As we move further into the digital age, businesses are continually enhancing their ability to communicate on the move, exchange information and streamline processes through remarkable advances in technology. This gives organisations far greater flexibility in when and where they execute strategic and operational decisions, pass sensitive information and transmit intellectual property. Additionally, advances in IoT, robotics, AI, analytics and similar fields have significantly enhanced the delivery of services across almost every industry. However, these improvements also bring a much larger surface area from which businesses can be attacked. Whilst advances in digital communication have reduced the time it takes to build a reputation, they have also reduced the time it takes to destroy one.
Where it began to where we are now
Cybercrime is not a new concept: the first recorded cybercrime took place in 1820, when Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. Ultimately, this advance in technology created a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened, and they committed acts of sabotage to discourage Jacquard from further use of the new technology.
In the 1960s the term hacking became mainstream when it was used to describe the activities of train enthusiasts who modified the operation of their model trains.
To the general public, a "hack" became known as a clever way to fix a problem with a product, or an easy way to improve its function. It wasn't until the 1970s that the term hacking took on a malicious meaning, when technologically savvy individuals discovered the correct codes and tones that would allow them to make long-distance phone calls for free.
Since then, we have seen a steady increase in acts of sabotage and in theft of information and intellectual property. Attacks are becoming grander in scale, perpetrated not just by technologically savvy individuals but by organised criminal networks and nation-states. Unfortunately, it is SMEs, not larger enterprises, that have borne the brunt of attacks, with 63% of cyber-attacks perpetrated against SMBs. In 2017, Norton reported that 516,380 Australian small businesses were the victims of cybercrime, and each year that figure continues to rise. Statistics now show that two out of five Australian SMBs have been targeted and that 60% of SMBs that experience a cyber breach go bankrupt within six months.
Where does a breach begin?
Often we hear about sophisticated attacks from organised crime syndicates or nation-states looking to exploit sensitive information and Australian intellectual property. However, it is important to distinguish between what is sophisticated and what is simply the exploitation of a "known vulnerability". It is much easier for an organisation to come to terms with a breach if it believes the breach was a sophisticated attack by a criminal group or nation-state, and it is also much easier for that organisation to blame a sophisticated attack in order to reduce reputational damage. The reality, however, is much different.
From experience, the most common reasons why a business is "hacked" come down to the 3Ps:
- Phishing emails
- Password management
- Patching
To mitigate the various threats, it is important to understand how the threat operates; like most humans, threat actors will take the path of least resistance. Here is what to understand about each of the above attack categories.
Increasingly, these attacks are targeted through social engineering. Adversaries will purchase information contained in open-source databases and then trawl social media sites to build an intelligence picture of companies and individuals. Within an hour a threat could have obtained the personal details, personal interests, family members' details and business dealings of at least five key staff members. Before long, an adversary has a bank of open-source intelligence on an entire company, which they can then use as "clickbait". The most effective way to combat this is through education and training. However, education and training must be incentivised and have objectives and KPIs that are monitored at the individual and departmental level. Most importantly, the education and training must be engaging and delivered across the spectrum of learning types. Otherwise, it risks becoming a "box-ticking" exercise for employees and, therefore, a waste of critical resources.
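Training is the main control named above, but the same phishing mail can also be screened mechanically before it reaches an inbox. The following is an added example, not code from the original article: it scores three cheap header signals that need no external lookups (a display name claiming a trusted brand while the address is elsewhere, a sender domain that is a lookalike of a trusted domain, and a Reply-To that steers replies to a different domain). The trusted-domain list, the `edit_distance`/`lookalike_of` helpers and all sample messages are constructed for the example; `example.com`, `example.org` and the `.test` TLD are reserved names.

```python
"""Flag cheap phishing indicators in inbound mail headers.

Added example, not part of the original article. Trusted domains and sample
messages are constructed; the three checks are heuristics, not a verdict.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of domains the organisation genuinely mails from.
TRUSTED_DOMAINS = {"example.com", "example.org"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain that `domain` imitates, or None.

    Two tricks are covered: a few characters changed (examp1e.com) and a
    trusted domain planted as a subdomain of something else
    (example.com.account-verify.test).
    """
    if not domain or domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist or domain.startswith(t + "."):
            return t
    return None


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable indicators found in the message headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    found = []

    # 1. Display name drops a trusted brand name, but the address is not ours.
    if from_dom not in trusted:
        for t in sorted(trusted):
            brand = t.split(".")[0]
            if brand in name.lower():
                found.append(f"display name references '{brand}' but address domain is {from_dom}")
                break

    # 2. Sender domain imitates a trusted domain.
    look = lookalike_of(from_dom, trusted)
    if look:
        found.append(f"sender domain {from_dom} resembles {look}")

    # 3. Replies are steered to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        found.append(f"reply-to domain {domain_of(reply)} differs from {from_dom}")
    return found


# Constructed sample messages (only the headers matter here).
LEGIT = "From: Example Finance <finance@example.com>\nSubject: March invoice\n\nSee attached.\n"
SPOOF = ("From: Example Finance <finance@examp1e.com>\n"
         "Reply-To: collections@mailbox-relay.test\nSubject: URGENT invoice\n\nPay now.\n")
SUBDOMAIN = "From: IT Support <helpdesk@example.com.account-verify.test>\nSubject: Reset\n\nClick.\n"

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF), ("subdomain", SUBDOMAIN)):
        print(label, phishing_indicators(raw) or "no indicators")
```

The edit-distance threshold of 2 is generous for short domains and will produce false positives; in practice it is tuned per trusted domain, and these signals are fed into a score alongside authentication results (SPF/DKIM/DMARC) rather than used to block on their own.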
Password management across the board is not taken seriously enough, given how easy we are making it for the threats. More often than not, employees use the same password across multiple systems, both work and personal. This is not limited to individual employees: IT departments or MSPs also use the same admin password across multiple privileged accounts. All a threat requires is one employee whose work or personal email has been breached on a website or through an online application. A username and password can go for as little as $1 on the dark web. Once a threat has the credentials, it takes minutes of open-source intelligence research to ascertain where that individual works, lives, banks and so on.
From there, it is simply a matter of testing the credentials against commonly used systems and applications. Alternatively, a threat can purchase brute-force attack software for $50 and run every password imaginable against a username. The most effective way to mitigate this threat is through multifactor authentication and password management tools. Better still is a hardware-based MFA option, such as an ID card or thumbprint reader, so that even if a threat obtains a password, they still need physical possession of the MFA token to complete access. This provides the additional benefit of being able to audit exactly who accessed which system and when.
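Both forms of credential testing described above leave a characteristic trace in authentication logs, which is where a defender sees them even before MFA is rolled out everywhere. The following is an added example, not code from the original article: it parses a constructed, simplified log format (`<ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>`, one event per line) and reports two patterns, one source IP failing against many different usernames in a short window (a purchased credential list being replayed) and one source IP repeatedly failing against a single username (brute force). The window and thresholds, the `Event` tuple and every address and username in the sample log are assumptions made for the example.

```python
"""Spot credential testing in authentication logs.

Added example, not part of the original article. The log format, thresholds
and all sample data are constructed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user ok")

# Constructed sample log: a credential-list replay, a brute force, and one user typo.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.10 alice FAIL
2024-03-01T09:00:02 203.0.113.10 bob FAIL
2024-03-01T09:00:02 203.0.113.10 carol FAIL
2024-03-01T09:00:03 203.0.113.10 dave FAIL
2024-03-01T09:00:03 203.0.113.10 erin FAIL
2024-03-01T09:00:04 203.0.113.10 frank SUCCESS
2024-03-01T09:05:00 198.51.100.7 alice FAIL
2024-03-01T09:05:01 198.51.100.7 alice FAIL
2024-03-01T09:05:02 198.51.100.7 alice FAIL
2024-03-01T09:05:03 198.51.100.7 alice FAIL
2024-03-01T09:05:04 198.51.100.7 alice FAIL
2024-03-01T09:05:05 198.51.100.7 alice FAIL
2024-03-01T09:30:00 192.0.2.44 grace FAIL
2024-03-01T09:30:20 192.0.2.44 grace SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into Event tuples (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Source IPs that fail against >= min_users distinct usernames inside `window`.

    Returns {ip: (distinct_failed_users, success_seen_in_burst)}. A success
    inside the burst means one of the replayed credentials still worked, so
    that account is the first to reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e.ts - start.ts <= window]
            failed_users = {e.user for e in burst if not e.ok}
            if len(failed_users) >= min_users:
                hits[ip] = (len(failed_users), any(e.ok for e in burst))
                break  # one finding per source is enough for triage
    return hits


def find_brute_force(events, window=timedelta(minutes=5), min_fails=5):
    """(ip, user) pairs with >= min_fails failures inside `window`; returns {pair: count}."""
    by_pair = defaultdict(list)
    for ev in events:
        if not ev.ok:
            by_pair[(ev.ip, ev.user)].append(ev.ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count >= min_fails:
                hits[pair] = count
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", find_credential_stuffing(evs))
    print("brute force:", find_brute_force(evs))
```

The two detectors deliberately key on different things: stuffing is "many users, one source", brute force is "one user, one source". A single failed login for `grace` followed by a success is the normal typo case and trips neither. Real deployments also need to handle attackers spreading attempts across many source IPs, which is why the account-level MFA control in the text matters more than any log rule.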
Applications and systems require patching because they contain vulnerabilities. A threat will reverse engineer a patch or update to identify what that particular system's or application's vulnerability was, and once they have identified it, they can exploit it on systems that have not yet applied the patch to obtain access. This is particularly prevalent in organisations that allow BYOD. A seemingly opportunistic attack on an individual's unpatched personal device can turn into a fully targeted attack on an organisation's network once that compromised device is connected.
The most effective way to mitigate this threat is through policies and procedures. Every organisation should have a security steering group, one of whose responsibilities should be to check, either physically or with the MSP, that all endpoints, systems and applications in use have received and completed the required patches. This includes a strict BYOD policy under which personal devices connect only to a guest network segregated from the organisation's business network.
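The steering group's check above is easier to do consistently when it is run against an inventory rather than by inspection. The following is an added example, not code from the original article or any particular MSP tooling: it compares each inventory row against a minimum-version baseline and also flags BYOD devices sitting on the corporate segment instead of the guest one. The product names, version numbers, hostnames, the `byod-` hostname prefix and the inventory rows are all constructed placeholders; the one real pitfall it demonstrates is that version strings must be compared numerically, since as plain strings "120.0.10" sorts below "120.0.3".

```python
"""Patch-compliance and BYOD-segment check over an endpoint inventory.

Added example, not part of the original article. Baseline, inventory and
naming convention are constructed placeholders.
"""
import re

# Constructed baseline: product -> minimum version that carries the required patch.
REQUIRED_MIN_VERSION = {
    "browser": "120.0.3",
    "vpn-client": "5.2.10",
    "office-suite": "16.0.17",
}

# Constructed inventory rows: (host, network segment, product, installed version).
INVENTORY = [
    ("lap-001", "corporate", "browser", "120.0.3"),
    ("lap-001", "corporate", "vpn-client", "5.2.9"),
    ("lap-002", "corporate", "browser", "120.0.10"),
    ("byod-phone-7", "corporate", "browser", "118.0.1"),
    ("byod-phone-9", "guest", "browser", "118.0.1"),
    ("srv-fs-1", "corporate", "office-suite", "16.0.17"),
]


def parse_version(text):
    """Turn '120.0.10' (or '5.2.10-hotfix') into a tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_patched(installed, required):
    """Numeric comparison; plain string comparison would rank '120.0.10' below '120.0.3'."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # treat '1.2' as '1.2.0'
    b += (0,) * (width - len(b))
    return a >= b


def audit(inventory, required=REQUIRED_MIN_VERSION, byod_prefix="byod-"):
    """Report endpoints below baseline and BYOD devices off the guest segment."""
    unpatched, byod_on_corporate = [], []
    for host, segment, product, installed in inventory:
        minimum = required.get(product)
        if minimum is not None and not is_patched(installed, minimum):
            unpatched.append((host, product, installed, minimum))
        # Assumed convention: personal devices are named 'byod-*' and belong on 'guest'.
        if host.startswith(byod_prefix) and segment != "guest":
            byod_on_corporate.append((host, segment))
    return {"unpatched": unpatched, "byod_on_corporate": byod_on_corporate}


if __name__ == "__main__":
    report = audit(INVENTORY)
    for host, product, have, need in report["unpatched"]:
        print(f"UNPATCHED {host}: {product} {have} < {need}")
    for host, segment in report["byod_on_corporate"]:
        print(f"BYOD POLICY {host}: on '{segment}' segment, expected 'guest'")
```

In the constructed data, `byod-phone-7` appears in both lists: an unpatched personal device on the business network, which is exactly the scenario the text warns about. Products missing from the baseline are skipped rather than failed, so the baseline itself needs to be reviewed for completeness as part of the same steering-group check.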
Investing in the right areas
Whilst the 3Ps each have a different technical aspect to their attack method, they all have one thing in common: human error.
All too often organisations commit to unnecessary overspend on technical solutions when there are more affordable and easier-to-implement controls that will provide a greater return on investment. Organisations must commit time to developing a security strategy that meets the business objectives, and implement measures based on the probability and consequence of risks to those objectives. There is no point implementing controls at all costs; doing so will only impede the business objectives. Similarly, an approach that tries to mitigate risks through layered technical solutions alone is flawed, for the sole reason that human nature will always be the weakest link and the path of least resistance for the threat. A layered approach balanced between technical, physical and human controls is essential to creating hard shoulders that effectively and efficiently achieve the desired outcomes.
In addition to considering the business objectives when implementing controls, managers and executive teams must consider the CIA triad: Confidentiality, Integrity and Availability of information. Take a health team performing a life-saving or complex operation. Which aspect of the triad matters most? Does a surgeon or nurse have the time to authenticate with a password and MFA to access vital patient information in theatre? I would suggest that availability of the information trumps confidentiality, while integrity is probably equally important. Therefore, some systems or endpoints may require basic or no authentication to mitigate the greater risk to human life. This is where our layered solution comes into effect: it allows controls to be placed in other areas, which then create the hard shoulders protecting the more vulnerable systems.
Moving forward, there needs to be a shift away from the doom-and-gloom approach to cybersecurity. Understanding the consequences and risks is very important, but the strategic focus for executives should not be on the negative effects of an attack but rather on the positive aspects of developing a sound cybersecurity strategy. Capgemini's Digital Transformation Review highlights that consumers across the retail industry are willing to spend 20% more with companies that demonstrate robust cybersecurity capabilities. Additionally, organisations that adopt advanced cybersecurity measures drive a 5.4% uplift in annual revenue.
For information security managers, taking the positive approach in selling cyber and information security upgrades to executives, with tangible metrics associated with profit and revenue, is much more likely to elicit a positive response and investment in resources. The implemented procedures and controls, however, must be congruent with the organisation's business processes so as not to impede agility and continuity; otherwise, the workforce will not embrace the change and corners will be cut.
Re-framing the approach
There is no silver bullet that fully prevents a breach from occurring. The fact is you are more likely to be breached than not, especially as cybercrime is now more profitable than drug trafficking. If organisations become comfortable with this realisation, then re-framing our thought process from "how do we stop a breach from occurring" to "how do we stop the breach from spreading" may shift the organisational focus from a defensive posture to an offensive one. Instead of waiting for something to happen, organisations can energise their workforce to actively engage in measures to seek out, detect and report, thereby enhancing the organisation's security culture and developing organisational citizenship behaviours. As George Washington wrote in 1799, "…make them believe, that offensive operations, oftentimes, is the surest, if not the only (in some cases) means of defense".
Just as organisations and employees have vulnerabilities, so do the threats. One of those vulnerabilities is organisational collaboration. Breaches of significance are often reported in the media; however, by the time the investigation has been completed and the results released, the threats have changed their tactics. Imagine ecosystems where organisations shared information about attempted, detected and successful breaches: a simple 5Ws record, essentially a lessons-learnt database, that allows organisations to remain inside the OODA loop (Observe, Orientate, Decide, Act) of the threats. Our tactics would change faster than theirs, keeping the threats on their toes instead of the other way around.
Cybersecurity breaches are unlikely to subside; the fact is they are likely to get worse. The threats' avenue of approach (the 3Ps) is also unlikely to change, but their tactics along that avenue of approach most certainly will. So our ability to remain within their decision cycle will depend on our ability to adapt, shift our focus and re-frame the approach to implementing security solutions. It will require a greater degree of trust between organisations to share information, and the ability to think outside the box.
Matt Bunker provides specialist security advice, training and solutions to organisations and executives. He is the Managing Director of a security and risk management firm and a former Special Forces Army Officer.