The future of cyber crime
The shadowy world of cyber crime is increasingly infringing on the real one and businesses’ most dangerous enemies are lurking just behind the computer screen.
In this uncertain and dangerous world, it can feel like there is nothing an organisation can do to avoid a malicious attack, but there is always a resistance front, and we are going to share with you the advice that could save your business.
There are signs that the Internet might break up into national segments. Snowden’s revelations have intensified the demand for rules prohibiting the use of foreign services. Individual countries are becoming reluctant to let a single byte of information out of their networks.
These aspirations will grow ever stronger and legislative restrictions will inevitably transform into technical prohibitions. The next step will most likely be attempts to limit foreign access to data inside a country. As this trend develops further it may lead at some point to the collapse of the current Internet, which will break into dozens of national networks. The shadowy Darknet will then be the only truly world-wide web.
In the meantime, businesses continue to face attempts by cyber-criminals to access and steal data from their organisations. While it’s easy to read the headlines and draw the conclusion that targeted attacks are a problem only for large organisations that maintain ‘critical infrastructure’ systems, any organisation can become a victim. All organisations hold data that could be of value to cyber-criminals; and smaller organisations can also be used as a ‘stepping-stone’ to reach larger companies.
Most malicious programs are designed to be as unobtrusive as possible, quietly gathering data in the background. This makes them much more insidious than the cyber-vandalism of the 1990s. The financial impact of malware today is much harder to determine, because a victim may not even know that they have been infected, or what data may have been stolen by the cyber-criminals. Most attacks are speculative – designed to trap anyone unlucky enough to fall victim to them – but it’s clear that the number of targeted attacks is increasing. The aim is to get a foothold in a target company, steal corporate data or damage a company’s reputation. Also, we’re now in an era where malicious code can be used as a cyber-weapon: and while an organisation may not be in the direct firing line, it could become ‘collateral damage’ if it isn’t adequately protected.
Therefore, it’s important to invest in security, which means developing a security strategy. But it should be one that’s specifically tailored to your business, not one based solely on a generic ‘best practices’ template or loose ‘guesstimates’ about the overall cost of cyber crime. What’s important is gauging how malware has impacted your business historically and how it might do so in the future. It’s also important to realise that security is like housework – it’s only meaningful if you repeat the process at regular intervals. So you need a mechanism to measure the effectiveness of the security tools you use and you need a process for updating the strategy to meet new threats as they arise.
So what are the biggest threats to your organisation and how can you secure it against them?
The Human Factor
Many of today’s threats are highly sophisticated, but often the starting-point for a targeted attack is to trick individuals in the company into doing something that puts the company’s security at risk. Unfortunately, businesses often ignore the human dimension of security. Even if the need for staff awareness is acknowledged, the methods used don’t achieve positive results. Yet we ignore the human factor in corporate security at our peril, since it’s all too clear that technology alone can’t guarantee security. So it’s important for organisations to make security awareness part of their security strategy.
Threats to privacy
Every time we sign up for an online account, we disclose information about ourselves; and companies around the world actively gather information about their customers. The threat to privacy takes two forms. First, personal data is put at risk if the provider of goods and services we do business with is compromised. Second, companies aggregate and use the information they hold about us for advertising and promotional purposes, even where it’s unclear that they’re doing this, or how to opt out of this process. We all need to realise that our personal data has value – to cyber-criminals and legitimate businesses alike. It’s also important to understand that the risk of over-sharing extends to the organisation we work for: cyber-criminals actively gather public data in order to frame targeted attacks against businesses.
For this reason, organisations need to raise awareness among employees about the risks associated with sharing information online. We’re all predisposed to trust web sites with a security certificate issued by a bona fide Certificate Authority [CA], or an application with a valid digital certificate. Unfortunately, not only have cyber-criminals been able to issue fake certificates for their malware (using so-called self-signed certificates), they have also been able to successfully breach the systems of various CAs and use stolen certificates to sign their code. The problem can be compounded if a security vendor automatically adds an application with a stolen certificate to their white-list of known-good applications.
The Cloud
There are two key factors driving development of cloud services. The first is cost: the economies of scale that can be achieved by storing data or hosting applications in the cloud can result in significant savings for any business. The second is flexibility: data can be accessed any time, any place, anywhere – and from any device, including laptops, tablets and smartphones. But as the use of the cloud grows, so too will the number of security threats that target it. It’s important that businesses understand that, while they may outsource the handling and storage of their data, they can’t outsource responsibility for the data itself. If their provider’s systems are breached, and data is exposed, they are responsible. Therefore, businesses need to assess the potential risks in just the same way that they would if they were storing data internally. There are also other issues that need to be considered. These include where the company’s data will be stored geographically, the legal jurisdiction that will apply to the data, what steps will be taken to secure the data on their provider’s systems (including how it will be secured from others who use the same provider) and the logistics involved in migrating the data to another provider in the future.
Mobile
The traditional ‘work place’ is disappearing. So the task of securing data has become harder for businesses as staff increasingly conduct business ‘on the go’: at home, at the airport, in the hotel – or anywhere else they can get a wireless signal. It’s not so much that the traditional network perimeter has disappeared. Rather it has become fragmented – and moves around as employees do. This has increased the points of exposure to malware and hackers. Business security is also being affected by a related development, the growing use of smartphones at work.
IT departments now have to manage a heterogeneous mix of endpoint devices: desktops, laptops and smartphones – often a variety of different smartphones. The problem is exacerbated because many people use the same device for personal and business use – a trend often referred to as ‘bring your own device’ [BYOD]. So loss of data on a device may be bad news not just for an individual, but for the business too. It could adversely affect the company’s reputation, or put confidential data into the public domain.
So the potential risk comes not just from the threat of malware, but also from data leakage – either through loss or theft of a mobile device. The impact on corporate security is twofold. First, security policies must be revised to reflect the changes in working practices. It’s no longer possible for IT departments to defend the traditional network perimeter. Instead, they must apply a security ‘wrapper’ around every employee – so that they are protected wherever they work and whatever device they use. Second, the tools deployed across the business must be flexible enough to implement this ‘follow-me security’ policy.
Out of date software and vulnerabilities
One of the key methods used by cyber-criminals to install malware on victims’ computers is to exploit un-patched vulnerabilities in applications. This relies on the existence of vulnerabilities and the failure of individuals or businesses to patch their applications. Cyber-criminals typically focus their attention on applications that are widely-used and are likely to be un-patched for the longest time – giving them a sufficient window of opportunity to achieve their goals. Java vulnerabilities currently account for more than 90 per cent of attacks, although other applications, such as Adobe Reader, continue to attract the attention of cyber-criminals. To reduce the ‘attack surface’, businesses must ensure that they run the latest versions of software, apply security updates as they become available and remove software that is no longer needed in the organisation. The use of a vulnerability scanner to identify un-patched applications will also help to minimise the risk of such applications being overlooked and being exploited by cyber-criminals to gain access to business systems.
Criminals will always exist, whether in real life or in the cyber-world, and businesses will always be targets. However, as we have demonstrated, there are areas of weakness that businesses can protect to minimise the risk of attack. Ensuring that all members of your organisation are united in the fight against cyber-criminals, and know what to look out for when it comes to attempts to breach security, will mean your business remains strong enough to fight and live another day.
David Emm
Senior security researcher, Kaspersky Lab