Virtual Armour
Top 5 Financial Industry Cyber Attacks

Summary

  • The financial services industry faces significant pressure from a cybersecurity perspective
  • The top cyber attacks in the financial industry include phishing, ransomware, DDoS attacks, local file inclusion, and insider threats (users or employees)
  • Being proactive to prevent these types of attacks from taking place is critical

The financial industry suffers from more cyber attacks than any other, and that should come as no surprise. After all, cyber attacks are normally motivated by one of two factors: gaining maximum profits or inflicting maximum damage. Targeting a financial institution responsible for massive quantities of private, corporate, or even public funds—like a bank or an insurance company—is an effective way to do both. No wonder the industry now experiences an average of one cyber attack every 10 seconds.

The costs of these attacks are often severe, too. The average cost of a data breach in the financial industry is $5.72 million, according to info from IBM. That means it’s vital for financial institutions to take precautionary measures against likely cyber threats—and to help you, we’ve compiled a list of the most common cyber attacks financial organizations face. Read the list below to learn more about how much these attacks can cost you and how you can prevent them.

Phishing

Phishing attacks rely on fraudulent communications, usually disguised to appear as messages from key partners, clients, or other stakeholders in the organization. In the financial sector, these could appear at first glance to be emails from investors, regulators, or vendors.

Email phishing is the most common kind: a hacker simply sends a legitimate-looking email to an employee at a company in an attempt to make them volunteer sensitive information or download malicious software. But it’s also not uncommon for hackers to use fake links (HTTPS phishing) to direct victims to pages that download malware to their devices and let hackers steal data from them.

  • Cost: phishing scams cost the average large organization nearly $15 million each year.
  • Collateral damage: phishing doesn’t just cost a company money—it can also result in a loss of intellectual property, disrupt operational activities, and damage the institution’s reputation. Phishing attacks that target company leadership (called whaling attacks) can have particularly devastating consequences.
  • How can it be prevented? Improve your endpoint security. When a device on your network is compromised with malware from a phishing attack, you likely only have 10-30 minutes before it spreads to others. Our endpoint detection and response services can isolate your devices as soon as they are compromised and contain the threat until it can be dealt with.

Ransomware

Ransomware is a type of malware that makes a device unusable until the victim pays a given amount of money to the hackers who control it. In a recent poll of financial organizations affected by cyber attacks, nearly 75% reported being affected by ransomware hacks.

  • Cost: in a six-month period during the previous year, the US Treasury Department’s financial crimes unit reported more than $5.2 billion in bitcoin payments related to ransomware attacks.
  • Collateral damage: ransomware can do more than make an endpoint unusable—it can also give hackers control over the data that endpoint can access. Often, the hackers will threaten to release this data unless the ransom is paid, so ransomware often creates a “Sophie’s Choice” situation where a business is forced to choose between its profits and its reputation.
  • How can it be prevented? Hackers often use phishing emails to get ransomware onto your devices, so endpoint protection is important here, too. But adding in frequent vulnerability scanning (which identifies weaknesses in your network security so they can be resolved) and an up-to-date firewall (which blocks unauthorized traffic to and from your network) also play key roles in stopping this common type of threat.

DDoS Attacks

A Distributed Denial of Service (DDoS) attack occurs when a threat actor purposefully overloads your organization’s network with traffic to disrupt normal business operations and potentially divert cybersecurity resources so that other hacks can be attempted with a greater chance of success. More than 50% of reported DDoS attacks are against financial institutions such as commercial banks and payment card processing companies.

  • Cost: most credit card companies process thousands of transactions per second, so a successful DDoS attack can cost millions of dollars in lost revenue every minute.
  • Collateral damage: during a DDoS attack, an organization’s internal cybersecurity resources are often diverted to fix the disruption in services. During this time, detection time for other threats can increase, making them more likely to succeed.
  • How can it be prevented? Knowing how to configure your firewall to block unwanted traffic can reduce the possible areas a DDoS attack can target. Virtual Armor’s managed firewall services can be configured by our experts to make these attacks as ineffective as possible against your network.

Infographic: how LFI attacks work (via Spanning.com).

Local File Inclusion

Local file inclusion (LFI) attacks are among the most common kinds of web application attacks in the financial sector, making up nearly 50% of web application attacks on financial organizations in recent years. LFI attacks target the web applications used by financial institutions and attempt to make them display or run files on the server, revealing sensitive data.

  • Cost: LFI attacks are often used to make other cyber crimes possible, so the exact costs involved with them can be difficult to pinpoint. However, given that they are commonly used to create data breaches and that the average cost of a data breach in the financial sector this year is $5.72 million, it’s easy to see why they represent a major threat.
  • Collateral damage: LFI attacks can expose an organization’s clients who use its web applications to Denial of Service attacks, data theft, and website defacement. LFI attacks can also lead to cross-site scripting (XSS) attacks, where malicious code is injected into a web-based application and affects every person who uses it.
  • How can it be prevented? Regular vulnerability scanning plays a vital role in identifying areas where your organization’s web applications can be compromised. Virtual Armor offers vulnerability scanning as an independent service and as part of our SOCaaS option.
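The pattern behind an LFI flaw, and the two checks that close it, shown in Python as an added example (not code from the article or from Virtual Armour). The template directory, page names, allowlist and file contents are constructed so the script runs offline.

```python
"""Local file inclusion: an unsafe page loader beside a hardened one.

Added example, not code from the article. The directory layout, page
names and file contents below are constructed so the script runs offline.
"""
import os
import tempfile

# Constructed sandbox: a templates directory holding two pages, and one
# configuration file outside it that a web handler must never serve.
ROOT = tempfile.mkdtemp(prefix="lfi-demo-")
TEMPLATE_DIR = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATE_DIR)
for _name, _body in {"home": "<h1>Home</h1>", "rates": "<h1>Rates</h1>"}.items():
    with open(os.path.join(TEMPLATE_DIR, _name + ".html"), "w") as fh:
        fh.write(_body)
with open(os.path.join(ROOT, "db.conf"), "w") as fh:
    fh.write("password=constructed-secret")

ALLOWED_PAGES = frozenset({"home", "rates"})  # hypothetical allowlist


def render_unsafe(page: str) -> str:
    """Vulnerable pattern: a request parameter is joined onto a base path
    with no validation, so the caller decides which file gets read."""
    with open(os.path.join(TEMPLATE_DIR, page), "r") as fh:
        return fh.read()


def is_confined(base_dir: str, requested: str) -> bool:
    """True only if 'requested', resolved against base_dir with symlinks
    and '..' segments collapsed, still lies inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


def render_safe(page: str) -> str:
    """Hardened pattern with two independent checks:
    1. only names on a fixed allowlist map to a file at all;
    2. the resolved path must still be inside TEMPLATE_DIR (defence in
       depth for the day the allowlist is relaxed to user-supplied names)."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    filename = page + ".html"
    if not is_confined(TEMPLATE_DIR, filename):
        raise ValueError("resolved path escapes the template directory")
    with open(os.path.join(TEMPLATE_DIR, filename), "r") as fh:
        return fh.read()


def try_render_safe(page: str) -> str:
    """Convenience wrapper that reports a rejection instead of raising."""
    try:
        return render_safe(page)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("unsafe  ../db.conf ->", render_unsafe("../db.conf"))  # the file outside the web root is served
    print("safe    home       ->", try_render_safe("home"))
    print("safe    ../db.conf ->", try_render_safe("../db.conf"))
```

A vulnerability scanner finds the first function; the second shape is what the fix should look like in your own code.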

Infographic: malicious insiders versus inadvertent insider threats (via Ekran).

Insider Threats

Insider threats occur when someone within your organization is responsible for a cybersecurity threat. This can happen deliberately (malicious insiders), but that’s not always the case—sometimes, employees just make mistakes or don’t have the resources to adequately protect your organization from a potential breach (inadvertent insiders).

  • Cost: the average cost of these incidents is upwards of $15 million in 2022.
  • Collateral damage: the average financial sector employee has access to over 11 million records on their first day of work. That makes the extent of the damage an internal threat can cause potentially limitless.
  • How can it be prevented? Hiring Virtual Armor to provide SOCaaS takes pressure off your existing cybersecurity team and puts the most sensitive parts of your cybersecurity infrastructure in the hands of our trained professionals. Simply put: the more of your cybersecurity we handle, the less of a risk you face from your own employees.

Protect Your Organization from Cyber Attacks

Strong cybersecurity isn’t optional for financial institutions—there’s simply too much to lose. To learn more about how Virtual Armor’s solutions can bolster your cybersecurity capabilities, contact us immediately and speak with a member of our team.

The 7 Most Common Types of Malware

Last updated August 19, 2022

Summary:

  • Malware is software designed to steal data, damage equipment, or spy on users.
  • Viruses infiltrate a program or device and then spread across a network.
  • Worms are viruses that self-replicate and spread without human action.
  • Trojans disguise themselves as legitimate code or software, but allow attackers to carry out the same actions as authorized users.
  • Ransomware restricts access to a device and gives control of it to an attacker unless a sum of money is paid to them.
  • Malicious Adware uses ads to lure users to download other types of malware or visit sites that will automatically infect their devices.
  • Malvertising is similar to malicious adware, but is delivered through a compromised website and only affects users while they are visiting it.
  • Spyware is malware designed to gather a user’s data without their consent or knowledge.

In the internet age, organizations in all verticals are increasingly relying on digital tools to get the job done. From seemingly mundane tools such as email and digital calendars to highly specialized programs, more work than ever relies on digital and internet-connected tools, including the cloud. Unfortunately, this rapid increase in digital interconnectivity has brought with it a sharp rise in digital crime, including the distribution of malware. 

If your organization has recently been targeted or is currently being targeted in a malware attack please contact our team of experts for advice and practical assistance as soon as possible and consider reading our educational article: Hacked? Here’s What to Know (and What to Do Next).

What is Malware?

Malware, short for malicious software, is a general term that encompasses a wide variety of malicious programs designed to steal sensitive data, damage equipment, or spy on unsuspecting users. In this article, we will discuss seven of the most common types of malware: 

  • Viruses
  • Worms
  • Trojans
  • Ransomware
  • Adware
  • Malvertising
  • Spyware

2021 Saw An Alarming Increase in Ransomware & This Trend is Likely to Continue

According to a joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the NSA, and in partnership with the Australian Cyber Security Centre (ACSC) and the United Kingdom’s National Cyber Security Centre (NCSC-UK), 2021 saw the continuation of several alarming cybercrime trends. The advisory found that “Ransomware [a type of malware] groups are having an increasing impact thanks to approaches targeting the cloud, managed service providers, industrial processes and the software supply chain” and that “More and more, ransomware groups are sharing victim information with each other, including access to victims’ networks.”

The advisory also reported that the ransomware market, in particular, is becoming increasingly “professionalized”, with more criminals relying on cybercriminal services-for-hire to attack targeted organizations.

These alarming statistics highlight the importance of having an up-to-date and comprehensive cybersecurity incident response plan in place, investing in critical cybersecurity infrastructure to safeguard your digital assets, and offering all team members regular cybersecurity training.  

The 7 Most Common Types of Malware (& How They Can Impact Your Organization)

1. Viruses

Computer viruses are a form of malware designed to infiltrate one program or machine and then spread to other systems, much like the viruses that target the human body. As it spreads, the virus wreaks havoc on business activities by encrypting, corrupting, deleting, or moving data and files or launching DDoS or ransomware attacks on other connected machines. 

Viruses are particularly insidious because they may remain dormant for a set period, allowing the virus to spread to as many machines and devices as possible before launching the attack. Viruses may be delivered via email or inadvertently downloaded from infected or malicious websites and can also be delivered via physical media such as USB drives. Cybercriminals may leave infected USB drives in lobbies or parking lots, hoping that a worker will pick them up and plug them into their network-connected computer. 

Unlike worms (discussed below), computer viruses must be embedded in a host program and often remain dormant until they are activated by unsuspecting users, such as when a user plugs an infected USB drive into their machine, opens an infected file, or clicks on a malicious URL.

2. Worms

Worms are similar to viruses, but they do not require human action to infect, self-replicate, and spread to other machines. As soon as the system is breached, a worm can infect the entry-point machine and then spread to other machines and devices on the network unaided by humans.

Worms rely on network vulnerabilities, such as unpatched operating systems, weak email security protocols, and poor internet safety practices. Originally, the goal of most worms was to damage system resources to hinder performance. However, modern worms are often designed to steal or delete files and are typically deployed against email servers, web servers, and database servers. 

The Stuxnet attack is a particularly devastating example of a worm at work. This attack targeted operations technology systems involved in uranium enrichment and impacted organizations across Iran, India, and Indonesia. 

3. Trojans

A trojan is a type of malware that has disguised itself as a piece of legitimate code or software. Once an unsuspecting user grants the trojan network access, it allows attackers to carry out the same actions as legitimate users, including exporting or deleting files, modifying data, and otherwise altering the contents of the infected device. Trojans are designed to appear innocuous and are often found in downloads for games, apps, tools, or even software patches. 

Many trojans rely on phishing, spoofing, or other social engineering attacks to trick users into granting them network access, but this is not always the case. Though trojans are occasionally referred to as trojan viruses or trojan worms, these terms are not strictly correct: unlike viruses, trojans cannot self-replicate, and unlike worms, they cannot self-execute. All trojans require specific and deliberate user actions to spread, such as convincing a colleague to try out this great new productivity app or download this fun game onto their work phone so you two can play together on your lunch break. 

4. Ransomware

Ransomware is one of the most common and widely discussed forms of malware, and for good reason. According to a cyber threat bulletin from the Canadian Centre for Cyber Security, the average recovery cost from a ransomware attack more than doubled between 2020 and 2021, from $970,722 CAD (roughly $757,852 USD as of the writing of this article) in 2020 to $2.3M CAD (roughly $1,795,380 USD) in 2021. The same bulletin revealed that the increased impact and scale of ransomware operations between 2019 and 2020 was largely fuelled by the “professionalization” of ransomware and the growth of the ransomware-as-a-service (RaaS) model, which involves less-technically-savvy criminals hiring skilled attackers to distribute ransomware campaigns, with attackers being paid a percentage of the victim’s ransom payment.

Ransomware is focused primarily on financial gain and is designed to encrypt files on an infected machine and hold them hostage until a ransom is paid. The invention of cryptocurrencies such as Bitcoin, which don’t rely on a central authority such as a bank and are therefore more difficult for law enforcement to trace, has made it easier than ever for attackers to extort victims.

Ransomware frequently relies on social engineering to manipulate unsuspecting users into downloading infected email attachments or clicking on URLs from untrustworthy sources. Once a device is infected, the program typically creates a back door, which allows the attackers to covertly access the device and begin encrypting files while locking owners and other legitimate users out. 

Even if your organization decides not to pay the ransom, you may still suffer financial loss. Employees who can’t access their work devices aren’t likely to get much work done, and your IT team and other technical specialists may need to be pulled away from other critical tasks to deal with the crisis. Depending on the nature of your business, even a few hours of downtime can have devastating consequences, as highlighted by the now-famous WannaCry attack that targeted the United Kingdom’s National Health Service (NHS) in 2017. The attack rendered the IT systems of hospitals and doctor’s surgeries inaccessible, which compromised medical care and put patient lives at risk. The attack knocked CT scanning facilities and MRI machines offline and left healthcare professionals unable to access vital data, including digital patient health records.

5. Malicious Adware 

Adware, also called advertising-supported software, is legitimate software that is designed to display ads to a user when they are online, thereby generating revenue for the website’s owner. Though it is not inherently malicious, it can be used for malicious purposes. 

While most legitimate organizations will carefully vet what sort of advertisements they allow to appear on their website (to ensure they don’t accidentally damage their brand by serving hateful or controversial content or drive business away by showing competitor ads), not all businesses are as meticulous as they should be. Cybercriminals may use malicious ads to trick unsuspecting users into downloading malware when they click on the ad or may use pop-ups, pop-unders (where the pop-up is intentionally hidden from view by the active window), or permanent windows that allow for drive-by downloads (where a user’s device becomes infected with malware simply by visiting the site). Malicious ads may also preemptively block antivirus programs from opening, further weakening your organization’s defenses. 

6. Malvertising

Malvertising (malicious advertising) is similar to malicious adware. One key difference is that adware only targets individual users and relies on infected digital ads served via unsuspecting websites. Once a device is infected, adware operates continuously on that device unless actively removed. On the other hand, malvertising is served by the compromised web page itself (not via third-party adware programs) and only affects users while they are on the infected web page. 

Like malicious adware, malvertising may take advantage of browser vulnerabilities to deploy drive-by downloads. However, because the entire webpage (and potentially the entire website) is compromised, it can also forcibly redirect users away from the legitimate site to a malicious one or display advertising, malicious content, pop-ups, or pop-unders that the website’s owners did not intend to display. In the case of a forcible redirect, users may be brought to a different site infested with drive-by download malware (allowing attackers to compromise multiple sites and simply redirect their visitors to the one malicious site), or to a site that looks almost exactly like the legitimate site as part of a wider phishing scam that attempts to trick unsuspecting users into handing over private information such as banking details or login credentials.

Malvertisements Cost Organizations More than Just Revenue & Site Traffic

While redirecting users to a different site impacts both website traffic and can compromise revenue streams, these are hardly the only potential costs. Website publishers may suffer reputational damage (since users are less likely to trust compromised organizations with their personal information going forward) and may be found legally liable for any damage suffered by users visiting their website. 

7. Spyware

Spyware differs from the other forms of malware we have discussed so far in that its goal is not to extort funds, steal sensitive files, or damage files but instead to, as the name suggests, spy on you and your organization. Spyware is designed to gather data without your consent and forward it to a third party. 

Spyware can also refer to legitimate software installed by companies to monitor their workforce or programs, such as tracking tools embedded in websites that you visit that are used for advertising purposes. However, we will be focusing on malicious spyware deployed by cybercriminals against unsuspecting targets such as businesses so they can profit from stolen data, including proprietary data and usernames and passwords (obtained via keylogging software).

Malicious spyware is a type of malware that has been installed without your informed consent and is designed to monitor your activities and capture personal, confidential data, often via keystrokes, screen captures, and other types of tracking tools. This stolen data is then aggregated and either used by the party that gathered it or sold to other parties. 

Malicious spyware is typically interested in confidential information such as:

  • Login credentials
  • Credit card numbers
  • Account PINs

However, it will also monitor your keyboard strokes, track your browsing habits, and harvest email addresses (including your own and those of the people and organizations you are corresponding with). 

Unlike ransomware, spyware goes out of its way to remain undetected and obscure its activities. Spyware often embeds itself in other programs that users are likely to intentionally download and install, such as bundleware (bundled software packages), without the knowledge or consent of the company that is offering the legitimate software.

However, sometimes companies will purposefully embed spyware in their bundleware while describing and requiring you to agree to the spyware in the license agreement without explicitly using the term “spyware”, tricking users into voluntarily and unknowingly infecting their devices. Spyware can also infect devices using similar methods to other malware, including via compromised websites or malicious attachments. Trojan malware and malicious adware may also both include spyware.

Spyware can wreak havoc on any business environment, allowing cybercriminals to better:

  • Steal data
  • Commit identity fraud
  • Damage computers
  • Disrupt business operations

Safeguarding Your Business From Malware

There are a few steps you can take to safeguard your organization against malware. These include:

Avoid Abandoned USBs

Attackers will often leave infected USB drives in publicly accessible places such as lobbies or parking lots in the hopes that some unsuspecting employee will pick it up and plug it into their machine. Should you come across an abandoned USB drive, you should report it to security and then hand the USB drive over to your cybersecurity team for further analysis and proper destruction.

Keep Your Software Up to Date

Software developers frequently release security patches, small programs designed to address known flaws and improve security. However, your organization can only take advantage of these improvements if the security updates are installed.

Invest in Antivirus Software

While antivirus software may not seem cutting edge anymore, it still plays a critical role in any cybersecurity strategy.

Think Before You Click

While most email providers include built-in antivirus scanning that flags potentially harmful attachments or links, it never hurts to be cautious. If you encounter a suspicious link or file, do not open it. Instead, you should forward the email to your cybersecurity team for further analysis. If the email is purportedly from someone you trust (such as your company’s bank or your boss) but seems suspicious, you should reach out to that person independently to verify that they are the real sender. You should also carefully read the sender’s email address on any email you receive. 

For example, if your boss Jennifer Smith usually emails you from her work address at your company’s domain, but this email comes from a different address, such as the same name at a different domain (a .org address instead of the company’s .com address, say), you should not reply to the email, but should instead reach out to your boss independently to verify that she sent the email. This is particularly important if the sender is asking you for sensitive or personal information, such as banking details or your password, or asking you to do something unusual, such as purchase a large number of gift cards or make changes to company banking details.

If someone sends you a URL, make sure you read it carefully. If you were expecting a URL that directs you to www.yourbank.com but instead see www.yourbaank.com (note the extra ‘a’), you should once again independently verify that the sender is who they say they are before taking any action or handing over any information. It’s always better to spend a bit of time verifying than to rush and take actions that could compromise the safety and security of your organization.
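The sender-address and URL checks described above, automated as an added Python example (not code from the article or from VirtualArmour). The trusted domain list, the From: header and the sample links are constructed for the demonstration; the display name is deliberately ignored because a sender chooses it freely.

```python
"""Flag sender addresses and URLs whose domain is a near miss of a trusted one.

Added example, not code from the article. TRUSTED_DOMAINS and the sample
header and URLs are constructed for the demonstration.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("yourbank.com", "yourcompany.com")  # hypothetical allowlist


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one inserted letter (yourbaank vs yourbank) costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of_sender(from_header: str) -> str:
    """Take the domain from the real address, never from the display name,
    which the sender chooses freely ('Jennifer Smith <anything@anywhere>')."""
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def domain_of_url(url: str) -> str:
    """Hostname of a link, with a leading 'www.' stripped for comparison."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted', 'lookalike of <domain> (<reason>)', 'unknown' or 'unparseable'."""
    if not domain:
        return "unparseable"
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    name, _, tld = domain.rpartition(".")
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        if name == t_name and tld != t_tld:
            return f"lookalike of {t} (different top-level domain)"
        if levenshtein(name, t_name) == 1:
            return f"lookalike of {t} (one character off)"
    return "unknown"


def triage(from_header: str, urls: list) -> list:
    """Verdicts for the From: header and each link, in order; anything other
    than 'trusted' is worth an out-of-band check with the purported sender."""
    sender = domain_of_sender(from_header)
    findings = [f"sender {sender or '?'}: {classify_domain(sender)}"]
    for url in urls:
        findings.append(f"link {url}: {classify_domain(domain_of_url(url))}")
    return findings


if __name__ == "__main__":
    # Constructed message: the display name looks right, the domain is a near miss.
    for line in triage("Jennifer Smith <jennifer.smith@yourcompany.org>",
                       ["https://www.yourbaank.com/login", "https://www.yourbank.com/"]):
        print(line)
```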

Invest in Cybersecurity Training for All Employees

Even the most comprehensive and robust cybersecurity incident response plan and cutting-edge cybersecurity infrastructure depends on educated users for maximum efficacy. Ensure all employees undergo cybersecurity training as part of your onboarding process and periodically receive additional training. 

Only Buy Devices from Trusted, Reputable Sources

While it may be more budget-conscious and environmentally friendly to purchase gently used devices, second-hand devices may offer more than you bargained for in the form of pre-downloaded malware. If you still intend to purchase second-hand equipment, make sure you do so from a trusted, authorized retailer of pre-owned devices and audit each item thoroughly for suspicious programs before connecting it to your network.

Opt for the Paid Version

One of the easiest ways to avoid falling victim to malicious adware is to opt for the paid, ad-free version of the software you are using whenever possible. Most organizations that offer premium subscriptions to otherwise ad-supported free products do not serve ads to premium users, so opting for the paid version can dramatically reduce your attack surface.

Vet Ad Partners Carefully to Avoid Malvertising

Ad networks serve users ads from millions of advertisers, and most rely on real-time bidding, which means the ads shown on a website are constantly changing. This can make it difficult, if not nearly impossible, for individual website publishers to separate malicious ads from innocent ones. As such, it falls primarily on the ad provider to carefully vet ads, so it is critical that all website publishers choose their advertising partners with care. 

Be Cautious About Cookies

With GDPR compliance affecting more organizations each day, almost all websites now ask users for their explicit permission before creating cookies. Cookies are considered by some to be a form of spyware, so make sure you only accept cookies from trusted sites and consider limiting your permission to essential cookies only.

Consider Using an Anti-Tracking Browser Extension

Not all of your browsing activities need to be tracked by third parties, whether for legitimate purposes like advertising or otherwise. Anti-tracking tools allow you to opt out of omnipresent tracking, which helps keep your browsing activities and data private.

Avoid Third-Party App Stores

Cybercriminals are increasingly targeting people through their phones, often using apps. Third-party app stores may not vet the apps they offer as carefully as Apple and Google, so it is best to be cautious and stick to the official app stores. 

Stick with Official App Publishers

Apps are an increasingly common delivery mechanism for malware, particularly spyware. Before you download an app, make sure that you trust the company that developed it.

Limit App Permissions

A troubling trend in the app space is apps that ask for more generous permissions than they require. Many apps ask to access your microphone, camera, or location data without justifying why they need this information. To avoid handing over more data than you need or want to, you should regularly review your app permissions and ensure your current settings reflect your actual preferences.

Nothing is Ever Really Free

As the old saying goes: if something is free, it’s because you are the product, not the customer. While sometimes free can mean a limited-time trial that allows prospective customers to try out the product for themselves, it can also mean that its creator is profiting off of the data you generate. Before you start using new software, make sure you take the time to read through the terms of use and only agree to them if you understand and accept them. 

Are You Concerned About Malware? VirtualArmour is Here to Help!

While it may feel like malware is lurking around every corner, there are concrete steps you can take to better safeguard your organization and its data. In addition to the advice above, you should also consider partnering with a trusted MSSP like VirtualArmour. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring as well as industry-leading response times. 

The cybersecurity experts at VirtualArmour have extensive experience working with organizations in a variety of verticals, including healthcare, finance, retail, and energy. We are also familiar with the unique needs of service providers and offer tailored plans based on your level of need, including essential services, premium services, and one-time consults, as well as a wide selection of cybersecurity services.

For more information, or to get your free, no-obligation quote, please contact our team of experts today.

What the War in Ukraine Means for American Cybersecurity Engineers

The Russian invasion of Ukraine has shocked the world, driving millions from their homes as they seek safety. However, in the internet age, wars aren’t fought in the physical world alone, and cyber warfare has become an increasingly serious threat. 

The Invasion of Ukraine is Already a Cyberwar

Though most of the news coverage of the situation focuses on developments in the physical world, early cyber skirmishing has already begun. Cyberattacks have recently targeted the Ukrainian defense ministry and two banks, in what the country’s deputy prime minister stated is the largest attack of this type ever seen in the country.

While the Kremlin has denied they are behind the denial of service attacks, the disruption has brought concerns about the threat of cyberconflict into the spotlight. Ilya Vitayuk, the cybersecurity chief of Ukraine’s SBU intelligence agency, has stated that it is still too early to definitively identify the perpetrators behind the attack. This is because, as with most cyberattacks, the perpetrators worked hard to cover their tracks. However, he also added, “The only country that is interested in such … attacks on our state, especially against the backdrop of massive panic about a possible military invasion, the only country that is interested is the Russian Federation.”

Ukraine has accused Russia of cyberattacks in the past and believes the Kremlin is behind a string of cyberattacks against Ukraine starting in 2014. In an age when war is fought on battlefields, both physical and digital, combat is no longer confined to combatants on the ground. While Ukraine’s SBU has made cybersecurity a major security focus in the current conflict, a cyberattack on Ukraine by Russia or its allies could have wide-reaching consequences for Ukraine’s allies as well. As such, countries and private organizations alike need to remain vigilant.

The American Government Prepares to Respond

Cyberattacks, even those specifically targeting Ukraine, could seriously impact the United States. Malware aimed at Ukrainian targets has spilled over before: the 2017 NotPetya wiper, seeded through a Ukrainian accounting package, spread to multinational companies around the world. 

In response to the invasion of Ukraine, CISA (Cybersecurity and Infrastructure Security Agency) has issued a statement. Entitled Shields Up, it states (as of the writing of this article):

“While there are no specific or credible cyber threats to the US homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region. Every organization—large and small—must be prepared to respond to disruptive cyber activity. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber-attacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.”

President Joe Biden has announced the American government is prepared to respond to cyberattacks from Russia if necessary, and “For months, we have been working closely with our private — with the private sector to harden their cyber defenses, sharpen our ability to respond to Russian cyberattacks, as well.” NBC News also reported that President Biden has a “menu of options for the US to carry out massive cyberattacks designed to disrupt Russia’s ability to sustain its military options in Ukraine.”

However, as the Shields Up announcement indicates, cyberwarfare concerns are not contained to the national and international stage. Organizations of all sizes and in all verticals need to be taking appropriate steps to proactively safeguard their digital assets. 

What Sort of Cyberattacks Should We Anticipate?

While we have no way of knowing exactly what sort of attacks the cyber warfare front of the Ukraine-Russia conflict will bring, we can look to a history of previous international attacks for guidance. According to Forbes, organizations should be prepared to handle:

Advanced Persistent Threats (APTs)

APT is a broad term for any attack campaign in which an attacker, or group of attackers, establishes an illicit, long-term presence on a network in order to covertly harvest highly sensitive data. Intrusions of this kind against private companies usually aim at theft of intellectual property, compromise of sensitive data (such as employee or customer records), sabotage of critical systems (such as deleting database contents), or takeover of websites for financial gain, and the same tradecraft works just as well against nation states as against companies. 

With cyber warfare on our doorstep, now is the time to batten down the hatches and strengthen your cybersecurity posture. Improving your overall posture guards against APTs by making it harder for intruders to get into your network in the first place and, just as importantly, harder for them to remain undetected once inside. 

Malware

Malware refers to any form of malicious software. It is most commonly delivered through infected email attachments and links to malicious websites sent as part of phishing campaigns. Email providers filter out many suspicious messages automatically, but none catch everything, so one of the best steps organizations can take to improve their cybersecurity posture is to invest in employee cybersecurity training. 

Cybersecurity is everyone’s responsibility, from the CEO down to the summer intern. Teaching workers to identify and report suspicious activities can stop an attack before it even begins, so all team members should receive robust cybersecurity training as both part of their onboarding process and on an ongoing basis. 

Ransomware

Ransomware is a subset of malware that encrypts files so that legitimate users can no longer access data or systems, on an individual machine or across the organization's network, and then demands payment for the decryption key. Recent, tested backups kept out of reach of the infected systems are the main safeguard, since they let you restore without paying. 

DDoS

DDoS (Distributed Denial of Service) attacks attempt to take a web server or other online service offline by flooding the supporting infrastructure with more traffic than it can handle. 

This type of attack can be launched by a large group of attackers working together or by a single attacker controlling a sufficiently large botnet (a network of compromised machines that perform tasks on the attacker's command). The goal is to overload the server, forcing it offline and preventing legitimate users from reaching the organization's products or services. Because the traffic arrives from many sources at once, each sending a modest amount, blocking individual addresses is rarely enough; defenders need to watch aggregate request rates as well as per-source rates. 
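As an added example (not code from the original article), the Python below runs a sliding-window rate check over constructed access-log lines. It raises two different alarms: one when a single source exceeds a per-IP threshold, and one when all sources together exceed an aggregate threshold even though no single bot trips the per-IP limit, which is exactly the case a botnet creates. The log format, window length, thresholds and all addresses are assumptions for illustration.

```python
"""Flag request floods in web-server access logs with a sliding window.

Added example, not code from the original article. The log line format,
the window length and both thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_TIME_FORMAT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return (source_ip, timestamp) from a common-log-format style line."""
    ip, _, rest = line.partition(" ")
    ts_text = rest[rest.index("[") + 1:rest.index("]")]
    return ip, datetime.strptime(ts_text.split(" ")[0], LOG_TIME_FORMAT)


def detect_floods(lines, window_seconds=10, per_source_max=20, total_max=200):
    """Scan time-ordered log lines and report two kinds of flood.

    per_source: first time a single IP exceeded per_source_max requests
                within window_seconds (one noisy attacker)
    aggregate:  first time all sources together exceeded total_max within
                window_seconds (a distributed flood that stays under the
                per-source limit)
    """
    per_source = defaultdict(deque)
    total = deque()
    offenders = {}
    aggregate_alert = None
    for line in lines:
        ip, ts = parse_line(line)
        for window in (per_source[ip], total):
            window.append(ts)
            # Drop requests that have fallen out of the sliding window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
        if len(per_source[ip]) > per_source_max and ip not in offenders:
            offenders[ip] = ts
        if len(total) > total_max and aggregate_alert is None:
            aggregate_alert = ts
    return {"per_source": offenders, "aggregate": aggregate_alert}


def make_sample_log():
    """Constructed log: normal traffic, then one noisy IP, then a botnet burst."""
    base = datetime(2022, 3, 1, 12, 0, 0)
    lines = []

    def log(ip, offset_seconds):
        stamp = (base + timedelta(seconds=offset_seconds)).strftime(LOG_TIME_FORMAT)
        lines.append(f'{ip} - - [{stamp} +0000] "GET / HTTP/1.1" 200 512')

    for s in range(0, 60, 5):          # one visitor, a request every 5 s
        log("203.0.113.10", s)
    for s in range(60, 65):            # one source firing 6 requests a second
        for _ in range(6):
            log("198.51.100.7", s)
    for s in range(120, 130):          # 25 bots, one request a second each
        for bot in range(1, 26):
            log(f"192.0.2.{bot}", s)
    return lines


if __name__ == "__main__":
    result = detect_floods(make_sample_log())
    print("single-source offenders:", result["per_source"])
    print("aggregate flood began at:", result["aggregate"])
```

In the constructed log the 25 bots each send one request a second, well under the per-source limit, yet the aggregate window crosses 200 requests within nine seconds of the burst starting; a per-IP rule alone would never have fired. The check assumes the lines arrive in time order, which is true of a live tail but not necessarily of merged logs from several servers.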

Network Security Attacks

Network security attacks is an umbrella term for attacks aimed at disrupting an organization's network and systems, whether to cause service outages, steal data, or corrupt files. Such attacks are often carried out for financial gain, but on the cyber warfare front of Russia's attack on Ukraine they are more likely to serve political or military ends. 

To help safeguard themselves from these types of attacks, organizations should be taking proactive steps to harden their networks against intrusion and to monitor them so that a breach is noticed quickly. 

What Steps Should Your Organization Be Taking to Best Safeguard Your Digital Assets?

Follow All Current Advice From Your National Cybersecurity Authority

The situation, both on the ground in Ukraine and in the digital sphere, is continually evolving, with new threats always on the horizon. To best safeguard your organization, it is vital to stay up to date on the situation and follow the current advice of your national cybersecurity authority. 

Establish A Relationship With Local Governments in Jurisdictions Where Your Company Operates

  • In the United States, InfraGard, a partnership between the FBI and the private sector, coordinates information sharing among critical infrastructure owners and operators.
  • Organizations operating in the United Kingdom should review information provided by NCSC’s Critical National Infrastructure hub.
  • Organizations in the European Union should speak to their local CSIRT (Computer Security Incident Response Team) and CERT (Computer Emergency Response Teams) contacts. A full list of these can be found here
  • In Germany, the BSI (Federal Office for Information Security) has released several cybersecurity warnings related to the situation. Current security warnings can be found here
  • In Australia, the Australian Cyber Security Centre (ACSC) is providing guidance through ongoing alerts. You can also register to receive alerts from ACSC, and they provide general cybersecurity advice for small and medium businesses and organizations and critical infrastructure.

Success Depends on Interorganizational Trust

Even the most comprehensive, best-designed cybersecurity strategy can be easily undermined if your organization lacks trust between its departments. A solid relationship between stakeholders and your security team is critical if you want to keep your organization secure. 

Building trust can be hard, but there are concrete steps your security team can take to build stakeholder trust. This includes:

Overcommunication 

Clear, concise, focused, and on-point communication is critical, and in security it is far better to share too much than too little. Too many stakeholder-security team conflicts are rooted in a lack of communication, miscommunications, or misunderstandings. Opening the lines of communication, and keeping them open, is an excellent way to build trust.

Honesty & Transparency

When it comes to cybersecurity, honesty is the best policy. When it comes to admitting fault, acknowledging a mistake, or delivering bad news, stakeholders and security teams alike appreciate honesty. By being honest about your organization’s current security posture (including any deficiencies), security and stakeholders can work together to fortify your organization’s cybersecurity posture. 

On the other hand, lies, omissions, and misrepresentations cause cracks in your cybersecurity posture and foster distrust between teams, with potentially disastrous consequences. All trusting relationships are built on a foundation of honesty.

Diligence

Hard work, dedication, and commitment from both your security team and your stakeholders is critical for building organizational trust. Both sides of the table need to know that the other side is working hard to fulfill their obligations and is willing to own up to any mistakes or shortcomings. It’s a lot easier to build trust when you know the rest of the team has your back.

A Willingness to Listen & Accept Feedback

Communication is a two-way street, and both stakeholders and security teams need to be willing to listen and accept honest feedback and not dismiss the other side’s suggestions and concerns out of hand. When one side feels that the other isn’t taking their concerns, expertise, or advice seriously, it undermines the relationship and damages trust, weakening the organization and compromising its security posture. 

Action

Talk is great, but only when it is followed by concrete action. When either the security team or the stakeholders promise to do something, the other side needs to see that they will follow through. When we can’t trust our teammates to act on their promises, those promises become meaningless. 

That being said, we are only human, and sometimes promises are broken. When this happens, it is critical to acknowledge that the promise was not honored, provide an explanation (budgetary concerns, staffing shortages, etc.), amend the promise so it can be reasonably accomplished, commit to action, and then act to fulfill the promise. A cycle of inaction and broken promises can impact more than your cybersecurity posture; it can poison your organization, driving away good workers and demoralizing those who remain.   

Initiate a “Request for Intelligence” From Your Threat Intelligence Partner

You can’t adequately defend yourself if you don’t know what you are defending against. A request for intelligence is a comprehensive report compiled by your threat intelligence partner. When requesting your report, make sure you specify your intended audience (such as your board of directors or security team) and any specific concerns you may have so that your vendor can tailor the report accordingly and ensure all critical and relevant information is included. 

A good request for intelligence should go beyond the routine overviews your partner already provides and address specific concerns related to your vertical, industry, and operating locations. It should also identify the threat actors you should be concerned about and the TTPs (tactics, techniques, and procedures) those actors typically use, so that your detection and hardening work can be prioritized against them. 

Collaborate Closely With Your Security Vendors

Your security vendor needs to take a proactive role when it comes to preparing your organization for cyber conflict and defense. 

  • Vendor account representatives can help ensure your organization receives the correct level of care and attention and help you get the most out of your security products and services.
  • You should also work closely with your product vendors to confirm turnaround times and automation options for ruleset and patch updates (to ensure your software automatically downloads and installs security patches as soon as they are made available).

A good vendor should be already communicating with you about the situation in Ukraine, but if you have not received any communications, you should reach out directly to your vendor, representative, or support team.

Keep an Eye Out for Disinformation & Misinformation

Disinformation and misinformation featured heavily in the lead-up to the conflict in Ukraine. On February 3rd, 2022, the United States even predicted that Russia might use fake graphic videos as a pretext for invasion, a prediction that came true two weeks later. Videos like these and other forms of misinformation and disinformation serve two purposes: to bolster internal sentiment for an invasion (or justify an ongoing invasion) and distort the narrative abroad. 

As such, it is vital to get your news from trustworthy sources and rely on the advice of local and national leaders as well as your security team to ensure you are getting the facts. As the situation continues to evolve, it is also vital that you are keeping your incident response plans up to date and keeping the lines of communication open both across your organization and between your organization and relevant third parties, such as your managed security services provider (MSSP) and relevant government bodies. 

Consider Adopting Secure Communications Tools

Organizations that are concerned about the security and privacy of their business communications (including eavesdropping, data loss, communications metadata exposure, or non-compliance) should consider increasing communications security or switching to more secure communications tools. Organizations with employees in and around Ukraine should also be aware that those individuals may face communications disruptions.

Encrypted messaging and calling solutions like Element and Wickr are ideal for low-bandwidth environments and can be used to enhance the security of your everyday communications as well as work as out-of-band communication channels during incident responses. They can also be used to provide traveling executives with improved communications security. If you are concerned about the security of your current in-house communication tools or are looking to replace them with a more secure option, your managed security services provider can help you make the right choice for your organization. 

Build Out Your Incident Response Ranks

Small and medium-sized organizations often don't have the resources to support a full, in-house cybersecurity team, which is why many choose to partner with an MSSP. A good MSSP can help you augment your in-house security team, provide employee cybersecurity training, and help you evaluate your current cybersecurity position and incident response plans.

Should an incident occur, your MSSP can help you respond effectively (mitigating, or even eliminating, damage), conduct a thorough investigation into the root cause of the incident, and help you prepare any reports required under relevant regulations (such as GDPR, HIPAA, or CCPA).

Safeguard Your Endpoints & Practice Good Software Hygiene 

Safeguarding your endpoints (the smartphones, laptops, and tablets that have access to your network) and your hosts (the servers and other systems on it) is vital. Endpoint detection and response (EDR) uses agents on those machines to record process, file, and network activity so that suspicious behaviour can be detected, investigated, and contained. Unlike traditional anti-virus software, EDR does not rely solely on malware signatures; it looks at what a program actually does, which lets it surface new threats for which no signature exists yet. Depending on the nature of the threat, EDR tooling can also trigger an automated response, such as isolating the host from the network or killing the offending process.

One of the easiest yet most critical steps any organization can take to improve its security posture is to keep all of its software up to date. When software developers discover vulnerabilities in their products, they release patches to address them, and the release itself tells attackers exactly where to look. Cybercriminals often target software for which a patch has recently been published, betting that not every organization has been as diligent as yours about installing it. Installing patches takes a few minutes, and the process can often be automated and scheduled so that patches are installed outside business hours to minimize downtime. 
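As an added example (not code from the original article), the Python below checks a constructed software inventory against a constructed advisory list and reports which hosts are still below the fixed version and how far past a patching SLA they are. Hosts, packages, versions, dates and the 14-day SLA are all assumed for illustration. Versions are compared numerically, because a plain string comparison ranks 8.10.0 below 8.9.0 and would wrongly mark a patched host as vulnerable.

```python
"""Report hosts still running software below an advisory's fixed version.

Added example, not code from the original article. The inventory, the
advisories, the report date and the 14-day SLA are constructed for
illustration.
"""
from datetime import date, timedelta

SLA_DAYS = 14                  # assumed: patch within 14 days of publication
TODAY = date(2022, 3, 8)       # assumed report date

# Constructed advisory feed: package, first fixed version, publication date.
ADVISORIES = [
    {"package": "apache2", "fixed": "2.4.52", "published": date(2022, 1, 10)},
    {"package": "openssh", "fixed": "8.9.0", "published": date(2022, 2, 25)},
]

# Constructed inventory: what is actually installed on each host.
INVENTORY = [
    {"host": "web-01", "package": "apache2", "version": "2.4.51"},
    {"host": "web-02", "package": "apache2", "version": "2.4.52"},
    {"host": "bastion", "package": "openssh", "version": "8.10.0"},
    {"host": "jump-02", "package": "openssh", "version": "8.8.1"},
]


def version_key(version):
    """Split '2.4.52' into (2, 4, 52) so versions compare numerically.

    Comparing the strings instead would rank '8.10.0' below '8.9.0'.
    """
    return tuple(int(part) for part in version.split("."))


def find_unpatched(inventory, advisories, today, sla_days=SLA_DAYS):
    """List every (host, package) below a fixed version, with SLA status.

    days_overdue is negative while the host is still inside the SLA window.
    Results are ordered worst first.
    """
    findings = []
    for adv in advisories:
        due = adv["published"] + timedelta(days=sla_days)
        for item in inventory:
            if item["package"] != adv["package"]:
                continue
            if version_key(item["version"]) >= version_key(adv["fixed"]):
                continue
            days_overdue = (today - due).days
            findings.append({
                "host": item["host"],
                "package": item["package"],
                "installed": item["version"],
                "fixed": adv["fixed"],
                "days_overdue": days_overdue,
                "overdue": days_overdue > 0,
            })
    return sorted(findings, key=lambda f: f["days_overdue"], reverse=True)


def report():
    """Run the check against the constructed data."""
    return find_unpatched(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    for f in report():
        status = f"{f['days_overdue']} days past SLA" if f["overdue"] else "within SLA"
        print(f"{f['host']}: {f['package']} {f['installed']} < {f['fixed']} ({status})")
```

In a real deployment the inventory would come from your endpoint agent or configuration management and the advisories from a vendor feed; the two vulnerable hosts it finds here show both states you want to track, one well past the SLA and one still inside it.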

Take Proactive, Preventative Steps Before an Incident Occurs

As the old saying goes, the best defense is a good offense. By being proactive and shoring up your cybersecurity defenses before an incident occurs, you stand a better chance of mitigating or even eliminating damage. Regular pen (penetration) testing, which involves hiring an ethical hacker to stress-test your defenses and search for vulnerabilities, can help highlight security deficiencies so they can be addressed before a cyber attacker is able to exploit them.

Investing in ongoing cybersecurity training is also critical: Employees who can’t identify potential threats are more likely to fall for things like phishing scams, and employees who don’t know how to respond to an incident won’t be able to respond effectively. As such, it is critical that you review your incident response plans regularly and make sure all relevant stakeholders are kept up to date.

You may also want to consider running tabletop scenarios. Tabletop scenarios work like cyber incident fire drills: Your team is presented with a hypothetical scenario and asked to respond, allowing them to put their cybersecurity training to use in a no-stakes environment. Tabletop scenarios not only familiarize your employees with potential threats and help them hone their response skills, but they are also a great way to identify and address security gaps before they can be exploited. 

Concerned About Your Cybersecurity Stance? VirtualArmour is Here to Help!

The situation in Ukraine has put many organizations on edge, and trying to figure out how to shore up your organization’s cybersecurity defenses against cyber conflict may be overwhelming. Fortunately, the VirtualArmour team is always here to help.

We offer a variety of security solutions, including:

We also offer tailored services à la carte, allowing you to pick and choose the services your organization requires to create your own premium services package or essential services package. We also offer personalized, one-time expert consults.

We have extensive experience working with organizations in a variety of highly-specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and industry-leading response times. 

Our team of experts can help you assess your current cybersecurity posture and create or update your incident response plans. We also provide cybersecurity training through our VirtualArmour Academy. For more information or to get your free, no-obligation quote or free cyber risk report, please contact our team today.

Suggested Reading & Useful Links

The Cybersecurity Situation in Ukraine

The situation in Ukraine is constantly shifting, and it can be hard to stay up to date and get the facts your team depends on to best inform your cybersecurity posture. To help you get the information you need, we have compiled a list of links to relevant organizations below. 

Educational Articles from VirtualArmour

Cybersecurity is a complex and continually evolving field. To best safeguard your organization and its digital assets, it’s important to stay up to date. 

To learn about the latest news and developments in the cybersecurity sphere, please consider visiting our Articles and Resources page and reviewing the educational articles listed below.

Phishing Attacks are Evolving: What You Need to Know to Keep Your Company Safe

Last updated August 19, 2022

Summary:

  • Phishing is a form of social engineering where the attacker impersonates a trusted party for the purpose of gaining access to sensitive information like login credentials, personal information, or payment card data.
  • A company with 5,000 employees will receive an average of 14,400 phishing emails each year, not including the ones caught by spam filters.
  • Phishing tactics are becoming more advanced over time, and phishing attacks are most common during the holiday season, when consumers often face increased stress levels.
  • SMS phishing scams are on the rise, so it's vital to use caution if you receive texts from a sender you don't recognize.
  • Cybersecurity training for employees and vulnerability scanning are two essential ways to prevent and combat phishing scams. VirtualArmour can provide both of these services.

Phishing scams tend to peak during and around the winter holiday season, catching individuals and businesses alike unprepared. To help ensure you and your team have the information you need to identify and avoid these scams, we sat down with one of our VirtualArmour cybersecurity engineers to learn more about this common cybersecurity threat.

If you are currently experiencing, or have recently experienced, a cybersecurity incident, please contact our team for immediate assistance and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next). Our team can help you fend off the attack, identify the root cause of the issue, and create an actionable, comprehensive plan to help mitigate or even avoid further damage.

What is Phishing?

Phishing is a type of social engineering typically used to steal user data such as login credentials, personally identifiable information (PII), or payment card information. This type of cyber attack involves a threat actor masquerading as a trusted party (such as your bank) in order to trick you into opening an email, text message, instant message, or other electronic message and inadvertently handing over sensitive information such as personally identifiable information (such as your full name, birth date, or social insurance number) or payment information (such as your credit card number). 

Phishing attacks pose a serious threat at both the personal and corporate levels. Though most email spam filters are able to stop the most egregious phishing attempts, even the best filters and gateways can't catch everything. Phishing scams continue to evolve, and the sheer number of phishing emails alone is staggering. Research into the volume of email, spam, and malicious attachments and URLs directed at companies found that a company with 5,000 employees will still have an average of 14,400 phishing emails arrive in employee inboxes each year, and those are just the emails crafted well enough to get past the spam filter. 

With so many emails alone slipping past our defenses, employee training on how to spot and report potential phishing scams is key. However, many threat actors are changing tactics and moving away from email and towards other forms of electronic communication.

Phishing Tactics Have Evolved

When many of us think of phishing emails, we likely still picture a scammer pretending to be a fabulously wealthy prince from some faraway land promising riches in return for helping them covertly move money out of their home country (a common ruse referred to as an advance-fee scam).

The advance-fee scam is a classic ruse: the threat actor asks you to receive a large sum on their behalf (purportedly for “safekeeping” or to evade the authorities) but first asks you to pay a fee to release the transfer, promising both to reimburse the fee and to reward you handsomely for your cooperation. The promised sum never arrives; the fee is the whole point.

Though this elaborate ruse has become a cliche even outside cybersecurity circles, many individuals and companies still fall for it and similar advance-fee scams. A recent CNBC article found that advance-fee scams still net cybercriminals well over $700,000 USD per year.

Why Do Phishing Scams Peak Around the Holiday Season?

Phishing campaigns typically soar in popularity over the holiday season in an attempt to prey on festive (and often frazzled) shoppers using increasingly sophisticated phishing scams. 

However, it isn’t just holiday shoppers that fall for these campaigns; many businesses and other organizations of all sizes continue to fall victim to these types of attacks.

One common business-targeted phishing scam sends the target an email from a domain that, at a glance, looks like the company's own, with an innocuous pretext: for example, a festive meal menu attached as a .doc file and a request that the employee indicate their meal preference and dietary restrictions for the company party. The email appears legitimate at first glance, but a red flag such as a misspelled domain (for example, ‘virtaularmour.com’ rather than ‘virtualarmour.com’; note the transposed ‘u’ and ‘a’) indicates that it is likely malicious and should be both flagged as spam and reported to your company's IT or cybersecurity team. Attachments in legacy Office formats such as .doc deserve extra suspicion, since they can carry macros.
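As an added example (not code from the original article), the Python below compares the sender domain of each message against an assumed allow-list of the company's own domains. It folds common look-alike characters, treats a company domain embedded inside a longer attacker domain as suspicious, and uses an edit distance that counts an adjacent transposition (the ‘ua’ to ‘au’ swap above) as a single edit. The allow-list, homoglyph table, sample From: headers and threshold are all assumptions; the handling of homoglyphs and embedded domains goes beyond the single misspelling the text describes.

```python
"""Flag sender domains that merely resemble a trusted domain.

Added example, not code from the original article. The allow-list, the
homoglyph table, the sample headers and the distance threshold are
assumptions chosen for illustration.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"virtualarmour.com", "virtualarmour.co.uk"}   # assumed allow-list

# Character substitutions that read alike at a glance (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def fold_homoglyphs(domain):
    """Map look-alike characters onto the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def damerau_levenshtein(a, b):
    """Edit distance counting insertions, deletions, substitutions and
    adjacent transpositions, so 'virtaul' is one edit from 'virtual'."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def second_level_label(domain):
    """'virtaularmour.com' -> 'virtaularmour' (the part attackers misspell)."""
    return domain.split(".")[0]


def classify_domain(domain, threshold=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for one sender domain."""
    raw = domain.lower().rstrip(".")
    if raw in TRUSTED_DOMAINS or any(raw.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"                 # the domain itself or one of its subdomains
    folded = fold_homoglyphs(raw)
    for trusted in TRUSTED_DOMAINS:
        embedded = trusted in raw        # e.g. virtualarmour.com.account-verify.net
        close = damerau_levenshtein(second_level_label(folded),
                                    second_level_label(trusted)) <= threshold
        if embedded or close:
            return "lookalike"
    return "unrelated"


SAMPLE_FROM_HEADERS = [   # constructed for this example
    "HR Team <hr@virtualarmour.com>",
    "HR Team <hr@virtaularmour.com>",
    "IT Support <it@virtualarmour.com.account-verify.net>",
    "Events <party@virtua1armour.com>",
    "Pexels <newsletter@pexels.com>",
]


def triage(headers):
    """Return (address, verdict) for each From: header."""
    results = []
    for header in headers:
        _, address = parseaddr(header)
        domain = address.rsplit("@", 1)[-1] if "@" in address else ""
        results.append((address, classify_domain(domain)))
    return results


if __name__ == "__main__":
    for address, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {address}")
```

In a mail gateway the same check would sit in the inbound pipeline and tag or quarantine ‘lookalike’ results for review. Keep the threshold small: with short domain labels a distance of 2 will flag genuinely unrelated senders, so tune it per allow-listed domain rather than globally, and remember that the From: header is attacker-controlled, so this complements rather than replaces SPF, DKIM and DMARC checks.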

“Smishing” (SMS Phishing) Scams Are On the Rise

Though these types of scams tend to peak around the holiday season, they are still common year-round. The fake delivery text is a new form of this age-old scam that has been making the rounds and is rapidly becoming one of the most common formats for smishing scams. 

One theory behind the rise in this particular style of phishing scam is the increase in lockdowns worldwide, prompting a rise in online shopping, particularly during the holiday period. Before clicking on any links in a suspicious text message, it is critical to verify whether the text message is legitimate (such as by calling your local post office or delivery depot to verify if there really is a parcel waiting for you).

How to Recognize (& Avoid Falling Prey To) a Smishing Attack

If you receive a suspicious text that may be part of a smishing scam, there are a few steps you can take to help avoid falling prey: 

  1. Never respond to a potentially suspicious text message. If a response appears to be necessary, respond via a verified official channel (such as calling your delivery company or local post office directly).
  2. Never click on any links or phone numbers sent from a user you don’t recognize.
  3. Never share any payment information or personally identifiable information, such as your social security number, birth date, or full name. 
  4. Report any messages that appear suspicious to the relevant authority.
    1. In the United Kingdom, reports can be filed with the National Cyber Security Centre here.
    2. In the United States, reports can be filed with the FCC here and FTC here.

A common example of a scam asking for payment information is a scammer posing as your bank and asking you to update your account information (usually under threat of being locked out of your accounts or some other undesirable outcome). In this case, you should contact your bank immediately via an official channel (most banks print a toll-free number on the back of their credit or debit cards or somewhere on your bank statement) and independently verify that your information requires updating. This not only helps you avoid falling victim to a potential phishing scam but also alerts your bank so they can warn other customers about the scam so they can avoid falling prey as well.

Awareness is Critical

Education and awareness are a cornerstone of any solid cybersecurity strategy. By educating yourself and others about common scams and red flags to look for, you can help reduce the chance someone falls victim. Individual scams are often short-lived, so you need to act quickly; Verizon reports that 50% of scam targets open emails and click on phishing links within an hour of receiving a suspicious email.  

Investing in employee cybersecurity training is vital. When it comes to scams, your employees are one of your first lines of defense, which is why all employees, from the summer intern up to the CEO, should undergo regular cybersecurity training. To help set everyone up for success, you should also include cybersecurity training as part of your company’s onboarding process. 

Vulnerability Scanning Offers Total Visibility Into Your Infrastructure

You can’t defend yourself against cybersecurity threats if you don’t know they exist. Vulnerability scanning identifies weaknesses such as unpatched software and misconfigurations before an attacker finds them, and a good scanning service ties those findings to threat intelligence, device health, threat mapping, and support ticketing so that each one is tracked through to resolution. Combined with continuous visibility into the traffic on your network, this lets you spot suspicious activity and respond swiftly and effectively to safeguard both your data and your organization should a threat actor sneak past your defenses. 

Social Engineering Takes Many Forms

Many of these attacks depend on social engineering. Social engineering involves manipulating potential victims into revealing personally identifiable information and can be used to access either personal or organizational accounts. Social engineering attacks typically rely on consistent communication between the attacker and the target and frequently take the form of text messages, instant messages, or emails. 

As COVID-19 continues to force workers to trade their desks at work for their kitchen tables, spare rooms, and home offices, attacks of this nature are becoming more frequent and more effective. This, combined with more mundane but still frustrating events such as a purportedly missed delivery (which you can conveniently reschedule by clicking on this completely legitimate link), has created an ideal environment for threats like phishing scams to flourish. 

Worried About Phishing Scams? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. VirtualArmour is full of experts like the cybersecurity engineer who helped us write this educational article. Whether you need help drafting a cybersecurity strategy, are looking for someone to monitor your network 24/7/365 for suspicious activities, or are looking to bolster your internal IT or cybersecurity team, our team is here to help. For more information, or to start improving your organization’s cybersecurity posture, please contact our team today.

About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour. You can learn more about him on his LinkedIn.

GoDaddy: Have You Been Impacted and What to Do Next?

Last updated August 19, 2022

Summary:

  • In 2021, GoDaddy’s Managed WordPress hosting environment was accessed by an unauthorized third party using a compromised password.
  • The hack accessed the personal data of an estimated 1.2 million Managed WordPress customers, exposing them to potential phishing attacks.
  • Other web hosting providers are also vulnerable to these attacks, which fall into three categories: general web hosting vulnerabilities, shared hosting vulnerabilities, and VPS and cloud-hosting vulnerabilities.
  • Following website best practices, creating an incident response plan, and investing in cybersecurity training for employees can minimize your organization’s risk and help you avoid similar threats.

On November 22, 2021, the hosting platform GoDaddy revealed that an unauthorized third party had accessed their Managed WordPress hosting environment. Unfortunately, GoDaddy isn’t unique; many hosting providers remain vulnerable to similar attacks. In this article, we will discuss what is known about the incident so far.

What We Know About the Attack So Far

GoDaddy responded swiftly and effectively, working with law enforcement and an IT forensics firm to thoroughly investigate the incident and take appropriate steps to safeguard users. 

What Happened?

On November 17, GoDaddy identified suspicious activity inside their Managed WordPress hosting environment, triggering an internal investigation with the help of an IT forensics firm. It was later determined that an unauthorized third party had used a compromised password to access the provisioning system for their Managed WordPress legacy codebase.

In response to this troubling discovery, GoDaddy immediately blocked the unauthorized third party from their system and began alerting affected users. 

So far, the investigation reveals that the unauthorized third party had been using these compromised credentials to gain access to the system beginning on September 6, with a goal of obtaining private customer information, including:

  • The email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress customers, which the company said may increase the chances of phishing attacks.
  • The original WordPress Admin passwords set on these accounts. As a preemptive measure, any account still using its original WordPress Admin password was subject to a password reset.
  • The SFTP and database usernames and passwords of active users. Once this was discovered, GoDaddy immediately reset the passwords on these accounts.
  • The SSL private keys of a subset of active customers. To address this, GoDaddy immediately began issuing and installing new certificates on affected accounts.

Six Additional Web Hosting Providers Impacted

GoDaddy has also revealed that six other web hosts have been impacted by this incident. All six are European resellers of GoDaddy’s Managed WordPress hosting services and include:

What is GoDaddy Doing to Address the Situation?

The investigation is ongoing, and in addition to the actions outlined above, all impacted customers will be contacted directly by the GoDaddy team and provided with specific details. Customers can also contact the GoDaddy team via their online help center, which also includes country-specific phone numbers. 

It Isn’t Just GoDaddy; All Hosting Providers Are Vulnerable

While GoDaddy is currently in the spotlight, incidents like this are hardly unique to one hosting provider. Cybercriminals frequently target websites, and many of those attacks are targeted at web hosting accounts.

Common web host vulnerabilities fall into three main categories: general web hosting vulnerabilities, shared hosting vulnerabilities, and VPS and cloud hosting vulnerabilities:

General Web Hosting Vulnerabilities

Botnet-Building Attempts

This is when attackers attempt to use publicly available exploits to hijack your web servers and use your infrastructure as part of a botnet (connected computers instructed by a third party to perform repetitive tasks) to attack other organizations. 

Less secure web hosting providers are particularly vulnerable. However, once these vulnerabilities are discovered, they are typically patched fairly quickly.

DDoS Attacks

DDoS (distributed denial of service) attacks flood web servers or other online services with traffic in an attempt to crash the system. This can be done either by a large group of cybercriminals or a single criminal commanding a botnet. The goal of DDoS attacks is to overload the server and prevent legitimate users from accessing a company’s services or products.

Web Server Misconfigurations

Many basic website owners, particularly those using low-cost shared hosting, often have no idea whether or not their servers have been correctly configured. This is problematic because misconfigured servers are often left vulnerable and may be running unpatched or outdated applications. 

Incorrectly configured servers may also be unable to accurately verify access rights, and hiding restricted functions or links behind an obscure URL alone is unlikely to deter attackers. Attackers are likely technologically savvy enough to guess the probable parameters and typical locations of this sensitive information and then simply use brute-force attacks to gain access. 

Shared Hosting Vulnerabilities

If having your own server is like owning a single-family home, shared hosting environments act more like apartment buildings, where each account has its own unit within the larger structure. Unfortunately, that means a single attack can impact all of the accounts on a single server. 

Non-Siloed Environments

Organizations that opt for shared hosting accounts are particularly vulnerable because these types of accounts exist like large pools of data. Though each account is allocated its own select resources, they all exist within a single environment, so all data, content, and other files occupy the same space and are only divided based on the file structure.

Since all of this data is stored in one location, shared hosting sites are intrinsically linked. This means that if an attacker is able to access the main directory, all sites within the pool may be at risk, and a single compromised account could provide the attacker with a way into the supposedly closed system.

Software Vulnerabilities

All types of hosting accounts can contain software vulnerabilities, but shared servers are typically more at risk. This is because the large number of accounts per server means that each server is likely to host a variety of different applications, each of which will need to be updated regularly to take advantage of security patches and other updated security measures. A single unpatched or out-of-date application may leave the entire server vulnerable.

Malware (Including Ransomware)

Malware, and particularly ransomware, is a growing problem. Though a ransomware attack may target any hosting provider, shared hosting servers are particularly ill-adapted to contain such an attack. Because multiple accounts are hosted on a single server, it is easy for a ransomware attack to spread from one company’s account and infect the rest of the accounts on the same server.

Shared IP Addresses

Shared hosting accounts also share IP addresses, with multiple sites typically being identified by a single IP address, much like all units in a single apartment building share one street address. Unfortunately, this means that if one account is compromised and begins sending out spam or otherwise behaving badly and is blacklisted by a company or service, all other sites sharing that IP address will be blacklisted as well. 

This is problematic because getting an IP address removed from a blacklist is typically quite difficult, and organizations are unlikely to cooperate if one of the accounts attached to that IP address continues to behave badly or disregard the organization’s terms of service.

VPS & Cloud Hosting Vulnerabilities

Though virtual private servers (VPS) or cloud hosting options are typically more secure than shared hosting options, they are still vulnerable. Attackers often target these types of hosting accounts because of the advanced interconnected nature of these servers, presenting a lucrative payday for hackers. As such, these types of attacks are also typically carried out by more experienced attackers using advanced methods. 

Cross-Site Security Forgery

Cross-site security forgery, also called cross-site request forgery (CSRF), is a flaw that generally affects websites built using unsecured or poorly secured infrastructure. For convenience, many users save their credentials on select platforms, which can be a risky decision if the corresponding website is not secure. 

During a CSRF attack, the end-user is forced to execute an unwanted action, such as automatically transferring funds, on a web application in which they are currently authenticated. Using social engineering (such as sending a compromised link via chat or email), an attacker may be able to trick users of a specific web application into doing what the attacker wants without the attacker having to bother trying to determine a username or password. 

This works because the attacker has already queued up the action they wish to perform (such as transferring funds). When the unsuspecting user clicks the link, they are automatically logged in because their credentials are saved, and the application completes the action before the user is even aware of what happened.

This can be particularly devastating on admin accounts and can compromise the entire web application. 
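As an added example (not code from the original article or from GoDaddy), the following Python simulation shows a funds-transfer handler that trusts the session cookie alone beside one that also requires a per-session anti-CSRF token generated from a cryptographically secure random source; the session store, request objects, account names and balances are all constructed for the example.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session (constructed stand-in for the app's session store).
    The token comes from a CSPRNG; a predictable generator would let the
    token be guessed and the check defeated."""
    user: str
    balance: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """A request as the server sees it: the session cookie the browser attached
    automatically, plus the submitted form fields."""
    session_id: str
    form: dict


SESSIONS: dict[str, Session] = {}


def login(user: str, balance: int) -> str:
    """Creates a session and returns its id (the value stored in the cookie)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user, balance=balance)
    return sid


def page_token(session_id: str) -> str:
    """The site's own transfer form embeds this value in a hidden field."""
    return SESSIONS[session_id].csrf_token


def transfer_vulnerable(req: Request) -> str:
    """Vulnerable handler: a valid session cookie is all it takes, so a request
    queued up by a third-party page goes through unchallenged."""
    session = SESSIONS.get(req.session_id)
    if session is None:
        return "denied: not logged in"
    amount = int(req.form["amount"])
    session.balance -= amount
    return f"transferred {amount} to {req.form['to']}"


def transfer_hardened(req: Request) -> str:
    """Hardened handler: also requires the per-session token, which a page on
    another origin cannot read and therefore cannot supply."""
    session = SESSIONS.get(req.session_id)
    if session is None:
        return "denied: not logged in"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "denied: missing or invalid CSRF token"
    amount = int(req.form["amount"])
    session.balance -= amount
    return f"transferred {amount} to {req.form['to']}"


def demo() -> tuple[int, int, int]:
    """Replays the same forged request against both handlers and returns the
    resulting balances (vulnerable, hardened, hardened after a genuine form)."""
    forged_form = {"to": "unknown-account", "amount": "500"}  # no token field

    sid = login("alice", 1000)
    transfer_vulnerable(Request(sid, dict(forged_form)))
    after_vulnerable = SESSIONS[sid].balance          # 500: forgery succeeded

    sid = login("bob", 1000)
    transfer_hardened(Request(sid, dict(forged_form)))
    after_hardened = SESSIONS[sid].balance            # 1000: forgery blocked

    genuine = {"to": "landlord", "amount": "200", "csrf_token": page_token(sid)}
    transfer_hardened(Request(sid, genuine))
    return after_vulnerable, after_hardened, SESSIONS[sid].balance  # (500, 1000, 800)
```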

SQL Injections

SQL injections work by extracting data, such as customer information or financial data, from a system as the data is sent to and from your database server. If this route is not secure, attackers can insert SQL scripts into the infrastructure and scan all data queries before they even reach the server. 

This attack works like a postal delivery worker opening and reading all of your mail and copying down any private information they discover before delivering your letters and parcels. 
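An added example, not from the original article: a customer lookup that splices the caller's input into the SQL text beside the parameterized form (plus an input-shape check as defense in depth), run against a constructed in-memory SQLite table.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, account_no TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "ACC-0001"),
         (2, "bob@example.com", "ACC-0002"),
         (3, "carol@example.com", "ACC-0003")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the caller's input is spliced into the SQL text, so the
    database engine cannot tell where the data ends and the query begins."""
    sql = f"SELECT id, email, account_no FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value is bound as a parameter and is only ever treated as
    data, whatever characters it contains."""
    sql = "SELECT id, email, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


EMAIL_SHAPE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def lookup_defended(conn: sqlite3.Connection, email: str) -> list:
    """Defense in depth: reject input that does not even look like an email
    before it reaches the database, and still use a bound parameter."""
    if not EMAIL_SHAPE.match(email):
        raise ValueError("rejected: input is not a plausible email address")
    return lookup_parameterized(conn, email)


def demo() -> tuple:
    """Runs one constructed input containing SQL metacharacters through both
    lookups and returns how many customer rows each one hands back."""
    conn = build_db()
    crafted = "x' OR '1'='1"
    return len(lookup_vulnerable(conn, crafted)), len(lookup_parameterized(conn, crafted))  # (3, 0)
```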

Exploiting XSS Flaws

Harmful XSS-based scripts are small programs that can be used to either access confidential information or redirect legitimate users to fraudulent websites. 

Though this attack is most commonly used by attackers looking to capture usernames and passwords or trick users into entering their credit card number or other sensitive information into a fraudulent website (such as one that is designed to look almost exactly like your bank’s website), this technique can also be used by organizations to carry out fraudulent business operations.

Insecure Cryptography

Cryptography algorithms typically rely on random number generators, but not all random number generators are made equal, and some random number generators may produce easily guessable numbers which attackers can use to their advantage.  

Virtual Machine Vulnerabilities

Multiple virtual machines can be run on top of hypervisors in physical servers. However, if there is a vulnerability in the hypervisor, attackers may be able to infiltrate the system remotely and gain access to all virtual machines hosted on a physical server. Though this type of attack is rare, it is still possible, and organizations that use virtual machines should take appropriate steps to safeguard their infrastructure. 

Supply Chain Weaknesses

One of the benefits of cloud hosting is resource distribution, but unfortunately, this can also be a source of vulnerabilities. If not all organizations in the cloud supply chain are as studious as your organization about security, they could leave the entire chain vulnerable.

Insecure APIs

APIs (application programming interfaces) are designed to help streamline cloud computing processes, but they can allow attackers to easily infiltrate your cloud infrastructure if they aren’t secured properly. 

Reusable components are incredibly popular, which can make it difficult to safeguard your organization against this type of attack. To gain unauthorized access, an attacker can simply make basic access attempts repeatedly until they find a single vulnerability that lets them into the system.

Steps You Can Take to Protect Your Organization & Your Website

In the modern era, it is an unfortunate truth that it isn’t so much if your organization will experience a cybersecurity incident, but when. Luckily, there are steps you can take to safeguard your website and your organization as a whole. 

Website Best Practices For Static Sites 

One of the best things you can do to safeguard your website is to make sure you are following website security best practices.

If you have a static site, you should ensure that you have an SSL certificate and keep your software up to date. You should also keep an eye on your website using uptime monitoring programs so that you are alerted any time your site undergoes an unexpected content change. 

By keeping an eye on your website, you can quickly learn if an incident has occurred, allowing you to mitigate or even prevent damage if your website is defaced or otherwise compromised.

For WordPress or Other Database Websites (Like Those Impacted by the GoDaddy Attack)

There are a few things you can do to better safeguard your WordPress website. This includes implementing a robust username and password policy and adding multi-factor authentication. If you need to store passwords on your website for any reason, you should ensure that all passwords are encrypted, and you may want to consider using OAuth or another third-party identity management site.  

You should also consider implementing rate limiting or limiting user logins based on the number of failed login attempts. This can help safeguard your website from brute-force attacks. You should also strongly consider changing your admin username from the default “Admin” to something harder to guess.

Rate limiting can help safeguard your website from botnets involved in brute force attacks. Rate limiting allows users almost unlimited login attempts but artificially introduces a delay between each attempt. Even a seemingly insignificant delay of a second or two can slow down a brute force attack, buying your organization more time for someone to notice something is amiss and take appropriate action. 
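An added example, not from the original article or from WordPress, of the two controls just described in Python: a per-account delay that grows with each failed attempt, plus a lockout after a fixed number of failures; the thresholds and the `verify` stand-in are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class AttemptState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time (seconds) another attempt is accepted


@dataclass
class LoginThrottle:
    """Per-account throttle: a delay that doubles with each failed attempt,
    plus a hard lockout once the failure count reaches `lockout_after`.
    All thresholds are illustrative assumptions, not WordPress defaults."""
    base_delay: float = 2.0         # seconds imposed after the first failure
    max_delay: float = 60.0         # cap on the growing delay
    lockout_after: int = 10         # failures before the account is locked
    lockout_seconds: float = 900.0  # length of the lockout
    state: dict[str, AttemptState] = field(default_factory=dict)

    def check(self, username: str, now: float) -> tuple[bool, float]:
        """Returns (allowed, seconds_to_wait). Call before verifying a password."""
        st = self.state.get(username)
        if st is None or now >= st.next_allowed:
            return True, 0.0
        return False, st.next_allowed - now

    def record_failure(self, username: str, now: float) -> float:
        """Registers a failed attempt and returns the delay now in force."""
        st = self.state.setdefault(username, AttemptState())
        st.failures += 1
        if st.failures >= self.lockout_after:
            delay = self.lockout_seconds
        else:
            # 2, 4, 8, ... seconds: even a short pause turns a guessing run of
            # thousands of attempts per minute into one slow enough to notice.
            delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed = now + delay
        return delay

    def record_success(self, username: str) -> None:
        """A correct password clears the counter for that account."""
        self.state.pop(username, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  now: float, verify: Callable[[str, str], bool]) -> str:
    """Login flow with the throttle in front of the password check. `verify`
    stands in for the real credential check; `now` is injected so the flow
    is deterministic (a real deployment would use time.monotonic())."""
    allowed, wait = throttle.check(username, now)
    if not allowed:
        # The password is not even examined while the account is throttled.
        return f"throttled: retry in {wait:.0f}s"
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    delay = throttle.record_failure(username, now)
    return f"failed: next attempt allowed in {delay:.0f}s"
```

The throttle is keyed by account name here; deployments usually key on the client address as well, so that a single remote source cannot keep a legitimate user locked out.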

You should also seriously consider changing your login path from the default URL. WordPress is the most commonly used content management system on Earth, and many WordPress websites continue to use the /wp-admin/ login path. As such, attackers may use this knowledge to quickly locate and access your login page. By making the login page harder to find, you can help dissuade attackers or at least buy your team more time to respond.

Interview Your Hosting Provider & Review Your SLA Carefully

The GoDaddy security incident has demonstrated how much a website’s security depends on the security of its hosting provider. Though life, and cybersecurity in particular, offers no guarantees, here are a few questions you should ask your hosting provider in light of this recent attack.

  1. Ask your hosting provider how they monitor their network. Suspicious activities can’t be stopped if they aren’t detected, so you want to make sure your hosting provider is carefully monitoring their internal network by asking them how their network is monitored, who is responsible for monitoring, and what sort of red flags they are actively looking for.
  2. Ask about their antivirus and malware scanning and removal processes. Malware continues to be a threat, so you need to know what sort of malware protection your host offers and what steps they take to secure your website. You should also ask if their support team is scanning your account and request a copy of these internal reports. You also need to be clear on what will happen if your account is infected and what steps your hosting provider will take to help you identify and remove malware on your website.
  3. Don’t forget SSL, firewalls, and DDoS prevention. You should also ask your provider what sort of protocols they have in place to prevent cyberattacks like the one experienced by GoDaddy. You should also find out if your hosting provider offers SSL certificates or if that is something your team will need to handle. Most providers don’t handle SSL certificate implementation, but they do need to provide you with the certificate so your team can implement it. 

You should be able to find at least some of this information in your SLA (service level agreement), but if the answers to any of these questions are missing, you should reach out to your contact at your hosting provider for more information.

You should also lock down your folders and subdirectories to make it more difficult for unauthorized users to access exploits or vulnerabilities associated with back-end software and upload files containing malware. You should also consider adding bot filters and maintaining an active blacklist to help you filter out bots and prevent brute-force attacks. 

Create an Incident Response Plan & Invest in Cybersecurity Training for All Employees

When it comes to cybersecurity, it is always best to be proactive instead of reactive. Having a robust incident response plan in place will allow you to respond to attacks quickly and effectively while helping limit damage and make your recovery smoother.

For more information, please consider reading our educational guide on creating an effective incident response plan.

Beware of Possible Phishing Scams

In their statement, GoDaddy specified that customers whose email addresses were exposed are now more likely than ever to be targeted by phishing attacks. However, all organizations should ensure their employees know what sort of red flags to look for when it comes to phishing scams. To help improve your employee cybersecurity training and educate your team, please consider reviewing our educational article Don’t Let Phishing Scams Catch You Unaware.

Whether your organization has been directly impacted by the GoDaddy security incident or not, now is an excellent time to review your website’s cybersecurity best practices. For more information, or to start improving your cybersecurity stance, please contact our team today.

What Your Vulnerability Scan Report is Telling You (& What It’s Not)

Last updated August 18, 2022

Summary:

  • Vulnerability scans provide visibility of your cybersecurity posture’s weaknesses before cybercriminals can exploit them. They look for weak points in your software and firmware, plus configuration issues in your network’s endpoint devices.
  • Vulnerability scans for SMBs should check for weaknesses in software, web applications, and encryption configurations. They should also look for potential information leaks and ways to reduce your attack surface.
  • Free vulnerability scanning tools (like Burp Suite, Nmap, Wireshark, and OpenVAS) exist but are usually limited in scope.
  • VirtualArmour provides one-time vulnerability scans for compliance purposes and managed security scanning conducted by experts who use the data they collect to keep improving your cybersecurity posture over time.

Cyber attacks, and ransomware attacks in particular, are on the rise, and this troubling trend is likely to continue. Having an effective incident response plan in place is vital for protecting your organization and its digital assets, but even the best plan is only as good as the facts that inform it.

To create a solid incident response plan, you need specific, actionable information about your current cybersecurity posture. A vulnerability scan gives your cybersecurity team invaluable insight into your current cybersecurity posture’s weaknesses or deficiencies so those cracks in your armor can be addressed before cybercriminals are able to use them against you. 

As an MSSP (see also: what is a managed security services provider?), we run vulnerability scans regularly as part of our managed cybersecurity services.

What is a Vulnerability Scan?

A vulnerability scan involves having trained cybersecurity experts evaluate your IT infrastructure for software and firmware vulnerabilities, as well as evaluate all devices that connect to your network for configuration issues that pose security gaps. Using this valuable information, your cybersecurity team or partner can develop strategies and solutions to address these shortcomings before cybercriminals are able to leverage them and sneak past your defenses.

Whether you opt for a one-time engagement scan or ongoing vulnerability scanning as part of a larger suite of managed services (such as managed SIEM), a vulnerability scan is a critical component of any robust cybersecurity posture. 

What Should All SMBs Look for in their Vulnerability Scans?

What weaknesses your vulnerability scan will look for will vary slightly between organizations, but all comprehensive scans should assess your systems for: 

Vulnerable Software

Software vulnerabilities are the most common vulnerability discovered. This type of scan involves checking for known weaknesses in all the third-party hardware and software your system relies on. These known weaknesses are discovered by security researchers and typically only pose an issue in select versions of particular technologies. 

When software engineers employed by software companies discover a vulnerability or other issue in their code, they create security patches (small corrective snippets of code) to address the issue. However, you can only take advantage of the security patch if you download it, which is one of the many security reasons you should be keeping your software up to date. Cybercriminals frequently try to exploit known vulnerabilities in recently patched software in the hope that not all organizations are as studious as yours about keeping their software up to date.

Web Application Vulnerabilities

Another common type of vulnerability cybercriminals often seek to exploit is a security gap in a web application, which can be used to gain unauthorized access to sensitive data, compromise your web server, or attack the application’s users. 

Whether you are using third-party applications designed by other companies or proprietary in-house applications, make sure any vulnerability scan you commission includes web application vulnerability scanning. 

Common Misconfigurations & Mistakes

Sometimes the issue isn’t the software or the hardware, but the people using it or configuring it. Incorrectly configured software can inadvertently leave your entire system vulnerable, and you may not even realize it. 

Not following established security best practices can also leave your network vulnerable. After all, investing in a high-quality, unbreakable lock is only useful if you don’t leave the key under the mat (or your password written on a sticky note under your keyboard). 

Make sure you have security best practices in place and that those practices are effectively communicated to all network users. Investing in employee cybersecurity training can not only help curtail network vulnerabilities but can also help secure your network in other ways by making it less likely employees will fall for phishing scams (or other social engineering based attacks). Security-minded employees are also better able to identify potentially suspicious activities (such as strange network traffic), so they can alert your security team. 

Encryption Configuration Weaknesses

A good vulnerability scan will also assess the encryption configurations used to safeguard data in transit between your users and your servers. 

When looking for encryption configuration weaknesses, make sure your scan is looking for issues with SSL/TLS (secure sockets layer/transport layer security) implementations, such as weak encryption ciphers (ciphers that attackers can break with little effort), SSL certificate misconfigurations, and the unintentional use of unencrypted services such as FTP (file transfer protocol). 

Attack Surface Reduction

An effective strategy for improving your cybersecurity posture is to limit your attack surface area. You should only publicly expose core services or systems if you absolutely have to, and those exposed surfaces should be continuously monitored for suspicious activities. When choosing a vulnerability scanner, make sure you select one that assesses your attack surface area for issues such as unprotected ports and services that are exposed to the wider internet. Examples of vulnerable attack surfaces include exposed databases, exposed administrative interfaces, and sensitive services such as SMB (server message block). 

Information Leaks

Information leaks involve exposing information to end users when that data should remain private. 

In addition to assessing your system, the final report of your vulnerability scan should include both the weaknesses discovered (in plain, accessible language so that even non-technical team members are able to understand what was discovered) as well as concrete, actionable recommendations for remedying the situation. When it comes to cybersecurity, information is only useful if it can be easily understood and acted upon. That’s why it is vital you choose a cybersecurity partner whose goal is to educate and inform your team and help you improve your cybersecurity posture.

Not all vulnerability scans will include checks in all of the above categories, and the quality and number of checks a scan includes will vary between organizations. As such, it is critical to do your research before conducting a scan, particularly if you are opting for a paid option, to ensure the scan will meet your needs.

Free vs Paid Vulnerability Scanning

User Beware: “Free” Doesn’t Always Actually Mean Free

The term “free” can vary from scanner to scanner, with some offering a free trial, a free version for non-commercial use only, or limited functionality at the free tier. As such, make sure you are clear about what the free version does and does not include before you sign up, and do your research to ensure the free scan will actually give you the information you need in a format you can actually use to improve your security posture. 

Just Because You Aren’t Paying with Money Doesn’t Mean There Isn’t a Cost

When it comes to many “free” vulnerability scans, you may not be paying with money, but there is still a cost. These tools are often limited in scope, so you likely aren’t getting the whole picture. This can lead to a false sense of security as you metaphorically check that the front door is locked while leaving the back door wide open. 

As you will soon see, these tools are also frequently not very user-friendly (at least for individuals who aren’t already technology experts), which can mean either hiring a tech expert just to perform your free scan or setting time and personnel aside to learn how to use this product, pulling them away from critical tasks. Free software is typically developed on an extremely limited budget, and UX design is often an “extra” that is left out, making it difficult for even the most technically inclined to get useful information out of these tools. 

Free vulnerability scans are also not carried out by teams of experts and are frequently just tools you can use to assess select aspects of your infrastructure on your own, so even the most comprehensive versions will still require your team to take the information they have gathered and turn it into actionable suggestions. 

Paid options are almost always more user-friendly and typically come with ongoing support and guidance. They are more likely to offer a polished, easy-to-understand report detailing what vulnerabilities were discovered, as well as actionable advice on how to address these issues and improve your security posture. 

Top 4 Free Vulnerability Scanning Tools (& What They Can Tell You)

While paid vulnerability scan options typically yield more detailed and in-depth information (and cover a wider range of checks), free scanning tools can help small organizations on a tight budget assess specific areas of their networks (such as their web applications or security patches).

However, these scanning tools tend to be limited in scope, so you may need to run several in order to piece together a full list of all vulnerabilities on your network.

Burp Suite (Owned by PortSwigger)

Burp Suite is a popular web vulnerability scanner used by a variety of organizations and offers a free version (referred to as their Community Edition). However, this free version has limited functionality and does not include automation capabilities. This version contains essential manual tools and is mostly aimed at researchers and hobbyists. 

Burp Suite is Java-based and can be used to check for SQL injections, cross-site scripting (XSS), and other web vulnerabilities, as well as for security auditing and compliance purposes.

Nmap

Nmap bills itself as a pen-testing tool but works more as a port scanner. Nmap scans your network and flags ports that are vulnerable, which can aid in pen-testing. In addition to port scanning, Nmap can also look for other vulnerabilities in your systems and networks, monitor host uptime, service uptime, and map network attacks when they occur. By pointing out potential weaknesses, it has its strengths as an auditing tool, but it isn’t able to actually show users how the vulnerabilities it discovers could be penetrated.

Nmap is an open-source tool aimed at ethical hackers looking for network weaknesses. Like all open-source software, Nmap is free, but like other open-source programs, it isn’t particularly easy to use unless you are already familiar with using open-source software. 

Wireshark

Wireshark is a well-known open-source network protocol analyzer designed to help with select network vulnerability scanning tasks. It relies on packet sniffing to understand your network traffic patterns, which is useful for network administrators looking to design effective countermeasures. 

By detecting suspicious network traffic, Wireshark can help you discover errors and detect if an attack is underway, categorize the attack, and help you implement rules to protect your network. However, like other open-source options, it isn’t particularly easy to use for the non-technically inclined and will need to be carefully managed and configured in order to meet your organization’s needs.

OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a free, open-source platform offering a variety of vulnerability management services. Designed as an all-in-one scanner and maintained by Greenbone Networks, it is designed to perform over 50,000 vulnerability tests and is updated daily.

OpenVAS is designed to run in a Linux-based environment and is aimed at experienced open-source users looking to perform pen-tests or targeted scans. However, like the other open-source tools in this list, it isn’t particularly easy to use for the non-technically savvy, and installing and using this tool poses a significant learning curve. Because it is so difficult to install and learn to use correctly, it can take a lot of time to get up and running smoothly, which can eat up employee time and pull them away from other tasks. 

What Information Does Your VirtualArmour Vulnerability Scan Contain?

VirtualArmour offers both one-time vulnerability scanning engagements (vulnerability assessment) and ongoing managed security scanning (vulnerability scanning premium).

One-Time Scan: Vulnerability Assessment

Our one-time vulnerability assessments include both an external scan and a certificate scan and can be useful for auditing purposes or to prove compliance.

Ongoing Vulnerability Scanning: Vulnerability Scanning Premium

Our ongoing vulnerability scanning solution (Vulnerability Scanning Premium) is designed to expose and notify you of potential security gaps in your environment before they can be exploited by cybercriminals. As part of this process, our team of experts will identify:

  1. Software and firmware vulnerabilities
  2. Weak security policies and configurations
  3. Outdated software and operating systems that could be used to penetrate your endpoints and infrastructure 

Our team will also scan and audit your publicly exposed resources (such as file servers and web applications) with the goal of minimizing your attack surface as much as possible. 

Vulnerability Scanning Premium can also be integrated with our managed SIEM option, offering more comprehensive data and additional context for alerts. 

Vulnerability Scanning Premium also includes: 

  • Custom vulnerability severity levels
  • Defined processes and escalation procedures
  • A record of all vulnerabilities detected across your environment, both on-premises and in the cloud
  • Threat intelligence feeds
  • SIEM platform enrichment using vulnerability analytics

This premium option also offers both periodic and on-demand reports, so you always know exactly what is going on, improving your organizational agility by making it easy to respond to issues as they come to light. All asset vulnerabilities are correlated with network configuration and traffic data, allowing us to identify active attack paths across your network. This vital information is used to simulate threat vectors and predict how a theoretical attack could potentially spread across your network. This can help you adjust your incident response plan as necessary and help you take a proactive rather than reactive approach.

In addition to these security benefits, continuous vulnerability scanning can help ensure your organization is complying with relevant legislation, helping you avoid the costly fines associated with noncompliance. Our team of security engineers will continuously analyze the results of your vulnerability scans and use this information to craft concrete, actionable recommendations designed to improve your overall security posture across your organization’s infrastructure, from core to cloud.

For more information about the importance of vulnerability scanning, or to learn more about our vulnerability scanning options, please contact our team today.