Booking.com and Expedia recently made the headlines – and not because of the hotel deals they were offering as people eased out of lockdown. Instead, it had been discovered that one of their software providers had not stored sensitive data correctly, running the risk that the details of millions of hotel customers could have been exposed.
Around the same time, Ticketmaster UK was fined £1.25 million following a cyber attack in 2018 which flagged that it was failing to keep its customers’ personal data secure. This, however, was small fry compared to the £18.4 million fine handed to Marriott International for a cyber attack that took place between 2014 and 2018 and compromised the personal information (including email addresses, phone numbers and passport details) of countless customers.
Cyber threats are a real and significant problem. According to the latest Trend Micro Cyber Risk Index, carried out by the Ponemon Institute and released in early December, 23% of global organisations suffered seven or more attacks that infiltrated their networks over the past year.
‘It won’t happen to me’
Many people still believe they are immune to hacking despite regular sensationalist news stories about the latest data breach, and evidence to the contrary. I confess, before I joined Turnkey, this was my worldview; cyber space felt like a distant planet, a known-unknown that was unlikely to affect my life because why would anyone want to attack me?
The reality, of course, is that anyone with data stored online (which is most of us these days) is vulnerable, and this vulnerability is exacerbated by so many of us being unsuspecting – making us walking targets.
So what changed to make me understand the very real risk that cyber threats present to daily life? Essentially it came down to knowledge. A project saw me undertake research into the types of threat actors that are currently active, their aims and motivations, the entities they are targeting, how they gather personal information and some of the methods they use.
Why phishing works
The more technology becomes an integral part of our daily lives, the more it is designed to be easy to use; we can engage with it more deeply in order to perform increasingly sophisticated tasks, without having to understand its complexities. That is also the premise behind phishing. Attackers are designing increasingly seamless emails with legitimate-looking signatures, logos and information, all of which conceal the fact that these messages carry malware or links that prompt the recipient to hand over personal details and credentials. An email purporting to come from Amazon, asking the user to log in and track a package they ordered, could catch anyone off-guard.
It was this realisation that led me to go into overdrive – become paranoid if you like – examining every email I received for any clues that it was about to defraud me personally, or enable bad actors to cause havoc in my employer’s network.
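The kind of scrutiny described above can be partly automated. The script below is an added illustration, not code from the original article or from Turnkey Consulting: it runs a few defender-side checks over a constructed sample message of the "track your package" variety. It flags a display name that claims a brand while the sender domain does not belong to that brand, a link whose visible text shows one domain while its href points to another, and urgency phrases of the sort used to hurry a recipient. The brand list, the urgency phrase list, the two-label domain heuristic and both sample emails are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real email): display name claims "Amazon",
# the sender domain does not, and the visible link text disagrees with the href.
SAMPLE_EMAIL = """\
From: Amazon Customer Service <no-reply@amazon-delivery-update.example>
To: recipient@example.org
Subject: Action required: track your package
Content-Type: text/html

<html><body>
<p>Your order is on its way. Please <a href="http://login.amazon-delivery-update.example/track">
https://www.amazon.com/your-orders</a> to confirm your account details within 24 hours.</p>
</body></html>
"""

# Constructed benign message used to show the checks stay quiet on ordinary mail.
CLEAN_EMAIL = """\
From: Colleague <colleague@example.org>
To: recipient@example.org
Subject: Lunch on Friday?
Content-Type: text/html

<html><body><p>Menu is at <a href="https://menu.example.org/friday">https://menu.example.org/friday</a>.</p></body></html>
"""

# Assumed allow-list: which registered domains legitimately send mail under a brand name.
KNOWN_BRANDS = {"amazon": {"amazon.com", "amazon.co.uk"}}
# Assumed list of pressure phrases commonly seen in credential-harvesting lures.
URGENCY_WORDS = ("action required", "within 24 hours", "verify your account", "confirm your account")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered-domain approximation: keep the last two labels.
    Assumption for the example; a production check would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Brand name in the display name but sender domain outside the brand's allow-list.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registered_domain(sender_domain) not in domains:
            findings.append(f"display name mentions {brand} but sender domain is {sender_domain}")

    # 2. Link whose visible text is a URL on one domain while the href goes elsewhere.
    body = msg.get_payload(decode=True).decode(errors="replace")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if re.match(r"https?://", text):
            text_host = urlparse(text).hostname or ""
            if registered_domain(text_host) != registered_domain(href_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")

    # 3. Urgency cues in subject or body.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    for phrase in URGENCY_WORDS:
        if phrase in lowered:
            findings.append(f"urgency cue: '{phrase}'")
    return findings


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(sample) or "no indicators")
```

None of these checks is proof of phishing on its own; a mail gateway or a mail client rule would combine them with a score and route suspicious messages for review rather than block outright, which is why the function returns the individual findings instead of a verdict.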
Motivations and methods
Hackers fall roughly into three categories:
- Motivated by financial gain, individual hackers and smaller groups want credentials or other sensitive information to commit identity fraud and steal money; the pandemic, which allows them to play on a victim’s emotions, is the perfect backdrop.
- Mercenaries, hired by a third party, are also driven by monetary reward; they might carry out activity that is revenge-based (around personal issues such as divorce disputes), or provides competitive edge in business.
- State-sponsored actors have political/geopolitical motivations and are usually trying to steal information such as intellectual property (Covid-19 vaccine details for example) or leverage system weaknesses, such as executing malware that will disturb regular operations.
In addition to email phishing, voice phishing (‘vishing’) persuades victims to give up details over the phone. To gain access to networks, groups also study and then take advantage of weaknesses in system configurations, such as PowerShell backdoors and unpatched vulnerabilities in Microsoft Office. Physical intrusion is another option: using fake IDs to enter a data centre or office building where, for example, computers may be left unattended and unlocked.
Education is the best defence
What can be done to combat all of this? My epiphany centred on becoming knowledgeable – and that’s exactly what we should be encouraging. As the way in which we interact with technology evolves, how we protect ourselves also needs to change. It’s a topic that should be integrated into the education system and constantly reinforced and kept up to date through cyber awareness campaigns. Today we need to know how to recognise the emails that are trying to scam us; in two years’ time threat actors may be trying different methods.
Organisations also need to take responsibility for understanding why they could be the target of an attack and then take the necessary measures to reduce this risk. The importance of robust cyber threat intelligence practices has been brought home during the coronavirus pandemic, which has increased the opportunity for attackers to take advantage of system and human vulnerabilities; anxious employees, working on their own at home, are more likely to click on malicious links, perhaps for items such as face masks.
Identifying threats of this nature – before, during and after the pandemic – is critical for preventing breaches. Mitigation strategies can then be deployed, with ongoing awareness training and testing for employees being the best defence.
In addition, penetration testing helps organisations identify and mitigate risks before they can be exploited. And effective incident reporting, combined with extended detection and response (XDR), enables escalation and quicker response times. Tracking malicious emails and vishing calls can provide valuable insight into the motivation for an attack and allow defences to be tailored to the offence accordingly.
Everyone needs to be vigilant
Although today’s world is driven by technology, most users have no visibility into its backroom workings – which makes us, and the systems we rely on, vulnerable. Individuals and organisations all have a role to play in keeping the bad actors at bay. And personally, armed with my newfound knowledge of the threats around us, I believe it’s wise to be at least a little paranoid.
Merry Song, analyst, Turnkey Consulting