Malware and malicious hackers are critical threats that require different, but often complementary, means of defense. To effectively defend against these two types of attacks, one must first understand what they are and why they exist. It will become clear that, despite the relative simplicity of defending against malicious hackers, they currently pose the greatest danger to organizations.
The term malware is used to describe any kind of malicious software that executes commands without the user’s approval. The most common types of malware are injected into a system through an innocuous-looking email; the second most common type is a passive download that happens through a “drive-by” without the user’s knowledge. These types of attack are characterized by strange emails or cleverly ironic advertisements on webpages for anti-virus software.
While malware is passive software usually sent out over the internet, a malicious hacker is someone who is actively working to disable security systems with the intent of either taking down a system or stealing information. Often romanticized in movies, these malicious players (called hackers) are shown breaking into back doors in software systems or writing programs to “brute force” password walls. Unlike in the movies, however, most malicious hackers don’t rely on code. Instead, they leverage social engineering to get a vulnerable user to give them credentials and access. This approach often takes the form of spoofed emails that look like they come from a company’s internal IT department, or a phone call from someone posing as the internet service provider.
The goals of these two scenarios differ as much as their methods of attack. Primarily, malware isn’t meant to steal much at all. Since it isn’t made to look for specific things, it is usually just meant to wreak havoc. While an affected business might not be losing valuable information to theft, it typically loses access to information, making it completely unretrievable. Many kinds of malware will delete files, or lock them down and hold them for ransom, giving the infected user instructions on how to pay the programmers to return access to their files. For businesses that rely heavily on this information for daily operations, this can be a devastating attack.
An interesting question that comes up when evaluating security breaches is: who makes malicious software? The simple answer is bored software developers. There is both speculation and proof that malicious software focused on obtaining money comes from international regions without cyber-crime regulations, like China, Africa, and Eastern Europe. Generally considered professional “hackers”, their goal is to make money directly from stealing funds electronically, extorting in the form of ransomware, or selling information on black markets after stealing it. Surprisingly, there is also a secondary group consisting of recent computer science graduates who think writing malware is fun and a validation of their newly acquired programming skills. These individuals write code for notoriety, industry recognition and just to see what they can accomplish.
With these two distinct kinds of threats, there are many ways to protect an organization’s information. One of the easiest and most cost-effective forms of defense is to educate an organization’s staff on ways of recognizing phishing or social engineering attacks. As mentioned before, a mainstay of the malicious hacker is to simply disguise a request for user information to gain access. One way an organization can defend against this kind of attack is by clearly laying out to its personnel the correct ways that their IT service provider will request user information: usually in person or on the phone, and never over email. Simply making sure the personnel know how to identify malicious requests can prevent most malicious hackers.
Along with social engineering defenses, an organization will want to have either internal or external information security experts fortify its systems. This is the area where technical controls like firewalls and malware protection are applied to protect against malicious software.
The question of what is worse (and most costly) really comes down to which type of attack is most effective; by the numbers, a malicious hacker is much more effective. According to Wombat Security’s 2016 State of the Phish report, 85% of organizations have been victims of phishing attacks. That’s up from 72% in 2014, so these kinds of attacks are becoming more sophisticated and prevalent. In fact, they now represent the top method of delivering malware. Despite this troubling trend, according to Barkly’s Security Confidence Heading Into 2017, 52% of organizations that were victims of cyber-attacks in 2016 have “no changes planned”. The sad part about this statistic is that the solution is simple and low tech: educate employees on how to recognize and prevent attacks. While firewalls and security software will always be a critical part of any security program, investing in improving awareness of one’s digital surroundings will pay back increasing dividends over the long term.