
Shining a Light on Botnets

When cybercriminals strike, it is often the groups or individuals responsible for the attack (e.g., Anonymous, Guardians of Peace, MafiaBoy), the victims (e.g., Target, Sony, Dyn) or the malware itself (e.g., WannaCry, Shamoon, Conficker) that make the headlines. The critical role of botnets in organizing and launching cyberattacks is less commonly written about. This article explains what botnets are, how they operate and what can be done to protect your computers and devices from being recruited to a botnet.

Understanding Botnets

As we discussed in a previous post about cybersecurity ignorance, over 70 percent of Americans are unaware of what a botnet is. When the security of a computer or connected device is compromised by an attack, there are several things that its payload can do. It could execute a piece of ransomware, encrypting user files and displaying a message demanding payment for their release. It could launch spyware to collect information about the user, stealing personal data or harvesting contacts. It could even cause damage to your hardware and shut down your device – although this is not usually in the cybercriminal’s best interest.

Or it could connect your computer to a hidden network of similar hijacked devices and inform its master that it is ready to take orders. It would become what is termed a bot or a zombie, and while it may still operate normally in other respects, it has become the latest addition to a botnet.

Once recruited, a bot will start monitoring for messages from its new master or masters. These messages could originate from a dedicated server (sometimes termed a command and control server) or even via code on a website. This is the traditional server-client botnet. Some of the latest botnets operate on a peer-to-peer (P2P) basis, with each new device acting as both zombie and zombie master in a distributed network.

Methods of Attack Using Botnets

So what can a botnet do? There are certain types of attack that a botnet will usually instigate, although its activity can be quickly changed through altering instructions. Since the devices in question are already compromised, there is no security to overcome and no resistance to its orders.

One of the most common tasks of a botnet is to distribute spam, which will usually contain ransomware. To give an idea of the scale of the problem, Cisco’s 2017 Annual Cybersecurity Report shows that spam accounts for 65 percent of all email, with 8 to 10 percent cited as malicious. Due to a combination of spam filters and consumer education, this method of attack is relatively unproductive and relies upon vast numbers of messages being sent out. For example, when ESET uncovered the Windigo botnet in 2014, it was sending out 35 million spam messages per day.

Another mode of operation is the infamous DDoS attack. In an instant, all bots in the botnet can be instructed to flood a server or servers with connection requests, effectively taking that service out of action. Again, this is a blunt, relatively unsophisticated weapon and, due to improved DDoS mitigation technology, is usually short-term in nature.

For client-server types of botnets, the messages are usually transmitted using the Internet Relay Chat (IRC) protocol. Such communication can be relatively easy to detect and block or even hijack, so smarter forms of attack are being developed to outwit cybersecurity providers. For example, it has been proven possible to issue commands via Twitter, LinkedIn and even JPEG metadata and to switch between such channels. The P2P type of botnet mentioned above also avoids the pitfalls of IRC communication.
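
The following added example, which is not from the original article, shows why plaintext IRC command-and-control traffic is relatively easy to detect: the protocol's registration commands are readable in the payload whatever port is used. The flow records, addresses and nicknames are constructed sample data, and the function names are hypothetical.

```python
import re

# IRC is a plaintext, line-oriented protocol (RFC 1459 / RFC 2812): a client
# registers with NICK and USER, then typically JOINs a channel and waits for
# PRIVMSG lines. Any sensor that sees the payload can read these verbs.
# Verbs are matched in uppercase, as clients conventionally send them
# (the protocol itself is case-insensitive).
IRC_LINE = re.compile(
    rb"^(?::\S+ )?(PASS|NICK|USER|JOIN|PRIVMSG|PING|PONG)\b(?: (.*))?$"
)
STANDARD_IRC_PORTS = {6667, 6697}  # ports commonly used by legitimate IRC

# Constructed sample: (src_ip, dst_ip, dst_port, client-to-server payload).
SAMPLE_FLOWS = [
    ("10.0.4.17", "203.0.113.50", 8080,
     b"NICK host-4f2a\r\nUSER host 0 * :host\r\nJOIN #updates\r\n"),
    ("10.0.4.22", "198.51.100.7", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.4.31", "192.0.2.10", 6667,
     b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #helpdesk\r\n"),
    # FTP also uses USER/PASS, so a single verb is not enough to alert on.
    ("10.0.4.40", "198.51.100.9", 21, b"USER anonymous\r\nPASS guest\r\n"),
]


def irc_commands(payload: bytes) -> list:
    """Return (verb, args) for each payload line that parses as an IRC command."""
    found = []
    for line in payload.split(b"\n"):
        m = IRC_LINE.match(line.rstrip(b"\r"))
        if m:
            args = (m.group(2) or b"").decode(errors="replace")
            found.append((m.group(1).decode(), args))
    return found


def find_irc_sessions(flows) -> list:
    """Flag flows whose payload contains an IRC registration (NICK and USER)."""
    alerts = []
    for src, dst, port, payload in flows:
        cmds = irc_commands(payload)
        if {"NICK", "USER"} <= {verb for verb, _ in cmds}:
            alerts.append({
                "src": src, "dst": dst, "port": port,
                "channels": [a.split()[0] for v, a in cmds if v == "JOIN" and a],
                # IRC on an unexpected port deserves a closer look.
                "nonstandard_port": port not in STANDARD_IRC_PORTS,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_irc_sessions(SAMPLE_FLOWS):
        print(alert)
```

This only works while the channel is unencrypted and uses a well-known protocol, which is why the alternative channels described above are harder to spot.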

Lack of Vigilance is Still the Weakest Link

Facing up to the power and sophistication of botnets can be scary at first, but it must be remembered that there are equally smart minds at work in the battle against cybercrime. The best forms of protection remain unchanged: install regular security updates, use strong password protection, look for the padlock next to a URL before divulging sensitive information and never click on email or social media links unless you are 100 percent sure they are genuine.

As explained in Malwarebytes’ ‘State of Malware Report,’ there are specific concerns about the prioritization of security when it comes to the Internet of Things and DDoS attacks. These vulnerabilities were ruthlessly exploited in October 2016 by the Mirai botnet, which targeted Dyn Inc. and effectively shut down Twitter, Spotify and other sites.

It was discovered that Mirai’s ability to launch such a ferocious DDoS attack (at one point reaching speeds of 1 Tbps) was due to its choice of bots – IP cameras, home routers and other devices rather than PCs. Many of these were configured with their factory passwords and so were simple to hack.

As the Internet of Things grows, it will become more important than ever for companies to choose devices with robust security protection, to update passwords upon setup and to up-skill their IT support teams to monitor for threats. Likewise, homeowners should shop for smart devices with security in mind and change their default passwords.

Why the Worst Cyberattack May Never Happen

If the fear of botnets bringing down the internet is keeping you up at night, then this final section should give you some reassurance. Setting up a botnet that can successfully evade all of the security measures set up to detect and bring it down is resource-intensive; this makes it an incredibly valuable asset. The bigger a botnet is, the harder it becomes for it to fly under the radar. When large botnets are detected, it is often in the wake of a big attack that exposes their chain of command. Once found, botnets often fall hard, with significant computer resources put out of action by law enforcement and people sent to jail.

In most cases, it serves the cybercriminals best to use botnets as stealth weapons, launching the occasional assault before covering their tracks, evolving and then looking for the next opportunity to strike.

Make it Harder for Fraudsters to Use Your Personal Information

It seems as though data breaches affecting millions of Americans are constantly in the news these days. If this makes you anxious about the safety of your personal information, that’s understandable. You can protect your data by using secure internet connections rather than public Wi-Fi when you’re providing sensitive information such as financial account numbers online, keeping your computer and mobile device safe against malware that may be lurking in email attachments, pop-ups and banner ads, downloading apps and other programs only from trusted sources, and being wary of anyone who contacts you unexpectedly asking for it. You can also use the security settings on social media sites to restrict who can see your posts.

In the offline world, you can reduce the possibility of identity theft and fraud by sending bill payments from public mailboxes rather than from the mailbox in front of your house and collecting your mail promptly, shredding documents that contain account numbers and other personal information when they’re no longer needed and not carrying your Social Security card around with you.

But when businesses have your data, you can’t control how well it’s safeguarded. There are some simple steps that you can take, however, to make it harder for fraudsters to use your personal information if they get ahold of it.

  • Create separate passwords for your most sensitive accounts. Sure, it’s convenient to use the same password for everything. Crooks know that, so if they get your password for one account, they’ll try it to log into accounts on other websites. Any account that has your financial information, Social Security number or other sensitive data should have a unique, strong password to keep would-be intruders guessing.
  • Beef up your authentication. If your username, which is often your email address, and a password is all it takes to access your accounts, your defenses are relatively weak. Two-factor authentication – your password plus something that only you have, such as a one-time code that is sent to you as part of the login process – provides much stronger protection.
  • Freeze your credit file. This prevents identity thieves from opening new credit accounts in your name because the lenders won’t be able to access your credit record. Since some landlords and employers also check applicants’ credit records, freezes can also stop fraudulent attempts to get jobs or rent apartments using your identity. Contact the three major credit reporting agencies – Equifax, Experian, and TransUnion – to request a security freeze. You can lift the freeze anytime you need to and reset it. In some situations you may be able to do this for free; otherwise, there will be a small fee.

3 Tips to Save Money & Energy with Smart Home

Investing in smart home technology is more than just a cool party trick; it can also help you save money and energy.

1. SET SCHEDULES WITH A SMART THERMOSTAT

Your heating and cooling system can be a big contributor to your electricity bill. One of the easiest ways to save money and cut down this cost is to install a programmable thermostat. WiFi thermostats, for example, the ecobee4, allow you to save energy and change the temperature or schedule your thermostat from anywhere. You can create schedules, set reminders/alerts, make sure the temperature is turned off when you’re away from home, and more. When used effectively, smart thermostats may generate noticeable savings every month.


2. SWAP OUT INCANDESCENT LIGHT BULBS

Did you know that incandescent light bulbs can give off more energy in the form of heat rather than light? Because of this, the extra heat coming from your light bulbs could be making your home warmer, causing you to use more energy to cool it down. Simply changing your light bulb to CFL or LED lights can help you save money on your electricity bill. You can also reduce energy usage by swapping out your light switches with dimmers, timers, motion detectors and smart switches. Set timers and presence detection around your home to make sure your lights are turned off when you’re not at home. Connect your smart lights with your Echo device and simply say, “Alexa, trigger I’m leaving” to have all of your lights turn off at once.


3. MONITOR ENERGY USAGE

Ever look at your electricity bill and wonder where all of that electricity is going? Take out the guesswork by using smart plugs to help you monitor which appliances in your home may be using the most energy. Many appliances, like home entertainment systems, may be consuming energy even when you’re not using them. Connecting these to a smart plug can help you track how much energy these appliances are using through an app on your smart phone. You can also set up timers to automatically turn these off when they are not in use to help you save more money on your electricity bill.


6 Christmas Gifts for Your Security-Conscious Family and Friends

Maybe you know someone you’d like to encourage to be more security-conscious. Or perhaps a friend or family member is already concerned about their own privacy. They’ve already got tin foil (albeit for the turkey, not to use as a hat), so what else should you get for them? We have a few suggestions.

1. RFID Wallet

Due to concerns over security, you can turn down the offer of contactless payment on debit and credit cards. Nonetheless, fewer people are using their PINs anymore.

Criminals can take payment from contactless cards. Indeed, warnings are occasionally issued on social media about thieves preying on users of packed trains and the subway. You can do something about it, however. Radio Frequency Identification (RFID) wallets block the wireless signals interacting between a card terminal and the card.

2. Nest Indoor Security Cam

Internet Protocol (IP) cameras are all about peace of mind. They can be used for security reasons or as baby monitors. These are digital video recording devices that generally connect to your smartphone or device to offer 24/7 surveillance. Some allow you extra remote control and will further track smart home accessories.

The Nest Cam Indoor security camera is designed to help you look after your home and family – even when you’re away. With 24/7 live streaming, a versatile magnetic stand, person alerts with Nest Aware and one app for all your Nest products, Nest Cam Indoor helps you keep an eye on what matters. From anywhere.

3. WALI Dummy CCTV

Not too sure whether your family member or friend will like a camera keeping score of proceedings all the time? Opt for a fake CCTV system instead!

Dummy cameras are a deterrent to your average criminal. They won’t be keen to have their mugshots taken. Even if some suspect they’re fake, they’ll have to risk getting up close to check it out for sure.

You can typically rely on WALI’s products, and this four-pack of dummy cameras is a substantial present that’s a surprisingly good price. They’ll certainly come in handy around most homes, and because they’ve got a flashing LED, they look real.

4. Litom Solar Lights

Solar lights are fantastic: not only are you utilizing the sun’s power but you’re also improving safety and security. They come in a vast array of variations, and are available everywhere, but for Christmas, we recommend a motion detector solar light.

These simply light up an area whenever something moves within its radius. Intruders are instantly spotlighted, and homeowners are alerted that there’s someone on their property. If whoever you’re buying for has a pond or swimming pool, lights are vital to make sure no one has an accident at night.

Litom’s a solid make. These are deceptively small considering the amount of light they give off. They’re cheap too, but if the recipient places them strategically at a doorway or garage, they’re effective enough to deter would-be criminals.

5. Shredder

Everybody needs a shredder. No, more than that — everybody needs a cross-cut shredder. Cross-cut shredders cut pieces diagonally, rendering anything you put in virtually unreadable. In this age of hacking and ransomware, you shouldn’t underestimate the importance of a good old shredder. Because plenty of important things need cutting up.

Credit card slots are ideal, but some further chop up CDs — more infrequently used, of course, but this is a present to last! Typically, the finer a shredder will cut, the better. Also consider measurements: will this be used in a workplace environment or be kept at home, and how does this affect the size you’re considering?

6. VPN Router

This could be the priciest item on the list, so you’ll want to save it for someone especially dear to you, or as a family gift. But as ever, it depends on which model you go for.

It’ll also require a lot of research. Virtual private networks (VPNs) afford a solid level of security by encrypting data sent between a computer and a website. Anyone who can intercept details sent on that connection cannot read them anyway. There are many VPN services available, including for free via the Opera browser.

VPN routers give a whole household a high level of security. No need for individual installation on each device. Anything connecting to this router will use encryption. The receiver just needs to set it up and then everyone can browse the internet, hassle-free… in theory.

Shop around. Roqos is a dependable brand, and yet cheaper makes might also catch your eye. Shopping for routers should be a rare occurrence, so ask yourself whether it’s worth spending a bit more to achieve some longevity. And of course, are the recipients worth it?

How Good Privacy Practices Help Protect Your Company Brand

Follow these five guidelines to keep your organization's data protected.

Your brand can be one of your company's most valuable assets. It can command premium prices, customer loyalty, a faster sales cycle, and an overall healthier bottom line. But unfortunately, even the strongest brands can have difficulty withstanding the impact of a data breach.

Consider that the average cost of a single data breach is $3.62 million. On top of this, data breach incidents reportedly cause 65% of individuals to lose trust in the organization experiencing it. This loss of customer trust may take years to recover, if it can be recovered at all.

 

1. Understand what constitutes a data breach. A data breach is an incident in which sensitive, protected, or confidential personal data potentially has been viewed, stolen, or used by an individual unauthorized to do so. This can include sensitive information discussed in a doctor's office, viewed on someone's laptop screen, hacked from a computer, or perhaps left on the printer. It could involve thousands of records, or just one. Depending on the regulation, it could involve identifiers, such as a name or identification number. Or it could be images of individuals, in photos or videos. It also could be data revealing racial or ethnic origin, political opinions, religion, trade-union membership, genetic data, health information, personal preferences, and so on.

2. Be aware of your surroundings. Workers should be trained to always be aware of their surroundings. Employees frequently use mobile devices to access and share data, often in full view of others. There's increased risk of data exposure inside the office too. Open-office floor plans remove physical barriers that in the past helped shield computer screens. Those who work in public spaces and in heavy-traffic areas like emergency departments, public lobbies, government offices, and guest-service desks should know to look for suspicious behaviors, such as identifying a visitor who is pointing a smartphone toward a computer screen.

3. Deploy layers of protection to avoid breaches. Add layers of protection as part of a defense-in-depth security approach. This often involves perimeter technologies, such as firewalls, data encryption, and two-factor authentication. Using privacy filters can help protect sensitive data displayed on computer and device screens by blocking unauthorized side views. Other important protection measures include implementing clean-desk policies, using password-protected screensavers, and requiring that sensitive information be printed and stored in locked areas, and then finely shredded when disposed of. Regular assessments can help identify vulnerabilities in these areas, as well as other gaps, such as poorly trained employees.

4. Collect only what you need. In the spirit of improving the buying experience, many organizations are collecting an increasing amount of personal information about their customers. They are asking for birthdays, ages of children, etc. Collecting this level of information requires organizations to be aware of privacy laws, such as the GDPR, that are very stringent in how personal information is used. As a best practice, organizations should proactively identify and collect only the personal information necessary for their intended purposes, for a period strictly necessary (minimization principle), and they should ensure that personal data will not be made accessible to an indefinite number of people.

5. Be ready to respond quickly. Have a documented breach response plan that details roles, responsibilities, and processes. Schedule regular training exercises to help ensure your organization's incident response and breach notification policies and plans will work. Conduct tests to see if employees know who to alert if their device is compromised or they become aware of a data breach. Make sure you have the forensics in place so you can quickly communicate what happened and what the company is going to do about it.

Together, these five tips can help safeguard data privacy, build customer trust, and protect your company's brand.