IT attacks – Stolen devices, phishing and web-based attacks


Part 2 – Stolen devices, phishing and web-based attacks

In part one of our IT Attacks blog series, we looked at some general dangers out there for companies and individuals who use the internet as part of their day-to-day business operations. We told you how vital it is that you and your staff are vigilant about the emails and files you receive, and the importance of comprehensive and up-to-date virus protection. Of course, unless you are on your toes, there are many other ways that malicious hackers and criminals can attack you and your systems. And sometimes you don’t even have to be online, just unlucky. So, let’s take a look at some other dangers that can trap the unwary.

Stolen devices – there’s no honour among thieves

While many IT attacks come about thanks to sophisticated programming, others just come down to good old-fashioned thievery. Stolen devices account for 50% of cyber attacks experienced by the 30 benchmarked companies in the Ponemon 2014 Cost of Cyber Crime Study. And of course your devices (phones, tablets, flash drives and so on) don’t have to be stolen by cunning pickpockets for the data to be compromised. It seems like every other day we read news stories about office managers or politicians leaving laptops containing vital files on a train, or forgetting phones in restaurants. The risk of losing data this way becomes even greater as ever more companies implement Bring Your Own Device (BYOD) strategies and staff take their work home with them. This means that personal devices, which are often unsecured, can be crammed with company data (69% of employees use smartphones for work). If a staff member is robbed, or even just plain forgetful, this data can end up in the hands of criminals, who then have access to your systems, intellectual property, and stored passwords.

Stay Safe

Your security policies need to cover both company-issued and employee-owned devices, and this means you first have to know exactly how many devices are being used for work by your staff. Put in place a process of Mobile Device Management (MDM) with rules that staff must adhere to, covering areas such as the encryption of company data, not jailbreaking devices, performing regular upgrades of operating systems, and using screen-lock passwords. Implement a Virtual Mobile Infrastructure (VMI) to ensure your staff can access information securely.

Phishing – don’t take the bait

Phishing scams are so named because they emulate real-life fishing. Hackers and criminals tempt you with bait and can be rewarded with a big catch – usually sensitive information like usernames, passwords or bank account details. Most often, the “bait” comes in the form of emails that appear to be from trusted or legitimate companies or people such as banks, service providers and acquaintances. You may be asked to provide certain private information or follow links that direct you to fake (though often very realistic looking) sites that will infect your systems with malware. A common phishing scam is a warning email about fraudulent activity on your account and a request to “verify” information. Such panic-inducing methods can be very successful, as people give an immediate response without thinking. There are other types of phishing such as “whaling”, which attacks high-profile targets in an organisation, often with “bait” tailored to enable that individual to seek out insider information. Another method, known as “spear phishing”, hooks individuals using personal information (often garnered from social media sites). Spear phishing scams are increasingly sophisticated, and are regularly successful since the baited emails seem so personal.

Stay Safe

It’s no longer possible to recognise phishing emails from their bad grammar and formatting alone; they are often barely distinguishable from emails sent by the organisations they are attempting to emulate. The best way to stay safe is to be wary of every single unsolicited email you receive. Check URLs very carefully, and read the email in plain text or HTML so that the URLs that images point to are visible. These can be checked against the sites you know to be genuine. If you suspect a phishing email, delete it from your inbox and your deleted items folder immediately. Don’t panic if you get an emergency email from the bank. Remember that it is very rare that responsible companies would take action like this via email, and they certainly never ask for PIN numbers or passwords. It also pays to be vigilant on social media, making sure that personal information is only visible to friends. If you are in a high-profile position, you should also take the precaution of shredding and destroying your paper correspondence. Vigilance is key if you don’t want to be caught in the phishers’ nets.
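The URL check described above can be automated. The following Python sketch is an added example, not part of the original article: it lists every link and image URL in an HTML email body and flags those whose visible text names a different host, or whose host is not on a list of sites known to be genuine. The `KNOWN_GOOD` list, the sample email and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample data: a known-good domain list and a phishing-style email body.
KNOWN_GOOD = {"examplebank.com"}
SAMPLE = """<p>We detected fraudulent activity. Please verify:</p>
<a href="http://examplebank.com.verify-account.example/login">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help centre</a>
<img src="http://tracker.example/logo.png">"""

class LinkCollector(HTMLParser):
    """Collect (target_url, visible_text) for every <a href> and <img src>."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and attrs.get("src"):
            self.links.append((attrs["src"], ""))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host name of a URL, or '' when it has none."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def is_known(host):  # exact match or a true subdomain, never a lookalike prefix
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD)

def suspicious_links(html):
    """Return (url, reason) for each link that fails the checks."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for url, text in parser.links:
        host = host_of(url)
        # Only treat the visible text as a URL when it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host:
            findings.append((url, f"text shows {shown} but link goes to {host}"))
        elif not is_known(host):
            findings.append((url, "host not on known-good list"))
    return findings
```

On the sample, the first link is flagged because its text shows the bank's host while the target is a lookalike that merely begins with the bank's name, and the image is flagged because it loads from an unknown host.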

Web-based attacks – a world wide web of worry

While nearly all IT attacks are web-based to some extent, this threat specifically means malware attacks that come via online sources like infected landing pages on websites, rather than being delivered via email or infected devices. This is also known as a “pull-based” attack, where victims unknowingly visit infected sites, rather than “push-based” ones in which attackers are actively searching for victims. The number of web-based attacks is growing as web services become more popular and people use the Internet for business, banking and e-commerce. Malicious URLs are used as channels to propagate malware and, if you visit an infected site, hackers can take control of your system to carry out cybercrimes such as data theft, denial of service attacks, and spamming. A common web-based attack technique is to alert you with fake virus detection messages and ask you to download rogue antivirus software. Sometimes, even legitimate sites can be infected if the hacker gets control of a web server. And the bad news is that your antivirus software and firewalls are of limited use, as they can’t help detect many web-based attacks.

Stay Safe

The big IT players are constantly fighting web-based attacks and fixing vulnerabilities in their systems, so make sure you’re using the latest version of your browser and plug-ins. Antivirus software can catch some better-known malware you pick up, so keep it up to date as always. A sandbox approach, in which you provide an isolated environment for suspect software, is also a good idea. When web pages you visit are in a sandbox, they are restricted to running only in your browser and so can access only a limited set of resources, meaning they can’t view or damage precious local files.

In part three of our series on types of IT attack, we’ll be looking at the problems of malicious code, attacks by insiders, and denial of service attacks.

For any information or tips about keeping your business IT safe from attacks, call the experts at Empower IT Solutions.

Further reading

Part 1: IT attacks – Malware, viruses and botnets

Part 3: IT attacks – Malicious Codes, Malicious Insiders and Denial of Services