10 types of information security threats for IT teams
Know thine enemy -- and the common security threats that can bring an unprepared organization to its knees. Learn what these threats are and how to prevent them.
Cybersecurity teams must be mindful at all times of the current threats their organization faces. While it's impossible to thwart every threat, stopping as many as possible and quickly detecting when they occur are both critical for reducing damage.
It is important to note that many cybersecurity incidents involve multiple types of threats. In a nutshell, a security threat is a malicious act that aims to corrupt or steal data or disrupt an organization's systems or the entire organization. A security event refers to an occurrence during which company data or its network might have been exposed. An event that results in a data or network breach is called a security incident.
Here are 10 types of threats that cybersecurity teams should focus on.
1. Supply chain attacks
Supply chain attacks are challenging to identify because they usually involve a breach or other cybersecurity compromise affecting a trusted third party, such as a supplier, partner, contractor, vendor or service provider. In this attack, the third party does not realize it has been compromised and therefore spreads the threat to its customers, partners and vendors.
For example, a vendor's software might accidentally be infected with malware during manufacturing, or bad actors might add malicious code that steals sensitive data from organizations using a service provider's offering. Another form of supply chain attack involves counterfeit products and legitimate products that have been tampered with after manufacturing and packaging.
How to prevent supply chain attacks
To prevent supply chain attacks, only work with trusted third-party vendors, service providers, partners and contractors. Perform third-party risk assessments, conduct continuous vendor monitoring and keep an accurate inventory of all third parties and their dependencies.
In addition, only purchase technology products and services from reputable manufacturers and vendors. Examine any physical technology purchases for anything suspicious, especially on product packaging or the product surface itself.
2. Distributed denial-of-service attacks
DDoS attacks occur when thousands or millions of compromised devices simultaneously overwhelm a server, network or other target. The compromised devices are typically part of a botnet, enabling attackers to easily coordinate all devices in performing DDoS attacks. The goal of a DDoS attack is to disrupt the target's operations, preventing legitimate use of resources.
How to prevent DDoS attacks
Preventing DDoS attacks is a unique challenge. No matter how much capacity enterprise systems and networks have, a large DDoS attack can still clog them.
Options for mitigating DDoS attacks include the following:
- Partner with an MSP or other third party that specializes in DDoS attack monitoring and mitigation.
- Deploy and configure network security devices in front of systems and networks to enforce rate limiting and stop traffic from known botnets.
- Design the organization's important applications with resilience in mind, such as duplicating key resources on other networks so that a DDoS attack against one network will not completely disrupt applications.
3. Social engineering and phishing attacks
Social engineering comes in many forms, from someone pretending to be a delivery person in order to access a secure area to someone sending phishing emails, texts or other forms of messaging to deceive the recipient.
The goal of phishing, the most popular form of social engineering, is to get the recipient to divulge credentials, bank information or other sensitive data, or to install malware on the recipient's device.
How to prevent social engineering and phishing attacks
Some social engineering and phishing attacks can be stopped only by the intended victims. This requires that individual users be trained on how to identify attacks and what to do if an attack occurs. For example, they'll need to scrutinize links and email attachments for anything suspicious.
Many phishing attacks can be stopped through automated means, such as antispam and antimalware technologies, that are frequently updated with the latest threat intelligence. Some phishing attacks exploit software vulnerabilities, so keep all devices' software patched and up to date.
4. Attacks through look-alike content
Attackers often craft websites, social media accounts, advertisements and other online content to look just like the real thing. When visited, that content installs malware on users' computers without their knowledge. These are known as drive-by download attacks because the user has no idea that anything bad has happened.
How to prevent attacks through look-alike content
To prevent these attacks, educate users on how to verify that URLs, social media accounts and other content are legitimate. Tell users not to click on advertisements from work devices.
To stay on top of the latest threats, consider subscribing to near-real-time threat intelligence feeds. These can be consumed by an organization's cybersecurity technologies to quickly stop access to look-alike content once others detect and report it. Organizations should also keep software patched and up to date to minimize the risk of malicious content exploiting vulnerabilities.
5. Misinformation and disinformation
Misinformation is incorrect information, while disinformation is intentional misinformation designed to trick people -- another form of social engineering. Whether information is accidentally or intentionally wrong, the effect is the same: it convinces people that false statements are true and often triggers them to act on those false statements.
Misinformation and disinformation come in many forms. AI technologies are now widely used to create deepfake audio and video that often can't be distinguished from the real thing. Websites, emails and other content might also provide false instructions to users on how to improve security or functionality on their work computers. Rumors about the organization itself could also surface inside or outside the business.
How to prevent misinformation and disinformation
Misinformation and disinformation are often difficult to detect through automated means. Instead, rely on regularly scheduled security awareness training to teach employees how to spot misinformation and disinformation. Educate them on how to verify information pertaining to both internal and external matters. Also, provide a website where members of the public can verify the legitimacy of communications they receive from the organization, and provide a mechanism for the public to report misinformation and disinformation involving the organization.
6. Credential compromise and account takeover
Passwords, ID badges and other credentials are obvious targets for attackers. Passwords can be acquired in many ways, including social engineering and phishing, watching someone enter a password on their phone, guessing a password -- known as brute-force attacking -- or reusing a previously compromised password that the person used for multiple accounts.
Possessing a password enables an attacker, in many cases, to access and control the user account. This is known as an account takeover.
How to prevent credential compromise and account takeover
Avoid relying only on passwords for user authentication. Requiring MFA and switching from passwords to passwordless authentication are two effective alternatives. If passwords are required, teach employees how to create strong passphrases, which are a more secure alternative to passwords.
In addition, train users on how to safeguard their credentials and what to do if they think one of their credentials has been compromised. Another helpful measure is to use cybersecurity technologies that monitor authentication attempts. Use these tools to identify anomalies, such as the same user connecting to email from different geographic locations at the same time, which could indicate someone masquerading as the user.
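The anomaly described above (one user authenticating from two places too far apart for the elapsed time) can be checked from authentication logs. The following is an added example, not code from the article; the events, coordinates and the 1,000 km/h plausibility threshold are constructed assumptions.

```python
"""Flag logins by the same user from locations too far apart for the elapsed time."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample authentication events (assumption, not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2024-05-01T09:00:00", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "time": "2024-05-01T09:20:00", "city": "Tokyo", "lat": 35.6762, "lon": 139.6503},
    {"user": "bob", "time": "2024-05-01T09:00:00", "city": "Paris", "lat": 48.8566, "lon": 2.3522},
    {"user": "bob", "time": "2024-05-01T15:00:00", "city": "Berlin", "lat": 52.5200, "lon": 13.4050},
]

# Assumed threshold: nobody legitimately moves faster than a commercial flight.
MAX_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, km, hours) for each consecutive login
    pair by the same user that would require an implausible travel speed."""
    alerts = []
    last_seen = {}  # user -> most recent event processed
    for event in sorted(events, key=lambda e: (e["user"], e["time"])):
        prev = last_seen.get(event["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            delta = datetime.fromisoformat(event["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600.0
            if hours == 0:
                # Simultaneous logins: any distance at all is impossible travel.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_speed_kmh:
                alerts.append((event["user"], prev["city"], event["city"], round(km), round(hours, 2)))
        last_seen[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
```

Alerts from a check like this should feed a review step rather than an automatic lockout, since VPN exits and proxies can legitimately place a user far from where they are.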
7. Ransomware
Ransomware either uses encryption to make computers or files inaccessible, or uses extortion to get victims to pay a ransom to get their stolen data back. While most ransomware attacks result from phishing or other forms of social engineering, some ransomware campaigns target exploitable software vulnerabilities.
How to prevent ransomware
Train users to avoid social engineering attacks, and teach them what to do if a ransomware infection occurs. Seconds can make a difference between a single computer being infected and an infection spreading throughout an organization.
To minimize vulnerabilities that ransomware can exploit, organizations should keep all software current with the latest patches and updates. It's also critical to use antimalware technologies that detect and stop ransomware, along with cyberthreat intelligence feeds that provide near-real-time updates on the latest ransomware threats.
8. Persistence threats
Persistence refers to an attacker's ability to gain and then maintain access to a system without being detected. Attackers known as advanced persistent threats (APTs) can persist unnoticed in compromised systems for days, weeks or months. During this time, they could access and exfiltrate sensitive data, compromise additional systems and monitor conditions until they are ready to launch a more devastating attack.
How to prevent persistence
Use firewalls and other network security tools, along with threat intelligence feeds, to block access to and from known malicious domains, IP addresses and websites. This hinders APTs by disrupting the command-and-control channels they rely on.
Monitor network traffic to look for signs of unauthorized access to internal systems. Use antimalware and antiphishing technologies to detect and stop attacks in transit. Also, scan the organization's devices regularly for signs of bots, exploit kits and other attack tools. Act swiftly whenever any such unauthorized tools are detected.
9. Insider threats
An insider threat is when an employee, contractor or other person within an organization misuses their technology privileges in ways that violate and harm the organization's cybersecurity. For example, an employee might email sensitive data to external email addresses in order to sell it. A more complex example is two employees in different roles colluding to steal from the organization.
How to prevent insider threats
Follow the principle of least privilege to ensure each user has the minimal access needed to do their job. Train all users, including contractors and vendors, on acceptable use policies and the potential consequences of violating them. Monitor all user activity for signs of suspicious behavior. Promptly investigate potentially malicious behavior.
10. Accidental data leaks
Accidental data leaks occur when an organization's sensitive data is inadvertently made available to unauthorized parties or systems. Examples include choosing the wrong recipient for an email, uploading the wrong file to a website or shared storage, or posting data for public access that has not yet been approved for release.
Data leaks can also occur when old or broken technologies are disposed of without first sanitizing or physically destroying their data storage. Printouts are also mechanisms for data leaks.
How to prevent accidental data leaks
Teach users to double-check recipients, attachments and other components of emails and other messages before sending them. Use data loss prevention technologies to examine outbound emails and other applications for potential signs of data leaks. Carefully control physical access to printed sensitive data so that printouts are not left unattended and are shredded when no longer needed.
Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.