Disparate factors merging to “exponentially” increase cyber threats.
Who would have thought it necessary for IT and treasury to be wary of malicious refrigerators?
Recently the treasury director at a major healthcare company noted in a NeuGroup peer group meeting that the volume of cyber attacks against the company had increased starting last summer and into late fall. And they’re coming in a wider variety of ways. For instance, the company has strict security protocols that must be followed to make wire transfers, but like most Fortune 500 companies it perpetually pursues acquisitions, and that’s where business email compromise (BEC) attacks can arise. In fact, the company just avoided a $100,000 wire scam aimed at an acquired company that had not yet adopted the healthcare company’s cyber security protocol.
“We pursue acquisitions and at different points when the acquired company is not fully integrated into our processes is where cyber risks open up,” the director said.
Other types of change foster cyber vulnerabilities as well, and companies’ adoption of the Internet of things (IoT), in which computing devices in everyday objects are interconnected via the Internet, appears to be an area that is ripe for growing cyber risk. The healthcare treasury director noted “weird” queries seeking information about mundane office equipment, such as copy machine serial, fax and other numbers.
“Who knows what they wanted … People may ask for something that seems innocent, but it may be [a new type of fraudulent activity] they can run with,” the director said, adding that the volume of such unusual queries as well as more traditional cyber-attacks had increased since summer.
In fact, the queries may very well have been from a cyber criminal exploring potentially new sources of corporate vulnerabilities. Copiers, like a range of other office machines, including refrigerators, coffee machines and thermostats, as well as the sensors companies are starting to place throughout their supply chains to monitor production, tend to run on the same types of operating systems as computer hard drives, browsers and other traditional cyber targets.
Rick Burke, head of corporate products and services for TD Bank, said the volume of cyber-attacks has recently increased in both frequency and intensity, for both corporates and banks, in part because the number of cyber criminals is growing and they’re continuously thinking up new avenues of attack.
“We also think this increase has to do with the IoT,” Mr. Burke said, adding that business executives typically may have had a desktop and a laptop that risked infection, and now there are numerous other office devices using similar operating software. Where there may have been 10 devices before that could be infected, now there may be 50 or 100. “There’s an order of magnitude increase in the potential devices that can work together to gather information, attack websites and cause problems,” Mr. Burke said.
Mark Nicholson, a principal at Deloitte, said the consultancy has also seen an increase in corporate cyber intrusions, both in terms of scans for system vulnerabilities to exploit as well as actual attacks.
“We also saw over the last year a migration of some of that scanning activity to other ‘telnet-like’ services that other device types expose, indicating there was scanning activity specifically outside traditional devices such as desktops that sought to exploit members of the IoT—things like printers and thermostats,” Mr. Nicholson said. “Much of the increase in activity included searches for IoT vulnerabilities.”
Successfully planting command-and-control malware in certain types of devices could be especially problematic for specific industries. Companies whose hijacked printers are used to copy contracts or legal documents could see that critical information whisked away into fraudsters’ hands, and likewise for the valuable trade secrets of innovative technology and pharmaceutical companies. Mary Ann Miller, a senior director at NICE Actimize, which provides a financial crime, risk and compliance platform, noted that copy machines could be very important targets for cyber criminals.
“My understanding of that type of technology and the type of malware that could be placed in it suggests that’s very feasible,” Ms. Miller said.
Mr. Nicholson noted that the precursor to an attack typically entails cyber criminals using tools to scan for open ports, which essentially allow computers to communicate over a network. Over the last year, Deloitte has seen a migration of some of that scanning activity to telnet-related ports, indicating that the scans were aimed not at traditional desktops or laptops but at IoT devices.
“It’s a bit of a softer target, because often the same rigor that has been applied to protect more traditional targets has not been applied to other types of devices with the same operating systems and core vulnerabilities,” he said.
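The scanning pattern described above can be spotted from the defender's side in perimeter logs. The following is an added example, not part of the original article: it flags sources that probe telnet ports on several internal hosts and lists the device classes they touched. The log layout, inventory, addresses, port 2323 and the threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Telnet's registered port is 23; 2323 is a common alternate and is an
# assumption of this example, not something the article specifies.
TELNET_PORTS = {23, 2323}
MIN_DISTINCT_TARGETS = 3  # hypothetical threshold separating a scan from a stray hit

# Constructed asset inventory: internal address -> device class.
INVENTORY = {
    "10.0.5.11": "printer",
    "10.0.5.12": "thermostat",
    "10.0.5.13": "smart-tv",
    "10.0.1.20": "desktop",
}

# Constructed firewall log lines in a simple key=value layout.
SAMPLE_LOG = """\
2017-01-10T03:14:01Z action=deny src=203.0.113.7 dst=10.0.5.11 dport=23
2017-01-10T03:14:02Z action=deny src=203.0.113.7 dst=10.0.5.12 dport=23
2017-01-10T03:14:03Z action=deny src=203.0.113.7 dst=10.0.5.13 dport=2323
2017-01-10T03:15:40Z action=deny src=198.51.100.9 dst=10.0.1.20 dport=3389
2017-01-10T03:16:05Z action=allow src=198.51.100.9 dst=10.0.1.20 dport=443
2017-01-10T03:17:12Z action=deny src=192.0.2.44 dst=10.0.5.11 dport=23
garbage line that should be ignored
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

def find_telnet_scanners(log_text, inventory, min_targets=MIN_DISTINCT_TARGETS):
    """Return {source: sorted device classes probed} for sources that tried
    telnet ports on at least min_targets distinct internal hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Skip unparseable lines and traffic to non-telnet ports.
        if not m or int(m["dport"]) not in TELNET_PORTS:
            continue
        targets[m["src"]].add(m["dst"])
    findings = {}
    for src, hosts in targets.items():
        if len(hosts) >= min_targets:
            findings[src] = sorted({inventory.get(h, "unknown") for h in hosts})
    return findings

if __name__ == "__main__":
    for src, classes in find_telnet_scanners(SAMPLE_LOG, INVENTORY).items():
        print(f"{src} probed telnet on: {', '.join(classes)}")
```

A source that shows up here against printers or thermostats but never against desktops is the shift in targeting the paragraph above describes.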
Once cyber criminals find vulnerabilities, they can insert malware to steal information or otherwise exploit the device, or plant a command-and-control program. A few years ago, denial-of-service attacks were common, where cyber criminals gained control of multiple machines that they used to inundate a target server with messages, sometimes paralyzing it unless a ransom was paid. Technology was developed to minimize the impact of those types of denial-of-service attacks.
“Over the last few months, however, we’re seeing those types of attacks step up again, because there’s a higher magnitude of devices. Now the attack can come from a fridge or a smart TV; malicious code can wait in there and be triggered from afar,” Mr. Burke said.
Mr. Nicholson said another factor increasing the volume of cyber attacks is that increasingly sophisticated tool kits to seek out and exploit vulnerabilities are now available for sale over the Internet, so less technologically sophisticated criminals, and thus more of them, can use them. In addition, more companies are developing web-facing applications to develop a competitive edge and rushing them to market without sufficiently rigorous testing.
“I think we’re at an inflection point. The number of computing devices in various formats is only going to increase, probably exponentially, and so vulnerabilities will increase exponentially as well,” Mr. Nicholson said.