When you ask a cyber security professional or organization for the top current cyber security threats, you're liable to get a different list from each one. For example, a recent internet search returned a dozen such lists for 2022 alone. However, one famous consistent list is the OWASP Top Ten, a list of the top ten web application security risks (for 2021, the top one was "Broken Access Control"). Some items on the list may seem obscure for anyone other than web software designers, but some, such as "Insecure Design," should be clear to everyone.
Here I'll share five threats that have caused major havoc for organizations.
1. Authentication Issues
Authentication is, and has been, a serious issue for individuals, organizations, and developers. The goal of any authentication system is for a user (or device, but that's a different issue) to prove an identity to a computer system. That system could be a local device such as a laptop or phone, or a remote one such as a server or website. Traditionally, authentication requires the user to memorize passwords, PINs, or other secrets.
Though it's easy to create a strong password, the problem is that human memories don't like learning strong passwords or lots of unique passwords. That leads to choosing and reusing simple, easy-to-remember passwords that other people (or computers) can guess, or that someone can observe the user typing.
I discuss this and some alternatives, such as password managers, in the recent post in this series, Cyber Essentials: Time to Pass on Your Passwords.
2. Social Engineering
Kaspersky defines social engineering as "A manipulation technique that exploits human error to gain private information, access, or valuables." *1 That is, bad actors try to manipulate people into doing things they would not ordinarily do. I discussed one aspect of social engineering in the recent post on Phishing Attacks, but there are other sides to it, too.
Consider a person in a delivery uniform laden down with packages. The delivery person appears at the entrance to a building and cannot open the door due to the packages. When an unsuspecting person opens the door, the "delivery person" enters the controlled area without any authentication. People believe the uniform and the packages enhance the actor's believability. The person opening the door sees the actions as "helping," even though it could be a significant security compromise.
Another example of social engineering is an attacker asking simple questions of multiple employees at a single company to collect information. Each employee may only be asked for a small detail, but the attacker can piece those details together to get a much fuller picture of a project or organization.
These are just a few examples of social engineering attacks. The best defense is educated users with a healthy dose of skepticism. The old adage, "loose lips sink ships," is as accurate as ever. It is critical to be wary of the risks at home and work. At home, we need to educate spouses and children, and at work, we need to educate employees (and contractors!) at all levels. The key is awareness!
Malware is a significant issue for many organizations and individuals. The malware most people think of first is viruses. Through some user action, such as opening an attachment or running a download, the user installs software on a device that can corrupt data, steal passwords, or remove files. The Swiss Cyber Institute published a list of the six worst viruses of all time. Some of those were very destructive.
Most general-purpose computers, servers, and many phones have antivirus software today. Antivirus programs work to discover and deactivate or remove multiple types of malware. That's good. The software and the lists of viruses need to be updated daily, and most are. That's good, too. Some viruses are tricky, though: they change how they work, making them difficult to find. Plus, antivirus software could be better: different tools miss different viruses.
Another type of malware is the worm. It sends copies of itself to other computers on a local network or the internet. Ransomware is often spread throughout a local site by a worm.
Zero-day exploits are a significant threat to organizations and individuals in the digital world. A zero-day exploit takes advantage of a vulnerability in software or hardware that has not yet been discovered or addressed by the manufacturer. These exploits allow attackers to gain access to sensitive information or cause damage to computer systems, leaving organizations and individuals vulnerable until a patch or solution is released. The fact that zero-day exploits go unnoticed makes them particularly dangerous, as they can be used without the victim's awareness.
To minimize the risk of a zero-day exploit, organizations and individuals should implement regular software and security updates and proactive measures such as firewalls and antivirus software. Education and awareness of the dangers of zero-day exploits are also crucial to prevent falling victim to these threats.
Ransomware has been big news. Multiple sites are hit daily with malware that encrypts all an organization's data with the promise that it can be recovered when the victims pay a ransom, usually in cryptocurrency such as Bitcoin. Unsurprisingly, the costs for larger organizations can be in the millions of dollars.
One of the most effective ways to defend against such attacks is by implementing backup strategies. Backing up sensitive data regularly helps ensure that critical information remains intact, even after a successful ransomware attack. However, backups won't prevent a hacker from leaking sensitive information, like patient data and social security numbers, in retaliation for an unpaid ransom request. In addition to backup strategies, antivirus software can also play a significant role in protecting against ransomware attacks if the software is kept up to date.
Ransomware is often delivered via phishing e-mails but can also come through text messages to company phones. A single click on a dangerous link can compromise a whole enterprise. Many antivirus tools come with varying levels of protection, but organizations are still being attacked.
5. Configuration Issues
Let's face it — human beings make mistakes. A door intended to lock automatically at 5 pm is mistakenly programmed to lock at 5 am. A software package feature is enabled rather than disabled by default, weakening security. The default for the minimum length of passwords is unset (rather than set to 12 characters as policy specifies), allowing a user to use "123456" as a password (which happens to be the most common password in 2022). A simple typo causes a critical device to fail. There are myriad such instances every day.
The best defense against these issues is to have an additional person double-check for any security misconfiguration. So again, it's that "trust but verify" concept.
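As an added illustration of that second check (example code, not from the original post), here is a small Python audit that compares a deployed configuration with written policy and reports every deviation, including the three mistakes described above: the lock-time typo, the feature left enabled, and the unset minimum password length. The config keys, values and policy are constructed for this example.

```python
"""Automated double-check of a security configuration against written policy.

Added example (not from the original post). The INI text below is a
constructed sample of what a deployed system actually has; POLICY is what
the organization's written policy requires for the same keys. All names
and values are hypothetical.
"""
import configparser

DEPLOYED_CONFIG = """
[doors]
front_lock_time = 05:00

[features]
remote_admin = enabled

[passwords]
# min_length deliberately missing: the vendor default is "no minimum"
"""

POLICY = {
    ("doors", "front_lock_time"): "17:00",
    ("features", "remote_admin"): "disabled",
    ("passwords", "min_length"): "12",
}


def load_config(text):
    """Parse an INI-style configuration string into a ConfigParser."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def audit_config(cfg, policy):
    """Return (section, key, actual, required) for every setting that deviates.

    A missing key is reported with actual=None: an unset value silently falls
    back to the vendor default, which is exactly the "unset minimum length"
    mistake that lets "123456" through.
    """
    findings = []
    for (section, key), required in policy.items():
        actual = cfg.get(section, key, fallback=None)
        if actual != required:
            findings.append((section, key, actual, required))
    return findings


def effective_min_length(cfg, vendor_default=0):
    """Minimum password length the system will actually enforce."""
    return cfg.getint("passwords", "min_length", fallback=vendor_default)


if __name__ == "__main__":
    config = load_config(DEPLOYED_CONFIG)
    for section, key, actual, required in audit_config(config, POLICY):
        print(f"[{section}] {key}: found {actual!r}, policy requires {required!r}")
    print("effective minimum password length:", effective_min_length(config))
```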
All these issues are, at their core, human issues. Sure, some software or hardware can fail, but using weak passwords, falling for the manipulation of social engineers, visiting a site that delivers malware and leads to ransomware, and not requiring configuration verification are all human flaws.