2016-08-29

In our Introduction to IT Security article, we covered a number of ways to help protect your data, systems, and customers’ information against security threats. But new types of threats are emerging that can compromise your business. Here’s a quick guide to some trends in IT security and a few ideas to safeguard yourself against them.

Classifying the type of attack: Active attacks vs. passive attacks

First, an important distinction to make is active attacks vs. passive attacks. These differ both in how they are accomplished and what they do once the unauthorized party gains access.

Passive attacks happen when a program is constantly searching for vulnerabilities, and when one is found, it gains entry. These can be vulnerable plugins, active versions of old plugins, or open ports. Server ports are basically how each application or service running on a server can send and receive requests from a client. They’re numbered and assigned to a service, such as email or FTP. If a port isn’t protected by a firewall, it’s open to the outside world—leaving the network behind it open as well. Attacks of chance are passive attacks, too, and account for about 99.9 percent of attacks. They typically happen when a program passively scans the web for open ports and gains access from there.

When a passive attack occurs, the unauthorized eavesdropper is mostly just listening in and gathering information and not making any changes to the data or system. They can, however, often serve as a scouting mission for an active attack in the future.

An active attack has more effort behind it—and often more dangerous implications. Once an active attack is successful, the hacker’s goal is to make changes to the network or system, intercept data, or modify and send messages or data from the network. This can be achieved through stolen login information (e.g., a masquerade attack or a session replay, both of which involve compromised credentials) or by more elaborate means—like a denial of service (DoS) attack. DoS attacks gain access to a network and then lock authorized users out, which can lead to all kinds of disruptions until access is regained.

A brute force attack is an active attack specific to cryptography—and even more specifically, passwords. A hacker will use software in an attempt to guess a password. The more characters a password has, the more possible combinations there are—which can take exponentially more time (and more resources) to crack. The same theory applies to cracking an encryption key—the more bits in the key, the harder it is to guess.

How can you prevent brute force attacks? There’s really no substitution for a solid password. Encrypting or obfuscating the data attackers are attempting to access is another important layer.

Injection attacks: Giving your database a mind of its own

Injection attacks are a whole other class of active attack. These are difficult to ward off because of the sheer variety of them—SQL, code, command, and XML injection, to name a few—but also because there’s a lot of opportunity for them. These attacks target a web app’s data, and because most web apps need data to some degree in order to function, there are many targets.

Essentially, a SQL injection attack takes control of your database by injecting data into the app that gives the database instructions from the hacker. As a result, your database is performing functions you haven’t authorized, like leaking data, removing data, or manipulating stored data.

The good news is that you can ward off these types of attacks with basic steps like validation, escaping, and solid coding of SQL queries—something a skilled SQL programmer can help with. Then, enforce a Least Privilege Principle in the event that hackers do get in—this keeps user rights (and authorized or unauthorized users can do) to a minimum.

Injection attacks go hand in hand with one of the other most popular and successful types of attacks on web apps: code injection and cross-site scripting (XSS). Code injection and cross-site scripting are similar, but code injection deals with injecting source code into an app while XSS injects JavaScript code into the browser. Both give your app instructions to run that you haven’t authorized. Input Validation will be key in warding off these types of attacks, ensuring any input into an app or site is from authorized end-users, not malicious sources.

Hacking Humans: Social Engineering and Phishing Scams

Sometimes, we are our own worst enemies when it comes to cyber crime. Two ways hackers continue to successfully break into networks are by targeting the people who use them: through social engineering and a popular form of it, phishing scams. It may seem far-fetched to think you can just ask someone for their password and they’ll hand it over, but many hackers have found this technique is far easier (and faster) than trying to hack into the network themselves. And it’s all based around trust and manipulation.

Social engineering preys on human flaws using various means of impersonation. These cons can happen in person, over the phone, or over social networks. If thieves can get a person to trust them—whether by impersonating someone they trust, wearing an official-looking uniform, or building a relationship through chatting—they can often glean the information they need to steal that person’s identity.

Phishing attacks happen right in our inboxes. In these email-based attacks, thieves send legitimate-looking emails with the end goal of getting users to willingly give up personal information, login credentials, credit card numbers, or account numbers. These emails can look extremely real through the use of HTML, logos, and return email addresses, all designed to look like it’s been sent from a trusted company. It’s fairly easy to trick someone into responding if they aren’t familiar with the telltale signs that indicate a message is suspicious.

Given the volume of phishing emails sent out—to millions of potential victims—it only takes a small percentage of people responding to them for the scam to be a success. The most effective way to guard against these is by educating users, making them aware of suspicious emails, and giving them a way to report anything they suspect to be fraudulent.

A Cyber Criminal’s Weapon of Choice: Malware

One of the key threats companies must safeguard against when it comes to internet security is malware. When downloaded onto a computer, this malicious software can monitor activity, access personal data, and create “backdoors” into networks that can be accessed by unauthorized users. Backdoors lead to large-scale attacks like data breaches.

Potential ways to prevent any of the malware listed below are to keep all operating systems updated and to install firewalls. Antivirus and antispam experts and firewall developers can help you put preventative plans in place, or you can engage a developer who specializes in malware removal to help you get rid of malware that’s infected your computer or network.

Malware can include a lot of variants, which serve different purposes:

Spyware: This malware watches activity on a computer, then exports data about the activity to the hacker.

Ransomware: Another type of malware, it locks you out of your computer or data until you pay a ransom to get it back. It’s big business, with hackers making an estimated $5 million a year off of ransomware victims.

Viruses: A virus is malicious code that attaches itself to a program and replicates when a user opens and runs that program.

Worm: A worm is a bit different than a virus in that it doesn’t rely on a program or executable file to spread throughout your system—it uses a computer’s existing services to replicate itself without any help from a user. A worm is malware that can replicate itself over and over, spreading from computer to computer over a network. They can have different effects: a worm can enable unauthorized access to a network, or can use up so much of a server’s memory that it stops responding, taking your site down with it.

Trojan: Trojan horse malware appears helpful or legitimate, but once it runs, it can be devastating—sometimes by creating a “backdoor” for hackers to get in and access your files or network.

Scareware: This type of malware is cloaked in the disguise of a warning-like popup or reminder that gives a user a jolt of panic so they click it, thinking that downloading that software was helpful, not harmful.

Malware has even been used in ATMs to steal users’ information. Very sophisticated malware is able to run on a system without being detected, like the recently uncovered malware believed to be state-sponsored that’s been running undetected for five years.

More on Ransomware and How to Fight It

Ransomware essentially holds your machine, system, or data hostage until you pay up—typically in Bitcoin. It’s extortion for the modern age, and it has large-scale implications for some pretty big organizations. How does ransomware work and how can you protect against it?

Popular ransomware encryption programs include CryptoWall, CTB-Locker, and TorrentLocker. Even as hackers continue to update and evolve these programs to outsmart anti-virus software, anti-virus programs are still going to be your best bet in protecting against this kind of malware.

Here are a few more ways to protect against ransomware:

Back up files consistently in an insulated, external environment so if you’re locked out, you can access them there—without having to pay a fee. This is probably the most important thing companies can do to recover from a ransomware attack, and can be the difference between getting your system back up and running within hours rather than days.

Stop malware where it starts. Solid endpoint security is a big step to preventing malware from infecting machines and getting onto the network. Educate users about phishing scams, suspicious links, and malicious attachments, and update browsers and use ad blockers to prevent against malvertising attacks.

Update everything. This means security software, browsers, and any third-party plugins that are targets for attacks, like Flash plugins or Java applets. If holes are detected in security software and patches are issued, stay on top of them.

What Is Malvertising?

Malvertising is a new way that hackers have devised to get malware and ransomware onto user’s computers: through online advertising. It’s another way hackers tap into the weakest link in the security chain: human users.

Basically, websites and advertising networks can host seemingly legitimate advertising that’s actually concealing malvertising. Users who might normally be safe from these kinds of malware because of firewalls or other security measures are susceptible to these attacks because they reside online on sites that are highly reputable. A site that you trust and regularly visit could be compromised by malvertising.

One way to prevent this type of malware is through ad blockers and keeping browsers regularly updated.

The Enduring Value of Encryption

Encryption is often viewed as one of the most tried and true ways to keep data safe—whether that data is living on a database or in transit between users, browsers, and the cloud. If you’re hacked—on a computer, in a data center, or in the cloud—that data will be pretty hard for a hacker to do anything with unless they have an encryption key. Encryption keys themselves should be stored somewhere safe, separate from the encrypted data.

For companies that are storing very sensitive data for the long-term, future-proofing that data through encryption is a priority. For these organizations, one threat that’s on the radar—however far off it may actually be—is attacks by quantum computers. Quantum computers are incredibly powerful—enough to solve problems in a fraction of the time of traditional computers.

Learn more about encryption and creating an encryption strategy that works for you in this article, Pro Tips for an Effective Encryption Strategy.

Conclusion

The truth about cyber attacks? Hackers are very persistent. Even as companies come up with new, stronger means to defend themselves, hackers will work even harder to find holes in those defenses. With every new patch, hackers will be trying to find a way through it.

The key to staying ahead of attackers is to stay informed. While this article just scratches the surface of the types and variety of attacks that can occur, staying educated should be a priority. You can consult an internet security expert who can help ensure your systems are updated, your encryption key management strategy is secure, and that you have contingency plans in place in the event of an attack. For more information on the skills to look for to keep your data safe, read our article Data Security: The Top 10 Skills You Need On Your Team.

Show more