Cybercrime keeps pace with information technologies. Fraudsters are getting more skilled, and new ways to bypass security services keep appearing. Issues such as counteracting cybercrime and securing data and software are becoming strategic for businesses and deserve their own item in the budget. It’s high time to hire a chief information security officer (CISO), whose duties are becoming more and more versatile. We’ve written this article to remind you one more time about the price you may pay for software not updated in a timely manner or for a weak password.
Cyberattacks: by whom, on whom, and why
It seems we’ve lost the war with cybercrime — what victory is there to talk about if security agencies in different countries order cyberattacks on the government organizations of unfriendly states from anonymous criminal groups? Year after year, the number of attacks and the amounts paid to hackers hit record highs. In 2021, companies collectively paid $350 million, which is three times as much as in 2020. CNA, the insurance company, paid the record-breaking amount of $40 million after it had lost control over its database, and its top managers had lost access to the network, for 2 weeks.
Here is another unsettling cyberattack statistic. In October 2021, Check Point reported that the number of cyberattacks had increased by 40% globally and that one in every 61 organizations was attacked by hackers on a weekly basis. The number of attacks on corporate networks has gone up one-and-a-half times compared with 2020. The intruders focus primarily on educational and research websites, the sites of governmental and military agencies, and sites in the communication industry.
Who stands behind cyberattacks, and why do they do that? Hackers creating problems for companies have motives varying from romantic to political. Stolen data can be sold on the darknet, held for ransom, or published for free access because this is what the conscience or its lack permits. Websites are hacked out of revenge, to soothe vanity, or to influence such global processes as the presidential election. Money, ambition, boldness, and a feeling of power — in summary, these are the main reasons for cybercrimes.
It is possible to describe the current trends in cybersecurity by observing the technical progress and changes in people’s everyday life.
Serverless architecture and use of cloud technologies. The coronavirus and subsequent transition to remote work made businesses pay attention to SaaS solutions. Their clients are not able to protect data from attacks on their own. This is the task of the operators who are not always good at this. It is predicted that there will be more attacks on the microservices used by cloud service providers.
Deepfakes. Even five years ago they could convincingly compromise celebrities who “had appeared in an adult movie”. But before long, it will be possible to use them to dull the vigilance of both living people and biometric access control systems.
Attacks on supply chains. SCM systems are used to manage the flow of goods, data, and finances related to the goods or services: where production resources are sold and at what price, how the finished product is delivered to the consumer, etc., and their vulnerability is increasing. In 2021, the servers of JBS, the largest American meat processing company, were hacked, which could have broken the beef supply chain and increased the beef price.
Spread of the Zero Trust model. This is a system protection model that by default treats every user or device seeking access to the system as untrusted and requires them to authenticate again.
Cross-functional teams. With increasing frequency, projects will be carried out by teams whose members are not only capable of developing websites and applications but can also set up infrastructure and maintain the security of its code base.
Increasing payments to cybercriminals. The $40 million CNA paid to hackers suggests that the records of data leaks and payment amounts will be broken again and again.
Cybersecurity: the origin of the threats, their types, and ways to avoid them
Do you remember all those movie scenarios about zombie apocalypses? Someone in a secret government laboratory breaks a flask with some experimental green steaming ooze, and here we go. Basically, early viruses were not created to infect the computers of common citizens or rob corporations. For example, the Brain virus created in 1986 by the Pakistani brothers Basit and Amjad Farooq Alvi was written as a tool to fight pirate copies of their medical software but finally became the source of a cyber epidemic. In the ’90s, hackers romanticized by pop culture already squared their shoulders.
If all developers wrote clean, tested code checked a hundred times, there would be peace on Earth and no viruses at all. Alas, even the development languages, libraries, frameworks, CMSs, and other site and application development tools themselves are written with errors that open the floodgates to your website for spies, thieves, and saboteurs.
Security flaws are introduced during code design, implementation, and configuration, that is, all the time. Design errors manifest themselves inconspicuously because they occur at the level of algorithms and the interrelation of different interface parts. Such errors include, for example, a narrow bandwidth that can lead to server failure in case of a massive unpredicted influx of users. Vulnerabilities arising at the implementation stage are caused by code errors which can later require rewriting the application from scratch. The same poorly written and poorly tested code leads to errors at the stage of configuring the hardware and software parts. A weak password that can be broken is one such vulnerability.
Let’s talk about the most common types of cybersecurity threats.
Phishing leads among the ways to get illegal access to data. Phishers create a site that looks quite normal, or even a copy of a popular site, and under a specious excuse collect your bank card numbers, passwords for email or other services, banking details, etc. The user’s confidence can also be gained through an email from the manager or an international organization fighting against evil. Thus, in the early days of the coronavirus, people participated in online surveys “conducted” by the Centers for Disease Control and Prevention and left their email login and password.
Phishing changes its masks but its outcome is the same — it makes you poorer. To avoid this, pay attention to the site address: is this really Netflix, not some Nutflex? You can also be provoked with a special offer expiring in five minutes, which is why you have to leave your card number and CVV code. Only vigilance will protect you.
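The address check described above can also be automated, for instance in a mail filter or proxy. The following is an added example, not part of the original article: it compares a link's domain with a list of trusted domains using edit distance. The trusted list, the distance threshold and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains your users legitimately log in to (constructed list).
TRUSTED = ("netflix.com", "paypal.com", "drupal.org")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of X', 'brand in subdomain of Y' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Simplification: treat the last two labels as the registered domain
    # (a production check would consult the Public Suffix List).
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED:
        return "trusted"
    # A trusted name used as a subdomain of someone else's domain.
    for good in TRUSTED:
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return f"brand in subdomain of {domain}"
    closest = min(TRUSTED, key=lambda good: edit_distance(domain, good))
    if edit_distance(domain, closest) <= max_distance:
        return f"lookalike of {closest}"
    return "unknown"

if __name__ == "__main__":
    for url in ("https://www.netflix.com/login",          # genuine
                "https://www.nutflex.com/login",          # constructed lookalike
                "https://netflix.com.billing.example/"):  # constructed subdomain trick
        print(url, "->", classify(url))
```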
DDoS (Distributed Denial of Service)
In layman’s terms, DDoS is an attempt to bring down the server using a huge amount of traffic. To this end, the hacker combines the infected computers or IoT devices into a botnet and simulates the volume of requests the server is not able to process. In this case, no malicious code is injected on the server — the users just cannot open the site because the server is busy dealing with the line of fake requests.
Protection against DDoS attacks includes a server architecture initially adjusted for high loads. But if you are implementing a project for a large audience, your server must a priori be ready for a large number of requests. And what if you have a small-scale project?
Brute force is a type of attack where a malicious program tries to get access to the system or some of its protected sections by sending various combinations of characters, trying to guess the required “login–password” pair. If you have ever forgotten a password and received a warning about three attempts to type in the correct password, you saw the most trivial way of protection against a brute force attack: after the first unsuccessful attempt, the system starts suspecting that you are an intruder searching for passwords. And when at the stage of registration you are requested to invent a more complex password, the intent is to protect you from such attacks.
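The three-attempt protection described above can be implemented as a small failure counter with a time window. This is an added example, not code from the original article; the limits (3 failures in 5 minutes, 15-minute lock) and the names LoginThrottle and login are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginThrottle:
    """Lock a key (e.g. a username) after too many recent failed logins."""

    def __init__(self, max_failures=3, window=300, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock              # injectable so tests can move time
        self._failures = {}             # key -> timestamps of recent failures
        self._locked_until = {}         # key -> time the lock expires

    def is_locked(self, key) -> bool:
        return self.clock() < self._locked_until.get(key, float("-inf"))

    def record_failure(self, key) -> None:
        now = self.clock()
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key] = []

    def record_success(self, key) -> None:
        self._failures.pop(key, None)

def login(throttle, users, username, password) -> str:
    """users maps username -> (salt, hash). Returns 'ok', 'denied' or 'locked'."""
    if throttle.is_locked(username):
        return "locked"                 # refuse before checking the password at all
    salt, stored = users.get(username, (b"\0" * 16, b""))
    # Hash even for unknown users so both paths cost the same time.
    if hmac.compare_digest(hash_password(password, salt), stored):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

Locking per username lets an outsider lock a real user out on purpose, so production systems usually also count failures per source address.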
IDOR vulnerability (Insecure Direct Object Reference)
In such attacks, the insecure objects can include the URLs of pages, files, and directories that any user can access. In the most absurd cases, it is sufficient for a cybercriminal to add “/admin” to the URL to be able to behave as the administrator, i.e., add, replace, or delete your content, communicate on your users’ behalf, or transfer money from your account to the criminal’s account. This problem is solved by setting up user roles and limiting access rights.
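The role and access-rights fix described above, shown beside the vulnerable lookup it replaces. This is an added example, not code from the original article; the User type, the invoice records, the role names and the handler names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str            # "customer" or "admin" (hypothetical roles)

# Constructed sample records, keyed by the id that appears in the URL.
INVOICES = {
    101: {"owner_id": 1, "total": 40},
    102: {"owner_id": 2, "total": 75},
}

class Forbidden(Exception):
    """Raised when the current user may not see or change the object."""

def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    # IDOR: any logged-in user can read any invoice by changing the id.
    return INVOICES[invoice_id]

def get_invoice(user: User, invoice_id: int) -> dict:
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        user.role == "admin" or invoice["owner_id"] == user.id)
    if not allowed:
        # Same error for "missing" and "not yours", so ids cannot be probed.
        raise Forbidden(f"invoice {invoice_id}")
    return invoice

def require_role(*roles):
    """Decorator for handlers such as /admin: check the role, not the URL."""
    def wrap(handler):
        def checked(user: User, *args, **kwargs):
            if user.role not in roles:
                raise Forbidden(handler.__name__)
            return handler(user, *args, **kwargs)
        return checked
    return wrap

@require_role("admin")
def admin_delete_invoice(user: User, invoice_id: int) -> bool:
    return INVOICES.pop(invoice_id, None) is not None
```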
XSS vulnerability (Cross-Site Scripting)
XSS vulnerabilities fall into three types depending on where the code is stored: stored, if the code is stored on the server and is executed automatically; reflected, if it is contained in a link; and DOM-based, if it is executed in the browser. As a result, a hacker can change pages on the site or embed scripts in the code to drive up the number of pageviews on other sites or to mine cryptocurrency – perhaps this is why your computer has been so slow lately.
XSS protection consists of neutralizing malicious JS code. Here HTML entities (mnemonics) can help: HTML special characters are replaced with their entity equivalents, and the page no longer interprets the text entered by the intruder as code. A more radical way out is simply to filter out all tags.
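Both defenses from the paragraph above, entity encoding and removing all tags, in one added example that is not part of the original article. It uses Python's standard html module; the function names and the sample strings are constructed for illustration.

```python
import html
from html.parser import HTMLParser

def render_comment_unsafe(text: str) -> str:
    # Vulnerable: user text is pasted into the page and parsed as markup.
    return f"<p>{text}</p>"

def render_comment(text: str) -> str:
    # &, <, > and both quote characters become entities, so the browser
    # displays the text instead of interpreting it.
    return f"<p>{html.escape(text, quote=True)}</p>"

def render_search_box(query: str) -> str:
    # Attribute context: quote=True matters, or a '"' would end the value.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'

class _TextOnly(HTMLParser):
    """Collects text, drops every tag and the bodies of script/style."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def strip_tags(text: str) -> str:
    parser = _TextOnly()
    parser.feed(text)
    parser.close()
    # Escape what is left: the parser decodes entities such as &lt; back
    # into '<', so unescaped output could reintroduce markup.
    return html.escape("".join(parser.parts), quote=True)
```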
In a similar way, through data entered by users on the page, hackers can change a GET or POST request and cookies to get access to the database, especially if it is based on the MySQL architecture. To prevent and eliminate such attacks, the developer has to be attentive to responses to requests and filter special characters from the user data, as we already explained in the previous example (so-called escaping).
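The database attack described above is commonly called SQL injection. The added example below is not from the original article: it shows a query built by string concatenation beside one that uses bound parameters, a stricter alternative to filtering special characters by hand. It uses an in-memory SQLite database instead of MySQL so that it runs anywhere; the table and its rows are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

def find_user_vulnerable(db, name: str):
    # Vulnerable: the value from the request becomes part of the SQL text,
    # so a quote character in it changes the meaning of the query.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def find_user(db, name: str):
    # Bound parameter: the driver sends the value separately from the SQL,
    # so it is always compared as data, whatever characters it contains.
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def find_user_by_id(db, raw_id: str):
    """raw_id arrives as text from a GET/POST field or a cookie."""
    # Validate the expected type first, then still bind it as a parameter.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return None
    return db.execute(
        "SELECT name, email FROM users WHERE id = ?", (int(raw_id),)).fetchone()
```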
How to prevent and eliminate cyberattacks
Sometimes it makes sense to give way to reasonable paranoia and think that one day someone will want your passport number, the login and password for the service you used once many years ago, the content of your correspondence, etc. It’s even scarier to risk your clients’ data and repair their damage and your reputation. This is why the first bastion in the fraudster’s way must include:
- complex passwords that do not include the date of birth, place of work, or other data of the page owner or system administrator which can be used to guess the password;
- disabled login and password AutoComplete function;
- avoidance of WiFi networks not protected with passwords;
- two-factor authentication;
- clearing cookies;
- reliable antivirus software.
Here is the extended list of precautions protecting you from multimillion payments.
Software versions update
All your development tools will sooner or later expire. As we mentioned above, the seeds of software vulnerabilities are planted all the way from its creation to configuration. Be it an operating system or a library, every major update is followed by notices of detected vulnerabilities. Developers respond to such news by releasing patches addressing the identified vulnerability. There may be a lot of patches between major updates, hence all those 6.6.66 in the product names.
If your website is built on Drupal CMS, you are lucky as this is one of the most secure CMSs in the world. Drupal’s security team issues updates and patches for supported Drupal versions following a strict procedure: every first Wednesday of the month is devoted to the release of the new minor patch version with bugs fixed (if the bugs are critical, the patch version is released ahead of schedule), every third Wednesday of the month is for the Drupal core update, and every Wednesday is for the update of profiles, themes, and modules not included in the core. But the most important event is the update of the major Drupal version. Among other things, it means that the security of the previous CMS versions will degrade and with time will cease to exist. The release of Drupal 10 is announced for December 2022, and the owners of websites built on Drupal 7 and Drupal 9 will have 11 months for the update.
Testers invent penetration scenarios on their own and change the test tools’ settings so that any unknown vulnerabilities can be identified manually. Penetration tests can be carried out either for the whole network or product or for its separate functional parts, which is cheaper and takes place more often. Considering the high cost and duration of the check (up to several days), it is recommended that this measure be taken in large projects with a high risk of cyberattacks. The recommendation is to carry it out once a year with the involvement of highly skilled professionals.
Vulnerability scanning is often confused with the penetration test, but these are two different things. The aim of this method is to automatically identify any issues in the network, network software, and equipment — firewalls, routers, switches, servers. As a result, potential threats rather than the vulnerabilities themselves are identified. Unlike penetration tests, vulnerability scanning is cheaper and can be done by the network admin.
Threat hunting is a method of searching for cyber threats in which the professional hypothesizes how an intruder could hack the system and then checks these guesses to find traces of an intrusion. The guesses are based on data about the infrastructure state, findings of penetration tests, intelligence, security news, and other insider and public information.
Interaction of the red, blue, and violet teams
The red team consists of third-party professionals who check the security program vulnerability for the company that hired them. The blue team, on the contrary, defends the system against the red team in order to use the gained experience to respond to real cyberattacks. If these teams need a deeper mutual integration, the violet team is invited. This team teaches the red team to attack and the blue team to defend more effectively and trains them all to work effectively with each other. This means that the violet team is not needed if the two other teams are on the same page.