Just because your business is boring, doesn't mean they're not out to get you
Since the dawn of the internet age, Medina has been involved in security. He's the founder of esCERT-UPC, the Spanish Computer Emergency response team, and its director since it was set up since 1994. He's also scientific coordinator at the European Chapter of the Anti-Phishing Working Group (APWG.eu), as well as an advisory member of ISMS Forum Spain (the Spanish Association for the Advancement of Information Security).
Molist is a journalist specializing in computer security. She is passionate about hacker culture, a co-organizer of the first Spanish Hackmeeting, and author of a history of the hacker underground on the Iberian peninsula.
The pair have decided to pool their knowledge and set out why security has become so fundamental to all businesses, regardless of their size, in a new book called Cibercrimen.
"We wanted to explain it with real examples that have been in the news, to raise awareness that anybody can have their computer or phone hacked without being aware of it," Medina said.
"Many companies think 'this won't happen to me because I don't publish interesting information'. But they're wrong. The likelihood of a cyberattack occurring is about 10 percent a year, for all users, no exceptions. Information has strategic value and criminals are not the only people interested in it. Competitors are too."
Identity theft
The recent theft of personal data of at least four million current and former federal workers in the Obama administration underlines Medina's point. Not even a team of over 500 people analyzing data from a security program called EINSTEIN, used by US government agencies since 2008 to detect unauthorized intrusions and unusual traffic, could guarantee the security of government systems.What went wrong? Why was it impossible to detect the traffic generated by a spyware program, possibly developed in China?
The authors of the book have different hypotheses: the spyware may have been present on the organisation's systems but not gathering information for some time, allowing it to remain undetected, or it may have been introduced directly onto one of the agency's computers, enabling the spyware to bypass the usual network security tools desgined to stop such malware in its tracks.
The attack is far from the first such incident to hit US systems. In their book, Medina and Molist highlight that last year in the US, there were 621 major incidents, resulting in the theft of 77,890,487 user records.
The financial sector alone reported 24 incidents that compromised nearly 1.2 million customer records, and the commercial sector experienced 215 incidents resulting in 64 million stolen records. In Europe, ENISA (the European Union Agency for Network and Information Security), an organization where Medina was formerly deputy head of the technical competence department, has warned that the theft of personal data is growing by 25 percent annually.
"[Details of] a credit card are sold for €1 or €2 and a clinical history for €8 or €10," Medina said, admitting it can be worrying to think about what can be done with such a large amount of sensitive information.
Social engineering
While "we are still easily fooled," according to Molist, the number of phishing attacks designed to steal users' personal identity and financial account credentials is still on the up and criminals are having to adapt their behaviour to lure more victims.
"Between 2004 and 2010, Spain was a global power in phishing attacks and no Spanish bank was spared... The phishing campaigns were launched by non-Spanish native criminals and for this reason the phishing attacks were not very successful. Spanish is one of the languages most used on the internet, and targeting Spanish-speaking victims was one key goal of the criminals, but they had to discover that there are significant differences between the Spanish spoken in every country," Medina said.
"Once they addressed this issue, the messages were tailored to the specificities of each country, and they have been much more successful."
As users become more and more familiar with spoofed emails that appear to come from their bank, email-based attacks have had to evolve - prompting the growth of spear phishing. Currently, spear phishing, where attacks are honed to attack specific individuals or companies, has a success rate 10 or 100 times that of standard phishing, according to the authors of the book.
"For medium-to-large companies, which are attractive to criminals, it's a really big security problem. For smaller firms, their main issue is data kidnapping, namely ransomware," Medina said.
Ransomware encrypts a user's data and demands its owner hand over cash in return for the key to decrypt the information. The authors of Cibercrimen say the phenomenon began with the arrival of Cryptolocker malware in 2013, and call ransomware "a global scourge" that can "ruin a company."
"If you pay, you have a 90 percent chance of retrieving the information, but criminals may also leave something on your computer to blackmail you again in the future," Medina said.
Protection
So, what to do? A company's most basic line of defense should be to "distrust, verify, and contrast", according to Molist and Medina. Simply put, that's "think before you click" and when in doubt, go back to the source of the email - your bank or coworker - through a different channel, such as on the phone, and double check if they really did try to contact you. And, of course, have a regularly-updated, active, and properly-configured antivirus package and firewall.
That advice extends to mobile devices as well as PCs and laptops. According to Medina, attacks on mobile devices are beginning to overtake those targeting desktops. Mobile attacks are a particular problem for online banking, given people use the same device to access their bank's website or app as well receive the SMS alert they use for two-factor authentication for the same service.
"We have become accustomed to a policy of punishment instead of promoting training and responsible behavior," Medina said.
"Government agencies punish the organizations that fail to keep their systems safe... Take the Data Protection Agency, for example. It bases its fines only on the impact of a breach, rather than taking into consideration the strength of the attack, the readiness of the victim organization, or the actions that organization took to mitigate the impact or to detect or prevent the threat," Medina said.
He's calling for the creation of local or regional Computer Security Incident Response Teams (CSIRT), coordinated by organizations such as CESICAT (Catalan Information Security Centre), INCIBE (Spanish Cybersecurity Institute), CERT-EU ENISA (Computer Emergency Response Team for EU institutions) or EUROPOL and EC3 (European Cybercrime Centre). While none of the organisations has sufficient resources to support all SMEs directly, they could ultimately work to train up professionals who could provide security services to small businesses for a fair price.
With the popularity of social networks and the early growth of the Internet of Things (IoT), the data that businesses need to protect is increasingly large and increasingly diverse.
In January 2014, it emerged that refrigerators, televisions, and other devices spent Christmas sending hundreds of thousands of spam messages. The search engine Shodan.ie warned a couple of years ago that there are millions of devices connected to the internet with simple passwords such as 1234. While users are no stranger to terrible password security, passwords on appliances are often determined by the manufacturer and can't be changed, said Molist. Clearly, the principle of introducing 'security by design' into products still has a long way to go.
What's more, for Medina, currently a professor at Polytechnic University of Catalonia (UPC), "Europeans should require cloud services providers to keep data on European soil to ensure the data protection directive applies, which gives some assurances to citizens. We should also demand that they have updated and protected servers," he said.
From the smallest business to today's tech giants, security always needs to be front of mind.
Read more on security