InfoSec / Cyber

Types of Cyber Attacks: Phishing

This article is linked to a series of articles about different types of Cyber Attacks. They can be viewed in the Information/Cyber Security News section of the Data Protection Education website or as part of the Information & Cyber Security Best Practice Area. Each article discusses a different type of cyber attack, steps to try to minimise the risk and guidance.

Phishing is a type of cyber attack in which an attacker tries to trick the victim into giving away sensitive data, such as passwords, credit card numbers, or other personal data.  This is typically done by posing as a legitimate organisation, such as a bank, a social media platform, or an email service provider.

Phishing attacks can take many forms, but they often involve the use of emails or messages that appear to be from a trusted source, but are actually designed to lure the victim into clicking on a link or downloading an attachment that contains malware or other malicious code.  The attacker may also use social engineering tactics to convince the victim to provide sensitive information, such as by posing as a customer service representative or a technical support agent.

The Anti Phishing Working Group's latest report analyses phishing attacks: APWG Summary third quarter 2022

The DfE reports: Of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts (83%). Full survey is here:

DfE Cyber Security Breaches Survey 2022

Office for National Statistics - Phishing attacks - who is most at risk?

 

 

How can you protect  yourself and your organisation?

The National Cyber Security Centre (NCSC) – a part of GCHQ – has published practical advice on how to spot phishing attempts and report suspicious messages.

If you have any doubts about a message, contact the organisation directly.  If you think an email could be a scam, you can report it by forwarding it to: This email address is being protected from spambots. You need JavaScript enabled to view it.

How do you train your staff to spot phishing emails article:

Raise awareness of staff through training (also NCSC cyber security training for staff) and posters

Remind staff about the importance of passwords. View our password checklist.

Ensure virus software is running.

Be wary of public Wi-Fi.

Keep software up to date. View our Cyber/Information Security Best Practice Area.

What to do in the event of a Cyber Attack 

Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body. 

The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to: 

  • Report Fraud on 0300 123 2040, or the Report Fraud website 
  • the DfE sector cyber team at This email address is being protected from spambots. You need JavaScript enabled to view it. 

You may also need to report to: 

You must act in accordance with: 

Police investigations may find out if any compromised data has been published or sold and identify the perpetrator. 

Preserving evidence is as important as recovering from the crime.

Forward suspicious emails to This email address is being protected from spambots. You need JavaScript enabled to view it.. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

Little Guide to ACTION FRAUD

 

Types of Cyber Attacks: The Insider Threat

This article is linked to a series of articles about different types of Cyber Attacks. They can be viewed in the Information/Cyber Security News section of the Data Protection Education website or as part of the Information & Cyber Security Best Practice Area. Each article discusses a different type of cyber attack, steps to try to minimise the risk and guidance.

The Cybersecurity and Infrastructure Security Agency (CISA) defines insider threat as the threat that an insider will use their authorised access, intentionally or unintentionally to do harm to the organisation's mission, resources, personnel, information, equipment, networks or systems.  This can include theft or unauthorised access to sensitive data, installing malware or other malicious software, or disrupting normal operations.

They are people who have authorised and legitimate access to a company's assets and abuse it either deliberately or accidentally.

There are three insider threat sources:

  1. Negligent or inadvertent users
  2. Criminal or malicious insiders
  3. Attackers that stole user credentials

How might an insider threat attack happen?

  • People rushing to finish a task or project who have access to sensitive data or admin rights can cut corners.
  • Remote working opens the organisation to personal devices being used and data intervertently being downloaded.
  • People losing devices or having devices stolen.
  • Clicking on a phishing email.
  • Not installing regular updates.
  • Installing non-organisation approved software which has malware.
  • Leaving devices open to physical attacks such as a server not in a locked cupboard or room, is open to accidental spillages, USB devices being plugged in, turning off of all the organisation's systems by pressing the power button.
  • Lack of IT expertise in the organisation could mean that someone unwittingly does not have all the appropriate systems controls in place.
  • Deliberate sabotage.

How can you reduce the risk of a cyber attack?

Remember: insiders don't act maliciously most of the time - a cyber attack is sometimes caused by a disgruntled employee but it's mostly by accident or negligence.

The role of cyber negligence in insider threats

 What to do in the event of a cyber attack?

Tell someone!  Report to IT. Report to SLT. 

Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.

If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss.  Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.

Isolate the infected device and pass to IT 

Always ensure there are backups you can restore from.

Little Guide to ACTION FRAUD

Why your data is profitable to cyber criminals

This article covers ways in which cyber criminals profit from their cyber crimes.  Often we might think our data, if it is not financial, is not interesting or profitable to hackers, so this article discusses the different types of data that are stolen and why.

Financial data is the main data type that we all think of when considering why a hacker might steal information.  Financial data can be sold to various individuals for different purposes. It is not uncommon for thousands of records to be sold within 24 hours, making this a lucrative endeavour for the attacker and market owner.  More about this can be read in this blog by a reformed black hat hacker: Cybercriminals, Debit Cards, Credit Cards, and Underground Markets

Personal data is relatively easy to steal and will be information such as names, addresses, phone numbers, email addresses and national insurance numbers.  They can use this information to create fake identities or commit identity theft, which can then allow them to access bank accounts, credit cards and other financial resources.  This is why hackers find school MIS data attractive. WH Smith Recent Cyber Attack is a recent personal data attack.  The NCSC have written a paper about the cyber threat to Universities: https://www.ncsc.gov.uk/report/the-cyber-threat-to-universities

Intellectual property is when hackers steal such things as patents, trademarks, copyrights and trade secrets.  They can sell this information to competitors or use it to create their products.  This often happens between governments.  MI5 report a new body has been created to help the UK combat national security threats. - See more at: https://www.mi5.gov.uk/news/new-body-will-help-the-uk-combat-national-security-threats#sthash.hgLZxMI8.dpuf

Ransomware is when hackers encrypt data on a victim's computer and demand payment in exchange for the decryption key. This can be especially lucrative for hackers who target businesses or organisations that rely on their data to operate, such as schools.  See our previous article about schools that have been targeted in this way recently: VICE SOCIETY -  Ransomware attacks on schools.

Health data is stolen such as medical records or insurance information.  This information is used to commit identity theft or insurance fraud.  NHS Ransomware Attack.

Hackers profit from the data they steal in various ways, including:

  1. Selling the data on the dark web: The data can be sold to other cybercriminals who can use it for their nefarious purposes.

  2. Using the data themselves: Hackers can use the data to access accounts, commit identity theft, or create fake identities to commit further fraud.

  3. Ransomware payments: If the hacker uses ransomware, they can demand a ransom payment in exchange for the decryption key.

  4. Blackmail or extortion: In some cases, hackers may threaten to release sensitive information unless the victim pays a ransom or takes some other action.

In conclusion, hackers steal a variety of data from their victims, and they profit from this data in different ways, depending on the type of information stolen and the hacker's goals. To protect against these threats, it is essential to take cybersecurity seriously and implement appropriate security measures.

Visit our Info/Cyber Security Best Practice Area for help, guidance and support for cyber cyber security and data protection.

This website lists all the cyber crime statistics for the UK: https://proprivacy.com/blog/latest-uk-cybersecurity-cybercrime-statistics-2020-2022

What to do in an attack:

Tell someone!  Report to IT. Report to SLT. 

Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.

If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss.  Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.

Isolate the infected device and pass to IT 

Always ensure there are backups you can restore from.

Remember – ‘Hackers don’t break in they login’!

Types of malware and how they are linked to data protection

Malware is malicious software designed to harm computer systems and is linked to data protection in several ways.

Malware can be used to steal or compromise sensitive data stored on a computer system or network. This data could include personal information, financial data, or confidential business information. In this sense, malware poses a significant threat to data protection, as it can lead to data breaches and other security incidents.

Malware can be used to destroy or corrupt data, making it inaccessible or unusable. This can be particularly damaging if the data is important or essential for business operations, and can result in financial losses, reputational damage, and legal liabilities. 

Malware can be used to exploit vulnerabilities in computer systems or networks, potentially enabling attackers to gain unauthorized access to data or systems. This can result in data theft or other malicious activities, and can also compromise the security and privacy of individuals or organizations. 

 

Name What it is What it Does & How it infects  Examples
A type of malicious software that rapidly replicates and spreads to any device on a network.  Worms do not need a host program to spread.   A worm infects a device through a downloaded file or a network connection before it multiplies and spreads at an exponential rate.

Famous worms: Conficker, CodeRed, Morris Worm, Stuxnet

Further guidance on worms

  A trojan virus is disguised as a helpful software program.  The user downloads it, then the Trojan can gain access to sensitive data and then modify, block or delete data.  It can be extremely harmful to the performance of the device.  They are not designed to self-replicate,  Zeus Gameover mostly used for stealing victim's bank information.
  Spyware is malicious software that runs secretly on a computer in the background and reports back to a remote user.    It targets sensitive information and can grant remote access to predators. It is often used to steal financial or personal information Keylogger - records your keystrokes to reveal passwords and personal information.
   Adware is malicious software used to collect data on your computer usage and provide appropriate adverts to you. Adware is not always dangerous but can cause issues for your system.  Adware can redirect your browser to unsafe sites and it can even contain Trojan horses and spyware.  Significant levels of adware can slow down your system noticeably.

Appearch is a common adware program that acts as a browser hijacker.  It is usually bundled with free software and inserts so many ads into the browser that it makes surfing almost impossible. 

   Ransomware is malicious software that gains access to sensitive information within a system, encrypts that information so that the user cannot access it, and then demands a financial pay-out for the data to be released.  Ransomware is usually part of a phishing scam. By clicking a link the user downloads the ransomware.  The attacker then proceeds to encrypt specific information that can only be unlocked with a special code.   Cryptolocker was one of the first examples. Fake Windows Updates. The VICE Society attacks schools.

Malware is closely linked to data protection, as it poses a significant threat to the confidentiality, integrity, and availability of sensitive data. Effective measures to prevent, detect, and respond to malware attacks are essential for ensuring data protection and maintaining the security of computer systems and networks. 

Check  your cyber resilience using our Information and Cyber Security Checklists

Visit our Information and Cyber Security Best Practice Area for support and guidance.

What to do in the event of a Cyber Attack 

Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body. 

The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to: 

  • Report Fraud on 0300 123 2040, or the Report Fraud website 
  • the DfE sector cyber team at This email address is being protected from spambots. You need JavaScript enabled to view it. 

You may also need to report to: 

You must act in accordance with: 

Police investigations may find out if any compromised data has been published or sold and identify the perpetrator. 

Preserving evidence is as important as recovering from the crime.

Forward suspicious emails to This email address is being protected from spambots. You need JavaScript enabled to view it.. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

Little Guide to ACTION FRAUD

 

How a school fought back after a cyberattack

The following article talks about how a school thwarted a cyber attack, more through luck than judgement.  Our advice is for the whole organisation to be cyber aware and review how your organisation might respond when attacked.    The article gives ideas on how to begin making a cyber ready plan.

In October 2020 Kellett School was subject to a ransomware denial-of-service (DoS) attack orchestrated by a Russian criminal hacker group.  After the attack, a post mortem diagnostic showed that they had most likely got into the school's system through a member of staff clicking on a link in a phishing email, which, because staff had admin rights to their school devices, installed malware on the school system.  The full article can be read here:

 https://www-tes-com.cdn.ampproject.org/c/s/www.tes.com/magazine/leadership/data/how-our-school-fought-back-after-cyberattack?amp

Things to note from this attack:

  • Staff had been given admin access to to their school devices so that they could download any software from home that they needed during the period of home learning.
  • There were no protocols in place to ensure that access to the school network was limited to current staff.
  • There were no additional controls in place to the creation and deletion of admin accounts.
  • Staff had not been made to change their passwords for years.
  • Shutdowns and updates on school devices had not been forced
  • Staff had never been trained in cyber-awareness

Recommendations:

  • Senior Leadership makes cyber security part of the organisational culture
  • Everyone in the organisation should understand cybersecurity.  The organisation should make use of complex passwords.
  • Policies and procedures should be correctly followed.
  • There should be cyber insurance and emergency support in place
  • There should be an incident response plan
  • There are recommended experts on stand-by for help

Further resources can be found in our Information Security best practice area: 

https://dataprotection.education/index.php/best-practice-library/best-practice/information-security

and our Cyber Security checklist:

https://dataprotection.education/component/tjucm/itemform/cyber-security?id=90881&cluster_id=114

What to do in the event of a Cyber Attack 

Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body. 

The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to: 

  • Report Fraud on 0300 123 2040, or the Report Fraud website 
  • the DfE sector cyber team at This email address is being protected from spambots. You need JavaScript enabled to view it. 

You may also need to report to: 

You must act in accordance with: 

Police investigations may find out if any compromised data has been published or sold and identify the perpetrator. 

Preserving evidence is as important as recovering from the crime.

Forward suspicious emails to This email address is being protected from spambots. You need JavaScript enabled to view it.. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

Little Guide to ACTION FRAUD

Search