Recognizing and Responding to Cyberattacks
Any network connected to the internet is exposed through the gaps in its cybersecurity defenses. Exposed targets include any system that has a public IP address or a host name that resolves publicly in the Domain Name System (DNS).
Remote access services are a favorite way in. If your practice uses a VPN, Remote Desktop Protocol (RDP), or other remote access tools, those services are reachable by attackers as well as by you, and weak credentials or unpatched software on any of them puts your whole network at risk.
This section describes six major types of cyberattacks, their trends, causes, and effects on doing business in solo professional offices and practices. You’ll learn to recognize attack threats and how to reduce the risk of being a target.
Ransomware: Pay Up or Get Locked Out
Smaller organizations, including solo professionals and professional services practices, are getting more attention from cyberattackers than ever. That makes ransomware a serious threat, the #1 threat to small businesses in 2020.
How ransomware works
Ransomware is a type of malware. It encrypts files on a device, making them, and any system that relies on them, unusable. The attackers then demand payment (a ransom) to restore your access, usually in cryptocurrency, sometimes by credit card or untraceable gift cards.
This attack is panic-inducing, maddening, and effective. Unfortunately, paying the ransom doesn’t guarantee that you regain access. Even worse, victims who do pay are frequently targeted again. And infection of one machine or device can spread ransomware throughout your entire network, and sometimes to other businesses in your supply chain.
More sophisticated ransomware attacks
In earlier years, you could tell ransomware operators “no way,” refuse to pay, and restore your files from backups.
Now the tactics have changed. Attackers first steal copies of every file they can reach and only then encrypt them (so-called double extortion). If you refuse to pay, they threaten to publish the confidential files. Backups still let you recover, but they no longer protect you from disclosure. That means sensitive business information, such as intellectual property and client data, must be encrypted at rest and in transit, with keys the attacker cannot simply pick up from the same machine, not merely backed up.
There are several ways that ransomware can get into your computer or system:
- Email spam and phishing techniques. These messages include a malicious attachment or link to a malicious or compromised website. Unwary users click a link, and malware enters your IT infrastructure.
- Exploit kits. These software toolkits sell on the dark web for as little as about $50. Attackers use them to find and exploit unpatched vulnerabilities in your browser, browser plug-ins, or other programs.
- Fake software updates. A bogus update prompt tricks users into granting administrator rights, which lets the attacker install malicious code.
Early warning signs of ransomware attacks
No defense prevents every ransomware attack. The best you can do is reduce the odds of infection and catch an intrusion early, before the encryption starts. That means someone computer-savvy must regularly review your computers, devices, network, and logs for indicators such as:
- Known or suspected phishing attacks. Most ransomware arrives as an email attachment or link. Look for messages from strange or unfamiliar domains that have landed in your users’ mailboxes.
- Many login failures in Active Directory or on other authentication services.
- Evidence of brute-force attacks against your network, such as repeated failed logins from a single source.
- Logs that show a string of queries or connection attempts aimed at a single machine, a sign that someone is probing it.
- Security tools running where they were never deployed. Where did that instance of Mimikatz (a credential-dumping tool that attackers run after gaining a foothold, to harvest passwords and move from machine to machine) come from?
- Unusual time stamps on VPN connections. Who was up working at 0237? Are you sure?
- Systems connecting to places they have no business reaching, such as outbound connections to Tor relays or other anonymizing networks. No one on your network should need Tor, for example.
Ransomware attack response
If you get attacked, there are quite a few things you can do and others that you should avoid.
What not to do. Do not panic or pay the ransom. If you refuse to pay, you’re in good company—more than 75 percent of small businesses make that choice.
What to do immediately. Here’s what you should do to limit damage to your network. (If you have a cloud host or a managed service provider, these steps are their job as well as yours; confirm in advance who does what.)
- Trace the attack. Where did it enter, and which systems and devices are affected?
- Isolate the affected machines. Disconnect them from the network (pull the cable, turn off Wi-Fi) rather than powering them off, so that evidence in memory survives for the investigation; power down only if you cannot disconnect. Cut connections to the internet and between IoT devices until you know how far the infection has spread.
- Notify your IT security pro if you have one. If you engage managed services providers, they might have 24-hour response services. If not, get on the phone.
- Notify the authorities. Reporting a ransomware incident is often more involved than reporting other cyberattacks, and notification requirements vary by jurisdiction and profession; legal offices, for example, have their own.
- Inform all employees and customers. Don’t delay completing this step. Your working relationships with partners and suppliers might be affected by a slow-motion response.
- Patch and update all your security systems and software before reconnecting anything.
And if you don’t have an incident response plan, create one as soon as possible after the dust settles.
Phishing Attacks: Take the Bait and the Consequences
Scammers use email or text messages to trick you into giving them your personal information. They might try to steal your passwords, account numbers, or Social Security number. If they get that information, it’s “Open, sesame!” They can gain access to your email, bank, or other accounts.
The goal of phishing remains the same: access to information that attackers can eventually turn into cash. The top targets of spoofing (fooling account owners by impersonating someone they trust) are changing, however.
Phishing attack trends
With layoffs skyrocketing and more employees working from home, hackers are pouncing on all types of small-office businesses. However, the mass phishing campaigns of the past are giving way to more targeted campaigns sent at lower volumes.
In the past, a single phishing email might be sent to hundreds of recipients. In 2020, most phishing campaigns were sent at much lower volumes and used new methods to carry the malware.
Why the change? Mass phishing waves are easier to detect than low-volume attacks. This trend shows that phishers are getting smarter about picking their targets.
Businesses might improve account user awareness, but phishers are getting more skillful, too. They’ve even started spoofing phishing awareness training platforms.
How phishing attacks work
An attacker impersonates a trusted contact and sends the victim fake email messages. The victim opens the message and clicks the malicious link or opens the attachment. One click and voila: the attacker gains a foothold on the machine, confidential information, or account credentials.
In addition to traditional phishing methods, COVID-19 phishing emails and shared file notifications are more common since the pandemic began. On SharePoint, OneDrive, and Dropbox platforms, workers receive shared-file notifications from these well-known applications daily. In 2020, hackers increasingly exploited the credibility of these services to conceal both their identities and intentions.
Phishing attack causes
Human nature (inattention or being rushed) has not changed, but the sources of phishing bait are new and more complex.
Phishing attack early warning signs
There are many ways you can protect yourself from this attack, but the main one is vigilance. The main thing to remember is that successful phishing expeditions run on adrenaline—yours. So, stay cool and watch for these telltale signs:
- A suspicious document sent by a company or institution you know or have dealings with.
- A message based on a story that makes you want to click on a link or open an attachment.
- User or tech comments about noticing suspicious IT activity or log-in attempts.
- A claim that there’s a problem with your account or your payment information.
- Notices that ask you to confirm personal or business information.
- Communications that include an invoice.
- Urgent messages that want you to click on a link to make a payment.
- Messages that claim that you’re eligible for a government refund.
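Several of the signs above (a sender who isn’t who the display name says, a link whose visible text points one place while the destination is another, pressure language) can be checked mechanically before anyone clicks. The following Python script is an added example for this guide, not tooling from any vendor named on the page; it parses a raw email with the standard library, flags those indicators, and runs against two constructed sample messages (the domains are reserved example names, and the word list is an assumption you would tune to your own mail).

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed word list for the "urgency" signal; tune it to your own mail. Not a vendor list.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "invoice", "payment", "verify your")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> List[str]:
    """Return 'indicator: detail' strings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # Sign 1: replies are silently routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply_to_mismatch: replies go to {domain_of(reply_addr)}, sender is {from_dom}")

    # Sign 2: the display name impersonates an address at a trusted domain the real sender does not own.
    claimed = re.search(r"[\w.-]+@([\w.-]+)", from_name)
    if claimed and claimed.group(1).lower() != from_dom:
        findings.append(f"display_name_spoof: name claims {claimed.group(1)}, real sender is {from_dom}")

    # Gather the text of every text/plain and text/html part (a single-part message walks as itself).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    # Sign 3: link text shows one host while the href goes somewhere else, or to a bare IP address.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(f"raw_ip_link: {href}")
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link_text_mismatch: shows {shown.group(1)}, goes to {href_host}")

    # Sign 4: the pressure language that makes people click before they think.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency_language: " + ", ".join(hits))

    return findings


# Constructed sample messages (RFC 5322 text). The domains are reserved example names, not real senders.
PHISH = """\
From: "SharePoint Online notify@contoso.com" <alerts@c0ntoso-docs.example>
Reply-To: billing@mail-relay.example
To: owner@contoso.com
Subject: URGENT: shared invoice requires your signature
Content-Type: text/html; charset=utf-8

<html><body>
<p>A document was shared with you. Your account will be suspended if you do not
verify your details immediately.</p>
<p><a href="http://203.0.113.44/login">https://contoso.sharepoint.com/invoice.pdf</a></p>
</body></html>
"""

LEGIT = """\
From: Accounts <accounts@contoso.com>
To: owner@contoso.com
Subject: October statement available
Content-Type: text/plain; charset=utf-8

Your October statement is ready in the portal at https://portal.contoso.com/statements
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze_message(sample) or ["no indicators"])
```

Run as-is, the phishing sample trips all five indicators and the legitimate statement trips none. None of these checks is proof on its own (a legitimate mailing service can set a different Reply-To), which is why the script reports a list of indicators for a human to weigh rather than a verdict.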
Responding to phishing attacks
There is good news about phishing attacks: most of them are avoidable. Here are some ways to make yourself less of a target.
Reducing the Risks of Phishing Attacks
There is no 100-percent protection from any security risk, but here are solid methods that can stack the odds in your favor:
- Protect your computers and devices by using security software.
- Protect your mobile phone by setting software to update automatically.
- Protect your accounts by using multi-factor authentication.
- Protect your data by backing it up.
Keep Your Trigger Finger on Hold
If you get an email or a text message that asks you to click on a link or open an attachment, STOP. Then ask yourself, “Do I have an account with the company or know the person that contacted me?”
If the answer is no:
- Find and review the indicators described in the “Phishing attack early warning signs” earlier in this guide.
- Next, look for signs of a phishing scam.
- If you see any, report the message.
- Delete the message.
If the answer is yes:
- Contact the company by using a phone number or website you know is real.
- Don’t use the contact info in the bait message. Clicking attachments and links can install harmful malware.
- Report the message.
- Delete the message.
If You Think Your System Is Infected…
OK, you couldn’t stop yourself in time. You clicked a link that sent you straight to a cybercrook. Now what?
- If you think a scammer has your information, like your Social Security, credit card information, or bank account number, go to IdentityTheft.gov and take the specific steps based on the information that you lost.
- If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software.
- Finally, run a system-wide security scan.
Reporting the Attack to Officials
If you got a phishing email or text message, report it. The information you give can help fight the scammers.
- Forward the phishing email to the Anti-Phishing Working Group at reportphishing@apwg.org.
Or, if you got a phishing text message, forward it to SPAM (7726).
- Report the phishing attack to the FTC at ftc.gov/complaint.
Password Attacks: Getting Illegal Access
Password cracking means recovering passwords from a computer, from stored password hashes, or from data that a computer transmits. Password attacks are exploits in which a hacker identifies your password or other sign-in credentials using various programs and password-cracking tools such as Aircrack-ng, Cain and Abel, or John the Ripper.
More sophisticated attacks and defenses
Faking voice data and video imitation aren’t future attack tools; they’re here now. In 2019, criminals used AI voice technology to impersonate a business owner, and a company’s CEO was convinced enough of the owner’s identity to transfer $243,000 to the attackers. Strictly speaking that is social engineering rather than password cracking, but the same impersonation techniques are used to talk people out of their credentials.
But defenses are more robust, too. For example, well-designed systems no longer store passwords at all. They store the output of a salted, deliberately slow, one-way function (a password hash or key derivation function (KDF) such as PBKDF2, bcrypt, scrypt, or Argon2). The server keeps only the salt and the derived value, never an encrypted copy of the password that could be decrypted, and checks a login by repeating the derivation and comparing the results.
Attack. Defend. Redesign. Repeat.
Think about password attacks as tit-for-tat wars between cybercrooks and IT product designers and engineers. Security exploits get more effective, so software and hardware are developed to make attackers use more time and other resources to crack into your network. Attackers respond by designing exploits that are faster, stronger, or more unexpected than their previous efforts.
This scenario has been part of IT security reality for years and will continue for years. Here’s a list of the most common password attacks:
- Phishing: Tries to entice you to click on attachments or links that lead to malware
- Man-in-the-middle: Inserts a bad actor into the communications stream between a user and the system the user is talking to, capturing or altering credentials in transit.
- Dictionary and other brute-force attacks: Use trial-and-error guessing, against a login page or against stolen password hashes, at high speed and high volume to identify passwords or other credential information.
- Keylogging: Enters a machine by stealth and captures everything typed on its keyboard, passwords included.
- Credential stuffing: Replays username and password pairs leaked from other breaches, directing many (often tens of thousands of) automated login requests at a web application in the hope that users reused the same password there.
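The KDF paragraph above and the dictionary-attack entry in this list are two sides of one mechanism, so one added example serves both. This Python script is written for this guide and is not code from any product named on the page. It stores a password the way the KDF paragraph describes (random salt, PBKDF2-HMAC-SHA256, constant-time comparison) and then runs the same small dictionary attack against that verifier and against a fast unsalted hash, the scheme that still turns up in breaches. The record format and the iteration count are assumptions, labelled as such in the comments.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Assumption: the iteration count OWASP recommends for PBKDF2-HMAC-SHA256 at the time of
# writing. Tune it so one verification costs a noticeable fraction of a second on your server.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a verifier from a password: fresh random salt + slow one-way KDF.
    The record format is illustrative, not a standard: algorithm$iterations$salt_hex$derived_hex."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Repeat the derivation with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about how many bytes matched."""
    algorithm, iterations, salt_hex, derived_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported verifier format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), derived_hex)


# --- The attacker's side: the same dictionary attack against two storage schemes ---

def weak_store(password: str) -> str:
    """What NOT to do: one fast, unsalted hash. Equal passwords give equal hashes (one crack
    exposes every user with that password) and a GPU tests billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack_weak(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    for guess in wordlist:
        if weak_store(guess) == target_hex:
            return guess
    return None


def dictionary_attack_kdf(stored: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Same guesses against the salted KDF. Every guess costs a full PBKDF2 run, and because the
    salt is per user the work cannot be shared across accounts or precomputed in rainbow tables.
    Returns (cracked password or None, total HMAC rounds the attacker had to spend)."""
    iterations = int(stored.split("$")[1])
    rounds_spent = 0
    for guess in wordlist:
        rounds_spent += iterations
        if verify_password(guess, stored):
            return guess, rounds_spent
    return None, rounds_spent


if __name__ == "__main__":
    # Constructed sample: a password a user might actually pick, and a tiny "leaked wordlist".
    wordlist = ["password", "letmein", "Summer2020!", "correct horse battery staple"]
    record = hash_password("Summer2020!")
    print("stored verifier:", record)
    print("right password:", verify_password("Summer2020!", record),
          " wrong case:", verify_password("summer2020!", record))
    print("fast unsalted hash cracked:", dictionary_attack_weak(weak_store("Summer2020!"), wordlist))
    print("salted KDF cracked:", dictionary_attack_kdf(record, wordlist))
```

Notice what the demo shows: the KDF multiplies the attacker’s cost by the iteration count and stops one crack from unlocking every account, but a password that appears in a wordlist still falls, just later. The KDF protects the server side; only length and unpredictability (the passphrase advice later in this section) protect the password itself.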
Causes of password attacks.
You can summarize the causes of these attacks in a word: humans, often the weak link in the security chain. In password attacks, human nature expresses itself in several ways.
Poor account password management.
- There are no established password/passphrase policies, or they are enforced in a hit-and-miss fashion.
- There is no process for changing passwords when a compromise is known or suspected. (Forcing routine rotation on a calendar schedule is no longer recommended; it tends to produce weaker, predictable passwords. Change them when there is a reason to.)
Poor account access management
- Too many users have access to specific company assets.
Defending against password attacks
Even if your IT ops involve only a handful of computers and IT devices, your business is still an attractive target to hackers. It pays to consider a multi-layered approach to defending your work and communications processes. This approach includes setting up:
- Password and network access policies. (Details below)
- Multi-factor authentication. Codes delivered by text message or phone call are the weakest form of MFA, because phone numbers can be hijacked (SIM swapping) and one-time codes can be phished, and some security specialists consider them obsolete. Prefer authenticator apps or, better, hardware security keys, and look at products that combine these with biometrics (fingerprints, facial recognition, voice recognition, and retinal scans).
- Network monitoring equipment and a monitoring schedule. DIY network monitoring takes in-house IT techs into deep water. Commercial software is available, but unless you have serious knowledge and experience, choosing and installing it should be left to professionals.
- A password attack simulation. Usually part of a penetration test (pen test), this valuable exercise puts your systems through their paces by mimicking a password attack (guessing, spraying, and cracking against your real accounts and hashes) with your permission and before a criminal does it without.
Yes, setup and monitoring duties require time and effort, perhaps more than you can or want to engage in. If you prefer to delegate these tasks, consider hiring a third-party security services provider.
Making it hard for hackers to enter your system.
As always, you can never totally prevent a password attack. But making it too much trouble for hackers to enter your system can help you avoid harm. The best ways to do this include creating policies for passwords and for access to valuable data and sensitive business information.
Password policies are a set of rules meant to require users to create and maintain dependable, safe passwords. These rules are at the top of the security to-do list. They go beyond suggested best practices (although it’s fine to have these, too).
- Adopt passphrases as a standard. Create passphrases instead of passwords. Passphrases are harder to crack because of their length; several unrelated words beat a short jumble of symbols. Mixing in numbers, symbols, and upper- and lower-case letters helps further, but length does most of the work.
- Require longer, stronger passphrases. Long ago, four-character passwords sufficed. Now 10 to 16 characters is the minimum for strong passwords and passphrases, and longer is better. Why so long? Every added character multiplies the number of guesses an attacker must make.
- Do not use personal details. Just say no to passphrases that refer to users’ personal information. That means forget your favorite cat’s name, your mother’s birthday, or your favorite NFL team.
- No duplicate passwords. Ever. Make sharing passwords, or reusing one across accounts, taboo; reuse is exactly what makes credential stuffing work.
- Avoid previously compromised passwords. If you were breached, replace every password that was in use when the attack occurred, and check new passwords against lists of known-leaked ones. Hackers often come back.
- Use a password manager. A reputable password manager keeps your credentials in a vault encrypted under one strong master passphrase (protected by MFA), which is what makes it safe even on an internet-connected device. A plaintext list in a Word document is not a substitute: anyone who reaches that file, including a ransomware operator, gets every password at once. If you insist on a written list, keep it offline and locked up.
If all this effort seems like a bit much for a single-person business or a small professional practice, we understand. The secret to IT security success is having clearly defined standards and following them consistently.
Reducing damage of password attacks
If you get hacked, you’re in good company: about 50 percent of smaller businesses share your experience. When you get hit, act quickly to reduce damage to your IT infrastructure and business relationships.
Contain the damage immediately.
Reset all passwords (including administrator and service accounts), revoke active sessions and tokens, and remove any corrupted files. In a serious breach, you might have to take the entire system offline, isolate part of your network, block website traffic, or install temporary firewalls.
Contact authorities and members of your business network.
If the attack stole sensitive financial information, calls to the FBI and FTC belong at the top of your to-do list.
Then contact customers, suppliers, partners, and service providers. Being thorough here builds goodwill along your supply chain.
Insider Threats: The Danger Already Inside
When a data breach occurs, the threat, whether deliberate or accidental, often comes from the inside. An insider threat can be a partner, employee, or contractor inside your organization, or an unpredictable event born of a moment of carelessness.
If you’re doubting insider threats can touch your practice, think again. The stereotype of an insider threat—a disgruntled employee leaving with a briefcase filled with sensitive information—is still relevant but less so than previously.
And now you can add internal threat as a service (ITSaaS) to the mix. You can buy almost anything on the dark web, including organized cells of recruitment infiltrators. In this scenario, bad actors set out to become trusted employees: the goal is to be interviewed, hired into your workforce, and then steal highly valuable IP and other information.
Insider threat early warning signs
Human error, not to mention greed and malice, can always be counted on to expose IP and sensitive business, legal, or financial information to bad actors. Here are six things to watch for:
- An unusual number or types of access requests.
- A user assigns themselves higher access privileges.
- Employees bring USB drives or DVD burners to work.
- Employees sending unusual volumes of email, or unusual attachments, to addresses outside your business network, including personal webmail accounts.
- Someone gets access to information after hours or when they’re on vacation.
- Employee behavior changes unexpectedly (colleague relationships sour, someone quits suddenly).
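Most of these signs, and most of the ransomware early-warning signs listed earlier in this guide (login failures, brute force, odd VPN hours, connections to Tor), are visible in logs you probably already have; the problem is that nobody reads them. The Python script below is an added example for this guide, not code from any product named here. It normalizes a constructed log (the format is invented for the example; you would map your real VPN, Active Directory, and firewall logs onto it) and runs five simple rules over it. The leave roster, business hours, thresholds, and denylist are assumptions that in practice come from your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log in a simple "<ISO timestamp> <system> <EVENT> key=value ..." shape. It is
# not the native format of any product; map your real VPN, AD, and firewall logs onto it.
SAMPLE_LOG = """\
2020-11-04T02:37:12 vpn LOGIN_OK user=jdoe src=203.0.113.5
2020-11-04T09:14:55 ad LOGIN_FAIL user=admin src=198.51.100.7
2020-11-04T09:15:10 ad LOGIN_FAIL user=admin src=198.51.100.7
2020-11-04T09:15:31 ad LOGIN_FAIL user=administrator src=198.51.100.7
2020-11-04T09:16:02 ad LOGIN_FAIL user=admin src=198.51.100.7
2020-11-04T09:16:40 ad LOGIN_FAIL user=jdoe src=198.51.100.7
2020-11-04T09:17:05 ad LOGIN_FAIL user=msmith src=198.51.100.7
2020-11-04T09:20:00 ad LOGIN_FAIL user=jdoe src=10.0.0.31
2020-11-04T10:02:17 vpn LOGIN_OK user=tchen src=203.0.113.77
2020-11-04T13:45:09 ad PRIV_CHANGE actor=itadmin target=jdoe group=Helpdesk
2020-11-04T22:05:44 ad PRIV_CHANGE actor=msmith target=msmith group=DomainAdmins
2020-11-04T22:06:30 fw CONNECT src=10.0.0.12 dst=198.51.100.200 dport=443
2020-11-04T22:07:01 fw CONNECT src=10.0.0.12 dst=192.0.2.50 dport=9001
"""

# Assumptions that would come from your own environment:
ON_LEAVE = {"tchen"}                       # fed from HR or the shared calendar
BUSINESS_HOURS = (7, 19)                   # 07:00 to 18:59 local time
BRUTE_FORCE_THRESHOLD = 5                  # failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window
TOR_DENYLIST = {"192.0.2.50"}              # stand-in for a Tor-relay / known-bad address feed


def parse_log(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, kind, *pairs = line.split()
        event = {"ts": datetime.fromisoformat(ts), "system": system, "event": kind}
        event.update(pair.split("=", 1) for pair in pairs)
        events.append(event)
    return events


def detect(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Run five rules over time-ordered events; return (rule, subject, detail) alerts."""
    alerts = []
    recent_failures = defaultdict(list)   # source IP -> failure timestamps inside the sliding window
    for e in events:
        kind, ts = e["event"], e["ts"]

        # Brute force: the Nth failure from one source within the window fires exactly once.
        if kind == "LOGIN_FAIL":
            window = recent_failures[e["src"]]
            window.append(ts)
            while ts - window[0] > BRUTE_FORCE_WINDOW:
                window.pop(0)
            if len(window) == BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute_force", e["src"],
                               f"{len(window)} failed logins within {BRUTE_FORCE_WINDOW}"))

        if kind == "LOGIN_OK":
            # Off-hours VPN session: who was working at 02:37?
            if e["system"] == "vpn" and not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.append(("off_hours_vpn", e["user"], f"login at {ts:%H:%M} from {e['src']}"))
            # An account in use while its owner is on leave.
            if e["user"] in ON_LEAVE:
                alerts.append(("on_leave_login", e["user"], f"login from {e['src']} while on leave"))

        # Someone granting themselves higher privileges.
        if kind == "PRIV_CHANGE" and e["actor"] == e["target"]:
            alerts.append(("self_privilege_grant", e["actor"], f"added self to {e['group']}"))

        # Outbound connection to a Tor relay or other address your users have no business reaching.
        if kind == "CONNECT" and e["dst"] in TOR_DENYLIST:
            alerts.append(("denylisted_destination", e["src"], f"to {e['dst']}:{e['dport']}"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {subject:16} {detail}")
```

On the sample this raises five alerts: the 02:37 VPN login, the brute-force burst from 198.51.100.7 (once, at the fifth failure, not on every subsequent one), the login by the user on leave, the self-granted Domain Admins membership, and the connection to the denylisted address. The single failure from 10.0.0.31 and the helpdesk change made by itadmin stay quiet, which is the point: the rules are tuned to flag the handful of events a small office can actually follow up.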
Man-in-the-Middle Attacks: Eavesdropping Conversations
In this exploit, hackers intercept communications between a system user and the server the user is trying to reach. Hackers can steal passwords and other sensitive data or actively alter information by injecting malware into the communications session.
Avoiding MitM attacks
These attacks are especially relevant to smaller businesses, which make attractive targets because they often lack the budget and staff for the monitoring and encryption controls that make interception hard.
MitM attacks are largely preventable. Just remember to:
- Avoid public Wi-Fi. When you work with sensitive business information, stay away from free, unsecured networks like those at your local coffee shop or library. On a shared network, anyone else connected to it can try to insert themselves between you and the router.
- Use a VPN. If you must use unsecured networks, a virtual private network (VPN) can shield and encrypt the data you send and receive.
- Keep software current. Update to the latest versions of secure web browsers such as Chrome or Safari and of security scanning apps such as Webroot. Set all security software to update automatically.
- Pay attention to browser alerts. Certificate warnings report that the browser cannot verify the identity of the site you are about to enter, which is exactly what a MitM attacker’s forged certificate produces. It’s easy to click through them, but they exist to stop you from handing your session, and your credentials, to an interceptor. Never accept a certificate warning on a network you don’t control.
- Take precautions needed to avoid malware and phishing attacks. Software that enables these attacks often provide MitM hackers access to your data and communications. For detailed how-to information, refer to “Password Attacks” and “Phishing Attacks” sections in this guide.
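Certificate warnings are the browser-side symptom of a MitM attack. The network-side symptom on a shared Wi-Fi network is ARP spoofing: the attacker’s adapter starts answering for the router’s IP address, so your traffic flows through their machine. The Python script below, an added example written for this guide rather than code from any product named here, parses the neighbor table your operating system already keeps (`arp -an` on macOS, BSD and Linux, or `ip neigh` on Linux), compares two snapshots taken a few minutes apart, and flags the two classic signatures: the gateway’s MAC address changing, and one MAC address claiming several IPs. The snapshots are constructed; the gateway address is an assumption you would read from your own routing table.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Matches `arp -an` output on macOS, BSD and Linux ("? (192.168.1.1) at aa:bb:cc:dd:ee:ff ...")
# and `ip neigh` output on Linux ("192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE").
ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})", re.I)
IP_NEIGH_LINE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) .*lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_neighbor_table(text: str) -> Dict[str, str]:
    """Return {ip: normalized_mac}; incomplete entries (no MAC learned yet) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line) or IP_NEIGH_LINE.match(line)
        if m:
            # Normalize "0:1a:2b" style (macOS drops leading zeros) to two-digit octets.
            mac = ":".join(octet.zfill(2) for octet in m.group("mac").lower().split(":"))
            table[m.group("ip")] = mac
    return table


def duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """One MAC answering for several IPs is the classic ARP-spoof signature (the attacker's
    adapter claims the gateway's IP as well as its own). Caveat: a router with several
    addresses or a NAT box can do this legitimately, so treat a hit as a prompt to check, not proof."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(before: Dict[str, str], after: Dict[str, str], gateway_ip: str) -> List[Tuple[str, str]]:
    """Compare two snapshots of the neighbor table taken a few minutes apart on the same network."""
    alerts = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        alerts.append(("gateway_mac_changed", f"{gateway_ip} moved from {old} to {new}"))
    for mac, ips in duplicate_macs(after).items():
        alerts.append(("duplicate_mac", f"{mac} claims {', '.join(ips)}"))
    return alerts


# Constructed snapshots of a coffee-shop network. 192.168.1.1 is the real gateway; the device at
# 192.168.1.20 starts answering ARP for the gateway between the two captures.
BEFORE = """\
? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:0:0:20 on en0 ifscope [ethernet]
? (192.168.1.37) at de:ad:be:ef:0:37 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""
AFTER = """\
? (192.168.1.1) at aa:bb:cc:0:0:20 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:0:0:20 on en0 ifscope [ethernet]
? (192.168.1.37) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    gateway = "192.168.1.1"   # assumption: read it from `netstat -rn` or `ip route` on your machine
    for kind, detail in check_gateway(parse_neighbor_table(BEFORE), parse_neighbor_table(AFTER), gateway):
        print(kind, "-", detail)
```

If either alert fires on a network you don’t control, the safe response is the one the list above already gives: stop, disconnect, and do sensitive work only through your VPN or on a network you trust.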
Distributed Denial of Service Attacks
In a distributed denial-of-service (DDoS) attack, hackers use malware-infected machines (a botnet) or other cyber tools to make computers or network resources unavailable to their intended users.
When run from botnets of hundreds of thousands of infected devices, DDoS attacks can bring the activity of the largest companies to a halt. They can run on their own or as a smokescreen for other intrusions, such as password attacks, to deliver extra damage to their targets.
Many DDoS attacks target the network and transport layers, flooding the links and connection tables that carry traffic between networks; others target the application layer with floods of seemingly legitimate web requests. As attackers send large volumes of junk traffic at your IT infrastructure, your site becomes slow, then intermittently inaccessible, then unusable. Your business and its revenue streams stop.
Recent attack trends
DDoS attacks have grown more powerful and complex over the years, and they victimize networks of all sizes. Mammoth attacks (2.3 Tbps in February 2020 and up to 1.5 Tbps in 2016) continue to amaze IT security pros. But smaller attacks are also effective against under-protected internet assets of smaller businesses.
Early warning signs of DDoS attacks
The best way to detect and identify a DDoS attack is network traffic monitoring and analysis. These symptoms can indicate a DDoS attack in progress:
- Unusually slow network performance when users open files or visit websites.
- A particular website becomes unavailable.
- All websites become unavailable.
When you see them, contact your ISP to confirm whether the outage stems from attack traffic upstream or from a problem inside your own network. The ISP can also filter volumetric attacks before they reach your connection, which you cannot do from your side.
It’s important to understand the warning signs of network slowdown, intermittent website shutdowns, and loss of other important system functions. These general rules and guidelines apply to all small-office IT operations. When you engage in specialized practices, however, there are more requirements to consider.
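At the application layer, the monitoring the previous paragraphs call for can start with the web server’s own access log. The Python script below is an added example for this guide, not code from any product named here. It parses the Combined Log Format that Apache and nginx write by default and runs two sliding-window rules over a constructed sample: one source sending more requests than a human could click, and many sources hitting one path with an identical scripted User-Agent, the shape of a botnet. The thresholds are assumptions set deliberately low so the sample trips them; derive real ones from a week of your own normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Parses the Combined Log Format that Apache and nginx write by default.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one source hammering the front page, a botnet-style burst of four distinct
# sources hitting /search with an identical scripted User-Agent, and one ordinary visitor.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [04/Nov/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.7 - - [04/Nov/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.7 - - [04/Nov/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.7 - - [04/Nov/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.7 - - [04/Nov/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.7 - - [04/Nov/2020:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0"
192.0.2.8 - - [04/Nov/2020:10:00:04 +0000] "GET /about HTTP/1.1" 200 2048 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; rv:82.0) Gecko/20100101 Firefox/82.0"
203.0.113.1 - - [04/Nov/2020:10:00:05 +0000] "GET /search?q=a HTTP/1.1" 200 9000 "-" "python-requests/2.25.1"
203.0.113.2 - - [04/Nov/2020:10:00:05 +0000] "GET /search?q=b HTTP/1.1" 200 9000 "-" "python-requests/2.25.1"
203.0.113.3 - - [04/Nov/2020:10:00:06 +0000] "GET /search?q=c HTTP/1.1" 200 9000 "-" "python-requests/2.25.1"
203.0.113.4 - - [04/Nov/2020:10:00:06 +0000] "GET /search?q=d HTTP/1.1" 200 9000 "-" "python-requests/2.25.1"
"""

# Assumed thresholds, deliberately tiny so the sample trips them; derive real ones from a week of
# your own normal traffic (for example several times the 99th-percentile per-source rate).
WINDOW = timedelta(seconds=10)
PER_SOURCE_LIMIT = 5        # requests from one IP inside the window
DISTRIBUTED_LIMIT = 4       # distinct IPs hitting one path with the same User-Agent inside the window


def parse_access_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # skip lines the regex does not recognise rather than crashing
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["target"].split("?", 1)[0],
            "ua": m["ua"],
            "status": int(m["status"]),
        })
    return events


def detect_floods(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Sliding-window detection over time-ordered requests. Each (rule, subject) fires once."""
    alerts, fired = [], set()
    per_ip = defaultdict(list)            # ip -> timestamps inside the window
    per_signature = defaultdict(list)     # (path, ua) -> (timestamp, ip) inside the window
    for e in events:
        ts = e["ip"] and e["ts"]

        # Rule 1: a single source sending more than a human could click.
        hits = per_ip[e["ip"]]
        hits.append(ts)
        while ts - hits[0] > WINDOW:
            hits.pop(0)
        if len(hits) >= PER_SOURCE_LIMIT and ("per_source_flood", e["ip"]) not in fired:
            fired.add(("per_source_flood", e["ip"]))
            alerts.append(("per_source_flood", e["ip"], f"{len(hits)} requests in {WINDOW.seconds}s"))

        # Rule 2: many sources, one identical request signature: the shape of a botnet.
        key = (e["path"], e["ua"])
        sig = per_signature[key]
        sig.append((ts, e["ip"]))
        while ts - sig[0][0] > WINDOW:
            sig.pop(0)
        distinct = {ip for _, ip in sig}
        if len(distinct) >= DISTRIBUTED_LIMIT and ("distributed_flood", e["path"]) not in fired:
            fired.add(("distributed_flood", e["path"]))
            alerts.append(("distributed_flood", e["path"],
                           f"{len(distinct)} sources, UA '{e['ua']}' in {WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect_floods(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"{rule:18} {subject:16} {detail}")
```

Rule 1 is what a rate limiter in your web server or firewall enforces automatically once you know the number; rule 2 is the one that catches a distributed attack that stays under any per-source limit, and it is also why blocking a single IP rarely ends a DDoS. Neither helps against a volumetric flood that saturates your link before the packets reach the server; that is the case for the call to your ISP.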
Working with Compliance and Liability Requirements
Depending on your specialization, your practice might work with various types of sensitive legal, financial, and healthcare data. Each of these types of information is protected with security standards, laws, and regulations.
Each country and each US state has its own data protection laws and recommendations. Here are compliance tips for U.S. law firms:
- Perform detailed background checks when hiring new employees.
- Identify the location and type of sensitive data that you store and handle.
- Encrypt sensitive information at rest and in transit.
- Verify user identities carefully by using multi-factor authentication.
- Minimize the number of users who have access to sensitive information.
- Install and use an employee monitoring solution.
- Pay special attention to privileged users, who have access to your organization’s critical data and infrastructure.
- Check vendors’ compliance with cybersecurity standards and which vendors get access to your important company assets.
- Write and enforce incident response and threat protection plans.
Many bodies and regulations govern how legal firms gather, store, and handle information. Here are the major ones that guide these activities in the U.S. and the European Union:
- American Bar Association developed the Model Rules of Professional Conduct.
- National Institute of Standards and Technology (NIST) established and maintains Special Publication 800-53.
- General Data Protection Regulation (GDPR) guides compliances of companies that operate in the EU or manage the data of EU residents.
These industry acts and standards describe the necessary data protections for specific types of data. These include:
- HIPAA for healthcare information.
- PCI DSS for payment card data.
- SOX for accounting and investor information.
In medical practices with fewer than 20 employees, doctors are often reluctant to spend money on HIPAA security measures. They don’t believe they’re at risk for a data breach. But then, all it takes is a lost laptop, theft of a tablet, or human error to release patient data accidentally. And then, there’s the risk of ransomware or a data breach.
Small businesses are vulnerable to a wide variety of cyberattacks. Here are some hints, and pointers to agencies, that can guide your practice through the modern age of cyberattacks.
HIPAA Security Rule
The HIPAA Security Rule focuses on securing the creation, use, receipt, and maintenance of electronic protected health information (ePHI) by HIPAA-covered organizations. The rule sets standards for the administrative, physical, and technical safeguards that must protect that information.
Healthcare data breaches are very frequent. We published a research piece highlighting the incidence of healthcare data breaches in the US between 2009 and 2019.
Complying with the HIPAA Security Rule
Here’s a list of capabilities that medical practices must be able to show in data audits:
- Educating healthcare staff (general security awareness and knowledge of HIPAA requirements)
- Restricting access to patient data and applications
- Controlling how patient data is used and stored
- Logging and monitoring access- and use-related data
- Encrypting data on mobile devices
- Securing mobile devices
- Reducing the risks of operating Internet of Things (IoT) devices
- Conducting regular data risk assessments
- Using off-site data backup facilities
HIPAA: The Health Insurance Portability and Accountability Act is a federal law that aims to make it easier for people to:
- Keep their health insurance when they change jobs.
- Protect the confidentiality and security of healthcare information.
- Help the healthcare industry control their administrative costs.
International Organization for Standardization: ISO 22301:2012 is an international standard that provides a best-practice framework for implementing a business continuity management system (BCMS). More ISO standards apply to medical patient data; the ISO catalog lists them.
Financial Services Practices and Advisors
To ensure that financial services professionals and their firms take cybersecurity seriously, the Securities and Exchange Commission (SEC) and U.S. state securities regulators are cracking down on financial advisors’ cybersecurity practices. Recent changes in compliance-related enforcement activity include these:
- The SEC now performs cybersecurity examinations as well as regular inspections.
- The SEC now charges firms that fail to keep client data safe.
- The Securities Industry and Financial Markets Association works with financial firms and government regulators to simulate real cybersecurity attacks.
- The American Institute of Certified Public Accountants has developed cybersecurity attestation frameworks such as System and Organization Controls (SOC) reporting. Similar certification is being developed for financial services firms and advisors.
Establish a formal security framework.
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework describes best practices organized around five core functions: Identify, Protect, Detect, Respond, and Recover.
- The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook provides a comprehensive list of security guidelines.
Developing these capabilities should make complying with GLBA, PCI DSS, and SOX standards easier.
Strengthen your employees’ security knowledge.
Most malware attacks succeed by using online social engineering schemes that manipulate unsuspecting users to open the door wide for hackers. To prevent this scenario:
- Teach users attack identification techniques and other security best practices.
- Set up and enforce rules for using password managers and logging out of devices before leaving them unattended.
Perform continuous threat monitoring.
Recognize patterns of vulnerability. For example, the RSA 2020 State of Security Operations report revealed that 35% of threats were detected between 8 p.m. and 8 a.m.
Discover, assess, and manage vulnerabilities.
With the average organization deploying 129 apps, there are ample opportunities for bad actors to find weaknesses in your IT infrastructure. No organization can address all vulnerabilities at once. That’s where vulnerability assessments come in. They help you:
- Understand what’s going on throughout your IT infrastructure, including software and systems that have weaknesses.
- Prioritize the highest-value vulnerabilities, so you can fix them first.
- Monitor and scan your system for vulnerabilities, regularly and consistently.
Manage third-party risks.
Financial services businesses rely on many types of vendors, suppliers, and partners, who can expose your business to trouble. Across all sectors, Ponemon Institute found that 59 percent of those surveyed said they’ve experienced a breach due to a third party.
Yet only about a third kept an inventory of their third parties and even fewer—16 percent—said they effectively mitigated the risks. Protect your network by:
- Establishing and verifying security practices of your vendors and partners.
- Using SLAs to require business associates to maintain security best practices.
- Segmenting your network and limiting third-party access to critical information assets.
- Using a threat detection and response solution to monitor your network for odd behavior.
Devise an incident response plan
You should have well-defined methods that you can find and use quickly to quarantine, block, or eliminate malicious network traffic. If you don’t have them, you should. Your effort needn’t be a burden. Just create a document that provides answers to questions about everyone in your business network:
- Whose job is it to inform clients, partners, suppliers, and employees if an attack affects their operations?
- If data has been lost, who is responsible for recovering it, and how?
Or, if you have an MSP, whom should you contact?
Answering these and other questions ahead of time can reduce post-attack confusion and pave a smoother path to recovery.
These sources provide background information about regulations that affect day-to-day cybersecurity operations and how to set up your security compliance system:
As you can see, recent changes in cyberattack tactics and targets put your business in the crosshairs of actors who will try to do you harm.
Protecting yourself from these groups will require more time, effort, and money than in the past. But remember, your potential savings of time, money, and perhaps your reputation will be larger, too.