The year just past saw several high-profile cyber-attacks hit the news, and brought the whole issue of cyber-security firmly into the spotlight. With the lessons still being learned from 2015 in mind, let’s look ahead to what you should be wary of in the months to come.
Home is Where the Hurt Is?
“Smart” domestic devices and the growing Internet of Things (IoT) will contribute to making the average home a source of potential cyber-security risk.
Off-the-rack components and their supporting platform of unregulated cloud services may mean that the multitude of webcams, smart TV sets, garage and front-door locking mechanisms, lighting systems and alarms leave the production floor with inherent security vulnerabilities built in.
Even basic protections like password access or encryption may be absent – and those devices that do have security features on-board may be difficult to update, as there are so many of them, in such diverse locations.
The threat is relevant, as many of these devices are continuously collecting personal information about us, which could be of value to hackers. Gaining access to a smart device is also a route into the home, where, for example, a baby monitor could be turned into a spycam.
To say nothing of the issue of control. Last year, hackers were able to remotely gain control of vehicles made by Jeep, taking over the steering, and even decommissioning the braking system. And a smart rifle with Wi-Fi capability was discovered to have a targeting mechanism which could be remotely hacked.
A Case of Stagefright
Handheld devices aren’t immune to the threat, either. Security researchers have revealed a massive flaw in the Android operating system which has the potential to affect tens of millions of smartphones, tablets, and other devices.
Dubbed “Stagefright”, the vulnerability exists in the code which manages Android’s handling of image display and processing. Stagefright could potentially be set off via a booby-trapped text message, sent to unwitting recipients.
Google has responded by issuing a patch – but with many Android users still unaware of the threat (or in locations where easy access to the Play Store is a luxury), there could be millions of vulnerable devices still out there.
Unsolved Equation
Independent contractors like Hacking Team (an alleged source of espionage gear for rogue states and other oppressive regimes) have been one supplier of spying tools for governments and state-sponsored organisations. But several nations are actively pursuing this technology on their own.
One such system is the Equation Group, a hard drive intrusion mechanism which operates at the firmware level, with the ability to reinstall itself from a hidden sector on the disk – even if the operating system is completely refreshed.
Due to its level of sophistication, researchers think it probable that the Equation Group was developed through direct state sponsorship, with the Reuters news agency quoting anonymous sources formerly associated with America’s NSA (National Security Agency) who confirm its origins within that organisation.
Spying has been a part of international relations since nation-states first emerged, so this isn’t a problem that’s going to go away. And it’s not just other governments that are targeted; high-profile organisations and specific enterprises within a country are vulnerable, too.
The Walking, Talking Threat Element
Nuix – a company specialising in information management technologies and global security intelligence – has just released its survey of chief information security officers and directors from Fortune 1000 and Fortune 500 companies.
The report suggests that over 70% of respondents now have a policy or programme in place to deal with threats from inside their enterprise, with some 14% of those surveyed dedicating over 40% of their budgets to this particular security issue.
Simply stated, people are seen as the biggest threat or weakness, as far as securing information is concerned.
Malicious intent is one problem, but the persistent risk comes from ignorance and sloppy practices: taking shortcuts to gain system access or use of resources, unsafe conduct with email and text messaging, lack of discretion when speaking over open channels, etc.
Thankfully, people can be educated, and best practices can be put in place.
Some Best Practices:
Know the Risks: Each organisation is different, with its own unique information set and network infrastructure. It’s important to assess the value of the data you have, and the level of vulnerability of your operations and assets.
Use Layers: Firewalls alone aren’t enough. Access protection should be complemented by monitoring software within the system, to continuously scan for vulnerabilities and unauthorised activity.
Use Analytics: Make sure that analytics software is part of your security suite, so that abnormal events and unusual patterns of activity can be identified over time.
Use Encryption: The 2015 attack on BlueCross BlueShield was made much less severe through the simple password encryption of the hacked CareFirst data; though birth-dates, names, and emails of over 1 million users were compromised, their password-protected medical records and Social Security data remained intact.
Use Two-Stage Authentication: Simple protocols like having to answer a security question after a password login or entering a code sent via SMS can reduce unauthorised access damage significantly.
Keep Track of Changes: Audit trails should be used to record each instance when someone opens, signs, or sends a document. Use tamper-proofing technology as well to reduce fraud, by alerting anyone whose e-signature is on a document to any changes subsequently made to it.
Train and Test Your People: Educate your staff in the security protocols and practices you have in place – and conduct periodic drills to simulate a cyber-attack, to gauge their preparedness and response.
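To make the "Keep Track of Changes" practice concrete, here is an added sketch (not taken from any product named in this article) of a tamper-evident audit trail that logs open/sign/send events and works out which signers to alert when a document no longer matches what they signed. The class, function, user names and key are all hypothetical, and the sample documents are constructed.

```python
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key"  # assumption: really held in a secrets manager

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

class AuditTrail:
    """Append-only log; each entry's MAC also covers the previous entry's MAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, prev: str, body: dict) -> str:
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, user: str, action: str, content: bytes) -> None:
        # Timestamps are left out so the example is deterministic.
        prev = self.entries[-1]["mac"] if self.entries else ""
        body = {"user": user, "action": action, "doc_sha256": digest(content)}
        self.entries.append({**body, "mac": self._mac(prev, body)})

    def verify_chain(self) -> bool:
        """False if any logged entry was edited, removed mid-chain or reordered."""
        prev = ""
        for e in self.entries:
            body = {k: e[k] for k in ("user", "action", "doc_sha256")}
            if not hmac.compare_digest(e["mac"], self._mac(prev, body)):
                return False
            prev = e["mac"]
        return True

    def signers_to_alert(self, current: bytes) -> list:
        """Users whose signature was made over content that differs from `current`."""
        now = digest(current)
        return sorted({e["user"] for e in self.entries
                       if e["action"] == "sign" and e["doc_sha256"] != now})

def demo():
    trail = AuditTrail(AUDIT_KEY)
    v1 = b"Contract: pay 1,000 GBP"  # constructed document as signed
    v2 = b"Contract: pay 9,000 GBP"  # constructed document, altered afterwards
    for user, action, doc in [("alice", "open", v1), ("alice", "sign", v1),
                              ("bob", "sign", v1), ("carol", "send", v2)]:
        trail.record(user, action, doc)
    return trail, v1, v2
```

Chaining the MACs detects edits inside the log but not removal of the newest entries, so the latest MAC should also be stored somewhere the log's administrators cannot modify.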
It’s no longer a question of “if” your organisation will come under attack, but “when”. Your best defence is to plan for that event.