The hacker knows your machine better than you ever will and wants to get their hands on your intellectual property, at any cost. It’s all about staging the attack and knowing when and who to target. PHILIP PIETERSE, Senior Security Consultant at Trustwave in South Africa explains the rules of hacker engagement.
With a little bit of research, some crafty writing and the right technology, cyber criminals make a good living running targeted virtual attacks to steal corporate and government data.
A new e-book, Inside a Hacker’s Playbook (available here), Trustwave cyber security experts give us an inside look at how the bad guys can get their hands on valuable data and maybe even hit the jackpot with the target’s most important intellectual property.. Highlights from the e-book include:
1.tStage your attack
Cyber criminals spend a lot of time researching their target as they dig for information. Then, they use that info to find the right employee to ‚”spearphish‚” once the bait’s taken they have access to the corporate network where they can use that employee’s PC to spread malware, infect different connections, and install more tools to steal and exfiltrate data.
2.tSpecialise and outsource
It’s not what you know, it’s who you know. Cyber criminals can put together their own little group of specialists who work together to hack and scam vulnerable people. The top 5 common specialities named by the FBI include Coders (write malware), Vendors (trade and sell stolen data), Criminal IT Guys (maintain criminal IT infrastructure like servers and bullet-proof ISPs), Hackers and Fraudsters.
3.tScale the attack
Once they’ve put together their A-team, they are ready to milk each vulnerability dry. Say for example they bought an exploit kit for a new vulnerability in a company’s retail Point Of Sale (POS) system. They can then use that kit to work on other POS systems at other franchises of the same brand. They can steal ten times the data but only really do the work once.
4.tPlay the player, not the game
There’s a good chance that the target’s employees will be oh-so-helpful without even knowing it. The phone rings, you pick up the phone, and the voice on the other end says, ‚”Hi, it’s Johann from IT we’re just doing an upgrade, can I have your username and password please?‚” Cyber criminals can also use ‚”social engineering‚” techniques, whereby the put on a uniform, clutch a bunch of flowers, and watch the corporate doors open.
5.tGet social for better recon
Employees often give away a lot of corporate info on their social media platforms such as Facebook and Twitter. Not only can cyber criminals figure out where you went to school, when your birthday is, and your mother’s maiden name, but there’s also a good chance they can find out where you work, who your boss is, big projects coming up, etc. All this info can be valuable hints at passwords and system challenges. Even if cyber criminals know that you like knitting, they can send malicious emails to your work address with ‚”free patterns‚” and once you click on the link, they’re in‚Ä¶
6.tProbe for every weakness
Why break a window when you’ve got the key for the front door? Cyber criminals look for user credentials at every step of the way to find clues about the target’s IT infrastructure. This will allow them to find the right malware kit or custom build something that can help them pick the proverbial locks.
7.tReinvent old web and email attacks
Say a cyber criminal got his hands on a target’s organisational chart, and read in the company blog that they’ve just hired John Smith as the new marketing manager. The criminal can create a Gmail account under the name of the HR manager, write and send an email to the whole company with an attachment of John’s salary and benefits. Employees open ‚”JohnSmithCompensation.xls‚” and bang curiosity killed the network.
One open door to a corporate network is good, but of course more is better. That way, if one intrusion is detected and malware is eliminated, there are still a few other routes to take instead.
9.tHide in plain sight
Stealth is the name of the game in these targeted attacks. Sometimes these cyber criminals can just smash-and-grab, but generally the most profitable way is to drain the database little by little, over a long period of time.
10.tTake data quietly
Cyber criminals spend a lot of time trying to get in to the network, so they will be patient as to not blow their cover, and will quietly and slowly exfiltrate data out of the network. This way, they won’t set off any alarms.
Targeted attacks are successful because they are stealthy, specific and disarmingly personal. If they do it right, advanced attackers can quietly infiltrate a network and steal data or information over months or even years, and so businesses need to do all they can to protect themselves against cyber attacks. This could include employee awareness campaigns, identifying which employees have access to specific data, protecting data with a multifaceted security approach, managing devices that have access to the corporate network, regularly review systems to ensure that proper data capture and reviews are taking place, and last but not least, understand what the emerging threat landscape looks like and continuously update systems and processes to stay on top of (and even ahead) of attacks.
A career in data science – or your money back
The Explore Data Science Academy is offering high demand skills courses – and guarantees employment for trainees
The Explore Data Science Academy (EDSA) has announced several new courses in 2020 that it says will radically change the shape of data science education in South Africa.
Comprising Data Science, Data Engineering, Data Analytics and Machine Learning, each six-month course provides vital digital skills that are in high demand in the market place. The full time, fully immersive courses each cost R60 000 including VAT.
The courses are differentiated from any other available by the fact that EDSA has introduced a money back promise if it cannot place the candidate in a job within six months of graduation and at a minimum annual starting salary of R240 000.
“For South Africans with drive and aptitude, this is the perfect opportunity to launch a career in what has been called the sexiest career of the 21stcentury,” says Explore founder Shaun Dippnall.
Dippnall and his team are betting on the explosive demand for data science skills locally and globally.
“There is a massive supply-demand gap in the area of data science and our universities and colleges are struggling to keep up with the rapid growth and changing nature of specific digital skills being demanded by companies.
“We are offering specifically a work ready opportunity in a highly skills deficient sector, and one which guarantees employment thereafter.”
The latter is particularly pertinent to young South Africans – a segment which currently faces a 30 percent unemployment rate.
“If you have skills in either Data Science, Data Engineering, Data Analytics or Machine Learning, you will find work locally, even globally. We’re confident of that,” says Dippnall.
EDSA is part of the larger Explore organisation and has for the past two years offered young people an opportunity to be trained as data scientists and embark on careers in a fast-growing sector of the economy.
In its first year of operation, EDSA trained 100 learners as data scientists in a fully sponsored, full-time 12-month course. In year two, this number increased to 400.
“Because we are connected with hundreds of employers and have an excellent understanding of the skills they need, our current placement rate is over 90 percent of the students we’ve taught,” Dippnall says. “These learners can earn an average of R360 000 annually, hence our offer of your money back if there is no employment at a minimum annual salary of R240k within six months.
“With one of the highest youth unemployment rates in the world – recently announced as a national emergency by the President – it is important that institutions teach skills that are in demand and where learners can earn a healthy living afterwards.”
There are qualifying criteria, however. Candidates need to live in close proximity (within one hour commuting distance), or be prepared to live, in either Johannesburg or Cape Town, and need to be between the ages of 18 and 55.
“Our application process is very tough. We’ll test for aptitude and attitude using the qualifying framework we’ve built over the years. If you’re smart enough, you’ll be accepted,” says Dippnall.
To find out more, visit http://www.explore-datascience.net.
Triggerfish launches free digital learning Academy online
Platform designed for anyone wanting to understand more about career opportunities in animation.
Triggerfish, in partnership with Goethe-Institut and the German Federal Ministry of Economic Cooperation and Development, has launched Triggerfish Academy, a free digital learning platform for anyone wanting to understand more about the career opportunities and how to get started in the field of animation.
The website features 25 free video tutorials, quizzes and animation exercises introducing animation as a career and the principles of storytelling, storyboarding and animation, as well as several additional resources to help guide aspiring animators into a career in animation.
“The South African animation industry is growing – and so is the demand for skilled animators globally,” said Noemie Njangiru, head of Culture and Development at Goethe-Institut Johannesburg, pointing to the success of recent Triggerfish projects like the Oscar-nominated Revolting Rhymes; Mama K’s Team 4, recently announced by Netflix as their first original animated series from Africa; and this year’s New York Children’s Festival and Shanghai International Film and TV Festival winner Zog.
Njangiru also highlighted the opportunities for animation outside the traditional film industry, within fields like advertising, app and web design, architecture, engineering, gaming, industrial design, medicine, and the motor industry, not to mention growth sectors like augmented reality and virtual reality.
The course was created by Tim Argall, currently the animation director on Triggerfish’s third feature film, Seal Team. He’s roped in many of the South African animation industry’s brightest stars, from Malcolm Wope, character designer on Mama K’s Team 4, and Annike Pienaar, now working at Illumination in Paris on Sing 2, to Daniel Snaddon, co-director of the multi-award-winning BBC adaptations Stick Man and Zog, and Faghrie Coenraad, lead dressing and finaling artist on the Oscar-nominated Revolting Rhymes, as well as Triggerfish head of production Mike Buckland. The featured talent share not just their skills but also their stories, from how they broke the news they wanted to be animators to their parents, to common myths about the animation industry.
“As kids, animation is part of our lives, so we don’t really think about the idea that animation is actually somebody’s job,” said Argall. “When I was a kid, I loved animation and I loved to draw. I remember when I was about 12, I thought: ‘I really want to see my drawings come to life. I want to be an animator.’ But I had no idea where to even begin.”
Triggerfish Academy is his attempt to make it easier for the next generation of African animators: an accessible starter kit for anyone considering a career in animation.
“By the end of working through this course, you’ll have all the background you need to know whether animation is a good choice for your career,” said Njangiru.
Aspiring animators can also use Triggerfish Academyto learn how to write and animate their own short story, then post their animation on the Academy’s Facebook group for feedback and advice from professional animators.
Triggerfish Academy is set up so that youth can play with it directly, but it’s also been designed to double as an activity plan for teachers, NGOs and after school programmes to use. Schools, organisations and other animation studios who are interested in using it can contact Triggerfish for additional free classroom resources.
Triggerfish Academy is just one of a number of Triggerfish initiatives to train and diversify the next generation of African animators, like sponsoring bursaries to The Animation School; the Mama K’s Team 4 Writers Lab with Netflix; the pan-African Triggerfish Story Lab, supported by The Walt Disney Company and the Department of Trade and Industry; Animate Africa webinars; Draw For Life; and the Triggerfish Foundation schools outreach programme. For more information, visit www.triggerfish.com/academy.