Want to stop the latest cybercrime bogeyman? Then for the umpteenth time, put in place well-known and proven strategies for repelling online attacks.
That's one takeaway from a recent threat report issued by Britain's National Cyber Security Center. Based on open source reporting, the alert calls out a trio of attack campaigns: phishing emails that pretend to be speeding tickets but instead deliver malware; attackers using stolen or fraudulently obtained digital certificates to "sign" malware; and the cybercrime-extortion group known as "The Dark Overlord," which continues to hack into organizations' websites, hold data for ransom and cause chaos.
The Dark Overlord is especially pernicious, as seen in how the group has shaken down Hollywood studios, leaked data stolen from healthcare clinics and threatened schoolchildren's parents in Montana and Iowa, leading some school districts to suspend classes (see Cyber Ransom Group Hits Soft Targets: US Schools).
"The group has a history of hacking organizations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain," according to the alert from NCSC, which includes Britain's computer emergency response team, CERT-UK. "They leak snippets of data to the media to encourage them to report on their activity. This is aimed at 'proving' that a breach has taken place, and increases the pressure on the victim to pay the ransom."
NCSC is using the group's attacks to issue a wake-up call for any organization that stores sensitive data.
"Any organization that deals with sensitive personal information (e.g. medical institutions, law firms) is at a higher risk of being targeted and owes a particular duty of care to its clients because of the risk of severe emotional distress if client data is made public," NCSC says. "Whilst evidence of the stolen data is often provided, the volume and sensitivity of the data may be exaggerated to maximize impact."
This isn't just "be a good citizen" advice. While NCSC doesn't name-drop the EU's General Data Protection Regulation, enforcement begins in May 2018, when regulators can begin to impose massive fines on breached organizations that didn't have proper cybersecurity practices in place (see Think GDPR Won't Apply to You? Think Again).
Déjà Vu Redux
But we've been here before. The Dark Overlord, which is being investigated by the FBI and no doubt other law enforcement agencies, is the latest in a long line of online adversaries that can be blocked if only organizations would put in place basic, essential information security defenses.
In 2010, it was Anonymous, followed by LulzSec - motto: "Laughing at your security since 2011!" - and Lizard Squad, among many, many others.
If there's one commonality between attacks old and new, it's that so many flaws exploited by attackers could have been fixed in advance. Security experts have long warned about the need to find and eradicate SQL injection flaws, which attackers have been exploiting for years to dump internet-connected databases. Nevertheless, London-based telecommunications giant TalkTalk was hacked in 2015 via a SQL injection attack against a database that lacked patches released in 2012 that would have protected it (see Solve Old Security Problems First).
As the famous comment attributed to Joshua Corman goes: "The Anonymous attacks hold up a mirror to our neglect."
Don't Fear Self-Proclaimed Dark Overlords
But Anonymous did get more organizations thinking about cybersecurity, and The Dark Overlord will no doubt do so again. If this helps not-yet-hacked firms and especially the small businesses that The Dark Overlord seems to favor, so much the better (see Hollywood Studio Hit By Cyber Extortion Says: 'Don't Trust Hackers').
Studying recent attacks by the group, NCSC singles out the need to use unique, strong passwords, to never share them and to store them using a password manager.
"Breaches can impact systems that have not been breached if a user has a shared password between the services," NCSC warns.
This is great, longstanding advice that all end users, organizations and government agencies should follow (see Parliament Pwnage: Talk Weak Passwords, Not 'Cyberattack').
4 Bogeyman Defenses
But organizations need to be doing more. Security experts' gold standard in "if you do nothing else, then at least do this handful of things" comes from the Australian Signals Directorate. In 2011, the ASD listed these as being the top 4 mitigation strategies for repelling targeted cyber intrusions:
- Using application whitelisting;
- Patching applications and operating systems;
- Using the latest versions of applications and operating systems;
- Minimizing administrative privileges.
"No single mitigation strategy is guaranteed to prevent cybersecurity incidents," ASD says. Even so, "at least 85 percent of the adversary techniques used in targeted cyber intrusions which ASD has visibility of could be mitigated by implementing [those] mitigation strategies."
Since 2013, all Australian government organizations have had to comply with those strategies. But if more organizations did so, the world would be an even safer place (see Hacker Steals Joint Strike Fighter Plans in Australia).
Organizations that want to further improve their odds of repelling attacks can look to the ASD's recently revised and complete "Strategies to Mitigate Cybersecurity Incidents" recommendations, which list 37 mitigation strategies and evaluate each one's potential user resistance, upfront cost and ongoing costs. The ASD has also listed which strategies excel for combating targeted cyber intrusions, ransomware and external adversaries who destroy information, and malicious insiders who steal or destroy information.
Organizations that implement the ASD's recommendations - even the ASD Top 4 - stand a good chance of repelling targeted cyber intrusions by the likes of The Dark Overlord and its inevitable descendants. Organizations that continue to fail to heed these warnings get to be tomorrow's cybercrime-bogeyman victim.