The die is cast as far as cybercrime is concerned. The coming year will see more attacks and more manipulations and, naturally, more breaches that result in losses of data, money, reputation and who knows what else.
We will also see more people and companies confused as to why they were hit (those that know they have been hit), when everyone thought they were using the right protection.
Hi-Tech Security Solutions spoke with David Emm, principal security researcher, Kaspersky Lab, about the coming year in the cybersecurity world. He believes that one of the key areas of cyber-weakness companies will have to deal with is the human factor.
Whether attacks are targeted or random in nature, getting a foot in the door via an unsuspecting or careless employee is one of the main tactics for cyber criminals. By using one or more forms of social engineering, people wanting to gain access to company data and networks are expert at tricking people into divulging information, or clicking on phishing links which result in infected computers.
Emm says that while people are definitely a company’s weakest cybersecurity link, they can also be the strongest link. Companies that develop a security culture in which employees are educated and aware of the dangers and tactics employed by would-be hackers will find their staff becoming a strong weapon in preventing many intrusions and breaches.
The attacks we are going to see more of are sophisticated, targeted attacks making use of the latest the cyber-world can deliver – such as zero-day vulnerabilities. These are the most dangerous as most companies have little defence against them. However, these types of attacks will be limited as there is quite a competition going on between ‘black hats’ looking to discover and then sell or use these vulnerabilities for profit, and ‘white hats’ that discover these exploits and take the responsible route in informing the relevant companies before making it public.
The primary attacks will, however, still be made via more ‘normal’ methods, such as advanced persistent attacks (APTs), hacking and the enormous number of malware applications out there. While larger companies generally have the ability to handle these attacks, the small- and medium-sized businesses don’t have the expertise.
Emm suggests that while your traditional antivirus solutions are not able to handle all the attacks thrown at people and companies today, they are still crucial in the overall defensive strategy against cybercrime as they can handle many of the ‘normal’ attacks. Companies then need to add more sophisticated tools such as behavioural analysis, sandboxing and heuristics to their arsenal for more advanced threats.
This is the first step in a three-step process to protect your assets in the digital age. Emm adds that the second is to back up your data to ensure that if a zero-day or some other attack (like ransomware) succeeds, you are not left helpless. (And backing up your data is generally considered best practice in any case.)
The third step is patching. Many successful attacks are carried out using vulnerabilities that were previously discovered and fixed, but the targets had not patched their systems.
Beyond your infrastructure
Sadly, it’s not enough to simply patch your infrastructure anymore. It has become common practice to see attackers targeting a company’s supply chain as an easier way to compromise the business. If an attacker can’t get into your systems, there’s a good chance one of the companies in your supply chain will not have the same level of protection. The attacker will then compromise this business in the hopes of using it to find a way into yours.
Emm says we’re also seeing an increase in profiling where, in order to avoid wasting money, attackers use ‘off-the-shelf’ malware to launch many attacks. When some of those succeed, they them focus on the victims to find the ones they believe will be profitable and they pay special attention to them using more sophisticated methods.
And it’s worth noting that ‘false flags’ are also being used more regularly. A false flag is when the attackers leave clues that indicate their malware was created by someone else to keep themselves off the radar when it comes to reprisals.
A perfect example was seen at the PyeongChang Winter Olympic Games in South Korea where unknown hackers attacked the Organising Committee’s servers. Among the fallout was that many people couldn’t attend the ceremonies as they were unable to print out their tickets. Fingers were pointed at North Korea, Russia, Iran and China, but it appears that the evidence was planted to throw investigators off the track – and we still don’t know who the real attacker was.
Wireless connectivity has become the norm in almost every location around the world, whether it is via Wi-Fi or cellular connections, or more advanced types of wireless networking designed for long-haul or high-bandwidth data communications. And while wireless communications is common, many people still think it is a less secure medium than traditional wired networking. Emm says this is not necessarily the case.
Working securely is not about locking down a location, he says, which is almost impossible given the plethora of devices we use for communications these days. It is about making sure you can do your work wherever you are, but being able to do it securely. Again, education plays an important factor in secure wireless computing and we need to ensure people are aware of the dangers.
For example, public Wi-Fi is not always secure, but making sure people use a VPN is a good start to protecting one’s data. Similarly, people should know what activities should be restricted to known networks; banking on a public network, for example, would not be advisable.
A matter of policy
On the topic of wireless communications, Hi-Tech Security Solutions reached out to Riaan Graham, sales director, sub-Saharan Africa at Ruckus Networks, to find out a little more about wireless security.
Expanding on Emm’s comments, Graham says security starts by looking at the policies you have in place for handling wireless communications, from BYOD (bring your own device) to current IoT (Internet of Things) devices making use of your infrastructure (of course, the policy does not exclude wired networks). This policy is not simply a document you have in case you need to prove that you had a plan, but it will dictate the level of security you build into your infrastructure, wireless or not. For this reason, he says it needs to be a well-researched and forward-looking document that incorporates all possibilities.
An important aspect of a wireless security policy, however, is to ensure that it is implemented correctly. This means not leaving your devices with the default state with the default passwords, as well as ensuring that encryption is activated. Even though there are those who claim to be able to bypass these protections, enabling them will reduce the threats you face significantly – and they are simple to implement.
Once again, he says education is key to teaching people how to be safe when communicating, both on a corporate and a personal level. He provides the case of a financial company that had taken the necessary steps from a technical perspective to secure their network, but then an employee brought in an USB drive with a music video on. The drive was infected with malware and subsequently infected the user’s computer and then spread.
Another option is to ‘ring-fence’ the most sensitive areas on the network, only allowing access to authorised people. However, even this can be a problem because companies are stuck in username/password authentication mode. Despite innumerable examples of how weak relying on a username and a password is, it is still the most widely used means to gain authentication to anything – be it bank accounts or personal data.
Certificate based authentication
The traditional alternative to username/password authentication would be to add another means of verifying you are who you claim to be – known as two-factor authentication – such as a one-time PIN or some third-party device. Biometrics has also been promoted as a more secure form of authentication, but it can prove expensive.
Graham says there is a new way of authentication – certificate-based authentication – that adds to the security of the user and the company’s digital assets. This allows companies to issue a certificate to authenticated devices (once you have authenticated yourself), allowing them easy access to the network in future. Based on the company security policy, a certificate (or licence) is granted to authenticated devices to access to the network, or specific areas or data therein.
In other words, the certificate determines what you may or may not do. If you try to log in with an uncertified device, you are denied access or restricted as to what you may do. This is especially useful for people who move around. Even if you are in a different branch, your certificate (or licence) will still provide you access to IT resources because it has been certified.
Different vendors are looking at this type of authentication and it is likely to become more common in future. For example, Ruckus has an on-boarding process in which the user is asked a number of questions the first time they log in from a device. Depending on the security policy, once the user is authenticated, their device is ‘licensed’ to access the network and they can go ahead.
This does not replace your traditional security measures however. Graham agrees with Emm that even the traditional antivirus solutions are still required – and they need to be kept up to date along with other software as a starting point to a good security posture. Just as a building starts off with foundations and eventually ends up with all the ‘cool stuff’, your security posture must start with foundations upon which you build a user friendly, accessible and distributed solution, with security built into everything.
|Tel:||+27 11 543 5800|
|Fax:||+27 11 787 8052|
|Articles:||More information and articles about Technews Publishing|
© Technews Publishing (Pty) Ltd | All Rights Reserved