Stop Blaming China & Russia for All Your Cyber Attacks Pt. 1

By Joseph Carson

In this two-part series we will first debunk five myths about "sophisticated" cyber attacks, then cover the reality behind cyber criminals' attacks and give you actionable cybersecurity hygiene steps to improve your security.

Cyber-attacks can originate from anywhere, but there appears to be an unabated trend of pointing the finger at either “sophisticated attackers” or more blatantly, naming and blaming nation-states like China and Russia (all right, maybe North Korea and Iran too).

The truth about attribution (who the attacker actually was) is often passed over for something more dramatic, especially when sensitive information or brand reputation is at stake. In particular, we see businesses try to save face by blaming attacks on state actors when the real cause is that they cut corners on cybersecurity and failed to make the proper investments.

Cyber-attacks can be quite devastating for an organisation, especially in terms of:

● Damage to the organisation's brand
● Liability exposure for a “Class Action”
● Loss of customer trust
● Significant financial penalties
● Loss of jobs to make up for increased breach expenses & remediation

The blame game tactic is simple: switch the focus away from internal bad practice and shift the blame to "sophisticated nation states and/or criminal gangs". Lazy, but effective.

Yet there often isn't concrete proof to back up these claims, and time and again the victim business ends up with egg on its face when the attacker turns out to be an unsophisticated script kiddie. The amateur succeeded only because of bad cybersecurity hygiene on the part of a company that did not have its house in order.

This blog attempts to debunk some of the myths and misconceptions around why most cyber-attacks succeed, and it offers some tips on what instead should be done to deny and disrupt these attacks.

Myth #1: All Cyber Attacks are Sophisticated and Complex

While it is easy to assume that every successful attack is complex and requires a whole team of nation-state hackers sitting in a room coordinating with one another, this is rarely the case. The reality of most cyber-attacks is far more straightforward.

The list of attacker motivations can be quite long, but the reasons attacks succeed usually come down to a handful:

● Business executives refuse to acknowledge they are a target
● Businesses ignore or do not focus on the basic tenets of cybersecurity
● Immature or non-existent cybersecurity and IT controls

The next time you hear about a complex cyber-attack on a business, there is a better chance that the attack succeeded not because it was conducted by a nation state or clever attacker, but rather by one individual or a small group taking advantage of bad cybersecurity hygiene.

The fact is, not even cyber criminals would want to admit how easy it was to attack the breached company. A sophisticated attack sounds more serious, and if a business has cyber insurance, this is going to be the story-line to make a claim.

Myth #2: All Cyber Attackers are Professional and Highly Skilled

While known hacking groups and foreign militaries clearly do carry out cyber-attacks, it is safe to assume that most of the time, cyber-attacks are conducted by individuals with little experience. I like to call this group "the bored but curious teenagers" (also known as script kiddies). These probing script kiddies are either looking for weaknesses in systems and processes, or they poke around just for the fun of it.

These folks don't usually have a clock to work against, unless they are trying to breach a highly sophisticated defence. Most of the time they will look for the easiest way into a system; trying to break into one with mature defences takes too much time, so they move on. They use a variety of methods to drop malware, or exploit a known vulnerability, and then bide their time.

Myth #3: Throwing Money at Cybersecurity is the Answer

JPMorgan was on the receiving end of a successful cyber-attack in 2014 despite having spent close to US $250 million on cybersecurity that year. Although it has since roughly doubled that spending to US $500 million, it is safe to say that it could still be hacked.

Please repeat after me: “Only throwing money at cybersecurity will not protect me.”

Before spending a penny, or a dollar, more on any technology or employees, one must ask:

● Have we got the basics right? It is often the basic hygiene, the basic controls, that get overlooked in the search for a panacea that does not exist. Most security breaches can be prevented by having layered cybersecurity controls throughout the enterprise. If a company has a single weakness such as an unprotected development server, an attacker will find it and exploit it, even if that server is out of scope for the cookie-cutter audits performed to satisfy SOX or PCI DSS.
● What are our gaps? Have we carried out a gap assessment and/or external audit to determine our areas of weakness and strength?
● Have we adopted a formal, risk-based approach to information security, so that the services or products we procure mitigate the most important and relevant risks?

It is a misconception that just throwing loads of money at cybersecurity will keep you safe.

Myth #4: Only People on the Outside are Launching Cyber Attacks

Related to Myth #2, most people assume that cyber criminals are external to an organisation. The race to blame an external source distracts from the truth that, regardless of where the attacker starts, inside or outside, most attacks, simple or complex, need the privileges or access rights of an insider in order to succeed and escalate.

If you can properly manage the privileges and access rights of privileged insiders you can usually deny success to a large number of cyber-attacks.

A privileged insider can be anyone, but is most often an IT administrator, who has the privileges and rights to carry out administrative tasks on critical systems and/or access confidential data. Some examples of privileged users are:

● Active Directory Enterprise or Domain administrators
● Anyone who has the right to back up system files (the backup privilege allows reading files regardless of their access control lists)
● A business privileged user who has rights to access confidential data.
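Knowing who these privileged insiders are is the first step to managing them. The following PowerShell is an added example, not code from the original post or from Thycotic: it enumerates the members (including nested groups) of the built-in Active Directory groups that map to the list above, flags stale or never-expiring passwords, and then checks which principals hold the backup and restore user rights on the local host. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and an account with read access to the directory; the group list and the 365-day and 90-day thresholds are illustrative choices, not policy from the article.

```powershell
# Added example (not from the original post). Assumes: domain-joined host,
# RSAT ActiveDirectory module, read access to AD. Thresholds are illustrative.
Import-Module ActiveDirectory

# Built-in groups whose members can administer critical systems or read any
# file. Backup Operators is included because SeBackupPrivilege lets its
# holders read files regardless of NTFS ACLs, including system hive backups.
$privilegedGroups = @(
    'Enterprise Admins',
    'Domain Admins',
    'Schema Admins',
    'Administrators',
    'Account Operators',
    'Backup Operators'
)

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, which is where forgotten accounts hide.
    # Enterprise/Schema Admins exist only in the forest root, so tolerate lookup failures.
    $members = @()
    try { $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop }
    catch { Write-Warning "Could not resolve group '$group': $_" }

    foreach ($m in ($members | Where-Object { $_.objectClass -eq 'user' })) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
                -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate
        $ageDays = $null
        if ($u.PasswordLastSet) { $ageDays = [int]((Get-Date) - $u.PasswordLastSet).TotalDays }
        [pscustomobject]@{
            Group                = $group
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordAgeDays      = $ageDays
            LastLogonDate        = $u.LastLogonDate
        }
    }
}

# Hygiene findings: each row is a privileged credential an attacker would love,
# either because its password never rotates, is over a year old, or the account
# has not logged on for 90 days (a dormant admin account nobody is watching).
$report | Where-Object {
    $_.PasswordNeverExpires -or
    ($_.PasswordAgeDays -gt 365) -or
    ($_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-90))
} | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Group membership is not the only path to backup rights: the user right can be
# granted directly through security policy. Export the effective local policy
# and show who holds SeBackupPrivilege / SeRestorePrivilege (SIDs, * prefixed).
$policyFile = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $policyFile | Out-Null
Select-String -Path $policyFile -Pattern '^Se(Backup|Restore)Privilege'
Remove-Item $policyFile -ErrorAction SilentlyContinue
```

Run it from an elevated PowerShell session on a domain-joined workstation or server; the AD queries only need read access, but `secedit /export` requires local administrator rights. Run the same check against the local Administrators group on servers that hold sensitive data, since domain group membership does not reveal accounts added directly to a member server.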

According to the 2016 Verizon Data Breach Investigations Report, insider threats represented roughly 15% of breaches. Do note, however, that these figures cover only breaches that were reported.

Myth #5: Companies Claim Nothing Could Prevent the Attack

There may be some truth in this one. We have all heard the saying that there are two types of companies: those that have been hacked and those that do not yet know they have been hacked. That maxim still stands.

However, pleading powerlessness is not an excuse. There are simple steps an organisation can take to significantly improve its chances of denying and disrupting an attack from either a script kiddie or a sophisticated attacker.

For instance, many companies lack basic cybersecurity controls such as centralised logging, layered security controls, alerting that can detect an intruder, filtering of malicious traffic, and correct DNS configuration.

Stay tuned for part two where we offer some tips on what should be done to deny and disrupt these attacks.

Source: Thycotic