Beware the drive-by attack

Over the past few years, we have identified a new kind of security threat which businesses need to stay alert to – the cyber drive-by attack. It is a phase that has changed over time.

In the humble beginnings of the internet, most online access was through a modem and users were charged for the time they spent online. Opportunists, looking to acquire free online access would literally drive the streets on town in search of a Wi-Fi signal to become available. If this network was insecure, which in those days was a highly likely occurrence, that ‘drive-by’ approach enabled the perpetrator to gain online access for free.

Over time, the drive-by evolved into something more sinister and more precisely targeted. Today, cyber-criminals are focused on latching onto home networks, not simply to access the Internet but more specifically to find their way past badly secured routers by effectively working out the brand, listening to the traffic and weakening the main password over time. Once that password has been compromised, the hacker has ‘carte blanche’ to access the machine and add malware, or some kind of key logger software, enabling them to wait until the users’ access their bank, for example, and then log the keys and decrypt the password.

This kind of cyber drive-by attack is not difficult to execute, it just requires the perpetrator to bring the right level of enthusiasm and impetus to the party. But while the most literal possible interpretation of the cyber drive-by, this kind of attack is typically a one-on-one affair. More concerning for the corporation, is the more random, scattergun variation on the theme which sees criminals spread malware online onto unsuspecting businesses and their users. The fact that they will not be looking specifically for you will be of little comfort if you are one of the organisations affected. And what is especially sinister is that this version of the ‘drive-by’ does not need any user interaction to be effective and only requires one vulnerability to be exposed to the outside world.

Sometimes there is an element of social engineering involved, clicking a link on an infected website which then installs a key-logger or possibly what is known as ‘man in the middle’ software, which allows the attacker to effectively eavesdrop on victims by manipulating a set-up conversation between multiple parties. 

More often than not, however, the drive-by attack has evolved to the point where it can impact on any business user who simply visits a legitimate – but compromised – website, and is infected through a popup or ad, or by being redirected to another infected site. As already referenced, the software installed could be something like a keylogger or some form of spyware, or worse still it could be a banking Trojan, capable of stealing a business’s online banking credentials, or ransomware that simply encrypts all of the company’s data with a key that the organisation cannot access, unless they pay up.

Finding a Solution

Cyber-crime is a growing problem for all organisations today. In 2015, the British insurance company Lloyd’s estimated that cyber-attacks cost businesses as much as $400 billion a year. The cyber drive-by attack is just one element of this, of course, but it is a significant threat to businesses all the same. Its random nature makes it difficult to defend against, especially as it only needs one attack to get through to potentially cause significant damage to the business.

Part of this is about putting the right technology in place. Businesses should ensure they update machines regularly with all the latest security patches and script blocking plug-ins, and be certain to implement state-of-the-art malware detection or antivirus programs across the business. However, there also needs to be a significant element of managing employee behaviour, as well as educating employees around a best practice security approach. It would be a sensible approach, for example, to prevent staff from having local administrative access to their devices.

While providing remote access to the corporate network can bring enormous productivity benefits, companies also need to educate their employees about how best to protect their business devices in the home environment. It’s a good precaution to prevent them from installing devices onto the machine at home – home printers being a good example – as doing so could potentially leave the device more vulnerable to attack. Good password protection is key both in the office and when working from home. It’s vital that passwords not only protect the office network but also the machine more generally because without that additional layer of protection, the user is effectively creating a pathway for malware and other cyber threats to potentially put the business at risk.

Again, much of this comes down to better educating the workforce. There’s a balance to be struck here, of course. Any business wants to give out a message to their workforce that they trust them. It’s a key element of a positive and productive culture after all, but, at the same time, every employee needs to be aware of the cyber threats facing the organisation and what they specifically can do to make the business more secure.

Some companies put their workforce through monthly training cycles. Others send emails with scams embedded within them and then follow up with those individuals who click on the links to provide additional training. But it’s also important not to overdo this. Daily security messages to staff will attract interest and be widely read over the first week or two after they are first disseminated.

Over time, however, if there are no consequences, people will inevitably begin to skim over, or simply ignore them. And in a world where the cyber drive-by attack is a persistent and an ongoing threat that has to be a serious concern.

In today’s complex business and technological environment, it can no longer be the sole responsibility of the IT department to keep organisations secure. Technology will continue to play an important role but employees also need to be aware of the threats that are out there. They need to understand best practice and appreciate that they cannot compromise the security of the whole business for the sake of their personal convenience.

Businesses can’t entirely eliminate the threat of a drive-by attack, of course, but by educating their workforce and encouraging them to behave responsibly at all times, they can significantly reduce the risks. 

Mike Simmonds, managing director, Axial Systems

Image source: Shutterstock/alexskopje