Behind-the-Scenes with John Shier, senior security advisor at Sophos

For a behind-the-scenes view of what it’s like to be on the frontline of tracking security trends, we interviewed John Shier, senior security advisor and nine-year Sophos veteran.

John works closely with SophosLabs to study and analyze all types of cyberattacks emerging around the world. He’s also an expert on the advanced technology needed to combat these threats.

Here’s John’s insider take on what you need to know to stay one step ahead.

Q1. As a security advisor at Sophos, tell us about your average day

The first thing I do every day is monitor security news. This includes checking in with SophosLabs, scanning Naked Security and other news sites, and much more. The outcome of this effort often directs the rest of my day. If there’s a breaking security story, then we prepare for interest from journalists wanting reaction and insight and outreach to customers. The rest of the day usually involves researching threats, consulting internally and getting ready for my next talk at an industry event. When I’m not in the office, you can find me at one of many security conferences around the world.

Q2. We’re seeing ransomware in the news right now. What can you tell us about ransomware as a growing cyber threat?

Unfortunately, ransomware continues to be big news, and it doesn’t show any signs of letting up. We are seeing all kinds of ransomware with different tactics and technology. Some encrypt your files with a public key, which makes it nearly impossible to reverse, while other ransomware uses a locally stored key. They might encrypt your networked file shares or encrypt the master boot record of your computer, locking you out of the operating system.

Recently, there have been some high-profile cases of ransomware infecting hospitals in the U.S., including a California hospital that paid $17,000 for the decryption key. The infection caused so much disruption that staff had to resort to the “old-fashioned” method of using pen and paper for record keeping. In March, another hospital in the U.S., this time in Kentucky, was infected with Locky ransomware, but was able to recover using offline backups. Unfortunately, it took administrators five days to return to normal operation.

In many cases, phishing is the infection vector for ransomware attacks, but malvertising is also playing an increased role in making this type of threat more viable. At SophosLabs, we are seeing Cryptowall, TorrentLocker, CTBLocker, TeslaCrypt and, now, Locky as the most prevalent ransomware families.

Offline backups are probably the most important measure organizations can take to protect against ransomware. Of course, using up-to-date proactive protection is also a big part of a company’s defense, as is ensuring that all of your computers have the latest security patches. If ransomware does manage to make it past your security technologies and infect an unpatched computer, you can use those backups to recover files without sending money to the crooks.

Q3. What are some other evolving threats, such as geo-malware or location-based cyber attacks, you’re seeing? Are there any locations in particular that are activity hotbeds?

Geo-malware – tailoring and targeting malware based on victims’ geographic locations – is an interesting problem. Like many popular global retail outlets, cybercriminals are now tailoring their messaging and malware “products” to suit the local language and culture. It doesn’t make good business sense to display German ransomware instructions to an Italian victim. You’re also less likely to get your ransom paid if you infect victims in developing countries versus people or companies in wealthier nations.

All of this leads to cybercriminals designing malware that blends into local environments, appears more realistic and is more financially rewarding. At SophosLabs, we have seen many examples of this type of intentional geo-targeting. Ransomware largely infiltrates North America, Europe and Australia. Some banking Trojans are quite prevalent in South America, while one in particular, Yebot, is found almost exclusively in Hong Kong.

SophosLabs is also tracking the concept of “un-targeting,” which is when crooks specifically determine that their malware doesn’t execute if it lands on a particular system, such as a Russian-language operating system, a Chinese keyboard or a malware researcher’s virtual machine. Geo-malware is this precise, which gives you a glimpse into the serious and determined intent of some cybercriminals.

Q4. What are your thoughts on malvertising as a way to infect and spread viruses? How and what types of businesses are vulnerable?

Malvertising (malicious online advertising) has been around for a while now, but has increased in prevalence over the last couple of years. Last month, there was a high-profile campaign that affected BBC, Newsweek, The New York Times and MSN. From the crook’s point of view, malvertising provides a method of delivering malware that can be extremely targeted, difficult to detect and track, and uses the trustworthy reputation and bandwidth of an established site. For example, using geo-IP information, hackers can target their malicious campaigns against particular countries. And then, using demographic information, they can further zero in on narrower segments of the population.

Many of these campaigns run over weekends and are short lived, but can have massive impact if they’re spread on highly trafficked sites. Unfortunately, by infecting the networks that feed ads to legitimate businesses online, everyone is equally at risk.

Q5. As threats increase in complexity, what do we need to do to defend against them?

Crime is organized, so why not do the same with our defenses? Complex threats are the new normal, and security solutions have to evolve in order to address this reality. Historically, we have deployed product after product to deal with different facets of the threat. Now we have a suite of security products, each doing its own thing with little to no meaningful correlation. Cybercriminals have known this for a while and have been purposefully designing their attacks to weave between the layers of security.

A strong coordinated defense is needed to protect against a complex threat. It’s not enough to just keep throwing products at the problem anymore. We need to use our existing products in a coordinated way. One way to do this is by providing context to all the data that is being generated by your security technologies. If the products can communicate and share intelligence, they can better respond to multi-vector threats. Innovation will still play a part, but instead of being another standalone service, it can integrate into this coordinated platform.

Q6. As a security advisor who “sees it all,” what are your three top online safety tips?

1. Keep all software up to date. Let the software do all the work for you. Enable automatic updating on all of your security software and operating systems. Include any applications that support auto-updating. Don’t forget that mobile devices and apps need updating, as well.

2. Use multi-factor authentication. Even if a crook gets hold of your password – you know, the one that’s complex and unique ;-) – they won’t be able to get into your account unless they also control the second factor. Two-step verification is good (think SMS codes), two-factor authentication is best (think hardware token or biometric).

3. Connect with care. Be suspicious of all emails you receive that contain attachments or links, especially the ones that urge you to act right away. Phishing emails are better than ever. Take the extra time to spot anything that looks odd and even verify the communication. You’re not sure your mom actually sent you that online animated card for your birthday? Give her a call and ask. You’ll be doing yourself a favor, and she would love to talk to you.
