The Anti-virus Times

Thursday, January 12, 2023

In our issues of the Anti-virus Times, we often talk about the various dangers that users encounter online. The world of digital threats is truly diverse. The numerous types of malware that threaten your home computer are just the tip of the iceberg. Malicious Internet activity, aimed at finding vulnerabilities and conducting network attacks, is being carried out constantly—after all, any information system a priori is vulnerable, as long as the intention exists to damage it And this vulnerability very often lies not in the software or incorrect network settings.

Hacking into a corporate network infrastructure is a tempting morsel for virus writers and hacker groups. A successful attack can cause at the very least considerable financial damage and slow down the work of an enterprise for a significant period, and in the worst-case scenario, it can put the very existence of a company at risk. The trend of recent years is industrial espionage using targeted attacks and encryption ransomware attacks carried out on large companies. Over the past couple of years, the number of known, "high-profile" incidents can be measured in the dozens, and the total damage amounts to billions of dollars. One may wonder why this is happening. Don't large companies use modern anti-virus software and a set of technical measures to prevent such situations? Most often, of course, they do. Attack scenarios may vary, but we can say for sure that often the most accessible entry point to a corporate network is the average person—the company employee. In this Anti-virus Times issue, we will analyse how employees affect the information security of a company and state several reasons why even a conditionally protected system becomes vulnerable to intruders.

Reason №1. A lack of knowledge about a threat

Not only large companies can get hit by cybercriminals. Most attacks are not targeted; attackers often just scan the network for potential targets for hacking or, for example, send emails containing malicious attachments. Small companies often don't care too much about protecting their digital environment, and this applies not only to employees but also to executives. Of course, a commercial anti-virus can be installed on their computers because "that's how it should be". And their network server can be located somewhere in a warehouse with free access. There are no regulations or rules of conduct in terms of information security for employees. In addition, there is no built-in access system informing employees about threats and no clear plan for responding to computer incidents. This approach still exists today, and it is difficult to explain it as anything other than a lack of knowledge about the threat and the consequences of an accidental attack.

Reason №2. A lack of understanding about the value of data

Most often this applies to those employees who have not been properly instructed and involved in the data-protection process in a company. Lack of integration in this area is the cornerstone for a vulnerability affecting an entire network infrastructure. Unfortunately, it is not enough to use modern software and a well-configured network if employees do not realise the value of the information they are working with. In this case, it is much easier for cybercriminals to access a network using social engineering techniques than to look for software flaws in the defense. And the worse a company’s built-in protection is, the higher the risk of an incident that could start with the launch of an unknown flash drive on an office computer or an attachment from a chain email.

Reason №3. A lack of training for staff

A company can have a protective infrastructure and its own information security department. But it is also important that its employees know how to behave to prevent threats from occurring. For this purpose, it is not enough to have just regulations and rules, which in practice often exist only on paper. After all, employees are usually only focused on performing their daily tasks and rarely think about digital hygiene. Even savvy technicians may not know how to prevent incidents or respond to them correctly. Appropriate workshops and regular testing of their knowledge not only reinforce safe behaviour but also enhance the overall culture of digital security.

Reason №4. The intention to cause harm

Unfortunately, such cases are also not uncommon. The most serious vulnerability for a system is an intruder within it. In this case, the damage directly depends on what permissions an employee has at the time of attack. It is worth highlighting the vulnerability of physical access, when a person has direct access to a target for attack—for example, to an important server. In this case, the intruder has almost complete discretion—they can do anything from engaging in minor malicious activity to completely destroying data. Another vulnerability is related to the presence of elevated privileges in the targeted system. We are talking not only about having the ability to access various network resources but also about working in a system with more privileges than are needed to perform tasks. All this can be compounded by related problems in the infrastructure: backups don’t work; there is no system for monitoring and preventing network threats; network equipment is configured incorrectly, etc.

So, the information security of a company depends not only on its hardware and software security tools and special departments. It also relies greatly on its staff. Cybercriminals are well aware of the most vulnerable element in a protected corporate environment and constantly try to use old tricks and techniques—phishing, malicious mailings and even tossed flash drives. Unfortunately, experience shows that you can spend big money to build a reliable corporate protection system, but it will not be reliable until the human factor is minimised.