In early 2016, we shared our predictions of key security threats likely to hit us this year. As predicted, cyber espionage, ransomware, insider threats, IoT device attacks and attacks on industrial control systems (ICS) all increased in 2016. A number of other targets remain in the line of hackers’ fire, with both financial gain and personal notoriety being key drivers of malicious activity.
All the threats we predicted for 2016 continue to be areas where we believe proactive steps can be made to minimize an organization’s risk profile.
It should be no surprise that cyber espionage, generally defined as obtaining secrets via a cyberattack, is on the list of key threats in 2016. There have been plenty of headline-grabbing cyber espionage attacks, including the recent release by the Russian group operating under the banner “Fancy Bear” of private medical data on U.S. and other Olympians, stolen during an attack on the World Anti-Doping Agency.
In another example, the FBI warned state boards of election in late August after two election board websites were breached, and the U.S. government was hacked earlier this year, exposing personal information on millions of people. There were also multiple breaches against fast-food chains like CiCi’s Pizza and Wendy’s, against retailers like Eddie Bauer, against tech companies like Apple and Twitter, and against health insurance companies such as Anthem. Not all of these were espionage in the strict sense: the restaurant and retail breaches went after payment-card data for financial gain.
Some attacks are tied directly to nation-state cyber espionage. In May the FBI issued an alert warning of groups mounting Advanced Persistent Threats (APTs): targeted, sophisticated attacks typically executed by well-organized and well-resourced groups, including state-sponsored actors. The alert noted cyber actors targeting sensitive information stored on U.S. commercial and government networks.
Cyber espionage is almost never seen coming, so the defense has to be proactive. Employees need to be educated, with regular training on how attacks are executed and how to recognize and report them. All assets need to be inventoried; an attacker only needs one forgotten system. Firewalls are critical, as is ensuring all systems are regularly patched and all antivirus software is kept current. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) should be tested regularly to confirm they are functioning and actually alerting on the traffic they are meant to catch.
Ransomware is malware that infects a computer and restricts users’ access to it, or to its data, until a ransom is paid. In recent years attacks have increased and have become highly targeted and sophisticated, a point stressed in an April FBI report, “Incidents of Ransomware on the Rise.” Enterprises are increasingly at risk because they have many users to target, and a single infected host can spread to and take down multiple systems across an organization.
The method of attack used to be spam and phishing emails that required the victim to click on a link or open an attachment. It can now also be done by seeding legitimate websites with malicious code hidden, for example, in pop-up ads (malvertising). If a user clicks the ad, the malicious code encrypts the user’s files, then presents a message demanding a ransom to decrypt them, with instructions on how to pay and regain access. In other cases the malware is downloaded and installed automatically, without any click, by exploiting security weaknesses in the browser, its plug-ins or the operating system (a drive-by download); the user learns of it only when the ransom message pops up.
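Whatever the delivery vector, the end state described above is the same: one process rewrites many documents with ciphertext in a short burst and often renames them. That pattern is detectable from ordinary file-system telemetry. The following is an added example written for this article, not code from the author or from Spirent; it scores each written file's Shannon entropy and flags any process that touches an unusual number of distinct files with near-random content (or a ransom-style extension) inside a sliding time window. The process names, paths, extension list and event records are all constructed for the illustration.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from random import Random


@dataclass
class FileEvent:
    """One file-system event as an endpoint agent or Sysmon-style sensor might report it."""
    ts: float          # seconds since epoch
    process: str       # image name of the process that performed the operation
    path: str          # file affected (for a rename, the destination name)
    op: str            # "write" or "rename"
    data: bytes = b""  # bytes written (only meaningful for op == "write")


# Assumption: an illustrative watchlist of extensions appended by ransomware; not from the article.
RANSOM_EXTENSIONS = (".locked", ".crypt", ".encrypted")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: about 8.0 for ciphertext or compressed data,
    typically 4 to 6 for office documents and source code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _base_name(path: str) -> str:
    """Strip a known ransom extension so 'doc.docx' and 'doc.docx.locked' count as one file."""
    lower = path.lower()
    for ext in RANSOM_EXTENSIONS:
        if lower.endswith(ext):
            return path[: -len(ext)]
    return path


def detect_mass_encryption(events, window=60.0, min_files=10, entropy_threshold=7.0):
    """Flag any process that, within `window` seconds, writes near-random data to, or renames
    onto a ransom extension, at least `min_files` distinct files.

    Returns {process_name: peak number of distinct suspicious files seen in one window}.
    """
    recent = defaultdict(deque)   # process -> deque of (ts, base file name), oldest first
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "write":
            suspicious = shannon_entropy(ev.data) >= entropy_threshold
        elif ev.op == "rename":
            suspicious = ev.path.lower().endswith(RANSOM_EXTENSIONS)
        else:
            suspicious = False
        if not suspicious:
            continue
        q = recent[ev.process]
        q.append((ev.ts, _base_name(ev.path)))
        while q and ev.ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct >= min_files:
            flagged[ev.process] = max(flagged.get(ev.process, 0), distinct)
    return flagged


def build_sample_events():
    """Constructed sample telemetry (not real data): one ransomware process, one word
    processor saving documents, and one archiver producing a few compressed files."""
    rng = Random(2016)
    events = []
    for i in range(12):   # hypothetical ransomware encrypting 12 documents, then renaming them
        path = f"C:\\Users\\alice\\Documents\\report{i}.docx"
        events.append(FileEvent(1000 + 2 * i, "cryptor.exe", path, "write", rng.randbytes(4096)))
        events.append(FileEvent(1001 + 2 * i, "cryptor.exe", path + ".locked", "rename"))
    plain = b"Quarterly report: revenue up 4 percent; costs flat. " * 80
    events.append(FileEvent(1005, "winword.exe", "C:\\Users\\alice\\Documents\\notes.docx", "write", plain))
    events.append(FileEvent(1040, "winword.exe", "C:\\Users\\alice\\Documents\\todo.docx", "write", plain))
    for i in range(3):    # compressed output is also high entropy, but only three files in the window
        events.append(FileEvent(1010 + 2 * i, "7z.exe", f"C:\\Backups\\archive{i}.7z", "write", rng.randbytes(4096)))
    return events


def demo():
    return detect_mass_encryption(build_sample_events())


if __name__ == "__main__":
    print(demo())   # {'cryptor.exe': 12}
```

The archiver in the sample shows why entropy alone is not enough: compressed and already-encrypted files legitimately score near 8 bits per byte, so the detector requires many distinct files from one process inside a short window before it fires. Tune `min_files` and `window` against your own environment's normal file activity, and treat a hit as a trigger for isolating the host, not as proof on its own.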
Ransomware victims in 2016 have paid, often in bitcoin, to end the attack; Hollywood Presbyterian Medical Center, for example, paid about $17,000 in bitcoin to free its computers after ransomware took them offline. In another case, the University of Calgary said it paid $20,000 (Canadian dollars) to free its email system after being attacked in May 2016 by ransomware. The cost of ransomware can go way beyond the money demanded from the attackers, because it can cost much more for the technical support required to mitigate the attack and repair any damage. According to the FBI, ransomware victims reported total costs from such attacks of $209 million in the first three months of 2016, up from $24 million for all of 2015.
Enterprises need to take proactive steps to reduce their risk of falling victim to a ransomware attack. These include frequent vulnerability scanning and penetration testing, ongoing security education for all employees, consistent patching, up-to-date anti-virus software, email and spam filtering, and a comprehensive backup and recovery plan. Backups only help if the ransomware cannot reach them: keep at least one copy offline or otherwise isolated from the production network, and test restores regularly.
Although they rarely capture the imagination like state-sponsored cyber espionage, insider threats are an ongoing security problem. According to the 2016 Data Breach Investigations Report, conducted by Verizon with cooperation from a multitude of companies, there were 10,489 incidents that fit the category the report defines as insider and privilege misuse. Of those, 172 resulted in confirmed data disclosure.
Insider incidents can be the hardest of all security attacks to detect, because the actor is using access they were legitimately granted. That is why it is critical that organizations enforce least privilege and log and review the use of privileged accounts, regularly review software code for backdoors, scan systems for known vulnerabilities, and perform penetration testing to expose weaknesses.
Industrial Control Systems
We may not hear a lot about attacks on industrial control systems, especially those that run critical infrastructure such as electrical, water and transportation networks, but the concern is real. Many of these systems were built long before the Internet and are now connected to it. Legacy supervisory control and data acquisition (SCADA) networks are especially vulnerable because they were designed for isolated, trusted networks and have few built-in security controls: protocols such as Modbus/TCP carry no authentication, so anyone who can reach a controller on the network can send it commands.
Cyberattacks on ICS can have devastating consequences. Not only can they compromise data privacy and interrupt operations or critical services like electricity, they can also threaten the physical safety of individuals. That is why the U.S. Department of Homeland Security created the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), aimed at reducing risk within and across all critical infrastructure sectors through education and communication. ICS-CERT teams law enforcement, intelligence and federal, state and local government agencies with private-sector experts among control systems owners, operators and vendors, and collaborates with international and private-sector CERTs to share control systems-related security incidents and mitigation measures.
In early 2016, ICS-CERT issued an alert about coordinated cyberattacks on three regional energy distribution companies in Ukraine on December 23, 2015, which left roughly 225,000 customers without power. ICS-CERT said it shared the report for situational awareness and network defense purposes.
To help prevent attacks, organizations should use network segmentation, firewalls and DMZs to separate networks that contain mission-critical and SCADA systems from the corporate network, allowing only the specific protocols and hosts that operations require and denying everything else by default. Authentication, authorization and access control are required for direct and remote connectivity, as is securing any wireless connections. And it is more important than ever to subject critical infrastructure to real-world threat modeling and penetration testing, which identify security gaps before an attacker does.
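Segmentation is only as good as the rules that enforce it, and "the corporate LAN cannot reach a PLC" is a requirement you can test rather than assume. The following is an added example written for this article, not code from the author or from Spirent: a small first-match packet-filter model with a flat policy (the "before") beside a segmented, default-deny policy (the "after"), plus an audit that checks both against a list of flows that must be allowed or denied. The zone addresses, host IPs and rule sets are constructed for the illustration; the only real-world constant is Modbus/TCP on port 502.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: constructed addressing for an illustrative plant; not from the article or any real site.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),   # office workstations and servers
    "dmz":       ipaddress.ip_network("10.2.0.0/24"),   # historian / jump host between IT and OT
    "control":   ipaddress.ip_network("10.3.0.0/24"),   # PLCs, HMIs and SCADA servers
}


@dataclass(frozen=True)
class Rule:
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any
    action: str            # "allow" or "deny"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(policy, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> str:
    """First-match evaluation, as most packet filters do it. No match means implicit deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.proto in (proto, "any") and r.dport in (dport, None)):
            return r.action
    return "deny"


# The "before": a flat network. As far as the filter is concerned, anything can reach a PLC directly.
FLAT_POLICY = [Rule("any", "any", "any", None, "allow")]

# The "after": the corporate side reaches only the DMZ over HTTPS, only the DMZ may speak
# Modbus/TCP (port 502) to the control network, and everything else is denied by default.
SEGMENTED_POLICY = [
    Rule("corporate", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "control", "tcp", 502, "allow"),
    Rule("any", "any", "any", None, "deny"),
]

# Segmentation requirements expressed as flows that must be allowed or denied
# (constructed hosts: 10.1.5.7 office laptop, 10.2.0.5 historian, 10.3.0.10 PLC).
REQUIRED_FLOWS = [
    ("office laptop -> PLC Modbus/TCP",  "10.1.5.7",  "10.3.0.10", "tcp", 502,  "deny"),
    ("office laptop -> PLC RDP",         "10.1.5.7",  "10.3.0.10", "tcp", 3389, "deny"),
    ("office laptop -> historian HTTPS", "10.1.5.7",  "10.2.0.5",  "tcp", 443,  "allow"),
    ("historian -> PLC Modbus/TCP",      "10.2.0.5",  "10.3.0.10", "tcp", 502,  "allow"),
    ("historian -> PLC SSH",             "10.2.0.5",  "10.3.0.10", "tcp", 22,   "deny"),
    ("PLC -> office file share (SMB)",   "10.3.0.10", "10.1.5.7",  "tcp", 445,  "deny"),
]


def audit(policy, flows=REQUIRED_FLOWS):
    """Return the requirements the policy violates, as (description, expected, actual)."""
    violations = []
    for desc, src, dst, proto, port, expected in flows:
        actual = evaluate(policy, src, dst, proto, port)
        if actual != expected:
            violations.append((desc, expected, actual))
    return violations


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, audit(policy) or "meets all requirements")
```

The model checks the direction in which a session is initiated; a real, stateful firewall admits the replies to an allowed session on its own, so no rule for return traffic is needed. Two practical caveats: the DMZ host that is permitted to speak Modbus becomes the attacker's path into the control network and must be hardened and monitored accordingly, and a checklist like `REQUIRED_FLOWS` is most useful when run against an export of the live rulebase on every change, not just once at design time.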
As IoT spreads into our day-to-day lives in everything from appliances to fitness trackers and home security monitoring systems, so do the security challenges. Of even greater concern are IoT devices that have health impacts, such as medical robots or wearable devices used to monitor health and in some cases dispense medication.
What started as isolated IoT components, such as GPS receivers or tire pressure monitors in vehicles, has advanced into a complex Internet-enabled system. Connected cars are fueling the need for automotive security, and researchers have been exposing risks and weaknesses in connected cars for some time. With self-driving cars the stakes are even higher. In May, a driver was killed in Florida when a Tesla Model S with Autopilot engaged struck a crossing truck; the crash involved no cyberattack, but it has added new pressure to ensure the safety and integrity of connected cars.
In March, the FBI and National Highway Traffic Safety Administration jointly released a statement cautioning drivers of the increased risks that come with connected vehicles. The announcement details ways an attacker can access a vehicle’s network and driver data, discusses several demonstrated remote exploits, and outlines steps drivers can take to minimize risks such as ensuring vehicle software is up to date, exercising discretion when connecting third-party devices to vehicles, and tracking who has physical access to vehicles.
Providers of IoT devices need to ensure they take appropriate security testing measures before devices go out to the mass market. Device security needs to be built in, data needs to be encrypted and authenticated every time it is transmitted, and devices should alert on suspicious activity. Stringent testing is needed especially when employing newer protocols such as Zigbee and the IEEE 802.15.4 radio standard it is built on for wireless sensor networks. Consumers also need to follow the recommended setup of IoT devices and take simple steps such as changing default passwords when they purchase them.
About the Author
Sameer Dixit is a leader in cybersecurity with over 15 years of experience in penetration testing and security research. At Spirent, Sameer leads the ethical hacking and security research team called Spirent Security Labs.
Prior to Spirent, Sameer worked for leading security companies such as Trustwave-SpiderLabs and Cenzic Inc., where he led the penetration testing, vulnerability scanning and managed security testing services teams.
Sameer has contributed research for OWASP, and has been quoted in various industry-leading security and business publications such as Security Week, Business Insider, ZDnet, SC Magazine, and more. Additionally, he has spoken at various Cyber Security Threat Summits and Universities, has conducted webinars, and actively blogs on emerging Web & Mobile security trends.