There is growing speculation that Australia and other countries outside Ukraine will become the latest victims of Russian cyber attacks. Some global experts are warning every country to be aware of the dangers.
Are we ready if this scenario plays out?
Should this prediction eventuate, all organisations and government agencies must consider themselves as potential targets. With that comes the opportunity to reevaluate current security policies and procedures for both systems and people to ensure a robust and holistic defense.
Cybersecurity is everyone’s responsibility. Make sure you are aware of the potential attack vectors and red flags.
Who is a target and what could the potential outcomes be?
Banks and financial institutions are a target as a portal to move fraudulent money from victims to criminal organisations.
Infrastructure is a target due to disruption and effects on supply chains.
Governments are a target due to the very nature of confidential and personally identifiable information, state secrets, defense details etc.
All levels of business are a target, resulting in disruption and the theft of money, personally identifiable information, intellectual property and more.
The Education sector, from childcare centers through to universities, has a lot to lose, such as personal information, intellectual property, and research as well.
Our Health sector is a critical element to ensure the health and well-being of our citizens and the results of a successful cyber attack have the potential to cause loss of lives in addition to the loss of our personal health details.
Communities and Individuals would not only face disruption, stolen money and stolen personal information from any of the above-mentioned scenarios; there is also the potential for us as individuals to become the victim of a cyber attack.
What kind of cyber attacks do we need to be aware of?
Phishing emails – malicious emails designed to elicit a response: to click on a link, open an attachment, provide login details or, in the case of Business Email Compromise (BEC), where the sender poses as a colleague, request a financial transaction to a third party.
Smishing – the SMS version of Phishing. Here we see text messages such as ‘your delivery could not be made, click here’ or ‘you missed a voice message, click here to hear it’ or ‘we have footage of you through your laptop camera, click here to see it’. Once you click you are taken to a fake website and are then instructed to download some software which is malicious and will steal your data and everything else from your phone.
Vishing – the Voice version of Phishing. These can be real people on the other end of the phone or a recorded message. As with the other ‘ishings’, vishing is designed to extract details from you that can be used to steal your money or use your personal information to steal your identity. Imagine if a bomb threat came through vishing or smishing – are you prepared?
Deep Fakes – you have heard about them, and they are getting very hard to spot. Deep fakes can be audio only, or video and audio.
USBs or charging cables – there are reports of cybercriminals sending out USBs with malicious software on them via the post. Unsuspecting people plug them in at home or at work giving complete access to systems as a result.
Ransomware – usually delivered via a phishing email or via unpatched software or unsecured systems. Ransomware is a malicious form of software that when deployed will encrypt data and not allow system access until a ransom is paid.
Tips to prepare and increase awareness
1. Increase defences against possible cyber attacks with a focus on monitoring the movement of large sums of money or data.
2. Patch all your software.
3. Start the round table discussions for potential scenarios and plan for them.
4. Check with your local authorities for the latest threat reports and keep up to date with their recommendations.
5. Raise awareness of potential deep fake attacks with the increase in sophistication of this technology. This includes voice and video.
6. Step every single one of your employees/users/people/students/staff/volunteers through best-in-class security awareness training. This will go towards protecting you and them as they learn to make better decisions when it comes to security.
Finally, for individuals please do your best to stop and think before you act on ALL incoming communications (email, SMS, voice calls, mail etc.) at work and at home. It is the incoming communication that has a high chance of being something malicious.
One more thing for individuals, please refer to point 6 and ask your organisation what they have planned for you to increase your knowledge and be more cyber safe.
Until next time
JJ
USEFUL LINKS
Contact your local authorities for the latest threat reports and assistance:
AUSTRALIA https://www.cyber.gov.au/
NEW ZEALAND https://www.cert.govt.nz/
SINGAPORE https://www.csa.gov.sg
JAPAN https://www.nisc.go.jp/eng/index.html
USA https://www.cisa.gov/
UK EMEA https://www.ncsc.gov.uk/