If you’re not scared, you probably should be. According to the newly released Internet Security Report from global internet security firm Symantec (best known by consumers for Norton Antivirus) in 2015, internet security threats worsened according to nearly every available metric as cybercriminals continued an organisational shift towards establishing professional hacking businesses with corporate structures (including ‘best practices’).
“Advanced criminal attack groups now mirror the skill sets of nation-state attackers,” says Kevin Haley, Symantec’s director of security response. “They have well resourced and highly-skilled technical staff that operate during normal business hours – they even take weekends and holidays off. We are even seeing low-level criminal attackers create call center operations to increase the impact of their scams.”
Professional hacking groups are first to leverage ‘zero-day vulnerabilities’ (newly discovered weaknesses that are used for particularly lucrative targeted attacks) and use or sell them to lower-level criminals on the open market. In 2015, 54 zero-day vulnerabilities were discovered, up 124% from 2014.
Similarly, the number of malware variants increased to 430 million, showing that professional cybercriminals are leveraging vast resources to try to overwhelm defenses.
Who’s being targeted?
Individuals are increasingly being targeted with ransomware, where a hacker encrypts all the personal files on a device and then charges for their unlocking. Ransoms can vary from a couple of hundred dollars to a few thousand. Mark Shaw, technology strategist for Symantec in the Pacific, estimates that for an outlay of about $5,000, a non-skilled person could buy a million email addresses, some custom ransomware, a template that will get users to click on the email. The return for a 10% infection rate and 3% pay-rate, a hacker could get a return of $80,000.
Symantec have also seen a resurgence of many tried-and-true scams, including fake technical support scams (up 200%) where scammers send fake warning messages to devices, driving users to attacker-run call centers to con them into buying unnecessary services. As people conduct more of their lives online, attackers are increasingly focused on using the intersection of the physical and digital world to their advantage.
Small and medium sized businesses are being targeted at an increasing rate, through it’s not just hackers from Eastern Europe or China looking to extort owners. Sometimes it’s someone right down the road. And their tactics may be much simpler.
Shaw tells the story of General Linen Service, a linen service company (of course), who discovered that it’s main competitor, a larger company also called General Linen Service, had been stealing pricing information, pricing lists and invoices. How did they manage it? Malware? Hacking? Espionage? No. Both used the same CRM software, but the hacked company hadn't changed the default admin username and password. So the competitor just logged on and spent two years gathering information and changing its pricing accordingly.
And you heard about the Ashley Madison hacks that outed cheaters and ended marriages? The hackers told Vice that “nobody was watching”. Many of the admin passwords were “pass1234”!
How big is the problem?
2015 saw the largest data breach ever publicly reported with 191 million records compromised in a single incident. There were also a record-setting total of nine reported mega-breaches. While 429 million identities were exposed, the number of companies that chose not to report the number of records lost jumped by 85 percent. Symantec’s conservative estimate of unreported breaches pushes the number of records lost to more than half a billion.
“The increasing number of companies choosing to hold back critical details after a breach is a disturbing trend,” says Haley. “Transparency is critical to security. By hiding the full impact of an attack, it becomes difficult to assess the risk and improve security to prevent future attacks.”
It turns out getting targeted by hackers is one of the many things in which we punch above our weight.
“New Zealand [is] an increasingly popular target for cybercriminals,” says Mark Shaw, technology strategist for Symantec in the Pacific. As a ransomware target New Zealand ranked fourth in Asia Pacific and 21st globally with the average of 108 ransomware attacks per day. The country was also ranked 21st globally for social media scams.”
What can you do about it?
Use advanced threat and adversary intelligence solutions to find indicators of compromise and respond faster to incidents
Implement multi-layered endpoint security, network security, encryption, strong authentication and reputation-based technologies. Partner with a managed security service provider to extend your IT team.
Prepare for the worst. Incident management ensures your security framework is optimised, measureable and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.
Provide ongoing education and training: Establish simulation-based training for all employees as well guidelines and procedures for protecting sensitive data on personal and corporate devices. Regularly assess internal investigation teams—and run practice drills—to ensure you have the skills necessary to effectively combat cyber threats.
Use strong and unique passwords for your accounts. Change your passwords every three months and never reuse your passwords. Additionally, consider using a password manager to further protect your information.
Think before you click: Opening the wrong attachment can introduce malware to your system. Never view, open, or copy email attachments unless you are expecting the email and trust the sender.
Use an internet security solution that includes antivirus, firewalls, browser protection and proven protection from online threats.
Be wary of scareware tactics: Versions of software that claim to be free, cracked or pirated can expose you to malware. Social engineering and ransomware attacks will attempt to trick you into thinking your computer is infected and get you to buy useless software or pay money directly to have it removed.
Safeguard your personal data: The information you share online puts you at risk for social engineered attacks. Limit the amount of personal information you share on social networks and online, including login information, birth dates and pet names.
Read the full report here.