Vulnerable Website Plugins
Plugins are bits of code designed to give extra functions to websites. Like all software, these can have vulnerabilities which criminals can exploit.
Plugins are a great way to add extra functionality to websites easily, as developers/designers don't have to spend time writing absolutely everything themselves. The rise of website builders such as WordPress/Shopify/Wix has meant that thousands of businesses are often using similar plugins, so criminals can affect a large number of businesses and their customer bases if a vulnerability is exploited.
If a website is hacked through vulnerable plugins, criminals can gain access to customer names/email addresses/passwords/other sensitive information.
Alternatively they could use your website to attack others, making it look as though the attacks are from a legitimate source.
If you are responsible for maintaining your website, then here are a few things to keep in mind when managing plugins:
- Keep your plugins up to date (some plugins may no longer be supported and no longer receive security updates; consider replacing these)
- Choose reputable plugins from reputable sources
- Delete any plugins you're no longer using
- Use only plugins that you need (consider whether your website really needs certain functionalities - by reducing the number of plugins, you reduce the number of potential vulnerabilities you have)
If you are not responsible for running your website, make sure to use a reputable hosting provider
Make sure that whoever is hosting/running your website takes security seriously. Unfortunately, there are constant vulnerabilities being discovered, which means that you need to be confident that your website is receiving security updates. As with any other procurement, do research around a company's track record, and look to see what accreditations they have (e.g. Cyber Essentials/+ can be an indicator that they are aware of security responsibilities).
Use strong and separate passwords
Secure your website login account with a strong password, and do not reuse that password across different accounts. A strong password combines random words into a long phrase - you can also misspell words/substitute letters for symbols and numbers to strengthen a password.
Turn on two-factor authentication (2FA)
2FA is an extra layer of protection which double checks that you are who you say you are when logging in to accounts/applications. A 2FA service will send an extra code to the device that you register it to, meaning that unless cyber criminals have access to that device in some way, they won't be able to log in to your account. If possible, use an authenticator app rather than a text based 2FA service, as this is generally more secure and defends against SIM swapping attacks.
If you've been affected by this or any other type of cyber crime, report the details to Action Fraud (0300 123 2040 / www.actionfraud.police.uk). Always keep an eye out for any suspicious follow up activity as well.
RYUK Ransomware
Ransomware is malicious software that prevents users from accessing their system or files, and demands that a ransom be paid in order to regain access. The RYUK ransomware strain has been around for roughly 5 months now, and has been seen affecting South West organisations.
Unlike some ransomware strains, RYUK is used for more targeted attacks. Typically, it functions by encrypting crucial assets and resources, with its infection and distribution carried out manually by criminals. This means that a lot of ground work is done by attackers, such as network mapping/hacking and credential collection.
RYUK shares similarities with the HERMES ransomware strain, which is known to contain code that will identify and delete backup files on a target network.
RYUK is likely to be delivered via Phishing emails with malicious attachments (e.g. invoices/reports), or through insufficiently protected Remote Desktop Protocol (RDP) configurations.
- Back up your data! If you're hit by a ransomware attack, then you can restore from those backups.
- Whether you're backing up to USB storage devices or separate drives, make sure that your backups are not connected to your internal network, or else they'll be at risk of infection as well.
- Store your backups off-site as well as on-site, so that in the event of environmental damage (e.g. fires or floods) you'll still have backups to restore from.
- Cloud storage is a great option which satisfies the above points and is now much more affordable.
- Educate and train staff to defend against Phishing attacks - see the NCSC's guide on this at https://www.ncsc.gov.uk/phishing. This guidance also includes information for IT staff on configuring email filters effectively, which can counter certain types of BEC.
- Protect your devices by ensuring that all software is frequently being patched and updated. Ransomware exploits vulnerabilities, so make sure to use the latest versions of any software you have, and apply security patches promptly.
- Install and run Antivirus software - make sure that it's updated regularly!
- Ensure that you have firewalls and that they have been correctly configured. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.
- Remote Desktop Protocol (RDP) allows administrators to connect remotely to computers over a network connection. If you have no need for RDP, consider disabling it. If you are using it, make sure that you:
  - Employ strong/unique passwords (consider using the 'ThreeRandomWords' technique)
  - Review port security (e.g. consider reassigning default ports/disabling unused ports)
  - Use a VPN and Two-Factor Authentication for remote working
  - Make use of monitoring tools on RDP
If you suffer a ransomware attack, do NOT pay the ransom. If you do pay, there is no guarantee that you will receive your data back. If anything, paying out means that you're likely to be targeted again. Report the crime to Action Fraud via phone (0300 123 2040) or website (https://www.actionfraud.police.uk).
DNS Hijacking
An attack where criminals redirect users to undesired/malicious websites, usually by compromising devices or servers and changing settings.
The Domain Name System (DNS) is essentially an internet phonebook, which allows devices to find each other by domain name so they can access resources such as web pages. Locating domains correctly is quite a convoluted process involving a lot of entities.
In a stripped down scenario, when you type in a domain name/URL (e.g. 'www.google.com' for the website hosted by Google), your browser will ask your internet service provider where that domain is located. Your service provider doesn't have this information, so it asks other organisations that are responsible for domain records, such as registrars/registries. These organisations will eventually locate the desired domain, and that domain will verify that it is in fact the correct one (i.e. "Yes, that website is hosted here and belongs to us, here it is!").
[Note: In this process, domain names are translated to numeric labels called 'IP addresses' - because computers prefer working with numbers!]
If there's a compromise anywhere in this chain then that can be a real problem. Modified DNS settings can redirect a visitor to a malicious website belonging to an attacker. The visitor likely won't be aware that this has happened, as they type the same URL in as usual; it just gets redirected in the background. The fake website could be designed to steal sensitive information or get someone to download malware.
There are a few different DNS hijacking methods to be aware of. These are discussed below, along with advice on how to protect yourself against these methods.
Criminals will seek to install malware on your device which modifies the DNS settings on your computer/router. This will silently point you to rogue websites. To counter this, make sure that you:
- Install security patches and updates as they're released.
- Install and frequently update antivirus and anti-malware software.
- Avoid clicking on suspicious links in unsolicited emails/texts/social media messages.
- Don't download dodgy/untrusted applications.
Criminals will hack into your router and change the DNS settings:
One way you can protect your router from being compromised is to make sure you change the default admin username and password for the device. Default factory logins are available readily online, so this is an easy way in for hackers if login info is left unchanged.
As discussed in the Threat section, your internet service provider or external agency may have become compromised. If this has happened, unfortunately there isn't a whole lot you can do. However, bear in mind the following points:
- Be very cautious and suspicious when a site that you visit regularly is behaving strangely (e.g. new pop-ups and unusual calls to action).
- Review your Business Continuity and Incident Response plans, and think about how incidents such as these are factored into your plans.
It's also possible that a criminal will connect to public Wi-Fi networks and masquerade as a legitimate hotspot so that they can eavesdrop on your web traffic. To defend against this, avoid using public Wi-Fi to conduct any sensitive business which requires login information. As a rule, if the Wi-Fi doesn't have a landing page discussing terms of service or similar, be suspicious.
Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud (either online at https://www.actionfraud.police.uk/ or call 0300 123 2040).
Denial of Service (DoS) attacks
A class of attacks which are designed to render a service inaccessible to users.
You may have heard about or even experienced DoS attacks that have been launched against websites; however, this type of attack can be launched against any system, e.g. industrial control systems which support critical processes.
A basic technical description is that an attacker will overload a server (a computer that 'serves' many types of information to other computers) with illegitimate requests for information. This then makes it impossible for that server to deal with the requests from legitimate users, and prevents devices which depend on that network from exchanging information.
DoS attacks can range in duration and may target more than one website or service at a time. An attack becomes a Distributed Denial of Service (DDoS) attack when it comes from multiple compromised devices at once. A collection of compromised devices used for this purpose is often referred to as a botnet. It's important that you secure your devices (frequent updates/not clicking on suspicious links or attachments/utilising anti-virus etc.) so that they aren't used in this way. DDoS attacks are highly prevalent due to the increasing number of connected devices.
Motivations for DoS attacks can be more varied than for other types of attack. As the effect is quite often immediately public, this is a favoured method of political activists/'hacktivists', or even disgruntled former employees looking to cause both PR and financial damage. Of course, criminals can employ DoS attacks for financial gain, either through ransom demands, or by operating a DoS service for hire.
Although there is technical advice which can help defend against DoS attacks, the majority of this may not be applicable to all, and not suitable to include in this format. More detailed guidance on DoS attacks can be found on the National Cyber Security Centre (NCSC) website outlined in the 'Useful Links' section below. However, we have included some brief points to consider below:
- Prepare - ensure that you and your service providers are prepared to deal with an overload of their resources. Ask them to explain how they are prepared for these scenarios, and how they can mitigate the threat for your organisation.
- Incident Response - understand what impact a DoS attack would have on your business and create an incident response plan. Think about who needs to be involved both internally and externally (e.g. 3rd party providers), and clearly define the roles and responsibilities for each. Think about having manual backup processes to rely on which can operate whilst the main services are down. Be thorough, and test your plan!
- DoS attacks can be used as a smokescreen to distract from other attacks which have a different aim (e.g. data theft). Be aware of this, and monitor closely for other suspicious activity which could indicate additional attacks.
- Action Fraud - if you are experiencing a live cyber attack, you can contact Action Fraud via telephone on 0300 123 2040, and follow the instructions. If it has been dealt with, then please also report the crime to Action Fraud, as every report will help law enforcement with intelligence building.
DoS guidance collection from NCSC
Guidance to help organisations understand and mitigate against DoS attacks (from the NCSC at https://www.ncsc.gov.uk/guidance/denial-service-dos-guidance-collection).
Lucky enough to get a new device for Christmas? Learn how to protect yourself, your family, finances, and connected devices with these tips (from Get Safe Online at https://www.getsafeonline.org/connectedchristmas/).
Remote Access Trojan (RAT)
A tool used to enable criminals to connect to a victim's machine remotely and perform a number of unauthorised actions.
A RAT will allow hackers access to all of your files and to features of your computer (microphone/webcam), and even let them use your computer to distribute malware to other machines.
Signs of a RAT on your system include a slow internet connection, unknown processes running on your systems, and files that have been modified/deleted/installed without permission. Here is some advice to protect against this type of attack:
- Make sure that your operating systems on your computer, mobile & tablet are updated with the latest security patches.
- Update your software with the latest security patches (e.g. Microsoft Office, Java, Flash, web browsers).
- Install reliable antivirus and firewall programs, and keep these updated.
- Don't click on any unusual links or attachments from emails, websites or social media.
- Only download apps from sources that you trust.
- Regularly back up your data.
If you know or suspect you have been infected with a RAT, here's what to do:
- Install security software from a trusted and reliable source.
- Run a full security scan of your device and remove the threats by following the recommended steps from the security software.
- Once you think that the infection has been removed, change the passwords for your online accounts and check your banking activity.
- Report anything unusual to your bank and, as needed, to Action Fraud (0300 123 2040 / www.actionfraud.police.uk).
- Learn how to protect your computer from future infections and avoid data loss by following the steps outlined above, and from handouts such as the NCSC's 'Small Business Guide'.
This time of the year is a gold mine for cyber criminals, as shoppers are rushing to bag bargains, and employees are already mentally clocking out for the holidays.
Fake websites and phishing emails promising truly unbelievable offers are rampant.
So with this in mind, we've highlighted 7 tips below to keep you safe in the run up to Christmas and beyond!
Stay up to date
Installing the latest software and app updates is an essential part of protecting yourself. Updates aren't just for exciting new features, they usually contain really important security updates which can protect you against a number of attacks. Turn on automatic updates where you can!
Use strong and separate passwords
Secure your important accounts with a strong password, and do not reuse passwords across accounts. A huge number of the businesses in our investigations have suffered because of weak passwords. Do not use personal information in passwords. Instead, use a combination of random words, substituting certain letters for numbers/symbols.
Turn on two-factor authentication (2FA), now!
2FA is an extra layer of protection which double checks that you are who you say you are when logging in to accounts/applications. A 2FA service will send an extra code to the device that you register it to, meaning that unless cyber criminals have access to that device in some way, they won't be able to log in to your account. If possible, use an authenticator app rather than a text based 2FA service, as this is generally more secure and defends against SIM swapping attacks.
Use a password manager
Having separate passwords is important, but it can be difficult to remember them all. You could consider using a password manager to get rid of this problem. Be aware that if you do use a password manager, you should make sure that your master password is incredibly secure (see the above rules for creating a good password).
Take extra care over links in emails and texts
Always be wary of suspicious links; in fact, try to get out of the habit of following them if you can. For example, if an email is referencing your account in any way and asks you to follow a link to do something, then go and log into your account separately (i.e. not using that link) to check activity there. The same goes for information on deals/coupons/vouchers; you should always look through other channels to verify the information. Links could lead to fake websites designed to steal your information or money, and attachments could be malicious files.
Only shop on sites that you trust, and report phishing emails to Action Fraud or hit the Spam or Report button within your email account.
Don't give away too much information
Normally online stores will ask for some information e.g. address, and some bank information to complete a purchase. If a store is asking for personal information which shouldn't be needed such as where you went to school, or your mother's maiden name, then this could be a red flag that a purchase is not legitimate.
Also, if you can avoid it, don't create an account unless you plan to use a site in the future. You can usually checkout as a guest.
When things don't feel right
If something doesn't add up, then take five and take a second look at what you're being asked to give/do. If you're concerned that you may be at risk of cyber crime, then immediately close down your internet browser. Report the details to Action Fraud (0300 123 2040 / www.actionfraud.police.uk) and contact your bank to seek advice. Whether you've been a victim of fraud will depend on how much information you've provided to the website. Keep an eye out for fraudulent activity on your accounts, and for any suspicious follow up activity through emails/texts/phone calls etc.
We have had a report that criminals are using our name in a phone scam. The report is that criminals are pretending to be from the South West Regional Cyber Crime Unit, and calling people using an automated message that says their internet has been compromised and will be shut down within 24 hours, and if they want to speak to the technical team they should 'press 1'.
This is a scam, if you do receive a call like this, hang up the phone immediately.
The South West Regional Cyber Crime Unit do not operate an automated call service. If we do contact you, we will provide you with a way of verifying that it is us, such as a collar number which you can then give to a 101 call handler if you need to confirm the caller's identity.
If you are concerned that you have been a victim of this or any other type of cyber crime, report to Action Fraud on 0300 123 2040, or online at https://www.actionfraud.police.uk/
For advice on protecting yourself against this type of scam, visit the Take Five campaign website at https://takefive-stopfraud.org.uk/advice/
Business Email Compromise (BEC)
A targeted form of phishing where criminals impersonate senior executives, or departmental authority figures, in order to get others to transfer funds or sensitive information to the imposter.
BEC can happen in different ways, but generally speaking a criminal will either hack into an executive's email account, or they will 'spoof' the account (i.e. email from a lookalike account which is very similar to the original account). If an email has been spoofed then email filters may be able to help prevent it from reaching employees.
If an account has been hacked, then this is much harder to combat, as requests are coming from a legitimate account so detection software won't be much help. This type of BEC allows a criminal the opportunity to directly alter invoice attachments, and even set up rules which will redirect emails into folders to cover up their tracks.
SIM Swapping
Criminals will pose as an account holder and request a new SIM card. Once received, this allows them to effectively take control of the victim's phone. They can then access accounts which use passcodes sent to the victim's phone such as in SMS/call based two-factor authentication.
Attackers will initially use other compromised information to bypass a company's security checks and request the new SIM. This information may be gained from leaked information on the dark web, phishing emails, or malicious software installed on user devices.
Be on the lookout for warning signs. Suddenly losing all service could indicate that a criminal has transferred your phone number to a different device. Receiving random authentication codes could also be a sign that someone is trying to breach your online accounts. Contact your phone company and financial institutions to mitigate any potential damage if you suspect any of the above.
SMS based two-factor authentication is better than nothing; however, it is better to use an authenticator app instead (e.g. Google Authenticator/Authy). Using these apps will protect accounts against SIM swap attacks.
As mentioned, criminals may use other personal information to bypass security checks. Make sure that you are not exposing this sort of information on any of your online profiles. This information could be your phone number itself, or information such as your address / education / mother's maiden name / banking information etc.
Many phone companies will allow you to put a unique PIN on your account. Enable this for another layer of security.
Similarly, make sure that your bank accounts have as many security procedures enabled as possible. For example, in one of these cases, Voice ID prevented a criminal from draining a victim's bank account.
Make sure that you know how to defend against Phishing attacks looking to compromise personal information used to bypass security checks - see the NCSC's guide on this at https://www.ncsc.gov.uk/phishing
Following on from the above point, don't download potentially malicious apps from untrusted sources, these could also steal your personal information to enable SIM swapping.
Many accounts ask you to link your phone number to them. One alternative is to obtain and use a VoIP number (Voice over Internet Protocol), if possible. Since VoIP numbers operate over the internet, they are immune to being SIM swapped.
If you are a victim of SIM Swapping, report it to Action Fraud https://www.actionfraud.police.uk/.
Criminals will automatically enter lists of compromised password/username pairs in order to gain unauthorised access to accounts.
Once an account is taken over, an attacker can drain the account of any value it has, steal any associated personal information linked to the account, and use any of that information for further malicious purposes (e.g. sending spam emails).
Use separate passwords for all of your different accounts. This reduces the likelihood that passwords that have been compromised for one account can be used to gain access to other accounts. Avoid using your corporate network credentials for third-party sites.
Create strong passwords: do NOT use personally linked information such as your pet's name; instead, use the 'ThreeRandomWords' technique.
If you think that your password may have been compromised, make sure to change it. Consider using resources such as 'haveibeenpwned.com' to check whether your passwords have been exposed in a data breach.
Enable Two-factor/Multi-factor authentication on your accounts where possible. Do this, and it will make it much harder for criminals to gain access to your accounts.
Morrisons loses appeal against data breach liability ruling
The supermarket chain has lost its appeal against a High Court ruling that found it liable for a data leak by a former employee, underlining the importance of managing insider threats.
The Court of Appeal ruled that Morrisons must pay compensation to 100,000 employees who were victims of the data breach by disgruntled employee Andrew Skelton, a senior internal auditor at the supermarket’s headquarters who deliberately leaked payroll information. The Appeal Court’s ruling underlines the fact that organisations are ultimately responsible for the personal data they hold.
Morrisons is to appeal to the Supreme Court.
Formjacking
Criminals will inject malicious code into a legitimate web page to steal a user's data. Typically this technique is used on check-out or payment forms on e-commerce sites.
This type of attack has been employed in the recent Ticketmaster and BA data breaches, but these are only a couple of examples of high profile incidents; it's very likely that there are a huge number of websites which may currently be at risk.
Formjacking can be difficult to detect for both user and vendor. Web pages will look and function the same to the user, and the information entered into a form is still sent through to the vendor. It's only in the background that the attacker is copying the data.
Training and Awareness - in some cases, formjacking requires a user to click on a malicious link or visit a malicious website which will prompt them to fill in sensitive data. It's important that you and your colleagues can recognise when attackers are employing this tactic. Make sure to check that the URLs of websites in the address bar are what they should be (e.g. look for misspellings, numbers instead of letters, irregular domain endings).
Ensure that your firewalls have been correctly configured, so that known suspicious websites are not accessible. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.
Where a legitimate website is compromised, it can be very difficult to protect against. Formjacking can be a type of Supply Chain Attack, in that criminals can target companies through the web services that they use. This should serve as a reminder to always do your due diligence when deciding which online services you use, and how you use them. Think about what security measures they have in place e.g. are they Cyber Essentials certified? How would they notify/work with you in the event of a cyber incident?
FOR DEVELOPERS / IT ADMINS
Always integrate security into the development process. Scan internal codebases at different stages of the development cycle for anomalies.
Access Controls - ensure that only employees who need to have the ability to edit important source code can do so.
Strong Content Security Policies - control which domains are allowed to communicate with your website, and how. If done correctly, CSPs can prevent malicious code from sending compromised data to other servers.
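As an added example (not code from the page or from any of the organisations it names), here is a Content Security Policy for a checkout page together with a simplified evaluator that shows what the policy permits: the `connect-src` and `form-action` directives restrict where scripts and forms may send data, so card details copied by injected code cannot be posted to an origin the policy does not list. All origins are constructed placeholders, and the evaluator covers only the subset of CSP source syntax used here.

```javascript
'use strict';

// Directives for a checkout page: scripts only from our own origin and our
// CDN, fetch/XHR only to our own origin and our payment provider, and forms
// may only post back to us. All origins here are constructed placeholders.
const CHECKOUT_CSP = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example-shop.test'],
  'connect-src': ["'self'", 'https://api.example-psp.test'],
  'form-action': ["'self'"],
  'img-src': ["'self'", 'data:'],
};

// Serialise the directive map into the Content-Security-Policy header value.
function buildCspHeader(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into a directive map, e.g. to audit a live site.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Does one source expression permit `target`? Covers 'self', 'none',
// scheme-only sources ("data:"), and host sources with an optional scheme,
// "*." wildcard label and port.
function sourceMatches(source, target, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === page.origin;
  if (source.startsWith("'")) return false; // other keywords never match a host
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Simplification: a scheme-less source must use the page's own scheme.
  const wantProtocol = scheme ? `${scheme.toLowerCase()}:` : page.protocol;
  if (target.protocol !== wantProtocol) return false;
  const targetHost = target.hostname.toLowerCase();
  const hostOk = wildcard
    ? targetHost.endsWith(`.${host.toLowerCase()}`)
    : targetHost === host.toLowerCase();
  if (!hostOk) return false;
  const targetPort = target.port || DEFAULT_PORTS[target.protocol] || '';
  return !port || port === '*' || port === targetPort;
}

// Is a request of kind `directive` to `targetUrl` permitted from `pageUrl`?
// Fetch directives fall back to default-src when absent; form-action does not.
function isAllowed(policy, directive, targetUrl, pageUrl) {
  const page = new URL(pageUrl);
  let sources = policy[directive];
  if (!sources && directive !== 'form-action') sources = policy['default-src'];
  if (!sources) return true; // nothing in the policy restricts this kind of request
  const target = new URL(targetUrl);
  return sources.some((source) => sourceMatches(source, target, page));
}

const header = buildCspHeader(CHECKOUT_CSP);
const page = 'https://www.example-shop.test/checkout';
console.log('Content-Security-Policy: ' + header);
// Data posted by injected code to an origin the policy does not list is
// blocked by the browser; the legitimate payment-provider call still works.
console.log(isAllowed(parseCsp(header), 'connect-src', 'https://collector.unlisted.test/c', page)); // false
console.log(isAllowed(parseCsp(header), 'connect-src', 'https://api.example-psp.test/tokens', page)); // true
```

Roll a policy like this out under the `Content-Security-Policy-Report-Only` header first so that legitimate third-party calls show up in violation reports before anything is blocked; a report to an unknown origin from your checkout page is itself a signal worth investigating.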
Check CiSP! - the Cyber Security Information Sharing Partnership is regularly updated with example code and other Indicators of Compromise (IOCs) to help identify these types of threats.
It’s a common theme in the news: ‘Company X has had a security breach and Y customer details have been leaked’.
But what does this actually mean?
Cyber Crime is big business and it is believed that through 2017 Cyber Crime may have cost the world around $600 billion. For many of these criminals it is their day job and your data are their pay cheques.
Among many other methods to obtain money, one tactic is for an attacker to infiltrate a business computer network and find personal data stored on their systems. This could be names, email addresses, credit card numbers and details, passwords etc. This information is then uploaded to marketplaces on the Dark Web for other people to buy.
Taken from Experian, below is an estimate on how much your data can be purchased for on the Dark Web:
People purchasing this information can buy specific pieces of information such as a person’s passport details or bulk data with various categories from many different sources.
Other attackers can then use this information to create further attacks. For example, someone could find your full name and a password that was used on a breached website. They could then check online for other accounts under the same person’s name, e.g. Facebook, LinkedIn, online banking etc., and then try the leaked password on these sites.
How many of us use the same password for multiple site logins?
Therefore, if your data has been leaked and you have been notified of this, you should take all steps necessary to prevent yourself being the next victim.
To find out if your password has been leaked please visit https://haveibeenpwned.com, where you can check your email addresses to see if they are associated with any breaches and also find out what data was leaked.
For any further information please do not hesitate to contact us!
A criminal will create a fake URL (website) which looks like a legitimate and secure website, but is actually set up to steal sensitive information for malicious purposes.
Criminals will attempt to lure users into visiting the fake URL via phishing emails/SMS/social media. Typically, attackers have targeted financial services for a direct profit gain, however they also employ this tactic in many other scenarios.
For example, recently universities in the UK have been targeted by overseas criminal groups. Attackers are using fake phishing websites which then redirect users to real login screens. By doing this, the attackers can then record any login details used, giving them access to online libraries which may include valuable intellectual property.
Make certain that you know how to defend against phishing. For detailed guidance, check out the entry on phishing from the NCSC's Small Business Guide [ https://www.ncsc.gov.uk/guidance/avoiding-phishing-attacks ].
Always check that the URL of the website you are being asked to log into is what you are expecting (look for misspellings or variations of phrasing, and misleading domain endings e.g. 'orguk.com'). Other signs include a website not behaving in a typical way (odd pop-ups, incorrect links, inconsistent content).
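The address-bar checks described here and in the formjacking advice above (misspellings, numbers in place of letters, misleading domain endings such as 'orguk.com') can be turned into a repeatable test. This added example, which is not code from the page, compares the host in a link against the registrable domain you expect and reports which lookalike trick it finds; the bank domain and sample links are constructed, and the split of the expected domain into "name" and "ending" is a simplification that a real deployment would replace with the Public Suffix List.

```javascript
'use strict';

// Digits that commonly stand in for letters in lookalike domain names.
const DIGIT_SWAPS = { '0': 'o', '1': 'l', '3': 'e', '5': 's', '7': 't', '8': 'b' };

function normaliseLabel(label) {
  return label.replace(/\d/g, (d) => DIGIT_SWAPS[d] || d);
}

// Levenshtein edit distance between two strings (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + (a[i - 1] === b[j - 1] ? 0 : 1));
      diagonal = above;
    }
  }
  return row[b.length];
}

// Compare a host against the domain you expect. `expectedHost` is the
// registrable domain you would type yourself (e.g. "example-bank.co.uk");
// everything after its first label is treated as the "ending".
function assessHost(candidateHost, expectedHost) {
  const candidate = candidateHost.toLowerCase().replace(/^www\./, '');
  const expected = expectedHost.toLowerCase().replace(/^www\./, '');
  if (candidate === expected || candidate.endsWith(`.${expected}`)) {
    return { verdict: 'expected', detail: 'the expected domain or one of its subdomains' };
  }
  const [expectedName, ...endingLabels] = expected.split('.');
  const expectedEnding = endingLabels.join('.');
  const labels = candidate.split('.');
  // Look at every label except the last (the top-level domain itself).
  for (let i = 0; i < labels.length - 1; i++) {
    const label = labels[i];
    const ending = labels.slice(i + 1).join('.');
    if (label === expectedName) {
      return { verdict: 'lookalike', detail: `right name, wrong ending: "${ending}" instead of "${expectedEnding}"` };
    }
    if (normaliseLabel(label) === expectedName) {
      return { verdict: 'lookalike', detail: `digits used in place of letters in "${label}"` };
    }
    // A threshold of 2 suits names of this length; use a smaller one for short names.
    if (editDistance(normaliseLabel(label), expectedName) <= 2) {
      return { verdict: 'lookalike', detail: `"${label}" is a misspelling of "${expectedName}"` };
    }
  }
  return { verdict: 'unrelated', detail: 'no resemblance to the expected domain' };
}

// Check a full link: the URL parser reports the real host, whatever text
// appears earlier in the address (anything before an "@" is user-info, not host).
function assessLink(link, expectedHost) {
  const url = new URL(link);
  return { host: url.hostname, ...assessHost(url.hostname, expectedHost) };
}

// Constructed sample links, checked against the bank domain you expect.
const EXPECTED = 'example-bank.co.uk';
for (const link of [
  'https://www.example-bank.co.uk/login',
  'https://examp1e-bank.co.uk/login',
  'https://example-bank.orguk.com/login',
  'https://exampel-bank.co.uk/login',
  'https://example-bank.co.uk@unrelated-host.test/login',
]) {
  const result = assessLink(link, EXPECTED);
  console.log(`${result.verdict.padEnd(10)} ${result.host}  (${result.detail})`);
}
```

The check is deliberately conservative: anything that is neither the expected domain nor a recognisable near miss is reported as unrelated, which is still a reason not to enter credentials.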
Protect your devices by ensuring that all software is frequently being patched and updated. These attacks exploit vulnerabilities, so make sure to use the latest versions of any software you have, and apply security patches promptly.
Ensure that firewalls have been correctly configured to reduce the ability to visit malicious websites. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.
Install and run Antivirus software - make sure that it's updated regularly.
Watering Hole Attacks
A criminal will identify a website that is frequented by users inside a target organisation, compromise that website, and use it to distribute malicious software to the users.
Watering hole attacks are an example of a supply chain attack, whereby criminals target websites thought to be regularly used by organisations of interest to them. These types of attacks are becoming increasingly successful with the increased use of third party web based services.
A victim may be unaware that malware has been downloaded during their session; this is known as a 'drive-by' attack. Alternatively, as they are usually on a trusted site, they may consciously download a file without knowing what it really contains.
Typically, the malware used will be a Remote Access Trojan, which will enable the attacker to gain remote access to a target system to then perform a number of functions, e.g. reconnaissance / exfiltrating data / distributing other malware.
Watering Hole attacks are a type of Supply Chain attack, so it's important that both your new and existing suppliers are evaluated for their cyber risk. Consider contractual clauses focused on security, and challenge your suppliers to practice and develop processes for reacting to compromise or data breaches. Note: Cyber Essentials accreditation is a good indicator for a supplier's reputation.
Protect your devices and network by ensuring that everything is frequently being patched and updated. Watering Hole attacks exploit bugs and vulnerabilities, so it is crucial that you are using the latest versions of any software you have, and apply security patches promptly.
Network Security - ensure that your firewalls and any other security products have been correctly configured to monitor and filter web traffic effectively. Monitoring your network for abnormalities is especially key to detecting malicious behaviour. If you are not responsible for this, ask your IT manager/provider to confirm this is being done.
Threats that result from the actions of an employee, former employee, or stakeholder. Insider threats can be intentional or unintentional.
Significant damage can be caused to a company by anyone who has, or at one time had, access to confidential or proprietary information. Insiders have knowledge and understanding of internal processes and structures, making it easier for them to cause incidents. As they already have access to company systems and physical premises, it can also be much harder for those incidents to be detected; this is a good example of why a company cannot rely solely on security software to detect threats.
If an insider is actively seeking to harm a business, then they may use their login credentials to steal customer data or Intellectual Property, sabotage data or applications, or even expose sensitive email conversations which could cause reputational damage. These types of actors could be acting on personal motives (financial, emotional, or political), for a competitor, or under direction from other malicious parties e.g. extortion attempts.
The unintentional insider threat can be just as damaging. Although there may be no intent to do harm, employees often make mistakes, they can have their accounts compromised, and they can also be socially engineered by attackers to enable malicious actions. Unfortunately, the majority of security incidents can be traced back to human error in some capacity.
Implement good hiring policies - make sure staff are vetted to a suitable degree. This should extend to third-party vendors, sub-contractors and other partners.
Review firing policies - this includes revoking user access to systems before employees are informed that they are being let go, escorting them off premises, and changing any login credentials that they might know of.
Use the principle of 'Least Privilege', which maintains that employees should only have access to data which they need for their role. Reducing the number of privileged staff means fewer staff who can conduct malicious activity, fewer accounts to be hacked, and fewer people to make high profile mistakes. With this in mind, it's important to update employee privileges when they change jobs, so they don't retain access to unnecessary and sensitive data.
Segregation of duties - although you should reduce the number of privileged staff as outlined above, it's also good practice to make sure that business sensitive processes require more than one person to complete them. This can reduce fraud, error, and overreliance on single employees.
Monitor user action. There are software solutions which monitor work sessions and network performance to detect abnormal user behaviour - this can be an option for organisations who have the budget and need to put this in place. Alternatively, if this isn't a suitable option, use the information available to you to observe how staff operate. It may be good practice to analyse business performance at certain times e.g. when certain employees are away on leave/busy financial periods etc.
Implement regular cyber security training - this should cover all manner of threats, including social engineering and associated attacks such as Phishing/Spear Phishing/Business Email Compromise/CEO Fraud. Build a healthy working environment which encourages open communication. Not only can this reduce the likelihood of employees becoming malcontent, but staff will be more ready to discuss any security concerns they might have around their own work and that of others.
A type of phishing attack where criminals impersonate senior executives, or departmental authority figures, in order to socially engineer victims into sending financial or other sensitive information to the attacker.
There are various methods involved in BEC. One method attackers may employ is to use malicious software kits to gain access to a company's webmail exchange service. Once they have this access, they can then intercept invoices and alter payment details, or pose as senior employees to authorise transfers to fraudulent accounts.
Other methods include designing an email to look as authentic as possible. For example, a fraudster may register a domain which looks very similar to a pre-existing legitimate one, and attempt to commit fraud using associated email accounts. This was raised in a recent ActionFraud report regarding university suppliers. The report highlighted how attackers are registering domains that are similar to genuine university domains such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk.
These domains are used to contact suppliers and order high value goods such as IT equipment and pharmaceutical chemicals in the university’s name. The purchase order typically instructs delivery to an address, which may or may not be affiliated with the university. The items are then received by the criminals before being moved on, however no payment is received by the supplier.
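The URL check recommended under phishing above and the lookalike supplier domains described in this report are the same problem: a host that mentions the organisation's name but does not belong to its registrable domain. The following is an added example, not code from the original page or from Blueloop, showing how a supplier's order desk could flag such addresses before acting on them. The suffix table and the `example.ac.uk` / `example.org.uk` names are constructed assumptions; a real deployment would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Multi-label public suffixes relevant to the UK examples on this page.
# This short table is an assumption; use the Public Suffix List in production.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "org.uk", "gov.uk", "police.uk"}


def registrable_domain(host: str) -> str:
    """Return the organisation-level domain of a hostname, e.g. example.ac.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(address: str) -> str:
    """Extract the hostname from either a URL or an email address."""
    if "@" in address and "://" not in address:
        return address.rsplit("@", 1)[1].lower()
    parts = urlsplit(address if "://" in address else "https://" + address)
    return (parts.hostname or "").lower()


def classify(address: str, genuine_domain: str) -> str:
    """Classify an address relative to the organisation's genuine domain.

    'genuine'   - host sits inside the genuine registrable domain
    'lookalike' - host merely contains the organisation's name (e.g. exampleacu-uk.org,
                  example.orguk.com, login.example.ac.uk.evil-host.test)
    'unrelated' - neither
    """
    host = host_of(address)
    genuine = registrable_domain(genuine_domain)
    if registrable_domain(host) == genuine:
        return "genuine"
    brand = genuine.split(".")[0]
    # Strip separators so hyphenated and run-together variants still match.
    if brand in host.replace("-", "").replace(".", ""):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample addresses in the style of the ActionFraud report.
    for sample in ("procurement@exampleacu-uk.org",
                   "https://library.example.ac.uk/login",
                   "https://example.orguk.com/login"):
        print(sample, "->", classify(sample, "example.ac.uk"))
```

The useful property is that a lookalike is never reported as "unrelated": an order that names the university but arrives from a domain outside `example.ac.uk` is exactly the case the guidance says to verify through an established contact.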
- Educate and train staff to be aware of and recognise BEC. Consider running simulated BEC/phishing exercises.
- Agree secure processes between employees internally and externally for your organisation to confirm certain purchases. Consider segregating duties, and make certain that employees know their responsibilities with regard to these processes.
- Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the retailer's website – do not use the details given in the suspicious email for verification purposes.
- If the order request is from a new contact at an organisation that’s an existing customer, verify the request through an established contact to make sure it is legitimate.
- Check any correspondence and documents for inconsistencies in spelling, grammar and content – this can be a sign that fraudsters are at work.
- Install and frequently update antivirus and anti-malware software to protect against malicious software.
- Consider employing DMARC - a free email authentication solution from the Global Cyber Alliance (online setup can be found at https://dmarc.globalcyberalliance.org)
- Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud (either online at www.actionfraud.police.uk or call 0300 123 2040).
With the release of Chrome 68 this week, Google is now taking steps to make the web safer and is marking all websites that are not HTTPS as ‘Not Secure’
With an HTTP site there is no SSL/TLS certificate to encrypt your connection to the web server, therefore anything sent over an HTTP connection is in plain text. Passwords, names, addresses, personal and bank details etc. are not encrypted, giving an attacker the opportunity to intercept this information.
So, if your website is still running as HTTP, any of your visitors that are using Google Chrome will be warned with a ‘Not Secure’ message when visiting your website.
By upgrading to HTTPS you also get the added benefit of Google algorithms favouring your website so that your Google ranking will be higher!
If you need more information please give us a call on 01460 271055
IoT devices are any physical devices that are able to connect to and communicate over the internet. This connectivity allows new opportunities for cyber criminals.
IoT devices such as cameras, home sensors, and even baby monitors have become hugely popular. Unfortunately, security has been an afterthought for many manufacturers and consumers. Here are some threats related to IoT devices that you should be aware of.
Weak passwords, and a lack of two factor authentication on many devices can make it easy for an attacker to gain access to your devices.
Lack of Encryption
Unencrypted data, possibly even passwords being sent over the air with no protection (a recent story involved IoT lightbulbs doing just this between each other).
Are cameras showing weak points? Employee screens? Stock levels? An attacker could leverage this for malicious purposes.
Insecure software / hardware / firmware
Some devices are unable to receive updates with security patches. Or, it may be that manufacturers simply do not release updates. This is a huge vulnerability. Similarly, if device credentials are hard-coded (i.e. unable to be changed), then if these are ever exposed it becomes much easier for an attacker to compromise that device, as well as potentially other devices on that network.
Do you have ports open that shouldn't be? Could the device be compromised to conduct DDoS attacks?
As many organisations want to support mobile, team-oriented and non-routine ways of working, an increasing number of them are looking for assistance in adopting digital workplace technology. A recent Gartner, Inc. survey concluded that only 7 percent to 18 percent of organisations possess the digital dexterity to adopt new ways of work (NWOW) solutions, such as virtual collaboration and mobile working.
Not surprisingly, they found that the youngest age group (18-24) are the most likely adopters of NWOW, closely followed by the oldest (55-74). The group at the low point of the adoption dip (35-44) were potentially feeling fatigued with the routines of life as middle age approaches: they were most likely to report that their jobs are routine, had the dimmest view of how technology can help their work, and were the least interested in mobile work.
It seems that the days of snow are finally behind us and that big golden thing in the sky has made an appearance.
It’s time to enjoy the warmer temperatures but have you thought about the effect that the temperature has on your IT Equipment?
You may have seen this error on your Phone or Tablet from time to time and you should always take measures to cool it as soon as possible.
If you are out in the sun get it into the shade and allow it to cool as extended periods of heat can cause faster deterioration of the internal components and shorten the life of the battery. Mobile devices should be kept between 0°C and 35°C
In your server room you run similar risks as extended periods of heat give you a much higher risk of system failure and downtime.
A server should be kept running at between 20°C and 24°C and dangerous temperatures are classed as anything higher than 30°C
If your server room is beyond this limit installation of an air conditioning unit should be considered.
With a Blueloop Packaged Services Agreement we can monitor the temperature for you and take appropriate and safe shut-down action in extreme cases.
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data.
The reported number and scale of data breaches has continued to increase, with recent examples such as Dixons Carphone and PageUp as examples of larger organisations being exposed. Associated threats are many, including the potential for a number of various frauds using the actual data gained from the breach, or the media awareness around the breach (e.g. phishing/vishing/smishing attempts from attackers masquerading as employees of the affected company, or regulatory authorities etc.).
If an organisation suffers a data breach, then the consequences can be dire. Financial damages can now include hefty fines from the ICO for non-compliance, and the reputational damage can be incredibly difficult to recover from.
The techniques used in many cases are often not particularly advanced. Examples include exploiting unpatched vulnerabilities or spear-phishing, and a large number of incidents have been caused by third party suppliers failing to secure data properly. This highlights the importance of getting basic technical and procedural security measures right.
A major hardware distributor was the victim of a network intrusion whereby suspects had gained access to the backend of their .eu and .ie domains, through a vulnerability with the company’s webserver. It is believed that the suspect identified the type of webserver which the domains were hosted on using security scanning software tools such as Nmap or Metasploit. Once the type of webserver had been identified, the criminals would have ascertained that the company used the Magento ecommerce payment platform, which is used to manage their online financial transactions. Unfortunately, the Magento software which they used was vulnerable to cross site scripting (XSS), an attack type which we discuss below. This particular vulnerability had been present for over 6 months, and had not been patched.
XSS is a code injection attack whereby an attacker can inject malicious scripts (payloads) into a legitimate website or web application, which are then executed by an end user. The XSS would have given the suspect(s) access to the backend of the .ie and .eu domains, and from there the suspects brute forced an old admin account which had lain dormant for 2 years. This would have been relatively easy to do, as the account had a weak password.
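The defect behind XSS is a page that writes user-supplied text into its HTML without encoding it, so the browser treats the text as markup. The following added example, which is not code from the page and has nothing to do with Magento's own code base, shows a vulnerable search-results renderer beside its hardened form, plus the response headers a site would send as defence in depth. The `query` parameter and the `/search` route are hypothetical.

```python
import html
from typing import Dict


def render_unsafe(query: str) -> str:
    """VULNERABLE (kept for contrast): the search term is interpolated into HTML as-is,
    so any tags in it become live markup in the visitor's browser."""
    return f"<h1>Results for {query}</h1>"


def render_safe(query: str) -> str:
    """Hardened: HTML-encode the term so <, >, &, quotes are shown as text, not parsed.
    quote=True also makes the value safe inside a double-quoted attribute."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def security_headers() -> Dict[str, str]:
    """Defence in depth for a page like /search (hypothetical route): a CSP that
    refuses inline scripts means an encoding slip elsewhere is far less exploitable."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_live_script(rendered: str) -> bool:
    """Detection helper for a test suite: does the rendered HTML carry an unencoded
    <script tag? Used here to show the difference between the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed input: the classic harmless probe string used in XSS test suites.
    probe = "<script>alert(1)</script>"
    print("unsafe:", render_unsafe(probe))
    print("safe:  ", render_safe(probe))
```

Encoding must match the context the value lands in (HTML body, attribute, JavaScript string, URL); `html.escape` is correct for the first two, and a template engine that auto-escapes by default removes the chance of forgetting it on one page.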
In total, 138 customers were affected with compromised banking details, which were used in secondary fraud. The investigation identified the route of compromise and also a number of IP addresses, with the suspects using multiple VPN companies to remotely access the victim’s network.
The investigation team was able to trace the malicious file back to a server in Eastern Europe; those behind it had contacted the company using encrypted instant messaging and made payment through the cryptocurrency Bitcoin (BTC).
Through extensive open source enquiries and engagement with international law enforcement partners we were able to identify details of the organised crime group behind the attacks and provided this intelligence to overseas law enforcement for them to develop the intelligence and take proactive action against the suspect(s) identified. This investigation highlights the effective intelligence sharing between international agencies to tackle cyber crime on a global scale.
ITIL (formerly an acronym for Information Technology Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. This process is adopted here at Blueloop for our customers.
Recent publicity regarding poorly implemented system upgrades in the banking industry clearly demonstrates that upgrades and system improvements need to be well planned and tested in a live ‘pilot’ before implementation. Using ITIL’s industry standard for both IT project delivery and IT support provides suitable controls and measures for organisations in a professional and efficient manner.
Why risk business disruption when there are industry tools for IT service to protect your business?
Type of attack where security flaws or vulnerabilities are introduced into equipment, hardware, software, or services before they are supplied to, or used by, a target.
Supply chain attacks can be used for a number of purposes, including breaching confidential data, stealing login credentials for further attacks, or even supplying defective equipment to prevent a service from being useable (a denial of service).
One example saw attackers compromise legitimate websites through website builders used by creative and digital agencies. The criminals utilised a redirect script to send people to a malicious domain they owned, where malware was downloaded and installed by users who were browsing legitimate websites.
Ongoing servicing, support, or updates may provide criminals with an opportunity to interfere with a supply chain.
GDPR How was it for you? Did the sky fall in?
After the email bombardment and mixed messages that we have all experienced about GDPR, it’s time to take a step back and reflect on a very sensible campaign that the Information Commissioner's Office (ICO) has launched, called “Your Data Matters”.
Their brief is a very straightforward one; “increase public trust and confidence in the way personal data is handled”.
This comes at a time when our confidence in how this data is handled is at a low ebb, with a recent Direct Marketing Association (DMA) study showing that 86% of consumers would like more control over how data is held and processed.
The ICO campaign has cross-industry support from companies such as PwC, Sainsbury’s, and the BBC.
Find out about your personal data rights and how to find advice concerning its use by third-parties by visiting https://ico.org.uk/your-data-matters/
Five minutes well spent.
Organisations consider data management and security to be a simple nightly backup but Veeam believe there are 5 steps to data security nirvana and traditional backup is just the first.
- Backup: Back up all workloads and ensure recoverability of data loss or attack
- Aggregation: Manage data backup and recoverability across multiple environments with an aggregated view of SLA compliance
- Visibility: Deliver monitoring, resource optimisation, capacity planning, and built-in intelligence to improve multiple environment data management
- Orchestration: Move data to the best location across multiple environments to ensure business continuity, compliance, security, and optimal use of resources with an orchestration engine that enables disaster recovery (DR) plans to be automatically and non-disruptively executed, tested, and documented
- Automation: Veeam's idea of nirvana, in which data becomes self-managing via data analysis, pattern recognition, and machine learning, and so is automatically backed up, migrated to ideal locations, secured during anomalous activity, and recovered instantaneously
We are not at the Automation stage yet but it's good to set our sights high.
Blueloop work with Veeam to provide resilient data and system management solutions.
SOUTH WEST POLICE
Regional Crime Unit
A form of phishing where a specific person is deliberately targeted with an email typically containing personal information, purporting to be from a reputable source.
Spear Phishing emails have the same end goal in mind as regular Phishing attacks - they are designed to make a potential victim interact with the email in some way, usually through clicking on a link or attachment. However, they are generally much more difficult to recognise, as the authors include highly relevant information which adds legitimacy to the correspondence.
As an example, criminals often masquerade as vendors and email financial workers with attached invoices relating to recent orders that a company may have placed. Once the attachment is opened, malicious code is executed which can trigger various actions - such as stealing passwords, running cryptojacking software, or taking command of a computer to use in a future botnet for a DDoS attack.
For more information https://www.swrocu.org.uk/cyber.aspx
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.