In this fast-paced industry, digitization and staying connected are playing a vital role. This is further coupled with the proliferation of cloud-based and mobile technologies.
"Why focus on security?" is a question that has moved from mere security team discussions to board room discussions, and it doesn't stop there either. This, now, is the talk of the industry today. Everyone we know around us, in our work places or otherwise, is talking about security, one way or the other. Security is no longer just a requirement of an IT administrator, or security administrators in an IT organization. It is now the requirement of all those entities who are connected in one way or the other with any type of data.
The importance of cybersecurity, as the name suggests, will be the crux of the discussion in this chapter, and we will closely look into the following:
- The history of breaches
- The importance of securing networks and applications
- The threat landscape
- How security helps
The general notion encircling hacking is that it started a few decades ago. However, in reality, hacking was in practice even before that. it goes as far back as 1834, yes almost two centuries back. Historically, it came to light in the year 1836 when two persons involved in the act were caught. During the last decade of 1700, France implemented its national data network to transfer data between Paris and Bordeaux, which was one of its kind at the time. It was built on top of a mechanical telegraph system, which was a network of physical towers. Each tower was equipped with a unique system of movable arms on the tower top.
The tower operators would use different combinations of these arms to form numbers and characters that could be read from a similar distant tower using a telescope. This combination of numbers and characters was relayed from tower to tower until it reached the far end. As a result, the government achieved a much more efficient mechanism of data transfer, which resulted in greater time saving. Interestingly, all this happened in the open. Even though the combinations were encrypted, and would've required an experienced telegraph operator to decode the message at the far end to bring up the original message, the risks were just around the corner. The following image is one such tower:
This operation was observed by two bankers, Francois and Joseph Blanc. They used to trade government bonds at the exchange in Bordeaux, and it was they who figured out a hack to poison the data transfer in between, and include an indicator of current market status, by bribing a couple of telegraph operators. Usually it took several days before the information related to Bond performance reached Bordeaux by normal mail, now, due to this hack, they had an advantage to get that same information well before the exchange in Bordeaux received it. In a normal transmission, the operator included a Backspace symbol to indicate to the other operator that he needed to avoid the previous character and consider it as mistake. The bankers paid one of the operators to include a deliberate mistake with a predefined character, to indicate the previous day's exchange performance, so that they could assume the market movement and plan to buy or sell bonds. This additional character did not affect the original message sent by the government, because it was meant to be ignored by the far end telegraph operator. But this extra character would be observed by another former telegraph operator who was paid by the bankers to decode it by observing through a telescope. Also, the Blanc brothers did not care about the entire message either; all they needed was the information related to market movement, which was well achieved through this extra piece of inert information. The Blanc brothers had an advantage over the market movement and continued to do this for another two years, until their hack was discovered and they were caught in 1836. You can read more about such attacks at https://www.thevintagenews.com/2018/08/26/cyberattacks-in-the-1830s/.
The modern equivalent of this attack would perhaps be data poisoning, man-in-the middle attack, misuse of the network, attacking, or social engineering. However, the striking similarity is that these attacks often go unnoticed for days or years before they get caught. This was true then, and it's true today. Unfortunately, the Blanc brothers could not be convicted as there were no laws under which they could be prosecuted at that time.
Maybe the Blanc brothers' hack was not so innovative compared to today's cyber attacks, but it did indicate that data was always at risk. And, with the digitization of data in all shapes and forms, operations, and transport mechanisms (networks), the attack surface is huge now. It is now the responsibility of the organization and the individuals to keep the data, network, and computer infrastructure safe.
Let's fast forward another 150 years, to the late 1980s. This is when the world witnessed the first ever computer virus—Morris worm. Even though the creator of the worm, Robert Tappan Morris, denied the allegation that it was intended to cause harm to computers, it did, indeed, affect millions of them. With an intention to measure the vastness of the cyber world, Tappan wrote an experimental program that was self-replicating and hopped from one computer to another on its own.
This was injected to the internet by Morris, but, to his surprise, this so-called worm spread at a much faster rate than he would have imagined. Soon, within the next 24 hours, at least 10% of the internet connected machines were affected. This was then targeted to ARPANET, and some reports suggested that the of connected computers at the time was around 60,000. The worm was using a flaw in the Unix email program, sendmail, which typically waits for other systems to connect to the mail program and deliver the email, and a bug in the fingerd daemon. This worm infected many sites, which included universities, military, and other research facilities. It took a team of programmers from various US universities to work non-stop for hours to get to a fix. It took a few more days to get back to a normal state. A few years later, in 1990, Morris was convicted by the court, for violating the Computer Fraud and Abuse Act; unlike at the time of Blanc brothers when there was no law to prosecute, this time there was.
Fast forward another two decades to 2010, and the world saw what it never imagined could happen: an extremely coordinated effort to create a specifically crafted piece of software, Yes Software, which was purpose-built to target the Iranian nuclear facility. It was targeting Industrial Control Systems, otherwise known as ICS. This was designed only to target a specific brand and make of ICS by Siemens, which controls centrifuges in a nuclear facility to manage their speed. It is presumed that it was designed to deliver onsite, as per some reports, because the Iranian facility that it was targeting was air-gapped. This was one of its kind industrial cyber espionage.The malware was purpose-built so that it would never leave the facility of the nuclear plant. However, somehow, it still made its way out to the internet, and there is still speculation as to how. It took researchers many months after its discovery to figure out the working principle of the malware. It's speculated that it took at least a few years to develop to a fully functional working model. After the Stuxnet, we have witnessed many similar attack patterns in forms of Duqu, and Flame, and it's believed by some experts in this field, that malware similar to these are apparently still active.
Currently, we are seeing extremely new variants of attack with new modus operandi. This is to earn money by using ransomware, or to steal data and then try to sell it or destroy it. Alternatively, they use victim infrastructure to run crypto miner malwares to mine cryptocurrencies. Today, security has taken center stage, not only because the attack surface has increased for each entity, or the number of successful high profile and mass attacks are a norm, but because of the fact that each one of us now knows that the need for securing data is paramount, irrespective of whether you are a target or not.
To make it more intuitive and simpler, let's look into a few scenarios as we proceed further with this chapter to discuss the need for security:
- Scenario (organizations in general): Try to visualize an organization with standard digital and IT functions that caters to their business needs. As an organization, it is important that the digital and IT infrastructure that you use is always up and running. Also, the organization has the responsibility to secure the identity, data, network, equipment, and products that you deal with. Digitization is the norm today for all businesses and organizations. Digitization brings in connectivity and a mixture of all the various different technologies working together to achieve the set business goals for the organization. With the increase in digitization, the level of connectivity also increases, within the boundary and outside the boundary of the organization. This connectivity also poses a risk to the security of the organization (we will discuss this further in the following chapters).
Digitization and connectivity largely fits into three macro aspects, namely: identity (by which we allow the users to interact), data (individual, business, personal, or system), and network (the connection part). Furthermore, we should not forget the factors that bring them all together, namely: equipment, solutions, and various business processes and applications. Any organization today controls the level of access needed to view, modify or process data, or access a business application/system through identity. It is the de-facto requirement for the organization to secure these identities. You also need proper measures to secure the data you are handling, be it at rest, motion, or during compute. And it is an obvious fact that the network perimeter, be it physical or in the cloud, has to be secured with proper measures and controls. This scenario is to set the context; we will talk more about these aspects in the following chapters.
- Scenario (everything is moving to cloud): As most organizations are moving to cloud at a rapid speed, the need for higher processing capability and reduced operating cost benefit is increasing. Cloud, as a technology, provides more scalability for businesses when it is required. Also, as the global footprint of each business is now increasing, the need for collaboration is important and cloud makes it possible. Employees nowadays prefer working remotely, thereby eliminating the need for office infrastructure. The other important benefit of cloud computing is that it takes away the burden from IT about constantly keeping track of new updates and upgrades of software and hardware components.
But, as it is true that technological advancements bring in more control, speed, power, accuracy, resiliency, and availability, they also bring in security concerns and risks. Cloud is no different when it comes to security concerns and the risks that are exposed if it is not properly implemented or used. The biggest boon of cloud is that the organizations are reaping the benefit of not owning any infrastructure or operations of their own. This boon also brings in security risks and concerns, such as who has access to the data that is positioned in the cloud, how do you maintain and manage security regulatory requirements, and how do you keep up with compliance mandates such as GDPR and others? Cloud computing also complicates the disaster recovery (DR) scenario for each organization because it depends on the service provider's terms and conditions and their business model around data recovery. Moreover, organizations have no control where the cloud provider will bring up their data center and operate from, which raises concerns around data sovereignty. There are many other challenges and risks around operating from cloud, which will be discussed in relevant portions of this book.
I am sure, by now, that you have a grasp of security and its importance to some extent. So, let's take a look at what attack surface is, and how we define it, as it's important to understand the attack surface so that we can plan well for our security. In very simple terms, attack surface is the collection of all potential vulnerabilities which, if exploited, can allow unauthorized access to the system, data, or network. These vulnerabilities are often also called attack vectors, and they can span from software, to hardware, to network,and the users (which is the human factor). The risk of being attacked or compromised is directly proportional to the extent of attack surface exposure. The higher the number of attack vectors, the larger the attack surface, and the higher the risk of compromise. So, to reduce the risk of attack, one needs to reduce the attack surface by reducing the number of attack vectors.
We witness all the time that attacks target applications, network infrastructure, and even individuals. Just to give you an extent of attack surface and the exposure, let's look into the Common Vulnerabilities and Exposure (CVE) database (https://cve.mitre.org/cve/). It has 108,915 CVE entries (at the time of writing this chapter), which are all those that have been identified so far over the past few decades. Certainly many of these are now fixed, but some may still exist. This huge number indicates how big the risk of exposure is.
Any software that is running in a system can potentially be exploited using vulnerabilities in the software, remotely or locally. This applies particularly to software which is web facing, as it is more exposed, and the attack surface is much larger. Often, these vulnerable applications and software can lead to the compromise of the entire network, and also pose a risk to the data it is managing. Apart from these, there is another risk that these applications or software are exposed to all the time: insider threat, where any authenticated user can gain access to the data that is unprotected due to badly implemented access controls.
On the other hand, an attack surface that exposes network attacks can be passive or active. These attack surfaces can allow the network services to collapse, make it temporarily unavailable, allow unauthorized access of the data flowing through the network, and so on.
In the event of a passive attack, the network can be monitored by the adversary to capture passwords, or to capture information that is sensitive in nature. During a passive attack, one can leverage the network traffic to intercept the communications between sensitive systems and steal the information. This can be done without the user even knowing about it. Alternatively, during an active attack, the adversary will try to bypass the protection systems by using malware or other forms of network-based vulnerabilities to break into the network assets; active attacks can lead to exposure of data and sensitive files. Active attacks can also lead to Denial-of-Service type attacks. Some common types of attack vectors are:
- Social engineering, scams, and so on
- Malicious URLs and scripts
- Browser-based attacks
- Attacks on the supply chain (which is rising day by day)
- Network-based attack vectors
The attack surface also brings in another term, threat landscape. We, in the cybersecurity community, talk about it every day. Threat landscape can be defined as the collection of threats that are observed, information about threat agents, and the current trends of threats. It is important that every security professional keeps track of the threat landscape. Usually, many different agencies and security vendors will release such threat landscape reports, for example, ENISA (European Union Agency for Network and Information Security), and NIST (National Institute of Standards and Technology), along with some of the big security corporations.
Moreover, the threat landscape is an extremely dynamic space; it changes very frequently, and is driven by many factors, such as available tools to exploit vulnerabilities, the knowledge base of available resources and vulnerabilities, and the skill requirements to place an attack. (This is becoming increasingly easy due to the freely available tools on the internet.) We will talk more about the threat landscape resources in following chapters in this book. The following is a list of different threats in 2016-2017 and their relative rankings:
The preceding image is the threat landscape for 2017 based on a report from ENISA. This brings us to a point where it is important to know a little bit about some common types of attacks:
- Unstructured attacks: These are one of those attacks where the adversary has no prior knowledge of the environment they are launching an attack on. Mostly, in such scenarios, they rely on all the freely available tools. Unstructured attacks are often targeted en masse, based on any common vulnerability and available exploitation.
- Structured attacks: In the case of a structured attack, unlike an unstructured one, the adversary is much more prepared and well planned in carrying out the attack. In most of the cases of structured attacks we notice that the attackers demonstrate their advanced skills of programming, and knowledge about the IT systems and applications they are targeting. These attacks can be highly organized in nature and mostly targeted towards an individual entity or industry vertical.
- Social engineering (phishing, spear phishing, and so on): This attack is targeted towards one of the weakest links, humans. In this attack, the user is exploited in various ways. Often these attacks are successful because of a lack of knowledge or ignorance. Information is extracted from the user by tricking them one way or the other. The most common way is by phishing and spear phishing. In a phishing and spear phishing attack, data is extracted by impersonating something that looks authentic to the user, such as, posing as an administrator helping the user to reset their password, and other account details, via a web portal. These portals are specially crafted to suit the purpose of extracting data which the attacker wishes to collect. Users fall prey to those, and share sensitive information.
- Eavesdropping: This attack can be performed by gaining unauthorized access to the network and listening to the network communications. Commonly, all the traffic that is not encrypted can be easily targeted by the attacker.
- Denial of Service (DoS and DDoS): This is one of the oldest forms of network-based attacks, where the attacker will attempt to overwhelm the processing or computing capacity of the application or device by sending such a flood of data that it is more than the application or the device can handle, thereby disrupting the system. On the other hand, distributed denial of service (DDoS), is launched from multiple sources towards a single victim application or system on a very large scale, more than the amount that can be handled. This is one of the hardest to mitigate without proper technologies in place.
- Man-in-the-middle attack (MITM): In this attack form, the session or the network is hijacked in between by manipulating the communication between server and client, and acting as a proxy server, often without the knowledge of the victim.
- Malware: Malware can be defined as disruptive software, which is intentionally designed to cause damage or achieve any other malicious intent by its creator. Most of the time, this access is gained by exploiting the computing system's security, or any vulnerabilities, with help from the malware. Worms and Trojans are different forms of malware, and these have a very specific capability to spread from computer to computer and replicate themselves. Malware can cause theft of data, mass destruction of computer systems, disruption of network activities, and also can help in corporate espionage. Most of the latest malware may have unique capabilities to hide itself extremely well from the security systems and detection mechanisms, and stay active for weeks to years.
- Botnets: When computer systems are infected with malware, or any other malicious remote tools, and these infected computer systems are controlled by the attacker remotely, it is known as a bot. Furthermore, when there are many computers which are compromised by this malware, and controlled by the attacker, this network, or collection of compromised computers, is called a botnet. The remote mechanism and the control method are also termed as "Command and Control". Botnets can be used for various other purposes by the adversary, and, to achieve these, the botnet master will keep updating the malicious program's binary. Botnets used to be single-focused in terms of their mission. However, in the recent past, they have changed to become multiple-purpose malicious applications.
- Cross-site scripting: Cross-site scripting, commonly known as XSS attack, is an exploitation of flaws in web applications, which allows the adversary to inject malicious client-side script and compromise the user, without their knowledge in most cases. In general, these flaws exist due to poor input validation of web-based applications. Once the XSS is sent to the user, the browser will process it because the browsers have no mechanism to stop XSS based attacks. There are multiple forms of XSS attacks. Stored and reflected types of XSS are very common. Stored XSS allows the attacker to leave permanent malicious scripts in the victim's server, while reflected XSS usually takes place when the attacker sends a specially crafted link with a malicious query in the URL to the user, and the unsuspecting user clicks on the link, which then takes the user to a malicious site and captures the user's sensitive data, which is then sent to the attacker. Reflected XSS is possible only if the user clicks on the link. Or, another method is if the attacker tricks the user into clicking it.
- Drive-by download attack: This form of attack is very commonly seen over the internet. It has been one of the top threats in the past couple of years. In practice, attackers will compromise a well-known benign website and host their malware there, by embedding malicious links. Once users visit these non-suspecting websites, they get compromised by automatically being redirected to the malware download locations. Often, the links of compromised websites could be spread via spam or phishing emails, where a user might click a link out of curiosity, or unknowingly, and get the malware downloaded into the system.
- SQL injection attack: SQL injection attack is usually targeted towards the database exposed via the web. An attacker would execute malicious queries via poorly configured web applications, mostly in the data input mechanism to run SQL commands. The attacker, if successful, can gain access to the database, manipulate sensitive data, or, at times, also modify data. SQL injection can also allow arbitrary commands to manage the operating system remotely. This vulnerability is successful mostly due to the poor input sanitization at the web application, rather than at the database end, because databases are designed to execute queries as they receive them and return results accordingly. So, the developers must take care about input sanitization and only accept data input as desired, and check for any malicious inputs, before sending it to a database for query execution.
- Advanced persistent threat (APT): This attack has been on the rise over many years. The modus operandi of these attacks is mostly to launch highly targeted attacks against specific individual organizations, industry segments, or even a nation. These threats are called "advanced persistent" because the attacker, or the group of attackers, will use many advanced and stealthy techniques to stay undetected for a very long time. Often, it is found that the attack and persistent methods are specifically crafted for the particular attack and have never been used in any other attacks. APT based attacks are mostly well funded and they are mostly a team driven activity. APT is used to target intellectual property, any form of sensitive information, disruptive activities, or may even be for corporate espionage, or sabotage of data, and/or the infrastructure. APT attacks are entirely different from the other forms of attack; the adversary/adversaries take a very organized approach to know their target and the mission they want to achieve, and they do not rush to attack. The attack infrastructure is very complex at times. The main goal of the attacker/attackers is to stay in the compromised network as long as possible and stay hidden from security detection. One of the significant natures of APT, is that it can only impact certain parts of the network, or certain persons in the company, or just a few systems in the network that are the point of interest. This, therefore, makes it more challenging to detect APT activities by security monitoring systems.
- Web-based attacks: In these attacks, as the name suggests, the target systems are mostly those which are internet facing devices, applications, services, and so on. Practically, we can say that the majority of internet applications are exposed to web attacks. These can be attacked via flaws and vulnerabilities, not only in the applications, but, also, in the medium by which we access those applications, such as web browsers. Web browser exploits have been on the rise for many years. Web servers are always a very lucrative target for the adversary/adversaries. Some of the famous attack forms are drive-by downloads or watering hole attacks (where a legitimate web application, used by the target/targeted organizations, is compromised and then the attacker waits for the employees/users to visit the website and, thus, it becomes compromised).
- Insider attacks: Insider attacks are the human element of cybersecurity that are extremely vulnerable and very difficult to track, monitor, and mitigate. This threat indicates that the users with authorized access to the information assets will cause harm to the entity/business, or the organization. This is sometimes done unknowingly by becoming prey, or, sometimes, they are the ones conducting the attack. In general, there are no definitive ways to detect or monitor insider threat proactively; it can only be found when the damage has already been done in most cases. It's been a rising trend over many years, as the advanced attackers try to exploit insiders to gain access to the organization or businesses. This has been a major threat to governments and it's increasing day by day. Even if the organizations have a bullet proof network with a lock down environment, and strong perimeter defenses, insider attacks are considered to be the most effective. The mitigation of an insider threat is beyond the technical implementation. The organization also needs to include the social culture and education of its own users about how to treat security and stay vigilant.
- Ransomware: Ransomware has done a lot of damage recently and has come up as a prominent threat. The modus operandi of ransomware is mostly to gain monetary profit by holding the user's data/system in ransom by making it unusable. This is achieved by compromising the system with one or other form of existing exploits and vulnerabilities and then encrypting the data in the user's system. Once encrypted the attacker would demand money in exchange for the decryption key. The following screenshot shows an example of a ransomware message:
Ransomware attacks are extremely dangerous because of their mechanism. Anyone with a little knowledge and access to freely available exploitation tools can use them to gain access and encrypt data. This is mostly done on a wide scale to generate more profit by volume, and the process is entirely automated. There are dark net groups that have created ransomware-as-a-service to offer the infrastructure and tools needed to generate such a campaign. Ransomware attacks are now being targeted more at organizations, such as banks and other financial institutions, to generate huge profits by disrupting their business and asking for ransom. WannaCry and NotPetya are the two most disrupting examples of ransomware that we have seen recently.
One of the notorious examples of ransomware even had the modus operandi to make the system unusable, which implied that it not only encrypted the data on the systems, but also had overwritten the master boot record that makes the computer unusable if rebooted. The impact of ransomware is unimaginable when it comes to attack against infrastructure like airlines, hospitals, governments, and emergency services.
- Espionage: This is one of those serious issues that has always been there since the beginning of human warfare. Today, this is taking place between corporate, governments, and various other entities, and the battleground is cyberspace. It's beneficial, in a sense, because no one is directly coming in front to perform this espionage; they are all behind the hidden cyberspace, and the attackers can stay anonymous. We have already seen in the news in the past couple of years how one government is trying to damage or disrupt the other by using a cyber form of espionage, by compromising sensitive information, and then leaking it to the public, to cause chaos and disruption. Even corporations are not far behind. They do it to gain access to each other's intellectual property to stay ahead of the competition. Cyberspace is way more interesting and dangerous when we think from this perspective of cybersecurity.
With every passing day, the network of connected devices is increasing, and, while this growth of connectivity continues to grow bigger, the risk of exposure is also increasing. Furthermore, it is no longer dependent on how big or small the businesses are. In today's cyberspace it is hard to establish if any network of application is not prone to attacks, but it has become extremely important to have a sustainable, dependable, and efficient network system, as well as applications. Properly configured systems and applications will help reduce the risk of attack. But it might not ever be able to eliminate the risk of attack completely.
A modern IT security system is a layered system, as a single layer approach to security is not enough anymore. In the event of a network breach, the victim can sustain a huge impact, including financial, disruptions to operations, and loss of trust factors. In the recent past, the number of breaches has increased for various reasons. The attack vectors for these breaches could be many, such as viruses, Trojans, custom malware for targeted attacks, zero-day-based attacks, or even insider threats. The following table shows the biggest data breaches of the 21st century:
For instance, one of the biggest data breaches that happened with Target Stores in December 2013, was planned during the Thanksgiving holidays and the organization did not discover it until a few weeks after the actual attack. The attack was started from an internet enabled air conditioning system and then to the point of sale systems. Eventually this attack led to the theft of about $110 million in credit and debit card data. The after-effect of the attack led to the resignation of the, then, Target CEO and the cost impact to Target was in the region of $162 million. (For readers, a more detailed report can be found here: )
Attacks on computers, as we see today, may have evolved in terms of the techniques and sophistication of the attack itself, but one thing that has not changed is the reason for the breaches—data. Data has always been the center of attraction for all the hackers, both past and present.
Looking into the past for data breaches, one cannot miss the incident that was one of the most critical at the time, in 1984, which exposed personal and financial information of about 90 million users. TRW (today known as Experian), at the time, was hosting one of the largest databases of confidential records of about 90 million users and their credit history. TRW was responsible for providing information on users' credit history, employment details, banking and loan details, and, most importantly, social security numbers. These were transmitted over a telephone line to their many subscribers, who were mostly banks and department stores in remote locations. The following screenshot shows some online news coverage that this incident received:
Quite interestingly, the access to these databases was not so secured, and the subscribers could log in to the TRW database as needed to query the required information about a user. These details were confidential in nature, and only to be accessed by the bank officials or the department store operators. Even though the data accessed was read-only and no one could change any data, one could still expose it and misuse it, which is exactly what happened. The password and the manual on how to operate the TRW system and access the database was leaked from a department store in one location, and, once the adversaries got hold of the login and access information, they posted it in bulletin boards, (something equivalent of today's social media). Now, not only did the attackers have the login information, but also a whole profile of those who were connected and had access to the bulletin board.
Surprisingly, the incident was not detected by TRW officials for many months (it's not clear how long). The breach was reported to TRW by an external party. As per the investigation reports at the time, it was believed that the database was accessed via the store line, and TRW had no clue about how many times it had been accessed. Experts said during that time that a proper monitoring and detection could have flagged this activity (note that this is true even in today's environment). Investigators at that time also suggested that, if TRW had implemented a system to call back the telephone number via which access was requested, and verified before the information was transmitted (today we can compare this with our two-factor authentication), and rotated the user password frequently in conjunction with a few other methods, the attack could have been averted.
The points that we need to focus on in this incident of 1984, and compare with today's attack scenarios, are that the attack vectors, methods, and the mitigation that could have averted this, are quite unchanged. Firstly, one is that the attacker used some sort of social engineering to get hold of login credentials, which is still a very common method today. Secondly, they had full and complete information about the TRW systems by getting access to the manual, which might have helped them stay undetected for a very long time. Thirdly, they targeted user data not to damage or tarnish the company. It's the same as today, attackers get silent access to the systems with various methods, and try to stay undetected as long as possible, and make use of the stolen data.
At the beginning of the last decade of the 20th century, the world witnessed the start of a new challenging problem—computer viruses and worms. This changed the course of computer security in the years to come. In 1989, Robert Morris created a program to measure the size of the internet by counting the number of connected devices. He developed a program that would self-propagate using a vulnerability (we discussed this at the beginning of this chapter). But this incident did not get fixed or barred there, and there was more to come. The early 90s saw the rise of another virus, which was dubbed the "Michelangelo virus", designed to attack DOS systems at the time and modify the boot sector of the disk to stay put. This virus infected any media that was attached to it, such as hard disks or floppy disks, during that time. The Michelangelo virus was designed to stay dormant all the time, except for a particular date, 6 March, which is when it would come alive and act. (It was this date because, the researchers believed, it is the birthday of the famous Renaissance artist Michelangelo, but it's a mere coincidence.)
It was during these years that we saw the rise of antivirus companies too. Viruses and worms gave birth to a whole new industry, which became mainstream business in the computer security industry in the forthcoming years. The last decade of the 20th century continued to witness more viruses and worms, which moved into the new millennium with increased sophistication.
This was the decade which saw the rise of computer attack sophistication and was much more targeted towards its motive and mission.
In early 2000s, the world was devastated with a new form of virus and the way it spread. The virus was dubbed the "ILOVEYOU" virus, which infected millions of computers, and caused the email systems across the world to collapse. The virus started spreading by email attachment with a VBScript code. Anyone who opened that file executed the VBScript. The VBScript was designed to download another payload, which then created various persistence methods by including entries in a registry, and the malware started itself whenever the system was rebooted. This executable also installed other malware to steal passwords, and, at a later stage, sent all the captured password from the system to the attacker via email.
Another subroutine in the malware that helped it to spread across the world was designed in such a way that, the moment the malware was executed, it captured all the email addresses in the mail client address book and sent a copy of itself as an attachment with the subject like ILOVEYOU from the user's address. All the unsuspecting users, thinking it came from a known source, did the same mistake and tried to open the attachment, repeating the whole process. In the days that followed, there were many other variants of this similar modus operandi.
This decade also saw the rise of worms, viruses, and attacks by exploitation of software, OS, and other system vulnerabilities. One of the famous was the SQL Slammer worm that eventually became the fastest spreading worm of that time; it was active for many years, causing massive internet disruption. This worm exploited a vulnerability in the Microsoft SQL Server. This worm was so agile that it spread over close to 100,000 hosts (maybe even more; the exact count is not available) over the first hour of its infection. It used a buffer overflow bug in the SQL Server and Desktop Engine (MSDE) products. This worm generated random IP addresses and then tried to communicate to those IPs over a destination port UDP/1434 (SQL port).
Once it found the host, it exploited the vulnerable SQL server or the MSDE, and sent a copy of itself to the same host, thereby infecting the host. Once this new host was infected, it repeated the same process. Even though the patch to this bug was made available by Microsoft six months before the attack was launched, most of the systems over the internet were not patched. This indicates how important it is to keep the systems updated with the latest patches.
In November 2008, we witnessed yet another massive attack by another worm, which targeted Windows machines (ranging from Win 2000 to Win 7). This worm eventually impacted 10-15 million servers worldwide in over 190 countries, as a rough estimate. The worm impacted governments, military bases and fleets, corporate and home users, and, in fact, practically everyone in its path. Between November 2008 and April 2009, there were five variants that were found, Conficker A, B, C, D, and E. This worm not only created a massive infection around the globe, but it also created one of the biggest botnets of the era. Maybe the motive behind the worm was to create a large botnet to do more serious attacks, but nothing was made conclusive regarding the actual motive to generate an attack of this scale. This worm also used many new techniques that had never been used before this time. This included methods to block disinfection, infections of USB and other removable devices to spread further, along with a few other propagation methods, including files shares, and admins shares. The most innovative was the method to "call home" to the botnet controller via a communication framework based on random domain generation algorithms, later famously known as DGA algorithms, and these became the norm for other malware infections and botnet commands and control infrastructure. This method allowed the worm to generate hundreds and thousands of random domain names every day by a pre-determined algorithm and seed value (usually the date and time).The same algorithm was used proactively by the attacker to register one, or a few, of the domains from the random list for each day. This domain name was used by the malware on the particular day for command and control activities.
By the end of the decade, the industry was taken by surprise with the discovery of a major espionage activity by using a carefully and meticulously created malware, named Stuxnet. This was specially targeted towards a nuclear plant in Iran, with a single purpose of creating disruption in their nuclear programs. To a major extent, this attempt was successful in damaging the nuclear plan in target. This malware brought up some serious issues and concerns within the security fraternity regarding the safety of operational technologies controlling industrial systems, such as SCADA systems, and other similar ones.
In the days to come, the attack sophistication will not only increase but will also be highly targeted, as we have seen in the case of the Bangladesh bank heist where approximately $81 million was siphoned out of the bank in an extremely well-coordinated and planned activity.
With the rise of technologies, most corporations and business houses are moving towards adapting newer and newer technologies to be in the race to keep their businesses ahead of the competition, and enhancing customer experience. With this also comes the potential risk of cybersecurity.
Customers trust corporations and business houses with their data. Making sure that the data is secure is the sole responsibility of the corporations, governments, and businesses. If the data is breached, then the business loses trust from the customer and ultimately loses business and brand value.
It is extremely important for customer-facing businesses to maintain trust and progress towards digitization to ensure smooth business operations. As in today's scenarios of mobile first approach, and IoT approach, connectivity is paramount to stay in business and give customers a richer experience. The only binding factor is trust. And trust can only be achieved by making sure that the data is secured, avoiding breach situations, and, if there is a breach, then recovering as quickly as possible from a breach situation without causing much impact to customers and their data. In other words: to minimize the impact.
Companies must build security into their products and services from the beginning. This will decrease the risk of compromise or any breach, thereby strengthening the trust factor. As no business today can run alone, they have to partner with third parties. It is the responsibility of both the company and the third party to ensure the safety and security of consumer data and intellectual properties. So, as the enhancement of technologies are important for businesses to become profitable and sustain growth, building a security-first culture is also paramount to maintain consumer trust.
In this chapter, we explored the various aspects of the internet and how digitization has brought in a new era of cyber crimes and attacks. We also learned about the history of cyber attacks, which broke our usual belief that cyber crimes started a few decades ago. As we progressed, we learned about the various aspects of cloud computing and how it brings data under threat.
By reading this chapter, you will clearly have understood the importance of security in the current technological landscape, gained visibility of the cybersecurity landscape, and how organizations, as well as individuals, can protect data from being stolen. This knowledge is useful in identifying potential threat areas and designing a defensive game plan.
As we continue the discussion, we will explore the evolution of security from legacy systems to machine learning, AI, and other turnkey technologies. This will help us gain an insight about the past, present, and future of cybersecurity.