Cybersecurity and Third-Party Risk. Gregory C. Rasner
Your risk of a data leak is vastly reduced, as the only people who have access to it have the safe's combination. If there is a data breach, the list of culprits likely will not be lengthy.
A vendor has a business relationship with a company—it's business, nothing personal. As a company paying for a service or product, there is nothing wrong with requiring certain risk reduction behaviors that your company does not require internally. Most often the internal and external standards are the same; however, in some areas, such as encryption or access management, they can diverge. For example, internally a company could have a standard of AES‐128 encryption; however, that same company could require a standard of AES‐256 or equivalent externally from others. The company wants the assurance that its data is kept even more secure when housed outside its environment.
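As an added example (not code from the book), the following check applies a stricter encryption minimum to a vendor than the company applies internally, following the AES‐128 internal versus AES‐256‐or‐equivalent external case above; the policy values, cipher labels and vendor questionnaire are constructed assumptions.

```python
import re
from typing import Optional

# Added example (not from the book): check a vendor's declared encryption
# against a third-party minimum that is stricter than the internal one.
# The policy values, cipher labels and questionnaire below are constructed.

MIN_BITS = {"internal": 128, "third_party": 256}   # minimum symmetric key strength


def key_strength(cipher_label: str) -> Optional[int]:
    """Map a free-text label such as 'aes-256-gcm' or 'AES128' to key bits.

    'Or equivalent' is read as equal effective key strength, so ChaCha20
    (256-bit key) counts as AES-256 equivalent. Unknown labels return None.
    """
    label = cipher_label.strip().upper().replace("_", "-")
    m = re.match(r"^AES[- ]?(128|192|256)\b", label)
    if m:
        return int(m.group(1))
    if label.startswith("CHACHA20"):
        return 256
    if label.startswith(("3DES", "TRIPLEDES", "TDES")):
        return 112          # effective strength of three-key Triple DES
    if label.startswith("DES"):
        return 56
    return None


def assess_vendor(questionnaire: dict, context: str = "third_party") -> list:
    """Return one finding per data store that misses the minimum for context.

    questionnaire maps a data-store name to the cipher the vendor declares.
    An unrecognized cipher is reported as a finding, never silently passed.
    """
    required = MIN_BITS[context]
    findings = []
    for store, declared in questionnaire.items():
        bits = key_strength(declared)
        if bits is None:
            findings.append((store, declared, f"unrecognized cipher; require {required}-bit"))
        elif bits < required:
            findings.append((store, declared, f"{bits}-bit key below {required}-bit minimum"))
    return findings


if __name__ == "__main__":
    # Constructed vendor answers: two meet the 256-bit external bar, two do not.
    sample = {"backups": "AES-256-GCM", "api_tls": "chacha20-poly1305",
              "legacy_db": "aes_128_cbc", "sftp": "Blowfish"}
    for finding in assess_vendor(sample):
        print(finding)
```

The same AES‐128 answer that fails the third‐party check passes when assessed with `context="internal"`, which is exactly the divergence the paragraph describes.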
Cybercrime and Cybersecurity
The breaches and security incidents described in this book are primarily caused by cybercriminals and other bad actors. Breaches occur when an unauthorized individual gains access to a network and exposes sensitive data. Cybercrime is when such individuals use computers or the internet to perform criminal activities. The following outlines several types of cybercrime:
Email and internet fraud: A fraudster sends an email enticing the recipient with a promised financial gain, such as a scheme in which the recipient will receive $10,000 or more if they first send a portion of that amount to "release" it.
Identity fraud: This cybercrime occurs when a cyber bad actor uses stolen identity data to commit a crime (e.g., when they apply for a credit card using a stolen identity).
Financial and payment card data theft: Just as it sounds, this cybercrime is the stealing of credit/debit card numbers or unauthorized direct access to bank accounts.
Theft and sale of protected corporate data: While the focus is often on PII, there are other types of sensitive data at nearly every company that can be stolen and sold by bad actors, including internal price lists, computer/network information, financial data, and intellectual property.
Ransomware: This cybercrime involves encrypting (i.e., making it unavailable to read) the target's data—ranging from a single desktop to whole server farms—and demanding money to unlock the encryption.
Cryptojacking: This cybercrime is stealing your computer's processing power to "mine" for cryptocurrency; it does not target data.
Cyberespionage: Whether done by a state actor (i.e., country), cybercriminals, or a competitor, this cybercrime involves spying on a firm using electronic means (i.e., computer).
The types of bad actors and their motivations can vary just as widely. While the vast majority are out for financial reward, a few other drivers exist:
Cybercriminal: The modern‐day equivalent of bank robbers, cybercriminals are electronic thieves. Most often, they deploy ransomware, phishing attacks, spear phishing, fake documentation, or denial‐of‐service attacks. The Home Depot attack in 2014 was the work of cybercriminals to steal payment card information.
Nation‐state: Many nations have dedicated, highly skilled hackers who are paid to hack and perform espionage. Some countries behave more like cybercriminals, using their resources to become electronic bank robbers. Nation‐state groups are known as Advanced Persistent Threats (APTs) because these organizations have nearly unlimited resources and time to focus on their target. Examples include the Sony attack by North Korean hackers in 2014, and Stuxnet (in 2009), whose origin hasn't been confirmed but is widely thought to be a collaboration between Israeli and U.S. intelligence services to damage and delay the Iranian nuclear plans. Stuxnet is largely considered the first occurrence of cyberwarfare.
Disgruntled employee: The insider threat is often underappreciated by businesses. We like to trust our employees and colleagues; however, some will steal company data or property. For example, in 2018, a Tesla employee sabotaged the computer systems and sent proprietary data to outside parties.
Professional hacking group: Usually this group consists of a loose confederation of highly skilled hackers who pool their resources to target for a political purpose, financial gain, or on behalf of cybercriminals. This group can also be referred to as an APT due to their resources and commitment. In 2020, the Philippine Long Distance Telephone (PLDT) company had its customer service Twitter account hacked by the Anonymous Philippines group. The group changed the profile name to "PLDT Doesn't Care." The first tweet by the hackers was aggressive: "As the pandemic arises, Filipinos need fast internet to communicate with their loved ones. Do your job. The corrupt fear us, the honest support us, the heroic join us. We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."
Hacktivist: Driven by political or social causes, this bad actor typically steals embarrassing information to cause reputational damage. WikiLeaks' 2012 leaking of declassified information from the U.S. State Department and other countries is an example of hacktivism.
Botnet masters: These malware creators build botnets, which are automated collections of internet‐connected devices that an attacker has compromised. The creator leverages these bots to steal data or compromise systems. The botnet Mirai is a prime example. In 2016, the creators of this botnet software launched an attack on a security service company, and at its peak the botnet had infected over 6 million devices.
Script kiddies: These generally unsophisticated hackers use off‐the‐shelf tools to gain access mostly for bragging rights, but sometimes for financial gain. In 2015, a 15‐year‐old was arrested for hacking into the U.K. telecom carrier TalkTalk Group PLC. While the attack was not sophisticated, it exploited a simple SQL injection flaw to gain access to a database.
Types of Cyberattacks
A cyberattack is defined as a malicious and deliberate attempt by someone to breach the systems of another. Various types of cyberattacks exist, including the following:
Phishing: Nearly 100 percent of email users have received phishing emails. Posing as legitimate emails, these fake emails are used to encourage the recipient to click a link, download a file, or even call a number so that the attacker can steal credentials or data, plant malware, or contact them with another malicious intent. One of the most concerning successful phishing examples is also a third‐party one: In January of 2019, there was a report of how Russian state threat actors had gained access to the U.S. power grid. They didn't accomplish this by attacking the hardened sites of the power infrastructure operators, but by attacking their suppliers. A phishing campaign targeted the vendors for the power grid operators, taking advantage of the trust relationship they had with the intended target.
Phishing types can include the following:
Spear phishing: This type is targeted at a specific individual and isn't a typical mass email campaign sent to thousands of targets. Often, these specific targets are researched on LinkedIn and other company websites before being phished. There are only so many ways an email address is created (e.g., grasner@ or greg.rasner@ or Gregory.rasner@ and so on). If an attacker can focus on one (or a few) targets who likely have privileged access (i.e., IT admin, HR system admin, etc.), then they only have to try a few dozen options before they likely get it right.
Whale phishing: Where do you go to get the best data? To the top! Whale phishing is when attackers target the big fish, such as C‐level executives or very senior IT/security staff. This phishing type takes a little more finesse than the first two types, as many firms are also likely to focus their countermeasures on this team of privileged access users. However, the extra effort can have a larger reward, as the attacker gets a level of elevated access that takes a lot longer to attain (and is more likely to be discovered) in a typical security breach.
Vishing: Rather than email, this type is performed over the telephone and involves social engineering to convince the target that it is a legitimate call. The goal is to obtain enough information from the call for the attackers to get the target's credentials directly, or to gain enough information to make guessing them a lot easier.
Botnets: This cyberattack type is when a network of private computers is infected with malicious software and controlled as a group