
Cybersecurity: The evolving threat

  1. Francois Badenhorst

    Francois Badenhorst Business Editor, UKBF & AWEB Staff Member


    In this article from information security expert Stewart Twynham, we look at how the risks surrounding online technology have evolved during the past 15 years.

    In 2017, the Information Commissioner’s Office (ICO) secured eight convictions against NHS employees, all of whom were caught prying into the medical records of patients, friends, colleagues or others without a valid or legal reason.

    Just this month, a former council worker was fined for sharing personal information on children and parents via Snapchat.

    With the press and the cybersecurity industry getting excited by more esoteric threats, it’s important not to overlook the ones under an organisation’s nose. I want to take a balanced look at today’s threat environment - away from the vendor hyperbole. To do this I need to take you back in time.

    Fifteen years ago: the cyber-terrorist

    Back in 2003, the world was a very different place. While the media had already come up with the notion of “cyberterrorism”, waging a war via the internet was pretty much impossible.

    To begin with, most of us were still doing everything on paper. Strict rules on the export of 128-bit cryptography from America had only been relaxed a few years earlier. And without high-quality encryption, services such as online banking and e-government were not yet established. But this was all about to change.

    Fourteen years ago: the rise of the criminal gangs

    Early computer crime was relatively disorganized and the fear of being hacked far outweighed reality. For businesses, the malicious theft or destruction of data by employees represented by far the biggest risk.

    Computer crimes tended to focus on low-hanging fruit such as credit card fraud. As businesses and individuals began to do more online, the criminal community saw new opportunities to monetise their activities. By 2007, there had been a shift towards identity fraud. Now criminals could establish a line of credit rather than having to rely on credit card numbers that might only be good for a couple of low-value transactions.

    Tim Jordan’s Genealogy of Hacking suggests that the real catalyst was the rise in online gambling in the early part of the decade. Suddenly, computer criminals and organised crime networks were being brought together - resulting in an explosion of viruses, online scams, botnets and ransomware. Organised crime also had links back to nation states including Russia - an opportunity which was not lost on the Kremlin.

    Twelve years ago: Hacktivism emerges

    Hacktivists are hackers motivated by ideology, often gathering and leaking confidential information from governments and large corporates they disagree with.

    The website WikiLeaks started as an attempt to uncover the truth and fight corruption. While many might see this as a noble cause, the uncontrolled release of sensitive information by hacking groups wasn’t welcomed by businesses, governments or the individuals who were adversely affected.

    Eight years ago: Hacking turns professional

    The emergence of the cybercrime-as-a-service industry has probably been one of the more unexpected developments of the decade.

    Taking the lead from successful IT providers, there has been a proliferation of “hackers-for-hire” offering hacking, malware, DDoS (Distributed Denial of Service) and ransomware to budding criminals who lack the necessary technical acumen.

    Complete with service level agreements and cast-iron money back guarantees, there is an almost surreal emphasis on customer care and professionalism. If a target’s website is not taken offline or a piece of malware is detected by anti-virus software within a certain time, the customer can be confident that their money won’t have been wasted as their supplier will support them.

    It has also opened the door for all kinds of traditional protest groups - everything from animal-rights to right-wing politicians - to get involved in cyber attacks and become the hacktivists of the future.

    Four years ago: The state-sponsored hack

    The attack on Sony by Lazarus - a North Korean hacking group - put the notion of a serious attack sponsored by hostile state actors into the spotlight. But this rogue state’s abilities are dwarfed by other players on the cybercrime stage. Currently, Russia is the only country with the kind of scale in terms of people and infrastructure to offer a serious and credible threat to the West. The situation, however, is quite nuanced.

    Recent attacks by both Russian and North Korean hacking groups have targeted banks, large firms and cryptocurrency exchanges solely to steal money.

    The attack on the Winter Olympics which took 300 computers permanently offline is believed to have been carried out by Russian hackers who ran a false flag operation - connecting via a North Korean service provider to point the finger at Pyongyang. The line between cybercrime and cyber warfare is becoming increasingly blurred.

    This blurred line is also a fairly accurate representation of where we are today. Ciaran Martin, CEO of the National Cyber Security Centre, identifies the two most proximate threats as being hostile states (mainly Russia) and the “rampant criminality” that exists in cyberspace.

    All cyber attacks are targeted...

    …but attacks that target particular businesses or individuals are less common. Small businesses tend to assume they’re not a target for cybercrime because they’re too small, but I have yet to come across any ransomware that checks the size of your balance sheet prior to infection.

    The reality is that attacks generally target a particular vulnerability: an operating system, a piece of unpatched software, a particular device or a common misconfiguration. All things that you commonly find in small businesses.

    Basic controls can save the day

    The majority of attacks last year targeted vulnerabilities that were more than a year old - keeping your systems and devices up to date will prevent many of these types of attack.

    Many attacks take advantage of poor network configuration. The WannaCry attack that brought the NHS in England to its knees last year was able to propagate right across the NHS secure broadband network because firewalls were not correctly configured.

    Many attacks rely on weak passwords. It is estimated that the 25 most common passwords will get you into around 10% of the world’s systems and that 43% of login attempts are malicious.

    Getting the basics right will either prevent or mitigate the damage of cyberattacks which are not specifically targeted towards you.

    Targeted businesses need to up their game

    Of course, some businesses are a genuine target - and often the ones that least expect it. Here are just a few examples of how your business might become one:

    You run a popular forum or website - the high number of visitors and/or user accounts will be attractive to criminals. Enthusiast sites run on a part-time basis are at particular risk because these groups don’t generally have the skills or resources to prevent an attack.

    You’ve developed a popular piece of software or plug-in. Inserting malware into your software could reach thousands of users, as happened to the ICO website recently.

    You’re a supplier to a government agency/a popular celebrity/a high profile company/a piece of critical infrastructure. The easiest way into a hardened target is invariably through its supply chain.

    You announce on LinkedIn or Facebook that you’ve been awarded some funding or a valuable contract. I’ve even seen very small charities targeted in this way - and again they often lack the resources and experience to defend themselves.

    The difficulty for targeted businesses is that traditional models of risk don’t apply. You can harden critical systems as much as you like but most attacks will begin where your organisation is at its most vulnerable - for example when software is being downloaded onto the MD’s laptop by his or her children after school.

    Businesses must set minimum standards across their entire organisation, with a particular focus on protecting and training those with higher levels of access such as the management, IT and finance teams.

    Keep cyber threats in perspective

    Around 50% of ICO notifications in 2017 came down to human error of some form or another. It’s important not to lose sight of what’s right in front of you - especially now GDPR is almost upon us.

    Cyberattacks are still critically important because they impact all of your data in one go - but that threat needs to be balanced against everything else that may be going on within your organisation.

    A word on privacy

    Over the last 15 years, we have seen a revolution in the way personal data is collected, processed and stored en masse. Organisations have been largely free to harvest and trade our data without our explicit approval - a fact evidenced by the number of organisations now struggling to justify their lawful basis for processing.

    Worse, some have failed to provide even the most basic security, allowing data to be lost, stolen, carelessly discarded or exported without due diligence. This has allowed individuals to be harmed through identity theft, social engineering, phishing, smishing and by allowing criminals direct access to their personal finances.

    Under the latest Data Protection Act, which celebrates its 20th birthday this year, privacy has become an elusive concept - with businesses consistently failing to take their responsibilities seriously.

    The GDPR now hands the control of personal data back to the data subject - and presses a big reset button on the huge stockpiles of data that were once collected. It goes further by anticipating that there are things far worse than financial loss - preventing the processing of particularly sensitive information in most circumstances.

    The large potential fines may have grabbed the headlines, but these will be reserved for the biggest firms (historically also the worst offenders). It’s the wide-ranging non-monetary sanctions which give the ICO the most powers under the GDPR.

    There are anomalies - there will always be anomalies in anything - but for the most part, people in the know agree that GDPR is all about “good data protection rights” and not another piece of unnecessary red tape.

    The GDPR will never solve all of the world’s problems, not least because plenty of personal data has already been stolen, but it will set out a level playing field on which all businesses will need to operate.

    This article was originally posted on AccountingWEB. You can read more from Stewart here

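The weak-password control the article describes (“the 25 most common passwords will get you into around 10% of the world’s systems”) is cheap to enforce at password-set time. The following is an added example, not code from Stewart Twynham’s article or from this thread: a denylist check that also catches the trivial mutations (capitalisation, trailing year, leet substitutions such as P@ssw0rd) that cracking wordlists already try. The denylist is a short constructed sample standing in for a real top-N list, and the length floor and leet map are illustrative choices.

```python
"""Common-password denylist check (added example; not code from the article).

Assumptions: COMMON_PASSWORDS is a short constructed sample standing in for a
real top-N list loaded from disk; MIN_LENGTH and the leet map are illustrative
choices, not a standard.
"""
import re
import unicodedata
from typing import Iterable, Tuple

# Constructed sample denylist. A deployment would load a full published list
# (tens of thousands of entries) rather than hard-code a handful.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "letmein", "welcome", "monkey", "dragon", "football", "iloveyou",
    "admin", "login", "starwars", "passw0rd", "sunshine", "princess",
}

MIN_LENGTH = 8  # illustrative floor; the denylist does most of the work

# Substitutions that cracking wordlists already apply, folded back so that
# "P@ssw0rd" is judged as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Collapse trivial mutations of a base word onto the word itself."""
    # Strip accents so "Pässword" compares as "password".
    s = unicodedata.normalize("NFKD", pw).encode("ascii", "ignore").decode()
    s = s.lower()
    if not re.search(r"[a-z]", s):
        return s  # purely numeric/symbolic entries ("123456") compare as-is
    s = re.sub(r"[^a-z]+$", "", s)  # drop trailing digits/punctuation: "welcome2018!" -> "welcome"
    return s.translate(_LEET)       # fold leet: "p@ssw0rd" -> "password"


_RAW_DENYLIST = {p.lower() for p in COMMON_PASSWORDS}
_NORMALISED_DENYLIST = {normalise(p) for p in COMMON_PASSWORDS}


def check_password(pw: str, context: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (accepted, reason).

    context: identifiers a user would predictably reuse (username, company
    name); a password containing one of them is rejected.
    """
    lowered = pw.lower()
    if lowered in _RAW_DENYLIST:
        return False, "on common-password list"
    normalised = normalise(pw)
    if normalised in _NORMALISED_DENYLIST:
        return False, "trivial variant of a common password"
    for word in context:
        w = normalise(word)
        if len(w) >= 3 and (w in lowered or w in normalised):
            return False, "contains a user/organisation identifier"
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates; "acme" stands in for the user's organisation name.
    for candidate in ["123456", "P@ssw0rd1!", "Welcome2018", "short1",
                      "Acme2018!", "correct horse battery staple"]:
        print(f"{candidate!r:34} -> {check_password(candidate, context=['acme'])}")
```

The order of the checks matters for the message the user sees: a denylist hit is reported before the length check, so “Welcome” is told it is a common password rather than merely too short. The normalisation deliberately mirrors the rules in attackers’ wordlists; a check that only compared exact strings would wave through “Password2018!”.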
  2. Russ Michaels

    Russ Michaels UKBF Contributor Free Member

    The overarching problem is that a lot of SMBs simply do not care about security or data loss because it will cost them money to care, or just do not understand the issues so just ignore them. There have been many occurrences of hacking and data theft reported, where the target has shrugged it off and continued as normal, still with no security in place, and have been hacked again.

    The GDPR will go some way to alleviate this by dishing out fines to businesses that ignore security and fail to protect their data, so will hopefully make people start to take the subject of security seriously when it will potentially be more expensive not to.

    A shocking 37,000 websites on average are hacked every single day, due to poor or non-existent security and not being maintained. These hacked websites are then used to target visitors to those websites and distribute malware or steal data.

    Many SMBs are not even aware they have been hacked. I have had a couple of clients myself whose systems were actually compromised several years ago, and the criminals had been reading their emails, stealing their data, getting all their staff's personal details and passwords, all unhindered and undetected.

    One of the most common answers I get when I discuss the subject with folks is "Oh I have an IT guy".
    Imagine you have no security alarm in your home, rubbish locks on the doors, open windows etc. Easy access for any criminal, right? But you say "I know a police officer".
    Knowing a police officer is not going to stop criminals breaking into your premises, getting in through your open windows or getting past the non-existent security, since that police officer you know is not going to be guarding your property 24/7; in fact knowing him will not make any difference whatsoever.

    In the same way, having or knowing an IT guy also is not going to stop cyber-criminals, or stop you being hacked if you have poor security, as your IT guy is not monitoring and maintaining your IT systems 24/7 or looking for vulnerabilities or reviewing your password policies.

    At the absolute least, folks need to use a decent cyber-security protection suite rather than just free anti-virus. I personally use BitDefender myself and this is what I recommend to my clients. It is not a solution by itself, but is considerably better than nothing and does afford a decent amount of protection against common threats.
    Posted: Mar 16, 2018 By: Russ Michaels Member since: Jan 19, 2018
  3. Excel Insights

    Excel Insights UKBF Newcomer Free Member

    To add to the excellent information provided by Stewart Twynham (via Francois) and Russ, many people currently fretting about getting GDPR compliant don't perhaps fully realise how closely data privacy and information security are linked. Indeed, ensuring compliance with ISO 27001 or even Cyber Essentials will take your business a good amount of the way towards compliance with GDPR. First and foremost, though, find out whether your business potentially falls under the requirement to comply with GDPR.

    If your business serves an industry with particular regulations, such as financial services or defence/aerospace, you need to understand from your customer whether this means you need them to flow down stronger requirements, such as those of PCI-DSS, DCPP or DFARS. Ignorance is not accepted as an excuse for non-compliance by the authorities involved.

    One of my clients experiences multiple daily state-sponsored attacks on its network (the states sponsoring those attacks aren't always who you think they would be!), and guarding against intrusion is a constant game of cat and mouse. However, by far the biggest vulnerability most businesses have to contend with is not some Hollywood-like 'back door' - it's the people working for you. So educating your workforce not to open emails from mysterious senders or navigate to unknown websites whilst connected to your systems is half the battle.

    Something else to consider is how well your suppliers and subcontractors secure the information you share with them. Supply Chain Information Security is gaining focus as we see more examples of a company's supply chain being used to compromise the end target. If you operate B2B, you need to be aware of how well your company secures your client's information, and the implications of how a breach of your own systems might affect those of your customer.

    Information Security is about protecting all of the information that the business needs to function and remain competitive - customer information (the target of GDPR) is a subset of that. When you get good at protecting all your information, GDPR becomes a bit less scary! Using protection like BitDefender is an absolute essential, but think about what information you hold and who it has value to, then consider the appropriate measures you might need to take to protect it. As with so much of life, plan for what you'll do if the worst were to happen.
     
    Posted: Mar 28, 2018 By: Excel Insights Member since: May 24, 2013