Following the report of a partnership between the Malaysia-headquartered International Multilateral Partnership Against Cyber Threats (IMPACT), which is the cybersecurity executing arm of the United Nations' specialised agency, the International Telecommunication Union (ITU), and information management specialist Nuix, Computerworld Malaysia asked IMPACT's chief operating officer Anuj Singh for a take on the top threats in the Asia Pacific region across all industries this year.
What are the top cyber security threats in order of priority faced by organisations in the Asia Pacific region?
Technically, these are top threats we see plaguing the APAC region this year:
Botnet Operators - Botnets are still the backbone of any cyber-criminal operation. A huge network of compromised systems can be used by an intruder to create denial of service attacks.
Distributed Denial of Service (DDoS) Attacks - Multiple compromised systems attack a single target system or service to make it unavailable or force the service to shut down, thereby denying service to its legitimate users.
Code Injection - Code injection attacks are on a sharp rise. They are combined with other threats to successfully infect victims. Hackers are in the position to launch large vulnerability scans in a short time.
Exploit Kits - Used software tools offering a large variety of functions, configuration options and automated means to launch attacks on exploits/vulnerabilities.
Malicious Code: Worms/Trojans - Malicious software and Trojans have been reported highly due to the use of available toolkits allowing for the generation of user defined malware through variations of existing codes.
Growth of Malware - Botnets are ranging from DDoS attacks to sending spam or illegally mining Bitcoins at the expense of the victim. It's not just the PCs that need protection. Malware in Android mobile operating systems is on the rise.
Spam and Phishing - Phishing attacks have expanded in the scope of their targets from not only banks, credit unions and other financial institutions, to a variety of other organizations.
At ITU-IMPACT, we believe threats to cybersecurity should be scrutinised from a wider perspective and not just the technical area. Lack of coordination between a country's relevant cybersecurity agencies as well as cooperation among governments, industry, academia, and international organisations, in sharing threat information and leveraging on expertise poses threats to global cybersecurity.
Since achieving cybersecurity is a collaborative effort of multi-stakeholders, public-private partnership is seen as a vital tool to address threats in cyberspace.
Within the legal measures, it is important for countries to start adopting laws to deal with cyber criminals since right now the globally accepted legislation guideline for cybercrime is still not in place for prosecution and paralysis of cyber criminal activities.
Protection of critical national information infrastructure (CNII) remains vulnerable if governments and operators fail to coordinate as well as harmonise the security policies and protocols according to international standards. To this effect, standards development bodies play an important role in addressing security vulnerabilities in protocols.
Another threat in establishing cybersecurity is the lack of organisational structures. Watch and warning systems and incident response such as national Computer Incident Response Team (CIRT) are crucial in responding to cyber attacks. In addition, governments have to address factors contributing heavily in effective incident management including funding, human resources, training, technological capability, government and private sector relationships, as well as legal requirements. Organisational structures at a regional level should facilitate communication, information exchange and recognise digital credentials across different jurisdictions.
Capacity building is also an area worthy of attention in the pursuit of cybersecurity. Programmes aimed at levelling the playing-field by raising basic awareness on vulnerabilities and threats in cyberspace and building users' capacity at all levels have to be in place in order to develop a sustainable and proactive culture of cybersecurity. Users of ICTs have to understand the important role they play in a cybersecurity environment, whether they are in government, industry, academia, or the home.
All these factors or areas need to be addressed in order to secure the cyberspace in a comprehensive manner.
Is the APAC region facing the same cyber security threats as other regions such as the U.S. and UK?
In general, countries face the same kind of threats across the globe. In the 2014 Data Breach Report, Verizon identifies nine recurring attack patterns for the past 10 years, some of which are more common than others in specific industries: errors (such as sending an email to the wrong person); crimeware; insider/privilege misuse; physical theft/loss; web application attacks; denial-of-service attacks; cyber-espionage; point-of-sale intrusions; and payment card skimmers. Don't forget the global BYOD phenomenon which is posing a unique and complex challenge to CISOs/CIOs in terms of dealing with company policy.
However, regions do experience certain types of attacks based on differences in specific technology trends or advancement. Generally in Asia, attacks on Microsoft Software Developer Support (MS-DS) represent 85 percent of incidents as a result of the abundance of counterfeit Microsoft products in the region, as findings from Alert Logic's Spring 2014 Cloud Security Report suggest.
Meanwhile, the advancement in mobile purchasing methods in Japan sees mobile device users there often facing malicious apps acquired through, for instance, a mobile email account. Users are asked to download and install an app by clicking the link in the email which they open on their mobile devices. Once installed, criminals have access to victims' contacts and spam out invitation messages to others in victims' address book. Similar attacks done through SMS were carried out on mobile phone users in South Korea.
Another type of attack also emerged this year in South Korea where legitimate app developers had their apps compromised by hackers and replaced with a variant of Android.Fakeguard.37. A notification of a routine update was then sent to users and once downloaded the malicious code allows hackers to access the user's mobile device.
Are many companies / organisations generally aware of these threats?
Many companies were not aware of the possible financial and physical damages to their organisations as a result of cyber attacks. This is evident from the survey done by PricewaterhouseCoopers in 2013 where the majority of the large and small organisations surveyed were not aware of their data security having been breached by outsiders.
SMEs, on the other hand, have a false sense of security, feeling that because of their small operation size, they are unattractive prey to the cyber criminals. Perhaps the figures are changing, thanks to widely media reported incidents like the NSA leak and credit card breaches of Target, Marcus Nieman, and at least three other big retailers in the United States.
Even so, often companies fail to realise prevention is always better than trying to find a cure. Vulnerabilities such as the recent Heartbleed for instance had been in the open source software for two years before it was discovered and publicised, while all along organizations worldwide including government agencies have been using this free software to retain business and clients' sensitive information.
The World Economic Forum Global Risk Report's finding on cyber threats being one of the top five global risks should serve as a wake-up call to organisations big or small and regardless of business nature to realign their priorities in securing their assets. Costs of addressing cybersecurity from every possible angle should not be a primary consideration to the board of directors since the organisation's financial stability and reputation is at stake. CISOs/CIOs should be the ones identifying which critical information assets need protection.
More importantly to internalise, security is more than just an IT problem - every stakeholder of an organization is responsible for exercising caution in protecting the network and machines from being compromised by people with criminal intention.
Are security leaders proactively moving to protect their data against these threats?
Since protecting networks involves procurement of products and solutions, it is possible to see organisations' direction in securing their assets against cyber threats by referring to developments in the network security market. A market research company, Markets and Markets, forecast the global cybersecurity market growth to reach US$120.1 billion by 2017 while a separate forecast by another market research firm put the market to be worth US$77.7 billion in 2014. Markets and Markets also expects the wireless network security market to grow to US$15.55 billion by 2019.
This tremendous growth by leaps and bounds signals public and private organisations alike are putting cybersecurity as one of their primary concerns and worrying about the costs in securing critical assets will become a thing of the past.
Organisations cannot fight cyber threats alone in a silo. More and more organisations are realising the importance and effectiveness of working together in securing the cyber space, be it among industry players, governments, academia, and international organisations exclusively or cross collaborations between these sectors, at national, regional, or international levels.
The key in getting a head start is being proactive. Organisations large or small, public or privately owned have to possess the desire and in-depth understanding to protect their critical assets against cyber attacks, followed by taking proactive actions. One of them can be an early warning system installed in organisations' networks to capture data and alert the security team about possible breach attempts.
Is the public more aware of and putting more pressure on organisations to take precautions to keep their private data safe from cyber threats?
Pressures between users and providers do take place and where great reputation is at stake, the results are encouraging. Take Target, for instance. The devastating breach late last year saw the company's board of directors taking a leaping jump in security by acknowledging the CIO position should have an insight identifying which information assets need to be protected and putting them in charge of overall technology and security.
The incident served as a wake-up call for the U.S. retailers and moved them to form an industry group for collecting and sharing intelligence about cyber security threats in a bid to prevent future attacks.
Meanwhile, as a result of users' concerns about what data was shared when they logged into other apps or sites through Facebook, the social networking service will now let users have control over how much personal information they want to share with other websites or apps.
Following a lawsuit in California last year and heavy scrutiny by parents and privacy advocates, Google has permanently removed ad scanning in Gmail Apps for Education that was scanning students' email, mining data, and creating user profiles for the purposes of advertising.
Another example is Microsoft issuing a fix for a dangerous Internet Explorer bug that left the browser highly vulnerable, through a patching update to all Windows versions, including XP, which the company stopped supporting early April this year.
Collaborative efforts by the media, government public announcement, industry, and non-governmental bodies are important in bringing awareness on cybersecurity to the public. With the advancement of communication technologies, even members of the public can play an active role in this effort, utilizing tools such as social media to share news and knowledge on cyber threats. Together, we can build a global culture of cybersecurity and reduce the risk of cyber threats.
What is ITU-IMPACT actually doing to help raise awareness, as well as help organisations prepare for cyber threats in the APAC region?
The ITU-IMPACT coalition was established as the first United Nations-backed global platform bridging the gap between governments, industry and academia to combat cyber threats. Our current focus is to work with governments at policy level to enhance countries' cybersecurity readiness. This is done through various technical and non-technical offerings such as technical assistance, training programmes, regional cyber drills, assessment and implementation of national Computer Incident Response Team (CIRT), and the Child Online Protection (COP) initiative.
In terms of technical assessment on countries' cybersecurity readiness, one of the ways to do this is through cyber drills. For this, we have organized six regional cyber drills with the participation of 70 countries around the world. Specifically for the APAC region, two cyber drills were organized for the CLMV countries (Cambodia, Laos, Myanmar, and Vietnam). The drills are meant for countries to identify the gap in their technical expertise and for us to help them to strengthen that area. Again, countries cannot fight cyber threats in a silo. Being physically present at the drill together with other national CIRTs from the same region and also international experts provides the participants with a sense of understanding of the importance of communication and regional, as well as international cooperation. Other regions covered for this regional drill include the Arab region, Europe and the Americas.
ITU-IMPACT engages with partners in the industry, academia, and international organisations and uses their expertise to fulfill individual country cybersecurity requirements. We work with ABI Research, a technology market intelligence company; Nuix, specifically in digital forensics area; Kaspersky Lab, Symantec, Trend Micro, and Bitdefender on threat information sharing; TCG on COP, and many more. These organisations partner with us so that countries are able to leverage their priceless expert contributions.
Scholarships are another avenue to help raise cybersecurity awareness among countries and create more cybersecurity professionals globally. Through our collaborations with renowned cybersecurity training providers such as SANS Institute and EC Council, ITU-IMPACT has deployed more than 370 scholarships for professional cybersecurity certification. This has seen an increase of certified cybersecurity professionals globally.
ITU-IMPACT also assists partner countries in establishing their national CIRT as it functions as the country's first line of defence for the operations of critical national information infrastructures as well as the public and private sector against cyber threats. To date, ITU-IMPACT has successfully implemented national CIRTs for countries such as Burkina Faso, Ivory Coast, Kenya, Montenegro, Tanzania, Uganda and Zambia.
ITU-IMPACT sees early warning systems for cyber threats as a critical element in organisational cybersecurity and as a result will be rolling out the solutions within Q2 of 2014. One of them is HORNET (Honeypot Research Network) - strategically deployed sensors feeding real-time intelligence to help countries better understand the threats they are facing and work on the necessary counter measures. AWARE (Abuse Watch Alerting Reporting Engine), on the other hand, helps countries in threat monitoring by collecting and processing data from various abuse feeds and sends out actionable reports to be disseminated to relevant cybersecurity and law enforcement agencies for appropriate actions.
Finally, our social media channels are there to help raise awareness on broad cybersecurity issues such as current and future threats, infrastructure, national cybersecurity policy and strategies, human capital, useful cybersecurity tips, and so forth.