
Cybersecurity Awareness

Ideally, we should all know this stuff by heart, but as you know, that’s just not the case. It’s far from it. Cybersecurity awareness is an expression that probably bores people to death when they hear it – and rightly so! We are the ones who gave it a bad name, by running weird and unnatural tests on our users, usually to please auditors, upper management or the C-level.

This notorious term usually means your organization has provided you with a bunch of videos to watch that you, as, let’s say, someone from sales or accounting, won’t care much about nor fully understand.

The same goes for the phishing campaigns companies run internally. They can actually work against you: users can adopt the attitude of “everything’s suspicious, I am not going to click on or reply to any email before forwarding it to the cybersecurity team”. That is better than clicking on stuff blindly, but it can easily saturate your team’s capacity to investigate, leading to much slower resolutions and other issues. This is one of the more benign examples, but it’s still quite real. And if your SOC team is checking every email, they might miss a much more important event.

Obviously, social engineering is an extremely tough thing to crack and control, especially since email is also hard to defend appropriately (not to mention that there’s almost no real solution for detecting a fraudulent email that comes from a compromised internal mailbox), and it is the crux of the whole issue. As with all things, you need to strike some balance here.

Educate your users, of course – I still feel this is one of the (if not the) most important things – but also set aside some time to understand their context, and thus their ‘answers’, if you’ve just run a phishing campaign. There’s usually a reason behind every one of those user actions, and ideally you will come to understand your users and why they do such things.

To conclude, I still feel that education on cyber awareness is paramount, but if you’re going to do it blindly, with out-of-context surveys, random videos, and phishing campaigns (graded on who passed, just to impress upper management) – I dare say it’s better not to do it at all!

With that out of the way, let me try and connect some dots, and talk about the most common things an organization might experience, regardless of its size or maturity.

Common Attacks

For this article, I opted to talk about social engineering (phishing), malware and ransomware, as well as passwords and authentication. In the second, upcoming part of this article I will talk more about MFA, backups, patches, and other things you can do to stay safer and practice better cyber hygiene.

Social Engineering

Social engineering, sometimes known as people hacking, is a term used to describe a cyber attack that targets a human rather than a computer or electronic device.

No need to brute force and waste your CPU/GPU, when you can ask nicely, right?

All jokes aside, these social engineering attacks can be extremely complex, and quite devastating to the victim as well. They are usually layered and can escalate quite a bit. Imagine an attacker taking some of your publicly available information and using it to obtain more information about your phone, email or ISP accounts.

With these steps, they can eventually escalate to something like your bank account! Check this video out, as it is a prime example of how attackers can obtain your information.

Social engineering is a huge topic! And I mean huge. It also doesn’t necessarily entail human interaction. The most notorious examples are the ‘lost’ USB stick an attacker drops in a parking lot in the hope that an employee plugs it into a company computer, and the charging cable left plugged in in a very public place. Like the lost USB stick, the cable most likely carries keylogging software or another tool to help the attacker gain control of your device.

Social Engineering: Phishing

Phishing is, as we all know, one of the most common attacks out there, used by many different types of threat actors, from scammers to more advanced groups. It is usually stage zero of an attack: this vector is used to gain access to your org’s infrastructure before moving laterally, escalating privileges, dropping payloads, or anything else.

It is a ‘subgroup’ of the social engineering class of attacks and, as the name implies, is directed against humans instead of computers.

When we say phishing we usually mean email, but phishing can also be done through voice calls (aka vishing) or through SMS (aka smishing).

These are particularly dangerous since threat actors use these tactics on an enormous scale, usually leveraging leaked or stolen phone numbers and email addresses.

I’ve already talked about the most common ways phishing tries to get us to act – e.g., urgency and calls to action, basically anything that makes you act quickly without much contemplation.

There are also three main forms in which we can see phishing:

  • Spearphishing – More targeted than general phishing, spearphishing usually aims at an individual or a group. These campaigns are usually more carefully crafted than the messages and bad sites you see with general phishing, since they are built to target a specific group, oftentimes as part of a much larger campaign against that group.
  • Whaling – More targeted than spearphishing, whaling refers to targeting high-value individuals – think C-level execs. These messages tend to be the most sophisticated as well, and thus much harder to notice.
  • Phishing – There’s no personal or individual component here; these attacks are usually larger in scale and simpler, and are generally much easier to spot since the messages are usually not that carefully crafted, and the malicious sites they refer you to will mostly contain some obvious red flags signalling that it’s time to get the hell out.

Individually, you might encounter general phishing attacks, but if you work at a high level in a big company that’s an interesting target, your business email might be of particular interest to threat actors, making you a prime target for the more sophisticated attacks such as whaling and spearphishing.

Good/best practices Recap

I already talked about this extensively, but there’s never enough awareness when it comes to phishing, if you ask me, so let me add these here as well:

  • Untrusted email? Delete it without opening it, or even better, if you have a cybersec team at your company, forward it to them. You can also report it as spam to your email provider.
  • Never open attachments from untrusted sources, and not even from a legitimate contact if the content or message wasn’t expected by you.
  • Do not click on embedded links in emails – if possible, go to that site through your browser (no clicks in your email client!) and look at the content there.
  • Check for misspellings in domain names, etc.
  • Try not to share your personal information publicly. Segment your stuff. If necessary, create another email address, or even use ‘burner’ email addresses for a specific purpose before discarding them.
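The “check the domain name” tip is the one that is easiest to automate, so here is an added Python example (not code from the original article) that a help desk or SOC could run over reported senders and links. It takes a bare domain, an email address or a URL, reduces it to its registered domain, and reports whether it is trusted, a trusted brand embedded in an unrelated domain, a confusable-character substitution such as paypa1 or exarnple, or a name one or two edits away from a trusted brand. The TRUSTED_DOMAINS allowlist, the CONFUSABLES table, the MAX_EDITS threshold and the sample inputs are all constructed assumptions, and the two-label registered-domain logic deliberately ignores multi-part public suffixes such as co.uk.

```python
"""Lookalike-domain checker for triaging sender addresses and links.

Added example; not code from the original article. The allowlist, the
confusable-character table and the sample inputs are constructed assumptions.
"""
from urllib.parse import urlparse

# Constructed allowlist: domains the organisation genuinely uses.
TRUSTED_DOMAINS = {"example.com", "mail.example.com", "paypal.com"}

# Visually confusable sequences mapped to the character they imitate.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Names within this many edits of a trusted brand are reported as typosquats.
MAX_EDITS = 2


def normalize(label: str) -> str:
    """Collapse confusable sequences so 'paypa1' / 'exarnple' compare as 'paypal' / 'example'."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_from(value: str) -> str:
    """Accept a bare domain, an e-mail address or a URL and return its host."""
    value = value.strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    if "@" in value:
        return value.rsplit("@", 1)[1]
    return value


def registered_domain(host: str) -> str:
    """Last two labels, e.g. 'login.paypal.com' -> 'paypal.com'.

    Simplification: multi-part public suffixes such as 'co.uk' are not handled.
    """
    return ".".join(host.strip(".").split(".")[-2:])


def classify(value: str) -> str:
    """Return 'trusted', 'unknown' or a 'lookalike-*' verdict for a sender or link."""
    host = host_from(value)
    reg = registered_domain(host)
    trusted_regs = {registered_domain(t) for t in TRUSTED_DOMAINS}
    if reg in trusted_regs:
        return "trusted"
    brands = {r.split(".")[0] for r in trusted_regs}
    # 1. Trusted brand used as a label of an unrelated domain: paypal.com.login-secure.net
    if any(brand in label for brand in brands for label in host.split(".")):
        return "lookalike-embedded"
    candidate = reg.split(".")[0]
    # 2. Character substitution: paypa1.com, exarnple.com
    if normalize(candidate) in {normalize(b) for b in brands}:
        return "lookalike-confusable"
    # 3. A couple of typos away: exampel.com, paypla.com
    if any(levenshtein(candidate, b) <= MAX_EDITS for b in brands):
        return "lookalike-typo"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs of the kind seen in a phishing triage queue.
    for sample in ("alerts@paypal.com", "https://paypa1.com/login",
                   "https://paypal.com.login-secure.net/verify",
                   "it-support@exarnple.com", "https://exampel.com/reset",
                   "news@github.com"):
        print(f"{sample:45} -> {classify(sample)}")
```

Anything other than “trusted” is a reason to hand the message to the security team rather than a verdict that the message is safe: an “unknown” domain is simply one the allowlist has never seen, and the brand-embedding rule will also catch harmless fan sites, which is the right trade-off for a triage queue.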

Also remember that any one of us can fall prey to phishing. If this happens to you, change any passwords tied to the breach (if you reuse the same password in multiple places – ouch, please don’t do this – change all instances of the compromised password). Report it immediately to the IT/cybersec team if it happens on your work email.

Malware

It doesn’t matter that our AV solutions are getting better and better, scanning against large databases of malicious hashes and signatures: malware is still a big threat, and it is constantly being worked on and developed.

Malware, or malicious software, is any piece of software designed with the intent to do malicious things to your system. There are many different types of malware, and I will look into them in the future, but for now I will just focus a bit on one of the most infamous types, one we have all heard talked about a lot in the past couple of years – ransomware.

Ransomware

Ransomware is a special type of malware that infects systems and encrypts their data so that it can be held for ransom, hence the name. In theory, if the victim pays the ransom, the data is returned to its owner. However, most security experts would advise you not to pay the ransom but rather to have DLP policies and good backups so you can recover from the attack.

Even if the data is returned, there’s no guarantee it wasn’t leaked first. Payment is usually demanded in cryptocurrency (such as Bitcoin).

Ransomware spreads by exploiting vulnerabilities in software (think MS Office, Windows, etc.) and can spread quite fast. The idea is to infect as many systems as possible so they are rendered inaccessible, and then ask for a ransom – you pay the attackers for the key to decrypt the data.

Once the malware completes its encryption, there’s usually a window displaying the message with the conditions.

Wannacry Ransomware window – Instructions on paying the ransom

Tips on how to protect yourself

Generally, it’s best to combine good awareness with up-to-date, patched systems. This is especially important for OSes!

  • Update your OS and other software regularly.
  • Don’t open suspicious emails or click on suspicious links. Don’t open unexpected attachments. This is similar to the phishing best practices.
  • Back up your important data and store it somewhere safe and out of reach.
  • Keep your AV solution up to date.
  • Never plug unknown USB sticks and other media (cables too) into computers that you care about or that are important!

Lastly, don’t pay the ransom! Rather, have a strategy in place in case this happens, and contact the authorities. Try to contain the infection as well, by disconnecting network gear if and where needed. However, keep in mind that you might not want to power off the infected device, since this can backfire and leave you with no option to decrypt the data without paying the ransom.
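Containment only works if someone notices the encryption while it is still running, and the one behaviour every ransomware family shares is a burst of files being rewritten or renamed to an unfamiliar extension by a single process, often followed by a ransom-note file. As an added example that is not part of the original article, the Python script below runs that heuristic over a constructed file-activity log: it raises one alert when a process renames five or more files to an extension outside the everyday set within a minute, and another when a file whose name hints at a ransom note is written. The log format, every line in SAMPLE_LOG, COMMON_EXTENSIONS, the window and threshold, and NOTE_KEYWORDS are constructed assumptions; a real deployment would feed the function from an EDR, Sysmon or auditd pipeline.

```python
"""Bulk-rename heuristic for spotting ransomware-style encryption in file-activity logs.

Added example; not part of the original article. The log format, the sample
lines, the thresholds and the keyword list are constructed assumptions.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions a normal workflow routinely produces; renaming *to* anything else is counted.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv",
                     ".jpg", ".png", ".zip", ".tmp", ".bak"}
WINDOW = timedelta(seconds=60)   # sliding window, tracked per process
RENAME_THRESHOLD = 5             # suspicious renames inside WINDOW that raise an alert
NOTE_KEYWORDS = ("decrypt", "restore", "recover", "readme")  # ransom-note naming hints

# Constructed log: "<ISO timestamp> <process> <WRITE|RENAME> <path> [<new path>]".
SAMPLE_LOG = """\
2024-03-01T09:00:01 winword.exe WRITE /home/alice/docs/report.docx
2024-03-01T09:00:07 winword.exe RENAME /home/alice/docs/~tmp1.tmp /home/alice/docs/report.docx
2024-03-01T09:02:10 updater.exe RENAME /home/alice/docs/report.docx /home/alice/docs/report.docx.lckd
2024-03-01T09:02:11 updater.exe RENAME /home/alice/docs/budget.xlsx /home/alice/docs/budget.xlsx.lckd
2024-03-01T09:02:11 updater.exe RENAME /home/alice/docs/notes.txt /home/alice/docs/notes.txt.lckd
2024-03-01T09:02:12 updater.exe RENAME /home/alice/pics/cat.jpg /home/alice/pics/cat.jpg.lckd
2024-03-01T09:02:13 updater.exe RENAME /home/alice/pics/dog.png /home/alice/pics/dog.png.lckd
2024-03-01T09:02:14 updater.exe WRITE /home/alice/docs/HOW_TO_DECRYPT.txt
2024-03-01T09:05:00 backup.sh RENAME /home/alice/docs/todo.txt /home/alice/docs/todo.txt.bak
"""


def parse(line: str):
    """Split one log line into (timestamp, process, action, [paths])."""
    ts, proc, action, *paths = line.split()
    return datetime.fromisoformat(ts), proc, action, paths


def suspicious_rename(old: str, new: str) -> bool:
    """True when the rename swaps the extension for one outside the everyday set."""
    old_ext = os.path.splitext(old)[1].lower()
    new_ext = os.path.splitext(new)[1].lower()
    return new_ext != old_ext and new_ext not in COMMON_EXTENSIONS


def looks_like_ransom_note(path: str) -> bool:
    """True when the file name contains one of the ransom-note keywords."""
    name = os.path.basename(path).lower()
    return any(keyword in name for keyword in NOTE_KEYWORDS)


def detect(log_text: str) -> list:
    """Return alert dicts, in log order, for bulk renames and ransom-note drops."""
    alerts = []
    recent = defaultdict(deque)   # process -> timestamps of its recent suspicious renames
    already_alerted = set()       # one bulk-rename alert per process, not one per file
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, action, paths = parse(line)
        if action == "RENAME" and suspicious_rename(paths[0], paths[1]):
            window = recent[proc]
            window.append(ts)
            while ts - window[0] > WINDOW:   # drop renames older than the window
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and proc not in already_alerted:
                already_alerted.add(proc)
                alerts.append({"rule": "bulk-rename", "process": proc,
                               "count": len(window), "first_seen": window[0].isoformat()})
        elif action == "WRITE" and looks_like_ransom_note(paths[0]):
            alerts.append({"rule": "ransom-note", "process": proc, "path": paths[0]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, winword.exe renaming a temporary file back to .docx and backup.sh producing .bak files both pass silently, while updater.exe trips the bulk-rename rule on its fifth .lckd rename three seconds after the first, and the HOW_TO_DECRYPT.txt write is reported separately. The point of the per-process window is that it catches the encryption behaviour regardless of which extension or ransom-note name a given family uses, which is exactly the information you need to decide which machine to pull off the network.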

Conclusion

There’s much more that threat actors use, and there are many other types of malware out there. In time, I hope to cover most of them, but until then just keep in mind that you don’t necessarily need to be a tech expert or an infosec pro to stay safe online. Most of what I outlined in this and previous articles pertains to best practices, i.e., adopting good habits. This is something anybody can do, and it is for sure something that pays off.

Until next time!

Cover image by Michael Geiger

#cyberawareness #malware #phishing #common-attacks #ransomware

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
