Cybersecurity is as essential as locks on doors and soap in bathrooms. While the COVID-19 pandemic has seen a drop in many kinds of crime, cybercrime is an unfortunate exception. According to the Australian Cyber Security Centre (ACSC), cyberattacks increased by more than 13 percent from 2020 to 2021.
Like all technologies, cyber-threats evolve constantly. Keeping on top of the latest developments is a daunting task with a high price for failure. Even more worrying is the general view summed up in FedTech magazine by Tom Kellermann, member of the United States Secret Service Cyber Investigations Advisory Board:
“[There is] the assumption that you’ll be breached at some point — period. That inevitability is such that it’s a reckoning that 100 percent prevention is impossible.”
That said, much of your exposure comes down to how well you understand the threats you face across the three broad categories:
- Social engineering – such as scams and phishing
- Software exploits – such as outdated versions and broken authentication
- Malware – such as ransomware.
In this article, we are going to look at each of them. You’ll read about how they work, how to protect yourself, and where to get the latest information.
Social Engineering – The Human Factor
Social engineering is a broad term for any “hacking” technique that capitalises on human foibles to gain access to a system – whether that system is a physical building or a computer network. If you’ve ever seen a movie where characters access a restricted area by dressing as maintenance workers, that’s an example of social engineering. Janitors are everywhere, expected, and unobtrusive: most people simply don’t have the mental bandwidth to be suspicious of everyone in a work uniform. It’s a simple oversight that leads to a big vulnerability.
Now consider being a busy office worker in a large business. Say one normal day you receive a routine-seeming call over the internal/intercom line from someone called “Bradley” who says he’s from the IT department. Bradley explains that they’re updating the printer settings throughout the premises and that your connection has been generating errors (“typical printers,” you groan in agreement). He just needs you to check which printer is set to default on your terminal. You chit-chat about company gossip as he guides you through the printer check. While you’ve never met Bradley, it’s clear from the conversation that you two know some of the same people. This casual side conversation seems 100-percent innocent and plausible.
In any event, you navigate to the menu he instructs and he gets you to read out a few boring details about your default printer. “Bradley” sighs and says that this is all in order, and so the error must be elsewhere. He thanks you and hangs up. You go about your day, unaware that “Bradley” doesn’t exist, the phone call was faked, the office gossip was scraped from social accounts and the “boring details” about your printer revealed a vulnerability in the set-up of your office WI-FI.
Many cybercriminals are so good at this sort of fakery that they can even get users to explicitly reveal privileged information, such as passwords. Any online attack that depends on tricking you into doing “something” is a kind of social engineering. It might be a vague but plausible email about a package delivery, or the classic “Nigerian prince” scam – these techniques all depend on an unwitting user either clicking a supplied link or engaging with the scammer directly. It’s also important to know that social engineering is often a gateway technique that presages another kind of attack. For example, a hacker might use social engineering to capture a password, and with it then install malware on a system.
Phishing
“Phishing” is the name for the most common type of social engineering. According to Verizon’s Data Breach Investigation Report, 32 percent of data breaches are the result of phishing. Phishing seeks to trick you into providing your details by reaching out to you with a simulated email, SMS or messager alert from a trusted source. The branding and identities of popular platforms, such as Paypal or Apple, are commonly used as disguises for these attacks. Further, cybercriminals are becoming increasingly subtle and sophisticated in their attacks. Many phishing operations are now even adopting HTTPS protocols to make their websites look like legitimately secure servers.
As if phishing wasn’t bad enough, now there is also “Spear Phishing” – a more advanced form that tailors its attack to a specific target. Many broad data breaches do not give attackers direct access to passwords, but do reveal certain personal details about individuals. Cybercriminals troll through the breach looking for the right kind of details that they can leverage to craft phishing communications with enough specificity to overcome their target’s scepticism.
Supply Chain Breaches
Supply chain security breaches are among the lesser-known forms of social engineering, albeit one that is both shockingly prevalent and on the rise. According to the UK National Cyber Security Centre (NCSC), more than 90 percent of firms surveyed around the world have experienced some form of supply chain breach. Like all forms of social engineering, this approach relies on exploiting “structural” weaknesses in how people and businesses make decisions. In this case, it exploits the fact that virtually every organisation depends on a network of suppliers in order to support its operations. Your security is thus often in their hands. While you may have protocols in place to ensure your security in-house, how thoroughly have you audited the security protocols of your suppliers?
Business Email Compromises
Sensitive business emails are a top target for hackers. Real emails might be mined for valuable information and fake emails can be fabricated to manipulate a company’s image or staff. Business email compromises are usually facilitated by other kinds of attack, such as phishing. As is the general trend, these kinds of attacks have also grown in both frequency and severity. According to the ACSC’s annual cyber threat report for 2020-21, the average cost of such an attack has grown to $50,600 – an increase of more than 150 percent compared with the previous year. You can also learn more about Business Email Compromise from our whitepaper here.
What Can You Do About Social Engineering?
Because social engineering attacks depend on you – or some other legitimate party – unwittingly handing over the keys to the kingdom, vigilance is the only answer. The ACSC has several tips for avoiding these attacks. Some of the golden principles include:
- Avoid interacting with your accounts via email links
- Do not interact with emails from unknown sources
- Knowing that legitimate emails will address you by name
- Keeping in mind that banks and similar institutions will not ask you to enter your password or financial information via email.
Supply chain breaches represent a special case because they depend on actors over whom you do not have direct control. For more information review this guide to supply chain breaches.
Software Exploits – When The Bits Have A Poisonous Bite
Software exploits are coding flaws in software that allow hackers to gain access to closed systems. Because these “backdoors” are written into widely used software, they are fiendishly difficult for end-users to address. The best defence against software vulnerabilities is, however, surprisingly simple: update your software regularly. As the ACSC recommends, this generally involves three steps: 1, regularly updating operating systems; 2, installing software updates as soon as you are notified of them by the software’s publisher; and, 3, regularly backing up your business data.
Malware – Computer Programs With A Nasty Streak
The next category of cybersecurity threat is malware. A compound word, it is short for “malicious software”. The many forms of malware range in form and intent, the most common are:
- Viruses and worms
- Botnets
- Ransomware.
Some kinds of malware are purely for digital vandalism – the aim is simply to disrupt your systems. Other kinds are more insidious, giving the operator access to your system, after which they can siphon off information, take control altogether, or use your network to augment their own computing power. Let’s look closer.
Viruses and Worms
This category comprises programs that are intended to sabotage or disrupt a computer by way of malicious code. Both are self-replicating and designed to spread to other computers. Even when a worm or virus is not innately destructive, it can cause substantial issues by consuming processing power and bandwidth.
Botnets
Closely related to worms, botnets are systems that infect a network of computers to perform tasks for the program’s owner. Like worms, they aim to spread to as many computers as possible by scanning across a network looking for exploitable software. When they install themselves, botnets monitor the system for valuable information or appropriate processing power for high-demand uses. Once infected, your computer could be used in brute-force attacks or even be pressed into service to illegally mine cryptocurrency.
Ransomware
Ransomware is a relatively recent form of malware that is used by hackers to blackmail businesses and individuals. Once the software is installed, the attackers can then lock you out of your files. A ransom demand for the safe return of your data will soon follow. Although victims are often individuals, even major tech companies are vulnerable. In 2020, Garmin is believed to have paid $10 million after a ransomware attack.
What Can You Do About Malware?
Malware can be installed in three main ways:
- Via social engineering that tricks you into installing it yourself
- Piggybacking on other software (i.e. trojan horses)
- Security exploits – either manually or by a botnet.
Each of these approaches requires a different counter-tactic. In order to avoid social engineering, you must remain wary of links, software, and files from unknown sources. To prevent installations from outside sources, keeping your cybersecurity systems up to date is the best answer. Meanwhile, regularly backing up business data and separating copies from your primary systems will reduce the effectiveness of ransomware attacks.
How Can You Stay Informed About Cybersecurity Developments?
Remaining informed and up to date is the first step to strong cybersecurity. Software providers will usually issue alerts and updates in response to known issues, but a range of other sources is also available. Government agencies, such as the ACSC or the NCSC, maintain information pages outlining the latest threats. In addition, news outlets that focus on cybersecurity can keep you abreast of new trends and developments.
Constantly researching cybercrime may not sound like your idea of fun, and fair enough. Consider talking to the experts to make sure your concerns are addressed. Internet 2.0 is managed by a team of ex-military and ex-intelligence specialists who make it their business to understand and address the latest threats. Contact Internet 2.0 to have a confidential discussion about how to “set and forget” your cybersecurity.