Perspectives

Cyber 101

Develop a view on Cyber

Learn with us as our 8-part Cyber Edu-series brings you a snippet about the facets of cyber every month. Issues will cover the latest topics and get you acquainted with cyber in an instant.

How can you triumph over cyber challenges today? Cyber attackers are just getting started and no businesses are immune. Keep a lookout on this page for the latest part every month.

Subscribe in the form on your right to receive an exclusive e-book combining all 8 parts of the series and a bonus infographic at the end of this series in December.


November 2017 Part 6

Cyber Risks Troubling Organisations


One of the most severe cyber risks that organisations continue to face is the data breach. A data breach is an incident where information is stolen or taken from a system without the knowledge or authorisation of the system’s owner.
 

What are some impacts of a data breach?

  • Loss of sensitive, proprietary, or confidential information
  • Damage to an organisation’s reputation
  • Financial losses
  • Customers’ loss of trust in the organisation

 

What are some common breach methods?

Insider Leaks

  • A trusted individual or person of authority with access privileges steals data from an organisation. E.g. some employees are willing to sell this data for personal profit

See story: http://www.businessinsider.sg/iphone-8-iphone-x-ios-11-leaks-inside-job-2017-9/?r=US&IR=T

 

Unintended Disclosure

  • Sensitive data is exposed through mistakes or negligence, mostly by insiders. E.g. more than 50% of security breaches are due to human error caused by failure to follow the organisation’s policies

See story: https://www.insuretrust.com/employee-mistakes-a-big-source-of-data-breaches/

 

Payment Card Fraud

  • Payment card information is stolen using physical skimming devices or phishing of personal information. E.g. cyber thieves can use a stolen credit card to buy items online

See story: https://pocketsense.com/causes-credit-card-fraud-5798165.html

 

Cyber Espionage

  • Cyber espionage describes the stealing of confidential information stored in digital formats or on computers and IT networks. It is similar to a high-tech form of spying

See story: https://medium.com/threat-intel/cyber-espionage-spying-409416c794ec

 

Why are data breaches a significant risk?

  • Data breaches are no longer a binary proposition where an organisation either has or has not been breached
  • They are wildly variable, from breaches compromising entire global networks of highly sensitive data to others having little to no impact
  • According to the Ponemon Institute’s “2017 Cost of Data Breach Study: Global Overview,” the odds are as high as 1 in 4

 

Technology is meant to enhance and improve both the business and consumer aspects of our era. Unfortunately, technology carries risks and opens us up to vulnerabilities in the cyber world. To combat cyber attacks, a cyber security maturity framework is recommended. This is a set of standards and best practices from industry, professional or international bodies which provides a logical structure for organisations to benchmark their current cyber capabilities.

A cyber security maturity framework is helpful for an organisation looking to strengthen its security, vigilance and resilience against cyber threats, depending on its objectives and cyber-related risks.

There are a number of cyber security maturity frameworks available and, while the approach may differ for each framework, organisations will be able to achieve their desired maturity level with any framework.


October 2017 Part 5

Shortage of Cybersecurity Talents


According to estimates by the Center for Strategic and International Studies, cybercrime costs the global economy US$400 billion per year. With the escalating awareness and prominence of security breaches, securing physical and digital assets for the purpose of confidentiality, integrity and availability is a priority for every organisation. With the vital role cyber security professionals play in the business ecosystem, market demand for cyber security professionals is outpacing supply.

 

What are their roles and responsibilities?

  • Developing and designing enterprise security architecture
  • Monitoring and identifying threats in enterprise architecture
  • Conducting regular security assessment

 

Why are they important to organisations?

  • Most organisations face challenges in interpreting the detection or mitigation of cyber security threats
  • They develop and implement overarching processes

 

Why is there a shortage? 

  • As the skills of cyber attackers advance, cyber security professionals are more equipped than an IT professional to understand the tactics, techniques and procedures
  • Schools are still graduating cybersecurity majors and that means a lack of experience and exposure to realistic cyber attacks

 

What can you do?

  • Re-examine workforce strategies and improve recruitment outreach
  • Have a robust support program for new hires
  • Prioritise skills, knowledge, and willingness to learn when recruiting
  • Build a local cybersecurity ecosystem
  • Develop a strong culture of risk awareness

August 2017 Part 4

Anatomy of a Cyber Attacker


Cyber criminals are as diverse as their real-world counterparts. In the last five years, there have been cyber attacks targeted at all sorts of organisations. These criminal activities include breaking into private networks, stealing data and installing ransomware, etc. Every individual is responsible for an organisation’s cyber security and it is vital that you know your enemies and implement effective cyber security measures.

3 Types of Cyber Attackers

1. White Hats

2. Black Hats

  • Black Hats are criminals who use their abilities to plunder individuals or organisations. They explore or develop software deficiencies and attack methods or other malicious tools to break into machines and steal data, such as passwords, email, intellectual property, credit card numbers or bank account credentials.
    Source: http://www.wonderslist.com/top-10-black-hat-hackers/

3. Grey Hats

  • Grey Hats fall into the middle ground between the White and Black Hat categories. Often, Grey Hat hackers look to expose vulnerabilities in a system to inform an organisation of the defect or share it with a group of people. Although these hackers are not usually motivated by personal gain, their actions may be considered illegal or unethical.
    Source: http://www.bbc.com/news/technology-28524909

 

Key takeaways

Two factors that determine the type of hacker:

  1. What are their intentions?
  2. Are their intentions law-breaking?


Four primary motivators:

  1. Financial Gain
  2. Ideology or Politics
  3. Entertainment
  4. Cyber Protection
     

Not all hackers have malicious intent. Hacking can be used for good and evil; it boils down to the hacker’s intent. In mainstream media, the term “hacker” is usually related to cyber criminals. A hacker could be anyone regardless of intentions or methods. Hacking is not an illegal activity unless the hacker’s actions compromise a system without the owner’s permission.


July 2017 Part 3

Anatomy of a Cyber Attack


One of the most important concepts a cyber security professional needs to know is the Cyber Kill Chain. The Cyber Kill Chain is a seven-stage model that illustrates how cyber criminals reach their victims and target a system’s vulnerabilities.

7 Stages of the Cyber Kill Chain

1. Reconnaissance

  • The attacker gathers information on the target before launching an attack. They usually look for publicly available information on the Internet.

2. Weaponization

  • The attacker uses an exploit and creates a malicious payload to send to the victim, without actual contact with them.

3. Delivery

  • The attacker sends the malicious payload to the victim by email or through other means; email is only one of the numerous intrusion methods the attacker can use.

4. Exploitation

  • The actual exploitation only takes place when the attacker uses an exploit.

5. Installation

  • Installing malware on the infected computer is only relevant if the attacker used malware as part of the attack.

6. Command and Control

  • The attacker creates a command and control channel to continue operating his internal assets remotely.

7. Actions

  • The attacker performs these steps to achieve his actual goals inside the victim’s network.

 

Key takeaways

Knowing and understanding the “7 Steps of The Cyber Kill Chain” enables organisations to trace the movements of an attacker and take the necessary security precautions to prevent such attacks from happening.

However, over-focus on this area can also be detrimental to network security. A persistent, highly determined and skilled attacker will always find a way into the network. Thus, rather than only analysing old malware, organisations should also focus on detecting ongoing attacks before the damage is done.

July 2017 Part 3: 7 Stages of Cyber Kill Chain


June 2017 Part 2

What are your risks?

Cyber Theft

  • Online payment systems may not guarantee the safety of your money – $81M stolen from central bank of Bangladesh in 2016 cyber heist
  • Drugs, information and your credit card data – Take your pick in the online black markets
     

Identity Theft

  • Is your child’s identity at risk? – Young mum experiences ‘digital kidnapping’

Cyber Bullying

  • Cyber bullying can kill - How it can lead to suicide
     

Ransomware

  • Your data and devices could be held hostage – Find out the anatomy of a ransomware
     

How is your data retrieved?

Social Engineering Attacks

  • Baiting – Watch what happens when you plug a foreign device into your computer
  • Phishing – Personal details targeted in phishing emails that appear as Google Docs
  • Pretexting – Your board director can be an impersonator to get your phone records (Hewlett-Packard incident)
  • Read more on social engineering fraud


Oversharing

  • Social media alone can help cyber criminals know you better – 30% of internet users vulnerable to attacks
  • Google tracks you by what you share – Here’s how to stop it
  • Think before you post – When it can cost you your job
     

What can you do?

  • Be discreet about your privacy settings and ‘check-ins’
  • Be sure you know who people are before accepting connections
  • Be wary about messages from unfamiliar emails
June 2017 Part 2: Your Biggest Risk Could Be You


May 2017 Part I

Hunting in the Cyberspace

You may have read the recent news about one of the largest cyber attacks, the WannaCry ransomware. This incident is a wake-up call to all organisations alike, requiring global responsibility and attention to prevent future episodes. We hope to shed light on the fundamentals of cyber security with this 8-part Edu-series to help you understand and protect your data.

Cyber attacks, unlike physical warfare, transcend national borders by compromising computer systems and networks. In this interconnected digital sphere, they threaten the very infrastructures that nations and corporations depend on. Data theft, manipulation of networks and disabling online platforms have amounted to considerable repercussions.

Undeniably, major cyber infringements demonstrate the vulnerability of all organisations’ systems. The growing trend of political cyber attacks has formed a new field of spying: cyber espionage. Superpowers have engaged cyber software such as Stuxnet, Flame and DuQu in an attempt to monitor, collect from and control their targets. Subscribe for more information!
