Three cybersecurity experts issued stark warnings about the array of threats now confronting IT service providers, from brazen phishing attacks via phone, to threat actors who run their criminal enterprises like modern corporations.
The alerts were issued as managed service providers and other channel players increasingly become targets of cyberattacks aimed at disrupting services.
One such attack took place over the United States July Fourth weekend, with a malware attack against SHI International.
Some of SHI International's systems were knocked out for more than a week before recently being restored.
“These attacks are not going away,” Austin Roberts, sales manager at cybersecurity firm Huntress Labs, told a roomful of mostly IT service providers attending the first-ever XChange Security 2022 conference in Reston, Virginia.
The conference is hosted by CRN parent The Channel Company.
Roberts noted that financial losses tied to cybercrimes have risen from about US$1.4 billion to nearly US$7 billion just in the past four years, based on federal data.
That makes hacking one of the fastest growing “industries” in the world right now, Roberts said.
He noted that cyber-gangs now even model themselves like businesses, with their own criminal affiliate networks, revenue sharing plans, and even HR-like organisations.
“They have actual playbooks,” he said of how cybergangs organise and conduct themselves.
In a conference session entitled “How to Rob a Bank Over the Phone,” Joshua Crumbaugh, chief executive of cybersecurity consultants PhishFirewall, regaled XChange attendees with a tale of how he was once hired by the US government's Federal Deposit Insurance Corporation to conduct “ethical hacks” against banks to see whether their security defences worked.
At one bank, Crumbaugh said, he called the vice president in charge of IT.
The vice president had been warned that FDIC-ordered security tests were pending, but Crumbaugh convinced him over the phone to insert bogus code into the bank’s system.
Crumbaugh, who played audio recordings of his phone conversation with the hapless bank executive, said he even convinced the vice president to meet with him in person at the bank on the following Monday – which they ultimately did.
The security researcher said he was then promptly given access to the bank’s IT centre and individual employees’ work computers.
He said he even sneaked into the bank’s vault and took selfie-photos of himself with wads of cash.
One of the lessons learned: not all phishing attacks start via email or text; this one was carried out entirely by phone and then in person.
Another lesson learned: successful phishing attacks are often the fault of management, not employees.
“It’s the lack of training – lack of education,” Crumbaugh said, noting that lack of training and education applies to top brass too.
Danny Jenkins, chief executive and co-founder of security vendor ThreatLocker, said institutions simply need tighter controls over which software is allowed to run in their IT environments and who has access to their systems.
Jenkins, whose XChange Security keynote talk was titled “Zero Trust for Applications,” later told CRN that the key is not necessarily to catch and “chop off the heads” of cyber-hackers.
Instead, the goal is to build up a solid enough defence to deter hackers and make their exploits less lucrative.
“You need to make it more difficult and less profitable for them,” he said.
“At that point, they’ll start to disappear a bit,” Jenkins added.