4 November 2015

Emerging Cyberthreats: What, When, Where and How?


Last Monday, Gov. Rick Snyder said Michigan state government faces 2.5 million cyberattacks (on average) every day.

“I believe we actually are getting attacked more,” said Snyder at the North American International Cyber Summit in Detroit.

“But secondly, we’ve improved our practices to actually detect more attacks — because that’s something out there that we probably are attacked even more than two-and-a-half million times a day.”

What happens after an attack? If the attackers are stopped, the online battle keeps raging on — and on. But if the attackers are successful, personal identity theft could be one devastating outcome.



Two cyber attacks this year at Anthem and Premera Blue Cross health benefits companies have potentially exposed millions of Americans — including hundreds of thousands of Tennessee residents — to identity theft and fraud by cyber criminals.

In March, Premera Blue Cross officials said that the information of 11 million U.S. consumers was at risk, including the information of more than 16,000 Tennessee insurance consumers.


"Espionage is happening at a rate we have never seen before," said Denise Zheng, a deputy director at the Center for Strategic and International Studies. ...

"This is a global problem. We don't have a malware problem. We have an adversary problem. There are people being paid to try to get inside our systems 24/7," said Tony Cole, vice president of the cyber security firm FireEye.

No doubt, different organizations have varying definitions and thresholds for what constitutes a “cyberattack” versus a “security incident” versus a phishing email attempt, but that is a different blog for another day.

Details Please: What are these cyberattacks and where are they coming from?

A few great sources for understanding these emerging cyberthreats, industry attack trends, sources of threats and mitigation techniques, include reports and white papers from security industry leaders. Here are a few (free) resources to consider, along with a small excerpt with some recent data from each: 
Symantec 2015 Internet Security Threat Report — Advanced attackers targeted 5 out of 6 large companies in 2014, an increase of 40% over 2013. 2014 had 24 zero-day vulnerabilities. Meanwhile, attackers are streamlining and updating their techniques while companies struggle with old vulnerabilities.

McAfee Labs Threat Report — “Ransomware continues to grow very rapidly — with the number of new samples rising 58% in Q2.” 

Trend Micro Security Research and Trend Analysis — “Cybercriminals continue to enhance their tools to improve the effectiveness of cyber attacks. Tried-and-true crimeware such as the Black Hole Exploit Kit, automatic transfer systems, and ransomware have been refined and improved in ways that demonstrate how malware development has become increasingly professional in rigor, discipline, and methodology. We see this sophistication play out particularly in highly targeted, advanced persistent threats that are fast becoming the cyber threats to lose sleep over because traditional detection and prevention tools are no longer adequate….” 

Missouri Chief Information Security Officer Mike Roling and his government security team do an excellent job of describing various forms of cyberattacks that are faced by global organizations and even individuals at home. Using a Halloween-weekend theme, the Missouri Cybersecurity Blog describes how Malware Wears Costumes Too. They cover: Trojan Horses, Drive-By Downloads and Malvertising, social engineering through malicious links and scareware, and more.

The sources of these cyberattacks vary widely, but include organized crime, foreign governments, adventurous researchers with good or bad intentions and insider threats from employees. This report describing cyberthreats from the United Kingdom (UK) Government does a nice job of describing ongoing security threats online.

More Emerging Threats

Georgia Tech covers five major areas in its Emerging Cyber Threats Report 2015. These areas are: 
Technology enables surveillance, while policy lags behind. 
Attackers continue to target the trust relationship between users and machines. 
Mobile devices fall under increasing attack, stressing the security of the ecosystem. 
Rogue insiders cause significant damage, but solutions are neither simple nor easy. 
Low-intensity online nation-state conflicts become the rule, not the exception. 

Other cyberthreats that are emerging include asymmetrical warfare.

"Cyber warfare doesn't require a significant number of troops or a superior set of bombs," said cybersecurity expert David Kennedy.

Iran is building its cyberwarfare capabilities faster than experts "would have ever imagined." Attacks by Iranian hackers have targeted the military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals and aerospace industries, among others, and have taken place at over 50 companies in 16 countries — 10 of which have been in the US.


What Can Be Done?

“You will write a check to someone.” That is the message delivered to executives around the country by Chris Pogue of Nuix. Pogue added that if you take appropriate protective measures for online assets, such as mitigating cybervulnerabilities, conducting penetration tests, building good cyberdefense intelligence and ensuring that the right team is in place, the check will be much smaller overall than the bill you pay when a data breach inevitably happens.

Chris was one member of the emerging threats panel that I moderated at the SecureWorld Dallas event this week. The other panelists were Ben Desjardins from Radware, Lucus Morris from CroweHorwath and Dan Geisler from WatchGuard.

Pogue's comments reminded me of the car commercial on the importance of oil changes. The message used to proclaim, “Pay me now or pay me later.” But this situation is even more serious with the stakes much higher for global enterprises.

The comments from the panelists covered emerging mobile (smartphone) threats, cloud computing threats, evolving malware, application security threats and insider threats from internal staff. The panelists highlighted the importance of patching servers, stopping known threats after risk assessments, establishing good partnerships in cybersecurity and data sharing with Information Sharing and Analysis Centers (ISACs), law enforcement agencies and other government organizations.

Should organizations “hack back?” The answer is generally no, unless you work for the Department of Defense (DoD). This recent article from PCWorld explains this complicated topic in detail. Here’s an excerpt:

Daniel Garrie, founder and editor in chief of the Journal of Law and Cyber Warfare, said countries’ varying attitudes towards cyber warfare make it harder to establish standards between the U.S. and other countries.

“Not only is there no playbook for countries and companies looking to respond to a cyberattack,” said Garrie, “but there are arguably a hundred different playbooks, for each country, making the appropriate and permissible response all the more challenging.”

In some countries, Garrie said, hacking is “not per-se illegal and it is certainly not taboo or shameful.” On the contrary, Garrie continued, “it appears in some countries that such activity is encouraged.”

No matter how sweet it seems, revenge remains an option the U.S. government doesn’t openly engage in. While it’s tempting to fight back against perpetrators aggressively, a tit-for-tat approach risks creating more problems than it would solve.

Final Thoughts

On Friday, Oct. 30, the White House released this blog on “Modernizing Federal Cybersecurity” from Tony Scott, which described next steps on federal cybersecurity after the recent review following the OPM and other federal breaches. Here is an excerpt:

“Today, the state of Federal cybersecurity is stronger than ever before. Agencies are utilizing significant resources to protect our Nation’s critical infrastructure and to improve performance in this critical area. However, there are no one-shot silver bullets. Cyber threats cannot be eliminated entirely, but they can be managed much more effectively. CSIP helps get our current Federal house in order, but it does not re-architect the house. Alongside today’s CSIP release, we are also issuing guidance to agencies on Fiscal Year 2015 – 2016 Federal Information Security Modernization Act (FISMA) and Privacy Management. ...”

I want to reiterate one line which I really like from Mr. Scott, and which I have been saying for a long time. “Cyber threats cannot be eliminated entirely, but they can be managed much more effectively.” Like stopping other forms of crime, there are steps that can be taken to make a big difference, so let’s not just throw in the towel and assume that emerging cyberthreats cannot be stopped.

I urge readers to examine these various new and emerging cyberthreats, including trends, white papers, international reports and potential solutions. Strive to improve in your mitigation of these cyberthreats as we head into 2016.
