The Hacker Will Always Get Through - If You Let Them
In insight / By Charles Christian / 11 April 2017
With hacking and cybersecurity now pretty much constantly in the news, the question is: will the hacker always get through?
For example, at the time of writing this piece, an emerging story was that a criminal gang in Brazil had hacked a bank’s servers so effectively that customers were unaware they were logging into a fake website and disclosing their online banking security details to the bad guys.
But let’s start with a little history. Back in the 1930s, UK politicians were terrified by predictions that “the bomber (airplane) will always get through” and cause appalling civilian casualties in the event of any war. One figure suggested there would be over 250,000 deaths in the UK in the very first week whereas in fact during the entire six years of World War Two there were just over 40,000 deaths in total from aerial bombing raids on the UK. Those of you who fall into the Baby Boomers generation group (reporting for duty) will recall similar dire threats about the impact of nuclear warfare.
Fast forward fifty years and you could be forgiven for thinking the computer hacker will always get through, as every day brings more reports of cybersecurity breaches and online frauds being perpetrated against both individuals and organisations – and that includes lawyers and the law firms they work for.
Of course we have the technology to deal with this but this is where a problem arises. Most organisations tend to focus on what might be broadly termed perimeter security – firewalls, spam filters and similar security measures to stop hackers penetrating the network. Sadly, this is only half of the story. It is one thing to try to stop the bad guys on the outside from getting in – but what about the idiots on the inside who let them in?
The one blind spot within many organisations, and this includes law firms, is the lax behaviour of their own users when it comes to security precautions. This, incidentally, is also a reason why (in the US at least) a booming area in law firm technical education is currently cybersecurity awareness.
Space doesn’t permit me to cover all aspects of this topic, but the two most frequently exploited cybersecurity attack strategies against end-users are passwords and ‘phishing’. Latest figures suggest over 30% of all online fraud/cybercrime in the UK stems from password abuse, while almost all corporate ransomware attacks begin with phishing expeditions. And we are talking big money here. According to KPMG, last year saw reports of cybercrime rise by 1266% over the previous year, with the total value of fraud dealt with by the courts at £1,137 million.
But back to those cybersecurity awareness issues… The basic problem with passwords is too many people use simple, easy to crack passwords – and they use the same password on multiple accounts. Everything from iTunes – to email login and corporate intranet access – to online banking. Break it once and you have access to everything.
How simple are these passwords? A recent survey of “dumbest passwords” found the most popular are still the likes of 123456, password, qwerty, abc123, admin and letmein. For the record, probably the weakest password security ever was at the Greek finance ministry where, in the aftermath of a hack in 2013, it was discovered that 37% of all staff user accounts used the same 123456 password.
At least use a combination of upper and lower case letters, interspersed with random numerals and symbols – and ensure the letters do not spell an obvious word that can be traced back to you, such as your name, or your partner’s name or maiden name, or those of your kids, or your pets, or your house name or make of car. And, if some form of dual-factor authentication is available – whether by dongle, keycard, security token, SMS messaging or special app – opt in to it. That way, even if your password has been compromised, there is still a second line of defence in place.
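To make the password advice above concrete, here is an added example (not code from the original piece or its author) of the checks a login system or a password-policy tool can apply: a small constructed list of the common passwords the article names, the character-class rule, a check that personal terms such as a pet’s name do not appear even with letter-for-digit substitutions, and a reuse check across a constructed set of accounts. The function names, the 12-character minimum and the sample data are assumptions for illustration.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample of common passwords (the ones the article lists as most
# popular); a real policy check would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "admin", "letmein"}

# Common substitutions people use to disguise a word: 0 for o, 1 for l, 3 for e,
# 4 for a, 5 for s, 7 for t, @ for a, $ for s.
_UNLEET = str.maketrans("013457@$", "oleastas")


def password_problems(password: str,
                      personal_terms: Sequence[str] = (),
                      min_length: int = 12) -> List[str]:
    """Return the reasons a password is weak; an empty list means it passed every check."""
    problems: List[str] = []
    lowered = password.lower()

    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Character-class checks: the article's "upper and lower case, numerals and symbols".
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Personal terms (name, partner, pet, car ...) must not appear, either
    # verbatim or hidden behind digit substitutions such as "R0ver".
    normalised = lowered.translate(_UNLEET)
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in lowered or t in normalised):
            problems.append(f"contains personal term '{term}'")
    return problems


def reused_across(accounts: Dict[str, str]) -> List[List[str]]:
    """Group service names that share one password (input: service -> password).

    Any group longer than one is the 'break it once, access everything' problem.
    """
    by_password: Dict[str, List[str]] = {}
    for service, pw in accounts.items():
        by_password.setdefault(pw, []).append(service)
    return [sorted(group) for group in by_password.values() if len(group) > 1]


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("123456", "R0ver2017!xyz", "Tq7#mLp2!vXs9"):
        print(pw, "->", password_problems(pw, personal_terms=["Rover"]) or "ok")
    print(reused_across({"itunes": "Summer2017!", "email": "Summer2017!", "bank": "Tq7#mLp2!vXs9"}))
```

The substitution table is deliberately small; the point is that a name the attacker can find on social media stays guessable after the usual cosmetic changes, so the check normalises before comparing.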
Having said this, you can’t help but sympathise with end users: we now have so many services we need to log into that it is hardly surprising people resort to easy-to-remember passwords, re-use passwords, or keep all their passwords stored together in a little black book!
Turning to phishing, again there are different permutations but essentially the hacker emails the intended victim with a message that purports to come from a legitimate, trustworthy source – an online service provider, your bank, your own email provider, PayPal, Amazon, Facebook, even your own organisation – asking you to supply sensitive information such as passwords, usernames, and credit card details by clicking on the link in the message.
The catch is although the email may seem genuine, with the appropriate logos in place, and the website you link to also looks genuine (this is known as “spoofing”) the entire operation is bogus and they just want to harvest your confidential information and/or cause you to download a virus or malware into your computer. (A variant currently in widespread use is the unsolicited job application email with malware buried in the attached file containing the CV.)
As long ago as 2014 Microsoft estimated the annual global impact of phishing could be as high as $5 billion, and since then phishing has also become a popular way of delivering ransomware. And yes, ransomware is a problem for law firms – last year over 20 major UK law firms were hit by such attacks.
However, as with password security, a little bit of cybersecurity awareness can go a long way to limit the problem. Don’t just be sheeple clicking on the link without a second thought; stop to read the email more carefully.
Some can be immediately discounted. For example, why would Barclays or Netflix contact you if you don’t have an account with them? Check the grammar and spelling: you can safely assume a company like Apple knows how to spell words like “receive” correctly. Check the email address and website link addresses carefully. Why would a reputable organisation be using an anonymous email address with a suffix (the dot com or dot co.uk bit) belonging to some Eastern European or Central Asian state? Check also that the address is not subtly different or points to a subdomain. So, instead of Barclays.com it points to Barclays.bankscam.com – but that’s not a Barclays address, that’s going to take you to a site pretending to be Barclays on the bankscam website. And if the actual link is hidden behind text – so that instead of seeing the URL you only see “Click Here” – hover the mouse cursor over the link: most email clients and web browsers will show a preview of where it will take you, usually in the bottom left of the screen.
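The Barclays.bankscam.com point deserves a worked illustration, because the obvious check (does the link text contain “barclays.com”?) is exactly the one that fails. The following is an added example, not code from the original article: it pulls every link out of a constructed HTML email, compares the real destination host against an assumed allow-list of trusted domains on a proper label boundary, and flags links whose visible text shows one address while the href goes somewhere else. The allow-list, the sample email and the function names are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed allow-list of registered domains the reader expects mail from.
TRUSTED_DOMAINS = {"barclays.com", "barclays.co.uk"}

# Constructed sample of a phishing-style HTML body; the first and third links
# are the "subdomain of a scam site" and "path that looks like the real domain"
# tricks described in the article.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://barclays.bankscam.com/login">Click Here</a> to verify.</p>
<p>Or visit <a href="https://www.barclays.com/security">www.barclays.com</a>.</p>
<p>Also <a href="https://bankscam.com/barclays.com/">https://www.barclays.com/</a></p>
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if there is none (e.g. a javascript: link)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host IS domain or a subdomain of it.

    The naive test  `"barclays.com" in host`  is wrong: "barclays.bankscam.com"
    contains the string but is registered under bankscam.com.
    """
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str) -> List[str]:
    """One warning per link that leaves the trusted domains or whose visible
    text names a different host than its real destination."""
    parser = LinkCollector()
    parser.feed(html_body)
    warnings: List[str] = []
    for href, text in parser.links:
        host = host_of(href)
        if not any(belongs_to(host, d) for d in TRUSTED_DOMAINS):
            warnings.append(f"'{text}' -> {host or href}: not a trusted domain")
        # If the visible text itself looks like an address, it must agree with
        # the real target (the hover preview the article recommends checking).
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and host:
            shown_host = shown.group(1)
            if not (belongs_to(host, shown_host) or belongs_to(shown_host, host)):
                warnings.append(f"'{text}' displays {shown_host} but links to {host}")
    return warnings


if __name__ == "__main__":
    for warning in suspicious_links(SAMPLE_EMAIL):
        print(warning)
```

Run against the sample, the second link (a genuine www.barclays.com subdomain) passes, while the first is flagged because its registered domain is bankscam.com and the third is flagged twice: once for the untrusted domain and once because the text shows www.barclays.com while the href goes to bankscam.com.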
To sum up: the hacker will only get through if you allow them to – and there are some relatively simple cybersecurity awareness precautions you can take to substantially reduce the risk. Happy surfing.