Cyber security attracted widespread attention in 2014, and the growth of online and digital technologies will no doubt ensure that corporate cyber security remains firmly in the spotlight in 2015. Last year corporates such as Sony, Apple, JP Morgan, eBay, Target and the European Central Bank were all involved in high-profile cyber security attacks. Those cyber security breaches have been widely reported; the intention of this post is to share details of how the security infringements take place. It's all well and good knowing about the various corporate hacks, but you really need to understand how they do it so that you can start to think about the appropriate preventative and risk / damage limitation measures.
1. Phishing Scams
A very legitimate-looking and tailored email or instant message is sent to a person with a link and/or attachment. Unknowingly the user clicks the link/attachment and either malicious software (malware) is activated or the user is taken to a fake website, where the user enters sensitive information (user name/password/bank details…) which is subsequently captured by the hackers.
eBay is often cited as a website prone to phishing attacks. Users click on an eBay listing and are automatically directed to a harmful site where the users' details are stolen.
2. Malware Attacks
Malware is short for malicious software. Malware is a generic term that refers to software which is used to:
- Cause disruption to a computer / system
- Gain access to a computer / system
- Capture sensitive information from specific users and / or from a system
Malware consists of a variety of malicious software such as:
- Computer viruses
- Trojan horses
Malware can be dispersed in a variety of ways. As daft as it sounds, a free shiny USB stick is quite appealing and therefore an easy channel through which malware can be distributed. Loading malware on to USB sticks which are subsequently handed out to people at a meeting / conference is a widely recognised risk.
Malware is a highly complex and evolving world; it's worth reading the eSecurity Planet article Today's Top 5 Malware Threats, and the Tripwire post Top 5 Malware Trends on the Horizon.
3. Exploring & Exploiting Weaknesses
Here the hacker looks for any weaknesses in a company’s network, software and/or systems. Once found, the weak spot is exploited to the max.
One hacking technique used is to ‘test’ and access a system using Wifi. We have all seen various Wifi networks pop up on our mobile phones / laptops when we are trying to connect to the internet. A hacker could quite easily sit outside an office, see the company’s Wifi network and start searching for weak or unsecure networks to gain access to the company’s systems.
Another method is to exploit a company’s remote access channel, i.e. the way in which you connect to your corporate systems when you are out of the office. The user id/ password details can be acquired in any number of ways, some of which are highlighted in this article. Using these details the hacker can login to your company from their front room.
Finding ‘easy’ channels is a highly effective way to exploit shortcomings in a particular system. A high profile case last year was the discovery of the Heartbleed Bug, which was used to steal sensitive data over a 2 year period!!
4. Hijacking an Account by Resetting the Password
Many sites and applications have a process for users to reset their password in case they forget it. This functionality is exploited by hackers who can easily research victims via social media to understand key details like first employer, favourite car, sports team… and use that information to reset the person's password on a website. Once the password has been changed, they're in…
Facebook, Twitter, Gmail and Skype have all been victims of this type of account hacking.
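A reset flow that does not depend on answers someone could look up on social media, shown as an added example (not code from this post or from any of the sites named): the site e-mails a random, short-lived, single-use token to the address already on file. The class name, the 15 minute lifetime and the failure limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime for this example
MAX_FAILURES = 5             # assumed limit on wrong guesses per token


class ResetTokenStore:
    """In-memory stand-in for a database table of pending password resets."""

    def __init__(self, clock=time.time):
        # user_id -> (sha256 of token, expiry timestamp, failed attempts)
        self._pending = {}
        self._clock = clock

    def issue(self, user_id):
        """Create the token that is e-mailed to the address already on file."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored, so a leaked table cannot be replayed.
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[user_id] = (digest, expires_at, 0)
        return token

    def redeem(self, user_id, token):
        """Return True exactly once for a valid, unexpired token."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, failures = entry
        if self._clock() > expires_at or failures >= MAX_FAILURES:
            del self._pending[user_id]  # expired or guessed at too often
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):  # constant-time compare
            del self._pending[user_id]  # single use
            return True
        self._pending[user_id] = (digest, expires_at, failures + 1)
        return False
```
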
5. Database Attacks
Database attacks range from the simple, such as excessive system access or a user abusing the level of system access they have, through to complex SQL injection. The top 10 database attacks article, by BCS – The Chartered Institute for IT, provides a useful and simple insight into database attacks.
6. Stealing Credentials from Third Party Sites
Many people use the same user-id and password across multiple sites. Once a hacker is able to retrieve user-id and password details from one application or social media website, they may try their luck and use the same details to breach the person's work-based systems and / or other confidential applications.
Last year JP Morgan revealed a massive data breach affecting 76 million households. Now clearly when a major financial institution is involved the risk is not only that the data may be used to try and access other systems, but the captured account details could be used to make fraudulent payments.
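What reused credentials tend to look like from the defending side, as an added example (not part of the original post): one source address trying many different accounts, with the occasional success. The log format, the sample lines and the threshold of four accounts are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample auth log: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2015-01-12T09:00:01 203.0.113.7 alice FAIL
2015-01-12T09:00:02 203.0.113.7 bob FAIL
2015-01-12T09:00:03 203.0.113.7 carol OK
2015-01-12T09:00:04 203.0.113.7 dave FAIL
2015-01-12T09:00:05 203.0.113.7 erin FAIL
2015-01-12T09:01:10 198.51.100.4 frank FAIL
2015-01-12T09:01:20 198.51.100.4 frank FAIL
2015-01-12T09:01:30 198.51.100.4 frank OK
"""


def find_reuse_attacks(log_text, min_accounts=4):
    """Flag source IPs that try many different accounts.

    Returns {ip: [accounts that IP logged in to successfully]}. Those
    accounts are the ones whose passwords should be reset first.
    """
    tried = defaultdict(set)      # ip -> every username attempted
    succeeded = defaultdict(set)  # ip -> usernames with a successful login
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ip, user, result = parts
        tried[ip].add(user)
        if result == "OK":
            succeeded[ip].add(user)
    # One person mistyping their own password touches a single account,
    # so only sources spread across many accounts are reported.
    return {
        ip: sorted(succeeded[ip])
        for ip, users in tried.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    print(find_reuse_attacks(SAMPLE_LOG))
```
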
7. Your Staff
Your staff may be directly bribed for information which the hackers would subsequently use to breach your corporation's security. But it can be simpler too: educate your staff about the need for 'strong' passwords, and tell workers not to leave passwords written on sticky notes around their desk or on their screen. The Top 25 Most Common Passwords in 2014 is scary reading. Tailgating staff into your office is another tactic used to get into the office to physically see and understand the security set up from within. Simple, high risk but also highly effective for hackers…
Widely reported cases include:
- 74,000 Data Records Breached on Stolen Coca-Cola Laptops
- Several cases of missing data – from losing a memory stick containing personal details through to documents left on a commuter train
Your staff need to be aware of the cyber security threats that are out there, and the critical role they can play in ensuring the safety and integrity of your organisation.
8. Cyber Espionage
We’re increasingly hearing about cyber crime being used by one nation against another or against a corporate. As digitalisation grows into almost every sphere of daily life, cyber espionage will no doubt become an area that attracts increasing attention. The following cases have attracted global media attention:
- The Google hack in China
- Iranian hackers attack Vegas casinos
- Cyber crime – a bigger threat than nuclear attack?
- How is MI5 tackling the cyber threat?
Many cyber security cases over the last few years are thought to have been conducted by around 100 cybercrime kingpins according to Troels Oerting, the head of Europol’s cyber crime centre. Interesting stuff, eh?
Cyber Security is a BIG Deal
There you have it, my list of 8 cyber security hacks you need to know about. What strikes me is that cyber security is a very complex world, but at the same time there are some very simple measures that you and your company can take to safeguard yourself. As we hear about the Sony cyber attack and the Apple iCloud breach – they do ironically help to increase public awareness of the risks and the necessary protective measures that people can take. There is also recognition amongst corporates that at some point they may well be hacked (Source: Cybersecurity: Defending ‘unpreventable’ cyber attacks). Given such a scenario corporates are now starting to plan how they would react in the event of a cyber security breach, rather than responding in a sudden, unorganised and knee jerk manner. The goal of such an exercise is to contain the risk and ensure minimal damage. The first step though is knowing what the cyber security threats are, and I hope this post has given you a good start….
I’d love to hear your thoughts and comments about this article below….