Good hackers aren’t nerds holed up in their parents’ basement, hiding under a hoodie with their monitor’s light framing their hunched-over silhouette in the dim darkness, as they punch keys and send messages in 1337 5p34k.
A good hacker is someone who knows how you or I think. Someone who knows what it takes to get another person to act. Someone we’d label as “extroverted.”
A great hacker is someone who never runs any code, or breaks down firewalls. The perfect hack is tricking someone else to do the hacking for you.
Why does this matter? Because in this blog, we’re going to cover the five most common tools hackers use to break into your business’ network — and they all hinge on one common factor — your employees.
THE DREAM OF SECURITY
Every organization wants its network to be completely invulnerable to any and all hacking attempts — this is impossible, however. The only example of a completely secure network is one that has cut all connections to the outside world — otherwise, there is a vulnerability to exploit. Unfortunately, there is no way to cut ties with the outside world without severely limiting what your business can accomplish.
No matter how secure your organization’s network is, however, there will always remain one exploit in your business’s defenses, and it happens to be the most fallible of all — your employees. The vast majority of successful hacks occur due to some form of human error: a poor password, an errant click on a phishing email, or even outright being duped into giving out sensitive information.
In the world of cybersecurity, any foothold for a hacker to exploit is referred to as a point of failure. Every device, connection, server, router, switch, and user that makes up your network is another point of failure. And, as mentioned above, a hacker’s preferred point of failure is often the people that use your network.
Below, you’ll find the most common security risks businesses face today, as well as the best methods for protecting yourself from them.
1. EMAIL PHISHING
We have all heard of them. Some of us have undoubtedly experienced them. The infamous email phishing scam. And because it is such a well-known practice, most of us believe we are ready for them. This, however, couldn’t be further from the truth.
There is a reason we have listed this as the number one cyber security risk businesses face today — we still fall for them.
Unfortunately, there are few, if any, foolproof methods for defending against phishing attempts. Why is that?
It is best to think of your email inbox as the front door to your computer. As soon as you open an email, you have essentially opened the front door to the network your device is connected to. And as soon as you click on a link in that email, you welcome whatever was attached to that link into your home.
Email phishing is a scam that requires perfect vigilance to combat — and only a single click to bring everything crashing down.
There are, however, warning signs that usually crop up in these nefarious emails that you can identify to decipher the true nature of the message you’re reading:
- Not addressed to you personally
- Improper spelling and grammar
- Multiple direct links
- The address the email came from does not match your contact’s usual email
There’s also a pattern most phishing scams will follow:
- Begin with a warning that requires action from the recipient to fix
- Provide an explanation of the event that supposedly transpired
- Provide a link with the quickest fix to said problem
For example, a phishing email could contain the following message:
“Your account has been hacked. You need to change your password now before your account is terminated. Click here to change your password.”
Once the link has been clicked, depending on the nature of the phishing email, a few different events can occur. Upon clicking the link, you could inadvertently unleash a virus, giving it free rein to corrupt your device. Or the link could take you to a fake website with fields to input your current password and your new password.
Once you have input your current password, it will be captured by the hackers who originally sent the phishing email. The hackers will then use your password to access your account, and either lock you out, steal your data, or commit some other malicious deed.
There are two tactics you can use to check links if you are unsure whether the email you are reading is a scam or genuinely from a reliable source that only looks suspicious:
- Hover over the link provided, but do not click. If the URL that shows up at the bottom of your email client does not show a URL that matches up with what it should be, you are most likely looking at a phishing scam.
- Reach out to the service or business the email appears to come from yourself via your internet browser. If you do not know the website, just Google it, or even call the business.
It is always safer to reach out to the business in question yourself. In fact, this is always your best course of action — even when receiving a phone call from your bank, hang up and call them back. Phishing can even happen over the phone. The prize is your personal information. The methods of stealing that information are only limited by the channels of communication available to you.
In addition to reaching out to the business in question, always send any suspicious email to your system administrator. They will be able to give you an accurate answer as to the validity of the email you are worried about. Email phishing is the gateway for most hacking attempts — it blends the fallibility of your employees with the ease of network access, all with minimal effort on the hacker’s part.
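As an added illustration (not code from the original post), the checker below applies the warning signs listed above to a constructed sample email: it compares the sender’s domain with the contact’s usual domain, checks for a personal greeting, counts links, and performs the “hover, do not click” comparison between a link’s visible text and its real destination. The sample message, the expected domain example-bank.com and the recipient name “Pat” are all made up for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure; every domain, address and name here is made up.
SAMPLE = """\
From: "Example Bank Support" <support@examp1e-bank-alerts.com>
To: pat@example.com
Subject: Your account has been hacked
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>You need to change your password now before your account is terminated.</p>
<p><a href="http://198.51.100.7/reset">https://www.example-bank.com/reset</a></p>
<p><a href="http://examp1e-bank-alerts.com/login">Click here</a> to change it.</p>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> tag in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_warning_signs(raw, expected_domain, recipient_name):
    """Return the warning signs from the post that the message triggers.
    expected_domain and recipient_name are assumed to be known to the reader."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    signs = []
    sender = msg["From"].addresses[0].domain.lower()
    if sender != expected_domain:                   # address differs from the usual one
        signs.append("sender domain mismatch: " + sender)
    if recipient_name.lower() not in body.lower():  # not addressed to you personally
        signs.append("not addressed personally")
    collector = LinkCollector()
    collector.feed(body)
    if len(collector.links) > 1:                    # multiple direct links
        signs.append("multiple links: %d" % len(collector.links))
    for href, text in collector.links:              # the "hover, do not click" check
        if "://" in text or ("." in text and " " not in text):
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            actual = urlparse(href).hostname or ""
            if shown != actual:
                signs.append("link text %s points at %s" % (shown, actual))
    return signs
```

Running `phishing_warning_signs(SAMPLE, "example-bank.com", "Pat")` flags all four signs for the sample, including that the link showing www.example-bank.com actually points at 198.51.100.7.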
2. RANSOMWARE
The only reason ransomware has not claimed the top spot on this list is the omnipresent problem presented by phishing. Out of all the security risks, however, ransomware might just be the most dangerous — and it is by no means a rare occurrence.
Rather than being outright destructive like a virus (which we will cover later), ransomware does not infect your network or device in order to cause a loss of revenue — it turns your files and data into revenue. And worst of all, your business is stuck footing the bill. Here is how it works:
- The device or network is infected (the culprit usually being a phishing email)
- Malware is installed, and then embeds itself into the system
- The hacker will send a message demanding payment before removing the malware
There are various methods of infecting devices with ransomware:
- Malspam (covered below)
- Malvertising (covered below)
There are also multiple types of ransomware, designated by degree of severity and what course of action they force the victim to take:
SCARE TACTIC RANSOMWARE
Usually appearing as annoying pop-ups, though on your desktop itself, scare-tactic ransomware will display mildly annoying and mildly threatening messages warning you of a virus that has infected your device. The message will usually demand that a payment be sent via a link, and claim that doing so will solve the issue.
This brand of malware is designed to trick users into believing the malware is actually helping them. By masquerading as anti-virus software, this type of malware can easily propagate in a system that is used by employees who lack the knowledge necessary to determine the true nature behind the messages displayed on their device.
Because of this, scare tactic malware can often be difficult to pin down, as users may actually engage with the malware, or simply ignore it, allowing the malware to infect other devices on the network.
SCREEN LOCKER RANSOMWARE
This nasty version of ransomware will completely lock you out from accessing any device it has infected. As soon as you turn an infected device on, you will be met with a single screen — usually claiming that your device has been locked by the NSA or FBI due to illegal activity — and that the only way to unlock your computer is to pay a fine. This, of course, is completely false, and paying this “fine” often won’t resolve the problem.
Screen locker malware preys on victims using the same methodology as scare tactic malware — tricking users into believing the malware is helping them solve the issue. A user with limited knowledge concerning data and privacy laws may assume they have indeed broken a law, and rather than reporting the problem to their IT department, will attempt to solve the issue on their own.
Hackers are smart, and after receiving a payment from an infected device, will temporarily turn off the malware that has infected that device — only to re-infect the device at a later date, ensuring a steady stream of incoming money. This can go on for long periods of time, especially when an employee is unsure whether they have actually broken a law, and is doing their best to hide “evidence” from their IT department.
ENCRYPTION RANSOMWARE
Out of all ransomware, this is the most dastardly. After your computer is infected, over the course of hours, days, or even weeks, malware will sift through your files in order to find sensitive or confidential information. Then, the files will be encrypted with a key you do not have. Essentially, this prevents anyone from accessing those files without the encryption key, meaning your business will lose access to any file encrypted by the malware.
Finally, the hacker will reach out to you, demanding payment before providing you with the key — and due to the nature of encryption, without the key, you are out of luck, and unable to access your data.
This is why ransomware is so dangerous. Often, your only avenue of action is to give in to the demands of the hacker — but that does not always guarantee your business will gain access to those files. Often, hackers will demand extra payments, and sometimes will simply take a payment and run without delivering on their end of the bargain.
Encryption ransomware is not always used to lock your organization out of important or sensitive files. Sometimes, ransomware is used to interrupt a service your business provides, such as a recent ransomware attack on GPS giant Garmin. After the ransomware had infected Garmin’s network, all GPS devices connected to that network were rendered inoperable, leaving users without access to the service they had paid for.
Not only did Garmin have to pay the hackers to remove the lock placed on their GPS services, the company also had to apologize to its customers, and perform some heavy-duty brand beautification — creating a costly scenario for Garmin.
While it is sometimes possible to decrypt files with specialized tools, and to rid your system of the malware that supports the ransomware with a diligent sweep of your network, the best defense against ransomware is a robust backup solution, or avoiding infection completely.
3. SOCIAL ENGINEERING
Just as a mechanical engineer will design a vehicle to transport someone from point A to point B, a hacker will design scenarios that trick your employees into divulging sensitive information. Hackers will use every vulnerability in your network to their advantage — including those that live outside the digital realm.
Social engineering focuses on using people’s trusting nature against their own interests and those of your network. There is no exact definition of social engineering, because it can happen in any setting — on the internet or over the phone, at professional events or client meetings, during service calls or cocktail parties.
In its purest essence, social engineering is the act of creating a bond of trust with someone in order to gain information you would otherwise be unable to access. The vehicles of implementation are myriad, but the result (if successful) is always the same: your data is stolen to the benefit of someone else.
Sometimes, the vehicle is a phishing email telling an employee to change their password due to an insecure account. Sometimes, it is a helpful stranger reaching out via LinkedIn or Twitter, who only needs access to one data point in order to improve an aspect of your business.
Other times, it is a confident “service tech” who “only needs to access your server room for a few minutes - sorry, I’m behind schedule, don’t have time to check in, I just need to install one thing. Again, sorry, but I’ve gotta rush - my boss is gonna kill me if I don’t have this done in time.”
As mentioned above, hackers design specific scenarios in order to conduct social engineering — an occurrence that seems benign, but is intentionally designed to dupe your employees. These scenarios can range from simple conversations that invite an employee to lower their guard to a time-sensitive, stressful encounter that will end as soon as the employee gives the hacker access to the information they need.
No matter what situation social engineering occurs in, however, it is designed to be indistinguishable from any other social interaction. The better a hacker is at social engineering, the less noticeable their social engineering attempt will be.
Social engineering can lead to a lot of different outcomes, such as installing ransomware or malware, or even outright stealing company data. Regardless, it is never good for your business.
While not entirely the same as social engineering, “dumpster diving” is often used in conjunction with social engineering attempts. This less-than-pleasant epithet refers to a hacker sifting through your business’ trash to find any sensitive information printed or written on physical documents.
This information can be used to gain access to your network. Or, it can be used to create a scenario in which the hacker disguises themselves as an outside contractor, using knowledge gleaned from your discarded documents to present a believable story that will grant them access to your office, which they can then use to gain access to your network.
To keep dumpster diving from taking down your business, always make sure to properly dispose of any printed document — and keep track of who is printing what with print management software.
4. KEYLOGGERS
Keyloggers are a hacker’s dream, and your network’s nightmare. These nefarious tools log every keystroke you input into your device — meaning everything your employees type, such as emails, spreadsheet data, social PMs, RFPs, and passwords.
If a device is infected with a keylogger, any and all inputs are collected and sent to the hacker the keylogger belongs to — allowing the hacker to passively collect information that belongs to your business.
If a device is infected, any input is visible to the hacker. The implications of such a tool are truly chilling — without your employees ever knowing, their personal information can be stolen and used for someone else’s benefit.
There are as many ways to install a keylogger as there are ways to infect a device — whether that be malware, a link in an email, an errant download, or even a USB drive. While there are methods of removing a keylogger, the best defense against them, like all the risks listed throughout this blog, is to avoid them altogether.
Keyloggers are especially dangerous because they capture all of the data that is input on your network — including passwords, access codes, email addresses, client data, and proprietary information.
5. MALWARE
Last, but most certainly not least, we have come to malware. “Malware” is a generic term for any virus or program that infects your computer to the benefit of the hacker from whom the malware originated. Below, you will find two types of malware: malspam and malvertising.
Malspam is very similar in both fashion and implementation to phishing — but rather than convincing you to click a link in order to steal your information, malspam is used to provide the avenue of infection. If you are tricked into downloading a file, or clicking a link that leads to a malicious website, your device will be infected with the malware. After that, what happens is anyone’s guess — malware is as versatile as there are combinations of binary.
Malvertising is simultaneously more intricate and simpler than malspam. Malvertising makes use of what are called “iframes,” the HTML frames that embed advertisements, and their invisible boundaries, inside a web page. Hackers will create an iframe that covers more real estate on your screen than the ad you see, and thus “catch” your click without you even noticing. Once you click on this invisible link, your device will connect to a server that will infect your computer with whatever piece of malware is on that server.
The best defense against this is to only visit sites you trust, and only give your email out when you trust the site you are giving it to. Malware is undoubtedly the most straightforward of all of the security risks listed throughout this blog — but it can also be the most damaging to your business. Malware is often designed to simply damage a system as much as possible, with little intent to steal data from your business.
Due to the straightforward nature of malware, it is often the easiest security risk to detect, and most forms of malware can be defended against by using robust and up-to-date anti-virus software. Do not assume malware is simple to stop, and allow your business to become complacent — malware, once it has infected a network, is fast acting and pervasive.
THE BEST DEFENSE AGAINST THESE 5 THREATS
You just read a lot about the different tools hackers use to break, steal, and cause general mayhem throughout your business and its network. So, what can you do to prevent it?
Well, remember how we discussed how effective phishing emails are, largely due to the fact that users (your employees) are fallible? There’s a solution: security awareness training.
What is security awareness training? Essentially, security awareness training is a program you can sign up for to safely test your employees’ security habits. There are many ways to implement a security awareness training program, but the following list is a standard setup you can expect:
- Provide preliminary training on cybersecurity tips for employees
- Set up a phishing test with your IT team
- Send out (fake) phishing emails to employees (without them knowing they are fake, or expecting them)
- Collect data on who interacts with the test emails
- Re-train employees who interacted with the email in a way that would have led to a breach
Through your security awareness training program, these steps can be repeated as many times as necessary, and it is recommended that your company and employees go through these five steps at least once every year. Security awareness training also covers other security risks, like malware, and ransomware.
By constantly imparting this threat knowledge to your employees, you help ensure they stay vigilant against the hackers trying to trick them and play on their politeness every day.
Want to learn more? Head over to our blog for everything on cybersecurity.