One of the biggest security problems is perception: The threats companies think they face are often vastly different than the threats that pose the greatest risk. For example, they hire consultants to deploy state-of-the-art public key infrastructure (PKI) or an enterprise-wide intrusion detection system when really what they need is better patching.
The fact is most companies face the same threats — and should be doing their utmost to counteract those risks. Here are the five most common (and successful) types of cyber attack.
- Socially engineered malware
Socially engineered malware, lately often led by data-encrypting ransomware, provides the No. 1 method of attack. An end-user is somehow tricked into running a Trojan horse program, often from a website they trust and visit often. The otherwise innocent website is temporarily compromised to deliver malware instead of the normal website coding.
The maligned website tells the user to install some new piece of software in order to access the website, run fake antivirus software, or run some other “critical” piece of software that is unnecessary and malicious. The user is often instructed to click past any security warnings emanating from their browser or operating system and to disable any pesky defenses that might get in the way.
Sometimes the Trojan program pretends to do something legitimate and other times it fades away into the background to start doing its rogue actions. Socially engineered malware programs are responsible for hundreds of millions of successful hacks each year. Against those numbers, all other hacking types are just noise.
Countermeasure: Social engineered malware programs are best handled through ongoing end-user education that covers today’s threats (such as trusted websites prompting users to run surprise software). Enterprises can further protect themselves by not allowing users to surf the web or answer email using elevated credentials. An up-to-date anti-malware program is a necessary evil, but strong end-user education provides better bang for the buck.
- Password phishing attacks
Coming a close second are password phishing attacks. Approximately 60 to 70 percent of email is spam, and much of that is phishing attacks looking to trick users out of their logon credentials. Fortunately, anti-spam vendors and services have made great strides, so most of us have reasonably clean inboxes. Think of an effective phishing email as a corrupted work of art: Everything looks great; it even warns the reader not to fall for fraudulent emails. The only thing that gives it away is the rogue link asking for confidential information.
Countermeasure: The primary countermeasure to password phishing attacks is to have logons that can’t be given away. This means two-factor authentication (2FA), smartcards, biometrics and other out-of-the-band (e.g., phone call or SMS message) authentication methods. If you can enable something other than simple logon name/password combinations for your logons, and require only the stronger methods, then you’ve beat the password-phishing game.
- Unpatched software
Coming in close behind socially engineered malware and phishing is software with (available but) unpatched vulnerabilities. The most common unpatched and exploited programs are browser add-in programs like Adobe Reader and other programs people often use to make surfing the web easier.
Countermeasure: Stop what you’re doing right now and make sure your patching is perfect. If you can’t, make sure it’s perfect around the most exploited products, whatever they happen to be in a given time period. Everyone knows that better patching is a great way to decrease risk. Become one of the few organizations that actually does it. Better yet, make sure that you’re 100 percent patched on the programs most likely to be exploited versus trying unsuccessfully to be fully patched on all software programs.
- Social media threats
Our online world is a social world led by Facebook, Twitter, LinkedIn or their country-popular counterparts. Social media threats usually arrive as a rogue friend or application install request. If you’re unlucky enough to accept the request, you’re often giving up way more access to your social media account than you bargained for. Corporate hackers love exploiting corporate social media accounts for the embarrassment factor to glean passwords that might be shared between the social media site and the corporate network. Many of today’s worst hacks started out as simple social media hacking. Don’t underestimate the potential.
Countermeasure: End-user education about social media threats is a must. Also make sure that your users know not to share their corporate passwords with any other foreign website. Lastly, make sure all social media users know how to report a hijacked social media account, on their own behalf, or someone else’s. Sometimes it is their friends who notice something is amiss first.
- Advanced persistent threats
There is one major corporation that has not suffered a major compromise due to an advanced persistent threat (APT) stealing intellectual property. APTs usually gain a foothold using socially engineered Trojans or phishing attacks.
A very popular method is for APT attackers to send a specific phishing campaign — known as spearphishing
Countermeasure: Detecting and preventing an APT can be difficult, especially in the face of a determined adversary. All the previous advice applies, but you must also learn to understand the legitimate network traffic patterns in your network and alert on unexpected flows. An APT doesn’t understand which computers normally talk to which other computers, but you do. Take the time now to start tracking your network flows and get a good handle of what traffic should going from where to where. An APT will mess up and attempt to copy large amounts of data from a server to some other computer where that server does not normally communicate. When they do, you can catch them.
Other popular attack types such as SQL injection, cross-site scripting, pass-the-hash and password guessing
Lastly, avail yourself of a product or service that specializes in detecting APT-style attacks.
