Don’t be tricked this Halloween. October is Cybersecurity Awareness Month
Halloween is the one night of the year when ghosts and ghouls freely roam the streets. However, in this brave new online world that we all inhabit, scary stuff isn’t limited to a single day. Disguised as cyber threats, digital ghosts and ghouls are ever-present, waiting to strike their next victim. In 2019 there were more tricks than treats, so as cybersecurity month comes to a close in Europe and the US, here are some of the ghastliest cyber tricks employed from within the depths of the dark web.
- Trick #1 – Phishing – The old reliable in the world of cybercrime remains popular because it works. It has been reported that approximately one in every 99 emails is a phishing attack, and 30% of these malicious messages make it past security systems. The World Economic Forum reports that 2020 will be known as the year of advanced phishing attacks, owing to the number of phishing kits available on the dark web. With these kits, cybercriminals need only basic technical knowledge to run their own phishing campaigns. Your first contact with a phishing scam will likely be via your email inbox. We’ve published several articles on the scourge of phishing scams and how to mitigate them; I recommend this recent one: Clicking on Links Accounts for 99% of all email attacks.
- Trick #2 – AI Deepfake – Cybercriminals have started to create and employ advanced attacks using AI to compromise defences. Phishing emails sent via AI are becoming far more dangerous than those sent by humans. AI can use deep learning to draft targeted emails that are capable of bypassing traditional security measures. One area of AI attack that is of particular concern is Voice Deepfake, where AI is used to mimic a real person’s voice. This is a new form of the commonly used and all too frequently successful CEO Scam. The first instance of this kind was reported by Forbes only last month and resulted in a UK-based company unsuspectingly paying €220,000 to fraudsters. With this type of scam, the victim receives a phone call that claims to be from, and sounds exactly like, a person they know (usually someone senior). They will most likely be instructed to make a payment to an account for a reason that seems plausible and, given that it sounds like the boss, they are unlikely to question the instruction. While only one such instance has so far been reported, it is nonetheless very concerning and should be closely monitored.
- Trick #3 – Ransomware – In 2018 it was reported that ransomware was on the decline. Unfortunately, the news isn’t so good for 2019, with a noticeable increase reported by the major cybersecurity providers. While overall ransomware is still below the levels of 2016 and 2017, it continues to pay dividends for cybercriminals. Most worrying of all is the volume of ransomware attacks via Remote Desktop Protocol (RDP), at 31% of all reported cases. A strong password policy is your best defence against this form of attack and, as with phishing scams, if you aren’t 100% confident of the origin of a link, don’t click.
- Trick #4 – Insecure APIs – Custom-built and open-source APIs are becoming an increasingly popular choice to help organisations streamline app development. They do, however, also present an opportunity for hackers if the code isn’t properly encrypted and access isn’t effectively gated.
- Trick #5 – Insider threats – Organisations will continue to face insider threats as a major source of cybersecurity breaches. The users of the IT systems in your organisation, and that means everyone, are your weakest link. Former employees who may still have full or limited access are also a major threat. The only real solution to insider threats is ongoing staff training and a rigid cybersecurity policy.
Security Awareness Month 2019 Themes
As I’ve mentioned, October is Cyber Security Awareness Month both here in Europe and in the US. To finish off this Halloween-themed article, I’d like to look briefly at the US themes for cybersecurity month. This year they have three overarching themes:
- Own IT — Take responsibility for IT security at all levels — from social media to mission-critical apps. This puts the onus on the user and encourages personal accountability. Given that users are your weakest link, I believe that this should be a priority for all users and organisations.
- Secure IT — Take steps to secure IT behaviours and limit attacker success. This theme promotes employing stringent security measures by way of security applications, strong password policies and multi-factor authentication.
- Protect IT — Take action to protect both device connections and data collection across the organization. This theme warns against the use of free, open public wireless networks that are easily compromised. It highlights the importance of security updates and patches and, most importantly, of data handling and protection. This is even more vital here in Europe since the implementation of GDPR in May 2018, given your responsibilities regarding the handling and protection of users’ data.
To read a detailed description of the 2019 themes, please visit the National Initiative for Cybersecurity Careers and Studies (NICCS).
John Grennan – IT.ie