In the United States, the National Counterintelligence and Security Center (NCSC) is offering videos and brochures to the private sector to help companies guard against what the federal body calls growing threats from foreign intelligence entities and other adversaries.
NCSC Director William Evanina said: “Make no mistake, American companies are squarely in the cross-hairs of well-financed nation-state actors, who are routinely breaching private sector networks, stealing proprietary data, and compromising supply chains. The attacks are persistent, aggressive, and cost our nation jobs, economic advantage, and hundreds of billions of dollars. To enhance private sector awareness, we’re arming US companies with information they need to better understand and defend against these threats.”
The Center points out that less-secure suppliers and vendors in the supply chain can be entry points for stealing information from companies’ networks. As for business travel, the Center warns that when abroad you should not expect electronic privacy for your smartphone, laptop or other devices: overseas Wi-fi networks are regularly monitored by security services and others who can insert malicious software into your device, and the hotel safe may not really be ‘safe’.
The NCSC gave four recent examples:
– Cyber actors associated with China’s Ministry of State Security were indicted by the US for computer intrusion campaigns targeting intellectual property, confidential business information, and other data at managed service providers, US tech companies and US government agencies.
– In September 2018, US charges were announced against a North Korean, state-backed hacker for his role in the global WannaCry 2.0 ransomware attack, the cyberattack on Sony Pictures, spear-phishing attacks on US defence contractors, and other acts.
– In March 2018, the FBI and Department of Homeland Security (DHS) issued a joint technical alert about an intrusion campaign by Russian government cyber actors.
– Also in March 2018, the US levied charges against nine Iranians for a hacking campaign into US universities.
See also NCSC’s 2018 Foreign Economic Espionage in Cyberspace report.
Javvad Malik, security advocate at cyber product firm AlienVault, said: “Without understanding the threat landscape, it is difficult to come up with a suitable defence plan. Which is why it is great to see NCSC raising awareness of the threats which many companies face. Combine this raised awareness with greater collaboration and threat data sharing, and companies can create a solid strategy on being able to defend, detect, and recover from cyber attacks.”
And Sam Curry, chief security officer at data security product company Cybereason, said: “Today there are two types of businesses, those that have been hacked and those that will be. We live in a world where businesses today have a much harder task of keeping adversaries at bay because of the increasing network attack surface that security teams have to monitor. I welcome the NCSC’s new campaign to educate businesses and it is indeed good news. But the real weak link for any business is its employees, who regularly fall victim to phishing scams, open attachments from unknown parties and visit suspicious websites. And until we change human behaviour the hackers will continue to have the upper hand. As an industry we have come a long way, and making cybercrime unprofitable for hackers is achievable if businesses use the right tools and deploy the right strategy.
“In the short term, businesses should start fostering a healthy sense of paranoia amongst staff. Look, if the CEO sends an email and it’s sitting in the inbox, people are going to open it. That’s fine and to some extent can’t be avoided without something that makes it look inherently bad or filters it to a special folder. But let’s assume that the bad guys can get past any defence and the employee will open it. The trick now is for the employee to think: 1) would the CEO write to me and not my boss on this? 2) does the CEO do things like this normally? If the answer is yes to both, this is where process saves us. And that process should be out-of-band and, depending on thresholds, seek the right approval. The same rules that protect against embezzling and money laundering, and separation of duty, will also protect against this.”