As a consultant, one of the biggest security problems I see is one of perception: The threats companies think they face are often vastly different from the threats that pose the greatest risk. For example, they hire me to deploy state-of-the-art PKI or an enterprisewide intrusion detection system, when what they really need is better patching.
The fact is, most companies face the same threats -- and should be doing their utmost to counteract those risks. Here are the five most common successful cyber attacks.
Cyber attack No. 1: Socially engineered Trojans
Socially engineered Trojans are the No. 1 method of attack (not an exploit, a misconfiguration, or a buffer overflow). An end-user browses to a website -- usually one he or she trusts -- which prompts him or her to run a Trojan. Most of the time the website is a legitimate, innocent victim that has been temporarily compromised by hackers.
Usually, the website tells users they are infected by viruses and need to run fake antivirus software. Also, they're nearly out of free disk space and need a fake disk defragger. Finally, they must install an otherwise unnecessary program, often a fake Adobe Reader or an equally well-known program. The user executes the malware, clicking past browser warnings that the program could possibly be harmful. Voilà, exploit accomplished! Socially engineered Trojans are responsible for hundreds of millions of successful hacks each year. Against those numbers, all other hacking types are just noise.
Countermeasure: Socially engineered Trojans are best handled through end-user education that's informed by today's threats (such as trusted websites prompting users to run Trojans). Enterprises can further protect themselves by not allowing elevated users to surf the Web or answer email. An up-to-date antimalware program can't hurt, but strong end-user education provides better bang for the buck.
Cyber attack No. 2: Unpatched software
Coming in a distant second is software with known but unpatched vulnerabilities. The most commonly unpatched and exploited programs are Java, Adobe Reader, and Adobe Flash. It's been this way for a few years now. But strangely, not a single company I've ever audited has ever had these three programs perfectly patched. I just don't get it.
Countermeasure: Stop what you're doing right now and make sure your patching is perfect. If you can't, make sure it's perfect for the most exploited products, including Java, Adobe products, browser add-ins, OS patches, and more. Everyone knows that better patching is a great way to decrease risk. Become one of the few organizations that actually does it.
Cyber attack No. 3: Phishing attacks
Approximately 70 percent of email is spam. Fortunately, antispam vendors have made great strides, so most of us have reasonably clean inboxes. Nonetheless, I get several spam emails each day, and at least a few of them each week are darned good phishing replicas of legitimate emails.
I think of an effective phishing email as a corrupted work of art: Everything looks great; it even warns the reader not to fall for fraudulent emails. The only thing that gives it away is the rogue link asking for confidential information.
Countermeasure: Decreasing risk from phishing attacks is mostly accomplished through better end-user education -- and with better antiphishing tools. Make sure your browser has antiphishing capabilities. I also love browsers that highlight the domain name of a host in a URL string. That way windowsupdate.microsoft.com.malware.com, for example, is more obvious.
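To show what the domain highlighting described above actually computes, here is an added Python example (not code from the original article) that extracts the registrable domain from a URL, the way a browser does before highlighting it, and flags URLs in which a trusted brand's domain appears anywhere other than as the real owner. The lookalike URL is the one given in the text; the other sample URLs, the `trusted_domains` set, and the tiny `MULTI_LABEL_SUFFIXES` stand-in for the Public Suffix List are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed, deliberately small stand-in for the Public Suffix List.
# Assumption for this example: any suffix not listed here is a single label
# such as "com" or "org". A real tool would load the full published list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, tolerating a missing scheme.

    urlsplit() already discards any user@ prefix, so a URL such as
    https://www.microsoft.com@malware.com/ yields the host malware.com.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the part of the hostname somebody actually registered (eTLD+1).

    This is the string a browser highlights: every label to its left is
    chosen freely by the registrant and proves nothing about who they are.
    """
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_verdict(url: str, trusted_domains) -> dict:
    """Report the real owner of a URL and any trusted brand it borrows.

    A brand domain counts as impersonated when it appears anywhere in the
    URL (subdomain labels, userinfo, path or query) while the registrable
    domain belongs to someone else. Deliberately conservative: a legitimate
    link whose query string mentions a brand is also reported.
    """
    host = hostname_of(url)
    owner = registrable_domain(host)
    lowered = url.lower()
    impersonates = sorted(d for d in trusted_domains if d != owner and d in lowered)
    return {"host": host, "owner": owner, "impersonates": impersonates}


# Constructed sample input: the lookalike from the text plus a genuine
# Microsoft host and a userinfo trick. Only the first and third are flagged.
SAMPLE_URLS = [
    "http://windowsupdate.microsoft.com.malware.com/login",
    "https://windowsupdate.microsoft.com/",
    "https://www.microsoft.com@malware.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict = lookalike_verdict(sample, {"microsoft.com"})
        flag = "SUSPICIOUS" if verdict["impersonates"] else "ok"
        print(f"{flag:10} owner={verdict['owner']:<14} {sample}")
```

The check deliberately trusts nothing to the left of the registrable domain: `windowsupdate.microsoft.com.malware.com` resolves to an owner of `malware.com`, and the brand labels in front of it are reported as borrowed. Mail gateways and proxies can apply the same test to every link in an inbound message and warn the user, which complements the end-user education the article recommends.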