by Henry Elisher

Business Analysis (BAPL) Consultant

 

What is the cyber security threat?

The internet is where we all now conduct our business. Electronic systems and digital information are essential for businesses to conduct a whole range of their day to day activities. The increased nature of connectivity also brings greater exposure to criminal activity and the opportunism for those with the desire to either steal, manipulate, damage or threaten by utilising the scope of connectivity

Recent cyber-attacks by cyber terrorists’ show that their targets can, and are, far ranging, from governments, to businesses and individuals. In a world where we are all connected the reach is extensive, not one organisation or individual is immune. People need to be aware of the evolving threat and the increasing level of sophistication by attackers as they employ cutting-edge techniques to breach the security barriers of organisations.

Even with this ever evolving and increasing threat, the cyber-security measures of organisations are too often reactive instead of being the cornerstones of a sound digital infrastructure. To add some perspective, in the Asia-Pacific region, companies on average identified that they were susceptible to, on average, 6 threats per minute but, they added, only 50% of those alerts would be investigated.

One major study on the Security Capabilities of the Asia Pacific region highlighted the following important findings.

Breaches

• In the Asia Pacific region companies can receive up to 10,000 threats per day
• 69% of companies surveyed received more than 5,000 threats a day

Lack of Security Readiness

• Regarding digital security infrastructure, up to 9% of respondents stated they do not have cyber-security professionals at their organisations and 13% stated they do not have executives that were responsible and accountable for cyber-security at their organisations

Economic and reputational fallout

• In South East Asia alone 51% of cyber attacks resulted in a loss of more than $1million USD
• Nearly 10% stated that cyber attacks had resulted in losses of greater than $10 million USD

Multi-pronged attacks

• The changing nature of attacks means that attackers are not just targeting IT infrastructure but also operational technologies, 30% of organisations stated that they have seen cyber attacks along those lines

In comparison to counterparts in the Asia-Pacific it appears that in Australia more organisations are dealing with alerts with more vigour and gravity than their regional peers, 81% of companies are facing more than 5000 alerts per day, and 33% of organisations have stated they deal with 100,000 – 150,000 alerts per day

The cost of breaches in Australia is also the highest within the Asia-Pacific region with 52% reporting that attacks costs between $1-5 million USD, with 9% reporting costs of $10 million +, estimates in this sense relating to lost revenue, loss of customers, lost opportunities and out-of-pocket cost.

What is Cyber-security all about?

Successful cyber-security has multiple layers of protection that spreads across computers, networks, programs or the data that an individual intends to keep. In an organisation it is the people, processes and technology that must complement one another in order to provide the most effective defence

People

• Must understand and comply with basic data security principles such as choosing strong passwords, being wary of attachments, and backing up data consistently

Processes

• Organisations need to have a framework for how they deal with both attempted and successful attacks

Technology

• Technology is essential if giving organisations and individuals the computer security tools they need to protect themselves from cyber-attacks. The three main entities that must be protected are endpoint devices like computers, smart devices, and routers; networks and the cloud. Common technology utilised to protect these entities are next-generation firewalls, DNS filtering, malware protection, antivirus software, and email security solution 

Types of security threats

Ransomware

• This is a type of malicious software designed to extort money by blocking access to files on a computer system until a ransom is paid. Paying the ransom does not of course guarantee that the files will be recovered or restored

Malware

• Is a type of software designed to gain unauthorised access or cause damage to a computer

Social Engineering

• A tactic used to trick you into revealing sensitive information. From this attackers can solicit a monetary payment or gain access to your confidential data 

Phishing

• Is the practice of sending fraudulent emails that resemble emails from reputable sources. The aim is to steal sensitive data like credit card information and login information – this tends to be the most common type of cyber attack

Cyber crime mitigation

The Australian Cyber Security Centre (ACSC) is the Australian Governments lead on national cyber security, it brings together cyber security capabilities from across the Australian Government to improve cyber resilience of the Australian community and in support of economic and social prosperity of Australians in the digital age.

The ACSC also provides cyber security advice and assistance to Australian Government organisations, businesses and individuals. They have details on the types of strategies that companies can utilise in order to mitigate cyber security incidents.

With that said, whilst no single strategy, is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies, as listed below, in order to formulate a security baseline. This baseline will make it harder for attackers to compromise systems and will of course be much more cost-effective than being put in the position of having to respond to a large-scale cyber security incident

The essential eight strategies are:

Application Whitelisting – to control the execution of unauthorised software

Patching applications – to remediate known security vulnerabilities

Configuring Microsoft Office macro settings – to block untrusted macros

Application hardening – to protect against vulnerable functionality

Restrictive administrative privileges – to limit powerful access to systems

Patching operating systems – to remediate known security vulnerabilities

Multi-factor authentication – to protect against risky activities

Daily back-ups – to maintain the availability of critical data

Implementation of strategies – starting points for business analysts

• Prior to implementing a mitigation strategy, organisations need to identify their assets, particularly their vulnerable assets, and perform a risk assessment to identifying the levels of protection required from various threats.
• Building up support and increasing cyber security awareness requires ‘motivators’. Some of the ‘motivators’ that impart awareness and create urgency to cyber security are penetration tests, mandatory breach reporting & mandatory compliance.
• A mitigation strategy should be implemented for high risk users and computers such as those that have access to (sensitive or high-availability) data and exposed to untrustworthy content, and then the strategy can be rolled out for all other users and computers.
• Perform ‘hands on’ testing to verify the effectiveness of implementation and mitigation strategies
• The four major threats to businesses/organisations are as listed below:
  • targeted cyber intrusion and external adversaries that steal data
  • ransomware that denies access for monetary gain, and external adversaries who destroy data and prevent computers/networks from functioning
  • malicious insiders who steal data such as customer details or intellectual property
  • malicious insiders who destroy data and prevent computers/networks from functioning
• Incorporating the top 8 strategies are the most effective way for mitigating targeted cyber intrusions and ransomware – the ASD considers their implementation to be the security baseline for all organisations

Major threats – suggested mitigation strategy implementation

Below is listed the major type of security threats to organisations and the essential strategies to be adopted in combating these threats.

Targeted cyber intrusions (advanced persistent threats) and other external adversaries that steal data:

• Implement “essential” mitigation strategies to:
• prevent malware delivery and execution
• limit the extent of cyber security incidents
• detect cyber-security incidents and respond

Ransomware and external adversaries who destroy data and prevent computers/networks from functioning:

Implement “essential” mitigation strategies to:

• recover data and system availability
• prevent malware delivery and execution
• limit the extent of cyber security incidents
• detect cyber security incidents and respond

Malicious insiders who steal data:

• Implement ‘Control removable storage media and connect devices’ to mitigate data exfiltration
• Implement ‘Outbound web and email data loss prevention’
• Implement “essential” mitigation strategies to:
• limit the extent of data security incidents
• detect cyber security incidents and respond

Malicious insiders who destroy data and prevent computers/networks from functioning:

• Implement “essential” mitigation strategies to:
• recover data and system availability
• limit the extend of cyber security incidents
• detect cyber security incidents and respond

 

Essential mitigation strategies

Some of eight essential mitigation strategies are outlined below with additional supporting strategies also specified.  Those that the Australian Cyber Security Centre (ACSC) consider ‘Essential’ or ‘Excellent’ are outlined below.

 

Relative security rating effectiveness                                                                  Migration strategy

Mitigation strategies to prevent malware delivery and execution

Essential          Application whitelisting or approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, Powershell and HTA) and installers

Essential          Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities. Use the latest versions of applications

Essential          Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations with limited write access or digitally signed with a trust certificate

Essential          User application hardening. Configure web browsers to block Flash (best to uninstall it), ads & Java on the internet. Disable unneeded features of Microsoft Office (e.g. OLE), web browsers and PDF viewers

Excellent           Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes

Excellent           Email content filtering. Whitelist attachment types (included in archives and next archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros

Excellent           Web content filtering. Whitelist allowed types of web content and web sites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains

Excellent           Deny computers direct internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections.

Excellent           Operating system generic exploit migration e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET)

 

Mitigation strategies to limit the extent of cyber security incidents

Essential          Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t used privileged accounts for reading email and web browsing.

Essential          Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities. Use the latest operating system version. Don’t use unsupported versions.

Essential          Multi-factor authentication including for VPN’s, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high availability) data repository.

Excellent           Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account in order to prevent propagation using shared local administrator credentials

Excellent           Network segmentation. Deny traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties.

Excellent           Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases

 

Mitigation strategies to detect cyber security incidents and respond

Excellent           Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity

Essential          Mitigation strategies to recover data and system availability

Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration liability, annually and when IT infrastructure changes.