The US Senate and the International Monetary Fund (IMF) are just the latest in a growing line of high profile companies that have been subjected to a targeted cyberattack. Sony made unwelcome headline news when it had to shut down its PlayStation network after hackers were able to steal customer information, including addresses, dates of birth, etc. In that case over 70 million people’s details were exposed. Other examples include Citibank, where personal information was stolen also; and Google, who disclosed that some Gmail accounts had been compromised. How many of us keep usernames and passwords for different sites such as online banking and shopping in our Gmail or Hotmail accounts?
Going back 10 years and more we saw malware like the, “I love you,” Netsky and Bagel grabbing the headlines. The motives behind those threats though were very different. It was more akin to graffiti, wanting to infect as many people as they could and become infamous too.
The recent attacks demonstrate that the bad guys are not interested in an ”infect all” strategy any more, but rather using more targeted methods. They do not just go after financial information like bank logins or credit card details; they’re in fact collecting everything they can get hold of. As we predicted at the beginning of the year, we are now in an age of "steal everything”.
It's obvious what the criminals will do with stolen credit card details, but what about my date of birth, my address or even my hobbies? Well one thing they can do is what we call spear phishing; and this seems to be how the IMF was compromised in the first place.
This form of attack is where an individual or organisation is singled out, usually via email. Now most of us receive lots of spam emails and we simply delete them. But what if you get an email that purports to be from your bank/credit card company and to prove it they put the last 4 digits of your credit card number and your date of birth? This looks much more credible and we are more likely to click on any links in the email. Such a link may contain malware. This in turn would also be finely tuned to the target's operating system and applications that run on it. They could get information of this kind by trawling social networks for titbits of information and/or even calling staff at the organisation. By creating a specific piece of malware just to target one organisation, it stays under the radar of security companies and law enforcement agencies. In the case of the IMF it looks like it may have been there unnoticed for several months!
So what do we need to learn from these targeted attacks? First, if we are seeing more high profile attacks you can bet that there are a greater number of low profile attacks that don’t make the headlines. Small organisations do not expect to be targeted and are also less likely to have elaborate IT security defences in place.
Second, technical solutions can never be enough. Education must play a key part too. Staff awareness is essential in any modern organisation. We need to foster a culture of security awareness so that people know what kinds of social engineering tricks are commonly used. By doing this we are more likely to get buy-in from staff for what we are trying to achieve. So, for example, when they get a reminder to change their password and for it to be a specific length and complexity, they will understand the importance of following the advice, instead of just ignoring it.