CISO Security Services
“To satisfy an ISO-27001, HIPAA, HITRUST, PCI, PII, SOC2, FISMA audit or certification?”
“If your network, production system, endpoints are vulnerable to hacking, bots, ransomware or cyber security breaches?”
“To find a CISO partner to get started and/or maintain your certified state but don’t want to hire full-time?”
What We Deliver:
- Detailed findings and gap analysis reports
- Risk Assessment & Remediation Plans
- Training Development & Delivery
- Process Documentation for Internal Adoption
- Security Assessments – scheduled and on-demand
- Preventative Maintenance – annual agreements performed on-demand or per schedule
Tier4’s Security Services Include:
- Risk Based Methodology Assessment Review and Creation
- Pre/Post Audit, Assessments and Audit Preparedness
- Independent Risk and Threat Analysis
- Vulnerability and Penetration Testing
- Risk Assessment and Management Services
- Compliance and Best Practice Design
- Architectural and Infrastructure Reviews from a Security Posture
- Compliance and Gap Analysis Support
- Mitigation and Remediation Project Planning and Support
- Implementation of SIEM Dashboards for Real-Time Alerts
- Enterprise Security Awareness Training
- Cybersecurity Design and Deployment
- Data Center, Network Operation Centers (NOC) and Security Operations Centers (SOC) Compliance and Preparedness
Five Cyber Attacks You’re Most Likely to Face
One of the most significant security problems is perception: the threats companies think they face are often vastly different from the threats that pose the highest risk. For example, they hire me to deploy state-of-the-art public key infrastructure (PKI) or an enterprise-wide intrusion detection system, when really what they need is better patching. The fact is, most companies face the same threats—and should be doing their utmost to counteract those risks. Here are the five most common successful cyber attacks.
Cyber attack No. 1: Socially Engineered Malware
Socially engineered malware, lately often led by data-encrypting ransomware, provides the No. 1 method of attack (not a buffer overflow, misconfiguration or advanced exploit). An end-user is somehow tricked into running a Trojan horse program, often from a website they trust and visit regularly. The otherwise innocent website is temporarily compromised to deliver malware instead of the normal website coding. The compromised website tells the user to install some new piece of software to access the website, to run fake antivirus software, or to run some other “critical” piece of software that is unnecessary and malicious. The user is often instructed to click past any security warnings emanating from their browser or operating system and to disable any pesky defenses that might get in the way. Sometimes the Trojan program pretends to do something legitimate, and other times it fades away into the background to start doing its rogue actions. Socially engineered malware programs are responsible for hundreds of millions of successful hacks each year. Against those numbers, all other hacking types are just noise.
Countermeasure: Socially engineered malware programs are best handled through ongoing end-user education that covers today’s threats (such as trusted websites prompting users to run surprise software). Enterprises can further protect themselves by not allowing users to surf the web or answer email using elevated credentials. An up-to-date anti-malware program is a necessary evil, but end-user education provides better bang for the buck.
Cyber attack No. 2: Password Phishing Attacks
Coming in a close second are password phishing attacks. Approximately 60 to 70 percent of email is spam, and much of that is phishing attacks looking to trick users out of their login credentials. Fortunately, anti-spam vendors and services have made great strides, so most of us have reasonably clean inboxes. Nonetheless, I get several spam emails each day, and at least a few of them each week are darned good phishing replicas of legitimate emails. I think of an effective phishing email as a corrupted work of art. Everything looks great; it even warns the reader not to fall for fraudulent emails. The only thing that gives it away is the rogue link asking for confidential information.
Countermeasure: The primary countermeasure to password phishing attacks is to have logons that can’t be given away. This means two-factor authentication (2FA), smartcards, biometrics and other out-of-band (e.g., phone call or SMS message) authentication methods. If you can enable something other than simple login name/password combinations for your logins, and require only the stronger methods, then you’ve beaten the password-phishing game. If you’re stuck with simple login name/password combinations for one or more systems, make sure you use accurate-as-can-be anti-phishing products or services, and decrease the risk through better end-user education. I also love browsers that highlight the true domain name of a host in a URL string. That way windowsupdate.microsoft.com.malware.com, for example, is more obvious.
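The domain-highlighting idea above can be shown in a few lines. The following is an added example, not code from the original article or from Tier4: it pulls the hostname out of a URL, finds the registrable domain (the part that decides who actually controls the host), and brackets it so that a trusted name buried in the prefix, as in the windowsupdate.microsoft.com.malware.com case, stands out. The `PUBLIC_SUFFIXES` set is a constructed, deliberately tiny stand-in for the real Public Suffix List; the function names and the `trusted_domains` parameter are assumptions for this illustration.

```python
"""Highlight the registrable domain of a URL so lookalike prefixes stand out.

Added example, not part of the original article. It assumes a tiny built-in
list of public suffixes (a real implementation would consult the full
Public Suffix List); everything else is the standard library.
"""
from urllib.parse import urlsplit

# Constructed, deliberately small stand-in for the Public Suffix List:
# suffixes under which a name can be registered by anyone.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def registrable_domain(url: str) -> str:
    """Return the registrable domain (public suffix plus one label).

    For windowsupdate.microsoft.com.malware.com this is malware.com:
    the trailing labels decide who controls the host, not the leading ones.
    """
    host = hostname_of(url)
    labels = host.split(".")
    # Try the longest candidate suffix first so co.uk wins over uk.
    for n in range(1, len(labels)):
        suffix = ".".join(labels[n:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[n - 1:])
    return host


def highlight(url: str) -> str:
    """Render the hostname with the registrable domain wrapped in brackets."""
    host = hostname_of(url)
    reg = registrable_domain(url)
    prefix = host[: len(host) - len(reg)]
    return f"{prefix}[{reg}]"


def looks_like_impersonation(url: str, trusted_domains: set[str]) -> bool:
    """True when a trusted domain appears inside the hostname but is not the
    registrable domain, e.g. microsoft.com buried inside malware.com."""
    host = hostname_of(url)
    reg = registrable_domain(url)
    return reg not in trusted_domains and any(
        f".{t}." in f".{host}." for t in trusted_domains
    )


if __name__ == "__main__":
    for u in ("https://windowsupdate.microsoft.com/", "https://windowsupdate.microsoft.com.malware.com/update"):
        print(highlight(u), "impersonation" if looks_like_impersonation(u, {"microsoft.com"}) else "ok")
```

The check is intentionally structural rather than keyword-based: it asks where the trusted name sits in the label hierarchy, which is the same question a browser answers when it dims everything except the registrable domain.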
Cyber attack No. 3: Unpatched Software
Coming in close behind socially engineered malware and phishing is software with available but unpatched vulnerabilities. The most common unpatched and exploited programs are browser add-in programs like Adobe Reader and other programs people often use to make surfing the web easier. It’s been this way for many years now, but strangely, not a single company I’ve ever audited has ever had perfectly patched software. It’s usually not even close. I just don’t get it.
Countermeasure: Stop what you’re doing right now and make sure your patching is perfect. If you can’t, make sure it’s perfect around the most exploited products, whatever they happen to be in a given time period. Everyone knows that better patching is a great way to decrease risk. Become one of the few organizations that actually do it. Better yet, make sure that you’re 100 percent patched on the programs most likely to be exploited, versus trying unsuccessfully to be fully patched on all software programs.
Cyber attack No. 4: Social Media Threats
Our online world is a social world led by Facebook, Twitter, LinkedIn and their country-popular counterparts. Social media threats usually arrive as a rogue friend or application install request. If you’re unlucky enough to accept the request, you’re often giving up way more access to your social media account than you think. Corporate hackers love exploiting corporate social media accounts for the embarrassment factor and to glean passwords that might be shared between the social media site and the corporate network. Many of today’s worst hacks started out as simple social media hacking. Don’t underestimate the potential.
Countermeasure: End-user education about social media threats is a must. Also, make sure that your users know not to share their corporate passwords with any other foreign website. Here’s where using more sophisticated 2FA logins can also help. Lastly, make sure all social media users know how to report a hijacked social media account—on their own behalf, or someone else’s. Sometimes it is their friends who first notice something is amiss.
Cyber attack No. 5: Advanced Persistent Threats
I know of only one major corporation that has not suffered a major compromise due to an advanced persistent threat (APT) stealing intellectual property. APTs usually gain a foothold using socially engineered Trojans or phishing attacks. A very popular method is for APT attackers to send a specific phishing campaign—known as spear phishing—to multiple employee email addresses. The phishing email contains a Trojan attachment, which at least one employee is tricked into running. After the initial execution and first computer takeover, APT attackers can compromise an entire enterprise in a matter of hours. It’s easy to accomplish, but a royal pain to clean up.
Countermeasure: Detecting and preventing an APT can be difficult, especially in the face of a determined adversary. All the previous advice applies, but you must also learn to understand the legitimate network traffic patterns in your network and be alert to unexpected flows. An APT doesn’t understand which computers normally talk to which other computers, but you do. Take the time now to start tracking your network flows and get a good handle on what traffic should be going from where to where. An APT will mess up and attempt to copy large amounts of data from a server to some other computer where that server does not normally communicate. When they do, you can catch them.
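The flow-baselining countermeasure above is concrete enough to sketch as detection logic. What follows is an added example, not code from the original article or from Tier4: it builds a map of which hosts are known to talk to which from historical flow records, then flags only flows that are both over a never-before-seen source/destination pair and large, the combination the text describes. The flow tuples are constructed sample data, and the `(src, dst, bytes)` layout, the 50 MB threshold and the function names are assumptions, not any NetFlow or SIEM product's format.

```python
"""Baseline host-to-host flows and flag large transfers over new pairs.

Added example, not part of the original article. The flow records are
constructed for illustration; the (src, dst, bytes) layout and the 50 MB
threshold are assumptions, not any product's format.
"""
from collections import defaultdict

# Constructed one-week history: (src, dst, bytes). In practice this would
# come from NetFlow/IPFIX exports or firewall logs.
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 120_000),      # file server -> backup host
    ("10.0.1.20", "10.0.2.5", 95_000_000),
    ("10.0.3.11", "10.0.1.20", 4_000),       # workstation -> file server
    ("10.0.3.12", "10.0.1.20", 6_500),
]

# Constructed flows from "today".
NEW_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 88_000_000),    # routine backup, known pair
    ("10.0.3.11", "10.0.1.20", 5_100),        # routine workstation access
    ("10.0.1.20", "10.0.3.77", 750_000_000),  # server pushes 750 MB to a host it never talked to
    ("10.0.3.99", "10.0.1.20", 2_000),        # new workstation, tiny: no alert on its own
]

LARGE_TRANSFER_BYTES = 50_000_000  # assumed threshold; tune per environment


def build_baseline(flows):
    """Map each source host to the set of destinations it is known to talk to."""
    known = defaultdict(set)
    for src, dst, _ in flows:
        known[src].add(dst)
    return known


def find_unexpected_transfers(flows, known, threshold=LARGE_TRANSFER_BYTES):
    """Return flows whose (src, dst) pair is new AND whose volume is large.

    Either condition alone is noisy; the point is the combination:
    a server copying a lot of data to somewhere it never normally talks to.
    """
    alerts = []
    for src, dst, nbytes in flows:
        new_pair = dst not in known.get(src, set())
        if new_pair and nbytes >= threshold:
            alerts.append((src, dst, nbytes))
    return alerts


def summarize(alerts):
    """Human-readable lines for an on-call analyst."""
    return [
        f"{s} -> {d}: {b / 1_000_000:.0f} MB over a never-before-seen pair"
        for s, d, b in alerts
    ]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for line in summarize(find_unexpected_transfers(NEW_FLOWS, baseline)):
        print(line)
```

Keeping the baseline directional (source to destination, not an unordered pair) matters here: a file server being read by many workstations is normal, while that same server initiating a large push to one of them is exactly the flow the text says to watch for.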
Other popular attack types such as SQL injection, cross-site scripting, pass-the-hash and password guessing aren’t seen nearly at the same high levels as the five listed here. Protect yourself against the top five threats, and you’ll go a long way toward decreasing risk in your environment. More than anything, I strongly encourage every enterprise to make sure its defenses and mitigations are aligned with the top threats. Don’t be one of those companies that spend money on high-dollar, high-visibility projects while the bad guys continue to sneak in using routes that could have easily been blocked. Lastly, avail yourself of a product or service that specializes in detecting APT-style attacks. These products or services either run on all your computers, like a host-based intrusion detection service, or collate your event logs looking for signs of maliciousness. Long gone are the days where you’ll have a hard time detecting APTs.
Myriad vendors have now filled the earlier void and are waiting to sell you protection. Overall, figure out what your enterprise’s most likely threats will be, and prepare for those the most. Too many companies waste resources concentrating on less-likely scenarios. Use your threat intelligence in the context of your environment’s makeup and vulnerabilities, and determine what you really need to anticipate.
Put Us To Work For You
Got questions? Not sure where to start? No problem – that’s what we’re here for.
Jake Sherrill founded Tier4 in 2013. Tier4 delivers cutting-edge solutions to optimize procurement processes, resulting in gold-standard satisfaction and trusted client relationships. #ITProcurementRedefined
310 Maxwell Road,
Suite # 400
Alpharetta, Georgia 30009