In today’s digital world, cyber-attacks are a near constant threat. Threat actors target all sorts of businesses and organizations, from Fortune 500 companies and government agencies to small mom & pop stores. The digital revolution has transformed the way we interact and conduct business. But, while having an internet presence and network infrastructure is integral in today’s economy, all participants are potential victims of cyber-attacks. Distinguishing between different types of common attacks will help you and your business prepare and defend against lingering threats.

This article examines some common methods threat actors use, and ways you can defend against those methods.

What’s the Risk?

When an unauthorized user gets access to a device, network, or system, that’s a breach. We typically think of these users as “hackers,” but unauthorized access doesn’t always happen with malicious intent. Either way, this access is indicative of one or more vulnerabilities in that network or system’s security fabric. Intentional or not, unauthorized users getting into your network can result in data loss, data manipulation, or system shutdown. And that can lead to financial loss, brand erosion, and damage to your organization’s reputation.

It can’t be overstated these days: there needs to be a top-down, organization-wide focus on cybersecurity. Everyone—from the CEO to the newest employee—must be cognizant of these common threats and what to do if they encounter them. An organization-wide security strategy greatly reduces the possibility of cyber-attacks because unauthorized access only requires one mistaken click.

Phishing

Perhaps the most common infiltration method used by cyber-attackers is phishing. Phishing is a type of social engineering where attackers send spoofed, fake, or otherwise deceptive emails or messages posing as a legitimate source to trick a person into providing sensitive or secret information (often user credentials).

More sophisticated versions of phishing include spear phishing—targeting a specific person. Criminals using the spear phishing method aren’t sending their scam emails to thousands of individuals, hoping for a bite. With spear phishing, attackers probably already know their target’s name, job title, email address, and specific information about their role.

Whaling is another type of phishing attack, where the attacker will pose as a busy executive or manager, feigning urgency in hopes that a lower-level employee will do as they command. “Smishing” and “vishing” are other phishing methods where cellphones replace emails as the medium for the message.

Tips to Avoid Phishing Attacks
  1. Thoroughly review all your emails. Look for spelling and format errors in the body of the message. Pay close attention to the email address of the sender, too. Attackers often use a slight variation on a popular domain name, for example @gnail.com instead of @gmail.com.
  2. Implement a password change monthly or quarterly for all users. Awareness does not completely prevent phishing. We know this because billions are spent on security awareness training every year. Forced password changes are a small hassle to ensure dwelling attackers are kicked out of the network when stolen credentials expire.
  3. Use an email quarantine. Most enterprise email platforms have a built-in spam filter. Quarantine takes it to another level. Emails from non-trusted senders will be automatically filtered into a quarantine inbox with extra warnings concerning attachments and links.

Ransomware

Ransomware is typically used to conduct cryptoviral extortion. Attackers release malware into a victim’s network that encrypts the victim’s data. The attacker then demands a payment, or ransom, from the victim for the decryption key. Ransomware has its roots in a Trojan written in 1989, but it’s become extremely prevalent and increasingly sophisticated in recent years.

Ransomware attacks can be costly for underprepared organizations, and we’re not talking about paying the ransom. Encrypted systems can shut your company down for months, or even permanently if you are unable to access a backup or decrypt crucial information.

Tips to Avoid Ransomware

Like most attack methods, ransomware cannot be completely avoided. However, there are many recommendations for mitigation. Ransomware is known to dwell under the radar before it’s commanded to actively encrypt files, so early detection and immediate removal is paramount.

  1. Install security updates and patch vulnerabilities. When a vendor releases a security update, make sure it is installed on every machine in your organization. Most software companies identify emerging threats and patch against them, but it’s also a good idea to have your IT or cybersecurity team track new threats as they are discovered by the cyber community.
  2. Maintaining backups is critical. Yes, backups plural. Today’s ransomware can delete or encrypt locally stored backups if they are accessible via your network. Maintain “offline” backups that cannot be accessed from any potentially infected machines. If you’re using cloud backups, ensure connected computers only have append permissions so they cannot overwrite or delete previous backups.
  3. Reduce the attack surface. The attack surface is basically the sum of access points through which an unauthorized user may try to access your network. Basic strategies include reducing the amount of code running in your environment, reducing entry points available to untrusted users, and eliminating underused or unused services. Turning off unnecessary functionality means fewer security risks.

SQL Injection

A Structured Query Language (SQL) injection is a code injection technique used to attack data-driven applications. Attackers can use SQL injections to steal large amounts of data, even entire company databases. This method also allows attackers to destroy data, compromise its availability, or make themselves administrators of the database server.

Tips to Avoid SQL Injection
  1. Use a web application firewall (WAF). A WAF cannot completely prevent SQL injection vulnerabilities from making their way into a codebase, but it can slow an attacker down during the discovery process.
  2. Use parameterized statements, which are available in most development platforms. With them, your variables aren’t spliced into query strings that would accept arbitrary SQL input. Instead, the developer defines all of the SQL code up front, so an injection attempt is handled as a (likely invalid) parameter value rather than executed as SQL.
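
The difference parameterized statements make, shown as an added example that is not part of the original article: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database. The table, function names and input values are constructed for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("o'brien@example.com", "1881")],
    )
    return conn

def lookup_vulnerable(conn, email):
    # BAD: the input becomes part of the SQL text, so it can change the query's structure.
    query = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, email):
    # GOOD: the SQL text is fixed; the driver binds `email` strictly as a value.
    query = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()

# Constructed input that closes the string literal and appends an always-true condition.
INJECTED = "nobody@example.com' OR '1'='1"

def compare():
    """Run both lookups on the same inputs and report what each returned."""
    conn = make_db()
    results = {
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTED)),
        "parameterized_rows": len(lookup_parameterized(conn, INJECTED)),
        "legit_parameterized": lookup_parameterized(conn, "o'brien@example.com"),
    }
    try:
        lookup_vulnerable(conn, "o'brien@example.com")
        results["legit_vulnerable"] = "ok"
    except sqlite3.OperationalError:
        # A legitimate address containing an apostrophe breaks the concatenated query.
        results["legit_vulnerable"] = "syntax error"
    return results

if __name__ == "__main__":
    print(compare())
```

The concatenated query returns every row for the constructed input and fails outright on a legitimate address containing an apostrophe; the parameterized query returns no rows for the first and exactly one for the second.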

XSS Attack

Cross-site scripting (XSS) refers both to a type of attack and to the software bug that makes the attack possible. Attackers can use clickable content to send malicious scripts to a browser. By altering the script, the attacker causes the user to act in a way the user is unaware of. Users are usually unaware that fraudulent activities are taking place, believing the process to be legitimate.

For example, an attacker using XSS on a bill payment may forge a transfer request with their own name in place of the recipient’s. The transfer appears successful to the sender, but the intended recipient never receives the payment. The attacker can also alter the amount of the transfer.

Tips to Avoid XSS Attacks
  1. Create a whitelist of the entities you allow. The web application will then accept only those entries that have been endorsed by the user.
  2. The best idea is to use a process called sanitizing. By doing so, all entries in the system undergo thorough checks to make sure they are not harmful or suspicious.
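
Both tips applied to the bill payment scenario above, as an added example that is not from the original article: structured fields are checked against a whitelist, and free text is HTML-encoded when it is written into the page. Using output encoding as the sanitizing step is an assumption of this example, as are the payee IDs, field names and function names.

```python
import html
import re

# Assumption: payee IDs the user has previously approved (constructed values).
ALLOWED_PAYEES = {"ACME-UTILITIES", "CITY-WATER"}
AMOUNT_RE = re.compile(r"\d{1,6}(\.\d{2})?")  # e.g. 120 or 120.50, nothing else
MAX_MEMO_LEN = 140

def validate_payment(form: dict) -> dict:
    """Whitelist validation: return a dict of field errors (empty means accepted)."""
    errors = {}
    if form.get("payee", "") not in ALLOWED_PAYEES:
        errors["payee"] = "payee is not on the approved list"
    if not AMOUNT_RE.fullmatch(form.get("amount", "")):
        errors["amount"] = "amount must look like 120 or 120.50"
    if len(form.get("memo", "")) > MAX_MEMO_LEN:
        errors["memo"] = "memo is too long"
    return errors

def render_confirmation(form: dict) -> str:
    """Encode every value where it enters HTML, even ones that passed validation."""
    return "<p>Pay {amount} to {payee}. Memo: {memo}</p>".format(
        amount=html.escape(form["amount"]),
        payee=html.escape(form["payee"]),
        memo=html.escape(form["memo"]),  # free text: cannot be whitelisted, so encode
    )

# Constructed requests: one normal, one with unexpected field contents.
GOOD = {"payee": "ACME-UTILITIES", "amount": "120.50", "memo": "June bill"}
BAD = {"payee": "<script>", "amount": "1e9", "memo": ""}
# Passes validation (memo is free text) but carries markup that must not execute.
MARKUP_MEMO = {"payee": "CITY-WATER", "amount": "40", "memo": "<script>alert(1)</script>"}

if __name__ == "__main__":
    for form in (GOOD, BAD, MARKUP_MEMO):
        errs = validate_payment(form)
        print(errs if errs else render_confirmation(form))
```

The third request shows why both layers are needed: a free-text memo cannot be whitelisted, so it is the encoding at output time that keeps its markup from running in the browser.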

Password Attack

Straight password cracking isn’t as prevalent as it once was since there are several other tools in a modern attacker’s toolbox, but one should still practice using complex passwords. CAPTCHA bots and login attempt limits have greatly reduced brute force password cracks. Today, social engineering may allow an attacker to glean personal information from a victim, so make sure your password isn’t a pet name, birthdate, or interest.

Tips to Avoid Password Attacks
  1. Make sure security questions aren’t easily answered with information attackers can find on your social media.
  2. Consider using a “passphrase,” a string of three to four words that you can remember but would be extremely difficult to guess.
  3. Don’t use the same password for everything. Most people have several dozen accounts for various things on the internet. Don’t let one leak compromise everything.
  4. Change your passwords often. No need to change them weekly, but if you’ve gone more than a year without a password change, it’s time.

The Best Defense is a Layered Defense

In this age of interconnection, cyber-attacks are always a possibility. The frequency of cyber-attacks has grown exponentially since 2020, when many users quickly went remote. Attacks have led to financial loss, IP theft, data destruction, and company closures. Preventing attacks and defending against them is a community-wide effort. Every non-criminal computer user has an onus to be aware of methods used by cyber criminals.

And while no level of security can prevent every cyber-attack, the best defense is made of layers like a fortress. When you’re paying attention, installing security updates, patching vulnerabilities, reducing your attack surface, using a next gen antivirus, educating your employees on security awareness, utilizing firewalls and an EDR or XDR, an attacker is likely going to be discouraged into going after an easier target. But if they really want to get in, there’s probably a way. At this level, detection time is the name of the game and that’s where building or hiring a security operations center comes in.