Did you know that 81% of organisations in the UK reported a cyber-security breach in 2014? And so far this year, 40% of public sector organisations alone have reportedly been hit by a cyber-attack.
Did you also know that these attacks and breaches cost, on average, between £600,000 and £1.15 million for larger organisations and between £65,000 and £115,000 for SMEs?
That’s a hefty price to pay for not being vigilant.
Attacks on UK public sector organisations show no signs of slowing down. As Robert Hannigan, Director of GCHQ (Government Communications Headquarters) confirms: “we continue to see real threats to the UK on a daily basis, and the scale and rate of these attacks shows little sign of abating”.
And yet, despite the large number of organisations having already been victims of cyber-crime, there’s still an even larger number out there (74% if the reports from GTIR – Global Threat Intelligence Report – are to be believed) that don’t really know:
- What it’s all about
- Why and how cyber-criminals get in
- The importance of having correct policies, plans and procedures in place to avoid such malicious attacks
- How you can stop your organisation being next on the hit list
GCHQ believe that understanding the capabilities behind these attacks, the vulnerabilities they exploit, and how they are exploited is central to your organisation’s ability to defend itself against them.
It’s important to understand that you’re all at risk. It’s not a matter of if, it’s a matter of when. And if you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber-attack.
Let’s start with the basics.
What is cyber-crime?
In short, one of the fastest growing economies on the planet with the easiest route to entry! What we really mean by that is that the barrier to entering the economy is no longer skill; it's motivation. The internet has given us many wonderful things, not least of which is the ability to easily, openly and anonymously share information with each other. What this means for cyber-crime is twofold. It provides a mechanism for people to discuss, document and share the approaches, tools and techniques needed to perpetrate it, as well as the open and anonymous market needed to monetise the returns from it.
Why are you at risk?
It’s really all down to that barrier to entry being so low now. Let’s say 20 years ago, if you wanted to hack a bank to make millions it took some serious effort and a whole lot of technical skill. Now it just takes an email, and you don’t even have to target the bank. All you need to do is send an email to a few million people asking them to change their password, or to look at an invoice attached to the email or any number of other easy to achieve ruses. More importantly, not only is the approach quite simple but the tools, techniques and approaches are very well documented and you can even purchase “Hacking-as-a-Service” to get someone else to do it for you for a fee!
Now when we say “you” it means the personal/consumer you as well as the business you. It doesn’t matter what size or industry or sector you’re in, if you have a bank account and some money in it, you’re a target.
Why and how do cyber-criminals get in?
Most attacks against organisations follow a simple flow of activities, although the specific techniques used at each stage vary; there are literally thousands to choose from.
It all starts with some basic reconnaissance and probing. They start by scanning all of your systems and services on the perimeter of your organisation looking for weaknesses they can exploit. They also start to leverage public sources of data to learn all they can about your organisation such as staff names, sector issues and anything else that might be useful. If they find an obvious vulnerability in something like your website or a mail server then this will be exploited to get a foothold in the organisation and from there, they can use the device or service to “pivot” through your perimeter into the organisation’s internal networks and systems.
If that doesn't get them in then it's over to trusty social engineering! Typically this starts with an email, just because it's easy and effective. The bad guy constructs a suitable scenario that leverages social and psychological techniques to encourage you to open it and either hand over your sensitive details or run a program they want you to run for them.
By now, you’re probably thinking, “No. I would never fall for that!” Guess again. There’s always a perfect storm of circumstances that can get anyone to open an email!
If the email doesn't work, then it's over to the phones, where they'll leverage what they've learnt so far to start having conversations with people inside the organisation, each time learning more sensitive information that can be used in the next conversation. Once they have the trust of someone they are talking to, it's time to get them to open the doors, either by opening an email sent to them or by visiting a website that can then compromise the user's computer.
The goal of both of the social engineering approaches is simple. It is to get full remote control over someone’s PC inside the organisation so that it can be used as an attack platform.
If social engineering fails then the next step is to go after the wireless as it can be accessed from outside of the organisation but is typically providing an internal network connection. Numerous tools and approaches exist to do this so let’s just say this has a high success rate!
Assuming none of the above approaches work, it's time for the cyber-attackers to get their coats, quite literally! The last stage of social engineering is the physical approach: walking through the front door and getting physically inside the organisation under some plausible pretext, of which there are many.
Once inside, all the attacker has to do is find a network port, plug in, and they are on the internal network and able to start quickly compromising systems to create a back door. More often than not these days the easy way to do this is to just deploy a device into the network. A Raspberry Pi works well, as they are low power and very cheap. One of these with a 3G dongle makes the perfect remote access tool that can be hidden in a cupboard or a floor box out of the way, running either from Power over Ethernet (PoE) on the network or from a battery.
Once the attackers are in (and believe me, if they want to get in they will), it's typically open season on the vulnerable systems on the network. Every network is the same: unpatched servers, discontinued operating systems, badly configured equipment with default usernames and passwords; the list goes on.
This is like shooting fish in a barrel and there are many tools designed to find and exploit known weaknesses with little or no effort.
So this is how you take down any organisation of any size. The real question is how easily are you going to fall? Do you get taken at step one, or do they have to work for it? The reality of cyber-crime is that a determined attacker will get in, but there are enough potential victims in the world that being secure enough to deter the basic attackers will, unless they really are targeting you, make them just move on to the next victim.
What guidance is available for you?
The government has published a number of pieces of guidance to help organisations protect themselves against cyber-crime; here are a few that might be of interest:
- The 10 Cyber Security Steps
- Common Cyber Attacks: Reducing The Impact
- Cyber Essentials Scheme
- UK Cyber Security Strategy
What can you do to prevent attacks from happening?
Think like the attackers do, or get help from someone that can. Secure your systems against the basic threats and make yourself just that little bit harder to attack than everyone else. Work out what types of attackers might come after you and how, and gear your defences up to these threats first. Basic housekeeping activities in IT are not there to annoy – they’re there to help, so do them. Patch and configure – it’s not optional!
What plans and procedures should be in place?
Plan to be hacked, it's inevitable, so work out what happens when it does. Who says what to whom, what do you say, who's going to help you figure out what happened, who's going to stop it happening again? All of these questions need answers.
More importantly, how do you even know you haven’t been hacked already? Data isn’t deleted, it’s copied. So what monitoring is in place around access to data, are all the systems monitored for malicious activity? Could you tell if your internal servers were being probed for known vulnerabilities? Do you know if a new device is plugged into your network?
I’m guessing that’s probably a no.
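Two of the questions above (is a new device on the network, and is something inside probing your servers) can be answered with very little: DHCP server logs for the first, firewall or flow logs for the second. The script below is an added example written for this article, not code from the original page or from any product it mentions. The DHCP lines follow the dnsmasq DHCPACK format but are constructed sample data, the flow records are constructed key=value lines, and the asset inventory, the OUI watch-list and the sweep threshold are assumptions you would replace with your own. It also flags the rogue Raspberry Pi case from the attack walkthrough earlier, since the first three octets of a MAC address identify the hardware vendor.

```python
"""Two small detection checks over log lines: unknown devices taking a DHCP
lease, and internal hosts fanning out across ports the way a scanner does."""
import re
from collections import defaultdict

# --- Check 1: a device you do not know about has joined the network --------

# Constructed sample of dnsmasq-style DHCPACK syslog lines (not real data).
# Field order after DHCPACK(iface): leased IP, client MAC, client hostname.
DHCP_LOG = """\
Mar  3 09:01:12 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.25 3c:52:82:aa:bb:01 finance-pc-07
Mar  3 09:02:40 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.26 3c:52:82:aa:bb:02 finance-pc-08
Mar  3 09:15:03 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.77 b8:27:eb:12:34:56 raspberrypi
Mar  3 09:16:55 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.78 00:11:22:33:44:55 DESKTOP-X1
"""

# Assumed asset inventory (MAC -> hostname). In practice this comes from your
# CMDB, switch port-security records or endpoint management tool.
INVENTORY = {
    "3c:52:82:aa:bb:01": "finance-pc-07",
    "3c:52:82:aa:bb:02": "finance-pc-08",
}

# Vendor prefixes (OUIs) worth a second look. b8:27:eb is registered to the
# Raspberry Pi Foundation in the IEEE OUI registry; extend the list as needed.
WATCH_OUIS = {"b8:27:eb": "Raspberry Pi Foundation"}

DHCPACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


def unknown_devices(log_text, inventory=INVENTORY, watch_ouis=WATCH_OUIS):
    """Return one alert per DHCP lease granted to a MAC not in the inventory."""
    alerts = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac in inventory:
            continue
        reasons = ["MAC not in asset inventory"]
        vendor = watch_ouis.get(mac[:8])  # first three octets = OUI
        if vendor:
            reasons.append(f"OUI registered to {vendor}")
        alerts.append({"ip": m.group("ip"), "mac": mac,
                       "host": m.group("host") or "", "reasons": reasons})
    return alerts


# --- Check 2: something inside is probing your servers ---------------------

# Constructed firewall/flow records in key=value form (not real data): a
# workstation doing normal file-share traffic to one server, and the unknown
# host above walking through ports 20-44 on the same server.
FLOW_LOG = ["src=10.20.1.25 dst=10.20.5.10 dport=445 proto=tcp action=allow"] * 6
FLOW_LOG += [f"src=10.20.1.78 dst=10.20.5.10 dport={p} proto=tcp action=deny"
             for p in range(20, 45)]

KV_RE = re.compile(r"(\w+)=(\S+)")


def probing_sources(records, threshold=15):
    """Return {src: count} for sources that touched more than `threshold`
    distinct dst:port pairs. A scanner fans out; a normal client does not.
    The threshold is an assumption; tune it against your own baseline."""
    seen = defaultdict(set)
    for rec in records:
        kv = dict(KV_RE.findall(rec))
        if "src" in kv and "dst" in kv and "dport" in kv:
            seen[kv["src"]].add((kv["dst"], kv["dport"]))
    return {src: len(pairs) for src, pairs in seen.items() if len(pairs) > threshold}


if __name__ == "__main__":
    for a in unknown_devices(DHCP_LOG):
        print(f"NEW DEVICE {a['ip']} {a['mac']} {a['host']}: {'; '.join(a['reasons'])}")
    for src, n in probing_sources(FLOW_LOG).items():
        print(f"PROBING {src}: {n} distinct host:port targets")
```

Run against the sample data, the first check raises two alerts (the Pi and the unnamed laptop) and the second attributes the port sweep to the same unnamed laptop, which is exactly the chain the walkthrough describes: a device nobody authorised appears, then starts looking for weak servers. The point is not the scripts themselves but that both signals were sitting in logs you almost certainly already collect.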
Why is this important?
More and more attention is being paid to cyber-crime by those perpetrating it and those looking to prevent it. As such, doing nothing is no longer an option, unless you particularly want an empty bank account of course!
What else do you need to be aware of?
Any specific legislation or guidance relevant to your industry or sector (such as those mentioned earlier) is going to need to be considered as it might mandate specific approaches or have requirements that need to be covered. It’s simply not possible to do it all yourself either. Professional support will be needed in certain areas and a little advice can go a long way towards what the best route for investment in defences might be.
Jay’s Top Tips:
- Get the basics right. Good IT housekeeping will help an awful lot.
- Attackers don’t just focus on the perimeter, they can get inside the organisation easily so make sure you’re as secure inside as at the edge.
- Security awareness is a good tool. Every employee can be part of the security team if they have the right knowledge.
- Monitoring is the only way to get ahead of the attackers so a well-thought-out monitoring solution looking at the right systems can be the alarm that sounds and lets you stop them in their tracks.
There’s no such thing as 100% security and your organisation will probably experience some form of cyber-attack at some time. What’s important is having effective policies and plans in place that can help to reduce the impact of the attack, clean up the affected systems and get your business back up and running within a short time.
The cyber world can be a hostile environment. The threat of attack will never truly cease as new vulnerabilities are released and tools are produced to exploit them. Doing nothing is not an option; protect your organisation and your reputation by putting in place even the most basic cyber protection to make sure that your name isn’t added to the growing list of victims.
If you’d like any support or advice on how you can protect your organisation from the threat of a cyber-attack then get in touch – we’re here to help.
Learn from the mistakes others have made. Don’t be a victim, be a hero.