CYBERCRIME AND INDUSTRY #4: HOW CYBERCRIME IS AFFECTING THE AUTOMOTIVE INDUSTRY

In the 1990 Arnold Schwarzenegger film, Total Recall, there was a futuristic car, called a ‘Johnny Cab’. The Johnny cab was a sort of self-drive automobile, although driven by a robot. In one scene, Arnie was being chased by some baddies. He jumps into a Johnny cab and asks the cab to ‘drive, drive!’ but of course, the robot doesn’t know where to drive. The end result is Arnie, ripping out the robotics of the car and driving it himself. The Johnny cab was a prediction about the near future of the automotive industry, one of robotics, automation and the Internet of Things.

Only 16 years on from the film and we have found ourselves with our own self-driving cars, at least in prototype. BI Intelligence is predicting that by 2020 there will be around 10 million self-drive cars on our roads. Google has its own self-driving car project. Tesla has created the first semi-automated car that is in release, the Model S – although a recent crash by a test pilot has sent some shockwaves through the industry around the safety of the self-drive.

And then there are the changes happening within the industry due to the Internet of Things (IoT). IBM’s Watson, for example, is an IoT platform that is used across the automotive industry. It allows you to connect, collect, and analyze data associated with all aspects of transport. It is being used to manage vehicle fleets, improve car efficiency, and handle data across the extended supply chain of the automotive industry. With Gartner predicting that 250 million connected cars will be on the road by 2020, we can expect an enormous amount of Cloud bound data to be generated by this industry sector.

In terms of cyber security threats, the automotive industry feels the same cyber pain as other industries. They are threatened by phishing, extorted by ransomware, and breached by APTs. In the 2016 IBM X-Force review of cyber attacks, automotive was one of the most targeted industries, seeing 30% of the total attacks across manufacturing, which came in as the second most targeted industry sector.

However, it is the future that may hold the most concern for the automotive industry as it becomes ever more connected.

Future Fears – Cyber Crime and the Automotive Industry 

Platforms, like Watson, which offer a way of creating highly connected networks, are creating greater opportunities by improving collaboration. In an IBM survey, 74% of executives rated collaboration outside of their key industry as being a positive change and bringing growth to their business. However, collaboration and connectivity require you to reach out and share data. The IoT allows the sharing of this data across fast Internet connections. In the automotive industry, this includes information used to keep us safe as we drive, and data that reveals company and product proprietary information to our partner suppliers. Once you begin to store and then transfer data, especially large amounts of sensitive data, the data radar of the cybercriminal begins to twitch.

The problem starting to unfold with the IoT is that in the rush to market to get IoT connectivity into products, and be ‘first to market’, security has taken a back seat. A Hewlett Packard report on the Internet of Things found that at least 70% of IoT devices had security flaws.

We are already seeing IoT focused cyber attacks. For example, the worm, Linux.Darlloz was specifically designed to target IoT devices. Last year a white hat hacker showed how easy it was to hack a self-drive car. The researcher used an off-the-shelf device, like a Raspberry Pi, to trick the car into thinking there was an obstacle in its way – potentially causing it to crash.

This insecurity of things has a greater impact when the ‘things’ are multiplied. One of the issues that the automotive industry has at a larger scale than most other sectors is that of its highly extended supply chain. Vehicles tend to be built from parts created by a myriad of specialist suppliers. As the IoT starts to pervade all aspects of the build, manufacturers will be put under pressure to ensure the security of each part is upheld – it is bad enough having a single point of failure, but multiple points of failure can place manufacturers in a difficult position.

The Supply Chain as a Point of Failure

Keeping the supply chain secure, as our automotive industry embraces the cutting edge of technology, is crucial to not only the protection of sensitive and proprietary data, but also the physical safety of anyone using this new technology. As digitization of the industry takes hold, each individual part that is manufactured is at risk of being compromised by a cyber attack. The software that is created to control engine emissions may end up infected with a worm that then replicates itself across any digitized part of the vehicle, including IoT sensors. This has already happened to an Internet enabled security camera that had infected software installed during manufacture. The company ended up being fined for security violations by the FTC.

Vehicle manufacturing is an industry highly dependent on an ecosystem of players, utilizing parts from a variety of companies across the supply chain. This means the automotive industry has to have a clear and effective vendor risk management program. Making sure that each part of the whole is manufactured using security best practices, keeping watch on counterfeit parts entering the chain, and generally managing the changes across the security landscape as new automation enters the industry is more important than ever. It is vital to have a holistic approach to the security of our vehicles to retain consumer safety and trust in the industry.


CYBERCRIME AND INDUSTRY #3: HOW CYBERCRIME IS AFFECTING OUR MANUFACTURING INDUSTRY

In the third in our series of articles on cybercrime and industry we will look at how manufacturing is being impacted by the rise of cybercrime. The manufacturing industry is going through a period of fast change. Many industrial systems are being overhauled to bring them into an era of high connectivity. The Internet of Things and automation / robotics are being used as a productivity booster, and a way of bringing the notoriously complicated manufacturing supply chain more closely under control.

The manufacturing sector has some fundamental challenges above and beyond those of the previously discussed sectors, healthcare and financial. This includes protection of intellectual property and corporate espionage / sabotage.

Manufacturing Pain Points

Advanced Persistent Threats (APT) in manufacturing: APTs play the long game. Cybercriminals use techniques like spear phishing to get malware onto a system, and then use stealth and avoidance techniques to slowly exfiltrate data, such as proprietary information, often over many months. APTs are a real threat to manufacturing because of the difficulty in detecting the underlying malware. This is down to the ability of the hacker to remotely control the malware (using a ‘command and control’ center) – morphing it to hide it from detection by traditional anti-virus and monitoring techniques. Kaspersky run an APT logbook, and it’s interesting to see how APTs have become more prevalent over time. Filtering the logbook across manufacturing related industries shows how this area has become an increasing target for APT style attacks.

Intellectual property: Intellectual property (IP) is the mainstay of our manufacturing industry and its theft is a major contributor to economic issues in the USA. The IP Commission’s report into IP theft found that hundreds of billions of dollars’ worth of IP was stolen each year from U.S. firms of all sizes. They described the situation as “the greatest transfer of wealth in history”. The loss of IP affects jobs and innovation. The theft is often state sponsored, the IP Commission report pointing to China as being a likely source, but insider threats are also an issue, including supply chain insiders. Verizon found that 46% of IP theft cases start with an employee. The staff member is likely collaborating with cybercriminals to extract the data – the prime driver being financial gain. When insiders are used, access is often through misuse of privileged credentials. But it may not be the system administrator actually behind the breach. Centrify found that in a survey of U.S. IT staff, 52% had shared a login credential with a contractor, and 59% with a fellow worker.

Cyber-espionage: According to Verizon’s “2016 Data Breach Investigations Report” manufacturing is one of the top three industries to suffer from cyber espionage. Cyber espionage is an external threat, sometimes state sponsored, or at least competitor sponsored, where the target is proprietary data and trade secrets. The vector into the manufacturer is most often via a spear phishing email, which is ultimately behind an APT attack (see above). The attackers can then quickly get at the credentials needed to log in to the system and implant malware that exfiltrates data back to source. Another method that is gaining ground is the drive-by download. This vector is the sneakiest of all and is completely silent, so the user isn’t aware that they have been infected with malware – usually keyloggers which then go on to steal login credentials. Drive-by downloads use exploit kits within a website – typically a site that is commonly used by that sector will be infected by the hacker. If the user visits that site, the exploit kit then looks for a vulnerability in a browser or other software application like Adobe Flash. The exploit kit uses this vulnerability to silently install the malware. It literally takes seconds, and you don’t even notice it happening. Once the user is infected, their credentials can be stolen, allowing access to the extended network.

Attacks against automation: The fourth industrial revolution is built upon automation and robotics. These devices are primary candidates for cyber attack. In an industry that is heavily reliant on connected and automated components, points of automation-targeted attacks make the industry highly vulnerable. In a report by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), they found that in the 12 months from October 2013 there were 245 cyber security incidents, with 32% of those affecting the energy sector and 27% critical manufacturing; 55% of these were due to APTs (see earlier). You can imagine a scenario whereby a hacker has accessed a crucial automation unit, and sends malicious commands to it, causing chaos, resulting in the shutdown of the unit. Similarly, critical infrastructures, such as those controlled by power and water suppliers, are under increasing threat, including threats of cyber-terrorism. Examples include the 2014 cyber attack against the U.S. federal weather station network (NOAA) and the 2014 German steel mill attack, which caused the failure of multiple automated systems.

As our manufacturing industry becomes ever more interconnected, and the extended supply chain becomes more intrinsically hooked up to the network, the threat surface will become more complex. This brings deep level security issues that need to be addressed at the operating system/platform level. This does not however preclude the need for security training and awareness. The ever-present threat of phishing, especially spear phishing, which often is connected to an APT attack, can be handled through user training programs. The cyber security problems facing manufacturing as they undergo the fourth industrial revolution, need to be handled by a multi-layered approach, from ensuring that the systems manufacturers use are themselves utilizing appropriate safety measures to the awareness of security risk across the extended supply chain.


CYBERCRIME AND INDUSTRY #2: HOW CYBERCRIME IS AFFECTING OUR FINANCIAL SERVICES INDUSTRY

In the second in our series of articles on cybercrime and industry we will look at how the financial services industry is being impacted by the rise of cybercrime. The financial services sector has always been a traditional target for cybercrime. However, as we saw in the previous article, healthcare has taken over the title from financial services as the number one most targeted industry sector. But does this mean the beady eyes of the cybercriminal are no longer focused on financial services? This article will explore the current climate for hacking our financial sector.

Cybercrime and Financial Service

The financial sector is like the perfect package for a hacker. Banks and other financial institutions contain information that spans everything a cybercriminal wants, all wrapped up in one place: from your financial details and bank account, to identity data. If you look at some of the breaches in the financial services sector just in 2014 and 2015, you can see that they are some of the most major in history. For example, in 2014 JP Morgan Chase had 83 million bank accounts exposed in a phishing (including Text phishing or SMishing) scam.

Security attacks are perpetrated using several methods. Phishing is still a major issue for the financial sector as it has been now for many years. The Carbanak bank heist, which purportedly has cost around $1 billion so far, began with a phishing email. The email contained a piece of malware that stole login credentials once installed. The fact that access to bank accounts can be potentially compromised from an email shows how integrated banking is in all of our lives. A new variant of this is the targeting of personal accounts that use mobile banking. For instance, an Android-based malware spots what bank a user is navigating to from their smartphone, and overlays a spoof page that looks identical to the mobile banking page. It then steals the credentials used to access the site, which the hacker can then use to access the real mobile banking account.

But phishing isn’t just hitting individuals. Companies are being targeted by a variant known as Business Email Compromise or BEC. This technique uses the natural hierarchy of an organization to scam employees. Typically, a company accountant, or someone in a similar role, will receive an email from someone high up in the organization, like a CFO or CEO. The email will look exactly as if it is from the person it is supposed to be from – as the phisher will have done a lot of research into their target. The email will ask that the person make an urgent transfer of money to a supplier who has had to change their bank account for some reason. This scam has already cost around $2.3 billion according to the FBI.

Advanced Persistent Threats, which use stealth and the long game to extract information and monies, are also being used against the financial sector. In a recent APT threat identified by the Financial Sector Cyber Intelligence Group, spear phishing was the way in for the APT actor. The first step in this type of attack is to implant a Command and Control center (C&C) so that hackers can add further malware to the compromised system. A C&C is like the hacker having their finger right inside the pie – they can control malware and update it remotely. APTs are notoriously difficult to detect as they morph (via the C&C) when any hint of possible detection is observed.

Financial sector attacks are not just about direct access to money anymore. They are also about identity theft and breaching data. The financial sector was ranked third for identity theft last year by the Identity Theft Resource Center. This is because in the world of cybercrime, personal information equates to money. Financial records fetch on average $221 per record, compared to the $30 that a U.S.-based stolen credit card commands on the dark web.

Distributed Denial of Service (DDoS) attacks are also a major threat for the financial sector, with DDoS and web app attacks against financial services having increased 31% since 2015, according to the ‘2016 Data Breach Investigations Report’. However, DDoS attacks are less about pulling down websites and more about being a smokescreen to allow hackers to implant malware, which is then used to steal data and login credentials.

Where Should We Concentrate Our Efforts in Controlling Financial Sector Security Threats?

One of the issues in the banking sector is getting the word out to all the stakeholders, including the board, that cybersecurity is a company wide issue, not just a problem for IT. This is a general problem for any sector, but financial services are feeling the impact in a massive way, and right across the ecosystem, from direct attacks, to supply chain breaches as well as business and personal account compromise.

Because the financial sector, more than most, has very close touch points with its customer base, and has an extended supply chain with direct ties into the main company, it is a sweet target. Even with a broad thinking and strategic security plan, and state of the art security tools in place, with such a wide ecosystem, the sector is at risk. PWC in their ‘Global State of Information Security Survey: Financial Services 2016’ stated that third party vendor security assessment and management, is the single biggest challenge of the industry in controlling security threats. PWC points out that industry organizations that use risk based security frameworks to communicate with third party vendors were more successful in controlling security risks within the vendor ecosystem.

Going forward, the increased awareness of threats to the financial sector, brought about to a large degree by the major attacks perpetrated against the industry, will mean that we should all become more vigilant. This should include a generalized education program, not just for those employed within the sector but also the supply chain and customers. The push for a more secure financial services sector needs to be a top down approach. The board must engage in a program of security, which includes frameworks for communicating security information across the supply chain and beyond. As cybercriminals continue to up their game, the financial sector can win the cybersecurity war by upping their game too.


SecurIT awarded as one of the best Security service providers in MT1000

Management Team 1000 has announced the best Dutch B2B Service providers of 2019 based on a study by the Erasmus University, and SecurIT has landed a spot in the top 1000 best service providers of The Netherlands! SecurIT has been awarded the highest Net Promoter Score and the best customer service in the category ‘IT-security’. We are very proud to announce that this also resulted in a second-place overall in IT-security. 

Best business service providers in the Netherlands

In this 3rd edition of the study, more than four thousand business decision-makers were asked about their experiences with service providers. Who has the best products (product leadership), who offers the best customer service and who has the most Operational Excellence? That, combined with NPS, which measures whether people recommend the service to others, provides a fascinating overview. The list was compiled objectively, according to Erasmus University and Management Team; it is not about the size of the marketing budget, the turnover, the workforce, but the opinion of the customer. SecurIT scored 5 out of 5 in customer service, 5 out of 5 in NPS, 4 out of 5 in product leadership, and 4 out of 5 in Operational Excellence.

An overview of the different categories

A boost for 2020

With our many years of experience in Identity and Access Management, this national recognition is, of course, the cherry on the cake. We are very thankful for the hard work of our colleagues and the attention of our customers. It gives SecurIT an interesting perspective for 2020!

See the full list of MT1000’s category Security


CYBERCRIME AND INDUSTRY #1: HOW CYBERCRIME IS AFFECTING OUR HEALTHCARE INDUSTRY

This is the first in a series of articles looking at how the cybercrime wave is affecting different industry sectors. This first article will look at our healthcare industry. Healthcare is arguably one of the most information intensive sectors. During any individual interaction with a healthcare service, a multitude of data is created, shared and stored. Electronic health records (EHR) contain enormous amounts of information about us: from personal details, such as name, address and our age, to medical data for past, present and potentially future physical or mental health issues, to financial details. It is a very rich source of information making the healthcare industry a prime target for cybercriminals.

Cybercrime and Healthcare – Levels, Costs and Attack Types

IBM’s X-Force in their 2016 Cyber Security Intelligence Report stated that healthcare is the “most frequently attacked industry”. 2015, it seems, has been the year of the healthcare breach. Most of the serious healthcare breaches since 2010 took place in 2015. This included:

· Anthem: Almost 80 million records breached
· Premera Blue Cross: 11 million records breached
· Excellus: 10 million
· University of California, Los Angeles Health: 4.5 million
· Medical Informatics Engineering: 3.9 million

Any organization that has a breach that involves 500 or more records has a legislative obligation to inform the Office of Civil Rights under Health and Human Services (OCR). The breach is then posted to a website, jokingly called the ‘wall of shame’ for the world to see. According to the information found at the OCR website, in 2015 over 112 million healthcare records were breached.

All of the above incidents were, according to the OCR site, caused by a “hacking/IT incident” on a “network server”. The likely reason behind the breach was to steal medical records, and this is because medical information is valuable. According to a Ponemon study, 2015 Costs of Data Breach, a U.S. medical record is worth, on average, $368 compared to a mean of $217 for other record types. This makes the healthcare industry a very lucrative target for a cybercriminal, who can sell these data on the dark web. And the data theft doesn’t stop there. Once stolen, personal data is used for social engineering attacks against individuals. It is also used for secondary attacks, like the IRS breach where personal data is used for verification purposes; in the IRS case, to make fraudulent tax claims. Stolen PHI is the gift that keeps on giving.

In 2016 we are seeing a possible change in the tactics used by cybercriminals against healthcare, away from pure data theft, to cyber extortion. There has been a spate of ransomware attacks against healthcare organizations in the U.S.

A recent report by the Health Information Trust Alliance found that 52% of the healthcare organizations interviewed in the U.S. had been a victim of ransomware.

Healthcare and Legislation

Healthcare is one of the industries that have specific legislation protecting individual data. In the healthcare industry this is known as Protected Health Information or PHI. PHI covers a gamut of data, including personal identifying information (PII) such as name, address, age and so on. It also includes medical data that relates to physical or mental health issues in the past, present or future. It also includes details such as biometrics, device identifiers and DNA. PHI is protected under the Health Insurance Portability and Accountability Act (HIPAA), brought in to protect the security and privacy of health data.

The Health Information Technology for Economic and Clinical Health Act, or HITECH, was an act originally introduced to set the framework for electronic health records (EHR). It helps to extend the reach of HIPAA in terms of protection of health data. An extension to HITECH, section 13407, which is enforced by the Federal Trade Commission (FTC), has brought the supply chain into focus. This clause specifies that the rules of data protection and privacy that apply to HIPAA covered entities now extend to all third party business associates, including contractors and sub-contractors, that have anything to do with health data handling. This creates a chain of organizations that have strict rules applied to how they must manage the security and privacy of the health data under their remit.

Healthcare Information and Futures

Healthcare is always going to be a prime target for cybercrime because the industry is a data innovator. Data is used as part of its prime objective, to care for us, but also to build better procedures and healthcare outcomes. The healthcare industry is one of the early adopters of Cloud based big data sharing. The Google Genomics project, for example, allows medics and researchers from across the globe to share genetic information.

Healthcare is also embracing disruptive technologies such as mobile and the Internet of Things (IoT). Analysts MarketsandMarkets are predicting the healthcare IoT market to be worth around $163 billion by 2020. IoT devices are being used across the healthcare ecosystem, from individual wearables relaying health data to the Cloud, to medical devices used within a hospital context – the FDA now being fully on-board with the use of IoT devices in a medical context. As for mobile, a study has shown that at least 87% of physicians use a mobile device for work related tasks.

With all of this data being generated across an increasingly diverse and interconnected playing field of devices and Cloud platforms, healthcare is a cybercriminal’s dream. With HIPAA and now the extended HITECH ruling on third party ownership of data security, it has never been a more important time for the healthcare industry, and its extended supply chain and partners, to step up to the plate and create a healthy cyber security strategy.

