Data breaches are continuing to hit businesses of all sizes. In the first quarter of 2019, financial giant Capital One suffered one of the biggest ever, when hackers gained access to 100 million customer accounts. During the same month, aluminium producer Norsk Hydro was forced to switch to manual operations after being hit with ransomware. This year has also seen the true impact of cyber attacks on businesses operating in Europe, after British Airways and Marriott Hotel Group became the first to be fined under GDPR.
Even before regulatory fines, the cost of a cyber assault can be huge. Accenture and the Ponemon Institute’s Annual Cost of Cybercrime study found that the average cost is $13m (£10m).
It is therefore no surprise that cyber security is quickly becoming an integral part of every company’s strategy. But in an age of increasing competition leading to quick and sometimes careless digital transformation initiatives, many firms need to take a more serious approach to securing their data. Indeed, experts think companies should react with more caution to trends such as bring your own device, the Internet of Things (IoT) and the cloud.
CompTIA global faculty member Ian Thornton-Trump says digital transformation initiatives were “hit and miss” in 2019. “Maybe the reason cyber criminals did so well was due to poor identity and access management and privileged account management – and tremendously bad cloud security configurations.” Despite many companies’ best efforts, these problems cannot be easily fixed using other technology, says Thornton-Trump. “All the fancy vendor products and artificial intelligence, machine learning and even blockchain technology have proved to be elusive solutions in closing the knowledge gap of rapid attempts at digital transformation.”
And as technology advances, some firms think they are protected because they perform basic cybersecurity protocols such as encryption. But encryption on its own doesn’t always secure data, says Tempered Networks technical support engineer Alex Vranas. “Just because packets are encrypted doesn’t mean someone can’t acquire data by analysing what they see,” he warns.
To illustrate this, he points out that researchers have been able to detect specific songs in encrypted audio streams, “because audio cadence is preserved through a number of encryption technologies”.
Wireless attack vectors
As cyber attacks increase, securing data is certainly becoming a more complex task. So, what are the top attack vectors?
At a very basic level, a company’s Wi-Fi router can leave it open to attack, and many such devices are shipped with insecure configurations, says Harman Singh, managing consultant at Defendza. He warns: “This opens up a number of opportunities for an attacker, whether it’s changing DNS settings to intercept or divert internet traffic, or firmware attacks.”
Another concern is the ability to access wireless networks by exploiting weaknesses in Wi-Fi protocols. Chris Elliman, lead consultant at Context Information Security, cites 2017’s keyreinstallation attack (KRACK), where researchers decrypted WPA2 sessions in the air; the vulnerability will be fixed in WPA3. Elliman says: “Previously outdated protocols will be blocked; there will be a defined protocol list. There are also additional protections that stop offline brute force attacks.”
However, there is no getting away from the fact that the current security solution is WPA2, and firms need to implement security based on this for now. “Certificate-based authentication is probably the most secure way of implementing that,” says Elliman.
He adds: “The difficultly with WPA3 is your wireless card needs to be WPA3-ready. If someone doesn’t have the functionality on their phone or laptop, it will fall back to WPA2.”
Experts agree incoming WPA3 certainly helps, but it doesn’t alleviate the Wi-Fi threat completely. “It’s a move in the right direction, but because of the need for backwards compatibility, it can always be downgraded to WPA2,” says Ryan Orsi, director of product management at WatchGuard. “This means a lot of the four-way [WPA2 handshake] vulnerabilities can be exploited.”
WPA3 is safer, but your device has no way to establish whether something is a true access point, Orsi explains. “So, you can still perform an evil-twin attack on the network.”
An evil-twin attack involves rogue access points being used to trap legitimate users away from their corporate network. “Once a user has logged into the attacker’s network, a target device, workstation or laptop will automatically connect to the rogue access point with a stronger signal,” says Singh. This attack is particularly concerning because it is hidden: the target user will see no changes in their experience. Among the risks, says Singh, “this attack can be used to monitor a user’s internet traffic, or launch a malicious campaign against the business”.
Similarly, rogue femtocells can target cellular communications such as 3G and 4G, says Singh.
Cellular security
Cellular is of course considered more secure than Wi-Fi. But there are still risks for businesses that rely on 3G and 4G communications. One cyber assault that is “impossible” to mitigate is jamming attacks, which flood the airwaves with noise to disrupt cellular communications, says Vranas.
At the same time, satellite communications use uplinks and downlinks often transmitted through open telecommunications network security protocols. This creates a huge attack surface, says Vranas. “Satellite communications can be intercepted from a large number of locations. If the data isn’t encrypted, someone somewhere will likely see it.”
SIM swapping is one of the biggest cellular-based vulnerabilities that companies should be aware of, says Todd Kelly, chief security officer at Cradlepoint. This type of attack allows a hacker to bypass two-factor authentication. “An adversary could try to log in as a business user to a service, say ‘forgot the password’ and they will be sent a verification code via SMS. The attacker can then reset the password and log in.”
Kelly says LTE is a “robust” technology. Specifically, he advocates the security of private LTE, which leverages micro towers and on-site small cells. Private LTE can be enabled by the 3.5GHz spectrum band. “This is great for ports or large-area campuses, which can leverage LTE-enabled endpoints to have control over the data and infrastructure.” But LTE isn’t foolproof: the attack surface is also broadened as more devices are connected – and it gets worse with 5G.
Beyond cellular, another area of concern is the security of the billions of devices connected to the internet. IoT and machine-to-machine (M2M) devices have been used by some firms for years, but many of the security issues remain. By far the biggest risk in IoT is the lack of security in the design by product manufacturers. This is despite initiatives such as the measures introduced by the UK government last year.
Developed in collaboration with the National Cyber Security Centre, the government’s Secure by Design review laid out plans to embed security in the design process, rather than it being bolted on as an afterthought. However, despite these measures to ensure products undergo extensive security assessments before release, vulnerable devices are still hitting the market, says Singh.
IoT device authentication is also a security concern, he says. “This has to be the main cause of compromises due to default credentials, no credentials, or use of vulnerable authentication mechanisms.” Insecure interfaces are another problem. “Insecure web and network services utilised by internet-exposed interfaces are an invitation for compromise,” Singh says.
Attackers choose to target IoT devices because it is easy to do so. “The skillset needed for the exploitation of these services doesn’t require a nation state actor or the latest zeroday vulnerability,” Singh explains. “Most of the time, these issues are plain-text credentials, weak credentials, vulnerable plugins or libraries in use.”
Cyber security in 2019 and beyond
There are multiple threats across many attack vectors, so what can firms that rely on wireless communications do to stay secure? Achi Lewis, EMEA and India director for NetMotion, advises companies to understand their “hidden” network, which he defines as “devices sitting on the edge or outside your control”.
He adds: “Decide what you need and build your environment around those elements. This will assure control, ease of use and the best experience for users and organisations.”
Taking the risks into account, Kelly is an advocate of treating networks as untrusted. “Regardless of the threats, that’s what you should embrace as a mindset.” He also advises using virtual private networks (VPNs) and certificate-based authentication with rotating keys.
Singh agrees, advising firms to deploy certificate-based authentication as a “must have” in corporate wireless networks. “A certificate-based authentication scheme uses public key cryptography and a digital certificate to authenticate a user. The biggest advantages with this scheme are privacy-based by protecting a user’s wireless credentials.”
It is important to make sure that all firmware and software modules in use for network administration and management are updated to the latest stable versions. “This will ensure the attack surface remains minimal,” Singh says.
At the same time, ensure encryption is in line with secure configuration for authentication and data transmission purposes, Singh adds. He says: “Always segregate the networks, users and environments. This includes separating the guest from the corporate network.”
Vranas agrees. He says network segmentation and resource isolation are “important concepts used for network security” and “the first thing most operators implement to limit breaches from propagating further”. He adds that recent innovations in networking have made the tools for segmentation even easier to implement, deploy and manage.
Meanwhile, Singh advises users to log network traffic events in order to ensure there is an audit trail that can be analysed for suspicious activities in case of an attack. He adds: “Ensure that logs are aggregated securely in a central repository; correlate events using security information and events monitoring (SIEM) to help you identify and detect issues in real time.” In addition, he says testing is important.
Elliman says firms should also be aware of how their wireless network (SSID) name can be used against them. The wireless network is often in the business’s name. “If the attacker wanted to find the network and target the business, it’s like a red flag. You can use animals or planets for network names.” In addition, he recommends implementing a content filtering solution. This should block adult content or anything illegal.
At the same time, password security is vital, especially to protect against an evil-twin attack in WPA3. “Use very complex passwords,” says Kelly. Update the Wi-Fi password and change it regularly, advises Orsi.
The cyber-security threat landscape will continue to diversify, so it is important that firms keep up with the basics. On top of patching systems regularly, employees should be educated and on board with how to help the whole business stay as secure as possible.
