Wanted cyber warriors
IMAGINE, for a second, that you are a human resources manager in a top aerospace company. Most days, you get into work at 9am. Today, a Monday like any other Monday, is no exception. You check your e-mail first thing in the morning. As usual, most of the e-mails you get are job applications. One of them catches your eye; you know that the aero engine division has a vacancy because work on a new jet engine is moving quickly.
The e-mail is from someone who appears to have the right qualifications. You download the attachment named "CV" and forward the e-mail to the aero division head for her consideration.
Somewhere else in the building, the aero division head reads your e-mail and downloads the attachment, too, before heading off to a meeting on the new engine design which she is very excited about.
Neither of you knows that these two downloads have triggered pings in a computer far away, in another country.
The person sitting in front of the computer wears a quiet smile.
That's because a small piece of malicious code had been attached to the document that was sent to you, and your downloading it gave the hacker access to the computer by creating a "backdoor" - a hard-to-detect connection to the Internet that bypasses security protocols.
The hacker uses this backdoor to send in more malicious code and gains full access to the two computers - and through them, the company network.
This job application e-mail wasn't sent randomly. The criminal group, to which the hacker belongs, had been hired to steal your firm's intellectual property.
The hacker finds what he is looking for - a detailed 3D engineering drawing of the new jet engine with notes. He exfiltrates this file and other important documents he finds during his search, before hitting a "kill switch" which erases the malicious code and leaves with virtually no trace.
This incident, while hypothetical, is entirely feasible.
Similar incidents have in fact happened through what are known as Advanced Persistent Threats (APTs), arguably the most dangerous and sophisticated form of hacking.
New threats, new opportunities
While this is the sort of thing that keeps chief information officers (CIOs) up at night, cyber threats are also fuelling a burgeoning demand for cybersecurity professionals.
David Koh, chief executive of the Cyber Security Agency (CSA) of Singapore, says: "We tend to hear and read about the negative or 'dark side' of cybersecurity, but there is also an upside - cybersecurity is an emerging growth sector with the potential to provide over 2,500 job openings by 2018."
"The cybersecurity sector in Singapore is projected to grow by about 9 per cent a year to reach around S$900 million by 2020."
Today, there is a shortage of cybersecurity expertise worldwide.
Last year, a Robert Half report found that 85 per cent of Singaporean CIOs expect more cybersecurity threats over the next five years because of a shortage of skilled information technology (IT) security professionals.
"New technologies raise new security concerns. This trend has resulted in an IT security skills gap since the available expertise has not kept pace with the evolving IT threats," David Jones, senior managing director, Asia Pacific at Robert Half, had said in the report.
According to data cited by ISACA - a professional association focused on IT governance - the world will face a shortage of 2 million cybersecurity professionals by 2019.
Where there is scarcity, there is also earning opportunity.
A report by the Center for Strategic and International Studies and Intel Security which surveyed eight countries said: "The median cybersecurity salary reported in surveyed countries is at least 2.7 times the average wage, according to the OECD (Organisation for Economic Co-operation and Development)."
"Cybersecurity jobs in the United States pay an average of US$6,500 more than other IT professions, a 9 per cent premium," it added.
CSA's Mr Koh notes that in order to strengthen Singapore's cybersecurity, "we need to not only build technological capabilities, but also a highly-trained cybersecurity workforce."
The government has introduced a Cybersecurity Professional Scheme of Service for the public sector. Centrally managed by CSA, the scheme will develop a central core of cybersecurity professionals to be deployed across agencies to strengthen Singapore's cyber defences.
Elsewhere, other chances to acquire new skills are emerging.
"...the Ministry of Defence has announced the creation of a new cyber defence vocation for national servicemen. Other initiatives aimed at training and upskilling cybersecurity enthusiasts include the Cyber Security Associates and Technologists Programme and the Work-Study Degree Programme," says CSA's Mr Koh.
The private sector is also trying to plug the gap in the supply of cybersecurity expertise.
Minister for Communications and Information, Yaacob Ibrahim, recently noted that companies such as Singtel, ST Electronics (Info-Security), Quann, Accel, and Deloitte have joined the Cyber Security Associates and Technologists programme to train more cybersecurity professionals for the industry.
The formidable foe
Even as companies and governments try to marshal their cybersecurity troops, they will face a formidable foe that is well-versed in cyber guerrilla warfare.
"Perpetrators often acquire legitimate user credentials or gain access through unprotected software or hardware, allowing them to easily bypass traditional security tools like firewalls," says Sanjay Aurora, Asia Pacific MD of Darktrace, which specialises in detecting sophisticated cyber threats.
It can take up to 230 days for a company to realise they have been breached and critical systems compromised. "At Darktrace, we once started working with a customer, only to find that there was a sophisticated threat inside their network that had been there for eight years," he says.
Bill Chang, CEO Group Enterprise at Singapore Telecommunications (Singtel), notes that hackers have the means to break any password.
"There are password-breaking machines... Any password in seven-alphanumeric format can be broken in minutes, 11-alphanumeric could be broken in two weeks," says Mr Chang, who oversees Singtel's vast and growing security practice. (See Clarification note)
Many people think malware to be a virus or a code, he continues. "But nowadays it (is) more a case of a 'who' rather than a 'what'.
"'Who' could be whether it is a nation-state, a very sophisticated group with immense resources that could target an organisation and bring it down or target a government. The 'who' could be a cybercriminal who is doing it for financial gains.
"The 'who' could be a group that just wants to steal IP and technology companies are very worried. The 'who' could also be an activist group like Anonymous who are out to get a government or organisation with whom they don't agree."
The problem is compounded by the fact that today, you don't need to be a coding specialist in order to be a hacker.
Online tools are easily available for hacking. "There is a Russian forum that... sells everything under the sun that you could use as attack tools. The underground web grows quickly. You need less than US$6,000 to create all these attack tools, a website to target people and you could use ransomware on them and could earn as much as US$90,000 a month even if you only attract a small percentage of people to download the ransomware," Mr Chang notes.
"With that kind of RoI (return on investment) you can imagine why this is growing so fast."
He adds that people in the hackers' ecosystem usually attack people and organisations in other countries and so apprehending them is difficult because of the lack of cross-country jurisdiction.
Safe habits save data
If you do not have a burgeoning cybersecurity career in your future, there is still more that you can do as an individual.
The key findings from CSA's first cybersecurity Public Awareness Survey of 2,000 respondents showed that many still do not practise good cybersecurity habits. For example, only one in three manage their passwords securely.
"We need a change in mindset," says CSA's Mr Koh. "Many of us believe that we are not targets, because cyber criminals will only target wealthier individuals and more profitable companies. Or we are deterred (from taking a pro-active stance), thinking that cybersecurity is too technical."
Staying safe online is not as hard as one may think. Here's a list of some easy steps one can take to stay safe online:
- Install reputable antivirus and anti-malware software from a trusted source. This is one thing you shouldn't skimp on; buy the best and never download "free" anti-malware software.
- Keep all software up-to-date, including the all-important operating system (OS) - always click "yes" on OS update notifications.
- Protect devices and accounts with strong passwords and change them regularly.
- Minimise the chance of your device getting infected by not giving special access to any software that doesn't need such access. For example, if the free calculator app you downloaded wants to access your contacts or location, that should raise a red flag.
- Similarly, don't plug an unknown flash drive into your computer, unless you get it from a trusted source. The reverse is also true - don't plug your thumb drive into unknown computers. Instead, send files by e-mail or share them through sites like Dropbox and Google Drive; they are free, safe and easy to use.
- Don't download apps from less-than-reputable sites. Spend some money in the app store and buy from well-known brands.
- Never get tricked into downloading an attachment or clicking on a link from an unknown source which says things like your password is about to expire or that you've won a prize in a competition that you didn't participate in.
- Remember that the government or your bank will never ask you over an e-mail for your password, or send you a link to a website where it asks you to key in your existing password. And beware of some of the spoof websites which look remarkably similar to the official ones. Phone up your bank or government department to confirm before clicking.
Finally, always remember why you lock your front door and look into a keyhole to see who it is before opening the door. You do so because you don't want someone you don't know getting into your home.
Use the same habits online; don't keep your virtual door open and don't get tricked into letting an intruder in.
Fighting the cyber threat is the new frontier in IT - Singapore and its denizens need to be among the winners in this battle for cybersecurity. In this space, every individual can contribute by staying safe themselves. As with any other battle, the spoils go to the victors. So suit up, and get ready to man the ramparts.
Clarification note: This article has been updated to reflect that Singapore Telecommunications does not possess or use any password breaking machines.