Last year saw multiple high profile cyber-attacks across the globe, with no industry or sector safe from attack. Cyber-attacks even penetrated the highest levels of government, with hacked information being used in attempts to influence public opinion in the US election. However, such high profile breaches remain just the tip of the iceberg, and all organisations are at risk from growing and evolving cyber threats in 2017.
Few, if any, of the ‘old’ attacks are likely to go away, but at least businesses are gradually waking up to the need to defend against them and starting to put suitable systems and processes in place to mitigate the risks faced. However, 2017 is expected to see a number of threats dominate the headlines and IT professionals must work with senior executives to ensure the necessary steps are taken to manage such risks more effectively.
Top threats this year are likely to include continued nation state cyber espionage against a wide array of organisations, and evolving and increasingly sophisticated ransomware and cyber extortion attacks. Furthermore, as organisations continue to leverage evolving technologies, including the cloud and Internet of Things (IoT), and in parallel shore up perimeter defences to raise the bar of network security, criminals will increase their focus on the human element as an entry point. Advanced social engineering tactics will become more targeted, cunning, and more effective, exploiting the weakest link – the end user – that organisations always find challenging to safeguard.
(Ab)using the IoT
At the same time as organisations are still seeking to deal with these known, but still challenging cyber threats, new high profile attack vectors will emerge, including a rise in data integrity attacks and an increase in attacks harnessing IoT devices.
Specifically, in relation to new attacks in 2017, we expect to see:
- Criminals increasingly harnessing IoT devices as botnets to attack infrastructure: once devices are compromised and harnessed, they will be used as launching points for malware propagation, spam, Distributed Denial of Service (DDoS) attacks and the anonymising of malicious activities.
- A rise in data integrity attacks: sabotage or corruption of data as the next big threat will gain prominence in 2017, with criminal elements seeking to gain financial advantage by deliberately amending data or to sow confusion and doubt over the accuracy and reliability of information, impairing decision-making across the private and public sectors.
Alongside this changing threat environment, organisations will also face an increase in regulatory pressure, in particular organisations in the financial services, technology and telecommunications sectors and those that form part of the critical national infrastructure. This increased pressure from authorities worldwide will accelerate the development of in-house 'red teaming' capabilities in 2017. This process, which aims to intelligently test an organisation’s security, is rapidly being recognised as a global ‘gold standard’ and will be accompanied by a drive to recruit, train or retain top cyber talent as organisations place a higher premium on effective cyber protection and detection. This push will likely occur first in financial hubs such as the UK, US, Hong Kong and Singapore.
An increased focus on pre-Merger & Acquisition cyber due diligence is also expected in 2017, with investors and the legal and financial services industries in general learning from high profile transactions that were disrupted or derailed in 2016 following the exposure of cyber vulnerabilities. However, the level of assurance that cyber due diligence can provide is expected to continue to pose challenges for investors’ and lawyers’ understanding of cyber threats and risks.
Given the changes in the cyber threat landscape and the greater risk facing organisations, as data becomes ever more crucial to all aspects of organisations’ business processes, global commerce, news and even elections, there are a number of practical steps organisations can take to more effectively manage the risk of successful attacks. Many government organisations have produced ‘best practice’ and guidance documents for managing cyber risk: in the UK, such sources include the National Cyber Security Centre (NCSC), whose vision is “to help make the UK the safest place to live and do business online”. All organisations should ensure they are following guidance such as the ‘10 Steps to Cyber Security’ and ‘Cyber Essentials’ available from the NCSC website.
In addition, the following measures, designed to reduce the risk of falling victim to cyber thieves, are particularly relevant to retailers and those with e-commerce operations:
- Implement two-factor authentication on all publicly accessible portals. If you don’t have this configured on Citrix portals or any vendor portal that allows access to your network, consider implementing this.
- Limit outbound access wherever possible. Specifically, don’t open up ports 80, 443 and 53 outbound unless there is a business reason to do so. If you do need to, create a whitelist of permitted destination hosts rather than allowing a given port to reach all IP addresses.
- Apply extra scrutiny to servers that have propagation routes and access to point-of-sale machines, e-commerce web servers and databases. For example, this could include file integrity monitoring servers, antivirus servers, update servers (e.g. WSUS), digital video recording (DVR) servers, domain controllers and remote access jump servers, among others.
- Perform spot checks on point-of-sale systems that can store plaintext cardholder data in memory (RAM). If there is a system that has more than a single point-of-sale application processing track data in RAM, then it should be investigated as the second application processing track data could be malware.
- Be aware of the current threat landscape in the UK. Updates from the police via Actionfraud and the NCSC are a good place to start.
- Conduct regular threat-hunting exercises so attackers can be discovered before they are able to exfiltrate data.
- If you have an e-commerce environment, monitor the website access logs to spot SQL injection (at least search the logs for the names of 10 common SQL injection tools) and devise a strategy to look for web shell (web backdoor) traffic. Also review the 'Checkout' page code periodically to ensure that it has not been modified to send a copy of cardholder data to attackers.
- If you are using a tokenisation solution, ensure that the server that is running the tokenisation software has adequate controls and monitoring in place as that server may have plain text cardholder data in RAM that can be targeted.
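A simple form of the access-log check recommended above, written as an added example rather than anything from the article or from Stroz Friedberg: it parses combined-format web server log lines, flags requests whose User-Agent names a SQL injection tool, and flags decoded query strings containing common injection fragments. The tool names, the injection patterns and the log lines are all illustrative, constructed values; a real deployment would extend the lists and feed in live logs.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative tool names to look for in the User-Agent header (extend with your own list).
TOOL_NAMES = ("sqlmap", "havij", "jsql", "sqlninja", "bsqlbf")

# Illustrative injection fragments to look for in the URL-decoded path and query string.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"union\s+(all\s+)?select",
    r"'\s*or\s+'?\d+'?\s*=\s*'?\d+",
    r"(sleep|benchmark|pg_sleep)\s*\(",
    r"information_schema",
    r"--\s*$|/\*.*\*/",
)]

def parse_line(line):
    """Split one combined-format log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def check_entry(entry):
    """Return the list of reasons this request looks like SQL injection activity (empty if clean)."""
    reasons = []
    ua = entry["ua"].lower()
    reasons += [f"tool user-agent: {name}" for name in TOOL_NAMES if name in ua]
    decoded = unquote_plus(entry["path"])  # attackers URL-encode payloads; decode before matching
    reasons += [f"sqli pattern: {pat.pattern}" for pat in SQLI_PATTERNS if pat.search(decoded)]
    return reasons

def scan_log(lines):
    """Return (source ip, decoded path, reasons) for every suspicious request, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and (reasons := check_entry(entry)):
            hits.append((entry["ip"], unquote_plus(entry["path"]), reasons))
    return hits

# Constructed sample log lines (not real traffic); addresses are from the documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2017:12:00:01 +0000] "GET /product.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Jan/2017:12:00:02 +0000] "GET /product.php?id=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '203.0.113.12 - - [10/Jan/2017:12:00:03 +0000] "GET /search.php?q=shoes%27+or+%271%27%3D%271 HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [10/Jan/2017:12:00:04 +0000] "POST /checkout.php HTTP/1.1" 302 0 "https://shop.example/cart" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```

Pattern matching of this kind catches the noisy, automated end of the problem; pair it with alerting on unusual status-code spikes and with the periodic review of the checkout page code the list above calls for.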
Simon Viney, director, Cyber Resilience practice, Stroz Friedberg