Enterprise cybersecurity: protecting your business

March 17, 2020

Alex Paretski

Information Security Observer

Modern companies fight on a cyber battlefield where they must hold the line against new attacks and long-established ones at the same time. Smart technologies such as artificial intelligence, blockchain, and the internet of things have given cybercriminals alternative channels for attacking organizations and new ways of camouflaging malicious activity. At the same time, well-known types of attacks evolve constantly, becoming harder to detect and neutralize.

Official statistics on cyberattacks change quickly. However, looking through previous years’ data, it’s easy to spot waves of attacks occurring in a specific period of time. For example, 2017 was the year of the devastating WannaCry and Petya/NotPetya malware campaigns. 2018 will stay in the cybersecurity chronicles as the year of the massive data breaches that Facebook overlooked.

In 2019, security professionals registered a mind-blowing 2,000% increase in operational technology (OT) incidents. IBM’s latest X-Force Threat Intelligence Index 2020 shows more frequent aggressive attacks on Industrial Control Systems (ICS). Cybercriminals exploit known vulnerabilities in ICS hardware and rely on brute forcing as the primary method of getting into such systems’ software.

Operational technology (OT) attack trends

Still, several types of attacks are registered all the time. It’s an organization’s responsibility to be ready to face them when they happen, either on its own or by turning to cybersecurity consulting services.

Common cyberattacks and core principles of enterprise cybersecurity

Let’s dive into the major concepts of enterprise cybersecurity by analyzing the most popular types of attacks and their most effective countermeasures.

Brute force and credential stuffing attacks

Brute force is a straightforward trial-and-error type of cyberattack. Using brute force techniques, hackers try to access valuable data by cracking victims’ passwords or encryption keys. Websites with built-in user authorization and mail services are the most attractive targets for attackers, who carry out dictionary attacks to guess active passwords. A reverse brute-force attack is an alternative method in which an attacker tries one password against multiple usernames.

Since trying thousands of passwords manually takes too much time and effort, hackers use special tools to automate the process. This allows them to organize massive brute forcing against large networks.

Brute force attacks can bring major damage to corporate IT infrastructures and result in substantial data leaks. Fortunately, they are also quite easy to spot through the cascades of abnormal logins and logouts.

The OWASP Foundation offers several techniques for withstanding brute force attacks. Time delays between successive login attempts, unpredictable responses to unsuccessful logins, automatic account lockout after repeated failed logins, and CAPTCHAs are just a few feasible measures to knock down brute forcing. Organizations should also disallow weak and commonly used passwords, train staff never to reuse or create variations of old passwords, and implement password encryption software.
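The two countermeasures above that a defender can actually put in code are detection (the "cascades of abnormal logins" signal) and a delay/lockout policy. The following is an added example, not code from the original article or from OWASP: it parses a few constructed sshd-style auth-log lines (the format, IP addresses, user names and thresholds are all assumptions), flags a source that produces a burst of failed logins, counting how many distinct accounts it touched (which also catches the reverse brute-force pattern), and implements a per-account exponential delay followed by a temporary lockout.

```python
"""Added example (not from the original article): brute-force detection over
constructed auth-log lines, plus an OWASP-style delay-then-lockout policy.
The log format, thresholds, IPs and user names below are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not real logs).
SAMPLE_LOG = """\
2020-03-17T09:00:01 Failed password for alice from 203.0.113.5
2020-03-17T09:00:02 Failed password for alice from 203.0.113.5
2020-03-17T09:00:03 Failed password for bob from 203.0.113.5
2020-03-17T09:00:04 Failed password for carol from 203.0.113.5
2020-03-17T09:00:05 Failed password for dave from 203.0.113.5
2020-03-17T09:00:06 Accepted password for dave from 203.0.113.5
2020-03-17T09:05:00 Failed password for alice from 198.51.100.7
2020-03-17T09:20:00 Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: number_of_distinct_users} for every source IP that produced
    at least `threshold` failed logins inside a sliding time `window`.
    A high distinct-user count from one IP is the reverse brute-force /
    credential-stuffing pattern; a low one is classic password guessing."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> accounts that source tried
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = len(users[ev["ip"]])
    return flagged


class LoginGuard:
    """Per-account failure counter: exponential delay on each failure, then a
    temporary lockout once `max_failures` is reached (OWASP-style controls)."""

    def __init__(self, max_failures=5, base_delay=1.0, max_delay=30.0,
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout = lockout
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Count a failed attempt and return the delay (seconds) the caller must
        enforce before answering the next attempt for this account."""
        if user in self.locked_until and not self.is_locked(user, now):
            # Lockout has expired: start counting afresh.
            del self.locked_until[user]
            self.failures[user] = 0
        self.failures[user] += 1
        n = self.failures[user]
        if n >= self.max_failures:
            self.locked_until[user] = now + self.lockout
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record_success(self, user):
        """A successful login clears the counter and any lockout."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))   # {'203.0.113.5': 4}
```

On the sample data the detector flags 203.0.113.5 (five failures in five seconds across four accounts) and ignores 198.51.100.7, which failed once. Note that lockout is itself a denial-of-service lever against legitimate users, so it is deliberately temporary and keyed per account; in production the same counters would also be kept per source address.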

One variation of brute force attacks is credential stuffing, which has proliferated in the last few years. Knowing that users typically reuse the same credentials across several apps, hackers take compromised credentials, illegitimately acquired in a data breach, and replay them to perform an account takeover (ATO).

Credential stuffing attacks vs. brute force attacks

The first outbreaks of credential stuffing were reported in 2018 when security professionals registered more than 115 million attempts to use stolen credentials per day. In 2019, Boost Mobile, a Sprint-owned virtual mobile network with over 15 million active users, confirmed credential stuffing that enabled hackers to manipulate customer accounts via their official website.

Given the growth of big data in general and the increasing volume of stolen sensitive data traded on the dark web, the risk of credential stuffing will only grow in the coming years.

DDoS attacks

A distributed denial-of-service attack (DDoS) is one of the greatest enterprise cybersecurity threats. DDoS represents a set of malicious activities aimed at disrupting the normal operation of a server, service, or network by exhausting them with a flood of data packets. Assaulted by hackers, a target becomes unreachable for standard users while malicious actors take control over it to further contaminate the network, put enterprise infrastructure out of service, or steal confidential data.

Typically, a DDoS attack begins with an exploited vulnerability, which allows hackers to gain control over a particular computer or network device, known as a zombie or a bot. The zombie then finds other vulnerable systems and infects them, allowing hackers to build a botnet, or a network of compromised machines. After that, an attacker can use the botnet’s traffic to flood the selected target.

DDoS floods can be overwhelming. One of the most prominent DDoS attacks was registered in February 2018 when GitHub faced an incredible peak traffic of 1.35 TBps.

Depending on the target, there are three main types of DDoS attacks:

  • Network-centric (volumetric) attacks
  • Protocol attacks
  • Application layer attacks

DDoS attacks are dangerous because they often affect the target together with connected networks and systems. For example, a DDoS attack can compromise not only an organization but also its service providers.

Comparing DDoSers’ activities in 2018 and 2019, Kaspersky shows that both the number of DDoS attacks and their duration have increased. This means cybercriminals have more chances to seriously damage enterprises’ assets and operations.

DDoS attacks in 2018 and 2019

It is worth mentioning that IoT is one of the key targets and channels for modern DDoSers. The history of IoT shows clearly that the many attempts by governments and businesses to secure IoT deployments have not brought any breakthroughs so far. That’s why connected environments and IoT devices will stay attractive targets for cybercriminals globally.

To minimize risks, companies should put their effort into eliminating network vulnerabilities that can attract malicious users. In order to keep constant control over network traffic, it’s worth implementing relevant enterprise security solutions to prevent the transmission of undesired packets, thwart user interaction with insecure services, and block suspicious traffic. By setting up network monitoring tools and taking up software security testing, organizations can monitor their network activities and apply immediate countermeasures in case of a DDoS.

Malware attacks

Viruses, worms, Trojan horses, and wipers are just a few types of malware that can infect a target system and let hackers steal sensitive data, disrupt core computing functions, and secretly monitor users’ activity.

Ransomware is another incarnation of malware that has become particularly popular in the last few years. By getting into a target system and spreading ransomware, attackers encrypt data and offer to decrypt it after a demanded ransom is paid.

Once launched, malware is nearly impossible to stop, so it’s always better for organizations to prevent infection rather than eradicate it. Past massive attacks prove that organizations often neglect the core principles of enterprise security, which leads to terrible outcomes.

The infamous WannaCry ransomware attack in May 2017 became the most disastrous cyberattack of all time. It affected almost 200,000 computers in 150 countries, causing total damage of $8 billion. Surprisingly, such catastrophic damage wasn’t the result of poor or missing countermeasures. The ransomware propagated through a known exploit in older versions of Microsoft Windows. Although the corporation had released the necessary security patches before the attack, affected organizations didn’t apply the updates and kept using their outdated operating systems.

As ransomware evolves, so do hackers’ techniques. Not only do cybercriminals choose their targets more carefully, but they also demand higher ransoms and raise the stakes for victims.

For Travelex, a UK currency exchange service, 2020 started on a dark note. Apart from demanding an unprecedented payment of $6 million, the hackers behind the latest REvil (aka Sodinokibi) attack also threatened to sell all the stolen sensitive data. While the company is still recovering from the attack, security specialists have already declared that threatening to leak or sell stolen data, in addition to encrypting it for good, is the new trend of the year.

Injection attacks

In an injection attack, a hacker injects malicious code into a program or computer and executes remote commands in order to perform malicious activities. There are various types of injection, including blind XPath injection, XPath injection, buffer overflow, LDAP injection, OS commanding, SSI injection, blind SQL injection, and SQL injection, or SQLi for short. In the latter case, an attacker injects commands that can read or modify a database and alter the meaning of the original SQL query.

According to Akamai’s Web Attacks and Gaming Abuse report, SQLi attacks and Local File Inclusion (LFI) attacks represent 89.8% of all web app attacks.

Top attack vectors

SQLi attacks are so widespread because the vulnerabilities allowing SQL injection are commonplace. To make it worse, the target itself is highly attractive: databases contain loads of potentially lucrative data.

SQLi attacks are not only common but also dangerous. By gaining access to a database, a hacker can not only change its normal operation but also steal identities, remove data, compromise its integrity, or completely destroy large data sets. Moreover, through SQLi, an attacker can get privileged user rights, for example, of a database administrator, which can cause even more damage to services and operating systems connected with the database.

The OWASP Cheat Sheet series describes several defenses against injection attacks. Database developers should pay attention to how they write database queries. It is highly recommended to create parameterized queries with bind variables instead of dynamic queries. Additionally, developers can use stored procedures that contain no unsafe dynamic SQL generation.

Allow-list input validation (query redesign) and keeping user-supplied input out of query text are two more techniques for making a database SQLi-proof. Limiting the number of privileged users with broad administration rights is one more measure that prevents malicious users from gaining control over a database.
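The difference between a dynamic query and a parameterized one, and the role of allow-list validation where bind variables cannot be used, is easiest to see side by side. The following is an added example, not code from the original article or from OWASP: it builds an in-memory SQLite table with constructed rows, shows the string-concatenated query that a tautology input turns into "return every row", the bound-parameter version that treats the same input as plain data, and an allow-list check for a user-chosen sort column (an identifier, which no driver lets you bind as a parameter). Table name, column names and sample users are assumptions.

```python
"""Added example (not from the original article): dynamic SQL vs. a parameterized
query, plus allow-list validation of an identifier, on a constructed SQLite table."""
import sqlite3

# Constructed sample data (assumption, not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "admin"),
    ("bob", "bob@example.com", "user"),
]


def setup_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_dynamic(conn, name):
    """VULNERABLE: the caller's input is concatenated into the SQL text, so a
    quote character in `name` ends the literal and changes the query's meaning."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """SAFE: bind variable. The driver sends `name` as a value, never as SQL,
    so the same input is simply compared against the column as a string."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for the ORDER BY column: identifiers cannot be parameterized,
# so the only safe option is to accept a fixed set of known column names.
ALLOWED_SORT_COLUMNS = {"name", "email", "role"}


def list_users_sorted(conn, column):
    """Return user names ordered by a caller-chosen column, validated against
    the allow-list before it is interpolated into the statement."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    rows = conn.execute("SELECT name FROM users ORDER BY " + column).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = setup_db()
    tautology = "' OR '1'='1"          # classic input that rewrites the WHERE clause
    print(find_user_dynamic(conn, tautology))   # both rows: query meaning was altered
    print(find_user_param(conn, tautology))     # []: input treated as data
    print(list_users_sorted(conn, "role"))      # ['alice', 'bob']
```

The parameterized version is the one the cheat sheet calls a "bind variable" query; note that it does not merely escape quotes but keeps the SQL text constant, which is why it also protects against inputs that no escaping rule anticipated. The least-privilege advice in the text is complementary: even a bug in `find_user_dynamic` does far less damage when the connection's database account can only read the tables the application needs.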

Social engineering

Social engineering involves psychological manipulation in order to make users divulge confidential information such as telephone numbers, addresses, credit card details, and so on. Social engineering can be used for system access. Sometimes it is also the easiest way to penetrate a large organization’s complex security infrastructure.

Social engineering is often used as the first step for hackers to explore the selected target, collect secret information, or spread malicious software by taking advantage of employees’ carelessness. There is a variety of social engineering techniques that let malicious actors succeed in their activities. Baiting, vishing, honey trap, watering hole, pretexting, quid pro quo, tailgating, phishing, and whaling are popular methods to compromise enterprise cybersecurity by interacting with different user groups.

IBM’s X-Force Threat Intelligence Index 2020 shows that phishing remains the most used attack vector, giving hackers a foothold in enterprise networks from which to expand their malicious activities.

Top initial access vectors

Verizon’s Data Breach Investigations Report 2019 affirms that phishing is particularly successful when applied to mobile devices. Smartphones’ characteristics, such as relatively small screens and mobile OS settings, don’t let users thoroughly check emails they get and webpages they work with.

What’s worse, even organizations that stick to the core principles of enterprise security aren’t protected against social engineering if employees aren’t vigilant enough or are willing to disclose corporate data. Regular security training can teach employees how to deal with suspicious devices and email attachments and how to recognize hackers posing as someone else. Security filters should also be in place to reduce the risk of employees opening infected emails.

Advanced persistent threat

An advanced persistent threat (APT) is one of the most dangerous types of cyberattacks, as it’s very difficult to detect. In this type of attack, a malicious user penetrates a network and stays entrenched there for a long period of time. Unlike other types of attacks, APTs rarely cause large-scale damage to an organization’s infrastructure. Instead, the attacker puts great effort into staying unnoticed in order to steal as much valuable data as possible.

The State of Industrial Cybersecurity 2019 by ARC Advisory Group and Kaspersky proves that APTs are among enterprises’ greatest security concerns.

Which of the following security incidents are a major, minor or no concern for your control system

The Carbanak attack is one of the largest registered APT attacks against banks worldwide. The Carbanak gang started their activities in late 2013, and during five years of targeted activities they managed to steal more than $1 billion from over 100 financial institutions in 40 countries. The gang’s leader was arrested only in March 2018 after a large-scale investigation conducted jointly by several countries.

The example of the Carbanak attack shows how sophisticated hackers can be and how difficult it might be to stop them. At the corporate level, an established strategy for enterprise network management that enables comprehensive network monitoring, combined with exceptional vigilance from security professionals as well as database and system administrators, can be the only remedy against an APT. Abnormal logins and logouts, backdoors that let hackers get in and out of a network, unexpected data stores, targeted spear phishing, and whaling campaigns might be signs of an ongoing APT attack.

Which industries are at risk?

According to the latest study by the Ponemon Institute and IBM, the number of breached records across all industries almost tripled in 2019 compared to 2018, reaching 8.5 billion, with the average cost of a data breach being $3.9 million. As for the US, the average total cost of a data breach in the region climbed from $3.54 million in 2006 to $8.19 million in 2019.

2019 cost of a data breach

No organization is immune to cybercrime, but some industries and business domains usually attract the most attention from hackers. While the financial sector remains the most appealing target, organizations in retail, media, and education were attacked much more frequently in the past year.

Top 10 targeted industries ranked by attack volume

At the same time, healthcare remains the leader in terms of the cost per stolen record. Industries that operate under weaker regulations (for example, the public sector, retail, and media) traditionally endure a substantially lower cost of a data breach than heavily regulated industries such as healthcare and financial services.

Average cost per record by industry sector

The holistic approach to enterprise cybersecurity is the only remedy

Hackers are getting smarter by the day. Today, enterprises witness both short aggressive attacks and long-term sophisticated campaigns, involving multiple vectors and stages.

So how can companies protect themselves against hackers? Building a robust enterprise security architecture and coupling it with automated security tools and governance plans remains the most effective way for enterprises to stay clear of cyber trouble.

Respecting security basics

Traditional security measures such as antivirus software, firewalls, password managers, web gateways, and mirrors hosted in the cloud seem banal, but they are essential for a company to detect and mitigate attackers’ first moves. Keeping an eye on timely updates and patches will also prevent companies from exposing their IT environments. Regular security training is a must to teach employees to stay vigilant of suspicious activities happening on their workstations.

Advanced security software

Apart from the standard security measures, organizations are encouraged to adopt enterprise security solutions that give security professionals a comprehensive view of their IT ecosystems. Depending on an organization’s specifics and needs, they can rely on user and entity behavior analytics (UEBA), data loss prevention (DLP), identity and access management (IAM), security information and event management (SIEM), threat intelligence, and other security-centric systems. The major benefit of such systems is that they monitor a connected environment continuously, which is critical for data-driven decision making and allows businesses to take the most effective security steps based on accurate statistics.

Security testing

Finally, companies can run security testing as both a preventive and a reactive measure. On the one hand, security testing helps organizations reveal existing vulnerabilities and eliminate them before they attract attackers. On the other hand, network security and software security testing can help organizations identify attack vectors and analyze attackers’ paths, thus stopping them midway. Additionally, penetration testing can be carried out yearly at less exposed organizations and twice a year at organizations facing higher cyber risks.