An employee working from home opens an attachment in an existing email thread with coworkers. Someone else quickly types in a URL to look something up while working on a project, without noticing they made a small typo. A new colleague receives an email that looks like it comes from a payroll company and responds with their Social Security number and bank account information.
Each of these scenarios could be just part of a normal day for an employee who spends most of their time working at a computer. But they’re also opportunities for a cyber attack that could wreak havoc for an entire company, its employees, and its customers. Now that more employees are working remotely for all or part of the work week, outside of the security of a company’s internal IT systems, the threat is even greater. In the first few months of the pandemic, cyber attacks on cloud infrastructure skyrocketed by 600%.
“Employees have a role to play, but more sophisticated attacks make it next-to-impossible to spot them,” says Ian Pratt, global head of security for Personal Systems at HP. “That’s why it’s key that employees feel empowered to inform IT when something looks off.”
According to a study conducted by HP and Morning Consult, roughly half of remote workers believe that remote and flexible work would not be possible without the efforts of their IT department. IT, however, can only do so much to protect organizations from an increasingly sophisticated threat landscape.
“It’s a shared responsibility,” says Ashley Allocca, an analyst for cyber threat intelligence provider Flashpoint. “There are more threats if people aren’t properly instructed on how to keep up with good cyber hygiene.”
While remote employees don’t need to become experts in cybersecurity, it’s critical that they understand how to identify potential threats. Here are seven terms every remote or hybrid employee should understand in this new reality.
1. Ransomware
Ransomware is a type of malware that prevents users from accessing files on a device or network until a ransom is paid to the attacker. It’s essentially a way for cyber criminals to hold your digital assets hostage, and is often perpetrated through email attachments, ads, links, or websites that lock users out of their devices until payment is made, typically in cryptocurrencies. Two-thirds of the global IT organizations surveyed by Sophos reported being victims of some form of ransomware attack in 2021, a 78% increase from 2020.
Keeping your operating systems, applications, and software up to date; using spam filters that scan or block suspicious emails and attachments; and backing systems up frequently are all tactics that help prevent ransomware attacks.
2. Spear phishing
Phishing is a type of cyber attack that attempts to trick users into clicking on a malicious link or downloading an infected email attachment. You can think of spear phishing as its more targeted cousin: attackers actually research their targets to craft messages that look safe to them, often by posing as trusted sources. Phishing and its variants were the most prolific cybercrime type in 2021, according to the FBI, which received more than 324,000 reports of such attacks.
“Phishing attacks can really enable an actor to gain a foothold in the network, and they generally require much less technical acumen to perform, compared to other attack types,” says Allocca. Upon receiving a suspicious communication, Allocca says, employees should avoid responding and report it to IT right away.
3. Spoofing
Spoofing is one of the many ways in which a spear phishing attack is perpetrated. Once the attacker has some sense of their target’s habits, they disguise themselves as a trusted source, often by changing an email address, name, phone number, or URL by just one letter, symbol, or number. Unless the target is paying close attention, the subtle change can easily go unnoticed.
Once attackers convince their targets that these “spoofed” communications are from a trusted source, they can use that trust to ask for sensitive information or money, or trick them into downloading malicious software. When in doubt about the authenticity of an email, text message, phone call, or website, take a very close look at the address, and if you’re still unsure, reach out to the supposed sender on a different platform to confirm the communication is real.
4. Pretexting
Like spoofing, pretexting is a type of attack in which cyber criminals assume a false identity, but this type of attack goes a step further. Instead of just assuming the identity of a known and trusted source, the attacker assumes the identity of some sort of authority figure or service provider by concocting a plausible situation.
For example, the attack could be perpetrated by someone claiming to be a bank representative checking on a suspicious transaction. More sophisticated attackers might even have some basic information about their targets — such as their name, phone number, and the last four digits of their bank card — which they can use to establish credibility when requesting more sensitive information, claiming they need it for verification purposes. That’s why it’s always important to confirm the identity of any unfamiliar caller or email asking for personal information for any purpose.
5. Typosquatting
Typosquatting, also referred to as URL hijacking, occurs when a malicious actor purchases a domain name that closely resembles a trusted brand’s website. It’s a more passive form of spoofing: in this case, attackers are depending on users to misspell a website address themselves. If a user were to accidentally misspell the URL they are looking for, they might end up on a site that looks like the one they wanted to visit, but is actually set up to perpetrate an attack. For example, website URLs like Goggle.com and Goole.com have been used in the past to attack unsuspecting users intending to visit Google.com. Some of these sites just want to serve up popup ads to bring in some advertising revenue; others will seek to install malicious software onto visitors’ devices. It might seem like a minor mistake, but it can have significant consequences, so always double check any address you type in manually before clicking “enter.”
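Both the spoofing section above (an address altered by a single character) and this typosquatting section come down to the same defensive check: does a domain that is not on the organization’s trusted list sit within one edit, or one look-alike character swap, of a domain that is? The script below is an added example, not code from the article or from HP; it implements that check with a plain edit-distance comparison plus a small confusable-character fold. The trusted-domain list, the confusables table, and the sample addresses (including the article’s Goggle.com and Goole.com) are all constructed for illustration.

```python
"""Lookalike-domain check for sender addresses and typed URLs.

Added example, not code from the original article. The trusted-domain
allow-list, the confusable-character table and the sample inputs below are
constructed for illustration.
"""
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation and its vendors really use.
TRUSTED_DOMAINS = {"google.com", "example-payroll.com", "hp.com"}

# Characters commonly swapped for look-alikes in spoofed addresses
# (constructed, not exhaustive): digits for letters, 'rn' for 'm', 'vv' for 'w'.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Replace look-alike characters so 'g00gle' and 'rnicrosoft' compare equal to the real names."""
    for lookalike, real in CONFUSABLES.items():
        domain = domain.replace(lookalike, real)
    return domain


def domain_of(address_or_url: str) -> str:
    """Pull the host out of an e-mail address ('user@host') or a URL (scheme optional)."""
    s = address_or_url.strip()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower()
    if "://" not in s:
        s = "http://" + s  # urlparse only recognises a host when a scheme is present
    return (urlparse(s).hostname or "").lower()


def registrable(host: str) -> str:
    """Keep the last two labels: 'login.google.com' -> 'google.com'.
    (A real deployment would consult the Public Suffix List for 'co.uk'-style TLDs.)"""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify(address_or_url: str, trusted=TRUSTED_DOMAINS,
             max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return ('trusted', domain), ('lookalike', domain_it_imitates) or ('unknown', None).

    An exact match on the raw domain wins. Otherwise the confusable-folded domain is
    compared to each trusted domain by edit distance; a distance of 0 after folding
    (e.g. 'examp1e-payroll.com') is still a lookalike because the raw string differed.
    """
    base = registrable(domain_of(address_or_url))
    if base in trusted:
        return "trusted", base
    folded = fold_confusables(base)
    best: Optional[Tuple[int, str]] = None
    for t in trusted:
        d = levenshtein(folded, fold_confusables(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inputs, including the article's Goggle.com and Goole.com.
    for sample in ["alice@google.com", "https://login.google.com/auth", "Goggle.com",
                   "http://Goole.com", "payroll@examp1e-payroll.com", "bob@unrelated.org"]:
        print(f"{sample:35} -> {classify(sample)}")
```

The default threshold of one edit matches the article’s “just one letter, symbol, or number”; raising `max_distance` catches transposed letters (which Levenshtein counts as two edits) at the cost of more false positives on short domains, so tune it against your own allow-list. A result of `unknown` is not a verdict of safety, only that the domain imitates nothing on the list.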
6. Shoulder surfing
During the pandemic, laptops stayed put at home. But as employees move their devices back and forth between the office and home, travel for business, and set up temporary digs in other shared workspaces, there’s a greater potential for risk. Stealing sensitive data in these scenarios is as easy as glancing for just a beat too long over a would-be target’s shoulder to spy what’s on their screen, where someone can pick up login credentials or a PIN code. Shoulder surfing, as it’s known, is a form of social engineering where an attacker attempts to gain secure info to later access devices or services. One way to get around this is with a product like HP Sure View, an integrated privacy screen that blurs what can be viewed from an angle and can be toggled on and off in less secure situations.
7. Zero-click attack
Zero-click attacks, also known as “zero-click exploits,” require no action on behalf of the victim, meaning that even the most vigilant employee can fall prey. To make matters worse, these types of attacks often leave little trace behind, which makes detection extremely difficult.
Instead of relying on social engineering, these attacks depend on exploiting vulnerabilities in software applications, often messaging and voice calling apps. Once they get access, attackers can extract information or money from their targets in a variety of ways, such as installing ransomware or stealing customer or employee data. While individual employees may not be able to spot a zero-click attack, they can help prevent them by keeping their operating systems and apps up to date, only downloading apps from official app stores, and deleting any apps that are no longer in use.
“Threat actors will continue to target employees because they view them as the weakest link,” says Pratt. “But with the right communication and training, employees can become an organization’s strongest line of defense.”