Matthew is responsible for the systems of a rapidly expanding startup. Most of the work he has undertaken has been automated, allowing him to focus on optimization and providing technical support to the rest of the team, rather than resolving issues.
Matthew was taken aback when he received a notification from his cloud service provider informing him of potential financial charges. Upon further examination, he realised that they had exceeded their allocated budget for the month within a 24-hour period. This was an unforeseen circumstance that left him in a state of shock.
Matthew has been made aware that an unauthorised individual has gained access to his company’s cloud computing services and has been running programmes without permission. In other words, Matthew’s organisation has become a victim of a cyber attack, as is the case with 30,000 other websites daily.
Research suggests that cyberattacks will cause an estimated cost of over $3 trillion by 2023, with potential losses of up to $10.5 trillion by 2025, due to the increasing prevalence of remote working and cloud computing.
Businesses are increasingly investing in cybersecurity and leveraging DevSecOps to construct more robust systems with fewer vulnerabilities. Nevertheless, it appears that technological advancement works both ways, with stronger protection leading to the creation of better tools to bypass it.
It is a fundamental principle that a system is only as secure as its weakest link, which makes designing with security in mind a complex task. Any flaw or omission could open the door to a range of potential vulnerabilities.
It is essential to take into account the human factor when discussing cyber security. Unlike computer programmes, people cannot be upgraded to patch any vulnerabilities. Consequently, we are potential targets for exploitation by a knowledgeable social engineer.
Methods of Social Manipulation
It is not unexpected that the actuality of cyber-attacks diverges significantly from the way they are commonly portrayed in the media. It is as improbable that a team of ingenious hackers could intercept a transmission and write code rapidly as it is that an 80s action hero could walk into a building and defeat opponents with martial arts.
Phishing and man-in-the-middle attacks are two of the most common types of cyberattacks, and they focus on deceiving the recipient. This can be accomplished with minimal technical expertise in computer programming.
It is more efficient to obtain credentials from an insider than attempting to hack an account. When access to a network can be granted in this way, there is no need to seek out potential vulnerabilities.
Internal scams catch those affected off guard precisely because they are not anticipated. Social engineering succeeds by exploiting people’s cognitive limitations and their belief that others are fundamentally trustworthy; our susceptibility to such attacks is rooted in how our minds work and in our natural inclination to trust.
For instance, when USB sticks were popular, hackers would distribute them like a form of free advertisement for fraudulent companies. If an employee unsuspectingly inserted one of these devices into their PC, it would give the hacker access to the individual’s device, as well as the potential to breach the entire corporate network.
It is difficult to imagine that someone distributing free promotional materials could be part of an international network of cybercriminals. Most businesses use advertising to promote their brand, and this is an assumption that hackers rely on for their activities to go unnoticed.
It is reasonable to assume that most people are aware of suspicious emails or phone conversations. Unfortunately, criminals recognise that there is still a chance that one person out of a hundred may not recognise the potential danger. It is important to remember that even a small lapse in security, such as an unprotected USB drive, can cause a great deal of harm.
Once again, technological advancements have presented unforeseen challenges. As an example, the emergence of Discord, a social networking and chat platform for gamers, is worth considering. It can be incredibly enjoyable to connect with individuals who share similar interests and partake in collective activities.
Discord is known for its versatility, but it can also be a source of potential security risks, such as remote access Trojans. Care should be taken to ensure that employees do not accidentally download malware while using the platform, even if they are accessing it from a trusted source on a work computer.
I’m safe against that kind of thing happening to me.
The assumption that anything like this could never happen to you is perhaps the greatest danger. A brief tale, if I may.
As a regular consultant for a local tour operator, I am responsible for providing ticket sales data to a specific airline every three weeks. The airline has implemented a web-based platform where agents can log in and submit the reports required.
A representative asked for my help uploading the necessary files because of the challenging user interface. The application presented more issues than expected, one of which produced a “page not found” message. Although the application is built on a commonly used framework, it has the disadvantage of being deployed with debugging output permanently enabled.
The server’s 404 page provided more than a standard “page not found” message; it presented a comprehensive debugging report, including the source code, server’s routing table and other relevant information to aid in understanding the server’s architecture. It is important to note that the application is intended to store sensitive data such as financial records and personal details.
It is essential to mention that turning off debugging mode is a fundamental recommendation before deploying to a live environment. I therefore sent an extensive email to the site admin, clearly emphasising the risks of leaving the option enabled.
After a few days of waiting, I was reassured that the risk was low, as only a few people had access to the web app. Yet I myself was a counterexample: not an agent, but still someone with knowledge of the software, so the reassurance did not hold.
Triggering the error takes nothing more than typing arbitrary text into a web browser’s address bar. Dismissing a potential threat because it appears innocuous is exactly the kind of negligence that undermines a security system, and it can be disastrous.
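Two things the anecdote points at can be made mechanical rather than left to memory: deriving the framework's debug flag so that it fails closed in production, and checking that an error page really is just a "page not found" and not a debugging report. The following is an added example, not code from the article or from the airline's application; the environment variable names (`APP_ENV`, `APP_DEBUG`), the marker strings (taken from the debug pages of common Python web frameworks) and the two sample 404 bodies are assumptions constructed for illustration.

```python
"""
Fail-closed debug flag plus a leak check for error pages (added example).

The page describes a live application that served a full debug report on
its 404 page. Two small defensive pieces are shown here:
  1. resolve_debug(): derive the DEBUG setting from the environment so that
     an absent or stray variable can never switch debugging on in production.
  2. leaks_debug_report(): scan an HTTP error body for strings that only a
     framework debug page would contain, suitable for a post-deploy smoke test.
Variable names and marker strings are assumptions, not taken from the article.
"""
import os

# Substrings that appear in framework debug pages but never in a plain
# "page not found" response. Assumed/constructed list; extend for your stack.
DEBUG_MARKERS = (
    "Traceback (most recent call last)",
    "Exception Location",
    "URLconf",
    "tried these URL patterns",
    "Werkzeug Debugger",
    "Local vars",
)

# Constructed sample responses standing in for what a smoke test would fetch.
SAFE_404 = "<html><body><h1>Page not found</h1></body></html>"
LEAKY_404 = (
    "<html><body><h1>Page not found (404)</h1>"
    "<p>Using the URLconf defined in app.urls, the server tried these URL "
    "patterns, in this order:</p><ol><li>admin/</li><li>reports/</li></ol>"
    "<p>Request Method: GET</p></body></html>"
)


def resolve_debug(env):
    """Return the DEBUG flag to hand to the framework.

    Rules: debug is off unless APP_DEBUG is explicitly truthy, and a missing
    APP_ENV is treated as production. Asking for debug in production raises,
    so a forgotten variable cannot silently ship a debug build.
    """
    app_env = env.get("APP_ENV", "production").strip().lower()
    wanted = env.get("APP_DEBUG", "").strip().lower() in {"1", "true", "yes", "on"}
    if wanted and app_env == "production":
        raise RuntimeError("APP_DEBUG is enabled but APP_ENV is production")
    return wanted


def leaks_debug_report(body):
    """Return the debug-page markers found in an HTTP error response body.

    An empty list means the page looks like a plain error page; anything
    else is a sign that debug mode is on and the response should fail the
    deployment check.
    """
    lowered = body.lower()
    return [marker for marker in DEBUG_MARKERS if marker.lower() in lowered]


if __name__ == "__main__":
    # Typical use: settings.py calls resolve_debug(os.environ) at import time,
    # and a smoke test fetches a nonsense path and runs leaks_debug_report().
    print("DEBUG =", resolve_debug(os.environ))
    for name, body in (("safe", SAFE_404), ("leaky", LEAKY_404)):
        found = leaks_debug_report(body)
        print(f"{name}: {'OK' if not found else 'LEAK ' + ', '.join(found)}")
```

In a real deployment the smoke test would request a deliberately non-existent path on the staging or production host and refuse to promote the release if `leaks_debug_report()` returns anything, which turns the "is debug off?" question from something an admin has to be argued into checking into a step the pipeline enforces.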
Preparing Your Own
It is recommended that all staff, regardless of their role, attend a security workshop to ensure they have a thorough understanding of the fundamentals of security measures. This could help to prevent any potential security errors from occurring.
It is essential to create a security policy framework and incentivise its adoption. Unfortunately, behaviours that prioritise safety are not often rewarded. Those who demonstrate exemplary behaviour to promote a secure environment are rarely acknowledged, whereas those who make mistakes are frequently reprimanded.
In conclusion, human input is just as crucial to cyber security as it is to physical security. While technology is beneficial, it can only take us as far as our current techniques allow.