The next generation of cyber security threats (and how to protect against them)

Cloudjacking: a new threat to data

Many charities and other organisations with a high proportion of staff working from home use applications running in the cloud, and also use the cloud as a collaboration space where documents, spreadsheets and all kinds of data can easily be stored and shared.

The security of most cloud services is generally very high, because most cloud cyber security measures are the responsibility of the cloud service provider who ensures that any security weaknesses are fixed and software is updated automatically on behalf of all its customers. But some of the responsibility for the cyber security of cloud services lies with customers, who need to ensure that they keep their passwords secure, configure their storage correctly, and access the cloud services over secure networks from malware-free computers.

Hackers understand that there are rich pickings to be had in the cloud, which explains a new type of threat which is emerging: cloudjacking. This involves exploiting any weaknesses in cloud services and the ways that home workers connect to them in order to get access to the documents, customer information and other data that may be stored there.

The simplest reason that hackers are able to pull off cloudjacking attacks is because of misconfigurations. A common example is when someone uses cloud storage to share documents with colleagues but mistakenly configures the storage so that anyone can view it. Earlier this month researchers from CyberNews announced the discovery of a database stored on Amazon’s cloud service containing 350 million email addresses which was publicly accessible.

Hackers can also use phishing attacks to steal passwords, allowing them to access cloud services with stolen login details. More sophisticated attacks involve hackers tricking home workers into downloading modified versions of the client software used to access some cloud services. The modified software allows the hackers to steal login details as well as any data stored in the cloud service.

How to protect against this

Charities and other organizations using cloud storage should check the configuration of their storage regularly, and use a service such as Amazon Macie to identify sensitive data such as credit card numbers or client details and ensure that it is encrypted or suitably protected in some other manner.

All home workers using cloud services should also use two factor authentication to log in to these services, along with a strong, unique and hard-to-guess password. Ideally, home workers should use a dedicated computer which is not used by other members of the household to access cloud services, to help minimise the risk that the computer is infected with malware. Where available, home workers should also turn on account alerts so that they are notified if an attempt is made to access their account from a new device or location. If they suspect a hacker at work they should change the account password immediately.

Charities can also make use of services from companies like Skurio to monitor the Dark Web to check that their data is not being offered for sale by cyber criminals. If it is for sale on the Dark Web then this is an indication that a cyber security breach has occurred, and advice should then be taken on removing the data, informing users, and investigating the breach to ensure that it cannot happen again.

Mobile malware is becoming a problem

Charity staff working from home probably do a very high proportion of their work on a laptop or desktop computer, which should be running endpoint protection software and other cyber security measures such as a firewall.

But smartphones are now personal computers in their own right, so it is inevitable that many charity staff choose to access and reply to emails, open Word and Excel files and even access cloud based applications such as constituent relationship management (CRM) on their phones from time to time.

Working on smartphones is not in itself a new development, but what is new is the large number of home workers who may not be aware of the security risks of using a smartphone for work purposes, or the cyber security measures that they should be taking.

Hackers are beginning to exploit this in a number of ways, most significantly with malware designed to infect smartphones and enable the hackers to access data stored on them, and accounts that the devices can access.

"As more and more critical and sensitive tasks are performed on smartphones, it is only a matter of time before mobile malware emerges as one of the most prominent cybersecurity concern."

 

- John Emmitt - Director of systems management company Kaseya.

How to protect against this

Basic mobile device cyber security measures include ensuring that a smartphone can only be accessed after entering a PIN or biometric (such as fingerprint or face scan), and that a system such as Apple’s Find My or Google’s Find My Device is running so that a lost or stolen phone can be locked or the contents deleted remotely.

Smartphones should also have antivirus software such as Norton Mobile Security, Avast Mobile Security, or Bitdefender Mobile Security installed to protect against malicious websites and malware (such as password-stealing key loggers) concealed in email attachments.

For charities with more than a handful of staff working at home, it can also be a good idea to use a cloud-based mobile device management (MDM) application such as ManageEngine, IBM Maas360 or Microsoft InTune to ensure the security of employees’ smartphones. An MDM allows the charity to configure staff smartphones with appropriate security measures, check that a smartphone has not been jailbroken (because this compromises security), and can also impose restrictions such as preventing staff from downloading apps such as games from untrusted sources (because such apps may contain malware).

5G insecurities

For charity staff working from home in areas where ADSL or fibre broadband services are not available, a common way to get a high-speed internet connection is to use a router which connects to a 4G or 5G mobile network.

One possible cause for concern here is that many of the most popular routers supplied by mobile networks or for sale on sites like Amazon are made by Huawei – a Chinese company which many intelligence agencies believe collects data for its government.

Another concern surrounds the use of 5G connectivity, for the simple reason that the technology is relatively new and unproven. That means that there will inevitable be vulnerabilities in the technology and in the firmware of 5G routers, and hackers will undoubtedly be working to discover and exploit them.

How to protect against this

Charity staff should avoid using 5G routers until the technology is more mature and its security is proven. Charities concerned about Huawei should encourage staff to use 4G routers from trusted manufacturers such as TP-Link.

Future Deepfakes

Artificial intelligence (AI) technology is advancing at a very high rate, and one area that hackers are likely to use this in the future is in the production of "deepfake" voices which mimic the voice of a real person.

Using deepfake voice technology, hackers could reproduce the voice of a charity leader, and then call a charity employee working from home. Using the deepfake voice the hacker could then tell the employee to transfer money to a bank account using some plausible pretext.

How to protect against this

This is a new twist on a scam where the hacker impersonates a charity leader in an email, and the same security precautions should be taken: instruct home workers to check any unusual payment requests with another charity leader, preferably by phone, to confirm the payment request. Charities should also establish a documented internal process for requesting payments, and any request made outside this process should automatically be queried.