As the first quarter of the year comes to a close, we wanted to share some important security issues to be mindful of for the rest of 2020 and beyond, along with some tips to protect yourself and your business.
BYOD and Mobile Phones
Malware in mobile apps has been a big issue over the last six months. More apps are being found to exceed the permissions they were given or to outright steal data off users’ devices. Even some initially legitimate apps have had permission changes with updates that introduced malicious adware and data tracking. Like the problems with our next topic on the list, having a mobile device between your home and work networks makes both insecure if you don’t keep them updated and aren’t careful about what you download.
The ‘internet of things’ has already started playing a big part in security this year. And on the whole, it will become more of a focus for two very big reasons. First, many more cities and companies are releasing internet-connected devices and services. Second, with 5G entering the playing field, those devices are going to be faster and designed to do much more than we’ve seen in the past.
If you don’t have any IoT devices in the workplace, you are probably better off. But if you work from home and have IoT devices linked to your home network, you risk bringing the security issues of your home to your workplace. IoT has had a very weak focus on security for as long as it’s been out. Hopefully that will change after some of the noteworthy exploits that have taken place, but until the companies that develop internet-connected gadgets start taking security seriously, there will be more problems.
By now you may have heard of Magecart, a group that has been around since 2016 and has refined the criminal act of stealing credit card data almost to an art. They succeed at this by infecting shopping carts and checkout programs run through legitimate businesses with malware that “skims” the credit card data as you enter it into the site’s checkout system. Magecart has pulled off several high-profile infections including Ticketmaster UK in 2018, Newegg in 2018 and MyPillow.com in 2019 among many more.
Constantly evolving with new abilities and elaborate attacks, Magecart infections are very difficult to detect. Many of the infected sites are running a service called Magento to handle sales checkouts. When not properly updated, Magento makes these sites a prime target for Magecart. When an infection is finally detected, alerting the customer who might be affected by the theft can be just as difficult. As a customer, you will not receive any of the warning signs that your card has been compromised unless you are contacted by an outside agency or the company where the breach originated.
The healthcare industry alone suffered $7 billion in losses due to ransom and recovery in 2019. Globally, the ransom requested from just one infection in 2019 topped $930,000 in total. Ransomware is big business and it isn’t slowing down anytime soon. In fact, the average amount of ransom requested is going up: it averaged $41,000 per incident in 2018, but in 2019 that figure spiked to over $80,000. This is leading to some states attempting to outlaw ransom payment using tax dollars and raising funds to overhaul cybersecurity in smaller communities that are more vulnerable due to budget constraints.
Some experts are predicting that ransomware attacks might actually become more prevalent, testing the resolve of the entities who have decided to not give in. We agree that we will continue to see a rise in ransomware targeting private companies, along with healthcare providers and government agencies which rely on older equipment, operating systems and legacy software to save money.
A stunning nine billion records were breached during 2019, making it one of the worst years for cybersecurity on record. Unfortunately, data breaches will continue to be an issue. You’ll probably see the usual suspects that popped up last year (we’re looking at you, Facebook) but as attacks grow more sophisticated, you may also see more severe breaches. Most leaders in the tech world have started pivoting towards being more security conscious, so companies like Microsoft and Apple are likely to avoid big breaches in the future. And hopefully the larger social networking companies will also learn from last year’s beatings for their breaches and not be so careless with network security and third-party vendors. But for other companies that don’t make security a top priority, it only seems to be a matter of time before they’ll be in the headlines for a hack too.
State-sponsored hacking is bound to be a prevalent security issue, with China at the front of the pack. In 2019 there were 15 Chinese citizens caught performing espionage and 24 individuals have been caught already this year. With tensions between China and the U.S. being exacerbated by trade issues, things are only going to get worse. Add an election year into the mix and state-sponsored hacking will no doubt kick into overdrive, as Russia is once again likely to meddle in our political process. Even if it is not Russia directly, it may be countries working on their behalf such as Iran, Korea, Vietnam, Syria and others. These bad actors have already started the year by attacking infrastructure here in the U.S., crippling a natural gas operator via a phishing ransomware attack. Incidents like this show that even with the phishing training available to most employees, one bad click on a malicious email can be devastating.
As demonstrated above, phishing is a persistent problem and is considered an “evergreen” threat for the foreseeable future. There’s no doubt it will continue as a primary cybersecurity threat, and as the attacks get more sophisticated, employers must make phishing training and awareness of scam campaigns a top priority. Phishing is still the most common initial vector for almost every type of malware in the wild, including ransomware like Emotet. Whatever the malicious threat, phishing continues to be the link that binds most of them.
Fileless or ‘Malware-Free’ Attacks
This is a rapidly growing and unique form of attack that involves breaching a network using stolen credentials in some cases, and known exploits in others. Fileless attacks never involve installing malware directly onto a storage device like a hard drive or solid-state drive. This attack has become more popular in recent years due to exploit kits (EKs). An exploit kit is a web-based program used to streamline the hacking process. The EK makes a network more accessible to less experienced hackers, resulting in a surge of this type of hacking. Five years ago, this method was employed by state-sponsored hackers, such as those from China and North Korea, and by organized hacktivists, and its use has expanded rapidly. Originally it revolved around the telecommunications industry, but it has since branched out to different companies and industries, and it’s only going to get bigger from here. We’ll continue to keep you updated on this important and evolving security issue.
How to Protect Yourself
We don’t believe in giving you a list like this without guiding you on how to mitigate malware and other threats to your networks. One of the biggest things you can do as an employer is to provide robust cybersecurity training for your employees. Training is one thing that can affect almost everything on this list. If your employees don’t have the proper training, they will be more likely to fall for the precursors of ransomware and data breaches such as phishing emails and social engineering.
This is exactly why we offer Sagiss clients the option for us to provide cyber-threat education for their employees. It’s so important for the people on the front lines of your business to be aware of both the age-old scams and all of the new threats out there, and what to do when they think they are getting a suspicious communication.
Whether you are a Sagiss client or not, we encourage you to enroll your staff in some sort of cybersecurity training as soon as you can. Get them ready for the eventual phishing email, or any of the forms of social engineering that give hackers access to your data before your organization becomes the next victim of cybercrime.