As the number of cyber-crimes seems to rise steadily year-on-year, the methods hackers use remain surprisingly consistent. Sometimes there is a spike in a particular type of malware favoured by cyber-thieves, but ‘tried-and-tested’ techniques such as phishing and exploiting web site vulnerabilities are still popular. It’s just that hackers are getting better at using them, which of course doesn’t bode well for the unprotected.
Cyber-attacks are growing in number and sophistication; the figures for data and money stolen and for disruption caused by cybercriminals are rising all the time. Cybercrime is now such a common part of life that it is becoming widely accepted as an everyday computing hazard.
However, attackers are displaying ever-increasing levels of sophistication, which is why it's important to have your computer set to automatically receive and install updates and to have good security software in place.
What is different, but hardly surprising, is that many hacked companies are now keeping quiet about their systems being breached. It’s understandable given that no business wants to admit that its network has been breached and customer records have been stolen. Or if they do, they tend to downplay the impact.
This lack of transparency plays into the hands of cyber criminals because it masks the true scale of malicious hacking, which in turn makes the problem appear smaller than it is when in actuality it is a dangerous and rapidly growing threat.
With that in mind the following five areas illustrate just where the major global cyber threats are coming from, both today and tomorrow.
Internet of Things
IT industry analyst Gartner predicts that there will be 6.4 billion connected devices in operation this year. This represents a 30 percent increase on 2015 and Gartner is claiming there will be more than 20 billion connected devices by 2020.
These connected devices, often called the Internet of Things (IoT), range from smart refrigerators and heating systems to vehicles, traffic lights and even critical national infrastructure.
In the rush to get products to market, the security of these devices is often relegated down the list of priorities. This means that many of them are vulnerable to attack. But why would anyone want to hack them?
To start with, a smart device, say a connected thermostat or even a smart TV, can provide access to a home network. And access to a home network allows a hacker to access all other devices connected to the network, such as desktop PCs, laptops and smartphones. Essentially cyber-criminals gain access to an information goldmine.
The same problem applies at the corporate level. It might be argued that business is driving IoT uptake harder than the consumer market.
The use of IoT in business has been dubbed the next industrial revolution: it allows companies to make smarter products, enables smarter business operations and smarter decisions, and can radically alter business models for the better.
But poor security could lead to the mother of all hacks. Vulnerable IoT devices can provide a gateway into enterprise networks allowing hackers to essentially plunder the corporate crown jewels.
Ransomware is on the rise – there’s been a 35 percent increase in detection rates since 2015. And it’s easy to see why. From a cyber-criminal’s perspective ransomware is the must-have malware. It locks up computer files using high-level encryption and victims can’t get their files back until they have paid the ransom.
Hospitals, police departments and businesses have all fallen victim to this most insidious of threats. There’s little chance of a cyber-criminal being caught while the potential rewards are staggeringly high – millions of pounds sterling and euros.
But ransomware is not only increasing in terms of its penetration; it’s also becoming increasingly sophisticated. PadCrypt ransomware, for instance, which demands about £500 from its victims, also includes a ‘Live Feature’ option which, when clicked, opens up a screen where the victim can speak in real-time with the malware's developers.
On the other hand ‘7ev3n’ ransomware essentially obliterates computers by disabling system recovery options. You can get your files back but the ransom is hefty - about £3,800.
TeslaCrypt ransomware is spreading through spam emails and using social engineering techniques to lure victims into opening an email. In a sense it is targeting victims rather than relying on a scattergun approach, and recently it has mutated into different forms as cyber-thieves tweak its code.
An important thing to note is that ransomware, as illustrated by TeslaCrypt, is increasingly loaded into phishing emails, and these emails are often localised, for example appearing to come from a postal service in Germany or a well-known retailer in Sweden.
Spear-phishing is also on the rise; it’s not going away. Spear phishing is an email or digital scam that targets a specific individual, organization or business. It differs from traditional phishing in that it has a very specific focus. It typically uses email and is most commonly used to steal data for malicious purposes or sometimes to install malware on a targeted user's computer.
The US FBI recently warned that a type of spear phishing attack known as ‘CEO email scam’ is on the rise. The cyber crook typically assumes the identity of someone in a position of authority and sends an email to an employee requesting privileged information or the transfer of assets outside the company. According to the FBI, businesses have lost $2.3 billion because of spear phishing. And this is only in the US. The global figure will be much higher.
Typically spear phishing attacks target employees in human resources, legal, accounting, finance and other departments with seemingly urgent and innocent requests for wire transfers, invoices, company credit card information, employees’ personal information and so on. Because the sender appears to be an executive or a known service provider, the request appears legitimate and, unsurprisingly, employees cooperate.
Even cyber security companies have fallen victim to spear phishing. RSA, a global enterprise-focused security vendor, was the victim of such an attack. It was breached after attackers sent two different spear phishing e-mails to four workers at its parent company EMC. The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls.”
There are an estimated one billion web sites in the world, though whether all of them are operational or not is a moot point. No doubt quite a few have short life spans, set up by eager beavers and then left to wilt on the digital vine.
But that said, there are still an enormous number that are operational. According to Symantec there were one million website attacks each day during 2015, while 317 million new pieces of malware were created in 2014. These are staggering numbers.
Ironically however, many attacks rely on old computer bugs that companies just haven't gotten around to fixing. A Verizon 2015 Data Breach Investigations Report revealed that in nearly 90% of cases, hackers relied on computer bugs that have been around since 2002.
Given that nearly 75 percent of all legitimate websites have unpatched vulnerabilities, it’s hardly surprising that cyber criminals take advantage. To put it simply, many web site administrators fail to secure their websites.
There are several attack vectors that hackers exploit when attacking websites. These attack methods are largely ‘technical’ but common and will continue to pose a threat for some time to come:
- SQL injection is a type of web application security vulnerability in which an attacker attempts to use application code to access or corrupt database content. It’s a common web site attack method and has been responsible for some major hacks.
- Security misconfiguration provides hackers access to private web site data or features and can result in a complete system compromise. Security misconfiguration is common and essentially it means that websites are not properly secured. This can be as simple as poor administrator password security.
- Cross-site scripting (XSS) targets an application's users by injecting code into a web application's output.
- If authentication credentials and session identifiers are not protected at all times an attacker can hijack an active session and assume the identity of a user.
- Cross-Site Request Forgery (CSRF) is a malicious attack where a user is tricked into performing an action he or she didn't intend to do. For instance, a third-party website will send a request to a web application that a user is already authenticated against, such as a bank. Targets include web applications like social media, in-browser email clients, online banking, and web interfaces for network devices.
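To make the SQL injection item above concrete, here is an added example (not part of the original article) that puts a query built by string concatenation beside its parameterized form, using Python's built-in `sqlite3`. The table, function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Create an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?)",
        [("alice", "laptop"), ("bob", "phone"), ("carol", "tablet")],
    )
    return conn

def lookup_vulnerable(conn, customer):
    """Weak form: the input is pasted into the SQL text, so quote
    characters in it can change the structure of the query."""
    query = "SELECT item FROM invoices WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, customer):
    """Hardened form: the input is bound as a parameter, so the driver
    treats it as a value and never as part of the SQL statement."""
    query = "SELECT item FROM invoices WHERE customer = ?"
    return [row[0] for row in conn.execute(query, (customer,))]

# Constructed input of the kind a web form field might receive.
CRAFTED = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Normal input behaves the same in both versions.
    print("vulnerable, normal input:   ", lookup_vulnerable(db, "alice"))
    print("parameterized, normal input:", lookup_parameterized(db, "alice"))
    # The crafted input turns the WHERE clause into an always-true
    # condition in the concatenated query, exposing every customer's rows.
    print("vulnerable, crafted input:   ", lookup_vulnerable(db, CRAFTED))
    # Bound as a parameter, the same string is just a customer name
    # that matches nothing.
    print("parameterized, crafted input:", lookup_parameterized(db, CRAFTED))
```

When reviewing application code, any query assembled with string concatenation or formatting from request data is the pattern to look for and replace with bound parameters.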
Criminals are getting better at finding and using so-called zero-day vulnerabilities — previously unknown flaws in browsers and website plugins that leave home and business computers open to attack. Hundreds of thousands of systems can be infected before the vulnerability is discovered and patched.
Zero-day threats have always been around but the number discovered in 2015 more than doubled to 54, up 125 percent. This may not seem like many but the potential damage they can cause is tremendous because nobody has any idea they exist until they start wreaking damage.
Professional hacking crime outfits make a living out of finding and exploiting the vulnerabilities in popular software. Two such typical targets are Internet Explorer and Adobe Flash, because they are so widely used by millions of people around the world.
Flash Player, for instance, is one of the most ubiquitous and widely used pieces of software in the world and, as such, has been a prized target for malicious hackers. Its creator Adobe is aware of this and says it has been able to deliver patches for zero-day threats within two days of discovery. This doesn’t mean the threat is going away; rather, the figures suggest hackers are putting more resources into discovering zero-day threats and will continue to do so.
Relatively recently the Pew Research Center canvassed thousands of experts and companies that help develop the internet to get their take on the future of cyber security.
The survey wasn’t a typical vox pop or ‘man-in-the-street’ survey; rather, it invited experts in the field of Internet evolution, such as technology builders, researchers, managers, policymakers, marketers and analysts, to give their views.
Here are some of its conclusions:
- By 2025 a major cyber-attack will have caused widespread harm to a nation’s security and capacity to defend itself and its people. This could be a significant loss of life or property and losses, damages or theft that is measured in the billions of dollars.
- Cyber-attacks are a looming challenge for businesses and individuals. Certain sectors, such as finance and power systems, are the most vulnerable. There are significant divides between those organisations that are prepared and those that aren’t.
On the other hand, other noteworthy themes to emerge from the survey included:
- There is steady progress in security fixes. Despite the internet’s vulnerabilities, a distributed network structure will help thwart the worst attacks. Security standards will be upgraded. The good guys will still be winning the cyber security arms race by 2025.
- Hype over cyber-attacks is an exaggeration of real dangers fostered by the individuals and organizations that gain the most from creating an atmosphere of fear.
This latter point is a moot one and one that has surely arisen in the minds of many. But that said, the amount of new malware created each day is staggering. The precise figure varies according to the source but we’ve seen numbers that range from almost 250,000 new malware samples released every day up to one million a day.
Now much of this malware is likely to be existing malicious code that has been tweaked to help it slip past anti-virus defences. But even if the figure was a mere 5,000 every day it’s still an awful lot of malware.
If you haven’t already battened down your cyber hatches perhaps it’s time you did.