According to PWC research, 71% of CEOs are extremely concerned about a cyberattack. And rightfully so. Cyberattacks occur constantly, and it can feel like it’s only a matter of time before your own organization is struck by a cybersecurity breach.
While a cybersecurity breach may feel inevitable, in reality there are steps that can be taken to greatly reduce threats. The first part of cybersecurity is understanding the many possible vectors of attack a hacker can take.
In this post, we will discuss three different security breaches. We’ll walk through what they are and best practices that can be implemented to prevent them. Let’s start with the most common and least technological threat: social engineering.
What is Social Engineering?
Social engineering is a wide net that can be used to describe numerous different scams and hacks. The basic premise though is manipulating members of an organization to steal confidential data and gain unauthorized access. One of the most common social engineering methods is phishing. Another example is impersonation, where a hacker will claim to be an employee to obtain information. Let’s first take a look at phishing.
What is Phishing?
Phishing is when a hacker sends an email that appears legitimate, but is not. The email is the bait, the hacker is the fisherman, and you are the fish. The purpose of a phishing attack is to obtain data by claiming to be a person or organization of authority. Phishing emails appeal to the user’s sense of urgency, or some other psychological aspect that would get someone to click the link. Let’s look at a quick example.
Let’s say you received an email from the “Human Resources Department”. In the email, it says that your badge is going to expire tomorrow, and you must click the link in the email to reserve a badge replacement time. If you do not reserve a spot, your badge will expire and you will no longer be able to come to work.
This email appeals to our sense of urgency. We don’t want to be locked out of our workplace. It also appeals to our sense of authority — i.e. our HR department is a legitimate source. Assuming you unfortunately click the link, you will be forwarded to a fake website that asks you to enter your email and password to reserve a badge replacement time. Now the hacker has your username and password and can do a great deal of damage to you and your organization.
How to Prevent a Phishing Attack
The best way to prevent a phishing attack is to look for red flags. Make sure all emails that are coming from outside your organization are sequestered into a separate email folder.
Next, have your IT staff run simulated phishing emails against employees so they can practice spotting the signs of a phishing attempt. Oftentimes, phishing emails contain misspelled words or strange wording, as if written by someone who does not speak English fluently.
Phishing attempts will always appeal to the employee’s sense of urgency to get them to click the link. E.g., it will say something along the lines of, “you will no longer be able to work here if you don’t update your address at this link.” Remember: stop and think before clicking that link.
What is Impersonation?
The next form of social engineering is impersonation. A hacker will claim to be an employee of the organization and try to get that employee’s password reset. The hacker will often trawl logs that have leaked onto the web, using them to obtain information they would not otherwise have. Then they call the IT department and offer details that seem credible, such as employee numbers, dates of birth, and other personal information.
How can Impersonation Attacks be Prevented?
Impersonation attacks can be prevented by well-trained employees who rigorously follow procedure. For example, check the phone number the call is coming from. If it is not a recognized number, that is a red flag. Ask the “employee” who their manager is and who their co-workers are. Ask them a little bit about their job. If they fumble, that is a bad sign.
When talking to people, it is human nature to be as helpful and accommodating as possible; this is a crucial mistake when dealing with IT security. If you are suspicious, ask follow-up questions or simply hang up the phone and inform your manager of a potential cybersecurity attack.
Impersonation is one of the more insidious aspects of cybersecurity, because it is so personal. Next, let’s talk about how ransomware can cripple your organization, and what steps can be taken to prevent it.
What is Ransomware?
Ransomware is a type of malicious software that threatens to publish private data, or withholds critical data, until a certain demand is met. Typically the demand is monetary compensation in the form of cryptocurrency.
It is a sad reality that ransomware attacks are becoming commonplace. In 2021 alone, there have been dozens of ransomware attacks, ranging from the Buffalo Public School System to Colonial Pipeline Systems. More often than not, the organizations have to pay the criminals the ransom to get their data back.
Protecting against a ransomware attack after it has already occurred is like locking the barn door after the horses have run away. Once the hackers have your data, they have your data. However, there are numerous steps that can be taken to harden your security infrastructure to prevent these disasters from occurring in the first place.
Endpoint Hardening Can Protect Against Ransomware
One of the best ways to prevent ransomware is to ensure your software engineers are taking a proactive approach to security when designing a system. This is called Security by Design.
One such method of preventing ransomware is to harden your endpoints. Think of an endpoint as an access point to your application, whether it is a login screen or the URL of a REST endpoint. Make sure that all incoming data is validated and sanitized so that hackers cannot feed malicious input to the endpoints. Attacks that abuse unsanitized endpoint input include SQL injection and Cross-Site Request Forgery.
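As an added example (not code from the original post), here is the same login lookup written once with string concatenation and once with bound parameters, run against a constructed in-memory SQLite table; the table, the sample users and the probe string are all assumptions for the demo.

```python
"""Added example, not from the original post: the same user lookup written
unsafely and with bound parameters against a constructed SQLite table."""
import sqlite3

# Constructed sample data. Plaintext passwords only keep the demo short;
# a real system stores password hashes.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # Attacker-controlled text is pasted straight into the SQL string,
    # so a crafted value can rewrite the WHERE clause.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username: str, password: str) -> list:
    # The driver binds the parameters; the input is only ever treated as data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both lookups with a constructed injection probe and a real login."""
    conn = make_db()
    probe = "' OR '1'='1"  # the textbook probe, constructed for the demo
    return {
        "vulnerable": login_vulnerable(conn, probe, probe),  # every user
        "hardened": login_hardened(conn, probe, probe),      # nothing
        "legit": login_hardened(conn, "alice", "s3cret"),    # just alice
    }


if __name__ == "__main__":
    print(demo())
```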
Another good way to harden your endpoints is to disable Cross-Origin Resource Sharing (CORS), or restrict it to your own origin, rather than allowing any origin. This ensures that browsers only let your own application talk to your server. Please note, though, that there are some instances where we want CORS enabled. For example, Google Fonts requires CORS.
Lastly, two-factor authentication should be enabled on all devices. This makes it much more difficult for a hacker who steals somebody’s device and cracks its password to get any further.
Keeping Software Up to Date is Crucial
Another important strategy to prevent ransomware is to keep all software and frameworks up to date. For example, if your team uses Spring Boot for their Java framework, make sure it is on the latest version. That goes for all other frameworks such as React and Angular.
The organizations responsible for maintaining these frameworks are constantly finding security vulnerabilities in their code and patching them. If you do not update the code, it is only a matter of time before a hacker exploits it.
While many hackers utilize proactive approaches such as social engineering and ransomware, often all they have to do is wait for a vulnerable security misconfiguration. Let’s walk through that, because it is becoming such a serious issue.
Beware of Cloud Security Misconfiguration
In every case of a cloud hack, the cause has been traced back to a misconfiguration. Google, AWS, and Microsoft go to great lengths to ensure their data storage tools cannot be compromised. In the cloud world, however, there is a shared responsibility model that determines what is the duty of the cloud provider and what is the responsibility of the user. Each cloud provider has some version of the model, but the AWS version looks like this:
Notice that the customer is responsible for a wide swath of duties, ranging from their data, to access and management, all the way to firewall configuration. These are where hacks most often occur. Let’s talk specifically about S3 buckets, AWS’s flagship data storage model.
What is an S3 bucket?
For the uninitiated, think of an S3 bucket as a scalable document-based database. Any data imaginable can be stored in these buckets, and it is completely scalable to meet your needs. It’s accessible via endpoints or a user interface on the AWS console.
Why are S3 Buckets Cybersecurity Threats?
In June of 2017, a hacker revealed 198 million voter records from a misconfigured S3 bucket. Suffice it to say, that is not good. The leak was traced back to an S3 bucket misconfigured for public access. If that is not a wake-up call to cybersecurity experts, I don’t know what is!
S3 buckets are secure by default. In other words, when created they are not accessible from the internet. However, configuring S3 endpoints and deciding which ones should be reachable from the internet can be challenging. The process is rife with misconfiguration, and engineers working in AWS will often accidentally expose an S3 bucket to the internet.
Once an S3 bucket is exposed this way, any hacker can hit that endpoint and retrieve huge amounts of data. For example, Grayhat Warfare can be used to find public S3 buckets. The hacker can then ransom the data back to the organization, sell it to a third party, or use it to blackmail somebody.
How to Prevent Misconfiguration
The easiest way to eliminate this threat is to be very careful when configuring S3 buckets. Have more than one person verify the configuration before putting it out into the wild. Only allow users who are certified in the technology access to the cloud console. Test engineers can also write integration tests that check the bucket to verify it is not publicly accessible. If it is, the test fails and the software engineering department is notified.
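One shape such a test can take, as an added example that is not from the original post: an offline check that decides whether a bucket’s Public Access Block flags, bucket policy and ACL together leave it public. The sample configuration and the bucket name “example-bucket” are constructed; in a real integration test the three inputs would be fetched with boto3 (get_public_access_block, get_bucket_policy, get_bucket_acl) and passed to the same functions.

```python
"""Added example, not from the original post: an offline check of whether an S3
bucket's Public Access Block, bucket policy and ACL together leave it public.
Sample inputs are constructed; a real test would fetch them with boto3."""
import json

PUBLIC_ACL_GROUPS = {  # grantee URIs that mean "anyone" in an S3 ACL
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _wildcard_principal(principal) -> bool:
    # Principal may be "*", {"AWS": "*"} or {"AWS": [...]}; all mean everyone.
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in (aws if isinstance(aws, list) else [aws])

def public_policy_sids(policy_json: str) -> list:
    """Sids of unconditional Allow statements whose Principal is everyone."""
    return [st.get("Sid", "<no Sid>")
            for st in json.loads(policy_json).get("Statement", [])
            if st.get("Effect") == "Allow" and not st.get("Condition")
            and _wildcard_principal(st.get("Principal"))]

def public_acl_permissions(acl: dict) -> list:
    """Permissions the ACL grants to the global AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]

def public_exposure_findings(pab: dict, policy_json: str, acl: dict) -> list:
    """Empty list means not public; pab is the PublicAccessBlockConfiguration."""
    findings = []
    # RestrictPublicBuckets neutralises a public policy, IgnorePublicAcls a public ACL.
    if not pab.get("RestrictPublicBuckets"):
        findings += [f"policy statement {s} allows Principal *"
                     for s in public_policy_sids(policy_json)]
    if not pab.get("IgnorePublicAcls"):
        findings += [f"ACL grants {p} to a global group"
                     for p in public_acl_permissions(acl)]
    return findings

# Constructed sample configuration for a hypothetical bucket "example-bucket".
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]})
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
```

An integration test fails whenever public_exposure_findings returns a non-empty list; the "VpcOnly" statement is deliberately not flagged because its Condition limits who the wildcard principal actually is.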
This is not exclusive to Amazon buckets. Azure and Google buckets can potentially be misconfigured in the same way.
In this post, we talked about three major vectors of attack: social engineering, ransomware, and cloud security misconfiguration. Each of these is very different from the others, and each involves different employees in the organization. Social engineering works by tricking people, ransomware exploits security bugs, and cloud security hacks exploit configuration errors.
It is important to remember that cybersecurity is not the job of one particular team. It is everyone’s responsibility. Everyone, from the CEO down, should have some level of cybersecurity awareness training.