In October, the Australian Cyber Security Centre released its 2017 Threat Report, reflecting on the previous year in cyber security. This annual report addresses the current challenges and emerging trends confronting Australia's digital landscape. Its overarching message is clear: cyber criminals are becoming increasingly sophisticated, and the threat posed to individuals, governments and business is growing. Cyber security should therefore be high on the agenda of all Australians, as our nation becomes increasingly dependent on its digital infrastructure.
- Prevention is always better than cure. The cost of implementing robust and comprehensive cyber security measures may seem onerous, but it is an important investment in reducing the long-term costs associated with a breach.
- Consider implementing the 'Essential Eight'. The Australian Signals Directorate's (the ASD) 'Essential Eight' (the E8) should be considered industry-standard when it comes to preparing your business for the growing threat being posed by the cyber age. To combat the realities of increasing levels of malicious cyber activity, the ASD began publishing a list of 'Strategies to Mitigate Targeted Cyber Intrusions' in 2010. In February 2017, version 3.0 of the ASD's list of strategies was released and saw the agency begin recommending the E8. The E8 is a customisable list of practical actions that both public and private organisations can take to ensure system integrity as the disruptive realities posed by cyber threats continue to grow. The ASD suggests that 85 per cent of cyber intrusions the agency investigated could have been prevented by implementation of the E8.1
- A significant cyber attack hasn't happened in Australia … yet. The 2017 Threat Report is unambiguous when it suggests that although a significant cyber attack has not yet occurred in Australia, businesses should not become complacent. It is a matter of when – not if – your business will be affected by a cyber breach, and businesses need to ensure that they are adequately prepared for this reality.
- The key challenges identified for businesses in the 2017 Threat Report are ransomware, credential-harvesting malware and social engineering. Read on to find out how they are affecting Australian businesses and what you can do to protect yours.
The Australian Cyber Security Centre (the ACSC) is a Federal Government initiative established to ensure that Australian networks are among the hardest in the world to compromise. It opened in November 2014.
The ACSC brings together the operational capabilities of several government agencies, and is the joint responsibility of the Attorney-General and the Minister for Defence. The ACSC's partner agencies include:
- the Australian Crime Commission;
- the Australian Federal Police;
- the Australian Security Intelligence Organisation;
- the Australian Signals Directorate;
- the Computer Emergency Response Team Australia; and
- the Defence Intelligence Organisation.2
The ACSC is the next stage in the development of Australia's cyber security capability, bringing together key operational elements in one facility to:
- enable a more complete understanding and sharing of sophisticated cyber threats;
- facilitate faster and more effective responses to significant cyber incidents; and
- foster seamless interaction between government and industry partners.3
The ACSC will function as a hub for private and public sector collaboration to combat the full range of cyber security threats.
Businesses are an obvious target for the perpetrators of cyber attacks, who are generally seeking one of two outcomes from their assault on your digital infrastructure.
- To covertly enter your internal network, take control of your systems and hold them to ransom. Although their demands are often small enough to entice businesses to comply, the assailants frequently fail to hold up their end of the bargain. As a result, many businesses that have paid a ransom have been left out of pocket, with significant data loss and interruptions to their regular operation.
- To access the data on employees, service providers and consumers that many businesses hold. This information is valuable to perpetrators of cyber attacks, as it often acts as a platform from which they may carry out further attacks.
Cyber crime is an attractive option for criminals, as it can generate large profits with a low risk of identification and indictment. Each successful compromise encourages further illegitimate activity. The ACSC has outlined a number of current challenges.
What is it? 'Ransomware' is a form of malware that is intended to prevent or restrict users from accessing their systems until a ransom is paid, the primary purpose being direct revenue generation. Malicious programs typically enter a host system through the downloading of an infected email attachment, or opening of a website that is designed to silently imprint the malware package onto visitors.4 The malware then proceeds to encrypt data within the system, before locking the user out and demanding a predetermined ransom.
The 'WannaCry' attack earlier this year was a ransomware program that held computers hostage worldwide. Whoever propagated the global assault froze the systems of hundreds of thousands of users, threatening the destruction of their files unless US$300 worth of Bitcoin was transferred to an untraceable account. Significantly, the WannaCry attack immobilised emergency rooms across the UK and brought a major telecommunications company in Spain to a halt, highlighting the real-life consequences that can flow from cyber attacks.
- Ransomware exploits cost US$1 billion in 2016.5
- 39 per cent of Asia-Pacific companies experienced at least one ransomware incident in 2016.6
What is the trend? The ACSC notes that ransomware continues to be a persistent threat to Australia's digital environment. From humble beginnings, whereby perpetrators would operate primarily through large-scale phishing campaigns, ransomware attacks are becoming increasingly sophisticated.
Being a relatively inexpensive and easy-to-run form of malware, there is now a black market for ransomware development. Vendors with the financial resources to do so will often set up platforms on the dark net and sell access to various ransomware programs to operators. Operators will then employ these 'DIY' ransomware programs in their own campaigns, often requiring that a share of the profits be returned to the vendor. This provides, with little effort on their part, the merchants of ransomware programs with access to a vast pool of victims, making it an attractive means of revenue generation.
Ransomware operators are beginning to tailor their attacks to specific target groups, employing various social engineering (see below) techniques to gain entry into host systems. This approach uses well-known Australian brands or government department identities to gain the trust of victims before convincing them to allow the malware program to insert itself into the host system.
How is this relevant to business? Although it might be easy to sweep aside the meagre price tag of ransomware as 'spare change', what should not be so readily dismissed is the disruption to ordinary business operations and reputational damage.
- When the system goes down, the business goes down. The potential immobilisation of a company's digital infrastructure represents a massive hurdle, given the overwhelming reliance most businesses place on technology.
- Vulnerable in the eyes of consumers. Consumers are unlikely to forget that your business was the victim of a cyber attack. This is particularly pertinent for businesses that operate in the financial or communications space and deal closely with individuals' personal information. Consumers will think twice about entrusting their details to companies known to be vulnerable to cyber attack.
- Get hit once, get hit again. Although the one-time payment of a ransom may seem reasonable, you are identifying yourself as willing to cooperate with future demands. Perpetrators are likely to target your organisation repeatedly if they think that you are likely to pay the ransom again.
What is it? Credential-harvesting malware is designed to obtain an unsuspecting user's personal information when they log into websites or applications. Once the malicious program has infected the host system, it will silently 'harvest' relevant details, such as usernames and passwords, which are then sent to an external source. From here, perpetrators are able to sell the data onto third parties or use it for themselves, depending on their objectives.
What is the trend? Credential-harvesting malware poses a significant risk, with individuals now relying more heavily on mobile devices for storage of personal information. 'Internet of Things' (IoT) devices are often not designed with cyber security in mind and are highly susceptible to malicious digital interference. The ACSC suggests that malware designed specifically for smartphones will likely increase significantly over the next few years, as perpetrators seek to capitalise on this window of opportunity. Although IoT devices hold great promise for business collaboration and innovation, their security risk will grow as they become more integrated into our daily lives.
How is this relevant to business? This form of cyber attack has particular bearing on those companies that regularly handle the personal information of consumers. In the 21st century, data is money, and companies cannot forget the potential value of this commodity in the hands of an individual with malicious intentions.
- Financial institutions are a key target for credential harvesting malware, due to the pecuniary interests of most cyber criminals. As the financial industry becomes progressively more digitised through the use of mobile and internet access points, companies should anticipate increased cyber threats from credential-harvesting malware.
- This is not just an issue for individual consumers. Specific forms of malware are designed to target high-value businesses, such as banks or stock brokerages. If the malicious program manages to infect the CEO or CFO's device, the attacker could gain access to a significant portion of the company's accounts.
What is it? Cyber criminals regularly use social engineering techniques to manipulate human trust and elicit information.7 As networks become more resilient in the face of cyber threats, the perpetrators of digital crime are becoming increasingly reliant upon 'human error' to secure a back door into local systems. By convincing an unsuspecting user to open a malicious email attachment or link, malware can covertly infect the network and avoid a system's primary cyber defences.
'Business email compromise' (BEC) is increasingly utilised by cyber criminals to infect systems that would ordinarily be protected through technical means. Between October 2013 and December 2016, US$5.3 billion was stolen through this method of social engineering.8 Adversaries using this technique have usually done their research on the target business, including its corporate hierarchy, employees, contractors and service providers. An email will then usually be sent to an employee with financial responsibilities, appearing to be from a top executive, requesting that a wire payment be made to a vendor or business associate.9 The message will frequently achieve the desired outcome by conveying a sense of urgency, which results in the unsuspecting employee sending money to an offshore account owned by the perpetrator.
What is the trend? The ACSC has recognised a growing sophistication in this area. With more than 90 per cent of all cyber security breaches resulting from human error,10 the growing trend of social engineering should be taken seriously. Significantly, the 2017 Report notes that there has been a marked increase in the number of BEC cyber attacks through the course of 2017, often targeting small to medium-sized businesses.11
How is this relevant to business? The breach of company computer networks as a result of social engineering represents the majority of successful cyber breaches worldwide. Cyber criminals are making billions of dollars each year by exploiting human error and taking advantage of unsuspecting users. The 'people' factor is often ignored when implementing effective cyber security strategies, yet is integral to ensuring a strong digital defence.
- Education is key. Confronted with the reality of a cyber attack that has resulted in considerable loss, many executives will naturally scramble to update their technological defences. However, with more than 90 per cent of intrusions resulting from human error, the best defence to increasingly sophisticated social engineering techniques is education and training. Making your employees aware of the threat significantly diminishes your risk of a cyber attack.
- Be aware of your service providers. You might have taken all the right steps to mitigate your own risk of a cyber attack, but you can never be sure that your service providers have done the same. It is a good idea to exercise some level of caution when dealing with your regular business partners, to ensure that you are protected from negligence on their part.
Advanced malicious cyber activity against Australia's national and economic interests is increasing in frequency, scale, sophistication and severity. The ACSC notes that foreign states possess the greatest capacity to compromise Australian networks – both in the private and public sectors – and are continually increasing their level of investment in cyber capabilities. Although cyber defences in Australia have gradually improved, cyber criminals have kept pace by adapting tools to circumvent enhanced security practices.
Cyber security, it seems, is a constant struggle to stay ahead of the challenges posed by constantly advancing adversaries.
- Australian Signals Directorate, 'Strategies to Mitigate Cyber Security Incidents', Department of Defence.
ACSC 2017 Threat Report, 4.
ACSC 2017 Threat Report, 4.
ACSC 2017 Threat Report, 27.
- Cisco, Cisco 2017 Midyear Cybersecurity Report, 5.
- Cisco 2017 Midyear Cybersecurity Report, 41.
ACSC 2017 Threat Report, 29.
- Cisco 2017 Midyear Cybersecurity Report, 5.
- Cisco 2017 Midyear Cybersecurity Report, 22.
- Willis Towers Watson, 'When it comes to cyber risk, businesses are missing the human touch', press release (1 March 2017).
ACSC 2017 Threat Report, 32.