Cyber Threats and Vulnerabilities – Escape to nowhere?

You might have come across the cases where:

• A sender of an e-mail or SMS or WhatsApp says “Your electricity will be disconnected if you
  don’t pay Rs. 9500 immediately”.
• Someone calls and tells you “your son is under our custody for rape charges” and demands
  Rs. 5 Lacs to be deposited by you in a particular account. The caller will not give you time to
  think.
• A lady is at home and receives a call that her husband has met with an accident and some
  emergency procedure need to be carried out. Rs. 2 Lacs are immediately required to be
  transferred to such and such account. The caller even makes her listen to the voice of her
  husband

These are some of the cyber-crimes with increasing degree of sophistication. These people who commit such crimes are called threat actors. These actors collect sensitive information through various sources and use it for their purpose. The sharpness of attack depends upon how specific is the information possessed by them.

In first case above, they just need a directory of mobile numbers of people working in an organization or living in a society building. They will select a few targets either randomly or based on some more inputs about usual electricity bills. In the second case, the caller has a specific information about the name and age of your son and knows enough about you and your spouse on your ability and inclination to cough up the money under this situation. The third case is much more sophisticated. The caller knows all about your family. About your and your wife’s routine of life. He also has your voice samples and is able to produce the sentences using AI. This is called ‘impersonation’.

How do they collect all this information about you?

There are some easy ways and some not so easy ways. If you are careless and you throw or leave unattended important records like your electricity or mobile bills, medical records including Lab / Radiology reports, Income Tax related documents, society maintenance charge receipts etc.,you become an easy prey. These could be picked up by such actors and used to do data mining about you. You freely share your Aadhar card, Voter id card or Driving licenses, they pick-up and strengthen their data bank further. They can steal your identity by acquiring such information. They can hack into your e-mail account, mobile etc. They can get the mobile number changed in the Bank Records or Aadhar Card or PAN Card and later on use it to receive OTPs.

Advanced Techniques

These threat actors are now equipped with various advanced techniques to collect data about individuals. Some of these techniques are listed here:

Phishing

Phishing is an age old technique of data collection. Phishing means revealing some information about the target upfront so that the target gets confidence and reveals the remaining information to the attacker. The attacker sends a fraudulent e-mail or text message from a seemingly trusted individual or organization. The aim is to persuade the recipient to open an attachment that will enable an attacker to obtain login information and infect the IT infrastructure with malware.

Social Engineering

Social engineering makes use of personal information provided by the victim on social media. People share a lot of personal information on platforms like Facebook or Instagram without thinking that this could be misused. The attacker mines such information and uses it for Phishing, Impersonation or other forms of attacks.

E-mail spoofing and impersonation

You might have witnessed the cases where a CFO receives an e-mail from the CEO to transfer a large amount of money to a particular amount. The e-mail presents urgency and exigency to such an extent that the CFO gets tempted to comply without thinking further. If you look at sender’s e-mail id carefully, you will be able to figure out that this is a different person but often people neglect finer details.

Key Logging

Once the attacker gains access to the IT infrastructure of the victim, a malicious software is installed on victim’s computer and this software records each and every keystroke pressed by the user using keyboard of the computer. The attacker effectively uses it to steal passwords and other sensitive information.

Actions of Threat Actors

Once this threat actor gains access to the IT infrastructure of the victim, the following actions may follow:

Passing information to interested parties – This is called an act of Trojan Horse. The malware does not actively harm other than stealing sensitive information and passing on to the attacker.

Placing information in Dark Net for selling – The attacker steals the sensitive information and places in cyber space called ‘dark net’. Normally a small portion of data is placed there inviting interested parties to purchase that data at a negotiated price.

Distributed Denial of Service (DDoS) Attacks – The malware installed by the attacker generated millions of messages and floods all across the network with an intention to choke the network. The victim is not able to perform any business activity over the network. This is called ‘Denial of Service’. Once this attack spreads across all segments of the network, it is called ‘Distributed Denial of Service (DDoS)’.

Ransomware Attack – This type of attack goes a step further. It encrypts all the sensitive information contained inside IT Infrastructure of the victim and asks for large sum of money to be deposited to an account as a price to decrypt and enable the victim to run the operations again.

These are some of the actions performed by attackers. However, this list is not exhaustive. These threats and vulnerabilities are ever growing and individuals, organizations and nation states are all actively working to deal with this menace. Cyber warfare is one of the forms of attacks that a nation state may perpetrate on the other.

There are no short-cuts to deal with cyber risks. If we intend to take advantage of internet and global connectivity, there is an associated price attached with it. We must follow principles of cyber hygiene to stay safe. Some of the key precautions are listed below that help Individuals and Organizations to stay safe from such attacks.

Preventive Actions at Individual Levels

• Increase your awareness on Privacy and Security
• Follow your gut – take a pause and verify the inputs coming from an unknown source.
• Avoid using public network to access internet
• Protect your electronic devices with a leading anti-malware
• Remove unnecessary Apps from your mobile devices
• Do not click on URLs or Open attachments from the e-mail where sender is not trusted
• Keep your passwords safe and keep periodically changing them
• Do not call back on calls coming from unknown numbers
• Do not reveal sensitive personal information to unknown callers
• Never share OTPs with anyone
• Report any cyber incident to cyber police

Preventive Actions at Business / Organization Levels

• Increase your employee awareness on Privacy and Security
• Have a well-defined information security policy
• Follow standard Information Security framework (e.g. ISO27001)
• Get your cyber security posture assessment and audit done at regular intervals
• Create a dedicated team for Information Security management and Response
• Invest in tools to monitor and protect Information Security Posture
• Follow a zero trust policy