Clifford Chance

Cyber

Talking Tech

Stories from the Wild #3

September 2022

Cyber Security 28 September 2022

Welcome to the third edition of our Talking Tech series, Stories from the Wild. Every month, we bring you the latest stories in information security and cybersecurity. You can read our introductory post for why this matters.

Commemorating John McCarthy

Our third edition commemorates the birthday of John McCarthy, one of the pioneers in, and founders of, the discipline of artificial intelligence. In late 1955, John McCarthy along with Marvin Minsky, Nathaniel Rochester and Claude Shannon proposed a summer project focused on “artificial intelligence”. This project became the 1956 Dartmouth Summer Research Project, widely considered to be the founding event for artificial intelligence. McCarthy himself is credited with coming up with the term “artificial intelligence” in the sense that we deploy it today (alongside other contributions such as the LISP family of programming languages) and, prophetically, noted that “as soon as it works, no one calls it AI any more”.

Catching up with…DCMS

In March 2021, the Department for Digital, Culture, Media and Sport (DCMS) published the Cyber Security Breaches Survey of UK businesses, charities and education institutions as part of the National Cyber Security Programme. The study was re-run in 2022, conducted by writers from market research firm Ipsos and Steven Furnell, professor of cyber security at Nottingham University. The new, 2022 report was published earlier this year.

The report contains a qualitative study with a range of businesses and organisations affected by cyber security incidents ranging from spear phishing to denial-of-service attacks. Interviews were also conducted with a range of individuals, from IT managers, CISOs, to CEOs.

The survey found that:

  1. There was a consensus that cyber crime is a significant and growing business risk, with cyber attacks increasing in both volume and technical sophistication. Knowledge of this fast-changing threat landscape did, however, vary significantly.
  2. Nearly all participants acknowledged the need for ever greater levels of vigilance and investment in cyber security, as the controls that were appropriate a few years ago are now seen as less effective.
  3. Nearly all participants indicated that their organisation took cyber security "seriously" prior to the breach, though the majority felt their organisations put more of an emphasis on technology than employees to stay secure. This reflected the widespread notion that people and culture are more of a cybersecurity "weak spot" than technology deployed.
  4. There were varying levels of support and interest in cyber security from leadership teams, and not all participants were sure that leadership fully understood the scale of the threat or the cultural transition required to meet the growing challenge. However, one positive outcome of experiencing a breach was that it underscored the importance of cyber security. For most, leadership then became more engaged, with more serious intent to help the organisation improve.
  5. Relatively few organisations were able to quantify accurately the financial impact of the breach, although broad estimates were available, such as the cost of lost sales, employee downtime and IT consultancy.
  6. Very few organisations implemented a "lessons learned" process in the aftermath of the breach. Despite this, most felt that they were better protected, having strengthened aspects of cyber security technology, policy or staff training.

This report is but one piece of DCMS’s wider programme of research into cyber security, which earlier this year launched part one of a three-year, longitudinal study tracking the cyber security behaviours of organisations. As the minister responsible for cyber, Julia Lopez, noted in a cyber review earlier this year, “[a]mong the businesses that identify breaches or attacks, over a quarter are experiencing these issues at least once a week. However, only half of organisations have taken any action to help identify cyber security risks in the last twelve months.” We trust that the government will continue its work on the National Cyber Strategy, certainly since Ms Lopez has retained her post in Prime Minister Truss’s government.

Catching up with…costs

From one study to another: earlier this year, IBM’s annual, global Cost of Data Breach Report noted that the cost to organisations of security incidents continues to rise, with the average total cost of a data breach reaching USD 4.35 million and of a critical infrastructure data breach reaching USD 4.82 million. The figure was as high as USD 9.44 million (on average) for organisations in the United States, with the Middle East coming in second at USD 7.46 million. The UK placed 4th, with average costs of USD 5.05 million: not a ranking one would be proud of. Healthcare was, for the 12th year running, the highest-cost industry, with the financial industry in second place and pharmaceuticals in third. Of the 550 organisations surveyed (with over 3,600 interviews), 83% had suffered more than one data breach, a clear indication of the endemic nature of incidents.

What did the costs comprise? Two-thirds of costs were incurred in a combination of lost business and detection and escalation. Breach response and notification comprised the remaining one-third. The duration of a data breach – which drives costs – had not changed significantly, at 277 days from first detection of a breach to full resolution (by comparison, 271 days in 2016).

How did the breaches occur? Stolen or compromised credentials made up 19% of incidents, phishing 16%, and misconfiguration 15%. The most expensive breaches involved longer mean times for remediation: phishing and business email compromise both took over 300 days on average to identify and contain.

What was the impact of cyber-related factors in breaches? Human factors scored highly: using an artificial intelligence-driven platform, effective formation and testing of an incident response team, and employee training reduced the average total cost of a breach by around USD 250,000 each. Having a DevSecOps approach also scored highly, decreasing the average total cost by over USD 275,000. Factors that increased cost included the complexity of security systems, compliance failures, and a security skills shortage.

What about ransomware? The cost of a ransomware incident decreased slightly to USD 4.54 million (not including the ransom itself). However, its proportion of incidents increased from under 8% in 2021 to 11% in 2022. Ransomware also took longer to remedy, averaging a total lifecycle of 326 days (i.e., 18% longer than average). Interestingly, the study found that the cost to the business of a ransomware breach was higher for those that didn’t pay the ransom, by some 13% (or USD 630,000).

Any key takeaways? The authors of the study had several key recommendations:

  1. Adopt a zero trust security model. Implementation helped organisations save USD 1.5 million, where maturely deployed.
  2. Sensitive data in cloud environments should be protected using policy and encryption. A framework of audits, risk analysis, and compliance and governance greatly improved detection and containment efforts (and reduced overall cost).
  3. Invest in security orchestration, automation, and response (SOAR) and extended detection and response services (XDR). Use tools to protect and monitor endpoints and remote employees.
  4. Create and test incident response playbooks to increase cyber resilience. Organisations with mature planning processes, established incident response teams and plans, and a detailed playbook saved over USD 2.5 million.

Catching up with…security basics

As we have said before, the basics in cyber security are important.

One of the simplest (if inconvenient) measures is multi-factor authentication (MFA). MFA requires an additional factor for authentication. This second factor might be a one-time PIN, commonly sent via SMS or email, a physical security token, biometric details (such as a fingerprint scan), or a third-party app (such as Microsoft Authenticator). In essence, authentication is based on something you know, something you have, or something you are. A password is something you know; a security card is something you have; a fingerprint is something you are.

A common method of MFA, or two-factor authentication (2FA), is to send a text or SMS message to your phone. Many companies and services still use this method of authentication, as Graham Cluley, the security blogger, recently noted.

But SMS-based 2FA is really not that great, as researchers and practitioners have been saying for several years, including NIST in its 2016 Digital Authentication Guidelines. Why?

  • Network security. Pre-5G networks were built on trust. SMS messages are exchanged in plain text – and easily intercepted.
  • Endpoint security. Not only can a phone be hijacked (often silently), it is especially prone to common security risks such as displaying the authentication code on a locked screen. (Yes, showing messages on a locked screen is more convenient, but it is certainly a security risk.)
  • Social engineering. Humans are the weakest link, and SIM-swap attacks are a thing.
  • Authentication logic weakness. Passwords can sometimes be reset by SMS, such that SMS would be a single-factor method rather than 2FA. In one study in the US, a SIM swap was sufficient to compromise accounts with 17 major websites, without requiring a separate password.

Brian Krebs has also posted, in August, about a group of attackers exploiting SMS authentication by phishing, dubbed “0ktapus”. As the post notes, companies are now moving away from SMS for MFA, and/or requiring that remote access to internal networks be managed through work-issued devices loaded with custom profiles that cannot be accessed through other devices.

TL;DR: multi-factor authentication is good security practice, but it needs to be implemented properly. Using SMS as the second factor will increasingly become unviable, so consider using other methods, such as an authenticator app.

CVE Corner

In this edition of CVE Corner, we look back at the basics: what is a CVE?

The Common Vulnerabilities and Exposures system is a reference method, maintained by the MITRE Corporation, for publicly disclosed computer security flaws. Major vendors like Red Hat, Oracle, and Microsoft are among the CVE Numbering Authorities (CNAs) that assign identifiers to CVEs.

Importantly, CVEs are assigned a score under the Common Vulnerability Scoring System (CVSS), a set of standards used to assess the severity of a CVE. Scores range from 0.0 to 10.0, with 10.0 representing the highest severity. Scores are derived from three measures: base metrics of exploitability and impact, a temporal metric, and environmental metrics that include confidentiality, integrity, and availability. The National Vulnerability Database (NVD) also assesses CVEs once published.

Thousands of CVEs are found and published every year, with over 20,000 in 2021. That’s almost 55 per day – clearly difficult to keep track of in a traditional manner (unless you are a security researcher or at a company operating in the field). Vendors and third parties (e.g., VMware, CISA) often issue advisories for priority issues or patches. The NVD also provides an API for looking up vulnerability data that can give the detail needed for better remediation. But, ultimately, simply taking an interest in CVEs and knowing where and how to dig deeper is already a good start.

//

Until next time – happy belated birthday, John McCarthy!