Businesses may be slowing down for the approaching holidays; a perfect time to stage a cyber crime.
And so this is Christmas… How much time are you taking off? Just a few days, or are you ‘shutting down’ between Christmas and New Year? I don’t blame you if you do. What’s the point of going into the office? It’s very quiet and not much is happening. Everything will be fine until January 2nd.
If I were a cyber criminal, and I can promise you that I’m not, this time of year, when most people are distracted by presents, mince pies and family conflicts, would be the perfect time to undertake an attack on the less protected members of the business community.
I’m not alone in these thoughts, as distraction has been used to great effect in many crimes. In the film adaptation of Frederick Forsyth’s Cold War thriller, The Fourth Protocol, MI5 officer John Preston (Michael Caine) breaks into the residence of British government official George Berenson (Anton Rodgers) on New Year’s Eve. He gains access to a safe by ‘gently’ blowing off its doors. The explosion, muffled by an ingenious use of a plastic bag full of water, occurs exactly on the stroke of midnight, when fireworks are going off and everybody is looking the other way. This wasn’t an opportunistic crime, of course; reconnaissance had been undertaken, as had planning. He used a wonderful social engineering trick of appearing drunk on New Year’s Eve (who isn’t?) in order to confuse the doorman and gain access to the building of his target.
With a few weeks of reconnaissance on the websites and social media feeds of a few soft cyber targets that nevertheless hold high net worth assets, what could you possibly find? Well, it would be relatively easy to find the times when they are closing for the Christmas period, as this is often posted for all to see. So that’s a good window of opportunity to start with. Employees are often celebrated in news stories, so cross-referencing this with social media can usually pull up some form of contact information. Then, using a fake email address, which is very easy to set up, you could ping a few emails over in order to get their ‘out of office’ message that will tell you when they will ‘return to their desk in the new year’.
A cyber criminal can then be confident that they could masquerade as an employee and, using a few password cracking technologies, gain access to the infrastructure.
I may be being overly simplistic here, but the conventional thinking that business goes quiet over this holiday period requires challenging. In fact, it would be worth seeing it as a high-risk period for cyber crime. With many of the hotbeds of cyber criminal activity being based in countries and within communities that do not celebrate the same holidays as us in the West, to them it is ‘business as normal’.
Prior to finishing at the office this week, companies would be well advised to check and double-check their threat monitoring and the chain of command for any incident that may occur – even if it’s on the stroke of midnight on New Year’s Eve! Perhaps it would be worth inhibiting any staff password change requests, in case they are fraudulent. What IT coverage is in place for this period? Do you know? And remember that during these quieter periods of SME business activity, IT departments often take advantage by doing essential maintenance, upgrades and other activity, which in itself can cause a few glitches that a cyber criminal can hide behind. Actually, such ‘downtimes’ are often posted on companies’ websites! Just the Christmas present a cyber criminal could be longing for!
We all know that the constantly connected world has given us many benefits, but the one downside is that it is ‘constant’: it doesn’t recognise holidays, celebrations and other human constructs that frame our lives. This leads to the requirement to have highly vigilant cyber risk mitigation strategies, both automatic and human, in place all the time. There is no let-up in the battle to protect data, prevent hacks and quash the ambitions of the cyber criminal. I don’t want to sound like The Grinch and steal your Christmas, but it’s a sad fact of this modern world that cyber crime and cyber war in all its guises never stops.
There was a highly mythologised Christmas Day truce between British and German troops in the First World War trenches in 1914, where they met in no man’s land and exchanged gifts, took photographs and some played impromptu games of football. War has taken a very different shape in the last century and opposing sides in cyber war are unlikely to follow such a humanistic convention. Happy Xmas (War Isn’t Over).