Hacking

Cyber attack: preparing for the inevitable

By: Steve Norman, business development director, Stone Group and Jay Abbott. Security Expert & Founder, JustASC
Published: Monday, November 23, 2015 - 12:23 GMT Jump to Comments

In 2014, 81 percent of organisations in the UK reported a cyber-security breach. So far this year, 40 percent of public sector organisations alone have been hit by a cyber-attack.

On average, these attacks and breaches cost between £600,000 and £1.15 million for larger organisations and £65,000 to £115,000 for smaller ones. That’s a hefty price to pay for not being vigilant.

It’s important to understand that everyone is at risk. It’s not a matter of if, it’s a matter of when. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber-attack. So, here’s the lowdown on cyber-crime and some of the measures you can put in place to make sure you’re not part of the statistic:

Cyber-crime – the basics

The internet has given us many wonderful things, not least of which is the ability to easily, openly and anonymously share information with each other. What this means for cyber-crime is two part. It provides a mechanism for people to discuss, document and share the approaches, tools, and techniques needed to perpetrate it as well as the open and anonymous market needed to monetise the returns from it.

Why are you at risk?

It’s all down to the barrier to entry being so low. 20 years ago, if you wanted to hack a bank to make millions it took some serious effort and a whole lot of technical skill. Now it just takes an email, and you don’t even have to target the bank. All you need to do is send an email to a few million people asking them to change their password, or to look at an invoice attached to the email or any number of other easy to achieve ruses.

More importantly, not only is the approach quite simple but the tools, techniques and approaches are very well documented and you can even purchase “Hacking-as-a-Service” to get someone else to do it for you for a fee.

How do cyber-criminals get in?

Most attacks against organisations follow a simple flow of activities, although the specific attacks used can be anything. It all starts with some basic reconnaissance and probing. They start by scanning all of your systems and services on the perimeter of your organisation, looking for weaknesses they can exploit. They also start to leverage public sources of data to learn all they can about your organisation such as staff names, sector issues and anything else that might be useful.

If they find an obvious vulnerability in something like your website or a mail server then this will be exploited to get a foothold in the organisation. From there, they can use the device or service to “pivot” through your perimeter into the organisation’s internal networks and systems.

If that doesn’t get them in then its over to trusty social engineering. Typically this starts with an email, just because it’s easy and effective. The ‘bad guy’ constructs a suitable scenario that will leverage social and psychological techniques to encourage you to open it and either hand over your sensitive details or run a program they want you to run for them.

If the email doesn’t work, then it’s over to the phones where they’ll leverage what they’ve learnt so far to start having conversations with people inside the organisation, each time learning more sensitive information. Once they have the trust of someone they are talking to, its time to get them to open the doors, either by opening an email sent to them or by going to a website that can then compromise the user’s computer.

If social engineering fails then the next step is to go after the wireless, as it can be accessed from outside of the organisation but is typically providing an internal network connection. Numerous tools and approaches exist to do this, so let’s just say it has a high success rate.

Assuming none of the above approaches work its time for the cyber-attackers to get their coats, quite literally. The last stage of social engineering is the physical approach. Walking through the front door and getting physically inside the organisation through some plausible context of which there are many.

Once inside, all the attacker has to do is find a network port, plug in and they are inside and able to start quickly compromising systems to create a back door. More often than not these days the easy way to do this is to just deploy a device into the network.

Once the attackers are in, its typically open season on any vulnerable systems on the network. Every network is the same: unpatched servers, discontinued operating systems, badly configured equipment with default usernames and passwords; the list goes on. This is how you take down any organisation of any size. 

What guidance is available for you?

The government has introduced a number of pieces of guidance to ensure safe protection against cyber-crime, including The 10 Cyber Security Steps available here and Common Cyber Attacks: Reducing the Impact here.

What can you do to prevent attacks from happening?

Think like the attackers do, or get help from someone that can. Secure your systems against the basic threats and make yourself just that little bit harder to attack than everyone else. Work out what types of attackers might come after you and how, and gear your defenses up to these threats first. Basic housekeeping activities in IT are not there to annoy – they’re there to help, so do them. Patch and configure – it’s not optional.

What plans and procedures should be in place?

Plan to be hacked. It’s inevitable, so work out what happens when it does. Who says what to who, what do you say, who’s going to help you figure out what happened, who’s going to stop it happening again? All of these questions need answers.

More importantly, how do you know you haven’t been hacked already? Data isn’t deleted, it’s copied. So what monitoring is in place around access to data? Are all the systems monitored for malicious activity? Could you tell if your internal servers were being probed for known vulnerabilities? Do you know if a new device is plugged into your network?

More and more attention is being paid to cyber-crime by those perpetrating it and those looking to prevent it. As such, doing nothing is no longer an option. Any specific legislation or guidance relevant to your industry or sector is going to need to be considered, as it might mandate specific approaches or have requirements that need to be covered.

For example, Daniel Jones, Kable’s senior analyst for defence and security says: “In the public sector a new Government Security Classification Policy is in place, which requires organisations to enter data into three bands, instead of the previous five. These are OFFICIAL, SECRET AND TOP SECRET. Data is categorised and controlled accordingly.”

It’s simply not possible to do it all yourself either. Professional support will be needed in certain areas and a little advice can go a long way towards what the best route for investment in defenses might be.

Final thoughts

There’s no such thing as 100 percent security. Your organisation will probably experience some form of cyber-attack at some time. What’s important is having effective policies and plans in place that can help to reduce the impact of the attack, clean up the affected systems and get your business back up and running within a short time.

The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of The Information Daily, its parent company or any associated businesses.

Comments

Latest

Outdated infrastructure and an increasingly fragmented market threaten the future of technology-enabled integrated care.

County Durham voters back devolution in the North-East, Sir Digby Jones considers run for West Midlands mayor…

The recent launch of The Mayoral Tech Manifesto 2016 on London’s digital future, sets out a clear agenda…

The manufacturing industry is currently facing scrutiny from parties concerned for its survival. Far from facing…

Almost a year ago, I made some predictions for what would take place in government and public sector customer…

Sheffield, Warrington and Doncaster announce cuts, Lincolnshire is held to data ransom, fight begins for West…

Working for an education charity delivering numeracy and literacy programmes in primary schools, I’m only…

Northamptonshire County Council recently received the maximum four star rating from Better connected after putting…

Historically, the entrance of new generations into the workplace has caused varying levels of disruption. The…

Following another commendation for digital services, Surrey County Council's Web and Digital Services Manager,…

We cannot carry on spinning the roulette wheel that is cyber security, knowing that the “castle and moat”…

This week David Cameron wades into row over £69m of cuts planned by Oxfordshire CC; Stoke on Trent plans…