One of the best ways to understand any given concept is to classify it. Classification is used across many disciplines, from biology to data science. Being able to group ideas, items, and areas, allows us to focus in on them and see connections across that class. In cyber security we can also classify areas, helping us to understand particular drivers, rules, reasons and outcomes for a given cyber threat.
Cyber security can be broadly broken down into these areas:
- Domain: Which allows us to identify the areas of vulnerability and where they are originating.
- Methods of exploitation: Understanding the vectors, tools and mechanisms used to exploit those vulnerabilities
- Outcomes: Which is the resulting impact of the cyber attack.
Domain is the top class in this system, with methods of exploitation and outcomes being subclasses; using this we can then begin to create an ontology of cybersecurity threats. In this article, we will look at the highest level class, ‘domain’ and how each of the subclasses impacts the different domain types. Using this type of analysis can help you to choose the right approach to minimising the impact of each cyber threat.
The human factor in IT security is the single biggest threat to our enterprise cyber safety. Users, across the board, from every area of an organisation are an intrinsic security hole. The ‘human vulnerability’ is seen as both internal or ‘insider threats’, as well as those originating from external sources – our own behaviour being used against us as the driver for the cyber threat.
The threat inside: An Insider threat is a major concern for all organisations. In a recent report by Gartner into insider threats, they found that 62% of insiders carried out actions that gave them effectively a second income. Usually, this was from the access and misuse of sensitive data, including leaking data to suppliers to undermine the negotiating powers of the company.
The costs of insider threats is also a concern of this domain – a study by PWC into insider threats highlighted that 32% of respondents found insider threat based cyber crimes were more costly and damaging than external threats. The study concurs with the Gartner findings that financial incentive was one of the most prevalent reasons for insider breaches.
Insider breaches are carried out most commonly by privileged access abuse and by misuse of access credentials. For example, a survey by Centrify found that sharing credentials was common, with 52% of U.S. IT administrators sharing their login credentials with contractors and 59% with fellow employees.
Social engineering: One thing that cybercriminals have used to their advantage is understanding how humans behave. They are using our own behaviour against us, to bring a cyber threat to its successful conclusion. And successful they are. Phishing, especially its highly targeted cousin, spear phishing, is the most successful method of breaching company data. Alan Paller, Head of Research at the SANS Institute, has estimated that around 95% of successful attacks on enterprises originated with a spear phishing email. Human beings have an intrinsic need to build up trusted relationships with each other and it is this pattern of behaviour that cybercriminals target. Spear phishing in particular, and more recently Business Email Compromise (BES), are techniques that require a hacker to understand their target at a deep level. However, this effort is worth their while as the financial gains from phishing related crimes reveal. BES, for example, which attempts to trick users into transferring monies into hacker bank accounts, believing they are legitimate, has raked in around $2.3 billion in funds to the cyber criminal gangs behind the scam.
Cybercriminals will continue to use social engineering while it continues to be so successful. One of USP’s phishing awareness campaigns, a highly effective way of managing the threat, found that the click rate for phishing emails was 50% with 6% of those being successfully scammed. 6% of users within a company of thousands could end up extremely damaging.
In the ‘old days’, an enterprise had full control over the applications used across the infrastructure. Desktops were locked down, and no extraneous or non-standard applications could be installed. Today, this is no longer possible and the emergence of ‘shadow IT’ has seen unauthorised applications, including Cloud applications like Dropbox, installed or used without IT department knowledge. This has added a new level of security strain on an organisation. Gartner is predicting that by 2020 one third of successful security attacks will originate with shadow IT resources.
The problem that shadow IT is creating is in the area of knowledge. Security starts with knowledge – knowing what applications are running, and what data is being generated and used. Shadow IT makes the acquisition of this knowledge much more difficult. If you don’t know which applications are installed, you cannot control the exploitation of vulnerabilities. If you don’t know where data is being generated, transferred or stored, you cannot add protective layers to that data.
The problem of shadow IT is being addressed with the use of Cloud Access Security Brokers (CASB) that are used to check across the network for Cloud enabled applications. Security policies such as advanced authentication measures, single sign-on, encryption and anti-exploit prevention can then be applied appropriately.
Internet of Things (IoT) and the Digitisation of Industry / Industry 4.0
One of the revolutions of modern times is the Internet enablement of devices. Gartner is predicting that by 2020 more than half of new business processes will utilise some form of the IoT. As this highly distributed network of interconnected devices grows and grows, it also opens up potential routes into networks and new ways of obtaining information maliciously.
One of the current issues with the IoT is the rather slow uptake of security standards by many manufacturers. For example, the potential for critical infrastructures attacks based on Internet enabled Industrial Control System units (ICS) is high without the right security measures in place. Denial of Service (DoS) attacks on these ICS units could bring entire infrastructures in the energy industry to a standstill causing widespread chaos.
One of the other concerns of the IoT is that it is improving productivity, and making communication of the supply chain more effective. It is also extending the fuzziness of the perimeter so that it no longer exists. This makes traditional methods of preventing cyber attacks less effective. The above mentioned critical infrastructures are at particular risk from supply chain attacks originating through insecure IoT devices.
Consumers are also at risk from IoT based attacks. Many IoT based products that have been introduced to the consumer market have been found lacking in security – from smart fridges, to children’s teddy bears, to wearables. One of the most recent IoT threat was found in the lighting products in the Osram Lightify range, which are used for both consumer and commercial lighting. Security testers Rapid7 found a number of vulnerabilities in the products that could allow unauthorised access to a Wi-Fi network.
The development of the IoT is part of an evolutionary cycle of cyber security threats which are evolving with the changing IT environment. In the 90s as the Internet started to be used across a wider audience, we saw host based attacks move to a more client based threat. As mobile became de rigueur in our digital lives, the threats moved across to mobile devices. And now with the advent of the IoT we are seeing another shift in the cyber threat landscape to Internet enabled items mass adopted by consumers.
The movement of IT systems and processes from a closed network into a more open Cloud domain brought with it fundamental changes to how we apply protection to our systems, and especially our data. The removal of the perimeter, stretching it out into the Cloud meant that we have had to look at security from a new standpoint, and encompass data governance across jurisdictions.
One of the biggest challenges of the Cloud is having full sight of data. Understanding where data is transferred, stored and shared across highly disparate networks, is a fundamental requirement of creating a secure Cloud based environment. Having control over data movement and storage can then be applied more effectively. In the world of Cloud security, identity management is king and controls the keys to the data castle. Measures such as privileged access control through flexible authentication measures, has been shown to be highly effective in managing data access. Granular and adaptive credential application can ensure that only the correct person can access any given resource, without impacting usability. One area that can be used to great effect in a Cloud setup across managed services is federation. Federation can create more seamless, but still secure working conditions, controlling and managing access across related services.
Mobile Apps, Mobile Devices, Wearables
The mobile device has been a major change in the way we use the Internet and communicate. It has also made changes in our business lives too, as ever more companies embrace the concept of using personal devices to access corporate resources in BYOD. The latter usage model has brought with it issues around the security of the enterprise – mobile access requiring additional security considerations.
On a consumer level, mobile devices are increasingly being used for online transactions. In a survey by Visa Europe, 58% of people use their mobile to shop online. This opens up the threat corridor to cybercriminals using various methods to intercept insecure mobile channels. One of the biggest concerns of mobile users is the increase in mobile malware; Check Point Software finding an increase of 50% in mobile malware in April 2016. New variants of mobile malware include mobile ransomware, which locks a phone until a ransom payment is made. Phishing has crossed over from the traditional computer to mobile devices with SMiShing in text messages.
Protecting mobile devices requires new thinking. Methods like two-factor authentication fall short of being secure when protecting mobile devices for data loss, or malware. Authentication needs to be smarter for mobile access, using adaptive methods to ensure risk is mitigated. Mobile security awareness is also an emerging area of security training that can help to alleviate the risks of mobile threats.
Recognize New Paradigms in Attack Vectors
One of the most important things to remember about cyber security and the threat landscape is that is not static. Threat profiles change and evolve. As cybercriminal techniques are recognized, and enterprises apply new methodologies to thwart attempts at breaching resources, cybercriminal approaches evolve to enhance their effectiveness. It is part of the eternal game of cybersecurity to keep up to date with the changing threat landscape. We need to recognize subtle movements to new paradigms in attack vectors and keep our awareness of the top threats current. Being able to classify risk types is a vital tool in keeping ahead of the cybercriminal. It gives us the tools to have insight and a deeper understanding of where any evolutionary changes to the threat profile may occur.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.