Threats

In Greece, the Notifiable Data Breaches scheme means many organisations must tell you if your personal data has been involved in a data breach and this has put you at risk of serious harm. This could include serious physical, psychological, emotional, financial, or reputational harm. When an organisation notifies you about a data breach, they must also provide recommendations for how you can protect yourself.

• Minimise the amount personal information shared with an organisation. Only tell organisations the information they need to provide the services, rather than everything they ask for. For example, be careful about how much information you give away in security question for password recovery on websites: it might ask for your mother’s maiden name, but you can put something else in there if you will remember it.
• Look for organisations that have a commitment to cyber security. Think twice about using businesses with a poor security reputation; take your business elsewhere if their cyber security is inadequate.

• Avoid re-using passwords, so that if one of your service providers loses your password, it doesn’t compromise your access to other services. If you did use a compromised password in other places, reset the other service’s password immediately.
• Back up important information. A data beach may not just result in a loss of personal information; it could also result in a loss of access to some information held by the affected organisation.
• Use multi-factor authentication for critical services, such as your online tax return, or even email.

• Know how you are affected. If you are informed of a breach, or read about one in the media, make sure you understand what data may be affected. Visit the website of the affected organisation and look for any official communications. The personal impact to you will vary depending on what has been breached.
• Validate communications from an organisation. Scammers might try to take advantage of you during the confusion of a data breach. For example, if you receive an email notifying you of a security breach, and asking you to reset your password, use the legitimate password reset process, rather than a link in the email.
• Review access logs. Some online services, like webmail, allow you to view what devices, logins, or transactions have recently accessed your service. If you think your account has been compromised, check if you can view the logs. .

• Never respond to extortion emails, even to refuse payment.
• Contact your internet service provider, CDN or DDoS provider to get assistance.
• Initiate your incident response plan.

You can take a few simple steps to prevent DDoS attacks:

• Regularly apply IT security patches to your website.
• Use a CDN or DDoS mitigation provider to front your online services.
• Be careful not to allow details about the address of your ‘origin servers’ to leak onto the internet, so that attackers cannot attempt to access it directly, bypassing the CDN or DDoS mitigation provider.
• Protect your ‘origin servers’ from direct access by implementing network filtering that limits access to traffic coming through your CDN or DDoS mitigation provider.
• Harden DNS servers against DDoS attacks.
• Consider mirroring part or all of your DNS infrastructure with DDoS resilient DNS providers.
• Run online services on different infrastructure to your critical business systems where practical.

Like breaking into someone’s home, thieves have to look for a way in. Using software code, either developed themselves or available in a ready-to-use kit online, hackers look at ways to gain access to a network. Often finding out a password is the first step in cracking a network’s security.

Once in, a hacker can modify how a network works, steal data, obtain passwords, get credit card information, watch what you are doing or install malicious software (malware) to further the attack.

While hacking is often highly targeted, some hacking tools such as ransomware or phishing malware can spread on their own via links and attachments. Malware can compromise your system or accounts without someone specifically targeting you.

• Install anti-virus software on all devices and set it to automatically apply updates and conduct regular scans.
• Always install updates for applications and operating systems when they are available. The longer you delay, the longer you are vulnerable to hackers or malware.
• Use unique, strong passwords that are passphrases for each account (don’t duplicate across accounts) and always use two-factor authentication where possible.
• Always backup your data so if your system is compromised, you won’t necessarily lose everything. Make sure the backup hard drive is not left connected to your system after you’ve finished.
• Always practice safe online browsing behaviour and be on the lookout for suspicious links or email attachments.

A cybercriminal may look to steal a range of personal information including:

• Name
• Date of birth
• Driver’s licence number
• Address
• Mother’s maiden name
• Place of birth
• Credit card details
• Tax file number
• Medicare card details
• Passport information
• Personal Identification Number (PIN)
• Online account username and login details

Look out for these common warning signs:

• Your bank statements show purchases or withdrawals you have not made.
• You stop receiving mail you may be expecting (e.g. electricity bills) or receive no mail.
• You receive bills or receipts for things you haven’t purchased or statements for loans or credit cards you haven’t applied for.
• A government agency may inform you that you are receiving a government benefit that you never applied for.
• You have been refused credit because of a poor credit history due to debts you have not incurred.
• You may be contacted by debt collectors.

Cybercriminals can learn a lot about you from your social media accounts. Here are some tips to protect yourself and your family:

• Limit what you share online. Reconsider sharing information on social media like your birthday, photos of a new house that include your address, or photos that identify your children’s school, or details of schools you attended. These details are often used for security questions on financial and other important accounts.
• Set your social media privacy settings to ‘private’. Ensure you’re only sharing your photos and posts with people you know and trust.
• Don’t accept ‘friend’ requests from strangers.
• Cybercriminals try to trick you into giving away your personal information. They often impersonate well-known organisations to ask you to confirm your personal details via messages or websites. Because of this, many companies now state they will not ask you to update or confirm your details, like passwords, PINs, credit card information or account details via links in messages.
• If there really is a need to update your details, you should do so by typing the organisation’s official website address manually into your internet browser and not use links from messages.
• Think twice before entering your personal details into a website you’re not familiar with. See our advice about shopping online safely and browsing the web safely for questions to ask to help determine if a website is genuine.

Use strong, unique passwords (passphrases) for each online account. 

Cybercriminals use bugs in software to gain access to devices.

Keep your devices updated with the latest software, including antivirus software. Installing software updates will give you the latest security. You can even set updates to install automatically.

Other tips for protecting your online identity:

• Don’t use Wi-Fi hotspots when you are doing something personal or sensitive on the internet as the Wi-Fi may not be secure. Learn more about using public Wi-Fi networks safely.
• Regularly check your account statements including credit cards, bank statements, telephone and internet bills for possible fraudulent activity.
• Check your credit report at least once a year to help you catch any unauthorised activity.
• Always lock your mailbox and shred any sensitive documentation you no longer need.
• Be wary of phone calls that ask for your personal information
• Be wary of people trying to view your PIN while you are using ATMs and making other purchases.

If you suspect any fraudulent use of your identity, there are some steps you should take:

• Immediately report it to your bank, local police, social media account’s website or other online account that you may be concerned has been hacked into (these sites usually have a ‘Help’ section where you can report fraudulent activity to and seek help).
• Lodge a report with the Greece’s Cyber Incident Response Team .
• Change the passwords on your accounts and close any unauthorised accounts.
• Request a credit report from a reputable credit reference bureau. A credit reporting body must give you access to your consumer credit report for free, once every 12 months.

Report illegal activity to the police.

Recovering from a malicious insider depends on the damage they have done. If they have damaged your website, installed malware or otherwise stopped your systems from functioning properly, you can put in place technical solutions to those problems.

However, if they have stolen data, there is very little you can do to recover. If you have unique logins and auditing on your systems (more information below), you or the police might be able to identify who the malicious insider is. However, this will not recover the stolen data. That is why prevention is key.

How to protect against malicious insiders will depend on your organisation, systems, culture and business processes, and how well this is communicated and understood by staff.

A malicious insider’s system access and knowledge of your business processes (particularly its checks and balances) can make them hard to detect. But there are practices you can put in place to reduce the risk of a malicious insider in your organisation.

One of the easiest ways for a malicious insider to steal data is simply to plug in a removable storage device, like a USB stick. If possible, control who is allowed to connect removable media to your network, and what devices can be connected.

You could also block you network from connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices.

Another way for a malicious insider to steal data is to email it to themselves, either through their work email address or personal webmail. They could also use upload files to cloud-based storage services. To prevent this:

implement a system to block and log outgoing emails with sensitive keywords or data patterns

block the use of unapproved cloud computing services including personal webmail.

Malicious insiders may set out to ruin your business by destroying your information systems. Keeping regular backups, which are only accessible to trusted staff, will reduce this risk.

Requiring strong passwords and using multi-factor authentication means that even if a malicious insider gets hold of a colleague’s user id, it is difficult for them to get access to that account to perform malicious actions.

If your business is dependent on critical intellectual property, or other highly sensitive and vulnerable information, you should restrict staff access to only what they need to do their job.

If that is impractical and wider access is provided, ensure transactions are logged, monitored and audited, and that staff are aware this is an ongoing practice. If possible, consider having a separate team to review audit logs.

Tracking the assignment and use of privileged accounts will help control who can do what on the network and restrict unauthorised activities.

Staff should have unique logons to systems. Don’t let staff share a logon unless there is no other practical alternative. If staff must share a logon, try to devise a way to control this arrangement.

When an employee finishes with your organisation, or their role changes, make sure their associated network and system access is deactivated at the same time.

Any shared passwords the person knows should also be changed. For example:

• shared office WiFi password
• alarm code
• bank account passwords
• remote access details
• shared email accounts
• administrative or privileged user accounts.

To help in this process, keep a checklist of all systems a staff member potentially has access to so that the access removals and password changes can be systematically checked and actioned as necessary. Provided the list is updated as new systems are added, the task of keeping it up to date should not be too onerous.

Many business information systems will log, monitor and audit staff network activities. You should investigate what logging capabilities your system has, especially for high-risk systems, such as ones that authorise payments.

Of course, without unique logons, auditing loses its value if you cannot identify who did the transaction.

Similarly, when looking to buy new software or cloud services, you should check that appropriate technical controls are included for critical transactions.

To be effective, you need to make sure audits of your system are regularly reviewed and that unusual activity is followed up. Make sure your staff know of your auditing and review process, so they are deterred from considering unauthorised activities

The culture of your organisation and overall contentment of your staff is important in mitigating the insider threat. The more integrity and transparency you have in your work environment, the harder it is to act dishonestly. Additionally, happy, valued and challenged staff members are less likely to act to harm your organisation.

Collaboration can also help discourage malicious insiders, by discouraging a culture of lone operators and reducing the incentives and opportunities for staff to work against your organisation.

An active approach to staff welfare will help you support your staff, and provide early warning signs of changes in their circumstances which might put them, and your organisation, at risk.

For all employees, irrespective of their system access, pre-employment and background checks are a good first step.

Be clear with new starters on how you can and will verify pre-employment information and conduct background checks. You should also include a dispute process to identify incorrect information from these checks.

Identity should be established using a recognised form of identification, such as an Australian state or territory driver’s licence or Australian passport.

Police records checks are obtainable through State and Territory police forces.

You can check referees and previous places of employment.

In addition, there are firms that specialise in doing background checks on individuals.

You could also consider ongoing, periodic checks to ensure that you employees’ situations haven’t changed.

Malware (short for ‘malicious software’) is software that cybercriminals use to harm your computer system or network. Cybercriminals can use malware to gain access to your computer without you knowing, in targeted or broad-based attacks.

Malware is the term used to refer to any type of code or program that is used for a malicious purpose.

Cybercriminals use malware for many different reasons but common types of malware are used for stealing your confidential information, holding your computer to ransom or installing other programs without your knowledge.

Take the following steps to significantly reduce your risk of being affected by malware:

Use anti-virus software and automatically download signature updates daily. Learn about anti-virus software.
Keep all your other software up to date too. Learn about updating sofware.
Use strong passwords and passphrases. Learn how to create – and remember – strong passwords.
Backup your files regularly – ideally every day. Learn about how to back up files.
Disable Microsoft Office macros. (Macros are small programs used to automate simple tasks in Microsoft Office documents but can be used maliciously – visit the Microsoft website for information on disabling macros in your version of Office).
Use safe behaviour online. Learn about how to use email safely and browse the web safely.
Stay informed on the latest threats – sign up for the ACSC’s Alert Service.
Regularly check the software installed on your computer, tablet and other devices and uninstall any programs or software that is unused. If you see new programs or software that you did not agree to install, search the program name or ask your local computer repairer or retailer about the program, to see whether it is safe to use.
Prevent malware by installing applications safely

Malware is distributed in several ways:

By spam email or messages (either as a link or an attachment)
By malicious websites that attempt to install the malware when you visit, by exploiting weaknesses in your software
By masquerading as a good application you download and install yourself. Some malware even pretends to be anti-virus or security products.

Don’t download applications from third-party download sites.
Don’t click on online ads to download applications and do use ad-blocking software.
Don’t download and install applications from peer to peer networks – you never know who has changed the files.
Don’t click on links in emails or instant messages, or execute attachments unless you are sure  they are legitimate. Use a spam filter to protect yourself from  malicious messages.
Don’t install applications received from contacts, say via email or USB sticks, without scanning them with your anti-virus application first.
Learn more about malware

There are many different types of malware but most are used to either steal your information, your computer’s resources or your money. This table lists some of the most common types of malware affecting people and businesses in the wild today.

Type What it does
Trojans and backdoors

Traditionally trojans were programs that appear to serve a useful purpose but do something malicious when run. Trojans may steal information, download additional malicious files or even provide a ‘backdoor’ into your computer for a hacker – allowing them to do almost anything they like.

Malware that makes your computer or files unusable until you pay a fee. Essentially extortion by malware.

Logs every keystroke you make and then sends that information, including passwords, bank account numbers, and credit card numbers, to scammers for fraudulent use.

Viruses and Worms Viruses are malicious programs that infect files, inserting themselves into the file’s code and then running whenever the file is used. Worms are standalone malicious programs that spread themselves from computer to computer. Similar to trojans, viruses and worms can have many different payloads – for example, they can steal your information, download and install other malicious files, delete your files or even send spam.

The following signs may indicate there is malware on your computer:

your web browser starts on a different homepage than normal
your files are inaccessible
random error messages appear, or
new programs, toolbars and icons have been installed.

To check if your computer is infected run a full scan using your anti-virus software and follow the instructions to remove it. 

Phishing is a way that cybercriminals steal confidential information such as online banking logins, credit card details, business login credentials, passwords/passphrases, by sending fraudulent messages (sometimes called ‘lures’).

These deceptive messages often pretend to be from a large organisation you trust, to make the scam more believable. They can be sent via email, SMS, instant messaging or social media platforms. They often contain a link to a fake website where you are encouraged to enter confidential details.

Watch video to find out what a phishing message looks like and how they work: https://csirt.cd.mil.gr/wp-content/uploads/2020/07/6A-SOCIAL-NETWORKING-AND-MOBILE-PHISHING.mp4

Phishing emails have been used by cybercriminals to steal financial details from Greeks for a number of years (phishing emails were first observed in Greece in 2003) but have become increasingly sophisticated since then.

Business brands that are commonly copied include: state and territory police or law enforcement (fake fine scams), utilities such as power and gas (fake bills and overdue fines), postal services (parcel pick-up scams), banks (fake requests to update your information), telecommunication services (fake bills, fines or requests to confirm your details), and government departments and service providers such as the Australian Taxation Office, Centrelink, Medicare and myGov.

It used to be easy to recognise and ignore a phishing email because it was badly written or contained spelling errors, but current phishing messages appear more genuine. It can be very difficult to distinguish these malicious messages from genuine communications.

Because of phishing, it is now standard policy for many companies that they will not call, email or SMS you to:

ask for your user name, PIN, password or secret/security questions and answers
ask you to enter information on a web page that isn’t part of their main public website
ask to confirm personal information such as credit card details or account information
request payment on the spot (e.g. for an undeliverable mail item or overdue fee).

Many companies also have security pages that identify active scams using their branding. These pages often include examples and pictures of scam messages to help you tell fake messages from real ones.

Tip: If a message seems suspicious, contact the person or business separately to check if they are likely to have sent the message. Use contact details you find through a legitimate source and not those contained in the suspicious message. Ask them to describe what the attachment or link is.

More dangerous still are a class of phishing messages known as ‘spear phishing’. These messages target specific people and organisations, and may contain information that is true to make them appear more authentic.

These messages can be extremely difficult to detect, even for trained professionals, as they catch people with their guard down.

For example, you might get a message that appears to be from your own company’s IT help desk asking you to click on a link and change your password because of a new policy. 

Spear phishing often uses a technique called ‘social engineering’ for its success. Social engineering is a way to manipulate people into taking an action by creating very realistic ‘bait’ or messages.

Criminals are getting better at social engineering and putting more time, effort and money towards researching targets to learn names, titles, responsibilities, and any personal information they can find.

Social media accounts provide rich information about events, conferences and travel destinations that can be used to make an approach seem real and accurate. So consider what personal information you share online and learn how to use social media safely.

The best way to protect yourself from phishing attempts is to stay abreast of current threats, be cautious online and take steps to block malicious or unwanted messages from reaching you in the first place.

Take the following steps to protect yourself from phishing attempts:

Don’t click on links in emails or messages, or open attachments, from people or organisations you don’t know.
Be especially cautious if messages are very enticing or appealing (they seem too good to be true) or threaten you to make you take a suggested action.
Before you click a link (in an email or on social media, instant messages, other webpages, or other means), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video or webpage without directly clicking on the suspicious link.
If you’re not sure, talk through the suspicious message with a friend or family member, or check its legitimacy by contacting the relevant business or organisation (using contact details sourced from the official company website).
Use a spam filter to block deceptive messages from even reaching you.
Understand that your financial institution and other large organisations (such as Amazon, Apple, Facebook, Google, PayPal and others) would never send you a link and ask you to enter your personal or financial details.
What to do if you think you have revealed confidential information

If you think you’ve entered your credit card or account details to a phishing site, contact your financial institution immediately.

Malicious web shells are a type of software uploaded to a compromised web server to enable remote access by an attacker. While web shells may be benign, their use by cyber adversaries is becoming more frequent due to the increasing use of web-facing services by organisations across the world.

Web shells are installed through vulnerabilities in web application or weak server security configuration including the following:

• SQL injection;
• Vulnerabilities in applications and services (e.g. web server software such as NGINX or content management system applications such as WordPress);
• File processing and uploading vulnerabilities, which can be mitigated by e.g. limiting the file types that can be uploaded;
• Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities;
• Remote code execution;
• Exposed administration interfaces;

A web shell is usually installed by taking advantage of vulnerabilities present in the web server’s software. That is why removal of these vulnerabilities are important to avoid the potential risk of a compromised web server.

The following are security measures for preventing the installation of a web shell:

• Regularly update the applications and the host server’s operating system to ensure immunity from known bugs
• Deploying a demilitarized zone (DMZ) between the web facing servers and the internal networks
• Secure configuration of the web server
• Closing or blocking ports and services which are not used
• Using user input data validation to limit local and remote file inclusion vulnerabilities
• Use a reverse proxy service to restrict the administrative URL’s to known legitimate ones
• Frequent vulnerability scan to detect areas of risk and conduct regular scans using web security software (this does not prevent zero day attacks)
• Deploy a firewall
• Disable directory browsing
• Not using default passwords

Web shells can be easily modified, so it’s not easy to detect web shells and antivirus software are often not able to detect web shells.

The following are common indicators that a web shell is present on a web server:

• Abnormal high web server usage (due to heavy downloading and uploading by the attacker);
• Files with an abnormal timestamp (e.g. newer than the last modification date);
• Unknown files in a web server;
• Files having dubious references, for example, cmd.exe or eval;
• Unknown connections in the logs of web server

For example, a file generating suspicious traffic (e.g. a PNG file requesting with POST parameters); Dubious logins from DMZ servers to internal sub-nets and vice versa.

Web shells may also contain a login form, which is often disguised as an error page.

Using web shells, adversaries can modify the .htaccess file (on servers running the Apache HTTP Server software) on web servers to redirect search engine requests to the web page with malware or spam. Often web shells detect the user-agent and the content presented to the search engine spider is different from that presented to the user’s browser. To find a web shell a user-agent change of the crawler bot is usually required. Once the web shell is identified, it can be deleted easily.

Analyzing the web server’s log could specify the exact location of the web shell. Legitimate users/visitor usually have different user-agents and referers (referrers), on the other hand, a web shell is usually only visited by the attacker, therefore have very few variants of user-agent strings