Cyber attack methods and business impact
When Jimi Hendrix sang Elmore James’ Bleeding Heart, little did he know that he would be a victim of copyright theft after his death in 1970. The song portrayed desolation and heartbreak and today the Heartbleed Bug that left 300,000 web servers vulnerable in 2014 ironically conveys the same message. The bug along with scores of cyber attack methods threatens to bleed out hundreds of millions of dollars from businesses and government enterprises across nationalities causing much anxiety and despair. The enduring Shellshock bug makes 70% of all machines vulnerable and has been going undetected for the last 20 years.
With 120,000 incoming cyber attacks every day growing at 60% annually it is no surprise that cyber security is quickly gaining prominence within IT budgets and enterprise risk management programs.
The complexity of cyber attack prevention
In 2013, 3,000 US companies were unaware of cyber intrusions until notiﬁed by the FBI, while for organizations with security incidents the average annual monetary loss was approximately $400,000 in 2014.
Cyber exploits are not limited to large businesses, critical infrastructure, government or large supply chains, anyone and everyone are at risk. How then can businesses address this pressing issue of a robust cyber security program? Though there are several good frameworks available most start with ﬁrst step as classiﬁcation and identiﬁcation of cyber attack methods that are key to analyzing motives and damage mitigation. Whether incidents are state sponsored, propaganda or criminal by nature or by hactivists, the annual cost to the global economy from cybercrimes is between $300 and $500 billion as estimated by McAfee. The gravity of this issue prompted US President’s 2013 Executive Order on improving cyber security and the formation of the National Institute of Standards and Technology (NIST) Cyber security Framework.
Unfortunately cybercrime landscape is not just about organized theft, it is also about increasing complexity and sophisticated techniques. A mapping of the major cyber attacks identiﬁes creative combinations of well-known cyber methods such as: (1) Malware: Virus, worms, Trojan horse, spyware, adware, scareware; (2) SQL Injection: Malicious SQL commands; (3) Spear phishing: Targeted email scam; (4) DDoS: Attack on Network, system or online service availability; (5) XSS Attacks: Malicious scripts on web sites; (6) Watering Hole: Opportunistic attack through a malicious code on a webpage; (7) APT or “Advanced Persistent Threat”: A persistent relentless and undetected attack targeting sensitive data or intellectual property, making recovery and detection a costly proposition.
The severity of sophisticated attacks can be understood from the fact that Adobe had its 150 million customer data compromised in 2013 as an effect of Malware and APT injected into its systems. Target Inc. also paid the price with personal information of 70 million people and card data of 40 million compromised in a combined APT, malware and spear phishing attack. JP Morgan suﬀered from a three month undetected cyber attack giving hackers the highest level of administrative privileges on more than 90 of the bank’s servers in 2014. Consequently data pertaining to 76 million households and 7 million small businesses was breached. Astonishingly nine other ﬁnancial institutions were also attacked by the same group said to be originating from Russia.
New technologies have fuelled new attack tactics. Point of Sale systems, Digital payment systems, Internet Of Things, Clouds and Mobility have added new dimensions with rising worms and viruses making way through vulnerable systems.
No matter what methods are used whether external or internal, on desktop or mobile systems, businesses today are challenged with maintaining corporate credibility and securing sensitive data with major cost implications after a cyber attack. Lost business and erosion of customer trust can have enduring consequences on brand image and company reputation that are built over years, while governmental enterprises have to face damaging consequences of cyber espionage threatening national utilities or even national security. Ransomware is the new trend of cyber attacks that threaten individual users and enterprises altogether with ransom for the recovery of their own data.
Businesses today need to understand how key preventive measures can be implemented through an organizational cyber security framework to address cyber crime. A stepwise approach to forming a strategy would include:
- Commission an IT system vulnerability assessment to identify and evaluate inside and outside sources including contractors, third party vendors, and employees
- Deﬁne day-to-day security procedures
- Secure IT systems:
a. Activate ﬁrewall
b. Test vendor systems before giving access to the internal network
c. Use latest versions of anti -virus, anti – spyware software
d. Test mobile devices for vulnerabilities
e. Monitor internet connection
- Use “white hat” hackers to test the implementation
- Set up intellectual property agreements
- Execute regular system updates and turn on automatic updates for all Operating Systems
- Update and evaluate commonly used software: Java, Adobe Reader, Microsoft Office, Flash, Internet Explorer: all have carried vulnerabilities at one stage or the other
- Change passwords frequently and stay cautious while using public computers
- Never click on email links or download attachments without verifying authenticity
- Ensure the senior management regularly communicate to the employee on safe cyberspace behavior and security awareness training
According to recent surveys, best practices such as IT system vulnerability assessment, account/password management policy, cyber risks inclusion in enterprise risk management program, intrusion detection system have been reported as successful deterrents by governmental organizations.
Article written by Ernest Legrand, CEO at WEBCBG, for Fullcover, MDS Group, issue n°8.