Embed Size (px)
Citation preview
SUMMARY
• The propagation of newer, more connected smart devices has led to a sudden rise in
cyberattacks.
• The relatively low awareness of this trend has meant that most corporations and
individuals are left vulnerable to sophisticated attacks.
• The increasing frequency and intricacy of attacks indicate resourceful attackers with
powerful backers. Evidence suggests a growing trend of state-sponsorship of online attacks.
• Large, multinational corporations also have significant incentives to launch online attacks
for either sabotage or espionage.
• Individuals, small and medium sized businesses are at the most risk.
• Emails are now the primary weapon in a escalating online arms race between regulators,
corporations, and attackers.
• New sophisticated forms of attack, like Man in the Middle, have appeared over the past few years.
• Private security providers, niche data protective platforms, and cyber security
software developers must step up to fill the gap and help safeguard individual and business
data privacy.
Digital attacks are now increasingly frequent and increasingly complex. A crippling cyber attack in Estonia in 20071 , Apple’s iCloud hack in 20122 , and the 2016 cyber attack on
Bangladesh’s central bank3 that resulted in a whopping US$951 million loss are all examples of the expanding scale of this problem.
INTRODUCTIONCyber attacks were, until recently, disregarded as science fiction. Popular depictions of young hackers in their basement have clouded the public’s perception of this very real and seriously dangerous threat. Exponential growth in the number of smart devices, the
relentless penetration of the internet, the growing sophistication of cyber attack tools, and the complacency of average users and businesses has pushed the threat of cyber attacks firmly into the realm of reality.
The issue seems to be compounded by three factors:1. States and economies are now more heavily reliant on digital technologies.2. States and multinational businesses may have perverse incentives to utilize cyber attacks for nefarious purposes. 3. There is a lack of a legal framework for cross-border and industrial cyber attacks.
The combination of these three factors has resulted in an escalating arms race in the digital space between states and companies in different parts of the world. The severity and frequency of attacks can be expected to grow over the coming decades. While a better international legal framework could help mitigate the damage, an international
consensus on this issue seems to be a long way off.
Study delves into the true scale of the problem and the factors influencing it in an attempt to suggest the most effective method of protection for individuals and companies.
The scale and sophistication of cyber attacks is currently experiencing runaway growth. A 2016 report by Symantec Corporation suggested that zero-day vulnerability doubled between 2013 and 2015, going from 23 to 544. That’s one vulnerability detected every week. Furthermore, the company believes large corporations have collectively lost half
a billion personal records so far and perhaps covered up a large extent of the damage caused by such cyber attacks.
The most worrying aspect of these increasingly frequent attacks is the rate of success attackers can expect. A recent survey suggested a majority of email phishing scams, the most common form of online attacks, were surprisingly effective.
Meanwhile, the British government’s Cyber Security Breaches Survey found that two-thirds of large British businesses were hit by a cyber breach in 2016. 70% of these attacks involved spyware, malware, and viruses with varying degrees of sophistication.
Opened
Clicked
Hours
61 21 80
0
25%
50%
1M
0,5M
Pe
rce
nt
Co
un
t
Figure 14.
Percent (of opened) clicked
THE GROWING FREQUENCY OF ATTACKS
STATE SPONSORSHIP
With the growing volume and efficiency of cyber attacks, it may be fair to assume these activities are fell funded. Speculation on the source of the funds usually leads experts to conclude states are responsible for a significant proportion of attacks.
The true extent of state involvement in these nefarious activities is debateable. International law does not yet extend to cyberspace. Even if there were attempts to
sign international treaties and clearly define sovereign responsibility for activities online, it would be difficult to enforce. States can easily fund and incite online attacks which are so quick and efficient that plausible deniability is not compromised8. In other words, holding states accountable for their actions is nearly impossible with current tools and the state of online security.
Five and a half million cybercrimes were reported in the United Kingdom each year, making it the most common form of criminal offence in the country5 . Similarly, the rate of cybercrime doubled in Germany in 2016, although authorities in the country suspect these crimes are underreported6.
In the United States, the rate of cybercrime that had an impact exceeding $20 million doubled in 2015, as compared to 2014. PWC reported that there were an estimated
117.339 attacks every single day around the world7. The growing instances of cybercrime are paralleled by the growth in their impact. Not only are these crimes getting more rampant, but they’re also much more expensive and their effects are deeper than ever before. Although there are numerous reasons for this drastic escalation in cyber crime across the world, one particular factor has had a bigger impact than any other - state sponsorship.
As the world’s second largest economy with the world’s second largest military budget, nuclear-powered China is a prime player in this arena of state-sponsored cyber attacks. When it was apparent that multinational South Korean conglomerate Lotte Group had swapped land with the Korean government in order to facilitate the THAAD deployment, a ‘patriotic attack group’ called “Denounce Lotte Group” attacked the Korean group11.
Another fact the Institute highlighted was the relative sophistication of state-sponsored attacks. Because of the immense resources at the disposal of governments, experts believe these cyber attacks are much more dangerous and concerning than armed attacks by Islamic (or other) terrorist groups. ISIS, for example, has clearly shown it’s able to influence users online through social media, but has not displayed any capacity for a sophisticated online hack.
Shackelford elaborates this with a historic example of a massive cyber attack on Estonia in 20079. He observed that there was no proof, but considerable speculation, about Russia’s involvement in this attack. However, even if the Eastern European country could provide irrefutable proof of Russia’s connection, the framework of international law would offer no remedy or course of action to deal with the situation. Perhaps the largest powers flexing their
muscles online are Russia and China. Both sovereign states have displayed exceptional online attack capabilities in the past. Russia’s attack on the World Anti-Doping Agency (WADA), known now as Fancy Bear, was a clear display of state-powered cyber attacks. Meanwhile, China expressed displeasure with the American Terminal High-Altitude Air Defense (THAAD) system in South Korea10 by attacking the system online.
NOW, CYBER ATTACKS HAVE THE POTENTIAL TO DISRUPT TRANSACTIONS, RUIN REPUTATIONS, STEAL INTELLECTUAL PROPERTY, AND CORRUPT THE INFORMATION SYSTEMS INFRASTRUCTURE OF MASSIVE ENTERPRISES.
Eva Andrijcic and Barry Horowitz from the US Department of Systems and Information Engineering found that cyber attacks that had lasting, long-term effects on the US economy were the most serious threat to corporate America over the past few decades. In particular, the loss of intellectual property (IP) due to cyber attacks had a measurably egregious impact on the country’s economic welfare.C-suite executives seem extremely worried about the growing rate of cybercrime and the increased risk to business data security.
In a survey by PWC 61% of respondents claimed they were concerned about the rise in these threats. Meanwhile, only 37% of organizations said they had a cyber incident response plan in place. There is an apparent gap between the level of threat CIOs and CEOs face and their investments in mitigating the risks. There is also a clear gap in perception. When asked if the rate of cyber crime had increased, only 53% their perception of these crimes had increased in the past. Meanwhile, 41% said it had remained the same and 5% said it had decreased.
CORPORATE ESPIONAGE
Governments, however, are not the only institutions that might have incentives to exploit this gap in international laws. Multinational corporation have the perfect mix of
resources, weak legal frameworks, and vested interests to launch a powerful cyber attack for very different purposes - defeating competition.
FIGURE 1. HAS YOUR UNDERSTANDING OF CYBER SECURITY RISKS INCREASED?
The state of cybersecurity at corporations is abysmal. One in six respondents to PWC’s survey said they had no idea if their organization had ever been a victim of cyber crime. Most organizations have either not implemented a cyber incident response plan, not fully analyzed the feasibility of such a plan, or not considered it at all. The worrying state of corporate cyber security leaves the entire economy open to damaging, large-scale data breaches. Corporate espionage rates have spiked with as a new source of funding becomes available - the state. According to former
US defense secretary Robert Gates12, most countries have some form of corporate espionage operation to steal trade secrets and intellectual property from innovative companies. According to him, China was a primary concern. China-sponsored strikes were targeted at US companies with valuable trade secrets, intellectual property for technical innovations, and formulas for drugs under development at pharmaceutical companies. China’s corporate espionage has the ability to dilute the most crucial aspect of the American economy - innovative ideas and proprietary information13.
46,5%53,5%
YES
NO
Source: Global Economic Crime Survey 2016
Email attachment
Web drive-by
Email link
Download by malware
Network propagation
Incident count
Figure 34.
10
10
39
61
63
Source: Verizon 2016 DBIR
For Chinese hackers, quantum computing designs and biotechnology were particularly attractive targets. According to an IP Commission Report, outright theft of IP costs the US between $225 to $600 billion every year14. A substantial drain on the economy. Similar cases are playing out across
the world as different countries with varying degrees of technical prowess battle over the most prized economic assets of the twenty-first century - data.This loss of critical data and value is not limited to corporations, but extends to individuals as well.
EMAIL AS A WEAPON With its ease of use and widespread prevalence, email has quickly become the weapon of choice for attackers.
90% of the digital world, by most estimates, relies on email for daily operations. Businesses, private individuals and even government agencies must use an email account to get access to most platforms.
This has made email the prime target in the cyber warfare arena. Emails are by far the most common tool for cyber attackers. Primarily driven by the relative rate of success with simple phishing scams, emails tend to be the preferred tool for even sophisticated attackers. A survey by Verizon found that 47% of crimeware was distributed by attackers as an email attachment, with links within emails coming in a close third.
The Insurance Journal15 recently found that a vast majority of online cyber attacks were still being conducted through fake emails and malicious links within them. Unsophisticated attackers often target employees within firms, tricking them into clicking on links and error messages and parting with sensitive login or company data.
The prevalence of these attacks underscores the importance of protecting email platforms.In 2014, British prime minister David Cameron launched an attempt to make user-facing encryption illegal in the United Kingdom16. The crusade against online data protection through encryption was a failure, but other states have since tried to do something similar.
It’s evident that now we’ve entered a new phase in cyber criminality. Online attacks are now more broadly targeted, much better funded, far more effective and irrefutably politically motivated. Although a sudden release of private information about political parties in different countries can only have a limited effect on the outcome, there is no doubt these attacks sabotage the public debate. This trend threatens the very foundation of modern democracies across the globe.
WHAT’S AT RISK? INDIVIDUALS AND CORPORATIONS
1. In a single quarter in 2016, more than 18 million malware samples were detected. Many of these were sophisticated enough to get past antivirus security17.
2. In 2016, ransomware attacks tripled. Kaspersky reported over 4,000 such attacks over the course of the year and actually recorded one attack every 40 seconds during September18.
3. Nearly 8 out of every 10 people understand the risks of clicking links within emails from unknown senders, yet they clicked a dubious link in a prototype email sent out at a Black Hat conference anyway19.
4. Nearly half the businesses that suffered a cyber attack last year said they were making no changes to their IT security infrastructure and would not expand the budget for security either20.
The risk to individuals and corporations from the growing threat of cyber attack cannot be overstated. Here are some stark statistics on the magnitude of this issue:
Individuals and SME businesses are likely to be the most vulnerable groups to cyber attacks.
The issue is resolved, somewhat, by the availability of better tools for consumers and private business owners. Secure HTTPS connections, end-to-end encryption and two-factor authentication have helped
mitigate the risk of straightforward cyber attacks on data and personal information. Nonetheless, attackers have kep up with increasingly sophisticated tools and techniques. A new form of attack that has the potential to penetrate TLS-encrypted internet data transmission is called the ‘Man in the Middle’ attack21.
ROLE OF PRIVATE SECURITY PROVIDERS Considering the mammoth scale of the problem and lack of international regulations within the sector, it is imperative for private security providers to work with individuals, businesses, and governments that respect the need for data protection.
Privat security providers can enhance the fight against cyber attacks by placing data centers in locations with better data protection laws (such as Switzerland). Furthermore, private
players can offer small and medium businesses access to sophisticated tools such as two-step verification, data encryption, and a cloud-based platform for securing cross-border transactions, communications, and intellectual property23.
MitM attacks involve intercepting the connection between client and server to inject fake commands and change keys. Some of the most popular web and mobile platforms (most of which are considered
relatively secure) are still vulnerable to this form of attack22. The most effective way for private citizens and businesses to protect themselves if to look for specialized solutions offered in the private-sector.
Although most people would revert to the most mainstream technology giant for their security needs, this is considerably risky strategy. Counterintuitively, large, well known tech companies remain more vulnerable to attack since attackers are more likely to focus on operating systems, mobile applications, and software packages with the widest user base. This is precisely why the recent Wanna Cry malware attack targeted Microsoft’s older Windows operating systems, why Whatsapp remains vulnerable to Man in the Middle attacks despite its deployment of end-to-end encryption, and why major companies like Apple, Adobe, Yahoo, and Facebook have been subject to frequent high-profile attacks in the past.
Niche service providers with specialized software may be able to offer better, more bespoke solutions. Organizations and individuals looking to protect their data can reach out to specialist security providers with custom platforms and highly secure forms of encryption and data protection. Private security service providers, of all sizes and specialties, are integral to the safety and security ofn online data and private information.
Private security providers can act as the catalyst that brings top-notch cyber security to the mainstream. A pressing need of the hour.
CONCLUSIONCyber attacks are an exponentially growing threat for individuals, businesses and sovereign states across the world. States and corporations are particularly likely to fund sophisticated online attacks considering the toothlessness of international regulations in cyberspace. Meanwhile, small businesses and private citizens bear the brunt of these attacks.
Individuals and corporations are woefully unprepared for most attacks. Private and sensitive data is often unencrypted, security protocols are not implemented and staff are
never trained to handle cyber breaches. Add to this the ubiquity of email and it’s easy to see why most attackers launch simple attacks in the form of email attachments and links. Email is now the weapon of choice in the cyber battle over private data.
The most effective solution for the issue is expansion of the capabilities and market for private cyber security products. At scale, these private security providers can plug the gap in demand for effective online protection across the world.
LINKS
1. https://www.theguardian.com/world/2007/may/17/topstories3.russia
2. http://www.bbc.com/news/technology-29237469
3. http://www.reuters.com/article/us-cyber-heist-philippines-idUSKCN0YA0CH
4. https://www.symantec.com/content/dam/symantec/docs/infographics/istr-zero-day-en.pdf\
5. http://www.telegraph.co.uk/news/2017/01/19/fraud-cyber-crime-now-countrys-common-offences/
6. http://www.reuters.com/article/us-germany-cybercrime-crime-idUSKBN17Z26S
7. http://www.wealthandfinance-intl.com/cybercrime-incidents-on-the-rise
8. http://heinonline.org/HOL/LandingPage?handle=hein.journals/geojintl42&div=35&id=&page=
9. https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=1195469
10. https://arstechnica.com/security/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/
11. https://arstechnica.com/security/2017/04/researchers-find-china-tried-infiltrating-companies-lobbying-trump-on-trade/
12. http://thediplomat.com/2014/05/robert-gates-most-countries-conduct-economic-espionage/
13. https://www.ft.com/content/8b07a73a-7679-11e5-a95a-27d368e1ddf7
14. http://ipcommission.org/report/IP_Commission_Report_Update_2017.pdf
15. http://www.insurancejournal.com/news/national/2015/04/14/364191.htm
16. http://www.businessinsider.in/David-Cameron-is-going-to-try-and-ban-encryption-in-Britain/articleshow/47896954.cms
17. http://www.pandasecurity.com/mediacenter/panda-security/18-million-new-malware-samples-in-the-second-quarter/
18. http://www.infoworld.com/article/3148747/security/ransomware-attacks-against-businesses-increased-threefold-in-2016.html
19. http://www.businessinsider.in/Even-this-expert-on-hackers-got-tricked-into-clicking-a-scam-email/articleshow/53625920.cms
20. https://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
21. https://jhalderm.com/pub/papers/interception-ndss17.pdf
22. https://www.theinquirer.net/inquirer/news/3002553/security-flaw-leaves-whatsapp-messages-susceptible-to-man-in-the-middle-at-
tacks
23. https://secureswissdata.com/two-factor-authentication-importance/
