Between July 2015 and July 2016 there were 14,804 cyber security incidents affecting Australian businesses, according to the Australian Cyber Security Centre (ACSC). Of those attacks, 418 were found to involve systems of national interest and critical infrastructure. However, the actual number of security breaches is expected to be much higher.
“This figure only represents reported attacks and there are likely to be many more unreported cases”, says Commander David McLean, Australian Federal Police Manager of Cybercrime Operations. The CeBIT team had the chance to talk to Commander McLean in the lead up to his presentation on Cybercrime: Appreciating the threat and formulating a response at CeBIT 2017. Read on to get his take on the state of attacks on Australia, the industries that are being targeted, what tactics cyber criminals are using and why companies need to look at education and reporting within a business to keep big data safe.
The state of attacks on Australian business
According to the ACSC 2016 Threat Report, the threat of cyber attacks against Australian government, infrastructure, industry or other networks, has grown following a series of high-profile disruptive and destructive incidents in other countries over the last five years.
While this estimate gives a good indication of the current threat level nationwide, it only really represents a snapshot of the whole picture. “Incidents affecting industry and critical infrastructure networks is heavily reliant on voluntary self-reporting”, says Commander McLean. “The challenge is that many companies are hesitant to report incidents to investigative government bodies due to concerns the disclosure may negatively affect their reputation or create legal or commercial liability.” This is even though multiple industries are now being targeted by cyber criminals and greater transparency would help advance security and respond to threats at a more appropriate pace.
Industries being targeted by cyber criminals
The ACSC report revealed that the energy and communications sectors had the highest number of compromised systems. DDoS activity was highest in the banking and financial services and communications sectors. And, the energy and mining resources sectors had the highest number of malicious emails being received. “On paper this may seem shocking,” says Commander McLean. “But these sectors understand that consumer confidence is paramount to their success. This means that their level of investment into security is often quite high and they’re well equipped to defend themselves against malicious attacks.”
What tactics are being used to target Australian businesses
Commander McLean says the AFP’s main role at ACSC is to focus on criminal activity, including intrusion, extortion, hacktivism and illicit marketplaces. Their investigations have highlighted common tactics that are frequently used by online criminal syndicates to attack Australian businesses, government departments and critical infrastructure. “There’s a lot of ransomware and DDoS extortion,” he says. He suggests that, rather than mounting personalised individual attacks, online criminals often go after large data sets, combing through them and looking for information that could damage an individual’s reputation. Interestingly, these criminals often don’t keep the information, but on-sell it to other criminal syndicates.
Other techniques ACSC combatted between 2015 and 2016 were:
Spear phishing: A classic technique where emails contain a malicious link or file attachment. ACSC says the methods used are becoming more convincing and difficult to spot.
Ransomware: This tactic was a major contributor to many issues in business and government around the globe in 2016. Locky, one of the most well-known and aggressive ransomware codes to hit the web in 2016, led to hospitals, libraries and many more businesses’ data being held illegally until the business fronted the ransom to unlock it. In the official threat report, ACSC said these campaigns are constantly evolving and highly successful. And they’re not targeted at one sector or industry. Even home users are increasingly falling victim to the code. CERT notes that while almost all ransomware is delivered via email, there are also some web-based exploit kits. “Phishing emails also use attachments to deliver their ransomware, such as malicious macros in Microsoft Office files which contain instructions on how to enable and run macros,” according to the ACSC Threat Report 2016.
Common program vulnerabilities: Microsoft Office has been identified as a program used by hackers to exploit victims, and so has Adobe Flash. The report states cyber adversaries will use the security holes in these programs to enable compromised websites and malvertising to host crimeware tools.
Secondary targeting: There’s also been an increase in criminals gaining access to data through seemingly unrelated connections. This could be a third party that shares a trusted relationship with the main target.
Bulk targeting: ACSC has identified that Australian businesses that hold bulk personal information will continue to be targeted by cyber criminals. They suggest businesses consider how much information they actually need on their customers. Their research shows that there are no signs of these attacks slowing down.
The importance of education
The AFP team works intimately with everyone at the ACSC to investigate these crimes but also works to educate all Australians about online safety. Commander McLean says it’s a concentrated joint effort through ACSC to lift the nation’s education level regarding cyber security to a height that can have a broad impact.
The Department of Defence has produced a guide, Strategies to mitigate targeted cyber intrusions, which lists 35 actionable tactics companies can employ to keep data safe. It’s estimated that it can prevent 85% of the intrusions businesses face today.
ACSC has also produced literature to help small businesses instil basic online security practices and educate employees. It was developed in collaboration with ANZ Bank, Australia Post, Commonwealth Bank, National Australia Bank, Westpac and Telstra. While aimed at small business, it’s a document that could be sent to all staff as a reminder about what to do and what not to do to stay safe online.
The tips include:
- Teaching employees about online risks and proactive ways to avoid falling victim to a crime
- Using two-factor authentication on their accounts as additional protection
- Learning how to identify if a URL is unsafe
- How to keep security software up to date
- How and why staff should back up data and keep it safe
- Teaching employees about the various kinds of suspect online activity that they may fall victim to if they don’t take precautions
What to do if a company becomes victim to an online crime
Commander McLean says taking a proactive approach on cyber security can prevent businesses from becoming a victim in the first place. He suggests getting the IT team to regularly visit the CERT website and familiarise themselves with the content there, as well as becoming a member. Members are updated via email about threats. He also says businesses need to understand they must legislate cyber security within their companies and organisations. “Accept that you need to educate everyone,” he says. “Everyone needs to invest time and money to make sure we lift awareness and our standards if we’re going to truly take cybercrime seriously.”
If a company does fall victim to a cybercrime, report it. “These threats are always evolving,” Commander McLean says. “We have a reliance on each other to get this right.” With so many attacks going unreported due to fear of public shaming and of rattling investors, the authorities do not have the accurate data they need to stop these crimes and catch their perpetrators.
Cybercrime and big data are two topics at the forefront of many CIOs’ minds. If you want to learn more, don’t miss Commander McLean’s presentation on Cybercrime: Appreciating the threat and formulating a response at CeBIT 2017. Secure your spot today.