Your A–Z guide to cybersecurity threats and how to deal with them.
Cyber attacks have come a long way since your Hotmail account received a random message from a Nigerian prince looking to loan you a million dollars. In the wake of incidents like the recent Cambridge Analytica-Facebook scandal and last year’s WannaCry ransomware outbreak, global anxiety surrounding privacy and cybersecurity is at an all-time high.
So it should be, because the stakes are high. Cyberattacks, where customer records or critical business data are lost, are expected to cost Australian businesses with 100 to 500 employees around A$1.9 million each, on average, according to research by security firm Webroot.
This A–Z guide to cyberthreats will help you understand and arm yourself against everything from Android malware to zero-day exploits (attacks that exploit a previously unknown security vulnerability).
Vulnerability, exploit or malware?
No, they’re not all the same thing. Before we get into specific threats, here are the key terms that describe the different types of cyberthreat.
A vulnerability is a hardware or software flaw that leaves systems open to potential attacks or breaches. An exploit is the act of using that vulnerability to attack or breach a system or network in a particular way.
One way to do this is to develop malware – a catch-all term, short for malicious software, that includes computer viruses, worms, Trojan horses, spyware and other nasties.
Advanced Persistent Threat (APT)
An APT is a series of attacks that targets a particular organisation that has high-value data, such as a government agency, bank or manufacturer. The hackers are generally highly skilled and extremely persistent in their attempts to gain unfettered access to the organisation’s network.
Their aim is to remain undetected for a long period of time, so they can steal as much data as possible for a range of reasons, such as industrial espionage.
Android malware
The more popular an operating system becomes, the more susceptible it becomes to malware, and that’s certainly the case with Android. There are now more than 2.5 billion Android devices worldwide and 20 million malware threats, according to security researcher AV-test.org.
Google itself admitted it took down more than 700,000 “bad” apps from its Google Play store in 2017.
BlueBorne Bluetooth vulnerabilities
Security vendor Armis Labs identified a series of Bluetooth vulnerabilities collectively known as BlueBorne, which could impact more than 8.2 billion computers and devices running Android, iOS, Windows and Linux – including Amazon and Google smart speakers.
There are no known instances of hackers exploiting BlueBorne vulnerabilities, but potentially they could allow hackers to take control of – or spread malware to – any susceptible device when Bluetooth is on.
Botnet
A botnet is a (typically) large number of compromised connected devices, controlled by bot software that makes them participate in DDoS (distributed denial of service), spam and other attacks.
Brute force attack
This is a trial-and-error method of gaining information, such as a password. Hackers generally use software to automate and greatly accelerate the process.
Cryptocurrencies such as bitcoin depend on, and reward, bitcoin miners who use their own systems to help with the number-crunching needed to process transactions. However, increasing the scale of a mining operation requires investing in computers, and it can consume a lot of electricity. Instead, hackers may hijack other people’s computers to mine bitcoin.
These systems are typically infected via drive-by code (see the drive-by download entry), and a tool called Coinhive, which multiple security firms recently identified as the top malicious threat to web users, has made this easy to implement. According to Malwarebytes, Australians were subject to more than 12 million Coinhive-based drive-by incidents in October 2017 alone.
Crime-as-a-service
As if there weren’t enough hackers, now even non-technical criminals can purchase ransomware, DDoS (distributed denial of service), hacking and other tools to perpetrate online and offline crimes, according to Europol’s Internet Organised Crime Threat Assessment 2017. Collectively, these tools are called crime-as-a-service.
DDoS (distributed denial of service)
A DDoS is a targeted attack designed to take down a computer network or servers by flooding them with data sent simultaneously from many individual devices. Security vendor Kaspersky has identified one DDoS attack that lasted more than 320 hours.
Typical DDoS targets are governments, media and other high-profile websites. However, in one 2016 case, a young hacker allegedly configured his website to automatically make 911 calls, inundating emergency services in three US counties with fake calls.
Drive-by downloads
However it’s done, the aim is generally to download malware onto site visitors’ systems without their knowledge.
Email is still one of the most popular methods of distributing malware. Over 2016-17, reports to the Federal Government’s Australian Cybercrime Online Reporting Network indicated losses of more than A$20 million due to business email compromise – a 230 per cent increase on the previous year.
Phishing – bogus emails purporting to be from reputable companies and designed to obtain information such as passwords and credit card numbers – is still rife. Security vendor MailGuard regularly reports on phishing emails masquerading as trusted brands, including the ATO, ASIC, Telstra, EnergyAustralia, Xero, Commonwealth Bank, Netflix, Amazon and many more.
Hacktivism
Not all hackers are financially motivated criminals. Activists who seek political or social change are also turning to hacking techniques. Perhaps the best-known hacktivist group is Anonymous, which has claimed responsibility for many high-profile DDoS attacks, including one on the Church of Scientology.
Internet of Things vulnerabilities
The Internet of Things (IoT) is transforming operations in manufacturing plants, farms, mines and even whole cities, but it has an Achilles heel – the security of the connected devices and sensors that are so essential in delivering the data needed for IoT applications.
These low-cost devices and sensors are often unsecured and, as a result, open to a range of threats. One is Mirai malware, which has infected millions of IoT and other connected devices, turning them into botnets. One such botnet was responsible for delivering a massive DDoS attack that brought down the internet for most of the US East Coast in 2016.
Keyloggers
Keyloggers record every keystroke made on the systems on which they are installed. They’ve been used by surveillance organisations, but are also a type of malware that sends information such as passwords and credit card details back to cybercriminals.
KRACK wi-fi vulnerability
Discovered by a security researcher in 2017, KRACK (short for key reinstallation attack) is a wi-fi vulnerability that has the potential to affect millions of systems and devices. The flaw is in the WPA2 encryption protocol that protects data on wireless networks.
In general, wi-fi networks – and particularly public networks – are known high security risks.
Mac malware
Don’t believe the old boast that “Macs don’t get viruses”. In fact, security vendor Malwarebytes reported a 270 per cent increase in Mac malware in 2017. True, the actual number is still dwarfed by the volume of Windows viruses, but complacency can and does result in ransomware and other malware infections on Macintosh devices.
Just as compromised webpages can deliver drive-by downloads, web ads have been shown to be a source of hidden malware. This is particularly nasty because many legitimate sites carry third-party ads.
Meltdown and Spectre
Meltdown and Spectre are the highly publicised and serious processor design flaws that could allow rogue programs to access data that should be secured. Meltdown affects all Intel x86 and some ARM processors, while Spectre affects Intel, AMD and ARM chips. This means that virtually all modern computers and many other devices are at risk.
Potentially unwanted programs (PUPs)
PUPs include spyware, adware, browser toolbars and other annoying programs that have been installed deviously, such as piggybacking on the installation of another application. They may not be as dangerous as malware, but they can be very annoying and difficult to get rid of.
Ransomware
Ransomware became public enemy number one in 2017, following a string of global outbreaks, including WannaCry and Petya. What could be worse than malware that encrypts all your files, requiring you to pay a ransom for the decryption key?
According to a 2018 global report from software company Symantec, WannaCry cost Asia-Pacific businesses US$300 million in the three months after its release.
Rootkit
A rootkit is malicious software designed to gain privileged (and often administrator-level) access to a computer or operating system, while hiding its presence.
Sony BMG was accused of using a rootkit as part of its CD copy-protection measures in 2005, but rootkits since then have generally been malware.
Smart home vulnerabilities
Like business-focused IoT devices, many smart home devices are known to be open to attacks. Certain security cameras, TVs and even connected children’s toys have been shown to have vulnerabilities by security researchers.
Social media security
We explored the Facebook-Cambridge Analytica scandal in the June 2018 edition of INTHEBLACK. However, even before that there were security issues with social media. For example, in 2016, security vendor Check Point identified images on Facebook, LinkedIn and other services that triggered malicious downloads.
Spam
The figures vary significantly, but at best around 39 per cent of all emails globally are unsolicited messages, according to research company Statista. Or, to put it another way, more than one billion spam emails are sent every minute.
Whaling
Also known as spear-phishing, whaling is a type of highly targeted phishing often aimed at senior executives and is designed to trick them into providing confidential company information or passwords to financial systems or accounts.
Zero-day exploits
A zero day is the day on which a vendor learns of a vulnerability in its system or software. A zero-day exploit is an attack that takes place in the window after cybercriminals discover the flaw but before that day, typically delivered with malware.
How to fight cyberthreats
These are just some of the cyberthreats out there, so what can you do about them? Here are a few options.
Keep your systems and software up-to-date.
Serious vulnerabilities are usually quickly patched with security updates by vendors – as has been the case for the BlueBorne, KRACK, Meltdown and Spectre vulnerabilities. It doesn’t always go to plan, however. For example, Intel withdrew its initial Meltdown and Spectre security updates due to performance issues. Similarly, Microsoft withdrew its first Meltdown/Spectre update for Windows after a number of PCs with AMD chips failed to boot after installing the patch. The latest patches seem fine, however, and usually the benefits of prompt system updates far outweigh the alternative: vulnerable systems.
Use endpoint protection.
This means protecting computers, smartphones and other endpoint devices – thankfully, AV-Test.org shows that Android security software is now quite effective. As well as traditional antivirus software, endpoint protection can include safe-browsing and anti-fraud tools that help prevent drive-by downloads and theft of credit card and other sensitive information from phishing attacks or compromised wi-fi networks.
Advanced tools such as machine learning, heuristics (an algorithm that produces an expedited, acceptable solution) and sandboxing (isolating applications from critical systems) can help mitigate zero-day exploits and other unknown threats.
Back up regularly.
It’s always been essential, of course, but it’s particularly vital in protecting against ransomware. Back-ups should be “offline, or otherwise disconnected from computers” because ransomware and other malware can “encrypt, corrupt or delete back-ups that are easily accessible”, according to the Australian Signals Directorate’s highly regarded cybersecurity strategies.
Consider DDoS mitigation services.
High-profile organisations, or those that can’t afford outages, should talk to their ISP or a specialist provider about DDoS mitigation services.
Adopt IoT security.
It’s essential that organisations deploying IoT applications investigate the various security solutions on offer.
Educate yourself and your staff.
Email security services such as MailGuard can filter fraudulent emails, but ultimately education is the first weapon in the ongoing battle against phishing and other threats that target humans rather than machines. Lesson number one: use long, random passphrases – and a different one for every login – to prevent brute force and other attacks. A password manager (such as Keeper Security, Dashlane, LogMeOnce or Sticky Password) is a must.
Consider advanced threat protection.
There are other types of security products that can and should be considered by businesses, such as endpoint detection and response (EDR) and threat intelligence services to help mitigate advanced threats such as APTs (advanced persistent threats).
CPA Australia also offers cyberthreat-related information, as part of our Professional Resources. Visit cpaaustralia.com.au/cyber for more information.