WHAT DO I NEED TO GUARD AGAINST CYBER THREATS?

Cybersecurity threats are always changing. The threats that most often target businesses are malware, phishing, identity theft, Distributed Denial of Service (DDoS) attacks, software threats, data diddling, password attacks, Man-in-the-Middle (MITM) attacks, salami-slicing, Internet-of-Things (IoT) hacking, and cyber extortion. These are the most common cyber threats that small business companies need to be protected against, and it is highly likely that your business can reasonably prevent or mitigate most of them.

MALWARE AND VIRUSES

Malware is malicious software created to damage a computer, a server or a network. Malware can perform a variety of harmful actions, including: slowing down or crashing a computer; changing system settings; surveilling a user, including logging keystrokes and taking screenshots; turning computers into spam-sending machines; holding data for ransom and threatening to delete it if the ransom is not paid; installing a backdoor or other programs; interrupting network connections; and modifying or deleting files. Basically, various forms of disruption.

In March of 2018, the Boeing corporation was hit by a cyberattack. Boeing executives believed they had been hit by the WannaCry malware, which infected more than 200,000 computers in some 150 countries in 2017. WannaCry is a form of malware known as ransomware. It locks up the computer systems and data of its targets by encrypting them until a ransom is paid. Payment is generally demanded in cryptocurrency, such as Bitcoin. Even when the payment is made, decryption of the data and systems is not assured. Boeing publicly reported that the cyberattack affected only a small number of its systems. The purpose of the attack was to cause damage to computer systems. WannaCry spread on its own from machine to machine by exploiting a Windows file-sharing (SMB) vulnerability that Microsoft had patched two months before the outbreak, which is why unpatched systems were the ones that fell. A "kill switch" (a domain name the malware checked before running) was found that stopped the original WannaCry, although attackers soon released variants with the kill-switch check removed. This is a never-ending game of cat and mouse.

Mitigation: It is possible to prevent most malware from infecting your computer systems and network. Install anti-virus/anti-malware software and keep it up to date. Run regularly scheduled scans. Keep your operating system (OS) and applications up to date; the patch that stopped WannaCry existed before the outbreak. Always secure your network with a password and use WPA2 (or WPA3 where available) encryption; the original WPA is obsolete. Never click on unknown or untrustworthy links or websites. Never use an "open" Wi-Fi connection. As much as feasible, back up all of your files to an external hard drive, and disconnect it when the backup is done, because ransomware also encrypts any drive it can reach. Use a variety of strong passwords and never use the same password for all your accounts.

PHISHING

What is phishing? Phishing is when a bad actor sends a message, usually an email, to an unsuspecting target individual or company to obtain sensitive information (such as passwords and credit card information) by pretending to be a legitimate individual or a trustworthy company. Phishing is commonly associated with email, yet over the past year it has rapidly spread to social media and messaging applications. Most phishing attacks are not aimed at a particular victim. Once a business has been the target of a phishing attempt, it is statistically more likely to be the subject of future attempts.

Earlier this year, WhatsApp (a messaging platform) released a feature allowing video chat. Scammers used the launch of this new feature to send out fake invites to WhatsApp users. These fake invites bring users to a site known as "Whatappvideostart," whose download, once installed, compromises the security of the user's smartphone and gives the attackers the user's account information and passwords. Another WhatsApp phishing attempt occurred during the 2017 holiday season, when WhatsApp users were the targets. This scam led users to believe they were being offered free air travel from Air Emirates. A fake survey then asked each user to share a link with 10 "friends" on WhatsApp to "claim" the prize, which is how the scam spread. Mitigation: The easiest way to avoid becoming a victim of a phishing attack is to double check the legitimacy of every email and its links before acting on them: confirm that the sender's address belongs to the organization it claims to be from, and look at where a link really points before clicking it. An additional way is to call the person or company to verify the email or link, using a phone number you already have rather than one supplied in the message.

IDENTIFICATION THEFT

Cybercriminals attempt to change or steal the personally identifiable information (PII) that government agencies, suppliers and financial institutions hold about companies. They use the PII to open new credit accounts in the victim company's name. Hackers can then fraudulently purchase merchandise while the bill is sent to the victim company, and some take out loans in the victim company's name. Corporate identities are stolen in a few different ways: over the Internet, by email, by telephone, and through the physical mail. Website forgery is when an individual is redirected to a fake website made to look like the real one so that the user enters their sensitive information there. A Wapack Labs analyst recently received a fake Apple web page that looked very authentic; the graphics were almost identical to Apple's, and only the erroneous sending email address revealed that it was fraudulent. Another way is phishing, including "whaling," which targets high-level executives, and the related "CEO fraud," in which the attacker impersonates an executive to get subordinate employees to reveal account details and other sensitive information. Low-tech phishing is the same technique conducted through physical mail or by fax.

Mitigation: Corporate identity theft can be prevented by simple techniques. Shredding documents such as bank, payroll and tax records and corporate credit account statements keeps sensitive documents from being obtained and exploited for criminal use. Create a solid document management policy; it is an important step in keeping sensitive company information secure. Educate employees on how to handle and destroy sensitive PII and internal documents. Hard drives, USB drives, cell phones, old copy machines and CDs should be stored and destroyed properly to keep the information on them secure. Partnering with a professional cyber security organization that protects corporate information will help keep business accounts and information secure; Wapack Labs recommends Trusted Internet LLC for support, https://www.wapacklabs.com/trustedinternet/ Always question anyone who requests your PII.
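The checks described in the phishing and identity theft sections above (a sender that is not who it claims to be, a link whose visible text and real destination differ, a forged page that imitates a brand) can be automated for incoming mail. The script below is an added example, not Wapack Labs tooling: it flags a sender or link domain that imitates one of a small trusted-brand list, a Reply-To address on a different domain from the sender, link text that shows one host while the href points at another, and links that are not HTTPS. The trusted-domain list, the look-alike threshold and the two messages are constructed for the demo; the "brand name appears in the host" rule will also flag unrelated domains that happen to contain the word, so treat it as a triage hint rather than a verdict.

```python
"""Heuristic phishing checks on a single-part email (added example, constructed data)."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the demo: brands this organisation regularly hears from.
TRUSTED_DOMAINS = {"apple.com", "emirates.com"}
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Last two labels as a crude eTLD+1; real code should use the public suffix list.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(host):
    """Return the trusted domain `host` imitates, or None if it is genuine or unrelated."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        close = difflib.SequenceMatcher(None, registrable_domain(host), trusted).ratio() >= 0.8
        if brand in host.lower() or close:   # apple.com.verify-account.net, app1e.com, ...
            return trusted
    return None


def analyse(raw_message):
    """Return a list of human-readable findings for one single-part RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    _display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append(f"sender domain {sender_domain} imitates {hit}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and registrable_domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append(f"Reply-To domain differs from sender domain {sender_domain}")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        parsed = urlparse(href)
        href_host = parsed.hostname or ""
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
        hit = lookalike_of(href_host)
        if hit:
            findings.append(f"link domain {href_host} imitates {hit}")
        if parsed.scheme != "https":
            findings.append(f"link to {href_host} is not HTTPS")
    return findings


# Constructed messages: a forged "Apple ID locked" lure and a genuine-looking receipt.
PHISH = """From: Apple Support <noreply@appleid-support.net>
Reply-To: verify@secure-mail-box.ru
To: analyst@example.com
Subject: Your Apple ID has been locked
Content-Type: text/html

<html><body><p>Your Apple ID was used to sign in from a new device.</p>
<a href="http://appleid.apple.com.verify-account.net/login">https://appleid.apple.com/</a>
</body></html>"""

LEGIT = """From: Apple <noreply@email.apple.com>
To: analyst@example.com
Subject: Your receipt
Content-Type: text/html

<html><body><a href="https://www.apple.com/">Apple</a></body></html>"""
```

Running `analyse(PHISH)` produces five findings (imitating sender, mismatched Reply-To, mismatched link text, imitating link domain, plain-HTTP link) and `analyse(LEGIT)` produces none. The subdomain trick in the sample href is the one the analyst's fake Apple page relied on: the real brand appears at the start of the host, but the registrable domain at the end is the attacker's.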

DISTRIBUTED DENIAL OF SERVICE

A Distributed Denial of Service (DDoS) attack is a denial of service attack launched from many sources at once. It occurs when a cybercriminal or group controls a vast number of Internet-connected devices and directs all of them to send traffic to your company's website at the same time. The volume of traffic overwhelms the web server or its Internet connection, and customers can no longer reach the site. In February of 2018, the platform developer GitHub was hit with a DDoS attack that peaked at 1.35 terabits per second of traffic, the largest publicly recorded at that time. The method of this attack is becoming more popular because it does not require a botnet.[1] The attack caused GitHub intermittent outages. This method of DDoS attack is known as an amplification (or reflection) attack. An amplification attack does not require a malware-driven botnet like other DDoS attack methods. Instead, the attackers send small queries to many Memcached servers[2] exposed to the Internet, with the source IP address spoofed to be the target's; each server answers with a response tens of thousands of times larger than the query and sends it to the target, not to the attacker. DDoS attacks are very difficult to prevent, although they can be mitigated. When GitHub was hit, it sought support from a DDoS mitigation provider. This provider acted as a middle man by routing all the traffic going in and out of GitHub through scrubbing centers, which weeded out and blocked the malicious packets. This is one example of how to respond to a DDoS attack and mitigate it quickly; with this strategy in place, GitHub's outage lasted only about 20 minutes. The other half of the fix belongs to the infrastructure community: remove exposed Memcached servers from the Internet, disable their UDP listener, and keep them behind firewalls on internal networks, since a cache that only answers internal clients cannot be used as a reflector.
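Two checks for the Memcached amplification technique described above, as an added example that is not GitHub's or its mitigation provider's tooling: the first flags reflected Memcached traffic arriving at our network in flow records (UDP from source port 11211, large packets, several distinct servers converging on one victim address), which is what a target sees; the second audits a Debian-style memcached.conf for the two settings that make a server usable as a reflector, which is what a server operator should check. The network prefix, thresholds, flow records and config fragments are constructed for the demo; the `-U 0` and `-l` options are real memcached options (disable the UDP port, bind to an address).

```python
"""Memcached reflection: detection on flow records and a config audit (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MEMCACHED_PORT = 11211
OUR_PREFIX = ip_network("203.0.113.0/24")   # assumption: the address space we defend
MIN_BYTES_PER_PACKET = 1000                  # reflected responses are near-MTU sized
MIN_REFLECTORS = 3                           # distinct reflectors before we call it an attack

# Constructed flow records: epoch proto src sport dst dport packets bytes.
# The first four are 11211/udp responses from servers we never queried.
FLOWS = """\
1519840800 udp 198.51.100.10 11211 203.0.113.5 34567 120 172800
1519840800 udp 198.51.100.11 11211 203.0.113.5 34567 95 136800
1519840801 udp 198.51.100.12 11211 203.0.113.5 34567 110 158400
1519840801 udp 198.51.100.13 11211 203.0.113.5 34567 80 115200
1519840801 tcp 192.0.2.44 443 203.0.113.8 51822 40 9000
1519840802 udp 192.0.2.9 53 203.0.113.9 40001 3 400
"""


def parse_flows(text):
    fields = ("ts", "proto", "src", "sport", "dst", "dport", "packets", "bytes")
    rows = []
    for line in text.strip().splitlines():
        raw = dict(zip(fields, line.split()))
        rows.append({"ts": int(raw["ts"]), "proto": raw["proto"],
                     "src": ip_address(raw["src"]), "sport": int(raw["sport"]),
                     "dst": ip_address(raw["dst"]), "dport": int(raw["dport"]),
                     "packets": int(raw["packets"]), "bytes": int(raw["bytes"])})
    return rows


def detect_memcached_reflection(flows):
    """Group inbound UDP flows sourced from port 11211 by victim address and report
    victims hit by MIN_REFLECTORS or more distinct reflectors sending large packets."""
    by_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != MEMCACHED_PORT or f["dst"] not in OUR_PREFIX:
            continue
        if f["bytes"] / f["packets"] < MIN_BYTES_PER_PACKET:
            continue                          # small packets: ordinary client/server chatter
        v = by_victim[f["dst"]]
        v["reflectors"].add(f["src"])
        v["packets"] += f["packets"]
        v["bytes"] += f["bytes"]
    return {str(victim): {"reflectors": len(v["reflectors"]), "bytes": v["bytes"],
                          "avg_response_bytes": v["bytes"] // v["packets"]}
            for victim, v in by_victim.items() if len(v["reflectors"]) >= MIN_REFLECTORS}


def memcached_config_findings(conf_text):
    """Audit a memcached.conf written one option per line.  A missing -U is treated
    as UDP enabled, which was the default before memcached 1.5.6."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    findings = []
    if opts.get("-U", "11211") != "0":
        findings.append("UDP listener enabled: set '-U 0'")
    if opts.get("-l", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("bound to all interfaces: set '-l 127.0.0.1' or an internal address")
    return findings


WEAK_CONF = "-p 11211\n-m 64\n"                            # answers UDP on every interface
HARDENED_CONF = "-p 11211\n-m 64\n-U 0\n-l 127.0.0.1\n"    # TCP only, loopback only
```

On the constructed flows the detector reports one victim, 203.0.113.5, hit by four reflectors with 1440-byte average responses, while the 443/tcp and 53/udp flows are ignored; the weak config yields two findings and the hardened one none. In production the same grouping runs over NetFlow/sFlow exports, and the config audit belongs in whatever configuration management already touches the cache hosts.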

SOFTWARE THREATS

There are three different forms of software threats: end of support (deprecation), inherent vulnerabilities, and piracy. When a software manufacturer stops updating its software or its plug-ins, the product has reached end of support; deprecation is the earlier warning that a product should no longer be relied on. Microsoft stopped developing its Silverlight streaming-media plug-in after version 5, browsers dropped support for it, and Microsoft ended support entirely in October 2021; a plug-in that no longer receives fixes exposes its users to every vulnerability found in it afterward. The second form of software threat is inherent vulnerabilities. Some software ships with vulnerabilities built in, Adobe Flash Player being the standard example. The MITRE CVE list records well over one thousand vulnerabilities in Flash Player, which is one reason Apple never allowed it on iOS devices; Adobe itself ended support for Flash at the end of 2020. The third type of software threat is piracy. Pirated software does not come with the same security features as the legal version; most of its security features are disabled, and the disabled features often conceal malware bundled into the pirated copies being sold. The National University of Singapore found that 34% of 165 pirated software CDs/DVDs contained malware, and most of the pirated copies led to unwanted advertisements that themselves carried malware. Mitigation: There are several ways to protect your systems against these software threats. Always buy your computers and laptops from trustworthy and reputable sellers. Always buy genuine software. Use multi-factor authentication. Train and re-train your employees on safe cyber practices. Keep an inventory of installed software so you know when something reaches end of support, retire all old and unsupported versions, and immediately replace them with supported, more secure versions. Always check that all your software and operating systems are up to date.

DATA DIDDLING

Data diddling is when an unauthorized user (typically an insider) alters data before or while it is being entered into a computer system, and then changes it back after the system has finished processing it, so that the stored record looks correct even though the processing used the altered value. Data diddling can be used by an employee to steal from their company, as well as to create counterfeit documents. Mitigation: stay vigilant in employee relations for possible insider threats, and compare what was approved for processing against what was actually processed, since the restored record will not show the change.

PASSWORD ATTACKS

There are three common types of password attacks: brute force, dictionary, and key logger. A brute force attack occurs when a hacker uses a program or script to attempt to log into an account with every possible password combination. A company can blunt online brute force attacks with an account lock: after a set number of failed attempts (three in many policies), the account is blocked until an administrator unlocks it. Be aware that a permanent lock lets an attacker lock legitimate users out of their own accounts simply by guessing wrong on purpose, so a lock that expires after a set time is usually preferable. Another way is progressive delays, which lock a user out for a growing amount of time after each failed attempt. A challenge-response test (such as a CAPTCHA) prevents automated submissions to the login screen. A dictionary attack occurs when a hacker uses a program or script that tries common words, names and previously leaked passwords rather than every combination. These attacks are generally successful because most people use short, single-word passwords that are easily predicted or identified through social engineering techniques.[3] To prevent a dictionary attack from being successful, require passwords of at least eight characters, encourage multi-word passphrases, and reject passwords that appear on lists of commonly used passwords. A key logger attack is when a hacker uses a malicious program to record all of a targeted user's keystrokes; everything the user types, including usernames and passwords, is captured. A key logging attack first requires malware to infect the targeted user's device or network. To defeat key loggers, companies have adopted multi-factor authentication (MFA): the password alone is not enough, and a second factor, such as a one-time code generated on a separate device, is required each time a user logs on. Some users complain about this practice, but it means that a password captured by a key logger is not, by itself, enough to log in.
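The brute force and dictionary mitigations above (a failure counter, progressive delays, a temporary lockout, a minimum password length) fit together in a single login handler. The code below is an added example, not from the original report: an authenticator that stores salted PBKDF2 hashes, rejects throttled and locked attempts before examining the password at all, and hashes even for unknown usernames so timing does not reveal which accounts exist, plus a simulated dictionary attacker driven by a fake clock so the run does not actually sleep. The thresholds are assumptions; a 3-failure lock as in the text is stricter, but whatever the count, the lock should expire on its own.

```python
"""Login throttling against online brute-force and dictionary attacks (added example)."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5          # failures before a temporary lockout (assumption)
BASE_DELAY = 1.0          # seconds; doubles with every failure
LOCKOUT_SECONDS = 900
PBKDF2_ROUNDS = 100_000
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def password_acceptable(pw):
    """At least 8 characters and not a common password; multi-word passphrases
    pass easily, which is the behaviour we want to encourage."""
    return len(pw) >= 8 and pw.lower() not in COMMON_PASSWORDS


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}            # username -> (salt, pbkdf2 hash)
        self.failures = {}         # username -> (count, last_failure_at, locked_until)
        self._dummy = (os.urandom(16), None)   # hashed against for unknown users

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        if not password_acceptable(password):
            raise ValueError("weak password")
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Return 'ok', 'locked', 'throttled' or 'denied'.  Throttled and locked
        attempts are refused before the password is examined, so they give the
        attacker no information and do not count as further failures."""
        count, last, locked_until = self.failures.get(username, (0, 0.0, 0.0))
        now = self.clock()
        if now < locked_until:
            return "locked"
        if count and now - last < BASE_DELAY * 2 ** (count - 1):
            return "throttled"                 # 1 s, 2 s, 4 s ... after each failure
        salt, stored = self.users.get(username, self._dummy)
        candidate = self._hash(password, salt)  # same cost for unknown users: uniform timing
        if stored is not None and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, now, locked_until)
        return "denied"


class FakeClock:
    """Deterministic clock so the simulation never sleeps."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_dictionary_attack(auth, username, wordlist, clock, retry_every=0.5):
    """Attacker tries each word in turn, retrying every 0.5 s while throttled.
    Returns the sequence of outcomes; stops on 'ok' (success) or 'locked'."""
    outcomes = []
    for word in wordlist:
        while True:
            result = auth.login(username, word)
            outcomes.append(result)
            if result != "throttled":
                break
            clock.advance(retry_every)
        if result in ("ok", "locked"):
            break
    return outcomes


def demo():
    """Run the attack against a constructed account; return (outcomes, owner's login
    after the lockout expires)."""
    clock = FakeClock()
    auth = Authenticator(clock=clock)
    auth.register("alice", "correct horse battery staple")
    wordlist = sorted(COMMON_PASSWORDS) + ["correct horse battery staple"]
    outcomes = simulate_dictionary_attack(auth, "alice", wordlist, clock)
    clock.advance(LOCKOUT_SECONDS)            # lock expires; the real owner logs in
    return outcomes, auth.login("alice", "correct horse battery staple")
```

In `demo()` the attacker's wordlist ends with the real passphrase, but the account locks after the fifth wrong guess and the attacker never reaches it; the doubling delay means those five guesses cost the attacker 15 simulated seconds rather than a fraction of one. The legitimate owner, logging in after the lock expires, gets `ok` and the failure record is cleared.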

MAN-IN-THE-MIDDLE ATTACK

A man-in-the-middle (MITM) attack is when an attacker places themselves between a user's computer and a server or website. Once in place, the attacker can "listen" to, that is intercept, the data being exchanged, and can modify it while it is in transit. The attacker may then try to trick the end user into providing sensitive information, for instance by serving a fake login page in place of the real one. For a traditional MITM attack the attacker needs access to the network path, typically an unsecured or poorly secured Wi-Fi router. A newer method, sometimes called man-in-the-browser, occurs when an attacker gets malware onto a computer; the malware installs itself into the Internet browser and records or alters the data sent between the victim and targeted websites before any encryption takes place. Mitigation: Always use encryption. Encrypt all network traffic, not only sensitive information; if an MITM attacker intercepts unencrypted data, even data that is not sensitive, the attacker can insert content that delivers malware to your devices. Encryption on its own is not enough: the connection must also authenticate the other end, which is what a properly validated TLS certificate does. Users should ensure that applications validate certificates rather than accepting whatever certificate is presented, that HTTPS is always in the URL of visited sites, and that certificate warnings are never clicked through. Never connect to public Wi-Fi directly. If possible, use a virtual private network (VPN), which moves the trust from the local network to the VPN provider.
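What a man in the middle can do to an unauthenticated channel versus an authenticated one, as an added example that is not from the original report. The first pair of functions sends a payment instruction as plain bytes and an on-path attacker rewrites the payee unnoticed; the second pair adds an HMAC tag keyed with a secret the attacker does not hold, so the same rewrite is rejected on receipt. The last two functions show the TLS client setting that reintroduces the problem: disabling certificate verification makes the connection accept any certificate, including one minted by the attacker. In practice the authentication comes from TLS itself; the HMAC tag shows the principle at application level. The message, the shared key and the attacker's rewrite are constructed for the demo.

```python
"""Tampering on an unauthenticated vs an authenticated channel (added example)."""
import hashlib
import hmac
import ssl

MESSAGE = "transfer amount=12500.00 payee=ACME-Supplies ref=INV-2018-0421"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: pre-shared by both ends


def on_path_attacker(wire):
    """Rewrites the payee in transit.  Works on any bytes the attacker can recognise."""
    return wire.replace(b"payee=ACME-Supplies", b"payee=ATTACKER-LTD")


# Unauthenticated channel: the receiver has no way to notice the rewrite.
def send_plain(message):
    return message.encode()


def recv_plain(wire):
    return wire.decode()


# Authenticated channel: an HMAC over the body, keyed with a secret the attacker
# does not have.  Any change to the body invalidates the tag.
def send_authenticated(message, key=SHARED_KEY):
    tag = hmac.new(key, message.encode(), hashlib.sha256).hexdigest()
    return message.encode() + b"|" + tag.encode()


def recv_authenticated(wire, key=SHARED_KEY):
    body, _, tag = wire.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message altered in transit")
    return body.decode()


def tls_client_context(verify_peer=True):
    """The default context verifies the server's certificate chain and hostname.
    verify_peer=False reproduces the 'it works now' pattern that silently accepts
    any certificate, which is exactly what a man in the middle needs."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_peer:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """The check to run over any TLS client configuration in your code base."""
    return (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def demo():
    """Return (what the receiver saw on the plain channel, whether the
    authenticated channel rejected the altered message)."""
    seen_plain = recv_plain(on_path_attacker(send_plain(MESSAGE)))
    try:
        recv_authenticated(on_path_attacker(send_authenticated(MESSAGE)))
        rejected = False
    except ValueError:
        rejected = True
    return seen_plain, rejected
```

On the plain channel the receiver dutifully pays ATTACKER-LTD; on the authenticated channel the altered message raises before it is acted on. Note that encryption without authentication would not change the first outcome: an attacker who can relay bytes can still flip them, which is why the mitigation above insists on validated certificates rather than just "HTTPS somewhere in the URL".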

SALAMI-SLICING

A salami-slicing attack occurs when cyber-criminals steal money or resources in slices so small that no single one is noticed, for example by diverting the fractional cents left over when interest or payroll is rounded, so that there is no noticeable difference in any individual balance. The most common use of salami-slicing is electronically stealing money. Salami-slicing can also be used to gather any type of information a little at a time. Mitigation: To prevent a successful salami-slicing attack, network administrators and finance staff should regularly reconcile assets and transactions, watch for many small credits accumulating in a single account, and audit the sharing of sensitive information.
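Two ledger audits for the insider techniques described above, as an added example not taken from the original report. For data diddling, each record is sealed with an HMAC at the moment a manager approves it, using a key the processing application (and the insider) does not hold; the audit then compares the processing log against those seals, so restoring the stored record afterwards does not hide the change. For salami-slicing, the audit looks for a destination account that receives many credits individually below any review threshold. The key, the payroll batch and the transfer list are constructed for the demo.

```python
"""Ledger audits for data diddling and salami-slicing (added example, constructed data)."""
from collections import defaultdict
import hashlib
import hmac
import json

# Assumption: held by the audit system only, so altered records cannot be re-sealed.
AUDIT_KEY = b"constructed-audit-key"


def seal(record):
    """HMAC over the canonical JSON of a record at the moment it is approved."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()


def seal_batch(records):
    return {r["id"]: seal(r) for r in records}


def diddled_ids(seals, processed):
    """IDs whose content at processing time does not match the approval seal."""
    return sorted(r["id"] for r in processed
                  if not hmac.compare_digest(seal(r), seals.get(r["id"], "")))


def salami_suspects(transfers, max_cents=5, min_count=20):
    """Destination accounts receiving at least min_count credits of max_cents or
    less.  Each credit is below any review threshold; the aggregate is not."""
    by_dest = defaultdict(list)
    for t in transfers:
        if 0 < t["cents"] <= max_cents:
            by_dest[t["to"]].append(t)
    return {dest: {"count": len(ts), "total_cents": sum(t["cents"] for t in ts),
                   "distinct_sources": len({t["from"] for t in ts})}
            for dest, ts in by_dest.items() if len(ts) >= min_count}


# Constructed payroll batch: approved by a manager, then handed to processing.
APPROVED = [{"id": "P-1001", "employee": "E-17", "cents": 250000},
            {"id": "P-1002", "employee": "E-42", "cents": 310000},
            {"id": "P-1003", "employee": "E-08", "cents": 275000}]
# The insider bumps their own record while it is being processed (and will restore it later).
PROCESSED = [dict(APPROVED[0]), {**APPROVED[1], "cents": 910000}, dict(APPROVED[2])]

# Constructed interest run: rounding residue from 60 customer accounts is credited
# to one employee-controlled account, alongside a few genuine small refunds.
TRANSFERS = ([{"id": f"T-{n}", "from": f"CUST-{n:03d}", "to": "EMP-0042", "cents": 1 + n % 3}
              for n in range(60)]
             + [{"id": f"R-{n}", "from": "BANK", "to": f"CUST-{n:03d}", "cents": 3}
                for n in range(5)]
             + [{"id": "S-1", "from": "CUST-001", "to": "CUST-002", "cents": 4999}])


def audit():
    """Return (diddled record IDs, salami suspects) for the constructed data."""
    seals = seal_batch(APPROVED)
    return diddled_ids(seals, PROCESSED), salami_suspects(TRANSFERS)
```

On the constructed data the audit names P-1002 as altered between approval and processing, and EMP-0042 as the account collecting 60 credits of one to three cents (120 cents in total) from 60 different customers, while the five genuine refunds and the one large transfer are not flagged. The seal only works if the key really is unavailable to the people and systems that process records; if the processing application can re-seal, the check is decorative.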

INTERNET-OF-THINGS HACKING

Internet-of-Things (IoT) hacking occurs when an attacker breaks into a system through a weak point such as a web camera, a medical device or an automobile's onboard computer. Researchers found that it takes around 30 minutes to discover a camera's default password and the services it connects to. Once that is known, every camera of the same make and model can be added to a botnet, and these botnets can be used to perform DDoS attacks. As smart devices become more common, ingenious hackers have discovered ways to attack and control them. One study found an average of 27,716 open entry points in a typical hospital that uses IoT-type medical devices. The major IoT issues discovered in hospitals involved lighting, air conditioning and printers. Most of these devices run out-of-date software, which creates serious vulnerabilities. Mitigation: To prevent this type of hacking, IoT devices should be secured before they are put into use. Change all default passwords. Install security patches as soon as they are provided. Regularly check for and update each device's firmware. Protect the IoT Wi-Fi network, and put IoT devices on their own network segment, separate from workstations and servers, so that a compromised device cannot reach them. Disconnect old, unsecured IoT devices and replace them with newer, more secure models. A preventive update and replacement program for IoT devices will ensure higher security.

CYBER EXTORTION

Cyberextortion occurs when a hacker infiltrates an organization's systems, or claims to be able to, and then threatens the organization with harm unless a ransom is paid. There are several types of cyberextortion: cyber blackmail, threatened DDoS attacks, ransomware, and database ransom attacks. Cyber blackmail is breaking into a company's network (or that of one of its vendors), taking something, and threatening to release it unless paid. An example occurred in 2017 when hackers blackmailed Netflix: they had obtained unreleased episodes of the show Orange Is the New Black from a post-production vendor and demanded a ransom not to publish them. Netflix did not pay, and the episodes were released. Hackers may also threaten a company with a DDoS attack unless they are paid, or perform a DDoS attack and offer to stop it for a ransom; often the attack never materializes if the ransom is refused, because the hackers are relying on the threat alone. Ransomware is another type of cyberextortion. Ransomware infects a targeted computer and encrypts its files, then holds the files or data hostage and threatens to delete them if a ransom is not paid. Ransomware can be picked up from a variety of sources, including email attachments, infected websites and pop-up ads. Database ransom attacks are another type of cyberextortion. These attacks occur when hackers hijack databases running MySQL, Hadoop, MongoDB, Elasticsearch or other software that has been exposed to the Internet without authentication or left unpatched. The attackers delete or export the data, leave a ransom note in its place, and demand payment to restore it; often they never kept a copy, so paying recovers nothing. Mitigation: To protect a company's data and avoid becoming the victim of a cyberextortion attack, employ preventive measures. Encrypting your data protects it from exposure and blackmail, although it does not stop ransomware, which simply encrypts your files a second time. Back up your company data to an external hard drive that is disconnected once the backup is complete, so that ransomware cannot reach it, and test that the backups actually restore. Never expose a database to the Internet without authentication. Have clear corporate recovery procedures and disaster recovery plans in place, and have your administrators test these plans regularly. This will help prepare your organization for a cyberattack and make sure that your organization will be able to recover from one.

Conclusion

These threats are the most common threats that your company may face regarding cybersecurity. The mitigation techniques are often similar from one threat to the next, and they are proven to work. As threats change over time (at times, day to day), it is important to keep current on cyber security topics and identify which threats may pose a danger to your company. It is also important to identify what steps you can take to prevent and mitigate these threats. Identifying which cyber threats target your organization, and how to prevent and mitigate them, will help to ensure that the threats relevant to your organization are addressed and properly handled. By taking these simple prevention steps, your company will be better protected. An ounce of prevention is worth a pound of cure.

For questions or comments regarding this report, please contact our lab directly at 603-606-1246, or feedback@wapacklabs.com   


[1] A botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam messages or to generate attack traffic.

[2] Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. It was never designed to be reachable from the Internet.

[3] Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
