The IT industry is often surrounded by complicated jargon that experts use to explain the concepts they talk about. Here I will try to explain the difficult and sometimes perplexing issues of a cyber-attack clearly and concisely.
So, what is a cyber-attack?
This is where a person or group tries to break into an information technology system (such as your office or home computer). Some of the main drivers for hacking a system are:
- To gain access in order to control or disrupt the operation of the system for fun or financial gain.
- To prove that well publicised “unbreakable” systems (like government or military networks) are anything but unbreakable.
- For the challenge of doing it, and for the recognition of the achievement from peers, the public and the world.
- To prove a point that is personal, political, social or economic.
- For revenge for some wrongdoing (perceived or real) and to show the protagonist that they are powerless.
- To disrupt the system or release private information based on the assumption that they have a right to know.
The brief history of hacking
At the start of the information age, from the 1950s to the late 1970s, a new type of academic study started. These were students and engineers who played with technology for the fun of it, and some of them created the first computer worms (a type of program that is designed to change the function of a system). We call these viruses or malware now.
But by 1980, with the advent of personal computers, the technology moved from the domain of students and engineers to the public. The idea of a hacker as a bright kid was born as school kids and enthusiasts played with computer technology. We also started to see the growth of the security industry to counter the threats of the new information age. This changed the scope of the challenge facing the hackers, and they adapted to the new environments by inventing new ways of getting around the countermeasures built by the security companies.
By the start of the 1990s, personal computing was well on course to be in every home. We had started to see high-profile breaches of computer systems showing up in the press, along with the emergence of cyber-criminals and data protection rules.
By the new millennium, and with the widening use of the new internet (HTTP and email), we watched as the level, complexity and frequency of these breaches grew. The cyber-criminals switched their targets from large companies and government systems to smaller businesses and the public, where the risks were lower and the profits higher. Today we have come full circle, with state-sponsored hacking now occurring.
What type of person or group of people hacks a system?
The stereotype of a hacker is some bright kid bored in his bedroom with time and a computer. However, this image is misleading. The age and background of a hacker are wide and varied, and it’s important not to stereotype. A cybercriminal could be just about anyone.
How to protect yourself from cyber attacks
The simple truth is that you can’t!
As a security expert I work with is fond of saying: “Yes, you can protect your data and systems from hackers and cybercriminals! All you have to do is the following: Go to your computer, disconnect it from the network and power. Then put it back in the box it came in and use it to hold a door open!”
It’s important to realise that nobody - not even Sony, Facebook or even the White House - is immune to cyber-attacks. You can only make it harder for hackers and limit the damage they do when they get in. In the same way, you cannot prevent your house from being broken into; you can only make the risk of the perpetrators being caught higher than at the next house on the street, and have insurance to cover you for the damage if they do get in.
Attacks on businesses happen more often than you will probably realise.
In 2007, the year that Twitter was founded, the US government department US-CERT received almost 12,000 cyber incident reports for the US alone. That number had more than doubled by 2009, and according to new statistics from the US Government Accountability Office, it had quadrupled by 2012. The simple truth is that if the cybercriminals are skilled and determined, they will find a way in.
What can I do?
There are some common-sense techniques that you can implement that could dramatically reduce the possibility of you suffering an attack.
Keep your systems up to date, and know when your software and hardware suppliers update their software or firmware (software that lives in the hardware). Unpatched software exposes your information and systems to a higher risk of an attack. The older the product is, the more likely it is that a random attack or known exploit/bug will work.
If your systems (hardware or software) have outstanding patches waiting to be deployed, then unless you have an operational reason for not deploying them, they should be deployed without delay.
- Know when your software or hardware supplier will end support of your products. Microsoft ended support of Windows XP in 2014, and it is estimated that 60% of the world’s PCs are still running this operating system.
- If you have unsupported products then you should look to replace them as soon as possible.
- Limit the amount of old information you hold.
If you need to hold old data but do not use it regularly, store it offline or in an isolated system (not one connected to your network).
Most cyber-attacks come in the form of social engineering. Social engineering is a way of grooming or tricking a staff member into opening an attachment or releasing information that can then be used to access a system.
Reduce this risk by doing some of the following:
- Regular staff training on cyber-awareness (see the UK Gov site and the NCSC site for information).
- Have a good (must be kept up to date) anti-virus solution.
- Use an external email content-checking service; this will remove most spam and malware emails.
- Ask for expert advice and support.
The next most common form of attack is from the “Inside man” threat. The Inside man is where a disillusioned, disgruntled, malicious or corrupt employee uses their position to gain access to information or systems. Once they have access they can use it to disrupt the operation of the system, release private information or extract information for financial gain.
- Don’t let employees collect information (access rights), and remove their access to information if their job changes.
- Limit the amount of information an individual employee has access to.
- Have a ‘need to know’ policy and implement it.
- Add an information / cyber assessment to your HR disciplinary process to identify high-risk employees. So, when looking to dismiss or discipline a member of staff, a risk assessment is undertaken on the amount of access that person has and the damage the staff member could inflict on the business. A view should be taken on the information they have access to and the risks associated with its loss or release into the public domain. It may be necessary to remove access rights to systems, provide closer monitoring or, in cases of dismissal (following HR advice), immediately remove the person from the site.
- Have regular reviews of access rights and remove them if required.
- Disable USB interfaces on devices or limit their use. Remember that most mobile phones have vast memory storage capabilities; 64-128Gb in device storage is not uncommon. How much of your valuable business information can you lose in that amount of storage? That is before considering the risk of a virus/malware infection, which can be introduced to your network by an employee innocently plugging in a phone to charge off your business computers!
There are risks with wireless connections and with knowing who is accessing your network. Using Wi-Fi as if it were a cable connection is a bad idea, even when you have an encrypted network. Your communications will be visible (even though the data is encrypted) to anyone within the broadcast range of the transmitter. You have simply provided a single and remote (low risk) point of attack, so all the hacker has to do is break or find the password used to set up the encrypted connection and they will have access to all traffic.
- Wi-Fi should be used to gain access to the internet directly, and not via the business network.
- Any business services that are accessible from the internet can be used via this connection, in the same way that a device would connect from, say, the coffee shop around the corner. This is known as a DMZ or indirect connection.
- Wi-Fi enabled devices like printers that are connected to the business network should either not be used or have their Wi-Fi components disabled.
- If your business network has sensitive information on it, you may wish to isolate devices like printers and scanners from the main network, connecting to their services via a print server on the other side of a firewall. This type of network design is said to have a compartment architecture.
We hope that these simple tips will help and inform.
This information is provided free and without warranty or acceptance of any liability. By reading this document you agree that IsSoftware Ltd is not held responsible for the implementation or any costs or damages from any loss, whether direct or consequential, from the use of this information.