Don’t Bite The Phish Hook

Phishers Target Best Buy

You there, corporate decision-maker. Are you ready to respond to a cyber threat? How confident do you feel in your ability to handle and mitigate the situation?

If the answer is “not very,” you’re in good company. Recent research by San Francisco-based cyber security company RiskIQ, aggregated in the company’s 2017 State of Enterprise Digital Defense Report, shows 68 percent of corporate decision-makers have little to no confidence in this area. They don’t know how big their “digital attack surface” is, or how they can reduce it to create a smaller target for criminals.

Considering the sheer volume and variety of cyber attacks out there, it’s easy to see why corporations are intimidated. They’re getting hit with significant incidents an average of five times per year, including malware, targeted attacks, mobile exposures, rogue mobile apps and website or brand abuse, just to name the most common types. Oh, and don’t forget phishing and social impersonation.

Brands have been eager to invest in digital transformation in recent years. That’s a good thing. After all, having a mobile presence enhances products and communication with both consumers and employees in fields such as manufacturing, healthcare, pharmaceuticals and, of course, financial services.

But digital is still a new environment, and the bad guys are simply learning their way around it faster than the good guys. All those great new tools that are making brands “stickier” with consumers are also great new tools for cyber adversaries to harm a business.

Digital Attack Surface

Here’s a new bit of jargon: “digital attack surface.” What does it mean? The digital attack surface, according to RiskIQ CMO Scott Gordon, comprises “all internet-facing assets connected to your business.” That includes web servers, web and mobile apps, advertising and affiliate organizations.

For instance, a major company may outsource part of its website to a third party in another country for localization. But if the company isn’t careful, that outsourced content could give an adversary a foothold to modify a page where consumers are asked to enter sensitive information. A hacker could create an identical-looking page and use it to harvest that data.

In eCommerce, a common and well-documented exploit lets criminals inject JavaScript code into a merchant’s website if the merchant is running an outdated or unpatched version of its shopping cart software. The injected script logs consumers’ keystrokes, which lets criminals steal credit card data; they then use the cards to purchase goods that they monetize by shipping them abroad.

In financial services, mobile transactions have exceeded web transactions. Gordon said it’s not unusual to see those official mobile apps being placed on unofficial sites, or even for unofficial mobile apps to represent themselves as the real thing — or as an add-on to the real thing.

The digital attack surface varies by industry, and it’s constantly changing. Gordon called it a “living organism,” which means new vulnerabilities can open up at any time. There’s no one-time fix. But, if an organization can fix exposures as they emerge, it can reduce its attack surface drastically.

Fighting Back

The thing most of these attacks have in common, said Gordon, is they’re coming from outside the firewall. Companies have done a good job of shoring up their networks and clouds, he said, and those investments were not wasted. But today, Verizon’s latest data breach report shows 70 percent of threat actors are attacking outside that firewall. That calls for new and improved defenses.

The good news, according to Gordon, is people see the problem and recognize the need to invest in tools. Close to half of the organizations surveyed told RiskIQ they planned to up their security spending by 15 to 25 percent over the next year to year-and-a-half. About a third of companies said they planned to invest in outsourcing digital defenses, recognizing the problem is bigger and more complex than they can handle on their own.

Gordon’s advice for those companies? Invest in three things: people, process and tech.

First, the people. Many organizations are introducing new departments to cover digital, mobile and app security. The employees in those new departments are specifically trained to identify and mitigate cyber threats, and threat investigation and response courses are beginning to incorporate these topics into their curricula.

Second, the process. Gordon said companies need to look in the mirror and ask how they are understanding and responding to various threats outside the firewall. If they’re an eCommerce provider in an affiliate program, how are they ensuring agents are following corporate guidelines on their own sites? If someone impersonates the brand online, what is the process with the security and legal teams for disputing, and how could it be more efficient?

Finally, the tech. Many organizations have invested in various tools, and many of these are effective, said Gordon. At the same time, there’s still a lot of room for growth in this area.

For instance, in the case of fake mobile banking apps, banks still rely on customer service calls to diagnose the problem, but such a manual method is way too slow in the fast-paced cyber-crime environment. Wouldn’t it be better to shutter those fake apps before customers could be duped? Digital threat security technology could identify the impersonation right off the bat and empower the bank to issue a cease and desist before its customers were harmed.

In a more general sense, Gordon predicted organizations are going to start consolidating solutions to improve efficiency and scope across channels. Many of the solution structures today have been architected in a piecemeal fashion, he said, and that’s going to change in the coming years. He expects interoperability between threat intelligence tools will become more critical, and automation will reign, as the pace of threats continues to increase and companies find themselves unable to keep up with manual solutions.

On the bright side, he said, the process has already begun.

“I think the tools are out there,” Gordon said, “and they’re getting more sophisticated.”