From 2020 to 2021 there was a 31% increase in the number of attacks per company. Given this sudden increase and the current geopolitical climate, it is wise for organisations in any industry to be aware of the current threats affecting their business.
It is commonly stated that humans are the weakest link in the cyber security chain. This has continued to be the case as 82% of breaches this year so far have involved the human element. Social Engineering is the term given to an attack which involves some form of human interaction. Common techniques for social engineering attacks involve:
- Baiting – luring a victim into a trap to steal their personal information
- Scareware – bombarding a user with popup threats to make the user install malicious software
- Pretexting – when a malicious actor asks a victim for personal information for a fake reason that will later be used for attacks such as identity theft
Methods that can be used to help protect against social engineering are:
- Train staff to know what attacks to look out for – e.g., phishing, spear-phishing etc.
- Never give out sensitive information unless the source asking for it is verified
- Multi-factor authentication – helps prevent an account being compromised if an employee has leaked their credentials
Due to its prevalence in cyber security, we think Phishing needs its own subheading. In 2022, Verizon’s annual data breach report stated that phishing was the second highest recorded path leading to a data breach. Phishing typically refers to communications initiated by an attacker with the victim, to manipulate the victim into performing an action to benefit the attacker. Commonly this is to encourage the disclosure of passwords that can be used by the attacker to compromise internal data. Most phishing attempts are sent by email, but phishing can also be done by text message (Smishing) and by voice call (Vishing).
One of the main ways of preventing Phishing emails from being successful is to train staff to be able to spot the general signs of a phishing attack. These general signs include:
- Creating a sense of urgency – make the victim panic and act impulsively
- Request for credentials or other personal details – the email may ask users to update their login credentials.
- Suspicious attachments – files with extensions such as .zip, .exe or .scr are commonly associated with malware
Additionally, staff training should be combined with appropriate security measures to reduce the likelihood of a phishing attack succeeding. This can be done by:
- Configuring accounts to follow the principle of least privilege
- Using an email filter to block suspicious emails – this should be tailored to the business's needs
- Using an anti-phishing toolbar – these toolbars run checks against URLs visited for known malicious websites
Over the course of the past two years, ransomware has seen a significant increase in number of incidents occurring each year. In 2021, the number of ransomware cases almost doubled, going from 1389 reported attacks in 2020, to 2690 in 2021.
Ransomware is a type of malware which prevents the victim from being able to access their systems or personal files by encrypting data, rendering it unreadable. A ransom is then demanded to supply the decryption key and restore access to the data. However, there is no guarantee a malicious actor will decrypt the files once the ransom is paid.
To mitigate the impact a ransomware attack would have, it is important to:
- Make regular backups of important files
- Make sure the backups are kept offline (ideally offsite)
- Disable RDP if it is not needed (ransomware-style attacks primarily happen remotely)
- Use the principle of least privilege, applied to both user management and network segregation, to reduce and isolate the spread of malware
An insider threat is when an employee of a company, due to financial gain, ignorance, or general disgruntlement, performs damaging actions against the company. These issues can be particularly damaging due to the privileged information granted to employees of an organisation, with even the lowest-level employee being significantly better placed than an outsider to damage the organisation.
There are three types of insider threats, these being:
- Malicious Insider
- Careless Insider
- Mole (also known as an imposter)
A malicious insider is usually an employee or former employee who holds some form of grudge against the business and intentionally steals information to later sell or use for personal motives. Malicious insiders can be particularly dangerous as they will be familiar with the internal operations of the business. This can also extend to impairing functionality within the organisation, as many employees are privy to administrative functions that can be subverted to lower productivity within the organisation.
A careless insider is an employee who accidentally exposes a system or personal information to an outside threat. This is typically caused by an employee leaving a device exposed or by falling victim to a social engineering attempt.
A mole, also known as an imposter, is a malicious actor from outside the business who gains access to a privileged network while posing as an employee or partner of the business.
Typical indicators for an Insider threat include:
- Activity at an unusual time – an employee signing into their account out of work hours
- Large volume of traffic – an unexpected large amount of data being transferred
- Unusual type of activity – unexpected resources being accessed
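The three indicators above can be checked mechanically over an audit log. The following is an added example, not code from the article: it runs over a constructed log in an assumed format (timestamp, user, action, resource, bytes) and the working hours, transfer threshold and per-user resource baseline are assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample audit log: timestamp user action resource bytes
SAMPLE_LOG = """\
2022-06-13T09:12:00 alice login workstation 0
2022-06-13T10:04:00 alice read /shares/sales 20480
2022-06-13T23:47:00 alice login vpn 0
2022-06-14T02:15:00 alice read /shares/hr-payroll 734003200
2022-06-14T11:30:00 bob read /shares/sales 10240
"""

WORK_HOURS = (8, 18)                      # assumed 08:00-18:00 working day
BULK_TRANSFER_BYTES = 100 * 1024 * 1024   # assumed 100 MiB per single event
# Assumed baseline: resources each user normally accesses
BASELINE = {
    "alice": {"workstation", "vpn", "/shares/sales"},
    "bob": {"workstation", "/shares/sales"},
}


def parse_line(line):
    """Split one audit-log line into a dict with typed fields."""
    ts, user, action, resource, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource, "bytes": int(size)}


def indicators(event):
    """Return the names of the insider-threat indicators one event triggers."""
    hits = []
    hour = event["ts"].hour
    # Activity at an unusual time: a logon outside working hours
    if event["action"] == "login" and not WORK_HOURS[0] <= hour < WORK_HOURS[1]:
        hits.append("unusual_time")
    # Large volume of traffic: a single transfer above the threshold
    if event["bytes"] >= BULK_TRANSFER_BYTES:
        hits.append("large_volume")
    # Unusual type of activity: a resource outside the user's baseline
    if event["resource"] not in BASELINE.get(event["user"], set()):
        hits.append("unusual_resource")
    return hits


def scan(log_text):
    """Map each user to the set of indicators seen anywhere in the log."""
    findings = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        for hit in indicators(event):
            findings.setdefault(event["user"], set()).add(hit)
    return findings


if __name__ == "__main__":
    for user, hits in scan(SAMPLE_LOG).items():
        print(user, sorted(hits))
```

In the constructed log only alice trips indicators (a late-night VPN logon, then a large read of a payroll share she never normally touches); one hit alone is a prompt to look closer, while several together for the same user are what should raise an investigation.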
To help protect against an insider threat, it is important to:
- Enforce policies – organisational policies should be well documented and known by employees.
- Track employee actions – even simple indicators such as out of hours logons can be useful indicators of potentially malicious behaviour.
- Protect critical assets – ensure only those with a ‘need to know’ can access data.
Third-party exposure is when a malicious actor circumvents the security systems put in place by a business by attacking a network owned by a third-party supplier that may not be as well protected. If the third party has privileged access to the business, this can allow the attacker to gain access to the business itself. An example of this happened in 2021 when a hacker leaked over 214 million accounts from Facebook, LinkedIn, and Instagram. This happened because the hacker breached the third-party contractor Socialarks, which had privileged access to all three businesses.
When managing third-party risks, it is important to:
- Assess the vendor before onboarding – determine security posture, any potential cyber threats
- End contracts with bad vendors – If a vendor does not provide the required level of security, then they should not be used
- Assess fourth-party risk – Determine who the third-party relies on and what risks they bring
- Use Principle of Least Privilege – do not give the third-party more access than is required
Configuration mistakes are one of the most common vulnerabilities that attackers use to breach a network. The report “Under the Hoodie” published by Rapid7 stated that penetration testers were able to abuse at least one network misconfiguration on 80% of targets. The most common types of misconfiguration are:
- Default Credentials – out of the box software being used with default credentials
- Delayed software patching – the most commonly exploited vulnerabilities are known flaws in older, unpatched software
- Logging turned off – while logging does not prevent any malicious actions, it does help to detect when a breach has occurred and to track what the hacker attempted
Cloud computing has seen a drastic increase in usage over the last few years. This is due to the benefits of cloud computing for businesses, such as:
- Potential cost savings
- Scalability – computing capabilities like storage can be increased or decreased when needed
- Ubiquitous access – authorised users can access the data from any authorised device.
While the cloud offers businesses many benefits, it is important to also consider the potential issues that can arise from a poorly implemented cloud system, such as:
- Data breaches
- Insecure APIs
- Malicious Insiders
- System Vulnerabilities
Data breaches most commonly occur when a user within the business accidentally downloads malware, or an attacker exploits a vulnerability within the cloud provider. Businesses can protect themselves from data breaches, or mitigate the damage they cause, by performing routine security audits, encrypting servers, and creating an incident response plan.
APIs are commonly used to easily enable the sharing of data between two or more applications and can be a source of cloud vulnerabilities. Businesses can protect themselves from these vulnerabilities by performing penetration tests that emulate API attacks, using SSL/TLS encryption on transmitted data (only TLS 1.2+ should be used), and disposing of API keys that are no longer needed.
Malicious insider incidents in the cloud most commonly occur due to negligence rather than being malicious in nature. However, it is still important to follow strong security practices such as limiting access to critical data, teaching staff the importance of following best practices for data security, and teaching staff about attacks such as phishing.
System vulnerabilities usually occur due to common mistakes made in third-party applications. These common vulnerabilities usually include lack of input validation, improper error handling, and not closing database connections. It is possible to protect a business from system vulnerabilities by implementing a web application firewall (WAF), which can protect web applications from most of the common system vulnerabilities.
Denial of Service
The goal of a Denial-of-Service (DoS) attack is to render the target application inaccessible. A typical DoS attack is designed to overload the target with too many requests from a small number of attacking systems. When thousands of systems are used instead, each generating a small number of requests that combined overload the target, the attack is called a Distributed Denial of Service (DDoS) attack. These types of attacks are usually performed by hackers to:
- Demonstrate new techniques or for fun
- Take down a site that expresses views the attacker disagrees with
- Create bad publicity for the business
- Extort money from businesses by threatening to perform a DoS attack
The following protections can be used to help defend against DoS attacks:
- Firewall or Intrusion Detection System – used to drop suspicious packets
- Server Redundancy – using multiple servers makes it harder for attackers to take down the whole network at once
- Have a DoS response plan – while this does not prevent DoS, it should still be in place to cover what actions need to be taken in the event of a DoS attack.
Internet of Things
The Internet of Things (IoT) has grown from a technology few took seriously to a global phenomenon that all businesses now adopt to improve their productivity and functionality. However, the increased usage of IoT devices has also increased the attack surface available to attackers. Between January 2021 and June 2021, 1.5 billion IoT breaches were recorded. This is primarily due to IoT devices not receiving the same level of care when it comes to security as a business's larger applications. IoT devices usually suffer from the following vulnerabilities:
- Hardcoded passwords – publicly available default passwords that have not been (or cannot be) changed
- Lack of an update process – IoT devices usually get forgotten about in the update process
- Outdated app components – most IoT devices work on third-party frameworks that may have known vulnerabilities
IoT devices should not be treated as an install-and-done type of application. They also require constant monitoring, protection and planning to secure. This can be achieved by:
- Not using default passwords – changing default passwords to more secure ones (NCSC’s three random words)
- Updating apps regularly – IoT devices should be patched when new updates come out
- Secure API integrations – old versions should be removed, and only authorised devices should be able to communicate with APIs
- Monitoring IoT apps – IoT devices should be monitored and tested like the rest of the network
Due to the Covid-19 pandemic, there has been an increase in the usage of mobile devices. Covid-19 also led to an increase in the adoption of mobile wallets and contactless payment methods, and it forced the workforce to work remotely, which has made businesses start to adopt a Bring-Your-Own-Device (BYOD) policy where users can use their own devices for work purposes. However, allowing users to use their own devices can be dangerous, as an employee's own device may not be as well protected as a business-managed one. According to the Mobile Security Report published by Check Point Software, in 2021 46% of businesses experienced a security incident involving a malicious mobile application being downloaded by an employee. Due to this, the following security measures should be implemented:
- Having a mobile security policy – the policy should cover mobile usage, issues encountered and the age of mobile devices in use, and should be reviewed regularly
- Mobile Device Management (MDM) – allows businesses to manage apps installed and software updates centrally on mobile devices
- Enable multi-factor authentication – in addition to a password, PINs, fingerprints, and facial recognition can be used to secure mobile devices
- Encrypt data – converts data to an unreadable format unless decrypted
- Update devices regularly – should be enforced by MDM or employees should be informed on the importance of keeping devices updated
Keeping your business safe from security threats is a never-ending task that requires businesses to be vigilant and cautious. It is impossible to make any environment 100% immune to all vulnerabilities; new ones get discovered daily and mistakes happen. Putting effort towards defending your business from these top ten threats will significantly improve your defence against cyber-attacks.