
The Biggest Cybersecurity Threats of 2017: The Need to Prepare

There has been a change in how companies across the globe do business.

Digitalization has opened up new jobs and opportunities, but it has also introduced new threats. The threat with “no face,” as the United States Army has described it, has changed the way organizations look at security. An endless variety of malware has left organizations weak, grappling with poor lines of defense when an attack does come.

Today it is understood that company files and classified information alike are stored on an organization’s own hardware, with offsite third parties, and/or in “the cloud.” What is less well understood is the dollar amount attached to the risks an organization takes when making these decisions. In 2016 close to 1.4 billion records were breached [1], and this number is expected to rise by at least 2% in 2017.

The world is beginning to realize how great an impact cyber criminals have on organizations. A shift has occurred among those previously unwilling to change their cybersecurity footprint: an analyst at Gartner expects organizations to increase their spending on IT security products and services by 7% year over year from 2017 on [2]. However, where to start remains a mystery to many.

The Most Relevant Attacks of 2017

A cyber-attack can occur at any moment, often unbeknownst to the organization. A study by the Ponemon Institute found that, on average, it takes an organization 191 days to identify a data breach and a further 66 days to contain it [3]. During that time valuable resources must be reallocated and regular workday activities delayed, and in those 191 days an enormous amount of data can, and will, be lost. In the US and Canada, the average cost of each lost record amounted to $225 USD. A comparison between 2016 and 2017 showed that the number of cyber-attacks was actually lower in 2017; however, the capability, strength, and maliciousness of the attacks had increased.

Two key questions have arisen:

How is this occurring, and who is responsible?

A look back at cyber-attacks from early 2017 through the present can help shed some light on how to handle these issues going forward.

 

A group calling itself the Shadow Brokers initiated a new wave of cyber-attacks. The group first surfaced in August 2016 and in April 2017 published highly classified material taken from the National Security Agency (NSA). It is believed that the group obtained this material in 2013 from an external NSA staging server. What they released, a series of hacking tools and exploit documentation, has given a number of cyber-criminal groups the pieces they needed to build and finish their attacks [4]. The identities of the group’s members and the amount of material they still hold remain unknown.

EternalBlue, the best known of the exploit tools made public by the Shadow Brokers, was used in attacks such as WannaCry and NotPetya. It exploits a vulnerability in the SMBv1 file-sharing protocol of Microsoft Windows, which Microsoft had already patched in March 2017 under security bulletin MS17-010, two months before WannaCry appeared. EternalBlue is not a worm in itself: it is a remote code execution exploit, and its danger is that the worm component of WannaCry and NotPetya used it to “plant” the malware on every unpatched, reachable machine, so an infection could spread across a network at an extremely fast rate.
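As an added example (not part of the article and not Sia Partners’ own tooling), the following PowerShell script is the check an administrator would run on a Windows 8 / Server 2012 or later host to see whether it still presents the SMBv1 attack surface that EternalBlue targets: it reads the SMB server configuration and the matching registry value, checks whether TCP 445 is listening, looks for the March 2017 MS17-010 hotfix IDs, and with -Remediate turns SMBv1 off. The script name Check-SmbV1.ps1 and the -Remediate switch are this example’s own; the KB list covers Windows 7 through Server 2012 R2 only, and later cumulative rollups supersede those numbers, so a missing KB is a prompt to verify the patch level, not proof of exposure.

```powershell
# Added example (not from the article): check whether a Windows host is exposed
# to the SMBv1 flaw that EternalBlue exploits, and optionally disable SMBv1.
# Assumes Windows 8 / Server 2012 or later (Get-SmbServerConfiguration,
# Get-NetTCPConnection) and an elevated session. Run as: .\Check-SmbV1.ps1 [-Remediate]
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, disable the SMBv1 server protocol
)

# MS17-010 (March 2017) KB numbers for Windows 7 / 2008 R2 / 8.1 / 2012 / 2012 R2 / XP-era systems.
# Later monthly rollups supersede these, so "not found" means "investigate", not "unpatched".
$ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'

$findings = @()

# 1. Is the SMBv1 server component enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED (EternalBlue attack surface present)'
}

# 2. Registry view of the same setting (the value Microsoft's guidance toggles).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1Reg = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1Reg -or $smb1Reg -ne 0) {
    $findings += "Registry value $regPath\SMB1 is not 0 (SMBv1 not explicitly disabled)"
}

# 3. Is TCP/445 listening? A host that does not listen cannot be reached by the exploit.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $findings += 'TCP 445 is listening; confirm the host firewall restricts it to trusted networks'
}

# 4. Any of the MS17-010 hotfixes present? (Windows 10 ships the fix in cumulative updates.)
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if (-not $installed) {
    $findings += 'No MS17-010 KB found by Get-HotFix; verify patch level against the March 2017 or later rollup'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 disabled and no obvious EternalBlue exposure found'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

if ($Remediate -and $smb.EnableSMB1Protocol) {
    # Disabling SMBv1 removes the protocol EternalBlue targets. Legacy devices that still
    # depend on SMBv1 (old NAS units, printers, Windows XP hosts) should be found and fixed first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output 'SMBv1 server protocol disabled; a reboot is recommended'
}
```

Run it read-only first across a fleet (for example through a remoting job) and act on the findings; only add -Remediate once the inventory shows no clients that still depend on SMBv1, because disabling the protocol breaks access for those clients immediately.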

Ransomware is a type of malware that holds a victim’s data hostage until a ransom is paid. If the ransom is not paid, the victim’s data may be deleted, left permanently encrypted, or published. Ransomware typically reaches a computer through a phishing email carrying a malicious link or attachment. Once opened, it encrypts a large number of files on the computer, so the victim can no longer open those documents even though the operating system itself keeps running. With EternalBlue and other exploit tools now readily available, a new generation of cyber criminals has created vicious monsters for the world to deal with.

WannaCry

The attack of May 2017 was different from most other ransomware attacks. With the help of EternalBlue, WannaCry gained remote access to unpatched machines on its own, so it spread across networks very quickly instead of infecting one computer at a time. It infected more than 300,000 computers globally [5]. WannaCry used two tools from the NSA leak published by the Shadow Brokers: the EternalBlue exploit to gain a foothold and the DoublePulsar backdoor to load its payload.

Cost: approximately $4 billion in losses. The attack lasted four days and affected about 200,000 victims [6].

For greater insight about WannaCry, Sia Partners published an article dedicated to the subject.

Petya

Petya is a ransomware family that first appeared in 2016. It initially infected a human resources department in Germany through emails carrying a link to the malware. Unlike typical file-encrypting ransomware, Petya overwrote the disk’s master boot record and encrypted the master file table, so the computer could no longer boot into Windows and none of its files could be reached, even though the file contents themselves had not been individually encrypted.

Petya made something of a “reappearance” in June 2017, after the WannaCry attack, in the form of a new malware dubbed NotPetya because of its resemblance to its predecessor. Unlike Petya, NotPetya was far more sophisticated in how it spread: besides the EternalBlue exploit, it harvested credentials from infected machines and used legitimate Windows administration tools to move to other hosts on the same network. Ukraine was the first country to be disrupted, and investigators there reported a link between an update to “MeDoc,” a widely used Ukrainian accounting package, and the NotPetya malware: the attackers had compromised the software’s update mechanism to deliver it [7].

It was later deduced that this malware was a “wiper” [8]: it imitated the look of ransomware, but its true intent was destruction. Even when a victim paid, the data could not be recovered, because the “installation key” shown on the ransom screen was random and bore no relation to the key used for encryption.

Cost: one example of the cost of NotPetya is Maersk, the world’s largest container shipping company, which has disclosed associated losses of about $300 million [9].

Dragonfly 2.0

A group known as Dragonfly conducted a campaign beginning in late 2013 that is widely believed to have been cyber-espionage. The group focused its attacks on the pharmaceutical and energy sectors, and in particular on the systems that operate electricity supply in the United States and Europe. Because so much depends on the energy sector, communications, water, food, and industrial goods were ultimately affected by its infestation [10].

Dragonfly’s main goal was to seize sensitive data from the energy firms and, if the opportunity presented itself, to sabotage the victims’ energy supplies.

More recently, in the first half of 2017, a campaign named Dragonfly 2.0 was uncovered. Energy companies were again the prime target, giving investigators reason to believe it is the same group that was behind the original Dragonfly campaign. The attacks used several Trojans that not only stole victims’ information but also gave the attackers remote access to, and control of, the infected computers.

Equifax

The U.S. consumer credit reporting agency Equifax has gone public about a recent cyber-attack on its organization. Names, Social Security numbers, dates of birth, and addresses were taken, and the breach touches a large share of all American adults. Equifax discovered the attack on July 29, 2017 and disclosed it to the general public on September 7, 2017. It affected the credit records of close to 143 million United States consumers, and the attackers also obtained about 209,000 credit card numbers and nearly 11 million U.S. driver’s license numbers. The cause of the incident was ineffective patching [10]: the attackers entered through a publicly known vulnerability in the Apache Struts web framework (CVE-2017-5638) for which a patch had been available since March 2017 but had not been applied. This correlates with a study by Cisco, which found that unpatched systems remain the largest problem in the United States (29,660 vulnerable servers found between February and March of 2017) [11]. Missed updates and missed patching of significant infrastructure gave the attackers their point of entry. The Equifax attack is the third major cybersecurity incident at the firm since 2015 and has already been named one of the five biggest data breaches ever [12]. It has also been called one of the ten worst cyber-attacks to ever occur.

Cost: It could take years to realize the actual financial fallout of the Equifax breach [13].

“The size of the breach, quality and quantity of personal information and far-reaching impact make it unprecedented.” – Maria White, CEO of Security Mentor

 

Deloitte

Over the past year, Deloitte LLP discovered that an outside party had compromised a server within its email system. Originally the company said the breach was limited to an estimated six clients; it has since been reported that as many as 350 clients could have been at risk. The attack took place while Deloitte was migrating its email to Microsoft’s cloud-based Office 365 service, and press reports attributed the intrusion to an administrator account that was protected only by a password, with no multi-factor authentication. The attackers had access to the email system for months, undetected, despite Deloitte’s relative expertise in the cybersecurity field [15].

Next steps

Cyber Threat Intelligence

A majority of the attacks discussed here succeeded because of faulty or outdated software. Yet organizations have not shown enough interest in greater investment in their IT security, and making sense of the risk-versus-reward calculation has been a struggle for many. One risk calculation puts the loss of 10,000 records at about $1.9 million and the loss of 50,000 records at about $6.3 million [16]. Setting new cybersecurity standards, establishing security programs, and staying up to date on the digital world can save an organization the agony of facing a ransomware demand.

Training

An organization’s employees are among its greatest assets, but they can also be a source of risk if they are not properly trained. Human error alone is estimated to account for 28% of data breaches [17]. A training program that covers employees at every level can reduce the chance of a successful cyber-attack. Ideally it would include every employee, including the developers and system engineers in charge of keeping their organization’s data safe, and it needs to be refreshed continually so that sound security practice keeps pace with the threats.

  • Employee awareness training: a basic understanding of how to avoid and recognize suspicious activity or information, and how to report it to the correct personnel
  • System/network engineer and developer training: periodic training for specialists so that they hold the most up-to-date and relevant knowledge on protecting the digitalized infrastructure

 

Incident Response Testing – Tabletop exercises

Proactive security measures, once deemed non-essential, have become top priorities in today’s digital world. An organization needs plans for what happens before, during, and after an attack. It must take a new approach if it is to have a chance of protecting its valuable information, and that starts by addressing the aspects that must be considered in a cyber-threat. First, the organization must adopt a strategy and framework. From that strategy, new risk and control assessments need to be developed. Once these are reviewed and implemented, monitoring for unusual or suspicious activity can take place.

Monitoring produces findings that can be assessed and acted on in future. All of this must be governed so that issues not previously considered are addressed. Finally, the response and the path to recovery must always be prepared and planned [18]. Tabletop simulation exercises, performed periodically, help an organization rehearse its “what if” scenarios: if it understands where it might be vulnerable, it can raise the hard questions during the discussion rather than during a real emergency later.

Closing Thoughts

A lack of review and awareness in any part of an organization’s cybersecurity program increases the likelihood that a problem occurs, and failing to account for every area of the business, especially today, increases the likelihood of a breach. With or without a law in place, an organization’s productivity will suffer if cybersecurity is not addressed in a timely fashion. Hackers will go on causing harm without regret, so organizations must use the power of proactivity to reduce the chance of such an occurrence. Security risks can be reduced by applying knowledge ahead of time, on a recurring basis. Employee awareness training, security training for IT professionals, and constant testing of networks can all help organizations in their ongoing quest to be safe in a digital world.

 

Sia Partners

 



Key Takeaways

  • Cyber-attacks are growing in maliciousness. Employees in every part of an organization must be made aware, so that progress in a digitalized world can continue.

 

  • The ease of switching to online storage breeds a lack of awareness. Strengthen preparation: companies should consider enhancing employee awareness training, cybersecurity program updates, and security training for IT professionals.

 

  • Cyber-attacks are happening across all streams and in a variety of ways. Security professionals should build their cyber threat intelligence in order to stay ahead; this means keeping up to date with the latest technology and tactics before, during, and after an attack.