When identifying security risks, you should consider the type of threat. This will depend on the company’s type, the composition of its workforce, and the nature of the business. There are two broad types of threat: insider threats and external threats. While the two may overlap in some ways, their impact is often different. You should be aware of the differences and take appropriate precautions to protect your network and its data.
Employee complacency
Employee complacency is a serious external security risk to an information network. According to Cisco, as many as 18% of employees share passwords and keep them in plain sight. This situation is not only a liability, but can also cause organizational inertia, which is an opportunity for hackers to exploit. As a result, it is essential to provide employees with appropriate training and awareness about the dangers of complacency.
While outsiders pose a fixed threat, insiders pose a constantly evolving threat. Even if employees do not have malicious intentions, their lack of training and time can make them unwittingly breach corporate security. Fortunately, there are several ways to combat insider threats. First, you must educate your employees about the risks of using sensitive information and how to protect their devices. Second, you must ensure that your IT department provides secure mobile devices. Third, your company must ensure that employees follow strict security policies, especially when using company networks.
In addition to security threats, the cost of a breach can put an organization at risk. Without a strong cyber security strategy, a company is exposed to a wide range of criminal activity. This can be devastating both financially and reputationally. This is why cyber security is essential for every organization.
Complacency can also be caused by the culture of an organization. Organizations that adopt a “we’ve always done it this way” mentality are likely to be complacent in terms of security. Even if they use multiple security products, complacency can lead to ineffective security.
Careless insider threats
Careless insider threats are those posed by negligent employees, who inadvertently expose an information network to outside threats. These incidents can be caused by an employee accidentally clicking on a malicious website or being fooled by social engineering tricks, like spear phishing.
These attacks are difficult to detect and can last for years. In one case, a former employee at SunTrust stole 1.5 million customer records. While this type of attack may not be motivated by money, it still threatens revenue and brand reputation. In addition, insiders have access to information that they should not.
Another example of a clever insider attack involved a French multinational company. An administrative assistant received an e-mail referencing a cloud-based file-sharing service. She did not open the e-mail, but later received a phone call from someone claiming to be a vice president. When he asked her to open the file, she did not realize that the attachment was a remote-access Trojan. The attackers, who were based in Ukraine, were able to log keystrokes and steal intellectual property from the company.
An insider attack is a difficult situation to identify, but fortunately, it is possible to prevent most insider attacks. The key is to know what your employees are doing and what you can do to prevent it. Using technology to prevent insider threats is an important first step. Using a good firewall and other security measures will prevent hackers from infiltrating your information network.
Careless insider attacks are a major concern for the security of any information network. They are difficult to detect because they involve legitimate access to data and systems, and some employees genuinely need access to sensitive information to do their jobs. Insider threats are also difficult to stop because they are not always malicious.
Careless insiders are not the only kind. The infamous turncloak is a malicious insider who intentionally uses their legitimate credentials to steal information and disrupt operations. The malicious insider can be an employee, contractor, or trusted business partner, and may be motivated by financial incentives, revenge, or political ideology.
Careless insider threats can come from anyone within the organization. They can occur through negligence, accidental mistakes, or even malicious insiders, and they can harm critical information, systems, and other assets without the organization’s knowledge. Careless insiders can also be the source of phishing attacks.
Careless insider threats are an important source of security incidents. Careless users often lack awareness or are simply oblivious to security policies. For example, they are likely to click on links and download malicious content without intending to compromise the organization’s security. They may also fail to protect their devices and credentials; for example, they might not secure passwords properly or might rely on single-factor authentication. They may also talk too loudly on phone calls while at work.
Threat intelligence tools can help detect malicious insiders. These tools analyze network data to identify suspicious patterns and can flag insiders based on their behavior, identifying potential insider threats before they act.
Targeted attacks
Targeted attacks pose a variety of challenges for information networks. They can involve a variety of methods and tools. These attacks are typically performed by people with access to company information. While these insiders can be hard to spot, they pose a significant risk. For example, a disgruntled employee may post secrets about the organization on the Internet. Another example is a salesperson who sells a list of customers to competitors. Even a waiter who stores customers’ credit card information could pose such a threat.
Targeted attacks vary in severity. Some are low-level nuisances, while others are serious incidents. In 2018, a ransomware virus encrypted the data of the Atlanta municipal government. This type of attack can affect thousands of devices and cause a system crash. The attacker then demands a ransom to release the data.
Targeted attacks can be internal or external in nature. Internal attacks are usually carried out by employees for their own financial gain. External attacks, on the other hand, rely on systems’ vulnerabilities to gain access to data. These attacks can cost a company a lot of money and reputation. They may also lead to a lawsuit.
Attackers can also use malware to infect devices and then use that malware to access the victim’s information. Another type of attack is a denial-of-service attack, which overwhelms a target system with traffic, often sent from multiple compromised devices.
Top 50 Cybersecurity Attacks 2022
Prologue
In an effort to let my readers know how aggressive evil-doers can be, I have included a list of the top 50 attacks and explanations as compiled by CISA, SPLUNK, and AT-NET. The below list is current as of mid-year 2022 and is by no means complete but comprises the top 50 attacks as measured by activity. The below list is in alphabetical order only.
Be wary of all persons where your data is concerned. The person to the left (Hillary Clinton) looks like someone’s grandmother, but she was accused of the cybercrime of sending Classified Controlled Information to her personal email server on July 5, 2016. So, as one should understand, criminals can be internal, external, family, or even disguised as government officials.
The List
- Account Takeover – Rather than stealing the card or credentials outright, account takeover is more surreptitious, allowing the attacker to get as much use out of the stolen card as possible before being flagged for suspicious activity. Banks, major marketplaces and financial services like PayPal are common targets, and any website that requires a login is susceptible to this attack.
- Advanced Persistent Threat Router and Infrastructure Security – An advanced persistent threat (APT) is a highly advanced, covert threat on a computer system or network where an unauthorized user manages to break in, avoid detection and obtain information for business or political motives. Typically carried out by criminals or nation-states, the main objective is financial gain or political espionage. While APTs continue to be associated with nation-state actors who want to steal government or industry secrets, cyber criminals with no particular affiliation also use APTs to steal data or intellectual property.
- Amazon Web Services (AWS) Attacks – Amazon’s “shared responsibility” model says AWS is responsible for the environment outside of the virtual machine, but the customer is responsible for security inside of the S3 container. Because the organization using AWS is responsible for securing its own environment, threats that take advantage of vulnerabilities created by misconfigurations and deployment errors have become a bigger problem as companies have adopted cloud technologies rapidly. The result is that AWS customers have more threats to worry about.
- Application Access Token – With an OAuth access token, a hacker can use the user-granted REST API to perform functions such as email searching and contact enumeration. With a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a “refresh” token enabling background access is awarded.
- Bill Fraud – Bill fraud — or payment fraud — is any type of bogus or illegal transaction where the cybercriminal diverts funds away from consumers. And these schemes work — according to recent data from the FTC, consumers reported losing over $1 billion in fraud complaints from January 2021 through March 2022.
- Brute Force Attack – A brute force attack aims to take personal information, specifically usernames and passwords, by using a trial-and-error approach. This is one of the simplest ways to gain access to an application, server or password-protected account, since the attacker is simply trying combinations of usernames and passwords until they eventually get in (if they ever do; a six-character password has billions of potential combinations).
- Business Invoice Fraud – Business invoice fraud attempts to trick victims into paying out on a fraudulent (but convincing) bill addressed to your organization. In reality, the funds go to imposters mimicking suppliers. These hackers will often bill a reasonable amount so they don’t draw suspicion. But executing these scams hundreds or thousands of times quickly adds up.
- Cloud Access Management – Managing permissions for your organization has become increasingly important in order to avoid a cloud-based breach. Lax or nonexistent security — and in this case, incorrectly configured security controls — can easily jeopardize the security of your data, exposing your organization to an unnecessary amount of risk, including significant damage to brand reputation.
- Cloud Cryptomining – Cryptomining is an intentionally difficult, resource-intensive business. Its complexity was designed to ensure that the number of blocks mined each day would remain steady. So it’s par for the course that ambitious, yet unscrupulous, miners make amassing the computing power of large enterprises — a practice known as cryptojacking — a top priority. Cryptomining has attracted an increasing amount of media attention since its explosion in popularity in the fall of 2017. The attacks have moved from in-browser exploits and mobile phones to enterprise cloud services, such as Amazon Web Services, Google Cloud Platform (GCP) and Microsoft Azure. It’s difficult to determine exactly how widespread the practice has become, since hackers continually evolve their ability to evade detection, including employing unlisted endpoints, moderating their CPU usage and hiding the mining pool’s IP address behind a free content delivery network (CDN). When miners steal a cloud instance, often spinning up hundreds of new instances, the costs can become astronomical for the account holder. So it’s critical to monitor systems for suspicious activities that could indicate that a network has been infiltrated.
- Command and Control – A command and control attack is when a hacker takes over a computer in order to send commands or malware to other systems on the network. In some cases, the attacker performs reconnaissance activities, moving laterally across the network to gather sensitive data. In other attacks, hackers may use this infrastructure to launch actual attacks. One of the most important functions of this infrastructure is to establish servers that will communicate with implants on compromised endpoints. These attacks are also often referred to as C2 or C&C attacks.
- Compromised Credentials – Most people still use single-factor authentication to identify themselves (a pretty big no-no in the cybersecurity space). And while stricter password requirements are starting to be enforced (like character length, a combination of symbols and numbers, and renewal intervals), end users still repeat credentials across accounts, platforms and applications, failing to update them periodically. This type of approach makes it easier for adversaries to access a user’s account, and a number of today’s breaches are thanks to these credential harvesting campaigns.
- Credential Dumping – Credential dumping simply refers to an attack that relies on gathering credentials from a targeted system. Even though the credentials may not be in plain text — they’re often hashed or encrypted — an attacker can still extract the data and crack it offline on their own systems. This is why the attack is referred to as “dumping.” Often, hackers will try to steal passwords from systems they have already compromised. The problem becomes amplified when users replicate the same password across multiple accounts through multiple systems.
- Credential Reuse Attack – Credential reuse is a pervasive issue across any company or userbase. Nowadays, most users have tens (if not hundreds) of accounts, and are tasked with remembering countless passwords that meet all sorts of stringent requirements. As a result, they’ll resort to reusing the same password over and over again, in the hopes of better managing and remembering their credentials across accounts. Unsurprisingly, this can cause major security issues when said credentials are compromised.
- Credential Stuffing – With credential stuffing, cybercriminals will use stolen account credentials — often usernames and passwords procured from a data breach — to access additional accounts by automating thousands or millions of login requests directed against a web application. They want to access sensitive accounts the easy way — by simply logging in. It works because they rely on people reusing the same usernames and passwords across multiple services. If they’re successful, one credential can unlock accounts that house financial and proprietary information, giving them the keys to almost everything.
- Cross-Site Scripting – XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application includes input from a user in the output it generates without validating or encoding it. The end user’s browser has no way to know that the script should not be trusted, so it executes the script. Because the browser thinks the script came from a trusted source, the script can access cookies, session tokens or other sensitive information retained by the browser. These scripts can even rewrite the content of the HTML page.
- Cryptojacking Attack – Cryptojacking is an attack where a hacker targets and hijacks computer systems with malware that hides on a device and then exploits its processing power to mine for cryptocurrency — such as Bitcoin or Ethereum — all at the victim’s expense. The hacker’s mission is to create valuable cryptocurrency with someone else’s computing resources.
- Data From Information Repositories – Information repositories are tools that allow for the storage of information — tools like Microsoft SharePoint and Atlassian Confluence. Information repositories typically facilitate collaboration or information sharing between users and they store a wide variety of data that may tempt attackers. Hackers may leverage information repositories to access and mine valuable information.
- DDoS Attack – A DDoS attack is an attempt by hackers, hacktivists or cyber spies to take down websites, slow down and crash the target servers and make online service unavailable by flooding them with traffic from multiple sources. As their name suggests, DDoS attacks are widely distributed brute-force attempts to wreak havoc and cause destruction. These attacks often tend to target popular or high-profile sites, such as banks, news and government websites, to thwart or deter target organizations from publishing important information or to weaken them financially.
- Disabling Security Tools – Hackers use a variety of techniques to avoid detection and operate without barriers. This often involves modifying the configuration of security tools, such as firewalls, to get around them or explicitly disabling them to prevent them from running at all.
- DNS Attacks
- DNS Hijacking – DNS is often called the Achilles heel of the internet, or the internet’s phonebook, because it plays a critical role in routing web traffic. DNS is the protocol used to map domain names to IP addresses. It has been proven to work well for its intended function. But DNS is notoriously vulnerable to attack, attributed in part to its distributed nature. DNS relies on unstructured connections between millions of clients and servers over inherently insecure protocols. The importance of securing DNS from attacks is undeniable, and the fallout of compromised DNS can be disastrous. Not only can hackers bring down an entire business, they can also intercept confidential information, emails and login credentials. In 2019, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) raised concerns about high-profile DNS hijacking attacks against infrastructure, both in the United States and abroad.
- DNS Tunneling – The traffic passing through DNS often goes unmonitored, since it’s not designed for data transfer, leaving it vulnerable to several kinds of attacks, including DNS tunneling, which happens when an attacker encodes malicious data into a DNS query: a complex string of characters at the front of a URL. There are valid uses for DNS tunneling — anti-virus software providers use it to send updated malware profiles to customers in the background, for example. Because of the possibility of legitimate use, it’s important for organizations to monitor their DNS traffic thoroughly, allowing only trustworthy traffic to continue flowing through the network.
- DNS Amplification – Though DNS amplification, a type of DDoS attack, has been around for a long time, the exploitation techniques keep evolving. The attack is similar to DNS hijacking in the sense that it takes advantage of the internet’s directory by misconfiguring it, but the way the attacks occur is slightly different. A DNS amplification attack typically involves sending a small amount of information to a vulnerable network service that causes it to reply with a much larger amount of data. By directing that response at a victim, an attacker can put in a relatively low amount of effort while making other people’s machines do all the work of flooding a selected target offline.
- DoS Attack – A DoS attack is where cyberattackers make a machine or network inaccessible for its intended users. DoS attacks can be executed by either flooding networks with traffic or by sending information that triggers a system slowdown or complete crash. As with DDoS attacks, DoS attacks tend to focus on high-profile organizations or ones with popular, public-facing websites such as banking, ecommerce, media or government institutions. DoS attacks deprive legitimate users of the service they want to access and cause extensive damage to the victim, due to security and cleanup costs, loss of reputation, loss of revenue and customer attrition.
- Drive-by Download Attack – A drive-by download refers to the unintentional download of malicious code onto a computer or mobile device that exposes users to different types of threats. Cybercriminals use drive-by downloads to steal and collect personal information, inject banking Trojans or introduce exploit kits or other malware to user devices. To be protected against drive-by downloads, regularly update or patch systems with the latest versions of apps, software, browsers and operating systems. It’s also recommended to stay away from insecure or potentially malicious websites.
- Insider Threat – An insider threat attack is a malicious assault carried out by insiders with authorized access to an organization’s computer system, network and resources. In this assault, attackers often aim to steal classified, proprietary or otherwise sensitive information and assets, either for personal gain or to provide information to competitors. They might also try to sabotage your organization with system disruptions that mean loss of productivity, profitability and reputation.
- IoT Threats – There are an estimated 13.1 billion connected IoT devices globally — a number that is projected to increase to 30 billion by 2030. These devices often lack security infrastructure, creating glaring vulnerabilities in the network that exponentially grow the attack surface and leave it susceptible to malware. Attacks delivered over IoT devices can include DDoS, ransomware and social engineering threats.
- IoMT Threats – The Internet of Medical Things (IoMT) has transformed healthcare as we know it, especially in the era of COVID-19. Leveraging IoMT has the power to unleash countless opportunities in diagnosing, treating and managing a patient’s health and wellness, and holds the key to lowering cost while improving quality of care. But as the number of connected devices invariably grows, so does the cybersecurity risk. As of 2020, more than 25% of cyberattacks in healthcare delivery organizations involve IoMT.
- Macro Viruses – A macro virus is a computer virus written in the same macro language that is used for software applications. Some applications, like Microsoft Office, Excel and PowerPoint, allow macro programs to be embedded in documents such that the macros run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in emails, or emails from unrecognized senders. Many antivirus programs can detect macro viruses, but a macro virus’s behavior can still be difficult to detect.
- Malicious PowerShell – PowerShell is a command-line and scripting tool developed by Microsoft and built on .NET (pronounced “dot net”) that allows administrators and users to change system settings as well as to automate tasks. The command-line interface (CLI) offers a range of tools and flexibility, making it a popular shell and scripting language. Bad actors have also recognized the perks of PowerShell — namely, how to operate undetected on a system as a code endpoint, performing actions behind the scenes.
- Man-in-the-Middle Attack – The MITM attack, also known as adversary-in-the-middle (AiTM), sets up a proxy server that intercepts the victim’s log-in session, so that the malicious actor can act as a relay between the two parties or systems — thereby gaining access to and/or pilfering sensitive information. This type of attack allows a malicious actor to intercept, send and receive data intended for somebody else — or that’s not meant to be sent at all — without either outside party knowing, until it is too late.
- Masquerade Attack – A masquerade attack happens when a bad actor uses a forged or legitimate (but stolen) identity to gain unauthorized access to someone’s machine or an organization’s network via legitimate access identification. Depending on the level of access the permissions provide, masquerade attacks could give attackers access to an entire network.
- Meltdown and Spectre Attack – The Meltdown and Spectre attacks exploit vulnerabilities in computer processors. These vulnerabilities allow attackers to steal almost any data that is being processed on the computer. This is an attack that strikes at the core of computer security, which relies on the isolation of memory to protect a user’s information. “Meltdown” refers to the breakdown of the protective barrier between an operating system and a program, while “Spectre” indicates the breakdown of the barrier between two applications that keep information from each other.
- Network Sniffing – Network sniffing, also known as packet sniffing, is the real-time capturing, monitoring and analysis of data flowing within a network. Whether it’s via hardware, software or a combination of both, bad actors use sniffing tools to eavesdrop on unencrypted data from network packets, such as credentials, emails, passwords, messages and other sensitive information.
- Open Redirection – Host redirection attacks are very common and increasingly subversive, as hackers become more creative about how they lure their targets. Attackers use URL redirection to gain a user’s trust before they inevitably strike. They’ll typically use embedded URLs, an .htaccess file or employ phishing tactics in order to redirect traffic to a malicious website.
- Pass the Hash – Pass the hash allows an attacker to authenticate as a user with the underlying NTLM or LanMan password hash instead of the associated plaintext password. Once the hacker has a valid username along with that user’s password hash, they can get into the user’s account without issue and perform actions on local or remote systems. Essentially, the hashes replace the original passwords they were generated from.
- Phishing – A phishing attack tricks everyday consumers, users or employees into clicking on a malicious link, often driving them to a bogus site to provide personally identifiable information such as banking account numbers, credit card information or passwords, delivered via email, direct message or other communication. Be wary — while these bogus sites may look convincing, attackers will harvest any information you submit to them. Or they may launch malware aimed at stealing funds from your accounts, personally identifiable customer information or other critical assets.
- Phishing Payloads – Despite its simplicity, phishing remains the most pervasive and dangerous cyberthreat. In fact, research shows that as many as 91% of all successful attacks are initiated via a phishing email. These emails use fraudulent domains, email scraping techniques, familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a nefarious payload, or entering sensitive personal information that perpetrators may intercept. The “payload” refers to the transmitted data that is the intended message. Headers and metadata are only sent to enable the delivery of the payload to the correct person.
- Spear Phishing – A subset of phishing, spear phishing occurs when cybercriminals selectively target victims with a specific, personalized email message to trick targets or a target company’s employees into giving away financial or proprietary data, or unlocking access to the network. Spear phishers target individuals who either have access to sensitive information or are weak links to the network. High-value targets, such as C-level executives, company board members or administrators with elevated privileges, are especially vulnerable, since they have access to critical systems and proprietary information.
- Whale Phishing (Whaling) – Whaling is when hackers go after one single, high-value target, such as a CEO. The target is always someone specific, whereas a phishing email may go after anyone at a company. The hackers also usually go after high-profile targets because they may possess important or sensitive information.
- Privileged User Compromise – It’s widely accepted that many serious data breaches can be traced back to the abuse of privileged credentials. These are accounts with elevated privileges, such as users with domain administrator rights or root privileges. Attackers are increasingly using privileged user credentials to access an organization’s resources and information and exfiltrate sensitive data. An attacker that gains access to privileged user credentials can take control of an organization’s infrastructure to modify security settings, exfiltrate data, create user accounts and more, all the while appearing legitimate — and therefore harder to detect.
- Ransomware – Ransomware is an attack where an infected host encrypts a victim’s data, holding it hostage until they pay the attacker a fee. Recent ransomware attacks have demonstrated that hackers have begun threatening to leak or sell the stolen data, increasing the potential damage of these kinds of attacks by orders of magnitude. There are countless types of ransomware, but certain groups are especially nefarious. One well-known gang, Blackmatter, has targeted a number of organizations critical to the U.S. economy and infrastructure, including the food and agriculture industry. Ryuk is another type of ransomware to watch out for. As of 2019, Ryuk had the highest ransom on record at $12.5 million.
- Ransomware-as-a-Service – RaaS is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers.
- Shadow IT – Shadow IT refers to IT applications and infrastructure that employees use without the knowledge and/or consent of their organization’s IT department. These can include hardware, software, web services, cloud applications and other programs. In general, well-intentioned employees innocently download and use these applications to make their work easier or more efficient. It’s a phenomenon so pervasive that Gartner had estimated that a third of all enterprise cybersecurity attacks would be from shadow IT resources in 2020. Because users are accessing these applications largely under the radar, they are often unintentionally opening the floodgate for insider threats, data breaches and compliance violations.
- Simjacking – SIMjacking (also known as a SIM swap scam, port-out scam, SIM splitting and SIM swapping) is a type of account takeover that generally targets a weakness in two-factor authentication and two-step verification in which the second factor is a text message (SMS) or call placed to a mobile telephone. Simply put, simjacking is when an attacker impersonates a target to a cellular provider in order to steal their cell phone number by having it transferred to a different SIM card (which is already in the hacker’s possession).
- Social Engineering Attack – Social engineering is the term used for a broad range of malicious activities accomplished through psychological manipulation to trick users into making security mistakes or giving away sensitive information. What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.
- Spyware – Spyware is a type of malware that aims to gather personal or organizational data, track or sell a victim’s web activity (e.g., searches, history and downloads), capture bank account information and even steal a target’s identity. Multiple types of spyware exist, and each one employs a unique tactic to track the victim. Ultimately, spyware can take over a device, exfiltrating data or sending personal information to another unknown entity without prior knowledge or consent.
- SQL Injection – SQL injection is a type of injection attack used to manipulate or destroy databases using malicious SQL statements. SQL statements control the database of your web application and can be used to bypass security measures if user inputs are not properly sanitized.
- Supply Chain Attack – A supply chain attack is a powerful cyberattack that can breach even the most sophisticated security defenses through legitimate third-party vendors. Because vendors need access to sensitive data in order to integrate with their customers’ internal systems, when they are compromised in a cyberattack, often their customers’ data is too. And because vendors store sensitive data for numerous customers, a single supply chain attack gives hackers access to the sensitive data of many organizations, across many industries. The severity of supply chain attacks cannot be overstated. And the recent spate of these attacks suggests this method is now the state actors’ attack du jour.
- Suspicious Cloud Authentication Activities – Organizations need to move away from relying on perimeter-based network security and instead protect and authenticate user identities directly. Up until recently, however, this was much easier said than done. Certain technologies simply lacked the necessary integration capabilities, limiting an organization’s ability to centrally monitor the overall security of their resources. Now there are countless technologies available that revolve around access control, like multifactor authentication (MFA). To avoid illegitimate authentication on cloud applications, no user or device — whether internal or external to the organization — should be implicitly trusted, and access to all resources should be explicitly and continuously authenticated and authorized.
- Suspicious Okta Activity – Okta is the leading single sign-on (SSO) provider, allowing users to authenticate once to Okta and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. Okta also provides centralized logging to help understand how the applications are used and by whom. While SSO is a major convenience for users, it also provides attackers with an opportunity: if an attacker can gain access to a user’s Okta account, they can access every application assigned to that user.
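The continuous-verification point under Suspicious Cloud Authentication Activities and the centralized logging point above come down to the same practice: reviewing identity-provider logs for patterns a legitimate user would not produce. The following detection code is an added example, not code from the original post or from Okta. Its event records are constructed, and their field names (`published`, `eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`, `client.geographicalContext.country`) are an assumption loosely modelled on Okta's System Log that must be checked against a real export. It implements two rules: a run of failed logins from one IP followed by a success from that IP (password spraying that found a valid credential), and one user succeeding from two countries within an hour (impossible travel).

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, result, ip, country, event_type="user.session.start"):
    """Build one constructed log record. The shape is an assumption loosely
    modelled on Okta's System Log; verify field names against your tenant."""
    return {"published": ts, "eventType": event_type,
            "outcome": {"result": result},
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}}}


# Constructed sample: five failures for five accounts from one IP, then a success
# from that IP; later one user succeeds from two countries twenty minutes apart.
EVENTS = [
    ev("2023-01-10T08:00:00Z", "alice@example.com", "FAILURE", "203.0.113.5", "US"),
    ev("2023-01-10T08:01:00Z", "bob@example.com",   "FAILURE", "203.0.113.5", "US"),
    ev("2023-01-10T08:02:00Z", "carol@example.com", "FAILURE", "203.0.113.5", "US"),
    ev("2023-01-10T08:03:00Z", "dave@example.com",  "FAILURE", "203.0.113.5", "US"),
    ev("2023-01-10T08:04:00Z", "erin@example.com",  "FAILURE", "203.0.113.5", "US"),
    ev("2023-01-10T08:05:00Z", "dave@example.com",  "SUCCESS", "203.0.113.5", "US"),
    ev("2023-01-10T09:00:00Z", "bob@example.com",   "SUCCESS", "198.51.100.7", "US"),
    ev("2023-01-10T09:20:00Z", "bob@example.com",   "SUCCESS", "192.0.2.9",    "DE"),
    ev("2023-01-10T10:00:00Z", "carol@example.com", "SUCCESS", "198.51.100.8", "US"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray_then_success(events, min_failures=5, window=timedelta(minutes=30)):
    """Flag a source IP that accumulates at least `min_failures` failed logins
    within `window` and then authenticates successfully to any account."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["published"]):
        by_ip[e["client"]["ipAddress"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent_failures = []
        for e in evs:
            t = parse_ts(e["published"])
            # Drop failures that have aged out of the sliding window.
            recent_failures = [f for f in recent_failures if t - f <= window]
            if e["outcome"]["result"] == "FAILURE":
                recent_failures.append(t)
            elif len(recent_failures) >= min_failures:
                alerts.append({"rule": "spray_then_success", "ip": ip,
                               "user": e["actor"]["alternateId"],
                               "failures": len(recent_failures)})
    return alerts


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Flag a user with successful logins from two countries within `window`."""
    last_seen = {}   # user -> (country, time of last successful login)
    alerts = []
    for e in sorted(events, key=lambda e: e["published"]):
        if e["outcome"]["result"] != "SUCCESS":
            continue
        user = e["actor"]["alternateId"]
        country = e["client"]["geographicalContext"]["country"]
        t = parse_ts(e["published"])
        if user in last_seen:
            prev_country, prev_t = last_seen[user]
            if prev_country != country and t - prev_t <= window:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev_country, "to": country})
        last_seen[user] = (country, t)
    return alerts


def run_all(events=EVENTS):
    return detect_spray_then_success(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Both rules are deliberately stateless across runs; in production the sliding windows would be kept in the SIEM and the thresholds tuned to the tenant's normal failure rate, since helpdesk password resets and VPN exits in another country are the usual false positives.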
- Suspicious Zoom Child Processes – These local privilege escalation flaws take advantage of Zoom’s software architecture design. They can be exploited by a local attacker, meaning an adversary who already has physical control of a vulnerable computer. Once the bugs are exploited, attackers can gain and sustain persistent access to various functions of a victim’s computer, which allows them to install ransomware, Trojans, spyware and numerous other types of malicious code on targeted systems for nefarious purposes.
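Whatever the specific flaw, what an endpoint sensor sees is the Zoom client spawning a program it has no business spawning. The following rule is an added example written for this post, not Zoom's code or a vendor's detection; the process-creation events are constructed in an EDR/Sysmon-like shape (host, parent image path, child image path, command line), and `ZoomHelper.exe` is a hypothetical benign helper name used only to show the allowed case.

```python
# Constructed process-creation events for this example (not real telemetry).
EVENTS = [
    {"host": "ws-01",
     "parent_image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\ZoomHelper.exe",  # hypothetical helper
     "cmdline": "ZoomHelper.exe --update"},
    {"host": "ws-01",
     "parent_image": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "ws-02",
     "parent_image": r"C:\Users\bob\AppData\Roaming\Zoom\bin\Zoom.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden"},
    {"host": "ws-03",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

# Shells and script hosts that a video-conferencing client has no reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def dirname(path):
    return path.replace("\\", "/").rsplit("/", 1)[0].lower()


def is_suspicious_zoom_child(event):
    """True when Zoom spawns a shell/script host, or any binary that does not
    live in Zoom's own install directory."""
    if basename(event["parent_image"]) != "zoom.exe":
        return False
    if basename(event["image"]) in SUSPICIOUS_CHILDREN:
        return True
    return dirname(event["image"]) != dirname(event["parent_image"])


def find_suspicious(events):
    """Return a compact alert record for every matching event."""
    return [{"host": e["host"], "child": basename(e["image"]), "cmdline": e["cmdline"]}
            for e in events if is_suspicious_zoom_child(e)]


if __name__ == "__main__":
    for alert in find_suspicious(EVENTS):
        print(alert)
```

The same-directory allowance keeps Zoom's own helper binaries quiet; tune the `SUSPICIOUS_CHILDREN` set to the script hosts your fleet actually uses.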
- System Misconfiguration – Security misconfiguration is a widespread problem that can put organizations at risk thanks to incorrectly configured security controls (or lack thereof). This can happen at almost any level of the IT and security stack, ranging from the company’s wireless network, to web and server applications, to custom code.
- Typosquatting – Typosquatting is a phishing attack where attackers take advantage of commonly misspelled domain names. Oftentimes, the guilty party isn’t actually looking to carry out an attack, but instead is holding out hope that a company, brand or person will buy the domain off them. But in other cases, thieves create malicious domains that closely resemble those of legitimate brands.
- Watering Hole Attack – Like a literal watering hole, a watering hole attack is one in which the user’s computer is compromised by visiting an infected website with malware designed to infiltrate their network and steal data or financial assets. The specific technique is essentially a zero-day attack — the goal being to infect the computer system to gain access to a network for financial gain or proprietary information.
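The defensive side of typosquatting is spotting the look-alike domains before users do, for example by screening sender domains in mail logs or newly registered domains against your own brands. The code below is an added example, not part of the original post; `BRAND_DOMAINS` is a constructed list standing in for an organization's real domains, and the homoglyph table covers only the common substitutions shown. It goes slightly beyond the text's misspelling case by also folding character look-alikes (such as `rn` for `m` and `1` for `l`) and catching the same brand label under a different top-level domain.

```python
# Constructed brand list for this example; replace with your organization's domains.
BRAND_DOMAINS = ["example.com", "examplebank.com"]

# Common look-alike substitutions, folded before comparing labels.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label):
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Label left of the TLD ('example' for 'www.example.com'). Good enough for
    two-level domains like the sample; multi-part TLDs (co.uk) need a suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brands=BRAND_DOMAINS, max_distance=2):
    """Return (verdict, closest brand, distance) for a candidate domain."""
    domain = domain.lower().rstrip(".")
    label = registrable_label(domain)
    best_brand, best_d = None, None
    for brand in brands:
        if domain == brand:
            return ("exact", brand, 0)
        brand_label = registrable_label(brand)
        d = min(levenshtein(label, brand_label),
                levenshtein(normalize(label), normalize(brand_label)))
        if best_d is None or d < best_d:
            best_brand, best_d = brand, d
    if best_d == 0:
        # Same label under another TLD, or identical after homoglyph folding.
        return ("lookalike", best_brand, 0)
    if best_d <= max_distance:
        return ("suspicious", best_brand, best_d)
    return ("unrelated", best_brand, best_d)


if __name__ == "__main__":
    for d in ["example.com", "examp1e.com", "exarnple.com", "example.co", "exampel.com", "github.com"]:
        print(d, classify(d))
```

A distance threshold of 2 catches single typos and transpositions; raise it only for long brand labels, or short legitimate domains will start matching.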
- Web Session Cookie Theft – When an attacker successfully steals a session cookie, they can perform any actions the original user is authorized to take. A danger for organizations is that cookies can be used to identify authenticated users in single sign-on systems, potentially giving the attacker access to all of the web applications the victim can use, like financial systems, customer records or line-of-business systems potentially containing confidential intellectual property.
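Because a stolen cookie is as good as the password, the cookie itself has to be hard to steal and short-lived. The following is an added example, not code from the original post: it builds a Set-Cookie header with the standard protections (Secure, HttpOnly, SameSite, bounded lifetime, a random 256-bit session id) and an auditor that reports which of those protections a given header is missing, which is a quick check to run over any application's login response.

```python
import secrets


def build_session_cookie(name="session", max_age=3600):
    """Set-Cookie value for a new session: Secure (HTTPS only), HttpOnly (no
    script access), SameSite=Lax (not sent on cross-site POSTs), bounded lifetime."""
    token = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable session id
    return f"{name}={token}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """List the protections a session cookie is missing (empty list means it passes)."""
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: readable by script injected via XSS")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    if len(value) < 22:   # token_urlsafe(16), 128 bits, already yields 22 characters
        findings.append("session id too short to be unguessable")
    return findings


if __name__ == "__main__":
    good = build_session_cookie()
    print(good, audit_set_cookie(good))
    print(audit_set_cookie("session=abc123; Path=/"))   # constructed weak header
```

The auditor checks only the header; rotating the session id at login and invalidating it server-side at logout are the other half of limiting what a stolen cookie is worth.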
- Wire Attack – Wire attacks are sophisticated schemes that send fraudulent high-value payments through international wire transfer networks. Often going beyond ordinary wire fraud, attackers can target banks in emerging markets with limited cybersecurity infrastructure or operational controls or lure high-profile targets with sophisticated and believable phishing scams. These cybercrime syndicates are after one thing: money. And lots of it.
- Zero-Day Exploit – A zero-day vulnerability, at its core, is a flaw. It is a weakness within a piece of software or a computer network that hackers take advantage of soon (or immediately) after the software becomes available for general use — the term “zero” refers to the same-day window in which these vulnerabilities are abused.
As always, if you have questions call us at 844-506-2116 and we can help improve your cybersecurity posture!
Just so you know about AT-NET Services…
The Best MSP Professionals and Cybersecurity Professionals
Flat Fee IT Service, HIPAA, PCI, SEC, FINRA Services, Business Risk Management Services, IT Project Management, Managed IT Services, Co-Managed IT Services, Cloud Solutions, VoIP Solutions, IT Helpdesk, Workstation Support, Windows Server Support, Cybersecurity Solutions, Vulnerability Management, Network Infrastructure, Email Security, Data Backup & Recovery, Phishing Simulation, Security Awareness Training, Security Risk Assessments, Microsoft 365, Security Cameras, Integrated Door Access, and Structured Cabling.
created by Jeff King (LinkedIn – Jeff King)