Offensive cyber activity has increased dramatically over the past weeks, with multiple Russian Government and state-backed hacking groups taking down Ukrainian banking and Government websites and services. As international sanctions against Russia start to bite, it is expected that the scope and scale of these attacks will escalate dramatically.
The Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Report 2021 reports that 99% of all breaches reported by businesses are down to a person falling for a phishing attack or impersonation. That highlights how important we are as individuals in defending our personal and professional lives against exploitation. The good news is that we can do plenty of things to stay safe at work and home. This blog covers some of the basic steps we can take and explains some of the cyber security risks we all face.
Cyber security is always critical to both organisations and us all as individuals. Cyber security professionals think of security in three ways, helpfully summed up as ‘CIA’:
- Confidentiality – protecting information from unauthorised access.
- Integrity – ensuring that the information and data you need hasn’t been modified or corrupted and is as you expected to find it.
- Availability – ensuring that the data you need is there for you when you need it.
In both our personal and professional lives, the threats to the ‘CIA’ of our data are remarkably similar.
Basic steps we can all take to protect ourselves both at home and work
It’s surprisingly common for people to reuse passwords and use familiar words and numbers such as names of family or pets and birth dates. It’s understandable why: no one can remember lots of unique and complicated passwords. Here are a few tips to help with this problem.
At work (hopefully!), complex passwords will be mandated. It’s easier to use and remember passphrases with a few letters changed for good measure, such as – A11waysl00k0nthebr1ghts1de0fl1fe
At home, on your personal devices, always use a password manager to create, store and autofill complex passwords for you:
- On an Apple device, use the iCloud Keychain service. To turn this on, go to Settings > [your name] > iCloud > Keychain.
- On an Android device, go to Settings > System > Languages and input > Autofill service > Add service (LastPass is a popular one).
Be aware of scams and phishing
As mentioned, the vast majority of successful hacks are related to human errors, such as people falling prey to scams and phishing. It’s difficult to pick a lock or break down a door. It’s much easier to ask someone for the key. Phishing attacks can ‘ask’ thousands of people, and they only need one or two to fall for it to make it worth their while. They can look very authentic and appear to come from a trustworthy source.
So, at work and at home, always be alert for an unsolicited approach that may look important or exciting asking you to do something. Think of it like an unexpected person knocking on your door and saying you have a problem, you need to do something urgently, or you’ve won something. You’d turn them away. Do the same if that unexpected interaction happens on the phone, text, social media or email.
Keep your devices secure
To make sure your devices are as secure as possible, always run the latest versions of the operating software (Windows, iOS, etc.) and check you have up-to-date antivirus software running. Use a PIN on your phones and set an automatic screen lock.
Back up your data
Your data can get lost, corrupted, or ransomed. The best defence is to keep an up-to-date separate copy of your data. At work, data stored in business systems, network drives, SharePoint and OneDrive is all backed up for you. However, things stored locally on a device or your laptop’s hard drive are not. It’s the same at home with, say, photos on your phone: if they are backed up or stored in Google Photos or iCloud Photos and you lose your phone, then you can still access your photos. If they are just saved on the device, all the photos are lost forever.
An explanation of the common types of threats
Threats to confidentiality
Phishing is a cyberattack that uses email, phone, or text to entice individuals to provide personal or sensitive information. This ranges from passwords, credit card information and social security numbers to details about a person or organisation. Attackers pose as legitimate representatives to gain this information, which is then used to access accounts or systems.
Spear phishing / Whaling
Spear-phishing attackers methodically target an individual victim to use them as a way into an organisation or to steal information, unlike phishers who target large numbers of people. Whaling is spear phishing aimed at executive-level targets and often involves a more significant investment in time and research.
Like a hunter, the waterhole hacker waits for victims in a place they expect them to gather and attacks them there. For example, rather than trying to compromise a sizeable, well-defended business, the hacker could compromise the local football club website. They assume that some supporters will be employees of the business and will at some point log on to the club website. The hacker can then infect the victim’s machine, gain access to information and use this to access their workplace.
Brute force attack
This type of attack is relatively simple and uses trial and error to guess users’ passwords or PINs. Hackers can run log-on attempts using common passwords and PIN combinations to see if they can get lucky. If the password is ‘Password’ or the PIN is 1234, the hacker doesn’t actually need to be lucky.
This is an umbrella term for ways hackers may coerce you into giving up valuable information. It includes phishing, ‘shouldering’ (looking over someone’s shoulder to see a PIN being entered), posing as a co-worker or making polite conversation while tailgating you into the building.
Threats to Integrity
In a ransomware attack, a business’s data is encrypted and held to ransom. The hacker will demand payment to decrypt the data. These types of attack can be devastating to the targeted business. The global WannaCry attack of 2017 is a famous ransomware example.
Wiper attacks are similar to ransomware attacks; however, the hacker running a wiper attack is not holding the encrypted data to ransom for money. They are just intent on causing damage and destroying or wiping critical data.
Threats to Availability
Distributed Denial of Service (DDoS) Attacks
DDoS Attacks block access to systems and services for users by flooding targeted systems with bogus access requests. When a user tries to log on, they are stuck in a massive queue of fake log-on attempts, thereby denying access.
It’s called a Distributed DoS attack because the bogus log-on attempts are sent from all over the internet. The hacker does this by controlling a BotNet. This is a network of thousands of ‘Zombie’ computers – personal or business computers from all over the world infected with the hacker’s virus. They show no signs of being compromised, and most likely, the owner will not know they are being used.
Like any business, the council wants to be as secure as possible, and we need our workforce to help with this. Vigilance is the most crucial line of defence for any organisation. It’s making sure we’ve locked that door.
So please be extra aware of unsolicited requests, any password or username requests, or just emails that look like they come from someone you trust, but seem a little out of character in the use of language or the nature of what they are asking. Think twice and flag any suspicious activity to your IT support or service provider. It’s so much better to be on the safe side.