Big business is at greater risk of cyber attack

The number of cyber attacks on UK corporates rose sharply during 2011, according to new figures.

Cyber attacks are now a high-level concern for government and business leaders, both for the cost and disruption they cause and because they regularly target operators of critical infrastructure such as electricity grids and gas and oil supplies.

The PwC study of 447 UK businesses found that large organisations suffered on average 54 significant attacks in 2011, twice the level of 2010. Large companies now face an attack from outside roughly every week, the consultancy says.

The increase represents a rising cost to business. Companies' single worst security breach of the year cost between £110,000 and £250,000 for large businesses and between £15,000 and £30,000 for small ones.

Separately, figures released by the FSA show that UK companies reported 185 breaches during the three months of June, July and August 2011. Because reporting breaches is voluntary in the UK, however, the actual number of attacks for the period is thought to be much higher.

The fact that the UK Department for Business, Innovation and Skills supported the PwC survey demonstrates how important the issue is to government.

Cyber criminals target companies that hold valuable digital assets. Direct action groups, meanwhile, target organisations they believe are acting unethically. More sinister still are attacks by nation states on one another: the world's most sophisticated cyber attacks are funded and co-ordinated by governments.

The emergence of cyber attacks as a threat to UK corporates

Who’s attacking businesses and how they are fighting back

The perpetrators
Digital activists known as 'hacktivists' are purportedly driven by political or ethical values. The hacker group Anonymous attacked PayPal and MasterCard after those companies withdrew their services from WikiLeaks over the leaked US embassy cables in November 2010. LulzSec (short for Lulz Security) is a splinter group of Anonymous.

Disgruntled employees, who may hold insider information, are also a potential cyber threat to corporates. Competitors - who have always been motivated to gain inside information on their rivals - now have more options for commercial skulduggery.

Counter techniques
One way to test how robust defences are is to simulate an attack. The official London 2012 Olympic website, for example, was put through a simulated DDoS (distributed denial of service) attack this year.

Another response is to encourage hackers to become 'white hats', paid a reward for telling a company about a security vulnerability they discover. Nine people in the UK have been paid a total of $11,000 (£6,800) in 'security bug bounties' by Facebook. To qualify for the cash they have to abide by Facebook's responsible disclosure policy, and they typically receive $500 per reported bug.

Cyber attacks in the UK

Lush Cosmetics
Attack vector: Breach originated through a third-party email supplier
When: October 2010 to January 2011
Attributed to: Cyber criminals
Impact: Lush lost the payment card details of 5,000 customers and was found by the UK Information Commissioner to be in breach of the Data Protection Act, but was not fined.

Sony PlayStation Network
Attack vector: What Sony termed "external intruders" made off with unencrypted files
When: April 2011
Attributed to: Cyber criminals
Impact: The attackers stole the personal details of 77 million customers and forced the service offline for 24 days. In a separate hit, the hacker group LulzSec subsequently targeted Sony, taking yet more unencrypted information.

Play.com (online retailer)
Attack vector: Phishing and malicious websites
When: March 2011
Attributed to: Cyber criminals
Impact: Hackers targeted one of Play.com's third-party marketing websites, where user information was held. The criminals took users' names and email addresses for use in phishing emails directing recipients to bogus websites in an attempt to extract sensitive information.

RSA Security
Attack vector: Malware
When: March 2011
Attributed to: Unknown hackers
Impact: Hackers co-ordinated a sophisticated attack on the security firm's own security products, which are used to protect company and government systems. The attack is thought to have been staged to enable a subsequent attack on the arms maker Lockheed Martin.

Lockheed Martin
Attack vector: Using information gathered in the successful RSA attack, the hackers tried to gain entry through Lockheed Martin's remote access system
When: May 2011
Attributed to: Unknown hackers
Impact: The company spotted the attack quickly and shut down remote access, foiling the hackers. Lockheed Martin manufactures satellites, Trident missiles and fighter jets, and the attackers are suspected of having aimed to steal sensitive intellectual property.

Monster.com (job hunting website)
Attack vector: Monster did not disclose the hacking technique, though a similar attack on the company in 2007 originated in Ukraine
When: January 2009
Attributed to: Cyber criminals
Impact: Personal information was stolen from 4.5 million users of the job board, including names, addresses and dates of birth. Monster quickly admitted the attack and sent guidance letters to affected users.

Booz Allen Hamilton
Attack vector: Anonymous said in a statement that the data had been taken from a poorly protected server
When: July 2011
Attributed to: Anonymous (hacker group)
Impact: The consulting firm had been working for the US Department of Defense. The hackers took 90,000 email addresses and passwords belonging to military personnel. Anonymous claims its hacking is intended to publicise security flaws rather than to steal data.

Nissan
Attack vector: Malware placed on the employee login portal harvested workers' login details
When: April 2012
Attributed to: Unknown hackers
Impact: The car manufacturer said in a statement that it believed the attackers were after intellectual property concerning its electric vehicle 'drive train' system.

BAE Systems-Lockheed Martin joint strike fighter project
Attack vector: Hackers gained access to an offline computer containing fighter jet designs worth $300bn
When: 2008-09
Attributed to: Unknown hackers, who appear to have originated in China
Impact: Sophisticated hacking techniques led the attackers to an internal communications link, giving them access to a computer that was not connected to the internet and on which information about the aircraft was stored.