Story image

APAC Cybersecurity trends ahead: The costs of connection

18 Jan 2018

Article by ESET senior research fellow Nick FitzGerald.

In 2017, we saw an increasing number of cybersecurity incidents grabbing the headlines in the mainstream media. As we begin 2018, there is no doubt that cybersecurity will continue to generate further  discussions. In Asia Pacific, we saw sensitive data on Australia’s advanced aircraft stolen, Singapore’s leading universities hit and Malaysia’s biggest mobile data breach affecting some 46.2 million subscribers.

One phrase is likely to be heard time and time again. Cyberthreats and attacks are here to stay. Indeed, they will continue to expand in scope and volume this year. They may evolve and diversify, but a common underlying thread will persist – an effective cybersecurity posture pivots on knowledge of the value of information, coupled with insight into and an understanding of the threatscape.

Arming ourselves with facts and experience, better enables us to control the criminal hive mind swarming online. To help the reader navigate through the maze of such threats, ESET’s thought leaders have zeroed in on several areas that top the priority list in our exercise in looking forward.

Criminals following the money

With data being the most valuable asset (so much so that many have called data ‘the new oil‘), ransomware is poised to remain in great demand among cybercriminals. With an eye to slashing the risk that your data may end up mangled, we offer take-home lessons and observations gleaned from the recent evolution of ransomware.

Cautiously, we extrapolate from recent trends to the foreseeable future. We note the largely indiscriminate nature of ransomware campaigns and highlight the perils of paying up in exchange for (by no means guaranteed) restoration of access to data held ransom. Organisations seen as willing to pay up in lieu of hardening their defenses may run the risk of finding themselves a target of choice, yet with no certainty of getting their data back.

In a world of smartphones and other mobile devices, attackers are more focused on denying the use of devices themselves than on data stored therein.

The generally perilous state of affairs in the Internet-of-Things (IoT) arena presents a host of challenges of its own, as the dramatic increase in the number of smart devices shows no signs of stopping especially with the APAC region expected to lead the IoT charge over the coming years. By contrast, the addressing of security concerns is often an afterthought.

Where cyber meets physical

On a different note, we cannot help echoing our past – and prescient – sentiment that attacks aimed at critical infrastructure are set to continue to generate headlines. Worryingly, industrial equipment targeted by malware known as Industroyer – the biggest threat to industrial control systems (ICS) since Stuxnet – is in wide use, while much equipment in ICS was not designed with internet connectivity in mind.

Making things worse, prompt upgrades, though important in striving for a secure environment, are not always a panacea: the drive towards a cheap generic architecture for industrial devices may introduce additional weaknesses into the supply chain, ultimately endangering our physical safety.

Democracy in peril?

Electronic voting systems – another obvious area where security is playing catch-up with technological advancements – are grappling with vulnerabilities of their own. The preponderance of evidence that such systems can be manipulated highlights the risks of over-reliance on technology for something as significant for our societies as elections. This was the case in 2016 when Philippines suffered an elections hack that affected 70 million people and raised questions regarding the security of the automated voting machines used.

This brings us to the overarching question: can a cyberattack rig the results of a nation's election and, thereby, subvert democracy? We note the use of social media for undermining election campaigns by spreading faux news reports or launching ad hominem attacks.

Admittedly, such attacks may not signal doomsday for democracy, yet technological interference poses critical challenges in opposition to the need to ensure the legitimacy of future elections. To this end, all aspects of an electoral system must be regarded as part of every country’s critical infrastructure, and be safeguarded accordingly.

Privacy and data bonanza

The apparent appetite among some trusted security vendors for the monetization of user data in exchange for free antimalware software is set to persist into the next year. This will add to risks associated with data privacy, which is already under fierce attack given the endless trail of digital exhaust left behind by a plethora of (notably IoT) devices.

Such digital breadcrumbs can be collected to tell a story about us and, coupled with machine learning and artificial intelligence, that story could be used as a basis for manipulating our thoughts and actions. The data detritus should raise concerns of users as to what ‘free’ products or services actually entail and how the data being slurped are used.

While we hope for greater user awareness, we suspect that the stockpiles of data will expand dramatically next year with little awareness on the user’s part. We may not be able to put the toothpaste back in the tube, but we need to make informed decisions and choices lest our privacy be eroded further.

Safer for all

This year has seen ESET’s malware analysts continue to help law enforcement crack down on malicious campaigns and, by extension, the criminals spewing them. We are confident that 2018 will bring further successful investigations as we will continue to lend a hand to authorities so that, ultimately, the internet can become a safer place for everyone – except cybercriminals.

We also believe that the increasing general awareness of cyberthreats and our preparedness to cooperate in tackling any and all manner of felonious wares served up by attackers will accrue to our shared benefit, particularly as technology is now woven through the entire fabric of our societies and we face a host of internet-borne threats.

Thycotic debunks top Privileged Access Management myths
Privileged Access encompasses access to computers, networks and network devices, software applications, digital documents and other digital assets.
Veeam reports double-digit Q1 growth
We are now focussed on an aggressive strategy to help businesses transition to cloud with Backup and Cloud Data Management solutions.
Paving the road to self-sovereign identity using blockchain
Internet users are often required to input personal information and highly-valuable data from contact numbers to email addresses to make use of the various platforms and services available online.
Tech Data to distribute Nutanix backup solution in A/NZ
Tech Data will distribute HYCU Data Protection for Nutanix backup and recovery software to their network of partners across Australia and New Zealand.
Veeam releases v3 of its MS Office backup solution
One of Veeam’s most popular solutions, Backup for Office 365, has been upgraded again with greater speed, security and analytics.
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Tenable is hedging all of its security bets on the power of predictive, as the company announced general available of its Predictive Prioritisation solution within Tenable.io.
Safety solutions startup wins ‘radical generosity’ funding
Guardian Angel Security was one of five New Zealand businesses selected by 500 women (SheEO Activators) who contributed $1100 each.
Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.