Wednesday 10th October 2018
Cyber Security is vital to everyone – including Governments, Businesses, Schools and Hospitals, all the way down to private individuals at home.
Everybody is subject to being attacked or hacked. Rarely a day goes by without there being news of new hacks – both large and small. This online resource is updated regularly with the latest information about Cyber Security News.
Nobody is immune from being hacked! If you or your business have not been hacked, then that just increases the chances that you will be hacked soon – unless you take steps to prevent it or mitigate the impact.
Every level of organisation needs to have cyber security professionals on staff. We look to support all companies through our apprenticeships in Cyber Security, not just IT companies.
A common attack which everyone is susceptible to is Social Engineering.
Social Engineering takes advantage of the weaknesses of people – your employees. There is no tool to prevent Social Engineering and, in most cases, people will not be aware of an attack. Essentially, this type of attack is about getting users to give out confidential information to unauthorised people. They are fooled into thinking it is all legitimate. The most common way this occurs is by telephone or even face-to-face, but a particularly prevalent form of Social Engineering these days is the Phishing Attack.
With a Phishing Attack the victim is sent an email which encourages them to click on a hyperlink, apparently directing them to a website. The point about this is that the website is almost certainly not legitimate. A hyperlink is typically text underlined in blue but what it says, such as the address of a website, is not necessarily the site it will take you to. What you see underlined is simply plain text. It is the properties of the hyperlink which dictate the address you will be taken to. This may well be a malicious website controlled by the hacker with the aim of getting you to enter confidential information.
Other versions of a Phishing Attack include Spear Phishing, which targets a particular group or type of people with something in common, and Whaling, which typically targets C-Level members of a company – the big phish!
Whilst some technologies try to combat Phishing, the best and cheapest way is by educating users – company employees. They need to understand what to look for and what to do when they see it – or suspect it. Everybody uses email, and everybody is vulnerable to this attack.
Vulnerabilities are another huge concern for everybody using computers.
Every machine should be constantly updated – not just the operating system (Windows, Linux, macOS etc.) but the software or programs installed on it. Hackers look for vulnerabilities and all software installations have vulnerabilities. Manufacturers such as Microsoft learn about the vulnerabilities and release patches to fix them. It is then the task of a user, or the Company IT Department, to ensure that those fixes are installed as soon as possible after they are released. If a patch is not installed, then the unpatched vulnerability may give a hacker who is aware of it access to the computer.
The third type of attack is an attack on passwords or authentication.
Everybody should be using a username and password to access their computer – both at home and at work. Nobody should be using the same password for more than one purpose. Ideally, in today’s high-tech world, where cracking passwords is a serious occupation for hackers at all levels, everybody should be using two-factor authentication whenever possible – using something you possess (a token/device generating a unique number) or something you are (biometrics such as fingerprints or facial scans).
Passwords which we remember and type in are simply not good enough, and we should all be using password managers, both privately and in commercial companies. Password managers generate, store and automatically enter all your passwords. They are protected by your master password, which you must remember, and, if required, two-factor authentication. Next time you read about passwords being stolen when a company is hacked, you do not need to worry as much because the hacker does not have the second factor required.