Businesses have cause to celebrate the benefits of technology – but fear it as well – as cyber-security journalist Tom Reeve explains.
From word processing, accounting packages and email to process automation, just-in-time shipping and online sales and marketing, the hardware and software that drive modern businesses have enabled massive jumps in productivity while driving down costs.
However, the very technology that enables your business – your entire IT infrastructure from the boardroom to the shop floor – may be hijacked by attackers to eat your organisation from within.
This goes beyond losing control of your Twitter account or the front page of your website being defaced – it is a battle for your data and your money.
You may consider cyber-security as an IT issue or something that falls under the remit of the audit committee, but IT is everywhere and organisations ignore cyber-security at their peril – just ask TalkTalk, Tesco Bank and Camelot, to name just a few.
In a series of articles I will look at who these attackers are, what they are looking for and how you and your board of directors can fight back against the hackers.
But first, let’s take a quick tour through 10 of the biggest threats facing organisations, large and small.
1. Network infiltration is the basis for many high-profile attacks, and it involves exploiting weaknesses in software, systems, hardware or staff to gain privileged access to servers and workstations. There are many ways to hack your network and cyber-security experts will tell you that it’s not a matter of if you get hacked – but when.
Once the attacker has gained entry to a trusted device on your network, then he’s spoilt for choice: steal the data on the computer, spy on the user to glean further usernames and passwords to other devices, lock the user out (see ransomware) or exploit weaknesses in the corporate network to force his way into other machines. Or he could harness the machine as part of a botnet, using it to send spam or attack computers outside your network.
Last year, it was revealed that Australian government systems, including a branch of the Defence Department, had been infiltrated repeatedly in the past five years, leading to the loss of plans for a geostationary satellite system among other things.
2. Ransomware is pretty much what it says on the tin, a new wrinkle on an attack that’s about as old as humanity itself. Ransomware is notable for being the one cyber-attack that goes out of its way to advertise itself. While other malicious software conceals itself, ransomware only hides for as long as it takes to encrypt your files. Then it launches a big banner proclaiming your new status as its victim.
Ransomware creators are noted for their excellent “customer” service. Their business model relies on teaching the victim how to do something that they probably haven’t done before: purchase bitcoins. They often include tutorials and even videos detailing each step.
Angela Sasse, professor of human-centred security at UCL, has interviewed victims about their experience of being attacked, and she says they often rave about how helpful the ransomers have been. However, this is to miss the point: by paying them, you are supporting their criminal business model and the advice from law enforcement, at least officially, is not to pay.
3. Trojan horses are a class of attack in which the harmful payload is hidden inside another ‘beneficial’ program, the most insidious examples of this being programs that claim to rid your computer of viruses or fix common configuration problems. Once downloaded, they will often ask for administrator rights on your device, be it a desktop, tablet or mobile phone.
Having enslaved your machine, a Trojan will typically open a connection to the internet and attempt to connect to a command and control server. Sometimes it will lie dormant, making it harder to detect and investigate the source of the attack. But when he’s ready, the attacker can download his choice of malware including keyloggers for sniffing passwords, botnet controllers to turn your machine into a DDoS robot and network intrusion tools to gain access to other machines.
Some Trojans have even been known to eliminate the competition by installing antivirus software and cleaning out any other malware they find on their hosts. Trojans are an effective and popular way to control computers, and even intelligence agencies have been known to employ them.
In the past year we have seen Trojans which bypass security on the Chrome browser, target customers of online Russian banks and even one designed to manipulate currency rates.
4. Phishing is an attack on your staff aimed at luring them into giving away passwords and other sensitive information. Dressed up as an email from a trustworthy source, it can appear to come from someone the person knows such as a friend or colleague or a bank or government agency.
Through training and vigilance, the incidence of successful phishing attacks can be reduced, but even so, the most savvy of users can fall for this attack if they aren’t paying attention.
Phishing attacks are usually sent to thousands of users at a time, but a more refined version of the attack, called spear-phishing, targets individuals. After carefully researching their victim, often using sources such as social media and publicly available corporate records, the attacker will write an email that sounds as if the sender knows the recipient personally.
Phishing and spear-phishing were used to gain access to the email accounts of Democratic Party officials in the US ahead of the presidential election, and phishing is also the most common type of malicious email that most people receive. Learning to spot them is one of the most effective skills you can learn for online survival.
5. Whaling is considered a variation of phishing even though it doesn’t contain any malware. Instead, it seeks to deceive the recipient into believing that it was written by a trusted figure – such as the company boss or a supplier – with instructions for wiring money.
In one well-known case, Ubiquiti, a manufacturer of network devices, was scammed out of $46.7 million (£37 million) by “an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” according to an SEC filing.
And slightly closer to home, last year, two European manufacturers – Leoni AG and FACC – lost €40 million each in separate whaling attacks. In the case of FACC, the CEO and CFO were both sacked.
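The phishing and whaling sections above describe the same tell-tale signs a mail gateway or a vigilant finance team can look for: a trusted name on an outside address, a domain one keystroke away from your own, replies quietly redirected elsewhere, and instructions to move money. The following Python script is an added example written for this article, not code from the author or any product mentioned; the company domain, the executive names and the three sample messages are all invented, and the scoring thresholds are an assumption.

```python
from email.utils import parseaddr

# Constructed data for this example (not real people or domains): the
# organisation's own mail domain and the senior staff a whaling mail is most
# likely to impersonate.
CORPORATE_DOMAIN = "example-widgets.com"
EXECUTIVES = {"jane doe": "CEO", "rahul patel": "CFO"}

# Phrases that go with "instructions for wiring money".
PAYMENT_PHRASES = ("wire transfer", "bank details", "urgent payment", "new account")

def _domain(addr):
    """Lower-cased domain of an address like 'Name <user@host>'; '' if absent."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""

def _levenshtein(a, b):
    """Edit distance, used to catch look-alike domains (exanple- vs example-)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_email(msg):
    """Return (score, reasons) for one message given as a dict with the keys
    From, Reply-To, Subject and Body. Each reason is one heuristic that fired;
    anything scoring 2 or more deserves a phone call before money moves."""
    reasons = []
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()

    # 1. A known executive's name on an address outside the company.
    if display.lower() in EXECUTIVES and from_dom != CORPORATE_DOMAIN:
        reasons.append(f"'{display}' ({EXECUTIVES[display.lower()]}) sending from {from_dom!r}")
    # 2. A domain that is one or two keystrokes away from ours.
    for dom in {from_dom, reply_dom} - {"", CORPORATE_DOMAIN}:
        if _levenshtein(dom, CORPORATE_DOMAIN) <= 2:
            reasons.append(f"{dom!r} resembles {CORPORATE_DOMAIN!r}")
    # 3. Replies are quietly redirected somewhere other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    # 4. The mail is about moving money.
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        reasons.append("payment language: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample messages: two impersonation attempts and one benign mail.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@gmail.com>", "Reply-To": "",
     "Subject": "Urgent payment request",
     "Body": "Please arrange a wire transfer today, I am in a meeting all day."},
    {"From": "Rahul Patel <rahul.patel@example-widgets.com>",
     "Reply-To": "rahul.patel@exanple-widgets.com",
     "Subject": "Supplier bank details",
     "Body": "Our supplier has moved to a new account, please update it before Friday."},
    {"From": "Widgets Weekly <news@newsletter.example>", "Reply-To": "",
     "Subject": "March product update",
     "Body": "Read about this month's new features."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = assess_email(msg)
        print(score, msg["From"], reasons)
```

The first sample trips the "executive on a webmail address" and "payment language" checks; the second comes from a genuine internal mailbox but redirects replies to a look-alike domain, which is why the Reply-To and edit-distance checks matter even when the From address is real. None of this replaces the control that actually stops whaling, a second person confirming any change of bank details by phone, but it gives the finance team an automatic reason to pause.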
6. Supply chain attacks come from trusted suppliers who have privileged access to your corporate network. Organisations often trust their suppliers with sensitive information and access to their internal organisation while forgetting that suppliers don’t always have perfect control over their own IT networks.
In one well-known case in 2013, Target Stores in America was compromised by an HVAC service provider which had access to the retailer’s internal networks through a purchase order management system. Attackers gained access to Target through the HVAC supplier and then waited several months, until the Black Friday shopping weekend, to launch a massive attack against thousands of point-of-sale terminals, stealing details on 110 million people.
7. Zero-day vulnerabilities are a class unto themselves. All software packages are thought to have vulnerabilities, and responsible developers patch them as quickly as they can once they become aware of them. Responsible disclosure is a process whereby security researchers inform companies of the problem and give them the opportunity to patch the problem before it is announced to the wider computing community.
However, malicious researchers, sometimes called black hats, don’t disclose vulnerabilities when they discover them because hidden vulnerabilities are valuable. Zero-days – so-called because developers have zero days to respond to them – are traded by criminal groups and even nation states for up to half a million dollars in some cases.
However, most organisations don’t need to worry about zero-days for the simple reason that they only retain their value for as long as they remain unknown. The more a zero-day is used, the more likely it is to be discovered. Organisations need only ask themselves, are we worth a zero-day attack? If not, move on – there are enough other things to worry about.
8. Vulnerable equipment and software is less about deliberate attacks and more about manufacturers’ sloppy security practices. In the rush to get a product to market, or keep costs as low as possible, security often takes a backseat.
When acquiring new hardware or software, ask yourself if you can trust the supplier. A little research on the internet can reveal whether the manufacturer has been cited in many security research reports.
Even brand names are not immune. It was recently revealed that Honeywell SCADA controllers – network-connected devices for controlling industrial processes – contained insecure password data and were also vulnerable to “path traversal” attacks. And Cisco regularly publishes security alerts alongside software updates, detailing vulnerabilities that it has discovered and fixed.
9. BYOD (bring your own device) refers to the personal devices that staff use to connect to your network. Whether it’s a mobile phone or a tablet, every time you allow a member of staff to connect their device to your network, you are shaking hands with a computer of unspecified pedigree and unknown hygiene.
Consider why you are allowing these mobile devices to access your network, and if it is just to allow them to use the Wi-Fi, consider setting up an isolated network for this purpose.
10. Denial of service is an attack that can bring your website or cloud services grinding to a halt. A common attack method, known as distributed denial of service (DDoS), typically employs a botnet of thousands of compromised computers to flood a victim’s server with packets of useless information.
The target becomes bogged down in the sheer number of requests it is forced to handle in attacks lasting minutes or days, slowing and sometimes crashing the device.
In a new wrinkle on this tried and tested attack, attackers are using the Mirai malware to take over internet-connected CCTV cameras and digital video recorders and launch the biggest DDoS attacks ever seen. Last year, Twitter, Spotify, Netflix, Amazon and Reddit were among the many websites taken offline for several hours by an attack on the Dyn DNS service which appears to have been enabled, at least in part, by a Mirai botnet.
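The denial-of-service section above makes a point that is easy to miss from the boardroom: a botnet of thousands of compromised devices can bring a server down while no single device sends enough traffic to look suspicious on its own. The Python script below is an added example for this article, not code from the author or from any vendor; it reads ordinary web-server access-log lines and runs two checks side by side, a per-client count that catches a single flooder and a sliding-window total that catches the aggregate flood. The log lines are constructed for the example (the addresses, the date and the request volumes are invented) and the thresholds are assumptions to be tuned against your own normal traffic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.
# 198.51.100.1 - - [15/Jan/2017:13:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")

def detect_flood(lines, window_seconds=5, per_ip_limit=30, total_limit=100):
    """Two complementary checks over an access log.

    noisy_ips:      clients whose total request count exceeds per_ip_limit
                    (catches a single-source flood).
    peak_requests:  the most requests seen in any span shorter than
                    window_seconds (catches a botnet whose members each stay
                    under the per-client limit but together swamp the server).
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    per_ip = Counter(ip for ip, _ in events)
    noisy = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)

    window = timedelta(seconds=window_seconds)
    start, peak, peak_span = 0, 0, (0, 0)
    for end, (_, ts) in enumerate(events):
        # Slide the left edge until the span is strictly shorter than the window.
        while ts - events[start][1] >= window:
            start += 1
        if end - start + 1 > peak:
            peak, peak_span = end - start + 1, (start, end)
    peak_ips = {ip for ip, _ in events[peak_span[0]:peak_span[1] + 1]}
    return {
        "noisy_ips": noisy,
        "peak_requests": peak,
        "peak_distinct_ips": len(peak_ips),
        "flood": peak > total_limit,
    }

def _line(ip, t):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET /index.html HTTP/1.1" 200 1024'

def build_sample_log():
    """Constructed traffic, not a real capture: three normal clients at one
    request per second, one client hammering at two per second, and forty
    'bot' addresses that each send only three requests during a five-second burst."""
    t0 = datetime(2017, 1, 15, 13, 0, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(30):
        t = t0 + timedelta(seconds=s)
        lines += [_line(ip, t) for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3")]
        lines += [_line("203.0.113.9", t) for _ in range(2)]
        if s in (10, 12, 14):
            lines += [_line(f"192.0.2.{i}", t) for i in range(1, 41)]
    return lines

if __name__ == "__main__":
    print(detect_flood(build_sample_log()))
```

On the sample log the per-client check names only the single heavy client, while the forty bot addresses stay well under the limit; it is the five-second peak (145 requests from 44 distinct addresses against a normal 25) that reveals the botnet. That is why blocking individual addresses is rarely enough against a DDoS and why the practical mitigations are upstream: capacity, a DDoS-scrubbing provider or content delivery network in front of the site, and rate limits applied to the aggregate rather than per client.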
So there you have it – ten cyber-threats facing your organisation.