What do the cybercriminals (already) know about you?
TL;DR: Cyberattackers are getting more sophisticated in their operations, relying on social engineering and novel hacking tools to infiltrate organisations and steal information. Increasingly, firewalls and antivirus software are not enough; enterprises are turning to intelligence and integrations to secure their digital systems. When developing systems and platforms, cybersecurity should be considered at the outset and not as an afterthought.
Phishing emails used to come in the form of African princes offering to deposit a few million US dollars into your bank account… complete with bad grammar and spelling mistakes.
But not anymore. “Cybercriminals have now perfected their grammar, and it has become harder to spot phishing scams,” said Mr Loi Liang Yang, Security Sales Specialist from IBM Security, speaking at an event titled ‘Cyber security: How hackers hunt for information about your enterprise and you’, held at the NTUC Centre on 9 May 2018.
Social engineering has been tested and proven to be one of the easiest ways to gain malicious access to a company, Mr Loi added, drawing from his experience as a certified ethical hacker and an adjunct lecturer in ethical hacking and network defence.
Cybercriminals are crafting increasingly sophisticated pretexts to infiltrate organisations or steal personal information, posing as people in our social circles whom we typically don’t guard against, such as our bosses, parents and relatives.
“For example, when you receive an email titled ‘Your bonus and pay increment for 2018’, chances are most people are going to click on it,” Loi said.
We also often think of hackers as they are portrayed in Hollywood movies—guys in black hoodies staring at the computer screen for weeks, even months, not eating or leaving the room. “But in reality, most initial attacks—to completely take over a machine—happen in a matter of minutes… 75 percent of the time, it never [takes more than] an hour,” he explained.
On the other hand, the majority of enterprises take months to respond to a cybersecurity breach. “When a company announces that it has been breached, the hacker has been there for months. They would have already known everything about your organisation.”
Exploiting weaknesses
Have you ever tried typing your own name into a search engine to see what the internet knows about you?
“If you were to run a search on yourself, maybe your passwords are already [viewable] on a database,” said Loi. Cybercriminals take such databases of usernames and passwords, leaked from websites that have been breached, and try them against other accounts, a technique known as credential stuffing.
“You probably use the same login password for different email addresses, and chances are, you use that to log in to your various social media accounts as well. So the moment you are compromised in any of these systems, the hackers would be able to access everything else.”
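The two checks that follow from this passage, in code: whether a password already sits in a breach corpus, and whether the same password is reused across accounts. This is an added example, not code from the article, from IBM Security or from Mr Loi. It follows the real Pwned Passwords "range" protocol (the client sends only the first five hex characters of the uppercase SHA-1 of the password and matches the returned suffixes locally, so the full hash never leaves the machine), but the range responses, their counts and the account list below are constructed so the script runs offline; `offline_range_lookup` and `audit` are names chosen for this example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for what https://api.pwnedpasswords.com/range/<prefix>
# returns: one "<35-hex-char suffix>:<count>" line per hash sharing the prefix.
# The first suffix is the real remainder of SHA-1("password"); the other two
# suffixes and all three counts are made up for this example.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "003D68EB55068C33ACE09247EE4C639306B:2\n"
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:9\n"
    ),
}


def offline_range_lookup(prefix: str) -> str:
    """Replace with an HTTP GET of the range URL for a live check."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def split_hash(password: str) -> tuple[str, str]:
    """k-anonymity split: 5-char prefix goes to the server, 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map (blank lines ignored)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup=offline_range_lookup) -> int:
    """How many times the password appeared in breach corpora (0 if unseen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def find_reuse(accounts: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map SHA-256(password) -> sites using it, keeping only passwords shared by 2+ sites."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for site, password in accounts:
        by_hash[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(site)
    return {h: sites for h, sites in by_hash.items() if len(sites) > 1}


def audit(accounts: list[tuple[str, str]], range_lookup=offline_range_lookup) -> dict:
    """Per site: breach count of its password and the other sites sharing it."""
    reuse = find_reuse(accounts)
    report = {}
    for site, password in accounts:
        h = hashlib.sha256(password.encode("utf-8")).hexdigest()
        report[site] = {
            "breached_count": breach_count(password, range_lookup),
            "shared_with": [s for s in reuse.get(h, []) if s != site],
        }
    return report


# Constructed account list for the demonstration.
CONSTRUCTED_ACCOUNTS = [
    ("webmail", "password"),
    ("social", "password"),
    ("bank", "correct horse battery staple"),
]

if __name__ == "__main__":
    for site, finding in audit(CONSTRUCTED_ACCOUNTS).items():
        print(site, finding)
```

For a live check, `offline_range_lookup` would be swapped for a GET of `https://api.pwnedpasswords.com/range/` followed by the prefix; the matching logic stays the same. Because only the prefix is sent, the service learns neither the password nor its full hash.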
Holding up a tiny device that resembled a portable mobile phone charger, Loi explained that it was actually a wireless auditing platform. “It is basically a wireless hacking tool that can be powered by a mobile device.”
“When you log in to the device, you can create a pseudo Wireless@SG account, and it will start broadcasting the fake network to the entire conference room. The feature on your mobile phones, called the smart WiFi—which ironically isn’t actually that smart because all it does is to connect automatically to any access points that don’t require a password—will then hop onboard the network.”
Once the connection is established between the pseudo Wireless@SG hotspot and the mobile device, the hackers will be able to view every single message you have on WhatsApp, every email you are reading or transmitting, as well as every website you are visiting. “If I were the hacker, I could then copy these data and use them to gain access to your systems. If you had been carrying out financial transactions on your mobile phones or laptops, I could even replay the entire session on mine,” Loi said.
Getting smart about cybersecurity
On the future of cybersecurity, Loi said, “What we are seeing is a lot of IBM’s enterprise customers moving from layer defences, such as your typical firewalls and antiviruses, into what we call intelligence and integrations.”
This means that the company strives to have, at any point in time, visibility into the entire enterprise environment. Loi summed up the upcoming trends in three C’s: cognitive, cloud and collaborative.
“Cognitive refers to the question of how we can use artificial intelligence to augment the cybersecurity analysts’ jobs. A lot of companies are also transiting into the cloud enterprise space, so we need to think about how to protect these cloud solutions and platforms,” he said.
“The third C, collaboration, refers to the integration of old and new systems. The larger enterprises have existing legacy IT assets that cost hundreds of millions of dollars, which they have to protect and ensure that they are able to work in an integrated environment together with the new solutions.”
Lastly, Loi advised that security by design should play a prominent role in software and hardware development.
“Most of the time, systems and platforms are developed with convenience as a starting point, and security as an afterthought. It is only when they have completed the project that they say, ‘Okay, so what do we do about the security now?’”
“But security should have been considered from the outset,” Loi emphasised, closing his presentation.
https://www.tech.gov.sg/media/technews/what-do-the-cybercriminals-already-know-about-you