What kind of year has it been? Cybersecurity review part 2
We’re looking back at what could be described as a ‘tumultuous’ year from a cybersecurity point of view. If you missed it, take a look at part one, which covered the first six months of 2017.
Strap yourselves in for part two for the second half, where we also look at what we must now do as an industry to help our customers step up to these new levels of cyber threat…
July – August 2017
In the latter half of the year we released our Midyear Cybersecurity Report, which showed how much things had moved on in the last six months alone.
Crucially, we revealed that though they are still primarily motivated by financial gain, the aim of some cyber criminals now is to step things up a gear, and not just to attack, but to destroy in a way that prevents organisations from restoring their systems and data (i.e. taking out their backups).
Here’s a key line from the report:
“The rapid evolution of threats and the magnitude of attacks that Cisco’s threat researchers and technology partners have been observing of late is troubling. There is a sense throughout the security community that actors in the shadow economy may be carefully laying the groundwork for campaigns that not only will have far-reaching impact, but also will be extremely difficult to recover from. They seek to eliminate the “safety net” that organisations rely on to restore their systems and data following a DDoS attack, a ransomware campaign, or any other cyber incident that severely disrupts their operations.”
What’s the main reason for the escalation in activity? Much of the blame lies at the door of cyber criminals seeing the huge opportunity in being able to hack into IoT devices (those which haven’t necessarily been built with security in mind), and create large scale attacks using IoT botnets.
The report goes on to explain that we’ve seen evidence that most organisations aren’t fully aware of what IoT devices may be connecting to their network – such as smart meters, cameras, or thermostats. Many of these devices lag well behind desktop security capabilities, are rarely patched, and typically run outdated applications.
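One practical way to close the visibility gap described above is to compare what the DHCP server hands out against the asset inventory: anything leasing an address that IT has no record of is a candidate rogue device. The script below is an added example (not code from the report or from Cisco); the DHCP log lines, the asset inventory and the OUI-to-device-class table are all constructed for illustration, and a real deployment would load the IEEE OUI registry and the actual CMDB instead.

```python
"""Flag DHCP leases handed to devices that are absent from the asset inventory.

Added example, not from the blog post or the Cisco report. The log lines,
the inventory and the OUI table are constructed for illustration.
"""
import re
from collections import namedtuple

# Constructed sample of dhcpd-style syslog lines (format simplified for the example).
SAMPLE_DHCP_LOG = """\
Dec 12 08:01:10 dhcp dhcpd: DHCPACK on 10.20.1.15 to 3c:52:82:aa:bb:01 (finance-pc-07) via eth0
Dec 12 08:02:31 dhcp dhcpd: DHCPACK on 10.20.1.88 to b8:27:eb:12:34:56 via eth0
Dec 12 08:03:02 dhcp dhcpd: DHCPACK on 10.20.1.91 to 00:12:fb:9a:bc:de (ipcam-lobby) via eth0
Dec 12 08:04:44 dhcp dhcpd: DHCPACK on 10.20.1.92 to 18:b4:30:01:02:03 (nest-thermostat) via eth0
Dec 12 08:05:00 dhcp dhcpd: DHCPDISCOVER from 70:ee:50:00:11:22 via eth0
"""

# Constructed asset inventory: the MAC addresses IT actually has on record.
KNOWN_ASSETS = {"3c:52:82:aa:bb:01", "00:12:fb:9a:bc:de"}

# Constructed, partial OUI (first three octets) -> device-class hints.
# Load the IEEE OUI registry for real use; these entries are illustrative only.
OUI_HINTS = {
    "b8:27:eb": "single-board computer",
    "18:b4:30": "smart thermostat",
    "70:ee:50": "smart meter / sensor gateway",
}

Lease = namedtuple("Lease", "ip mac hostname")

# Matches both a completed lease (DHCPACK) and a device merely asking (DHCPDISCOVER).
LEASE_RE = re.compile(
    r"DHCP(?:ACK on (?P<ip>\S+) to|DISCOVER from) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_leases(log_text):
    """Yield one Lease per recognised DHCP log line; unrecognised lines are skipped."""
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            yield Lease(m.group("ip"), m.group("mac").lower(), m.group("host"))


def find_unmanaged_devices(log_text, known=KNOWN_ASSETS, oui_hints=OUI_HINTS):
    """Return the leases whose MAC is not in the inventory, with a device-class hint."""
    findings = []
    seen = set()
    for lease in parse_leases(log_text):
        if lease.mac in known or lease.mac in seen:
            continue
        seen.add(lease.mac)
        findings.append({
            "mac": lease.mac,
            "ip": lease.ip,                      # None for a DISCOVER with no lease yet
            "hostname": lease.hostname,          # None when the client sent no name
            "device_class": oui_hints.get(lease.mac[:8], "unknown vendor"),
        })
    return findings


if __name__ == "__main__":
    for f in find_unmanaged_devices(SAMPLE_DHCP_LOG):
        print(f"{f['mac']}  ip={f['ip']}  host={f['hostname']}  class={f['device_class']}")
```

Run over real DHCP logs, the interesting output is not the list itself but the device classes in it: a thermostat or camera leasing an address that nobody registered is exactly the unpatched, unmanaged endpoint the report warns about, and it belongs in the inventory (or on a segregated network) before it is a problem.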
September – December 2017
In September we discovered a malicious backdoor within the security tool CCleaner, which was used to deliver malware to those who had installed the (otherwise legitimate) tool.
It’s what’s known as a ‘Supply Chain Attack’, where cyber criminals compromise software update mechanisms, and effectively piggy-back on the distribution of legitimate software.
The distribution method is similar to that of Nyetya, and reminiscent of the way potentially unwanted programs are bundled alongside freeware downloads.
Bad Rabbit Ransomware
Towards the end of the year we also saw the release of the Bad Rabbit ransomware. It worked by encouraging users who visited compromised websites to install malware masquerading as a Flash Player update.
The malware then checks for other computers on the same network, and attempts to spread to infect them using a variety of techniques. In parallel, the malware acts to encrypt local files and demands the payment of a ransom in order to regain access to the encrypted files.
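Because the initial lure was a fake Flash Player update served from compromised websites, the distribution host is not something a defender knows in advance; what can be keyed on is the mismatch between a file that claims to be a Flash installer and a host that is not the vendor's. The detector below is an added example (not code from the blog post or from Cisco) that runs that rule over web-proxy logs; the log lines are constructed in a simplified "timestamp source method url status" layout, and the allow-list of vendor domains is an assumption to be tuned for your own environment.

```python
"""Flag executable downloads that present themselves as a Flash Player update
from hosts outside the vendor's distribution domains.

Added example, not from the blog post or from Cisco. The proxy log lines are
constructed (simplified layout) and the allow-list is an assumption.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: "<timestamp> <source IP> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2017-12-12T09:14:01Z 10.20.1.15 GET http://news-site.test/articles/2017/12/index.html 200
2017-12-12T09:14:03Z 10.20.1.15 GET http://cdn-updates.test/flash/install_flash_player.exe 200
2017-12-12T09:20:45Z 10.20.1.22 GET https://get.adobe.com/flashplayer/download/ 200
2017-12-12T09:31:10Z 10.20.1.40 GET http://files.partner.test/tools/setup.exe 200
2017-12-12T09:33:12Z 10.20.1.40 GET http://files.partner.test/tools/FlashPlayerUpdate.msi 200
"""

# Assumed allow-list: domains a genuine Flash Player download would come from.
TRUSTED_FLASH_HOSTS = ("adobe.com", "macromedia.com")

# File names that advertise themselves as a Flash Player installer.
FLASH_NAME_RE = re.compile(r"flash.{0,10}player|install_flash", re.IGNORECASE)
EXEC_EXTS = (".exe", ".msi")


def host_is_trusted(host, trusted=TRUSTED_FLASH_HOSTS):
    """True when host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def parse_proxy_line(line):
    """Split one constructed-format log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def detect_fake_flash_installers(log_text, trusted=TRUSTED_FLASH_HOSTS):
    """Return one alert per executable whose name claims to be a Flash installer
    but which was fetched from a host outside the trusted list."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["url"])
        filename = url.path.rsplit("/", 1)[-1]
        if not filename.lower().endswith(EXEC_EXTS):
            continue                      # only binaries matter for this rule
        if not FLASH_NAME_RE.search(filename):
            continue                      # not posing as a Flash installer
        if host_is_trusted(url.hostname or "", trusted):
            continue                      # the vendor's own distribution host
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "host": url.hostname,
            "file": filename,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_fake_flash_installers(SAMPLE_PROXY_LOG):
        print(f"{a['ts']} {a['src']} fetched {a['file']} from {a['host']}")
```

Treat a hit as a triage signal rather than a verdict: the source IP tells the responder which endpoint to isolate and check for the post-install behaviour the post describes (encryption of local files and attempts to reach other machines on the network), and the host field tells them which site to block and report. Legitimate CDNs will occasionally trip the rule, so the allow-list needs maintaining.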
So, what kind of year has it been?
From a cybersecurity perspective, we have seen even more destructive intent from the cyber criminals. They are increasing their attempts to ensure their campaigns are widespread, self-propagating, and undetectable until it’s too late.
So, the priority has to be on making sure your defences are strong enough and layered enough…but it’s about more than simply meeting the new threat. It’s about ensuring security flows through the business, and isn’t just contained within the IT department.
If security isn’t ingrained in your overall business strategy, this often means it gets “bolted on”, which actually slows you down and inhibits your growth. Worst-case scenario – you’ll have to stop, go back, and fix cybersecurity concerns that should have been considered at the outset.
Here’s some advice from Cisco Cybersecurity leader Mik Stevens on how to raise the platform of security within your business:
- Personalise your business’ cybersecurity risk factors. Just like employers don’t like receiving generic CVs, boards don’t like it when they have to look at stuff that is of little relevance. What does risk mean to you? Are you a retail business that is particularly at risk at peak periods? Are your employees more likely to partake in Shadow IT?
- It’s also important to benchmark this against other companies in your industry. Boards like context – it’s not just your business that needs to mitigate this risk – everyone needs to.
- Even better – add a monetary value on the potential cost of a data breach for this particular risk. Don’t forget to add GDPR fines on top of this, should you be proven to not have had ‘appropriate security’.
- Demonstrate a scenario of a cyber attack. For example – a ransomware attack on an endpoint. Explain how your current security posture would cope with such an attack and how you could limit the damage with more effective layers of security. Crucially – how quickly can you respond? At what point would you know about the threat? What can be done to improve this? Again, put monetary values on the potential downtime/cost to remove the malware.
To learn more about how to innovate securely in 2018, take a look at our ebook: “Cybersecurity done right”, which includes a section from one of our Talos experts, Martin Lee, on how to keep tabs on rogue IoT devices.