It seems that every day we hear more reports of cybercrime, hacks and costly losses from ransom attacks by criminals hijacking IT systems. We certainly take notice of the big events: the attack on Sony Entertainment in 2015; the Department of Meteorology attack in 2015; and, most recently, the Australian Bureau of Statistics' Census being hit by a DDoS (Distributed Denial of Service) attack that caused a shutdown on Census Night in August 2016.
Yet as bad as these are, they pale into insignificance beside the losses being incurred from hacks that rely on Social Engineering, which criminals are using so effectively. Social engineering *1 has been identified by some major banks as the current biggest threat to their business, as reported in the Australian Financial Review on 7 September 2016 ("Banks brace for more cyberattacks"). The article reports that more than $1 billion is lost to cybercrime every year in Australia.
Penetration Testing focuses on the integrity of the IT systems and software used by an organisation. Breaking into a system by this route requires a considerable level of resources. A much easier way is to exploit the real vulnerability: the people, procedures and controls within the organisation. Hence the increased interest in Social Engineering among criminals.
Many Social Engineering attacks come in the form of "phishing", the term for attempts to steal passwords by masquerading as a trusted party in order to infiltrate IT systems.
There have been quite a number of these "phishing" attacks in Australia during 2016, with criminals posing as AGL, Australia Post, Netflix, the ATO and the major banks in order to steal your identity and money.
One form of attack is called "Spear phishing" or "Whaling", where senior staff and CEOs are induced to download malware. This malware sits on their computer, watching and waiting for access to sensitive areas of the company system, recording keystrokes, names and codes. In the case of banks, for example, it monitors activity until it finds the codes and process needed to replicate money transfers through the SWIFT network, or orders ATMs to dispense cash.
For other organisations such malware on their computers would be used to access customer names, accounts, sensitive information, passwords or anything that will allow criminals to steal a customer or person’s identity. This information is valuable and can be bought and sold on the “DarkNet” *2, as reported in the recent Cyber Security program on the ABC.
Unlike banks and large institutions, small to medium companies do not have the capacity to manage the fallout that arises from such an attack. A notable number of companies have gone bankrupt after a serious security breach. These breaches have come from Social Engineering attacks exploiting the inherent vulnerabilities of the company's own people and processes.
As a consequence, cyber security cannot be put on the back burner any longer for any organisation. Attacks will continue and will become more frequent and more complex. The solutions will need to be robust and all-encompassing. Managing cyberattack and Social Engineering vulnerabilities will be core to business continuity.
Insurance companies have started to provide risk management packages to help organisations offset some of the commercial impacts of a security incident. However, this does not remove the need to improve security, especially as premiums will be tied to independent testing and verification of how effective an organisation's security processes are. Ultimately, insurance can never cover loss of business, profits and reputation. It will only cover the direct costs to the business.
The solution is to give priority to improving security. Typically, this encompasses testing, training, and governance procedures that manage access to the areas of highest risk to business continuity should the organisation be attacked.
It is fair to say that attacks are inevitable for any organisation – it is only a matter of when and how.
*1 Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
*2 The DarkNet is a network not accessed by normal web browsers. It requires different software and a special VPN setup in order to participate and remain hidden. It is used by people expressly to evade the law and any traceability of their activities.