[metaslider id=2951] … Read More
From DarkReading – Kelly Sheridan – January 30, 2018
In the future of digital extortion, ransomware isn’t the only weapon, and database files and servers won’t be the only targets.
When we think of digital extortion, we typically think of ransomware. But cybercriminals now are looking outside ransomware for new ways to shake down organizations.
Cybercriminals have learned that many businesses will pay if a ransomware attack cripples their day-to-day operations. Ransomware drove the spike in digital extortion in 2017 and remains cybercriminals’ weapon of choice, according to a new Trend Micro study “Digital Extortion: A Forward-Looking View.”
But threat actors are exploring new extortion tactics. “Some of the attacks we’ve seen highlight a shift in the model itself,” says Trend Micro chief cybersecurity officer Ed Cabrera. “As we expand our digital footprint, I think it creates an enormous opportunity for attackers to identify areas where they can have immediate impact.”
The criminal extortion framework has been around in the physical world for a long time, he continues. Now, in the digital world, it’s just getting started. Attackers are learning their chances of getting paid increase exponentially if they target certain files, systems, or databases. While ransomware will remain popular, but other types of threats are starting to appear, according to Trend Micro.
Extortion attacks and critical infrastructure
“Going forward, you would be remiss to just focus on files,” says Cabrera. Cybercriminals will begin to leverage the growth of IoT, specifically industrial IoT, to extort money from victims. Businesses that need to be up and running at all times are especially vulnerable
If you have questions on how to protect your mission critical systems, contact us.
Over the Christmas holidays, the advertisements for Alexa, Google Home and similar were about ever other commercial on television. I have to admit I don’t really see a need to ask a personal digital assistant to turn on music, add something to a shopping list or tell me what the weather is like outside – but then again, I can see the attraction for some.
If you did receive a digital assistant or are thinking of getting one please read the following article:
AI in the Workplace: How Digital Assistants Impact Cybersecurity
Information Security – January 29, 2018 – Sage Singleton
Digital Assistants (sometimes seen as AIs) are becoming ubiquitous in living rooms and smartphones everywhere. Now, these devices are taking the leap to the business world. With Amazon’s announcement of the Alexa for Business Platform, AIs may soon be able to assist with everything from conference calls to office supply orders. All that utility may come at the cost of security, however, since these AI devices are vulnerable to potential hacking.
Digital Assistants Enter the Business World
Digital assistants have exploded in popularity over the last two years. Amazon’s Echo devices were the website’s number-one-selling product last year, and Google and Apple are eyeing increasing market shares as new developments for Google Home and Apple HomeKit close the AI gap.
Amazon has made recent moves to conquer the small business market and is the first in the burgeoning AI industry to attempt to do so. The Alexa for Business Platform brings additional functionality (Alexa’s “skills”) to offices everywhere. There are still some hurdles for the technology; lingering privacy concerns leave some businesses wondering whether the addition of a digital assistant will leave their company vulnerable to a security breach.
Digital Assistants and Security
Digital assistants like Alexa, Google Assistant, and Siri use voice recognition technology as their primary interface. This means they are always listening, even when they are not in use. For a hacker, this makes any digital assistant a potential listening device, a security flaw that was proven in a report released by British security researcher Mark Barnes. With access to the microphone, corporate espionage and identity theft are real concerns.
Privacy is another major hurdle before digital assistants gain widespread adoption in the corporate world. Private data exchanges can use a protocol called end-to-end encryption, which restricts data access to just the sender and receiver.
Unfortunately, end-to-end encryption is not always the default, and many devices and programs don’t use it, leaving any collected data open to mining by third parties — Google’s Allo messaging app uses voice recognition technology without end-to-end encryption.
A team from Zhejiang University found another startling vulnerability for digital assistants using ultrasonic signals. Aptly named the DolphinAttack, the technique uses ultrasonic frequencies above the human hearing range to issue commands to nearby AIs. The attack effectively turns these devices into a backdoor, since a hacker can simply ask a device equipped with Alexa, Siri, or Google Assistant to visit a phishing website, call a phone number, or disable a web-connected security system.
Businesses are increasingly finding themselves the target for these types of attacks. In a process called “whale phishing”, hackers specifically target high-value individuals in corporate offices for phishing scams, identity theft, and more. Larger businesses are vulnerable since they offer hackers bigger targets for these types of breaches.
Protecting Your Business from Attack
The Better Business Bureau’s 2017 survey of cybersecurity issues among small businesses reports that one out of five companies has been the victim of a cyber-attack. Many of these attacks can be traced to lost personal data like passwords or an employee’s identity, raising concerns for digital assistants and their potential use as listening devices.
Beyond general statistics, it’s hard to identify the frequency of hacks specifically related to digital assistants, but the vulnerabilities are hard to ignore. Web-connected devices of all types can potentially be used as entry points into secure systems; a North American casino was the victim of data theft using a Wi-Fi connected fish tank. Barnes recommends not putting smart devices in spaces where compromising information could be overheard.
If the benefits of a digital assistant outweigh the potential drawbacks, you can take steps to minimize your risk of a security breach, both physically and digitally. The Better Business Bureau’s survey shows that cyber-attacks can even come from internal employees. Implementing a prevention plan and a response plan can offer the best protection for your business.
The Future of AIs and Cybersecurity
The rapid development of machine learning and voice-powered AIs points to a rapidly changing future. Chips developed by MIT hint at the development of digital assistants that no longer require a web connection to process AI-related tasks like voice recognition, potentially closing many of the security flaws these devices possess.
Whether these devices can overcome their security flaws and mainstream into the corporate world is unclear, but the rapid development of their underlying technologies indicates big changes on the horizon for offices everywhere. Some of the concerns about listening devices may also be exaggerated; as Barnes reminds readers in his article, almost all of us already have a smartphone mic in our pocket that we are okay with.
Businesses have cause to celebrate the benefits of technology – but fear it as well – as cyber-security journalist Tom Reeve explains.
From word processing, accounting packages and emails to process automation, just in time shipping and online sales and marketing, the hardware and software that drives modern businesses have enabled massive jumps in productivity while driving down costs.
However, the very internet service (check this link right here now to know more) that enables your business – your entire IT infrastructure from the boardroom to the shop floor – may be hijacked by attackers to eat your organisation from within. This goes beyond losing control of your Twitter account or the front page of your website being defaced – it is a battle for your data and your money.
You may consider cyber-security as an IT issue or something that falls under the remit of the audit committee, but IT is everywhere and organisations ignore cyber-security at their peril – just ask TalkTalk, Tesco Bank and Camelot, to name just a few.
In a series of articles I will look at who these attackers are, what they are looking for and how you and your board of directors can fight back against the hackers.
But first, let’s take a quick tour through 10 of the biggest threats facing organisations, large and small.
1. Network infiltration is the basis for many high-profile attacks, and it involves exploiting weaknesses in software, systems, hardware or staff to gain privileged access to servers and workstations. There are many ways to hack your network and cyber-security experts will tell you that it’s not a matter of if you get hacked – but when.
Once the attacker has gained entry to a trusted device on your network, then he’s spoilt for choice: steal the data on the computer, spy on the user to glean further usernames and passwords to other devices, lock the user out (see ransomware) or exploit weaknesses in the corporate network to force his way into other machines. Or he could harness the machine as part of a botnet, using it to send spam or attack computers outside your network.
Last year, it was revealed that Australian government systems, including a branch of the Defence Department, had been infiltrated repeatedly in the past five years, leading to the loss of plans for a geostationary satellite system among other things.
2. Ransomware is pretty much what it says on the tin, a new wrinkle on an attack that’s about as old as humanity itself. Ransomware is notable for being the one cyber-attack that goes out of its way to advertise itself. While other malicious software conceals itself, ransomware only hides for as long as it takes to encrypt your files. Then it launches a big banner proclaiming your new status as its victim.
Ransomware creators are noted for their excellent “customer” service. Their business model relies on teaching the victim how to do something that they probably haven’t done before: purchase bitcoins. They often include tutorials and even videos detailing each step.
Angela Sasse, professor of human-centred security at UCL, has interviewed victims about their experience of being attacked, and she says they often rave about how helpful the ransomers have been. However, this is to miss the point: by paying them, you are supporting their criminal business model and the advice from law enforcement, at least officially, is not to pay.
3. Trojan horses are a class of attack in which the harmful payload is hidden inside another ‘beneficial’ program, the most insidious examples of this being programs that claim to rid your computer of viruses or fix common configuration problems. Once downloaded, they will often ask for administrator rights on your device, be it a desktop, tablet or mobile phone.
Having enslaved your machine, a Trojan will typically open a connection to the internet and attempt to connect to a command and control server. Sometimes it will lie dormant, making it harder to detect and investigate the source of the attack. But when he’s ready, the attacker can download his choice of malware including keyloggers for sniffing passwords, botnet controllers to turn your machine into a DDoS robot and network intrusion tools to gain access to other machines.
Some Trojans have even been known to eliminate the competition by installing antivirus software and cleaning out other malware it finds on its host. Trojans are an effective and popular way to control computers, and even intelligence agencies have been known to employ them.
In the past year we have seen Trojans which bypass security on the Chrome browser, target customers of online Russian banks and even one designed to manipulate currency rates.
4. Phishing is an attack on your staff aimed at luring them into giving away passwords and other sensitive information. Dressed up as an email from a trustworthy source, it can appear to come from someone the person knows such as a friend or colleague or a bank or government agency.
Through training and vigilance, the incidence of successful phishing attacks can be reduced, but even so, the most savvy of users can fall for this attack if they aren’t paying attention.
Phishing attacks are usually sent to thousands of users at a time, but a more refined version of the attack, called spear-phishing, targets individuals. After carefully researching their victim, often using sources such as social media and publicly available corporate records, the attacker will write an email that sounds as if the the sender knows the recipient personally.
Phishing and spear-phishing were used to gain access to the email accounts of Democratic Party officials in the US ahead of the presidential election, and is also the most common type of malicious email that most people receive. Learning to spot them is one of the most effective skills you can learn for online survival.
5. Whaling is considered a variation of phishing even though it doesn’t contain any malware. Instead, it seeks to deceive the recipient into believing that it was written by a trusted figure – such as the company boss or a supplier – with instructions for wiring money.
In one well-known case, Ubiquiti, a manufacturer of network devices, was scammed out of $46.7 million ( 37 million) by “an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” according to an SEC filing.
And slightly closer to home, last year, two European manufacturers – Leoni AG and FACC – lost €40 million each in separate whaling attacks. In the case of FACC, the CEO and CFO were both sacked.
6. Supply chain attacks come from trusted suppliers who have privileged access to your corporate network. Organisations often trust their suppliers with sensitive information and access to their internal organisation while forgetting that suppliers don’t always have perfect control over their own IT networks.
In one well-known case in 2013, Target Stores in America was compromised by an HVAC service provider which had access to the retailer’s internal networks through a purchase order management system. Attackers gained access to Target through the HVAC supplier and then waited several months, until the Black Friday shopping weekend, to launch a massive attack against thousands of point-of-sale terminals, stealing details on 110 million people.
7. Zero-day vulnerabilities are a class unto themselves. All software packages are thought to have vulnerabilities, and responsible developers patch them as quickly as they can once they become aware of them. Responsible disclosure is a process whereby security researchers inform companies of the problem and give them the opportunity to patch the problem before it is announced to the wider computing community.
However, malicious researchers, sometimes called black hats, don’t disclose vulnerabilities when they discover them because hidden vulnerabilities are valuable. Zero-days – so-called because developers have zero days to respond to them – are traded by criminal groups and even nation states for up to half a million dollars in some cases.
However, most organisations don’t need to worry about zero-days for the simple reason that they only retain their value for as long as they remain unknown. The more a zero-day is used, the more likely it is to be discovered. Organisations need only ask themselves, are we worth a zero-day attack? If not, move on – there are enough other things to worry about.
8. Vulnerable equipment and software is less about deliberate attacks and more about manufacturers’ sloppy security practices. In the rush to get a product to market, or keep costs as low as possible, security often takes a backseat.
When acquiring new hardware or software, ask yourself if you can trust the supplier. A little research on the internet can reveal whether the manufacturer has been cited in many security research reports. You may also want to hire Denver IT services or others in your location so that there’s someone to keep an eye on everything software-related.
Not only should you look for reliable equipment and software, but you should also look for an ISP who will not misuse your data. You can use a VPN on your device to secure your data as well. It’s best to go with a reputable internet service provider (like viasat satellite internet). You can also consider the add-on features provided by many ISPs, such as providing an internet connection in addition to antivirus, to protect your device from external malware.
Even brand names are not immune. It was recently revealed that Honeywell SCADA controllers – network-connected devices for controlling industrial processes – contained insecure password data and were also vulnerable to “path traversal” attacks. And CISCO regularly publishes security alerts alongside software updates, detailing vulnerabilities that it has discovered and fixed.
9. BYOD are those personal devices that staff use to connect to your network. Whether it’s a mobile phone or a tablet, every time you allow a member of staff to connect their device to your network, you are shaking hands with a computer of unspecified pedigree and unknown hygiene.
Consider why you are allowing these mobile devices to access your network, and if it is just to allow them to use the Wi-Fi, consider setting up an isolated network for this purpose.
10. Denial of service is an attack that can bring your website or cloud services grinding to a halt. A common attack method, known as distributed denial of service (DDoS), typically employs a botnet of thousands of compromised computers to flood a victim’s server with packets of useless information.
The target becomes bogged down in the sheer number of requests it is forced to handle in attacks lasting minutes or days, slowing and sometimes crashing the device.
In a new wrinkle on this tried and tested attack, attackers are using the Mirai malware to take over internet-connected CCTV cameras and digital video recorders and launching the biggest DDoS attacks ever seen. Last year, Twitter, Spotify, Netflix, Amazon and Reddit were among the many websites taken offline for several hours by an attack on the Dyn DNS service which appears to have been enabled, at least in part, by a Mirai botnet.
So there you have it – ten cyber-threats facing your organisation.
Threats evolve. One of the first companies I was working for was hit by a ‘denial of service’ attack, an email was sent to a friend of mine which had a script that made sheep dance all over your screen. It was pretty amusing so she decided to send it to the distribution list in the office. Let’s just say that the system administrators were not amused, as it brought the network down completely, and took the afternoon to bring everyone back up. This was in 1995. Now security did evolve to a certain extent, this type of attack would have been caught by either your UTM, email security appliance or end point solution. Over the course of several years, security solutions did evolve – firewalls, end point, network access control and logging. In the early 2000’s, the terms SIM, SEM and SIEM were the rage, and the next best thing for organizations to battle against threat actors, as it was a great solution to review all of the events from your network in one centralized location. That was also when you could back up your logs to a CD.
Fast forward to today, we have embraced BYOD, Cloud technology, IoT devices, and no one actually picks up the phone any more – email or texting is the communication tool providing immediate gratification. (anyone remember what a telex machine is). This explosion of technology, and reliance on said technology, has completely altered the threat landscape. Organizations are subject to ransomware, trojans, APT’s, insider threats and more – which ‘can’ make it through your defenses, and be hard to detect and remediate.
In a recent article from Dark Reading by Kelly Sheridan, it identifies that the current SIEM systems have flaws, and while reading this, I was not surprised. Almost any product that collects event logs identifies themselves as an SIEM, and some SIEM’s now promote the security analytics more than logging portion of the product. In addition, the introduction of a new acronym – SOAPA – which stands for security operations and analytics platform architecture (Network World, November 29, 2016), was created to distinguish themselves from SIEM.
Advances for the SIEM is not moving at the same speed as the threats, or taking into account different threat vectors. Typically event data is sent from the host devices, using either standard syslog or through the use of an agent, to a repository of some sort. This event data is then queried using a set of correlation rules, that will then initiate an alert or a response of some sort. While most SIEM’s identify that they have huge libraries of pre-built reporting, they need to be refined to accommodate your organization AND they need to be regularly reviewed to ensure that any new “threats” will be discovered, and alerted on or have a response of some sort created.
While for some attacks the SIEM will most definitely be advantageous to the organization, and of course, if you are required to collect and monitor logs for a compliance requirement it is a necessity, however the threats today take into account how these platforms work. The threat actors are meticulous; and look at ways to evade the traditional security platforms.
The growth in products that are deemed to include security analytics/behavioural analysis can assist organizations in determining if network activity is malicious. The products look at the typical activity of a network over time, baseline it, and then can provide a relatively good assumption when the activity deviates that there is a potential issue at hand.
By combining behavioural analysis/security analytics, machine learning and threat intelligence, an organization will be provided a more comprehensive review of activity on your network. Using a system that is not based on rules, but rather looking holistically at all of the users, devices, applications and how they all interact, running it through algorithms and machine learning techniques – this will provide a more accurate detection of a threat.
To find out more, contact us.
Ransomware is already a problem. The Internet of Things has had a number of security issues. What happens when the two combine?
Ransomware had a breakout year in 2016, making headlines as it affected everything from hospitals to police stations. At the same time, attacks against Internet of things (IoT) devices — home appliances, toys, cars, and more, all brimming with newly exploitable connectivity — have continued to proliferate.
Most information security professionals agree that ransomware and IoT hacks will continue to increase in frequency, but one less obvious development that could be on the horizon is a convergence of both of these attack methods. So, what could the implications of an IoT ransomware attack be?
To answer this question, we first need to consider the potential target of an IoT ransomware attack. Ransomware usually goes after computers and networks that house the mission-critical data necessary to maintain the day-to-day operations of a business. Such targeting ensures that once this data has been encrypted and rendered useless, the organization has adequate incentive to purchase the cryptocurrency (typically Bitcoin) being demanded by the hacker to release its data.
Luckily for us, many IoT devices don’t qualify as mission critical, as I doubt any parent is going to fork over a ransom to unlock their child’s Hello Barbie. But there are certain devices that perform critical functions and therefore could meet this criterion. As IoT becomes more widespread and increases in sophistication, the number of potentially lucrative targets will only increase. Unlike with traditional ransomware, attackers that hijack IoT devices can not only compromise the data collected through a device’s sensors, but could also render a critical device’s physical functions inaccessible — greatly increasing the chances that a victim will pay up.
One device that is currently ripe for exploitation is the connected thermostat. Products like Nest and Ecobee remotely monitor and regulate the temperatures of homes. If compromised by hackers, they could be used to blast the air conditioning during a blizzard or crank up the heat in the middle of a July heatwave. Although this may seem like an inconvenience rather than a catastrophe for a typical homeowner, when applied to business environments, the stakes are raised. For example, an attacker who gains control of the HVAC systems of a large building could theoretically increase an organization’s electricity bill to the point where paying a ransom becomes a practical and cost-effective alternative.
The same reasoning behind the thermostat example can be applied to a wide range of other IoT devices. It wouldn’t be difficult to imagine a hijacked smart lock taking on a mind of its own or a connected lightbulb refusing to illuminate. However, one can also imagine more disturbing scenarios arising from advanced IoT use cases, such as connected cars and smart cities. In such cases, a successful ransomware attack could extend well beyond a minor inconvenience, exposing affected victims to potentially dangerous or even life-threatening consequences.
However, IoT isn’t a lost cause altogether. As with any emerging technology, IoT device vendors need to work out the security bugs in their products, and they’re already beginning to do so. For every snooping Barbie discovered and connected car hacked, the industry moves one step closer to achieving the level of security that enterprise customers need. Similar to how the Target breach was a wake-up call for retailers, the IoT industry will inevitably be hit with an attack of a similar scope, whose repercussions will in turn serve as a major catalyst for industry-wide change.
Until we see this change, though, IT teams tasked with deploying connected devices must become more aware of the issues around IoT security and keep these in mind when deciding which devices to buy and deploy in their organizations. If your business can survive the next couple of years without going all in on IoT, it might be worth postponing purchases until the technology, especially the security, of these devices has evolved.
But if you absolutely can’t wait, there are several considerations that are critical when purchasing a new device. These include:
- Assess how easy it is to change default credentials. Many IoT-enabled devices, such as the Internet-enabled cameras that made up the Mirai botnet, are insecure because their owners never think to change the password. You wouldn’t do that with your new laptop, would you?
- Disable any insecure protocols. Not all devices are created equally, and device makers that fail to invest in secure protocols must be avoided. Right now, there is a lack of standards for what makes an IoT device secure, so it’s up to buyers to assess what makes the device tick. For example, many vulnerable webcams were reported in 2016, due to a Real Time Streaming Protocol that enabled video sharing but didn’t require a password for authentication.
- Evaluate the recovery process. Many devices can have factory settings reset with one click, while others may require manufacturer involvement. Worse yet, in some cases, recovery may be impossible, forcing users to pay the ransom as a last resort. It’s up to buyers to understand the recovery process for the devices they own, and to create a contingency plan should one of them be compromised.
Whether you end up making the plunge into IoT or waiting until the kinks are worked out, the threats posed by Internet-connected devices are real. That being said, IoT is here to stay, so it’s up to us to ensure it isn’t allowed to compromise the security of our future.