IT Security Archives | TierPoint, LLC

Navigating the Cyber Threat Landscape in 2023
https://www.tierpoint.com/blog/cyber-threat-landscape/ (Thu, 22 Jun 2023)

The days when you could be covered by just having firewalls and antivirus software are now long gone. Today’s cyber threat landscape is becoming more complex by the day. What do businesses need to know to navigate the cyber threat landscape in 2023?

What is the Cyber Threat Landscape?

Any potential or acknowledged threats that can impact organizations, user groups, or are specific to certain industries can be included in the cyber threat landscape. This landscape changes all the time – new and emerging threats and new combinations of threats rise in popularity as criminals become more sophisticated and technology advances.

Why Understanding the Cyber Threat Landscape is Important

Like most things, understanding what you’re up against is the first step in learning how to identify and address it. Businesses that take the time to understand the cyber threat landscape will be able to single out risks, prioritize based on urgency and impact to the business, develop security and disaster recovery plans that will truly address the most critical threats, and ensure compliance with necessary regulatory organizations.

Cyber Threat Landscape Potential Impacts

Organizations that fail to take the time to evaluate the threat landscape can experience the following negative consequences:

  • Financial: Financial consequences can stem from cyber threats in a number of ways. A data breach that reveals sensitive information can lead to increased expenses for the company or lost revenue as customers decide to take their business elsewhere. If trade secrets are revealed, the competition may be able to gain the upper hand and encroach on previously unoccupied territory. Companies that choose to pay when their data is encrypted with ransomware may lose money and still not recover their data. Paying premiums for cyber insurance coverage or trying to regain lost ground after a cyber attack can also be a costly endeavor.
  • Reputational: When an organization experiences a cyber attack, the reputational damage may be greater than the initial financial damage. Some customers or vendors may never feel they can trust a company again after their information is compromised, and they too may take their business elsewhere.
  • Operational: Supply chain attacks can create far-reaching operational consequences. When attackers target a company’s suppliers, the disruption can cause material shortages, price hikes, and financial losses. Operations can also grind to a halt when a business experiences a ransomware attack or a data breach.
  • Legal: Certain industries and data types are governed by regulations that dictate protective measures that should be in place and/or remediating measures a company should take after experiencing a cyber attack. If a business is not compliant, consequences can include fines and other sanctions.

What Are Some of the Most Common Cyber Threats?

Eight of the most common cyber threats include phishing, ransomware, extortion attacks, malware, malicious apps, DDoS attacks, data breaches, and zero-day attacks.

Phishing

Phishing is a common attack vector that relies on social engineering to get people to take a desired action. Social engineering is a tactic that may use impersonation, emotional manipulation, or other appeals to human emotion to elicit the desired response.

With phishing, a bad actor will generally send an email or text message under the guise of a legitimate source with the goal of getting the recipient to click on a malicious link or provide personal or sensitive information.

The act of phishing may be highly targeted with a tactic called spearphishing, where personalized information is included in the message to add legitimacy.

Ransomware

A business that is attacked with ransomware may find they are locked out of sensitive data or data that is vital to their daily operations. A cybercriminal will encrypt the data and demand the victim pay a ransom in order to receive a decryption key or other method to access their data again. Organizations that don’t have backup and data recovery solutions can find themselves particularly prone to this kind of attack.

Extortion Attacks

While extortion attacks may be done in tandem with ransomware attacks, they can also be a distinct attack vector. Bad actors who have accessed an organization’s data will threaten to leak some or all of it unless a ransom is paid.

Two increasingly popular forms of extortion attacks include double or triple extortion. In double extortion, the attacker threatens the organization at the corporate level, but in triple extortion, the threat can extend to the customers or end users who may not want their personal information getting out.

Businesses looking to protect their users or have something go away quietly may find themselves tempted to pay the ransom. Most attacks that are “successful” from the criminals’ side owe that success to the addition of double or triple extortion tactics.

Malware

Malware may feel like a “vintage” threat, but it is still very much in use today. Typically arriving as computer viruses or spyware picked up through internet use, malware is often combined with other popular cyber threats, including ransomware and phishing. Employing firewalls and keeping software up to date helps protect against malware, but businesses also need to keep pace with increasingly sophisticated attacks.

Malicious Apps

Malicious apps are one type of malware that can steal personal information from users if they are installed on mobile devices. They may also have tracking capabilities or be able to send spam messages to other users.

DDoS Attacks

A distributed denial-of-service (DDoS) attack is designed to flood the targeted victim with more requests than it is able to shoulder, leading to a shutdown and lack of accessibility to the system. Sometimes a group of attackers can leverage a DDoS attack, and other times, one individual can carry it out using bots. Large amounts of traffic might be sent to IP addresses, websites, or DNS servers in an attempt to limit access or shut down operations.

Data Breaches

Many different attacks may be involved in a data breach, including phishing or ransomware. In a data breach, sensitive company data (e.g., employee login information or files) or user data (e.g., birthdays or email addresses) is exposed to people who should not have access.

Zero-Day Attacks

Cybercriminals are ready to pounce on recently discovered vulnerabilities, and this is where zero-day attacks come into play. These are vulnerabilities that are found before a developer is able to patch the software and can cause further problems for companies that don’t have a solid plan for patching or vulnerability management.

Emerging Cyber Threat Landscape Trends

New technology, and combinations of existing tactics, mean that the cyber threat landscape will continue to expand and evolve as time goes on.


Artificial Intelligence

AI-powered tools have started to enter the mainstream, with AI writing assistants, programming tools, project management software, and more. However, the benefits of new technology often come with downsides as well. AI can be used to power social engineering attacks such as phishing by creating more realistic messaging and even spoofing the voices of key figures in a company. Because AI can also automate formerly manual processes, it can be used to find and exploit software vulnerabilities at a faster rate. The efficiency afforded by AI is a double-edged sword for businesses that may fall victim to more efficient and effective attacks.

Cloud Security

Major cloud providers offer several security measures for clients, but that doesn’t mean that cloud environments are immune from incoming threats. Data breaches can happen as a result of cloud service vulnerabilities or compromised data on the employee side. Misconfiguration and human error can pose major threats to critical infrastructure.

Exploiting IoT Devices

Internet-connected devices, including fitness trackers, medical trackers and smart thermostats, are called “Internet of Things” (IoT) devices. These devices can be subject to attacks due to oftentimes more lax security controls, such as end users failing to update default network settings. Attackers can use their access to control devices or steal data.

Combined Cyber Attack Methods

In addition to double/triple extortion and malware combined with ransomware, cybercriminals are combining other attacks to deliver more effective one-two punches:

  • Ransom DDoS: Attackers launch a DDoS attack and promise to lift it once a ransom is paid.
  • Exploit packs: Amateur hackers can buy ransomware as a service (RaaS), malware kits, and compromised system credentials on the dark web.
  • Cybercriminal gangs: Some criminals have joined forces and formed alliances with other criminals or groups that have other specialties. This might look like one group infiltrating data and another group exfiltrating it.
  • Software supply chain attacks: Supply chain attacks have been on the rise, but now, software supply chains are also at risk. Open-source environments, including GitHub and Linux, may have vulnerabilities that can impact thousands or millions of users who share a repository.

How to Protect Against the Cyber Threat Landscape

While knowing about the cyber threat landscape can take you far, gaining visibility on your own attack surface and implementing appropriate security measures are steps you can take to protect your organization against incoming cyber threats.


Understanding Cyber Attack Types

When you understand what different cyber attack types entail, you stand a better chance at defending against them. Different threats behave in different ways, infiltrate different parts of your environment, and may target specific types of information or people in the company. Understanding which cyber attack types are most likely to impact your business can help you prioritize your security strategy.

Gain Visibility into Attack Surface

Once you know what to look for, you need to gain visibility on the attack surface. Monitoring tools can help with this, especially tools that allow you to see across environments if you’re running multiple clouds or have a hybrid environment.

Use Defensive Measures

Any defensive measures you include will provide additional fortification around your business, and there’s really no such thing as being too protected. Here are some things you might want to incorporate:

  • Multifactor authentication and strong passwords
  • A plan to keep software up to date and patched
  • Training programs for employees to learn about phishing and common cyber attacks
  • Firewalls, antivirus software, XDR and DDoS protection
  • Disaster recovery and business continuity planning

Reduce the Overwhelm of the Cybersecurity Threat Landscape with an IT Security Partner

It’s no longer good enough to simply react to threats. The best way to protect yourself against whatever the cybersecurity threat landscape has in store is by engaging in proactive security measures. TierPoint offers IT security services including disaster recovery, cybersecurity, advisory, security consulting, and compliance solutions that help businesses stay one step ahead of cybercriminals.

Ready to learn more about the top threats to cloud security and the best defenses against them? Download the full whitepaper today.

FAQs

What is the number one attack vector in the cybersecurity landscape?

Phishing is the most used attack vector in the cybersecurity landscape – attackers will send messages that are often impersonations of identifiable companies or individuals, and victims are tricked into providing personal information or clicking on harmful links.

What is cyber threat intelligence?

Cyber threat intelligence (CTI) includes any information or data that organizations can use to become better informed about the scope and nature of cyber threats, as well as the motivations and entities behind the threats.

What are the three levels of security threats?

Security threats are divided into three levels – low-level, medium-level, and high-level. The higher the level of threat, the more likely it is to cause serious damage and the harder it will be for a business to recover. Low-level threats can include phishing emails, medium-level attacks can include ransomware, and high-level attacks can include supply chain disruptions.

Q&A: What to Know About Cloud Security Architecture
https://www.tierpoint.com/blog/qa-what-to-know-about-cloud-security-architecture/ (Thu, 01 Oct 2020)

Cloud security architecture is daunting. Whether your company has a cloud-first mantra or not, the pressure is on to migrate to the cloud when possible — but without compromising security. That’s a tall order. Cloud security architecture helps decision makers choose what data is suitable for which type of cloud platform and how to keep it safe. At the same time, cloud security architecture needs to work in the context of the business — without getting in the way. In this first post of our cloud security architecture mini-series, we talked to TierPoint’s Cybersecurity Architect, Tyler Reese, to learn about cloud security architecture and how to protect applications and infrastructure.

Defining cloud security architecture & the components

Interviewer: Let’s dive into the topic of cloud security architecture. First, what is it?

Tyler: Sure. Cloud security architecture applies security controls to cloud resources. The purpose is to protect data, such as intellectual property (IP), personally identifiable information (PII), and payment card (PCI) data. Ultimately, the goals of cloud security architecture are compliance, risk mitigation, and protection of the company and employees.

It’s a give and take between protecting the organization and understanding what’s feasible for the business. There’s a requirement to understand the business — what data needs to be protected and what data needs to be made highly available — so that the cloud security architecture is suitable for the business and does not hinder its users.

Interviewer: What is the cloud security architecture model?

Tyler: The cloud security architecture model differs by the type of cloud. There are four common pillars:

Identity and access management for each type of data is the first. That’s a huge focus of cloud security architecture: permissions, accounts, and delegating administration so that if one admin account is compromised, it doesn’t enable access to the entire cloud environment.

Visibility across the cloud computing ecosystem is another pillar. Visibility is needed to ensure the company can identify a risk or incident when it happens.

Regulatory or compliance requirements specific to the business are the third pillar. For example, it wouldn’t be prudent to put healthcare or financial data on a cloud platform where the company lacks visibility or access management control. In addition, the business may need to comply with regulatory consent compliance frameworks, such as GDPR (General Data Protection Regulation) in Europe and CCPA (California Consumer Privacy Act) in the US.

Integration of security into the culture of the organization and all its processes is the final pillar. That’s where DevSecOps comes in. DevSecOps brings together development, security, and operations to make everyone involved accountable for security throughout the development of every application and business project, which really pays off with better security.

Interviewer: How does it work? What are the principles of cloud security architecture?

Tyler: It’s always about a particular cloud service or platform. Cloud security architecture differs greatly from on-premises security architecture and differs greatly by cloud platform because different cloud computing environments have different security threats and security controls. What security architecture has in common across different cloud platforms is an understanding of where data is stored, which could be with a third-party provider that you don’t control or on infrastructure that you do control. In either case, cloud security architecture requires visibility and control over the data.

Application security policies vs. infrastructure security policies

Interviewer: Let’s explore cloud security architecture for applications and infrastructure. Starting with application security policy, what do executives need to pay attention to in order to ensure application security?

Tyler: Web or mobile applications are often the front door to a business. In most cases, the company meets its customers on the Internet via an application — and the app, or a database behind it, is the first target a threat actor tries to exploit. Application security policies range from secure code development, where security controls are implemented during the secure software development life cycle, to extra controls placed in front of applications — such as with an application firewall. The integration of development, quality assurance, and security engineering teams throughout the secure SDLC is a best-practice approach to application security.

At the same time, developers may miss something or the platform itself may have a vulnerability, and that’s where a security control adds value. With machine learning, the security control will learn the application — its normal behavior and functions — which enables the control to block and alert on anomalies and protect the application from threats and emerging vulnerabilities.

Interviewer: How about infrastructure security policies? What do executives need to know?

Tyler: Infrastructure security is well established and time-tested across the IT industry, having matured over decades. Infrastructure security policies include encryption of data at rest, physical security at the data center, and security up the OSI stack such as the data link, network and transport layers, including infrastructure firewall blocking for network traffic.

For stronger infrastructure security policy, more organizations now embrace strict filtering through firewall blocking policy, with explicit rules for inbound — and outbound — security policies. Outbound policies close a potentially large security gap.

Interviewer: How about security policy at the network edge?

Tyler: So when it comes to edge computing and putting the data closer to the consumer, consistent security policy across all ingress and egress points is paramount. Edge security can be controlled centrally via a management plane or a security fabric, such as Fortinet, so configuration changes of point devices are controlled at the core or a central office location for consistency.

Also read: Data Center Knowledge – How Edge Computing Amplifies Security Challenges

More on cloud security architecture

In the next part of this cloud security Q&A series, we’ll look at public cloud security architecture and how to keep data safer in a public cloud. Interested in learning more about security? Read our Strategic Guide to IT Security.

It can be daunting to undertake a cloud security architecture with the resources in your own organization. TierPoint is a managed security services provider (MSSP) and cloud service provider (CSP). Reach out to us to discuss how we can help you.

Four Cornerstones of an Effective Vulnerability Management Strategy
https://www.tierpoint.com/blog/four-cornerstones-of-an-effective-vulnerability-management-strategy/ (Tue, 01 Sep 2020)

Every network is vulnerable to attack, but not every network is vulnerable in the same way. Your unique IT security risk profile depends on several things:

  • the systems you’ve deployed: hardware, software, networking, etc.
  • your processes, such as how often you patch your systems
  • the applications you use to protect your systems from attack, e.g., WAFs and next-gen firewalls
  • your organizational culture, e.g., how security conscious your employees are and how good they are at following the security protocols you set
  • your industry – some types of businesses are just more vulnerable than others

The major components of a vulnerability management strategy

Vulnerability management is a core responsibility of the IT manager, and especially of the CISO or Chief Security Officer. In this post, I’ll cover four core components of an effective vulnerability management strategy and share a few best practices.

Read our recent Forbes Tech Council article: Conquering Fear Is Essential For IT Security

#1 Regular Vulnerability Scans

A vulnerability scan is performed using a specialized software application that inventories all of the systems on your network and looks for vulnerabilities that can be exploited by hackers.

It’s essential to run these scans periodically as known threats change rapidly. Advanced vulnerability threat scanning applications incorporate threat feed analysis from major OS developers, regulatory agencies, and other sources, sometimes updating scanning algorithms as frequently as twice a day.

That’s not to say you need to scan your systems twice a day. It’d probably take too long anyway. However, some key industry regulations require scans be run at specified intervals. For example, PCI DSS requires a vulnerability scan to be run every 90 days. As a best practice, we run scans against our clients’ systems every 30 days unless the announcement of a critical vulnerability triggers an ad hoc scan of either a specific component or the entire network.

Remember, hackers watch those vulnerabilities closely. They know that only a small portion of businesses pay attention to them. A vulnerability announcement tells them exactly what they should try to exploit.

Scans for a single machine can take an hour and are usually performed in response to a known exploit. We usually run scans for our entire infrastructure over a long weekend. The scan doesn’t affect network performance, but if we start on Friday evening, the scan is usually complete by Sunday morning or Sunday afternoon at the latest. This lets us generate reports first thing Monday morning and get them out to the groups that are in charge of those systems.

Also read: Which Cybersecurity Threats Keep This CSO Up at Night—and Which Don’t

#2 Penetration Testing

It’s important to understand that doing a vulnerability scan does nothing to protect your systems. It simply tells you where your vulnerabilities are. The vulnerability scans we do against our clients’ systems give us a baseline for how well they are secured against known threats.

We then take the results of the scan and highlight all the critical flaws, i.e., those that are easily exploited by hackers, including those that aren’t highly skilled. There’s a good reason for this. By the time a critical flaw shows up, there’s probably a threat analysis posted on the dark web, with step-by-step instructions showing non-skilled hackers how they can exploit a known vulnerability to gain access to their targeted victim’s systems.

After we run a routine vulnerability scan, we pick the top ten vulnerable components and run what’s known as a penetration test. That is, using available tools, we try to exploit our infrastructure to see how vulnerable we are to critical threats.

If we were going to try to run these exploits against every system manually, we would need 100 employees just for a company the size of TierPoint. By helping us identify which components are most open to being hacked, vulnerability scans allow us to focus our efforts when dealing with a large infrastructure like TierPoint’s.

Penetration tests are non-destructive tests that validate what the vulnerability scans are telling us. A penetration test goes all the way into the infrastructure to the point where it could run the exploit, but it doesn’t. In essence, it simply provides direction that says, for example, these ports are open, this is a known vulnerability for these ports, and these are the tools that hackers might use to exploit these open ports.

While this seems simple, this direction is incredibly helpful. There are over 65,000 ports that could be opened or closed. Some applications require specific ports to be open, so keeping them all shut isn’t a viable option. When you install a piece of software, you may not even know it’s opening a specific port. A vulnerability scan at least tells me where to focus my efforts, and penetration testing tells me how much effort to put into closing a vulnerability.

And that’s what we need to do next: fix the vulnerabilities identified by the vulnerability scan and prioritized by the penetration testing. The first actionable step is patch management.

#3 Patch Management

Hardware. Operating systems. Applications. All of these components need periodic patching regardless of which vendor created them. For most components, we maintain a 30-day rolling patching window, meaning we don’t patch everything at once, but we do apply patches at least every 30 days. A vulnerability scan and follow-up penetration test can help you identify patches that need to be applied immediately.
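The scan → highlight critical flaws → pen-test the top ten → patch within the 30-day window sequence described above is, in effect, a triage policy. The following is an added example written for this edit (not TierPoint’s tooling or process) that encodes that policy over a constructed set of scan findings: findings confirmed by penetration testing or rated critical go to the “immediate” bucket, anything whose patch is older than the 30-day rolling window is “overdue”, and the rest is “scheduled”. The finding identifiers, hosts, scores and dates are all constructed placeholders, and the 9.0 critical threshold is an assumption, not a number from the article.

```python
from dataclasses import dataclass
from datetime import date

# The rolling patch window the article describes.
PATCH_WINDOW_DAYS = 30

# Assumed severity threshold for "critical"; the article does not give a number.
CRITICAL_CVSS = 9.0


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str          # placeholder ids, not real CVE numbers
    cvss: float              # scanner severity score, assumed on a 0-10 scale
    patch_released: date     # when the vendor published the fix
    pentest_confirmed: bool = False  # exploitability validated by a pen test


# Constructed sample scan output; every value here is made up for the example.
SAMPLE_FINDINGS = [
    Finding("web-01", "FINDING-001", 9.8, date(2020, 8, 25)),
    Finding("web-01", "FINDING-002", 5.3, date(2020, 6, 1)),
    Finding("db-01", "FINDING-003", 7.5, date(2020, 8, 20), pentest_confirmed=True),
    Finding("mail-01", "FINDING-004", 6.1, date(2020, 8, 15)),
    Finding("vpn-01", "FINDING-005", 4.0, date(2020, 7, 15)),
]


def pentest_candidates(findings, top_n=10):
    """Pick the N most exposed hosts (by worst finding) to hand to penetration testing."""
    worst_by_host = {}
    for f in findings:
        worst_by_host[f.host] = max(worst_by_host.get(f.host, 0.0), f.cvss)
    ranked = sorted(worst_by_host.items(), key=lambda kv: -kv[1])
    return [host for host, _ in ranked[:top_n]]


def triage(findings, today):
    """Sort findings into patching buckets per the policy described in the article."""
    # Pen-test-confirmed findings first, then by severity, then oldest patch first.
    ranked = sorted(findings, key=lambda f: (not f.pentest_confirmed, -f.cvss, f.patch_released))
    buckets = {"immediate": [], "overdue": [], "scheduled": []}
    for f in ranked:
        patch_age_days = (today - f.patch_released).days
        if f.pentest_confirmed or f.cvss >= CRITICAL_CVSS:
            buckets["immediate"].append(f.finding_id)
        elif patch_age_days > PATCH_WINDOW_DAYS:
            buckets["overdue"].append(f.finding_id)
        else:
            buckets["scheduled"].append(f.finding_id)
    return buckets


if __name__ == "__main__":
    as_of = date(2020, 9, 1)
    print("pen-test candidates:", pentest_candidates(SAMPLE_FINDINGS, top_n=3))
    for bucket, ids in triage(SAMPLE_FINDINGS, as_of).items():
        print(f"{bucket:>10}: {ids}")
```

The ordering inside each bucket matters as much as the bucket itself: a medium-severity finding that a pen test has actually confirmed exploitable lands ahead of an unconfirmed critical, which is the article’s point about pen testing telling you how much effort to spend.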

Traditionally, many IT leaders have been somewhat wary of applying patches as soon as they are released because their neck is on the line if an application becomes unusable. Vendors can’t possibly test their patches against every commercial application before they release them. It wouldn’t even be worth attempting as the same application can have different vulnerabilities based on how it is configured. So, these IT leaders wait, hoping someone else will uncover any issues before they apply the patch.

That leads to the problem we talked about earlier. When a manufacturer releases a patch, they usually give pretty explicit details on the vulnerabilities being addressed. IT leaders can use this information to assess any potential issues before applying the patch. Hackers will use this information to identify which vulnerabilities to exploit.

#4 Vulnerability Remediation

This cornerstone can cover any number of actions. For example, reconfiguring network components to eliminate a vulnerability is one of the simplest actions to take.

But what if your production environment needs to be configured a certain way for an application to run? If this is a mission-critical application, you might not be able to fix a vulnerability, but you can still lessen the threat by creating a perimeter of security around your network using a variety of threat detection and remediation tools. This would include tools such as WAFs, next-gen firewalls, and log management tools. It would also include best practices in areas such as password management, especially of edge devices, and credentials management.

Also read: Cybersecurity Q&A: What is a Web Application Firewall (WAF)?

Manage vulnerability management yourself or get help?

Each of the four cornerstones of vulnerability management can be executed well with the right tools. The good news is that the average security professional should be able to run these tools. They aren’t all that difficult to use. The harder part is analyzing the results and using the data to prioritize your efforts.

That leads us to the bad news. The majority of organizations apparently haven’t even mastered the basics of vulnerability management. For example, on February 11, 2020, Microsoft released security updates to address a Microsoft Exchange Server vulnerability. In early March, the Department of Homeland Security even issued an alert about the vulnerability and encouraged organizations to go back and review Microsoft’s recommendations.

Apparently, their warning went unheeded. On March 24, Rapid7 ran a scan of public-facing Exchange Outlook Web App (OWA) services and found that at least 82.5% were still unpatched.

If you don’t know where your network vulnerabilities are and which ones are most critical, it’s difficult to focus your vulnerability remediation efforts where they can do the most good. I’ve seen companies spend millions on the latest IT security solutions over the years, thinking if they just applied enough ‘name brands’ to the problem, they’re bound to fill all the gaps in their security perimeter.

Maybe, but it’s an expensive approach with few guarantees.

We can help you identify your IT security vulnerabilities

As a managed security provider, we help businesses address their biggest cloud and security concerns with our secure, reliable, connected IT infrastructure solutions and a nationwide network of 40+ data centers. Contact us today for more information on how we can help you get a good night’s sleep by securing your systems and data.


7 Ways to Protect Against SQL Injection Attacks
https://www.tierpoint.com/blog/7-ways-to-protect-against-sql-injection-attacks/ (Thu, 06 Feb 2020)

In a recent survey of 571 community banks across 37 states, more than 70% of respondents listed cybersecurity as their number one concern. That’s not surprising, as financial services firms are more than 300X as likely to be targeted by a cyberattack than organizations in other sectors. According to data from Akamai, SQL injection attacks account for nearly half (41.64%) of all cyberattacks in the financial services sector. In this article we review the top seven ways to defend against SQL injection.

What is a SQL Injection Attack?

In a SQL injection attack, the attacker inputs or “injects” malicious SQL into the queries an application sends to its SQL database. These commands can execute a variety of actions, e.g., read, transfer, erase, or alter the contents of the database. A sophisticated attack can even shut down the database.

Financial services firms are particularly susceptible to SQL injection attacks due to the nature of their business. Because they handle copious quantities of data, SQL databases are the norm in the industry. And these databases contain data that command a high price on the dark web: Personally identifiable information (PII), bank accounts, credit card details, etc.

The digital transformation of the financial services sector means that more and more of the applications built on SQL databases will be accessible via the web, so SQL injection attacks will continue to be a problem. Attackers can gain access by stealing credentials (e.g., through spear phishing) then exploit vulnerabilities in the applications remotely.

7 SQL Injection Attack Protection Best Practices

SQL injection attacks are somewhat unusual in the world of cybersecurity. Unlike some other action items, such as increasing employee awareness, SQL injection attacks require head-on technical countermeasures. Here are seven best practices to implement in your organization.

1. Make sure your developers understand the risk and the countermeasures

Financial institutions still develop a lot of their applications in house, and that requires developers who know how to write SQL code that doesn’t increase the organization’s exposure to SQL injection attacks. From parameterized statements to sanitizing inputs, there are plenty of tricks of the trade. If your developers aren’t as well-versed as they ought to be or they have too much on their plate, consider partnering with an organization that can provide third-party security oversight of your development projects.
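To make the “parameterized statements” point concrete, here is an added example written for this edit (it is not code from the TierPoint article) that puts the vulnerable string-built query next to its parameterized form. It uses Python’s built-in sqlite3 driver against a constructed in-memory customers table; the ? placeholder syntax is sqlite3’s, and other drivers use %s or :name, but the principle is the same: the driver sends the SQL text and the data separately, so the data can never be parsed as SQL.

```python
import sqlite3

# Constructed sample rows, not data from the original article. The third
# username contains an apostrophe, the character that breaks naive queries.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' form: user input is pasted straight into the SQL text."""
    sql = f"SELECT email FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The hardened form: a placeholder in the SQL, the value bound separately."""
    sql = "SELECT email FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and return what each one produced.

    The vulnerable path may raise a syntax error on odd input, so that is
    captured as a string instead of propagating.
    """
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    return {"vulnerable": vulnerable, "parameterized": lookup_parameterized(conn, username)}


if __name__ == "__main__":
    # A normal name, a legitimate name containing a quote, and the textbook
    # tautology probe that appears in every SQL injection tutorial.
    for probe in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The parameterized version gives the same answer for all three inputs: exactly the rows whose username literally equals the string. The string-built version fails on the legitimate O’Brien record and hands back every customer’s email for the tautology, which is why “sanitizing inputs” is a backstop and parameterization is the primary control.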

2. Use third-party authentication tools

There are third-party authentication tools that allow users to access your site. This saves you from having to develop the authorization code yourself. And, it saves your users from having to remember their login credentials.

3. Implement credential-protection protocols

Here’s where SQL injection protection and standard IT security best practices overlap. If your passwords are unencrypted or your users are sharing login credentials, no coding-based countermeasures are going to be effective.

4. Use third-party apps from trusted sources

If you need to provide access to your SQL database to a third-party app, e.g., a banking app, make sure you’re only using apps from trusted sources, i.e., vendors that know how to minimize the risks. Then, make sure these apps are given access to only as much of the database as they need to perform their job.

5. Maintain solid patching protocols

All systems and applications have vulnerabilities. Implementing patches issued by your vendors promptly can help you close any new vulnerabilities discovered. (Always remember, hackers watch for patch announcements, too. These announcements alert them to potential vulnerabilities, and they know that a large percentage of organizations won’t implement a patch right away.)

6. Implement an advanced Web Application Firewall

A Web Application Firewall, or WAF, sits between your web application and the database, inspecting traffic to weed out anything that looks suspicious. However, your WAF needs to be finely tuned by someone who knows what they’re doing to ensure your advanced security measures don’t impact the user experience.

7. Web application scanning, penetration testing and source code analysis

Here is where you validate the security of the code before it goes into production. Web application scanning is when a scanning tool crawls your website to identify weak points in your web application. Penetration testing (pen-testing) is a technique used to test your web application using simulated attacks. A source code analysis tool, often the deepest level of vulnerability testing, will also help you review your code to identify any security flaws.

Prepare for and defend against SQL injection attacks

Mergers and acquisitions activity is heating up, especially in the financial services sector. Download our latest eBook to learn how SQL Server 2016 can help you assimilate new systems quickly and securely. Contact us to learn more about creating a HA/DR strategy for SQL Server 2016.

The Bank Job: Protecting Your Data with High Availability and Disaster Recovery in SQL Server 2016
The Future of Web Application Firewalls: AI, Clouds, and IoT https://www.tierpoint.com/blog/the-future-of-web-application-firewalls-ai-clouds-and-iot/ Tue, 22 Oct 2019 18:01:10 +0000 https://tierpointdev.wpengine.com/blog/the-future-of-web-application-firewalls-ai-clouds-and-iot/ In the final part of our interview on web application firewalls with Dustin Larmeir, director of security engineering at TierPoint, Dustin discusses how he expects web application firewalls (WAF) will change based on computing trends.

Read the first post in this series:

The future of WAFs

Interviewer: What’s next for web application firewalls (WAFs)?

Dustin: Artificial Intelligence and Machine Learning will be the future of web application firewalls. Future WAF platforms will have the enhanced ability to establish a baseline of normal traffic patterns. Web application firewalls will understand statistical data and teach themselves what an anomaly looks like – and then be able to take independent action without direct human interaction. Ultimately, this has the potential to address the management overhead and some of the challenges caused by complexity.

Interviewer: What are some computing trends that will impact WAF?

Dustin: Cloud services have gained popularity. Public cloud providers now have marketplaces with lots of web application firewall vendors, which is increasing the adoption of cloud-based WAFs. Unique features allow cloud-based WAFs to scale as rapidly as a public cloud’s hyper scaling infrastructure – much more so than hardware-based WAFs.

I rarely see anyone using a physical WAF appliance anymore. The growth in private clouds built from hyperconverged infrastructure is another technology trend moving web application firewalls out of data centers and into cloud-based models.

Multicloud strategies and edge computing, a new type of deployment methodology, may drive web application firewalls to be directly incorporated into edge computing architecture in the future, so edge computing deployments will have a security element built into them.

WAF for Edge, APIs and the Internet of Things (IoT)

Interviewer: A big driver of edge computing is the use of IoT devices in homes and businesses – some of which can also be used in botnet attacks. How will that affect WAF?

Dustin: IoT devices like smart refrigerators need to “phone home” to a server via an application programming interface, or API. Protecting API traffic and IoT devices with a web application firewall is important to avoid compromised devices and to prevent malicious code from being distributed back to those devices.

APIs are as subject to hacking as any other computing platform, but APIs haven’t received the same effort to protect them as web applications. A web application firewall lets you enforce API methods and calls. You can customize your protection based on the type of application you have and its risks.

With a finely tuned web application firewall, APIs can be tightly controlled. You can lock down the communication and block unauthorized methods. A WAF can enforce what is put into the API with a parameter filter, whitelist valid API calls and prevent unauthorized calls. You can also whitelist valid file extensions such as .docx and .xlsx and deny unwanted file extensions such as shell files or other executables.
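An added example, not TierPoint’s or any WAF vendor’s code: a small allowlist filter that applies the API controls Dustin lists (permitted methods per endpoint, a per-parameter filter, and an upload extension allowlist) to constructed requests for a hypothetical device-telemetry API. The endpoint paths, parameter shapes and sample requests are all assumptions made for the illustration.

```python
import posixpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One inbound API call after parsing (constructed; a real WAF sees raw HTTP)."""
    method: str
    path: str
    params: dict   # parameter name -> string value, from query string or body


# Hypothetical allowlist of valid API calls; any endpoint or method not listed is denied.
ALLOWED_CALLS = {
    "/api/v1/telemetry": {"POST"},
    "/api/v1/firmware": {"GET"},
    "/api/v1/upload": {"POST"},
}

# Parameter filter: each endpoint names the exact parameters it accepts and their shape.
PARAM_RULES = {
    "/api/v1/telemetry": {
        "device_id": re.compile(r"[A-Za-z0-9-]{1,32}"),
        "temp_c": re.compile(r"-?\d{1,3}(\.\d{1,2})?"),
    },
    "/api/v1/firmware": {
        "version": re.compile(r"\d+\.\d+\.\d+"),
    },
    "/api/v1/upload": {
        "filename": re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}"),
    },
}

# Extension allowlist for uploads (.docx and .xlsx as in the interview). Shell files and
# other executables are simply absent from the list, so no separate denylist is needed.
ALLOWED_UPLOAD_EXT = {".docx", ".xlsx"}


def evaluate(req):
    """Return ('allow', 'ok') or ('block', reason) for one request."""
    methods = ALLOWED_CALLS.get(req.path)
    if methods is None:
        return "block", f"endpoint {req.path} is not on the allowlist"
    if req.method.upper() not in methods:
        return "block", f"method {req.method} is not permitted on {req.path}"

    rules = PARAM_RULES.get(req.path, {})
    missing = set(rules) - set(req.params)
    if missing:
        return "block", f"missing required parameter(s): {sorted(missing)}"
    for name, value in req.params.items():
        pattern = rules.get(name)
        if pattern is None:
            return "block", f"unexpected parameter {name}"
        if not isinstance(value, str) or not pattern.fullmatch(value):
            return "block", f"parameter {name} failed validation"

    if req.path == "/api/v1/upload":
        ext = posixpath.splitext(req.params["filename"])[1].lower()
        if ext not in ALLOWED_UPLOAD_EXT:
            return "block", f"upload extension {ext!r} is not permitted"
    return "allow", "ok"


if __name__ == "__main__":
    # Constructed sample traffic: one clean telemetry post, then several policy violations.
    samples = [
        Request("POST", "/api/v1/telemetry", {"device_id": "fridge-0042", "temp_c": "4.5"}),
        Request("DELETE", "/api/v1/telemetry", {}),
        Request("POST", "/api/v1/telemetry", {"device_id": "fridge-0042", "temp_c": "4.5", "debug": "1"}),
        Request("POST", "/api/v1/upload", {"filename": "report.docx"}),
        Request("POST", "/api/v1/upload", {"filename": "deploy.sh"}),
        Request("GET", "/api/v1/admin", {}),
    ]
    for r in samples:
        print(f"{r.method:6} {r.path:20} -> {evaluate(r)}")
```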

Get Help Finding the Right WAF for Your Organization

A multi-layered security approach is your best defense against next-generation threats. A web application firewall is an essential part of a multilayer IT security strategy to protect your organization – but web application firewalls are known for taking a lot of time to manage in house. We help our clients every step of the way. Let us help you secure your business.
Cybersecurity’s Next Big Thing: Identity Management https://www.tierpoint.com/blog/cybersecuritys-next-big-thing-identity-management/ Wed, 16 Oct 2019 18:43:20 +0000 https://tierpointdev.wpengine.com/blog/cybersecuritys-next-big-thing-identity-management/ Your employees should be your strongest defense against data leaks and cybersecurity attacks. Unfortunately, they are often the weak link that enables hackers to penetrate IT systems. While cybercriminals use increasingly sophisticated hacking tools, including AI, they rely heavily on end users to provide the opportunity. A 2019 report by data security firm Shred-It found that 47% of C-level executives at companies that suffered a data breach cited “human error” as the main cause. It’s not only Shred-It participants reporting this. According to Kaspersky Lab, 90% of corporate breaches come from exploiting humans.

A customer or end-user can enable a hacker by opening infected attachments, clicking on fraudulent links, being careless with passwords or by sending sensitive information to a criminal pretending to be a boss or co-worker. IT employees have been guilty of lax security practices as well, such as failing to change administrative passwords or update applications.

“User-based threats are the biggest threats right now,” said Matt Tabor, the director of product management for TierPoint, echoing the stat that 90% of all data leaks are caused by an end user mistake.

This all creates a huge hole in your cybersecurity plan. How can you tell the difference between an intruder and your employees? To understand this, we need to first understand how the attacks work:

Common attack schemes to exploit cybersecurity

In his recent webcast “Identity & Access Management Best Practices”, Tabor explained that attackers use different strategies for tricking end-users into giving out information or executing a malicious application. For instance:

Deceptive phishing

Deceptive phishing occurs when users are directed to a malicious copy of a legitimate web site, such as the sign-in page for a bank or supplier. The tactic is useful for capturing login information, accessing business data and, of course, stealing money.

Spear phishing

Spear phishing is when an attacker masquerades as an employee of an organization in order to convince other employees to take some action, such as provide a password, share sensitive customer data or even send money. The attacker often uses information from social media or hacked emails to make themselves more believable. CXO fraud is a form of spear phishing in which an attacker assumes the identity of the CEO or other top executive. In one example of CXO fraud, a cyber-criminal successfully convinced the CEO’s assistant to send him the list of employees and their W2 data. This kind of data can be worth a fortune on the Dark Web.

Publicly available data from Google and social media, combined with the huge volume of information for sale on the Dark Web (e.g. medical records, drivers’ licenses, subscriptions, financial records) makes it easy for hackers to effectively spoof an executive. Tabor also says that busy executives are often the laziest with their cyber-security practices and particularly susceptible to online fraud.

How do you protect yourself against this trickery?

Guidance on the right cybersecurity approach

To safeguard your systems from would-be hackers, Tabor recommends implementing security safeguards throughout your IT environment, not just at the firewall. Specifically, identity-based access to applications, mobile devices and cloud services not only provides security checkpoints but also offers a way to monitor access.

Also read: Are Mobile Devices a Threat to Your Network Security?

File-based encryption for identity-based access

For securing data and other content, Tabor advises using an enterprise encryption solution. Encryption provides identity-based access for individual files both inside and outside of the organization. Enterprise encryption software allows you to grant or revoke access to a file even if it’s already on an unauthorized user’s drive.

Cybersecurity evaluation questions

Tabor also advised IT organizations to evaluate their cybersecurity based on the questions below. The more “yes” answers, the stronger your security.

  • Do you know who is accessing your data? Identity-based authorization and access solutions can identify users and track usage. Multi-factor authentication that includes biometrics (fingerprints or facial recognition) and encryption solutions are ideal methods for controlling access.
  • Can you detect high-risk behaviors such as an unusual download or atypical activity between two applications? Machine learning is making it possible to evaluate a login based on multiple criteria, such as the location or IP address of the login, time of day and type of activity. An employee working in Chicago shouldn’t be logging in from Nigeria. If an employee normally works in the morning and only occasionally downloads small files, then a large data transmission at midnight should trigger an alarm.
  • Can you quickly identify and react to a breach? Does your IT security team provide monitoring and alerting if an abnormal behavior or unauthorized access is detected? Can it block a malicious transmission? Developments in machine learning and risk profiling make it possible to detect and react to potential breaches much more effectively, noted Tabor.
  • Do end-users like their online work environment? People are adept at avoiding burdensome restrictions and policies that make their jobs harder. Making your cybersecurity processes as seamless and user-friendly as possible, such as through single sign-on instead of requiring multiple passwords, is essential to user compliance.
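Added example, not from the webcast or TierPoint: the two behaviors described in the list above, a login from an unusual country and a large transfer outside working hours, scored against a per-user baseline over constructed log lines. The user, countries, working hours, byte counts, score weights and log format are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Baseline:
    """What 'normal' looks like for one user (constructed values for this example)."""
    usual_countries: frozenset
    work_hours: tuple          # (start_hour, end_hour), local time, end exclusive
    typical_bytes_out: int     # typical size of a single download


@dataclass
class Event:
    user: str
    country: str
    when: datetime
    bytes_out: int


def parse_log(text):
    """Parse constructed lines of the form: ISO timestamp,user,country code,bytes out."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, nbytes = line.split(",")
        events.append(Event(user, country, datetime.fromisoformat(ts), int(nbytes)))
    return events


def score_event(ev, base):
    """Score one event against the user's baseline; higher means riskier.
    Weights are assumptions: an unexpected country alone is enough to alert,
    while off-hours activity and an oversized transfer only alert together."""
    score, reasons = 0, []
    if ev.country not in base.usual_countries:
        score += 50
        reasons.append(f"login from {ev.country}, outside usual {sorted(base.usual_countries)}")
    start, end = base.work_hours
    if not (start <= ev.when.hour < end):
        score += 20
        reasons.append(f"activity at {ev.when:%H:%M}, outside usual hours {start:02d}-{end:02d}")
    if ev.bytes_out > 10 * base.typical_bytes_out:
        score += 30
        reasons.append(f"{ev.bytes_out} bytes out, more than 10x typical {base.typical_bytes_out}")
    return score, reasons


ALERT_THRESHOLD = 50


def flag_events(log_text, baselines):
    """Run every parsed event through the scorer and return those worth an alert."""
    alerts = []
    for ev in parse_log(log_text):
        base = baselines.get(ev.user)
        if base is None:
            # No baseline means no way to judge normality; surface it rather than drop it.
            alerts.append({"user": ev.user, "when": ev.when, "score": ALERT_THRESHOLD,
                           "reasons": ["no baseline for user"]})
            continue
        score, reasons = score_event(ev, base)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": ev.user, "when": ev.when, "score": score, "reasons": reasons})
    return alerts


# Constructed baseline: a Chicago-based employee who works mornings and pulls small files.
BASELINES = {"jdoe": Baseline(frozenset({"US"}), (7, 19), 5_000_000)}

# Constructed log: a normal morning session, a 2.4 GB pull just after midnight,
# and a small download from Nigeria during working hours.
SAMPLE_LOG = """\
2019-10-16T09:12:00,jdoe,US,3500000
2019-10-17T00:03:00,jdoe,US,2400000000
2019-10-17T10:05:00,jdoe,NG,120000
"""

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_LOG, BASELINES):
        print(alert["user"], alert["when"], alert["score"], "; ".join(alert["reasons"]))
```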

Learn about helpful cybersecurity tools

In addition to discussing cybersecurity best practices, Tabor explained how to maximize security using the right IT productivity tools, like Microsoft’s Enterprise Mobility & Security (EMS) platform. EMS includes identity access management, threat protection, cloud access security broker and unified endpoint management.

Learn about TierPoint’s IT security management services, including compliance, DDoS mitigation, endpoint, encryption, next generation firewall and other security services or request a security assessment.

Strategic Guide to IT Security

Cybersecurity Q&A: What is a Web Application Firewall (WAF)? https://www.tierpoint.com/blog/what-is-a-web-application-firewall/ Thu, 10 Oct 2019 15:28:50 +0000 https://tierpointdev.wpengine.com/blog/what-is-a-web-application-firewall/ Data breaches. Ransomware. Denial of service. Botnets. All trying to infiltrate your network. These attacks can interrupt vital business operations and damage your organization’s reputation. What can you do to protect your data and applications and stay out of cybersecurity headlines? To find out how to stop these types of attacks, we talked to Dustin Larmeir, Director of Security Engineering at TierPoint, about the role of web application firewalls for IT security.

In this interview, Dustin gives us some background on what a web application firewall (WAF) is, what types of applications a WAF protects, and the types of attacks a WAF blocks.

What is a web application firewall?

Interviewer: In your own words, can you explain to us what a web application firewall is?

Dustin: A web application firewall, or WAF, protects your web applications by inspecting HTTP and HTTPS traffic for indications of malicious activity. A WAF is specifically designed to block web application attacks such as cross-site scripting attacks, SQL injection, cross-site request forgeries, and other vulnerabilities as outlined in the OWASP Top 10 and other security frameworks. Basically, a WAF is a hardware appliance or cloud solution that sits in the middle of your web traffic and provides a level of inspection and protection.

Interviewer: How does a WAF do that? What are the parts of a web application firewall?

Dustin: A typical WAF deployment would consist of these six components:

  1. A reverse proxy for inspecting SSL and non-SSL traffic. This server sits between the user’s browser and your server infrastructure. It decrypts and encrypts all HTTPS traffic so the traffic can be inspected, and it controls network traffic destined for the web application.
  2. A security engine that inspects, analyzes and takes action on the traffic.
  3. A signature database, which is built into the web application firewall and can identify known attack techniques and vulnerabilities.
  4. An IP reputation database, which recognizes IP addresses associated with bots and malicious activities.
  5. A rule management interface where you can tune your WAF, fix false positive blocks, and apply new security rules.
  6. A reporting interface where you can pull reports on attacks, including what was allowed or blocked, and get statistics about attacks.

What types of applications can a WAF protect?

Interviewer: What are the typical applications that can be protected by a web application firewall?

Dustin: Any web application has a use case for a web application firewall. In the past, enterprises focused on protecting only their most important applications with a WAF, but in today’s security landscape, it makes sense to put a WAF in front of every web application. Even though a marketing website might not contain valuable intellectual property or data that could be breached, it could be used by someone for drive-by downloads, that is, to distribute malware to your customers. Or someone could deface the website to damage your brand.

A content management system such as WordPress, which has plugins that aren’t as well maintained as the core code, has a larger attack surface. Those plugins could be exploited, and a web application firewall is a big help in mitigating the threats.

Other types of web applications, such as enterprise portals, Software as a Service (SaaS)-based applications, and application programming interfaces (APIs) all need to be protected. It’s simply a good idea, an IT security best practice, to put a WAF in front of anything on the internet that you are using for business purposes.

What types of attacks can a WAF block?

Interviewer: What kind of attacks are pushing the need for web application firewalls?

Dustin: As a web application firewall administrator, I’ve observed that attacks are becoming more complex, and traditional mitigation techniques are no longer effective. That’s driving the need for web application firewalls and good WAF vendors. Low and slow attacks and other attacks that slip under the radar are good examples. Such attacks can be incredibly low bandwidth, they don’t create a lot of noise, and so they can easily slip through the cracks without a WAF.

Another type of attack is denial of service. Bots using automated scripts are a huge part of application layer 7 denial of service attacks in this modern era. Threat actors harvest systems for use in their botnets to launch large distributed DoS attacks.

SQL injection, which is often enabled by simple programmatic mistakes, is one of the most dangerous forms of attack that a WAF can protect you from. If someone (or a bot) can use malicious SQL query language on your website to do an SQL injection attack, they could breach an entire database and dump all its data, which is a huge risk and negative outcome for any business.

Many types of legitimate processes are also used in attacks. For example, Selenium scripting: here a legitimate quality assurance process, a script that is used to QA a website, is used to conduct malicious activity against a web application. Or as another example, someone may load up an e-commerce shopping cart so full of items that they crash the database and exhaust the server. Or a bot may hammer a form to generate tons of spam or another malicious load.

All these are the types of attacks that a web application firewall is used to stop.

Interviewer: What’s the motivation behind web application attacks?

Dustin: Different threat actors have different motivations: hacktivism, organized crime and foreign government-sponsored activity, for example.

Let’s start with hacktivists. These are people who have a cause, who want to cause your organization pain or are trying to make a political statement. They might be out for blood because of something your company has done.

Some are in it for the money. If organized crime can get into your website, they can use your site to deliver malware as part of a larger breach campaign. In this case a user could come to your website, download malware without realizing it, and in this way the criminal organization gains a foothold in your customer’s network. Breaches in financial and healthcare sectors are lucrative.

Another motivation might be state-sponsored. Higher-end threat actors are engaged in advanced persistent threats (APT) sponsored by foreign governments. They might have a huge interest in an enterprise portal that contains proprietary information, intellectual property or product design information.

More on cybersecurity and web application firewalls

In the second part of this blog post Q&A series, we’ll take a look at who needs a WAF and why, and the challenges enterprises face in using web application firewalls.

Interested in learning more about cybersecurity? Read our Strategic Guide to IT Security. Are you ready to discuss your approach to protecting vital applications and data? Contact us.

The Future of IT Security: The Good, the Bad, and the Ugly https://www.tierpoint.com/blog/the-future-of-it-security-the-good-the-bad-and-the-ugly/ Tue, 20 Aug 2019 19:09:30 +0000 https://tierpointdev.wpengine.com/blog/the-future-of-it-security-the-good-the-bad-and-the-ugly/ It comes as no surprise to anyone that the computing landscape is changing rapidly. The number of edge devices connected to the internet is growing exponentially. Industrial automation and AI are driving demand for lower latency, mostly made possible by 5G and edge computing. Internally, employees are increasingly mobile, accessing home office systems from a vast array of devices, from wherever they happen to be.

These changes are good for business, but they also have a dramatic impact on the IT security threat landscape. Paul Mazzucco is TierPoint’s Chief Security Officer and a veteran of the IT security market. We asked him to paint a picture for us of where we are today, where the business of IT security is headed, and how business will adapt to these changes down the line.

The Future of IT Security: The Bad

Interviewer: Paul, we called this interview ‘the good, the bad, and the ugly,’ but let’s start with ‘the bad’. What is ‘the bad’ in the context of the future state of IT security?

Mazzucco: With the rise of 5G, we’re seeing a real push to move workloads as close as possible to the IoT edge to remove the latency and other inefficiencies created by having to push data back to a centralized computing center. Now eventually, that data is going to need somewhere to live and be stored, but IT leaders need to be realistic about this and realize that not everything is going to live in their data center.

The challenge with this from an IT security perspective is that it creates a much larger, much less secure attack surface. Most of these workloads are processed at the application layer, and they bypass the typical network security protocols that you’d find in a centralized data center. Unfortunately, upwards of 70% of edge devices don’t require authentication for 3rd party APIs, and more than 60% don’t encrypt that API data natively. That adds to the speed and efficiency of the application, but it amplifies the security concerns.

Interviewer: How big is this issue, and how do you see cybercriminals exploiting it?

Mazzucco: When the IoT first started out, the estimates were that it was going to be roughly 75 billion connected devices by 2025, mostly consumer-related devices such as your home security cameras, connected doorbells, and large appliances connected to the internet. Now, that’s a lot of devices, but the estimates today are somewhere in the 200-300 billion range as the idea of an Industrial Internet of Things has started to take off.

When Mirai hit in 2016, we started to see the potential scope of the security threat created by edge computing. When the attack traffic was analyzed, investigators found that Mirai exploited 61 user names and passwords on industrial-type devices that still used default, factory-set passwords. This allowed Mirai to create a botnet that led to what was at the time the largest DDoS attack on record.

Mirai made it abundantly clear that the IoT botnets were not going to just attack home devices with minimal security. Hackers were going to go after industrial devices as well and in a big way. They know that people don’t change the default passwords on their devices or they use the same passwords across devices. These devices make an easy target.

And, of course, the growing IoT is going to be even more attractive as time goes on. Since the introduction of 5G, both public and private sector organizations will look to internet-connected devices to improve efficiencies. As 5G becomes more widely available, this emphasis on connected industrial devices will increase, and cybercriminals will have an even larger attack surface available to infiltrate, including essential infrastructure such as hospitals, buildings, shipping, energy, and more.

The Future of IT Security: The Ugly

Interviewer: Now that we know what’s the bad, what’s the ugly?

Mazzucco: There are botnets on the dark web that make Mirai look tame. Radware, one of our business partners, discovered what they called the Zyklon botnet. It had the ability to launch multiple types of attacks and malware contamination at the same time. It could do http flood attacks, TCP flood attacks, UDP flood attacks, SYN flood attacks AND deliver malware payloads for understanding cloud-based inspection.

So, for example, the ‘http’ botnet could look at start-up files and understand what sort of malware protections you had and try to bypass those. The same exact botnet allowed browser password and ftp password sniffing and could go in and find license keys installed on your infrastructure. It had email recovery password infrastructure, and it encrypted its own communications back to its command and control servers.

You know how much it costs? $75 to buy it on the dark web. These tools based on this same basic building block infrastructure have gotten more and more sophisticated, and they’re now in the hands of pretty much anyone who wants them.

The Future of IT security: The Good

Interviewer: Please tell us there’s an upside to this story. Is there a good?

Mazzucco: While there’s no doubt in my mind that cybercriminals have the upper hand right now, I’m hopeful that we’re going to eventually figure this out with artificial intelligence and machine learning. But, it will be a real battle. 51% of the internet traffic right now is made up of bots – bad and good. It’ll all come down to how fast good bots can use machine learning to make changes to the infrastructure to thwart the bad bots that are using machine learning to try and bypass the security measures in place.

The good news is that there’s a huge commercial aspect to this. A lot of companies have a vested interest in creating these protection protocols and selling them to the commercial market and the government market in order to try and keep these bad bots at bay.

Eventually, we expect to get to the point where we will have the ability to autonomously sniff this edge and have an advanced understanding of packets moving through this edge infrastructure. 5G will contribute to that. So as machine learning and these pieces get stronger, I’m hopeful we’re going to have edge computing protections that are much more efficient and autonomous, and we won’t have to worry so much about the internal devices.

How Businesses Should Adapt to the Changing Threat Landscape

Interviewer: If you were to give one piece of advice to business leaders to help them protect their systems and data today, what would that be?

Mazzucco: They need to adopt multiple protocols across their security stack right now. This includes the entire fabric of their infrastructure and not just the endpoints themselves. For example, a company might contract for 200 servers, 500 laptops, 200 firewalls, and so on. They create their network and hope that it’s protected. But, probably some 90% of these firewalls don’t get updated, and they don’t patch their endpoints.

Interviewer: Can you put a finer point on the need for patch management? 

Mazzucco: That’s easy. Once a month, Microsoft releases a roadmap for infrastructure vulnerabilities. Within three to four days of a vulnerability being announced, an exploit is available on the dark web. Cybercriminals take advantage of the fact that the vast majority of companies have poor patch management practices.

Of course, larger companies hopefully have more well-established patch management practices, and any company that pays for security monitoring may also be paying for patch management. But again, it’s not just how you protect your laptops and servers. It has to be a much broader focus on your entire infrastructure and the larger attack surface created by 5G and the IoT.

Understand the Threats and Find a Managed Security Provider

With the constant evolution of cyberthreats, IT organizations need to have a good understanding of the threat landscape and a plan to protect their vital data and applications. Some organizations, understandably, need help staying up to date and ahead of these threats.

As an IT security services provider, we assist our clients with the development, implementation and management of comprehensive IT security strategies. Contact us today to learn more and see how we can help you.

You May Also Be Interested In

3 Ingredients for an effective IT Security Policy

Strategic Guide to IT Security

BraveIT 2019 Keynotes Highlight Cybersecurity & Technology’s Role in Art https://www.tierpoint.com/blog/braveit-2019-keynotes-highlight-cybersecurity-technologys-role-in-art/ Mon, 24 Jun 2019 16:56:24 +0000 https://tierpointdev.wpengine.com/blog/braveit-2019-keynotes-highlight-cybersecurity-technologys-role-in-art/ The IT industry has a diversity of technologies, opportunities and challenges–from AI and cybersecurity to supply chain automation and virtual reality. So, it’s fitting that TierPoint’s second annual BraveIT conference, to be held September 19, 2019 in New York City, will reflect that diversity, starting with its two uniquely different keynote speakers.

Major General Brett Williams on the Cyber Threat Landscape

BraveIT 2019, which will take place in the Intrepid Sea, Air & Space Museum, on the former aircraft carrier Intrepid, will open with a presentation by cybersecurity expert Major General Brett Williams, USAF (Ret.).

Major General Williams, the co-founder of IronNet Cybersecurity, is a national speaker and educator on cybersecurity problems and solutions. His presentation will focus on the current cyber threat landscape and strategies for safeguarding IT networks and data.

As a leading expert on cybersecurity, Major General Williams has appeared on national news shows including NBC’s Meet the Press with Chuck Todd and ABC’s This Week with George Stephanopoulos. During his 30-year career in the military, he was responsible for the operations and security of Department of Defense IT networks. Today General Williams speaks on cybersecurity issues and conducts cyber-risk training seminars.

iLuminate’s Miral Kotb on the Intersection of Art and Technology

The second, and closing, keynote speaker will be Miral Kotb, a dancer, choreographer and software engineer who will speak about the intersection of art and technology, and how technology can be used to enhance artistic expression.

Kotb developed a unique wireless technology that enables dancers to appear as neon lighted patterns on darkened stages. Her dance company, iLuminate, achieved fame in 2011 as a finalist on the show America’s Got Talent with its mix of artistic choreography and high-tech, wireless light display.

Kotb first developed the concept for iLuminate while programming iPhone applications. With a degree in computer science from Columbia University and a background in dance—she studied at Barnard College in New York—Kotb wanted to bridge the gap between technologists and artists. She and her team of dancers and programmers developed the iLuminate costumes that are programmed to change with the choreography and be controlled remotely.

Since then, her iLuminate technology has been used by celebrities including Christina Aguilera, The Black-Eyed Peas and Death Cab for Cutie, as well as in Dancing with The Stars, The American Music Awards, The X Factor and many other shows. As an IT entrepreneur, Kotb has spoken at tech conferences such as Apple’s World-Wide Developer’s Conference.

More at BraveIT 2019

Between these two keynotes will be other not-to-miss events: sessions on cybersecurity and 5G, networking opportunities and the chance to experience an augmented reality space exhibit with Microsoft’s HoloLens. The Defying Gravity: Women in Space exhibit at the Intrepid Space Shuttle Pavilion shows the journey of Dr. Mae Jemison, the first African-American woman in space, with the help of VR headsets and the Enterprise shuttle, which is now a resident at the museum.

Some of our featured sessions:

What 5G Really Means for IT

What impact will 5G have on your business? 5G will bring faster speeds and wider coverage. But it will also have other less-obvious effects, especially when combined with data from new sources like AI and internet devices. This will be a discussion on preparing for 5G.

Battle Royale: Hyperscale vs. Hyperconverged

Which type of cloud best addresses your company’s unique needs—hyperscale (public) or hyperconverged (private)? Industry experts and IT leaders will tackle this key question facing many IT departments.

Register and Learn more about BraveIT 2019

TierPoint’s BraveIT conference is an interactive thought-leadership and networking event designed for the modern IT professional. The 2019 BraveIT conference will take place September 19 in New York City, with a variety of events, activities and speakers. You can see the full agenda and register on the BraveIT 2019 page.

Cybersecurity Attacks 101: Botnets, DDoS, and Web Application Attacks
https://www.tierpoint.com/blog/cybersecurity-attacks-101-botnets-ddos-and-web-application-attacks/ Mon, 10 Jun 2019 20:50:23 +0000

Every year brings another wave of cyber attacks. In January alone, more than 1.75 billion records were compromised. The average cost of these break-ins was $7.5 million—a significant loss for any organization. One reason for the rise in cybercrime is the influx of professional criminal groups looking to buy and sell stolen data over the Dark Web. In fact, cybercrime-related e-commerce has become so profitable that anyone can purchase stolen data or rent a cyber attack service over the Dark Web.

Cyber criminals use a diverse mix of technologies and tactics. Many conventional attacks, such as phishing emails designed to trick users into sharing sensitive information, are still in use. Newer tactics include fileless malware, which runs without writing files to disk and so evades file-scanning anti-virus filters, making it extremely difficult to detect.

To help IT managers and business executives understand the variety of cybersecurity threats that their organizations face, we explain the different types of cyber attacks below.

Botnets

Botnets are networks of “bots,” or computers and devices that have been infected with botnet malware. Bots and botnets are remotely controlled by the cyber attacker, who may command the bots to send a flood of spam, malware or phishing emails, or to launch denial-of-service attacks against the target organization. One of the best-known botnets, Mirai, knocked out internet service throughout the Eastern U.S. in 2016. Mirai had an estimated 100,000 infected internet-of-things (IoT) devices, which launched a denial-of-service attack on Manchester, NH-based internet service provider Dyn (now part of Oracle).

Botnet developers can easily infect unsecured IoT devices, such as security cameras, smart thermostats, medical devices and network routers. As there are currently 26+ billion IoT devices in use worldwide, with more than 75 billion projected by 2025, there is no shortage of material for botnet makers.

Distributed Denial of Service (DDoS) attack

A denial-of-service (DoS) attack sends excessive amounts of traffic to a targeted web site or IT network with the aim of overwhelming the system. A distributed denial of service (DDoS) attack employs botnets of distributed PCs and IoT devices to flood a victim with junk traffic from many sources at once. A DDoS attack can last for minutes or–if the victim has poor cybersecurity defenses–for hours. In 2018, software development site GitHub was hit by a flood of DDoS traffic that peaked at 1.35 Tbps. However, GitHub quickly rerouted incoming traffic to Akamai Prolexic, a traffic filtering service, which blocked the DDoS attack within a few minutes.
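The flood described above shows up in server logs as a sudden jump in requests per second spread across many client addresses. The following added example (not TierPoint’s code) flags such seconds by comparing each second’s request count with the median; the log lines are constructed inline in a simplified “timestamp ip path” shape, not a real server log.

```python
import statistics
from collections import Counter, defaultdict

# Added example, not TierPoint's code. The log is constructed sample data in a
# simplified "<timestamp> <client ip> <path>" shape, not a real access log.


def build_sample_log():
    lines = []
    # Ten seconds of ordinary traffic: three clients, one request each per second.
    for sec in range(10):
        for i in range(3):
            lines.append(f"2019-06-10T12:00:{sec:02d} 198.51.100.{i + 1} /index.html")
    # Second 10: 200 requests from 50 distinct sources, the shape of a botnet flood.
    for n in range(200):
        lines.append(f"2019-06-10T12:00:10 203.0.113.{n % 50 + 1} /")
    return lines


def per_second_stats(lines):
    """Count requests and distinct client addresses for each second."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        ts, ip, _path = line.split(" ", 2)
        counts[ts] += 1
        sources[ts].add(ip)
    return counts, sources


def flag_floods(lines, multiplier=10):
    """Return (second, requests, distinct sources) for every second whose
    request count exceeds `multiplier` times the median second.

    Reporting the number of distinct sources matters: a flood from fifty
    bots cannot be stopped by blocking any single address, which is why
    the text describes upstream filtering rather than per-IP blocks."""
    counts, sources = per_second_stats(lines)
    baseline = statistics.median(counts.values())
    return [(ts, counts[ts], len(sources[ts]))
            for ts in sorted(counts) if counts[ts] > multiplier * baseline]


if __name__ == "__main__":
    for second, reqs, distinct in flag_floods(build_sample_log()):
        print(f"{second}: {reqs} requests from {distinct} sources")
```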


Web application attacks

Web application attacks exploit vulnerabilities in web browsers and application components. They’re among the oldest of cyber attacks and remain popular with hackers. Symantec’s Internet Security Threat Report (ISTR) 2019 found one in 10 URLs to be malicious, up from one in 16 in 2017. A vulnerability in a web browser or application can enable a hacker to upload malware, execute code or even gain access to back-end servers.

Many web browser attacks are script- or SQL-based. Two common ones are cross-site scripting and SQL injection. Both types take advantage of unsecured input fields on a web site to execute malicious code. The goal may be to infiltrate back-end systems or to infect the browsers of visitors to the web site.

With cross-site scripting, a hacker inputs a script into a contact or message form on a web site. When the recipient opens the message, the script executes. The goal might be to bypass access controls to the system, hijack the user’s session, post messages on their behalf, capture the user’s keystrokes or conduct other malicious activities.

A SQL injection attack targets the database behind a web site by typing malicious SQL code into an input field instead of the expected value, so that the input is parsed as part of the database query. Depending on the query input, an attacker might be able to delete the database, change data, access all usernames and passwords or take other unauthorized actions.
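Both attacks above come down to untrusted input being treated as code. The following added example (not TierPoint’s code) shows a user lookup and a message renderer in their vulnerable form beside the fixed form, using parameter binding for the query and HTML escaping for the output; the users table and the two inputs are constructed sample data.

```python
import html
import sqlite3

# Added example, not TierPoint's code: the two "unsecured input field" flaws
# from the text, each beside its fix. The users table is constructed sample data.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: whatever the user typed is parsed as part of the
    # SQL, so a quote in the input changes the query instead of being matched.
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameter binding: the value travels separately from the statement text
    # and can never change the query's structure.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


def render_vulnerable(message):
    # A stored message echoed verbatim into the page: any <script> inside it
    # runs in the browser of whoever views the message (stored XSS).
    return "<p>" + message + "</p>"


def render_safe(message):
    # Escaping turns the markup characters into text, so the browser shows
    # the tags rather than executing them.
    return "<p>" + html.escape(message, quote=True) + "</p>"


def demo():
    conn = make_db()
    tautology = "x' OR '1'='1"            # constructed input: always-true WHERE
    script = "<script>alert(1)</script>"  # constructed input: stored-XSS payload
    return {
        "sqli_vulnerable": lookup_vulnerable(conn, tautology),  # every user leaks
        "sqli_safe": lookup_safe(conn, tautology),              # no such user
        "xss_vulnerable": render_vulnerable(script),
        "xss_safe": render_safe(script),
    }
```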

Most recently, a web site attack called “form-jacking” has been targeting ecommerce sites. Form-jacking inserts malicious code into the check-out page, which enables the attacker to steal credit card information.

Hackers may also exploit the vulnerabilities of browser extensions or web application components to gain a foothold in an IT system. For example, a vulnerability in the Cisco WebEx Browser Extension reportedly allows remote attackers to execute arbitrary code on an affected system. While these vulnerabilities are typically fixed in future updates or patches, an IT department may be slow to apply them, leaving the system vulnerable.

Multi-vector attacks

These attacks use a combination of several exploits. Typically, none of the exploits would, by itself, catch the notice of an IT security application. But in a multi-vector attack, they can implant back doors into servers, copy data, create fake accounts and even take control of a system. Multi-vector attacks often employ trusted system tools to do their dirty work. For example, Windows PowerShell and Windows Management Instrumentation (WMI) are often used in multi-vector attacks because they are legitimate programs and their processes are rarely suspect. (It’s no doubt for that reason that the use of malicious PowerShell scripts increased by 1,000 percent in 2018, according to the Symantec ISTR.)

A multi-vector attack might also have multiple goals, such as to plant malware, steal data and spread ransomware to other computers on the network. Occasionally, one attack is used as a red herring to cover up another, more serious attack. A DDoS attack might distract an organization’s IT staff so they don’t notice a hacker downloading data or planting malware.

Insider threats

Not all cyber attacks are done by outside hackers. Employees, contractors and business partners are also frequently responsible for cybersecurity breaches. CA Technologies’ 2018 Insider Threat Report found that 53% of organizations experienced one or more insider attacks during the prior 12 months. An “insider” might be a disgruntled former employee who sabotages a database or a contractor who steals a customer list. Some insider threats are unintentional, due to ignorance or laziness. Sharing passwords, falling victim to phishing emails, visiting compromised web sites or working remotely over public WiFi are all non-malicious, but potentially damaging, insider threats.

How we can help you

Advanced cybersecurity technologies and services, such as those provided by TierPoint, can greatly improve an organization’s chances of stopping an attempted cyber attack before it can do any damage. Training employees and IT staff in cybersecurity best practices will also greatly help to reduce your organization’s odds of being hacked.

Cybersecurity is an ongoing effort that requires continuous updating of applications and security technologies to stay one step ahead of cyber attackers. IT departments that neglect to quickly install the latest security patches or to warn employees about new types of phishing emails are providing criminals with a significant advantage. Protecting applications and data from cyber attacks requires a combination of advanced IT security services and basic due diligence in security practices.
