Nearly half of all UK companies suffered a breach over the past 12 months, according to the Government’s Cyber Security Breaches Survey. The average cost to large businesses over the period was £20,000, and in some cases the figure reached millions of pounds.
Breaches most commonly took place via phishing emails coaxing staff into revealing passwords or financial information. At the same time, ransomware, such as the WannaCry cryptoworm that hit the NHS, has become a prolific form of attack. In October, vulnerabilities were discovered in the WPA2 protocol that can help attackers hijack Wi-Fi data transmission.
As a backdrop to this, the landscape is changing very quickly, says Simon McCalla, CTO at Nominet. “Breaches are becoming common, as is the diversity of how they are happening,” he says, pointing out that criminals are carrying out many targeted attacks over multiple protocols. “It makes it so much harder to protect your business when you are being attacked from both sides.”
Making things worse, cyber criminals are starting to exploit third parties, says Vince Warrington, director at Protective Intelligence. “It’s now very difficult to attack a bank, so hackers are targeting the third party who supplies the Wi-Fi routers. So, it’s going up the supply chain and people aren’t prepared for that. It’s no longer about your security; it’s the security of the people you give data to.”
Attack vectors
Adding to this, the sheer number of unsecured Internet of Things (IoT) devices in use today is putting firms at increasing risk of attack. According to Stephen Moore, chief security strategist at Exabeam, IoT devices can be used as a “stepping stone” into a company’s network. This is because many of the devices have access to other databases and systems and use a simple ‘username plus password’ to access these.
Richard Moulds, general manager at Whitewood, says: “If you can fool one device, you can fool them all. How do you authenticate these devices and how do you establish confidential communications between them?”
One way criminals are using IoT to mount attacks is distributed denial-of-service (DDoS), in which many compromised machines are marshalled into a botnet. The devices then flood a target with traffic, which can make websites unreachable. This was the technique used when the Mirai botnet took over connected devices such as baby monitors to attack online firms including Netflix, whose domain name system (DNS) was operated by the provider Dyn.
McCalla says: “Fundamentally you need to leave your DNS port open, but malware and viruses can use this as a method to get up to no good.”
Another high-profile IoT botnet was dubbed “Reaper” by researchers at Netlab 360. It took over two million internet-connected webcams, security cameras and digital video recorders during the course of a month.
So how can businesses protect themselves? While firms traditionally separate their internal and guest networks, Ojas Rege, chief strategy officer at MobileIron, suggests that IoT devices should also have a network of their own. “A lot of the IoT systems need integration with the enterprise: you need a guest network, a low-trust IoT network and an internal network,” he explains. “That’s the only way you can control this. We have all heard of ‘shadow IT’ – where someone brings in a device or app – but now it’s become shadow IoT.”
Yet many firms are not carrying out basic security ‘hygiene’ measures such as patching. It is understood that the WannaCry ransomware was able to reach the NHS because systems were running Windows XP, an operating system that Microsoft no longer supports.
Practices for hardening systems and networks from the 1990s still largely hold true today. One of these rules is patching, says John Bambenek, senior threat researcher at Fidelis Cybersecurity, although it must now be done more quickly than in the past.
Ben Silverstone, course leader for computing and quantitative business at Arden University, focuses on the people side of cyber security. He agrees that patching is often missed. “This is a behavioural matter, not technology – the technology is there,” he points out.
Silverstone says cyber security comes down to education and training. “A lot of IT training is around the functional and systems end, rather than the behavioural bits that underpin the systems we are using. The knee-jerk response is thinking that people can’t be trusted, so firms will lock a system down, but this doesn’t deal with the underlying problem.”
Cyber security is about more than mitigating the attack, says Warrington. “It’s about acknowledging the problem and looking at how we respond to an incident. It’s not the chief security officer’s role: firms should have PR people on hand to help them respond.”
There are many examples of this being handled badly, he says. “Look at the Equifax breach – they found out they had a problem and sat on it for months.”
GDPR is coming
Adding to the complexity, businesses must ensure they comply with the EU’s updated data protection rules, the General Data Protection Regulation (GDPR), which apply from May 2018. Companies are obliged to report a breach of personal data within 72 hours. The GDPR also gives more rights to data subjects, a category that covers both a firm’s employees and its customers. Those that do not comply can face fines of up to four per cent of company turnover.
There has been much hype about GDPR, and this has made some companies wary of the barrage of information from vendors trying to scare them into buying products. In addition, Warrington says: “My concern is that a lot of information about GDPR is inaccurate: people say speed cameras can’t operate because they record the car registration number, which is ‘personal’ data. This isn’t true.”
Another misconception about GDPR centres around the need to comply following Brexit. “Some companies think they don’t have to worry about it, but it will be written into the Repeal Bill and we will still hold EU citizens’ information,” he says.
It might appear daunting, but Warrington thinks GDPR is “a good regulation”. He adds: “I say to companies to look at it as an opportunity to get your data in order.”
According to Moulds, rather than seeing GDPR as a security mandate, firms should view it as “an organisational framework, looking at the data you collect and how you use it”. He explains: “It’s simple data management practices and accessibility to users. One of the strengths of GDPR is it will focus companies on only storing the information they need, so departments such as marketing will have to justify why they require data.”
With regulation such as GDPR making the impact of data loss much bigger, it is important to have a cyber security strategy. As part of this, Rege warns firms to be aware that threats change all the time, especially in mobile. “The way Apple and Google are attacking this is very powerful; they are constantly updating the OS and putting in place security mechanisms in their app stores. That’s good news as they are stopping malware being available there.”
However, currently, he says, a lot of focus is on the apps when the landscape is much broader. “Companies should be securing the device, network and app; they must have a mechanism to approach all these threats.”
Meanwhile, firms must ensure security is not just IT-focused, says Warrington. “It needs to be discussed at the top level. People understand physical crime and are starting to realise the threat of cybercrime. It’s risk management; that’s all it is.”
At the same time, it is important to recognise that the changing landscape can be complex for those in charge of security. McCalla explains: “The challenge for any CSO is: it’s a very crowded marketplace, some types of technology are more effective than others. What’s important is covering as many bases as you can. You can’t keep buying loads of tools and technologies – it’s about buying the key things that deal with attacks.”
In the past, companies spent a large proportion of their cyber security budgets on endpoint security. Today, however, firms are looking to centralise solutions, McCalla says. As part of this, organisations are starting to monitor network traffic, allowing them to spot and sometimes mitigate security problems in real time. This monitoring increasingly relies on machine learning and artificial intelligence (AI), which use data to spot patterns without intervention from a human. Because intelligent security systems are able to ‘learn’ from these patterns, their ability to identify anomalies and mitigate attacks improves over time.
“Collecting large amounts of data and pattern-matching using predictive analytics to see the future is important to security,” Rege says.
Indeed, McCalla says this technique is particularly useful for large companies that collect vast amounts of data. “As a business, we deal with five billion queries and responses a day [on DNS]. Our users can have up to 20 billion.
“The traffic is sometimes malicious, and finding that is really key. We are starting to use pattern-recognition techniques where algorithms are self-learning and can see what ‘normal’ looks like. Unusual patterns are a big sign of malicious traffic.”
Some of this traffic will be email spam, he says, but quite often it could be something more harmful such as DDoS. “If a business is suddenly seeing a big spike in traffic and it’s coming from the other side of the world such as Russia – that’s typically a sign that something isn’t quite right.”
On the other hand, he says: “If traffic starts to drop, someone could have taken a server offline.”
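The “what does normal look like” check McCalla describes, reduced to its simplest form: learn a baseline from recent hourly DNS query counts, then flag an hour that sits far above it (a possible DDoS) or far below it (a possible outage). This is an added illustration, not Nominet’s code; the hourly counts, the window size and the threshold are constructed. A robust baseline (median and median absolute deviation) is used so that one attack hour does not poison the definition of ‘normal’ for the hours that follow.

```python
"""Baseline-and-deviation check for DNS query volume (added example)."""
from statistics import median

# Constructed hourly query counts for one resolver: 24 ordinary hours,
# then a sudden surge (DDoS-like), a quiet hour, and a collapse to zero
# (server-offline-like).
NORMAL_HOURS = [1_000_000 + (i % 5) * 20_000 for i in range(24)]
OBSERVED = NORMAL_HOURS + [4_500_000, 1_020_000, 0]


def baseline(history):
    """Learn 'normal' as median and median absolute deviation (MAD).

    Unlike mean/standard deviation, one extreme hour in the window
    barely moves these, so detection keeps working after a spike.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def classify(count, med, mad, k=3.0):
    """Label a count as 'spike', 'drop' or 'normal' relative to baseline."""
    scale = 1.4826 * mad                 # MAD scaled to approximate one sigma
    if scale == 0:
        scale = max(0.01 * med, 1.0)     # guard against a perfectly flat baseline
    z = (count - med) / scale
    if z > k:
        return "spike"
    if z < -k:
        return "drop"
    return "normal"


def scan(counts, window=24, k=3.0):
    """Score each hour against the preceding `window` hours.

    Returns a list of (hour_index, label) for every hour past the warm-up.
    """
    findings = []
    for i in range(window, len(counts)):
        med, mad = baseline(counts[i - window:i])
        findings.append((i, classify(counts[i], med, mad, k)))
    return findings


if __name__ == "__main__":
    for hour, label in scan(OBSERVED):
        print(f"hour {hour}: {OBSERVED[hour]:>10} queries -> {label}")
```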
Intelligent techniques
Increasingly, today’s intelligent techniques are able to give a context to data. In the past, says Moore: “You might get an alert to say there’s a virus in this environment, but it wouldn’t tell you if it has been there before.”
In contrast, Moore says newer tools are starting to add these pieces together to form an idea of what is going on in the network. User and entity behaviour analytics (UEBA) uses machine learning and data science to get an understanding of how humans, entities or devices behave in a certain environment, he says.
Based on that behaviour, risk-scoring is added, and if an activity is deemed ‘not normal’, points begin to accrue. “Whether it’s a device or human being, an analyst responsible for security can understand that,” he explains.
For example, Moore says: “Someone might have opened new systems for the first time, or visited a file upload site, and this might be indicative of a threat. In IoT, it might be the first time the machine has run a process; maybe it tries to connect to an outbound connection such as a country we don’t do business in.”
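The risk-scoring idea Moore describes, written out as a small first-seen scorer: a learning period records what each user or device normally does, and afterwards every activity that is new for that entity accrues points, with extra weight for file-upload sites and for destinations outside the countries the business deals with. This is an added example rather than Exabeam’s or any product’s logic; the event format, point values, allow-list and thresholds are all constructed.

```python
"""First-seen behavioural risk scoring in the UEBA style (added example)."""
from collections import defaultdict

BUSINESS_COUNTRIES = {"GB", "IE", "DE"}           # constructed allow-list
UPLOAD_SITES = {"paste.example", "share.example"}  # constructed category list

# Points accrued per kind of first-time activity (constructed weights).
POINTS = {"system": 10, "process": 15, "site": 5, "dest_country": 25}
UPLOAD_BONUS = 20          # extra for a first visit to a file-upload site
REVIEW_THRESHOLD = 40      # score at which an analyst should take a look

# Constructed events as (entity, kind, value). The learning period defines
# what is 'normal' for each entity; live events are scored against it.
LEARNING = [
    ("alice", "system", "hr-portal"), ("alice", "site", "intranet.example"),
    ("alice", "dest_country", "GB"),
    ("cam-07", "process", "stream_daemon"), ("cam-07", "dest_country", "GB"),
]
LIVE = [
    ("alice", "system", "hr-portal"),      # seen before: no points
    ("alice", "system", "finance-db"),     # first time: +10
    ("alice", "site", "paste.example"),    # first time, upload site: +5 +20
    ("cam-07", "process", "sh"),           # camera runs a new process: +15
    ("cam-07", "dest_country", "XX"),      # new country, not on allow-list: +25 +25
]


def learn(events):
    """Record every (kind, value) pair each entity has been observed doing."""
    seen = defaultdict(set)
    for entity, kind, value in events:
        seen[entity].add((kind, value))
    return seen


def score(seen, events):
    """Accrue points for activity that is new for the entity, updating `seen`."""
    risk = defaultdict(int)
    for entity, kind, value in events:
        if (kind, value) in seen[entity]:
            continue                      # normal for this entity: nothing accrues
        seen[entity].add((kind, value))   # from now on this is part of 'normal'
        risk[entity] += POINTS[kind]
        if kind == "site" and value in UPLOAD_SITES:
            risk[entity] += UPLOAD_BONUS
        if kind == "dest_country" and value not in BUSINESS_COUNTRIES:
            risk[entity] += POINTS[kind]  # unusual *and* outside business footprint
    return dict(risk)


def needs_review(risk, threshold=REVIEW_THRESHOLD):
    """Entities whose accrued score has crossed the analyst-review threshold."""
    return sorted(e for e, pts in risk.items() if pts >= threshold)
```

Run end to end, alice accrues 35 points and stays below the threshold, while the camera that ran an unfamiliar process and reached an unfamiliar country reaches 65 and is queued for review.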
With techniques such as this it is likely that, in the future, human intervention will be even more limited. The ideal scenario is getting an automated response that can mitigate the attack without a need for intervention, says Bambenek. “Take ransomware: there is a defined pattern of how cryptographic ransom works. You can use machine learning to say, ‘I don’t have a signature for this, but the pattern makes it likely to be ransomware.’ If you can stop it, that’s a very good automated response,” he explains.
More intelligent response is already possible, says Moore. “We can respond with actions: for example, by saying ‘disable this account’, or ‘take this machine offline’.”
However, despite the benefits, there is a risk associated with the machine-learning model, says Moulds. “Once you start to programme in learning, there is a risk that the bad guys work out what the model is. You could get systems that are so rule-based, they allow criminals to bring them down.”
Those who work in cyber security concede that in this way, the area is a game of cat and mouse. However, intelligent techniques have great potential to help firms stay one step ahead of criminals. As the risk of attack grows, technology such as this, along with a strategy that includes training staff, will help businesses safeguard their valuable customer data.