DIGITAL transformation, in most industries and sectors, happened almost overnight when the pandemic closed offices and schools and initiated remote working and learning. The rapid digitalization induced by the hated COVID-19 virus also allowed attackers to step up their game.
Proven by statistics over and over again, the non-automated part of cybersecurity, the part that requires human decision-making and is affected by emotions, knowledge, experience or opinion, is the weakest link that cybercriminals wait for to get into a website, platform or portal. It is these security misperceptions, coupled with social engineering, phishing or poor judgement calls, that increase vulnerabilities.
Consulting with the Sophos Rapid Response team, here is a list of the ten most common ways malware infections, compromised data, or unauthorized access happen.
- Thinking that the company is too small, or that there is nothing attractive or profitable about it. Many cyberattack victims assume that their size, what they offer, or their ranking in their industry or vertical makes them of no significance, and that the company lacks the kind of lucrative assets that would attract an adversary. The truth is, it doesn’t matter. Processing power and digital presence are all that matter. Sophos says that most attacks are launched by opportunists looking for easy prey and low-hanging fruit, such as organizations with security gaps, errors, or misconfigurations that cybercriminals can easily exploit.
- Advanced security technologies installed everywhere are unnecessary. Some IT teams still believe that endpoint security software is enough to stop all threats, or that they don’t need security for their servers. Attackers take full advantage of such assumptions. Any mistakes in configuration, patching, or protection make servers a primary target. Based on the incidents that Sophos Rapid Response has investigated, servers are now the number one target for attacks. An organization that relies only on basic security, without more advanced and integrated tools such as behavioral and AI-based detection and a 24/7 human-led security operations center, is like letting intruders in by opening a gate.
- Assuming that robust security policies are in place. Having security policies for applications and users is critical. However, they need to be checked and updated constantly as new features and functionality are added to devices connected to the network. Verify and test policies using techniques such as penetration testing, tabletop exercises, and trial runs of disaster recovery plans.
- Remote Desktop Protocol (RDP) servers can be protected from attackers by changing the ports they are on and introducing multi-factor authentication (MFA). The standard port used for RDP services is 3389, so most attackers will scan this port to find open remote access servers. However, the scanning will identify any available services, so changing ports offers little or no protection on its own. Introducing multi-factor authentication is essential, but it won’t enhance security unless all employees and devices enforce it. RDP activity should occur within the protective boundary of a virtual private network (VPN). IT security should limit or disable RDP internally and externally.
- Blocking IP addresses from high-risk regions such as Russia, China, and North Korea protects us against attacks from those geographies. Blocking IPs from specific regions is unlikely to do any harm, but it could give a false sense of security if it’s the sole means of protection. Adversaries host their malicious infrastructure in many countries, with hotspots in the US, the Netherlands, and the rest of Europe.
- Our backups provide immunity from the impact of ransomware. Keeping up-to-date backups of documents is business-critical. However, if your backups are connected to the network, then they are within reach of attackers. Storing backups in the Cloud also needs to be done with care. The standard formula for secure backups to restore data and systems after a ransomware attack is 3:2:1. Three copies of everything, using two different systems, one of which is offline. Having offline backups in place won’t protect your information from extortion-based ransomware attacks, where the criminals steal and threaten to publish your data instead of or as well as encrypting it.
- Employees understand security. Assume that they don’t. According to the State of Ransomware 2021, 22 percent of organizations believe they’ll be hit by ransomware in the next 12 months because it’s hard to stop end users from compromising security. Social engineering tactics like phishing emails are becoming harder to spot. Messages are often hand-crafted, accurately written, persuasive, and carefully targeted. Employees must be constantly trained on how to spot suspicious messages and what to do when they receive one. Who do they notify so that other employees can be alerted?
- Incident response teams can recover my data after a ransomware attack. This is very unlikely. Attackers today make far fewer mistakes, and the encryption process has improved, so relying on responders to find a loophole that can undo the damage is extremely rare. Automatic backups like Windows Volume Shadow Copies are also deleted by most modern ransomware, and the original data stored on disk is overwritten, making recovery impossible other than by paying the ransom.
- Paying the ransom will get our data back after a ransomware attack. Ransomware that can shut down operations leaves even the smallest company hostage, and desperate to purchase an unlock code to be paid via Bitcoin. According to the State of Ransomware survey 2021, an organization that pays the ransom recovers on average around two-thirds (65 percent) of its data. A mere 8 percent got back all of their data, and 29 percent recovered less than half. Paying the ransom, even when it seems easier and is covered by your cyber-insurance policy, is therefore not a straightforward solution to getting your data back.
- The release of ransomware is the whole attack. Companies believe that if they pay up they survive. Unfortunately, this is rarely the case. Ransomware is just the point where the attackers want you to realize they are there and what they have done. In most cases the adversaries have been in a network for days if not weeks before releasing the ransomware, exploring, disabling, or deleting backups, finding the machines with high-value information or applications to target for encryption, removing information, and installing additional payloads such as backdoors. Maintaining a presence in the victim’s networks allows attackers to launch a second attack if they want to.