Top Cyber Risks Businesses Should Prepare for in 2018
This year's top six cyber risks for businesses, according to The Chertoff Group principal Adam Isles, include: increase in destructive attacks targeting…
January 05, 2018 at 12:45 PM
6 minute read
The original version of this story was published on Law.com
This year's top six cyber risks for businesses, according to The Chertoff Group principal Adam Isles, include: increase in destructive attacks targeting industrial control systems, expansion of IoT as a threat vector, evolution in nation-state activity tradecraft, advances in identity subversion as a tactic, increased use of software subversion to bypass security controls and increase in third-party risk.
Every five years, the U.S. intelligence community releases a Global Trends Report, and the one released in January 2017 cited destruction of important civilian infrastructure as an increasingly likely form of emerging warfare. The rise in attacks targeting industrial control systems (ICS) can be attributed to factors including the relative ease at brute forcing default or weak passwords on ICS equipment, an increase of the number of ICS accessible to the public and an uptick in motivation by malicious actors to control ICS for political influence or monetary gain.
“Threat is a function of motivation, capability and opportunity,” said Isles. “2018 is expected to bring additional advances particularly regarding autonomous/artificial intelligence-enabled systems and their use in both private and professional settings. As this trend advances, so too does the opportunity to exploit such devices for malicious purposes.”
In the last few years, many cyber-attacks were seen using IoT devices like CCTV cameras in large-scale DDoS attacks, including an October 2016 attack that disrupted Internet services throughout the U.S. for almost a full day. These attacks highlight large-scale challenges in ensuring that IoT devices are properly configured to prevent a compromise of those devices. Even if U.S. authorities were to introduce legislation for producers to lock down IoT vulnerabilities, the threat from exposed devices from other countries does not diminish, per Isles.
“Where malicious activity can be attributed to state actors, U.S. authorities have worked with allied governments to take responsive action–for example, sanctions and criminal indictments plus related cooperation through extradition and mutual legal assistance treaties,” he explained. “So, the ability to act without the attendant consequences of attribution will be of increasing utility to threat actors. In that vein, state actors are increasingly relying on capabilities–people and technology–with roots in organized crime.”
Per the 2017 indictment of individuals allegedly involved in the Yahoo breach, including officers of Russia's Federal Security Bureau (FSB): “One of the criminal hackers has been the subject of an Interpol 'Red Notice' and was listed as one of the FBI's 'Most Wanted' hackers since 2012. He resides in Russia, within the FSB' s jurisdiction to arrest and prosecute. Rather than arrest him, however, the FSB officers used him.”
In addition, while state actors have access to zero-day exploits, the state of unremediated vulnerabilities makes it more likely they will use recycled malware and hacking tactics to minimize chances of attribution. The security vulnerabilities of passwords are well-covered in security literature, and we are now seeing significant consequences of compromised passwords via “credential stuffing” attacks, which involve automated machine-gun style access attempts via compromised username/password pairs. So, according to Isles, understanding these risks, organizations are increasingly shifting to the use of multi-factor authentication to reduce risks around single-factor approaches.
“We should expect to see increased reporting across three trends: newly discovered vulnerabilities in multi-factor approaches based on increased focus by security researchers, exploitation of unremediated vulnerabilities by malicious actors and resort[ing] to social engineering to subvert the identity-proofing process that underlies multifactor authentication,” he said.
There is a flaw in the technology underlying token-based authentication systems–they use public-key-infrastructure (PKI) to maintain confidentiality of the supporting keys. This flaw, discovered in the chip underlying the tokens in question, effectively means that it takes much less time than previously thought for a malicious actor to reverse engineer the private key from its public counterpart, per Isles. The consequence is that attacks are more feasible against systems protected by those tokens. In this case, the security researchers who identified the vulnerability worked with the impacted token providers, who themselves aided customers in remediating the vulnerability.
“Likewise, there is an increase in threat reporting around the compromise of text messages that provide one-time passcodes as a second factor,” he said. “In turn, there is also an increase in reporting around social engineering schemes that trick customer support centers into updating the mobile phones associated with an account from the legitimate account holders to that of a malicious actor.”
As seen during the 2017 NotPetya and other incidents, adversaries are using third-party software as an entry vector to deploy malware on targeted systems. Security controls were bypassed through the subversion of trusted third party software, so malicious actors could infiltrate at the source of a supply chain, compromise the third-party software in question, and leverage this compromise to inject malware into victim computer systems, which then spread laterally through those systems. Maersk ported an impact of over $300 million, as did pharmaceutical provider Merck.
“In 2018, we expect to see a greater emphasis on review and securing all phases of the software development lifecycle, not only testing before release but also during the planning, development and update phases as well,” Isles explained.
Allowing partner organizations access to sensitive data, systems can help a company focus on what it does best rather than the extraneous support functions. But the risks from the trend have multiplied as organizations have increasingly offloaded specialized services to others, in particular, cloud service providers. Uber CEO Dara Khosrowshahi said that “external attackers inappropriately accessed user data stored on a third-party cloud-based service that we use to gain unauthorized access to this information. While this compromise did not breach our corporate systems or infrastructure, it did result in the compromise of personal information for 57 million Uber customers around the world.”
Isles added, “Even cloud services that have strong security built-in can entail vulnerabilities if customers do not properly configure and maintain them. Thus, we expect more focus in 2018 on services that can help customers spot misconfigurations and risky levels of access on cloud services.”
Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllMarriott's $52M Data Breach Settlement Points to Emerging Trend
2024 Ransomware Payments Poised to Shatter Record, as Gangs Target 'Big Game'
2 minute readCleared in HP Fraud Trial, British Tech Tycoon Mike Lynch Now Missing at Sea
FTC Probing Use of Browser Histories, Other Personal Info to Individualize Product Prices
4 minute readTrending Stories
- 1Judge Denies Sean Combs Third Bail Bid, Citing Community Safety
- 2Republican FTC Commissioner: 'The Time for Rulemaking by the Biden-Harris FTC Is Over'
- 3NY Appellate Panel Cites Student's Disciplinary History While Sending Negligence Claim Against School District to Trial
- 4A Meta DIG and Its Nvidia Implications
- 5Deception or Coercion? California Supreme Court Grants Review in Jailhouse Confession Case
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250