The Cybersecurity Conference “Les Assises de la Cybersécurité” was held two weeks ago in Monaco. Cybersecurity experts and major industrial players gathered for 3 days to discuss the new threats in cyberspace and how companies can better secure their assets. DirectIndustry e-magazine was invited to cover this event. Here is a recap of what you should know to better protect your organization.
Since 2001, Les Assises has given decision-makers, chief information security officers and managers in charge of cybersecurity issues key information to help them understand current and future attacks. This year, the event presented the new cyber threats and the best practices to implement to better protect your organization.
What is the Current State of the Threat?
Until 20 years ago, viruses and malware were aimed at infecting disks or programs and consisted mostly of isolated acts of computer vandalism.
Since the 2000s, new malicious programs have been specifically designed to hack computers in order to earn money illegally. As a result, the threats to businesses today are no longer limited to simple computer downtime but have become financial and the work of rogue organizations. In this context, the digital transformation has been a great opportunity for cybercriminals.
With the explosion of IoT devices, the number of entry points that hackers can exploit is expanding. An internet-connected thermometer or a humidity sensor can be a way to break into a network and take control of a whole information system, as Théodore-Michel Vrangos, CEO and co-founder at i-Tracing, explained:
“Today, in factories, production lines have robots driven by programmable logic controllers that are connected to the Internet so that maintenance can be provided remotely. But having connected devices makes the whole system vulnerable. In addition to this, companies no longer have IT tools “at home.” All the data is stored on external servers that are connected to the cloud. The cloud brings data sharing with the outside world. So cybersecurity has now become a theme for everyone.”
Nicolas Arpagian, Director of Cybersecurity Strategy at Trend Micro, confirmed:
“Until recently, culture in industry was based on technical isolation and there was little interconnection with the outside world. But as the industry started to deploy sensors and automates to increase productivity, there started to be interactions with supervision tools that were interconnected, and thus doors were opened. But at the time, we didn’t think that a small sensor to check the temperature of a tank, which is not a major technical tool, since it was interconnected, could be an entry point to a system for attackers.”
Remote connection while teleworking on workstations during COVID-19 that were not intended to be used like this accelerated the risk.
What Do You Risk in Case of a Hack?
According to Kaspersky, 90% of companies have experienced some form of external incident. And 1 company out of 3 that experienced a data breach suffered a temporary shutdown of their business with a cost of around $38k for SMEs and $551k for large companies.
According to Fanny Forgeau, CEO of bug bounty platform Yogosha, the implementation of GDPR in Europe puts an additional strain on companies. Since 2016, every company operating in Europe is legally required to secure all the personal data they possess and declare any incidents to the competent authorities. They can face financial penalties of up to 4% of the company’s revenue:
“As soon as someone can enter and retrieve all the personal data of a company, it’s a double penalty for the company: first there is the fine and then there is potentially a stop in production. For e-commerce players, there is also the concern of having vulnerability that allows criminals to order for example 50 washing machines and pay only for one. These flaws are very common.”
Nicolas Arpagian from Trend Micro added that:
“Companies must be aware of the legal obligations imposed on them. In cases of loss or theft of personal data, beyond the fine and litigation, investors may also ask what kind of protection the company has taken and agencies may lower the rating of a company that has not taken sufficient protection measures. The weighting of a rating by a rating agency has a cost that conditions access to borrowing on the financial markets for example. Insurance is also an important point. Insurance companies can recognize the fact that you have been robbed. But at the time of the compensation, the insurers will start to check if you had taken protective measures or not.”
The reputational value of a company is also at stake: In a case of data theft, for example, the attack will result in a loss of reputation and deterioration of the image of the brand as well as a loss of confidence from its customers, suppliers and financial partners.
In the event of ransomware, if it becomes common knowledge that the company paid a ransom, then it might gain a reputation as an easy target and be more at risk to be retargeted by cybercriminals.
What are the Major Cyber Attacks Today?
Badly protected security systems along with human factors are at the center of all cyber attacks. Many of them also rely on social engineering which is a set of manipulation techniques aimed at influencing an individual to commit a malicious act unintentionally.
Being aware of the most common attacks is crucial. Here is a list of the attacks you are most likely to encounter.
A password is the most common way of authenticating access to an information system. Password attacks are therefore widespread because via a person’s password, a criminal can access confidential or critical data and systems, including the ability to manipulate them.
Attackers use different methods to crack a password (social engineering, gaining access to a password database, etc.). A new method, known as a “brute-force attack” uses a program that tries all the possible combinations of information to guess the password.
Malware is unwanted software that is installed on your system without your consent. It can be hidden in legitimate code, in applications or even reproduced on the Internet.
There are several subcategories of malware including the following:
- Ransomware: Ransomware is one of the most frequent types of cyber attack at the moment. In France 60% of attacks observed by IT service management Wavestone are ransomware. Malware blocks access to your data and threatens to delete or disclose it unless you pay a ransom. Your content is then totally or partially encrypted, so that it cannot be used without the decryption key. Usually, the hacker asks to be paid in cryptocurrency, such as Bitcoin for example. They are the work of rogue organizations
- Spyware: this software is generally installed when you download a free application and its aim is to collect information about users, their browsing habits or their computer. This software monitors your every move without your knowledge and sends this data to the cyber-attacker(s).
- Trojan horses: this is a seemingly legitimate program that has malicious intent. Cybercriminals use social engineering techniques to trick you into loading and running this Trojan Horse for example to steal passwords or to copy personal or sensitive content.
- Viruses: these infect applications by attaching themselves to the initialization sequence and replicate themselves, infecting other code in the computer system.
Personal, financial and health data can be of interest to criminal organizations because it can be easily converted into cash over vast geographical areas. This data can be used for identity theft, fraud and phishing.
This technique consists of luring a victim into divulging confidential information. It involves sending emails that appear to come from trusted sources in order to collect personal data or entice victims to take a specific action. These attacks can be hidden in an email attachment or use a link to an illegitimate website to trick you into downloading malware or transmitting personal data.
Denial of Service Attacks
A denial of service attack consists of making an online site or service inaccessible by saturating the server with requests. The over solicited server then crashes. The consequences can be serious. On a merchant site, this type of attack causes an immediate interruption of transactions. Denial of service is often linked to blackmail and extortion operations and can damage a reputation.
According to Nicolas Arpagian from Trend Micro,
“A denial of service attack can sometimes be a distraction so that you focus on repairing the access to your website while an attack is taking place somewhere in your system, for example stealing sensitive data.”
Man in the Middle Attacks
This technique consists in intercepting encrypted exchanges between two parties in order to decode their content. The hacker receives messages from both parties and responds to each pretending to be the other.
SQL (Structured Query Language) injection is a recurring attack affecting websites that use databases. Cybercriminals execute a piece of SQL code to manipulate a database and access potentially sensitive content.
Fake President Fraud
With this kind of attack, cybercriminals contact an employee of the company, generally from the financial department, pretending to be the CEO or one of his/her representatives and ask the employee to make a bank transfer to a bank account abroad. The attackers have generally previously researched the company and have a good knowledge of the staff and reporting relationships. They often present this request as urgent and confidential so as not to give the employee time to think about it. This fraud is a perfect example of social engineering.
This attack exploits a vulnerability inside a network that is new, before there is any patch or any preventive measure released. This attack requires the hacker to be very fast because there is only a small window of action.
Attacks via Suppliers
An IT supply chain attack aims to damage targeted companies by attacking the least secure elements of their application supply chain, for example, by infiltrating a Trojan horse through software produced by one of their vendors.
SMEs Increasingly Targeted but Poorly Protected
For Guillaume Poupard, CEO of ANSSI, the National Cybersecurity Agency for France, decision-makers are now aware of the importance of cybersecurity. At his inaugural keynote speech at Les Assises, he said
“Information systems security is now everybody’s daily life; companies, organizations, administrations.”
More and more companies are now appointing a CISO or at least an IT manager in charge of cybersecurity topics. But Mr. Poupard reckoned:
“SMEs are clearly a blind spot and are prime targets for cybercriminals.”
Small to medium-sized enterprises are less mature in their awareness of cybersecurity and are struggling to take steps to protect themselves due to a lack of financial resources and knowledge. They are thus less well protected and easier to attack.
Miguel de Oliveira is the CEO of AISI Pure Player Infrastructure. The company provides cybersecurity solutions for SMEs. According to him,
“In the majority of cases, the companies we set up risk monitoring tools for come to us after having experienced an attack. We try to offer our services before the attack but often the financial trade-off means that the structure is not ready to pay for a solution before.”
What Can You Do to Prevent an Attack?
For Olivier Ligneul, President of Les Assises and CISO for French energy provider EDF,
“Companies today take into account the importance of cybersecurity, the state of the threat and the danger of this threat. But the impact of implementing protective technologies in order to be less exposed to this threat is difficult to implement due to its level of complexity. Besides, the additional efforts are not necessarily compatible with the constraints of operational activities.”
There are, however, best practices to put into place to better secure an organization, whether it is an SME or a larger group.
Changing passwords regularly and using a different password for each application is crucial. You can also require double authentication. You can check on this website Have I Been Pwned? if your email address has had a breach. If this is the case, your password could have been stolen and you must change it.
Endpoint Detection Response
For Théodore-Michel Vrangos,
“The main entry point is an attack on the workstation, via email, and access to websites. Therefore, we recommend installing an EDR. This new generation of desktop antivirus detects and identifies weak signals of attack for example through attachments. A surveillance eye will identify what is going on and, depending on the situation, the system will isolate a part of the system to prevent the virus from spreading.”
Back up your data on a device and on the cloud to be able to retrieve it in the event of ransomware.
Regularly updating your applications and equipment is fundamental. Cybercriminals very often exploit security flaws that result from the decrease or suppression of the maintenance of the information systems by one of your editors.
Encryption and the use of digital certificates provide effective protection against man-in-the-middle attack.
You must constantly remind your staff not to open suspicious attachments or links of unknown origin on their computer.
You must also make your teams aware of the existence of fake president frauds and remind them, for example, of the procedures for entering and controlling bank transfers including not validating transfers in a hurry.
“The main issue in cybersecurity is the lack of skills and experience”, said Théodore-Michel Vrangos from i-Tracing. Since attacks are becoming particularly sophisticated today, companies require special expertise and agile threat management practices. This is why several external companies have specialized in assisting companies in managing their cyber risk, offering them constant monitoring of their system to be able to detect vulnerability before potential attackers do. Some companies even offer dedicated solutions to SMEs with an adapted budget.
An External SOC
A SOC is an external Security Operation Center that makes it possible for consultants and analysts to exploit the data of cybersecurity tools 24/7 on behalf of a company and to constantly update the protection when new problems occur.
A SOC is for example able to detect weak signals on the workstations and to know if a workstation has connected to a suspicious server. The SOC operator then informs the customer and together with the company, they take containment measures, for example, in this case, the isolation of the machine.
i-tracing is providing this type of expertise, explained Mr. Vrangos:
“First, there is a consulting phase where we help the client identify his weaknesses and priorities. We can’t cover everything so the client must choose what is vital. Depending on the company, this audit can last several weeks or several months. Then we do the engineering, we choose and integrate the tools according to the needs of the customer, his budget, his organization. We have already tested these tools, we work with the major publishers in each field. We then implement the solution. The deployment of a SOC takes 1 or 2 months.”
The company says they provide SOC for 35 customers, including CAC 40 companies, over several years, 24/7, with centers in Hong Kong and Montreal to cover the 24/7. According to Mr. Vrangos, companies resort to external SOCs because of the difficulty to ensure permanent control of the installations. He also said he noticed more and more industrial companies are asking for a SOC.
“All of our customers in the industrial sector (logistics, storage) have a huge end-to-end chain security problem (robotic control, valves, automats) so we have more and more SOCs dedicated to the industrial sector.”
But this has a cost: the audit phase to determine the client’s priorities of protection costs around 20 000€ with i-tracing, while a SOC costs 500 to 700 000€ per year.
But SOCs are not just for big groups and lower-cost solutions are also available.
AISI Pure Player Infrastructure supports SMEs in identifying their risks and defining a strategy to cover them via a security operation center. They say that in a month, they can build a SOC for an SME with security technologies and tools they can install on the client’s network, or on its machines, or on its servers. The SOC
For Miguel de Oliveira, the CEO,
“We choose the editors based on a benchmark that we have made of all the editors on the market. We work with vendors like Sentinel One, Microsoft or Fortinet. We have adapted this benchmark exclusively to SMEs. We adapt to the budget of the companies and we choose technologies that require a minimum of intervention time in order to reduce the service costs. The goal is to avoid having to pay a ransom.”
Their first solutions start at €2,500 per month and they have multi-year plans for tens of thousands of euros.
One of the major cybersecurity challenges in industry is linked to the heterogeneity of the equipment and the fact that the equipment works 24/7, explained Nicolas Arpagian from Trend Micro:
“There is a succession of historical technologies in industry with different generations of software, different operating systems which contribute to heterogeneous sets. The problem is that these systems work 24/7 and the risk is to weaken them with security systems. For example, we can not necessarily stop blast furnaces to install safety systems. So there are industrial constraints to be taken into account when carrying out safety maintenance for example. It can also happen that software publishers no longer maintain their old products which creates vulnerabilities.”
Trend Micro created Virtual Patching, a patch that responds to the heterogeneity of systems and fills in the security gaps that would result from the reduction or suppression of information system maintenance by a given editor. Their console, Vision One, provides harmonized metrics on the supervision of networks, the cloud, messaging and applications to provide the most readable picture possible.
“We provide an operational console for the people in charge of security so that they have an up-to-date view of their security status or the nature of the insecurity when a problem occurs. This allows us to program and characterize detection tools, to establish processes for exposing alert signals, to document operating procedures and to have tools that can be used and read.”
Companies that have launched a new system or equipment can often be victims of a Zero Day attack where cybercriminals exploit a potential fragility in the equipment.
Bug bounty platforms can help with this, by creating an environment that allows ethical hackers to work on software, hardware and operating system vulnerabilities with a controlled process of identification and validation of these vulnerabilities in order to develop patches in cooperation with the industry. The idea is to be proactive in order to continuously improve information systems.
Fanny Forgeau from bug bounty platform Yogosha explained:
“We have software editors that come to us to test their solutions to prove that their systems are completely safe. We also have start-ups who need to be compliant before serving large groups.”
Guillaume Vassault-Houlière is the co-founder of Yes We Hack, another French bug bounty platform. He shared with us an interesting case study:
“During the COVID crisis, Doctolib intensified teleconsultation and accelerated development to bring out a product very quickly. They came to us to make sure that their systems were safe before releasing it to the public.”
All these available solutions, however, should not make us forget that there will always be new attacks because everything revolves around human activities which are by definition fallible.
Olivier Ligneul warned,
“In view of the colossal and asymmetrical means used to undermine companies, whatever their sector of activity, it is not possible to close all the open doors because we do not have enough capacity to do that on the entire exposed surface. We have to focus on the most important threats, on those that can impact the activity of the organizations in order to focus on the appropriate means of defense, the means of detection and the means of reaction”