I don’t lose sleep about IT security but it is a constant concern and has been for the last fifteen years –how to protect data, money and identity. Hardly a month goes by without some breach hitting the headlines; V-Tech, TalkTalk, Ashley-Madison and of course Donald Trump’s various businesses have experienced several breaches during March and April - anybody would think he’s a huge target or something. Public figures, government and politically sensitive organisations will always face a higher threat, in fact this week the UK Government has publicised figures indicating that 2/3 of large UK businesses have suffered some sort of breach in the last 12 months and that only 20% have a clear view of the dangers. Large corporations can generally afford to protect themselves but it is the mid-market and SME businesses that concern me most because security tends to be reactive and sometimes considered only after an incident. Some may not even notice a breach for months or even years but there are always better ways to protect yourself, commercially and personally.
Viruses have been around since the ‘70s, gained notoriety in the ‘80s and started to take hold as the Internet exploded in the late ‘90s. I suffered my first virus in 1999 when ‘Melissa’ took advantage of out-of-date anti-virus software. It took a week to clear it up and was embarrassing to realise that I’d relayed it to contacts in my address book. When I joined another company in 2000 it was already infected with ‘ILOVEYOU’ and took significant effort at the time to eradicate. When, three months later, we were hit with a mailbomb DOS attack, which virtually stopped email for two days, I started to take security much more seriously.
I did what most people do; sought expert advice, listened, read and worked out what was needed. My resultant plan was a tiered security system, combining different solutions to mitigate risk and it’s served me well; I haven’t had a virus for over fifteen years – although I’d better not shout too loudly about that.
Since then the security landscape has changed massively; in 2003 ‘Slammer’ lived up to its name, crashing the Internet within fifteen minutes of release and there have generally been two or three headline viruses per year since. ‘Stuxnet’ in 2010 may have been originally written to disrupt SCADA (Supervisory Control and Data Acquisition) systems, worryingly the type of systems which control nuclear facilities. Zeus’ targeted on-line banking and in 2013 ‘Cryptolocker’ was the first big ransomware to cause havoc. There have, of course been a multitude more and everyone will remember their own particular ‘favourites’.
Like technology generally, the threat landscape moves at a significant pace – Trojans and spam no longer top the charts. Cyber-crime is now big business and IT is still susceptible to a 15 year-old in his bedroom who is clever with code and little else to do – look at the TalkTalk incident for proof of that. It is this fast evolution that businesses in general struggle with and the pace is increasing.
It seems that malware writers in the last two years have really got the cloud computing message with vigour; many botnets now seek homes in virtual servers rather than their physical predecessors. Consequently, botnets continue to increase despite concerted efforts by Government agencies like the Federal Bureau of Investigation (FBI) to combat the threat. The highly publicised ‘take-downs’ are the tip of a sizeable iceberg.
Target, Sony, and Anthem made headlines in 2015 but, according to CNSNews, 2016 could be the year of ransomware. In February, Hollywood Presbyterian Medical Centerpaid $17,000 to regain access to its files after they were encrypted in a ransomware attack, and ‘KeRanger’ recently became the first strain of ransomware to strike Apple devices; it demands 1 bitcoin (about £320) to release the files it encrypts. In January Lincolnshire County Council suffered a breach with a bitcoin ransom demand and they have been quite tight-lipped on how they’ve dealt with it but they had to shut down all systems for several days so the effect was enormous.
Spear-phishing is on the rise and the latest terminology is ‘whaling’, where faked emails purportedly from a CEO or CFO target managers with a seemingly legitimate instruction. The new terminology may not be the best, as a whale is a mammal rather than a ‘big fish’, but it’s indicative of the trend. In 2015 I saw, first hand, live examples of targeted phishing where a compromised small business server in Arizona was used to generate spoofed emails requesting senior UK company execs send financial information. It failed due to the diligence of the CFO but it may have worked in other organisations.
According to the FBI, whaling scams alone are up 270% from January 2015. From October 2013 through February 2016, law enforcement received reports from 17,642 victims, amounting to more than $2.3 billion in losses.
In February of this year the ‘Tiny Banker’ malware made headlines infecting many major banking institutions in the United States, including Chase, HSBC and Bank of America using HTTP injection to force the user's computer to believe that it is on the bank's website.
All of the above are logical progressions of what has gone before, however, I believe the biggest emerging threat is not from the computer on your desk or your lap; it’s the one in your pocket that you use to ring home, listen to tunes and ‘like’ cat pictures.
The line between consumer and enterprise mobile threats is blurred, but most IT security experts recognise that they have mobile threats in their enterprise and this will be a growing concern for them as threats continue to evolve, putting enterprise data at risk.
Recent high profile studies focussed on commercial mobile vulnerabilities like Operation Pawn Storm, xSSER mRAT, MasqueAtack, WireLurker, Pangu, HeartBleed and more, are showing cyber-thieves are making advancements toward mobile as an attack vector. Mobile Remote Access Trojans (mRATs) provide unauthorised, stealth access to mobile devices. An attacker can exploit mRATs to access information from devices such as location, contacts, photos, screen capture, and even recordings of nearby sounds. Known mRAT players include HackingTeam, mSpy, and SpyBubble. If you think about it this is a very logical step for cyber-crime; the thieves are following the money – the phone in your pocket has become a digital wallet containing your bank details, debit/credit card information and your identity.
The smartphone may now be your wallet but it’s even more than that – in lots of cases it’s also your remote access to company data and systems. Many people use an app to access systems and usually they go with what’s provided. ‘TeamViewer Quick Support’ is a mobile support app with over 5 million downloads in Google Play. It communicates via a plugin over a binder and when the main app initialises the plugin, the plugin loads the certificate of the caller and verifies that the serial number of the certificate equals a hard-coded serial number. In Android, each developer generates its own self-signed certificate to sign an app. This enables the developer to decide the certificate’s serial number. An attacker can exploit this and generate a certificate with a serial number that will match the plugin’s required hardcoded serial number. The attacker can then create an app signed with this certificate and that interacts with the plugin. Then, the app can bypass the plugin verification mechanism and obtain full access to the device. The Android platform is beset has over 95% of mobile malware but it isn’t alone; Virus writers have cottoned on to the prevalence of Apple devices and are writing specifically for that platform more and more. I’ve had Macs and PCs in tandem since 1984 and many Mac users I know boast that they ‘don’t need anti-virus’ – think again!
Mass cloud adoption moves the security perimeter. As the Internet of Things (IoT) develops and more and more devices are connected the threat vectors increase substantially and as 5G and SDN become mainstream threats evolve and change.
It would be easy to say ‘install these components and your security will be fine’ – anyone who says that probably hasn’t got your best interests at heart. Every organisation has different requirements and needs to balance security with operational efficiency. MOD establishments have completely different IT security requirements to a commercial business. Indeed, any organisation with general public awareness may have detractors and face ATP (Advanced Persistent Threat) as a consequence. Retailers are a high threat target – that’s back to the thieves following the money - but in general terms there is a framework, which can suit many organisations to minimise threat.
I’d recommend all organisations to consider its IT security profile in terms of control technology, policies and responsibilities. Does the organisation have a robust IT security policy? Does the Computer and Telephony Policy / Code of Connection negate plausible deniability? Are the control mechanisms appropriate? Are the roles and responsibilities clear? Is system and data access segregated, reviewed and controlled effectively? What exactly is the loss potential on differing endpoint devices? There are many questions but if you’re going to get secure you need to ask them, consider potential loss and recognise that a breach is inevitable – it’s about magnitude and loss mitigation. Then you need to get the right blend of technology to make the policies a last resort – the proactive security mechanisms to stop people doing the wrong things. Prevention is better than cure, as the adage goes.
My framework from fifteen years ago still works well for most SME-to-Midmarket organisations – three tiers with tight controls and robust policies that should never be required if the technology is installed correctly, properly managed and regularly (and accountably) maintained and reviewed.
The evolving mobile scenario requires appropriate control so I’d suggest that a Mobile Device Management (MDM) solution is appropriate for most organisations.
Technology continues to evolve and the threats evolve with it. Techniques on both sides continue to change but the central issue remains the same: too many organisations are unprepared for breach so do what I did back in 2001 – work out what’s important, do something about it and don’t lose sleep.
Need advice on your IT security?
Call us on:
0113 387 1070 / 01924 562120
Or email us on: