The holiday season is approaching fast. Fun as it is, it is unfortunately also a time of increased hacking, email scams and DDoS attacks.
One of the largest corporate hacks in history, the Sony Pictures hack, is by no means old news even though it happened last year: it could happen to any business at any time, most probably starting with an employee clicking on a malicious email.
A year on from the Sony breach, DDoS attacks are more common than ever, and the approaching holiday season is only likely to increase the pace. If someone wants to harm your business, what better time to launch a denial-of-service attack than the holiday season? It is usually one of the busiest times of the year for business, and sales lost then have severe consequences for the financial results. DDoS attack tools are also a commodity, openly sold on the web as a service, so it is no wonder that attacks reached an all-time high in Q2/2015: according to a report from Akamai, DDoS attacks grew 132% from Q2/2014 to Q2/2015.
Email phishing is another form of cyber-attack that typically increases in the run-up to the holiday season, when business is at its peak. According to an article in Forbes, the number of unique phishing email attacks has grown to hundreds of thousands of discrete attack types per year. These attacks imitate mail from popular services such as Facebook, PayPal, Microsoft and banks, and often use malicious attachments to breach the unsuspecting target.
There is currently a large global phishing campaign targeting DHL customers, consumers and businesses alike, and it can hit any company, big or small. Phishing attackers often target smaller companies too, perhaps assuming they are easier victims.
With the holiday season getting near, isn't it time to re-evaluate your business security? You don't want to be one of the first, easy targets. To defend against cyber-attacks, you need to make sure your company data is secured at all times. Understanding what steps to take to avoid becoming the next phishing or DDoS victim is therefore a good way to start preparing for the holiday season.
Jarno Niemelä from F-Secure Labs shares some basic instructions on how to minimize the success of DDoS and phishing attacks:
When it comes to DDoS attacks, the most important thing to remember is to be a moving target and keep the initial point of contact, that is your web page (www.company.com), mobile from a networking point of view. It might be a very good idea to use some large cloud provider that has multiple data centers for your public web services, so that you are able to run services in multiple locations or move the service around in the provider’s cloud.
Most attackers do not understand the structure of your service, so they will hit the public web page and block any services running on the same network connection, thus potentially causing large collateral damage to your systems. For example, in Finland a bank was hit with a DDoS on its public web page, and unfortunately this public web page was on the same Internet connection as the payment processing services. This meant that the DDoS attack prevented customers' credit and debit cards from working, so they could not use them to pay for their shopping or withdraw cash from ATMs.
So to avoid similar incidents:
- Make your public-facing web and other services run in the cloud, or otherwise make sure that they are isolated from your actual infrastructure, so that any DDoS attack hits only the web page, and the rest of the service can still function.
- Make sure that the service provider you are using for hosting public services does provide an anti-DDOS service and the service is included in your contract.
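A quick way to catch the bank scenario above before an attacker does is to check whether your public-facing hostnames resolve into the same network prefix as your critical ones. The script below is an added example, not code from the original post or from F-Secure; the inventory is constructed from documentation address ranges (hypothetical hosts), and the /24 and /48 prefix lengths are an assumption standing in for "same upstream connection", which you should replace with your real link or AS boundaries.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts in documentation address ranges,
# not real infrastructure): hostname -> role and the addresses it resolves to.
INVENTORY = {
    "www.example.com":      {"role": "public",   "addrs": ["203.0.113.10"]},
    "shop.example.com":     {"role": "public",   "addrs": ["203.0.113.11", "2001:db8:1::11"]},
    "payments.example.com": {"role": "critical", "addrs": ["203.0.113.20"]},
    "vpn.example.com":      {"role": "critical", "addrs": ["198.51.100.5"]},
    "cdn-www.example.com":  {"role": "public",   "addrs": ["192.0.2.77"]},
}


def prefix_of(addr, v4_len=24, v6_len=48):
    """Network prefix an address belongs to. The prefix lengths are an assumed
    heuristic for 'same upstream connection'; tune them to your own addressing."""
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def shared_prefixes(inventory, v4_len=24, v6_len=48):
    """Return prefixes where a public-facing host sits next to a critical one.

    Each finding is (prefix, public hosts, critical hosts). An empty list means
    no public service shares a prefix with a critical one under this heuristic,
    so a flood aimed at the web page should not take the critical service down.
    """
    by_prefix = defaultdict(lambda: {"public": set(), "critical": set()})
    for host, info in inventory.items():
        for addr in info["addrs"]:
            by_prefix[prefix_of(addr, v4_len, v6_len)][info["role"]].add(host)
    findings = []
    for net, roles in by_prefix.items():
        if roles["public"] and roles["critical"]:
            findings.append((str(net), sorted(roles["public"]), sorted(roles["critical"])))
    return sorted(findings)


def live_inventory(roles):
    """Build an inventory from live DNS; roles is {hostname: "public" | "critical"}.
    Needs network access, so it is not used by the sample run below."""
    inv = {}
    for host, role in roles.items():
        try:
            addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
        except socket.gaierror:
            addrs = []  # unresolvable names are reported with no addresses
        inv[host] = {"role": role, "addrs": addrs}
    return inv


if __name__ == "__main__":
    for net, public, critical in shared_prefixes(INVENTORY):
        print(f"{net}: public {public} shares a prefix with critical {critical}")
```

On the constructed inventory the check flags 203.0.113.0/24, where the shop and www front ends sit beside the payments host, which is exactly the layout that turned a web-page flood into a card-payment outage. Run it against your own DNS with `live_inventory` and aim for an empty result, or at least for every finding to be a deliberate decision backed by the provider's anti-DDoS contract.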
With phishing attempts, the most important security precaution you can take is to have proper endpoint protection in place, as there will always be someone who is distracted or hasn't yet had their morning coffee and will click a link or attachment that they would not normally fall for. Training your employees to be cautious and to know how to react to suspected phishing attempts is also highly recommended.
Also, you should enable two-factor authentication on all services that are critical for the company, such as public Twitter and Facebook profiles, and favor banking and other services that offer two-factor authentication. With two-factor authentication, a stolen password is not nearly as dangerous as with systems that only use plain passwords.
For services that allow only passwords to be used, it is important to have a unique, fully random password and to store passwords in a secure container, so that users will always get the password from the container. The unique password may be stolen, but at least it will work only on that single account, so losing one password does not give an attacker full access to the corporate identity on all services.
And please remember to use two-way authentication with your important assets, such as servers containing passwords.
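To make the two-factor and unique-password advice above concrete, here is an added example, not code from the original post or from F-Secure, of a login check that requires both a salted password hash and a TOTP code. The `Account` record, the PBKDF2 parameters and the `login` flow are illustrative assumptions of my own; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238, and `RFC_KEY` is the RFC's published test secret so the codes can be checked against the standard.

```python
import hashlib
import hmac
import secrets
import string
import struct
import time

# ---- second factor: HOTP (RFC 4226) / TOTP (RFC 6238), SHA-1, 6 digits, 30 s step ----

def hotp(key, counter, digits=6):
    """One HOTP value: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time, step=30, digits=6):
    """TOTP value for a Unix time; this is what the user's authenticator app shows."""
    return hotp(key, int(for_time) // step, digits)


def totp_valid(key, code, for_time, step=30, window=1):
    """Accept the current step plus/minus `window` steps to tolerate clock drift.
    Constant-time comparison, so response timing leaks nothing about the code."""
    if not isinstance(code, str) or not code.isascii():
        return False
    counter = int(for_time) // step
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


# ---- first factor: unique random passwords, stored only as salted PBKDF2 hashes ----

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=24):
    """Fully random password for a password manager (the 'secure container') to hold."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (assumed parameters); store (salt, digest), never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class Account:
    """Hypothetical server-side record: password hash plus the shared TOTP secret."""
    def __init__(self, password, totp_key):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_key = totp_key


def login(account, password, otp, now=None):
    """Both factors must pass, so a stolen password without the OTP is rejected.
    Both checks always run, so a failure's timing does not reveal which factor failed."""
    if now is None:
        now = time.time()
    _, candidate = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate, account.pw_hash)
    otp_ok = totp_valid(account.totp_key, otp, now)
    return password_ok and otp_ok


# RFC 6238's own test secret, included so the TOTP output can be checked against the RFC.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    key = secrets.token_bytes(20)
    pw = generate_password()
    acct = Account(pw, key)
    now = time.time()
    print("password + current OTP :", login(acct, pw, totp(key, now), now))
    print("stolen password only   :", login(acct, pw, "", now))
```

The second print line is the point of the exercise: with the phished password but no code from the user's device, `login` returns False. Because each account gets its own `generate_password` output and its own TOTP secret, one leaked password or one compromised service gives the attacker neither the other services nor this one.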