Introduction
Cybersecurity can feel like a buzzword that everyone around us keeps using, but do you actually know what cybersecurity is? It may seem like dark magic to people who don’t speak the lingo. Well, in a nutshell, cybersecurity can be defined as all things related to security: how secure is your data online? How safe are you from hackers? How do you protect yourself from the bad guys looking to cause you harm? I know, it is quite a broad definition, and people tend to use different words interchangeably, but they effectively mean the same thing. Some examples are:
- Computer Security
- Ethical Hackers
- Hacking
- Information Security
- IT Security
- Penetration Testing
This blog post aims to shed some light onto the cybersecurity world. If you have any further questions, feel free to drop us a message on our contact us page!
A Not So Brief Explanation
So, you have heard many stories from your friends and family about social media accounts, personal email boxes or, in extreme cases, bank accounts being hacked. Have you ever thought about why this happened? In my experience growing up in Malaysia, incidents like these never really get resolved. Why is that? People normally talk about them with their friends and family to warn them about the trending attacks at the time. In some cases, they write a lengthy post on social media such as Facebook or Instagram. However, the root cause has never really been identified and fixed.
Let’s take a recent trending attack that you may have seen on social media as an example. People are claiming that their bank accounts are transferring money out to an unrecognised recipient. They became aware of this only because they received text messages from their respective banks containing the authorization codes that are required to authorize a payment. The victims had not used the authorization codes, yet their money mysteriously went missing from their bank accounts. When the worried victims got on the phone with their banks, the banks responded that they had done their investigation and nothing seemed to have gone wrong on their side, at the same time pushing all the responsibility onto the users.
As a cyber security expert, I see several possible explanations for how this could have happened. At the time of writing this blog post, the simplest explanation in my opinion is a targeted attack. To successfully pull off this kind of attack, an attacker would need access to your mobile banking account and access to your phone for the authorization code. There are also several possibilities for how an attacker could have gotten inside your bank account. It could be that the mobile application had a security vulnerability that allowed an attacker to perform transfers without knowing your login credentials, or it could have had a vulnerability that leaked your login credentials altogether. As for your phone number, did you know that phone cloning is a thing in our industry? Yes, it is exactly like the James Bond movie you saw where someone places a device near your phone and clones it. The aim of doing this is to clone your phone number, allowing an attacker to gain access to any messages you receive, such as the authorization codes. You may think that I am bluffing at this point. Obviously, there is a lot of information an attacker needs to successfully clone your phone. This includes personal information such as your IC number, date of birth, full name, the address where you registered the phone number and more. All of this has already been compromised, back in October 2017. The Star published a news report stating that the Malaysian telecommunication companies had been hacked, leaking 46.2 million entries of personal information. Yes, the very information needed to clone your phone. The population of Malaysia was around 32 million at that time, so it was suspected that the leak included tourists as well. I am not eliminating the possibility of phone cloning without the need to be physically near you, as the ways a cyberattack could play out in this industry are countless.
With all of this information, an attacker would then be in a position to perform this attack and steal your money. You will probably never get it back, because the authorities would have done their investigation and seen in their logs that the authorization codes were used to approve the transfer.
So, let’s assume again that the mobile application installed on your phone does not have any security vulnerabilities that would allow an attacker to initiate a transfer. Who is to say that your login credentials were not compromised when an attacker cloned your phone via physical access? Nowadays, it is quite popular to have your phone rooted or jailbroken. It gives you access to further functionality on your phone (which may seem cool), but at the same time cloning your phone will give an attacker access to all the mobile applications installed on it. Yes, this may have been the way attackers got hold of your mobile banking login credentials.
Have you also wondered why you keep receiving telemarketing phone calls from people or companies you have never heard of? In extreme cases, you might even get a phone call that tries to ‘scare’ you into paying money. They could say that you are wanted by the police and need to pay X amount of money, or make fraud calls saying that you have won a prize. I’ll stop with the examples, because I am sure you have either experienced this or heard stories from friends and family. In our industry, we call this a social engineering attack. More information can be found here. You may have asked this in the past: why is this happening to everyone? How did they get my phone number? How do they sound so legitimate and how are they able to even tell me my personal details? Well, through the lack of cyber security, of course, not to mention the 46.2 million entries of personal details leaked that I talked about above. On top of that, this is only the cyberattack we know about. What about those that were never caught? Or the ones that were detected, but were never reported by the news?
Going Beyond Technology
You may ask, does cyber security end at technology? The straight answer is a big NO. The sensitive personal data you entered on a website is stored on a computer, and the computer is a physical machine located in a server room. When you enter the data via the Internet, you have the luxury of countless firewalls and encryption algorithms to protect you from an attacker. However, what happens if an attacker gains physical access to the server room? They would then be able to bypass all the security firewalls and access your data directly from the computer. In the IT security industry, we call this physical social engineering.
Again, this may sound like another scene out of a James Bond movie: you talk your way past the reception of a building, steal a staff member’s ID card and scan it to enter the server room, plug in a USB drive and download all the personal data off the server. In my personal experience performing tests for our clients, I would be willing to try anything to get inside your office. As I am quite an athletic person, I have climbed through second-floor windows that were left open in the middle of the night just to get inside a locked company office. Don’t worry, it is completely legal (for me at least). We get authorization from our clients before conducting such tests.
Cybersecurity Awareness
After all the stories we have heard and fraud phone calls received, the general public has grown quite security aware. Well, that is the nice way of saying it; we essentially have trust issues now. That said, trust issues are a good thing. They give an extra layer of protection to public users, making them more aware of cyber security attacks. If we go back to the examples mentioned above, we can clearly see that the public users can’t do much, as the data leak that happened in the first place was not their fault. However, I think the general public needs education on what they can do if they find that their personal details have been leaked, either intentionally by companies selling them off or unintentionally by being hacked.
Data Protection Act
After going through all that negative material about cyber security, you may feel like the general public is left to fend for itself. Let’s move on to some of the more positive stuff, such as what is available out there to protect you.
One of the things that governments across the world have introduced is the Data Protection Act. Different countries enforce it with varying policies. The Malaysian government published a Personal Data Protection Act in 2010, and it came into force in 2013. The official publication can be found here. Don’t bother reading it unless you are really interested in the legalities of IT security in Malaysia. I will try to highlight the important aspects of the publication here.
In summary, companies that process personal data need to take protective measures to make sure they don’t get compromised. If an attacker successfully exfiltrates any personal information from their systems, they can be fined by the Department of Personal Data Protection Malaysia. Depending on how severe the data leak is, fines range from one hundred thousand to five hundred thousand Ringgit Malaysia. In extreme cases, this could even include jail sentences of up to three years. The management team or anyone responsible within the business will have to bear these punishments. This means that if you believe your personal data has been leaked by a specific company, you can report the incident by submitting a complaint on the official portal here. The authorities will launch an investigation and, if the complaint is proven, fines and punishments will be issued to the company.
Note that the leakage of personal data includes both unintentional leakage, such as hackers exfiltrating information from servers, and intentional leakage, such as companies selling off personal data to make a profit.
Security – Some Basics
I have always chosen to believe in myself rather than relying on others to keep me secure. That said, would the involvement of the Malaysian government be enough to keep you safe? In my opinion, there will always be room for improvement. So, let’s discuss some basic things that you can start doing today to help secure yourself from the bad guys.
From my research into how people generally react to security incidents such as fraudulent phone calls or emails, I would think the majority of people do have some cyber security awareness. However, there is much work to be done.
Individuals
As the owner of your own personal details, you should always stay vigilant about where your data shows up. The majority of young Malaysians seem to spend their free time on social media nowadays: sharing locations, uploading photos, updating statuses to include what they are currently doing, and the list goes on and on. A bad guy planning a targeted attack on you can easily collect this information. Updating your status once in a while may seem insignificant, but an accumulated amount of data will allow an attacker to map out your habits and use them to attempt social engineering attacks on you. They will be able to sound extremely convincing that they are contacting you from a legitimate authority, as they have all your personal information.
I am not suggesting that my readers stop using social media. In fact, I am merely recommending that you stay alert to what you share online. Maybe have a look through your list of friends on Facebook: is there anyone on the list that you do not recognize? Are your profile settings set to public? How many followers do you have on Instagram? And how many of them do you trust to know where your favorite coffee shop is or which gym you go to every Saturday?
Many articles online will suggest that you use a strong password on your accounts, such as by using special characters and alphanumeric characters, or even replacing the letter ‘a’ with 4 and ‘e’ with 3. I agree that this will make a password stronger, but when passwords get complex, users tend to memorize a single one and reuse it across every account they have. This means game over for you if the bad guys get their hands on your password. You should reconsider your approach. Try using passphrases instead of passwords. Use a combination of three or four words and put symbols somewhere in between. That way, your passwords will be longer, making them harder for hackers to brute force. In addition, you will have the flexibility to customise your passwords for each account. This way, all your accounts will have unique passwords and you will be able to memorize them better.
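The "longer beats cleverer" argument above can be put in numbers. The following is an added example, not code from the original post: it estimates the guessing effort for a dictionary word with the ‘a’→4 / ‘e’→3 trick, for a random 8-character password, and for a four-word passphrase with a symbol between the words. The word-list sizes and the attacker's guessing rate are assumed, constructed figures, chosen only to make the comparison concrete.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols, each chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def leet_bits(word: str, substitutions: str = "ae") -> float:
    """Extra bits gained by optionally replacing each listed letter (a->4, e->3).

    Each candidate letter is either swapped or not, so the gain is at most one bit
    per letter. Cracking tools apply such rules automatically, which is why the
    gain is so small compared with the dictionary word itself.
    """
    return float(sum(1 for c in word.lower() if c in substitutions))


def passphrase_bits(word_list_size: int, words: int, separator_choices: int = 1) -> float:
    """Entropy of `words` words drawn uniformly from a list, plus one separator per gap
    chosen from `separator_choices` symbols (1 means a fixed separator such as a space)."""
    return words * math.log2(word_list_size) + (words - 1) * math.log2(separator_choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker at `guesses_per_second` to try every possibility."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate against a fast hash (constructed figure)
    # Dictionary word with leet tweaks: assume a 10,000-word list of common passwords.
    leet = math.log2(10_000) + leet_bits("password")
    # "Complex" 8-character password drawn from the 95 printable ASCII characters.
    complex8 = random_string_bits(95, 8)
    # Four words from an assumed 7,776-word list, one of 10 symbols between each pair.
    phrase = passphrase_bits(7776, 4, separator_choices=10)
    for name, bits in [("p4ssw0rd-style word", leet),
                       ("random 8 characters", complex8),
                       ("4-word passphrase", phrase)]:
        print(f"{name:22s} {bits:5.1f} bits  ~{years_to_exhaust(bits, rate):.2e} years")
```

The passphrase comes out stronger than the random 8-character string while being far easier to remember, and the leet-substituted word adds only about one bit per swapped letter.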
Businesses
Lately, I have seen larger organizations making efforts to secure the personal data they possess. They are hiring cyber security experts to join their team and implement security measures. Some are even doing penetration testing exercises to help identify what kind of security vulnerabilities they have. If you don’t know what penetration testing is, more information can be found here.
In my personal opinion, smaller businesses seem to have a false sense of security. They may think that the bad guys will not even think about attacking them. In my years of experience in the cyber security industry, the bad guys have attacked anyone and everyone, no matter the company size. As long as there are financial benefits to be gained, they will always look for opportunities to attack you.
From everything I discussed in this blog post, it may seem that most cybersecurity incidents revolve around compromising personal data. However, there are still many other ways the bad guys can gain financial benefits. A very common and well-known method is to spread ransomware within your internal network. This encrypts all your files, and the attackers then demand a ransom to decrypt them for you.
On top of the PDPA enforced by the Malaysian government, an attacker compromising your systems could inflict a great amount of financial impact on your organization via fines. Not to mention that different industries have different compliance requirements to meet before you can further your business ventures. As a business owner, you must ask yourself: are you fully prepared for a cyberattack, and are you a fully compliant organization within your industry?
No matter the size of the company, big or small, I would always recommend prevention over cure. One of the methods is engaging in regular penetration tests. We offer a large range of services to help our clients achieve their cyber security needs. That said, most of our clients do not even know where to start. If this is the case for you, I urge you to get in touch with us. Our experienced team will aid you from start to end in securing your assets.
Obviously, there are still many more things to consider; however, I think this blog post is already too long at this point. If you have any questions regarding cyber security, feel free to drop us a message here.
Conclusion
I would like to wrap up this blog post by stressing the need for IT security. It is obvious that implementing these security measures does not come cheap; this is especially true for penetration tests. However, it is also clear that the pros far outweigh the cons. By spending a comparatively small amount of resources, you can rest better at night without having to worry about cyberattacks on your organization.
Finally, the opinions and examples discussed within this blog post are purely examples. There could still be other ways bad guys can launch cyberattacks, and the limit is only defined by the creativity of the attackers. Thank you for your time in reading this blog post, and I hope it helped to shed some light on the world of cyber security.
One Response
I take pleasure in, cause I found exactly what I was having a look for. Cordelia Jacky Dripps