Imagine you arrive at work one day to find everyone in the office standing around and chattering loudly, while row after row of computer screens flash a ransom message. Someone quickly approaches and breathlessly informs you: “We’ve been hacked!”
The in-house IT security expert explains over the din that what the company has just experienced is a denial-of-service attack—likely perpetrated by a hacker who got past the firewall using sophisticated hacking techniques. As the security expert talks, FBI agents and TV reporters start filing into the office. Over the dull roar, you can barely hear the IT guy explaining to the agents “…they stole every last bit of bytes from the company’s servers and hard drives!”
Or maybe not. While this scenario would make for a heart-pounding episode of “CyberCop,” cyberattacks are usually a lot quieter and less dramatic. Indeed, the majority of companies never even report cyberattacks, largely because of the negative publicity that would likely ensue.
All that being said, the main problem with this scenario is the nature of the attack itself. While a handful of hackers use sophisticated techniques, most do not need to. The reason is human nature: most people are easily duped, and they fall for the same tricks, again and again.
The most common, and usually most successful, cyberattacks are known as “social engineering attacks.” These attacks take advantage of human weakness to trick victims into giving out sensitive information, providing access to data, or allowing someone to enter a building without verifying his or her identity. Phishing scams and ransomware are types of social engineering attacks that can be highly successful, even when the threat of encrypting a victim’s data may actually just be a bluff.
What can a “regular person” do to thwart the most common cyber threats? For starters, it’s important to realize that hackers have basically two types of targets: easy ones, and just-slightly-harder ones. This means that the hackers who go after regular folks will most likely use techniques that are easy to deploy, unsophisticated, and inexpensive.
If the hacker has a lot of time and money—let’s say he’s a member of an organized crime syndicate or on the payroll of a foreign government—then he can resort to the rarer, more time-consuming, expensive, and sophisticated attack methods. If you are not a bank or a voting machine, you probably don’t have to worry about this type of hacker.
Most of us need to worry about low-complexity cyberattacks, including ransomware, compromised credentials, extortion schemes, and exploit kits. The following list, adapted from Adam Meyer’s column in Security Week, explains how you can protect your company (and yourself) from these threats:
- Ransomware: This type of malware, which can be introduced through infected file attachments, encrypts a target computer’s files, or even the entire hard drive. To prevent ransomware, you should scan email attachments, restrict administrator privileges, install patches and updates, and limit users’ ability to disable “inconvenient” security features.
- Compromised credentials: Passwords can be stolen, or cracked easily, especially when they are reused. Using two-factor authentication, coupled with strong passphrase generation and management, will lower the risk. (Passphrases are more secure than passwords, so be sure to use them.) Automatic passphrase resets also help force users to change their passphrases regularly.
- Extortion: This occurs when an attacker steals information from an organization and threatens to expose it online unless he or she is paid. The attacker usually “exfiltrates” (that’s a 20-dollar word for “steals”) information by exploiting vulnerabilities in social media accounts and by using software “backdoors.” There are tools that examine data leaving a computer or server, and these tools can alert an administrator to unusual activity – but the best way to avoid extortion is to limit the amount of potentially embarrassing material stored on your system.
- Exploit kits: These are software programs designed to run on web servers, which then exploit vulnerabilities found on client machines. Anti-phishing software and patches that target common CVEs (Common Vulnerabilities and Exposures) should be installed. Lists of CVEs are regularly updated, so organizations can add them to their exploit libraries in order to protect against them.
And don’t forget: Train your users in cybersecurity on a regular basis, using real-life scenarios and fresh, engaging content!