In a business landscape profoundly altered by the COVID-19 pandemic, the workplace is rapidly developing to suit the changing demands of workers. A study published in January of 2021 showed that only 6% of the workforce worked from home before the pandemic. In May of 2020, this figure rose to over 33% and as of December of 2020, 25% of workers are still working from home. So it should not come as a surprise that an increased dependence on technology has resulted in more pronounced cyber security vulnerabilities. KuppingerCole, an international analyst firm, reported a 238% increase in global cyberattack volume during the pandemic.
Unfortunately, this does not mean that traditional non-remote businesses are immune to these vulnerabilities. The willingness of companies to pay ransoms to cybercriminals and increased viability of cryptocurrency to facilitate anonymous criminal transactions resulted in a 158% increase in cyberattacks throughout North America between 2019 and 2020.
So to what degree can poor cyber security affect your business? And how can you protect your business from these harmful cyber-attacks?
Common Cyber Attacks
Social Engineering Attacks
This category of attacks targets the weakest link of the security framework of a business: the people. According to Verizon’s 2021 Data Breach Investigations Report, around 35% of data breaches involved social engineering. Human error is exploited to gain access to secure networks and obtain valuable information. A typical internet user is likely the most familiar with this category of attack; receiving spam emails and encountering bogus popup banners continue to be common experiences associated with social engineering attacks.
Baiting
Baiting lures victims with seemingly authentic or curiosity-inducing advertisements, or with physical media. Perpetrators embed harmful code within advertisements that direct curious users to attacker-controlled servers; connecting to the server triggers a process that installs malware onto the user’s system. These harmful advertisements, or “malvertisements”, evade URL-based blocking by constantly changing the page that the user is directed to. Furthermore, the exploit kits behind them fingerprint each victim’s browser and plugins so they can pick an exploit that matches the software versions actually present.
The most prominent form of baiting with physical media is the USB drop attack, in which attackers leave USB devices in conspicuous places for curious victims to find and plug into their computers. Plugging in such a device can trigger three different kinds of attack. The first and most basic is malware stored on the drive: a file that the victim opens (or, on older systems, that autorun launches) installs malware and downloads further stages from the internet. Second, a file or shortcut on the drive may send the user to a fraudulent website that attempts to convince them to disclose personal information or credentials. Lastly, the device may not be a storage device at all: hardware that presents itself to the operating system as a keyboard can type commands the moment it is connected and hand the attacker remote access to the victim’s system. In other words, plugging in the bait may surrender full control of a system to an attacker.
A famous example of a successful USB drop attack is what was considered one of the most serious breaches of the Pentagon’s computer systems in history. In 2008, a worm called “agent.btz” spread throughout networks belonging to the U.S. military after a USB drive found in a parking lot was plugged into a laptop on a Department of Defense network. In response to this breach, Operation Buckshot Yankee was launched; it took the Pentagon almost 14 months to eradicate the worm, and U.S. Cyber Command was established as a result.
Scareware
Often taking the form of a pop-up advertisement, scareware exploits a user’s fear to convince them to install harmful software or reveal personal information. A bad link may lead a user to a landing page that overwhelms them with notifications claiming that their system is infected and that they must download specific software to remove the threat. The notification may instead direct them to call a fraudulent support number, where they will be talked into giving up personal information or remote access to the system. Scareware has also been used by legitimate vendors to sell products. A recent example is the case of Office Depot in 2019: the Federal Trade Commission ordered Office Depot and its software supplier Support.com to pay $25 million and $10 million respectively to refund consumers who were duped into buying PC repair services by a scan that reported problems regardless of what it found.
Phishing
One of the most common forms of social engineering attack is phishing. Attackers impersonate trusted contacts or companies in order to trick victims into giving up login credentials or personal information. The most prevalent vector for phishers is email. An attempt to steal login credentials might arrive as a message claiming that the user’s password for a website is about to expire. Clicking the link to “reset” the password takes the user to a fraudulent website, usually on a lookalike domain, that asks for the current password and a desired new one. The attacker stores whatever is submitted and uses it to take over the real account.
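The following is an added example, not code from the original article: a small checker for the tell-tale signs of the “reset your password” phish described above. It pulls every link out of a constructed HTML email body and flags three things: anchor text that shows one URL while the href goes somewhere else, a trusted name buried as a subdomain of an attacker’s domain, and punycode hosts (how lookalike characters reach the address bar). The sample email and the `TRUSTED_DOMAINS` set are assumptions made up for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML body of a "your password is expiring" phish.
SAMPLE_EMAIL_HTML = """
<p>Your password for <b>example.com</b> expires in 24 hours.</p>
<p>Click <a href="https://example.com.account-verify.net/reset">https://example.com/reset</a>
to keep your access.</p>
<p>Questions? Visit <a href="https://xn--exmple-cua.com/help">our help page</a>.</p>
<p>Unsubscribe: <a href="https://example.com/unsubscribe">here</a></p>
"""

# Domains this organisation legitimately links to (assumed for the example).
TRUSTED_DOMAINS = {"example.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com-style names, wrong for co.uk-style ones."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(href, text):
    """Return the reasons this link looks like a credential phish (empty list = nothing found)."""
    host = urlparse(href).hostname or ""
    findings = []
    # IDN/punycode hosts are how lookalike characters (e.g. a Cyrillic 'a') get into a URL.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("punycode or non-ASCII host")
    actual = registrable_domain(host)
    if actual not in TRUSTED_DOMAINS:
        # "example.com.account-verify.net": the trusted name is only a subdomain label.
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:
                findings.append(f"trusted name '{trusted}' used as a subdomain of '{actual}'")
    # The visible text is itself a URL: does it point where the href really goes?
    if re.match(r"^(https?://|www\.)", text):
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        shown = registrable_domain(shown_host)
        if shown != actual:
            findings.append(f"visible URL '{shown}' differs from real destination '{actual}'")
    return findings


def scan_email(html):
    """Map every href in the body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyse_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", reasons or "ok")
```

The same checks are what a mail gateway’s URL rewriting or a browser’s address bar do for the user automatically; the value of seeing them spelled out is that the visible text of a link proves nothing, only the destination does, which is the habit user training should instil.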
Another variant of the phishing scam is voice phishing, or vishing. This increasingly frequent social-engineering attack attempts to steal personal information by impersonating trusted entities over the phone. Typically, scammers set up pre-recorded messages informing people of an expired warranty, a problem with a tax return, an issue with Medicare or Social Security, and so on. This form of phishing has become more frequent in recent years because callers can spoof their caller ID and place massive numbers of calls cheaply.
One well-known example of a data breach that began with phishing is the attack on Sony Pictures in 2014. North Korean hackers targeted Sony in response to the release of the movie “The Interview”. Phishing messages carrying malware were sent to the company and its employees through social media and email, and the investigation indicated that the attackers gained their foothold in Sony’s network when an employee opened a malicious email attachment. From there the attackers stole confidential data and rendered thousands of PCs inoperable.
How to Protect Against Social Engineering Attacks
The first step in preventing social engineering attacks is awareness. If users do not know the threat exists, it is almost inevitable that at least one of them will fall for one of these scams. Teach users to recognise the signs: in the case of phishing, unsolicited emails, threats or a sense of urgency, suspicious attachments, links whose destination does not match the sender, and any request for credentials or personal information. USB drop attacks are another breach that can be avoided simply through user awareness, so stress the danger of introducing unknown devices to a network. Furthermore, make it easy for users to report suspected phishing, and never penalise them for reporting or for having clicked. Prompt reporting lets administrators block the sender and the linked site and warn other recipients before more users click, and the pattern of reports shows where security measures need improving.
Controlling what users can do with attachments and external devices is a reliable fail-safe against even the cleverest social engineering attack. Protected View in Microsoft Office is an example of a feature that blunts phishing attachments: files that arrive from the internet or from email are opened read-only in a sandboxed view that prevents macros and embedded content from executing on the user’s computer. Administrators can use policy settings to stop users from leaving Protected View for such files, which neutralises this vector of attack at a slight cost in convenience. Another measure available to administrators is a device-control policy that blocks removable storage altogether or allows only specific approved devices. In the previously mentioned case of Operation Buckshot Yankee, the Pentagon banned the use of USB drives outright in response to a worm that arrived on a rogue drive.
Brute Force Attacks
A brute force attack is the simplest form of credential attack: the attacker submits candidate passwords for an account until one works, either against a live login page (online) or against a stolen database of password hashes (offline). In other words, it is the cyber-equivalent of trying every key on a keyring to unlock a door. Once the password is cracked, attackers typically harvest the account’s data and any further credentials it holds and sell them on, or reuse the same password against the victim’s other accounts. Thankfully, the simple nature of this attack means that simple safeguards go a long way towards preventing it.
The most common variant of brute force attack is the dictionary attack. Rather than trying every possible string, the attacker picks a target username and runs a program through extensive lists of passwords that people actually choose. Password-cracking wordlists can be found through a simple Google search; one widely circulated list holds 1,493,677,782 entries and is described as containing “…every wordlist, dictionary, and password leak… every word in the Wikipedia databases… as well as lots of books from Project Gutenberg”. These lists are fed into tools such as John the Ripper (which cracks stolen password hashes offline) or Hydra (which tries logins against a live service). Cracking tools also apply “mangling rules” to each word, capitalising it, swapping digits for letters and appending numbers and symbols, so a list of a few thousand base words covers many millions of the passwords people derive from them.
The 2014 theft of celebrities’ private photos from iCloud is often cited as a brute force attack. At the time, Apple’s Find My iPhone login endpoint did not lock an account or throttle requests after repeated failed logins, and a proof-of-concept tool (iBrute) showed that a password list could be run against it without limit. Apple closed that gap within days and stated that the affected accounts had been compromised by a targeted attack on user names, passwords and security questions rather than by a breach of its systems; the prosecutions that followed showed that most of the credentials had in fact been obtained by phishing. The case nonetheless pushed the absence of login limits on a high-profile service into the mainstream spotlight, which is why it belongs in this section.
How to Protect Against Brute Force Attacks
Strong passwords are, above all, long: length does far more to defeat guessing than the presence of symbols and numbers, and current guidance (NIST SP 800-63B) favours long passphrases over forced complexity rules. Avoid common and easy-to-guess passwords, and avoid the predictable variants of them: substituting digits for letters in a common word (“p4ssw0rd123”) does not help, because cracking tools apply exactly these substitutions automatically. Additionally, users should use a different password for every account, so that a breach of one site (the leaked password lists above come from such breaches) cannot be replayed against the user’s other accounts.
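To make the point about “p4ssw0rd123” concrete, here is an added example (not code from the original article) of the dictionary attack with mangling rules described in the previous section, run against three constructed password hashes. The wordlist is a five-word stand-in for a leaked list, the leet map and suffix list are a small subset of what a real rule set applies, and unsalted SHA-256 stands in for a weak credential store; all of these are assumptions made for the example.

```python
import hashlib

# Constructed stand-in for a few lines of a leaked-password wordlist.
WORDLIST = ["password", "letmein", "summer", "dragon", "company"]

# A small subset of the substitutions a cracking rule set applies (assumed for the example).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}
SUFFIXES = ["", "!", "123", "2020", "2020!", "2021", "2021!"]


def hash_password(password):
    """Unsalted SHA-256, standing in for a weak credential store (assumed, not any real site)."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word):
    """Yield the variants a cracking rule set derives from one dictionary word."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = [word, word.capitalize(), word.upper(), leet, leet.capitalize()]
    seen = set()
    for base in bases:
        if base in seen:
            continue
        seen.add(base)
        for suffix in SUFFIXES:
            yield base + suffix
        for n in range(1000):          # plain numeric suffixes 0..999
            yield f"{base}{n}"


def dictionary_attack(target_hashes, wordlist=WORDLIST):
    """Try every mangled candidate against the target hashes.

    Returns (cracked, attempts): cracked maps hash -> recovered password.
    """
    remaining = set(target_hashes)
    cracked = {}
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            digest = hash_password(candidate)
            if digest in remaining:
                cracked[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return cracked, attempts
    return cracked, attempts


# Constructed targets: two "complex-looking" passwords and one long passphrase.
TARGETS = [hash_password("p4ssw0rd123"),
           hash_password("Summer2020!"),
           hash_password("correct battery staple violin")]

if __name__ == "__main__":
    cracked, attempts = dictionary_attack(TARGETS)
    for digest in TARGETS:
        print(digest[:12], "->", cracked.get(digest, "not cracked"))
    print("candidates tried:", attempts)
```

Both “complex” passwords fall within a few thousand candidates; the passphrase does not appear in any list and is not a mangling of one, so it survives. On the server side the other half of the defence is a deliberately slow, salted password hash (bcrypt, scrypt or Argon2) so that each of those candidates costs the attacker far more than a SHA-256 call.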
So how are we expected to remember all of these different, long passwords? This is where password managers come in. These dedicated apps generate and store a unique random password for every account, so the user only has to memorise one strong master passphrase (and should protect the manager itself with multi-factor authentication). There are many well-established password managers available to any user needing to bolster their password strength.
Multi-factor authentication, or MFA, is a security measure that requires users to present multiple pieces of evidence of their identity to log in to an account. Authentication factors fall into one of three categories: what you know (passwords or PINs), what you have (a phone, hardware token or access card) and what you are (fingerprints or facial recognition). MFA requires factors from at least two of these categories. A common example is a website sending a one-time code to a user’s phone after they have entered their username and password.
Although phone calls and text messages are a well-established way to deliver codes, they are now regarded as the least secure MFA methods. A code sent by SMS can be intercepted by an attacker who takes over the victim’s phone number (a “SIM swap”, usually achieved by social engineering the carrier) or who has access to the telephone network’s signalling, and any code the user reads off a screen can simply be phished: a fake login page asks for it and relays it to the real site within its validity window. A more secure alternative is a dedicated authenticator app. At enrolment the site shares a secret with the app, usually as a QR code; from then on the app computes a short-lived one-time code from that secret and the current time, so there is no message in transit to intercept, and the user submits the code to the site. Hardware security keys (FIDO2/WebAuthn) go further and resist phishing outright, because the key only answers for the site it was registered with.
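As an added example that is not part of the original article, the code below implements the time-based one-time code that authenticator apps compute (HOTP from RFC 4226, TOTP from RFC 6238, both using only the Python standard library) together with the server-side verifier. The verifier shows the two details that a naive implementation gets wrong: it accepts one neighbouring 30-second slot so that a phone whose clock has drifted still works, and it refuses to accept a slot it has already accepted, so a phished or shoulder-surfed code cannot be replayed. Nothing here is tied to any particular vendor’s app; the enrolment helper simply produces the base32 string such apps expect.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP with the counter taken from Unix time in `step`-second slots."""
    return hotp(secret, int(at) // step, digits)


def enrolment_secret(nbytes=20):
    """Fresh random seed for one user, plus its base32 form as authenticator apps read it from a QR code."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode()


class TotpVerifier:
    """Server-side check: tolerate `window` slots of clock drift, never accept the same slot twice."""

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self._last_slot = {}   # user -> last time slot that produced an accepted code

    def verify(self, user, secret, code, at=None):
        at = time.time() if at is None else at
        slot = int(at) // self.step
        for candidate in range(slot - self.window, slot + self.window + 1):
            # A replayed code is rejected even if it is still inside the drift window.
            if candidate <= self._last_slot.get(user, -1):
                continue
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self._last_slot[user] = candidate
                return True
        return False


if __name__ == "__main__":
    raw, b32 = enrolment_secret()
    print("secret to show the app as a QR code:", b32)
    print("code valid right now:", totp(raw, time.time()))
```

The test values are the published RFC 6238 vectors (secret `12345678901234567890`), so the arithmetic can be checked against the standard rather than against this code. Note what the verifier cannot do: it still accepts a valid code that the user typed into a phishing page moments ago, which is exactly the gap that FIDO2 security keys close.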
CAPTCHAs and Login Limits
Security features such as CAPTCHAs and login limits are precautions that systems administrators can implement to slow down, and often completely discourage, brute force attacks. CAPTCHAs are automated tests, usually placed on login pages, that deter scripts and bots from submitting login attempts. Login limits lock an account after a certain number of unsuccessful attempts, and administrators can add a growing delay between failed attempts to slow cracking software further. Two caveats apply. A lockout that is tracked only per account lets an attacker lock legitimate users out of their own accounts simply by failing logins on purpose, so failures should also be counted per source address and lockouts kept short. And credential-stuffing attacks spread their attempts across many accounts and many source addresses, so a counter on a single account never sees them; the CAPTCHA and rate limits on the login endpoint as a whole are what catch those. Attackers looking for easy targets will usually move on when they meet this combination of controls.
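Here is an added example (not code from the original article) of a login limiter that combines the controls above: a CAPTCHA requirement and a doubling back-off delay after a few failures, a short lockout after many, and counters kept both per account and per source IP so that one attacker cannot lock everyone else out and cannot escape by switching usernames. Time is passed in explicitly rather than read from the clock, which keeps the behaviour deterministic; the limits in the usage below are assumptions chosen to make the example readable.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Throttle and lock out repeated failed logins, tracked per account and per source IP.

    - after `soft_limit` failures: require a CAPTCHA and impose a back-off delay that
      doubles with every further failure (capped at `max_delay`)
    - after `hard_limit` failures: refuse attempts for `lockout_seconds`
    - failures older than `window_seconds` are forgotten
    """

    def __init__(self, soft_limit=3, hard_limit=10, lockout_seconds=900,
                 base_delay=1.0, max_delay=60.0, window_seconds=3600):
        self.soft_limit, self.hard_limit = soft_limit, hard_limit
        self.lockout, self.base_delay, self.max_delay = lockout_seconds, base_delay, max_delay
        self.window = window_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._next_allowed = {}               # key -> earliest time another attempt is processed

    @staticmethod
    def _keys(account, ip):
        return (("account", account), ("ip", ip))

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def check(self, account, ip, now):
        """Decide whether a login attempt at time `now` should be processed at all."""
        decision = {"allowed": True, "captcha": False, "retry_after": 0.0, "reason": "ok"}
        for key in self._keys(account, ip):
            failures = self._recent_failures(key, now)
            wait = self._next_allowed.get(key, 0.0) - now
            if wait > 0:
                decision["allowed"] = False
                decision["retry_after"] = max(decision["retry_after"], wait)
                decision["reason"] = "locked out" if failures >= self.hard_limit else "back-off"
            if failures >= self.soft_limit:
                decision["captcha"] = True
        return decision

    def record_failure(self, account, ip, now):
        for key in self._keys(account, ip):
            self._failures[key].append(now)
            failures = self._recent_failures(key, now)
            if failures >= self.hard_limit:
                self._next_allowed[key] = now + self.lockout
            elif failures >= self.soft_limit:
                delay = min(self.base_delay * 2 ** (failures - self.soft_limit), self.max_delay)
                self._next_allowed[key] = now + delay

    def record_success(self, account, ip, now):
        # A correct password clears the account's counters. The IP counters are kept on
        # purpose: one success does not mean that address has stopped guessing other accounts.
        self._failures.pop(("account", account), None)
        self._next_allowed.pop(("account", account), None)


if __name__ == "__main__":
    guard = LoginGuard(soft_limit=3, hard_limit=6, lockout_seconds=600)
    t = 1000.0
    for i in range(6):
        guard.record_failure("alice", "10.0.0.1", t + 3 * i)
    print(guard.check("alice", "10.0.0.1", t + 20))   # locked out, with retry_after
    print(guard.check("bob", "10.0.0.1", t + 20))     # same IP: also refused
    print(guard.check("bob", "10.0.0.2", t + 20))     # elsewhere: fine
```

In production the counters would live in a shared store such as Redis rather than in process memory, and the “locked out” reason should be reported to the user identically for existing and non-existent accounts so the limiter does not become a username oracle.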
Distributed Denial of Service Attack (DDoS)
A distributed denial of service attack is a cyberattack that attempts to disrupt the traffic of a network by overwhelming it with an unexpected flood of requests. Typically attackers establish networks of infected systems and use them to consume network resources and create widespread outages. Users attempting to access a service or website affected by a DDoS attack will be met with significantly slower response times or even a complete outage.
A very recent case of a disruptive DDoS attack is that of Bandwidth, a VoIP provider. In September 2021, an extortion group conducted DDoS attacks against multiple VoIP providers while demanding a ransom to stop. These providers suffered significant service interruptions: users could not reach the provider’s website, and their phone calls were afflicted with drops and low quality.
The largest DDoS attack publicly reported at the time of writing happened in September 2017, when a state-sponsored group used the networks of four Chinese internet service providers to flood Google’s systems with requests. The campaign ran for over six months and peaked at 2.5 Tbps, that is, 2.5 trillion bits per second of traffic; Google did not disclose it until October 2020.
How to Protect Against DDoS Attacks
Don’t be fooled by these high-profile cases: small businesses are also targets, since they often neglect to dedicate resources to DDoS protection. The key to mitigating these attacks is implementing basic protection and maintaining redundancy. Many floods are reflection attacks, in which the attacker sends forged requests to open DNS resolvers (or other UDP services) so that their much larger responses land on the victim, or simple ICMP (ping) floods; a network firewall can be configured to drop unsolicited DNS responses and to rate-limit ping requests, which removes those vectors without touching legitimate traffic. System administrators should also check whether their web host offers server-level DDoS mitigation. Establish redundancy by leveraging a cloud-based DDoS mitigation service or a content delivery network. Such a service effectively raises the bar an attacker has to clear, because its bandwidth far exceeds what a single business could provision, so only the most severe attacks get through. A content delivery network, or CDN, serves content from many edge servers at once, so traffic aimed at one location is absorbed and filtered across the whole network rather than taking the origin server down.
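As an added example that is not part of the original article, the script below runs the two detections just described over a constructed set of packet summaries: DNS responses that match no query the protected host sent (the signature of a reflection attack) and a burst of ICMP echo requests above a packets-per-second threshold. It then turns the findings into drop rules. The addresses, the traffic and the rule wording (written in nftables style) are all assumptions for the example; check the syntax against whatever firewall you actually run. Tracking outbound queries is what lets the DNS rule be per-source rather than a blanket block on UDP port 53, which would also kill replies to the host’s own lookups.

```python
from collections import Counter, defaultdict

# Constructed packet summaries: (time, src, dst, proto, sport, dport, bytes).
# 203.0.113.10 is the protected web server, 203.0.113.53 its own resolver;
# 192.0.2.0/24 plays open resolvers used as reflectors, 198.51.100.0/24 a botnet.
PACKETS = [
    (0.0, "203.0.113.10", "203.0.113.53", "udp", 40001, 53, 64),     # our DNS query
    (0.1, "203.0.113.53", "203.0.113.10", "udp", 53, 40001, 128),    # its legitimate answer
]
for i in range(40):   # large DNS "answers" we never asked for: reflection/amplification
    PACKETS.append((1.0 + i * 0.01, f"192.0.2.{i % 20 + 1}", "203.0.113.10", "udp", 53, 40001, 3000))
for i in range(200):  # 200 pings in under a second from 200 different hosts
    PACKETS.append((2.0 + i * 0.004, f"198.51.100.{i % 250 + 1}", "203.0.113.10", "icmp", 0, 0, 64))
for i in range(20):   # ordinary HTTPS visitors
    PACKETS.append((3.0 + i * 0.05, f"192.0.2.{200 + i}", "203.0.113.10", "tcp", 50000 + i, 443, 500))


def unsolicited_dns_responses(packets, query_ttl=5.0):
    """Count DNS responses per source that match no query we sent within the last `query_ttl` seconds."""
    queries = {}              # (our host, resolver, our source port) -> time the query went out
    hits, volume = Counter(), Counter()
    for t, src, dst, proto, sport, dport, size in packets:
        if proto != "udp":
            continue
        if dport == 53:
            queries[(src, dst, sport)] = t
        elif sport == 53:
            sent = queries.get((dst, src, dport))
            if sent is None or t - sent > query_ttl:
                hits[src] += 1
                volume[src] += size
    return hits, volume


def flood_sources(packets, proto, pps_threshold):
    """Find (destination, second) buckets where `proto` packets exceed pps_threshold.

    Returns {(dst, second): sorted source addresses seen in that bucket}.
    """
    buckets = defaultdict(list)
    for t, src, dst, p, *_ in packets:
        if p == proto:
            buckets[(dst, int(t))].append(src)
    return {key: sorted(set(srcs)) for key, srcs in buckets.items() if len(srcs) > pps_threshold}


def suggest_rules(packets, min_dns_hits=2, icmp_pps=100):
    """Turn detections into firewall drop rules (nftables-style wording, assumed; adapt to your firewall)."""
    rules = []
    hits, _ = unsolicited_dns_responses(packets)
    for src in sorted(hits):
        if hits[src] >= min_dns_hits:
            # Per source, so answers to our own resolver queries keep flowing.
            rules.append(f"ip saddr {src} udp sport 53 drop")
    if flood_sources(packets, "icmp", icmp_pps):
        rules.append(f"icmp type echo-request limit rate over {icmp_pps}/second drop")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(PACKETS):
        print(rule)
```

This kind of local filtering only helps while the flood is smaller than the upstream link; once the link itself is saturated, dropping packets on your side of it changes nothing, which is the point of the cloud-based absorption the paragraph above recommends.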
Malware
Malware can be defined as any program or file that is intentionally designed to damage a computer or gain unauthorised access to it. Ransomware alone is estimated to have caused $20 billion in global damage in 2020. As previously mentioned, the growth of cryptocurrency as a means of moving money anonymously has increased the incentive for attackers to compromise systems, harvest information to sell and extort ransoms. Consequently, educating users on the different types of malware and on how to safeguard their systems will be a continuous process as the technology on both sides advances.
Viruses and Worms
These two types of malware are similar in that their main purpose is to cause damage and disruption, and both are designed to self-replicate and spread as quickly as possible. A virus attaches itself to a file or program and runs when that host is opened; it can corrupt files and overwrite data, causing frequent crashes and significantly reduced performance, and more complex viruses use an infected system to send spam that carries the infection further. A worm needs no such help from the user: it spreads on its own by exploiting vulnerable network services or mailing itself to contacts, saturating a network’s bandwidth and damaging files along the way.
In 2004, a computer worm named “Mydoom” caused an estimated $52.2 billion in damage (inflation-adjusted) and is still circulating today. The worm spread by mailing itself to the address books of infected users, and infected systems were used to conduct DDoS attacks against software companies. Even 17 years after its creation, “Mydoom” still sends out an estimated 1.2 billion copies of itself per year.
Spyware
Spyware is malware specifically designed to collect information about a user. Once a system is infected with spyware, the operator can monitor all of the user’s activity on the computer. The data collected includes login credentials, banking and credit card information, browsing habits and address lists. In 2019, Kaspersky found more than 500,000 cases of spyware present on user systems in the first eight months of the year.
Adware
This category of malware fills a user’s screen and browser with unwanted advertisements and potentially harmful browser extensions. Once infected with adware, users can expect to see large numbers of advertisements while browsing the internet. Furthermore, new toolbars and plugins are installed in the browser without permission, and browser performance can slow to the point of being unusable.
Ransomware
The primary goal of a ransomware attack is to extort money from a victim by holding their computer systems and data “hostage”. Once a system is infected, the ransomware encrypts its files, and the attacker then demands a ransom in exchange for the key needed to regain access. Most ransomware crews now also steal the data before encrypting it and threaten to publish it, so that a victim with good backups can still be pressured into paying. More easily accessible ways to collect payment anonymously have resulted in a significant uptick in ransomware cases.
In September 2020, an ambulance carrying a woman suffering from an aortic aneurysm was turned away from Düsseldorf University Hospital because the hospital’s systems were crippled by ransomware. Her treatment was delayed by about an hour while she was taken to another city, and she died shortly afterwards. The incident was widely reported as the first possible death caused by ransomware, although the subsequent investigation by German prosecutors concluded that her condition was so severe that the delay could not be shown to have caused her death.
A particularly costly example of ransomware can be seen in the case of CWT in 2020. The travel management firm had files stolen and more than 30,000 computers were disabled. After extensive negotiation, CWT agreed to pay the hackers 414 bitcoin, which at the time converted to around $4.5 million.
How to Protect Against Malware
Install Antivirus Software
Modern antivirus and endpoint detection software stops most known malware variants: it blocks harmful files from executing on a user’s system and scans the system for existing infections. Some products also filter spam and block malicious advertisements, which reduces those vectors of attack. No product catches everything, however, which is why the measures below still matter.
Keep Software Updated
Keeping software up to date ensures that users are running the version of a program that has the latest security fixes. Developers regularly push out patches in response to vulnerabilities, and attackers regularly scan for systems that have not applied them, so enabling automatic updates is one of the easiest ways to bolster overall system security.
Backup Your Data
Making regular backups of data significantly diminishes the impact of a ransomware attack: a company with current backups can restore its data instead of paying. Two conditions matter. The backups must be stored where an intruder on the main network cannot reach them, since ransomware operators routinely delete or encrypt any backup they can find before triggering the encryption; offline media and immutable, write-once cloud storage both serve. And restores must be tested regularly, because a backup that has never been restored is an assumption, not a plan.
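The following is an added example, not code from the original article, of one check that belongs in such a backup routine: a manifest of file hashes, signed with a key that is kept off the main network, so that a restore can first confirm that the backup set was neither encrypted in place by ransomware nor quietly altered. The `demo()` function builds a small tree in a temporary directory, takes the manifest, then simulates both an encrypted file and an attacker editing the manifest. The key value is an assumption for the example; in practice it would live on the backup host or in an offline vault.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumed for the example: this key lives on the backup host / in an offline vault, never on
# the file server, so an intruder who can rewrite the backups cannot also re-sign the manifest.
MANIFEST_KEY = b"assumed-offline-manifest-key"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under `root` (by relative path) and sign the listing."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = sha256_file(full)
    body = json.dumps(entries, sort_keys=True).encode()   # canonical form, so the HMAC is stable
    return {"files": entries, "hmac": hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()}


def verify_backup(root, manifest):
    """Check the manifest signature first, then every file. Returns (signature_ok, problems)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest signature mismatch: the listing itself has been altered"]
    problems = []
    for rel, digest in manifest["files"].items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            problems.append(f"modified: {rel}")
    return True, problems


def demo():
    """Constructed scenario: back up a tree, then simulate ransomware and manifest tampering."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "ledger.csv"), "w") as f:
            f.write("2021-01-01,invoice,1200\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("quarterly backup\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        with open(os.path.join(root, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))                    # "encrypted" in place
        after_ransomware = verify_backup(root, manifest)
        manifest["files"]["readme.txt"] = "0" * 64     # attacker edits the listing
        tampered = verify_backup(root, manifest)
    return clean, after_ransomware, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "after ransomware", "manifest tampered"), demo()):
        print(label, "->", result)
```

The manifest answers “is this backup intact?”; it does not answer “can we actually restore from it?”, which only a rehearsed restore onto real hardware does.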
As is the case with all things regarding security, user awareness is a fundamental aspect of protecting assets against a breach. In essence, users and system administrators can never be too careful when interacting with files from an unknown source. This precaution alone will protect against the majority of social engineering attacks. Today’s technological climate also requires that system administrators implement robust security measures, including, but not limited to, antivirus software, multi-factor authentication, and a regular back-up schedule. Avoid becoming a statistic; analyze your security framework and take steps to protect your data, customers, and finances.