Understanding the tactics and techniques modern cybercriminals use, and how data breaches affect organizations, matters because those techniques are routinely used to bypass cybersecurity defenses and catch organizations off guard.
Cybercriminals are for the most part smart, and the successful ones constantly alter their hacking techniques to bypass increasingly advanced cyber security technical controls. This allows them to deliver credential phishing attacks, business email compromise, and different forms of malware to unsuspecting corporate users. The unfortunate part is that most employees click without thinking twice about it.
How Do Data Breaches Affect Organizations?
An organization can suffer in many ways when it falls victim to a data breach, one of which is dealing with the huge potential financial repercussions coming down the pipe.
With the recent change to the Canadian Privacy Act, there is a wide range of costs associated with a data breach, such as paying back any money taken as a result of the breach, compensating affected clients or consumers, a drop in share value, and paying for the right protection to ensure a data breach does not happen again.
More information: Canadian Privacy Breach Notification Rules Changed November 1, 2018
After the fines are paid, the breached organization must also deal with reputational damage. Data breaches have a massive negative impact on an organization’s client base, particularly if the breach involved sensitive personal data. Clients lose confidence in the brand because they no longer feel their data is secure. A public data breach will also put off potential new clients.
The impact of a data breach is tied to the type of data involved. If confidential data has been exposed, it can have catastrophic effects in many ways. If personal and financial details of staff and customers are breached, those people are left open to the risk of identity theft, financial loss, and much more.
Your security is only as strong as your weakest link, so we are offering a quick security awareness user training video to share with your organization. This 7-minute video can save you a lot of headaches.
According to the Cofense Phishing Defense Center, their researchers analyzed data and found the following:
- They analyzed 31,429 malicious emails sent between Oct. 2018 and March 2019
- Approximately 23,195 of them included credential phishing attacks
- Another 4,835 included malware delivery
- Over 2,681 of them contained a business email compromise
- A small number, 718, contained some form of spam
- The emails used subtle tactics such as changed file types, shortened URLs, etc.
As part of their Cofense Phishing Defense Center 2018 report, they analyzed nearly 1.5 million user-reported emails.
The report produced some alarming numbers, including the following:
- 55,404 credential harvesting attacks
- 27,501 campaigns delivering malicious attachments, including abuse of file-sharing services
- 4,152 business email compromise (BEC) attacks
The reality here is that these emails are easily bypassing technologies such as email gateways and spam filters, turning employee mailboxes into ticking time bombs.
Many managed IT services providers and IT departments continue to actively make simple adjustments to their cyber security measures, but the real question is whether those adjustments will work.
Credential-phishing emails use fake login pages and are tough to stop at the gateway because the associated infrastructure often does not look malicious. Some phishing or malware campaigns are well disguised and send email from genuine Microsoft 365 or G Suite tenants using compromised credentials, or sometimes even legitimate accounts. A fake login page hosted on Microsoft infrastructure is “nearly impossible” for most users to distinguish from the real one, even some tech-savvy ones.
Cyber security researchers have reported that many secure email gateways do not scan every URL; many of them focus on the type of URLs users actually click. As more phishing attacks leverage single-use URLs, the organizational risk grows. Cyber criminals only need one set of legitimate credentials to break into a network, which is why credential phishing is a popular cyberattack technique.
Cloud adoption and cloud services are changing the game for cyber attackers hunting for employee login data. Businesses are shifting the location of their login pages and, consequently, access to network credentials. This adds a layer of protection, but it does not mean cyber criminals have given up.
It is important to understand that as organizations continue to move to cloud services, cyber criminals are constantly going after their cloud credentials. Cyber criminals are also using popular cloud services such as SharePoint, OneDrive, and Windows.net to host phishing kits. Once they obtain the user credentials, they are able to log into the hosted service as a legitimate user. Many times, they stay there watching for an opportunity.
It is not a simple task for organizations to stay ahead of these cyberattacks. It is difficult for IT departments and managed IT services providers to defend against cloud-based threats because visibility into cloud logs differs from that of on-site infrastructure. Many organizations engage cloud providers but fail to review the security details needed to ensure their monitoring and visibility needs are met.
Most cyber attackers use different file types to bypass the attachment security controls of email gateways in order to deliver payloads. As an example, cyber security researchers point to when Microsoft Windows 10 changed file handling for .ISO files, which gave hackers an opportunity to shift away from the .ZIP or .RAR files that were usually inspected by security tools. They also reported that in April 2019, some unnamed cyber attackers started to rename .ISO files to .IMG, thereby successfully transmitting malware through secure gateways and other security measures.
How does this cyberattack cheat the system?
Cyber Attack # 1 – Bypassing the email gateway or spam filter
The email gateway or spam filter sees this attachment but does not inspect it the way it would a .ZIP or .RAR. The recipient can download the file to the device, where Windows 10 treats it as an archive and opens it in Explorer. This allows the victim to click the contents of the attachment. Basically, nothing in the malware changed, just the file extension.
There is an ever-growing challenge in defending against these types of cyber threats because there are legitimate attachment types you cannot block without disrupting the business. For example, PDF files may contain links to malicious websites that spoof a login page to capture user login credentials. The unfortunate part is that organizations cannot blindly block these file types, or it will grind everything to a halt.
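A gateway that types an attachment by its bytes rather than its extension still recognises a renamed .ISO as an image to be opened and scanned. The check below is an added example, not code from the original post; the magic values are standard, and treating .img as an ISO 9660 image is an assumption made for this check.

```python
"""Added example: type an attachment by its bytes, not by the extension the sender chose.
A renamed .ISO keeps its ISO 9660 volume descriptor, so content-based typing still
sees an archive-like image. Magics are standard; .img -> iso9660 is an assumption."""
from dataclasses import dataclass

ISO9660_PVD_OFFSET = 0x8000   # volume descriptor lives in sector 16 (2048-byte sectors)
ISO9660_ID = b"CD001"         # standard identifier at byte 1 of that descriptor

# Leading-byte signatures for formats a gateway normally cares about.
MAGICS = [
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy Office documents
]
# What each extension claims to be (assumption: .img treated like .iso).
EXT_TYPES = {"zip": "zip", "rar": "rar", "pdf": "pdf", "doc": "ole",
             "xls": "ole", "iso": "iso9660", "img": "iso9660"}
ARCHIVE_LIKE = {"zip", "rar", "iso9660"}   # containers whose contents must be inspected

def detect_type(data: bytes) -> str:
    """Return the content type implied by the bytes, or 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    start = ISO9660_PVD_OFFSET + 1
    if data[start:start + len(ISO9660_ID)] == ISO9660_ID:
        return "iso9660"
    return "unknown"

@dataclass
class Verdict:
    filename: str
    declared: str             # type claimed by the extension
    detected: str             # type found in the bytes
    mismatch: bool            # extension disagrees with content
    inspect_as_archive: bool  # route to archive/container scanning

def classify_attachment(filename: str, data: bytes) -> Verdict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TYPES.get(ext, "unknown")
    detected = detect_type(data)
    mismatch = detected != "unknown" and declared != detected
    return Verdict(filename, declared, detected, mismatch, detected in ARCHIVE_LIKE)

def make_fake_iso() -> bytes:
    """Constructed sample: an empty image carrying only a primary volume descriptor."""
    return b"\x00" * ISO9660_PVD_OFFSET + b"\x01" + ISO9660_ID + b"\x01\x00" + b"\x00" * 2040
```

Calling `classify_attachment("invoice.img", make_fake_iso())` yields `inspect_as_archive=True`, so the renamed image is routed to the same content scanning a .ZIP would get, and `classify_attachment("report.pdf", b"PK\x03\x04...")` flags an extension/content mismatch.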
Cyber Attack # 2 – Welcome to “installation-as-a-service” cyber threat
Cyber attackers have a trick up their sleeve: it’s called “installation-as-a-service”. Using this service, they can pay to have malware installed on a machine or a group of machines anywhere in the world. One example is Emotet, which started as a banking Trojan. It gained popularity as a loader for other malware as the cyber criminals transformed Emotet into a complex bot responsible for several functions.
Over 45% of cyber attackers who sent malware via malicious attachments in the past year had a strong preference for exploiting a Microsoft Office memory corruption vulnerability. In previous years, they used malicious macros, which only accounted for 22% of malware delivery tactics this past year.
A recent global survey of over 1,000 IT security decision makers released some alarming numbers:
- 64 percent believe they have had either a direct or indirect breach due to employee access in the last year
- 62 percent believe they have had a breach due to vendor access
- 82 percent believe employee behavior continues to be a challenge for their organizations
- 60 percent stated writing down passwords is an issue
- 58 percent stated that colleagues sharing passwords with each other is an issue
Believe it or not, geographical location makes a difference:
- 20 percent of UK businesses are worried about employees downloading data onto a memory stick
- 42 percent of businesses in the Asia Pacific (APAC) region feel the same way
- 71 percent of organizations agree that they would be more secure if they restricted employee device access
Unfortunately, restricting employee device access is not usually realistic or conducive to productivity.
Organizations face the struggle of addressing both internal employees and third-party vendors, since both need privileged access to do their jobs effectively. They need this access granted in a way that does not impede productivity or security. Cyber threats are growing, and there has never been a greater need to implement organization-wide strategies and solutions. Privileged access needs to be managed and controlled in a way that fits the organization, its users, and its third-party partners.
What are some more alarming stats for cyber security and data breaches?
- Some organizations surveyed reported an average of 182 vendors logging in to their systems every week
- With large organizations over 5,000 employees, 23 percent say they have more than 500 third-party vendors logging in regularly, highlighting the extent of risk exposure.
- Trust in vendor access is now lower than trust in employee access
- Approximately 25 percent of organizations say they trust vendors and third-party suppliers
- Approximately 37 percent of employees say they trust vendors and third-party suppliers
- Just over 72 percent of businesses admitted that they have cultures that are too trusting of third parties
What are some emerging cyber threats organizations need to consider?
- The Internet of Things (IoT) poses a big concern regarding the visibility of logins from IoT devices
- 76 percent are confident they know how many IoT devices are accessing their systems
- 80 percent are confident they know how many individual logins can be attributed to these devices
- 47 percent of security decision makers perceive at least a moderate risk from Bring Your Own Device (BYOD)
For all organizations, IT is becoming ever more complex. Technology ecosystems are growing at a rapid pace, as is the landscape of cyber threats. As employees are granted more trust, organizations need to accept that the way to mitigate risks is by managing privileged accounts through integrated technology and automated processes that not only save time, but also provide visibility across the network.
The goal is a proper cyber security policy and practice. By implementing cybersecurity policies and solutions, organizations will also increase business performance while eliminating roadblocks in an employee’s way.
Cyber security strategy, cyber security planning, and cyber security procedures are effective for protection.
An effective web protection strategy requires policies to reduce the surface area of attack, appropriate tools and technology to enforce those policies, and protection to block attacks at every layer.
Establish the following best-practice policies and educate your user population about why they are important for the security of your organization.
Web Protection Policy Checklist
- Safe Surfing Policy – A safe surfing policy will block unwanted and inappropriate site categories to reduce the cyber threat surface area. Based on connectivity, organizations may also wish to control other categories in the interest of productivity, security, profitability, or available bandwidth.
Your minimum Safe Surfing Policy should exclude the following categories:
- Adult, sexually explicit, nudity
- Anonymizer proxies
- Criminal activity, hacking
- Illegal drugs, alcohol and tobacco
- Intolerance and hate
- Phishing, fraud, spam, spyware
- Tasteless and offensive
- Violence and weapons
- Strong Password Policy – All organizations should have password policies that require strong passwords and regular changes.
Here are some password policy guidelines that can be used:
- Use long passwords
- Include numbers, symbols, and upper- and lowercase characters
- Do not use common dictionary terms
- Do not use personal information such as names or birthdays
- Change passwords every 90 days
- Do not write passwords down
Another option for a strong password policy is to use a sentence. This is not a new concept; full sentences and phrases are very secure due to their complexity and the many ways in which they can be constructed.
- Application Control Policy – Standardize and limit the number of Internet browsers, applications and plugins in your organization and enforce this policy.
- Browser: Use mainstream browsers only such as Internet Explorer, Google Chrome, Firefox, Opera, or Safari
- Java: Unless there is a business requirement, limit or remove Java from your network
- PDF reader: Use a single mainstream PDF reader. Keep it patched and updated.
- Media player: If not required, avoid media player add-ons and codec packs. If needed, use the ones provided by the operating system, as OS patches will keep them updated.
- Plugins, add-ons and toolbars: If not required, do not install browser plugins and toolbars
- Patch management policy – Ensure your managed IT services provider or IT department is updating your network consistently. You can also ensure the applications listed above have auto-update enabled where possible. Your IT team will ensure that updates or patches are actively applied as they become available.
Solutions to Reduce the Risk of a Data Breach
Security comes down to a multi-staged approach and proactive security employee training.
You must ensure your managed IT services provider or IT department is keeping your perimeter secure and maintaining other protective measures. Consider security services such as two-factor authentication, encryption, next-gen firewalls and anti-virus with built-in AI learning.
Encryption is a great control, but it must be the right kind of encryption. If a specific file or email is encrypted properly, you can control who can read it. Even if your organization experiences a data breach of your IT system and cyber criminals gain access to sensitive data, they will not be able to read it.
This will reduce your data breach risks and protect your organization from the high costs of a data breach.
This is one of several security measures an organization can put in place to protect itself.
Our complimentary network and security assessment can put your IT infrastructure and business to the test.
Going to the cloud? We are your leading Cloud Services Provider in Toronto.
365 iT SOLUTIONS is Toronto’s leading IT consulting boutique firm offering industry leading IT solutions including Managed IT Services, IT Support Services, IT Outsourcing Services, Tech Support Services and Cloud Services.