Top 10 types of information security threats for IT teams

Common security threats range from insider threats to advanced persistent threats, and they can bring an organization to its knees unless its in-house security team is aware of them and ready to respond.

Although the terms security threat, security event and security incident are related, in cybersecurity they have distinct meanings.

A security threat is a potential malicious act, or the actor or condition behind it, that could corrupt or steal data or disrupt an organization's systems or the organization as a whole. A security event is any observable occurrence in which company data or its network may have been exposed. An event that actually results in a compromise, such as a data or network breach, is called a security incident.

As cybersecurity threats continue to evolve and become more sophisticated, enterprise IT must remain vigilant in protecting its data and networks. To do that, teams first have to understand the types of security threats and potential attacks they're up against.

Below are the top 10 types of information security threats that IT teams need to know about.

1. Insider threats

An insider threat occurs when individuals close to an organization who have authorized access to its network intentionally or unintentionally misuse that access to negatively affect the organization's critical data or systems.

Careless employees who don't comply with their organizations' business rules and policies cause insider threats. For example, they may inadvertently email customer data to external parties, click on phishing links in emails or share their login information with others. Contractors, business partners and third-party vendors are the source of other insider threats.

Some insiders intentionally bypass security measures out of convenience or ill-considered attempts to become more productive. Malicious insiders intentionally elude cybersecurity protocols to delete data, steal data to sell or exploit later, disrupt operations or otherwise harm the business.

How to prevent insider threats

The list of things organizations can do to minimize the risks associated with insider threats includes the following:

  • Limit employees' access to only the specific resources they need to do their jobs;
  • Train new employees and contractors on security awareness before allowing them to access the network. Incorporate information about unintentional and malicious insider threat awareness into regular security training;
  • Set up contractors and other freelancers with temporary accounts that expire on specific dates, such as the dates their contracts end;
  • Implement two-factor authentication, which requires each user to provide a second piece of identifying information in addition to a password; and
  • Install employee monitoring software to help reduce the risk of data breaches and the theft of intellectual property by identifying careless, disgruntled or malicious insiders.
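The first three controls above (least privilege, expiring contractor accounts and second-factor enrollment) can be verified continuously rather than at onboarding only. The following is an added example, not code from the original article: a small access-review script that runs over a constructed identity-provider export. The field names, the role-to-resource baseline and the account records are all hypothetical.

```python
"""Access review for insider-threat controls (added example, constructed data):
flags grants beyond a role's baseline, contractor accounts with no expiry or past
expiry that are still enabled, and accounts not enrolled in a second factor."""
from datetime import date

# Hypothetical role -> minimum set of resources the role needs. Anything granted
# beyond this set is a least-privilege violation worth reviewing.
ROLE_BASELINE = {
    "developer": {"git", "ci", "dev-db"},
    "support": {"ticketing", "crm-read"},
    "contractor-dev": {"git", "ci"},
}

# Constructed sample of an IdP export (hypothetical schema, not real accounts).
ACCOUNTS = [
    {"user": "alice", "type": "employee", "role": "developer",
     "grants": {"git", "ci", "dev-db"}, "mfa": True, "expires": None},
    {"user": "bob", "type": "employee", "role": "support",
     "grants": {"ticketing", "crm-read", "prod-db"}, "mfa": True, "expires": None},
    {"user": "carol", "type": "contractor", "role": "contractor-dev",
     "grants": {"git", "ci"}, "mfa": False, "expires": date(2024, 3, 31)},
    {"user": "dave", "type": "contractor", "role": "contractor-dev",
     "grants": {"git"}, "mfa": True, "expires": None},
]


def review_accounts(accounts, today=None):
    """Return (user, finding, detail) tuples for every control violation."""
    today = today or date.today()
    findings = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct["role"], set())
        excess = acct["grants"] - baseline
        if excess:
            findings.append((acct["user"], "excess-grants", sorted(excess)))
        if acct["type"] == "contractor":
            if acct["expires"] is None:
                # Contractor accounts must carry an end date tied to the contract.
                findings.append((acct["user"], "no-expiry", None))
            elif acct["expires"] < today:
                # Expired but still present in the export: access was not revoked.
                findings.append((acct["user"], "expired-still-enabled",
                                 acct["expires"].isoformat()))
        if not acct["mfa"]:
            findings.append((acct["user"], "mfa-not-enrolled", None))
    return findings


def sample_findings():
    """Run the review against the constructed export on a fixed review date."""
    return review_accounts(ACCOUNTS, today=date(2024, 6, 1))


if __name__ == "__main__":
    for user, finding, detail in sample_findings():
        print(f"{user:8} {finding:24} {detail if detail is not None else ''}")
```

In practice the export would come from the identity provider's API and the review would run on a schedule, with "expired-still-enabled" findings feeding an automatic disable rather than a report.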


2. Viruses and worms

Viruses and worms are malicious software programs (malware) aimed at destroying an organization's systems, data and network. A computer virus is malicious code that replicates by copying itself into another program, system or host file. It remains dormant until someone knowingly or inadvertently activates it, and it then spreads the infection without the knowledge or permission of the user or system administrator.

A computer worm is a self-replicating program that doesn't have to copy itself to a host program or require human interaction to spread. Its main function is to infect other computers while remaining active on the infected system. Worms often spread using parts of an operating system that are automatic and invisible to the user. Once a worm enters a system, it immediately starts replicating itself, infecting computers and networks that aren't adequately protected.

How to prevent viruses and worms

To reduce the risk from viruses and worms, companies should install antivirus and antimalware software on all their systems and networked devices and keep that software up to date. In addition, organizations must train users not to download attachments or click on links in emails from unknown senders and to avoid downloading free software from untrusted websites. Users should also be very cautious with P2P file sharing services and should not click on ads, particularly ads from unfamiliar brands and websites.

3. Botnets

A botnet is a collection of internet-connected devices, including PCs, mobile devices, servers and IoT devices, that are infected with the same malware and remotely controlled through its command-and-control channel. Typically, the botnet malware searches for vulnerable devices across the internet. The goal of the threat actor creating a botnet is to infect as many connected devices as possible and use their computing power and resources for automated tasks that generally remain hidden from the devices' users. The threat actors -- often cybercriminals -- that control these botnets use them to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks.

Botnet command and control illustrated

How to prevent botnets

Organizations have several ways to prevent botnet infections:

  • Monitor network performance and activity to detect any irregular network behavior;
  • Keep the operating system up to date;
  • Keep all software up-to-date and install any necessary security patches;
  • Educate users not to engage in any activity that puts them at risk of bot infections or other malware, including opening emails or messages, downloading attachments or clicking links from unfamiliar sources; and
  • Implement antibotnet tools that find and block bot viruses. In addition, most firewalls and antivirus software include basic tools to detect, prevent and remove botnets.
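The first bullet above, monitoring for irregular network behavior, is where botnet infections are most often caught: a bot checks in with its command-and-control server on a timer, so the same host contacts the same destination at nearly constant intervals. The following is an added example, not code from the original article, that detects such beaconing over constructed flow records (timestamps, sources and destinations are all made up). It flags a (source, destination, port) tuple when the gaps between connections are very regular, measured by the coefficient of variation of the inter-arrival times.

```python
"""Beaconing detection over constructed flow records (added example).
A bot's C2 check-ins arrive at near-constant intervals; a person browsing
produces irregular gaps. Low variance in inter-arrival time is the signal."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch seconds, src, dst, dst_port). The beaconing host
# connects every 60 s with +/-1 s jitter; the normal host connects irregularly.
BEACON = [(1000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.10", 443)
          for i in range(10)]
NORMAL = [(t, "10.0.0.7", "198.51.100.20", 443)
          for t in (1000, 1007, 1090, 1095, 1400, 1402, 1900, 2100)]
FLOWS = BEACON + NORMAL


def find_beacons(flows, min_connections=8, max_cv=0.1):
    """Return suspected beacons: tuples with enough connections whose
    inter-arrival times have a coefficient of variation <= max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg  # 0 means perfectly periodic
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "count": len(times), "period_s": round(avg, 1),
                            "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        print(f"{b['src']} -> {b['dst']}:{b['port']} every ~{b['period_s']}s "
              f"({b['count']} connections, cv={b['cv']})")
```

Real bots add random sleep jitter precisely to defeat this, so the threshold is a tuning knob; pairing periodicity with other signals (destination reputation, unusual ports, connections outside working hours) keeps the false-positive rate down.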

4. Drive-by download attacks

In a drive-by download attack, malicious code is downloaded from a website via a browser, application or integrated operating system without a user's permission or knowledge. A user doesn't have to click on anything to activate the download. Just accessing or browsing a website can start a download. Cybercriminals can use drive-by downloads to inject banking Trojans, steal and collect personal information as well as introduce exploit kits or other malware to endpoints.

How to prevent drive-by download attacks

One of the best ways a company can prevent drive-by download attacks is to regularly update and patch systems with the latest versions of software, applications, browsers, and operating systems. Users should also be warned to stay away from insecure websites. Installing security software that actively scans websites can help protect endpoints from drive-by downloads.

5. Phishing attacks

Phishing attacks are a type of information security threat that employs social engineering to trick users into breaking normal security practices and giving up confidential information, including names, addresses, login credentials, Social Security numbers, credit card information and other financial information. In most cases, hackers send out fake emails that look as if they're coming from legitimate sources, such as financial institutions, eBay, PayPal -- and even friends and colleagues.

In phishing attacks, hackers attempt to get users to take an action the attacker wants, such as clicking on links in emails that lead to fraudulent websites that ask for personal information or install malware on their devices. Opening attachments in emails can also install malware designed to harvest sensitive information, send out emails to the user's contacts or provide remote access to the device.

How to prevent phishing attacks

Enterprises should train users not to download attachments or click on links in emails from unknown senders and avoid downloading free software from untrusted websites.
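Training helps, but the tells of a phishing email described above (a sender that only looks like a legitimate institution, a reply address that goes somewhere else, links to lookalike sites) can also be checked mechanically before a message reaches a user. The following is an added example, not code from the original article: a triage function that parses a constructed raw email with Python's standard `email` package and reports those tells. The protected brand list, the confusable-character table and the message itself are all made up for illustration.

```python
"""Phishing triage over a raw RFC 5322 message (added example, constructed input).
Flags: display name claiming a protected brand from another domain, lookalike
sender domains, Reply-To pointing elsewhere, and links to lookalike or raw-IP hosts."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

PROTECTED_DOMAINS = {"paypal.com", "example-bank.com"}  # hypothetical brand list
# Digits commonly substituted for letters in lookalike domains (hypothetical table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed phishing message; none of these addresses or hosts are real.
RAW_EMAIL = '''From: "PayPal Support" <alerts@paypa1.com>
Reply-To: recover@mail-verify.net
Return-Path: <bounce@paypa1.com>
To: victim@example.org
Subject: Unusual sign-in activity
Content-Type: text/plain; charset="utf-8"

Please confirm your account at http://paypal.com.login-verify.net/confirm
or call us. Your invoice: http://192.0.2.7/inv.pdf
'''


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if domain imitates a protected domain without being one."""
    d = domain.lower()
    if d in PROTECTED_DOMAINS:
        return False
    norm = d.translate(CONFUSABLES)  # paypa1.com -> paypal.com
    for good in PROTECTED_DOMAINS:
        brand = good.split(".")[0]
        if norm == good or levenshtein(norm, good) <= 1:
            return True
        if d.startswith(good + ".") or brand in d:
            return True  # brand buried in someone else's domain
    return False


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"])
    from_dom = addr.rsplit("@", 1)[-1].lower()
    for good in PROTECTED_DOMAINS:
        brand = good.split(".")[0]
        if brand in name.lower() and from_dom != good:
            findings.append(f"display name claims {brand} but address is @{from_dom}")
    if is_lookalike(from_dom):
        findings.append(f"From domain looks like a protected brand: {from_dom}")
    _, reply = parseaddr(msg["Reply-To"] or "")
    if reply:
        reply_dom = reply.rsplit("@", 1)[-1].lower()
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link uses a raw IP address: {url}")
        elif is_lookalike(host):
            findings.append(f"link host looks like a protected brand: {host}")
    return findings


if __name__ == "__main__":
    for f in analyze(RAW_EMAIL):
        print("-", f)
```

A mail gateway would combine these heuristics with SPF, DKIM and DMARC results; the header checks here are what remains useful when the attacker controls a domain whose authentication records are perfectly valid.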

6. Distributed denial-of-service (DDoS) attacks

In a distributed denial-of-service (DDoS) attack, multiple compromised machines attack a target, such as a server, website or other network resource, to make it unavailable. The flood of connection requests, incoming messages or malformed packets forces the target system to slow down, or to crash and shut down, denying service to legitimate users or systems.

How to prevent DDoS attacks

To help prevent DDoS attacks, companies should take these steps:

  • Implement technology and tools to monitor networks visually and know how much bandwidth a site uses on average. Because a DDoS attack shows up as a sharp deviation from that normal pattern, administrators who understand their networks' baseline behavior are better able to catch one early.
  • Ensure servers have the capacity to absorb heavy traffic spikes and have the mitigation tools needed to address an attack in progress.
  • Update and patch firewalls and network security programs.
  • Set up protocols outlining the steps to take in the event of a DDoS attack occurring.
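The monitoring step above rests on knowing the baseline. The following is an added example, not code from the original article, that shows the simplest form of that comparison: it parses constructed web-server access-log lines, counts requests per window, learns a baseline from the quiet windows and raises an alert, with the top sources, when a window exceeds the baseline by several standard deviations. The log format, timestamps and addresses are all made up.

```python
"""Volumetric flood detection over constructed access logs (added example).
Per-window request counts are compared with a baseline learned from earlier
windows; an alert carries the heaviest sources so they can be rate-limited."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Simplified access-log line (hypothetical format): the bracketed field is a
# plain epoch-second integer instead of a human-readable timestamp.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\d+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def make_sample_log():
    """Six quiet 10-second windows of 20 requests, then one 400-request flood."""
    lines = []
    for w in range(6):
        for k in range(20):
            lines.append(f'198.51.100.{k + 1} - - [{w * 10 + k % 10}] '
                         f'"GET /index.html HTTP/1.1" 200')
    for bot in range(40):
        for r in range(10):
            lines.append(f'203.0.113.{bot + 1} - - [{60 + r}] "GET / HTTP/1.1" 503')
    return lines


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield int(m["ts"]), m["ip"]


def detect_flood(lines, window=10, sigma=3.0, baseline_windows=6):
    """Return alerts for windows whose request total exceeds mean + sigma*stdev
    of the first baseline_windows windows."""
    per_window = defaultdict(Counter)  # window index -> Counter(ip -> requests)
    for ts, ip in parse(lines):
        per_window[ts // window][ip] += 1

    ordered = sorted(per_window)
    totals = [sum(per_window[w].values()) for w in ordered]
    base = totals[:baseline_windows]
    mu, sd = mean(base), pstdev(base)
    # Floor the deviation so a perfectly flat baseline still yields a usable threshold.
    threshold = mu + sigma * max(sd, 1.0)

    alerts = []
    for w, total in zip(ordered[baseline_windows:], totals[baseline_windows:]):
        if total > threshold:
            alerts.append({
                "window": w,
                "requests": total,
                "threshold": threshold,
                "distinct_sources": len(per_window[w]),
                "top_sources": per_window[w].most_common(3),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_flood(make_sample_log()):
        print(f"window {a['window']}: {a['requests']} requests "
              f"(threshold {a['threshold']:.0f}) from {a['distinct_sources']} sources; "
              f"top: {a['top_sources']}")
```

The number of distinct sources is the field that distinguishes a distributed attack from a single misbehaving client: one address can be blocked at the firewall, four hundred usually means upstream scrubbing or rate limiting at the edge.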

7. Ransomware

In a ransomware attack, the victim's computer is locked, typically by encryption, which keeps the victim from using the device or data that's stored on it. To regain access to the device or data, the victim has to pay the hacker a ransom, typically in a virtual currency such as Bitcoin. Ransomware can be spread via malicious email attachments, infected software apps, infected external storage devices and compromised websites.


How to prevent ransomware

To protect against ransomware attacks, users should regularly back up their computing devices and update all software, including antivirus software. Users should avoid clicking on links in emails or opening email attachments from unknown sources. Victims should do everything possible to avoid paying ransom. Organizations should also couple a traditional firewall that blocks unauthorized access to computers or networks with a program that filters web content and focuses on sites that may introduce malware. In addition, limit the data a cybercriminal can access by segregating the network into distinct zones, each of which requires different credentials.
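Backups and segmentation limit the damage; catching the encryption run while it is in progress limits it further. Ransomware rewrites many files in a short burst, the new contents are indistinguishable from random bytes, and the files usually get a new extension. The following is an added example, not code from the original article, that scores constructed file-write events on exactly those three signals: Shannon entropy of the written bytes, a known-bad extension list and a sliding time window per process. Paths, process IDs and the extension list are hypothetical.

```python
"""Encryption-burst detection over constructed file-write events (added example).
A process that rewrites many files with near-random content in a few seconds
looks like ransomware; a single high-entropy write (a zip, a photo) does not."""
import math
import os
from collections import defaultdict

RANSOM_EXTS = {".locked", ".encrypted", ".crypt"}  # hypothetical extension list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant buffer up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def make_sample_events():
    """Constructed (timestamp, pid, path, bytes_written) records."""
    text = b"Quarterly revenue summary: see attached tables.\n" * 40
    events = [
        (1.0, 100, "/home/u/report.docx", text),        # ordinary edit
        (2.0, 100, "/home/u/notes.txt", text[:300]),     # ordinary edit
        (3.0, 101, "/home/u/archive.zip", os.urandom(2048)),  # legit high-entropy file
    ]
    # Suspicious process: 30 files rewritten with random bytes and a new extension
    # within six seconds.
    for i in range(30):
        events.append((5.0 + i * 0.2, 666,
                       f"/home/u/docs/file{i}.xlsx.locked", os.urandom(2048)))
    return events


def detect_encryption_burst(events, window_s=10.0, min_files=20, min_entropy=7.0):
    """Alert on any process with >= min_files suspicious writes inside window_s."""
    by_pid = defaultdict(list)
    for ts, pid, path, data in events:
        ext = os.path.splitext(path)[1].lower()
        if shannon_entropy(data) >= min_entropy or ext in RANSOM_EXTS:
            by_pid[pid].append((ts, path))

    alerts = []
    for pid, hits in by_pid.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            # Shrink the window from the left until it spans at most window_s seconds.
            while hits[hi][0] - hits[lo][0] > window_s:
                lo += 1
            if hi - lo + 1 >= min_files:
                alerts.append({"pid": pid, "files": hi - lo + 1,
                               "first": hits[lo][1], "last": hits[hi][1]})
                break  # one alert per process is enough to trigger containment
    return alerts


if __name__ == "__main__":
    for a in detect_encryption_burst(make_sample_events()):
        print(f"pid {a['pid']}: {a['files']} encrypted-looking writes, "
              f"{a['first']} .. {a['last']}")
```

The useful response to such an alert is to suspend the process and isolate the host, not merely to log it; by the time a human reads the ticket the remaining files are gone.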

8. Exploit kits

An exploit kit is a packaged toolkit that enables a person with little or no experience writing software code to create, customize and distribute malware. Typically it is hosted on a compromised or attacker-controlled web page, fingerprints a visitor's browser and plugins for known vulnerabilities and delivers a payload through the first one that works. Exploit kits are known by a variety of names, including infection kit, crimeware kit, DIY attack kit and malware toolkit. Cybercriminals use these toolkits to attack system vulnerabilities to distribute malware or engage in other malicious activities, such as stealing corporate data, launching denial-of-service attacks or building botnets.

How to prevent exploit kits

To guard against exploit kits, an organization should deploy antimalware software as well as a security program that continually evaluates if its security controls are effective and provide protection against attacks. Enterprises should also install antiphishing tools because many exploit kits use phishing or compromised websites to penetrate the network.

9. Advanced persistent threat attacks

An advanced persistent threat (APT) is a targeted cyberattack in which an unauthorized intruder penetrates a network and remains undetected for an extended period. Rather than causing immediate, visible damage, the intruder's goal is usually to keep access, monitor network activity and steal information over time, using tooling such as exploit kits and custom malware to get in and stay in. APT operators, typically well-resourced groups, go after high-value targets such as large enterprises and government bodies, stealing data over a long period.

How to prevent APT attacks

Detecting anomalies in outbound data may be the best way for system administrators to determine if their networks have been targeted.

Indicators of APTs include the following:

  • unusual activity on user accounts;
  • extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access;
  • odd database activity, such as a sudden increase in database operations involving massive amounts of data; and
  • the presence of unusual data files, possibly indicating that data has been bundled into archives to assist in the exfiltration process.

To combat this type of information security threat, an organization should also deploy a software, hardware or cloud firewall to guard against APT attacks. Organizations can also use a Web application firewall to detect and prevent attacks coming from web applications by inspecting HTTP traffic.
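The outbound-data check mentioned above is the most reliable of these indicators because exfiltration has to leave the network eventually. The following is an added example, not code from the original article, that compares each host's daily egress against its own history and also reports destinations the host never contacted during the baseline period; the record layout, hostnames, addresses and byte counts are constructed.

```python
"""Outbound exfiltration anomaly detection (added example, constructed data).
Each host is compared with its own baseline of daily egress bytes, and any
transfer to a destination unseen in the baseline period is called out."""
from collections import defaultdict
from statistics import mean, pstdev


def make_sample():
    """Constructed (day, host, destination, bytes_out) records: two weeks of
    routine traffic, then on day 15 one host pushes 4.2 GB to a new address."""
    recs = []
    for day in range(1, 15):
        recs.append((day, "ws-12", "mail.example.net", 20_000_000 + (day % 3) * 1_000_000))
        recs.append((day, "ws-12", "cdn.example.net", 30_000_000 + (day % 2) * 2_000_000))
        recs.append((day, "ws-20", "mail.example.net", 15_000_000))
    recs.append((15, "ws-12", "mail.example.net", 21_000_000))
    recs.append((15, "ws-12", "203.0.113.50", 4_200_000_000))
    recs.append((15, "ws-20", "mail.example.net", 15_500_000))
    return recs


def detect_exfil(records, baseline_days=14, sigma=3.0):
    """Alert when a host's daily egress exceeds its baseline mean + sigma*stdev,
    or when it talks to a destination not seen during the baseline period."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dsts = defaultdict(lambda: defaultdict(set))    # host -> day -> destinations
    baseline_dsts = defaultdict(set)                # host -> destinations in baseline
    for day, host, dst, nbytes in records:
        daily[host][day] += nbytes
        dsts[host][day].add(dst)
        if day <= baseline_days:
            baseline_dsts[host].add(dst)

    alerts = []
    for host, days in daily.items():
        base = [days[d] for d in sorted(days) if d <= baseline_days]
        if len(base) < 7:
            continue  # not enough history to call anything anomalous
        mu, sd = mean(base), pstdev(base)
        # Floor the deviation at 5% of the mean so a flat baseline still tolerates
        # ordinary day-to-day variation.
        threshold = mu + sigma * max(sd, 0.05 * mu)
        for d in sorted(days):
            if d <= baseline_days:
                continue
            total = days[d]
            new_dsts = sorted(dsts[host][d] - baseline_dsts[host])
            if total > threshold or new_dsts:
                alerts.append({"host": host, "day": d, "bytes": total,
                               "baseline_mean": round(mu), "threshold": round(threshold),
                               "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(make_sample()):
        print(f"{a['host']} day {a['day']}: {a['bytes']:,} bytes out "
              f"(baseline ~{a['baseline_mean']:,}); new destinations: {a['new_destinations']}")
```

Patient attackers exfiltrate slowly to stay under a volume threshold, which is why the new-destination check matters: a first-ever connection to an unfamiliar address that persists day after day is itself the indicator, regardless of size.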

10. Malvertising

Malvertising is a technique cybercriminals use to inject malicious code into legitimate online advertising networks and web pages. This code typically redirects users to malicious websites or installs malware on their computers or mobile devices. Users' machines may get infected even if they don't click on anything to start the download. Cybercriminals may use malvertising to deploy a variety of moneymaking malware, including cryptomining scripts, ransomware and banking Trojans.

Some of the websites of well-known companies, including Spotify, The New York Times and the London Stock Exchange, have inadvertently displayed malicious ads, putting users at risk.

How to prevent malvertising

To prevent malvertising, ad networks should add validation, which reduces the chances a user could be compromised. Validation could include vetting prospective customers by requiring legal business paperwork, requiring two-factor authentication for advertiser accounts, scanning potential ads for malicious content before publishing them, or converting Flash ads to animated GIFs or other static content.

To mitigate malvertising attacks, web hosts should periodically check their websites from a deliberately unpatched, isolated test system and monitor that system for any malicious activity, then disable any malicious ads they find.

To reduce the risk of malvertising attacks, enterprise security teams should be sure to keep software and patches up to date as well as install network antimalware tools.
