Multiples of past and present crime surveys have confirmed the ongoing impact of Cyber Crime on business was, and is high, and were measured to have increased by an average of 25% on previous years of reporting, were seeing financial losses increase by 18%+ and rising. However, these statistics only represent the known knowns of cyber impact, and do not include those unknown unknown factors of the non-report, and non-detected successful cyber incursions.
The advent of Malware, and Ransomware variants, and their associated strains of payload have particularly focused attention on the end-game of Project Planned hack-attacks impacting multiples of business, and public authorities. Such as a well-publicised successful attack against the UK Local Authority born out of insufficient levels of adequate security being implemented to protect against a known known threat. Such cyber compromises as these hold the ability to impact the business, and/or end user’s PC or Laptop with an adverse payload, which may impose one of, or even all the following miscreant actions:
- Allow remote viewing of sensitive and private files stored on the local PC’s hard drive
- Allow access to information relating to bank accounts and other such on-line financial transactions
- Sending emails from the system/email account without the owner’s knowledge
- Invoking the attached Web Cam to visually infiltrate personal space to view the locality from afar
- Using a compromised system, potentially to launch a Distributed Denial of Service Attack [DDoS] against other machines and/or organisations
- Activate other attached devices, such as microphones
The enhanced threat imposed by Ransomware however will allow Cyber Criminals to leverage adverse manipulation of say, encryption to prevent the authorised user from accessing their own files. Whilst the attacker may offer the impacted owner the opportunity to pay to regain access to their locked files, there is no guarantee that they will be unlocked once the transaction has been concluded.
Recent attacks encountered within the UK have also seen an increase in threat born out of the distribution of communications by Social Engineering emails, claiming to be from a bank or a government agency, such as HM Revenue and Customs, or PayPal urging the end user to go online to check their account, or to claim an outstanding refund. However, the real purpose of these communications is to capture, and of course abuse the valuable and sensitive credential and data objects. So, what? Well to fact of this situation is, such attacks are still so very successful, implying that the message it not getting out to the general, unaware public – thus I conclude more must be done to educate.
Following the well-publicised historic Stuxnet computer programme considered to have been created by Israel/US hands, which succeeded in infecting and sabotaging Iran’s uranium production in 2012, the SCADA industrial control systems of hundreds of European and US Energy companies have also been infected by a sophisticated cyber weapon operated by a state-backed group, with apparent ties to Russia. And remember the use of that powerful piece of malware , known as “Energetic Bear”, which allowed operators to monitor energy consumption in real-time, or to cripple physical systems such a wind turbines, gas pipelines. What this tells us about the prospects of insecurity associated with Smart Metering is only to be anticipated! But again, in the opinion of the author, feel it can only be adverse as the required due diligence security controls up to the start of 2015 were considered ineffective, and now we see Smart Meters becoming a new member of IoT and a brand-new target.
The Hackers, and Cyber Criminals are also getting smarter with imaginative miscreant evolution of criminal techniques. But this state of Cyber insecurity is nothing new, and has been a subject of conversation for many years. In fact, it was around 10 years ago in a conversation with a UK CPNI representative who commented that the ‘Cyber Exposure was way over hyped and a product of imagination!’ – the problem being no one has been willing to listen. In fact, these threats were also clearly outlined in a report some ten years ago, written by myself, which was, at that time classified by a CPNI representative as the product of scaremongering! So to some extent we are where we are, and it is going to take a quantum leap of mindset change across the spectrum to deliver what will represent a robust security model.
The overall conclusion is the time to act has gone well past its sell by date, and thus, if the technological age is to strive forward, delivery of the right set of security controls is now a must do, and represents a value add proposition – and should no longer been seen as an incurred cost.