Info and Cyber Security Threats to Expect in 2019
With the start of the new year, we thought we would commence 2019 with a rundown of the five top information and cyber security threats that Australian businesses can expect to see, and unfortunately be exposed to.
1. Ever-Present Trusted Insider Attacks
Malicious insiders are those who have privileged access to information, technology or assets, and who deliberately exploit their access in ways that compromise commercial or national interests. The Managing the insider threat to your business handbook defines the malicious trusted insider threat “… as the threat posed by unauthorised access, use or disclosure of privileged information, techniques, technology, assets or premises by an individual with legitimate or indirect access, which may cause harm.”
Reputational damage is also a serious risk when sensitive and private information is unlawfully distributed to unauthorised parties.
The motivations of a malicious trusted insider vary, as the Deputy Director-General of ASIO explained at a conference in 2015, “…when we talk about malicious insiders, we are talking about individuals who, with a range of motivations, betray the trust of their employer. Research has shown that motivations for such betrayal vary widely. But they are fundamentally personal - such as disgruntlement, revenge, ego, a sense of the misguided greater good or loyalties, or financial gain.”
Insiders can also pose an unintentional threat, such as assisting someone to access physical facilities or information systems without realising that what they are passing on may hold significant value and may be used for malicious purposes. This often happens when employees lack security awareness or fail to follow correct security protocols.
Trusted insiders present a threat whether they act independently with a specific agenda and intent or by assisting external parties; they are not necessarily predisposed to undertakings that go against the policies of an organisation. Opportunism, compounded by circumstance, may turn an otherwise trustworthy person into someone who seeks to deliberately steal from or harm an organisation and/or its assets.
2. Sophisticated Ransomware Attacks
ISACA defines ransomware as: “Malware that restricts access to the compromised systems until a ransom demand is satisfied.”
Ransomware is vicious malware that locks users out of their devices or blocks access to files until a sum of money, the ransom, is paid. There are different variants of ransomware, with some strains designed to attack Windows PCs while other families infect Macs and even mobile devices. Ransomware is highly effective because the encryption or locking applied to the files is practically impossible to undo without paying the ransom. There are two basic types of ransomware in circulation: crypto and locker.
Locker ransomware is designed to deny access to computing resources. This typically takes the form of locking the computer’s or device’s user interface and then asking the user to pay a fee in order to restore access to it. Locked computers will often be left with limited capabilities, such as only allowing the user to interact with the ransomware and pay the ransom. This means access to the mouse might be disabled and the keyboard functionality might be limited to numeric keys, allowing the victim to only type numbers to indicate the payment code.
Crypto ransomware primarily identifies and encrypts valuable data stored on targeted computer systems, rendering the data useless unless the user obtains the decryption key. Generally, crypto ransomware targets files created by Microsoft Office, CAD and other productivity tools. Image files may also be locked.
The ransomware threat is showing no signs of abating. Internet users need to be aware of the risks and how to identify phishing emails and other forms of distribution.
There are security software tools available on the open market; however, these are only effective against known strains.
3. Advanced Persistent Threats
Advanced persistent threats (commonly known as APTs) are cyber-based attacks in which an unauthorised user gains access to a system or network and remains there for an extended period without being detected.
Such attacks are particularly dangerous for businesses and enterprises, as attackers have ongoing access to sensitive company data. Advanced persistent threats generally do not cause damage to company networks or devices. Instead, the goal of advanced persistent threats is most often data theft and espionage.
As has been widely reported within Australia and overseas, APT attacks are becoming increasingly common as cyber criminals look to more sophisticated measures to achieve their goals. APTs have caused several large, costly data breaches and are known for their ability to remain undetected for long periods.
Advanced persistent threats do not take a general, broad approach. Instead, they are carefully planned and designed with the goal of attacking one specific company or organisation. This sets them apart from many traditional threats, such as viruses and malware, which exhibit the same behaviour consistently and are repurposed for attacking different systems or companies. APTs are highly customised and sophisticated, designed specifically to get around the existing security measures in place within a company.
APT attackers are increasingly using smaller companies (including ICT managed service providers) that make up the supply-chain of their ultimate target as a way of gaining access to targeted organisations. They use such companies, which are typically less well defended, as steppingstones.
In many cases, trusted connections are used to gain initial access. This means attackers may use employees' or business partners' credentials obtained through phishing attacks or other malicious means. This assists attackers in the critical goal of remaining undetected long enough to map the victim's systems and devise a strategic plan of attack to harvest sensitive and private data, whether business, client or staff information.
4. Further Business Email Compromise
A Business Email Compromise (BEC) is a form of phishing attack in which a cybercriminal attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher. This is usually done using keylogger malware or phishing methods, where attackers register a spoofed or lookalike domain that is one or two letters off the genuine one to trick the recipient into thinking they have received a genuine email. By monitoring the compromised email account, the scammer will try to determine who initiates payments and invoices and who requests them.
Access to email accounts is generally gained by guessing passwords based on information obtained through social engineering, or through a "brute force attack" using password-cracking tools.
Scammers can also activate email forwarding rules within the compromised account (sometimes using keyword filtering if available) that automatically send selected messages (invoices and other attachments) or all incoming messages en masse to the hacker's own account, without the victim knowing that this is occurring.
Unlike traditional phishing attacks, which target a large number of individuals across a company, BEC attacks are highly focused. Cyber criminals will scrape compromised email inboxes (and assess whether the email is securely hosted or on a mainstream service such as Hotmail), study recent company news, and research employees on social media sites in order to make these email attacks look as convincing as possible. This can also make it very hard for employees to recognise that the email is not legitimate.
Government security and cybersecurity agencies assess that BEC attacks will continue to grow and expand as a cost-effective and relatively simple form of corporate extortion as they can yield vast sums of money and have a high chance of success before being identified by the victim.
Successful BEC attacks invariably lead to invoice redirection scams (fraud).
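As an added illustration, not part of the original article, the following script shows one defensive check against the lookalike-domain technique described above: it flags inbound senders whose domain is within one or two edits of a trusted supplier's domain without being that domain. The trusted domains and the From: headers are constructed sample values, not data from any real incident.

```python
from typing import Iterable, List, Tuple

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings, iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from 'Name <user@host>' or 'user@host'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()

def flag_lookalikes(from_headers: Iterable[str], trusted: Iterable[str],
                    max_dist: int = 2) -> List[Tuple[str, str, int]]:
    """Return (from_header, trusted_domain, distance) for every sender whose
    domain is close to a trusted domain but is not actually one of them."""
    trusted_list = [t.lower() for t in trusted]
    hits = []
    for hdr in from_headers:
        dom = sender_domain(hdr)
        if dom in trusted_list:
            continue  # exact match to a trusted domain: genuine sender
        for t in trusted_list:
            d = levenshtein(dom, t)
            if d <= max_dist:
                hits.append((hdr, t, d))
                break
    return hits

# Constructed sample data (hypothetical domains and headers).
TRUSTED_DOMAINS = ["example-supplier.com", "example.com.au"]
SAMPLE_FROM_HEADERS = [
    "Accounts <accounts@example-supplier.com>",   # genuine supplier
    "Accounts <accounts@exarnple-supplier.com>",  # 'rn' substituted for 'm'
    "CFO <cfo@examp1e.com.au>",                   # digit 1 in place of 'l'
    "newsletter@totally-unrelated.org",           # unrelated, not a lookalike
]

def run_sample() -> List[Tuple[str, str, int]]:
    """Run the check over the constructed headers; two lookalikes are expected."""
    return flag_lookalikes(SAMPLE_FROM_HEADERS, TRUSTED_DOMAINS)

if __name__ == "__main__":
    for hdr, t, d in run_sample():
        print(f"LOOKALIKE (distance {d} from {t}): {hdr}")
```

In practice the trusted list would be the organisation's own domains plus those of suppliers that send invoices, and a hit would route the message to manual review rather than to finance.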
5. Increased Supply Chain Attacks
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates a system through an outside partner or provider that has access to systems and data. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
Generally, supply chain attacks on information systems begin with an advanced persistent threat that identifies the member of the supply network with the weakest cyber security and uses it to reach the target organisation. This includes ICT managed service providers.
According to an investigation produced by Verizon Enterprise, 92% of the cyber security incidents analysed in their survey occurred among small firms.