Cybersecurity Case Study with examples
Cybersecurity is one of the biggest threats facing businesses, governments and individuals. In 2014 there were 42.8 million security incidents reported. This is the equivalent of almost 120,000 attacks every day. In this blog, we explain the case study of cybersecurity 2019 with examples.
Cybersecurity is nothing new, but the threat has grown considerably over the last few years as we have grown more connected and as organizations have begun to rely more on their digital systems.
In a survey from professional services firm, PwC, the cost of the average cyber attack against large companies in the United Kingdom in 2014 was between £600,000 and £1.15 million.
In this blog, I will introduce you to the topic of cybersecurity and cover some of the basics to give you a base level of understanding. We’ll cover who the main actors are and what their motivations and targets might be. We’ll then move on to consider where the security risks lie in social media and what you can do to safeguard yourself against them.
Cyber attacks are not necessarily highly sophisticated. Likewise, there are some simple but effective steps that you can take to ensure the security of your social media accounts.
What is cybercrime?
Cybercrime is the term used to describe criminal activity on computer systems. A hacker is someone who aims to exploit weaknesses in computer systems for some kind of gain.
The hacker’s motivation is not always monetary and there are a number of reasons why people engage in hacking. From teenagers getting up to mischief in their bedrooms to nation states waging cyber warfare, there are a number of different players and motivations.
Cyber risks pose a threat to both individuals as well as companies. Everyone is aware that fraud and identity theft are common crimes perpetrated in order to steal money.
But there are less obvious risks posed to individuals. For example, many people go on holiday and post photos on social media of themselves relaxing, perhaps enjoying a beer on a beach.
Unfortunately, criminals have realized this and have started targeting people who geotag their posts with their location. There have already been cases of people having their homes burgled while they were away on holiday because geo-tagged social media posts have alerted burglars to the fact they are not at home.
Who poses a threat?
Cyber risks pose a number of threats to businesses too. Whether it be to steal money or designs for their latest products, the risk is already high and growing. So, who are these ‘cybercriminals’ and ‘hackers’?
The key players are:
Organized crime. Criminal gangs who engage in hacking for financial gain by stealing money from banks or personal information and intellectual property to sell on the black market.
Nation states. The term ‘cyber warfare’ describes how nation-states are using techniques to attack or defend against their adversaries. Nation states might use computers for intelligence gathering or develop and deploy cyberweapons that target a foreign country’s utilities or infrastructure.
Hacktivists. The word ‘hacktivist’ comes from the word ‘activist’ and usually defines groups of hackers who break security in order to publicize a social or ideological message.
For example, some hacktivist groups are opposed to internet censorship, or indeed censorship of any kind, so launch attacks against governments or organizations who they see as supporting censorship.
Some groups believe in the freedom of information and focus their energy on hacking to bring non-public, or confidential, information into the public realm.
Insider. The insider is a special category and refers to someone inside a company or organization. The insider may be used as a mule, unaware that their account is being used for hacking.
For example, an external hacker may send malicious software to someone within a company in the hope that they will install it. This software could give the attacker access to the insider’s computer. Insiders, therefore, pose a big threat to organizations.
Independent hackers. There are many types of independent hackers, however, the main ones are:
‘Blackhat’ hackers: these are the hacker groups most commonly portrayed in popular culture or films. Blackhat hackers break security for little reason beyond malicious intent or personal gain. Blackhat hackers may break into computer systems to destroy or steal data, or to make the systems unusable.
Professional or elite hackers for hire: this group of hackers is highly skilled and often employed to uncover vulnerabilities in computer software and to write code that will exploit those vulnerabilities.
An ethical hacker, also known as a ‘white hat’ hacker, is someone who breaks security for non-malicious purposes. This could be in order to test a system’s security and uncover weaknesses so that fixes can be applied. Ethical hackers perform ‘penetration tests’ or ‘vulnerability tests’, usually under contract.
These are relatively unskilled hackers who break into computer systems using tools created by black-hat hackers. Script kiddies can wreak havoc, but without their tools, they have little understanding of the underlying computer concepts.
What’s at risk?
As mentioned above, the threat presented by hackers goes beyond the financial.
The things that an attacker can target include:
Money. Money is often a big motivator. Hackers may try to break through your security in order to access your bank accounts and steal money by transferring it out of your accounts.
Corporate secrets are valuable: if they weren’t, they wouldn’t be secrets! What is valuable to your company would probably be valuable to others, whether that is a competitor, a government or an independent hacker who wants to sell your secrets on the black market.
Business deal information.
Information about business deals, such as planned mergers or acquisitions, is sensitive as any insider knowledge about the deal could impact the stock market or could be used by the opposing party.
For example, if your organization is planning to sell part of its business and has set a minimum price, that information would be extremely valuable to the purchasing party. Again, information with a high value will always be targeted by hackers.
Personal data. If someone were to get hold of all of your personal data, it would make it much easier to steal your identity, which is why personal data can have a large intrinsic value to criminals.
Hacktivists may also target personal data because they want to expose it online in order to embarrass the company that controls it and causes the uproar from all of its customers and employees. In this case, a hacktivist may not make money from the hack, but the company they targeted may be fined by a regulator.
The hacktivist’s goal is to cause as much pain to their target as possible. Intellectual property. Designs for your latest products or the inner workings of your existing products clearly have a high value, especially to your competitors.
If hackers were able to get a feature list of your new product and pass it on, it would erode a competitive advantage, which is why intellectual property is often a target.
Payment information. Rather than stealing money directly from a company, it might be easier and more rewarding instead to steal the payment information of all of your customers. These payment details could either be used by the criminals to make purchases themselves, or they could be sold on the black market to other criminal gangs.
Operational data. This may not seem obvious at first, but if a hacker was able to obtain data about how your business operates, they could use that information to their advantage for large cyber attacks in the future.
Alternatively, if an attacker can find out information about your delivery trucks, they might be able to work out the best time and place to rob them.
Industrial control systems. The systems that control water filtration plants, the electricity network, power stations and so on are called industrial control systems.
These systems are usually targeted by hackers for cyberterrorism. Their purpose is to disrupt a nation’s utilities or to have a large impact on normal citizens, for example by manipulating water filtration systems.
Although not exhaustive, this list does help to show that there are a large number of incentives for cyber attacks. The key takeaway is to apply the same caution to your information assets as you would to your physical property.
If something is valuable, it could be targeted, and should, therefore, be protected. If an attacker can gather intelligence about your company by stealing your operational data, then they will be able to use that data against you in the future.
Why is account management important?
I’m sure you’ll agree that it would worry you if it was easy for a hacker, or anyone with malicious intent, to get access to your corporate social media accounts. Unfortunately, there have been lots of examples of this happening, and in many cases, the reason has been poor account management.
There are a number of tools and techniques available to hackers that they can use to gain access to your social media accounts. In this section, we’ll examine the ways that hackers achieve this, and look at what you can do to guard against it.
On the flip side, if the inappropriate or offensive content is posted on your social media account, it might not be because of a cyber attack. It might be an innocent mistake made by someone in your team who mixed up your corporate account with their personal account.
There are a lot of examples of this, so we’ll look at what you can do to stop this from happening but you should also read blog 6 for guidance on how policy and awareness can reduce the risk of this happening.
The problem with many social networks is that they were initially conceived as tools to allow people to connect with each other.
Only later did organizations start using social media to connect with their customers and promote their products. Because of this, many social networks only allow one username and password to be associated with a social media account.
So, if you have a Twitter account with the handle @[your_company_name] and have a team of 10 who need to use it, you’ve really only got two options: 1) share the username and password among your team; or 2) use some kind of social media management tool to control access. The easiest option might be to simply share the login credentials with your team;
There are other problems with sharing account credentials. Because everyone in your team is logging into the same account, it makes it almost impossible to control what is being posted.
Another advantage of using a social media management tool is that it will provide a different interface for your team when logged in using their mobile devices. We often operate on ‘autopilot’, completing simple and common tasks while barely thinking about them.
It’s this behavior that has caused some people to confuse the corporate account with their personal account. However, when a social media management tool is used, access to the corporate account will be controlled through the management system’s own mobile application.
This means that the personal account will be configured in the social network’s native application on your phone. The interfaces are likely to be significantly different from one and other, which will reduce the risk of a mix-up.
I don’t know anyone who likes having to remember lots of different passwords or who enjoys having to regularly change them. However, good password management is an unfortunate necessity. It’s tempting to set them to things that are easy to remember, such as the birth date or name of your first child.
But the problem is that it’s now even easier than ever to find out information about peoples’ lives: a quick look on someone’s public social media profile can often give a very detailed picture of their life: when and who they married, when their children were born, their names, where they live, where they go on holiday and so on.
It’s complicated further by the fact that the average person now has a multitude of different online accounts, which makes it tempting to just use the same password for every account. However, the problem with this is that if any of those accounts get hacked, the attacker will have access to all of your other accounts.
Even if you signed up to a website just once to see what it was all about and never returned, if you used the same password as you use for your other accounts then you are at risk of your main accounts being hacked, even though you only used the website in question once.
In our personal lives, there are a few occasions when we might disclose our passwords to someone else. In theory, this should never happen, but I’m sure there are times when we have shared our passwords, perhaps with loved ones to allow them access to our emails or social network.
In a corporate setting, one of the few occasions, when passwords will be shared, is when a new account is being created. Many companies operate a security model whereby the user has a global user ID (GUID) and password, which they use for all, or at least most, corporate systems.
This is good because it means that the user doesn’t need to remember a large number of passwords and there’s also no need for them ever to share that password. However, not all applications will use this security model and an exception might be a social media management system.
This means that every time you create a new user you will need a way of communicating the password to them. The management system may have built-in mechanisms to deal with this, for example, by emailing the user a temporary password and providing a link for them to change it on first use.
However, if this isn’t the case you’ll need another way of communicating the password. As a rule, you should never use the same method to communicate the username and the password. For example, you might email a person their username and tell them their password over the phone.
Alternatively, you might text them their username and verbally tell them the password face to face. Whatever you choose, you should ensure that the username and the password are not communicated in the same way because it decreases the likelihood that the details could be intercepted.
It’s obviously an extra hurdle and could be quite frustrating if you were in a location without any mobile phone signal, or without your phone, however, it’s one of the best ways to significantly reduce the risk of your account being hacked.
You should check the account and security settings on your social networks and other online accounts to see if two-factor authentication is an option.
If it is, there will be details about how to register your phone and turn it on. Some online services try to make it even easier for you by letting you identify certain trusted computers that do not require you to continually log in.
Viruses, spyware, and malware
Some of the tools hackers use against their victims are actually tools that unsuspecting users have running on their own computers. Often, malware (malicious software) is sent to users in phishing emails or can be automatically downloaded when a user visits a malicious website.
Malware is the term used for any software installed on computers that perform unwanted tasks. There are different types of malware; the key ones are as follows:
Virus. Viruses have been around for almost as long as personal computers started to appear in peoples’ homes. A computer virus replicates itself on the infected computer and spreads itself to other computers, normally through a computer network or via email.
A virus can damage an infected computer by corrupting the hard drive or by taking up all available memory to render the computer unusable.
Spyware. There are many types of spyware but their main purpose is to covertly spy on a user’s computer usage. Information about what the user is doing is then transmitted to servers controlled by the hackers.
A ‘Trojan horse’ (or Trojan) is a type of malware that often acts as a ‘backdoor’ into the victim’s computer. Some Trojan horses can give the attacker full control over the user’s computer.
Adware. Software that serves up irritating adverts on a user’s computer, often bombarding the user and severely impeding productivity.
Ransomware is a particularly vicious type of virus that encrypts a user’s hard drive, effectively locking the user out of their own computer, and holding them to ransom. The user must pay a ransom (often in the region of around £250 but sometimes considerably more) to get the key to unlocking the hard drive.
Often a time limit is imposed whereby if the user does not pay up in the given time the contents of the hard drive will be permanently deleted. There’s no guarantee that the decryption key will be provided if the user pays.
Ransomware is not new but became more popular among cybercriminals around 2013 with the release of a widespread ransomware package called ‘Cryptolocker’.
These are types of spyware, often included in Trojan horses, which record all keys pressed by a user. Usually, the keylogger will run in the background of the computer and is difficult to detect by the average computer user.
Because keyloggers record all keys pressed it means that they can capture all passwords entered. The fact that passwords are usually hidden on screen does not matter if a keylogger is installed because they record every key.
The best way to avoid unexpectedly installing malware on your computer or network is to ensure that your anti-virus and anti-spyware software is up to date. You should also have a good firewall to protect you from attacks over the internet and to detect whether malware is attempting to secretly transmit to criminals.
A firewall is a security system that controls inbound and outbound network traffic based on a set of rules. If malware is trying to submit information to an attacker elsewhere on the internet, a well-configured firewall will block the connection attempts.
In the corporate environment, most of this should be the responsibility of your IT team, so unless you are in that team you shouldn’t need to install these programs yourself.
Malware is also attached to malicious phishing emails so you should avoid clicking any links in any suspicious emails. Phishing is covered in more detail in the next section.
A less obvious way that malware can get onto your computer is through devices connecting with it, for example, a USB stick, a mobile phone or even a USB charger. Malicious devices can be programmed so that whenever they are connected to a computer (or mobile device), they automatically install malware.
For this reason, many large organizations lock down the ability for users to plug anything into their computers by disabling USB or other inputs altogether.
So, you might want to think twice the next time someone asks you to do them a favor and let them charge their mobile phone using your laptop or computer. That mobile phone may be loaded with malware that will silently infect your computer.
Likewise, USB memory sticks are now very cheap and often given away for free at conferences. Be warned – by accepting the ‘free’ memory stick and plugging it into your computer you might be handing over control of your computer to a cybercriminal!
2 million passwords stolen and posted online
In December 2013 reports emerged that more than 2 million passwords for a wide range of online services had been stolen. The stolen login credentials were then posted online.
The site, written in Russian, claimed to offer valid logins to 318,000 Facebook accounts, 70,000 Gmail, Google+ and YouTube accounts, 22,000 Twitter accounts and 9,000 Odnoklassniki accounts (a Russian social network).
The passwords appeared to have been stolen from computers infected with keylogging malware. Keylogging malware logs all keys pressed on a keyboard, then sends them to servers controlled by the hackers.
Analysis of the stolen passwords by security firm Trustwave showed that the most popular password in the database was ‘123456’, which was listed 15,000 times. Facebook said that all users found in the database had been put through a password reset process.
The moral of this story is that online users should be more careful with their passwords. Don’t use the same password for all of your online accounts, make sure that the passwords you do use are not simple or easy to guess and ensure that you change them regularly.
An extra level of protection would be to use two-factor authentication, which would significantly reduce the likelihood of your account becoming compromised if your passwords are stolen.
Social engineering describes techniques used by hackers to deceive people in order to extract information or to encourage them to do things for them.
Social engineering usually exploits an insider at a company, either by phoning or emailing them and making them think that the attacker is someone else, such as a senior member of the company.
Social engineering is a very powerful way of manipulating people in order to bypass controls or break a company’s security.
An attack may consist of multiple attempts to manipulate users to build a picture of how an organization operates, get hold of names, phone numbers and other information that they can then incorporate into their deceptive techniques in order to make them more believable to their next victim.
In the context of social media, there are two types of social engineering that pose the biggest threat to an organization: impersonation; and phishing.
Impersonation is when an attacker disguises their identity by impersonating someone else. The attacker may try a number of different techniques, such as impersonating senior members of staff or by claiming that they are calling from the company’s IT department.
The attacker can be creative and will normally spend a lot of time building a picture of what it’s like to work at the company, who its suppliers are, who the key people are and so on. The more information an attacker can get, the more convincing he or she can be when they contact their victim.
The victim will often receive a phone call or an email from an attacker who is claiming to be someone else. The attacker’s objective is to either extract information or to get the victim to perform certain tasks. For example, the attacker might claim to be a headhunter interested in hiring the victim.
Once the victim gets talking they might expose information about the size of the team, the working hours, the types of social media accounts they have and so on. This information may seem harmless on its own, but it is extremely valuable to the attacker, as it allows them to build a more accurate picture of how the team operates.
They could then use that information to call a new member of staff claiming to be the boss’s boss and ask that the user hands over their login credentials, even issuing threats to the victim should they not comply.
An attacker may also ask information such as the browser version which the employees use. This helps the attacker focus their attention on hacking the specific browser version in use at the company and discounting any others.
Other information that an attacker might want to gather from a victim could be the team’s holiday schedule or information about when nobody is in the office.
This could then be used to launch attacks in a quiet time when there is less chance of it being noticed. Information about whether employees can access the corporate social media accounts on their phones could also be useful to the attacker.
In some cases, the attacker might be able to persuade their victim to explain the process for setting up access on a mobile device. Internal documentation, such as policies and procedures, can also be useful to an attacker as they often include details about key contacts or instructions about how to complete tasks within the organization, such as how to submit new content for approval on a social network.
Social media can also present the risk of impersonation. If you or someone within your company is widely known, for example, a well-recognized CEO, a reporter from a news agency, or a celebrity or film star, then members of the public can create false accounts in their name.
False social media accounts can be damaging in many ways, and there are numerous reasons impersonators may decide to set one up. A key motivator can be to satirize or mock the company or person or to damage a reputation in some other way.
Fake accounts can also be created as part of a wider attack, for instance by mimicking a bank and contacting people through social media to tell them that fraudulent activity has been identified on their account in the hope that the user will provide their details.
Many of the social networks have tried to combat fake accounts by designating certain accounts in some way to show that they are official. On Twitter, for example, a blue tick appears beside official accounts which Twitter has verified. Other social networks have similar ways to help users identify official accounts.
Using deception to impersonate another person or organization is a violation of most social networks’ terms and conditions so you should ensure that you follow the network’s procedures to report the impersonated account as soon as possible.
However, because many social networks support freedom of expression, many allow parody accounts to be created provided that certain conditions are met.
For example, the social network may require that the parody is clearly identified as such by explicitly stating that the account is not official.
If you find that your company has been impersonated and you are not happy about it, the best action to take is to report it to the network. Unfortunately, the network may take a long time to review the reported account and, as stated above, may allow the account to exist if it complies with the network’s terms and conditions.
If this is the case, the best thing that you can do is to work harder to ensure that you attract supporters and that the content you create resonates with users.
If you are facing criticism over a recent crisis it may be best to simply weather the storm and commit to producing high-quality content and engaging with your customers and followers effectively.
Breaking: Two Explosions in the White House and Barack Obama is injured
This tweet had a particularly big impact because the Associated Press had nearly 2 million Twitter followers at the time so it was picked up and retweeted by other social media users almost instantly.
It even had an impact on the stock market and one minute after the tweet was posted the Dow Jones Industrial Average started a short nose-dive.
A Bloomberg reporter wrote that in the three minutes after the post the ‘fake tweet erased more than $136 billion in equity market value’ before recovering shortly afterward.
About an hour after the hack, the SEA claimed responsibility. Reports in the media claim that the SEA gained access to the Associated Press Twitter account through a phishing attack.
An innocent-looking email asked AP staff to click on a link, which then downloaded malware to their computer to spy on them. This goes to show that cyber attacks don’t need to be highly sophisticated to be effective and, more often than not, humans are the weakest link.
Securing your network and data
The more security you put in place, the more difficult it becomes for users to access your systems. The most secure computer is one that is without power in a protected vault in an unknown location where nobody can access it. However, the computer is clearly not going to be very useful this way.
Therefore, you need to strike a balance between security and usability. When implementing an enterprise social network you’ll need to consider how to configure your network. You’ll need to assess the risks and make an informed decision about how users will be able to access it and what data they will be allowed to store within it.
Enterprise social networks are excellent collaboration and knowledge-sharing tools. Your colleagues are able to connect with each other and share documents, or even collaborate to create documents within the enterprise social network itself. Because of this, as time progresses the amount of valuable, and potentially sensitive, information within your network will increase.
This will make the network an extremely attractive target for a hacker. If an attacker can gain access to your network they will have free reign to search and download a huge amount of information. Because of this, it’s vital that you ensure your network is well protected.
A data classification framework will help you set policy decisions about the types of data you will allow in your network. For example, you may allow internal information to be shared freely on the network, but more sensitive data to be shared only within closed groups with extra controls in place.
You will need to consider how your users will access your enterprise social network. The network provider will offer different options, such as simple web-based authentication or more complex requirements around the use of a virtual private network (VPN). A VPN allows users to connect to the private corporate network across a public connection.
For example, you may use a VPN to connect to your corporate network from home. The advantage of using a VPN is that it’s an added layer of protection which authenticates your corporate users and allows them to access company systems, such as your enterprise social network, when outside the office.
The disadvantage is that it requires extra configuration and support from IT in order to set up and run the network. It also requires users to configure their devices to access the network.
From a user perspective, the simplest way to authenticate a user into your enterprise social network is to allow them to connect to it by using a web login.
The problem with this is that without any additional controls, a user could go on holiday and decide to go to an internet cafe and access your enterprise social network.
The computers in the internet cafe could be riddled with malware spying on the user’s login credentials. Once the login credentials have been exposed in this way it will give the attacker an easy route into your enterprise social network.
Configuring your enterprise social network to only allow connection from within the corporate network, or via VPN, is an extra hurdle your users would need to jump through. However, I believe that the added protection that this offers is worth it.
Most enterprise social networks allow users to upload and share documents, as it is a very practical way of enabling effective knowledge sharing. However, some organizations make the decision to prohibit documents from being uploaded due to security concerns.
The organization may be worried about losing control over sensitive documents uploaded to the network. If you decide to allow documents to be uploaded, you should consider what types of file you want to permit.
For example, you may wish to prohibit executable (.exe) files from being uploaded because you want to reduce the risk that users might accidentally, or deliberately, upload malicious software to the network. Many good enterprise social networks have built-in features that scan any uploaded files for viruses.
If you allow files to be uploaded, it’s essential that this feature is enabled. You should also consider how the virus definitions (the rules the software uses to detect viruses) are kept up to date.
This may be a question for the vendor but is one that you should definitely raise during your preliminary discussion. If virus definitions are not updated regularly it could mean that newer viruses get missed by the software.
Security is an important part of social media risk management and governance. There are large numbers of hackers around the world who work tirelessly, so IT security professionals need to be ever vigilant in order to stay one step ahead.
IT security is evolving, but in many organizations, the ‘traditional’ IT systems get more attention than the newer ‘social’ systems. This can result in weaknesses that not only impact the social systems themselves but also threaten a company’s IT network more broadly.
In this blog, we introduced the topic of cybersecurity and looked at the key actors and their motivations. The good account and password management are one of the simplest things to get right;
however, many people neglect best practice because they don’t perceive the extra effort as worthwhile. However, even some of the most notorious hacker groups launch attacks using fairly unsophisticated techniques that have proven very effective.
We looked at some of the practical things you can do to protect yourself and your team online, such as enabling two-factor authentication on your social network accounts.
Finally, we considered how an attacker might target your enterprise social network and looked at some of the steps that you can take to secure your network, such as by prohibiting connections that do not use the corporate VPN.