Following the recent cyber attack that disrupted IT services and computers, it is vital that users are aware of potential weaknesses in their company’s IT systems and are prepared for incoming threats.
ECT expert Shane Johnson discusses the development of cyber security and what individuals and organisations need to do to keep their data – and their clients’ data – safe.
Cyber security has evolved drastically since it was first developed. People often associate cyber security with computers, but it has a far broader application than that. The first recorded instance of a cyber attack was in 1903, when magician Nevil Maskelyne disrupted John Ambrose Fleming’s demonstration by sending insulting Morse code messages that were projected onto the auditorium’s screen!
Modern-day hackers have had 114 years to upgrade and improve at breaking down cyber security systems. Tools and methods for hacking have multiplied as the internet has grown, and it is now much easier to attack a business or an individual in this way. Pre-packaged tools of this kind have become known as “exploit kits” and are designed to exploit human weakness or vulnerabilities in your PCs or servers; those who operate them have been dubbed “script kiddies”.
Effective cyber security is not necessarily about protecting a network, as most hackers will not attempt to attack a network directly but will instead target a website or a server. Accessing networks is more difficult for hackers, as most individuals and businesses have a firewall in place, which is difficult to penetrate.
Minimum cyber security requirements for a network should be as follows:
Intrusion Detection System / Intrusion Prevention System
Web Filtering Software
Businesses can incur huge fines for failing to protect and handle data effectively. The PCI Security Standards Council is now urging all businesses to ensure they meet the requirements necessary to keep their data secure, especially since there will be new charges and fines under EU data protection laws. These new laws could see businesses immediately bankrupted, with up to £122 Billion in fines.
A staggering 90% of large businesses declared security breaches in 2015, which led to an estimated 1.4 Billion in losses due to the fines incurred. The current penalty for a data breach is £500,000; however, by 2018 the European Union’s General Data Protection Regulation (GDPR) will have introduced new fines of a minimum of €20 Million or 4% of the business’s annual turnover, whichever is the greater.
Communications giant T-Mobile was hacked in 2013 and the data of 15 million users was breached. The health care industry was also targeted, with hacked companies including Premera Blue Cross (11 million customers affected), Anthem (80 million customers affected) and CareFirst (1.1 million customers affected).
Other well-known companies such as Ashley Madison, Sony, Home Depot, JP Morgan, eBay, Amazon, TalkTalk and Target have had data breaches in the last five years. Cases such as these demonstrate the increasing need to counter the rising threat of cyber security breaches effectively. Too many companies seem to believe that because they are big they are harder to take down – this complacency risks both their finances and their reputation.
There are various methods to keep your data secure. For example, you can use a technique called “hardening”, which is very much like the structure of a conker: the good stuff is inside, but on the outside is a hard shell that takes longer to crack. With logging software in place, any attempt to access the hardened network is recorded, allowing the hacker to be traced.
Furthermore, by making use of VPNs and encrypted connections, and by authenticating access through a RADIUS server, you can add security to networks and make it much harder for a hacker to get in – many hackers simply will not want to invest too much time in breaking into a secure system. Moreover, the longer a hacker spends inside a system, or trying to break into one, the greater their chance of getting caught.
Another method, referred to as the “honeypot”, is a clever way of tricking a hacker or attacker. With the right software in place, any connection into or out of a network can be traced. An area of the network is therefore created that is deliberately vulnerable. When the hacker attacks, they go straight to that vulnerable area – once there, they grab the files and leave. Only later do they realise the files were worthless, and by then they have left behind a trace of their attack!
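To show how the logging behind the hardening and honeypot points above turns a decoy into a trace, here is an added example (not from the article or ECT): a small detector that reads web-server access log lines and reports every source that reached the decoy area and which decoy files it downloaded. The log format, the decoy path prefix `/backup/` and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag and trace requests into a deliberately exposed decoy area of a website."""
import re
from collections import defaultdict

# Combined/common access-log layout as written by typical web servers (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The "deliberately vulnerable area": nothing legitimate is ever linked from here,
# so any request under this prefix is an alert rather than a maybe. (Assumed location.)
DECOY_PREFIX = "/backup/"


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoy_hits(lines, prefix=DECOY_PREFIX):
    """Map each source IP to its requests into the decoy: (timestamp, method, path, status)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(prefix):
            hits[rec["ip"]].append((rec["ts"], rec["method"], rec["path"], int(rec["status"])))
    return dict(hits)


def files_taken(hits):
    """Per source, the decoy files actually served (successful GETs): the trace left behind."""
    return {ip: sorted({p for _, m, p, s in recs if m == "GET" and 200 <= s < 300})
            for ip, recs in hits.items()}


SAMPLE_LOG = [  # constructed sample lines; addresses are from documentation ranges
    '203.0.113.7 - - [12/May/2017:10:01:02 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2017:10:01:09 +0000] "GET /backup/ HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/May/2017:10:01:11 +0000] "GET /backup/customers.sql HTTP/1.1" 200 40960',
    '198.51.100.2 - - [12/May/2017:10:02:00 +0000] "GET /about HTTP/1.1" 200 700',
    '203.0.113.7 - - [12/May/2017:10:01:15 +0000] "GET /backup/config.bak HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    hits = decoy_hits(SAMPLE_LOG)
    for ip, taken in files_taken(hits).items():
        print(f"ALERT: decoy accessed from {ip}: {len(hits[ip])} requests, downloaded {taken}")
```

The normal visitor never appears in the output; only the source that entered the decoy is reported, together with the exact files it took.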
If a network is secure, hackers will sometimes target users of the network instead – this is known as social engineering.
Recent trends have seen the rise of social engineering, which has evolved from a simple email asking people to click on a link to social engineering carried out through internet browsing.
Phishing is the oldest method in the book and, as the name suggests, is the simple approach of sending an email or something similar and hoping to get information from the user.
Vishing is phishing in the form of voice calls: someone contacts you over the phone, pretending to be from a bank or an insurance company, for example.
Smishing is a newer form of phishing carried out by SMS: you receive a text message that looks like it is from your bank, asking you to phone a number to verify your identity or to provide other personal information.
Whaling is where a social engineer targets a CEO or someone in a similar role in a business to get financial or other business information.
Spear phishing (similar to the Moby Dick story) is where a social engineer targets a specific person or business and tries to gain information from them.
All this information can lead to identity theft, which can cost both individuals and businesses dearly. It is also very difficult to reclaim the lost information or funds, since the information appears to have been willingly given.
Understanding the different forms of phishing and social engineering is the first step to tackling this threat. Remember that even the smallest piece of information, such as the password to a user account, can be enough to give hackers access to much more (such as encrypted data and even encrypted networks).
Recognising cyber threats and being able to protect your organisation from online attacks is now a requirement for operating a sustainable business. If you would like to learn more, the ECT is running regular training workshops to support individuals and businesses in protecting their data from potential threats.
For more information on how to protect yourself and your organisation, please email [email protected]
If you would like to consult with an Expert and discuss practical steps to keep your IT systems safe from cyber attacks, please visit https://theECT.org/cyber-security-essentials-for-businesses/ for more information on upcoming training workshops.