The media is awash with news of the possible hacking of the plans for ASIO’s new headquarters in Canberra. As announced on ABC’s Four Corners program, the story reveals that hackers working from overseas have targeted key Australian Federal Government departments and major corporations with the intent to steal national security secrets and vital business information. There have also been recent reports of secret US military data being obtained by hackers, including weapons system information for the F-35 fighter.
As shocking as this news may be, what can be more alarming is the fact that it’s not just government and big business that are targeted. With the rapid growth in Internet connectivity, online services, BYOD policies, mobile devices and remote access (to name just a few), the chances of any business, or home, being compromised have risen to new levels. The crooks are getting more cunning and widening their range of targets.
Some of the common views we come across are “it won’t happen to me” and “I don’t have anything the hackers would be interested in”. The first opinion is actually quite wrong, as it’s not “if” it will happen to you but rather “when”. No company or individual is safe anymore. The second opinion undervalues what these hackers can use you and your technology for.
Cyber attacks can typically be put into three categories:
- Random – generally occurs when a user clicks on a web page pop-up, connects an unknown but infected USB device to their computer, or opens an attachment or link in a spam email
- Targeted – where the hacker is specifically looking to attack your business directly in order to gain information or cause damage, or both
- Relayed – where the attack is not directed from the hacker straight to you but occurs through a third party, for example another business you work with; alternatively, you may be the third-party business that the hacker is using as a relay point to their intended target
The first category is the most common and will often be user initiated – someone will browse to a website and a message will pop up advising their computer has performance problems and that by clicking a few buttons this can be improved; or that a virus has been detected and they should click a button to remove it.
Alternatively, the user will receive an email with a link advising they need to change their PayPal/eBay/banking password, claim a refund from the tax department, or that they have won a prize and need to visit a site to claim it. However, the link goes to a site that looks legitimate but isn’t (this is called phishing). Some of these fake warnings and websites can look very legitimate, and they do catch out a lot of people on a weekly basis. Once infected, it can sometimes take a while for you to notice anything is wrong with your computer, by which time any number of “secrets” may have been stolen from you.
These random attacks can also include the recently reported ransomware incidents where data files on your computer are encrypted and you need to pay money, through various international clearing houses, to have any chance of regaining access to your files – be they documents, photos or accounting data. There is never any guarantee you will get your data back though – this is where reliable backups, and a long history of them, are extremely useful.
The second category is nothing short of an outright attack against you or your business. Hackers will be trying to either take information from you that they deem valuable, or they will be seeking to create enough damage that systems will fail, and then so will your business, either by not being able to trade or by creating enough disruption that your clients stop dealing with you.
If you are a financial services company they could be after your client list or inside information on your financial products; a pharmaceuticals company’s secret new product; a manufacturer’s bill of materials and logistics information; a retailer’s special supplier agreements and pricing models – or consider what makes your company that bit more special.
These attacks can be both brutal and sneaky, depending on the capabilities and resources of the attacker and the integrity of your systems.
An all too common method for these attacks used to be called “drop the floppy” but is now more accurately called “drop the USB drive”, where an infected USB flash drive may be left for an employee to find (for example in the car park or near a door to the building). The employee will then be tempted to plug it into their computer to see what’s on it. We have seen examples where a file called “staff salaries.xls” is on the drive, looking like an Excel document. When the user tries to open the file (being a nosy human!) they receive an error reporting the file is corrupt and cannot be opened. However, the damage has been done, with the malware now installed on their computer and beginning its nasty work.
The third category is very much the sneaky kind, where the attacker will infiltrate another business in order to get to the final target. If your business were the target then they may gain access to a supplier or business partner, then use their network or systems to gain access to yours.
One recent example of this involved a very large US-based manufacturing company that has many smaller contractors supplying it. A hacker wishing to steal information from this manufacturer infiltrated a document sharing facility that one of the contractors managed and used to share information with the large manufacturer. The hacker was able to do this thanks to poor security protocols employed by this contractor, which included not keeping their systems up to date with security patches.
The manufacturer did have the right systems in place and was able to prevent the attack from affecting them, and they were able to trace the source of the attack as far as China – the origin of most hacking attempts happening today.
These relay type attacks are becoming more common, affecting businesses like yours. So whilst you may not necessarily have information an attacker is after, you may well work with a business that has information others seek. And if your business is found to be the point from which the attack was launched you’re not likely to be let off with just a warning!
We could go on for pages and pages with warnings and stories but that won’t really help you. What you need to do is be on your guard at all times and seek the right advice for your business. This begins with a risk analysis and review, to determine the most obvious problems and identify the best way to reduce these risks. This does not have to be an expensive exercise, nor complicated. Often it’s a few simple changes that can make dramatic improvements toward protecting your business.
The sad fact is you can have the most advanced security systems in the world but the biggest weakness in all networks will always be the people. Educating staff on the risks and teaching them some simple techniques can lead to better security. It’s more than just anti-virus software and decent passwords, but it doesn’t need to be difficult.
Calvert Technologies has a great deal of experience with risk assessment, education and security implementation. If you want to know how to improve the security and integrity of your business it begins with contacting us to arrange a meeting.
We encourage you to pass this article on to others so they too can be aware of cyber security – you never know, the business you help save could be the one the hackers try to use to target you!