CONSIDER this: P52.4 million—the cost of a SINGLE cyberattack at the enterprise level—is P2.4 million more than the annual fund set aside for the implementation of Republic Act (RA) 10175, or the Philippines’s Cybercrime Act.
Now consider such attacks being launched against one of the country’s major revenue generators: business process outsourcing (BPO) firms.
With such a chilling possibility, Singapore-based Ian Lim, field chief security officer of Palo Alto Networks Inc., told the BusinessMirror that the Philippines must not lower its guard because of the strong possibility of attacks on its BPO industry.
As a global leader in the BPO industry, the country is a prime target, as hackers and cybercriminals are eyeing the Philippines for its upstream activities, especially global companies, Lim said.
“The borderless workforce also presents huge opportunities and expands the organizations and enterprises,” Lim told the BusinessMirror. “This made companies jump on that bandwagon really quickly and whenever you do something quickly, chances are you might have exposures that you have not sorted out.”
Lim added that in these uncertain times, cybersecurity has become a major issue for both the government and the private sector.
“Dealing with cybersecurity is not a luxury anymore: it’s a necessity.”
The sense of urgency in Lim’s tone is underscored by the increase in cases of a type of cyberattack considered lethal for revenue generators: ransomware.
Gaining data
RANSOMWARE 2.0 had a banner year in 2020 in the Asia Pacific region, according to cybersecurity provider Kaspersky Lab.
Ransomware 2.0 refers to groups that moved from holding data hostage to exfiltrating it, coupled with blackmail. The aftermath of a successful attack includes significant monetary loss and reputational damage.
Palo Alto Networks’ recent study revealed that the average cost for one ransomware attack is over $312,000 or almost P17 million.
According to Kaspersky Lab Lead Malware Analyst Alexey Shulmin, the company noticed an interesting re-emergence of two highly-active groups in the Asia-Pacific region: “REvil” and “JSWorm.”
“Both resurfaced as the pandemic rages in the region last year and we see no signs of them stopping anytime soon,” Shulmin was quoted in a statement as saying.
It was his firm that first wrote about “REvil” in July 2019. Also known as “Sodinokibi” and “Sodin,” this group initially distributed itself through an Oracle WebLogic vulnerability and carried out attacks on managed service providers.
While the activities of “REvil” peaked in August of 2019 with 289 potential victims, Kaspersky telemetry monitored fewer detections until July last year, Kaspersky Lab said. From targeting only 44 Kaspersky users globally that month, the ransomware group stepped up their attacks, it added.
Nevertheless, Kaspersky Lab said it managed to protect 877 users in July from this threat, logging a 1,893-percent increase in a span of just one month.
Increasing attack
FURTHERMORE, Kaspersky Lab said its monitoring revealed the people behind ransomware have actively spread their malicious arms from the Asia-Pacific region to the world.
According to Shulmin, back in 2019, most of the victims were only from Asia-Pacific—particularly Taiwan, Hong Kong and South Korea.
“However, Kaspersky detected last year their presence in almost all countries and territories. It is safe to say that during their ‘silent months,’ [the] ‘REvil’ creators took their time to improve their arsenal, their method of targeting victims and their network’s reach,” Shulmin added.
One thing was unchanged, though: the Asia-Pacific region remained one of the top targets for REvil, he said.
The company said that out of 1,764 Kaspersky users targeted by the group last year, 635 or 36 percent of these companies were from the region. Brazil, however, logged the highest number of users nearly infected by this threat, followed by Vietnam, South Africa, China and India.
In its study, Kaspersky Lab said it found that the biggest targets in terms of industry fall under engineering and manufacturing (30 percent). This is followed by finance (14 percent) and professional and consumer services (9 percent). The legal, information technology (IT) and telecommunications, and food and beverage industries received equal attention at 7 percent.
Very urgent
LIKE “REvil,” “JSWorm” also entered the ransomware landscape in 2019. However, the geographical distribution of its initial victims was more varied.
Initially, its spread was detected across the globe, from Brazil, Argentina and the United States through to Italy, France and Germany. Its spread was also detected in South Africa, Turkey, Iran and Vietnam.
Moreover, Kaspersky Lab staff noticed a shift of the group’s attention towards the Asia-Pacific region. China emerged as the country with the highest number of Kaspersky Security Network users nearly infected by the “JSWorm” ransomware. It is followed by the US, Vietnam, Mexico and Russia.
Last year, however, more than one-third or 39 percent of all the enterprises and individuals this group has targeted were located in the Asia-Pacific region.
Companies like Huawei Corp. became antsy with these developments. It recently opened its largest global cyber security and privacy protection transparency center in Dongguan, China.
Huawei also released its “Product Cyber Security Baseline,” marking the first time the company has made its product-security baseline framework and management practices available to the industry as a whole.
Exchange for cash
JOANNE Wong, LogRhythm Inc. vice president for international markets, pointed out that ransomware attacks are one of the most damaging cyberattacks on organizations, where businesses’ data stores are held “hostage” in exchange for payments.
“Not only does this disrupt operations and potentially lead to the loss of sensitive data, but businesses also face damages in their reputation and a loss in consumer trust,” Wong said.
She said there was a 160-percent year-on-year increase in ransomware events last year. Wong believes this figure will rise as established ransomware operators refine their techniques and take advantage of organizations’ fear and anxiety.
“What I’ve noticed is that the ‘double extortion’ tactic has become more prevalent,” she explained. “These malicious actors not only demand a ransom to allow businesses to regain access to their data but they also threaten to release this data online unless their terms are met.”
“Moreover,” Wong said, “they are making copies of the data before encrypting” the data.
“So there is a real potential to leverage a second ransom and a risk of data leak down the line,” she added.
Serious threat
AS recently as last month, a French insurance giant was hit by a ransomware attack that disrupted IT operations across offices in Thailand, Malaysia, Hong Kong and the Philippines.
In light of the global pandemic, the Interpol has also highlighted that increasing attacks are carried out across public institutions such as hospitals and medical centers. In particular, hospitals in Indonesia and Thailand have fallen victim to such attacks.
“It has been observed that cybercriminals are taking advantage of the economic downturn and people’s anxiety by tweaking their social engineering tactics to include Covid-19-related themes,” the Interpol said in its “Asean Cyberthreat Assessment 2021” report released this month. “According to our findings, key Covid-19-inflicted cyberthreats are phishing/scam/fraud at 59 percent, malware/ransomware at 36 percent, malicious domains at 22 percent and fake news at 14 percent.”
The Interpol report noted that in the Philippines, “a huge increase in online scams was also recorded.”
The Interpol said there were 869 cases reported within a 6-month period, an increase of 37.3 percent compared to the same period for 2019. Identity theft also increased by 21.47 percent with 362 cases.
Leverage methods
STILL, the telemetry of ESET spol. s r.o. has shown a 31-percent decrease in ransomware detection in the Philippines within the first four months of the year against the same period in 2020.
However, the Slovakian Internet security firm noted this declining trend, which had also been reported by other vendors, might not necessarily paint the full picture.
Ransomware sent directly in emails or via links is nowadays an uncommon sight as cybercriminals prefer to deploy it at the last stage of a multistep compromise chain, according to ESET. As most attacks intending to deliver ransomware are identified and blocked at the beginning of a compromise chain—before the ransomware is introduced—they are statistically not logged as a ransomware attack.
On the bright side, Wong said the effects of ransomware attacks can be mitigated, primarily by minimizing the time spent by intruders on the enterprise network.
To achieve this objective, organizations must enforce cybersecurity defenses that allow them to effectively monitor company networks so they can rapidly detect the intrusion and roll out the necessary interventions to eradicate the threat and recover.
“With cyber criminals continuing to leverage more sophisticated methods in their attacks, organizations must remain vigilant and empower their team with the tools they need to respond.”
Borderless environment
SADLY, Lim noted, people are not updating their security paradigm.
Living in a borderless environment, people must remember network security may not be enough and they should change their outlook on security, he stressed.
As far as Palo Alto is concerned, the Zero-Trust architecture is a key step towards a strong cybersecurity program. Lim recommends that monetary authorities, specifically, move to upgrade cybersecurity of the central bank and not expand explicit trust without verifying first.
According to the United Nations-commissioned International Telecommunication Union, the Philippines ranked in the middle in terms of the Global Cybersecurity Index (GCI).
For Lim, cybersecurity laws should mandate the public and private sectors to improve cybersecurity and transform this into a more board-level conversation. These measures will not only boost GCI ratings but also help the cybersecurity posture of the Philippines to mature, he said.
“The recent cyberattacks in the US have encouraged top officials of organizations to ask questions leading to the creation of a higher baseline for cybersecurity requirements,” Lim said. “Singapore and Australia are doing it right now.”
According to him, the Philippines should investigate ways to mandate that the public and private sectors focus on raising their security posture.
Education matters
LIM pointed out that education plays an important role in accelerating the development of the country’s cybersecurity capability.
Moreover, he believes there should also be a strong collaboration between the public and private sectors to ensure better knowledge-sharing across the board.
“We need to continue fostering local and global collaboration to do more joint initiatives,” Lim said, echoing Huawei’s Hu.
He cited Palo Alto Networks’s “Cyber Aces (Activities in Cybersecurity Education for Students)” program, an initiative to help give children ages 5 to 15 a clearer understanding of cybersecurity.
“This gives them a better view of cybersecurity and its threats and implications,” he said.
The initiative, according to him, responds to the current lack of qualified cybersecurity experts.
Lim said the demand for cybersecurity experts in the global market is massive and cultivating the local talent and meeting those demands is a huge challenge.
Nevertheless, he is confident the Philippines can hurdle this obstacle.
“The Philippines, however, is greatly poised to excel in this area and having a huge BPO industry can translate to the fact that the country has a very strong technical workforce,” Lim said. “Given the right incentive, this will benefit companies and organizations. In the long run, this can also manifest in the country’s GDP [gross domestic product].”
Network unity
FOR Lim’s colleague, Palo Alto Networks Inc. Philippines Country Manager Oscar Visaya, the bigger challenge is to persuade organizations to push cyber security programs.
Visaya cited the company’s partnership with the Philippines Institute of Cybersecurity Professionals (PICSPro) and the Women in Cybersecurity Alliance in educating the general public about these threats in the digital space and the need to address the shortage in skills.
He also cited the Asian Institute of Management’s Cybersecurity Executive Education program. The private sector and the academe have launched initiatives to help everybody and attend cybersecurity education initiatives, he said.
“It’s important to have the boardroom understand this also plays a big role in securing technology pieces, aside from cybersecurity officers,” Visaya said. “Incident responders, analysts and architects, along with the management, should work together in educating themselves so that it comes together across all spectrums.”
This, according to him, would help address the skill gaps.
End-to-end visibility
ACCORDING to Lim, addressing all recent cyberattacks, including ransomware variants, boils down to “Zero Trust.”
He cited a recent ransomware attack in the US that involved just one password, which led to unchallenged access to critical areas across the company’s environment.
In response to the growing attacks by cybercriminals, there is a call for the establishment of a new paradigm to replace the current setup of security architecture. The existing model relies heavily on implicit trust, wherein people trust an authentication but fail to check its authenticity.
“The new paradigm that we are trying to push is . . . we need to get rid of implicit trust by adopting a ‘Zero Trust’ mindset,” Lim said. “In other words, the mantra is ‘Trust No One.’”
Visaya explained that the “Zero Trust” model “is a collaborative effort for an organization.”
“While it is not a product or service, this has been heavily advocated by Palo Alto Networks Philippines by putting in much effort to the education, awareness and training for it,” he said. “This helps the organization to be more ready and create a safer space for digital assets.”
According to Visaya, a Zero Trust mindset must be applied across networks, endpoints, the cloud and the Internet of Things. It requires continuous monitoring and validation, getting end-to-end visibility across all access points and utilizing artificial intelligence and machine learning technology to baseline the normal and what is needed, he added.
Forward looking
FOR Christina Liang-Boguszewicz, founder of BI Consulting Group LLC, the Philippines took the right path in defending its cyber borders in 2018 when it acceded to the Budapest Convention on Cybercrime.
The Convention, also known as Treaty 185, is “the first international treaty on crimes committed via the internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security.”
The Budapest Convention was drawn up by the Council of Europe in Strasbourg, France, with the Council of Europe’s observer states Canada, Japan, Philippines, South Africa and the US. The Office of Cybercrime of the Department of Justice is the authority “mainly responsible for making or receiving requests for extradition or for mutual assistance with another State Party” in relation to Treaty 185.
Still, Liang-Boguszewicz suggests the Philippine government also participate as an active member of the Ransomware Task Force (RTF).
This would allow it to be a stakeholder, have access to the industry best practices, and integrate the policies and solutions as part of the group’s cyber defense framework, she explained.
With over 60 members from software companies, government agencies, cybersecurity vendors, financial services companies, nonprofit groups and academic institutions, the RTF is working on a comprehensive framework of actionable solutions.
“Their work synthesized best practices across sectors, identified solutions in all steps of the ransomware ‘kill chain,’ targeted gaps in solution application, and engaged stakeholders across industries to coalesce around a diverse set of ideas and solutions,” Liang-Boguszewicz said.
In due time
FOR Visaya, however, a cybersecurity law needs to be enacted.
He told the BusinessMirror such a law would put in place the correct framework across all industries.
“More than the Cybersecurity Plan 2022 [of the Department of Information and Communications Technology], we need a law to address cybersecurity threats as the country embraces digitization and cloud-first policies,” he said.
The financial aspect is herculean as the country needs to invest at least $2 billion to achieve global standards on cybersecurity, according to Visaya.
“Furthermore, there is a need for all these best practices to be operationalized as [cybersecurity] can get very complex,” he added.
According to Lim, the Cybersecurity Plan 2022 and other existing laws like RA 10175 must be complemented by mandates with a budget, direction and high prioritization.
“The Executive branch also has to rally together the people so they can do the work that needs to be done,” he said. “Preparedness is the key because without it, [we] are vulnerable to different cyberattacks.”
Lim added that collaboration and coming together are the keys to addressing the skills gap and the manpower gap.
“With the Philippines being a market leader in the BPO industry, the country is poised to become a leader in cybersecurity” in due time, he said.