There is an old proverb that Generals and soldiers are always prepared to fight the last war. This has proved true on a number of occasions throughout history. Winston Churchill wrote in his biography, “It is a joke in Britain to say that the War Office is always preparing for the last war.”1 This demonstration of the last war mentality can be traced to the days of Napoleon who consistently beat opponents who tried fighting the “last war.” The same can be said for cybersecurity as well.
Organizations are consistently fighting the “last threat,” unaware that the changing landscape of cyberthreats and tactics has already changed. It isn’t just the fact that cyberthreats are changing, it is the pace of this change that is further unsettling. During the first six months of 2017, ransomware was identified as the #1 cybersecurity threat amongst industry leaders. The WannaCry and NotPetya attacks over the summer of 2017 garnered headlines across the world as some of the largest global corporations were brought down for days and weeks. Yet, within the course of one year, an entirely new threat called Cryptomining had eclipsed ransomware of its #1 stature. The tidal threats of ransomware appeared to recede as fast as its tsunami like entrance onto the world stage. This sudden transition was due to several reasons such as the skyrocketing price of Bitcoin and other cryptocurrencies as well as the growing propensity of ransomware victims to not pay up. These changing dynamics helped propel cryptomining attacks to increase by as much as 10,000 percent in some parts of the world in late 2017.
Those who singularly focused on ransomware were unprepared for cryptomining, and those who have singularly focused on this recent threat, will miss the next one. Even now, the threat of cryptomining is diminishing, giving way to bank trojans and the rise of ransomware While this constant “changing of the guard” plays out for all industries, just what the next threat is depends on the industry you are in. Below we will look at some of the different threat types for each industry.
Different industries face different types of threats for a number of reasons, one being that they use a unique technology or process that is singular to them only. An example is the network of automatic teller machines that are ubiquitously present today. In January of 2018, the U.S. Secret Service began warning banks about a wave of new attacks referred to as Jackpotting. Jackpotting is a type of attack in which thieves install malicious hardware/software at ATMs that force the machines to dispense large volumes of cash on demand. While U.S. banks have been exempt from this attack methodology that has plagued other parts of the world, it has now made its way to the states. In the end of course, an ATM is nothing more than a computer – a computer that happens to be connected to a hoard of cash. As veteran cybersecurity professionals know all too well, it is hard enough to protect an ordinary workstation at a bank.
While every industry sector needs to prioritize its efforts to thwart cybersecurity threats, the financial sector must consume itself with this task more than others. The reason is simple. Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries and incur a greater cost of cleanup and recovery. Some of these threats are obvious such as the inherent vulnerability of online bank accounts. According to Kaspersky Lab, the installation of banking malware apps reached a historic high in the second quarter of 2018 (61,000). Banking Trojans are now the leading cyberthreat for financial institutions and their customers as banking trojans accounted for nearly 59 percent of all malicious email payloads in the first quarter of 2018. Other less obvious points of vulnerability include the inherent dependency of banks on third-party service providers that provide digital services to augment their service platforms. According to a report by the U.S. Office of the Comptroller of the Currency, operational risk remains a main risk area for banks due to the growing complexity of their enterprises that constitutes a multi-layer security strategy.
While ransomware may not be the colossal threat it once was, that is not the case when it comes to the healthcare industry. According to a poll commissioned last year that included 1,758 U.S. and Canada-based healthcare employees, 27 percent said they were aware of a ransomware attack against their employer within the past year. Even worse, of those who mentioned being aware of an attack, one third of them cited a repeated attack. In 2017, 45 percent of all ransomware attacks targeted the healthcare sector compared to only 12 percent for the financial services industry.
Ransomware attacks are not always deployed in order to garner extorsion money. According to the U.S. Department of Health and Human Services, there were more than 100 cybersecurity incidents in 2019 that affected more than 500 individuals. Ransomware was a common thread in many of these attacks as cybercriminals now use ransomware as a way to cover their tracks after a breach.
Ransomware isn’t the only threat that the industry faces. The growing use of medical devices has increased the attack surface of healthcare organizations. According to the Food and Drug Administration, medical device vendors reported 400 percent more vulnerabilities per quarter last year. Medical devices are plagued with outdated operating systems, out-of-date firmware and even a dearth of authentication processes. All of this has induced the FDA to issue guidance for connected medical device security.
When one thinks of security threats singular to the retail industry, one usually thinks of skimming. Whether it is a clerk skimming one’s card for an added transaction or a strain of POS malware that allows hackers to remote in and take over these devices, skimming continues to be a common threat to retail establishments. But skimming isn’t just about POS machines. Thanks to malicious code threats such as Magecart, hundreds of thousands of credit card accounts have been exposed to hackers. Magecart is a decentralized global campaign that uses the mage.js script to steal credit card information from online shoppers. This isn’t the only threat that online retailers must worry about. According to the Verisign Q2 2018 DDoS Trends Report, DDoS attacks increased by 35 percent, with the average size of the attacks increasing 111 percent year over year. Contrary to popular conception, DDoS attacks don’t just affect large retail conglomerates. A DDoS attack on a large online retailer equally affects those third-party retailers that depend on it. Similarly, an attack on a single payment services provider can devastate hundreds or even thousands of retailers in a single instance.
According to the Cisco 2017 Annual Cybersecurity Report, nearly one in three retailers suffered revenue losses in 2016 as a result of a cyberattack. Sadly, just 52 percent of retail organizations consider their security infrastructure to be up-to-date and upgraded with the best technology tools. Retail more than any other business sector must defend itself against both the localized small time criminal as well as sophisticated international hacking organizations.
In some ways, manufacturing is one of the final industries to begin the digital transformation process. While Manufacturers are enjoying the advantageous leaps in productivity and innovation that the digitalization can bring, they are also discovering the resulting vulnerabilities to cyberattacks as well. According to the National Center for Manufacturing Sciences, manufacturers have traditionally relied on physical isolation as a way to secure assets, an approach that no longer works in an environment dominated by digital sensors and IoT devices. A recent survey by Deloitte found that only half of companies isolate their Industrial Control System from their standard networks, opening themselves up to risk. A study commissioned by IBM showed that 87 percent of automotive manufacturers are quick to implement IIoT (Industrial Internet of Things), but slow to secure it.
Today’s smart factory isn’t just about digital devices; it is about connected devices. The burgeoning IoT connected ecospheres vastly increase the attack surface of today’s industrial complexes. While manufacturers may be new to the concept and practices of cybersecurity hygiene, their hacking adversaries are not. The thirst to acquire intellectual property in order to reduce competitive advantages is a driving force in nation state backed attacks. As a result, a generic cybersecurity plan isn’t enough for those in the manufacturing sector. As a recent article in CSO Magazine stated, “Are you nation state “defense ready?”
Not Just Controls, the Right Controls
Nearly every company and organization today knows they need some type of security controls in order to defend against cyberthreats today. But merely having controls isn’t enough. It’s about having the right controls. You need the right tools, supported by the proper strategies to combat the threats of tomorrow, not just the past. Just as important however, is the knowledge to understand the threats that are specific to your industry and business.
One of the ways to accomplish this is to establish a Foreseeable Risk Index. An FRI conducted by HALOCK can provide keen insights, recommendations and direction into what you need to do to secure your particular enterprise from the risks you will face both today, and tomorrow. HALOCK can review your controls in the context of industry specific threats. In addition, they can provide gap and risk assessments, penetration tests, incident response planning and compliance audits. The speed in which threats transform and metamorphosize continues to accelerate. You don’t have time to keep up with the hastening pace of threat innovation, because HALOCK already does. They specialize in key industries and business sectors and have the understanding and knowledge base to secure your enterprise in a way that can not only keep your users and devices safe, but serve as a competitive advantage as well.
Analysis is key. Ask yourself, “Was the data breach foreseeable?“
Winston S. Churchill _The Second World War_ I (Boston: Houghton Mifflin, 1985) 426