What on earth is that and what’s it got to do with my organisation and me?
Well, everything, I’d say. Let me explain:
I recently heard a security guard on a site I was visiting describe his frustration at trying to keep trespassers out in the evenings as “like an onion with holes”. When asked what he meant, he said that every time he put up a new barrier, someone found yet another way through. But now, with several deterrents in place, each targeting a different area and all working together alongside the guard’s own surveillance, they were finally getting the desired results. The more I thought about this, the more I came to think it also applies to cybersecurity in the IT world. Today IT systems worldwide, from a one-man band to a large multinational company, are under constant threat from many different and increasingly clever kinds of attack. Some you may have heard of in the news, others you may not. Some of the ones we come across include:
· Deceptive Phishing. This is the most common type of phishing scam, whereby fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing the attackers’ bidding. For example, eBay scammers might send out an attack email that instructs the recipient to click on a link in order to rectify a discrepancy with their account. In actuality, the link leads to a fake eBay login page that collects the user’s login credentials and delivers them to the attackers.
· Spear Phishing. Some phishing attacks use personalisation. For instance, fraudsters customise their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. The goal is the same as deceptive phishing: lure the victim into clicking on a malicious URL or email attachment so that they will hand over their personal data. Spear phishing is especially commonplace on social media sites like LinkedIn, where attackers can use multiple sources of information to craft a targeted attack email.
· Whaling or CEO fraud. Spear phishers can target anyone in an organisation, even top executives. That’s the logic behind a “whaling” attack, where fraudsters attempt to harpoon an executive and steal their login credentials. In the event their attack proves successful, fraudsters can choose to conduct CEO fraud, the second phase of a business email compromise (BEC) scam, where attackers impersonate an executive and abuse that individual’s email to authorise fraudulent wire transfers to a financial institution of their choice. Whaling attacks work because executives often don’t participate in security awareness training with their employees.
· Targeting colleagues or friends. People are often wary of giving out their own information but will often give out other people’s. Recently I heard of someone who had been the victim of identity fraud; when it was investigated, it turned out his PC had been hacked and his email contacts had all been sent one of various questions, such as “Oh, I’ve forgotten Fred’s birthday and I don’t want to miss sending him a card, could you tell me?” or “What’s Fred’s address? I need to send him something but don’t want to ask him as it’s a surprise.” In this way the sender gets a full set of information, which they can then use to set up fake accounts, amongst other things.
· Firewall Penetration Attack. It is very easy to find out a company’s public IP address. Attackers will then set up a system to look for open ports or weaknesses in your company’s firewall. This could mean your firewall crashes, stopping all internet traffic, or, worse, if an open port is found they could be on your network looking at unsecured data, trying to attack a server or placing a virus.
The above are just a few of the many ways information is illegally obtained, and I haven’t listed things like ransomware, false encryption or popup attacks, amongst many more; otherwise this would be a very long and boring document and you might never turn your computer, tablet or smartphone on again.
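To make the deceptive-phishing pattern above concrete from the defender’s side, here is an added example (not DCS’s code, and not from any product) that runs three simple indicator checks over a message: a display name that claims a brand while the sender’s address belongs to a different domain, urgency language in the subject, and a link whose visible text is one address while its real href points somewhere else. The sample messages, the brand-to-domain lookup table and the urgency word list are all constructed for this illustration; the `.example` domains are reserved documentation names.

```python
"""Phishing indicator checks over constructed sample e-mails (added example, not DCS's code)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the "discrepancy with your account" scam described above.
SAMPLE_PHISH = b"""From: "eBay Customer Support" <support@ebay-account-verify.example>
To: fred@example.org
Subject: URGENT: discrepancy with your account - action required within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We found a discrepancy with your account. Sign in to avoid suspension:</p>
<p><a href="http://signin.ebay-account-verify.example/login">https://www.ebay.com/signin</a></p>
</body></html>
"""

# Constructed benign message used to show that ordinary mail produces no findings.
SAMPLE_CLEAN = b"""From: "Fred Bloggs" <fred@example.org>
To: jane@example.org
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Are you free on Thursday? Menu: https://cafe.example.org/menu
"""

# Illustrative lookup table (assumption): brand keyword -> the domain that brand really uses.
BRAND_DOMAINS = {"ebay": "ebay.com", "paypal": "paypal.com"}
# Illustrative urgency phrases (assumption); a real filter would use a tuned list.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspend", "suspension", "verify your account")


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude brand-level domain: the last two labels (www.ebay.com -> ebay.com).
    A production check would consult the Public Suffix List; this is a simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, tolerating text that omits the scheme."""
    target = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return urlparse(target).hostname or ""


def phishing_indicators(raw_message: bytes) -> list:
    """Return a list of human-readable indicator strings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # 1. Sender identity: display name claims a brand, but the address domain is someone else's.
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in sender.display_name.lower() and sender_domain != real_domain:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Threats and urgency in the subject line.
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))

    # 3. Links whose visible text looks like one address while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            if not href:
                continue
            shown = host_of(text) if ("." in text and " " not in text) else ""
            if shown and registrable_domain(shown) != registrable_domain(host_of(href)):
                findings.append(f"link text shows {shown} but href goes to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, phishing_indicators(raw) or "no indicators")
```

None of these checks is proof of phishing on its own; the value is in scoring several weak signals together, which is exactly the onion idea applied to mail filtering.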
How can you protect yourself and how can DCS help?
So, back to that onion: think of all your devices right in the middle, then each subsequent layer is a different type of protection. Physical, mental, cloud-based, it doesn’t matter; each layer is there to stop a certain set of attacks, letting others through to be stopped at another layer. Some of the layers could include:
· A reputable, functioning and up-to-date anti-virus product installed on ALL your servers and workstations.
· Any portable devices should be encrypted so that if a device is stolen the data is unreadable; this also helps with GDPR compliance.
· Strong password policy: passwords should be changed for both administrators and regular users. They should be of a complex nature – something like Password1 is weak, whereas a coded version of a phrase like “Sunshine In Doors”, e.g. “SunSh1n3!nD00rs#4”, is much stronger, and if the phrase means something to you, you have a chance of remembering it!
· 2FA: two-factor authentication can be set up for high-risk users or on important devices, giving a second level of login security.
· Your IT system should be protected from external attack with a firewall.
· Educate your end users with security awareness training to identify suspicious e-mails and not to open e-mails from an unknown or unusual source.
· Ensure daily offsite backups of your data take place. If you have a backup of your data, you cannot be held to ransom! Also, don’t forget any data on users’ local machines. The backup routine on your server would not normally back this local machine data up.
· Internal accounting procedures should be put in place to stop accidental payments.
Want to know more? Why not join us for our FREE Cyber Security Workshop on 16th October 2018? REGISTER HERE. The day concludes with a complimentary lunch.