A cyberattack is a deliberate attempt to breach the information system of an individual or an organization. Below we describe some of the most common types of cyberattacks.
Man-in-the-middle (MitM) attacks
This type of attack occurs each time a hacker gets fraudulent access to a client-server or other private communication. The most common types of man-in-the-middle attacks are the following.
Session hijacking occurs when an attacker hijacks a session between a trusted client and a server. The attacking device will replace its IP address with the one of the trusted client. If the server continues the session, the attack is successfully executed.
IP spoofing is utilized to disguise the attacker’s IP, usually with randomized numbers. IP stands for Internet Protocol, which is the set of rules governing the format of data sent via the internet or local network. The IP address is the identifier that allows data to be sent between devices on a network: they contain location information and make devices accessible for communication.
To prevent such attacks, organizations rely on deep packet inspection (DPI) solutions, which utilize granular analysis of all headers not just the IP address.
A replay attack occurs every time a hacker intercepts and saves old communication and then reopens a discussion, impersonating one of the participants.
To counter such attacks, IT security teams utilize session timestamps and a cryptographic nonce “number only used once” which is a random number that can be used just once in a cryptographic communication.
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
A denial-of-service attack overwhelms a system so that it cannot respond to service requests. Similarly, a DDoS attack targets the system’s resources, but it is launched from several host machines controlled by the perpetrator.
Unlike cyberattacks that are designed to penetrate a system to get unauthorized access, DoS attacks do not provide direct benefits for attackers. However, if the targeted resource belongs to a competitor, then the benefit to the attacker can be measured.
A DoS attack can also be used to take a system offline to facilitate a different kind of attack.
There are several types of DoS attacks, such as teardrop attacks, botnets, etc.
Drive-by download attacks
Generally, the drive-by download attack is utilized for spreading malware. Hackers often look for insecure websites and exploitable vulnerabilities to include malicious scripts into HTTP or PHP code on some of the pages. These scripts might easily install malware directly onto the victim’s device if she/he visits the website, or it might redirect the victim to a second website controlled by the hackers.
A drive-by download will target an app or a web browser that is vulnerable due to lack of updates.
To protect your organization against such attacks, you should keep your browsers and operating systems up to date and avoid loading unsecure, suspicious websites.
Phishing & spear phishing attacks
Unfortunately, phishing attacks are increasingly popular among hackers. This type of cyberattack usually involves sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing victims into taking certain action.
Such an attack combines social engineering and technical methods. It could be an email attachment or a link to an illegitimate website that can trick you into downloading malware or disclosing personal information.
Spear phishing is a targeted type of phishing activity. Attackers closely investigate their targets and create messages that are personal and relevant. Therefore, spear phishing can be very hard to identify and even harder to defend against.
Hackers usually utilize email spoofing for conducting spear phishing attacks. Basically, they change the sender’s email address, making it appear as if it is coming from someone you know, maybe a manager (e.g. CEO fraud) or a colleague/partner.
To reduce the risk of being phished, you should apply the following suggestions:
Analyze any email you consider suspicious.
Move your mouse over the suspicious link, but do not click it! Just move your mouse cursor over the link to see the destination URL.
Email headers define how an email got to your address. The “Reply-to” and “Return-Path” parameters should lead to the same address included in the email.
Password attacks
As we all know, passwords are the most used mechanism to authenticate to any information system. Access to a person’s password can be obtained by using social engineering, gaining access to a password database, etc.
Two of the most common password attacks are brute-force attacks and dictionary attacks.
The brute-force attack occurs when hackers or preconfigured bots try many different combinations, such as old passwords, stolen personal information, etc.
The dictionary attack involves a dictionary of common passwords that is used to attempt to gain access to a user’s computer and network.
To protect against dictionary or brute-force attacks, you should implement an account lockout policy that will block any login attempt after a few invalid user/password combinations.
SQL injection attacks
SQL injection has become a common issue with database-driven websites. It occurs when the hacker executes SQL queries to the database via input fields.
A SQL injection attack can allow the perpetrator to read information from the database, insert, update, or delete database data, execute admin operations, recover the content of a certain file, etc.
To protect your organization from a SQL injection attack, apply the least privilege model of permissions in your databases.
Cross-site scripting (XSS) attacks
XSS attacks use third-party resources to run scripts in the victim’s browser or application. The attacker injects malicious JavaScript into a website’s database. When the victim loads a web page, the server transmits the page with the attacker’s payload as part of the HTML body to the victim’s browser, which executes the malicious script. For instance, it might send the victim’s cookie to the attacker’s server, and the perpetrator can extract it and use it for session hijacking.
To defend against such cyberattacks, always make sure that you treat anything that generates data from outside your system as untrusted. Validate all the input data and create a whitelist of known, acceptable input. Examine and remove unwanted data.
Malware attacks
Malicious software can be described as unwanted software that is installed within the victim’s information system. There are many types of malware that hackers use such as: macro viruses, file infectors, polymorphic viruses, trojans, etc.
Conclusion
A good defense requires understanding the offense. Unfortunately, attackers have many options, such as DDoS assaults, malware infections, and brute-force password attacks trying to gain unauthorized access to business data.
Measures to mitigate these threats vary, but IT security basics stay the same. So, keep your systems and anti-virus databases up to date, regularly train your employees, configure your firewall to whitelist only the specific ports and hosts you need, keep your passwords unique and strong, use a least-privilege model in your IT environment, make regular backups, and continuously audit your IT systems for suspicious activity.
Springfield
/in City /by MihaiSecurity Information & Event Management
/in IT Security /by MihaiWhat is a SIEM solution?
A Security Information and Event Management (SIEM) solution is a 24/7 intelligent threat detection system. It collects logs, makes statistical correlations, analyzes threat alerts across your network, combines data from several different sources, and helps security teams remediate issues before they cause serious damage to your company.
Your firewalls, intrusion detection systems, anti-virus software, wireless access points and Active Directory servers all generate tons of security alerts every day. With a SIEM, you can collect all of these in one place, with one set of reports and one centralized system for generating notifications.
NOTE! It can take several days, even months, to identify a data compromise. Modern IT security tools can generate millions of security alerts over the course of a day, but a SIEM solution filters out the noise, so the real threats get immediate attention.
Why Is SIEM Important?
The longer it takes to detect a threat, also known as “discovery time,” the more potential damage to your organization. A SIEM solution will identify real threats faster so your response team can act quickly before a breach occurs. It provides real-time visibility into what’s happening across your entire network 24/7.
A SIEM solution provides logging and reporting for compliance purposes. It provides centralized, built-in, easy-to-use, real-time log collection, alerting and reporting features.
Real threats are identified, isolated, and remediated quickly before they can cause serious harm and costly business disruptions.
SIEMs can help detect, mitigate, and prevent advanced threats, including:
A full SIEM solution also blends geolocation to increase its accuracy, ensures notifications are actionable in order to reduce false positives.
How Does It Work?
We call it E-R-I-N.
Events
Firstly, it collects millions of security alerts, or events, from your entire network, including cloud resources and mobile devices.
Rules
Secondly, we apply rules to determine which events are actionable threats. These threats become incidents.
We customize the ruleset to your network specific device types and against an established traffic baseline. We tune these rules continually based on changes to the threat landscape and changes to the customer’s hardware/software environment, as well as apply new rules based on new threats.
Incidents
Based on the criticality, an incident may be simply logged, it may be written in a report to be viewed later, or it may require immediate attention, generating an immediate notification.
Notifications
Finally, your response team is instantly notified so remediation can begin.
Who Needs a SIEM?
With today’s ever-evolving cybersecurity landscape, a SIEM solution plays a crucial role in staying ahead of the latest threats.
While every business can benefit from a SIEM, those that must comply with industry and government regulations and those looking to qualify for cybersecurity insurance will find it essential.
Businesses in healthcare, finance, accounting, and government agencies must meet specific regulatory requirements. An effective SIEM is key to complying with PCI, HIPAA, and FFIEC standards.
SIEM can check all the boxes on today’s stringent cybersecurity insurance applications. And once you get coverage, a SIEM can provide the detailed forensic analysis insurers require before they pay out in the event of security breach.
Next-Gen SIEM Capabilities
User and entity behavior analytics in advanced SIEM solutions utilize artificial intelligence and deep learning to look at patterns of human behavior.
Next-gen SIEMs may detect the first stages of a ransomware attack and perform the necessary containment steps automatically on affected resources, before the attacker can encrypt the data, while simultaneously generating notifications.
For more information about SIEM and how it can help protect your organization, please reach out.
Physical Servers Vs. Cloud
/in Tech Tips /by MihaiThe differences between a physical server and a cloud server can create confusion. In just a few words, a virtual server that is hosted by a cloud computing company (Microsoft Azure, Amazon AWS, and Google Cloud are the most common), known as a cloud server, allows users to utilize its resources remotely just by using an internet connection. On the other hand, a physical server is hosted by you most commonly within your office environment.
Physical servers are relatively safe, independent, easy to operate, and offer good performance, but they cost more on the purchase, maintenance, upgrade, security, and expansion of the physical infrastructure.
Cloud servers are flexible, easy to deploy and migrate. Cloud solutions are highly dependent on the internet condition. Especially if are not managed properly, cloud solutions can cost more in terms of feature expansion and business continuity.
NOTE! The functions and operating systems supported by cloud-based servers are identical to those of traditional physical servers housed in a local data center. In addition to that, they can have comparable performance features.
Should I Choose A Physical Server?
Complete access to a dedicated server is one of the main advantages of a physical server. This means that you will never encounter delayed processing during busy time intervals, you will be able to configure it, upgrade it as you see fit.
With just a few exceptions, there will be no interruptions on the company-owned server. However, if you need a powerful server, physical servers might take up a lot of your office space. This means that you are responsible for keeping up the space where they are located, as well as for any service or repairs that may be necessary, which might be problematic if something goes wrong, stuff like power outage, natural disasters, etc.
Or Maybe A Cloud Solution?
As opposed to physical servers, cloud-based servers allow users to run several operating systems at once, maximizing the use of the available hardware and eliminating the need to run separate servers for each operating system. One of the main benefits is the lower cost, which is perfect for both small and large organizations.
Also, when it comes to data encryption, it can be difficult for some organizations to encrypt data across their entire environments, but with public cloud providers, such as Microsoft Azure, organizations have various options to closely manage encryption or encryption keys.
Automation of any tasks is one key feature of cloud solutions that is extremely helpful to any business. Additionally, it allows users to make repairs faster by signaling any interruption in automated processes brought on by a malfunction.
The backup and recovery processes are handled easily with virtual servers that can switch to another computer if a server happens to fail.
Therefore, to choose between a cloud solution and a physical server, you must identify and compare the advantages you would obtain, but also the downsides.
For example…
If you run an e-commerce website with seasonal traffic surges, a cloud server would easily allow you to scale up and down.
If you are working on a project that requires a custom server, then a physical server is probably the better option.
If you manage a small business or a startup and you barely afford the physical infrastructure and maintenance cost, then configuring a cloud server is a more appropriate solution.
Physical servers are reliable, standalone, and relatively easy to use. However, it is more expensive to buy, manage, update, and expand the physical infrastructure. Cloud servers, in contrast, offer more flexibility, state of the art security, a pay-as-you-go option, quick deployment, a simple migration, and require no initial hardware investment.
NOTE! Microsoft alone spends $15 billion annually on cloud research and development, with 1$ billion dedicated to cloud security.
Conclusion
Cloud technology provides a high degree of adaptability, agility, and privacy. By choosing a cloud server over a physical server, you have the possibility to optimize costs by adapting your spending. Sometimes, combining cloud and physical servers may be most beneficial, as this option can offer organizations the best of both worlds.
Nowadays, even huge organizations are moving their online operations to the cloud for more flexibility. If you are unsure of which environment is the best for you, please reach out with any questions. Our engineers will guide you towards a viable solution.
Differences Between NOC And SOC
/in IT Security /by MihaiNetwork Operations Centers (NOCs) are responsible for maintaining a company’s computer system’s technical infrastructure, while Security Operations Centers (SOCs) are responsible for protecting the organization against cyber threats.
The Network Operations Center (NOC)
A typical NOC team includes engineers and technicians who cautiously track an IT infrastructure. The team has many responsibilities, such as network and server monitoring and management, software installation and management, patch management, IT performance reporting, etc.
A NOC team will provide technical support and will ensure the organization can quickly identify and solve incidents related to uptime and performance. For instance, if NOC engineers notice any IT issues that can cause a network to slow down, they can remediate these problems before they lead to downtime that eventually impacts the organization’s staff or customers.
Network operations centers focus on preventing and solving network issues caused by natural disasters, power outages, and internet outages. In addition, a NOC can perform software patching for servers during off-hours to ensure minimal operational downtime. Also, NOC engineers work to constantly improve the organization’s IT performance. They may prevent incidents from happening, something that may help an organization simultaneously lower its IT costs and boost its productivity and efficiency.
The Security Operations Center (SOC)
Similar to a NOC, a SOC is another important part of an organization. As we have just seen, a NOC focuses on the IT infrastructure and its performance, but a SOC will maintain and improve the state of security of an organization.
Today’s companies are increasingly exposed to malware, DDoS, and other types of cyberattacks, but a SOC can protect your organization against such threats. A SOC team will include analysts who monitor and evaluate activity across enterprise applications, networks, websites, and other systems. If SOC analysts identify a suspicious activity, they will investigate it, and if they find that the organization’s system has been breached, they will take the necessary steps to address the incident in a timely manner.
As organizations implement more and more security tools there is a false sense of protection. Many tools will provide alerts when something suspicious occurs, but they still require human intervention to remedy the issue. Unfortunately, many attacks occur late at night, or before a long weekend due to a recognized holiday. Security is a 24×7 operation, and implementing a SOC will ensure you are protected 24x7x365.
NOC And SOC Challenges
The modern IT trends continue to put pressure on the existing IT teams that implement NOC or SOC functionalities. Organizations need to consider these challenges when developing NOC or SOC capabilities.
More Endpoints
The modern network continues to add devices and resources at a massive pace. In addition to the traditional endpoints, the modern network also includes a large array of connected devices such as, smartphones, tablets, smart TVs, printers, etc.
Bring-Your-Own-Device (BYOD) also adds complexity to the mix because the IT team needs to verify if the BYOD device abides by company policy for updates, endpoint protection, etc.
NOC teams struggle to adapt traditional infrastructure to more connected devices and bandwidth requirements. SOC teams share the same focus as each connected device and additional traffic stream adds to their monitoring and analysis requirements.
Remote Work & Cloud Solutions
As the number of devices, installed and utilized applications increase, this situation complicates network monitoring. Wireless 4G and 5G connections now connect operational technology that used to sit isolated in the office and the shift to the cloud now moves many assets outside of the corporate perimeter.
Additionally, as the staff continues to shift to remote work, corporate networks are exposed to consumer grade or unsecured public wi-fi connections. These unprotected resources will continue to put pressure on both NOC and SOC teams that must configure and maintain strong IT security plans to create proper defenses against modern security challenges.
Cost Of Downtime
As we get more and more dependent on technology (applications, websites), the cost of downtime continues to increase, therefore NOC teams have a limited time frame to fix network disruptions even as they cover more devices and more physical and virtual distance. Meanwhile, the perpetrators move faster and attack more viciously challenging the SOC personnel to act faster to prevent or mitigate cyberattacks.
Nowadays, several tools utilize artificial intelligence or machine learning to handle repetitive analyses that improve the team’s response time. Still, the AI/ML assistance requires both NOC and SOC teams to learn more tools and adapt their methods to incorporate such solutions.
Organizations seeking to secure their networks should incorporate both a NOC and a SOC to build a modern and secure IT infrastructure. Therefore, a good collaboration between NOC and SOC will improve the efficiency of your response during a crisis situation.
Securing The Hybrid Workspace
/in IT Security /by MihaiWith a more distributed workforce, your organization is exposed to a series of new threats. Everything must be monitored to ensure that if anything goes wrong, the issue does not lead to a massive data breach in your business.
Keeping your hybrid office setup safe can be challenging. By taking the time to understand the challenges early and addressing them before they become security emergencies, you will be saving your business a ton of money.
Secure access
Making sure that your team not only has a VPN to use, but also that they know how to use it properly is a critical first step in protecting your hybrid office setup. The best systems use an automated approach where team members utilize preconfigured devices that will not login to your network without proper authentication. These setups are crucial because they give you more control over the protocols that are in place and remove human error from the process.
Strict access control for employees
There is a need for strict access control for anyone who needs to use the network. At the basic level, you need two-factor authentication or multi-factor authentication. On top of strong authentication practices, you should implement role-based access control (RBAC) to make sure that if anything does happen, you will be able to mitigate the damage inflicted on your IT assets.
With RBAC, employees can only access files that are critical to their roles. This makes it harder for hackers to gain full access to business data. Also, even if they get access, their possibilities will be limited.
Disaster recovery and backup services
This is imperative for basically every organization, regardless of their office structure. A robust backup and recovery plan is something that could potentially save your organization numerous times. It doesn’t just help you stop hackers from stealing your business data, because you can erase everything and restore from the backup, but it also protects it against natural disasters.
You need to make sure that you keep a full disaster recovery plan in place to cover any potential problems that can come up.
Network monitoring
Strong network monitoring practices help you catch problems before they become serious threats. With network monitoring, you are watching your network for anything unusual, suspicious activities, malicious code, or unauthorized access. When you take a proactive approach, you start noticing little things that might take down your network and you will be able to stop them in a timely manner.
Patch management
Keeping work-related devices up to date can be a simple way to reduce potential attack vectors. The challenge is that patch management can become a monumental task as your business and workforce evolve.
Patching your software regularly is mandatory because it will address security issues that exist in your system. These security issues can be exploited by perpetrators to gain unauthorized access to your network.
DNS Filtering
When your employees are working from home and are outside of the protection of the corporate firewall, a DNS filtering solution can help prevent a malware infection keeping your corporate data and your employees’ devices safe. By redirecting users’ web traffic through a cloud-based, DNS security solution, businesses can enforce web access policies, block malicious websites, ensure regulatory compliance, and stop threats at the network’s edge.
Mobile Device Management (MDM)
MDM is hugely important with distributed workforces. It allows you to monitor and manage the devices your staff utilizes. If something suspicious occurs, you can lock down and wipe the device before hackers have a chance to access the data (or your network). Mobile Device Management will ensure that any device used by employees is as secure as possible. This helps a lot, especially if you have a bring your own device policy in place.
IT Security Training
Creating good habits is crucial when it comes to hybrid workforce. It is not enough to simply install security software and monitor your network. You need to make sure that your staff knows what good security practices look like. That’s where training sessions come in. You can’t rely on people reading through documentation and remembering everything.
Security training gives you and your team hands-on experience that helps you learn the best security practices. It includes security drills, like sending out fake phishing emails to employees to make sure the training sticks. All it takes is one employee not paying attention when they check their email to compromise your entire organization.
Looking for help securing your hybrid workspace?
We have been helping organizations secure their offices for more than 16 years and have the skill set necessary to implement strong remote working practices. We can also train your team on the best IT security practices and help create good habits that are going to keep your company safe.
As the world adapts to new ways of working, the security needs of these setups are slightly different from the needs of the traditional office structure and will continue to evolve.
Most Common Types Of Malware
/in IT Security /by MihaiMalware uses a vulnerability to breach a network when a user clicks a dangerous link or downloads/opens an email attachment, common methods used to install malicious software inside the system. The term malware includes various types of threats including spyware, viruses, and worms.
Malware and malicious files inside a computer system can:
Types of Malware
Ransomware is an increasingly popular type of malware that denies access to the victim’s data, threatening to publish or delete it unless a ransom is paid. Advanced ransomware uses cryptoviral extortion, encrypting the victim’s data and making decryption impossible without the decryption key.
Viruses attach themselves to executable code or associate themselves with files by creating a malicious file with the same name but with an .exe extension.
Worms are often installed through email attachments, sending copies of their source code to every contact in the infected computer email list. Unlike viruses, they do not attack the host, being self-contained programs that spread across networks and devices. Worms are frequently utilized to overburden email servers to conduct denial-of-service attacks.
Trojans are programs hiding inside other programs for malicious purposes. Unlike viruses, a trojan does not replicate itself and it is commonly used to establish a backdoor that can be exploited by hackers.
Spyware is what we call a software installed to collect data about users, their systems or browsing history, sending the captured data to a hacker. The attacker can then use the information for blackmailing purposes or to download and install other malicious programs.
Keyloggers are similar to spyware, except that they track the victim’s activity. Everything the victim types in is sent to the hacker and can eventually be used for blackmail or identity theft.
Which devices can be affected?
No device is immune to malware.
Also, both Android and iOS mobile devices can be infected with malware. Many types of mobile-specific malware are spread via SMS, besides the standard email vectors.
Common symptoms of malware infection
The most common signs that your device has been compromised by malware are:
The more of these common symptoms you see, the higher the likelihood your device was infected.
How to protect your data against malware
Even though there are a lot of types of malware out there, there are solutions and tips your staff can implement to protect your business against such threats.
Protect your devices.
Keep your operating system and applications updated. Hackers look for vulnerabilities in old or outdated software, so make sure you install updates as soon as they become available.
Never click on a link in a popup. Just close the window and never revisit the website that generated it.
Only install apps you need and use regularly. If you no longer use an app, it is advisable to uninstall it.
Use a mobile security solution. Malware and adware campaigns are getting increasingly popular, so make sure your mobile devices are protected against such threats by utilizing a top-tier mobile security solution.
Do not lend out your smartphone or leave your computer unattended. Also, in case your default settings have been changed, or a new app has mysteriously appeared, this might be proof that spyware or a keylogger has been enabled.
Avoid clicking unknown links. Whether it comes via email, a social account, or a text message, if a link seems suspicious, stay away from it.
Only use known and trusted websites. So, avoid risky websites, such as non-HTTPS websites.
Keep an eye on emails requesting personal information. If an email appears to come from your bank and instructs you to click a link to reset your password or access your account, do not click it. Go directly to your online banking website/app and log in there.
Pay extra attention to downloads and other software purchases.
Make sure you purchase security software from respectable companies using their official stores.
Don’t utilize jailbroken or rooted devices, in order not to put your data at risk.
When looking for your next favorite app, make sure you read app reviews first, utilize only official app stores, and if something looks fishy, it would be safer to avoid it.
If you are concerned that your device may be infected, run a scan using a security software you trust.
Do not open an unexpected email attachment, even if it came from a friend or someone you know.
With these tips and a reliable security software, you will be on your way to protecting your data and devices from all kinds of malware.
Denial-of-Service & Distributed Denial-of-Service Attacks
/in IT Security /by MihaiA denial-of-service attack overwhelms the system’s resources so that it cannot respond to service requests. A distributed denial-of-service attack is also an attack on system’s resources, but it is launched from a considerable number of other host machines that are infected by malicious software all controlled by the perpetrator.
Unlike attacks that are designed to enable the attacker to gain or increase access, denial-of-service does not provide direct benefits for attackers, unless the attacked resource belongs to a business competitor, then the benefit to the hacker is real and measurable. Another purpose of a DoS attack can be to take a system offline so that a different kind of attack can be subsequently launched.
There are several types of DoS and DDoS attacks. The most common are ping-of-death attacks, TCP SYN flood attacks, teardrop attacks, smurf attacks, and botnets.
Ping of death attacks
This type of attack uses IP packets to ping a system with a packet size of over the maximum of 65,535 bytes. IP packets of this size are not allowed, so the attacker will fragment the IP packet. Once the target system reassembles the packet, it can experience buffer overflows making the system vulnerable.
Ping of death attacks can be avoided by using a firewall that checks the total size of fragmented IP packets.
TCP SYN flood attacks
This type of cyberattack aims to make a server unavailable to legitimate traffic by consuming all available server resources. The attacker floods the target system’s connection queue with initial connection request (SYN) packets, but it does not respond when the attacked system replies to those requests. This causes the victim’s system to time out while waiting for the response from the attacker’s device, which makes the system unavailable when the connection queue fills up.
To counter such cyberattacks, you should consider setting up a firewall to stop inbound SYN packets and you can also increase the size of the connection queue while decreasing the timeout interval on open connections.
Teardrop attacks
This attack involves sending fragmented packets to a machine. The attacked system attempts to reconstruct packets during the process but fails and eventually crashes.
If you do not have patches to protect against teardrop attacks, then you should disable SMBv2, and block ports 139 and 445.
Smurf attacks
By utilizing IP spoofing and Internet Control Message Protocol (ICMP) echo requests, hackers can overwhelm a target network with traffic. These ICMP requests originate from a spoofed “victim” address. For instance, if the victim’s IP address is 10.0.0.90, the attacker would spoof an ICMP echo request from 10.0.0.90 to the broadcast address 10.255.255.255. This request would go to all IPs in the range, with all the responses going back to 10.0.0.90, overwhelming the network. Unfortunately, this process can be automated to generate huge amounts of fraudulent network traffic.
To protect your devices from a smurf attack, you should disable IP-directed broadcasts on the routers. This will prevent the ICMP echo broadcast request at the network devices. Another solution would be to configure the end systems to not respond to ICMP packets from broadcast addresses.
Botnets
Botnets are a network of computers infected with malware under the hacker’s control. These bots are used to execute attacks against a victim’s system, often overwhelming the target system’s bandwidth and processing capabilities. These DDoS attacks are difficult to trace because botnets are located in different geographic locations.
Botnets can be mitigated by RFC3704 filtering that denies traffic from spoofed addresses and traces traffic to its correct source.
Another solution is black hole filtering, which rejects undesirable traffic before it enters a network.
Conclusion
NetScout Systems, a network performance software vendor, reported that in the first half of 2021, threat actors launched 5.4 million DDoS attacks. More than 50% of those were DDoS extortion attacks in the financial industry.
According to Kaspersky, in the last quarter of 2021, the total number of DoS attacks increased by 52%, compared to previous quarter, and 4.5 times higher than in Q4 of 2020.
As businesses and financial institutions evolve, it is essential to have a cybersecurity strategy in place that includes not only professional human intervention, but also automated solutions that can detect and block modern DDoS attacks.
Types Of Cybersecurity Attacks
/in IT Security /by MihaiA cyberattack is a deliberate attempt to breach the information system of an individual or an organization. Below we describe some of the most common types of cyberattacks.
Man-in-the-middle (MitM) attacks
This type of attack occurs each time a hacker gets fraudulent access to a client-server or other private communication. The most common types of man-in-the-middle attacks are the following.
Session hijacking occurs when an attacker hijacks a session between a trusted client and a server. The attacking device will replace its IP address with the one of the trusted client. If the server continues the session, the attack is successfully executed.
IP spoofing is utilized to disguise the attacker’s IP, usually with randomized numbers. IP stands for Internet Protocol, which is the set of rules governing the format of data sent via the internet or local network. The IP address is the identifier that allows data to be sent between devices on a network: they contain location information and make devices accessible for communication.
To prevent such attacks, organizations rely on deep packet inspection (DPI) solutions, which utilize granular analysis of all headers not just the IP address.
A replay attack occurs every time a hacker intercepts and saves old communication and then reopens a discussion, impersonating one of the participants.
To counter such attacks, IT security teams utilize session timestamps and a cryptographic nonce “number only used once” which is a random number that can be used just once in a cryptographic communication.
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
A denial-of-service attack overwhelms a system so that it cannot respond to service requests. Similarly, a DDoS attack targets the system’s resources, but it is launched from several host machines controlled by the perpetrator.
Unlike cyberattacks that are designed to penetrate a system to get unauthorized access, DoS attacks do not provide direct benefits for attackers. However, if the targeted resource belongs to a competitor, then the benefit to the attacker can be measured.
A DoS attack can also be used to take a system offline to facilitate a different kind of attack.
There are several types of DoS attacks, such as teardrop attacks, botnets, etc.
Drive-by download attacks
Generally, the drive-by download attack is utilized for spreading malware. Hackers often look for insecure websites and exploitable vulnerabilities to include malicious scripts into HTTP or PHP code on some of the pages. These scripts might easily install malware directly onto the victim’s device if she/he visits the website, or it might redirect the victim to a second website controlled by the hackers.
A drive-by download will target an app or a web browser that is vulnerable due to lack of updates.
To protect your organization against such attacks, you should keep your browsers and operating systems up to date and avoid loading unsecure, suspicious websites.
Phishing & spear phishing attacks
Unfortunately, phishing attacks are increasingly popular among hackers. This type of cyberattack usually involves sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing victims into taking certain action.
Such an attack combines social engineering and technical methods. It could be an email attachment or a link to an illegitimate website that can trick you into downloading malware or disclosing personal information.
Spear phishing is a targeted type of phishing activity. Attackers closely investigate their targets and create messages that are personal and relevant. Therefore, spear phishing can be very hard to identify and even harder to defend against.
Hackers usually utilize email spoofing for conducting spear phishing attacks. Basically, they change the sender’s email address, making it appear as if it is coming from someone you know, maybe a manager (e.g. CEO fraud) or a colleague/partner.
To reduce the risk of being phished, you should apply the following suggestions:
Analyze any email you consider suspicious.
Move your mouse over the suspicious link, but do not click it! Just move your mouse cursor over the link to see the destination URL.
Email headers define how an email got to your address. The “Reply-to” and “Return-Path” parameters should lead to the same address included in the email.
Password attacks
As we all know, passwords are the most used mechanism to authenticate to any information system. Access to a person’s password can be obtained by using social engineering, gaining access to a password database, etc.
Two of the most common password attacks are brute-force attacks and dictionary attacks.
The brute-force attack occurs when hackers or preconfigured bots try many different combinations, such as old passwords, stolen personal information, etc.
The dictionary attack involves a dictionary of common passwords that is used to attempt to gain access to a user’s computer and network.
To protect against dictionary or brute-force attacks, you should implement an account lockout policy that will block any login attempt after a few invalid user/password combinations.
SQL injection attacks
SQL injection has become a common issue with database-driven websites. It occurs when the hacker executes SQL queries to the database via input fields.
A SQL injection attack can allow the perpetrator to read information from the database, insert, update, or delete database data, execute admin operations, recover the content of a certain file, etc.
To protect your organization from a SQL injection attack, apply the least privilege model of permissions in your databases.
Cross-site scripting (XSS) attacks
XSS attacks use third-party resources to run scripts in the victim’s browser or application. The attacker injects malicious JavaScript into a website’s database. When the victim loads a web page, the server transmits the page with the attacker’s payload as part of the HTML body to the victim’s browser, which executes the malicious script. For instance, it might send the victim’s cookie to the attacker’s server, and the perpetrator can extract it and use it for session hijacking.
To defend against such cyberattacks, always make sure that you treat anything that generates data from outside your system as untrusted. Validate all the input data and create a whitelist of known, acceptable input. Examine and remove unwanted data.
Malware attacks
Malicious software can be described as unwanted software that is installed within the victim’s information system. There are many types of malware that hackers use such as: macro viruses, file infectors, polymorphic viruses, trojans, etc.
Conclusion
A good defense requires understanding the offense. Unfortunately, attackers have many options, such as DDoS assaults, malware infections, and brute-force password attacks trying to gain unauthorized access to business data.
Measures to mitigate these threats vary, but IT security basics stay the same. So, keep your systems and anti-virus databases up to date, regularly train your employees, configure your firewall to whitelist only the specific ports and hosts you need, keep your passwords unique and strong, use a least-privilege model in your IT environment, make regular backups, and continuously audit your IT systems for suspicious activity.
What To Do After A Data Breach?
/in IT Security /by MihaiAll organizations face the risk of a data breach because of a cyberattack or another type of security incident. Recovering from such an incident could be complicated, no matter how big or small your company is, especially if sensitive data is exposed.
How To Respond To A Data Breach?
If your business is the victim of a data breach and you are wondering how to react efficiently, consider the following steps to help minimize the impact.
Contain The Security Breach
Some people might be tempted to delete as many files as possible after a data breach occurs, but preserving evidence is crucial to assess how the breach occurred to prevent it from happening again.
Firstly, try to determine which servers, applications, and/or devices have been compromised and contain them as quickly as possible to ensure that the attack does not spread and damage more assets.
To stop an attack from spreading within your network, you should disconnect the affected servers and take your network offline as quickly as possible.
Change the credentials for all your critical accounts and servers.
If your IT staff is not specialized in digital forensics you may want to hire a specialist to conduct the investigation.
Assess the Security Breach
You need to determine the root cause of the breach within your system to help prevent the same kind of attack from happening again.
If you have discovered that you are a victim of a broader attack that targeted multiple organizations, follow updates from authorities charged with monitoring the situation and report accordingly.
Key Aspects:
You need to identify who has access to the servers that were compromised, which network connections were active when the breach occurred and how was the attack initiated.
You may be able to pinpoint how the attack vector penetrated your system by checking your firewall logs, your antivirus program, the email service, or your Intrusion Detection System.
You also need to find out who may have been affected by the breach, including employees, customers, and third-party vendors.
Assess how severe the data breach was by identifying what information was targeted, such as mailing addresses, specific accounts, credit/debit card numbers, etc.
Data Breach Notification Plan
Communicate with your staff and let them know what happened. Define clear authorizations for team members to report on the issue both internally and externally. Remaining on the same page with your team is paramount while your business is recovering from a security incident.
You may need to consult with your legal team to figure out the best way to avoid a legal hassle.
If you don’t have a cybersecurity plan in place or an IT security team to handle such situations, StratusPointIT professionals can help you defend against and recover from IT security incidents.
Key Aspects:
Notify your cyber insurance provider.
When a cyber event occurs, your insurance company may have experts who will walk you through the proper response steps. Contact your insurer as quickly as possible to limit the consequences of such an attack and for planning the next steps.
Notify your customers.
Communication is key to maintaining a positive, professional relationship with your customers. Provide them with means to specifically ask questions related to the breach.
Your employees should be aware of your organization’s policies regarding data breaches. Also, consider restricting your employees’ access to sensitive data based on their job roles and regularly train them about how to prepare for a data breach and how to avoid one.
Prevention Methods
The FBI has provided additional tips that can help businesses protect themselves against cyber incidents.
Never download attachments or click links within emails received from senders you do not recognize.
Do not provide usernames, passwords, social security numbers, financial data, or other personal information in response to an email or phone call.
Avoid using the same password for multiple accounts.
Your organization must evaluate the technologies in place and invest in more up-to-date solutions to ensure best protection.
Make sure you review and update information security policies, business continuity plans, and data breach response plans.
Also, conduct frequent security checks to help reduce the likelihood of a similar incident occurring again in the future and educate your staff about data breach protocols.
A data breach can be undoubtedly stressful, but if you take the necessary steps, it can make your business better prepared next time a similar incident occurs.
How to create an incident response plan?
/in IT Security /by MihaiAn incident response plan is a well-documented plan that includes a series of phases that helps IT security professionals recognize and properly react to cybersecurity incidents.
According to Gartner, the SANS Institute (founded 1989) is one of the world’s premier cybersecurity training organizations. The SANS Institute methodology includes 6 incident response phases as follows: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Within each phase, there are specific areas that should be considered. Next, we will analyze each phase and identify the items that need to be addressed.
The Preparation Phase
This phase is all about ensuring your employees are properly trained regarding their incident response roles and responsibilities in the unfortunate event of a data breach.
Make sure all aspects of your incident response plan (security training, hardware, software resources, etc.) are approved and funded in advance.
Thoroughly explain and document everyone’s roles and responsibilities. This phase must be tested to assure that your employees will perform as they were trained. The more prepared your employees are, the less likely they will make critical mistakes.
Make sure that everyone has been trained on security policies, that your incident response team know their roles and have participated in mock drills.
This is also a good time to update and patch your systems, review your remote access protocols, change all user and administrative access credentials, and harden all passwords.
The Identification Phase
During this phase the security team will determine whether your organization systems have been breached. A cybersecurity incident could originate from many different areas.
Briefly, you will acknowledge how and when the incident was discovered, also who discovered it. You will follow the necessary steps to identify the source (point of entry) of the attack vector. Then you will assess how it affects your operations.
The Containment Phase
When a breach is first discovered, people are usually tempted to securely delete everything so they can just get rid of it. This approach will likely hurt the organization in the long run because you will be destroying valuable evidence that your IT security team will need to determine where the breach started and create a plan to prevent it from happening again.
Instead, contain the breach, quarantine the malware you have identified, so it does not spread and cause further damage to your business. If you can, disconnect affected devices from the Internet.
Have short-term and long-term containment strategies in place. Keeping up-to-date backups is essential to restore your business operations.
The Eradication Phase
Once you have contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be patched, and updates should be applied.
Whether you do this in-house, or hire a third party to handle it, you need to be thorough. If any piece of malware or security vulnerabilities remain in your systems, you may still be losing valuable data, and the liability will only increase.
The Recovery Phase
This is the process of restoring the affected systems back to a pre-attack version. During this time, it is important to get your systems, devices, and business operations up and running again.
Make sure you monitor the situation, especially the systems/apps that were previously affected to ensure similar attacks will not reoccur by updating your security incident response plan accordingly.
Lessons Learned
Once the assessment is complete, gather all incident response team members and discuss what you have learned from the security incident. At this point you will analyze and document everything about the breach.
Documentation may be used for data breach insurance. This can save the company from prospective legal costs and fines, not to mention the brand damage associated with a data breach which can be harsh for a business, especially if the organization is a startup.
Identify what worked well in your response plan, what changes need to be applied, what weakness did the breach exploit, etc. All the lessons you learn are valuable and will strengthen your organization against future cyberattacks.
No one wants to go through a security incident, but it is essential to prepare for one. Know what to do when it happens and regularly test your plan’s efficiency. For this purpose, regularly orchestrate cyberattacks to test your organization’s incident response plan and how fast your team reacts. This habit will generate at least two important results: a deep understanding of your plan (tasks, processes) and a list of gaps that should be addressed. If there is room for improvement, all changes must be properly documented for them to have real, lasting value for your security operations team.