It's that time of year again, so we've put together four of the most common user-targeted security threats to look out for.
Social engineering can come in many forms in the cyber world. These cunning tactics can happen over the phone, by email, or even in person. But socially engineered malware is one technique with which cyber criminals are striking gold - hundreds of millions of successful attacks each year.
How it works:
Often led by data-encrypting ransomware, socially engineered malware is the number one method of attack. Your end user can be tricked into running a Trojan horse program on a website they often visit. The legitimate website, which the user would otherwise trust, is temporarily compromised to deliver malware instead of the normal website code.
The malicious website can instruct the end user to install harmful software that is ‘required’ in order to visit the site, or that they must run some (fake) antivirus software. Security warnings may pop up, but the unsuspecting victim is encouraged to click past any notifications or defences that may arise.
How to combat this attack:
An up-to-date anti-malware program is a basic and simple measure to take, but on its own it is not enough. Strong, ongoing employee education on the cyber security risks they and their companies face is vital.
Raising awareness of how to spot the warning signs of these types of damaging emails, and of how they should be reported, should be just as common a practice as installing security software.
In one of our more recent blogs, we covered the damning statistics of phishing attacks - and the figures we found can be pretty nerve-wracking to look at. The prevalence alone of these emails is terrifying (60-70% of emails are spam, most of which are phishing attempts), but the lengths to which these emails are designed, and the level of detail in them, are even more damaging.
How it works:
Phishing emails come in all types of styles, but they mainly aim to encourage the recipient to part with credentials or other sensitive information. They can be delivered through mass-mailing attacks that cast a wide net in the hope of catching a number of victims.
Or, they can be detailed templates that act on prior knowledge of a victim, in what is often known as ‘spear phishing’. High-level executives aren’t immune either, with ‘whaling’ attacks using similar techniques to target the big fish of organisations.
In a recent report we conducted on spear phishing, the level of compromised credentials grew massively compared to the more basic and generic email templates - and it was all down to a small level of prior research on our client’s users.
How to combat the attack:
One of the most underused methods of countering criminals who phish for login credentials is with added security layers such as two-factor authentication (2FA). If you enable something stronger than a simple username and password, you stand a much better chance of beating the password-phishing game.
Of course, end users also need to be educated on the threats of phishing. The fact that over 90% of successful cyber security breaches either originate from or contain an element of human error is something we can’t brush under the rug.
Anti-phishing tools such as phishing simulators, as well as e-Learning platforms, are proven to significantly improve a business's human firewall.
In a modern world of socialising online, many of us often give away more information about ourselves than we realise. Social sites such as Facebook, Twitter and LinkedIn put us within arm's reach of strangers on a daily basis, and we’ve all received an odd friend request at some point.
How it works:
Accepting these requests from accounts you don’t recognise can be the first step to parting with sensitive information to a potential cyber criminal. Hackers love to exploit an employee’s personal social media accounts in order to obtain credentials that might be shared across their corporate login details.
There's also the threat of malicious ads, otherwise known as ‘malvertising’. These ads can direct users to malicious sites that aim to obtain usernames and passwords.
How to combat this attack:
When a social media account is hacked, it is often the owner of the account who is last to know. The person's online friends or network can raise concerns to the account holder that something may have been posted or shared that is strange or spammy - it’s important here that the end user knows how to report a hijacked social media account. Again, setting up 2FA is a good early step to ensuring that an account is considerably safer.
Also, many end users are still in the mindset that social media is completely separate from work. It’s important to educate and inform employees of the social media risks they face, and to reinforce the fact that they should never reuse their passwords for corporate devices/networks.
Software with unpatched vulnerabilities is another (quite frustrating) type of attack vector. Even with vulnerabilities that can be easily patched, many businesses still fail to ensure that they’re adequately covered - leaving huge, unnecessary risks.
How it works:
The most common unpatched and exploited programs are browser add-in programs like Adobe Reader and other programs people often use to make surfing the web easier. This type of issue isn’t anything new and has actually been around for many years now.
How to combat this attack:
It’s well known that better patching is a great way to decrease risk - try to become one of the few organisations that actually do it. Better yet, make sure that you’re 100% patched on the programs most likely to be exploited versus trying unsuccessfully to be fully patched on all software programs.