Threats

Threats to the security of an organization are not limited to only attackers and malware that threaten computer systems and networks. A threat is anything that could potentially exploit a weakness or vulnerability in virtually any part of an organization. A threat can come from humans, the weather, and even the environment. The threat that an attacker will exploit a vulnerability to upload malware to your network server is no less a threat than a hurricane damaging your data center located on a beach in Florida or on an EPA toxic waste site. The point is that threats to computing systems, clients and servers, can come from anywhere, including the owners and operators of the system.

Ownership

The existence and mitigation of a vulnerability may be the responsibility of a system’s administrators, but the ownership of the vulnerability and the results of its exploitation belong to the senior management of the organization. In a majority of instances, an attack is more damaging to the organization overall than just the data being accessed, stolen, or damaged.

On its website, PCH Technologies (https://pchtechnologies.com) reports the following for 2020:

  • Smaller companies (fewer than 50 employees) averaged $24,000 of loss per incident.

  • Mid-sized companies (fewer than 250 employees) lost an average of $50,000 per incident.

  • Larger companies (fewer than 1,000 employees) averaged $133,000 per incident.

  • Enterprise organizations (more than 1,000 employees) lost an average of $504,000 per incident.

The average amounts of loss in this list aren’t suffered only by the Information Systems departments. Rather, these losses impact an entire company. This, if for no other reason (and there are other reasons), is why the responsibility and ownership of threats to the organization and its systems start at the top with the most senior managers.

Threat Actors

You know that a vulnerability presents an opportunity for exploitation that could be carried out by a threat actor. A threat actor is an attacker who attempts to gain access to a computer or a network, most likely for a devious, criminal, or destructive purpose. When a vulnerability is exploited by a threat actor, it becomes an attack vector, the point of attack for the attacker.

Threat actors can be categorized by their motivations, objectives, and, in many cases, methods. Some of the more common categories of threat actors are the following:

  • Cyberterrorists—Unlike hackers that have a political, religious, or national cause, cyberterrorists are mainly focused on disruption and destruction. Terrorists aren’t new to the world, and cyberterrorists are just terrorists using computers. Their primary goals remain the same: to cause harm and devastation.

  • State-sponsored—This category of threat actors is essentially an extension of the government or organization that funds and directs attackers’ actions and targets. State-sponsored, also known as government-sponsored, threat actors access data to steal or capture intellectual property, classified information, and money as directed by the sponsoring government or agency.

  • Cybercriminals—Criminals in cyberspace are not any different than criminals anywhere. Cybercriminals are looking to steal valuable data, money, and PII for the sole purpose of financial gain. Salable content is typically sold on the black market or dark web. Their methods may also include the use of malware or ransomware to extort money from a target.

  • Hacktivists—Often likened to crusaders, a hacktivist seeks to expose confidential or secret information to the world to create awareness. For example, hacktivists supply confidential information to the Wikileaks website.

  • Insiders—Network and system users and other company employees cause nearly one-fourth of all attacks. These attacks, whether intentional or not, are mostly misuses of access rights or permissions and can be the result of human error, phishing, malware, or stolen or captured credentials. An insider is a threat actor who is a current or former employee, a contractor, supplier, or anyone who has had authorized access to the system, network, and especially, data.

  • Script kiddies—A beginning hacker may not have the knowledge, tools, or methods to launch an attack on a website or network server. This beginner, a script kiddie, finds and uses existing tools or scripts on the web that were developed by those-who-came-before. In many cases, the script kiddie does not even know what the script will do, but the fun is in the attempt and the self-satisfaction of becoming a hacker.

Social Engineering

Not all threats require gaining access to a system. Some attacks may be physical, such as break-ins or vandalism; others are aimed at getting a user’s PII or at making a reader believe a fabricated story and give money or access to the sender. In general, these threats are categorized as social engineering, which involves a human interaction that results in one party performing an action he or she would not normally do.

Social engineering attacks bypass technical controls to take advantage of human kindness or the desire to be helpful. Social engineering threatens employees of an organization and can also extend to outsiders. Social engineering aims to trick people into revealing PII or other sensitive data, such as passwords or credit card information. A common attack attempts to get a user to give up his or her passwords or other private information via email, shoulder surfing, or other types of subterfuge to get information.

Many forms of social engineering can be used to gain information. Following are some of the more prevalent forms:

  • Baiting—This social engineering attack attempts to lure someone into disclosing PII or security credentials using a something-for-nothing or a too-good-to-be-true offer.

  • Dumpster diving—This social engineering method is less prevalent today than it was when computer outputs were mostly printed documents or reports. It can be successful because a surprising amount of personal information is discarded carelessly. Dug out of a trash barrel or a dumpster, it can easily end up in the hands of the wrong people. Dumpster divers look for paperwork, reports, and writing tablets, but also for removable storage devices and hard disk drives.

  • Honey trap—An attacker pretends to be romantically or sexually interested in a victim and entices her or him into an online relationship, which is carried out up until the victim discloses confidential information or pays, lends, or gives the attacker a sum of money.

  • Phishing—The “ph” at the beginning of this social engineering attack’s name reflects its origins as a “phone” scam. A phishing attack is another social engineering scheme that deceives people into involuntary actions, such as downloading malware or navigating to a spoofed website. Phishing scams are becoming commonplace on social networking sites. Attackers attempt to acquire personal, sensitive, or confidential information by masquerading as a friend or colleague. The purpose of the attack is to gain PII, such as credit card numbers, username/password credentials, or bank account information. Three variations of phishing are angler phishing, which uses spoofed customer service accounts to lure in victims; spear phishing, which targets a specific individual or group; and whaling, which is actually a variation of spear phishing that specifically targets senior executives of a company or organization.

  • Pretexting—Pretexting is basically impersonation in which an attacker pretends to be somebody else to gain the trust necessary to get PII from the target. Common pretexting attacks involve the attacker claiming to be a network administrator, a security office member, or even a coworker or friend.

  • Scareware—This form of social engineering inserts malicious code into a webpage that causes pop-up windows with flashing colors, alarms, and threatening messages to appear, claiming that your system has a virus or an out-of-date application and that immediate action is required. You are told to purchase and install security software or an updated application using your credit card and PII. Some of these pop-ups simply disappear afterward, but many install real viruses on your system.

  • Shoulder surfing—This social engineering method is used to gain PII and login credentials through observing another user by looking over his or her shoulder. It is included here in the context of office computers and workstations, but this method is also used on automatic teller machines (ATMs) and other cash withdrawal devices.

  • Watering hole—In a watering hole attack, an attacker infects a legitimate website that a target is known to visit, much like a water hole in the desert attracts animals. When the target logs onto the website, the target’s credentials and other PII are captured. The attacker can then use the captured information to breach the target’s network to steal data or install malware.

Antisocial Defense

In the world of network security, most attacks can be prevented and managed through security-oriented administrative procedures and the use of secure protocols, security devices, and firewalls. However, in the majority of social engineering attacks, such as phishing and its variations, user education is the best line of defense.

Some preventive steps are recommended to stop, limit, or reduce attacks:

  • Double-check the sender’s address on any email or message asking for any personal information.

  • Do not click on any hypertext link within an email that is asking for any form of your PII. Instead, search on the name of the requesting entity to learn who or what it may be and if you believe it to be reputable. Remember that government agencies, financial institutions and other regulated institutions do not ask for PII by email.

  • Never enter PII into a pop-up screen.

  • Keep spam filters, antivirus, anti-spyware, and firewall software or hardware current with dictionary and database files or firmware.

  • Only open email attachments from trusted sources.
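To make the first two checklist items concrete, here is an added example (not from the original text) that screens a single-part text email for the indicators above: a sender address outside the organization it claims to represent, a Reply-To pointing elsewhere, links outside that organization, and a request for PII. The bank name, domains, sample messages, and PII phrase list are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases that signal a request for PII (a constructed list for this example).
PII_REQUEST_TERMS = ("password", "social security", "credit card",
                     "account number", "date of birth")
LINK_RE = re.compile(r"""https?://([^/\s"'>]+)""", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    # Last two labels (mail.example.com -> example.com); ignores suffixes like co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]

def domain_of(address: str) -> str:
    return registrable_domain(address.rsplit("@", 1)[1]) if "@" in address else ""

def screen_email(raw: str, expected_domain: str) -> list:
    """Warnings for a single-part text email; expected_domain is the domain of
    the organization the reader believes sent it. Empty list: nothing fired."""
    msg = message_from_string(raw)
    text = "" if msg.is_multipart() else msg.get_payload().lower()
    expected = expected_domain.lower()
    warnings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. Sender address does not belong to the organization it claims to be.
    if from_domain != expected:
        warnings.append(f"sender {from_addr} is not @{expected}")
    # 2. Reply-To routes answers to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"Reply-To {reply_addr} differs from sender domain")
    # 3. Links point somewhere other than the expected organization.
    for host in LINK_RE.findall(text):
        if registrable_domain(host) != expected:
            warnings.append(f"link to {host} is outside {expected}")
    # 4. The message asks for PII, which regulated institutions do not do by email.
    hits = [term for term in PII_REQUEST_TERMS if term in text]
    if hits:
        warnings.append("asks for PII: " + ", ".join(hits))
    return warnings

# Constructed sample: styled as a bank notice but fails every check.
SUSPICIOUS = """From: "First Example Bank" <alerts@firstexample-secure.info>
Reply-To: verify@mail-checker.example
Subject: Urgent: confirm your account

Your account is locked. Confirm your password and credit card number
at https://login.firstexample-secure.info/verify within 24 hours.
"""

# Constructed sample of a legitimate notice from the same bank.
BENIGN = """From: "First Example Bank" <alerts@firstexample.com>
Subject: Your statement is ready

Your monthly statement is available after you log in at
https://www.firstexample.com/statements
"""
```

Calling screen_email(SUSPICIOUS, "firstexample.com") returns four warnings, one per check, while the benign notice returns an empty list.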

Identity Theft

Identity theft occurs when a cybercriminal acquires and uses your PII to masquerade as you, typically online, but it can go offline as well. The perpetrator may use your information to secure identification in your name, take out a loan, access and use various accounts, participate in online gambling, apply for jobs as you, and carry out whatever financial and other transactions your information permits. The PII that an identity theft cybercriminal is after includes, but is not limited to, your name, credit card and bank account numbers, date of birth, home and work addresses and telephone numbers, Social Security account number, and especially your driver’s license number and information.

A cybercriminal with only one bit of this information cannot do much damage to you. However, by gaining two or more of your identifiers, a criminal may have enough information to take on your identity and use it online. Your PII should not be shared online where others could access it. Never transmit any personal information over an unsecured wireless connection, especially not over a public hot spot.

Cybercriminals have any number of creative ways to access and harvest your private data all at once or one piece at a time, and they need only a couple of PII values to begin to steal your identity. Remember that a cybercriminal cannot discover, access, harvest, or use information that does not exist openly on a public network.

Maintaining your privacy and controlling your personal information are critical for staying safe online. It is not just you that must exercise caution and security, but everyone in a household must also exercise the same best practices for sharing and storing sensitive data online. One often overlooked reality is that if a computer is shared in the home or office, an attacker can surreptitiously install or trick you into downloading a keystroke logger or another type of malware. Once compromised, anyone who uses the infected computer is at risk.

Malware and Ransomware

Malware is the short form of “malicious software,” which is software developed for encrypting, stealing, damaging, or destroying the data of a targeted individual or organization. Beginning in 1971 with the virus “Creeper” and the antivirus “Reaper,” the battle between attackers and defenders has grown: the attackers have become a greater threat than ever, and the defenders have become a multi-million-dollar industry.

The range of the software that falls under the umbrella of malware spans from nuisances and hoaxes to stealth capture to data destruction to system-seizing ransomware. As malware has progressed and grown more malicious, anti-malware publishers continuously update their software to keep pace and keep their customers safe. The role of users in this raging battle is to be aware of how malware is spread, how to protect their systems, and the best practices for recovery in the event of a catastrophic attack.

Viruses

Although the terms are frequently used interchangeably, a virus and malware are two different things, mostly. A computer virus, as opposed to the flu or COVID, is malware that has a specific function or objective. A virus is able to spread by making a copy of itself and inserting the copy into otherwise legitimate nonvirus software or files. Back in the day of floppy disks, a virus would attach itself to a file on the disk and jump to the next computer(s) in which the disk was inserted. Viruses have continued to use this method of contagion on other forms of removable media. However, along with the introduction of new technologies, viruses have found new ways to spread: through webpage content, especially graphics; through flash drives; and as attachments to email. In most cases, viruses depend on a computer’s user to activate them to do their damage.

While many forms of viruses exist, most can be classified in one of three groupings:

  • File corruptors—This type of computer virus penetrates executable files to infect a standalone computer or spread across a network. Some file corruptors or infectors can overwrite an operating system and erase or reformat its secondary storage.

  • Macro viruses—This type of virus is written in the same macro language used in application programs that support the use or creation of macros. A macro virus attaches itself to a macro-enabled document and runs whenever the document is opened. Macro viruses are commonly transferred as a compressed (zip) email attachment with a curiosity-invoking filename.

  • Polymorphic viruses—Polymorphic refers to an object being able to assume different identities, shapes, and sizes. A polymorphic virus has the capability to modify its own coding while retaining its original algorithm. It can also copy, encrypt, or change its filename and file extension to hide itself from anti-malware programs.

Following are some of the more common types of viruses:

  • Keylogger—A surreptitious program that records the keystrokes entered from a computer’s physical keyboard. The collected data are sent to the attacker for extraction and analysis.

  • Rootkit—Software that enables other malicious programs to be loaded onto your system.

  • Trojan horse—A malicious program that appears to be a legitimate program but is generally a backdoor virus that allows an attacker to gain access to an infected computer and a user’s PII. This type of virus is considered one of the most dangerous viruses.

  • Spyware—As its name implies, this type of virus captures and stores an unaware user’s web activities. The stored information is uploaded to a source, human or computer, which generates a stream of ads and pop-ups to the user.

  • Worm—Standalone software that replicates itself to target operating system files and runs until it has emptied a disk drive of its contents. Unlike a virus, which attaches itself to another file, a worm resides in its own container.

The various types of viruses and malware have varying levels of consequence. For most forms of malware, an up-to-date virus scanner is effective at detecting and blocking and/or removing the malicious software. Malware is a moving target, constantly being altered to avoid detection. Of course, if the virus definitions on your system are outdated, they will not be able to detect and remove the newest malicious software from your system.

Malware

Malware is a collective term for every type or form of malicious software, all of which has the same overall objectives. In general, malware is focused on one or more of the following outcomes:

  • Copying or destructing sensitive or proprietary information

  • Harvesting credit card and other financial data

  • Infecting a computer or network to collect valuable information or to mine for cryptocurrency

  • Seizing control of one or more computers to launch denial-of-service attacks on remote networks

  • Using deception to harvest PII from a targeted victim

Malware Types

Just as there are different types of malware, a variety of attack methods are used by the different malware types. Following are the more common types of attacks:

  • Blended threat—Different types of malware are packaged as a group to discover and exploit different types of vulnerabilities.

  • Evasion—This is less a type of attack and more of a survival tactic used by some malware to avoid detection and removal by anti-malware systems.

  • Escalated privilege—This type of malware allows an attacker to raise the permissions and rights of the account being used for the attack.

  • Exploit—A vulnerability is discovered and attacked by one or more forms of malware.

  • Zero-day—An undisclosed vulnerability or flaw in an operating system or application program that an attacker has discovered and exploited prior to it being made public.

Malware Movement

Malware moves or replicates itself in a variety of different ways, which include the following:

  • Defect vulnerabilities—A defect or omitted feature in an operating system or application software that can be attacked by malware.

  • Network homogeneity—Malware jumps from one computer on a network to another computer on the same network that is running the same operating system.

  • Open doors—An intentional opening or an unintended flaw in an operating system or application software that can be used to access its source code. Also known as a backdoor.

  • Unintended download—A user unknowingly downloads a file to which malware is attached or embedded from a website.

Ransomware

The concept of ransom is not complicated: take away something someone values and then make that someone pay a relatively large sum of money or something of great value to regain that something. This is essentially the same idea behind an encryption or locker attack that has come to be generally known as ransomware.

The most commonly used type of ransomware is an encryption attack that encrypts specific important documents or data or the entire hard disk drive. If the attack targets certain documents, those documents are replaced with encrypted copies; if the attack encrypts the entire hard disk, everything, programs and data, is locked up. After the attack has encrypted the targeted resource, the attacker requests a ransom payment. When the ransom is paid, the encrypted resources are usually decrypted. The requested ransom is typically some form of untraceable currency, such as cryptocurrency or a prepaid debit or credit card.

Ransomware gets onto a system in much the same way any malware gets on a system. It could be downloaded in a corrupted file or document or received as an email attachment. The attacker likely spoofs the sending address to an internal user or a generic address from a trusted organization.

Most of the better-known anti-malware software packages now include protection against ransomware. However, having the ability to completely reformat the affected computer, do a clean install of the operating system and applications, and restore the data files from a very recent backup is perhaps a better recovery plan. New versions of all malware types tend to stay ahead of the anti-malware software, even if only by a few days.
