The Cisco 2018 Annual Cybersecurity Report and the Def Con 26 Hacker Conference, held in August in Las Vegas, Nev., both offered warnings that hackers are getting more adept and dangerous—and that the number of targets is growing.


THE CISCO REPORT

Cisco’s 11th annual cybersecurity report (http://bit.ly/2MPe5Od) is divided into two parts. The first half considers the attack landscape, and the second half addresses the defender landscape. Here are some of the unsettling conclusions:

  1. Attackers are evolving malware to unprecedented levels of sophistication and impact.

Cisco researchers describe this as “one of the most significant developments in the attack landscape in 2017.” Network-based ransomware cryptoworms no longer require humans to launch the campaigns, and worse yet, some of these campaigns aren’t looking for ransom. The Nyeta wiper malware, for instance, looks like ransomware, but its payload obliterates systems and data. This self-propagating malware, Cisco researchers say, “has the potential to take down the internet.”

  1. Adversaries are getting better at “evasion and weaponizing cloud services and other technology used for legitimate purposes.”

Encryption, which used to be a tool to ensure security, is now being used by hackers to evade detection. Another defensive tactic, isolating documents in a “sandbox” (i.e., off the network) while evaluating them, can now be defeated with malware that’s activated after the “document_close” instruction erroneously indicates the document isn’t a threat.

Cybercriminals are also adopting command-and-control channels that use services like Google, Dropbox, and GitHub to mask their activity. A new tactic involves launching multiple campaigns from a single registered domain to save money.

  1. With the proliferation of unpatched and unmonitored Internet of Things (IoT) devices and cloud services, attackers have new ways to infiltrate networks.

IoT botnets (networks of autonomous launchers) are expanding, waiting to be activated in distributed denial of service (DDoS) attacks. Security teams have difficulty defending cloud and IoT environments without clear guidelines for who is responsible for these areas.

Security breaches cause real economic damage that can require months or years to repair. According to the Cisco report, “More than half (53%) of all attacks (in 2017) resulted in financial damages of more than US$500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs.” Yet the report concludes that the greatest obstacle to security continues to be budget constraints regarding security spending.


DEF CON 26

For the last 25 years, the international cybersecurity conference Def Con has drawn the widest variety of hackers of all ages, along with federal agents, academics, and researchers.

One of the more interesting work groups this year addressed the geopolitical problem of elections security. In the area called Voting Village, hackers were asked to infiltrate different voting machines, and, in a side room, 39 kids (ages 6 to 17) were asked to get into and take control of websites that were duplicates of state election websites.

The fastest to get into the replica Florida elections website was 11-year-old Audrey Jones, who took just 10 minutes to get where she could change reported election results and information such as where to go to vote. Either of these hacks, if part of a widespread disinformation campaign, could have serious results in a real election.

The voting machine challenge took a little longer, but one hacker took a couple of hours to take over the voting machine and turn it into a music player with animations.

Like the Cisco report, many at Def Con also cited underfunding for security as a primary reason for the vulnerabilities in election management and reporting.

Another interesting discovery at the conference was presented by Doug McKee, a senior researcher at McAfee’s Advanced Threat Research Team. He reported that the RWHAT medical protocol used by medical devices to monitor a patient’s condition and vital signs was hackable in real time. Data sent from the machines to medical personnel could be falsified, and that information could cause a doctor to prescribe incorrect medications or even miss a serious ongoing event, like a stroke or heart attack. The RWHAT protocol requires neither authentication nor encryption for its data streams. An intruder could replace the monitor, not just interfere with the information feed.

Although the two venues could hardly be more different, the warnings from Cisco and the hackers do converge: The challenges are increasing, and the funding to meet them is too often inadequate.

About the Authors