The Cyber-Threat to Mid-Sized Businesses

October 11, 2017

Politicians and industry bodies have long encouraged smaller Australian businesses to embrace the ‘digital revolution’ to boost sales and streamline processes. However, online opportunities bring their own set of risks, and the 2017 Threat Report issued by the Australian Cyber Security Centre underlines the scale of the threat posed by cyber-criminals to unprepared mid-sized companies.

The report warns that malicious attacks against Australia’s citizens, businesses and government are increasing in frequency, scale, sophistication and severity. However, while espionage hacks of government agencies and defence contractors by foreign governments clearly imperil national security, the greater threat to Australia’s 51,000 mid-sized businesses may lie in their vulnerability to ‘social hacking’, malicious e-mails and criminal activity exploiting known vulnerabilities, which properly protected systems and well-observed procedures should guard against.

While firms in the defence and research sectors and companies holding large amounts of customer information may be most at risk, criminals routinely scan and probe the internet for vulnerable firms and organisations. This opportunistic hunt for easy victims will quickly locate and exploit firms, devices and individuals who neglect basic security measures. The government-backed Cyber Security Centre recorded an 11% increase in attacks on ‘non-traditional’ sectors, underlining the importance of the issue for all Australian firms.

Recent headline-grabbing cyberattacks, from the WannaCry ransomware to the string of breaches suffered by major companies such as Yahoo, Cloudflare and Equifax, underline the vulnerability of complacent employees and businesses and the threat a breach can pose to a company’s survival. Firms may suffer only fleeting inconvenience from a particular intrusion, but the long-term loss of customer confidence can be crippling.

Although industrial espionage can harvest commercially sensitive information such as negotiation strategies or business plans to the advantage of a firm’s less scrupulous competitors, most cyber-attacks against companies are criminally motivated for financial gain.

Malicious emails accounted for over a fifth of incidents reported by the private sector to the Australian Cyber Security Centre and remain the most common attack vector for compromising company networks. Targeted, socially-engineered, ‘spearphishing’ emails, sometimes combined with credible sounding phone calls, can gain access to corporate networks to put every aspect of the firm’s data and finances at risk. Once criminals have identified a vulnerable firm they will use freely available information, such as annual reports, shareholder updates and media releases, to craft a specific attack while utilising sophisticated exploits, often bought ‘off the shelf’ from malware vendors, to evade detection.

Most ransomware attacks are also launched via e-mail, with millions of messages sent through compromised third-party computers at virtually no cost to the criminal. Even a fully patched and protected device can be infected by downloading and opening a particularly malicious attachment. As people become more wary of unsolicited e-mail, exploit kits of pre-packaged malicious software are being run on web services to infect unknowing visitors to a website. Computers can be infected through corrupted advertisements or silent redirects from legitimate sites. These exploit kits do not require the victim to download a file: simply visiting a compromised website while running vulnerable software is sufficient for infection.

Just as terrorists need only be lucky once, while society must be ‘lucky’ every time to protect itself, so increasing numbers of criminals will move online to target vulnerable firms. Their gains far outweigh their expenses, and the risks of identification, apprehension and prosecution when attacking a firm in a distant country are fractional compared to those of robbing an individual or an armoured van in their own locale. Each successful attack encourages the perpetrators to redouble their efforts and a host of others to copy them or find new vulnerabilities.

While ransomware extorts funds from individuals and firms, other hackers harvest credentials from firms with large customer bases to commit identity fraud or, more commonly, sell the details to other criminals. Mirroring the shift from mainframe and personal computers to mobile phones, criminals increasingly target smartphones and the plethora of personal and professional information they contain. As firms strengthen their technological defences, criminals and foreign actors instead try to trick employees into bypassing security protocols that are impervious to automated attack. Malicious messages are increasingly indistinguishable from genuine communications, and a lack of scrutiny in both the Apple and Android app ecosystems opens almost every mobile phone user to potential abuse.

Even when computers are properly patched and staff adhere to security protocols, the almost invisible spread of the Internet of Things can offer unlocked doors into a company’s network. The security of IoT devices is often poor, and their integration into a firm’s computing ecosystem should be undertaken with great care. Many Distributed Denial of Service (DDoS) attacks against companies and websites are launched by large numbers of ‘zombie’ IoT devices hacked for this purpose. Australian routers are also targeted by criminals who scan for vulnerable devices, extract configuration files and modify their settings to gain control of a firm’s internet communications.

The human factor is, as always, as important as any technical defence. The ubiquity of social media has seen many people put much of their personal information online, which allows criminals to create false identities or hack genuine accounts to impersonate company officials. ‘Business email compromise’, for example, sees criminals impersonate senior staff to trick other employees into accepting, changing or expediting an invoice, defrauding the company. Most such attacks rely on social engineering strategies and spoofed email addresses, although some also inject malware to access computer systems and company information. The Australian Cybercrime Online Reporting Network received reports of fraud worth $20 million through this tactic in 2016/17, an increase of 230% over the previous year, and this is almost certainly only a small fraction of the actual, largely unreported, figure.

The 2017 ACSC report notes a sharp increase in the targeting of smaller businesses by themed phishing emails from known contractors whose systems had been compromised by malicious adversaries. The attackers had entered the contractor’s computer network through malicious PDF files or credential phishing and changed its email rules to forward any communications containing keywords such as ‘invoice’ to the criminal, while deleting the message from the company email client. The criminal then created fictitious invoices for clients and contractors using the business’s branding but with redirected banking details. In some cases, the criminal even sent emails advising the firm of the change of details, lest the change be noticed by financial staff. One cyber-criminal posed as the Chief Executive Officer and Chief Operating Officer of a particular firm to reap fraudulent payments of over half a million dollars by sending requests to its financial controller.
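The mailbox-rule tampering described above leaves a concrete artefact that a defender can audit: a rule that forwards finance-themed mail to an address outside the organisation and then deletes or hides the original. The following Python is an added detection sketch, not code from the ACSC report or from any of the firms it describes; the organisation domain, the inbox rules and the keyword list are all constructed for illustration, and a real deployment would feed it the rule export from the mail platform in use.

```python
"""Flag inbox rules that match the invoice-diversion pattern: forward externally,
match finance keywords, and delete or hide the original so the owner never sees it.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ORG_DOMAIN = "example-contractor.com"  # constructed placeholder for the firm's own domain
FINANCE_KEYWORDS = {"invoice", "payment", "remittance", "bank details", "eft"}
HIDING_FOLDERS = {"deleted items", "rss subscriptions", "junk email", "archive"}


@dataclass
class InboxRule:
    mailbox: str                    # owner of the mailbox the rule lives in
    name: str
    keywords: Tuple[str, ...]       # subject/body keywords the rule matches ("" = all mail)
    forward_to: Tuple[str, ...]     # recipients the rule forwards a copy to
    delete_after_forward: bool      # rule deletes the original after forwarding
    move_to_folder: Optional[str] = None


def external_recipients(rule: InboxRule) -> List[str]:
    """Return forward targets outside the organisation's own domain."""
    return [a for a in rule.forward_to
            if not a.lower().endswith("@" + ORG_DOMAIN)]


def assess_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like invoice diversion; an empty list means benign."""
    reasons: List[str] = []
    ext = external_recipients(rule)
    if not ext:
        return reasons  # forwarding inside the firm is business as usual
    finance_hits = sorted(k for k in rule.keywords if k.lower() in FINANCE_KEYWORDS)
    hides = rule.delete_after_forward or (
        (rule.move_to_folder or "").lower() in HIDING_FOLDERS)
    if finance_hits:
        reasons.append(f"matches finance keywords {finance_hits}")
    if rule.delete_after_forward:
        reasons.append("deletes the original after forwarding")
    elif hides:
        reasons.append(f"hides the original in '{rule.move_to_folder}'")
    # An external forward on its own (newsletters to a home address) is only noise;
    # it becomes a finding when combined with finance content or concealment.
    if finance_hits or hides:
        reasons.insert(0, f"forwards externally to {ext}")
    return reasons


def scan_rules(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'mailbox/rule name' to its reasons for every flagged rule."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            findings[f"{rule.mailbox}/{rule.name}"] = reasons
    return findings


# Constructed sample rules: two malicious patterns and two benign ones.
SAMPLE_RULES = [
    InboxRule("accounts@example-contractor.com", "Sync", ("invoice", "payment"),
              ("collector@mail-drop.example",), True),
    InboxRule("alice@example-contractor.com", "Holiday cover", ("urgent",),
              ("bob@example-contractor.com",), False),
    InboxRule("bob@example-contractor.com", "Newsletters", ("newsletter",),
              ("bob.home@webmail.example",), False, "Newsletters"),
    InboxRule("ceo@example-contractor.com", "Cleanup", ("",),
              ("collector@mail-drop.example",), False, "RSS Subscriptions"),
]

if __name__ == "__main__":
    for key, why in scan_rules(SAMPLE_RULES).items():
        print(key, "->", "; ".join(why))
```

The scoring deliberately treats an external forward alone as noise and only raises a finding when it is paired with finance keywords or with concealment (deletion, or filing into a folder users rarely open). Running the check on a scheduled export of all mailbox rules, rather than once, is what catches the rule the attacker adds after the initial compromise.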

Although many businesses look to outsource their computing activities to third parties to reduce costs and increase efficiency, businesses cannot sub-contract cyber-security at the same time. Criminals are now targeting trusted third-party service providers, as a successful breach will afford them access to numerous unsuspecting firms which may have few secondary defences. While companies may harden themselves against direct attacks, they remain equally vulnerable to breaches of trusted third parties which may have significant access to their network through software, hardware and services. Client databases can be harvested without the company itself being compromised, or its systems can be modified to inject malicious content into customer communications and networks.

Managed service providers are commonly targeted given their wide range of government, military and business clients. MSPs can enjoy widespread access to their customers’ networks and data, which allows an attacker free rein. Criminals can use an initial breach to create accounts to access a victim’s network, purporting to be the MSP, with little further scrutiny. Neither MSP nor client will be aware of the breach until it is too late, particularly if each expects the other to be responsible for security. While businesses can mitigate some risks by outsourcing computing services to trusted third parties with greater expertise and resources, such outsourcing must be embarked upon with proper regard to security. Any firm which allows another access to its network may effectively be doubling its risk, rather than reducing it.

Sensitive data can also be released by mistake, rather than through criminal activity. Careless use of File Transfer Protocol servers, Network Attached Storage devices and Amazon S3 buckets has exposed vast swathes of customer data in several cases. Credentials for network access have also been exposed, affording criminals unfettered access before the breach is discovered and passwords are changed. Criminals can use the personally identifiable information exposed in such breaches to impersonate customers to commit fraud or to blackmail companies. The American company Equifax recently admitted that in-depth personal data belonging to 143 million customers had been compromised. Almost half the American population is now vulnerable to identity theft given the release of names, social security numbers, birth dates, addresses and, in some instances, driver’s licence details.
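The S3 exposures mentioned above are usually a policy or ACL that grants read access to everyone rather than a break-in, so they can be caught by a static review of the bucket policy document. The following Python is an added example, not code from the article or from any of the companies it names; the two bucket policies and the account id in them are constructed samples, and the check covers only the policy document (bucket ACLs and the account-level Block Public Access settings need their own review).

```python
"""Static check of an S3 bucket policy for statements that grant read access to
everyone. The policy documents below are constructed samples for illustration."""
from typing import Any, Dict, List

# Actions that let an anonymous caller read or enumerate bucket contents.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields such as Action, Resource and Statement may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or "*" within an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per Allow statement that lets everyone read the bucket."""
    findings: List[str] = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        sid = statement.get("Sid") or f"#{index}"
        if statement.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a common, harmless guard rail
        if not is_public_principal(statement.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action"))}
        granted = sorted(actions & READ_ACTIONS)
        if not granted:
            continue
        resources = _as_list(statement.get("Resource"))
        if statement.get("Condition"):
            # A Condition narrows the grant (e.g. to a VPC or source IP); it may still be
            # too broad, so surface it for a human rather than assert it is public.
            findings.append(f"{sid}: public principal with Condition on {resources}, review")
            continue
        findings.append(f"{sid}: grants {granted} to everyone on {resources}")
    return findings


# Constructed sample: an accidental public-read grant beside a harmless Deny guard rail.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-customer-exports",
                      "arn:aws:s3:::example-customer-exports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed sample: access limited to one application role (placeholder account id).
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/exports-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-customer-exports",
                      "arn:aws:s3:::example-customer-exports/*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, "->", public_read_statements(policy) or "no public-read grants")
```

In practice the policy document comes from `aws s3api get-bucket-policy --bucket <name>`, whose `Policy` field is a JSON string to pass through `json.loads` before calling `public_read_statements`. The Deny statement in the first sample is deliberately left unflagged: a `Principal: "*"` on a Deny is the normal way to enforce TLS and is not an exposure.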

The public release of computer network exploitation tools by sophisticated online gangs such as the Shadow Brokers will allow much larger numbers of relatively unsophisticated criminals to harry firms with unpatched systems or unwary employees. More sophisticated criminals will continue to use unpatched zero-day vulnerabilities to attack even up-to-date systems in the future.

The scale of the threat may seem overwhelming, but simple, routine measures such as regular software patching and staff training can mitigate most of the risk. In this article, we outline some simple strategies to reduce the threat of commercial cyber-crime.