The importance of information security (or infosec) has grown exponentially in the past several years. It has always existed to a certain extent, with governments and armies acknowledging the need to keep communications between them secret from the enemy. By World War Two, the Enigma Machine was created to do just this and was decrypted by Alan Turing using a machine that turned out to be the predecessor of what we now know as a computer.
These days, the methods have changed but the principles remain the same: confidentiality, integrity and availability. Threats to this security have likewise morphed to suit the times. In this post we will examine three of the trends in infosec issues, covering state sponsored attacks, old operating systems and employment apathy and negligence, complete with real-world examples.
State-sponsored attacks sound like exactly what they are. One country, often by proxy, criminally hacking another country, usually targeting banks and other, similar organisations. “Cyberattacks on financial institutions are increasingly being linked to nation-states, resulting in destructive and disruptive damages rather than just theft,” starts a recent Reuters article. This means that, while big institutions used to have to deal with attacks from individual cyber criminals, the trend for countries now potentially stealing huge sums from each other seems to be growing.
A notable example of this was North Korea’s December 2018 infiltration of the entire Chilean banking network. Notorious hacker group Lazarus (known associates of the Pyongyang regime) were credited with this particular heist which was pulled off over a Skype call with a gullible employee of Redbanc, the company that interconnects the ATM infrastructure of all Chilean banks. They got away with $10 million. You can find further details of how this was managed here, but it is by no means the only attack of this kind perpetrated by North Korea.
In 2016, again according to Reuters, “North Korean hackers carried out an $81 million heist by breaching Bangladesh Bank’s systems and using the SWIFT network (Society for Worldwide Interbank Financial Telecommunication) to send fraudulent money transfer orders to the New York branch of the U.S. central bank where the Dhaka bank has an account.” Unfortunately, state-sponsored attacks live in an ever changing grey area that is almost impossible to legislate. As with most cyber security issues, a good defence very much seems to be the best offence.
We all have that moment when we see the dialog box appear in the corner of the screen. “Your computer needs an update. Restart now? Or wait until tomorrow?” More often than not, we press snooze, letting our future selves deal with the inconvenience of shutting everything down. This may not have a huge impact when it comes to individuals, but for big organisations it can spell disaster.
Unlike our previous example, another precious commodity was targeted when an offshoot of Marriott International Inc provided hackers with a way to access as many as 383 million guest records in 2018. Data can command a good price on the black market and is often the goal when hacking large organisations – in this particular case, the way in was out-dated software. Hotels are often vulnerable to these kinds of invasions precisely because of their lack of cyber security know-how as well as cost-cutting measures across the board that can leave them vulnerable.
The NHS also proved themselves a prime target. The WannaCry virus struck on 12 May 2017 and affected 200,000 computers in at least 100 countries, demanding a ransom to unlock the computer and prevent its information being deleted. However, in the UK the NHS took a particularly bad hit due to several of the hospitals and organisations under its umbrella still running Windows XP software. The lesson learned here seems to be that although potentially costly and time-consuming, keeping up-to-date can save both time and money in the long term.
For all that cyber attacks are made possible by sophisticated (and sometimes not-so-sophisticated) software and hacking methods, the human element is often what makes them so devastating. Employees, whether through negligence or malicious intent, have the potential to do a lot of damage in terms of infosec. In fact, a 2016 study revealed that 20% of data breaches were actually caused intentionally by disgruntled employees, and a further 65% as a result of negligence. This means that one of the best defences a company can implement is strengthening the engagement of its employees through HR and by treating it as a cultural issue, rather than just a technical one.
In 2018, UK supermarket Morrisons was found liable for a data breach when one of their employees leaked the payroll data including names, addresses, bank account details and salaries, sending them to newspapers and posting them online. Although the perpetrator, Andrew Skelton, was sentenced to eight years in jail, Morrisons is also having to face a class action suit. The Court of Appeal found that the supermarket chain was “vicariously liable for the torts committed by Mr Skelton against the claimants”. They are now appealing to the Supreme Court but the suit has already made its mark, driving home the importance people play in cyber and information security.