Time for some Digital Housekeeping

As the internet evolved, so did the growing need for user accounts to access online information and services. Consequently, we have hundreds of accounts, each requiring separate login credentials. This proliferation of digital accounts has led to significant issues and risks:

  • Unnecessary requirement for login credentials – not every site needs login credentials, yet we are often still required to create an account. I thought about writing this article many times, and then recently, I needed to sign up to 3 separate sites to benefit from the service offered by a single business. In this case, one user account should have been sufficient. Many sites and services shouldn’t need an account at all.
  • Remembering numerous passwords – it is inconvenient and introduces security risks. To remember login credentials, people often resort to using simple passwords, repeating the same password for different accounts, or creating lots of slightly different passwords based on a theme. If a hacker compromises one of your passwords, they could easily compromise many.
  • Password vaults – there are many different password management solutions, but these are not always foolproof and often require trust and dependence on third-party services. Password vaults do make the use of long, complex passwords viable.
  • Risk exposure – the more accounts you have, the more personal information is stored online, which increases the risk of sensitive data exposure in a breach. Also, more accounts mean more emails and communications from online services, and more time and effort are required to distinguish between legitimate messages and phishing attempts from scammers impersonating services to steal login credentials.
  • Privacy – each account will collect and store personal information. The more accounts you have, the more places your data is stored, increasing the risk that site owners will misuse or sell your data or track online behaviour, preferences, and interactions, leading to privacy concerns.
  • Attack surface – each account is a potential entry point for cybercriminals. The more accounts you have, the larger the attack surface.
  • Time-consuming – managing so many accounts can become time-consuming and distract from more productive activities.
  • Blocking cut and paste – storing passwords in a vault makes using long, complex passwords convenient. It is not helpful if site owners block cut and paste and require users to type passwords manually. A more recent change is to measure the time it takes to type a password and reject login attempts that are too quick. This blocks pasted passwords and passwords automatically filled from browser-based password vaults. It is well-intentioned but risks replacing complex passwords with simple passwords.

Practicing good cyber hygiene is essential:

  • Use a password vault so you don’t need to remember every password – this makes using strong passwords for each account easy. Be careful whose solution you choose. Make sure you select a reputable vendor.
  • Establish an inventory of sites where you have online accounts – using a password vault makes this much more manageable.
  • Delete accounts that you no longer need. You will still have an account even if you signed up for an online service using Google, Apple, Microsoft, Facebook, or LinkedIn credentials. In addition to deleting the account, it is also necessary to revoke access to the credentials – i.e., remove the service from the list of third-party sites in Google or other login services.
  • Don’t repeat passwords – use a different password for each user account.
  • Use Multi-Factor Authentication (MFA) to add security to your online account. The long-term effectiveness of MFA is the subject of much debate, given rapid technological changes and adaptability in cybercrime. The use of MFA is still better than not using it.
  • Don’t store credit card details on the sites unless absolutely necessary.
  • Avoid using immutable facts for authentication purposes. For example, your mother’s maiden name or the name of your first school will never change. Immutable facts are a poor choice for security, but websites and service providers still use them.
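A password vault export is the natural place to start the inventory and reuse checks described above. The script below is an added example, not code from the original article or from any vault vendor; it reads a constructed CSV export in a generic site/username/password/last_used shape (real vault exports vary), flags exact password reuse, flags "variations on a theme" (the same word with different years or punctuation), and lists accounts not used in over a year as candidates for deletion. The column names, the sample rows and the one-year cut-off are assumptions for the demonstration.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import date

# Constructed sample export (assumed generic column names; not any vendor's real format).
SAMPLE_EXPORT = """site,username,password,last_used
shop.example,alice,Summer2023!,2023-09-01
forum.example,alice,Summer2024!,2024-02-10
bank.example,alice,correct horse battery staple,2024-05-01
news.example,alice,Summer2023!,2021-01-15
travel.example,alice,xK9#vL2$pQ8m,2024-04-20
"""


def load_entries(export_text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(export_text)))


def exact_reuse(entries):
    """Passwords used verbatim on more than one site -> {password: [sites]}."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def _theme_key(password):
    # Lower-case and strip digits/punctuation so "Summer2023!" and "summer24#"
    # collapse to the same key ("summer"); a crude but useful theme detector.
    return re.sub(r"[^a-z]", "", password.lower())


def themed_reuse(entries):
    """Distinct passwords that share a theme -> {theme: [distinct passwords]}."""
    by_key = defaultdict(set)
    for entry in entries:
        key = _theme_key(entry["password"])
        if key:
            by_key[key].add(entry["password"])
    return {key: sorted(pws) for key, pws in by_key.items() if len(pws) > 1}


def stale_accounts(entries, today, max_age_days=365):
    """Sites whose last_used date is older than max_age_days (assumed cut-off)."""
    stale = []
    for entry in entries:
        last_used = date.fromisoformat(entry["last_used"])
        if (today - last_used).days > max_age_days:
            stale.append(entry["site"])
    return stale


def audit(export_text, today):
    """Run all three checks and return one report dict."""
    entries = load_entries(export_text)
    return {
        "exact_reuse": exact_reuse(entries),
        "themed_reuse": themed_reuse(entries),
        "stale": stale_accounts(entries, today),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_EXPORT, date.today()).items():
        print(f"{check}: {result}")
```

Run it against your own export only on a machine you trust, and delete the export file afterwards; the plaintext CSV is exactly the kind of artefact that should not sit in a downloads folder.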

Ransom payments are an awful idea

In a nutshell, ransomware is malicious software designed to encrypt data. Threat actors then demand a ransom in exchange for decryption keys and deletion of stolen data. In practice, paying a ransom to unencrypt data or to prevent the release of sensitive information to the public can be highly problematic:

  • No guarantee – Paying the ransom does not guarantee that the attackers will provide the decryption key or that they will not release the data. Once you make the payment, you don’t have any control over the attacker’s actions. There is no enforceable contract in place. Someone has committed a serious crime, yet they expect you to trust them. Hope is not a viable strategy.
  • Encourages future attacks – Paying the ransom encourages cybercriminals by giving them a highly lucrative incentive to continue their malicious activities. It also signals to other potential attackers that ransomware is a profitable business model. Attackers will add details of businesses willing to pay to a list and sell it to other cyber criminals.
  • Deprived of vital resources to improve security posture – Paying the ransom does not address the underlying security vulnerabilities that enabled the breach. In addition, paying the ransom deprives businesses of funding to address such vulnerabilities, leaving businesses susceptible to further attacks.
  • Funds illegal activities – The funds obtained through ransom payments can finance further criminal activities, including additional cyberattacks, organized crime, and terrorism.
  • Legal and regulatory implications – Knowingly paying the ransom to cybercriminals in countries subject to government financial sanctions is illegal. Many countries have regulations prohibiting financial transactions with individuals and businesses in sanctioned countries, and sending money violates the sanctions. Paying a ransom is not an exception to this rule.
  • Payment can lead to a subscription model – Ransoms can be very high, and there is no guarantee that paying once will prevent future demands. Cybercriminals can easily make repeated financial demands to prevent sensitive data from being released and keep demanding more.

If an attack occurs, work with law enforcement, information security professionals, and insurance providers to respond to the incident. There may be a tendency to fear authorities or regulators and choose to deal with cyber criminals rather than face the consequences of allowing an attack. In practice, dealing openly and honestly with authorities and regulators is more appropriate and viable.

Social Engineering Countermeasures

Social Engineering is a technique that involves the psychological manipulation of individuals or groups to trick them into revealing confidential information, performing specific actions, or making decisions that benefit threat actors.

  • Social Engineering relies on human psychology, persuasion, and deception rather than on any technical vulnerabilities.
  • Social Engineering is often used to gain unauthorised access to systems, steal sensitive data, or facilitate other malicious activities.

Social engineering attacks come in many forms, including tailgating, several variations of phishing, and many more. At the heart of social engineering is the exploitation of human trust, empathy, and common courtesy to achieve objectives. Below are many examples, but it is worth noting that social engineering attacks can combine several factors into a single attack strategy. There are also many overlaps, but the principles remain the same: psychological manipulation and deception.

One of the more severe threats is the deployment of ransomware, which often involves a social engineering component – being a victim of a social engineering-based attack can lead to the encryption of files that require ransom payment to decrypt the files. Criminals may also gather confidential information and threaten to expose the information, for example, customer data. Ransomware, extortion and blackmail can lead to significant financial loss and reputational damage.

There are thousands of different social engineering tactics and more variations on individual themes, so it would be impossible to try and cover everything in one article.

  • Phishing:
    • Broad and indiscriminate, targeting a wide range of individuals and businesses.
    • Typically, it involves sending deceptive emails that appear legitimate but contain malicious links or attachments.
    • The overall objective is to trick the recipients into revealing sensitive information, e.g., credit card details, login credentials, or other personal information.
    • A typical example is a fake email from banks asking users to click a link and enter their account details.
  • Spear Phishing:
    • Similar to regular phishing, but highly targeted and personalised to specific individuals or businesses.
    • Threat actors research their targets and craft personalised emails that appear credible and relevant to the recipients.
    • The objective is to trick a specific person into revealing sensitive information or taking a particular action, like transferring funds or downloading malware.
  • Whaling:
    • A Whaling attack targets high-level executives and top management.
    • Like Spear Phishing, but with a focus on senior executives.
    • Threat actors create highly personalised and convincing emails.
    • The objective is to compromise the accounts of top executives, potentially gaining access to sensitive corporate data and systems.
    • A fraudulent email targeting a CEO, asking for confidential company information, is an example of whaling.
  • Vishing (Voice Phishing):
    • Targeting businesses and individuals by telephone.
    • Attackers use phone calls to impersonate trusted entities, such as banks or technical support teams, to extract sensitive information.
    • The objective is to convince victims to provide personal or financial information over the phone.
    • Examples include a scam call from someone claiming to work at your bank asking for account details.
  • Smishing (SMS Phishing):
    • Smishing targets individuals via text messages.
    • The attackers send fraudulent SMS messages containing links or phone numbers to trick recipients into revealing personal or financial information.
    • The objective is to obtain sensitive information.
    • Smishing is like phishing but using text messages instead of email.
    • A recent observed example is a text message claiming to be from a delivery service asking someone to make a payment to complete a package delivery.
  • Tailgating – gaining physical access to a restricted area by following someone with legitimate access to circumvent access control measures. This technique takes advantage of human nature and common courtesy – it is considered polite to hold doors open for people and extremely rude to close a door in someone’s face, especially when we can see they are behind us. Countermeasures include:
    • Implement robust access control measures, such as biometric scanners, key card entry systems, or security personnel, to prevent unauthorised entry.
    • Enforce strict visitor policies, including visitor registration and escort requirements, for anyone not authorised to access a facility.
    • Install surveillance cameras at entry points to monitor access and identify potential tailgating incidents.
    • Implement mantrap systems that allow only one person to enter at a time and require proper authorisation before granting access to the second door.
    • Ensure that identification badges or access cards are visible and prominently displayed by authorised personnel.
    • Educate employees about the importance of not holding doors open for unknown individuals.
  • Baiting – offering something appealing or enticing as a trap to compromise security and steal sensitive information or login credentials. Examples include:
    • Infected USB drives or storage devices are left in public areas, hoping someone will plug them into their computer out of curiosity.
    • Attackers offer free software, movies, music, or other digital content containing malware.
    • Links to fake websites or content that appear attractive or sensational but deliver malware or gather information – covered in the previous phishing examples.
    • Email attachments that, when opened, execute malicious code or install malware – also covered in previous phishing examples.
  • Pretexting – creating a fictional, convincing, plausible scenario to achieve the desired outcome. The depth of research required will depend on the overall complexity, and the approach could be any of the previous types of phishing or face-to-face scenarios. Pretexting aims to build credibility and a connection with the target. Examples include:
    • Someone pretends to be from IT support and requests access to a computer system, passwords, remote access, or a customer service representative updating account information and payment details.
    • The creation of an emergency or crisis to manipulate the target into providing information or assistance.
    • Calls about fictitious jobs to extract information about previous employers or contact details of referees.
    • Consider a block of flats, and someone needs access to one. They could use the doorbell for other apartments and say they have a parcel to deliver and that their doorbell isn’t working; also, they don’t want to leave it outside as it’s raining or on a busy road, nowhere secure. The story would sound convincing enough for a stranger to gain access to the building.
    • A more common pretexting scenario is with street beggars needing money to buy drugs or alcohol.
  • Dumpster Diving – searching through rubbish bins to find discarded items of value. The most significant concern is the recovery of discarded documents and materials containing sensitive or confidential information. Criminals may search for documents containing personal information to steal identities or commit fraud, or competing businesses may want to find proprietary information or trade secrets. Countermeasures include:
    • Businesses and individuals should use cross-cut shredders to destroy sensitive documents before disposal.
    • Where available, use secure containers to dispose of sensitive materials.
    • Establish and follow document retention and disposal policies to reduce the quantity of sensitive information that someone could find in rubbish bins.
    • Securely delete data from electronic devices before disposal.
  • Tech Support Scams – attackers claim to be from technical support teams and convince victims that their computer is infected, leading them to give remote access or pay for unnecessary services.
  • Fake Job Adverts – scammers advertise fictitious job vacancies that appear legitimate with attractive salaries, benefits, and working conditions to collect data on many applicants.
  • Rogue Software or Scareware – tricking users into downloading and installing malicious software by presenting it as legitimate software. An example is a deceptive pop-up message reporting the detection of viruses, system errors, or other security threats. It is a scare tactic that results in users downloading software to fix the problem, which may introduce more problems.
  • Romance Scams – fraudsters build emotional connections to exploit trust for financial gain.
  • Prize Scams – fraudsters tell their victims they’ve won a prize, but to claim it, they must provide personal information or pay administrative fees or taxes.
  • Invoice Fraud – attackers impersonate suppliers to trick businesses into making payments to fraudulent accounts.
  • Shoulder Surfing – physically looking over someone’s shoulder to steal information like credit card numbers, passwords, and PINs.
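The phishing entries above all turn on the same mechanism: a link that looks like it goes to a trusted site but actually goes elsewhere. The following script is an added example, not code from the original article; it extracts the links from a constructed sample email body and applies three defensive checks: is the link's registered domain on an allowlist, does the host merely contain a trusted brand name as a lookalike, and does visible link text that is itself a URL point somewhere other than the real target. The trusted domain examplebank.com, the sample message and the two-label "registered domain" rule are assumptions for the demonstration (the rule does not handle suffixes such as co.uk).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the domain the message claims to come from (hypothetical bank).
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample email body: one deceptive link and one genuine link.
SAMPLE_EMAIL = """<p>Dear customer, please confirm your details at
<a href="http://examplebank.com.account-verify.net/login">https://www.examplebank.com/login</a>
within 24 hours. Or visit <a href="https://examplebank.com/help">our help centre</a>.</p>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    # Naive two-label rule (assumption): fine for .com/.net samples, wrong for co.uk-style suffixes.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(href, text, trusted):
    """Return a list of finding tags for one link; an empty list means nothing suspicious."""
    host = urlparse(href).hostname or ""
    reg = registered_domain(host)
    findings = []
    if reg not in trusted:
        findings.append("untrusted-domain")
    # A trusted brand name buried in a host whose registered domain is not the brand's own.
    for trusted_domain in trusted:
        brand = trusted_domain.split(".")[0]
        if brand in host and reg != trusted_domain:
            findings.append("lookalike-host")
    # Visible text is a URL whose domain differs from where the link really goes.
    if text.startswith(("http://", "https://")):
        text_host = urlparse(text).hostname or ""
        if registered_domain(text_host) != reg:
            findings.append("display-url-mismatch")
    return findings


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map every href in the message to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

The checks are deliberately simple so that the logic is easy to audit; in a mail gateway the allowlist would come from your organisation's known domains and a proper public-suffix list would replace the two-label rule.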

Here is a broad range of countermeasures that you can apply to many different types of attack and that help to develop a security mindset:

  • Always verify the identity of people requesting sensitive information or requesting that you take action.
  • Consider if requests are reasonable given the circumstances or if the request deviates from standard practices or basic common sense.
  • Share only the minimum amount of personal or sensitive information necessary, and only when legally required.
  • Train employees to recognise and report suspicious requests.
  • Use Multi-Factor Authentication to add additional security to access sensitive systems.
  • Establish clear policies and procedures to verify requests for sensitive information and ensure employees follow them.
  • Curiosity killed the cat – be sceptical of offers that seem too good to be true, especially from unknown or unverified sources.
  • Use up-to-date anti-malware software to detect and block malicious content.
  • Regularly back up important data to mitigate the impact of successful attacks.
  • Turn off the auto-run feature for external devices and drives to prevent the automatic execution of malicious code.
  • Avoid distractions and be mindful of when people intentionally try to take your attention away from common sense.
  • Don’t be in a hurry to take action. The creation of a sense of urgency is a common tactic. Take time to think things through properly.
  • Do not reuse login credentials. Use different passwords across multiple accounts.
  • Develop a security mindset and a healthy level of scepticism.
  • Be vigilant in your daily interactions with people and technology.
  • Understand and implement countermeasures to mitigate risks.