Despite decades of changes in the computer industry, it’s amazing how much stays the same. Businesses create and store vast amounts of business and customer data that needs to be secured against hackers.
It’s important to secure data on corporate devices and servers for a number of reasons. Firstly, the information created by employees costs a lot to produce and therefore has lots of value, as recreating it would be expensive. Then we have the issue of intellectual property that could provide a competitive advantage, royalties, or future market opportunities, as long as it’s closely protected.
This corporate data is also developed over a number of years, and the jobs of many employees rely on it being available to them. If it were lost or encrypted, as in a ransomware attack, the impact on a business could be so severe that it overwhelms it, with the cost of recreating the data being more than the funds available.
While it’s important that hackers never get paid their ransom, it is understandable why some try that path: some hope of the data being unlocked can be better than no hope. The problem is that every payment provides additional motivation to spread ransomware further, in the hope of a bigger payday.
The second element is customer data, and the risk there is really data compromise. Should this information be leaked online, not only would it be detrimental to the reputation of a business, but legal action could also be taken against the business if it could be proven that it failed to adequately protect the data. Often these fines are substantial and multiplied per incident, so if your whole customer database is hacked, the fine could be of a scale that would be business-ending.
Finally, there’s the financial incentive: with businesses often moving millions of dollars through accounts each month, attackers would love to get a piece of that redirected to them. This attack often involves social engineering to extract important information from staff, which can then form the basis for a targeted attack or spear-phishing campaign.
Knowing who works in the finance and payroll department, along with their superiors, is valuable information. Often email phishing attacks request that payment details be changed, and without the right business processes in place to validate the request, an unknowing employee may make the change and enable the scam.
Enabling MFA wherever possible is a great strategy for reducing this attack vector, and Microsoft recently turned on MFA by default for new 365 tenants.
You can have the best technology stack on the planet, but ultimately people in your business have access to your systems and unless their credentials stay safe, your business is at risk. The only real counter to this is raised awareness through regular training. Some organisations even set up fake phishing attacks to test how their employees would respond.
Security Evangelist David Jacoby is part of the Global Research and Analysis Team (GReAT) at Kaspersky. At the recent annual SAS@Home, he spoke about the evolution of cybercriminals and how they have changed the way we work with the internet.
Hacking in 1980 – Pop 80s
This was a time when collected usernames and passwords were tracked manually or simply written on a Post-it note. Password cracking was uncommon because computers were slow and did not have enough CPU power.
War dialing was used to dial different phone lines to identify whether a fax machine or a mainframe was on the other end. Dumpster diving, while popular in the 80s, does not exist today. Targets included modem-connected devices such as recycling machines and telecommunication equipment.
Techniques | Targets |
---|---|
Brute force; default / weak passwords; backdoors; password cracking; war dialing; dumpster diving | Mainframes; critical infrastructures; modem-connected devices; telecom equipment |
Hacking in 1990 – Grunge 90s
Cybercriminals moved away from modems to the internet, and with the internet we opened Pandora’s box. Stack overflows were something new and exciting, and a lot of software was exploited during this time. However, something else changed.
People started to use individual computers, and soon after, attackers started targeting individual computers. Web and mail servers online also saw a rise in attacks in the 90s.
Techniques | Targets |
---|---|
Brute force; default / weak passwords; backdoors; password cracking; stack overflows; remote code/command injection | Mainframes; critical infrastructures; IoT devices; individual computers; internet services |
Hacking in 2000 – Y2K
Reused passwords were extremely common in the year 2000. Remembering multiple passwords proved difficult, which made things easy for cybercriminals. Unlike the 80s, this era showed that software vulnerabilities and supply chain attacks were popular with cybercriminals.
Targets include a new wave of mobile devices. I would also consider a laptop an avenue for being used as a mobile device, as it is connected in different places and can be moved from one place to another easily.
Techniques | Targets |
---|---|
Brute force; default / weak passwords; backdoors; reused passwords; software vulnerabilities; supply chain attacks; a lot more | Critical infrastructure; IoT devices; internet servers; mobile devices |
Current situation
So while the techniques really haven’t changed much in decades, that’s because they are effective. The current situation sees a vibrant white-hat hacker scene and bug bounties that reward the responsible disclosure of vulnerabilities.
Kaspersky’s Corporate IT Security Risks Survey of around 5,000 businesses included almost 250 Australian enterprises and SMBs. The report found that a massive 49.4% of security incidents that occurred in 2019 were through employees’ inappropriate IT use. Inappropriate data sharing from mobile devices was experienced by 42.9% of the Australian businesses surveyed.
The response to COVID19 meant that many organisations moved to using more cloud services and remote working, potentially exposing Australian businesses to heightened risk.
David Emm, Principal Security Researcher of Kaspersky says the cost of data breaches can be crippling to some businesses. The NotPetya attack in 2017 cost food giant Mondelez as much as $100M in remediation and recovery costs.
Even smaller losses can be crippling, as they often come at the worst time. 26.4% of Australian small businesses reported losing between $3,000 and $15,000 through attacks in 2019. Targeted attacks, on the other hand, account for nearly 50% of Australian businesses that have been a victim.
In Australia, more than 7% didn’t know if they had been targeted, compared with 3.4% in the US and 2.7% in Great Britain. Based on the survey, the average cost of ransomware attacks that resulted in data breaches is $1.46M.
The survey also found that 34.8% of Australian businesses had been involved in an incident through a third-party cloud service used by employees in the past year.
One key takeaway is that security audits often vet software and services based on their current code, but most projects rely on dozens of underlying frameworks that are written and updated by third parties.
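To make that takeaway concrete, the following added example (not code from the article or from Kaspersky) walks a constructed, simplified lock-file and shows how two direct dependencies expand into a much larger inventory of third-party code, then flags the entries an audit of "current code" would miss: packages with an unpinned version (whatever is published at install time gets pulled in) and packages with no integrity hash (the downloaded artifact cannot be checked against tampering). The package names, versions and hash strings are made up for illustration.

```python
"""Inventory the third-party code behind a project's direct dependencies.

Added example, not from the article. The lock-file below is a constructed,
simplified structure in the spirit of npm's package-lock or a pinned
requirements file; every package name, version and hash is made up.
"""
import json
from collections import deque

# Constructed lock-file: each entry records the pinned version, an optional
# integrity hash, and the packages it in turn requires.
LOCKFILE = json.loads("""
{
  "direct": ["webframework", "httpclient"],
  "packages": {
    "webframework": {"version": "2.4.1", "integrity": "sha256-aaaa", "requires": ["templating", "router", "httpclient"]},
    "httpclient":   {"version": "1.9.0", "integrity": "sha256-bbbb", "requires": ["tlswrapper", "urlparse"]},
    "templating":   {"version": "0.8.2", "integrity": "sha256-cccc", "requires": ["escapeutil"]},
    "router":       {"version": "3.0.0", "integrity": null,          "requires": ["urlparse"]},
    "tlswrapper":   {"version": "*",     "integrity": "sha256-dddd", "requires": []},
    "urlparse":     {"version": "1.1.5", "integrity": "sha256-eeee", "requires": []},
    "escapeutil":   {"version": "0.3.0", "integrity": "sha256-ffff", "requires": []}
  }
}
""")

UNPINNED_PREFIXES = ("^", "~", ">=", ">")
UNPINNED_LITERALS = ("*", "latest", "")


def transitive_dependencies(lock):
    """Breadth-first walk from the direct dependencies; returns every package
    name reachable through 'requires', including ones missing from the lock."""
    seen, queue = set(), deque(lock["direct"])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        entry = lock["packages"].get(name)
        if entry is not None:
            queue.extend(entry["requires"])
    return seen


def audit_lockfile(lock):
    """Return (package, problem) pairs for third-party packages that a
    review of the project's own code would not cover: missing lock entries,
    unpinned versions and entries without an integrity hash."""
    findings = []
    for name in sorted(transitive_dependencies(lock)):
        entry = lock["packages"].get(name)
        if entry is None:
            findings.append((name, "not recorded in lock-file"))
            continue
        version = entry["version"]
        if version in UNPINNED_LITERALS or version.startswith(UNPINNED_PREFIXES):
            findings.append((name, "unpinned version %r" % version))
        if not entry.get("integrity"):
            findings.append((name, "no integrity hash"))
    return findings


if __name__ == "__main__":
    deps = transitive_dependencies(LOCKFILE)
    print("%d direct dependencies pull in %d packages in total"
          % (len(LOCKFILE["direct"]), len(deps)))
    for package, problem in audit_lockfile(LOCKFILE):
        print("  %-14s %s" % (package, problem))
```

Run as a script it reports that the two direct dependencies resolve to seven packages, with `router` lacking an integrity hash and `tlswrapper` floating on `*`. The same walk applied to a real lock-file is the starting point for a software bill of materials; the point of the example is that the set worth auditing is the transitive closure, not the handful of packages a developer chose by hand.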