The intensifying threat landscape
The Australian Signals Directorate (ASD), the Office of the Australian Information Commissioner (OAIC) and the Australian Competition and Consumer Commission (ACCC) have been reporting on the intensifying cyber security and scam landscape since late last decade.
Industry players also provide useful reporting, including the 2024 Verizon Data Breach Investigations Report, which analyses over 10,000 data breach investigations over a 12-month period ending in late 2023. Some of their observations are:
- “We still have the External actors as the top catalyst for breaches at 65%, but we have Internal at a whopping 35%.” External actors tend to be malicious, and on motivation Verizon note “financial has the clear lead, but it is interesting to note that the Espionage motive has increased slightly over last year, from 5% to 7% … this motive is mostly concentrated in Public Administration breaches.” Internal actor threats are mostly mistakes – misdirected emails, leaving documents or USB sticks on the bus, and so on.
- The top three entry points identified by the Verizon report are the use of stolen credentials, phishing, and the exploitation of vulnerabilities in software systems. The report also touches on the growing risk of supply chain attacks.
Verizon reported that in their analysis of data breaches:
- 68% of breaches involved a human element
- 32% of breaches involved Ransomware or Extortion
- 28% of breaches involved Errors including misdelivery, loss (e.g. misplacing paper documents) and misconfigurations
- 15% of breaches involved a third party, which includes partner infrastructure being affected and direct or indirect software supply chain issues, such as an organisation being affected by vulnerabilities in third-party software.
Use of stolen credentials
According to the Verizon report, the use of stolen credentials (usernames and passwords) and related practices such as credential stuffing (trying stolen credentials against multiple services of interest, exploiting the fact that many people reuse credentials across services) and brute-forcing weak passwords remain among the three top entry points for malicious actors mounting an attack. Stolen credentials give an attacker access to systems, and with it opportunities to steal personal information, reach other IT systems or networks, or deploy ransomware.
The primary defence is good credential/password management practice, such as using passphrases or complex passwords, changing credentials if any compromise is suspected, never reusing passwords across identities or services, changing single factor credentials (that is, credentials that are the only factor required for authentication) periodically, and using password managers.
Technical mitigations commonly built into authentication services include limiting the rate of authentication attempts, locking accounts for a time after too many unsuccessful attempts, and using multi-factor authentication or passwordless verification such as FIDO2 keys and passkeys. In the Australian environment, restricting the origin of authentication attempts where feasible also provides a useful risk reduction for the time being.
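The rate limiting and temporary lockout described above, shown as an added example written for this guide (it is not the code of any particular authentication service). The thresholds (five failures within a 60-second window, 15-minute lockout), the user store and the password hashing are assumptions chosen for the demonstration; a production service would use a slow password hash such as bcrypt, scrypt or Argon2 rather than a single SHA-256.

```python
"""Per-account rate limiting and temporary lockout (illustrative, added example)."""
from collections import defaultdict, deque
import hashlib
import hmac

# Constructed sample credential store: username -> salted SHA-256 digest.
# Assumption for the demo only; use bcrypt/scrypt/Argon2 in real systems.
_SALT = b"demo-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse battery staple")}


class LoginGuard:
    MAX_FAILURES = 5      # failures tolerated within WINDOW seconds
    WINDOW = 60           # sliding window, in seconds, for counting failures
    LOCKOUT = 15 * 60     # how long an account stays locked, in seconds

    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time at which the lock expires

    def attempt(self, user: str, password: str, now: float) -> str:
        """Process one login attempt; returns 'ok', 'bad_credentials' or 'locked'."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        recent = self.failures[user]
        # Forget failures that fall outside the sliding window.
        while recent and now - recent[0] >= self.WINDOW:
            recent.popleft()
        stored = USERS.get(user)
        # Always compute the digest so unknown users take the same time as known ones.
        supplied = _digest(password)
        if stored is not None and hmac.compare_digest(stored, supplied):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.MAX_FAILURES:
            # Too many failures inside the window: lock the account for LOCKOUT seconds.
            self.locked_until[user] = now + self.LOCKOUT
            recent.clear()
            return "locked"
        return "bad_credentials"


def simulate_guessing() -> list:
    """Constructed scenario: five wrong guesses a second apart, then the real
    password while locked, then the real password after the lock expires."""
    guard = LoginGuard()
    outcomes = [guard.attempt("alice", f"wrong{i}", now=i) for i in range(5)]
    outcomes.append(guard.attempt("alice", "correct horse battery staple", now=10))
    outcomes.append(guard.attempt("alice", "correct horse battery staple", now=4 + 15 * 60 + 1))
    return outcomes


if __name__ == "__main__":
    print(simulate_guessing())
```

The lock is applied per account rather than per source address, so a credential-stuffing run spread across many addresses still trips it; the sliding window means a handful of genuine typos spread over a day never do.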
Phishing
Phishing also remains one of the three top entry points for cyber attacks. Phishing targets individuals through email, text messages, phone calls, and other forms of communication. A phishing attack aims to trick the recipient into taking the attacker’s desired action, such as revealing financial information, login credentials, or other sensitive information. As a popular form of social engineering, phishing relies on psychological manipulation and deception: threat actors masquerade as reputable entities to mislead users into performing specific actions, often clicking links to fake websites, downloading and installing malicious files, or divulging private information such as bank account or credit card numbers. It can lead on to data breaches, Business Email Compromise, and ransomware and extortion attacks.
The human element is a key factor in many cyber security breaches and is central to phishing, so cyber security awareness training is an essential protection for everyone. It protects not just an organisation’s resources and reputation, but also increases staff’s resilience and their ability to protect themselves personally from scams and loss. Anything done to strengthen the “human firewall” reduces the risk of loss and data breach.
Periodic awareness training has been seen to reduce risk by 20 to 25%. An ongoing monthly program of phishing testing (simulation) coupled with training is most effective, reducing risk by 75-80%.
Technical measures include mail and web filtering for threats and malware, hardening system and endpoint configurations, security monitoring and alerting, and phishing-resistant verification methods (that don’t rely on passwords) such as FIDO2 keys, Windows Hello for Business and properly managed passkeys.
Exploiting vulnerabilities
Completing the trifecta of top entry methods for attacks, the Verizon report identified “substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years.” A successful exploit provides a foothold the attacker can use to broaden their access, reach sensitive information or launch ransomware. Software vulnerabilities can be present in just about any system, including servers, endpoints such as desktops, laptops and smartphones, and network devices. Servers that host internet-facing web applications, and internet-facing network devices such as routers, present the greatest risks.
The range of measures required to protect against the exploitation of vulnerabilities includes:
- Prompt application of software updates or “patches”, especially critical and security updates, to servers, endpoints and network devices, especially internet-facing servers and network devices;
- Vulnerability scanning and management to detect unaddressed vulnerabilities;
- Applying mitigations quickly to critical services when zero-day vulnerabilities are discovered or disclosed;
- Partnering with suppliers with better security track records;
- Long-term industry initiatives such as the Secure-by-Design initiative led by a consortium including the Australian Signals Directorate and the U.S. Cybersecurity and Infrastructure Security Agency.
Patching and vulnerability management are the focus of two of the eight mitigation strategies in the ASD’s Essential Eight.
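The measures above (scanning for unaddressed vulnerabilities and patching internet-facing systems first) amount to a simple prioritisation, which this added example works through. It is illustrative code written for this guide, not any scanner's logic, and every host, package name, version and advisory in it is constructed rather than real vulnerability data.

```python
"""Ranking unpatched software by exposure and severity (illustrative, added example)."""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """'2.4.57' -> (2, 4, 57). Non-numeric components compare as 0 (assumption for the demo)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str   # first version that contains the fix
    severity: str   # 'critical', 'high', 'medium' or 'low'


@dataclass
class Host:
    name: str
    internet_facing: bool
    packages: dict = field(default_factory=dict)   # package -> installed version


SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def find_exposures(hosts, advisories):
    """Return (host, advisory) pairs where the installed version predates the fix."""
    exposures = []
    for host in hosts:
        for adv in advisories:
            installed = host.packages.get(adv.package)
            if installed is not None and parse_version(installed) < parse_version(adv.fixed_in):
                exposures.append((host, adv))
    return exposures


def prioritise(exposures):
    """Internet-facing hosts first, then highest severity, then host name:
    the order in which patching should be scheduled."""
    return sorted(
        exposures,
        key=lambda e: (not e[0].internet_facing, -SEVERITY_RANK[e[1].severity], e[0].name),
    )


# Constructed inventory and advisories (fictitious packages and versions).
HOSTS = [
    Host("web-01", True, {"web-server": "2.4.50", "tls-lib": "3.0.8"}),
    Host("file-01", False, {"web-server": "2.4.50", "file-share": "4.18.0"}),
    Host("edge-router", True, {"edge-firmware": "7.10"}),
]
ADVISORIES = [
    Advisory("web-server", "2.4.58", "high"),
    Advisory("tls-lib", "3.0.9", "critical"),
    Advisory("file-share", "4.18.1", "medium"),
    Advisory("edge-firmware", "7.11", "critical"),
]


def patch_queue(hosts=HOSTS, advisories=ADVISORIES) -> list:
    """Flattened, ordered work list: (host, package, severity)."""
    return [(h.name, a.package, a.severity) for h, a in prioritise(find_exposures(hosts, advisories))]


if __name__ == "__main__":
    for row in patch_queue():
        print(*row)
```

The ordering key puts exposure before severity on purpose: a high-severity flaw on an internet-facing server is reachable by anyone, while a critical one on an internal file server first requires an attacker to already be inside.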
Supply chain attacks
As networks, cloud services and supply chains bind us ever closer together, we become more exposed to supply chain breaches. These include both where a partner or supplier’s systems or infrastructure are breached, and direct or indirect software supply chain issues such as when an organisation is affected by vulnerabilities in third party software.
The Verizon report notes these “are breaches an organization could potentially mitigate or prevent by trying to select vendors with better security track records.” It reported that 15% of data breaches involved a 3rd party.
Our guides Questions to ask your SaaS application provider and Questions to ask your IT managed services provider include questions you can ask potential providers about their cyber security accreditations and practices.
Ransomware & Extortion
Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them, and a ransom is demanded to restore access. Cybercriminals might also steal data from your organisation, and demand a ransom to prevent sensitive information and intellectual property from being leaked or sold online. Its effects can include significant downtime while you restore systems and data; permanent loss of data if you don’t have reliable backups; significant recovery costs; reputation damage and loss of income.
Ransomware continues to affect organisations worldwide. Not-for-profits haven’t been spared from such attacks. The health care and social assistance sector remains the second-highest reporting sector of ransomware-related incidents in Australia, according to the ACSC Cyber Threat Report 2022-23.
Entry points for ransomware include phishing attacks, use of stolen credentials, exploiting vulnerabilities, and insecure configurations of networks and servers. The ACSC notes common signs you may be a victim of ransomware include:
- Pop-up messages requesting funds or payment to unlock files;
- You cannot access your devices, or your login doesn’t work for unknown reasons;
- Files request a password or a code to open or access them;
- Files have moved or are not in their usual folders or locations;
- Files have unusual file extensions, or their names or icons have changed to something strange.
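Several of the signs listed above (changed extensions, files moved or gone) can be spotted by comparing a listing of a file share against an earlier one. The following is an added example written for this guide, not any product's detection logic; the two snapshots it compares are constructed, and the threshold of three affected files is an assumption chosen for the demo.

```python
"""Comparing two file listings for the file-system signs of ransomware (illustrative, added example)."""
from collections import Counter
from pathlib import PurePosixPath

# Extensions considered normal on this constructed share (assumption for the demo).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


def _base(path: str) -> tuple:
    """(parent folder, name before the first dot): 'report.docx' and
    'report.docx.locked' in the same folder share a base."""
    p = PurePosixPath(path)
    return str(p.parent), p.name.split(".")[0]


def diff_snapshots(before: set, after: set) -> dict:
    """Classify every path present before but absent now as renamed, moved or missing,
    and count unfamiliar extensions among the new files."""
    new_files = [p for p in after if p not in before]
    by_base, by_name = {}, {}
    for p in new_files:
        parent, base = _base(p)
        by_base.setdefault((parent, base), []).append(p)
        by_name.setdefault(base, []).append(p)

    findings = {"renamed": [], "moved": [], "missing": []}
    for p in sorted(before - after):
        parent, base = _base(p)
        if (parent, base) in by_base:            # same folder, same base, new suffix
            findings["renamed"].append((p, by_base[(parent, base)][0]))
        elif base in by_name:                     # same base, different folder
            findings["moved"].append((p, by_name[base][0]))
        else:
            findings["missing"].append(p)
    findings["new_extensions"] = Counter(
        PurePosixPath(p).suffix for p in new_files
        if PurePosixPath(p).suffix not in KNOWN_EXTENSIONS
    )
    return findings


def assess(findings: dict, threshold: int = 3) -> list:
    """Turn findings into human-readable reasons for concern; empty means nothing notable."""
    reasons = []
    if len(findings["renamed"]) >= threshold:
        reasons.append(f"{len(findings['renamed'])} files changed extension")
    for ext, n in findings["new_extensions"].items():
        if n >= threshold:
            reasons.append(f"{n} files now end in {ext!r}")
    if len(findings["moved"]) + len(findings["missing"]) >= threshold:
        reasons.append(f"{len(findings['moved'])} files moved and {len(findings['missing'])} missing")
    return reasons


# Constructed snapshots of a small share, taken before and after an incident.
BEFORE = {
    "/share/finance/budget.xlsx",
    "/share/finance/report.docx",
    "/share/hr/policy.pdf",
    "/share/hr/photo.jpg",
    "/share/notes.txt",
}
AFTER = {
    "/share/finance/budget.xlsx.locked",
    "/share/finance/report.docx.locked",
    "/share/hr/policy.pdf.locked",
    "/share/hr/photo.jpg",
    "/share/archive/notes.txt",
}


if __name__ == "__main__":
    for reason in assess(diff_snapshots(BEFORE, AFTER)):
        print("WARNING:", reason)
```

Such a comparison is only as good as the earlier listing, which is one more reason to keep backups (and their catalogues) somewhere the affected systems cannot overwrite.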
The ACSC advises that you never pay a ransom. It’s important to have an Incident Response Plan that identifies who will help respond to a ransomware incident (including your IT support provider, cyber security insurer, and agencies such as the ACSC), and how you would respond.
Business Email Compromise
Business email compromise (BEC) refers to cybercriminals impersonating a stakeholder, such as a supplier or staff member, to scam an organisation. This can happen via phishing attacks that gain direct access to the stakeholder’s email account so it can be used to impersonate them, or via pretexting, the use of a fabricated story, or pretext, to gain a victim’s trust and manipulate them into sharing sensitive information, downloading malware, sending money to criminals (for example by paying fraudulently altered invoices), updating banking details so that payments are misdirected into accounts controlled by the malicious actor, or otherwise harming themselves or the organisation they work for.
BEC scams caused the highest business losses, with combined losses of $224 million in 2022. While BEC scams have impacted organisations for years, these scams have become more prevalent and successful in recent years.
BEC scams are often discovered when a duplicate or forged invoice is detected, a creditor reports that an expected payment was not received, or a stakeholder is contacted to verify a suspect request apparently sent by them.
In addition to training staff to recognise and avoid social engineering and phishing attacks, and implementing technical protections against phishing, financial losses can be avoided by specific training for staff roles responsible for financial transactions or information. The key message is: don’t trust, verify. For example, if a request is received for an urgent payment or an update to banking details, contact the supposed sender of the request via a separate channel, using contact information already known to you, to verify that the request is legitimate.
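The “don’t trust, verify” rule for banking-detail changes can be written down as a small accounts-payable control, which this added example does. It is illustrative code written for this guide, not part of any finance system; the supplier record, the incoming request, the domain names and the phone numbers are all constructed. Its one firm rule is the one the text gives: the callback must use the number already on file, never the one quoted in the request.

```python
"""Triage and out-of-band confirmation of a supplier bank-detail change (illustrative, added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SupplierRecord:
    """Contact and payment details already held in the vendor master file."""
    name: str
    domain: str
    phone: str
    bsb: str
    account: str


@dataclass(frozen=True)
class ChangeRequest:
    """What arrived by email asking for the details to be changed."""
    supplier_name: str
    sender_address: str
    callback_phone: str   # number quoted in the email signature
    new_bsb: str
    new_account: str
    urgent: bool


def triage(req: ChangeRequest, record: SupplierRecord) -> tuple:
    """Return (decision, flags). Any real change is held until confirmed by callback;
    the flags record why the request deserves extra suspicion."""
    flags = []
    sender_domain = req.sender_address.rsplit("@", 1)[-1].lower()
    if sender_domain != record.domain.lower():
        flags.append(f"sender domain {sender_domain!r} is not the supplier's {record.domain!r}")
    if req.callback_phone != record.phone:
        flags.append("callback number in the email differs from the number on file")
    if req.urgent:
        flags.append("request is marked urgent")
    if (req.new_bsb, req.new_account) == (record.bsb, record.account):
        return "no_change", flags
    return "hold_for_callback", flags


def confirm(req: ChangeRequest, record: SupplierRecord, phone_used: str, supplier_confirmed: bool) -> str:
    """Approve only after a call to the number on file confirms the request.
    Using a number taken from the request itself is an error, not a verification."""
    if phone_used != record.phone:
        raise ValueError("verify using the phone number already on file, not one from the request")
    return "approved" if supplier_confirmed else "rejected"


# Constructed sample data: fictitious supplier, lookalike sender domain, fictitious numbers.
ON_FILE = SupplierRecord(
    name="Acme Office Supplies",
    domain="acme-supplies.example",
    phone="+61 2 0000 0001",
    bsb="000-000",
    account="00000001",
)
REQUEST = ChangeRequest(
    supplier_name="Acme Office Supplies",
    sender_address="accounts@acme-supp1ies.example",
    callback_phone="+61 4 0000 0002",
    new_bsb="000-999",
    new_account="99999999",
    urgent=True,
)


if __name__ == "__main__":
    decision, flags = triage(REQUEST, ON_FILE)
    print(decision)
    for flag in flags:
        print(" -", flag)
```

The flags are advisory; the hold is not. Even a request with no flags at all still waits for the callback, because a genuinely compromised supplier mailbox produces a request that looks entirely legitimate.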
What to do to keep your organisation secure
This will depend on your organisation’s size, the sophistication of the systems and technology you manage, and sensitivity of the information you hold and use.
For starters, every organisation must implement these fundamental security measures: Cyber Security Essentials. This basic level of cyber security capability might be sufficient for small, virtual organisations that use only a few cloud systems such as Google Workspace, and don’t own and manage desktop or laptop computers – or for that matter servers!
Many non-profit organisations will have some infrastructure to manage and/or hold sensitive data. They will want to progress to an intermediate level of cyber security capability: Achieving intermediate cyber security.
Where significant risks or obligations require further mitigation, and resources permit, organisations that have achieved intermediate capability might work towards advanced capability. This will include consideration of Maturity Level 3 compliance with the ASD’s Essential Eight, and of an external certification such as ISO 27001. See Achieving advanced cyber security.
We offer a range of training resources to support your journey, covering such topics as Cyber Security Essentials for NFP Staff, Cyber security self-assessment & work plan development, and Cyber security for NFP managers.