Common Cyber Attacks and How to Prevent Them
The rate and severity of cyber attacks is increasing, and security experts agree that it is not a matter of if but when an attack will occur at any given organization. As your organization implements controls to defend your data against malicious cyber attacks, it is important to remember that not all attacks are the same. They use different methods to achieve different goals, and each type of attack requires different prevention strategies. Here are the most common cyber attacks and how you can prevent them.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
A denial-of-service (DoS) attack floods a targeted machine or network with excessive requests, resulting in the system getting overloaded and a disruption of service to legitimate users. A distributed denial-of-service attack (DDoS attack) is similar to a DoS attack, but on a larger scale. Instead of one computer sending requests, the incoming traffic originates from many sources, making it more difficult to stop the attack.
First line of defense: If your organization depends on servers and an internet presence, DoS attacks can be catastrophic. Unfortunately, it is difficult to differentiate between a legitimate request and a malicious one, as they often use the same ports and protocols. However, many firewalls can defend against some DoS attacks with proper configuration and there are several steps you can take to fortify your network architecture against an attack:
Locate servers in different data centers and on different networks
Ensure that data centers have diverse paths
Ensure that data centers, or the networks that data centers are connected to, do not have single points of failure
Consider partnering with a DoS/DDoS protection provider to help defend your services
Consider using next-generation firewalls, which can detect intentionally malformed traffic
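The kind of per-source rate check a properly configured firewall or a DoS/DDoS protection provider performs can be shown on a small scale. The following script is an added example, not code from the original post or its author; it assumes a constructed access-log format of "timestamp-seconds source-ip path" and a threshold of five requests per five-second sliding window, both chosen for the demonstration.

```python
from collections import defaultdict, deque

# Constructed sample access log (not from the original page). Each line is:
# "<timestamp in whole seconds> <source address> <request path>"
SAMPLE_LOG = """\
1 203.0.113.7 /
1 198.51.100.4 /login
1 203.0.113.7 /
2 203.0.113.7 /
2 203.0.113.7 /
2 198.51.100.9 /about
3 203.0.113.7 /
3 203.0.113.7 /
7 198.51.100.4 /logout
8 203.0.113.7 /
"""


def parse_line(line):
    """Split one log line into (timestamp, source, path)."""
    ts, src, path = line.split()
    return int(ts), src, path


def flood_sources(log_text, max_requests, window_seconds):
    """Return {source: peak count} for every source that sent more than
    max_requests inside any window_seconds-long sliding window.

    A legitimate client and an attacker use the same ports and protocols,
    so request volume per source over time is what separates them here."""
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    offenders = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _path = parse_line(line)
        window = recent[src]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window
        while window and ts - window[0] > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            offenders[src] = max(offenders.get(src, 0), len(window))
    return offenders


if __name__ == "__main__":
    for src, peak in flood_sources(SAMPLE_LOG, max_requests=5, window_seconds=5).items():
        print(f"rate limit exceeded: {src} peaked at {peak} requests in 5s")
```

In the constructed log only 203.0.113.7 exceeds the threshold; the two 198.51.100.x clients are left alone. A real deployment would feed this decision into a firewall rule or a rate limiter rather than printing it, and would tune the window and threshold to the service's normal traffic.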
Phishing
Phishing is one of the most common types of cyber attacks, primarily because it is one of the most successful. Human error is typically the weakest point in any security strategy, and phishing attacks use social engineering to trick people into clicking on malicious links or providing sensitive information freely. Often, users who click links in a phishing email will be taken to legitimate-looking websites where they may be prompted to enter their credentials. After the credentials are entered, the hacker will have access to the user’s account and can log in without detection.
Phishing attacks are becoming increasingly sophisticated, and attackers will frequently leverage legitimate security breaches or other publicized events to elicit action from people who would normally not fall for a phish. Phishing attacks often go hand-in-hand with spoofing and typo-squatting.
First line of defense: Education. While technical controls can prevent users from visiting known phishing sites, new domains can sometimes slip past email filters and safe browsing software. Comprehensive and recurring anti-phishing training is critical for educating employees about how to spot a phishing email, and how to respond if they do detect one. As a start, Google recently released a free phishing quiz, though more in-depth, recurring education will provide the best results. We have seen as much as a 92% increase in identification of malicious emails following six months of anti-phishing training.
Ransomware
Ransomware encrypts and locks specific (usually sensitive or critical) files on your computer or servers. When a user attempts to open a file that has been encrypted by ransomware, they are faced with a message stating that their files have been locked and demanding a ransom, usually in the form of Bitcoin or another cryptocurrency payment.
Though everyone is technically at risk of falling victim to a ransomware attack, targets are usually medical facilities, manufacturing facilities, and government agencies. Ransomware puts companies in a very sticky situation. If they choose to pay the ransom, there is no guarantee that the hacker will release their files, and the knowledge that the organization is willing to pay ransoms will undoubtedly make them a target for future attacks. If they do not pay and have no other way to access their data, they will lose business-critical files, costing them significant time and money to restore functionality.
First line of defense: Data backups. If your business conducts frequent backups that are isolated from your primary network, you will be able to quickly restore critical function without paying the ransom. Even with effective backups in place, if your organization is impacted by ransomware you should conduct an incident response to identify when and how you were breached and remediate any discovered vulnerabilities.
Man-in-the-Middle (MITM)
Man-in-the-Middle attacks occur when a user connects to an unsecured wireless network. Wi-Fi in public spaces, such as hotels, coffee shops, and even co-working spaces, is typically unsecured (even if a password is required for access) and can pose a threat to your organization’s security.
First line of defense: As traditional office environments wane in favor of on-the-go work, educating your employees about the risks of man-in-the-middle attacks and the ways to prevent them is critical. Require employees to use a VPN when conducting any business over public Wi-Fi, and educate employees about the differences between secured and unsecured networks.
Code Injection
Code injection can be used by a hacker to introduce code into a vulnerable computer program and alter the course of execution. Injection can result in data loss or exposure, file corruption, and even complete host takeover.
First line of defense: Keep software up-to-date! Software patches typically contain fixes for newly discovered vulnerabilities.
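Patching closes injection flaws that vendors have found; the flaw itself usually comes from pasting untrusted input into code that an interpreter then executes. The snippet below is an added example, not code from the original post or its author, showing the defect and its fix in the most common form, SQL injection. It assumes a constructed in-memory SQLite table and a hypothetical user lookup; the standard-library sqlite3 module is used so that it runs offline.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hash-of-bob-pw')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's input is spliced into the SQL text, so a
    quote character in the input changes the structure of the statement
    the database executes, which is exactly the 'altered course of
    execution' that injection attacks rely on."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Hardened: the statement text is fixed and the input is passed as a
    bound parameter, so whatever it contains is only ever compared as a
    value and can never become part of the query."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # classic textbook input that breaks out of the quotes
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("hardened:  ", lookup_hardened(db, probe))    # no user has that literal name
```

The same rule, keep data and code separate, applies beyond SQL: shell commands take argument lists rather than concatenated strings, templates escape on output, and so on. Parameterized queries are the fix that a patch for an injection bug almost always contains.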
Cross-site scripting (XSS)
Cross-site scripting is a type of attack in which malicious scripts are injected into a trusted website. These attacks are the result of insecure coding practices being exploited to display malicious code to website visitors. Because the end user’s browser thinks the script is from a secure source, the malicious script can access cookies, session tokens, or other sensitive information retained by the browser. Though many XSS attacks are stealthy, some will deploy a popup that may execute malicious code when clicked. If you have ever gotten a pop-up from a web page that says “Congratulations! You’ve won…”, it is probably the result of an XSS attack.
First line of defense: Unfortunately, most of the onus for preventing XSS attacks is on the development side, but there are some precautions that companies can take. The best way to reduce your vulnerability to XSS attacks is to implement automated scanners that will detect when your web server is vulnerable to XSS and identify what web page and HTML element allow for XSS. It is also critical to educate end-users on the importance of ignoring pop-ups.
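On the development side, the insecure coding practice behind most XSS is writing request data into a page without escaping it. The following is an added example, not code from the original post or its author; it assumes a hypothetical server-side handler that greets a visitor by the name in the URL's query string, and uses only the Python standard library so that the two renderings can be compared offline.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical page template for the demonstration
PAGE_TEMPLATE = "<html><body><h1>Hello, {name}!</h1></body></html>"


def name_from_url(url):
    """Extract the 'name' query parameter the way a request handler would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def render_vulnerable(url):
    """Vulnerable: the parameter is placed into the HTML verbatim, so any
    tag it contains becomes part of the page and is run by every visitor's
    browser as if the trusted site had authored it (reflected XSS)."""
    return PAGE_TEMPLATE.format(name=name_from_url(url))


def render_hardened(url):
    """Hardened: HTML-significant characters are escaped on output, so the
    browser displays the text instead of interpreting it as markup."""
    return PAGE_TEMPLATE.format(name=html.escape(name_from_url(url), quote=True))


def contains_script_tag(page):
    """Scanner-style check: does the rendered page carry a raw <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed probe URL; the payload only displays a dialog, but any
    # script placed here would run with the site's cookies and session.
    probe = "https://example.test/greet?name=<script>alert(1)</script>"
    print("vulnerable page has script tag:", contains_script_tag(render_vulnerable(probe)))
    print("hardened page has script tag:  ", contains_script_tag(render_hardened(probe)))
    print(render_hardened(probe))
```

The check at the end is the same test an automated XSS scanner performs: submit a marker in every input and look for it coming back unescaped in the response. Output escaping, a Content-Security-Policy header, and a templating engine that escapes by default are the development-side controls that make such a scan come back clean.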
Spyware
Spyware is a form of malware that can track user activity on a computer, including keystrokes and webcam activity. Spyware can be difficult to detect, as its entire purpose is to fly under the radar and collect information. Most frequently, spyware is used to harvest credentials or steal intellectual property.
First line of defense: Spyware is a fairly broad category, and can range from simple, well-known attacks that can be prevented with standard anti-virus programs to advanced, nation-state attacks that can easily evade detection. Because of this, a layered approach is best. An anti-virus program and good cyber hygiene will help your organization avoid the most basic forms of spyware, but to defend your data against more sophisticated attacks, you should consider a more advanced network monitoring solution.
Email Spoofing
Email spoofing is a technique that allows a hacker to forge the sender address of an email. Spoofing is possible because SMTP (Simple Mail Transfer Protocol, or how computers transfer emails) does not have any mechanism for authenticating email senders. Spoofing makes an email appear legitimate, which increases the chances that the recipient will interact with the email. This technique is frequently used in wire-transfer scams and phishing campaigns.
First line of defense: Set up controls to automatically send spoofed domains to a junk folder and flag any emails that impersonate employee names. You can also configure these controls to apply to groups that your company interacts with frequently, such as vendors and clients. Additionally, educate employees about how to respond to these emails: they should never interact with a spoofed email, and should always verify unfamiliar addresses through out-of-band communication, such as a quick phone call, before clicking or responding.
Typo-squatting
People are notoriously bad at careful reading. In fact, according to a Cambridge University study, it doesn’t matter what order the letters in a word appear in, only that the first and last letter are in the proper place. Hackers can impersonate legitimate domains by rearranging or omitting letters or leveraging common spelling errors. For example, marriott.com could be misspelled as mariott.com, or bluestoneanalytics.com could be rearranged to bluetsoneanaltyics.com, and very few people would notice the difference. Typo-squatting is often leveraged in phishing campaigns or spoofing attempts.
First line of defense: Education. Include awareness about typo-squatting in your anti-phishing campaign and encourage employees to take time to confirm the legitimacy of domains.
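The mail-gateway controls described under Email Spoofing (junk spoofed domains, flag employee-name impersonation) and the typo-squatting problem described here are usually handled by one inbound filter, so a single added example covers both passages. It is not code from the original post or its author. It assumes a constructed set of trusted domains and employee names, constructed raw messages whose Authentication-Results headers are written the way an inbound gateway would add them, and a lookalike threshold of two edits; the domain examples are the ones the post uses.

```python
import email
import email.utils
import re

# Assumed organization data (not from the original page): domains the company
# and its frequent partners send from, and employee display names to protect.
TRUSTED_DOMAINS = {"bluestoneanalytics.com", "marriott.com"}
EMPLOYEE_NAMES = {"Jane Doe"}
MAX_DISTANCE = 2  # edits within which a domain counts as a lookalike

# Constructed sample messages (not real mail). The Authentication-Results
# header is what the receiving gateway records after SPF/DKIM/DMARC checks.
RAW_LEGIT = """From: Jane Doe <jane.doe@bluestoneanalytics.com>
To: accounts@bluestoneanalytics.com
Subject: Q3 report
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=bluestoneanalytics.com; dmarc=pass header.from=bluestoneanalytics.com

Attached.
"""

RAW_SPOOFED = """From: Jane Doe <jane.doe@bluestoneanalytics.com>
To: accounts@bluestoneanalytics.com
Subject: Urgent wire transfer
Authentication-Results: mx.example; spf=fail; dkim=none; dmarc=fail header.from=bluestoneanalytics.com

Please process the attached transfer today.
"""

RAW_LOOKALIKE = """From: Jane Doe <jane.doe@bluetsoneanaltyics.com>
To: accounts@bluestoneanalytics.com
Subject: Urgent wire transfer
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=bluetsoneanaltyics.com; dmarc=pass header.from=bluetsoneanaltyics.com

Please process the attached transfer today.
"""

RAW_DISPLAY_NAME = """From: Jane Doe <jd.personal@freemail.example>
To: accounts@bluestoneanalytics.com
Subject: Quick favour
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=freemail.example; dmarc=pass header.from=freemail.example

Are you at your desk?
"""


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, one edit each. Swaps matter because typo-squats
    such as bluetsone/bluestone are transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_message(raw):
    """Return the reasons a message should be junked or flagged (empty if none)."""
    msg = email.message_from_string(raw)
    display_name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain not in TRUSTED_DOMAINS:
        # A registered domain a few edits away from one we trust
        if any(osa_distance(domain, t) <= MAX_DISTANCE for t in TRUSTED_DOMAINS):
            flags.append("lookalike-domain")
        # An outside address presenting itself under an employee's name
        if display_name in EMPLOYEE_NAMES:
            flags.append("display-name-impersonation")
    # Exact-domain spoofing: anything other than dmarc=pass is unverified
    match = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if match is None or match.group(1).lower() != "pass":
        flags.append("dmarc-not-pass")
    return flags


if __name__ == "__main__":
    for label, raw in [("legit", RAW_LEGIT), ("spoofed", RAW_SPOOFED),
                       ("lookalike", RAW_LOOKALIKE), ("display-name", RAW_DISPLAY_NAME)]:
        print(f"{label:13s} {check_message(raw)}")
```

Two of the constructed messages pass DMARC and are still malicious: the lookalike domain and the free-mail account each authenticate for themselves, so the sender-authentication check alone is not enough, and the lookalike and display-name checks are what catch them. The legitimate message produces no flags, and only the exact-domain forgery fails DMARC.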
Cracking
Cracking, also known as brute-force hacking, is the process of using high-powered computers to systematically guess billions of potential passwords. Brute-force scripts can test between 1 and 10 billion passwords per second. Many brute-force scripts prioritize passwords that contain dictionary words, and some can even search databases of leaked credentials to look for variations of old passwords associated with compromised accounts.
First line of defense: Use passphrases instead of passwords. Rather than encouraging employees to use complex passwords like “B1u3st0ne”, which is hard to type, relatively short, and hard to remember because of its character substitutions, encouraging users to create passphrases is a better solution. An example of a passphrase would be “Always sunny in Charlottesville!”. This passphrase would be difficult for a computer to guess due to its length but is easy for a user to both remember and type.
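To put numbers on the length argument, the following added example (not code from the original post or its author) estimates the exhaustive-search cost of the two secrets quoted above at the 10 billion guesses per second the post cites. It assumes the attacker's alphabet is the union of the character classes the secret actually uses; this is an upper bound, since the dictionary- and leak-driven guessers the post mentions reach common choices far sooner.

```python
import string

# Character classes; once a secret uses any character from a class, an
# exhaustive search has to include the whole class in its alphabet.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def alphabet_size(secret):
    """Size of the search alphabet implied by the classes present in secret."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in secret))


def brute_force_guesses(secret):
    """Upper bound on guesses to exhaust every string of this alphabet and length.
    Real crackers try dictionary words and leaked passwords first, so a
    predictable secret falls long before this bound is reached."""
    return alphabet_size(secret) ** len(secret)


def worst_case_days(secret, guesses_per_second):
    """Days to exhaust the space at the given guess rate."""
    return brute_force_guesses(secret) / guesses_per_second / 86_400


if __name__ == "__main__":
    rate = 10_000_000_000  # 10 billion guesses per second, as cited in the post
    for secret in ("B1u3st0ne", "Always sunny in Charlottesville!"):
        print(f"{secret!r}: alphabet {alphabet_size(secret)}, length {len(secret)}, "
              f"worst case {worst_case_days(secret, rate):.3g} days at {rate:,}/s")
```

The nine-character substituted password is exhausted in a little over two weeks at that rate; the 32-character passphrase is not reachable by exhaustive search at all, which is why length beats cleverness. The bound says nothing about phrases that appear in song lyrics or quotation lists, so a memorable passphrase should still be one the user composed.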
These are just the most common types of cyber attacks. Many attacks, especially more sophisticated and nation-state-level attacks, use a combination of these techniques, as well as more advanced scripts to evade detection and more efficiently infiltrate networks. The best approach to defending your data from these and other attacks is implementing layered security controls and a robust end-user training program.
If you’re ready to take the next step in defending your data, contact us.