From the days of dial-up internet to the age of cloud computing, I’ve supported customers and businesses with their hardware and software needs, set up networks, and even ventured into the world of information and cybersecurity. And let me tell you, being the person who is ultimately responsible for the safety of a business’s digital security is not for the faint of heart.
The battleground is constantly changing, and new types of attacks are springing up all the time. But fear not, dear reader, for I am here to share with you the battle plan for protection. Here are some of the most common types of cyber attacks and what you can do to defend against them.
Ah, phishing scams. The classic “Nigerian prince” email may seem like a thing of the past, but these scams are still going strong.
Phishing is a type of cyber attack where the attacker poses as a trustworthy source to trick the victim into revealing personal or sensitive information. The term “phishing” is a play on the word “fishing” as the attacker is essentially “fishing” for information from the victim.
Phishing attacks can take many forms, such as emails, texts, or social media messages. They often appear to be from a legitimate source, such as a bank or online retailer, and will often include a link or attachment that the victim is asked to click on. Once the victim clicks on the link or attachment, they may be directed to a fake website or prompted to enter their login credentials or other personal information.
One reason why phishing attacks are so successful is that they are constantly evolving and improving. Attackers are constantly finding new ways to make their emails and websites look more legitimate and convincing. For example, some phishing emails now use personalized information to make it seem like the email is coming from someone the victim knows or trusts.
As a result of this ongoing threat, many enterprises are now proactively running phishing tests against their own employees to find those who need training. These tests involve sending fake phishing emails to employees to see who falls for them. This allows companies to identify those who need additional training on how to identify and avoid phishing attacks.
In my opinion, phishing is one of the most likely ways that a large enterprise will be breached. While companies can invest in expensive security software and systems, all it takes is one employee falling for a phishing email to compromise the entire network. That’s why it’s so important for companies to invest in employee education and training on how to identify and avoid phishing attacks.
Malware comes in many forms – viruses, worms, Trojans, and ransomware. These malicious programs are designed to damage or disrupt computer systems.
Malware can be spread through various channels, including email attachments, malicious links, and software downloads. Its impact can range from minor nuisances to serious threats such as data theft, system crashes, and financial loss.
There are several types of malware, each with its own unique characteristics and objectives. Here are some examples:
- Trojan: A Trojan is a type of malware that disguises itself as a legitimate program or file. Once it is installed on a system, it can perform various malicious activities such as stealing data or installing additional malware.
- Virus: A virus is a type of malware that can replicate itself and spread to other systems. It can cause damage by corrupting or deleting files, slowing down system performance, and even rendering the system unusable.
- Worm: A worm is a self-replicating malware that spreads through networks and devices without any user interaction. It can cause damage by consuming network bandwidth, deleting files, and even crashing systems. Blaster and Sasser from 2003-2004 are early examples which caused widespread issues; others include Emotet (stealing banking details), Conficker, and WannaCry (which is also ransomware, discussed below).
- Ransomware: Ransomware is like the ultimate hostage situation. It encrypts files on a computer system, making them inaccessible until a ransom is paid. The WannaCry attack of 2017 was a prime example of ransomware gone wrong, affecting businesses and organizations across the globe. It can cause significant financial loss as well as damage to an enterprise’s reputation.
The quality of malware attacks has improved over time as cyber criminals have become more sophisticated in their techniques. Malware is now often designed to evade detection by antivirus software and firewalls, making it more difficult to protect against.
Social engineering is like the art of deception. Hackers use these tactics to gain access to sensitive information by tricking people into revealing it. This can be done through phone calls, emails, or other forms of communication. Social engineering includes phishing (see above), baiting (sign up here for your free X, where signing up involves providing your personal details), and tailgating (following someone through a locked door or into a restricted area).
Remember the famous Kevin Mitnick? He was a master of social engineering in the 1990s. Speaking of which, I haven’t watched Operation Takedown for some time… Not that it is overly factual, but still a fun watch.
Protect yourself by always being cautious about sharing personal information and verifying the identity of anyone requesting sensitive data.
Ah, the dreaded weak password. This is like leaving the front door to your house unlocked. Weak passwords make it easy for cyber criminals to access personal or business accounts.
A weak password is one that is easy to guess or crack, such as a common word, a birthdate, or a simple string of numbers or letters.
To protect against weak passwords, it’s important to use strong passwords that are difficult to guess or crack. One popular method for creating strong passwords is the XKCD model, which suggests using a series of random but memorable words instead of complex strings of characters. For example, a password like “correct horse battery staple” is much stronger than a password like “P@ssword123”, because it is a longer password made up of four random words, making it harder for cybercriminals to guess or crack.
“P@ssword123” is a common password that is easily guessable as it follows common patterns and includes common substitutions, such as replacing the letter “a” with the “@” symbol. This type of password can be easily cracked using brute-force attacks that systematically try every possible combination of characters until the correct password is found.
On the other hand, “correct horse battery staple” is a passphrase that is much longer and made up of four random words that have no obvious connection to one another. This makes it much harder for cybercriminals to guess or crack the password using brute-force attacks. Additionally, because it is a passphrase rather than a password, it is easier for humans to remember and less likely to be written down or forgotten.
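To put numbers on the comparison above, here is an added example (not code from the original post) that scores a password two ways: by the naive "character classes times length" rule, and by how many guesses a pattern-aware model needs. The attacker list size, the sample base words, the substitution table, and the 2,048-word list size (the figure the XKCD comic uses) are assumptions chosen for illustration.

```python
import math
import secrets

# Assumptions for illustration only (not from the original post):
ATTACKER_WORDLIST = 10_000   # assumed size of a common-password base list
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "dragon"}  # constructed sample
LEET = str.maketrans("@4013$5!", "aaoiessi")   # common look-alike substitutions
SUBSTITUTABLE = set("aoies")                   # letters that have a look-alike above

def charset_bits(pw: str) -> float:
    """Naive estimate: length * log2(size of the character classes used)."""
    pool = 0
    pool += 26 if any(c.islower() for c in pw) else 0
    pool += 26 if any(c.isupper() for c in pw) else 0
    pool += 10 if any(c.isdigit() for c in pw) else 0
    pool += 33 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0

def pattern_bits(pw: str):
    """Estimate under a 'common word + substitutions + digit suffix' model.
    Returns None when the password does not fit that pattern."""
    stem = pw.rstrip("0123456789")
    digits = len(pw) - len(stem)
    base = stem.lower().translate(LEET)        # undo capitalisation and look-alikes
    if base not in COMMON_BASES:
        return None
    swaps = sum(ch in SUBSTITUTABLE for ch in base)  # each letter swapped or not: 1 bit
    # word choice + capitalised-or-not (1 bit) + substitutions + numeric suffix
    return math.log2(ATTACKER_WORDLIST) + 1 + swaps + digits * math.log2(10)

def passphrase_bits(n_words: int, list_size: int = 2048) -> float:
    """Valid only when every word is drawn uniformly at random from the list;
    a phrase copied from a published example does not qualify."""
    return n_words * math.log2(list_size)

def generate_passphrase(wordlist, n_words: int = 4) -> str:
    """Draw words with a CSPRNG; the strength comes from the list size."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    pw = "P@ssword123"
    print(f"{pw}: naive {charset_bits(pw):.1f} bits, pattern {pattern_bits(pw):.1f} bits")
    print(f"4 random words from 2048: {passphrase_bits(4):.1f} bits")
```

The gap between the two scores for “P@ssword123” is the point: a strength meter that only counts character classes rates it highly, while a guesser that knows the pattern needs far fewer attempts than for four randomly drawn words.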
However, even strong passwords can be defeated by poor behavior. For example, if a person writes their password on a post-it note and sticks it to their computer monitor, it becomes much easier for a cyber criminal to gain access to their account. Additionally, using the same password for multiple accounts can also be risky, as it increases the potential impact of a data breach.
Here are some tips for creating strong passwords and protecting them:
- Use a unique password for each account: This reduces the risk of multiple accounts being compromised if one password is breached. The site “Have I Been Pwned” is an excellent resource for checking whether a site you use has been breached.
- Use a mix of upper and lowercase letters, numbers, and symbols: This creates a more complex password that is harder to guess or crack.
- Consider using a password manager: Password managers can generate and store complex passwords for each account, reducing the need to remember multiple passwords. That said, with the number of breaches of hosted password managers recently…
- Don’t write down passwords or share them with others: This increases the risk of the password being compromised.
The security of information, computers and networks is a never-ending challenge that requires constant vigilance and proactive measures. By staying informed about the latest tactics, investing in employee training, and regularly testing for vulnerabilities, companies can minimize the risk of falling victim to an attack. With the proper battle plan for protection, we can keep our digital information safe and secure. Stay vigilant, my friends, and never let your guard down!