NTT Security releases cybersecurity report

Study puts cyber threats into layman’s terms, giving both practical and technical advice
Tuesday, May 2, 2017

OMAHA, Neb.—NTT Security, the specialized security company of NTT Group, has launched its 2017 Global Threat Intelligence Report (GTIR), which highlights the latest ransomware, phishing and DDoS attack trends and demonstrates the impact of today’s threats against global organizations.

Analyzing content from NTT Group operating companies, including NTT Security, Dimension Data, NTT Communications and NTT Data, and data from the Global Threat Intelligence Center (formerly known as SERT), the report analyzes global threat trends based on log, event, attack, incident and vulnerability data from Oct. 1, 2015 to Sept. 31, 2016.

With phishing now widely used as a mechanism for distributing ransomware—a form of malware designed to hold data or devices hostage—the report reveals that 77 percent of all detected ransomware globally was in four main sectors: business & professional services (28 percent), government (19 percent), health care (15 percent) and retail (15 percent).

Rob Kraus, director, security research and strategy, NTT Security, told Security Systems News that for this year’s report “we really tried to target the C-level executives and the end users, whereas previously we had focused more on technical jargon and getting deep down into the weeds on the technical side. We took a step back this year and decided in this report to really focus on threats in layman’s terms. We wanted it to be simple enough to be understood by a larger audience, while still providing some of the technical details if a company wants to get deeper into certain areas that they are most vulnerable in.”

Kraus noted that another goal was to focus on making sure the report was regionally significant, so it is broken down by geographic region, identifying the most prevalent attacks for each region, and explaining how each attack happens while offering step-by-step measures that can be taken to prevent and respond to the attacks, from both a management and technical perspective.

According to the report, ransomware played a very large part in the most prevalent types of attacks observed in the Americas during 2016. While IoT challenges loom, the Americas have recently received a significant amount of attention from Business Email Compromise (BEC) attacks, which are sometimes called CEO fraud. BEC attacks were the second most common type of phishing attack, which NTT Security supported with incident response engagements both globally, and in the Americas specifically.

“Attacks rise and fall as new vulnerabilities are identified, but the big hitters follow a 2- to 3 year trend,” Kraus explained. “So sequel injection was really hot for a few years and then kind of slowed, and then ransomware followed, and those attacks are still happening but they are not as prevalent as previous years because of increased awareness. Now we are in the BEC phase, and my prediction is with the focus on IoT the next couple of years you will find exploit kits that are developed specifically just for IoT, and I am sure there are several out there now already.”

Now in its fifth year, one of the key points of the GTIR report “was to emphasize that cybersecurity is a business problem,” said Kraus. “For too long businesses have been looking at it as a technical problem but I think that businesses now are just starting to make the turn to understand risk and loss and the business impact of cyber attacks.”

He continued, “We see in some places that things are getting better; for instance, awareness and education about threats have improved. One of the important messages, though, is that we can’t rest on that. The attackers are too smart and they have the luxury of time and motivation and they are always going to change their attack techniques.”

Mike Hrabik, CTO and regional CEO, U.S., NTT Security, said in the report that the sophistication of attack techniques continues to rapidly evolve.

“We have more data than ever before as the number of connected devices increases daily,” he said. “These innovations only increase challenges to secure this interconnected and expanding attack surface. This clarifies the need for detection policies and procedures along with an orchestrated defense, which includes advanced response capabilities in order to ensure that these innovative technologies are properly protected from evolving threats. Developing a mature and proactive security approach is essential to protecting and defending agile and dynamic environments against increasingly opportunistic and targeted threats.”

Kraus pointed out that although awareness is improving, he is still not seeing organizations doing as much as they should on the risk assessment front.

The assessment is not only “a qualitative or quantitative analysis on how much your loss potential is but it also helps with your spending, especially with tight budgets,” he explained. “An assessment tells you where your largest loss potential is, helps you figure out a budget to fix those things, and helps you spend your money wisely.”

Kraus said that the next step is getting those on the C-Suite level—the CSOs, CEOs and CFOs, for example—to create a cybersecurity roadmap for the next 3- to 5 years to reduce losses over that period. “You may have to invest $1 million but if that is going to save you $3- to $4 million over a 5-year period, I think that is money well spent. But I don’t see those on the C-level having these conversations yet,” he said.

Steven Bullitt, vice president, Threat Intelligence & Incident Response, GTIC, NTT Security, said in the announcement, “Our end goal is not to create fear, uncertainty and doubt or to overcomplicate the current state of the threat landscape, but to make cybersecurity interesting and inclusive for anyone facing the challenges of security attacks, not just security professionals. We want to ensure everyone is educated about these issues and understands that they have a personal responsibility when it comes to the protection of their organization, and that the organization has an obligation to help them do so.”