Phishing
What it is:
Any attempt to compromise a system and/or steal information by tricking a user into responding to a malicious message. The most common phishing attacks involve emails armed with malware hidden in attachments or links to infected websites, although phishing can be conducted via other methods such as voicemail, text messages, and social media, too.
What makes protection a challenge:
For one thing, employees are already in the habit of clicking things because that’s how you interact with modern computers. For another, phishing emails are much more sophisticated than they used to be. Scammers can take over legitimate email accounts or spoof their email addresses to make it look like messages are coming from someone employees trust.
Once a victim is tricked and becomes compromised, the attacker now has their access credentials. They can reach all the same servers, log into the same web applications, and download the same files as if they were that employee. The challenge with protecting against this is you need to limit what servers employees can access or how they can access them. There are times that may run counter to what they need to do their jobs.
Additionally, even if you train employees to be on the lookout for suspicious emails, some phishing attacks can be extremely targeted and look just like any other email from a trusted source who is being impersonated. The most convincing examples of these “spear phishing attacks” don’t provide any red flags until it’s too late.
Social Engineering
What it is:
There are two ways to steal anything — you either take it yourself or you get someone else to give it to you. Social engineering is a broad umbrella term for any tactics designed to exploit and manipulate trust, so the victim hands the attacker what they want — access to information, accounts, or computers inside a secured area. Think fake customer service calls designed to reset passwords or a criminal spoofing your CEO’s email address and asking someone in finance to send an urgent wire transfer — a type of scam referred to as a business email compromise (BEC).
What makes protection a challenge:
Everyone — repeat, everyone — can be conned, defrauded, fooled, or manipulated. Being vulnerable can sometimes come down to a lack of training or experience, but more often it can simply come down to distraction and mental fatigue.
Since this attack targets people directly, there’s very little that technical safeguards can do, especially if the action isn’t outside the employee’s typical responsibilities or usual behavior — like resetting a password for a desperate user (a typical tech support con).
Ransomware
What it is:
Malicious software designed to encrypt a victim’s files and then demand payment, generally in anonymous Bitcoin, in exchange for decrypting the files.
As with other malware infections, ransomware attacks typically start with employees falling victim to phishing emails or visiting compromised websites. Unlike other malware infections, however, the primary goal of ransomware isn’t to gain stealth and persistence for long periods of time. Instead, its priority is to spread as quickly as possible, encrypt as much data as possible, then actively alert victims of its presence so criminals can extort them.
What makes protection a challenge:
Ransomware will lock up any drive the employee has access to, including connected USB drives and network shares. Once files are encrypted the only way to regain access to them is to a) hope you have a reliable, up-to-date backup; b) hope a security researcher has cracked the encryption and made a decrypting tool available; or c) hold your nose and pay the ransom. Paying up is anything but a sure thing, because, well, ransomware authors are criminals. Being dishonest is what they do. They’re also occasionally less than spectacular at coding, so there’s also the risk of paying the ransom only to find your files were accidentally destroyed or rendered unrecoverable.
One reason ransomware is hard to protect against is because it’s built to turn a strength — making files accessible across an organization — into a weakness. Additionally, with ransomware developing into a billion-dollar industry, there’s plenty of incentive for criminals to continue investing in delivery and evasion tactics to keep their business model humming. That means they can change faster than your signature-based security solutions can keep up.
Downloaders
What it is:
Normal-looking programs designed to fetch and install malware without raising any security alarms. In effect, what downloaders allow attackers to do is to get a “man on the inside” prior to committing to a full attack (it’s no coincidence they’re typically called “trojan programs”). Once a downloader creeps its way onto a victim’s system it can scope out the security settings, then smuggle other dangerous malware in after it’s established the coast is clear. Even after an attack is discovered and the other malware has been removed, as long as the downloader is still there hiding away, it can grab more malware and start the process all over again.
What makes protection a challenge:
Downloaders are one step removed from the actual dirty work involved in executing an attack. That means they don’t have to pack the same kind of functionality that might get other malware blocked. Instead, malware makers can focus solely on designing downloaders to be extremely good at avoiding detection.
Think of it as attackers choosing to have a team made up of skilled specialists rather than mediocre generalists. The downloader is a prolific passer and the malware it downloads is a sensational scorer. With both of them able to focus on their respective specialty, they’re able to be much more effective when paired together.
Drive-by Downloads / Download Hijacking
What it is:
In nature, the big predators hang out at common water holes and wait for their prey to come by. On the Internet, the big predators find ways to turn popular website visits into covert attacks. In some cases, they inject code through comments that force unsuspecting visitors to automatically download malware. In other cases, they compromise the web server and inject malicious code into seemingly legitimate downloads. Another trick is to utilize exploit kits, programs designed to actively probe the website visitor’s system for software vulnerabilities that can be exploited.
What makes protection a challenge:
Not only do attackers have the element of surprise in these situations, they also have a collection of tricks to make sure they’re successful. If you update your browser, they’ll update their code. If you patch a vulnerability they’ll move on to a new one. It’s also not as if we’re talking about strictly sketchy websites. Some of the web’s most popular sites (The New York Times, the BBC, AOL, the MSN homepage) have been compromised in the past. You usually can’t ask employees to stop using the Internet altogether.
Malvertising
What it is:
Marketers aren’t the only ones who like to utilize advertising to get in front of the crowds of website visitors. Criminals do the same thing, creating fake ads or inserting malicious code into legitimate ads so they can quite literally capture their audience.
What makes protection a challenge:
Online advertising is already incredibly prevalent and chances are it’s only going to grow more aggressive. At the same time, people are also becoming increasingly used to ads, including pop-ups and the like, and they’re no longer viewed with as much mistrust. In terms of protection, the quick knee-jerk reaction is to use ad-blocker software. Unfortunately, many websites don’t work unless you deactivate it. And if employees have to choose between their ad-blocker and a top 10 list of cat videos...
Zero-Day Attack
What it is:
Traditionally, a zero-day refers to any undisclosed vulnerability that attackers can exploit before victims and software vendors become aware of it and have the chance to patch it. The term “zero-day attack” is also sometimes more broadly applied to attacks that utilize new tactics, exploits, or malware variants that haven’t been seen before, giving them an advantage.
What makes protection a challenge:
It’s difficult to protect yourself against something you’ve never encountered before, especially if it blindsides you. Signature-based security solutions are particularly susceptible to getting bypassed by zero-day attacks since the way they identify malicious files is by comparing them to a list of previously captured malware samples to see if there’s a match. If an attack is using a never-before-seen exploit or piece of malware, there’s a good chance it’s going to claim a victim.
Because of their effectiveness, zero-days are in high demand, and criminals have become increasingly incentivized to discover more of them. Unfortunately, that means uncovering and patching one vulnerability may only offer you momentary protection before attackers move on to exploiting the next one.
Password Cracking
What it is:
A login and password isn’t what most people think it is. It’s actually a complicated set of processes that can involve multiple systems, secure transport to and from the servers, a trusted network of server identity assurance and revocation, code to evaluate the complexity of the user-generated password, more code to make sure the person entering the code is indeed a human, a secondary factor of authentication, and a means to recover lost passwords. So password cracking is more than just running a program to guess the password — it’s about cracking the password process to take over a user’s account.
What makes protection a challenge:
Any system that allows users to access it from anywhere and also requires those users to make, safeguard, and remember their own passwords is a system that’s going to be difficult (if not impossible) to defend.
According to what OSSTMM researchers refer to as “The Somebody Sequence,” the more interaction somebody has in the security process, the greater its attack surface. Asking employees to manage their own passwords is like giving them full control over the keys to an important lock. You can purchase one of the strongest locks money can buy, but how secure can it ultimately be if there are keys for it floating around everywhere?
Distributed Denial of Service Attack (DDoS)
What it is:
There is only so much traffic a computer system can process before it starts to slow down and becomes overwhelmed. By gaining control over a large number of hijacked systems and devices (referred to as a botnet), attackers can direct large amounts of connection requests or packets of random data at a single target all at once, with the intention of overloading the system and taking it offline.
What makes protection a challenge:
The larger the botnet, the more damage a DDoS attack can do. The best you can hope for when you’re attacked is that you’re subscribed to an anti-DDoS service, but even that doesn’t provide a guarantee you’ll stay up and running if you’re dealing with an attack with a high level of magnitude.
To make matters worse, sometimes attackers will contact their targets ahead of time and threaten to knock them offline unless “protection money” is paid up front. It can be difficult to discern whether such threats are genuine or simply scams, and — as is the case with ransomware — giving in to criminal extortion demands never comes with a guarantee.
Scareware
What it is:
You’ve probably seen the pop-ups — “Warning! A virus has been detected on your computer. Download VirusBlaster to clean and remove it.” The malware that really infects your computer is the program that pop-up is trying to trick you into downloading. Scareware can come in a variety of forms from fake antivirus programs to fake browsers or software updates.
What makes protection a challenge:
We know that social engineering works because it preys on the distracted and mentally fatigued. Combine that with eagerness to please or help and thus begins the “good intentions” downward spiral that leads employees to make really bad decisions.
Once scareware gets inside the system it has all the privileges, passwords, and logins of the employee who installed it. Getting it out may be as easy as just wiping the system and starting fresh or recovering from backup. Or it may be more difficult and time-consuming if the malware spreads to other systems.
SQL Injection
What it is:
If a website has an input box or entry form (like when you’re entering in your username and password, or your credit card number if you’re buying something) then an attacker can try inserting structured query language code to gain access to or make changes to the stored data.
What makes protection a challenge:
SQL injection exploits the trust between the web application and its database to let the attacker do pretty much whatever they want with the database. If all you can think of is “delete data” then you’re underestimating the depths a criminal can stoop to. Besides adding, removing, and changing data, and in addition to stealing info like client credit card numbers, personal data, and health records, there’s also the possibility of inserting malicious code to be passed back to users when they use the form, instead of the data they’re looking for. Once criminals start using that tactic they can abuse popular websites to do their dirty work for them, like distributing drive-by downloads, building a botnet army, even hijacking DNS requests to send visitors to malicious versions of legitimate websites they know and trust. If the login form is vulnerable, SQL injection can even help with password cracking by bypassing the login altogether.
Any place where a user can input information into a website backed by a database has the potential to be SQL injectable, which unfortunately makes it a widespread problem. You can’t just remove all user-input interactions from your website and still get any purchases or feedback.