Published on August 25th, 2015 | by admin
Cyber Security Risks Series: Technology
In our third article on the types of cybersecurity issues a particular industry sector experiences, we’re looking at technology companies. You may think that technology companies would have a real handle on cybersecurity, experiencing fewer attacks because they have more in-depth knowledge of technology, the Internet and security in general. Well, let’s see if that’s true.
Technology Companies and Cybercrime
When you think of technology companies you think of the likes of Facebook, Google, Microsoft and Sony. The have all had their fair share of cybercrime in recent years. Even dedicated security companies, such as anti-virus vendor, Kaspersky have been hit by cybercrime. Technology companies are certainly not immune to attack as exemplified.
Technology companies are often seen as providing critical infrastructure. For example, cloud providers are often used by governments to host data and so become a target in the same way that a power station is targeted to have maximum impact on a state. In a survey by PWC into the Global State of Information Security, they showed how technology companies are a sector targeted by nation states alongside aerospace and the oil and gas industries.
Often in the tech industry, attacks are motivated by intellectual property theft like competitors using stealth malware, such as Advanced Persistent Threats (APTs) to exfiltrate information. Technology companies are one of the most targeted industries in terms of cyberespionage, just behind manufacturing, public and professional services. Cyber espionage attacks seem to use social engineering as their vector in. Spear phishing is becoming a highly effective tool and companies like Microsoft (see more below) have suffered breaches because of this type of highly targeted attack. In the Verizon Data Breach Investigations Report 2015, it showed evidence that cyber espionage attacks were most often started through a phishing email.
One area of security threat control that the tech industry has jumped on is the idea of sharing security intelligence. This concept has been in the news recently as it has become a U.S. federal government bill, named the Cyber Intelligence and Sharing Protection Act (CISPA) which purpose is to create a legal framework allowing industry to share information about security threats with each other in the hope that this will help to alleviate them. Tech companies like Facebook, Microsoft, IBM and Verizon have openly backed the bill. This is a positive stance taken by these industries. Many of them create the very products that are exploited by malware to perform a cyberattack. This is usually in the form of a zero day vulnerability, which is a hole in a software product, like Microsoft operating system or Adobe Flash, for example, which can then be used to run a security exploit. Sharing information on vulnerabilities and so on can only be positive (assuming it is done in a privacy enhanced and secure manner, of course).
Examples of Technology Company Breaches
Microsoft: Spear phishing was the weapon of choice in an attack on Microsoft in late 2013. The attack targeted system administrators and ultimately led to the theft of document relating to law enforcement request to release customer data. A subsequent attack on Microsoft happened in 2014 where a well-known hacking group known as the Syrian Electronic Army hacked the Microsoft Twitter news account. This was a hacktivist attack to protest against Microsoft’s involvement in the NSA surveillance program.
Sony: The Sony attack of late 2014 resulted in the breach of confidential records of about 47,000 individuals, as well as defacements of Sony’s site and the theft of unreleased films, including the controversial movie, The Interview about North Korea, leading people to believe it was initiated as a revenge attack by the North Koreans. Since that allegation, various theories have been put forward about the vector used to instigate the attack. Privileged access credentials were the starting point, and it’s most likely, that yet again, that favorite method, spear phishing, was behind the attack.
Google: Google has had a number of different types of attacks made against it. In 2010 the infamous Operation Aurora, an APT, was used against the company, stealing source code. Earlier this year Google Malaysia’s site was redirected to a hacking site using DNS poisoning (a way of diverting web traffic to another server).
Kaspersky: Security Company, Kaspersky, found themselves the victim of a highly sophisticated APT attack earlier this year. The hack known as Duqu 2.0 was described by Kaspersky as ‘complex’. (The fact that even one of the world’s most knowledgeable security companies can be hacked is bad news, of course, but it also supports the idea that rapid remediation solutions are becoming increasingly necessary.) Again the vector into the company was a spear phishing email. Once in, the malware took advantage of a zero day vulnerability in the Microsoft operating system.
Tesla Car: The Internet of Things (IoT) is starting to have security implications in a number of technology companies. Tesla was alerted by white hat hackers of at least six vulnerabilities in the Internet connected car, the Model S series. A similar problem was encountered with the Fiat Chrysler Jeep Cherokee where hackers were able to use bugs in the onboard software to take remote control of the car.
A Bright Future for Technology?
Technology firms will continue to be targets for cybercriminals acting on behalf of (often state sponsored) competitors, trying to extract intellectual property, or with intent on damaging the reputation of the organization through DOS attacks and general defacement campaigns.
As the IoT becomes more ubiquitous in the products developed by technology firms, we will also see more connected and widespread attacks – the Tesla car hack being an early indicator of the type of challenges we should expect to see as this technology develops. Certainly, more focus should be assigned to creating a robust security and identity layer for the IoT.
Tech companies have a lot to lose. If even the most seasoned security firms see cyberattacks being successfully deployed against them, then we all need to take note. It is time for a rethink around security protection, looking at a next gen tool kit has never been more pertinent.
Perimeter defenses are insufficient when protecting vulnerable industries, such as tech. These vectors require a holistic approach to cyber security that allows them to rapidly remediate post-attack.