October is National Cybersecurity Awareness Month (NCSAM). This year’s theme is “Do Your Part, Be Cyber Smart.” While the knowledge of cybersecurity best practices and data hygiene has increased during the seventeen years since the first NCSAM, the threats posed by hackers and other bad actors has increased too.
Even with the cybersecurity industry projected to grow ten percent over the next several years and the passage of increasingly stringent regulations and penalties for data breaches, there’s a steady march of news stories about cyber crimes and other security fails.
Studies suggest that hacking attacks occur roughly 2,200 times per day (that’s about one every 39 seconds). Meanwhile, the average lifecycle of a data breach is nearly a year. Now for the bigger problem: only 36 percent of Americans have ever checked to see if they have been compromised in a data compromise, and still more don’t know what steps to take if their personal information is compromised.
While some may look at the rising costs of data breaches and the seeming inevitability of successful cyberattacks and feel compromise is inevitable--and to some extent that is true, but to do so makes matters worse: Cybersecurity awareness training reduces the risk to companies and individuals alike.
While it’s impossible to eradicate the threat posed by hackers, organizations that invest in training have been shown to reduce the likelihood of a successful cyberattack by 10-15 percent, sometimes more, and the overall financial loss from a data breach decreased by over 75 percent.
“[T]he best solution… is creating a culture of cyber threat awareness and best practices,” says CyberScout founder and chairman Adam Levin. “There is no one way to solve the cybersecurity quagmire, but there are very established routes through it, and you owe it to your company to learn them and teach them to everyone you work with.”
Being aware of the five greatest cybersecurity threats may not prevent every attack, but it can go a long way toward mitigating their potential fallout.
Regardless of the industry or sector, ransomware is the cybersecurity threat that has consistently made the most headlines over the last five years, and with good reason. As a vector of attack, it has brought multinational corporations to a screeching halt, shut down local governments, caused school closures, and has led to at least one death by disrupting medical services.
“While the sophistication and methods of attack may vary, the short answer is that ransomware is a type of malware that encrypts critical data on a computer or computer network so that users can’t regain access without paying a ransom,” says Levin.
One of the ironies of ransomware is that it deploys encryption, a technology designed to increase data security, to overcome the security of a user’s device. By encrypting files on a local device (one that is not connected to the internet) or across a network, the damage can be mitigated. Minor frustration and inconvenience does not compare to an extinction-level event due to an organization or an individual being unable to access critical data and services.
“In effect, ransomware is the weaponization of a cyber-protection protocol,” says Levin.
The earliest known example of ransomware dates back to 1989, and was distributed via floppy disk at a World Health Organization conference. Attendees who installed the malware, labelled “AIDS information - Introductory Diskettes” soon found that the files on their computers were either encrypted or hidden until they sent $189 to a mailbox in Panama.
Ransomware remained a relatively minor threat until the mid 2010s, when the explosive growth and perceived value of cryptocurrencies, specifically Bitcoin, provided fertile ground for the attacks. Now there was an untraceable form of online currency and nearly unbreakable encryption technology, which set the stage for targeting even more people. A general lack of cybersecurity knowledge formed the basis of the opportunity.
Since then, ransomware has become more widespread. North Korea incorporated it into their arsenal of cyberattacks to fund weapons programs, and in criminal circles ransomware has evolved into a full-fledged industry, with “ransomware as a service” (RaaS) providers leasing out their code in exchange for both fixed fees and percentages of ransom acquired from targets.
Given the sheer breadth of ransomware variants and the number of different industries, organizations, and individuals that are targeted, there’s no one primary means of avoiding ransomware attacks. That being the case, Levin suggests four main strategies to minimize the potential risk and mitigate the damage from a ransomware:
- Back up everything: “If the loss of your data is potentially catastrophic, the most straightforward solution is to back up your systems and data and do it often,” says Levin. “Bear in mind that your data backups will be of no use if they are also encrypted by a ransomware attack, so keep them stored separately and offline.”
- Call for help: “If you expect your existing staff to be able to resolve a ransomware attack with the resources at your disposal, think again. They can’t do it,” says Levin, who recommends finding a contractor specializing in ransomware recovery before an incident occurs.
- Silo your data: “Run and maintain separate servers and storage for your data,” advises Levin. “While it may require more resources in the short term, doing this will greatly aid in the containment of the damage from a ransomware attack.”
- Get insurance coverage: “Insuring your company against cyber-risk is and should be viewed as a basic requirement of doing business,” says Levin.
Of all of the major cyber threats to businesses and individuals, phishing is the most common. Recent studies indicate that 65 percent of U.S. organizations experienced a successful phishing attack in 2019, and 22 percent of data breaches began with phishing campaigns.
“In its simplest form, phishing is the practice of sending a link via email or text or embedding a link on a website that, when clicked, downloads malware onto the user’s device as well as any other devices that are connected to the same network,” says Levin.
“From there, any number of things can happen. There are viruses that send hackers your most sensitive logon information, and others that recruit your machine into a botnet used to send illegal spam through networks that can create enough computing power to disable important servers. Your privileged access at work can be grabbed to transfer funds, hijack databases loaded with sensitive customer and employee information or steal intellectual property.”
The commonplace nature of phishing as a method of cyberattack is due in part to the fact that it typically relies on relatively simple methods to deceive targets, but it also owes something to the security of email as a platform.
“Email currently has a 90.1% penetration rate… in the United States, compared to 68% for Facebook and 23% for Twitter,” says Levin. “Email addresses are still the main way we authenticate ourselves to do business online, and because of that email represents an extremely weak link in your collective cybersecurity.”
While phishing traditionally relies on email, it can incorporate other means of communication, including voice calls and SMS texts, comprising what is sometimes referred to as “the pantheon of -ishings”:
Vishing (voice phishing): Is a phishing scam conducted by phone. Scammers will often contact their targets claiming to be representatives of banks or financial organizations and attempt to get information about their accounts or wire money.
“Vishing is how hackers take advantage of phone number databases... They’ll call you and claim to be from your bank (they just need your account number and routing information), the IRS (just confirm your Social Security number) or even Microsoft (just let them log into your PC remotely) to try to gain access to your personal or financial information or even install malware on your devices,” says Levin.
Smishing (sms / text phishing): Smishing is a phishing variant that targets mobile device users. Like vishing and phishing, criminals pose as representatives of familiar organizations or businesses in an attempt to gain access to sensitive information or to trick users into clicking a link that installs malware on their devices. Smishing attacks will typically target individuals, but can be leveraged into a wider-scale attack against an organization.
The early 2020 hack of Amazon founder and CEO Jeff Bezos through a malware link sent via WhatsApp is an example of this exploit.
“[I]f you use your smartphone to access the internet, bear in mind that there are hidden dangers everywhere, and pause before you pounce on text warnings,” says Levin.
While phishing and similar schemes continue to be effective, their relative simplicity as an attack vector means that proper and regular training for employees can help identity all but the most clever campaigns. Levin suggests that individuals follow the Three M’s of cybersecurity to protect themselves: Minimize, Monitor, and Manage.
Minimize risk of exposure by practicing good cyber hygiene, not sending sensitive information over email or unencrypted connection, and be skeptical about any messages alerting them to “urgent” issues with accounts.
Monitor accounts by checking credit and bank accounts, signing up for alerts, and double-checking every transaction. Many victims of phishing scams aren’t aware that they’ve been had until weeks after the fact.
Manage the damage by reporting scams to the proper authorities, sign up for identity theft protection when possible, and change logins and passwords if they suspect they’ve been breached.
Social engineering is a comparatively low-tech method of cyber attack where a hacker or scammer will use deception to coerce or otherwise manipulate their target into providing information that can be used in a data-related crime.
While there is some overlap between phishing and social engineering, one of the main elements specific to social engineering is that it targets human behavior through personal interaction, rather than more technologically-oriented methods like spoofed phishing pages.
One of the most publicized examples of social engineering was the July 20 hack of Twitter, where more than 130 social media accounts were compromised, including those of Elon Musk, Michael Bloomberg, Jeff Bezos, Joe Biden. It was a cryptocurrency scam that netted $118,000 from its victims. Hackers were able to gain access to administrator access on Twitter by pretending to be employees of the company and quickly changing the email addresses associated with their hijacked accounts, and disabled two-factor authentication.
While the alleged hackers behind the attack were arrested and Twitter adjusted the policies that allowed them to take control of these accounts in the first place, it was a stark reminder that our cybersecurity policies are only as secure as our most vulnerable employees.
“All of the firewalls and encryption in the world can’t stop a gifted social engineer from rifling through a corporate database. If an attacker wants to break into a system, the most effective approach is to try to exploit the weakest link—not operating systems, firewalls or encryption algorithms—but people,” says reformed hacker Kevin Mitnick, who coined the term social engineering.
“Whether you call it social engineering, wetware or the human element, we are often the cause... The bottom line here is that if someone asks for your information, make sure you know who’s doing the asking. If you receive a phone call from a company with which you do business, hang up and call them back. Ditto with a cold call from a company or government entity you either think you know or don’t know,” says Levin.
One of the elements that makes social engineering most difficult to protect against is that it’s rooted in organizational culture, rather than policy, according to Levin.
“[P]rinciples--creating a culture of cyber awareness--is generally effective, which is why I favor cyber training that is aimed at minimizing, monitoring, and managing cyber risk,” says Levin.
Business Email Compromise
Business email compromise (BEC), also known as “CEO fraud,” “W2 fraud,” or email account compromise (EAC) is a more targeted and damaging form of phishing, where the primary attack vector is to either hijack or “spoof” the email account of an executive or other position of power within a company or organization. The end goal is typically to convince an employee of the company to wire money.
In the FBI’s annual Internet Crime Report, BEC scams accounted for $1.7 billion of the $3.5 billion in the reported money lost to online scams.
“The back-of-the-napkin math isn’t pretty. Taking into account unknowables, we’re talking about a ballpark cost of roughly $75,000 per BEC-related complaint,” says Levin.
“That is exponentially more expensive than other cyber events. Consider that the average cost for a ransomware attack against a business is about $4,400, and your run of the mill phishing incident weighs in at a much less hefty $500. Perhaps most importantly, the FBI report’s 2019 numbers are a significantly higher figure than the reported $1.3 billion in BEC scam-related losses the year before.”
“BEC/EAC is constantly evolving as scammers become more sophisticated…BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards,” stated the FBI report.
In response to the rising number of BEC cases, the U.S. government has formed the Recovery Asset Team (RAT) through the Internet Crime Complaint Center (IC3) to help victims recover stolen funds. In its first full operational year, RAT managed to recover over $304 million of $384 million reported stolen in 1,307 incidents in 2019. Despite a relatively high success rate, Levin encourages businesses and organizations to still practice extreme caution.
“[D]on’t let the 79% recovery rate lull you into a false sense of security,” says Levin. “The loss of time, worker focus and business opportunities can be catastrophic is the aftermath of an attack, and is yet another reason no company should be without a robust cyber insurance policy in place.”
The FBI and IC3 released a checklist for organizations to follow in the event of a BEC:
- Contact the originating financial institution once fraud is identified.
- Filed a detailed complete with IC3.
- Follow up regularly on the IC3 website for announcements regarding BEC trends.
- Verify any payment charges with intended recipients.
- Continue to file reports with law enforcement.
“In a work environment where the dangers are manifold and more or less non-stop, a cultural shift needs to happen. We need to always assume that a scam may be afoot, and proceed accordingly. Our motto: ‘Distrust AND verify.’ A culture of caution has never been more important,” says Levin.
Spoofing is a method commonly used by hackers across a wide range of cyberattacks including but not limited to phishing, social engineering, ransomware, and business email compromises.
While the techniques and technology can vary, spoofing allows a hacker to alter their identity to appear to be a trusted source, such as a co-worker, relative, or secured online service.
The danger posed to companies and organizations by seemingly authentic communications from trusted sources could pose an extinction level event.
“[A] single official-looking email can open the door to innumerable types of fraud, both internally and externally… People wire money on the basis of a phone call all the time. The harm caused by a phony corporate communication to shareholders or the general public could represent a catastrophic loss of money and confidence,” says Levin.
While the more widely known examples of spoofing come in the form of phony email and phone calls, hackers will often deploy more high-tech methods of duping their victims. One common technique is typosquatting, where an attacker will acquire domain names similar to existing websites, and create convincing facsimiles.
“Typosquatting is when third parties buy variants of domain names based on simple and common spelling errors, e.g. "gooogle.com," or "gooogl.com" instead of Google.com,” says Levin, who refers to a recent study indicating that 2.7 percent of 15,000 analyzed domain names directed users to websites associated with some form of cybercrime.
“If 2.7 percent seems like a small number, consider that there are currently at least 360 million registered domain names.” warns Levin.
Another more sophisticated form of spoofing is in the form of DNS hijacking. DNS, or the domain name system, is a service underpinning the entire internet which helps to translate machine-friendly internet addresses, e.g. “220.127.116.11” to more human-friendly addresses, in this case “Google.com.”
“That moment when a name is matched to a number is where hackers can intervene. There are a number of ways it can happen, but DNS hijacking is when your page request doesn't go to the site you asked for… there's no obvious way to tell that it's happening,” says Levin.
In some cases, DNS servers themselves are hacked and adjusted to reroute large-scale internet traffic to spoofed websites. Hackers will often use these to acquire victims’ login credentials, or deploy malware to targeted computers.
While there’s no one sure-fire way to identify spoofed communications or websites, paying close attention to URLs and email addresses can help prevent the majority of them. Always double-check the web address on websites, use and regularly update security software, and confirm emails and phone calls with employees.