Halloween has passed but your chances of getting hacked are scarier than ever. Here are some hacks that can get you, even after you’ve been sufficiently spooked.

#1 Social engineering & Phishing

The easiest way to break into a computer system is to bypass a computer’s protection(s) altogether by aiming at a computer’s operator – a regular human being. 

These days, our devices come loaded with so much security software that it’s pretty difficult to find and exploit a technological vulnerability in a victim’s machine. Although it’s possible, spending days probing for weak spots is expensive and cyber attackers tend to go for the cheapest targets with the highest ROI.

Our operating systems come with pre-installed security measures, we have antivirus software, adblocks and a variety of plugins to help us stay safe and feel secure.

Trick fix: The biggest takeaway for you is to spend a reasonable amount of time on security training to increase awareness across the whole company. You’re probably not spending enough on it – few companies have this in check – so find a way to improve existing processes and give more love to your corporate training.

This solution applies to the following situations as well.


#2 Malicious websites serving dangerous content and exploits

Even tech-savvy users may visit malicious websites on occasion. These sites can infect their computers and compromise their data’s safety. There are many attack vectors; one of the most popular is the so-called ‘drive-by download’ attack.

Drive-by download attacks happen when a user authorizes the execution of untrusted and malicious software without realizing the potential danger – e.g. clicking ‘Run’ on a malicious Java applet prompt.

The name of the malware is often identical to that of its trusted counterpart, so harmful software is downloaded without the user knowing – e.g. hidden exploits attacking popular software, such as web browsers or web browser plugins.

Trick fix: The solution to this one is outlined in point #1 – consistent employee education and monitoring endpoint workstations to ensure they’re running correctly updated software.


#3 Malicious USB stick plugged into the computer

This risk is often self-generated by good people who have nothing but good intentions. They try to figure out whose drive they’ve found in a parking lot so they can give it back. But in a malicious scenario, something terrible happens: the USB stick was dropped on purpose by a criminal and it has malware on it.

It doesn’t take a targeted attack to get yourself infected with malware. If you insert random devices such as CDs/DVDs, USB drives or any other device such as a found mouse or keyboard, then you’re risking an infection which may originate from the infected computer of an unwitting previous owner.

Trick fix: A good way to lower the risk is to use a respected antivirus product and have it enabled to scan all connected devices. While it’s not foolproof and it doesn’t take much to bypass AV software, it’s definitely a good thing to have that will reduce the likelihood of successful attacks performed by random malware or malware created by low-skilled attackers.


#4 Weak passwords are still the case

You can have the appropriate software protections in place, but it’s all for nothing if your users use weak passwords. No AntiVirus software or advanced web application protection techniques can protect a user from data leakage if their password is john1989.

The biggest lie people tell you and themselves is that they know how to create strong passwords and this is one of the biggest problems in our industry. We’ve seen government organizations, big corporations, and individual tech giants use simple or obvious passwords, which can lead to the hacking of personal accounts and/or company-wide breaches.

Trick fix: The most practical advice here is to teach people how to create solid passwords and to build internal systems that don’t allow weak passwords. A strong password should be memorable, but it must also be long, unpredictable and unique so that hackers can’t guess it.

Popularize usage of password managers within your organization. These terrific tools can significantly improve the security posture of your corporation by easing the process of endpoint password management.

See more here: https://xkcd.com/936/
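A minimal sketch of an internal system that doesn't allow weak passwords, as an added example (not code from the original article): a check run at password-change time that rejects john1989-style choices. The length threshold, the tiny constructed blocklists and the function names are assumptions made for illustration.

```python
import re

MIN_LENGTH = 12  # assumed policy value, not taken from the article

# Constructed sample blocklists; a real deployment would load a large
# breached-password list plus the organization's own names and terms.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "welcome"}
COMMON_NAMES = {"john", "anna", "mike", "maria"}

# Undo simple character substitutions so 'p@ssw0rd' is seen as 'password'.
LEET = str.maketrans("013457@$!", "oleastasi")


def normalize(text):
    """Lowercase and reverse common look-alike substitutions."""
    return text.lower().translate(LEET)


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    # Drop trailing digits and punctuation first: 'john1989' -> 'john'.
    core = normalize(re.sub(r"[\d\W_]+$", "", password))

    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common password")
    if core in COMMON_NAMES or (username and username.lower() in lowered):
        problems.append("based on a name")
    if re.search(r"(19|20)\d\d$", password):
        problems.append("ends in a year")
    if len(set(lowered)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("john1989", "P@ssw0rd!2024", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Uniqueness across sites cannot be verified by a check like this, which is where the password managers recommended above come in.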


#5 Insiders – why “trust but verify” is real

There is an entire industry built around stealing proprietary data, so don’t make the mistake of assuming your company won’t be the target of sophisticated cyber attackers seeking the easiest way to steal your data. Hackers will often do everything they can to gain your trust, join your company and then infiltrate your networks.

But it doesn’t end there, because sometimes disgruntled employees go rogue after learning they’re to be terminated. Bitterness and anger can push otherwise reasonable people to leak corporate data or destroy internal systems in hopes that no one will know who is responsible.

Whether intentional or not, data leaks happen often. [Smart Content Governance is something many companies lack and need to take advantage of for added data protection.]

Trick fix: It is best to have the proper auditing software to monitor for anomalies in employee behavior. It is also wise to have good configuration of logging systems to trace attacks back to the person(s) at fault.


#6 Physical attacks

Many organizations forget how critical it is to protect their physical offices. Some even completely neglect doing so.

If you were an attacker, would you invest hundreds of hours hacking technology when you could easily follow an employee driving to the office in the morning? A real-life attack could mean hardware theft or connecting a malicious device to the corporate LAN in order to attack connected machinery and sniff the traffic.

Trick fix: Consider hiring a pen testing company to do a physical penetration analysis or red team engagement.


#7 BYOD – Bring Your Own DOOM

The greatest risk comes when employees bring outside devices and plug them into a corporate network. Connecting to corporate resources such as internal applications from an unsecured computer can be even more dangerous.

Often, employees connect their smartphones to corporate networks just to browse personal websites. This opens the company up to digital risks because compromised devices can spy on and infect local networks.

Also, employees may be allowed to bring their own infected laptops to work. These often have a variety of unmonitored software installed, and their operating systems may lack security patches and basic security hygiene tools like antivirus software.

When such computers are used, it’s almost impossible to know when malicious software like a keylogger is installed. This can capture corporate credentials and allow hackers an easy way in.

Trick fix: One effective approach to BYOD is to provide employees with corporate computers they can take home if they need to. Enabling a WFH policy allows you to remain in control, because otherwise employees may feel tempted to use their personal computers to do ‘the few little things’ which require connecting to the corporate VPN.

Inform employees that they may use their corporate laptops anywhere they wish, but that they should refrain from treating them like private computers, on which they may otherwise install games and other programs for personal use.


#8 Good ol’ network hacking

For years, companies struggled with the same things over and over again.

Organizations are often unaware of all the many assets that belong to them. They lack the proper patch management policies and procedures to ensure they’re covered against newly-discovered software bugs.

While 10 years ago it was more acceptable to be a little out of date, there is no place for such neglect today. There are bots that continuously scan the Internet, enumerating and checking public services. Every day, bots try to crack passwords to web applications and other services, including FTP and SSH.

We’re all exposed and there is no place to hide, so ensure your external infrastructure is properly hardened, or you’re endangering yourself and your company. We’re living in an era when the business behind cyber attacks is more lucrative than ever. There are many ways to monetize obtained access, including selling corporate data on the dark web and deploying ransomware to obtain personal information.

Trick fix: Know your assets, monitor them, audit them, and regularly apply patches to be ahead of the security curve.


#9 Know what “attack surfaces of web applications” are

In some cases, hacking a web application deployed in your framework may lead to a completely compromised infrastructure. The vulnerabilities in your applications aren’t limited to those that can cause damage to the application alone.

Often, breached web applications allow attackers to elevate privileges and pivot deeper into networks, depending on how well architected the application and infrastructure are and what type of security vulnerability exists within the application.

The joke’s over when there is a Remote Code Execution, Local File Inclusion, or SQL injection vulnerability in your web application.

Trick fix: If you produce software, then secure coding training is critical to the well-being of your and your customers’ organizations. Web applications don’t float in space. They’re deployed in infrastructure which must be hardened and properly secured so if one application is compromised, it doesn’t put you out of business.


#10 Security vulnerabilities in internal applications

This deserves a special point, given how common it is to find internal corporate resources on the Internet. The problem with internal applications is that they usually don’t receive as much attention as commercial software and products. Usually, the mistaken assumption is that if it’s internal, no one will look for it and securing such devices requires a much smaller budget.

Remember that when someone is trying to hack you, they’re looking for the weakest link in the digital chain. If you’re not paying enough attention to securing corporate apps, hackers will take advantage of this by breaching the less-secure assets.

Trick fix: The solution is simple, but often not easy to implement. Use more resources to secure your internal apps and/or put them behind a corporate firewall/VPN to reduce risk. Doing this will minimize exposure and attack surface to internal hackers.


