Cyber Security – Threats and Vulnerabilities 101 – Business Continuity
This information is from my new book, The Ultimate Business Continuity Success Guide: How to Build Real-World Resilience and Unleash Exciting New Value Streams. Happily it is now Amazon’s #1 searched business continuity book. I hope you enjoy the chapter and the book.
Business Continuity Tips, Techniques and Secrets
Warning: Please do not read this chapter before you go to sleep.
Threats to the security of desktop and mobile devices, and to the data on those devices, have exploded in recent years. We all know of organizations that have been compromised. There is a saying that there are only two types of companies: the ones that have been cyber compromised and admit it, and the ones that have been cyber compromised and do not admit it. The vast majority of cyber-crime incidents are never publicized.
When I interview high-level leaders in organizations and ask the very important question, ‘What keeps you up at night?’, the number one operational concern in recent years has been cyber security and systems-related issues, including ransomware, viruses, malware, data breaches, latency and critical systems not being available.
I realize most people reading this book are not cyber security or IT experts, although I sometimes straddle the line. But if unencrypted sensitive data is stolen from your organization, or malware originating from a desktop or mobile device infects your intranet, encrypts all of your files and demands a ransom or else everything will be deleted, you will have a major business continuity event on your hands.
This chapter is not intended to be a comprehensive course on cyber security. My goal is to make you aware of threats, vulnerabilities and in an upcoming chapter discuss best practices that can help you avoid a nightmare scenario. Consider these chapters a launchpad for you.
I do feel it would behoove you to learn as much as you can about cyber security, especially if it interests you. Unfortunately, it will only become more important in the coming years as cyber-attacks become more complex and occur more often. It can also open new career avenues for you. I know business continuity professionals who transitioned to red-hot cyber-related positions such as Chief Information Security Officer (CISO). You are in the perfect position to learn as much as you want to about cyber security, as it will help you do a better job. It is the cousin of business continuity and resilience. In many organizations cyber security, IT, risk and business continuity report to the same management. Knowledge of business continuity, resilience and cyber security will put you in an enviable position.
Information in this chapter spans mobile and desktop threats and vulnerabilities. Most of the threats apply to both platforms. Where a threat is mobile specific I try to point it out.
The use of mobile devices including phones, tablets and Internet of Things (IOT) devices is growing exponentially. Billions of devices beyond traditionally tethered desktops now ride the internet and often have access to our internal networks. Business Resilience – Business Continuity (BRBC) Professionals should be VERY concerned that these devices have proper security controls. Many of them do not! Mobile and desktop vulnerabilities that are exploited can become high profile difficult business continuity events. Upper management should understand that heads will roll.
Malware (software intended to do evil), ransomware, phishing, viruses, worms and theft of portable devices increase every year. Vulnerabilities are out of control in many organizations. Cyber criminals use a variety of attack methods, including intercepting data as it is transmitted to and from mobile devices and inserting malicious code into software applications to gain access to users’ sensitive information. These threats and attacks are facilitated by vulnerabilities in the design and configuration of mobile devices, as well as the ways people use them. Common vulnerabilities can be as simple as the failure to enable password protection, and include operating systems that are not kept up to date with the latest security patches.
You can use a lot of the info in this chapter when speaking with your IT people. We do not want anyone to lose their job as a result of being complacent and thinking ‘it won’t happen to me’ – until it does!
Examples of nasty, expensive, embarrassing disruptive events include:
- Fines against a company for distributing malware versions of an application that triggered mobile devices to send costly text messages to a premium-rate telephone number.
- Many Android devices in China were infected with malware that connected them to a botnet. The botnet’s operator could remotely control the devices and incur charges on user accounts connecting users to pay-per-view video services. The number of infected devices able to generate revenue on any given day ranged from 10,000 to 30,000, enough to potentially net the botnet’s operator millions of dollars annually if infection rates were sustained. Believe it or not that number of botnet devices is relatively small compared to botnets numbering in the millions of devices!
- An ex-NSA contractor allegedly stole 50 terabytes of data including top secret documents. That amounts to over 50 million pages of information. To put it in context the Library of Congress print collection is ‘only’ approximately 15 terabytes!
- The FTC reached a settlement of an unfair practice case with a company after alleging that its mobile application was likely to cause consumers to unwittingly disclose personal files, such as pictures and videos, stored on their smartphones and tablets. The company had configured the application’s default settings so that upon installation and set-up it would publicly share users’ photos, videos, documents, and other files stored on those devices.
- I discuss the alleged cyber-attack by North Korea on SONY (R) Corporation later in the chapter. It was reported that the malware had been sitting in their network for months before the attack.
- The Las Vegas Sands(R) Corporation, owner of major casinos, had a major cyber-attack in 2014 that was not revealed until 2016. Malware crippled thousands of servers and workstations on their network.
- The WannaCry Ransomware attack hit on Friday, 12 May 2017. Within 24 hours it was reported to have infected more than 235,000 computers in over 150 countries. I can confidently assure you it was more damaging than the publicized numbers. Speaking with cyber security friends, I know of many companies impacted by the event. In my opinion had the malware been released earlier in the week it would have caused a much bigger financial impact. Many companies had the weekend to ‘hopefully’ clean up the mess. I say ‘hopefully’ in the hope that it did not leave ‘sleeper agent software’ on networks. The kicker is the virus was completely avoidable if systems had simply been patched. We will discuss patching and other best practices in the upcoming ‘Cyber Security – Best Practice Tips’ chapter.
- Please also read the ‘Cyber Security – C’s On The Hot Seat’ chapter a bit later in this part of the book for a buffet of other cyber causalities.
Sources of Threats and Attack Methods Vary
The increasing prevalence of attacks against desktop, mobile and IOT devices makes it important to assess and understand the nature of the threats they face and the vulnerabilities these attacks exploit. We do not need these threats to manifest into serious business continuity events.
Threats can be unintentional or intentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems. Intentional threats include both targeted and random attacks from a variety of sources, including botnet operators, cyber criminals, hackers, foreign nations engaged in espionage, disgruntled employees, students and terrorists. These threat sources vary in terms of their capabilities, their willingness to act and their motives. Motives include monetary gain, political advantage or anger at a specific organization. For example, cyber criminals are using various attack methods to access sensitive information that is stored on and transmitted by connected devices. There is a lot of profit in selling sensitive data, or in encrypting it and demanding a ransom to ‘set it free’.
Here is a short list of people that can compromise your network and take you down:
*Some of the information below originates from the GAO report: ‘Information Security – Better Implementation of Controls for Mobile Devices Should Be Encouraged’, with my additions and annotations.
Threat – Botnet operators:
Botnet operators use malware distributed to large numbers of desktop and mobile devices to coordinate remotely controlled attacks on websites and to distribute ransomware, phishing schemes, spam, and further malware attacks on individual mobile devices. When you read front page news about Distributed Denial of Service (DDoS) attacks making popular websites inaccessible, they are often initiated by large botnets. Botnets can be in the tens of millions of computers directing traffic at a targeted site. DDoS is very difficult to stop and can bring a business that is not prepared to a standstill. Botnets and the underlying bots are getting exponentially more sophisticated.
Threat – Cyber criminals:
Cyber criminals generally attack devices for monetary gain. Ransomware is becoming a weapon of choice. Cyber criminals may use viruses, worms, spam, phishing, and spyware/malware to gain access to the information stored on a device, which they then use to commit identity theft, online fraud, and computer extortion. They may encrypt files and demand ransom in the form of electronic currency to decrypt the files. In addition, international criminal organizations pose a threat to corporations, schools, government agencies and other institutions by attacking mobile devices to conduct industrial espionage and large-scale monetary and intellectual property theft.
Threat – Foreign governments:
Nation-state attacks are launched by foreign countries. Some are extremely sophisticated. It has been suggested that North Korea attacked SONY and Russia hacked the Democratic National Convention. Both were front-page news. It is often difficult to trace an attack back to a particular country. There have also been suggestions that various nation states have gained unauthorized access to sensitive governmental systems. In fact, it has been widely reported that Russia initiated 6,500+ cyber-attacks against Ukraine within a 60-day period.
Tip – A great book on cyber warfare is, ‘iWar: War and Peace in the Information Age’ by Bill Gertz.
Tip – I have a lot more to communicate about the coming Cyber Wars in chilling articles in the Ultimate Business Continuity Tips, Techniques and Tools Newsletter. I will also be describing nation-state system probes and damaging attacks that have already occurred against critical infrastructure.
Not a Threat – Ethical Hackers – the good guys
Before I describe unethical hacking, I just want to mention that in the software development profession the terms ‘hacking a system’ and ‘ethical hacking’ can mean coming up with something creative, or testing a system to discover vulnerabilities and close them before an unethical attack.
Threat – Unethical Hackers – the bad guys
I enjoyed the movie WarGames with Matthew Broderick, back in the day. It still holds up in a quaint sort of way. Unfortunately, unethical hackers can cause havoc on mobile devices. Hackers may attack mobile devices to demonstrate their skill or gain prestige in the hacker community. While hacking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and easily launch them against desktop, mobile and millions of IOT devices. It does not take a lot of technical talent. The Dark Web is packed with scripts and stolen sensitive data including credit card and social security numbers for sale to all takers. I strongly suggest that you do not venture onto the Dark Web.
Threat – Terrorists:
Terrorists may seek to destroy, incapacitate, or exploit critical infrastructures such as computer networks to threaten national security or damage public morale and confidence. Terrorists may also use phishing schemes or spyware/malware to generate funds or gather sensitive information from mobile, desktop or IOT devices.
Common Attack Techniques Used by the Groups Described Above:
Browser exploits: These exploits are designed to take advantage of vulnerabilities in software used to access websites. Visiting certain web pages and/or clicking on certain hyperlinks can trigger browser exploits that install malware or perform other adverse actions on a mobile device. Older versions of Internet Explorer had many browser exploits, as it was targeted due to its popularity. Additional details on a few types of common browser exploits are listed below.
Data interception (sniffing): Anyone on an open Wi-Fi network can easily read (sniff) unencrypted data. If you send unencrypted data over the Internet it can pass through many servers in clear (readable) text. Only send unencrypted data if you do not mind anyone reading and using it. Data on the Internet travels in funny ways. Using IP (Internet Protocol), a message sent to your friend who lives on your street can traverse the globe and go through many servers. The message can be intercepted and read at any point along the way. It is quite easy to intercept (sniff) messages.
Keystroke logging: This is a type of malware that records keystrokes on desktop or mobile devices in order to capture sensitive information, such as credit card numbers. Generally keystroke loggers transmit the information they capture to a cyber criminal’s website or e-mail address. This is very dangerous and very prevalent. At a dinner party a while back a friend asked me if his spouse could intercept what he was inputting on his desktop or mobile device. My answer was, ‘yes, it is easy with a keystroke logger.’ His face turned red – uh, oh!
Malware: Unfortunately, too many people have been victims of malware. Malware targets desktops, mobile devices and IOT devices. Malware is often disguised as a game, patch, utility, or other useful third-party software application. Malware can include spyware (software that is secretly installed to gather information on individuals or organizations without their knowledge), viruses (a program that can copy itself and infect the mobile system without the permission or knowledge of the user), and Trojans (a type of malware that disguises itself as, or hides itself within, a legitimate file).
Once installed, malware can initiate a wide range of attacks and spread itself onto other devices. The malicious application can perform a variety of functions, including accessing location information and other sensitive information, gaining read/write access to the user’s browsing history, initiating telephone calls, activating the device’s microphone or camera to surreptitiously record information, and downloading other malicious applications. Repackaging is the process of modifying a legitimate application to insert malicious code.
Malware can also install sleeper agent software. It is insidious code that lies in wait for a particular trigger, such as a future date, to launch itself and attack your systems. It can also open ports and back doors and/or steal your data.
One malware attack on your organization can bring your network and business to a standstill. Be careful, malware is a very serious concern. I will have more to say on malware prevention and mitigation in the cyber best practices chapter.
Old Operating Systems: Operating systems that are out of date or being phased out can pose great risks. For example, systems running on Windows XP are probably not being patched and can be easy targets for hackers to gain entry to your network. I know of critical systems that were still being run on XP long after it was actively supported, and perhaps are still a risk. I have a feeling if I had a dollar for every computer running XP I would be a rich man.
Unauthorized location tracking:
Do you want the bad guys to know where you are OR are not? It is like saying, ‘I am not home, come break into my house and rob me!‘ Location tracking allows the whereabouts of registered mobile devices to be known and monitored. While it can be done openly for legitimate purposes, it may also take place surreptitiously. Location data may be obtained through legitimate software applications as well as malware loaded on a user’s mobile device. Also, use care when posting pictures on social media. The pictures can contain location metadata that can be used by criminals.
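The location metadata mentioned above lives in the Exif APP1 segment of a JPEG, in a GPS sub-IFD. The following added example (not from the book) constructs a minimal JPEG carrying constructed GPS coordinates, reads them back as decimal degrees, and then strips the Exif segment the way a defender would before a photo is posted; the sample image is a structural stub, not a viewable picture.

```python
import struct

# Constructed sample: a minimal JPEG whose only payload is an Exif APP1 segment
# holding a GPS IFD with latitude 40d26'46.8"N and longitude 79d58'56.4"W.
def _rationals(triples):
    return b"".join(struct.pack(">II", n, d) for n, d in triples)

def build_sample_jpeg() -> bytes:
    lat = _rationals([(40, 1), (26, 1), (468, 10)])   # degrees, minutes, seconds
    lon = _rationals([(79, 1), (58, 1), (564, 10)])
    # IFD0 at TIFF offset 8: a single entry (tag 0x8825) pointing at the GPS IFD at 26.
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", 0x8825, 4, 1, 26) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")  # GPSLatitudeRef (ASCII)
    gps += struct.pack(">HHII", 0x0002, 5, 3, 80)                 # GPSLatitude: 3 RATIONALs at 80
    gps += struct.pack(">HHI4s", 0x0003, 2, 2, b"W\x00\x00\x00")  # GPSLongitudeRef
    gps += struct.pack(">HHII", 0x0004, 5, 3, 104)                # GPSLongitude: 3 RATIONALs at 104
    gps += struct.pack(">I", 0)                                   # no next IFD
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + lat + lon
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"   # SOI, APP1, EOI

def _segments(jpeg: bytes):
    """Yield (marker, start, end) byte ranges for each segment after SOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or SOS: keep the rest verbatim
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def _dms(tiff: bytes, end: str, offset: int) -> float:
    v = struct.unpack(end + "6I", tiff[offset:offset + 24])
    return v[0] / v[1] + (v[2] / v[3]) / 60 + (v[4] / v[5]) / 3600

def extract_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        e = ">" if tiff[:2] == b"MM" else "<"           # byte order from the TIFF header
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        gps_ifd = None
        for i in range(struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]):
            off = ifd0 + 2 + 12 * i
            tag, _typ, _cnt, val = struct.unpack(e + "HHII", tiff[off:off + 12])
            if tag == 0x8825:
                gps_ifd = val
        if gps_ifd is None:
            return None
        fields = {}
        for i in range(struct.unpack(e + "H", tiff[gps_ifd:gps_ifd + 2])[0]):
            off = gps_ifd + 2 + 12 * i
            tag = struct.unpack(e + "H", tiff[off:off + 2])[0]
            raw = tiff[off + 8:off + 12]                 # 4-byte value-or-offset slot
            if tag in (1, 3):                            # N/S and E/W reference letters
                fields[tag] = raw[:1].decode()
            elif tag in (2, 4):                          # RATIONAL triples live at an offset
                fields[tag] = _dms(tiff, e, struct.unpack(e + "I", raw)[0])
        if {1, 2, 3, 4} <= fields.keys():
            lat = fields[2] * (-1 if fields[1] == "S" else 1)
            lon = fields[4] * (-1 if fields[3] == "W" else 1)
            return lat, lon
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Rebuild the file without any Exif APP1 segment, removing GPS and all other Exif data."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", extract_gps(sample))
    print("after: ", extract_gps(strip_exif(sample)))
```

Real camera files carry the same structure inside a larger APP1 segment, so the same walker applies; only the constructed sample is a stub.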
Phishing: Phishing is one of the most popular scams. A phishing attack frequently uses e-mail or pop-up messages to deceive people into disclosing sensitive information. Internet scammers use e-mail bait to “phish” for passwords and financial information from mobile users and other Internet users. I have done ethical phishing tests for organizations where 70% of users clicked on a link that, had it not been a test, would have infected a network. Phishing emails are hard to distinguish from the real thing. I have suggestions on dealing with phishing in the next chapter. I also have a recommendation on a phishing prevention company that I respect.
SCADA software and hardware: Supervisory control and data acquisition (SCADA) is a system of software and hardware elements that allows industrial organizations to control industrial processes locally or at remote locations. It also can monitor, gather, and process real-time data. The risk can be great and physically dangerous. Often SCADA systems are not patched in a timely manner or at all if the vendor no longer exists or does not publish a patch. An attack on a SCADA system can melt down critical infrastructure components or spin a nuclear centrifuge out of control. Both have happened. I go into more detail on SCADA risks and breaches in the Ultimate Business Continuity Tips, Techniques and Tools Newsletter.
Spam: Spam is unsolicited commercial e-mail advertising products, services and websites. Spam can also be used as a delivery mechanism for malicious software. Spam can appear in text messages as well as email. Besides the inconvenience of deleting spam, users may face charges for unwanted text messages. Spam can also be used for phishing attempts. Spamming goes back to the dawn of email decades ago. If you think it does not work, you would be mistaken. Unfortunately, spam can be very profitable because the cost to send it is so low. Some spammers can make a fortune with click-throughs of only one in a million.
Spoofing: Attackers may create fraudulent websites to mimic or “spoof” legitimate sites, and in some cases may use the fraudulent sites to distribute malware to mobile or desktop devices. Email spoofing occurs when the sender address and other parts of an e-mail header are altered to appear as though the e-mail originated from a different source. Spoofing hides the origin of an e-mail message. Spoofed emails may contain malware. Firewalls and security software will sometimes mistakenly think an address is being spoofed when you actually want a large number of emails to come into your intranet. An example of this would be the use of an outsourced mass notification tool. In that case your IT department can white-list the vendor IP address sending the emails to your employees. Otherwise the messages will be blocked.
Zero-day exploits: This is a difficult one to deal with. A zero-day exploit takes advantage of a security vulnerability before an update for the vulnerability is available. By writing an exploit for an unknown vulnerability, the attacker creates a potential threat because mobile devices generally will not have software patches to prevent the exploit from succeeding.
Now let us discuss a range of vulnerabilities below which can become serious business continuity events. Some of these are mobile specific and many apply to mobile and desktops. In the chapter after the next we will talk about compensating controls for many of these vulnerabilities. You can even use some of that information as awareness tips in your newsletter, tabletops or website.
Mobile, desktop and IOT devices are subject to numerous security vulnerabilities that can facilitate attacks, including password protection not being enabled, the inability to intercept malware, and operating systems that are not kept up to date with the latest security patches. While this is not a comprehensive list of all possible vulnerabilities, the following 11 vulnerabilities can be devastating. Fortunately, many are easy to correct.
- Devices often do not have passwords enabled. Mobile devices often lack passwords to authenticate users and control access to data stored on the devices. Many devices have the technical capability to support passwords, personal identification numbers (PINs), or pattern screen locks for authentication. Mobile devices running iOS and Android also include a biometric reader to scan a fingerprint for authentication. However, many employees do not use this feature. As a racewalker and runner I have found that when my fingers sweat the biometric reader does not work – grrrr. Additionally, if users do use a password or PIN they often choose one that can be easily determined or bypassed, such as 1234 or 0000 or their spouse’s first name… Without passwords or PINs to lock the device, there is increased risk that information from stolen or lost phones could be accessed by unauthorized users who could view sensitive information and misuse mobile devices.
- Two-factor authentication is not always used when conducting sensitive transactions on mobile devices. According to studies, people generally use static passwords instead of two-factor authentication when conducting online sensitive transactions while using mobile devices. Using static passwords for authentication has security drawbacks: passwords can be guessed, forgotten, written down and stolen, or eavesdropped. Two-factor authentication generally provides a higher level of security than traditional passwords and PINs, and this higher level may be important for sensitive transactions. Two-factor refers to an authentication system in which users are required to authenticate using at least two different “factors”—something you know, something you have, or something you are—before being granted access. Mobile devices themselves can be used as a second factor in some two-factor authentication schemes. The mobile device can generate pass codes, or the codes can be sent via a text message to the phone. Without two-factor authentication, increased risk exists that unauthorized users could gain access to sensitive information and misuse mobile devices.
- Wireless transmissions are not always encrypted. Information such as emails sent by a mobile device is usually not encrypted while in transit. In addition, many applications do not encrypt the data they transmit and receive over the network, making it easy for the data to be intercepted. For example, if an application is transmitting data over an unencrypted WiFi network using hypertext transfer protocol, http rather than secure https, the data can be easily intercepted. When a wireless transmission is not encrypted, data can be easily intercepted by eavesdroppers, who may gain unauthorized access to sensitive information. Chat systems often do not use encryption, so be careful.
- Mobile devices may contain malware. Employees download malware unknowingly because it can be disguised as a game, security patch, utility, or other useful application. It is difficult for users to tell the difference between a legitimate application and one containing malware. One piece of malware can wreak havoc on your network.
- Mobile devices often do not use security software. Many mobile devices do not come installed with security software to protect against malicious applications, spyware, and malware-based attacks. While such software may slow operations and affect battery life on some mobile devices, without it, the risk may be increased that an attacker could successfully distribute malware such as viruses, Trojans, spyware, and spam, to lure users into revealing passwords or other confidential information.
- Operating systems may be out-of-date. Security patches or fixes for mobile devices’ operating systems are not always installed on mobile devices in a timely manner. It can take weeks to months before security updates are provided to devices. Depending on the nature of the vulnerability, the patching process may be complex and involve many parties. For example, Google develops updates to fix security vulnerabilities in the Android OS, but it is up to device manufacturers to produce a device-specific update incorporating the vulnerability fix, which can take time if there are proprietary modifications to the device’s software. Once a manufacturer produces an update, it is up to each carrier to test it and transmit the update to the consumer’s devices. However, carriers can be delayed in providing the updates because they need time to test whether they interfere with other aspects of the device or the software installed on it. I know it is a hassle getting so many new mobile updates. I do not like it either, but it is important we apply the updates asap.
- Mobile devices that are older than 2 years may not receive security updates because manufacturers may no longer support these devices. Many manufacturers stop supporting smartphones as soon as 12 to 18 months after their release. Such devices may face increased risk if manufacturers do not develop patches for newly discovered vulnerabilities.
- Software on mobile and desktop devices may be out-of-date. Security patches for third-party applications are not always developed and released in a timely manner. In addition, mobile third-party applications, including web browsers, do not always notify us when updates are available. Unlike traditional web browsers, mobile browsers rarely get updates. Using outdated software increases the risk that an attacker may exploit vulnerabilities associated with these devices.
- Mobile devices often do not limit Internet connections. Many mobile devices do not have firewalls to limit connections. When the device is connected to a wide area network it uses communications ports to connect with other devices and the Internet. These ports are similar to doorways to the device. A hacker could access the mobile device through a port that is not secured. A firewall secures these ports and allows the user to choose what connections he or she wants to allow into the mobile device. The firewall intercepts both incoming and outgoing connection attempts and blocks or permits them based on a list of rules. Without a firewall, the mobile device may be open to intrusion through an unsecured communications port, and an intruder may be able to obtain sensitive information on the device and misuse it. Speak with your IT and cyber security experts to see if this is a vulnerability in your organization.
- Mobile devices may have unauthorized modifications. The process of modifying a mobile device to remove its limitations to add additional features (known as “jailbreaking” or “rooting”) changes how security for the device is managed and could increase security risks. Jailbreaking allows users to gain access to the operating system of a device so as to permit the installation of unauthorized software functions and applications and/or to not be tied to a particular wireless carrier. While some users may jailbreak or root their mobile devices specifically to install security enhancements such as firewalls, others may simply be looking for a less expensive or easier way to install desirable applications. In the latter case, users face increased security risks, because they are bypassing the application vetting process established by the manufacturer and thus have less protection against inadvertently installing malware. Further, jailbroken devices may not receive notifications of security updates from the manufacturer and may require extra effort from the user to maintain up-to-date software. I suggest you never jailbreak and take precautions so that your employees cannot do it.
- Communication channels may be poorly secured. Having communication channels, such as Bluetooth communications, “open” or in “discovery” mode (which allows the device to be seen by other Bluetooth-enabled devices so that connections can be made) could allow an attacker to install malware through that connection, or surreptitiously activate a microphone or camera to eavesdrop on the user. In addition, using unsecured public wireless Internet networks or WiFi spots could allow an attacker to connect to the device and view sensitive information.
Ok, whew! We made it through the bad stuff. Now let us go onward and upward to discuss some possible controls to prevent or mitigate these threats. But before we do let’s put a smile on our faces and say hi to little Flakes my Yorkie in the next chapter.