Following our popular article '10 Cyber Security Threats In 2017 That You Can't Just Ignore... [How Vulnerable Are You?]', we decided that it was time to create an updated list!
The threats present in 2017 are still around, but their reach and capabilities have expanded further... People are becoming more aware of the threats posed by hacking and the damage it can do to your organisation.
The new EU General Data Protection Regulation (GDPR) will come into effect in four months' time and it's just one response to a world where 'data is king', but we need to do more to prevent and actively deal with breaches.
1. PASSWORD CRACKING
Cracking is essentially gaining access to a password, giving the attacker the permissions a regular user would have while posing as that user and bypassing the usual security checks. In the past, cracking has comprised three different types of attack:
DICTIONARY ATTACK
Remember every sign-up you've ever done telling you not to use 'password' as your password? Not to use words? That's because of dictionary attacks: a dictionary attack goes word by word through a list of words (the 'dictionary') hoping a user has one of them as their password. And don't expect using multiple words to be very effective against this kind of attack either; they run through combinations of words as well, and with a computer dedicated to cracking passwords it won't take long.
BRUTE FORCE ATTACK
When chewing up a dictionary doesn't do the trick it's time to move on to the next stage: a bigger dictionary. Brute force attacks target dictionary words and non-dictionary words alike, working through every combination of letters, numbers and symbols, so don't fool yourself into thinking 'passw0rd' is going to stop hackers. From the hacker's perspective, brute force attacks are slow and extremely heavy in processing power requirements.
RAINBOW TABLE
Companies don't store passwords as plain text for anyone to read; instead they are converted into hashes, a fixed-length value derived from the password that cannot be run backwards to recover it. A rainbow table is a precomputed list of hashes and the passwords that produce them, so an attacker who holds one will break in very quickly if your password's hash is already recorded in it.
How fast? Ars Technica did their own testing with an everyday typical computer and ran through 8.2 billion password combinations. Per. Second.
To defend against these attacks, programmers can add 'salt' to the hashing algorithm, which makes the stored password much safer. Salting adds extra random characters to the password before it is hashed, so the resulting hash is unique to that user and unlikely to show up on a rainbow table. As a user, you can aim to be as uncommon as possible in your password choices to limit the possibility of your password hash already being available online. It may not stop someone cracking your password, but it may stop you being the chosen target if hackers are attempting to break into as many accounts as possible.
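To show what salting actually changes, here is an added example (not code from the original article): two users who picked the same weak password are hashed once without salt and once with a per-user random salt via PBKDF2. The unsalted digests are identical and match a small precomputed lookup table built inline (a stand-in for a rainbow table, which uses hash chains to save space but is looked up the same way); the salted digests differ from each other and match nothing precomputed. The user names, passwords and the table contents are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to choose the same weak password.
USERS = {"alice": "password", "bob": "password"}

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical hashes,
    so a precomputed table of common passwords matches instantly."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt. Same password plus a
    different salt gives a different digest, so no precomputed table applies,
    and the iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password: str) -> dict:
    """What a site should store: the random salt and the salted digest, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": salted_hash(password, salt)}

def verify(record: dict, attempt: str) -> bool:
    """Re-derive the digest with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(record["digest"], salted_hash(attempt, record["salt"]))

# Constructed stand-in for a rainbow table: unsalted hashes of a few common passwords.
COMMON = ["123456", "password", "qwerty", "letmein"]
TABLE = {unsalted_hash(p): p for p in COMMON}

def lookup_unsalted(digest: str):
    """Reverse an unsalted hash by table lookup, if the password was precomputed."""
    return TABLE.get(digest)

def demo() -> dict:
    unsalted = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    salted = {user: make_record(pw) for user, pw in USERS.items()}
    return {
        # unsalted: both users leak the same digest, and the table reverses it
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_found": lookup_unsalted(unsalted["alice"]),
        # salted: digests differ, so a table keyed on hash alone is useless
        "salted_identical": salted["alice"]["digest"] == salted["bob"]["digest"],
        "verify_ok": verify(salted["alice"], "password"),
        "verify_wrong": verify(salted["alice"], "Password"),
    }

if __name__ == "__main__":
    print(demo())
```

Note that the salt is stored in the clear next to the digest; it does not need to be secret, it only needs to be unique per user so that each stored hash has to be attacked on its own.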
2. PHISHING / SOCIAL ENGINEERING
There's an easier way to get your password: ask for it. It sounds simple, but how often have you given in to apparent authority because it's more convenient and you fear slowing down official business, even when you're completely unsure? Of course you have; we live in a world of huge networks and extremely complex systems, and it's impossible to keep tabs on everything.
Potential attackers take advantage of this, calling up and claiming to be from the IT department or from a legitimate business. Real-life phishing is made even easier through these channels because people attempting to crack passwords usually know far more about computers than a typical user, and thereby appear more authoritative.
These encounters can take place beyond the realm of computers and digital interaction. A trainee doctor I knew once said to me, "At the hospital, you can get anywhere. Everyone is so busy; if you look like you know where you're going then you won't get stopped." The same can be said anywhere: countless pranks exist online based on this premise, and the comedian Sacha Baron Cohen began his career this way.
Social engineering (real-life phishing) has been ranked in the past as the most common vulnerability found by experts, with weak passwords coming second. It is therefore important for employees at all levels to make sure their passwords aren't on display, stuck to monitors and so on. These are easy ways for a hacker to get into your account with minimal effort.
One way to make sure you're defended against such attacks while keeping your password easy to remember is to make it longer rather than more complicated: a long password comprised of several random, uncommon words is well defended against guessing and easier to remember.
Here's a great password checking site where you can test the strength of different types of password.
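As an added example (not the article's own checker, and not the site linked above), the following script does the arithmetic behind the advice in this section: it estimates the brute-force search space of a conventional password, the entropy of a passphrase of N words drawn from a public wordlist, and how long each takes to exhaust at the 8.2 billion guesses per second figure quoted earlier. The 16-word list embedded here and the 7776-word list size used for the comparison are assumptions for the demo; a real generator would use a list of several thousand words.

```python
import math
import secrets

# Guess rate quoted above from the Ars Technica test. It applies to a fast, unsalted
# hash; a slow hash such as PBKDF2 or bcrypt cuts it by orders of magnitude.
GUESSES_PER_SECOND = 8.2e9

# Constructed mini wordlist for the demo. The list size, not the secrecy of the
# list, is what sets the entropy of a passphrase drawn from it.
WORDLIST = ["copper", "lantern", "orbit", "velvet", "thimble", "granite", "saffron", "meadow",
            "quartz", "harbour", "kestrel", "ember", "tundra", "plinth", "wicket", "zephyr"]

def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover, judged from the character classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size

def brute_force_bits(password: str) -> float:
    """Upper bound on brute-force work: length * log2(alphabet). Only an upper bound:
    'passw0rd' is a dictionary word with one substitution, and a dictionary attack
    with substitution rules finds it almost immediately."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly from a list of list_size words,
    assuming the attacker knows the list."""
    return word_count * math.log2(list_size)

def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a search space of 2**bits at the given guess rate."""
    return (2.0 ** bits) / rate

def generate_passphrase(word_count: int = 4, wordlist=WORDLIST) -> str:
    """Pick words with the secrets module (a CSPRNG), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))

def compare(password: str, word_count: int, list_size: int = 7776) -> dict:
    """Compare a conventional password with a passphrase of word_count words from a
    list_size-word list (7776 is an assumed diceware-style list size for the demo)."""
    pw_bits = brute_force_bits(password)
    pp_bits = passphrase_bits(word_count, list_size)
    return {
        "password_bits": round(pw_bits, 1),
        "password_seconds": seconds_to_exhaust(pw_bits),
        "passphrase_bits": round(pp_bits, 1),
        "passphrase_seconds": seconds_to_exhaust(pp_bits),
    }

if __name__ == "__main__":
    for words in (4, 6):
        print(words, "words:", compare("passw0rd", words))
    print("example passphrase:", generate_passphrase())
```

Running it shows that 'passw0rd' falls to a plain brute-force search in minutes at that rate even before dictionary rules are considered, while each extra word from a large list multiplies the attacker's work by the list size.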
3. DISTRIBUTED DENIAL OF SERVICE
Distributed Denial of Service is a contentious area at the moment with regard to the legality of the action, hence its widespread use in protest movements. A DDoS works by using a large network of computers to repeatedly load the target website, dramatically increasing the inbound traffic and often overloading the system so that the site becomes unreachable. DDoS attacks have been compared in the past to online sit-ins: though they often don't damage systems or compromise information, they can still be extremely costly in terms of lost revenue and customer frustration.
Several DDoS attacks, such as the sustained attacks on the Rio Olympics and on Russian banks, have made the news over the past few years, but to imagine that DDoS only targets big business is a mistake. Whilst it's true that big companies often attract the negative media attention that can result in a DDoS attack, individuals often have access to a wide array of computers in a botnet, ready to activate and attack at a moment's notice. In 2016 Arbor Networks tracked 124,000 DDoS attacks each week between January and June.
The best defence against DDoS is to have regularly updated anti-DDoS software.
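Anti-DDoS products start from a very simple building block: counting requests per source in a sliding time window and flagging sources that exceed a limit. The script below is an added example (not the article's, and not any product's code) of that logic run over a handful of constructed access-log lines in the common Apache/nginx format; the IP addresses, timestamps and thresholds are made up for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx style access log line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str):
    """Return (ip, timestamp) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)

def flag_flooders(lines, window_seconds: int = 10, per_ip_limit: int = 5) -> dict:
    """Sliding-window counter per source IP. Returns {ip: peak_hits_in_window} for
    every source that exceeded per_ip_limit requests within window_seconds."""
    events = [p for p in map(parse_line, lines) if p is not None]
    events.sort(key=lambda e: e[1])  # log order is not guaranteed to be time order
    recent = defaultdict(deque)      # per-IP timestamps still inside the window
    peaks = {}
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop hits that have aged out of the window
        if len(q) > per_ip_limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def _line(ip: str, second: int) -> str:
    """Build one constructed log line at 10:00:SS on a fixed date."""
    return f'{ip} - - [12/Jan/2018:10:00:{second:02d} +0000] "GET / HTTP/1.1" 200 512'

# Constructed sample log: one source hammering the site, one browsing normally, one junk line.
SAMPLE_LOG = (
    [_line("203.0.113.7", s) for s in range(8)]        # 8 hits in 8 seconds
    + [_line("198.51.100.3", s) for s in (0, 20, 40)]  # 3 hits spread over 40 seconds
    + ["not a log line"]
)

if __name__ == "__main__":
    print(flag_flooders(SAMPLE_LOG))  # {'203.0.113.7': 8}
```

Because the attack is distributed, a per-source limit only catches each bot's share of the traffic; a real defence also compares the aggregate request rate against a normal baseline, and ideally drops the excess upstream of the web server rather than on it, which is what the dedicated products and scrubbing services exist for.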
4. RANSOMWARE
Do you recall the WannaCry attack that gripped the world?
Yeah that one...
The one that completely crippled the NHS and showed just how vulnerable older systems are. WannaCry managed to hit 300,000 computers across 150 countries, with F-Secure calling it the "biggest ransomware outbreak in history."
WannaCry was an extremely effective ransomware attack. Ransomware usually gains access to a system through email attachments. Whilst many in and outside the industry know it to be best practice to leave such emails well alone, it only takes one unsuspecting or ill-trained person to unleash ransomware across an entire system.
Once in a system, ransomware 'bricks' a computer, making it completely useless, or alternatively takes control of it and demands money. There are few ways to unlock the computer: give in to the attackers' demands (unlikely to help), accept that your IT suite is completely useless, or keep repair tools on a USB stick and have cloud backups or other copies. The last of these is the way to keep your files safe despite your computer being infected.
5. SQL INJECTIONS
According to Beyond Security, Structured Query Language (SQL) injections are the most common form of website attack. They are a persistent threat which will not go away and, despite their destructive potential, remain relatively easy to pull off.
SQL injections take advantage of flaws in application code, commonly in user input forms, where text typed by the user is placed directly into a database query. The injected query text can steal information, up to and including gaining access to and downloading entire databases.
Though SQL injection can be defended against by vetting user queries and managing administrative access, it is still an attack that companies are hit by frequently. Check out this Hall of Fame site and take note of the size of some of the companies listed, such as Siemens; make sure you never end up on the Hall of Shame.
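The flaw and the fix side by side, as an added example (not code from the article or from any of the companies mentioned): a login-style lookup that pastes the form input into the SQL string, next to the same lookup written as a parameterised query. The in-memory SQLite table, its two rows and the placeholder hash values are constructed for the demo.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    """In-memory database with two constructed rows (hash values are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "<hash-placeholder>"), ("bob", "<hash-placeholder>")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': form input is pasted straight into the SQL string, so the
    database cannot tell where the data ends and the query begins."""
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterised query. The driver binds the value separately, so it
    is always treated as data, whatever quote characters it contains."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY username", (username,))]

if __name__ == "__main__":
    conn = setup_db()
    tautology = "' OR '1'='1"  # the textbook injection string, typed into the username field
    print(find_user_vulnerable(conn, "alice"))    # ['alice']
    print(find_user_vulnerable(conn, tautology))  # ['alice', 'bob']  every row comes back
    print(find_user_safe(conn, tautology))        # []  treated as a literal username
```

The vulnerable version is the kind of code behind most entries on lists like the one linked above; the safe version costs nothing extra and is what "vetting user queries" means in practice, alongside giving the web application's database account only the rights it needs.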
With the EU GDPR only four months away, it is critical for all businesses to be aware of the changes coming into place. The five-day Certified EU General Data Protection Regulation (GDPR) Foundation & Practitioner training course will prepare you to achieve full compliance.
Beyond the cost of fines, working towards compliance can be costly, especially for organisations that aren't prepared. The money, time and attention that go towards meeting these regulations often come at the expense of other cyber security concerns.
If you are short on time or prefer visuals, see our article in infographic format.