Welcome to a new epoch of cybercrime. The tactics may sound familiar, but the landscape is changing rapidly beneath our fingertips. A recent explosion in companies facilitating home working, the Internet of Things (IoT), automation, AI and cloud computing has opened rich and vulnerable terrain for criminals.
Not only are personal data, money and brand reputation on the line, but potentially critical infrastructure as well, leaving individuals, businesses and governments little choice but to pay attention.
Our advisor, Dr Paul Haskell-Dowland, Associate Dean for Computing and Security at ECU, walks us through the top cyber security threats for the year ahead, with practical tips on how to stay secure.
Risk 1. Human behaviour
According to Paul, the most significant risk factor for most organisations is still the human element – specifically, our bad habits.
“It's important to recognise that cyber security threats aren't always highly technical,” Paul explains.
“There is a strong tendency to focus on the technical because that's often easily fixed by subscribing to a service or purchasing and updating a piece of software. However, one of the biggest problems we face is human behaviour.”
Annual password surveys show us that every year the top ten passwords people choose are fundamentally the same. Things like using the word “password”, using the same password for multiple logins, or progressing through a range of numbers appended to essentially the same password, are all rife bad practices that make people attractive (easy) targets.
Using the same password across multiple logins means that the minute one password is compromised, all of them are compromised.
Find out if your email and password have been leaked
The website haveibeenpwned allows you to easily check whether your information is within the 9.5 billion accounts that have been compromised and made visible on the internet. The site won't list your password, but it will tell you which services your password or dataset came from.
If you find out you have been breached, it's time to update your password, especially if you use the same password in multiple places (or worse, for your online banking!).
A significant source of this information was the 2016 LinkedIn password breach, with over 160 million accounts from the major social networking environment having been publicly released.
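The way haveibeenpwned checks a password without ever seeing it is worth understanding, so here is an added example (not code from the article or from the Have I Been Pwned project) of its k-anonymity range lookup: only the first five characters of the password's SHA-1 hash are sent, and the matching is done locally. The response body and the breach count in it are constructed so the example runs offline; the `fetch_range_live` helper shows the real request shape.

```python
"""Offline illustration of the Pwned Passwords k-anonymity check.
Added example; not code from the article or from Have I Been Pwned."""
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex
    digest. Only the prefix leaves the machine, so the service never
    learns the password or its full hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse a response body of SUFFIX:COUNT lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus (0 = never).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real lookup against the live API (not used by the offline demo)."""
    req = urllib.request.Request(API_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-demo-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: the second suffix is the real SHA-1 tail
# of the string "password"; the counts and the other suffix are made up.
FAKE_RESPONSES = {
    "5BAA6": "00000000000000000000000000000000001:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n",
}


def fetch_range_offline(prefix):
    return FAKE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2020"):
        print(pw, "->", breach_count(pw, fetch_range_offline))
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the password itself still never leaves the process.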
Generate stronger passwords
Best practice is to create a long, unique password for every account.
Paul explains why it's time to take passwords to the next level: “Not so long ago, 6-8 letter passwords were considered secure enough. But today, a decent computer can crack an eight-letter password in a matter of hours. It's really not a challenging task.”
Of course, trying to remember one for every service you use at a moment's notice is almost impossible. So, Paul suggests using a password manager.
“There are lots of them out there ranging from good and free, to very good and very expensive. I use a password manager called 1Password, which allows me to generate a unique password for each website.
“My typical passwords are 20 characters long and completely random sequences. They aren't memorable, but by making the password long enough, you make the size of the problem difficult enough that you're no longer an attractive target. If the password is leaked (like with LinkedIn), it is only that one website that is affected.”
Risk 2. Attacks targeting critical infrastructure
When you think about the critical infrastructure of a country – electricity, gas, water and nuclear power plants – you would expect the security wrapped around those kinds of facilities to be highly developed and highly secure.
However, some crucial infrastructure, particularly in the utilities domain, is not as well protected as we would like to think.
As Paul explains:
“Utilities often consist of old infrastructure which has been enhanced over the years to gain modern capabilities. Infrastructure is often located far away from cities with kilometres of networked systems potentially even operating over public mobile phone networks. The minute you have critical systems on networks, it opens up the opportunity for misuse.”
Incidents can vary from relatively benign cases of inexperienced “script kiddies” experimenting with the systems they come across, to vindictive hackers modifying the bowels of a sewage treatment plant. It could even include international espionage such as the case of the cyber weapon Stuxnet which shut down Iran's nuclear enrichment facility by destroying computer-controlled centrifuges.
Audit and rapid response
For most countries, critical infrastructure is already considered a major threat vector, and the risks are well understood, with agencies poised to act.
In Australia, there are routine audits of critical infrastructure and protocols to deal with incidents as they arise. But the scale of the vulnerability, particularly the distances involved in delivering critical infrastructure across Australia, does make it an enormous risk.
Risk 3. Ransomware is evolving, and the cloud is a target
Ransomware is nothing new, but it has been growing and becoming more sophisticated.
What is ransomware?
Ransomware is a form of malicious software (like a virus) specifically designed to lock people out of their computers, servers or data and charge them a ransom to unlock it. Ransomware is usually targeted at specific operating systems or even individual organisations.
“Ransomware is evolving,” says Paul, “Targeting individual organisations requires coordinating mail shots, dropping USB keys – it takes a lot of effort. With organisations moving into the Cloud in large volumes, if a threat vector can target a cloud provider and actually implement ransomware at the hypervisor level – like Amazon or Microsoft – then your return is much, much bigger.
“There is a lot of effort going on right now in the malicious attacker's world, looking at different kinds of malware targeting hypervisors and cloud service providers.
“During 2020, it's very likely we're going to see that evolution of the threat appearing in real life attacks against cloud providers and the impact of that will be much, much larger,” he says.
There have been a growing number of big cases affecting councils, public services and national level infrastructure holding vital (sometimes life-critical) data to ransom.
When you move things into the Cloud, which is effectively outsourcing your computing to remote servers, you rely on virtualisation technology.
Massive servers run data centres, and within a single server, you will run multiple virtual machines. The hypervisor manages these platforms and makes sure the machines are isolated from each other as well as ensuring resources are shared in an appropriate manner. Hypervisors have a significant security role to play.
To pay or not to pay? Protecting against ransomware
Organisations that fall prey to ransomware are advised never to pay the ransom. Ideally, you would have backups from which you could restore lost information and circumvent the issue.
Prevention is the best cure, and there are plenty of security service providers you can talk to if you're concerned about ransomware attacks. Although large, established organisations are most likely to be at risk, smaller organisations that may be part of a vital supply chain to a larger organisation need to look at their vulnerability to ransomware as well.
Risk 4. Deep fakes
Another risk that isn't being talked about much (yet) and doesn't immediately seem like a cyber threat is deep fakes.
Most people will be familiar with the concept via celebrity deep fakes where video is created based on video content from speeches of public figures. This same technology can be used in a business context to trick people into following convincing voice or video instructions from their boss or a senior manager in their company.
“Deep fakes add legitimacy to email campaigns encouraging people to make large financial transactions,” Paul explains. “A video message from that user or video conferencing session can add significant legitimacy to a request, opening up options to undertake large-scale fraud.
“This is a particular risk when you have senior managers who are also public figures and appear regularly in the media and undertake public talks.”
It's an old kind of threat, enabled by the latest technology.
Defending against deep fakes
The best solution to ward against deep fakes is to have robust policies and protocols in place for dealing with financial transactions. Employees who can undertake these kinds of transactions should have a clear understanding of what the processes should be and the risks around deep fakes.
Does it require multiple verifications? Should requests be embedded in procurement systems? Who are the correct people to go through to verify a large financial transaction? If you have any doubt at all, it's better to be safe and double-check the transaction with your manager, rather than to be sorry.
Risk 5. Hacking the Internet of Things
The Internet of Things (IoT) hasn't been in the news lately, but as people take an increasing number of cheap, unsecured devices into their homes, we are sowing a vast field of future opportunity for hackers.
“Consumers want the latest technology and toys to play with and they don't want to pay a lot to purchase them,” Paul says.
“In the IoT market, you have a cheaply produced device connected to a network with basic computing technology inside it, with limited processing power and storage. The typical safeguards that you would wrap around your computer, like firewalls, antivirus software and patches to update systems, just aren't there. So, you end up running a very basic operating system with limited security controls around it in a device that's permanently connected to the internet – it's a perfect storm.
“IoT devices are also manufactured in large volumes, so you end up with vast networks of personal video recorders, CCTV cameras and even children's toys connected to the internet and vulnerable to attack.”
IoT devices are prime candidates for botnets. Attackers can remotely compromise IoT devices, enlist them in a distributed botnet and task them with certain activities, like sending spam emails or sharing the load in an attack on a piece of infrastructure.
Hackers don't want to work harder than they need to. If a device is easy to hack and isn't secured behind your firewall, it becomes a back door into your home network.
If you think it sounds dramatic to call your IoT high-tech doorbell, CCTV or printer a risk, go read about that time a casino had its client database stolen through a fancy fish tank.
When was the last time anyone updated the firmware in their printer, doorbell or wireless access point? It just doesn't happen because we don't think of them as computers.
“Unsupported, vulnerable IoT devices will be in the world, connected to the internet for years to come, and as more and more hit the market their use will become part of hackers' toolkits and they will be compromised in greater volumes,” Paul says.
The website shodan.io allows anyone to search for internet-connected devices that share characteristics.
“If, for example, I know what a manufacturer's web cam looks like, I can search for all of them. With the right hacker tools, it would be straightforward to methodically test devices with the generic password and operate them remotely to collect footage.”
Limiting your exposure to IoT cyber crime
Think very carefully about what you bring into your home or give to others. IoT devices offer valuable services but should be treated with the same care as a new computer. Change the default passwords, keep your gadgets behind a firewall and if devices really are essential to you, consider investing in those with better support.
Ask yourself if you really need the latest internet connected toy with video cameras for your child floating around in your home environment. If the answer is no, postpone the purchase until manufacturers offer better support for their products.
Risk 6. Working from home
In the new context of a global pandemic, we are seeing a rapid explosion in remote work. Smart companies will have enabled this rapidly and safely, but others may have compromised their cyber-hygiene in favour of speed.
“This pandemic will have many people working remotely, and people may be unknowingly opening opportunities for malicious actors on a huge scale,” Paul warns.
“There is also a risk with rushing to implement this kind of infrastructure where it hasn't been previously planned for. Lots of users all of a sudden connecting remotely does represent a risk for organisations.”
One of the challenges with working in home environments is that you are undertaking business activity which may require access to sensitive data or resources in an environment that is – most of the time – untrustworthy.
Organisations rely on barriers like firewalls to keep dangerous elements out. However, as we move to mobile work, we increasingly rely on technologies like VPNs to allow our remote users to connect into corporate infrastructure.
“A VPN is basically a hole, a point to point connection from the outside world into your organisational network, which in itself has risks.
“If you have individuals not only working from home but utilising personal devices, then the organisation has lost control over the endpoint. This introduces a whole range of problems. There may be devices in the home environment that are already compromised and are now in the same network as a work laptop.”
How to WFH safely (during pandemic or otherwise)
A mix of technical safeguards and common sense will help mitigate risks while working from home.
Companies should consider using protected desktops, VPNs or asking people to remotely connect into a virtual workspace in a cloud-based environment to undertake their work. These measures help to isolate work activities from the home environment in which they are carried out.
Individuals should also perform a thorough home audit and ensure passwords are set appropriately on all internet-connected devices.
Risk 7. Automation, AI and malevolent machine learning
Any fully automated process that has lost human oversight introduces the risk of malicious access. This kind of access is a well-known risk for the banking and financial systems which rely heavily on automation, and it is an area of growing concern for major infrastructure as well.
Machine learning (and unlearning)
“Something I'd expect to see more of in 2020 is the use of AI to develop more sophisticated spam email attacks,” Paul says. “It's usually easy to decipher what is and isn't spam based on typos and poor language and so on, but what if those systems could learn from what good emails look like and replicate them?”
Automated systems which monitor infrastructure can also be re-programmed to ignore certain problems or scenarios.
“We are now seeing automation in machine learning and artificial intelligence being used in cyber security as well,” Paul says. “If you are using platforms to learn what user behaviour looks like, and what ‘normal’ is, and if you can re-educate that system to give it a different version of what normal is, you can train it to ignore certain actions.
“That means you can manipulate it to begin to believe that the threat you are trying to introduce to the system is actually normal or normal enough to not trigger an alert.”
Fighting AI with AI
From a defence perspective, there is lots of exciting work going on right now in the arena of cyber research, looking at how to mitigate specific attacks against AI systems.
Cyber experts are analysing network traffic patterns and trends, and even using AI to detect when an adversary is trying to inject traffic to subvert a learning algorithm.
“AI is being used on both sides and it's a game of cat and mouse,” Paul says. “One side gets the advantage for a time, then it flips to the other as new tech is developed.”
Risk 8. 5G
5G is an evolving area that will be going mainstream over the next year or two and, as with any new technology, brings with it the risk of being subverted. The ease of connectivity and depth of market penetration will likely bring with it a considerable number of unsecured IoT-enabled devices.
“If mainstream usage shifts to 5G and there are significant benefits in attacking that environment, then you can bet attackers will utilise that high-speed technology thoroughly,” Paul says.
10 actions you can take right now to reduce your cyber risk
A range of simple things can help make sure most organisations are suitably safeguarded against the most likely types of attacks or at least, make for less attractive targets for cybercrime.
- Set strong passwords
- Lock your computer when you leave it
- Have safe (quarantined) systems for guest users
- Don't open links in emails that you don't know about
- Never plug in a USB you find in the street
- Ensure you have multiple backups of crucial data (and that they get tested regularly)
- Use antivirus software and firewalls
- Only use secure Wi-Fi, avoid public hotspots and combine with a VPN for further protection
- Have a robust cyber security policy (and procedures for financial transactions)
- Educate staff, family and friends on the risks of human behaviour
Join the next wave of Cyber Security specialists
According to Paul, there is a vast demand and a skills shortage for suitably qualified cyber security workers, not only in Australia, but globally.
“Even ignoring the predictions I've outlined above, right now there is a massive skills shortage and demand is only going to grow. We are really looking at between three and five million vacancies over the coming years for people with cyber security capabilities and training,” he says.
“New entrants to this career can expect significant salaries that rise rapidly with experience. It's a great opportunity to work in an exciting environment that's constantly evolving.
“It's also an industry that isn't just for tech-heads or your stereotypical geek in a hoodie in a darkened room. We need a full spectrum of people with expertise in cyber and diversity of thinking, background, gender, age and experience.
“We need people with backgrounds in psychology, medicine, the humanities, and good communication skills. Not everyone needs to be a hacker.”
Looking for your next career move? Consider training for a Master of Cyber Security with ECU.