vol 10, issue 1

Cyber-security: organisations vulnerable to new swathe of attacks

19 January 2015
By Aasha Bodhani

Feeling lucky?


North Korea is accused of attacking Sony Pictures in retaliation for ‘The Interview’


A security engineer at Google works in a hallway during the Black Hat 2014 security conference


Apple’s iCloud service in China came under attack in 2014

2014 saw Apple, Target, Ebay and Sony become victims of cyber theft, and while experts warn 2015 is set for further disasters, organisations are betting on not being targets rather than addressing the core problems.

2014 was a bad year for cyber security, and experts warn that 2015 could be even worse. The scale of attacks indicates that cyber crime is not only a considerable challenge but that the bad guys are winning. Rather than implement effective security, many organisations are simply gambling that they do not represent an attractive enough target compared with their peers.

The cyber world has become an increasingly attractive playground for criminals, activists and terrorists motivated to become noticed, make money, cause havoc or bring down corporations and governments through online attacks. In 2013 alone, IBM reported, 1.5 million monitored cyber attacks took place in the US, so it is not a surprise that cyber-security specialist and senior vice president of products at Clearswift Guy Bunker warns: "threats are an everyday event and breaches are 'when' not 'if'."

To make matters worse, cyber criminals are not stopping at the obvious, such as hacking smartphones and e-health devices and stealing credit cards; they are beginning to see driverless vehicles, e-cigarettes and smart kitchen appliances as potential targets.

Before 2014 got under way, security consultancy Websense predicted a number of attack types would blossom. Its recent '2014 Predictions Accuracy' report shows that the experts had identified some key problems correctly. The report states that as the cloud became the preferred location for storing data, cyber criminals focused their attention on attacking the cloud.

Other predictions that appear to have come true include a shift from simple data theft at corporation level to nation-state level, a decrease in the quantity of new malware resulting in more targeted attacks and cyber criminals targeting the weakest links in the information chain, such as third-party vendors, contractors, point-of-sale devices and out-of-date software.

During 2014, US retailers Neiman Marcus and Target reported that 110 million accounts had been compromised. The Heartbleed bug made its presence known in April, affecting the likes of Mumsnet, Pinterest and Google. The bug lay in open-source software, OpenSSL, that is designed to encrypt communications between a user's computer and a web server, and resulted in exposure of users' personal information.

Cyber criminals are not only after personal or financial information. As the year drew to a close, Sony's movie division Sony Pictures suffered a cyber attack that resulted in upcoming movies being leaked. North Korea was accused of being behind the attacks: an apparent attempt to prevent a comedy being released that shows the nation's leader Kim Jong-un threatened by assassination.

"Each year we see the frequency and severity of security attacks increase, and there is no reason to think 2015 will buck this trend," says Co3 Systems CEO John Bruce. "The consequence will be harsher measures within the EU on companies who are not adequately prepared for security breaches and it is possible that as in the US, we will see CSOs or even CEOs lose their jobs as a result.

"Furthermore in 2015, there will be an attack on the scale of the Target breach, so large and far-reaching that it can't be swept under the carpet."

More attacks, less change

TK Keanini, CTO at Lancope, sounds a similar note, warning: "The big message in 2015 is that security is everyone's problem."

Organisations remain largely unprepared for the onslaught, according to Ernst & Young's findings from its 'Get Ahead of Cybercrime' report. For the most part, the report claims, they lack the awareness, budget and skills to prevent a cyber attack.

EY's global cyber-security leader Ken Allan says: "This expansion of cyber crime is not being matched by a corresponding expansion in the capability of organisations to manage the risk, creating an ever increasing gap. All of this contributes to a greater likelihood that a cyber attack will have serious negative consequences, potentially leading to the ultimate demise of an organisation."

Of the 1,825 organisations surveyed, 67 per cent face rising threats in their information security risk environment, and 37 per cent have no real-time insight into cyber risks necessary to combat these threats. Despite an increase in attacks, 43 per cent said their organisation's budget will stay approximately the same, and 53 per cent believe a lack of skilled resources is another obstacle in defeating cyber crime.

"Cyber crime is not slowing down for a number of reasons," says Allan. "Firstly, the opportunity for criminals to make money continues to grow. We not only have the sale of commodity information such as credit card details, we also have the sale of sensitive business information, such as intellectual property."

Allan adds that there is more to attack now. "As businesses expand their digital footprint to create more channels or more cost effective ways to market, there are greater opportunities for cyber criminals.

"Lastly there is the inevitable expansion of the IT estate to include mobile devices and the increasing connection of the Internet of Things, again increasing the footprint that can be attacked."

Allan says there are three roadblocks. First is lack of agility, as organisations admit there are still known vulnerabilities in their cyber defences and they are not moving fast enough to mitigate these. Second, more organisations are reporting that their information security budgets will not increase, meaning they are unable to face growing threats effectively. The last roadblock is the lack of cyber-security specialists. Organisations need to build skills in non-technical disciplines, such as analytics, to integrate cyber security into the core business.

"The approach organisations need to take to get ahead of cyber crime has little to do with technology. Organisations have to ensure they are adaptable to business needs, and incorporating cyber security strategy into business decisions," reckons Allan. "They also have to have a clear view of what it is they want or need to protect. Identifying the so-called crown jewels is essential. This implies a differential approach where some assets are better protected than others."

When, not if

Websense's '2015 Security Predictions' report states that cyber espionage, the Internet of Things, healthcare, credit-card theft and mobile attacks are the biggest cyber threats to come in the next 12 months.

"Cyber crime will continue to boom in 2015 as we see more criminals enter the profession not wanting to miss out. The reason for this is simply that cyber crime pays; the rewards heavily outweigh the risks," explains Co3's John Bruce. "The likelihood of getting caught is very small in comparison to other serious crimes, plus there is a low cost of entry, as the tools needed to attack even the most comprehensive security systems are incredibly cheap when compared with what could be gained."

Lancope's Keanini says access to the hacks themselves is getting easier: "We are seeing a lot of modularity to cyber crime. An attacker doesn't necessarily have to have the knowledge of an exploit or delivery mode to have a successful campaign; they can go to market and buy those things. They are not individuals anymore. They are a system of attackers."

Healthcare provides an attractive target for cyber criminals because patient records hold a treasure trove of data that is valuable to an attacker, plus no other single type of record contains so much personally identifiable information that can be used in a multitude of different follow-up attacks and various types of fraud.

The Internet of Things presents another problem for 2015 and will change the security landscape in cyberspace. For the moment consumer products and household items do not present the main security threat: business use will be the main focus. Websense forecasts that there will be at least one major breach of an organisation via a newly introduced Internet-connected device, most likely through a programmable logic controller, or similar connected device, in a manufacturing environment.

Spurred by the Target case, the retail industry is under the spotlight. According to Websense the game is changing. Although credit-card theft through point-of-sale systems is the norm, credit cards are now being hacked and then put up for sale on carding sites worldwide. Of course when a credit card is flagged up as stolen and then cancelled, the value in the card decreases; however Websense says this only pushes criminals to gather more cards.

Furthermore, Websense predicts, cyber espionage will be hard to control, as countries are already fighting a cyber war through economic, industrial, military and political means.

"The SandWorm zero-day exploit made big headlines when its discovery was revealed in October. Part of the reason was because of the technical implications, but the other was because of the impact. We know that at least one hacking group used the vulnerability to target critical infrastructure, a trend that will continue in 2015," says Bruce. "Although hacktivism failed to dominate the headlines in 2014, it has always been cyclical. With several conflicts persisting around the world, and given a controversial general election this year in the UK, we should expect renewed momentum in this kind of malicious activity."

Mobile phone attacks are not solely seen as ways to crack the passcode or to steal data from the device itself any more, but increasingly as a way to steal information from the cloud it is connected to. As businesses tend to rely on the cloud to store data, a variety of devices, such as desktop, mobile and tablet, will have access to it, meaning cyber criminals will be able to hack into the business's cloud platform through a mobile and gain more company data.

"2015 will bring more Heartbleeds, Shellshocks and high-profile cyber-security breaches. Users today have too much access to too many resources, from too many places, using too many identities, which cannot be allowed to continue," says Centrify's CTO Barry Scott. "IT has become 'de-perimeterised' as a result of cloud and mobile technologies, with traditional security, such as firewalls, now inadequate, and identity management solutions have become more important to handle identity as the new perimeter. It's only logical that this will lead to a rise in cloud-based identity management services, so-called identity as a service or IDaaS, where new features can be added incredibly fast as needs dictate, compared with traditional on-premises software products."

Moving forward

Although individuals are being advised to protect their passwords better, the real change must come from organisations, as they have much greater opportunity to combat cyber crime.

Scott says: "There needs to be more focus on finding alternatives to passwords, increased use of multi-factor authentication to plug the holes passwords can leave, so businesses should demand their SaaS application providers provide federated authentication to stop the explosion of user identities."

"Threat intelligence and threat knowledge-sharing shows growing promise, representing a real opportunity to turn the tables on the bad guys. Currently there are a number of obstacles to its success, including the relative quality of the data involved and how complicated it can be to share," Bruce says. "We've learnt by now that technology is no panacea; therefore getting the balance of how humans and machines work together will be increasingly important. Studies of chess masters and supercomputers have shown that a computer alone, no matter how powerful, can still be overcome."

Bruce adds: "Security solutions still lack the judgement that's needed to make sure that the cure they prescribe isn't worse than the disease it's intended to address. The ideal approach will leverage computers for information collection and analysis, but rely on humans to fine-tune the response."

Keanini sees the positive: "If there is any good news, it's brought the topic to the forefront. Organisations that are paying attention out there or that have been abused will perform threat modelling as part of their business continuity plan."
