This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.
As May prepares to give way to the promise of the month of June, it’s time to look back at some of the cyber stories that dominated the headlines during the month. The month begins with May Day, a tradition handed down from ancient times, when children dance around maypoles, festooned with flower crowns. The ancient rites celebrated the end of winter, and the dawn of a new season, a time to have hope. Locals could brag about who had the biggest maypole, perhaps the beginning of another practice that lasts to this day. As it happens, May Day is an apt characterization of the month’s cyber events, particularly if said three times in rapid succession.
The Beat Goes On
Cyberattacks involving ransomware — in which criminals use malicious software to encrypt a users’ data and then extort money to unencrypt it — increased 50 percent in 2016, according to a report from Verizon Communications Inc. And criminals increasingly shifted from going after individual consumers to attacking vulnerable organizations and businesses, the report said. Government organizations were the most frequent target of these ransomware attacks, followed by health-care businesses and financial services, according to data from security company McAfee Inc., which partnered with Verizon on the report published Thursday. Instances of ransomware attacks have grown along with the market for bitcoin, the digital currency that is most commonly how cybercriminals demand ransoms be paid because of its anonymity. While overall most malware was delivered through infected websites, increasingly criminals were turning to phishing — using fraudulent emails designed to get a user to download attachments or click on links to websites that are infected with malware — to carry out attacks. A fifth of all malware raids began with a phishing email in 2016, while fewer than 1 in 10 did the year before, according to the report.
Cybercriminals had a very good year in 2016 — and we all paid the price. These digital bandits became more ambitious and more creative and that resulted in a year marked by “extraordinary attacks,” according to the 2017 Internet Security Threat Report from Symantec. “Cyber crime hit the big time in 2016, with higher-profile victims and bigger-than-ever financial rewards,” the report concluded.
And The Beat Goes On
Organizations around the world were digging out Saturday from what experts are calling one of the biggest cyberattacks ever. Hospitals, major companies and government offices were hit by a virus that seeks to seize control of computers until the victims pay a ransom. Experts said that even as the spread of the attacks apparently has been stymied, its full ramifications are not yet known because the virus may be lurking still on computers around the world. Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday, making it one of the broadest and most damaging cyberattacks in history. Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like Fedex (FDX) also reported they had come under assault. Security experts said the spread of the ransomware had been inadvertently stopped late Friday. The ransomware was designed to repeatedly contact an unregistered domain in its code. A 22-year-old security researcher in the U.K, who goes by MalwareTech, registered that domain to analyze the attack, but it turned out the ransomware needed it to remain unregistered to keep spreading. “Thus by registering it we inadvertently stopped any subsequent infections,” he told CNNTech. However, a hacker could change the code to remove the domain and try the ransomware attack again.
A top cybersecurity firm say it’s “highly likely” that the biggest cyberattack the world has ever seen is linked to a hacking group affiliated with North Korea. The global ransomware attack known as WannaCry targeted hundreds of thousands of computers in around 150 countries, hitting hospitals, businesses and other organizations. In a blog post late Monday, security researchers at Symantec said the “tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus,” a hacking group that has previously been tied to North Korea. “We have high probability that these two are absolutely connected,” said Vikram Thakur, Symantec’s security response technical director. Lazarus has been linked to the hack on Sony Pictures, for which the U.S. government blamed North Korea, and a wave of attacks on banks around the world, including a major theft from Bangladesh’s central bank.
Drums Keep Pounding A Rhythm To The Brain
Organizations must rethink their security measures. Focus on training, getting rid of old tech, and overcoming apathy. Some learn best through observation, others only after making a costly mistake. Unfortunately, many businesses have failed to heed the cybersecurity lessons learned from the litany of major attacks over the past few years. Modern cybersecurity threats have evolved far beyond the days where keyloggers and suspicious emails were considered sophisticated threats. They’ve grown to incorporate new attack vectors such as connected devices, as used in the 2016 Dyn distributed denial-of-service attack that disrupted many popular websites. Businesses must also contend with leaked exploits discovered by government intelligence agencies, such as the Vault 7 ikileaks revelations around security flaws in virtually every major operating system and application.It’s time for organizations to rethink their approach to security. Keeping your organization safe must be a full-time commitment, not simply a passing concern following the latest report of a data breach.
In the near future, as artificial intelligence (AI) systems become more capable, we will begin to see more automated and increasingly sophisticated social engineering attacks. The rise of AI-enabled cyberattacks is expected to cause an explosion of network penetrations, personal data thefts, and an epidemic-level spread of intelligent computer viruses. Ironically, our best hope to defend against AI-enabled hacking is by using AI. But this is very likely to lead to an AI arms race, the consequences of which may be very troubling in the long term, especially as big government actors join the cyber wars. My research is at the intersection of AI and cybersecurity. In particular, I am researching how we can protect AI systems from bad actors, as well as how we can protect people from failed or malevolent AI. This work falls into a larger framework of AI safety, attempts to create AI that is exceedingly capable but also safe and beneficial. A lot has been written about problems that might arise with the arrival of “true AI,” either as a direct impact of such inventions or because of a programmer’s error. However, intentional malice in design and AI hacking have not been addressed to a sufficient degree in the scientific literature. It’s fair to say that when it comes to dangers from a purposefully unethical intelligence, anything is possible.
Harvard Business Review
After nearly 20 years of trying and billions of dollars in investment, why are organizations are still struggling with cybersecurity? In fact, the problem seems to be getting worse, not better. Answering this question requires moving beyond a purely technical examination of cybersecurity. It’s true that the technical challenges are very real; we don’t know how to write bug-free code, for example. But if you look at the challenge more broadly, even if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons:It’s not just a technical problem;The rules of cyberspace are different from the physical world’s; Cybersecurity law, policy, and practice are not yet fully developed. The first reason — that cybersecurity is more than just a technical problem, incorporating aspects of economics, human psychology, and other disciplines — has been explored in other articles in this cybersecurity series. However, the other two reasons also contribute strongly to making cybersecurity difficult, and our approaches must take them into account.
La de da de de, la de da de da
By Tom Davis, SDI Cyber Risk Practice
May 30, 2017