Three common hacking tactics and how to defeat them

By Justin Ware. Published at Oct 25, 2018, in Ctrl Alt Del

As we have come to know all too well, leaked documents and files can have a devastating effect on companies.

Look no further than British Airways and Cathay Pacific. The two airlines are now on the hook for considerable payouts to customers whose credit card details may well already have been sold.

As of August 29 this year, some 215 million records had been leaked or exposed via cyberattacks in 2018.

215 million.

When the number is that high, there’s a good chance that those in charge of security aren’t on top of their game as much as they should be. So if major companies are struggling, what about mid-sized businesses?

If you are running a business of any size, below are three common forms of cyberattack that companies are likely to face, and what can be done about them:

PHISHING:

Phishing is an old tactic, but the methodology behind phishing is becoming increasingly sophisticated.

Phishing costs mid-size companies US$1.6 million on average, with phishing attacks up 65% over the last 12 months.

Hackers will often wait for opportune moments to launch phishing attempts (such as after security breaches at similar companies) in an attempt to catch out those who wouldn’t normally fall for it.

A hacker will use phishing to pose as a legitimate third party or administrator, copying the real email or website and prompting users to perform a password ‘reset’. Once the user clicks the link in the email, they will be taken through to a site that looks like the real thing.

When the user enters their ‘old’ password, the hacker gains access to the user’s current password, compromising the entire system.

Tip: If you receive a password reset email, flag it with your system administrator or IT support team immediately and inform co-workers.

RANSOMWARE:

Simple rule: if you receive an email with an attachment from someone you don’t know, don’t open it.

It is age-old advice, but it couldn’t be more relevant today. Ransomware attacks have become a go-to move for hackers – surging a ludicrous 2,502% in 2017 alone. Yes, you read that figure correctly.

Ransomware is as egregious as the name suggests: a hacker will deploy a malicious file onto your server and utilise phishing (producing fraudulent emails from a reputable source) to send an email to everyone on the server.

If a user clicks through on the attachment, the ransomware file is deployed, encrypting highly sensitive files on the user’s computer or servers. The only way to unlock them again is to pay a specified amount to the hacker (which is usually through an untraceable medium like bitcoin).

Tip: If you don’t know who the email is from and the URL link looks odd – BIN IT

CRACKING:

If you get lackadaisical with your passwords then listen up.

One of the most common forms of attack is cracking, where a hacker will run a program that generates billions of variations of simple passwords and tries each one against a log-in.

I’m as guilty of this as anyone: we still use laughably simple passwords, even for important log-ins.

* yolo

* Iamthebest

* Person’s DOB

* 111222

* favourite sport team

This trend is disturbing because we then love to re-use these passwords, which means if a hacker cracks one of your passwords on one account or device, you could be completely compromised.

You’d think the threat of this would be enough to encourage users to put more thought into stronger passwords, but we simply aren’t learning.

According to a recent study by Preempt, an astonishing 35% of users have a ‘weak password’, while another 65% of passwords can be cracked if given enough time.

To counteract this, the study makes the following recommendations:

It doesn't take too long to crack a password, so protect yourself properly.

Use a password policy to enforce complexity and password expiration. (Note: Preempt can help force a password change when there is an indication that a password was compromised or is considered weak.)

1. Require longer passwords (8 bad, 10 ok, 12 good)

2. Educate people to:

   1. Not share passwords with other employees

   2. Not share passwords with other cloud services

   3. Not use simple patterns, personal data or common words (make it unpredictable)

   4. Not repeat passwords when a password expires (enumeration included)

3. Add additional factors to authenticate users. For example, on suspicious logins, you could send end users a simple email notification or push an immediate notification to their mobile device. (Preempt can help in such cases.)

4. Implement a context-based solution - train and enforce password policy based on users’ activity (1b, 4).
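
One way to turn the recommendations above into a check run at password-change time, as an added example that is not code from the article or from Preempt. The word list, the function names and the treatment of in-between lengths are assumptions made for illustration.

```python
import re

# Constructed sample list; a real deployment would load a large breached-password list.
COMMON_WORDS = {"password", "yolo", "iamthebest", "qwerty", "letmein", "welcome"}

def length_tier(password):
    """Page's scale (8 bad, 10 ok, 12 good); in-between lengths round down (assumption)."""
    n = len(password)
    return "good" if n >= 12 else "ok" if n >= 10 else "bad"

def has_simple_pattern(password):
    """True for a character repeated 3+ times (111222) or a 4-character run (1234, dcba)."""
    if re.search(r"(.)\1\1", password):
        return True
    low = password.lower()
    for i in range(len(low) - 3):
        steps = {ord(low[j + 1]) - ord(low[j]) for j in range(i, i + 3)}
        if steps in ({1}, {-1}):
            return True
    return False

def strip_counter(password):
    """Drop trailing digits and symbols so 'Harbour8' and 'Harbour9!' compare equal."""
    return re.sub(r"[\d\W_]+$", "", password).lower()

def check_password(new, old="", personal=()):
    """Return the list of policy violations; an empty list means the password passes.

    old is the password being replaced, which the user supplies at change time;
    personal holds strings such as a name, birth year or favourite team.
    """
    low = new.lower()
    problems = []
    if length_tier(new) == "bad":
        problems.append("too short")
    if any(word in low for word in COMMON_WORDS):
        problems.append("common word")
    if has_simple_pattern(new):
        problems.append("simple pattern")
    if any(len(p) >= 3 and p.lower() in low for p in personal):
        problems.append("personal data")
    base = strip_counter(new)
    if old and base and base == strip_counter(old):
        problems.append("enumeration of old password")
    return problems
```

The enumeration check compares against the old password the user types during the change, so no plaintext history needs to be stored.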

These are just three attacks to be mindful of. There are plenty of others. However, if companies are vigilant and on top of trends, they can go a long way to protecting themselves and their customers’ sensitive information.
