Opportunity driven cyber security

By Martijn Sprengers, Information security advisor at KPMG IT Advisory

In this article Martijn Sprengers, information security advisor at KPMG IT Advisory, discusses developments in cyber crime. He shares his view on the risk of cyber crime and explains different cyber security approaches.

Managing cyber risk through the eyes of an attacker
Open the newspaper or your favorite online blog and you see examples of identity theft, cybercrime, hacking and digital espionage every day. Should organizations worry? Should you worry? Yes you should, but not more than with any other risk.

Security, and especially digital security, is often approached from the perspective of Fear, Uncertainty and Doubt (FUD). Because of its digital and intangible nature it can be hard to grasp, let alone understand, all the threats and possibilities of threat actors. Therefore, it has become a key theme in today’s business reality. Now that the success of many organizations has proven to be dependent on digital assets, they should start looking at cyber security as an opportunity that will add extra value to a company’s products and services. In this article, I will mainly focus on the aspect of learning from your opponent: become more resilient to digital threats by looking through the eyes of an attacker.

Looking through the eyes of an attacker
To ensure that the company’s most important (digital) assets are safe, it is important to know who wants to attack our organization, and why. In other words: what are the most relevant threat actors and what are their motivations to target you or your organization? Is it digital vandalism? Hacktivists who pursue idealistic goals? Organized crime or state sponsored espionage? The threat landscape is changing: the aforementioned groups used to operate independently, whereas now they are more and more connected. For example, a hacker can work alone one day, join an activist campaign the next, and get hired by a government to develop state sponsored malware later. Driven by fear, companies want to protect all their assets, but that is unfeasible. It is not a matter of whether attackers will breach their security, but when. Therefore, companies should focus on implementing preventive, detective and responsive measures while assuming the attacker has already compromised their first layer of security. For example: it is not only about keeping viruses and malware off your employees’ laptops, but also about detecting malicious behavior or misuse, as I usually see that five to eight percent of the laptops are infected with malware.

During my penetration testing activities, I don’t have to attack the structured data sources (e.g. databases or the ERP applications) anymore. Infecting one end-user who has access to SharePoint or shared folders is usually enough to steal the ‘crown jewels’ of organizations. You will also see this new approach in the cybercrime underground. In the last year, an emerging group of hackers called FIN4 has also been using these methods. They don’t penetrate deeply into the network of their victim company; they only obtain access to the e-mail inboxes of specific, targeted employees (such as finance departments). They then use the information obtained, such as upcoming mergers and acquisition deals and trading information, to gain an advantage on stock exchanges or sell this data on online marketplaces.

From system to data oriented security
Since systems are more and more connected, organizations are continuously exposed to all kinds of digital threats. Some companies get attacked even thousands of times a day. However, this does not mean that these attacks are successful and the hackers are able to modify or steal your most important data. In the past, these ‘crown jewels’ were tangible and easily protected by putting them in a (digital) vault, for example in structured sources such as databases. As a result of this tangibility and simplicity, companies organized their IT security at the system level. This means that on a technical or operational level, the individual systems are usually reasonably well protected. However, the focus of IT security should actually be at the data level: where in your (digital) organization are these crown jewels stored? They can be virtually anywhere, especially in unstructured data sources: in the e-mail boxes of employees, cloud services (like Dropbox) or smartphones. An attacker doesn’t look at the security of the individual system; he is looking for the weakest link in the complex IT environment. During my recent penetration tests, in which I test the security of companies by trying to hack my way in, I don’t have to attack structured data sources anymore. Infecting one end-user’s laptop which has access to sensitive data is usually enough to steal the company’s crown jewels. This is also a pattern that is identified on the dark side of the Internet. For example, one of the prevalent threats is the group of hackers called FIN4. Without penetrating deeply into their target’s network they copy the e-mails of employees, usually by carefully selecting their targets. This group is especially interested in information regarding mergers and acquisitions for large multinationals and financial institutions. The information is then sold on the black market or used to their own advantage in stock trading.

Another upcoming threat is the theft of intellectual property, usually performed by nation states such as China. A recent example of this is the breach of ASML’s security. The problem with these attacks is that nothing gets ‘stolen’, only ‘copied’: the data is not modified and still resides on the organization’s systems. To mitigate such attacks, the focus of companies should be on protecting their data, not only their systems.
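The data-oriented question the section raises, “where in your organization are these crown jewels stored?”, is one a defender can start answering with a discovery pass over unstructured sources. The following is an added example, not code from the article or from KPMG: it scans a small constructed corpus (mailbox items, a shared folder, a cloud sync folder, a phone note and a database export, all made up for this example) for classification markers and deal-related keywords, and reports in which kinds of location the sensitive material actually lives. The marker and keyword lists are assumptions chosen to match the article’s examples; a real inventory would use the organization’s own classification scheme.

```python
import re
from collections import defaultdict

# Constructed sample corpus for the example: (location type, path, contents).
# None of this is real data.
SAMPLE_DOCUMENTS = [
    ("mailbox", "mail/cfo/inbox/0412.eml",
     "Subject: Project Falcon - draft term sheet\nCLASSIFICATION: CONFIDENTIAL\n"
     "Attached the valuation for the acquisition of the target. Do not forward."),
    ("shared_folder", "shares/finance/q3/forecast.txt",
     "Internal use only. Q3 trading forecast and merger timeline attached."),
    ("cloud_sync", "dropbox/jdoe/holiday_photos.txt",
     "Pictures from the team outing."),
    ("smartphone", "phone/jdoe/notes.txt",
     "Reminder: board call about the M&A deal, strictly confidential."),
    ("database", "db/crm/customers.csv",
     "id,name\n1,ACME Corp\n2,Globex"),
]

# Indicators that a document belongs to the crown jewels (assumed lists).
CLASSIFICATION_MARKERS = re.compile(r"\b(confidential|internal use only|secret)\b", re.I)
TOPIC_KEYWORDS = re.compile(r"\b(merger|acquisition|m&a|term sheet|valuation|trading)\b", re.I)


def classify_document(text):
    """Return the set of reasons this document looks sensitive (empty if none)."""
    reasons = set()
    if CLASSIFICATION_MARKERS.search(text):
        reasons.add("classification marker")
    if TOPIC_KEYWORDS.search(text):
        reasons.add("deal/trading keyword")
    return reasons


def build_inventory(documents):
    """Group sensitive documents by the kind of location they were found in."""
    inventory = defaultdict(list)
    for location_type, path, text in documents:
        reasons = classify_document(text)
        if reasons:
            inventory[location_type].append((path, sorted(reasons)))
    return dict(inventory)


def unstructured_share(inventory):
    """Fraction of sensitive documents found outside structured sources (databases)."""
    total = sum(len(items) for items in inventory.values())
    structured = len(inventory.get("database", []))
    return (total - structured) / total if total else 0.0


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_DOCUMENTS)
    for location_type, items in inv.items():
        for path, reasons in items:
            print(f"{location_type:14s} {path}: {', '.join(reasons)}")
    print(f"share of sensitive documents in unstructured sources: {unstructured_share(inv):.0%}")
```

In the constructed corpus every hit is in a mailbox, a shared folder or a phone note and none is in the database export, which is the point the section makes: system-level controls around the database say nothing about copies that have drifted into unstructured stores.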

Encryption provides less security than expected
Another preventive measure that organizations use to protect their data is encryption: using a secret key to ensure that only authorized personnel with knowledge of this key can access the crown jewels. However, encryption can give a false sense of security, as it is often not correctly implemented or insecurely configured.

As a professional hacker, encryption never held me back (for long) from stealing the ‘crown jewels’ of organizations while testing their security. With just simple attacks (like an SQL injection or a weak password) it is easy to obtain unauthorized access to a database, or to get access to the underlying operating system which stores the encryption keys for the database. As one of the founders of the RSA algorithm put it: “Cryptography usually gets bypassed, not penetrated”. Managers often give software developers responsibility for implementing information security in their applications. However, this leads to a false sense of security. Developers are usually not capable enough to deal with all possible security vulnerabilities and attack paths, especially in the field of cryptography. The hazard is that encryption (and implementing it) is a discipline on its own: implementing security protocols and cryptography is a science in itself.
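The failure mode described here, a database key that sits on the same operating system as the data it protects, is one a defender can check for mechanically. The following is an added example, not code from the article or from KPMG: it audits a deployment’s database configuration (assumed to be an INI file with a `[database]` section holding `path`, and either an inline `key` or a `key_file` reference; both names are assumptions) and reports whether the key is embedded in the config, whether the key file is readable by other accounts, and whether it is stored next to the encrypted database. The two deployments it audits are constructed in a temporary directory for the example.

```python
import configparser
import stat
import tempfile
from pathlib import Path


def audit_db_encryption_config(config_path):
    """Return findings about how the database encryption key is stored.

    Assumed config layout (not a real product's format):
        [database]
        path = /srv/app/app.db
        key_file = /srv/app/db.key      # or: key = <inline secret>
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(config_path)
    db = cfg["database"]
    data = Path(db["path"])
    findings = []

    # An inline key means anyone who can read the config can decrypt the data.
    if db.get("key"):
        findings.append("encryption key embedded in plaintext in the config file")

    key_file = db.get("key_file")
    if key_file:
        key = Path(key_file)
        mode = stat.S_IMODE(key.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("key file readable by group or others")
        # Key and ciphertext in one place: a single file-read primitive yields both.
        if key.resolve().parent == data.resolve().parent:
            findings.append("key file stored in the same directory as the encrypted database")
    return findings


def audit_sample_deployments():
    """Build a weak and a stricter constructed layout and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        # Weak layout: inline key in config, key file next to the database, mode 0644.
        weak = root / "weak"
        weak.mkdir()
        (weak / "app.db").write_bytes(b"constructed ciphertext")
        weak_key = weak / "db.key"
        weak_key.write_bytes(b"constructed key material")
        weak_key.chmod(0o644)
        weak_cfg = weak / "app.ini"
        weak_cfg.write_text(
            f"[database]\npath = {weak / 'app.db'}\nkey = hunter2\nkey_file = {weak_key}\n"
        )

        # Stricter layout: no inline key, key in a separate directory, mode 0600.
        strict = root / "strict"
        strict.mkdir()
        keystore = root / "keystore"
        keystore.mkdir()
        (strict / "app.db").write_bytes(b"constructed ciphertext")
        strict_key = keystore / "db.key"
        strict_key.write_bytes(b"constructed key material")
        strict_key.chmod(0o600)
        strict_cfg = strict / "app.ini"
        strict_cfg.write_text(
            f"[database]\npath = {strict / 'app.db'}\nkey_file = {strict_key}\n"
        )

        return audit_db_encryption_config(weak_cfg), audit_db_encryption_config(strict_cfg)


if __name__ == "__main__":
    weak_findings, strict_findings = audit_sample_deployments()
    print("weak layout:", weak_findings or "no findings")
    print("strict layout:", strict_findings or "no findings")
```

The stricter layout still keeps the key on the same host, which is why the audit is a floor rather than a ceiling: separating the key into a dedicated store that the database account cannot read is what turns “bypassed, not penetrated” back into a problem the attacker actually has to solve.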

Who should take responsibility then?
To ensure that enough attention is paid to the security of the company’s valuable information, management has to take an important role. The awareness that security isn’t the responsibility of one team or one person, but everybody’s responsibility, has to become business as usual in every layer of the organization. Besides this, organizations tend to focus on external threats and only react when major incidents occur, such as the Gemalto hack or the theft of Uber’s taxi driver database. By only focusing on the principle of “Fear, Uncertainty and Doubt” (FUD), security will become nothing more than symptom treatment. Instead, you should compare security with managing ‘quality’ in an organization. That should not be the responsibility of a so-called ‘quality team’, but a responsibility for the company as a whole, especially management and the board of directors. Therefore, security should be integrated into day to day business, making it a regular process of improvement. As a result, cyber security will be embedded in the business strategy and will offer a solid foundation for protecting the company’s most valuable assets and related business processes.

PLEASE NOTE: The information and views set out in this article are those of the author and do not necessarily reflect the official opinion of KPMG Advisory N.V. Responsibility for the information and views set out in this article lies entirely with the author.