Cybersecurity: The evolving threat
Stewart Twynham continues his GDPR preview series with a basic history lesson in how the risks surrounding online technology have evolved during the past 15 years.
In 2017, the Information Commissioner’s Office (ICO) secured eight convictions against NHS employees, all of whom were caught prying into the medical records of patients, friends, colleagues or others without a valid or legal reason.
Just this month, a former council worker was fined for sharing personal information on children and parents via Snapchat.
With the press and the cybersecurity industry getting excited by more esoteric threats, it’s important not to overlook the ones under an organisation’s nose. Before I break the general data protection regulation (GDPR) down over the coming weeks, I want to take a balanced look at today’s threat environment - away from the vendor hyperbole. To do this I need to take you back in time.
Fifteen years ago: the cyber-terrorist
Back in 2003, the world was a very different place. While the media had already come up with the notion of “cyberterrorism”, waging a war via the internet was pretty much impossible.
To begin with, most of us were still doing everything on paper. Strict rules on the export of 128-bit cryptography from America had only been relaxed a few years earlier. And without high-quality encryption, services such as online banking and e-government were not yet established. But this was all about to change.
Fourteen years ago: the rise of the criminal gangs
Early computer crime was relatively disorganized and the fear of being hacked far outweighed reality. For businesses, the malicious theft or destruction of data by employees represented by far the biggest risk.
Computer crimes tended to focus on low-hanging fruit such as credit card fraud. As businesses and individuals began to do more online, the criminal community saw new opportunities to monetise their activities. By 2007, there had been a shift towards identity fraud. Now criminals could establish a line of credit rather than having to rely on credit card numbers that might only be good for a couple of low-value transactions.
Tim Jordan’s Genealogy of Hacking suggests that the real catalyst was the rise in online gambling in the early part of the decade. Suddenly, computer criminals and organised crime networks were being brought together - resulting in an explosion of viruses, online scams, botnets and ransomware. Organised crime also had links back to nation states including Russia - an opportunity which was not lost on the Kremlin.
Twelve years ago: Hacktivism emerges
Hacktivists are hackers motivated by ideology, often gathering and leaking confidential information from governments and large corporates they disagree with.
The website WikiLeaks started as an attempt to uncover the truth and fight corruption. While many might see this as a noble cause, the uncontrolled release of sensitive information by hacking groups wasn’t welcomed by businesses, governments or the individuals who were adversely affected.
Eight years ago: Hacking turns professional
The emergence of the cybercrime-as-a-service industry has probably been one of the more unexpected developments of the decade.
Taking the lead from successful IT providers, there has been a proliferation of “hackers-for-hire” offering hacking, malware, DDoS (Distributed Denial of Service) and ransomware to budding criminals who lack the necessary technical acumen.
Complete with service level agreements and cast-iron money back guarantees, there is an almost surreal emphasis on customer care and professionalism. If a target’s website is not taken offline or a piece of malware is detected by anti-virus software within a certain time, the customer can be confident that their money won’t have been wasted as their supplier will support them.
It has also opened the door for all kinds of traditional protest groups - everything from animal-rights to right-wing politicians - to get involved in cyber attacks and become the hacktivists of the future.
Four years ago: The state-sponsored hack
The attack on Sony by Lazarus - a North Korean hacking group - put the notion of a serious attack sponsored by hostile state actors into the spotlight. But this rogue state’s abilities are dwarfed by other players on the cybercrime stage. Currently, Russia is the only country with the kind of scale in terms of people and infrastructure to offer a serious and credible threat to the West. The situation, however, is quite nuanced.
Recent attacks by both Russian and North Korean hacking groups have targeted banks, large firms and cryptocurrency exchanges solely to steal money.
The attack on the Winter Olympics which took 300 computers permanently offline is believed to have been carried out by Russian hackers who ran a false flag operation - connecting via a North Korean service provider to point the finger at Pyongyang. The line between cybercrime and cyber warfare is becoming increasingly blurred.
This blurred line is also a fairly accurate representation of where we are today. Ciaran Martin, CEO of the National Cyber Security Centre, identifies the two most proximate threats as being hostile states (mainly Russia) and the “rampant criminality” that exists in cyberspace.
All cyber attacks are targeted...
…but attacks that target particular businesses or individuals are less common. Small businesses tend to assume they’re not a target for cybercrime because they’re too small, but I have yet to come across any ransomware that checks the size of your balance sheet prior to infection.
The reality is that attacks generally target a particular vulnerability: an operating system, a piece of unpatched software, a particular device or a common misconfiguration. All things that you commonly find in small businesses.
Basic controls can save the day
The majority of attacks last year targeted vulnerabilities that were more than a year old - keeping your systems and devices up to date will prevent many of these types of attack.
Many attacks take advantage of poor network configuration. The WannaCry attack that brought the NHS in England to its knees last year was able to propagate right across the NHS secure broadband network because firewalls were not correctly configured.
Many attacks rely on weak passwords. It is estimated that the 25 most common passwords will get you into around 10% of the world’s systems and that 43% of login attempts are malicious.
Getting the basics right will either prevent or mitigate the damage of cyberattacks which are not specifically targeted towards you.
Targeted businesses need to up their game
Of course, some businesses are a genuine target - and often the ones that least expect it. Here are just a few examples of how your business might become one:
- You run a popular forum or website - the high number of visitors and/or user accounts will be attractive to criminals. Enthusiast sites run on a part-time basis are at particular risk because these groups don’t generally have the skills or resources to prevent an attack.
- You’ve developed a popular piece of software or plug-in. Inserting malware into your software could reach thousands of users, as happened to the ICO website recently.
- You’re a supplier to a government agency/a popular celebrity/a high profile company/a piece of critical infrastructure. The easiest way into a hardened target is invariably through its supply chain.
- You announce on LinkedIn or Facebook that you’ve been awarded some funding or a valuable contract. I’ve even seen very small charities targeted in this way - and again they often lack the resources and experience to defend themselves.
The difficulty for targeted businesses is that traditional models of risk don’t apply. You can harden critical systems as much as you like but most attacks will begin where your organisation is at its most vulnerable - for example when software is being downloaded onto the MD’s laptop by his or her children after school.
Businesses must set minimum standards across their entire organisation, with a particular focus on protecting and training those with higher levels of access such as the management, IT and finance teams.
Keep cyber threats in perspective
Around 50% of ICO notifications in 2017 came down to human error of some form or another. It’s important not to lose sight what’s right in front of you - especially now GDPR is almost upon us.
Cyberattacks are still critically important because they impact all of your data in one go - but that threat needs to be balanced against everything else that may be going on within your organisation.
A word on privacy
Over the last 15 years, we have seen a revolution in the way personal data is collected, processed and stored en masse. Organisations have been largely free to harvest and trade our data without our explicit approval - a fact evidenced by the number of organisations now struggling to justify their lawful basis for processing.
Worse, some have failed to provide even the most basic security, allowing data to be lost, stolen, carelessly discarded or exported without due diligence. This has allowed individuals to be harmed through identity theft, social engineering, phishing, smishing and by allowing criminals direct access to their personal finances.
Under the latest Data Protection Act, which celebrates its 20th birthday this year, privacy has become an elusive concept - with businesses consistently failing to take their responsibilities seriously.
The GDPR now hands the control of personal data back to the data subject - and presses a big reset button on the huge stockpiles of data that were once collected. It goes further by anticipating that there are things far worse than financial loss - preventing the processing of particularly sensitive information in most circumstances.
The large potential fines may have grabbed the headlines, but these will be reserved for the biggest firms (historically also the worst offenders). It’s the wide-ranging non-monetary sanctions which give the ICO the most powers under the GDPR.
There are anomalies - there will always be anomalies in anything - but for the most part, people in the know agree that GDPR is all about “good data protection rights” and not another piece of unnecessary red tape.
The GDPR will never solve all of the world’s problems, not least because plenty of personal data has already been stolen, but it will set out a level playing field on which all businesses will need to operate.
Next time: I will introduce the GDPR and take a walk through some of the key changes over the Data Protection Act 1998.