Cybersecurity: making the pre-emptive strike can save millions

Hackers are getting increasingly more sophisticated and persistent, but some 80 percent of hacks happen through compromised credentials, taking some 250 days to recognize the breach. A first cybersecurity step for operators is conducting a vulnerability and penetration test, to not be another one of the 94 percent of companies that have been hacked.

Experts from Continent 8 at ASEAN Gaming Summit 2023 point out how pre-emptive spending saves in the long run but warn that your partners are also your vulnerabilities.

Here are some of the highlights:

02:06 – DDoS (denial of service) attacks are becoming more sophisticated. Now hackers are trying to directly get at your website to render it incapable.

04:40 – The biggest problem is that companies now feel that they’re protected by antivirus software – until something happens.

07:06 – Trends within the industry. Anything that’s connected to the internet is vulnerable. Home computers are twice as likely to have malware and to be compromised.

08:06 – Within iGaming there’s been a 405 percent increase in DDoS attacks. Rise of API exploitations, possibly one of the most vulnerable things. Example of DraftKings last year, where they took money directly from users’ accounts.

10:12 – Cybercriminals becoming more sophisticated and persistent – want to make money out of compromising machines.

11:35 – Impacts are not only restricted to the short-term (loss of revenue etc), there’s also medium to long-term damage also. During the pandemic, businesses changed how they worked, with more working from home. Criminally-motivated individuals targeted this, making lots of money that they reinvested in themselves, upgrading their tech, organizations and capabilities.

13:12 – Only takes a little over an hour for an attacker to compromise a network nowadays.

 1-10-60 rule – identify a threat in one minute, understanding threat within 10 minutes and responding within 60 minutes. But average time for an information security (InfoSec) team to mediate a threat is 162 hours.

14:40 – How is system access granted? 20 percent through unpatched vulnerabilities and 80 percent through using compromised credentials. Some 94 percent of organizations have experienced a data breach, and 79 percent were breached in the last two years. Average cost of a data breach is $4.35 million, about $10 million in the US.

17:20 – Initial access brokers – selling access to your data – estimated market of $8.38 billion in 2022, rising to $28.4 billion by 2030. Admin accounts can be sold for $100,000 and up. Takes on average 250 days for companies to realize a legitimate account has been compromised.

Attacks against cloud infrastructure rose by 288 percent in 2022. Cloud systems have shared responsibility for security – you’re not fully in control of your systems.

19:40 – Attackers now chaining small vulnerabilities together to get full access.

20:00 – New trends – AI for social engineering, deep fakes for impersonation, phishing attacks and auto-hacking. Shift to AI will really change security.

22:45 – How to mitigate risk? First thing is to figure out where you are weak, seek a vulnerability and penetration test – security experts (essentially hackers) will go and attack your environment without creating damage and expose the weaknesses.

Audience Questions

What percentage of hacks are done by competitors and what percentage is done to get the data?

28:12 – From a DDoS perspective, it’s usually overwhelming your ISP connection, when you talk about applications – that’s where API and web application firewall will protect you, then access to smartphones or devices – that’s where you have security incident event management.

Regarding cost – can be as small or as big as you like. No starting or minimum entry point (example of having one client being charged $200 per month).

29:44 – Also partners that you partner with – if they’re attacked, it will affect you as well.

30:07 – Regarding percentage of competitors versus data – if you’re a business you don’t want your client base to know, don’t want anyone to know. Most of the time it’s amateur hackers looking for a Bitcoin. Recommend nobody ever pays a ransom, criminals tend not to uphold their end of the bargain, they will come back.

31:10 – Are DDoS more likely to be competitors?

31:18 – All you need is an IP address to target a DDoS attack. Can go on Youtube and see DDoS attackers advertising their service. Ransoms also happen for DDoS attacks as well.

32:24 – Some people have hacked QR codes, such as putting stickers over official QR codes. Is there a track on that?

33:08 – Don’t have specifically the data for that. From a gaming operator perspective, they can scrape your content from your website and create a duplicate website that looks similar.

33:25 – Unpatched versus compromised credentials, what’s the difference?

Unpatched are inherent vulnerabilities within your programs, even some 70 percent of off-the-shelf programs have critical vulnerabilities. See things constantly updating, that’s trying to patch that infrastructure.

34:30 – Many gaming operators use old systems, don’t want to do new patches because it ‘breaks everything’, so don’t want to update. How do you help them with that?

34:50 – There’s a service you can ‘stick in front of your website’ and it will only allow through to specific functions and block everything else. Having that in place would be like a universal security against your web applications.