SecurityScorecard Reports on Software Supply Chain Attacks on Energy Companies

In 2019-2020, the Russian Foreign Intelligence Service successfully mounted what the U.S. General Accountability Office called “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector.”  Since then, cybersecurity experts have repeatedly called attention to the risks of software supply chain attacks.  Despite these warnings, companies have failed to learn from the SolarWinds attack and have continued to fall victim to such compromises.  In 2022, for example, supply chain cyber attacks in the United States alone reportedly affected 1,743 entities — the highest reported number since 2017.

The threat of software supply chain attacks, however, is by no means limited to the United States.  A December 6 report by security resilience vendor SecurityScorecard stated that 90 percent of the world’s 48 largest energy companies have suffered a supply chain data breach in the past 12 months.  For this report, SecurityScorecard analyzed the cybersecurity profiles of the 48 largest energy companies in the United States, United Kingdom, France, Germany, and Italy.  The companies spanned the coal, oil, natural gas, and electricity sectors.  In total, SecurityScorecard examined more than 21,000 domains, and its analysis included both their third-party and fourth-party vendors.

Specific findings in the report included the following:

  • 100 percent of the top 10 U.S. energy companies experienced a third-party breach.
  • 92 percent of the energy companies evaluated have been exposed to a fourth-party breach.
  • 33 percent of energy companies had a C Security Rating or below, indicating a higher likelihood of breach.
  • In the last 90 days, SecurityScorecard identified 264 breach incidents related to third-party compromises.
  • MOVEit was the most prevalent third-party vulnerability in the last six months, with hundreds of companies affected around the world.

While this report examined only energy companies, it should serve to remind companies in all industries, including other aspects of critical infrastructure, that supply chain risk is a serious and continuing threat that requires immediate attention. Moreover, recent developments show that inadequate attention to software supply chain risks may pose not only operational and reputational risks, but legal risks as well.  On October 31, the Securities and Exchange Commission (SEC) announced that it had charged both SolarWinds and its chief information security officer, Timothy G. Brown, with fraud and internal-control failures relating to allegedly known cybersecurity risks and vulnerabilities.  Because the SEC’s jurisdiction extends not only to U.S. companies but to foreign companies whose shares are traded on U.S. securities exchanges, those companies need to make software supply chain risks a key priority in their cybersecurity programs.

Saudi Arabian Monetary Authority Establishes New Bank-Oriented Program on Online Fraud

One of the oddly persistent myths about online fraud is that it is a “Western” problem – i.e., that online fraud is a problem only for North America and Western Europe.  In fact, online fraud, in all of its many forms, has long been a global problem, with worldwide consumer and business losses just to e-commerce fraud reaching an estimated $48 billion in 2023.

Both more- and less-affluent countries on multiple continents have experienced an explosive growth in certain types of online fraud.  In the Middle East, for example, a survey by the King Abdul Aziz Center for National Dialogue (as reported in 2022 by the Global Anti-Scam Alliance) found that 62 percent of Saudi Arabian consumers received spam and scam messages, mainly on their mobile devices. Fraudsters impersonated banks in 72 percent of the cases, police in 18 percent of the cases, and delivery services in 10 percent of the cases.  In addition, 14 percent admitted that they fell for the scam and lost money.

Recognizing the frequency of bank-related online fraud schemes, the Kingdom’s Public Prosecution has pursued cases against criminals purporting to be bank employees, and the Kingdom has issued a number of warnings to the public about various online schemes, such as those involving domestic labor services, Hajj and Umrah pilgrimages, and other financial fraud.

On September 19, the Saudi Arabian Monetary Agency (SAMA), the Saudi central bank, announced the first edition of the Cyber Anti-Fraud Program (CAFP).  The CAFP, which will run for three months, is directed at training and developing a cohort of trainees, drawn from SAMA and local banks, through intensive cyber fraud education and in-the-field training.  It will incorporate best international standards and practices in the field of cyber fraud training.  It is designed to support national talent within the financial sector, in collaboration with a leading British university and renowned global entities specializing in cyber fraud prevention and detection.

If the CAFP proves successful, it may provide a template for other countries, not just in the Middle East, to enhance their financial sectors’ capabilities to combat online fraud and to better protect banking customers.

Survey Finds Executives Four Times More Likely to be Phishing Victims Than Other Employees

In recent years, it has become conventional wisdom that corporate employees pose the greatest threat to companies’ cybersecurity.  A recent survey by IT security provider Ivanti indicates that senior executives need to recognize that they may pose an even greater threat to their own companies’ cybersecurity.

In its December 13 State of Security Preparedness 2023 study, Ivanti surveyed 6,500 executive leaders, cybersecurity professionals, and office workers.  Some of the study’s most concerning findings pertained to behaviors by senior leaders such as CEOs, vice presidents, and directors:

  • More than one-third of surveyed leaders had clicked on a phishing link, four times the rate of other office employees.
  • One in four leaders continued to use the same passwords for years rather than updating them regularly, a far higher rate than among other employees.
  • Nearly one in four leaders “use easy-to-remember birthdays as part of their password.”
  • Leaders were “five times more likely to share their password with people outside the company.”
  • More than one in three leaders “have fallen victim to phishing scams, either by clicking a scam link or sending money.”

While 73 percent of security professionals and leaders reported that their organizations were planning to increase their cybersecurity budgets in 2023, and 74 percent of security professionals stated that they budget for security breaches, other responses about the actual state of organizations’ cybersecurity were more concerning:

  • Only 52 percent of leaders and security professionals responded that “they have ‘high visibility’ into every user, device, application and service on their network.”
  • 45 percent of security professionals said that “they either suspect or know that former employees and contractors still have active access to systems or files in the form of still-active usernames, passwords and login information.”
  • Although 92 percent of security professionals said that “they have a method to prioritize which vulnerabilities to patch”, “when asked which types of patches are prioritized, security professionals tell us all types rank high — meaning none do.”

In addition, Ivanti asked 1,356 executive leaders and security professionals whether they would be willing “to wager a chocolate bar” on the cybersecurity protections their organizations have in place.  Even though 97 percent of security professionals and leaders surveyed said that “their organizations are as prepared or more prepared today than one year ago”, 20 percent would not wager a chocolate bar on their cybersecurity.

Information security officers should include details of the Ivanti report in briefings and training materials, and not only for their own teams or mid- and lower-level employees.  As the report recommends, “organizations need to develop customized training curricula and tech interventions for CEOs and other high-level executives.”  As business email compromise schemes are projected to continue to grow through 2027 at a compound annual growth rate of nearly 20 percent, it is incumbent on senior executives to model proper cybersecurity behavior consistently to subordinates and each other.  Failure to do so can have disastrous results for their companies – and for their continued employment.

Egyptian, Saudi Competition Authorities Sign Memorandum of Understanding on Cooperation

In the past year, competition authorities in Egypt and Saudi Arabia have shown increased assertiveness in enforcing their national competition laws.  Pursuant to their respective competition laws, the Egyptian Competition Authority barred the use of anti-competitive contractual clauses imposed by a market-dominant food-delivery enterprise, and the Saudi General Authority for Competition blocked proposed transactions in the energy and food-delivery sectors.

A recent joint action by both competition authorities indicates that they anticipate exercising their enforcement authority over transnational anticompetitive conduct.  The Chief Executive Officer of the General Authority for Competition, Dr. Abdulaziz bin Abdullah Al-Zum, and the head of the Egyptian Competition Authority, Dr. Mahmoud Mumtaz, signed a Memorandum of Understanding (MOU) that, according to Arab News, “seeks to prevent monopolistic practices that restrict competition, in an effort to boost cooperation while respecting the laws of both countries.”

Dr. Al-Zum reportedly indicated that the MOU “includes areas of cooperation and exchange of consultations and experiences through mutual visits to the headquarters of competition authorities in the two countries, as well as through official electronic communication channels and other means of communication between experts and technicians of the two parties on issues of common interest.”  Dr. Mumtaz further explained that the MOU “focuses on a number of areas of cooperation that include exchanging information and experiences in the field of promoting competition and preventing monopolistic practices, in a way that facilitates and enhances the performance of the functions of both sides, especially with regard to the role of competitive guidance and how to set policies that enhance competition in markets.”

APWG Second Quarter Phishing Trends Report Notes Record High in Phishing Attacks

Even as the world of computing becomes ever more complex in many respects – greater computing power, smarter devices, and more advanced artificial intelligence and machine learning, to name a few – one of the most conceptually simple cybercrime techniques remains a significant threat to computers and networks around the world.  Phishing, as defined by APWG (formerly the Anti-Phishing Working Group), “employ[s] both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.”

On September 22, the APWG issued its Phishing Activity Trends Report for the second quarter of 2022.  Key findings in the report include:

  • General: APWG observed 1,097,811 total phishing attacks in Q2 – “a new record and the worst quarter for phishing that APWG has ever observed. The number of phishing attacks reported to APWG has quadrupled since early 2020, when APWG was observing between 68,000 and 94,000 attacks per month.”
  • Most-Targeted Industry Sectors: For Q2 2022, APWG founding member OpSec Security found that phishing attacks against the financial sector (including banks) “remained the largest set of attacks” (27.6 percent of all phishing). Attacks against webmail and software-as-a-service (SaaS) providers accounted for 19.1 percent of all phishing. While attacks against retail/ecommerce sites dropped from 14.6 to 5.6 percent, phishing against social media companies dramatically increased from 8.5 percent of all attacks in Q4 2021 to 15.5 percent in Q2 2022.
  • Ransomware: APWG member Abnormal Security observed not only a decrease in ransomware volume over Q1 and Q2 2022, but also (as of June 2022) “the smallest number of ransomware victim companies since January 2021.” The five industries most frequently victimized by ransomware during Q2 included manufacturing (24 percent), business services (12 percent), retail and wholesale (10 percent), healthcare (8 percent), and construction (7 percent).  In addition, approximately 56 percent of victimized companies had less than US$50 million in revenue, while nearly 13 percent of victim companies had revenues of more than US$500 million.
  • Business Email Compromise (BEC) Schemes: According to APWG member Agari by HelpSystems, in Q2 2022 “gift card requests were the most popular cash-out method used by criminals” (39.9 percent), followed by payroll diversion attempts (25.9 percent), advanced fee fraud (15.5 percent), and wire transfers (9.6 percent).  The average amount requested in wire transfer BEC attacks was $109,467, an increase from $91,436 in Q1 2022.  In addition, two strains of malware accounted for 90 percent of all malware delivered to corporate email boxes: Emotet (47 percent) and Qbot (43 percent).

Information security teams in every business sector should closely review the APWG report and incorporate pertinent details into internal briefings and training for corporate executives and employees.  Because maintaining effective cybersecurity in any environment is a constant challenge, it is essential that senior leadership maintain a clear understanding of the most prevalent and immediate threats to their corporate environments and provide information security teams with the tools and resources to cope with those threats.