The Pathway to Peace of Mind

Thinking about where to start your journey? Learn more about the digital risks that can get in the way of opportunity and the services available to help you rise above them. When you're ready to begin your assessment, click below or log in to review your selections.

Risks

  • Ransomware
    This is a type of malware that prevents or limits businesses from accessing their data – and potentially their systems – either by locking the screen or by locking files until a ransom is paid.
  • Phishing
    A phishing attack occurs when businesses are contacted through email, telephone, or text message by a cyber criminal posing as a legitimate contact and are lured into providing sensitive data, often resulting in a financial loss.
  • Malware
    Malware is a broad term for viruses, worms, trojans, and other harmful computer programs that cyber criminals use to wreak havoc and gain access to sensitive business information.
  • Distributed Denial-of-Service (DDoS)
    In a DDoS attack, cyber criminals target websites and online services, overloading them with more traffic than they can handle and rendering the server or network inoperable.
  • Data Breach
    A data breach can expose confidential, sensitive, or protected information to an unauthorized person, which may cause significant financial or reputational harm to the business.
  • Website/Domain Spoofing
    In this type of attack, cyber criminals create a malicious version of a website or domain to trick users into providing sensitive information like login credentials, credit card numbers, or social security numbers.

Risk

Ransomware

Ransomware is a type of malware that prevents or limits a business from accessing its data and/or systems, either by locking the system's screen or by encrypting files, until a ransom is paid. Modern ransomware families, collectively known as crypto-ransomware, encrypt targeted file types on infected systems and demand payment, usually in cryptocurrency, in exchange for the decryption key.


Did You Know?

Globally, ransomware attacks rose sharply in 2020, increasing by more than 485% over 2019, and the average ransom payment rose 33% in 2020 to $111,605. Remediation costs, including business downtime, lost orders, and operational expenses, grew from an average of $761,106 in 2020 to $1.85 million in 2021.


How It Can Happen

An employee of a retail store clicks a malicious link in an email and inadvertently downloads malicious software, which encrypts all data stored on the company's network and disrupts operations. To unlock the encrypted data, the attacker demands $1M in cryptocurrency within 48 hours, or the data will be lost.


Security Controls to Protect Against Ransomware

  1. Because ransomware is hard to detect and even harder to stop once it is running, several protection mechanisms should be layered. One of the most important actions a small business can take is employee security training and awareness, since most infections begin with a phishing email or a malicious download. Informed employees are a first line of defense, but training alone is not enough; the controls below still need to be in place.
  2. Proactive endpoint security (modern antivirus or endpoint detection and response tools) can block or contain ransomware before it spreads and strengthens the overall security posture of the business.
  3. Businesses should back up their data and keep a tested recovery process in place. Ransomware routinely seeks out and encrypts or deletes on-site backups before it encrypts production data, so at least one copy of every backup should be kept offline or otherwise immutable, independent of the on-site backup, and restores should be rehearsed so that recovery actually works when it is needed.
  4. Businesses should update user awareness materials, training manuals, and procedures for employees on a regular basis.
  5. Businesses should run a proper patch-management process and review which internet-facing services (remote desktop and VPN gateways are common entry points) may be exposed to attackers.

Risk

Phishing

Phishing is a cybercrime in which businesses are contacted by email, telephone, or text message by someone posing as a legitimate institution and luring them into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.


Did You Know?

The average phishing attack costs businesses nearly four million dollars. According to the Anti-Phishing Working Group’s “Phishing Activity Trends Report,” the average wire-transfer loss from social engineering attacks in the second quarter of 2020 was $80,183.


How It Can Happen

Facebook and Google, combined, were scammed out of more than $100 million between 2013 and 2015. The attacker accomplished this by impersonating a large manufacturer that both companies used as a vendor and sending each company a series of fake invoices, which were paid. This is the invoice-fraud form of business email compromise (BEC).


Security Controls to Protect Against Phishing Attacks

  1. Spam and phishing filters should be used on incoming mail. Filters typically assess the origin of a message, the software used to send it, and its appearance to decide whether it is spam. Publishing SPF, DKIM, and DMARC records for your own domain lets receiving mail servers reject messages that forge your domain in the same way.
  2. Browser settings should be configured to block known fraudulent websites. Keep the browser's built-in safe-browsing protection enabled and keep the browser up to date so that known phishing pages are blocked before they load.
  3. Banks and financial institutions use monitoring systems to detect fraud and phishing. Consult with your financial institution to confirm that these safeguards are in place and that your accounts have this added layer of protection.
  4. Businesses should report phishing to industry watchdog groups such as the Anti-Phishing Working Group, so that the fraudulent websites can be taken down and legal action pursued.
  5. Businesses should provide security awareness training so employees can recognize phishing attempts.
  6. Educating employees on safe browsing habits is imperative. If a website or email asks them to "verify" account details, employees should contact the company through a known phone number or address before entering any information online.
  7. Employees should be trained to hover over links in an email to reveal the real destination before clicking. Note that "https" and the padlock only mean the connection to that site is encrypted with a valid TLS (formerly SSL) certificate; phishing sites obtain such certificates easily, so a padlock does not prove that a site is legitimate. The domain name the link actually points to is what matters.
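As an added example (this code is not from the original page), the following Python script applies items 1 and 7 above to a raw email: it reads the receiving server's SPF/DKIM/DMARC verdicts from the Authentication-Results header, flags display-name impersonation and Reply-To redirection, and performs the "hover check" automatically by comparing the domain a link displays with the host its href really points to. The trusted domain, the trusted display name, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the bank the business trusts and the display names it uses.
TRUSTED_DOMAINS = {"acme-bank.example"}
TRUSTED_NAMES = {"acme bank"}

# Constructed sample: a credential-phishing email as it might land in a small-business mailbox.
PHISHING_EMAIL = """\
From: "Acme Bank Support" <support@acme-bank-secure.example>
Reply-To: verify@mailbox-relay.example
To: employee@smallbiz.example
Subject: Action required: verify your account
Authentication-Results: mx.smallbiz.example; spf=fail smtp.mailfrom=acme-bank-secure.example; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify within 24 hours:
<a href="http://acme-bank.example.login-portal.example/verify">https://acme-bank.example/login</a>
</p></body></html>
"""

# Constructed sample: a genuine notice from the same bank, for comparison.
LEGIT_EMAIL = """\
From: "Acme Bank" <alerts@acme-bank.example>
To: employee@smallbiz.example
Subject: Your monthly statement is ready
Authentication-Results: mx.smallbiz.example; spf=pass smtp.mailfrom=acme-bank.example; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.acme-bank.example/statements">www.acme-bank.example</a>.</p></body></html>
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _hosts_agree(shown, actual):
    # The displayed domain and the real host agree if equal or one is a subdomain of the other.
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return human-readable phishing indicators found in a raw RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name claims a trusted sender, but the real address is on another domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if any(t in name.lower() for t in TRUSTED_NAMES) and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' impersonates a trusted sender; real address is {addr}")

    # 2. Replies are quietly redirected to a domain other than the visible sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_domain}")

    # 3. The receiving server's SPF/DKIM/DMARC verdicts (Authentication-Results header, RFC 8601).
    results = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", results)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is '{m.group(1)}'")

    # 4. The "hover check": the domain the link text displays must match the href's real host.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            actual = (urlparse(href).hostname or "").lower()
            shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
            if shown and actual and not _hosts_agree(shown.group(0), actual):
                findings.append(f"link text shows {shown.group(0)} but points to {actual}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, analyze(raw) or "no indicators")
```

Run stand-alone it reports six indicators for the phishing sample and none for the genuine one. In practice the Authentication-Results header is only trustworthy when your own mail server added it, so a gateway filter should strip any copy that arrives from outside before evaluating it.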

ADDITIONAL READING – Spear Phishing

Spear phishing is the act of sending an email to a specific, well-researched target. The attacker poses as a trusted person or organization, with the goal of infecting the target's devices with malware or defrauding the victim of information or money.

While regular phishing campaigns go after large numbers of relatively low-yield targets, spear phishing aims at specific targets using emails crafted for the intended victim. Phishing is about the quantity of messages sent; spear phishing is about the quality of a message sent to a specific target.


Risk

Malware

Malware, short for malicious software, is a blanket term for viruses, worms, trojans and other harmful computer programs hackers use to harm your business and gain access to sensitive information.


Did You Know?

A research study conducted by Deep Instinct identified hundreds of millions of attempted cyberattacks occurring daily throughout 2020. Compared to 2019, malware increased by 358% overall and ransomware by 435%. The U.S. has the world's highest data breach costs, with the average breach costing $8.6 million, and according to research by IBM it takes an average of 280 days to identify and contain a breach.


How It Can Happen

Stuxnet is a sophisticated worm that spreads via USB drives, so it needs no internet connection to reach an isolated network. Discovered in 2010, it was used in an attack on Iran's nuclear program: it exploited multiple Windows zero-day vulnerabilities to spread, then tampered with the Siemens industrial controllers driving uranium-enrichment centrifuges, destroying a large number of them at the Natanz facility.


Security Controls to Protect Against Malware

  1. Information Security Policies & Procedures – Your business should document operational and security procedures and make employees aware of them, so that these important mitigations are actually followed.
  2. Back up data and test restore procedures – Backups are critical to protecting against data loss. With fast-moving, network-based ransomware worms and destructive attacks, offsite (and offline) backups are a necessity, and a backup that has never been restored should be treated as untested.
  3. Layered Endpoint & Network Security – Combining endpoint protection with network controls such as next-generation firewalls (NGFW), an intrusion prevention system (IPS), and web security provides a multi-layered defense.
  4. Ongoing Employee Awareness Training – Training employees to recognize the threats that could affect the business is an important step toward strengthening your security posture.
  5. Multi-Factor Authentication – Enabling two-factor (or multi-factor) authentication on email, remote access, and administrative accounts is an easy and highly effective line of defense; a stolen password alone is then not enough to log in.
  6. Leverage email & web security – Most ransomware and malware infections arrive through an email attachment or a malicious download. Block known-malicious websites, emails, and attachment types at the gateway.

Risk

Distributed Denial-of-Service (DDoS)

Distributed denial-of-service attacks target websites and online services. They overload the target with more traffic than it can handle, rendering the server or network inoperable. The traffic consists of incoming messages, connection requests, or forged packets sent from many compromised machines at once. In some cases the victim is first threatened with a DDoS attack, or hit with a small one, combined with an extortion demand for a cryptocurrency payment to avert a more devastating attack. A DDoS attack is one of the most disruptive weapons in an attacker's arsenal: when you hear about a website being "brought down by hackers," it has most likely been the victim of a DDoS attack.


Did You Know?

According to statistics gathered by researchers at Neustar, DDoS attacks increased by a staggering 154 percent between 2019 and 2020 and there’s no sign that the surge is slowing down.


Security Controls to Protect Against DDoS Attacks

  1. Use a Web Application Firewall – A WAF is a filter that protects against HTTP application attacks. It inspects HTTP traffic before it reaches your application and drops requests that could damage site functionality or compromise data. As businesses increasingly rely on web applications such as web-based email or e-commerce, application-layer attacks pose a growing risk to productivity and security. A WAF helps against application-layer (HTTP) floods and abusive request patterns; it does not absorb large volumetric attacks that saturate your internet link, which is why a cloud-based DDoS mitigation or CDN service in front of the site is usually needed as well.
  2. Configure firewalls and routers – Firewalls and routers should be configured to drop spoofed and malformed traffic and to rate-limit connections from any single source. Keep routers and firewalls updated with the latest security patches.
  3. Contact your Internet Service Provider – If your business is under attack, notify your ISP immediately so they can filter or reroute the traffic upstream and limit further damage. Having a backup internet service provider is also an excellent way to mitigate the impact of this type of attack.
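Item 2 says firewalls should drop abusive traffic; the following added Python example (not code from the original page) shows the detection side of that. It replays a constructed web-server access log in the common "combined" format, counts each source's requests in a sliding ten-second window, and emits nftables drop rules for any source that exceeds a threshold. The IP addresses, request paths, threshold, and the nftables table and chain names are all assumptions. Note the limitation: this catches application-layer floods from a manageable number of sources; a volumetric attack from thousands of spoofed addresses has to be filtered upstream by your ISP or a mitigation service, as item 3 describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the source IP and timestamp matter here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a combined-format access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, window_seconds=10, threshold=20):
    """Map each source IP that ever exceeded `threshold` requests within any
    `window_seconds` span to the peak count it reached. A normal client never
    comes close; an HTTP flood from a single source trips it immediately."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    recent = defaultdict(deque)      # per-IP timestamps still inside the window
    peak = defaultdict(int)
    span = timedelta(seconds=window_seconds)
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= span:     # evict timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def drop_rules(flooders):
    """nftables commands to drop the offenders. Assumes a table 'inet filter' with an
    'input' chain already exists (an assumption; adapt to your own ruleset)."""
    return [f"nft add rule inet filter input ip saddr {ip} drop" for ip in sorted(flooders)]


def build_sample_log():
    """Constructed sample log: one normal visitor plus two flooding sources
    (all addresses come from documentation ranges, not real hosts)."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = [entry("198.51.100.5", i * 10, "/catalog") for i in range(6)]                  # 1 req / 10 s
    lines += [entry("203.0.113.7", i // 12, "/search?q=" + "a" * 200) for i in range(60)]  # 12 req / s
    lines += [entry("203.0.113.9", i * 8 // 25, "/") for i in range(25)]                    # ~3 req / s
    return lines


if __name__ == "__main__":
    offenders = find_flooders(build_sample_log())
    for ip, n in offenders.items():
        print(f"{ip}: peak {n} requests in 10 s")
    print("\n".join(drop_rules(offenders)))
```

The threshold here is deliberately low for the sample; on a real site it should be set from the normal per-client request rate, and the block should expire after a while, since flooding sources are often compromised home machines whose addresses later return to legitimate users.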

Risk

Data Breach

A data breach may expose confidential, sensitive, or protected information to an unauthorized person: files are viewed and/or shared without permission. Anyone can be at risk of a data breach, from individuals and small businesses to large enterprises and governments, and anyone who is not protected can put others at risk. In general, data breaches happen because of weaknesses in technology or in user behavior. While the common assumption is that a breach is caused by an outside hacker, that is not always the case, which is why internal controls for employees, vendors, and others with regular access to systems, servers, files, or computers are important.


Did You Know?

US businesses face the highest costs, with an average of $8.19 million per breach, up 5.3% from 2019. This is driven by an ever-changing, complex regulatory landscape with breach notification requirements that vary from state to state.

PII records are especially important to isolate and secure: the exposure, deletion, or theft of these records can result in substantial damages because of their sensitive nature.


How It Can Happen

Equifax, one of the largest credit bureaus in the US, reported on Sept. 7, 2017 that an unpatched vulnerability in a web application (the Apache Struts framework) had led to a data breach. The intrusion was discovered on July 29, but the company stated that it had likely begun in mid-May. Equifax initially said the breach compromised the personal information (Social Security numbers, birth dates, addresses, and in some cases driver's license numbers) of 143 million people, with 209,000 people also having credit card data exposed; the total was later revised upward to 147.9 million people.


Security Controls to Protect Against a Data Breach

  1. Businesses should patch and update software as soon as fixes are available.
  2. Businesses should deploy proactive endpoint security to stop attackers from using employee devices as a path to steal data.
  3. Offsite data backups allow rapid recovery of lost or encrypted data.
  4. Enforce bring-your-own-device (BYOD) security policies. For example, require employees who use personal phones for business (email, conference calls) to use a business-grade VPN and antivirus protection, so that devices your IT provider does not directly control are still protected.
  5. Businesses should continuously educate employees on security best practices and on the latest social engineering techniques that cyber criminals are using.

Popular methods used by hackers:

  • Phishing – These social engineering attacks are designed to fool people into giving cyber criminals access to your business's data. Phishing attackers pose as people or businesses you trust in order to deceive you.
  • Brute Force Attacks – Attackers use automated tools to guess an employee's password by trying large numbers of candidates (or lists of previously leaked passwords) until one works, then use it to gain access to the business's systems and data. Long, unique passwords, account lockout, and multi-factor authentication defeat this.
  • Malware – Security flaws can exist in any device's operating system, software, or hardware, and in the networks and servers they connect to. Cyber criminals seek out these vulnerabilities to install malware, which they may use to gain access to your business's systems and data, to spy on employees' actions in those systems and gather information about your operations, or to lock employees out of your systems and data.

Risk

Website/Domain Spoofing

Website spoofing is when an attacker builds a website with a URL that closely resembles, or even copies, the URL of a legitimate website that the victim knows and trusts. In addition to spoofing the URL, the attacker may copy the content and style of a website, including images and text.

Domain spoofing is like a con artist who shows someone fake credentials to gain their trust before taking advantage of them. Domain spoofing is often used in phishing attacks. The goal of a phishing attack is to steal sensitive information, such as account login credentials or credit card details, or trick the victim into sending money to the attacker or downloading malware.

To imitate a URL, attackers can use Unicode characters from other scripts (for example Cyrillic "а" or "о") that look almost exactly like the regular ASCII letters they replace; this is called a homograph attack. Less convincing spoofed URLs add, drop, or swap ordinary characters (an extra letter, a hyphen, "rn" in place of "m") and hope that users don't notice. These fake websites are typically used for phishing: a fake login page with a seemingly legitimate URL can trick someone into submitting their login credentials.


Did You Know?

Website spoofing is already a growing problem in the banking and financial industry that has doubled in the last year, resulting in $1.3 billion in losses. This type of attack has been around for decades and continues to be popular because it’s difficult to detect until it’s too late. 


Security Controls to Protect Against Website & Domain Spoofing

  1. Take a close look at the URL. Are there extra characters that don't belong? Try copying and pasting the URL into a new tab: does it still look the same?
  2. Businesses should train employees to check the TLS (commonly still called SSL) certificate of the websites they visit. Is the domain listed in the certificate the name you'd expect? (In Chrome, click the padlock or site-information icon in the address bar to view the certificate.) A spoofed website may well present a valid certificate, but it will be issued for the spoofed domain, not for the real one, so the padlock alone proves nothing.
  3. Businesses should instruct employees to bookmark important websites. Keep an in-browser bookmark for each legitimate site and open it from the bookmark rather than following a link, typing the URL from memory, or picking it from a search result, so the correct URL loads every time. For instance, instead of typing "mybank.com" or searching for the bank's website, open the saved bookmark.
  4. In the event that your company is breached, subscribing to a managed identity theft solution can help your business respond to the data breach, identify cyber risks, and protect you and your employees from identity theft.
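To show how the URL checks in items 1 and 2, and the homograph and extra-character tricks described under this risk, can be automated, here is an added Python example (not code from the original page). It decodes punycode hostnames to what the browser would display, flags labels that mix scripts or use non-Latin look-alikes, folds a small table of confusable characters so that a spoof can be compared against a trusted-domain list, and catches typosquats and trusted names buried under an unrelated registered domain. The trusted domain and the confusable table are assumptions chosen for illustration (the complete mapping is Unicode's confusables data).

```python
import unicodedata
from urllib.parse import urlparse

# Assumption for this example: the legitimate domains the business's staff actually use.
TRUSTED = {"acme-bank.example"}

# Look-alike characters folded to the Latin letter they imitate. This is a small hand-picked
# subset of the Unicode confusables data (UTS #39), chosen for illustration only.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
    "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u03b1": "a", "\u03bf": "o",
    "\u03bd": "v", "\u03c1": "p", "0": "o", "1": "l",
}


def skeleton(host):
    """Fold a hostname to the ASCII string a user perceives, so look-alikes compare equal."""
    folded = "".join(CONFUSABLES.get(c, c) for c in host)
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as one extra or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED):
    """Return reasons the URL's host may be spoofing a trusted domain; an empty list means no concern."""
    host = (urlparse(url).hostname or "").lower()
    findings = []
    # Browsers transport non-ASCII hostnames as punycode ("xn--...") labels; decode to what is displayed.
    try:
        shown = host.encode("ascii").decode("idna")
    except UnicodeError:
        shown = host  # already Unicode, or undecodable: judge it as given
    if shown in trusted or any(shown.endswith("." + t) for t in trusted):
        return findings  # exact match or a genuine subdomain of a trusted domain
    if shown != host:
        findings.append(f"internationalized host: {host} is displayed as {shown}")
    # A label that mixes scripts (Latin plus Cyrillic, say) is the classic homograph tell.
    for label in shown.split("."):
        scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)} (homograph attack)")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"label '{label}' is entirely non-Latin ({scripts.pop()})")
    skel = skeleton(shown)
    for t in trusted:
        if skel == t or skel.endswith("." + t):
            findings.append(f"looks identical to {t} once look-alike characters are folded")
        elif "." + t + "." in "." + skel + ".":
            findings.append(f"embeds {t} as a subdomain of an unrelated registered domain")
        else:
            labels = skel.split(".")
            for i in range(len(labels) - 1):  # try each suffix so a 'www.' prefix cannot hide a typo
                candidate = ".".join(labels[i:])
                distance = levenshtein(candidate, t)
                if 0 < distance <= 2:
                    findings.append(f"'{candidate}' is within {distance} edit(s) of {t} (typosquat)")
                    break
    return findings


if __name__ == "__main__":
    homograph = "\u0430cme-bank.example".encode("idna").decode("ascii")  # Cyrillic 'а' as first letter
    for u in ("https://www.acme-bank.example/login",
              "https://acme-bank.example.login-portal.example/verify",
              "https://acme-bannk.example/",
              f"https://{homograph}/login"):
        print(u, check_url(u) or ["ok"])
```

The early return matters: a real subdomain of a trusted domain (www.acme-bank.example) must pass, while the trusted name appearing further left (acme-bank.example.login-portal.example) must not, because only the rightmost labels decide who actually owns the site. A check like this belongs in a mail gateway or a browser extension rather than in employees' heads, but the bookmark advice in item 3 remains the simplest defense.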