Cyber Security - There goes 2014 but what about 2015
2014 saw yet another increase in the number of successful cyber attacks on businesses of all sizes. Here are a few of the most memorable:
eBay suffered two attacks that allowed users' account credentials to be harvested, in one instance by redirecting users to a fake website that asked for their details.
JP Morgan had very sophisticated security provisions, but a persistent attack enabled hackers to gain access to the bank's security details, as well as potentially accessing details of over 50 million household accounts across the US.
The Heartbleed attack exploited a security bug in the OpenSSL encryption library used by over half a billion websites and systems across the globe. Systems required a patch to resolve the problem; more than half have been patched, leaving a considerable number of systems still vulnerable. Some of the well-known sites using OpenSSL included Amazon, Google and Facebook.
The after-effects of the Point of Sale software attack on the US retailer Target continue, with banks being given permission to sue the retailer for their losses, estimated at in excess of $300 million. In this case the entry point for the hackers was a small third-party maintenance company, and that foothold enabled cybercriminals to collect credit card details from as many as 100 million users.
The Sony Pictures attack has had a great deal of publicity, and the full details of how the attack was carried out, and by whom, are not yet known.
The overall number of successful attacks will never be known, as attacks on many businesses and organisations go unreported for fear of reputational damage. Most authorities acknowledge that the volume of attacks is becoming unwieldy and that the investigation of even the more costly ones is beyond existing resources.
So what will 2015 bring?
The IT industry continues to develop more secure systems and faster responses to known and potential threats; this in turn leads to greater 'creativity' (misplaced as it is) on the part of the cybercriminal. Many of the existing threats will remain and evolve, but new issues will also have to be faced as technology continues to pervade our world.
Email – malicious emails will become more sophisticated and more targeted over the coming year. The targeting will lull the unprepared, and possibly even the prepared, user into opening emails loaded with malicious code of some nature.
Legacy systems – many systems continue to use open source code written many years ago and containing hitherto unexploited vulnerabilities. Heartbleed is just one example of this latent reservoir of threats.
Single sign-on authentication – consolidating your authentication so that one login gives easy access to many systems is becoming more widespread, and users enjoy the simplicity of the approach. However, once the repository of passwords and login names has been accessed, the other systems it protects become vulnerable. Mobile phones and cookies are well-established examples of mechanisms that ease access to multiple systems.
The 'Internet of Things' (IoT) continues to expand, with new devices becoming Internet aware. Household appliances such as fridges, heating systems, lights etc. can now be readily accessed from anywhere in the world. Little is known about how the likely vulnerabilities in such systems will be exploited by cybercriminals, but once again that 'creativity' will be called into play.
Data repositories – the data typically being extracted and exploited to date has centred on credit card numbers and details. There are many other types of valuable data that can be more useful and more pervasive, such as medical records held by a wide range of institutions and businesses alike: hospitals, doctors' surgeries, treatment centres and recreational centres.
There is no doubt that the level of cyber attacks is akin to digital warfare, and as a society we need to be prepared to repel, and recover from, such attacks in a robust manner.
The need for best practices to be adopted by all businesses is recognised as essential to protecting the UK economy, and as such the Government has encouraged and supported the development of IASME, a security standard specifically for SMEs. The standard could be described as 'ISO 27001 lite', but only because the cost of implementation, auditing and maintenance is much lower.
In June 2014, HM Government launched, through the Department for Business, Innovation and Skills (BIS), two new cyber-specific standards, namely Cyber Essentials and Cyber Essentials Plus, with a view to enabling businesses of any size to adopt the standard and demonstrate good security provisions.
Yellowspring has actively contributed to the development of the Cyber Essentials (CE) standards and is well placed to advise and guide businesses in enhancing their security provisions, as well as in securing CE accreditation.
If you would like further information regarding our Cyber Essentials service, please contact Maria West on 01268 494160 or email firstname.lastname@example.org