[BreachExchange] Coping with increasingly sophisticated capabilities of cybercrime syndicates

[Audrey McNeil]

http://www.securityinfowatch.com/article/12260502/coping-with-increasingly-
sophisticated-capabilities-of-cybercrime-syndicates

Cyberspace has become a progressively attractive hunting ground for
criminals, activists and terrorists motivated to make money, get noticed,
cause disruption or even bring down corporations and governments through
online attacks. The technical capabilities and reach of cybercriminals are
now equal to those of many governments and organizations. In the next few
years, these capabilities will extend far beyond those of their victims. As
a result, the ability of current control mechanisms to protect
organizations is likely to diminish, exposing them to greater impact.

In this day and age, organizations must be prepared for the unpredictable
so they have the resilience to withstand unforeseen high impact events. In
2014, the global cost of cybercrime was estimated at more than $400
billion, a sum which is approximately the same as other, more mature
criminal activities such as counterfeiting or illegal drugs sales. This
makes cybercrime a lucrative business. Additionally, e-commerce sales are
predicted to increase dramatically over the next two years, presenting
cybercriminals with equally large opportunities.

Cybercrime, along with the increase in hacktivism, the increase in the cost
of compliance to deal with the uptick in regulatory requirements coupled
with the relentless advances in technology against a backdrop of
underinvestment in security departments, can all combine to cause the
perfect storm. Moving forward, if the C-Suite doesn’t understand
cyberspace, they will either take on more risk than they would knowingly
accept, or miss opportunities to further their strategic business
objectives such as increasing customer engagement or market leadership.
These organizations are more likely to suffer embarrassing incidents, and
when they do, they will suffer greater and longer-lasting impact.

Cybercrime Is Valuable

It goes without saying that information that is being stolen, leaked or
lost, has a value. Cybercrime syndicates mature as malspace continues to
develop. Let’s take a look at a few types of cybercrime that we at the
Information Security Forum (ISF) are seeing:

Crime-as-a-Service: As crime syndicates mature, they emulate corporate
practices by aligning commercially and diversifying their enterprises,
seeking profits by moving more of their activities online. They base their
operations where political and law enforcement structures are weak and
malleable in order to conduct their activities relatively undisturbed. This
level of sophistication forces legitimate organizations everywhere to adapt
their security strategies and fortify their internal business operations.

In a criminal marketplace with a global talent pool, professionalization
will lead to specialization. Different criminal business units will focus
on what they do best, and strategy development and market segmentation will
emulate private sector best practices; malware development is a prominent
example. Rising profits will allow crime syndicates to steadily diversify
into new markets and fund research and development from their revenue.
Online expansion of criminal syndicates will result in Crime-as-a-Service
(CaaS) offerings and the proliferation of bulletproof distributed hosting
providers that turn a blind eye to the malicious activities of their outlaw
clients.

Mobility Concerns: Smartphones are a prime target for malicious actors. The
rapid uptake of Bring Your Own Device (BYOD) and the introduction of
wearable technologies to the workplace will intensify the high demand for
mobile apps. To meet this increased demand, developers working under
intense pressure and on razor-thin profit margins will sacrifice security
and testing to rapid delivery and low cost, producing poor quality products
that are easily hijacked by criminals or hacktivists.

Mobile devices, applications, and cloud-based storage introduced to the
workplace by employees constitute a growing security risk to businesses of
all sizes. These risks stem from mismanagement of the device itself,
external manipulation of software vulnerabilities, and the deployment of
poorly tested, unreliable business applications (shadow IT).

IoT Adds Unmanaged Risks: The billions of devices that comprise the IoT
will collect a wide variety of data from users, who will be unaware that it
is happening, where the data is being stored, or who has access to it.
These devices may be inadequately protected, exposing critical
infrastructure, including industrial control and financial systems, to
attack.

As organizations deal with this complex digital environment, they will
respond by automating tasks previously performed by people. Human cognitive
abilities will be regarded as a bottleneck to task completion and
efficiency. Algorithms will be increasingly used to ensure tasks are
performed with accuracy and timeliness. However, the interactions between
these algorithms will become overwhelmingly complex, introducing
significant new vulnerabilities and new challenges for security experts.

Insiders Continue to Pose a Threat: Most high-profile attacks on corporate
data centers and institutional networks have originated outside of the
victimized organizations. But the network openings that allow outside
cyber-attackers to burrow in, infect databases and take down file servers
almost always originate with trusted insiders. According to a worldwide
survey of ISF members, the vast majority of those network openings were
created innocently through accidental or inadvertent insider behavior.
Vulnerabilities can be created by something as mundane as a trusted
employee taking files to work on at home.

Moving forward, organizations must nurture a culture where insiders can be
trusted – and insiders can trust the organization in return. Organizations
with a high exposure to insider risk should expand their insider threat and
security awareness programs. A culture of trust becomes more imperative as
the volume of information insiders can access, store, and transmit
continues to soar and mobile working for multiple employers becomes the
status quo.

The Dangers of Ransomware

Ransomware is certainly in the news these days, as has been seen with
recent attacks on universities and healthcare institutions. These attacks
involve a targeted device, such as a laptop, smartphone or tablet, being
locked and the only person who has the key to unlocking the device is the
attacker who typically demands money in return for the unlock key.

Ransomware is a form of malware, and no organization or individual is
immune from ransomware attacks. These are targeted, profit-driven attacks
and the criminals don’t care who they get their money from. It’s clear that
the easier the target, the more likely an individual or organization is to
be attacked.

The guiding principle from an ISF standpoint is that all individuals who
have access to an organization’s information and systems should be made
aware of the risks from malware and ransomware and the actions required to
minimize those risks. There are three key areas that should remain a focus
for individuals and organizations. This include:

 Follow good practice around patching of operating systems and software,
ensuring that virus scanners and malware protection are up-to-date and
performing regular backups
Anyone with access to the organization’s IT is educated about ransomware
and is asked to provide appropriate security controls on connecting devices
Employees must be provided with continuous knowledge and learning about
malware and ransomware.
Education cannot be one-off. It should be reinforced frequently

One question that I’m asked frequently is “should I pay?” Ultimately, this
is up to the discretion of the individual or the organization. Most will
say that you should not pay. Others will say that it is OK. But remember,
you could end up with a target on your back. The bottom line is that if you
can’t do without the information, and you don’t have a backup, then paying
is the only alternative you have left to recapture your information.
Therefore, prevention is the way to go to better protect yourself.

Cyber Security is Not Enough

No business is immune to a cyber-attack. But, there are ways to better
protect your organization from future incidents.

Today, risk management largely focuses on achieving security through the
management and control of known risks. The rapid evolution of opportunities
and risks in cyberspace is outpacing this approach and it no longer
provides the required protection. Organizations must extend risk management
to include risk resilience, in order to manage, respond and mitigate any
damaging impacts of cyberspace activity.

Cyber resilience anticipates a degree of uncertainty: it’s difficult to
undertake completely comprehensive risk assessments about participation in
cyberspace. Cyber resilience also recognizes the challenges in keeping pace
with, or anticipating, the increasingly sophisticated threats from
malspace. It encompasses the need for a prepared and comprehensive
rapid-response capability, as organizations will be subject to
cyber-attacks regardless of their best efforts to protect themselves.

Above all, cyber resilience is about safeguarding the sustainability and
success of an organization, even when it has been subjected to the almost
inevitable attack.

The Importance of a Risk Assessment Process

Managing information risk is critical for all organizations, but effective
only if it enables business strategies, initiatives, and goals. As a
result, an organization’s risk management activities – whether coordinated
as an enterprise-wide program or at functional levels – must include
assessment of which risks could compromise business success and resilience.

For help with information risk assessment, I recommend reviewing the ISF
Threat Radar. The Threat Radar plots the ability to manage a threat to its
potential level of impact, thus helping determine its relative importance
for an individual organization. It can also demonstrate any change likely
to occur over the period in question.

It is important to remember that it is not feasible to defend against all
threats. An organization, therefore, needs to look closely at its
resilience: analyze and optimize the plans and arrangements in place to
minimize impact, speed recovery, and learn from incidents.

 Further detail on cyber resilience is available in our report Cyber
Security Strategies: Achieving Cyber Resilience.

 The Need for Better Security Awareness

 Many businesses identify their people as their biggest advantage but fail
to recognize the need to manage the human element of information security.
People should be an organization’s strongest control. Organizations must go
beyond security awareness training to embed positive information security
behaviors that will turn into habits, creating a sustainable security
culture throughout the enterprise. The real driver of security awareness
activities should be risk, and how better employee behaviors can reduce
that risk.

Adopting the perspective that disclosure will be more damaging than the
data theft itself is a guaranteed way to damage customer trust. However,
many organizations lack rehearsed incident response and tech-literate
public relations plans. We urge our members to carefully consider their
response because your organization can’t control the news once it becomes
public. This is particularly true as data breaches occur with greater
frequency and the general public pays greater attention to privacy and
security matters. I highly recommend running simulations with your public
relations firm so that you are better prepared to respond following a
breach.

 What’s Next?

 Data breaches have become a regular feature of modern life. This will
continue as long as efficiency and ease of data access trump security, a
state of affairs which makes economic sense for many organizations, that is
until they suffer a breach of their own. Once a breach happens, the value
of security as a business enabler becomes clearer. Prevention and detection
will evolve, but will continue to rely on technical and intelligence-based
solutions. This will involve a discrete number of stakeholders and
departments who implement the basics and thereby manage the majority of
information risk.

At a time when data breaches are becoming far too common, organizations
that produce an imaginative and credible response will have a comparative
advantage over those that are slow and confused, and this will translate
into tangible business value. By adopting a realistic, broad-based,
collaborative approach to cyber security and resilience, government
departments, regulators, senior business managers and information security
professionals will be better able to understand the true nature of today’s
increasing cyber threats and respond appropriately.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160922/51cf130c/attachment.html>