Cybersecurity will always be a hot topic within the IT industry, and as a financial technology company, staying on top of cybersecurity and continuously evaluating the latest trends and hacking techniques is of utmost importance to us. I recently attended the 8th IRISSCERT Cyber Crime Conference in Dublin, which provided an overview of the current cyber threats facing businesses and what can be done to mitigate the risk where possible.
Brian Honan, Head of Irish Reporting and Information Security Service (IRISS), really struck a chord when he said: ‘Cybercrime accounts for more financial loss than any other form of crime in the UK’.
This message was echoed by Richard Costelloe, Information Risk Officer at the KBC Group, who said that ‘Financial cyber scams are the most profitable form of crime’. There is clearly a market for this kind of crime, so the key question every business should be asking itself right now is not whether it will be attacked, but when and how, so that it can prepare to survive the attack.
The Office for National Statistics has reported more than 5.8 million incidents of cybercrime in the past year. One in ten adults has been a victim of such offences in the last 12 months, and fraud now costs an estimated £193 billion a year. With this in mind, are there trends emerging within cybercrime which businesses should be aware of?

Well, 93% of all reported attacks are Denial of Service (DoS) attacks. Ransomware is also on the rise, with more and more companies falling victim to it. Since few vendors offer a dedicated ransomware detection solution, a company’s IT department should follow best practice and keep backups that are held out of reach of the infected systems and are tested by actually restoring from them: a backup that has never been restored is not one you can rely on once the production data has been encrypted. The number of attacks abusing the Network Time Protocol (NTP) has also increased in the past 12 months, and mobile malware is another trend that many users are not yet aware of.

So what can be done to protect businesses and individuals from a cyber attack? The conference speakers shared a number of different ideas, ranging from fixing on-the-fly to thinking like an attacker, and they also presented current case studies of how they are dealing with different forms of cybercrime.
Hacking the device that keeps me alive
Marie Moe, a research scientist at SINTEF, an independent Norwegian research organisation, presented a very personal perspective on cybersecurity. As a pacemaker patient herself, she leads a project on the security of medical devices. Like any other computer, a medical device runs on a microcontroller with firmware that controls it, so it is exposed to the same bugs and external attacks as any other software. Using her own pacemaker as an example, she explained that it has two built-in communication channels used for programming and follow-up. The first works on a similar principle to contactless cards and only operates at very short range; the second is a radio link to a purpose-built base station that can be anywhere within a range of 10-15 metres. These channels open up a whole new set of possibilities for attackers. While extreme “007”-style remote assassination scenarios were mentioned as a joke, more realistic scenarios were discussed in all seriousness: ransomware, for example, could be used to blackmail a pacemaker user, demanding money in exchange for keeping the compromised device working.
What are the consequences of negligence by the manufacturer in this instance? Beyond the obvious harm to the patient, it can also cost the company revenue: St. Jude Medical in the US, for example, lost as much as 8% of its share value after it was publicly reported that its devices were vulnerable to cyberattacks.
Marie therefore urges the industry to take responsibility for regulating the technology more effectively, and encourages internal ethical hacking so that flaws are found before external attackers get the chance.
Terms and Conditions – Do you always read the small print?
Christopher Boyd from Malwarebytes argued that businesses urgently need to change the way they present their terms and conditions to individuals. As an example of what is wrong with T&Cs, Christopher showcased a free mobile phone game whose T&Cs ran to 406,000 words; it would take a consumer over 12 hours to read them just to play a throwaway game. This is not a one-off either: the same pattern can be seen in T&Cs across all sorts of industries. ‘Keep it simple’ was therefore the key takeaway from Christopher’s talk. As a way forward, could T&Cs be written up-front in plain English, with the more detailed legal text underneath? This would ensure that customers are clear on what they are signing up to, and aware of any loopholes that could expose them to a cyber attack. This certainly provided plenty of food for thought.
Know your enemy – international cyber warfare
“The Art of War”, the treatise by Sun Tzu, the famous Chinese military strategist, is still valid today in the digital age. This is according to Bob McArdle from Trend Micro, a leading IT security company which has written a number of interesting whitepapers on how the hacker community can be researched by country of origin. For example, the Russian hacking community is the most mature, with forums dating back to 2004. The variety of hacking services on offer and the pool of resources are impressive, with one forum reporting 35,000 subscribed users at a membership cost of $50 a year. In comparison, the Chinese community is more oriented towards its internal market, owing to the scale and opportunities within the country alone. Each country has its favoured hacking techniques, which led us to conclude that knowing and understanding your potential attackers is the first step towards successfully protecting your business.
–Written by Ernest Krukowski, System Administrator