2016 Summary: To understand where we are, we must first look at where we came from
To say last year was a catastrophe in terms of combating cyber threats in Australia would be putting it lightly. Australia faced its worst ever year in terms of number, size and severity of attacks.
It is frightening to think that the biggest and most damaging data breach in Australian history was carried out by running a simple IP scan with a tool that can be downloaded for free. The medical records of 1.3 million donors, dating back to 2013, were exposed. The breach revealed personal details such as health records, sexual history and contact details.
Another major event of 2016 that drove the rapid progression of the cyber security standards set by the government was the email phishing scam that cost the Brisbane City Council approximately $450,000. All the scammer did was send emails posing as a contractor and trick staff into wiring the contractor's payments into the scammer's own bank account.
The Big Problem: Reactive, not proactive
You must be thinking, "Wow! Seeing how easy it is for systems to be hacked, companies must surely be scurrying to make sure they are protected!" Unfortunately, that is not the case. Why? It's simple really: human nature. Most people are reactive rather than proactive when it comes to something new. People don't usually feel a threat until it's right at their doorstep. This is especially true in a business environment. Executives have so much on their plates that new threats tend to go straight to the bottom of their to-do list.
It is too easy for hackers
Another issue is the lack of knowledge and understanding of the risk posed by system vulnerabilities. Despite 80% of Australian companies believing they face an increased threat of cyber attack, 51% believe their organisation does not have the systems in place to detect a sophisticated attack.
A Global Information Security Survey done by EY found companies are lacking the agility, the budget and the skills to mitigate known vulnerabilities and successfully address cyber security. 50% of respondents said that their organisation’s total information security budget will stay approximately the same or decrease in the coming 12 months despite threats.
34% of organisations have no real-time insight into cyber risks, and 55% say that a lack of skilled resources is one of the main obstacles challenging their information security program, with only 17% meeting all security operations requirements in house. Another issue is the reliance on scanners, which any hacker can bypass. Some executives still think antivirus is enough to fight off hacks, even though most companies don't keep it updated and most hackers can work around it. Most hacking techniques can bypass antivirus or go undetected.
Business Basics: Technology adoption lifecycle
The technology adoption lifecycle is a sociological model that describes the adoption or acceptance of a new product or innovation according to the demographic and psychological characteristics of defined adopter groups. From a cyber security perspective, the innovators would be, for example, hackers and programmers. The early adopters would be government, large corporations, cloud-based system operators and so on. The early majority would be SMEs, the late majority the general public, and the laggards those who do not use the internet as frequently.
What will drive change?
As we begin the Early majority stage of cyber security, what will be the main driving forces for change?
- Mandatory data breach reporting law with $3.8 million fine
- Continuous increase in number, size and severity of data breaches
- General public awareness and outrage
- Difficulty to conduct business without firm security assurances
Drivers of change: Mandatory data breach reporting
After many years, the Australian government is now ready to change its Privacy Act in response to increased cyber threats. The passing of the long-awaited mandatory data breach notification laws through the House of Representatives is a clear indicator of this.
The bill passed through with bipartisan support on Tuesday (7 Feb 17), having been on the government's agenda since early 2015. Organisations will have to reveal if their systems are compromised by cyber attacks or technical failings.
Companies affected by the legislation include businesses with over $3 million in turnover, smaller firms that handle sensitive information and most government agencies. The concept of a mandatory data breach reporting scheme first emerged in 2008, when the Australian Law Reform Commission reviewed Australia's privacy laws and recommended its introduction. Under this law, failure to report a breach would incur a $1.8 million fine for a company and a $360K fine for an individual.
Lawsuits: Once companies are forced to disclose more breaches, people who are affected are likely to file lawsuits if sensitive information is lost.
General public awareness and outrage: as more and more attacks occur and media focus increases, customers will demand evidence of IT security measures and those that do not have any in place would be highly scrutinised.
Difficulty to conduct business without firm security assurances: this will be due to the fact that companies with security measures will be less willing to deal with other companies unless they can assure them their systems are secure thus reducing third party vulnerabilities.
Irreparable brand damage: this is another factor, and one that is hard for a company to recover from.
Impact of a data breach: Ashley Madison: case study
In July 2015, a group calling itself "The Impact Team" stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The group copied personal information about the site's user base and threatened to release users' names and personally identifying information if Ashley Madison was not immediately shut down. On 18 and 20 August, the group leaked more than 25 gigabytes of company data, including user details.
Impact: Extortion. Following the hack, communities of internet vigilantes began combing through the leaked data to find famous individuals, whom they planned to publicly humiliate. France24 reported that 1,200 Saudi Arabian .sa email addresses were in the leaked database, and in Saudi Arabia adultery can be punished with death.
Several thousand U.S. .mil and .gov email addresses were registered on the site. In the days following the breach, extortionists began targeting people whose details were included in the leak, attempting to scam over US$200 worth of Bitcoins from them.
One company started offering a "search engine" where people could type email addresses of colleagues or their spouse into the website, and if the email address was on the database leak, then the company would send them letters threatening that their details were to be exposed unless they paid money to the company.
Suicide: On 24 August 2015, Toronto police announced that two unconfirmed suicides had been linked to the data breach, in addition to "reports of hate crimes connected to the hack." Unconfirmed reports say a man in the U.S. died by suicide. On 24 August 2015, a pastor and professor at the New Orleans Baptist Theological Seminary committed suicide citing the leak that had occurred six days before.
Lawsuit: Users whose details were leaked filed a $567 million class action lawsuit against Avid Dating Life and Avid Media, the owners of Ashley Madison, through Canadian law firms Charney Lawyers and Sutts, Strosberg LLP.
Tackling a company's cyber security is a huge task because of the multitude of ways a system can be infiltrated, especially for large multinationals. Therefore, a smart approach is to first determine the current security posture, find vulnerabilities and progress from there. This is achievable through conducting a penetration test. A penetration test is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities.
These vulnerabilities may exist in operating systems, service and application flaws, improper configurations, or risky end user behaviour. Penetration tests should be conducted at least quarterly, together with security audits. Companies that handle credit card information should also make sure they adhere to the relevant PCI compliance standards.
Managed Security Services
A penetration test is the best first step, as it brings a company's cyber security up to current standards. However, cyber security is a rapidly developing field in which new threats are found every day.
Think of it this way: it's like a game of cat and mouse, but instead of trying to catch a mouse you are chasing a ghost who probably knows how your system works better than you do. On average, for every 2500 lines of code there is at least 1 vulnerability.
An iPhone has about 8 million lines of code. By that ratio, that's 3200 vulnerabilities waiting to be exploited, hence all the annoying system updates and bug fixes. That is the perfect example of how cyber security should be done: constantly. This is, however, very expensive because of the equipment required and the demand for trained professionals capable of performing these tasks.
Thus the best solution is managed security services. Live monitoring by IT security specialists gives an unprecedented view into attacks, providing threat data and real-time analysis that deliver powerful protection.
Article by Panashe Muzenda, Cybernetic Global Intelligence.