In cybersecurity we are programmed to prepare for constant Internet attacks.
But there are many aspects to these attacks, including what is considered a watering hole tactic.
The name comes from an analogy: in the desert water is essential, and an oasis has a watering hole. Predators wait at that watering hole to attack unsuspecting animals as they drink. That is the analogy, but how does it affect us in computer infrastructure?
In computing, a watering hole is a popular website that many people visit, where an attack on unsuspecting visitors is carried out using non-viewable text. When one views a website, there is both viewable and non-viewable text and code. It is the non-viewable part that can be set up to attack your computers. That is, a website you visit can look normal while it is actually attacking you, and if you do not have proper defenses you will be breached. Watering hole attacks can be mitigated by patching (updating) your systems.
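To make the viewable versus non-viewable distinction concrete, here is an added example (not from the original post) that inventories the parts of a page a visitor never sees: scripts loaded from other hosts, hidden iframes, and elements styled to be invisible. The sample page, the host names and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: reads like a normal article, but carries content
# the visitor never sees on screen.
SAMPLE_HTML = """<html><body>
<h1>Industry News</h1>
<p>Welcome back to our weekly roundup.</p>
<script src="/static/site.js"></script>
<script src="https://cdn.third-party.example/widget.js"></script>
<iframe src="https://other-host.example/frame" width="0" height="0"></iframe>
<div style="display:none"><a href="https://other-host.example/x">x</a></div>
</body></html>"""

class HiddenContentAudit(HTMLParser):
    """Collects elements that load or hold content without displaying it."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # list of (tag, reason, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") or a.get("href") or ""
        host = urlparse(url).hostname
        external = host is not None and host != self.page_host
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or "hidden" in a or a.get("width") == "0" or a.get("height") == "0")
        if tag == "script" and external:
            self.findings.append((tag, "external script", url))
        elif tag == "iframe" and (hidden or external):
            reason = "hidden iframe" if hidden else "external iframe"
            self.findings.append((tag, reason, url))
        elif hidden:
            self.findings.append((tag, "hidden element", url))

def audit(html, page_host):
    """Return the non-viewable findings for a page served from page_host."""
    parser = HiddenContentAudit(page_host)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for tag, reason, url in audit(SAMPLE_HTML, "news.example"):
        print(f"{tag:7} {reason:16} {url}")
```

Legitimate sites also use hidden elements and third-party scripts, so each finding is a lead for a site owner to review against what they expect to be on the page, not proof of an attack.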
Besides a watering hole attack there are several myths I would like to dispel:
- My data isn’t important, it’s not a big deal if I am hacked
- Being hacked can cause many issues, including losing access to your data and having all of your personal data exposed for hackers to use in trying to swindle you and your family (or where you work). All of that data can be abused in many ways. Your client data can be taken, and hackers have extorted the clients of the hacked company. It all depends on the situation (some doctors' offices, for example). See the older post about triple extortion!
- I have a strong password, I am safe
- Having a strong password is good, but is it 24 digits long? These days a complex password (UPPER, lower, num83rs, Sp$ci@l characters) is not enough on its own. Strong passwords need to be long and complex (are you using a password manager?). Or use 2FA (two-factor authentication). But 2FA is not a panacea, as in this older article/post (PayPal 2FA bypassed).
- I don’t have a computer (or X device), I can’t be hacked
- This statement is not true, because your phone is a computer. Your TV is a computer, and even your car has a computer (especially electric vehicles). There are computing devices in many areas of our lives. Do you really believe that we are going to use computers less? I have a nice bridge to sell you… (just kidding) … I’m not interested in selling bridges.
- Security costs too much
- Whatever you think security costs, how much does a failure to secure cost? That is, how much does your reputation cost? When you have to contact all of your friends, family, customers, and employees, what will happen? The hackers now also go after the clients of the hacked company and create an atmosphere of extortion for those clients. The multi-million-dollar criminal underground has become sophisticated, and it needs to make more money. You ultimately have to decide if the risk of being breached is worse than paying a reasonable amount for security policies and other vulnerability assessment tasks. Let’s say an extra $2K or $3K?
- It is easy to spot phishing
- Phishing and other social engineering methods (Vishing – voice, Phishing – email, Smishing – text, Quishing – QR codes) have telltale signs and can be spotted, but it is not easy. In fact, the reason phishing works so well is that in some unguarded moment there is a chance that a good email is confused with a bad one. Or consider Business Email Compromise, as in this 2023 post.
What do all of the above have in common? It is good to review and assess your cyber defense. The attacks are getting more sophisticated, so it is high time one also does more to defend one's computers. That includes creating security policies and performing vulnerability assessments, among many other actions.
Check out my store, which includes various products and services for companies to prepare for the inevitable cyber attacks. Let me know how I can help; my info is in About Us or Contact Us.