Information Security in 2019
Total Page:16
File Type:pdf, Size:1020Kb
INFORMATION SECURITY IN 2019 Annual report of the National Cyber Security Centre Traficom publications 5/2020 CONTENTS Society needs information security in daily life – together we are the strongest link 3 TOP 3 SECURITY THREATS AND PROTECTION AGAINST THEM 4 Threats and solutions for individuals 5 Threats and solutions for organisations 6 Significant cyber security events in 2019 8 CYBER WEATHER PHENOMENA 10 Network functionality 11 Espionage and influencing 18 Malware and vulnerabilities 20 A large-scale ransomware attack can cost tens of millions 21 Data breaches and data leaks 24 Phishing and scams 26 Internet of Things 31 Key information security risks for individuals, organisations and central government 32 OUR SERVICES 34 Coordination centre handles thousands of cases every year 35 Municipalities have an important role in providing everyday services and protecting residents 35 Information security regulation and assessments 38 Cooperation and sharing of information 42 A better grip on cyber security through exercises 48 Work on the future and development of operations 50 Our KPIs 58 CYBER WEATHER 2019 AND A LOOK AT CYBER YEAR 2020 60 10 Information security forecasts for 2020 61 Cyber weather 2019 64 A busy year of publications, events and campaigns 66 Summary of cyber weather news in 2019 69 2 Society needs information security in daily life – together we are the strongest link The widest societal discussion in 2019 concerned the We were pleased with the wide publicity attract- cyber security of 5G technology. We were ready, as ed by the Cybersecurity label for consumer devices our experts have worked on evaluating the technolog- developed by us last year. This label offers an easy way ical challenges and potential created by the new tech- of improving your personal cyber security. Our active nology and standard since 2017. Our ability to produce campaign on the social media, TV and radio reached technical information for the national risk assessment over 2.4 million citizens, awakening their interest in was also appreciated internationally. information security! Peak moments of 2019 for the NCSC-FI included The new year will bring not only new challenges our international events: the world's first 5G Hacka- but also positive development. The interest generated thon and Galileo Innovation Challenge. These events by the guide ‘Cyber security and the responsibilities were evidence of smooth cooperation between tele- of boards’ published at the beginning of the year is communications operators, hardware manufacturers a good indicator of companies’ willingness to take and the authorities. Our strength lies in cooperation, action. and we must hold on to it. I had the pleasure of starting my work as Director The past year will also be remembered for the rap- of the National Cyber Security Centre at the beginning id exploitation of new vulnerabilities and ransomware of 2020. Active cooperation with our stakeholders pro- with extensive impacts – and it marks the point where vides an excellent foundation for further development scams and phishing became part of our daily life, the of society's cyber security in 2020. new normal. It was also a mega year of cyber security regulation, during which many pieces of legislation on Helsinki, 19 February 2020 information security entered into force. Among other Kalle Luukkainen things, TUPAS authentication protocol became obso- Director-General lete, and changes in identification and trust services National Cyber Security Centre brought competition into this sector. Finnish Transport and Communications Agency Cyberattacks targeting the municipal sector were Traficom one of the starkest wakeup calls in the field of cyber security last year. They showcased the vulnerability of our society and, among other things, obstructed citizens' basic services and daily life. These cases and the investigations in them have sparked discus- sion in central government, municipalities and top management in the business world. It is crucial that this matter does not remain at the level of discussion; essential and concrete actions and decisions must be taken to achieve improvements. In 2019, ‘big game hunting’ made its way to Finland as a new phenomenon. It refers to criminals targeting ransomware attacks at large companies in the hope of extorting large amounts of money. These attacks have caused serious incidents and even busi- ness interruptions for companies, as well as consider- able financial losses. The phenomenon has put overall management of cyber risks, which also covers the supply chains and partners, on the agenda in corpo- rate management. 3 TOP 3 SECURITY THREATS AND PROTECTION AGAINST THEM 4 Threats and solutions for individuals High-quality passwords, periodic security updates and judicious online behaviour. There has been little change in information security threats and solutions for individuals in recent years. The same principles will help you protect yourself and your most important data now and in the years to come. THREATS SOLUTIONS Scammers make away with your data No need to disclose too much information and money A public authority or service provider will not Everyone is a target for scams and phishing. ask for your user IDs or banking credentials Scams are part of daily life for companies, the online. If somebody requests this information public administration, associations, funds, unexpectedly, you should ask why they need foundations and educational institutions alike. it and wonder if the message is genuine. Some are blatantly obvious, while others are Instead of using the link provided, log in skilfully prepared and targeted and comple- through the service provider’s website. This tely credible. The aim of the criminals is to is a safe way of checking if you really need to access the organisation's information systems provide your information or take some action. and, for example, send fake invoices or spy on business secrets. High-quality passwords and strong authentication protect your data Weak passwords and easy access At the very least, a good password is a long to e-services one. Only use each password for one service. Each one of us may use up to several hund- Start using a password manager application. red online services. As you cannot remember It will remember the passwords for you. Also dozens of unique passwords, you often end enable two-step identification and strong up using the same, simple passwords for a electronic identification whenever possible. number of services. This increases the risks: This will increase the security level of such in case of a data breach or leak, all the ac- services as your bank account and social counts protected with the same password media accounts. will be compromised. See to updates and product security Unprotected smart devices By updating your devices, you can also pro- Like your mobile phone, smart TV, and tect them from security threats. If you enable computer are certain to contain valuable automatic updates, you will not have to think information about you. Do you know how about them yourself. to take care of their security and updates? A large share of security updates contain patches to fix security issues in your device or software. Using devices which have not been updated is always a risk. It is like an open invitation to hackers. Are you purchasing a new smart device? Our Cybersecurity label indicates that the device is safe. 5 Threats and solutions for organisations Risk management, preparedness and personnel training are all part of a well-managed cyber security programme in an organisation. As it requires mastering many different areas, cyber security should be a shared practice of the entire organisation. THREATS SOLUTIONS Daily phishing and scams Include cyber security in your Companies, the public administration, associa- organization's risk management tions, funds, foundations and educational insti- Cyber security risks must be addressed. The tutions are targeted by scams and phishing on a same mechanisms apply to them as to more daily basis. Some are obvious, while others are conventional risks: for example, the risk can be skilfully prepared and targeted and they appear eliminated by inactivating a service, or its proba- to be credible. The criminals use these scams to bility can be reduced by using strong electronic access the organisation’s information systems, for identification. The residual risk can be tolerated example to send fake invoices or spy on business if its level is acceptable to the organisation’s secrets. management. Rapid exploitation of new vulnerabilities Practise your response to incidents – traditional prevention & response is no and emergencies longer sufficient What will you do if a cybercriminal has hacked Any vulnerabilities that come to light are ex- into your email system and is sending fake in- ploited almost immediately by criminals in their voices in your name? The best practices can be attacks, and organisations should consequently identified by participating in training and organi- be prepared to update their information systems sing exercises on responding to different cyber and applications at an increasingly faster pace. incidents. This often also is the most cost-effec- This is particularly important for organisations tive way of uncovering any shortcomings. If you working with leading-edge technologies and know your information environment and have innovations, which are a particular target for both practised your routines for updating and backing criminals and