Cyberattacks: investing in a safe bet

Cybercrime is another risk investors should think about

Picture: 123RF/WELCOMIA.

A cyberattack is every investor’s worst nightmare. The attack is personal yet your attacker is anonymous. You rarely know how the breach occurred or how much of your personal information your attacker has. When you suffer a financial loss, you are likely to be held liable for it.

Experts say that most cyberattacks rely on some form of social engineering. This is why your antivirus software alone is not adequate protection against cybercriminals.

Hennie Ferreira, CEO of cybersecurity company Cybadev, says social engineering was used in the deployment of one of the worst viruses yet created. Stuxnet, which is believed to have been created by the US and Israel to attack a nuclear processing facility in Iran, made its way onto the computers of its targets via unbranded USB sticks left lying around at the site of the attack.

"People inserted them into their devices to check what was on them or to get the sticks back to the owners. The virus spread from there.

"Unfortunately, there is no antivirus software that can prevent someone from sticking a USB drive into their computer, or one that can keep you from clicking on the wrong link [and unwittingly installing a virus]. It’s not possible to stop these threats in any way other than by making people aware.

"Major attacks originate in social engineering," he says.

Jason Jordaan, a forensic analyst and MD of DFIRLABS.com, says social engineering is "still the most common attack vector".

He says that while people have wised up to the risks associated with downloading files or opening attachments from unknown sources, some ransomware groups still send attachments in the form of PDF documents.

"Many organisations that get hit have very decent security. But a lot of this comes down to user behaviour."

In May, the Small Business Development Agency fell victim to a ransomware attack. It did not respond to questions relating to the number of data subjects exposed as a result of the breach, or whether data subjects and the information regulator had been notified.

Globally, ransomware attacks last year increased by 485% compared to the previous year, according to Bitdefender’s "2020 Consumer Threat Landscape Report".

Jordaan says ransomware attacks have evolved over the past 18 months to include an element of extortion.

"They not only get into your system, but also copy data off your system and then encrypt it. If you don’t pay the ransom, they threaten to release it in the public domain, taking things to the level of extortion. I’ve investigated a couple such cases," he says.

Security is not a product or a service, Jordaan says. "It’s a capability — something you have to constantly be working on to keep abreast of the risks."

Ferreira says individuals and small enterprises tend to have weak cybersecurity compared to big corporates, which have the budget to cover their cyber-risks. This makes individuals and small businesses soft targets. Small businesses are particularly "juicy" targets, he says, because they have more data than individuals.

Furthermore, he says, enterprise-grade antivirus software on the market is aimed at corporates and is therefore unaffordable for individuals and small businesses.

Cybadev aims to fill this gap in the market. The company, which was launched earlier this year, offers "next-generation" antivirus software, a virtual private network and monthly training for R195 per month per user.

Ferreira says traditional antivirus software is "very ineffective" in warding off the most common attacks.

He says next-generation antivirus software is a step up from traditional antivirus software, which relies on "signature detection".

Signature detection takes a file and runs it through an algorithm and makes a fingerprint of the file, which produces a unique signature of the file. Signatures are then stored in a database of known threats. As a file comes on to your computer, it is run through the same algorithm and database to see if it’s a virus or not. If it’s a virus it will be quarantined or deleted, he says.

"This used to be effective when there were not as many threats around, but now there are billions of active threats — about 300-million new threats are found every day. That becomes a problem for antivirus software, because these databases become so big that they are not feasible. That’s why one of the biggest complaints with antivirus software is that the moment you install it on your computer, it slows right down. It has to hash all the files and compare all the signatures in insanely large databases to figure out whether they are viruses or not."

Ferreira says there have been some improvements in the way databases are structured, "but it’s not sustainable to solve malware".

"The other problem is you assume the threat on your computer has already been discovered. But if it hasn’t been detected and placed on the database as a known virus, then your database is useless.

"To make it even more complicated, if you take a normal computer virus and go into the code of that virus, and add one space or one character, it completely changes the signature. So you can bypass signature detection very easily," he says.

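The exact-match signature lookup described above, as an added illustration that is not code from the article or from any antivirus product. It shows a catalogued file being flagged, while a copy that differs by one trailing space and a never-catalogued file both return no match. SHA-256, the `SignatureDB` class and the harmless sample bytes are assumptions constructed for this example.

```python
import hashlib
import io


def fingerprint(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large files are never fully in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


class SignatureDB:
    """Hypothetical signature store: maps a file fingerprint to a threat label."""

    def __init__(self):
        self._known = {}

    def add(self, sample, label):
        sig = fingerprint(io.BytesIO(sample))
        self._known[sig] = label
        return sig

    def scan(self, data):
        sig = fingerprint(io.BytesIO(data))
        label = self._known.get(sig)  # exact match only: no notion of "similar"
        verdict = "quarantine" if label else "allow"
        return {"sha256": sig, "verdict": verdict, "label": label}


# Constructed, harmless stand-in for a file already in the threat database.
KNOWN_BAD = b"CONSTRUCTED-SAMPLE: harmless stand-in for a catalogued file\n"


def demo():
    db = SignatureDB()
    db.add(KNOWN_BAD, "Constructed.TestSample")
    exact = db.scan(KNOWN_BAD)            # byte-identical copy: flagged
    variant = db.scan(KNOWN_BAD + b" ")   # one extra space: new fingerprint, no match
    unseen = db.scan(b"never catalogued")  # not yet in the database: no match
    return exact, variant, unseen


if __name__ == "__main__":
    for name, result in zip(("exact", "variant", "unseen"), demo()):
        print(f"{name:8} {result['verdict']:10} {result['sha256'][:16]}...")
```

Both misses are why hash signatures are normally paired with other controls, such as the behavioural detection and user training discussed in the rest of the article.
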
Next-generation antivirus software relies on behavioural heuristics — the behaviour of programs — to detect viruses, and is "managed", Ferreira says. This means it’s not a product that is merely bought and installed. "Someone has to sit in a data centre and use their expertise to discern when a threat is legitimate and when it’s not.

"If it’s not properly managed it will constrain your computer. Over time, the artificial intelligence and algorithms will get smarter."

Ferreira says companies that build next-generation software don’t manage it themselves. They sell it to large companies with their own teams of cybersecurity experts, who manage it internally.

"What we have done is set up our own security to manage on behalf of small businesses and individuals. I think that’s a first in SA. I don’t know of any other players that offer real next-generation antivirus software to individuals and small businesses."

But no matter how good your antivirus software is, it alone covers very few of the threats out there, he says. What users need is ongoing awareness training.

The training that Cybadev provides to its customers is only 10 minutes a month, comprising a short video covering a particular threat, such as how to identify a phishing e-mail or how to secure your phone. It’s followed by a quiz to test the participant’s comprehension and the business owner sees who in their organisation did the training.

Jordaan agrees that more education and training of users are desperately needed. We all use phones and computers, which have become critical to our lives, yet we have not been taught how to keep them secure, he says.

"We’ve been trained to understand and appreciate risk in the physical world, but we’ve never received that training to appreciate risk in the virtual world. So people don’t understand why they mustn’t reuse their password, for example."

He concedes it’s not always easy to discern a safe site from a dodgy one. Some providers have tried to address this, he says. When you go to a website, some antivirus products scan the site before it loads, because websites are a known attack vector.

But Jordaan challenges the inference by Ferreira that all traditional antivirus software is redundant.

Most products do the job, he says. Software does sometimes fail — either the threats have evolved beyond the capability of the software or the software has vulnerabilities. But it’s also true that people buy antivirus products and then fail to do regular updates.

He also points out that not all antivirus software is viciously expensive. There are open-source products such as Security Onion which are free and "pretty damn decent", he says.

Jordaan says that no vendor will tell you this, but if you’re running Microsoft Windows as your operating system, one of the best antivirus products on the market at the moment is Microsoft Defender.

"You don’t pay for it when it’s part of your operating system. That platform has all the resources of the Microsoft Corporation behind it. It’s not perfect, because there’s no such thing."

On the subject of a managed solution, Jordaan says managed security service providers are a prominent development in the industry.

"Think of it as armed response for your house — you need some kind of security professional that’s available 24/7 to monitor everything.

"When we refer to managed services, there are many levels. There are managed services where it’s not actually live-managed. You might get a log file once a day or once a week. You’ve got to look at who is doing the analysis. Then you go right the way through to security operations centres … where you have teams of trained analysts doing this kind of work. But that service isn’t cheap.

"I can’t get 24-hour armed response for my house for R195 a month."

Antivirus software is like a condom, Jordaan says. It’s not 100% effective, but it’s better than nothing.

"There are different types and a lot of the time it comes down to how you set it up. Security is only as good as your constant vigilance."

Mark Heyink, an attorney who specialises in laws governing information security, says good cybersecurity is about technology, process and people. "Technology is your software and systems; documented process establishes the rules of ‘how to use’ technology, and must be used to ensure people do the right things. While all are important, unless people know what their responsibilities are, the security is significantly weakened."
