Year after year, the number of cyber attacks increases around the world. This was especially true during the pandemic, when many people worked from home using their own devices and networks, which were unsecured. Because of this, cybercriminals have ramped up their efforts to hack into the systems of firms that would otherwise be impossible to reach.
However, not all cyber attacks are the same, and their objectives are not the same. This is exactly what Neven Zitek, Incident Response Manager of the IT firm Span, and I discussed. Zitek is a cybersecurity expert who keeps a close eye on "movements" in the global cybersecurity landscape and is actively involved in safeguarding businesses and their data.
Can you tell us about the "most popular" cyber attacks right now, the most deadly ones, and what we can expect in the future?
Three types of cyber-threats can be identified. We are our own greatest threat and enemy in the first group (type 1). Poor or insufficient security management methods, insufficient control of identities and passwords, equipment or suppliers, and a lack of investment in people and technology are all examples of this. All of these things combine to make organizational vulnerabilities easy targets for malevolent actors and nightmares for businesses. We're talking about things that are absolutely important to protect the organization's security and should be viewed as an investment in preventing loss rather than an expense. If an unwelcome incident occurs, we can only blame ourselves for our own carelessness and neglect.
The second sort of threat (type 2) comprises what are known as "accidental" security events, which are cyber risks that can be found all over the internet, in spam, shared files, and other places. These are generally manual or semi-automated harmful applications and scripts that take advantage of human inattention and/or known flaws. This collection of dangers is distinct in that it will affect someone and not someone else, and the repercussions will be determined by your general attitude toward security. For example, if the company uses a User and Entity Behavior Analytics (UEBA) system, it's easy to notice that the same application arriving from Croatia and then 10 minutes later from Vietnam makes no sense because it's not possible to go from Osijek to Hanoi in ten minutes. As a result, there's a chance the account has been hacked, and you'll need to take action.
Targeted attacks on the organization (type 3) are the third sort of cyber danger, and this is what all enterprises fear the most. Unlike the previous ones, these are led by well-coordinated and highly capable teams, i.e. cyber criminal groups with financial or political motivations. Cyber security is difficult in the face of such threats, but that does not mean we should make things easy for attackers - the first step is to guarantee that the company is not threatened by the first two points.
In this context, regardless of the type of threat, the most destructive form of assault on businesses and individuals is known as ransomware, which is generally preceded by data exfiltration. Encryption and a ransom demand follow the exfiltration. If the victim refuses to pay the ransom, the blackmailers threaten to make the data public, which might severely harm the organization's reputation, through punishment by the regulator or the state (e.g. GDPR).
In the future, we will face both new and old challenges: traditional threats will not go away, but will grow more sophisticated and "smarter" thanks to artificial intelligence. Among emerging risks, we should expect the theft of digital identities and related digital assets (money, cryptocurrencies, NFT tokens, etc.).
Cybercriminals have begun to incorporate artificial intelligence in their attacks in recent years, leveraging developments in the field. And what about those who defend themselves and others against cyber-attacks? Is artificial intelligence (or any other advanced technology) utilized to combat cyber-attacks, and if so, how?
Artificial intelligence is a broad word that, if I may be critical, I believe is overused in both common and professional jargon. In its broadest meaning, it has long been utilized for defensive purposes, and it is employed, among other things, as a tool for identifying threats within the sea of data generated by users, equipment, and services. Perhaps the previously mentioned User and Entity Behavior Analytics (UEBA) is an excellent introduction to the application of artificial intelligence for defense purposes; by monitoring not only the location from which the user logs into the system, but also user habits, the algorithm can detect deviations and, depending on the size of the deviation, take immediate defensive actions. It can, for example, temporarily prohibit a user's access, alert the Security Operations Center (SOC), send an SMS to the user, or phone him to confirm that he has logged in to the system from that device and location. Based on the user's answer, the system will learn whether its assumption was correct or not and will make better decisions in the future.
Artificial intelligence will play a key role in defensive systems in the future, owing to the prevalence of cyber attacks, not only because of the speed with which it can react compared with humans, but also because of the volume and quality (reliability) of decisions it will have to make to stop and limit attacks. In the future, we may find ourselves in situations where the cyber "war" is solely between "our" and "their" bots.
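As an added illustration of the UEBA "impossible travel" case described earlier (a login from Osijek followed ten minutes later by one from Hanoi) and of the graded responses listed in the answer above (verify with the user, block access, alert the SOC), the following Python script computes the travel speed implied by consecutive logins of the same account and picks an action by the size of the deviation. It is example code written for this page, not part of the interview or of Span's tooling; the event layout, the city coordinates and the 1,000 km/h ceiling are constructed assumptions.

```python
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (user, seconds since epoch, city, lat, lon);
# the field layout is an assumption, not any product's log format.
LOGINS = [
    ("ana", 0,    "Osijek", 45.55, 18.69),
    ("ana", 600,  "Hanoi",  21.03, 105.85),  # ten minutes later, ~8,100 km away
    ("ivo", 0,    "Zagreb", 45.81, 15.98),
    ("ivo", 7200, "Vienna", 48.21, 16.37),   # two hours, ~270 km: plausible
    ("eva", 0,    "Zagreb", 45.81, 15.98),
    ("eva", 3600, "London", 51.51, -0.13),   # one hour, ~1,340 km: borderline
]

EARTH_RADIUS_KM = 6371.0
PLAUSIBLE_KMH = 1000.0  # assumed ceiling, roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def decide(speed_kmh):
    """Graded response: the larger the deviation, the stronger the action."""
    if speed_kmh <= PLAUSIBLE_KMH:
        return "allow"
    if speed_kmh <= 3 * PLAUSIBLE_KMH:
        return "verify_with_user"      # SMS or phone call to confirm the login
    return "block_and_alert_soc"       # temporary lockout plus a SOC alert

def evaluate(events):
    """One (user, city, implied_kmh, action) tuple per consecutive login pair."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e[0], e[1])):
        by_user[ev[0]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for (_, t0, _, la0, lo0), (_, t1, city, la1, lo1) in zip(evs, evs[1:]):
            hours = max(t1 - t0, 1) / 3600.0   # guard against equal timestamps
            speed = haversine_km(la0, lo0, la1, lo1) / hours
            findings.append((user, city, round(speed), decide(speed)))
    return findings

if __name__ == "__main__":
    for row in evaluate(LOGINS):
        print(row)
```

In a real deployment the coordinates would come from IP geolocation, which is itself imprecise, so the ceiling and tiers should be tuned against the organization's own login history rather than taken from this sample.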
In Croatia, how common are cyber-attacks? The public usually learns about the most serious ones, but how vulnerable are Croatia and its population to cybercriminals? And are these hackers "domestic" or "foreigners"?
Given the lack of recorded and publicly available statistics on cyber attacks, it's tough to offer an accurate response to this question, but I'd venture to say they're more common than assumed, or more common than the general public is aware of. Based on my experience, these are most typically type 1 and 2 attacks, which are triggered by a lack of investment in the organization's security or by negligence, and to a lesser extent type 3, or targeted attacks.
The reason for this is that, from a global perspective, domestic enterprises are relatively small. Because every cybercriminal group's primary purpose is to make money, it's only natural that they'll turn to organizations that can make them a lot more money for the same amount of time invested in compromising them. However, this does not negate the importance of cyber security for domestic organizations, as there are numerous "generic" attacks on the Internet that can be just as damaging to an unprepared organization as targeted threats. And it doesn't matter where the attackers originate from if an unpleasant event occurs or the business shuts down.
So, how do you prevent and defend against a cyber attack? Is this true for both businesses and individuals? That is, how do Croatian businesses and individuals defend themselves against such attacks? What is the Incident Response Team's role in all of this?
The first stage for organizations is an open discussion between the organization's management and the IT department: communication about what is important for the organization's business, i.e., which business services are critical to the survival of the organization as a whole. Following that, the business side is responsible for communicating the performance requirements for IT and IT services. Only then, in the architectural design phase, can the organization's IT staff pick and execute solutions that will meet these needs. Unfortunately, the procedure frequently proceeds in the wrong direction, and this later becomes the root of all problems.
Good IT management techniques are the foundation for good cyber attack protection.
This implies that the organization optimizes the management of physical and virtual assets, has a good understanding of the existing situation, manages system changes in a controlled manner, and plans capacity expansion in accordance with business needs. In collaboration with the responsible human resources department (HR) and management, it oversees access to the IT environment, access rights, and identities, and keeps its business/corporate identities and administrator identities, as well as their access rights, distinct. Furthermore, a foundation for cyber attack protection is established through routine operational measures such as monitoring, backups, and the regular installation of patches on servers and PCs.
Only when these conditions are met can we talk about specialized cybersecurity teams whose mission is to recognize threats, prevent and limit their spread, remove compromised parts, and restore normalcy while continuously raising the level of resistance, reducing detection and response time, and responding to the most advanced threats.
We like to say that a good Incident Response team is at its most active when there are no incidents, because previous experiences are transformed into new protection and defense mechanisms that work and act preventively, and mistakes made in resolving previous incidents become opportunities for learning and improvement. During an incident, the Incident Response team brings together a variety of expertise, including technology experts, cyber security experts, business process and application experts, an incident or crisis manager, and, in crisis situations, communication and legal experts. This is a highly dynamic squad that has been assembled to address a specific incident for which no playbook has been written. The Incident Response Manager is the team's only permanent leader.
As individuals, we now have an increasing number of digital assets and identities, such as social media accounts, bank accounts, telecom accounts, cryptocurrency accounts, e-mail accounts, and similar services, and we tend to believe that the "other" side is concerned about security. True, we don't have perfect control over our data, which we learn about when the companies we've entrusted it to lose or corrupt it. Good digital asset management techniques, such as the use of complex passwords that are different for each service, should become second nature. Rather than relying solely on a password to safeguard against illegal access, enable multi-factor authentication everywhere and always. Alternative communication routes (phone number, email address) should be created in advance in case of a lost or hacked password, and these channels should be safeguarded just as securely (if not more so). Avoid installing "free" programs (games, "little aids," games of chance, shopping, coupons, and so on), which can slow down the functioning of mobile phones or computers while also posing a security risk. On social media, we should avoid sharing personal and sensitive information with people we don't know. Before entering your login and password, make sure you are entering them where you intend and not on a phony page. Messages that sound too good to be true ("you got a prize," "99 percent off," "rapid refund," "anything for free," etc.) should be ignored and deleted since they are frequently frauds attempting to gain access to your account. Attacks on private Instagram profiles with a large number of followers are becoming more common, with attackers demanding ransom and threatening to erase everything if the victims do not agree, counting on the amount of effort and time invested in creating the profile.
Many people have worked from home or in a hybrid setting in the previous two years. How difficult is it to maintain cyber security and cleanliness in businesses using this method? What are the largest obstacles to overcome, and what should be prioritized, especially since it appears that the trend of working from home will continue to grow in popularity in the future?
With the spread of the COVID-19 pandemic, many businesses have struggled to execute "rapid digital transformation" to allow employees to work in a hybrid or remote environment. This push for rapid transformation may have resulted in "holes," or spaces that attackers might now exploit, putting the organization's efforts at risk. Companies that had previously allowed some sort of remote work and had adopted Cloud technology and services over time, on the other hand, have found themselves in a much better position in a familiar environment. However, even in that scenario, the number of people working remotely has increased, with the focus shifting from the traditional approach of dividing the environment into "secure" and "insecure" zones (corporate network and internet) to a more modern zero-trust approach applied to the people and devices that access business services and applications.
I believe that this shift in work culture and attitude toward remote work has become so entrenched that reverting to the "old" is nearly impossible. We can only expect further growth in the possibilities of remote work in the future, which will throw up new issues, such as the return of the concept of a "working room" and working space within the living space. Little attention is paid to this now, although the workplace contains a computer or computers that are accessible to family, guests, and others, and that have access to critical corporate data. This problem is exacerbated when a personal computer (bring your own device), a device that isn't controlled directly by the IT department in the typical sense, is used to access business services, and future problems will have to include additional data protection in addition to traditional cyber risks (compliance, data leak and data loss prevention, insider risk management).
"If you haven't been hacked yet, it's only a matter of time before you are," someone once said. Can you provide us with any practical advice on what to do if we are targeted by cybercriminals? That is, what should you do to avoid getting into such a scenario in the first place?
When it comes to cyber security, the adage "prevention is better than cure" is undoubtedly true. For businesses, this encompasses all actions beginning with the information system architecture phase, which must be aligned with business needs, maintained according to best practices, and protected in proportion to the value it represents. Aside from technical and technological solutions (SIEM, SOAR) and a specialized organization for dealing with cyber threats (Security Operations Center, Incident Response Management), an equally vital aspect of any firm's cyber security is end-user education, starting with top management. It is desirable for top management to organize cyber attack simulation exercises (Table-Top Exercise, TTX) in order to obtain insight into how the organization responds to crisis situations and to raise awareness of cyber security risks. These exercises have become increasingly popular among executives, and I prefer to participate in them because, in addition to raising awareness and checking and evaluating the effectiveness of specific Incident Response plans, they can help us identify not only what we could do better, but also what we are really good at and can rely on in a crisis. End-user education is a continual process that must be worked on regularly. Users must be warned of dangers, taught to spot phishing e-mail, and made aware of the value of data preservation, as well as the importance of responsible password management and the like.
Our ability to respond to an unfavorable occurrence will be totally determined by what we did before it occurred, including whether we have enough detection methods, the right technology, mature processes, and, most importantly, whether we have trained and educated people.