Meet the expert: Onur Korucu to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today. 

Onur Korucu is Global VP at IT services and consulting multinational, TerzionDx. She has previously worked at professional services companies including KPMG, PwC and Grant Thornton, and has operated as an experienced consultant within senior management in multiple countries. Recently Onur worked as a GRC, Cyber Security and Data Protection senior manager within Avanade UK & Ireland before moving into her current role.

Onur appears exclusively at PrivSec Global to discuss Ransomware as a Service (RaaS), the evolving tactics of cybercriminals who exploit RaaS, and what businesses can do to optimise digital defences.

Below, Onur answers questions on her professional journey and the themes of her PrivSec Global session.

Could you outline your career so far?

I am Global Vice President of Technology Consulting Services, Technology and Law at one of the Microsoft partners, TerzionDX, which produces AI, robotics and automation solutions, and also provides infrastructure services with a focus on security. I am advisory board member of GovernID, a data protection and privacy-enhanced technology company.

I am an information security, compliance, and privacy professional focused primarily on emerging technologies from information security and data protection perspectives. On top of my technical engineering degree and M.Sc degree, I hold an LL.M degree in Information and Technology Law. I have also completed a Business Analytics Executive Master’s programme at the University of Cambridge.

I have published a book about risk-based global approaches to improve data protection, and regularly publish articles in prestigious magazines such as Harvard Business Review and Tomorrow Magazine about trending technology, cyber security and data protection, and privacy trends. 

I was among lecturers for the Cyber Security Masters programme at universities in Istanbul and London. I am a Women in Tech World ambassador, board member, and International Association of Privacy Professionals (IAPP) Ireland Chapter Chair. 

I have been nominated for the GRC Role Model of the Year, Technology Consulting Leader, Cyber Women of the Year, Risk Leader of the Year, and The Technology Businesswoman, awards.

What has enabled RaaS to become such a popular tactic for cybercriminals?

Ransomware, one of the most persistent and pervasive cyber threats, continues to evolve, and its latest form presents a new menace to organizations worldwide. The evolution of ransomware doesn’t involve new advances in technology. Instead, it involves a new business model: ransomware as a service (RaaS). 

The volume of ransomware attacks and data breaches increases significantly every year, and it can be costly for individuals, customers, and organizations. Nowadays, cybercriminals have made ransomware incidents as a regular cybersecurity occurrence. Most ransomware incidents are not due to sophisticated attack techniques but are usually the result of poor cyber hygiene. 

That’s not to say that victims do not take cyber security seriously; modern IT estates are exceptionally complex, particularly for organisations that have undergone acquisitions and mergers, and security controls can be difficult to implement effectively across complex environments.

Poor cyber hygiene can include unpatched devices, poor password protection, or lack of multi-factor authentication (MFA). Remedying these are not silver bullets, but implementing such measures would interrupt the majority of ransomware attacks. MFA, in particular, is often not in place, which enables many ransomware attacks to be successful.

Many companies and government institutions that have been hit by ransomware have been reluctant to discuss what led to the events, but many admit that the successful attack was the result of employees falling for phishing emails. 

ENISA reports explain that “Phishing attacks are carried out in high volume and target a broad audience, while other social engineering attacks make use of custom campaigns tailored to target specific employees. Using social engineering, threat actors leverage an employees’ access inside an organization to gain a technical foothold in the network from which they carry out further attacks.”

What primary steps can companies take to avoid falling victim to such attacks?

The most effective strategy to protect from a ransomware attack is continuously monitoring your ecosystem for vulnerabilities and educating employees on how to identify phishing attacks. 

The below-mentioned steps are best practices to help mitigate the risk of a ransomware attack. Ransomware as a Service is increasing every year because it is easy to deploy, cheap, powerful, and doesn’t demand any technical expertise. 

The best defences against this malicious attack are antivirus and antimalware (AV/AM) solutions, frequent patching, and vigilance. However, reputational risks and monetary are high if companies don’t have a proper cybersecurity plan.

Threat actors are reiterating their tactics, methods, and procedures on both payload and delivery campaigns due to the rapid awareness and reaction to phishing and ransomware. This perseverance shows that only concentrating on technology, with an emphasis on procuring, deploying, and optimizing security solutions, is insufficient.

Without a phishing defence strategy in place, businesses are vulnerable to not only the widespread phishing emails used to transmit ransomware but also the less noticeable emails used to deliver the same infection for years.

Here are some steps that companies can take to protect themselves:

• Build credential hygiene: Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement.
• Audit credential exposure: Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. IT security teams and SOCs can work together to reduce administrative privileges and understand the level at which their credentials are exposed.
• Harden the cloud: As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Security teams should focus on hardening security identity infrastructure, enforcing multifactor authentication (MFA) on all accounts, and treating cloud admins/tenant admins with the same level of security and credential hygiene as Domain Admins.
• Close security blind spots: Organizations should verify that their security tools are running in optimum configuration and perform regular network scans to ensure a security product protects all systems.
• Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.
• Evaluate the perimeter: Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces can be used to augment data.
• Harden internet-facing assets: Ransomware attackers and access brokers use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. They also rapidly adopt new vulnerabilities. To further reduce exposure, organizations can use the threat and vulnerability management capabilities in endpoint detection and response products to discover, prioritize, and remediate vulnerabilities and misconfigurations.
• Prepare for recovery: The best ransomware defence should include plans to recover quickly in the event of an attack. It will cost less to recover from an attack than to pay a ransom, so be sure to conduct regular backups of your critical systems and protect those backups against deliberate erasure and encryption. If possible, store backups in online immutable storage or fully offline or off-site.