The 5 Greatest Cyber Threats to Your Business and How to Prevent Them

While cybersecurity is still a new topic for many organizations, healthcare remains one of the most heavily targeted industries for cyber-criminals. After years of working with organizations of all kinds, we've compiled a list of the 5 biggest threats to your practice, along with expert tips to help defeat them. Some of these tips can be implemented before lunch and will significantly improve your organization's security.

The 5 Greatest Cyber Threats of 2019:

  1. Password Spraying & Stuffing
  2. Unpatched & known vulnerabilities
  3. Lack of security self-awareness
  4. Advanced Phishing / CEO Fraud
  5. Lack of asset management

Password Spraying & Stuffing

A tactic that is well known inside the industry but unfamiliar to many outside it is password spraying (and its cousin, credential stuffing, covered below). In password spraying, an attacker first builds a list of your organization's email addresses and usernames, usually with scripts that scrape Google and LinkedIn, and then tries one or two commonly used passwords against every single account. Spreading the attempts across many accounts keeps each account under its lockout threshold, which is exactly what makes spraying hard to notice if you only watch for repeated failures on a single account.
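The cross-account view is what catches a spray, so here is the detection logic as an added example (not code from the original article). The log format is a constructed, simplified one: timestamp, source IP, username, result. Real sources such as Windows 4625/4624 events, Azure AD sign-in logs or VPN logs need their own parser, but the grouping is the same. The thresholds (30-minute window, at least 5 accounts, at most 2 attempts per account) are assumptions for the demo.

```python
"""Spotting a password spray in authentication logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 tries one password against six accounts
# (a spray, with one hit); 198.51.100.9 hammers a single account (brute
# force, a different signature); 192.0.2.44 is a user mistyping once.
SAMPLE_LOG = """\
2019-03-04T08:00:01Z 203.0.113.7 alice FAIL
2019-03-04T08:00:03Z 203.0.113.7 bob FAIL
2019-03-04T08:00:05Z 203.0.113.7 carol FAIL
2019-03-04T08:00:07Z 203.0.113.7 dave FAIL
2019-03-04T08:00:09Z 203.0.113.7 erin FAIL
2019-03-04T08:00:11Z 203.0.113.7 frank SUCCESS
2019-03-04T08:01:00Z 198.51.100.9 alice FAIL
2019-03-04T08:01:01Z 198.51.100.9 alice FAIL
2019-03-04T08:01:02Z 198.51.100.9 alice FAIL
2019-03-04T08:01:03Z 198.51.100.9 alice FAIL
2019-03-04T08:01:04Z 198.51.100.9 alice FAIL
2019-03-04T08:01:05Z 198.51.100.9 alice FAIL
2019-03-04T09:30:00Z 192.0.2.44 bob FAIL
2019-03-04T09:30:20Z 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Turn the constructed log format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source_ip: {"accounts": set, "compromised": set}} for sources that
    touched at least `min_accounts` distinct users inside `window` while making
    at most `max_per_account` attempts per user (the low-and-slow spray shape).
    A single account hit many times is brute force, not a spray, and is ignored.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most `window` of wall-clock time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            per_user = Counter(e[2] for e in in_window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[ip] = {
                    "accounts": set(per_user),
                    # a SUCCESS inside a spray is the account to reset first
                    "compromised": {e[2] for e in in_window if e[3] == "SUCCESS"},
                }
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {len(info['accounts'])} accounts, "
              f"compromised: {sorted(info['compromised']) or 'none'}")
```

Note that the brute-force source is deliberately not reported here; per-account lockout already handles that case. The spray source never trips lockout, which is why this cross-account grouping (ideally also keyed on user-agent for cloud sign-in logs) has to exist separately.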

Red teamers (advanced pentesters) rely on a well-known trick: because of common password complexity rules and 90-day rotation policies, people often fall into the habit of structuring their password like this:

"SeasonYear!" or "CompanyNameYear!"

For example: Winter2018!, and when the password rotates, Spring2019!. By following this scheme the employee can always remember the password, always has a "fresh" password, and always satisfies the complexity rules. How convenient!

Convenient, yes, until attackers figure this out too. And, surprise, they have. Now it is both very convenient and very insecure.

So how can you stop this from happening? The first thing you can do is educate your employees about this pattern and make clear how important it is that they never follow this kind of scheme. Instead, they should use a password manager, or even Diceware. Back the education with a technical control: a password filter that rejects the scheme at change time, and multi-factor authentication wherever the service supports it, so that a sprayed password on its own does not get the attacker in.


Source: https://xkcd.com/936/
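The scheme is so regular that both sides can be written down in a few lines. The following is an added example, not code from the original article: spray_candidates() is the wordlist a red teamer builds for a first spray pass, and predictable_scheme() is the check a password-change hook should run so that none of those candidates is ever accepted, including "leet" spellings such as Spr1ng19#. The company words, years and suffixes are assumptions for the demo.

```python
"""Generating and rejecting the Season/CompanyName + Year + punctuation scheme."""
import re

SEASONS = ["Winter", "Spring", "Summer", "Autumn", "Fall"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
FILLERS = ["Password", "Welcome", "Changeme"]
# common "leet" substitutions that still satisfy complexity rules
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def spray_candidates(year, org_words=(), suffixes=("!", "", "#", ".")):
    """The first few hundred passwords a sprayer tries: Word + Year (4 or 2
    digits, this year and last) + a complexity-satisfying suffix."""
    words = SEASONS + MONTHS + FILLERS + list(org_words)
    years = [str(year), str(year)[-2:], str(year - 1), str(year - 1)[-2:]]
    return [f"{w}{y}{s}" for w in words for y in years for s in suffixes]


def predictable_scheme(password, org_words=()):
    """Return a reason string if the password is Word + Year (+ punctuation),
    after undoing leet substitutions in the word part; None otherwise."""
    stripped = re.sub(r"[^A-Za-z0-9]+$", "", password)   # drop trailing "!", "#", ...
    # shortest word prefix followed by a 4-digit (19xx/20xx) or 2-digit year
    m = re.fullmatch(r"(.+?)((?:19|20)\d{2}|\d{2})", stripped)
    if not m:
        return None
    word = m.group(1).translate(LEET).lower()
    known = {w.lower() for w in SEASONS + MONTHS + FILLERS + list(org_words)}
    if word in known:
        return f"'{m.group(1)}' + '{m.group(2)}' follows the word+year scheme"
    return None


if __name__ == "__main__":
    org = ("Acme",)   # assumed company name
    for pw in ["Winter2018!", "Spr1ng19#", "Acme2019!", "Tr0ub4dor&3",
               "correct horse battery staple"]:
        print(f"{pw:32} -> {predictable_scheme(pw, org) or 'ok'}")
```

The filter is a blocklist, not a strength meter: a Diceware phrase passes because it never matches the word+year shape, while every entry the generator produces is rejected. Feed it the same company words (product names, office locations) that a red teamer would collect from your website.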

So that's password spraying; what about password stuffing? Password stuffing (more commonly called credential stuffing) is a bit more involved. Attackers obtain a list of email addresses and look them up in paid-for services such as weleakinfo.com, which index breach dumps from over the years: the Adobe breach, the LinkedIn breach, the Dropbox breach, the Bit.ly breach (the list goes on).

Because humans have a strong tendency to reuse passwords, attackers count on some employees having reused a leaked password, or a permutation of it, on their company accounts. The sad fact is that the bigger the company, the greater the risk, since there is more surface area for people to make mistakes.
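You can run the same lookup defensively, at password-change time, without handing the password to anyone. The block below is an added example, not code from the original article: it uses the k-anonymity range lookup of Have I Been Pwned's Pwned Passwords API (only the first five hex characters of the SHA-1 hash leave the machine, and the full hash is matched locally against the returned suffixes) and also tries the permutations a stuffing attacker would. The demo runs offline against a constructed leak set (the passwords and counts are made up); fetch_range_live() shows the real endpoint but is not called here.

```python
"""Breach check with the Pwned Passwords range lookup, plus attacker-style variants."""
import hashlib
import re
import urllib.request
from collections import defaultdict


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix):
    """Fetch all suffixes sharing a 5-char SHA-1 prefix from the real API."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_offline_range(leak):
    """Build a stand-in for fetch_range_live() from a constructed {pw: count} set,
    using the same 'SUFFIX:COUNT' line format the real endpoint returns."""
    ranges = defaultdict(list)
    for pw, count in leak.items():
        h = sha1_upper(pw)
        ranges[h[:5]].append(f"{h[5:]}:{count}")
    return lambda prefix: "\r\n".join(ranges[prefix])


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not seen)."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.partition(":")
        if cand.strip() == suffix:
            return int(count)
    return 0


def variants(password):
    """The mangling a stuffing attacker applies to a leaked credential:
    case changes, the year bumped by one, and the usual appended suffixes."""
    bases = {password, password.lower(), password.capitalize()}
    bumped = {re.sub(r"(?:19|20)\d{2}", lambda m: str(int(m.group()) + 1), b)
              for b in bases}
    return {base + suf for base in bases | bumped for suf in ("", "!", "1", "123")}


def stuffing_risk(password, fetch_range):
    """{variant: breach count} for every variant present in the corpus."""
    risk = {}
    for v in sorted(variants(password)):
        n = breach_count(v, fetch_range)
        if n:
            risk[v] = n
    return risk


# Constructed leak set for the offline demo (not real breach data)
CONSTRUCTED_LEAK = {"Winter2018!": 1203, "hunter2": 77000, "Dropbox2012": 4}

if __name__ == "__main__":
    offline = make_offline_range(CONSTRUCTED_LEAK)
    for pw in ["winter2018", "Hunter2", "correct horse battery staple"]:
        print(pw, "->", stuffing_risk(pw, offline) or "not in corpus")
```

Swap make_offline_range(...) for fetch_range_live to run it for real. Checking the variants, not just the exact string, is the part most in-house checks miss: a user who "changed" winter2018 to Winter2019! is still one mangling rule away from a leaked credential.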

How can you fix this? Hire a well-skilled firm to perform your annual penetration test; they will test for password spraying and credential stuffing and help you identify your risk in this area (among many other things). Between tests, check new passwords against known-breached password lists at the moment they are set, so a reused credential is rejected before it ever reaches a login page.

Unpatched & Known Vulnerabilities

This one is simple, yet commonly overlooked. Researchers in the cybersecurity community constantly test software and find vulnerabilities in it: VMware ESXi, Jira, Microsoft Word, WordPress, Drupal, Apache Tomcat, and pretty much any device or web application you can think of.

Once they've identified a vulnerability, they contact the vendor and a fix is released. Then, often, other individuals develop exploit code for the vulnerability: code that automates abuse of the flaw, frequently to the point of fully controlling the device.

You would hope that people running this software would hear about the new vulnerability and update. However, this rarely happens, especially in small businesses and medium enterprises. This means that at any one time there are thousands of businesses running insecure software, and the longer they leave it, the more vulnerabilities pile up.

How do you make sure you're not running old or insecure software? The answer is vulnerability scans. A vulnerability scan assesses your software versions, both internally and externally, and checks them against known vulnerabilities. We usually expect to find lots of high-risk vulnerabilities when we scan an organization for the first time. If your organization has never had a vulnerability scan, you are likely very vulnerable.

This opens you up to all sorts of threats such as ransomware and worms, as well as kids running random exploit code against organizations all over the world for fun, or worse, criminals that obtain and sell your sensitive data.

Lack of Security Self-Awareness

This threat is far too common. When you speak to people who have never invested in security, their reasons usually sound like: "We are too small", "Nobody would want to hack us", "We've never been hacked before".

The problem with these statements is that they show a huge lack of self-awareness about the security landscape. You don't need to be anybody notable. If you are connected to the internet, or anything you own is exposed on the internet, automated systems that scan the internet constantly will find your devices and exploit them, with no human intervention needed, very often using publicly released exploit code or weak and common passwords.

Companies such as GreyNoise (greynoise.io) track these scanners, and if you look through their explorer you will see thousands of devices scanning the internet every day looking for vulnerable hosts.

The natural equivalent of exposing a device to the internet is dropping meat into piranha-infested water. If it is not properly secured, it will be consumed quickly.

So how can you improve your security self-awareness? An easy way to learn where you stand is a Baseline Assessment: a bundle of services with an easily digestible overview report. If you've never had a pentest or a vulnerability scan before, or invested in any sort of security services, a baseline assessment will quickly show you where you stand and what actions you need to take.

You get a checkup every 12 months at the dentist and you get your car serviced annually; why wouldn't you do the same for the security of your organization?

Advanced Phishing & CEO Fraud

The title says advanced phishing, but the fact of the matter is that regular old phishing is still a huge issue and is still causing plenty of trouble for medium enterprises.

Phishing is when an attacker crafts an email that impersonates a company or an individual in an attempt to get you to perform an action that helps the attacker.

Usually that means entering your username and password into a website that looks identical to the service being impersonated, or opening a malicious attachment that gives the attacker full remote access to your workstation.

Once upon a time phishing meant poorly written emails with unconvincing phishing pages. Today the reality is very different. Phishing pages are almost indistinguishable from the real thing; the telltale signs are that you were prompted to log in when you did not expect to, and that the address bar shows a domain that is not the real service's.

CEO Fraud

CEO fraud is a very devious attack: criminals identify people in certain positions, such as a manager, and impersonate them to get an employee to perform an action.

Sometimes they imitate the person's style of writing, their email signature, and even slang used within the company. Common patterns include a "manager" asking an HR employee to change payroll accounts, or asking finance to wire a payment to a different account number.

How can you defend against this? Education through training programs such as KnowBe4 can be invaluable against this kind of attack. Awareness is king on the human side of security.

Teaching people to actually call the person, on a number they already have rather than one given in the email, and verify the request can save a lot of trouble, especially for big things like payroll redirection.
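The human check above can be backed by a mechanical one on the mail gateway, because a CEO-fraud message usually shows several of the same tells at once. The following is an added example, not code from the original article; the executive directory, company domain and both messages are constructed for the demo. It flags a display name that matches an executive but an address that is not theirs, a sender domain that is a lookalike of the company's (including the "rn" for "m" trick), a Reply-To that silently diverts replies elsewhere, and payment or payroll wording paired with urgency.

```python
"""Header and content checks that catch the typical CEO-fraud email."""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumed company domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}     # constructed directory

PAYMENT = re.compile(r"\b(wire|payroll|direct deposit|bank account|gift cards?)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|today|right away|confidential)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, for catching one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, real=COMPANY_DOMAIN):
    """True if `domain` is not `real` but would pass a quick glance as it."""
    if domain == real:
        return False

    def fold(d):  # collapse the visually confusable pairs attackers rely on
        return d.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")

    return fold(domain) == fold(real) or edit_distance(domain, real) <= 2


def flag_impersonation(raw, execs=EXECUTIVES, company=COMPANY_DOMAIN):
    """Return the list of reasons this message looks like CEO fraud ([] if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg["From"]))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    expected = execs.get(name)
    if expected and addr != expected.lower():
        reasons.append(f"display name '{name}' but sender is {addr}, not {expected}")
    if lookalike(domain, company):
        reasons.append(f"sender domain {domain} is a lookalike of {company}")
    if msg["Reply-To"]:
        _, reply_to = parseaddr(str(msg["Reply-To"]))
        if reply_to.lower() != addr:
            reasons.append(f"replies diverted to {reply_to}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT.search(text) and URGENCY.search(text):
        reasons.append("payment/payroll request combined with urgency language")
    return reasons


# Constructed messages: one fraud attempt, one genuine request
FRAUD_MAIL = """\
From: "Jane Doe" <jane.doe@exarnple.com>
To: payroll@example.com
Reply-To: jane.doe.ceo@gmail.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Hi, I need my direct deposit moved to a new bank account today.
I'm stuck in meetings so just reply here. Keep this confidential.
"""

LEGIT_MAIL = """\
From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 numbers
Content-Type: text/plain; charset="utf-8"

Could you send over the Q3 headcount report when you get a chance?
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MAIL), ("legit", LEGIT_MAIL)):
        print(label, "->", flag_impersonation(raw) or "no findings")
```

Treat the output as a score, not a verdict: the edit-distance rule will also fire on a genuinely different partner domain one character away from yours, so keep an allow-list of known partner domains, and let any message with two or more reasons land in quarantine rather than the inbox.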

Lack of Asset Management

Asset Management is the process of keeping track of what assets you own, where they are, what they do, and what data they store.

It is all too common that corporations and management completely forget that certain servers or systems exist. Remember that Jira server you used in 2010? It receives no regular patches and no vulnerability scans, it still contains critical user information, and nobody remembers it exists.

This is very scary from a security perspective, and it is actually very common.

Asset management can start with something as simple as a spreadsheet, and quarterly asset audits help you stay aware of your devices so that you can actually secure them. The audit should compare the list you think you have against what is actually answering on the network; the assets that hurt you are the ones on one list but not the other.
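Here is that quarterly comparison as an added example (not code from the original article). The inventory CSV and the discovered-host list are constructed; in practice the discovered list comes from a network scan export, DHCP leases or the cloud provider's API. The report lists hosts nobody recorded, records nothing answers to any more, assets with no owner, and assets outside an assumed 90-day patch window, which is how the forgotten 2010 Jira server surfaces.

```python
"""Quarterly asset audit: reconcile the spreadsheet with what is really on the network."""
import csv
import io
from datetime import date

# Constructed spreadsheet export
INVENTORY_CSV = """\
ip,hostname,owner,purpose,data_class,last_patched
10.0.1.10,web01,ops,public website,public,2019-02-20
10.0.1.20,db01,ops,customer database,confidential,2019-01-15
10.0.1.21,db02,ops,customer database replica,confidential,2019-01-15
10.0.1.30,jira-old,unknown,legacy issue tracker,confidential,2014-06-01
"""

# Constructed (ip, hostname) pairs as a scan would report them; 10.0.1.21
# no longer answers and 10.0.1.77 was never recorded
DISCOVERED = [
    ("10.0.1.10", "web01"),
    ("10.0.1.20", "db01"),
    ("10.0.1.30", "jira-old"),
    ("10.0.1.77", "printer-3f"),
]


def load_inventory(text):
    """Parse the spreadsheet export into {ip: row}."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory, discovered, today, max_patch_age_days=90):
    """Compare what we think we own with what was found on the network."""
    recorded = set(inventory)
    seen = {ip for ip, _ in discovered}
    names = dict(discovered)

    stale = []
    for ip, row in inventory.items():
        age = (today - date.fromisoformat(row["last_patched"])).days
        if age > max_patch_age_days:
            stale.append((ip, row["hostname"], age))

    return {
        # on the network, not in the spreadsheet: nobody is patching these
        "unknown": sorted((ip, names[ip]) for ip in seen - recorded),
        # in the spreadsheet, not on the network: decommissioned or moved
        "missing": sorted((ip, inventory[ip]["hostname"]) for ip in recorded - seen),
        # nobody will act on a finding against these
        "unowned": sorted(ip for ip, row in inventory.items()
                          if row["owner"].strip().lower() in ("", "unknown")),
        "stale": sorted(stale),
    }


def demo_report(today=date(2019, 3, 4)):
    """Run the reconciliation over the constructed data (audit date assumed)."""
    return reconcile(load_inventory(INVENTORY_CSV), DISCOVERED, today)


if __name__ == "__main__":
    for section, items in demo_report().items():
        print(f"{section}: {items or 'none'}")
```

The "unknown" list is the one to chase first: a device that is on the network but in nobody's spreadsheet is, by definition, outside every patch cycle and every vulnerability scan you have paid for.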

How can you expect to protect your assets if you don't know what you have?

Conclusion

Lots of businesses are trying to sell you their 'advanced magic-bullets', so certain threats are overhyped, and finding good, unbiased information about real threats that organisations face day-to-day.