Last week we began a two-part series on fraud. We looked at the profile of a fraud perpetrator and how every business is susceptible to these malicious behaviors. Today we will dig a little deeper into fraudulent activities with a look at computer attacks and social engineering, as well as some ways you can keep your computers virus-free.
Computer Attacks
Every computer connected to the internet, which is basically every computer, is at risk of computer attacks. Hackers, foreign governments, terrorist groups, disaffected employees, industrial spies, and competitors are attacking computers in search of data or seeking to harm the system. This means that preventing computer attacks is a full time job. Attacks can take on a number of different forms. Let’s take a look at a few of them.
Hacking involves the use of a computer to gain unauthorized access to data in a system. Generally hackers will break into systems through known flaws or weaknesses within an application or program. Some hackers are looking to steal data such as trade secrets, customer lists, credit card numbers, etc. Others are motivated by the challenge of breaking into a system. Either way a breach of this type can be destructive and set your organization back for hours, days, or even months.
Denial of Service In computing, (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
Zero- day attack, vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Buffer overflow, or bufferoverrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. This is a special case of the violation of memory safety
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Man-in-the-middle attack (often abbreviated to MITM, MitM, MIM or MiM attack or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
Dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
Another vulnerability to companies is called Social Engineering. Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.
In order to avoid or minimize social engineering, consider establishing the following policies and procedures.
- Be aware of people entering a restricted building. If your organization has key card access restrictions, be sure that others are not gaining access by following you in.
- Avoid logging in for someone else on any computer. This is particularly important if you have administrator rights.
- Do not give away sensitive information via phone or e-mail.
- Do not share passwords or user IDs
- Be aware! Exercise caution if anyone you do not know is attempting to gain information or access through you.
As you can see there are a many different ways in which a computer system is vulnerable to attack and therefore businesses are at risk for fraud. Educating yourselves on the potential risks is one of the best ways to reduce your risk. Implementing trainings, a company culture of integrity, and effective internal controls will also help your company to avoid becoming a victim.