By: Logan DeWitt, Manager, Security Operations Center (SOC) at Cerberus Sentinel
Cybersecurity threats continue to evolve in sophistication and severity as the number of endpoints, such as desktop computers, laptops, and mobile devices, increases and digital and physical attack surfaces change. Hackers are often highly intelligent criminals capable of coordinating and launching attacks from anywhere in the world. These attacks exploit system weaknesses to hijack networks, steal passwords, compromise login credentials, and disrupt business.
Though implementing a cybersecurity culture program can provide an organization with tools and resources to mitigate threats, attacks are not “one-size-fits-all.” Here are eight of the most common cybersecurity threats and ways to prevent them:
1) Ransomware
Ransomware attacks often occur after an employee falls for a phishing email or other social engineering method—it only takes one—that gives malicious actors access to a corporate network. Hackers can also infect a system with ransomware through unpatched systems (see #3) and the other attacks described below, and lie in wait until the right time to surface. Hackers then lock up or encrypt access to the organization’s network or files in exchange for payment. And in the case of a double extortion ransomware attack, the hackers leak selected material on the dark web as they increase their financial demands.
Prevention. Create regular backups of all essential information so it’s not necessary to pay a ransom to get data back or unlocked. Undergo penetration testing/threat hunting to find system weaknesses and vulnerabilities. Use a reliable managed detection and response (MDR) platform that has a rollback feature, which targets ransomware, and includes ransomware insurance. Develop a strong and effective incident response policy. And institute security awareness training that teaches all employees how to recognize and report these attempts.
2) Social Engineering/Phishing
Social engineering refers to malicious activities designed to trick victims into providing confidential information, such as passwords or other credentials, or taking an action that gives the attacker financial or personal information. This can include vishing—fraudulent but authentic-sounding texts or phone calls; pretexting—building a false sense of trust to obtain personal information; and baiting—offering a reward for providing credentials or confidential information. Phishing is a form of social engineering where bad actors send fake emails with malicious links and/or downloadable attachments containing malware or ransomware. Sometimes these links take victims to spoofed websites that encourage them to validate login credentials and provide other sensitive information.
Prevention. These attacks work because they rely on human curiosity, greed, fear, and willingness to help. Regularly scheduled security awareness training as well as planned phishing exercises to see who clicks on the links are the best ways to counter them. This training can teach staff how to recognize social engineering/phishing attempts and how to avoid them. It’s also important to have reporting mechanisms in place so employees can report suspected attempts. Phishing detection tools such as email filters, anti-virus software, and firewalls can also flag suspicious activity.
3) Unpatched Systems and Misconfigurations
Unpatched systems. Attackers can exploit unprotected or poorly protected computer systems that have unpatched software and/or no or out-of-date virus detection applications. These weaknesses enable hackers to launch an attack either directly or indirectly and then run malicious code that can lead to a ransomware attack.
Misconfigurations. When security settings are not properly defined and implemented or improperly maintained, these misconfigurations present an easy attack vector for malicious actors.
Prevention. Keep network systems up to date with the latest security patches to avoid exploitable vulnerabilities that give hackers access, or ensure compensating controls are in place to protect systems where patching is not possible. Actively monitor device settings and applications across the network to identify and mitigate misconfiguration threats, and update unpatched software and virus detection systems before they cause damage. Manually executing these preventative steps, however, can be time-consuming and complex, so using a managed service is a great idea, as it will do much of the heavy lifting for you and likely provide better protection.
4) Credential Stuffing
Credential stuffing happens when an attacker – either a bot or a person – uses stolen credentials from one organization to access user accounts at another organization and then uses these usernames and passwords to attempt to access multiple systems.
This type of attack differs from password spraying, in which an attacker uses a known username with a commonly used or generic password, such as password1234, to try to gain access to the account(s).
Prevention. Implement multi-factor authentication (MFA), combined with other proactive measures, such as security questions, PINs, or secondary passwords.
5) Password Cracking Attacks
In password-based attacks, hackers use password-cracking software that can test thousands of potential passwords, along with brute force attacks, to access secure accounts. These tools succeed because password rules, such as requiring capital letters, special characters, and numbers, have actually made passwords less secure. This is because users often follow patterns, such as adding the number 1 or an exclamation point (!) at the password’s end, that are easier for machines and hackers to guess. Users may also reuse these more complex passwords on different accounts, so if hackers breach one account, they’ll use this same password on others (credential stuffing, described above).
Prevention. The best way to secure accounts is by creating passwords that are genuinely random. Give up the habit of using the street you grew up on or your locker combination from high school. Long passwords are also much more difficult for machines to guess. And consider using a password or credential manager. Also, limit the number of password entry attempts—this can stop brute-force attacks. And use different passwords for business and personal uses and change them on a regular basis following the guidelines in the previous paragraph.
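The attempt limit recommended above, shown as an added example (not code from the original article): a small in-memory login service that locks an account after a fixed number of failed attempts, stores only a salted slow hash of the password, and answers identically for unknown users and wrong passwords. The limit values, the `LoginService` class and the `now` parameter (injected so the lockout window can be exercised without waiting) are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILURES = 5          # failed attempts allowed before the account is locked (assumed policy)
LOCKOUT_SECONDS = 300     # how long the lock lasts (assumed policy)
PBKDF2_ROUNDS = 100_000   # slow hash: offline cracking of a leaked digest stays expensive


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Illustrative account store with per-account attempt limiting."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, derive(password, salt))

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveals whether the username exists."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"                     # same answer as a wrong password
        if now < acct.locked_until:
            return "locked"                     # not even a correct password is checked
        if hmac.compare_digest(derive(password, acct.salt), acct.digest):
            acct.failures = 0                   # successful login resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:       # brute force stops here for a full window
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

A per-account lock lets anyone who knows a username lock that user out, so production deployments usually pair it with per-source rate limiting and alerting rather than relying on the lock alone.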
6) Man-in-the-Middle Attacks
Man in the middle (MitM) attacks occur when attackers position themselves between a user and an application to eavesdrop or impersonate one of the parties, creating the illusion of a “business as usual” environment.
The goal of the MitM attacks is to steal personal information such as login credentials, account and credit card numbers, and other information useful for identity theft. MitM attacks usually target financial applications, SaaS business, e-commerce sites, and other websites where it’s necessary to log in. These credentials also make it possible to get into a secured perimeter and infiltrate an organization’s network.
MitM attacks involve two distinct phases: intercepting traffic to gain the credentials, such as setting up a free malicious WiFi hotspot, and decrypting any two-way secure sockets layer (SSL) traffic without alerting the network administrator or application owner.
Prevention. Users should avoid nonsecure/nonpassword-protected WiFi connections and not use public networks when performing sensitive transactions. It’s also a good idea to log out of secure applications when not using them and pay attention to browser notifications reporting a website isn’t secure.
Application/website administrators should use secure communication protocols to robustly encrypt and authenticate data that is transmitted, and use these protocols on every page, not just the ones that require logins. Most users, however, also access many sites and applications that their employer doesn’t have control over. Given that password recycling is rampant, if your users’ passwords for those services are observed via MitM attacks, attackers may have success accessing the users’ corporate resources using the same credentials. One of the best ways to avoid this is to pre-configure all of your users’ endpoints with an always-on VPN client that routes all internet traffic through an encrypted connection back to a company-owned VPN server. Most next-gen firewalls, such as FortiGate and WatchGuard devices, have this capability built in. This is especially effective because it forces all traffic through the encrypted connection, meaning even if the user is sending completely unencrypted data across the internet, an attacker that intercepts the communication via a MitM attack wouldn’t be able to decipher the traffic without first finding a way to break the encryption established between the VPN client and server.
7) Denial-of-Service Attacks
In a denial-of-service (DoS) attack, hackers render a website inaccessible by overwhelming it with traffic and data until the website crashes. Although denial-of-service attacks do not cause direct financial hardship to the victims in the same way a ransomware attack does, they can lead to lost sales/revenue and take time and resources to get the website up and running again.
E-commerce websites are the most likely targets of denial-of-service attacks; other types of high-profile businesses, including media agencies and government organizations, are also at risk.
Prevention. Keep anti-virus software and security patches up to date and monitor traffic reports. A sudden increase in traffic or other strange traffic patterns could be an early sign of this type of attack. Create network resiliency by putting servers and data centers on different networks to prevent traffic bottlenecks on the network in case of attack. There are also a variety of services that provide purpose-built DoS protection, such as Cloudflare and Azure. Going the extra mile by using one of these services is a great step, especially when you fall within one of the highly targeted business sectors.
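The traffic monitoring suggested above, as an added example that is not part of the original article: a script that buckets web-server access-log lines (Common Log Format) per minute, compares each minute against the average of the minutes before it, and reports the top source for any minute that spikes. The log lines are constructed sample data with documentation-range addresses, and the spike factor and minimum request count are assumed thresholds.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: three quiet minutes, then one address floods the site.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2023:10:00:12 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [05/Mar/2023:10:00:40 +0000] "GET /shop HTTP/1.1" 200 8210
203.0.113.10 - - [05/Mar/2023:10:01:03 +0000] "GET /cart HTTP/1.1" 200 3300
198.51.100.7 - - [05/Mar/2023:10:02:15 +0000] "POST /checkout HTTP/1.1" 302 0
"""
FLOOD_IP = "192.0.2.99"  # constructed flooding source: 60 requests within 10:03
SAMPLE_LOG += "".join(
    f'{FLOOD_IP} - - [05/Mar/2023:10:03:{s:02d} +0000] "GET / HTTP/1.1" 503 0\n'
    for s in range(60)
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_line(line):
    """Return (source_ip, minute_bucket) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.replace(second=0, microsecond=0)


def requests_per_minute(log_text):
    """Map each minute to a Counter of requests per source address."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, minute = parsed
            buckets[minute][ip] += 1
    return buckets


def flag_spikes(buckets, factor=5, min_requests=20):
    """Report minutes whose total exceeds factor x the running average of earlier minutes.

    Returns (minute ISO string, top source, its request count); thresholds are assumed.
    """
    flagged, history = [], []
    for minute in sorted(buckets):
        total = sum(buckets[minute].values())
        baseline = sum(history) / len(history) if history else None
        if baseline is not None and total >= min_requests and total > factor * baseline:
            top_ip, top_n = buckets[minute].most_common(1)[0]
            flagged.append((minute.isoformat(), top_ip, top_n))
        history.append(total)
    return flagged
```

A distributed attack shows up as a total spike with no single dominant source, so the reported top-source count is what distinguishes one noisy client from a volumetric DDoS.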
8) Drive-by Download Attacks
Hackers use drive-by download attacks to spread malware. The attacker takes advantage of an app, operating system (OS), or browser that contains security flaws, such as out-of-date software/firewall systems. Users do not have to click a link, download an attachment, or do anything else to enable the attack. A drive-by attacker can infect an entire network with malware or inject Trojans to hijack or disable devices, spy on activity, or compromise data.
Prevention. Keep OS, browsers, and applications up to date with the latest patches, and remove any outdated or unsupported software or components. Install protective web security software and keep it updated, and require admin accounts to use long random passwords or utilize a password generator.
Plan for the Worst. Stay Vigilant. Protect Your Business. Prevent Attacks.
Reducing risk in an IT environment often means a complete and honest audit of your operations, as a cyber incident can not only disrupt your business but also trigger compliance fines, remediation expenses, financial setbacks, and damage to your business reputation. Take the crucial step in dealing with ALL these attacks—and any type of cyberattack—and have an incident response plan in place with trained staff who can quickly and effectively address and manage the aftermath of a security incident.
To better understand how to safeguard your organization’s data and reputation against these and a myriad other cybersecurity threats, reach out to Cerberus Sentinel today.