I’ve been reading a number of articles recently about new cyber-security threats and the increasing sophistication of cyber-criminals. Some of the predictions are truly frightening and cause me to wonder what the future will bring. Some of the more interesting threats include:
- Network-connected everything has become such a trend that it has its own acronym, the Internet of Things (IoT). TVs, appliances, cars, watches, medical devices, even skateboards are vulnerable to attack.
- In one incident, a “smart” refrigerator was used as a spam bot.
- In another case, security researchers hacked a Jeep Cherokee while a journalist was driving, resulting in a government-mandated recall of 1.4 million cars.
- Two computer security engineers in Australia developed a way to remotely control Bluetooth-capable skateboards.
Increasingly sophisticated phishing:
- Phishing has become big business. What started as poorly worded and misspelled letters and emails from a “Nigerian prince,” cast as a wide net for potential victims, has become a sophisticated industry targeting specific individuals in specific companies. The criminal organizations behind these campaigns (often based abroad) “often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians and are often seen as the employer of choice in their region.”
- Business Email Compromise (BEC): Spoofed emails, supposedly from the CEO of a company, are sent to the CFO or VP of Finance directing him or her to transfer a moderately large sum to a bank in a foreign country to complete a deal the CEO has negotiated. Naturally, the transfer is to be kept confidential so the information doesn’t leak and create a risk of insider stock trading, and it is urgent. In some variations a phone call from an accomplice posing as an attorney confirms the deal and lends credibility.
- Similar to the above technique, a spoofed email from the CEO is sent to Human Resources requesting employees’ W-2 information. The information is used for identity theft or to file bogus tax returns.
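The BEC lures described above share a few observable traits that a mail gateway or SOC triage script can check for: an executive's display name on a mailbox outside the corporate domain, a Reply-To that redirects the conversation elsewhere, and the combination of urgency, secrecy and a payment or W-2 request. The following is an added example, not code from the original article; the corporate domain, executive list and sample messages are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumptions (constructed for this example): the organization's mail domain
# and the display names of executives whose identity BEC lures typically borrow.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}  # lower-cased display names

URGENCY = re.compile(r"\b(urgent|asap|immediately|today)\b", re.I)
SECRECY = re.compile(r"\b(confidential|keep this between us|do not discuss)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|bank|w-?2|payroll)\b", re.I)


def _text_of(msg) -> str:
    """Subject plus every text/plain part, decoded leniently."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    body = "\n".join((p.get_payload(decode=True) or b"").decode(errors="replace") for p in parts)
    return msg.get("Subject", "") + "\n" + body


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list:
    """Return the BEC warning signs found in one RFC 822 message (empty list = none)."""
    msg = email.message_from_string(raw_message)
    reasons = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    # 1. Executive's display name on a mailbox outside the corporate domain.
    if display.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        reasons.append(f"executive display name on external domain {from_domain}")
    # 2. Reply-To steers the answer to a domain other than the claimed sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append("reply-to domain differs from from domain")
    # 3. Lure language: two or more of urgency, secrecy, payment/PII request.
    text = _text_of(msg)
    hits = [name for name, rx in (("urgency", URGENCY), ("secrecy", SECRECY),
                                  ("payment", PAYMENT)) if rx.search(text)]
    if len(hits) >= 2:
        reasons.append("lure language: " + ", ".join(hits))
    return reasons


# Constructed sample messages: a CEO-impersonation lure and a benign internal mail.
SPOOF = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.jane@webmail.invalid
To: cfo@example.com
Subject: Urgent wire transfer

Please keep this confidential. Transfer the funds to the account below today.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Attached is the deck for Thursday.
"""
```

Running `bec_indicators` over the two samples flags all three traits on the lure and nothing on the benign message; in practice the same checks can be expressed as transport rules on the mail gateway.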
Equipment manufacturers who embed firmware in their products (i.e. anything electronic) are susceptible to having that firmware tampered with before it is loaded into the product. In addition, commercially available UEFI rootkits have appeared, alongside other easily obtained tools that have existed for years and allow access to the firmware controlling a device (e.g. BIOS and UEFI for computers, smartphone firmware, etc.).
The Equation Group, a sophisticated hacker group discovered by Kaspersky, developed “malware capable of reprogramming hard disk and solid state drive firmware and remaining persistent despite efforts at higher levels (operating system reinstalls, drive reformats) to remove it.”[i]
The list of nefarious cyber-schemes goes on and on. It is safe to assume that as our attempts to foil these schemes become more sophisticated, so will the capabilities of the cyber-criminal community. The question remains: what can we, as IT managers, business owners and employees, do to protect ourselves? There are no easy answers, no silver bullet. There are, however, a few key actions that can move an organization in the direction of better defenses and coping mechanisms against these threats.
- Education and Training – Non-savvy employees are the weak link in the IT security chain. No matter how good your email filters and antivirus software are, all it takes is one malicious email getting through and being opened by an unsuspecting employee to cause a disaster. Mandatory and ongoing training of employees in the techniques used by cyber-criminals and the dangers of a lack of diligence will go a long way toward minimizing this risk.
- Find an IT security expert partner or team of partners – There are few (if any) IT departments in the world that have the expertise and skills to defend their organization against all cyber-threats. These threats are evolving and morphing too rapidly. Organizations today need to find trusted IT security partners to guide them through the maze of IT security strategies, policies and products and help them choose the ones appropriate for their organization.
- Recovery Plan – Recovery from hardware failure causing data loss is a well-established best practice. Most IT departments regularly put their disaster recovery plans to the test so they are confident they will work in the event of a real disaster. The same approach should be taken with IT security threats. Identify the threats most likely to affect the organization and develop a plan for coping with the aftermath should one succeed.
- Share information – Companies often don’t want to reveal that they have been hacked because of the damage to their reputation, stock value, etc. This approach can backfire in a big way when the breach is discovered and revealed (which it usually is) later. Why not come clean right away and possibly help other organizations prepare for a similar attack? The more that organizations can come together to share information and develop a comprehensive strategy for countering cyber-crime, the more likely we are to succeed in combating it.
“We are all in this together” sounds like a trite phrase to use in our competitive, sophisticated society. The reality, however, is that when it comes to defending against the ever-changing landscape of threats to our information, our identities, our funds and our livelihood, we need to pool our talent and our expertise to be successful.