Dan Taylor

Part 2 - Hacking increasing by 1600%* - 6 issues impacting Data Security?

In this series of articles, we will cover a number of topics around security

1.    What is really going on?

2.    Why is this happening?

3.    Who are they?

4.    What are the different types of threats?

5.    What can you do about it?



Part 2 - Why is this happening and why is the security discussion different now?

In the second part of the series, in this article, we cover the key 6 reasons this happening and why you should be looking at security differently.

1. Availability of Hacking Software - “There's an app for that”

One of the biggest differences is that readily available amounts of cheap malicious code and apps that were unattainable or unaffordable in years gone by.

As an example for even as little as $7, cybercriminals can get their hands on the Russian password-stealing tool that steals information from web browsers. https://www-forbes-com.cdn.amp...-bottom-pricing/amp/

Shodan is the world's first search engine for Internet-connected devices. https://www.shodan.io/explore/tag/printer

2. It is now much easier to train as a hacker - “there's a class for that”

As an example, Cybercriminals can take a class on stealing credit cards http://money.cnn.com/2017/07/1...l-shadows/index.html

And worth a mention, that for the White Hat Hacker (Good Guys) there is a CompTIA security cert https://amp.thehackernews.com/...online-training.html

3. HAAS - You do it for me

If you don’t want to wait or do learn you easily hire a hacker, yes, that’s right, as part of Everything as a Service, you can now pretty much get literally everything and so Haas Hacking as a service is a thing now.

As an example for $8 you can get Crypting services to hide malware http://uk.businessinsider.com/...-account-access-90-5

$5 for DDoS-as-service (distributed denial of service) designed to overwhelm a server/website or another network resource through sheer volume of messages, connections, or packets to causes it to grind to a halt or crash thereby denying services to legitimate users.

 DDoS as service prices are also tumbling. Hemant Jain, vice president of engineering for security company Fortinet, said that he has found providers who are selling an hour of DDoS for $5, a 24-hour day of it for $40 and a week for $260. http://www.cutimes.com/2013/05...for-hire-on-the-rise

For $7 anyone can spread malware and cause serious damage http://news.softpedia.com/news...ernight-517013.shtml

Ransomware will encrypt your file until you pay a ransom

There are more powerful hacking tools to use, like scrapers, browsers and

Phishing-as-a-Service (PhaaS) platform that offers low cost, "automated solution for the beginner scammers," allowing them to trick people into handing over their credentials. http://thehackernews.com/2017/...-as-service.html?m=1

4. The rewards can be huge

Rewards - Through May 2017, organizations have awarded hackers over $17 million in bounties on HackerOne, and over $7 million awarded in 2016 alone. o  https://www.hackerone.com/site...ecurity%20Report.pdf

Even something published the below example of phishing as a joke but were surprised by the high number gullible responses.2018-02-04_22-26-43Here is a more honest example https://haveibeenpwned.com/About

Black Market values

  • A complete medical record – $1,000 more if used for bribery or to sell on to insurance companies.
  • Credit card details :-

· $5 to $30 in the US per person in the US,

· $20 to $35 in the UK

· $20 to $40 in Canada

· $21 to $40 in Australia

· $25 to $45 in the European Union

  • Driver’s license - $20
  • Netflix password - $3.05
  • Spotify passwords - $2.80
  • Email addresses - $2.29
  • Bank login credentials :-

· for a $2,200 balance bank account: $190

· from $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance

· from $700 for a $10,000 account balance, to $900 for a $16,000 account balance

  • Login credentials for online payment services such as PayPal: between $20 and $50 for account balances from $400 to $1,000; between $200 and $300 for balances from $5,000 to $8,000
  •  Login credentials to hotel loyalty programs and online auction accounts: $20 to $1,400
  • Login credentials for online premium content services such as Netflix: as little as $0.55

http://www.thisismoney.co.uk/m...it-card-details.html

White hat hackers who help companies through bounty programs can also make money by finding flaws and flagging them to the companies involved, who encourage the white hat hackers by paying bounties.

2018-02-04_22-28-47

 5. The number of devices out there

According to Gartner, in 2020, 25 Billion Connected "Things" Will Be in Use (up from 4.9 Billion in 2015)

There are more connected devices out there for you to connect to, IOT, fridges, ovens, Segways, even seagoing ship.

2018-02-04_22-30-14

It's also scary what can be done with these connected devices now that it possible to blend the cyber and physical worlds with hacking with cyberweapons like the Stuxnet virus that attacked Iran's Natanz nuclear facility by causing centrifuges to spin out of control. http://www.businessinsider.com...thought-2013-11?IR=T

If you were not sure what I meant about a seagoing ship, this is a 2017 tweet from a hacker.

x0rz @x0rz Duuuuuude, default creds everywhere. I'm connected to a ship as admin right now. Hacking ships is easy pic.twitter.com/UmLPIveTa 10:31 AM - 18 Jul 2017

2018-02-04_22-31-30502 Retweets 755 likes

And this article shows https://thenextweb-com.cdn.amp...-hackable-now/?amp=1

A bathroom IOT tap that has been hacked

2018-02-04_22-33-10

6. Not enough people to battle the new hacking onslaught

At best the number of dedicated security personnel remains steady while the numbers of attacks increases year on year www.cisco.com/go/acr2017

A Cisco study indicates that there’s a global shortage of more than a million IT security pros, and the gap is slated to rise to as much as 1.5 million by 2019. Consequently, many organizations are faced with vacancies in critical security posts, which lead to greater vulnerabilities and higher risks of data breaches.

To end with a quote, "you better start swimmin’ or you’ll sink like a stone. For the times they are a-changin’" Bob Dylan. It's time to take security seriously.

Daniel Taylor

https://www.linkedin.com/in/danieltaylor/

Hacking increasing by 1600%* - What is really going on with Data Security?

Before you switch off as you consider security uninteresting, just remember that if you think about it George Lucas has made $5.3 billion out of a data breach story.

General Tagge  " If the Rebels have obtained a complete technical readout of this station it is possible, however unlikely, that they might find a weakness, and exploit it."

Before we start let us say we aren't self-appointed gurus, we are most likely just like you, a user/business person. During this search, we realised that we both knew very little before and that the threat is much bigger than we had previously understood.

In this series of articles, we will cover a number of topics around security

  1. What is really going on?
  2. Why is this happening?
  3. Who are they?
  4. What are the different types of threats?
  5. What can you do about it?

Switching Sci-FI metaphor to another film, The Matrix, if you were given choice to make.

  • The green pill would allow you to remain comfortably ill-informed, or
  • The red pill would allow you to escape into the real world, but living the "truth of reality" is harsher and more difficult, what would you choose?


If you had chosen the green pill you would be forgiven if you believed that security was the job of the security specialists. Many organisations follow the Hope Strategy, which HK Bain defines as “We lock our filing room, have a password policy on employee computers, and use a firewall on our network. We hope that’s enough to keep out the bad guys. Besides…why would anyone want to me after us?”

2017-10-23_22-01-15

As you chose the red pill and are continuing to read, the harsh reality that you will wake up to is the fact that security is a myth, and you pretty much need to assume you are being attacked right now.

It’s easy to dismiss the topic as scaremongering, in this series of articles I will aim to prove that it’s a serious threat that isn’t being taken as seriously as it should.

If the US Army is vulnerable its difficult to argue that any organisation is going to do better.

Lieutenant General Paul Nakasone of the US Army Cyber Command said “ My first thought was, ‘Wow, it only took them 10 minutes to identify a vulnerability. How long would it have taken for us to discover?”

The reality is that there are plenty of vulnerabilities out there and the only reason why you haven't experienced a breach is pretty much luck.

77% of all bug bounty programs have their first vulnerability reported in the first 24 hours. Hackerone

Are you hoping that private medical data is safe?

“We’re attacked about every 7 seconds, 24 hours a day," John Halamka, CIO of the Boston hospital Beth Israel Deaconess.

If you require further proof and are visual you can actually get real-time visibility into global cyber attacks from Norsecorp, which resembles another film from the 1980’s Wargames.

 “Even if you have the best security in place, there’s still a chance that you may be breached,” said Peter Toren, an attorney specializing in computer crimes at Washington D.C. law firm Weisbrod Matteis & Copley. Toren was also a federal prosecutor for eight years, in the Justice Department's computer crimes division.

4,000 ransomware attacks happen daily that’s 1,460,000 attacks a year. Department of Justice


Here is a chilling real example from a Fortune 100 company CIO following a cybersecurity assessment.

“It took the attackers only six minutes to circumvent the perimeter defences. From there, they achieved domain administrator privileges in less than 12 hours. In less than a week they fully compromised all 30 of our global domains. They harvested more than 200,000 credentials, giving them the ability to log in to the network masquerading as any of us—they could even change our investment elections in our 401(k)s or transfer money out. There was no place on our global network they could not go and only a handful of computers they did not have easy access to—only 10 percent of our manufacturing facilities are behind firewalls, segregating them from our network. The attackers were in a position to electronically transfer millions of dollars out of our bank accounts through our accounts payable system. Their tools did not set off any alarms—our antivirus software did not trigger any alerts. They had direct access to our manufacturing environment and could affect both the quality of our production processes and safety on our shop floors. They had access to our most sensitive intellectual property, including our past, current and future plans for major acquisitions and divestitures as well as the results of the billions of dollars we have invested in a decade of research and development. And, in the end, they were able to steal all the data. We were not able to stop them, or even see them in our network!”
2017-10-23_22-02-58

Why don't we hear more about this, many companies are experiencing breaches but may not necessarily be publicising the fact, or more chilling may not even be aware its happening.

According to PWC 90% of large UK organizations reported suffering a security breach in 2015 - 2015 Information Security Breaches Survey, PwC UK

The reality is that most security breaches go unreported.

More than 89% of security incidents went unreported in 2007, according to survey of about 300 attendees at this year's  RSA Conference.

In the past, we would all have been forgiven for believing we were all much more secure than we really are, and that security and my data was taken very seriously.

There is a belief that you "do security" and then you "are done", yet it’s a constant battle, with everyone in your organisation needing to be involved .

The situation is so serious that the Cyber Insurance market is growing exponentially

Lloyd’s of London has warned that a serious cyber-attack could cost the global economy more than $120bn (£92bn) – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.

We will cover GDRP and its impact later on in the series. In the next article in the series, we will cover Why is this happening?

* Verizon Data Breach Investigation Report

×
×
×
×
×