When assessing the risk of a security breach, it helps to know what you are up against. Cyber threats come in many forms, and understanding their nature makes you better prepared to defend against them. The full list of potential threats is far too long to cover here. To give you some idea of the scope, we'll discuss four major threat areas and give several examples under each one.
Social Engineering Attacks
When someone tries to manipulate you into facilitating a security breach, you are the target of social engineering. Bad actors want you to give up confidential information or let them into sensitive parts of the IT infrastructure. They will naturally look for the most trusting employees as the easiest way past the barriers protecting IT systems and networks, so everyone must be on alert.
In 2016, Hillary Clinton campaign chairman John Podesta received a suspicious email in his Gmail account, dressed up as a security alert from Google. It was forwarded to IT support, but the technician's reply was read as confirming that the message was legitimate. The link in the email led to a fake login page; once the account credentials were entered there, the attacker was able to log in and download Podesta's entire mailbox. When the messages appeared on WikiLeaks, personal and professional emails alike, it was a great embarrassment for Podesta and his political team. Podesta was a victim of phishing, the most common form of social engineering.
Tailgating occurs when an unauthorized person passes through an otherwise secure entryway directly behind someone with proper permission. Many companies require badge access at the outside doors but have little security inside the building, so once an intruder has tailgated in, there is no telling what systems he may be able to reach. Train your people to stand their ground, ask for a badge, and not allow unauthorized entry into secure areas.
The bad guys can be very clever in their techniques to deceive. They may impersonate an executive, try to create a sense of urgency, or intimidate people into action. Your employees need to be aware that IT security threats may include social engineering as well as more technical hacks.
Application Attacks
Online services may be hosted in a company’s data center or on the public cloud. Either way, the proliferation of internet applications means that the cyber threat surface is that much larger. In fact, any web application that you access on a daily basis may be a prime target for cyber attacks.
The Open Web Application Security Project (OWASP) maintains a Top 10 list of web application security risks. Some of the terms may seem a bit technical, but it helps to become familiar with them. Injection occurs when untrusted input, such as text typed into a web form field or sent in a URL, is pasted into a command or database query and the interpreter treats part of that input as code. If the application is not written with the proper safeguards, an attacker can use this to read or modify data he should not have access to, or to make the application perform operations it was never meant to expose.
Misconfiguration is another common weakness in applications. If software is installed with its insecure default settings, or if security patches are not applied regularly, the application can be wide open to a savvy attacker. Software makers like Microsoft continually publish security updates, and those who fail to apply them are making a big mistake.
The list of possible attacks on online services is much longer. From man-in-the-middle (MitM) attacks to IP spoofing, attackers have a lot of options when it comes to compromising your software and the network it runs over.
Wireless Attacks
Some cyber threats are particular to wireless networks, although the other types of attack apply there too. For instance, an attacker may run a MitM attack against users of a cafe's public wi-fi, which is really a network or software attack that happens to start over the air. Strictly wireless attacks, by contrast, target the radio equipment itself and the air interface between devices.
A rogue access point (AP) is a piece of wireless equipment that has not been authorized for the network. If a cyber criminal connects such an access point to the wired network, it becomes a backdoor into systems and data. A related trick is the "evil twin": an attacker's AP that broadcasts the same network name as the legitimate one so that devices connect to it instead. Sometimes employees add their own AP for convenience without telling the IT department; even with no bad intent, that device is an unmanaged entry point for unwanted traffic.
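The usual way to catch rogue and evil-twin access points is to compare what a wireless survey sees with the inventory of APs that IT actually manages. The following is an added example of that comparison, not code or data from the original article: the inventory, the scan results and the signal thresholds are all constructed, and a real deployment would feed it from a wireless IDS or a scan tool instead.

```python
# Authorized access points from the IT inventory: BSSID (the radio's MAC address)
# mapped to the network name it is supposed to broadcast. Constructed sample data.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "CorpWiFi",
    "aa:bb:cc:00:00:02": "CorpWiFi",
    "aa:bb:cc:00:00:03": "CorpGuest",
}

# A site survey as a scanner might report it (constructed). Signal is in dBm;
# values closer to zero are stronger, i.e. physically closer to the scanner.
SCAN = [
    {"bssid": "AA:BB:CC:00:00:01", "ssid": "CorpWiFi",  "channel": 1,  "signal": -48},
    {"bssid": "aa:bb:cc:00:00:03", "ssid": "CorpGuest", "channel": 11, "signal": -55},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi",  "channel": 6,  "signal": -40},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "Free_WiFi", "channel": 6,  "signal": -70},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "HomeNet",   "channel": 1,  "signal": -60},
]

# Above this signal level an unknown AP is probably inside the building rather
# than in a neighbouring office. The threshold is an assumption for the example.
INSIDE_THRESHOLD_DBM = -65

def classify_scan(scan, authorized):
    """Return one finding per access point that does not match the inventory."""
    corporate_ssids = set(authorized.values())
    findings = []
    for ap in scan:
        bssid = ap["bssid"].lower()
        ssid = ap["ssid"]
        if bssid in authorized:
            # Our hardware, but broadcasting a name it should not: misconfiguration
            # or someone reusing company equipment for a private network.
            if authorized[bssid] != ssid:
                findings.append({**ap, "verdict": "managed-ap-wrong-ssid", "severity": "medium"})
        elif ssid in corporate_ssids:
            # Corporate network name from hardware we do not own: the evil twin
            # that lures clients into associating with the attacker.
            findings.append({**ap, "verdict": "evil-twin", "severity": "high"})
        else:
            # Neighbouring networks are normal in shared buildings; they deserve a
            # look mainly when the signal says the device is inside our walls.
            severity = "medium" if ap["signal"] > INSIDE_THRESHOLD_DBM else "low"
            findings.append({**ap, "verdict": "unknown-ap", "severity": severity})
    return findings

if __name__ == "__main__":
    for f in classify_scan(SCAN, AUTHORIZED):
        print(f"{f['severity']:6} {f['verdict']:22} {f['bssid']} {f['ssid']!r} ch{f['channel']}")
```

One caveat a practitioner would add: a BSSID is just a MAC address and can be copied, so an attacker can make an evil twin look like inventory. Matching the scan against the inventory catches the careless cases; the careful ones need a check from the wired side as well (which switch port a suspicious device is on, and whether it should be there).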
It's not just standard wi-fi networks that are at risk. Bluejacking (pushing unsolicited messages to a device) and bluesnarfing (pulling data off it) are attacks on Bluetooth. Radio frequency identification (RFID), often used for inventory and access badges, can be attacked just like other wireless technologies. Wireless connectivity of every kind, including mobile devices, belongs in a company's IT security plan.
Cryptographic Attacks
Encryption is an important part of any IT security strategy. But the mere fact that you have used encryption is no guarantee of security: an encrypted system still has potential weaknesses of its own.
What if the cryptography itself is weak? Some older algorithms are so vulnerable that they are considered obsolete: the RC2 and RC4 ciphers, DES and 3DES, and the MD2, MD4, MD5 and SHA-1 hash functions. Applications that still rely on them are really not very secure at all, no matter how carefully the rest of the system is built.
A brute force attack is like trying every key on your keyring to open the door. While it is considered a cryptographic attack, it is simply a method in which the attacker uses a computer to generate and try every possible key, password or PIN until one works. Its cost grows exponentially with the length of the secret and the size of the alphabet it is drawn from, which is why short keys and short passwords fail, and why it matters that a password is stored with a deliberately slow hash rather than a fast, obsolete one.
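This added example (not from the original article) shows what brute force looks like in practice and why the cost grows so fast. A four digit PIN stored as an unsalted MD5 hash is recovered by exhaustive search in a fraction of a second; the same search against a salted, iterated PBKDF2 hash costs a hundred thousand hash computations per guess instead of one. The PIN, the salt and the iteration count are constructed for the demonstration, and the timing numbers printed will vary by machine.

```python
import hashlib
import itertools
import string
import time

def md5_hex(text):
    # Fast, unsalted hash: one computation per guess is what makes brute force cheap.
    # MD5 is obsolete and appears here only as the "before" picture.
    return hashlib.md5(text.encode()).hexdigest()

def slow_hash(text, salt=b"constructed-salt", iterations=100_000):
    # Salted, iterated key derivation (PBKDF2-HMAC-SHA256): every guess now costs
    # `iterations` hash computations, and the salt defeats precomputed tables.
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, iterations).hex()

def keyspace(alphabet, length):
    # Number of candidates an exhaustive search may have to try.
    return len(alphabet) ** length

def brute_force(target, alphabet, length, hash_fn):
    """Try every string of `length` symbols over `alphabet` until hash_fn matches target.
    Returns (secret, guesses_made); secret is None if the keyspace was exhausted."""
    guesses = 0
    for combo in itertools.product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(combo)
        if hash_fn(candidate) == target:
            return candidate, guesses
    return None, guesses

def estimate_seconds(alphabet, length, hash_fn, samples=20):
    # Time a few guesses and scale up to the full keyspace (worst case).
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(str(i))
    per_guess = (time.perf_counter() - start) / samples
    return per_guess * keyspace(alphabet, length)

# Constructed example: a four digit PIN stored as an unsalted MD5 hash.
PIN_HASH = md5_hex("7391")

if __name__ == "__main__":
    pin, guesses = brute_force(PIN_HASH, string.digits, 4, md5_hex)
    print(f"recovered PIN {pin} after {guesses} guesses")
    alnum = string.ascii_letters + string.digits
    print(f"4-digit PIN, MD5:       ~{estimate_seconds(string.digits, 4, md5_hex):.4f} s worst case")
    print(f"4-digit PIN, PBKDF2:    ~{estimate_seconds(string.digits, 4, slow_hash):.1f} s worst case")
    print(f"12-char alnum, PBKDF2:  ~{estimate_seconds(alnum, 12, slow_hash):.3e} s worst case")
```

Two things to take from the numbers: the slow hash buys only a constant factor, so a four digit PIN is still crackable in minutes, and the real defense is the size of the keyspace (the 12 character password comes out at many millions of years on one machine). Both together are what make stored passwords resistant.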
A downgrade attack manipulates a system into using a weaker mode of operation than it supports, so that it is easier to break. For instance, an attacker sitting between a browser and a web server can intercept the user's initial plain HTTP request and keep serving unencrypted HTTP pages, even though the server offers HTTPS. The user sees a working site, but everything typed into it, including passwords, travels in the clear through the attacker.
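The standard countermeasure to that HTTP-to-HTTPS downgrade is to redirect every plain HTTP request to HTTPS and to send the Strict-Transport-Security (HSTS) header, which tells the browser to refuse plain HTTP for that site on later visits. The following added example (not code from the original article) checks a pair of raw responses for both conditions. The responses, the example hostname and the minimum max-age are constructed for the demonstration; in practice you would capture them with a client of your choice.

```python
MIN_HSTS_AGE = 15552000  # 180 days, a commonly recommended floor for max-age (assumed here)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip().strip('"'))
            except ValueError:
                return None
    return None

def downgrade_exposure(http_response, https_response, min_age=MIN_HSTS_AGE):
    """List the reasons an attacker in the path could hold a user on plain HTTP."""
    issues = []
    status, headers = parse_response(http_response)
    location = headers.get("location", "")
    # First visit: the plain HTTP request must be redirected, never answered with content.
    if not (300 <= status < 400 and location.lower().startswith("https://")):
        issues.append("plain HTTP is served instead of redirecting to HTTPS")
    status, headers = parse_response(https_response)
    hsts = headers.get("strict-transport-security")
    # Later visits: without HSTS the browser will still try plain HTTP first,
    # which is exactly the request the attacker needs to intercept.
    if hsts is None:
        issues.append("no Strict-Transport-Security header")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < min_age:
            issues.append(f"HSTS max-age {age} is below {min_age}")
        if "includesubdomains" not in hsts.lower():
            issues.append("HSTS does not include subdomains")
    return issues

# Constructed responses, not captured from any real site.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form>login</form>"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form>login</form>"
HARDENED_HTTP = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n"
                 "Content-Length: 0\r\n\r\n")
HARDENED_HTTPS = ("HTTP/1.1 200 OK\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
                  "Content-Type: text/html\r\n\r\n<form>login</form>")

if __name__ == "__main__":
    print("weak site:    ", downgrade_exposure(WEAK_HTTP, WEAK_HTTPS))
    print("hardened site:", downgrade_exposure(HARDENED_HTTP, HARDENED_HTTPS))
```

Even a site that passes this check is exposed on a user's very first visit, before the browser has seen the header; the preload directive in the hardened response is what gets the site onto the list browsers ship with, which closes that gap.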
Conclusion
This has been just a survey of some of the types of security threats you may face. In general terms, they fall under social engineering, application attacks, wireless attacks, and cryptographic weaknesses. Real IT security means building layered defenses that work together, not assembling a scattered jumble of security measures and hoping the gaps don't line up. To get there, it's best to have a comprehensive IT security plan that addresses all of these areas in advance. Always be prepared, because cyber threats are always with us.