Kevin Curran

Kevin Curran is a Professor of Cyber Security, Executive Co-Director of the Legal Innovation Centre and group leader of the Ambient Intelligence & Virtual Worlds Research Group at Ulster University. He is a regular technology contributor to TV, radio, trade and consumer IT magazines.

Someone recently remarked to me that you should presume that anything you put in the cloud will eventually be leaked. It may seem extreme, but the recent run of major data breaches lends the remark some credence.

Just a few months ago, Marriott International disclosed that the records of around 500 million guests had been exposed in a breach of its Starwood division's guest reservation database. It also transpired that the attackers had had access since 2014. This was not the largest data breach by any means, although 500 million is no small number: Yahoo, for instance, initially reported one billion accounts affected and later revised that figure to three billion. The Marriott breach was a sensitive one, however, because the data could be used by criminals for identity theft and for targeted phishing, where they convince individuals to give up something important, like a password or access to banking sites.

The more convincing a phishing email is, the more likely someone is to reply to it. Large providers are not immune either: last year Google shut down Google+ after a bug exposed profile data. The fields exposed were Google+ profile fields, including name, email address, occupation, gender and age. Google did state that the profiles which were mistakenly made viewable “did not include any other data posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.” It does show, however, that data can be exposed at any company, whether through a software defect or through a skilled attacker.

Cybercrime Pays

Part of the reason we are seeing so many data breaches is timing. We sit between an era in which companies faced almost no penalty for poor storage and protection of data (apart from reputational damage) and a future in which organisations will be fined enormous sums for allowing data to leak.

People are also in a state of ignorance (sometimes deliberate) about safe computing practices. Cyber theft is becoming one of the fastest growing crimes in the world, and the shortage of cybersecurity talent within the industry does not help. A recent independent study by Bromium investigated the interconnected dynamics of cybercrime and found that new criminal platforms and a booming cybercrime economy have produced $1.5 trillion in illicit profits, which are being spent and reinvested by cybercriminals. It confirmed that there is a thriving cybercrime economy which has become a self-sustaining system.

Cyber criminals, state sponsored or not, are even beginning to devote funds to research and development. Criminals are increasingly moving online because that is where the money is. Network breaches are increasingly caused by email spam and phishing: simple but effective. Spam has increased 350% in a year. Ransomware shows equally worrying trends; Malwarebytes reported ransomware growth of 17% in 2015 rising to 259% in 2016. Breaches such as the one at the hotel chain will only make this problem worse, since the stolen personal data makes the next round of phishing more convincing. Interestingly, attackers are targeting enterprises rather than individual users, as they can extort much more when hundreds of computers are infected at once.

Machine Learning

The zero-day market is also flourishing at present, and enterprises are a lucrative sector to exploit. Machine learning and other interdisciplinary capabilities are increasingly being applied to the challenge of securing enterprises. Machine learning draws on statistics, artificial intelligence and pattern recognition to discover previously unknown, valid patterns and relationships in large data sets, which is useful both for finding attacks and for preserving privacy. No system can be made perfectly secure against a determined attacker, however.

We can, and should, mitigate risk. Penetration testing is the common way to probe systems, but many unintentional yet significant security problems cannot be found through pen testing alone, so source code auditing should sit alongside it in technical testing. Manual code review is particularly effective for discovering issues such as access control flaws, Easter eggs, time bombs, cryptographic weaknesses, backdoors, Trojans, logic bombs and other malicious code, because these typically trigger only under a specific condition that a black-box test will not reproduce.

Machine learning is also used in scenarios such as detecting irregular financial transactions and in customer profiling. Misuse detection matches incoming data against profiled anomalous patterns; anomaly detection profiles normal behaviour and searches for outliers; and hybrid systems combine the two to improve the detection rate while reducing the false-alarm rate. Scan detection can spot the precursors of an attack, allowing earlier deterrence, and network profiling assists in the active protection of systems through extraction, aggregation and visualisation tools. Businesses also need to ensure they comply with GDPR.
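The three detection styles described above (misuse rules, a statistical profile of normal behaviour, and a hybrid that only escalates when both agree) can be shown on a small transaction feed. The following is an added example written for this page, not code from the article or from any product; the transactions, the allow-listed countries, the night-hours rule and the z-score cut-off are all constructed assumptions.

```python
"""Hybrid fraud screening: misuse rules plus a per-customer anomaly profile.

Added example, not code from the original article. The transactions, the
allow-listed countries and the rule thresholds are all constructed for
illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    amount: float
    country: str
    hour: int  # local hour of day, 0-23


# Constructed history of legitimate transactions used to profile "normal".
HISTORY = [
    Txn("alice", 42.0, "GB", 12), Txn("alice", 38.5, "GB", 13),
    Txn("alice", 51.0, "GB", 18), Txn("alice", 45.0, "GB", 9),
    Txn("alice", 40.0, "GB", 17), Txn("alice", 47.5, "GB", 11),
    Txn("bob", 900.0, "US", 10), Txn("bob", 1200.0, "US", 11),
    Txn("bob", 1100.0, "US", 15), Txn("bob", 950.0, "US", 14),
    Txn("bob", 1050.0, "US", 12), Txn("bob", 1000.0, "US", 16),
]

ALLOWED_COUNTRIES = {"GB", "US", "IE"}  # assumed allow-list
Z_THRESHOLD = 3.0                        # assumed outlier cut-off


def misuse_rules(t: Txn) -> list[str]:
    """Misuse detection: match the transaction against known-bad patterns."""
    hits = []
    if t.country not in ALLOWED_COUNTRIES:
        hits.append("unusual_country")
    if 1 <= t.hour <= 4:
        hits.append("night_hours")
    if 0 < t.amount < 1.5:
        hits.append("card_test_micro_charge")  # stolen cards are probed with tiny charges
    return hits


def build_profiles(history):
    """Anomaly detection, step 1: per-customer mean and std-dev of amount."""
    amounts = defaultdict(list)
    for t in history:
        amounts[t.customer].append(t.amount)
    profiles = {}
    for customer, xs in amounts.items():
        sd = pstdev(xs)
        profiles[customer] = (mean(xs), sd if sd > 0 else 1.0)  # avoid divide by zero
    return profiles


def anomaly_score(t: Txn, profiles) -> float:
    """Anomaly detection, step 2: z-score of the amount against the profile.

    A customer with no history cannot be profiled, so the score is 0 and the
    decision falls back to the misuse rules alone.
    """
    if t.customer not in profiles:
        return 0.0
    mu, sd = profiles[t.customer]
    return (t.amount - mu) / sd


def classify(t: Txn, profiles) -> str:
    """Hybrid decision: agreement between the two detectors raises severity.

    An outlier alone, or a rule hit alone, is queued for review; both together
    are blocked. Requiring corroboration before blocking is what keeps the
    false-alarm rate down.
    """
    hits = misuse_rules(t)
    anomalous = abs(anomaly_score(t, profiles)) > Z_THRESHOLD
    if anomalous and hits:
        return "block"
    if anomalous or hits:
        return "review"
    return "allow"


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for t in [Txn("alice", 44.0, "GB", 12), Txn("alice", 2500.0, "GB", 12),
              Txn("alice", 2500.0, "RU", 3), Txn("carol", 1.0, "GB", 2)]:
        print(t, "->", classify(t, profiles), misuse_rules(t))
```

On the constructed data Alice's usual spend is around £44, so a £2,500 purchase is a statistical outlier and goes to review, while the same amount from an unlisted country at 3 a.m. is blocked. Carol has no history, so only the rules can speak for her, which is the usual cold-start weakness of pure anomaly detection.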

Conclusion

So, in this era of data breaches, there are certain best practices that should be adhered to. It is a good habit to review bank accounts, auction accounts and mobile phone accounts from time to time for signs of fraud or charges you did not make. Make this a regular habit. Yes, banks and credit card companies are quite good at spotting fraud, but ultimately it is up to individuals to spot fraud on their own accounts.

Software and apps should always be running the latest version, since updates generally patch known vulnerabilities. Running the most recent versions of a mobile operating system, security software, apps and web browsers is among the best defences against malware and other threats.

Different passwords are a must on every site that holds important data. Attackers often take a login and password stolen from one site and try the same pair on other sites; this is known as credential stuffing. Passwords should be long, strong and unique. It is best practice to install a reputable password manager, which will generate complex passwords and store them in an encrypted vault. You then only need to remember one master password, and the password manager will log you in to different sites with secure passwords.
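Seen from the site's side, credential stuffing has a recognisable shape: one source address fails against many different usernames, each tried once, and the occasional success is a reused password being cashed in. The following is an added example for this page, not code from the article; the log format, the sample lines, the five-minute window and the five-user threshold are constructed assumptions.

```python
"""Spotting credential stuffing in an authentication log.

Added example, not code from the original article. The log format and the
sample lines are constructed; the window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 sprays leaked username/password pairs (each
# account tried once, one of them succeeds), 198.51.100.7 hammers a single
# account (brute force, not stuffing), and 192.0.2.9 is a real user who
# mistypes once.
SAMPLE_LOG = """\
2019-03-04T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-03-04T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2019-03-04T10:00:02Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2019-03-04T10:00:04Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T10:00:05Z src=203.0.113.5 user=dave result=FAIL
2019-03-04T10:00:06Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T10:00:07Z src=203.0.113.5 user=erin result=FAIL
2019-03-04T10:00:08Z src=198.51.100.7 user=alice result=FAIL
2019-03-04T10:00:09Z src=203.0.113.5 user=frank result=OK
2019-03-04T10:00:10Z src=203.0.113.5 user=grace result=FAIL
2019-03-04T10:01:00Z src=192.0.2.9 user=heidi result=FAIL
2019-03-04T10:01:05Z src=192.0.2.9 user=heidi result=OK
"""


def parse(line):
    """Parse one log line into (timestamp, ip, user, result); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None  # skip junk rather than crash the detector on it
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            m["ip"], m["user"], m["result"])


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that fail against >= min_users distinct accounts in one window.

    Returns {ip: (peak distinct usernames failed inside a window,
                  set of usernames that logged in successfully from that ip)}.
    The successes matter most: they are the accounts whose reused password
    has just been cashed in and need an immediate reset.
    """
    events = sorted(e for e in map(parse, lines) if e)
    recent = defaultdict(deque)    # ip -> (ts, user) failures still inside the window
    peak = defaultdict(int)
    successes = defaultdict(set)
    for ts, ip, user, result in events:
        if result == "OK":
            successes[ip].add(user)
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        peak[ip] = max(peak[ip], len({u for _, u in q}))
    return {ip: (n, successes[ip]) for ip, n in peak.items() if n >= min_users}


if __name__ == "__main__":
    for ip, (n, taken) in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct accounts failed; successful logins: {sorted(taken)}")
```

The single-account attacker (198.51.100.7) is deliberately not caught here: counting distinct usernames rather than raw failures is what separates stuffing from ordinary brute force, and the two need different responses (a per-source block versus a per-account lockout).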

It is well worth registering with haveibeenpwned.com. This site collects the email addresses exposed in publicly known website breaches. You can submit your email address to see whether your details have appeared in a past breach, and you can register it to be notified if it turns up in a future one. If you do find your details listed, log in to the affected site and change your password, and change it anywhere else you used the same password. Watch out also for phishing emails impersonating the site that was just breached.

It is very important to enable two-step authentication wherever a site offers it. Most major players such as Apple, Twitter, Microsoft and Google allow you to associate a mobile phone or authenticator app with your account. Two-factor authentication does not allow a login from a new device without access to that second factor, which makes it much harder for an attacker to hijack your account, since they do not have your phone and so cannot change the account details. Where the choice exists, an authenticator app or hardware security key is preferable to SMS codes, which can be intercepted through SIM swapping. It really is a crucial step for accounts these days. Yes, like many things in security, it can be a hindrance, but the protection offered is excellent.

It is also good to close any old, defunct online accounts or services; they simply create more points of exposure. Often that means going through the steps to recover an old password you might not remember, but it is worth it. The smaller your footprint online, the better in general.

Finally, be cautious of any unsolicited communication that asks for your data or refers you to a page asking for personal data, and avoid clicking on links or downloading attachments from suspicious emails. Phishing emails remain one of the most common attack vectors.