2019’s biggest cyber security threats are and what you can do to avoid them.
Like a sniper, the most dangerous cyber security threats are the ones you never see coming.
Even with firewalls, antivirus solutions, and cybersecurity awareness training for your employees, cybercriminals still manage to exploit any vulnerabilities they can find. This could be because they exploit attack vectors that are known to your organization (but remain unaddressed for some reason) or because they’ve discovered vulnerabilities that are not yet known to you (what are known as zero-day exploits).
Either way, you still lose. Cyber attacks are not a matter of “if,” but “when” they will occur. Unless you somehow gain omniscience (if that happens, be sure to reach out and we can split the cost of a lotto ticket), there’s really no way for you to know every single vulnerability that exists on your network or within your organization. After all, security risks come in all shapes, sizes, attack vectors, and levels of potency in the digital world. And, considering that threats to cyber security are continually changing and adapting, it’s a challenge to keep up with them all.
So, what can you do? You can take the time to learn about as many cyber security threats as possible and work to identify and address as many holes in your defenses that you possibly can. Granted, we understand that’s no small undertaking. But, see, that’s why we’re here!
While we’d love to provide you with a top 10 cybersecurity threats list, we’re tuckered out after just writing nine. So, we’ll cover nine of the biggest cyber security threats that exist in 2019, provide some recent examples of each, and identify some of the ways you can protect your organization (regardless of its size).
Let’s hash it out.
The term “cyber security threats” is pretty nebulous — it can mean many different things depending on whom you ask. For some, threats to cyber security are limited to those that come through virtual attack vectors such as malware, However, as you’ll discover, cyber threats are continuously changing. SophosLabs’ 2019 Threat Report indicates that:
“The threat landscape is undoubtedly evolving; less skilled cybercriminals are being forced out of business, the fittest among them step up their game to survive and we’ll eventually be left with fewer, but smarter and stronger, adversaries. These new cybercriminals are effectively a cross-breed of the once esoteric, targeted attacker, and the pedestrian purveyor of off-the-shelf malware, using manual hacking techniques not for espionage or sabotage, but to maintain their dishonorable income streams.”
Cyber Security Threat or Risk No. 1: Human Nature
Whether with intent or without malice, people are the biggest threats to cyber security. These vulnerabilities come from employees, vendors, or anyone else who has access to your network or IT-related systems.
On one hand, a cyber attack or data breach can occur simply because of human error or a lack of cyber security awareness — such as using easy-to-guess passwords or falling for phishing emails. They may simply have a moment of forgetfulness or may be tricked by an attacker’s effective targeted social engineering attack. Hackers frequently use social engineering tactics – akin to “hacking without code” because they use other tactics to get information – to get their victims to either provide the information they need or get them to engage with malicious content (such as malicious URLs). We’ll speak more to that a bit later. Right now, we’re focusing on the other side of the coin — intentional threats to cyber security. Employees (and former employees) can be significant cybersecurity threats when they think they have something to gain through their malicious actions — perhaps they want to profit by selling or using the data they steal, or they may want to get revenge against an existing or former employer for some perceived injustice. So, they may install malware, download data, or perform other dire actions. But rogue employees are not the only threat – employees of vendors can also pose a potential risk. We’ll speak more on that momentarily.
Whatever the reason, whomever is responsible, the results are the same: Data is stolen, your customers are compromised, and your company’s reputation takes a major hit. It’s a lose-lose situation for everyone except the perpetrator — one that likely could have been avoided by operating under the assumption that people are your biggest risk.
A Recent Example of a Vendor’s (Former) Employee Gone Rogue
Capital One recently made headlines when more than 100 million customers’ accounts were compromised in a data breach — but it wasn’t a random hacker or even a CO employee. As it turns out, Capital One used Amazon Web Services (AWS) for their cloud hosting. The hacker, a former AWS employee, decided to exploit a misconfigured web application firewall to gain access to:
“140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.”
As a result, Capital One expects to face $100-150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs, and legal support due to the hack. This is in addition to any potential company stock value losses.
In addition to keeping strong firewalls and antivirus solutions in place, companies should use the services of an in-house or third-party cyber security operations center (CSOC) to stave off these types of cyber security threats for both their overall organizational cyber security as well as for their website.
The benefit of this is that these individuals are dedicated to the monitoring and analysis of logs for your website, applications, systems to intervene at any sign of a threat and to swiftly remediate the threat.
An example of such a comprehensive solution (in this case, designed for small business websites) is CWatch Web from Comodo Cyber Security, an all-in-one managed security-as-a-service (SaaS) solution. Not only does it provide you with 24/7/365 access to cyber security experts, but it also includes:
▪ Access to Comodo CA’s fully secure global content delivery network (CDN),
▪ A web application firewall (WAF), and
▪ Security information & event management (SIEM).
Furthermore, limit employee access to sensitive systems using access management policies and procedures. Create and maintain a list of access to ensure that only the people who need access to your company’s databases or other systems have access.
Cyber Security Threat or Risk No. 2: Various Forms of Malware
Malware is a truly insidious threat. It can be distributed through multiple delivery methods and, in some cases, is a master of disguises. Some types of malware are known as adaptive malware (such as polymorphic or metamorphic malware) and can change their very “genetic” makeup, their coding. Some forms of metamorphic malware can change themselves entirely with each new iteration — in some cases, they can do it faster than you can say “well, this sucks.”
As we mentioned in another recent article on malware, Microsoft identifies malware cyber security threats pretty generically: “Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more granularly as malicious software or unwanted software.” This categorization includes (but certainly is not limited to) malicious software such as backdoors, downloaders, trojans, worms, and macro viruses.
The Top 10 Types of Malware
So, what are considered the biggest cybersecurity threats in terms of malware? The Center for Internet Security (CIS) reports that the top 10 malware in July 2019 were:
There are many things you can do to prevent malware-based cyberattacks:
▪ Use reputable antivirus and anti-malware solutions, email spam filters, and endpoint security measures.
▪ Ensure that your cyber security updates and patches are all up to date.
▪ Require your employees to undergo regular cyber security awareness training to teach them how to avoid suspicious websites and to not engage with suspicious emails (more on that momentarily).
▪ Limit user access and application privileges.
▪ The list goes on and on.
Cyber Security Threat or Risk No. 3: Different Types of Phishing Attacks and Social Engineering
No matter whether you’re a small business or a Fortune 500 enterprise, phishing is a very real — and very costly — cyber security threat.
In its Evil Internet Minute infographic, RiskIQ shares that $17,700 is lost every minute due to phishing attacks. That’s $9,303,120,000 per year based on a regular calendar year (525,600 minutes), or $9,328,608, 000 for a leap year (527,040 minutes).
But what is phishing? In a nutshell, phishing is a fraudulent attempt to elicit sensitive information from a victim in order to perform some type of action (gain access to a network or accounts, gain access to data, get the victim to perform an action such as a wire transfer, etc.). Phishing comes in many forms:
▪ General phishing
▪ Spear phishing
▪ CEO fraud
▪ Clone phishing
▪ Domain spoofing
▪ URL phishing
▪ Watering hole phishing
▪ Evil twin phishing
Phishing activities frequently involve the use of social engineering tactics. They can use domain spoofing or phone number spoofing to make their communications appear more legitimate.
Examples of Major Successful Phishing Attacks
These types of cyber security threats are prolific and can be exceedingly costly. Google and Facebook together lost more than $100 million to a cybercriminal whose phishing attack spoofed a technology vendor. Crelan Bank in Belgium also lost more than $75 million to cybercriminals and their convincing phishing tactics. We’ve written about several other major phishing attack victims if you’d like to read about other examples.
There are several things that you can do to ward off cyber security threats:
▪ Implement cyber security awareness training for every employee across the board.
▪ Emphasize the importance of phishing reporting.
▪ Run random phishing simulations.
▪ Push HTTPS on your website to create secure, encrypted connections.
▪ Institute access management policies and procedures.
▪ Use reliable email and spam filters.
▪ Require two-factor authentication.
▪ Use email encryption and email signing certificates.
The first way to reduce the impact of cyber security threats is to implement cyber security awareness training and make it mandatory for every employee. Regardless of whether they’re an intern, the CEO, or anyone in between, if your employees have access to any company device or network, they need to know how to use it safely and securely. Some of the biggest phishing attacks involved “whaling,” a form of phishing that targets CEOs, CFOs, or other executives. Erich Kron, security awareness advocate at KnowBe4, says that this type of training should be offered throughout the year and not just once per year for it to be most effective.
Second, Kron says that phishing reporting is essential for businesses. “Provide a way to report the suspected phishing emails so your team is aware of campaigns targeting your organization and can tune email/spam filters to protect other employees against the specific campaigns.”
Third, run random phishing simulations. This practice can help you to determine how well the cyber awareness training is being implemented and identify potential areas to focus on in future trainings. Kron shares that the frequency of the simulations is important. “We have found that users need to have simulated phishing attacks at least once per month for the best results.”
Fourth, use HTTPS for your website by installing SSL/TLS certificates. An SSL certificate helps to facilitate the handshake that is required to create a secure, encrypted connection between your users’ browsers and your web server.
Fifth, setting up proper access management is essential. This helps to ensure that no one has access to systems or data that their jobs don’t require access to. This is not a set-it-and-forget-it thing, though — you’ll need to continually maintain the list to ensure it remains up to date. Policies and procedures need to be implemented to ensure that when an employee leaves or is fired, that their access is immediately terminated to limit risk and potential exposure.
Sixth, use effective and reliable phishing and spam filters for your organization’s email accounts. There are third-party service providers on the market that use various methods such as metadata analysis to differentiate phish or other malicious emails from valid messages.
Seventh, implement two-factor authentication (2FA) for employees. Even if an employee’s credentials become compromised, it can still help to prevent a cybercriminal from accessing your network or data by requiring additional user authentication. While 2FA on its own is not necessarily infallible, it is another link in the chainmail of your cyber security armor.
Lastly, if you handle any type of sensitive information via email, it’s vital that you secure that information as much as possible. This includes both in-transit and at-rest data protection through the use of the secure/multipurpose internet mail extension, or what’s known as S/MIME.
An email signing and encryption certificate uses this email signing protocol and public/private keys to:
▪ Encrypt data at rest and in transit so that it’s secure, and
▪ Sign the email with a verified digital signature so your recipient can confirm you actually sent it.
Don’t Get Phished.
Email is the most commonly exploited attack vector, costing organizations millions annually. And for SMBs, the damage can prove fatal: 60% fold within 6 months of falling victim to a cyber attack. Don’t be one of them.
Cyber Security Threat or Risk No. 4: Formjacking
Symantec’s 2019 Internet Security Threat Report shows that formjacking was on the rise in 2018. The internet security company reported an average of 4,800 websites were compromised with formjacking code each month. The report also stated that 3.7 million formjacking attacks were blocked on endpoints.
Notable Examples of Formjacking Attacks
For examples of recent successful formjacking attacks, look no further than the British Airways and Ticketmaster attacks that were believed to be perpetrated bymalicious actors known as Magecart. The British Airways attack resulted in more than 380,000 credit cards being stolen at an estimated loss of $17 million. This is in addition to the record £183 million fine that was levied against the company due to its lack of General Data Protection Regulation (GDPR) compliance. GDPR allows fines of up to 4% of a company’s annual turnover for noncompliance.
Some of the ways that you can prevent formjacking include:
▪ Running vulnerability scanning and penetration testing — this will help you to identify any vulnerabilities or weaknesses in your cyber security defenses.
▪ Monitoring outbound traffic on your site — this will help you be aware of any traffic from your site to another location.
▪ Using subresource integrity (SRI) tags — this practice helps you to ensure files used by web applications and documents don’t contain unexpected, manipulated content using hashing.
Cyber Security Threat or Risk No. 5: Inadequate Patch Management
The purpose of a patch is to cover a hole of some kind. Manufacturers release patches all the time to address vulnerabilities in their operating systems, software, and other technologies. They’re essential to the security of your business — yet, frequently, patching largely gets ignored both by users and IT security teams simply because they have so many other responsibilities to manage.
Why is poor patch management such a big issue? Imagine you own a kayak and decide to spend a day out on the ocean (we live in Florida — this isn’t an unusual notion for us). You load up the kayak and drive to the beach, put the kayak in the water and start to paddle out. After a little while, you notice that your kayak has a very small leak but choose to ignore it and keep paddling. After leaving the small hole unaddressed for a while, that slow leak grows larger. Your kayak’s compartment soon begins to fill with water, causing your kayak to start sinking. Eventually, you’ll find yourself having to swim back to shore.
This analogy is much like inadequate patch management, which leaves gaping holes in your IT security infrastructure. Ideally, patching should be implemented as soon as a vulnerability is known as these holes because they:
▪ leave your organization at risk of cyberattacks,
▪ lead to needing remediation, which can lead to downtime,
▪ cause reputational harm, and
▪ make you noncompliant with many industry and regulatory cyber security standards.
Unfortunately, far too many companies aren’t patching like they should be. This may be in part because not all businesses have the resources to expedite that process in house, so they roll out patches when theycan, or they may need (but think they can’t afford) the services of a third-party service provider. Regardless of the reason, a lot of technology remains unpatched, which leaves businesses and their data vulnerable to even the most basic cyber security threats. For example, research from Avast, a digital security products company, shows that of the 500,000 devices that they analyzed, only 304 — less than 1% — were 100% patched. This is simply unacceptable.
An Example of Patch Management Issues
EternalBlue. It’s a name that virtually everyone in the infosec industry knows as an exploit that was allegedly developed by the National Security Agency (NSA). It’s an exploit of a Microsoft vulnerability that led to multiple worldwide attacks, including the spread of Petya and the WannaCry ransomware.
Although Microsoft had released patches for EternalBlue well beyond the 2017 WannaCry attacks began, many organizations remained vulnerable because they either didn’t apply the patches or because they were operating onold systems that were past their supported end-of-life period. This patching issue led to massive issues for businesses across a variety of industries, including the National Healthcare System (NHS) in the United Kingdom. Thousands of appointments and surgeries were cancelled, the incident cost NHS more than £100 million.
Even now, two years after the WannaCry attacks, EternalBlue continues to impact systems around the world.
Make patch management a priority. It’s not optional; effective patch management is essential to the livelihood of your business and the security of your customers’ data. Developing and implementing effective patch management policies and procedures helps to reduce the attack surface of your organization by closing up the holes in security that can allow data to be stolen.
Automating this process would also be highly beneficial. Patching these vulnerabilities in real time through automation makes your cybersecurity more effective and is also one less task for your team to have to perform manually. It’s a win-win for everyone — except, of course, the hackers who want to take advantage of unpatched vulnerabilities.
Cyber Security Threat or Risk No 6: Outdated Hardware and Software
Wondering why we’ve broken this section out separately? While it’s true that all patches are updates, it’s equally true that not all updates are patches. That’s why we’ve broken them out into two separate sections.
Keeping your hardware and software assets up to date is vital to the security of your organization’s network, servers, devices, data, and customers. If you’re using out-of-date technologies, your security defenses are no better than using a wall made of swiss cheese to keep out enemies.
Imagine that you’re a solider on a battlefield. You’re armed with a sword, a knife, a crossbow, some leather armor. Your enemies, on the other hand, are armed with Kevlar body armor, M4 rifles, and an assortment of other modern weapons and vehicles. Who do you think will be victorious?
The same concept can be applied to your cyber security defenses. If your business is operating using outdated operating systems, security software, and other applications or tools, then you’re not going to be able to stave off attacks from a well-armed cybercriminal. After all, they’ve got the technology, tools, and know-how to plough through such flimsy defenses while evading detection.
Examples of Outdated Systems
Look around the internet — examples of data breaches and other cyber security incidents that resulted from outdated or unpatched technologies are everywhere. Okay, if you still want us to provide a few examples, then look no further than the WannaCry and Petya attacks we mentioned earlier, as well as Equifax’s 2017 data breach that involved a patchable vulnerability.
Unsupported and outdated software are hackers’ best friends, so be sure to put your best foot forward by keeping your systems and software up to date. When a manufacturer releases an update or patch, apply it as soon as possible. Don’t wait.
Pushing the latest updates keeps your operating system, applications, and other assets up to date strengthens your defenses and helping your data to remain secure and out of the reach of cybercriminals. Develop device management policies for your organization and follow industry device management best practices.
Cyber Security Threat or Risk No. 7: Internet of Things Insecurities
Internet of Things (IoT) technologies are marvels to behold — and they’re everywhere. The Internet of Things connects and networks devices across the world. Examples of IoT technologies in the workplace include everything from smart thermostats and videoconferencing technologies to warehouse stock monitors and even “smart” vending machines that can order their own refills.
IoT is popular, and its popularity continues to grow. Gartner reports that they anticipate more than 20.4 billion IoT devices will exist by 2020. But why are they becoming so popular for businesses and private users so quickly? In part, it’s because IoT technologies, a combination of sensors, software, devices, and networks, make homes and workplaces more “intelligent.” They help people and companies around the world make environments more comfortable, and certain operational functions more convenient and efficient through automation. Makes sense, right?
But with all of this enhanced connectivity and convenience come security risks — big ones. It’s no secret that IoT technologies are a gaping hole of need when it comes to cyber security. After all, the very things that make IoT so convenient is also what also makes it vulnerable.
OWASP Top 10 IoT Vulnerabilities
Many of the reasons that IoT insecurities are some of the biggest cyber security threats to businesses and users are covered by OWASP (the Open Web Application Security Project) in their annual list of the Top 10 IoT Vulnerabilities.
Their 2018 list (the most recent) includes the following vulnerabilities:
1. Weak, Guessable, or Hard-Coded Passwords
2. Insecure Network Services
3. Insecure Ecosystem Interfaces
4. Lack of Secure Update Mechanisms
5. Use of Insecure or Outdated Components
6. Insufficient Privacy Protection
7. Insecure Data Transfer and Storage
8. Lack of Device Management
9. Insecure Default Settings
10. Lack of Physical Hardening
Examples of Cyber Attacks That Resulted from IoT-Related Cyber Security Threats
Geez. Where do we start? IoT cyber security threats affect companies and organizations across just about every industry. An unnamed casino’s high-roller database was compromised when hackers accessed the casino’s network using the smart thermometer of the aquarium in its lobby. A British bank was hacked via its CCTV cameras. Botnets — entire networks of connected IoT devices — have been used to launch major distributed denial of service (DDoS) attacks. One such example, the Mirai botnet, nearly brought down the internet along the entire eastern seaboard of the U.S.
The list goes on and on.
While we don’t condone the actions of these cybercriminals — yes, we need to state that to cover our butts — we can appreciate their demonstrable ingenuity and creativity. After all, who typically thinks of pulling off a casino data heist through an aquarium?
A hacker, that’s who. That’s why you need to up your ante and strengthen your IoT cyber security defense to prevent cyber security threats from getting through.
Securing your IoT is about more than just securing your devices — it’s also about protecting data and privacy. As such, look beyond just IoT device security solutions — consider everything from the application and network to the IoT ecosystem as a whole — to identify any vulnerabilities and potential liabilities. Part of this is about creating and implementing organizational mitigation policies and processes that will address IoT device lifecycle challenges concerning cyber security and privacy.
You also can use IoT digital security certificates as part of your PKI infrastructure to facilitate encrypted connections. Like other x.509 digital security certificates, IoT device certificates verify identity to ensure only trusted devices can connect and any messages or data transferred are secure and encrypted.
Look, regardless of how you choose to do it, just make sure your IoT is secure. While we get that accomplishing this task is not an easy undertaking — after all, effective cyber security requires considerable time and resources without the use of automation — securing your IoT is not optional. It’s also significantly less time-consuming and costly than dealing with the aftermath of a cybersecurity attack or data breach.
Cyber Security Threat or Risk No. 8: Man-in-the-Middle Attacks
Man-in-the-middle (MitM) attacks, or eavesdropping attacks as they’re sometimes called, occur when an attacker inserts themselves into two-party transactions. Imagine you’re having a phone conversation with your bank and an unwanted third party taps into your phone line and starts listening to your private conversation, gaining access to your personal and financial information.
It’s the same concept with a MitM attack. These types of cyber security threats are made by cybercriminals who set up fake public Wi-Fi networks or install malware on victims’ computer or networks. Regardless of how they do it, the goal is the same: To get access to your business or customer data. An Example of a Real-World MitM Attack Banks and other financial institutions are popular targets of man-in-the-middle attacks, as are banking mobile apps. However, hackers don’t like to limit themselves and will attack companies and organizations across all industries, including government organizations.
A notable recent example of a MitM attack occurred when a group of intelligence agents from Russia’s GRU (the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation) tried to hack into the office of the Organisation for the Prohibition of Chemical Weapons (OPCW) at The Hague. They used a Wi-Fi spoofing device (a Wi-Fi panel antenna) to try to get information relating to the results of an investigation. While the attack itself failed, it still goes to show that no one — not even governments — are exempt from being MitM attack targets.
Although SSL/TLS encryption protocols are not 100% perfect, they’re still the best way to help protect your company, customers, and website from man-in-the-middle attacks. HTTPS for websites is not only recommended but is actually required by major browsers such as Google Chrome, Firefox, etc. Without an SSL certificate to facilitate the handshake between your client’s browser and your web server, which protects in-transit data, your site will be flagged as “Not Secure” and you’ll lose traffic and business.
Another way to avoid MitM attacks is to instruct your employees to avoid using public Wi-Fi connections whenever possible. Using virtual private networks (VPNs) on public Wi-Fi can help increase security by creating secure, encrypted connections at times when using public networks are unavoidable.
Cyber Security Threat or Risk No. 9: Poor Digital Certificate Management
Expired SSL certificates. Expired code signing certificates. It doesn’t sound like that big of an issue, so who cares, right? You should. A lot.
We’ve talked about certificate expiries as a form of cyber security threat before. But, if you’re new to our little corner of the internet, you may be surprised to hear just how dangerous and costly poor public key infrastructure (PKI) practices can be for your business. In fact, the average cost of unplanned certificate expirations is $11.1 million. No, that’s not a typo. The number is so high because expired certificates can result in a litany of issues, including website downtime and service outages for your business.
All of these things can significantly impact your bottom line by:
▪ Increasing downtime,
▪ Reducing revenue,
▪ Turning away prospective (and existing)customers, and
▪ Making your organization noncompliant, which leads to noncompliance fines and potential lawsuits
An Examples of What Happens When You Have Inadequate Certificate Management
Certificate expiries can happen to any website or business if they’re not careful. It’s happened to LinkedIn multiple times and also happened to dozens of U.S. government websites.
Ericsson, the Swedish cellular company that manufacturers back-end equipment and management software, is another example of a company that allowed a certificate to expire. As a result, tens of millions of cellular phone users in the U.K. and throughout Asia — those who cell service providers used Ericsson’s management software that had the expired certificate — experienced service downtime.
Learn from their examples: Don’t let your SSL or other X.509 digital certificates expire. Period.
If you’re still relying on Excel spreadsheets and other manual methods of certificate management, saying you’re behind the eight ball is an understatement. Managing a few SSL certificates and their corresponding keys manually isn’t too bad. But when you’re doing it at scale for an enterprise — when you’re managing hundreds, thousands, or even hundreds of thousands of certificates and key — there’s it’s virtually impossible to keep up with them all.
This is where using a PKI certificate management tool can help. For example, Sectigo Certificate Manager (formerly Comodo CA Certificate Manager) is a solution that helps you to mitigate certificate expiry issues by automating rapid certificate renewals, installations, and revocations. It’s a single pane of glass that allows you to manage and monitor all of your certificates and keys, as well as delegate tasks and manage access and roles.
Read the original post at Hashed Out, written by author Casey Crane