Tuesday, 6 December 2016

Cyber security in 2016 – why is it still not happening? [Link - ITProPortal]

I was asked to write an article reviewing the cyber security challenges for 2016. Here is the article that was published on the ITProPortal website:

===================================

It's 2016, and businesses are generally still not taking security seriously.


Perhaps the surprising, and damning, thing about 2016 in terms of security is that businesses are generally still not taking security seriously. Nobody wants to admit to being slack when it comes to cyber security, but the indisputable fact is that during 2016, many organisations simply didn’t show up, whatever they claimed.  

The basics are still not being done. Updates aren’t being applied, patching strategies are not in place, admin credentials are easy to find. Let’s be blunt: people are still trying to do security on the cheap, using, for example, free antivirus software. This was most evident in the amount of ransomware that infected companies.

A Trend Micro report claimed that 45 per cent of UK businesses were hit by ransomware this year. We believe the figure is much higher, closer to 60 or 70 per cent. 


Ransomware scourge


In the US, hospitals have paid massive amounts of money when their databases have been encrypted by ransomware. The Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom for the decryption key for patient data. It was infected by the delivery of an email attachment disguised as a Microsoft Word invoice. In the UK some hospitals had to cancel operations.  

Hundreds of planned operations, outpatient appointments, and diagnostic procedures were put on hold at multiple hospitals across Lincolnshire.  The damage done by ransomware in 2016 is largely attributable to the infamous Locky and its many variants. It was first identified in February and made it to the top of the ransomware charts only two weeks later. 

It initially used malicious macros in Office documents to infect its victim’s computer, and these documents were distributed attached to spam emails. Locky has been through several versions since then. A new version was released on October 24, and less than 24 hours later yet another version was launched. It’s carried through phishing campaigns, and the email subjects are centred on pay cheques, receipts, invoices, orders, or wrong credit card charges, all of which are themes designed to fool recipients into opening attached files.
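The delivery pattern described above (a lure subject about invoices, receipts, pay cheques or card charges, plus a macro-capable Office attachment from an outside sender) is something a mail gateway can triage on. The script below is an added example written for this post, not code from the article or from any vendor; it assumes a made-up gateway log format, an internal domain of `corp.example`, and a fixed list of macro-capable Office extensions, and runs over constructed sample lines.

```python
"""Triage mail-gateway log lines for Locky-style lures: invoice/receipt-themed subjects
carrying macro-capable Office attachments from external senders (detection only)."""
import re

# Lure themes named in the article: pay cheques, receipts, invoices, orders, card charges.
LURE = re.compile(r"\b(pay\s?cheque|payslip|receipt|invoice|order|credit\s?card|charge)\b", re.I)
# Office extensions that can carry VBA macros (assumed list for this example).
MACRO_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm")
INTERNAL_DOMAIN = "corp.example"  # assumption: our own mail domain

# Assumed gateway log format: <ts> from=<addr> subject="<text>" attach="<name or empty>"
LINE = re.compile(r'^(?P<ts>\S+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)" attach="(?P<attach>[^"]*)"$')

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def classify(event):
    """Return 'block', 'review' or 'allow' for one parsed gateway event."""
    external = not event["sender"].lower().endswith("@" + INTERNAL_DOMAIN)
    lure = bool(LURE.search(event["subject"]))
    macro = event["attach"].lower().endswith(MACRO_EXTS)
    if external and lure and macro:
        return "block"      # lure theme + macro-capable attachment from outside
    if macro and external:
        return "review"     # macro-capable attachment from outside, no lure theme
    return "allow"          # internal sender, or no macro-capable attachment

def scan(log_text):
    """Map each parseable line to (subject, verdict); malformed lines are skipped."""
    results = []
    for line in log_text.splitlines():
        evt = parse_line(line)
        if evt:
            results.append((evt["subject"], classify(evt)))
    return results

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2016-10-24T08:12:03Z from=billing@invoices-example.biz subject="Invoice INV-00428 overdue" attach="INV-00428.docm"
2016-10-24T08:14:41Z from=hr@corp.example subject="October pay cheque summary" attach="payroll-oct.xlsm"
2016-10-24T08:15:09Z from=shop@retailer.example.net subject="Your receipt" attach="receipt.pdf"
2016-10-24T08:16:55Z from=partner@vendor.example.org subject="Agenda for Thursday" attach="agenda.doc"
this line is deliberately malformed and is skipped
"""

if __name__ == "__main__":
    for subject, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:6} {subject}")
```

The internal payroll spreadsheet is allowed and the external invoice is blocked, while a macro-capable document with no lure theme is queued for review rather than dropped, which is the trade-off a gateway rule like this has to make.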

Heads in the sand


In a sense it’s staggering that people are still falling for these tricks, given the publicity about ransomware dangers. There still seems to be a general mindset that ‘it will never happen to me’, when it clearly is happening to lots of businesses and individuals. It’s frustrating because basic security measures offer protection. Being on the front line we tend to get a good sense of what is happening on the ground, and it can be best summed up with the phrase ‘blind panic’ when a company is hit.

But this lack of awareness, or ‘head in the sand’ scenario, is also playing out across other areas. Security in 2016 can also be defined by the large number of repeat attacks that have taken place, where organisations were hit again after an earlier breach. Ransomware is included in this but it’s not exclusive. Yahoo is perhaps one of the biggest culprits.

In 2012, a security breach exposed 450,000 usernames and passwords from a site on the huge web portal with the company failing to take even basic precautions to protect the data. Two years later it happened again with 500 million account details stolen.

Enormous DDoS attacks


Yahoo cried ‘state-sponsored actor’ in its defence, but clearly it’s still not adequately protecting its customer data. This defence is usually code for ‘don’t blame us, it was a really sophisticated attack’. And Yahoo only came clean in 2016. These serious errors are clearly an illustration of some fundamental flaws at the online giant. Is it any wonder that it’s gone from an operation worth close to $100 million at its peak to today’s valuation of $4.8 million?

Another large 2016 security event, which ironically few noticed at the time, was the largest DDoS attack recorded, a whopping 540Gbps directed at public facing websites belonging to organisations affiliated with the 2016 Rio Olympics. These attacks were sustained, sophisticated, and actually started months before the Olympics began.  

These attacks were clearly aimed at the global stage and foreshadowed the equally massive IoT botnet based DDoS attacks which, in contrast, caught the attention of the mainstream media because they were launched from compromised everyday household devices such as internet connected video recorders and cameras.  

Plundering millions


The industry at large has been warning about the parlous state of IoT security for some time, but it seems no one really wants to listen until an attack hits home and hurts bank balances.

The hack of Swift’s global payments network that resulted in $81 million being siphoned from Bangladesh’s central bank was also noteworthy due to the huge amounts of money involved. Hackers also exploited the Swift system to steal a reported $10 million from an unnamed bank in Ukraine, while back in Bangladesh an eye-watering $1 billion cyber theft was only stopped when an eagle-eyed employee spotted a typo.

In an ironic way it’s almost fitting that a hack to see out 2016 was the attack on Tesco Bank. The company was forced to repay £2.5 million of losses to 9,000 customers in a heist described as ‘unprecedented’ by regulators. It may seem small when compared to the Swift system hacks, but it is worrying that the company apparently ignored warnings that its vulnerable software was being targeted by cyber criminals for months before the attack. What is just as shocking is that the bank didn’t even encourage two-factor authentication for its customers.

How many more financial organisations are going to be nailed by cyber thieves before the message gets through? If the EU General Data Protection Regulation, which is due to come into effect in 2018, had been in force, Tesco would have been hit by a fine of up to £1.9bn. And who could say that Tesco and other organisations with terrifyingly lax cyber security wouldn’t deserve it?

Monday, 5 December 2016

Cyber-security in 2017 – brace yourself [Link - ITProPortal]

I was asked to gaze into my crystal ball and write a piece around the Cyber Security challenges for 2017.  Here is the article as it appeared on the ITProPortal website: 

=================================

If there’s one thing you can say with certainty about cyber-security in 2017, it’s that many companies are going to fail because they are simply not doing the right thing. Fundamental flaws still exist.


It's about the business


Until the technical people lift their heads up and see that security and business are different sides of the same coin, we will inevitably see more damaging attacks. When security people learn to speak in the language of business they will begin to understand just where in the organisation they need to apply their expertise. 

This might mean smart configuration options, cautious security policies, vigilance, and a willingness to read server logs every morning, the way some people read the newspaper, in order to identify targeted attacks.

Of course, this won’t stem the malware tsunami, but it will help defend against it. Leading the malware charge in 2017 will be ransomware. Like 2016 it will be more of the same, with an important and fundamental exception: ransomware will be more sophisticated.

Advanced attack vectors


Encryption keys are becoming more complex while ransomware attack vectors are becoming alarmingly advanced. Ransomware can mount previously mapped drives, encrypt them, and then unmount them, reaching deeper into the network.  

However, the efficiency of ransomware as a tool for fraud will also be slowly undermined. One misconception about ransomware is that once the ransom is paid, the victim receives the keys to unlock their files. Increasingly we are seeing instances of this not happening. The fraudsters are simply taking the money and running.

Criminals dumbing down


As ransomware is now available as-a-service, it is reaching down into the lower levels of the criminal underworld and organised crime networks. The type of villain who uses the ‘service’ might previously have been involved with keeping crooked books, for instance.

As such they can’t be bothered to send decryption keys, which of course will erode the value of ransomware as victims increasingly refuse to pay the ransom.

IoT security


Another major area of concern is the security of IoT devices. It’s fair to say that the existing state of device security isn’t great. Some devices are managed by web consoles that don’t even have encryption. Some devices have passwords hard-coded into them that you can’t change. It would be good to see manufacturers take some responsibility, but this is unlikely as they operate with tight margins and are unlikely to take on tasks that eat into thin profits.

If we’re lucky, we will see the emergence of pressure groups consisting of industry vendors and third parties who are no longer willing to sit back and watch major hacks unfold. 

Questioning machine learning


Another area to keep an eye on is machine learning. As with any new technology, it’s usually proclaimed with a loud fanfare and exaggerated claims that often fall just short of guaranteeing freedom for all and world peace. In terms of security, machine learning does promise a lot of potential, but when you drill down some serious questions need to be asked.

In 2017 we’re likely to see these questions put forward with some force, as it becomes apparent that machine learning in the security realm has flaws. For instance: how are the machines learning? Are millions of good and bad results being fed into the machine to ensure accurate analytics? And what kind of input is coming from security labs and research teams?

These are important questions, and with the advent of next-generation endpoints, such as mobile devices and laptops designed to respond to machine learning, security in depth is vital to ensure success. If machine learning vendors can’t answer these questions with confidence, then you can expect to see machine learning and security take a dive.

Shock of GDPR


An area where you can expect to see panic break out is the European Union’s General Data Protection Regulation, or GDPR as it’s more commonly known. At the moment UK organisations are displaying naivety towards GDPR, which comes into effect in May 2018. Many are hiding behind Brexit and taking the view that the UK won’t be in the EU come May 2018, so GDPR won’t affect them. However, if a business operates in Europe, it will.

To meet GDPR requirements, measures need to be put in place in 2017. Many companies have already finalised budgets for 2017 but haven’t made any provision for GDPR. With no budget provision, there’s going to be an awful lot of flapping when companies realise that they are nowhere near compliance-ready.

Big fines, big panic


GDPR also reaches up to the board, and any data breach can result in enormous fines of up to 4 per cent of revenue. This can, and in some cases will, translate to fines that run into millions of pounds. Are executive directors aware that if they show negligence in protecting customer data they’re going to be hit really hard?

In summary, it would be uplifting to say that we’re not going to see any more major breaches, that fundamental flaws will be addressed, that new technologies are going to change the security landscape for the better and everyone is set for GDPR. In reality, while we will see some positives we also need to prepare our businesses for more breaches and more hacks.