2016 Cyber Security Special Report Published January 2017 Year In Review apvera.com Special Report Industry Insights


Copyright © 2017 Apvera

Contents

Introduction
2016 Trends
Year of Ransomware
2-faced Malware, Ghostware
Data Leaks
SWIFT Hack
Email Impersonation
Cyber Threats in Politics
IoT: A New Threat
Organizational Preparedness
2017 Keyword
Ransomware Decrease, Mobile Attack Increase
Increased Security Outlays, with Questionable ROI
APAC’s Rising Cyber Security Agenda
Conclusion


Introduction

With each year that passes, the cyber security landscape becomes increasingly complex and sophisticated. Technology is developing at an astonishing rate, and while in most instances this is considered a positive progression, when it comes to cybercrime and online security, it is only fueling the fire. Hackers are being forced to be more creative and daring with how they infiltrate even the seemingly most secure systems and networks.

Cyber criminals now come in many different and surprising forms. From individuals working alone through to highly organized, well-sponsored teams capable of breaching the most sophisticated cybersecurity systems, hackers have shown that they can access almost anything through the Internet. Mass-scale fraud from personal data, the discovery of corporate misdemeanors and some of the most compromising classified state secrets all featured heavily in the 2016 news agenda thanks to the prevalence of sophisticated cyber security attacks.

Another factor contributing to the diversification of cyber threats is that individuals and organizations are using more and more connected Internet of Things (IoT) technology on a daily basis. Remote digital, Internet-enabled devices such as wearables, gadgets, sensors and smartphones are creating new connections and consequently exposing new vulnerabilities.

In 2016, a small number of extremely large, high-profile online breaches were uncovered and revealed via the media – exposing the harsh realities of cybercrime to the general public. Overall there was a sharp increase in the number of attacks on organizations threatening loss of data, revenue and reputation. While many businesses have bolstered their systems and budgets to minimize these losses, far too many fell prey to well-known and easily prevented phishing and malware attacks. Mishandling of data and devices, along with failure to implement cyber security best practices or effective end user training, resulted in 60% of security incidents being attributed to insiders. During the year, outsider attacks also became more prevalent, with an unprecedented increase in the number of successful breaches, as hackers compromised systems with new and more sophisticated methods. While organizations continue to allocate more budget towards IT security initiatives, many continue to fall short and underestimate the potential dangers. With the proliferation of digital devices and resources accessible to hackers and employees, the industry will need to increase its efforts to prevent more devastating losses of revenue, reputation and services.


2016 Trends

Year of Ransomware

Ransomware attacks soared in 2016. Based on numbers from the first three quarters, there were four times as many ransomware attacks in 2016 as there were in 2015 (source: Beazley Breach Response Services). Interestingly, the ransoms requested are generally small, circa US$1,000, often remitted as infamous bitcoins. The report suggests that hackers now find it more lucrative to ransom multiple different data systems for a mere US$1,000 than to hijack the entire client financial records and sell them in bulk on the black market.

There were, however, other more substantial ransom demands. The Federal Bureau of Investigation (FBI) reported that across 2015, organizations paid out an estimated US$24M in ransom demands. Furthermore, in the first quarter of 2016, businesses paid out US$209M, suggesting that the total for the year could reach as high as US$1B.

The ransom itself is only a small portion of the loss to an organization. Interruption of data services can impact a firm’s ability to operate and cause serious reputational damage among their customers. In industries such as healthcare, transportation, law enforcement, utilities, government and finance, cyber security is a serious business. Through simple negligence, organizations can go bankrupt from a breach. Individuals, who are now intrinsically connected via Internet of Things (IoT) systems, are a growing concern, as they are more frequently being targeted and their identities stolen.


[Figure: Overall Ransomware Infections by Month from January 2015 to April 2016]


2-faced Malware, Ghostware

At the close of 2015, Ghostware attacks were expected to become more widespread. During 2016, Ghostware attacks were less frequent, but their impact was more prominent and damaging. The Democratic National Committee hack went completely undetected until sensitive political documents were publicly released. Many analysts anticipate more of these types of attacks, and that in 2017, they will become commonplace.

Data Leaks

Malicious activity from insiders became more difficult to control and prevent during 2016. In May, the U.S. Department of Health and Human Services Office for Civil Rights reported that the top five breaches since the beginning of the year were down to insiders. The most damaging breaches included theft, and data loss exposures due to improper use of email security procedures.

Insiders will undoubtedly remain the greater and more difficult threat to protect against, given that they have privileged access to data to perform their duties. However, organizations must improve awareness, monitoring and training to prevent accidental losses, and thwart malicious insider breaches.

SWIFT Hack

In 2016, hackers exploiting SWIFT, the global bank messaging system, executed one of the most successful heists in history. Using legitimate credentials of the Bangladesh Central Bank, they successfully requested the Federal Reserve Bank in New York to transfer US$81M to individual accounts throughout Asia.

SWIFT itself was not compromised; rather, Bangladesh Central Bank’s systems were. The bank reportedly did not have a firewall in place, providing easy access for hackers. In addition to highlighting the importance of firewalls to financial institutions and other businesses, this breach demonstrated the need for ongoing human monitoring of systems due to the critical role that insiders played in validating the transactions.


The Bangladesh Central Bank attack was one of the few to make global news headlines. For both security purposes and preservation of reputation, most attacks go unreported and unpublished, which leads to the presumption that cyber security preparedness is not critical to business success. However, the problem remains so widespread that SWIFT publicly released an advisory bulletin in September 2016 stating that a number of attacks had successfully taken place, and that more were inevitable.

Email Impersonation

In June 2016, the FBI issued a bulletin reporting a 1300% increase in email impersonation schemes in the US since January 2015. Over 14,000 cases, at a cost of US$960M, were reported between October 2013 and May of 2016. Outside of the U.S., just 1600 cases, totaling losses of approximately US$93M, were reported. As with the majority of security breaches, a large proportion of online impersonation cases go unreported for fear of damaging a firm’s reputation. Others go completely undiscovered and therefore unreported, so these figures are likely to be much lower than the reality.

As protective technology is constantly evolving and becoming more sophisticated, scammers have diversified from just targeting individuals and are now hitting small and medium-sized enterprises more frequently through these attack vectors. Traditionally, email phishing was the primary method used to fraudulently transfer funds or customer and corporate data to another source; however, today scammers are increasingly using creative methods to steal proprietary information. By leveraging information available on company websites, social media profiles and industry news sites, scammers can impersonate suppliers, clients, government authorities, courts or any other party to encourage unsuspecting individuals to reveal their personal or financial information.


[Figure: ... by Which Ransomware Entered the Organization. Categories: Email Link; Email Attachment; A Web site or Web application other than email or social media; Social Media; USB Stick. Percentages shown (in extraction order): 31%, 24%, 28%, 4%, 3%]


Cyber Threats in Politics

The FBI, Central Intelligence Agency (CIA) and other global agencies blamed Russia for interfering in the 2016 U.S. presidential elections. The intelligence community alleged that from Q2 of 2015 the FSB – Russia’s foreign intelligence agency – sent emails containing malicious code to over 1,000 recipients in government offices. To date, the largest impact of this phishing scheme, used to gain access to untold government systems, is the theft of emails and other data contained in the Democratic National Committee systems. The committee was allegedly infiltrated in Q1 of 2016 by Russia’s military intelligence agency, the GRU.

Public leaking of information, stolen in both initiatives, has led many to believe that Russia intended to undermine the presidential campaign of Hillary Clinton, thus implying support for Donald Trump. The hack resulted in the public release of the Democratic candidate’s personal emails, which demonstrated less tact than would be expected of a national figure and her staff. Additionally, many of the messages were not always consistent with publicly presented agendas, which led to a lack of public trust in the campaign. In retaliation, the Democratic President at the time, Barack Obama, expelled 35 Russian diplomats and warned of further sanctions and cyber-attacks against Russia if anything of this nature happened again to the US Government.

This episode was a prime example of just how effective a relatively unsophisticated phishing campaign can be. From seemingly benign internal communications, a simple cyber breach caused enormous global impact against someone who many might assume would be better prepared and protected.

IoT: A New Threat

In October 2016, a cyber-attack took down many of the world’s largest sites including Facebook, Netflix, Twitter and many others. The distributed denial of service (DDoS) attack likely exploited a new attack vector: the Internet of Things (IoT). Specifically, in this case, personal DVRs and webcams were compromised.

With IoT technology set to grow exponentially in 2017, the security community will need to devise a strategy to protect individuals and their families against compromises to everyday items such as refrigerators, automobiles, ovens and home automation devices. Today more home devices have assigned IP addresses and are fully connected to the internet, so it is likely that hackers will soon start gaining access to them.


Organizational Preparedness

While cyber security and online fraud frequently feature in news headlines, most organizations are inadequately prepared or protected. A Harris poll of over 500 small businesses conducted for Nationwide Insurance highlighted that 78% of small businesses had no response plan in place for a cyber-attack, even though over half had been victim to one in the past. Of these businesses, two thirds said that it took them over a month to recover from an attack. Of those who had not experienced an attack, 57% believed they could recover within a month. This disconnect seems profound.

Large operations do not fare much better. The National Association of Corporate Directors (NACD) surveyed 600 of its members in 2016 and found that only one fifth of board members had a high-level understanding of cyber-security. While this was an improvement on the previous year, where just 11% of the Directors surveyed claimed to have a deep knowledge of the associated issues, it is now considered unacceptable that so many senior company members have such limited knowledge of an area that could be extremely costly to an organization, both from a reputational and financial standpoint. 59% of respondents reported that they found overseeing cyber risk difficult, demonstrating the need for organizations to on-board a robust and easy-to-understand system for detecting and dealing with threats in a timely fashion.


[Figure: The Number of Users Encountering Mobile Ransomware in the Period April 2014 to March 2016]


The Yahoo breach, announced in December, where data from 1B users was stolen, shows just how ill-prepared even large technology companies can be. Gartner states that companies are continuing to spend more on cyber security; they predicted US$81B would be directed towards IT security initiatives in 2016, an increase of nearly 8% on the preceding year. An 8% increase over one year pales into insignificance when you consider the projected spending in 2020 is expected to reach US$170B.

The progressive use of machine learning and artificial intelligence (AI) shows enormous potential in thwarting future attacks. We now have the ability to analyse huge databases of information (“data lakes”) and monitor user behaviours, leveraging AI technology to quickly deliver more sophisticated and accurate forensic and preventative action. These technologies have significantly reduced vulnerabilities for many organizations and are expected to become increasingly effective and ubiquitous in 2017.

However, the success of fairly unsophisticated phishing attacks, loss of personal devices, failure to change and use complex passwords, along with other negligent user behaviour, ensures human error still accounts for a high level of online security issues.


2017 Keyword

Ransomware Decrease, Mobile Attack Increase

Gartner warns that mobile attacks will increase in the near future, and that enterprise operations are severely lagging in preventative action. Even with the widely acknowledged rise in attacks such as Pegasus and XcodeGhost and notorious vulnerabilities like Stagefright and Heartbleed, Gartner predicts that it will take until 2019 for as few as a quarter of enterprise firms to put into place Mobile Threat Defenses (MTD). That leaves an astonishing three quarters of large, international enterprises with no MTD plan for the foreseeable future.

Somewhat controversially, Malwarebytes projects that during 2017, businesses will likely see a drop in Ransomware attacks due to increased awareness and deployment of software security solutions, whilst individuals will become more frequent targets of these attacks.

Increased Security Outlays, with Questionable ROI

In the SANS IT Security Spending Study of 2016, 36% of respondents felt that their security expenditures were ineffective. A possible cause for this may be that only 23% of them reported that IT security expenditures were earmarked or separated from the IT budget as a whole, making cost vs. return analysis difficult. Further compounding the question of effectiveness, a mere 22% of those surveyed benchmarked results of security initiatives.


[Figure: Adjusting Security Plans in 2017 for Cyber Attack Victims. 52%: No Changes Planned; 31%: Making Changes to Their Security Plan]


APAC’s Rising Cyber Security Agenda

As a result of the growth in business digitalization in the region (which is outpacing other areas), Market Report Hubs expects APAC to record the largest increase in security solutions expenditures during 2017.

Continued Ransomware attacks and a possible increase in breaches of Industrial Control Systems (ICS) are two of the primary concerns for many security experts for the upcoming year. Thieves and professional criminals may exploit ICSs to compromise security doors and gain access to facilities, and competitors can be expected to turn off HVAC systems in data rooms to overheat systems, or on production lines where work-in-progress may be damaged.

With substantial increases in IT security budgets projected, board members and senior management will be expected to put cyber security high on their agenda, and deliver recognisable results via more detailed tracking and reporting of IT security initiatives.


Conclusion

Given the turbulent and delicate political and financial climate, it perhaps wasn’t surprising that 2016 saw so many serious data breaches and major attacks. While financial gain is still a powerful motivator for cyber criminals, it’s by no means the only one, and last year’s attackers proved that they could be even more creative when causing havoc online. In 2016, governments and their personnel were major targets of cyber threats, causing drastic, and unexpected, changes to campaigns and legislation. This proved that no-one is safe from cybercrime and motives aren’t always fully understood – either way this trend is set to continue and so individual and organizational preparedness is imperative. Enterprise-targeted ransomware attacks are now mainstream and will continue to be a major threat in 2017. Conversely, even personal hacks, including phishing and malware attacks, are likely to increase in regularity and complexity as they leverage valuable data collected from an individual’s multitude of day-to-day digital touchpoints.

Digital identity management, the adoption of mobile payments, and the increase in IoT technology are all having a significant impact on enterprise security. Every new product that connects to the Internet, whether personal or company-owned, faces the full force of today’s threats. And as technology progresses it is vital that individuals are prepared against the speed and complexity of today’s attacks.

Unfortunately, this year’s report highlighted that even though investment is being placed in the IT systems of organizations, senior team members are still not making adequate provisions around cyber security and insider threats. Awareness is essential to security planning, and understanding the threat landscape requires both technology and policy change. Greater transparency, well-informed discussions about security, ongoing innovation, and perhaps most importantly, preparation, will help mitigate against the myriad of risks going forward.


References

[1] Verizon 2016 Data Breach Investigations Report
[2] Market Report Hubs: Cyber Security Market by Solutions
[3] FBI Alert Number 1-061416-PSA
[4] Huffington Post: FBI Analysis Fingers Russian Spy Agencies for U.S. Election Hacks
[5] Intel Security 2016 Data Protection Benchmark Study
[6] Malwarebytes: Security in 2017
[7] SANS IT Security Spending Study of 2016
