Three common ways hackers gain access and how to defend against them
3 ways hackers gain access: social engineering (e.g., phishing), targeted attacks (e.g., spear-phishing), and network exploits (e.g., DDoS). Defend with end-user training, multi-factor authentication, device security, and better firewall protection.
Let’s be honest, at this point, you or someone you know has been hacked or suffered through a computer virus or malware.
From Facebook passwords to bank accounts, we’ve all felt the growing struggle of keeping our digital identities secure. Websites require passwords of different lengths, with and without certain characters, that need to be changed at varying intervals. Some apps use fingerprints, some send codes, others email you links. It’s a hassle to keep up with.
Meanwhile, businesses face growing friction with end-users as they enforce stricter security policies while trying to protect petabytes of data, intellectual property, and personally identifiable information for every employee and every customer. IT departments are racing to keep up with new threat trends and end-users are left feeling exhausted from excessive security measures that may or may not be successful. But without the right tools and processes in place, your network is vulnerable to potentially irreparable damage.
So let’s talk about the three most common ways hackers gain access to your network and how you and your end-users can help defend against them.
Social engineering is accomplished by manipulating people into providing privileged or private information. There are a few popular ways to achieve this, including baiting and scareware, but for a business, the most common possibility is phishing.
Phishing can be done through texts, social media, phone calls, websites, and email. Typically:
- The message looks like it’s coming from someone they know
- The message is sent with a high level of urgency
- The goal is theft or sabotage:
  - If theft, they may ask for a payment or login details
  - If sabotage, the message contains links or attachments that corrupt the device
These attempts are sent out in droves to increase an attacker’s chance of success. And, if done by a sophisticated hacker, the fake legitimacy of the messages can run several layers deep.
Phishing attacks in the news
From 2013 to 2015, Facebook and Google lost over $100 million. The hacker, Evaldas Rimasauskas, created a fake company that posed as an actual client of his victims, and invoiced them repeatedly over two years. The scam included documents that appeared to be signed by top executives at both companies. Eventually, Google and Facebook caught on, Rimasauskas was jailed, and they recovered only half of what they lost.
While this was a large-scale attack on high-profile targets, these attack types are just as common at smaller and mid-sized organizations. According to a recent study, in 2022, the typical mid-market company can expect to face between 56,000 and 86,000 attacks – that’s five to seven attacks, per employee, per month.
How to defend against phishing attacks
In this situation, end-user training is critical. Your employees need to see as many real-life examples as possible. They should become a line of defense, flagging anything and everything that looks suspicious. If the email address is formatted weirdly, if an executive is reaching out to someone directly for the first time with a strange request, if an attachment seems suspect or a link looks off, they need a clear process to follow to report the potential scam. And to ensure their training keeps up with trending phishing scams, send test messages and offer additional training where needed.
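As an added example (not code from the original article), the indicators listed above turned into a small triage scorer for emails that end-users report; the known-domain list and both sample messages are constructed, and the three-flag threshold is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains the organisation already corresponds with (hypothetical).
KNOWN_DOMAINS = {"example-corp.com", "acme-supplier.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|asap|right away|final notice)\b", re.I)
REQUEST = re.compile(r"\b(wire|invoice|payment|gift card|password|login|verify your account)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

def lookalike(domain: str) -> bool:
    """Flag a sender domain that is close to a known domain but not equal to it."""
    if domain in KNOWN_DOMAINS:
        return False
    # Undo a few common character swaps (1 for l, 0 for o, rn for m) before comparing.
    norm = domain.replace("1", "l").replace("0", "o").replace("rn", "m")
    return norm in KNOWN_DOMAINS

def score_message(raw: str) -> dict:
    """Count the phishing indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    flags = []
    # "Looks like it is from someone they know": display name claims a known org, address does not.
    bare_name = re.sub(r"\W", "", name.lower())
    if domain and domain not in KNOWN_DOMAINS and any(
            re.sub(r"\W", "", k.split(".")[0]) in bare_name for k in KNOWN_DOMAINS):
        flags.append("display-name-mismatch")
    if lookalike(domain):
        flags.append("lookalike-domain")
    if reply_to and reply_to.rsplit("@", 1)[-1] != domain:
        flags.append("reply-to-differs")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency")
    if REQUEST.search(body):
        flags.append("payment-or-credential-request")
    if LINK.search(body) or any(p.get_filename() for p in msg.walk()):
        flags.append("link-or-attachment")
    return {"flags": flags, "score": len(flags), "report": len(flags) >= 3}

# Constructed sample messages: one lookalike-domain invoice scam, one legitimate invoice.
SUSPICIOUS = """From: "Acme Supplier Accounts" <accounts@acme-supp1ier.com>
Reply-To: billing@mail-relay.example.net
To: ap@example-corp.com
Subject: URGENT: overdue invoice
Content-Type: text/plain

Please process the attached invoice immediately and confirm payment via
https://acme-supp1ier.com/pay
"""
BENIGN = """From: "Acme Supplier Accounts" <accounts@acme-supplier.com>
To: ap@example-corp.com
Subject: Invoice for March
Content-Type: text/plain

Attached is the invoice for March. Thanks.
"""
```

A single indicator (a real supplier mentioning an invoice) is not enough to escalate; several together are what the reporting process should catch.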
From an IT perspective, you should, at a minimum:
- Ensure all devices include security software, like antivirus, firewalls, and spam filters
- Block end-users from common and potentially malicious websites
- Utilize patching services to ensure the software is up to date
- Build proper BYOD policies
- Require multi-factor authentication
- Deploy tools like Microsoft’s Attack Simulation Training or KnowBe4 to send test scam emails to end-users and flag points of failure for additional training
Targeted attacks come in the form of spear-phishing or whale phishing. The methods here are the same as phishing, but instead of sending out messages to every user across multiple companies, this attack targets a high-profile employee with highly privileged access to company data.
Targeted attacks in the news
In the Equifax data breach of 2017, hackers obtained the personal data of 148 million Americans. That information, including names, addresses, birth dates, Social Security numbers, credit card numbers, and driver’s license numbers, was then shared on the dark web for anyone to find and use.
This type of data dump can lead to situations like Colonial Pipeline’s cyber attack in 2021, where hackers used a single password to disrupt fuel supplies to the U.S. Southeast.
How to defend against targeted attacks
Don’t allow exceptions to the rules. Oftentimes, C-level employees request leniency in security for the sake of convenience – this is mistake #1.
Additional defense tactics include:
- Create safeguards for travel
- Assess personal cyber security threat levels
- Use tools like LifeLock or Identity Guard to monitor for identity theft and monitor the dark web for data leaks
- Continue to enforce password protection through multi-factor authentication or magic links
While phishing attempts rely on the potential for human error, some hackers prefer to exploit your network through applications. This could mean hacking an IoT device or initiating a Distributed Denial of Service attack to overwhelm your servers.
IoT devices are internet-connected smart devices, like Nest thermostats and Alexa devices, that regularly collect large amounts of data from their environments and users. Hackers will either install malware on the device or harvest as much personal data as possible – email addresses, passwords, password reminder phrases – anything they can use to attack larger company data and/or steal whatever money they can find.
IoT device hacks in the news
In 2013, Target exposed millions of customer credit card numbers and ended up paying $18.5 million over the breach. The hackers got into Target’s network through its internet-connected air conditioning (HVAC) supplier.
In 2015, two researchers proved that Jeep vehicles could be hacked, connecting to the vehicle through Uconnect and taking control of the brakes and accelerator while the vehicle was going 70 mph.
How to defend against IoT device attacks
There are two important steps to thwarting these types of attacks:
- Device security – enforce strong password requirements, encryption, and multifactor authentication
- Patching – update firmware on your devices regularly to ensure security loopholes are closed
Distributed Denial of Service (DDoS) attack
A DDoS attack is an attempt to overwhelm a website with an unmanageable amount of traffic, making the site unavailable to legitimate users. In this case, the damage comes in the form of lost revenue and diminished brand trust.
DDoS attacks in the news
In 2016, the digital world went into a panic as Twitter, Netflix, Reddit, CNN, and many other sites all went down for hours during the infamous Mirai botnet attack. The DDoS attack used a network of infected devices to flood servers with so much traffic that they collapsed. Because the Mirai botnet was made up mostly of IoT devices, it used personal digital cameras, DVRs, and the like to generate the traffic needed to bring the sites down.
How to defend against DDoS attacks
Build better firewall protection, both at the office and at home. Top firewalls on the market, like Fortinet, Palo Alto, and Cisco Meraki all offer critical security and prevention features like:
- Intrusion prevention, which scans traffic coming in and out of your firewall to check for and block malicious actors
- Honey pot, which gives you a fake network that hackers can access, alerting you to and blocking the attack from your real network
- Content filtering, which stops users from going to malicious websites
- ASIC processors, which handle network traffic more efficiently and more securely
- Scalability, with a suite of connected products to build additional layers of security as your company and number of connections grow
At home, there is a much greater challenge. Most homeowners do not adjust security settings in their network, primarily because they don’t know how, or even that they should. Take time to educate your end users on how to improve the security of their home networks, especially if you have BYOD policies in place.
Malware + Viruses
Malware, short for malicious software, is designed to harm a system or exploit data. The software is activated through phishing emails, fake websites and apps, USB devices, and adware. Typically, these attacks are done with one of three motives:
- Take over a machine, network, or server through viruses or worms
- Hold files hostage until financial demands are met, as seen with Ransomware
- Data theft, which usually leads to dark web data dumps (remember Equifax?), often done through spyware and adware
Examples of malware in the news
Some of the most infamous malware attacks date back nearly 20 years, including the Mydoom worm of 2004, which holds the record as the fastest spreading email worm to this day. Mydoom caused $38B in damages and infected over 50 million computers worldwide.
More recently, the Emotet trojan wreaked havoc from 2014 through 2021, spreading through spam emails. Once inside a network, it used brute-force methods to reach additional systems. The hackers also used the malware to build a botnet of infected computers and sold access to it as a service (crimeware, or cybercrime-as-a-service).
The good news is, according to the 2022 Cyber Threat Report by SonicWall, malware attacks were actually down 4% in 2021. Unfortunately, ransomware attacks rose a staggering 105% with nearly 20 attempts every second. Some ransomware examples from 2021 alone include:
- WordPress websites were hit with fake ransomware messages, misleading viewers into paying for content that wasn’t actually encrypted
- LockBit 2.0, which offers Ransomware-as-a-Service through a ready-to-use app built to carry out an attack
- The double-extortion trend seen with Conti ransomware, where not only are files held hostage, but the hackers also threaten to publish sensitive data
Most notably, in 2017, the NSA was hacked and a cyberattack exploit it had developed, EternalBlue, was leaked online, leading to the WannaCry ransomware attack. WannaCry used the exploit to target computers running unpatched or outdated versions of Windows, encrypting their data and demanding bitcoin payments; it infected over 200,000 computers in 150 countries, with damages up to several billion dollars. Its successor, NotPetya, used the same exploit later that year to collect bitcoin payouts, but provided no way to decrypt and restore the data, causing more than $10 billion in damages.
How to defend against Malware attacks
We’ve talked about the importance of educating your employees and implementing the right firewall. We also mentioned system patching, encryption and multifactor authentication. These are all equally important for a malware defense strategy.
In addition, you need to enable strong antivirus protection. This should include:
- Polymorphic attack detection, which scans for malware that changes its form to avoid detection
- Automatic updates to keep up with new attack types
- Real-time scanning to stop the spread of malicious content
- Vulnerability detection to alert you of security gaps in your apps
- End user security through website, email, and hardware protection
You may also consider avoiding Universal Plug and Play (UPnP). UPnP has a long list of benefits, but it does pose major security threats. If a device with malicious software is connected through UPnP, it can gain access to your network and enable viruses and malware.
While all the tactics we’ve discussed here are imperative in defending your organization from various cyberattacks, sometimes it isn’t enough – mistakes happen, even in companies with the most mature security posture. In addition to following cybersecurity best practices, it can also help to maintain a bitcoin balance in the event that mission-critical data is hacked and encrypted. In these moments, companies often find that the time, money, and resources spent trying to decrypt or restore (if backups are available) their data is oftentimes outweighed by the immediate need to regain control. In this case, having a budget to pay the hacker and regain access is an unfortunate necessity.
Need help getting started?
Unfortunately, cyber security is often overlooked until an attack happens. Don’t wait until it’s too late.
Kickstart your cyber security defense strategy with a free security assessment from Wellforce. Contact us today to get started!