How Can Businesses Defend Themselves Against Cyberthreats?
Today, all businesses are at risk of cyberattack, and that risk is constantly growing. Digital transformations are resulting in more sensitive and valuable data being moved onto online systems capable of exploitation, thus increasing the profitability of a successful breach.
Furthermore, launching a cyberattack is becoming more accessible. Exploit kits and malware-as-a-service offerings are getting cheaper, while open-source AI tools are making masquerading as a trusted executive and exploiting vulnerabilities easier.
TechRepublic consolidated expert advice on how businesses can defend themselves against the most common cyber threats, which are:
Social engineering attacks.
Zero-day exploits.
Ransomware attacks and data theft.
IoT attacks.
Supply chain attacks.
AI deepfakes.
Social engineering attacks
What are they?
Social engineering is an umbrella term for some of the most common types of cyberattacks, all of which involve some form of human manipulation to obtain information about an organization or network. Social engineering attacks include, but are not limited to:
Phishing: Attackers impersonate legitimate entities to deceive individuals into giving up confidential information, like log-in credentials. Most often, this is in the form of an email, but it can be done over the phone (vishing) or text (smishing).
Baiting: The attacker leaves a physical device, like a USB stick or CD, containing malware in a public place in the hopes that someone will pick it up and use it, thus compromising their system.
Whaling: A more personalized version of phishing that usually targets a single, high-ranking individual.
Business email compromise: A targeted cyberattack where attackers impersonate a trustworthy executive via a compromised email account and deceive employees into transferring money or revealing sensitive information.
While social engineering attacks can be instigated through emails, phone calls and USB sticks, they all have one attack entry point in common: humans.
How can businesses protect themselves?
Zero-day exploits
What are they?
TechRepublic contributing writer Kihara Kimachia defined zero-day exploits as:
“Zero-day exploits are code vulnerabilities and loopholes that are unknown to software vendors, security researchers and the public. The term ‘zero day’ originates from the time remaining for a software vendor to patch buggy code. With zero days — or zero hours — to respond, developers are vulnerable to attack and have no time to patch the code and block the hole. One bug can give hackers enough access to explore and map internal networks, exfiltrate valuable data and find other attack vectors.”
Zero-day attacks could be on the rise thanks to the growing accessibility of large language models. Such models can be used to speed up the search for vulnerabilities and help conduct convincing social engineering attacks.
What are the most common attack entry points?
Potential attack entry points for zero-day vulnerabilities are the same as known and patched vulnerabilities — any way an attacker can exploit the weaknesses in software or hardware systems. These common attack entry points include:
Email attachments that exploit vulnerabilities in software when opened. These attachments can arrive in a victim’s inbox as part of a social engineering attack.
Compromised websites that trigger the automatic download of malware onto a visitor’s device.
Software or hardware that has had a vulnerability exploited directly by a threat actor through injecting malicious code.
How can businesses protect themselves?
Kimachia offered the following advice for protection against zero-day exploits:
Keep software up to date as patches are released to fix known vulnerabilities. However, it’s important to be cautious when updating from unverified sources.
Install intrusion detection systems that can detect unusual patterns or behaviours in networks, which helps in identifying zero-day exploits.
Implement endpoint security solutions that offer real-time monitoring and protection against both known and unknown threats.
Stay informed by subscribing to threat intelligence services that provide real-time information about vulnerabilities and exploits.
Develop an incident response plan so security teams can act quickly and cohesively to mitigate the damage caused by a zero-day exploit.
Behavioral analytics tools can identify any unusual user or system behaviour that could indicate the presence of a zero-day exploit.
Conduct regular security audits using a security risk assessment checklist to proactively identify any vulnerabilities in your network and applications.
Never use a ‘.0’ release of software to keep your organization safe from any undiscovered zero-day vulnerabilities in the first iteration.
Ransomware attacks and data theft
What are they?
According to TechRepublic’s ransomware cheat sheet, ransomware is malware that locks victims out of an infected device and the data stored on it. The hackers then demand payment, often via Bitcoin or prepaid credit card, before access is restored.
Recent research found that, alongside financial implications, ransomware’s impact could include heart attacks, strokes and PTSD.
A ransomware attack is a form of data theft attack, and encrypting is not the only thing that attackers can do when they successfully obtain access to the data. They could also leak the information online or sell it to competitors or other cybercriminals, leading to reputational and financial damage.
What are the most common attack entry points?
Vulnerabilities in enterprise software and applications that connect to the internet can allow bad actors to gain unauthorised access to an organization’s environment and steal or encrypt sensitive data.
Similarly, compromised websites can contain malware that scans connected devices for vulnerabilities. If one is found, malware that gives the attacker remote access to the system, and therefore its data, can be downloaded onto the device automatically.
Employees, via social engineering attacks, are another common attack vector. Attackers can gain access after a worker opens a link or downloads an attachment from a phishing email masquerading as legitimate communication. Employees who feel wronged by their employer, or who have made a deal with cybercriminals, may also intentionally install ransomware.
Weak log-in credentials can be exploited via brute force credential attacks. Such attacks involve the bad actor inputting a series of common username and password combinations until a correct login is discovered and the ransomware attack can begin.
Previously compromised credentials that have been leaked on the dark web without the owner’s knowledge can offer access to the organization’s system. Often, one set of correct credentials can unlock multiple areas of the environment, as it is common for staff to reuse passwords so they are easy to remember.
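The two credential-based entry points above (brute force guessing against one account, and leaked or typical credentials tried across many accounts) leave a characteristic trace in authentication logs. The following is an added example, not code from the article or from TechRepublic, showing how a defender can detect both patterns from log lines. The log format, the sample lines and the thresholds are all constructed assumptions; adapt LINE_RE to the format of your own SSH, VPN or web-application login logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). The line
# format "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>" is an assumption.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:03 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:04 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:06 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:07 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:09 OK user=alice src=203.0.113.5
2024-05-01T09:01:00 FAIL user=bob src=198.51.100.7
2024-05-01T09:01:01 FAIL user=carol src=198.51.100.7
2024-05-01T09:01:02 FAIL user=dave src=198.51.100.7
2024-05-01T09:01:03 FAIL user=erin src=198.51.100.7
2024-05-01T09:01:04 OK user=frank src=198.51.100.7
2024-05-01T10:30:00 FAIL user=grace src=192.0.2.9
2024-05-01T10:45:00 OK user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn raw lines into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_credential_attacks(events, window=timedelta(minutes=5),
                              fail_threshold=5, spray_threshold=4):
    """Return a list of alert dicts.

    brute_force:    one (src, user) pair accumulates >= fail_threshold failures
                    inside `window`; success_after records whether a login then
                    succeeded within `window` of the last failure, the sign that
                    a weak password was eventually guessed.
    password_spray: one source fails against >= spray_threshold distinct users
                    inside `window`, the pattern of typical or leaked credentials
                    being tried across many accounts.
    """
    alerts = []
    by_pair = defaultdict(list)
    by_src = defaultdict(list)
    for ev in events:
        ts, result, user, src = ev
        by_pair[(src, user)].append(ev)
        by_src[src].append(ev)

    for (src, user), evs in by_pair.items():
        fails = [ts for ts, result, _, _ in evs if result == "FAIL"]
        for i, start in enumerate(fails):            # sliding window over failures
            in_window = [t for t in fails[i:] if t - start <= window]
            if len(in_window) >= fail_threshold:
                last_fail = in_window[-1]
                success_after = any(
                    result == "OK" and last_fail <= ts <= last_fail + window
                    for ts, result, _, _ in evs)
                alerts.append({"type": "brute_force", "src": src, "user": user,
                               "failures": len(in_window),
                               "success_after": success_after})
                break                                 # one alert per pair is enough

    for src, evs in by_src.items():
        fails = [(ts, user) for ts, result, user, _ in evs if result == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= spray_threshold:
                alerts.append({"type": "password_spray", "src": src,
                               "distinct_users": len(users)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises one brute_force alert (alice, five failures followed by a success, which is the case to treat as a probable compromise and reset) and one password_spray alert (four distinct users from one source). The spray check is the one that catches reused or leaked credentials being tried widely, because each individual account sees only one failure and a per-account lockout would never trigger.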
How can businesses protect themselves?
Back up all company data regularly to mitigate the potential impacts of a ransomware attack. If something goes wrong, you should be able to quickly and easily revert to a recent backup.
Keep software updated with the latest security patches to prevent attackers exploiting known vulnerabilities to gain access to the company system. Legacy devices running unsupported operating systems should be removed from the network.
Leverage an automated threat detection system to identify the early warning signs of a ransomware attack and give the company time to respond.
Install anti-ransomware solutions that monitor programs running on a computer for suspicious behaviours commonly exhibited by ransomware. If these behaviours are detected, the program can stop any encryption before further damage is done.
Implement multifactor authentication, as it prevents criminals who discover an employee’s log-in credentials from accessing the organization’s system. Phishing-resistant MFA techniques, like smartcards and FIDO security keys, are even better, as the mobile devices used for other MFA methods can themselves be compromised.
Use the principle of least privilege, which means employees should only have access to the data and systems essential for their role. This limits the access of cybercriminals should an employee’s account become compromised, minimizing the damage they could do.
Scan and monitor emails and files on an ongoing basis, and consider deploying an automated email security solution to block malicious emails from reaching users that could lead to ransomware or data theft.
Train employees on good cyber hygiene to help minimize the risks of the inevitable human attack vector. Cyber training equips the team with the ability to recognize phishing attempts, preventing attackers from ever being able to deploy ransomware.
Do not pay the ransom if a business does fall victim to ransomware. Cyber authorities advise this because there is no guarantee the attacker will be true to their word, and the remuneration will encourage future attacks.
Refer to the No More Ransom project. This is a collaboration between Europol, the Dutch National Police, Kaspersky Lab and McAfee that provides victims of a ransomware infection with decryption tools to remove ransomware for more than 80 variants of widespread ransomware types, including GandCrab, Popcorn Time, LambdaLocker, Jaff, CoinVault and many others.
IoT attacks
What are they?
The weak security of IoT devices is targeted in many different ways by cyber criminals. For example, they can use them as an entry point to deploy ransomware on the device or wider network, or even control the device to sabotage business processes.
Furthermore, IoT botnet attacks involve an entire network of connected devices being compromised by a single “botmaster” and used to carry out coordinated attacks often without the device owners’ knowledge. Examples of botnet attacks include distributed denial-of-service (DDoS) attacks on a target server or website, data theft by intercepting transmissions over the network and malware distribution. A botnet attack can also leverage “living off the land” techniques, which are the use of legitimate, pre-installed tools and software within the IoT device to help evade detection.
What are the most common attack entry points?
Existing software vulnerabilities in a device can be exploited by cybercriminals to gain access to an IoT device or network. These vulnerabilities might be prevalent due to poor security practices, lack of updates or outdated software.
Many organizations leave their IoT devices protected only by default or weak credentials, which can be easily guessed by an attacker through a brute force credential attack.
Employees might provide an IoT device’s log-in credentials or download IoT-targeting malware as part of a wider social engineering attack.
If IoT devices are not kept physically secure, then attackers might tamper with the hardware by altering settings or connecting malicious devices. Attackers might be intruders but could also be existing employees or contractors with access.
All the above entry points could be present at the device’s supplier or manufacturer, meaning it could be compromised even before deployment.
How can businesses protect themselves?
The following advice is from Brian Contos, a security expert with Phosphorus and Sevco; Cedric Pernet, senior threat expert at Trend Micro and TechRepublic contributing writer; and TechRepublic reporter Megan Crouse.
Maintain an updated inventory of IoT devices to ensure comprehensive knowledge of all the devices that need protection.
Ensure IoT devices have strong, unique passwords that are rotated regularly to prevent successful brute force credential attacks.
Keep IoT devices updated with the latest firmware and security patches, and replace legacy devices with modern versions that support better security practices.
Harden IoT devices by disabling unnecessary ports and connectivity features.
Limit IoT devices’ communication outside the network using network firewalls, access control lists and VLANs.
Validate and manage IoT digital certificates to mitigate risks such as outdated TLS versions and expired certificates.
Monitor for suspicious changes in IoT devices, such as default password resets or insecure services being reactivated.
Implement mobile security solutions and train employees to detect compromise attempts on their mobile devices.
Advise employees to avoid storing sensitive data on mobile phones and power off devices during sensitive meetings.
Enable logging for application, access and security events and implement endpoint protection and proactive defences like SIEM tools and security orchestration solutions.
Implement phishing-resistant multifactor authentication to prevent access for cybercriminals with correct log-in information.
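Several of the IoT recommendations above (an up-to-date inventory, no default credentials, current firmware, disabled unnecessary ports, and certificates checked for TLS version and expiry) can be turned into a single recurring audit over the device inventory. The following is an added example, not code from the article or from any of the experts quoted; the inventory records, their field names and the risky-port table are constructed assumptions, and in practice the fields would be populated from your asset inventory and a certificate scan of each device.

```python
from datetime import date

# Constructed inventory records (the schema is an assumption, not the
# article's). "tls_min" is the lowest TLS version the device still accepts.
INVENTORY = [
    {"id": "cam-01", "firmware": "2.3.1", "min_firmware": "2.3.0",
     "default_creds": False, "tls_min": "1.2",
     "cert_not_after": "2026-01-15", "open_ports": [443]},
    {"id": "hvac-07", "firmware": "1.0.4", "min_firmware": "1.2.0",
     "default_creds": True, "tls_min": "1.0",
     "cert_not_after": "2024-02-01", "open_ports": [23, 80, 443]},
    {"id": "badge-03", "firmware": "4.1.0", "min_firmware": "4.1.0",
     "default_creds": False, "tls_min": "1.2",
     "cert_not_after": "2024-05-20", "open_ports": [443, 8883]},
]

# Services that should normally be disabled on an IoT device (cleartext or
# legacy management protocols); extend to match your own hardening baseline.
RISKY_PORTS = {21: "ftp", 23: "telnet", 80: "http (cleartext)",
               161: "snmp", 1883: "mqtt (cleartext)"}


def version_tuple(v):
    """'1.2.0' -> (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit_device(dev, today, expiry_warn_days=30):
    """Check one device against the baseline; return a list of findings."""
    findings = []
    if dev["default_creds"]:
        findings.append("default credentials still in use")
    if version_tuple(dev["firmware"]) < version_tuple(dev["min_firmware"]):
        findings.append(f"firmware {dev['firmware']} below minimum {dev['min_firmware']}")
    if version_tuple(dev["tls_min"]) < (1, 2):
        findings.append(f"accepts TLS {dev['tls_min']} (below 1.2)")
    days_left = (date.fromisoformat(dev["cert_not_after"]) - today).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= expiry_warn_days:
        findings.append(f"certificate expires in {days_left} days")
    for port in dev["open_ports"]:
        if port in RISKY_PORTS:
            findings.append(f"port {port} ({RISKY_PORTS[port]}) open")
    return findings


def audit_inventory(inventory, today_iso):
    """Map device id -> list of findings; an empty list means the device passed."""
    today = date.fromisoformat(today_iso)
    return {dev["id"]: audit_device(dev, today) for dev in inventory}


if __name__ == "__main__":
    for device_id, findings in audit_inventory(INVENTORY, "2024-05-01").items():
        print(device_id, findings or "OK")
```

Run against the constructed inventory on 2024-05-01, the camera passes, the HVAC controller produces six findings (default credentials, old firmware, TLS 1.0, an expired certificate, and telnet and cleartext HTTP open) and the badge reader only gets a certificate-expiry warning. Scheduling this after each inventory refresh is what turns the "monitor for suspicious changes" advice into something concrete: a device that passed last week and now reports default credentials or a reactivated telnet port is exactly the change worth investigating.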
Supply chain attacks
What are they?
Supply chain attacks are when a cybercriminal targets an organization by compromising a less-secure vendor of software, hardware or services in its supply chain. Historically, supply chain attacks occurred when an attacker infiltrated a trusted supplier that had been granted access to the victim’s data or network to do their job; however, now software supply chain attacks — where the attacker manipulates software that is distributed to many end user organisations — are actually more common. Once a business uses the compromised software, it becomes vulnerable to data theft, ransomware and other attack types.
Bad actors use a variety of techniques to access and manipulate the code behind commercial software products. They may deploy malicious updates after compromising the account of one of the vendor’s developers or exploiting a vulnerability in its download location. Alternatively, attackers might amend code stored in a software library used by developers for hundreds of different products.
Sometimes, the bad actor might build a trusted relationship with legitimate developers of enterprise software and become one of the maintainers of their tool, allowing them to slowly push different vulnerable pieces of code into the software without being noticed. This is how a backdoor was inserted into the XZ Utils data compressor in 2024.
What are the most common attack entry points?
To execute a supply chain attack, attackers first need to gain access to a crucial part of a target organization’s supply chain. There are a number of potential targets, all of which are susceptible to social engineering campaigns, weak log-in credentials, malware unintentionally downloaded from a compromised website and vulnerabilities in their digital systems. Some common entry points are:
Third-party software providers, as attackers could directly amend the product’s code before it is downloaded by the target firm or manipulate its update mechanisms.
Third-party service providers that may have been granted access to the target company’s system and have weaker security.
Third-party hardware providers, as attackers can tamper with hardware or physical components during manufacturing or distribution if they gain access to their facility.
Open-source or private code repositories used by enterprise software developers. Attackers can use this as a way of deploying malicious code into hundreds of different software products used by even more companies.
How can businesses protect themselves?
The following advice is from Kurt Hansen, the CEO of cybersecurity firm Tesserent, senior threat expert Cedric Pernet and TechRepublic contributing writer Franklin Okeke.
Conduct an audit to understand all business activities’ third-party involvement, as there are often different suppliers to different parts of an organization.
Follow a documented governance process for third parties that covers their accreditations, whether they carry out their own assessments and whether they outsource work themselves. Ensure contracts include outlines of requirements, data protection obligations and consequences for non-compliance.
Remain aware of developing geopolitical tensions and consider if they are putting the supply chain at risk.
Review new software updates before deploying them by looking at code differences between the old and new code.
Implement a zero-trust architecture, where every connection request must meet a set of rigorous policies before being granted access to organizational resources.
Deploy honeytokens, which mimic valuable data. Once attackers interact with these decoy resources, an alert is triggered, notifying the targeted organization of the attempted breach.
Conduct regular third-party risk assessments. This helps to expose each vendor’s security posture, providing further information on vulnerabilities that should be remediated.
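The advice to review software updates by looking at the code differences before deploying them pairs naturally with checking the downloaded artifact against a pinned hash, so that a tampered file is blocked whether or not anyone reads the diff. The following is an added example, not code from the article or from Tesserent, Trend Micro or TechRepublic; the release files, the pinned hash table and the list of markers that route lines to manual review are constructed assumptions. In practice the pinned hash comes from the vendor’s published checksum or a lockfile, and the marker list is only a way to prioritise human review, not a detector.

```python
import difflib
import hashlib

# Constructed release files (not real vendor code). A real gate would read
# the deployed and candidate releases from disk.
OLD_RELEASE = b"def check_access(user):\n    return user.is_admin\n"
NEW_RELEASE = b"def check_access(user):\n    return user.is_admin and user.mfa_verified\n"
TAMPERED_RELEASE = (b"def check_access(user):\n"
                    b"    if user.name == 'svc-maint':\n"   # hardcoded bypass
                    b"        return True\n"
                    b"    return user.is_admin and user.mfa_verified\n")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Pinned hash of the release we expect to receive. Computed here from the
# constructed file; in practice copied from the vendor's published checksum
# or signed manifest, never from the download itself.
PINNED_HASHES = {"access-lib-1.1.0": sha256_hex(NEW_RELEASE)}

# Constructed markers for added lines a reviewer should read first.
SUSPICIOUS_MARKERS = ("return True", "eval(", "exec(", "base64",
                      "urlopen(", "subprocess")


def verify_pinned(name, data):
    """True only if the artifact's SHA-256 equals the pinned value for that name."""
    return name in PINNED_HASHES and sha256_hex(data) == PINNED_HASHES[name]


def review_diff(deployed, candidate):
    """Return (unified_diff_lines, added_lines_to_inspect)."""
    diff = list(difflib.unified_diff(
        deployed.decode().splitlines(), candidate.decode().splitlines(),
        fromfile="deployed", tofile="candidate", lineterm=""))
    added = [line[1:] for line in diff
             if line.startswith("+") and not line.startswith("+++")]
    to_inspect = [line for line in added
                  if any(marker in line for marker in SUSPICIOUS_MARKERS)]
    return diff, to_inspect


def gate_update(name, candidate, deployed):
    """Return (accept, reasons). A hash mismatch always blocks; flagged
    added lines block until a human has reviewed the diff."""
    reasons = []
    if not verify_pinned(name, candidate):
        reasons.append("sha256 does not match the pinned hash")
    _, to_inspect = review_diff(deployed, candidate)
    if to_inspect:
        reasons.append(f"{len(to_inspect)} added line(s) need manual review")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, data in (("expected", NEW_RELEASE), ("tampered", TAMPERED_RELEASE)):
        accept, reasons = gate_update("access-lib-1.1.0", data, OLD_RELEASE)
        print(label, "accepted" if accept else "blocked", reasons)
        for line in review_diff(OLD_RELEASE, data)[0]:
            print("   ", line)
```

The expected release passes both checks; the tampered one fails the hash comparison and additionally has its hardcoded bypass line routed to manual review. The ordering matters: the hash check is the control that does not depend on reviewer attention, while the diff is what lets a reviewer understand a legitimate change and spot the kind of slow, innocuous-looking additions the XZ Utils case involved.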
AI deepfakes
What are they?
The barrier to entry has also been lowered significantly in recent months, as AI tools are both easy and cheap to use. Research by Onfido revealed the number of deepfake fraud attempts increased by 3,000% in 2023, with cheap face-swapping apps proving the most popular tool.
There are a number of impacts a deepfake attack could have on an organization. Incidences of financial fraud have been reported on multiple occasions where a scammer has impersonated an executive using a deepfake and convinced an employee to transfer money to them. In addition, deepfakes could be used to convince others of false events, such as a staffing change, which impacts an organization’s stock price. The sharing of deepfake content featuring staff could also have serious consequences, damaging a business’s employee experience and reputation.
What are the most common attack entry points?
Video and phone calls can be made using sophisticated technology to impersonate a trusted executive’s voice and likeness. The deepfake could be a recorded message or hold a conversation in real time.
Authentication methods based on voice or facial recognition can be tricked using deepfake content of authorised employees.
Attackers, or even disgruntled employees, may choose to create a compromising deepfake and share it on social media to damage the company’s reputation or influence its stock price.
How can businesses protect themselves?
The following advice was provided by Robert Huber, the chief security officer at cybersecurity firm Tenable, and Rahm Rajaram, the former VP of operations and data at financial services firm EBANX.
Make the risks associated with AI deepfakes a part of regular risk assessment procedures, including evaluating internal content as well as that from third parties.
Be aware of the common indicators of deepfake content, like inconsistent lighting or shadows, distortion at the edge of the face, lack of negative expressions and lip movement not correlating with audio. Consider educating staff in this area.
Implement phishing-resistant MFA to prevent the attacker’s access even if their deepfake campaign results in them acquiring log-in credentials. Consider requiring such verification for large wire transfers and not relying on facial recognition.
Look out for data breaches that expose customers’ credentials and flag these accounts to watch for potential fraud.
Maintain cybersecurity best practices to eliminate the risk of phishing attacks of all types, including those involving deepfakes.