by Henry Elisher
Business Analysis (BAPL) Consultant
What is the cyber security threat?
The internet is where we all now conduct our business. Electronic systems and digital information are essential for businesses to carry out a whole range of their day-to-day activities. Greater connectivity also brings greater exposure to criminal activity, and greater opportunity for those who want to steal, manipulate, damage or threaten by exploiting that connectivity.
Recent cyber-attacks by cyber terrorists show that their targets can be, and are, far-ranging: governments, businesses and individuals. In a world where we are all connected the reach is extensive; no organisation or individual is immune. People need to be aware of the evolving threat and the increasing sophistication of attackers, who employ cutting-edge techniques to breach the security barriers of organisations.
Even with this ever-evolving and increasing threat, the cyber-security measures of organisations are too often reactive instead of being the cornerstones of a sound digital infrastructure. To add some perspective, companies in the Asia-Pacific region reported that, on average, they were exposed to 6 threats per minute, but that only 50% of those alerts would be investigated.
One major study on the Security Capabilities of the Asia Pacific region highlighted the following important findings.
Breaches
- In the Asia Pacific region companies can receive up to 10,000 threats per day
- 69% of companies surveyed received more than 5,000 threats a day
Lack of Security Readiness
- Regarding digital security infrastructure, up to 9% of respondents stated they do not have cyber-security professionals at their organisations, and 13% stated they do not have executives who are responsible and accountable for cyber-security at their organisations
Economic and reputational fallout
- In South East Asia alone 51% of cyber attacks resulted in a loss of more than $1 million USD
- Nearly 10% stated that cyber attacks had resulted in losses of greater than $10 million USD
Multi-pronged attacks
- The changing nature of attacks means that attackers are not just targeting IT infrastructure but also operational technology; 30% of organisations stated that they have seen cyber attacks of this kind
Compared with their counterparts in the Asia-Pacific region, organisations in Australia appear to be handling alerts with more vigour and gravity: 81% of companies face more than 5,000 alerts per day, and 33% of organisations stated that they deal with 100,000 to 150,000 alerts per day.
The cost of breaches in Australia is also the highest within the Asia-Pacific region, with 52% reporting that attacks cost between $1 and 5 million USD and 9% reporting costs of $10 million USD or more; these estimates cover lost revenue, lost customers, lost opportunities and out-of-pocket costs.
What is Cyber-security all about?
Successful cyber-security has multiple layers of protection spread across the computers, networks, programs and data that an individual or organisation intends to keep safe. In an organisation it is the people, processes and technology that must complement one another in order to provide the most effective defence.
People
- Must understand and comply with basic data security principles such as choosing strong passwords, being wary of attachments, and backing up data consistently
Processes
- Organisations need to have a framework for how they deal with both attempted and successful attacks
Technology
- Technology is essential in giving organisations and individuals the computer security tools they need to protect themselves from cyber-attacks. The three main entities that must be protected are endpoint devices such as computers, smart devices and routers; networks; and the cloud. Common technology used to protect these entities includes next-generation firewalls, DNS filtering, malware protection, antivirus software and email security solutions
Types of security threats
Ransomware
- This is a type of malicious software designed to extort money by blocking access to files on a computer system until a ransom is paid. Paying the ransom does not of course guarantee that the files will be recovered or restored
Malware
- Is a type of software designed to gain unauthorised access or cause damage to a computer
Social Engineering
- A tactic used to trick you into revealing sensitive information. From this attackers can solicit a monetary payment or gain access to your confidential data
Phishing
- Is the practice of sending fraudulent emails that resemble emails from reputable sources. The aim is to steal sensitive data like credit card information and login information – this tends to be the most common type of cyber attack
Cyber crime mitigation
The Australian Cyber Security Centre (ACSC) is the Australian Government's lead on national cyber security. It brings together cyber security capabilities from across the Australian Government to improve the cyber resilience of the Australian community and to support the economic and social prosperity of Australians in the digital age.
The ACSC also provides cyber security advice and assistance to Australian Government organisations, businesses and individuals. They have details on the types of strategies that companies can utilise in order to mitigate cyber security incidents.
With that said, whilst no single strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement the eight essential mitigation strategies listed below in order to form a security baseline. This baseline makes it harder for attackers to compromise systems and is far more cost-effective than being put in the position of having to respond to a large-scale cyber security incident.
The essential eight strategies are:
Application Whitelisting – to control the execution of unauthorised software
Patching applications – to remediate known security vulnerabilities
Configuring Microsoft Office macro settings – to block untrusted macros
Application hardening – to protect against vulnerable functionality
Restricting administrative privileges – to limit powerful access to systems
Patching operating systems – to remediate known security vulnerabilities
Multi-factor authentication – to protect against risky activities
Daily back-ups – to maintain the availability of critical data
Implementation of strategies – starting points for business analysts
- Prior to implementing a mitigation strategy, organisations need to identify their assets, particularly their vulnerable assets, and perform a risk assessment to identify the levels of protection required against various threats.
- Building up support and increasing cyber security awareness requires ‘motivators’. Some of the ‘motivators’ that impart awareness and create urgency to cyber security are penetration tests, mandatory breach reporting & mandatory compliance.
- A mitigation strategy should be implemented for high risk users and computers such as those that have access to (sensitive or high-availability) data and exposed to untrustworthy content, and then the strategy can be rolled out for all other users and computers.
- Perform ‘hands on’ testing to verify the effectiveness of implementation and mitigation strategies
- The four major threats to businesses/organisations are as listed below:
- targeted cyber intrusion and external adversaries that steal data
- ransomware that denies access for monetary gain, and external adversaries who destroy data and prevent computers/networks from functioning
- malicious insiders who steal data such as customer details or intellectual property
- malicious insiders who destroy data and prevent computers/networks from functioning
- Implementing the Essential Eight strategies is the most effective way of mitigating targeted cyber intrusions and ransomware; the Australian Signals Directorate (ASD) considers their implementation to be the security baseline for all organisations
Major threats – suggested mitigation strategy implementation
Below are listed the major types of security threat to organisations and the essential strategies to be adopted in combating them.
Targeted cyber intrusions (advanced persistent threats) and other external adversaries that steal data:
- Implement “essential” mitigation strategies to:
- prevent malware delivery and execution
- limit the extent of cyber security incidents
- detect cyber-security incidents and respond
Ransomware and external adversaries who destroy data and prevent computers/networks from functioning:
- Implement “essential” mitigation strategies to:
- recover data and system availability
- prevent malware delivery and execution
- limit the extent of cyber security incidents
- detect cyber security incidents and respond
Malicious insiders who steal data:
- Implement ‘Control removable storage media and connected devices’ to mitigate data exfiltration
- Implement ‘Outbound web and email data loss prevention’
- Implement “essential” mitigation strategies to:
- limit the extent of data security incidents
- detect cyber security incidents and respond
Malicious insiders who destroy data and prevent computers/networks from functioning:
- Implement “essential” mitigation strategies to:
- recover data and system availability
- limit the extent of cyber security incidents
- detect cyber security incidents and respond
Essential mitigation strategies
The eight essential mitigation strategies are outlined below, together with additional supporting strategies. Only those that the Australian Cyber Security Centre (ACSC) rates ‘Essential’ or ‘Excellent’ are listed.
Each row gives the relative security effectiveness rating, followed by the mitigation strategy.
Mitigation strategies to prevent malware delivery and execution
Essential: Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers
Essential: Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities. Use the latest versions of applications
Essential: Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate
Essential: User application hardening. Configure web browsers to block Flash (best to uninstall it), ads and Java on the internet. Disable unneeded features of Microsoft Office (e.g. OLE), web browsers and PDF viewers
Excellent: Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes
Excellent: Email content filtering. Whitelist attachment types (including inside archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros
Excellent: Web content filtering. Whitelist allowed types of web content and web sites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains
Excellent: Deny computers direct internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections.
Excellent: Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and the Enhanced Mitigation Experience Toolkit (EMET)
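The macro row above (and the matching Essential Eight item, “Configuring Microsoft Office macro settings”) comes down to two registry-backed policy values. The following is an added example, not code from the ACSC or this article, that audits those values on a Windows host and optionally sets them to the hardened state. It assumes Office 2016/2019/Microsoft 365 (registry version “16.0”), the per-user policy hive that Group Policy writes (HKCU\Software\Policies), and Word, Excel and PowerPoint as the applications in scope; the function names are the author's own.

```powershell
# Added example, not code from the ACSC or this article: audit (and optionally
# enforce) the two Office macro policy values that implement the macro row above.
# Assumptions: Office registry version "16.0" and the HKCU policy hive that
# Group Policy writes; function names are invented for this example.
$OfficeVersion = '16.0'                  # assumption: change for other Office releases
$Apps = 'Word', 'Excel', 'PowerPoint'    # assumption: the applications in scope

# VBAWarnings values: 1 = enable all macros, 2 = disable with notification (the weak
# default), 3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet = 1 blocks macros in files that carry the
# Mark of the Web, i.e. files downloaded or received from the Internet zone.
function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba   = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $block = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = if ($null -eq $vba)   { 'not set (behaves as 2)' } else { $vba }
            BlockFromInternet = if ($null -eq $block) { 'not set' } else { $block }
            # Compliant with the row above: Internet macros blocked AND unsigned macros disabled
            Compliant         = ($block -eq 1) -and ($vba -in 3, 4)
        }
    }
}

function Set-OfficeMacroPolicy {
    # 3 keeps vetted, digitally signed macros working; 4 blocks every macro outright.
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value $VBAWarnings -Force | Out-Null
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Weak state on an unmanaged host: values unset, so macros from the Internet are
# merely "disabled with notification", one click away from running.
Get-OfficeMacroPolicy | Format-Table -AutoSize

# Hardened state: block Internet macros, allow only digitally signed ones.
Set-OfficeMacroPolicy -VBAWarnings 3
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

In an enterprise these values are pushed by Group Policy rather than set locally; running the audit function alone on a sample of workstations is the quick way to confirm the policy actually landed. The ‘trusted locations with limited write access’ part of the row is a separate policy (Trusted Locations) and is not covered by this script.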
Mitigation strategies to limit the extent of cyber security incidents
Essential: Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Essential: Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities. Use the latest operating system version. Don’t use unsupported versions.
Essential: Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Excellent: Disable local administrator accounts, or assign passphrases that are random and unique for each computer’s local administrator account, in order to prevent propagation using shared local administrator credentials
Excellent: Network segmentation. Deny traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties.
Excellent: Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long, complex passphrases
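Three of the rows above (restrict administrative privileges, unique local administrator credentials, and protect authentication credentials) can be checked directly on a host. The following is an added example, not code from the ACSC or this article, that audits them on a domain-joined Windows machine: it confirms WDigest plaintext caching is off (KB2871997), searches SYSVOL for leftover Group Policy Preferences cpassword values (MS14-025), and lists local Administrators membership. It assumes an elevated Windows PowerShell 5.1+ session, read access to SYSVOL in the current user's domain, and an expected maximum of two local administrators; the function names and that threshold are the author's own.

```powershell
# Added example, not code from the ACSC or this article: audit three of the
# "limit the extent" controls on a domain-joined Windows host.
# Assumptions: elevated PowerShell 5.1+, read access to SYSVOL, and $MaxAdmins
# set to the number of local Administrators members you actually expect.

function Test-WDigest {
    # KB2871997: with UseLogonCredential = 0, WDigest stops keeping plaintext
    # credentials in LSASS memory, so tools that dump LSASS cannot recover them.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $value = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{
        Check  = 'WDigest plaintext caching disabled (KB2871997)'
        Pass   = ($value -eq 0)
        Detail = if ($null -eq $value) { 'UseLogonCredential not set; set it explicitly to 0' } else { "UseLogonCredential=$value" }
    }
}

function Find-GppPassword {
    # MS14-025: Group Policy Preferences stored account passwords as a cpassword
    # attribute encrypted with a published key, so anyone who can read SYSVOL
    # (every domain user) can recover them.
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: audit the current user's domain
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $hits = Get-ChildItem -Path $policies -Recurse -ErrorAction SilentlyContinue `
                -Include Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml |
            Select-String -Pattern 'cpassword="[^"]+"' -List
    [pscustomobject]@{
        Check  = 'No cpassword values in SYSVOL (MS14-025)'
        Pass   = (@($hits).Count -eq 0)
        Detail = if ($hits) { (@($hits) | ForEach-Object Path) -join '; ' } else { 'none found' }
    }
}

function Test-LocalAdministrators {
    # A bloated local Administrators group, or one whose members share a password
    # across machines, is what lets an intruder move laterally after one compromise.
    param([int]$MaxAdmins = 2)   # assumption: built-in Administrator plus one management group
    $members = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Check  = "Local Administrators has at most $MaxAdmins members"
        Pass   = ($members.Count -le $MaxAdmins)
        Detail = ($members -join ', ')
    }
}

@(Test-WDigest; Find-GppPassword; Test-LocalAdministrators) | Format-Table -AutoSize
```

A failing cpassword check is fixed by deleting the offending preference item and rotating the account's password, not just by removing the XML; the password has to be assumed known. The local administrator check is a membership count only; whether each machine's local administrator passphrase is unique (the ‘Disable local administrator accounts’ row) needs a tool such as LAPS rather than a per-host script.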
Mitigation strategies to detect cyber security incidents and respond
Excellent: Continuous incident detection and response with automated immediate analysis of centralised, time-synchronised logs of permitted and denied computer events, authentication, file access and network activity
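The detection row above describes analysing centralised, time-synchronised authentication logs automatically. The following is an added example, not code from the ACSC or this article, of one such detection rule: it looks for a burst of failed logons (Windows event ID 4625) for one account from one source address within a short window, and raises the severity when a successful logon (4624) from the same source follows, which is the pattern of a password-guessing attack that worked. The CSV log lines, field names, threshold and window are all constructed for the example and are not from any real system.

```powershell
# Added example, not code from the ACSC or this article: a brute-force detection
# rule run over a constructed, centralised authentication log. The CSV below,
# its field names, the threshold and the window are all assumptions.
$AuthLog = @'
Timestamp,Host,EventId,User,SourceIp
2024-03-01T09:00:01Z,WS01,4625,alice,10.0.0.5
2024-03-01T09:00:09Z,WS01,4625,alice,10.0.0.5
2024-03-01T09:00:17Z,WS01,4625,alice,10.0.0.5
2024-03-01T09:00:24Z,WS01,4625,alice,10.0.0.5
2024-03-01T09:00:31Z,WS01,4625,alice,10.0.0.5
2024-03-01T09:00:40Z,WS01,4624,alice,10.0.0.5
2024-03-01T09:05:00Z,WS02,4625,bob,10.0.0.9
2024-03-01T09:12:00Z,WS02,4625,bob,10.0.0.9
2024-03-01T09:12:30Z,WS02,4624,bob,10.0.0.9
'@

function Find-BruteForce {
    param(
        [Parameter(Mandatory)][string]$LogText,
        [int]$Threshold = 5,        # failures inside the window that trigger an alert
        [int]$WindowMinutes = 2
    )
    # Normalise every timestamp to UTC so events from different hosts compare correctly;
    # this is why the row above insists on time-synchronised logs.
    $events = $LogText | ConvertFrom-Csv | ForEach-Object {
        $_ | Add-Member -NotePropertyName Time -NotePropertyValue ([datetimeoffset]::Parse($_.Timestamp).UtcDateTime) -PassThru
    } | Sort-Object Time

    foreach ($pair in ($events | Where-Object EventId -eq '4625' | Group-Object SourceIp, User)) {
        $failures = @($pair.Group)
        for ($i = 0; $i -lt $failures.Count; $i++) {
            # Sliding window starting at each failure for this source/account pair
            $windowEnd = $failures[$i].Time.AddMinutes($WindowMinutes)
            $burst = @($failures | Where-Object { $_.Time -ge $failures[$i].Time -and $_.Time -le $windowEnd })
            if ($burst.Count -ge $Threshold) {
                $last = $burst[-1]
                # A 4624 from the same source for the same account after the burst
                # means the guessing probably succeeded: escalate rather than just log.
                $success = $events | Where-Object {
                    $_.EventId -eq '4624' -and $_.SourceIp -eq $last.SourceIp -and
                    $_.User -eq $last.User -and $_.Time -gt $last.Time
                } | Select-Object -First 1
                [pscustomobject]@{
                    SourceIp          = $last.SourceIp
                    User              = $last.User
                    Failures          = $burst.Count
                    WindowStart       = $burst[0].Time
                    FollowedBySuccess = [bool]$success
                    Severity          = if ($success) { 'High' } else { 'Medium' }
                }
                break   # one alert per source/account pair
            }
        }
    }
}

# On the constructed log: alice (5 failures in 30 seconds, then a 4624) is reported
# as High; bob (2 failures seven minutes apart, then a 4624) is not reported at all.
Find-BruteForce -LogText $AuthLog | Format-Table -AutoSize
```

The same shape of rule works against real Security event log exports (the fields map to EventID, TargetUserName and IpAddress); the point of the example is the two decisions a detection needs to make, the window plus threshold that separates a typo from an attack, and the follow-on check that turns a noisy alert into a response-worthy one.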
Mitigation strategies to recover data and system availability
Essential: Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.