According to Gartner global spending on cybersecurity exceeded $114 Billion in 2018, yet the scale and frequency of breaches still seems to be increasing.
We are in danger of becoming complacent when confronted with numbers like X million customer details or Y million credit card accounts being sold on the dark web. So what is the truth of the situation in 2019? What lessons can we learn from the latest misfortunes of others?
Pay up or else…
Ransomware, where malicious software encrypts your data and then asks for payment (usually in cryptocurrency) to get your data decrypted, is still a big hit with cyber crime gangs.
The Wannacry outbreak in 2017, infamously targeting hospitals in England showed that many large institutions had old unpatched systems and presented ‘low hanging fruit’ for the cyber extortionist. Despite this warning ransomware attacks against public bodies continue with one recorded every month in the US in 2019. They can be profitable for the attacker. The Administrative Offices of the Georgia Courts were attacked in June and ended up paying the ransom of $400,000. There were similar attacks in Lake City and Riviera Beach in Florida and they also paid. Lake City paid 42 bitcoin (almost $500,000) to attackers, and Riviera Beach paid 65 bitcoin (almost $600,000).
These attacks are so commonplace there are online seminars describing what to do when it happens. Institutions in the US are being advised by insurance companies to pay any ransom and then claim on their policy. The hackers’ weapon of choice is often a new strain of ransomware called LockerGoga which is also increasingly being deployed against industrial and manufacturing businesses.
Update your software (but carefully)
Supply Chain Attacks have been popular in 2019. These involve a legitimate software vendor pushing out what seems to be a trustworthy software update but actually contains malicious software alongside. This was made famous by the NotPetya attack in 2017 and continues to be popular in 2019.
In March, following a report from Kaspersky Labs, the computer maker ASUS disclosed a supply chain attack on it’s Live Update software. This attack caused more than 1 million users to receive malware as they innocently updated their ASUS computers. This was particularly hard to identify because the malicious software was signed using legitimate ASUS certificates. The culprits are thought to be a Chinese-speaking group called Shadowpad or Barium. Other attackers managed to compromise a version of Microsoft’s Visual Studio. They subsequently penetrated game development companies that used Visual Studio in their code development process.
What could be worse for a company than finding out they have been breached ? Being told by someone else. This happened to Citrix earlier this year when the FBI told them that international cyber criminals had gained access to their internal network.
Serious cyber attacks can take months to investigate and the FBI is still working to understand exactly what happened. It was reported that the Iranian-backed group Iridium was responsible. They made off with at least 6 TB of sensitive internal data including blueprints, emails and other documents. The Iridium group has been linked with more than 200 attacks worldwide this year alone against government agencies, oil, gas and technology companies.
A recent submission by Citrix to the California Office of the Attorney General admitted that the attackers had access to the Citrix network for around 5 months. Also confirming that compromised data included names, social security numbers and financial information.
If it smells like a phish, swims like a phish…
So we’ve seen what happens when a company doesn’t know about a breach, that can be pretty bad, but what about if they do know and just don’t say anything ? This is what happened at the Indian IT outsourcing and consulting company Wipro Ltd. This incident started when it was noticed by separate sources that Wipro’s servers seemed to be being used for phishing attacks. It seems their own customers were able to trace the activity back to the Wipro servers.
Initially Wipro executives played down the problem, ignoring reporter’s questions for days, eventually admitting to an incident but then playing down the severity. They then claimed it had been handled when they had only just hired a forensics firm to investigate the extent of the problem. They also focused on picking holes in reports criticising their actions or inaction in the immediate aftermath.
Further forensic examination of Wipro’s systems show that this breach could have first happened as long ago as 2015. The attackers even used phishing emails taken from a training course to help staff spot phishing.
Is there a doctor in the house
Incidents like the ones we’ve looked at so far can often be catastrophic for the companies affected. Take the cautionary tale of the American Medical Collection Agency (AMCA), a massive healthcare-related debt collection company. They eventually discovered that their systems had first been penetrated around August 2018 but they only realised this in March 2019.
AMCA contracted with many companies and at least two, LabCorp and Quest Diagnostics reported that 7.7 million and 12 million of their patients’ records respectively had been exposed. This data included full names, dates of birth, phone number and, addresses along with dates of medical services. It is likely that other companies’ patient records were exposed but the count has reached 20 million just with these two.
In mid-June the parent company of AMCA, Retrieval-Masters Creditors Bureau Inc. filed for Chapter 11 bankruptcy protection.
What can we do for the best?
The days of ingenious hackers forcing their way in through cracks in the operating system are all but gone. Nowadays it is nearly always some form of credential theft or phishing-based deception that causes us to invite the vampire across the threshold.
Most modern hacking tools concern themselves with staying hidden once they’re inside your network or silently stealing your precious data.
So what can be done ? Wise companies operate continuous security education programs for their staff. Time spent helping employees spot bogus emails is never wasted. Introduce them to the watering-hole attack where staff can be duped into visiting booby trapped websites by juicy fake news about their company or employees.
It’s always worth stressing the need for better passwords or ideally promoting the use of a software password manager. In fact in 2019 we really should all embrace multi-factor authentication (for personal devices and at work). Staff should be reminded of the potential dangers of plugging unknown devices (like USB sticks) into corporate equipment (remember Stuxnet !). Enterprising trainers can have some fun with social engineering topics. Social engineering is of course just techno-speak for an old fashioned con.
If the worst happens don’t hide your misfortune or try to deny there is a problem. European legislation requires immediate disclosure with fines for failure to do so. Doing nothing risks letting a mild toothache develop into an abscess with all the pain that entails.
So if you really want to keep your crown jewels secure you need two things. State of the art security tools and a well trained workforce that is aware of the new generation of security threats and equipped to face them.
(First published in The British Computer Society’s magazine ITNow, Winter 2019 https://academic.oup.com/itnow/issue/61/4 )