In our first piece we looked at some of the most common risks and trends associated with cyber attacks. In this installment, we’ll examine some of the most common ways cyber criminals initiate their attacks and offer some fundamental cyber risk management steps to repel, mitigate and respond to cyber attacks.
These Guys are Out to Get You and They Know How to Do It
Social engineering
Social engineering is one of the most common techniques employed by cyber criminals, who use it to lure unsuspecting users into handing over confidential data, or into opening links and attachments that infect their computers with malware.
It's important to understand how cyber criminals use social engineering, because when the social tactics succeed, the usual result is a malware infection or a stolen credential.
Almost every type of attack contains some kind of social engineering. For example, the classic email "phishing" and virus scams are laden with social overtones. Phishing emails attempt to convince users that they come from legitimate sources in order to procure personal or company data. Emails that carry virus-laden attachments often appear to be from trusted contacts, or offer content that seems harmless because it is "funny" or "cute."
Phishing
Phishing is a form of social engineering in which an attacker sends a message, typically an email or an instant message, that masquerades as an official communication from a trustworthy person or business, in an attempt to fraudulently acquire sensitive information such as passwords and credit card details.
The messages typically contain links to a deliberately faked copy of the real site, which asks the user to enter a credit card number, password or other confidential information. The visible link text often shows the legitimate address while the underlying link points at the attacker's site, so the destination cannot be judged from what is displayed.
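The link tricks described above can be checked mechanically. The following is an added example for this article, not the author's own code: a small checker that walks the anchors in an HTML email body and flags links whose visible text or host does not match where they really lead. The trusted domain `bank.example`, the sample email body and the reason strings are all constructed for the illustration, and the "registrable domain" heuristic is deliberately crude (last two labels), which a production tool would replace with the Public Suffix List.

```python
"""Flag the link tricks that phishing emails rely on.

Added example (not from the original article): report anchors whose
real target disagrees with the text shown to the user, points at a raw
IP address, uses a punycode host, or embeds a trusted name inside an
untrusted domain. Trusted domain and sample email are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the organisation the email claims to come from.
TRUSTED_DOMAINS = {"bank.example"}

# Constructed sample email body: one benign link and three phishing patterns.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account within 24 hours.</p>
<p><a href="https://www.bank.example/help">Help centre</a></p>
<p><a href="http://www.bank.example.account-verify.example/login">https://www.bank.example/login</a></p>
<p><a href="http://192.0.2.5/login">Sign in</a></p>
<p><a href="https://xn--bnk-example.example/">bank.example</a></p>
"""

DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the list of reasons a single link looks like phishing."""
    reasons = []
    host = urlsplit(href).hostname or ""
    if not host:
        return reasons  # mailto:, relative links etc. are out of scope here
    if is_ip_literal(host):
        reasons.append("raw IP address in link")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    if registrable(host) not in TRUSTED_DOMAINS and any(t in host for t in TRUSTED_DOMAINS):
        reasons.append("trusted name embedded in untrusted host")
    # If the visible text looks like a URL or a bare domain, it must agree with the real target.
    if "://" in text:
        shown = urlsplit(text).hostname
    else:
        shown = text if DOMAIN_RE.fullmatch(text) else None
    if shown and registrable(shown) != registrable(host):
        reasons.append("visible URL differs from real target")
    return reasons


def suspicious_links(html):
    """Parse an HTML body and return [(href, reasons)] for every flagged link."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed body, the help-centre link passes and the other three are flagged: the long look-alike host both embeds the trusted name and disagrees with its visible text, the raw-IP link is flagged on the address alone, and the punycode link is flagged for its host and for the mismatch with the bare domain shown to the reader.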
Pharming
Pharming (pronounced ‘farming’) is a form of online fraud closely related to phishing. Pharmers rely on the same bogus websites and the same theft of confidential information, but where phishing must entice a user to the website with “bait,” pharming redirects victims to the bogus site even when they have typed the correct web address. It is most often aimed at the websites of banks and e-commerce sites.
The primary method of pharming stems from an older attack called DNS cache poisoning. DNS is the internet naming system that lets users enter meaningful names for websites, like www.bank.co.us, rather than the numeric IP address of the server; a resolver looks the name up and caches the answer for reuse. In a cache-poisoning attack, the attacker tricks the resolver into caching a forged answer, so that for as long as that entry lives, every user of the resolver who types the correct name is sent to the attacker's server instead. Because nothing about the typed address looks wrong, one of the few signals left to the user is a certificate warning in the browser, since the attacker's server cannot normally present a valid certificate for the real site's name.
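To make the cache-poisoning mechanism concrete, here is a small simulation, an added example rather than code from the original article, that races an attacker's forged answers against the genuine one. The resolver model, the names, the documentation-range IP addresses, the seed and the attacker's guessing strategy are all constructed; the "hardened" variant models the transaction-ID and source-port randomisation that real resolvers adopted against this attack, while the "weak" variant uses a predictable sequential ID and a fixed port.

```python
"""Toy model of DNS cache poisoning, the mechanism behind pharming.

Added example for this article (not the author's code). A caching
resolver is modelled twice: a weak one with a predictable transaction ID
and a fixed source port, and a hardened one that randomises both and
refuses answers that do not match. An off-path attacker floods forged
answers for the bank's name; whichever answer the resolver accepts first
is what every later user of that resolver is sent to. Names, addresses,
the seed and the attacker's guessing strategy are all constructed.
"""
import random
from dataclasses import dataclass

BANK = "www.bank.example"      # constructed: the name the victim types correctly
LEGIT_IP = "203.0.113.10"      # constructed: the bank's real server
ATTACKER_IP = "198.51.100.66"  # constructed: the pharming site


@dataclass(frozen=True)
class Response:
    name: str      # question the answer claims to be for
    txid: int      # 16-bit transaction ID that should echo the query's
    dst_port: int  # UDP port the answer is delivered to
    ip: str        # the A record being offered


class Resolver:
    """Caching stub resolver; 'hardened' enables the port check and random IDs."""

    def __init__(self, hardened, seed=7):
        self.hardened = hardened
        self.rng = random.Random(seed)
        self.next_txid = 1000   # weak mode: sequential, hence predictable
        self.cache = {}         # name -> ip
        self.pending = {}       # name -> (txid, port) of the outstanding query

    def send_query(self, name):
        """Emit a query and remember the (txid, port) it went out with."""
        if self.hardened:
            txid = self.rng.randrange(0, 1 << 16)
            port = self.rng.randrange(1024, 1 << 16)  # randomised ephemeral port
        else:
            txid = self.next_txid
            self.next_txid += 1
            port = 53                                 # legacy fixed source port
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, resp):
        """Return True if the answer is accepted into the cache."""
        if resp.name not in self.pending:
            return False  # answer for a name we never asked about: drop it
        txid, port = self.pending[resp.name]
        if resp.txid != txid:
            return False  # both modes check the ID; only the weak one makes it guessable
        if self.hardened and resp.dst_port != port:
            return False  # off-path forgery aimed at the wrong port
        self.cache[resp.name] = resp.ip
        del self.pending[resp.name]  # first accepted answer wins; later ones are ignored
        return True

    def lookup(self, name):
        return self.cache.get(name)


def attacker_burst(name, observed_txid=999):
    """Off-path attacker who saw the resolver's previous txid (constructed as
    999) and assumes the legacy port 53: spray the next 256 IDs before the
    real answer can arrive."""
    return [Response(name, txid, 53, ATTACKER_IP)
            for txid in range(observed_txid + 1, observed_txid + 257)]


def run_pharming_attempt(hardened):
    """Race the forged burst against the genuine answer; return what users get."""
    resolver = Resolver(hardened)
    txid, port = resolver.send_query(BANK)
    for forged in attacker_burst(BANK):
        resolver.receive(forged)
    resolver.receive(Response(BANK, txid, port, LEGIT_IP))  # genuine reply arrives last
    return resolver.lookup(BANK)


if __name__ == "__main__":
    print("weak resolver sends users to", run_pharming_attempt(hardened=False))
    print("hardened resolver sends users to", run_pharming_attempt(hardened=True))
```

The weak resolver accepts the first forged answer and then ignores the genuine one, so every later lookup of the bank's name returns the attacker's address until the entry expires; the hardened resolver discards all 256 forgeries because none of them hits the randomised port, and caches the real answer. Port and ID randomisation only raise the attacker's cost; authenticating the answers themselves (DNSSEC) is the stronger control.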
In some cases, attackers use very simple social engineering to gain network or computer access. For example, a hacker might sit in the public food court of a large office building and "shoulder surf" users working on their tablets or laptops. This can yield a large number of user names and passwords without sending a single email or virus.
Some attacks rely on direct communication between attacker and victim, in which the attacker pressures the user into granting network access under the guise of a serious problem that needs immediate attention. Urgency, anger, guilt and sympathy are all used to convince users that their help is needed and that they cannot refuse.
Many employees and consumers don't realize that with only a few pieces of information – a name, date of birth or address – an attacker can gain access to multiple networks by masquerading as a legitimate user to IT support personnel. From there, it is a simple matter to have passwords reset and gain almost unlimited access. Help-desk procedures should therefore verify identity with something an impostor cannot easily obtain, such as a call back to a number on record or approval from the user's manager, rather than with personal details that are easy to find.
Protection against social engineering starts with education. Users must be trained never to click on suspicious links and always to guard their login credentials, whether at the office or at home. Training reduces but never eliminates successful phishing, so it should be backed by controls that limit the damage of a single stolen password, such as multi-factor authentication.
The Human Factor
The “human factor” is one of the most overlooked elements of cyber security. A business may spend considerable time and resources building a system to protect login privacy, yet neglect the weakest link: the people who use it.
It’s important to create a plan for securing data, but we can’t forget the importance of educating employees on best practices for keeping data safe. This includes not only being mindful of the topics covered in this miniseries, but also a general awareness of things to avoid, such as writing passwords on sticky notes or scratch pads that may end up in the trash and become a security breach waiting to happen.
Instruct computer users to minimize data retention, keeping only as much data as they need to do their work. Avoid storing clients’ credit card numbers and similar information unless it is absolutely required for their assigned responsibilities; data that is never stored cannot be stolen in a breach.
Are You Ready for a Cyber Attack?
As the number of cyber attacks rises, it appears that only the largest and most sophisticated businesses are truly making themselves ready to repel or respond to an attack. Even cyber-savvy businesses are often prepared only at the “IT core” level; in some cases, the preparation is only “tech” deep.
Cyber preparedness begins at the top. The businesses most able to repel and respond to attacks are those that have involved top management in their preparations. The real responsibility for cyber risk management rests with the leaders of a business: the CEO, senior administrative staff, the board of directors and so on. This means that top management must be kept continually aware of cyber security issues so that the security needs of the business can be incorporated into the overall business plan (and budget). Cyber risk management must be an essential element of the business planning process.
Training, which typically falls to human resources staff, is critical to cyber risk management. It must provide not only ongoing awareness of cyber risks and trends, but also the best practices for avoiding becoming a victim of an attack. There should be real testing, such as simulated phishing, that measures results against the specific roles and responsibilities of each computer user. Cyber awareness and adherence to security policy should be part of the performance evaluation of all personnel.
Cyber risk management process documentation is essential. In other areas of business we would call this loss control procedures. Businesses must develop policies and procedures for cyber security, document them clearly, and provide a method for tracking and recording compliance.
Top-notch technology is critical in managing cyber risk. Software and hardware designed to repel, mitigate and respond to cyber attacks must be implemented and maintained. This means staying abreast of the latest technological advances and offerings, not simply waiting to renew existing security software subscriptions or to replace security hardware when it becomes aged or obsolete. Encryption of data both inside the network and in transit outside it, together with multi-factor authentication on the business network, is becoming the norm, not the advanced exception.
Cyber insurance is often overlooked. Many businesses believe they have this coverage as part of their standard business liability policy. Almost no standard commercial insurance provides this protection; you must seek it out, typically as either a special rider or a companion policy to your liability insurance.
Ten years ago, such coverage was unheard of. Today, it’s developing so fast within the insurance sector that many policies are becoming specialized for different aspects of coverage.
For example, some policies cover data in your possession (such as client credit card or social security numbers) that is lost or compromised in a cyber attack. This coverage protects your fiduciary responsibility to keep that type of data secure, but such policies may not cover the loss of your own data.
On the other hand, a policy may cover the loss of data that prevents your business from operating, as in a ransomware attack, yet not cover the loss of data held under your fiduciary responsibility.
It is therefore necessary to review all aspects of a cyber risk insurance policy thoroughly to ensure it covers all of your potential exposures.
Next time, we will get down to the nitty-gritty and dig our heels into some specific, practical cyber risk management techniques you should apply.