Cyber Security: What we’ve learned in 2017 to get ready for 2018

Well, it’s been a very interesting year with a few surprises along the way, but as expected, cyber crime grew, financial impact was huge and many companies struggled to recover.

Cyber attacks will be the biggest threat to every person and business on earth

Cyber security is quickly becoming part of everyone’s daily life and can no longer be separated into personal and work life. In the past cyber attacks were usually only a concern in the workplace, though today that is no longer the situation. Cyber attacks are more common now and affect everyone connected to the internet.

Cyber attacks are going to be the biggest threat to every person and business on earth and will be the trigger for future wars and political instability.

So, let’s look back on what happened in 2017 and examine the lessons we learned from it.

Ransomware or RansomScare?

Ransomware was, of course, going to be a big topic. But who could have foreseen the impact of WannaCry and NotPetya?  WannaCry hit the world on May 12th infecting more than 230,000 systems in over 150 countries, causing havoc in the UK’s National Health Service. WannaCry used the EternalBlue exploit that was part of the Vault7 leak from the U.S. National Security Agency (NSA) offensive tools.  The impact was huge. It caused many disruptions around the world and highlighted the importance of patching systems with security updates.

Was the lesson learned well? NO. Shortly after WannaCry we were introduced to NotPetya. NotPetya arrive in late June, this time escalating out of Ukraine and quickly cascading around the world, impacting system after system and causing havoc with energy companies, transportation, medical, power grid, bus stations, airports and banks.

The financial gain from both variants of ransomware was quite low with a combined total of approximately $150k compared to older variants like Zeus which claimed more than $100 million.

Follow the motive or follow the money either—either one will lead to the criminal

In my experience in digital forensics I have always followed two rules when analyzing a cyber crime, and that is: follow the motive or follow the money either—either one will lead to the criminal.

In both WannaCry and NotPetya it looks like the motive was not financial. The payload and financial portion of the crime was constructed by two different groups of cybercriminals.  When you look at the motives of cyber criminals who use ransomware you’ll usually find the following:

  1. Destruction – this means they do not care about the financial reward. They do it purely to cause disruption and fear.  Of course, cyber criminals may decide to take the financial takings provided the action is untraceable.
  1. Financial Motivation – they want as much financial reward as possible. And usually the ransom is a premium to get the data or access back.
  1. Cryptocurrency Manipulation – knowing that ransomware usually requires payment in the form of cryptocurrency, and that the value is derived from the number of wallets, they use ransomware to prompt a significant increase in value. The best way to get away with the crime is to make money legally.
  1. Disguising of the Real Motive – this is usually to hide the real crime. After committing a cyber crime they need to hide any traces, and what better way to do it than to cause disruption with ransomware? While the world is racing to regain security and reduce the impact, the cyber criminals have moved away from the real crime, hiding any trace of what happened. Create a disaster or catastrophe to cover your tracks.
  1. Misdirection – like disguising the real motive, this is usually used by ‘magicians’ to focus your eyes on something else. I believe we have seen examples of this in the recent nation state attacks in which they leave breadcrumbs that lead the investigators to focus their time on a specific country when in fact it was attributed to another.  This is quite common in cyber crime in the hope that time will prevent the true criminal from being found.

If this was your crime how would you have done it?

I will leave you to consider what the real purpose of recent ransomware threats has been, but remember it can also be a combination of motives, or involve multiple threat actors with different motives.  It is always important to step back and think: if this was your crime how would you have done it?  It’s crucial to be able to think and look at the world through the eyes a hacker or cyber criminal.

Hackers’ key take-ways from Black Hat and Defcon

At Black Hat and Defcon this year I had loads of discussions with my industry peers and took part in some interesting debates. One clear outcome from Black Hat is that traditional cyber security is no longer sufficient for keeping hackers out.  If you rely purely on Antivirus or Firewalls, then you are likely already compromised.

Hackers say traditional perimeter security like firewalls and antivirus is irrelevant or obsolete.  Hackers pointed out that both privileged accounts and email access is the quickest way of gaining access to sensitive data, so it’s important that with both privileged accounts and email you focus extra attention on protecting and securing access.

Big hacks just got bigger

Data breaches will happen.  Sometimes they do not impact you, and sometimes they impact everyone including you.  So, what big data breaches had significant impact to our way of life in a connected world?  Well, firstly, your email address is probably no longer private nor has limited exposure.

The Equifax breach impacted 143 million U.S. citizens

Huge database leaks like River City exposed 1.37 billion email addresses, ensuring you’ll get spammed more than ever before. The Equifax breach (Equifax is a U.S. credit checking company) impacted 143 million U.S. citizens resulting in the executives taking early retirement, and leaving 50% of U.S. citizens at risk from identity theft, financial fraud or further security risks in the future. Uber tried to conceal a massive breach from 2016, paying hackers to stay quiet and trust that they deleted the data.  And yes, finally Yahoo accepted the fact that their data breach affected all their users’ data.

What is clear from these data breaches is that no matter what size of company they are all victims of cyber crime. But what we learned from these hacks is that how you respond to a cyber incident is crucial to the overall impact and cost of a breach.

The big surprise, and what not to do in a cyber breach. Yes, do NOT blame the employees

The biggest surprise, for me, was the Equifax data breach and the events that followed the cyber incident.  With so many lessons to learn from over years of poorly managed cyber incidents, you’d think a company with the importance and influence that Equifax has would have learned from others.  But no. Instead they fell into a deep void and failed to demonstrate that big companies can handle cyber incidents properly.

With so many U.S. citizens being affected and the cost involved, the impact of this data breach will be seen for years to come as it will lead to many other incidents from identity theft to financial fraud. It will also impact other online services as the data compromised is typically the security controls for those services.

A breach often gets blamed, and wrongly so, on a single employee

In addition to the mishandling of the breach we often find that it gets blamed on a single employee. This is unfortunate and occurs because so many IT departments have a Champagne cyber issue with a beer budget, and the employee is simply a victim of an inadequate cyber security system.

Of course, congress got your back after these data breaches, or did they?

The next surprise was when congress then made it difficult for consumers to sue banks putting Equifax in a win-win situation after not protecting U.S. Citizens’ sensitive data.  This was conveniently hidden behind all the other headline news in recent months.

In the wake of this—one of the worst cyber events in the history of the U.S. —and with the Equifax hack resulting in 143 million U.S. citizens having their personal details exposed, and with their increased risk of future cyber-attacks, identity theft and the financial impact that came with it, many Americans had to pay, yes they had to pay, to have their credit frozen to reduce the risk of further exposure.

Just a few weeks after this significant event which also affected hundreds of thousands of citizens in other countries, we saw the U.K. FCA (Financial Conduct Authority) launch an investigation into Equifax, which could ultimately see Equifax lose it ability to operate in the U.K.

This could go on to be the biggest breach in U.S. history

This could result in major law suits from consumers in the U.S., and could go on to be the biggest in U.S. history due to the unknown impact it may have in the future.  So you would think that the U.S. senate would want to investigate and strengthen cyber security laws to protect U.S. citizens from companies not doing enough to secure the critical data that keeps them safe from cyber attacks. Well, not exactly. It is the complete reverse. The U.S. senate voted to make it more difficult for a U.S. citizen to sue a financial institution like Equifax, thereby allowing those companies to continue to get away with not prioritizing the cyber security of their customers.  This does not strengthen the U.S.’s position in  security against cyber attacks but instead significantly weakens it by leaving citizens exposed and financial companies not accountable for cyber incidents that result in the citizens being the victim.

Compliance is going to get tougher and penalties bigger

Of course, sometimes you just should ask yourself “Why?”  Why do some companies respond to such incidents in this way? Why did Uber reveal the major cyber breach which they initially went out of the way to conceal?  Well the answer is money of course, and a bit of reputation here and there with a tiny bit of a fresh start with a new CEO on board.  So, new regulations are getting tougher on cyber crimes and major data breaches.

Now is probably a good time to disclose your data breach fast– here is why

 Uber has finally disclosed that it experienced a cyber breach in 2016 where the personal details of both drivers and customers were hacked by cyber criminals, and in which they paid a small ransom to have the data apparently destroyed. Of course we believe that, right?  Another data breach, another CSO gets the axe and departs for mishandling a major data breach incident—it’s  a common trend.

Uber concealed the data breach increasing the cyber risk of both drivers and customers

The big news here is that Uber concealed the data breach increasing the cyber risk of both drivers and customers, and losing trust from investors and governments.  The mishandling of credentials for an Amazon Web Services account was apparently behind the data breach which shows that companies really need to adhere to the industry recommendations on securing and protecting privileged credentials.  Failing to protect privileged credentials can lead to major cyber incidents, and how you manage your privileged accounts can be the difference between a simple perimeter breach and a cyber catastrophe. Poor privileged access management has been a major industry problem that needs to be addressed, and the Uber incident is just another example of a company not managing access and securing the keys to the kingdom.

It is reported that around 80% of data breaches are a result of stolen or compromised privileged credentials, and privileged credentials security is a must for many industry regulations. So not protecting them exposes companies to compliance failure as well as data breaches like we saw with Uber.  This data breach also demonstrates the importance of incident handling as a major part of a company’s cyber security policy, and doing it right can change the outcome of many cyber incidents. Do not wait until it is too late to get your incident response plan in place.

During the time since this data breach occurred we have seen the former CEO, Kalanick, replaced with the current CEO, Khosrowshahi. Disclosure of this data breach provides Mr. Khosrowshahi a chance to set things straight and change the perception of the company after the many scandals that have dogged Uber for the past few years, casting a cloud over the company.

But why now, and why should you avoid Uber’s poor example and disclose breaches ASAP?  Well, you may or may not know about the upcoming EU General Data Protection Regulation (GDPR) which is coming into enforcement in May 2018. It applies huge financial penalties for failure to disclose data breaches and follows a strict 72-hour breach notification to authorities in the countries impacted.

You are accountable and responsible for all the information you collect

The EU GDPR replaces the European General Data Protection Directive from 1995 and provides the foundation for taking responsibility and being accountable when it comes to dealing with European citizens’ private data.  This means you are accountable and responsible for all the information you collect. The more information you gather, the more data you must account for, and therefore the more data you are responsible for. If a data breach occurs and it is found that adequate security measures were not in place, there are significant penalties and fines: 20 million Euros or 4% of annual turnover.  So, in my rough calculation, if we use Uber’s gross bookings from 2016 of 20 Billion USD, then Uber in a post-May 2018 GDPR could face possible financial penalties of 800 Million USD, which of course would be much higher than they would be facing by disclosing the data breach today.

So are you hiding a major data breach like Uber? If so you might want to disclose it immediately. Perhaps you have not found the data breach yet.  Then get looking immediately before it’s too late and your entire business is at risk.  I suspect many companies who provide services to EU Citizens will need to think hard about keeping major data breaches a secret and face a higher financial post-May 2018, so we may see more companies like Uber face the reality that now is a good time to air your dirty laundry and survive the tougher cyber regulations looming in the near future.

So, with these examples and lessons learned from 2017, what do we face in 2018 and what should you be prepared for?

Here are some of my predictions for 2018. Are you ready?

  1. Privacy is gone but not forgotten – will it ever be reversible?

The end of privacy as we know it is closer than you may think.  Privacy definitions are very different between nation states and cultures, though one thing they have in common is that privacy is becoming less and less an option for most citizens.  In public almost everyone is being watched and monitored 24*7 with thousands of cameras using your expressions, fashion, walk, directions, interactions and speech to determine what you need, what you might be thinking, who you are going to meet, and who is nearby. Algorithms even determine what you next action might be.  All of this is to help provide a custom experience that’s unique to everyone, as well as predict and prevent security threats.  The term “if you have nothing to hide you have nothing to fear” is becoming reality, and privacy will continue to disappear in 2018.

  1. Fake news will become the next major disruption

We have all heard about fake news but sometimes struggle to grasp the extent of it. The next generation is no longer getting the news and latest updates from printed papers. Instead they are moving online to social media to get the latest trends and information.  With almost all news shared on social media being fake it is left up to the person reading it to determine whether the information is true or not. This makes the world a very unpredictable place moving forward.  With no indicators on the source or truth of the news on social media, many countries, democracies and nation states will struggle with transparency and could become politically unstable.  It only takes one fake news item within a trustworthy source to devalue the entire news feed, forcing us to question what is real.  Fake news is a form of cyber attack and will grow significantly.

  1. Ransomware will evolve to cross platform and payments will be single-click

Yes, ransomware is going to be platform-agnostic and will be able to lock people out of any device or system. The financial payment for ransomware is going to evolve so that it will be as easy as clicking once to pay the ransom.  It will target time-sensitive systems and events, so watch out World Cup next year because, as always, cyber crime will look for major events to trick and take advantage of people wanting to get access to their favorite sport or concerts.  RansomScare will become the next threat which will present life or death situations unless a ransom is paid.  Ransomware will only increase, and with it of course, the value of bitcoin.

  1. Identity theft and stolen credentials and passwords will continue unabated

Cyber Criminals and hackers will continue to pursue identity theft and credentials theft in 2018.  With more than 4.5 billion identities stolen in 2016—more than everyone using the internet—identities will continue to be a target because the more cyber criminals know the more they can influence us.  Identity theft has increased in record numbers in recent years and has been the primary focus of many cyber criminals. It’s much easier to steal a trusted insider’s credentials and bypass traditional cyber security controls than it is to break through the firewall.

 

  1. Blockchain will become an important cyber security control

Most people are familiar with blockchain being the building blocks for cryptocurrencies and transactions, though many are not familiar with its ability to provide non-repudiation or data integrity when related to cyber security.  Blockchain was used heavily in the early digital systems within Estonia, primarily to ensure history could not be re-written, and this mind-set can be repeated in security when it comes to the integrity of systems and data.  Blockchain can be used for multiple different attributes from ensuring data is not poisoned, in digital forensics to ensure chain of custody does not manipulate the data, and for security log integrity.

Blockchain is an ever-increasing trend in cyber security.  Blockchain will be more important in cyber security than just finance or cryptocurrencies which it is more commonly known for today. Blockchain will be a vital technology to ensure the veracity and accuracy of data as it flows through the internet, guaranteeing data has not been corrupted or poisoned during the transfer, and making data integrity in critical supply chains possible.  Blockchain will be used for identities, online transactions, data transfers, health records and more, including replacing passports.

  1. Behaviour Analysis and Reputation will keep trust

Behaviour Analysis and Reputation will become a normal part of validating trusted users of a network.  Rather than behavioural measurements like pressure or typing speed, behaviour analysis and reputation will be more based on our normal working predictions. For example, employees are predictable in the locations they work from, the systems they use and the browsers or sequence in which applications and websites they open.

  1. Cyber hygiene and education and continuously make for better cyber awareness

Almost all companies will increase the priority of cyber hygiene and start rolling out cyber awareness and cyber hygiene projects within their organizations.

People are the greatest risk of cyber incident but can also be the strongest defense

As cyber criminals target employees’ personal and company accounts the best defense and quickest win for organizations is to educate the employee on how to detect cyber threats.  People are the greatest risk of cyber incident but can also be the strongest defense. What is true is that people are on the front-line of cyber attacks, and a well informed and educated front-line can mean the difference between being safe or being a victim.

  1. Governments and encryption will come head to head

It’s clear that governments hate not being able to spy on people, and encryption is making it more difficult for governments to gather intelligence about other nations’, foe or allies’ activities, either for political advantage, economic advantage or espionage.  What’s surprising is that, while this was typically for intelligence on other nation states, it has become more common practice for nation states monitoring their own citizens as disclosed by Edward Snowden.  With more people using VPN and encryption or messaging apps that have end-to-end encryption we are going to see a head to head battle between governments and technology, especially when it relates to security and terrorism.

  1. Humans will be connected directly to the internet

Humans are already almost entirely connected to the internet.  With fashion and technology becoming intertwined and internet experience becoming personalized (just like when our work and personal life separation disappeared) the next generation will only know of life continuously connected to the internet. And I mean they will really be connected, not through a device.  With Augmented Reality and Virtual Reality, we are going to be trying to determine which world we are in, as in the Matrix—would you swallow the blue or the red pill?

Conclusion

What is clear is that cyber security is more important now than any time in history, with cybercrime quickly overtaking traditional crime in almost every country globally.

Technology alone can’t protect your identity or sensitive information. Hackers and other threat actors target human beings, seeking ways to trick them into giving up vital information unknowingly. They do this because it’s the easiest way to get at valuable data in a process known as social engineering. So, it’s not surprising that exploited humans are the weakest link in the cyber security chain, and simultaneoulsy the best hope for preventing a cyber security disaster.

We need to get the balance between people and technology right. We have too much complexity in the cyber security industry. It’s important that we make cyber security simple and easier to use with less complexity.  The future of cyber security lies in making it simple.


If you’d like to know how to protect your organization from a cyber breach, our white paper, The Anatomy of a Privileged Account Hack, details the process hackers use to breach the traditional cyber security perimeters of organizations, from SMBs to the enterprise. Download it for free. It’s an easy read and it’s loaded with examples and eye-popping information.

What makes IAM, PIM, PAM and the other acronyms so confusing?

Get the answers—and check out our interactive ACRONYM DICTIONARY

 

This is a Security Bloggers Network syndicated blog post authored by Joseph Carson. Read the original post at: Thycotic