Cyber security series | Part 2

Picture: Roman / Adobe Stock

“Don't let the bad guys win!”

Protecting your business against cyber-attacks is crucial for success in these technology-driven times ‒ and it is important that every single person is aware of that. This article focuses on employees and will teach them how to be more vigilant. It is about knowing the hackers' strategies and current trends, about algorithms that suggest a false sense of reality, and about practical tips for not letting the bad guys win! It is the second part of the cyber security series, based on The Vision Council's webinar series.

The following article gives definitions and statistics and answers the question: What's at stake? It then covers trends in hacking and what every single employee can do to protect the infrastructure.

Definitions

Email phishing: the most common form of phishing. This type of attack uses tactics like phony hyperlinks to lure email recipients into sharing their personal information. Attackers often masquerade as a large account provider like Microsoft or Google, or even as a coworker.

Malware phishing: another prevalent phishing approach. This type of attack involves planting malware disguised as a trustworthy attachment (such as a resume or bank statement) in an email. In some cases, opening a malware attachment can paralyze entire IT systems.

Spear phishing: Where most phishing attacks cast a wide net, spear phishing targets specific individuals by exploiting information gathered through research into their jobs and social lives. These attacks are highly customized, making them particularly effective at bypassing basic cybersecurity.

Whaling: When bad actors target a “big fish” like a business executive or celebrity, it is called whaling.

Smishing: A combination of the words “SMS” and “phishing,” smishing involves sending text messages disguised as trustworthy communications from businesses like Amazon or FedEx.

Vishing: In vishing campaigns, attackers in fraudulent call centers attempt to trick people into providing sensitive information over the phone.

Statistics

The good news first: 84% of US-based organizations have stated that conducting regular security awareness training has helped reduce the rate at which employees fall prey to phishing attacks. Security training and awareness are so important because the cost of a cybersecurity attack can be enormous, even though the sum depends on the scale and impact of the attack. For small businesses, the average cost of a cyber-attack is around $25,612 ‒ and we have seen that on the very low end.

And anyone who thinks “this will not happen to me” should keep the following figures in mind: 8 out of 10 of the most exploited software vulnerabilities in 2019 involved Microsoft products, but the focus is shifting from operating systems to browsers, with vulnerabilities in software like WinRAR and Google Chrome.

It is also true that approximately 45% of all emails are spam and that targeted attacks are increasing with the help of AI, looking for new people, tired employees or something specific.

And finally: each year, 83% of all companies experience a phishing attack. You do not believe that? Then check the Office 365 login attempt logs.

What´s at stake?

The unpleasant truth is that 66% of businesses attacked by hackers were not confident they could recover. One challenge is that the services a business provides, and everything that extends from them, can be negatively affected. As mentioned earlier, the financial loss can be enormous, and huge financial loss is almost always associated with the loss of jobs. The average cost of IT downtime is approximately $5,600 per minute, translating to over $300,000 per hour.

Reputational damage should also not be underestimated. It affects not only the company but also the reputation of individual employees. Sometimes it can even have legal consequences. HIPAA, for example, stands for “Health Insurance Portability and Accountability Act”. This US law is designed to protect health data. It requires companies that work with such protected data to implement and follow certain physical, network and process-related security measures.

And in the end, it is often not just about the company itself: attacks also affect others in the supply chain. But despite all these hard facts, many organizations still do not know what a ransomware recovery would look like or how they would recover. Therefore, we do not know what else is at stake. That is the reason you need a plan! And a lot of security strategies are group culture initiatives.

Trends in Hacking

Yes, you read that right. Trends are everywhere ‒ even among hackers. Here are the most important ones.

Multi-stage phishing attacks: Attackers are increasingly using multi-stage phishing attacks where an initial phishing email is followed by further interactions to build trust and extract more information over time.

Phishing kits and services: The availability of phishing kits and phishing-as-a-service (PhaaS) offerings on the dark web makes it easier for less skilled cybercriminals to launch sophisticated phishing campaigns.

Exploiting current events: One example of that was the worldwide CrowdStrike incident. Many hackers jumped at the chance to take advantage of people with blue-screened computers.

ChatGPT: FraudGPT uses ChatGPT to help non-technical individuals find a way in. If light bulbs are going off in your head about your ex, do not open it. You will get into more trouble by logging in than by causing it (-;

Do not underestimate AI

Using AI itself, like ChatGPT or the hundreds of specific AI tools out there, is a problem because you are recklessly uploading information to it. For example, if I ask it to edit these trade secrets for me into an email to a CEO in a professional tone, that text is now part of the world database, so someone can search for “The Vision Council trade secrets”, or passwords, or mergers, or vulnerabilities, because I wrote a draft for ChatGPT to analyze about a security incident or struggle.

Using AI keyboards on phones and other built-in apps also sends your data, again, to less reputable and sometimes nefarious companies. Also be aware of using your Google ID, Apple ID or Microsoft ID as your login. Some sites will let you create a username and password or use your Google account to log in. Doing so opens your data to that company, and if the company you need to log in to happens to be in a foreign country, know that you are giving them a ton of information for the convenience of logging in. I personally like creating my own login email and password and letting my password app choose the password.

Algorithms – a false sense of reality

Algorithms on social media give you a false sense of reality. If you open a Facebook, Instagram or TikTok video and read the comments, and then send the same video to a friend and let them read the comments, the top comments will be different for you than for him or her, because those comments are selected by algorithms. If I open a video on the latest vaccine for something and run to the comment section for validation, I will see that the top comments favor vaccination. If I send it to a friend who does not trust vaccinations, and THEY go to the comment section, they will find validation in the comments that are fed to them. This drives us all deeper down the Matrix than we would like. And that can be upsetting: you may look at the comments on a post and say “oh, I'm not worried”, while other people who read the comments and see that no one agrees may come away with a different impression.

Estimates say ONE out of TEN random posts could come from a foreign government trying to influence your opinion or make you resent one another. A 2020 study from Carnegie Mellon University found that around 45% of accounts discussing COVID-19 on Twitter, now X, were likely bots, but this includes all bots, not just those from foreign governments. NPR reported that a significant number of anti-vaccine posts were linked to Russian trolls. In my opinion, we have to make sure that we make friends and matches on our own, because our social media feeds will probably mislead us. Why does it matter? Because we fall into patterns of being tricked and letting the bad guys win.

The importance of creating a strong password

A survey by Google in 2019 found that 65% of people reuse passwords across multiple accounts, significantly increasing the risk of hacking if one account is compromised. The same survey found that 1 in 4 Americans use passwords that are considered weak and easily guessable. This is not just a phrase: it is extremely relevant to making sure that hackers do not crack your password within seconds.

If you use a password like your dog's name, or city, or company, or something easily attributed to you …

  1. I can go to ChatGPT and ask it to give me every iteration of that word with special characters and capital and lower-case letters.
  2. I download a free browser plug-in from the Browser Store that attempts to log in and upload all possible passwords to it.
  3. I tell it to use the username FirstName@gmail.com as the login and these passwords, and to try once every minute so as not to trigger the too-many-attempts lockout.
  4. I tell it to email me when it is in. I do this for 10 accounts a day, then refresh my inbox daily and get to work.

If there is one key takeaway from this article, it is the importance of passwords! This is what can happen when you take passwords lightly.

The characteristics of strong passwords are that they have a minimum of 15 characters. A passphrase ‒ consisting of many words and terms ‒ is better than a password. Additionally, the passphrase should be unique per account, and it is safer to use Multi-factor Authentication (MFA). One example of how to create a strong passphrase:

  1. Write down a random common word
  2. Add a second, unrelated word
  3. Capitalize one or two letters in your password
  4. Insert numbers and special characters to break up words and syllables, then add new capitals
  5. Make sure the passphrase is at least 15 characters long
     Example: sweatshirt, sweatshirttree, SweatshirtTree, Sweatshirt#Tr33 (15 characters)
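The five steps above, as an added example written for this article (not code from the article or its author): a checker that applies the article's criteria to each stage of the sweatshirt build-up, and a generator that follows the steps using a cryptographic random source. The word list, the special-character set and the digit swaps are assumptions for the demo.

```python
import secrets

MIN_LENGTH = 15                                   # the article's minimum length
SPECIALS = "!#$%&*+-=?@^_"                         # assumed special-character set
SUBSTITUTIONS = {"e": "3", "a": "4", "o": "0", "i": "1", "s": "5"}  # assumed digit swaps

# Constructed word list for the demo; a real generator would use a large dictionary.
WORDS = ["sweatshirt", "tree", "harbor", "pencil", "glacier", "window",
         "copper", "lantern", "meadow", "saddle", "thunder", "violet"]

def passphrase_report(candidate: str) -> dict:
    """Check a candidate against the article's criteria: at least 15 characters,
    mixed case, and digits plus special characters breaking up the words."""
    return {
        "length_ok": len(candidate) >= MIN_LENGTH,
        "has_upper": any(c.isupper() for c in candidate),
        "has_lower": any(c.islower() for c in candidate),
        "has_digit": any(c.isdigit() for c in candidate),
        "has_special": any(c in SPECIALS for c in candidate),
    }

def is_strong(candidate: str) -> bool:
    return all(passphrase_report(candidate).values())

def first_strong_stage(stages: list) -> int:
    """Index of the first stage of a build-up that passes every check, or -1."""
    return next((i for i, s in enumerate(stages) if is_strong(s)), -1)

def generate_passphrase() -> str:
    """Follow the article's five steps, drawing randomness from secrets (a CSPRNG)
    and retrying until the result reaches MIN_LENGTH."""
    while True:
        first = secrets.choice(WORDS)                                   # step 1
        second = secrets.choice([w for w in WORDS if w != first])       # step 2
        first = first.capitalize()                                      # step 3
        for letter, digit in SUBSTITUTIONS.items():                     # step 4: a digit
            if letter in second:
                second = second.replace(letter, digit, 1)
                break
        letters = [i for i, c in enumerate(second) if c.isalpha()]
        i = secrets.choice(letters)                                     # step 4: new capital
        second = second[:i] + second[i].upper() + second[i + 1:]
        candidate = first + secrets.choice(SPECIALS) + second           # step 4: separator
        if is_strong(candidate):                                        # step 5: length check
            return candidate
```

Running `first_strong_stage` over the article's four stages returns 3, i.e. only the final form, Sweatshirt#Tr33, passes every check.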

What you can do and organizations can do

  • Avoid Pop-Ups, unknown emails, and links. Never click on unexpected links or download attachments from unknown sources.
  • Audio jacking: be aware ‒ this is the unauthorized interception or manipulation of audio signals to eavesdrop or inject malicious content. Audio jacking ruins code words: a person could be in your computer capturing a conversation on Teams or Zoom, replicate the word in the right voice, and with AI know when to answer with the code word when asked a question.
  • Connect to secure Wi-Fi – avoid public Wi-Fi. Instead use your phone as a hotspot or connect to a trusted network or VPN.
  • Juice jacking – avoid using public charging stations to prevent mobile device compromise.
  • USB flash drives – only use trusted flash drives. Unknown drives can carry malware.
  • Verify links – always check if website links look valid before clicking. Hover over links to see the full URL.
  • Check email headers – ensure the sender’s email address matches the company’s official domain.
  • Email purpose – never send sensitive information like passwords or personal details via email.
  • Double-check requests – confirm money transfer requests with alternative communication methods.
  • Update passwords regularly – change default passwords and update them frequently.
  • Use password managers – use tools like 1Password.
  • Protect your devices – do not let others use your computer or mobile devices.
  • Enable Multi-Factor Authentication (MFA)
  • Beware of social engineering – be cautious of unsolicited requests for information or urgent actions.
  • Use the “Email Analysis” tool in Outlook or a similar tool in other clients.
  • Stay informed on scams – keep up to date with the latest scam tactics and cybersecurity news.
  • Stay in touch with The Vision Council: look out for emails, link up with us if you have had or know of an incident so we can share knowledge, and join us in future efforts to create a team to share security knowledge.
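A check that automates two of the tips above, the sender-domain comparison and the “hover over the link” comparison, written as an added example for this article (not a tool from The Vision Council or Dataprise). The official domain, the sample message and the lookalike domains in it are constructed placeholders.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "example.com"   # placeholder for the company's real domain

# Constructed sample message (not a real capture): the display name and the link
# text look official, but the real sender address and link target do not.
SAMPLE = """From: "ap@example.com" <ap@examp1e-billing.com>
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please approve today: <a href="http://examp1e-billing.com/pay">https://portal.example.com/pay</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()

def phishing_findings(raw: str, official: str = OFFICIAL_DOMAIN) -> list:
    """Apply the article's header and link checks to one raw message."""
    msg = email.message_from_string(raw)
    findings = []
    name, sender = parseaddr(msg.get("From", ""))
    if domain_of(sender) != official:                       # header check
        findings.append(f"From address {sender} is not on {official}")
    if "@" in name and domain_of(name) != domain_of(sender):  # lookalike display name
        findings.append(f"display name {name!r} hides the real sender {sender}")
    links = LinkCollector()
    links.feed(msg.get_payload())
    for href, text in links.links:                          # link check ("hover")
        if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
            findings.append(f"link text shows {text} but points to {href}")
    return findings
```

For the sample message the function reports three findings: the sender domain, the display name that shows a different address, and the link whose text does not match its target.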

Nabil Gharbieh. The IT expert Nabil Gharbieh currently leads The Vision Council's webinar series about cyber security strategies. As an Information Technology Advisor at Dataprise, Nabil provides quality management services to clients across various industries and sectors. With over 17 years of experience in IT, he has developed expertise in program management, technical account management, customer success, sales, and technology advisory. Nabil is certified in Microsoft Technologies, AI, Health Care IT Security, ITIL, Google Cloud, and Apple/Mac Integration.