
SECURITY INCIDENTS AND ATTACKS.

What Is a Security Incident?


A security incident is any event related to compromised data resulting from
missing or failed security measures. Specifically in cybersecurity,
an information security incident involves the unauthorized access, use,
disclosure, breach, modification, or destruction of data.

Typically an event is categorized as a “security incident” when it is widespread
enough to disrupt your normal business operations. That’s not the same as a
“security event,” which is a single incident that usually doesn’t disrupt your
organization. A security incident is a more serious problem – and it doesn’t
necessarily need to be a successful attack to necessitate a response from
your organization.

A cybersecurity incident could be anything from a potential threat to a
successful attack; just because your information wasn’t compromised doesn’t
mean you should ignore the incident altogether. Any security incident that
occurs, successful or not, should result in a review of the tools, policies, and
procedures you have in place to prevent similar events from happening again.

In many cases, the result of a cybersecurity incident is a breach of personal
data. Such incidents can inflict huge financial and reputational harm on the
victim. In 2021 the average cost of a data breach was $4.24 million, a figure
which is likely to grow considerably in the coming years. Businesses also face
additional costs for regulatory fines, fees, and even legal action in extreme
cases.

Most Common Types of Threats to Information Security

Below are the most common types of information security threats your
security team should know about:

- Insider threats
- Viruses
- Computer worms and Trojans
- Botnets
- Phishing attacks
- Ransomware attacks
- Exploit kits
- Malvertising
- Advanced persistent threats (APTs)
- Distributed denial-of-service attacks

As you can see, information security or infosec threats range from advanced
persistent threats to different types of malware, each with the capacity to bring
down your organization unless it has an effective cybersecurity strategy.

What Are the Most Common Types of Security Incidents?

Using technology to their advantage, cybercriminals will do everything and
anything possible for financial gain. Here are some of the most common types
of security incidents executed by malicious actors against businesses and
organizations:

Unauthorized Access Attacks


This type of incident involves any unauthorized attempts by a threat actor to
access systems or data using an authorized user’s account. How a
cybercriminal gains access to user accounts often remains a mystery, even
long after an attack. Still, your organization can do a few things to prevent this
type of security incident from occurring.

If you don’t already do so, require multi-factor authentication (MFA) for all
users. This will require users to provide additional identifying information (say,
a one-time verification code sent to their phone) after they enter a correct
username and password. Many times, multi-factor authentication alone can
deter a potential security incident from occurring, since criminals will simply
move on to another target that doesn’t use MFA.

Also consider encrypting your sensitive corporate data at rest and in transit
using suitable software or hardware technology. This way, attackers won’t be
able to access confidential data such as your account or credit card details
even if an attack succeeds.

Privilege Escalation Attacks


This type of incident occurs when an attacker attempts to gain unauthorized
access to an organization’s network, and then tries to obtain more privileges
using a privilege escalation exploit. A successful privilege escalation exploit
grants threat actors privileges that normal users don’t have. Usually, this type
of attack takes place only after a hacker has already compromised an
organization’s endpoint network security by gaining unauthorized access to a
lower-level user account. With privileged access to your most sensitive
information, there’s no telling what a cybercriminal might do.

To prevent this type of security incident, start by looking for and remediating
any security vulnerabilities in your IT environment. Ideally your organization
should do this by conducting regular vulnerability assessments and scans as
part of your overall risk management program.

Another tactic is to use the “principle of least privilege” to limit the access
rights for users to the bare minimum permissions they need to do their jobs.
Also consider security monitoring tools to help you collect and analyze
potential security threats, so you can respond appropriately.

Insider Threat Attacks


Insider threats are malicious (intentional) or accidental (unintentional) threats
caused by employees, former employees, or third parties, including
contractors, temporary workers, or customers.

While preventing insider threats can be difficult, you can take some steps to
reduce the chance of an incident. First and foremost, you should implement
spyware scanning programs, antivirus programs, firewalls, and a rigorous data
backup and archiving routine.

You should also train your employees (and any contractors) on security
awareness before allowing them access to your computer networks. A robust
security awareness training program should also include routine training
sessions to avoid any unintentional security incidents resulting from user
error.

You can also implement employee monitoring software to reduce your risk of
a data breach or intellectual property theft by identifying careless, disgruntled,
or malicious insiders. Additionally, an internal whistleblower program (that
protects employees who come forward) can help your organization to gain
intel about potential security incidents.

A data loss prevention policy will also let insiders know what’s expected of
them when handling company data and that they’re being monitored for
unwanted behaviors. Sometimes this alone is enough to prevent internal
actors from acting carelessly or maliciously.

Phishing Attacks
In this type of social engineering attack, the attacker assumes the identity of a
reputable entity or person via email to distribute malicious code or links that
can perform various functions, such as obtaining login credentials or account
information from victims. More targeted phishing attacks are known as spear
phishing attacks, where the attacker invests more time researching the victim
to pull off an even more sophisticated attack to steal information.

On a technical level, a gateway email filter will help you trap a large number of
mass-targeted phishing emails and reduce the overall number of emails that
reach your users’ inboxes. You probably still won’t be able to prevent every
single phishing attempt from entering every single inbox, so you’ll need to take
other steps as well.

Start by educating your users so that they’re better able to identify phishing
attempts on their own. In some organizations, incentive programs encourage
employees to identify and report phishing emails in exchange for a reward.
These types of programs have prevented phishing attacks from leading to
more serious types of security incidents, like malware attacks.

Malware Attacks
Malware is a broad term for various malicious software, including Trojans,
worms, ransomware, adware, spyware, and other types of viruses. Malware
can either be inadvertently installed when a user clicks on an advertisement,
visits an infected website, or installs freeware or other infected software; or, it
can be installed intentionally by insider threat actors or malicious actors with
unauthorized access.

The signs of a malware attack include unusual system activity, sudden loss of
disk space, unusually slow speeds, repeated crashes or freezes, increased
unwanted internet activity, and pop-up advertisements.

To protect your organization against this type of security incident, you should
install an antivirus tool to detect and remove any malware. Whether you
decide on real-time protection or routine system scans to detect and remove
malware, whichever security solution you choose should protect your
organization against any existing malware and any future malware attacks.

Distributed Denial-of-Service or DDoS Attacks


This type of security incident occurs when a threat actor floods the target
system with traffic or sends information that triggers an attack to shut down an
individual machine (or an entire network) so that it cannot respond to service
requests. Typically, these attacks can be dealt with by simply rebooting the
system.

You can also reconfigure your firewalls, routers, and servers to block any
future unwanted traffic. Keep your firewalls updated with the latest security
patches as part of your overall patch management program to keep your
systems, software, and applications at their most secure. If you choose, you
can also integrate front-end hardware into your network to help analyze and
screen data packets to classify them as they enter the system.

Man-in-the-Middle (MitM) Attacks


This type of incident occurs when an attacker secretly intercepts and alters
messages between two parties who believe they are communicating directly
with each other. In a man-in-the-middle attack, the attacker manipulates both
victims to gain access to their data. This can occur via session hijacking,
email hijacking, and Wi-Fi eavesdropping.

Although this type of attack is difficult to detect, there are some ways to
prevent it. First, consider implementing an encryption protocol that provides
authentication, privacy, and data integrity between communicating computer
applications, such as Transport Layer Security (TLS), or a network protocol
that gives users, particularly systems administrators, a secure way to access
a computer over an unsecured network, such as the Secure Shell Protocol (SSH).

You should also educate your employees on the dangers of using open public
Wi-Fi networks, because it’s much easier for hackers to commit cybercrime by
exploiting these connections. For the most network protection, use a virtual
private network (VPN) to help ensure more secure connections.

Password Attacks
A password attack is expressly aimed at obtaining a user’s password or an
account’s password. To do so, hackers use various methods, such as
password-cracking programs, dictionary attacks, password sniffers, or simply
guessing passwords via brute force trial and error.

A password cracker is an application or program used to determine an
unknown or forgotten password to a user account. When in the hands of a
hacker, a password cracker can be used to gain unauthorized access to
company resources.

A dictionary attack breaks into a password-protected computer system or
server by systematically entering every word in the dictionary as a password
until the attacker guesses correctly. While this method might not be the most
efficient, if a hacker does guess a correct password, he or she may then try to
log in to multiple accounts using the same hacked password.

A brute force attack is when a hacker or bot attempts to log in using a series
of generated passwords over and over again until the attacker succeeds. This
type of trial-and-error attack can also cause websites to crash, which is
another reason why multi-factor authentication is so important.
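The two guessing patterns just described, repeated failures against one account and one source working through many accounts, can both be spotted in authentication logs. The following is an added example, not code from the original article; the log line format, the five-minute window, the thresholds and the sample lines are all constructed assumptions:

```python
# Added example (not from the original article): sliding-window detection of
# password guessing in constructed auth logs; format, window and limits are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
WINDOW = timedelta(minutes=5)
PER_ACCOUNT_LIMIT = 5     # failures against one account inside the window
PER_SOURCE_ACCOUNTS = 3   # distinct accounts one source fails against inside the window

def parse(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def detect(lines):
    """Return one alert per (rule, key) the first time it trips."""
    by_account = defaultdict(deque)   # user -> times of recent failures
    by_source = defaultdict(deque)    # src  -> (time, user) of recent failures
    alerts, fired = [], set()
    for ev in map(parse, lines):
        if ev["result"] != "FAIL":
            continue                  # successes are not counted by either rule
        now, user, src = ev["ts"], ev["user"], ev["src"]
        acct = by_account[user]
        acct.append(now)
        while now - acct[0] > WINDOW:  # drop failures older than the window
            acct.popleft()
        if len(acct) >= PER_ACCOUNT_LIMIT and ("acct", user) not in fired:
            fired.add(("acct", user))
            alerts.append(f"{now:%H:%M:%S} brute force suspected on {user}: {len(acct)} failures within {WINDOW}")
        srcq = by_source[src]
        srcq.append((now, user))
        while now - srcq[0][0] > WINDOW:
            srcq.popleft()
        targets = {u for _, u in srcq}
        if len(targets) >= PER_SOURCE_ACCOUNTS and ("src", src) not in fired:
            fired.add(("src", src))
            alerts.append(f"{now:%H:%M:%S} {src} failed against {len(targets)} accounts within {WINDOW}")
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real data
    "2024-03-01T10:00:00Z FAIL user=alice src=203.0.113.5",
    "2024-03-01T10:00:10Z FAIL user=alice src=203.0.113.5",
    "2024-03-01T10:00:20Z OK user=bob src=198.51.100.7",
    "2024-03-01T10:00:30Z FAIL user=alice src=203.0.113.5",
    "2024-03-01T10:00:40Z FAIL user=alice src=203.0.113.5",
    "2024-03-01T10:00:50Z FAIL user=alice src=203.0.113.5",   # fifth failure: account alert
    "2024-03-01T10:01:00Z FAIL user=bob src=203.0.113.9",
    "2024-03-01T10:01:05Z FAIL user=carol src=203.0.113.9",
    "2024-03-01T10:01:10Z FAIL user=dave src=203.0.113.9",    # third account: source alert
    "2024-03-01T10:20:00Z FAIL user=erin src=203.0.113.5",    # earlier failures have aged out
]
```

Running `detect(SAMPLE_LOG)` yields exactly two alerts, one for the account and one for the source; a real deployment would feed the same rules from the authentication system's log stream and tune the limits to observed failure rates.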

These types of security incidents can be difficult to prevent completely, but
you can take some steps to defend yourself against them in the future. As
mentioned above, multi-factor authentication is the best way to prevent
unauthorized logins. Even if a cybercriminal guesses the correct password,
that alone won’t be enough information to let them into your system.

You should also insist that your employees use strong passwords that include
at least seven characters as well as a mix of upper and lower case letters,
numbers, and symbols. Users should also change their passwords regularly
and avoid duplicating passwords for multiple accounts. Any passwords your
organization stores should be done so in secured repositories and should also
be encrypted.
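An added example, not code from the original article, that enforces the password rules stated above at enrollment and stores the result as a salted PBKDF2 hash, the usual form of protected password storage, used here in place of the reversible encryption the text mentions. The iteration count and the record format are illustrative choices:

```python
# Added example (not from the original article): the article's password rules
# (7+ characters, upper and lower case, digits, symbols) enforced at enrollment,
# with salted PBKDF2 hashing for storage. Iteration count and record layout are
# illustrative; tune the count to your hardware.
import hashlib
import hmac
import os
import string

MIN_LENGTH = 7  # the article's stated minimum

def check_policy(password: str) -> list[str]:
    """Return the policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems

def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)  # a fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def enroll(password: str) -> str:
    """Reject a non-compliant password, otherwise return the record to store."""
    problems = check_policy(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return hash_password(password)
```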

Web Application Attacks


This type of incident occurs when a web application is used as the vector for
an attack. Web application attacks include exploits of code-level vulnerabilities
in the application and attacks that thwart authentication mechanisms.

For example, a cross-site scripting attack is a type of web application attack
that occurs when an attacker injects data (such as a malicious script) into
content from otherwise trusted websites.

To avoid this attack, your organization should review code early in the
development phase to detect any vulnerabilities automatically, by using static
and dynamic code scanners. You should also implement bot detection
functionality to prevent bots from accessing your application data. Finally, a
web application firewall will help you monitor your network and block potential
attacks.

Another type of web application attack is an advanced persistent threat (APT),
a prolonged and targeted cyberattack typically executed by cybercriminals or
nation-states to gain access to a network and remain undetected for a period
of time. Ultimately, this type of security incident aims to monitor the target’s
network activity and steal data rather than cause damage to the network or
organization.

To avoid this type of attack, your organization should monitor incoming and
outgoing traffic to prevent hackers from installing backdoors and extracting
sensitive data. Again, web application firewalls at the edge of your network
perimeter will help to filter any traffic coming into your web application servers.
A firewall can also help filter out application layer attacks, such as SQL
injection attacks which are often used during the APT infiltration phase.

How to Prevent and Mitigate Security Incidents


For each of the common security incidents described above, we included
several steps you can take to prevent, or at least reduce the chances of, an
incident occurring. To make things easier, we’ve compiled those suggestions
into a singular and actionable list so that you can start preventing and
mitigating security incidents for your organization.

Security Incident Detection


The first step to preventing security incidents is to put the right tools and
processes in place to detect security incidents before they occur. Security
incident detection is important for detecting and responding to incidents before
they do damage but also so that you can track and trace the origins of the
security incident and put the appropriate security controls in place to prevent it
from happening again. Make sure all operating systems are up to date.

Monitor User Account Behavior


Implement behavior analytics tools to monitor user account behavior. Before
looking for any anomalous behavior, you need to set the baseline for what
“normal” behavior looks like. Once you’ve established that pattern, you can
start looking for departures from it, especially for privileged users. Any
unusual behavior could be an indication that a security incident is taking
place.

You should also monitor for unauthorized users attempting to access servers
and data, or requesting access to data that isn’t critical to their job function.
This type of behavior indicates one of two scenarios: an insider attempting to
gain unauthorized access to confidential information for malicious purposes, or
a malicious actor who has already gained access to a user account and is using
that account to attempt to gain access to more privileged data.

As a general rule, you should always use the principle of least privilege
regarding your data. This means only granting access to data to those
employees who need access to perform their duties. To implement this
principle, however, you’ll need to start by categorizing your data by sensitivity,
so that you know which data your employees should have the least access to.
You’ll also need clearly defined roles for the users in your organization, so
you’ll know which data different types of users need.
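An added example, not code from the original article, of the baseline-then-departure check described above: a learning window establishes each user's usual hours, hosts and resources, privileged accounts alert on any single departure, and a request for data outside the user's role alerts immediately. The roles, resource names, event fields and sample events are constructed assumptions:

```python
# Added example (not from the original article): baseline-then-deviation review of
# constructed access events. Event fields, roles, resource names and scoring are assumed.
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user host resource")   # host: originating workstation
ROLE_OF = {"alice": "finance", "bob": "helpdesk", "root-ops": "admin"}
ALLOWED = {  # data categorised by sensitivity and mapped to the roles that need it
    "finance": {"ledger", "payroll"},
    "helpdesk": {"tickets"},
    "admin": {"ledger", "payroll", "tickets", "backups"},
}
PRIVILEGED = {"admin"}

def build_baseline(history):
    """Per user: the hours of day, hosts and resources seen in the learning window."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "resources": set()})
    for e in history:
        for key, value in (("hours", e.ts.hour), ("hosts", e.host), ("resources", e.resource)):
            base[e.user][key].add(value)
    return base

def deviations(e, baseline):
    """Ways one event departs from the user's own baseline or from their role."""
    b = baseline.get(e.user, {"hours": (), "hosts": (), "resources": ()})  # unknown user: everything is new
    out = []
    if e.ts.hour not in b["hours"]:
        out.append("unusual hour")
    if e.host not in b["hosts"]:
        out.append("new host")
    if e.resource not in ALLOWED.get(ROLE_OF.get(e.user), set()):
        out.append("resource outside role")        # least-privilege violation
    elif e.resource not in b["resources"]:
        out.append("resource not previously used")
    return out

def review(events, baseline):
    """(event, reasons) pairs: out-of-role access always alerts; otherwise privileged need 1 deviation, others 2."""
    flagged = []
    for e in events:
        d = deviations(e, baseline)
        need = 1 if ROLE_OF.get(e.user) in PRIVILEGED else 2
        if "resource outside role" in d or len(d) >= need:
            flagged.append((e, d))
    return flagged

T = datetime.fromisoformat
HISTORY = [  # constructed learning window
    Event(T("2024-02-01T09:10"), "alice", "ws-fin-01", "ledger"),
    Event(T("2024-02-01T14:30"), "alice", "ws-fin-01", "payroll"),
    Event(T("2024-02-02T10:00"), "bob", "ws-hd-03", "tickets"),
    Event(T("2024-02-02T11:00"), "root-ops", "ws-ops-01", "backups"),
]
NEW = [  # constructed events to review
    Event(T("2024-02-10T09:30"), "alice", "ws-fin-01", "ledger"),     # normal
    Event(T("2024-02-10T23:45"), "alice", "ws-guest-17", "payroll"),  # odd hour from a new host
    Event(T("2024-02-10T10:15"), "bob", "ws-hd-03", "payroll"),       # data outside the role
    Event(T("2024-02-10T03:00"), "root-ops", "ws-ops-01", "backups"), # privileged, odd hour
]
```

`review(NEW, build_baseline(HISTORY))` flags the last three events and leaves the first alone; in practice the learning window would be weeks of real events rather than four lines.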

Monitor Network Traffic


Your organization’s network is the gateway into your systems and data.
Keeping it secure is the best way to prevent attackers from gaining
unauthorized access to your organization’s sensitive information. It’s important
to monitor the traffic coming into your network and the traffic leaving your
network perimeter.

This traffic might include insiders uploading large files to personal cloud
applications, sending large numbers of email messages containing
attachments to addresses outside the company, or downloading large files to
external storage devices such as USB drives. You should also monitor for any
traffic sent to or from unknown locations, especially if your company only
operates in one country.

In general, your administrators should investigate any unknown or suspicious
network traffic to ensure its legitimacy. Even if nothing malicious is occurring,
it’s better to be safe than sorry.
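An added example, not code from the original article, that turns the signals listed above (bulk uploads to personal cloud storage, many external e-mails carrying attachments, and traffic to countries the company does not operate in) into per-user daily aggregates an administrator could review. The record layout, domain lists, thresholds and sample records are constructed assumptions:

```python
# Added example (not from the original article): per-user, per-day aggregation of
# constructed outbound records into the exfiltration-style signals the section lists.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    day: str          # YYYY-MM-DD
    user: str
    kind: str         # "upload" (web traffic) or "mail" (mail gateway)
    dest: str         # destination domain, or recipient domain for mail
    country: str      # geolocation of the destination
    bytes_out: int    # payload size; for mail, the attachment size (0 = none)

PERSONAL_CLOUD = {"personal-drive.example", "share-box.example"}   # constructed list
OPERATING_COUNTRIES = {"US"}        # where the company actually does business
CORP_DOMAIN = "corp.example"
UPLOAD_LIMIT = 500 * 2**20          # bytes per user per day to personal cloud apps
MAIL_LIMIT = 20                     # external mails with attachments per user per day

def is_external(domain):
    return domain != CORP_DOMAIN and not domain.endswith("." + CORP_DOMAIN)

def find_signals(records):
    """Aggregate per user and day, and return human-readable signals for review."""
    uploads = defaultdict(int)   # (day, user) -> bytes sent to personal cloud apps
    mails = defaultdict(int)     # (day, user) -> external mails carrying an attachment
    signals = []
    for r in records:
        if r.country not in OPERATING_COUNTRIES:
            signals.append(f"{r.day} {r.user}: traffic to {r.dest} ({r.country}) outside operating countries")
        if r.kind == "upload" and r.dest in PERSONAL_CLOUD:
            uploads[(r.day, r.user)] += r.bytes_out
        elif r.kind == "mail" and r.bytes_out > 0 and is_external(r.dest):
            mails[(r.day, r.user)] += 1
    for (day, user), total in uploads.items():
        if total >= UPLOAD_LIMIT:
            signals.append(f"{day} {user}: {total // 2**20} MiB uploaded to personal cloud storage")
    for (day, user), n in mails.items():
        if n >= MAIL_LIMIT:
            signals.append(f"{day} {user}: {n} external e-mails with attachments")
    return signals

SAMPLE = (  # constructed records, not real traffic
    [Record("2024-03-01", "alice", "upload", "personal-drive.example", "US", 200 * 2**20)] * 3
    + [Record("2024-03-01", "bob", "mail", "partner.example", "US", 50_000)] * 25
    + [Record("2024-03-01", "carol", "upload", "cdn.vendor.example", "DE", 4_096)]
    + [Record("2024-03-01", "dave", "mail", "corp.example", "US", 50_000)] * 2
)
```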

Monitor Suspicious Activity


Beyond monitoring user account behavior and network traffic, you should also
monitor other types of activity. For example:

- Excessive consumption or unusual performance of server memory or hard
  drives could mean an attacker is accessing them.
- Changes in configuration that haven’t been approved, such as reconfiguration
  of services, installation of startup programs, or firewall changes, are often a
  sign of possible malicious activity.
- Hidden files that might be considered suspicious due to file names, sizes, or
  locations, and could indicate a data leak.
- Unexpected changes such as user account lockouts, password changes, or
  sudden changes in group memberships.
- Abnormal browsing behavior like unexpected redirects, changes in browser
  configuration, or repeated pop-ups.
- Suspicious registry entries, which are usually a result of a malware infection.

Security Incident Management


As you continuously monitor for threats, your organization will inevitably need
to evaluate the risk an attack could pose as well as the vulnerabilities an
attacker might exploit to do so. If you haven’t already done so, now is the time
to implement a risk management program designed to help your organization
identify, analyze, prioritize, and mitigate cyber risks.

Cyber Risk Management


The cyber risk management process never ends. Once you begin, you’ll need
to keep the program alive and well if you want it to benefit your organization.

Start by creating a list of your company assets and keeping it current; it’s
impossible to know how to protect your assets if you aren’t exactly sure what
those assets are. Then conduct a risk assessment to determine the level of
risk each of those assets presents to your organization. Next, prioritize those
risks and create a mitigation plan for each one you identify. Finally, after
mitigating your existing cyber risks, it’s time to start the process again.

In general, your organization should regularly conduct vulnerability
assessments to identify vulnerabilities in your systems, software, and
applications throughout the risk management process. In addition, you should
also regularly conduct risk assessments to determine whether your internal
security controls are working effectively to prevent threats from doing damage.

Incident Response, Disaster Recovery, and Business Continuity Plans

Ultimately, security incidents are inevitable; you cannot mitigate every single
cyber risk. You can, however, decide how your organization will respond to
those risks if they can’t be prevented. As part of your risk management
program, your organization should create a thorough incident response plan
to assure that the correct course of action is taken in the event of a security
incident.

This includes making sure that the right people know what to do when a
security incident occurs, and that you have the right plans to cover your
assets in a number of disruptive events, including cybersecurity incidents,
natural disasters, and more. A disaster recovery plan will help your
organization ensure business continuity in the face of one of these
disruptions.
