10 Ghosts of Christmas Cybercrime: Reasons to conduct urgent Pen Tests!

Clanking of chains… Wailing of the Spirits condemned to the Dark Internet.

The sad face of Jacob Marley, your former business partner at the firm of Scrooge and Marley (whispered to be on the FCA’s watch list and subject to early morning visits by PCI forensic investigators seeking evidence of card fraud), appears fleetingly on your brass knocker, his look of despair the result of a serious breach that has compromised his organisation’s “cash-boxes, keys, padlocks, ledgers, deeds, and heavy purses wrought in steel.”

[Ed: Does anyone have door knockers in this day and age? And shouldn’t we be generous even to merchant bankers at Christmas? – Oh, go on then].

The Ghost of Christmas Past has an important message for businesses about securing your ecommerce portals this Online Shopping Season 2013. In the years that have gone before, threats and exploits were plentiful but your defences were as thin as Scrooge’s excuses for being mean with the drinks and entertainment budget in this Season of Goodwill. Bah, Humbug!

What cybercrime nasties came to haunt our confidential assets in the decade or so taking us up to 2013?  Let us visit the rogues gallery of “issues” encountered by our Pen Testers.

[Stage direction: the Ghosts appear, one by one, from out of your ‘device’].


1. Code Red! – and other viral infections

Viruses like Code Red (2001), Slammer (2003) and Blaster (2003) caused havoc. They spread automatically over the internet, breaking into other computers and networks without human intervention. Were they really such a threat? Well, they certainly got a few million people very worried.

2. Botnets

Downloading instructions from a central server to your PC for distributed computing tasks gave the spammers a great way to boost their volumes. They co-opted innocent bystanders to work for them as email senders. Were you one? Was it embarrassing? You bet. Bots, or zombies as they’re also known, are still a huge threat – even high-profile credit bureaux are known to have been infiltrated. We showed that AV scanning and penetration testing could save you from having to send emails to your customers and bemused friends, apologising for spam that the bot sent using your trusted name and email address. Don’t wait for this to happen.

Talk to experts at IT Governance Technical Services – test your defences!

3. Bring Your Own Device (BYOD)

You own a smartphone or tablet. You love it. Your significant other is threatening to leave. He/she sent a txt which you read on your device.

The company laptop that leaves marks on your legs when you use it on the train is not the device you want to travel with, so you’ll do an hour of extra work each day, for free. In return, the company will let you get at your email, or your sales leads, on your iPad or your Android. Should IT agree?

Determining your policy and putting effective controls in place could be the best thing that you do in 2014. We can help your organisation to do this for what amounts to peanuts compared to being cracked by cyber-criminals.

4. Spam, Spam, Spam!

In some email systems, the spam was out of control. Or so it seemed.

We helped to reduce the amount by giving timely advice about filtering.

5. Phishing

It was Game On for the cybercriminals.

Fake logins still trap the unwary into giving away online account credentials, but we’re learning to be more careful when we login. Well, some people are. Surprisingly, many organisations still have no cyber security awareness training. They usually haven’t heard of ISO27001. (TIP: Follow the link to our ISO27001 & Information Security information pages – there’s a lot there for FREE!)

We showed managers how to avoid using (and not to send out) links in emails that lead to sign-in screens. The crooks were a bit upset about this.

6. Fake anti-virus

Crooks have taken to charging people for *not* cleaning up viruses! Just pretend they’re infected, take their cash, and then pretend they’re clean.

The scans that they offer are free but the fake clean-up costs you money.

A real scam.

7. Social networking

Making friends and business contacts online is fun, and can be profitable.

Facebook and Linkedin are changing our lives, but many people remain disturbingly casual about privacy, since part of the “fun” is to share things with them that perhaps you ought not to. Has your organisation got a social media policy? We can help you to put one in place – worth a call!

Who is telling you the crooks and your competitors what they need to know to gain access to confidential data? Online friendships can be false.

8. Metasploit

Metasploit is a toolkit that helps you break into other people’s computers using pre-packaged exploits. It’s open source now. Anyone can obtain it.

Testing your system for exploits before the trouble starts is a wise move.

Call our pen testers. They can make sure that you are patched up to date.

9. Lulzsec (Anonymous?)

Hacking’s not-for-profit franchise, dedicated to stealing and revealing your data – because they can, and because (let’s be honest) they don’t like you.

Several of the members have been identified, convicted and sent to prison.

Are you safe now? Give us a call: 0845 070 1750. Find out.

10. Surveillance

Strangers know more about us than, well, anyone we know… now the intelligence services from the US and its allies have been collecting all this.

Many of us seem surprised. (And some of us can’t see the irony, either.)

Let’s make an effort in 2014 to give ‘unlawful individuals’ less than half a chance. Before they make the good guys look like un-repentant Scrooges.

*  *  *  *

Let’s make an effort in 2014 to give ‘unlawful individuals’ less than half a chance of spoiling what is left of the happy life that we all want to lead.

The Ghost of Christmas Present has given you a glimpse of how to make things better. Don’t wait for the Ghost of Christmas Future to find out what will happen to your assets if you don’t follow.

Best advice from the reformed Uncle Scrooge:

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.

Bookmark this page as well!