Unless you’ve been living under a rock for the last ten years, you probably already have a sophisticated understanding of what a cyber attack is and what it can do.
All of us have had experience with suspicious emails. We all know what viruses and worms are; most of us have heard of ransomware and malware and don’t confuse them with safer options like Tupperware. Fewer of us have heard of or are comfortably conversant with things like injection attacks, cross-site scripting or clickjacking attacks, DNS cache poisoning, broken authentication or session management attacks, remote code execution attacks, and social engineering attacks. That last one you may not recognize, but have probably been the victim of someone calls you at home and tells you they represent the CRA, the IRS, or some other entity and that you need to provide some personal data (social insurance/security or credit card numbers) for some reason. The pitch employs a high-degree of intimidation and that is the social engineering angle of the attack. You are being engineered to surrender data and the thief needs to access your financial accounts.
We already have covered a few examples of the denial of service (DoS) attacks that are so popular with ransomware attacks. Hackers access a system and encrypt a service or section, essentially locking it down, and refuse to release the system until a ransom is paid. Very similar to a burglar who slips into your house when you aren’t there and changes all the locks. A worm is a piece of malware that once insinuated inside a program can propagate itself from computer to computer; a virus is also a piece of malware, but unlike a worm, it is not stand-alone or self-propagating: you send it on its merry way by running the infected program.
Whatever its name, an attack is coming, and it probably already has. It could be rather trivial and not much more than a nuisance or it could be catastrophic and crippling. Even though we know how vulnerable we are very few of us, either personally or in our businesses, are doing much about it.
According to a PWC survey of the threat of cybercrime and business preparedness, the most frequent cyber attacks reported were malware, phishing, network interruptions, spyware attacks, and distributed denial of service (DDoS) attacks.
Unfortunately, the report summarizes, “The cybersecurity programs of US organizations do not rival the persistence, tactical skill, and technological prowess of their potential cyber adversaries.”
But why though?
First and foremost, businesses, even the most prepared, have less overall incentive than the cybercriminal. Call it the Jordan Belfort syndrome: if you are starving and that is all you have ever known all you ever want to do is eat; the appetite for more is never sated. The cybercrime world is that Great White shark that must keep moving and eating to live. Cybercriminals are hungry, and you have what they want.
And it makes perfect sense. The digital world, in many ways, could not be more appealingly constructed to match the needs and incentives of the criminal: the payoffs are high and the risks of entry relatively low (as are the penalties). The worst possible scenario for any business is one that incentivizes criminal attacks. And the more data that businesses migrate to the cloud only exacerbates the equation.
A subtle but profoundly important point that needs to be made here is that while an attack is a criminal decision, how or even if the target defends itself is a business decision; on the other hand, the decisions a business makes about its vulnerability and security is exactly what incentivizes an attack.
For instance, if I receive a security update notice on my personal computer and choose to ignore it, that’s my decision. The result is this: by ignoring a security update I choose to expose my computer to an increased likelihood of a hack. Obviously, a hacker knows exactly when and how operating systems update their customers about security. After all, an update is in many ways nothing but a roadmap-in-reverse to a defect. So, if you decide to ignore the update you are essentially handing a hacker an incredibly valuable key to assist him penetrating your system.
Now take that very simple example and magnify it a million or ten million times in complexity and you have your business profile, only in this case you are not receiving one update now and again but maybe hundreds or thousands. And unlike the individual who may or may not be the victim of a hack, you and your business not only have been hacked but are likely to be hacked quite a few times. Unfortunately, too, because you are probably also running some legacy software on your system you won’t be getting any security. In other words, your company or business is at risk. The real questions: Do you know exactly what the risk is? If you have increased your investment in IT security, are you sure you understand exactly what it will do? Do you even know what you are buying? Do you know what the cost of a hack will be in indirect as well as direct costs?
It should be no surprise that social engineering and vulnerability exploitation are the great yin and yang of cyber attack strategies. As the McAfee’s “Net Losses” survey makes clear, the problem is that “if companies are unaware of their losses or underestimate their vulnerability, they will underestimate risk.”
In important ways, the crucial vulnerability you and your company confront is not technological but psychological. It is social engineering that can put the keys to your company’s front door into the hands of an ambitious hacker. This type of action is an overall failure to properly assess how, why, and where your company’s system is exposed.
Please reach out to me by email (arodov at qacstaging.wpengine.com) or via LinkedIn.
Alex Rodov is the Founder and Managing Partner of QA Consultants.