October 2023, and October, like every year, is Cybersecurity Awareness Month. And for that reason, here at KuppingerCole, we came up with the idea to play a game. all of us will have two gos when it comes to presenting a statement and asking a question and all the others are there to answer the question, to assess the statement and to give their opinion on that. I will start out with the first statement, and that is something that I've learned also from advisory business, what I'm doing. When we look at the target verticals, when it comes to cybersecurity attacks, many persons, many people think that financial services as a vertical are leading by far when it comes to web application and API attacks, as an example. And I think, no, I claim it's true. Financial services as a vertical are the most threatened vertical among others. So is this true or false? Maybe starting with Alexei for the answer, Is financial services most threatened?
Well, Matthias, to be honest, I do not believe this can be true. Because all the banks and financial organizations, they are probably the best prepared for a cyber attack. Right? Because they have to, they’re heavily regulated. So I would probably bet that it's other verticals which are much more vulnerable, like hospitals, for example, public sector organizations which are targeted much, much more.
Okay, thank you. Marina?
In this case, I agree with Alexei. I don't think it is true. Lately, we have seen many cyber attacks to public institutions, to even governments. So then, I believe it is not true. But let's see the answer, what it will say.
Yeah. First, Paul, what is what is your assessment? Am I right or am I lying?
Yeah. Yeah. Hang on a minute, Marina, I haven't even had a go yet, so I actually agree with Matthias. Only because I... he sounds like he's read the same report that I did that said that financial services indeed suffer the most, at least software based attack, API attack. So I'm going to say yes. And don't forget, it doesn't mean that the attacks were successful. It's just all attacks. So that could be, Alexei is right, they're well protected. So yeah, I'm going to say yes.
Okay. I most probably did not read the same report that you did because the report that I have is the Akamai State of the Internet Report 2023. And it says that financial services are number three in the list and there are two others that are a higher ranking in that suspicious countdown. So above them more than double of the number of attacks that have been identified is commerce. And inbetween number two is high technology. Some numbers on that. So commerce is 34% and a bit more. High tech is 22%. And financial services actually is 16%, which is half of number one. So the statement was wrong, but it shows some common misconceptions. But I, I agree that Alexei and Marina were right in assessing that.
I can't believe that e-commerce is the first one. So, I mean, I mean, I imagine that maybe, you know, public institutions, as Alexei said, like hospitals, for instance, where they can, you know, the attackers can actually dig a lot of data.
Absolutely true. But maybe they are not out for data, but for money.
Agreed.
I think, Matthias, actually and I'm going to look stupid here, but I did read - that was the report, but I must have misread it because I'm pretty sure that financial services were top of the pile when it came to API and software based. And I think probably I got so excited by that. But I thought that they were number one everywhere. There you go.
Okay. But you get a chance to correct that. You are next to ask.
My question. Okay. Well, it's kind of related, I guess. So my question is, would the recent MGM casino hack have been easily prevented by a zero trust framework?
Right. Okay. Well, correct me if I misremember something about that hack heavily involved social engineering, right? Someone called in and asked someone else to change a password to do something stupid. So it's all like hundred percent human mistake. Would a zero trust solution have prevented this? Perhaps, if it were like really deployed consistently across the entirety of MGM’s IT infrastructure, I don't think they had, or they were even close to that, so, I would say no. It probably would not have.
Yes, I'm not really sure. I would say that they didn't follow zero trust for the same premise that, you know, you always have to verify and as Alexei said, it was like a kind of human mistake involved. By the way, nowadays we have artificial intelligence that also automates the process to identify, you know, such as of misbehavior. So but I think it is false. I'm not sure, to be honest, like I would say false. But...
I would agree with what Alexei said. So if there really was some social engineering behind that, this term zero trust is a bit wrong when it says you don't trust anything because you trust identities and you trust what users claim who they are. And if they give away their credentials they can be misused. So that only part of trust that still needs to be there, or the most important part of the trust that still needs to be there. If this is broken, then zero trust is of no use in that context. So I would agree with the other three, and I'm interested in the answer.
Well, it was a bit of a trick question, really, because I was alluding to people as we know always say vendors are quite keen on saying that they now support zero trust and but it's not actually something that you can add in as in to an application or software and stuff. So yeah, the answer is actually it, it might have done if they actually had it right from the start, had as Marina said, verified instead of just as in what happened, - although they haven't officially confirmed this, but they haven’t denied either - is that they just took the identity of a senior admin and he rang the helpdesk and said, I've lost my password. And they said, okay, no problem, we'll change it for you. That was it. And then from then on, the hackers were straight in. So the answer is no.
But apparently they had a great insurance policy, so they have not lost any money on that.
Oh really? I didn't know that.
That's amazing, actually.
I heard the news that the insurer is now about to pay $100 million dollars.
Wow. Well, they were supposed to be losing about 10 million a day when, because they switched, they literally switched, you know, like they’re supposed to do, switched everything off. And I think also they refused to pay the ransom.
Okay. Round one, question three, handing over to Alexei.
Okay so I actually thought about this question even like right just now after we have started this call, looking specifically at Paul and his wonderful boomer disguise. So Paul, what do you think. Are boomers, and I mean, the real boomer generation, really the most vulnerable generation when it comes to cybersecurity attacks?
Define Boomer.
So, you’re saying that I'm a boomer? I guess I am actually, I do actually just about fall into the boomer generation. So and I have actually fallen for a couple of hacks. So I'm going to say, yeah, because we struggle with technology as boomers.
Well, I wouldn’t say that this is true, actually, you know. So I believe that it depends on the level of instruction of different people. I mean, some of you here may have the age of my dad and for sure, you know, much more than him. So then, you know, I wouldn't consider you in the same group, even though they, you know, they are in the same generation. So I would say it is false. And what do you think, Matthias?
Yeah. I don't think it's a matter of age. It's a matter of tech savviness, it's a matter of interest and in understanding technology and maybe sometimes also just following the advice you are given. So switching on MFA is not an age topic, it's more or less a risk management topic. So just switch it on and no matter how old you are. So I would disagree, but I'm sure there are numbers, right?
Yeah, it's actually kind of a tricky question as well, because on the one hand, we as analysts should not be generalizing and like, you know, following the stereotypes, but apparently there was a real study and they found that it's actually the millennials who are more susceptible to a cybersecurity attack, it was 44% of like the entire generation suffering at least one attack.
Yeah. Yeah. Marina gets hacked every week, I think. Phished. Well, I'm pleased to hear that, Alexei.
so am I, So am I. So ending round one with Marina's statement / question.
Yes. Okay. So in average, there are approximately 500 new malware variants created every day. Do you think it is true or it is false?
And I start out, I think in the age of generative AI and and the influence of things much more changing rapidly through automation, I would assume the number is much higher and growing.
Paul, what do you think?
I sounds like a trick question, but I would say higher, as well. Definitely.
It probably depends a lot on how do you count, so maybe like a site like VirusTotal could probably show you exactly that statistic. I don't know. I have no checked, to be honest. But, yeah, I agree that it's kind of meaningless nowadays because you could probably generate a different variety of a virus for every of your recipient nowadays,
Well, all of you are right. Actually, the average is 500,000 a day. I am, you know, like a lady of numbers. So then in the last report of astra security, they actually presented it is 560,000 daily. So it's like kind of a lot.
Everyone gets a virus.
A personal virus.
I'm so glad I didn't say it was less.
Well, we have to stay awake, actually. Cybersecurity awareness month.