Thought leadership. threat analysis, news and alerts.
Global Cyber Attacks Could Be as Costly as Major Hurricanes
Hurricane Katrina and Sandy are two of the costliest hurricanes in the past three decades. The total damage from Katrina is estimated at $156 billion and $69 billion from Sandy. Lloyd's of London estimates that economic losses from global cyber attacks have the potential to be as big as those caused by major hurricanes.
2 Potential Cyber Attack Scenarios
Lloyd’s report called “Counting the cost: Cyber exposure decoded” showed two global cyber attack scenarios that could have the potential economic impact:
1. Cloud Service Provider Hack
According to Lloyd’s, the average losses in the cloud service disruption scenario could be $53.1 billion for an extreme event and could go as high as $121.4 billion.
2. Cyber Attacks on Mass Software
For the mass software vulnerability scenario, according to Lloyd’s, the losses could range from $9.7 billion for a large event to US$28.7 billion for an extreme event.
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy,” said Inga Beale, CEO of Lloyd’s. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies ….”
Vulnerability of Cloud Service
“The Cloud” is the process of accessing data, computer resources and software over the web. It’s used as a substitute for accessing data from a local computer. Although cloud, also known as network-based computing, dates back in the 1960s, it was only in the early 2000s that its popularity soared as small and medium-sized businesses adopted this new method of accessing data.
In the second quarter of 2016, Synergy Research Group found that Amazon cornered 31% of the cloud infrastructure services market, followed by Microsoft (11%), IBM (7%), Google (5%), Next 20 including Alibaba and Oracle (26%) and others (20%). More than 90% of the over 2,000 cyber security professionals surveyed in McAfee’s “Building Trust in a Cloudy Sky” report stated that they were using some type of cloud service in their organization.
In February this year, Amazon’s cloud services suffered a costly outage. According to Amazon a typo caused the outage. Amazon said in a statement:
“The Amazon Simple Storage Service (S3) team was debugging an issue causing the S3 billing system to progress more slowly than expected. At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended.”
Amazons’ February 2017 outage cost companies in the S&P 500 index $150 million according to Cyence.
According to Lloyd’s, cloud infrastructure services like Amazon, Microsoft, IBM and Google rely upon a common cloud infrastructure. If a major security flaw were found in this common cloud infrastructure, cloud customers of these cloud services could suffer from a breach, Lloyd’s said.
Vulnerability of Mass Software
In April 2017, the hacker group known as ShadowBrokers published on the internet a compilation of hacking tools that was believed to be used by the National Security Agency (NSA). These publicly released hacking tools could give anyone with technical knowledge the capability to exploit certain computers running Microsoft Windows.
In March 2017, a month before the alleged NSA hacking tools were released to the wild, Microsoft released a free patch or security update for Windows 10. Microsoft, however, didn’t release free security updates for Windows XP, Windows 8 and Windows Server 2003. The company only released free patches for these old Windows operating systems at the height of WannaCry – a ransomware that affected more than 300,000 computers in 150 countries in May this year.
6 Trends that Contribute to Cyber Vulnerability
Lloyd’s report identified these 6 trends that cause further cyber vulnerability:
1. Old Software
Old software refers to software that’s abandoned by its maker. It also refers to software that’s patched by its maker but the end users fail to update the software. Failing to install a security update leaves a computer user vulnerable to hacks. This happened to WannaCry. Users of Windows 10 succumbed to the ransomware attack for failing to install Microsoft’s March 2017 free patch. Users of Microsoft’s older operating systems (Windows XP, Windows 8, and Windows Server 2003) also fell victim to WannaCry as Microsoft only released the free patch for these older Windows operating system after WannaCry spread around the world last May 12th.
2. The Number of Software Developers
The number of people developing software has grown substantially over the past 30 years. Each software programmer could potentially add vulnerability to the system whether unintentionally through human error or intentionally. Proprietary software, for instance, is developed by different teams and outsourced contractors who are spread across the globe. Linux Kernel – an open source software project which started in August 1991 – has over 13,500 developers as of August 2016.
3. Volume of Software
More programmers mean more codes are being developed each day. “More code means the potential for more errors and therefore greater vulnerability,” Lloyd’s said. A typical new car, for instance, has about 100 million lines of code.
4. Open Source Software
While the open source movement has resulted in unprecedented digital innovations, it has opened new digital vulnerabilities. Lloyd’s said, “Any errors in the primary code could then be copied unwittingly into subsequent iterations.” Most open source software don’t go through the same level of security scrutiny as custom-developed software.
5. Multi-layered Software
In multi-layered software, a new code is written over an existing code. Most programmers today work on maintaining existing codes, rather than creating new codes. Multi-layered software, Lloyd’s said, “makes software testing and correction very difficult and resource intensive.”
6. “Generated” Software
In generated software, the code is written by a computer program, instead of being written by human programmers. Lloyd’s said, “Code can be produced through automated processes that can be modified for malicious intent.”
Not understanding your technology vulnerabilities is no longer an option. Assess it today to gain a valuable insight, and take an immediate action to addresses the gaps. Connect with us today and speak with our vulnerability assessment and management experts.
Steve E. Driz, I.S.P., ITCP