It’s been said that lyrics are poetry with a limp. They’re meant to go along with music, unlike poems that stand on their own. Just like lyrics, considering cyberattack statistics apart from the supporting data of areas such as industry and the data that a company holds keeps one from fully appreciating the statistics or how that information relates to any particular company, especially that of the reader.
Considering Vectors – Industries, business size, and data held
There’s a lot of information flowing throughout this planet. Consider this infographic:
Along with the enormous business and personal opportunities presented by technology come enormous criminal opportunities. This information shouldn’t lead to fear but to action, specifically actionable defense.
There are many reputable sources of the top cyber threats and attacks to expect in 2022. SANS gives the top five major categories of cyber-threats.
Verizon’s DBIR gives detailed studies on various industries, vectors, threats, etc. Sophos has an excellent report, as does Symantec with its white paper. IBM weighs in with its industry expertise. There are numerous other expert and anecdotal studies.
Want More Tech News? Subscribe to ComputingEdge Newsletter Today!
Given all this information, each business has to pore over the data to discover and ask: “What applies to me?”
When applying the information to one’s own company, three main factors appear when considering the risk factors: industry, business size, and data held. It’s obvious that healthcare companies hold PHI and banks hold financial information, but crime isn’t always straightforward. There are plenty of criminals who will take the long con, such as stealing thousands of social security numbers to use later in the year, or even a couple of years down the road, to gain unemployment benefits wrongfully. And there are many companies, such as Marketing, who hold and transfer tons of data that would benefit threat actors. And the larger the company, the more things can be stolen.
On a side note, one industry that has increased as a target in recent years, but doesn’t get reported much, is legal. A not-so-recent but prominent example is an attack on a large law firm in 2017. So those in the legal profession, while not getting much coverage, are examples of those who need to be on the lookout, even though many of those firms are smaller and don’t get much press.
In addition to these three factors, let’s condense the findings into two overarching common vectors of attack: Servers and People.
Servers (including Web Applications and APIs)
DDoS attacks against web servers are common. Even with advancements in security, such as including DDoS capabilities often being included or built-in to existing controls, 2021 saw an increase over 2020 losses from DDoS attacks. DDoS is an old method, but the server that the attack is leveled against needs to be ready for it.
Some other common attacks in this category are data leaks and stolen credentials (abusing something like Broken Access Control). Web apps and endpoints must be prepared for an onslaught of attacks such as fuzzing and SQLi.
APIs are a big deal. How big? The API management market (e.g., gateways, portals) is expected to reach $21.68 billion by 2028. APIs enable businesses to succeed, grow, and excel by accelerating business possibilities, decreasing business costs, and creating opportunities for quick change. A recent survey shows that “26% of businesses use at least twice as many APIs now as a year ago.” Protect those APIs, because they are like street-facing store doors – necessary for business, and a ready target.
Along with the opportunities afforded by web applications and APIs come the desire of criminals to commit crimes.
People
According to the Verizon DBIR, “…82% of breaches in the DBIR involved the human element. (not just the social engineering, though).” The category of “People” includes vulnerabilities such as misconfigurations and backdoors. Anyone who has used OSINT techniques, including Shodan, knows how easy it is to find these vulnerabilities. Misconfigurations and backdoors could also be included Servers/Web apps/APIs because people are the ones who work with the technology.
Also in this category is the usual phishing for credentials. At an ever-increasing rate, phishing to obtain credentials succeeds. In a recent phishing campaign, an attacker stole 1 million credentials in 4 months by tricking people into logging into a fake domain.
According to Sophos, 79% of their responses to customer security incidents related to ransomware. Ransomware is by no means limited to “someone clicked on something they shouldn’t have,” but mis-clicking is no small percentage of ransomware attacks (cue the battle music for the game of “it’s the user’s fault” vs. “it’s Security’s fault”).
Strategies and Approaches to Defense
There are two main goals in corporate cyber defense and protection: 1) Make it as hard as possible for criminals to do bad things, and 2) Don’t be found negligent.
For criminals, the more resources spent compromising a target means a reduction in their ROI. Why continue attacking a company where one might spend a week to potentially obtain private information when one can choose another target where card data could be stolen in half the time? Criminals are business-minded, but without the typical scruples and concerns over things like laws. In many cases, they’re looking for easy targets, so making a compromise tough increases the chances they’ll move on.
In case of a breach, companies need to ensure they can present to legal and insurance authorities that they did all things reasonable to protect the information. Cyber insurance is becoming a larger aspect of business life, sometimes even necessary. And insurance companies are requiring more proof of due diligence in protecting assets.
A quote from the book “Cyberwarfare,” by Dr. Chase Cunningham, applies here:
“Often the defenders are working with what they have been told is the “best of breed” or the most advanced solution, only to find out that they still end up with a breach…While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position.”
A helpful tool for determining what attacks to monitor in your company is a tool by MITRE’s Center for Threat Informed Defense that calculates top ten attack techniques based on your monitoring components.
Active defenses and vigilance are key components in protecting your customer data and company reputation. It takes work, but proper defense is achievable.
About the Writer
Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20 year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security + certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University. He is also a regular writer at Bora.