The Australian Cyber Security Centre (ACSC) recently released its 2016 Threat Report (Report) following on from its first ever report in 2015. Media coverage has predominantly been focussed on the Report’s prediction that terrorist groups may soon have cyber capabilities to significantly disrupt a secure government network and mention of high profile case examples including the 2015 cyber intrusion on the Bureau of Meteorology’s network and the disruption to the Australian Bureau of Statistics 2016 online Census.
However, as the Report points out, this emotive conceptualisation of cyber security incidents runs the risk of blinding us to more prosaic cyber risks. We need to avoid seeing cyber security incidents as something restricted to the realm of sophisticated state actors stealing state secrets or hunting the likes of Jason Bourne. The reality that we must accept (if you haven’t already) is that a broader (and it is very broad) landscape of cyber threats exists. The Report makes it clear: business big and small is a potential target; your data is valuable and the cost of compromising your network is low and the rewards high.
In exploring this broad landscape the ACSC looks at how we should understand cyber security incidents, summarises the state of cyber targeting and exploitation techniques and provides suggestions for how you should prepare and respond to cyber security incidents. A full copy of the report can be found here.
“Cyber attack” – the wrong phrase?
To start unpacking the broad cyber threat landscape the Report explains that “calling every incident a ‘hack’ or ‘attack’ is not helpful for a proportionate understanding of the range of threats” and “treating every adversary as though they are all equally sophisticated and motivated detracts from a balanced perspective of risk and vulnerability.” To only frame cyber security incidents in terms of an “attack” fails to address the multitude of malicious activity that they have seen compromise government and business networks. Malcolm Turnbull discussed this issue in his keynote address at the recent Australia-US Cyber Security Dialogue, asking academics and the media to turn their minds to the problem of cyber lexicon and asking that “cyber discussions be normalised so that they are held in the context of all threats, risks and opportunities”.
How can your network be threatened?
The Report, supported by case studies, outlines the main types of cyber activities used to target Australian organisations which include:
- Spear phishing – emails that contain a malicious link or file attachment and that appear to be from an individual or business that you know. These emails take advantage of personal and corporate information available online including annual reports, media releases and social media. Using this information cyber adversaries forge a chosen identity in an email and gain access to the target network if the email recipient accesses the malicious link or file attachment. An adversary’s success is dependent on gaining the trust of their victim. Given the increased amount of information we upload to information repositories like LinkedIn these emails are becoming ever more sophisticated and difficult to distinguish from legitimate correspondence. Are your employees educated about the role of spear phishing so that they can spot suspect messages and deal with them appropriately?
- Ransomware – malicious emails or websites that encrypt files on a computer then demand ransom payments to decrypt the files. The victim is given a time limit to pay the ransom with the amount possibly increasing or files being progressively deleted if the ransom is not paid on time. Similar to spear phishing, ransomware often imitates email addresses, websites and domains the recipient is familiar with to bait them into clicking the link or downloading the attached file. Again, are your staff trained to spot these risks?
- Malvertising – the injection of malicious or malware-infected advertisements into legitimate online advertising networks and webpages. A person can compromise an advertisement on a well-known and reputable website which visitors encounter in their normal browsing, with malicious code then being downloaded if the victim clicks on the advertisement. Malvertising can be extremely difficult to detect, particularly when adversaries use sophisticated advertising placement techniques.
- Secondary targeting – intruders gain access to targets of seemingly limited value but which share a trust relationship with their ultimate target. For example the supplier of stationery or some other input for your business may be targeted by a cyber adversary as a means to ultimately infiltrate your own network. Have you taken an interest in the security arrangements of your key contractors and service providers in addition to your own? Requiring all suppliers to meet a minimum level of cyber resilience is a sensible way to mitigate your own risk.
What can be done?
Noting that relatively few organisations have adequately prepared for a cyber security incident the Report emphasises that “prevention is better than a cure”. However, effective management of an incident will still be critical in mitigating the severity, damage and cost of any intrusion. The Report identifies 3 stages in dealing with cyber security incidents and actions that should be taken during them:
- Planning and preparation – assign primary responsibility for incident response in your organisation, have monitoring in place to assess the environment for cyber security threats, identify critical systems and understand what type of support your IT service providers offer.
- Responding – assess how quickly you can access resources key to mitigating an incident and ensure you have the ability to identify and isolate an affected workstation or server.
- Reporting – understand your legislative requirements and obligations for incident reporting and have procedures in place to provide information and reporting to relevant parties during an incident (as flagged below, new mandatory breach reporting legislation has recently been introduced to Parliament and you will need to understand the implications of that legislation for your business).
Consequences of inaction
The Report also stresses the consequences of not adequately understanding and preparing for cyber security incidents. Malicious cyber activities risk “the profitability, competitiveness and reputation of Australian businesses” while the “ongoing theft of intellectual property from Australian companies continues to pose significant challenges to the future competitiveness of the Australian economy.” In this regard, the Report issues a wake-up call to the private sector noting that many companies are hesitant to report incidents with many incidents across the private sector being either undetected or unreported. More critically the Report believes “the private sector’s ability and willingness to recognise the extent of the cyber threat and to implement mitigation strategies varies considerably across and within sectors [and] those without direct experience of being targeted or a victim may not be aware of the potential economic harm malicious cyber activity can cause their businesses, do not understand the value of the data they hold, and cannot conceive why they would be targeted.”
For many companies, the first stage of dealing with a cyber security event may simply be acknowledging that the threat exists. The Computer Emergency Response Team (CERT) responded to 14,804 cyber security incidents last financial year. This number is likely only a small portion of total incidents affecting Australian businesses given reporting is voluntary. However, the Government has plans to take voluntary reporting out of the hands of organisations to some extent. On 19 October 2016 it introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 for its first reading. If passed (it has bipartisan support) the Bill will amend the Privacy Act 1988 to introduce mandatory reporting of data breaches involving personal information that could result in serious harm to the individuals affected.
So if you still have doubts about whether you could be the target of a cyber security incident the answer is a resounding “yes!” Your data is valuable and the methods employed by intruders are becoming increasingly sophisticated. The Report shows that these various cyber threats are becoming the new norm and to that extent the risks to you are foreseeable. If you haven’t already, you should satisfy yourself that your organisation has taken adequate and appropriate steps, particularly at a governance level, to be cyber-secure and cyber-resilient.