Ivan Shyshkou Archives - IBA Group - USA
https://us.ibagroupit.com/tag/ivan-shyshkou/
Feed generated: Mon, 14 Oct 2024 11:19:45 +0000

Insights on Mitigation of AI Security Risks in Modern Businesses
https://us.ibagroupit.com/insights/insights-on-mitigation-of-ai-security-risks-in-modern-businesses/
Mon, 29 Jul 2024 14:22:38 +0000

Introduction

Artificial Intelligence (AI) has become integral to many fields, enabling new solutions in software development, decision-making, and other business areas. Its use also brings security risks. In this article, we analyze these risks and their impact on businesses and the people who use AI, and show how companies can protect themselves and keep their AI systems secure.

AI Vulnerabilities and Threat Landscape

Deploying AI in new areas has opened new attack paths and exposed weaknesses in the applications and systems that embed it. These weaknesses are real: they can undermine the trust, reliability, and operation of AI systems, affecting both companies and individual users.

Here are some common examples of AI attacks:

  1. Input Attacks. These attacks manipulate the content fed into an AI system so that its output serves the attacker's objectives. Because an AI system receives inputs, performs computation, and returns outputs, a small, targeted change to the input can have disastrous consequences. Imagine a physical stop sign altered with a few stickers so that a self-driving car's classifier no longer recognises it as a stop sign.
  2. Poisoning Attacks. These corrupt the data used to train an AI system, causing it to misinterpret information and act erroneously. Such attacks target AI's primary sustenance, data: spoil the data, and you spoil the model.
  3. Risk of AI Theft. AI models may be stolen through network attacks, exploitation of existing vulnerabilities, or deception, by anyone from opportunistic hackers to corporate spies. Once attackers hold a model, they can modify and use it for harmful purposes, increasing the overall social risks associated with AI.

In addition, it is crucial not to overlook the security testing of web applications that either run proprietary AI or call third-party AI APIs. In our testing practice, we discovered vulnerabilities in such applications. To be more exact, there was a case when a client's application used OpenAI, a third-party AI service, to generate responses. We managed to bypass the limit on free generations, which allowed us to perform numerous generations every second. As a result, the client incurred service payment costs.

In another case, one could view other users' conversations with the AI and the results of their requests by cycling through chat IDs. Therefore, it is imperative to conduct regular security testing of web applications, and to use DevSecOps tooling that covers the AI components, to prevent such vulnerabilities and potential financial losses.
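The two findings above (an unenforced generation quota and chat IDs readable by anyone who iterates them) are both missing server-side checks. The following is an added example, not code from IBA Group or from the client application: an in-memory chat service with the insecure read kept for contrast, an ownership-checked read, and a generation endpoint that counts usage on the server before calling the metered model. The quota value, the window, and the model stub are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical free-tier quota; the real value is a business decision.
FREE_GENERATIONS_PER_WINDOW = 20
WINDOW_SECONDS = 3600


@dataclass
class Chat:
    chat_id: int
    owner: str
    messages: List[Tuple[str, str]] = field(default_factory=list)


class ChatService:
    """In-memory stand-in for the web app's data layer and model gateway (constructed)."""

    def __init__(self) -> None:
        self._chats: Dict[int, Chat] = {}
        self._usage: Dict[str, List[float]] = {}

    def create_chat(self, user: str) -> int:
        # Sequential IDs are guessable; that is only safe if every read enforces ownership.
        chat_id = len(self._chats) + 1
        self._chats[chat_id] = Chat(chat_id, user)
        return chat_id

    def get_chat_insecure(self, chat_id: int) -> Chat:
        """The IDOR from the case above: any caller can walk chat_id=1,2,3,... and
        read every user's conversation, because the owner is never checked."""
        return self._chats[chat_id]

    def get_chat(self, user: str, chat_id: int) -> Chat:
        """Hardened read: the record must exist AND belong to the caller. Missing and
        foreign chats raise the same error so IDs cannot be enumerated."""
        chat = self._chats.get(chat_id)
        if chat is None or chat.owner != user:
            raise PermissionError("chat not found")
        return chat

    def _quota_available(self, user: str, now: float) -> bool:
        # Sliding window: keep only timestamps inside the window, then compare.
        recent = [t for t in self._usage.get(user, []) if now - t < WINDOW_SECONDS]
        self._usage[user] = recent
        return len(recent) < FREE_GENERATIONS_PER_WINDOW

    def generate(self, user: str, chat_id: int, prompt: str,
                 now: Optional[float] = None) -> str:
        """Hardened generation endpoint: ownership check, then a server-side quota,
        then the metered upstream call. Counting on the server (not in the browser)
        is what stops the 'many generations per second' abuse."""
        now = time.time() if now is None else now
        chat = self.get_chat(user, chat_id)
        if not self._quota_available(user, now):
            raise RuntimeError("quota exceeded")
        self._usage[user].append(now)
        reply = self._call_model(prompt)
        chat.messages.append((prompt, reply))
        return reply

    @staticmethod
    def _call_model(prompt: str) -> str:
        # Stub for the paid third-party API call; constructed for the example.
        return "echo: " + prompt[:40]
```

The quota is a sliding window keyed by the authenticated user, so a client that ignores a UI-side limit still hits the server-side one; in production the `_usage` map would live in a shared store so that several app instances count the same user together.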

OWASP Machine Learning Security Top Ten List

It is essential here to mention the OWASP Machine Learning Security Top Ten, an initiative of the nonprofit OWASP Foundation. The list describes the ten most significant security issues in machine learning systems: for each, it explains the vulnerability, its potential impact, and recommended preventive measures. It is a practical guide to the security challenges of machine learning systems and aligns with the threat models discussed above.

For more detailed information, please refer to OWASP Machine Learning Security Top 10.

Here is the top five from the list:

  1. Input Manipulation Attack (ML01:2023): intentional modification of input data to deceive the model. It leads to incorrect classifications and can let attackers bypass security controls or damage the system.
  2. Data Poisoning Attack (ML02:2023): the attacker manipulates training data so that the model learns undesirable behaviour, producing incorrect predictions and decisions with serious repercussions, including the compromise of sensitive information and system integrity.
  3. Model Inversion Attack (ML03:2023): the attacker queries the model and uses its outputs to reconstruct information about the training data, potentially revealing sensitive records or attributes and so threatening user privacy and data security.
  4. Membership Inference Attack (ML04:2023): the attacker queries the model to determine whether a specific record was part of its training data; overfit models answer training records with noticeably higher confidence, and that gap is the signal exploited. For example, given a model trained on financial records, an attacker can submit an individual's record and infer from the response whether that person is in the dataset, which is itself sensitive information about that person. The result is a loss of confidentiality and potential legal and reputational damage.
  5. Model Stealing Attack (ML05:2023): the attacker, say a competitor, obtains the model's parameters or reconstructs them by querying the model. For instance, attackers might extract a company's valuable machine learning model and use a copy for their own purposes, causing significant financial and reputational loss. The impact affects both the confidentiality of the training data and the reputation of the organization that developed the model.
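To make the ML04 mechanism concrete, here is an added example that is not part of the OWASP list or of the original article: a membership inference attack in its confidence-threshold form against a deliberately overfit model. The "financial records" are constructed two-feature tuples, the model is a 1-nearest-neighbour classifier chosen because it overfits perfectly, and the 0.99 threshold is an assumption; the attacker needs only black-box query access.

```python
import math
from typing import List, Tuple

Record = Tuple[float, float]  # (normalised income, normalised debt ratio); constructed features

# Constructed "financial records" used as training data; label 1 = loan approved.
TRAIN: List[Tuple[Record, int]] = [
    ((0.90, 0.10), 1),
    ((0.20, 0.80), 0),
    ((0.60, 0.40), 1),
    ((0.30, 0.70), 0),
]


class OverfitModel:
    """1-nearest-neighbour classifier: confidence = 1 / (1 + distance to the nearest
    training point). A training record is its own nearest neighbour, so it is
    answered with confidence exactly 1.0, which is the leak the attack exploits."""

    def __init__(self, train: List[Tuple[Record, int]]) -> None:
        self._train = train

    def predict_proba(self, x: Record) -> Tuple[int, float]:
        label, best = self._train[0][1], math.inf
        for rec, lab in self._train:
            d = math.dist(rec, x)
            if d < best:
                label, best = lab, d
        return label, 1.0 / (1.0 + best)

    def predict_label(self, x: Record) -> int:
        """Defended API surface: return the label only, so there is no confidence
        score for the attacker to threshold on."""
        return self.predict_proba(x)[0]


def is_member(model: OverfitModel, x: Record, threshold: float = 0.99) -> bool:
    """Attacker side (black-box): query with the candidate record and call it a
    member if the returned confidence is above the threshold."""
    _, conf = model.predict_proba(x)
    return conf >= threshold


def attack_advantage(model: OverfitModel, members: List[Record],
                     non_members: List[Record], threshold: float = 0.99) -> float:
    """How well the attack separates the two sets: true-positive rate minus
    false-positive rate (1.0 is a perfect leak, 0.0 is no better than guessing).
    Useful as a pre-release check on your own model."""
    tpr = sum(is_member(model, m, threshold) for m in members) / len(members)
    fpr = sum(is_member(model, n, threshold) for n in non_members) / len(non_members)
    return tpr - fpr
```

Real models are not this extreme, but the same measurement (confidence or loss on known members versus held-out records) is how membership leakage is audited; returning labels only, rounding confidences, regularising, or training with differential privacy all shrink the gap.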

Securing AI: Measures and Strategies

Protection against these multifaceted threats requires comprehensive security measures. These include close monitoring of AI services, regular checks for suspicious activity, and fixing vulnerabilities in the code. Threat modelling tools such as OWASP Threat Dragon and pytm help enumerate the attack surface up front; monitoring and log pipeline tools such as Zabbix and Logstash support the ongoing checks.

To prevent undesirable outcomes, inputs to the model and outputs from it must be validated in the application itself (length and type limits, allow-lists, and filtering of generated content before it reaches users or downstream systems). Back this with SAST, DAST, IAST, RASP, and SCA tooling, for example Acunetix, OWASP ZAP, and Burp Suite for dynamic testing and Black Duck for software composition analysis, and route findings and alerts to an on-call tool such as PagerDuty. Organizations should also train their staff in best practices for using AI and write security policies that govern its use.

Data security is another critical aspect of AI security. Consolidated personal data must be stored in secure environments to prevent unauthorized access, and data management should avoid associating stored data directly with users. Preventing user data from entering training datasets, and limiting the volume and retention period of stored data to the minimum, are also essential steps in mitigating leaks. Secrets and credentials belong in a secrets manager such as Vault, and the development environment should itself be protected, for example behind an identity-aware access proxy such as Cloudflare's.

The quality of AI recommendations depends largely on the quality of the training data. Systems trained on unreliable or biased data produce incorrect recommendations that can adversely affect many sectors. Organizations must actively manage the data used for AI training, analyze it for errors and biases, and continuously update and audit their models. Quality control of AI outputs allows erroneous decisions to be detected and corrected promptly.

IBA Group’s Expertise in AI Security

IBA Group is always ready to help you keep your AI applications safe. Our skilled team excels not only in AI protection but also in providing a range of security services. These include helping with secure development, testing for security vulnerabilities, checking for security risks, training your employees in security, and many other aspects. Do not hesitate to contact us, and let’s team up to strengthen your AI projects and keep things safe and secure.

Cloud Security Pitfalls: Understanding and Overcoming Common Threats
https://us.ibagroupit.com/insights/cloud-security-pitfalls-understanding-and-overcoming-common-threats/
Mon, 29 Jul 2024 14:22:38 +0000

Introduction

The advent of cloud computing has ushered in a new era of technological advancement, reshaping the way organizations approach data management and information technology. With cloud technologies becoming increasingly pervasive, their adoption has transcended geographical boundaries, offering businesses a versatile and scalable framework for their operations. In the era of widespread integration, when cloud technologies have become a cornerstone of digital transformation, the imperative for robust security measures has never been more evident.

The prevalence of cloud technologies is borne out by adoption statistics. Recent studies indicate that over 80% of businesses actively use cloud services. Companies predominantly store employee data (44%) and customer data (44%) in cloud storage, and about 80% of companies adopt a hybrid approach combining public and private clouds.

Cloud services offer on-demand access to computing resources, rapid deployment of applications, and reduced infrastructure maintenance costs. However, cloud security remains a paramount concern, because it means entrusting sensitive data and valuable applications to a third-party provider. This article deals with the complexities of cloud security, exploring common vulnerabilities, effective strategies, and best practices for maintaining a secure cloud infrastructure, drawing on IBA's extensive experience and findings in the domain.

Key Cloud Security Challenges

As organizations embark on the transformative journey of adopting cloud technologies, the spotlight on security becomes more intense. Seamless integration of cloud solutions demands meticulous attention to safeguarding digital assets and sensitive information. Apart from the promises of efficiency and innovation, firm commitment to addressing key cloud security challenges becomes imperative. Below follow some of the most common security challenges.

Misconfiguration. Misconfigurations stemming from human error or lack of understanding can expose cloud resources: default accounts and passwords left in place, monitoring and logging disabled, insecure automated backups, and unrestricted access to ports beyond HTTP/HTTPS. The root cause is typically people: in 2022, 82% of breaches involved the human element, and according to Check Point Research, misconfiguration was the primary cloud security concern in 2022, cited by about 59% of respondents.

Breach of Access Control. Unauthorized access to confidential and personal data in the cloud can occur when access to an API is meant to be restricted to a single host, yet another instance with a privileged service account attached can reach it as well. Weak password policies make password guessing easier, and an account that does not enforce MFA for all users makes it easier still for attackers to get in. Permissions granted to the public principals allUsers or allAuthenticatedUsers expose data to anyone, which is a serious risk when the data are sensitive. It is crucial to restrict anonymous and public access, especially to Cloud KMS cryptographic keys, to prevent unintended data exposure.

Insecure Sensitive Data Storage. Keeping passwords in plaintext inside Docker images or containers is a common risk. Storing API keys, encryption credentials, and other secrets in plaintext anywhere in the cloud environment lets an attacker who gains a foothold escalate privileges easily; credentials should be kept in a secrets manager and encrypted at rest. According to the findings, only 45% of cloud data is currently encrypted on average.

Over-permissive or Insecure Network Policies. Missing cluster ingress controls allow unregulated communication among pods, and unrestricted internet access on any port heightens the potential for lateral movement and external attack, raising overall risk.

Granting the Editor role to a service account provides sweeping privileges across the project and contradicts security best practice. Such roles should be assigned judiciously, to minimize the risk of unauthorized access and system compromise; 16% of attacks begin with valid accounts.
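The two access-control mistakes just described (public principals on a binding, and basic roles such as Editor held by a service account) can be checked mechanically from the project's IAM policy. The following is an added example, not IBA Group's tooling: it audits a policy document in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. The policy itself is constructed, and the project, account, and group names are invented.

```python
import json
from typing import Dict, List

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed policy in the shape returned by `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudkms.cryptoKeyDecrypter",
     "members": ["allAuthenticatedUsers", "user:ops@example.com"]},
    {"role": "roles/logging.viewer", "members": ["group:sec@example.com"]}
  ],
  "etag": "BwXyZ123",
  "version": 1
}
""")

Finding = Dict[str, str]


def find_public_bindings(policy: Dict) -> List[Finding]:
    """Any role granted to allUsers or allAuthenticatedUsers is reported, whatever
    the role; on a KMS key or a bucket this is the unintended exposure from the text."""
    out: List[Finding] = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                out.append({"role": binding["role"], "member": member, "severity": "HIGH"})
    return out


def find_basic_roles_on_service_accounts(policy: Dict) -> List[Finding]:
    """Basic roles (owner/editor/viewer) span every service in the project, so a
    service account holding one has far more than its workload needs."""
    out: List[Finding] = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                out.append({"role": binding["role"], "member": member, "severity": "HIGH"})
    return out


def audit_policy(policy: Dict) -> List[Finding]:
    # Bindings that carry an IAM condition are reported too: a condition narrows
    # a public grant but does not make it private.
    return find_public_bindings(policy) + find_basic_roles_on_service_accounts(policy)
```

Run the same audit at bucket and KMS key level as well as the project level, since each resource carries its own policy and a public binding on a single bucket is enough for exposure.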

Ineffective Logging and Monitoring, and Lack of Policy and Incident Response. Attackers exploit this by obtaining credentials with maximal access rights. They can then explore the internal infrastructure without bothering to hide, add the account they hold to every group they can reach, and locate credentials for other services in the cloud and on external platforms. They may also drop dummy malware files and manipulate data in storage, posing a significant threat to overall system security.

It is imperative to detect and respond to such situations promptly. The longer attackers remain undetected, the greater the damage they can inflict; early detection and immediate response are crucial to limiting it.

Strategies for Ensuring Comprehensive Cloud Security

It is important to adopt a series of interrelated best practices to guarantee reliable protection. Further follows an overview of possible approaches to data protection.

1. Establishment of a comprehensive identity and access management (IAM) system. IAM is the gatekeeper for cloud resources, enforcing strict verification, including multi-factor authentication, before access is granted.

2. Regular inspection of the cloud infrastructure (security assessments), which helps to pinpoint and resolve hazards such as configuration errors or outdated systems. This includes reviewing the permissions of each compute service account's custom role against the principle of least privilege.

3. The zero-trust principle, a key tactic in contemporary cloud security. It assumes that trust is never implied, regardless of where a request originates; access is granted only after rigorous validation, reducing the risk of both internal and external intrusions.

4. Implementation of a secrets management solution. Deploy a robust secrets manager such as HashiCorp Vault for tokens, passwords, and API keys, and ensure that secrets are never hard-coded in source code, container images, or configuration files.
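Moving secrets into a manager only helps if the old plaintext copies stop reappearing in Dockerfiles and config (the "passwords in plaintext inside Docker containers" finding earlier in this article). The following is an added example, not IBA Group's or HashiCorp's code: a small pre-commit style scan that flags literal credentials but accepts the two safe indirections, an environment reference and a Docker secret mount. The Dockerfile is constructed; the AWS key ID is the documented example value, not a real credential, and the pattern list is a deliberately small assumption.

```python
import re
from typing import List, Tuple

# Well-known secret shapes. Keep the list small and precise; noisy scanners get ignored.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential_assignment",
     re.compile(r"(?i)(?:password|passwd|secret|token|api_key)\s*[=:]\s*['\"]?([^\s'\"]{4,})")),
]

# Values that are indirections, not literals: env references and Docker secret mounts.
SAFE_VALUE = re.compile(r"^\$|^/run/secrets/")

# Constructed Dockerfile: lines 2 and 4 are the mistakes, lines 3 and 5 are the fixes.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV DB_PASSWORD=Sup3rS3cret!
ENV DB_PASSWORD=${DB_PASSWORD}
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
RUN echo "password: /run/secrets/db_password" > /app/config.yml
COPY . /app
"""

Finding = Tuple[int, str, str]  # (line number, pattern name, matched value)


def scan_text(text: str) -> List[Finding]:
    """Return one finding per (line, pattern) where a literal secret is present."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if SAFE_VALUE.match(value):
                continue  # references a secret store, not a secret
            findings.append((lineno, name, value))
    return findings


def redact(findings: List[Finding]) -> List[str]:
    """Report lines for CI output; the secret itself is never echoed back in full."""
    return [f"line {n}: {name} ({value[:4]}...)" for n, name, value in findings]
```

Wire `scan_text` into the commit hook or CI job that builds the image, and fail the build on any finding; the same scan over `docker history` output catches secrets baked into earlier layers.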

5. Data encryption and backup. Encrypting data at rest and in transit preserves its confidentiality and integrity against unauthorized access and breaches. Consistent backups guard against data loss from cyber-attacks and system failures alike.

6. Vulnerability scanning, which uses specialized software to scan systems automatically for known vulnerabilities. Unlike the manual, in-depth approach of ethical hacking, vulnerability scanning provides a broader, ongoing review of the cloud environment.

7. Defined responses to suspicious activity by high-privileged principals. Define clear incident response procedures for when Event Threat Detection identifies suspicious activity involving high-privileged accounts. Automate response actions where possible, such as revoking credentials or isolating affected resources. Train the security team to respond to high-severity findings, which may indicate unauthorized access to privileged groups or roles. Use tools such as Security Command Center to monitor and alert on suspicious bucket access patterns.
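The escalation pattern described under "Ineffective Logging and Monitoring" (a compromised principal granting itself or others more access) shows up in the Cloud Audit Log as a SetIamPolicy entry with ADD deltas. The following is an added example, not IBA Group's detection content and not a Security Command Center rule: a detection over constructed log entries whose shape follows the SetIamPolicy audit-log layout (protoPayload.serviceData.policyDelta.bindingDeltas). The principals, project, timestamps, and the list of roles treated as high-privilege are assumptions.

```python
import json
from typing import Dict, List

HIGH_PRIV_ROLES = {
    "roles/owner", "roles/editor", "roles/iam.securityAdmin",
    "roles/resourcemanager.projectIamAdmin", "roles/iam.serviceAccountTokenCreator",
}

# Constructed entries, one JSON object per line. Values are made up; the
# nesting follows the SetIamPolicy audit-log layout.
SAMPLE_LOG = """\
{"timestamp": "2024-07-29T14:00:01Z", "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "ci-bot@example-project.iam.gserviceaccount.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "serviceAccount:ci-bot@example-project.iam.gserviceaccount.com"}]}}}}
{"timestamp": "2024-07-29T14:00:02Z", "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "admin@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/editor", "member": "user:contractor@example.com"}]}}}}
{"timestamp": "2024-07-29T14:00:03Z", "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "admin@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "REMOVE", "role": "roles/owner", "member": "user:leaver@example.com"}]}}}}
{"timestamp": "2024-07-29T14:00:04Z", "protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "ci-bot@example-project.iam.gserviceaccount.com"}, "resourceName": "projects/_/buckets/backups/objects/db.sql"}}
"""


def parse_entries(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_privilege_grants(entries: List[Dict]) -> List[Dict[str, str]]:
    """Flag ADD deltas for high-privilege roles. A principal granting a role to
    itself is the self-escalation pattern from the text and is rated CRITICAL;
    REMOVE deltas and non-IAM calls are ignored."""
    alerts: List[Dict[str, str]] = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if "setiam" not in payload.get("methodName", "").lower():
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") != "ADD" or delta.get("role") not in HIGH_PRIV_ROLES:
                continue
            member = delta.get("member", "")
            self_grant = member.split(":", 1)[-1] == actor  # strip the "serviceAccount:" prefix
            alerts.append({
                "timestamp": entry.get("timestamp", ""),
                "severity": "CRITICAL" if self_grant else "HIGH",
                "actor": actor,
                "role": delta["role"],
                "member": member,
                "reason": "self-grant of high-privilege role" if self_grant
                          else "high-privilege role granted",
            })
    return alerts
```

A CRITICAL alert here is the trigger for the automated response the text recommends: remove the new binding, disable or rotate the actor's keys, and only then investigate how the principal was obtained.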

Conclusion

The multifaceted nature of cloud services challenges system security and requires comprehensive, dynamic strategies against evolving threats. This calls for high-quality training of employees not only in using cloud services but also in working with them safely.
Under the shared responsibility model, Cloud Service Providers (CSPs) secure the underlying infrastructure, while customers remain responsible for how they configure and use it; that customer-side configuration is what must be validated regularly through penetration testing and red teaming.

If you are facing challenges in securing your cloud environment, IBA Group is here to help. We have a proven track record of delivering successful Red Team and cloud security projects. Our expertise in cloud security is tailored to meet the specific needs of each client.

If you are interested in bolstering your cloud security, leave us an inquiry, and let’s explore how IBA Group can provide the security solutions you need.

2024 Cyber Threat Landscape: a Business Navigation Guide
https://us.ibagroupit.com/insights/2024-cyber-threat-landscape-a-business-navigation-guide/
Mon, 29 Jul 2024 14:22:38 +0000

Introduction

In an era where digital transactions and communications form the backbone of most businesses, the threat landscape has grown increasingly sophisticated, posing significant challenges to both cloud and on-premises environments. A 2023 report by Statista highlights the pervasiveness of these threats: phishing remains the most common form of security breach, affecting 74 percent of companies in their on-premises operations. The data also show a notable prevalence of user account compromise in the cloud, encountered by 27 percent of respondents, slightly below the 31 percent facing similar threats in their office networks.

Cyber Threats Businesses Face Today

The evolution of cyber threats has been marked by the increased personalization of phishing scams. Personalized scams leverage artificial intelligence (AI) to craft highly convincing fake messages. This represents a significant shift from the generic, easily spotted phishing attempts of the past.

Ransomware attacks, known for their disruptive potential, have also advanced, employing more complex encryption methods that target not just the information technology infrastructure but also operational technology (OT) environments, thus broadening their impact.

Another rising threat is supply chain attacks, in which attackers exploit vulnerabilities in the interconnected web of third-party vendors and software, a reflection of the increasingly complex ecosystems in which businesses operate.

New Threats

Among the newest fronts in the cyber threat landscape are AI-powered attacks. Cybercriminals are now using AI to automate the creation of attacks, significantly enhancing the speed and adaptiveness of threats. This development, alongside the use of deepfakes and AI-generated content for impersonation and fraud, introduces unique challenges in authenticating identities and information.

The advent of quantum computing looms as a future threat: a sufficiently large quantum computer could break today's public-key cryptography (RSA and elliptic-curve schemes), which is prompting businesses to evaluate post-quantum (quantum-resistant) algorithms.

Moreover, the increasing adoption of blockchain technology and smart contracts has opened new avenues for exploitation, with vulnerabilities potentially leading to the theft of cryptocurrencies or manipulation of decentralized applications (dApps).

Impact of Cyber Attacks on Businesses and Customers

The repercussions of cyberattacks extend far beyond immediate financial losses and operational disruptions. They can inflict lasting damage on a company’s reputation, eroding the trust and confidence of customers and business partners. This is particularly concerning in instances where breaches result in the theft of personal data, raising the specter of identity theft, financial fraud, or the sale of sensitive information on the dark web.

A notable instance in 2023 involved the U.K.’s Royal Mail, which faced a ransomware attack leading to the encryption of crucial files and a six-week halt in international shipments. Despite refusing to pay the demanded $80 million ransom and subsequent lower demands, the incident cost over $12 million in remediation work and security improvements.

Data Protection Strategies for Companies

In response to these challenges, it is advisable that companies adopt a multifaceted approach to cybersecurity. Implementing Multi-Factor Authentication (MFA), conducting regular security audits and penetration testing, and fostering employee awareness about phishing and social engineering attacks are fundamental steps. Additionally, regular data backups and the adoption of a Zero Trust architecture, which assumes no entity within or outside the network is trusted by default, can further bolster defenses. Keeping abreast of the advanced technologies and implementing the latest security patches is also crucial.

The development of a comprehensive cybersecurity plan is essential for businesses to navigate the threat landscape effectively. Such a plan should encompass a multi-layered approach, including risk assessment, security policy formulation, technical controls, continuous monitoring, and employee education. Regular reviews and updates are necessary to ensure the plan remains relevant in the face of evolving threats.

Business Sectors Most Susceptible to Cyber Threats

Certain business sectors are particularly vulnerable to cyber threats due to the valuable data they hold or the critical services they provide. The healthcare sector is a prime target because of the sensitive personal health information (PHI) it manages, which can include everything from patient medical records to billing information. Financial services firms are also at high risk, as they are targeted for both direct financial gain and the sensitive customer data they possess, including account details and transaction histories. Retail and e-commerce businesses, with their rich sources of payment and personal data, are attractive targets for cybercriminals looking to commit fraud or identity theft. Meanwhile, the manufacturing sector and critical infrastructure are increasingly subjected to espionage, sabotage, or ransomware attacks aimed at disrupting supply chains and causing significant operational damage.

These sectors’ attractiveness to cybercriminals underscores the pressing need for robust cybersecurity measures to protect against potential breaches and attacks.

New Cybersecurity Trends & Impact on Business

Increased Use of AI and Machine Learning. Businesses are increasingly leveraging AI and ML for both defensive strategies and prediction of potential cyber threats. However, this technological advancement also means that attackers are utilizing AI to craft more sophisticated attacks, presenting a continuous arms race in cybersecurity capabilities.

Regulatory Evolution in AI and ML. The landscape of cybersecurity regulation is evolving, with significant legislative actions in the EU and executive orders in the U.S. focusing on establishing ethical frameworks for AI and ML use. These regulations aim at transparency, public welfare, and ensuring that AI development aligns with the public interest, setting a precedent for global AI governance trends.

Rising Complexity of Ransomware. Ransomware attacks are anticipated to grow in sophistication, with cybercriminals targeting cloud environments and backup data stores to maximize their extortion efforts. This shift is largely due to the increased digitization of business operations and the storage of sensitive data in the cloud.

Sophisticated Attack Techniques. Cybercriminals are employing advanced techniques to evade traditional security measures, including polymorphic malware and advanced persistent threats (APTs). These methods allow malicious software to change its code to avoid detection and remain hidden within networks for extended periods.

Targeted Ransomware Attacks. Moving away from indiscriminate attacks, there is a noticeable trend towards targeted ransomware attacks. Cybercriminals are focusing on specific industries, organizations, or countries, using ransomware tailored to exploit particular vulnerabilities. This strategy enables attackers to demand higher ransoms from entities with critical infrastructure or sensitive data.

Integration of Ransomware with Other Threats. Ransomware attacks are becoming more complex by integrating with other cyber threats, such as through sophisticated phishing campaigns or as a secondary phase following an initial breach by different malware. This multifaceted approach significantly complicates the detection and mitigation of attacks.

Adoption of Privacy-Enhancing Computation Technologies. In response to growing data privacy concerns, the adoption of Privacy-Enhancing Computation (PEC) technologies has become crucial. These technologies protect data during processing, enabling businesses to analyze and utilize data without exposing sensitive information, a key strategy in today’s data-driven world.

Stringent Data Protection Regulations. Data protection laws are becoming increasingly stringent, requiring businesses to adopt more transparent and secure data handling practices. Privacy by design and by default are becoming regulatory mandates, pushing organizations towards technologies that minimize personal data use while preserving functionality.

Sector-Specific Cybersecurity Standards. Governments are recognizing the unique vulnerabilities and threats faced by critical infrastructure sectors, such as finance, healthcare, energy, and telecommunications. In response, sector-specific cybersecurity standards are being implemented, mandating robust security measures, regular assessments, and incident reporting to bolster defenses against cyber threats.

These trends underscore the dynamic nature of the cybersecurity landscape, highlighting the need for businesses to remain vigilant, adaptable, and proactive in their security strategies. With this in mind, they will be able to navigate the challenges ahead effectively.

Role of Intelligence Gathering in Hacking
https://us.ibagroupit.com/insights/role-of-intelligence-gathering-in-hacking/
Mon, 29 Jul 2024 14:22:00 +0000

Intelligence is the product of collecting, collating, evaluating, analyzing, integrating, and interpreting information. Information gathering is the first step of hacking. At this stage, attackers formulate the purpose of the attack and the idea of how to carry it out, and identify potential weaknesses for further action, down to the names of employees and the templates of internal mail.

We distinguish between active and passive intelligence, which differ in how information is obtained. With passive intelligence, attackers investigate publicly available sources and never interact with the target. With active intelligence, the attacker's tools interact directly with the target. Active intelligence yields more data useful for an attack, but the target may notice the activity. Both approaches are used in penetration testing.

What are they looking for in the course of intelligence?

If the target is a particular person, an attacker might gather information through a passive search:

  • Physical location
  • Social media profiles
  • Email addresses, nicknames, aliases, infrastructure owned by the user, such as servers and domain names
  • Biography information, including criminal records, licenses, and jobs via official databases or professional organizations
  • Publications, including articles, blog posts, and news releases
  • Phone number, type of the mobile device the person uses

In case of a corporation or an organization, an attacker is interested in:

  • Identifying the focus and types of work performed
  • Infrastructure in use, including IP address ranges, network devices, firewalls and other protective measures, technologies, and server types
  • Information from open devices, such as surveillance cameras, routers, servers, and online repositories
  • Information about clients and partners
  • Mail templates
  • Public documents, marketing strategies, and financial technologies
  • Information about financial performance from reports, financial statements, and purchases and sales

In case of active intelligence, the targets are as follows:

  • Information about the target device, the devices connected to it, and other devices on the network
  • Information about open ports, the version and type of the operating system, running services, and discovery of new hosts
  • Subdomains, hidden pages, configuration files, and backup files
  • Meta information, comments, error texts, and response headers
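Active intelligence is only as good as what the attacker extracts from the responses, and the last bullet (meta information, comments, error texts, response headers) is where most of the fingerprint comes from. The following is an added example, not IBA Group's code: it parses one raw HTTP response into a technology fingerprint, the way a reconnaissance script would. The response is constructed, with deliberately typical leaks (version headers, a generator tag, a developer comment naming a backup file, and a database error). A defender can run the same function against their own sites, which is the "conduct intelligence on your own" advice further down.

```python
import re
from typing import Dict, List, Tuple

FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")
ERROR_MARKERS = ("traceback", "stack trace", "exception", "ora-", "mysql", "warning:")

# Constructed raw HTTP response; every leak in it is deliberate.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4">\n'
    "<!-- TODO: remove /backup/db-2024-01.sql before launch -->\n"
    "</head><body>Warning: mysql_connect(): Access denied in /var/www/html/wp-db.php"
    "</body></html>"
)


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw response into status line, lower-cased header map, and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(raw: str) -> Dict[str, List[str]]:
    status, headers, body = parse_response(raw)
    fp: Dict[str, List[str]] = {"status": [status], "technologies": [], "comments": [],
                                 "paths": [], "error_leaks": []}
    # 1. Version-bearing headers (server, language runtime, proxies)
    for h in FINGERPRINT_HEADERS:
        if h in headers:
            fp["technologies"].append(f"{h}: {headers[h]}")
    # 2. Generator meta tag (CMS and version)
    for m in re.finditer(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)', body, re.I):
        fp["technologies"].append("generator: " + m.group(1))
    # 3. HTML comments, a classic source of internal notes and paths
    fp["comments"] = [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)]
    # 4. Absolute paths anywhere in the body (backup files, filesystem layout)
    fp["paths"] = sorted(set(re.findall(r"""(?<=[\s"'(])/(?:[\w.-]+/)*[\w.-]+""", body)))
    # 5. Error text that reveals the stack behind the page
    low = body.lower()
    fp["error_leaks"] = [marker for marker in ERROR_MARKERS if marker in low]
    return fp
```

Each bucket of the result maps to a next step for the attacker (look up the Apache and PHP versions, request the backup file, probe the database) and to a fix for the defender (strip version headers and the generator tag, remove comments from production templates, turn off verbose error display).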

Intelligence Role

Based on the investigation, attackers decide on the next steps. Knowing the types and versions of software in use, they select appropriate tools and payloads. Having identified email templates and employees' addresses, they prepare phishing attacks, which are especially effective when they also know what is going on inside the organization and how its processes work. Having found open ports, they probe the exposed services. Knowing where users are located, they choose suitable password lists. If they detect an additional resource that is less secure than the main one, they route the attack through it.

Knowledge of the target shortens the time an attacker has to spend interacting with the system. That matters because defensive tooling is constantly improving and may detect an attempt and alert the responsible team, and because attackers rarely have time to try every possible tool and payload. Intelligence therefore raises the chance of success by reducing exposure. Even where no reliable detection exists, every interaction leaves traces that an administrator may notice if the attacker blindly throws every available technique at the resource. Finally, intelligence can show whether further effort is worthwhile at all: the payoff may not justify the work.

What can you do to reduce the chances of attacks?

– Conduct intelligence on your own

Find out what data are available on the network and assess their threat to the security of your company

– Organize regular training of employees

An untrained and careless employee has always been the weakest link in any security system. Therefore, it is necessary to conduct regular training of employees. This will contribute to reducing chances of attacks, as well as to the employees’ awareness of how to act in case of any suspicious activity.

– Conduct cybersecurity audits

Systematic checks of programs, services, ports, networks, and infrastructure are a must. They will make it possible to identify weaknesses and vectors of attacks on systems, reduce risks in case of attacks, and respond to incidents faster.
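"Conduct intelligence on your own" starts with looking at what your public-facing systems hand out to anyone who asks. The list at the top of this post names response headers, meta information, comments and error texts as what an attacker collects, and the following script checks a single captured HTTP response for exactly those leaks. It is an added example, not IBA Group's code or tooling; the sample response it scans is constructed for the illustration and the header and pattern lists are an illustrative subset chosen for this example.

```python
"""Self-assessment of what a single HTTP response reveals to a reconnaissance
scan: version-bearing headers, HTML comments, verbose error text and absent
hardening headers. Added example, not IBA Group code; the sample response
below is constructed and was not captured from any real system."""
import re

# Constructed sample, as an operator would capture it with `curl -i` against
# their own staging server. It deliberately leaks several things at once.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><!-- staging db host: db-test.internal, remove before release -->\n"
    "<body>Warning: mysqli_connect(): (HY000/1045): Access denied for user "
    "'app'@'localhost' in /var/www/html/config.php on line 12</body></html>\n"
)

# Headers that commonly carry a product version string.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                   "x-aspnetmvc-version", "x-generator")
# Body fragments typical of stack traces and framework error pages.
ERROR_PATTERNS = (
    (r"\bon line \d+", "PHP error with source line"),
    (r"Traceback \(most recent call last\)", "Python traceback"),
    (r"\bat [\w$.]+\([\w.]+:\d+\)", "Java stack frame"),
    (r"(?:/var/www|/home/|/opt/|[A-Za-z]:\\)[\w\\/.-]*", "absolute filesystem path"),
)
# Headers whose absence is itself a finding during a self-assessment.
HARDENING_HEADERS = ("strict-transport-security", "content-security-policy",
                     "x-content-type-options")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_leaks(raw):
    """Return (category, detail) findings for one response."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in VERSION_HEADERS:
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(("version header", f"{name}: {value}"))
    for comment in re.findall(r"<!--(.*?)-->", body, re.S):
        findings.append(("html comment", comment.strip()))
    for pattern, label in ERROR_PATTERNS:
        for match in re.finditer(pattern, body):
            findings.append(("verbose error", f"{label}: {match.group(0)}"))
    for name in HARDENING_HEADERS:
        if name not in headers:
            findings.append(("missing hardening header", name))
    return findings


if __name__ == "__main__":
    for category, detail in find_leaks(SAMPLE_RESPONSE):
        print(f"[{category}] {detail}")
```

Run against the sample, the script reports two version headers, one HTML comment, two fragments of a verbose PHP error (the source line and the absolute path of config.php) and three missing hardening headers. Each finding maps to a concrete fix on the server side: hide version strings, strip comments from production templates, turn off display of errors, and add the missing headers.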

Conclusion

In the rapidly evolving security landscape, intelligence provides a crucial advantage, minimizing system vulnerability. By embracing a holistic cybersecurity approach that integrates intelligence gathering, organizations can enhance their resilience against dynamic threats and protect their digital assets.

At IBA Group, we are committed to delivering comprehensive cybersecurity solutions. Our services encompass cutting-edge penetration testing, where we replicate real-world attacks to identify vulnerabilities and reinforce defenses. Moreover, we prioritize human-centric security by offering customized training to empower personnel against social engineering and phishing threats, two prevalent risks in the digital era.

Stay tuned for more cybersecurity insights and explore the first, second, and third parts of our series for comprehensive coverage.

Phishing and How to Identify It
https://us.ibagroupit.com/insights/phishing-and-how-to-identify-it/ (published Mon, 29 Jul 2024 14:21:26 +0000)

Phishing is a type of internet fraud in which an attacker tries to steal confidential user data by any available means. Phishing is the simplest cyberattack method, yet it is one of the most dangerous and effective. Using various examples of phishing emails, we will explain how to identify and avoid phishing scams.

What danger does phishing pose?

Phishing attacks are especially dangerous because they target a person, and it is impossible to be fully protected from them. It is therefore advisable, indeed necessary, to conduct regular workshops or other training programs in companies to raise employees' awareness of information security.

Phishing techniques are constantly changing and growing in sophistication. If a user 'takes the bait' and follows a phishing link, he or she is directed to a website that imitates a legitimate internet resource. There, the user is asked to log in with an account name and password. As soon as they do, their credentials fall into the hands of the attackers, who then use them to steal confidential information.

Phishing mailings are mainly used for the following two purposes:

  • To steal confidential information from a person, without arousing suspicion, using the body of the letter and input fields (for example, on a phishing site or in a program that imitates internal corporate software)
  • To trick the user into downloading a file (from a letter, a website, or a torrent) and doing something with it (for example, launching an application, opening a document in Word, or enabling macros), again without arousing suspicion. The downloaded malicious file can then exploit vulnerabilities in the user's system and steal data

How to identify phishing?

There are several signs that can help you understand that you are dealing with a phishing email, website or message:

  • Domain. In phishing, the domain name of the site where users are asked to enter their data closely resembles the original one, but if you study it carefully, you can spot the differences. For example, the lowercase letter 'l' used in place of the capital letter 'I' in a domain name is practically indistinguishable. An inexperienced user may not notice the substitution, and the attackers count on this.
  • Contents of the letter. As a rule, both the subject of the letter and its contents are composed in such a way so as to exert psychological pressure on the recipient. They provoke the victim to follow the phishing link without delay and with no questions asked in order to pay a fine, extend a domain, collect winnings, delete compromising materials, etc.
  • Appearance of the letter. If the letter contains a lot of grammatical errors or an outdated company logo, then it is highly possible that it is phishing. It is also worth paying attention to how the sender of the letter addresses the recipient. If the greeting begins with an impersonal address, for example, Dear friend, or the recipient’s email address is indicated, then most likely the letter is phishing and attackers use mass mailing.
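The domain check above can be automated for a mail gateway or a browser extension: reduce every domain to the shape a reader perceives and compare it with the domains the organization trusts. The script below is an added example and not part of the original article or any IBA Group product; TRUSTED_DOMAINS is a constructed allow-list, and the confusable-character tables are a small illustrative subset rather than a complete Unicode confusables database. It goes slightly beyond the 'l' versus 'I' case in the text by also handling digit substitutions, Cyrillic look-alikes in internationalized (punycode) names, one-character typos, and a trusted brand name used as a subdomain of an unrelated domain.

```python
"""Flag look-alike domains in links before a user acts on them. Added example,
not part of the original article; TRUSTED_DOMAINS is a constructed allow-list
and the confusable tables are a small illustrative subset."""
import unicodedata
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"ibagroupit.com", "microsoft.com", "paypal.com"}

# Single characters that render alike in common fonts, mapped to one canonical
# form. Cyrillic letters are included because internationalized domain names
# can mix scripts.
SINGLE_CONFUSABLES = str.maketrans({
    "1": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})
# Character pairs that read as one letter ("rn" looks like "m").
PAIR_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def skeleton(domain):
    """Collapse a domain to the shape a reader perceives, so that
    'paypaI.com' (capital I) and 'paypal.com' compare equal."""
    if "xn--" in domain:  # punycode form of an internationalized name
        domain = domain.encode("ascii").decode("idna")
    domain = unicodedata.normalize("NFKC", domain)
    domain = domain.replace("I", "l").lower()  # the I-versus-l trick from the text
    domain = domain.translate(SINGLE_CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        domain = domain.replace(pair, single)
    return domain


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive eTLD+1: the last two labels (adequate for .com-style names;
    a public-suffix list would be needed for names like example.co.uk)."""
    return ".".join(host.strip(".").split(".")[-2:])


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', a description of the look-alike found, or 'unknown domain'."""
    domain = registrable(host)
    if domain.lower() in trusted:
        return "trusted"
    shape = skeleton(domain)
    subdomain_labels = host.lower().split(".")[:-2]
    for good in trusted:
        if shape == skeleton(good):
            return f"homoglyph lookalike of {good}"
        if levenshtein(shape, good) == 1:
            return f"typosquat of {good}"
        brand = good.split(".")[0]
        if brand in subdomain_labels:
            return f"brand '{brand}' used as a subdomain of {domain.lower()}"
    return "unknown domain"


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Classify the host of a URL. urlsplit().hostname lowercases its result,
    which would hide the I/l substitution, so the host is cut from netloc by hand."""
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]
    host = netloc.split(":")[0]
    return classify_host(host, trusted)


if __name__ == "__main__":
    for link in ("https://login.paypal.com/signin", "https://paypaI.com/verify",
                 "http://rnicrosoft.com/update", "https://paypal.com.secure-login.net/"):
        print(f"{link:45} -> {classify_url(link)}")
```

The skeleton comparison is what catches the substitution described above: after the capital I is mapped to l, 'paypaI.com' collapses to the same string as the genuine domain, and the same happens to the Cyrillic 'а' once the punycode form is decoded. The edit-distance check is deliberately strict (distance exactly 1) so that unrelated short domains do not trigger false alarms.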

Examples of phishing emails

Fake invoice scam

Let’s start with arguably the most popular phishing template out there – the fake invoice technique. Like many phishing attacks, this scam relies on fear and urgency, pressuring an end user to submit a payment for goods or services they have never even ordered or received.

[Figure: Fake invoice scam]

Finance departments are the obvious targets for this sort of attack, although there are plenty of other potential victims to be duped.

Unusual activity scam

When receiving an email or text stating that there has been “suspicious activity on your account”, alarm bells start ringing at full pace. That is why this scam works so well for scammers, as victims do not just face urgency and panic, but also confusion.

[Figure: Unusual activity scam]

This is just one example of where an unusual activity scam can come from. Any app, website or platform – whether it be your bank or even your Instagram account – can be used by an attacker for this damaging technique.

Nowadays, hackers and ordinary scammers resort to sophisticated methods of social engineering. For example, to make a letter look more authentic, hackers can pretend to be employees of your company. To get fewer questions about the letter’s contents, attackers can send letters dealing with the technical component of a product to non-technical specialists, thereby inducing them to open the letter and take the necessary steps.

Let’s look at more examples of phishing emails.

A letter is sent to non-technical employees on behalf of IT employees. It deals with testing of a new remote access scheme and suggests clicking on the phishing link to check the availability of the service by entering your credentials. The phishing portal’s appearance, design, and the text are tailored to fit the corporate style.

[Figure: Phishing email for the first scenario]

Technical specialists, in turn, are sent letters dealing with HR paperwork, for example arranging vacations or medical insurance, encouraging them to go through the steps indicated in the letter.

The following scenario was prepared for technical support specialists of different levels. They received a letter from an HR manager about the possibility of obtaining voluntary health insurance. A .docx file with the alleged insurance program was attached to the letter.

[Figure: Phishing email for the second scenario]

The opened file looked empty. This was meant to provoke the recipient to click "Allow editing" in the hope of finding the text. At that moment, the account under which the document was opened automatically authenticated to our server, where the domain account name and the NTLMv2 hash of the password were recorded.

[Figure: Intercepted hash from domain accounts]
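The second scenario leaves a footprint the defender can look for: a workstation opening an SMB or NetBIOS session to a host outside the organization's own address space, which is how the document makes Windows authenticate to the external server. The following script is an added example of that detection over egress-firewall logs; it is not IBA Group tooling, the log format and every address in it are constructed, and INTERNAL_NETS is assumed to be the organization's address plan (the RFC 1918 ranges are used as a stand-in). Blocking TCP 445 and 139 outbound at the perimeter is the matching preventive control; even when the attempt is denied, the alert still tells the incident-response team which host opened a lure document.

```python
"""Detect workstations that initiate SMB or NetBIOS sessions to hosts outside
the organization's own address ranges. Added example, not IBA Group tooling;
the log format and all addresses are constructed, and INTERNAL_NETS is assumed
to be the organization's address plan."""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destination ports on which Windows offers NTLM authentication automatically.
NTLM_PORTS = {445: "SMB", 139: "NetBIOS session"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

# Constructed egress-firewall log. 203.0.113.0/24 is the documentation range
# and stands in for an attacker-controlled host on the Internet.
SAMPLE_LOG = """\
2024-07-29T10:14:58Z src=10.20.30.41 dst=10.20.1.5 proto=tcp dport=445 action=allow
2024-07-29T10:15:02Z src=10.20.30.41 dst=203.0.113.7 proto=tcp dport=445 action=allow
2024-07-29T10:15:03Z src=10.20.30.41 dst=203.0.113.7 proto=tcp dport=443 action=allow
2024-07-29T10:16:40Z src=10.20.30.77 dst=203.0.113.7 proto=tcp dport=139 action=deny
this line is malformed and must be skipped
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a record dict for a well-formed line, None otherwise."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def detect_outbound_ntlm(lines):
    """One alert per internal-host-to-external-host session on an NTLM port.
    A denied attempt is still reported: the host tried, so a lure document
    was most likely opened there."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["dport"] not in NTLM_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        allowed = rec["action"].lower() in ("allow", "accept", "permit")
        alerts.append({
            "time": rec["ts"],
            "src": str(rec["src"]),
            "dst": str(rec["dst"]),
            "service": NTLM_PORTS[rec["dport"]],
            "severity": "high" if allowed else "blocked",
        })
    return alerts


def hosts_to_investigate(alerts):
    """Distinct internal sources, for the incident-response queue."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = detect_outbound_ntlm(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['time']} {a['severity']:7} {a['src']} -> {a['dst']} ({a['service']})")
    print("investigate:", ", ".join(hosts_to_investigate(found)))
```

On the sample log the first line (a session to an internal file server) and the third (ordinary HTTPS) are ignored, while the allowed SMB session to 203.0.113.7 is rated high and the denied NetBIOS attempt from a second workstation is reported as blocked; both hosts land in the investigation list.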

Conclusion

Phishing has remained one of the most common types of attacks so far, as hacking a user rather than a computer is much easier. A popular saying goes that the most vulnerable component of any information system is located between a computer chair and a keyboard. A person can be absent-minded, inattentive, or insufficiently informed, thus becoming the target of phishing attacks, and the consequences of the latter are sometimes really detrimental.

The conclusion is obvious. The reliability of the weak link in question must be checked no less carefully than software or hardware configuration. And we at IBA Group offer penetration testing services with additional training of personnel in how to resist social engineering and phishing attacks.

This is the third part of our cybersecurity series that I prepared in cooperation with my team, namely Artyom Litvin and Ivan Shyshkou.

Stay tuned to discover more about cyber security, and read the first and second parts of the series here.
How Cyberattacks & Data Breaches Damage Reputation
https://us.ibagroupit.com/insights/how-cyberattacks-and-data-breaches-damage-reputation/ (published Mon, 29 Jul 2024 14:20:39 +0000)

How Dangerous are Data Breaches and Cyberattacks for Companies?

From the media, we often hear about data breaches and reputational losses worth millions of dollars for companies across the globe.

Consider the 2019 cybersecurity breach of the Capital One bank holding company that specializes in credit cards, auto loans, banking, and savings accounts. As a result of this cyberattack, the hacker gained access to 140,000 Social Security numbers, one million Canadian Social Insurance numbers, and 80,000 bank account numbers along with people’s names, addresses, credit scores, credit limits, balances, and other information, as reported by the bank and the US Department of Justice. In addition, the company’s stock price dropped nearly 6% immediately in the after-hours trading session, losing 13.8 percent within two weeks after the leak was publicly reported.

Another data breach incident occurred in October 2013 at Adobe. Nearly 3 million customer credit card records, transaction details, and other data from up to 150 million accounts of Adobe users were affected in this incident.

The Uber leak of 2016 is also worth mentioning. The attackers gained access to 57 million customer and driver records, including passenger names, phone numbers, email addresses and where they were registered, drivers’ salaries, travel reports, and in some cases, drivers’ license numbers. Uber did not disclose the leak and was eventually fined $148 million for the concealment and for the leak itself.

What is the Impact of Cybersecurity Breaches?

Firstly, there are fines and compensation payments in case of a breach, but that is not all. According to the Forbes Global Study on the Economic Impact of IT Risk, conducted in association with IBM, the value of a company's shares drops by 5% immediately when a data breach is disclosed. If the company in which the leak occurred reports it and responds quickly, it is able to restore the previous share price in an average of seven days. If the company does not respond in time and does not inform users about its recovery efforts, it takes more than 90 days to recover. For security incidents, the size of the fall in share value and the speed of the return to the previous level are thus interdependent.

If a security breach occurs at a high security company, the share price falls by no more than 3% at the time the incident is disclosed and in about 90 days, the stock price exceeds the pre-crisis level. In case of a leak at a company with a low level of security, the share price recovers in more than 90 days.

How Cyberattacks Damage Reputation

If it is impossible to get access to a service, the client loses trust in the company. It is especially true for financial institutions. This may result in the loss of customers, as they may switch to competitors. Trust is difficult and time-consuming to gain and maintain, but is very easy to lose. When clients use your service, whether it be a product ordering system, cloud storage, computing power, or mobile communications, they trust you with their personal data and expect that their data be protected and the service be available.

In the event of a hack or a leak, trust in the company's reliability is undermined. As a result, new customers stop coming and existing ones begin to refuse the services you offer. Information about incidents spreads over the Internet, so an application's outage becomes publicly known almost instantly. And no one cares whether the application is unavailable because of a hacker attack or because of poor service performance: everyone expects resilience from the service, if that is what you promise.

According to the IBM Global Study on the Economic Impact of IT Risk, downtime can be categorized as minor, with an incident duration of about 19.7 minutes; medium, with a downtime of around 111 minutes; and major, which can last up to 442 minutes. The same study shows that minor incidents are three times more likely than major ones.

The cost of one minute of failure is lower for a minor incident than for a major one (about $53,223 per minute for a major incident, $32,229 for a minor one, and $38,065 on average). In aggregate, the estimated cost of a minor incident is up to $1 million, and of a major incident from $14 million to $100 million, the average cost being $4 million. The evaluation criteria are the cost of users' idle time and lost productivity because of downtime or performance delays, the cost of forensics to determine the root causes of disruption or compromise, the cost of technical support to restore systems to an operational state, the cost associated with reputation and brand damage, revenue lost because of availability problems, and the cost associated with compliance or regulatory failure. It is worth noting that although the cost of a minor incident is much lower than that of a major one, the high frequency of minor incidents leads to higher costs over time.

Unaware does not Mean Protected

Small and medium-sized businesses are an easy target for hackers, because these enterprises have less stringent protection and fewer resources to implement cybersecurity. They are less aware of cybersecurity threats and often lack a cybersecurity strategy. The consequences of cyberattacks for such enterprises are often more devastating. According to recent studies, about 60% of enterprises shut down within six months after a cyberattack.

How to Prevent Cybersecurity Breaches

Data Backup

First of all, you need to start backing up your data. Backups help in the event of a natural disaster, when a building or equipment is damaged, as well as in the event of a cyberattack. In this way, fault tolerance is increased.

Regular Cybersecurity Training

Human errors are one of the biggest threats, if not the biggest threat. If an employee is not aware of cybersecurity measures, you should not expect him or her to be cautious with a suspicious link or a random flash drive. Likewise, in case of a cybersecurity incident, an employee probably would not be able to respond properly.

Cybersecurity Audits

It is necessary to assess the cybersecurity state of both networks and applications. Penetration testing and vulnerability assessment help identify weaknesses, inconsistencies, and shortcomings, and give an idea of the company's overall level of cybersecurity. Following a cybersecurity audit, a report with recommendations for eliminating the weak points is produced. Repeat audits are also indispensable.

Employee Access Restrictions

Damage from a compromised employee account is significantly smaller if the employee has access only to the parts of the system they need, not to everything. Access rights should be reviewed regularly and revoked when they are no longer needed. Admin accounts should not be left omnipotent or with default passwords. After an employee leaves the company, his or her account should be deleted and access to company resources revoked.
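The four checks in the paragraph above (access limited to what the role needs, access revoked over time, admin accounts not left with default passwords, leavers' accounts removed) are what a periodic access review automates. The script below is an added example of such a review, not IBA Group code: the account records, the role baselines, the REVIEW_DATE and the 90-day dormancy threshold are constructed assumptions, and the default_password flag stands in for the output of a credential-policy scan that a real identity system would supply.

```python
"""Periodic access review over an export of user accounts: terminated staff
still enabled, dormant accounts, administrative accounts still on a default
password, and access beyond what a role needs. Added example, not IBA Group
code; all records, baselines and thresholds below are constructed."""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
REVIEW_DATE = date(2024, 7, 29)      # assumed date of the review run

# Minimum entitlements each role needs (constructed).
ROLE_BASELINE = {
    "accountant": {"erp", "mail"},
    "developer": {"git", "ci", "mail"},
    "sysadmin": {"git", "ci", "mail", "erp", "ad-admin"},
}

# Constructed export from an identity system; default_password would come
# from a credential-policy scan in practice.
ACCOUNTS = [
    {"user": "a.smith", "role": "accountant", "enabled": True, "terminated": False,
     "last_login": date(2024, 7, 20), "entitlements": {"erp", "mail"},
     "default_password": False},
    {"user": "j.doe", "role": "developer", "enabled": True, "terminated": True,
     "last_login": date(2024, 6, 30), "entitlements": {"git", "ci", "mail"},
     "default_password": False},
    {"user": "svc-backup", "role": "sysadmin", "enabled": True, "terminated": False,
     "last_login": date(2024, 2, 1),
     "entitlements": {"git", "ci", "mail", "erp", "ad-admin"},
     "default_password": True},
    {"user": "m.lee", "role": "developer", "enabled": True, "terminated": False,
     "last_login": date(2024, 7, 25), "entitlements": {"git", "ci", "mail", "erp"},
     "default_password": False},
]


def review_accounts(accounts, today=REVIEW_DATE):
    """Return (user, issue) pairs in the order the accounts are listed."""
    issues = []
    for acct in accounts:
        user = acct["user"]
        if acct["terminated"] and acct["enabled"]:
            issues.append((user, "terminated employee, account still enabled"))
            continue  # everything else is moot once the account is removed
        if not acct["enabled"]:
            continue
        idle = today - acct["last_login"]
        if idle > DORMANT_AFTER:
            issues.append((user, f"no login for {idle.days} days, review or revoke"))
        is_admin = "ad-admin" in acct["entitlements"]
        if is_admin and acct["default_password"]:
            issues.append((user, "admin account with default password"))
        extra = acct["entitlements"] - ROLE_BASELINE.get(acct["role"], set())
        if extra:
            issues.append((user, "access beyond role baseline: " + ", ".join(sorted(extra))))
    return issues


if __name__ == "__main__":
    for user, issue in review_accounts(ACCOUNTS):
        print(f"{user:12} {issue}")
```

On the constructed export the review flags the leaver whose account is still enabled, a service account that has not logged in for 179 days and still carries a default password, and a developer holding an ERP entitlement the role does not need; the accountant with a normal profile produces no findings.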

Software Update

Any software may have security vulnerabilities. Hence, it is always necessary to check the relevance of the software version you use to reduce the risks of exploiting legacy vulnerabilities. Software vendors are not required to provide security updates for unsupported products.

This is the first part of our cybersecurity series that I prepared in cooperation with my team, namely Maksim Martsinkevich, our Team Lead, and Artyom Litvin. Stay tuned to read about zero day attacks.
