Develop a view on Cyber
Learn with us as our Cyber Edu-series brings you a snippet about the facets of Cyber. Issues will cover the latest topics and get you acquainted with cyber in an instant.
How can you triumph over cyber challenges today? Cyber attackers are just getting started and no businesses are immune. Keep a lookout on this page for the latest part bi-monthly.
July 2020: Part 12
Understanding the Internet of Things
What is the Internet of Things?
The Internet of Things (IoT) is the concept of connecting any device with an on/off switch to the Internet and to other connected devices. It is a giant network of connected things and people – all of which collect and share data about the way they are used and about the environment around them.
This includes an extraordinary number of objects, including smartphones, smart home appliances such as smart fridges, self-driving cars, wearable fitness devices, and more.
Key benefits of the IoT
This interconnectedness has brought about immense benefits to consumers in terms of productivity, convenience, time and cost savings, and a greater quality of life.
These benefits are a result of three key factors enabled by IoT:
1. Remote monitoring
Users can access data and information easily, remotely, and in real time, reducing the need to make physical trips. For example, knowing that you are low on milk or printer ink could save you another trip to the store in the near future. Furthermore, monitoring the expiration of products can and will improve safety.
2. Automation and control
Because physical objects are connected and controlled digitally and centrally over wireless infrastructure, much of their operation can be automated. Without human intervention, the machines are able to communicate with each other and manage everyday tasks.
3. Predictive Analysis
With IoT, users can know things in advance. For example, in healthcare, smart sensors can analyse health conditions and lifestyle choices and recommend preventative measures to reduce disease occurrences. In agriculture or farming, a wide variety of sensors measuring temperature, water and nutrient levels, and light intensity can provide a detailed analysis of conditions for best crop yield.
Security challenges in the IoT
According to a forecast by Business Insider, there will be over 64 billion IoT devices by 2025.
Despite these trends, there are still a few key IoT security challenges to be addressed in order for us to fully harness the potential of IoT.
Challenges for the future of IoT:
1. Outdated hardware or software
A majority of IoT devices do not get the appropriate updates, and some of them may never get a single update. This means that these products are secure at the time of purchase but become vulnerable to attacks over time when hackers exploit a security vulnerability. When these issues are not fixed through regular updates to the hardware and software, the devices remain vulnerable to attacks.
2. Use of weak and default credentials
Many IoT companies sell devices and provide default credentials with them – like an admin username – which are easy to find and are often used by hackers to carry out brute-force attacks to attempt to compromise these devices. If successful, hackers can use them for nefarious purposes like using the processing power of these devices in another botnet.
3. Malware and ransomware
The rapid rise in the development of IoT products makes cyberattack permutations unpredictable. Cybercriminals have become very advanced today, and are able to lock consumers out of their own devices. These devices and the IoT network could be infected with malware or ransomware by the attackers.
4. Data security and privacy
Data is constantly being harnessed, transmitted, stored and processed by large companies using a wide array of IoT devices, such as smart TVs, speakers and lighting systems, and connected printers. With increased interconnectedness, data protection has become more difficult as it gets transferred between multiple devices within a few seconds. Not all devices through which data is being transmitted or received are secure, which can lead to a data leak. Also, some of the data could contain personal information or preferences and would raise privacy issues if leaked.
How to protect your IoT devices?
IoT can bring a lot of convenience to our lives. To guard against potential threats, it is very important to secure the IoT devices in your smart home to prevent cyber attacks.
Here are 8 ways to help secure your smart home:
1. Change default usernames and passwords
Cybercriminals probably already know the default passwords that come with many IoT products. Choose devices that allow you to change the default password.
2. Use strong, unique passwords for Wi-Fi networks and device accounts
Use unique, complex passwords made up of letters, numbers, and symbols. Avoid common words or passwords that are easy to guess. Use a strong encryption method (such as WPA2) when you set up Wi-Fi network access to keep your network secure.
3. Disable features you may not need
IoT devices come with a variety of services such as remote access, often enabled by default. If you do not need it, be sure to disable it.
4. Keep your software up to date
Do not put off installing software updates, as an update might be a patch for a security flaw.
5. Use two-factor authentication
Two-factor authentication (2FA) — such as a one-time code sent to your mobile phone — can keep hackers out of your accounts. If your smart-device app offers 2FA, use it.
6. Set up a guest network
Keep your Wi-Fi account private. Visitors, friends and relatives can log into a separate network that does not tie into your IoT devices.
7. Ensure physical security
As far as possible, make sure that the IoT devices are kept in a secure location where an attacker cannot simply walk up and tamper with them. If a device such as a CCTV camera supports tampering alarms, make sure to enable this feature.
IBM. (November 2016). What is the Internet of Things? Retrieved from: https://www.ibm.com/blogs/internet-of-things/what-is-the-iot/
LinkedIn. (February 2017). The advantages and disadvantages of Internet Of Things (IoT). Retrieved from: https://www.linkedin.com/pulse/advantages-disadvantages-internet-things-iot-tommy-quek/
IoT for all. (March 2020). Advantages and Disadvantages of Implementing IoT in Healthcare. Retrieved from: https://www.iotforall.com/iot-healthcare-advantages-disadvantages/
Readwrite. (September 2019). 9 Main Security Challenges for the Future of the Internet Of Things (IoT). Retrieved from: https://readwrite.com/2019/09/05/9-main-security-challenges-for-the-future-of-the-internet-of-things-iot/
Peerbits. (n.d.). 10 Biggest security challenges for IoT. Retrieved from: https://www.peerbits.com/blog/biggest-iot-security-challenges.html
Cloudflare. (December 2017). Inside the infamous Mirai IoT Botnet: A Retrospective Analysis. Retrieved from: https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/
ZDNet. (May 2018). Mirai DDoS attack against KrebsOnSecurity cost device owners $300,000. Retrieved from: https://www.zdnet.com/article/mirai-botnet-attack-against-krebsonsecurity-cost-device-owners-300000/
Ars Technica. (September 2016). Record-breaking DDoS reportedly delivered by >145k hacked cameras. Retrieved from: https://arstechnica.com/information-technology/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/
Techcrunch. (October 2016). Large DDoS attacks cause outages at Twitter, Spotify, and other sites. Retrieved from: https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/
Techcrunch. (January 2018). After breach exposing millions of parents and kids, toymaker VTech handed a $650K fine by FTC. Retrieved from: https://techcrunch.com/2018/01/08/after-breach-exposing-millions-of-parents-and-kids-toymaker-vtech-handed-a-650k-fine-by-ftc/
Threat Post. (November 2019). Amazon Fixes Ring Video Doorbell Flaw That Leaked Wi-Fi Credentials. Retrieved from: https://threatpost.com/amazon-fixes-ring-video-doorbell-flaw-that-leaked-wi-fi-credentials/150029/
Threat Post. (April 2019). 2 Million IoT Devices Vulnerable to Complete Takeover. Retrieved from: https://threatpost.com/iot-devices-vulnerable-takeover/144167/
Norton. (n.d.). 12 tips to help secure your smart home and IoT devices. Retrieved from: https://us.norton.com/internetsecurity-iot-smart-home-security-core.html
March 2020 Part 11
An introduction to privileged access management
What is privileged access management?
In a recent report by Gartner, privileged access management (PAM) has been named the top cyber security priority for organisations. In today’s hyper-connected world where cyber-attacks are rampant, traditional security measures are no longer sufficient and effective on their own to prevent costly data breaches.
In cyber security, ‘privileged access’ encompasses access to critical systems – computers, networks and network devices, software applications and other digital assets. PAM is thus the combination of tools and technology used to secure, control and monitor access to an organisation’s critical information and resources.
Privileged access is the most common target for hackers, as it leads to the most valuable information. To build a robust and strong frontline of security, traditional security measures such as firewalls, virtual private networks (VPNs), access controls and email gateways need to be combined with PAM for an effective defence against attackers.
Key components of PAM
While PAM solutions vary in their design, most of them consist of these three components:
- Access Manager – A single portal that allows security teams to manage all employee access. Through this portal, a privileged user can request access while administrators can disable a privileged user’s access.
- Session Manager – Enables real-time monitoring of all privileged user actions to prevent and detect suspicious activity. It tracks and creates an audit trail of actions taken during a privileged account session.
- Password Manager – A centralised and encrypted vault that helps with controlling passwords and enforcing password policies, such as regular rotation and revocation of passwords.
Why do organisations need PAM?
As covered in our previous Cyber 101 issue on phishing, the average cost of a cyber-attack globally is USD3.92 million. With six in every ten businesses having experienced a data breach from 2016 to 2019, organisations who prioritise PAM have a tremendous competitive advantage over their peers. PAM helps organisations ensure continuous operations that can withstand the threat of cyber-attacks.
- 74% of data breaches start with privileged credential abuse
- 18% of healthcare employees would sell confidential data for as little as USD500 to USD1000
- 24% of employees know of someone who has sold privileged credentials to outsiders
Besides, PAM provides the following benefits to organisations:
- Powerful security solution
PAM is a powerful security solution that can be used to improve insights into vulnerability assessments, IT network inventory scanning and identity governance, among other things. This enhancement of cyber security serves as a deterrence to many cyber criminals.
- Saves time and money
Most cyber security solutions only reduce risk but bring no additional business value. However, employing the right PAM solution can increase productivity by giving employees access to systems and applications faster and more securely. This enables CISOs to get more done with the same budget.
- Fast track to compliance
With strong security control recommendations, PAM develops a good baseline of policies that can help to fast-track your compliance standards to align with industry and government regulations.
- Quick recovery from cyber-attacks
A PAM solution enables you to quickly audit privileged accounts that have been used recently, identify passwords that have been changed, and determine which applications have been executed.
Netprotocol. (January 2019). Gartner: Privileged Access Management is the #1 Cyber Security Priority. Retrieved from: https://www.netprotocol.net/gartner-privileged-access-management-is-the-1-cyber-security-priority/
Wallix. (6 February 2019). Privileged Access Management Features | PAM Features. Retrieved from: http://blog.wallix.com/privileged-access-management-features-pam-features
TechRadar. (1 October 2019). Data breaches hitting more companies than ever. Retrieved from: https://www.techradar.com/news/data-breaches-hitting-more-companies-than-ever
Centrify. (n.d.). SURVEY: Privileged Access Management in the Modern Threatscape. Retrieved from: https://www.centrify.com/resources/centrify-privileged-access-management-in-the-modern-threatscape-2019/
Accenture. (1 March 2018). One in Five Health Employees Willing to Sell Confidential Data to Unauthorized Parties, Accenture Survey Finds. Retrieved from: https://newsroom.accenture.com/news/one-in-five-health-employees-willing-to-sell-confidential-data-to-unauthorized-parties-accenture-survey-finds.htm
December 2019 Part 10
Understanding phishing techniques
What is phishing?
Phishing is a type of social engineering attack often used to steal user data, including login credentials, bank account numbers and credit card numbers. This occurs when an attacker pretends to be a trusted entity to dupe a victim into clicking a malicious link, which can lead to the installation of malware, freezing of the system as part of a ransomware attack, or revealing of sensitive information.
Phishing is one of the oldest types of cyberattacks, dating back to the 1990s. Despite having been around for decades, it is still one of the most widespread and damaging cyberattacks.
What are the consequences of phishing?
Two common consequences of phishing are:
1. Financial loss
Phishing can lead to devastating financial losses for individuals as well as businesses.
For an individual, if a hacker manages to access sensitive bank account information, personal funds and investments are at risk of being stolen.
For businesses, financial losses can extend to regulatory fines and remediation costs. Phishing is the most prevalent and damaging cyber threat facing businesses, as exemplified by the figures below:
- The average total cost of a data breach is US$3.92 million
- 90% of data breaches are caused by phishing
- 76% of businesses reported being a victim of a phishing attack in 2018
- 30% of phishing messages get opened by targeted users
- Business email compromise scams account for US$12 billion of losses in 2018
2. Data loss and reputational damage
Phishing attacks often attempt to access more than just money from companies and individuals. Instead, they attempt to steal something much more valuable – data.
When phishing attacks successfully trigger data breaches, phishers can also cause damage to individuals’ reputation by:
• Using the victim’s credentials for illegal activities or to blackmail the victim’s contacts
• Publishing the victim’s personal information to embarrass them
• Impersonating the victim to send out fake emails or malicious posts
For businesses, phishing can also lead to data breaches that will impact consumer trust.
In Deloitte’s GDPR Benchmark Survey, out of 1,650 consumers who were surveyed:
- 25% would trust an organisation less if its data was compromised
- 59% would be less likely to buy from a company involved in a data breach
As phishing attacks get more convincing and sophisticated, it is important to become educated and well-informed in spotting the common techniques employed in such scams.
The Cyber Security Agency of Singapore (CSA) has provided a few tell-tale signs of a phishing email to look out for when encountering a potential phishing scam:
1. Mismatched and misleading information
- Misspelled URLs – such as “facebok.com” instead of “facebook.com”
- Hidden URLs – when a phisher hides the actual URL by displaying plain text like “Click Here”, or even through displaying a legitimate URL
Protect yourself by hovering your mouse cursor over a suspicious link to see the actual URL. If you are using a mobile device, long-press the link to display a window with the actual URL. Be careful not to tap and open the link.
2. Use of urgent or threatening language
Be wary of phrases such as “urgent action required” or “your account will be terminated”, as phishers often aim to instil panic and fear to trick you into providing confidential information.
3. Promises of attractive rewards
False offers of amazing deals or unbelievable prizes are commonly used to instil a sense of urgency to provide your confidential information. If it is too good to be true, it probably is.
4. Requests for confidential information
Most organisations would never ask for your personal information such as your login credentials, credit card details and identification number. When in doubt, contact the company directly to clarify, but do not use the contact information provided in the email.
5. Unexpected emails
If you receive an email regarding a purchase you did not make, do not open the attachments and links.
6. Suspicious attachments
Exercise caution and look out for suspicious attachment names and file types. Be extra wary of .exe files, and delete them immediately if they appear unexpectedly in your inbox.
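Sign 1 above (misspelled and hidden URLs) can also be checked mechanically on an HTML email body. The Python sketch below is an added example, not part of the original article; the allowlist `KNOWN_DOMAINS`, the constructed sample email and the two-label domain shortcut are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the reader legitimately expects mail from.
KNOWN_DOMAINS = {"facebook.com", "mybank.example"}

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain, or '' if it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def base_domain(host):
    # Simplification (assumption): treat the last two labels as the
    # registrable domain; suffixes such as co.uk need a public-suffix list.
    return ".".join(host.rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(html):
    """Return one record per http(s) link with the real destination and findings."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue
        dest = base_domain(host_of(href))
        findings = []
        # Misspelled URL: close to, but not equal to, a known domain.
        if dest not in KNOWN_DOMAINS:
            for known in sorted(KNOWN_DOMAINS):
                if 0 < edit_distance(dest, known) <= 2:
                    findings.append(("lookalike", known))
        # Hidden URL: the text shows one domain, the link goes to another.
        if URL_LIKE.match(text):
            shown = base_domain(host_of(text))
            if shown and shown != dest:
                findings.append(("text-mismatch", shown))
        results.append({"text": text, "destination": dest, "findings": findings})
    return results


# Constructed sample email body (not taken from a real message).
SAMPLE_EMAIL = """
<p>Urgent action required. <a href="http://facebok.com/login">Click Here</a></p>
<p><a href="http://login.example.net/verify">https://www.facebook.com/security</a></p>
<p><a href="https://www.facebook.com/help">facebook.com/help</a></p>
"""

if __name__ == "__main__":
    for record in analyse(SAMPLE_EMAIL):
        print(record)
```

The `destination` field is the programmatic equivalent of hovering over the link: it shows where "Click Here" really leads even when no rule fires.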
Infosec. (n.d.). Phishing Tools & Techniques. Retrieved from: https://resources.infosecinstitute.com/category/enterprise/phishing/phishing-tools-techniques/#gref
Imperva. (n.d.). Phishing attacks. Retrieved from: https://www.imperva.com/learn/application-security/phishing-attack-scam/
IBM. (n.d.). How much would a data breach cost your business?. Retrieved from: https://www.ibm.com/security/data-breach
Retruster. (n.d.). 2019 Phishing Statistics and Email Fraud Statistics. Retrieved from: https://retruster.com/blog/2019-phishing-and-email-fraud-statistics.html
Trend Micro. (18 July 2018). FBI Report: Global BEC Losses Exceeded US$12 Billion in 2018. Retrieved from: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fbi-report-global-bec-losses-exceeded-us-12-billion-in-2018
Infosec. (n.d.). Reputational Damages. Retrieved from: https://resources.infosecinstitute.com/category/enterprise/phishing/phishing-as-a-risk-damages-from-phishing/reputational-damages/
Deloitte. (n.d.). A new era for privacy. Retrieved from: https://www2.deloitte.com/uk/en/pages/risk/articles/gdpr-six-months-on.html
Go Safe Online. (4 September 2019). Cyber Tip - Spot Signs Of Phishing. Retrieved from: https://www.csa.gov.sg/gosafeonline/go-safe-for-me/homeinternetusers/spot-signs-of-phishing
September 2019 Part 9
Understanding threats in social media
With social media so closely interwoven into our everyday lives, it has become a prime target for cybercrimes and exploitations. The more information we share on these public platforms, the more vulnerable we are to targeted attacks.
What are the key risks in using social media?
1) Data breaches
A data breach is an incident where information is stolen from a system without the knowledge or authorisation of the system’s owner.
According to Gemalto's latest Breach Level Index, a global database of public data breaches, social media has become the largest data breach threat of our time.
With the massive reach of social media, data breaches on these platforms can expose millions of users to getting their personal information or user profiles stolen.
2) Phishing and malware
Phishing is when cyber criminals employ social engineering techniques to trick users into clicking deceptive links to download malware (short for malicious software).
On social media, these deceptive links often appear as:
- Unbelievable news
- Fake giveaways
- Shocking videos
- Games and quizzes
3) Catfishing and deception
A catfish is someone who purposefully deceives others online by impersonating someone else or creating an identity that does not portray their actual self. Victims of catfishing can be subject to embarrassment, emotional devastation or monetary loss.
Catfishing usually involves some form of emotional motivation, such as personal insecurities, boredom, mental illness, revenge or harassment. Some catfish may also solicit money or gifts from their victims.
Cyberbullying is abuse that takes place over digital platforms, especially social media, where people can view, participate and share content. It includes sharing or sending of negative, mean or false content aimed at harming or humiliating another individual.
Cyberbullying affects individuals in the digital space, but can also have a direct impact on the physical, mental and emotional safety of individuals offline. It has become very prevalent amongst the youth, with 3 out of 4 children and teenagers in Singapore having experienced it.
How can you protect yourself?
With the proliferation of cybercrimes targeted at social media, it is imperative for users to remain vigilant and take steps to protect themselves.
Some tips include:
- Using strong passwords
- Being selective with friend requests
- Avoiding sharing personal or sensitive information
- Avoiding clicking links that look suspicious
- Installing trusted anti-virus software
- Changing privacy settings to limit who can see your content
Norton. (n.d.). 11 social media threats and scams to watch out for. Retrieved from: https://uk.norton.com/internetsecurity-online-scams-11-social-media-threats-and-scams-to-watch-out-for.html
Norton. (n.d.). 5 ways you didn't know you could get a virus, malware, or your social account hacked. Retrieved from: https://us.norton.com/internetsecurity-malware-5-ways-you-didnt-know-you-could-get-a-virus-malware-or-your-social-account-hacked.html
Vanman, E. (26 July 2018). We asked catfish why they trick people online—it's not about money. Retrieved from: https://phys.org/news/2018-07-catfish-people-onlineit-money.html
Cybersmile. (n.d.). Catfishing. Retrieved from: https://www.cybersmile.org/what-we-do/advice-help/catfishing
Stopbullying. (n.d.). What Is Cyberbullying. Retrieved from: https://www.stopbullying.gov/cyberbullying/what-is-it/index.html
Get Cyber Safe. (n.d.). Social Networking. Retrieved from: https://www.getcybersafe.gc.ca/cnt/rsks/nln-ctvts/scl-ntwrkng-en.aspx
June 2019 Part 8
What is Cyber Threat Intelligence (CTI)?
CTI primarily focuses on analysing raw data gathered from recent and past events to monitor, detect and prevent threats to an organisation, shifting the focus from reactive to preventive intelligent security measures. Ideally, CTI should become the foundation on which an organisation builds its secure, vigilant and resilient capabilities.
Why is CTI important?
CTI ensures organisations are informed and kept up to date with the volume of threats, including the methods, vulnerability, targets and actors within the space.
The potential benefits of having CTI include:
- Prevent data loss
- Detect breaches
- Understand what defence mechanisms are required
- Reveal additional information on threats and motives
- Create awareness about the existence of other threats
- Provide guidance in the event of a breach
How to build an effective CTI framework for your organisation
- Define what is important: Understanding what data analytics networks you own is the first step in identifying what CTI solutions your organisation will need.
- Set specific goals you want CTI to achieve: Defining clear, specific goals helps your organisation understand the current gap, and the tools needed to bridge that gap.
- Continuously refine your CTI feed: Criminals are ever evolving; your organisation needs to constantly redefine and evaluate the CTI strategy to provide relevant, up-to-date insights.
- Get expert help: Many organisations choose to hire third-party managed security service providers to gain an entire team of cybersecurity experts at a fraction of the cost.
Ali, S., Padmanabhan, V., & Dixon, J. (2014). Why cybersecurity is a strategic issue. Bain & Company. Retrieved from http://www2.bain.com/Images/BAIN_BRIEF_Why_cybersecurity_is_a_strategic_issue.pdf
Bandura Cyber. (2018). 2018 Threat Intelligence Report. Retrieved from https://banduracyber.com/wp-content/uploads/2018/10/2018_Threat-Intelligence_Report_Bandura-10-26.pdf
Conner, B. (22 May 2018). Forbes. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2018/05/22/real-time-cyber-threat-intelligence-is-more-critical-than-ever/#518403c317fb
Deloitte. (n.d.). Cyber Threat Intelligence: Move to an intelligence-driven cybersecurity model. Retrieved from https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/lu-cyber-threat-intelligence-cybersecurity-29102014.pdf
Dosal, E. (9 Oct 2018). How to Build an Effective Cyber Threat Intelligence Framework. Compuquip Cybersecurity. Retrieved from https://www.compuquip.com/blog/build-an-effective-cyber-threat-intelligence-framework
Forcepoint. (n.d.). What are Indicators of Compromise? Retrieved from https://www.forcepoint.com/cyber-edu/indicators-compromise-ioc
Guccione, D. (11 Jan 2019). What is the dark web? How to access it and what you'll find. CSO Online. Retrieved from https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html
Intel & Analysis Working Group. (n.d.). What is Cyber Threat Intelligence? Center for Internet Security. Retrieved from https://www.cisecurity.org/blog/what-is-cyber-threat-intelligence/
Ludlow, P. (13 Jan 2018). What Is a ‘Hacktivist’? The New York Times. Retrieved from https://opinionator.blogs.nytimes.com/2013/01/13/what-is-a-hacktivist/
McGuire, J. (6 May 2017). 5 Ways to Start Using Threat Intelligence Effectively. Crowe. Retrieved from https://www.crowe.com/cybersecurity-watch/using-threat-intelligence-effectively
Salinas, S. (11 Dec 2018). Understanding the Attack Surface and How to Defend It. Cylance: Threat Vector. Retrieved from https://threatvector.cylance.com/en_us/home/understanding-the-attack-surface-and-how-to-defend-it.html
SurfWatch Labs. (29 Jun 2016). New Cyber Threat Intelligence Case Study for Financial Services Released by SurfWatch Labs. Retrieved from https://www.surfwatchlabs.com/releases/2016/06/29/new_cyber_threat_intelligence_case_study_for_financial_services_released_by_surfwatch_labs
Van Impe, K. (18 Sep 2018). Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise. Security Intelligence. Retrieved from https://securityintelligence.com/raise-the-red-flag-guidelines-for-consuming-and-verifying-indicators-of-compromise/
Van Impe, K. (4 Jun 2018). What Are the Different Types of Cyberthreat Intelligence? Security Intelligence. Retrieved from https://securityintelligence.com/what-are-the-different-types-of-cyberthreat-intelligence/
December 2017 Part 7
The digital & cyber trends in 2018
2017 has been an eventful year with some of the largest breaches happening, such as the data breaches of Verizon, Equifax and Uber, to list a few of the most recent events. It is also the year when Apple gave us the iPhone X with Face ID and Amazon gave us access to Alexa with its range of Echo devices. Now as 2017 draws to a close, you must wonder what is in store for 2018. Here is what we think you should look out for in the coming year.
- The EU General Data Protection Regulation (GDPR) will be effective 25 May 2018 and non-compliant organisations will face significant impacts. Learn more about the EU GDPR here.
- After the WannaCry ransomware disaster, Crime-as-a-Service (CaaS) will mature and flourish with more tools becoming available for non-technical aspiring criminals to purchase and conduct their own attacks. Read here for more details.
- Data collected from Internet of Things (IoT) devices such as smart watches will help businesses to develop more intelligent apps and smarter devices by applying Artificial Intelligence (AI) to learn about human behaviour and identify areas where simple tasks may be replaced or made more efficient. Read about each individual trend here.
- An important development from the exponential growth of data is the use of edge computing together with cloud computing to deliver services. Learn more about this trend here.
In addition to the trends above, we have a Tech Trends report for your holiday reading. Deloitte’s ninth annual Tech Trends report identifies trends that are likely to disrupt businesses in the next 18-24 months, from enterprise data sovereignty to digital reality, API imperative, and more.
The trends reflect the macro forces fuelling growth— cloud, digital, and analytics— as well as the innovations built upon this foundation, such as blockchain and cognitive computing.
This year’s report spotlights ongoing transformations of core systems and, more broadly, of IT’s role within the enterprise. As in previous years, we balance these discussions with perspectives on how such changes are impacting IT operations and how companies respond to cyber risk. The pace of change across industries and the globe is only increasing. When organizations recognize connections between new technologies and bring them into harmony, they create something new and greater: the symphonic enterprise. Read Tech Trends reports here.
November 2017 Part 6
Cyber Risks Troubling Organisations
One of the most severe cyber risks that organisations continue to face is the data breach. A data breach is an incident where information is stolen or taken from a system without the knowledge or authorisation of the system’s owner.
What are some impacts of a data breach?
- Loss of sensitive, proprietary, or confidential information
- Damage to an organisation’s reputation
- Financial losses
- Customers’ loss of trust in the organisation
What are some common breach methods?
- A trusted individual or person of authority with access privileges stealing data from an organisation. E.g. some employees are willing to sell this data for personal profit
See story: http://www.businessinsider.sg/iphone-8-iphone-x-ios-11-leaks-inside-job-2017-9/?r=US&IR=T
- Sensitive data is exposed through mistakes or negligence, mostly by insiders. E.g. more than 50% of the security breaches are due to human error because of failure to follow the organisation’s policies
See story: https://www.insuretrust.com/employee-mistakes-a-big-source-of-data-breaches/
Payment Card Fraud
- Payment card information being stolen using physical skimming devices or phishing of personal information. E.g. cyber thieves can use a stolen credit card to buy items online
See story: https://pocketsense.com/causes-credit-card-fraud-5798165.html
- Cyber espionage describes the stealing of confidential information stored in digital formats or on computers and IT networks. It is similar to a high tech form of spying
See story: https://medium.com/threat-intel/cyber-espionage-spying-409416c794ec
Why are data breaches a significant risk?
- Data breaches are no longer a binary proposition where an organisation either has or has not been breached
- They are wildly variable, from breaches compromising entire global networks of highly sensitive data to others having little to no impact
- According to the Ponemon Institute’s “2017 Cost of Data Breach Study: Global Overview,” the odds are as high as 1 in 4
Technology is meant to enhance and improve both business and consumer aspects of our era today. Unfortunately, technology carries risks and opens us up to vulnerabilities in the cyber world. To combat cyber attacks, a cyber security maturity framework is recommended. This is a set of standards and best practices from industry, professional or international bodies which encompasses a logical structure for organisations to benchmark their current cyber capabilities.
A cyber security maturity framework is helpful for an organisation looking to strengthen their security, vigilance and resilience against cyber threats depending on their objectives and cyber-related risks.
There are a number of cyber security maturity frameworks available and while the approach may differ for each framework, organisations will be able to achieve its desired maturity level with any framework.
October 2017: Part 5
Shortage of Cybersecurity Talent
According to estimates by the Center for Strategic and International Studies, cybercrime costs the global economy US$400 billion per year. With the escalating awareness and prominence of security breaches, securing physical and digital assets for the purpose of confidentiality, integrity and availability is a priority for every organisation. Given the vital role cyber security professionals play in the business ecosystem, market demand for them is outpacing supply.
What are their roles and responsibilities?
- Developing and designing enterprise security architecture
- Monitoring and identifying threats in enterprise architecture
- Conducting regular security assessment
Why are they important to organisations?
- Most organisations face challenges in interpreting the detection or mitigation of cyber security threats
- They develop and implement overarching processes
Why is there a shortage?
- As the skills of cyber attackers advance, cyber security professionals are better equipped than IT professionals to understand their tactics, techniques and procedures
- Schools are still graduating cybersecurity majors, which means a lack of experience with and exposure to realistic cyber attacks
What can you do?
- Re-examine workforce strategies and improve recruitment outreach
- Have a robust support program for new hires
- Prioritise skills, knowledge, and willingness to learn when recruiting
- Build a local cybersecurity ecosystem
- Develop a strong culture of risk awareness
Disaster Resource Guide. The importance of cyber security within your organisation. Retrieved from Disaster Resource Guide: http://www.disasterresource.com/index.php?option=com_content&view=article&id=1717:the-importance-of-cyber-security-within-your-organization
Simpli Learn. (2017, August 9) Key roles & responsibilities of IT security professionals. Retrieved from Simpli Learn: https://www.simplilearn.com/it-security-professionals-key-roles-responsibilities-article
Dark Reading. (2017, August 22) Health IT & cybersecurity: 5 hiring misconceptions to avoid. Retrieved from Dark Reading: https://www.darkreading.com/careers-and-people/health-it-and-cybersecurity-5-hiring-misconceptions-to-avoid/a/d-id/1329932?
Dark Reading. (2017, September 12) The ‘team of teams’ model for cybersecurity. Retrieved from Dark Reading: https://www.darkreading.com/application-security/the-team-of-teams-model-for-cybersecurity/a/d-id/1329840?
Monster Cloud. (2017, March 25) Importance of cybersecurity in business. Retrieved from Monster Cloud: https://monstercloud.com/importance-of-cybersecurity/
Threat Analysis Group. Threat, vulnerability, risk – commonly mixed up terms. Retrieved from Threat Analysis Group: https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/
Harvard Business Review. (2017, May 4) Cybersecurity has a serious talent shortage. Here’s how to fix it. Retrieved from Harvard Business Review: https://hbr.org/2017/05/cybersecurity-has-a-serious-talent-shortage-heres-how-to-fix-it
Forbes. (2017, May 31) The top cybersecurity challenges experts are facing today. Retrieved from Forbes: https://www.forbes.com/sites/quora/2017/05/31/the-top-cyber-security-challenges-experts-are-facing-today/#54279fef2238
Forbes. (2017, March 16) The fast-growing job with a huge skills gap: cyber security. Retrieved from Forbes: https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#407a0a3c5163
August 2017: Part 4
Anatomy of a Cyber Attacker
Cyber criminals are as diverse as their real-world counterparts. In the last five years, there have been cyber attacks targeted at all sorts of organisations. These criminal activities include breaking into private networks, stealing data and installing ransomware, etc. Every individual is responsible for an organisation’s cyber security and it is vital that you know your enemies and implement effective cyber security measures.
3 Types of Cyber Attackers
1. White Hats
- White Hats are security researchers or hackers who work for organisations such as governments or cyber security firms. For example, they work to discover vulnerabilities in software and networks and recommend ways to address these gaps.
2. Black Hats
- Black Hats are criminals who use their abilities to plunder individuals or organisations. They find or develop software deficiencies, attack methods or other malicious tools to break into machines and steal data, such as passwords, email, intellectual property, credit card numbers or bank account credentials.
3. Grey Hats
- Grey Hats fall into the middle ground between the White and Black Hat categories. Often, Grey Hat hackers look to expose vulnerabilities in a system to inform an organisation of the defect or share it with a group of people. Although these hackers are not usually motivated by personal gain, their actions may be considered illegal or unethical.
Two factors that determine the type of hacker:
- What are their intentions?
- Are their intentions law-breaking?
Four primary motivators:
- Financial Gain
- Ideology or Politics
- Cyber Protection
Not all hackers have malicious intent. Hacking can be used for good and evil; it boils down to the hacker’s intent. In mainstream media, the term “hacker” is usually related to cyber criminals. A hacker could be anyone regardless of intentions or methods. Hacking is not an illegal activity unless the hacker’s actions compromise a system without the owner’s permission.
Cross Domain Solutions. Types of Cyber Crimes. Retrieved from Cross Domain Solutions: http://www.crossdomainsolutions.com/cyber-crime/
The Guardian. (2017, August 23). Identity fraud reaching epidemic levels, new figures show. Retrieved from The Guardian: https://www.theguardian.com/money/2017/aug/23/identity-fraud-figures-cifas-theft
Channel News Asia. (2017, 19 March). Ethical hackers on the frontline, keeping your home safe from cyber-attacks. Retrieved from Channel News Asia: http://www.channelnewsasia.com/news/singapore/ethical-hackers-on-the-frontline-keeping-your-home-safe-from-cyb-8577866
Make Use Of. (2012, July 13). 5 of the World’s Most Famous And Most Influential White Hat Hackers. Retrieved from Make Use Of: http://www.makeuseof.com/tag/5-worlds-famous-influential-white-hat-hackers/
Express. (2015, September 1). Lizard Squad: The notorious hacking group who brought down UK government website. Retrieved from Express: http://www.express.co.uk/life-style/science-technology/602157/Lizard-Squad-Hacking-Group-Ddos-Attack-PS4-Xbox-NCA
Technotification.com (2014, December 30). Top 10 Black-Hat Hackers in the World. Retrieved from Technotification.com: https://www.technotification.com/2014/12/top-10-best-black-hat-hackers-in-the-world.html
The Guardian. (2016, August 8). The state of cyber security: we’re all screwed. Retrieved from The Guardian: https://www.theguardian.com/technology/2016/aug/08/cyber-security-black-hat-defcon-hacking
The Mental Club. (2015, April 5). Top 5 Black Hat Hackers of the World. Retrieved from The Mental Club: http://thementalclub.com/top-5-black-hat-hackers-world-572
Toptenz.net. (2010, May 24). Top 10 Infamous Hackers. Retrieved from Toptenz.net: http://www.toptenz.net/top-10-infamous-hackers.php
IT World Canada. (2012, January 3). Experts divided on ‘grey hat’ hackers. Retrieved from IT World Canada: http://www.itworldcanada.com/article/experts-divided-on-grey-hat-hackers/45669
Techopedia. Hacktivism. Retrieved from Techopedia: https://www.techopedia.com/definition/2410/hacktivism
Express. (2016, May 11). ‘This is just the beginning’ Anonymous hackers take down nine banks in 30-day cyber attack. Retrieved from Express: http://www.express.co.uk/news/world/669346/Anonymous-hackers-take-down-nine-banks-in-30-day-cyber-attack
Entrepreneur.com. (2017, March 2). 4 Easy Ways to Protect Your Company From a Cyber Attack. Retrieved from Entrepreneur.com: https://www.entrepreneur.com/article/289680
July 2017: Part 3
Anatomy of a Cyber Attack
One of the most important concepts a cyber security professional has to know is the Cyber Kill Chain. The Cyber Kill Chain is a seven-stage model that illustrates how cyber criminals get to their victims and target a system’s vulnerabilities.
7 Stages of the Cyber Kill Chain
1. Reconnaissance
- The attacker gathers information on the target before launching the attack. They usually look for publicly available information on the Internet.
2. Weaponisation
- The attacker uses an exploit and creates a malicious payload to send to the victim, without actual contact with them.
3. Delivery
- The attacker sends the malicious payload to the victim by email or through other means; email is only one of the numerous intrusion methods the attacker can use.
4. Exploitation
- The actual exploitation only takes place when the attacker uses an exploit.
5. Installation
- Installing malware on the infected computer is only relevant if the attacker used malware as part of the attack.
6. Command and Control
- The attacker creates a command and control channel to continue operating his internal assets remotely.
7. Actions on Objectives
- The attacker performs these steps to achieve his actual goals inside the victim’s network.
Knowing and understanding the “7 Steps of The Cyber Kill Chain” enables organisations to trace the movements of an attacker and take the necessary security precautions to prevent such attacks from happening.
However, over-focus on this area can also be detrimental to network security. A persistent, highly determined and skilled attacker will always find a way into the network. Thus, rather than only analysing old malware, organisations should also focus on detecting ongoing attacks before the damage is done.
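One way to use the kill chain for tracing an attacker and spotting attacks in progress, as an added example that is not part of the original series: alerts are mapped to stages per host, then the deepest stage reached and the earlier stages that raised no alert are reported. The stage names follow the standard Cyber Kill Chain; the rule names, host names, alert records and the "foothold" threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# The seven kill chain stages, in order.
STAGES = [
    "reconnaissance", "weaponisation", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Hypothetical mapping from detection-rule names to stages (assumption:
# your monitoring rules carry tags like these; the names are illustrative).
RULE_STAGE = {
    "external_port_scan": "reconnaissance",
    "malicious_attachment": "delivery",
    "office_spawns_shell": "exploitation",
    "new_autorun_entry": "installation",
    "periodic_beacon": "command_and_control",
    "bulk_outbound_transfer": "actions_on_objectives",
}

# Constructed sample alerts: (ISO timestamp, host, rule).
ALERTS = [
    ("2017-07-03T09:12:00", "ws-014", "malicious_attachment"),
    ("2017-07-03T09:15:30", "ws-014", "office_spawns_shell"),
    ("2017-07-03T09:16:10", "ws-014", "new_autorun_entry"),
    ("2017-07-03T09:40:00", "ws-014", "periodic_beacon"),
    ("2017-07-03T11:02:00", "srv-02", "external_port_scan"),
    ("2017-07-04T02:30:00", "ws-027", "periodic_beacon"),
    ("2017-07-04T02:31:00", "ws-027", "unknown_rule"),
]

def track(alerts, rule_stage=RULE_STAGE):
    """Return {host: report} describing how far along the chain each host is."""
    seen = defaultdict(dict)  # host -> {stage index: first-seen time}
    for ts, host, rule in sorted(alerts):  # ISO timestamps sort by time
        stage = rule_stage.get(rule)
        if stage is None:  # unmapped rule: skip rather than guess a stage
            continue
        seen[host].setdefault(STAGES.index(stage), datetime.fromisoformat(ts))
    reports = {}
    for host, stages in seen.items():
        deepest = max(stages)
        # Earlier stages with no alert point to a detection gap. Weaponisation
        # happens away from the victim, so no alert is expected for it.
        missed = [STAGES[i] for i in range(deepest)
                  if STAGES[i] != "weaponisation" and i not in stages]
        reports[host] = {
            "deepest_stage": STAGES[deepest],
            "missed_stages": missed,
            # Assumption: installation or later means an attack in progress.
            "foothold": deepest >= STAGES.index("installation"),
            "first_seen": min(stages.values()),
        }
    return reports

def triage(reports):
    """Hosts with an attack in progress: deepest stage first, then oldest."""
    live = [h for h, r in reports.items() if r["foothold"]]
    return sorted(live, key=lambda h: (-STAGES.index(reports[h]["deepest_stage"]),
                                       reports[h]["first_seen"]))

if __name__ == "__main__":
    for host, rep in track(ALERTS).items():
        print(host, rep["deepest_stage"], "missed:", rep["missed_stages"])
    print("triage order:", triage(track(ALERTS)))
```

In the sample data, ws-027 shows command and control traffic with no earlier alerts at all, which is the case the paragraph above warns about: the attacker got in unseen, so the ongoing activity is the only chance to catch it.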
Deloitte.com. Responding to cyber threats in the new reality. Retrieved from Deloitte.com: https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-cyber-thought-leadership-noexp.pdf
Alien Vault. Defend like an attacker: Applying the cyber kill chain. Retrieved from Alien Vault: https://www.alienvault.com/blogs/security-essentials/defend-like-an-attacker-applying-the-cyber-kill-chain
Telelink. Access Networking Threats, Corporate WAN Threats, IT Threats. Retrieved from Telelink: http://itsecurity.telelink.com/reconnaissance/
Techopedia. Active Reconnaissance. Retrieved from Techopedia: https://www.techopedia.com/definition/3650/active-reconnaissance
The Guardian. (2016, October 22). Cyber attack: hackers ‘weaponised’ everyday devices with malware. Retrieved from The Guardian: https://www.theguardian.com/technology/2016/oct/22/cyber-attack-hackers-weaponised-everyday-devices-with-malware-to-mount-assault
University of Pennsylvania. Cyber Weapons. Retrieved from University of Pennsylvania: https://sites.google.com/site/uscyberwar/cyber-weapons
Alert Logic. (2016, December 30). The Cyber Kill Chain: Understanding Advanced Persistent Threats. Retrieved from Alert Logic: https://www.alertlogic.com/blog/the-cyber-kill-chain-understanding-advanced-persistent-threats/
CNN. (2017, June 28). Another big malware attack ripples across the world. Retrieved from CNN: http://money.cnn.com/2017/06/27/technology/hacking-petya-europe-ukraine-wpp-rosneft/index.html
Bleeping Computer (2017, July 20). Valve Patches Security Flaw That Allows Installation of Malware via Steam Games. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/security/valve-patches-security-flaw-that-allows-installation-of-malware-via-steam-games/
RSA. (2012, August 16). Stalking The Kill Chain: The Attacker’s Chain. Retrieved from RSA: https://blogs.rsa.com/stalking-the-kill-chain-the-attackers-chain-2/
News. (2017, May 15). Ransomware cyberattack hits Australia as EU warns victims worldwide may grow. Retrieved from News: http://www.abc.net.au/news/2017-05-14/ransomware-cyberattack-threat-lingers-as-people-return-to-work/8525554
Infosec Institute. (2013, May 21). Cyber Kill Chain is a Great Idea, But Is It Something Your Company Can Implement. Retrieved from Infosec Institute: http://resources.infosecinstitute.com/cyber-kill-chain-is-a-great-idea-but-is-it-something-your-company-can-implement/#gref
June 2017: Part 2
What are your risks?
- Online payment systems may not guarantee the safety of your money – $81M stolen from central bank of Bangladesh in 2016 cyber heist
- Drugs, information and your credit card data – Take your pick in the online black markets
- Is your child’s identity at risk? – Young mum experiences ‘digital kidnapping’
- Cyber bullying can kill – How it can lead to suicide
- Your data and devices could be held hostage – Find out the anatomy of a ransomware
How is your data retrieved?
Social Engineering Attacks
- Baiting – Watch what happens when you plug a foreign device into your computer
- Phishing – Personal details targeted in phishing emails that appear as Google Docs
- Pretexting – Your board director can be an impersonator to get your phone records (Hewlett-Packard incident)
- Read more on social engineering fraud
- Social media alone can help cyber criminals know you better – 30% of internet users vulnerable to attacks
- Google tracks you by what you share – Here’s how to stop it
- Think before you post – When it can cost you your job
What can you do?
- Be discreet about your privacy settings and ‘check-in’s.
- Be sure you know who people are before accepting connections
- Be wary about messages from unfamiliar emails
Daily Mail. (2016, April 23). Hackers steal $81 million from a Bangladeshi bank with no firewall... and were only caught out when the illiterate fraudsters spelt 'foundation' as 'fandation'. Retrieved from Daily Mail: http://www.dailymail.co.uk/news/article-3555298/Hackers-steal-81-million-Bangladeshi-bank-no-firewall-caught-illiterate-fraudsters-spelt-foundation-fandation.html#ixzz4oaAuU5g3
News. (2016, January 18). Suspicion and mistrust: Total anarchy on the dark web. Retrieved from News: http://www.news.com.au/technology/online/security/suspicion-and-mistrust-total-anarchy-on-the-dark-web/news-story/e9240f00f4a69206e811efc4086b9213
Yahoo. (2015, March 3). The Disturbing Facebook Trend of Stolen Kids Photos. Retrieved from Yahoo: https://www.yahoo.com/news/mom-my-son-was-digitally-kidnapped-what-112545291567.html
CNN. (2016, December 1). Teen who was relentlessly bullied kills herself in front of her family. Retrieved from CNN: http://edition.cnn.com/2016/12/01/health/teen-suicide-cyberbullying-trnd/index.html
Deloitte.com. Ransomware is moving to the next level. Retrieved from Deloitte.com: https://www2.deloitte.com/lu/en/pages/risk/articles/ransomware-moving-next-level.html
Deloitte.com. Cyber video: Companies like yours. Retrieved from: https://www2.deloitte.com/global/en/pages/risk/articles/cybervideo-companies-like-yours.html
NBC News. (2017, May 4). Massive Phishing Attack Targets Gmail Users. Retrieved from NBC News: http://www.nbcnews.com/tech/security/massive-phishing-attack-targets-millions-gmail-users-n754501
The New York Times. (2006, September 8). Hewlett-Packard Spied on Writers in Leaks. Retrieved from The New York Times: http://www.nytimes.com/2006/09/08/technology/08hp.html
Deloitte.com. Safeguarding your enterprise from social engineering fraud risks. Retrieved from Deloitte.com: https://www2.deloitte.com/in/en/pages/finance/articles/social-engineering-fraud-risks.html
ETCIO.com. (2016, January 10). Oversharing on social networking sites leaves 30% internet users vulnerable to cybercrime. Retrieved from ETCIO.com: http://cio.economictimes.indiatimes.com/news/digital-security/oversharing-on-social-networking-sites-leaves-30-internet-users-vulnerable-to-cybercrime/50517472
Wired. (2017, March 20). Google tracks everything you do: here’s how to delete it. Retrieved from Wired: http://www.wired.co.uk/article/google-history-search-tracking-data-how-to-delete
Deloitte.com. Phishing and ransomware can be your worst nightmares, how can you prevent these evolving threats. Retrieved from Deloitte.com: https://www2.deloitte.com/lu/en/pages/risk/articles/phishing-ransomware-how-to-prevent-threats.html
May 2017: Part 1
Hunting in the Cyberspace
You may have read the recent news about one of the largest cyber attacks, the WannaCry ransomware. This incident is a wake-up call to all organisations alike, requiring global responsibility and attention to prevent future episodes. We hope to shed light on the fundamentals of cyber security with this 8-part Edu-series to help you understand and protect your data.
Cyber attacks, unlike physical warfare, transcend national borders by compromising computer systems and networks. In this interconnected digital sphere, they threaten the very infrastructures that nations and corporations depend on. Data theft, manipulation of networks and the disabling of online platforms have had considerable repercussions.
Undeniably, major cyber infringements demonstrate the vulnerability of all organisations’ systems. The growing trend of political cyber attacks has formed a new field of spying: cyber espionage. Superpowers have used cyber software such as Stuxnet, Flame and DuQu in an attempt to monitor, collect from and control their targets.
BBC. (2010, August 25). Secret US military computers 'cyber attacked' in 2008. Retrieved from BBC: http://www.bbc.com/news/world-us-canada-11088658
BBC. (2013, January 31). New York Times 'hit by hackers from China'. Retrieved from BBC: http://www.bbc.com/news/world-asia-china-21271849
Broad, W. J., Markoff, J., & Sanger, D. E. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved from The New York Times: http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
CNET. (2017, May 15). WannaCry ransomware: Everything you need to know. Retrieved from CNET: https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/
Fiegerman, S. (2016, December 15). Yahoo says data stolen from 1 billion accounts. Retrieved from CNN: http://money.cnn.com/2016/12/14/technology/yahoo-breach-billion-users/index.html?iid=EL
Jones, S. (2014, August 29). Ukraine: Russia’s new art of war. Retrieved from Financial Times: https://www.ft.com/content/ea5e82fa-2e0c-11e4-b760-00144feabdc0
Lee, T. B. (2013, November 1). How a grad student trying to build the first botnet brought the Internet to its knees. Retrieved from Washington Post: https://www.washingtonpost.com/news/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/?utm_term=.7cf9a699c497
Russell, A. (2004, February 28). CIA plot led to huge blast in Siberian gas pipeline. Retrieved from Telegraph: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1455559/CIA-plot-led-to-huge-blast-in-Siberian-gas-pipeline.html
Telegraph. (2013, January 14). Red October computer virus found. Retrieved from Telegraph: http://www.telegraph.co.uk/technology/news/9800946/Red-October-computer-virus-found.html