In 2014, cybercrime cost the world an estimated US$400 billion. Since then, the words “crime wave” sound like an understatement and “epidemic” is more appropriate. In 2019, the total global cost of cybercrime is estimated to be around the US$2 trillion mark.
In 2015, IBM’s CEO said, “cybercrime is now the greatest threat to every company in the world”. Last year there were several high-profile cyber attacks, and as recently as last week, the WannaCry ransomware wreaked havoc on half a million systems.
2016, the year of Mirai & Dridex
Since 2014, the number of cyber incidents has been growing at an alarming rate. In February 2016, cybercriminals pulled off the biggest bank heist in human history using malware called Dridex. The target was the Bangladesh Central Bank, where instructions were sent over the SWIFT network to transfer a total of US$951 million, of which only a part was recovered.
In October 2016, the Mirai botnet infected Internet of Things (IoT) devices and used them for the biggest denial-of-service (DoS) attacks in the history of the Internet. Cybercriminals contacted potential targets and attempted to blackmail them. After the ransom was paid, the criminals continued to demand more money and still executed their DoS attacks to keep their victim's systems offline for days. Chances are that Mirai infected your IoT device - Smart TV, networked storage, or Internet-connected DVR - and was assisting in the attacks as well.
2017, the year of NSA leaks and WannaCry
Fast forward to May 2017, and the Internet worm and CryptoLocker named “WannaCry” found its way into unpatched computers and desktops worldwide at an alarming rate. Once it got into a system, it would encrypt files and spread further and deeper into networks while demanding Bitcoins for ransom. After just three days, the infection had spread to over half a million systems.
To get a sense of the attack, one only needs to look at the WannaCry outbreak timeline:
- Sometime before March 2017 - US’ National Security Agency (NSA) finds a vulnerability in Windows and develops an exploit in secret.
- March 2017 - Microsoft patches the vulnerability (MS17-010) after the NSA reported it, fearing the upcoming leak from Shadow Brokers.
- April 2017 - A group calling themselves the Shadow Brokers leak the stolen NSA hacking tool, “EternalBlue”.
- May 2017 - Cybercriminals unleash WannaCry, which uses EternalBlue to spread.
Looking at the timeline, Microsoft patched the vulnerability in Windows a month before the Shadow Brokers leaked the exploits.
What would have prevented this outbreak?
Here are four simple security mitigations that work for the home or office:
- Application whitelisting - Whitelisting allows only trusted (whitelisted) applications to run. Whitelisting compliments anti-virus/malware software, which is a blacklisting approach, and only blocks known malicious programs from running.
- Patch operating systems, applications and IoT devices - By patching as soon as security updates are available, you close the time window between the vulnerability being discovered and the malware that leverages it to access to your system and hold your files and documents for ransom.
- Minimise administrative privileges - You don’t need to always log in as “administrator” on your laptop to use Facebook, email, or Excel. Should something get in, the privilege separation between regular user and administrator is a good way to limit the damage.
- Implement data restore capability - If your documents get overwritten by a ransomware attack, you will be able to recover the latest version from a backup. A backup is only good if you can restore it, so check your restore capability regularly and backup often.
For some companies, these controls may seem too complicated and expensive to implement. They will instead run penetration tests annually and fix any issues as they are identified.
However, a penetration test will only test for well-known security bugs and missing patches, perhaps together with some individual tests developed by the penetration tester.
What should be the focus of the penetration test?
You cannot relate penetration testing to functional testing, since you can only prove a positive and not a negative. With functional testing, you can prove without a doubt that a system functions according to its functional specifications. However, with a penetration test, you cannot determine a system has zero vulnerabilities.
The first goal of a penetration test should be to check how well your security controls can detect, deter, prevent, and correct a possible breach. This test will also provide a decent simulation of someone rattling the cage, so check if you can hear them doing that. The four mitigations above only cover the “prevent” and “correct” steps, so you will need to augment them to create a more comprehensive cyber defence.
On average, it takes an organisation 203 days to detect an intrusion, but it takes only hours to days for cyber criminals to steal or corrupt sensitive data. In many cases, organisations only find out that they have been breached from a notification by law enforcement, or worse, questions from a journalist.
Cybercrime has become the most damaging form of crime, since the Internet is global and has no borders. This makes it difficult for local law enforcement to locate and capture cybercriminals.
The Bangladesh Central Bank heist demonstrated there is a lot to steal. The Mirai and WannaCry attacks showed how patches and updates are essential to keep systems secure. With the incredible rate of spread and return on investment for cybercriminals, there will likely be more WannaCry-style attacks in the future.
Test your mitigations regularly and make this the key business driver for your annual penetration test.