Timing – A Hacker’s Greatest Weapon
If you ever have the opportunity to talk to someone in charge of security at a maximum-security penitentiary, they will tell you the same thing. The prisoners have all the time in the world. All the time to watch and observe, looking for vulnerabilities within the patterned behaviors of the guards and penitentiary staff. They look for the slightest moment of distraction to exploit to their advantage.
Everyone Has Some Level of Security
As the classic song by Louis Armstrong says, “We have all the time in the world.” That is the case for the modern-day hacker. Professional threat actors don’t pounce on their victims immediately upon accessing the network of a targeted organization. Like the penitentiary, every responsible organization has security protocols and tools in place to stop a generic attack. Internal IT personnel or MSP technicians have backups in place to restore files and critical systems in the event of a ransomware attack.
But while zero-trust security is the battle cry today when combatting the growing number of threat adversaries across the world, it is realistically unattainable for the average SMB. While your business must secure all your attack avenues and endpoints, a hacker only needs to score one small victory.
Brief Windows of Opportunity
Any good magician knows that the key to a successful trick is to distract the audience. Hackers don’t usually create distractions. They look for brief windows when their human prey is already distracted. For instance, December is often referred to in song as “the most wonderful time of the year” due to all the major holidays during the month. But the time crunch to find that perfect gift and attend as many holiday celebrations as possible makes that month a wonderful time of the year for scammers and hackers as well. They know all too well how to take advantage of the stressful and busy season.
Tax season is another recurring time cycle that phishing campaign creators take full advantage of. Who wouldn’t experience anxiety at an email supposedly coming from the tax office? The end of every month or fiscal budget year coincides with a flurry of invoices that require payment, so cybercriminals take advantage of it by attempting to slip a fake invoice into the chaos.
These brief opportunities aren’t just regular calendar events. A great example was the recent decision by Elon Musk to offer $8 subscriptions to Twitter. The purpose of the subscription was to validate users so that the audience following these accounts can be certain who they are following. Ironically, the subscription campaign resulted in an onslaught of phishing attacks launched at users who were either anxious to subscribe or confused by the entire matter. Phishing emails incorporating the look and verbiage of Twitter’s own branding were used to scare users into clicking a link to sign into their Twitter accounts or face suspension. One of the most prevalent attacks had an embedded link directing users to a Google Doc that prompted them for their username, password, and phone number. Twitter was forced to suspend the $8 fee plan only days later due to a combination of confusion, exploitation, and the fact that so many of the verified accounts were turning out to be phony anyway.
Attacks are Engineered
Social engineering tactics are used in phishing and other types of cyberattacks. There is a reason why the word “engineering” is used. These aren’t half-baked schemes that a bunch of teenagers came up with in their mother’s basement. The people behind these attacks understand the art of manipulation. They know which phishing lures will trigger a response in a well-crafted email phishing scam. These masterful manipulators utilize things such as a simple GIF file in a Teams session to exploit unsuspecting users. For cybercriminals, it is a game of percentages, as they know that X percent of users will click the link and X percent of them will fall for the scam completely.
In the case of a data breach or ransomware attack, a great deal of planning goes into the next stage of the attack once a beachhead is established. The silent perpetrators move laterally across the invaded network, performing reconnaissance to learn as much as possible about implemented security systems and protocols as well as the culture of the organization. Only when they are ready does the actual attack take place.
Humans are the Weak Link
It’s also ironic that in the highly digitized world that we live in, it’s humans that cybercriminals target for the most part. Those days of banging away at the perimeter firewall to find an opening are long behind us. It’s the people behind the office keyboards that are the weak links today. Human vulnerability cannot be eliminated by digital security tools alone. In the same way that pedestrians are encouraged to be aware of their surroundings on a deserted city street, computer users need to be mindful of their digital environment as well. Personal responsibility goes a long way when it comes to security.
The need for the populace at large to incorporate better cyber hygiene skills is so important that the President of the United States along with Congress took measures in 2004 to declare October as Cybersecurity Awareness Month. It’s part of a broader effort to promote better awareness of cybersecurity issues on a grand scale to reduce the vulnerability of the public to these malicious actors.
SMBs Need Assistance
While hackers and other external threat actors may have all the time in the world to find the ideal window to exploit their victims, the average SMB doesn’t. Those that do have the luxury of an internal IT team usually don’t have people with advanced security skill sets to detect the silent presence of attackers lurking within their networks. Overstretched IT staffs and MSPs don’t have the time to inspect every email, company text, and online session to protect users twelve months out of the year.
That’s why many SMBs turn to a third-party security operations center (SOC) for assistance. A SOC is a centralized team of highly trained, experienced security professionals who utilize the security analytics of your network environment to provide real-time response and oftentimes automated remediation. Many insurance companies are recognizing the value that a SOC can bring to their clients as they face the financial hardship of paying on many of these policies due to the increased number of attacks since the pandemic. Many are requiring their customers to utilize a SOC now in order to retain their policies.
Conclusion
We don’t know when the next prime opportunity for cyber exploitation is going to arise. We certainly can’t limit cybersecurity awareness to only a single month of the year. Cybersecurity is a 24/7 endeavor. It’s also about more than assembling an arsenal of best-of-breed security tools. It’s about taking the human element into consideration because cybercriminals certainly do. Make sure you have the human resources necessary to secure your business as well.