What Cyber Threats and Trends Might We See in 2019?

‘Tis the season to get out the crystal ball and play at being the cyber equivalent of “Mystic Meg” (no that’s not me in the picture).

For 2018 I predicted a number of things that were spot on, these included the following:

  • The change from mass ransomware campaigns to more targeted ones asking for higher ransom payments.
  • The move from ransomware to cryptomining/cryptojacking as the primary monetisation payload/method.
  • GDPR being used for extortion/blackmail attempts.
  • Organisations still not focussing on the basics and best practice for their industry/vertical and wondering why they suffered security breaches/incidents.

So what will 2019 bring, according to OMG?

  • More targeted extortion attempts; Ransomware, GDPR, DDoS, etc. All with higher ransom being demanded.
  • Organisations will still be mainly focussed on the latest, must have “shiny toys/technologies” rather than dealing with the basics and best practice for their industry/vertical.
  • A mainstream move towards two or multi-factor authentication, as password theft is increasingly seen as the main way that bad guys and girls get in; other than social engineering (phishing) or via the supply-chain/business-partner. This move will be required due to massive Credential Stuffing attacks in 2018 fuelled by the many data breaches where user ids and passwords were stolen.
  • More supply-chain breaches as a method to gain access to the intended victim organisation.
  • Cloud service breaches and/or take-downs and mis-use by the Bad Guys n Girls.
  • The skills-gap and staff shortage will increase, again. And those of us in the industry will be in demand and frequently head-hunted or just pestered by desperate recruiters that don’t read your LinkedIn profile and still approach you with roles that you are not interested in or have the skills/background for.
  • More Business Email Compromise attacks (aka Fake CEO/CFO, etc.); these will rake in far more money in 2019
  • Artificial Intelligence and Machine Learning will continue be touted as “The” solution to deal with cyber threats and breaches; they are useful but generally too prone to false positives (detect things that are not an issue) and more worryingly false negatives (don’t detect what they should do).
  • The Internet of Things will start to “grow-up” as manufactures start to bake in security and offer it as a differentiator to competing products/services.
  • However, despite this we will continue to see IoT devices/infrastructure used as an attack platform and I suspect that we will start to see volumetric DDoS attacks exceed 2Tbps (largest so far was 1.35Tbps against Github in 2018). 
  • We may well see some critical infrastructure attacks (outside of Ukraine) that are successful, and that cause major outages and/or physical damage/loss of life.
  • Too many organisation thinking that using a single Cloud provider will give them a fully resilient infrastructure; it won’t. Just like having multiple data-centers, you need multiple Cloud providers (this should be part of your Business Continuity and Disaster Recovery Plan), no single-points of failure!
  • GDPR will finally start to bite (hard) and organisations that should have already been following industry best practice for data/privacy will finally do something about it (well, most of them)!
  • Blockchain will be finally recognised as not being the solution to everything!
  • Increase in use of Sextortion, Bomb and other extortion/blackmail emails/calls, despite the fact that most Sextortion campaigns did not net piles of bitcoin as those behind them expected.
  • More social-media scams mainly focussed around crypto-currency giveaways; like the many Elon Musk themed ones we saw in 2018.
  • People will still mainly fail to learn from history; we will see yet more old techniques/technologies dusted off and re-used by the Bad Guys n Girls, for victims that weren’t around (or paying attention) the last time it was successfully used…

Don’t have nightmares, remember that 80-90% of all security breaches/incident I have dealt with could have been avoided by just following best practice and doing the basics… This includes taking (and testing) backups, educating (and testing) your staff, patching your systems, applications and writing secure code, good Identity and Access Management, and so on…

Effective End-User Training, Compliance and Testing

What do most staff think when they hear the words “end-user security training” or “security awareness training“?

They think, “Oh no, is it really that time of the year again? What a waste of my time; it is so boring and doesn’t teach me anything that is useful to me. Security is the IT department’s problem/job, not mine!

In many organisations security awareness training is dull, impersonal and does not use “real life or real world” stories to add colour and flavour and help explain the problem, the risks, and the impact of security breaches/incidents. In most cases the training is to read a policy document (Internet Usage Policy/Security Policy, etc.) or to watch a video or attend a webinar where they are preached to rather than being allowed to participate in an interactive or interesting session.

Staff need to understand that in today’s world, security is everyone’s job, because if your staff are not part of the solution, they are part (if not most*) of the problem!

[*] 95% of successful cyber attacks are the result of a phishing scam.
Source: (2017) Ironscales,Email Security Report.

Add to this that many staff treat end-point protection (anti-malware, personal firewall and related security tooling) as an “authentication” method; “if I can open this link/file in the email, go to this site, etc. and my system gets hacked/infected, it is not my fault, it is the security/IT departments fault!” This is captured very nicely in this cartoon.

Given the above perceptions of many staff/end-users, what can we do to try and reverse this situation, so that staff see security as part of their job/responsibility and become part of the extended security team?

What do you need to make end-user security training successful, rather than something that is hated/despised/loathed and avoided at all costs for as long as possible by most staff in almost every organisation?

Here are some top tips:

  1. Make it fun; use gamification, where they are engaged, entertained, involved and tested throughout each module.
  2. Keep it short and punchy; no longer than 20 minutes, backed up with bite-size (5 minute) modules to reinforce an individual topic/threat. Don’t try and do the whole organisation at the same time; do it in groups and stagger the roll-out to be more effective.
  3. If you can make it a competition; who can report the most spam/scams/phishing emails, etc. Give prizes, or at least recognition!
  4. Make is personal; teach them skills that they can use in everyday life, including at home.
  5. Phish your own staff (after training them, and before) so that you can gauge the effectiveness of the training, but do it wisely and sparingly as otherwise they will quickly become fatigued and disinterested.
  6. Don’t penalise those that fall for the phishing test emails; use this instead as a “teachable (not preachable) moment“, rather than shame or blame them, try to understand why they fell for it, and explain how they could have recognised it for what it was.
  7. Make sure you set-up an email address such as: “[email protected] which can be used by employees when they suspect they have received a phishing email. Explain what steps they should take in order to report the email and give them with the necessary tools/guidance to report a suspected phishing email, such as a “report-phish” button in their email program.
  8. Training is not a one-time or once a year thing; good awareness training is part of the culture of an organisation and needs to be topped-up and refreshed all the time to stay effective. Make sure all staff, from the C-Suite down to the most junior staff in the organisation are included, not just techies.
  9. Ask for feedback, especially ask them about what they are worried about, e.g. Ransomware, Scams, Sextortion, Social Networks, Privacy, Passwords, GDPR, Data Breaches and how it impacts them personally and the company/organisation/industry, etc.
  10. You could always bring in a real-life “hacker” (an Ethical one, also known as a Penetration Tester or White Hat Hacker) and let them talk to your staff and answer their questions; they will have lots of real-world stories and good advice. T here are some that are good at talking to non-techies without resorting to acronyms and technical jargon.  These rare individuals will use humour, analogies and stories to help illustrate and bring the subject to life; they will often be very passionate about security, and this will keep the audience engaged.

However, you will find that 10-20% of your staff will just not be trainable (from a security awareness perspective)and you need to identify them and work on ways to reduce the risk that they pose to your organisation.

As the old saying goes:
The Bad Guys n Girls only have to get lucky once;
the Good Guys n Girls have to be lucky all the time
“.

So, what is a good solution that isn’t going to break your budget, but still allow you to deliver most of the above as a managed service and tie in to your Active Directory do that you can assign training to groups or individuals and see the results (meta data) from the training and testing?

One vendor that I have found to be very effective in this space is Techguard Security, this is what they say about their offering:

“Empowering your workforce to recognize and respond to sophisticated threats is only a click away. TechGuard S.H.I.E.L.D is a cutting-edge and comprehensive training solution for businesses of all sizes.”

You can use the following link to find out more about Techguard and their offerings, including the end-user training and phishing testing offerings, and what’s more, if you decide you like what you see and sign-up with them, you will get 10% off the price!

To find out more and claim your 10% discount when you sign up, use this unique web link: https://www.techguard.com/omg-cyber-security/

If you don’t use that link to register your interest, you won’t get the discount when you sign up.

Don’t just take my word for the effectiveness of good Security Awareness training, here are some statistics:

  • According to research by Ponemon, even the least effective training programmes have a 7-fold return on investment.
  • Most cybersecurity training programmes result in a 37-fold return on investment.
    Source: (2015) Maria Korolov, Does security awareness training even work?

If you don’t train your staff and carry out phishing tests, the Bad Guys n Girls will, and the results won’t be pretty…

I have been doing security for over 30 years and I often state “The day I stop learning will be the day they bury me“, in other-words, I’m still learning and will continue to do so until I die.

Sextortion – Your Money, or Your Pride!

I have been hearing about the recent wave of sextortion emails (these are not a new phenomena) that many are receiving and I was feeling a little left out, as I haven’t received a single one of the new campaign…..until the other day!

Here’s an edited screen shot of the sextortion email I finally received on the 11th of October, 2018:

It included what it claims is not only my email address, but also my user ID and password for the site they claim I accessed.

Let’s look at this in a bit more detail…

Should I be worried, panic, and pay up?

Of course not, why?

  1. The credentials (user id and password) are ancient and lifted during one of the many data breaches over the last 10 years.
  2. I don’t visit porn sites (yes, really!)
  3. There is NO video, it is all a bluff to get you to panic and pay up, just in case…
  4. I stopped using FaceBook a while ago, in fact I closed my account and requested all my data to be deleted weeks ago (well before I got the sextortion email).
  5. I have been working in anti-malware and malware analysis for over 30 years, and I’m used to catching and analysing new malware; guess what, there is no malware on my systems (unless I put it there to analyse it, in a safe environment).
  6. There is NO unique pixel in the email (it is just pure plain ASCII text, no graphics, no HTML, no scripting, no risk). They do not know if you have received or read the email (there isn’t even a receipt request in the email).
  7. The Bitcoin address is not unique, it is used for the whole sextortion email campaign, so they have no way to see if you have paid or not. This is how many modern ransomware attacks and DDoS extortion attempts work; they have no intent in giving you back your data or actually carrying out any DDoS attack. It is all about getting you to believe in what they are telling you, so that they can make lots of money by frightening you in to paying up…

At the time of publishing this article, over 5 days had elapsed (so my pay up deadline had expired) and guess what happened?

NOTHING, NADA, ZILCH, etc.

Update 1st November, 2018: Well I checked out the Bitcoin Wallet this scammer was using, this wasn’t a very profitable scam as they had only two victims pay up, which is around 1,600 USD. A later variant of the scam I received managed to get thirteen victim to part with 700 USD each, netting around 9,100 USD.

I was at a conference last week and one of the delegates there approached me after my talk and showed me yet another variant of this scam, he was really concerned that his phone and system had been hacked (it hadn’t). I analysed the email and found no trace of any beacon, malware or any active content. This new scammer was more successful as he/she was asking for 803 USD per victim and eighteen paid up, netting the scammer almost 14,500 USD

Update 8th December, 2018:

More new campaigns and a few of them are starting to get more bitcoin payments, but others are getting almost nothing. Hopefully the word is getting out and less people are falling for this?

A new twist (but not unexpected), the Sextortion scammers are now including links to booby-trapped sites/files that contain Malware (mainly Ransomware, at the moment, but this will change). This means that clicking on ANY links in these Sextortion emails is now far more dangerous; just delete the email or report it, don’t click on any links in them, not even on how to buy Bitcoin!

Here is a screen shot of the activity for a number of Bitcoin wallets that were involved in Sextortion scams:

I will continue to monitor these Bitcoin Wallets and investigate new versions of this scam; stay tuned!

However, this is a growing crime wave and victims do fall for it, look at the statistics below to see how bad it can be, and what you should do if you receive such as threat:

  • What is sextortion?
    – Being blackmailed by cyber-criminals that claim they have got hold of explicit material of you or one of your children, including: Photos, Video, Chat, Text messages, etc.
  • How common is it and who are the main victims?
    – Over 1,304 reported cases in 2017, up from 428 in 2015, although the number is likely to be significantly higher as many of these crimes go unreported. This is just in the UK (not globally, and it is a global scam).
    –The target is usually male, in their teens or twenties. Although some girls have also been targeted.
  • How do they work?
    – Victims are usually groomed for weeks/months before the blackmail attempt.
    – Often this happens via fake social media accounts or via targeted phishing emails.
    – Occasionally this may start with a video call, such as via Skype.
    – Many are just scams, they have no data/video of you or a family member.
  • What should you do?
    – Don’t Panic.
    – Don’t Pay.
    – Call the Police (sextortion is a criminal act). It is a form of blackmail.
    – Don’t contact the blackmailers (stop all communication).
  • What are the costs?
    – Amounts requested vary, but typically between £300 and £3,000 is asked for
    – At least 5 males have taken their own lives due to being a victim of this type of blackmail/extortion

Stay safe and educate yourself about the risks and ways to reduce your own attack surface; that will make it harder for the Bad Guys n Girls to succeed.