Information and information systems are critical to the day-to-day life of businesses and individuals. It follows that the security of the hardware (system) and software (information) is also a critical component of day-to-day life. According to Frank Vahid and Susan Lysecky in Computing Technology for All, security is not only a function of hardware and software but has a human component as well. While it is easiest for an attacker to target exploits in an OS, it is almost as easy to target a user. Human curiosity will always be one of the easiest targets to exploit.
There are numerous ways that a business or individual can be attacked. The attack could arrive as a virus in a download, as spam or a phish in an email, or as malware (a general term covering viruses and similar hostile software) bundled alongside a download. Spam and phishing normally rely on exploiting a user, while a virus or other malware needs no further action from the user once it has been downloaded. We’ll explore phishing and spam a bit more below. All of these attacks are meant to take control of software or hardware with intent to harm. The harm may be monetary, personal defamation, or damage to business reputation. Any successful attack will almost always result in some kind of loss to the individual or business.
One particularly annoying and effective attack is a DoS, or Denial of Service, attack. This type of attack uses either a virus or email spam to reach a specific target. When the attack is ready to commence, the virus or malware sends continuous ping requests to the target. The ping requests overwhelm the target’s ability to accept new, legitimate requests, and it returns a “busy signal”, a denial of service or a timeout. By contrast, an ordinary ping test is a single ping that returns information about the speed of the computer and the network between two locations. The continuous ping in a DoS attack is thousands of ping requests per second from a multitude of locations, all of them pinging a single location. If the attack is large enough, it can disrupt service across the attacked location and the surrounding network. It is possible for a ping attack to take down an entire portion of the internet around a specific server.
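The distinguishing feature of the flood described above, from the defender's side, is volume: one host sending one echo request is a ping test, while hundreds per second from many sources converging on one destination is a flood. The following added example (not code from the original post or from any product it names) shows how that pattern is detected in firewall-style logs. The log line format, the addresses (all from the IETF documentation ranges) and the traffic volumes are constructed for illustration.

```python
"""Detect ping floods (bursts of ICMP echo requests) in firewall-style log lines.

Added example for the DoS passage above; the log format, addresses and traffic
volumes below are constructed for illustration and are not from any product.
Each log line has the form: '<ISO timestamp> ICMP echo-request <src> -> <dst>'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP echo-request (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst")


def detect_floods(lines, threshold=100):
    """Find (destination, second) buckets receiving at least `threshold` echo requests.

    Each hit is (dst, second_iso, request_count, distinct_sources).  A normal ping
    test is one request; many requests per second from many distinct sources at a
    single destination is the distributed flood pattern the text describes.
    """
    buckets = defaultdict(list)  # (dst, second) -> list of source addresses
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines that are not ICMP echo requests
        ts, src, dst = parsed
        buckets[(dst, ts.replace(microsecond=0))].append(src)

    floods = []
    for (dst, second), sources in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if len(sources) >= threshold:
            floods.append((dst, second.isoformat(), len(sources), len(set(sources))))
    return floods


def build_sample_log():
    """Constructed log: five seconds of one legitimate ping each, then a one-second burst."""
    base = datetime(2019, 6, 26, 12, 0, 0)
    target = "203.0.113.10"  # documentation-range address standing in for the victim
    lines = [
        f"{(base + timedelta(seconds=s)).isoformat()} ICMP echo-request 198.51.100.7 -> {target}"
        for s in range(5)
    ]
    burst_start = base + timedelta(seconds=5)
    for i in range(400):  # 400 requests in one second from 80 distinct sources
        ts = burst_start + timedelta(microseconds=2500 * i)
        lines.append(f"{ts.isoformat()} ICMP echo-request 192.0.2.{i % 80 + 1} -> {target}")
    lines.append("2019-06-26T12:00:06 TCP syn 198.51.100.7 -> 203.0.113.10")  # non-ICMP, ignored
    return lines


if __name__ == "__main__":
    for dst, second, count, distinct in detect_floods(build_sample_log()):
        print(f"{second}: {count} echo requests to {dst} from {distinct} distinct sources")
```

The distinct-source count is what separates a single misbehaving host, which can simply be blocked, from the distributed case in the text, where blocking individual sources does not help and rate limiting ICMP at the network edge is the usual mitigation. The threshold is a constructed value; in practice it is set from the destination's normal baseline.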
The CAN-SPAM Act has defined spam as unsolicited commercial email that the recipient has no affiliation with and that was sent without the recipient’s consent. Additionally, emails are considered spam if they were sent in bulk without the recipient’s consent. While not all bulk emails are spam, the vast majority are. Research from the International Journal of Cyber Criminology indicates that 90% of the emails sent are possibly spam, depending on the definition adopted for spam. Email spam is primarily used for revenue generation or promoting products; however, it is also used for stealing information and phishing (hang in there, we will get to it). When a spam attack is used effectively it can infect an entire organization’s network. With control of the organization’s network and email, the attacker can launch attacks such as DoS attacks without disclosing the identity of the hacker behind them.
Phishing, according to Taking the Bait, combines social engineering and complex attack vectors to create an illusion or deception in the eyes of the email recipient, so that what is being offered or asked appears not only truthful but persuasive enough to prompt an action by the recipient in some form (Lacey et al.). In particular, phishing involves getting the recipient to open an email and/or click through to another site and enter their personal information. Once they have either opened the message or entered their information, the attacker has what they needed: access. If the email message is opened within a business network, the phishing hacker can install ransomware or another type of virus to seize control and demand monetary compensation for releasing the business’s information. For an individual, the phishing scam may involve a person believing they are about to visit a trusted site and entering their personal information there. If this is a bank account, the thief now has your keys to the kingdom.
To protect against both of these types of attacks there are two primary defenses. The first is education. In instances of spam and phishing the attacker must gain access through a user accepting or opening the hostile email. Educating recipients on the warning signs and on what to do with an attacker’s email is the best line of defense we have. Secondly, there are numerous security programs, like SolarWinds MSP, SpamTitan, and Mailwasher, that filter emails, search for specific verbiage, and compare addresses against the user’s whitelists and blacklists. While these types of security software are robust and can be very helpful, they are not perfect. Because this software is available to the hacker just as readily as to the user, it is very difficult for the manufacturer to stay ahead. So it is ultimately the end user’s responsibility to keep him- or herself safe from attacks. Education is the best line of defense.
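The three filter techniques named above (whitelist/blacklist comparison, searching for specific verbiage, and checking where a message really leads) are simple enough to show in a few dozen lines, and doing so also makes concrete the phishing warning sign from the previous paragraph: a link whose visible text names a trusted site while its real target is elsewhere. The following is an added example of that approach and is not code from the original post or from SolarWinds MSP, SpamTitan or Mailwasher. The domains, phrase weights, score threshold and sample messages are constructed.

```python
"""Rule-based mail filter: sender allow/block lists, phrase scoring and link checks.

Added example of the filtering approach the text describes; it is not code from
SolarWinds MSP, SpamTitan or Mailwasher.  Domains, phrase weights and the sample
messages are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Message:
    sender: str                              # From header, e.g. 'Name <user@host>'
    subject: str
    body: str
    links: list = field(default_factory=list)  # (visible link text, actual href)


ALLOWLIST = {"payroll.example.com"}          # trusted sender domains (constructed)
BLOCKLIST = {"bulk-offers.example.net"}       # known spam sender domains (constructed)
SUSPICIOUS_PHRASES = {                        # verbiage typical of spam and phishing lures
    "verify your account": 3,
    "act now": 2,
    "urgent": 2,
    "click here": 1,
    "free": 1,
}
LINK_MISMATCH_WEIGHT = 4
QUARANTINE_SCORE = 4


def sender_domain(address):
    """Lower-cased domain of 'Name <user@host>' or 'user@host'."""
    bare = address.rsplit("<", 1)[-1].rstrip(">").strip()
    return bare.rpartition("@")[2].lower()


def link_mismatches(links):
    """Links whose visible text names one host while the href points at another.

    Only text that looks like a hostname or URL is compared; text such as
    'click here' carries no host to check and is skipped.
    """
    found = []
    for text, href in links:
        if " " in text or "." not in text:
            continue
        shown = urlparse(text if "://" in text else f"http://{text}").hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            found.append((shown, actual))
    return found


def classify(msg, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Return (verdict, reasons) with verdict 'deliver', 'quarantine' or 'reject'."""
    domain = sender_domain(msg.sender)
    if domain in blocklist:
        return "reject", [f"sender domain {domain} is on the blocklist"]

    mismatches = link_mismatches(msg.links)
    # A From header is trivially forged, so the allowlist only skips phrase scoring;
    # a disguised link is still scored even when the sender domain is trusted.
    if domain in allowlist and not mismatches:
        return "deliver", [f"sender domain {domain} is on the allowlist"]

    score, reasons = 0, []
    text = f"{msg.subject} {msg.body}".lower()
    for phrase, weight in SUSPICIOUS_PHRASES.items():
        if phrase in text:
            score += weight
            reasons.append(f"phrase '{phrase}' (+{weight})")
    for shown, actual in mismatches:
        score += LINK_MISMATCH_WEIGHT
        reasons.append(f"link shows {shown} but points to {actual} (+{LINK_MISMATCH_WEIGHT})")

    verdict = "quarantine" if score >= QUARANTINE_SCORE else "deliver"
    return verdict, reasons or ["no indicators matched"]


# Constructed sample messages: trusted notice, bulk offer, phishing lure, ordinary mail.
SAMPLE_MESSAGES = [
    Message("Payroll <notices@payroll.example.com>", "Urgent: timesheets due",
            "Please submit your timesheet by Friday."),
    Message("deals@bulk-offers.example.net", "Act now!", "Free gift with every order."),
    Message("Example Bank <security@examplebank-alerts.example.org>",
            "Urgent: verify your account",
            "Click here within 24 hours to keep access.",
            links=[("www.examplebank.com", "http://examplebank.verify-login.example.org/")]),
    Message("colleague@example.com", "Lunch Friday?", "There is a free table at noon."),
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = classify(msg)
        print(f"{verdict:10} {msg.sender}: {'; '.join(reasons)}")
```

The ordinary message scores a point for the word "free" but is still delivered, which illustrates the text's point that these filters are imperfect: phrase lists generate false positives, and an attacker who can run the same filter tunes the lure until it scores below the threshold. The link check is the most durable of the three signals because it tests what the message does rather than how it is worded, which is also the check a user can learn to make by hand.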
References
Lacey, D., et al. (2015). Taking the bait: A systems analysis of phishing attacks. Procedia Manufacturing, 3, 1109–1116. https://doi.org/10.1016/j.promfg.2015.07.185 (accessed 26 June 2019).
Vahid, F., & Lysecky, S. (2017). Computing technology for all. Retrieved from zybooks.zyante.com/
Yu, S. (2011). Email spam and the CAN-SPAM Act: A qualitative analysis. International Journal of Cyber Criminology, 5(1), 715–735. https://www.cybercrimejournal.com/Yu2011ijcc.pdf