Cyber threats are evolving, fast. From social engineering to exploring the dark web for company specific information, even placing rogue individuals into an organisation as employees, criminal gangs are embarking upon increasingly targeted attacks. The implication for organisations is serious: while the tools employed by IT teams to secure the business are increasingly sophisticated, they are also generic and simply cannot counteract the specific, increasingly intelligence led attacks now in force.
Organisations need to fight intelligence with intelligence. Are employees trustworthy – and if so, are they switched on to the risks associated with social networks? Are potential business partners, suppliers and investors who they appear to be? Is a competitor looking to cause reputational damage? Or is a specific company weakness being discussed or traded on the dark web?
From penetration tests to demonstrate employees’ vulnerability to social engineering to dark web vulnerability reports and thorough background checks, by fusing intelligence led security measures with existing security tools and processes, organisations change the game. As Tony Sweeney, Cyber Security Director, KCS Group Europe, explains, armed with intelligence of specific, rather than generic, threats organisations can effectively leverage security tools and skills to pre-empt an attack.
Paying the Price
When two thirds of FTSE companies admit to being hit bit by a cyber breach in the past year¹, questions must be asked as to just how well the C-suite understands the level of risk now posed by cyber security. In a continually evolving threat landscape, the fact that half the boardrooms are not even informed when an incident occurs would suggest a worrying lack of intelligence and insight into the true threats being faced.
Given the reputation loss and financial cost associated with cyber breaches, the implication of this lack of C-level insight is serious. How many CEOs realise that cyber security now includes social engineering, with employee social network profiles routinely explored and exploited to gain access to corporate data? Or that criminal gangs increasingly employ physical activity alongside cyber techniques – from cutting fibre optic cables to using cleaners to enter a building and load malware via thumb drives? Or that criminals are using the dark web both to discover corporate information and vulnerabilities and to trade stolen data?
The truth is that the cyber threat and the cyber criminal have changed in recent years – yet few companies have evolved their strategies as required and too many are paying the price.
There is no doubt that the security tools and procedures implemented by the Information Security team to counter the cyber threat are increasingly sophisticated. The problem is that they are, by default, designed to address the generic attack; and the criminal fraternity is getting personal. It is too easy to set up fake Facebook and LinkedIn profiles, send friend requests and gain immediate access to an employee’s connections. With information about the dog’s name, the child’s birthday and favourite football team – information used in around 90% of passwords – a hacker’s brute force password attack becomes far more effective.
The dark web can also provide extraordinary detail into an organisation’s activities, suppliers, invoices and billing types, creating the material to support highly sophisticated phishing attacks. How can a business protect itself against a spoof phishing email that appears to come from the finance team?
To combat this targeted, sophisticated threat, organisations need to get personal in return. Embracing intelligence led security in tandem with the tools and policies already in place enables a far more focused and effective response to specific cyber threats.
Employees are obviously a key area of vulnerability for every business and there are a number of steps that need to be embedded within core processes to minimise the cyber risk. The primary step must be to improve the vetting of employees, including contract staff such as cleaners, to minimise the chances of rogue individuals exploiting permitted access to introduce malware that enables remote hackers to gain full access to systems.
In addition, employees need to be made far more aware of social engineering and the potential business risk. For example, using sophisticated penetration tests and ethical hacks to highlight potential areas of weakness can be extremely revealing. How many employees accept invitations from false social media profiles? How many click on phishing emails from outside the organisation; or from those spoofed to appear to come from within?
While, of course, employees are encouraged to build their business networks, many individuals will be surprised by their lack of rigour when qualifying invitations. The insight delivered by these penetration tests provides the business with a chance to specifically target employees or teams with social media training and education, raising awareness of the sensitivity of information shared and the need to be discerning about accepting connections.
In addition to improving every aspect of employee related security, organisations can also explore intelligence led security that is continually tracking activity on the dark web. Dedicated experts with access to forums can rapidly identify if an organisation is at risk of attack or discover if a breach has already occurred. For example, one company recently discovered it had been breached when it was informed that one million customer names, with email addresses, were already being traded on the dark web.
This intelligence gathering can also identify other risks – such as those companies with employees that used corporate email addresses on Ashley Madison style websites. When that site was hacked, the use of the corporate addresses not only posed a security risk but also raised serious potential concerns regarding business reputation.
Indeed, damage to reputation is one of the biggest cyber risks – from competitors defacing web sites to the loss of sensitive data or unintentional association with inappropriate business partners. And given the specific, targeted, business specific nature of these attacks, organisations clearly need to evolve beyond the current generic approach to cyber security. A monthly vulnerability report combining dark web intelligence with assessment of the security infrastructure, including penetration testing and ethical hacks, delivers a far more intelligent and specific insight into the actual level of cyber threat for each organisation.
Cyber hackers no longer operate only online; they increasingly exploit ‘traditional’ criminal skills in person to bypass cyber security procedures and gain specific insight into a corporation and its employees. And they invest huge amounts of time and resources to target specific organisations, for a range of objectives.
There is simply no way that the cyber security tools currently deployed can fight this form of targeted attack. It is only by fusing intelligence led security that delivers insight into specific risks with the right security tools and processes that organisations can start to fight back.