A new report published by manufacturers’ organisation EEF in partnership with insurance firm AIG and the Royal United Services Institute (RUSI) shows that 48% of UK manufacturers have been subject to a cyber-security incident at some time.
Loss and Disruption
Half of those manufacturing companies who admit to being hit by cyber-criminals have said that the incident(s) caused financial loss or disruption to business.
Challenges
The report highlighted several key challenges that the manufacturing industry faces in making itself less vulnerable to cyber-criminals. These challenges include:
The age of equipment and the networked nature of production facilities. Many industrial systems are up to 20 years old and were developed before cyber threats became a big issue. As a result, poorly protected office systems, often the first implemented historically within manufacturing businesses, are particularly vulnerable. Also, a networked building, such as many manufacturing sites, can be hacked and exploited.
Many manufacturing companies hold a large amount of classified information e.g. intellectual property (IP) and trade secrets, which makes them targets for (for example) financially motivated, state-sponsored hackers.
Having no idea of the nature and size of the risks. 41% of manufacturing companies don’t believe they have access to enough information to assess their true cyber risk, and 12% of manufacturers admit they have no technical or managerial processes in place to even start assessing the real risk.
A lack of basic detection that a cyber attack is taking place / has taken place, and a lack of investment in training i.e. 34% do not offer cyber-security training.
Feeling that they are not equipped to tackle the risk anyway. For example, 45% are not confident they are prepared with the right tools for the job.
A lack of confidence. Although 91% of the 170 UK manufacturing businesses polled are investing in digital technologies, 35% think that cyber vulnerability is inhibiting them from doing so fully.
What Does This Mean For Your Business?
For manufacturing businesses facing the very real threat of sophisticated, multi-level attacks, now is not the time to be left with a vulnerable outdated system. Advice from the report includes following the advice of the Government backed ‘Cyber Essentials’ scheme. This includes the 5 security essentials of using a firewall to secure your Internet connection, choosing the most secure settings for your devices and software, controlling who has access to your data and services, protecting yourself from viruses and other malware by using antivirus software, only downloading apps from manufacturer-approved stores, or running apps and programs in an isolated environment, and continually ensuring that operating systems and software are up-to-date and running the latest security patches.
Clearly, manufacturing companies with old systems may need to bite the bullet and invest in more modern, digitised, and well-protected systems. The report also indicates that greater investment in staff training is needed to help them spot and deal with risks, and to avoid the kind of human error that is needed in many modern cyber-attacks e.g. malware / viruses sent by email, phishing, and other social engineering attacks.
Another opportunity for manufacturing companies to boost cyber-security could also come from cyber-insurance. For example, many cyber insurers offer a comprehensive package of pre-loss services to businesses to carry out a cyber health check which could help to highlight gaps in cyber risk management and help identify what security measures should be prioritised.
The latest attacker behaviour industry report by automated threat management firm Vectra shows that UK higher education institutions are now prime targets for illicit cryptocurrency mining, also known as ‘cryptojacking’.
Cryptocurrency Mining
‘Cryptocurrency mining’ involves installing ‘mining script’ code such as Coin Hive into multiple web pages without the knowledge of the web page visitor or often the website owner. The scammer then gets multiple computers to join their networks so that the combined computing power will enable them to solve mathematical problems. Whichever scammer is first to solve these problems is then able to claim / generate cash in the form of crypto-currency – hence mining for crypto-currency.
Taking Coin Hive as an example, this crypto-currency mining software is written in Javascript, and sends any coins mined by the browser to the owner of the web site. If you visit a website where it is being used (embedded in the web page), you may notice that power consumption and CPU usage on your browser will increase, and your computer will start to lag and become unresponsive. These slowing, lagging symptoms will end when you leave the web page.
Why Target Universities?
According to Vectra report, the UK’s universities are being targeted by cryptojackers because they have high bandwidth capacity networks, and they host many students on their networks who are not protected. This makes them ideal cyber-crime campaign command and control operations centres.
This means that students who are using the bandwidth e.g. to watch movies online could unwittingly be giving cyber criminals access to computing resources in the background by using websites that host cryptojacking malware.
It is also believed to be possible that the relative anonymity and power of the computing resources at universities are enabling a small number of students to tap into them, and carry out illicit cryptocurrency mining activities of their own.
Other Targets
Higher education institutions are, of course, not the only main targets. The report highlights the entertainment and leisure sector (6%), financial services (3%), technology (3%) and healthcare (2%) as also being targets for cryptojackers. The effects of being targeted by cryptojackers can be increased power consumption and a reduction in hardware lifespans.
What Does This Mean For Your Business?
For higher education institutions, they can only issue notices to students they detect cryptomining, and / or issue a cease and desist order. They can also provide assistance in cleaning computers, and try to advise students on how to protect themselves and the university by installing operating system patches and creating awareness of phishing emails, suspicious websites and web ads. These measures, however, don’t go far enough to address the challenge of better detection, and / or stopping cryptomining from happening in the first place.
Businesses are also struggling to keep up with the increasingly sophisticated activities of cryptojackers and other cyber-criminals, particularly with a global shortage of skilled cyber-security professionals to handle detection and response. In the meantime, the answer for many enterprise organisations has been the deployment of artificial intelligence-based security analytics. Where cryptojacking is concerned, AI is proving to be essential to augmenting existing cyber-security teams to enable fast detection and a response to threats.
The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses. If using AI security techniques are beyond your current budget and level of technical expertise, you may be pleased to know that there are some more simple measures that your business can take to avoid being exploited as part of a cryptojacking scam.
If, for example, you are using an ad blocker on your computer, you can set it to block one specific JavaScript URL which is https://coinhive.com/lib/miner.min.js . This will stop the miner from running without stopping you from using any of the websites that you normally visit.
Also, a dedicated browser extension called ‘No Coin’ is available for Chrome, Firefox and Opera. This will stop the Coin Hive mining code being used through your browser. This extension comes with a white-list and an option to pause the extension should you wish to do so.
Coin Hive’s developers have also said that they would like people to report any malicious use of Coin Hive to them.
Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.
The latest McAfee Labs threat report shows that in the last quarter of 2017, organisations faced 8 new cyber threats a second as there was an 18% increase in the number of reported security incidents across Europe.
478 New Cyber Threats Every Minute
The report makes worrying reading as businesses and organisations try to secure their online and data security systems in preparation for the introduction of GDPR.
The McAfee Labs report shows an 18% increase in the number of reported security incidents across Europe with a specific focus the on adoption of newer tools and schemes, such as fileless malware, cryptocurrency mining and steganography.
Cytptocurrency Mining
The rocketing value of the cryptocurrency Bitcoin led to a big increase in cryptocurrency mining / cryptojacking in the last quarter of 2017. For example, cryptojacking involves installing ‘mining script’ code such as Coin Hive into multiple web pages without the knowledge of the website owners. The scammer then gets multiple computers to join their networks so that the combined computing power will enable them to solve mathematical problems. Whichever scammer is first to solve these problems is then able to claim / generate cash in the form of crypto-currency.
Also, at the end of 2017, ransomware operators were found to be hijacking Bitcoin and Monero wallets using Android apps developed exclusively for the purpose of cryptocurrency mining. Many criminals appear to have favoured Litecoin over Bitcoin because there was a lesser chance of exposure.
Fileless Malware Attacks
Another trend uncovered by the McAfee Labs threat report was the adoption of fileless malware and abusing Microsoft PowerShell, which showed a 432% surge over the course of 2017.
Fileless malware involves hijacking tools that are already built-in to Windows rather than installing software on a victim’s computer. It is designed to work in-memory (in the computer’s RAM) and is, therefore, very resistant to existing anti-computer forensic strategies, and is difficult to detect.
The MacAfee report showed a huge 267% growth in the use of the new PowerShell malware. Powershell is a legitimate tool (scripting language) that is built-in to Windows, and provides access to a machine’s inner core, including Windows APIs. This is why it has become a favoured route for fileless malware attacks.
Increase In Attacks On Healthcare
One other disappointing trend uncovered in the McAfee Labs threat report is the dramatic 210% overall increase in incidents against healthcare organisations in 2017. It is believed that these attacks were facilitated by organisational failures to comply with security best practices, or to address many known vulnerabilities in medical software.
What Does This Mean For Your Business?
The report highlights how businesses now face risks on an unprecedented scale, and how, particularly with GDPR on the way, businesses need to prioritise cyber and data security. A collaborative and liberalised information-sharing approach should be taken to improve attack defences and combat escalating asymmetrical cyber warfare.
Cyber-criminals always try to combine the highest returns in the shortest time with the least risk. This is why tactics like cryptojacking, stealthy fileless PowerShell attacks, and attacks on soft targets such as hospitals have become so popular over the last year.
New threats for this year, such as cyber-criminals developing botnets exploiting the Internet of Things (IoT) will pose more challenges to businesses and the security industry.
A freedom of information request by privacy campaign group Big Brother
Watch has revealed the shocking statistic that a quarter of all UK councils have had their IT systems breached in the past five years.
37 Attempted Cyber Attacks Every Minute
The ‘Cyber Attacks In Local Authorities’ report from Big Brother Watch shows that local governments are subject to cyber attack attempts at the staggering rate of 37 per minute!
Thankfully, only a tiny fraction of the attacks launched are successful although this still represents a serious problem. For example, 114 councils experienced at least one incident between 2013 and 2017.
High Stakes
The nature of the work of UK Councils is such that they hold a large amount of up-to-date personal data for people in their areas, so one successful breach can have very serious consequences.
Not Disclosing Breaches
One particularly worrying aspect of council behaviour exposed by the report is that, from the data gathered, few seem to have reported losses and breaches of data, which is something that organisations will be required to do within 72 hours under GDPR when it comes into force in May.
Human Error – Training Needed
As in so many companies and organisations, human error is often a factor in breaches. In 2015, for example, Big Brother Watch has exposed how local authorities committed 4 data breaches a day, all thought to be predominantly caused by human error.
Big Brother Watch has also revealed that that, despite the number and seriousness of the breaches, little action has been taken by UK councils to increase staff awareness and education in matters of cyber security and data protection. For example, it has been disclosed that 75% of local authorities do not provide mandatory training in cyber security awareness for staff, and that16% do not provide any training at all!
What Does This Mean For Your Business?
Some commentators have been quick to point out that bearing in mind how much sensitive data councils hold about citizens, and the incredible amount of attempted cyber attacks against them, they could be making more of an effort and an investment to beef-up security.
Other commentators have noted that cuts to council budgets e.g. with austerity measures may have played their part in limiting cyber security effectiveness in UK councils.
After the shocking findings of the report, Big Brother Watch issued some recommendations to local authorities which could very well apply to other businesses and organisations. These are:
Cyber security should be prioritised, and that rather than investing too much in surveillance technologies, more should be invested in cyber security strategies and in the training of staff.
Cyber security incidents should be consistently reported, and that a protocol needs to be established so that incidents are reported quickly and to the right authorities e.g. the police, the ICO, and the National Cyber Security Centre.
All staff should receive mandatory training in cyber security because Cyber attacks are not only designed to breach computer systems, but also to exploit humans who are often the weakest cyber security link.
The Malwarebytes annual State of Malware report has revealed that the UK
is now the most targeted region in the world for cyber threats.
Big Rises
The UK has been elevated to the unenviable position at the top of the targets table after a huge 165% increase in UK bound ransomware was recorded, and after a 134% rise in hijacking attempts against British machines. This means that as well as being most at risk, the UK’s ransomware attack rate is now double that of the US.
Why Is The UK Being Targeted?
One reason is that ransomware use worldwide saw a 90+% increase against businesses in 2017 up until the end of year, when ransomware’s use began to decrease as criminals turned more to the use of banking Trojans and cryptocurrency mining. In 2017, the UK was famously hit by the massive WannaCry ransomware attack, which is believed to have originated in North Korea, claimed victims in 150 countries, and led to around 130,000 infections of computers. Older computer systems, such as those in the NHS, were particularly badly affected.
Spyware Increase
The Malwarebytes data also showed a big increase in the use of spyware last year – an increase of 882%.
Move To Trojans
The report data also shows that cyber-criminals are turning to different attack methods as awareness is raised about ransomware and more measures are taken to combat it. For example, Trojans are now being used in more than 20% of global attacks, and the use of banking Trojans doubled in the second half of 2017.
Earlier this month, security researchers discovered a new type of malware (called Android.banker.A2f8a) targeting 232 banking apps on Android devices, stealing login details, hijacking SMSs, as well as uploading contact lists and SMSs on a malicious server. Banking Trojans of this kind can spy on the credentials entered by the user, and intercept incoming and outgoing SMS.
Move To Crypotocurrency Mining
It appears that cyber-criminals are also moving into cryptocurrency mining, using cryptomining tools to exploit malware infected machines in order to generate and steal digital currencies. Criminals were attracted by the rapid growth in the value of cyptocurrencies such as Bitcoin and Malwarebytes is reported to have blocked an average of 8 million drive-by mining attempts each day in September.
A recent report by Ernst & Young has also highlighted the fact that 10% of all funds raised through Initial Coin Offerings (ICOs) are stolen by hackers using techniques such as Phishing.
What Does This Mean For Your Business?
In 2018, some security experts and commentators are predicting a further rise in the use of drive-by mining tools, new mining platforms and new forms of malware to steal virtual currencies. It seems that 2018’s criminals are more likely to be interested in simply stealing than rather than trying to hold businesses to ransom.
The IoT may continue to be a target, and businesses should be careful to guard against supply chain attacks, malware possibly targeting Mac computers, and more weaponised zero-day vulnerabilities. Giving 3rd parties in your company supply chain / value chain access to systems and sensitive data, combined with increased levels of sophistication in hacking tools and strategies, plus increased oversight from regulators, and potentially ‘weak link’ companies in terms of cyber-security now make the risk of supply chain attack very real for companies in 2018.
Businesses need to increase cyber-security awareness and training, and employ a holistic risk-based authentication infrastructure across multiple vectors in order to stay one step ahead of the developing cyber threat.
The use of enhanced technologies, and the assistance of greater regulation for cryptocurrencies may also help to reduce some of the risks shown in the Malwarebytes report.
Cyber-security Company, Pan Test Partners, have warned that schools with building management systems that are linked to the Internet could face the risk of hackers turning the school heating system off – or worse.
The Problem
The problem is that many electricians and engineers may be lacking in knowledge about cyber security and/or may have linked a school’s HVAC system to Internet controls against the manufacturer’s guidelines. Also, many smart school heating systems may have vulnerabilities in them that hackers may find easy to exploit.
Tested
The researchers at Pan Test Partners tested for potential hacking risks by looking for building management system controllers made by Trend Control Systems via IoT search tool Shodan. This online tool (see https://www.shodan.io) provides a public API and enables anyone to discover which devices are connected to the Internet. Where they are located and who is using them.
In a test, it was revealed that it took less than 10 seconds to find more than 1,000 examples of a 2003 model of a school heating system known to be vulnerable when connected to the Internet. The visibility of a known vulnerable system via a public website is a clear example that the risk of school heating systems being controlled remotely by hackers is real.
Not Just Schools
The same/similar heating systems may also be used in buildings used by retailers, government offices, businesses and even military bases, thereby highlighting a much wider potential risk.
Incentive
Security commentators have pointed out that there would be very little incentive for hackers to access school systems. Because many hacks are carried out for financial gain.
The risks could, however, increase in future as more devices and systems become part of the IoT.
What Does This Mean For Your Business?
It is possible that some businesses may be in buildings where the heating systems are exposed to a hacking risk. Risks could be reduced if companies used skilled IT workers who are aware of the potential risks and if systems are checked properly after installation.
To make heating systems really secure they should also be configured behind a firewall or virtual private network, and they should have the latest firmware and other security updates.
It is also important to note that some responsibility rests with the manufacturers of heating and other smart building systems. They need to design security features into them because even if a device is not directly connected to the internet, there may be an indirect way to access it.
This story also highlights the wider challenge of tackling security for IoT devices and products. There have been many occasions in recent years when concerns about the security/privacy vulnerabilities in IoT/smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities are unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home users have no real way of ascertaining the risks that smart devices pose, probably until it’s too late.
It has also been noted that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security. But there is also still no universal, certifiable standard for IoT security.
What do you need to do
For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible. For home users of smart products (who don’t run checks and audits), it appears that others need to step in on their behalf and force the manufacturers to take security risks seriously.
Recent Comments