Let's face it: cyberattacks will remain a threat to your organization. The odds favor the attacker, because attacks are cheap to launch and most perpetrators are never identified or prosecuted, so you are playing defense without knowing who is on the other side. Targets change, but a handful of core attack types keep paying off for attackers, or remain the lowest-hanging fruit they reach for first.
Knowing what these core threats are will certainly help you plan your defensive strategy.
1) DDoS (Distributed Denial of Service) attack
This is often the first thing an attacker reaches for. It is not necessarily a money-making opportunity, but it renders a service or server unusable.
The attacker floods the target with traffic from many compromised machines (a botnet): anything from raw packet floods and amplified UDP traffic to large volumes of ordinary-looking HTTP requests, until the server or its network link can no longer keep up. Legitimate users can no longer reach the site, which is a real loss for the target company.
Sometimes a DDoS attack is a precursor to, or cover for, a larger one. While the IT team is busy fighting the flood, the attacker tries other routes into the organization's data, and the alerts from that intrusion can get lost in the noise.
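A flood of the kind described above leaves a trace in the web server's access log long before anyone notices the outage. The script below is an added example, not code from the original post: it parses Common Log Format lines, buckets requests into fixed time windows, and flags both individual sources that exceed a per-IP limit and windows whose total request count exceeds what the server normally sees. The log lines are constructed for the demonstration, and the thresholds and the 5-second window are assumptions that a real deployment would tune to its own baseline.

```python
"""Rate-based flood detection over web-server access-log lines.

Added example, not code from the original post. The log lines are
constructed for the demonstration; the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return {"ip", "ts", "req"} for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req")}


def build_sample_log():
    """Constructed traffic: one normal client plus a five-source HTTP flood.

    Ten seconds of log: 198.51.100.7 makes one request per second, while five
    addresses in 203.0.113.0/24 each make eight requests per second.
    """
    start = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    flood_sources = [f"203.0.113.{n}" for n in range(10, 15)]
    lines = []
    for sec in range(10):
        ts = (start + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 512')
        for ip in flood_sources:
            for _ in range(8):
                lines.append(f'{ip} - - [{ts}] "GET /search?q=x HTTP/1.1" 200 5120')
    return lines


def detect_floods(lines, window=5, per_ip_limit=20, total_limit=100):
    """Bucket requests into fixed windows of `window` seconds.

    Returns the sources that exceeded `per_ip_limit` in any window (with their
    peak count) and the windows whose total exceeded `total_limit`. The second
    check matters because a distributed flood spreads load across many
    addresses that may each stay under the per-source limit.
    """
    per_bucket = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        bucket = int(rec["ts"].timestamp()) // window * window
        per_bucket[bucket][rec["ip"]] += 1

    noisy_sources = {}
    overloaded_windows = []
    for bucket, counts in sorted(per_bucket.items()):
        total = sum(counts.values())
        if total > total_limit:
            overloaded_windows.append((bucket, total))
        for ip, n in counts.items():
            if n > per_ip_limit:
                noisy_sources[ip] = max(noisy_sources.get(ip, 0), n)
    return {"noisy_sources": noisy_sources, "overloaded_windows": overloaded_windows}


if __name__ == "__main__":
    result = detect_floods(build_sample_log())
    for ip, peak in sorted(result["noisy_sources"].items()):
        print(f"noisy source {ip}: peak {peak} requests per window")
    for bucket, total in result["overloaded_windows"]:
        print(f"window starting {bucket}: {total} requests total")
```

On the constructed log each flood address peaks at 40 requests per 5-second window while the legitimate client stays at 5, and both windows exceed the aggregate limit. In production the same logic would feed a rate limiter or an upstream scrubbing service rather than just printing.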
2) Ransomware
This can be the most financially damaging attack to an organization. Ransomware encrypts the files and data on the systems it infects and withholds the decryption key until a ransom is paid. An attack can shut down your entire operation: the malware can begin encrypting within seconds of running, and recovery commonly takes days or weeks, whether or not the ransom is paid. The attacker holds your IT infrastructure hostage until the demands are met.
Ransomware targets organizations of any size; even government entities are hit. It is popular among criminals, and many victims choose to pay quietly and move on rather than report the incident to law enforcement. Why? Most fear losing their market reputation and business as a consequence.
Ransomware is usually delivered by getting the victim to open an attachment or click a link in an email or on a website; exposed remote-access services protected by weak passwords (see #3) and unpatched software are the other common entry points. The links and emails reach the victim by way of phishing (see #4). Phishing emails are very common, and most email services do a good job of removing them or routing them to the spam folder, but some still reach the inbox.
3) Cracking weak passwords
Most people choose convenience over complexity. Passwords have to be remembered, so they end up simple: the cat's name, a child's name, the street address. The other problem is having too many of them; the list written on a piece of paper is easy to lose and easy to steal. The keys to good password management are to use a different password for every service, so that one leaked password does not unlock the rest, and to let a password manager remember them so that each one can be long and random. Reserve the most care for the accounts that matter most (your bank, your primary email, and anything that can reset other passwords), and turn on multi-factor authentication wherever it is offered.
For the passwords you still have to remember, such as the one to the password manager itself, use a long passphrase of several unrelated words. Twelve characters is a reasonable floor and longer is better, because every additional character multiplies the work of a brute-force search. Do not pad a password with personal data such as your birthdate or digits of your SSN: those are easy to look up, and cracking tools try word-plus-digits-plus-symbol combinations before anything else, so a familiar word with a date and one odd character on the end is far weaker than a strength meter makes it look.
A handy tool for getting a feel for password strength is Password Monster https://www.passwordmonster.com. Play around with it, but only with throwaway passwords, never with one you actually use: nothing typed into a third-party website should be a real credential. It is surprising how one small change in a password can dramatically raise its estimated time to crack. Keep in mind that most meters estimate a blind brute-force search, which overrates passwords built from predictable patterns.
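The gap between what a strength meter reports and what a cracker actually needs is the point of the advice above, and it is easy to put numbers on. The script below is an added example, not code from the original post or from Password Monster. It computes the naive brute-force search space (charset size to the power of length, which is roughly what a meter shows), then the much smaller search a rule-based cracker runs when the password is a common word followed by digits and a symbol, and finally the search space of a random passphrase drawn from a word list of known size. The six-entry word list, the 10 billion guesses-per-second rate, and the 7776-word list size are assumptions chosen for the demonstration.

```python
"""Naive versus pattern-aware password guess estimates.

Added example, not code from the original post. The word list, guess rate
and passphrase dictionary size below are assumptions for the demonstration.
"""
import re

# Tiny stand-in for the millions of words and names a real cracker carries.
COMMON_WORDS = {"fluffy", "password", "summer", "princess", "welcome", "dragon"}
# Assumed offline rate for a GPU rig against a fast hash such as unsalted MD5.
GUESSES_PER_SECOND = 1e10
SYMBOLS = 33  # printable ASCII punctuation

# word, then optional digits, then at most one trailing symbol
PATTERN = re.compile(r"^(?P<word>[A-Za-z]+)(?P<digits>\d*)(?P<symbol>[^A-Za-z0-9]?)$")


def charset_size(pw):
    """Size of the smallest standard character class set that covers pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += SYMBOLS
    return size


def naive_guesses(pw):
    """What a blind brute force (and most strength meters) would count."""
    return charset_size(pw) ** len(pw)


def pattern_guesses(pw, words=COMMON_WORDS, digits_known=False):
    """Guesses for a word + digits + symbol password under a rule-based attack.

    digits_known=True models an attacker who already has the digits, for
    example a birthdate copied from a social-media profile.
    Falls back to the naive estimate when pw does not fit the pattern.
    """
    m = PATTERN.match(pw)
    if not m or m.group("word").lower() not in words:
        return naive_guesses(pw)
    guesses = len(words) * 4  # four case rules: lower, Title, UPPER, mixed
    if not digits_known:
        guesses *= 10 ** len(m.group("digits"))
    if m.group("symbol"):
        guesses *= SYMBOLS
    return guesses


def passphrase_guesses(n_words, dict_size=7776):
    """Search space of n random words from a dict_size list, method known."""
    return dict_size ** n_words


def seconds_to_crack(guesses, rate=GUESSES_PER_SECOND):
    """Expected time to exhaust the search space at the given guess rate."""
    return guesses / rate


if __name__ == "__main__":
    for pw in ("Fluffy0991!", "xq7Gz!pL2mWb"):
        print(pw, "naive:", f"{seconds_to_crack(naive_guesses(pw)):.3g}s",
              "pattern:", f"{seconds_to_crack(pattern_guesses(pw)):.3g}s")
    print("4-word passphrase:", f"{seconds_to_crack(passphrase_guesses(4)):.3g}s")
```

For "Fluffy0991!" (a pet name, a reversed birth year and one symbol) the naive count is 95 to the 11th power, but the pattern-aware count is only a few million guesses, under a millisecond at the assumed rate, and a few hundred if the attacker already knows the date. A 12-character random string and a four-word passphrase both stay in the naive regime because there is no pattern for the rules to exploit.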
4) Social hacking (phishing)
Phishing is just what it sounds like: the attacker is fishing for a catch, and the catch is your credentials or your money. The lines are cast in the form of mass emails, text messages, or cold phone calls, and an email and a phone call work the same way.
Usually the email or call claims to come from a company, an organization, or even someone you know. The easiest ways to spot one: misspellings and poor English; a "From" address or a link whose domain is not the one the organization actually uses (look closely, since lookalikes with an extra word or a swapped letter are common); a generic message that never uses your name or refers to anything specific to your relationship with the organization; and pressure to act immediately. A caller who claims to represent an organization and asks for your credit card number, a password, or a one-time code over the phone is a red flag: hang up and call back on the number printed on your card or statement.
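The indicators listed above can be checked mechanically before a message reaches a reader. The script below is an added example, not code from the original post or from any mail product: it parses a raw email with the standard library, compares the brand named in the display name against the sender's real domain and against every link in the body, and flags a generic greeting, plaintext links and urgency wording. Both messages are constructed, and the KNOWN_BRANDS map, the greeting list and the urgency terms are assumptions an organization would replace with its own.

```python
"""Phishing indicator checks on a raw email message.

Added example, not code from the original post. Both messages are
constructed; KNOWN_BRANDS and the keyword lists are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure.com>
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/plain; charset=utf-8

Dear Customer,

We detected unusual activty on your account. Please verify your password
at http://examplebank-secure.com/login?user=customer
or your access will be suspended.

Example Bank
"""

LEGIT_EMAIL = """\
From: "Example Bank" <statements@examplebank.com>
To: alice@example.org
Subject: Your March statement is ready
Content-Type: text/plain; charset=utf-8

Hi Alice,

Your March statement is available in online banking at
https://www.examplebank.com/statements

Example Bank
"""

# Brands the organisation deals with, mapped to the domain they really mail
# from (assumed values for the example).
KNOWN_BRANDS = {"example bank": "examplebank.com"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "hello,")
URGENCY_TERMS = ("within 24 hours", "immediately", "suspended",
                 "verify your password", "urgent")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude last-two-labels rule; production code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def message_body(msg):
    """Plain-text body, taking the first text/plain part of a multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", errors="replace")
    return ""


def check_message(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = message_body(msg)
    lowered = body.lower()

    # Domains the display name claims to speak for.
    claimed = [d for brand, d in KNOWN_BRANDS.items() if brand in display.lower()]

    # 1. Display name names a known brand but the address is on another domain.
    if claimed and registrable_domain(sender_domain) not in claimed:
        findings.append(f"sender claims {claimed[0]} but mails from {sender_domain}")

    # 2. Links that do not belong to the claimed brand, or are plaintext http.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if claimed and registrable_domain(host) not in claimed:
            findings.append(f"link to {host} does not belong to {claimed[0]}")
        if url.lower().startswith("http://"):
            findings.append(f"link uses plaintext http: {url}")

    # 3. Generic greeting with no reference to the recipient.
    if any(lowered.startswith(g) or ("\n" + g) in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting, no reference to the recipient")

    # 4. Urgency or a request for credentials.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency or credential request: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, check_message(raw))
```

The constructed phishing message trips all four checks, while the legitimate statement notice, which addresses the recipient by name and links only to the brand's own domain over HTTPS, produces no findings. Keyword lists like these are a first filter only; a determined attacker will write clean English, so the domain checks carry most of the weight.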
You can prevent these in your organization with a good preventive plan...
If you are unsure about your organization’s current security status, feel free to contact Clearity. Try us out! Clearity accounts for all of these threats in its assessments. We are a trusted SaaS risk assessment provider that can give you the best current security status for your company, along with a plan to improve your security before the next assessment. We are technically skilled and have the industry know-how to give you the best quality service.