Attackers unite, so should defenders
Solitary hackers still prowl cyberspace, but teamwork is the real trend (and threat!) of today. Only a few years ago an attack performed by a team was mostly something to boast about while sipping beer with your buddies. Now it’s the key to success, and not just because contemporary cyber walls are too thick for a single intruder.
Picture a hacking team with access (never mind how, for now) to a targeted company’s AI: specifically, the ability to tamper with the machine learning of that particular network, even if the rest of the perimeter is guarded better than a nuclear warhead depot. With fairly simple manipulations the image recognition system of the target’s video surveillance can be “alternatively educated”. Then, seeing a physical intruder on the premises, the cameras will not bashfully turn away; they will simply go blind to that individual, so a team member can sneak in and reach the most protected areas in person.
Ok, it may sound a little too “mission-impossiblish”. But the fact is: hackers effectively unite to distribute responsibilities and organize powerful attacks that are short in duration and often hard to notice. The techniques they use evolve at the pace of Internet growth, i.e. very fast; moreover, intruders are free to pick their tactics for any specific attack and change them just as rapidly when they run into unbreakable obstacles. The scenario described above is not extraordinary: attacks are sometimes designed as cyber-physical, where fooling the system simplifies real trespassing. Or vice versa, where the breach starts with physical trespassing in order to get hooked into the target’s system.
The defending side’s proactive measures should also be organized team-wise, but for a target the scenario is quite different. Breach risks are no longer a headache of the IT department alone, as they may jeopardize the entire business: sensitive data leaks, exposure of third parties, etc. So today top management, together with branch supervisors, most surely finance and at times even marketing and communications, must have a data breach response protocol ready, just as for other critical cases. The trend emerging around these measures is insurance against possible data loss/exposure risks. This step has been under consideration for a while, so again, it is not brand new. But the biggest such insurance contracts, and so far the corresponding reimbursements, have not hit the news yet.
Remote control
“Home office” is probably the most distinctive recent trend. Its key features resemble childhood maladies: its birth was quite sudden while its growth was (and still is) explosive, both due to the pandemic nature of the trend itself. When introducing remote mode, companies were, of course, considering security matters. But often, given the urgency of a rapid switch, protection was thought over less attentively.
Attackers prefer easier targets: rather than going head-on against a now stretched, but still well-defended corporate infrastructure, they search for vulnerabilities in remote desktop protocols and/or aim for personal devices that may have access to corporate networks. Again, attack designs are more complex than simple direct breaches. For example, obtaining some corporate data from personal devices is knowingly a preparatory stage. Then, with the help of skilled social engineering and chunks of corporate information collected by other means (which pile up into a significant database), the main attack, causing much bigger harm, is performed.
As the word “clandestine” almost directly refers to espionage, a clandestine attack design is widely used to siphon highly sensitive data from businesses. Such attacks are performed with a kind of technical grace, using fileless malware. This method utilizes OS-embedded processes and tools; there is literally nothing written onto disks, which makes it much harder to detect than “regular” malware. According to ESET findings, in 2021 more of such attacks will target government institutions rather than business entities.
Protective measures for the defending side usually include hardening of corporate access policies. It makes remote work less convenient, but, as the business growth experts of Mobius Institute note, “in the corporate world reliability is often over convenience”. Incidentally, the same business education institution keeps calling: enlighten your staff, partners and everyone involved about cyber security and teach at least basic information safety skills.
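Because fileless activity leaves nothing on disk to scan, detection has to come from process telemetry instead. The following is an added example, not code from the original post: a small scoring pass over process-creation events that weighs which built-in script host ran, what launched it, and what its command line asked for. All event records, process names and command lines are constructed for illustration.

```python
import re

# Built-in script hosts that fileless techniques typically ride on.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe"}
# Document-handling programs that normally have no reason to spawn them.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
# Command-line traits pointing to in-memory execution or remote code fetch.
SUSPICIOUS_ARGS = [
    (re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"downloadstring|invoke-expression|\biex\b", re.I), "download-and-eval"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"https?://", re.I), "remote URL in arguments"),
]

def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    if image not in SCRIPT_HOSTS:
        return 0, []                      # not a script host: nothing to weigh
    score, reasons = 1, ["system script host"]
    if parent in DOCUMENT_PARENTS:
        score += 3
        reasons.append("spawned by " + parent)
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(event["command_line"]):
            score += 2
            reasons.append(label)
    return score, reasons

def detect(events, threshold=3):
    """Return ids of events whose score reaches the alert threshold."""
    return [e["id"] for e in events if score_event(e)[0] >= threshold]

# Constructed telemetry: a routine admin script, a normal Word launch, and a
# document-spawned, hidden, encoded script host (no file ever hits the disk).
EVENTS = [
    {"id": 1, "image": "powershell.exe", "parent_image": "explorer.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"id": 2, "image": "winword.exe", "parent_image": "explorer.exe",
     "command_line": "winword.exe /n C:\\Users\\me\\quote.docx"},
    {"id": 3, "image": "powershell.exe", "parent_image": "winword.exe",
     "command_line": "powershell.exe -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1Q="},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], score_event(e))
    print("alerts:", detect(EVENTS))
```

The routine script scores too low to alert on its own; the weights and thresholds are illustrative and would be tuned against an environment's normal parent/child process pairs.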
Human factor still the biggest issue
“It is in human nature to make mistakes.” Or “nobody’s perfect”, and a dozen other perfectly valid excuses. The same question has to be asked in response to all of them: pure nonchalance or intent? Amusingly, the answer hardly matters: about 90% of commercial data breaches are caused by employees’ negligence. More than that, such shockingly high figures date back to the mid-2010s and have fluctuated only within a single-digit range ever since.
The further breakdown goes roughly like this:
- malware, whose actions are more or less automated and not directly connected with human operations: decreased to 15.5% in 2020 from 19% in 2017;
- software failure/unreliability: the same steady 17% over recent years. Note that the freshest data on software performance in “home office” mode are still to be collected and analyzed;
- the remaining percentage belongs to accidents of/at third parties. This includes negligence of service providers, although various surveys attribute only 11% of total breaches to cloud service providers and the like.
A little more statistics: Grand View Research estimated the Western cyber security market at USD 166B in 2020, with a predicted compound annual growth rate of 10% and an estimated size of just short of USD 330B in 2027.
Two honorable mentions are in order here, although they are not only about B2B.
Number one: highly flexible and sometimes truly elaborate social engineering keeps bringing cyber criminals their loaf of bread, often the entire sandwich. Phishing, scam schemes, those extra-notorious letters from Nigeria: hard to believe, but even the latter technique still works, despite the growing level of average information literacy. The most contemporary (but also not brand new) phishing trends are: promoting platforms designed almost identically to the verified ones, and pretending to be law enforcement representatives already investigating previous phishing schemes, where the same credit card or similar data are “required” to proceed with the inquiry.
Email phishing has entered the corporate segment too, particularly in the form of “man-in-the-middle”. For example, intruders who have information on a prospective contract substitute addresses with, again, very similar ones. As email exchange usually goes in chains of messages, the fake participant is harder to detect. On many occasions the fraud is discovered only after financial transactions are completed.
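The address-substitution trick just described can be caught mechanically before money moves: compare every sender domain in a thread against the partner domains already known to the business. The following is an added example, not code from the original post; the partner names, addresses and thread contents are constructed, and the homoglyph table is deliberately small.

```python
from difflib import SequenceMatcher

# Character swaps that make a forged domain look like the real one on screen.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize_domain(domain: str) -> str:
    """Fold common look-alike characters so 'acrne-c0rp' reads as 'acme-corp'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def is_lookalike(candidate: str, trusted: str, threshold: float = 0.8) -> bool:
    """True if candidate is not the trusted domain but sits suspiciously close to it."""
    if candidate == trusted:
        return False
    if normalize_domain(candidate) == normalize_domain(trusted):
        return True                       # differs only by homoglyphs
    return SequenceMatcher(None, candidate, trusted).ratio() >= threshold

def audit_thread(messages, trusted_domains):
    """Return indices of messages whose sender domain impersonates a known partner."""
    flagged = []
    for i, msg in enumerate(messages):
        dom = domain_of(msg["from"])
        if dom in trusted_domains:
            continue                      # genuine participant
        if any(is_lookalike(dom, t) for t in trusted_domains):
            flagged.append(i)
    return flagged

# Constructed thread: the first two messages are genuine; the last two come
# from substituted domains (an 'rn' for 'm' swap in each).
THREAD = [
    {"from": "cfo@acme-partner.example", "subject": "Re: contract #42 payment"},
    {"from": "buyer@our-company.example", "subject": "Re: contract #42 payment"},
    {"from": "cfo@acme-partner.exarnple", "subject": "Re: contract #42 payment"},
    {"from": "cfo@acrne-partner.example", "subject": "Re: contract #42 payment"},
]
TRUSTED = {"acme-partner.example", "our-company.example"}

if __name__ == "__main__":
    print("suspicious messages:", audit_thread(THREAD, TRUSTED))
```

A check like this belongs on the inbound mail path or in the payment-approval workflow, where a flagged message can hold a transfer until the counterpart is confirmed out of band.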
The same Q&A pair has remained unchanged since, like, the Wild West times, if not earlier:
– Why are you robbing banks? – Because they got money!
Yet modern banking systems are well protected, so malevolent people are turning their attention to non-banking entities that offer certain monetary instruments: gaming portals where achievements can be exchanged for provisional “gold” and vice versa, Internet and mobile providers with developed money-convertible bonus systems and financial accounts tied to customer IDs, etc.
The second honorable mention is the “Internet-native” youngsters: millennials and even more tender ages. Even with parental control tools fully active, teenagers tend to behave insecurely online, which is not so much about direct financial losses or other types of fraud, but rather about deeply affecting young personalities and attitudes. Openly scary issues like suicidal movements, teenage gangs or school shootings are beyond the scope of this post, although probably for the first time we are witnessing “Internet-nativity” having a palpable impact offline.
Automation of analysis, including behavioral models, is seen as a solution to this matter. Proactive content monitoring will not only counter existing destructive trends, but is likely to detect the coming ones as well. The additional concern, personal and much easier to act on, is to keep the kids away from devices that are used in parents’/relatives’/guardians’ business activities.
Integral approach to protection
We are willfully omitting another coming trend, Internet of Things safety, particularly because these roads, still largely under construction, are already known. Each device needs its own protection; and obviously not only small appliances, but also systems as big as a smart city or transportation facilities, could be attacked.
As we mentioned earlier, today information security matters should be considered as important as, dare we say, COVID-19 protection. From basic cautious behavior on every level of an enterprise to automated monitoring and tight cooperation of everyone responsible for a company’s safety: only an integral approach will keep sensitive data intact and intruders away.
As breaches can be costly, so are today’s protection measures. Not every entity can afford a full information security team on premises. Various outsourcing options are available: starting with an independent information security audit performed at your request, and all the way up to establishing cooperation with a Security Operations Center or a Managed Services provider specializing in security matters. We’ll also omit your safety-related headache and CAPEX issues, since in such cooperation there are virtually none.
Another protection method, the penetration test, stands somewhat apart. Like in military drills: “The best way to repel an attack is to simulate one”. Pentests, conducted by seasoned professionals from security-minded IT providers, imitate attacks on a client’s perimeter, infrastructure, etc., sometimes revealing vulnerabilities nobody had even imagined. Another pentest benefit is that it cannot harm the existing system: even with multiple holes in a client’s network, the imitated attacks only point out the weak links without changing anything.