What Is Cybersecurity?
Cybersecurity is the term used to characterize all of the activities, policies, procedures, and tools used in concert to protect against unauthorized access to the information technology, data (including sensitive data), and sensitive information that is core to the functioning of the modern world.
Cybersecurity has become one of the most important areas that businesses and other organizations need to consider in their day-to-day operations and in their longer-term cybersecurity strategy planning. The protection of digital assets is so important that governments and regulatory organizations now publish cybersecurity advisories within their jurisdictions. Groups doing this include the National Institute of Standards and Technology (NIST) and the FBI in the USA, the UK National Cyber Security Centre (NCSC), and the European Union Agency for Cybersecurity (ENISA).
Cybersecurity covers many aspects of the modern digital landscape. It includes security measures to deliver data protection, information security, application security, network security, cloud security, endpoint device security, and the protection of people - staff, clients, customers, and the public users of IT services.
Effective cybersecurity will combine protections for all the items listed above, and merge them into solutions that are easy to deploy, use, update, and manage.
What Is a Cybersecurity Attack?
A cybersecurity attack is any form of malicious activity that targets computer systems, or the people using them, to gain unauthorized access to the systems and the data or information they contain. In most cases, cyber-attackers are criminals looking to exploit the attack for financial gain. In other cases, the aim is to disrupt operations by disabling access to IT systems, or in some cases, directly damaging physical equipment. The latter type of attack is commonly state-backed and carried out by state actors, or cybercriminals in their employ.
Cybersecurity attacks can be targeted at specific organizations or individuals, or they can be broadcast in nature and impact multiple organizations regionally and globally. Often targeted attacks jump from their intended victims to become more general problems on the Internet and for many organizations.
Types of Cybersecurity Threats
Cyber threats come in many types, and they are constantly changing and increasing in number. The attack surface open to cybercriminals is continually growing. This is due to the expansion of IT use in general, the growth of Internet of Things (IoT) devices and sensors, and the increasing provision of 5G network connectivity. The rapid switch to home working in 2020, and the trend towards remote working in general, fuels an increase in the number of phishing and other social engineering attacks that cybercriminals attempt. This trend is likely to continue in the future.
The threats from malicious actors fall into three broad categories. They are:
- Cybercrime - efforts by bad actors to profit from their malicious attacks, whether by direct financial theft, use of stolen credit card information, selling information obtained via a data breach on the dark web, or hijacking computing resources for activities such as crypto-jacking to mine cryptocurrencies.
- Disruption - attempts to disrupt the operations of organizations by attacking their IT and operational technology (OT) infrastructure to damage it, temporarily shut it down, or hold it for ransom.
- Espionage - cyberattacks backed by state agencies that are part of broader espionage and military activities.
Often there is considerable overlap between these three top-level categories. For example, state-based operatives frequently hand over newly discovered vulnerabilities to cybercriminals to use in malware, ransomware, and other cyberattacks.
Across all kinds of threats, there are multiple attack types in use. In the section below we outline them.
Cybersecurity Attack Types
There are many different attack vectors that cybercriminals attempt to use:
Phishing - Phishing attacks target people to steal login and other confidential information by trying to trick them into clicking malicious links in emails, message apps, or on the web. Phishing attacks are designed to look like authentic messages from trusted brands, organizations, or individuals so that the recipients think that they are getting a genuine request for information. Phishing links usually take the recipient to a spoof website made to look like a real one. On this site, they then collect login credentials and other confidential information.
Spear Phishing - Spear phishing is a highly targeted variant of phishing that uses a fake email or message, apparently from an important individual, to trick a person within the same or a partner organization. Spear phishing attempts rely on the extra authority of the apparent sender to trick people into providing information they shouldn't.
Malware - Malware is malicious software designed to infect IT systems and cause damage or compromise data security. Malware attacks come in many forms, such as viruses, worms, trojans, adware, spyware, ransomware, and more.
Ransomware - Ransomware is a form of malware that encrypts data on infected IT systems. It demands a ransom, usually paid in Bitcoin to an anonymous address, in exchange for the key needed to decrypt the infected system. Many of the significant cybersecurity attacks of the last few years have been ransomware attacks (WannaCry, for example), or have masqueraded as ransomware attacks to hide their real purpose (NotPetya seems to fall into this category: in reality it was a state-backed disruption attack).
Man In The Middle Attack - A man in the middle (MITM) attack occurs when cybercriminals intercept and alter network traffic flowing between IT systems. The MITM attack impersonates both senders and receivers on the network. It aims to trick both into sending unencrypted data that the attacker intercepts and can use for further attacks or financial gain.
Denial Of Service Attack - A Denial of Service (DoS) attack aims to disrupt a service provided on the network by flooding the targeted systems or applications with so many requests that the servers cannot respond to them all. As a result, legitimate requests cannot reach the service, or any response takes a very long time. Most DoS attacks are distributed and known as DDoS attacks. These use malware-infected PCs, and increasingly poorly secured IoT devices, grouped into botnets to rapidly send the requests that overwhelm the targeted systems.
Botnets - Botnets are widespread groups of devices that have been compromised and hijacked by cybercriminals in order to use them to target IT systems with DDoS attacks or other attack types. Botnet is a portmanteau of the words robot and network.
Adware - Adware is software that displays unwanted ads on end-user devices to generate revenue from advertisers. Adware is a type of malware. It often gets installed on user devices after tricking people into clicking a link. Adware then displays the ads and simulates user clicks to defraud advertisers into thinking that legitimate users are interacting with their ads. They then pay the cybercriminals for these clicks.
Crypto-Jacking - Crypto-jacking is a type of malware that uses the resources of the infected IT systems to 'mine' for cryptocurrencies. It steals the attacked system's computing resources by running at a high load to generate income for the remote attackers, who make money from the sale of the cryptocurrencies generated on the infected system.
Insider Threats - Not all cyber threats originate from external sources. Data and other sensitive information, such as login credentials, can leak from inside organizations, either through malicious activity by staff or, more frequently, through a mistake such as sending an email with an unencrypted attachment to the wrong recipient. This type of cyber breach is known as an insider threat.
OWASP Top 10 - Other types of cyberattacks exist. For example, SQL Injection and other injection attacks, cross-site scripting, and more. The OWASP Top 10 lists the most prevalent technical level attack methods that are in use. It is updated every few years.
Implementing robust cybersecurity defense is now a core part of every organization's operations. Attacks come in many forms, but cybersecurity professionals can do things to mitigate the risk of attacks succeeding. Here are some measures that, when combined, will create a cybersecurity framework that will lower the risk from attacks.
Have Documented Policies and Procedures - A crucial part of any strategy used to counter the risk of cyberattacks is having an easy-to-understand set of policies and procedures. These should cover what the IT team (or external suppliers if outsourced) need to do to protect the systems and what each user within the organization needs to do to help implement security. Regular risk assessments should be part of these policies. They should tell everyone what to do in the event of a security incident.
Implement Proactive Defense Measures - Cyberattacks rarely happen without the planning leaving telltale markers. Discussions about organizations soon to be attacked, auctions of user account information, and the setting up of dummy domains for phishing attacks occur on the dark web. If you know where to look, you can get threat intelligence warnings of imminent attacks and take steps to prevent them.
Monitoring the web and dark web for signs of imminent attack is an ongoing and specialized activity. Many organizations don't have the skill base or the resources to allocate staff to it. IntSights provides threat intelligence services that give warnings about imminent attacks.
Provide Ongoing Awareness Training - Most successful cyber attacks occur due to phishing attacks, successful malware infections, or other social engineering-based attacks. Ongoing security awareness training for staff is vital, so they know how to spot suspicious emails, messages, or websites. It should also make end-users aware of social media information leakage and potential information phishing outside of conventional work channels. Cybercriminals often target employees via their social media accounts to get information to aid later Phishing and Spear-phishing attacks. This awareness training should be frequent, short, easily digestible, and trackable to ensure everyone takes it on board.
Use Password Management Tools - Unique passwords should be mandatory for all systems that a user accesses. Users should not be allowed to use the same password for multiple systems. Nor should teams of users be allowed to share a password for a system. Passwords should also be strong and hard to guess or brute force.
These rules are great for system security, but they are hard for humans. To make it easier for humans while maintaining good password use across all systems, consider using a password management system. These generate strong, unique passwords for each system used. In many cases, they can autofill login details for users without them having to remember (or even know) what the password is for a particular system. All the user needs to remember is a single strong password that logs them into their password manager application.
Password management systems also enable multi-factor authentication to be implemented if the target system supports it. The users don't need to know how to generate secondary multi-factor tokens for each system.
Use Multi-factor Authentication - Implementing multi-factor authentication for all systems that support it is a crucial best practice. Requiring some other information besides a user name and password protects systems if login details are exposed to cybercriminals. Additional tokens, specific device requirements, and biometrics all provide ways to implement multi-factor authentication when logging into IT systems.
Use Protected Access Management - The authentication methods listed above are a core part of Identity and Access Management (IAM). When combined with permissions, IAM grants the authorization to access components of an application or IT system. This is the basis of the core access management that most organizations have traditionally used via Active Directory or a similar directory service.
A best practice for protecting critical systems is to take IAM to the next level and implement Protected Access Management (PAM). A PAM implementation adds additional policies and procedures to restrict access to designated systems. PAM also requires a management workflow to authorize anyone to use a logon; no single person can grant access. During a PAM session, all activity is logged and often recorded for later analysis if required. PAM security solutions also implement protections that prevent dangerous system- or data-altering commands from being run unless executed by a specific, highly authorized account. All PAM login and password combinations are one-time use only, and each access has to start the workflow from scratch.
Use Secure Firewalls - The border between internal networks and the Internet needs to be secured and protected with good firewalls and intrusion protection systems. Modern firewalls can detect known attack methods and any suspicious activity that might indicate an emerging cyberattack method.
In addition to border firewalls, Web Application Firewalls (WAFs) should also be deployed between back-end application servers and border firewalls. A WAF can act as a reverse proxy for a web application server and handle all access requests (usually on a load balancer). These requests are checked for suspicious activity at the network and application level. Any request that is deemed suspicious doesn't reach the application servers.
Implement Network Deception Technologies - Deception technologies implement dummy applications, databases, and other IT systems on a network. These dummy systems fool any cyber attackers who breach the external firewalls into thinking they have access to internal systems. In reality, the dummy systems are intended as honey traps to allow security teams to monitor the attacker's activities and gather data without exposing the production systems. Deception technologies are often backed by machine learning algorithms that can make the activity on the dummy IT systems seem authentic to cybercriminals.
Encrypt Data - All data at rest on servers or devices and in transit over the network should be encrypted. If an attacker does get access to data or intercepts it traveling over the Internet, they should not be able to read it due to the encryption. Use strong encryption: AES-256 as a minimum for data at rest, and TLS 1.3 or later if available for websites and transfers over the Internet.
Do Frequent Backups - In addition to encrypting data, organizations should frequently back it up. These backups should also be encrypted to protect them. Some of the backups should also be stored in a location not connected to the network. If a ransomware attack is successful and prevents access to data, you don't want this malware to infect the backups. If required, organizations can use these clean backups to restore systems without paying the ransomware demand. This is now a key component of business continuity and disaster recovery planning.
Install Anti-Malware Software - Preventing malware infections is better than cleaning up afterward. Good anti-malware and anti-virus protection software that protects in real-time should be installed on all systems that can run it.
Use Endpoint Protection - End users are frequent targets for cybercriminals, both on their devices and via social engineering attacks. All end-user devices that are capable of running it should have endpoint security protection software deployed. This should integrate with a wider Security Information and Event Management (SIEM) tool that allows for organization-wide monitoring and analysis of threats.
Keep IT Systems Up To Date - All IT systems need to be kept up to date with the latest security patches and other operating system updates. The same applies to anti-malware and other security software. These need to be configured to get the latest security updates and definitions every day (or multiple times a day if appropriate).
Secure All WiFi - All WiFi networks in use should use the maximum security available, and WiFi networks should not advertise their network names for devices to discover. Restricted guest networks should be configured if required. This also applies to users working from home. Their WiFi should be secured, or they should be using hardened mobile access.
Use a Mobile Device Management Solution - A lot of business activity now happens on smartphones and tablets, and many people use laptops for their work. The mobile nature of all these devices means that they will get lost and stolen. All mobile devices (including laptops) should be enrolled and managed in a mobile device management (MDM) solution. If a device is lost or stolen, it can be quickly wiped so that unauthorized users cannot access any data. MDM systems are often part of more comprehensive IT Security Information and Event Management solutions.