For most internet users, it’s difficult to comprehend the potential cost and the chaos that result from a breach of network security until it’s too late. Although there may be hackers who hack to prove they can (and do little in the way of financial or operational damage), the majority have an underlying motive centered on illegally gaining access to someone else’s assets. Furthermore, on top of the potential for direct financial losses, the victims incur real time and money costs to resolve the underlying cause of the breach and to repair any data that may have been compromised.
Because it’s difficult to comprehend the costs of a breach until one has actually taken place, many internet users fail to take adequate precautions to prevent one. Further contributing to this perverse tendency not to take precautions is the immunity developing toward the frequent headlines that disclose yet another massive data breach. Perhaps unsurprisingly, we may be conveniently concluding “I’m too small and insignificant; why would anyone be coming after me when the big guys are much juicier targets?”
So long as the headlines continue to be about banks, retailers, credit card providers, etc., most of us fail to comprehend the cumulative impact of those breaches, and the underlying profiling of each of us, as individuals, that’s taking place: profiling for the nefarious purpose of trying to steal or extort “small” amounts from each of us and the companies we work for.
Don’t be lulled into a false sense of security by thinking that cyber-criminals targeting large institutions is about them, because it’s not; it’s about you!
Attempting to steal $1,000 from 100,000 individuals adds up to a potential pool of $100,000,000. The cyber-criminals know the risks of being tracked down by 100,000 individuals who each lost $1,000 are far less than the risks of being caught by investigators of a $100 million heist from a single corporation.
In other words, the data breaches at large institutions are not usually about stealing money; they are about stealing snippets of data and then cross-referencing those snippets against a database which already contains other snippets secured from other breaches. In so doing, they build up detailed profiles of hundreds of millions of individuals. These profiles are then leveraged to dupe individuals into disclosing private information that allows the cyber-criminal to achieve their end goal of accessing private accounts to steal or extort money.
You may think the chances of successfully duping 100,000 individuals are slim, but consider this in the context of a database into which a hacker has accumulated 100 million records. Think about 1,000 different “duping” campaigns, each of which is targeted at 100,000 individuals (to help keep each campaign under the radar): it only needs 1/10th of 1% of the audience to be duped to successfully breach 100,000 accounts.
On average, each employee may be subject to as many as 10 cyber-attacks per month. So, a 100-employee company may face as many as 1,000 intrusion attempts every month, and it takes only one careless click for the cyber-criminal to accomplish their goal.
Having built the contact profile, the next step for the cyber-criminal is to try to dupe individuals into unwittingly providing the credentials that enable access to sensitive information. By far the most common way of accomplishing this is through the use of “phishing” or “spoofing”, terms that we’ll explain momentarily.
Nearly 60 million Americans have been affected by identity theft according to a 2018 online survey by Harris Poll, with nearly 15 million of these incidents occurring in 2017 alone.
According to a 2018 study from Juniper Research, cyber criminals stole as many as 18 billion records in 2018 alone, a number that is expected to increase to an annual loss of 33 billion by 2023, of which more than half are expected to take place in the United States. Records stolen include personal information such as name, address, credit card details, social security number, etc. According to The Week, so much information has been stolen by hackers that almost everyone in the United States has been affected by a data breach in some way.
Most small businesses use basic “retail” technology to protect themselves from cyber attacks and spend, on average, less than $500 per year on cyber security.
Because almost everyone in the United States has, at some point, already had their personal information compromised, it’s sensible for every individual to check their email addresses and domains to determine when they were breached, and which breach was responsible for the loss. One simple way to accomplish this is to use the free “Have I Been Pwned” (HIBP) service developed by Troy Hunt, Microsoft Regional Director and Most Valuable Professional awardee for developer security.
Once it’s better understood that the real targets of criminal activity are individuals and the companies they work for, it becomes more relevant for individuals to educate themselves on the most common entry points cyber-criminals use for conducting cyber attacks.
According to Cofense, 91% of cyber attacks start with a phishing email because the criminals know this approach has the potential to bypass typical cyber-security defenses used by individuals and organizations. Having profiled individuals using the means we have already explained, cyber-criminals then have a wide range of “social engineering” techniques at their disposal to dupe the user into clicking on links, opening attachments, or disclosing sensitive information. From impersonating well-known brands, or personal contacts, to creating spoofed websites, or personalizing attacks using other “private” details they have stolen, phishing efforts continue to evolve and become increasingly difficult to differentiate from legitimate communications.
For another educational experience, try this phishing quiz developed by Google to learn how well equipped you are to spot when you’re the target of a phishing attack.
Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. The most common forms of spoofing are applied to email, phone calls, and websites. However, it can also be a more technical attack, such as a computer spoofing an IP address, an Address Resolution Protocol (ARP) entry, or a Domain Name System (DNS) server response.
Spoofing is often used to carry out phishing attacks. For example, in an email-based spoofing attempt, an attacker uses a message to trick a recipient into thinking the email came from a trusted source. Such emails typically include links to malicious websites or attachments infected with malware, or use social engineering to convince the recipient to willingly disclose sensitive information.
Sender information is easy to spoof and is generally done in one of two ways:
- Mimicking a trusted email address or domain by substituting look-alike characters or minimally adjusting the order of characters so that it appears only slightly different from the original.
- Disguising the “from” field to be the exact email address of a known and trusted source.
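As an added example (not part of the original article), here is a small Python check of the kind a mail filter or mailbox rule could apply to flag both spoofing styles listed above: a look-alike domain (character substitution or reordering, detected with a small homoglyph table and an edit-distance threshold, both assumptions) and an exact “From” match on a trusted domain that arrives without a passing SPF/DKIM result in the receiving server’s Authentication-Results header. The trusted-domain list and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains this organisation trusts (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Small table of look-alike substitutions (assumption; real filters use larger ones).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain):
    """Map common look-alike characters back to the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message, max_edits=2):
    """Return 'trusted', 'exact-spoof-suspect', 'lookalike', 'unknown' or 'no-sender'."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "no-sender"
    # Simplified check of the Authentication-Results header (RFC 8601): a real
    # filter would parse it properly and verify the authserv-id is its own.
    auth = msg.get("Authentication-Results", "").lower()
    if domain in TRUSTED_DOMAINS:
        # Exact 'From' spoof: the header claims a trusted domain, so only trust
        # it when the receiving server recorded SPF or DKIM as passing.
        if "spf=pass" in auth or "dkim=pass" in auth:
            return "trusted"
        return "exact-spoof-suspect"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        # Homoglyph swap, a trusted name buried in a longer domain, or a
        # near-miss spelling (transposed or changed characters) all count.
        if norm == trusted or trusted in norm or edit_distance(norm, trusted) <= max_edits:
            return "lookalike"
    return "unknown"
```

The two-edit threshold is a trade-off: raising it catches more misspellings but will also flag unrelated short domains, so tune it against real traffic.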
The vulnerability of systems to malicious cyber activity is often the result of user error, and attacks are almost always initiated by breaking into massive databases for the purpose of mining email addresses, passwords, and other personal details that are then used to target individuals in hundreds of thousands of separate attacks.
For those who attempted the phishing quiz from the link above, it’s probably clear how difficult it is to be ever-vigilant toward the possibility of an attack, and easier to appreciate how vulnerable users are to being duped into inadvertently providing credentials to sensitive information.
To counter some of these threats, users can enter email addresses (and even domains) into the Have I Been Pwned database to learn which of them may have been compromised, then change passwords on compromised accounts and implement other security measures to protect themselves going forward.
By using double authentication (two-factor authentication), where the user name and password credentials alone are insufficient to access secured information until a code, sent by text message to the user’s mobile device, is also entered, the chances of unauthorized access can be significantly reduced.
Unfortunately, given the sophistication of the phishing attacks and the apparent authenticity of clever spoofing, even the most vigilant individuals are vulnerable to being duped, especially when busy and under the pressure of normal day-to-day activities. Increased awareness, additional education, and sensible work practices therefore remain the most effective means of protection. At least, that is, until technology catches up with the criminals and they are forced to move on to other areas of vulnerability.