As 2017 comes in, it is time for businesses to think about several serious cybersecurity risks that not only pose significant risks to many enterprises today, but are also growing more threatening with the passage of time. Here are four such risks; enterprises would be wise to develop defense mechanisms against these risks as soon as possible.
Advanced Persistent Threats
In some ways, Advanced Persistent Threats (APTs) are the scariest cybersecurity risk facing businesses today. APTs are threats that combine three factors to create an extremely dangerous situation:
Advanced – APTs are advanced in the sense that the attacker (or attackers) utilizing them have the resources to carry out sophisticated, difficult-to-defend-against attacks; often the parties behind APTs are government agents or people acting on behalf of organized crime syndicates. These parties have large budgets to support armies of hackers, and may perform their own research and development in order to discover and exploit zero-day vulnerabilities. APTs are almost always launched with political or financial motives; APT actors are typically not interested in simply defacing a website or perpetrating other forms of “mischief.”
Persistent – APTs are persistent in that the parties utilizing them are willing to keep attacking their targets until they successfully compromise them; they are not opportunistic hackers who will grow frustrated and move on to some other party if they repeatedly fail to breach their intended victim. APT actors are also typically patient in another regard: after breaching an organization they usually do not wreak havoc in the short term; rather, they remain covert over the long term and maximize the value of the breach to themselves – by searching networks for more valuable data, by infecting more mission-critical systems, etc.
Threat – APTs are threats in that the parties with the advanced capabilities and ability to be persistent pose a threat of attacking a third party. APT actors are hostile. Parties that are advanced and could be persistent, but which are not going to attack, do not pose a threat, and are not APTs. Many major corporations in the United States, for example, theoretically have the resources to launch APT attacks against other corporations but would never do so.
One of the major problems that APTs create is that classic security technologies often fail to shield against the attacks of a true APT actor. With the tools that the attacker is likely to possess, and with its persistence in attacking, it is likely that eventually at least one of its techniques will prove successful, and its target will be compromised. Remember, the odds are overwhelmingly in the attacker’s favor: the defender needs to protect against 100% of attacks, the attacker just needs a single attack to be successful.
As such, to protect against APTs, an organization must prepare to defend itself against situations in which a hostile party has successfully breached perimeter (and virtual perimeter) defenses, and has gained access to the enterprise’s internal networks connected to the Internet, and perhaps even to those not connected to it (as was the case with Stuxnet). One approach to dealing with APTs is to have security countermeasures that scan internal networks and systems for anomalous behavior of users and machines – if there is an attempt, for example, to transfer large amounts of data from a CFO’s computer in New York City to a computer system in China, that should raise a red flag and be investigated before the transfer is allowed to occur. Likewise, because social engineering is almost always an ingredient of modern attacks, addressing the “people risk” discussed below is critical in reducing exposure to APTs.
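The anomaly check described above, as an added example that is not part of the original article: a small Python detector that baselines each internal host's outbound volume and the destinations it normally talks to from constructed flow records, then flags a transfer that is both unusually large for that host and bound for a destination never seen before, so it can be held for investigation rather than allowed through. The host names, flow records and the 5x threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (host, destination country, bytes sent).
# A week of normal activity for an executive laptop and a build server.
BASELINE_FLOWS = [
    ("cfo-laptop", "US", 120_000_000), ("cfo-laptop", "US", 95_000_000),
    ("cfo-laptop", "GB", 40_000_000), ("cfo-laptop", "US", 110_000_000),
    ("cfo-laptop", "US", 130_000_000), ("cfo-laptop", "GB", 35_000_000),
    ("cfo-laptop", "US", 100_000_000),
    ("build-server", "US", 5_000_000_000), ("build-server", "DE", 4_800_000_000),
    ("build-server", "US", 5_200_000_000), ("build-server", "DE", 4_900_000_000),
]

def build_profiles(flows):
    """Per-host baseline: median outbound bytes and the set of destinations seen."""
    volumes = defaultdict(list)
    countries = defaultdict(set)
    for host, country, nbytes in flows:
        volumes[host].append(nbytes)
        countries[host].add(country)
    return {h: {"median": median(v), "countries": countries[h]} for h, v in volumes.items()}

def assess_flow(profiles, host, country, nbytes, size_factor=5.0):
    """Return the reasons this flow is anomalous for the host (empty list = normal)."""
    profile = profiles.get(host)
    if profile is None:
        return ["host has no baseline; treat as an unknown device"]
    reasons = []
    if nbytes > size_factor * profile["median"]:
        reasons.append(f"volume {nbytes} exceeds {size_factor}x host median {profile['median']:.0f}")
    if country not in profile["countries"]:
        reasons.append(f"destination {country} never seen for this host")
    return reasons

def should_hold_transfer(profiles, host, country, nbytes):
    """Hold for investigation when the host is unknown or when BOTH signals fire.
    Requiring both limits false positives from a single large but routine upload."""
    if host not in profiles:
        return True
    return len(assess_flow(profiles, host, country, nbytes)) == 2

if __name__ == "__main__":
    profiles = build_profiles(BASELINE_FLOWS)
    # A 2 GB transfer from the CFO's laptop to a country it has never talked to.
    print(assess_flow(profiles, "cfo-laptop", "CN", 2_000_000_000))
    print(should_hold_transfer(profiles, "cfo-laptop", "CN", 2_000_000_000))
    # The build server shipping 5 GB to DE is routine and is not held.
    print(should_hold_transfer(profiles, "build-server", "DE", 5_000_000_000))
```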
Ransomware
Ransomware refers to computer malware that prevents users from accessing their files until they pay a ransom to the criminal or criminal enterprise behind the ransomware. Ransomware attacks grew significantly in 2016, both in the number of attacks and in the variety of targets infected (including businesses of varying sizes across verticals, hospitals, government agencies, and individuals), and will likely close out 2016 having caused about a billion dollars of damage. Sadly, as bad as the ransomware epidemic has been until now, for a variety of reasons it is likely to grow much worse in upcoming years: any time criminals find an attack mechanism to be extremely profitable, they invest in capabilities to perpetrate similar attacks in the future. As such, attackers continue to improve the stealthiness of their ransomware attacks, borrowing the APT actors' approach of hiding malware within an organization for long periods of time until it can find the most valuable systems and target those. The Internet of Things (discussed below), ransomware for mobile devices, and the advance of data-stealing ransomware, as opposed to earlier strains that simply encrypted files, are also likely to aggravate the situation.
Internet of Things Risks
The Internet of Things (IoT) refers to the plethora of smart, non-computer devices that are now connected to the Internet. With the mass proliferation of such devices, and with the embedding of computer systems within cars, factory equipment, appliances, and all sorts of other machines – the need for cybersecurity has expanded from just computers and related equipment to a large percentage of all electrical devices. Yet, many – if not most – IoT devices are poorly protected to begin with, and many businesses deploying IoT-enabled equipment do not realize that such devices are hackable, thereby creating the right mix for cyber-disasters. It is not hard to imagine messages appearing to the tune of “Pay me or I’ll make every item your factory produces have a dangerous defect,” “pay me or I’ll turn off the heat in your office on the coldest days of the winter,” or even “pay me or I will cause your trucks to crash.” IoT also creates opportunities for APT actors – establishing new attack vectors as well as systems that can be compromised in order to inflict severe damage to an enterprise’s operations. Make sure that your organization has a plan for dealing with IoT devices – and make sure that nobody can attach such devices to your internal networks without the Information Security team’s approval. Remember, malware that infects computers on a network can also propagate to IoT devices and their control systems.
People Risks
Insider risks continue to grow. Obviously, rogue insiders – disgruntled employees or other folks intent on harming an organization – pose a major threat that must be addressed with proper policies and enforcement of those policies; you must ensure that people do not have access to information and system resources that they do not need in order to do their jobs, and that there is auditability and accountability for the actions people take. But one danger that continues to grow and often remains relatively unaddressed is that of human error causing serious security incidents. Employees oversharing information on social media, for example, has helped criminals craft highly effective spear-phishing emails, which in turn have helped criminals breach organizations and cause all sorts of problems. Human vulnerabilities are often exploited as the first step in an APT attack, meaning that dealing with human error is a critical element in protecting against the worst cyber-attacks. So make sure that you both educate your employees and deploy technology to reduce human errors; when it comes to cybersecurity, an ounce of prevention can be worth tons of cure.