printer friendly version

The worst of times

We live in a connected world where almost everything we touch can be connected to the Internet and as such, almost everything is now a cyber threat. In the additional online articles for this publication, one commenter explains that very soon our world will be one where just as everything you plug into the electricity grid is powered (let’s exclude Eskom for now), every technical gadget will automatically ‘plug into’ the Internet grid and be connected.

The benefits we have obtained from this connectivity are astounding when compared to the world in 1991, but the risks are just as astounding as crime in this online world really is a pandemic that can reach anyone, anywhere. A recent webinar hosted by Emmanuel Tzingakis and Zaheer Ebrahim from Trend Micro, highlighted the cyber threats companies and individuals face today, as highlighted in the company’s 2021 Mid-Year Security Roundup report ^[1].

Apart from the increased scams we have seen as a result of Covid, plus the usual financial scams like unknown lottery wins and Nigerian princes with millions to put in our bank accounts, malware attacks have evolved to a new level. Ransomware, for example, used to be focused on getting someone to click on a link in an email or inserting a USB drive they picked up somewhere, but today they are using more sophisticated techniques to get into corporate servers.

Zero-day threats are a favourite method of getting into someone’s PC or laptop and from there the criminals move laterally and upwards until they gain access to the data companies consider valuable. A zero-day threat is “a threat that exploits an unknown computer security vulnerability. The term is derived from the age of the exploit, which takes place before or on the first (or ‘zeroth’) day of a developer’s awareness of the exploit or bug. This means that there is no known security fix because developers are oblivious to the vulnerability or threat.” ^[2] This leads to corporate espionage, or more commonly ransomware.

In a recent online seminar sponsored by Hyland, Dave Kennedy, the founder and CEO of TrustedSec noted that another major issue to consider is the time criminals have inside your network. Research has shown that once inside it can take months for them to be discovered unless they launch an attack and expose themselves in that manner. It is far better to catch them at ‘first breach’ before they can cause damage.

Of course, Both Trend Micro and Kennedy add, the fact that many companies have backups that can be restored if their systems are encrypted does not sit well with criminals and today they have upped their game by also stealing the data and threatening to release it if the ransom is not paid. Chances are they will sell it afterwards anyway, but it’s good leverage.

Very profitable crime

Kennedy spoke specifically about ransomware and its proliferation, echoing the comments above. The ransomware gangs are very advanced and even when one shuts down because things may be getting too hot for them, they simply restart under another banner and carry on as before.

Ransomware-as-a-Service is also a fast-growing market and it allows people without the skills to create this type of malware to simply make use of a cloud service to commit their crimes, paying a percentage of their loot to the service providers.

Frighteningly, Kennedy noted that he believes ransomware gangs will, within the next three years or so, have the same technical capacity as nation states because of the almost endless funds they are able to steal and invest in their technology. And sadly, because of the difficulty enterprises have in responding to these threats.

Steal from home

The pandemic has also seen far more people working from home or other remote places, as well as a dramatic rise in the use of cloud services to support remote workers. This has put a renewed emphasis on cloud vulnerabilities, including against the large cloud service providers. Many companies use containers, or templates to deploy their cloud applications and services and these are yet another target and must be protected and regularly updated.

Even VPNs (virtual private networks) are being targeted. A VPN is supposed to secure the users’ communications with the server (a company’s server in this instance), but as a new attack target, more vulnerabilities are being discovered, allowing savvy criminals right into the servers IT wants to secure.

While other attack vectors are blooming (especially when it comes to ransomware, but not exclusively to this particular malware), the Trend Micro report shows that bad links (or fake links taking you to phishing or other sites with malware) is in first place as an attack vector. Closely competing for the number one spot, emails are second place, with malicious files in third. (These files are infected with malicious applications or scripts and can easily be downloaded from a USB or from a cloud storage platform like OneDrive.)

In defence of South Africa

While we already know that the physical borders of South Africa are as secure as Eskom is reliable, what about the cyber borders of the country? Recent high-profile attacks on both the public and private sectors show that the news isn’t much better in the cyber world. Due to the lack of legislation forcing companies to report cyber breaches (until PoPIA was in force), the real situation is probably worse than many are led to believe.

As an example, Trend Micro reports that about 1,7% of global ransomware attacks targeted Africa in the first half of 2021, with South Africa making up 1,05% of those. The country’s poor defences make it a major target and a testing ground for malware developers.

There are also many threats being rolled out against the industrial sector, both locally and globally. As the Industrial Internet of Things (IIoT) connects more factories and plants to the Internet, we are seeing increasing attacks aimed at sabotaging industry for ransom, espionage or political motives. Defending these environments can be difficult as many rely on legacy equipment, often integrated with more modern technology, and updating these is a complex process as nobody wants to shut down their entire factory to run updates and then start up again.

Being cyber resilient

As Kennedy noted in the Hyland event, cybersecurity is not a ‘castle and moat’ design. With cloud and BYOD (bring your own device), exacerbated by people using their own private devices for work nowadays, it’s more like an open city with patrols roaming through it. This is resulting in a shift in the attitude of organisations, with hardening their cyber ‘city’ becoming a priority. However, with the supply chain becoming a major vulnerability, the city’s vulnerable landscape is growing and incorporating numerous other cities and villages that may not be as cyber-aware.

While there are many solutions available for cybersecurity, being cyber resilient is not a matter of technology alone. Instead of point solutions targeting specific threats, Trend Micro advises Extended Detection and Response (XDR) solutions that bridge standalone products and provide better contextual information on the holistic cyber landscape of the organisation.

The reason technology is not enough is that ransomware gangs, for example, have built tools to get around local antivirus suites and other defence tools, some of these tools are openly available on the Internet for those who know where to look, added Kennedy.

Therefore, the key to cyber resilience is, as always, people, processes and technology. When it comes to processes, Trend Micro says companies need to ensure they have all their ducks in a row when it comes to cyber threats. Just as a company would have fire marshals to guide staff in the event of a fire, it needs to have people at every level who know exactly what to do in a cyber emergency.

And although it is becoming a buzzword in 2021, a zero-trust approach to network, application and general access is a must today. Anything suspicious must be flagged and systems must be in place to ensure people are who they claim to be – especially with more people logging in remotely.

Additionally, the ‘small things’ should not be neglected either says Trend Micro. For example, the basic principle of having a complex password that can’t be guessed easily is a critical help to cyber resilience – even though it seems rather simple.

For Kennedy, the MITRE ATT&CK; Model is a good starting point to understand the threats one faces and what attackers do so that you can stop them before it’s too late (stopping them at ‘first breach’). If you have clear visibility over your cyber estate, you are in a better position to detect and defend.

There are many resources on https://attack.mitre.org to assist in developing your cyber defence strategy. In addition, Check Point Software has a guide to the latest from MITRE, noting “This year’s MITRE ATT&CK; Evaluations round is the most comprehensive to date, with the largest number of participating vendors. Better understanding the Evaluations’ results will help you choose the optimal solution to defend your organisation against real-life cyberattacks and threat groups.”

The guide is available from Check Point at www.securitysa.com/*mitre20 (redirects to https://pages.checkpoint.com/nrt-mitre-ultimate-guide.html).

And when it comes to people. Training people to be cyber-aware and instilling a sense of responsibility for their own cybersecurity will also pay dividends. This is more than telling them not to click on suspicious links, says Trend Micro, it includes business and personal assistance too (perhaps social media insights, such as what not to post etc.). Most importantly, training should be refreshed at regular intervals to incorporate any new or unexpected threats – or simply as a reminder about good cyber hygiene.

Ending on a lighter, but no less serious note, the Trend Micro presenters offered the cybersecurity equivalent of the four Ds of physical security (Deter, Deny, Delay and Detect), with the three Ds of cyber resilience: Detect, Defend and Deal with it.

Multifactor authentication matters

29% more South Africans attacked with password stealers in 2021.

Cybercriminals are constantly coming up with new methods for online fraud and there has been an increase in such activity in recent months. Kaspersky experts noticed increased activity from fraudsters stealing passwords by using special malware called Trojan-PSW. These are stealers capable of gathering login and other account information, including any personal data from gaming websites and streaming accounts, for example, to online banking.

Kaspersky experts analysed data on the number of attempts to infect and the targets. According to the research, the dynamics for South Africa are worrisome: during January to September 2021 there were 29% more users attacked than in the same period of 2020.

There is also a global growth in the number of attacked users during this time. For example, there were approximately 160 000 more targets across the world in September than in April, an increase of 45%. In recent months, Kaspersky experts have also seen a sharp rise in the number of attempts to infect users: Q3 2021 (July to September) saw an increase of almost 30%.

“As statistics show, logins, passwords, payment details and other personal data continue to be an attractive target for cyber criminals and they remain a popular commodity on the dark market. For this reason, we encourage Internet users to take extra steps to protect their accounts. For example, by using multifactor authentication methods,” comments Denis Parinov, security expert at Kaspersky.

The cost of partnerships

Third-party incidents became the costliest enterprise data breaches in 2021.

The latest edition of Kaspersky’s annual IT Security Economics report (www.securitysa.com/*cyber1) reveals the growing severity of cybersecurity incidents affecting businesses through suppliers they share data with. The average financial impact of such an event for an enterprise reached $US 1,4 million in 2021 which makes it the costliest type of incident worldwide, while the same type of attack cost enterprises in META around US$ 915 000.

Attacks where global businesses are affected through their contractors have become a clear trend. Business data is typically distributed across multiple third parties including service providers, partners, suppliers and subsidiaries. As such, organisations need to consider not only the cybersecurity risks affecting their IT infrastructure, but also those that can come from outside.

According to the survey, more than a third (40%) of large organisations in META suffered attacks involving data shared with suppliers. This number hasn’t changed significantly since the 2020 report (when it was at 44%).

To minimise the risk of any attacks and data breaches for businesses, an effective endpoint protection with threat detection and response capabilities should be used. In addition, managed protection services will help organisations with their attack investigation and expert response.

^[1] www.securitysa.com/*trend3 (redirects to https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/attacks-from-all-angles-2021-midyear-security-roundup)

^[2] www.securitysa.com/*zero1 (redirects to https://www.techopedia.com/definition/27451/zero-day-threat)

Share this article:

Further reading: