While there are countless ways for cyber criminals to launch a cyber attack and hacking techniques are continuously evolving, businesses and their employees should be aware of the most common types of attacks.
Short for "malicious software", malware covers any program introduced into the target’s computer with the intent to cause damage or gain unauthorised access.Types of malware include viruses, worms, Trojans (malware disguised as legitimate software), ransomware and spyware, or any type of malicious code that infiltrates a computer to exploit specific computer functions such as:
- Deleting files
- Collecting personal information and sharing it with third parties
- Recording keystrokes and watching users through webcam technology
- Using a single computer to hack other computers
- Disabling security settings
- Sending spam
- Hijacking web browsers
Ransomware is sophisticated malware that locks down and encrypts computers on a network to prevent users from accessing computers and systems unless a ransom is paid. If payment isn’t received, victims can lose their information or have it published online. Ransomware is one of the fastest growing types of cyber threats.
Phishing scams and spear-phishing
Phishing scams and spear-phishing – the practice of collecting sensitive information through the use of fraudulent websites – are some of the easiest methods of attack for cyber criminals. Hackers send authentic-looking emails and text messages, which appear to originate from trusted sources, in order to steal sensitive information such as login credentials or personal and financial information. These faked emails can also appear to originate from internal sources such as the IT department or supervisors or leaders and may contain a call to action for employees. The aim is to trick targets into clicking on a link or downloading an attachment to update, validate or confirm an account. This means if your staff aren’t trained to know what a phishing email looks like, your business and its operating systems are at risk.
During phishing attacks, anyone in the company with access to a device is targeted. During a spear-phishing attack hackers target particular individuals. Cyber criminals have identified the best methods of targeting users based on their job function and seniority. Those people most likely to be the subjects of spear-phishing attacks are:
- CEOs, CFOs and other top executives due to their ability to make high-level decisions, their access to sensitive information and their authority to sign-off such things as electronic transfers of funds. Spear-phishing attacks on executives usually take the form of requests for sensitive information from a credible sender. Requests to executives from other trusted executives are less likely to be denied.
- Administrative assistants due to their access to company and individual executive accounts. Attacks on assistants are often in the form of requests from executives asking for financial information or for an attachment to be viewed. If eavesdropping software is installed on an assistant’s system, hackers gain access to privileged communications.
- Salespeople and business development managers constantly interact with existing and prospective customers in person, on the phone and by email. They are eager for emails and are as responsive as possible. This means that cyber criminals can be reasonably confident that any email they send will be opened. A successful phishing attack could deliver customer and price lists, and confidential deal information. Theft of customer accounts can provide a further channel to finance, management, and accounts teams who are likely to trust fraudulent traffic in the form of emails from company salespeople.
- Human resources executives communicate with current and prospective employees. Phishers can infiltrate HR systems by sending fake emails either from potential employees with malware posing as resumes or from executives requesting personnel information.
Man-in-the-middle and man-in-the-browser attacks
To view content online, web browsers must send information back and forth with web servers. If this information is unprotected, it can be stolen and exploited by an unauthorised third party known as a “man in the middle” (MITM).
In MITM attacks, hackers gain access to an unsecured or poorly secured wi-fi router and then scan the router for vulnerabilities like a weak password. They can then intercept and exploit the target’s transmitted data.
In a man-in-the-browser attack (MITB), the hacker inserts malware into the target’s computer. This can be done by phishing. The hacker sends an email to a target pretending to be a representative from their bank or contacts the bank pretending to be a customer. By clicking on a link or opening an attachment in the phishing email, the target unintentionally loads malware onto the computer. The malware installs itself on the browser without the target’s knowledge. The malware records the data sent between the target and specific websites, such as the bank, and transmits it to the hacker.
Distributed denial of service
Distributed denial of service (DDoS) attacks occur when a targeted server is intentionally flooded with traffic until it crashes (shuts down) the business’s website or network system. Multiple compromised systems, which are often infected with a Trojan (malware disguised as legitimate software), overload the bandwidth or resources of the targeted system causing a denial of service, thereby making the system and website unavailable.
DDoS attacks do not only consist of longer duration, high-volume activity. Hackers can use low-volume attacks of short duration to stress test your network and identify vulnerabilities in your system’s security.
Advanced persistent threats
Advanced persistent threats (APTs) are long-term targeted attacks that aim to repeatedly gather sensitive data from a network over time. Once cyber criminals have gained access to the target network, they work to avoid detection while establishing their position in the system. If a breach is detected and repaired, the attackers have already secured other routes into the system so they can continue to steal data. Hackers infiltrate a network in five distinct phases to avoid detection:
- Reconnaissance: Hackers assess the target network to comprehend the systems and find weaknesses.
- Incursion: Attackers break into the network and insert malware targeted to susceptible individuals and systems.
- Discovery: The organisation’s security systems are analysed so that hackers can create a plan for data capture.
- Capture: Hackers access systems and capture data over a lengthy period of time. Malware may also be installed to disrupt the system.
- Exfiltration: Sensitive information is sent back to the attack team’s system for analysis and exploitation.
A high percentage of data breaches leverage stolen or weak passwords. End-users can make it easy for criminals to pick up passwords by giving them out over the phone, writing them down or storing them in spreadsheets or Word documents.
Weak passwords are an easy target for hackers, and there are legions of lazy passwords that are exactly what a happy hacker would expect. Many end-users make their password too short, use passwords based on information posted on social media, or use the same password across a number of applications. And there are still systems that can be accessed, with full administrator privileges, by means of user names and passwords simple enough to guess; or devices with passwords that have never been changed from the default ‘Password123’. Further, while many SMEs don’t have password policies, the majority of those that do have them don’t enforce them.
In password attacks hackers often use automated systems in which different combinations of passwords are tried in a series of trial-and-error experiments to gain entry into a network to access databases, accounts and other sensitive digital information.
There are three main types of password attacks:
- Brute-force attacks, which involve tools that automatically attempt to login over and over again using countless username and password combinations until the hacker gets in
- Dictionary attacks, which use an automated program to try different combinations of words from the dictionary
- Keylogging, which use malware to track a user's keystrokes without their knowledge to access sensitive information including company data, logins, passwords and credit card information.
While cyber risks like phishing, ransomware and DDoS attacks must be appraised, it’s also important to consider cyber security threats from within your own company. When businesses create a cyber risk profile, external attacks are commonly number one on the list but protecting systems from internal threats receives less attention, possibly due to the perceived difficulty of enforcing a rigorous security policy.
Employers might find it hard to understand why an employee would expose the company they work for to cyber risk. There are a number of possible reasons:
- The business may not have clear cyber security policies; if it does, they may not be fully understood by employees due to either a lack of attention or adequate training
- Mistakes can be made by employees through carelessness or haste that affect one or more components on the network
- Simple greed can be a motivator – an employee may create, or happen upon, an opportunity to benefit through fraudulent activity. Fraud can range from loss of sensitive company information and theft of intellectual property to financial and even criminal damage.
Inside attacks also occur when someone with administrative privileges deliberately misuses their credentials to access confidential company information. Employees, suppliers, contractors and, in some cases, clients may have access to parts of the company network and databases. They can leverage their existing access to scan for vulnerabilities, with the aim of gaining unauthorised entry to systems. Disgruntled former employees who have left the business on bad terms can also pose a threat to security through targeted malicious behaviour.
Remote desktop protocol
A decentralised work force, remote working, and cloud-based technologies enable SMEs to access a wide range of talent and skills. To maintain their networks many SMEs outsource their tech support using remote desktop protocol (RDP). This software provides a user with a graphical interface to connect to another computer over a network connection. It enables an IT person to login to your computer and take over your keyboard and mouse to identify and resolve issues.
RDP is a useful tool but when left exposed to the internet the unguarded remote desktop becomes a potential point of access by cyber criminals. Hackers can attempt to gain entry by cracking RDP passwords in a brute-force attack. RDP brute-force attacks have become a popular way of staging ransomware infections.
Bring your own device (BYOD)
Employees bringing their own devices rather than using company-provided devices is becoming the rule instead of the exception. There are good reasons for a bring-your-own-device (BYOD) business model – facilitating remote working, flexibility and increased productivity. However, a BYOD policy can expose an organisation to security risks with potentially the same devastating consequences as those resulting from outside attacks. Mobile devices are the most susceptible to attack; but banning BYOD may not in fact be the simple answer it appears to be. Many employees will use their devices on the organisation network even if they’re not permitted to do so, which means they won’t be following security measures, resulting in higher cyber risk.
BYOD can expose a business to cyber risk in a number of ways:
- Data leakage is the unauthorised electronic transfer of data. It can occur when employees are able to access company data from any location at any time
- An employee fails to install, or update, anti-virus or anti-malware software on their device, thereby exposing the business to cyber attacks
- Both company and personal data are on the same device. If the device is lost or stolen, company data can be accessed by the finder
- Mobile phone apps come with privacy and security issues. Although operating systems may request user confirmation when an app requires certain permissions, users are often unaware of the security implications associated with them
- Unsecured Internet of Things (IoT) devices can make networks vulnerable to DDOS attacks.
So what does this mean for SMEs?
No organisation, no matter how small or big, is spared cyber risk. Disruption to normal business operations is likely to be the most critical consequence of a cyber attack. But losing valuable data from cyber breaches can have a devastating and enduring impact on a company’s finances, customer base, growth and reputation.
Despite market competition and reputation being a key concern, SMEs continue to put themselves at risk by underestimating the impact a cyber attack can have on their reputation. SMEs need to make cyber security a priority to reassure their customers that their data is secure.
Protecting business data not only helps preserve reputations, but puts SMEs in a strong and competitive position to offer the service that customers now expect.
How can you reduce your risk and reduce insurance premiums?
With Dacreed's powerful online compliance training you can train managers and staff in cyber security. Once completed, you'll be able to demonstrate a lower risk profile to our partner insurers and get lower premiums - saving you and your business money.