12 methods that hackers use to attack, steal, and destroy business data (Part 2)
Welcome back to the second half of our two-part article on a full dozen different ways hackers can gain access to your business data.
(Here’s part 1 if you missed it)
Last time we talked about the tenacity of hackers, how they often don’t care about what happens to a business after they hack it, and six different attack methods ranging from worms to fault injection. Join us today as we pick up where we left off at one of the most recognisable forms of hacker invasion, passwords.
7) Password hacking
The next form of hacking we’ll talk about is one that most of us have been aware of since the early days of the internet, or whenever we were introduced to basic digital security. Passwords are the beginning of all cybersecurity measures and for this reason, hackers are also incredibly well practiced at cracking them. As usual with older and more widespread forms of securing your data, accounts, and access permissions, there are several ways for a hacker to try and crack an employee, exec, or customer password and thousands of ways to use a cracked password to wreak havoc.
The first form of password hacking, before there were special programs to do this automatically, was simple guessing. Early passwords and the passwords of people who don’t know how to protect themselves from hackers are often easy to guess. PINs are often birthdays or significant life dates, and passwords are often the names of children and pets, perhaps combined with a birthday or favourite colour. Especially with social media, people are easy to psychoanalyse, and a hacker looking to crack a few passwords has all day to guess.
Of course, as passwords became more complex and methods developed to prevent pure guessing, password crackers were invented. These use password trends and methodical number/letter combination guesses to try thousands of possible passwords a minute. Password cracking is done in much the same way as safe combination cracking and has become more advanced along with the technological advancement of software and cryptography as a whole.
Defending against password hacking
To protect your employees and customers from having their passwords guessed or cracked, the best defence is a smart set of password creation rules. It used to be in vogue to require completely unreadable passwords made of a random mix of numbers and letters and to force users to make new passwords every 6 months, but this has been found to be more tedious than useful, and better at stopping guessing than at stopping the more popular cracking method. Instead, the length and semi-randomness of your password matter more, as the larger number of characters forces cracking programs to make thousands more guesses.
The best method today is four random words like “rhythmlettervoicecookie”. These are easier to remember, because you can write yourself a little mental joke or story, and they provide an incredible challenge to both guessing and cracking hacks.
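The rules described above can be expressed as a short policy check. This is an added example, not code from the original article: it generates a four-word passphrase with a cryptographic random source, rejects passwords that are short, common, or built from personal details, and compares guessing effort in bits. The function names, the 16-character minimum and the tiny word list are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample data: a real deployment would load a word list with
# thousands of entries and a full common-password list from files.
WORDS = ["rhythm", "letter", "voice", "cookie", "harbor", "pencil", "meadow", "copper",
         "window", "saddle", "lantern", "pillow", "garden", "marble", "ticket", "anchor"]
COMMON = {"password", "123456", "qwerty", "letmein", "iloveyou"}
MIN_LENGTH = 16  # assumed policy value, not taken from the article


def generate_passphrase(n_words=4, words=WORDS):
    """Pick words with a CSPRNG (secrets), not the predictable random module."""
    return "".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words, list_size):
    """Entropy in bits when each word is drawn uniformly at random."""
    return n_words * math.log2(list_size)


def random_string_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random character string."""
    return length * math.log2(alphabet_size)


def check_password(password, personal_tokens=()):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON:
        problems.append("common password")
    for token in personal_tokens:  # e.g. pet names, birth years
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal detail: {token}")
    return problems


if __name__ == "__main__":
    print(generate_passphrase())
    print(check_password("Rex2012", ["Rex", "2012"]))
    # Four words from an assumed 7776-word list vs. 8 random alphanumerics
    print(round(passphrase_bits(4, 7776), 1), round(random_string_bits(8, 62), 1))
```

The entropy figure only holds when the words are chosen by the generator; a phrase a person picks for themselves is far more predictable than the calculation suggests.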
8) “Free” software
Companies are always looking for a way to get the same or better value for a lower cost. This is true in all things from your product inventory to recruitment methods so naturally, the same rule applies to your business software as well. Software for businesses comes in an incredibly wide range of prices and, unfortunately, a wide range of quality as well, and the two don’t often match. It is entirely possible to get low-priced software from a developer start-up that is superior to the high-priced industry standard package.
However, this search for the perfect low-cost software suite can also lead companies straight into another hacker trap: bugged software. For hackers with actual programming abilities, it’s a breeze to take working, useful, and possibly already open-sourced software, rebrand it, and sneak malware features into the background functions that will infect your systems, steal your data, and possibly even turn destructive when your business starts using the software. The trap, usually, is that these programs are free or very close to free, making them incredibly tempting.
Defending against infected software
When you’re on the lookout for undiscovered gems in the bargain software bin, it can be difficult to tell the difference between earnest programmers looking to make their name in the industry and hackers looking to infect your network. In fact, many infected pieces of software work pretty well, apart from also being malware carriers. There are two major approaches to self-protection. The first is to stick with software that has been reviewed by several other provably legitimate businesses (watch out for fake reviews). The second is a combination of malware-scanning and antivirus programs, which may be able to detect malicious code inside the software in the same way they usually identify suspect programs lurking on a computer.
You will also want to watch out for unusually inexpensive downloads of mainstream software, as these are usually hacked, cracked, and infectious, which is why they’re being offered at ‘a steal’.
9) Payment card device skimmers
If you have a physical venue where customers pay by card, as most modern merchants do, you’ll want to be very careful to watch out for the new direct hacker trend of device skimming. This is done with a special device unique to the card scanners your company uses. The hacker must first gain unobserved access to your card reader and then replace, attach, or insert their skimming device which will read cards as they go through your system. The interesting thing here is that they can avoid detection simply by not interrupting the transaction. Customers can still buy things from you normally with their money going to your business and all information is logged in the usual fashion. However, now the hacker has their card data.
Some skimming devices store the data they collect and must be retrieved from time to time, while others send it over Bluetooth or wifi to the hacker, who is waiting somewhere nearby. The most common kind of skimming is done at gas stations, where it’s easy to get unobserved access to the pumps further away from the shop or to block the camera view with one’s body while “filling up” to install the device. However, as this video shows, there are a number of custom-made devices that can be quickly installed and often go completely undetected.
Defending against payment card device skimming
As this hacking epidemic has been identified as incredibly widespread, detection devices have been developed and are now available that can pick up and identify the Bluetooth signals sent by the vast majority of these skimming devices. You will also want clear security camera coverage of every payment device, and you should inspect your devices closely whenever that coverage is interrupted, whether by obstruction or malfunction.
10) Cracking into guest and business wifi
Another recent wave of hacks, focused specifically on hotels, has involved cracking into wifi services offered by venues to their guests. It’s easy for hackers to gain initial access simply by sitting in the lobby or restaurant of a business offering guest wifi and logging in like any other customer. From there, using software already installed on their personal devices, or sometimes even by directly hacking your wifi router, hackers can gain access to what others are doing on your wifi network.
This is most often used to spy on business guests in hotels in order to access and steal the data they work with while working from their hotel room. In fact, sometimes a hotel’s wifi is cracked specifically because an already targeted executive will be staying there and the hacker wants insider information that can only be accessed through that exec’s wifi-connected laptop.
However, if you don’t offer guest wifi, don’t assume that you’re safe. If a hacker can get close enough to your router to even try to log into your wifi network, it becomes possible for them to begin a cracking attempt. If your business wifi access is insufficiently secured, your entire local network could be at risk. Hackers may also find ways to gain access to a business’s wifi through its guest wifi network if the two are connected.
Defending against guest wifi cracking
The first step to protecting any wifi network you generate and host is advanced security measures. For business wifi, you may want to specifically whitelist only approved computer IP addresses and known employee devices, and for all networks, be sure you are using the latest anti-hacking software and techniques. If you do offer guest wifi, be sure to keep your business network and the guest network completely separate so that there is no bridge to breach.
11) Offering fake guest wifi
Another way that hackers use wifi as an avenue of attack is similar to how they have accessed business exec files through hotel wifi, as we just mentioned. Rather than trying to crack into someone else’s secure wifi, they will generate their own local network. Once they do, there’s nothing stopping them from collecting browsing, login, and accessed data from anyone who joins their malicious wifi network. These networks are often disguised as free guest wifi in shopping malls, cafes, and other places you would expect to find free wifi, and are usually named for nearby shops so that they seem legitimate.
While employees inside your building using business wifi might be safe from fake guest wifi networks, those working out in the field or on-the-go are at a significantly higher risk as they are more likely to be accessing local wifi spots in order to work from various locations. This can expose proprietary information and complete employee login credentials to hackers who will not hesitate to take advantage of the windfall in their trap.
Defending against fake guest wifi
There is very little you can do to tell the difference between legitimate and fake guest wifi. Therefore, your best defence is a savvy universal approach to protecting your business and login data from all public wifi networks. First, your employees should never access anything important or enter any passwords while outside a known wifi network. However, because work often does need to take place away from the office or home, the best solution is to carry your own wifi hotspot and only work on your own private, secured wifi network while out in the field.
12) Third-party websites
The final method of hacking we’re going to cover today, though there are an astounding number of avenues still out there unexamined, is gaining access through third-party websites. The fact of the matter is that most modern businesses do not function on completely independent and privately owned servers. Business social media sites like LinkedIn, industry online resources, and of course SaaS-style subscription online business software and services will all contain important data about your company on servers that you have no control over and no way to secure.
While you can trust the vast majority of your third-party partners to keep their data as secure as you keep yours, if not more so when that’s their business model, you also can’t prevent your business partners from getting hacked. If even something as minor as an employee’s social media account is compromised, the password they use there is likely to be used in other places, opening you up to a classic password hack. However, this can be far more catastrophic if something like your SaaS CRM is compromised, potentially opening up your entire customer database to hacker invasion.
Protection from compromised third-party risks
Because hacking can’t be predicted, it’s nearly impossible to completely protect yourself from the risks of third-party companies getting hacked. However, you can increase your own security rigour in a way that will provide you the maximum amount of protection. Choose business partners that are well-known for their own rigorous security measures, encrypt everything you have access to from the moment you have access to it, and encourage employees to use passwords for their business accounts that are not used anywhere else.
Whew! If you thought that was a lot of ways for hackers to gain access, consider that we didn’t even cover most of the more complicated invasion methods involving advanced programming and specific vulnerability targeting. Joining the digital world, like any new and complex environment, means also exposing yourself to the dangers of the digital predators. Fortunately, security measures are getting more and more advanced every day.