From targeted attacks to ransomware, security firm Symantec Malaysia predicts another challenging year in cyber security.
THE New Year is only three days away, but the Sony Pictures hacking fiasco does not seem like it is going to abate before the countdown.
Not that it is any surprise for the security firms which have been busy looking into their crystal balls since April, when some servers and websites were cracked open by the Heartbleed bug, causing a massive leak of sensitive data.
As software security firm Symantec Malaysia warns, the prominent data leaks of 2014 would keep cyber security in the spotlight in the new year.
“In 2015, attackers will continue to look for new vulnerabilities so that they can ‘hack the planet’,” says Nigel Tan, Symantec Malaysia’s director of systems engineering.
With the growth of e-commerce and Internet banking in the region, there is fear that cyber criminals will target Asia next year.
But, says Tan, the interconnected nature of a global Internet and cloud infrastructure means everyone, everywhere, is vulnerable.
“Cyber criminals don’t discriminate when it comes to vulnerabilities. They go across the board but as they are opportunists, they will go where it is easy and has the biggest reward.”
The increased use of mobile devices in the region, including Malaysia (which has a 140% mobile penetration), will make them even more attractive targets for cyber attackers.
And as mobile carriers and retail stores transition to mobile payments, a wealth of personal and confidential information is expected to be stored in the mobile devices.
Another weak link in the protection of mobile devices is users’ willingness to sacrifice privacy in exchange for apps.
“While many Internet users are reluctant to share banking and personal identifiable information online, they are willing to share information about their location, access to photos, contact lists and fitness information for free mobile apps.”
Of course, there are those who are genuinely unaware of the dangers. Norton Research has shown that while some Millennials think they know what they are allowing access to, the reality is they have very little idea of what they are agreeing to when it comes to trading information for apps.
Being careful with our passwords remains important in preventing our personal online assets and identities from being compromised, even as cyber security moves beyond passwords.
“You don’t want to be the weak link,” Tan cautions, as more advanced persistent threats (APT) are expected next year as cyber criminals up their game with more advanced technology and “tricks”.
Scammers will continue to run profitable ransomware scams – in 2013, ransomware attacks grew by 500% and continued to turn vicious as 2014 rolled on.
Ransomware attacks, or holding encrypted files for ransom, are not entirely new, but getting the ransom paid was previously problematic for the crooks.
With the expansion of electronic payment systems such as Bitcoin, WebMoney, Ukash and Green Dot (MoneyPak), however, ransomware makers have found convenient and anonymous avenues for the payment of their reward.
And as the Sony hacking suggested, hacktivism, including by state-sponsored hackers, is expected to rise next year, leading to a higher number of distributed denial-of-service (DDoS) attacks.
Another cyber trend Symantec sees exploding in 2015 is the use of the Cloud to host sensitive and personal data.
“But as this move occurs, businesses will need to take a closer look at data governance and ensure their data is cleaned before it is hosted in the cloud.
Corporations need to do their diligence when they use a cloud to store their corporate information like intellectual property, human resources data and others,” says Tan.
In Malaysia, the cloud adoption is ramping up but the security still seems to be an afterthought, he adds.
“Many companies still do not have their privacy policies in place – to say what can be stored and what cannot be stored, and how to use the application. For example, if you want to use the file-sharing application that syncs all your devices, you would need to dictate what can and cannot be up there – maybe intellectual property or personal data of your staff with sensitive information cannot be put up there.”
The individual users need to be aware of what sort of risks you will face when you use the cloud.
“Always assume that whatever data you put on the cloud may one day become public, even if your settings say ‘private’. Don’t upload anything that you really don’t want anyone else to see,” Tan stresses, advising users to always research the terms and conditions before signing up for and using a cloud service, and to make sure the provider has privacy policies in place before using it.
In Malaysia, the Personal Data Protection Act has made a difference, he says:
Going forward, however, it is important that the Government consider including mandatory data breach notification requirements in the Act.
“Organisations need to inform the public when there is a data breach like the Sony hacking, because it will empower them to take steps to protect themselves like changing their passwords and blocking their credit cards and making updates to secure their personal data,” he stresses.
“Without the mandatory notification, there is nothing to compel the company to disclose a breach, leaving users vulnerable.”
Tan believes that in the world of cyber security, both sides – criminals and cyber security industry – have made advances:
“While a lot of the vulnerabilities are made known widely, the organisations take longer to respond and rectify the problem, giving cyber criminals a chance to exploit this weakness.
“Heartbleed and Shellshock (another software bug attack in September this year that caused major data breaches) had organisations scrambling to secure their websites.”
For the new year, it is imperative that organisations look at the latest forms of security because cyber security is constantly a cat and mouse game, he stresses.
“Organisations need to be correct all the time to defend and protect data. Cyber criminals need to be right only once. You need to up your game all the time and be lucky all the time. Cyber criminals need to be lucky only once.”
Machine learning will be a game changer in the fight against cybercrime: A new generation of business platforms is emerging from the convergence of machine learning and big data – it will enable us to analyse the logs to identify the indicators of compromise including where it is compromised.
“This will help us stay ‘proactive’ against threats instead of reacting to them and machine learning will help security vendors stay one step ahead of cybercriminals,” says Tan.
Are we prepared for the cybersecurity challenge of 2015 then?
“Will I say that we are 100% prepared? Of course not, a lot of organisations in the security industry and the authorities need to constantly educate the public on the dangers and threats, then only will the message sink in. It’s a constant journey.
“But there has been some good collaboration between the different agencies and corporate/government collaboration to raise public awareness,” Tan notes.
Responsibility lies on both sides, he adds, “It takes two to ensure security and keep away threats.”