The hacker: made in Hollywood?

The hacker: made in Hollywood?

A hacker is smart, much smarter than the average. With just a few clicks and a few key combinations, he’s hacked into the systems of governments, government agencies and large corporations. He avoids the public and acts in secret. His skin is pale, he always wears dark clothes and works late into the night – that’s what Hollywood tells us. And the stereotypes created by the film industry remain in our consciousness… But who is behind the ingenious attacks that frighten whole companies? How can we imagine the developers of Ryuk, Emotet and WannaCry?

In August 1986, computer sabotage and the unauthorized manipulation of data and data carriers were included in the penal code as a special form of damage to property. The term “hacking” is often equated with criminal intent, especially in German-speaking countries. But not every hacker is a criminal – some are consulted or even booked by companies in IT security matters in order to test the internal systems for possible security gaps. Depending on compliance with the laws and the intention of their activities, hackers can be assigned to different groups:
  • White Hats: The “ethical” hackers move legally through the systems of companies that have hired them to search for vulnerabilities in their IT infrastructure
  • Black Hats: Also known as “crackers”, they are the black sheep of the hacker herd. Sabotage of systems, extortion and theft of confidential data and information, that’s what Black Hats are after. With their hacks, they often do great financial damage. The motives have different backgrounds.
  • Grey Hats: There is not always black or white. Between the white hats and the black hats, this group of hackers operates in a legal “grey zone”. They find vulnerabilities in systems and publish them on different platforms so that they can be repaired as quickly as possible by those responsible. This distinguishes them, for example, from white hats, which report security vulnerabilities directly to those affected without going public. The public “denunciation” of IT vulnerabilities also reaches black hats.

Some hackers gained special attention through their activities. They are considered “inventors” of special hacking techniques. Some have penetrated highly secure government and corporate networks, or uncovered top secret documents. Here are a few of them:

The Father of Social Engineering: Through his social engineering techniques, Kevin Mitnick captured sensitive corporate information, source code, and database access. Among other things, he is said to have penetrated the US Department of Defense and the NSA networks several times. In the 1990s, the FBI declared him the “most wanted hacker in the world”. After spending several years in prison, Mitnick changed sides. Today, he works as a penetration tester and lecturer and as managing director of his own company, advises large companies on security issues relating to their systems.

Hagbard Celine: Karl Koch, also known as “Hagbard Celine” is one of the best-known German hackers. Together with other hackers, he sold data from US computer systems to the Russian secret service KGB. Koch was found dead in his car at the age of 23. However, the exact cause of death has not yet been fully clarified.
John Draper alias “Captain Crunch” was one of the first telephone hackers (phreakers) and became known for his use of a toy pipe from a Cap’n Crunch muesli package to transfer the fees of an American telephone company. Together with some of his friends, he developed the Blue Box, which can play the 2600 Hertz tone in order to make free telephone calls. Organized crime was also very interested in the phreaking business and was able to record a good “turnover”. At the same time, however, the telephone companies were in the red and sued Draper as the inventor and causer of this development. He was sentenced to five years’ probation, four of which he spent in state prison. In the 1970s, he met Steve Jobs and Steve Wozniak, the founders of Apple. Draper also developed Apple’s EasyWriter word processor. In July 2018 Draper published his autobiography “Beyond the little Blue Box”.
Whistleblower: Under the pseudonym Mendax (lat. liar) Julian Assange attacked foreign computers and was found guilty in 24 cases of illegal hacking. In 2006 he founded the disclosure platform Wikileaks and distributed censored and confidential documents that are normally not or only partially accessible to the public. As a result of this work, Assange was arrested several times and sued unsuccessfully. Over the years, the Wikileaks founder has often been in conflict with the law; in April 2019, he was arrested by the London police and has since been in a high-security prison in the UK.

The motive matters

The digitalization, the Internet of Things and global networking are making it possible for hackers to carry out their mischief in larger areas of society, business and politics, even beyond national borders. The goals and motives behind the hackers’ activities are very different: Some strive for wealth, others want to cause political and economic change.
Hacktivists are cyber criminals who use their hacking skills to manipulate the systems of companies, governments or authorities out of political, religious or other ideological convictions. A well-known example is the Anonymous activist group. The group has been active against various organizations such as the NSA, the IS, and Scientology. Hacktivist actions are an example of what protests and rebellion could look like in the digitalized future. In July of this year, hacktivists invaded the servers of the Bulgarian tax authority NAP and stole records of some 5 million Bulgarian citizens and businesses. In an e-mail to the state media, the hackers demanded the release of political activist Julian Assange.
Professional criminal organizations are also taking advantage of digitalization and are increasingly outsourcing their illegal activities to networked environments. The danger posed by these groups is high, because they not only have many resources, but also the necessary criminal energy.
Hackers who work on behalf of governments are primarily targeting espionage, but manipulation and crippling of public services are also on their to-do list. The cyberattack on Iranian uranium centrifuges in 2010 was allegedly initiated by state actors. Microsoft reported in July that around 10,000 users were attacked within a year by hackers working for other governments. In contrast to private cybercriminals, it is easier for state-sponsored hackers to enter foreign networks because their resources are virtually unlimited.
Understanding a hacker’s motives can be extremely helpful for businesses. By identifying the attacker, possible attack scenarios can be identified in advance. For example, does a hacker “only” intend to enrich himself or is it a kind of attack that really damages a company? Politicians, authorities and business see a great threat from cyber espionage, critical infrastructures are subject to the growing risk of being sabotaged by cyberattacks.
Basically one thing can be said: The image of an outsider created by Hollywood fades. The result are highly differentiated groups that, as our world is becoming increasingly digital, are showing all sorts of facets of it – from good to evil, on their own or in a team, to harm others or for the common good.
The age of information: What makes your data so valuable?

The age of information: What makes your data so valuable?

Advertisements tailored to your needs, fast ordering and timely delivery of goods of all kinds, easy payment with just one click. The internet makes a lot of things possible and much more convenient for consumers. However, a return service is often expected: Your data.

Do you know where, what kind and how much personal data you have already disclosed? Often this involves your name, date of birth and contact details as well as your address, but also more sensitive information such as bank and credit card details. At least a handful of companies can use this information to identify you, and store it in their systems. You also indirectly divulge data about yourself: When you search online for the perfect gift for your partner, an Amazon book about Buddhism or the nearest ENT doctor,. you leave behind digital traces. Companies can display these and make suitable offers based on this data.

The combination of different information begins to produce a “clear” picture of you. What constitutes you, your personal data, but also values and interests, or wishes that develop from individual parts to form an overall picture – your identity. For a company that wants to know what you need, to win you as a customer, these details are the jackpot. They can identify you and address you specifically with their products … but your data is not only a valuable asset for companies – hackers also crave it.

Again and again, data heists of well-known companies adorn the headlines of various media outlets: Equifax, MasterCard, Marriott and the Cambridge Analytica scandal on Facebook, to name just a few. Often, the damage cannot even be quantified percisely. Although affected companies fight for their reputation and the continued existence of their customers, but what about the users’ side? What makes user data so valuable? How bad is it when you lose control over your data?

Data: The resource of the digital world

This metaphor is often encountered within this topic, and it paints a clear picture of the value of the data for companies, which has grown strongly in recent years. There is a reason that new occupational fields are emerging, which deal solely with the collection, analysis and processing of data: Big Data Scientist, Category Manager, Data Strategist or for example expert for artificial intelligence.

In a study on data protection, 85 percent of 1,000 IT decision-makers surveyed said that data was as valuable as means of payment for overcoming business challenges. 56 percent also said they used the analyzed information to determine demand.

According to a survey conducted by Foresight Factory on behalf of the GDMA, consumers are also aware of the contribution their data can make to the economy. A majority of 60 percent of the surveyed Germans assume that the more private the data is, the more a company could be expected to pay in return. Therefore a better service, discounts or free products are mentioned as possible services. However, the services offered are strongly adapted to the available user data: Android users, for example, pay less for Amazon purchases than iPhone users.

Gross or net? – Your data as merchandise

The business idea of some companies is based exclusively on the collection and analysis of user data. Take Google or Facebook, for example, which have many daily users. Both companies offer their services to consumers free of charge, and they earn their money primarily with advertising space. It should be possible to define these as precisely as possible, which requires a lot of data. Just a few clicks and likes on Facebook are enough to determine exactly what your preferences, interests, political views, intelligence and sexual orientation are.

At the beginning of the year Facebook made headlines with a current research project. The media company reportedly paid users between the ages of 13 and 35 up to 20 dollars a month to gain a very detailed insight into their smartphone activities. Activities such as chat conversations and visited websites. That brings us to the next question: How much is your data worth? Is $20 a month enough to reveal your identity?

The concrete value of your own data is hard to grasp. The Financial Times nevertheless tried to do this in 2013 and set up a calculator, which users can utilize to calculate a lump sum value for their data. The tool, which is based on US data, gives an idea of how the value can change due to certain information such as specific health data or family status. What is striking is that everything stays under one dollar.

The Equifax fine gives a completely different impression. In 2017, the US credit agency was the victim of a devastating data theft in which sensitive information was tapped by more than 140 million Americans. The company paid a fine of up to 700 million US dollars, part of which went to the victims of the hack by financing credit surveillance for all those affected. This was intended, for example, to monitor suspicious activities on the accounts.

Your data identity

The legislator has a very clear opinion about the value of personal data: Every person is individual and worthy of protection. Within the framework of the General Right of Personality, the Federal Republic of Germany has made a clear statement in Art. 2 (1) i. In conjunction with Article 1 (1) of the Basic Law, every person has been granted a right to informational self-determination. The purpose of this right is to determine for oneself the use and publication of one’s data. Building on this, the Basic Data Protection Ordinance entered into force in May 2018. Personal data of natural persons are the property worthy of protection. Information from companies or associations is therefore not included.

Personal data is data that identifies or makes identifiable a natural person, such as names and birth dates. An indirect link is sufficient, so that customer numbers or IP addresses also fall under this protection. In addition, there is data that the law classifies as particularly sensitive. These include religious and ideological beliefs, health information, genetic and biometric data. The DSGVO thus grants consumers even more comprehensive rights and imposes stricter requirements on companies that want to collect data. For example, the collection and storage of data must always be purpose-oriented, follow the principle of data minimisation and be protected against unauthorised access by third parties.

The Principle of Integrity and Confidentiality – Corporate Data Security

Personal data must be protected from access by unauthorized third parties by the respective companies. This includes unauthorized processing and the protection of data against damage and loss.

The Basic Data Protection Ordinance requires companies to ensure data protection, and prevent data loss through cyber-attacks. In the event of a violation, a much higher penalty threatens than at the time of the Federal Data Protection Act. Up to four percent of the worldwide annual turnover can be set as a penalty.

If a company becomes a victim of a cyber-attack, not only is the personal data of customers, employees and business partners at risk … but also company-related data such as confidential files and trade secrets are at stake. Although this data is not covered by the Basic Data Protection Regulation, comprehensive protection must also be provided here. Companies therefore have a double responsibility: they must protect their own data as well as that of customers, business partners and employees.

If a company becomes a victim of a cyber-attack, not only the personal data of customers, employees and business partners but also company-related data such as confidential files and trade secrets are at stake. Although this data is not covered by the Basic Data Protection Regulation, comprehensive protection must also be provided here. Companies therefore have a double responsibility: they must protect their own data as well as that of customers, business partners and employees.

There are many measures a company can take to protect itself and sensitive data from hackers. Within the framework of this risk management, one measure is the the encryption of data. Various encryption mechanisms can be used for transmission from sender to receiver or for data storage, such as end-to-end encryption for email communication. The stored or sent information is no longer transmitted as plain text but converted into a coded message that can only be read again with the appropriate key. Only those employees who are authorized to access it have the appropriate key. The risk of unauthorized access can thus be considerably minimized.

Recognize the value of your data

Data is a precious commodity in business life. Consumers are also becoming increasingly aware that data is being collected about them. This awareness is strengthened by the high level of transparency demanded of companies by the DSGVO. The protection of this data is another high priority for companies. But what the stored data is ultimately used for, what conclusions can be drawn from it and where all this data is collected at all will hardly be clear to anyone.

Diagnosis cyberattack: When hospitals become the target of cyberattacks

Diagnosis cyberattack: When hospitals become the target of cyberattacks

When the clinic’s computer becomes the target of cyber-criminals, human lives are at stake. The healthcare sector is becoming increasingly digitalized: Patient data is no longer stored in paper files, but on computers. Data from pacemakers and insulin pumps is transferred to smartphones via Wi-Fi. Many medical devices are connected to the internet. The increasing connectivity is causing more and more gateways for cyber-attacks, which can have fatal consequences. For example, if patient data is no longer accessible to nurses and doctors due to an IT failure, medication could be given incorrectly. Which dose of which medication does the patient receive at which time? An overdose can be life-threatening, especially with heart or diabetes medication. And there is also an immense danger in the OR: even a minimal manipulation of a medical device during an operation on a patient’s heart or brain can lead not only to irreversible damage, but also to death.

Network-enabled machines in medicine – a danger?

In the medical sector, digitalisation and networking play an increasingly important role – whether in the OR, in the laboratory, or in nursing care. For example, the DaVinci medical robot, is already being used in many US clinics and German hospitals for minimally invasive surgery. The surgeon controls the instruments from a control panel, and DaVinci’s robotic arms execute the hand movements.

Robots that help humans in the laboratory handle potentially dangerous substances and nanorobots that move through blood vessels to bring pharmaceutical substances to the required point in the body. The future of medical technology is promising, but also facing a constant danger: Because every IT system can be attacked if security is inadequate and represents a potential target for cyber criminals.

As early as 2015, security researchers found almost 70,000 medical devices with security breaches, including equipment for nuclear medicine, infusion devices, anaesthesia machines and imaging systems. The vulnerabilities are also found among cyber-criminals. In July this year, the German Red Cross in Saarland and Rheinland-Pfalz became victim of a Ransomware attack. The blackmail software encrypted databases and servers, thus shutting down the entire network of the GRC hospital. For security reasons, the servers were disconnected from the internet. However, the care of the patients was guaranteed at all times, patient admissions and medical reports were done with pen and paper. After a few days the servers of the GRC were put back into operation. Luckily, the data could be restored from a backup.

In the following year, the Neuss Clinic was targeted by hackers. An employee opened an infected attachment of a malicious email which downloaded a Blackmail Trojan onto the internal IT system, which spread across all of the hospital’s computers. Within a very short time, the employees of the highly digitized hospital in Neuss had to switch back to the analogue documentation methods.

Major security vulnerabilities in healthcare facilities

Security measures in hospitals and other health care facilities are less mature than in large companies. Everyday hospital life is busy, computers are often left unlocked when leaving the workplace, and there is hardly time for software updates. Outdated devices and systems are connected to each other through the Internet – security gaps arise in many places. The attack in Neuss shows that the main gateway to cyber-attacks is primarily via email. A lack of awareness among employees allows attacks with malicious attachments in emails to encrypt, copy or steal data. Hackers demand a ransom for decryption, usually in form of crypto currencies like Bitcoins. In the Neuss hospital case, the data could be restored thanks to a backup and no ransom was paid, but the systems still had to be shut down. Despite the backup, the cyber-attack cost the hospital around 1 million Euro.

How can hospitals protect themselves?

Cyber-attacks are no longer just a problem for large corporations in the industry, they belong to the world’s biggest threats, according to the World Economic Forum’s Global Risk Report 2019. In view of the global dangers of cyber-attacks, especially attacks on hospitals and other critical infrastructures, there is a great need for action to secure IT systems.

The problem: Cyber-criminals are using more and more perfidious approaches to smuggle in malware and other harmful programs. A simple anti-virus program is no longer enough to protect the entire company’s infrastructure. In-depth filter systems with sophisticated detection mechanisms, with which malicious emails can be detected at an early stage, form the basis for full protection.

To reduce the success rate of social engineering attacks such as CEO fraud or phishing, the hospital staff needs to learn more about the characteristics of malicious email through IT security training – that reduces the risk of an employee spreading malware and causing subsequent damage.

But the financial means to secure IT systems are limited. And the current legal situation also makes it difficult for hospitals to secure medical devices, because once they have been certified, they can no longer be changed – not even with software updates. Ultimately, digitalization offers more attack vectors for cyber criminals if security gaps are not considered. Although there has not been a targeted cyberattack on a hospital that has harmed a patient, appropriate and effective precautions must be taken to avoid this. The security of the IT infrastructure in hospitals must be given higher priority – because ultimately, any cyberattack on a healthcare facility can not only have financial but also health consequences.

Sources
Cybercrime – a global risk?

Cybercrime – a global risk?

Droughts, tidal waves, water crises and mass extinction of species – these are threats that endanger our way of life. But it is no longer just environmental disasters that have a terrifying impact on our existence. Cybercrime is a growing danger to national and global safety.

Cyber attacks are no longer an invisible threat: By 2021, experts estimate that companies worldwide will have to expect damage of up to 6 billion US dollars. The loss of image and monetary losses which companies have already suffered as a result of hacker attacks are tremendous. But what physical impact can cyberattacks have on public safety? What visible and noticeable damages can hackers cause by an attack?

According to the Global Risk Report 2019, for the third year in a row, cyber attacks are among the most severe global threats, along with weather extremes, the failure of climate protection and natural disasters. In addition, widespread cyberattacks and the collapse of critical infrastructures due to a cyber attack are considered to be the second most frequent danger in terms of probability and potential impact.

The stability of societies worldwide is no longer only influenced by natural disasters or terrorism; the effects of cyber attacks must also be taken into account in global security precautions. The focus of cybercriminals is no longer limited to large companies or private individuals in order to enrich themselves financially. Industries and critical infrastructures such as hospitals and other public utilities are increasingly targeted by cyber attacks. In 2010, the computer worm Stuxnet in the IT system of Iranian nuclear power plants caused irreparable damages to several uranium centrifuges. The attack is regarded as the first cyber-physical attack that caused immense defects to a military target.

When the electricity doesn’t flow: Attacks on public utilities

A study by the Ponemon Institute revealed that 90 percent of utilities in the United States, England, Germany, Australia, Mexico and Japan, and many more, were victims of at least one successful cyber attack. More than 700 security experts working in critical infrastructures were surveyed. The participants reported that about half of the attacks led to downtime in utility service.

The blogpost „Critical infrastructures – probably the most vulnerable point of a country“ already gave an insight about the devastating consequences of a cyber attack on public utilities. An attack that causes a blackout would lead, among other things, to the collapse of the traffic system and the failure of cooling systems. Especially in hospitals, the refrigeration of special vaccines or medicines is essential for their efficiency.

An attack on the Ukrainian power grid showed that hackers are quite capable of shutting down critical infrastructures: Shortly before Christmas 2015, cyber criminals took over the country’s infrastructure. An employee opened an email containing a malicious program that installed the malware “Black Energy” which eventually led to the failure of the supply systems. The result: 700,000 people had no electricity for about 24 hours.

Increasing number of attacks on the healthcare sector

In recent years, healthcare facilities have increasingly become the focus of cybercriminal activities. In 2016, hackers introduced a malicious program into the network of the Lukas Hospital in Neuss. The hospital had to switch back to the use of paper and pen. Radiotherapy for cancer patients had to be stopped and the emergency room had to be shut down.

In 2018, the Fürstenfeldbruck Clinic had to manage daily work without their computers for more than a week – due to a cyber attack. Only patients who were seriously injured or ill were taken to the hospital. In summer of 2019, several facilities of the German Red Cross were attacked.

These incidents show how vulnerable the IT systems of hospitals are. And what happens if cybercriminals exploit the vulnerabilities to infect medical devices with malware, for example?

The worst-case scenarios: If patient data is encrypted, nurses and doctors no longer have access to old files in which, for example, possible allergies to antibiotics and other drugs are noted. An allergic reaction or overdose can be fatal for a patient. But it is not only data that can be encrypted, stolen or manipulated by hackers. Today, various medical devices are connected to the Internet, including diagnostic imaging devices such as MRI and CT or infusion pumps and cardiac pacemakers. Manipulation of the devices during an operation on vital organs can cost lives.

Minor vulnerability, major impact

Our digital world connects our analogue lives with our online activities. The magnitude of attacks on the IT infrastructure of, for example, government or healthcare facilities can have a major impact on physical life. This is proven by the numerous examples mentioned. A growing number of cyber attacks, such as on critical infrastructures, which are being focused on more and more alongside companies, is definitely to be expected. However, currently it is unlikely that one of the worst-case scenarios described will actually occur. Nevertheless, it is essential to raise awareness of IT security and the risks of cyber attacks. Because even a small security gap can have serious consequences – which are now considered one of the greatest global threats along with the dangers of natural disasters.

Sources
It Can Wait Till Next Year…

It Can Wait Till Next Year…

How many times have you said that or heard that in the office environment? Probably more often than you care to admit. When that statement is made it usually applies to the costs associated with initiatives that sit on the budget bubble. These items or initiatives teeter on being shelved, usually as a result of a lack of enthusiasm or support. 

Regrettably, IT security has more commonly become an initiative that businesses discuss year-round but fail to act upon, instead waiting till next year to address the topic. That sense of urgency to act, to be proactive fails to be triggered, and most often it takes a devastating event such as a cyber-attack to force businesses to act.

Why the complacency?

Cyber-security is often seen as one of those big problems that only large corporations (i.e. banks, tech companies, governments) must worry about.  That only these larger entities have the resources, time and budget to address such initiatives come budget time. In fact, more people should be concerned with cyber-security at their workplaces, and not just the big corporations. It’s the smaller businesses, companies with less than 1000 employees (SMBs) that are at the greatest risk.  And, they are the greatest number of businesses in the US, which only increases the likelihood of being a target for a cyber-attack.

So, even though companies realize the inherent risk of being a target ripe for exploiting, there are a great number who shun enhancing their IT security in lieu of other projects and initiatives.  There also exists an increasing pool of SMB targets for cyber-criminals, more than at any time on history.  As a result, cyber-threats continue, becoming more sophisticated and developing new attack vectors into a businesses’ infrastructure and IT systems/applications.

“Wait till next year” wins again – and then there’s a cyber-attack

A phishing email is sent, malicious code deployed, and your businesses’ IT systems brought to a full stop.  Your IT perimeter has been breached, your data and applications hijacked. Everything is being held for ransom. What happened?

 

An employee tells the “IT person” they’re unable to unlock their laptop. They remember reading an email and clicking on a link that supposedly led to an invoice marked “PAY TODAY“. Then, all went blank on the screen.

The IT staff are responding but unable to react quick enough. Your IT systems are completely shut down, inaccessible, held for ransom. Productivity has slowed to a snail’s pace and the increased effort leads to increased costs. The public now finds out about the successful attack or breach, your company’s reputation now takes a hit.

Then, your customers and vendors are affected by the breach.  Cyber-attackers have found their way into your financial information and then your customer’s/vendor’s financial/transactional data. And that’s how it starts.

Cyber-criminals knock on as many doors as possible, they assume you’re one of those small- to medium-sized businesses who’s “waiting till next year” to address their emailweb and data security. 

Cyber-criminals thrive because of the lack of on-going IT security initiatives this year, not next year.  Cyber-criminals look for any open door, any weak spot.  They simply won’t stop.  They’re developing new threats, sophisticated threats that learn from their mistakes utilizing AI and machine learning. 

These new, cultured threats only exacerbate the problem and relish in our laziness. 

Here are just a few statistics published on hackmageddon.com that demonstrate the stark reality of today’s malware cyber threats:

 

  • 155 events in April 2019, a 10% increase compared with March, when this number was 141
  • Top Three Attack Motivations – In April, Cyber Crime ranked #1 with a slight increase (81.9%) compared to 79.4% recorded in March 2019. Cyber Espionage was 14.2% and Cyberwarfare dropped to 2.6% (from 4% in March 2019)
  • Top Three Attack Methods in April 2019 – Ransomware, Account Hijacking and Targeted Attacks

There is also the Top 10 Malware Activity to consider, published by cisecurity.org it accurately portrays the collection of dangerous malware variants that led to more than half of all malware notifications sent in January of 2019:

 

The MS-ISAC Top 10 Malware

    1. Emotet
    2. WannaCry
    3. Kovter
    4. ZueS
    5. Dridex
    6. IcedID
    7. Gh0st
    8. Mirai
    9. NanoCore
    10. Pushdo

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

So, we understand there’s a constant threat. Malware and ransomware are working harder than ever to get inside your IT security perimeter. We also realize the threat is getting smarter, banking on our vast gullibility to make a mistake. That mistake may likely come in the form of a dismissive delay, a “wait till next year” mentality.  But be forewarned, stifle being (pro)active about your IT security for yet another year and the results could be disastrous.

 

Why assume that risk for yet another year?

 

One misstep, like the urgency over an invoice attached to an innocuous email could open the door for a cyber-criminal. Now repeat that a million, gazillion times. Because that’s how often business gets done over email.  As of 2018, there are about 124.5 billion business emails sent each day, the average office worker receives 121 emails per day. Add in the growing number of SMBs in the US market alone. That’s one appetizing bowl of fresh meat for any cyber-criminal.

So, what can SMBs do to reduce the risk of cyber-crime?

Start a conversation about your needs and then, act. First and foremost, uncover where you are vulnerable in relation to your IT security.  Listen to experts in your field who are well-trained and certified/accredited to provide the right IT security solutions.

 

These things involve time, but I can assure you that talking about your IT security and beginning to act is far better than delaying it till next year. Those few initial steps are crucial; it means you are acting and simply not reacting to a potential cyber-related event at your SMB.  It displays you’re being proactive about your businesses’ defenses, data and e-communications.

Critical infrastructures – probably the most vulnerable point of a country

Critical infrastructures – probably the most vulnerable point of a country

What happens when there’s no more electricity? Food and essential medicines can no longer be cooled, life-supporting appliances in hospitals fail, the lights go out and the streets sink into chaos. A scenario that seems unimaginable. But the danger exists. Cyber-criminals are increasingly targeting vulnerable facilities that form the basis for the common good – critical infrastructures.

The president of the german Federal Office for Information Security Arne Schönbohm also sees operators of national water and power plants or, for example, the pharmaceutical industry increasing in the focus of professionalized cyber-attacks. Why? Manipulation of operating procedures in these economic sectors could put the population at risk. Protective measures for internal IT should have a high priority.

In the following, we will take a look at the critical infrastructures and give an outlook on the enormous consequences of a cyber-attack on these sensitive organizations.

A critical matter

Critical infrastructures include organizations or institutions that play an important role for the state community. They provide services or products that consumers and businesses depend on. These include facilities in energy sectors, IT and telecommunications, health, water, nutrition, transport, finance and insurance, government and administration, as well as media and culture.

Critical infrastructures are considered particularly sensitive regarding their IT infrastructure, which is why the government wants to protect them especially with the IT security law that came into force in July 2015. Operators must report faults in their IT systems and allow them to be checked regularly. The aforementioned sensitivity of the systems resulted from the fact that most of them were developed in the distant past. IT security aspects were not considered from the outset, but physical security aspects, such as the construction of highly complex fencing systems and the provision of security personnel, were initially pursued.

Another reason for this was the separation of IT systems from Internet access. However, digitization has not simply passed by. It has led to considerable changes in recent years. For example in modern industrial companies many machines, devices, and employees are now connected to the Internet. There are many advantages that arise within the networking, but there are also disadvantages that are significant: Critical infrastructures are thus even more vulnerable to cyber attacks.

Danger of a total Blackout

The extent of a cyber attack on critical infrastructures shows an unprecedented attack on Ukraine’s electricity grid in 2015. Hackers paralyzed the entire electricity supply. Households remained in the dark for hours, hospitals had to access emergency power generators. The hacker attack was allegedly carried out by state actors who sabotaged the country’s power supply with the help of the malware ‘Industroyer’. In 2017, a Saudi Arabian power plant fell victim to hackers. The aim of the attack was probably to destroy the plant.

The attack was discovered purely by chance. In this way, worse things could be prevented. According to media reports, the attack took place via a security system that is used worldwide in oil and gas power plants as well as in nuclear power plants – also in Germany. The Triton code used in the attack was published on the Internet shortly afterwards. This created the basis for further attacks by experienced hackers. According to their own statements, security researchers were able to locate another attack with the Triton code in April 2019. However, it remains unclear when the attack took place and which system was in focus. During their investigations, the researchers came to the conclusion that the attackers wanted to cause physical damage. This would also suggest that further operators of critical infrastructures were being targeted. For this reason, the researchers have made details of the detected malware public in order to support IT managers in detecting and preventing it.

Past events are worrying. But a good sign is the increasing awareness of IT security within critical infrastructures. For example disaster control has praised the growing IT security.

The worst case: cyber attack on operators of critical infrastructur

However, this does not mean that the topic is off the table for a long time, but rather that it is intended to sensitize people to the further establishment of security measures. What if this was the case? We are starting from the worst case scenario: A cyber attack turns the power off in Germany. According to Schönbohm, the network and energy supply is an attractive target for paralysing an entire country. According to this, extensive supply bottlenecks would arise in the event of a longer and larger power outage. This also raises concerns in the field of disaster control. Let us take a closer look at a possible attack scenario

The cyberkillchain

An attack extends over a total of seven steps, which are combined in a so-called Cyberkillchain. The concept of the attack chain has its orign in the military and was transferred to the IT sector.

An attack of a ransomware expires in the following steps:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on objective

Reconnaissance: Identification of the target

There are basically two types of attacks: targeted and mass attacks. Killchain is mainly about targeted attacks. First, the target is chosen. As much information as possible is collected to find out how the company is set up and if there are gaps that could be used for intrusion. In focus, are usually employees that share a lot of information about themselves: contact details, job titles, holiday plans and more. Once the right vulnerability has been found, the next step is taken.

Weaponization: Preparing the attack

The attacker selects a suitable tool depending on the desired goal and the planned procedure – if possible it should be perfidious. Often an encryption trojan is the best solution, which keeps itself covered at first and collects further information. Many of these codes are freely available in darknet.

Delivery: first steps to execute the attack

In this phase the criminal has to choose a distribution channel. The criminal can use a CD-ROM, an USB-stick, or the classic email. Particularly popular are phishing e-mails that either link to a malicious website or contain an infected document that the recipient is supposed to open. The advantage of the phishing method takes us directly to the next step.

Exploitation: Detection of security vulnerabilities

The lack of awareness of employees is a popular incidence vector. Keyword “social engineering”: Phishing, CEO fraud, or whaling are used to exploit the uncertainty and ignorance of employees to get into the system. But also open attack surfaces can lie in technology, such as unpatched security holes in programs used throughout the company.

Installation: Implementation of a backdoor

Logically, no pop-up will appear once the malware has been installed. The installation runs hidden and without the knowledge of the user. The malware nests and waits for its big moment.

Command & Control: Remote control of the target system

To keep control of the malware, the remote desktop protocol can be used for remote access. Remote control is essential to achieve the actual goal. It is now even possible to use artificial intelligence so that the malware can perform self-learning actions, such as reloading other malware or spying on personal data.

Actions on objective: Achievement of objectives

The great moment has come, and the attacker can make his action concrete after the complete infiltration of the system. In our case the power supply is switched off. It can take several years until the malware is executed or detected.

From the killchain it becomes clear that the prevention and defense against sophisticated cyber-attacks is only possible with special tools and a strong and regular sensitization of employees. These include services that can detect perfidious and complicated malware such as advanced persistent threats with special analysis engines, freezing and sandboxing.

The fact is, that cyber-attacks will continue to increase and protection measures must be taken at an early stage.

In summary, cyber-attacks on critical infrastructures can pose a threat to national security. An attack on the energy network or the water supply can have consequences that could not only result in financial losses, but could also completely change life as we know it.