Having the latest technology is only one part of cyber security. You also need to train your people and have good corporate governance too.
The great disruption brought by the online revolution is not just disrupting business models - it's created a new wave of business risks, not least cyber attacks.
Senior managers of your organisation are responsible for considering and addressing the risks of cyber attack. In the first part of this article, we'll sketch out the nature of the risks, and the ways senior managers can address them, starting with the simple activities such as educating staff to help manage cyber risks, through to corporate governance and systems accreditation. In the next issue we'll focus on the specific challenges of cloud computing.
How big is the problem of cyber threats in Australia?
Australia's relative wealth, high levels of online traffic and use of technology make it an attractive target for cyber adversaries.
In July this year, the Australian Cyber Security Centre (ACSC) released its first ever unclassified cyber security threat report. The report, while perhaps not adding new concepts, demonstrates that "the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow."
Cybercrime - "criminal acts involving the use of computers or other ICT, or targeted against computers or other ICT" - is a much more prevalent issue, with an estimated cost to Australia of $1.06 billion over a 12-month period (an estimate the report acknowledges might be too low).
What are cyber attackers trying to do?
Cyber attacks can come from criminals seeking to make money, business rivals seeking an advantage, or hacktivists (or even bored teenagers) seeking to make a point. Their goals can include:
- getting information which they can reuse (such as customers' credit card numbers or identity theft, or industrial espionage);
- affect your ability to perform your business or functions by seizing control of your systems or stopping them from operating effectively; or
- hijacking your systems to use them for their own purposes (such as sending out millions of spam or scam emails).
A very common threat to organisations is the surreptitious addition of malicious software ("malware"), which can suck up information and send it to the attacker. A variant is ransomware, which "typically locks a computer's content and requires victims to pay a ransom or regain access." It can also involve a message alleging that the computer has been used for some illegal activity and demanding payment of a fine. This can cause related difficulties if the victim has not performed a recent backup.
How do they mount cyber attacks?
Cyber attacks will target your weakest links, which will often be human error. Critically, your people's failure to protect access to systems through poor passwords, password protection or betrayal will be the easiest way for cyber attackers to gain access.
The next level of sophistication is the use of social engineering techniques, such as carefully crafted emails to entice a user to click on a link or open an attachment, which are also known as spear phishing. This tricks the unwary into introducing software which can wreak havoc. Organisations with poor cyber security are especially vulnerable to spear phishing.
Even if your own staff is well trained, avoids spear phishing attempts and has secure passwords, cyber attackers can exploit technical backdoors left open by you or third parties.
For example, the growth of "bring your own device" practices and the blurring of the work/life distinction have meant more business is done on smart devices, which are relatively insecure and provide access to the firm's IT systems.
Another technique is the use of a watering-hole. This is a legitimate website, frequented by a cyber attacker's intended targets, which has been compromised - malicious software has been covertly added to the site with the purpose of compromising viewers' computers. In 2014, the ACSC identified incidents involving watering-hole exploitation of websites frequently visited by Australian Government employees. The ACSC notes that this technique is no longer opportunistic, but has become an activity targeting Australian government and business.
Finally, there are the risks unique to cloud computing, which we'll consider in the second part of this article.
Future trends in cyber attacks
Although the ability to detect cyber threats continues to improve and the development of robust cyber defences is progressing, cyber adversaries are constantly improving their tradecraft to tackle network defences.
The ACSC report has predicted that both spear phishing and ransomware will continue to be popular, and there will be an increase in:
- cyber criminals;
- the use of watering-hole techniques;
- the number of cyber adversaries with destructive capability; and
- electronic graffiti (eg. web defacements and social media hijacking).
How you can defend your organisation against cyber threats?
Any action has to start with your people. This means, as a bare minimum, training them to understand the risks of spear phishing and poor password security.
This must be backed up by good corporate governance across your organisation. Many people will have a crucial role to play in managing information security: the legal team, IT infrastructure and procurement team, the CEO and COO and whoever else is responsible for risk management, those with information security oversight and management (such as information security managers and the CIO), those with system/security design, development and implementation responsibilities and those who test, monitor and audit information systems. You should also consider getting external advice, both on technical and legal issues.
Of course, getting everyone in a room is only the first step. Responsibility should be assigned, and processes mapped - and maintained. For example, you should look at using cyber drills or authorised attacks by third parties to test your systems periodically, create and update cyber risk protection documentation, maintain asset registers know what hardware is accessing your systems, and ensure all relevant systems are accredited.
A structured response to incidents is also a useful tool. This can be achieved by developing, implementing and then testing (annually) an incident response plan. This would ideally encompass responses to data spills, e-discovery of data and ways to obtain and analyse evidence (eg. time-synchronised logs, hard disk images, memory snapshots and metadata).
Finally, there is a lot of very useful guidance on the technical aspects of information security and protection from cyber attacks coming from the public sector. The US Government's National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cyber Security, released in February 2014, sets out a risk-based approach which is evolving to meet new threats. Closer to home, there's the Australian Signals Directorate's four strategies:
- application whitelisting;
- patching applications (such as PDF readers, Microsoft Office, Java, Flash Player and web browsers);
- patching operating system vulnerabilities and using the latest versions; and
- minimising administrative privileges.
As the ACSC report notes, organisations must be proactive, invest resources in cyber security and implement measures to make them a harder target. This needs to be supported by Australia's ICT community, academia and decision-makers in the public and private sector, by keeping up to date with developments, identifying new vulnerabilities and advising Australian organisations on strategies to mitigate emerging threats. This will be critical to provide a high degree of confidence in network and information security and to enable government departments, private entities and Australians generally to enjoy the benefits of the internet.
You might also be interested in...
- Pulling up the drawbridge: protecting yourself against cyber attacks Part 2: Cloud computing
- Cyber security: Risk management
- Big data and the public sector
- Australian Cyber Security Centre releases first ever public threat report
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.