Monday Dec 23, 2024
Friday, 24 March 2017 00:51 - - {{hitsCtrl.values.hits}}
Internet data which is generated, transmitted and stored these days is growing extremely fast, as indeed are the activities of cyber criminals. The situation now facing the business community, if not Government agencies worldwide is very real, with credible threats to cyber security on an unprecedented scale of diversity and complexity.
According to Gartner Inc., which is an American Information Technology research and advisory firm providing technology-related insights, headquartered in the United States, interest in security technology is increasingly driven by elements of digital business particularly cloud, mobile computing and now also the Internet of Things as well by reason of the sophisticated and high impact nature of advanced targeted attacks. This focus is driving investment in emerging offerings, such as endpoint detection and remediation tools, threat intelligence and cyber security tools such as encryption, notwithstanding which one needs to give serious thought to even more sophisticated cyber security protection particularly so, with global internet traffic predicted to grow threefold in the course of the next five years.
In early 2015, Sri Lanka participated in the Council of Europe Convention on fighting cybercrime, which was a two-day European Union-funded international conference on ‘Assessing the Threat of Cybercrime’. Then again in September 2015, Sri Lanka became the first country in South Asia and second in Asia i.e. after Japan, to become a state party to the Budapest Cybercrime Convention. This international treaty effectively addressed internet and computer crime by harmonising national loss, improving investigative techniques and increasing criminal justice cooperation among nation states effectively to combat the threat of cybercrime.
In a recent statement, the Government of Sri Lanka urged local businesses to consider cyber security as a key area and to develop expertise in this domain.
The Global Risks 2015 report published in January by the World Economic Forum (WEF) surprisingly revealed that 90% of companies worldwide recognise that they are insufficiently prepared to protect themselves against cyber attacks. According to the Centre for Strategic and International Studies, cybercrime costs the global economy over $ 400 billion per year.
On the other side of the coin it is estimated that spending on information security worldwide say, in 2015, was in the region of $ 75 billion.
To elucidate, digital security is best defined as the risk-driven expansion and extension of current security risk practices that offer to protect digital assets of all forms in the digital business and ensures that relationships among those assets can be trusted. One has to be wary these days of what can best be described as an advanced threat environment, which innovates faster than most traditional blocking mechanisms such as firewalls, intrusion prevention systems and secured web gateways.
It is interesting to record that the Chinese President XI Jinping, in the course of his opening speech during a recent visit to the US, placed emphasis on the need for international cyber security as one of the priorities of the day.
Even in Sri Lanka, senior Government sources have echoed these sentiments as was evident from the far-reaching comments expressed by Central Bank Governor Dr. Indrajit Coomaraswamy at the Cyber Security Summit 2016, some sections of which are worth repeating here.
He described cybercrime as the “fastest-growing social criminality in the world” and that measures should be taken to eradicate the looming landscape in this respect not only as a matter of national interest but also as a national responsibility. He went on to state that “as Sri Lanka becomes a more connected country through the introduction of better access technologies, more affordable devices and becomes increasingly automated in terms of electronic services, cyber threats posed to our nation will also increase. Rather than fear this stress, citizens need to strive to learn and apply good security practices and standards, in accordance with our way of life and face the ICT-enabled future with confidence.
According to a recent security report by Microsoft, Sri Lanka has been rated amongst the top 10 countries in the Asia Pacific region in terms of facing cyber threats. Thus it is evident that there is a crying need to secure our cyberspace if we are to continue growing the national economy and protecting our way of life.
I believe that all are aware of a recent incident in Colombo which revealed that the website of the country’s President had been hacked by a 17-year-old student. Fortunately, this caused no harm as it was merely a defacement which did not do anything more than cosmetic harm as no data was stolen nor was there a security breach. However, this development clearly illustrates that in this day and age even a youngster can develop the capacity to hack a website which, apart from anything else, is surely a good enough reason for concern by both the corporate and government sectors which should look to urgently initiate remedial action.
According to Mr. Roshan Chandraguptha, Principal Security Engineer of the Sri Lanka Computer Emergency Readiness Team in Sri Lanka, there have been 1,500 cases of hacking (largely Facebook-related) in Sri Lanka reported up to August 2016 as against 2,800 in 2015 and 1,500 in 2014. These developments have resulted in more people now seeking help to eradicate this menace but still for all from my own experience the larger corporates are generally complacent in the mistaken belief that their existing firewalls and the like are adequate, despite the frequency of web hacking incidents attributed largely to the freely available hacking tools on the internet.
It must be borne in mind that when a website is set up, it is the information security that is of critical importance and not merely the content as largely believed. Some hackers do so prompted by a political agenda or to embarrass people while others seek data for their own criminal usage.
More recent news reports provided an insight to hackers using internet connected home devices such as CCTV cameras and printers to attack popular websites. Security analysts now believe the attacks used the Internet of Things web connected home devices to launch such assaults.
According to Flash Point, a security firm, the attack in one particular case had used what they referred to as ‘botnets’ infected with the ‘Mirai’ malware. Many of the devices involved are said to have come from Chinese manufacturers with easy-to-guess usernames and passwords that cannot be changed by the user - a vulnerability which the malware exploits.
According to cyber security expert Bryan Krebs, Mirai scours the web for ‘Internet of Things’ devices protected by little more than factory default usernames and passwords and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users. The owner of the device would generally have no way of knowing that it had been compromised in an attack.
Apparently Mr. Krebs is intimately familiar with this type of incident after his own website was targeted by a similar assault in September 2016. Incidentally, I am told that the ‘Internet of Things’ or more commonly used IOT, refers to the use of intelligently connected devices and systems to leverage data gathered by embedded sensors and actuators in machines and other physical objects. I am told that for consumers the IOT has the potential to deliver solutions that dramatically improve energy, efficiency, security, health, education and many other aspects of daily life.
For enterprises, IOT can unpin solutions that improve decision-making and productivity in manufacturing, retail, agriculture and other sectors.
In these days, several business enterprises are rapidly expanding into various, if not, complex areas of business and in these circumstances they need to:
To illustrate the gravity of the cyber security threats that have evolved, it is useful to take the example of hospitals, which most persons would regard as low-risk or at no risk of cyber attacks.
The US Federal Drug Administration has warned that hackers are habitually targeting medical devices and hospitals with constant attempts of intrusion and attack, which can well pose a threat to patient safety. In the case of hospitals overseas, many have been victims of ransomware in 2016 – software that made their data unintelligible and demanded a payment to effect restoration.
Then again, there have been documented attacks on larger pieces of equipment such as MRI scanners and in some instances operations have been cancelled because computer systems were knocked out by malware.
There have also been instances where there have been attacks aimed at stealing personal data or for that matter, disabling older medical equipment that helps to monitor vital life signs. The question that arises here is whether hospitals in this country recognise the seriousness of the very real cyber threat involved and have taken measures to meet this situation.
South Asian Technologies Ltd. CEO Sanjaya Padmaperuma recently stated that “widespread adaption of cyberspace has created borderless societies, providing unprecedented opportunities to stimulate economies” which is quite true.
However, on the other side of the coin, the exponential growth in cyberspace will provide hackers with a wider spread to feast on. What most people are not aware of is that in this country the Computer Crimes Act of 2007 clearly lays down the actions that a court can institute against persons found guilty of committing cybercrimes. I wish the media would give more publicity to this piece of legislation, which may prompt prospective hackers to think twice before proceeding with their criminal intents.
For obvious reasons, they do not want the victims to know that their systems had been breached so that, inter alia, they can continue to milk data from that system in order to make money whereas companies whose websites or databases have been hacked do not wish this fact publicised in the belief that it would have an adverse effect, not only on their reputation but more so on their business activities.
It is of interest to mention that the Federation of Small Businesses in the UK carried out a survey and found that 66% of its members had been victims of cybercrime in 2014-2015 at an annual cost of £ 5.3 billion. It is clear here that smaller organisations tend to get hit harder by a hack than larger counterparts because they struggle to absorb costs.
In fact, there was an example of one of their members receiving a text message supposedly from his father asking about the value of the shares in the company because he was thinking of selling in order to buy a property.
As a precautionary measure, he contacted his father, who denied sending such a mail. It transpired that his email account had been hacked six weeks previously and the hackers had sent the email changing the settings in Gmail whereby any response would immediately be deleted thus covering their tracks.
This attempted attack was more sophisticated than everyday ‘phishing’ as these criminals had obviously spent effort in doing research on the company and its ownership although it is difficult to foresee how they intended to make money out of their criminality. It would imply that someone would pay for that information as in the world of start-ups, the CEOs understanding of what his or her company is worth is highly valuable information.
In the same week, the company was subjected to another failed attack “a much more typical wire fraud”. What happened here was that the person in the company responsible for payments received an email purportedly from their Chief Executive asking how to send money. Had the Finance Director replied the fraudsters would make payments to themselves.
Other forms of attack include shutting down companies’ systems and demanding a ransom to get these working again. The so-called ‘hacktivists’ meanwhile attack businesses whose practices they disagree with. Companies that collect credit card data are obvious targets. I would reiterate that smaller companies tend to be more vulnerable to attacks because these often do not have in-house IT security systems in place.
I referred earlier to ‘phishing’ and for those who are not au fait with this term, it refers to the fraudulent practice of sending emails purporting to be from reputable parties in order to induce individuals to reveal personal information such as passwords and credit card numbers.
In 2016, there was a cyber insight conference organised by the Insurance Times in London where some interesting aspects relating to cybercrime were the subject of discussion.
The UK cyber market is young compared to America, when it comes to the amount of historical claims data available. However, the UK is now seeing a marked increase in the number of cyber security insurance policies that customers are buying as they begin to understand their level of exposure and the industry becomes more familiar with how to sell the products as the demand for cyber cover grows.
Focus on progress should need to engage more with insurers and take advantage of the cyber specialists who work with their insurance partners. This is so in Sri Lanka as well, where ideally the broker community should be fully clued up on Cyber Security Insurance.
A lot of mid-corporate businesses still think that cyber attacks are all about liability but judging by the experience in the UK, the majority of the claims are first party involving crime or property damage. Thus, prospective clients should be advised suitably and persuaded to consider not only liability but also both crime and property damage insurance.
On the insurers side I believe they need to encourage brokers to properly understand their products relating to cyber insurance. The wording in the policy should be simple and easy to understand.
Once again, turning to the UK market, 50% of SME cyber losses came from theft or loss of hardware. Twenty percent are inside jobs, 21% are from malware and 7% are as a result of hacking or as they call it DDOS i.e. Distributed Denial of Service while 2% comes from phishing emails.
The Internet of Things (IOT) will of course be the next big area for hackers to target. In this context, it is interesting to add that at the aforesaid conference, one participant, who could best be described as an “ethical hacker”illustrated to the audience how susceptible connected gadgets are to hacking.
This was done by using a smart kettle and door bells to show how easy it was for hackers to access goods and take control of a gadget. The big game changer with IOT is that, effectively, we are putting the technology in the hands of the hacker. We are also seeing a lot of IOT devices able to do e-commerce, which is going to be a risk in the future.
Cyber threats of course are not restricted to mere corporates or individuals but more so, on a larger scale to the international arena. Recently, we see a situation that has developed, where the Obama Government in the United States made the somewhat startling statement that following exhaustive investigations carried out, they have collated adequate evidence to the effect that Russia hacked the democratic party emails prior to the Presidential Elections and used this information in such a manner as to ensure that Donald Trump was elected to that position.
Metaphorically speaking, how much water this carries is difficult to quantify but as one can imagine, such an accusation would not have been made without adequate grounds. Then again, a few weeks back, the French Foreign Minister announced that there had been 24 cyber attacks targeting their defence installations.
What all this goes to prove is that adequate cyber security is an essential ingredient towards running businesses if not even a Government.
Be that as it may, it is of interest to describe what is said to have actually taken place to John Podesta, who was the Chairman of Hilary Clinton’s election campaign. His email login represented a point of vulnerability, a scene where the digital walls protecting his campaign were at the mercy of his judgement and specifically, whether he could determine if a message apparently from a reputable source was real or fake.
An email warned him that someone in Ukraine had tried to access his Gmail account and asked him to click on a button and reset his password. As his technology experts were of the view that this was a legitimate mail, he did press the button, which appeared to lead to an official Google page but it was in fact a meticulously personalised fake with a domain address linked to a remote cluster of atolls in the South Pacific.
All this was designed to trick Podesta into entering his password. This technique is known as ‘spear phishing’ –a weapon against companies and political organisations because it needs to succeed only once against a single target.
After that, attackers can use a trusted identity of the first compromised account to more easily persuade colleagues into opening infected attachments or clicking on malicious links. Not only will a working email password yield years of intra office chatter, etc. but also it can often leverage control of other personal accounts.
I wish also to refer to a disturbing, if not frightening, development in the international market where cyber war is available for sale. After a producer of surveillance software was hacked, its leaked documents shed light on a shadowy global industry that has turned email theft into a terrifying and lucrative political weapon.
A subscription-based website called ‘Insider Surveillance’ lists more than a dozen companies selling so-called ethical malware including ‘Hacking Team’ – just one of many private companies that largely, below public notice, has sprung up to aid Governments in surveilling the private lives of individual citizens.
This company has customers all over the world. According to internal documents, its hacking tool, which is called the Remote Control System, can be licensed for as little as $ 200,000 per year, well within the budget of a governing strongman.
After it has been surreptitiously installed on a target computer or phone, this system can invisibly eavesdrop on everything i.e. text messages, emails, Skype calls, location data and so on.
It can grab data before it can be encrypted and carries out an invisible digitalised equivalent of a Watergate-style program. I am told that the same program that you use to monitor your baby may well be used by Bashar al-Assad or Abdel el-Sisi to track whoever they don’t like. What is interesting is that the company called ‘Hacking Team’ to whom I referred earlier had their own site hacked which, apart from anything else, revealed that their malware had been sold to several foreign governments.
The Wikileaks release aired on BBC on 7 March 2017 reveals that the US Intelligence Services had hacked the personal details of citizens, which if proved correct, bears testimony to the foregoing particularly so as two days later, a further news report brought to light that they were investigating the leak of their malware.
Yet another revelation by Wikileaks on 8 March 2017 referred to the CIA using Samsung Smart TVs as one of its weapons for surveillance. In elaboration, Wikileaks claims that the CIA worked with UK intelligence officials to turn microphones and TVs into listening devices through a program called ‘Weeping Angel’ where even when the TV is switched off, the microphone is active and listening.
Wikileaks adds that the audio goes to a covert CIA server rather than a party authorised by Samsung. In such cases, audio is not limited to TV commercials but could include everyday conversations.
In reality, cyber attacks are so popular precisely because they are often so difficult to prove beyond a shadow of a doubt and thus offer the benefit of deniability. In the physical world, even the most talented of bank robbers will leave enough of a trail in terms of city-wide surveillance cameras, electronic device records, DNA evidence, financial transactions and other information to identify the likely culprit and establish concrete evidence of guilt.
In the cyber realm, one can construct such a chain of intermediaries and false evidence as to make attribution extremely difficult.
It is believed that the UK Government’s strategy to spend £ 1.96 billion on cyber security and set up a National Cyber Security Centre would make it simpler for businesses to obtain advice on cyber security and would bring together the skills needed to respond to such incidents, a worthy example for Sri Lanka to follow.
Broadly speaking, in Sri Lanka there is a sense of complacency generally prevailing in the business environment, where the cybercrime security risk factor is not viewed as seriously as it should be. Apart from whatever measures may be embedded in the existing arrangements, what would prove invaluable is a digital business and data protection insurance whereby notwithstanding whatever new or complex threat environment is developed by hackers, the policy will come into play subject of course to the adequacy of the sum insured and the relevant conditions applicable.