
Cyber Security:
The Ultimate Guide for Businesses

This easy-to-follow guide outlines current issues and provides actionable solutions to help you keep cyber criminals out of your business.

In this guide, you’ll learn about emerging cyber threats, prevention best practices, and how to react during a worst case scenario.

Let’s get started.
 

Cyber Security 101

What exactly is cyber security?

 

Cyber Security is an ongoing, multi-tiered process of shielding computer systems, people, networks, and software from cyber attacks.

 

Business cyber security is no longer an exclusive concern for IT staff. For the foreseeable future, cyber security crosses all boundaries within an organization: IT, financial, operations, HR, legal, and C-suite execs.
This guide will run through cyber security musts for your business to stay secure.

 
 

Types of cyber security

Cloud Security

Cloud security refers to the technologies, policies, controls, and services that protect cloud data, SaaS applications, and infrastructure from threats.

Network Firewall Security

Network firewalls are security devices used to stop or mitigate unauthorized access to private networks connected to the Internet.

Computer Endpoint Security

Endpoint security or endpoint protection is an approach to protecting computer networks remotely bridged to client devices.

Mobile Device Security

Cyber attacks using phones are on the rise. Compromised apps can trick you into assigning them admin privileges to grab login credentials, bank information, social media profiles, etc.

 

Helpful Terms You Should Know

Cyber security is top of mind for businesses in 2022. Engaging in necessary discussions with your staff, vendors, and service providers isn’t tricky if you have a solid working vocabulary.

As with any industry, the cyber world has its jargon—a framework of terms that outline problems and describe solutions.

First, the good

  • Cryptocurrency: Virtual or digital money. Bitcoin is the most recognizable, though there are dozens of others. It’s not inherently good or bad but is often associated with criminal payments because of its anonymity and lack of traceability.
  • Data Encryption: A positive, proactive action that businesses can take to render closely-held information unreadable by those attempting to steal that data. Once the data is encrypted, the bad guys may access it but can’t collect it in a readable format.
  • Vendor Risk Management (VRM): The process of measuring and mitigating the risk that your 3rd-party vendor relationships pose to your information, network, and organization.
  • Cyber Attribution: The process of tracking and identifying the perpetrator of a specific cyber attack. There are severe consequences for businesses regarding public relations, privacy, compliance, reputation, and finances.
  • Patching Cadence: Refers to how often an organization reviews systems, networks, and applications for updates to remediate security vulnerabilities.
  • Off-site Backups: Storage that is separate from your day-to-day systems used for saving critical business data. If you fall victim to an encryption ransomware event, viable cloud-based backups may be your only lifeline to regain control of your business operations.
  • Cyber Security as a Service (CSaaS): The average small- to mid-market business (SMB) doesn’t have the internal resources to battle cyber crime. You can now outsource cyber security to specialized IT services providers to stand watch with you.
  • Ransomware Incident Response Plan: A must-have in 2021 and beyond. Having a vetted plan in place before a breach occurs gives you the best shot at post-breach business continuity. Here’s a great way to get started on your business’ incident response plan.

Second, the bad

  • Monetization: In the cyber world, monetization is about cyber criminals’ creative ways to convert your stolen data into money.
  • Malware: Malicious software purposely designed to infiltrate computer systems. Virus, worm, and trojan horse are malware terms you may already know. This is different than ransomware.
  • Killware: A new kind of malware, different from other forms of malware in that the perpetrator(s) are not financially motivated but rather seem intent upon harming or killing people.
  • Vendor Email Compromise (VEC): An email cyber-attack strategy targeting companies doing business in today’s global supply chain management measured in the tens of billions of dollars a year and growing.
  • Vulnerability: A system or network that is more susceptible to attacks for one reason or another. Here’s a real world example from late 2020.
  • Exploit: Known software vulnerabilities that hackers continue to take advantage of to establish a toehold in your systems. Exploits are often associated with older software that no longer receives ongoing security update patches from the manufacturer.
  • Distributed Denial-of-Service (DDoS): An attack vector that generates an avalanche of traffic requests on websites to undermine them for a time. DDoS is not an easy cyber attack to monetize but can negatively affect any company’s online reputation. Recently a massive DDoS attack on 200 government websites shut down most of an entire country’s internet infrastructure. (Make sure you follow our tips for improving your web security to avoid this happening to you.)
  • Botnets: Automated networks of hijacked computers used to carry out various scams and cyber mischief.
  • Drive-by Download: The unintentional download of malware from a compromised website onto a computer or mobile device without a user’s knowledge or consent.
  • Social Engineering: A multi-level process of psychological manipulation by bad actors to trick users into making security blunders or giving away sensitive information. It’s a critical component of successful phishing attacks.
  • Shadow IT: Systems and applications that are used without explicit knowledge and permission by your IT department.

Third, the UGLY

  • Phishing: When a bad actor uses email, social media, or texting to impersonate a legitimate or trusted corporation that directs the recipient to take immediate action. This action would then give the “phisher” an access point to critical data or information. Variations include spear-phishing and whale phishing.
  • Data Breach: Refers to when cyber criminals steal confidential business data and personally identifiable information (PII) like medical records, social security numbers, birthdates, phone numbers, etc.
  • Data Exfiltration: The process of downloading monetizable data once a breach occurs. Most large ransomware attacks in 2021 involve data exfil.
  • File Encryption: The first phase of a ransomware event, rendering your computer files unusable, bringing business operations to a halt. By the time you recognize it’s happened, it’s too late.
  • WebShell: A script running on a web server that enables unauthorized remote admin access. It’s a platform often used for ongoing cyber attack schemes to delete backup volumes.
  • Exploit Kits: Pre-packaged collections of proven malware made available for purchase on the dark web. These are relatively inexpensive, all-in-one tools that make it super simple for entry-level hackers to use exploits without much technical knowledge.
  • Advanced Persistent Threat (APT): Established groups that receive guidance and overwatch support from nation-states like Iran, North Korea, the Russian government, and China. Cyber security leader, FireEye, tells us that while most cyber attacks are hit-and-run, APT attackers stalk their high-value targets over months, even years.
 

Examples of Cyber Attacks

All successful cyber security attacks share a common goal—a financial jackpot of ill-gotten gains.

Attackers want money. It can be cash deposited into a Bitcoin wallet. It could also be theft of customer data or proprietary business information converted to currency at sinister auction sites on the deep or dark web.

There’s been exponential growth in the number and sophistication of tools, tactics, and strategies for today’s cyber attacks.

The two primary attack vectors in 2021 are ransomware and phishing.

What is a phishing attack?

Phishing attacks use digital media—email, mobile SMS texts, even voice calls, and robocalls—to compromise business email systems to obtain confidential information. Attackers disguise these messages as coming from trustworthy entities like banks or package delivery tracking services from Amazon, FedEx, etc.

 

Urgency is built into the message, designed to play on an individual’s financial or emotional well-being. These attacks trick unaware recipients into clicking on a fake link which launches the next phase of the attack campaign.

 

One particular scam involves displaying a warning that your company’s website is copyrighted material “owned by” the sender and they’re threatening legal action.

 

Targeted phishing campaigns

Phishing attacks, aka Business Email Compromise, have been evolving over the years, as well-financed criminal organizations are taking a more dominant role. The majority of pre-2020 attacks cast a wide net, using automated systems to send messages to millions of harvested email addresses.

 

Today we see a shift from an automated process to targeted, highly creative phishing attack strategies that use social engineering and psychological manipulation to land bigger fish and a monster payday.

 

Spear-Phishing Attacks

Spear-phishing targets a business’s department-level staff, often HR or Accounting. A typical payoff here is funds transfer fraud, tricking an employee into wiring money to a hijacked vendor bank account to the tune of millions.

 

Whale Phishing Attacks

Whale phishing points squarely at business owners and C-suite executives. These are longer-term scams that begin with deep research into an executive’s business and personal life.

 

Nothing in a CEO’s private world is sacred or off-limits: family, personal email accounts, social media profiles, pet names, religious practices, hobbies, doctors, home contractors, community interests, politics, golf handicap, charities, writing style—anything to glean enough information to impersonate an executive online successfully.

 

CEOs are very busy people and don’t want to spend extra time on complicated security practices. Without knowing, owners of small- to mid-market businesses can make significant cyber security mistakes. The good news is that these are preventable.

 

What is ransomware?

Ransomware is a form of targeted malware that downloads onto your system, quickly encrypting all files and any backups, rendering them unusable—scorched earth.

 

Ransomware is hugely lucrative because large corporations continue to pay exorbitant ransom demands, chalking it up as a “cost of doing business.”

 

The FBI says financial setbacks due to weak cyber security will reach $6 trillion by 2021.

 

Common types of ransomware

Systemic ransomware impacts multiple organizations in a single blast attack and usually doesn’t rely on hands-on action by threat actors. It’s highly automated malware with names like NotPetya or WannaCry. These scattershot attacks are typically broad in scope and geography.

 

Targeted ransomware focuses on individual organizations or entire industries. These attacks often involve data exfiltration of classified, personal information that the attacker threatens to release into the wild unless a company pays up. Stolen data can be auctioned off to the highest bidder, even if the company pays the initial ransom.

 

How does ransomware work?

An encryption ransomware attack happens to your business when a staff member clicks a bogus email link or visits a compromised website (ensure you have an SSL to help prevent this). In the blink of an eye, all files and data backups are encrypted and become unusable by you. Attackers demand a cash ransom to purchase a “decryption key” to restore the integrity of corrupted files and resume normal business operations.

 

Ransom demands vary, from a few hundred dollars to millions of dollars. Whatever the market will bear, payable in Bitcoin or other untraceable cryptocurrencies. Colonial Pipeline recently paid a roughly $5 million ransom to the DarkSide ransomware group.

 

If you don’t pay, the only other option would be to start from scratch and try to restore your entire technology infrastructure from off-site backups, assuming you have those. Even if you have viable cloud backups, it could take weeks or even months of business downtime to restore network servers and reimage all workstations.

 

How to Identify Risks and Respond

People’s actions are inherently unpredictable.

All cyber attacks have a human component—a person’s unfortunate decision to click a suspect link or open a document from an unknown person or organization.

We can’t predict individual cyber attacks any more than we can know in advance the exact epicenter and magnitude of earthquakes.

But as with earthquakes, we know that cyber attacks are a reality and prepare for them as best we can.

Identifying cyber security risks

Cyber crime activity is a moving target. Attackers change up attack patterns, tools, and tactics as the security industry catches up. As a user of everyday technology, you unknowingly expose yourself to cyber security threats on a daily basis.

 

A pre-breach vulnerability assessment is one of the best tools businesses can use to solidify breach defense. Many legacy systems still in use today are no longer being patched for security flaws.

 

Phase one of a vulnerability assessment is a one-time, fixed-cost project with observations and recommendations for additional security measures to prevent or mitigate damage from an attack. As a follow-up, ongoing quarterly reassessments can help keep you ahead of shifting cyber attack strategies.

 

What is an incident response playbook?

A cyber security incident response playbook is a set of rules and actions for a planned systems recovery before a cyber attack cripples an organization. The first 24 – 48 hours is crunch time for any attack on your IT systems. Know what to do, when to do it, and who’s in charge of it.

 

Six stages of cyber security incident response

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

 

Having these stages and assigned roles in place ahead of the attack can lessen the severity and improve the eventual outcome.

 

A ransomware attack happened. Now what?

Most likely, you’ll be dealing with career criminals looking for an easy score. These large groups are professional, well organized, well funded, and well versed in cyber operational security (OpSec).

 

Ransomware attackers research how much your business can reasonably afford to pay and whether you have cyber security insurance coverage to defray the ransom cost.

 

If you decide to pay, you’ll receive a decryption key to rescue your files. Instead, you might choose to restore your information systems from backups. Depending on the size of your IT infrastructure, that could take days, weeks, or even months of lost productivity.

 

See also, “Ransomware Wars: To Pay Or Not To Pay” for a detailed discussion of this very important topic.

 

When ransom attacks go wrong

Ransomware as a Service (RaaS) and the abundance of exploit kits available on the dark web have introduced a new layer of disarray into an already chaotic situation. 2021’s cyber attack landscape is like the wild west, and standard “rules” no longer apply.

 

Even if your organization agrees to pay the ransom, newbie hackers with eyes on a big payoff can complicate the process in many ways. Some, fearing law enforcement, get cold feet and break contact completely.

 

These types often re-negotiate the ransom amount or demand payment in an obscure cryptocurrency—not the standard Bitcoin. This back-and-forth can significantly increase lost productivity.

 

Paying the ransom doesn’t guarantee that your files will decrypt correctly. New for 2021, many criminal syndicates offer “helpful customer service” to help with decryption efforts.

 

Double-extortion ransomware

Some companies choose not to pay for a decryption key if they know they can restore systems from backups quickly. Attackers employ double-extortion to increase the likelihood of getting paid.

 

They download sensitive information from the victim’s systems in advance of encrypting their files—intellectual property, customer information, financials, and the like.

 

The threat actor can now make an additional ransom demand to prevent broadcasting sensitive data to the public. More and more often, attackers are seeking payment before agreeing to show what data they exfiltrated.

 

How to Prevent a Cyber Attack

Realistically, it’s almost impossible to 100% prevent a devastating cyber attack from happening—but there are best practices you can put in place to reduce your risk so that a data breach event in your organization wouldn’t be catastrophic.

We put together ten proactive steps you can take now to bulk up your security posture and protect against all forms of cyber attack.


Identifying cyber security risks

  1. Create a written plan. It seems obvious, but most SMBs don’t have a fully-vetted incident response playbook. Know how to respond to a breach event before it happens. Write it down.
  2. Lock down your remote connections. Many pandemic work-from-anywhere employees still need to connect with brick-and-mortar office resources. Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) connections hold the number one and number two positions on the list of exploitable entry points.
  3. Enforce basic cyber hygiene. Use proven solutions such as multi-factor authentication (MFA) and a passphrase manager. These simple and effective cyber security solutions have been available for years, and in 2021 there’s no good reason to ignore them.
  4. Implement endpoint security with DNS filtering. All user devices like workstations and laptops must have next-gen antivirus and anti-malware installed. Restrict access to known malware sites. These tools don’t protect against every cyber attack but will stop some.
  5. Maintain offsite backups. If your files get encrypted in a ransomware attack, viable backups separated from your IT systems may be the only way to recover, even if you agree to pay the ransom.
  6. Keep your data encrypted, both at rest and in transit. If attackers steal your data, it will be unreadable, and they can’t use it against you. Your email can also be encrypted. Here’s a list of top secure email services for 2021.
  7. Keep ALL system software up-to-date. Regularly patched software offers fewer vulnerabilities to exploit. Software developers make frequent security updates to their products, and so should you.
  8. Never use personal computers in a WFH environment. Businesses that plan to continue remote work operations after the pandemic must provide a separate, secure business workstation or laptop.
     You’ll inevitably need video conferencing and you need to make sure you’re safe about it.
  9. Get rid of shadow IT. It’s not OK to use rogue software that isn’t part of your organization’s cyber security-approved list. Don’t install software or give it administrative privileges unless you know precisely what it is, what it does, and who has access to it.
  10. Provide employees regular cyber security awareness training. People present the most significant challenge to an organization’s cyber readiness. Take advantage of low-cost, web-based training programs. Knowledge is power!
 

The Future of Cyber Security

Will cyber attacks ever die?

Not anytime soon—but there are hopeful signs. The recent ransomware attack against Colonial Pipeline, a jugular of US energy infrastructure, appears to have crossed a line.

 

According to the responsible party, criminal syndicate DarkSide, the attack was strictly money-motivated. Yet, the real-world blowback came in the form of millions of dry fuel tanks and a spike in energy costs across the board. That single episode demonstrates our society’s vulnerability to cyber terrorism.

 

Seemingly on the heels of that event, the White House responded with an executive order calling for “bold changes” and “significant investments” to the nation’s cyber security posture.

 

The May 12, 2021, Executive Order on Improving the Nation’s Cybersecurity is a long-overdue wakeup call and begins:

 

“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

 
The White House document continues on to define its role in the context of non-stop attacks on our business and technology infrastructure:

 

“The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.”

 
This marks a significant turning point in US policy toward combating international cyber crime.

 

What is the future of cyber warfare?

To end phishing and runaway ransomware attacks (in an ideal world), we, as an international society, would need to find a way to accomplish some or all of these ideals:
  • Make cyber attacks more difficult to carry out. Enforce adoption of solutions like multi-factor authentication, data encryption, and Zero Trust Architecture.
  • Make ransomware attacks unprofitable. As it becomes more costly for criminal organizations to exploit a shrinking pool of vulnerable targets, we’ll reach a tipping point where those organizations will evolve and move on to other, more profitable crimes.
  • Reliably trace cyber attribution. Accurate determination of which threat actors are held accountable for each attack would be a significant step toward criminal prosecution.
  • Make it easier to punish cybercrime. Cyber attacks thrive in the darkness and anonymity afforded by nation-states, international treaties, cryptocurrency, and the Dark Web.
  • Encourage businesses not to pay ransom demands. Paying or not paying is a much-debated question in banking and insurance circles, and raises more questions. What are the roles of Organized Crime, terrorist groups, and money laundering? How do OFAC restrictions affect ransom payments?

What’s next?

 

Until we make measurable progress toward achieving these ideals, each year will continue to bring record losses.
As for your business, you can take action today.

 

What do you plan on doing to improve your security posture this year?

 

Hopefully this guide has provided you with enough direction to begin implementing a robust cyber security plan and the confidence to promote security awareness within your company.

 

We’re always available to help if you need assistance along the way.