Headlines about Cyber Security abound. Do these threats affect you and your firm, or do you believe that these attacks “always happen to someone else”? By now, everyone reading this should have their local drives encrypted to comply with their state’s security breach law. Our rule is that all data should be encrypted, in motion and at rest, including local drives and any Cloud storage. Cloud-based applications have changed the way we work, play, and access information. Threats such as spear phishing, ransomware, data breaches, and identity theft represent key new risks to organizations, and they should be addressed in your internal control structure.

The benefits and risks associated with software-as-a-service (SaaS) and hosted applications are very different from those of traditional on-premises information technology, and the implications for the evaluation of general computer controls are significant. Despite the enthusiasm for Cloud applications, some traditional items used in an on-premises forensic investigation, like the transaction audit trail, user access logs, and computer access logs, are often difficult to obtain for Cloud solutions and may even be unavailable by the time you or your client suspect a crime. What are the top Cyber Security issues? What are the new risks associated with Cloud solutions, and what techniques can be used to limit these risks?

What Are the Top Cyber Security Issues?

According to Jack Danahy in “Cybersecurity Made Simple” from Barkly Protects, Inc. in 2015, there are five top Cyber Security issues:

  1. Not knowing that a problem exists creates a security blind spot

  2. Not knowing how to break down a problem

  3. Not having the expertise to address the problem

  4. Not having the resources necessary to carry out an action plan

  5. Your arch nemesis is always organizational inertia

You need to determine your needs, agree on what’s important, determine what it will take to accomplish your security goals, execute your plan, and then review and repeat. Just as with getting backup right or having a business continuity plan, security planning is a continuous and unending process.

What Type of Risks Are There?

There are more new and sophisticated attacks and risks than can be enumerated in a short article. To name a few: phishing, tax-related identity theft, data breaches, ransomware and other viruses and malware, inadequately secured Internet of Things devices, cyber-espionage, cyber theft and crime, insecure passwords, BYOD, unauthorized data access, data stored without proper controls, privacy and regulatory exposure, and poor staff engagement are all examples of risks. What are some of the contributing factors to the scope of security concerns? Each of these is a contributing factor:

  • Large amounts of data to store and secure

  • Rapid increase in mobile devices

  • Need for anytime, anywhere access to data

  • Large number of organizations being hacked

  • Relative risks of the Cloud compared to on-premises data storage/processing

We could quote a broad array of statistics on data breaches, exploits and other attacks. We suggest you simply search for data breach statistics and see for yourself. The key thing to remember is that whether your organization is large or small, everyone is a target. It requires a wide array of tools to protect your organization, including, but not limited to:

  • Exercising due diligence in making data security decisions

  • Choosing well-designed IT security policies

  • Selecting hardware tools designed to mitigate threats

  • Using software and services designed to mitigate threats

  • Deploying strong user authentication, using multi-factor capabilities, not just user IDs and passwords

What Are the Elements of a Cyber Attack?

We need to consider several factors that Cyber attackers exploit, and understand what has to be protected, in order to improve our Cyber security. First, we have to protect our endpoints. These are frequently the target of the attack and include individual PCs, servers, networks and Cloud providers. The purpose of an endpoint attack is to control, corrupt, or disable the endpoint. Attackers look for vulnerabilities, that is, the weaknesses that permit the endpoint to be penetrated. Vulnerabilities include software flaws, system design weaknesses, insecure configurations, and human error. Attackers use malware, that is, malicious software; there are many different types of malware, and attacks often involve more than one strategy. Malware reaches our organizations through a delivery vehicle, which ranges from social engineering such as phishing to USB sticks. Finally, the method of execution (MoE) is the means through which attackers obtain the resources needed to execute an attack, including access, processing time and data.

Common types of malware include droppers, ransomware, backdoors, credential stealers, viruses, worms, and vandalizers. For example, a few of the best-known ransomware families are CryptoLocker, CryptoWall and Locky. These infections are designed to hold data hostage, and they have been very active from late 2013 to the present. Typically, a user opens a program on a local PC that arrived embedded in an e-mailed file or via a web link. The malware installs itself in numerous places and then connects to a command and control server run by the perpetrators, which hands the ransomware a public key; the matching private key never leaves the attackers’ server. That key is then used to encrypt all Office files, database files, pictures, etc., on the computer (in practice each file is encrypted with a fresh symmetric key that is itself encrypted under the public key, so nothing on the victim’s machine can reverse the process). Once data is encrypted, users are presented with an ultimatum: pay within 72 hours or the private key (needed to unscramble the files) will be destroyed. Recent variants have been infecting Remote Desktop Services (RDS/Terminal Servers) and Citrix servers in public and private Cloud installations.

Numerous CPA firms, healthcare entities, businesses and government agencies have fallen victim to CryptoLocker. The ransoms demanded range from $300 to $18,000, payable in Bitcoin or through other hard-to-trace payment methods. Anti-virus and anti-spam applications miss many variants of this threat, but strategies such as application whitelisting (only approved executables are allowed to run), geofencing (blocking traffic to and from regions you do no business with) and other techniques have slowed the rate of infection. However, attackers are getting smarter and choosing new methods of attack.
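The behaviour described above (one process rewriting many documents with random-looking content inside a short window) is exactly the pattern that a SIEM or endpoint agent can be taught to alert on. The following is an added example, not code from the original article or from any vendor it names: it runs a simple entropy-and-rate heuristic over a constructed, hypothetical file-write event log. The event schema, process names, paths and thresholds are all assumptions for illustration; in production the events would come from Sysmon, auditd or an EDR agent and the thresholds would be tuned per site.

```python
"""Behavioural ransomware detection over constructed file-write events.

Added example; not code from the original article. The event schema
(timestamp, pid, process, path, content_sample) is a hypothetical stand-in
for what Sysmon, auditd or an EDR agent would feed a SIEM. The heuristic
mirrors what CryptoLocker-style malware does: one process rewrites many
distinct user documents in a short window, and the new contents look random.
"""
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta

DOCUMENT_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".accdb"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plaintext documents sit well below 6, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window=timedelta(seconds=60),
                           min_files=20, min_entropy=7.5):
    """Return {pid: (process_name, distinct_files)} for every process that
    writes near-random content to at least min_files distinct documents
    within any single window. Thresholds are assumptions to tune per site."""
    suspicious_writes = defaultdict(list)
    for ts, pid, proc, path, sample in events:
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext in DOCUMENT_EXTENSIONS and shannon_entropy(sample) >= min_entropy:
            suspicious_writes[pid].append((ts, proc, path))

    flagged = {}
    for pid, writes in suspicious_writes.items():
        writes.sort(key=lambda w: w[0])
        start = 0
        for end in range(len(writes)):
            # Slide the window start forward until it spans at most `window`.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            distinct = {path for _, _, path in writes[start:end + 1]}
            if len(distinct) >= min_files:
                flagged[pid] = (writes[end][1], len(distinct))
                break
    return flagged


def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content,
    so the sample runs offline and reproducibly (not real encryption)."""
    out = bytearray()
    block = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{block}".encode()).digest()
        block += 1
    return bytes(out[:size])


def sample_events():
    """Constructed audit trail: a benign Word session plus one process that
    rewrites 30 spreadsheets with random-looking bytes in under a minute."""
    t0 = datetime(2015, 6, 1, 9, 0, 0)
    events = []
    memo = b"Quarterly revenue summary for the audit committee. " * 80
    for i in range(3):
        events.append((t0 + timedelta(minutes=i), 4120, "WINWORD.EXE",
                       f"C:\\Users\\cpa\\Documents\\memo{i}.docx", memo))
    for i in range(30):
        events.append((t0 + timedelta(seconds=1.5 * i), 6677, "invoice.pdf.exe",
                       f"C:\\Users\\cpa\\Documents\\client{i}.xlsx",
                       pseudo_ciphertext(f"client{i}")))
    return events


if __name__ == "__main__":
    for pid, (proc, n) in detect_mass_encryption(sample_events()).items():
        print(f"ALERT pid={pid} process={proc} rewrote {n} documents with "
              f"high-entropy content; isolate the host and kill the process")
```

Two caveats a practitioner should keep in mind: legitimate compression or backup software also writes high-entropy data, so the process name and the "many distinct documents in one window" rate matter as much as the entropy score, and the alert is only useful if something acts on it quickly (host isolation), because by the time a human reads it the encryption run is usually finished.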

So What Are Some Potential Tools to Prevent Cyber Attack?

A few defenses have been used for some time, including a well-maintained firewall and a backup that runs almost continuously. A properly installed and maintained anti-virus product remains the first line of defense, even though signature-based anti-virus products are not as effective as they once were. In fact, anti-virus is “dead” according to a Wall Street Journal interview with Brian Dye, Symantec’s senior vice president for information security, in May 2014. Symantec’s Norton anti-virus suite has been at the forefront of PC security for years, and the product has evolved into their Endpoint Protection product. Nevertheless, don’t let the claim distract you: anti-virus isn’t being retired, and Dye’s words reflect the new reality in anti-virus protection. Dye told the WSJ that he estimates traditional anti-virus detects a mere 45 percent of all attacks. Second, a properly configured firewall can help protect your network whether you are running in a public Cloud or have created your own private Cloud on-premises. We recommend firewalls in all business locations, and prefer business-grade firewalls in homes, too. Third, encryption: not every state mandates it, and compliance with an encryption regulation may have been painful for your organization, but encrypting data at rest and in motion is a strong third line of defense. Your fourth line of defense should be identity management, including multi-factor authentication with a product like Duo or AuthAnvil. These products allow your IT team or contractor to enable a mobile phone or another method, such as a hardware token, to be used to authenticate a user. Remember that single-factor authentication relies only on something you know, like a user ID and a password, whereas multi-factor authentication adds something you have (a phone or token) or something you are (a fingerprint).
The broad acceptance of cell phones, the availability of inexpensive tokens, and the multi-factor authentication offerings from providers like Microsoft and Google lead us to recommend multi-factor authentication this year. Finally, and fifth, it may be time to consider Security Information & Event Management (SIEM) tools, which collect logs from your endpoints, firewalls and servers and can identify unauthorized or destructive behavior on your network.

And We Are Not Done Yet…

Why are the “bad guys” attacking our businesses and homes? The simple answer is to gain money and/or intellectual property. Another result of these attacks is identity theft. According to the U.S. Department of Justice, identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain. Essentially, someone exploiting your personal information for their personal gain is the basis of identity theft. What happens with the stolen data? A few examples from the Dark Web, reached over the TOR network: 1) $180 USD will buy you the login information for a PayPal account with a verified balance of $1,701 USD; 2) perhaps you need U.S. citizenship documentation: for $5K you can have a “real” Social Security number, birth certificate, passport, driver’s license, etc.; 3) finally, you can obtain a credit card or access to a bank account with a $1,500 available limit for about $100 USD.

There are threats beyond those identified in this short article. Hopefully, you now understand that the threats are real, and that there are reasonable steps you can use to protect yourself, your family and your business.


About the author:

Randy Johnston is a shareholder in K2 Enterprises. K2 provides CPE training through State CPA Organizations on Cyber Security as well as other technology topics. Learn more at www.k2e.com.

TrackBack URL for this post:
http://www.scacpa.org/blog/56/cyber-security---scare-tactics-or-reality-
