The largest attack at the start of the year was Wannacry. Historically, this was one of the most devastating ransomware attacks to date, affecting several hundred thousand achines and crippling banks, law enforcement agencies, and other critical infrastructure. The ransomware exploited a vulnerability in Microsoft’s Server Message Block (SMB) protocol.
This was followed by NotPetya which started as a fake Ukranian tax software update, and went on to infect hundreds of thousands of computers in more than 100 countries over the course of just a few days. This ransomware used the same exploit behind WannaCry. It caused major financial damage such as costing pharmaceutical giant Merck more than $300 million in Q3 alone, and is on track to hit that amount again in Q4.
Then in late October, a ransomware campaign hit Eastern European transport systems and media outlets with a further variant of the Petya ransomware called Bad Rabbit.This was installed by using a fake Flash installer. The impact hit Bulgaria, Estonia, Germany, Hungary, Japan, Slovakia, Ukraine, and Russia, and was then used to deliver the fake Flash installer to visitors from Japan, Turkey, and Russia, among others.
So as we look back on the year we can see significant evolution in Ransomware attacks and we are seeing evidence of self-propagating Malware. The ability to defend gets ever harder with such a rapid pace of attack evolution and ease of distribution.
If the above were not enough of a challenge, we are witnessing a frightening acceleration in the democratization of threat. What I mean by this is the ability for anyone, even with basic skills to start an attack. A year ago, it was almost impossible for anyone without strong programming skills to launch a denial of service (DDoS) attack. Today the tools are available on the open internet that would allow even a child to launch an effective DDoS attack.
We are witnessing the birth of a megatrend where literally anyone can be attacked and where individuals can easily be the attacker and where the growth of (and popularity of ) anonymous payment systems enables the masking of true identities. Spare a thought for the law enforcement agencies that need to try to make sense of this, defend and bring to justice those perpetrating the crimes.
To add icing to the cake we as society are Complacent in our actions. Companies, Schools and Families are rarely openly discussing threats such as cybercrime. Education in the subject in the workplace or home, is virtually non- existent. Without such awareness programmes and with the human always the weakest link, how are we meant to reach even a very basic standard of defence?. It is not just pure financial crime that we need to be concerned with, in our last edition we explored the startling rise of sexual harassment in the workplace. In this edition, Charlotte Aynsley opens our eyes to the world of sexting which is affecting children even below the age of 10.
In the UK, there has been the birth this year of an initiative by the London Digital Security Centre to raise grass roots awareness of basic protection capabilities among the small and medium enterprise sector of firms in London. This initiative whilst a huge challenge to execute on given the over 1 million small businesses in London, collaborates closely with the National CyberSecurity Centre (NCSC). We have an article which sets out the progress and some of the partners helping the initiative succeed. It is also worth noting that the idea, whilst still in its infancy, has been highlighted as sufficiently good to take national.
I have had the pleasure this year to attend two excellent cybersecurity conferences in Europe organized by CyberSecurity Trends, the parent of this publication, supported and endorsed by the United Nations. The first conference took place in Sibiu, Transylvania, Romania in September, now in its fifth year. The second conference took place in Porrentruy, on the Swiss / French border in December, its inaugural event. Both conferences are annual and a third conference is being added in Noto, Sicily in May 2018.
In addition to being excellent events with pan-European experts, the conferences are a true mix of Public and Private worlds converging together for two days to work out how to collaborate better. It is only through awareness and knowledge sharing can we be better prepared to defend and react faster.
Whilst the conferences have a part Regional theme the dialogue and discussion and networking is truly European. It has been fascinating to mix with and discuss issues with Government bodies, Military and Intelligence Agencies, United Nations think tanks and private companies both large and small. You can find details of future events in these publications and it is highly worth attending as collaboration is key to insight, knowledge and therefore effective preparation and defence.
The day prior to the main two day event is set aside for a local child awareness conference where Police Forces and Child Safety experts get together. The Sibiu event in September has over 1,079 children participating. This is a good example of encouraging the next generation to be more aware and to learn from leading thinkers in the space.
As we look to 2018, the General Data Protection Regulation (GDPR) is on most minds. In part, this regulation upgrade was designed to encourage collaboration within organisations to protect individual data and privacy, but it seems highly likely that this is not the case. Almost everyone I speak with acknowledges that the problem has been thrown down into the organization usually to the Security or Technical Operations teams.
These teams are already often over-stretched due to the increased attack activity seen in the year. Layering on more (sole) responsibility to lead with GDPR compliance makes the role even harder. When we add to this the increased pace of staff turnover seen this year, due to the growing demand for technical support skills, we get a mess to manage. It is more than likely that a continual environment of crisis could be the theme for 2018 and this will bring side challenges related to individual stress that Companies will need to be aware of.
With the above almost certain to happen, 2018 will also likely bring a rash of companies promoting their artificial intelligence and machine learning products. Whilst such tools and platforms can certainly help a business, it only increases the need for a strong culture and greater investment in training individuals.
If we are to address complacency then it is Board and the Executives that need to set the tone of the culture to discuss and address these issues. Without an effective culture, collaboration even within the business will fail and breaches will remain common place.
The goal of this publication remains to open up knowledge and information sharing across research and commercial activities, so providing a bridge between public and private dialogues, in an aim to help our world operate more safely giving the growing frequency of attacks that seem to endlessly get media attention.
If you would like to contribute articles or have suggestions for us to cover in future editions of the magazine, or even wish to purchase hard copy versions of the magazine to give to your customers, please do contact us via email at firstname.lastname@example.org.
On our website http://www.cybersecuritytrends.uk you can also view publications in other languages / countries and purchase advertorials for future editions.
The next edition to be published at the end of March will have a special focus on Artificial Intelligence in CyberSecurity, which probably represents the hottest future growth trend in the industry and on the agenda of CTO’s and CISO’s.