Ask anyone involved in fighting cyber crime on a daily basis about what businesses should know, and the first thing they will say is that no organisation is immune.
The second most frequently raised point is that no business can afford to ignore cyber crime, which is estimated to cost the global economy around $445bn a year.
The losses are both direct and indirect, with many businesses citing downtime or lost productivity as a costly side-effect of some cyber criminal activity.
The reality is that every business connected to the internet can expect to fall victim to cyber crime at some point as criminals expand their ability to steal money directly or to turn stolen data into money.
The problem is that, while most information security professionals are aware of the threat cyber crimes poses to the business, senior executives are often unaware of the scale of the problem.
Despite increased media coverage of high-profile breaches, many top executives still believe their organisation has no valuable data and will not be targeted.
“But just being connected to the internet makes any company interesting to cyber criminals,” says Phil Huggins, vice-president of security science at global digital risk and investigations firm Stroz Friedberg.
“Any company connected to the internet is a resource that can be exploited by criminals because of the data it holds.”
However, there are indications that awareness is growing, with 61% of respondents to PricewaterhouseCoopers' 2015 Chief Executive Survey expressing concern about cyber threats and a lack of data security, up 13% from 2014.
LESSONS TO BE LEARNED: PART ONE
- Employees are the weakest link due to phishing and social engineering;
- Security awareness training for employees is essential;
- Credential theft and abuse is a common and powerful tactic use by cyber criminals;
- Cyber criminals target organisations with computing resources that they can rent out;
- Extortion, where data is held ransom, is an increasingly common cyber criminal activity;
- DDoS attacks or threats of DDoS attacks are also being used to blackmail businesses.
Cyber criminals collaborate
Another challenge is that cyber criminals collaborate across various groups to combine a wide variety of intelligence and attack methods.
“Cyber-crime operations generally use a combination of all the different exploits available and build a campaign layer by layer,” says Charlie McMurdie, senior cyber crime advisor at PricewaterhouseCoopers (PwC) and former head of the UK police central e-crime unit.
“They will do their research, they will look at open-source intelligence opportunities, they will look at physical vulnerabilities, they will look at what a target company is working on, they will use technical exploits, and they will send in phishing emails to get a foot in the door, so they can engineer themselves into a position they can cause more harm,” she says.
Social engineering through techniques such as phishing emails is a key and common element to all major cyber crime campaigns, which underlines the importance of cyber security awareness training.
Exploiting weaknesses to steal data
McMurdie says cyber criminals also commonly exploit weaknesses or gaps in policies and procedures, such as failure to check something more than once.
“Businesses should ensure they are able to detect and halt these blended types of attacks that are increasingly sophisticated in the types of malware and social engineering they use,” she says.
This trend is developing alongside an ever-growing volume of generic techniques used by cyber criminals to target businesses, demanding an ever-increasing defence capability.
Some businesses, but not all, are waking up to the fact that cyber crime campaigns are not just about technical attacks on the network, but exploiting any and all opportunities, says McMurdie.
Underneath it all, however, most cyber crime boils down to cyber-enabled theft of money or theft of data. Criminals use data either to commit other kinds of theft such as fraud, or sold to others to use in this way.
The value of personal data
Top data targets include intellectual property and databases of personal information about employees, partners, suppliers and customers which can be used for identity theft and fraud.
The quest for personal data is believed to be behind the recent cyber attack on US health insurer Anthem, that reportedly exposed the personal data of up to 80 million customers and employees.
“The more detailed and complete datasets a company holds about individuals, the more likely it is to be targeted by cyber criminals,” says McMurdie.
The computing domain is continually transforming or enhancing traditional crime, says Troels Oerting, former head of Europol’s European Cybercrime Centre (EC3).
The availability of a whole set of services – such as malware-as-a-service – is accelerating this trend, putting sophisticated cyber tools in the hands of criminals who do not have any cyber expertise.
“The use of cyber criminal services by a wider group of less technically minded criminals to carry out cyber crimes is a trend we see increasing,” says Archibald.
“Technique, tools, and approaches used to access company networks to commit cyber crime are now available much more widely available along with advice on how to use them.”
Anatomy of a bank robbery
Cyber space is being used to augment older crimes. For example, in 2013 a gang ordered five pre-paid debit cards from a bank in the Middle East and then hacked into the bank’s India-based cloud service provider to modify the card details.
The cards were given unlimited credit limits and the gang used 60 clones of the cards to withdraw $45m before the bank’s fraud detection systems activated to cancel the cards.
“Card cloning was taken to a new level and, in just a few hour, the criminals were able to net more cash than was stolen in traditional bank robberies in the US for the whole of 2013,” says Oerting.
The most recent example of cyber-enabled theft is the estimated $1bn siphoned out of 100 banks, e-payment systems and financial institutions in 30 countries by the multi-national Carbanak gang.
The cyber criminals began by gaining entry into an employee’s computer through spear phishing to steal credentials and track down administrators’ computers for video surveillance.
This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems, the investigation by Kaspersky Lab, Interpol and Europol revealed.
In this way, the fraudsters got to know every detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money out of accounts undetected for at least two years.
LESSONS TO BE LEARNED: PART TWO
- Cyber criminals are increasingly masquerading as company officials to divert payments;
- Businesses are being tricked by email notifications into sending payments to criminals;
- Blended attacks are becoming increasingly common using any and all opportunities;
- Good data governance policies and processes are key to limiting harm in a breach;
- Keeping all software up to date ensures criminals have fewer weaknesses to exploit;
- Collaboration across industry and with law enforcement is key to fighting cyber crime.
Criminals choose new targets
Security researchers say this marks a significant step in the evolution of cyber crime against financial institutions, because it targets them directly and not their customers.
Until recently, cyber criminals have mainly used relatively low-level techniques to target bank customers conducting transactions online or by stealing payment card credentials and data to commit fraud.
But now some cyber criminals are turning their attention to key banking staff, with a view to stealing their identities to work in banking systems and steal cash.
“Payments that appear to be ordered or authorised by high-ranking banking officials are relatively unlikely to be challenged by low-ranking officials,” says Troels Oerting.
He warns that similar tactics could be used in business, where cyber criminals could impersonate chief financial officers and the like, to approve payments to criminals' banking accounts.
Oerting says that, by infiltrating company back-end systems and impersonating company executives, criminals could also alter payment details to divert funds to accounts under their control.
McMurdie says some criminals simply craft a plausible looking e-mail, supposedly from a supplier to the accounts department, to trick them into making invoices that can be worth millions or hundreds of thousands payable to accounts controlled by the criminals.
Stealing processing power
Another trend in the finance sector is cyber criminals gaining footholds in organisations and taking control of IT infrastructures to rent out the processing power of computers on the networks.
Investigators at Stroz Friedberg have seen instances where criminals have hacked into organisations to tap into the power of their super computers.
The most common criminal exploitation of supercomputers is to make unauthorised use of their processing power to mine bitcoins for profit.
“Often when we are called in to investigate something we will find a whole series of low-level compromises used to exploit the computing resources in organisations,” says Huggins.
“This type of low-level access to company networks and resources within and outside the financial sector is commonly traded by cyber criminals on underground markets.”
According to Huggins, the type of employee impersonation used by the Carbanak gang is also appearing outside the banking industry with criminals defrauding some e-commerce firms using man in the browser attacks.
This technique takes advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions.
Any business conducting browser-based transactions needs to be aware of this technique and implement security controls to detect and block it.
This technique is also used to hijack online banking sessions, so e-commerce firms would be advised to forge strategic partnerships in the banking industry to help defend against this type of attack.
Holding encrypted data to ransom
Another growing trend is for cyber criminals to hold data to ransom. Typically attackers breach a company network and then encrypt key data. They then demand money for decrypting the data.
“More companies pay up than would care to admit because they face a very tough choice: either they pay up or they have implement disaster recovery procedures,” says Huggins.
Criminals are increasingly targeting government agencies, municipalities and businesses alongside individuals with so-called "ransomware", malware that locks up data or websites so that a ransom can be demanded, says Troels Oerting.
A recent case involved a municipality in Denmark that came under a heavy attack from an Eastern European criminal organisation that took over the municipality’s servers. The attackers claimed they had encrypted and locked the data. They said the data would be unlocked only if a ransom was paid.
Ransomware is becoming a lot more sophisticated, says Charlie McMurdie. “There is now far more research going into the ransomware that is being used by cyber criminals as part of an overall trend towards an increasingly sophisticated approach,” she says.
The same is true of phishing attacks, which tend to be of a far better quality than has been seen before. “Cyber criminals are researching and using the names of people to make them more plausible and effective in manipulating people in organisation,” says McMurdie.
Some cyber criminals have even gone so far as to set up fake company websites and use them to lend credibility to phishing emails.
Distributed denial of service (DDoS) attacks are now also being used in a similar way to how ransomware makes money out of a businesses, and Oerting expects this trend to grow.
“Cyber criminals are hitting mainly internet-dependent business with DDoS attacks to block access to the company’s website, and then following that up with demands for payment and a threat to continue until payment is made,” he says.
Executives struggle with response
While there may be a growing awareness of cyber threats and the need for data security among top executives, McMurdie says many are still struggling to put in place or identify exactly what their response to this every increasing threat should look like.
Many feel overwhelmed by the threat, but the size of the problem should not be used as an excuse by companies of any size to do nothing, says Seth Berman, executive managing director at Stroz Friedberg.
“Once companies understand why they are attractive cyber criminals, they should assume they will be targeted and even breached, and plan accordingly,” he says.
The NCCU’s Andy Archibald says that, while cyber criminals are becoming increasingly sophisticated at the high-end, the bulk of the cyber crime is still unsophisticated.
Simple precautions in a risk-based approach
“The cyber crime targeting small and medium business tends to be relatively unsophisticated, so by taking some simple precautions such as those set out in the government’s Cyber Essentials scheme, businesses can reduce the likelihood of becoming a victim of cyber crime,” he says.
Archibald says that, if all companies simply ensured their most valuable data assets had some protection around them and their software systems were kept up to date, that would go a long way in reducing the risk of cyber crime.
“This includes ensuring that employees are aware they are working in an environment where cyber criminals are continually trying to copy or manipulate data and behave appropriately in the way they handle data and deal with emails, so they do not become unwitting accomplices to cyber criminals,” he says.
Berman says that, while cyber crime will never go away, there is a lot companies can do to reduce the risk to the business.
“The reality is that companies cannot plug every security hole, but a proper risk assessment will help prioritise investment and plans of action. A risk-based approach will ensure that companies are more resilient, that they will be able to respond quicker to threats, and that networks are properly segmented,” he says.
Instead of focusing only on building higher, thicker walls, this approach ensures that when fireballs do come flying over the walls, the company has some water buckets ready to put out the flames
Restricting attackers' movements
By segmenting networks, businesses can ensure that only authorised employees are able to access appropriate data assets. Segmentation also helps to restrict the movement attackers.
“Restricting the movement of attacker gives businesses more time to respond and limits the amount of damage the attackers can do,” says Berman. A lack of segmentation at Sony Pictures allowed attackers free reign once they were on the network
If organisations assume they will be breached at some point, that helps to further refine the risk-based priorities, says Huggins. “Instead of focusing only on building higher, thicker walls, this approach ensures that when fireballs do come flying over the walls, the company has some water buckets ready to put out the flames,” he says.
McMurdie says businesses can also reduce risks by continually reviewing and improving their policies and processes around data governance.
“There are a lot of non-technical measures that can be taken in an organisation in policy and processes to prevent a lot of harm being caused,” she says.
Supply chain incentive
One of the main reasons all companies are attractive to cyber criminals is the fact that they are connected to other people and organisations.
For this reason, after the company’s employees, the supply chain is often the next weakest link, with some large organisations linked to as many as 400,000 suppliers.
“Cyber criminals know that the more interconnections there are, the more weak links there are that can be exploited, especially if the supply chain is not properly managed in terms of cyber security,” says Huggins.
Berman says a collaborative approach is key to making supply chains more resilient in which security information is shared between companies and bigger, better resource players help smaller companies to meet minimum security standards.
“Bigger organisations can raise the security of their supply chains by sharing capabilities and working together to achieve a common goal in the same way that cyber criminals do to great effect,” he says.
Security in every business process
McMurdie says businesses need to recognise that cyber security is not just a concern of IT, but that all businesses processes need to harmonise together to address cyber threats.
But, she says, mapping internal processes and checking internal policy, processes and governance, that is not enough without continual testing and improvement to keep up with the ever-evolving threat.
“All businesses should seek to emulate industry leaders who are realising that cyber security is not an isolated part of the business,” says McMurdie.
“They are now looking to embed cyber security in all aspects of their business processes, including those relating to customers, suppliers, point of sale systems, and mobile devices,” she says.
According to the NCCU, cyber criminals are increasingly exploiting the relative lack of user awareness on how to use mobile access to corporate networks securely.
Criminals are attacking businesses by taking advantage of the fact that user behaviour changes when people are away from the office, says Archibald.
“If businesses are attacked by cyber criminals, it is essential there is an incident response plan in place and that everyone knows what their responsibilities are in responding and recovering,” he says.
Law enforcement works with industry
Archibald says law enforcement has made “real progress” in this regard in the past 18 months, with membership the UK government’s Cyber Security Information Sharing Partnership (CISP) increasing significantly.
“The sharing of attack details through that is giving us greater situational awareness and the opportunity to engage directly with companies who have been victims of cyber crime. Industry is making a valuable contribution in helping us to identify and prioritise threats,” he says.
Archibald chairs a joint law enforcement and cross-government board that meets every second month with industry from a range of sectors.
“Through a forum with the British Bankers Association we have access to the banks through regular meetings in a formal setting,” he says.
Through this engagement, industry is also helping law enforcement officers with some operational activity such as helping organisations hit by cyber crime to recover and clean up after attacks.
“We are seeing a joint effort against attackers, especially in terms of offering advice on protection, prevention, and recovery,” says Archibald.
“We have made a good start which has taken us to an unprecedented level of co-operation and capability, and now it is important that we continue to build on that to become increasingly proactive in fighting cyber crime,” he says.
There are several ways Archibald would like to take this initiative forward, such as joint intelligence operational groups.
“There is an enthusiasm and willingness on both sides to work much more closely together, to deal with the cyber threats we collectively face,” he says.
Archibald believes that national and international collaboration with Europol and Interpol is vital to making progress in fighting cyber crime through building up shared knowledge and capability. The message to business is to get involved – to avoid being a victim.