What is a cyberattack? What are the types of cyber security threats? How can your business minimize the risk of a cyberattack on your business-critical data? Never has there been a more dangerous time for your business and your SaaS data. The threat landscape for businesses today is filled with many different security threats and attack vectors used by hackers and other malicious individuals. On the world scene, 2020 and 2021 have already been challenging years for businesses across the board with COVID-19. Coupled with the current pandemic and the cybersecurity threats that have been very prevalent and growing in recent years such as ransomware, there are many different cyber risk types in 2020 that your business needs to prepare for.
What Is a Cyber Attack?
A cyber attack refers to a type of attack that is carried out by cybercriminals using a computer or group of computers to attack another computer, group of computers, or network. Cyber-attacks have become all too common in today’s world largely due to how organizations have evolved in the way they carry out business.
Today’s businesses, no doubt including your own organization, heavily use technology to carry out business-critical operations and support their organization’s data. Data has been referred to as the new gold of this century as it represents the most valuable asset that a business possesses.
When you think about the fact that organizations rely on their customer data for day-to-day operations, selling, buying, turning a profit, making projections, and performing analytics, it is at the heart of just about every operation. What’s more, most businesses are expanding the way they are using and ingesting data.
Many organizations are starting to use artificial intelligence (AI) and machine learning (ML) to make decisions or perform intelligent analyses. Both technologies rely on massive amounts of data. Besides massive datastores on-premises, organizations are leveraging public cloud environments and cloud Software-as-a-Service (SaaS) environments for storing critical data.
Cyber attacks target data in one way or another. Data can be altered, deleted, encrypted, or stolen based on the intentions and directives of attackers. Attackers may also work in stages to compromise systems and data as they infiltrate computer systems and networks slowly and create backdoors into your network.
What Do Hackers Want?
There are generally three objectives behind cyber attacks:
- Disrupt or damage – This is often the objective that is highlighted by many of the cyber attacks that make headlines, including massive ransomware attacks. With these types of cyber threats, the attacker is looking to disrupt the normal business continuity of your organization to benefit in some way. A great example of this is ransomware. With ransomware, a ransom is demanded by the attacker to allow your business to return to normal operations and regain access to data. Distributed Denial of Service (DDoS) attacks are another familiar type of attack that can prevent businesses from carrying out operations.
- Steal – Attackers can also have the objective to steal highly sensitive or valuable information, often to sell on the black market. These types of cyberattacks often result in damaging data leaks that result in a heavily damaged business reputation and potentially other consequences as a result of fines or legal implications.
- Infiltrate – Another aim of attackers is to infiltrate your organization’s network and slyly stay hidden, moving laterally through the network looking to ultimately compromise an administrator account. Businesses can be compromised for literally “hundreds of days” or even years, without knowing it. Below are figures from the IBM 2019 Cost of a Data Breach Report:
- The average time to identify a breach in 2019 was 206 days
- The average time to contain a breach was 73 days, for a total of 279 days
The potential damage, stealing of data, and widespread compromise that can happen in the meantime can be enormous and catastrophic to your business.
Who is behind cyber attacks?
You may wonder who is behind cyber attacks that are commonly carried out on your business today. These generally fall within two categories of cybercriminals who may have differing motivations for what they do.
- Insider threats
- Threats from the outside
Who or what comprises each group of cybercriminals?
People Within Your Organization
A very common but often overlooked threat to your organization is insider threats. Insider threats come from the very ones that you typically trust within your organization – your own employees. While we certainly are not imputing bad motives on all employees, it only takes one unscrupulous employee to do major damage to your business.
Additionally, well-meaning employees can inflict data loss or a data breach on your organization accidentally. Without thinking, an end-user can accidentally expose sensitive data to the masses.
The top types of data security threats from insiders are as follows:
- Disgruntled or unscrupulous employee intentionally damaging or leaking data from your organization
- Malicious IT admin with administrative access to business-critical systems
- Careless or otherwise trusted employee who accidentally exposes, leaks, or damages critical data
Additionally, without controls over third-party applications in Software-as-a-Service (SaaS) environments, well-meaning employees could unintentionally install third-party applications that may in themselves have malicious intent or are “leaky” and expose sensitive data to others.
The other, more commonly discussed type of security risk to your enterprise organization is the threat from attackers on the outside. There are many different sources of cyber attacks from criminals on the outside. These include:
- Organized criminal hacking groups or experienced individual hackers
- Professional hackers working for an organized criminal hacking group
- Nation-state hackers working for various governments
- Amateur hackers who are simply looking to gain experience
What is Ransomware?
According to the US Cybersecurity and Infrastructure Security Agency, ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation’s state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.
Cyber Attacks in 2021 – Current IT Security Threats
This year has presented challenges on a world scene that no one could have predicted. The Coronavirus or COVID-19 has brought about sweeping changes in the way organizations are carrying out business throughout the world. Most have shifted the workforce to a majority working from home.
With the shift in how and where employees are conducting business activities, hackers are following suit to capitalize on the shift in the workforce as well as even preying on the situation at hand with COVID-19. Attackers know that employees working from home are more distracted than when working on-premises and most are extremely curious and interested in the situation with the Coronavirus pandemic.
This leads to a situation where employees are even more likely to fall victim to phishing attacks or malicious websites that lure employees with relevant COVID-19 headlines or subject lines. In fact, a recent report by ZDNet highlighted the new threat that is evolving where attackers are looking to directly exploit the COVID-19 pandemic in various ways.
In Italy, which has been extremely hard hit by the COVID-19 outbreak, attackers are targeting users with Italian email addresses with messages claiming to be from the World Health Organization (WHO). In the email, attackers have attached a legitimate document from WHO; however, they are also dropping a Trojan on the end user’s machine that steals banking information and turns the end-user computer into a bot that can be used in widespread cyber attacks.
Attackers are also targeting corporate environments with emails supposedly from contractors or delivery agencies noting how their services will be adjusted during the pandemic. Thinking the emails are legitimate again, corporate end users can be enticed to click on the attachment that drops malware on their system.
Spam E-mails: Cure for the Coronavirus or asking for money or financial information
Other low-level scams have emerged using spam emails claiming to have a cure for the Coronavirus or asking for money or financial information in exchange for so-called medical advice. Users who disclose their financial information will, of course, have that information compromised by the attacker.
In an apparent foreign state attack, the U.S. Health Agency was hit amid the COVID-19 outbreak. Foreign state attackers have apparently been using directed attacks to disrupt and spread misinformation during the current pandemic.
As it turns out, the risk from COVID-19 is not just a physical virus infecting individuals; it has been the catalyst that cybercriminals are using in 2020 in a large way to infect unsuspecting end-users and organizations alike.
In addition to the cyberattacks directly related to COVID-19, attackers are still using many of the common categories of cybersecurity threats they have used in recent years to attack end-users and your organization in 2020. What are the various types of cybersecurity threats and how are they classified?
Types of Cyber Attacks and Common Categories of Cyber Security Threats
In looking at the types of cyber security threats that are happening at the moment around COVID-19, we have already hinted at various attacks that cybercriminals are using to compromise end-users and corporate networks. However, let’s dive deeper into the classification of security threats and common cybersecurity risks.
We will look at the following categories and the types of attacks that fall within each:
- Malware attacks
- Phishing attacks
- Web attacks
- Password attacks
- Insider Threats
Malware attacks are a family of attacks that can include many different variants that cybercriminals can use to attack end-users and businesses, each of which your organization needs to be aware of.
Ransomware is without a doubt the most well-known type of malware and major cyber threat that is actively used to carry out cyber attacks. The reason for this is that it is easy for attackers to use and it is highly effective and lucrative. Ransomware is popular because it works.
Ransomware encrypts your data using an encryption key. The ransomware then demands a sum of money in the form of untraceable cryptocurrency to unlock the data to regain access. In essence, it holds your data hostage. Ransomware is often used in conjunction with other forms of attack such as phishing attacks that lure end-users in with a tempting email or website and then drops ransomware on their system.
Time and again we see news headlines of government agencies, schools, hospitals, and large corporations alike that have been infected by ransomware and in many cases, have to close their doors at least for a time. Ransomware can inflict untold damage on computer systems and data.
Ransomware is quickly becoming not only a problem for on-premises environments, but also for cloud environments. Ransomware has been shown to be able to encrypt entire user mailboxes by simply granting cloud OAuth permissions to a malicious third-party application by way of a phishing email.
Additionally, if organizations are making use of on-premises to cloud file synchronization, ransomware can easily infect the on-premises environment and then synchronize up to the cloud SaaS storage such as Google Drive or Microsoft OneDrive.
The trojan horse has been around for quite a while. Intuitively, the trojan horse secretly slips into your system, either by masquerading as legitimate software or by providing some other function. It then “listens, records, and steals” information that you access. As described earlier with the COVID-19 trojan horse planted in messages targeting Italian email addresses, financial information was stolen en masse as end-users opened emails with attachments containing the trojan.
The drive-by attack is a type of attack where hackers compromise a legitimate website that has a security vulnerability. They then plant a script, or even compromise an in-page advertisement, that installs malware on the computers of visitors to the page. The “drive-by” nature of the attack means the end-user does not have to perform any action to become infected with the malware other than simply visiting the site. The infection is automatic and silent.
The Phishing attack is one of the oldest types of cyber attack. Even though it is seemingly traditional and archaic in concept, it still works very effectively. Hackers often use phishing attacks in conjunction with other types of cyber attack threats such as ransomware. Phishing attacks are a type of social engineering attack where attackers play upon human nature to open an email or other type of message. When end users open the message, they are either enticed to send back sensitive information to what they think is a trusted source, or they are infected with some type of malware on their system. Phishing attacks fall into several categories.
Spear phishing attacks are a type of phishing attack that is aimed at a certain individual, organization, or type of industry. Often an attacker will perform various types of reconnaissance to gather enough information to make the phishing email appear to be legitimate. Once enough information is obtained such as names, email signatures, company logos, and other types of information, the phishing message will be sent to a likely target that is an unsuspecting end user. Often an email is sent to look like it is from a user within the recipient’s own organization. The idea behind the attack may be to steal confidential company information or to trick an end-user into sending or transferring money on behalf of the organization.
Whale phishing is a type of attack that impersonates high-profile individuals in your company such as CEOs, CIOs, or CFOs. Under the guise of a C-level executive, an attacker will send an email impersonating the CEO to another individual in the company who may have the ability and authority to transfer money. The email will then direct the employee to make a wire transfer on behalf of the executive. All the while, the end-user is simply transferring money to the attacker. Due to the highly personalized nature of the whale phishing attack, they can be difficult to detect and are highly effective in many cases.
Vishing is a type of “voice” phishing that may prey upon individuals or company employees using a telephone call. While not as common as the other types of phishing, it is still a type of phishing attack that your end-users need to pay attention to and be aware of.
Web attacks are another form of attack that is employed by an attacker. Using different tools and by exploiting known types of cyber vulnerabilities in your website, an attacker can compromise user data, pivot to other backend systems, and access even more sensitive forms of information.
When not protected properly, online forms and other input fields on websites may be subject to what is known as a cross-site scripting attack. Attackers submit code through these inputs to web applications in an effort to gain control over or exploit backend systems.
With SQL injection attacks, cybercriminals again use malicious input to compromise or delete data that is contained in backend databases. If web developers and other application development teams have not put safeguards in place to prevent this type of attack, cybercriminals can easily exploit web applications to manipulate their backend data.
There are many different ways that an attacker may try to compromise an end user’s password. When accounts are not properly protected using multi-factor authentication or some other means, once a username and password combination is found, the attacker has the means to gain entry into your organization. There are many ways that attackers use to do this.
Using programs that can quickly cycle through dictionary-type databases, attackers can quickly try possibly thousands of password combinations for a single user account. If very weak or dictionary-based passwords are used by end-users, there is a high probability that with a bit of time, the password can be “cracked”.
Another type of password attack is called the pass-the-hash attack. The pass-the-hash attack can be used in both Linux and Windows environments to capture the “hashed” value of a password and simply replay that value to access resources. There are many tools available that allow attackers to easily parse system memory, looking for hashed passwords that are stored there. While there are newer Windows features available to combat this, many organizations are still running older or unpatched Windows versions that leave them susceptible to this form of password attack.
Insider Threats come from your own employees. Well-meaning end-users as well as unscrupulous users both pose different threats to Internet security and your organization’s data. Insider threats include the following.
Shadow IT is any software used by individuals in your organization that is not company-sanctioned or IT-approved software or service. Users may inadvertently adopt shadow IT by simply using a cloud service to make file sharing easier or by using a new cloud service for communicating with members of the department or team. However, shadow IT is extremely dangerous as it can open your organization up to data leaks, data loss, and compliance violations.
Risky third-party apps
Especially in the world of cloud SaaS, third-party applications are extremely popular. Left unchecked or without any control mechanism, end users can easily install third-party applications that can pose dangers to data security. Most end-users simply grant the permissions requested by an application upon installation. If an application is malicious in nature and has been granted the permissions to read data that is stored on a cloud drive, your data can easily be in jeopardy. Risky third-party applications can also come in the form of browser plugins that request similar types of permissions to integrate with and read the information that may be stored in your cloud environment.
How You Can Minimize the Risk of Cyber Attacks
While no cyber security plan or solution is perfect, you can certainly minimize the risk posed by the cyber attacks that are prevalent today as well as during the COVID-19 pandemic. What are some of the ways that organizations can protect themselves?
- End-user training
- Endpoint security
- Multi-factor authentication
- Email filtering and protection
- Controlling third-party apps
End-user training yields tremendous rewards in terms of securing your business-critical data. End-users need to be trained on how they can effectively spot a phishing email they have received. Help them ask good questions and go the extra step to verify the email.
- Who is the email from?
- Does it contain a hyperlink?
- Am I being asked to do something from someone in the organization I wouldn’t normally be asked through email?
- Call the person if there is any question about the validity of the email
Often, end users can easily spot phishing attempts, spear phishing, or whale phishing attempts with a little training to spot the obvious red flags.
While not sufficient on its own, endpoint security is one of the necessary layers of security that should be used by your organization. Many endpoint security software solutions are using new “advanced” techniques including machine learning to more easily spot ransomware that is attempting to infect end-user systems. If an end-user does click on a malicious link in an email or visits a site that is infected with a drive-by attack, the next layer of defense is the endpoint security solution. It can potentially block the malicious code from infecting the end-user system, even when the end-user did not recognize the danger.
Since passwords are often still an extremely weak link in the overall security posture of an organization, using multi-factor authentication is extremely important. Multi-factor authentication requires possession not only of the username and password but also of an additional piece of information that you hold, in the form of a multi-factor token such as on a smartphone. By enabling multi-factor authentication, you drastically reduce the opportunity for password-based compromise. Even if the attacker can guess or compromise the password in some way, you still have possession of the MFA token.
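As an added illustration (not code from the post or from SpinOne), the sketch below implements RFC 6238 time-based one-time passwords, the kind a smartphone authenticator generates, and a login check that requires both the password and a fresh code, refusing codes that have already been accepted. The account class, PBKDF2 iteration count, drift window and base32 seed are assumptions made for this example; the test secret is the one published in RFC 4226/6238.

```python
import base64
import hashlib
import hmac
import os
import struct

# Shared key from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 seed; decode it to raw key bytes."""
    return base64.b32decode(encoded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, last_counter, step=30, digits=6, window=1):
    """Return the counter that matched, or None.
    `window` steps either side of now are accepted to tolerate clock drift; any
    counter at or below `last_counter` is refused, so a code captured once
    (for example through a phishing page) cannot be replayed later."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


class Account:
    """Minimal user record (assumed shape): salted PBKDF2 password hash, TOTP seed,
    and the last counter accepted, used as the replay marker."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password, self.salt), self.pw_hash)


def login(account: Account, password: str, code: str, unix_time: int) -> str:
    """Both factors must pass. A correct password with no valid code yields 'mfa_failed',
    which is the property the text relies on when a password has been compromised."""
    if not account.check_password(password):
        return "bad_password"
    matched = verify_totp(account.totp_secret, code, unix_time, account.last_counter)
    if matched is None:
        return "mfa_failed"
    account.last_counter = matched
    return "ok"
```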
Email filtering and protection
Using advanced email filtering and protection is also a crucial part of helping to secure your organization from the risk of a cyber attack. The number one way that users are infected with ransomware is by email. Advanced email filtering can help to eliminate a large number of phishing or malicious emails that are sent to your end-users.
In addition, email protection can remove file attachments, or attachments with certain types of extensions. It can also strip URLs or links from the body of the received email so that if they are malicious, they are removed before the end-user has a chance to click them.
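As an added example (not code from the post or from SpinOne), the filter below performs the two steps just described on a constructed MIME message: it drops attachments whose extension is on a block list and replaces every URL in the text body with a placeholder. The block list, placeholder text and the sample message are assumptions for the example.

```python
import os
import re
from email import message_from_string, policy

# Assumed block list for this example: attachment extensions removed outright.
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm", ".xlsm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LINK_PLACEHOLDER = "[link removed by mail filter]"

# Constructed sample (not a real phishing message): a "delivery schedule" lure of the
# kind described earlier, with one link in the body and one macro-enabled attachment.
SAMPLE_EMAIL = """\
From: "Parcel Services" <notice@example.invalid>
To: finance@example.com
Subject: Adjusted delivery schedule during the pandemic
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Our services are adjusted. Review the new schedule at http://example.invalid/schedule
and confirm using the attached form.
--b1
Content-Type: application/octet-stream; name="schedule.docm"
Content-Disposition: attachment; filename="schedule.docm"
Content-Transfer-Encoding: base64

TUlNRQ==
--b1--
"""


def _drop_blocked_attachments(part, removed: list) -> None:
    """Recurse through multipart containers, deleting children whose filename
    extension is on the block list; names of removed parts go into `removed`."""
    if not part.is_multipart():
        return
    subparts = part.get_payload()  # the live list of children; edited in place
    kept = []
    for sub in subparts:
        name = sub.get_filename()
        if name and os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            removed.append(name)
            continue
        _drop_blocked_attachments(sub, removed)
        kept.append(sub)
    subparts[:] = kept


def _strip_links(msg) -> int:
    """Replace every URL in text/plain bodies so there is nothing left to click."""
    stripped = 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            text, count = URL_RE.subn(LINK_PLACEHOLDER, part.get_content())
            if count:
                part.set_content(text)
                stripped += count
    return stripped


def filter_message(raw: str):
    """Return (cleaned message, names of removed attachments, number of links stripped)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    _drop_blocked_attachments(msg, removed)
    links = _strip_links(msg)
    return msg, removed, links


def body_text(msg) -> str:
    """Plain-text body of a message, or an empty string if it has none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""
```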
Controlling third-party applications
If your organization is using a cloud Software-as-a-Service (SaaS) environment (Google Workspace or Microsoft 365), third-party applications and browser plugins can pose a huge danger to your environment. Organizations must have a way to control which applications end users can install and have visibility into what data those applications can access. A solution like SpinOne’s SpinAudit, which scans third-party applications and browser plugins for behavior-based intent and supports whitelisting and blacklisting apps, provides the control needed to ensure third-party applications do not pose a threat to your data.
SpinAudit also allows you to effectively see where data is shared, both inside the company and outside. This is extremely helpful to have visibility of who has access to business-critical data. This allows you to stop compliance or data leak threats and remediate those threats quickly and easily.
SpinOne’s ransomware protection module also proactively protects your cloud SaaS environment from ransomware. It does this by using artificial intelligence (AI) and machine learning (ML) to detect file behavior changes. Once an abnormal change is detected, SpinOne blocks the source of the attack automatically, and then proactively recovers the files that have been affected by ransomware. This is done without any user interaction.
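The detector below is an added, illustrative heuristic of the "file behavior change" idea, not SpinOne's algorithm or code: it treats a burst of high-entropy rewrites by one actor as ransomware-like and names that actor as the source to block. The thresholds, the actor labels and the sample event stream are all constructed for the example.

```python
import math
import random
from collections import deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain text is typically 4 to 5; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BurstDetector:
    """Flag an actor that writes many high-entropy files within a short window.

    Assumed heuristic: ransomware rewrites many files quickly and the new
    contents look random, while normal editing is slow and low-entropy."""

    def __init__(self, window_seconds=60, max_suspicious=5, entropy_cutoff=7.5):
        self.window = window_seconds
        self.limit = max_suspicious
        self.cutoff = entropy_cutoff
        self.recent = {}      # actor -> timestamps of recent high-entropy writes
        self.blocked = set()  # actors whose access would be revoked

    def observe(self, ts: int, actor: str, path: str, content: bytes) -> bool:
        """Process one modify event; return True if `actor` is (now) blocked."""
        if actor in self.blocked:
            return True
        if shannon_entropy(content) < self.cutoff:
            return False
        recent = self.recent.setdefault(actor, deque())
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # forget writes older than the window
        if len(recent) >= self.limit:
            self.blocked.add(actor)
            return True
        return False


# Constructed sample traffic: a user editing reports every five minutes, then an
# OAuth-connected app rewriting shared files every two seconds with random bytes.
_rng = random.Random(7)
TEXT = b"Quarterly forecast: revenue up 4 percent, costs flat, hiring paused.\n" * 40
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(2048))  # stands in for ciphertext
SAMPLE_EVENTS = [
    (i * 300, "alice", f"reports/q{i}.docx", TEXT) for i in range(6)
] + [
    (1000 + i * 2, "app:oauth-sync-helper", f"shared/file{i}.docx.locked", ENCRYPTED)
    for i in range(8)
]


def run(events, detector=None) -> dict:
    """Feed events through the detector; return {actor: (ts, path)} of first block."""
    detector = detector or BurstDetector()
    first_block = {}
    for ts, actor, path, content in events:
        if detector.observe(ts, actor, path, content) and actor not in first_block:
            first_block[actor] = (ts, path)
    return first_block


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

With the defaults, the app is blocked at its fifth write within the window; the recovery step the paragraph describes would then restore the files touched before that point from backup.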
SaaS Data Backups
SaaS data backups are a key part of your overall security plan. As mentioned earlier, no security solution is 100% effective. You must protect your data at all costs. This involves safely storing a copy of your business-critical data in the form of a backup that can be easily restored if need be.
Following the 3-2-1 backup best practice rule helps to ensure that you have at least 3 copies of your data, stored on at least 2 forms of media, with at least 1 copy offsite.
Don’t forget about cloud environments! Your data is vulnerable there as well. While cloud systems are highly resilient to any type of underlying hardware failure, you are ultimately responsible for protecting your data as part of a shared responsibility model.
SpinOne’s Spinbackup solution allows you to protect your cloud-based data effectively. Spinbackup provides:
- Automatic, versioned backups
- Efficient incremental backups
- Backup encryption
- The ability to choose in which cloud your data is stored
- Automatic responses that use backups (ransomware protection)
- Reports and alerting
There are many different types of cyber-attacks that can target your business in 2020. Especially with the current COVID-19 pandemic going on, organizations must do their due diligence to understand the current risks to their business and put in place the protections needed to keep business-critical data safe.
By using solutions like SpinOne’s SpinAudit and Spinbackup, organizations can easily protect and secure cloud SaaS environments from today’s threats and those that will no doubt be looming in the future. As your organization continues to migrate data into cloud environments, it is essential to secure and backup that data. In addition, protecting against risky third-party applications that can easily be granted access by end-users is a must.