In the first part of my small trilogy we have learned about the risks, which are waiting over the Emails.
In this article we will have a closer look about most common types of attacks against a company in general. We only can get prepared to defence ourselves against crime methods and attacks we know.
However, this article is not about Force majeure like Earthquake etc. It is only about attacks for third party opponents.
Malware and social engineering are the top two types of cybercrime business methods will face. Here’s how to prevent these attacks from hurting your business.
The most common cybercrime attack methods against businesses are use of malware (including ransomware), social engineering, hacking (mainly attacks on servers or blockchains), web attacks (a subset of the hacking category involving injecting websites with malicious code), credential compromise, and distributed denial of service (DDoS).
1. Social engineering
Social engineering attacks (31%) don’t rely on technical sophistication so much as trusted. Because they prey on human vulnerabilities instead of technological ones, this type of cybercrime is especially difficult to guard against. Types of social engineering attacks include phishing and more elaborate physical schemes. For example, an attacker might leave an infected USB near the entryway to your office building in the hopes that an employee will insert it into their computer.
The phishing topic was also a part the first article in this trilogy.
Depends about the region you are living and the company you are working for, you may have also heard about Dumpster Diving. Dumpster Diving is when the attacker is ransacking the garbage of the victim for clues and clues about the social environment and/or confidential information. These can then be used in a subsequent call to gain the victim’s trust.
Preventing social engineering attacks:
Satisfied employees are good employees. If an employee is basically satisfied, he automatically has a better relationship with the company. If an employee is not happy, he is only concerned if he disposes of certain documents in the trash or in the designated area.
Maintain a healthy scepticism among your employees by creating a culture of security awareness in your organization.
Beware of cold calls, cold emails, unexpected office visitors, and lost USB sticks. Make sure that the employees know when there are visitors in the office, make sure that there is no confidential document around that not authorised guests can see or make photo of it. Make also sure about conversations in front of visitors that you don’t talk about confidential topics.
Make it sure what has to be done with “found” USB Sticks or Disks, people are naturally curious, so it is very important to point out such dangers on a regular basis.
Limit the amount of information you provide on your company’s website, and discourage employees from listing their contact information on the Internet if possible.
Never click on links or download attachments in emails you weren’t expecting. If a trusted brand asks you to reset your password, do not click the link provided in the email. Better to navigate manually to the website and log in there.
If we here talk about hacking, we need to forget all Hollywood movies. It is not that attackers can go to a coffee shop and simply hack into a company, at least not if an attacker just starts with an attack.
What is hacking? Well, typically the term hacking encompasses a wide variety of attacks. Attacks that take advantage of vulnerabilities in software and services, weaknesses in protection mechanisms, and other shortcomings of targeted systems that do not involve social engineering or malware.
Hackers try to find, or exploit known or new vulnerabilities to gain access to the infrastructure.
In the past, there are many examples of this, a well-known one was the SQL injection attack, which was possible because of security vulnerabilities.
To prevent this kind of attacks, we need to follow few rules. We need to use only trusted services we know and with a good reputation on the market. These services should have a strong security reputation.
These includes loud service providers and third party hoster and other services as well.
Use monitoring and accountability mechanisms in place for your employees to discourage insider attacks, including strict physical and digital access controls. Use software for that which teaches routine of employees. As example: if our employee Desmond Miles works only in the headquarter in Zurich and from his Home office Chur, the system should get an alarm if there is a login of Desmond from Florence. Another point is also about tracking the areas where Desmond tries to log in. If he is responsible for Messaging and someone who got his credentials tries to get to SQL services, it also should be alerted.
Last but not least, always keep your software updated!
3. Physical access
In my previous article and in this one I wrote only about the attacks from the virtual world. Mostly the same is if we look on other articles out there in the internet.
However, what helps us to have the best online defence if our physical Door is open. Physical access to the environment are different things, attackers can simply place a USB stick close to a company entrance door and hope that someone who “finds” it will take it into his computer to check what is on it.
Another thing is the physical access to the Building, if there is no physical security concept that prevent access of third-party persons the risk is very high to get in troubles. In this case attackers can try to get confidential information about the company, trying to plug in his own device to the LAN (if there is no MAC address filtering) and can start with attacks from inside.
If an attacker is inside the building, he can try to get to a computer, which is with an unlocked screen. Employees go quickly to the printer and they don’t lock their screens, on the way to the printer they start to talk to a colleagues and their screens are unlocked for 5 – 10 minutes. Enough time for an attacker to do his things.
The same problem I see time by time in shops. If you go to a Multi Media shop where you cannot prevent third party people to enter the building, because they are the customers, it is very important that the computers from the store working employees have security features like USB protection and that the store workers lock the screens when they are not using them.
Prevent physical access
If you are working as an IT, you only can tell to your boss if you see that the physical access security is not working how it should. We are not customs officers who monitor the front door and see who comes in and who does not.
However, every employee is responsible to protect their own “Mothership”
But what we can do is to inform our colleagues to always lock the screen as soon as they leave the workplace. We can protect our LAN ports by filtering MAC addresses that only registered devices have access to our LAN.
Restricting external devices such as USB sticks to the computers as well as the setting of secure passwords are also part of our area of responsibility.
With these points we have already done a lot against a physical attack.
Over half (55%) of all types of cybercrime involve malware, according to the report. These attacks include spyware and remote administration malware, which give attackers a back seat to everything you do on your device. From there, they can gain login credentials, sensitive business data, or information to help them conduct social engineering attacks. The third most popular kind of malware attack is the dreaded ransomware, which typically locks your device or takes your data hostage until you pay the hacker to release it.
In a nutshell, there are the following types of malware attacks:
- Fileless malware
Preventing Malware attacks
Make sure your operating systems, applications, and plugins are running on the latest versions.
5. Web attacks
The power of web applications to connect outside users to data and services easily makes them big targets for attackers. Scanning and testing databases, networks and applications throughout the development lifecycle – from design to development to testing and ongoing maintenance – can offer you a unique perspective on where the vulnerabilities are, how dangerous they are (and for whom) and how to mitigate them.
Web attacks represent another fifth of cybercrimes against businesses. These attacks exploit vulnerabilities in websites to access the data of other users of the sites. For example, hackers might inject malicious code into an e-commerce website that allows them to steal customers’ credit card information.
Preventing web attacks
You can mitigate web attacks by only working with trusted web developers and using reputable third-party services.
6. Distributed denial of service (DDoS)
Although few businesses will ever find themselves the target of a DDoS attack (2%), these can be extremely costly and disruptive. DDoS attacks flood a network with traffic, overwhelming it and preventing legitimate users or employees from accessing the service. Once the network is effectively shut down, the hackers typically demand a ransom to restore service.
However, in my personal experience these attacks mostly goes to web Providers and Streaming Providers.
How to prevent DDoS attacks
Most DDoS attacks require the use of specialized services that use software to identify and divert malicious traffic.
7. Credential compromise
About third type of attacks credential compromise involved, which means that a hacker uses your login information to gain unauthorized access to your accounts. An attacker can get your credentials in several ways: phishing, social engineering, malware, such as key loggers, or hacking (gaining access to a database of credentials and cracking the passwords).
How to prevent credential compromise
Always choose strong, unique passwords and/or passphrases.
Only use services that offer two-factor authentication, and ensure your employees have 2FA enabled. That way, if your credentials are compromised, attackers still cannot access your account.
You can mitigate most of these attacks by using trusted service providers that are committed to security.
It is important to know the dangers and not to take them unserious. Talk to the responsible CISO and employees about these issues and help proactively raise awareness. Use your know-how for your employer because if your network is angry, working for us is more fun.