Every day, it seems that there is a story about an organization that has experienced a data breach. From stealing credit cards to exposing an executive's email, these attacks can be crippling.
But, do you ever wonder how hackers go about executing these intrusions? Many people assume it takes a computer whiz, and sometimes that may be the case—but not always. Many of these hacks don’t require much computer knowledge at all to pull off. In this post, we will cover four tactics hackers use to infiltrate an organization's data.
When it comes to simple hacks, phishing may be the easiest—and most popular. Phishing is when a person acts as a legitimate entity in an attempt to get information from their target.
For example, someone might receive an email saying their password has expired. This email might contain a link leading them to a site which looks like their email settings. It may ask them to enter their username and password, and may even go so far as to send them to a success page.
The user will then go on with their day and have no idea that they were the subject of a hack. These attacks are so easy to pull off that Homeland Security Chief, Jeh Johnson, says it's one of his team’s "biggest threats." He also states, "sophisticated attackers almost always begin with the simple act of spear-phishing." The article provides the Podesta emails as an example since he fell victim to a fake Gmail message.
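A mail filter can catch the "password expired" message described above by comparing where each link really goes with the hosts the organization actually uses. The following is an added example, not code from the original post; the trusted host list, the `example.com` names and the sample message are constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumption: the only hosts this organization uses for mail and account settings.
TRUSTED_HOSTS = {"mail.example.com", "accounts.example.com"}

# Constructed sample message: a fake "password expired" notice.
SAMPLE_EMAIL = """Subject: Your password has expired
Content-Type: text/html

<p>Your password has expired. Update it here:
<a href="https://mail.example.com.account-reset.test/login">mail.example.com/settings</a></p>
<p><a href="https://accounts.example.com/help">Help center</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL or bare 'host/path' string, '' if unparseable."""
    try:
        return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def suspicious_links(raw_email):
    """Return (href, reason) for every link that does not lead to a trusted host."""
    collector = LinkCollector()
    collector.feed(message_from_string(raw_email).get_payload())
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if host in TRUSTED_HOSTS:
            continue
        # Visible text naming a trusted host while the href goes elsewhere is the tell.
        reason = "lookalike" if host_of(text) in TRUSTED_HOSTS else "untrusted"
        findings.append((href, f"{reason}: {host}"))
    return findings
```

Calling `suspicious_links(SAMPLE_EMAIL)` reports only the first link: its visible text names a trusted host, but the real destination merely starts with that name.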
Another way hackers are attempting to infiltrate users is through Apple's apps. Over the past month, many iCloud users have received fake iCal and Photo Sharing requests. These requests are sent to see whether an email account is active or not: even if a person declines an invite, the hacker is alerted to their response and learns that the account is still active. Currently, hackers use these invites to scam a target, but it’s not out of the question that the invites may evolve into a new way to phish people.
Another simple and innocent way a hacker can target your company is through a USB stick. They are generally loaded with a virus that auto runs when plugged in. These attacks can be carried out in a couple of different ways.
For one, a flash drive could be plugged into an unattended computer. Another, and more popular way, involves dropping a USB stick in a company parking lot.
Recently, a researcher from Black Hat USA dropped a total of 297 flash drives in a college parking lot. He found that over half of the people who found drives had plugged them in. Most people responded that they had plugged them in to find out who they belonged to. These drives, which seem innocent, can cause a lot of unexpected damage. For this reason, it is important to ensure employees never plug a random USB drive into their machines.
Like the flash drive-based hack, malware involves software intended to provide access to or damage the intended target. And while many of these flash drives contain malware, we will focus on internet-based programs.
Malware is generally downloaded by an unsuspecting user trying to get a legitimate program. It can also come packaged with popular software, if downloaded from a suspect location. And while firewalls are a great way to combat malware, it is evident that many companies don't use them.
In 2016, many companies have been subject to malware, which compromised their data. For example, both Noodles & Company and Oracle MICROS fell victim to a malware attack. The attacks in question resulted in the compromise of their customers’ credit card information. What makes these types of intrusions shocking is that they can start at one workstation. To avoid these types of attacks, companies should use a firewall and have an up-to-date virus scanner. While these won't stop all malware, they are a step in the right direction and can help thwart many attacks.
While password hacking might be the most simplistic in terms of execution, it is still a popular way to target organizations. Also known as "brute force" attacks, password hacking is an easy and effective way to get access to data.
These intrusions can range from guessing a user password to social engineering (like phishing). And since many people use the same or a similar password for their accounts, finding out one can be a gold mine. This means, if one account gets compromised, a hacker could use that password for others.
To combat this, your security awareness training should teach employees how to create strong passwords, as well as how often to change their passwords. On top of that, if you have employees working remotely, you should institute a system of two-factor authentication. This can make a breach nearly impossible in the event a password gets compromised or the employee’s laptop is stolen.
While it may be impossible to stop hackers, there are many steps that you can take to mitigate risk. Implementing some of the steps we laid out above is a great first start. But, cyber security awareness training is a great solution for further diminishing your risk. It is always better to be proactive rather than reactive when it comes to cybersecurity.