Common Cyber Security Issues and Challenges

We’re taking a 30,000-foot view of cyber security to understand the state of the industry from an enterprise perspective and share some common challenges faced by diverse industries. Doing so provides infosec leaders insight into how challenges emerge in their workplace and potentially a sense of relief knowing their industry (and themselves, as professionals) are not alone in this struggle.

Cyber security remains dynamic and turbulent as businesses and technologies grow in complexity and hackers become more sophisticated. There is much discussion regarding the need to increase cyber security spending to expand cyber teams to cover more ground. And we know that many businesses lack confidence in their current cyber readiness, due in part to the common challenges detailed below.

Lack of qualified cyber security experts

Finding cyber security professionals who possess specific technical skill sets is an uphill battle for many infosec leaders who are trying to grow and expand their cyber teams. According to Harvard Business Review, one of the main reasons is that businesses tend to look for people with traditional technology credentials instead of individuals possessing a wide variety of professional and technical skills. As attacks get more sophisticated, varied skill sets, both technical (forensics, network analysis, malware detection) and professional (communication, problem-solving, analysis), will be required to combat them effectively, so leaders would be wise to expand their talent searches to include more diverse skill sets moving forward.

Lack of structured upskilling among talent

Senior staff often have a significant advantage over newer hires because they understand the ins and outs of their company. However, simply because they have advanced in their careers, they are not necessarily the most effective at teaching junior staff new skills and approaches to cyber security, since conducting effective training is often a full-time job in itself. At the same time, it is difficult for IT professionals to consistently remain up to date on best practices across all aspects of cyber security. The 2019 IT Security Employment Outlook report and many other resources note a 3 million staffing gap in cyber positions. Skills needed include the ability to identify key cyber terrain and risks, protect organizational assets and data, detect unauthorized access and data breaches, respond to cybersecurity events and attacks, and recover normal operations and services. Investing in consistent, structured, measurable training to upskill existing team members is an effective way to assess and combat these deficiencies.

Staff retention and fatigue

Since many organizations do not have the proper resources to alleviate heavy workloads and to effectively combat cyber threats, information security employees are often fatigued from long hours, immense pressure, and unreasonable workloads. These issues contribute to dissatisfied employees and high attrition rates across the industry. Taken together, they pose a serious problem, because an organization that trusts its security to a fatigued and undermanned or under-skilled cyber team is ultimately a threat to us all. CSO magazine recommends that companies assess “the state of mind of key staff members, create work schedules to rotate personnel off the front lines, and provide the right levels of support, stress relief programs, and career counseling.”

Combating common cyber security challenges

These challenges are daunting and exist across many industries, keeping many infosec professionals up at night. Fortunately, by looking for more diverse skill sets to expand the pool of candidates for positions, investing in immersive cyber security training, and understanding the state of mind of key staff members, including monitoring their level of job satisfaction and fatigue, firms can more effectively combat these common challenges.


Learning from the Top 5 Financial Cybersecurity Incidents

Banks, credit unions, credit card companies, investment firms, and insurance companies are all under cyberattack—making financial cyber security a hot topic of discussion. For years, the finance industry has been one of the hardest hit by cybercrime, according to Deloitte, and it continues to rank in the top five most vulnerable industries. In 2017, 69 material cyber incidents were reported to the Financial Conduct Authority, an increase from the 38 incidents in 2016, according to Information Age. Financial cyber security regulations are keeping companies in check, but the pace at which threats evolve in sophistication requires a persistent approach to stay ahead of hackers.

If you bank online or have an insurance policy, you likely understand the convenience of single-keystroke access to financial information. It’s easy, convenient and useful to transfer funds from one mobile device to another, electronically sign a form, or get a mortgage quote just by entering your financial details. Unfortunately, the rapid adoption of the new technologies that make these everyday transactions convenient is widening the attack surface for hackers and prompting security professionals to consider even stronger financial cyber security risk management processes.

Financial Cyber Security Incidents

Below are some of the most notable cybercrime attacks on financial services firms that we can learn from in order to take a more proactive approach to cyber security readiness.

Equifax 

The consumer credit reporting agency was breached in 2017, exposing the sensitive personal information of more than 147 million Americans. Partial driver’s license data was the primary data leaked. Equifax representatives said the vulnerability that allowed for the attack to occur was the failure to keep its computer systems adequately up to date.

Bank of Chile

State-backed hackers infiltrated the Bank of Chile’s ATM system in January 2019 and stole $10 million. The heist began with the hackers launching a virus as a “distraction,” which prompted the bank to disconnect 9,000 computers to “protect customer accounts.” Meanwhile, the hackers sneaked in and used the global SWIFT bank messaging service to send fraudulent transactions.

India’s Cosmos Bank

Unauthorized users accessed the bank’s system and siphoned off nearly $13.5 million through withdrawals across 28 countries. Unidentified hackers created a proxy switch that approved all the fraudulent payments.

Lazarus group

North Korea’s hacking operations are targeting financial institutions worldwide—completely indiscriminate of brand or geographic location. The country is linked to attacks in 18 countries, according to a report from Russian cyber security firm Kaspersky Lab. The hacking operation known as “Lazarus” targeted employees at banks who visited the hackers’ list of 150 specified internet addresses. Experts say the attacks are at a “level of sophistication not generally found in the cybercriminal world,” and companies should take proactive measures to carefully scan their networks for the presence of Lazarus malware samples, disinfect their systems and report the intrusion.

Bangladesh Bank 

Bangladesh Bank experienced a hack in February 2016 that drained $81 million from its accounts in a few short hours. Attackers subverted the bank’s access to SWIFT, the international money transfer system, to get what they wanted, reports Wired magazine. The hackers sent more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York, asking it to transfer millions of Bangladesh Bank’s funds to accounts in the Philippines, Sri Lanka and elsewhere. Reports indicate lax computer security practices were to blame (e.g. no firewalls installed on the networks), allowing the hackers to easily infiltrate the network and find the credentials needed to proceed. Attacking systems on the weekend isn’t a new approach either—other banks like Tesco experienced the same timing in November 2016, when thousands of current account customers were hit with fraudulent transactions.

Learning from Financial Cyber Security Incidents

Outdated systems, employee exploitation, weakened network security, and a poor ratio of defenders to hackers all contribute to the severity of these financial cyber security incidents.

These attacks tell us a lot about what preventative steps can be taken. Ensuring that financial services firms have the latest systems updated and in place requires an experienced cybersecurity team to perform regular system checks and updates.

Financial cyber security compliance leaders need to empower their teams with the right tools and persistent learning opportunities so they can be prepared for any malware infection or system overwrite that occurs.

The increase in reported attacks reflects a greater need for accountability across all financial institutions. As the attack frequency grows, so must our cybersecurity vigilance. Cyberattacks will adapt to defense strategies so financial firms need to ensure they are always one step ahead. The best way to achieve this goes beyond hiring our way out of the issue. Training your cyber workforce proactively using gamified cyber range training to combat the latest threats is the key to sustained success.

For more information on how financial firms can upskill their security workforce, download the Project Ares subscription brochure.


MEASURING SECURITY

What do you think of when you hear the term ‘information security’ or even the term ‘cybersecurity’? If you think about how it all works, you may think about vulnerabilities, firewalls, intrusion detection systems, anti-virus or perhaps something else entirely. What probably doesn’t come to mind are terms like metrics and measurement. These are elements of information security that seem to get short shrift a lot, in spite of their importance. Whatever aspect of a company’s security posture you consider, metrics are essential.

As an example, if we start on the low end of the scale, the one where everyone has an impact on the company, we talk about security awareness. Companies today generally have security awareness programs to help their employees know how to do the right things when it comes to interactions outside the company and especially with corporate resources and sensitive information. These awareness programs often start with some form of training — computer-based or video. The question is: how do we measure the effectiveness of this training? Ultimately, what is the goal of a security awareness program? To make sure employees know what information security is and the impact they have on it? Of course not. It’s to ensure that employees alter their behavior in order to better protect the organization and its resources. So how do you measure behavior change?

Metrics aren’t always about numbers. Sometimes we just need help retracing the steps after something has happened (i.e. qualitative information). Recently, I was looking at trying to measure some behaviors with respect to firewalls – asking: what happened and when did it happen? What I discovered was that neither iptables nor firewalld, the two Linux-based firewalls, provided any persistent details when rules were changed or what the rule changes were. It doesn’t appear as though it’s possible to even turn on that level of logging. One open source firewall where a Web interface is used to make changes is pfSense. This is a firewall based on the BSD operating system. After making changes to the rules, there was no indication of a change having been made in any of the log files. How do we measure over time the changes to rulesets and the impact they have had if there is no record of the changes to begin with?
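One way to create the missing record yourself, as an added example rather than anything from the original post: take periodic snapshots of the ruleset with `iptables-save`, then diff normalized snapshots so that timestamps and packet counters are not mistaken for rule changes. Both snapshots below are constructed, and the record format is an assumption.

```python
"""Audit record of firewall ruleset changes built from two iptables-save snapshots.
Added example, not code from the original post; both snapshots are constructed."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed snapshot, in the format `iptables-save` prints.
BEFORE = """# Generated by iptables-save v1.8.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:00:00 2024
"""

# Same host five minutes later: counters moved and one rule was added.
AFTER = """# Generated by iptables-save v1.8.7 on Mon Jan  1 10:05:00 2024
*filter
:INPUT DROP [120:9840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [300:41000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:05:00 2024
"""

def normalize(dump: str) -> list:
    """Keep policy and rule lines; drop comment lines (they carry timestamps)
    and the trailing [packets:bytes] counters, which move without any rule change."""
    kept = []
    for line in dump.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kept.append(re.sub(r"\s*\[\d+:\d+\]$", "", line))
    return kept

def fingerprint(dump: str) -> str:
    """Short stable hash of the normalized ruleset, for comparing snapshots over time."""
    return hashlib.sha256("\n".join(normalize(dump)).encode()).hexdigest()[:12]

def diff_rulesets(before: str, after: str) -> dict:
    """Lines present in one snapshot but not the other (pure reordering is not
    listed here, but it does change the fingerprint)."""
    b, a = normalize(before), normalize(after)
    return {"added": [x for x in a if x not in b], "removed": [x for x in b if x not in a]}

def change_record(before: str, after: str, when: datetime = None) -> dict:
    """One log entry answering 'what changed and when', ready to write to a log file."""
    when = when or datetime.now(timezone.utc)
    return {"time": when.isoformat(), "before": fingerprint(before),
            "after": fingerprint(after), "changed": normalize(before) != normalize(after),
            **diff_rulesets(before, after)}
```

Run from cron or a systemd timer, keeping the previous snapshot on disk, this gives the record of rule changes over time that the firewalls themselves do not write.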

Measurement comes down to identifying the problem, much like many other aspects of information technology (or even other industries and endeavors). In the first case above, what is the problem? The problem is that humans can have a negative impact on the security posture of an organization. So, what are we measuring? Are we measuring whether we’ve trained all the people in the organization? We could, and it’s easy to measure that, but what would be the purpose? If your organization has to demonstrate compliance to a set of standards, this may be useful. It’s more important to measure behavior, and more importantly, changes in behavior as a result of training.

One way to measure behavior changes is to send e-mails with links that should look untrustworthy. If the links are clicked (the URL would go to a site controlled by information security or information technology), there is evidence that the behavior hasn’t changed. What do you do with that information when behavior hasn’t changed? Put people through the training again? If it didn’t work the first time, what would suggest that it may work the second time?

And this is why measurement is important. Without this data, you don’t know when something is going wrong. You also won’t know what is going wrong. Unfortunately, there are no easy resolutions. More data isn’t necessarily better. The best approach when it comes to measuring security is to clearly identify the problem or situation. It’s essential to take a logical and rational approach to this and not feel like you have to protect against absolutely everything. Once you have identified the situation, you can determine what you need to measure, as in the case of awareness training. The really hard part is in interpreting the data. In the case of security awareness, we know that people are not making decisions based on the training they have had. Do you address that by sending the people through training again? Do you re-evaluate the training?

It’s not always easy to make the right decisions but having the right data to inform your decision is essential. You can only have that if you think through ahead of time what the right data is, so you can ensure you are collecting it.


The Importance of Cybersecurity Awareness and Education (or, how to easily attack your friends and enemies)

While it hasn’t received as much conventional press as, say, the Equifax data breach, there was recently a significant event on the Internet. A service called Memcached, which lets websites keep chunks of data in memory and share them between servers, is or was vulnerable to being misused to send large amounts of data to unsuspecting targets. One of these targets was GitHub, though there were others that have not been named. What made these attacks so significant is their sheer volume. According to Arbor Networks–a company that has made denial of service attack protection its life’s work for more than 20 years–one of its customers received roughly 1.7 terabits per second of attack traffic.

Think about that for a second. Let’s say that you have a fairly conventional 100 megabits per second connection to the Internet at home. It would take you 17,000 seconds to transmit the same amount of data and that’s assuming you had 100 megabits per second outbound at home (you likely don’t) and you were able to saturate the connection. It would take you nearly 5 hours to send that same amount of traffic that it took just a second to push out.

How does this happen? This was an amplification attack, which means the attacker sends a very small amount of data to one place and that place responds with something much, much larger to someone else. Let’s say that Bob wants to attack Edgar. He sends a box that weighs 1 pound to Alice (using common Internet naming conventions, Alice and Bob regularly do things with each other). However, he tells Alice that the box came from Edgar. As a result, Alice sends a box weighing 15,000 pounds to Edgar. Edgar won’t be able to get that box through his front door. Let’s also say that not only Bob is sending these boxes to Alice to go to Edgar, but Charlie, Fred and Daniel are in on the act too. That’s suddenly several very large boxes.

Now back to the recent incident. Some researchers have indicated the amplification rate for the service used isn’t 15,000 as in our example but instead, more like 52,000. What was already a lot of very large, very heavy boxes is suddenly increased by a factor of 3-4x.

The problem here comes, in part, because the developers used the user datagram protocol (UDP). UDP is often used where a lack of overhead is considered a useful feature. Because there is no actual connection between the system sending and the one receiving — the data is just sent, sort of like if you were to start talking into an intercom without having any idea if the person on the other end of the intercom was there — the data can be sent faster, theoretically. When developers use UDP for transmission, they expect that the messages they are sending will never be checked to ensure arrival. They also don’t check to see if the receiving party is at home.

Not checking to see if the receiving party is home is what makes UDP useful to attackers. UDP is an easy protocol to launch spoofing attacks with because nothing ever checks whether the sending address is correct. That allows Bob to send a message to Alice saying he is Edgar. Alice assumes the sending address is correct and so responds to that address. Nobody checks the address for validity or veracity.
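One way a defender can spot the reflection pattern described above in network flow data, as an added example that is not part of the original post: each UDP query sent to the memcached port is paired with the reply that went back to its (possibly spoofed) source, and the response-to-request byte ratio is the amplification factor. The flow records, their field names and the 100x reporting threshold are constructed assumptions; the same arithmetic also reproduces the 17,000-second figure from the 100 Mbps comparison above.

```python
"""Spot UDP reflection/amplification in flow records.
Added example, not from the original post; the flow records and their fields are constructed."""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_UDP_PORT = 11211  # default memcached port, the service abused in the incident

@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int

# Constructed sample. 203.0.113.7 is the victim (Edgar): the first query carries
# its spoofed address, so the reflector's large answer lands on it.
FLOWS = [
    Flow("udp", "203.0.113.7", 40000, "198.51.100.5", 11211, 15),       # tiny query, spoofed source
    Flow("udp", "198.51.100.5", 11211, "203.0.113.7", 40000, 780_000),  # reflected reply to victim
    Flow("udp", "203.0.113.7", 40001, "198.51.100.9", 11211, 15),
    Flow("udp", "198.51.100.9", 11211, "203.0.113.7", 40001, 15),       # small reply: no amplification
    Flow("tcp", "192.0.2.10", 51000, "198.51.100.5", 443, 5_000),       # ordinary web traffic
]

def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes sent back per byte received: the 'box weight' ratio in the post."""
    return response_bytes / request_bytes

def find_reflectors(flows, service_port=MEMCACHED_UDP_PORT, min_factor=100.0):
    """Pair every UDP query to service_port with the reply to its (claimed) source
    and return {(reflector_ip, victim_ip): factor} where factor >= min_factor."""
    sent = defaultdict(int)   # (server, client, client_port) -> bytes toward server
    back = defaultdict(int)   # same key -> bytes the server sent back
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == service_port:
            sent[(f.dst_ip, f.src_ip, f.src_port)] += f.nbytes
        elif f.src_port == service_port:
            back[(f.src_ip, f.dst_ip, f.dst_port)] += f.nbytes
    hits = {}
    for key, req in sent.items():
        factor = amplification_factor(req, back.get(key, 0)) if req else 0.0
        if factor >= min_factor:
            hits[(key[0], key[1])] = factor
    return hits

def seconds_to_send(total_bits: float, link_bps: float) -> float:
    """Time a link needs to push the volume the victim absorbed in one second
    (the post's 1.7 Tbps over a 100 Mbps home uplink comes to 17,000 s)."""
    return total_bits / link_bps
```

A reflector showing up in this report is a server your own organization should take off the open Internet or restrict to TCP, because the victim address in the flow is not the party that sent the query.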

Any service that listens for messages on the open Internet (meaning there are no or few restrictions on who can send messages in) that doesn’t do some form of validation and verification, is exposing others on the Internet to attack. This is why cybersecurity is everyone’s problem and why cybersecurity awareness is so critical.

The people responsible for these attacks are not the attackers. They are the developers who didn’t consider the potential for misuse and abuse of their service. They are the system administrators who stood up servers running this service without considering the potential for bad people on the Internet who misuse and abuse servers to cause problems for other people and businesses. The servers that were misused and abused were not owned by the attacker. They were owned and maintained by legitimate businesses.

If developers and administrators (not to mention executives, who should be expected to sign off on these sorts of decisions) continue to make bad choices because they are not aware of the security implications of their actions, people and businesses will continue to be exposed to these overwhelming amplification attacks. When businesses can’t respond quickly enough to shut down their servers that are being abused and misused, other businesses will continue to pay the price for that lack of education, awareness and concern for the welfare of other people and companies.
