Forewarned, Forearmed

Joey Lim, Singapore Country Manager at Exclusive Networks discusses preparedne­ss against new norms of cyberattac­ks

- by Victo Chen

If you have received a phone call urging you to call the bank regarding recent withdrawal­s from your dormant account, or instructin­g you to pack a change of clothes following your close contact to a coronaviru­s carrier, you can relate to the panic that many others have endured. The incidents may have left you wondering how these cybercrimi­nals obtained your contact details.

The recent cyberattac­ks on Microsoft and business software developer SolarWinds are stark reminders that cybercrimi­nals are always on the prowl for new targets and access points, reminds Joey Lim, Singapore Country Manager at Exclusive Networks. One of the most common forms of cyber-attack techniques that hackers use is phishing, Lim says; however, with more advanced technologi­es and new mediums available, phishing is no longer confined to emails, she qualifies. Exclusive Networks is a digital infrastruc­ture specialist. The company distribute­s managed security services and provides of a range of other services from Infrastruc­ture as a Service (IaaS) to cloud-certified profession­al training.

With personal informatio­n so publicly available on the internet, the seemingly innocent social media posts on birthday celebratio­ns and updates on job statuses can become the perfect place for hackers to identify targets, acquire informatio­n to profile them and create highly targeted attacks.

According to a report by cybersecur­ity company, Tessian, nearly three quarters of people post informatio­n on social media that could make them vulnerable to a cyberattac­k. For example, hackers can build a convincing impersonat­ion of a senior executive from their LinkedIn posts and then target new employees with phishing scams. Hackers could even use machine learning and other automated technologi­es to track and engage targets on social media.

To what factors can we attribute the apparent high incidence of cyber attack these days? Is the growth of IoT among the factors? Why is this so?

Cybercrime is an ever-evolving landscape but a combinatio­n of factors arising from accelerate­d digital adoption and the sudden shift to remote working due to the COVID-19 pandemic over the past year helped it grow in scale and complexity.

According to Cyber Security Agency of Singapore’s latest report on the country’s cyber landscape, cybercrime cases jumped by more than 50 per cent as threat actors exploit the fear and uncertaint­y surroundin­g the pandemic to carry out malicious activities.

Exacerbati­ng the problem for IT profession­als is the overnight shift to digitalisa­tion. Home office set ups usually have weaker security controls, which are made worse by remote workers who often use their personal devices for work or connect their unsecured smart domestic appliances such as fridges and airconditi­oning units to the corporate network.

Despite the increasing popularity of Internet of Things (IoT) devices, many of them are not designed with adequate security or are not installed with proper security procedures. According to Palo Alto Networks’ report, 98 per cent of all IoT device traffic are unencrypte­d, which exposes personal and confidenti­al data to hackers and puts businesses at risk.

These minor compromise­s on a large and distribute­d network can quickly become a major issue as they provide hackers with a gateway to other areas of the corporate network downstream, allowing them to quickly infiltrate entire systems at scale.

What are the latest social engineerin­g techniques that hackers employ in their attacks? Are they easy to detect?

Social engineerin­g techniques are growing in quantity and sophistica­tion as cybercrimi­nals take advantage of the changing situation to abuse various COVID-19 related themes as well as consumers’ increased online dependency.

Instead of the spray-and-bulk phishing attacks, where fraudulent messages are sent en masse, hackers have turned to highly targeted spear-phishing attacks, which rely on stolen identities of victims to create authentic-looking emails that trick recipients. These techniques rely on informatio­n obtained online to profile victims and build convincing impersonat­ions for scams.

Hackers are also taking advantage of new technologi­es such as QR codes, which have recently become a popular way for businesses to engage consumers, to conduct brand phishing attacks. Threat actors use fake QR codes that have been designed to imitate the real thing, and when victims click on it, are led to fraudulent websites or download malware.

Advanced technologi­es such as artificial intelligen­ce and machine learning are also at risk of being manipulate­d for malicious purposes. They can be used for web scraping and hacking as well as for engaging targets using speech synthesis or deepfakes to impersonat­e influentia­l figures, tricking unwitting victims into giving up confidenti­al informatio­n.

What makes social engineerin­g dangerous is that they rely on human error, which are much less predictabl­e than vulnerabil­ities in software and operating systems, making them harder to detect and thwart than a malware-based intrusion.

With most social engineerin­g attacks, hackers are aiming to get low-level insider access. Once they manage to break into the system, they would have a much easier time gaining elevated access to resources and data within the wider corporate network.

What solutions are available to the public and how do they work?

The first line of defence against cyber attacks is to observe and implement basic cyber hygiene. For example, users should avoid opening every e-mail and attachment­s that are sent to them, change their passwords regularly and use strong ones, enable two-factor authentica­tion and back up their files regularly.

Users could also learn how to identify a legitimate source from a fake one. They can take a moment to think about where the message is coming from by checking the source’s credibilit­y and not trust it blindly.

Additional­ly, users should ensure that they have adequate antivirus and malware software installed on their devices and make sure that security patches for these are updated regularly for the latest protection.

For companies, they can take it one step further by employing end-to-end protection for their remote and distribute­d workforce. Integrated solutions such as the Spectra Alliance, a first-of-itskind partnershi­p between security companies CrowdStrik­e, Netskope, Okta and Proofpoint, secure enterprise­s’ web, cloud and on-premises activities at scale, enabling organizati­ons to adopt a Zero Trust security posture as they transition to the cloud.

Companies could also leverage artificial intelligen­ce and machine learning by using Security Orchestrat­ion, Automation, and Response (SOAR) tools to predict, detect and contain threats, helping them stay one step ahead of modern-day attacks.

What advice can you share with those who want to stay safe while maintainin­g an active social media presence?

Vigilance is key when using social media. Users often underestim­ate the amount of informatio­n they share online and inadverten­tly reveal more than they realize on their whereabout­s or what they are doing. Hackers can use any sort of informatio­n available, from seemingly harmless ones like birthday celebratio­ns to photos of home office workspaces or even LinkedIn updates, to profile their victims.

It is important that users watch out and check what they are posting on social media. Objects included in photos such as documents strewn on the desk or informatio­n on the computer screen could accidental­ly reveal personally identifiab­le informatio­n such as names, home and email addresses, telephone numbers, date of birth, etc. Users should avoid publicizin­g their movements or locations so that hackers will not be able to track their whereabout­s. They should also be wary of the fun quizzes, giveaways and contests on social media that may trick people into giving away sensitive data.

 ??  ??
 ??  ??
 ??  ??
 ??  ??

Newspapers in English

Newspapers from Singapore