BarnOwl Info Sharing Insight: Cyber Security Trends for 2023 - What to Expect, What to Defend Against with Michael Davies & Tim Gilman

BarnOwl Info Sharing session: Cyber security trends for 2023 – What to expect, what to defend against

BarnOwl Info Sharing session: 23 February 2023

Presented by: Michael Davies, CEO of Pax Resilience | Tim Gilman, CEO of Cyber Armed Security

Introduction

Thank you very much Michael and Tim for your most informative presentation on ‘cyber security trends in 2023’ at the BarnOwl info-sharing event held on 23 February 2023. Thank you too, to all those who attended the session.

Cyber Security has never been and never will be static. It is an ongoing cat-and-mouse game that changes daily. Tim Gilman, ethical hacker of 20 years and CEO of Cyber Armed Security and Michael Davies, CEO of Pax Resilience, discussed the emerging trends in the industry. Their presence at the forefront of technological capabilities that hackers and cyber criminals use, in addition to their knowledge of new types of attacks, will steer the discussion towards what we may start seeing more commonly in the public domain, or as we call it ‘in the wild’.

This information sharing session provides some real-world perspective on how attackers think, how they work, and what new types of trends we can expect. It also provides insight as to how you can proactively and pre-emptively guard against these attacks to avoid becoming the low-hanging fruit at most risk. The session includes a discussion on biometric security and intelligence, passwords, surveillance implants, physical payload delivery (social engineering), and physical access controls.

The cost of cyber-crime

According to an IBM study in 2021 the average data breach costs a South African company 46 million Rand and takes 8 months to detect and contain.

Almost nine in ten organisations in South Africa have suffered a ransomware attack, with a third of the data unable to be recovered. (IT-Online April 2022). So it goes back to the old adage of, it’s not if you’re going to be breached or attacked, it’s when.

It was estimated that cyber-crime came at a cost of about 6 trillion U.S. dollars globally in 2021. That’s bigger than the GDP of most countries. Unfortunately cyber-crime pays and that’s why you have very sophisticated teams of people involved in cyber crime.

There has also been a definite hardening of the insurance market towards cyber-crime so organisations are required to put more time and effort into their cyber security to keep their insurance premiums reasonable.

Types of cyber-attack

Ransomware is the great villain of all data breach / cyber attack, since it grabs the headlines and gets the media going, however there are many areas of data breach that we should be protecting against such as:

Ransomware
Phishing
Business email compromise
Vulnerability in third party software
Stolen or compromised credentials
Malicious insider
Brute force attack
Distributed denial of service (DDoS)

Data is a significant organisational asset

Cyber-crime reminds us that for all organisations and even as an individual, data is a significant organisational asset and that it requires protection.

It is not only intellectual property that we are trying to protect. It is also know-how within the organisation, whether it be standard operating procedures within the organisation or whether it’s just what people do within that organisation and how that organisation processes things, which has a value to the organisation.

As organisations, we deal with other parties, with other individuals, with other companies and as such we will have non-disclosure agreements and contracts put in place including service level agreements. Within all these agreements there will be personal and company information and it may well be information pertaining to customers, to your employees, to suppliers. With more and more regulation, it’s becoming increasingly important to safeguard this information. As we have seen from quite a few publicly revealed breaches over the years, breaches lead not only to financial loss, but also to reputational damage.

In summary, we need to remember the value of data to our organisation and put robust measures in place to protect it.

Standards:

There are a number of standards to assist you with your cyber resilience. Have a look at which ones are relevant to you including those that may be specific to your industry and remember that they are there to assist you:

ISO 27001 – Information security, cybersecurity and privacy protection
ISO 27032 – Information technology, cybersecurity and privacy protection
ISO 21434 –Automotive Cyber Security
National Institute of Standards and Technology (NIST)
System and Organisation control (SOC) 2

Compliance:

Another very good reason for putting all the cyber security processes and systems in place using the standards is for compliance purposes such as:

General Data Protection Regulation (GDPR)
Protection of Private Information Act (POPIA) 2013
National Cyber Security Policy Framework 2015
Non-Disclosure Agreements
Contracts

10 cyber security trends for 2023:

The following are some key cyber-security trends worth considering:

Securing both remote and hybrid workers
Adapting security for increased cloud dependency
Visibility, control, protection and remediation in response to supply chain attacks, IoT attacks and ransomware
Preventing ransomware attacks
Increased popularity of SaaS security solutions
Spotlight on chief information security officers’ liability
Building cyber resilience
Governments prioritizing critical infrastructure
Government and industry collaboration across countries and industries
Realization that people are and will remain the main causes of attacks

A few points worth noting:

Many organisations like to keep it on the quiet as to a breach and like to remedy the breach without advertising it. However, there is more and more legislation forcing companies to lodge these breaches. This is a driving factor for not only more control and protection within the organisation but also for industry wide collaboration to grow cyber security from an industry perspective.

In terms of supply chain attacks and the Internet of Things attacks, we know that there is more integration than before so we need to ensure that we are aware of where those integration points are and apply diligence to ensuring that there is security in place for this.

Cyber resilience is about building layers of protection. Have you got the right protection for your internal systems? Do you have the right awareness going on for employees? Do you have the right monitoring systems for the Internet and the darknet? The correct firewalls in place? It’s about having the appropriate people, processes and systems in place to ensure that you have enough layers to your cyber security.

Organisations should look at establishing key cyber security controls, which may include;

Multifactor authentication for remote access
Endpoint detection and response
Secured, encrypted and tested backups
Privileged Access Management
Email filtering and web security
Patch management and vulnerability management
Cyber incident response and management, planning & testing
Cyber security awareness and phishing testing
Remote desktop protocols
Logging and monitoring / network protection
End-of-life systems replaced or protected
Vendor / supply chain management

Governments understand that they need to prioritise protection of critical infrastructure and for this also need to collaborate with industry.

We also need to realise that the human factor is often the weakest link and the main cause of breaches.

The weakest link – the human factor:

We can put all the systems and processes in place but if we don’t ensure that the human factor is well catered for, then we’ve created our weakest link.

Some of the things to watch out for include:

Phishing
Smishing
Vishing
Social Engineering

What can we do about this?

Training
Awareness
Simulations
Key Cyber Security controls

Who is responsible for cyber resilience?

In terms of cyber resilience people always look to the IT department. There is an expectation that it is the IT manager’s or CIO’s or CISO’s responsibility. Cyber resilience is actually everyone’s responsibility. The board should lead by example, with the risk and audit committee providing governance and oversight of what’s going on. The executive team should lead the charge in terms of cyber resilience by not only talking about it, but by what they do about it. Organisations tend to follow their leaders. If they take a very mature cyber resilience stance, it tends to filter down through to management and employees.

Practical discussion with Tim

Particularly over the last five years, things are changing fast and that can help us to determine what we can expect in the future.

We hear on the news; data leaks there, leaks everywhere. Another million records, another billion records. We don’t really realise the connection between that and us, how it impacts us because a lot of the time we don’t really see it. This is something we need to be more connected and aware of because the hackers see it; they see all our details and can use our details. Valuable countermeasures include such controls as two factor authentication and complex passwords.

Phishing has always been a thing and it’s become more complex now. Attackers are often piggybacking off bigger brands or trusted entities, to make you think it’s fine, but it’s not. Typical targeted phishing doesn’t work easily anymore, so it’s become more tailored and more personable. Successful phishing attacks occur largely at the moment where attackers research an organisation and pretend to be a newly appointed high level executive or a high-ranking person and then send a personable spoofing e-mail to get someone to open a malicious link / attachment. It’s very easy to find telephone numbers, emails of the people within the organisation, especially on the darknet.

Penetration testing once a year is not good enough. For example in our once off penetration tests on an internal Windows network, we’ve achieved Active Directory domain admin rights which is a top level compromise every single time. Organisations are moving towards continuous attack surface management and attack surface intelligence. External endpoints need to be monitored manually and automatically to make sure that alarms are raised proactively and that they are protected. This doesn’t replace a penetration test however, because penetration tests are more intricate whereby you are intentionally trying to breach systems as opposed to observing.

Another thing that’s on the rise is ransomware gangs. We can expect this to increase, but also the world is now starting to realise how they operate and what they’re doing. In addition to huge sums of money being demanded by the ransomware gangs, an organisation has to report a breach to the Data Protection office of your jurisdiction who then straight away investigate you and may fine you if you have been negligent. This can and does destroy businesses. A tool called Cobalt Strike is a highly controlled, powerful professional tool; however, there are cracked versions on the black market, which malicious hackers are using. When they get a foothold, they basically, can control an entire network. I personally find it frustrating that organisations are vulnerable to this tool because this is the tool that hackers, ransomware gangs are using most of the time. Organisations need to make sure that they’re especially not vulnerable to Cobalt Strike type attacks.

Another trend is the increased utilisation of artificial intelligence (AI) by hackers. For example, a novice hacker could the computer to write code to create payloads such as FUDS (Fully Undetectable payloads). In addition, we see polymorphic payloads that anti-virus can’t detect and firewalls can’t stop.

Bug implants are on the rise. Key logger ‘man in the middle’ / keyboard interception device are freely available for purchase on the Internet. For example, you can purchase a malicious iphone charger for $119 with a hidden server inside the cable, which can release a malicious payload into a computer / network. In addition, it has a Wifi range of 5kms. Don’t plug in unknown devices. Organisations should consider cyber sweeping their office environment and physical checks as well. ISO27001 has increased their criteria for physical security monitoring.

In conclusion

Cyber resilience is a continual journey. The bad actors out there who orchestrate cyber-attacks and their modus operandi will continually change. Continual vigilance of what’s happening out there is required and it takes everyone to do their part to avoid breaches. It’s not just about the IT department. Be aware that we as the human factor are the weakest link.

Presentation and video links

Please see attached presentation here, and the info sharing recording here.

Contact us

Cheryl Keller | BarnOwl: cheryl@barnowl.co.za

Michael Davies | Pax Resilience: www.paxreslience.io

Timothy Gilman | Cyber Armed Security: www.cyberarmedsecurity.com

Thank you

Once again, thank you Michael and Tim for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at: https://api.barnowl.co.za/events/

Kind regards

Jonathan Crisp

Director – BarnOwl GRC and Audit software

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 150 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see https://api.barnowl.co.za for more information.

About our guest speakers

boif1

BarnOwl Info Sharing Insight: Cyber Security Trends for 2023 – What to Expect, What to Defend Against with Michael Davies & Tim Gilman