Russian hackers have managed to get into the German government's computers. We don't know exactly how they did it. But we do know which common mistakes make it easy for hackers to find a way in and cause damage.
If a cyber-spy wants to launch a successful attack and penetrate deep into a system, he needs a lot of information, and the more the better. The deeper he gets into a network, the more information he can gather, which in turn helps him push the attack further. A good attacker will also have studied the chain of command and the work processes at the organization he plans to attack, and knows how to talk people into doing what he wants.
The best protection administrators and users can put up is to be stingy with personal data and to maintain a healthy degree of secrecy. In most offices and businesses, however, that is much easier said than done.
Here are the most common mistakes users and administrators make that could open doors to hackers.
1. Insecure and publicly kept passwords
The most common mistake is to use the name of a pet or loved one, a street address or a similar term that an attacker can look up in minutes as a password. A secure password is long and not derived from anything about you: a random passphrase of several unrelated words is better than a short string of letters, digits and special characters, and a password manager removes the need to memorize it at all. Change a password promptly whenever there is any sign it has been compromised; forcing everyone to rotate passwords on a fixed schedule is no longer recommended (NIST SP 800-63B advises against it), because it pushes people toward predictable variants of the old one. Still common, still a bad idea: writing the password on a sticky note pinned to the memo board behind your desk. If that board is in the background of your webcam during a video call, you might as well post the password on Twitter.
2. Using the same password for different purposes
Some users try to keep it simple and want to remember just one password. If an employee of a high-security institution uses his work password to manage his hockey team's website as well, he is basically inviting hackers in. Small volunteer organizations in particular lack the capacity for serious security: their computers are maintained by laymen who rarely update software in time, and data security is not the first priority of, say, a rabbit breeders' association. Such a site may store passwords in plain text or with weak hashing, so whoever breaks into it walks away with the admin's password and can try it against his work account. Attackers automate exactly this, feeding leaked username and password pairs into login forms at scale.
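An added example (not code from the original article) showing how an administrator can audit for both mistakes described in sections 1 and 2: passwords built from an employee's personal data, and passwords reused from an outside site that has been breached. The storage scheme (salted PBKDF2-SHA256), the account names, the personal terms and the "leaked dump" are all assumptions constructed for the demo; a real audit would run against the organization's own directory and a real breach feed.

```python
"""Password audit for sections 1 and 2: flags work accounts whose password is
either built from personal data an attacker can look up, or identical to one
leaked by an insecure outside site the employee also used.

Constructed example, not code from the original article. Assumptions: the
directory stores salted PBKDF2-SHA256 hashes (real systems use whatever their
directory or application uses), and the leaked dump is keyed by the same
e-mail address the employee uses at work."""
import hashlib
import hmac
import itertools
import os

ITERATIONS = 20_000  # deliberately low so the demo runs in seconds; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


def personal_guesses(terms):
    """Candidates an attacker derives from a pet name, street or partner's
    name: bare, capitalised, leet-substituted, each with common suffixes."""
    suffixes = ["", "1", "123", "!", "01", "2017", "2018"]
    leet = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
    for term in terms:
        bases = {term.lower(), term.capitalize(), term.lower().translate(leet)}
        for base, suffix in itertools.product(sorted(bases), suffixes):
            yield base + suffix


def audit(accounts, leaked_dump):
    """accounts: {email: (salt, stored_hash, [personal terms])}
    leaked_dump: {email: plaintext password} recovered from the outside breach.
    Returns {email: reason} for every account that fails."""
    findings = {}
    for user, (salt, stored, terms) in accounts.items():
        leaked = leaked_dump.get(user)
        if leaked is not None and verify(leaked, salt, stored):
            findings[user] = "reused password leaked by third-party site"
            continue
        for guess in personal_guesses(terms):
            if verify(guess, salt, stored):
                findings[user] = f"password derived from personal data ({guess!r})"
                break
    return findings


def build_demo():
    """Constructed data: three employees plus a plaintext dump from a
    fictional hockey-club site that never hashed its passwords."""
    def account(password, terms):
        salt = os.urandom(16)
        return salt, hash_password(password, salt), terms

    accounts = {
        "anna@ministry.example": account("Hockey4ever!", ["Rex", "Parkstrasse"]),
        "ben@ministry.example": account("Fluffy2018", ["Fluffy", "Lindenweg"]),
        "cem@ministry.example": account("correct horse battery staple", ["Tom", "Hauptstrasse"]),
    }
    leaked_dump = {
        "anna@ministry.example": "Hockey4ever!",  # same password at work and at the club
        "ben@ministry.example": "ilovehockey",    # different password, nothing to report
    }
    return accounts, leaked_dump


if __name__ == "__main__":
    accounts, dump = build_demo()
    for user, reason in audit(accounts, dump).items():
        print(f"{user}: {reason}")
```

The audit never needs the plaintext of the work passwords: it only verifies candidates against the stored hashes, which is the same work an attacker would do, done first by the defender. The candidate generator is small on purpose; in practice it would be fed the terms a target's social-media profile gives away.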
3. One password for an entire group, saved in a central location
Colleagues often have to share a password, for example to use a software or web application that has only one workplace licence. It is common to store such a password in a Word file somewhere on a shared file server or in another shared application. That way all colleagues have access to it, but so does the hacker, even if he has only compromised an ordinary user account without admin rights. From there, the intruder can work his way through the system step by step.
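An added example (not code from the original article) of the sweep an administrator can run over a shared drive to find exactly the kind of "Zugangsdaten.docx" described above before an intruder does. It walks a directory tree, reads plain text files and the text inside .docx files (which are zip archives containing word/document.xml), and reports lines that look like stored passwords. The sample share, its files and the credential patterns are constructed for the demo.

```python
"""Credential sweep for a shared drive: walks a directory tree, reads plain
text files and the text inside .docx files (a zip with word/document.xml),
and reports lines that look like stored passwords.

Constructed example, not code from the original article. The sample share is
built in a temporary directory; the credential patterns are a starting set."""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# 'Password: x', 'pwd=x', German 'Kennwort: x' and similar, case-insensitive.
CREDENTIAL_RE = re.compile(r"\b(?:pass(?:word|wd)?|pwd|pw|kennwort|passwort)\s*[:=]\s*\S+", re.I)
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def docx_text(path: str) -> str:
    """Visible text of a .docx: one line per <w:p> paragraph, joining its <w:t> runs."""
    with zipfile.ZipFile(path) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    lines = []
    for para in root.iter(f"{{{WORD_NS}}}p"):
        lines.append("".join(t.text or "" for t in para.iter(f"{{{WORD_NS}}}t")))
    return "\n".join(lines)


def file_text(path: str) -> str:
    if path.lower().endswith(".docx"):
        return docx_text(path)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def scan_share(root_dir: str):
    """Returns sorted [(path relative to the share, offending line)]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                text = file_text(path)
            except (OSError, zipfile.BadZipFile, ET.ParseError, KeyError):
                continue  # unreadable or not really a docx: skip it, keep scanning
            rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
            for line in text.splitlines():
                if CREDENTIAL_RE.search(line):
                    hits.append((rel, line.strip()))
    return sorted(hits)


def write_minimal_docx(path: str, paragraphs):
    """Writes a bare-bones .docx (just enough structure for docx_text to read);
    constructed test data, not a complete Word document."""
    body = "".join(f"<w:p><w:r><w:t>{escape(p)}</w:t></w:r></w:p>" for p in paragraphs)
    document = f'<w:document xmlns:w="{WORD_NS}"><w:body>{body}</w:body></w:document>'
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("word/document.xml", document)


def build_demo_share() -> str:
    """Constructed sample share with one credentials document and two text files."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "Team", "Tools"))
    write_minimal_docx(os.path.join(root, "Team", "Tools", "Zugangsdaten.docx"),
                       ["CAD tool licence account", "Login: cad-user", "Password: Sommer2018!"])
    with open(os.path.join(root, "Team", "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Meeting on Monday\nwiki pwd=Wiki!2017\n")
    with open(os.path.join(root, "Team", "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("Nothing secret here, just the agenda.\n")
    return root


if __name__ == "__main__":
    for rel_path, line in scan_share(build_demo_share()):
        print(f"{rel_path}: {line}")
```

Run it against a mounted share with the rights of an ordinary user, not an administrator: what that account can read is exactly what an intruder holding that account can read. The fix for whatever it finds is a password manager with shared vaults, not a better hiding place for the Word file.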
4. Phishing and Spearphishing — targeting victims directly
An initial attack often starts with a phishing email that tricks the user into opening an attachment or clicking a link, which then downloads and runs malware. Mass phishing mails arrive as spam and are usually easy to spot.
That is not the case with spear-phishing emails, which target individuals. The attacker makes his request look legitimate, sometimes backed up by a friendly phone call beforehand. The malware can be hidden in a job application sent to Human Resources or in an invoice sent to the procurement department. This requires the criminal to communicate convincingly and appear credible. He also has to spoof the sender address so the message appears to come from where he claims, which is why the receiving mail gateway should check SPF, DKIM and DMARC rather than trust the From line.
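An added example (not code from the original article) of the header and attachment checks a mail gateway or analyst applies to catch the spear-phishing tells described above: a display name that carries a different address than the real sender, a From domain that does not match the envelope sender (Return-Path), failing SPF/DKIM/DMARC results, and an "application" or "invoice" that is really an executable. Both messages are constructed; the gateway name gw.ministry.example and the list of risky file types are assumptions.

```python
"""Header and attachment triage for spear-phishing tells: display-name
impersonation, From/Return-Path domain mismatch, failed SPF/DKIM/DMARC, and
executable or macro attachments disguised as documents.

Constructed example, not code from the original article. Both messages are
made up; the Authentication-Results header is assumed to be stamped by our own
gateway (gw.ministry.example), which must strip any such header arriving from
outside, or an attacker simply adds 'spf=pass' himself."""
import email
import email.utils
from email import policy

RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}


def domain_of(mailbox: str) -> str:
    """Domain part of the address in a header value such as 'Name <a@b>'."""
    _name, addr = email.utils.parseaddr(mailbox or "")
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes):
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    # 1. display name smuggles in a different address (what the user sees in the client)
    if "@" in name and domain_of(name) != from_domain:
        findings.append("display name impersonates another address")
    # 2. envelope sender domain differs from the From domain
    rp_domain = domain_of(str(msg.get("Return-Path", "")))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    # 3. results our own gateway recorded when it checked the sender
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth or f"{check}=softfail" in auth:
            findings.append(f"{check} failed")
    # 4. attachments whose real type can run code, whatever the lure calls them
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rsplit(".", 1)[1] if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {fname}")
    return findings


# Constructed spear-phishing message: forged "insider" sender, fake application as .exe.
SPEAR_PHISH = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: gw.ministry.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=ministry-example.com
From: "Klaus Meier <klaus.meier@ministry.example>" <k.meier@ministry-example.com>
To: hr@ministry.example
Subject: Application as discussed on the phone
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello, as discussed on the phone, please find my application attached.
--b1
Content-Type: application/octet-stream; name="Application.pdf.exe"
Content-Disposition: attachment; filename="Application.pdf.exe"

constructed placeholder, not a real executable
--b1--
"""

# Constructed legitimate invoice from a supplier whose mail authenticates cleanly.
LEGIT_INVOICE = b"""Return-Path: <lena.schulz@supplier.example>
Authentication-Results: gw.ministry.example; spf=pass smtp.mailfrom=supplier.example; dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example
From: Lena Schulz <lena.schulz@supplier.example>
To: procurement@ministry.example
Subject: Invoice 2018-0142
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Please find the invoice attached.
--b2
Content-Type: application/pdf; name="invoice-2018-0142.pdf"
Content-Disposition: attachment; filename="invoice-2018-0142.pdf"

%PDF-1.4 constructed placeholder, not a real PDF
--b2--
"""

if __name__ == "__main__":
    print("spear-phish:", triage(SPEAR_PHISH))
    print("invoice:", triage(LEGIT_INVOICE))
```

None of these checks proves an email is malicious on its own; a newsletter sent through a bulk provider also has a Return-Path on another domain. The point is that the phishing message trips several of them at once, which is what the gateway's scoring should key on. The friendly phone call in the scenario defeats none of them, because it cannot change what the headers say.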
5. Careless administrators
Ambitious attackers want admin rights so they can control the entire system. Once they have a way in, such as the credentials of a regular user, they may continue by reading the company directory on the intranet, which tells them who the IT people are: names, phone numbers, email addresses. On Facebook or other social media they may find more: hobbies, preferences, personal details, perhaps the names of friends, family and colleagues. With that, the intruder can craft a personalized attack that claims to come from an insider. After all, why wouldn't you open an email attachment from someone introduced to you by a good friend?
6. Zero-day attacks: a security gap that's closed too late
Even administrators who work carefully and patch promptly can be too late to keep hackers out. Months can pass between the discovery of a vulnerability and the release of a patch. One reason is that software vendors often withhold the information until they have a patch ready, because they know attackers watch every announcement and move quickly once a flaw is public, before users have had a chance to patch. The worst case is a hole becoming public, or being exploited, before any patch exists: a zero-day. But the danger is not over once a patch is out, because users and admins are not always fast enough to install it before the attack hits. That was the case with the "WannaCry" ransomware in May 2017: Microsoft had published the fix for the SMB flaw it exploited two months earlier, and the systems that were hit were the ones that had not installed it.
7. Sloppy server setup
Many IT service providers work under pressure to save time and money. When asked to set up a server, they may leave the default password, something like "1234" or "qwerty", in place for a later admin to change. If the person who takes over as admin is not a security expert, he may never do it. After all, as long as the system is running smoothly, everything is fine, right? Another common source of breaches is frequently changing responsibilities and administrators: accounts and passwords set up by a predecessor stay in place because nobody knows what they are for.
8. Mail servers are disclosing too much
Secure mail servers respond sparsely, if at all, to faulty requests from outside. The reason: an attacker can learn a lot about the software and configuration of a server simply by sending an email to a non-existent address at the target's domain. A badly configured mail server answers with a detailed error message or bounce that lists every hop the message travelled through, complete with host names and the version of the mail software on each server. The SMTP banner and the wording of rejection messages give away the same kind of detail. All of that helps the intruder plan his attack.
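An added example (not code from the original article) showing both channels described above from the defender's side: what a mail server says during the SMTP dialogue (banner, VRFY, the wording of rejections) and what its bounce messages carry back out (Received headers naming every internal hop, often with the software version of each). The two session transcripts and the bounce headers are constructed; the version regex and the phrase fingerprints are heuristics, not a complete catalogue.

```python
"""Two ways a mail server gives itself away: the SMTP dialogue itself and the
Received headers inside the bounces it sends back to the outside world.

Constructed example, not code from the original article. The transcripts and
the bounce are made up; the regex and fingerprints are heuristics."""
import ipaddress
import re

VERSION_RE = re.compile(
    r"\b(Postfix|Sendmail|Exim|Exchange|Microsoft ESMTP MAIL Service)\b[^\r\n;()]*?\d+(?:\.\d+)+", re.I)
FINGERPRINTS = {  # rejection wording that identifies the MTA even without a version number
    "local recipient table": "Postfix",
    "virtual mailbox table": "Postfix",
    "Unrouteable address": "Exim",
}
RECEIVED_RE = re.compile(r"^Received: from (\S+).*? by (\S+)(?: \(([^)]*)\))?", re.M)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def session_leaks(transcript):
    """transcript: list of (client command or None for the banner, server reply)."""
    leaks = []
    for sent, reply in transcript:
        match = VERSION_RE.search(reply)
        if match:
            where = "banner" if sent is None else f"{sent.split()[0]} reply"
            leaks.append(f"{where} reveals software version: {match.group(0)}")
        for phrase, mta in FINGERPRINTS.items():
            if phrase.lower() in reply.lower():
                leaks.append(f"rejection wording fingerprints {mta}: {phrase!r}")
        if sent and sent.upper().startswith("VRFY") and reply.startswith("250"):
            leaks.append("VRFY confirms that a mailbox exists without sending mail")
    return leaks


def bounce_hops(raw: str):
    """Unfolds the headers of a bounce and returns [(from host, by host, software)]
    for each Received line, outermost (latest) hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [(m.group(1), m.group(2), m.group(3) or "") for m in RECEIVED_RE.finditer(unfolded)]


def internal_addresses(raw: str):
    """RFC 1918 addresses that a bounce exposes to the outside world."""
    found = set()
    for text in IPV4_RE.findall(raw):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue
        if any(ip in net for net in RFC1918):
            found.add(text)
    return sorted(found)


# Constructed transcripts: the same probe against a talkative and a sparse server.
TALKATIVE = [
    (None, "220 mail.ministry.example ESMTP Postfix 3.3.0 (Ubuntu)"),
    ("EHLO probe.attacker.example", "250 mail.ministry.example"),
    ("VRFY admin", "250 2.1.5 <admin@ministry.example>"),
    ("MAIL FROM:<probe@attacker.example>", "250 2.1.0 Ok"),
    ("RCPT TO:<nobody@ministry.example>",
     "550 5.1.1 <nobody@ministry.example>: Recipient address rejected: User unknown in local recipient table"),
]
SPARSE = [
    (None, "220 mail.ministry.example ESMTP"),
    ("EHLO probe.attacker.example", "250 mail.ministry.example"),
    ("VRFY admin", "502 5.5.1 VRFY command is disabled"),
    ("MAIL FROM:<probe@attacker.example>", "250 2.1.0 Ok"),
    ("RCPT TO:<nobody@ministry.example>", "550 5.1.1 Recipient address rejected"),
]

# Constructed bounce headers as an internal server would send them back to the prober.
BOUNCE = """Received: from relay-int-02.ministry.example (10.20.30.12)
    by mail.ministry.example (Postfix 3.3.0) with ESMTP id 4C1F2;
    Sat, 3 Mar 2018 10:14:02 +0100
Received: from gw01.ministry.example (gw01.ministry.example [198.51.100.10])
    by relay-int-02.ministry.example (Postfix 3.1.6) with ESMTP id 19A3B;
    Sat, 3 Mar 2018 10:14:01 +0100
Received: from mx.attacker.example (mx.attacker.example [203.0.113.5])
    by gw01.ministry.example (Sendmail 8.15.2) with ESMTP id w23A1;
    Sat, 3 Mar 2018 10:14:00 +0100
Subject: Undelivered Mail Returned to Sender
"""

if __name__ == "__main__":
    print("talkative:", session_leaks(TALKATIVE))
    print("sparse:", session_leaks(SPARSE))
    for hop in bounce_hops(BOUNCE):
        print("hop:", hop)
    print("internal addresses exposed:", internal_addresses(BOUNCE))
```

The talkative server hands over its MTA and version in the banner, confirms which mailboxes exist via VRFY, and fingerprints itself again in the rejection text; its bounce additionally exposes two internal relay names, their versions and a private address. On Postfix the first three are closed with `smtpd_banner = $myhostname ESMTP`, `disable_vrfy_command = yes` and `show_user_unknown_table_name = no`; the bounce leak is addressed by rejecting unknown recipients at the gateway instead of accepting and bouncing later, and by stripping internal Received headers on outbound mail.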
9. No sandbox in the system
Most operating systems and web browsers today use sandboxes. If malware gets onto the system, it is confined to one compartment, like a fire that breaks out in a sandpit. Strict administration, with each user granted only the rights the job requires, limits the possible damage further. If many users have been given too many rights, however, the malware moves quickly and the fire spreads.
10. Software is not up-to-date
Last but not least: the operating system and all applications must be kept up to date. Anti-virus software is still important, but it is no longer the first line of defense. What counts today is the overall resilience of the system, which includes detecting suspicious activity whether or not it can be tied to a known virus: an account logging in to a dozen servers within a few minutes, or a login that succeeds right after a burst of failed attempts. Good monitoring detects and interrupts such activity even when the anti-virus scanner has not recognized the latest malware.
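An added example (not code from the original article) of what "detecting suspicious activity" looks like in practice: two detection rules run over a constructed sshd log, one for a login that succeeds after a burst of failures from the same address, one for a single account being accepted on several hosts within minutes. The log lines, host names, thresholds and time window are all assumptions made for the demo.

```python
"""Detection logic for two of the suspicious activities mentioned above, run
over a constructed sshd log: password guessing that eventually succeeded, and
one account fanning out across hosts (lateral movement).

Constructed example, not code from the original article. The log lines are
made up in standard syslog/sshd format; thresholds and windows are assumptions
to tune for the environment."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts host result user ip")
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line: str, year: int = 2018):
    """Returns an Event for an sshd login result line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S").replace(year=year)
    return Event(ts, m["host"], m["result"], m["user"], m["ip"])


def detect(lines, fail_threshold=5, host_threshold=3, window=timedelta(minutes=10)):
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e.ts)
    alerts = []

    # Rule 1: at least fail_threshold failures from one IP inside the window, then a success.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e.result != "Accepted":
                continue
            fails = [f for f in evs[:i] if f.result == "Failed" and e.ts - f.ts <= window]
            if len(fails) >= fail_threshold:
                alerts.append(f"guessing from {ip} succeeded as {e.user} on {e.host} after {len(fails)} failures")
                break

    # Rule 2: one account accepted on host_threshold or more distinct hosts inside the window.
    by_user = defaultdict(list)
    for e in events:
        if e.result == "Accepted":
            by_user[e.user].append(e)
    for user, evs in by_user.items():
        for e in evs:
            hosts = {x.host for x in evs if timedelta(0) <= e.ts - x.ts <= window}
            if len(hosts) >= host_threshold:
                alerts.append(f"{user} logged in to {len(hosts)} hosts within {window}: {', '.join(sorted(hosts))}")
                break
    return alerts


# Constructed log: a guessing run against srv-hr01 that succeeds, a service account
# hopping across three hosts, plus ordinary noise and one line the parser must ignore.
SAMPLE_LOG = """\
Mar  3 10:10:01 srv-hr01 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51100 ssh2
Mar  3 10:10:03 srv-hr01 sshd[2302]: Failed password for root from 203.0.113.5 port 51101 ssh2
Mar  3 10:10:06 srv-hr01 sshd[2303]: Failed password for invalid user test from 203.0.113.5 port 51102 ssh2
Mar  3 10:10:09 srv-hr01 sshd[2304]: Failed password for maria from 203.0.113.5 port 51103 ssh2
Mar  3 10:10:12 srv-hr01 sshd[2305]: Failed password for maria from 203.0.113.5 port 51104 ssh2
Mar  3 10:10:15 srv-hr01 sshd[2306]: Failed password for maria from 203.0.113.5 port 51105 ssh2
Mar  3 10:10:18 srv-hr01 sshd[2307]: Accepted password for maria from 203.0.113.5 port 51106 ssh2
Mar  3 10:11:40 srv-hr01 sshd[2310]: Accepted publickey for svc-backup from 10.20.30.12 port 40010 ssh2
Mar  3 10:12:05 srv-fin02 sshd[1188]: Accepted publickey for svc-backup from 10.20.30.12 port 40011 ssh2
Mar  3 10:12:31 dc01 sshd[877]: Accepted publickey for svc-backup from 10.20.30.12 port 40012 ssh2
Mar  3 10:13:00 srv-hr01 sshd[2320]: Accepted publickey for maria from 10.20.30.40 port 50200 ssh2
Mar  3 10:13:30 srv-fin02 sshd[1190]: Failed password for invalid user oracle from 198.51.100.7 port 33001 ssh2
Mar  3 10:14:00 srv-fin02 sshd[1191]: pam_unix(sshd:session): session opened for user svc-backup by (uid=0)
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Neither rule knows anything about malware; both fire on behaviour, which is why they keep working when the scanner has no signature yet. The second rule is the one that catches the "step by step" movement described in sections 3 and 5, provided the logs of all hosts are collected in one place where the cross-host view exists.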