May 2024

Blog

Social engineering: 11 tips to avoid the risk

By Helen C

Imagine your business has had a cyber leak and you have lost the data of nearly 70,000 customers, exposing them to the risk of social engineering. The cause is most likely human error, and the hole in your security system has been ominously lurking, unchecked, in cyber space, waiting for the moment when an opportunistic cyber criminal will attack.

Case Study: Welsh Rugby Union

That is exactly what happened to the Welsh Rugby Union (WRU) this week, who allegedly had a hole in their security system which was exposed by cyber criminals. The hole was a publicly accessible Amazon Web Services (AWS) Simple Storage Service (S3) bucket. An S3 bucket is locked and private by default, but it can be made publicly accessible with little prompting from the platform about what is being changed or the impact the change could have. Misconfiguring the settings on an account, often a human error resulting from an absent-minded click or uncertainty about what to click, creates holes in cyber security which can then be exploited. Data suggests that 95% of all data breaches result from human error, but investigations are still underway into the cause of this hole in the WRU’s security.

Reports suggested that the exposed information comprised 1419 text files holding the personal details of 69,317 of the WRU’s members. These are the fans who have subscribed to the WRU, who support and maintain the Union by purchasing memberships which provide perks such as exclusive content and priority tickets for matches.

Inconvenient timing

In a discussion two weeks ago with BBC Wales Scrum V about the state of the sport this season, former Wales centre Tom Shanklin stated: “We have to be careful at the moment otherwise we are going to have fans turning away from watching rugby and they are going to be finding another sport.”

With a string of defeats under their belt, the timing of the WRU cyber attack could not be worse. That is the problem with a cyber attack, though: you never know when it will happen, and the impact it can have on a business can be catastrophic.

What can happen to a business?

The loss of sensitive information to cyber criminals can impact a business in the following ways:

Loss of sales
Loss of customer faith
Loss of customers
Long and short-term damage to reputation
Negative feedback across social media and media channels, which can be difficult to manage
ICO fines
Business closure

Although business closure is an extreme outcome, it is possible if fines are imposed and consumers lose complete faith in the business. The average cost of a cyber-attack in the last year is estimated to be £1,100 for a small business and £4,960 for a medium or large business.

Imagine having to release a statement to your customers to reassure them that their data is now safe, to mitigate the damage of a cyber-attack. The WRU statement said: “No other vulnerabilities or suspicious activities have been found in WRU systems after a thorough review of all systems and processes.”

As a business, it is better to follow procedures and keep data secure through regular reviews and by having good cyber security protocols and tools in place to protect the confidential data you hold. The importance of good cyber hygiene cannot be emphasised enough. Offering reassurance to customers that their data is now safe is positive, but the customers whose data has been stolen could now be facing cyber security threats of their own.

Although there are many different types of cyber-attack which could occur following a data breach, in this situation members of the WRU are most likely to be facing the threat of social engineering.

What is social engineering?

Social engineering is a manipulative tactic used by cyber criminals to exploit people in a non-technical way. Attackers trick people into performing tasks, such as transferring money from their bank account, by conning them into believing they are talking to someone they can trust, such as a bank manager or even a friend. People are duped into breaking their own security practices during this kind of attack, which plays on psychology and human emotion.

The types of data leaked in the WRU attack included email addresses, phone numbers, names and dates of birth: personal information which cyber criminals could use to convince unsuspecting victims that they are legitimate. Effectively modern-day con artists, attackers armed with confidential personal information can successfully dupe people into opening emails containing malware, con them into sending money, or even get them to divulge confidential business information. The key danger of social engineering is that it enables an attacker to gain legitimate, authorised access to confidential information by employing tactics which play on human emotion.

To click or not to click: would these emails fool you?

Social engineering attacks are designed to be compelling and draw you in. Let’s look at a few examples of what may be used to emotionally grab your attention and call you to action.

An email from the boss

You could receive an email from your boss asking for information which you know should not be shared. The request seems uncharacteristic but looks legitimate. You may be asked not to follow protocol, and the chances are that if you think it is from the boss you will feel emotionally compelled to do what is asked in order to retain job security.

An urgent call for help

An old friend needs money for a treatment which is not provided on the NHS. You were once close but have lost touch, and you did know this person. Out of kindness you act and provide bank details to an account you are directed to, but in reality this is not a friend but a criminal.

A trusted business who email you often

You often interact with this business and
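A check for the misconfiguration described above, written here as an added example (not code from the original post or from AWS): it reads a bucket's Block Public Access settings and bucket policy in the shape the GetPublicAccessBlock and GetBucketPolicy APIs return them, reports whether the weak configuration leaves the bucket open to anyone, and shows the corrected configuration beside it. The bucket name, account id and policy are constructed for the example.

```python
"""Assess whether an S3 bucket is exposed to the public.

Added example, not from the original post: it evaluates the two controls
that decide exposure, the Block Public Access settings and the bucket
policy, using constructed sample documents shaped like the JSON that
GetPublicAccessBlock and GetBucketPolicy return. No AWS calls are made.
"""
import json

# The four Block Public Access flags; all four should be on for a private bucket.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True if a policy Principal grants access to everyone, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Return the Sids of unconditional Allow statements open to any principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be given un-listed
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):  # a Condition usually narrows the grant
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def missing_bpa_flags(pab):
    """Return the Block Public Access flags that are off or absent."""
    return [flag for flag in BPA_FLAGS if not pab.get(flag, False)]


def assess_bucket(pab, policy):
    """Combine both controls into one verdict plus the reasons behind it."""
    gaps = missing_bpa_flags(pab)
    exposed = public_statements(policy)
    # RestrictPublicBuckets overrides a public policy, so the bucket is only
    # actually public when an open statement exists and that flag is off.
    return {"public": bool(exposed) and "RestrictPublicBuckets" in gaps,
            "missing_flags": gaps, "public_statements": exposed}


# Constructed sample policy: one statement lets anyone read and list the
# bucket, the other grants a single IAM role in the account write access.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "UploaderWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Weak setting: two flags left off, the kind of state an absent-minded click leaves.
WEAK_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
# Corrected setting: all four flags on, so the same policy exposes nothing.
HARDENED_PAB = {flag: True for flag in BPA_FLAGS}
```

Run `assess_bucket(WEAK_PAB, SAMPLE_POLICY)` to see the public verdict with the PublicRead statement and the two missing flags, and the same call with `HARDENED_PAB` to see the verdict flip to private without the policy changing.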


Phishing: a dive into the world of cyber-attacks

By Helen C & David Bloxberg

Whether you are a person fishing for the animal as a hobby or a criminal phishing to steal data from your next victim, these two very different activities share one common tool – a hook. A literal hook catches the fish, but an emotional hook is usually what entices a person to respond to a phishing cyber-attack. Here, we take a detailed look into phishing to provide your business with the information it needs to defend itself.

Introduction

Phishing is a cyber-crime in which individuals are approached through email, websites, phone calls, or text messages by hackers claiming to represent legitimate organizations. The aim is to deceive individuals into divulging private information, including personally identifiable information (PII), protected health information (PHI), banking and credit card details, passwords, and other confidential data. The term itself is a homophone of “fishing,” hinting at the tactic of baiting individuals into exposing their private data, mirroring the act of waiting for a fish to bite when bait is placed on a hook. This deceptive practice is a significant threat in the digital world: it is a type of cyber-crime which uses the vast reach of the internet to exploit human vulnerabilities across the world.

History

Phishing has been around since the early 1990s, coinciding with the rise of the internet. Initially, attackers targeted AOL users in a famous phishing attack from 1995, tricking them into divulging their login credentials. These early attempts were relatively straightforward, often involving direct messages requesting users to verify their accounts or confirm their passwords. As phishing techniques advanced, the sophistication of these attacks significantly increased. A notable example of this evolution is the 2020 Colonial Pipeline attack. Here, attackers used a compromised password to access the network, leading to massive disruptions in fuel supply across the Eastern United States. This incident illustrates the shift from simple deceptive messages to complex, multi-layered cyber-attacks that exploit both technological vulnerabilities and human error. This progression from the primitive phishing scams of the 1990s to today’s highly elaborate schemes highlights the adaptability and persistence of cyber criminals in exploiting new technologies and human psychology.

In today’s digital age, understanding phishing is crucial for two key reasons. Firstly, the internet has become part of nearly every aspect of day-to-day life. The inescapable nature of the internet, combined with the proliferation of digital transactions, makes individuals and organizations perpetually vulnerable to these attacks. Secondly, a successful phishing attack’s financial and reputational damage to a business can be devastating.

Understanding How Phishing Works

Phishing is a digital deception technique cyber criminals use to fool people into divulging sensitive information. It is effective because the lies are carefully crafted, believable requests or alerts that appear to come from trusted sources. Personal data can be used for identity theft, unauthorized transactions, or even sold on the dark web. For organizations, the stakes are equally high, with potential losses running into millions and severe damage to customer trust. Therefore, awareness and education on the nature of phishing attacks, their indicators, and prevention strategies are vital components in safeguarding both personal and organisational assets in the digital landscape.

Who Are the Targets?

Initially, phishing scams cast a wide net, targeting the general internet population. In England and Wales, data provided by the National Office of Statistics shows that those aged 25 to 44 are most likely to be affected. However, as techniques have evolved, so has the specificity of targeting. Today, anyone can be a target, from individual internet users to employees at any business. Specific campaigns, known as spear phishing, target high-value individuals or employees with access to sensitive corporate data. Larger-scale campaigns may aim to collect data from as many individuals as possible or install malware for various malicious purposes. The New Future of Work Report published by Microsoft stated that security professionals had found a 62% rise in phishing campaigns over any other type of attack.

Why Are Attacks Successful?

Phishing scams leverage social engineering to exploit human psychology; in other words, they appeal to our human nature to get a response. They often create a sense of urgency, fear, or curiosity to prompt immediate action. Official logos, familiar layouts, and language mimicking legitimate organizations add to their believability. This psychological manipulation makes it challenging for individuals to distinguish phishing attempts from genuine communications, leading to high success rates for attackers.

For cyber criminals, phishing is a low-risk, high-reward activity. Compared to other cyber-crimes, it requires minimal investment but has the potential for significant financial gain or access to valuable information. Phishing can also serve as a stepping stone for more complex attacks, including those on corporate networks or government agencies, by enabling the installation of malicious software or the theft of credentials.

The Evolution of Phishing with AI

The integration of Artificial Intelligence (AI) into phishing schemes marks a significant evolution in cyber-crime. AI algorithms can automate the creation of phishing emails, phone calls or messages, making them more personalized and more challenging to detect. These algorithms sift through extensive data sets to pinpoint the phishing tactics most likely to provoke a response. Furthermore, AI can help create more convincing fake websites and mimic human behaviour in chatbots or emails, increasing the sophistication of attacks. This evolution underscores the need for advanced detection systems and heightened awareness among businesses and individuals. Understanding the dynamics of phishing scams is crucial in developing effective countermeasures. As these scams become more sophisticated with AI, the importance of staying informed and vigilant cannot be overstated.

Different Types of Phishing Attack

Email Phishing

Email phishing is the quintessential model of phishing attack, notorious for its wide net and simplicity of execution. This method involves sending out large quantities of fraudulent emails, targeting a broad audience without discrimination. The success of email phishing hinges on a numbers game; even a tiny fraction of recipients succumbing to the scam can lead to substantial data breaches or financial benefits for the attackers.

Example of a phishing email


What is a ransomware attack?

By David Bloxberg and Helen C.

There are many types of cyber-attack, but ransomware attacks make up 10% of all security breaches in 2024. A ransomware attack can be devastating to a business, with the consequences reverberating through businesses for months, even years. In 2023, organisations around the world detected a staggering 317.59 million ransomware attack attempts, and the UK had the second highest number of targeted ransomware attacks at over 71 million. With figures like that, it is an important topic to understand and discuss.

What is a ransomware attack?

Ransomware is a type of malware used by cyber criminals which prevents the rightful user from being able to access their own data. Having locked the user out by encrypting the data, the criminal holds the rightful owner to ransom for access to their data again. Often, the ransom comes with a deadline, and the sums of money asked for can be crippling to individuals and businesses alike. This type of attack poses a daunting prospect and is a threat that should be taken seriously.

Is this a cyber-threat my business should worry about?

Ransomware, now exacerbated by the advancement of technology using Artificial Intelligence (AI), stands as a critical threat in the modern digital environment. It impacts individuals, corporations, and governmental bodies globally. This sophisticated malware is engineered to breach computer networks and encrypt files, databases, and even entire systems, denying access to legitimate users. The involvement of AI in ransomware attacks serves to escalate the complexity of recovering from this type of breach.

How serious is a ransomware attack?

Some ransomware has become increasingly sophisticated, making it increasingly difficult to prevent and counteract. Using a diverse range of infection routes, including phishing emails and malicious attachments, and exploiting security vulnerabilities, ransomware attacks are a brutal breach of your cyber security. The aftermath of a ransomware attack can be catastrophic, leading to critical data breaches, substantial financial losses, and severe reputational damage. As ransomware evolves, it becomes imperative for organizations and individuals to prioritize preventive measures, such as regular data backups, software updates, and comprehensive security training, to mitigate the risks of these harmful cyber-attacks. Being aware of the process of a ransomware attack is crucial to understanding why prevention is the best option for your business.

Stages of a Ransomware Attack: From Infiltration to Recovery

Understanding the various stages of a ransomware attack is crucial for prevention and effective response.

1: Initial Infiltration Stage: Before encryption, the ransomware must first access the system. This often occurs through phishing emails, by exploiting software vulnerabilities, or via malicious downloads. Understanding the initial infiltration stage is crucial, as this is the point where you can still stop the attack.

2: Installation Stage: After infiltration, the ransomware installs itself on the system. During this phase, it may also attempt to spread to other connected systems or networks, increasing its impact.

3: Data Harvesting Stage: Some advanced ransomware variants extract sensitive data from the infected system before encrypting it. This stage adds a layer of complexity, as attackers can threaten data leaks as well as encryption.

4: Lockdown Stage: Post-encryption, some ransomware variants display a ransom note or lock the user’s screen, making it evident that an attack has occurred and providing instructions for payment.

5: Communication Stage: If the victim engages, this stage involves communication between the attacker and victim, usually anonymously, about payment and decryption. This stage is emotionally draining for the victim and leads to a serious dilemma – pay and communicate, or don’t.

6: Disclaimer and Decision Stage: Choosing to pay the ransom offers no guarantee of data recovery. In the UK, the National Cyber Security Centre (NCSC) notes that law enforcement does not endorse this choice: it can lead to further attacks, it means you are funding cyber-crime, and data recovery is not guaranteed. Paying might encourage further criminal activity, while refusing to pay can lead to permanent data loss or public exposure of sensitive information.

7: Decryption Stage (Conditional): If the ransom is paid and the attacker is willing to provide a decryption key, this stage involves decrypting the locked files. This task alone can be technically challenging, and your computer is likely to still be infected with the malware.

8: Post-Attack Analysis and Recovery Stage: This stage consists of assessing the damage, removing the ransomware, restoring data from backups if available, and implementing measures to prevent future attacks. This stage occurs whether you choose to pay the ransom or not.

9: Reporting and Legal Follow-Up Stage: In cases where people are put at high risk, there is a regulatory requirement to report the attack to the Information Commissioner’s Office (ICO). The NCSC should also be informed, as they will be able to provide support and incident response to help mitigate the impacts, while also learning cyber security lessons to help other businesses in the future.

The Financial Impact of Ransomware

The financial repercussions of ransomware in 2023 were profound and widespread, significantly impacting businesses and economies. With 59% of businesses affected by ransomware globally and the cost of a ransomware attack increasing by 500%, from $400,000 to $2 million, this year alone, a ransomware attack can financially cripple a business. This substantial increase in incidents signifies a growing boldness and sophistication amongst the cyber criminals orchestrating these attacks. Cyber security has never been so important.

The need for adequate ransomware protection is critical for all businesses, not just large organizations. Ransomware poses a significant threat to small and medium-sized enterprises (SMEs). Specific industries have been disproportionately affected by ransomware, with the healthcare sector being a notable example. This critical industry has suffered losses exceeding $7.8 billion due to operational downtime caused by ransomware attacks. Such figures underscore the sector’s vulnerability and the severe consequences that ransomware can have on essential services and patient care.

Case Study: The impact of ransomware on the NHS

In May 2017, WannaCry ransomware, a type of ransomware known as a cryptoworm, infected computers running the Microsoft Windows operating system. Spreading autonomously between computers, encrypting data and demanding Bitcoin ransoms, this attack


Easy to hack passwords banned in the UK

By Helen C.

May 2024

Passwords are the frontline of defence for most people when protecting their data online, and there is now a new law in the UK which bans people from having certain easy to hack passwords. New laws came into effect this week in a significant step to protect consumers from the soaring number of cyber-attacks that are affecting both businesses and individuals. It is now mandated that internet-connected smart devices must meet minimum security requirements which are set out in the new laws.

What do passwords do?

Passwords can be thought of as house keys: the password is the key and the information is our house. The key lets you in and is unique to your house; it won’t let you into next door’s house, just as a password only opens the account it belongs to. If you give your key to someone or you lose it, then your house is not secure and other people can gain access.

Passwords are the gatekeepers to our information, and it is vital that they are strong. All a hacker needs to get in is your account name and a password. Your account name is usually an email address or your name, so it is vital that your password is secure enough to protect your data. When a data breach happens in a business, often what is stolen is a huge list of email addresses, which means that cyber criminals are one step closer to your information; that is one of the reasons the government has changed the legislation.

The 5 most common passwords used by businesses in the UK

NordPass have been keeping track of the password habits of business executives across several levels of management, revealing that the top 5 passwords are:

1: 123456
2: password
3: 12345
4: 123456789
5: qwerty

Alarmingly, these passwords can often take hackers less than a minute to crack. Is your password on the list?

The need for this legislation is clear, and the government has pledged £2.6 billion as part of the wider National Cyber Strategy, which aims to protect and promote UK national interests in cyberspace and online. In today’s world, where smart devices are owned by nearly 99% of UK adults and the average UK home has 9 connected smart devices, this legislation is a crucial step forward in cyber security.

Speaking about the impact of the new law, Minister for Cyber, Viscount Camrose said: “From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe.”

A world-first

The UK is the first country in the world to introduce these laws, which mean that all internet-enabled devices, including phones, games consoles and even fridges, must meet legally required standards to protect consumers from hacking and cyber-attacks. Data and Digital Infrastructure Minister Julia Lopez said: “Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”

In a recent Which? investigation, they found that a home filled with smart devices could be facing over 12,000 hacking attacks in just one week. They also discovered that across just five devices in 1 week, 2,684 attempts were made to guess weak and default passwords. This means that the average UK home faces 4,697 attempts to guess weak and default passwords a week. That is 20,409 attempts in a year.

Strong passwords should form an integral part of any cyber security strategy, and the changes made on Monday not only recognise this but have brought into law the need for strong passwords. Hopefully this will highlight the importance of strong passwords across all devices, whether mandated in law or not. It is essential that strong passwords are always used to keep your data secure.

What makes a strong password?

Lots is written on this, and there is a lot of guidance floating around the web about what makes a strong password, so let’s keep it simple. Your password should be unguessable and random, with no identifiable information that could be found easily on the web or guessed after a quick glance at a social media page. We recommend a minimum of 20 characters, using upper and lower case letters, symbols and numbers, but the longer and more random it is, the more secure it will be. Aim for something that does not read like standard English and that you wouldn’t find in a dictionary.

Good password example: P9*joo&Ghj^rdf£40slE3JH
Bad password example: Panda

Always create a new password for each site you use. Lots of random, unique passwords, like the good password example above, are essential. Never re-use the same password across multiple sites. Change your password frequently, and more frequently when you are using a site which contains more sensitive or personal data, such as a bank. Never keep your password on a piece of paper or somewhere it can be easily accessed by others, and don’t share it.

These steps will help you to create a strong password, but we recommend a multi-faceted approach to using passwords to keep your data safe and
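The rules set out above, turned into a checker as an added example (not code from the original post): it applies the 20-character minimum, the four character classes, the NordPass top-5 list quoted above, and additionally flags keyboard-row or counting runs such as “qwerty” and “123456” so that simply padding a common password past 20 characters does not pass. A dictionary check is out of scope here.

```python
"""Check a candidate password against the guidance in the post above.

Added example, not from the original post. Rules applied: at least 20
characters; upper and lower case, numbers and symbols; nothing from the
NordPass top-5 list quoted in the post; no keyboard-row or counting
runs; no long repeats of a single character.
"""

# The five passwords quoted in the post.
COMMON_PASSWORDS = {"123456", "password", "12345", "123456789", "qwerty"}

# Rows a guessing wordlist walks along; any 4-character run from these is flagged.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive keyboard-row or digit characters,
    in either direction (so both "qwer" and "rewq" are caught)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def has_repeat(pw, run=4):
    """True if any single character appears `run` or more times in a row."""
    return any(pw[i:i + run] == pw[i] * run for i in range(len(pw) - run + 1))


def evaluate(pw, min_length=20):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "lower case": any(c.islower() for c in pw),
        "upper case": any(c.isupper() for c in pw),
        "number": any(c.isdigit() for c in pw),
        # Anything that is neither a letter/digit nor whitespace counts as a symbol,
        # which covers non-ASCII symbols such as the pound sign in the post's example.
        "symbol": any(not c.isalnum() and not c.isspace() for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if has_sequence(pw):
        problems.append("contains a keyboard or counting sequence")
    if has_repeat(pw):
        problems.append("contains a run of repeated characters")
    return problems


def is_strong(pw):
    """Convenience wrapper: True only when no rule is broken."""
    return not evaluate(pw)


if __name__ == "__main__":
    for candidate in ("P9*joo&Ghj^rdf£40slE3JH", "Panda", "123456"):
        print(candidate, "->", evaluate(candidate) or "passes")
```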
