As a consultant, one of the biggest security problems I see is one of perception: The threats companies think they face are often vastly different from the threats that pose the greatest risk. For example, they hire me to deploy state-of-the-art PKI or an enterprisewide intrusion detection system, when what they really need is better patching.
The fact is most companies face the same threats -- and should be doing their utmost to counteract those risks. Here are the five most common successful cyber attacks.
Cyber attack No. 1: Socially engineered Trojans
Socially engineered Trojans are the No. 1 method of attack (not an exploit, a misconfiguration, or a buffer overflow). An end-user browses to a website, usually one he or she trusts, which prompts him or her to run a Trojan. Most of the time the website is a legitimate, innocent victim that has been temporarily compromised by hackers.
Usually, the website tells users they are infected by viruses and need to run fake antivirus software, or that they're nearly out of free disk space and need a fake disk defragger, or that they must install an otherwise unnecessary program, often a fake Adobe Reader update or an equally well-known program. The user executes the malware, clicking past browser warnings that the program could be harmful. Voilà, compromise accomplished! Socially engineered Trojans are responsible for hundreds of millions of successful hacks each year. Against those numbers, all other hacking types are just noise.
Countermeasure: Socially engineered Trojans are best handled through end-user education that's informed by today's threats (such as trusted websites prompting users to run Trojans). Enterprises can further protect themselves by not allowing users with elevated privileges to surf the Web or answer email. An up-to-date antimalware program can't hurt, but strong end-user education provides better bang for the buck.
Cyber attack No. 2: Unpatched software
Coming in a distant second is software with known but unpatched vulnerabilities. The most commonly unpatched and exploited programs are Java, Adobe Reader, and Adobe Flash. It's been this way for a few years now. Strangely, not a single company I've ever audited has had these three programs perfectly patched. I just don't get it.
Countermeasure: Stop what you're doing right now and make sure your patching is perfect. If you can't, make sure it's perfect for the most exploited products: Java, Adobe Reader and Flash, browsers and their add-ins, the operating system, and so on. Everyone knows better patching is a great way to decrease risk. Become one of the few organizations that actually does it.
Cyber attack No. 3: Phishing attacks
Approximately 70 percent of email is spam. Fortunately, antispam vendors have made great strides, so most of us have reasonably clean inboxes. Nonetheless, I get several spam emails each day, and at least a few of them each week are darned good phishing replicas of legitimate emails.
I think of an effective phishing email as a corrupted work of art: Everything looks great; it even warns the reader not to fall for fraudulent emails. The only thing that gives them away is the rogue link asking for confidential information.
Countermeasure: Decreasing risk from phishing attacks is mostly accomplished through better end-user education and better antiphishing tools. Make sure your browser has antiphishing capabilities. I also love browsers that highlight the registrable domain of a host in a URL string. That way a hostname like windowsupdate.microsoft.com.malware.com is more obviously malware.com, not microsoft.com: only the rightmost labels say who owns the site, no matter how many trusted-looking labels are stacked in front of them.
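The domain-highlighting check described above, as an added example that is not part of the original article: it extracts the registrable domain of a hostname and flags URLs in which a trusted name is merely embedded in a longer hostname (or hidden in the user-info part before an `@`). The tiny multi-label suffix table is a constructed stand-in for the real Public Suffix List, and the function names are mine.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny table of multi-label public suffixes for this
# example only. Production code should use the full Public Suffix List
# (publicsuffix.org) through a maintained library.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname the registrant actually controls (eTLD+1).

    For 'windowsupdate.microsoft.com.malware.com' that is 'malware.com': any
    number of trusted-looking labels can be prepended, but only the rightmost
    labels identify who owns the site.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def highlight(hostname: str) -> str:
    """Render a hostname the way a domain-highlighting browser does,
    e.g. 'windowsupdate.microsoft.com.[malware.com]'."""
    reg = registrable_domain(hostname)
    prefix = hostname.lower()[: -len(reg)] if reg else hostname.lower()
    return f"{prefix}[{reg}]"


def analyze_url(url: str, trusted_domains) -> dict:
    """Classify a URL as deceptive if a trusted domain name appears inside the
    hostname (or in the user-info before '@') while the registrable domain is
    something else."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    trusted = {t.lower() for t in trusted_domains}
    if reg in trusted:
        return {"host": host, "registrable": reg, "deceptive": False}
    # The trusted name can also be parked before '@':
    # http://www.microsoft.com@malware.com/ really connects to malware.com.
    decoy_text = f"{parts.username.lower()}@{host}" if parts.username else host
    deceptive = any(t in decoy_text for t in trusted)
    return {"host": host, "registrable": reg, "deceptive": deceptive}


if __name__ == "__main__":
    for u in ("https://windowsupdate.microsoft.com.malware.com/update.exe",
              "http://www.microsoft.com@malware.com/",
              "https://windowsupdate.microsoft.com/"):
        r = analyze_url(u, {"microsoft.com"})
        print(highlight(r["host"]), "DECEPTIVE" if r["deceptive"] else "ok")
```

The substring test is intentionally generous: `notmicrosoft.com` is flagged too, which is the right default for a mail-gateway or user-facing warning, where a false positive costs a click and a false negative costs a credential.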
Cyber attack No. 4: Network-traveling worms
Computer viruses aren't much of a threat anymore, but their network-traveling worm cousins are. Most organizations have had to fight malware like Conficker and Zeus. We don't see the massive outbreaks of the past with email attachment worms, but the network-traveling variety is able to hide far better than its email relatives.
Countermeasure: Network-traveling worms can be defeated by blocking executables in email, better patching, disabling autorun, and strong password policies. Many network worms, like Conficker, try to spread through network shares by logging on with a built-in list of bad passwords: 12345, password2, qwerty, and the like. If any of your passwords appear in the password list carried inside a worm, you do not have a strong password policy.
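A password-policy audit of the kind the paragraph above calls for, as an added example that is not from the original article: it tests each password not only verbatim against a worm-style dictionary but also after lowercasing, undoing common leet substitutions, and stripping trailing digits and punctuation, because a worm's list is small and users' "improvements" to weak words are predictable. The dictionary, the sample accounts, and the 12-character minimum are constructed assumptions for the example, not the contents of any real worm.

```python
import re

# Constructed stand-in for the built-in password list a network worm carries.
# The three entries named in the text are here; the rest are illustrative,
# not copied from any real worm.
WORM_DICTIONARY = {
    "12345", "password2", "qwerty", "password", "password1", "123456",
    "1234567", "12345678", "admin", "admin123", "letmein", "welcome",
    "abc123", "test", "guest", "root", "changeme",
}

# Character substitutions that do not make a dictionary word any stronger.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def variants(password: str):
    """Yield the forms a dictionary check should test: lowercased, de-leeted,
    and with trailing digits/punctuation removed."""
    base = password.lower()
    yield base
    yield base.translate(LEET)
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", base)
    if stripped and stripped != base:
        yield stripped
        yield stripped.translate(LEET)


def check_password(password: str, username: str = "",
                   dictionary=WORM_DICTIONARY, min_length: int = 12) -> list:
    """Return the list of policy failures; an empty list means it passes.
    min_length=12 is an assumed policy value for this example."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    forms = set(variants(password))
    hits = forms & dictionary
    if hits:
        failures.append(f"matches worm dictionary entry {sorted(hits)}")
    if username and any(username.lower() in form for form in forms):
        failures.append("contains the username")
    return failures


def audit(accounts: dict) -> dict:
    """Check every username -> password pair; return only the failing accounts."""
    report = {}
    for user, pw in accounts.items():
        failures = check_password(pw, username=user)
        if failures:
            report[user] = failures
    return report


# Constructed sample accounts, the kind a worm's share-logon loop would try.
SAMPLE_ACCOUNTS = {
    "backup":  "12345",
    "jsmith":  "P@ssw0rd2013!",
    "svc_sql": "svc_sql2013ab",
    "rgrimes": "correct horse battery staple",
}

if __name__ == "__main__":
    for user, failures in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(failures)}")
```

Run the same check against the worm's own list when you triage an infection: a password that is "complex" by a length-and-character-class rule but collapses to `password` after normalization is exactly what these worms are built to guess.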
Cyber attack No. 5: Advanced persistent threats
Lastly, I know of only one major corporation that has not suffered a major compromise from an APT (advanced persistent threat) stealing intellectual property. APTs usually gain a foothold using socially engineered Trojans or phishing attacks.
A very popular method is for APT attackers to send a highly targeted phishing campaign -- known as spearphishing -- to multiple employee email addresses. The phishing email carries a Trojan attachment, which at least one employee is tricked into running. After the initial execution and first computer takeover, APT attackers can compromise an entire enterprise in a matter of hours. It's easy to accomplish, but a royal pain to clean up.
Countermeasure: Detecting and preventing an APT can be difficult, especially in the face of a determined adversary. All the previous advice applies, but you must also learn the legitimate traffic patterns in your network and alert on unexpected flows. An APT doesn't know which computers normally talk to which other computers, but you do. Take the time now to start tracking your network flows and get a good handle on what traffic should be going from where to where. Sooner or later an APT will attempt to copy large amounts of data from a server to some other computer that server does not normally communicate with. When it does, you can catch it.
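The flow-baselining idea above, as an added example that is not part of the original article: a learning window records which (source, destination, port) triples talk and the largest single transfer seen on each, and a detection pass then flags peers that never spoke during the baseline and known paths whose volume suddenly dwarfs history. The flow records, host roles, and thresholds are constructed for the example; a real deployment would feed it NetFlow/IPFIX or firewall logs and tune the thresholds per segment.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Alert:
    ts: str
    severity: str
    kind: str
    flow: Flow


def parse_flows(text: str) -> list:
    """Parse 'timestamp src dst dport bytes' records; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


class FlowBaseline:
    """Who-talks-to-whom baseline: for each (src, dst, dport) remember the
    largest single flow observed during the learning window."""

    def __init__(self):
        self.max_bytes = {}

    def learn(self, flows):
        for f in flows:
            key = (f.src, f.dst, f.dport)
            self.max_bytes[key] = max(self.max_bytes.get(key, 0), f.nbytes)

    def detect(self, flows, volume_factor=10, bulk_bytes=100_000_000):
        """Flag flows between peers that never spoke during the baseline, and
        flows that exceed volume_factor times the largest flow on a known path.
        Both thresholds are assumptions chosen for the sample data."""
        alerts = []
        for f in flows:
            key = (f.src, f.dst, f.dport)
            if key not in self.max_bytes:
                severity = "high" if f.nbytes >= bulk_bytes else "low"
                alerts.append(Alert(f.ts, severity, "new-peer", f))
            elif f.nbytes > volume_factor * self.max_bytes[key]:
                alerts.append(Alert(f.ts, "medium", "volume", f))
        return alerts


# Constructed flow records. 10.0.1.5 is a file server, 10.0.2.9 its backup
# target, 10.0.1.2 a domain controller, 10.0.3.x are workstations.
BASELINE_LOG = """
# ts              src        dst       dport  bytes
2013-11-01T02:00  10.0.1.5   10.0.2.9   445  520000000   # nightly backup
2013-11-01T02:00  10.0.1.5   10.0.1.2   389     120000
2013-11-01T09:14  10.0.3.12  10.0.1.5   445    3400000
2013-11-01T09:20  10.0.3.15  10.0.1.5   445    2100000
2013-11-02T02:00  10.0.1.5   10.0.2.9   445  515000000
2013-11-02T09:02  10.0.3.12  10.0.1.5   445    4100000
2013-11-02T10:45  10.0.3.15  10.0.1.5   445    1800000
"""

TODAY_LOG = """
2013-11-03T02:00  10.0.1.5   10.0.2.9   445   530000000  # normal backup
2013-11-03T09:05  10.0.3.12  10.0.1.5   445     3900000  # normal user
2013-11-03T11:30  10.0.3.40  10.0.1.5   445      900000  # new workstation, small
2013-11-03T13:10  10.0.3.12  10.0.1.5   445    60000000  # known path, ~15x its usual
2013-11-03T23:48  10.0.1.5   10.0.3.77  445  2400000000  # server pushing 2.4 GB to a stranger
"""


def run_example():
    baseline = FlowBaseline()
    baseline.learn(parse_flows(BASELINE_LOG))
    return baseline.detect(parse_flows(TODAY_LOG))


if __name__ == "__main__":
    for a in run_example():
        f = a.flow
        print(f"{a.ts} [{a.severity}] {a.kind}: {f.src} -> {f.dst}:{f.dport} {f.nbytes} bytes")
```

The last record is the one the paragraph describes: the file server itself opening a connection to a host it has never talked to and moving gigabytes, which the baseline turns into a high-severity alert while the new workstation's small first visit stays low-severity noise for the analyst to fold into the next baseline.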
There are other popular attack types, such as SQL injection, cross-site scripting, pass-the-hash, and password guessing, but they aren't seen nearly as often as the five listed here. Protect yourself against the top five threats and you'll go a long way toward decreasing risk in your environment.
More than anything, I strongly encourage every enterprise to make sure its defenses and mitigations are aligned with the top threats. Don't be one of those companies that spends money on high-dollar, high-visibility projects while the bad guys keep sneaking in through routes that could have easily been blocked.