Report Card for Chromas T Wizard
Although the weather would have us believe otherwise, we are halfway through the year. As usual, it is time for our mid-year report.
At our annual security event, this year themed ‘CloudBurst’ and held at the Tower of London, we made some predictions for security (or lack of it) activity for the year ahead. Let’s see how we are getting on.
Yet more data breaches
2015 will be shown to be the tip of the iceberg! Organisations that store customer data and don’t understand its value to The Mob will be eviscerated. The new European Data Protection Regulation is still in development, not to be implemented until 2017, so other than the reputational risk (you would think that would be enough wouldn’t you, TalkTalk?), there is nothing to punish the guilty and sloppy.
Organisations with poor controls, unpatched infrastructure and unencrypted data will be breached.
This one was not at the difficult end of soothsaying; however, the scale of data breaches this year is staggering, with wild numbers of records released for nefarious or just mean purposes.
Any readers of the most excellent itgovernance blog on breaches and hacks will have seen that in June 2016 alone, more than 289,150,000 records were leaked. Yowser.
You can read the itgovernance blog here.
What is unfortunately unsurprising about the hacks and breaches of this year is that, according to the UK government in its Cyber Breaches Survey 2016, only 51% of all businesses have attempted to identify the risks they face (by performing health checks and audits, for example), although larger enterprises score much better than small and medium-sized businesses.
Furthermore, only half of businesses have implemented controls recommended in the Government’s Cyber Essentials scheme. The recommendations are available here. They make a lot of sense and if you haven’t read them, now might be the time!
More connections, more opportunity
As more devices are connected including cars, trucks and trains (what could possibly go wrong?), increasingly sophisticated attacks will be developed to breach them and use them to breach other connected devices over the secure control channels that they use.
It was interesting to see the announcement by Nvidia early this year of a water-cooled supercomputer on a board called the Drive PX 2, capable of 25 trillion operations per second (you read that right) and designed to handle the complexities of driving cars automatically in a multitude of unpredictable situations using ‘deep learning’ and neural networks.
The automation arms race will have to be supported by effective security strategies from day one, which we all know is very unlikely to happen.
The Internet of Things is becoming deeply problematic from a security perspective. Regular readers of this blog might, unless they have wiped their memories to overcome the depression of Euro 2016, remember last week’s blog, which discussed two major botnets running on compromised webcams and CCTV devices.
If you want to freak yourselves out, take a look at this terrifying list here.
It is essential that any IoT devices at home or in the business are effectively defended, which unfortunately does include changing the default password. Please don’t be lazy!
2015 saw a massive rise in exploits against mobile devices. You will recall the sneaky version of Apple’s Xcode (XcodeGhost), complete with factory-fitted malware; well, expect more of the same and worse.
The target will be absolutely anything stored on the device that offers even the minutest value to the perpetrators and their associates. This is a numbers game and with more mobile devices than inhabitants of the planet, the numbers are big and interesting to the villains.
It won’t matter if you have Android or iOS; the big guns are out to get them, and weaponisation of mobile threats is imminent.
Verizon’s excellent security report at the start of the year identified that, although the number of attacks against mobile devices is enjoying (!) exponential growth, they were not being used as the basis for structured attacks; well, at least they weren’t at the time. Attacks designed to steal credentials from mobile devices, including temporary two-factor authentication codes, are very real and being used in the wild. Some of you may have seen an example of this on the good old BBC’s You and Yours programme. If you missed it, it was covered in Computer Weekly here.
You can read the Verizon report here; just as with all security reports, it is now a little out of date at the ripe old age of 6 months.
The Market in Financial Derivatives Directive (MiFi II) regulation has been delayed from January 2017 until 2018 or possibly beyond (it was agreed in 2014; welcome to Brussels). Until then, the current regulations around trading will remain as they are. Whilst this gives the technology folks more time to develop solutions to the onerous demands of MiFi II, it leaves the markets vulnerable to manipulation.
We predict that data breaches (such as the breaches of market newswire data in the USA last year) will be used to manipulate markets. If anybody gets caught, that is a different matter.
ITC is reviewing the technologies being developed to support MiFi II and will be ready to hit the ground running if the starter gun ever goes off!
Regulation continues to fight to keep up with market manipulation. We have seen bankers from Barclays and Rabobank either pleading guilty to, or being found guilty of, rigging the Libor rates, and you can be sure that it doesn’t start and finish there!
This week (on the 3rd of July) the EU (who are they?) Market Abuse Regulation (MAR) was introduced, although it is unknown how prepared the market is for it and for the maelstrom of regulation coming its way!
Computers doing trades automatically in sub-millisecond timeframes. What could possibly go wrong?
This year, the biggest banking breach was, of course, the $81 million theft from the Bangladeshi bank, which we covered here.
You can read a nice piece about Market regulation here.
One thing we can guarantee is that you will get bored of us warning you about clouds being breached. As organisations exploit the convenience of clouds and move from proof of concept to production without the intervening security architecture and without good practice guides and controls, we will see more cloud breaches and cloud infrastructure being used as a way in.
Those meddling security architects just held you up unnecessarily anyway, didn’t they?
ITC has developed, and will continue to update, best practice guides for the major cloud vendors (AWS and Azure currently) and is well positioned to help you bypass the storm.
We keep seeing celebrities’ pictures and private data being inappropriately and nastily shared on the Internet following breaches of cloud data storage; you will remember good old Adele’s pregnancy pictures of March this year.
Not really big beer, though, is it? Well-reported breaches of LinkedIn, Myspace etc. continue to haunt us, however, with credentials being recycled over and over and freely available for all to peruse!
It won’t be long before the next one, wait and see.
Ransomware will not go away
In fact, it will get more evasive, nastier and more prevalent. 2015 saw the bad guys becoming wise guys and, rather than demanding unfeasibly large ransoms, starting to demand more reasonable amounts – from MORE people.
This will hit you, your parents, your grandparents and increasingly small to medium-sized businesses, who already had a tricky 2015. Let’s hope that best practice security and security awareness can be implemented before rather than after the event.
Another year of the Phish
The momentum behind really sophisticated phishing attacks will continue to grow. We are now so far from the days of ‘send me your bank account details and I will wire you the monies’.
Phishing and the more targeted so-called ‘spear’ phishing will continue to be the primary vector for infection across the board. As more sophisticated automated defences are developed, so the attacks will evolve and continuous user awareness will become an imperative.
We are going to deal with ransomware and phishing at the same time. They have continued to be a major headache for small, medium and large enterprises, not to mention your grandparents, your parents and your kids.
According to Kaspersky, there has been a sharp upturn in the number of emails with malicious attachments; you can read their report here.
It doesn’t take a card-carrying genius to work out that the majority of the malware being distributed by these emails (which, according to Symantec and many others, are opened by up to 30% of unsuspecting punters) is ransomware.
The lovely people at FireEye reported a huge spike in ransomware in March this year here and you can be sure that this is only going to get worse.
Our least favourite ransomware story was (we think) the first of now many hospitals being ransomed, which we reported in February here. Prison is too good for these people.
Microsoft will fix everything
Microsoft will release a new version of Windows, built from the ground up, with no legacy leaky libraries on April the first.
Well, this was obviously a not very funny April Fool’s joke; however, imagine our surprise when Microsoft announced it was bringing the Unix shell Bash to Windows on March 30th 2016. Read about it here.
Overall, we think Chromas wasn’t far off the mark with his work: a solid 9/10, obviously with room for improvement, as there always is.
If you would like to discuss anything security with one of our in-house sages, please contact us at: [email protected] or call us on 020 7517 3900.