Samantha Mueller reports from the CAS Digital Masterclass session with Ralph Hutter:

What risks are there in the digital world? Answering this question and highlighting the many issues and challenges facing cyberspace was the objective of this class led by Ralph Hutter, the HWZ CAS Digital Risk Management course administrator.

It is impossible to keep up with all the screenshots that could be included to illustrate all the digital risks on the internet today. The following are just three examples of what can happen when criminal minds or rogue states decide to use the internet for their own gain:

The world is a dangerous place, Elliott, not because of those who do evil, but because of those who look on and do nothing.
– Mr. Robot

Digital technologies raising new legal questions and causing reputation damage

All the data that is being collected via our digital devices opens up new dimensions of legal regulation. For example, can data that Alexa (Amazon’s intelligent personal assistant) might have recorded be used in a murder case? This is an actual case currently making headlines in the US State of Arkansas.

Another case closer to home is the malfunctioning of the Postfinance E-Banking systems. The reason is still unknown, but this has caused huge reputational damage to the company. Several more cases were highlighted showing how there are many new risks in the evolving digital world today.

Cyber Crime Statistics

KOBIK (Koordinationsstelle zur Bekämpfung der Internetkriminalität), the Swiss agency for fighting cybercrime, released some frightening numbers in its Annual Report 2014. The number of registered complaints about cybercrime has increased dramatically, in particular with regard to financial crime: fraud, phishing, data destruction, sextortion, stolen email accounts, romance scams, etc. It is a big business!

The ENISA Threat Landscape Report 2016 (European Commission) indicates that the picture is the same in Europe as in Switzerland. The number one issue is malware, in second place are web-based attacks on web browser technology, and in third place are web application attacks (native apps).

An additional report, Emerging Cyber Threats Report 2016, highlighted 4 key themes:

  1. The privacy tug-of-war between individuals and organizations has become a tug with no war.
  2. Exponential growth in the Internet of Things over the past two years creates a larger cyberattack surface.
  3. The digital economy is growing more complex while a lack of highly trained security workers persists worldwide.
  4. Cyber espionage shows no sign of abating.

Who are these Cyber attackers?

  • Recreationalist: Just for fun
  • Criminals: Not very sophisticated small crime
  • Hacktivist: Targeted attacks, usually to make a statement. Example: Anonymous movement, WikiLeaks, etc.
  • Organized Crime: Established network, highly organized for financial gain
  • State Sponsored: Espionage, either for state secrets or to gain an economic advantage

Hacktivists such as Anonymous who don’t do harm could be seen as serving a positive purpose in cyberspace in that they bring “justice” to unfair operators. Not all hackers have malicious intent, but they can be a big nuisance. However, fake news produced by troll farms is usually sponsored by a state and has the objective of harming or influencing a process or institution. For example, the Russian involvement in the US elections.

Case Studies

  • Israel’s attack on Iran’s uranium enrichment program: A great documentary on Netflix is a recommended must-see on this case.
  • Carbanak cybergang stealing USD 1 billion from a bank: The gang basically hacked the system via an employee and studied the bank’s processes; once they had learned them, they transferred the money “officially” to another account. A great documentary was also made on this case.

What is the role of the authorities in Switzerland?

There are two organizations in Switzerland for cyber security: MELANI (oversight of infrastructures of national security and prevention of attacks) and KOBIK (The Cybercrime Coordination Unit). The two organizations have slightly different mandates which are detailed below:

Group Work: Anatomy of a hack – Ransomware Attack

We watched a movie about how cyber criminals managed to hijack a company’s IT with ransomware in exchange for bitcoins. We then reviewed how they did it:

Step 1: Social engineering: researching the target person and mimicking their behaviour to send an email to staff with a malware attachment.

Step 2: An employee opens the email and the malware is installed, blocking the system.

Step 3: Send a ransom note demanding bitcoins for an unlock code.

Results: Company stock drops, company has huge reputational damage due to data leak and CEO resigns.

What was the motivation of this attack? The bitcoins from ransom plus profiting from the drop in the stock.

How to best prevent attacks on personal data

The number of attacks has increased exponentially since 2004. To check your personal account, go to https://haveibeenpwned.com/ and enter your email to see where your data has been illegally accessed. It is scary!

To protect your accounts, it is recommended that you change your passwords and don’t reuse the password for other accounts. Manage these passwords in an online safe for example on:

The best passwords have more than 8 letters, with upper and lower case, including numbers, and contain no words or phrases.

Secure Browsing

According to the Kaspersky Report, 48 percent of attacks come via the browser! Stay away from apps and sites that offer free services which would normally be expensive, for example a free Photoshop app. If it seems too good to be true, it will most likely infect your system.

Here are some more tips on how to best surf and ensure you protect your system from attack:

  • Don’t use Internet Explorer; use Opera
  • Avoid using plug-ins like Java and Adobe Reader
  • When using public Wi-Fi always use a VPN
  • Use Ghostery to prevent ad tracking
  • Use alternative search engines such as duckduckgo.com
  • Clear browser history and cookies on a regular basis

Possible solutions for backing up your data

  • External HD: Back up data and eject it from the computer.
  • NAS (Network Attached Storage): Alternative to an external HD.
  • Cloud: Virtual data storage which can be accessed externally.
  • Apple Time Machine: Backs up the entire computer on a regular basis, allowing you to go back in time to see the content at any given time.
  • SpiderOak: A mix between Dropbox and Time Machine in a cloud. It has a good free option.

Key Learnings from the course

  • The threat is real! Cyber criminality is a big business.
  • The chance that you are personally attacked is not very high, but it is still important to protect yourself.
  • Beware of phishing attempts.
  • Guard your password and make sure it’s a secure one.
  • Use the right browsers and a VPN when surfing on public Wi-Fi.
  • Password protect your computer.
  • In a family, every member should have a separate account on the PC and only one person should be the administrator.