As hackers continue to advance their malicious tactics, it’s no surprise that increasingly sophisticated cyberattacks and fraud are costing business big time. In this week’s Hacker Tracker, Simon Ragona III, director of data forensics at T&M Protection Resources, joined PYMNTS to discuss if tapping international law can actually help to keep cybercriminals at bay.
Businesses Paying Up
The costs of cybercrime just keep going up — in more ways than one.
Cisco’s 2017 Annual Cybersecurity Report (ACR) report revealed companies that suffer a data breach are expected to have customer, opportunity and revenue losses exceeding 20 percent.
Nearly 29 percent lost revenue, and another 23 percent of breached organizations lost business opportunities, the report showed.
“Hackers have changed their methods to defraud companies, and there is one common theme — users have gained an awareness over time, and each attack method gradually becomes less effective,” Ragona told PYMNTS.
“Although there are technical mechanisms to detect and prevent malicious attacks, the underlying root cause is still the user doing something they shouldn’t, whether it be clicking on a link in a phishing email, opening an unsuspecting email attachment or downloading internet content from an untrusted source,” he continued.
Cisco’s data also showed that more than 50 percent of the nearly 3,000 chief security officers (CSOs) and security operations leaders surveyed said organizations face public scrutiny after a data breach takes place. The CSOs surveyed also noted that there were many barriers to advancing the security postures of their organizations, such as budget constraints, poor system compatibility and a lack of trained talent.
But Ragona said that the tried-and-true method to ultimately preventing users (and companies) from becoming victims is to provide effective user awareness training on a regular basis.
“This means that an annual training presentation that simply informs users of the risk is not going to be effective in actually preventing the attacks from being successful. Effective user awareness training should be unannounced, and the training methods should be dynamic in that they evolve with the ever-growing threat landscape,” he added.
Malware Drones Take Off
Researchers at Ben-Gurion University’s cybersecurity lab developed a method to get around a security protection dubbed an “air gap” in which sensitive computer systems are separated from the internet to keep the information protected from hackers.
The answer? Drones.
The researchers discovered a way to use malware installed on a drone to steal data off of computers by watching the optical stream of the LED on the computers’ hard drives and sending it to a camera outside the window.
“If an attacker has a foothold in your air-gapped system, the malware still can send the data out to the attacker,” Ben-Gurion researcher Mordechai Guri explained a report highlighting the demonstration. “We found that the small hard drive indicator LED can be controlled at up to 6,000 blinks per second. We can transmit data in a very fast way at a very long distance.”
With this method, hackers could potentially use the malware to discreetly steal the secrets off a machine that is supposed to be isolated and thus protected. According to the report, every blink of a hard drive’s LED indicator can provide sensitive information to a hacker with a line of sight to the computer, whether it’s by using a drone or a telescopic lens.
The researchers in their demonstration were able to move data at around 4,000 bits a second, which the report noted is close to a megabyte per half hour. The person receiving the data can then record it and use optical messages at a later time to decode all the information.
Does IoT Security Need International Law?
Cybercriminals are using malware to target the rapidly increasing market of IoT devices in “jackware” or “ransomware of Things” (RoT) attacks.
As more connected devices become available, the threat of RoT has the potential to become a pervasive and disruptive phenomenon, Wired reported.
Ido Kilovaty, a cyber fellow at the Center for Global Legal Challenges and a resident fellow of the Information Society Project at Yale Law School, argued that the security of IoT devices can be addressed on an international level since many of the manufacturers of these products operate globally.
But in order for this to actually work, IoT security standards must first be agreed upon by nations, and then, an independent third-party organization should be established to implement updates when needed.
However, while an international security standard is great in theory, Ragona said that the effectiveness of it is still up for question.
“Even if an international security standard was developed and enforced by the end of 2017, there would be millions of ‘connected devices’ already in use at homes, offices and even hotels that would not be in compliance with the international security standard,” he explained.
“Sure, updates could be released to correct certain security flaws, but the reality is many users are not updating their IoT devices. We are only at the beginning of a dangerous age of IoT hacking.”