How Are We Attacked?

We've gone through what digital security entails. But how are businesses and enterprises, as well as private individuals, actually attacked?

Insight

What are we protecting ourselves against?

The most common cyberattacks against Norwegian businesses are viruses and malicious software (also known as malware), as well as phishing and social manipulation.
Additionally, digital extortion (for example through so-called ransomware) is on the rise, along with reconnaissance activities where threat actors hunt for vulnerabilities and gather information in order to target their attacks. This is reported by the NSM in the report Risiko 2022.
According to a survey from the Norwegian Business Security Council, serious security incidents cost businesses 85,000 kroner on average in 2020.
Security incidents can have many and complex causes. Businesses often attribute them to bad luck or coincidences, human error, a lack of security focus among the employees, and that existing procedures are not being followed. As we can see, people—not machines—are the common denominator with regard to these causes.
Despite the fact that businesses, and people in general, are becoming increasingly more aware of digital threats, the general level of ICT security, both in the private and public sector, is too low, according to NSM. Threat actors exploit this for purposes such as opportunistic gains, spreading disinformation, surveillance, and damaging infrastructure.
Let's take a closer look at various cyberattack methods.

Malicious software (malware)

Malware is a collective term for program code that, without the user's permission, performs actions on the user's systems or information. There are many different types of malware; among the best known are worms, trojans, and viruses.
Malware is often spread through mass mailings or personalised emails (so-called phishing or spear-phishing), or through legitimate websites that have themselves been compromised and now serve malicious content to visitors.
Spreading malware is a means to various forms of online crime, for example data breaches, espionage, and financial crime such as ransomware extortion.

Viruses

Simply put, a virus is program code that is inserted into an existing program file—also referred to as a host. The name naturally comes from biology, and digital viruses have much in common with the ones we know from the physical world.
The virus copies itself into other files on the computer when the program file is run, and spreads further to other machines when the infected program files are shared.
Viruses are typically spread through emails, file downloads, social media, and memory sticks, and there are also viruses that send out emails themselves with infected files, thereby contributing to the files being shared further.

Ransomware

In recent years, there have been several high-profile security incidents that have affected various actors and digital infrastructures. In particular, there have been many examples of so-called ransomware.
This is a type of attack where the cybercriminals lock the victim out of their own systems, or prevent them from accessing their own files. In other words, they hold the digital systems and data hostage, and demand a ransom to give them back.
Usually the data is encrypted: it is transformed with a key that only the attackers hold, so that it is unreadable and therefore worthless to its owner, who is told to pay for the key needed to decrypt it. Paying does not guarantee that a working key is delivered, which is why tested backups that the attackers cannot reach are the main defence.

Trojans

A Trojan (or Trojan horse) is malicious code hidden inside, or disguised as, a seemingly legitimate program, so that it is installed without the user realising it. It usually rides along with the program at download and installation, for example through file-sharing clients and browser extensions.
Criminals can enter the computer through this program and carry out unwanted actions, such as stealing information and transferring money.
We then say that a backdoor has been created on the computer. Through such a backdoor, cybercriminals can enrol the computer in a botnet, a network of infected machines under the attacker's control, which can then be used to send spam, carry out denial-of-service attacks, and launch other types of cyberattacks, all without the owner of the computer knowing about it.

Computer worms

A computer worm is closely related to a virus; the difference is that a worm is self-contained and does not depend on a host file, or on a user running anything, in order to spread.
Simply put, computer worms are software that enters a system by exploiting specific security weaknesses. The worm then scans for other reachable machines and systems. If it finds the same weakness there, it copies itself over and infects the new system, and the cycle repeats.
In 2010, the computer worm known as Stuxnet was discovered. It enabled someone (it is widely believed that the US and Israel were behind it) to reach the industrial control systems at a uranium enrichment facility in Iran and damage a large number of the centrifuges used for enrichment.

Insight

Vulnerabilities in critical infrastructure

Stuxnet proved that digital attacks can successfully be directed against physical installations and cause material damage.
Even before Stuxnet became known, in 2007, an experiment was carried out at the Idaho National Laboratory in the USA, where a control system was digitally manipulated and caused a diesel generator to tear itself apart.
Physical installations and infrastructure can also be affected indirectly by ransomware attacks on ordinary IT systems, as in the Colonial Pipeline incident, where the operator shut down the pipeline after losing control of its own business systems.
All of these examples show that digitalisation introduces new vulnerabilities, and that it is important to take digital security very seriously, not least in relation to critical infrastructure such as power and water supply.

Phishing and social manipulation

Social manipulation (what the security field calls social engineering) involves "using psychological means to attack users of IT systems", according to the Great Norwegian Encyclopedia.
By playing on emotions like fear, greed and curiosity—often in combination with short deadlines—scammers try to get you to give up account information, passwords, social security numbers and other sensitive information. They often pretend to be someone you know and trust.
As obvious scams are usually caught by security systems and furthermore set off most people’s warning lights, the scammers have become much more sophisticated. It is increasingly common to receive emails and SMS messages that are targeted toward specific individuals, with details taken from their Facebook or LinkedIn profiles or their employer's website, making it seem very believable.
It's easy to think that you won't click on links in an email saying you've won a new iPhone that you need to claim within 24 hours. But when the email appears to be from your boss or your bank, it can be much harder to distinguish scams from genuine interactions.

Phishing

The most well-known form of attack of this kind is what is called phishing.
You've definitely seen it yourself: You receive an email or message that appears to be from a genuine source, asking you to click a link—either to claim a prize, take advantage of an exclusive offer or to receive a shipment. Once you click on the link, you are asked to provide personal information or enter payment information.
The purpose of phishing is to fleece you of sensitive information or to spread malware. Threat actors who use phishing generally don't address you as an individual; instead, they rely on mass mailings of messages and hope that someone takes the bait. (The targeted variant, tailored to one person or organisation, is called spear-phishing.)
They trick you into giving up data they can use for profit or other crimes, such as identity theft.
In this way, social manipulation is used in phishing and many other forms of fraud and cybercrime.

CEO fraud

Messages that appear to come from your boss, or others in management where you work, are an increasingly common tactic of social manipulation. This is called CEO fraud.
Such an attack can be very elaborate and cunning: The scammers may have studied how your boss usually expresses themselves—and may even have “stolen” their voice, which is reproduced in a phone call using so-called deepfake technology.
The scammers will then typically come up with a very urgent request, too time-sensitive to be handled through the normal channels, for example to transfer a large sum of money to a "customer" right away ... which of course in reality is the scammers' bank account. The time pressure is the tell: a genuine request of this kind survives a call back to the boss on a number you already have, so that is the check to make before any money moves.
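The phishing and CEO-fraud patterns described above (a trusted name on an unexpected sender address, replies diverted elsewhere, link text that shows one site while the link goes to another, look-alike domains, and time pressure combined with a request for money or credentials) can be checked mechanically. The following is an added example written for this page, not code from the original text: the trusted domains, the staff directory, the phrase lists and the three sample messages are all constructed for illustration, and the heuristics are deliberately simple (a look-alike check in real use would rely on the Public Suffix List rather than substring matching).

```python
"""Phishing / CEO-fraud indicator triage over constructed sample e-mails. Added example
for this page, not original code; domains, directory, phrases and messages are all assumed."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "bank.example"}  # assumed: our own and known domains
STAFF_DIRECTORY = {"kari nordmann": "example.com"}  # assumed: person -> expected domain
URGENCY_PHRASES = ("within 24 hours", "immediately", "urgent", "today", "right away")
SENSITIVE_PHRASES = ("transfer", "password", "card details", "account number", "log in")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _hostname(url):
    """Lower-case host of a URL; scheme-less text like bank.example/login is accepted."""
    return (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()

def _text_parts(msg):
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_type(), raw.decode(part.get_content_charset() or "utf-8", "replace")

def phishing_indicators(raw_message):
    """Return human-readable indicators found in an RFC 5322 message. An empty list does not
    prove the mail genuine: From can be forged, which SPF/DKIM/DMARC (not examined here) address."""
    msg, found = email.message_from_string(raw_message), []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)
    reply_domain = _domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    # CEO-fraud pattern: a name we know, sent from a domain we do not expect.
    expected = STAFF_DIRECTORY.get(display_name.strip().lower())
    if expected and from_domain != expected:
        found.append(f"known person '{display_name}' but sender domain is {from_domain}, expected {expected}")
    # Replies silently diverted to another domain.
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    text = ""
    for ctype, content in _text_parts(msg):
        text += " " + content.lower()
        if ctype != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(content)
        for href, visible in collector.links:
            href_host = _hostname(href)
            visible_host = _hostname(visible) if "." in visible and " " not in visible else ""
            if visible_host and visible_host != href_host:  # text names one site, href goes elsewhere
                found.append(f"link text shows {visible_host} but points to {href_host}")
            # Trusted name embedded in a foreign host (bank.example.verify-login.net is NOT bank.example).
            if any(d in href_host for d in TRUSTED_DOMAINS) and not any(
                    href_host == d or href_host.endswith("." + d) for d in TRUSTED_DOMAINS):
                found.append(f"look-alike host {href_host}")
    # Time pressure combined with a request for money or credentials.
    if any(p in text for p in URGENCY_PHRASES) and any(p in text for p in SENSITIVE_PHRASES):
        found.append("urgency combined with a request for payment or credentials")
    return found

# Constructed sample messages (no real people, domains or URLs).
SAMPLE_CEO_FRAUD = """\
From: Kari Nordmann <kari.nordmann@fast-mail.example.net>
Content-Type: text/plain; charset=utf-8

I'm stuck in a meeting and can't take calls. Please transfer 250 000 NOK to the new
customer today, I'll send the account number shortly. Urgent.
"""
SAMPLE_PHISHING = """\
From: Bank Support <noreply@bank.example>
Reply-To: Bank Support <support@verify-login.net>
Content-Type: text/html; charset=utf-8

<p>Unusual activity was detected. Log in within 24 hours and confirm your password.</p>
<a href="https://bank.example.verify-login.net/session">https://bank.example/login</a>
"""
SAMPLE_LEGIT = """\
From: Bank <info@bank.example>
Content-Type: text/html; charset=utf-8

<p>Your monthly statement is available.</p>
<a href="https://bank.example/statements">View statements</a>
"""

if __name__ == "__main__":
    for name, sample in (("CEO fraud", SAMPLE_CEO_FRAUD), ("phishing", SAMPLE_PHISHING), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

Run as a script it prints the indicators for each constructed message: two for the CEO-fraud mail (known name on a foreign domain, urgency plus a transfer request), four for the phishing mail (diverted Reply-To, link text and href disagree, look-alike host, urgency plus a credential request) and none for the legitimate statement notice. The point of the last case is that the checks are about inconsistencies, not about bank-related words; a genuine bank mail with a plain link to its own domain passes.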