The scale and nature of the threat is increasing at a deeply concerning rate that the private sector struggles with and the public sector poorly understands. Fraud, Harassment, Child Abuse and conventional crime are all being underpinned by technology. Official reports show that fraud and computer misuse offences outstrip all other types of crime.
Cybercrime, including Ransomware, is a Growing Phenomenon in the Developed World
Understanding the Risk
To allocate budgets, resources and protective measures effectively, cyberthreats should be seen not as alien concepts, but as extensions of threats and risks in the physical world.
First, understand the risk. The risks of attacks, physical or cyber, is defined in ISO 31000 (risk management) and repeated in ISO 27000 series (information assets) as: the Effect of Uncertainty on Objectives. Something unexpected, caused by something we were under-informed about, happening to something we care about: e.g. a hacking attack by overseas criminals on our servers.
Managing such risk means coming to grips with those uncertainties and effects to make our servers safer. The core componants are:
- Context: for example, the value of the data to our client and the internal processes that protect it.
- Identification: for example, theft of intellectual property with consequent loss of revenue.
- Analysis: for example, what we know about hostile parties, the damage they could do, how likely such damage is to occur, what our IT controls and human vulnerabilities are, and what resulting levels of risk we face.
- Evaluation: what analysis tells us about risk levels (for example, 'high' for hacking because of poor password controls and possible collusion by disaffected insiders) versus our tolerance for risk (for example, 'low' because the client would cancel the contract) and thus how far we need to treat the risk.
- Treatment: for example, strengthen password protocols; strengthen vetting and re-vetting regimes; sign-off residual levels of risk.
Apply Sound Principles
Despite portrayals of teenagers launching technological attacks on unsuspecting organisations run by behind-the-times adults, there are still some established priciples still apply and are valid.
WHO has the motive to attack; WHAT methods do they possess, WHAT exploitable opportunities exist?
Analysing attacks in that way underwrites investigatory and preventive techniques, cybercrime included, in many juristictions:
The Motive X Method X Opportunity approach. To use this formula to reduce risk, we can try to reduce one or more elements as close as possible to zero.
If attackers have enough motive and method, no system is invulnerable. Even if opportunity is almost zero, a combination of motive and method can still be too high for an attack to be withstood. The US-Israeli breach of Iran's nuclear programme was an example, as the 2016 documentary Zero Hours Showed. Insider agents with physical access to Iranian systems were needed to breach their considerable security. Despite low opportunity, the attackers had sophisticated methodology and the overriding motive of preventing Iran developing nuclear weapons.
Few businesses face such extremes, but the principles remain valid: appropriately inexpensive options provide sufficient security to mitigate the threats.
Cyber Attacks: Ease v Succcess Likelihood
1. Organised Crime 2. IP Theft 3. Extortion 4. Ad Fraud 5. Bank Fraud 6. Payment System 7. Bug Bounty 8. Medical Records Fraud 9. Cyber Warefare 10. Identity Fraud 11. Credential Harvesting 12. Credit Card Fraud 13. Hacktivism
Method examines attackers' tools and their effectiveness, from sophisticated remote hacks (difficult and expensive for the attacker) to spam emails (cheaper but less effective). Cheaper, more effective methods are more likely, so cyber security should respond accordingly.
The company's risk assessment determines which methods of attack are most likely to succeed, determining the mitigations needed to reduce the method factor acceptably.
Insider threats provide opportunity for attackers; GCHQ assesses 75% of attacks are wholly or partly in this category, breaking down roughly as follows:
- Employees breaching security for personal gain (malicious insiders);
- Employees coerced by bribary or blackmail (vulnerable insiders);
- Employees circumventing security to make life easier (WIMPs: Well intentioned but misguided people);
- Employees unwittingly lured by phishing and or other cyber fraud;
- Employee and management staff inneficiency, and failure to learn lessons.
Insider threats can lead to financial and reputational loss. Talk Talk lost £60 million, 100,000 customers and 20% of share value after a cyber attack in 2015. Staff inattention and failure to comprehend the developing crisis were likely causes of the most impactful consequences.
Different risk profiles exist for each insider type, which need to be approached accordingly. Generic profiles are:
Malicious Insider (high motive, high opportunity, low method)
With some internal grievance, 80% of attackers are already known to management for negative behaviour, and make their highly motivated attacks after admonishment, demotion or firing. Opportunity might be high due to insider knowledge, but method might be low, especially if already under preventive control measures.
The best defences are strongly implemented Standard Operating Procedures (SOPs) derived substantially from standard human resources and physical security SOPs.
Vulnerable Insider (moderate motive, high opportunity, high method)
Bribed or blackmailed, vulnerable insiders tend not to have a history of wrongdoing with the firm, and so are harder to detect. Attackers might exploit gambling or credit debts, a growing problem among young professionals. Method and opportunity are high as the attackers can coerce the insider, whose clean record allows them to act undetected, negating some of the technical security. Motive can be lowered to moderate through employee engagement.
WIMPS (low motive, moderate opportunity, moderate method)
By ignoring SOPs, WIMPS create opportunities for attackers. Mitigation is through staff engagement, training and awareness. identifying how and why SOPs and protocols can be circumvented leads to new policies and procedures to deter attacks.
Unwitting Employees (low motive, high opportunity, moderate method)
Staff can inadvertently create opportunities for attackers who use scams such as ransomware (computer malware that takes the victim's data hostage, with demands for money to release it), and various forms of phishing. Two enterprise-level phishing threats are:
Spear-phishing: directed at individuals and companies to gather information about the target; accounts for most current attacks.
Clone-phishing: clones an existing legitimate email, replaces its attatchment or link with a false version, and re-sends it apparently from the real sender; can spread quickly among duped parties who trust each other. Mitigation is by reducing opportunity and creating a culture of cyber awareness, so staff understand, recognise, and avoid such threats.
Cyber Awareness Culture
Creating awareness is difficult, but can be achieved by training on SOPs and on individual roles in company security; staff who misunderstand the purpose of security can become WIMPs by finding ways to circumvent it. Cyber security is too often based on surveillance, technical complexity, and deliberately keeping information away from staff on a misdirected principle of 'need-to-know'. The reverse is usually true:
- Empowered employees support security and help identify and eliminate vulnerabilities.
- Staff who feel untrusted might see security as directed against them, and find ways to defeat it. Morale, productivity, and staff turnover can be adversely affected.
- A better principle is to start with trust, and view staff who cannot be trusted to be part of the company's security as less valuable employees.
Four Principles that Help to Create a Strong Cyber Security Culture
1. Ensure everyone from CEO downwards understands and adheres to SOPs, When managers ignore rules they alienate staff and create oppotunities for attackers; note the rising prevalence of CEO and senior management impersonation in emails and online, so-called 'whaling' attacks (where an email or web page targeting a senior manager can purport to come from a known senior internal or external stakeholder, for example with a false claim for compensation or a false client approach).
2. Make training interactive, with posters, using game-playing techniques, practical exercises, and entertaining media such as 'xkcd' web-comics.
3. Training should always contain something new and interesting, any training needs tailoring to the audience, but the aim is to create cyber situational awareness. This includes basic technical education, explaining unfamiliar terms.
4. Encourage feedback and track the success of specific outputs.
Cyber Situational Awareness
Knowing how cyber attacks work reduces method and opportunity. Technical methods can be explained by linking cyber principles and concepts to physical equivalents.
1. Not logging-off unattended computers or smartphones is like leaving houses or cars unlocked.
2. Sensitive documents on unprotected network drives is like leaving them in paper form on unattended desks.
3. Disreputable websites are run by untrustworthy people who misuse or exploit you and your information as if you had engaged them face to face in a disreputable nightclub.
Appropriate technical mitigations are also important, with solutions dependant on each company's unique risk assessment.
- Controlling access priviligies
- Encrypting sensitive files
- Password security following guidance from GCHQ and the National Cyber Security Centre
- Robust physical site security and resilient internal infrastructure
- Appropriate firewalls
- Secure, snapshot backups
- USB dongles
- Using social media technology to help screen those who need access
- Web-verification tools to protect against specific types of attack
Cybercrime is a rapidly growing concern with commensurate risks and costs. Most threats have equivalents in the physical workspace and are often best understood and managed as such.
By using the 'Motive x Method x Opportunity' approach within a robust risk assessment framework that compiles with acknowledged standards, in particular ISO 31000 and ISO 2700 series, some businesses can save resources and combat cyber threats by focusing less on complex technical solutions and more on physical and human ones.
Cybercrime is costing the economy hundreds of million pounds each year, do not become a victim yourselves.
Please feel free to contact Atlas UK Security for any advice on this matter