Since the start of 2019, we have been working towards our ISO27001 Information Security certification. As part of this journey we have been scrutinising the security practices we have in place, improving and tracking them.
Recently, Ross gave a ‘Think Out Loud’ skill-sharing session on cyber scams with the goal of improving team-wide awareness of threats. Here are some of the topics we covered. We hope these insights will help you recognise threats before it’s too late.
About 80% of known attacks would be defeated by embedding basic information security practices for your people, processes and technology. - Sir Iain Lobban, Director GCHQ 2014
Hacking is when a criminal manages to gain unauthorised access to a computer system.
They might employ a brute-force attack where a program is used to guess the password that allows access to a system. Stronger passwords can be created by using long, unique and complex phrases. Here’s a great tool that shows how long a computer would take to crack your password. We use 1Password to generate strong passwords and store them securely.
Application attacks are also a form of hacking. They involve targeting a system weakness. The recent Whatsapp spyware scandal was an example of a ‘zero day’ bug: where attackers find a vulnerability before the company can patch it. Spyware was injected onto the phone by exploiting a vulnerability when a phone receives a call. The victim didn't need to pick up to be infected, and the calls often left no trace on the phone's log. Zero day bugs will always happen now and then, but the best course you can take is to keep your software up to date at all times.
We encrypt all data by default, so that if it is accessed or stolen it cannot be read. Most devices have pre-installed encryption software, so start by checking if it’s switched on!
A Distributed Denial of Service attack is when your web-based service is made unavailable by overwhelming it with data traffic. Usually, what happens is that a flood of simultaneous requests is made to the server, causing it to crash as it struggles to respond to more than it can handle.
DDoS attacks in themselves do not cause damage to your systems; however, the downtime they cause could instead lead to loss of sales or reputational damage. In other cases DDoS attacks are used as a distraction from other cyber attacks happening elsewhere at the same time.
Investing in DDoS mitigation is a great way to reduce your risk. Solutions work by analysing data traffic, identifying any rogue traffic and preventing it from reaching your server.
Malware is malicious software. It is designed to gain unauthorised access to computers, disrupt their normal operations and/or gather information from them. This includes spyware (e.g. the recent Whatsapp scandal), ransomware (e.g. Wannacry, 2017) and viruses (e.g. Cloudbleed, 2017).
To protect yourself against malware, start by using a firewall. They control traffic entering and leaving a network using filters. You should also make regular backups, and of course, encrypt them.
Malware often gets onto devices by someone opening a link or an attachment in an email. More on that next ...
Phishing is a request for secret information that tries to trick recipients into thinking it came from a legitimate source. This could be a bank, an online shopping site or a government department. The aim of the email is to get the victim to reveal confidential information (e.g. passwords or bank details) or to download malware (as above) in an attachment.
Software is available that spoofs an email address in the sender line, so it appears the message is from someone it’s not. Phishing emails might also be sent from a similar-looking address (e.g. @dvlep.co.uk instead of @dvelp.co.uk).
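To make the look-alike address point concrete, here is an added example (not DVELP's tooling and not from the original post) that flags From: headers whose domain is a near-miss of a trusted domain; the trusted domain dvelp.co.uk is taken from the post's own example, and the sample headers are constructed.

```python
from email.utils import parseaddr

# Trusted domain taken from the post's own example; the sample headers below are constructed.
TRUSTED_DOMAIN = "dvelp.co.uk"


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitute or swap of two
    adjacent characters each cost 1, so 'dvlep' vs 'dvelp' scores 1 (one swap)."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Tom <tom@dvelp.co.uk>', lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """'internal' for the trusted domain, 'lookalike' for a near-miss of it (small edit
    distance, or the same brand label under another suffix), otherwise 'external'."""
    domain = sender_domain(from_header)
    if domain == trusted:
        return "internal"
    if not domain:
        return "external"
    brand = trusted.split(".")[0]
    if edit_distance(domain, trusted) <= 2 or brand in domain.split("."):
        return "lookalike"
    return "external"


def flag_lookalikes(from_headers):
    """Return the headers that deserve a second look before acting on the request."""
    return [h for h in from_headers if classify_sender(h) == "lookalike"]


# Constructed sample headers: the genuine address, two look-alikes, one unrelated sender.
SAMPLE_HEADERS = [
    "Tom <tom@dvelp.co.uk>",
    "Tom <tom@dvlep.co.uk>",
    "Tom <tom@dvelp.co.uk.example.com>",
    "Bank <alerts@bank.example>",
]
```

A flagged header is a prompt to confirm the request over another channel, not proof of fraud, and a genuine sender will still pass if the domain matches exactly.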
Spearphishing is the more targeted form of phishing. It is when the email is customised to a specific person. The attacker could be using knowledge about that person found online (e.g. public social media feeds or company websites) to give extra credence to their disguise.
Our own EA, Ruby, has emails in her inbox right now pretending to be from our CEO Tom asking her to make certain payments. The way we help our team avoid these attacks is by keeping everyone up to date with the tell-tale signs of a fraudulent email. If someone is still unsure about the email’s validity, they should contact that person via another channel (e.g. Slack) to confirm the request.
We recently ran our own internal phishing assessment (with this free tool) to help us identify any team members who needed extra coaching in phisher-spotting.
We hope this information helps other businesses improve their defences against cyber scams. For more about the ISO27001-compliant infosec practices we’ve adopted at DVELP, have a look at our Cookbook.