By Ajita Kadirgamar:
Warnings and advice on some of the most common and often fatal Cybersecurity traps
Cybersecurity, most often the lack of it, is a buzzword that commands attention. In March 2021, Sri Lanka ranked 77th on the National Cyber Security Index[1] - a global live index, which measures the preparedness of countries to prevent cyber threats and manage cyber incidents, while placing 83rd in the Global Cybersecurity Index.
Sanj Chandran, Founder/CEO of tech solutions company 10QBIT explains why his company for instance, is placing a heavy focus on Cybersecurity not only for itself, but as a service offering. “When a country is in survival mode, we immediately prioritise the threats that are in front of us and get distracted from what could be a larger issue. The lack of priority allocated to Cybersecurity is common across most organisations because we don't fear what we cannot see. When the mindset assesses threats based on what has happened, rather than what could happen, it puts organisations in a vulnerable position.”
Penetration Testing
Typically, management tends to assign a lower priority to intangible threats, because the executives who see such reports often lack the technical knowledge to understand the risks. However, security reports need to be taken seriously and issues remedied immediately.
Dinuja Wickramarachchi, Security Lead at 10QBIT, recently completed several lengthy Security Assessment Findings Reports for clients and partners operating in Sri Lanka, to evaluate the security posture of their infrastructure against current industry best practices.
In one instance, using an external penetration test, which emulates an attacker attempting to gain access to an internal network without internal resources or inside knowledge, Dinuja discovered several ‘Critical’ and ‘High’ security risks that could cause considerable damage to the organisation.
Currently, Sri Lanka has a slew of cybersecurity specialist firms and, of the top five, the oldest has been in operation for 25 years. The cybersecurity testing methods currently in use at 10QBIT are based on the American National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Open Source Intelligence (OSINT) Framework, the Open Web Application Security Project (OWASP) Testing Guide, the ISO Testing Guide, and other customised testing frameworks.
Social Engineering
One of the deadliest forms of ‘social engineering’ (the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes) is the business email compromise (BEC) attack.
Leading technology website ZDNet[2] recently stated that, according to the FBI, BEC losses amounting to $43 billion had been reported in at least 177 countries. The numbers could be higher, because this kind of scam requires little technical skill: nothing more than a laptop and an internet connection.
A scammer merely needs to find out who the CEO of a company is and set up a fake email address. They then email an employee requesting that a financial transaction be carried out speedily and discreetly. The employee will typically do as the boss asks and approve what could be a large sum of money.
Cybersecurity professional Dinuja recently tested such a phishing method, impersonating a company CEO and asking employees to do something or send sensitive information back. All employees, even technically skilled staff, fell into this CEO fraud trap in 2022.
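The CEO-fraud pattern described above leaves traces a mail gateway can check for: an executive's display name on an outside mailbox, a sender domain that imitates the company's, a Reply-To pointing elsewhere, and pressure-to-pay wording. The following is an added example, not code from the article or from 10QBIT; the company domain, executive list, keyword list and sample messages are all constructed for illustration, and the lookalike test is a simple similarity-ratio heuristic.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed for this example: the organisation's real domain and its executives.
COMPANY_DOMAIN = "example-corp.lk"
EXECUTIVES = {"jane perera": "jane.perera@example-corp.lk"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "transfer", "confidential", "discreet")

def is_lookalike(domain: str) -> bool:
    # Similarity-ratio heuristic: nearly, but not exactly, the company domain.
    if domain == COMPANY_DOMAIN:
        return False
    return SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.85

def bec_indicators(raw: str) -> list:
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. An executive's display name on a mailbox that is not the executive's real one.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with sender {addr}")
    # 2. A sender domain that imitates the company domain (e.g. one swapped character).
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain {domain}")
    # 3. Replies silently redirected to a different mailbox.
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From")
    # 4. Pressure and payment language typical of CEO-fraud requests.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings

# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Jane Perera <jane.perera@examp1e-corp.lk>
Reply-To: payments.desk@freemail-example.net
Subject: Quick favour

I need an urgent wire transfer processed today. Keep this confidential and discreet.
"""
LEGITIMATE = """From: Jane Perera <jane.perera@example-corp.lk>
Subject: Monday agenda

Please see the attached agenda for Monday's meeting.
"""
```

Run `bec_indicators(SUSPICIOUS)` to see all four warnings fire, while `bec_indicators(LEGITIMATE)` returns an empty list; in practice such indicators feed a quarantine or a second-approver rule for payment requests rather than an outright block.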
A component of vulnerability assessments and security audits includes looking for employee data that is publicly available on search engines, social media and thousands of other sources, to ascertain whether employees' online activity exposes their organisation to threats. Employees tend not to realise that their personal life can affect the Cybersecurity of their workplace.
An experienced ethical hacker (white hat hacker), Dinuja points out that, “When someone takes a selfie near their desktop, even if the selfie faces the opposite side of the desktop, an attacker can still retrieve valuable information from the reflection of the person’s eyeglasses, for instance. Often employees post selfies of themselves at their workstations, where one can clearly see the applications opened on their desktop, installed software, operating system versions, and much more information. Thereby, it is easy for malicious parties to reap the benefits and knowledge of known vulnerabilities for those applications and versions, thus facilitating their plans to attack the company.”
Attackers use a variety of techniques to trick unsuspecting individuals into opening malicious links, downloading infected attachments or visiting compromised websites, in an effort to directly steal their banking credentials, network logins or IP, or, on a larger scale, administrative access from which to launch larger crimes.
According to Dinuja, if an attacker is able to get through to their target on the phone, they can be extremely dangerous: convincing, friendly and confident. During every second of the conversation, the hacker is listening to background noises, conversations and other details. Sometimes, from the notification tone they hear, they know which platforms and devices are in use, all of which provides valuable ammunition for planning the next attack.
Compromised Credentials
When Cybersecurity experts investigate corporate data breaches and leaks, it is clear that most instances occur through compromised credentials. People tend to use weak passwords instead of ones that are complex and hard to crack.
Cybernews.com[3], a research-based online publication, recently published its list of ‘The Top 10 Most Common Passwords 2022’. They are: 123456; 123456789; qwerty; password; 12345; qwerty123; 1q2w3e; 12345678; 111111; 1234567890.
Reusing passwords across multiple sites, as most of us do, may seem the most efficient approach, but if the ‘lazy’ password of just one account is compromised, attackers can try that known password against your other accounts and websites, and rip into your personal life.
It is always advisable to use a reputable, secure password manager for personal affairs, and for organisations to use password managers and carry out password audits regularly. Another excellent step toward reducing credential compromises is employee Cybersecurity Awareness training, for both technical and non-technical staff.
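A password audit of the kind recommended above does not need plaintext passwords: each entry on the common-password list is hashed with the user's own salt and compared with the stored hash, and the same trick at password-change time catches a user recycling a password they already use on another internal system. This is an added example, not code from the article or from 10QBIT; the user store, the other-system store and the passwords in them are constructed, and PBKDF2 with a per-user salt stands in for whatever hash the real system uses.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# The ten most common passwords of 2022 as listed in the article.
COMMON_PASSWORDS = ["123456", "123456789", "qwerty", "password", "12345",
                    "qwerty123", "1q2w3e", "12345678", "111111", "1234567890"]

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Salted, slow hash so the audit works on what a system actually stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)

def audit(store: dict) -> dict:
    # store maps username -> (salt, digest). Each common password is hashed with the
    # user's own salt and compared, so no plaintext passwords are needed for the audit.
    findings = defaultdict(list)
    for user, (salt, digest) in store.items():
        for pw in COMMON_PASSWORDS:
            if hmac.compare_digest(hash_password(pw, salt), digest):
                findings[user].append(f"common password '{pw}'")
                break
    return dict(findings)

def check_new_password(user: str, candidate: str, other_systems: dict) -> list:
    # Policy check at password-change time: reject common passwords and reuse of a
    # password the same user already has on another internal system.
    problems = []
    if candidate in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    for system, store in other_systems.items():
        if user in store:
            salt, digest = store[user]
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                problems.append(f"password reused from {system}")
    return problems

# Constructed sample stores (not real accounts or hashes).
STORE = {
    "alice": make_record("qwerty"),                 # on the top-10 list
    "bob": make_record("correct-horse-7-battery"),  # not on the list
}
OTHER_SYSTEMS = {"vpn": {"alice": make_record("S3cure-Pa55-vpn!")}}
```

`audit(STORE)` flags only alice, and `check_new_password("alice", "S3cure-Pa55-vpn!", OTHER_SYSTEMS)` rejects the attempt to reuse her VPN password for a second system.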
Easy for Hackers to Steal Valuable Information Online
Today, more than ever before, every aspect of our lives is computerised or digitalised, resulting in a greater risk of information being stolen. We do everything online or through mobile phones - paying bills, transferring money, buying groceries, banking and so on.
But what about the security aspect? How can we ensure the app or the payment gateway we use to pay bills will protect our credit card information? It takes a concerted, high level of awareness to protect oneself, instead of taking the easy or lazy way out.
For instance, when you install an app and register with your personal information, do any of us actually read the tedious, lengthy privacy policy? What do they do with your data and where do they share such data? What do they collect? How long is it stored? For what purposes? This is valuable personal data that we should not share recklessly.
After a cyber-attack, most companies are remorseful: they ask their clients and ‘victims’ for forgiveness, yet put all the blame on the hacker. But is it really the hacker's fault? Was there enough protection in place for your data? Was there a silly mistake or lapse that led to this breach?
The moment one puts valuable information on a computer, website, app, or any computerised system, there is always a risk of getting this information stolen. It is imperative therefore to follow security practices and to think multiple times before entering valuable data.
Technology is evolving at the speed of light, and cyber criminals are taking advantage to further their mission. For example, hackers now use artificial intelligence (AI) for their malware and tools and consequently they earn more money than they used to.
Ransomware
Ransomware is malware used to deny individuals or organisations access to the files on their computers. By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers hold organisations to ransom. Paying the ransom then becomes the only way to regain access to their files.
Today, organisations must have a solid countermeasure against rising ransomware attacks. Only those who have been the victim of such an attack will know the true pain resulting from this type of incident. Most of the time, ransomware targets specific entities such as hospitals, where vulnerable members of society receive treatment, proving just how heartless cybercriminals are.
Vulnerability Assessment
A key piece of advice is to carry out vulnerability assessment and threat hunting before the bad guys do. Though hard to believe, there are tons of multi-million businesses that have never conducted a vulnerability assessment on their websites. According to Dinuja, “Even a 15-year-old who learns to use some script or tool on YouTube can easily inflict huge damage to a multi-million business. This is how poorly some businesses value the security protection of their organisation, partners, customers, and employees. Sadly, it is only after a hacking incident that companies will belatedly dedicate a huge budgetary allowance towards the Cybersecurity of their company. A lost reputation and breached trust, however, cannot be regained easily.”
It is mandatory to harden and shield websites, applications and employees. There could be millions of ways to hack a website that no one knows of. There could be tons of ‘zero-day’ exploits which no one has heard of, but to which a malicious person who has established their territory on the deep web has easy access.
If a company has an app that brings in customers or revenue, and that app has never been security-tested, it might already have been hacked. As Dinuja points out, “Today it’s just a drag and drop to access the full decompiled source code of an app where you can easily see the unhidden API keys and much more information that a hacker can benefit from when trying to access your cloud services, systems, customer data, payment information and so on. Organisations must have a solid plan to find and address every potential Cybersecurity issue, and always be aware of their current security status and level that they are at.”
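The unhidden API keys Dinuja describes can be found by the app's own developers before release by scanning the decompiled (or source) strings with the same two heuristics secret-scanning tools use: a credential-like variable name with a literal value, and any long random-looking literal regardless of name. This is an added example, not code from the article or from 10QBIT; the decompiled Java snippet is constructed for illustration and the key values in it are placeholders, not real credentials.

```python
import math
import re

# An assignment whose name suggests a credential, with a literal value of 8+ chars.
SECRET_NAME = re.compile(r'(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["\']([^"\']{8,})["\']')
# Any long quoted literal made of base64/hex-style characters, whatever its name.
LONG_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=_\-]{20,})["\']')

def shannon_entropy(s: str) -> float:
    # Bits per character; random-looking keys score high, words and padding score low.
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_hardcoded_secrets(source: str, entropy_threshold: float = 3.5) -> list:
    # Returns (line number, reason, hint) tuples; the hint never echoes a full value.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SECRET_NAME.search(line)
        if m:
            findings.append((lineno, "named credential", m.group(1)))
            continue
        for lit in LONG_LITERAL.findall(line):
            if shannon_entropy(lit) >= entropy_threshold:
                findings.append((lineno, "high-entropy literal", lit[:6] + "..."))
    return findings

# Constructed sample, standing in for strings pulled from a decompiled app (not a real app).
SAMPLE_DECOMPILED = '''public class ApiClient {
    private static final String BASE_URL = "https://api.example-app.test/v1";
    private static final String API_KEY = "EXAMPLE-ONLY-key-9f8e7d6c5b4a3210";
    private static final String CFG = "AbC9xY2zQ8wE4rT6yU1iO3pL5kJ7hG0f";
    private static final String GREETING = "Welcome to the application!";
}'''
```

`find_hardcoded_secrets(SAMPLE_DECOMPILED)` reports line 3 by its telling name and line 4 by entropy alone, while the URL and the greeting pass; anything it flags belongs in server-side configuration or a secrets store, not in the shipped binary.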
‘Work-from-home’ Poses Security Concerns
Post Covid-19, most companies have shifted to the work-from-home format, and cyber criminals have taken advantage of this situation to target organisations. Home workers can unwittingly become an attacker's way into the organisation because of the lack of Cybersecurity practices in their home environment.
Dinuja points out the obvious. “Typically, when working from home, we use our home router to access the internet, and all other occupants in the house use the same router. If one person’s devices - laptop, PC, tab, mobile - get infected or compromised, the attacker can access the internal network which is hosted by the router. Thus, an attacker can ‘pivot’ through that compromised device into other devices.”
For those who use a company-provided laptop on a home router that other people share, there is always risk. Unlike a company's physical office environment, which is secured by multiple firewalls and security measures, the home environment has none of these. A simple solution is to always use a reliable VPN together with powerful anti-malware software, since one has to be extra careful when using the internet.
It is clear that even work-from-home individuals must implement a proper backup policy for their online life, which includes never using pirated software, keeping malware protection up to date and, most importantly, using malware protection that is capable of detecting and blocking unauthorised file modifications. Security experts will emphatically tell you it’s always better to prevent an attack than cry over it after the fact!
Prioritising Cybersecurity
Cybersecurity must be a company’s priority and the IT department should take responsibility to implement and maintain it. If a company has no specialised resources for cybersecurity operations, professional advice should be sought to implement and maintain security measures.
Every company must have its security policies in place and must update them at least yearly. Employees must have a good understanding of these policies and there must be an auditing procedure to ensure that all employees are following the policies, with disciplinary actions in place for policy violations.
The global Cybersecurity market is projected to grow from US$ 155.83B in 2022 to US$ 376.32B by 2029, exhibiting a CAGR of 13.4%[4]. This is good news for Sri Lanka with its IT-literate population, as it opens up new avenues of employment within the IT industry.
It’s a new and scary world out there in cyber space, one where the good guys and the bad guys will continue to butt heads for technological superiority.
[1] https://ncsi.ega.ee/country/lk/
[2] https://www.zdnet.com/article/your-biggest-cyber-crime-threat-has-almost-nothing-to-do-with-technology/
[3] https://cybernews.com/best-password-managers/most-common-passwords/
[4] https://www.fortunebusinessinsights.com/industry-reports/cyber-security-market-101165