What’s trending now?
In January 2010 when Stuxnet was discovered, the way that wars were fought and won was transformed irrevocably. Stuxnet entered the fray as a malicious software that wormed its way through a network to discover, seize and control the operations of industrial machines by specifically targeting the controller used to automate the spinning rotors within a centrifuge. What makes this attack unprecedented, is the fact that Stuxnet was designed to fool the digital fail-safe into believing that there is no problem. Stuxnet has since been credited as the world’s first digital weapon and was unleashed on the Natanz Uranium Enrichment Plant in Iran in an effort to cripple Iran’s nuclear programme.
According to Paul Laudicina of Forbes Magazine, 2017 Will Be the Year of Cyber Warfare. Referencing AT Kearney’s predictions for 2017, Laudicina discusses the first prediction on the list which states that “the first crippling cyber-attack will be launched on critical infrastructure in a major economy”.
To launch a cyber-attack, one must assume a cyber-weapon, and in a world where products and services are increasing “digital”, it is not difficult to see how weapons have made the leap into the virtual space too. Let’s consider the idea of cyber-warfare for a moment: Pierluigi Paganini, Chief Information Security Officer at Bit4Id, proposes that a cyber-weapon needs to be recognised as a sophisticated, multi-faceted attack, delivering a series of ‘payloads’ designed to cripple or destroy a target.
What this means, using Stuxnet as an example, is that one piece of malware has the capability to execute several instructions, install programmes at will, allow access to command-and-control and even feedback information outputs to mask the fact that internal processes have been compromised.
Investigating the anatomy of the attack on the Natanz Nuclear Facility, scientists have reverse-engineered the programme to understand what it did to destroy almost one-fifth of Iran’s nuclear centrifuges. Stuxnet was designed to enter the facility on an infected USB flash drive and worm its way through to the machinery that fitted the pre-programmed attack profile.
In his TED talk, Ralph Langner called it a “cyber weapon of mass destruction”. Langner, together with his team, helped to crack the Stuxnet code and expose the true intention behind the Stuxnet virus. “The attackers took great care to make sure that only their designated targets were hit. It was a marksmen’s job. On target, the attack was surgical and took advantage of deep process and equipment knowledge”, he wrote in his summative article.
Why it’s important
On the bleeding edge of warfare, scientists and programmers backed by a political (or a corporate) agenda, now have the technology to target the hardware and the infrastructure of industrial facilities in order to delay manufacture or shut down operations completely. And that’s not even touching on their corporate espionage capabilities. Most industrial plants rely on often-out-of-date computerised industrial control systems, leaving the critical infrastructure of government, and business, vulnerable to attack. What Stuxnet taught us was that any industrial facility – it could be a power plant, or it could be an automobile factory – could be the target for such a generic attack.
Stepping out of what seems to be a Mission Impossible-style Hollywood movie, and back into the realm of business-as-usual, we also find that cyber-crime is on the increase, with the perpetrators using unwitting human carriers as guinea pigs to get into the building and unleash viruses onto the companies’ computer systems. As one of the architects of the Stuxnet plan has reportedly said, “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”
These weapons can find their way in on a dirty USB and shut down an entire company, or an entire country for that matter. AT Kearney’s prediction for 2017 does not sound so unbelievable anymore.
What’s the butterfly effect?
Stuxnet is out there, available on forums for any hacker to download and repurpose.
And companies are at risk, now more than ever. In an article discussing the threat of cyber-warfare, TIME lists the worldwide cost of cybercrime close to $445 billion in company losses.
In light of the new digital war we face, companies cannot rely solely on their anti-virus firms and their expensive software to protect them. Companies still face the fact that the human component is the weakest link in the chain. IT security is no longer within the remit of the Chief Technology Officer alone, either. CEO fraud, which uses social engineering to trick employees into wiring unduly authorised funds out of the business, has accounted for $740 million in losses since late 2013. Cyber-crime is an increasing bugbear for the Chief Financial Officers of the world, too.
So, where does that leave us?
New startups have recognised the need to plug holes in corporate security defences and now offer training to employees which enable them, through the use of software and training tools, to be more vigilant of suspicious threats. We are also seeing security consulting companies leaning in on the C-suite conversation around IT Security policy.
Companies like the Ireland-based startup Cyber Risk Aware offer a service that evaluates staff’s risk levels by implementing dummy Phishing campaigns to test for “dumb-clicking”. Users are then assigned a risk level and taken through level-appropriate training, designed to decrease penetrability on a human level by making people more aware of the tactics used by hackers and scammers to defraud companies and steal company information.
Trend forward network security solutions specialists, like the Johannesburg-based Layer 7 Networking, are becoming increasingly involved in conversations around secure enablement. In an era where employees increasingly demand off-site and cross-device, cross-browser access, IT teams need to be more sensitive to the negative impact on employee productivity that boxing people behind firewalls can have.
In the future, security boundaries will move a lot closer to the user, and companies looking to extract the most value and productivity from their human assets will support the transition to a mobile-first, device-agnostic way of working. It is up to companies that want to stay ahead of the curve to empower users with the technology and the know-how to protect themselves against the threat of cyber-crime and to decrease their vulnerability to malicious cyber-attacks.
The global hot spots?
The internet, coming to a computer near you.
By: Loren Phillips
Loren considers herself of the eternally curious persuasion. As a great lover of the question “But, why?” Loren has managed to unearth some fascinating things about humans and why they do what they do. She walks a road less trodden and dreams of one day living on a farm with her family, one cow, two chickens and three huskies. Loren is obsessed with technology and sometimes thinks she may have missed her calling as a hacker/spy/submariner.
Image credit: The World Wide Web AND Loren Phillips