



A look back at cybercrime in 2018

Dec 07, 2018 | 5 mins
Cyberattacks, Cybercrime, Data and Information Security

Prepare now to mitigate the most cyber risk in 2019!


Last year IBM predicted that:

  • Internet of things would make the news.
  • Orchestration & Automation would be a top priority.
  • Business would rush to prepare for GDPR.

These were very accurately predicted as areas of great impact!

Symantec’s 2018 cybersecurity attacks report stated that IOT experienced a 600% increase in attacks in 2017 over the 2016 period. It also recorded an astonishing 8500% increase in malware coin miner detections. Coin miners not only slow down devices but can overheat batteries and sometimes render a device useless. These are browser-based attacks, so there is no need to download the malware to a victim’s PC.

The number of targeted attack groups Symantec tracks has risen to 140. The opportunities have risen so more cyber criminals are at work today.

Symantec reported that 71% of all targeted attacks started with spear phishing to infect victims. This is not a new tactic. The cybercriminal strategy appears to be not only to target the weakest links but to always change it up a bit and always go where the users are going. Bitcoin and IOT are great examples.

Implanted malware grew by 200%, impacting the software supply chain.  Another tactic used before is hijacking software updates as a solid way to gain trusted access. You wouldn’t expect anyone to be using an outdated OS like XP, would you?  The research showed that only 20% of Android smartphone systems were using the newest version.  This makes these systems very vulnerable to attacks.

Cellphone #s – the new SSN?

It was also noted that grayware apps in the mobile marketplace were not only problematic but also leaked the user’s phone number. Speaking of leaking phone numbers and mobile devices: Protect your cellphone number! Don’t post it anywhere, as it’s becoming the new SSN. You are doing most of your browsing and even shopping and banking on that device.

I know many people who are receiving many unsolicited calls a day on their mobile phone. They reported that they tried the carrier’s call protection software, which is mostly ineffective. In the US, the FTC and FCC enforce a law called the Telephone Sales Rule, part of the Telephone Consumer Protection Act of 1991. This law addresses the following but apparently can’t be enforced against a global onslaught of cybercriminals:

  • Who can be called, no calls to cell phones – US national do-not-call registry
  • Rules governing calls, 8am to 9pm
  • Call abandonment
  • Unauthorized billing
  • Recordkeeping
  • Robo call rules 2012
  • Does not preempt state law

If you are experiencing issues with lots of unsolicited calls to your cellphone, report it to the FCC online and do what the FCC recommends: contact your carrier and demand a technological solution, one that they don’t charge you for.

Symantec reportedly blocked an average of 24,000 malicious applications last year. That’s applications, not malware!

While ransomware variants have increased 46%, ransomware has also become a commodity, with a price drop to $522 in 2017. It’s being surpassed by coin mining while cryptocurrency values are up. In the end, Symantec reported that with each passing year digital threats continue to come from new and unexpected sources. The attack volume keeps increasing, but so does the diversity of methods and tactics.

What can you do to mitigate your risk?

Know what your critical data is – ePHI, PCI DSS, confidential finance data – and know where it’s located: data at rest and data in transit in and out of the org. Visit NIST for standards to apply across the enterprise.

Adopt the 20 CIS Security Controls:

Basic CIS controls:

  1. Inventory and control of hardware assets
  2. Inventory and control of software assets
  3. Continuous vulnerability management
  4. Controlled use of administrative privileges
  5. Secure configuration for hardware and software on mobile devices, laptops, workstations and servers.
  6. Maintenance, monitoring and analysis of audit logs

Foundational CIS controls:

  1. Email & web browser protections
  2. Malware defenses
  3. Limitation & control of network ports, protocols and services.
  4. Data recovery capabilities
  5. Secure configuration for network devices, such as firewalls, routers and switches.
  6. Boundary defense
  7. Data protection
  8. Controlled access based on need to know.
  9. Wireless access control
  10. Account monitoring and control

Organizational CIS controls:

  1. Implement a security awareness and training program
  2. Application software security
  3. Incident response and management
  4. Penetration tests & Red team exercises.

Complete details on all 20 CIS controls can be found here. 

To sum things up… Knowing where we have been is important, but were we up to speed on these trends at the beginning of 2018? How prepared was your organization? Did you have the people, processes and technology in place?

One thing’s for certain: cybercriminals are always upping their game. To survive on the internet in any business, you need a solid cyber risk management strategy, and this includes threat intelligence.

So, what’s ahead in 2019? Early predictions look like more of the same, plus. Ian Kilpatrick, executive vice president of cybersecurity at Nuvias Group, listed the top 10 trends that will impact cybersecurity in 2019:

  1. Increase in crime, espionage and sabotage by rogue nation-states
  2. GDPR – the pain still to come
  3. Cloud insecurity
  4. Single factor passwords – the dark ages
  5. Malware – protect or fail
  6. Shift in attack vectors will drive cyber hygiene growth
  7. IOT – the challenge will only increase
  8. Increasing risks with shadow IT systems and bad housekeeping
  9. DDoS – usually unseen, but still a nightmare
  10. Cybersecurity in the boardroom

A senior security and compliance specialist, George Grachis has over 25 years’ experience in the tech sector. Some of his experience includes over a decade supporting the Space Shuttle program for Computer Sciences Corporation & Grumman Aerospace, security management for CFE Federal Credit Union, IT auditing & consulting for Deloitte and serving as Chief Security Officer for Satcom Direct.

George holds both the CISSP and CISA certifications. George received the ISSA Fellow designation in 2016 and is currently an active senior board member of ISSA. George has been interviewed by WFTV ABC TV and Fortune Magazine. When not working he enjoys spending time with family & friends, Big Brothers Big Sisters, playing the drums, motorcycling, fitness, and writing articles for his blog, Virtual CISO.

The opinions expressed in this blog are those of George Grachis and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.