Looking into the crystal ball of cyber threats
The third and final Ethical Hackers Forum for 2014, titled ‘New waves of cyber crime: 2015 security predictions’, was held at the Olympic House, Colombo recently. The forum aims to raise awareness of cyber security issues locally and globally, to help participants take informed decisions to prevent such challenges, and to provide a hassle-free networking and socialising arena for cyber security professionals.
The Chief Guest at the event was LankaClear General Manager and CEO Sunimal Weerasooriya. Krishnan Rajagopal, CEO of Akati Consulting, Malaysia and Head of Consultants and Master Trainer at Cicra Consultancies, was the keynote speaker, while Cisco Security Lead for India and SAARC Vivek Srivastava was the guest speaker.
Sunimal Weerasooriya shared his experience and thoughts on the security issues facing the financial sector in Sri Lanka, pointing out that the country is being targeted not only at an organisational level but at a national level, and that it therefore needs to come together to defend against these attacks.
“Phishing attacks on banks have been escalating in the recent past and also we have seen a few incidents of defacing of bank websites. Looking at the trends from what we have seen for the last few years, it appears that Sri Lanka is becoming a target now, not only for the enterprises or companies but as a country,” he said.
He highlighted that the importance of information security in the financial sector has grown exponentially during the past few years due to several factors. “The first key factor is the regulatory requirement, the mandatory information protection. The other is the growth of electronic banking and the e-payments. Thirdly the increasing number of individuals, that is the employees, customers, third-parties having access to the system,” he added.
Sunimal further spoke about the initiatives taken by LankaClear to strengthen security in the financial sector. “The first initiative we took under the National Payments Council under the Central Bank was to establish a Certification Authority; but according to the terminology used in Sri Lanka we call it a Certification Services Provider. We had to implement this because of the mandate we had from the Central Bank that we need to convert all our payments to electronic payments and be paperless and so we had to get rid of cash. With this, rose the security issues… Luckily for us, the legal framework was actually there to recognise electronic transactions and also to establish the CAs,” he said.
He explained how a central body that can be confidentially notified in the event of a breach can help to take measures to prevent further damage. “One of the most recent initiatives we have taken is the Bank Computer Security Incident Response Team (Bank CSIRT). There is a separate country CERT in Sri Lanka but from a sectoral CERT perspective this is probably the first. The purpose of this whole exercise is to jointly protect ourselves. Why B-CSIRT for banks? Some banks are more advanced and are more proactive when protecting their security infrastructures. These banks even have special security centres to look after their security operations; but some of the smaller banks do not have the bandwidth to provide that kind of service. Although financial institutions took security measures to protect their own systems earlier, there was no formal collaboration among these institutions,” he stated.
Following on, he underscored that “the Bank CSIRT offers five unique information security services. One is the formulation and implementation of baseline security standards for banks. The Bank CSIRT has the responsibility to do this but the Central Bank is actually governing. Then, the sharing of de-sensitised fraud, cybercrime incident and threat intelligence information anonymously among Bank CSIRT members. The others are the issuing of vulnerability, advisory and informational alerts, incident response services and the registration of certified third-party service providers. Currently, we have 25 financial institutions enrolled as members of the Bank CSIRT.”
He concluded his presentation by stressing that sufficient awareness needs to be built from the citizen level right up to the corporate level if we are to safeguard against emerging threats.
Pervasiveness of technology
Cisco Security Lead India and SAARC Vivek Srivastava focused his presentation on the growing threats and the need for proper information security measures.
He started off by presenting how Cisco evaluates the threat landscape, citing a few figures: 16 billion web requests are inspected every day through Cisco Cloud Web Security; 93 billion emails are inspected every day by Cisco’s hosted email solution; 200,000 IP addresses are evaluated daily; and 400,000 malware samples are evaluated daily.
He discussed the increasing cyber security issues faced by organisations and individuals, as a result of the pervasiveness of technology.
“A few years back, if we had to access our emails we had to be in office. But today I can be accessing emails and different applications, just sitting here. I’m using all sorts of devices like the iPad and iPhone and so on. So where is it going? It is creating more connections; and it’s bringing you more devices to the network,” he said.
“There is more than one application used in an organisation. For example, you use Facebook on the same machine you do your banking or ordering. So the difference between a personal device and a corporate device is also diminishing. This expands the attack surface as there are more devices, more applications attackers can target. It’s like throwing a dart in the dark and knowing for sure it will land somewhere,” he added.
Further, he explained the evolving nature of attacks: “Today I’m not going to create a virus and bring down 50,000 machines, because it will not bring me anything. I will rather use or leverage your platform, your users, your devices so I can probably use your infrastructure to launch a DDoS or something. I can use your laptops or machines to install key-loggers to get your banking information. So the motives have changed. There are organised guys who are behind these attacks; they have money, time, energy and motivation. The techniques they use are so advanced that they are many times missed by our security measures.”
Adding to this, he spoke about how difficult it is to set boundaries on information flow, especially with the use of cloud computing and the increasing number of devices.
Information Security predictions for 2015
Finally, the most awaited item, the information security predictions for 2015, was delivered by Akati Consulting, Malaysia CEO Krishnan Rajagopal. He has made a number of security predictions in past years and is regarded as a leading expert on cyber security. He has extensive hands-on technical experience and a wide range of industry certifications demonstrating technical proficiency and in-depth knowledge; to date he holds more than 50 professional certifications and is recognised internationally as one of the best in the industry for IT and computer security.
Rajagopal set the scene for his presentation by discussing a few predictions made for previous years and explaining how, in his assessment, these had turned out to be 100% accurate. He then discussed what should be expected next year.
“First prediction is that individuals will continue to suffer and organisations will continue to suffer as victims, but cyber criminals will focus on the bigger fish. You can relax because your home PC is not going to be a serious target for hackers. That doesn’t mean you’re not going to lose, because they could attack your account at the bank. For example, we think that there is going to be a serious strain of ATM malware,” he said. He also noted that JP Morgan was attacked this year even though it is a well-reputed bank that spends heavily on information security and is therefore trusted by customers with very large accounts.
“Number two, there will be more ‘darknets’, that means these are networks that will emerge from criminals who will start sharing and caring… they are not going to be targeting common stuff like retail, bank but they will target not so common stuff like airlines, train stations.”
Thirdly, he said that more mobile-based exploit kits and vulnerabilities will surface, as these play a crucial role in getting access to the digital hub of the user. He also said that there will be at least eight million attacks on Android alone, and that ‘ransomware’, which has so far been used to lock PCs and laptops, will be used on mobile phones as well. “We already think there are a couple of mobile ‘ransomware’. It has already started.”
“Previously it has always been the stereotypes. When US companies get hacked, they say, oh they were the Chinese even before they start the investigation. The Chinese think it’s the US before they start investigating. For the last one or two years, Russia has also been pulled inside. So far these were the countries that have been blamed. We believe there are going to be ‘new kids on the block’. In the start of this year, Malaysia was one of the targets and Sri Lanka was also a target and you will see a lot of new countries emerging as targets of attacks. APT (Advanced Persistent Threat) will become as common as normal cyberattacks,” he said as he explained their fourth prediction. “People are going to be relying more on analytics than reactive solutions like firewalls,” he added.
Moving on to the fifth prediction he said, “We think Apple Pay and Google wallet will be big targets next year, because NFC (Near Field Communication) is key. Let’s accept the fact, these criminals are in it to make a gain, so either they will take your personal details, credit card or turn you into a Bot and sell you or rent you. So you will see a lot of NFC related threats.”
Heartbleed, Shellshock, POODLE and similar vulnerabilities will continue to be exploited, and in 2015 there will be more attacks targeting open-source software (Heartbleed and Shellshock affected the widely deployed OpenSSL library and Bash shell respectively), he stated as their sixth prediction.
“In 2014 there was a company that published close to 40 different online mobile banking apps in Google Play and all of them were fake.” This illustrated their seventh prediction: that banks and telecommunications companies will continue to be targeted, and that more complex malware will be spread in these industries.
Value of information
The eighth concerned the value placed on information, and how information even as simple as a promotional plan can be traded. “We think people are going to be targeting insider threats to go for the goldmine, which they can convert. It doesn’t necessarily have to be user names and passwords… people are going to take any kind of information, be it top secret government information, financial information, blueprint of a new plan or intellectual property, they will steal it and sell.”
Internet of Things will be targeted and exposed, was the ninth prediction. “We think Internet of Things will be targeted but for 2015 we are safe from technological attacks because at the moment the technology is too diverse. You won’t see serious exploits from the technology but because Internet of Things is at a very early stage, there won’t be serious security as well. So what will happen is people will target Internet of Things to extract data and send it off. For example, if you take Samsung Gear or Apple Watch it has everything, it even has your health information, credit card information and so on. If someone gets into your watch it’s as good as getting into your phone, the digital hub of your life and it’s as good as getting you,” he emphasised.
Last but not least, he explained how old attack methods will be used to steal confidential data. “JP Morgan was attacked through old methods, SQL injection and cross-site scripting. There were no state-of-the-art, multi-million dollar attacks but a simple attack that threw a 250 million dollar security budget out of the window. But we think that, old is gold! Old attacks are going to continue… old attacks will be rejuvenated, given a new life and they are going to attack new applications.”
He concluded his presentation by suggesting that ‘defence in depth’, layering several independent controls so that the failure of any one of them does not by itself expose the data, is the best method to protect against such attacks.
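As an added illustration of the two points above (that an ‘old’ technique such as SQL injection still works wherever user input is pasted into query text, and that defence in depth means not relying on a single fix), the following Python snippet is an example written for this article, not code from the forum, from any speaker or from the JP Morgan incident. It builds a constructed in-memory SQLite table with one toy user, shows a vulnerable login check that a classic injection payload bypasses, then the same check with bound parameters, and finally a second layer that allow-lists the shape of a username before any query runs. The table, the user ‘alice’ and the function names are assumptions for the demonstration; a real system would also hash passwords rather than store them as here.

```python
import sqlite3

# Constructed sample data (not from the article): one toy account. Plaintext
# storage is only for the demonstration; real systems hash passwords.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 'old' bug: user input is spliced into the SQL text, so the input
    ' OR '1'='1 changes the query's logic instead of being compared as data."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username, password):
    """Layer 1: bound parameters. The driver sends the values separately from
    the statement, so quotes in the input never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


USERNAME_MAX = 32  # assumed policy value for the example


def valid_username(username):
    """Layer 2 (defence in depth): allow-list the shape of a username
    (letters, digits, underscore; bounded length) so that injection-style
    payloads are rejected before any query is built at all."""
    return (1 <= len(username) <= USERNAME_MAX
            and username.replace("_", "").isalnum())


def login_hardened(conn, username, password):
    """Both layers together: validation first, then a parameterised query."""
    if not valid_username(username):
        return False
    return login_parameterised(conn, username, password)


def run_demo():
    """Returns the outcome of each check for the honest and injected inputs."""
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology payload used as both fields
    return {
        "vulnerable_honest": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, payload, payload),
        "parameterised_injected": login_parameterised(conn, payload, payload),
        "hardened_honest": login_hardened(conn, "alice", "s3cret"),
        "hardened_injected": login_hardened(conn, payload, payload),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

With the injected payload in both fields, the vulnerable query becomes `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is always true, so the attacker is logged in without knowing a password; the parameterised query compares the same string literally and finds no such user, and the hardened version never reaches the database because the quotes and spaces fail the allow-list.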
With this interesting presentation the forum came to a close. Convener of the Ethical Hackers Forums Kamal Liyanage said, “Since there are numerous cyber-attacks targeting corporates on a daily basis around the world, it is vital for cyber security professionals in Sri Lanka to understand what could be future threats. That is why we opted for this current topic.”