
Coming to terms with a ‘man in the middle attack’

The term ‘man in the middle attack’ is becoming well known as more incidents of this kind take place.

What is a ‘Man in the middle attack’?

What exactly does ‘man in the middle attack’ mean? It describes an attack in which a cyber-criminal secretly intercepts, and possibly alters, the communication between two parties who both believe they are talking directly to each other.

A common example, often reported as conveyancing fraud, is where the cyber-criminal uses bogus emails to trick a solicitor into paying the proceeds of a house sale into the criminal’s own bank account rather than to the bona fide recipient.

Another example is where an Internet connection is intercepted, often because a user does not check that they are connecting to a genuine Wi-Fi network. The hacker uses a device to imitate the legitimate Wi-Fi of, say, a hotel, and the unsuspecting victim connects to it. The hacker lets the victim browse as normal until they visit a site of interest, such as online banking. The hacker then allows the victim to log in, but drops the victim’s side of the connection while keeping their own link to the bank open. The victim assumes the connection was lost because of the hotel’s poor Wi-Fi, while the hacker carries on emptying the account. This only works if the hacker can read and reuse the traffic: a site served over HTTPS with proper certificate validation will make the rogue access point’s interference visible as a certificate error, which is why such warnings should never be clicked through on a public network.
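To make the mechanics of the scenario above concrete, here is an added example that is not code from the original article. It is a constructed toy: a ‘bank’ speaking a plaintext line protocol, an attacker’s relay sitting in front of it in the role of the rogue access point, and a victim client, all on 127.0.0.1. The commands, the credentials (alice / hunter2) and the session token are invented for the demonstration. The relay forwards the victim’s login, copies the session token out of the bank’s reply, then closes the victim’s side and spends the money itself over the connection it kept open to the bank.

```python
import socket
import threading

# Added example, constructed for this article: a toy "bank" that speaks a
# plaintext line protocol, an attacker's relay in front of it (the rogue
# access point of the scenario) and a victim client. Everything runs on
# 127.0.0.1; no real network, bank or credentials are involved.

socket.setdefaulttimeout(5)          # never hang if something goes wrong
START_BALANCE = 1000
FAKE_TOKEN = "tok-12345"             # fixed so the outcome is deterministic


def recv_line(sock):
    """Read one newline-terminated line; returns b"" once the peer has gone."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def bank(listener, state):
    """Serve one connection: LOGIN hands out a session token, TRANSFER spends
    money for whoever presents that token, with no idea who is on the wire."""
    conn, _ = listener.accept()
    with conn:
        while True:
            try:
                parts = recv_line(conn).decode().split()
            except OSError:
                break
            if not parts:
                break                                    # peer closed
            if parts == ["LOGIN", "alice", "hunter2"]:
                state["token"] = FAKE_TOKEN
                conn.sendall(f"OK {FAKE_TOKEN}\n".encode())
            elif len(parts) == 3 and parts[0] == "TRANSFER" and parts[1] == state["token"]:
                state["balance"] -= int(parts[2])
                conn.sendall(b"OK\n")
            else:
                conn.sendall(b"ERR\n")


def relay(listener, bank_addr, captured):
    """The man in the middle: forward the login, copy the token, then drop
    the victim while keeping the bank side of the connection open."""
    victim_sock, _ = listener.accept()
    upstream = socket.create_connection(bank_addr)
    with victim_sock, upstream:
        upstream.sendall(recv_line(victim_sock))         # victim's LOGIN, verbatim
        reply = recv_line(upstream)                      # "OK <token>"
        captured["token"] = reply.decode().split()[1]
        victim_sock.sendall(reply)                       # victim sees a normal login
        victim_sock.close()                              # "the hotel Wi-Fi dropped"
        upstream.sendall(f"TRANSFER {captured['token']} 900\n".encode())
        captured["bank_reply"] = recv_line(upstream).decode().strip()


def victim(relay_addr):
    """Logs in through what it believes is the hotel network, then finds the
    connection gone when it tries the next request."""
    with socket.create_connection(relay_addr) as s:
        s.sendall(b"LOGIN alice hunter2\n")
        login_reply = recv_line(s).decode().strip()
        try:
            s.sendall(b"BALANCE\n")
            after_drop = recv_line(s).decode().strip()   # b"" or a reset: either way, nothing
        except OSError:
            after_drop = ""
    return login_reply, after_drop


def run_demo():
    """Run bank, relay and victim together and report what each side saw."""
    state = {"balance": START_BALANCE, "token": None}
    captured = {}
    bank_l = socket.socket()
    bank_l.bind(("127.0.0.1", 0))
    bank_l.listen(1)
    relay_l = socket.socket()
    relay_l.bind(("127.0.0.1", 0))
    relay_l.listen(1)
    threads = [
        threading.Thread(target=bank, args=(bank_l, state), daemon=True),
        threading.Thread(target=relay, args=(relay_l, bank_l.getsockname(), captured), daemon=True),
    ]
    for t in threads:
        t.start()
    login_reply, after_drop = victim(relay_l.getsockname())
    for t in threads:
        t.join()
    bank_l.close()
    relay_l.close()
    return {
        "login_reply": login_reply,          # the victim's login looked normal
        "after_drop": after_drop,            # then the "Wi-Fi" went away
        "stolen_token": captured.get("token"),
        "bank_reply": captured.get("bank_reply"),
        "balance": state["balance"],         # 1000 - 900 spent by the relay
    }


if __name__ == "__main__":
    print(run_demo())
```

The protocol here is deliberately plaintext, which is the whole precondition of the attack. Over TLS the relay could not read the token or inject its own command without presenting a certificate for the bank’s name, and a browser that validates certificates would refuse to proceed.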

These kinds of attacks highlight weaknesses in an organisation’s data security strategy. The cause may be malware that allows the business’s systems to be monitored, an insider attack in which someone with internal system access sells information to third parties, or simply poor user education or monitoring.

Data protection rackets

Increasingly, incidents of ‘data protection rackets’ are being reported, in which malware is embedded and cunningly hidden. These attacks are designed to go undetected while the data held by the organisation is scanned. The objective is that, when valuable data is found or a file changes, such as a modification to intellectual property, the content is sent to the hacker, who can then sell it to competitors. Another data mine is an organisation bidding for a large contract: the hacker gains access to the proposal and sells it to competing bidders so that they can undercut it. Over time the hacker might make the organisation aware of the activity and exploit this, just like the old-fashioned protection rackets of the prohibition era, demanding money in return for not releasing the information.

A ‘man in the middle attack’ is not confined to email correspondence either. It can also include voice communications, as most telephone systems now use VoIP (Voice over Internet Protocol).

Systems must be strengthened

Steps must be taken to strengthen systems against such attacks. Strong internal controls and audit procedures are needed to stop malware infiltrating systems, and taking over the network, in the first place.

Adopting advanced threat protection is vital: it stops malicious processes from starting, blocking malware before it can run, and it can flag unusual behaviour by staff and systems, for example an application sending data out when it should not.

Robust internal controls and checks should also be applied when using support companies, together with regular review of system logs and user access, to understand who is touching the data and to confirm that the access is normal. Anything odd should raise a flag.

Emails should be secured, especially when personally identifiable information is being sent, and clarification techniques such as delivery and read receipts should be used. These should not be under the control of the receiver, as they are in Outlook, where a receiver can block read receipts. Bear in mind, though, that a receipt only confirms delivery, not who sent the message: any instruction to change bank or payment details should be confirmed by telephone using a number already on file, never one quoted in the email itself.
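The bogus-email case described earlier and the email advice above have a counterpart a practitioner can automate: checking the message itself before anyone acts on it. The following is an added example, not code from the original article or from any product it mentions. The list of known counterparty domains, the two sample messages and their Authentication-Results headers are all constructed for illustration. The check flags mail whose SPF, DKIM or DMARC results did not pass, whose Reply-To points somewhere other than the From domain, whose sender or reply domain is a near-miss of a known counterparty, and whose body asks for payment details to be changed.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumed list of counterparties the firm actually deals with (constructed).
KNOWN_DOMAINS = {"smithconveyancing.co.uk", "acmebank.co.uk"}
# Phrases that typically accompany a payment-diversion request (constructed).
PAYMENT_PHRASES = ("updated our account", "new account", "bank details", "sort code", "iban")


def domain_of(header_value):
    """Bare domain of an address header, lower-cased; '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain):
    """Known domain this one closely resembles, or None if it is unknown or an exact match."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    for known in sorted(KNOWN_DOMAINS):
        if difflib.SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None


def auth_results(msg):
    """Parse 'Authentication-Results: authserv; spf=pass ...; dkim=fail ...'
    into {'spf': 'pass', 'dkim': 'fail', ...} (verdict only, not the properties)."""
    results = {}
    hdr = str(msg.get("Authentication-Results", ""))
    for clause in hdr.split(";")[1:]:            # first clause is the authserv-id
        method, sep, rest = clause.strip().partition("=")
        if sep and rest.split():
            results[method.strip().lower()] = rest.split()[0].lower()
    return results


def assess(raw_message):
    """Return a list of reasons to treat the message as suspect (empty means nothing found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    ar = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = ar.get(method, "none")
        if verdict != "pass":
            flags.append(f"{method} result is '{verdict}', not 'pass'")
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in sorted({from_dom, reply_dom}):
        known = lookalike_of(dom)
        if known:
            flags.append(f"domain {dom} is a near-miss of known counterparty {known}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(phrase in text for phrase in PAYMENT_PHRASES):
        flags.append("asks for payment details to change: confirm by phone on a number already on file")
    return flags


# Constructed sample: a spoofed From with a lookalike Reply-To and failed authentication.
BOGUS_EMAIL = """\
From: "Smith Conveyancing" <accounts@smithconveyancing.co.uk>
Reply-To: accounts@smith-conveyancing.co.uk
To: client@example.org
Subject: Completion funds
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=smith-conveyancing.co.uk; dkim=none; dmarc=fail header.from=smithconveyancing.co.uk
Content-Type: text/plain; charset=utf-8

We have updated our account. Please send the completion funds to the new account below.
"""

# Constructed sample: a genuine message from the same firm.
CLEAN_EMAIL = """\
From: "Smith Conveyancing" <accounts@smithconveyancing.co.uk>
To: client@example.org
Subject: Completion statement
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=smithconveyancing.co.uk; dkim=pass header.d=smithconveyancing.co.uk; dmarc=pass header.from=smithconveyancing.co.uk
Content-Type: text/plain; charset=utf-8

Please find the completion statement attached.
"""

if __name__ == "__main__":
    for name, raw in (("bogus", BOGUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, assess(raw) or ["no findings"])
```

A mail gateway or a simple rule in the firm’s mail client can apply the same logic; the point of the last flag is that the automated check only raises the question, and the telephone call to a number already on file is what answers it.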

Adopting Cyber Essentials Plus

The Cyber Essentials Plus certification can offer solutions too. Cyber Essentials is a government information assurance scheme, launched in 2014 and now operated by the National Cyber Security Centre (NCSC), that has become a key benchmark for basic cybersecurity.

It does this by encouraging organisations to adopt good practice in information security, and it sets out a simple set of security controls to protect information from threats coming from the Internet.

Cyber Essentials Plus requires the organisation’s cybersecurity to be verified independently by a Certification Body, making it the more rigorous form of the certification.

Joining the scheme helps ensure that systems are regularly assessed and weaknesses dealt with, reducing the chance of any security breach, not just a ‘man in the middle’ attack.

Every organisation can benefit from added protection.

Give us a call on 0844 586 0040, or email [email protected], and we’ll be happy to advise you.