Your organisation’s computer systems – and the information they hold – can be compromised in many ways. This may happen through malicious or accidental actions, but it is invariably made possible by a failure to have the right safeguards in place. Whilst you need to consider all potential risks, it is malicious attacks from the Internet that are hitting the headlines and damaging organisations.
Forms of attack
Internet-borne cyber-attacks can be broadly segmented into two forms – un-targeted and targeted attacks – and each approach can be carried out in a variety of ways, as follows:
Un-targeted attacks: In un-targeted attacks, attackers indiscriminately target as many devices, services or users as possible. They do not care about who the victim is as there will be a number of machines or services with vulnerabilities. To do this, they use techniques that take advantage of the openness of the Internet, which include:
- phishing – sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website
- water holing – setting up a fake website or compromising a legitimate one in order to exploit visiting users
- ransomware – which could include disseminating data-encrypting extortion malware
- scanning – attacking wide swathes of the Internet at random.
Targeted attacks: In a targeted attack, your organisation is singled out because the attacker has a specific interest in your business, or has been paid to target you. Groundwork research could take weeks or months so that they can find the best route to deliver their attack directly to your systems (or users).
A targeted attack is often more damaging than an un-targeted one because it has been specifically tailored to attack your systems, processes or personnel, in the office or outside. Targeted attacks may include:
- spear-phishing – sending emails to targeted individuals that could contain an attachment with malicious software, or a link that downloads malicious software
- deploying a botnet – to deliver a DDoS (Distributed Denial of Service) attack
- subverting the supply chain – to attack equipment or software being delivered to the organisation.
Regardless of whether an attack is targeted or un-targeted, those perpetrating Internet-borne malicious attacks have a number of strategies, tools and tricks they use to attack organisations of any size. They primarily target businesses with little or no cyber defences, since defences would otherwise make their mission difficult. These cyber villains typically use a four-step process to achieve a desired result:
1. Survey – searching for targets and vulnerabilities
2. Delivery – introducing malicious software, known as malware
3. Breach – accessing or gathering information through software flaws
4. Affect – negatively impacting the target to get a desired outcome
Development firm attacked by email
A real estate investment and development firm lost over £600,000 after cyber thieves drained its bank account of funds. It all began with a hacked email account.
Once attackers had access to the owner’s email, they could see a long history of correspondence with his bookkeeper.
They had everything they needed to commit a bank transfer fraud. They impersonated the owner and convinced the bookkeeper to transfer funds from the firm’s accounts to their own in China.
The attackers also accessed the owner’s Outlook calendar. This helped them schedule transactions while he was busy in meetings, so they had plenty of time to access the money, delete all communications, and run.
Construction firm attacked by Trojan
A construction firm lost about £400,000 to a cyber-attack. Thieves added a Trojan to one of the company’s systems which allowed them to capture online banking credentials and make a series of transfers from the company’s accounts.
The money was gone in just seven days. The firm’s bank was able to reclaim some of it, cutting the firm’s loss to £225,000. However, the firm then had to pay interest on hundreds of thousands of pounds in overdraft loans from the bank in order to keep in business.
The firm sued the bank for failing to provide a ‘commercially reasonable’ security process for the transfers. The firm initially lost, but later won on appeal; however, the real toll was the distraction and time taken to deal with the crisis.