In 2014, cybercrime will cost the Swiss Confederation’s companies over CHF 200 million(1). ProtonMail, the Cantonal Bank of Geneva, the media (20minutes.ch) or even the interbank exchange system SWIFT have seen their respective sites compromised or their data stolen, following the example of international giants such as Facebook, JP Morgan, Twitter, Adobe or LinkedIn. However, while computer attacks mean a financial loss, they also have a major impact on a company’s image and the confidence of its customers, especially when the confidentiality of data is threatened. Some attacks are so crippling that they go so far as to stop the production of the targeted business …
However, we only protect ourselves well from what we know. For companies to effectively protect their information systems, and thus secure the Swiss Web as a whole, it is important for decision-makers to know what they are up against. Net4All is therefore part of the process of democratisation of IT security in order to best support Swiss companies in integrating this dimension into their digital thinking.
Hackers: who are they?
With the rise of the Internet, computer security has evolved a lot. The number of potential targets has greatly increased (a proliferation of protagonists, sites and applications that can be targeted) and attacks have become easier, due in particular to the appearance of tutorials and documentation that are accessible to everyone. At the same time, the cyber attack industry has likewise become increasingly widespread. The population of potential attackers, whether direct or indirect, is therefore increased.
However, hackers with malicious intentions (“black hats”) often have very different objectives from one another, depending upon their motives, their means or otherwise their technical skills. Three main types of pirates can be distinguished:
- The “script kiddies” are looking to make a name for themselves and often seek to acquire a reputation in the community of hackers. However, they do not have advanced technical skills, so most of their attacks are mere industrialisations of exploits exposed online.
- The ” ideologues ” use hacking to convey messages of a predominantly political or religious nature. The latter primarily attack the images of companies, or use insecure sites as a propaganda medium (as in the case of the OpFrance operation, in early 2015 among our French-speaking neighbours).
- The “professionals” aim to make a profit by selling their services or blackmailing the companies under attack. These are the most dangerous. They often form part of an organised network, but may also work alone, and their technology may be very advanced.
Cyber Attacks Are as Varied as the Technology Itself
Viruses have formed part of the IT landscape for a long time, and are known to the vast majority of Internet users. However, new threats, which are more or less sophisticated and resistant to anti-virus software, abound these days. As we have seen, the most frequent objective of these attacks is a large-scale theft of personal or professional data, but they may also be aimed at espionage or the integration of victim servers into a zombie machine park.
There are many techniques that hackers use to achieve their ends, depending on their objectives and technical competence. Most of the time, an attack requires several of them to be used at once. Here are the best known and most commonly used methods.
Malware (malicious software)
Malware is a program designed to damage a computer system. It may be propagated by e-mail alone, or through a download, for example… There are several types.
- The purpose of viruses and worms is for them to propagate to as many machines as possible, and they in particular serve to grow zombie farms.
- A Trojan is software that looks legitimate, but contains a malicious feature (a parasite) that can, for example, create a flaw in a system.
- A ransomware attack is a particular type of malware that consists in making data inaccessible to its owner and then asking him/her to pay a ransom so that he/she can regain access to it.
The exploitation of system or application flaws
This method involves searching for a vulnerable component on a platform, for example using a vulnerability scanner, and exploiting it to invade the information system. Application vulnerabilities, especially those listed in the Top 10 OWASP, are more commonly exploited; however, system components are nevertheless not forgotten! Here are two examples of loopholes that we are hearing a lot about right now:
- Code injection consists in sending the targeted server requests containing code, often via the fields of a form, in order to retrieve all or part of the corresponding database. The best known, the SQL injection (thus written in SQL language), forms part of the Top 10 OWASP.
- 0-day vulnerabilities are specific vulnerabilities that do not benefit from any patch, as they have not yet been (or have only just been) published. They can be discovered by a hacker who exploits them until the target realises it, or by a white hat (a hacker with honourable intentions) who informs the company or the media so that a fix can be provided as soon as possible. Heartbleed, Shellshock or the recent flaws in Drupal and Imagemagik are just one or two examples.
Software Attack via Social Engineering
Social engineering is one of the oldest forms of cyber attack… And yet, it means getting away from the technical side of things! Hackers practising this method use the force of persuasion and masking to look for a human flaw at the team level rather than at the system level. There are two main types:
- Phishing or scamming involves sending an e-mail that appears to be legitimate and requesting personal information from the target. A common example is an e-mail where the author poses as a bank and asks the victim to change his or her login password. To do this, the victim clicks on a link redirecting him or her to a fake site, identical to that of his or her bank but controlled by the hacker, where he or she enters his or her details, which are then retrieved.
- Live social engineering can take on very significant proportions. Hackers gain a person’s trust and then abuse it to obtain information. This is a scam, sometimes on a large scale. In companies, a social engineering attack will often be targeted at people who have valuable access to the information system, but who are not necessarily protected or trained for this type of attempt (support services, such as administration, marketing, accounting …).
As its name suggests, data interception consists of intervening between the sender and the recipient of a data transmission (e-mail, HTTP request …) to spy on communications. This is called a “man-in-the-middle” attack. Such an attack may be implemented within a local network, but not exclusively: a public WiFi, if it is poorly secured, can be a gold mine for a hacker, who only has to be placed where he or she can retrieve the data of all the people simultaneously connected…
The case of DDoS
The acronym DDoS stands for Distributed Denial of Service. These attacks consist of sending a large number of requests to a website, in particular through zombie machines (bots). Faced with the drastic increase in requests, the server is quickly saturated and is no longer able to handle all its tasks. The site is then unavailable.
Computer security: a Lernaean Hydra
This article is far from being exhaustive, but it gives an initial idea of the diversity of cyber attacks existing… and therefore of the need to protect companies! Threats are constantly evolving, and security needs to keep pace. A system can easily be taken over by the innovations of hackers. Fortunately, white hats are not being outdone, and organisations specialising in information system security are now providing increasingly effective solutions. All that remains for companies to do is to integrate IT security into their processes!