BLOG

APAC Security: 2 Opportunities for business, 1 for Hackers

缩略图
Published May 01, 2016

I’ve just completed a security evangelism tour through Asia-Pacific North (APAC), and I wanted to share some of the challenges and opportunities around security in that part of the world. APAC, as a region, is not as technologically developed as the Americas (AMER), Australia/New Zealand (ANZ), and Europe/Middle East/Africa (EMEA). The area’s technological lag provides three interesting opportunities: two for business, and one for hackers.

Scaling Up

The sheer number of possible consumers in APAC means there are incredible opportunities for growth. Take the Philippines, for example; it has a population of 90 million people, most of whom don’t have smartphones but are likely to in the future. The telecom service providers in the Philippines are provisioning for transition. During my recent visit there, one provider purchased four of F5’s topline chassis filled with 18 of the highest-performing blades F5 offers. They’re building for a network expecting tens of millions of smartphones to come online in the next decade.

Similarly, one company in India wants to transform its massive potential consumer market by offering $5 smartphones with a plan of $5/month. (As someone in the developed world whose smartphone plan exceeds $100 a month, I am jealous!) India, with a population of over 1.5 billion, represents one of the largest possible markets in the world. The question is, can the Indian telecom industry build an infrastructure to support that many smartphones before they come online?

 

 

Untapped Victims

There’s a new hack in the US called “CEO fraud” that’s already cost organizations billions. CEO fraud is a social-engineering hack that starts with a malware infection. An attacker spear-phishes his way into an organization to the point where he compromises the email system. If he can, he watches email and learns the business processes, then forges an email from the CEO to the CFO asking for a routine money transfer--but to the attacker’s own account. I talked with one customer in the midwestern US who almost fell for this attack; the heist was stymied because the attacker didn’t quite effect the same email conversation tone of their CEO. But many US companies have indeed fallen prey. The FBI has, in fact, issued an advisory about CEO fraud.

 

The “fix” against CEO fraud is to verbally confirm large transfers with the executive who originated the transfer; that is, to pick up the phone and just make sure the transfer is legitimate.


No one that I talked to in APAC had heard of this attack yet. Attackers using the technique are targeting richer clients in AMER who aren’t yet inoculated via threat intelligence. At some point, everyone in the States will be familiar with this ruse, either because they themselves lost money from it, or because it happened to a friend of a friend, or because they read about it in a blog entry like this.

The attackers will begin targeting other regions when the US gets saturated. Singapore will be an obvious choice given how many financial institutions make transactions there. Organizations in banking centers like Singapore and Hong Kong should take steps now to improve their processes before the attack spreads to their cities.

 

Opportunities to skip failure

The concept of disruptive technology isn’t new. Over 20 years ago, Philip Anderson and Michael L. Tushman wrote Technological Discontinuities and Dominant Designs: A Cyclical Model of Technological Change1, in which they looked at disruption in the cement, glass, and transportation industries.

According to their research, technological change follows four steps in a cycle:

  1. Disruptive technology (provides discontinuity)

  2. Era of ferment, during which several designs compete for dominance

  3. Dominant design emerges (which is often not the disruptive design)

  4. Era of incremental change (this is where sales peak)
     

Then another disruption occurs and the cycle restarts.

There’s a new hack in the US called “CEO fraud” that’s already cost organizations billions. CEO fraud is a social-engineering hack that starts with a malware infection. An attacker spear-phishes his way into an organization to the point where he compromises the email system. If he can, he watches email and learns the business processes, then forges an email from the CEO to the CFO asking for a routine money transfer--but to the attacker’s own account. I talked with one customer in the midwestern US who almost fell for this attack; the heist was stymied because the attacker didn’t quite effect the same email conversation tone of their CEO. But many US companies have indeed fallen prey. The FBI has, in fact, issued an advisory about CEO fraud.

 

The “fix” against CEO fraud is to verbally confirm large transfers with the executive who originated the transfer; that is, to pick up the phone and just make sure the transfer is legitimate.


No one that I talked to in APAC had heard of this attack yet. Attackers using the technique are targeting richer clients in AMER who aren’t yet inoculated via threat intelligence. At some point, everyone in the States will be familiar with this ruse, either because they themselves lost money from it, or because it happened to a friend of a friend, or because they read about it in a blog entry like this.

The attackers will begin targeting other regions when the US gets saturated. Singapore will be an obvious choice given how many financial institutions make transactions there. Organizations in banking centers like Singapore and Hong Kong should take steps now to improve their processes before the attack spreads to their cities.

 

Opportunities to skip failure

The concept of disruptive technology isn’t new. Over 20 years ago, Philip Anderson and Michael L. Tushman wrote Technological Discontinuities and Dominant Designs: A Cyclical Model of Technological Change1, in which they looked at disruption in the cement, glass, and transportation industries.

According to their research, technological change follows four steps in a cycle:

  1. Disruptive technology (provides discontinuity)

  2. Era of ferment, during which several designs compete for dominance

  3. Dominant design emerges (which is often not the disruptive design)

  4. Era of incremental change (this is where sales peak)
     

Then another disruption occurs and the cycle restarts.

There’s a new hack in the US called “CEO fraud” that’s already cost organizations billions. CEO fraud is a social-engineering hack that starts with a malware infection. An attacker spear-phishes his way into an organization to the point where he compromises the email system. If he can, he watches email and learns the business processes, then forges an email from the CEO to the CFO asking for a routine money transfer--but to the attacker’s own account. I talked with one customer in the midwestern US who almost fell for this attack; the heist was stymied because the attacker didn’t quite effect the same email conversation tone of their CEO. But many US companies have indeed fallen prey. The FBI has, in fact, issued an advisory about CEO fraud.

 

The “fix” against CEO fraud is to verbally confirm large transfers with the executive who originated the transfer; that is, to pick up the phone and just make sure the transfer is legitimate.


No one that I talked to in APAC had heard of this attack yet. Attackers using the technique are targeting richer clients in AMER who aren’t yet inoculated via threat intelligence. At some point, everyone in the States will be familiar with this ruse, either because they themselves lost money from it, or because it happened to a friend of a friend, or because they read about it in a blog entry like this.

The attackers will begin targeting other regions when the US gets saturated. Singapore will be an obvious choice given how many financial institutions make transactions there. Organizations in banking centers like Singapore and Hong Kong should take steps now to improve their processes before the attack spreads to their cities.

 

Opportunities to skip failure

The concept of disruptive technology isn’t new. Over 20 years ago, Philip Anderson and Michael L. Tushman wrote Technological Discontinuities and Dominant Designs: A Cyclical Model of Technological Change1, in which they looked at disruption in the cement, glass, and transportation industries.

According to their research, technological change follows four steps in a cycle:

  1. Disruptive technology (provides discontinuity)

  2. Era of ferment, during which several designs compete for dominance

  3. Dominant design emerges (which is often not the disruptive design)

  4. Era of incremental change (this is where sales peak)
     

Then another disruption occurs and the cycle restarts.

There’s a new hack in the US called “CEO fraud” that’s already cost organizations billions. CEO fraud is a social-engineering hack that starts with a malware infection. An attacker spear-phishes his way into an organization to the point where he compromises the email system. If he can, he watches email and learns the business processes, then forges an email from the CEO to the CFO asking for a routine money transfer--but to the attacker’s own account. I talked with one customer in the midwestern US who almost fell for this attack; the heist was stymied because the attacker didn’t quite effect the same email conversation tone of their CEO. But many US companies have indeed fallen prey. The FBI has, in fact, issued an advisory about CEO fraud.

 

The “fix” against CEO fraud is to verbally confirm large transfers with the executive who originated the transfer; that is, to pick up the phone and just make sure the transfer is legitimate.


No one that I talked to in APAC had heard of this attack yet. Attackers using the technique are targeting richer clients in AMER who aren’t yet inoculated via threat intelligence. At some point, everyone in the States will be familiar with this ruse, either because they themselves lost money from it, or because it happened to a friend of a friend, or because they read about it in a blog entry like this.

The attackers will begin targeting other regions when the US gets saturated. Singapore will be an obvious choice given how many financial institutions make transactions there. Organizations in banking centers like Singapore and Hong Kong should take steps now to improve their processes before the attack spreads to their cities.

 

Opportunities to skip failure

The concept of disruptive technology isn’t new. Over 20 years ago, Philip Anderson and Michael L. Tushman wrote Technological Discontinuities and Dominant Designs: A Cyclical Model of Technological Change1, in which they looked at disruption in the cement, glass, and transportation industries.

According to their research, technological change follows four steps in a cycle:

  1. Disruptive technology (provides discontinuity)

  2. Era of ferment, during which several designs compete for dominance

  3. Dominant design emerges (which is often not the disruptive design)

  4. Era of incremental change (this is where sales peak)
     

Then another disruption occurs and the cycle restarts.

There’s a new hack in the US called “CEO fraud” that’s already cost organizations billions. CEO fraud is a social-engineering hack that starts with a malware infection. An attacker spear-phishes his way into an organization to the point where he compromises the email system. If he can, he watches email and learns the business processes, then forges an email from the CEO to the CFO asking for a routine money transfer--but to the attacker’s own account. I talked with one customer in the midwestern US who almost fell for this attack; the heist was stymied because the attacker didn’t quite effect the same email conversation tone of their CEO. But many US companies have indeed fallen prey. The FBI has, in fact, issued an advisory about CEO fraud.

 

The “fix” against CEO fraud is to verbally confirm large transfers with the executive who originated the transfer; that is, to pick up the phone and just make sure the transfer is legitimate.


No one that I talked to in APAC had heard of this attack yet. Attackers using the technique are targeting richer clients in AMER who aren’t yet inoculated via threat intelligence. At some point, everyone in the States will be familiar with this ruse, either because they themselves lost money from it, or because it happened to a friend of a friend, or because they read about it in a blog entry like this.

The attackers will begin targeting other regions when the US gets saturated. Singapore will be an obvious choice given how many financial institutions make transactions there. Organizations in banking centers like Singapore and Hong Kong should take steps now to improve their processes before the attack spreads to their cities.

 

Opportunities to skip failure

The concept of disruptive technology isn’t new. Over 20 years ago, Philip Anderson and Michael L. Tushman wrote Technological Discontinuities and Dominant Designs: A Cyclical Model of Technological Change1, in which they looked at disruption in the cement, glass, and transportation industries.

According to their research, technological change follows four steps in a cycle:

  1. Disruptive technology (provides discontinuity)

  2. Era of ferment, during which several designs compete for dominance

  3. Dominant design emerges (which is often not the disruptive design)

  4. Era of incremental change (this is where sales peak)
     

Then another disruption occurs and the cycle restarts.

There’s a new hack in the US called “CEO fraud” that’s already cost organizations billions. CEO fraud is a social-engineering hack that starts with a malware infection. An attacker spear-phishes his way into an organization to the point where he compromises the email system. If he can, he watches email and learns the business processes, then forges an email from the CEO to the CFO asking for a routine money transfer--but to the attacker’s own account. I talked with one customer in the midwestern US who almost fell for this attack; the heist was stymied because the attacker didn’t quite effect the same email conversation tone of their CEO. But many US companies have indeed fallen prey. The FBI has, in fact, issued an advisory about CEO fraud.

 

The “fix” against CEO fraud is to verbally confirm large transfers with the executive who originated the transfer; that is, to pick up the phone and just make sure the transfer is legitimate.


No one that I talked to in APAC had heard of this attack yet. Attackers using the technique are targeting richer clients in AMER who aren’t yet inoculated via threat intelligence. At some point, everyone in the States will be familiar with this ruse, either because they themselves lost money from it, or because it happened to a friend of a friend, or because they read about it in a blog entry like this.

The attackers will begin targeting other regions when the US gets saturated. Singapore will be an obvious choice given how many financial institutions make transactions there. Organizations in banking centers like Singapore and Hong Kong should take steps now to improve their processes before the attack spreads to their cities.

 

Opportunities to skip failure

The concept of disruptive technology isn’t new. Over 20 years ago, Philip Anderson and Michael L. Tushman wrote Technological Discontinuities and Dominant Designs: A Cyclical Model of Technological Change1, in which they looked at disruption in the cement, glass, and transportation industries.

According to their research, technological change follows four steps in a cycle:

  1. Disruptive technology (provides discontinuity)

  2. Era of ferment, during which several designs compete for dominance

  3. Dominant design emerges (which is often not the disruptive design)

  4. Era of incremental change (this is where sales peak)
     

Then another disruption occurs and the cycle restarts.

Because APAC, as a region, is several years behind AMER and EMEA and ANZ, there may be a unique opportunity for APAC organizations to skip the era of ferment (failed designs) that those other regions are sure to suffer, and go right to the dominant design.

Here’s a concrete (ha!) example around transportation.

Sugar train, Australia, image by Gwernol CC BY-SA 3.0

In Australia, the steam-powered train was a disruptive technology for their transportation industry, which until then had been largely based on shipping. As locomotive technology was developing, three designs of train gauge (width) competed to be the standard. Train companies laid tens of thousands of kilometers of tracks of different widths in different provinces.

These divergent rail widths still exist today in Australia. There are several places where passengers have to debark a train that uses one width and board a different train with a different width to continue their journey across provinces. More than 250 fixes have been proposed to address this Australian era of ferment, and all have been rejected. No dominant design has emerged after over 150 years.

 

Image by KimonBerlin - Flickr, CC BY-SA 2.0

Compare that ridiculous situation with the amazing high-speed train systems in APAC, which were built over a century later when the modern dominant designs emerged. APAC took longer to get those train systems, but their final result is much better for it.

 The same opportunity exists for cyber security in APAC. Some of the new technologies that organizations in AMER are investing in today may turn out to be the initial disruptive technology, but not the ultimate dominant design. The engineers who can figure out which technologies are which in APAC can make a huge difference going forward.

Worms and cheese

One of my favorite quotes is a combination of two famous sayings: “The early bird may get the worm, but the second mouse gets the cheese.”

Given its potential scale and technological lag, APAC may be the second mouse getting an enormous slice of cheese. On the other hand, for APAC organizations that don’t learn from the lessons of cyber victims in AMER, APAC organizations may get caught in the same traps.

Both ways are food for thought.