Another day, another cybercrime story. HBO made headlines in July when its network systems were hacked and 1.5 terabytes of data was stolen and held to ransom. And just a few days ago, half a million pacemakers were recalled by the US Food and Drug Administration (FDA) due to security holes that put them at risk of being hacked. These vulnerabilities would have allowed hackers to gain unauthorised access to the devices, and then use this access to deliberately run the battery flat or conduct “administration of inappropriate pacing” – both of which could potentially result in the patient’s death.
You might not have a pacemaker, but you and your business will have myriad other devices that are potentially exposed to cyberattacks – phones, computers and smart TVs, to name just a few. Even devices like printers and baby monitors aren’t safe anymore.
So what are the recent cybersecurity risks you need to be aware of – and what can you do to mitigate these risks?
Here are 3 of the biggest cybersecurity risks facing you and your business today.
1) Distributed denial of service (DDOS) attacks
As the Internet of Things (IoT) gains ground, so too do its risks, one of the biggest being the potential for DDOS attacks.
DDOS attacks work by infecting devices with malware and coordinating those devices to create a ‘botnet’ that then bombards web servers with junk traffic, causing them to crash. While botnets used to be built primarily with PCs, internet-connected devices with lax security are now making it possible for botnets to be built with more inconspicuous devices, such as routers, baby monitors and webcams.
In October 2016, a botnet known as ‘Mirai’, which was built with IoT devices, took down some of the most popular websites in the world, including Twitter, Netflix, Reddit and CNN, in one of the largest cyberattacks of all time.
Just last week, 300 apps were removed from Google’s Play Store after they were found to be hijacking Android devices to use them in DDOS attacks. The resulting botnet, ‘WireX’, is predicted to have infected at least 70,000 devices in over 100 countries – and this estimate is ‘conservative’.
The number of DDOS attacks is only going to increase – research firm Gartner predicts there will be 6.4 billion devices connected to the internet by 2018, and that by 2020, a quarter of known cyberattacks will involve IoT.
What to do to prevent it
To lower the risk of DDOS attacks, take a close look at the IoT devices in your home and office, and get rid of any unnecessary devices that are accessing the internet for no reason. For those that need to remain connected, be sure to change default passwords and ensure the firmware is up to date.
You should also monitor your websites carefully, looking out for any unusual traffic spikes that can’t be explained. A strong firewall and upstream filtering, which passes traffic through a tunnel to determine what is good and bad, can also help to protect online assets.
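One way to watch for unexplained traffic spikes, shown as an added example that is not part of the original article: the script counts requests per minute in a web server access log and flags any minute that far exceeds the recent median. The common log timestamp format, the thresholds and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter
from statistics import median

# Timestamp of a common/combined-format access log line, cut to the minute:
# [12/Sep/2017:10:03:27 +0000] -> 12/Sep/2017:10:03
MINUTE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]")

def requests_per_minute(lines):
    """Count requests per minute, keeping minutes in first-seen order."""
    counts = Counter()
    for line in lines:
        m = MINUTE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def find_spikes(counts, window=5, factor=4.0, floor=20):
    """Flag minutes whose count exceeds `factor` times the median of the
    previous `window` minutes and also an absolute floor, so that a quiet
    site going from 1 to 5 requests does not raise an alert."""
    minutes = list(counts)
    spikes = []
    for i in range(window, len(minutes)):
        baseline = median(counts[m] for m in minutes[i - window:i])
        current = counts[minutes[i]]
        if current >= floor and current > factor * max(baseline, 1):
            spikes.append((minutes[i], current, baseline))
    return spikes

def build_sample_log():
    """Constructed sample: six quiet minutes, then one flooded minute."""
    per_minute = [8, 10, 9, 11, 10, 9, 240]
    lines = []
    for offset, n in enumerate(per_minute):
        for i in range(n):
            lines.append(
                f"198.51.100.{i % 250 + 1} - - "
                f"[12/Sep/2017:10:{offset:02d}:{i % 60:02d} +0000] "
                '"GET / HTTP/1.1" 200 512'
            )
    return lines

if __name__ == "__main__":
    counts = requests_per_minute(build_sample_log())
    for minute, count, baseline in find_spikes(counts):
        print(f"{minute}: {count} requests (recent median {baseline})")
```

Minutes with no requests at all do not appear in the log, so they are not part of the baseline; a production monitor would fill those gaps with zeros.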
2) Ransomware
Ransomware is an especially malevolent type of malware, which works by encrypting data on the infected computer, preventing the user from being able to access it. Once all the files are encrypted, the malware demands money in order to release the data, and threatens to destroy the data if the money is not received.
While ransomware is not new – the first instance of it appeared in 1989 – it exploded in 2016, increasing by an estimated 748 per cent. And it doesn’t look like it’s slowing in popularity any time soon.
Earlier this year, in May, we saw ransomware WannaCry sweep the globe. By exploiting a vulnerability in Windows PCs, WannaCry was able to run rampant and affect over 300,000 victims in over 150 countries. It even managed to bring down the NHS in the UK, resulting in cancelled operations, diverted ambulances and unavailable patient records.
Screenshot of WannaCry
Not long after, in June, the world was hit by NotPetya, so called because it masquerades as a previous form of malware known as Petya. Similarly to WannaCry, NotPetya demands money to unscramble the data it has encrypted. However, upon further investigation, it was discovered that the mechanisms built to collect money from the victims had quickly disintegrated. Even if victims wanted to pay the ransom, they weren’t able to – there was no way to save their data from being irrevocably destroyed. It seemed NotPetya was built with the sole purpose of spreading mayhem, rather than for financial gain.
NotPetya has wreaked havoc in Ukraine, which appears to be ‘ground zero’ – it has even affected the automatic radiation monitoring systems in Chernobyl. Other organisations that have been hit include pharmaceutical company Merck and shipping conglomerate Maersk. And Australia didn’t escape unscathed – NotPetya also managed to stop production at the Cadbury chocolate factory in Tasmania.
Mobile ransomware attacks have also soared, growing 50 per cent this year compared to last. One, called Lockerpin, claims to be the FBI and accuses the victim of harbouring illegal content, saying the charges will be dropped if the victims pay a ‘fine’. Another, called Charger, steals the data from your phone and threatens to sell it unless a ransom is paid.
The sad fact is that ransomware works – it’s quick and easy to build and deploy, and difficult to protect against – so expect ransomware to become more sophisticated and more rampant in the coming months.
What to do to prevent it
Email is by far the most popular way to spread ransomware, so be wary of emails that seem suspicious – if the email address is strange or the email itself is poorly formatted, these could be warning signs. Educate employees at your company to be able to recognise emails that are potentially infected, and ask them to double check any emails they are unsure about with IT before opening them.
3) Phishing
While not quite as old as ransomware, phishing has also been around for a number of years, originating around 1995. A fairly common type of fraud, phishing is where scammers send emails that seem to be from a reputable source, as a means to get you to divulge personal information, which is then used to commit identity theft.
Most people would be familiar with these types of emails, and many might think they’re good at recognising them. But many still get unwittingly caught out. According to Bloomberg, 2016 was a record year for data breaches – and phishing accounted for 56 per cent of those breaches. Turns out it’s easier to trick people than to penetrate complex digital defences.
Not to mention phishing scams are now more sophisticated than ever. In May, Google Docs users were caught out by a particularly convincing phishing scheme, which sends targets an email from someone they know inviting them to edit a file in Google Docs. Clicking on the link within the email takes them to a real Google sign-in screen, after which the target is then redirected to a third-party app falsely labelled ‘Google Docs’, which allows phishers to access their email and address book. While this breach was quickly resolved by Google, it shows how much phishing scams have evolved, and gives some insight into why they are such a big contributor to data breaches.
Last week, MacEwan University in Canada lost nearly $10 million in a phishing scam, when staff received an email claiming one of its clients was changing its bank account details, and transferred money into the fraudulent account. And, deplorably, hackers are even taking advantage of Hurricane Harvey, a natural disaster that devastated Texas, with phishing emails and scam websites that claim to be supporting hurricane relief efforts.
Like DDOS attacks and ransomware, phishing is not going to go away anytime soon. Data breaches in effect feed phishing by supplying more targets, and with this recent spate of data breaches, more people are vulnerable than ever.
What to do to prevent it
As with ransomware, it’s important to be on the lookout for red flags. Things like suspicious domain names, poor spelling or grammar, or a link-to address that is different to the hyperlink that’s displayed are warning signs.
The safest thing to do is to read your emails in plain text – phishing emails often contain convincing clickable images, and reading your emails in plain text will alert you to any URLs that seem off.
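The two checks above, as an added example that is not part of the original article: the script renders an HTML email as plain text with every link's real destination written out, and flags links whose visible text names one host while the underlying address points to another. The sample email and its example.com / example.net hosts are constructed, and the exact-host comparison is a simple heuristic chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkAuditor(HTMLParser):
    """Collects (visible text, href) per <a>; builds text with hrefs shown."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._label = attrs["href"], []
        elif tag == "img" and self._href is not None:
            # A clickable image has no text; show its alt text instead.
            self._label.append(attrs.get("alt") or "[image]")

    def handle_data(self, data):
        (self._label if self._href is not None else self.text).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join("".join(self._label).split())
            self.links.append((label, self._href))
            self.text.append(f"{label} <{self._href}>")
            self._href = None

def host_of(value):
    """Host of a URL-looking string, or None if the text is not a URL."""
    value = value.strip()
    if "://" not in value:
        if " " in value or "." not in value:
            return None
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower() or None

def audit(html):
    """Return (plain_text, mismatches) for one HTML email body."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    bad = [(label, href) for label, href in p.links
           if host_of(label) and host_of(label) != host_of(href)]
    return " ".join("".join(p.text).split()), bad

# Constructed sample email body (not a real message).
SAMPLE_EMAIL = ('<p>Your account is on hold. Confirm at '
                '<a href="http://account-check.example.net/verify">www.example.com/login</a>'
                ' or <a href="https://www.example.com/help">contact support</a>.</p>')
```

Calling `audit(SAMPLE_EMAIL)` returns the plain-text rendering and a one-item list containing the first link, whose displayed address and real destination disagree.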
You can also take extra measures, like installing an anti-phishing toolbar for your browser, and using both a desktop firewall and a network firewall.
And as a general precaution, always ensure software (particularly anti-virus software), applications and operating systems are up to date, and make sure to regularly and securely back up your data, so that in the event of an attack, your files can easily be restored.
Vigilance is key
While these sorts of threats have been around for years, in recent months they have evolved to become more sophisticated, more virulent and more destructive than ever before. It’s important, therefore, to not become complacent.
As Josh Ray, managing director at Accenture Security, said in a recent press release, “... a new bar has been set for cybersecurity teams across all industries to defend their assets in the coming months.”