In the third in our series of articles on cybercrime and industry we will look at how manufacturing is being impacted by the rise of cybercrime. The manufacturing industry is going through a period of fast change. Many industrial systems are being overhauled to bring them into an era of high connectivity. The Internet of Things and automation / robotics are being used as a productivity booster, and a way of bringing the notoriously complicated manufacturing supply chain more closely under control.

The manufacturing sector has some fundamental challenges above and beyond those of the previously discussed sectors, healthcare and financial. This includes protection of intellectual property and corporate espionage / sabotage.

Manufacturing Pain Points

Advanced Persistent Threats (APT) in manufacturing: APT’s play the long game. Cybercriminals use techniques like spear phishing to get malware onto a system, and then use stealth and avoidance techniques to slowly exfiltrate data, such as proprietary information, often over many months. APT’s are a real threat to manufacturing because of the difficulty in detecting the underlying malware. This is down to the ability of the hacker to remotely control the malware (using a ‘command and control’ center) – morphing it to hide it from detection by traditional anti-virus and monitoring techniques. Kaspersky run an APT logbook, and it’s interesting to see how APT’s have become more prevalent over time. Filtering the logbook across manufacturing related industries shows how this area has become an increasing target for APT style attacks.

Intellectual property: Intellectual property (IP) is the mainstay of our manufacturing industry and its theft is a major contributor to economic issues in the USA. According to the IP Commission’s report into IP theft, they found that $hundreds of billions worth of IP was stolen each year from U.S. firms of all sizes. They described the situation as “the greatest transfer of wealth in history”. The loss of IP affects jobs and innovation. The theft is often state sponsored, the IP Commission report pointing to China as being a likely source, but insider threats are also an issue, including supply chain insiders. Verizon found that 46% of IP theft cases start with an employee. The staff member is likely collaborating with cybercriminals to extract the data – the prime driver being financial gain. When insiders are used, access is often through misuse of privileged credentials. But it may not be the system administrator actually behind the breach. Centrify found that in a survey of U.S. IT staff, 52% had shared a login credential with a contractor, and 59% with a fellow worker.

Cyber-espionage: According to Verizon’s “2016 Data Breach Investigations Report” manufacturing is one of the top three industries to suffer from cyber espionage. Cyber espionage is an external threat, sometimes state sponsored, or at least competitor sponsored, where the target is proprietary data and trade secrets. The vector into the manufacturer is most often via a spear phishing email, which is ultimately behind an APT attack (see above). The attackers can then quickly get at the credentials needed to login to the system and implant malware that exfiltrates data back to source. Another method that is gaining ground are drive-by-downloads; This vector is the sneakiest of all and is completely silent, so the user isn’t aware that they have been infected with malware – usually keyloggers which then go on to steal login credentials. Drive by downloads use exploit kits within a website – typically a site that is commonly used by that sector will be infected by the hacker. If the user visits that site, the exploit kit then looks for a vulnerability in a browser or other software application like Adobe Flash. The exploit kit uses this vulnerability to silently install the malware. It literally takes seconds, and you don’t even notice it happening. Once infected user credentials can be stolen, allowing access to the extended network.

Attacks against automation: The fourth industrial revolution is built upon automation and robotics. These devices are primary candidates for cyber attack. In an industry that is heavily reliant on connected and automated components, points of automation-targeted attacks make the industry highly vulnerable. In a report by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), they found that in the 12 months from October 2013 there were 245 cyber security incidents, with 32% of those affecting the energy sector and 27% critical manufacturing; of these 55% of them were due to APT’s (see earlier). You can imagine a scenario whereby a hacker has accessed a crucial automation unit, and sends malicious commands to it, causing chaos, resulting in the shutdown of the unit. Similarly critical infrastructures, such as those controlled by power and water suppliers are under increasing threat, including threats of cyber-terrorism. Examples include the 2014 cyber attack against the U.S. federal weather station network (NOAA) and the 2014 German steel mill attack, which caused the failure of multiple automated systems.

As our manufacturing industry becomes ever more interconnected, and the extended supply chain becomes more intrinsically hooked up to the network, the threat surface will become more complex. This brings deep level security issues that need to be addressed at the operating system/platform level. This does not however preclude the need for security training and awareness. The ever-present threat of phishing, especially spear phishing, which often is connected to an APT attack, can be handled through user training programs. The cyber security problems facing manufacturing as they undergo the fourth industrial revolution, need to be handled by a multi-layered approach, from ensuring that the systems manufacturers use are themselves utilizing appropriate safety measures to the awareness of security risk across the extended supply chain.

In the second in our series of articles on cybercrime and industry we will look at how the financial services industry is being impacted by the rise of cybercrime. The financial services sector has always been a traditional target for cybercrime. However, as we saw in the previous article, healthcare has taken over the title from financial services as the number one most targeted industry sector. But does this mean the beady eyes of the cybercriminal are no longer focused on financial services? This article will explore the current climate for hacking our financial sector.

Cybercrime and Financial Service

The financial sector is like the perfect package for a hacker. Bank and other financial institutions contain information that spans everything a cybercriminal wants all wrapped up in one place; from your financial details and bank account, to identity data. If you look at some of the breaches in the financial services sector just in 2014 and 2015, you can see that they are some of the most major in history. For example, in 2014 JP Morgan Chase had 83 million bank accounts exposed in a phishing (including Text phishing or SMishing) scam.

Security attacks are perpetrated using several methods. Phishing is still a major issue for the financial sector as it has been now for many years. The Carbanak bank heist, which purportedly has cost around $1 billion so far, began with a phishing email. The email contained a piece of malware that stole login credentials once installed. The fact that access to bank accounts can be potentially compromised from an email shows how integrated banking is in all of our lives. A new variant of this is the targeting of personal accounts that use mobile banking. For instance, an Android-based malware spots what bank a user is navigating to from their smartphone, and overlays a spoof page that looks identical to the mobile banking page. It then steals the credentials used to access the site, which the hacker can then use to access the real mobile banking account.

But phishing isn’t just hitting individuals. Companies are being targeted by a variant known as Business Email Compromise or BES. This technique uses the natural hierarchy of an organization to scam employees. Typically, a company accountant or other similar role, will receive an email from someone high up in the organization, like a CFO or CEO. The email will look exactly like it is from that person is supposed to be from – as the phisher will have done a lot of research into their target. The email will ask that the person make an urgent transfer of money to a supplier who has had to change their bank account for some reason. This scam has already cost around $2.3 billion according to the FBI.

Advanced Persistent Threats which use stealth and the long game to extract information and monies, are also being used against the financial sector. In a recent Financial Sector Cyber Intelligence Group identified APT threat, spear phishing was the way in for the APT actor. The first step in this type of attack is to implant a Command and Control center (C&C) so that hackers could add further malware to the compromised system. A C&C is like the hacker having their finger right inside the pie – they can control malware and update it remotely. APT’s are notoriously difficult to detect as they morph (via the C&C) when any hint of possible detection is observed.

Financial sector attacks are not just about direct access to money anymore. They are also about identity theft and breaching data. The financial sector was ranked third for identity theft last year by the Identity Theft Resource Center. This is because in the world of cybercrime, personal information equates to money. Financial records fetch on average $221 per record- compared to the $30 that a U.S based stolen credit card commands on the dark web.

Denial of Service (DDoS) attacks are also a major threat for the financial sector with DDoS and web app attacks against financial services having increased 31% since 2015, according to the ‘2016 Data Breach Investigations Report’. However, DDoS attacks are less about pulling down websites and more about being a smokescreen to allow hackers to implant malware, which is then used to steal data and login credentials.

Where Should We Concentrate Our Efforts in Controlling Financial Sector Security Threats?

One of the issues in the banking sector is getting the word out to all the stakeholders, including the board, that cybersecurity is a company wide issue, not just a problem for IT. This is a general problem for any sector, but financial services are feeling the impact in a massive way, and right across the ecosystem, from direct attacks, to supply chain breaches as well as business and personal account compromise.

Because the financial sector, more than most, has very close touch points with its customer base, and has an extended supply chain with direct ties into the main company, it is a sweet target. Even with a broad thinking and strategic security plan, and state of the art security tools in place, with such a wide ecosystem, the sector is at risk. PWC in their ‘Global State of Information Security Survey: Financial Services 2016’ stated that third party vendor security assessment and management, is the single biggest challenge of the industry in controlling security threats. PWC points out that industry organizations that use risk based security frameworks to communicate with third party vendors were more successful in controlling security risks within the vendor ecosystem.

Going forward, the increased awareness of threats to the financial sector, brought about to a large degree by the major attacks perpetrated against the industry, will mean that we should all become more vigilant. This should include a generalized education program, not just for those employed within the sector but also the supply chain and customers. The push for a more secure financial services sector needs to be a top down approach. The board must engage in a program of security, which includes frameworks for communicating security information across the supply chain and beyond. As cybercriminals continue to up their game, the financial sector can win the cybersecurity war by upping their game too.

This is the first in a series of articles looking at how the cybercrime wave is affecting different industry sectors. This first article will look at our healthcare industry. Healthcare is arguably one of the most information intensive sectors. During any individual interaction with a healthcare service, a multitude of data is created, shared and stored. Electronic health records (EHR) contain enormous amounts of information about us: from personal details, such as name, address and our age, to medical data for past, present and potentially future physical or mental health issues, to financial details. It is a very rich source of information making the healthcare industry a prime target for cybercriminals.

Cybercrime and Healthcare – Levels, Costs and Attack Types

IBM’s X-Force in their 2016 Cyber Security Intelligence Report stated that healthcare is the “most frequently attacked industry”. 2015 it seems has been the year of the healthcare breach. Most of the serious healthcare breaches since 2010, took place in 2015. This included:

·      Anthem: Almost 80 million records breached

·      Premera Blue Cross: 11 million records breached

·      Excellus: 10 million

·      University of California, Los Angeles Health: 4.5 million

·      Medical Informatics Engineering: 3.9 million

Any organization that has a breach that involves 500 or more records has a legislative obligation to inform the Office of Civil Rights under Health and Human Services (OCR). The breach is then posted to a website, jokingly called the ‘wall of shame’ for the world to see. According to the information found at the OCR website, in 2015 over 112 million healthcare records were breached.

All of the above incidents were, according to the OCR site, caused by a “hacking/IT incident” on a “network server”. The likely reason behind the breach was to steal medical records and this is because medial information is valuable. According to a Ponemon study, 2015 Costs of Data Breach, a U.S. medical record is worth, on average, $368 compared to a mean of $217 for other record types. This makes the healthcare industry a very lucrative target for a cybercriminal, who can sell these data on the dark web.  And the data theft doesn’t stop there. Once stolen, personal data is used for social engineering attacks against individuals. It is also used for secondary attacks, like the IRS breach where personal data is used for verification purposes; in the IRS case, to make fraudulent tax claims. Stolen PHI is the gift that keeps on giving.

In 2016 we are seeing a possible change in the tactics used by cybercriminals against healthcare, away from pure data theft, to cyber extortion. There has been a spate of ransomware attacks against healthcare organizations in the U.S.

A recent report by the Health Information Trust Alliance, found that 52% of the healthcare organizations interviewed in the U.S. has been a victim of ransomware.

Healthcare and Legislation

Healthcare is one of the industries that have specific legislation protecting individual data. In the healthcare industry this is known as Protected Health Information or PHI. PHI covers a gamut of data, including personal identifying information (PII) such as name, address, age and so on. It also includes medical data that relates to physical or mental health issues in the past, present or future. It also includes details such as biometrics, device identifiers and DNA. PHI is protected under the Health Insurance Portability and Accountability Act (HIPAA), brought in to protect the security and privacy of health data.

The Health Information Technology for Economic and Clinical Health Act or HITECH, was an act originally introduced to set the framework for electronic health records (EHR). It helps to extend the reach of HIPPA in term of protection of health data. An extension to HITECH, section 13407, which is enforced by the Federal Trade Commission (FTC), has brought the supply chain into focus. This clause specifies that the rules of data protection and privacy covered by HIPPA covered entities, now extend to all third party business associates, including contractors and sub-contractors, that have anything to do with health data handling. This creates a chain of organizations that have strict rules applied to how they must manage the security and privacy of the health data under their remit.

Healthcare Information and Futures

Healthcare is always going to be a prime target for cybercrime because the industry is a data innovator. Data is used as part of its prime objective, to care for us, but also to build better procedures and healthcare outcomes. The healthcare industry is one of the early adopters of Cloud based big data sharing. The Google Genomics project, for example, allows medics and researchers from across the globe to share genetic information.

Healthcare is also embracing disruptive technologies such as mobile and the Internet of Things (IoT). Analysts MarketsandMarkets are predicting the healthcare IoT market to be worth around $163 billion by 2020. IoT devices are being used across the healthcare ecosystem from individual wearable’s relating health data to the Cloud, to medical devices used within a hospital context – the FDA now being fully on-board with the use of IoT devices in a medical context. As for mobile, a study has shown that at least 87% of physicians use a mobile device for work related tasks.

With all of this data being generated across an increasingly diverse and interconnected playing field of devices and Cloud platforms, healthcare is a cybercriminals dream. With HIPPA and now the extended HITECH ruling on third party ownership of data security, it has never been a more important time for the healthcare industry, and its extended supply chain and partners, to step up to the plate and create a healthy cyber security strategy. 

This year has gotten off to a great start… if you’re a cybercriminal. Already threats like ransomware are on the rise, with the FBI’s April blog post on the issue showing the prevalence and success of this type of malware. Of course, if you’re not a cybercriminal then this isn’t such a great start. Cyber security, which was once almost an afterthought, is now a critical part of a business strategy and a board level consideration. As our business and vendor eco-systems become ever more connected, through Internet communications and the ensuing Internet of Things, cybercrime considerations can only become even more of a focus for our businesses. This is why it is of paramount importance to extend your security thinking and strategy out into the reach of your vendor eco-system, as you can guarantee that cybercriminals will take advantage of any chink in your armor. 

With this in mind, let’s look at some approaches to keeping your vendor relationships optimized for security.

Top Tips to Keep Your Vendor Eco-System Secure

Controlling vendor risk management is the key to creating secure vendor eco-systems. It results in an all-round better way to do business as it increases trust and decreases risk. If done well, it can also bring about more collaborative and productive partnerships that can be used as best practices for other relationships. The following tips are a good place to start on the road to a more secure vendor relationship management program. But the main thing to remember is that this is a process and all good processes need feedback from which to improve.

Tip 1:  Don’t reinvent the wheel: Use NIST advice.

Before you set out on creating your own vendor relationship security strategy, you should get to grips with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The framework outlines a set of guidelines that give you the starting points for creating a robust security strategy. The five main areas it looks at are: Identify, Protect, Detect, Respond, and Recover. You can read more about this on the Atlas blog.

Having a well thought out security strategy in place is the starting point for creating an extended strategy for your vendor eco-system. Your security strategy must reach out to encompass all of your assets, which includes those shared across that eco-system. Setting out your stall in this way lets you have a clear view of your security needs and allows you to move onto the next part of the process of securing your vendor relationships.

Tip 2: Make wise choices. 

Choosing which vendors can become part of your wider eco-system is part of the process of risk management. This process can also encompass security, by adding in security requirements to your vendor due diligence.  Knowing how a vendor handles, for example, the sharing of sensitive documents, can give you a heads up of any issues that may occur down the line. Attending to potential vulnerabilities at the point of entry to a partner program can alleviate future breaches. Having a partner program and vendor enrolment process, which emphasizes security aspects of the relationship, creates an ethos of secure thinking. If a vendor has an issue with this at the start, then they may not be right for your organization going forward.

Tip 3: Communication is king.

One of the driving forces in modern cyber security is collaboration. The U.S. government has brought in the Cyber Intelligence Sharing and Protection Act (CISPA), for the purposes of sharing information between commercial and government organizations around security threats; the idea being that a “problem shared is a problem halved”. Not everyone agrees with the tenets of the act, but the concept of collaboration around security issues is a sound one. Having inter-vendor security collaboration will help you to mitigate risks though a program of education and shared knowledge. Even setting up partner program awareness sessions, covering general security training and compliance requirements can be an important step in ensuring everyone is at the same level of security thinking.

Tip 4: Get authentication right.

We’ve seen from a number of high profile cyber attacks that the root cause has been poor authentication measures. For example, the Target Corp. attack was due to a third party (HVAC) vendor being phished; their username and password used for privileged access to Target’s systems being stolen. If there had been better authentication measures in place this could have been prevented, even if the original vendor had been successfully phished. There are ways authentication can be hardened against phishing attempts. Second factor authentication can be applied to many applications. This can be in the form of an SMS text code, mobile app code, or hardware token code. If user experience is a concern, then you can use adaptive authentication to ‘up the ante’ in terms of authentication requirements. For example, if you detect a login request is coming in from an internal IP address, then you can apply single sign on (SSO), but if it’s from a third-party vendor’s IP address, or other, then you can force the use of second factor, or even further login credentials, like requesting an answer to a personal question.  In any extended system where you have an arms length control, strong authentication should be a serious consideration.

Tip 5: Automation equals  

Don’t go it alone.  Most modern enterprise organizations are dealing with tens of thousands of vendors in their supply chains.  Manual spreadsheet assessments and required documentation sent and received via email worked just fine when there were only a couple of hundred outside vendors to deal with.  As mentioned earlier, supply chains are only getting larger and we are growing more connected over time.  To truly pinpoint risks in the supply chain, you must have an automated system on which to conduct vendor assessments and collect supporting documentation.

Tip 6: Assume there is no perimeter and always innovate around security. 

The world has never been smaller because of the interconnectedness of almost everything. This is being embraced by vendor platforms too, with Cloud delivery being seen as a way of increasing productivity. This takes your security thinking into a new arena of web-based threats.  If you encompass the previous 1-5 tips to begin the process of securing your vendor relationships, and you use the advice from OWASP on the top ten web threats, then you will be well on your way to having a robust overall security strategy for your eco-system, protecting your own organization as well as all of those in your vendor programs.

Logging into any type of application has to be one of the most talked about topics in security. It sometimes feels like it is the last frontier as far as technology innovation is concerned. Why is this so? Well it is likely because it is the point where the human – computer interface first comes into contact. This creates usability vs. security conundrum which is always hard to resolve. Part of the issue has been ‘password fatigue’ which has been a topic raging in the industry for many years and yet we don’t seem a lot further forward. But this isn’t true, technology in the area of authentication is moving forward. I’ve named this post “The Good, Bad and Ugly…” but in truth, each authentication measure can have a little of each and it really is more about choosing the right one, for the right scenario that counts.

The Password is Dead, Long Live the Password

The first ever type of login option in computing, used by MIT in 1961, was of course the humble password. We have used it almost religiously ever since, for everything, from logging into online banking to offline desktop computer login. It is so successful because it is both easy to program support for username and password access, but its also easy for the user logging in…mainly.

I say mainly because we now find ourselves in a situation whereby both security and usability have been severely compromised. In terms of security, the use of username and password in an Internet connected world has left the password highly vulnerable. Phishing, and in particular spear phishing, has meant that cybercriminals can very easily steal a username and password. Either by sending the phished individual to a spoof site which then tricks the user into revealing their login credentials, or by installing malware which exfiltrates them when they are used.

And then there is the usability aspect. The average user has to use passwords across many multiple sites and counting. Either you use the same or a few similar passwords, which is insecure, or you have to remember a different one for each site. Whichever it isn’t ideal. A report by identity vendors CSID found that amongst U.S. consumers, 61% reused the same password across multiple sites and 46% of them had 5 or more passwords to remember. You can, of course use a password manager, but that brings its own issues.

As an alternative, social and similar platforms, such as Facebook, Twitter, Google, Papal and Amazon, offer federated login which can be used as an alternative to a username and password. There are pros and cons to the use of this type of credential, of course.

And when you bring the password into the Enterprise, usage behavior becomes even more concerning.  Password sharing is one of the most prevalent insider threats. A survey by Centrify into password habits, found that 52% of U.S. based IT administrators had shared their username and password with a contractor and 59% of them with a colleague.

A Multitude of Options with Multiple Factor Authentication

The above username and password issues leads onto how can we improve things without upsetting the apple cart too much, after all, we like passwords, in the main.

If username and password are something we know, we can call this a first factor. If something we have, like a mobile device is also used to login with, alongside username and password, then that becomes a second factor or 2FA. 2FA is becoming more popular for the reason that it allows you to multiply the security needed to login to any system and it can be highly preventative in any phishing attempt.

The types of second factor authentication available are increasing, but the most common are mobile device based apps, or codes set by SMS text. You do also get hardware devices or ‘security tokens, especially in enterprise environments, but these were becoming less attractive as they cost per device and BYOD meant that employees were using smartphones at work, so why not utilize those. However, a recent innovation in security tokens, U2F, has made them more attractive as an option.

Mobile App Based 2FA

Mobile based 2FA apps offer support for the following options:

• HOTP: A code is sent to the mobile app. This code is hashed. The user enters the code into the application during login, after they have entered their first factor.
• TOTP: This is also a code but it is time-limited, i.e. It only lasts for a few seconds and must again be entered after a first factor has been entered for login.

One of the issues surrounding mobile code based access is the security; some implementations being more secure than others. The most secure way of using a mobile app based 2FA method is for the app to communicate the code directly to the back end of the application, rather than the user inputting the code into a user interface, which is open to a Man-in-the-Middle attack.

SMS Based 2FA

Mobile phones, including those that aren’t smart, as well as modern landlines, can use SMS based codes to login as a second factor. One of the downsides of using SMS code based 2FA is that it costs the vendor who is sending out the codes as generally this is done via a third party SMS gateway system.

Security Tokens

The security tokens mentioned earlier have been improved in recent years using a new authentication protocol called U2F developed by a consortium of large technology vendors, including Google, and known as the FIDO Alliance. In fact Google have implemented a version of U2F based on a key, which is inserted into a USB port, the user ‘clicking’ a button on the key to sign into web apps. Of course the issue with this is that if you are using an iPad or Smartphone for access there is no USB port.

You’ll Know It’s Me

The next major advance in authentication is the biometric. Anyone with an iPhone 5S or later, will know about their TouchID biometric login system, which uses a fingerprint to open the phone for use. This is probably the most well known type of biometric in common use and certainly it has broken down some of the barriers to biometric acceptance.

One of the earlier barriers to success with biometrics was an alarmingly large rate of false negatives or positives. Advances, such as that seen at Carolinas Healthcare System, which uses the veins in a person’s palm, has seen match rates increase to 99.9% in the last ten years. This is another issue with biometrics that is breaking down to allow a more global uptake of the method.

It looks like biometrics will start to be used more. As we see advances in biometric management, accuracy of biometrics results, and as the spectrum of biometric types increases, then it is a natural way to login and so will be opted for by the user.

Adaptive Authentication

Adaptive authentication is less of an authentication method and more of how you use existing methods, more efficiently, with added security and improved usability. Adaptive authentication allows you to configure policies, which determine the level of authentication required under any given circumstance.  It works by accessing the risk level of a specific access attempt. The best way to describe it is with examples. So, for example, you could set a policy that says that if a user is attempting access from a given IP or IP range, such as you’d get by accessing within the headquarters of an enterprise, then single sign on (SSO) is allowed. Or you could allow access from certain devices within a given geographic location but only using a second factor. Another example could be to increase the requirements of login, even going as far as to ask knowledge based questions, if you don’t meet certain criteria, or there is a pattern of failed login attempts and so on.

Adaptive authentication is a really good method of making the most of what you’ve got and it can really help with resource protection and handling varying levels of risk, especially in an extended supply chain where a variety of people across many jurisdiction require access rights.