As Internet penetration increases around the world, so do the risks involved with global connectivity. The inherent fragility of online ecosystems was made abundantly clear in May and June of this year as tens of thousands of computers were held hostage by hackers wielding exceptionally sophisticated cyberweapons stolen from the American intelligence community. We spoke with an Information Security expert to discuss three global forecasts in cyberattacks that you need to be aware of.
1. Ransomware: Pay Up... Or Else
Worldwide ransomware attacks have already happened – twice – in 2017, laying bare the soft underbelly of industries, organizations, and infrastructure components that many take for granted as being innately secure. Hospitals, drug companies, banks, shipping companies and other organizations around the world were locked out of their computers by hackers demanding ransoms be paid in Bitcoin for decryption keys. It's unclear how many companies paid. A major part of the problem is that the malware used was exceptionally sophisticated. As Christopher Magill, an Information Security Compliance Manager based in Seattle, told us, "tools which were only available to nation states are now free." Other experts agree. In their 2017 forecast, cyber-security company FireEye writes that "the line between the level of sophistication of certain financial attackers and advanced state-sponsored attackers is not just blurred – it no longer exists." The May and June attacks proved it. Both used tools stolen from the National Security Agency to exploit vulnerabilities found in certain Microsoft systems. By the time Microsoft put out a patch after the first attack in May, the damage was done. Thousands of computers around the world were infected. What's worse, the New York Times reported, is that thousands more were infected with a new version of the worm the following month because their owners failed to install the fix.
Hardening The Target: Preventing Ransomware Attacks
According to Christopher Magill, prevention is key. "Defending against (ransomware attacks) requires two things: First, always patch your systems with the latest software updates. Second, have backups of important or sensitive data, preferably stored offline."
Those who fail to take their information security seriously will wish they had heeded that advice if infected with ransomware. "Companies after the fact are often out of luck after a ransomware attack," Magill said. "Occasionally malware vendors are able to extract and release the decryption keys to recover, but there are more than 200,000 new malware signatures found every day. It can be like finding a needle in the haystack."
"The one thing companies should never do is pay the ransom. It requires trusting that the attacker will (or is even able to) keep their end of the bargain. Plus it reinforces ransomware as a sustainable business model. At some point you have to starve the ransomware tumor to kill it."
– Christopher Magill, Information Security Expert
2. The Internet of Things: "Tiny PCs You Can't Patch"
Gartner Inc. estimates that by 2020, 20.8 billion Internet-connected things will be in daily use. These include Smart TVs, security cameras, smoke detectors, and even seemingly mundane appliances like refrigerators, lamps, and coffee pots. Each of those things, however, has the potential to be hacked: each is a potential portal for cyberattackers to invade your home – or office – network. Chris Magill calls these internet-enabled devices "tiny PCs you can't patch."
These types of attacks have already happened. In 2014, NBC News reported that hackers turned over 100,000 gadgets and appliances into virtual zombies, using them to send out 750,000 malicious emails. Earlier this year, The Boston Globe reported that WikiLeaks claimed to be in possession of leaked CIA documents – and the accompanying code – that revealed an ability to exploit vulnerabilities in, among other things, Samsung Smart TVs, allowing them to be turned into listening devices. The chances of your coffee pot's maker doing something about it? Probably slim. Once again, an ounce of prevention is worth a pound of cure. "For IoT, don't expect manufacturers to care about security," Magill says. "The financial incentives aren't there for companies to secure a $30 light bulb. Instead, set up a secure home router (a firewall is better) and change default passwords wherever you can."
3. Piercing The Cloud: All Your Data Up For Grabs
Although it hasn't happened yet, experts agree that a major attack on one or more Cloud-based services is inevitable. WatchGuard, a cyber-security firm, named attacks on Infrastructure-as-a-Service as one of their major predictions for 2017. "Cloud adoption is growing at an incredible rate among organizations of all sizes," the company noted in an infographic. "As these platforms have become increasingly engrained in the fabric of businesses’ operations, they’ve also become a ripe target for criminal hackers." Such an attack could wreak absolute havoc on an organization. As InfoWorld's Fahmida Y. Rashid writes, "The severity of potential damage tends to depend on the sensitivity of the data exposed. Exposed personal financial information tends to get the headlines, but breaches involving health information, trade secrets, and intellectual property can be more devastating."
"When a data breach occurs, companies may incur fines, or they may face lawsuits or criminal charges. Breach investigations and customer notifications can rack up significant costs. Indirect effects, such as brand damage and loss of business, can impact organizations for years." – Fahmida Y. Rashid, InfoWorld
Fortunately, Cloud services are generally quite secure. Unfortunately, as with so many other vulnerabilities to outside attacks, the problem is sitting at your desk: it's you. "It used to be that Cloud was assumed to be less secure than on-premise (systems)," Magill told us. "We've kind of reached a stage where Cloud providers have gotten very good at security to the point that the most common successful attack against an organization is now phishing email. Humans as always remain the weakest link."
The solution, of course, is continuing training for employees and contractors at every level to remain cognizant and aware of incoming threats. With cyberattacks preying on global networks, it is imperative that every individual and organization treat Information Security with the same respect that they would physical security: the attacks may be electronic, but the harm done is very real.
Cover photo: Max Pixel