Cybersecurity Threats Challenges Opportunities
November 2016
“It is only when they go wrong that machines remind you how powerful they are.”
Clive James
Contents
Foreword
Executive summary
A brave new world
  Cyber speak!
  What is cybersecurity?
  And the weakest link is…
  A world without cybersecurity
Threats in the information age
  The nature of threats
The Internet of Things (IoT)
  Botnet armies
  When security is an afterthought
Autonomous systems
  Driverless cars and transport
  ATMs and Point of Sale
  What about wearables?
Cyberwarfare
  Automated attacks
  Energetic Bear
  Cyberattacks on infrastructure
  When software kills
Data manipulation
  Backdoors and espionage
  Cloud concerns
  Blast from the past
  Virtualised threats
Industry and the individual
  Ransomware and Cryptoware
  Multi-vector attacks
  Identity theft
  The world we live in
The future in our hands
  The 100% secure computer
Opportunities
  The data-driven economy
  Technology as wealth creation
  Cybersecurity as job growth
  Leveraging technology talent
Challenges
  Leadership
  Learning from history
  Collaboration
  Education and awareness
  You are what you do
  Legal and regulatory
  Services and privacy
  Perception and practicality
Looking to the road ahead
  State of the nation
  What role can you play?
  Government
  Education and research
  Business and industry
  You, the individual
The five pillars of cybersecurity readiness
  Online resources
Through the looking glass
  Fast facts
  Glossary
  References
Foreword
You’ve seen documents like this pass your desk before, but we hope this one is a little different. You can gloss over it, seeking the diamonds in the rough, but take the time to delve into the information presented here and you will walk away with a different appreciation of the laptop on your desk, the car that you drive, and the phone that you carry. Not to mention the planes you fly, the banks that hold your money, the hospitals that keep you alive and the very infrastructure that makes our cities run. In short: the basis of our modern lives.
It can be hard to not overuse a word that’s become popular thanks to public awareness, but ‘cyber’ is now firmly entrenched in our language and our mindset, by virtue of the fact that our society today depends so much on technology.
So we’re going to talk about cyber with respect to security, as the two are intimately intertwined. In this guide we aim to break down what is sometimes a large and complex issue into an easy to read and digestible summary that should – if we’ve done our job well – give you the tools to both talk confidently about the issues, as well as equip you with the core information required to make decisions around cybersecurity.
Because, despite the technical nomenclature, the issue of cybersecurity is as vital to our way of life as technology itself. In fact, they can’t be separated: our economic health, our national security, and indeed the fabric of our society is now defined by the technology we depend on every day.
What’s left unsaid here, however, is the assumption that this technology will continue to work as we intend – but this is only true if we can protect it from being hacked, manipulated, and controlled.
Logically, then, protecting that upon which we depend should be front of mind for government, business and industry, academia and every individual with a smartphone in their pocket.
Which is to say, all of us.
If you are part of government, this primer serves as a guide to the greater sphere of cybersecurity and how it relates to our national security, our national interest, and our economic prosperity.
If you are an executive, board member, business leader, or IT professional this is an opportunity to verse yourself in the language and the ecosystem, the threats and the opportunities, and to better communicate the issues and responsibilities around cybersecurity within your organisation.
And if you are simply an individual interested in understanding more about the nature of our digitally-driven world, this guide will provide the basics and a clear overview of how cybersecurity relates to you.
At the ACS we welcome every opportunity to educate and assist. If you have any questions, or would like more information, please feel free to contact me at: anthony.wong@acs.org.au.
Enjoy this guide. We hope it will make a difference to you.
Anthony Wong President, ACS
SECURING AUSTRALIA’S FUTURE
At ACS we are passionate about the ICT profession being recognised as a driver of productivity, innovation and business – able to deliver real, tangible outcomes.
This year ACS celebrates 50 years of advancing ICT in Australia. Our founders and pioneers worked on the first innovative computers in government, academia and industry, and our members now work at the coalface of technology development across every industry.
In 2011, ACS brought together its own Cyber Taskforce from our 23,000 members to respond to the Federal Government’s new cyber discussion paper, ‘Connecting with Confidence’, where we highlighted the need to develop co-ordination and a focus on the pipeline of cyber professionals.
To play our part in securing Australia’s future, we continue to perform the role of trusted advisor to government, and deliver services to identify and certify ICT professionals you can trust, including through the Professional Standards Scheme that assures professionals have the specialist skills business can rely upon.
ACS is part of the global federation of professional ICT societies, the International Federation for Information Processing (IFIP), and the first professional body to receive accreditation under the International Professional Practice Partnership (IP3) – providing a platform for accreditation for ICT professionals and mutual recognition across international boundaries. The ACS currently chairs IP3 and plays a leading role in the professionalism of the ICT workforce.
IP3 has since gained global attention after successful engagements at the World Summit on the Information Society (WSIS) Forum in Geneva and the United Nations in New York, where the importance of ICT professionalism was acknowledged by the UN General Assembly President in 2015.
In May 2016 the President of IFIP participated in the European Foresight Cyber Security Meeting where he advocated that professionalism of the ICT workforce is “a key element in building trustworthy and reliable systems” and that it is important to ensure that “cyber security and cyber resilience is also a duty of care of the individual ICT professional”.
As we move forward another 50 years, ACS will be there at the forefront meeting the challenges and opportunities of ICT, and supporting the growth and potential of ICT professionals in Australia.
Executive summary
As technology continues to evolve so also do the opportunities and challenges it provides. We are at a crossroads as we move from a society already entwined with the internet to the coming age of automation, Big Data, and the Internet of Things (IoT).
But as a society that runs largely on technology, we are also as a result dependent on it. And just as technology brings ever greater benefits, it also brings ever greater threats: by the very nature of the opportunities it presents it becomes a focal point for cybercrime, industrial espionage, and cyberattacks. Therefore, protecting it is of paramount priority.
This guide looks at some of the concerns facing us in the near future that include:
• Attack vectors such as botnets, autonomous cars and ransomware.
• Threats including data manipulation, identity theft, and cyberwarfare.
• Tangential issues such as data sovereignty, digital trails, and leveraging technology talent.
Additionally, it provides some background to the nature of digital ecosystems and the fundamentals of cybersecurity.
Critically, this document clarifies the importance for Australia to take responsibility for its own cybersecurity, especially with regards to essential infrastructure and governance.
On the flip side – and as one of the fastest growth industries globally – developing our own cybersecurity industry is also an opportunity for economic growth, job creation, and education – ensuring Australia is well positioned for a future as a digitally advanced nation.
Finally, we look at some of the challenges that countries worldwide are currently dealing with in regards to cybersecurity, including:
• The need for more collaboration in order to mitigate threats.
• Education and awareness; and
• The balance between privacy and security.
Our aim is that this document provides an informative primer on the relevant issues facing Australia in relation to cybersecurity, to generate discussion and debate, and to raise awareness with regards to a fundamental building block of the technologically-dependent society which we have already become.
As you will read in the following pages, cybersecurity is not optional. It must form part of the design of every product, of every database, of every electronic communication. And – through education, awareness, and proactive change – we can all play a part in securing our future.
A brave new world
You’re reading this document written with, laid out by, and printed using computers. From start to finish it existed as 0s and 1s – the binary blood of our modern world.
In fact, our lives today are codified by data: almost everything we do, and everything we depend on, involves data and the technology that uses it – there are scant few areas not touched by this revolution we call the information age.
And so it follows that in order to keep our way of life – and to continue to prosper through technology – we must ensure that it always operates and works for us as intended.
And for the most part it does, until it’s hacked. In the hands of less than favourable individuals, organisations, and governments, technology and the data it depends on can be turned against us.
When you read yet another report of a multimillion-dollar bank theft, yet another million usernames and passwords leaked on the web, or yet another scam milking millions from vulnerable people – what you are reading about is the lack of cybersecurity: a failure to protect systems, processes, or data and thereby enabling exploitation. Sometimes the end result is just an embarrassment for a company or individual; at other times it can cause significant financial or operational harm. At its worst, loss of life can be a result.
Cybersecurity, then, is not optional. As our world transitions more products and services online, and we in turn depend on them, protecting this technological infrastructure has become a fundamental building block for information systems globally. It must underpin every technology, every gadget, every application, and anywhere data is stored.
To help understand the risks, this document will explore the threats Australia faces in this digital age: to our economy, our sovereignty, and ultimately, our way of life.
It will also cover the opportunities as a burgeoning industry – one that is projected to be worth $US639 billion¹ globally in the next seven years alone – and the possibility for Australia to establish itself as a leader, pioneering new technologies and exporting cybersecurity products to the rest of the world.
We are more than just the lucky country. We are early adopters. We are tenacious innovators. We are a nation with the skills and talent to lead the world in cybersecurity – and with the right mix of leadership and commitment from government, industry, and academia, we can make it happen.
What part will you play?
CYBER SPEAK!
Every industry has its own lexicon, and the cyber world is no different. While built on technological foundations that we all know – computers, the internet, smartphones, and similar – as you delve deeper into the subject you start to encounter acronyms and technical concepts that you may not be familiar with.
And, if we’re all to communicate on the subject of cybersecurity – across all sectors of government, business, industry, and academia – then it can help to familiarise yourself with the nomenclature associated with this diverse and compelling subject.
To this end we’ve included a Glossary on page 57. Feel free to flick back and forth as you read to ensure you get the most out of this document, spending more time expanding your knowledge and less time scratching your head!
What is cybersecurity?
As with any technological advance throughout history, whenever new opportunities are created, there will always be those that exploit them for their own gain.
Despite the threat of viruses and malware almost since the dawn of computing, awareness of the security and sanctity of data with computer systems didn’t gain traction until the explosive growth of the internet, whereby the exposure of so many machines on the web provided a veritable playground for hackers to test their skills – bringing down websites, stealing data, or committing fraud. It’s something we now call cybercrime.
Since then, and with internet penetration globally at an estimated 3.4 billion users (approximately 46% of the world’s population²), the opportunities for cybercrime have ballooned exponentially.
The increasing prevalence and severity of malicious cyber-enabled activities… constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States. I hereby declare a national emergency to deal with this threat.
Barack Obama, President of the United States, 2015³
[Figure: Threat vectors by industry. The vectors by which industries are compromised. Source: Verizon 2015 Data Breach Investigations Report. Vectors shown: point of sale 28.5%; crimeware 18.8%; cyber espionage 18%; miscellaneous 14.7%; privilege misuse 10.6%; web applications 9.4%. Industries shown: finance, information, mining, healthcare, administrative, retail, entertainment, hospitality, public sector, educational, professional, manufacturing.]
Combating this is a multi-disciplinary affair that spans hardware and software through to policy and people – all of it aimed at both preventing cybercrime occurring in the first place, or minimising its impact when it does. This is the practice of cybersecurity.
There is no silver bullet, however; cybersecurity is a constantly evolving, constantly active process just like the threats it aims to prevent.
What happens when security fails? While what frequently makes the news are breaches of user accounts and the publication of names and passwords – the type that the Ashley Madison hack publicly exemplified – it’s often financial gain, or the theft of critical business or government intelligence, that drives the cyber underworld.
One fact remains clear: it’s only going to increase. As we integrate technology further into our lives, the opportunities for abuse grow. So too, then, must the defences we employ to stop them through the education and practice of cybersecurity.
[Infographic: Easy hacks, easy breaches. Source: Verizon 2016 Data Breach Investigations Report. Last to know: more than 90% of breaches are discovered by external parties. What’s the password? 63% of breaches are caused by weak, default, or stolen passwords.]
[Figure: Top 10 espionage targeted industries. The most targeted industries in 2015. Source: Verizon 2015 Data Breach Investigations Report. Industries shown: manufacturing, public, professional, information, utilities, transportation, educational, real estate, financial services, healthcare.]
AND THE WEAKEST LINK IS…
Humans are inherently complex and multi-faceted creatures with our own agendas, influences, faults, beliefs, and priorities.
Sometimes we’re also simply just too trusting.
Even the most hardened system can be breached through social engineering – the ‘hacking’ of people. No amount of secure network topologies and firewalls or security software can withstand a user innocently clicking on an email link, or being convinced to give up login details over the phone by someone pretending to be from the IT department.
In fact a recent study by researchers at the Friedrich-Alexander University of Erlangen-Nuremberg, Germany, revealed that just over 50% of people click on links in emails from strangers, even when they were aware of the risks.⁴
And so, as a result, cybersecurity isn’t just about technological defences: it’s also about people. From the home user through to industry and government, everyone needs a basic understanding of cyberthreats and how to recognise them – something which comes under the umbrella of digital literacy.
A world without cybersecurity
[Infographic: Simple mistakes, costly losses. Source: Verizon 2016 Data Breach Investigations Report. Panel titles: Show me the money; Employee mistakes. In 93% of cases hackers took just minutes to breach, while companies took weeks or months to discover. 95% of web attacks are financially motivated. Lost assets are 100x more prevalent than theft. Nearly 30% open phishing emails; 12% do click the link or open attached files.]
One of the most damaging targets for a society embroiled in cyberwarfare is infrastructure.
Our reliance on automation creates single points of failure, and attacks directed at power stations, communication networks, transport and other utilities can have dramatic consequences. To draw on the emerging technology of driverless cars, which is gaining popularity now, the following example shows what might happen if we continue to create products and services without cybersecurity in mind:
Thirty years from now our society runs on automated cars, buses and trains. Planes still require human authority – for now – and drones line the sky. On the one hand, this advance in technology has brought much greater efficiency: traffic jams eliminated, pollution lowered, cheaper cost of transport and more. It’s a golden age.
Then a cyberattack compromises the central network. The systems that co-ordinate all transport shut down, bringing the city of Sydney – now 7 million people – to an abrupt halt.
No cars, no buses, no trains.
Workers can’t get to and from work, and productivity stops. Life-saving medicine doesn’t arrive and people die. Essential services begin to fail, and chaos ensues. The economic and social fallout is immense: a city held hostage by an external force – be it terrorist, criminal, or foreign power. Australia invaded without the invader ever stepping on our shores.
It’s a stark example, but it demonstrates the Achilles heel of the inter-connected society that we are heading for right now, and the reason cybersecurity must be part of all technology from the outset.
Consider this: the internet has enabled entirely new business models that have already shaped our planet. But the Googles and Facebooks and Amazons of this world are not the most profitable organisations that conduct business over the internet today – that crown belongs to cybercrime. It speaks volumes that the most lucrative business on the internet today is fraud.⁹
Q2 2015 saw one of the highest packet rate attacks recorded... which peaked at 214 million packets per second (Mpps). That volume is capable of taking out Tier 1 routers, such as those used by Internet service providers (ISPs).
Akamai, State of the Internet Q2 2015 Report¹⁰
TOP 10 SOURCE COUNTRIES FOR DDOS ATTACKS, Q2 2015 Top sources of mitigated DDoS attacks on Akamai’s network. Source: Akamai State of the Internet Report, Q2 2015
CHINA 37.01%
US 17.88%
UK 10.21%
INDIA 7.43%
SPAIN 6.03%
KOREA 4.53%
RUSSIAN FEDERATION 4.45%
GERMANY 4.29%
AUSTRALIA 4.18%
TAIWAN 4.0%
Every minute, we are seeing about half a million attack attempts that are happening in cyberspace.
Derek Manky, Fortinet Global Security Strategist⁵
Threats in the information age
To understand just how technology becomes vulnerable to cybercrime, it helps to first understand the nature of threats and how they exploit technological systems.
You might first ask why technology is vulnerable at all, and the answer is simple: trust. From its inception, the protocols that drive the internet, by and large, were not designed for a future that involved exploitation – there was little expectation at its birth that we might need to one day mitigate against attacks such as a distributed denial of service (DDoS), or that a webcam you buy off the shelf might need security protocols to prevent it being hacked and used to spy on you.
There is much greater awareness today, but even so you can still buy devices that connect to the internet that have poor security measures or no security at all built-in, because up until recently this simply wasn’t part of the design scope. In many cases, the idea that a device might be used for nefarious purposes isn’t even considered.
And the result is that today cybercrime almost exclusively leverages the lack of security-focused design in everything from your smartphone and web browser through to your credit card and even the electronic systems in your car.
The nature of threats
Cybercrime comes in a variety of forms ranging from denial of service attacks on websites through to theft, blackmail, extortion, manipulation, and destruction. The tools are many and varied, and can include malware, ransomware, spyware, social engineering, and even alterations to physical devices (for example, ATM skimmers).
It’s no surprise then that the sheer scope of possible attacks is vast, a problem compounded by what’s known as the attack surface: the size of the vulnerability presented by hardware and software. That is, if a hacking exploit works on Apple iPhones for example, and everyone in your organisation has one, then by definition the attack surface could range in the dozens to the thousands depending on the size of your company. Or, looking at it another way, if anyone with an iPhone is vulnerable, the attack surface worldwide totals in the hundreds of millions.
This is further compounded by the fact that hardware and software may provide multiple vectors for attacks, such that – and using the above example again – an iPhone might have multiple different vulnerabilities, each of them a possibility for exploitation. In some cases, multiple exploits can be used in tandem to hack a device, as the FBI recently demonstrated when it gained access to the San Bernardino shooter’s iPhone (yes, the good guys can hack you, too…)
And this is to say nothing of embedded systems of the type that power our infrastructure including transport, electricity, and communications. Here, attacks are often more targeted – even down to specific systems in a particular plant – but the repercussions are also considerably more dangerous. Shutting down an electrical grid, for example, can have life-threatening consequences.
What you also don’t see – because it’s hidden in the millions of fibre-optic networks and routers that form the internet – is that attacks are happening constantly all around the world, even as you read this. Your modem at home that gives you access to the internet is constantly fending off queries to see if your IP address has any open ports (the virtual addresses that allow software to communicate to and from your computers and network).
According to network security and services company Fortinet, 500,000 attacks occur against its networks every minute⁵. And that’s just one service provider.
The bottom line is this: almost anything controllable by technology will have a weak spot. In the past year we’ve seen everything from cars (“Hackers remotely kill jeep on highway”⁶) to medical devices (“Hackers can send fatal dose to drug pumps”⁷) to toys (“Hackers hijack Hello Barbie Wi-Fi to spy on children”⁸) succumb to anyone with a little knowledge, time, and opportunity.
To appreciate the scope of the challenge that lies ahead – the new types of threats that we are starting to see emerge now – and thus the importance of cybersecurity for the government, industry, and the individual, the following section delves into our predictions of where cybercrime is heading, and the type of attacks we can expect to see.
There were 19 distributed denial-of-service (DDoS) attacks that exceeded 100 Gbps during the first three months of the year, almost four times more than in the previous quarter. In some cases attackers don’t even have to deliver on their threats. Researchers from CloudFlare reported that an extortion group earned $100,000 without ever launching a single DDoS attack.
Lucian Constantin, Network World, 2016²⁸
For $6 in Bitcoin, I can rent time on a DDoS tool and bring down most websites. Better yet, if I send just the right type of packet to their web servers, I can crash the site for free.
A Thief’s Perspective (interview), Intel Security, 2015¹⁸
The Internet of Things (IoT)
Perhaps the most recognised buzzword of the moment, the Internet of Things (IoT) encompasses the many and varied devices currently on the market, or soon to be on the market, that will connect to and stay connected to the internet 24/7. Typically this includes products like webcams, smart TVs, and even the much touted internet-connected fridges. But IoT actually encompasses a broad range of products most of which you won’t actually see – electronics, sensors, actuators and software soon to be built into everything from your car to your home: technology to unlock your door and turn on the lights when you arrive home; technology to allow cars to talk to other cars and traffic lights to prevent accidents; technology to let entire cities regulate air-quality, manage energy distribution, and regulate water supply all in real-time from thousands of buildings, each with thousands of sensors, all communicating through a city-wide network.
Sound like fantasy? There is already a development in the UK by River Clyde Homes and the Hypercat Consortium to build a Smart Neighbourhood in Scotland by installing hundreds of IoT devices to monitor everything from temperature and local weather through to carbon monoxide levels, potential gas leaks, lift maintenance, smoke detection and communal lighting to name a few. All of these talk to each other to provide an overall real-time knowledge base for the operating of neighbourhood services, and to minimise health and safety risks.
But this is just the beginning. IoT has the potential to encompass a lot more – heart monitoring implants, pathogen monitoring for food, transponders for animals on farms, environmental waste monitoring, field devices for police to detect threats, feedback sensors for firefighters in search and rescue and much, much more.
Perhaps the best way to imagine IoT – to borrow a phrase from a research paper at the Social Science Research Network – is to think of it as an “inextricable mixture of hardware, software, data and service”¹¹. Which of course is to say that the potential is close to limitless.
According to the CEO of Cisco, Chuck Robbins, the IoT industry is expected to be worth $US19 trillion globally by 2020¹². Closer to home, Frost & Sullivan is tipping the Australian market for IoT – just in terms of home devices, such as in security or energy management – to be worth $200M by 2020.¹³
Taken together, this means that in the near future just about everything you use, and everywhere you go, devices will be hooked up to each other communicating, sharing data, and enabling a future that once was the realm of science-fiction. The potential boon for society is immense, but so too are the risks.
[Infographic: IoT – a future of connected devices. As barriers to entry drop we will see an uptake of IoT, creating a future where attack vectors are everywhere. Source: IoT Alliance Australia. 99% of things in the world are still not connected; 1 trillion connected things by 2035; panels on the cost of sensors, the cost of bandwidth and the cost of processing over the past 10 years (20x, 40x, 60x).]