Ransomware is such big business that security vendor F-Secure is tracking 110 gangs making money from the malware, the company’s chief research officer has told the annual SecTor cyber security conference.

It’s the biggest single problem infosec teams face today, Mikko Hypponen told the Toronto conference on Tuesday, because once a machine is infected “it will stop you dead in your tracks.”

Mikko Hypponen

Things are so bad that a number of organizations are buying digital wallets with Bitcoin as protection for the day they are infected – and their willingness to pay ransoms only makes things worse, Hypponen added, because the more victims that pay the more attackers are encouraged.

It’s sad, he said in an interview later, because his firm gets calls for help from customers and can’t do anything because the damage has already been done. “And you would be surprised how many companies don’t have up to date backups or cannot recover them.”

CISOs can fight back, he said. “One, don’t get infected — easy to say, hard to do. Solution two: Have good backups, including offline backups. Option number three: Find the bad people and put them in jail.”

It was a typical performance from the opinionated Hypponen, who gave a vigorous lunch-time address ranging from foreseeing Internet-connected toasters (Why? Because chips are cheap. However, they’re a backdoor to home – and possibly corporate – networks) to the stupid things people do (Like put a photo on social media of the new credit card they got because they like the bright colour. And yes, the person was also willing to tell the world their CVV number …).

We’ll get to passwords, the IoT and other things in a moment. But back to the interview:

–The biggest mistake CISOs make is “probably not getting the board to understand the (technical) problems. The CISO is supposed to be the translator between the technical problems and the board, and if you’re not able to do that you’re not able to get board support. You will get their support sporadically. You will get it when [a huge breach like] Ashley Madison happens, for a quarter. And then it will be away.”

–On passwords: “Passwords shouldn’t be a problem anymore in 2016” but they are, he said in his speech.

In the interview he said password managers are the solution to users needing dozens of passwords. Another is biometrics. “But the fact is we have way, way too many places relying on old school passwords as an authentication mechanism.” The proof: Facebook CEO Mark Zuckerberg’s password for several social media sites was revealed over the summer to be “dadada.”

–On the Internet of Things and industrial control systems (ICS). They mean computers are now in homes and factories, he said, but there are devices online that shouldn’t be, due to misconfiguration and stupidity. Break into them and huge distributed denial of service (DDoS) botnets are created.

CISOs should worry that an IoT coffee pot or light bulb will be the weak point in a network.

“I hope the IoT will bring more good things than bad,” he said, but “that’s not clear yet.”

–On the hacking of the Democratic party email in the U.S.: As with any attack or potential attack he said, ask who benefits. Russia, in this case, he argued in his address. Not that it wants to determine the outcome on election day, but to weaken America by making the presidential loser’s supporters believe the vote was rigged. “They don’t have to actually hack the vote,” he said. “It’s enough to erode the trust in the system.”

Finally, advice to the infosec pros in the audience: You cannot defend all parts of your network all the time, he said. “Instead of trying to keep all the attackers out all of the time we really should be focusing on resiliency, being able to continue operations even when there is a break. Focus on detecting the breach and recovering from the breach.

“We used to think our job was to secure computers. What I’m telling you is your job is to secure society.”