IT Security

Criminal Hackers - Logging in is easier than hacking the system

07. February 2022, Felix Zech

The steady flow of news about cyberattacks on businesses and other organizations worldwide makes it painfully clear that robust, active and multi-faceted digital security is not just a good idea but an absolute must! Whether it’s Colonial Pipeline in the US in mid-2021, or European retail icons like MediaMarktSaturn Retail Group or IKEA later in the year, large, well-known companies and small businesses alike have been targeted by criminal hackers launching costly and damaging ransomware attacks.

Digital security experts cite a variety of attack methods, though human error – usually someone clicking on an emailed malware link – most often opens the door for criminals. Attackers typically send their potential victims a Word, Excel, PDF or image file that at first appears harmless. Malware is embedded in the file, which is usually activated by the victim through a clicked link or a macro. That’s usually the first step. The actual malware, increasingly ransomware, is loaded in a second step.

The reason for this?

Criminals first use the secret back door installed in the first email to spy on the user’s network access rights. If it’s a user with limited access, an attacker typically sees installing ransomware on their PC as a waste of time. Instead, they use the ability to simply log into that PC to identify other more lucrative targets that the initial user communicates with, often higher-level managers or members of the IT team.

 
Over time, the attackers can draw an increasingly precise picture of people and access rights in the company and “optimize” their attacks in a very targeted manner. High-level targets may then be sized up and manipulated over the course of a few weeks or even months in such a way that at some point, for example, they receive a fake e-mail with ransomware, unsuspectingly open it and spread the attack throughout the company.

Vulnerabilities in software and system configurations

We also shouldn't forget that hackers are always interested in exploiting vulnerabilities in software and system configurations. Criminals try to use the time between when a vulnerability is identified and when a patch or a fix for the gap is issued and installed. For example, IT teams worldwide were very busy before and during the 2021 year-end holidays responding to the Apache Log4J vulnerability. That makes it especially important to have fast and efficient patch management procedures.

What does this mean for the IT teams and SecOps?

No one is immune to human error, but simply surrendering to fate is not a solution either. Rather, it is important to have a comprehensive security strategy in the company that includes:

  • Taking the “human factor” into account, reminding users in their various roles within the company of the continuous challenge of digital security, providing regular and recurrent training, and distributing test emails.
  • Considering technical factors comprehensively, such as:
    • Installation of modern cybersecurity solutions such as firewalls, virus scanners, etc.
    • Active monitoring of all software suppliers for security gaps, patches and hotfixes as part of comprehensive asset management.
    • Solid and sophisticated update management for all applications and systems.
    • A rights management system that only grants access rights as necessary.
    • Efficient and secure management of endpoints across all platforms.
    • Careful configuration of all applications and platforms (an underestimated attack vector, for example, in website development and hosting).
    • Restrictive use of cloud services and shadow IT.
    • Tracking of logins of employees into approved cloud services such as Microsoft 365 based on time and geography, e.g., because a log-out at 6:00 p.m. with an IP address from Germany and a new log-in from America or Asia only an hour or two later can indicate suspicious activity warranting immediate investigation.
    • Consideration of the security measures of partners, customers and suppliers, i.e., supply chain security.
    • Don't forget physical security and isolated backups.
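
The login-tracking check from the list above (a log-out in Germany followed by a log-in from another continent an hour or two later) can be sketched as follows. This is an added example, not code from the article or from Microsoft 365; the `SignIn` record layout, the 900 km/h threshold and the sample events are assumptions, and IP addresses are assumed to be geolocated already.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed threshold, roughly airliner cruising speed

@dataclass
class SignIn:  # hypothetical record: one sign-in with a geolocated source IP
    user: str
    when: datetime  # must be normalised to UTC before comparison
    country: str
    lat: float
    lon: float

def km_between(a: SignIn, b: SignIn) -> float:
    """Great-circle (haversine) distance between two sign-ins in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (user, from, to, km, hours) for country changes faster than max_kmh."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev, last[ev.user] = last.get(ev.user), ev
        if prev is None or prev.country == ev.country:
            continue  # first sighting, or no change of country
        hours = (ev.when - prev.when).total_seconds() / 3600
        dist = km_between(prev, ev)
        # hours == 0 means simultaneous sessions from two countries
        if hours == 0 or dist / hours > max_kmh:
            alerts.append((ev.user, prev.country, ev.country, round(dist), round(hours, 1)))
    return alerts

def utc(day, hour, minute=0):
    return datetime(2022, 2, day, hour, minute, tzinfo=timezone.utc)

# Constructed sample events, not real log data.
SAMPLE = [
    SignIn("alice", utc(7, 17), "DE", 50.11, 8.68),         # Frankfurt
    SignIn("alice", utc(7, 18, 30), "US", 40.71, -74.01),   # New York, 1.5 h later
    SignIn("bob", utc(7, 9), "DE", 48.14, 11.58),           # Munich
    SignIn("bob", utc(7, 14), "AT", 48.21, 16.37),          # Vienna, 5 h later
    SignIn("carol", utc(7, 8), "DE", 52.52, 13.40),         # Berlin
    SignIn("carol", utc(8, 8), "DE", 52.52, 13.40),         # Berlin, next day
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE):
        print(alert)
```

Corporate VPN exits and mobile carrier gateways often geolocate far from the user, so known egress addresses should be excluded before an alert triggers an investigation.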

There are two things to remember above all:

  1. No point may be left out. The security chain is only as strong as its weakest link. Even if you carefully implement all the steps above and leave just one faulty configuration or one unsecured IoT device, the entire system is at risk.
  2. Communicate with and actively engage employees on cybersecurity issues. Employees must first understand that all the measures in place are to protect the company and them. They must also understand that they play an essential role in cybersecurity efforts. Criminals not only attack through technical vulnerabilities but will actively seek the weakest link (people) using a variety of social engineering and other tactics that exploit curiosity or inattention.

Conclusion

Only if the company's security strategy treats both pillars, people and technology, as essential parts of cybersecurity and supports both with quality and care will companies be able to increase their own security over the long term.
