Cyber Resilience: your new year’s resolution
We asked leading figures from the world of cyber security to focus on key ways that small businesses and individuals can contribute to their own and their business’s cyber resilience.
Refresh your knowledge of how to maintain your personal cyber resilience by heeding the advice here.
Test your security systems and processes
Commander Chris Greany, National Coordinator for Economic Crime, City of London Police
The City of London Police sees the threat from cyber daily as we run Action Fraud, the national fraud and cyber reporting centre. With the average financial loss from cyber now reaching £45k, we see businesses and livelihoods destroyed, and the most frustrating part of most of these crimes is that they were preventable. Far too many still see the threat as too complex or for others to worry about, and this needs to change.
Businesses of all sizes have plans for emergencies like a fire, with all employees knowing what their role is through robust and tested procedures. But ask many businesses of all sizes and sectors if they have plans for a data breach or some other form of attack, and many will look blank and refer you to their IT department or provider.
Help to test your systems and processes isn’t difficult to find either. The Mayor’s Office for Policing and Crime has set up the London Digital Security Centre, which aims to secure and protect London’s small and medium sized businesses against cyber risks and threats.
Beware of Phisherman
John Wilson, Field CTO, Agari
Just as it is the default business communication tool, email has also become the most popular tool for cyber criminals. Phishing, which sees the criminal impersonate an individual or brand to trick a target, is a cyber-criminal’s preferred method of obtaining sensitive information or money from businesses or individuals. These attacks have become both more sophisticated and more prevalent, and this is set to continue into 2017.
There are a number of methods used with phishing emails. One example is where the perpetrator sends an email from what appears to be a legitimate organisation like a bank or a vendor, with a link to a fake website. Often these websites are infected with malware, a type of malicious software which is able to gain access to your private computer system and gather sensitive information – bank details, credit card numbers and so on. The sender uses something called spoofing, the creation of email messages with a forged sender address, to trick the receiver into thinking it’s from a genuine sender.
A more elaborate, and harder to detect, method is Business Email Compromise (BEC). Again, the email address will be spoofed, usually so it looks as though it is from the CEO or another high ranking executive. The attacker will often target the finance department and request a large amount of money be transferred to pay an invoice, or another similar request. The attacker, posing as the CEO, will give the details of a fraudulent bank account and will often state that they are held up in a meeting and the invoice needs paying immediately to rush the target into skipping usual policies.
One of the largest instances of a phishing attack this year was at Snapchat’s HQ. A scammer sent an email to the payroll department impersonating the CEO and requested confidential information on current and former employees. Neither the targeted employee nor the security team spotted the fake, and the data was handed over.
These attacks should be dealt with using a combination of technology and employee education. Humans are the weakest link, and attackers know this, so they will continue to evolve and develop their methods for deceiving people.
Employee education and training is an important factor in identifying and preventing these breaches. Employees should receive regular training in identifying a number of potential cyber attacks and what to do if they suspect they have detected one. The organisation should have clear policies and procedures in place on how to handle sensitive information and the sharing of it, as well as how to deal with the transfer of funds. However, social engineering techniques are being adopted by the fraudsters to circumvent employee training and company policies. Therefore, emphasis for prevention of targeted attacks must be placed on other, technology-based methods of detecting and blocking these emails from reaching their intended targets.
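The spoofing and BEC patterns described above (forged sender address, executive display name, a rushed payment request) leave traces in message headers and body that a mail filter can check before a message reaches the finance team. The following is an added example written for this article, not Agari's product or any code from the contributor; the company domain, the executive list, the sample messages and the Authentication-Results values are all constructed for the demonstration.

```python
"""Header and body checks for the spoofing and BEC patterns discussed above.

Added example, not the article's or Agari's code. COMPANY_DOMAIN, EXECUTIVES
and both sample messages are constructed assumptions.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed: the organisation's own domain and the executives most often impersonated.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to spot look-alike domains (a swapped or dropped letter).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []

    # 1. Display-name impersonation: a known executive's name on a non-company address.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' used with external address {addr}")

    # 2. Look-alike sender domain: within two edits of the real one, but not equal to it.
    if from_dom and from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_dom}")

    # 3. Reply-To routed somewhere other than the From domain (replies would go elsewhere).
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    # 4. A message claiming the company domain whose SPF or DKIM check failed.
    auth = (msg.get("Authentication-Results") or "").lower()
    if from_dom == COMPANY_DOMAIN and ("spf=fail" in auth or "dkim=fail" in auth):
        findings.append("claims company domain but SPF/DKIM failed")

    # 5. Urgency wording combined with a transfer request, as in the BEC pattern above.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if "transfer" in text and any(w in text for w in ("urgent", "immediately", "in a meeting")):
        findings.append("urgent payment-transfer language in body")
    return findings


# Constructed sample: look-alike domain (digit 1 for letter l), foreign Reply-To, urgency.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-corp.test>
Reply-To: jane.doe@mail-forward.test
To: finance@example-corp.test
Subject: Urgent invoice
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=examp1e-corp.test

I'm in a meeting all day. Please transfer the invoice amount immediately to the account below.
"""

# Constructed sample: genuine internal mail that should produce no findings.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.test>
To: finance@example-corp.test
Subject: Lunch
Authentication-Results: mx.example-corp.test; spf=pass; dkim=pass

Lunch on Friday?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

None of these checks is decisive on its own; a genuine executive may well write "please transfer this immediately". The value is in combining them with the sender-authentication results the mail server already records, so that a message scoring on several indicators is held for review rather than delivered to an inbox.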
Protecting data in the Cloud
Jonathan Sander, VP of Product Strategy, Lieberman Software
The consumer’s view of good security is much like their view of good health – they know they ought to get lots of exercise and use unique passwords on every website, yet they’re not really doing either. They’re both hard to do regularly. One good thing about all the breaches in the news is it has forced news programmes to repeatedly bash good practice into most people’s heads. My aging relatives can tell me they are supposed to use complex, different passwords everywhere and be careful about the emails and links they click on.
While this awareness is growing and it’s encouraging to see, at the same time, people have been given conflicting advice. They’re told to watch out for how much sites like Facebook can invade their privacy, then also that using social login like the now ubiquitous Facebook button may be more secure. They’re told to protect special accounts like their Microsoft or Google account if they use those for their primary email, but then that makes them feel they can’t hit the “Login with Google” button without compromising that security.
Even Apple, which once had the reputation of being the most secure, has been hit with attackers trying to prove it wrong and hacking into celebrity iCloud accounts and leaking personal data.
Clever people can be forgiven for getting easily confused by all the details one has to master to do personal security well on today’s internet. As the internet morphs into the internet of things, pulling in more and more devices to be connected and services to be offered, it’s likely to get a lot more confusing before it’s done.
However, one crucial step people can take to protect their accounts is to use multi-factor authentication whenever it’s available. iCloud accounts, for example, offer Apple ID two-step verification. Most other major online vendors – Google, Amazon, Yahoo, and more – have their own version of this process. The single most common mistake users of public cloud make is to not take advantage of the security protections being offered to them. When you have the option of using two-factor authentication to make cloud storage safer, use it. While it might seem slightly more inconvenient as an extra step to security, think about the data that could be stolen. Locking the door to your house is an extra step, but one that we all know is well worth the extra time it takes.
Keeping your smartphone safe
Richard Patterson, Director, Comparitech
Smartphones have grown from allowing users to simply browse the internet, check email or socialise to doing online banking, shopping and controlling home appliances (and even vehicles) when paired with other devices.
Our smartphones contain sensitive information from personal photos to business contacts and password logins. And due to people’s reliance on and wide usage of those devices, they have become an appealing target for cyber criminals. Thus, understanding how to keep smartphones safe is crucial.
First of all, make sure that the manufacturer (Google, Apple, etc.) hasn’t granted unnecessary access to any private data. Indeed, every time you install a new app, don’t just scroll past the permissions page and hit accept. Especially if the app is from a less well-known publisher – ask yourself whether it really needs all those permissions. In addition, you could switch off permissions such as location tracking or access to camera/microphone as these are features that you don’t need all the time.
VPNs are another important aspect to consider when looking at mobile device protection, because they aim to encrypt internet traffic to and from a device, in order to keep web browsing and app usage private. Indeed, many socialising apps such as WhatsApp, Viber, Snapchat and Facebook Messenger have some level of encryption. Yet whether your messages remain private depends on how difficult it is for a hacker to reverse engineer the app or how easily the company gives in to government coercion.
With all the recent cases of IoT devices being hacked due to weak passwords, the importance of strong passwords in smartphone security is undeniable. In addition to having strong, varied passwords, you could use a password manager that encrypts and stores all passwords into a single app.
When you’re backing up your phone data in case your phone is lost or stolen make sure all sensitive information is encrypted. Boxcryptor, Viivo and Cloudfogger all make free apps that you can use to encrypt files locally before uploading to your cloud storage. Similarly, always remember to remove your SIM card when repairing your phone, as it can be used to make purchases or sign up for accounts.
Finally, keeping the device software up to date will nullify vulnerabilities in deprecated or obsolete older versions. We recommend you stick to the latest stable release, but there’s generally no need to use beta or nightly versions that are still being tested.
Modern-day Dick Turpin – Ransomware
Troy Gill, Manager of Security Research, AppRiver
Ransomware catapulted into the news in 2013 when CryptoLocker started holding people’s files to ransom. Since then, we’ve seen a number of other programs making a name for themselves. With unprecedented levels of ransomware circulating this year, victims have to make the hard decision of losing their data or paying the cyber criminal’s demands.
Or do they?
What is Ransomware?
Ransomware pretty much does what it says on the tin. It is a malicious program that encrypts a victim’s computer and then displays a message from the criminals demanding payment in return for the decryption keys. Having paid, the victim receives a file that will unlock the machine – if they’re lucky.
How serious the problem is depends on which ransomware is involved. Locky and Zepto are still some of the reigning champs, as far as ransomware volume goes, but here are a few others making a name for themselves:
Princess: this ransomware stands out due to its high ransom price and the pink tiara it boasts once you are infected. The usual asking price for most ransomware is around the $300 mark; however, Princess has a starting price of around $1,800. If you’re too slow to pay, that doubles to around $3,600 (or 6 bitcoins) to get the key.
EduCrypt: this one was aimed at teaching users a lesson as, once the virus ran and encrypted files, it would let the user know that a key had been hidden on their computer and they just needed to find it to get their files back and decrypt them. The note that pops up carries the often-recommended advice not to download random things from the internet.
Internet of Things Ransomware: Hackers were able to demonstrate that they could successfully infect a thermostat with ransomware. While this is a very specific situation with a certain model of a thermostat, it brings up a point that security researchers have been trying to bring to light: the Internet of Things can be a security nightmare.
MarsJoke (aka Polyglot): The newest ransomware, this one is aimed at targeting government agencies and educational institutions. The attack has mainly been seen via links in email messages that lead to the malicious download.
If you’re unlucky enough to fall victim to the modern-day highwaymen, and are thinking of paying the demands, remember that these thieves are often associated with larger criminal organisations, which use your money to fund their illegal activities.
Instead, before you do anything else, take the time today to back up your files, update your software and hardware, and make sure you have layered security, then you won’t find yourself caught between a rock and a hard place.
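Because ransomware, as described above, replaces readable files with encrypted ones and drops a note demanding payment, both effects can be spotted on disk: encrypted content has near-maximal byte entropy, and the note reuses a small vocabulary. The sweep below is an added example written for this article, not AppRiver's or any contributor's code; the thresholds, the note markers, the `.locked` extension and the sample directory it builds are constructed assumptions rather than the indicators of any real family.

```python
"""A 'has ransomware been here?' sweep over a directory tree.

Added example, not the article's or AppRiver's code. Flags files whose bytes
look encrypted (Shannon entropy near 8 bits/byte) and text files that read
like ransom notes. Thresholds, markers and the sample tree are assumptions.
"""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds: natural text sits around 4-5 bits/byte, ciphertext above 7.5.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 1024  # tiny files give noisy entropy estimates, so skip them
# Assumed phrases; a real deployment would maintain this list from observed notes.
NOTE_MARKERS = ("your files have been encrypted", "decrypt", "bitcoin")
# Formats that are legitimately high-entropy and would otherwise cause false positives.
SKIP_SUFFIXES = (".zip", ".gz", ".jpg", ".png", ".pdf")


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a single repeated byte, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """True when a text-like file contains at least two of the marker phrases."""
    if path.suffix.lower() not in (".txt", ".html", ".hta"):
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(marker in text for marker in NOTE_MARKERS) >= 2


def scan_tree(root: Path) -> dict:
    """Return {'encrypted': [...], 'notes': [...]} of suspicious paths under root."""
    result = {"encrypted": [], "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            result["notes"].append(str(path))
            continue
        if path.suffix.lower() in SKIP_SUFFIXES or path.stat().st_size < MIN_SIZE:
            continue
        with open(path, "rb") as fh:
            sample = fh.read(65536)  # the first 64 KiB is enough to judge entropy
        if shannon_entropy(sample) > ENTROPY_THRESHOLD:
            result["encrypted"].append(str(path))
    return result


def demo() -> dict:
    """Build a constructed sample tree, scan it, and return the base names found."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext bytes
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed: a document 'encrypted' into random bytes and renamed.
        (root / "report.docx.locked").write_bytes(bytes(rng.getrandbits(8) for _ in range(8192)))
        # Constructed: an untouched plain-text file.
        (root / "minutes.txt").write_text("Board minutes\n" * 200)
        # Constructed: a note using the assumed marker phrases.
        (root / "README_DECRYPT.txt").write_text(
            "All your files have been encrypted. Pay 6 bitcoin to decrypt them.")
        found = scan_tree(root)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}


if __name__ == "__main__":
    print(demo())
```

Run periodically against a file share or a backup target, a sweep like this turns the "back up your files" advice into something checkable: if the newest backup already contains high-entropy versions of documents and a note alongside them, the clean copy is an older one, and that is worth knowing before the ransom deadline rather than after.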