Cyber-security: organisations vulnerable to new swathe of attacks

2014 saw Apple, Target, Ebay and Sony become victims of cyber theft, and while experts warn 2015 is set for further disasters, organisations are betting on not being targets rather than addressing the core problems.

2014 was a bad year for cyber security, and experts warn that 2015 could be even worse. The scale of attacks indicates that cyber crime is not only a considerable challenge but that the bad guys are winning. Rather than implement effective security, many organisations are simply gambling that they do not represent an attractive enough target compared with their peers.

The cyber world has become an increasingly attractive playground for criminals, activists and terrorists motivated to become noticed, make money, cause havoc or bring down corporations and governments through online attacks. In 2013 alone, IBM reported, 1.5 million monitored cyber attacks took place in the US, so it is not a surprise that cyber-security specialist and senior vice president of products at Clearswift Guy Bunker warns: “threats are an everyday event and breaches are ‘when’ not ‘if’.”

To make matters worse, cyber criminals are not only pursuing the obvious, such as hacking smartphones and e-health devices and stealing credit cards; they are beginning to see driverless vehicles, e-cigarettes and smart kitchen appliances as potential targets.

Before 2014 got under way, security consultancy Websense predicted a number of attack types would blossom. Its recent ‘2014 Predictions Accuracy’ report shows that the experts had identified some key problems correctly. The report states that as the cloud became the preferred location for storing data, cyber criminals focused their attention on attacking the cloud.

Other predictions that appear to have come true include a shift from simple data theft at corporation level to nation-state level, a decrease in the quantity of new malware resulting in more targeted attacks and cyber criminals targeting the weakest links in the information chain, such as third-party vendors, contractors, point-of-sale devices and out-of-date software.

During 2014, US retailers Neiman Marcus and Target reported that 110 million accounts had been compromised. The Heartbleed bug made its presence known in April, affecting the likes of Mumsnet, Pinterest and Google. The bug lay in open-source software, OpenSSL, that is designed to encrypt communications between a user’s computer and a web server, and resulted in exposure of users’ personal information.

Cyber criminals are not only after personal or financial information. As the year drew to a close, Sony’s movie division Sony Pictures suffered a cyber attack that resulted in upcoming movies being leaked. North Korea was accused of being behind the attacks: an apparent attempt to prevent a comedy being released that shows the nation’s leader Kim Jong-un threatened by assassination.

“Each year we see the frequency and severity of security attacks increase, and there is no reason to think 2015 will buck this trend,” says Co3 Systems CEO John Bruce. “The consequence will be harsher measures within the EU on companies who are not adequately prepared for security breaches and it is possible that as in the US, we will see CSOs or even CEOs lose their jobs as a result.

“Furthermore in 2015, there will be an attack on the scale of the Target breach, so large and far-reaching that it can’t be swept under the carpet.”

More attacks, less change

TK Keanini, CTO at Lancope, sounds a similar note, warning: “The big message in 2015 is that security is everyone’s problem.”

Organisations remain largely unprepared for the onslaught, according to Ernst & Young’s findings from its ‘Get Ahead of Cybercrime’ report. For the most part, the report claims, they lack the awareness, budget and skills to prevent a cyber attack.

EY’s global cyber-security leader Ken Allan says: “This expansion of cyber crime is not being matched by a corresponding expansion in the capability of organisations to manage the risk, creating an ever increasing gap. All of this contributes to a greater likelihood that a cyber attack will have serious negative consequences, potentially leading to the ultimate demise of an organisation.”

Of the 1,825 organisations surveyed, 67 per cent face rising threats in their information security risk environment, and 37 per cent have no real-time insight into cyber risks necessary to combat these threats. Despite an increase in attacks, 43 per cent said their organisation’s budget will stay approximately the same, and 53 per cent believe a lack of skilled resources is another obstacle in defeating cyber crime.

“Cyber crime is not slowing down for a number of reasons,” says Allan. “Firstly, the opportunity for criminals to make money continues to grow. We not only have the sale of commodity information such as credit card details, we also have the sale of sensitive business information, such as intellectual property.”

Allan adds that there is more to attack now. “As businesses expand their digital footprint to create more channels or more cost effective ways to market, there are greater opportunities for cyber criminals.

“Lastly there is the inevitable expansion of the IT estate to include mobile devices and the increasing connection of the Internet of Things, again increasing the footprint that can be attacked.”

Allan says there are three roadblocks. First is lack of agility, as organisations admit there are still known vulnerabilities in their cyber defences and they are not moving fast enough to mitigate these. Second, more organisations are reporting that their information security budgets will not increase, meaning they are unable to face growing threats effectively. The last roadblock is the lack of cyber-security specialists. Organisations need to build skills in non-technical disciplines, such as analytics, to integrate cyber security into the core business.

“The approach organisations need to take to get ahead of cyber crime has little to do with technology. Organisations have to ensure they are adaptable to business needs, and incorporating cyber security strategy into business decisions,” reckons Allan. “They also have to have a clear view of what it is they want or need to protect. Identifying the so-called crown jewels is essential. This implies a differential approach where some assets are better protected than others.”

When, not if

Websense’s ‘2015 Security Predictions’ report states that cyber espionage, the Internet of Things, healthcare, credit-card theft and mobile attacks are the biggest cyber threats to come in the next 12 months.

“Cyber crime will continue to boom in 2015 as we see more criminals enter the profession not wanting to miss out. The reason for this is simply that cyber crime pays; the rewards heavily outweigh the risks,” explains Co3’s John Bruce. “The likelihood of getting caught is very small in comparison to other serious crimes, plus there is a low cost of entry, as the tools needed to attack even the most comprehensive security systems are incredibly cheap when compared with what could be gained.”

Lancope’s Keanini says access to the hacks themselves is getting easier: “We are seeing a lot of modularity to cyber crime. An attacker doesn’t necessarily have to have the knowledge of an exploit or delivery mode to have a successful campaign; they can go to market and buy those things. They are not individuals anymore. They are a system of attackers.”

Healthcare provides an attractive target for cyber criminals because patient records hold a treasure trove of data that is valuable to an attacker, plus no other single type of record contains so much personally identifiable information that can be used in a multitude of different follow-up attacks and various types of fraud.

The Internet of Things presents another problem for 2015 and will change the security landscape in cyberspace. For the moment consumer products and household items do not present the main security threat: business use will be the main focus. Websense forecasts that there will be at least one major breach of an organisation via a newly introduced Internet-connected device, most likely through a programmable logic controller, or similar connected device, in a manufacturing environment.

Spurred by the Target case, the retail industry is under the spotlight. According to Websense the game is changing. Although credit-card theft through point-of-sale systems is the norm, credit cards are now being hacked and then put up for sale on carding sites worldwide. Of course when a credit card is flagged up as stolen and then cancelled, the value in the card decreases; however Websense say this only pushes criminals to gather more cards.

Furthermore, Websense predicts, cyber espionage will be hard to control, as countries are already fighting a cyber war through economic, industrial, military and political means.

“The SandWorm zero-day exploit made big headlines when its discovery was revealed in October. Part of the reason was because of the technical implications, but the other was because of the impact. We know that at least one hacking group used the vulnerability to target critical infrastructure, a trend that will continue in 2015,” says Bruce. “Although hacktivism failed to dominate the headlines in 2014, it has always been cyclical. With several conflicts persisting around the world, and given a controversial general election this year in the UK, we should expect renewed momentum in this kind of malicious activity.”

Mobile phone attacks are not solely seen as ways to crack the passcode or to steal data from the device itself any more, but increasingly as a way to steal information from the cloud it is connected to. As businesses tend to rely on the cloud to store data, a variety of devices, such as desktop, mobile and tablet, will have access to it, meaning cyber criminals will be able to hack into the business’s cloud platform through a mobile and gain more company data.

“2015 will bring more Heartbleeds, Shellshocks and high-profile cyber-security breaches. Users today have too much access to too many resources, from too many places, using too many identities, which cannot be allowed to continue,” says Centrify’s CTO Barry Scott. “IT has become ‘de-perimeterised’ as a result of cloud and mobile technologies, with traditional security, such as firewalls now inadequate, and identity management solutions have become more important to handle identity as the new perimeter. It’s only logical that this will lead to a rise in cloud-based identity management services, so-called identity as a service or IDaaS, where new features can be added incredibly fast as needs dictate, compared with traditional on-premises software products.”

Moving forward

Although individuals are being advised to protect their passwords better, the real change must come from organisations, as they have much greater opportunity to combat cyber crime.

Scott says: “There needs to be more focus on finding alternatives to passwords, increased use of multi-factor authentication to plug the holes passwords can leave, so businesses should demand their SaaS application providers provide federated authentication to stop the explosion of user identities.”

“Threat intelligence and threat knowledge-sharing shows growing promise, representing a real opportunity to turn the tables on the bad guys. Currently there are a number of obstacles to its success, including the relative quality of the data involved and how complicated it can be to share,” Bruce says. “We’ve learnt by now that technology is no panacea; therefore getting the balance of how humans and machines work together will be increasingly important. Studies of chess masters and supercomputers have shown that a computer alone, no matter how powerful, can still be overcome.”

Bruce adds: “Security solutions still lack the judgement that’s needed to make sure that the cure they prescribe isn’t worse than the disease it’s intended to address. The ideal approach will leverage computers for information collection and analysis, but rely on humans to fine-tune the response.”

Keanini sees the positive: “If there is any good news, it’s brought the topic to the forefront. Organisations that are paying attention out there or that have been abused will perform threat modelling as part of their business continuity plan.”