Book Excerpt: Recognize Their Attacks
A Chapter of the New Book 'Heuristic Risk Management' by Michael Lines
Learn about an effective approach for setting up a risk-based information security program from CyberEdBoard executive member Michael Lines.
Michael Lines is working with Information Security Media Group to promote awareness of the need for cyber risk management, and as a part of that initiative, the CyberEdBoard will post draft chapters from his upcoming book, "Heuristic Risk Management: Be Aware, Get Prepared, Defend Yourself." The last excerpt we published is here.
Recognize Their Threats
"Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win."
— Sun Tzu, "The Art of War"
Once you know which threats are most concerning to your business, you next need to look at the common ways in which those attacks are carried out. The aim of this chapter is to teach you the primary means by which threat actors attack organizations. You will use this knowledge in the next chapter to assess your defenses against these attacks.
All cyberattacks fall into one of two broad categories: compromise the person or compromise the system. Attackers use multiple methods of attack and chain them together to meet their objectives, so each method should be thought of as a link in a chain of events that makes up the story of how an attack occurs. The order in which the links appear depends on the attacker and their aim. Nothing is set in stone.
Compromise the Person
People - employees or contractors working for you, or staff at third parties whose products or services you use - can be compromised to perform or facilitate cyberattacks. Following are the primary ways these attacks occur.
Social engineering is the deception or manipulation of individuals to get them to do something that facilitates or enables a fraudulent act. The deception can arrive by email or a fake website (phishing), by phone call (vishing) or by text message (smishing). All these methods are intended to trick an employee into performing some action that gives the attacker the access or information they need. This can range from getting the user to execute a piece of malware disguised as an innocuous email attachment to getting them to hand over information that helps the attacker, such as their own credentials or the credentials to some internal system.
Physical attacks, from a cyber perspective, are instances where the attacker physically interacts with you or your business location to conduct the attack. This can range from tailgating an employee into a secure area to using social engineering - pretending to be a customer or repair person - to enter the company offices and install a malicious device that gives the attackers remote access to the company's internal network. USB dropping is another attack that mixes social engineering (tricking the individual) with the physical: malicious USB sticks are left where they are likely to be picked up and, the attacker hopes, inserted into company computers.
Compromise the System
All electronic systems, whether you own them or they are operated by a third party you interact with, can be compromised to perform or facilitate cyberattacks against your business. Following are the most common means by which these attacks occur.
Malware is any software intended to steal information or manipulate systems for malicious purposes; ransomware is one example. While malware is often introduced into systems by tricking users into executing it via social engineering - malicious email attachments, for example - it can also be embedded into products for supply chain attacks, for instance by compromising open-source software that those products incorporate. Attackers then use the access this malicious code provides to penetrate the systems and networks of the customers using the compromised product. Once attackers have penetrated a system or network, they use a combination of legitimate tools already present on the system and their own malicious software to achieve their objectives.
Information technology systems and networks are highly complex and are getting more so daily, with the move to cloud computing adding another dimension of complexity. Every software, hardware and networking component usually requires some configuration to set it up to perform its intended function. The issue arises when this configuration is never done and the component operates with default - and typically insecure - settings, or when it is done by someone who does not understand the component. The result is that attackers often have an open door to steal data or compromise systems by taking advantage of the misconfigurations that exist.
Vulnerabilities differ from misconfigurations in that vulnerabilities are flaws in the component itself - hardware or software - that leave it open to misuse, whereas misconfigurations are not flaws in the component but mistakes in setting it up properly. Scanning for and exploiting vulnerabilities is one of the primary methods hackers use to compromise systems, simply because of how prevalent vulnerabilities are on unpatched systems. It is not unusual for a large corporation with tens of thousands of computers and network devices to have millions of known and unknown vulnerabilities, ranging from minor to critical - critical meaning that if a hacker exploits the vulnerability, they gain full control of the device. Making this problem worse, many vulnerabilities have no patch available once discovered, because the manufacturer has gone out of business, does not have the resources or interest to produce one, has not yet had time to develop one - the zero-day vulnerability - or considers the product to be End of Life, or EOL. As a result, companies running these obsolete systems have ticking time bombs in their environment, just waiting for a malicious hacker to take advantage of them.
Exploit Design Flaws
Hacking is the generic term for all attempts to compromise computer systems or networks with the objective of manipulating them or stealing information from them. Script kiddie is the term for an unsophisticated hacker who runs prebuilt attack tools without fully understanding how they operate. True hackers, on the other hand, understand not only the attack tools but the inner workings of the systems they are attacking. They can develop custom code or custom hardware as needed to take advantage of previously undetected design flaws in their targets and so penetrate the systems they are attacking. This is where zero-day vulnerabilities are both discovered and used by attackers, to penetrate systems through holes the system owners did not even know existed.
CyberEdBoard is ISMG's premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Michael Lines is an information security executive with over 20 years of experience as a Chief Information Security Officer, or CISO, for large global organizations, including PricewaterhouseCoopers, Transition and FICO. In addition, he has led several advisory services practices, delivering security, risk and privacy professional services to major corporations. Lines writes, blogs, speaks at conferences and webinars, and provides interviews on a wide variety of information security topics, primarily concerning what it takes to develop and run effective information security programs and why so many companies continue to suffer security breaches due to ineffective risk management.