Data hacking costs the world billions of dollars every year. Cyber security is most sensitive recent days. Hackers attacks range from disrupting the use of computer systems to stealing sensitive economic/social data. Looking at the context of Nepal itself, as various incidents have become public in the last few months, we need to understand some of the general processes of cyber security to be vigilant. The following are some common ways cyberattacks occur:
1) Weaknesses / risks in web software
First of all, it is important to understand that different levels of software are used to develop any system. Some software is self-built and some third-party is used. Most of the attacks on web software in which data is stolen have some level of vulnerability in the web software. Data theft can occur if the data entered by the user in the form, dynamic-urls, etc. used in the web software is not properly tested by the system on the server. Taking advantage of code errors, hackers can easily extract sensitive data from a database by bypassing the Privilege Protection Logic in the database. These include attacks such as SQL Injection, Remote File Inclusion, Remote Code Execution. In some cases, data can be stolen directly from the user’s web browser. These include attacks like CSRF, XSS.
2) Weakness / risk of network level
Users’ usernames, passwords and other data can be stolen from a company’s wifi / lan by abusing the network protocol. In some cases, fake Wi-Fi (fake wifi) is made and the user is signed in and data is stolen. This includes an attack called man-in-the-middle.
3) System software / OS vulnerability / risk
It takes advantage of errors in the computer’s OS to steal data. Most of the attacks have been on older and untested OS. This includes the current ransomware attack.
4) Hardware level vulnerabilities / risks
Although it is not often used in security audits, researchers have found that cyber attacks can be caused by hardware-level errors. For example, when you put your smartphone aside and type it into the computer, you can know what letter is written from the vibration.
5) Staff / Person level weakness / risk
This method, which has been the most successful attack so far, is also called social engineering. It involves hackers stealing e-mails, phone calls, malware / viruses that seem to be official and stealing data without the user’s knowledge.
Who is responsible for cyber attack?
Depending on the nature of the attack, software developers, company staff, software operators, network distributors, OS manufacturers, hardware manufacturers, etc. may be to blame.
However, in most cases, attacks are caused by a lack of effective security auditing processes during software development or during software implementation phases. Lack of public awareness of cyber security is another major reason for the increase in the number of attacks.
How to avoid cyber attacks?
1) Cyber attacks can be avoided if we are aware of some basic practices as users:
- Use strong passwords (including long and special characters)
- If your system has two-factor authentication, use it
- Do not use open-wifi without knowing the security
- Different passwords for each system
- Your current password may have been stolen, so to check it, go to https://haveibeenpwned.com and keep your online account to see the details.
- Put firewall and antivirus in the computer
- Keep all software updated
- Do not give your password to others
2) To make effective security auditing mandatory for all software companies during software development. During the construction of the software, to take data or to do a meticulous study on the point of showing. Use of current best practices, such as: forcing users to use strong passwords (long and special characters), using two-level authentication, requesting / receiving data using SSL, encrypting and storing data. Is safe
3) To make all the staff of the company, big or small, aware of the best practices of cyber security. To prepare the cyber policy, protocol and physical infrastructure of the company and make all the staff fully abide by it.
4) To prepare audit logging mechanism if any company has very sensitive information. In extreme cases, use a method like Honeypot.