Vigilance is crucial in face of shifting cyber security threats

@rogers
Security - Feb. 17, 2017

Entrepreneurial cybercriminals are continuously searching for new opportunities to breach corporate systems and profit from their data, and Canadian companies must be more vigilant than ever to protect their business.

That’s one of the key takeaways from Trustwave’s latest report on the shifting landscape of data compromises. Based on hundreds of the global security solutions provider’s own breach investigations, incident reports and vulnerability research, the 2016 Trustwave Global Security Report examined a growing range of cyber threats, including the rise of “ransomware”, which locks up data until companies pay.

For Canadian companies, the report reveals important lessons about how they need to shift their thinking in order to more proactively guard their interests.

Retail, Hospitality face challenges

The report notes that in 2015, “criminals shifted their focus slightly from broad-based attacks on Retail to a tighter focus on specific industries and platforms.” Although the Retail industry continues to be a prime target, its share of incidents investigated by Trustwave fell to 23 percent, down from 43 percent the previous year.

The Hospitality industry was a key focus of cybercriminals. Major breaches affected many prominent hotel chains, as attackers used point-of-sale (POS) malware to collect payment card data from travelers, exploiting a vulnerability in credentials managed by third parties, such as software vendors.

Expect these types of focused attacks to continue, predicts Stewart Cawthray, Senior Director of Rogers Enterprise Security Products & Solutions. Attackers have demonstrated over the years that they work in a kind of cycle, pressing an attack on an area they think is vulnerable until companies build up defences, and then moving on to another area.

“Cybercriminals may have been attacking Hospitality because it was weak at that time,” says Cawthray, “but as that industry starts to implement controls, other areas will become a little complacent and attackers will swing their focus. Attackers go down the path of least resistance.”

Ecommerce and point-of-sale vulnerabilities

The Magento open-source ecommerce platform was also a favourite with hackers, accounting for 85 percent of compromised ecommerce systems. At least five critical vulnerabilities were identified and publicized in 2015, and according to the report, most affected systems were not fully up to date with patches—some were behind more than 12 months.

Networked Point-of-Sale (POS) devices also proved to be vulnerable. According to the report, 59 percent of intrusions affecting POS environments involved malicious remote access. Although the introduction of EMV chip cards (a global standard for credit and debit payment cards) will help, it’s a problem that, as Trustwave recently detailed, won’t go away soon.

“You have to control remote access to your networks,” stresses Cawthray. “A lot of POS networks rely on third-party organizations to manage and monitor them, and those third-party connections may not employ a high degree of security.”

Indeed, cybercriminals already appear to be branching out. Forty percent of incidents investigated by Trustwave for this report were due to compromises in corporate/internal networks, up from 18 percent a year earlier. This general category experienced intrusions due to a broad range of contributing factors, including phishing, misconfiguration and weak passwords.

Investments in self-detection

The report also highlighted notable improvements in firms’ cybersecurity efforts. Trustwave found that 41 percent of breaches were detected by the companies that were attacked, up from 19 percent in 2014.

Cawthray points to this as evidence of important investments that retail firms in particular made after highly publicized breaches in 2014 at Home Depot, Target and others. “Before that, retailers had no idea if they were breached or not,” he says.

“The first step in securing yourself is knowing what is being attacked,” says Cawthray. “Often a company can identify a breach earlier. By the time a credit card company detects it, or law enforcement or a third party of some kind, the attackers have been inside for so long the damage is usually much worse.”

In fact, the report noted that the median times between the dates of intrusion, detection and containment all fell from 2014 to 2015, a good sign that companies’ security measures are paying off.

Vulnerability Management is key

As companies assess their ability to defend against cyber threats, Cawthray recommends paying attention to vulnerability management. With new vulnerabilities identified on an almost weekly basis, quarterly or annual reviews are not enough. “There are so many software components in an environment,” he says, “and you’re up against a whole system of people focused on finding just a single gap.”

The effort is worth it, says Cawthray. Even if there isn’t a patch available, other steps can be taken, like deploying firewalls or intrusion prevention systems in front of the vulnerability.

“But security is more than just defining what technology to put in place,” says Cawthray. “You have to have an incident response plan for when, not if, your data is compromised.” A plan should evaluate the need for cyber insurance and when to alert law enforcement.

Most cybersecurity incident response plans also include: event handling, where different types of events are defined and categorized; identification of team members and working groups that are part of the decision-making process; response plans for each incident type and information asset type, as well as a checklist for necessary actions and notifications that must be made during a cyber attack; and post-incident procedures, including debriefs around lessons learned and updates to the plan based on the latest experience.

Ransomware in particular makes this a necessity—in some circumstances, companies may prefer to just pay. “Ransomware has been a hugely successful criminal campaign because it’s instant money,” says Cawthray. “When a hacker harvests credentials or data, they typically have to go find some place on the black market to sell that data to make money on it. But with ransomware, they make money right away, even from a single laptop.”

Cybercriminals will surely not relent in their efforts, but by staying ever vigilant and ensuring the proper defences and mitigation plans are in place, your firm can minimize the risk of cyber threats and keep your business operating at maximum efficiency.