Australian CISOs should be on high alert as ransomware continues to pose a grave security risk to organisations, but they shouldn’t overlook the threats from supply chain issues, where one breach can have a multiplier effect spurring attacks on many organisations.
The dual threats stand out in what’s been an exceptional year in cybersecurity, and not in a good way, with a year-on-year jump in ransomware attacks greater than the past five years combined, according to the latest Verizon Data Breach Investigations Report.
The last year was also notable because of well-publicised critical infrastructure attacks and massive supply chain breaches driven by financially motivated criminals and nation-state actors, the report, now in its 15th year, revealed.
Supply chain joins ransomware as persistent threats for CISOs in Australia
With a collective 13% increase in ransomware, this is something for CISOs, in Australia as elsewhere, to take note of. “Cybercrime doesn't have any boundaries and local security chiefs need to keep an eye on global attack trends”, says Anshuman Sharma, Verizon senior manager and head of investigative response for APJ.
With ransomware on the rise, organisations need to be aware of the four key access points into an organisation — credentials, phishing, vulnerability exploitation and bots, Sharma tells CSO Australia. “Now, if we can help and block these most common routes, to a large degree, we'll be able to evade ransomware to a greater degree,” he says.
Globally, some 40% of the ransomware incidents involve desktop sharing software, which includes Teams, Zoom, Slack and many others. With just over 35% of these breaches involving email to deliver the ransomware, this is a significant attack vector. “Basically, if someone can reach their system from anywhere on the internet, so does an adversary,” Sharma says.
One positive finding is that organisations appear to be improving how they contain ransomware, noted Verizon security solutions consultant Aaron Sharp, who spent a decade at its Australian security operations centre. “If it [a ransomware attack] happens, it’s only impacting a smaller part of the IT inventory, rather than running rampant,” Sharp tells CSO Australia.
Across the board, organisations are also facing the challenge of dealing with risks from their supply chain, with the report finding 39% of data breaches occur through partner organisations, such as service providers and other third parties. However, securing this is easier said than done, says Jo Stewart-Rattray, president of ISACA Sydney Chapter, who notes that this is a significant number and one that CISOs need to be aware of, with protections in place.
“Responsibilities of partner organisations must be enshrined in service level agreements and/or contracts which include what the partner is and will do to protect the client organisation’s data and the security measures in place including incident response and escalation on the partner side,” says Stewart-Rattray.
An incident response approach designed for the operating context and environment, tested and updated on a regular basis, along with employee checks, will ensure the organisation can react and respond to attacks without delay, says Stewart-Rattray.
For CyberEX CISO and president Asaf Ahmad, COVID-19 laid bare supply chain dependencies — including to cyber criminals. “They're aware of this and with increases in online activity and digitalisation, threats from partners are becoming bigger and more sophisticated,” he says.
Organisations and their partners must have alignment in the security posture at people, process and technology levels. “The use of threat intelligence and preventive technologies must be used to mitigate the cyber threats,” Ahmad says.
The makeup of security threats in Asia-Pacific
While ransomware and third-party risks are ever-present threats for all organisations, in the Asia-Pacific region the report analysed 4,114 incidents, with 283 confirmed data disclosures, and found the majority of incidents were external and involved social engineering and basic web application attacks, as well as more complex scenarios like system intrusion. “System intrusion is a bit more of a sophisticated one and requires three to five steps to get into the organisation’s network,” Verizon’s Sharma says.
Regionally, using stolen credentials is four times more likely to be a method of access than exploiting a vulnerability, the data analysis showed. Verizon’s Sharp explained that while some of the attack patterns may vary from region to region, the basics remain the same. “If you've got good strong authentication, privileged access management, patching, vulnerability management and so on, you're going a long way to prevent those likely attack vectors. And always benchmark where you are and follow the data,” he said.
In mitigating these risks, organisations can’t overlook basic cyber hygiene, explained Stewart-Rattray: ongoing education and awareness to ensure staff are aware of their rights, roles and responsibilities in relation to security and to the data they handle, create, store and transmit. “Security should be a two-way street, protecting the individual as well as the organisation,” she says.
“Continual vulnerability scanning, audit and remediation should be at the top of the CISO’s technology list, together with having the best platforms that an organisation can reasonably afford to ensure that the appropriate monitoring and alerting processes are in place so that security teams are able to investigate anomalous network traffic and behaviour in a timely fashion,” she says.
People are still the weakest link
Social engineering attacks continue to be persistent threats for the APAC region, as they are for other regions. When it comes to the threat landscape in Australia, people are the weakest link: whether it’s stolen credentials, phishing, misuse or error, 82% of breaches involved a human element. This line of attack “is going to stick around for as long as it keeps working for attackers,” says Sharp.
“People are also our last line of defence,” said Ahmad. Recommending a continuous program of training, “CISOs must design and execute rightly tailored cyber awareness training, considering the exposure to cyber threats and knowledge of IT and cyber security,” he says.
Stewart-Rattray said that education is important, but in doing so CISOs need to ensure that security controls are expressed in non-technical terms, without jargon, and demonstrate how this can help individuals in their personal lives too.
Security training and defences must also take a cross-organisational approach because there are real convergences between cyber security, traditional information security, physical security, risk and assurance and privacy.
“If you think of this as a Venn diagram, there is a part in the middle where all of these converge so it makes sense to take a collaborative approach to training and development rather than separate and potentially overlapping awareness raising which will get a big ho-hum from staff. Use of some friendly phishing campaign tools that have an education and feedback component can be really useful too. There really does need to be a ‘What’s in it for me?’, so look at how you can tailor that to your organisation and its staff, processes and practices,” she says.
For Australian CISOs, fundamentals of strong security remain the same
When it comes to what data has been compromised in breaches across APAC, in large part it’s credentials (72%), followed by internal information (26%), organisational secrets (18%), and other non-categorised information, the report found.
To help mitigate risks, Sharma says CISOs should understand which particular incidents there have been in their industry. “They also need to be aware of what kind of tools, techniques and procedures were used by threat actors in those recent attacks, again pertaining to their industry verticals. Do you have an independent risk profile to help you understand where your exposure lies? And one of the most important is how has the cybersecurity spend changed for your organization? How does it compare to your industry peers? Is it on par, has it increased or decreased?” he says.
For Ahmad, CISOs must understand governance and management aspects of IT and how it aligns with the business. “CISOs must know how risks are analysed, assessed and how management decisions are made to address the risks. And they must know how best practices are implemented and used and how regulatory compliance is addressed,” he says.
Stewart-Rattray says continuous vulnerability scanning, auditing and remediation is vital, together with appropriately scoped regular external assessment, which will give an independent view of the threat and vulnerability landscape. Also on her list are a robust raft of policies, commitment to security from the top of the organisation, education, training and awareness, and appropriate tools and platforms.
“And the right resources: physical, human, and financial are the most obvious. However, this is an ever-changing environment and the need for new approaches may only be a heartbeat away,” she says.