With malware and DDoS attacks on the rise how highly do you value your security?
Mention ‘cyber security’ and a series of thoughts spring to mind depending on your generational experience. If you’ve seen the 1990s blockbuster ‘Hackers’ then I sympathise with you, not least for the performances of Angelina Jolie and Johnny Lee Miller.
The Internet is changing. From its baggy-trousered early days, it is now more streamlined with flashy lights and adult pants. We see new malware samples increasing by the thousands every day. Each year high profile data breaches rise with developments in artificial intelligence to protect the fortunes of the 500 and those they work for.
From a business outlook, cyber security is a costly, ever evolving issue that is both protected against and bolstered by the advancement of technology. Each year we are seeing new regulations coming into effect to protect the consumer and encourage businesses to protect themselves from cyber security risks and fraud.
Connectivity, of course, has increased insurmountably since the nineties with 4G settling in and its younger brother 5G ready to join the party in the next couple of years. IoT has been the industry buzzword for a while now, but many analysts are spotting the security dangers of its development.
We now see phrases like ‘dead apps’, ‘digital businesses’, ‘bring your own device’ (BYOD) and my personal favourite regulation the ‘NIS directive’ (very Next Generation). We’re going to aim to tussle all of these issues here to give an idea of what the future could hold for cyber security in 2018 and beyond.
Malware samples are the main sources for researchers to collate data when developing techniques to increase defenses against cyber attacks. On occasion, they mine ‘honey pots’, otherwise known as malicious URLS. The collation of malware is also useful for indicating the rise and decline of cyber security risk.
Panda Security marketing manager Neil Martin told Mobile News that at the start of 1990 there were only 12 Malware samples around. Martin said: “By 1995 there were more than a thousand viruses, and for the next couple of years it continued to grow, so by about 2005 there were around one and a half million malware samples out there and this was causing a big problem.”
The malware indicator in Q3 of 2017 revealed 57.6 million new malware samples. According to the December 2017 McAfee Labs report, there was more new malware detected than in any previous quarter, up 10 per cent from Q2 of 2017.
Although this is an alarming figure, the way in which we determine and indicate the cyber security level is now evolving. Many suggest a drop or rise in malware samples wouldn’t necessarily mean an increase or decrease in security prospects.
Martin said: “Attacks are becoming a lot more targeted. We’re seeing a switch away from the mass email epidemics like the ‘I love you’ and ‘the Kournikova’ breaches that we saw throughout the 90s to more advanced Trojan attacks.”
Trojan malware is disguised as legitimate software, so as to gain access to users’ systems and databases. A high-profile example of a Trojan attack is Zeus (aka Zbot) which was first detected in 2007. It is understood hundreds of millions of dollars has been pilfered from bank accounts by Zeus.
It mainly uses keylogging, where a computer program records every keystroke made by a computer user remotely to gather data and full access to accounts. Analysts and security professionals like Martin are suggesting we’re now seeing more targeted attacks, as well as the emergence of self-destruct malware – a malware that having infected a device and completed its nefarious purposes deletes itself.
Martin added: “If the malware laboratories like Panda labs can’t get hold of the sample of the malware it makes it a lot harder to create a solution to stop it. This is also compounded by the fact that IT environments are becoming more complex.”
Iot And Bring Your Own Device
Attacks on operating systems other than traditional IT environments like Windows are still less frequent and smaller in magnitude, according to the McAfee report, yet this doesn’t mean there isn’t a serious issue with emerging IT environments.
We are beginning to see that most IT environments are becoming more complex, with people often using their own devices while being connected 24/7 from various locations.
This creates a necessary development from traditional security solutions; even though they are evolving, are they evolving fast enough? Pangea managing director Daniel Cunliffe told Mobile News companies must ensure employees adhere to security rules.
He said: “We do allow some employees to bring their own devices. This can have some issues related to it, but that also has positives for productivity. So we try to get people to make sure they’ve got the latest updates.”
Cunliffe also suggested that employees and employers alike should be wary of dead apps, which could potentially be an entrance for a data breach. Some devices can hold old versions of apps for months, increasing the chances of cyber security issues.
The BYOD culture and the increasing IoT landscape has an obvious interrelated nature, but how safe is this new environment for business?
Cunliffe said: “Obviously, being an IoT ecosystem provider is a massive part of our thought process. Specifically when it comes to security, 5G and what lower latency over mobile means to the internet of things.
“At the moment I would say IoT malware is still a little bit in its infancy, however, it’s going get more advanced. The more devices we connect to the Internet, the more opportunity there is for someone to come in and do something that is a threat when you overload.”
This creates a major concern with cyber security as we edge further into 2018 and the availability of Internet connected devices increases while vulnerable operating systems continue to be underdeveloped.
Corero Network Security’s vice-president Stephanie Weagle, told Mobile news: “A lot of these devices rely on default standard passwords, so hackers are not really trying too hard to get access to the device itself.
“And once that individual device is connected to the Internet you just continue to expand the number of devices that are connected to be used as a target, that then becomes a very useful tool to launch DDoS attacks.”
If you haven’t heard of the distributed denial of service (DDoS) attacks yet, then by the end 2018 you most definitely will. A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
With the botnet (Internet connected devices and or computers) activity increased by the developing IoT landscape, this is another sign companies need to develop IoT security.
Weagle added: “As we know too well, these DDoS attacks are easy to launch and it doesn’t require any real in-depth knowledge of programming or networking. It’s becoming harder to ignore these security risks that are associated with IoT. This is why we believe that this particular threat will continue to dominate in 2018.”
One of the ways that cyber security can battle the IoT war of the botnet is with artificial intelligence. Not the sort that Miller portrays in the critically acclaimed 90s wonder film ‘Hackers’, but the simulated puzzle solving mystical algorithms of the mind of the future.
Artificial intelligence in the form of digital assistants are becoming a common occurrence in the consumer world, adorning living spaces and devices. Now these digital assisted devices are being utilised in the workplace.
With Amazon’s announcement of the Alexa for Business Platform, there is now an option for employees to download individual assistants to help with updates, company protocol and office duties.
It may sound like the perfect solution for the IoT update issue, but MWR labs cyber security researcher Mark Barnes thinks otherwise. In a report for the cyber security research centre in November Barnes concluded that AI digital assistants can be prone to hacking.
According to the report, the technology used in Amazon’s Alexa is similar to that of Google Assistant and Siri voice recognition software that has major security flaws. A hacker could utilise the listening device and break through various entry points for a DDoS attack.
Digital assistants are not the only AI solution influencing cyber security, as big data becomes another byword in the industry, and cyber security innovation is moving in the direction of AI data processing.
In a recent BICS report AI is seen as a major way forward. BICS head of fraud operations and services Katia González told Mobile News: “We need to find ways to process large amounts of data coming from very different sources, to be able to have systems that learn fast enough, smart enough, to bring interesting information. There are a lot of people working on AI initiatives.”
The department for Digital Culture Media and Sport (DCMS) has warned organisations may run the risk of fines up to £17 million if they fail to implement the correct and or effective cyber security measures in the future. One of these fine-bearing regulations is the General Data Protection Regulation (GDPR) that comes into force on May 5.
This regulation could be seen as a response to the growing fears of cyber security risks in 2018, but it’s not the only implementation this year. The Network, Information and Security (NIS) Directive is the first piece of EU-wide legislation on cyber security due to come into force on May 9.
Weagle said: “The NIS Directive does have a structure similar to GDPR but it’s based on critical infrastructure services that could be taken down as a result of the cyber threat, not only the breach implications but just the interruption of service availability for those critical infrastructure organisations.”
The NIS directive aims to highlight that all critical infrastructures should assume a cyber attack will happen at some point, and when it does those organisations must be prepared to deal with it.
The organisations must have proactive mechanisms in place to minimise the impact, especially on social services. So what is the future of cyber security?
If you work under the assumption that most modern companies have run a cyber security risk assessment, then implementation is often not hampered by imagination and information, but rather the size of budget and the time available to implement security measures.
Considering this, if any organisation had the money they would obviously lavish their systems with state-of-the-art cyber security protection. The main cyber security fears of 2018 are the ever evolving target malware attacks, DDoS attacks, and the advancement of IoT.
It seems by the end of the year we could be looking back at a series of data breaches at an unprecedented level, not to mention the cyber security regulatory fines. So the question is, just how much do you value security?