October is Cybersecurity Awareness Month. According to Verizon, 46% of all cyber breaches impact businesses with fewer than 1,000 employees. As a Cybersecurity Engineer at SimVentions, I want to share what potential threats to be aware of, examples of what they may look like, and possible solutions. With more than 40% of cyberattacks targeting small businesses, cyber criminals are always on the lookout for weak system security and vulnerabilities, making small businesses a primary target. Studies have shown that 83% of small businesses do not have a disaster recovery plan for business continuity after a cyberattack. Being proactive rather than reactive can make the difference between continuing business as usual and having to close your doors because you cannot recover from a security breach. A security breach can cause downtime, financial loss from recovery, loss of customer data and information, and damage to your business’ reputation. Being aware of the potential threats is key to knowing how to protect your business and lowering the risk of a security breach. I will address some of the most common types of attacks, such as social engineering, insider threats, and artificial intelligence (AI) attacks exploited by threat actors. Best practices such as password and social media policies and system configuration will also be covered, with suggestions on how to implement them. Each threat is paired with a solution advising how to implement mitigations that better protect your business. Let’s dive in!

Social Engineering

Social engineering tactics use deception to manipulate individuals into giving up sensitive information or access to it.

One example is a threat actor sending phishing emails to employees. A phishing email is designed to look like it was sent by someone you know, and in it the sender asks you for information. The goal of the threat actor is to get the employee to hand over sensitive information that can be used later.

Example: A phishing email could look like a legitimate email from your IT department prompting you to click a link to change your password. Clicking the link takes you to a page controlled by the attacker, and entering your password there hands them your credentials.

Solution: Train your team to recognize the signs of a suspicious email, such as misspellings, improper grammar, requests for gift cards, and emails sent during non-business hours. Advise your team not to reply to or engage with these emails by clicking links or opening attachments. Also encourage the team to report any suspicious emails to your security team for investigation.

Also be aware of threat actors trying to gain physical access to your business. It would surprise you how easily some threat actors can walk right through the front door of your business using social engineering.

Example: A threat actor attempting to enter your building, which is secured by badge-scan access, shows up with their hands full of lunch or donuts for “a meeting,” so someone is more willing to hold the door for them. That nice and polite gesture allowed the threat actor to gain access to your building.

Solution: Implement an identification system for your employees. This lets you identify who is part of the team and makes it easier to spot those without access. Train employees not to allow piggybacking into your business; this makes it harder for a threat actor to gain access and easier for you to identify the people on your team.

Threat actors will utilize open-source intelligence, which is information available to the public on the web, such as social media platforms, company websites, and newsletters.

Example: A threat actor can easily find new hires who have posted pictures of their excitement at joining your team, new company badge included. This shows the threat actor what your company badges look like and lets them duplicate one from a public platform, allowing them to blend in with your employees.

Solution: Implement a social media policy for your employees to follow, as this lessens the likelihood of a threat actor using public information on social platforms to later target your business. Encourage your team to report anyone who looks unfamiliar or suspicious.

Insider Threats

Businesses place a large focus on keeping threat actors out, but what if the threat actor is someone within? Current employees, former employees, contractors, vendors, or business partners who have, or have had, authorized access to an organization’s network and computer systems are all considered insiders and could pose an insider threat. They can use this access, whether intentionally with malice or unintentionally without malicious intent, in ways that negatively affect your organization.

Example: An unintentional insider threat could be an employee who does not recognize a phishing email and clicks a link that downloads a malicious script onto your company’s network, exposing proprietary information and data. An intentional insider threat could be someone working for another company who poses as a new employee, gains trust and access, and then exfiltrates data and proprietary information to that company. Another intentional insider threat could be a disgruntled employee who is being let go but still has access to files at the end of the day and the ability to delete important files for a project or new product launch.

Solution: Train your team to know what to look for with cyber threats, such as spotting emails that can lead to a security breach. Without training, your team is the biggest vulnerability to your business; everyone has a cyber role no matter what their title is. Separation of duties for high-value tasks, such as accounts payable, creates accountability and requires two or more people to complete the process of sending money to an account. Random audits can help you discover potential insider threats in your business. Monitor logs and flag large files being downloaded or sent out from your network during off hours, as these can be signs of data exfiltration. Apply least privilege to accounts so that each account has access only to what is needed to perform the job and nothing more; this prevents users from seeing data and information that does not pertain to their role. Watch for suspicious behavior such as employees logging in after hours. Finally, monitor terminations and have an off-boarding procedure in place so that a terminated employee’s account is disabled and the employee is escorted off the premises, avoiding disgruntled retaliation.
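As an added example (not part of the original article), the log-monitoring advice above can be turned into a simple check: the script below runs over a few constructed log lines and flags large transfers, raising the severity when they happen outside business hours, and also notes after-hours logins. The log format, the business-hours window and the 500 MB threshold are assumptions.

```python
from datetime import datetime, time

# Constructed sample log lines (not taken from any real system), one event per line:
# "<ISO timestamp> <user> <action> <bytes>"
SAMPLE_LOGS = [
    "2024-03-04T10:15:02 alice download 2400000",      # normal daytime activity
    "2024-03-04T23:41:10 bob upload 850000000",        # large upload at night
    "2024-03-05T02:03:44 carol download 1200000000",   # large download at 2 AM
    "2024-03-05T14:30:00 dave upload 950000000",       # large upload, business hours
    "2024-03-05T22:10:09 bob login 0",                 # after-hours login
    "2024-03-09T11:00:00 erin download 100000000",     # small download on a Saturday
]

# Assumed policy values; tune them to the business.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
LARGE_TRANSFER_BYTES = 500_000_000  # 500 MB

def parse_line(line):
    ts, user, action, nbytes = line.split()
    return datetime.fromisoformat(ts), user, action, int(nbytes)

def is_off_hours(ts):
    """Weekends and any time outside the business-hours window count as off hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def flag_events(lines, threshold=LARGE_TRANSFER_BYTES):
    """Return a list of (user, timestamp, severity, reason) for events worth review."""
    findings = []
    for line in lines:
        ts, user, action, nbytes = parse_line(line)
        off_hours = is_off_hours(ts)
        large = action in ("download", "upload") and nbytes >= threshold
        if large and off_hours:
            findings.append((user, ts, "high", f"{action} of {nbytes} bytes during off hours"))
        elif large:
            findings.append((user, ts, "medium", f"{action} of {nbytes} bytes"))
        elif action == "login" and off_hours:
            findings.append((user, ts, "low", "login during off hours"))
    return findings

if __name__ == "__main__":
    for user, ts, severity, reason in flag_events(SAMPLE_LOGS):
        print(f"[{severity.upper():6}] {ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

Small transfers outside business hours (erin on Saturday) are deliberately not flagged, so the output stays focused on the two signals the text calls out.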

Artificial Intelligence

As technology has progressed, so has the toolkit of a threat actor. Artificial Intelligence (AI) is now commonly leveraged in social engineering attacks. Threat actors may use AI to simulate the voice of people you know by collecting recorded snippets of a person’s voice; AI can then generate what that person would sound like saying almost anything.

Example: A threat actor knows an executive is traveling to an annual conference. The threat actor uses AI to call the executive’s assistant, spoofing the caller ID so the call appears to come from the executive. When the assistant picks up the phone, “the executive” asks for the numbers on their passport for travel documentation purposes. The phone number appeared to be the executive’s and the voice sounded like the executive, so the assistant had no issue giving “the executive” this Personally Identifiable Information (PII).

Solution: Agree on a code word that you and your team use whenever asking for or about sensitive or proprietary information. This lets you and your team spot anyone attempting to use AI to gain access to proprietary information and report it immediately.

Another form of AI most people are familiar with is ChatGPT. ChatGPT is an AI tool that lets the user ask questions in a chat format and responds with a descriptive answer. ChatGPT might offer great solutions for your business needs in a simple and fast manner; however, it is also a form of data collection on your business that threat actors can use to their advantage.

Example: Suppose you create business documents through ChatGPT because it is a quick and simple solution. A threat actor targeting your business could ask ChatGPT about your business best practices, and it could return information you provided to ChatGPT, putting your business at risk of a breach. Anything asked of ChatGPT is collected and can be used in a later response from ChatGPT.

Solution: Implement a policy governing the use of AI tools such as ChatGPT, including a prohibition on asking questions that involve or could lead back to your business or customers. Anything entered into ChatGPT, including confidential or proprietary information, can later be accessed and exploited by threat actors. Talk to your team about how data collection on your business, your business practices, and customer data can lead to a security breach.

Password Policies

Weak password policies are an easy vulnerability for threat actors to exploit to gain access to your network. A password cracking tool can help a threat actor brute force user passwords. Brute force is a password attack that runs through candidate passwords one after another until it finds the one that matches the user’s actual password.

Example: Short, common, and dictionary-like passwords allow a faster and more successful brute force attack. Passwords written down and taped to a desk, monitor, or keyboard give the threat actor full access to your network without alerting an intrusion detection system, since they are using approved user credentials to log in.

Solution: Implement a complex password policy for users. A complex password contains uppercase letters, lowercase letters, and special characters, and meets a minimum length requirement. This makes it harder for a threat actor to brute force user accounts and gain access to your network. Have passwords expire after a set timeframe, such as 90 days, so employees are forced to change them. Implement a password history limit so employees cannot reuse a password they have used in the past, lessening the chance of a compromised password being reused. Train employees not to reuse the same password across different platforms: if an employee is compromised on another platform, the threat actor can perform a credential stuffing attack, trying those account credentials against your network and gaining access because the same password was used. Train employees not to write down passwords, encourage them to memorize their passwords, and explain how written-down passwords lower the business’ security posture and make it more vulnerable to a breach.
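As an added example (not part of the original article), the policy points above (minimum length and character classes, no common words, a 90-day expiry, and a history that blocks reuse) can be enforced in code. The length, history depth and the small deny list of common words are assumed values; the history stores salted PBKDF2 hashes rather than the passwords themselves.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Assumed policy values, chosen to mirror the recommendations above.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5                                            # last N passwords may not be reused
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}  # constructed short deny list

def check_complexity(password):
    """Return the policy violations found; an empty list means the password is acceptable."""
    rules = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(not c.isalnum() for c in password), "no special character"),
        (not any(w in password.lower() for w in COMMON_WORDS), "contains a common dictionary word"),
    ]
    return [message for passed, message in rules if not passed]

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the history store never holds passwords in the clear."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def reused(password, history):
    """True if the candidate matches any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def password_expired(last_changed_iso, today_iso=None):
    """True once a password is older than MAX_AGE_DAYS (dates given as YYYY-MM-DD strings)."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return today - date.fromisoformat(last_changed_iso) > timedelta(days=MAX_AGE_DAYS)

def evaluate_change(new_password, history):
    """Decide whether a proposed new password may be set: (accepted, reasons)."""
    reasons = check_complexity(new_password)
    if reused(new_password, history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return (not reasons, reasons)

if __name__ == "__main__":
    history = [hash_password("Autumn-Leaves!2023")]          # constructed prior password
    print(evaluate_change("Autumn-Leaves!2023", history))    # rejected: reuse
    print(evaluate_change("Autumn-Leaves!2024", history))    # accepted
    print(password_expired("2024-01-01", "2024-04-15"))      # True: 105 days old
```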

Supply Chain

Securing trustworthy and vetted vendors for your supply chain is crucial to a business’ security posture. Threat actors can take advantage of your supply chain by finding out who your vendors are, disguising themselves as those vendors, gaining access to your business, and then exploiting your network. Threat actors can also manipulate products within your supply chain.

Example: Product manipulation could take the form of built-in keyloggers added to keyboards to record the keystrokes of employees, management, and executives. That information is sent to the threat actor, giving them access to proprietary business information, trade secrets, and data.

Solution: Use vendors that have been vetted by others to ensure you are using a reliable source for your supply chain. Have your IT department inspect any new hardware to ensure no additional parts have been added to the products received. If you have credit card machines, wiggle the face of each one to ensure there is no overlay device communicating with threat actors. Keep a log of vendors and have them identify themselves to a point of contact such as a manager or security staff to verify their identity and authorization to be in the facility.

Approved Software

Be aware of the software being downloaded onto company devices. Threat actors have malicious intent, and software can be embedded with malware, trojans, viruses, worms, and even keyloggers.

Example: An employee trying to pass the time downloads a game of Tetris, or what they think is solely Tetris. The download looks and plays like the game; unfortunately, malicious code and a keylogger were attached to it, allowing the threat actor to gain access to your business network and proprietary data and information. This is an example of trojan malware.

Solution: Have a software policy in place that does not allow external downloads. You can create an allow list in the security policy on your devices and configure rules in your firewall settings to control what is and is not allowed on company devices and your network. Also be sure to have an antivirus solution that can scan for potential malware threats.

Update Software and Operating Systems

Threat actors can find vulnerabilities in your outdated operating system or software and exploit these vulnerabilities to gain access to the network.

Example: A company has a legacy, outdated installation of Windows XP that is no longer supported by Microsoft. Without that support, the user receives no software updates or patches to protect the system. A threat actor can easily see system versions through a network scan and exploit the known vulnerabilities, gaining access to the network and database and collecting data and information; the company now has a security breach.

Solution: Implement automatic updates for your systems and software so employees do not miss updates they would otherwise have to launch manually. Schedule these automatic updates to deploy during non-business hours: updates can be interrupted or malfunction, and performing them after normal business hours avoids business downtime. These system and software updates deliver new security patches to the machine, giving your systems and software a stronger security posture.

Invest in Security

Knowing the current security posture of your business is crucial, as you cannot protect your systems without knowing your vulnerabilities. A threat actor can exploit any of the points of attack mentioned above to cause a security breach. Threat actors take advantage of employees who are not well trained and exploit them to gain access to your business information and data.

Solution: Have a third party, like SimVentions’ Cyber Assessment Team, perform a cybersecurity assessment to evaluate your current security posture. Once you know your vulnerabilities, you can take the necessary steps to mitigate them and strengthen your overall security posture. Investing in software that can detect strange behavior on your network can help business owners stay a step ahead of a threat actor; one example is implementing an Intrusion Detection System (IDS) to detect unusual traffic on the network. The last recommendation is the most important of all: train your team. Cybersecurity training for your team is the best protection for your business, because your people are the weakest point of security and therefore the primary target of a threat actor, putting your business at risk.

Business owners and their teams work hard to establish, build, and grow the business. As unfortunate as it is, the reality is that a threat actor can tarnish a business reputation with one security breach. Being proactive rather than reactive in security helps build a stronger security posture for the company. Consumers come to a business for a service or product; elevate your customers’ experience by assuring them that their data and information are secure, and continue implementing good cybersecurity best practices within your business. Technology is constantly changing, and threat actors take advantage of that by creating new ways to steal data and information. As a community, we can work together to stay ahead of the threat actors and keep up with new cybersecurity trends and how to mitigate them. For more information on our Cyber Assessments, reach out to us at [email protected]. As our SimVentions motto states, “Your Success, Is Our Honor™.”

Jamie Nash, Cybersecurity Engineer, SimVentions