Thomas Cook and the problem with phishing

Posted: October 3, 2019 | Author: | Filed under: Uncategorized | Tags: , , , , , | Leave a comment

phishingLast week, the world’s oldest travel agent, Thomas Cook, collapsed, leaving around 150,000 holidaymakers stranded. But the demise of one of the UK high street’s best-known brands didn’t just end up costing the government, which had to foot the bill for repatriation. It resulted in another opportunistic phishing campaign of the sort that often follow major news events.

In this case, reports soon emerged of consumers targeted with phone calls and emails purporting to come from ‘refund agents’ who just needed their bank/card details in order to reimburse them for their holiday. I spoke to some security experts to find out how far brands are exposed to such campaigns, and what they can do about it. The consensus is that communication with customers is key.

“Organisations and users are at their weakest, post-incident, when it comes to fraud. As we’ve seen time and time again, hackers almost immediately distribute phishing attempts to try and capitalise on an incident,” Proofpoint cybersecurity strategist, Adenike Cosgrove, told me by email. “The repercussions are huge: it will affect customers as well as financial institutions dealing with the aftermath, as their contact centres are inundated with calls from concerned consumers.”

The primary impact of such scams is on customer confidence and trust in the brands they do business with, according to Gemma Moore, director at security consultancy Cyberis. However, they’re almost impossible to stop, she told me.

“What brands can do is manage their customer communications closely and ensure that their customers are well-briefed about how the brand will communicate with them and under what circumstances,” Moore continued.

“Brands can work to educate their customers to treat communications with a sceptical eye. Many banks, for example, regularly remind their customers that they will never contact them asking for sensitive information like card details by email or telephone. Ultimately, vigilance is the best defence for people who are targeted in this way and brands can help this by maintaining clarity.”

Banks add confusion

So, organisations need not only to have a clear communications strategy but also to remind customers what this is, so that any phishing attempts that deviate from the norm will be easier to spot. With the Thomas Cook incident, however, UK banks added to the confusion by texting their customers with messages containing links and phone numbers to call. Some recipients understandably believed these to also be phishing attempts, especially as some claimed not to have even bought a holiday with Thomas Cook recently.

Once again, transparency and consistency is key to keeping customers safe.

“How the banks communicate is key. There is an argument that they should not use text messages as SMS phishing is rife and would potentially confuse consumers,” said Cosgrove.

Brands must not only try to mitigate the impact of attacks on consumers, of course, but also attempts to phish their employees, which could lead to serious data breaches, ransomware infection or other threats. At the same time, and backed by a global cybercrime economy built on stolen data and dark web sites, cyber-criminals are constantly evolving their tools and tactics to trick both employees and consumers.

One technique gaining in popularity is “angler” phishing, where fraudsters set up Twitter accounts masquerading as brands’ customer service operations. They monitor complaints from customers and then jump in to hijack the conversation, often requesting additional personal info and financial details from the victim.

“Another key trend we are seeing is an increase in domain fraud, where criminals leverage domains to target a known brand or company by sending phishing campaigns that look like genuine communication,” Cosgrove explained.

“Recent research shows that 96% of organisations found ‘lookalike’ domains posing as their brand, with registrations of fraudulent domains growing by 11% last year.”

This is where brand and domain monitoring services could come in handy, although as with any cyber-threat, defence-in-depth is recommended. Phishing campaigns are relatively easy to launch and have a decent success rate, so don’t expect any major change in tactics anytime soon. Ultimately all organisations can do is educate their customers about the dangers, create clear, careful communications policies, and closely monitor abuse of their brands and domains online.

 

 

 

 

Advertisement

Will DNS threats finally undo organisations, or are they ready to take control?

Posted: August 1, 2019 | Author: | Filed under: Uncategorized | Tags: , , , , , , , , , , , , | Leave a comment

codeThe Domain Name System (DNS) is one of the least understood but most crucial parts of any IT environment. Although it’s operated via a global network of servers under the control of ISPs, non-profits, registries and others, attacks can strike to the heart of any organisation. DDoS, phishing, malware downloads, C&C communications and even data exfiltration can all take place via DNS channels.

Because it’s always on and running in the background, converting domain names to IP addresses so users can surf the web, it’s a great conduit for attackers. But that also makes it a useful place to gain advanced insight and control. I spoke to a range of industry experts on the key challenges and opportunities facing firms.

A new favourite

DNS attacks are becoming increasingly popular with nation state hackers. Sea Turtle and DNSpionage campaigns over the past couple of years have targeted Middle Eastern governments and military organisations. They typically compromise key DNS servers, and change the queries stored in them to enable man-in-the-middle phishing attacks designed to secretly steal important passwords. Part of the problem, according to Nominet’s head of IT security, Cath Goulding, is that the protocol is decades old.

“DNS was designed nearly 50 years ago. The people who created it could not possibly imagine the threats that we face today,” she tells me via email. “The advanced malware that we see could not be conceived 50 years ago, so DNS was not designed to defend against it. Humans simply can’t manually monitor the amount of data that passes through it, so we must rely on algorithms and machine learning to keep us safe.”

Gary Cox, technology director for Western Europe at Infoblox, adds that DNS is increasingly being targeted by hackers as other avenues are blocked.

“DNS has become more and more popular as a result of other security gaps being filled – by things like next-gen firewalls, IDS/IPS systems, highly capable endpoint protection going well beyond just basic Anti-Virus,” he explains to me. “New attack vectors are continually explored and exploited, and the latest twist from a DNS perspective is that DNS over HTTPS (DoH) is now being used to circumvent DNS security controls.”

According to DNS pioneer and Farsight Security CEO, Paul Vixie, services like DoH “are well intentioned but policy-ignorant, and many threats to the user or to the rest of the user’s network are able to bypass security controls when the user bypasses the local name service.”

Another example of a DNS bypass attack which has garnered an increasing number of headlines over the past year is DNS rebinding. In this attack, hackers first get victims to click on malicious links or online adverts, with rebinding techniques enabling them to bypass the network firewall and use the victim’s browser as a proxy to target any devices on this network. It’s predicted that this type of attack could become increasingly popular in compromising IoT endpoints.

What can we do?

So how can IT security leaders hope to mitigate the risk of a DNS-based attack? After all, with the DNS servers themselves usually out of their control, there’s a limit as to what they can do, right? Well, yes and no. Goulding argues that by using analytics services that search DNS traffic, organisations can turn the ubiquity of DNS to their advantage, using it as an early warning system to spot and block attacks before they’ve had a chance to impact the organisation.

“Utilising a DNS monitoring tool is the first step to mitigating the DNS risk,” she explains. “And while not every firm can afford high-level DNS protection, taking steps to ensure staff education is crucial, too. For many workers, they might not be clear what is and what isn’t a malicious link or malicious add. Ensuring staff have the tools they need to work out what might be malicious and what not be malicious will ensure company safety.”

ISACA board director, Asaf Weisberg, adds that DNSSEC should be rolled across the industry “to strengthen authentication in DNS, by using a DNS Zone’s private key to digitally sign the DNS data, and allowing the resolver to confirm the validity of the DNS data through a corresponding public key that is being retrieved as part of the DNS query.”

However, efforts thus far have been poor. It’s claimed that less than 20% of DNS stakeholders have adopted the specifications – a figure ICANN wants improving urgently. Without this kind of cross-industry response, DNS could remain a security blind spot for organisations for many years to come.

Trump’s second thoughts on Huawei ban will only benefit China

Posted: July 26, 2019 | Author: | Filed under: Uncategorized | Tags: , , , , , | Leave a comment

trumpRepublishing this latest piece from IDG Connect from early this month.

The news coming out of the latest G20 summit in Japan has been largely focused, just as Donald Trump likes it, on his trade war with China. But has the self-styled Dealmaker-in-Chief made a tactical error by appearing to relax punitive rules imposed on one of the Middle Kingdom’s leading tech firms, Huawei?

While the details are still to be hammered out, the announcement would appear to be good news for US tech firms, in the short term at least. But it will only serve to buy Chinese firms more time as the country accelerates towards tech self-sufficiency, while failing to resolve the question of who builds America’s 5G networks.

A good day for Huawei

Trump’s announcement over the weekend came after he and Chinese President Xi Jinping met at the meeting of world leaders in Osaka. The two agreed to resume trade talks, halting the imminent imposition of tariffs on a further $300bn of Chinese imports to America as well as relaxing rules preventing US firms from selling components to Huawei. The latter agreement effectively reverses a decision made last month to stick Huawei and 70 subsidiaries on an “entity list”, although even this had been subject to a subsequent 90-day delay. That decision was touted as one made on national security concerns about the Shenzhen-based network equipment and smartphone manufacturer, although Beijing officials have claimed it was more aimed at constraining the global rise of China’s tech giants.

National Economic Council chairman Larry Kudlow subsequently clarified that these US national security concerns “are still paramount”, and that the new agreement did not amount to a “general amnesty”. Instead, it will only “grant some additional licenses where there is a general availability” of the parts needed by Huawei. These include key processors and software produced by US firms. Huawei was hit for six by the US Commerce Department order in May, which imperilled the supply of key smartphone kit from Qualcomm as well as Intel server and laptop chips, Xilinx and Broadcom networking kit and even Google Android support.

Kicking the 5G can

US technology firms will certainly be happy with the G20 decision. Losing one of their biggest Asia clients – one of the world’s top three smartphone producers – would have been a major financial blow. But it does nothing to address the other key China initiative taken by the Trump administration in late May: declaring a national emergency preventing the supply of IT services and equipment from firms (like Huawei and ZTE) considered under the direction of foreign adversaries.

There is therefore still a huge question mark over how the US competes with China more broadly when the only viable supplier of 5G networks at present is Huawei. Its kit is said to be cheaper and as much as a year more advanced than rivals like Nokia and Ericsson. Washington’s decision to block on national security grounds threatens to stall progress in IoT and smart cities, autonomous vehicles and other sectors which are waiting for 5G to accelerate to the next level of development. More important still, there may be significant military advances being held up by these 5G delays.

Former Pentagon official and visiting fellow at The Heritage Foundation, Steve Bucci, is optimistic that homegrown solutions can be found.

“Trump’s comments do not lift these [5G] restrictions, which is spot on. We cannot lift them safely,” he told me by email. “The answer is to challenge US companies to pick up the baton. They can do it technologically, and just need a little assurance their investments will not be in vain. Additionally, it would probably give our allies and friends a few more options.”

An uncertain future

Yet given the hundreds of billions Huawei and China have spent in gaining an advantage in 5G, it’s unlikely at present that US firms can catch up. That could mean long-term decline for its telecoms sector and missing out on a huge economic dividend.

“The leader of 5G stands to gain hundreds of billions of dollars in revenue over the next decade, with widespread job creation across the wireless technology sector,” a Pentagon report warned in April. “The country that owns 5G will own many innovations and set the standards for the rest of the world. That country is currently not likely to be the United States.”

In the meantime, the Trump administration’s initial decision to put Huawei on a trade blacklist will only have strengthened Xi Jinping’s arguments at home that China is still too reliant on the US for key technology components.

Roslyn Layton, co-creator of ChinaTechThreat.com, member of the Trump Transition Team for FCC, argued via email that “Huawei is in a death spiral”.

“If Huawei doesn’t have access to the essential patents from Qualcomm, Huawei is out of business.  Huawei can’t make 5G equipment without these patents,” she added.

This may be true. But you can be sure that it and more generally the Chinese state will be working hard to become self-sufficient in these components. Deals like the G20 one simply buy them more time. The long-term picture for US tech suppliers with major markets in China and the many thousands of businesses waiting for 5G networks is far from rosy.

 

Tech in 2019: what’s in store for APAC

Posted: January 4, 2019 | Author: | Filed under: Uncategorized | Tags: , , , , , , , , , , , , , , , , , | Leave a comment

south china sea mapIn today’s globalised business world, what happens in Shenzhen or Singapore may be just as important as trends closer to home. To that end, I recently offered IDG Connect the following round-up of the past year in APAC, and a few notes on what we can expect from the months ahead. As Apple’s dire performance in China has shown, Asia increasingly matters to Western tech firms, their customers, shareholders and partners: 

Asia’s technology market had more global exposure in 2018 than in many recent years. There’s just one problem: most of it was negative. President Trump has begun a de facto trade war with China which has now morphed into a full-fledged stand-off on several fronts, with cyber-espionage and perceived unfair Chinese trading practices at the heart of US grievances. As we head into 2019 expect tensions to increase, with other south-east Asian nations potentially benefitting as US firms pull their supply chain operations from the Middle Kingdom.

It could be an extremely nervy time for Silicon Valley CEOs.

The trade war continues

The tit-for-tat trade war started in 2018 might have so far steered largely clear of tech goods, although some firms have begun to warn of an impact on profits. But the industry has certainly been at the heart of the stand-off between the world’s superpowers. In January a deal between Huawei and AT&T to sell the former’s smartphones in the US collapsed after pressure from lawmakers worried about unspecified security concerns. Then came a seven-year ban on US firms selling to ZTE — the result of the Chinese telco breaking sanctions by selling to Iran, and then lying to cover its tracks. Although part of the ban was subsequently lifted temporarily, it highlighted to many in the Chinese government what president Xi Jinping had been saying for some time: the country needs to become self-sufficient in technology. It was reinforced when Huawei became the subject of a similar investigation.

This is about America, and Trump in particular, fighting back against what it sees as years of unfair trading practices by China. The argument goes that the Asian giant has been engaged in cyber-espionage on an epic scale to catch up technologically with the West, and unfairly forces IP transfers on foreign firms as the price for access to its huge domestic market. Thus, the coming year will see a ratcheting up of tensions. China on the one side will look to increase its espionage in areas like mobile phone processors to accelerate plans to become self-sufficient. And the US will continue to find ways to crack down on Chinese firms looking to access its market — probably citing national security concerns. There are even reports that the US has considered a total ban on Chinese students coming to the country over espionage concerns.

“Technology CEOs the world over with supply chain dependencies in China — so probably all of them — should be increasingly nervous and focused on their firms’ efforts to have viable contingency plans for a US-China technology cold war,” wrote China-watcher Bill Bishop in his Sinocism newsletter. That could spell good news for other ASEAN nations like Vietnam, where Samsung has made a major investment in facilities — although few countries in the region boast the infrastructure links and volume of skilled workers China does.

Cybersecurity takes centre stage

As mentioned, cybersecurity and online threats are at the heart of the Sino-US stand-off. The stakes got even higher after a blockbuster report from Bloomberg Businessweek which claimed Chinese intelligence officers had implanted spy chips on motherboards heading for a US server maker. Although the claims have been denied by Apple, Amazon and the server maker in question, Supermicro, they will confirm what many have feared about supply chain risk for a long time and accelerate efforts in 2019 to move facilities out of China. Further fanning the flames is a US indictment alleging Chinese spies worked with insiders including the head of IT security at a French aerospace company’s China plant to steal IP.

In a move likely to enrage China, the US also recently arrested and charged a Ministry of State Security (MSS) operative with conspiracy to steal aviation trade secrets. A major backlash is likely to come from Beijing. But more could also come from Washington after a combative congressional report from the US-China Economic and Security Review Commission called for a clampdown on supply chain risk and warned of China’s efforts to dominate 5G infrastructure and IoT production.

Aside from state-sponsored attackers, there’s a growing threat from Chinese cyber-criminals, according to one security vendor. Western firms suffer millions of attacks per year from financially motivated Chinese hackers, according to IntSights. Expect that to increase in the future as the state encourages criminals to focus their efforts outside the country, or even to team up with hacking groups at arm’s length. Also expect the country’s Cybersecurity Law to have a growing impact on how Western firms do business there. Ostensibly meant to vet such firms for interference by the NSA and CIA, the law could also serve as a pretext for Chinese officials to access sensitive IP and source code belonging to Western firms operating in China.

For other countries in the region, improving cybersecurity is vital to their efforts to attract more foreign IT investment and nurture start-up friendly environments. Although there are pockets of good practice, APAC is thought to be among the least mature regions worldwide. AT Kearney has called on ASEAN nations to increase cybersecurity spending to around $170 billion, warning that they are in danger of losing $750 billion in market capitalisation otherwise.

The threat from Chinese spies and local hackers is compounded by the growing danger posed by North Korea. Its state-sponsored hackers are acting with increasing impunity. FireEye recently identified a new group, APT38, which was responsible for the attacks on Bangladesh Bank and other financially motivated raids. Expect more attacks aimed at raising funds for the regime, as well as destructive campaigns and politically motivated information theft.

Taking a lead

On a more positive note, APAC is increasingly seen as a leader in emerging digital technologies: led by the two regional giants of India and China but also mature nations like Singapore, Taiwan, Hong Kong and South Korea. Microsoft believes that digital transformation will inject over $1 trillion to APAC GDP by 2021, with artificial intelligence (AI) a key catalyst for growth.

AI continues to be major focus for the region. Singapore is a leader in AI thanks to heavy government investment in schemes such as AI Singapore (AISG) and its AI Speech Lab, while government-owned investment company SGInnovate has recently unveiled its Deep Tech Nexus strategy. India is also is also poised to become “one of the most active centres of expertise in AI” according to experts, thanks to government backing.

Asia is leading the way on smart city projects. Investment in initiatives was set to reach $28.3 billion in 2018 in APAC (ex Japan), and is forecast to reach $45.3 billion in 2021 — partly out of necessity. The region’s cities are forecast to add another one billion citizens by 2040, which will require up to 65% of the UN’s Sustainable Development Goal targets to be met.

India’s Modi government has led the way with an ambitious plan to transform 100 cities, although 2019 will be a crucial year, given that recent reports claim 72% of these projects are still only at the planning stage. Many more examples are springing up all over the ASEAN region, however, from flood awareness programmes in Danang to a free public Wi-Fi and CCTV camera network in Phuket. IDC celebrates some of the best examples each year, showing the breadth of innovation in the region.

However, governments will need to do better in 2019 to tackle major barriers to digital transformation identified by the UN. These include excessively top-down approaches; security, privacy, and accountability problems; and digital exclusion. It claimed just 43% of APAC residents were internet users in 2016. There’s plenty of work for governments and the private sector to do next year.

 

Remote working: how to balance productivity and security

Posted: December 13, 2018 | Author: | Filed under: Uncategorized | Tags: , , , , , , | Leave a comment

laptop and honeThe UK has a profound productivity problem. Growth has been flat over the past decade and still lags pre-financial crisis levels. In this environment it’s vital that IT departments support employee demands for more flexibility in where and how they work.

Employers must provide flexible working options by law in the UK. But beyond this is just makes good business sense, helping improve job satisfaction, reduce churn, and drive that elusive productivity. It could even help firms to downsize offices to lower rent and overheads. The big problem is the cybersecurity risks it introduces.

I spoke to some experts for an upcoming Infosecurity Magazine feature to find out more.

Duo Security’s Trusted Access Report notes that over 40% of requests to use corporate applications come from outside the secure networks.

“Users are demanding flexible working conditions to perform their jobs and security needs to enable these practices as well as not inhibit them otherwise users will just find work-arounds. The risk may be increased as users log in to unprotected Wi-Fi spots that may have been set up to deliberately trap them or be infected by malware to perform attacks,” the vendor’s advisory CISO, Richard Archdeacon, told me.

“This way of working enables a situation where a hacker using remote access with stolen credentials may be able to perform a sophisticated attack. We need to ensure that users are aware of this risk and that their endpoint devices are as up to date as possible, which will help reduce the potential of compromise.”

A Zero Trust approach, in which the default setting is to assume users and devices have been compromised, offers a way forward, he claimed. It should include not just security on each mobile endpoint but also multi-factor authentication (MFA) so that remote workers can prove they are who they say.

Raghu Konka, iPass VP of engineering, pointed to the risk of passive data collection and man-in-the-middle attacks via public Wi-Fi, as well as “untrusted sources” such as websites and email attachments.

“Rather than everything being neatly secured on the company’s network in an office building, mobile workers can be accessing data from anywhere, and this opens them up to a number of threats,” he told me.

“Malware downloaded onto the victim’s devices in these attacks can be used to steal personal, financial or business information or lock access to data. Email fraud is another growing concern for enterprises when employees work remotely, as these workers are used to receiving instructions or conducting business via email rather than face-to-face, and therefore may not see the need to verify that the requests are legitimate.”

For SANS instructor Lee Neely, the flexible working risk can be split into two components: security of the connection and security of the environment.

“Users working from locations outside the corporation pose physical risks, as in theft of the device, unauthorised observation of the contents, and possibly non-employees having access to the device,” he said of the latter.

“Screen protectors, full disk encryption, and replacement of sleep mode with hibernate go a long way here, but still cannot protect an open system which is grabbed out of a user’s possession. Sandboxing with authentication to access corporate information in those areas can reduce the likelihood of access on a shared system, but you cannot get to zero risk.”

 

 

Some Best Practice Tips for Effective Cyber Incident Response

Posted: October 5, 2018 | Author: | Filed under: Uncategorized | Tags: , , , , , | Leave a comment

big dataI’ve been neglecting this blog a bit of late. That’s due in part to being overwhelmed with the sheer number of security breach stories and features to write up this summer. I can’t recall a time when there’s been so much going on, and such a great variety of incidents — apart from last year, and the year before …. and possibly the year before that.

It’s becoming something of a cliché to say “it’s not a case of ‘if’ but ‘when’ your organisation is successfully attacked” — but that doesn’t make it any less true. That puts even more pressure on firms to get incident response right. Succeed, and you could get away with little more than a slap on the wrist from the regulators — you may even find your organisation’s reputation enhanced. I asked the experts their views for an upcoming Infosecurity Magazine feature.

First and foremost, IR plans should be drawn up by an organisation-wide team, according to IISP board director, Chris Hodson.

“The IR team must be cross-functional and comprised of senior business stakeholders that understand the importance of the data, applications and infrastructure across their enterprise,” he told me.

“An effective plan must consider not only the nefarious, but also accidental and environmental events. In a world where technology and internet connectivity is baked into everything, safety has become a key consideration too — it’s no longer just considerations of ‘confidentiality, integrity and availability’ (CIA), we need to look at safety being of paramount importance.”

PwC’s US cybersecurity and privacy lead, Sean Joyce, was more prescriptive.

“The incident response plan (IRP) should include but not be limited to the following types of information: event and incident definitions; incident categories, descriptions, and criticality levels; escalation matrices; incident life cycle workflows; a listing of internal stakeholders and external partners with their roles and responsibilities; and reporting requirements,” he explained to me.

Certified SANS instructor, Mathias Fuchs, added much more to the list, including a communications plan, police liaison, mapping out of standard operating procedures, and how to deal with outsourcers like cloud providers.

“As message control is one of the key points in incident response, a predefined circle of trust that limits information flow to people not working on the case as well as to the outside world is key,” he added. “Particularly for publicly traded organisations, information about security incidents has to be treated with great caution as it usually does have an impact on the stock price once publicly available.”

My plan’s in place, now what?

Once you’ve got a plan drawn up, it’s essential to test it regularly, according to Joyce.

“Preparation is a key component to any incident response event. In our experience, organisations that take the time to develop and test their IRPs and playbooks are more prepared to respond and likely reduce the impact of an incident,” he argued.” Decisions that are made in the first 24 hours are extremely impactful in a positive or negative way.”

For Ian Glover, president of accreditation body CREST, it’s also vital to determine how ready the organisation is to respond to an incident, covering people, process and technology.

“CREST has developed a maturity model and free tool to enable assessment of the status of an organisation’s cybersecurity incident response capability on a scale of 1 (least effective) to 5 (most effective),” he told me. “The tool enables assessments to be made at either a summary or detailed level and has been developed in conjunction with a broad range of organisations, including industry bodies, consumer organisations, the UK government and suppliers of expert technical security services. It delivers an assessment against a maturity model based on the 15 steps within the three-phase Cyber Security Incident Response process.”

Lessons learned

Even the best laid plans can come apart when a cyber-attack actually strikes. But well-defined and practiced playbooks can help, said PwC’s Joyce.

“An organisation, in consultation with their external partners, should proceed forward with identifying any additional requirements related to preservation, investigation, containment, and longer-term remediation related actions. The results of the investigative work stream should be communicated in a defined/repeatable process that will directly support internal and external messaging related to the incident,” he explained.

“Depending on the incident, organisations should pre-plan their internal briefing requirements to the board and the frequency and detail of those updates. For external messaging, organisations should work with external partners such as counsel and PR organizations to begin drafting an appropriate hold statement as well as media release should notification be needed prior to the conclusion of the investigation.”

SANS’ Fuchs urged IR teams not to act too quickly, especially if they don’t yet know how the attacker got in.

“Find all ways the attacker might have into your network. Try to develop intelligence about the attacker as you investigate, that helps you when they come back. Figure out what they were looking for and what they have already exfiltrated,” he advised. “Conduct a full investigation and then execute the remediation plan on a weekend where you disconnect the whole organisation from the internet.”

Post IR processes are also vital in helping build long-term resilience.

“If they didn’t get what they were there for, they will return,” warned Fuchs. “Find better ways to detect them and avoid them getting back in the same way they did the first time.”

PwC’s Joyce recommended organisations conduct an IR “post-mortem”.

“The results of this may lead to revisions of the incident response plan, policies, procedures, and key reporting metrics; additional training for the board, executives, staff; and additional investments in technologies in the organisations efforts to mitigate risk and evolve with the constantly evolving cyber threat,” he concluded. “In addition, organisations can schedule table-top exercises to provide training opportunities for all key internal and external stakeholders whose support will be needed in response to an incident. Table-tops provide opportunities to evaluate an organisation’s incident response plan and to assess key components such as escalations, internal and external communications, and technical proficiency of the incident response team.”

Cybercrime-as-a-Service: Where Do We Go from Here?

Posted: July 17, 2018 | Author: | Filed under: Uncategorized | Tags: , , , , , , | Leave a comment

big dataToday the cybercrime economy is estimated to be worth anything from $600bn to over $1.5 trillion. “Estimated” is the key word here, because in many ways it’s impossible to know for certain just how much money is made off the back of fraud, data theft, ransomware, crypto-mining etc. But what we do know is that the “as-a-service” model is a key component, enabling unskilled criminals to cash in on the cyber-craze and get rich relatively quickly off the back of poor corporate security and fallible consumers.

For a recent feature I interviewed some experts to better understand the scale of the problem, and what hope there is of some kind of comeback for good guys.

The web of profit

One of the best recent reports into the cybercrime economy was the Bromium-sponsored Into the Web of Profit analysis by University of Surrey senior lecturer, Michael McGuire. He explained that the popularity of the cybercrime-as-a-service (CaaS) model boils down to the sheer range of opportunities it affords the criminal fraternity.

“If you accept cybercrime as a hi-tech crime then you need hi-tech tools and methods to facilitate it, and the CaaS model is opening this market up. There are many extremely well organised criminal groups that are developing these tools, and the everyday man on the street is able to make use of their work as a result,” he told me.

“Given the wide range of perpetrators that are looking to make use of some form of CaaS, there really aren’t many types of cybercrime activity where it doesn’t play a role. Everyone can now get hold of various types of attack and varying levels of sophistication. Of course, it isn’t just malware – we are seeing all sorts of CaaS that is helping money laundering and breaking into banks.”

SANS-certified instructor Matthew Toussain explained that CaaS has rapidly matured over the past 10 years.

“The service offerings originally began over a decade ago as Distributed Denial of Service-for-hire before growing into exploit kit rentals and now ransomware as a service. Now the model and process for attackers has settled into a highly mature state where iteration of process and method is no longer necessary for intrusion sets to maintain these services,” he told me.

“Often the differentiator today is which malicious ‘provider’ offers more features or lower prices. These systems are generally driven by a modern web interface. While transactions are generally handled in Bitcoin it is not uncommon to see PayPal used as a method of payment.

Hope for the future?

For those who believe that cybercrime is a relatively harmless form of criminal activity in the grand scheme of things, McGuire had some home truths. His report explained that cyber-criminals often re-invest their profits, not just into online activities but narcotics, human trafficking and more.

“Anything that furthers criminal activity, whether it is CaaS or more guns on the streets is bad for society, and CaaS is certainly doing just that,” he added. “CaaS is also growing the potential opportunity for crime – even people that don’t have a criminal background can now contribute towards cybercrime. It is raising the criminal threat to a level where organisations, and even nation states that can make use of these tools.”

So is there any hope of a fightback by governments, organisations and law enforcers? Not according to Toussain.

“Law enforcement is by its very nature reactive, and for many organisations this may already be too late. Moreover, law enforcement has failed to effectively combat existing threats and continues to allow these black-market services to grow into a burgeoning industry,” he said. “There are a host of difficulties including international and extradition restrictions imposed upon the law enforcement community that make it unlikely we will see a marked improvement in the short-term.”

In fact, many experts suggested that a bigger impact on the problem could be made if organisations just got better at cybersecurity, making themselves a harder target.

“Law enforcement tries to disrupt trust in the black markets. These are anonymous activities, so if people don’t trust the seller, the market goes away. But the are many, many markets,” said James Lewis, director of the technology and public policy program at thinktank the Center for Strategic and International Studies. “Better security is always good, and this includes basic hygiene and thinking about encryption and backup to manage ransomware risk.”

Bromium CEO, Gergory Webb unsurprisingly believes that security technology can play a part here, providing innovative solutions to help keep corporates safe.

“The platform criminality model is productising malware and making cybercrime as easy as shopping online. Not only is it easy to access cyber-criminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum,” he explained. “We can’t solve this problem using old thinking or outmoded technology. By focusing on new methods of cybersecurity that protect rather than detect, we believe we can make cybercrime a lot harder.”

However, responsibility lies not just with law enforcement, CISOs or the security industry, but also the online platforms like Facebook that are abused by cyber-criminals to steal personal data, spread malware, trade attack tools and techniques, launder money and more.

“In terms of industry, the reactive security posture that many firms adopt is not enough and must improve if we are to disrupt hackers’ revenue channels, whether that is software enabled or developing better security skills for staff members,” concluded McGuire.

“But the missing element of responsibility is what legitimate platforms themselves can do. They have to get organised with regards to cybercrime and step up to the plate with better measures and much more transparent data practices.”

As Washington Investigates Huawei, is it Time for US Tech CEOs to Get Nervous?

Posted: June 1, 2018 | Author: | Filed under: Uncategorized | Tags: , , , , , , , , | Leave a comment

huawei campus shenzhenHere’s a version of a piece I wrote for IDG Connect recently about the escalating tech trade war between the US and China. While Trump is blowing hot and cold on what to do with ZTE, an even  bigger potential problem is looming.

A full-on trade war between the United States and China just got another step closer after Washington opened an investigation into whether Huawei broke US sanctions on Iran. The Department of Justice (DoJ) has already slapped tariffs on $60bn worth of Chinese steel and aluminium, but this turn of events could have arguably more serious repercussions.

On the one hand it could cause panic in US tech boardrooms if China ends up banning sales of electronics components made in the Middle Kingdom. But in the longer term, this could accelerate China’s push towards self-sufficiency, locking out US firms like Qualcomm for good.

A seven-year ban?

The Justice Department investigation is said to have stemmed from a similar probe into whether Shenzhen rival ZTE broke US sanctions by exporting kit with American components in it to Iran. It was found guilty not only of breaking the sanctions, which resulted in an $892m fine, but of breaking the deal’s terms by failing to punish those involved. The resulting seven-year ban on US firms selling to ZTE will severely hamper its growth efforts, especially as it relies on chips and other components from the likes of Qualcomm and Micron Technology.

The probe of Huawei, which is said to have been ongoing since early 2017, could result in a similar punishment if the firm is found guilty of breaking sanctions. Washington has belatedly realised that the US is being supplanted by China as the world’s pre-eminent tech superpower and that has meant increasing roadblocks put in the way of the number one telecoms equipment maker and third-largest smartphone maker in the world. National security concerns have been used to keep Huawei down, first in 2012 when it and ZTE were de facto banned from the US telecoms infrastructure market after a damning congressional report, and more recently when AT&T and Verizon were lent on to drop plans to sell the latest Huawei smartphones, and Best Buy stopped selling its devices.

Like ZTE, Huawei could be severely restricted if it is hit with a US components ban. But is Washington shooting itself in the foot with this heavy-handed approach?

A global problem

First, China and its new leader-for-life Xi Jinping is more than ready and willing to fight back against what it sees as unfair trade practices by the Trump administration. It has already fired back with retaliatory tariffs on US food imports and will do so again if a mooted additional $100bn in tariffs from the US goes through. By the same rationale, could China respond to orders banning sales of US components, by banning the sale of China-made components to US tech firms?

Potentially, believes China-watcher Bill Bishop.

“The US-China technology war may run much hotter than the overall conflict over trade. Xi continues to make clear that China can no longer rely on foreign technology and must go all out to end its reliance on it,” he wrote in his popular Sinocism newsletter. “Technology CEOs the world over with supply chain dependencies in China — so probably all of them — should be increasingly nervous and focused on their firms’ efforts to have viable contingency plans for a US-China technology cold war.”

Beijing-based Forrester principal analyst, Charlie Dai, told me the potential for disruption to US supply chains could be “significant”.

“It’s hard to find effective contingency plans and the only way is to have everyone, especially the US government, to realise the importance of collaboration,” he added.

“In a world where the global supply chain and value ecosystem have already become critical drivers for the business growth of large countries like US and China, any further action like ZTE’s case will hurt the economic relationship between the US and China, which is the last thing that companies and customers want to see.”

Towards self-reliance

In the longer term, this could be the reminder Beijing needs that it must become self-reliant in technology to achieve its “rightful” place at the global number one superpower. This has been a goal of Xi’s for years. In fact, that’s what the controversial Made in China 2025 initiative is all about – reducing reliance on foreign suppliers.

“Heavy dependence on imported core technology is like building our house on top of someone else’s walls: no matter how big and how beautiful it is, it won’t remain standing during a storm,” Xi said as far back as 2016. The Chinese government has already set up a fund which aims to raise up to 200 billion yuan ($31.7bn) to back a range of domestic firms including processor designers and  equipment makers. But although chips are the number one target, China’s efforts to become self-sufficient in tech expand to other spheres. It has long been trying to nurture a home-grown rival to Windows, although efforts so far have not been hugely successful.

It’s not just Chinese firms the US must be wary of, according to James Lewis, SVP at the Center for Strategic and International Studies.

“The seven-year ban on US components will only encourage foreign suppliers to rush into the space vacated by US companies,” he said of the ZTE case. “It will reinforce the Chinese government’s desire to replace US suppliers with Chinese companies. And it will lead others to begin to make things they did not make before, causing permanent harm to the market share of US companies.”

One final word of warning to US tech CEOs: if China is looking to close the gap on technology capabilities, be prepared for a new deluge of cyber-espionage attempts focused on stealing IP. Innovation may be the first of Xi’s “five major concepts of development”, but that hasn’t stopped the nation pilfering in epic quantities in the past to gain parity with the West.

“It’s impossible for most countries, if not all, to be self-sufficient in all tech components,” claimed Forrester’s Dai. “One chip relates to many different hardware and software components. It requires continuous investments which are hard to realise in the short-term.”

That may be so, but bet against China at your peril. If any country has the resources and now the determination to do it, it’s the Middle Kingdom.

When Nations Attack: Are We Already in a Cyber-Cold War?

Posted: March 29, 2018 | Author: | Filed under: Uncategorized | Tags: , , , , , , , | Leave a comment

big dataNation state cyber attacks have never had a higher profile. The sheer volume and sophistication of threat activity today means reporting of incidents has flooded the mainstream media over the past few years. In another post I’ll asked several experts how they characterise the current threat, and the implications of the thorny attribution problem.

But that leaves us with a difficult question to answer: what happens next? Are we headed towards inevitable cyber-conflict?

Not according to former GCHQ deputy director of cyber, Brian Lord.

“It is highly unlikely for a fair time yet that cyber will be the only domain in which a full-blown conflict will occur, and for the foreseeable future will be complementary to traditional warfare not instead of,” argued Lord, now MD of cyber at PGIO. “But the road to conflict will have a very heavy cyber-dimension.”

Could the establishing of cyber-norms help prevent a major conflict in the future? Experts were sanguine about the prospect. Lord claimed the journey to such an end would be “very slow”.

“The abilities of international (and indeed national) legislation and treaties to keep pace with the speed of technological risks challenges (and opportunities) is, in todays’ world sadly lacking and those who want to sidestep outdated rules can easily find a way to do so,” he told me by email.

FireEye senior analyst, Fred Plant, claimed countries are already negotiating cyber-related issues on one-on-one, which could form the basis for wider agreements.

“However, ‘cyber-norms’ are still ultimately rooted in what states determine to be acceptable behavior among other states, and this can differ greatly from one country to another. Cyber-espionage activity against dissidents, for example, can be considered a natural extension of long-standing norms in many authoritarian states whereas Western countries consider such operations to be highly controversial and intertwined with domestic surveillance,” he added. “Serious incidents can occur when these disagreements collide. Conversely, escalations can also occur when rogue countries are already regularly violating international norms, as North Korea-sponsored actors have demonstrated.”

For SecureData head of security strategy, Charl van der Walt, the world’s superpowers are already “preparing the battlefield” via a “cyber-land grab” which involves compromising key machines, probing CNI for weaknesses and compromising supply chains whilst removing risk from their own. The effect of this is to slowly balkanise cyber-space, as smaller nations ally themselves with one side of the other and the world sinks into a protracted Cyber-Cold War, he claimed.

“Day by day, it seems as if the ‘global’ internet is slowly splintering along geopolitical lines. While this ‘cyber-balkanisation’ may have many fronts, it’s perhaps seen most clearly in the recently renewed focus by the US government on integrity in its supply chain, blocking foreign tech providers from competing for contracts in strategically important sectors. Foreign providers in this complex chain of inter-dependencies have been caught in the crossfire as collateral damage,” he told me.

“As we can expect that all cyber super powers are engaging in this activity this presents smaller or developing nation-states with a challenge. As recent history and basic logic clearly shows, for a nation-state that does not have the skill, finance or other resources required to secure and control the hardware and software it uses all the way from the up, it is effectively impossible to protect itself from the offensive operations of more capable nations. So the smaller nation is thus forced to choose the lesser of the evils: aligning itself with the cyber super power it distrusts the least and accepting that it can no longer engage the others for fear of being compromised.”

In the meantime, it’s likely that the escalation of nation state offensive activity will trickle down into the cybercrime underground – as evidenced most clearly in the NSA exploits used to spread WannaCry ransomware in 2017. For van der Walt, “government investment into offensive cyber capabilities is like air being blown into a balloon.”

“Everything offensive is getting bigger and badder and governments are producing an entire new generation of ‘cyber warriors’ with training, skills, experience and exposure that has never been seen before,” he concluded. “Eventually these people will leave military service (like all soldiers eventually do) and find their way into the civilian landscape in one form or another. Many will undoubtedly end up somewhere else in the Cyber Military Complex, but the rest of the world (including crime) will no doubt also be impacted by their experiences.”

← Older Entries
Newer Entries →