The Evolving Cyber Threat Landscape
The InfoSec Consulting Series #14
By Jay Pope
My consulting experience has taught me that most project managers don’t give a great deal of thought to cyber threats until they make the headlines, the WannaCry attack that crippled much of the NHS being a prime example. But of course, threats come from a variety of sources, some of which may not be, at first sight, malicious. So, how is the cyber threat landscape set to change over the next few years and what are the threats businesses need to worry about?
In previous years the headline threat was ransomware, locking up crucial files and demanding payment to release them. While the ransomware threat is still out there, 2018 saw a decline in attacks. The way ransomware is used is changing too: it’s now often used as a distraction technique to occupy security teams and hide a more direct attempt to exfiltrate data or money elsewhere. In a classic example of cyber criminals following the money, the high value of cryptocurrencies in the early part of this year has seen a huge increase in cryptocurrency mining. Installed in drive-by attacks from infected web pages, the miners steal CPU time to mine currencies. Easy money for the criminals and a pain for everyone else. With some nations known to have sophisticated cyber-attack capabilities, another major worry – though we have yet to see its full impact – is a nation state attack. Targets of such an attack are likely to be internet service providers, critical infrastructure such as power and water supplies, and potentially industries such as pharmaceutical, chemical and electronics production.
While businesses and governments are making increasing investments in defensive systems, including the use of artificial intelligence to spot threats and carry out operational tasks, it remains true that in many cases the human element provides the weak link allowing attackers to penetrate. Social engineering remains a successful attack vector. Phishing emails are a popular mechanism, often carefully targeted at senior executives or finance departments. But email is not the only technique used; in some cases, employees can be tricked via phone calls.
The cyber threat landscape is never static. As we’ve seen, there have already been shifts in the nature and focus of attacks in the last few months. Predicting how it will change in future is difficult, as there are likely to be developing threats that we are not currently aware of. That said, there are some areas of the threat landscape that we can confidently predict. We’ve already talked about nation state attacks, and these are set to become a larger part of the cyber threat landscape. There are several possible routes that this could take, the most likely being espionage to steal information. There is, however, also the possibility of more direct attacks seeking to bring down or disrupt infrastructure or industries.
Emerging technologies are also likely to become subject to attacks. We’ve already seen Internet of Things devices recruited into botnets. This is something that’s probably going to get worse as more and more of the gadgetry we use in our everyday lives becomes connected, providing a bigger attack surface for hackers. We’re going to see these attacks targeting new sectors too. There have already been proof-of-concept attacks against cars, targeting locking and braking systems. As more self-driving vehicles take to the roads, the ability to use these to create disruption becomes a serious possibility. While defenders are increasingly putting their faith in machine learning and artificial intelligence to spot attacks, there’s plenty of evidence that the attackers are turning to AI as well. Recent attacks against honeypot systems set up by researchers have revealed a worrying level of automation used to make it easier for human attackers to follow up and steal data.
In the face of this fast-moving cyber threat landscape, what steps can CISOs and management take? It’s important to determine what information the business holds – in terms of personal information, GDPR requires you to do this anyway – but also which systems are crucial to operating and generating profits. Once you know what needs protecting, you can start to look at cyber security strategy. How are systems protected and how is that protection tested? Are levels of spending on cyber security adequate? Does the business have the appropriate skills in-house or is it reliant on a third-party service provider? Has the Cloud Product Group(s) carefully considered the shared responsibility model of the Cloud Platform and identified an appropriate controls framework? How exposed are you to the public cloud and what’s the policy on shadow IT and allowing staff to use their own devices?
It’s important to look beyond the boundaries of the organisation too. Digital transformation projects have brought about increasing levels of integration between supplier and customer systems. You may be confident that your data is safe on your systems, but can you say the same of the third parties you’re sharing it with? How do you track the security of data flows with your Information Exchange Partners (IEPs)?
You then need to consider how you would respond if a breach occurred. Again, GDPR rears its head as it imposes certain obligations, but the business response needs to go beyond that. It’s crucial to recognise that a data breach is not solely an IT problem. It has implications for PR, legal, HR and other areas – indeed it could impact the entire business. This, in turn, feeds into disaster planning, which is no longer just about the risk of power outages or floods. Businesses are also increasingly looking at insuring themselves against the risks posed by a major cyber-attack.