ISACA Asia Pacific CACS 2019

1. Global Technologies and
Risks Trend
Charles Mok
Legislative Councillor (IT)
2019-4-1 @ ISACA Asia Pacific CACS 2019

2. More devices
More risks
more business operations, payment,
e-services via devices
2

3. How are you keeping up
with the latest risks?
cybercriminals have stepped up
efforts to discover new
vulnerabilities and exploit them
3

4. Up-and-coming in cyber risks
Escalating arms race between attackers and defenders
Credential stuffing
Collaboration app security
AI/Machine learning
IoT / smart electronic devices
Virtualisation
Blockchain
Digital identity
4
Increasingly volatile cyber
security landscape:
Ransomware
DDoS
Phishing

5. Data breach incidents growing in scale
5

6. AI-powered attack: rise in automated attacks
faster attacks, harder to detect
Post-exploitation (discovery and
exploitation of other vulnerabilities
inside)
Data theft: AI-powered data
search and classification
Vulnerability discovery using AI
tools
Exploitation: quickly generate
exploit variants, AI botnet
6

7. Cyber-defence: AI vs AI
Security devices and systems can be trained to perform specific tasks
autonomously, but also can be exploited to
⊗ train devices or systems to not apply patches or updates to a
particular device
⊗ ignore specific types of applications or behaviors
⊗ not log specific traffic to evade detection
7

8. Cyber-physical attacks:
The Internet of Things risk
Wide open: Unsecured, never
updated older devices
- connected video cameras
- home appliances
- smartwatches
built-in web server to allow for
remote access and management
Satori malware (variant of the
notorious Mirai): continue to
exploit zero-day vulnerabilities in
home routers and other IoT
devices
driving up the sophistication,
scale and speed of today’s DDoS
attacks against networks and
mission-critical services
8

9. Attacks targeting cryptocurrencies
lending and exchange platforms
⊗ cybercriminals demand for
payment in cryptocurrencies
⊗ embedding ransom
messages in the attack
traffic
⊗ leveraging botnets to spread
cryptocurrency mining
malware
use of AI to perform scanning,
identify vulnerabilities and launch
targeted strikes
9

10. Crypto-jacking:
Malwares that steal CPU processing resources
More money for less risk
Hackers are placing crypto mining
scripts on apps, networks, and
websites that run surreptitiously
- through phishing-like tactics
- inject a script on a website /
an ad
10

11. Blockchain not ‘unhackable’
cryptocurrency and smart contract platforms at risk
⊗ More security loopholes are
appearing
⊗ private data submitted to the
blockchain can be monitored
or pieced together
⊗ blockchain storage:
susceptible to attack and
loss at very large scale
⊗ “Immutable” myth busted by
hacks: double-spent
cryptocurrencies
⊗ Famous case: DAO attack
(due to a duplicate
transaction logic flaw in a
smart contract
implementation that lead to
a large amount of money
being stolen)
11

12. To counteract the latest risks,
organizations will need to
continue to raise the bar for
cybercriminals and escalate the
cost of launching an attack.
12

13. Thank you!
13
Linkedin / Twitter @charlesmok
www.charlesmok.hk
www.facebook.com/charlesmokoffice
charlesmok@charlesmok.hk