Aiming for cyber safety

As organisations transition towards more digital integration, the scope of cyber security is expanding and shifting towards ‘cyber safety’ in a much broader sense. The familiar concept of CIA (confidentiality, integrity, availability) does not meet the new requirements of ensuring safety of any organisation’s broadened business ecosystem and customers. Shadi A. Razak, MBCS, from CyNation, shares his thoughts on how organisations can achieve cyber safety.

Over the past year, we have seen an increase in cross-over threats that compromise organisations’ and individuals’ privacy, security and safety. With the rapid adoption of interconnected things from home appliances and cars to medical devices, we expect a great increase in data privacy breaches, fraud and identity theft, cyber extortion and espionage.

At CyNation, we believe that the threat landscape in 2017 and 2018 will revolve around smart-phones and mobile devices, internet of things, the cloud and IT infrastructure.

Smart-phones and mobile devices

Smart-phones are an increasingly attractive target for online criminals. As a result, attacks are becoming more sophisticated and effective in stealing valuable personal data or extorting money from victims. Although Android users remain the main target, iOS devices experienced effective attacks in which devices did not even need to be jail-broken to be compromised.

According to IDC’s Worldwide Quarterly Mobile Phone Tracker (July 28, 2016), there are more than 1.6 billion smart-phones being used around the world today. This number is forecast to reach 6.4 billion by 2020 according to Samsung and Ericsson.

Such rapid adoption, coupled with enhanced processing powers, high bandwidth connectivity (4G and 5G) and mobile payment systems such as Apple Pay, Samsung Pay and Android Pay, are making smart-phones an attractive target for cyber criminals.

As a result, the number of mobile phone vulnerabilities has increased dramatically by at least 200 per cent in the past couple of years.

With many app stores accessible from desktops and laptops, users are able to browse, purchase, and remotely install apps. This provide a unique opportunity for crossover threats. Several malwares already exploited this by stealing browser cookies for Google play sessions from the infected computer and used the users’ credentials to impersonate the user and remotely install apps onto the victims’ phones and tablets without their knowledge or consent.

Besides the usual trick of hiding malicious code inside allegedly legitimate apps, attackers are developing more sophisticated techniques to make money from their victims. One technique we have recently seen is the use of a phishing Trojan. It tricks users into entering their banking credentials through the pop-up of a fake login page or payment form on top of a legitimate banking or shopping application.

Similarly, mobile ransomware is getting more convincing by using an operating system’s design or an authority’s logos to intimidate the user and lure them into paying their fine or subscription to unlock their device.

We usually recommend organisations and individuals to:

Not jailbreak their devices, as this increases the likelihood of being targeted
Pay close attention to the permissions and consents requested and required by installed apps
Download and install apps from trusted sources only and to avoid downloading apps from unknown websites
Update phone OS and apps as often as possible, as long as the update source is trusted
Delete any suspicious app identified
Change your mobile OS and app store ID every three months
Install additional mobile security solutions, like mobile antivirus and antimalware apps from trusted providers
Automate your device back-up and keep your back-ups up-to-date
Use on-device encryption and remote find and wipe tools in case the device is stolen or lost.

Internet of things

The internet of things has arrived. Even though in its early days, we can see the impact it will have on our lives and the environment: smart devices and wearables download updates from the internet; point-of-sale terminals at shops are 24/7 interconnected with the company’s central system; smart thermostat allows us to control the temperature in our homes through the internet, and connected and driverless cars are already roaming our cities’ streets.

With billions of people connected to the internet today and the number of connected devices expected to exceed 21 billion by 2020 (Gartner Inc., press release, November 10, 2015), the internet of things represents a major transformation in the digital world.

In order for it to deliver the estimated two trillion USD economic benefit, manufacturers, designers and users have to address fundamental cyber security challenges. Devices that were not meant to be internet-enabled are now online and potentially open to attack.

Without efficient security measures, these present an increasingly attractive target to attackers who look for easy targets and entry points to our homes and businesses - our private and professional lives.

As with all cyber security threats, some are more dangerous than others. A hacked fitness monitor may be an inconvenience whist a vulnerability in millions of cars will present serious danger. Similarly, a backdoor in a medical device may give thieves access to a person’s medical records (a data confidentiality breach), but it also has the potential to lead to serious injury or even death.

Taking all these factors into consideration, protecting the internet of things and ensuring the physical safety of its users requires a comprehensive and proactive approach to cyber security. If we couple this with security and privacy by design, meaning safety is built in to devices themselves, their underlying infrastructure and the systems that manage them, we can reach cyber safety.

We’d always recommend that organisations:

Adopt strong SSL / TLS encryption technology to secure devices’ connectivity and authenticity
Make use of user threat modelling and code signing throughout the application development
Use add on-device security, such as physical unclonable functions and embedded critical system protection
Pen-test their connected technology and audit it against security common criteria and known security standards.

Cloud computing and IT infrastructure

Cyber security affects us all. Just as bacteria and viruses surround us and are not going to miraculously go away, vulnerabilities are a part of our computing environment. They are here to stay - like it or not - albeit in ever changing forms and manifestations. A careless approach to monitoring and updating our systems will be a major cause of malware infections and cyber-attack.

With organisations moving their IT infrastructure and systems to virtual and cloud hosted environments, visibility and control of systems are being reduced and entirely entrusted to third party service providers. As a result, the complexity of protecting businesses’ infrastructure and systems will increase and bring new cyber security challenges to the organisation and its stakeholders.

This doesn’t mean the cloud and virtual environment are less secure than traditional IT services. However, as with any system, each time a new layer is introduced to a service stack, the attack surface increases. For example: poorly configured and administrated virtual environments can allow attackers to escape from a guest virtual machine (VM) and access the native host’s operating system, alongside other VMs running on the same platform.

Attackers exploiting such vulnerabilities can steal sensitive data of any of the virtual machines in the affected system and gain elevated access to the host’s local network and systems. Other trends we’ve seen over the past two years, mostly as a result of poorly-managed security of cloud environments, are ghostware and two-faced malware.

In view of these threats, we recommend organisations to:

Stay informed about emerging threats and trends
Keep all systems and devices patched and updated
Employ a multi-layer cyber security programme in which defences exists in each layer of the used infrastructure and system
Apply good security and data protection policies
Train staff well on cyber safety and inform them of its impacts on them and the business
Control access to the infrastructure and systems on a least-privilege basis
Understand well the settings of your cloud resources and configure them accordingly
Read the cloud providers’ service-level agreements to learn how data in the cloud is secured and request evidence to support these claims
Ensure your virtual environment is in compliance with the latest cyber security standards and data privacy regulations
Control access to the cloud administrator infrastructure on a ‘need to know basis’
Enable event logging to keep track of who is accessing data in the cloud and when
Always back up your system and virtual environment and keep the backups offsite.