Explaining the actual state of ransomware damage, examples of Japanese companies, and countermeasures
December 11, 2023

There is no end to unauthorized attacks on corporate websites and servers, and countermeasures against cyberattacks are becoming more important for every company. This article explains what corporate security staff need to know about cyberattacks: basic concepts, recent trends, attackers' objectives, specific cases, and countermeasures. It also covers preventive measures, what to do in the event of an infection, and a cybersecurity company you may want to work with in an emergency.
What is a cyber attack?
Cyberattacks are acts of destroying, stealing, or falsifying data on computer systems such as servers and personal computers. Targets range from an unspecified number of individuals and companies to specific companies and countries. Although they are grouped under the single term "cyberattack", their purposes and methods vary widely: infiltrating systems to steal confidential or personal information, or overwhelming websites and online services to take them offline.
Recent trends in cyber attacks
Around 2000, when cyberattacks first became widely recognized, many incidents were prank-like harassment, such as indiscriminately sent emails that infected computers with viruses and destroyed data. Since then attack methods have steadily become more sophisticated, and in recent years hard-to-notice, financially motivated attacks such as ransomware (a ransom-demanding virus) have become mainstream.
Cyberattacks are increasing not only in Japan but worldwide. As IT infrastructure diversifies and evolves, with the spread of personal smartphones and corporate use of cloud computing, attack methods evolve with it.
Purpose of cyber attack
The objectives of cyberattacks vary, but crimes for financial gain have been increasing recently. Other motives include information manipulation, theft, and espionage (unauthorized access to and leakage of national or corporate information), attacks by hacktivists making political or social statements, and the destruction of corporate or national systems to disrupt operations. Because cyberattacks are carried out for such varied purposes, they are a problem for every company, not just a few.
Types of cyber attacks
Cyberattacks continue to evolve day by day, and there are many types. The main methods are explained below.
Malware
Malware is a general term for software that infiltrates devices such as computers and performs malicious activity; the word combines "malicious" and "software". Such activity includes data destruction, theft, and unauthorized access to systems, and typical examples are viruses, Trojan horses, and spyware.
Ransomware
Ransomware is a type of malware known as a ransom-demanding virus. Its characteristic technique is to encrypt files and data so they cannot be accessed and then demand a ransom in exchange for recovery; many countries and companies have suffered significant damage from it in recent years.
No-ware ransom
No-ware ransom is a newer extortion method that skips the data encryption seen in standard ransomware attacks and instead blackmails the victim with stolen data alone. Attacks that do not use encryption have been observed since around 2021, and because nothing is encrypted, the victim may not notice that damage is occurring.
Phishing scam
Phishing scams target an unspecified number of people, impersonating services such as credit card companies or online banks to steal users' login information. The resulting harm, such as credit card fraud, is a familiar and constant threat for many people.
DoS attack/DDoS attack
A DoS/DDoS attack floods a targeted server with a large volume of requests or data. The load on the server causes website access problems and server downtime. The purpose is to harass a specific company or to demand money in exchange for stopping the attack.
Targeted attack
A targeted attack is a cyberattack aimed at a specific organization or user. The attacker impersonates a customer or an existing company or organization and sends emails with malicious attachments or links leading to fraudulent sites, attempting to infect the recipient's device with a virus.
Major cases of damage caused by cyber attacks
Below are some major cases of damage caused by cyberattacks, with the circumstances and details of each, based on IPA's reported cases of computer viruses and unauthorized access.
[Source] Information-technology Promotion Agency, Japan “Reported Cases of Computer Viruses and Unauthorized Access”
https://www.ipa.go.jp/security/todokede/crack-virus/ug65p9000000nnpa-att/000108764.pdf
Computer virus detection/infection damage
One of a company's computers was infected with a virus, presumably while browsing a website. In response, the infected computer was wiped (reinitialized) and a new computer was purchased. As a measure to prevent recurrence, the company applied content filtering to web browsing across the board.
Damage from cyber attacks demanding ransom
Unauthorized access that appeared to be caused by ransomware was confirmed on a company's server, and investigation found that hundreds of computers had been infected with the ransomware known as LockBit. The attacker is believed to have exploited a vulnerability in the company's VPN device to infiltrate the internal network and encrypt the computers. In addition to shutting down the network and updating the OS and software, the company strengthened its monitoring and security management systems.
Unauthorized access by exploiting vulnerabilities or misconfigurations
After receiving a report that a suspicious page had been published on a website hosted on a rental server operated by a company, an investigation found multiple phishing sites on the server. Later, during recovery work, the server became inoperable, and a re-investigation found that all files on the server, including the system area, had been deleted. The suspected cause was that a vulnerable version of the CMS was in use. To prevent recurrence, the company shut down the website, addressed the cause of the unauthorized access, and migrated to a service with enhanced security.
Unauthorized access through ID and password authentication
On an e-commerce site run by a company, a particular member was found to have placed many orders in a short period. Investigation revealed that the attacker had fraudulently registered as a member and was using the site to test whether stolen credit card numbers were valid (card testing). The site is believed to have been exploited because there was no limit on the number of times credit card information could be entered. As countermeasures, the company limited the number of credit card entries allowed and introduced a service that blocks access judged to be an attack.
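The recurrence-prevention measure in this case, limiting how many times card details can be entered, can be implemented as a sliding-window rate limiter keyed on the member account (or on the client IP for guest checkout), with a lockout once the limit is exceeded. The following Python is an added illustration, not code from the article or from the company involved; the thresholds, the assumption that a checkout handler calls `check()` before contacting the payment processor, and the member IDs are all assumptions made for the example.

```python
"""Sliding-window limit on credit card entry attempts (added example).

Assumed placement: a hypothetical checkout handler calls
CardAttemptLimiter.check() before forwarding card details to the payment
processor, and rejects the request when it returns False. Thresholds below
are illustrative policy values, not figures from the article."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5        # card entries permitted per window (assumed policy)
WINDOW_SECONDS = 600    # sliding window of 10 minutes (assumed policy)
LOCKOUT_SECONDS = 3600  # block duration once the limit is exceeded (assumed)


@dataclass
class CardAttemptLimiter:
    max_attempts: int = MAX_ATTEMPTS
    window: int = WINDOW_SECONDS
    lockout: int = LOCKOUT_SECONDS
    # key -> timestamps of recent attempts, oldest first
    _attempts: dict[str, deque] = field(default_factory=dict)
    # key -> time until which the key is blocked
    _blocked_until: dict[str, float] = field(default_factory=dict)

    def check(self, key: str, now: float) -> bool:
        """Record one card entry for `key` and return True if it may proceed.

        `key` identifies the actor: the member ID for logged-in users, the
        client IP for guest checkout. `now` is a timestamp in seconds,
        passed in so the logic is testable without a real clock."""
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return False          # still in lockout
            del self._blocked_until[key]

        recent = self._attempts.setdefault(key, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()          # expire attempts that left the window

        if len(recent) >= self.max_attempts:
            # Limit exceeded: start a lockout and refuse this attempt.
            self._blocked_until[key] = now + self.lockout
            recent.clear()
            return False

        recent.append(now)
        return True


def simulate_card_testing(n_cards: int, interval: float = 2.0) -> tuple[int, int]:
    """Constructed scenario mirroring the case above: one freshly registered
    member submits n_cards different card numbers, one every `interval`
    seconds. Returns (allowed, rejected) under the default policy."""
    limiter = CardAttemptLimiter()
    allowed = rejected = 0
    for i in range(n_cards):
        if limiter.check("member-0042", i * interval):   # assumed member ID
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


if __name__ == "__main__":
    ok, blocked = simulate_card_testing(50)
    print(f"card-testing run: {ok} attempts reached the processor, {blocked} rejected")
```

In a real deployment the counter would live in a shared store (the site usually runs on more than one server) and would be keyed on declined authorizations as well as raw attempts, so that a legitimate customer who mistypes a digit twice is not locked out while an attacker cycling through stolen numbers is. The blocking service mentioned in the case would sit in front of this logic and stop the bulk of the traffic before it reaches the application.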
Measures against cyber attacks
Cyberattacks can target any company or individual. Below are the specific measures needed to protect against the various types of attack.
Measures that individuals (employees) should take
Measures that individuals should take include:
- Do not open attachments or links in suspicious emails
- Update the OS and software to the latest version
- Do not access unauthorized sites
Implementing these basic practices improves your online security and protects you from cyberattacks.
In addition, regularly backing up important data and storing the backups offline or in cloud storage lets you recover calmly in an emergency. When using public Wi-Fi, avoid sending personal information; and in general, use strong passwords and do not reuse them across services.
Measures companies should take
Companies need a broader and more strategic approach than individuals, including the following measures.
- Introduction of EPP/EDR, introduction of SASE
- Restrictions on external memory connection and website browsing
- Implementation of security training for employees
- Consultation with a specialized cybersecurity organization
Introducing security software such as EPP (Endpoint Protection Platform) and EDR (Endpoint Detection and Response) is the baseline. Now that remote work is commonplace, introducing SASE (Secure Access Service Edge), which delivers network access control and security functions such as secure web gateway and zero trust network access as a unified cloud service, is likely to become mainstream from a zero trust perspective.
It is also important to raise employees' security awareness. To do so, create an internal security policy and enforce it thoroughly throughout the organization, and establish a management system that includes regular cybersecurity training, sharing information about current attacks, guidance on creating strong passwords, and caution in handling information. Preventive measures reduce the chance of an incident, but when one does occur, in-house security staff may find it difficult to resolve it quickly on their own. It is therefore wise to have a cooperative arrangement with a specialized cybersecurity organization in place in advance.
What to do in the event of a cyber attack
No matter how many precautions you take, unexpected incidents and unavoidable trouble can occur. Below is how to respond quickly in the event of a cyberattack to keep the damage from spreading and to prevent secondary damage.
Disconnecting infected devices from the network
Disconnecting or isolating a compromised system from the network and taking it offline prevents infected equipment from infecting other equipment. However, in recent ransomware incidents the attacker commonly moves laterally: after the initial intrusion, they obtain administrative (often domain administrator) privileges and spread the attack across the domain. Disconnecting a single device is therefore unlikely to contain the risk by itself, and it is appropriate to promptly ask an expert to investigate the extent of the intrusion and the damage.
Confirmation of damage details
Identify the type of attack, its nature and method, and the scope of the impact. Knowing exactly which data and systems have been compromised is essential to resolving the incident.
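The two points above, that disconnecting one device does not stop an attacker who is already moving laterally, and that scoping the impact means identifying which systems the attacker actually reached, can be made concrete with a simple heuristic over authentication logs: flag any account that successfully logged on to more than a threshold number of distinct hosts within a short window, and list those hosts as the systems to treat as potentially compromised. The Python below is an added example, not code from the article; the log format, host names, account names and thresholds are constructed for the illustration, and real sources such as Windows Security logon events or VPN logs would need their own parser in place of the regex.

```python
"""Flag accounts that authenticate to many distinct hosts in a short window
(added example for scoping lateral movement; not code from the article).

The log format below is constructed for this illustration. Real sources
(e.g. Windows Security logon events, VPN or RADIUS logs) need their own
parser, but the windowing logic is the same."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one ordinary user (jdoe), one user with failed logons
# (asmith), and a service account (svc_backup) that fans out to five hosts
# in under three minutes, the pattern of an attacker reusing stolen
# credentials. One malformed line checks that the parser skips garbage.
SAMPLE_LOG = """\
2024-01-15T09:00:01Z auth src=10.0.1.20 dst=FILESRV01 user=jdoe result=success
2024-01-15T09:02:10Z auth src=10.0.1.20 dst=MAIL01 user=jdoe result=success
2024-01-15T09:05:00Z auth src=10.0.1.31 dst=DC01 user=asmith result=failure
2024-01-15T09:05:05Z auth src=10.0.1.31 dst=DC01 user=asmith result=failure
2024-01-15T09:30:00Z auth src=10.0.2.7 dst=WS-0142 user=svc_backup result=success
2024-01-15T09:30:40Z auth src=10.0.2.7 dst=WS-0143 user=svc_backup result=success
2024-01-15T09:31:00Z this line is deliberately malformed and must be skipped
2024-01-15T09:31:15Z auth src=10.0.2.7 dst=FILESRV01 user=svc_backup result=success
2024-01-15T09:31:50Z auth src=10.0.2.7 dst=DC01 user=svc_backup result=success
2024-01-15T09:32:30Z auth src=10.0.2.7 dst=ERP01 user=svc_backup result=success
2024-01-15T10:15:00Z auth src=10.0.1.20 dst=PRINT01 user=jdoe result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_successful_logons(log_text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Return {user: [(timestamp, destination host), ...]} for successful logons."""
    events: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["result"] != "success":
            continue                       # skip failures and unparseable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["user"]].append((ts, m["dst"]))
    return events


def detect_lateral_movement(
    log_text: str,
    max_hosts: int = 3,                          # assumed threshold: >3 hosts is suspicious
    window: timedelta = timedelta(minutes=10),   # assumed window
) -> dict[str, list[str]]:
    """Return {user: sorted hosts reached} for every account that successfully
    logged on to more than `max_hosts` distinct hosts within any `window`.

    The hosts listed are the systems a responder must treat as potentially
    compromised, not just the device that first raised the alarm."""
    alerts: dict[str, list[str]] = {}
    for user, evs in parse_successful_logons(log_text).items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            hosts = {dst for ts, dst in evs[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in detect_lateral_movement(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(hosts)} hosts in one window -> {', '.join(hosts)}")
```

Run against the sample, only `svc_backup` is flagged, with all five hosts it touched; `jdoe` logs on to three hosts over the morning but never more than two within ten minutes, and `asmith`'s failed attempts are ignored by this check (they belong in a separate brute-force heuristic). The threshold and window have to be tuned per environment: backup and monitoring service accounts legitimately touch many hosts, so in practice they get their own baselines or an allowlist.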
Recover with decryption tool
Recovering important data from backups is the ideal approach, but for some ransomware families a decryption tool may be effective. Be careful, though: fake decryption tools also exist. Choose the appropriate method and carry it out quickly to minimize damage.
Request an investigation from a cybersecurity specialist
In either case, many incidents are too difficult and complex for in-house security staff to resolve alone, and keeping up with increasingly sophisticated methods is hard in practice. If the initial response is delayed, the damage can grow. If you have suffered a cyberattack, it is wise to request an expert investigation immediately.
For countermeasures against cyber attacks and what to do when attacked, please consult FRONTEO.
When you notice damage from hacking or a malware infection, you need to investigate its extent: whether information was leaked, whether there was a virus infection or unauthorized access, and what route the attacker took. As security damage continues to increase, specialized companies now accept all kinds of consultations about cyberattacks, from investigating and explaining causes to prevention. Companies that handle personal information are obligated to ascertain the facts quickly and report to the relevant parties, and a specialist's support is essential to carry out this series of steps as fast as possible.
FRONTEO, with a track record of more than 10,600 fraud investigations, offers a "Cyber Security Investigation Package" designed for today's increasingly complex cyberattacks. By packaging multiple investigations, it provides faster support for the initial response to an incident, particularly for small and medium-sized enterprises. The package compiles the minimum set of investigations required in an emergency and is effective for investigating cyberattacks.