Part One: Our Guide to Cyber Attacks and how to Tackle Them
Welcome to part one of our guide to cyber-attacks, where we list the common types to be aware of, alongside real-life examples and advice on tackling them.
No. 1 Phishing – a Form of Social Engineering
A while back, I made phishing phone calls (sometimes referred to as vishing) to test the vigilance of a financial services firm’s employees.
As a Scottish woman, my colleagues saw my potential as a social engineer, believing people would trust my accent.
Everything was meticulously planned, including a well-rehearsed script. I was phoning on behalf of the firm’s IT provider following a hacker alert. We had to lock everything down, and I needed to re-set some stuff now. My goal was to get people to give me their login password.
Initially, I was excited; I enjoy something different and like to think I’m a good actor. It was horrible. Reactions ranged from polite wariness to incredulity and mocking laughter. Deep breath, I ploughed on through the list of phone numbers; I had to be quick before word spread.
The order of the phone calls had been down to me, and I’d started with junior personnel figuring they’d be softer targets. I was wrong; the job became easier as I climbed up the chain. At call number six – bingo, I got my first password.
Despite regular stories in the press, people get duped every day. It’s not because they’re daft; it’s often because they’re distracted and busy. Catching my prize took a few tricks:
- Credibility. I’d done my homework and knew who their IT provider was. By naming them, I established trust.
- Urgency. By advising the employee that this was a live hack situation and stressing the need for fast action, I put pressure on them.
- Unwavering confidence. Although I was wobbling on the inside, I assumed an air of calm authority – I expected the person’s password.
- Quick thinking. When someone questioned the legitimacy of my call, I name-dropped their colleague and said that they’d shared their password. Good old LinkedIn, although I prayed they weren’t sitting beside each other.
So, objective achieved – password obtained. (Come to think of it, that chocolate orange I was promised for doing a good job never materialised.)
And the lesson of this story? You could have 1,000 cyber-savvy people in your company; all a hacker needs is the one who isn’t. Phishing comes in many guises (email, phone calls, text messages, messaging apps), and it is only one branch of social engineering; you’ll find other examples in our blog series.
Think you’re too small to be a target, or that there are richer pickings out there? Please think again.
Smaller businesses – and sadly, charities – are seen as vulnerable because they have less money to spend on security. And they hold things that are in high demand with hackers, such as credit card numbers, payroll details and donor lists.
A penetration test is a trusted way to check your organisation’s defences. Read more in our blog: Five Reasons Why Your Business Needs a Pen Test, which we can wrap up with a mini social engineering assessment to keep your costs down. Just mention you read this blog.
No. 2 Ransomware
An infamous example of ransomware is WannaCry, which infected around 300,000 computers in over 150 countries in May 2017. Despite what is often repeated, the vehicle for the crippling damage was not a phishing email: WannaCry was a worm. It spread across networks by itself, with no one opening anything, through a flaw in the SMBv1 file-sharing service of Windows (MS17-010) for which Microsoft had published a patch two months earlier.
Once it reached a PC it encrypted (scrambled) the user’s files, effectively locking them out, and demanded a ransom of $300 to $600 in Bitcoin to restore access.
In the UK, the NHS was especially badly hit, as the core systems of at least 33 health trusts were struck down, including telephones. WannaCry forced health professionals to revert to their private mobiles and pen and paper.
One particularly harmful consequence of WannaCry was the impact on patients, as services were pared down to medical emergencies only.
There are two lessons to this story. The first is to keep your systems up-to-date and patch them regularly; the machines WannaCry hit were running unpatched or out-of-support versions of Windows. A penetration test or vulnerability scan will reveal any you’ve missed, and switching off legacy protocols such as SMBv1 where nothing needs them removes the exposure altogether.
Secondly, although WannaCry needed no click from anyone, most ransomware still arrives by email: if you have even a scintilla of doubt about an email, an attachment or a link, don’t touch it. Phishing awareness training will teach your people what to look for, and if you mention this blog, you’ll get a 10% discount.
No. 3 Password Attack
Passwords; love them or hate them, we use them daily. They remain the most common way to permit access to our systems, which is why they’re worth their weight in gold to cybercriminals.
There are nefarious ways of finding passwords out, including:
- Brute-force – systematically trying every possible combination of characters until one works. Against a login page, attackers are limited to however many attempts a minute the site allows; against a stolen list of password hashes, cracking software can try billions of guesses a second, which is why password length matters so much. Some hackers will also apply logic and try to guess your password using the information they’ve gleaned from social media.
- Dictionary attacks – trying lists of common passwords and dictionary words (and simple variations such as Password1 or Summer2017) rather than every combination, because those are what most people actually choose.
- The dark web. Passwords leaked in one breach are regularly sold to the criminal underworld and then tried against other sites, a technique known as credential stuffing. For convenience, many people use the same password for personal and corporate use. If your employees are in the habit of doing this and their password leaks onto the dark web, your data and applications could be exposed.
In 2017, a brute-force attack struck at the heart of government, as up to 90 email accounts at the UK Parliament were compromised. A similar attack was launched against Scottish Parliament only weeks later.
And the lessons here? Sound password policies (long passphrases, no reuse, and a check against lists of already-leaked passwords), account lockout or rate limiting on logins, and multi-factor authentication so that a stolen password alone is not enough. A penetration test can include a review of your password policy and recommend improvements.
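To make the brute-force and dictionary attacks above concrete, here is an added example (written for this guide, not code from any real attack or tool) that runs both against constructed, unsalted SHA-256 hashes, the kind of thing an attacker obtains from a leaked database, and then works out how long an exhaustive search would take at a given guess rate. The word list and the target passwords are made up for the demonstration; the 1,000-guesses-a-second and 10-billion-guesses-a-second rates are illustrative assumptions for an online login page and offline hash cracking respectively.

```python
"""Dictionary and brute-force attacks on unsalted SHA-256 password hashes.

Added example for this guide; all inputs are constructed, not real leaked data.
"""
import hashlib
import itertools
import string

# Constructed word list, standing in for a real one such as rockyou.txt.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome1", "Summer2017"]

# Assumed guess rates: a rate-limited web login versus offline cracking of a
# fast, unsalted hash on a GPU rig. Both are illustrative, not measurements.
ONLINE_GUESSES_PER_SECOND = 1_000
OFFLINE_GUESSES_PER_SECOND = 10_000_000_000


def hash_pw(password: str) -> str:
    """Unsalted SHA-256, the weak storage scheme the attack assumes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist):
    """Try each candidate from the list; return the match or None."""
    for word in wordlist:
        if hash_pw(word) == target_hash:
            return word
    return None


def brute_force(target_hash: str, charset: str, max_len: int):
    """Try every string over charset up to max_len characters.

    Returns (password, attempts) on success or (None, attempts) if the
    search space is exhausted without a match.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_pw(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over a charset of that size."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def time_to_exhaust(charset_size: int, max_len: int, guesses_per_second: int) -> float:
    """Seconds needed to try every candidate at the given guess rate."""
    return keyspace(charset_size, max_len) / guesses_per_second


if __name__ == "__main__":
    # A weak password falls to the word list before any brute force is needed.
    leaked = hash_pw("letmein")
    print("dictionary:", dictionary_attack(leaked, WORDLIST))

    # A short password not in the list still falls to exhaustive search.
    charset = string.ascii_lowercase + string.digits
    short = hash_pw("ab1")
    print("brute force:", brute_force(short, charset, max_len=3))

    # Length is what defeats brute force: compare 8 versus 16 lowercase+digit
    # characters against a fast offline cracker.
    for n in (8, 16):
        secs = time_to_exhaust(len(charset), n, OFFLINE_GUESSES_PER_SECOND)
        print(f"{n} chars offline: {secs / 86400:.1f} days")
    print("8 chars online:", time_to_exhaust(len(charset), 8, ONLINE_GUESSES_PER_SECOND) / 86400, "days")
```

The online figure is what lockout and rate limiting buy you; the offline figure is why leaked hashes should be salted and stored with a deliberately slow function such as bcrypt or Argon2, and why a long passphrase beats a short complex one.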
No. 4 Computer Viruses
A computer virus is about as welcome as a cold but usually stays around for a lot longer. Conficker, like a Zombie, refuses to die. First discovered in November 2008, it spread through an unpatched Windows flaw (MS08-067) as well as via USB sticks and weak network passwords; in 2010 it took down Greater Manchester Police force’s computer systems for three days.
Conficker caused so much havoc worldwide that Microsoft posted a bounty of $250,000 (£193,000) for information leading to the arrest of its authors. The malware continues, to a lesser extent, to circulate to this day. No one has ever claimed the bounty.
Viruses are designed to self-spread from one programme and computer to another, which they do by copying themselves; strictly speaking, a virus attaches itself to other programmes or files, while a worm such as Conficker spreads across the network on its own, but the term “virus” is commonly used for both. They’re nasty and inconvenient; in fact, you’d probably prefer a cold. There are several signs of a computer virus, including:
- Your PC often crashes or is unusually slow.
- Unfamiliar programmes appear when you start up your computer.
- You experience lots of pop-up ads, encouraging you to visit different sites or download anti-virus or other software programmes.
- Your account sends mass emails.
With some of the more advanced viruses, you’ll be none the wiser. They can also lie dormant and are triggered by a specific action, such as running a programme.
If you’re concerned that your systems are harbouring viruses, we can help. Our services include technical audits and configuration reviews, intrusion analysis and forensics.
Contact us for a no-obligation chat about your options. Alas, we can’t help with your coughs and sneezes.
No. 5 Spyware
As the name suggests, spyware is the secret agent of the malware (malicious software) pack. It’s a programme that covertly records what you do on your devices, usually to steal confidential information.
You may have heard about the security vulnerability on WhatsApp which exposed users to spyware – I was a victim of the WhatsApp hack.
If you’re worried about cybercrime and would welcome a guiding hand, reach out to us for a free cybersecurity assessment.
No. 6 Denial-of-Service
A denial-of-service attack (or DoS) is where hackers attempt to overwhelm your systems with more traffic or requests than they can handle. The intention is to prevent legitimate users from accessing services. When the flood comes from many compromised machines at once it is called a distributed denial-of-service (DDoS), which is what most attacks in the news are. Sometimes a denial-of-service can happen innocently, for example during Black Friday sales when thousands clamour for a bargain.
In January 2017, Lloyds Banking Group fought off a two-day distributed denial-of-service attack, as cybercriminals attempted to block access to online banking for 20 million UK accounts.
We hope you found this an enlightening, but not too depressing, read. You can catch part two here. The good news is that by taking a proactive approach to your security, you can mitigate your risks.
Explore our cybersecurity services or request a free cybersecurity assessment if you’re not sure where to start.
As always, thanks for reading and stay safe.