Cyber Security in 2023: Trends and Insights from Industry Experts

As we look back on 2023, the cyber security landscape has been anything but static. It’s been a year of evolving threats and significant challenges for both individuals and businesses.

To get a clear picture of what’s happening, we’ve turned to our expert consultants for their insights. They’ve shared their perspectives on the latest threats, the complexities they introduce, and effective strategies to counter them. Covering everything from cunning social engineering tactics to vulnerabilities in widely used digital platforms, our experts help break down the key trends.

Rising Threats: Phishing and Vishing

Social engineering has been a common threat in 2023. Major organisations including Okta and Uber have fallen victim to these attacks, but a lot of smaller organisations have also seen the impact of phishing and vishing attacks on their organisations.

In the ever-evolving landscape of cyber security, social engineering attacks continue to be a persistent and growing threat. These attacks exploit human psychology rather than relying on technical vulnerabilities, making them a formidable challenge for individuals and organisations alike. As we delve into the recent trends, it becomes evident that social engineering has evolved to become more sophisticated and targeted, posing a significant risk to personal and corporate security.

One of the notable trends in social engineering attacks is the rise of personalised phishing campaigns. Cybercriminals have become adept at collecting and leveraging personal information to craft convincing and targeted phishing emails. These emails often appear as though they are from trusted sources, making it increasingly challenging for individuals to discern their authenticity.

While phishing attacks commonly target email and messaging platforms, vishing has emerged as a noteworthy trend. Attackers use voice communication, often through phone calls, to manipulate individuals into revealing sensitive information. This can involve posing as a trusted entity, such as a bank representative or a government official, creating a sense of urgency to prompt immediate action.

– Chris Pickering, Head of Security Testing


The Payment Security Landscape

Has 2023 proven to be a turning point in the payment security landscape? Well, one thing that has been noted is that the number of data breaches is increasing every month. It appears that events which once would have been headline stories on the evening news are no longer even reported on… They have become too regular to even be categorised as newsworthy.

It seems even the major players in the financial industry have adopted this stance and accepted that data loss is going to happen. The card schemes have adjusted their thresholds for triggering an investigation of such events too. A few years ago, any compromised entity would have undergone a thorough investigation to ascertain the root cause of the breach and would have been given assistance to contain and remediate the issue as quickly as possible. This only happens now for the very largest of incidents.

The takeaway from this past year is that 2024 will be another challenging year. Data breaches have almost become the accepted normality now, which is worrying for anyone who purchases things online. When the new PCI DSS standard kicks in, we may see a change but, in all honesty, don’t expect anything visible for at least 18 months.

– Paul Brennecker, Head of Professional Services


Challenges and Upcoming Changes to the PCI DSS

Common PCI DSS Challenges

A significant hurdle that persists for many organisations is the development and maintenance of comprehensive PCI DSS policies that are truly fit for purpose. Despite having policy documentation in place, a common oversight is the regular review of these policies. This negligence often leads to last-minute scrambles during assessments, which not only creates stress for the client but also unnecessarily extends the involvement of the Qualified Security Assessor (QSA).

The root of this issue often lies in treating documentation as a mere ‘paper-based’ exercise, rather than as a crucial tool for enforcing effective information security practices. This attitude can stem from various factors, such as a lack of resources or the absence of clear responsibility and control within the organisation.

Proactive Measures for Effective Compliance

In light of the critical role that appropriate documentation plays in PCI DSS compliance, we emphasise to our clients the importance of this aspect right from the beginning of our engagement. To help organisations that struggle in this area, we offer services that include the creation and provision of necessary documents, ensuring they are not only compliant but also practical and relevant.

Upcoming PCI DSS Changes

A significant development in the field of PCI DSS is the upcoming launch of version 4.0. This update, which is set to replace version 3.2.1 by March 2024, is essential to keep pace with evolving technological landscapes. Version 4.0 offers greater flexibility in how organisations meet the requirements, but it also introduces several new requirements.

Organisations, as well as QSAs, need to be well-prepared for this transition. It’s important to really understand and get used to the small but important details of the new version. Organisations shouldn’t underestimate the time and effort that will be required to implement the new controls and requirements. Early awareness and preparation are key to a smooth transition to PCI DSS v4.0.

– Rish Auckburally, Principal Information Security Consultant


Common Challenges in Website Security

Rising Challenges and Threats

A critical aspect of cyber security challenges revolves around the use of Content Management Systems (CMS). Looking at the cases we worked on in 2023, WordPress, often coupled with WooCommerce for payment processing, was involved in 40% of the cases. Magento followed closely, accounting for 38% of incidents. Other CMS platforms like OpenCart, PrestaShop, and custom applications were also targeted but to a lesser extent.

Our investigations revealed several critical vulnerabilities. The primary issue across platforms was the lack of regular software updates, particularly with WordPress, WooCommerce, and Magento, some unpatched since 2018. Other common vulnerabilities included missing HTTP security headers, Content Security Policies (CSP), and HTTP Strict Transport Security (HSTS), leaving sites open to XSS attacks and MITM risks. Additionally, many sites lacked crucial security features like anti-Cross-Site Request Forgery (CSRF) tokens and newer headers like Referrer-Policy and Permissions-Policy.

The main attack vectors we identified were exploiting unpatched CMS vulnerabilities and brute-force attacks on administration panels, often found at default locations without multifactor authentication.

Best Practice Measures for Securing Your Websites

Our recommendations emphasise the importance of regular patch management, updating software, and reviewing HTTP Security Headers. E-commerce sites should also conduct regular security audits of JavaScript, implement File Integrity Monitoring (FIM), and enforce strict password policies with multifactor authentication for administrators.

A key takeaway from 2023 is the inadequacy of fully hosted payment models in e-commerce sites as a standalone security measure. Despite their widespread use, attackers have found ways to intercept card payment details. Therefore, it is crucial for merchants to keep their CMS updated to safeguard against emerging cyber threats.

– Mario Bateman, Digital Forensics and Incident Response Consultant
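As an added example (not the article's or 3B Data Security's code), the following Python audits a response for the headers the section above lists as commonly missing: HSTS, CSP, Referrer-Policy and Permissions-Policy. It runs offline over two constructed header sets, one unhardened and one hardened; the one-year HSTS threshold and the `'unsafe-inline'` check are assumed baselines, not figures from the article.

```python
"""Offline audit of the response security headers named above (added example).
The one-year HSTS threshold and the unsafe-inline check are assumed baselines."""
from __future__ import annotations

# Constructed sample: a typical unhardened CMS response.
WEAK_HEADERS = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}

# Constructed sample: the same response with the recommended headers added.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

def _directive_value(header: str, name: str) -> str | None:
    """Return the value of a `name=value` directive in a `;`-separated header."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == name:
            return value.strip()
    return None

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings in check order; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: requests can be downgraded to HTTP (MITM risk)")
    else:
        max_age = _directive_value(hsts, "max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) < 31536000:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: injected scripts run unrestricted (XSS risk)")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits 'unsafe-inline' or 'unsafe-eval'")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing: full URLs leak to third-party sites")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing: browser features left unrestricted")
    return findings
```

Feed it the headers captured from a site's own front page (for example with `curl -sI`) to get the same checklist the section recommends reviewing.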


Navigating the cyber threat landscape can be a complex and daunting task, but you don’t have to face it alone. Our team of experts is dedicated to helping your organisation strengthen its cyber defences and stay ahead of emerging threats. We have a deep understanding of the latest trends and challenges organisations face and are well-equipped to help keep you cyber secure and resilient.

If your organisation does fall victim to a cyber incident, the team at 3B Data Security are on hand 24x7x365 to support you. Our rapid response and expertise ensure that your business is supported at every step, minimising impact and guiding recovery.
