Proactive cybersecurity steps deemed essential

Ransomware attacks are a major global concern, potentially causing significant disruption and financial losses.

Taking proactive measures in cybersecurity through penetration testing and staying informed about emerging threats will help organisations minimise impacts from attackers amid a fast-changing landscape of threats, said Gregory Pickett, chief executive of Hellfire Security and also a white hat hacker.

Hellfire Security is a cybersecurity consulting firm specialising in assessment, along with managed security services.

Thailand has vulnerabilities in internet infrastructure, utilities, and corporations. These vulnerabilities involve remote access being enabled for critical systems, which should only be accessed internally, Mr Pickett told the Bangkok Post.

He said one cause of this vulnerability lies in a solution-based engineering approach. Security measures like firewalls are implemented as afterthoughts, rather than being designed around the specific needs of the systems they are meant to protect.

"We know we need a firewall. We know that we need adequate protection. Then we try to take what we have to protect and try to fit them to the firewall," Mr Pickett said.

Critical infrastructure sectors such as telecom, energy, finance and banks, industrial manufacturing, and tourism require a more robust approach to cybersecurity compared to others, he added.

THREAT MODELLING

Mr Pickett suggests such critical infrastructure conduct threat modelling based on thorough analysis of the critical systems and the data they hold, followed by the creation of a security strategy specifically designed to protect those assets.

By prioritising a clear understanding of the threats and what requires protection, security solutions can be tailored to effectively address vulnerabilities.

He emphasised the importance of using genuine penetration testing, where security professionals simulate real-world attacks to identify weaknesses.

"A genuine penetration test involves actively trying to exploit vulnerabilities, like a real attacker would," he added.

"They went all the way. It goes from guessing 'we think this might happen' to knowing because someone actually does it."

Penetration testing should be based on a problem-based approach. This means understanding what needs to be protected and then implementing solutions to secure those systems, he said.

By adopting threat modelling and genuine penetration testing, organisations can gain a clearer picture of their security posture and implement more effective safeguards, he added.

SMART CONTRACT EXPLOITS

Mr Pickett said crypto-targeted attacks mainly involve cryptocurrency exchanges and individual investors.

Exchanges act as custodians of digital assets, making them prime targets. Security measures need to be constantly reviewed and updated to address new threats.

Individual investors are targeted in various ways, including wallet attacks, in which hackers employ various techniques to steal directly from individual wallets. High-net-worth individuals are a prime target, but social engineering scams like "romance scams" are also prevalent.

Mr Pickett said smart contract exploits refer to a recent, complex attack involving the insertion of malicious code into a decentralised autonomous organisation. The malicious code, if approved, could have potentially allowed the attacker to steal funds, he said.

A smart contract refers to a digital contract stored on a blockchain network.

Individual investors should be cautious of romance scams that involve cryptocurrency investments, he added.

"Investors should be cautious of online solicitations, especially those promising high returns. Only use reputable exchanges and wallets, and employ strong passwords and multi-factor authentication," he said.

He added that while blockchain technology offers security benefits, it is not foolproof. If a large enough group of validators agree, a blockchain can be rewritten. Quantum computing could pose a future threat to blockchain security, Mr Pickett said.

SOCIAL ENGINEERING SCAMS

Mr Pickett also highlights the growing threat of generative artificial intelligence (GenAI), which can create realistic audio and video for social engineering scams. Attackers can use this technology to impersonate trusted individuals, making it harder to identify and avoid these scams.

Social engineering refers to a technique that exploits people in order to gain private information, spread malware infections, or obtain access to restricted systems.

Therefore, strong security policies are important, such as call-back verification to confirm the identity of any entity requesting sensitive information or actions, Mr Pickett said.

KEEPING PACE WITH TRENDS

Ransomware attacks are a major global concern, potentially causing significant disruption and financial losses.

The lack of reported ransomware incidents in Thailand does not necessarily indicate a lower risk; underreporting of cyber-attacks might be a contributing factor, Mr Pickett said.

There are two schools of thought on whether to pay a ransom or not, the first being pay if unprepared: if you have not backed up your data or have a weak Business Continuity Plan (BCP), paying the ransom might be the only way to resume operations quickly.

The second option is do not pay if prepared: if you have robust backups and a tested BCP, you can rebuild your systems and data without paying the attackers.

Ransomware is considered a top threat, closely followed by scams.

Banking Trojans remain a persistent threat, targeting online banking credentials. The emerging threats include bio hacking, but Mr Pickett considers these to be less likely in the near future.

However, keeping pace with ever-evolving attack methods requires penetration testers to constantly adapt their strategies.

"Implementing strong passwords, adopting zero-trust security principles, and maintaining separate devices for different purposes are all key steps individuals and organisations can take to improve their overall cyber hygiene," said Mr Pickett.
