Something I’ve found in a number of my clients that have had cyber security incidents is that the blanket phrase “we got hacked” gets thrown around a lot. Much like the word “breach” is dangerous to use prematurely, “hacked” also carries a number of connotations. In some cases, I find that the phrase is used to abdicate responsibility by making it appear that nothing could have been done to avoid the hack – which is often not the case. Business leaders need to know the difference between the types of threats out there in order to respond effectively, both in containing the attack and in being accountable afterwards. In this post I will go through some common attacks, as well as some uncommon ones whose names get thrown around incorrectly.
Botnet
While not an attack in itself, but rather a means to perpetrate one, a botnet is a collection of computers or devices that operate in unison in order to attack a target. We’ve heard about computer worms, where a program can install itself on a computer and then replicate itself to other computers. A botnet is the next iteration of that, where these replicated worms can be used to act in unison against something, controlled by a well-hidden master somewhere on the net. Often, IoT devices become “infected” due to weak security measures – we saw this in action a few years ago when the Mirai botnet brought the internet to its knees.
Distributed Denial-of-Service (DDoS)
A natural next step from describing a botnet is Distributed Denial-of-Service. A DDoS attack is one where a botnet or similar group of machines overloads a single server or network with spurious or malformed network traffic. When this wave of traffic hits a server, it tries to respond to everything, effectively putting legitimate users in a queue that can ultimately grow so large that services stop functioning. We’ve seen a number of these attacks in recent weeks on South African internet service providers, with multiple providers experiencing outages in the country.
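To make the botnet/DDoS distinction concrete from the defender's side, here is an added example (not code from the original post) that buckets constructed web-server log lines into one-second windows and labels each window. A flood from one address stands out by itself and can be blocked per address; a botnet-driven flood keeps every bot under the per-address limit, so only the aggregate count is abnormal. The log lines, addresses (RFC 5737 documentation ranges), timestamps and thresholds are all assumptions chosen for illustration.

```python
# Added example (not part of the original post): a per-second volumetric
# check over constructed, Apache-style access log lines that tells a flood
# from one source apart from a distributed one. The addresses, timestamps
# and thresholds are assumptions chosen for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: client address, identity, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def bucket_by_second(lines):
    """Group requests into one-second windows, counting requests per client address."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ip, ts = parsed
        buckets[ts.replace(microsecond=0)][ip] += 1
    return buckets


def classify_windows(lines, per_ip_limit=20, total_limit=100):
    """Label each one-second window.

    A single address over per_ip_limit is a classic single-source flood and can
    be blocked by address. A window over total_limit where no single address
    stands out is what a botnet-driven DDoS looks like: every bot stays under
    the per-address radar and only the aggregate is abnormal.
    """
    findings = {}
    for second, counter in sorted(bucket_by_second(lines).items()):
        total = sum(counter.values())
        top_ip, top_count = counter.most_common(1)[0]
        if top_count > per_ip_limit:
            verdict = "single-source flood"
        elif total > total_limit:
            verdict = "distributed flood"
        else:
            verdict = "normal"
        findings[second.isoformat()] = {
            "verdict": verdict,
            "total": total,
            "distinct_ips": len(counter),
            "top_ip": top_ip,
        }
    return findings


def make_line(ip, ts, path="/"):
    """Build one constructed log line in Common Log Format."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


def constructed_log():
    """Three seconds of constructed traffic using documentation (RFC 5737) address ranges."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    lines = []
    # Second 1: ordinary traffic, a handful of requests from three clients.
    for i in range(5):
        lines.append(make_line(f"198.51.100.{i % 3 + 1}", base))
    # Second 2: one noisy client sends 50 requests (simple denial of service).
    for _ in range(50):
        lines.append(make_line("203.0.113.7", base + timedelta(seconds=1)))
    # Second 3: 150 different clients send one request each (distributed).
    for i in range(150):
        lines.append(make_line(f"192.0.2.{i + 1}", base + timedelta(seconds=2)))
    return lines


if __name__ == "__main__":
    for window, info in classify_windows(constructed_log()).items():
        print(window, info)
```

Running it prints one line per window: the first is normal, the second is flagged by the per-address limit, and the third is flagged only by the aggregate limit even though no single client is noisy. That third case is why blocking individual addresses is not enough against a botnet and why upstream filtering or provider-side scrubbing is the usual mitigation.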
Phishing
Possibly the most common issue I see in companies, phishing involves sending malicious emails that look legitimate enough to trick people into entering their credentials or personal details into a fake site. Defending against phishing requires that all staff know how to spot a fake email and stay vigilant so as not to fall for these tricks! Phishing attacks can be catastrophic for a company should a user with sensitive information or administrative access be compromised. One of the best “quick wins” for avoiding a phishing attack is to enable multi-factor authentication on all your accounts, where you are texted a code on login (or some similar method).
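The "looks legitimate enough" part usually comes down to a link whose domain resembles a real one. As an added example (not the author's code), the script below scans an email body for links and flags the three common lookalike tricks: a digit swapped for a letter, a trusted name used as a subdomain of an unrelated domain, and a spelling one or two characters off. The trusted-domain list, the homoglyph table and the sample message are assumptions made for illustration; the registrable-domain helper is deliberately naive and real code should use the Public Suffix List.

```python
# Added example (not from the original post): a defender-side check that
# flags links in an email body whose domain merely resembles one the
# organisation trusts. The trusted list, the sample email and the
# homoglyph table are assumptions made for illustration.
import re
from urllib.parse import urlsplit

# Assumed list of domains the organisation expects to see links to.
TRUSTED_DOMAINS = ("example-bank.com", "paypal.com")

# Characters attackers commonly swap for visually similar ones (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name):
    """Undo common character substitutions so 'paypa1' compares as 'paypal'."""
    for glyph, real in HOMOGLYPHS.items():
        name = name.replace(glyph, real)
    return name


def registrable_domain(host):
    """Last two labels of the host name.

    Simplification: real code should consult the Public Suffix List so that
    names like example.co.uk are handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def assess_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, registrable_domain) for one URL."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted", reg
    for name in trusted:
        # A trusted name used as a subdomain of some other domain.
        if host.startswith(name + ".") or ("." + name + ".") in host:
            return "lookalike: trusted name as subdomain", reg
        # Same name once digit-for-letter swaps are undone.
        if normalise(reg) == name:
            return "lookalike: homoglyph", reg
        # One or two characters away from a trusted name.
        if levenshtein(reg, name) <= 2:
            return "lookalike: near-miss spelling", reg
    return "unknown", reg


def scan_email(body, trusted=TRUSTED_DOMAINS):
    """Assess every link found in an email body; returns a list of (url, verdict)."""
    return [(url, assess_link(url, trusted)[0]) for url in URL_RE.findall(body)]


# Constructed sample message (not a real email).
SAMPLE_EMAIL = """Dear customer,
Your account has been limited. Please confirm your details at
https://paypa1.com/login within 24 hours, or visit our help centre at
https://www.paypal.com/help for more information."""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:40s} {url}")
```

The sample message mixes one genuine link with one lookalike, which is typical: the real link lends credibility while the fake one collects the credentials. A check like this belongs in mail filtering and in awareness training, but it is a complement to multi-factor authentication, not a substitute, since a sufficiently novel lookalike will get past any list.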
Ransomware
Ransomware is particularly vicious in that it installs itself on a computer or network and then encrypts everything. Once encrypted, you need to pay a ransom in order to get access to your data again, and even then this is not guaranteed. This kind of attack can be absolutely crippling, and can even shut your business down. The complexity of ransomware is also not to be scoffed at – in days gone by it would be fine to just clean the ransomware off the network, restore a backup and carry on as usual, but nowadays these ransomware attacks can hit your backups first, encrypting them before you realise you are under attack so that a restore isn’t possible. For this reason it is important to have separated, off-site backups of your systems.
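The point about backups being encrypted before anyone notices is worth seeing in data. The added example below (not code from the original post) compares successive backup snapshots and flags files that have turned into high-entropy noise or been replaced by a renamed copy, then picks the newest snapshot taken before that happened. The file contents and snapshot names are constructed; a real run would read them from the backup store. It also shows the limitation: a file that was already high-entropy (a zip archive) encrypted in place does not change its entropy, so this check alone will miss it.

```python
# Added example (not from the original post): spot encrypted files across
# backup snapshots by comparing byte entropy and file names, and choose the
# most recent snapshot taken before the encryption started. All file contents
# and snapshot labels below are constructed for illustration.
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte; ~8.0 for encrypted or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pseudo_random_bytes(n, seed):
    """Deterministic stand-in for ciphertext (SHA-256 chain), so results are reproducible."""
    out = bytearray()
    block = seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def compare_snapshots(previous, current, jump=2.0):
    """Return {path: reason} for files that look encrypted since `previous`.

    Two signals: the entropy of a file that kept its name rose sharply, or a
    file vanished and a copy with an extra extension appeared in its place.
    """
    findings = {}
    for path, data in current.items():
        if path in previous:
            delta = shannon_entropy(data) - shannon_entropy(previous[path])
            if delta > jump:
                findings[path] = f"entropy rose by {delta:.1f} bits/byte"
    for path in previous:
        if path not in current:
            renamed = [p for p in current if p.startswith(path + ".")]
            if renamed:
                findings[path] = f"replaced by {renamed[0]}"
    return findings


def latest_clean_snapshot(snapshots):
    """Given (label, files) pairs oldest first, return the label of the last
    snapshot taken before encryption was first detected."""
    for i in range(1, len(snapshots)):
        if compare_snapshots(snapshots[i - 1][1], snapshots[i][1]):
            return snapshots[i - 1][0]
    return snapshots[-1][0]


# Constructed file contents: ordinary text, plus an archive that is legitimately high-entropy.
REPORT = b"Quarterly revenue report\nRegion,Revenue\nNorth,1200\nSouth,980\n" * 40
TODO = b"Call supplier about invoice 42\nRenew domain\n" * 50
ARCHIVE = pseudo_random_bytes(4096, "legitimate-zip")

DAY1 = {"reports/q1.csv": REPORT, "notes/todo.txt": TODO, "photos/site.zip": ARCHIVE}
DAY2 = {"reports/q1.csv": REPORT + b"West,1100\n", "notes/todo.txt": TODO, "photos/site.zip": ARCHIVE}
# Day 3: the CSV was encrypted and renamed, the text file encrypted in place,
# and the archive encrypted in place (indistinguishable by entropy alone).
DAY3 = {
    "reports/q1.csv.locked": pseudo_random_bytes(len(REPORT), "encrypted-csv"),
    "notes/todo.txt": pseudo_random_bytes(len(TODO), "encrypted-todo"),
    "photos/site.zip": pseudo_random_bytes(4096, "encrypted-zip"),
}
SNAPSHOTS = [("day1", DAY1), ("day2", DAY2), ("day3", DAY3)]

if __name__ == "__main__":
    for label, reason in compare_snapshots(DAY2, DAY3).items():
        print(f"{label}: {reason}")
    print("restore from:", latest_clean_snapshot(SNAPSHOTS))
```

Two practical consequences follow from this. Keeping several dated snapshots is what makes "restore from day2" possible at all; a single rolling backup would have been overwritten with ciphertext. And because the snapshot store has to be readable by this check but not writable by whatever encrypted day 3, the separated, off-site copy the post recommends is also the one this comparison should run against.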
Man-in-the-Middle
Man-in-the-Middle refers to an attack where someone intercepts your traffic and is able to “eavesdrop” on your network communications. These attacks can take a number of forms, but perhaps the most common is WiFi attacks on public access points (such as at your local coffee shop). If you are not using HTTPS, your traffic (such as your username or password) can be read by an attacker, giving them access to whatever services you are using. I previously wrote an article on protecting yourself on these networks. There are a number of other types of Man-in-the-Middle attack too; however, the above is the most common and easiest to perpetrate.
Zero-Day
Lastly is the concept of a Zero-Day attack – which seems to be a very misunderstood term and is often used incorrectly. I’ve heard people say they’ve been “hacked by a zero day attack” when in fact they were just hit by phishing – two very different scenarios. You see, while phishing is relatively easily avoided, a zero-day attack means that zero days have passed since an exploit was discovered in a piece of software or hardware, and that the manufacturer has not yet had a chance to release an update that fixes it. Because of this, it is incredibly difficult to avoid a zero-day attack; however, in a business sense they are a lot rarer than the attacks above.
I hope this helps clear up some of the differences in the threat landscape. It is important to know that these differences exist, as you will respond differently in each case. Simply saying you were hacked can mean a number of things and could potentially make a mountain out of a molehill, gaining unwanted attention and coverage for something minor.
Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers?