Ten attack methodologies small business needs to know about


IT Security Thing has reached out to security professionals for answers to a big question for small business: what are the attack methodologies those businesses need to worry about right now?

The UK Department for Digital, Culture, Media and Sport, in association with Ipsos MORI and the University of Portsmouth, has published the 2018 Cyber Security Breaches Survey. Some of the statistics within the report should certainly be food for thought, for both the IT security industry and British businesses alike. The one that caught our attention here at IT Security Thing was that more often than not a breach does not incur any specific financial cost. Or, more accurately, the explanation that caught our attention:

“This is reflective of the fact that most breaches or attacks do not have any material outcome (a loss of assets or data) so do not always need a response.”

Sorry folks, but if your network has been breached that always requires a response or your network is going to be breached again and again. Just because data wasn’t compromised the first time, that doesn’t mean the attackers have not gleaned some intelligence that could help them to do so in the future. Especially if ‘no response needed’ was the determination of the security people.

Perhaps this is down to another statistic from the report, that only 20% of businesses had staff participate in any kind of cyber security training, a number that drops to 15% for charities. For smaller businesses and charities, the report states “basic technical controls might also be improved.”

Then there’s the finding that 20% of businesses “never update their senior managers on cybersecurity issues” apparently. At the smaller end of the business scale, more say that cybersecurity is a very high priority than did so in the 2017 research report; but that number is still only 42%.

With all that in mind then, here’s the industry response IT Security Thing got to our big question.

1. Email-based attack

Dr Klaus Gheri, Vice President and General Manager Network Security at Barracuda Networks

“Today the number one threat vector for all businesses, including small businesses, is email. In fact, according to our research, email still accounts for 76% of cyber attacks. What many smaller businesses get wrong is that they assume they’re not real targets; they think that attackers would rather spend their time going after large enterprises. This is simply not the case. Bottom line? Everyone is a target and no company is safe. In fact, often smaller organisations are seen as more lucrative targets by cybercriminals because it’s assumed that they have less staff and less technological resource to combat targeted attacks. As a result, email attacks in which malicious actors masquerade as trusted institutions or impersonate other people within the organisation have become an increasingly popular way to target SMBs. They exploit the human layer in your defence, relying on user error and a lack of cybersecurity education. It only takes one employee to click on a malicious link and the attackers could have access to the whole network.”
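The impersonation pattern Dr Gheri describes (a familiar colleague's name on a message that did not come from the company's own mail domain) is one of the few phishing signals a small business can check mechanically. The following is an added example, not code from the article or from Barracuda: it compares the From: display name against a staff directory and flags a match whose address lies outside the company's domains, and separately notes a Reply-To that points somewhere other than the sender. The company domains, the directory and the sample headers are all constructed for the example.

```python
"""Added example: first-pass display-name impersonation check for inbound mail.

Not the article's or Barracuda's code. Domains, staff directory and sample
messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the company's own sending domains.
COMPANY_DOMAINS = {"example-smb.co.uk"}


def normalise_name(name: str) -> str:
    """Lower-case, strip punctuation and sort the tokens, so that
    'Doe, Jane' and 'jane doe' compare equal."""
    tokens = name.lower().replace(",", " ").replace(".", " ").split()
    return " ".join(sorted(tokens))


# Constructed staff directory, keyed by normalised display name.
STAFF_DIRECTORY = {
    normalise_name(name): address
    for name, address in (("Jane Doe", "jane.doe@example-smb.co.uk"),
                          ("Bob Smith", "bob.smith@example-smb.co.uk"))
}


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'impersonation' or 'external' for a From: header value."""
    display, address = parseaddr(from_header)
    if sender_domain(address) in COMPANY_DOMAINS:
        return "internal"
    # A known staff member's name on an outside address is the impersonation pattern.
    if normalise_name(display) in STAFF_DIRECTORY:
        return "impersonation"
    return "external"


def triage(raw_message: str) -> dict:
    """Classify the sender of one raw message and note a Reply-To that
    steers replies to a different domain than the one the mail came from."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    _, from_addr = parseaddr(from_header)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    mismatch = bool(reply_addr) and sender_domain(reply_addr) != sender_domain(from_addr)
    return {"subject": msg.get("Subject", ""),
            "verdict": classify_sender(from_header),
            "reply_to_mismatch": mismatch}


# Constructed sample messages (headers only, empty bodies).
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example-smb.co.uk>\nSubject: Q3 figures\n\n",
    'From: "Doe, Jane" <jane.doe.ceo@free-mail.test>\n'
    "Reply-To: finance@other-mail.test\nSubject: Urgent wire\n\n",
    "From: Vendor News <news@vendor.test>\nSubject: Newsletter\n\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(triage(raw))
```

In practice this check sits alongside SPF/DKIM/DMARC results rather than replacing them; it catches the case those protocols cannot, a correctly authenticated message from a free-mail account that merely borrows a colleague's name.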

Aaron Higbee, Co-Founder & CTO at Cofense

“In response, businesses, too, must get organised by improving security tactics, sharing threat intelligence and training their employees to catch suspicious emails. With informed staff, small businesses can build a strong defence against hackers. Like the guards who patrolled castle walls, employees can either be a curse by leaving the back-gate open, or a boon by raising the alarm when they notice something suspicious: the difference lies in how we collaborate from point of alarm to ousting the attacker.”

2. Credential attack

Paul Colwell, CTO of CyberGuard Technologies, at OGL

“One of the areas that we see a lot of problems with is passwords. Many small businesses will open up or move services for their employees to the cloud such as email or web portals providing them increased flexibility, but the increased availability to log into these services from anywhere in the world provides a prime target for attackers to target. Ensuring strong passwords are employed company-wide has long been a pain point for IT managers and time and time again we see users using either weak, commonly used passwords or re-using passwords from other websites that may have been compromised in previous breaches (e.g. LinkedIn). Small businesses should look to educate users on setting strong passwords and allow them to use password managers to help with the burden of setting and remembering individual unique complex passwords. Ideally, any external facing services should be protected by a two-factor authentication method; this is particularly important for any accounts which have admin level rights.”
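Two of the three password problems in Paul Colwell's answer (weak or dictionary-style passwords, and passwords already exposed in earlier breaches) can be checked at the moment a password is set. The block below is an added example and not code from the article or from CyberGuard/OGL: it rejects short passwords, passwords built around common words, and passwords whose SHA-1 digest appears in a breach corpus. The corpus here is a small constructed stand-in, stored as upper-case SHA-1 hex digests, which is the form published breached-password lists are commonly distributed in.

```python
"""Added example: offline password-quality check at password-set time.

Not the article's or CyberGuard/OGL's code. The breach corpus is a
constructed stand-in; a real deployment would load a published list.
"""
import hashlib

# Words that, anywhere inside a password, mark it as dictionary-style.
COMMON_WORDS = ("password", "welcome", "admin", "qwerty", "letmein")


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the key format of breached-password lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus (digests only, so the
# list itself never has to hold plaintext passwords).
BREACHED_SHA1 = {sha1_hex(p) for p in ("password", "123456", "Summer2018!", "P@ssw0rd")}


def password_findings(password: str, min_length: int = 12) -> list:
    """Return the policy failures for a candidate password; an empty list
    means it passes all three checks."""
    findings = []
    if len(password) < min_length:
        findings.append("too_short")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        findings.append("contains_common_word")
    if sha1_hex(password) in BREACHED_SHA1:
        findings.append("in_breach_corpus")
    return findings


def acceptable(password: str) -> bool:
    return not password_findings(password)


if __name__ == "__main__":
    for candidate in ("password1", "Summer2018!", "correct horse battery staple"):
        print(repr(candidate), "->", password_findings(candidate) or "ok")
```

The digest-based lookup is what makes the breach check usable without ever handling the corpus as plaintext; the same digest, truncated to its first five hex characters, is also the query key for the Have I Been Pwned "range" lookup, which lets a service check a password against the public corpus without sending the password or its full hash off-site. Password managers solve the remaining problem in the quote, remembering a distinct password per site, which no server-side check can enforce.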

Phil Bindley, managing director at The Bunker

“Although it may seem basic, password security should be high on the list of priorities for small businesses, particularly when it comes to cloud-based infrastructure. With a widespread adoption of the cloud, we are seeing more and more cases where email accounts containing sensitive data have been compromised due to the adoption of simple passwords. This can result in attackers setting up a forwarding rule to other email accounts or otherwise exploiting and stealing sensitive data, which can go unnoticed for months. Combating these attacks is a matter of cultivating a culture of security and ensuring that staff are trained on basic security principles. As an extra layer of defence, we recommend implementing administrative controls, such as two-factor authentication, to minimise the risk of such breaches.”
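The forwarding rule Phil Bindley mentions is worth checking for explicitly, because a quietly added rule survives a password reset and keeps leaking mail after the account is "recovered". The block below is an added example, not code from the article or from The Bunker: it audits a list of mailbox rules and reports any enabled rule that forwards or redirects to an address outside the company's domains, that forwards and deletes, or that has a near-empty name. The records are constructed, and the field names are an assumption modelled on what a mailbox-rule export typically contains; a real audit would load the export from the mail platform's admin tooling.

```python
"""Added example: audit of mailbox inbox rules for the silent-forwarding pattern.

Not the article's or The Bunker's code. Rule records are constructed and
their field names are an assumption for this example.
"""
# Constructed: the company's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example-smb.co.uk"}

# Constructed sample export: one record per rule.
SAMPLE_RULES = [
    {"mailbox": "jane.doe@example-smb.co.uk", "name": "Archive invoices",
     "enabled": True, "forward_to": [], "redirect_to": [], "delete_message": False},
    # The pattern from the quote: forward to an outside account and delete the
    # original so the mailbox owner never sees the message arrive.
    {"mailbox": "jane.doe@example-smb.co.uk", "name": ".",
     "enabled": True, "forward_to": ["collector@free-mail.test"], "redirect_to": [],
     "delete_message": True},
    # Legitimate internal copy; forwarding inside the company is not flagged.
    {"mailbox": "bob.smith@example-smb.co.uk", "name": "Copy to assistant",
     "enabled": True, "forward_to": ["assistant@example-smb.co.uk"], "redirect_to": [],
     "delete_message": False},
    # Disabled rules are skipped by the audit.
    {"mailbox": "bob.smith@example-smb.co.uk", "name": "Old rule",
     "enabled": False, "forward_to": ["me@free-mail.test"], "redirect_to": [],
     "delete_message": False},
]


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(rule: dict) -> list:
    """Reasons a single rule deserves a look; an empty list means it looks benign."""
    findings = []
    recipients = rule["forward_to"] + rule["redirect_to"]
    external = [r for r in recipients if is_external(r)]
    if external:
        findings.append("forwards_externally:" + ",".join(external))
    if rule["delete_message"] and recipients:
        findings.append("forward_and_delete")
    if len(rule["name"].strip()) <= 1:
        findings.append("near_empty_name")
    return findings


def audit_rules(rules: list) -> dict:
    """Map (mailbox, rule name) to findings for every enabled rule that has any."""
    report = {}
    for rule in rules:
        if not rule["enabled"]:
            continue
        findings = rule_findings(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES).items():
        print(key, findings)
```

Running this on a schedule, and alerting on any new finding rather than on the whole report, turns a months-long silent leak into a same-day ticket; pairing it with the two-factor authentication the quote recommends reduces how often the rule gets planted in the first place.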

3. Malware cocktails

SonicWall’s President and CEO, Bill Conner

“As the cyber arms race continues to escalate, there is increasing pressure on the US and UK governments to truly understand the nature of malware cocktails: the process of mixing threats to concoct brand new, destructive attacks. The risks to businesses and even everyday citizens’ data grow each day. Governments and businesses need to deploy a layered security approach utilizing next-generation firewalls, deep packet inspection for encrypted communication, cloud-based multi-engine cloud sandboxing, advanced real-time deep memory inspection, and next generation end-point security with rollback capability.”

4. Automation

Daniel Moscovici, co-founder at Cy-oT

“SMBs are mainly exposed to large automated threats rather than targeted attacks. Anything that perpetrators can launch through large scale distributed attack platforms is of relevance. In particular, we see more and more connected devices of all types being compromised en masse to serve as launch pads for further attacks into networks (big and small). These IoT botnets, either stationary (smart TVs, CCTV, coffee machines) or mobile (wearables), are used to leak data from and wreak havoc inside organizations. SMBs suffer from high exposure to such threats as they usually lack the resources to deploy stringent internal controls.”

5. SQL injection

James Brown, global vice president, technology solutions at Alert Logic

“It may be old and boring, however, it is still one of the most common attack types we see and is still the root cause in a number of very high profile attacks. We see SQL injection flaws arise in all manner of platforms and components; whether they be content management solutions, development platforms, plugins, add-ins etc. It is more common to see SQL injection target known vulnerabilities in these components rather than targeting custom code. How to protect? Patch all the server components you are using, and yes that includes all the plugins that the development team used to speed up development.”

6. Microsoft

Javvad Malik, security advocate at AlienVault

“AlienVault collects billions of anonymised security events from our customers. Using this telemetry we can establish macro trends of what attacks are being utilised and how best to defend against them. Based on this data, we can see that the most popular exploits used are for Microsoft Windows and Office. Having said that, Microsoft does have exceptionally mature processes to prevent exploits, therefore ensuring products are patched and up to date is a good first step.”

7. Ransomware

Robert Carolina, Executive Director of the Institute for Cyber Security Innovation

“The attack methodology most widely affecting small businesses – particularly professional services firms – is ransomware. Such companies are ripe for ransomware attacks and are also most likely to pay the ransom as they require their data to operate. Losing access to it would be catastrophic. Overall, the resilience of small businesses is very low. They are the least likely to have good password hygiene – password reuse is rife, there are lots of admin accounts that allow the proliferation of ransomware, and they rarely have a backup system which is regularly tested to enable them to recover from an attack. This is a problem unlikely to go away anytime soon. If you make a list of 1,000 small businesses, and 10 pay $300 each, you’re suddenly operating a very lucrative cyber-crime business. Offshore mid-sized criminal gangs are cashing in on this currently and with some simple steps could be stopped.”

8. People

Andrew Avanessian, COO at Avecto

“Social engineering as an attack method is ubiquitous for a reason: arguably, it now poses more of a risk to business than it ever has. It has moved beyond often simplistic scams to well-informed phone calls to employees, or convincing looking websites and spear-phishing emails that target individuals using data that is readily available online. Often, attackers target junior or unsuspecting team members, so limiting access to sensitive data and critical systems within an organisation is vital. Carrying out an audit of where mission-critical and sensitive data sits within a business is an important first step, which means it can then be safeguarded with appropriate permissions.”

Oscar Arean, Technical Operations Manager at Databarracks

“The insider threat is one of the biggest issues small businesses need to worry about right now. However, small businesses are often unaware of these threats and tend to lack the processes and practices necessary to keep their data safe, such as strong passwords and multi-factor authentication. For example, passwords are often shared without putting in place proper password registers and policies for revoking access to leavers, which puts small businesses at significant risk. As a result, we have seen several examples of data theft and malicious deletion by disgruntled staff on their way out. Additionally, SMEs tend to favour agility over process and security. That can mean unpatched desktops and laptops, use of unsecured Wi-Fi and use of lots of freemium SaaS accounts, often with the same passwords used throughout. Insider threats are some of the most difficult types of attacks to protect against, even for larger organisations, but can leave small organisations crippled and unable to operate. Unfortunately for small businesses, there’s not a simple answer or a product you can buy for a quick fix. They need to stop sharing passwords, keep registers of who has access, be vigilant and have a defined leaver process. Basic cyber hygiene is a requirement for all businesses and even SMEs will start to see demands from their customers evaluating their supply-chain.”

Matt Middleton-Leal, GM EMEA at Netwrix

“Many small and medium-size business (SMB) owners and company executives make a common mistake. They are so preoccupied with external attack methodologies like website hacks or spam-borne malware/ransomware that they overlook the possibility of attacks originating closer to home. Sometimes ordinary employees do extraordinary things. Such as extend their IT privileges to give them access to systems and information beyond their job function. Or someone with a grudge or who is leaving deliberately tampers with data or takes it to a competitor. Tools do exist that allow IT staff to spot the tell-tale signs of privilege abuse or data tampering and take early action before a breach can occur. Yet all too often improving defences against external threats or managing strategic projects take precedence. It’s a risky strategy that means data breaches can only be avoided if IT and non-IT staff are well drilled in security best-practice and wholly committed to doing their bit to help each other.”

9. IoT devices

Barry Shteiman, VP of Research and Innovation at Exabeam

“Businesses must understand just how quickly IoT devices can turn and become useful to an adversary either as a member of a botnet or a jumpbox into a network. As more devices become smart and also internet-enabled, they often are given the ability to send, query, or process information that resides elsewhere in the network or cloud. To do so, these devices often use embedded accounts that are difficult to monitor and may also have hard-coded passwords. The combination of smart devices with credentials to access external systems, via unmonitored, privileged accounts means that IoT represents a risky and unwatched channel for data theft or larger participation in botnet attacks. The best way to illuminate this attack risk is to monitor the behaviour of IoT devices in much the same way as actual human users. By understanding what normal behaviour for these IoT devices looks like, it’s possible to get an early indication of when a device has been hijacked by hackers and is likely being used to access and steal data. IoT will continue to grow and gain greater access to data; already a simple and lucrative target for attackers.”
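Barry Shteiman's recommendation, learn what normal looks like for each device and alert on departures from it, works well for IoT precisely because a camera or a smart TV has a far narrower repertoire than a human user. The block below is an added example, not code from the article or from Exabeam: it builds a per-device baseline from a learning period of flow records (the destinations and ports each device talks to, and the largest transfer seen), then scores later flows, flagging a destination the device has never used, a transfer several times larger than anything in its history, or a device with no baseline at all. All flow records are constructed.

```python
"""Added example: per-device behavioural baseline for IoT network flows.

Not the article's or Exabeam's code. All flow records are constructed;
a real deployment would feed NetFlow/firewall logs into the same two steps.
"""
from collections import defaultdict

# Constructed learning period: (device, destination, port, bytes_out).
BASELINE_FLOWS = [
    ("cctv-01", "nvr.example-smb.internal", 554, 250_000),
    ("cctv-01", "nvr.example-smb.internal", 554, 240_000),
    ("cctv-01", "ntp.example-smb.internal", 123, 90),
    ("smart-tv-02", "cdn.vendor.test", 443, 40_000),
    ("smart-tv-02", "cdn.vendor.test", 443, 55_000),
]

# Constructed flows observed after the learning period.
NEW_FLOWS = [
    ("cctv-01", "nvr.example-smb.internal", 554, 260_000),        # business as usual
    ("cctv-01", "fileserver.example-smb.internal", 445, 3_000_000),  # never seen, and huge
    ("smart-tv-02", "203.0.113.7", 6667, 1_500),                 # new destination, small
    ("thermostat-09", "203.0.113.9", 443, 400),                  # device with no baseline
]


def build_baseline(flows: list) -> dict:
    """Per device: the set of (destination, port) pairs seen and the largest
    single transfer, learned from the flows of a known-quiet period."""
    baseline = defaultdict(lambda: {"destinations": set(), "max_bytes": 0})
    for device, dest, port, nbytes in flows:
        entry = baseline[device]
        entry["destinations"].add((dest, port))
        entry["max_bytes"] = max(entry["max_bytes"], nbytes)
    return dict(baseline)


def detect_anomalies(baseline: dict, flows: list, spike_factor: int = 5) -> list:
    """Return (device, dest, port, reason) for each flow that departs from
    the device's baseline; flows within it produce nothing."""
    alerts = []
    for device, dest, port, nbytes in flows:
        entry = baseline.get(device)
        if entry is None:
            alerts.append((device, dest, port, "unknown_device"))
            continue
        reasons = []
        if (dest, port) not in entry["destinations"]:
            reasons.append("new_destination")
        if nbytes > spike_factor * entry["max_bytes"]:
            reasons.append("volume_spike")
        if reasons:
            alerts.append((device, dest, port, "+".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

The learning period has to be one you trust was clean, and the baseline needs re-learning after a firmware update changes a device's legitimate destinations; both caveats are the price of a detector that otherwise needs no signatures and no agent on devices that cannot run one.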

10. Encrypted traffic

Tim Bandos, Senior Director of Cybersecurity at Digital Guardian

“SSL encryption is a staple of the internet. It’s crucial to protecting data in transit during web transactions, emails, mobile apps, but at the same time as masking corporate data, it can also be used to hide an attacker’s data transfers and communications to command and control servers. Today, cloud adoption means businesses are accepting more encrypted traffic than ever. The volume of data for malware to hide itself in is increasing, and payoffs are becoming simpler to achieve and more lucrative. Additionally, there has been a significant rise in the offerings of free or low-cost SSL certificates to encourage a more widespread adoption of data encryption, which has unfortunately allowed cyber-criminals to leverage them for nefarious purposes. The best strategy for defence against such attacks is a multi-layered one. It’s important to remember that simply decrypting the traffic may not immediately uncover any malware or sensitive data contained within, and will undoubtedly also require a set of “eyes-on-glass” to analyse and interpret any suspicious or anomalous activity for further verification.”