Stolen identities, computer hackers and cyber-espionage may sound more like the ingredients of a Hollywood action movie than things you are likely to encounter in your daily HR routine, however, new statistics suggest otherwise. Evidence from the 2014 Data Breach Investigations Report (DBIR) by security solutions provider Verizon and figures released by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) reveal that data breaches within companies across the globe are at an all-time high. HR needs to be mindful that now more than ever before sensitive information could be falling into the wrong hands and putting their organisation at risk.
This is worrying news for HR. That said, whilst cybercrime is becoming a harsh reality of any business operating in a modern integrated society, the good news is that you do not need to be a superhero to fight it. In this issue’s cover story, HR Magazine delves into the criminal underworld of online crime to explain key risks, what the cyber security crisis means to organisations in the region and offer practical advice on how HR can protect their organisation and employees from falling prey to it.
Virtual reality
There is no doubt about it; the number of data breach incidents is firmly on the rise. The HKCERT recorded close to 1,600 incidents of security threats in Hong Kong in the fourth quarter of 2013 alone—a 52% increase from the 2012 figure. The DBIR from Verizon reports a total of 1,300 confirmed data breaches up until April this year—the highest number of cases over the entire 10-year range of the study.
The DBIR also confirmed more than 63,000 security incidents across 50 organisations spanning the globe, ranging from unsuccessful attempts to penetrate a firewall, to successful facility break-ins, to petty cyber vandalism. The Report reveals that 92% of all security incidents over a ten-year period can be traced to nine basic attack patterns, whose prevalence varies from industry to industry. These patterns are: crimeware (various malware aimed at gaining control of systems); physical theft/loss of hardware or user credentials; web app attacks; phishing; point-of-sale intrusions; payment card skimmers; denial of service attacks aimed at simply bringing down a website; insider/privilege misuse; and miscellaneous errors such as simply sending an email to the wrong person.
Top three cybercrimes
Although nine patterns of cybercrime have been identified, the following three are the most prevalent and require the urgent attention of HR and IT departments.
1. Lost or stolen user credentials such as usernames and passwords continue to be the number one way to gain access to information, accounting for two thirds of all breaches reported in the DBIR. The Report also shows that, while external attacks still outweigh insider attacks, insider attacks are up—especially with regard to stolen intellectual property. The Report points out that 85% of insider and privilege-abuse attacks used the internal corporate network, and 22% took advantage of physical access.
2. Second to this is malware infection, where a system is infected with software that gives the hacker control over the computer. This issue was brought to light with the HKCERT’s recent discovery that over 2,500 machines across Hong Kong were infected with the ZeroAccess botnet, a programme which allows the hacker to secretly take over a group of computers and use the machines for a number of illegal purposes (unlike viruses, which reproduce autonomously, botnets are generally spread manually). This worrying trend is also being witnessed across the globe and only seems to be worsening. The increasing trust that organisations have been putting in their web platforms has led to a sharp increase in the number of attacks targeting these applications.
3. Finally, one of the oldest hacking tricks has recently come back into style: phishing, wherein the attacker, by pretending to be a trustworthy entity in electronic communication with the targeted organisation, is given access to secure systems and information.
There are numerous other intrusion methods that are being employed by cyber criminals. So who exactly are the criminal masterminds behind these cyber attacks and what are their motives?
Culprits
The DBIR indicates that most attacks are orchestrated by external actors, as opposed to employees and partners—good news for HR at least. Financially motivated criminal gangs are still the dominant type of perpetrator in external attacks, although espionage increasingly appears in the data set. In fact, cyber-espionage represents a more-than-three-fold increase compared with the 2013 report, with 511 incidents recorded. China still leads as the source of the most cyber-espionage activity—ahead of other regions of the world including Eastern Europe—and these attacks were found to be the most complex and diverse, generally using what are known as “zero day” hacks that target previously unknown vulnerabilities in a system. These attacks are normally rare and almost impossible to defend against without pre-emptively predicting and closing unseen holes in security. It is because of this that many organisations are turning to reformed hackers in order to protect their data.
Motives
According to the DBIR, the majority of the breaches have been aimed at financial information as attackers are mainly going for payment and bank data that could be used to steal money from accounts held by clients or the organisation. The motivation in this case is simple: financial gain.
The second most popular target for data breaches is valuable information such as medical records, corporate secrets or classified government documents. The motives here can be varied but generally fall into one of two categories: actions by those who wish to expose illegal or immoral conduct by an organisation or government, and actions by competitors, whether rival companies or political factions. Some companies have seen the increasing prevalence and relative efficiency of cyber corporate espionage as an opportunity and have been turning to hackers to obtain the corporate secrets or even customer records of competitors to gain an edge in business. It comes as no surprise, therefore, that the rise in espionage attacks is reflected in the growth in theft of secrets and internal data.
Even governments have joined the ring when it comes to cybercrime. In Russia’s 2008 invasion of Georgia, the first shots were fired online 20 weeks before any ground invasion, in the form of DDoS attacks targeting Georgian servers. These attacks were followed by the cybervandalism of several high profile Georgian websites that had their content replaced by images comparing the then Georgian president Mikheil Saakashvili to Adolf Hitler. Another cyber attack spanning 2009 and 2010 brought Iran’s nuclear program to a standstill. A virus took control of the centrifuge controls in facilities across the country and proceeded to destroy the machines responsible for refining nuclear material. The virus also took control of a number of workstations and speakers, causing them to play AC/DC’s song “Thunderstruck” from their 1990 album “The Razors Edge”—it is interesting to note that this song, as well as many others like it, is banned in Iran. While no one can confirm the source of these attacks, it is generally assumed that they could not have been completed without the aid of a government.
Impact
Wade Baker, principal author of the Data Breach Investigations Report, pointed out that the costs of a data breach could be enormous not only in terms of the remediation costs and potential fines but also the damage to an organisation’s reputation and loss of customer confidence, which could impact its success for years. He also pointed out that in many cases, incidents of data breach can go undetected for long periods of time, if not completely undiscovered. Many organisations are also unwilling to report breaches in their security fearing exposure or investor backlash. He added, “Organisations need to realise no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organisation—often weeks or months, while penetrating an organisation can take minutes or hours.”
This warning is echoed by Leung Siu-Cheong, Senior Consultant of HKCERT, who commented, “Cyber security activities are becoming camouflaged, if not invisible. Owners of compromised computers are unaware that their computers are being used to attack others on the Internet.” He explained that in order to get a clearer picture of the scene in Hong Kong, HKCERT is working with global security researchers to collect data to proactively identify these ‘invisible bot machines’, or compromised computers.
Solutions
All is not lost because, whilst it seems that no organisation is immune to a data breach, there are strategic measures that HR can take to enable a more focused and effective approach to fighting cybercrime and help reduce the risk of such threats.
Baker offered some reassurance, “After analysing 10 years of data, we realise most organisations cannot keep up with cybercrime—and the bad guys are winning. But by applying big data analytics to security risk management, we can begin to bend the curve and combat cybercrime more effectively and strategically.”
Many companies never recover from a major data breach so it is imperative that they take action now to prevent this from occurring. Below is advice for HR on how this can be done.
Seven ways HR can tackle cybercrime:
- Be vigilant. Organisations often only find out about security breaches when they get a call from the police or a customer. Log files and change management systems can give you early warning.
- Make your people your first line of defense. Teach staff about the importance of security: a very popular method of cyber infiltration is to obtain the credentials of a single, low-level member of staff, infect their computer and use it as a staging platform to attack the organisation. Ensuring that your staff use secure passwords (length over complexity) is the greatest line of defense that your organisation has. An 8-character random string of letters, numbers and symbols takes roughly 5 hours to brute force. A memorable 9-character-long password takes far longer to compromise. “We are the knights who say NI!” is an infinitely more secure password than “$3s05(8*”.
- Keep data on a ‘need to know’ basis. Limit access to the systems staff need to do their jobs and make sure that you have processes in place to revoke access when people change role or leave.
- Patch promptly. Attackers often gain access using the simplest attack methods, ones that you could guard against simply with a well-configured IT environment and an up-to-date antivirus.
- Encrypt sensitive data. If data is then lost or stolen, it is much harder for a criminal to use. Well-encrypted data is a hacker’s worst nightmare: without the key it is normally virtually impossible to decrypt, and attempting to do so costs a great deal of money and time. High-level encryption can be obtained for free under an open source licence.
- Use two-factor authentication. This won’t reduce the risk of passwords being stolen, but it can limit the damage that can be done with a single lost or stolen credential.
- Don’t forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts. There is literally nothing you can do to prevent someone with physical access to a computer from accessing any data stored within.
Source: Verizon
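The “length over complexity” point in the second tip can be made concrete by counting the candidates an exhaustive search must cover. The following is an added example, not from the article or from Verizon; the guessing rate is an assumed figure, and the model treats the passphrase as random characters, so its number for a memorable phrase is an upper bound (a dictionary or phrase-based attack would do better than exhaustive search).

```python
import math
import string

# Character classes an attacker must include once they know a password uses them.
# ASCII class sizes: 26 lower, 26 upper, 10 digits, 32 punctuation, 1 space.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
}

# Assumed offline guessing rate against a fast hash (constructed figure, not from the article).
GUESSES_PER_SECOND = 2.5e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet formed by every character class the password uses."""
    chars = set(password)
    return sum(len(members) for members in CLASSES.values() if chars & members)


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length must cover."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; each extra character adds log2(alphabet) bits."""
    return math.log2(keyspace(password))


def worst_case_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the keyspace at the assumed rate (upper bound for a memorable phrase)."""
    return keyspace(password) / rate


def compare(short_random: str, long_memorable: str) -> dict:
    """Figures a defender would quote when arguing length over complexity."""
    return {
        "short_bits": entropy_bits(short_random),
        "long_bits": entropy_bits(long_memorable),
        "short_years": worst_case_seconds(short_random) / SECONDS_PER_YEAR,
        "long_years": worst_case_seconds(long_memorable) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for pw in ("$3s05(8*", "We are the knights who say NI!"):
        print(f"{pw!r}: alphabet={charset_size(pw)} length={len(pw)} "
              f"bits={entropy_bits(pw):.1f} worst case={worst_case_seconds(pw):.3g} s")
```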
Back up and encrypt
Leung also pointed out emerging security threats this year such as ransomware, where a hacker gains access to data in order to extort its original owners. In today’s world of cybercrime, the hijacking of system servers to launch powerful attacks and the hacking of cloud user accounts to steal data for financial gain are expected. He explained that another key aspect of data security is encryption: the majority of attacks that resulted in a breach but no information being leaked were saved by encryption. Keeping files encrypted can ensure that even if a file is taken, the data within may remain secure.
Analysing the cyber security scene in Hong Kong, Leung offered some additional advice to companies on how to reduce the risk of falling prey to such attacks. He said, “Organisations, especially SMEs, and the public should pay more efforts to protect sensitive data. On top of regularly backing up the data and keeping it at a safe offline location to minimise risks of ransomware, they should use strong encryption to protect data while transferring files through untrusted channels.”
Handle with care
The issue of handling sensitive data also puts the spotlight on the employees within an organisation. A recent experiment carried out by the US Department of Homeland Security placed USB drives, loaded with ‘malware’, on the pavements and in the parking lots of government offices. Alarmingly, they found that over 60% of the collected drives were plugged into office computers and were able to deploy their payload. Had this been an actual attack, just one drive plugged into the right computer would have resulted in countless computers becoming vulnerable and terrifying amounts of data being exposed. The key lesson here, which organisations must remember, is that every employee is responsible for the security of the entire company.
Leung added that, with the growing trends of mobile payments and ‘Bring-Your-Own-Device’ in the workplace, mobile attacks may become more mature and sophisticated. He advised, “The public must also implement proper security measures on their mobile devices, and use strong passwords and two-step authentication in Internet services. In addition, they should be wary of unsolicited software or hyperlinks.”
Every cloud has a silver lining. With data breaches increasing by a whopping 62% and over 552 million identities being exposed worldwide in 2013, according to Symantec’s latest Internet Security Threat Report, the demand for cyber security professionals is currently so high that, in the US alone, there are currently an estimated 300,000 cyber security jobs left vacant.
Surprisingly, Symantec estimates that 20% of these positions could be filled by individuals without a four-year college degree. To help address this global workforce gap the Symantec Cyber Career Connection has just been launched. The pilot scheme will initially be rolled out in New York City, Baltimore and the San Francisco Bay Area in August 2014 and utilises a cyber security curriculum developed in partnership with nonprofits Year Up, NPower and LifeJourney.
The training incorporates a virtual mentorship programme designed to immerse students into the industry, after which they will be placed in cyber security internships for further learning. Stephanie Cuskley, CEO, NPower commented, “Our New York City programme will prepare these talented young adults to obtain industry-recognised CompTIA Network+, Security+ and Ethical Hacker certifications.”