The information security and cybersecurity threat landscapes are always changing. Threat actors are becoming more sophisticated and threat surfaces are expanding. Exploitable gaps in new technologies are increasing and cybercrime business models are also growing. Added to this mix are the fragile geopolitical situation in many parts of the world, a tightening global economy and simple opportunism. Here are three new and emerging cyber threats to know about, monitor and guard against:
Geopolitics
Geopolitics describes how politics, geography, demography and economics affect foreign policy and the relationships between countries. Recent wars and civil wars, the 2007/2008 global financial crisis, the Covid-19 Coronavirus pandemic, and the effects of climate change have reshaped the competition for global resources and created new political and economic alliances. Some countries are increasingly active in offensive cyberattacks and information security breaches to advance their political and economic goals. Russia, Belarus, North Korea, Iran and China have been identified as countries involved in sophisticated cybersecurity operations, many aimed at critical national infrastructure targets. Most countries have defensive cybersecurity capabilities. Hacktivism has also grown, some political, some environmental and some related to cybercrime and money laundering.
For many companies and organisations, the threat landscape has become complex and sophisticated. There is a need to grow threat intelligence capabilities, monitor key geopolitical events and understand that cyberattacks are not always targeted at their operations specifically, but often cause knock-on effects. Cyberattacks can affect businesses and organisations because they are part of a targeted supply chain, are based in a particular country, use certain IT services, supply critical infrastructure services or trade with certain foreign states.
Deep Fakes
A deep fake is media such as images, videos, or audio recordings that have been recreated or altered by manipulating a person’s appearance, actions or voice using artificial intelligence techniques such as deep learning. Some deep fakes have shown politicians, business leaders and celebrities saying and doing things they would not normally do. Deep fakes may be used to initiate state-related espionage, cybercrime, sophisticated social engineering or traditional crimes like blackmail and extortion. Companies and organisations should educate themselves, develop techniques to spot deep fakes and identify the most likely sources. They should also use technologies to limit their impact and report incidents to national cyber security bodies or CERTs, so that trends can be monitored and high-level responses and best practices can be developed.
Vishing (Voice Phishing)
Vishing uses fraudulent phone numbers, voice-altering software, text messages, and social engineering to trick users into divulging sensitive information. Vishing generally uses voice data to trick users. Smishing is a related form of phishing that uses SMS text messages to trick users. Smishing can be used alongside voice calls, depending on the attacker’s preferences and objectives. Businesses and organisations should control and monitor the use of voice data, especially among senior officials. Public disclosures of voice data should be kept to a minimum and 2-factor authentication techniques should be used to avoid impersonation, social engineering, fraud and identity theft.
Conclusion
Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Data Protection Officers (DPOs), Chief Privacy Officers (CPOs), Chief Data Officers (CDOs) and Senior Leaders should ensure that they receive detailed and diverse sources of threat intelligence. They should aim to understand evolving analysis and attack-pattern information that they receive. Leaders should try to share information with trusted parties and partners to build resilience and reduce the risks and impacts of cyberattacks. Businesses and organisations should update their cybersecurity insurance policies to make sure that they are sufficiently covered for new and emerging cyberattacks. Above all, leaders should be continuously learning and display high levels of curiosity and analysis.
For help, advice, consulting and strategy support services, data protection reviews, GDPR gap analysis, cybersecurity policies and procedures and access to our data breach response services, contact PrivacySolved:
London +44 207 175 9771
Dublin +353 1 960 9370
Email: contact@privacysolved.com
PS082022
Briefing
Ransomware is malicious software, or malware, that stops organisations and computer users from accessing their computer files, systems and networks. This is accompanied by a demand for a financial ransom payment to restore access to systems, decrypt databases or return data. Ransomware attacks can cause significant disruption to IT operations. Critical business information and personal data can be lost. Ransomware can be introduced to a computer or system when users accidentally download it by opening an email attachment, clicking an advertisement, clicking on a hyperlink or visiting a website that has been deliberately infected with malware. Globally, across all sectors, these attacks have increased in scope, frequency, sophistication and the levels of financial payments demanded. Ransomware is now a major component of global cybercrime. Combatting these cyberattacks can be complex, even for the largest businesses and organisations.
A Sophos poll of 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East and Africa found startling results. The total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 USD in 2020 to $1.85 million USD in 2021. The average ransom paid is $170,404 USD. Only 8% of organisations managed to get back all their data after paying a ransom, with 29% getting back no more than half of their data.
Here are five steps that all businesses and organisations can take to improve their resilience, their offensive capabilities and their defensive success:
1. Strategic, Systematic and Regular Backups
Ransomware should be treated as a strategic and existential threat. An attack should be regarded as inevitable. Organisations should create backups to build resilience. These are crucial for recovering data after an attack. The industry-standard approach is called 3:2:1: three sets of backups, using two different media, one of which must be kept offline. Backups should be scheduled to run regularly.
2. Prevent Malware from being Delivered and Running on Systems
Businesses and organisations can reduce the malware and ransomware reaching their devices by filtering to only allow file types that they expect to receive, and by blocking known malicious websites. Content can be actively inspected, and signatures can be used to block known malicious code. Network services are used to fulfil these tasks and tools include intercepting proxies, internet security gateways, safe browsing lists and mail and spam filtering. Disabling Remote Desktop Protocol (RDP) if it is not needed, enabling Multi-Factor Authentication (MFA) at all remote access points into the network and using a secure Virtual Private Network (VPN) can provide effective responses to the most modern ransomware deployment practices.
A defence in depth approach should be in place. This assumes that malware will reach your devices. Businesses should take steps to prevent malware from running by using device-level security features. Organisations should centrally manage devices to only permit applications trusted by the enterprise to run on devices and use up-to-date enterprise antivirus or anti-malware products. Scripting environments and macros should be disabled or restricted by enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy. Also, systems can be protected from malicious Microsoft Office macros and autorun for mounted (activated) media can be disabled.
To avoid attackers forcing their malicious code to execute by exploiting vulnerabilities in devices, these must be well configured and kept up to date. Security updates should be installed as soon as they become available to fix exploitable bugs, and automatic updates should be enabled for operating systems, applications and firmware (where possible). Using the latest versions of operating systems and applications, to access the latest security features, is advisable. Host-based and network firewalls should be configured to block inbound connections by default.
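Step 2 names several host-level controls that can be verified rather than assumed. The following PowerShell script is an added example, not code from the PrivacySolved briefing: it performs a read-only check of four of those controls on a single Windows host (RDP switched off, host firewall blocking inbound by default on every profile, PowerShell running in Constrained Language mode, and Windows Update not disabled) and reports a pass/fail row for each. The function name is an assumption; the registry keys, cmdlets and service name are standard Windows ones.

```powershell
# Added example, not code from the PrivacySolved briefing. Read-only posture check of the
# step 2 controls on one Windows host. Run from an elevated Windows PowerShell 5.1 (or later)
# session on the host being audited.

function Get-HostHardeningPosture {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Remote Desktop. fDenyTSConnections = 1 means incoming RDP connections are refused.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Control = 'RDP disabled unless needed'
        Pass    = ($null -ne $ts -and $ts.fDenyTSConnections -eq 1)
        Detail  = "fDenyTSConnections = $($ts.fDenyTSConnections)"
    }

    # 2. Host firewall. Every profile must be on and must block inbound connections by default.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        $findings += [pscustomobject]@{
            Control = "Firewall profile '$($fwProfile.Name)' enabled, inbound default Block"
            Pass    = ($fwProfile.Enabled -eq 'True' -and $fwProfile.DefaultInboundAction -eq 'Block')
            Detail  = "Enabled = $($fwProfile.Enabled); DefaultInboundAction = $($fwProfile.DefaultInboundAction)"
        }
    }

    # 3. PowerShell language mode. A UMCI (WDAC) policy that restricts scripting shows up here
    #    as ConstrainedLanguage; FullLanguage means unrestricted scripting for this user.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $findings += [pscustomobject]@{
        Control = 'PowerShell Constrained Language mode enforced'
        Pass    = ($mode -eq 'ConstrainedLanguage')
        Detail  = "LanguageMode = $mode"
    }

    # 4. Windows Update. The service must not be disabled and the NoAutoUpdate policy must not be set.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $auPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                                 -Name NoAutoUpdate -ErrorAction SilentlyContinue
    $autoUpdatesOff = ($null -ne $auPolicy -and $auPolicy.NoAutoUpdate -eq 1)
    $findings += [pscustomobject]@{
        Control = 'Automatic updates enabled'
        Pass    = ($null -ne $wu -and $wu.StartType -ne 'Disabled' -and -not $autoUpdatesOff)
        Detail  = "wuauserv StartType = $($wu.StartType); NoAutoUpdate policy = $($auPolicy.NoAutoUpdate)"
    }

    return $findings
}

# Usage: print the table and exit non-zero if any control fails, so the check can run from a scheduler
# or a configuration-compliance job and be alerted on.
$posture = Get-HostHardeningPosture
$posture | Format-Table -AutoSize
if ($posture | Where-Object { -not $_.Pass }) { exit 1 }
```

The check reads registry values and cmdlet output only and changes nothing; a failing row is the prompt to apply the corresponding control through the organisation's normal change process (Group Policy, WDAC policy or firewall baseline), not a reason to edit the registry by hand on each host.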
3. If Attacked: To Pay, or Not to Pay the Ransom?
A wide range of law enforcement agencies around the world discourage the payment of ransom demands. However, sometimes payments must be made as a pragmatic response and to aid business continuity. At all times, organisations must avoid committing a criminal offence by sending payments to sanctioned individuals, entities or organisations or those involved in money laundering. Companies should liaise with their insurers, lawyers and risk professionals. Even after payments are made, confidential personal data could still be published online, breaching data protection and global privacy laws. There is no guarantee that organisations will regain access to their data, computer systems or networks. An IT system may still be infected long after the ransomware attack. Repairing, recovering and remediating the systems can be expensive and take many weeks or months.
4. Train Staff and Prepare for Incidents
Businesses and organisations should develop a corporate training strategy, on a rolling basis, that is updated to include the latest developments in malware, ransomware and information security threats. Different types of staff will need varying depths of training and awareness.
Organisations should identify their critical assets and determine the impact if these were affected by a malware attack. This is a very important preparatory step. Preparation also includes developing an internal and external communication strategy (including any impacts from collateral third-party malware not intended for the organisation). Incident management plans should be rehearsed and reviewed. This helps to clarify the roles and responsibilities of staff and third parties, and to prioritise system recovery. War-games and hackathons, conducted under pressure, should be included: rebuilding virtual environments, servers and files, rebuilding physical servers, and restoring from offline backups. Developing a plan to continue to operate critical business services, or a minimum viable service or product, is also essential.
5. Report and Share Intelligence
There are legal obligations to report certain cyberattacks and data breaches to personal data regulators, governments, information services regulators, financial services regulators and market regulators. These reports should be made quickly, to receive help and to reduce liability. There is a growing drive to voluntarily report ransomware to government agencies and law enforcement. This should be considered because they may hold information that could be useful for the organisation’s response. Reports also help them to better understand the level of the threat and to deploy offensive and defensive capabilities to protect a sector or group of companies. The most difficult and controversial decision will be whether to report ransomware attacks to sector groups, fellow businesses and potential competitors. This is increasingly being encouraged, but will rely heavily on mutual trust, non-disclosure agreements and clear memorandums of understanding to protect each party. The more information and intelligence about ransomware that can be collected and skilfully used, the lower the impacts and costs of ransomware will be.
For assistance with Personal Data Breach Response, Ransomware, Cybersecurity Strategy or Information Security Training, contact PrivacySolved:
PS112021
Briefing
Information security is vital for economic security, innovation and business continuity. Cybersecurity is becoming a high-impact board and senior leadership issue. Digital transformation efforts and cloud service adoption increase the reliance of business-critical functions on digital infrastructures. Malicious actors seek to exploit human and technical vulnerabilities, for profit. Increasingly, data breaches and cybersecurity incidents affect all parts of organisations, their value chains and supply chains. The human element, seen in employee errors, phishing and social engineering, is a significant weak point in the fight for information security resilience. Now that boards are increasingly paying attention, their priorities, strategies and actions are crucial for sustainable impact and success. Priorities should be risk based, context-rich, applied in a multi-disciplinary way across the organisation and based on proactive analysis.
The Increasing Problem of Ransomware
The information security landscape is changing rapidly, but key indicators and trends can be identified and monitored. The Verizon Data Breach Investigations Report 2021 reported that 85% of data breach incidents involved the human element, 36% involved phishing and 10% included ransomware (the latter is double the rate of the previous year). The median breach cost per incident is $21,659 (USD), but most organisations can expect their costs to rise to $650,000 (USD) for large incidents. The UK Cyber Security Breaches Survey 2021 found that 39% of businesses and more than a quarter of charities (26%) report having had cyber security breaches or attacks in the previous 12 months. Of the organisations that have suffered breaches or attacks, around a quarter (27% of these businesses and 23% of these charities) experience these at least once a week. Phishing is the most common method for cyberattacks. Among the 39% identifying breaches or attacks, 83% had phishing attacks, 27% were impersonated and 13% had malware (including ransomware). Of those who suffered breaches or attacks, 21% of businesses and 18% of charities lost money, data or other assets. Of all the organisations surveyed, 43% have cyber insurance cover in place, a rise from 32% in the previous year.
Ransomware is a form of malicious software, or malware, that prevents organisations and computer users from accessing their computer files, systems, or networks, with a demand that a financial ransom is paid to restore system access or for data to be returned. Cyber attackers often demand that ransom payments are made in cryptocurrencies, which are hard to trace. Ransomware attacks can cause significant disruption to IT operations and the loss of critical business information and personal data. Ransomware can be introduced to a computer or system when users accidentally download it by opening an email attachment, clicking an advertisement, clicking on a hyperlink or visiting a website that has been deliberately infected with malware.
Ransomware can be introduced to an IT system by phishing or spear phishing emails, which aim to appear legitimate to users who open and click on infected hyperlinks. These emails may also enter a system as unwanted spam, hoping that an unwitting user will unknowingly click on the link. Highly targeted campaigns, using social engineering, aim to target high profile and senior figures in companies and organisations in order to access the most sensitive information and have the most impact because of the high levels of trust the senior user enjoys internally. Ransomware can also be introduced using Remote Desktop Protocol (RDP) vulnerabilities (after gaining user access credentials) and by exploiting software vulnerabilities. Malware and ransomware are pernicious and can ensnare a wide range of individuals. As a result, board awareness, continuous staff training and vigilance are crucial.
Ransomware is at the frontline of global cybercrime. Companies and organisations have been warned that these tactics can be used by rogue states and by hackers to avoid international sanctions, for money laundering, for terrorist financing, for illegal drug trafficking or for modern slavery. The effect of ransomware attacks can also be technically devastating to IT systems and to an organisation’s critical data. Services can be stopped, IT systems can be destroyed, data disclosed on the dark web, confidential information published freely online and data permanently deleted. Ransomware can be an existential threat to a company’s reputation and to the future commercial viability of businesses and organisations. Several organisations and governments have adopted official policies of not paying ransom demands and not engaging with ransomware gangs. Paying a ransom does not guarantee that stolen data will be returned or that IT systems will be repaired. Of all the persistent cybersecurity threats and risks, it is ransomware that creates the most uncomfortable and unforgiving catch-22.
The Cybersecurity Insurance Puzzle
Cybersecurity insurance is important for good governance, financial resilience and business continuity. However, many businesses and organisations are under insured against modern cybersecurity threats and risks. Some companies and organisations rely on the information security coverage in their general business insurance policies. These protections are often narrow and can be excluded when claims are made after information security incidents and cyberattacks. Some companies and organisations have specific cybersecurity insurance policies, but these can be poorly underwritten and are not future proofed to cover modern and evolving threats and risks.
When information security claims are made, companies and organisations could find that their claim is rejected, or that the payments received do not meet the true costs of the claim. Boards and senior leaders need to realistically assess their organisations’ standing and take strategic decisions as to the optimal range of insurance coverage. Organisations should learn about the cyber insurance market for their industry and sector and balance this against their business, regulatory and financial needs. A company’s or organisation’s supply chain should also be regularly audited for information security compliance and adequate insurance cover.
Increasingly, general insurers and cyber insurers are refusing to pay the ransoms demanded by ransomware attackers. This is because these activities often contradict their corporate values or may be illegal if the ransom is linked to terrorism, money laundering, illegal trafficking or breach international sanctions. These insurers also understand that paying ransoms can incentivize criminality and create greater information security risks due to increased sophisticated cyberattacks. Paying ransoms is always very risky because it involves dealing with those involved in illegal or unethical activity. The risk-reward calculations often reveal significant risks.
Board and Leadership Priorities and Solutions
Boards and Senior Leadership should adopt a “whole organisation” and multi-disciplinary approach to resourcing and empowering their internal teams, partners and supply chains to:
i. Improve and extend cybersecurity strategies to include a cybersecurity insurance strategy as part of financial governance arrangements with Chief Financial Officers or the heads of finance in smaller organisations. This work should be done in conjunction with the Chief Information Officer, Chief Information Security (Risk) Officer or Head of Security in smaller organisations. This group of stakeholders should also include the General Counsel, the organisation’s lead lawyer or the compliance lead in smaller organisations. Human Resources leaders and external specialist advisors should also be included or consulted to strengthen internal resources.
ii. Develop internal expertise about emerging cybersecurity threats and risks. Board and leadership teams should receive summaries of specialist reports and then update their strategies to reflect the changes to the cybersecurity landscape, new business models and the cyber insurance market. This should not be treated as an IT-only issue.
iii. Include insights from work on international sanctions compliance, export controls, international cybercrime trends, anti-money laundering standards, blockchain strategy and cryptocurrency financial controls into the cybersecurity strategy and ransomware policies and procedures. This will apply most to complex global businesses and organisations.
iv. Refine and clarify the personal data breach and personally identifiable information (PII) compromise response procedures to specifically reference the nature of ransomware attacks. This will include legal duties to notify data protection and data privacy regulators, informing individuals affected, liaising with cyber insurance providers, informing enforcement authorities and the police, dealing with ransom groups and establishing a team of first responders. Compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), other national laws and sectoral laws is also vital. Fines and financial penalties for data breaches could be 2-4% of global turnover, in addition to the financial impacts of the ransomware attack.
v. Improve information classification and data management by categorising data according to its value to the company or organisation and establish physical and logical separation of networks and data for different organisational units. For example, high value research and development or business data could be deliberately held on a separate server and network segment from the organisation’s email environment. Virtualised environments could be used to execute operating system environments or specific programmes.
vi. Improve information security awareness and training for all levels of the company or organisation. Ransomware often targets end users and so employees should be told about the threat of ransomware, how it is delivered, ways to identify it and how to report likely malware. Training should also include key cybersecurity definitions, principles and techniques.
vii. Increase information security hygiene and resilience activities by regularly backing up data and verifying its integrity. This includes ensuring that backups are not connected to the computers and networks that they are backing up. For example, these could be physically stored offline. Backups are vital in ransomware resilience efforts. After a ransomware attack, if computer systems are infected, backups may be the best way to recover business-critical data. Backups are very important for recovery, business continuity and ransomware mitigation.
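Item vii asks for backups whose integrity is verified, not just taken. The PowerShell below is an added example, not code from the PrivacySolved briefing: it records a SHA-256 hash for every file in a backup set when the backup is written and later re-checks the offline copy against that manifest, reporting files that are missing, modified or unexpectedly present. The function names and the `E:\Backups\...` paths in the usage lines are placeholders.

```powershell
# Added example, not code from the PrivacySolved briefing. Integrity manifest for a backup set:
# hash every file when the backup is made, keep the manifest with (and ideally apart from) the
# offline copy, and re-verify before relying on that copy for recovery.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Resolve-Path -Path $BackupRoot).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Length       = $_.Length
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-BackupManifest {
    # Emits one object per problem: Missing (in manifest, not on disk), Modified (hash differs)
    # or Extra (on disk, not in manifest). No output means the backup set matches the manifest.
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Resolve-Path -Path $BackupRoot).Path.TrimEnd('\')

    $expected = @{}
    foreach ($row in Import-Csv -Path $ManifestPath) { $expected[$row.RelativePath] = $row }

    $seen = @{}
    foreach ($file in Get-ChildItem -Path $root -Recurse -File) {
        $rel = $file.FullName.Substring($root.Length).TrimStart('\')
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Extra'; RelativePath = $rel }
            continue
        }
        $actual = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$rel].Sha256) {
            [pscustomobject]@{ Status = 'Modified'; RelativePath = $rel }
        }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Missing'; RelativePath = $rel }
        }
    }
}

# Usage (placeholder paths): build the manifest when the backup is written, then verify the
# offline copy before a restore drill or a real recovery.
# New-BackupManifest  -BackupRoot 'E:\Backups\2021-11' -ManifestPath 'E:\Backups\2021-11.manifest.csv'
# Test-BackupManifest -BackupRoot 'E:\Backups\2021-11' -ManifestPath 'E:\Backups\2021-11.manifest.csv' |
#     Format-Table -AutoSize
```

A manifest stored on the same media as the data it describes can be rewritten together with that data, so keep a copy of the manifest on separate media (or sign it) and treat a clean verification as a precondition for, not a replacement of, a periodic test restore.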
viii. Systematically and regularly patch operating systems, software and firmware on all devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier by using a centralised patch management system. Anti-virus and anti-malware solutions should be set to update automatically, and regular scans should take place. Another solution is to disable macro scripts in Office files transmitted via email. For example, Office Viewer software could be used to open Microsoft Office files transmitted via email instead of the full Office Suite applications.
ix. Set up application whitelisting to only allow systems to execute programs that are known and permitted by security policy. It is also useful to implement software restriction policies or other controls to prevent the execution of programs from common ransomware locations, such as the temporary folders used by popular internet browsers and by compression and decompression programmes, including those located in the AppData or LocalAppData folders. Other solutions include applying best practices for RDP use, including auditing networks for systems using RDP, closing unused RDP ports, applying two-factor authentication where possible and logging RDP login attempts.
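The RDP practices in item ix (knowing which systems expose RDP and logging login attempts) can be checked from the host's own sockets and Security log. The PowerShell below is an added example, not code from the PrivacySolved briefing: one function lists the sockets bound to the RDP port with their owning process, one extracts RDP logons from Security events 4624 (success) and 4625 (failure), and one groups failures by source address as a simple detection rule. The function names, the 24-hour window and the failure threshold of 10 are assumptions to be tuned to the environment.

```powershell
# Added example, not code from the PrivacySolved briefing. Read-only RDP exposure and logon
# audit for one Windows host. Run elevated on Windows PowerShell 5.1 or later; reading the
# Security log requires administrator rights, and logon auditing must be enabled for 4624/4625.

function Get-RdpListeners {
    # Sockets bound to the RDP port (3389 unless the host uses a non-default port).
    param([int]$Port = 3389)
    Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            RemoteAddress = $_.RemoteAddress
            State         = $_.State
            Process       = $procName
            ProcessId     = $_.OwningProcess
        }
    }
}

function Get-RdpLogonEvents {
    # Successful (4624) and failed (4625) RDP logons in the last $Hours hours.
    # LogonType 10 is RemoteInteractive. With Network Level Authentication enabled, a rejected
    # RDP logon is commonly recorded as a 4625 with LogonType 3, so type 3 failures are kept too.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type  = $data['LogonType']
        $isRdp = ($type -eq '10') -or ($_.Id -eq 4625 -and $type -eq '3')
        if (-not $isRdp) { return }   # 'return' inside ForEach-Object skips this event only
        $outcome = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Outcome   = $outcome
            LogonType = $type
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source    = $data['IpAddress']
        }
    }
}

function Get-RdpFailureBursts {
    # Source addresses with at least $Threshold failed logons in the window. A simple
    # detection rule for password guessing; tune the threshold to the environment.
    param([int]$Hours = 24, [int]$Threshold = 10)
    Get-RdpLogonEvents -Hours $Hours |
        Where-Object { $_.Outcome -eq 'Failure' -and $_.Source -and $_.Source -ne '-' } |
        Group-Object -Property Source |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
}

# Usage
Get-RdpListeners                               | Format-Table -AutoSize
Get-RdpLogonEvents -Hours 24                   | Format-Table -AutoSize
Get-RdpFailureBursts -Hours 24 -Threshold 10   | Format-Table -AutoSize
```

A host with no RDP listener and no RDP logon events is the expected result where RDP has been disabled as item ix advises; where RDP is needed, the same output feeds central logging so that failure bursts are alerted on rather than discovered after the fact.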
x. Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Least privilege should influence how access controls are configured. Requiring user interaction for end-user applications communicating with websites uncategorised by the network proxy or firewall is also helpful. For example, users can be required to type information or enter a password when their system communicates with a website that is uncategorised by the proxy or firewall.
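The least-privilege rule in item x is easiest to enforce when over-broad grants can be found mechanically. The PowerShell below is an added example, not code from the PrivacySolved briefing: it lists the non-administrative SMB shares on a host and reports any case where a broad principal (Everyone, BUILTIN\Users or Authenticated Users by default) holds write rights, either at the share level or in the NTFS ACL of the share path. The function name and the default list of broad principals are assumptions; the list should be extended with the organisation's own wide domain groups.

```powershell
# Added example, not code from the PrivacySolved briefing. Read-only audit of SMB shares on
# this host for write access granted to broad groups, at the share layer and the NTFS layer.
# Run elevated on Windows PowerShell 5.1 or later on the file server being audited.

function Get-OverbroadShareAccess {
    param(
        # Principals whose write access almost always signals over-permissioning.
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    # Any of these NTFS rights lets the holder change or destroy data; Modify and FullControl
    # include Write and Delete, so they are caught by the same mask.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special -and $_.Path })) {

        # Share-level permissions: Full or Change both allow writes.
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            $broad  = ($entry.AccountName -in $BroadPrincipals)
            $writes = ($entry.AccessControlType -eq 'Allow') -and ($entry.AccessRight -in @('Full', 'Change'))
            if ($broad -and $writes) {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Principal = $entry.AccountName; Rights = $entry.AccessRight; Inherited = $false
                }
            }
        }

        # NTFS permissions on the share path (inherited entries are reported too, since they
        # are what the user actually gets).
        $acl = Get-Acl -Path $share.Path -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $broad  = ($ace.IdentityReference.Value -in $BroadPrincipals)
            $writes = ($ace.AccessControlType -eq 'Allow') -and
                      ([int]($ace.FileSystemRights -band $writeMask) -ne 0)
            if ($broad -and $writes) {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                    Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: an empty result means no broad principal can write to any exported share on this host.
Get-OverbroadShareAccess | Format-Table -AutoSize
```

Effective access is the intersection of the share-level and NTFS grants, so a finding on one layer may be contained by the other; the report shows both so that the fix is made where the excess grant actually lives, usually by replacing the broad group with a purpose-specific group holding Read only.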
xi. Invest in developing zero trust networks, especially in mission critical parts of IT systems. Agile project management could be used to test, review, assess and repeat trials and experiments to find the right balance between confidentiality, availability and integrity. Zero trust practices can then extend across the IT system and into critical supply chains. Introducing blockchain technology can accelerate these processes.
xii. Audit supply chains for cybersecurity risks and increase standards through clear contractual obligations, practical and accessible information security schedules, Key Performance Indicators (KPIs), robust reporting and dynamic analysis.
For assistance with Personal Data Breach Response, Ransomware, Cybersecurity Strategy, Board Awareness or Information Security Training, contact PrivacySolved: