There is a growing number of cyber attacks and almost all the successful attacks have come from an insider being compromised through deception, negligence or a lack of awareness. In this era of endless cyber attacks, companies need to attack or face being attacked and stand to lose everything. This is according to J2 Software’s chief executive officer, John Mc Loughlin.
The common response to a cyber attack is to quickly identify the culprit, blame him and try to cover up the damage. It is time that business leaders realise they are simply not doing enough to protect their organisations.
Having dealt with many intelligent and highly qualified people in recent months, it is clear that they are simply missing the (end) point. The conversations are very similar when discussing the various risk vectors, how they are being addressed and what collection of solutions and processes is used.
Some have large budgets, some are small and several haven’t even thought of information security or risk mitigation to prevent and reduce the impact of breaches as an item to budget for.
Business leaders often feel that these topics are too complicated to discuss, and it means that they generally have no idea where to start. The worst possible response is that it is not the right time to worry about cyber risks right now. Do they really think there are more pressing issues than company security?
Visibility is the solution
When is the right time? When your company is headline news as the next big public data breach or when your competitor takes your top three customers from under your nose?
Companies also need to realise that anti-virus and gateway security are not the solution; they are only a small part of it. If companies don’t have total visibility of what is happening at the end point, they will simply continue to run in circles and will never be able to claim compliance.
Without absolute visibility at the end point, one also cannot tell what risks employees are bringing into the company or what data is being taken out.
Network log analytics tools are very good at aggregating vast amounts of data from many different systems, but the result is simply more data. Network and firewall logs are informative; it is data from the end point about user activity, email activity and device changes that brings real value.
One must correlate actual user activity against known risky behaviour to identify anomalies. Lateral movement is not only carried out by outside parties: internal users also take advantage of their knowledge and use system or administrative accounts to make changes, move around the environment, steal data, load malware and cause damage.
The rise of global breaches brings account compromise into play as well. The dark web is teeming with stolen credentials, so without adequate monitoring and active enforcement you will never know that you have been breached in the first place.
Where to start
One needs to begin at the end point, because complete visibility there lets business leaders understand what is normal. When you know what is normal, the abnormal is easily identified and you have the capability to respond before damage is done.
Your team needs eyes everywhere and most importantly, this needs to be at the end point with the user or systems that are actually doing the work. When you increase your field of vision, you improve your security and reduce risks.
Have a look around your entire environment and ask yourself whether you really know what is going on at the end point. Do you know which users log on to specific machines, what they have done there and the data they are moving around? If not, you have a problem and you need to consider your options.
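As an added example that is not code from the article or from J2 Software, the Python script below applies the "know what is normal, then spot the abnormal" idea from this section to a handful of constructed endpoint logon records: it learns which user normally logs on to which machine during a baseline window, then flags later logons to machines a user has never used, interactive use of shared service or administrative accounts, and logons outside working hours. The log format, the `svc_`/`admin` account-naming convention and the 07:00 to 19:00 working day are assumptions made for the example.

```python
"""Baseline-and-deviation check over endpoint logon events.

Added example; not code from J2 Software or the article. The sample
records, the log format, the privileged-account naming convention and
the working-hours window are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample endpoint logon records (not real data).
# Format per line: ISO timestamp, user, hostname, logon type
SAMPLE_LOG = """\
2019-05-01T08:02:11 alice WS-FIN-01 interactive
2019-05-01T08:05:40 bob WS-HR-03 interactive
2019-05-02T08:01:03 alice WS-FIN-01 interactive
2019-05-02T09:15:22 bob WS-HR-03 interactive
2019-05-03T07:58:45 alice WS-FIN-01 interactive
2019-05-03T08:10:09 bob WS-HR-03 interactive
2019-05-10T22:41:17 alice WS-HR-03 interactive
2019-05-10T22:45:02 svc_backup WS-HR-03 interactive
2019-05-11T08:00:30 bob WS-HR-03 interactive
"""

# Events before this date are treated as "normal" and define the baseline.
BASELINE_END = datetime(2019, 5, 8)
# Assumed naming convention for shared service / administrative accounts.
PRIVILEGED_PREFIXES = ("svc_", "admin")
# Assumed working day: logons at hours outside this range are unusual.
WORK_HOURS = range(7, 19)


def parse_logons(text):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, logon_type = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "type": logon_type})
    return events


def build_baseline(events, baseline_end):
    """Return {user: set(hosts)} observed during the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end:
            baseline[e["user"]].add(e["host"])
    return baseline


def is_privileged(user):
    """True if the account name matches the assumed privileged naming scheme."""
    return user.lower().startswith(PRIVILEGED_PREFIXES)


def detect_anomalies(events, baseline, baseline_end):
    """Flag post-baseline logons that deviate from the learned pattern.

    Each finding is (timestamp, user, host, reasons) where reasons is a
    '; '-joined string of every rule the event tripped.
    """
    findings = []
    for e in events:
        if e["ts"] < baseline_end:
            continue  # baseline events are the definition of normal
        reasons = []
        known_hosts = baseline.get(e["user"])
        if known_hosts is None:
            reasons.append("user never seen in baseline")
        elif e["host"] not in known_hosts:
            reasons.append("user never logged on to this host in baseline")
        if is_privileged(e["user"]) and e["type"] == "interactive":
            reasons.append("interactive use of a privileged/service account")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("logon outside normal working hours")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["host"],
                             "; ".join(reasons)))
    return findings


def run(text=SAMPLE_LOG, baseline_end=BASELINE_END):
    """Parse, baseline and detect in one call; returns the list of findings."""
    events = parse_logons(text)
    baseline = build_baseline(events, baseline_end)
    return detect_anomalies(events, baseline, baseline_end)


if __name__ == "__main__":
    for finding in run():
        print(*finding)
```

On the constructed sample, Bob's routine logon to his usual machine produces nothing, while Alice appearing late at night on an HR workstation she has never used and a backup service account being used interactively on the same machine minutes later are both flagged. In practice the baseline window would be weeks rather than days and the rules would sit alongside the email and device-change data the article mentions, but the shape of the check is the same: learn normal first, then alert on what departs from it.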
It is time to take security more seriously. You know that the biggest problem is already staring you in the face, so if you do not have visibility and provide adequate additional protection and awareness to your users, you will miss far more than you are able to protect.
Relying purely on network monitoring works in a perfect world, but we work in an imperfect world. Users make mistakes, click on links, download software they shouldn’t and are given far more access than they require – simply because there are inadequate controls and no monitoring.
Companies need to make real progress in terms of security, and not simply tick a box on an audit requirement. This is only possible by obtaining valuable input into the security operations of your business by increasing visibility and increasing your capability to identify and respond, before you are in the news.
Delving deeper into the South African context
According to Mc Loughlin, in the last six months they have noticed a massive increase in targeted attacks against businesses and people in South Africa. “I believe this could be a rise of targeted information received via large data breaches such as the Deeds database breach or even large corporate breaches, where masses of information were stolen,” he says. “The details contained in the breach records are then sold on the dark web, traded and used to begin cyber attacks.”
Recent reports state that there was a 22% increase in attacks against South Africans in the first quarter of the year. A report by Kaspersky Lab stated that they saw 13 842 attempted attacks per day. This is simply the tip of the iceberg – this number is a fraction of the actual attacks because it does not account for attacks they do not see.
“I believe that the attacks targeted against South Africa are three to five times bigger than last year,” says Mc Loughlin. “This comes from the information we see in our J2 Cyber Security Centre (CSC). We have seen this increase in frequency and also changes in the complexity of the attempted attacks. The cyber-criminal syndicates are focused and adapt their attack strategy depending on what security platforms the target company is using.
“For example, if your company uses an email security platform that scans links in emails to stop malicious links, the attackers will use legitimate SharePoint sites, Dropbox or WeTransfer etc., and place their malware on the sites via a compromised account. The user then receives the email because it is not stopped, clicks the link to the legitimate site and downloads the malicious document, file etc. We have seen hundreds of these events recently.”
Another massive targeted attack vector is to falsify supplier invoices. This is called invoice fraud: an attacker intercepts email, makes copies of the documents, sends these to the targets and gets them to make payment into the wrong bank account. As soon as the funds hit the attacker’s fake account, the money is withdrawn.
“Recently we were involved in investigating fraud where the client of a financial services business lost over R300 000,” explains Mc Loughlin. “We have seen these types of attacks range from a few thousand rand and the largest was late last year, when fake details led a business to pay out R2,3 million to online fraudsters.”
Where are businesses going wrong?
The truth is that South African businesses are being targeted and are suffering huge losses on a daily basis. These businesses will not and do not report these attacks because of the potential reputational damage. Home users, SMEs and large businesses are all victims, and most of the time it is simply because the most basic groundwork is not done.
People are not aware of the high number of breaches, they use the same passwords on everything and companies do not monitor their environments for strange or out-of-the-ordinary behaviour. South African businesses also do not follow very good update or patch management programmes – this is seen every day. Many businesses will have computers, servers and critical applications that have not been updated or patched in over a year. If this is the case, you have likely already been breached.
“I always say there are two types of businesses in South Africa: Those that have been breached and those that do not know that they have been breached,” Mc Loughlin firmly states.
It is important to note that while there are many international cyber rings, it is not only the Russians and Chinese who are launching attacks. We have a massive number of South African cyber-crime syndicates and these numbers are growing. The fraudsters use local bank accounts at all the major banks. The truth is that South Africa is not immune and, to be honest, with very limited enforcement capability from the government, cyber crime is a low-risk, high-return business.
“The attacker can leverage new vulnerabilities very quickly, prey on naive users and can launch hundreds of attacks per day,” Mc Loughlin concludes. “The attacker only needs to get it right once – for the business or end-user, we need to get it right every time.”
Acknowledgement and thanks go to John Mc Loughlin from J2 Software for the information contained in this article.