New hacking methods and technology put all of us at increased risk
By: Bill Zoils
I think that most of us have always assumed that our own risks from hacking and cyber attacks were pretty remote because, we tell ourselves, our laptop and our company server are just two of a couple of billion devices in the world, and who would ever bother to attack us?
This is absolutely dead wrong, and I’ll tell you why in just two letters: AI. Artificial intelligence.
The days when a hacker was a person sitting in a basement somewhere far away, scanning your website, figuring out the format of your email addresses, and trying ADMIN and PASSWORD and 12345 as passwords until they got into your system are pretty much – though not entirely – behind us.
From what I’ve read, and from what the people who know these things have told me, what we have to look out for now is hackers who use powerful software to automatically scan thousands of websites, and email systems, and social media accounts to detect lapses in basic security. When those systems find an obvious flaw, they flag your account and alert the hacker that you have left your back door unlocked.
Of course, targeted attacks also still occur regularly, in which a hacker picks the website and systems of what looks like a promising target, and then spends hours looking for flaws and lapses that will let them take over as administrator of the site.
They might be able to break directly into your corporate server. Or they might break into one of your employees’ emails, find a password he used seven months ago for an account to download movies, use the same password to log into your server as that person and… hello ransomware. (A ransomware attack involves a hacker taking control of a company’s or organization’s computer systems, encrypting its data and locking out the legitimate users until a ransom is paid. Increasingly the data is also copied out first, with a threat to publish it if the ransom is not paid, so good backups alone do not end the problem.)
Sometimes the flaws exploited by hackers are in the software itself. This is why it’s important to install software updates promptly, especially ones labelled as security updates: an update is how the vendor fixes a flaw that attackers are often already using. Sometimes the flaw is in how the “back end” of the system is set up – a default or administrator account left enabled, a management interface exposed to the Internet – and it lets hackers gain administrator powers over the whole system. This is why the I.T. people have to stay up to date on threats and follow current security practices.
But sometimes – often – the flaw is just a simple and common mistake or oversight that lets a hacker access data on your device. That may lead to fraud and identity theft or, depending on what information is on your device, even allow the hacker to find a way into the workplace system you log onto.
What are some of those common lapses in security? There are many, and most of them are obvious and common sense, but here are a few that come up again and again.
Passwords. The most obvious problem here, of course, is using a common password. There are lists on the Internet of the 100 most common passwords that people still use, but the attacker’s tools work from lists of many millions of passwords collected from previous breaches, plus rules that try the usual variations of each one.
Another problem is keeping a list of passwords, or mentioning a password in a communication, that can be accessed once a hacker is in through that unlocked back door. Remember that automated tools, AI-assisted or not, can search everything in a mailbox or on a disk for anything that looks like a password or login details, whether it’s in the text of a message or in a file marked Muffin Recipes. Oh, and writing them all backwards? Uh uh. They thought of that – reversing, swapping letters for look-alike digits and symbols, tacking a year or an exclamation mark on the end – and almost every other clever idea that you and I can come up with.
Then there’s using the same password, or simple variations of it, for multiple applications. The bad guys crack one – or simply buy it from the breach of some other site where you used it – and they’ve got them all.
Solution: Use long passwords, 12 characters or more. A mix of upper and lower case letters, numbers and special characters helps, but length matters more than cleverness, and a phrase of several unrelated words is both longer and easier to type than eight characters of line noise. Use a different password for every application. And don’t write them down anywhere – or try to remember them all. Use a reputable password manager, a program that generates random passwords for you and stores them encrypted behind one strong master password. Wherever it’s offered, also turn on two-factor (multi-factor) authentication, so that a stolen password on its own is not enough to get in.
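As an added example (not part of the original post, and not a tool from Penmore), here is a small Python checker that shows why the “clever variations” above don’t help: it reduces a candidate password through the same kinds of rules a cracking tool applies (case, reversal, letter-for-symbol swaps, stripping the year or punctuation people add to the end) and looks the result up in a common-password list. The list here is a constructed handful of entries standing in for the real breach-derived lists of millions, and the 12-character threshold is this example’s own choice, not a figure from the post. The last function generates the kind of random password a password manager would store for you.

```python
import re
import secrets
import string

# Constructed stand-in for the breach-derived lists of millions of passwords
# that cracking tools really use.
COMMON_PASSWORDS = {
    "password", "123456", "12345", "qwerty", "admin", "letmein",
    "welcome", "iloveyou", "dragon", "monkey", "football", "summer",
}

# Letter-for-symbol swaps that every cracking rule set undoes.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def candidate_forms(pw):
    """Return the base words a cracker's mangling rules reduce pw to.

    Covers the rule families the text alludes to: case-folding, writing it
    backwards, leet substitution, and stripping the digits or punctuation
    people add to the front or end.  Combinations are included.
    """
    forms = set()
    for s in (pw, pw[::-1]):            # as typed, and written backwards
        s = s.lower()
        forms.add(s)
        forms.add(s.translate(LEET))
    stripped = set()
    for s in forms:
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # drop leading/trailing junk
        if core:
            stripped.add(core)
    return forms | stripped


def check_password(pw, common=COMMON_PASSWORDS, min_length=12):
    """Report on a password.  'common_variant' is the list entry it reduces
    to under the rules above, or None.  The 12-character minimum is this
    example's own choice."""
    hit = next((f for f in sorted(candidate_forms(pw)) if f in common), None)
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    return {
        "length": len(pw),
        "classes": classes,
        "common_variant": hit,
        "acceptable": hit is None and len(pw) >= min_length,
    }


def generate_password(length=20):
    """A random password from the OS CSPRNG: what a password manager makes
    for you, and why you need one to remember it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["password123", "drowssaP!", "P@ssw0rd", "Summer2022!",
               generate_password()]:
        print(pw, check_password(pw))
```

Run it and “drowssaP!”, “P@ssw0rd” and “Summer2022!” all come back as variants of entries on the list, which is exactly what a cracking tool sees; only the generated password passes.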
Sharing secure information. Sending someone at work your user name and password so they can do some work at your desk. Or sending someone your credit card number and the code on the back of the card so they can buy something online. Sending banking information for any reason. Or sending your cousin, who’s organizing a family trip to a destination wedding, a picture of your driver’s licence and the information page from your passport so they can buy the tickets. Once the hackers are into your email – or the email of the person you’re sending information to – it’s game over.
Solution: Don’t send anyone – anyone – confidential information like this for any reason. Ever. (And if you have a photo of your passport information in your pictures file, delete it now, then empty your trash folder, and check that it isn’t also sitting in a cloud photo backup or in the sent folder of your email.)
Phishing. We all get multiple phishing messages – emails that look like they’re from legitimate senders, but are actually trying to trick you into giving them information. Some of them are crude and obvious, with misspellings and odd characters designed to get past the spam filter in your email system. Others are more clever – they’ll look like they’re from, say, a major online retailer, complete with logo, and tell you there’s a problem with your payment, or that they need you to confirm information for delivery, or that you’ve won a lucky draw. The link in the message leads to a look-alike login or payment page that captures whatever you type. The beauty of the scam, from the hacker’s point of view, is that if they send that message to a million random people, a few thousand of them will, in fact, have placed an order with that major online retailer and will, in fact, be expecting a package. They could easily fall into the trap.
Solution: There’s really only one reliable way to be safe from phishing scams. Do not respond to any out-of-the-blue message from anyone that requests action or information from you. And don’t ever click on links in suspicious emails – the text of a link can say anything; the address it actually opens is what matters, and you can see it by hovering over the link without clicking. Even if it looks like it’s from a friend or a local business you trust – hackers can take over that person’s mailbox and then email everyone in his contact list. If you’re worried that your bank might really need to talk to you, or there really might be a problem with an online order, or whatever, delete the email anyway, and then sign in to your account with the bank or retailer – by typing the address yourself or using your own bookmark, never through the link – to see if there is a genuine notification there.
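As an added example (not from the original post or from Penmore), the following Python script does the one mechanical check the advice above implies: it pulls every link out of a phishing-style email and compares where the link says it goes with where it actually goes. The sample message, its addresses and the “trusted domain” are all constructed for this example; the domain comparison is deliberately crude (last two labels of the hostname) and would need a public-suffix list to be exact.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the body of a fake "problem with your order" e-mail.
# Every address in it is invented for this example.
SAMPLE_EMAIL_HTML = """
<p>There is a problem with your order. Please
<a href="http://megashop-account-verify.example.net/login">update your payment details</a>
or visit <a href="https://203.0.113.7/secure">https://www.megashop.example</a>.
Read our <a href="https://www.megashop.example/help">help pages</a>.</p>
"""

# The site the reader genuinely expects this sender to link to (assumed for
# the example; in practice, the retailer's real domain).
TRUSTED_DOMAINS = {"megashop.example"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude reduction of a hostname to its 'site' (last two labels).

    A real implementation would consult the public-suffix list so that
    e.g. shop.co.uk is handled correctly; this is enough for the example.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, reasons)] for every link a reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if is_ip_address(host):
            reasons.append("link points at a bare IP address")
        elif any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("internationalised (punycode) hostname, possible look-alike")
        if registrable(host) not in trusted:
            reasons.append("real target %s is not a trusted domain" % (host or "?"))
        # Visible text shows one site while the href goes somewhere else:
        # the classic bait the text describes.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append("displayed address %s differs from real target" % shown.group(1))
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, why in audit_links(SAMPLE_EMAIL_HTML):
        print("DO NOT CLICK:", href, "->", why)
```

On the sample message the first two links are flagged (a look-alike domain, and a link whose visible text says the retailer’s site but which really opens a bare IP address) and the genuine help-pages link passes. Hovering over a link in your mail client shows you the same `href` this script reads.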
Insecure networks. If you sign on to your company’s internal network to access your email, or work collaboratively or join a meeting from an Internet hotspot at a coffee shop or hotel or train station waiting room, you’re exposing yourself and your company network to two big risks. The first is that the hotspot has been compromised by some bad actor, who can now see everything you send: properly encrypted connections (the padlock in the browser) still hide what you type, but the attacker can see which sites you visit and can try to redirect you to a fake one. The second is that the entire hotspot is nothing more than a trap, designed – not by the hotel or coffee shop – to harvest log-in information from unwary users. A fake hotspot can be set up with a laptop and the same network name as the real one, and your device may join it automatically.
Solution: First, get yourself a VPN – a virtual private network. This is software that encrypts everything between your device and the VPN provider’s server, so anyone running or intercepting the hotspot sees nothing but meaningless gibberish. (It protects the connection, not you: a VPN will happily carry your password to a phishing site.) Second, if you have to work away from your secure work network, or your password-protected home connection – you have a strong Wi-Fi password on your home connection, and you changed the router’s default administrator password, right? – you should consider keeping sensitive data off your travel computer altogether. Yes – a stripped-down travel laptop with nothing on it, except maybe the protected logins for meetings, is a pretty good idea if you’re, say, the CFO for your organization.
Loss of devices: If you travel a good deal, and if you’ve been to some of the world’s big airports, you have undoubtedly walked beside, and even sat beside, people whose sole purpose for being at the airport is to steal laptops and cell phones and whatever else is light, portable and momentarily out of your sight. And, of course, anyone can leave his or her bag in a taxi.
Solution: First, don’t let your devices out of your sight or, better yet, out of your hand. Second, make sure you have a secure login and strong password to access your computer, and turn on full-disk encryption (BitLocker on Windows, FileVault on a Mac; modern phones have it on by default). A login password on its own does not stop a thief who pulls the drive out and reads it in another machine; encryption does. Chances are good that the thieves won’t bother trying to crack a properly protected device – they’ll just wipe the data and sell it. Enable the find-my-device and remote wipe features too. Third, again, don’t travel with sensitive data on a device.
Cyber insurance: Okay, everyone in your workplace knows all this stuff and is very careful about online security. You keep all of your software up to date. Your I.T. people are on the ball and have complete, up-to-date backups of all important data in a secure, off-line facility, and they have actually practised restoring from those backups. You have experts do regular tests and audits of your security.
But still you’re worried. Especially about third-party liability if your system is held for ransom, or all your client data is up for sale on the dark web (the part of the Internet reachable only through anonymizing software such as Tor, where stolen data is bought and sold).
That’s why there is such a thing as cyber liability insurance. It won’t prevent an attack – that’s your job – but it will help you manage the risk and absorb the cost of one. Be aware that insurers increasingly ask about the basics (backups, updates, how logins are protected) before they will write a policy.
Finally, in researching this blog and reading some of the experiences of other organizations, I’m starting to realize that there is a second psychological barrier to cyber security. It’s not just the “it wouldn’t happen to us” assumption. There’s also a feeling that if sophisticated hackers can break into some of the most secure systems in the world – which they regularly do – we don’t stand a chance anyway.
But we’re not dealing with foreign intelligence agencies. We’re dealing with crooks who scan millions and millions of Internet addresses and mailboxes looking for the obvious flaw, the easy mark. All we need to do is to make it hard enough to get into our systems that anyone scanning our emails, or probing every corner of our websites, won’t find any obvious, easy way in.
They’ll probably move on pretty quickly.
Cyber Risks and Liabilities. July/August 2022. Great information from Penmore.
I really appreciate comments, ideas, suggestions or just observations about the blog or any other topics in benefits management. I always look forward to hearing from readers. If there’s anything you want to share, please email me at email@example.com.
© Penmore Callery Group 2022 All rights reserved. All of the content herein is the sole property of the Penmore Callery Group, and may not be reproduced, transmitted, or stored in a retrieval system – in whole or in part – without the written permission of the Penmore Callery Group. Links to the originating article at www.callerygroup.com are permitted.