There is no doubt that the threat of cyber crime is on the rise, and the Australian Cyber Security Centre’s 2016 Threat Report seems to indicate that whilst the complexity, extent and impact of the attacks are evolving, the underlying nature is not that different to previous years. Spear phishing, ransomware, web-seeding and malware are still the tools of choice for attackers.
The report highlights a range of instances where government agencies have assisted organisations to respond to cyber threats and incidents. Whilst some indicate that the threat report doesn’t contain anything new, this in itself is interesting for what it says about cyber attacks in Australia.
The report says the ‘initial foothold’ is typically gained by phishing emails with a malicious file or link and, once inside the business perimeter, the attacker will embed themselves before getting down to the real dirty work of exfiltration.
If you have been around the security industry for a while, none of this will be any real news to you. Whilst the software applications, extent of reach, damage done and costs of remediation continue to spiral ever upward, it does beg the question – what are we missing?
I agree that the report provides an important contribution to Australia’s cyber security posture, but also note that the response thus far has been by the technical community – and this is indicative of our continued iron grip on thinking of cyber attacks as a technical problem which must have a technical solution. Greater security and access controls, and activity monitoring are the backbone of IT security systems – but what about the greatest weakness? What about that infallible constant throughout our security history – the human element?
YOU ARE THE WEAKEST LINK
Who would have thought the words uttered by host Cornelia Frances to strike terror into the heart of game show contestants in 2001 and 2002 would apply to modern-day cyber warfare? Whether unintentional or malicious, people are inherently the weak link in the cyber security chain. The most secure ring-fencing cannot protect against human nature.
At its most basic premise, those who have access are targeted by those who would exploit that access. All the money spent on firewalls, encryption and other proactive security measures can be nullified by the actions of an insider who opens the door to an attack. The types of attacks described in the ACSC report are all aimed at you – you are the weakest link.
Combined with social engineering, these types of attacks are potent weapons of the cyber battleground. In a recent example, a staff member received an email (containing false information) backed by a supporting telephone call, which made for a healthy payday for the attackers. The employee simply overlooked the fact that they received the call and didn’t initiate it. Regardless, the ‘verification’ of the information proceeded and the door was opened for a significant funds transfer. This scenario is not uncommon.
Without a robust ‘Insider Threat’ plan that engenders a cultural change toward cyber security, we are destined to continually leave the door open for attackers. The heart of such a program relies on understanding:
- the electronic landscape of your organisation;
- the threat to your organisation;
- the response and understanding of the threat by your people.
Cyber security is not just an IT problem – it is also a people problem. It is not about blame – it is about empowering staff with the knowledge and framework to identify a potential threat and take action. But most importantly it needs understanding and support from the top of an organisation, to take control away from the hackers and embed it into the hierarchy.