[BreachExchange] Is your 'cyber hygiene' putting you at risk of attack?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Dec 6 19:34:07 EST 2016
http://www.wired.co.uk/article/biggest-developments-in-digital-security-in-2016
No-one – and no business – is immune from cyberthreats. From dating website
Ashley Madison, to household names such as Yahoo! and Tesco Bank, all the
way up to the US’s Democratic National Committee – high-profile
organisations and smaller entities alike keep falling victim to black hat
hackers and cybercriminals.
The number of attacks has risen sharply over the past few years.
Hacking tools have reached unprecedented levels of sophistication and –
more importantly – of availability. Cyber gangs selling tools, information,
services and advice on the dark web mingle with skilled mercenaries on the
payroll of state actors. In the face of sudden change, many businesses fail
to protect themselves appropriately, and end up botching their reaction
when a hack eventually occurs. But what is the current state of
cybersecurity, and how should we respond when confronted with threats?
Here, representatives from international law firm Bird & Bird help us
understand the situation, and outline the dos and don’ts of cybersecurity
today.
Threat to Enterprise
The upper echelons of a company must take responsibility for setting up a
prevention and response plan able to stave off cyber-threat-led catastrophe.
“They should always start preparing for when an incident happens, as
opposed to if,” Bird&Bird partner Simon Shooter explains.
Failing to do so might result in substantial financial loss, loss of
reputation, regulatory fines and even personal liability, as shareholders
can take legal actions against boards that have inadequately protected the
businesses from cyber-risks.
One common mistake companies make is treating cybersecurity simply as a
technology problem, Bird&Bird partner Shooter explains. Both in advance
preparation and when an incident happens, it should be managed in a more
holistic way. “People are still looking at cybersecurity in a very
one-dimensional way – as a pure IT issue,” Shooter says. “Now, if a company
gets hacked we put together a multidisciplinary group, including people
whose experience is in PR, compliance, IT and Partner Relationship
Management, to give a multidisciplinary approach to clients. It’s much
better balanced and more appropriate.”
Cybercrime and criminal gangs
The main issue with today’s hacking tools is that they are easy to get hold
of. Malicious software and penetration tools are a dime a dozen on the
dark-net markets, drastically lowering the barriers to entry for would-be
cyber-criminals.
“If you want to commit a cybercrime you don’t have to be a computer wiz at
all anymore,” Shooter says. To make things worse, some of those tools are
of extremely high quality. It is not rare that privateers working with
state actors for cyber-warfare actions eventually put themselves up for
hire on the dark web, or sell their military-level tools there.
“There are some very, very sophisticated capabilities on the dark web right
now,” Shooter says. However, it is wrong to believe that all hacks are at
the highest levels of sophistication. The majority are relatively simple
attacks that could have been avoided by having the basics of cyber
protection and preparation in place.
Emerging Threats
“The reason why cybercriminals are becoming more sophisticated is that they
are focusing their attention on high-value targets who have sophisticated,
tight controls in place to protect their digital assets. They have to hone
their techniques to get inside the system, which gives them a more advanced
tool-set to employ next time round, and so the cycle continues,” explains
Bird&Bird associate Bryony Hurst.
At the same time, there are some soft spots hackers can exploit to get in:
according to an FBI report, for instance, the number of business emails
compromised by cyber-criminals increased by 1300 percent from 2014 to 2015.
Most of these cyber attacks are of the ransomware kind – where a malicious
party encrypts a company’s data and asks for money to return it. But
Shooter has also witnessed more insidious schemes.
“Sometimes someone penetrates your system, gets inside and watches
carefully to identify trends and idiosyncrasies that can be used to extract
value later on,” he says. “It’s a form of industrial espionage and
international espionage – they look for information they can use in the
long term.”
National Security
From the Stuxnet virus that destroyed Iran’s centrifuges in 2010, to the
alleged Russian involvement in disclosing information about US presidential
candidates in 2016, state-led cyberattacks are increasingly becoming a
common occurrence – and cyber warfare is already a reality. That is not
going to change anytime soon, according to Shooter. If anything, it is
probably going to get worse.
“It’s much easier for me to sit behind a terminal in a hotel room than risk
my life in the battlefield,” he says. “If I can hit a soft target with a
maximal effect – let’s say if I hacked the UK’s social security payment
system... you can imagine the chaos that would follow. Nation states are
now fully capable of causing significant levels of chaos, and this is a
present threat.”
Learning from Hackers
Whatever the kind of hacker or attack a company is affected by, the key
thing is being ready to react appropriately, Shooter explains. Preparation
is crucial.
“If you find that someone has hacked your business and got access to vital
information panic is not a good way to address the problem,” he says.
“First of all, it is important that everybody has a suitable or at least
half-decent response plan.” Teamwork and preparing a centrally co-ordinated
response is fundamental here, underlines Bryony Hurst.
“You have to identify who in your company is going to be a member of your
‘response team’, make sure they are aware of their role and put in place
the right internal communication structure to allow them to exchange
information in a way that is legally protected. Choose the right
spokesperson and ensure they are well-briefed on the facts and instructed
to resist the temptation to speculate publicly early on,” she says.
Negotiating with hackers to avoid the worst might be possible in some
cases, but it is rarely advisable.
“If I pay them off today, am I going to have to pay them off tomorrow?”
Shooter says. “If cybercriminals are prepared to sell data for money on the
dark web you can bet they’ll sell a list of people who paid ransomware
hackers, and who are susceptible to pay again.”
AI and Beyond
The current wave of attacks has triggered the emergence of a series of
cyber-security solutions harnessing cutting-edge technology to face up to
new threats. Many of them resort to Artificial Intelligence (AI) to
engineer self-improving systems, Hurst explains. “There are even AI systems
being developed that imitate the human immune system: they are
self-learning and their ability to react to threat situations evolves over
time,” she says.
Yet, a great deal of damage could be reduced by simply being more aware of
the way the security environment has changed, Shooter thinks.
“About 70 per cent of attacks could be avoided with some basic levels of
cyber hygiene. We’re not talking about spending fortunes, but of people
going through baby steps,” he says. “To make a difference inside your
business, a lot of that depends on changing attitude and changing staff
behaviour.”