Cyber super-weapons – what does it take to feel cyber safe?

Written by Viki Bucknell on 26/10/2018

Hacked off

Even if you don’t work in the cyber-security world, you won’t have failed to notice that businesses of all sizes appear to be getting hacked on a scarily regular basis. These news reports may even help you decide whether to stay with a company or not. For example, if your gas provider experienced a security breach and lost your personal information, would you stick with them, or would you move to a seemingly more secure provider? Here’s another question for you: do you wait for hard evidence to back up claims of hacking, or are rumours of an attack enough for you to jump ship?

Bigger isn't always better

Even the biggest organisations with the biggest of security budgets can get hacked. Just ask British Airways, who, in September 2018, admitted that a staggering 500,000 payments had been compromised. It was a scripting attack on their payment website, meaning customers’ personal and financial details were stolen. Whilst this highlights the importance of regular penetration testing, the upshot for BA is that this might make people choose to fly with a different operator.

On the other side of the coin, there’s the NHS (and I don’t mean WannaCry). At the start of 2018, an NHS website hosting data in the form of patient surveys was hacked by a team named AnoaGhost. This website held patients’ personal details, including reviews on primary care units. It’s unknown whether the group actually made off with any of this data, as no one has claimed as much (at the time of writing). But they certainly could have, which could be enough to damage public trust in the organisation. Unfortunately, there isn’t much option to leave the NHS and source treatment elsewhere (unless you wish to pay privately, that is), so patients have to ride out the storm and hope their data isn’t compromised.

With both examples, evidence was made public that the organisations had been hacked. However, there have been hacking events reported in the news that didn’t come with any hard evidence, yet still had far-reaching impacts.

Bad news is bad business

One such example is the story of spy chips, purportedly inserted into Chinese hardware used by US companies. These server motherboards were reportedly found to contain tiny microchips that were not on the boards’ original design, and so were supposedly placed to intercept data. This alleged supply chain cyber-attack had an impact on some major global brands, including Apple and Amazon. The allegation was made by respected journalists from Bloomberg, who claim to have evidence. This evidence has not been forthcoming.

What’s more, following this report, Apple declared, “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.” Supermicro, who make the servers, also made a statement saying, “We remain unaware of any such investigation.” Subsequent reports and comments from both sides have been resolute: Bloomberg say it happened; Apple, Amazon and Supermicro (et al) say it didn’t.

With one side of the argument being that these chips exist and have been seen, and the other categorically denying their existence, how can we know the truth?

The general consensus in the industry is one of scepticism, with critics of the report quick to highlight flaws in the alleged method of data exfiltration. There’s also the issue that both Apple and Amazon will have big, expensive monitoring systems in place to spot and catch any network traffic that looks suspicious, such as, say, data suddenly zipping off to China.

Despite all this, rumours and (potential) ‘fake news’ seem to be enough to drive share prices down, a fact that has been disastrous for Supermicro. Since the story broke, Supermicro saw their share price drop by a staggering 41 percent, with both Apple and Amazon’s share prices dropping by around two percent.

Cyber super-weapons

I think it’s worth pausing for a moment: 41% wiped off a company’s share price based on what currently boils down to rumours. It’s out of the scope of this blog for us to comment on the veracity of the Bloomberg report itself, but it could easily seem that cyber news (or perhaps even cyber fake news) is being weaponised. With evidenced examples of cyber-attacks being directed at critical national infrastructure, it seems that cyber-attacks are a new super-weapon for countries and corporations alike. It also seems that it doesn’t always matter if they’re real.

Back on a business level, what might this mean? Whilst consumers might not opt out of using the monolithic mega-corporations like Apple or Amazon, businesses might just be more reluctant to use them. Speculatively, if a company was looking to buy AWS cloud infrastructure, might Azure now seem a little more inviting?

Real attacks read like fiction

There are many reasons we might be quick to believe a report of a hack, whether there’s any evidence or not. A big contributing factor will be that the real attacks, accepted by all and with a vast amount of supporting evidence, sometimes seem quite unbelievable.

For example, some time ago, hackers made off with a large cache of data having worked their way into a casino’s network through a fish tank thermometer. And, since the emergence of the smart fridge, security experts around the world have been demonstrating just how easy devices of this kind are to hack. So, if it’s proven (with evidence) that your fish tank and fridge are out to get you, then the idea of an actual government installing spy chips is instantly believable.

How to defend against a super-weapon?

So, with outlandish stories turning out to be true, and seemingly plausible stories being very much up for debate, what are we to believe? Well, we should believe whatever can be evidenced. Digital forensics can usually sort the ‘have we/haven’t we been hacked?’ debate out. Unfortunately, that requires a hack to have already taken place. In terms of being proactive, there’s no need to suddenly change your hardware provider due to fear of tiny chips. Invest in a good SIEM and you’ll be able to keep an eye on your entire network and spot if cyber shenanigans are going on, isolate them and block any offending parties.

  • Bulletproof are CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

  • Bulletproof have 24/7 on-site Security Operations Centre
