Cyber Risks and Liabilities – Winter Newsletter

By | December 20, 2013

Technology Risk Insights

Biggest Threats of 2013 and Forecasting 2014

As 2013 winds down and 2014 begins, industry experts have offered their take on the biggest cyber-security threats of the past year and predicted the trends we are likely to see in the near future.

Russian computer security company Kaspersky Lab recently released its list of the top cyber threats of 2013, with cyber espionage at the top of the list. The Edward Snowden/NSA saga is well documented and has shed light on how the U.S. government uses mass surveillance on its citizens and other countries. That’s not the only major espionage event to occur in 2013—Kaspersky discovered a malicious program named “MiniDuke” that was used to spy on and attack government agencies in 23 countries, including Belgium, Portugal, Ukraine and Romania.

Hacktivists were also big threats to cyber security in 2013. The group Anonymous is perhaps the most famous hacktivism group, as they use cyber attacks as a form of political or social protest. The Syrian Electronic Army is also a major hacktivism group, and they used their skills to hack the Associated Press’ Twitter account to send out fake tweets about an explosion at the White House.

Ransomware is becoming more prevalent as a way for cyber criminals to make money. Ransomware is a malicious program that locks a user out of his or her computer and/or files, then demands a ransom to unlock the property. Many people end up paying the ransom, but there is no guarantee that the criminals will ever unlock the computer or files.

Finally, mobile malware is becoming a major problem for smartphone users. Android devices are the biggest targets, as they are widely used and easy to develop software for. SMS Trojans are gaining in popularity as a method for hackers to steal data from users. These Trojans are sent via text message, where they are then free to spread to other devices via Bluetooth and start harvesting the user’s personal data.

As we look ahead to 2014, New York-based risk mitigation firm Kroll has some insight into what to expect:

  • Companies that have lax cyber-security standards will be urged to comply with various National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) frameworks or face potential action by regulators and other legal repercussions.
  • Insider cyber attacks will become more prevalent. Kroll predicts that almost half of all data breaches will come from a company’s employees or people who work with the company.
  • Companies will become better and more efficient at responding to cyber-security events. While being 100 percent safe from an attack is impossible, companies can save a lot of money and headaches in the future by preparing for an attack and responding as soon as possible to limit the damage.
  • Finally, expect companies to more heavily scrutinize their cloud computing and Bring Your Own Device policies to minimize data risks and potential legal problems.


The Necessity of Encryption

Storing valuable information securely is important. Your business may need to store sensitive data, such as customers’ personal information, but storing that data creates the risk of losing it and paying large fines for data breaches. But simply storing your sensitive information behind passwords or firewalls is not enough—if attackers break through your business’ cyber-security measures, they will have access to all of your sensitive and valuable information.

No security measure is foolproof. It is best to assume that your business’ security is always vulnerable, a belief which highlights the necessity of encrypting your business’ data.

Encryption does not prevent hacking or the unauthorized access of information, but it does prevent third parties from reading it. Encryption uses mathematical algorithms and an encryption key to encode data so that only someone who has the encryption key can read the data.

Protecting the encryption key is therefore crucial. Never store it in the same place as the encrypted data. Likewise, never send encrypted data and the key to unlock it in the same message. If you need to send encrypted data via email, provide the key over the telephone to the message’s recipient. This prevents an inadvertent or malicious interceptor from reading its contents.

The best encryption method for your business will depend on the sensitivity of its information and its data storage methods. There are many different types of encryption, including the following:

  • Full disk encryption encrypts an entire disk, including all its data. This method is used to encrypt laptops, desktops and mobile devices.
  • Individual file encryption encrypts a single file or creates an encrypted repository for file storage.
  • Data transit encryption encrypts data during a transfer, but does not guarantee encryption once the data reaches its destination.


Three Tips from a Pro Hacker

Penetration testers, also known as professional hackers, are consultants hired by companies to hack into their computer systems to discover flaws in their security. Here are three tips from a penetration tester to help minimize a data breach:

  1. Egress is important, too. Most companies focus only on stopping criminals from getting IN to the system, but stopping them (and sensitive data) from escaping is just as important.
  2. Don’t issue master keys. You may have a good password policy, but are your administrators using the same passwords for multiple accounts? Make sure they follow strict password rules, as well.
  3. Patch, patch, patch. Always keep your systems patched as soon as possible. Adopt a patching program to ensure it is being done in a timely manner.

Spies Using LinkedIn to Infect IT Workers with Malware

According to German news site Der Spiegel, the Government Communications Headquarters (GCHQ), a British intelligence agency, has been creating fake LinkedIn profiles for IT employees at communications companies to gain access to their corporate networks.

Basically, the GCHQ learns what it can about the target employees, creates a spoof LinkedIn profile about them and then injects the profile with malware. When the target employees open up the profile, the malware spreads and the GCHQ has its way into the company.

The GCHQ has also targeted billing clearinghouses in an attempt to gather data.

Beware of the CryptoLocker Ransomware

CryptoLocker is a newer variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. At this time, the primary means of infection is phishing emails containing malicious attachments. CryptoLocker has been spreading through phony FedEx and UPS tracking notices and also through fake emails designed to mimic the look of legitimate businesses. In addition, some victims saw the malware appear after a previous infection from one of several botnets frequently seen in the cyber-criminal underground.

To protect your business from this ransomware, maintain your antivirus software, tell employees to ignore emails from shipping companies if they’re not expecting a delivery and never follow unsolicited links in emails.
