Vital information about Cyber Attacks
By Rob Taylor CISSP at Onyx IT
Rob is one of the UK's 7,972 qualified CISSPs (Certified Information Systems Security Professional), the world's premier cybersecurity certification, granted by the International Information System Security Certification Consortium.
This paper is important for the following reasons:
- Any interruption to your business computer systems can be painful but a cyber-attack can be particularly crippling.
- Government bodies are not immune: Hackney Council suffered one of these cyber-attacks in October 2020, and it is not anticipated that all their systems will be fully functioning until December 2021. It took 4 months to recover front line services.
- The number of officially reported HMRC-branded phishing scams increased from 572,029 in the 2019–2020 fiscal year to 1,069,522 in 2020–2021.
- Impersonating an authoritative organisation like HMRC is a tried and tested way for cyber criminals to create a sense of urgency and fear.
If any of the above is concerning for you and your business then read on and learn about how Onyx IT can assist you.
Why are cyber attacks so damaging?
Any interruption to your business computer systems can be painful but a cyber attack can be particularly crippling.
Many have experienced the consequences of a hard drive crash, where an IT engineer has to come and replace the drive and restore the data. This, while annoying, is easily rectified: systems may be down for potentially 2 days while parts are sourced and your last good backup is restored. Generally, business functions can continue after that short interruption. If they are more critical than that, 'hot' standby servers are usually put in place.
For example, suppose you take nightly backups and your server hard drive suffers a mechanical fault and dies at 10am. The drives are replaced, the previous night's backup is used to restore your system, and that morning's data is re-entered.
Why are certain cyber attacks different? In a word, it is integrity!
The average time it takes for a network intrusion to be detected is 190 days. Over this time the bad actors could have mapped out your network, installed backdoors, modified data and given themselves admin privileges. Without the proper monitoring in place you will be unaware of the presence of a bad actor; it is only when they perform a destructive action, such as encrypting all the data on your server, that they make their presence known, at which point it is too late and the ransomware attack has succeeded.
The process of dealing with a ransomware attack is similar to that of a malfunctioning hard drive: you simply restore the data, provided the bad actor hasn't encrypted your backup too. This, unfortunately, is where it gets difficult! At what point do you restore the system to? If the bad actor has been in your system for 190 days, you potentially need to restore your system back to that time and re-enter all the data entered since the last known good backup point. Every other system has to be reinstalled. At each stage the network has to be checked to confirm it is still clean and free of bad actors.
The Hackney Council attack is a good example of this: https://www.bbc.co.uk/news/uk-england-london-54606375
The attack on the council was discovered in October 2020, it is not anticipated that all their systems will be fully functioning until December 2021.
It took 4 months to recover front line services.
The cyber-attack caused mayhem for the council and its customers. A number of house sales fell through after staff were unable to process land search requests. Accurate records of rate payers were lost: some were charged rates having left the borough, and then couldn't be given a refund because systems are still not running properly.
How many trading businesses could survive such disruption?
The number of officially reported HMRC-branded phishing scams increased from 572,029 in the 2019–2020 fiscal year to 1,069,522 in 2020–2021, according to data obtained under the Freedom of Information Act.
Lanop Outsourcing, the accountancy firm that made the FOI request, revealed that most of the scams claimed to be tax rebates or refunds. The data also reveal a 66% rise in voice scam attacks during the past financial year, rising from 203,362 to 336,767. Attacks related to the DVLA – HMRC also receives reports of such attacks and is empowered to act on the agency’s behalf to initiate website takedowns – rose more than six times to 42,233 from 5,549.
The favoured delivery method for scams exploiting HMRC was via email. Attacks originating via this method more than doubled from 301,170 to 630,193. Reports of suspected SMS scams, or smishing, rose 52% from 67,497 to 102,562, and reports of phone call scams increased 66% from 203,362 to 336,767.
Commenting on the report, Tessian CEO Tim Sadler said: "Impersonating an authoritative organisation like HMRC is a tried and tested way for cyber criminals to create a sense of urgency and fear, to manipulate people into sharing financial information or credentials via phishing or smishing scams."
Due to its prominent public profile, HMRC is probably the government brand that is most frequently abused by criminals to add credibility to their scams. As a result, the department has long led discussions and schemes on cyber issues at Westminster, running its own Cyber Security Operations unit to identify and shut down scammers. It has also pioneered the use in government of DMARC protections for email, and other technical controls to stop its legitimate helpline numbers from being spoofed. Nevertheless, cyber criminals persist.
Cyber criminals are most likely to target people using credential harvesting and impersonation techniques, according to a new report. Avanan’s 2021 Global Phish Cyber Attack Report found that credential harvesting is used in 54% of all phishing attacks.
This is more than double the share of BEC (business email compromise) emails that Avanan found (20.7%), even though BEC is often regarded as the more significant threat.
Meanwhile, the researchers found that the most attacked industries are IT, healthcare and manufacturing. “These industries are the most targeted because they hold incredibly valuable data from health records to social security numbers, combined with the fact that healthcare and manufacturing tend to use outdated tech and often have non-technical board of directors,” the report said.
The Onyx Essentials cyber package provides cyber security training to all users on a regular basis, testing their knowledge of, and reaction to, phishing attacks. The package also applies DMARC protection to the business's domains and email, protecting its customers from being spoofed.
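DMARC appears above both as HMRC's defence against spoofed email and as part of the Onyx Essentials package. As an added example (not code from Onyx IT, HMRC or this paper), the following Python script parses a DMARC record and rates whether its policy would actually stop spoofed mail; the domain names and records are constructed for illustration, and a live check would fetch the `_dmarc.<domain>` TXT record instead.

```python
# Added example, not Onyx IT's or HMRC's own tooling: rate the strength of a
# DMARC record (the tag=value TXT record published at _dmarc.<domain>).
# Constructed sample records so this runs offline; a live check would fetch
# the TXT record for _dmarc.<domain> (e.g. with dnspython) instead.
SAMPLE_RECORDS = {
    "monitor-only.example":  "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":       "v=DMARC1; p=quarantine; pct=25; rua=mailto:rep@partial.example",
    "strict.example":        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:rep@strict.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "no-record.example":     "",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> tuple[str, list[str]]:
    """Return (rating, findings); rating is 'none', 'weak' or 'strong'."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "none", ["no valid DMARC record: spoofed mail is not rejected"]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none only reports; receivers still deliver spoofed mail")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk rather than rejecting it")
    pct = int(tags.get("pct", "100"))          # RFC 7489 default is 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()       # sp defaults to the p= policy
    if sub != "reject":
        findings.append(f"subdomain policy {sub}: subdomain mail is not rejected outright")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports of abuse")
    rating = "strong" if policy == "reject" and pct == 100 and sub == "reject" else "weak"
    return rating, findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        rating, findings = assess_dmarc(record)
        print(f"{domain}: {rating}")
        for finding in findings:
            print(f"  - {finding}")
```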
PrintNightmare is a zero-day critical Windows bug that allows Remote Code Execution. It affects all supported Windows machines. See https://nakedsecurity.sophos.com. The bug was initially documented by Microsoft as opening up an EoP (Elevation of Privilege) hole in pretty much every supported Windows version, all the way from Windows 7 SP1 to Server 2019. But on 21 June 2021, Microsoft upgraded the security update page to admit that the bug could be used for RCE (remote code execution) as well, making it a more serious vulnerability than an EoP-only hole.
EoP means that someone who has already compromised your computer but is stuck with the sort of access that you would have yourself when logged on as a regular user, can promote themselves to a more privileged account without needing to know the password for that account.
That’s bad enough, but RCE refers to a bug by which cybercriminals can break into your computer in the first place, without needing any password for any account on your computer.
If an RCE bug also permits EoP, then that’s even worse, because it essentially combines breaking in and taking over into a single, high-drama security hole.
The Onyx Essentials cyber package includes continual vulnerability scans to pick up required patching, while the Onyx Recommended cyber package adds host-based intrusion detection. Starting on July 2, 2021, Onyx deployed released IPS signatures for endpoint and firewall tools that target remote add-printer-driver calls.
It is clear that the supply chain of a business has to be recognised on the business risk register. Risk is central to the National Cyber Security Centre (NCSC) 10 steps to cyber security.
All Onyx cyber security packages have risk management at their core. Beyond that, the Onyx Advanced cyber package includes application whitelisting, which is the best way to ensure that only trusted applications are ever invoked.