The financial services industry faces significant pressure from a cybersecurity perspective
The top cyber attacks in the financial industry include phishing, ransomware, DDoS attacks, local file inclusion, and insider threats (users or employees)
Being proactive to prevent these types of attacks from taking place is critical
The financial industry suffers from more cyber attacks than any other, and that should come as no surprise. After all, cyber attacks are normally motivated by one of two factors: gaining maximum profits or inflicting maximum damage. Targeting a financial institution responsible for massive quantities of private, corporate, or even public funds—like a bank or an insurance company—is an effective way to do both. No wonder the industry now experiences an average of one cyber attack every 10 seconds.
Phishing attacks rely on fraudulent communications, usually disguised to appear as messages from key partners, clients, or other stakeholders in the organization. In the financial sector, these could appear at first glance to be emails from investors, regulators, or vendors.
Email phishing is the most common kind, where a hacker simply sends a legit-looking email to an employee at a company in an attempt to make them volunteer-sensitive information or download malicious software. But it’s also not uncommon for hackers to use fake links (HTTPS phishing) to direct victims to pages that download malware to their devices and let hackers steal data from them.
Cost: phishing scams cost the average large organization nearly $15 million each year.
Collateral damage: phishing doesn’t just cost a company money—it can also result in a loss of intellectual property, disrupt operational activities, and damage the institution’s reputation. Phishing attacks that target company leadership (called whaling attacks) can have particularly devastating consequences.
How can it be prevented? Improve your endpoint security. When a device on your network is compromised with malware from a phishing attack, you likely only have 10-30 minutes before it spreads to others. Our endpoint detection and response services can isolate your devices as soon as they are compromised and contain the threat until it can be dealt with.
Ransomware is a type of malware that makes a device unusable until the victim pays a given amount of money to the hackers who control it. In a recent poll of financial organizations affected by cyber attacks, nearly 75% reported being affected by ransomware hacks.
Cost: in a six-month period during the previous year, the US Treasury Department’s financial crimes unit reported more than $5.2 billion in bitcoin payments related to ransomware attacks.
Collateral damage: ransomware can do more than make an endpoint unusable—it can also give hackers control over the data that endpoint can access. Often, the hackers will threaten to release this data unless the ransom is paid, so ransomware often creates a “Sophie’s Choice” situation where a business is forced to choose between its profits and its reputation.
How can it be prevented? Hackers often use phishing emails to get ransomware onto your devices, so endpoint protection is important here, too. But adding in frequent vulnerability scanning (which identifies weaknesses in your network security so they can be resolved) and an up-to-date firewall (which blocks unauthorized traffic to and from your network) also play key roles in stopping this common type of threat.
A Distributed Denial of Service (DDoS) attack occurs when a threat actor purposefully overloads your organization’s network with traffic to disrupt normal business operations and potentially divert cybersecurity resources so that other hacks can be attempted with a greater chance of success. More than 50% of reported DDoS attacks are against financial institutions such as commercial banks and payment card processing companies.
Cost: most credit card companies process thousands of transactions per second, so a successful DDoS attack can cost millions of dollars in lost revenue every minute.
Collateral damage: during a DDoS attack, an organization’s internal cybersecurity resources are often diverted to fix the disruption in services. During this time, detection time for other threats can increase, making them more likely to succeed.
How can it be prevented? Knowing how to configure your firewall to block unwanted traffic can reduce the possible areas a DDoS attack can target. Virtual Armor’s managed firewall services can be configured by our experts to make these attacks as ineffective as possible against your network.
Local File Inclusion
These attacks are among the most common kinds of web application attacks in the financial sector, making up nearly 50% of web application attacks on financial organizations in recent years. LFI attacks work by targeting web applications used by financial institutions and attempting to make them display or run files on a server—revealing sensitive data.
Cost: LFI attacks are often used to make other cyber crimes possible, so the exact costs involved with them can be difficult to pinpoint. However, given that they are commonly used to create data breaches and that the average cost of a data breach in the financial sector this year is $5.72 million, it’s easy to see why they represent a major threat.
Collateral damage: LFI attacks can open up an organization’s clients who use their web applications to Denial of Service attacks, data theft, and website defacement. LFI attacks can also lead to cross-site scripting (XSS) attacks, where malicious code is attached to a web-based application and affects every person who uses it.
How can it be prevented? Regular vulnerability scanning plays a vital role in identifying areas where your organization’s web applications can be compromised. Virtual Armor offers vulnerability scanning as an independent service and as part of our SOCaaS option.
Insider threats occur when someone within your organization is responsible for a cybersecurity threat. This can happen deliberately (malicious insiders), but that’s not always the case—sometimes, employees just make mistakes or don’t have the resources to adequately protect your organization from a potential breach (inadvertent insiders).
Cost: the average cost of these incidents is upwards of $15 million in 2022.
Collateral damage: the average financial sector employee has access to over 11 million records on their first day of work. That makes the extent of the damage an internal threat can cause potentially limitless.
How can it be prevented? Hiring Virtual Armor to provide SOCaaS takes pressure off your existing cybersecurity team and puts the most sensitive parts of your cybersecurity infrastructure in the hands of our trained professionals. Simply put: the more of your cybersecurity we handle, the less of a risk you face from your own employees.
Protect Your Organization from Cyber Attacks
Strong cybersecurity isn’t optional for financial institutions—there’s simply too much to lose. To learn more about how Virtual Armor’s solutions can bolster your cybersecurity capabilities, contact us immediately and speak with a member of our team.
Malware is software designed to steal data, damage equipment, or spy on users.
Viruses infiltrate a program or device and then spread across a network.
Worms are viruses that self-replicate and spread without human action.
Trojans disguise themselves as legitimate code or software, but allow attackers to carry out the same actions as authorized users.
Ransomware restricts access to a device and gives control of it to an attacker unless a sum of money is paid to them.
Malicious Adware uses ads to lure users to download other types of malware or visit sites that will automatically infect their devices.
Malvertising is similar to malicious adware, but is delivered through a compromised website and only affects users while they are visiting it.
Spyware is malware designed to gather a user’s data without their consent or knowledge.
In the internet age, organizations in all verticals are increasingly relying on digital tools to get the job done. From seemingly mundane tools such as email and digital calendars to highly specialized programs, more work than ever relies on digital and internet-connected tools, including the cloud. Unfortunately, this rapid increase in digital interconnectivity has brought with it a sharp rise in digital crime, including the distribution of malware.
Malware, short for malicious software, is a general term that encompasses a wide variety of malicious programs designed to steal sensitive data, damage equipment, or spy on unsuspecting users. In this article, we will discuss seven of the most common types of malware:
2021 Saw An Alarming Increase in Ransomware & This Trend is Likely to Continue
According to a joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the NSA, and in partnership with the Australian Cyber Security Centre (ACSC) and the United Kingdom’s National Cyber Security Centre (NCSC-UK) 2021 saw the continuation of several alarming cybercrime trends, and found that “Ransomware [a type of malware] groups are having an increasing impact thanks to approaches targeting the cloud, managed service providers, industrial processes and the software supply chain” and that “More and more, ransomware groups are sharing victim information with each other, including access to victims’ networks.”
The advisory also reported that the ransomware market, in particular, is becoming increasingly “professionalized”, with more criminals relying on cybercriminal services-for-hire to attack targeted organizations.
The 7 Most Common Types of Malware (& How They Can Impact Your Organization)
Computer viruses are a form of malware designed to infiltrate one program or machine and then spread to other systems, much like the viruses that target the human body. As it spreads, the virus wreaks havoc on business activities by encrypting, corrupting, deleting, or moving data and files or launching DDoS or ransomware attacks on other connected machines.
Viruses are particularly insidious because they may remain dormant for a set period, allowing the virus to spread to as many machines and devices as possible before launching the attack. Viruses may be delivered via email or inadvertently downloaded from infected or malicious websites and can also be delivered via physical media such as USB drives. Cybercriminals may leave infected USB drives in lobbies or parking lots, hoping that a worker will pick them up and plug them into their network-connected computer.
Unlike worms (discussed below), computer viruses must be embedded in a host program and often remain dormant until they are activated by unsuspecting users, such as when a user plugs an infected USB drive into their machine, opens an infected file, or clicks on a malicious URL.
Worms are similar to viruses, but they do not require human action to infect, self-replicate, and spread to other machines. As soon as the system is breached, worms can infect both the entry point machine and spread to other machines and devices on the network unaided by humans.
Worms rely on network vulnerabilities, such as unpatched operating systems, weak email security protocols, and poor internet safety practices. Originally, the goal of most worms was to damage system resources to hinder performance. However, modern worms are often designed to steal or delete files and are typically deployed against email servers, web servers, and database servers.
The Stuxnet attack is a particularly devastating example of a worm at work. This attack targeted operations technology systems involved in uranium enrichment and impacted organizations across Iran, India, and Indonesia.
A trojan is a type of malware that has disguised itself as a piece of legitimate code or software. Once an unsuspecting user grants the trojan network access, it allows attackers to carry out the same actions as legitimate users, including exporting or deleting files, modifying data, and otherwise altering the contents of the infected device. Trojans are designed to appear innocuous and are often found in downloads for games, apps, tools, or even software patches.
Many trojans rely on phishing, spoofing, or other social engineering attacks to trick users into granting them network access, but this is not always the case. Though trojans are occasionally referred to as trojan viruses or trojan worms, these terms are not strictly correct: unlike viruses, trojans cannot self-replicate, and unlike worms, they cannot self-execute. All trojans require specific and deliberate user actions to spread, such as convincing a colleague to try out this great new productivity app or download this fun game onto their work phone so you two can play together on your lunch break.
Ransomware is one of the most common and widely discussed forms of malware, and for a good reason. According to a cyber threat bulletin from the Canadian Centre for Cyber Security, 2021 saw the average recovery cost from a ransomware attack more than doubled between 2020 and 2021, from $970,722 CAD (roughly $757,852 USD as of the writing of this article) in 2020 to $2.3M CAD (roughly $1,795,380 USD) in 2021. The same bulletin revealed that the increased impact and scale of ransomware operations between 2019 and 2020 was largely fuelled by the “professionalization” of ransomware and the growth of the ransomware-as-a-service (RaaS) model, which involves less-technically-savvy criminals hiring skilled attackers to distribute ransomware campaigns, with attackers being paid a percentage of the victim’s ransom payment.
Ransomware is focused primarily on financial gain and is designed to encrypt files on an infected machine and hold them hostage until a ransom is paid. With the invention of cryptocurrencies such as Bitcoin, which don’t rely on a central authority such as a bank and are therefore more difficult for law enforcement to trace, has made it easier than ever for attackers to extort victims.
Ransomware frequently relies on social engineering to manipulate unsuspecting users into downloading infected email attachments or clicking on URLs from untrustworthy sources. Once a device is infected, the program typically creates a back door, which allows the attackers to covertly access the device and begin encrypting files while locking owners and other legitimate users out.
Even if your organization decides not to pay the ransom, you may still suffer financial loss. Employees who can’t access their work devices aren’t likely to get much work done, and your IT team and other technical specialists may need to be pulled away from other critical tasks to deal with the crisis. Depending on the nature of your business, even a few hours of downtime can have devastating consequences, as highlighted by the now-famous WannaCry attack that targeted the United Kingdom’s National Health Service (NHS) in 2017. The attack rendered the IT systems of hospitals and doctor’s surgeries inaccessible, which compromised medical care and put patient lives at risk. The attack knocked CT scanning facilities and MRI machines offline and left healthcare professionals unable to access vital data, including digital patient health records.
5. Malicious Adware
Adware, also called advertising-supported software, is legitimate software that is designed to display ads to a user when they are online, thereby generating revenue for the website’s owner. Though it is not inherently malicious, it can be used for malicious purposes.
While most legitimate organizations will carefully vet what sort of advertisements they allow to appear on their website (to ensure they don’t accidentally damage their brand by serving hateful or controversial content or drive business away by showing competitor ads), not all businesses are as meticulous as they should be. Cybercriminals may use malicious ads to trick unsuspecting users into downloading malware when they click on the ad or may use pop-ups, pop-unders (where the pop-up is intentionally hidden from view by the active window), or permanent windows that allow for drive-by downloads (where a user’s device becomes infected with malware simply by visiting the site). Malicious ads may also preemptively block antivirus programs from opening, further weakening your organization’s defenses.
Malvertising (malicious advertising) is similar to malicious adware. One key difference is that adware only targets individual users and relies on infected digital ads served via unsuspecting websites. Once a device is infected, adware operates continuously on that device unless actively removed. On the other hand, malvertising is served by the compromised web page itself (not via third-party adware programs) and only affects users while they are on the infected web page.
Like malicious adware, malvertising may take advantage of browser vulnerabilities to deploy drive-by-downloads. However, because the entire webpage (and potentially the entire website) is compromised, it can also forcibly redirect users away from the legitimate site to a malicious one or display advertising, malicious content, pop-ups, or pop-unders that the website’s owners did not intend to display. In the case of a forcible redirect, users may be brought to a different site infested with drive-by download malware (allowing attackers to compromise multiple sites and simply redirect them to the malicious site) or direct users to a site that looks almost exactly like the legitimate site as part of a wider phishing scam and attempt to trick unsuspecting users into handing over private information such as banking details or login credentials.
Malvertisements Cost Organizations More than Just Revenue & Site Traffic
While redirecting users to a different site impacts both website traffic and can compromise revenue streams, these are hardly the only potential costs. Website publishers may suffer reputational damage (since users are less likely to trust compromised organizations with their personal information going forward) and may be found legally liable for any damage suffered by users visiting their website.
Spyware differs from the other forms of malware we have discussed so far in that its goal is not to extort funds, steal sensitive files, or damage files but instead to, as the name suggests, spy on you and your organization. Spyware is designed to gather data without your consent and forward it to a third party.
Spyware can also refer to legitimate software installed by companies to monitor their workforce or programs, such as tracking tools embedded in websites that you visit that are used for advertising purposes. However, we will be focusing on malicious spyware deployed by cybercriminals against unsuspecting targets such as businesses so they can profit from stolen data, including proprietary data and usernames and passwords (obtained via keylogging software).
Malicious spyware is a type of malware that has been installed without your informed consent and is designed to monitor your activities and capture personal, confidential data, often via keystrokes, screen captures, and other types of tracking tools. This stolen data is then aggregated and either used by the party that gathered it or sold to other parties.
Malicious spyware is typically interested in confidential information such as:
Credit card numbers
However, it will also monitor your keyboard strokes, track your browsing habits, and harvest email addresses (including your own and those of the people and organizations you are corresponding with).
Unlike ransomware, spyware goes out of its way to remain undetected and obscure its activities. Spyware often embeds itself in other programs that users are likely to intentionally download and install, such as bundleware (bundled software packages), without the knowledge or consent of the company that is offering the legitimate software.
However, sometimes companies will purposefully embed spyware in their bundleware while describing and requiring you to agree to the spyware in the license agreement without explicitly using the term “spyware”, tricking users into voluntarily and unknowingly infecting their devices. Spyware can also infect devices using similar methods to other malware, including via compromised websites or malicious attachments. Trojan malware and malicious adware may also both include spyware.
Spyware can wreak havoc on any business environment, allowing cybercriminals to better:
Commit identity fraud
Disrupt business operations
Safeguarding Your Business From Malware
There are a few steps you can take to safeguard your organization against malware. These include:
Avoid Abandoned USBs
Attackers will often leave infected USB drives in publicly accessible places such as lobbies or parking lots in the hopes that some unsuspecting employee will pick it up and plug it into their machine. Should you come across an abandoned USB drive, you should report it to security and then hand the USB drive over to your cybersecurity team for further analysis and proper destruction.
Keep Your Software Up to Date
Software developers frequently release security patches, small programs designed to address known flaws and improve security. However, your organization can only take advantage of these improvements if the security updates are installed.
Invest in Antivirus Software
While antivirus software may not seem cutting edge anymore, it still plays a critical role in any cybersecurity strategy.
Think Before You Click
While most email providers include built-in antivirus scanning that flags potentially harmful attachments or links, it never hurts to be cautious. If you encounter a suspicious link or file, do not open it. Instead, you should forward the email to your cybersecurity team for further analysis. If the email is purportedly from someone you trust (such as your company’s bank or your boss) but seems suspicious, you should reach out to that person independently to verify that they are the real sender. You should also carefully read the sender’s email address on any email you receive.
For example, if your boss Jennifer Smith usually emails you from her work email ([email protected]com), but this email is from a different address, such as [email protected]org or [email protected], you should not reply to the email, but should instead reach out to your boss independently to verify that she sent the email. This is particularly important if the sender is asking you for sensitive or personal information, such as banking details or your password, or asking you to do something unusual, such as purchase a large number of gift cards or make changes to company banking details.
If someone sends you a URL, make sure you read it carefully. While you may be expecting a URL that directs you to www.yourbank.com and instead see www.yourbaank.com (note the extra ‘a’), you should once again independently verify that the sender is who they say they are before taking any action or handing over any information. It’s always better to spend a bit of time verifying than rush and take actions that could potentially compromise the safety and security of your organization.
Invest in Cybersecurity Training for All Employees
Even the most comprehensive and robust cybersecurity incident response plan and cutting-edge cybersecurity infrastructure depends on educated users for maximum efficacy. Ensure all employees undergo cybersecurity training as part of your onboarding process and periodically receive additional training.
Only Buy Devices from Trusted, Reputable Sources
While it may be more budget-conscious and environmentally friendly to purchase gently used devices, second-hand devices may offer more than you bargained for in the form of pre-downloaded malware. If you still intend to purchase second-hand equipment, make sure you do so from a trusted, authorized retailer of pre-owned devices and audit each item thoroughly for suspicious programs before connecting it to your network.
Opt for the Paid Version
One of the easiest ways to avoid falling victim to malicious adware is to opt for the paid, ad-free version of the software you are using whenever possible. Most organizations that offer premium subscriptions to otherwise ad-supported free products do not serve ads to premium users, so opting for the paid version can dramatically reduce your attack surface.
Vet Ads Partners Carefully to Avoid Malvertisement
Ad networks serve users ads from millions of advertisers, and most rely on real-time bidding, which means the ads shown on a website are constantly changing. This can make it difficult, if not nearly impossible, for individual website publishers to separate malicious ads from innocent ones. As such, it falls primarily on the ad provider to carefully vet ads, so it is critical that all website publishers choose their advertising partners with care.
Be Cautious About Cookies
With GDPR compliance affecting more organizations each day, almost all websites now ask users for their explicit permission before creating cookies. Cookies are considered by some to be a form of spyware, so make sure you only accept cookies from trusted sites and consider limiting your permission to essential cookies only.
Consider Using an Anti-Tracking Browser Extension
Not all of your browsing activities need to be tracked by third parties, whether for legitimate means like advertising or otherwise. Anti-tracking tools can allow you to better opt-out of omnipresent tracking, which helps keep your browsing activities and data private.
Apps are an increasingly common delivery mechanism for malware, particularly spyware. Before you download an app, make sure that you trust the company that developed it.
Limit App Permissions
A troubling trend in the app space is apps that ask for more generous permissions than they require. Many apps ask to access your microphone, camera, or location data without justifying why they need this information. To avoid handing over more data than you need or want to, you should regularly review your app permissions and ensure your current settings reflect your actual preferences.
Nothing is Ever Really Free
Are You Concerned About Malware? VirtualArmour is Here to Help!
While it may feel like malware is lurking around every corner, there are concrete steps you can take to better safeguard your organization and its data. In addition to the advice above, you should also consider partnering with a trusted MSSP like VirtualArmour. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring as well as industry-leading response times.
The Russian invasion of Ukraine has shocked the world, driving millions from their homes as they seek safety. However, in the internet age, wars aren’t fought in the physical world alone, and cyber warfare has become an increasingly serious threat.
While the Kremlin has denied they are behind the denial of service attacks, the disruption has brought concerns about the threat of cyberconflict into the spotlight. Ilya Vitayuk, the cybersecurity chief of Ukraine’s SBU intelligence agency, has stated that it is still too early to definitively identify the perpetrators behind the attack. This is because, as with most cyberattacks, the perpetrators worked hard to cover their tracks. However, he also added, “The only country that is interested in such … attacks on our state, especially against the backdrop of massive panic about a possible military invasion, the only country that is interested is the Russian Federation.”
Cyberattacks, even those specifically targeting Ukraine, could seriously impact the United States.
In response to the invasion of Ukraine, CISA (Cybersecurity and Infrastructure Security Agency) has issued a statement. Entitled Shields Up, it states (as of the writing of this article):
“While there are no specific or credible cyber threats to the US homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region. Every organization—large and small—must be prepared to respond to disruptive cyber activity. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber-attacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.”
However, as the Shields Up announcement indicates, cyberwarfare concerns are not contained to the national and international stage. Organizations of all sizes and in all verticals need to be taking appropriate steps to proactively safeguard their digital assets.
What Sort of Cyberattacks Should We Anticipate?
While we have no way of knowing exactly what sort of attacks the cyber warfare front of the Ukraine-Russia conflict will bring, we can look to a history of previous international attacks for guidance. According to Forbes, organizations should be prepared to handle:
Advanced Persistent Threats (APTs)
APTs is a broad term used to describe any attack campaign where an attacker, or group of attackers, establishes an illicit, long-term presence on a network in order to covertly mine highly sensitive data. Most intrusions of this nature that target private companies tend to focus on the theft of intellectual property, compromising sensitive data (such as employee or private user data), sabotaging critical infrastructure (such as deleting database data), or taking over websites with a goal of illegal financial enrichment, the strategies deployed against private companies can be used against nations and companies alike.
With cyber warfare on our doorstep, now is the time to batten down the hatches and strengthen your cybersecurity posture. By improving your overall security posture, you can proactively guard against ATPs by making it difficult for intruders to infiltrate your network in the first place, preventing them from establishing a covert, long-term presence.
Malware refers to any form of malicious software, typically spread by infected email attachments and suspicious website links deployed as part of phishing scams. While most email providers automatically filter out suspicious messages, one of the best steps organizations can take to improve their cybersecurity posture is to invest in employee cybersecurity training.
Cybersecurity is everyone’s responsibility, from the CEO down to the summer intern. Teaching workers to identify and report suspicious activities can stop an attack before it even begins, so all team members should receive robust cybersecurity training as both part of their onboarding process and on an ongoing basis.
Ransomware is a subset of malware, which uses malicious code to encrypt files and prevent legitimate users from accessing data or systems on either their individual machine or the organization’s network.
DDoS (Distributed Denial of Service) attacks are attempts to crash a web server or other online service by flooding the supporting infrastructure with more traffic than the network can reasonably handle.
This type of attack can be instigated by either a large group of attackers working together or a single attacker with a sufficiently large botnet (connected computers performing repetitive tasks as directed by the user in charge). The goal of DDoS attacks is to overload the server, forcing it offline and preventing legitimate users from accessing the organizations’ products or services.
Network Security Attacks
Network security attacks is an umbrella term for attacks aimed at disrupting an organization’s network and system for a variety of reasons, including causing service disruptions, stealing data, or corrupting files. While this is often done for financial gain, in the case of the cyberwarfare front of Russia’s attack on Ukraine, it is likely to be for political or military gain.
To help safeguard themselves from these types of attacks, organizations should be taking proactive steps to safeguard their networks from network breaches.
What Steps Should Your Organization Be Taking to Best Safeguard Your Digital Assets
Follow All Current Advice From Your National Cybersecurity Authority
The situation, both on the ground in Ukraine and in the digital sphere, is continually evolving, with new threats always on the horizon. To best safeguard your organization, it is vital to stay up to date on the situation and follow the current advice of your national cybersecurity authority.
In the European Union, organizations should follow the advice of ENISA (the European Union Agency for Cybersecurity).
Establish A Relationship With Local Governments in Jurisdictions Where Your Company Operates
In the United States, InfraGard is responsible for coordinating information sharing between critical infrastructure providers.
Organizations operating in the United Kingdom should review information provided by NCSC’s Critical National Infrastructure hub.
Organizations in the European Union should speak to their local CSIRT (Computer Security Incident Response Team) and CERT (Computer Emergency Response Teams) contacts. A full list of these can be found here.
In Germany, the BSI (Federal Office for Information Security) has released several cybersecurity warnings related to the situation. Current security warnings can be found here.
Even the most comprehensive, best-designed cybersecurity strategy can be easily undermined if your organization lacks interdepartmental trust. A solid relationship between stakeholders and your security team is critical if you want to keep your organization secure.
Clear, concise, focused, and on-point communication is critical, and there is no such thing as too much information. Too many stakeholder-security team conflicts are rooted in a lack of communication, miscommunications, or misunderstandings. Opening the lines of communication, and keeping them open, is an excellent way to build trust.
Honesty & Transparency
When it comes to cybersecurity, honesty is the best policy. When it comes to admitting fault, acknowledging a mistake, or delivering bad news, stakeholders and security teams alike appreciate honesty. By being honest about your organization’s current security posture (including any deficiencies), security and stakeholders can work together to fortify your organization’s cybersecurity posture.
On the other hand, lies, omissions, and misrepresentations cause cracks in your cybersecurity posture and foster inter-organizational distrust, with potentially disastrous consequences. All trusting relationships are built on a foundation of honesty.
Hard work, dedication, and commitment from both your security team and your stakeholders is critical for building organizational trust. Both sides of the table need to know that the other side is working hard to fulfill their obligations and is willing to own up to any mistakes or shortcomings. It’s a lot easier to build trust when you know the rest of the team has your back.
A Willingness to Listen & Accept Feedback
Communication is a two-way street, and both stakeholders and security teams need to be willing to listen and accept honest feedback and not dismiss the other side’s suggestions and concerns out of hand. When one side feels that the other isn’t taking their concerns, expertise, or advice seriously, it undermines the relationship and damages trust, weakening the organization and compromising its security posture.
Talk is great, but only when it is followed by concrete action. When either the security team or the stakeholders promise to do something, the other side needs to see that they will follow through. When we can’t trust our teammates to act on their promises, those promises become meaningless.
That being said, we are only human, and sometimes promises are broken. When this happens, it is critical to acknowledge that the promise was not honored, provide an explanation (budgetary concerns, staffing shortages, etc.), amend the promise so it can be reasonably accomplished, commit to action, and then act to fulfill the promise. A cycle of inaction and broken promises can impact more than your cybersecurity posture; it can poison your organization, driving away good workers and demoralizing those who remain.
Initiate a “Request for Intelligence” From Your Threat Intelligence Partner
You can’t adequately defend yourself if you don’t know what you are defending against. A request for intelligence is a comprehensive report compiled by your threat intelligence partner. When requesting your report, make sure you specify your intended audience (such as your board of directors or security team) and any specific concerns you may have so that your vendor can tailor the report accordingly and ensure all critical and relevant information is included.
A good request for an intelligence report should go beyond the normal overviews your partner is providing and should include specific concerns related to your vertical, industry, and operating locations. It should also provide information on threat actors you should be concerned about, as well as the TTPs (tactics, techniques, and procedures) those threat actors typically use.
Collaborate Closely With Your Security Vendors
Your security vendor needs to take a proactive role when it comes to preparing your organization for cyber conflict and defense.
Vendor account representatives can help ensure your organization receives the correct level of care and attention and help you get the most out of your security products and services.
You should also work closely with your product vendors to confirm turnaround times and automation options for ruleset and patch updates (to ensure your software automatically downloads and installs security patches as soon as they are made available).
A good vendor should be already communicating with you about the situation in Ukraine, but if you have not received any communications, you should reach out directly to your vendor, representative, or support team.
Keep an Eye Out for Disinformation & Misinformation
As such, it is vital to get your news from trustworthy sources and rely on the advice of local and national leaders as well as your security team to ensure you are getting the facts. As the situation continues to evolve, it is also vital that you are keeping your incident response plans up to date and keeping the lines of communication open both across your organization and between your organization and relevant third parties, such as your managed security services provider (MSSP) and relevant government bodies.
Consider Adopting Secure Communications Tools
Organizations that are concerned about the security and privacy of their business communications (including eavesdropping, data loss, communications metadata exposure, or non-compliance) should consider increasing communications security or switching to more secure communications tools. Organizations with employees in and around Ukraine should also be aware that those individuals may face communications disruptions.
Encrypted messaging and calling solutions like Element and Wickr are ideal for low-bandwidth environments and can be used to enhance the security of your everyday communications as well as work as out-of-band communication channels during incident responses. They can also be used to provide traveling executives with improved communications security. If you are concerned about the security of your current in-house communication tools or are looking to replace them with a more secure option, your managed security services provider can help you make the right choice for your organization.
Should an incident occur, your MSSP can help you respond effectively (mitigating, or even eliminating, damage), conduct a thorough investigation into the root cause of the incident, and help you prepare any reports required for relevant legislative bodies (such as GDPR, HIPAA, or CCPA).
Safeguard Your Endpoints & Practice Good Software Hygiene
One of the easiest yet most critical steps any organization can take to improve their security posture is to keep all their software up to date. When software developers discover vulnerabilities in their products, they release patches to address them. Cybercriminals often target recently patched software in the hopes that not all organizations have been as diligent as yours about installing new security patches. Installing patches takes a few minutes, and the process can often be automated and scheduled so that patches are installed during non-business hours to completely eliminate downtime.
Take Proactive, Preventative Steps Before an Incident Occurs
As the old saying goes, the best defense is a good offense. By being proactive and shoring up your cybersecurity defenses before an incident occurs, you stand a better chance of mitigating or even eliminating damage. Regular pen (penetration) testing, which involves hiring an ethical hacker to stress-test your defenses and search for vulnerabilities, can help highlight security deficiencies so they can be addressed before a cyber attacker is able to exploit them.
Investing in ongoing cybersecurity training is also critical: Employees who can’t identify potential threats are more likely to fall for things like phishing scams, and employees who don’t know how to respond to an incident won’t be able to respond effectively. As such, it is critical that you review your incident response plans regularly and make sure all relevant stakeholders are kept up to date.
You may also want to consider running tabletop scenarios. Tabletop scenarios work like cyber incident fire drills: Your team is presented with a hypothetical scenario and asked to respond, allowing them to put their cybersecurity training to use in a no-stakes environment. Tabletop scenarios not only familiarize your employees with potential threats and help them hone their response skills, but they are also a great way to identify and address security gaps before they can be exploited.
Concerned About Your Cybersecurity Stance? VirtualArmour is Here to Help!
The situation in Ukraine has put many organizations on edge, and trying to figure out how to shore up your organization’s cybersecurity defenses against cyber conflict may be overwhelming. Fortunately, the VirtualArmour team is always here to help.
We offer a variety of security solutions, including:
We have extensive experience working with organizations in a variety of highly-specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and industry-leading response times.
The situation in Ukraine is constantly shifting, and it can be hard to stay up to date and get the facts your team depends on to best inform your cybersecurity posture. To help you get the information you need, we have compiled a list of links to relevant organizations below.
Phishing is a form of social engineering where the attacker impersonates a trusted party for the purpose of gaining access to sensitive information like login credentials, personal information, or payment card data.
A company with 5000 employees will receive an average of 14,400 phishing emails each year—not including the ones caught by spam filters.
Phishing tactics are becoming more advanced over time, and phishing attacks are most common during the holiday season, when consumers often face increased stress levels.
SMS phishing scams are on the rise, so it’s vital to use caution if you recieve texts from a sender you don’t recognize.
Cybersecurity training for employees and visibility scanning are two essential ways to prevent and combat phishing scams. VirtualArmor can provide both of these services.
Phishing scams tend to peak during and around the winter holiday season, catching individuals and businesses alike unprepared. To help ensure you and your team have the information you need to identify and avoid these scams, we sat down with one of our VirtualArmour cybersecurity engineers to learn more about this common cybersecurity threat.
Phishing is a type of social engineering typically used to steal user data such as login credentials, personally identifiable information (PII), or payment card information. This type of cyber attack involves a threat actor masquerading as a trusted party (such as your bank) in order to trick you into opening an email, text message, instant message, or other electronic message and inadvertently handing over sensitive information such as personally identifiable information (such as your full name, birth date, or social insurance number) or payment information (such as your credit card number).
Phishing attacks pose a serious threat at both the personal and corporate levels. Though most email spam filters are able to stop the most egregious attempts at phishing, even the best filters and firewalls aren’t able to catch everything. Phishing scams continue to evolve, and the sheer number of phishing emails alone is staggering. Research into the volume of email, spam, and malicious attachments and URLs directed at companies found that a company with 5000 employees will still have an average of 14,400 phishing emails arrive in employee inboxes each year, and those are just the emails that were savvy enough to get past the spam filter.
With so many emails alone slipping past our defenses, employee training on how to spot and report potential phishing scams is key. However, many threat actors are changing tactics and moving away from email and towards other forms of electronic communication.
Phishing Tactics Have Evolved
When many of us think of phishing emails, we likely still picture some scammer pretending to be a fabulously wealthy prince from some faraway land promising riches in return to helping them covertly move money out of their home country (a common ruse referred to as an advance-fee scam).
The advanced-fee scam is a classic ruse that involves the threat actor asking you to help them by either transferring money to the target (purportedly for “safekeeping” or to evade authorities) while also asking you to pay a fee to help move the money with the promise that they will both send you money to cover the advanced payment and reward you handsomely for your cooperation.
Though this elaborate ruse has become cliche even outside of cybersecurity circles, unfortunately, many individuals and companies still fall for this and similar advance fee scams. A recent CNBC article found that these advanced fee scams still net cybercriminals well over $700,000 USD per year.
Why Do Phishing Scams Peak Around the Holiday Season?
Phishing campaigns typically soar in popularity over the holiday season in an attempt to prey on festive (and often frazzled) shoppers using increasingly sophisticated phishing scams.
One common example of a popular business-targeted phishing scam involves sending the target an email with a domain that appears to link to the company website and contain innocuous information (such as a festive meal menu with a .doc file extension, paired with an email asking the employee to please indicate their meal preference and dietary restrictions for the company party). However, though the email appears legitimate at first glance, a red flag such as a misspelled domain (for example, virtaularmour.com’ rather than ‘virtualarmor.com’, note the transposed ‘u’ and ‘a’) indicates that this email is likely malicious and should be both flagged as spam and reported to your company’s IT or cybersecurity team.
“Smishing” (SMS Phishing) Scams Are On the Rise
Though these types of scams tend to peak around the holiday season, they are still common year-round. The fake delivery text is a new form of this age-old scam that has been making the rounds and is rapidly becoming one of the most common formats for smishing scams.
One theory behind the rise in this particular style of phishing scam is the increase in lockdowns worldwide, prompting a rise in online shopping, particularly during the holiday period. Before clicking on any links in a suspicious text message, it is critical to verify whether the text message is legitimate (such as by calling your local post office or delivery depot to verify if there really is a parcel waiting for you).
How to Recognize (& Avoid Falling Prey To) a Smishing Attack
If you receive a suspicious text that may be part of a smishing scam, there are a few steps you can take to help avoid falling prey:
Never respond to a potentially suspicious text message. If a response appears to be necessary, respond via a verified official channel (such as calling your delivery company or local post office directly).
Never click on any links or phone numbers sent from a user you don’t recognize.
Never share any payment information or personally identifiable information, such as your social security number, birth date, or full name.
Report any messages that appear suspicious to the relevant authority.
In the United Kingdom, reports can be filed with the National Cyber Security Centre here.
In the United States, reports can be filed with the FCC here and FTC here.
A common example of a scam asking for payment information is a scammer posing as your bank and asking you to update your account information (usually under threat of being locked out of your accounts or some other undesirable outcome). In this case, you should contact your bank immediately via an official channel (most banks print a toll-free number on the back of their credit or debit cards or somewhere on your bank statement) and independently verify that your information requires updating. This not only helps you avoid falling victim to a potential phishing scam but also alerts your bank so they can warn other customers about the scam so they can avoid falling prey as well.
Investing in employee cybersecurity training is vital. When it comes to scams, your employees are one of your first lines of defense, which is why all employees, from the summer intern up to the CEO, should undergo regular cybersecurity training. To help set everyone up for success, you should also include cybersecurity training as part of your company’s onboarding process.
Vulnerability Scanning Offers Total Visibility Into Your Infrastructure
You can’t defend yourself against cybersecurity threats if you don’t know they exist. Vulnerability scanning helps ensure that no threat makes its way past your defenses by providing detailed information on threat intelligence, device health, threat mapping, and support ticketing. Being able to view all traffic on your network at all times is critical for spotting suspicious activities, so you can respond swiftly and effectively to safeguard both your data and your organization should a threat actor sneak past your defenses.
Social Engineering Takes Many Forms
Many of these attacks depend on social engineering. Social engineering involves manipulating potential victims into revealing personally identifiable information and can be used to access either personal or organizational accounts. Social engineering attacks typically rely on consistent communication between the attacker and the target and frequently take the form of text messages, instant messages, or emails.
As COVID-19 continues to force workers to trade their desks at work for their kitchen tables, spare rooms, and home offices, attacks of this nature are becoming more frequent and more effective. This, combined with more mundane but still frustrating events such as a purportedly missed delivery (which you can conveniently reschedule by clicking on this completely legitimate link), has created an ideal environment for threats like phishing scams to flourish.
Worried About Phishing Scams? VirtualArmour is Here to Help
In 2021, GoDaddy’s Managed WordPress hosting environment was accessed by an unauthorized third party using a compromised password.
The hack accessed the personal data of an estimated 1.2 million Managed WordPress customers, exposing them to potential phishing attacks.
Other web hosting providers are also vulnerable to these attacks, which fall into three categories: general web hosting vulnerabilities, shared hosting vulnerabilities, and VSPs and cloud-hosting vulnerabilities.
Following website best practices, creating an incident response plan, and investing in cybersecurity training for employees can minimize your organization’s risk and help you avoid similar threats.
GoDaddy responded swiftly and effectively, working with law enforcement and an IT forensics firm to thoroughly investigate the incident and take appropriate steps to safeguard users.
On November 17, GoDaddy identified suspicious activity inside their Managed WordPress hosting environment, triggering an internal investigation with the help of an IT forensics firm. It was later determined that an unauthorized third party had used a compromised password to access the provisioning system for their Managed WordPress legacy codebase.
In response to this troubling discovery, GoDaddy immediately blocked the unauthorized third party from their system and began alerting affected users.
So far, the investigation reveals that the unauthorized third party had been using these compromised credentials to gain access to the system beginning on September 6, with a goal of obtaining private customer information, including:
The email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress customers were accessed, which the company said may increase the chances of phishing attacks.
The original WordPress Admin passwords set on these accounts, which were also exposed. As a preemptive measure, any account still using its original WordPress Admin password was subject to a password reset.
SFTP and database usernames and passwords of active users. Once this was discovered, GoDaddy immediately reset the passwords on these accounts.
The SSL private keys of a subset of active customers. To address this, GoDaddy immediately began issuing and installing new certificates on affected accounts.
The investigation is ongoing, and in addition to the actions outlined above, all impacted customers will be contacted directly by the GoDaddy team and provided with specific details. Customers can also contact the GoDaddy team via their online help center, which also includes country-specific phone numbers.
It Isn’t Just GoDaddy; All Hosting Providers Are Vulnerable
Common web host vulnerabilities fall into three main categories: general web hosting vulnerabilities, shared hosting vulnerabilities, VPS and cloud hosting vulnerabilities:
General Web Hosting Vulnerabilities
This is when attackers attempt to use publicly available exploits to hijack your web servers and use your infrastructure as part of a botnet (connected computers instructed by a third party to perform repetitive tasks) to attack other organizations.
Less secure web hosting providers are particularly vulnerable. However, once these vulnerabilities are discovered, they are typically patched fairly quickly.
DDoS (distributed denial of service) attacks flood web servers or other online services with traffic in an attempt to crash the system. This can be done either by a large group of cybercriminals or a single criminal commanding a botnet. The goal of DDoS attacks is to overload the server and prevent legitimate users from accessing a company’s services or products.
Web Server Misconfigurations
Many basic website owners, particularly those using low-cost shared hosting, often have no idea whether or not their servers have been correctly configured. This is problematic because misconfigured servers are often left vulnerable and may be running unpatched or outdated applications.
Incorrectly configured servers may also be unable to accurately verify access rights, and hiding restricted functions or links to the URL alone is unlikely to deter attackers. This is because attackers are likely technologically savvy enough to guess the probable parameters and typical locations of this sensitive information and then simply use brute-force attacks to gain access.
Shared Hosting Vulnerabilities
If having your own server is like owning a single-family home, shared hosting environments act more like apartment buildings, where each account has its own unit within the larger structure. Unfortunately, that means a single attack can impact all of the accounts on a single server.
Organizations that op for shared hosting accounts are particularly vulnerable because these types of accounts exist like large pools of data. Though each account is allocated its own select resources, they all exist within a single environment, so all data, content, and other files occupy the same space and are only divided based on the file structure.
Since all of this data is stored in one location, shared hosting sites are intrinsically linked. This means that if an attacker is able to access the main directory, all sites within the pool may be at risk, and a single compromised account could provide the attacker with a way into the supposedly closed system.
All types of hosting accounts can contain software vulnerabilities, but shared servers are typically more at risk. This is because the large number of accounts per server means that each server is likely to host a variety of different applications, each of which will need to be updated regularly to take advantage of security patches and other updated security measures. A single unpatched or out-of-date application may leave the entire server vulnerable.
Malware (Including Ransomware)
Malware, and particularly ransomware, is a growing problem. Though a ransomware attack may target any hosting provider, shared hosting servers are particularly ill-adapted to contain such an attack. Because multiple accounts are hosted on a single server, it is easy for a ransomware attack to spread from one company’s account and infect the rest of the accounts on the same server.
Shared IP Addresses
Shared hosting accounts also share IP addresses, with multiple sites typically being identified by a single IP address, much like all units in a single apartment building share one street address. Unfortunately, this means that if one account is compromised and begins sending out spam or otherwise behaving badly and is blacklisted by a company or service, all other sites sharing that IP address will be blacklisted as well.
This is problematic because getting an IP address removed from a blacklist is typically quite difficult, and organizations are unlikely to cooperate if one of the accounts attached to that IP address continues to behave badly or disregard the organization’s terms of service.
VPS & Cloud Hosting Vulnerabilities
Though virtual private servers (VPS) or cloud hosting options are typically more secure than shared hosting options, they are still vulnerable. Attackers often target these types of hosting accounts because of the advanced interconnected nature of these servers, presenting a lucrative payday for hackers. As such, these types of attacks are also typically carried out by more experienced attackers using advanced methods.
Cross-Site Security Forgery
Cross-site security forgery, also called cross-site request forgery (CSRF), is a flaw that generally affects websites built using unsecured or poorly secured infrastructure. For convenience, many users save their credentials on select platforms, which can be a risky decision if the corresponding website is not secure.
During a CSRF attack, the end-user is forced to execute an unwanted action, such as automatically transferring funds, on a web application in which they are currently authenticated. Using social engineering (such as sending a compromised link via chat or email), an attacker may be able to trick users of a specific web application into doing what the attacker wants without the attacker having to bother trying to determine a username or password.
This works because the attacker has already queued up the action they wish to perform (such as transferring funds) and because the credentials are saved when the unsuspecting user clicks the link, they are automatically logged in (because their credentials are saved), and the application will go ahead and complete the action before the user is even aware of what happened.
This can be particularly devastating on admin accounts and can compromise the entire web application.
SQL injections work by extracting data, such as customer information or financial data, from a system as the data is sent to and from your database server. If this route is not secure, attackers can insert SQL scripts into the infrastructure and scan all data queries before they even reach the server.
This attack works like a postal delivery worker opening and reading all of your mail and copying down any private information they discover before delivering your letters and parcels.
Exploiting XSS Flaws
Harmful XSS-based scripts are small programs that can be used to either access confidential information or redirect legitimate users to fraudulent websites.
Though this attack is most commonly used by attackers looking to capture usernames and passwords or trick users into entering their credit card number or other sensitive information into a fraudulent website (such as one that is designed to look almost exactly like your bank’s website), this technique can also be used by organizations to carry out fraudulent business operations.
Cryptography algorithms typically rely on random number generators, but not all random number generators are made equal, and some random number generators may produce easily guessable numbers which attackers can use to their advantage.
Virtual Machine Vulnerabilities
Multiple virtual machines can be run on top of hypervisors in physical servers. However, if there is a vulnerability in the hypervisor, attackers may be able to infiltrate the system remotely and gain access to all virtual machines hosted on a physical server. Though this type of attack is rare, it is still possible, and organizations that use virtual machines should take appropriate steps to safeguard their infrastructure.
Supply Chain Weaknesses
One of the benefits of cloud hosting is resource distribution, but unfortunately, this can also be a source of vulnerabilities. If not all organizations in the cloud supply chain are as studious as your organization about security, they could leave the entire chain vulnerable.
APIs (application user interfaces) are designed to help streamline cloud computing processes, but they can allow attackers to easily infiltrate your cloud infrastructure if they aren’t secured properly.
Reusable components are incredibly popular, which can make it difficult to safeguard your organization against this type of attack. In an attempt to gain unauthorized access, an attacker can simply try basic access attempts repeatedly until they find a single vulnerability that allows them into the system.
Steps You Can Take to Protect Your Organization & Your Website
In the modern era, it is an unfortunate truth that it isn’t so much if your organization will experience a cybersecurity incident, but when. Luckily, there are steps you can take to safeguard your website and your organization as a whole.
If you have a static site, you should ensure that you have an SSL certificate and keep your software up to date. You should also keep an eye on your website using uptime monitoring programs so that you are altered any time your site undergoes an unexpected content change.
By keeping an eye on your website, you can quickly learn if an incident has occurred, allowing you to mitigate or even prevent damage if your website is defaced or otherwise compromised.
For WordPress or Other Database Websites (Like Those Impacted by the GoDaddy Attack)
There are a few things you can do to better safeguard your WordPress website. This includes implementing a robust username and password policy and adding multi-factor authentication. If you need to store passwords on your website for any reason, you should ensure that all passwords are encrypted, and you may want to consider using OAuth or another third-party identity management site.
You should also consider implementing rate limiting or limiting user logins based on the number of failed login attempts. This can help safeguard your website from brute-force attacks. You should also strongly consider changing your admin username from the default “Admin” to something harder to guess.
Rate limiting can help safeguard your website from botnets involved in brute force attacks. Rate limiting allows users almost unlimited login attempts but artificially installs a delay between each attempt. Even a seemingly insignificant delay of a second or two can slow down a brute force attack, buying your organization more time for someone to notice something is amiss and take appropriate action.
You should also seriously consider changing your login path from the default URL. WordPress is the most commonly used content management system on Earth, and many WordPress websites continue to use the /wp-admin/ login path. As such, attackers may use this knowledge to quickly locate and access your login page. By making the login page harder to find, you can help dissuade attackers or at least buy your team more time to respond.
Interview Your Hosting Provider & Review Your SLA Carefully
The GoDaddy security incident has demonstrated how much a website’s security depends on the security of its hosting provider. Though life, and cybersecurity, in particular, offer no guarantees, here are a few questions you should ask your hosting provider in light of this recent attack.
Ask your hosting provider how they monitor their network. Suspicious activities can’t be stopped if they aren’t detected, so you want to make sure your hosting provider is carefully monitoring their internal network by asking them how their network is monitored, who is responsible for monitoring, and what sort of red flags they are actively looking for.
Ask about their antivirus and malware scanning and removal processes. Malware continues to be a threat, so you need to know what sort of malware protection your host offers and what steps they take to secure your website. You should also ask if their support team is scanning your account and request a copy of these internal reports. You also need to be clear on what will happen if your account is infected and what steps your hosting provider will take to help you identify and remove malware on your website.
Don’t forget SSL, firewalls, and DDoS prevention. You should also ask your provider what sort of protocols they have in place to prevent cyberattacks like the one experienced by GoDaddy. You should also find out if your hosting provider offers SSL certificates or if that is something your team will need to handle. Most providers don’t handle SSL certificate implementation, but they do need to provide you with the certificate so your team can implement it.
You should be able to find at least some of this information in your SLA (service level agreement), but if the answers to any of these questions are missing, you should reach out to your contact at your hosting provider for more information.
You should also lock down your folders and subdirectories to make it more difficult for unauthorized users to access exploits or vulnerabilities associated with back-end software and upload files containing malware. You should also consider adding bot filters and maintaining an active blacklist to help you filter out bots and prevent brute-force attacks.
Create an Incident Response Plan & Invest in Cybersecurity Training for All Employees
When it comes to cybersecurity, it is always best to be proactive instead of reactive. A robust incident response plan in place will allow you to respond to attacks quickly and effectively while helping limit damage and make your recovery smoother.
In their statement, GoDaddy specified that customers whose email addresses were exposed are now more likely than ever to be targeted by phishing attacks. However, all organizations should ensure their employees know what sort of red flags to look for when it comes to phishing scams. To help improve your employee cybersecurity training and educate your team, please consider reviewing our educational article Don’t Let Phishing Scams Catch You Unaware.
Whether your organization has been directly impacted by the GoDaddy security incident or not, now is an excellent time to review your website’s cybersecurity best practices. For more information, or to start improving your cybersecurity stance, please contact our team today.
Vulnerability scans provide visibility of your cybersecurity posture’s weaknesses before cybercriminals can exploit them. They look for weak points in your software and firmware, plus configuration issues in your network’s endpoint devices.
Vulnerability scans for SMBs should check for weaknesses in software, web applications, and encryption configurations. They should also look for potential information leaks and ways to reduce your attack surface.
Free vulnerability scanning tools (like Burp Suite, Nmap, Wireshark, and OpenVAS) exist but are usually limited in scope.
VirtualArmor provides one-time vulnerability scans for compliance purposes and managed security scanning conducted by experts who use the data they collect to keep improving your cybersecurity posture over time.
Cyber attacks, and ransomware attacks, in particular, are on the rise, and this troubling trend is likely to continue. Having an effective incident response plan in place is vital for protecting your organization and its digital assets, but even the best plan is only as good as the facts that inform it.
To create a solid incident response plan, you need specific, actionable information about your current cybersecurity posture. A vulnerability scan gives your cybersecurity team invaluable insight into your current cybersecurity posture’s weaknesses or deficiencies so those cracks in your armor can be addressed before cybercriminals are able to use them against you.
A vulnerability scan involves having trained cybersecurity experts evaluate your IT infrastructure for software and firmware vulnerabilities, as well as evaluate all devices that connect to your network for configuration issues that pose security gaps. Using this valuable information, your cybersecurity team or partner can develop strategies and solutions to address these shortcomings before cybercriminals are able to leverage them and sneak past your defenses.
Whether you opt for a one-time engagement scan or ongoing vulnerability scanning as part of a larger suite of managed services (such as managed SIEM), a vulnerability scan is a critical component of any robust cybersecurity posture.
What Should All SMBs Look for in their Vulnerability Scans?
What weaknesses your vulnerability scan will look for will vary slightly between organizations, but all comprehensive scans should assess your systems for:
Software vulnerabilities are the most common vulnerability discovered. This type of scan involves checking for known weaknesses in all the third-party hardware and software your system relies on. These known weaknesses are discovered by security researchers and typically only pose an issue in select versions of particular technologies.
When software engineers employed by software companies discover a vulnerability or other issue in their code, they create security patches (small corrective snippets of code) to address the issue. However, you can only take advantage of the security patch if you download it, which is one of the many security reasons you should be keeping your software up to date. Cybercriminals frequently try to exploit known vulnerabilities in recently patched software in the hope that not all organizations are as studious as yours about keeping their software up to date.
Web Application Vulnerabilities
Another common type of vulnerability cybercriminals often seek to exploit are security gaps in web applications, which can be used to gain unauthorized access to sensitive data, compromise your web server, or attack web application users.
Whether you are using third-party applications designed by other companies or proprietary in-house applications, make sure any vulnerability scan you commission includes web application vulnerability scanning.
Common Misconfigurations & Mistakes
Sometimes the issue isn’t the software or the hardware, but the people using it or configuring it. Incorrectly configured software can inadvertently leave your entire system vulnerable, and you may not even realize it.
Not following established security best practices can also leave your network vulnerable. After all, investing in a high-quality, unbreakable lock is only useful if you don’t leave the key under the mat (or your password written on a sticky note under your keyboard).
Make sure you have security best practices in place and that those practices are effectively communicated to all network users. Investing in employee cybersecurity training can not only help curtail network vulnerabilities but can also help secure your network in other ways by making it less likely employees will fall for phishing scams (or other social engineering based attacks). Security-minded employees are also better able to identify potentially suspicious activities (such as strange network traffic), so they can alert your security team.
Encryption Configuration Weaknesses
A good vulnerability scan will also assess the encryption configurations used to safeguard data in transit between your users and your servers.
An effective strategy for improving your cybersecurity posture is to limit your attack surface area. You should only publicly expose core services or systems if you absolutely have to, and those exposed surfaces should be continuously monitored for suspicious activities. When choosing a vulnerability scanner, make sure you select one that assesses your attack surface area for issues such as unprotected ports and services that are exposed to the wider internet. Examples of vulnerable attack surfaces include exposed databases, exposed administrative interfaces, and sensitive services such as SMB (server message block).
Information leaks involve exposing information to end users when that data should remain private.
In addition to assessing your system, the final report of your vulnerability scan should include both the weaknesses discovered (in plain, accessible language so that even non-technical team members are able to understand what was discovered) as well as concrete, actionable recommendations for remedying the situation. When it comes to cybersecurity, information is only useful if it can be easily understood and actioned upon. That’s why it is vital you choose a cybersecurity partner whose goal is to educate and inform your team and help you improve your cybersecurity posture.
Not all vulnerability scans will include checks in all of the above categories, and the quality and number of checks a scan includes will vary between organizations. As such, it is critical to do your research before conducting a scan, particularly if you are opting for a paid option, to ensure the scan will meet your needs.
Free vs Paid Vulnerability Scanning
User Beware: “Free” Doesn’t Always Actually Mean Free
Also, the term “free” can vary from scanner to scanner, with some offering a free trial, a free version for non-commercial use only, or limited functionality at the free tier. As such, make sure you are clear about what the free version does and does not include before you sign up and do your research to ensure the free scan will actually give you the information you need in a format you can actually use to improve your security posture.
Just Because You Aren’t Paying with Money Doesn’t Mean There Isn’t a Cost
When it comes to many “free” vulnerability scans, you may not be paying with money, but there is still a cost. These tools are often limited in scope, so you likely aren’t getting the whole picture. This can lead to a false sense of security as you metaphorically check that the front door is locked while leaving the back door wide open.
As you will soon see, these tools are also frequently not very user friendly (at least for individuals who aren’t already technology experts), which can mean either hiring a tech expert just to perform your free scan or setting time and personnel aside to learn how to use this product, pulling them away from critical tasks. Free software is typically developed on an extremely limited budget, and UX design is often an “extra” that is left out, making it difficult for even the most technically inclined to get useful information out of these tools.
Free vulnerability scans are also not carried out by teams of experts and are frequently just tools you can use to assess select aspects of your infrastructure on your own, so even the most comprehensive versions will still require your team to take the information they have gathered and turn it into actionable suggestions.
Paid options are almost always more user-friendly and typically come with ongoing support and guidance. They are more likely to offer a polished, easy-to-understand report detailing what vulnerabilities were discovered, as well as actionable advice on how to address these issues and improve your security posture.
Top 4 Free Vulnerability Scanning Tools (& What They Can Tell You)
While paid vulnerability scan options typically yield more detailed and in-depth information (and cover a wider range of checks), free scanning tools can help small organizations on a tight budget assess specific areas of their networks (such as their web applications or security patches).
However, these scanning tools tend to be limited in scope, so you may need to run several in order to piece together a full list of all vulnerabilities on your network.
Burp Suite (Owned by PortSwigger)
Burp Suite is a popular web vulnerability scanner used by a variety of organizations and offers a free version (referred to as their Community Edition). However, this free version has limited functionality and does not include automation capabilities. This version contains essential manual tools and is mostly aimed at researchers and hobbyists.
Burp Suite is Java-based and can be used to check for SQL injections, cross-site scripting (XSS), and other web vulnerabilities, as well as for security auditing and compliance purposes.
Nmap bills itself as a pen-testing tool but works more as a port scanner. Nmap scans your network and flags ports that are vulnerable, which can aid in pen-testing. In addition to port scanning, Nmap can also look for other vulnerabilities in your systems and networks, monitor host uptime, service uptime, and map network attacks when they occur. By pointing out potential weaknesses, it has its strengths as an auditing tool, but it isn’t able to actually show users how the vulnerabilities it discovers could be penetrated.
Nmap is an open-source tool aimed at ethical hackers looking for network weaknesses. Like all open-source software, Nmap is free, but like other open-source programs, it isn’t particularly easy to use unless you are already familiar with using open-source software.
Wireshark is a well-known open-source network protocol analyzer designed to help with select network vulnerability scanning tasks. It relies on packet sniffing to understand your network traffic patterns, which is useful for network administrators looking to design effective countermeasures.
By detecting suspicious network traffic, Wireshark can help you discover errors and detect if an attack is underway, categorize the attack, and help you implement rules to protect your network. However, like other open-source options, it isn’t particularly easy to use for the non-technically inclined and will need to be carefully managed and configured in order to meet your organization’s needs.
The Open Vulnerability Assessment System (OpenVAS) is a free, open-source platform offering a variety of vulnerability management services. Designed as an all-in-one scanner and maintained by Greenbone Networks, it is designed to perform over 50,000 vulnerability tests and is updated daily.
OpenVAS is designed to run in a Linux-based environment and is aimed at experienced open-source users looking to perform pen-tests or targeted scans. However, like the other open-source tools in this list, it isn’t particularly easy to use for the non-technically savvy, and installing and using this tool poses a significant learning curve. Because it is so difficult to install and learn to use correctly, it can take a lot of time to get up and running smoothly, which can eat up employee time and pull them away from other tasks.
What Information Does Your VirtualArmour Vulnerability Scan Contain?
VirtualArmour offers both one-time vulnerability scanning engagements (vulnerability assessment) and ongoing managed security scanning (vulnerability scanning premium).
One-Time Scan: Vulnerability Assessment
Our one-time vulnerability assessments include both an external scan and a certificate scan and can be useful for auditing purposes or to prove compliance.
Our ongoing vulnerability scanning solution (Vulnerability Scanning Premium) is designed to expose and notify you of potential security gaps in your environment before they can be exploited by cybercriminals. As part of this process, our team of experts will identify:
Software and firmware vulnerabilities
Weak security policies and configurations
Outdated software and operating systems that could be used to penetrate your endpoints and infrastructure
Our team will also scan and audit your publicly exposed resources (such as file servers and web applications) with the goal of minimizing your attack surface as much as possible.
Vulnerability Scanning Premium can also be integrated with our managed SIEM option, offering more comprehensive data and additional context for alerts.
Vulnerability Scanning Premium also includes:
Custom vulnerability severity levels
Defined processes and escalation procedures
A record of all vulnerabilities detected across your environment, both on-premises and in the cloud
Threat intelligence feeds
SIEM platform enrichment using vulnerability analytics
This premium option also offers both periodic and on-demand reports, so you always know exactly what is going on, improving your organizational agility by making it easy to respond to issues as they come to light. All asset vulnerabilities are correlated with network configuration and traffic data, allowing us to identify active attack paths across your network. This vital information is used to simulate threat vectors and predict how a theoretical attack could potentially spread across your network. This can help you adjust your incident response plan as necessary and help you take a proactive rather than reactive approach.
In addition to these security benefits, continuous vulnerability scanning can help ensure your organization is complying with relevant legislation, helping you avoid the costly fines associated with noncompliance. Our team of security engineers will continuously analyze the results of your vulnerability scans and use this information to craft concrete, actionable recommendations designed to improve your overall security posture across your organization’s infrastructure, from core to cloud.
For more information about the importance of vulnerability scanning, or to learn more about our vulnerability scanning options, please contact our team today.