It would be easy to say that 2019 is going to be the year of the state-sponsored hacker, but it would also be easy to say that this year is going to be the year of the cryptojacker. Or I could say that this is the year when cross-site scripting is going to be a major threat. But the reality is that 2019 promises to be all three.
The reality is that 2019 is going to be a year of unprecedented risk for cyber-attacks, and to even narrow it down to three types would be a mistake, because attacks are getting significantly more sophisticated, and the attackers are getting better and more numerous. Better because the skills of the state-sponsored cyber warriors are being transferred to cyber-criminals. More numerous because hacking kits are widely available on the internet, and so is the information needed to use them.
The true breadth of state-sponsored cyber-attacks is only now beginning to become known. For example, it now appears that the Equifax attack of 2017 was probably carried out by a state-run organization such as the Russian Internet Research Agency, although there’s no indication that it was the Russians who did it. There’s a belief by several researchers that the Equifax data was taken so that it could be paired with data from other sources, such as the Office of Personnel Management breach, to identify susceptible individuals who can be turned into spies.
‘Script Kiddies’ as Dangerous as Veteran Hackers
On the other hand, the number of attackers who can make use of the resources on the internet to launch their own, relatively unsophisticated, attacks is growing rapidly. While these so-called “script kiddies” aren’t experienced hackers, there are so many of them that the likelihood of their finding a vulnerable target is fairly good. And from your point of view, it doesn’t matter whether a successful attack comes from an experienced hacker or one that’s just lucky.
With this new level of threat in mind, here are some things to keep in mind about today’s security threats:
- While anti-virus and anti-malware software are still important, they’re not enough to protect you against today’s attacks. You also need secure network design and defense in depth. A secure network design means, among other things, a properly segmented network so that a single breach doesn’t provide an attacker with unfettered access to everything in your organization. Defense in depth means that perimeter protection isn’t enough; you also need intrusion detection, network monitoring, solid authentication and encryption.
- Size doesn’t matter. While you may think that your organization is too small to be of interest to a state-sponsored hacking organization or a cyber-criminal, you’re wrong. Even though you may not have any important secrets, the state-sponsored attackers are after information that they can use for a greater purpose. For example, the computerized health records in a medical office or a mental-health facility may provide details that those hackers want to use to blackmail a susceptible individual.
- Except for some very specific organizations, you probably can’t do this alone. This means that you will need to engage professional help to make sure your computing facilities are secure. You also need to ensure that your testing is comprehensive. This means more than just a security review, although that’s important. It means penetration testing, it means help with network architecture to ensure your network is properly segmented, and it means making sure that all data is encrypted, so that even a successful breach won’t yield useful data.
- Handled properly, the cloud can be a secure refuge for your organization. Any of the major cloud providers will almost certainly have better security than you can afford in your data center, but that’s not the end of cloud security. You must also make sure that you make use of the security features that are offered by your cloud provider, that your cloud access is also secure and that you train your employees to manage their access to the cloud securely.
- You owe it to your customers to provide for their security. This means that your organization’s website must be kept free from malware, and that you must make sure that your website cannot host cross-site scripting, malware payloads or any other means of extracting information from visitors or of providing a platform for attacking them. This means that your web pages must be programmed so that external inputs can’t be placed there, that external software can’t be implanted onto them, and that you monitor activity on those pages.
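The last point above, that external input must not be able to become part of your pages, is what the standard cross-site scripting defence of output encoding delivers. The following is an added example, not code from the original article; the function names (`escapeHtml`, `renderComment`, `renderProfileLink`, `containsRawTag`) and the sample comment are this example's own constructions. It shows a comment-rendering routine that concatenates visitor input straight into markup beside a hardened version that encodes every external value before insertion.

```javascript
// Added example (not from the original article): encoding untrusted input
// before it is placed in an HTML page, the basic defence against cross-site
// scripting. All names here are this example's own, not any library's.

// Map each HTML-significant character to its entity so the browser treats
// the input as text rather than as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the visitor-supplied string is concatenated straight
// into the markup, so any tags it carries become part of the page.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened pattern: every external value is encoded before insertion.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Attribute context: the display name is encoded, while the identifier that
// lands in the URL path is validated against a strict allow-list instead,
// because entity encoding alone does not make an arbitrary string a safe URL.
function renderProfileLink(displayName, userId) {
  if (!/^[A-Za-z0-9_-]+$/.test(userId)) {
    throw new Error('invalid user id');
  }
  const name = escapeHtml(displayName);
  return `<a href="/users/${userId}" title="${name}">${name}</a>`;
}

// Monitoring-style check: does any input that carried a tag survive verbatim
// in the rendered output? A true result means the page can host that markup.
function containsRawTag(html, inputs) {
  return inputs.some((s) => /<[a-zA-Z]/.test(s) && html.includes(s));
}

// Constructed sample input: a comment body that carries markup.
const sampleAuthor = 'visitor';
const sampleBody = 'Nice post <script>alert("x")</script>';

console.log('unsafe :', renderCommentUnsafe(sampleAuthor, sampleBody));
console.log('encoded:', renderComment(sampleAuthor, sampleBody));
console.log('link   :', renderProfileLink('O\'Brien <admin>', 'obrien-42'));
```

In a real application the encoding would be done by the templating engine's auto-escaping rather than by hand, but the rule it enforces is the same one shown here: nothing from outside the page is inserted without being encoded for the context it lands in, and the `containsRawTag` style of check is the kind of test that belongs in the site's automated review.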
It’s also important to take steps to ensure that your single biggest vulnerability, your employees, are trained to protect your company. This means actively and repeatedly training them not to click on links in email or on websites, not to respond to phishing emails and not to respond to social engineering attacks that may arrive through a variety of means, including the telephone. And it means that you need to examine your organization’s website to make sure that you’re not supplying the information needed to enable social engineering or phishing attacks.
So you’re going to have to make sure that the email addresses for your corporate management aren’t available to website visitors, and you have to protect information such as cell phone numbers, since mobile devices can provide a pathway for attackers.
Yes, it’s a lot of work, but the nature and level of the attacks have changed to the point where there’s more risk than ever before. Sadly, that risk isn’t going down any time soon, so it’s critical that you be prepared for it now, and then get ready for next year when it gets even worse.