Hackers are friends not foes, says Alyssa Miller in this opening argument for our latest debate
Register debate Welcome to the latest Register Debate in which writers discuss technology topics, and you – the reader – choose the winning argument. The format is simple: a motion is proposed, the argument for the motion is published today, and the argument against will be published on Friday.…
???Destroying things is much easier than making them.??? This quote from The Hunger Games rings true in software; developers spend months perfecting their innovative applications only to see it all crumble at the nimble fingers of a speedy cyberattacker. So how do you beat them? Improve your secure coding know-how early on and keep it sharp. ﾂ?
More than half of organizations in North America provide developers with some level of security training annually, or less often. A lack of consistent, accessible, and meaningful developer training can easily cause roadblocks as you???re asked to shift security left and write more secure code earlier in your workflow.
And as most coders graduate from college without foundational secure coding knowledge, it???s increasingly important that developers (and developers-in-training) can access effective educational platforms throughout their careers to keep up with changes in vulnerabilities and coding best practices.
That???s why, to inspire the next generation of coders, we???re excited to announce the Veracode Hacker Games!
The newly-launched competition from Veracode brings together students from top universities in the U.S. and the U.K. over the course of two weeks to test their secure coding skills. Packed with real-world challenges, the games will be hosted using Veracode Security Labs, and will challenge the teams to quickly solve as many labs as possible to rack up points for their teams.
Over the course of two weeks, contestants will explore vulnerabilities and threats that they???ll face on the job, learning how a cyberattacker might exploit an application and then discovering how to fix and prevent those flaws in the future. It???s practical training and valuable experience that they can take with them through their studies and beyond.
Because it???s no easy feat to beat a serious flaw, we didn???t skimp on the prizes. We???re giving away over $ 15,000 overall, including a $ 10,000 donation to the first-place school and a $ 5,000 donation to the second-place school. We???re also offering generous monetary prizes for individual contestants, and complimentary Veracode scanning software for participating universities so that students can continue refining their skills even after the games are over.ﾂ?
Which schools are in? Here???s a list of the universities participating in the inaugural Veracode Hacker Games:
- University of Virginia
- Stonehill College
- Queen???s University Belfast
- University of York
- University of Warwick
- Tufts University
- Indiana University
- University of Birmingham
While winning students might not get to take a lap around Victor???s Village like in The Hunger Games, they???ll walk away with bragging rights and some fresh secure coding skills to take with them into their careers.
If you missed the signup for this competition, don???t worry! You can reach out to us here and let us know that you???re interested in getting your school involved. Start practicing early in the complimentary version of Veracode Security Labs.
You can also track progress during the challenge by following #VeracodeHackerGames on social, and perusing our leaderboard for updates. Check back on March 26th to see who wins!
Our vulture Iain argues against this week’s motion
Reader debate Welcome to the latest Register Debate in which writers discuss technology topics, and you – the reader – choose the winning argument. The format is simple: a motion was proposed this week, the argument for the motion was published on Wednesday, and the argument against is published today.…
In today’s rapidly evolving cybersecurity landscape, the battle for privacy and security is relentless. Cybercriminals are masters at using technology and psychology to exploit basic human trust and compromise businesses of all sizes. What’s more, they often hide in plain sight, using both covert and overt tactics to cause disruption, steal money and data, and wreak havoc with MSPs and SMBs.
While cybersecurity advice is often focused on technology like endpoint protection, firewalls and anti-virus, it’s important to remember that behind every breach is a human. Knowing who they are and why they target your business is essential to remaining cyber resilient.
As we mentioned in a previous blog, hackers come in many forms, but their methods can generally be classified into three distinct types of cybercriminals:
- The Impersonator – Hackers that pretend to be others, often using social engineering and human psychology to trick users.
- The Opportunist – Hackers that exploit public events and socio-political crises for disruption or personal gain.
- The Infiltrator – Hackers that target specific organizations and work to breach systems using a variety of tools and tactics.
Each one has their own methods and protecting against them requires a multi-layered approach. Let’s look at a few primary examples.
Who is the Impersonator?
An impersonation attack recently made headlines with the 2020 Twitter/Bitcoin scam, in which 130 high-profile Twitter accounts were compromised by outside parties to steal bitcoin. The perpetrators gained access to Twitter’s administrative tools in order to pose as legitimate CEOs and celebrities to trick users into sending bitcoin with the promise of doubling their investment. Unfortunately, attacks like this work, and the hackers received $ 121,000 that was never paid back. This is a scam that’s been around for years and since no one can reverse a cryptocurrency transaction, it’s very likely here to stay.
This type of cybercriminal manipulates victims into opening doors to systems or unwittingly sharing sensitive information by pretending to be someone you would inherently trust. The most notable attack is the “Nigerian prince” email scam, also known as “foreign money exchange” scams. These typically start with an email from someone overseas claiming to be royalty, offering to share a financial opportunity in exchange for your bank account number. Nowadays, you’re more likely to receive an email from your boss’ boss asking for gift cards or money, but these scams are still active in many forms, as the Twitter attack shows.
Impersonators are known to use phishing, Business Email Compromise (BEC) and domain spoofing to lure victims, and they’re always looking for new ways to innovate. In fact, our 2020 Threat Report found that impersonators are now imitating legitimate business websites to release malicious payloads or steal data, and a shocking 27% of phishing sites use HTTPS to trick the user into clicking phishing links, which makes these attacks even more dangerous. It’s easy to assume an official-looking website with an HTTPS address is safe, but hackers can also use HTTPS sites to launch phishing emails and distribute BEC scams as obtaining SSL certificates is trivial now. This is why a multi-layered approach that can block phishing sites (including HTTPS) in real time, is key for staying safe.
What Does the Opportunist Want?
While attacks of opportunity are nothing new, the tactics of the opportunist have gone to a new level with the recent coronavirus pandemic. According to our COVID-19 Clicks report, at least one in three people have fallen for a phishing email in the past year. This year has been all about the pandemic and the fear surrounding it. These phishing attempts often appear in the form of articles about the best ways to avoid coronavirus or links to documents that have lists of people with COVID-19 “in your area.” These documents will ask users to enable an embedded macro that then delivers malware, usually in the form of ransomware. Over 90% of malware campaigns used the pandemic in their initial phishing email this past year.
Opportunists wait for the right opportunity to strike, and just as impersonators take advantage of trust, opportunists also rely on trust and familiarity to deceive users into downloading malicious payloads. Unlike other hackers, however, they don’t have specific victims in mind. The opportunist capitalizes on urgency, fear and unpreparedness to catch as many victims in their net as possible.
As we point out in a popular Hacker Personas podcast, other opportunist attacks like those exploiting U.S. government stimulus payments are also on the rise. Business leaders in particular should watch out for these tactics, as phishing emails can compromise company devices. With the increase of remote workers using unsecured systems and personal devices to access corporate networks, all businesses are at risk from opportunists who bait remote employees.
How Do Infiltrators Breach Systems?
One of the best examples of an infiltration attack is the 2020 SolarWinds breach, in which a foreign state hacked the SolarWinds supply chain to infiltrate at least 18,000 government and private networks including over 425 of the fortune 500. Nation-state hackers took advantage of SUNSPOT malware to insert the SUNBURST backdoor into software builds of the Orion platform, and unbeknownst to SolarWinds developers, they released it as a normal update to their customers. Several significant US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were attacked. What’s more, the fallout of this attack is still ongoing and we may never know the full damage.
The Infiltrator is the opposite of an opportunist in that they target specific victims and have a clear-cut approach to getting what they want. Rather than casting a wide net and hoping for the best, they usually know the system they want to infiltrate, and they use stealthy measures to breach systems, often coming away with a large payout in the form of a costly ransom to criminal enterprises or valuable intel to nation states.
What Steps Should MSPs and SMBs Take to Stay Cyber Resilient?
If knowing your enemy is the first step to protecting your business, the next step is to develop a strong cyber resilience posture that protects against their attacks. Part of that is understanding that cyberattacks are often a matter of “when, not if.” Even if you’re not the target of an infiltrator, for example, your business or employees may be the unknowing victims of an opportunist or impersonator.
Protecting your business includes:
- Implementing a multi-layered cybersecurity approach that includes complete endpoint protection, firewalls, real time anti-phishing as well as Security Awareness Training
- Continuously educating and training employees, staff and customers to follow cybersecurity best practices and to stay up to date on cyberattack news
- Using a backup and recovery solution that can restore critical files after an attack and keep the business up and running during a crisis.
To learn more about hacker personas and strategies to protect against their various attacks, check out our eBook, Hacker Personas: A Deeper Look Into Cybercrime. You can also follow our Hacker Files and Lockdown Lessons series that include a variety of guides, podcasts and webinars covering these topics and more.
The post Hacker Personas Explained: Know Your Enemy and Protect Your Business appeared first on Webroot Blog.
Click on the links below to visit my top-rated products. These–as well as any link on my website could be an affiliate link, and if you visit these links, you will directly support my Youtube channel with small commissions! I don’t accept sponsorships, however, and each review and opinion is completely my own.
►Privacy Review/tier list website with all ratings: https://vpntierlist.com/
►Merch store: https://tomsparkreviews.threadless.com/
►Have you seen my favorite products page? Check it out to see my most recommended products! https://www.vpntierlist.com/tom-spark-favorite-products/
🕵🏽 Best VPN Provider : TorGuard VPN http://bit.ly/tomsparkTorGuard
👨🏼💻Best Private Browser: Brave Browser http://brave.com/tom352
⛓ Best Antivirus Program: MalwareBytes http://bit.ly/2DINT4K
📡 Best Web host Provider: Dreamhost http://bit.ly/DreamHostTom
📧 Best Encrypted Email Provider: PrivateMail http://bit.ly/2KOGnbM
🔒 Best Password Manager: LastPass http://bit.ly/36bd5gp
Disclaimer: This video and all my videos are solely my opinion, to provide educational content and to entertain my audience, and thus are protected by the first amendment in the USA.
I am affiliated, but not sponsored by any VPN. This means I do make money when you click on the links provided, but keep my own opinion to be legit and truthful without bias. I do not host sponsored content on this channel, which means I am not paid to promote VPNs in a positive manner. All of my opinions on this channel are strictly my own!