Cyber attacks are on the rise, but opportunistic hackers have shifted their attention from individuals to businesses.
A report by the cybersecurity firm Malwarebytes found that while threats to consumers waned, the number of cyber threats to businesses has soared by 235% in the last year. Last year over four in ten businesses (43%) suffered a cyber breach or attack, according to government figures, and a recent study of 5,400 businesses – small, medium and large – by the insurance company Hiscox found that 55% had faced an attack in 2019, up from 40% last year.
But while cyber threats continue to mount, readiness levels for an attack remain in the doldrums. Analysis by PwC found that 17% of those asked admitted their business doesn’t prepare for cyber attacks at all. And fewer than half (49%) run penetration tests to examine their defences.
The risks, as the figures illustrate, are substantial. Average losses from breaches soared from £176,000 to £286,284 in 2018, an increase of 61%. But while the risk feels tangible, a phrase like ‘cyber threats’ might be difficult to comprehend. It is a broad term, after all, encompassing all sorts of tactics and tricks under its umbrella.
So which threats should you be on the lookout for – and how can they be avoided? Here’s our common sense guide to the most common types of attack.
Phishing typically stems from a malicious email that’s set up to dupe an unsuspecting victim into either accidentally downloading malware or divulging sensitive information. The sender presents themselves as a trusted source: a bank or a supplier, perhaps.
As far as cyber threats go, it’s one of the oldest in the book – but it’s still around because it’s successful. Proofpoint’s annual State of the Phish report found that 83% of respondents experienced phishing attacks last year, up 76% from the previous year.
There’ve been some pretty spectacular phishing instances. The infamous hacks of Hillary Clinton’s presidential campaign in 2016 were, primarily, successful phishing attacks facilitated by poorly trained campaign workers.
The Democratic Party hacks were examples of ‘spear phishing’. These threats stem from emails supposedly sent from colleagues, the names of which the Clinton hackers parsed from social media.
Once they had the names, the Washington Post reported, the hackers “sent a link to an Excel document named ‘hillary-clinton-favorable-rating.xlsx’ from an email account meant to look like a member of the Clinton campaign team”. Clinton staffers who opened the Excel document were directed to a dummy website that stole their personal data.
An insidious variant of spear phishing is an attack known as ‘whaling’. The modus operandi is similar – but instead of just any colleague, the email is from a senior figure in the business, like the CFO.
Recently, a hacker group known as London Blue compiled a list of 35,000 CFOs, including some at the world’s biggest banks and mortgage companies. The scammer masquerading as the CFO (or CEO) sends an email to a subordinate regarding a change in payment details or a new payment request.
These scams are hard to spot, with email addresses that are cunningly similar to the official work email address, with an extra letter here or there that’s easily glanced past when you’re busy.
The best way to fight phishing and all its variants is training: these attacks are quite simple to prevent. As the State of the Phish report found, nearly 60% of businesses saw an increase in employee detection of phishing attacks once their staff were better trained.
The government’s national cybersecurity centre (NCSC) also offers practical steps to avoid falling prey to phishing:
- Scrutinise the sender’s email address
- Look at the email’s spelling, grammar and punctuation. Scammers are often from overseas and might not have a good command of English.
- Is the email addressed to you by name, or does it use vague generalisations like ‘valued customer’, ‘friend’, or ‘colleague’?
- Is the email pressuring you to act urgently?
Man in the middle attacks
A man in the middle (MitM) attacks is a very literal description of how this scam works: attackers plant themselves into a two-party transaction. They do this through two common methods, according to Cisco Systems:
- On unsecured public WiFi, attackers can put themselves between a visitor’s device and the network.
- Through malware that has breached a device. An attacker can install software to steal the victim’s data.
A particular form of MitM attack combines itself with elements of phishing. Once scammers break into the CEO’s mailbox, for example, they can set up a series of rules to forward all emails sent to that account to another email account.
A hacker can then wait for a suitable email chain and send a message regarding a change in payment details or a new payment request. These attacks are hard to spot once they’ve been enacted.
That’s why the key is prevention. Two-factor authentication is your friend. A password isn’t enough these days, and two-factor authentication is simply an extra layer of security that requires something that the user has on them – most commonly their phone.
Educate employees on using unsecured WiFi to access sensitive work materials. A technical solution is a virtual private network (VPN). These are encrypted ‘tunnels’ that secure the employee’s and the company’s confidential networks over links like WiFi.
SQL Injection Attacks (SQLi)
Very few things from 1998 remain relevant in 2019. There are perhaps a few die-hard Savage Garden fans that still have ‘Truly Madly Deeply’ on heavy rotation, but largely ‘98, like Beckham’s red card, is consigned to the past.
The exceptions, perhaps, are SQLi attacks. First uncovered in 1998, they are hacks that exploit Structured Query Language (SQL), which is used to query, operate, and administer database systems like Microsoft SQL Server.
A SQLi attack happens when an attacker inserts malicious code into a server that uses SQL and forces the server to reveal information it normally would not. In some cases, hackers can do this simply using a vulnerable search box on a website.
In other words, it’s not rocket science. The cybersecurity expert Tyler Hunt got his three-year-old child to emulate an SQLi attack. And if these attacks are easy, their impacts are severe.
The most effective way to stamp out SQLi attacks is via whitelisting. Whitelisting examines each piece of user input against a list of permitted characters and limits what they can search for.
Cross-Site Scripting (XSS)
When HTML code – the standard language behind web pages and applications – is generated dynamically, and the user input is not ‘sanitised’ (basically designated as ‘safe’), an attacker could insert their own HTML code.
This is what’s called Cross-Site Scripting (XSS). These attacks allow attackers to impersonate users, perform actions on behalf of them, and gain access to the users’ sensitive data. The most infamous example of XSS is still Samy, which propagated across MySpace in 2005. It affected over a million users.
At its source, XSS can only be stopped by the website developers. But your business can be proactive and run regular penetration testing to seek out weaknesses. If a weakness is found, see that it is patched immediately.
Malware is simply software designed with malicious intentions (the name comes from malicious + software). These software programmes can delete files, spy on users, and open the door for other malwares.
And then there’s ransomware, software that blocks access to a computer system until a sum of money is paid. These attacks are on the decrease – but that’s not necessarily good news: cybercriminals now focus more on precision and impact infections than volume.
The main attack vector is Microsoft’s Remote Desktop Protocol (RDP). RDP is used for remotely connecting to Windows systems: the near-ubiquitous operating system in businesses across the globe.
Exploiting a weakness in RDP, hackers forced an American health insurer to pay over $50,000 in ransom to regain access to critical data. If you don’t need RDP, disable it. As for your critical data, regularly back it up so you aren’t completely exposed to ransomware attacks.
If the ransomware attack has already happened, disconnect the machine from any others and from any external drives. Take the machine offline. Take a photo of the ransom note, you’ll need it when you file a police report. And finally, use an antivirus to clean the ransomware from the machine.
You can take a look at some decryption software. No More Ransom offers a list of decryption tools – but if this doesn’t work, then another option is to pay the ransom (although many vendors caution against this).
A DoS attack is a brute force, targeted attack aimed at taking a specific website offline, and the first was carried out by a 13-year-old named David Dennis in 1974.
These attacks can be characterised by attempts to flood a network (which is known as a DDoS attack) or targeting a specific individual or device. Whatever the type, it’s aimed at blocking legitimate uses of the network.
In one infamous case, a malware known as Mirai scoured the internet for vulnerable tech and infected the devices. Mirai then used these devices to launch huge distributed denial-of-service attacks. It slowed or outright stopped access to Twitter, Spotify, PayPal and many more services.
There are a few ways to protect against DoS and DDoS attacks. You can distribute your servers geographically, a tactic known as ‘load balancing’, to make it harder for hackers to attack the whole system, you should protect your servers with firewalls and web application firewalls, you can employ DDoS-specific security to sit in front of these firewalls or even take your DNA servers into the cloud.
People, processes and technology
Effective cybersecurity is built on three pillars: people, processes and technology. You can invest in the right tech, you can set up the correct processes – but, in our experience, it’s often the people side that’s neglected by businesses.
The point of entry for an attack is usually from human error rather than a technological fault. Every employee is a potential weakness, and an untrained employee is an incident waiting to happen.
But ultimately, it’s not the employee’s responsibility. Building a “security culture” starts at the top. And the more you educate yourself and your staff about the risks, the better equipped you are to deal with them.
ThreatAware is passionate about bringing clarity and simplicity to cybersecurity. If you’d like to step up your cybersecurity, then get in touch.