With recent hacks of organizations ranging from Yahoo! to Wendy’s to the U.S. presidential campaigns, cyber-attacks continue to evolve in their frequency, severity and complexity. While 2016 was marked by several high-profile incidents, 2017 promises to present entirely new challenges that will continue to push organizations to enhance both their front-end preparedness measures and response to live cyber-attacks.
Here are five key trends to monitor:
- Distributed Denial-of-Service (DDoS) attacks are increasing in volume and becoming much more sophisticated with the rise of Internet of Things (IoT) devices.
In October 2016, we saw a prominent attack against an Internet directory service that knocked dozens of popular websites offline. Although DDoS attacks have historically used large networks of compromised computers — called botnets — to send destructively overwhelming traffic to the sites they target, recent examples have expanded in size and scope. Instead of a computer network, threat actors are now manipulating IoT devices to build the damaging botnet. Unfortunately, IoT devices, which include interconnected products like security cameras or cell phones, are cheaply manufactured and notoriously insecure, which makes them susceptible to compromise.
Companies should ensure that their communications plans account for a significant outage and include a plan for communicating with customers if their website is down.
- Reports suggest that ransomware threats to companies and organizations continue to rise, holding data, intellectual property and critical systems hostage.
Beyond the business decision of whether or not to pay the ransom fee (now routinely paid in untraceable bitcoin, versus unmarked bills in a non-descript briefcase), the reputational risks inherent to both possible approaches warrant careful advance consideration. If an organization pays the ransom, it opens itself up to future attacks and escalating ransom demands. If an organization does not pay, however, it risks tarnished stakeholder trust and jeopardized brand equity by failing to protect its business and/or its customers’ information at all costs.
Companies should go through the process of determining under what circumstances they would and would not pay a ransom. Doing this ahead of time will make decision-making in the moment much easier.
- The European Union General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive in 2018 and will impose broader breach notification obligations, among other requirements – but industry media coverage suggests that many companies are not prepared.
The General Data Protection Regulation (GDPR) was adopted by the European Parliament in April 2016 and will replace the Data Protection Directive in 2018. Under the GDPR, a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” According to IAPP, this broad definition differs from that of most U.S. state data breach laws and, for communications purposes, creates a new requirement to begin notification processes no later than 72 hours after becoming aware of a personal data breach.
Any company that holds data on EU citizens should ensure that it has established teams in-country who can assist in the notification process. Local representation is critical for managing cultural nuances when notifying customers of an incident.
- Cyber security policy: nation-state attacks are likely to escalate.
It’s likely that the United States will take a much more aggressive stance toward responding to cyber attacks. As evidenced by previous attacks on Sony Pictures and many critical infrastructure providers over the past few years, it’s possible that businesses will be caught in the middle and become the victims of advanced attacks. Further, there will be continued debate over civil liberties, as well as conflict between law enforcement and technology companies over the circumstances under which the government can force companies to share information about customers and whether they will be required to “unlock” or otherwise compromise technology.
All companies should ensure they have a documented strategy and messaging that explains under which circumstances they will provide information to the government.
- Media coverage and industry analysis are reporting that corporate spear phishing attacks are increasing, often around tax season, and are getting even more brazen in nature.
In 2016, more than 55 companies announced they had fallen victim to tailored schemes responsible for stealing W-2 tax records of employees. These ploys come in a variety of forms (e.g., email requests that appear to come from employees or elaborate SMS fraud targeting prepaid debit cards, often used by the government to issue tax refunds). However, the newest rounds of spear phishing attacks being reported target entire companies and organizations by exploiting internal emails and communications from managers and executives.
One effective strategy for mitigating this threat is conducting regular phishing exercises with employees so they are more aware of the threat and potential scams.
Ping of death
IT specialist and engineer Chuck Reilly is seeing the change at Southern California Edison, one of the country’s largest electric utilities according to its website.
“When we first started, it was the simple attacks. It was the ‘ping of death’ [sending an oversized packet of data to a computer], denial of service attacks, maybe viruses and worms,” he said. “Very unsophisticated attacks.”
The cyber attacks on utilities, once like hammers, may turn into games of malicious chess.
“We’ve been thinking about that,” Reilly told Archer News. “The concept of assault-in-depth. To start expanding our planning, our defenses.”
“To look at these moves as three-dimensional chess, and what’s happening and trying to figure out what the counter move would be,” he added.
Who will be the better player? If the hackers win, you will spend more time in the dark, hoping for the lights to go back on.
Reilly is working to prepare his team, in case the hackers break through.
“To minimize the damage, so we don’t end up like Ukraine, you know, days, weeks, months later, still having services not available,” Reilly said.
Elkins’ ‘fire drill’ may not be the weapon of choice for most malicious hackers. But he said they will go after devices that people do not usually consider to be computers, like radios, monitors, televisions, appliances and tools.
“Absolutely,” he said. “Because that’s where you’re not looking for it.”
Do you have anything that you can plug in or put batteries in and has been made in the past five or ten years?
“That’s a computer,” Elkins said. “It’s at least one. It might be several.”
That may seem overwhelming, especially if your job is to protect a big target from cyber attackers. You now have to worry about thousands more devices than before.
“It’s way too much to keep up with,” he said. “I know it’s way too much stuff. And so do the attackers. They know it’s too much stuff. So that’s why the attacks are moving to these devices.”
The best way to fight back? Think of these devices as computers, Elkins said.
“These are computer systems. As much as possible, treat them like your other computer systems,” he said.
“You know certain things to do with those systems. You watch out for their passwords, and you watch out for their firewalls and you watch out for their patching and their firmware updates,” he added.
You may not need to worry about a flaming drill attack in your garage. But paying more attention to security for your smart TV could keep the hackers out—and ransom money in your pocket, instead of theirs.