Awais Rashid warns that an organisation’s only defence against cyberattacks is constant vigilance and commitment at board level
Protecting a large organisation in cyberspace is akin to NASA scanning the skies for objects on a collision course with earth. The potential for threats is vast, the trajectories unpredictable and the variables almost endless. There, however, the similarities end. Unlike the threats to earth from space debris, the dangers that an organisation faces in the cybersphere are almost constant. They are driven by myriad motivations and cost the global economy an estimated $250bn to $1tn annually.
The fact is that, while the internet opens up a range of new business opportunities and ways to access customers, it also exposes a large attack surface for cyberthreats. Any organisation that uses the internet is vulnerable.
Before the advent of online banking, if someone wanted to rob a bank, physical access was a must. Today, all that is needed is access to a computer and the internet and basic technical know-how. The tools are mostly freely available online. They range from malware, viruses and automated toolkits that launch denial of service attacks against systems, to password-cracking programs. The more sophisticated attackers can build customised versions that are harder to spot and to trace back to the originator.
This worrying scenario should not be taken to imply that banks, financial institutions and other corporations do not have adequate cybersecurity measures in place. On the contrary, responsible organisations invest substantially in cybersecurity technologies, training for employees, customer awareness campaigns and penetration-testing to detect and plug vulnerabilities. However, attackers change their tactics frequently as vulnerabilities are dealt with. The upshot is a cat-and-mouse game.
The most dangerous weak points are known as “zero day vulnerabilities”.
These are previously unknown chinks in the internet armour, where the developers of the system in question, or the cybersecurity team, have had zero days’ notice to put countermeasures in place. In 2010, in an operation dubbed Aurora, hackers exploited zero day vulnerabilities in Microsoft’s Internet Explorer Web Browser software to breach the security of a number of large corporations around the world.
In fact, we are seeing a growing trend towards exploitation of vulnerabilities in application software, such as web browsers and word processing systems, as software vendors make computer operating systems more secure and resilient, and sophisticated intrusion detection systems offer improved protection for an organisation’s networking infrastructure.
An organisation’s exposure to cyberattacks is not, however, only a consequence of its own online presence. Today’s entities operate in a complex network of relationships, procuring products and services from a range of suppliers. This chain can often open up vulnerabilities as attackers target particular points. The Heartland Payment Systems breach in 2009, for example, shows how hackers can use a combination of sniffer programs and a known vulnerability, in this case structured query language (SQL) injection, a code used in database management, to conduct a “data in transit” attack targeting the middleman credit/debit card
Similarly, at the start of last month, attacks in South Korea harvested electronic certificates used in financial transactions in an attempt to legitimise fraudulent activity. Information sharing is the key to guarding against a cascading effect from such breaches. In fact, the clear-up after the Heartland Payment Systems breach showed that a similar breach had occurred at another middleman organisation a few months earlier but had not been shared across the sector in an attempt to avoid reputational damage and maintain competitive edge.
Though infiltration of databases is common, this should not suggest that other types of cybercrime are not, or that they do not pose a threat to an organisation’s security.
We have seen the emergence of sophisticated viruses such as Zeus V3, which is capable of performing financial transactions while providing customers with a view of their accounts that masks all the fraudulent activity. Website vulnerabilities are also often exploited, as by the hackers who simply substituted account numbers in the text that appears in a web browser’s address bar to gain access to the customer data of a large bank. Similarly, social engineering attacks are on the rise, employing a variety of tactics to gain the trust of individuals or groups within an organisation and use it to gain access to sensitive data and information.
The potential threats in cyberspace are many and varied. Countering them requires vigilance across an organisation and among its partners, and commitment at board level. Treating cybersecurity as a strategic priority is the only way to ensure that exposure is kept under constant supervision and, so, minimised.
Awais Rashid is director of Security Lancaster, an EPSRC-GCHQ Academic Centre of Excellence in Cyber Security Research.