Understand-cyber.png
Cybersecurity can be confusing and it’s sometimes this lack of understanding that can prevent organisations from making the necessary security improvements. For others it’s the belief that it will never happen to them or that their business has nothing of value for hackers.

Whatever the reason, security inaction is no longer an option and the threat against companies of all sizes continues to grow. Understanding is the first step to putting in place fundamental security measures and, whilst you can never be 100% secure, even the most simple security presence can have a dramatic improvement.  

To help you understand more about cybersecurity, and its importance in relation to your business, we’ve put together this information page — in which you’ll learn:

  • What cybersecurity is and why it’s important?
  • Who the hackers are and what they are after?
  • The attack techniques hackers are using


 

What is cybersecurity and why is it important?

Our modern lives are dominated by data and the amount of information we put out into the world is staggering. From our social media accounts to online banking, our information is everywhere, both publicly and privately. This information is valuable to individuals, businesses, governments and of course hackers.

The threat of cyber-attack is increasing every year and according to the Online Trust Alliance, 2017 was the worst year yet in terms of cyber-attacks on businesses, doubling from 82,000 in the previous year to over 159,000.

The reality is that most attacks are opportunistic and take advantage of simple security mistakes such as unpatched operating systems, poor password security, or employees clicking on infected phishing emails.

93% of all breaches in 2017 could have been avoided with simple cyber hygiene practices, such as regularly updating software, blocking fake email messages, and training employees to recognise phishing attacks. — Online Trust Alliance, 2018

Ignoring cybersecurity is no longer an option and companies of all sizes need to be putting in place the appropriate security measures, especially when you take into account GDPR and the potential fines associated with a major data breach.

But what is cybersecurity?

Cybersecurity is the protection of digital information and the defence of such data against malicious threats and unwarranted access. It is made up of three main elements:

  • Confidentiality
  • Integrity
  • Availability

...the CIA triad.

Confidentiality - who really needs access to your information?

Confidentiality is all about privacy and works on the basis of ‘least privilege’. Only those who require access to specific information should be granted it, and measures need to be put in place to ensure sensitive data is prevented from falling into the wrong hands.

The more critical the information, the stronger the security measures need to be.

Measures that support confidentiality can include data classification policies, data encryption, IDs and passwords, two-factor authentication, biometric verification, air-gapped systems or even disconnected devices for the most sensitive of information.

Integrity - how do you ensure the accuracy of your data?

The integrity of your information is essential, and organisations need to take the necessary steps to ensure that it remains accurate throughout its entire life cycle, whether at rest or during transit.

Access privileges and version control are always useful to prevent unwanted changes or deletion of your information. Backups should be taken at regular intervals to ensure that any erroneous data can be restored. When it comes to integrity of information in transit, one way hashes can be utilised to ensure that the data has remained unchanged.

Availability - how do you keep your business up and running?

Keeping your business operational is critical and you need to ensure that those who need access to hardware, software, equipment or even information can obtain this access at any time.

Disaster planning is essential for this and organisations need to plan ahead to prevent any loss in availability should the worst happen. This could include plans to deal with cyber-attacks such as DDoS, plans to deal with potential data centre power loss, how to deal with a natural disaster or even information bottlenecks which could slow down company communications.

Each company may have differing priorities in terms of the three elements of the CIA model. But whatever the case, using this as the starting point will instantly make your organisation more secure by it’s very design.

 


 

Who are the hackers?

Hackers are just normal people, with above average computer skills; they could be your neighbour, your colleague or even your friends. So, if hackers are just normal people, how do you defend yourself against them? In this section we take a look at some of the types of attacker you need to know about.

  • State sponsored groups - advanced persistent threats

State-backed hacking groups are one of the biggest threats in terms of cybersecurity today. With highly advanced skills, as well as huge resources, these groups are focused on infiltrating foreign targets at the highest level. Think government agencies, national election campaigns, critical national infrastructure, political parties, financial authorities and defensive targets.

Information gathering is usually the key objective for this type of attacker, but it can go much further than that. It has been suggested that these groups have been responsible for bringing down and disrupting national infrastructure, meddling in national elections, launching worldwide ransomware attacks such as NotPetya, and launching revenge attacks against those looking to expose national secrets.   

Anonymity is essential for these groups and they will use a variety of techniques to cover their tracks or obfuscate the true nature of their work. Plausible deniability is also key and no state would freely admit to sponsoring a group that had carried out a critical attack — the consequences would be disastrous. Instead governments can always pin the blame on rogue ‘patriotic’ groups.

  • Organised cybercrime

It has been reported that 51% of data breaches are perpetrated by organised crime and online criminal gangs are well-known for using advanced hacking techniques in order to profit from fraud, theft and ransom.

Just to demonstrate how lucrative this can be to the criminals - ransomware payments were estimated to have been over $1 billion dollars in 2016, and it’s growing.

But it’s not just about criminals exploiting a victim for profit. There’s also a lucrative black market in selling techniques, exploit kits and contraband on the dark web. That’s right, cybercrime-as-a-service.

What’s surprising is that organised criminal groups can often operate much like a legitimate business. Selling products and services, adopting leadership hierarchies, incorporating specific job roles, structured promotion and recruitment, even introducing support functions such as ransomware call centres.

They’re also using open source, commercial tools such as Slack, WhatsApp and Google Groups to communicate, as well as social media to market their offerings.  

  • Hacktivists

Hacktivists are ideologically motivated and use a range of hacking techniques in order to advance their political or social agenda. This could be anything from exposing government corruption to disrupting organisations who may be involved in animal testing. Other areas under attack include freedom of speech, human rights and information ethics.

As systems have become more secure, the Hacktivists have had to evolve. Hacktivists acting alone are now a rarity and instead groups such as Anonymous, LulzSec and Wikileaks have formed in order to utilise collective skills and resources.

  • Script kiddies and curious teenagers

Script kiddies and curious teenagers are your more immature attackers in terms of their skill level, yet they can be just as effective as those more technically advanced. Due to their low level of skill, they utilise existing techniques, programmes and scripts to randomly search for vulnerabilities, hoping to find one which they can then exploit.

The speed at which these hackers get hold of sophisticated attack techniques is increasing all the time and, as such, they will continue to be a dangerous threat, even though they are not taken seriously by the hacking community.

Take for example the TalkTalk beach in 2014, where the personal data of over 150,000 customers was exposed. It wasn’t a criminal gang behind it, but a teenager who ran an automated tool against the website contact form and the database came out.

Many of these hackers are looking to develop their skills and to see how far they can get. Whilst they are not the most skilled of attackers they sometimes get lucky and can exploit simple vulnerabilities often overlooked by more sophisticated hackers.

Which type of hacker is most likely to target your company?

Unless you’re a government agency, or have access to extremely sensitive national information, you can probably rule out being targeted by a state sponsored group. The same goes for hacktivists, unless you have some political affiliation or engaged in contentious social or moral issues.

For everyone else, it can be any of the above. All companies are fair game.


 

What are the hackers after?

As we have seen above, there is a variety of hackers out there, all with differing motivations. But what are these attackers really looking to achieve? Whilst intent and objectives can vary wildly, here are the more typical motivations.

  • Money

Financial gain is often the biggest motivator for criminal hackers and they can use a variety of attack techniques to get victims to pay them directly. Ransomware is the most publicised of these techniques, and is designed to play on fear and panic to extort cash in return for access to systems.

  • Personal data

Personal data is valuable. As well as selling it directly on the dark web, attackers can also use this information to launch further attacks against individual targets in the future.

For example, with the information gained threat actors could launch convincing spear-phishing attacks, or use stolen credentials to gain access to a host of sensitive sites such as online banking. With the right information they could even set up credit cards in victims’ names or take out loans.

  • Using you to get to others

If you were a hacker dedicated to gaining access to a secure organisation or government, how would you do it? Attempt to hack it directly? It’s going to take a lot of time and effort, not to mention the increased chance that you’re going to be caught.

No, the most effective way would be to target the organisation’s potential weaknesses. This often includes the company’s supply chain. That’s how hackers think, and just because you’ve been breached doesn’t mean you were the eventual target. They could be using you to get to others, your customers, your suppliers, your contacts.

You only have to look at the American store Target for an example of this.

In 2013, hackers managed to gain access to Target’s systems and we’re able to place malware on the store’s till systems. This meant that attackers then had access to the card details of every customer who purchased something at the store during that time.

But hackers didn't target the store directly, they breached their air conditioning supplier. Using this access they were able to pivot onto Target’s systems and install the malware.  

  • Intellectual property and organisational secrets

Every company has sensitive information and/or valuable intellectual property — whether it’s a recipe, an algorithm, a patent or a process. And you need this to be kept away from prying eyes.

With each year that passes, companies can harness and leverage improved technologies at lower costs, but these leaps in technology have also led to leaps in malware and hacking techniques, allowing threat actors to infiltrate, access, and steal valuable IP in ways that simply weren’t possible 20 years ago.

If an attacker was to access, copy or steal your critical IP, they could use it for financial gain and the negative results could be disastrous for your business.

Learn how to keep your business secrets safe in our blog 

  • Qudos and notoriety

Hackers usually want to keep their work a secret, avoiding detection at all costs. However, there are some groups out there that are just looking for their slice of fame, advertising their hacks brazenly for the whole world to see.

This usually includes taking over popular websites and social media channels, changing messages to advertise the fact they they got in. One example of this is the HBO hack of 2017.

US cable network HBO was subjected to three separate attacks, data was stolen, unreleased episodes of Game of Thrones leaked — and to add insult to injury the hacking group OurMine managed to take over HBO’s social media accounts to boast about their breach.

HBO-Hack

 


 

The techniques used by hackers

Attackers can use a variety of techniques to gain access to your information, but once you know how it’s done you can start to put in place the necessary measures to prevent your organisation from becoming a victim. In this section we uncover some of the most common attack methods.

The ways in

  • Unpatched vulnerabilities

Have you ever pressed the ‘remind me later’ button when asked to update your software? Of course you have, we all have. But by doing so you’re at increased risk of attack.

Updates aren’t just about design changes, they also carry with them vital security updates to ensure your software remains protected against the latest known vulnerabilities. Attackers know this and once a patch has been released the race is on to reverse engineer the update, find the previous vulnerability and launch an attack.

The time between patch release and attack release is getting shorter all the time, meaning that the more you delay the more chance you have of becoming a victim.

Learn more about the importance of patching in our blog

  • Weak passwords

Passwords are still the default protection for most sites and people should be using strong, individual passwords for every site they access. The key word here is ‘should’ and far too many people still use the same password across multiple sites, as well as continuing to use weak passwords such as ‘password123’.

Hackers can easily guess these passwords, and data breaches can mean that people’s passwords are exposed for anyone to see. With this information attackers can access sites and use the credentials to gain access to other information, including your company systems.

  • Social engineering

Social engineering is when attackers try to deceive victims in to sharing information. Phishing, spear phishing and smishing are some of the most popular techniques, and attackers will impersonate legitimate organisations and individuals in an attempt to trick victims into sharing personal details, their passwords or even bank account details.


  • Exploiting poor security design

Hackers can utilise a number of security design flaws to gain access to your network. From badly designed or coded applications and insecure network design, to lack of data encryption and unchanged IoT default passwords.

These are just some of the ways in and organisations need to ensure they are testing security on a regular basis. Uncovering their security flaws and putting in place the necessary improvements to protect themselves.

What can they do once inside?

  • Man in the middle (MITM) attack

If a hacker was able to gain access to your router they can perform a ‘man in the middle’ attack. This is where they can monitor the traffic sent between your computer and the web server.

With this type of access an attacker can monitor traffic, intercept sensitive information, steal details from insecure http sites or can even change the content of websites to display whatever message they like.


  •  Ransomware

Ransomware is not like other attacks and is designed to alert victims to the fact they’ve been breached. Once inside the system, attackers will launch the ransomware malware, locking users out of their systems and demanding a ransom in return for access.

In most cases all data will have been wiped/stolen and paying the ransom will be completely useless.

Find out more about Ransomware with our blog

 


 

How Secarma can help

At Secarma our aim is to improve your security mindset — through our blog, our educational workshops, our on-site consultations or our rigorous security testing. Whatever method suits your needs or goals, our security consultants are here to help you.  

To find out more about the services Secarma can offer your organisation please browse the services area of our website. Alternatively, fill out the form below to request information from one of our experienced account managers today.

Contact us