Table of Contents
Chapter 1; Introduction to Cybersecurity Threat Landscape
Chapter 2; Explore The Threat of Malware And Ransomware
Chapter 3; Protect Against Malware And Ransomware
Chapter 4; Explore The Threat of Phishing And Smishing
Chapter 5; Explore The Threat of Business Email Compromise
Chapter 6; Protect Against Business Email Compromise
Chapter 7; Explore The Threat of Botnets And DDoS Attacks
Chapter 8; Protect Against Botnets And DDoS Threats
Chapter 9; Exploring The Threat of Zero-Day Attacks
Chapter 10; Mitigating Zero-Day Attacks
Chapter 11; Protecting Against AI-Based Cyberattacks
Chapter 12; Exploring The Threat of Advanced Persistent Threats (APTs)
Chapter 13; Protecting Against Advanced Persistent Threats (APTs)
Chapter 14; Explore The Risk of Insider Threats
Chapter 15; Protect Against Insider Threats
Chapter 16; Explore The Threat of Unmanaged IoT Devices
Chapter 17; Protect Against Unmanaged IoT Devices
Chapter 18; Explore The Threat of Shadow IT
Chapter 19; Protect Against Shadow IT
Chapter 20; The Threat of Supply Chain Attacks And Third-Party Risks
Chapter 21; Stay up to Date on Cybersecurity
Chapter 1; Introduction to Cybersecurity Threat Landscape
Modern cyber attacks are constantly evolving. Not long ago, internet of things (IoT) devices and deepfakes didn't even exist. Now they are emerging threats that shouldn't be ignored. This unpredictable change requires organizations to frequently survey the threat landscape and reassess the strength of their cybersecurity. Based on the threats, your organization may need to invest in new technologies and implement new security controls. I am excited to share with you the latest intelligence about the shifting cybersecurity threat landscape. In this guide, I will cover many of the most common cybersecurity threats, plus some emerging threats you should know about. I will also show you ways you can protect against these threats and share resources to get more information about them. Keep in mind that the cybersecurity threat landscape may be different for different organizations. If your organization handles a lot of sensitive data, you are likely to be the target of more cybersecurity threats than an organization that doesn't. But it's important to understand today's threat landscape in any case, because for every organization, it's not a matter of if they will be targeted by one of these threats but when. If you are ready to explore the cybersecurity threat landscape.
Chapter 2; Explore The Threat of Malware And Ransomware
Malware has been a serious cybersecurity threat to both individuals and organizations since the late 1980s. Ransomware is a form of malware with a specific purpose, so it makes sense to examine them together. First, what is malware? Malware is a catchall term for any software that is designed to gain unauthorized access to computers or network equipment with the goals of causing damage, extracting information, or making money for the attackers. Malware can take on many forms, including viruses, worms, Trojans, rootkits, adware, and spyware.
A growing form of malware attack is known as cryptojacking. This malware variant exploits a vulnerable computer and uses its processor, memory, and electricity to mine cryptocurrency for the attacker. While there are many types of malware, the infection methods are often similar. There are two main ways that systems become infected with malware. The first is system vulnerabilities. These are flaws in hardware or software that allow malware to get installed and function. Usually, patches exist to fix these vulnerabilities, but users and organizations don't always apply these patches in a timely manner, leaving themselves exposed. And even old vulnerabilities are still targeted by malware attackers. In 2020, a Microsoft Office vulnerability first identified back in 2012 (CVE-2012-0158) was still included in the joint CISA and FBI list of the top 10 most routinely exploited security flaws. The second most common way that systems get infected with malware is users falling prey to social engineering.
This happens when attackers successfully convince a user to download infected software, open an infected email attachment, or connect an infected disk or drive. Even then, the malware still has to be able to run and reach what it is after on that system, so hardening (applying patches, running everyday users without administrator rights) limits how much damage a tricked user can do. Now let's look at ransomware.
Ransomware is a form of malware that has a special purpose. It encrypts data and files on the infected computer and instructs the user to send the attackers money to recover their information. In some cases, attackers will also steal files from the victim's systems before encrypting them and threaten to publish those files to increase the pressure to pay. This is known as double extortion. Ransomware can be a lucrative income for attackers. In 2020, the FBI's Internet Crime Complaint Center, or IC3, received 2,474 ransomware complaints that cost victims over $29.1 million. Of course, these are only the attacks in the US that were reported. The actual number of worldwide attacks and money made with ransomware is much higher.
Although ransomware can use any of the malware attack techniques I mentioned earlier, one of the most common is the fake urgent email with a malicious link or attachment designed to trick users into clicking the link or opening the attachment. This is a phishing attack, which is another threat I'll cover in this course. Due to their success and huge ransom demands, ransomware attacks have generated a lot of dramatic headlines, like the 2021 reports of Acer facing a $50 million ransom demand that the attackers threatened to double to $100 million if it wasn't paid by their deadline. As long as systems remain vulnerable and users keep falling for social engineering attacks, malware and ransomware will continue to be serious components of the cybersecurity threat landscape.
Chapter 3; Protect Against Malware And Ransomware
A successful malware or ransomware attack can be catastrophic for both individuals and organizations. There are some simple steps you can take though to protect against both malware and ransomware. Let's look at five of them.
First is frequent backups. If your system has been compromised by malware or ransomware, you may have lost access to some or all of the data on that system. If you've been keeping frequent data backups however, the impact goes from possibly devastating to merely inconvenient. Simply restore the backed up data onto an uninfected system. Backing up your data is especially important to recover from ransomware attacks that specifically target your data. Keep at least one copy offline or otherwise immutable, because ransomware operators routinely look for reachable backups and encrypt or delete them before they trigger the main encryption. Also make sure you test your backups. You don't want to attempt restoring your backups in an emergency only to find they're corrupted or incomplete.
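The restore test described above can be automated: record a hash of every file when the backup is taken, then compare a trial restore against that record. The script below is an added example, not part of the course; the file names, contents, and the temporary directories are constructed so it runs offline.

```python
"""Create a SHA-256 manifest of a backup set and verify a restore against it.

Added example (not from the course). Sample files and paths are constructed
in a temporary directory so the script runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": _sha256(p)}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree to the manifest taken at backup time.

    Returns {"missing": [...], "corrupt": [...], "extra": [...]} so a restore
    test fails loudly instead of silently passing an incomplete backup.
    """
    present = build_manifest(restored)
    missing = sorted(set(manifest) - set(present))
    extra = sorted(set(present) - set(manifest))
    corrupt = sorted(
        rel for rel in manifest
        if rel in present and present[rel]["sha256"] != manifest[rel]["sha256"]
    )
    return {"missing": missing, "corrupt": corrupt, "extra": extra}


def demo() -> dict:
    """Constructed scenario: one file restored intact, one truncated, one never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (...);\n")
        (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        (src / "notes.txt").write_bytes(b"quarterly figures\n")
        manifest = build_manifest(src)
        # In practice the manifest is stored with the backup; round-trip it through JSON here.
        manifest = json.loads(json.dumps(manifest))

        restored = Path(tmp, "restored")
        (restored / "db").mkdir(parents=True)
        (restored / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (...);\n")
        (restored / "config.ini").write_bytes(b"[app]\nmode=pro")  # truncated copy
        # notes.txt is deliberately not restored.
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the backup job cannot overwrite it (or sign it); if an attacker can rewrite both the backup and its manifest, the check proves nothing.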
Second, apply security updates and patches. Most malware, ransomware included, relies on vulnerabilities that already have fixes available. You can significantly reduce your exposure to malware and ransomware attacks by making sure your systems have all their security updates and patches, prioritizing internet-facing systems and flaws that are known to be exploited in the wild.
Third, upgrade to the latest operating system versions. If you've been putting off the expense or hassle of upgrading your operating systems to their most current versions, you could be exposing yourself to vulnerabilities that don't have patches. Plus, current operating systems are often designed to be more secure than previous versions.
Fourth, install firewalls. Firewalls are designed to prevent unauthorized traffic from getting directly to your systems. Many forms of malware attempt to exploit systems that are directly connected to the internet without a firewall. There are also types of malware that, once installed, attempt to communicate with a command and control system outside of the infected network. Configure the firewall to restrict outbound traffic as well, so an infected machine can't reach an arbitrary command and control server; hardware and software firewalls can block these malicious traffic flows in both directions.
Fifth, install anti-malware software. No matter how much you try to protect your network and systems, malware can still be introduced by accident if a user becomes a victim of social engineering. That's why it's important to install anti-malware software on all systems and make sure its signatures are updated at least daily. Prefer products that also watch for suspicious behavior, such as a process rapidly rewriting many files, since signatures only catch malware that has already been seen. By following these security controls, you will be significantly reducing your exposure to malware and ransomware.
Chapter 4; Explore The Threat of Phishing And Smishing
Phishing and smishing are social engineering attacks designed to trick users into sharing sensitive personal information, like usernames, passwords, and credit card details with attackers.
Let's take a look at what these threats are and how they work. Phishing has been around since the 1990s, but it's still going strong. IBM Security X-Force reported that phishing was the top method of compromise in 2021. The most common phishing technique is to send a fraudulent email to a targeted user. The email is designed to look like it came from a trusted entity and it will often appear urgent, so the recipient will quickly open it. Typically, the email will contain a manipulated link that looks like it goes to a real website. If the user clicks the link, though, it goes to a forged website designed to look like the real thing.
Once there, the target will usually be prompted to enter their username and password for the site. If they do, the attacker will now have their credentials for the real site. Depending on the site, this can turn into an immediate loss of information or money for the victim.
In some cases, the phishing email won't have a link. It will have a malicious attachment. If the recipient opens the attachment, it will often attempt to install malware, frequently ransomware, which is another threat I cover in this guide.
One of the keys to a successful phishing attack is making the emails look like they came from trusted sources. So phishing attackers frequently co-opt trusted brands like Microsoft, Apple, Google, Chase, and Amazon. Phishing email subject lines often have a certain style. Here are examples of typical subject lines used in phishing emails. "Your account will be locked." "Important: Please log into your account to verify your info." And "Invoice due." Note how they sound urgent, or at least important enough not to ignore.
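The two tricks described above, a link whose visible text names one site while its href points to another, and a domain that imitates a trusted brand, can both be checked mechanically before a user ever sees the message. The following script is an added example, not from the course: the trusted-brand list, the confusable-character table, and the sample email body are constructed for the demo, and the "last two labels" rule for the registrable domain is a simplification that is good enough for the .com brands used here.

```python
"""Flag phishing-style links in an HTML email body.

Added example (not from the course). Two checks: (1) the visible link text
shows one host but the href goes somewhere else, and (2) the href host is a
lookalike of a trusted brand domain. TRUSTED, CONFUSABLES and SAMPLE are
constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"microsoft.com", "apple.com", "google.com", "chase.com", "amazon.com"}

# Visual substitutions commonly used in lookalike domains (constructed, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Host of a URL or bare domain, lowercased, without a leading 'www.'."""
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def registrable(host):
    """Last two labels (simplified rule; fine for the .com brands used here)."""
    return ".".join(host.split(".")[-2:])


def normalize(host):
    for bad, good in CONFUSABLES.items():
        host = host.replace(bad, good)
    return host


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Trusted domain this host imitates, or None if it is trusted or unrelated."""
    reg = registrable(host)
    if reg in TRUSTED:
        return None
    labels = host.split(".")
    for t in TRUSTED:
        brand = t.split(".")[0]
        if normalize(reg) == t or edit_distance(reg, t) == 1:
            return t
        if any(lbl == brand or brand + "-" in lbl or "-" + brand in lbl for lbl in labels):
            return t
    return None


def analyze(html):
    """Return one finding per suspicious link."""
    p = LinkExtractor()
    p.feed(html)
    findings = []
    for href, text in p.links:
        h = host_of(href)
        if not h:
            continue
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and registrable(shown) != registrable(h):
            findings.append({"href": href, "reason": f"text shows {shown} but link goes to {h}"})
            continue
        target = lookalike_of(h)
        if target:
            findings.append({"href": href, "reason": f"{h} looks like {target}"})
    return findings


SAMPLE = """
<p>Your account will be locked. <a href="http://rnicrosoft.com/verify">Sign in</a></p>
<p>Or visit <a href="https://chase.com.secure-verify.net/login">https://www.chase.com/login</a></p>
<p>Help: <a href="https://support.apple.com/">support.apple.com</a></p>
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

The first link is caught by the confusable rule (rn reads as m), the second by the mismatch between what the user sees and where the link goes, and the genuine Apple support link passes. Real mail gateways also resolve shorteners and inspect redirects, which this example does not.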
Spear phishing is a variety of phishing that customizes email attacks to specific users, hoping the illusion of familiarity will create more trust. Smishing has many of the same characteristics of phishing, but instead of sending fraudulent emails, the attackers send SMS texts to the victim's phone.
Common smishing text messages often impersonate a bank with an urgent message about how your account has been locked due to suspicious activity, or a recent payment was made and the bank needs your confirmation. Then there's usually a link to a malicious site designed to steal your online banking credentials.
Smishing scams can also include text messages about winning a prize that you have to redeem through a website. You should immediately be suspicious of getting anything for free through a text message. Another form of smishing includes text messages impersonating someone you work with, like your boss or the CEO of your company. Threat actors can easily find the company you work for and get your cellphone number to pull off this attack.
They will send a text message, pretending to be your boss or CEO, and ask you to help them with a task. The task often requires you to buy gift cards to give to employees or clients. If you buy the cards, the attackers will ask you to send them the codes, which will allow them to instantly extract the money off the cards. Because both phishing and smishing attacks are cheap, simple, and effective, we can expect that they will continue to be among the most common attacks on the cybersecurity threat landscape.
Chapter 5; Explore The Threat of Business Email Compromise
Business email compromise, or BEC for short, is a cyber crime that can cost organizations a lot of money if they become victims. In this guide, I will cover what BEC attacks are and why they can be so dangerous.
BEC attacks usually start with criminals hacking into email accounts and using them to pretend to be someone they're not. The criminals will then use the hacked email accounts to impersonate C-level executives, finance teams, or even suppliers. Their goal is to trick employees into making large payments or changing the payment process to send funds to a scammer's bank account.
The most common way the email accounts are hacked is through a phishing attack. Since the BEC criminals are going after specific email accounts, this is considered spear phishing.
So, BEC attackers typically combine phishing, social engineering, and financial fraud to pull off these scams. And it is likely they will soon add another technology to the mix: deepfake audio, generated by artificial intelligence, to make the request even more convincing to the victim. BEC criminals will sometimes use spoofed emails, where the email header is forged to look like it's coming from somewhere it's not, or they'll use lookalike domains to make their email appear legitimate. While these ways of faking a sender are easier than hacking into an email account, they are not as effective at tricking victims, and a properly configured DMARC policy lets receiving servers reject the forged-header variety outright.

Variations of BEC attacks include the false invoice scam, which tricks the finance team into sending a vendor invoice payment to a fraudulent account; payroll diversion, which tricks HR into changing an employee's direct deposit details so salary payments go to a fraudulent account; CEO fraud, which tricks the finance team into sending an emergency wire transfer on behalf of the CEO to a fraudulent account; the gift card scam, which tricks the victim into buying gift cards for staff or clients and sending the card codes to the attacker; and home buyer fraud, which tricks home buyers into wiring closing funds to a fraudulent account.

While BEC may not be the most common cybersecurity threat, it is easily the most costly type of cyber crime. According to the FBI's IC3, reported BEC losses in the US alone were nearly $2.4 billion in 2021, up about 28% from the roughly $1.9 billion reported for 2020, showing that BEC attacks are effective and increasing. And those losses are just in the US, and just from the cases that are reported. Worldwide losses are much higher. The huge payoffs, ease of execution, and low risk of BEC attacks are attracting criminals all around the world. Because it's so attractive to attackers, we can expect business email compromise to be a big part of the cybersecurity threat landscape well into the future.
Chapter 6; Protect Against Business Email Compromise
Because business email compromise, or BEC, has characteristics similar to phishing attacks, some of the ways to protect against it will overlap.
First, like with phishing, you can protect against BEC by implementing email filtering controls on your email server. This will help stop email attacks designed to trick users into giving away their credentials. And because BEC attackers will sometimes try to spoof legitimate domains in their emails, configure the email authentication protocols SPF, DKIM, and DMARC for your own domains. SPF lets a receiving server check that the connecting mail server is authorized to send for the envelope sender's domain. DKIM lets it verify a cryptographic signature that your mail server adds to each message, using a public key you publish in DNS. DMARC ties the two to the From: address users actually see: it tells receivers to quarantine or reject messages that show your domain in the From: header but pass neither an SPF check nor a DKIM check aligned with that domain, and it sends you reports about who is sending mail in your name. None of these protocols stop a lookalike domain that the attacker registered and configured themselves, which is why user training still matters. Mike Chapple gives a good overview of these protocols in his CompTIA Cybersecurity Analyst+ course on LinkedIn Learning.
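To make the DMARC decision concrete, here is the evaluation a receiving server performs, written out as an added example (not from the course or from any mail server's code). It takes the From: header domain, the SPF and DKIM results the receiver has already computed, and the sending domain's DMARC record, and returns pass or the record's disposition. The alignment rules follow RFC 7489; the DMARC record, the domains, and the two-label "organizational domain" rule are constructed simplifications.

```python
"""Apply a DMARC policy to a message the way a receiving mail server does.

Added example (not from the course). Records, domains and results are
constructed; alignment logic follows RFC 7489 (relaxed vs strict).
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # domain SPF was evaluated for (envelope MAIL FROM)
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's', 'aspf': 'r'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    tags.setdefault("adkim", "r")   # relaxed alignment is the RFC default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain; two-label rule is a constructed simplification."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') accepts subdomains of the From: domain; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain: str, auth: AuthResult, dmarc_record: str) -> str:
    """Return 'pass', or the record's disposition: 'none', 'quarantine' or 'reject'."""
    policy = parse_dmarc(dmarc_record)
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, policy["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")


RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"   # constructed policy for example.com


def demo() -> dict:
    return {
        # Genuine mail: SPF passes for a subdomain (relaxed ok), DKIM signed by the exact domain.
        "genuine": evaluate("example.com", AuthResult("pass", "mail.example.com", "pass", "example.com"), RECORD),
        # Forged From: header sent through the attacker's own relay: SPF passes for the
        # relay's domain, but that domain is not aligned with example.com, and nothing is signed.
        "spoofed_header": evaluate("example.com", AuthResult("pass", "attacker-relay.net", "none", ""), RECORD),
        # Signed by a subdomain while the policy demands strict DKIM alignment.
        "strict_dkim_subdomain": evaluate("example.com", AuthResult("fail", "example.com", "pass", "news.example.com"), RECORD),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The spoofed-header case is the one DMARC exists for; note that it only protects domains that publish a record with p=quarantine or p=reject, so start by publishing p=none with reporting, review who legitimately sends for your domain, then tighten.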
Second, enable multifactor authentication, or MFA, especially on email accounts. This will significantly reduce the chances of an attacker taking control of an email account with just a username and password. Once enabled, never disable MFA. Third, user security awareness training is another important protection against BEC attacks. Train users about these attacks and that they should be suspicious of urgent-sounding or unusual emails that request transferring funds.
Show them how to spot look-alike domains used in emails. Teach them to confirm these financial transaction requests out of band, meaning through some method other than email, such as calling the person at a number you already have or meeting with them directly. And any change in payment instructions should be verified, no matter how it is sent or who it comes from.
A fourth way to protect against BEC is to add a warning banner to emails coming from outside your organization. Marking external emails helps warn users that an email spoofed to look like it's from someone within the organization really isn't. Then train users to understand what these warning banners mean and why they're important. If you or someone in your organization is a victim of a BEC scam, you should contact your financial institution immediately and tell them what happened. In some cases, money transfers can be frozen or canceled. Next, if you're in the US, report the crime to your local FBI field office. If you're outside the US, contact your equivalent law enforcement agency. Also, if you're in the US, file a complaint with the FBI's Internet Crime Complaint Center at ic3.gov. Business email compromise is a growing problem on the cybersecurity threat landscape. Take the steps described in this chapter to reduce the chances that you or your organization will become a victim of a BEC attack.
Chapter 7; Explore The Threat of Botnets And DDoS Attacks
While the term botnets may conjure up images of robots taking over the world like in a sci-fi movie, the reality is different. Let us take a look at botnets and DDoS attacks.
A botnet is a collection of computers or internet of things devices which have been infected by malware, allowing a malicious actor to take remote control of them. Because so many systems can come under one attacker's control, botnets can become a serious force multiplier, allowing an attacker to inflict a lot more damage than they could accomplish on their own. Compromised systems that become part of a botnet are sometimes called zombies, because they carry out the attacker's commands without their owners' knowledge.
Once assembled, botnets can be used for many types of cyber attacks, including distributed denial of service, or DDoS, attacks, spam and phishing campaigns, spreading malware, brute force and other cyber attacks, and crypto mining.
The terms botnets and DDoS attacks are related, but not the same. Botnets are the actors. DDoS attacks are the actions.
A DDoS attack is an attempt to make an online service, usually a website, unavailable by overwhelming it with traffic from many sources. With sometimes thousands of zombie computers at their disposal, attackers will often use botnets to flood their target websites with millions of HTTP requests per second, or with lower-level floods of UDP or TCP SYN packets that exhaust bandwidth and connection tables before a request ever reaches the web application.
These traffic floods can disrupt or completely block the services of targeted websites, and DDoS attacks can last hours, days, or even weeks. In fact, one DDoS attack in 2021 lasted more than 776 hours, which is over a full month. DDoS attacks are frequently used for extortion. The attackers behind botnets will often send emails to organizations threatening to launch the DDoS attack if a ransom isn't paid. If they don't get the ransom, they'll gradually ramp up the DDoS attack to put pressure on their victims to pay quickly. Because botnets are so common and they can be used to make a lot of money, some botnet owners sell DDoS attacks as a service.
DDoS as a service enables any criminal to conduct these attacks without needing any technical skills or resources of their own. The ever increasing number of poorly secured internet connected devices and the chance to use them to make money is driving the growth of botnets and DDoS attacks. This is why we can expect botnets and DDoS attacks to continue playing a big role in the cybersecurity threat landscape for some time.
Chapter 8; Protect Against Botnets And DDoS Threats
Although botnets and distributed denial of service, or DDoS attacks may be growing threats on the cyber security threat landscape, there are effective ways to minimize your exposure to them. In this guide, I will cover how to protect against botnet and DDoS attacks and how to keep your systems from becoming part of a botnet. We will start by talking about several ways to protect your websites and online applications from DDoS attacks.
First, you absolutely must have either firewalls or web application firewalls or WAFs for short in front of your websites. Firewalls and WAFs can be used to detect and block unwanted and abnormal traffic. They can also be used to control or throttle the traffic that reaches your applications. Firewalls and WAFs though can still be overwhelmed by DDoS attacks.
The second way you can protect against DDoS attacks is by using load balancers or content delivery networks or CDNs for short. Load balancers and CDNs can share the traffic load across servers in different locations, which waters down the DDoS attack. Third, consider using DDoS defense systems or service providers that specialize in protecting organizations from these attacks.
Cloudflare, for instance, provides a service that absorbs DDoS traffic at its edge network and routes only legitimate traffic to your web servers. Next, a good network monitoring system will detect unusual internet traffic like a DDoS attack once it starts.
Notifications from a network monitoring system will give you an early warning about the attack, so you can respond quickly. And finally, develop a denial of service response plan. Define who will be on the response team in the event of a DDoS attack, and write down the procedures that must be followed in the event of an attack. When you have these protections in place, you can hire a qualified third-party firm to conduct a DDoS test.
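The "unusual traffic" a monitoring system looks for can be as simple as requests per second far above the normal baseline, and whether that spike comes from one client or from hundreds decides the response: a single abusive source can be rate limited at the firewall or WAF, while a genuinely distributed flood is what the CDN or scrubbing provider is for. The script below is an added example, not from the course: it parses constructed nginx-style access log lines and raises one alert per five-second window that breaches the thresholds, which are assumptions you would tune to your own traffic.

```python
"""Spot a request flood in web server access logs and say what kind it is.

Added example (not from the course). Log lines are constructed; thresholds
(baseline, spike factor, per-IP limit) are assumptions to tune per site.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "t": datetime.strptime(m["ts"], TS_FMT), "req": m["req"]}


def analyze(lines, window=5, baseline_rps=2.0, spike_factor=10,
            per_ip_rps_limit=20, distributed_min_clients=10):
    """Bucket requests into fixed windows of `window` seconds and alert on spikes."""
    by_window = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            epoch = int(rec["t"].timestamp())
            by_window[epoch - epoch % window].append(rec["ip"])
    alerts = []
    for start in sorted(by_window):
        ips = by_window[start]
        rps = len(ips) / window
        if rps <= baseline_rps * spike_factor:
            continue
        clients = Counter(ips)
        # Sources that alone exceed the per-IP budget: candidates for a rate-limit rule.
        hot = sorted(ip for ip, n in clients.items() if n / window > per_ip_rps_limit)
        alerts.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "rps": rps,
            "distinct_clients": len(clients),
            "kind": "distributed flood" if len(clients) >= distributed_min_clients else "single-source flood",
            "rate_limit_candidates": hot,
        })
    return alerts


def constructed_log():
    """Ten quiet seconds, then a 200-client flood, then one client hammering alone."""
    t0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, sec):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"'

    lines = [line("203.0.113.1", sec) for sec in range(10)]
    for sec in range(10, 15):
        lines.extend(line(f"198.51.100.{i}", sec) for i in range(200))
    for sec in range(20, 25):
        lines.extend(line("10.0.0.9", sec) for _ in range(30))
    return lines


def demo():
    return analyze(constructed_log())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In production the same logic runs over a streaming log pipeline rather than a list, and the baseline comes from the last few days of traffic rather than a constant.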
There are many security companies that specialize in simulated DDoS attacks, load tests, and other external threat simulations. They can help identify system misconfigurations, network bottlenecks, poor incident response, and more. Now let's talk about how to keep your systems from joining a botnet. Since the primary way systems are taken over and added to botnets is through malware, the best way to protect your systems is with effective anti-malware. Make sure you're using the latest version with the most current malware definitions.
Next, you should monitor your system processes, investigating any that look unusual or take excessive CPU or memory. These can be signs that your system is part of a botnet. And of course, follow good enterprise security practices. Example practices include: make sure all your devices have strong passwords and no factory default credentials; keep software, firmware, and applications updated and patched; implement anti-spam controls on your email server; use web filtering to block access to sites that commonly host malware; and conduct regular user security awareness training and phishing training. These may seem like basic security tasks, but they'll go a long way toward protecting your systems from becoming part of a botnet. Botnets and DDoS attacks are getting bigger and more common. And like an arms race, their attack methods are getting more creative and evolving to overcome existing defense measures. Take the steps I covered in this chapter to protect your organization's systems and data from botnet and DDoS threats.
Chapter 9; Exploring The Threat of Zero-Day Attacks
Zero-day attacks are one of the most feared threats in cybersecurity. So what exactly is a zero-day attack? Essentially, it's an exploit that targets a vulnerability in software or hardware unknown to the vendor and users.
Because no one knows about the flaw, no fix exists yet, leaving systems open to attack. The name comes from the vendor having had zero days to address the vulnerability before it was used. Here's how a zero-day attack typically unfolds. An attacker discovers an unknown vulnerability in a software or hardware product. Instead of reporting it, they create an exploit to take advantage of the weakness. Once the exploit is ready, they launch an attack, often causing significant damage before anyone knows what's happening. For example, the infamous Stuxnet worm used several previously unknown Windows vulnerabilities to reach and sabotage industrial control systems, physically damaging equipment before it was discovered.

Zero-day attacks can have devastating impacts. They can lead to data breaches, financial loss, and even physical damage, as seen with Stuxnet. Organizations can face severe repercussions, including loss of customer trust and regulatory penalties.

Detecting zero-day attacks is incredibly challenging. Signature-based security tools like traditional antivirus and intrusion detection systems are often ineffective against them, because they only recognize threats that have already been seen and catalogued. This means that zero-day attacks can go undetected for long periods, allowing attackers to exploit vulnerabilities without being noticed. Zero-day attacks represent a significant and evolving threat in the cybersecurity landscape. Their ability to exploit unknown vulnerabilities makes them dangerous and difficult to defend against. Understanding the nature and potential impact of zero-day attacks is crucial for organizations striving to protect their systems and data.
Chapter 10; Mitigating Zero-Day Attacks
Zero-day attacks are among the most challenging cybersecurity threats to defend against because they exploit unknown vulnerabilities. Let's explore how you can protect your organization from these elusive threats.

First, keeping your software and systems updated is crucial. A patch can't fix a flaw nobody knows about yet, but a zero-day stops being a zero-day the moment the vendor ships a fix, and most real attacks chain the new exploit with older, already-patched bugs to gain privileges or spread. Make sure your organization has a robust patch management process in place, so that when a fix arrives it reaches every affected system quickly.

Next, leveraging threat intelligence is essential. You can take proactive steps to protect your systems by staying informed about emerging threats. Subscribe to threat intelligence feeds and remain connected with the cybersecurity community for timely updates about new vulnerabilities and exploits. For instance, subscribe to notifications from the Cybersecurity and Infrastructure Security Agency, or CISA, to receive valuable alerts and updates.

Advanced monitoring and anomaly detection are critical in identifying potential zero-day attacks. Implement tools like security information and event management, or SIEM, systems that aggregate logs from many sources and apply statistical and machine learning models to spot behavior that departs from the baseline, such as a workstation that suddenly starts contacting an unfamiliar server on a fixed schedule, or a document viewer that spawns a command shell. Behavior-based detection matters here because, unlike a signature, it doesn't need to have seen the exploit before. Regularly reviewing logs and conducting thorough audits can also help in early detection.

Having a well-defined incident response plan is vital. Your plan should outline the steps to take immediately after detecting a zero-day attack.
This includes isolating affected systems, conducting a detailed investigation, and communicating with stakeholders. Ensure your incident response team is well-trained and conducts regular drills to stay prepared. Employee training and awareness are also key components in your defense strategy. Educate your staff about security best practices and the importance of vigilance. Regular training sessions help employees recognize potential threats and respond appropriately. Encourage them to report suspicious activities and ensure that they understand their role in maintaining cybersecurity. Protecting against zero-day attacks requires a combination of proactive measures and preparedness. By staying proactive and vigilant, you can significantly reduce the risk of zero-day attacks and protect your organization from potential harm.
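One behavior-based detection that works regardless of how the attacker got in is spotting command and control beaconing: an implant that calls home on a timer produces many connections to one destination at nearly constant intervals, a pattern ordinary browsing does not. The script below is an added example, not from the course or any SIEM product. The connection log is constructed, and the thresholds (minimum connections, allowed jitter) are assumptions a team would tune to its own environment.

```python
"""Behavior-based detection of C2 beaconing in outbound connection logs.

Added example (not from the course). A signature can't flag traffic from an
exploit nobody has seen, but a timed call-home leaves a statistical
fingerprint. The log is constructed; thresholds are assumptions.
"""
import random
import statistics
from collections import defaultdict


def find_beacons(events, min_connections=8, max_jitter=0.15):
    """events: iterable of (epoch_seconds, src_ip, dst_ip).

    Returns one record per (src, dst) pair whose inter-connection intervals
    are regular: coefficient of variation (stdev / mean) below max_jitter.
    """
    by_pair = defaultdict(list)
    for t, src, dst in events:
        by_pair[(src, dst)].append(t)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue            # too few samples to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv < max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval": round(mean, 1), "jitter": round(cv, 3)})
    return hits


def constructed_log(seed=1):
    """Constructed sample: one beaconing implant, one human browsing, one too-short series."""
    rng = random.Random(seed)
    events = []
    # Implant on 10.0.5.23 calls home every 60 s with a couple of seconds of jitter.
    t = 1_700_000_000.0
    for _ in range(30):
        events.append((t, "10.0.5.23", "198.51.100.77"))
        t += 60 + rng.uniform(-2, 2)
    # Same host browsing a news site: bursty, human-paced, irregular.
    t = 1_700_000_000.0
    for _ in range(30):
        events.append((t, "10.0.5.23", "203.0.113.10"))
        t += rng.choice([1, 2, 5, 40, 300, 900])
    # Another host touched the same address only twice: not enough to judge.
    events += [(1_700_000_100.0, "10.0.5.40", "198.51.100.77"),
               (1_700_000_160.0, "10.0.5.40", "198.51.100.77")]
    return events


if __name__ == "__main__":
    for hit in find_beacons(constructed_log()):
        print(hit)
```

Real implants add deliberate jitter and sleep-skipping to defeat exactly this, so the jitter threshold is a trade-off; pairing the result with a destination reputation lookup and the process that opened the socket cuts the false positives from legitimate pollers such as update checkers.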
Chapter 11; Protecting Against AI-Based Cyberattacks
AI-based cyber attacks, including deepfakes and AI-powered phishing, are designed to be hard to detect, and this will only get more challenging as the technology improves. But there are ways to protect yourself and your organization. Train users about AI-based technology, how it works, and how it can be used to conduct payment fraud and other attacks. Educate them on how to spot deepfake audio and video by looking for: unnatural speech cadence, low-quality audio and video, digital artifacts like noise in audio and video, unnatural movement in videos, unnatural blinking, unexpected shifts in lighting and skin tone, and poor lip syncing. Train users to recognize AI-powered phishing emails; attackers can feed a target's past communications to a language model to mimic a colleague's writing style and increase believability. Educate users to be cautious of emails that: urgently request sensitive information or payments, come from unfamiliar or slightly altered email addresses, and contain links or attachments that seem out of context. Both deepfakes and phishing attacks often have typical social engineering red flags, like a sense of urgency. Attackers want you to act quickly without thinking. Watch out for unusual behavior. Attackers may not use the cloned voice or writing style perfectly, and the request might be something the actual person wouldn't usually say. Train users to verify any phone calls or emails requesting financial transactions or payment changes through other methods. The best way to verify a request is face-to-face, but if that's not possible, call the person back at their official phone number to confirm the request and ask a test question that the person would know the answer to but attackers probably wouldn't. For instance, their favorite sports team or a specific detail about their office. Better still, agree on a verification code word in advance, since personal details like a favorite team are often discoverable on social media. Ensure the finance department has authorization processes to confirm transactions and payment changes which can't be completed with a single phone call or email.
By staying vigilant and following these steps, you can better protect yourself and your organization from AI-based cyber attacks.
Chapter 12; Exploring The Threat of Advanced Persistent Threats (APTs)
Imagine a group of cyber criminals hiding in the shadows, carefully planning their next move to infiltrate a high-security network. They're not in a rush. They have time, resources, and advanced tools. This scenario describes the reality of advanced persistent threats, or APTs, one of today's most sophisticated and dangerous types of cyber threats. At its core, an APT is a prolonged and targeted cyber attack in which an intruder gains access to a network, and remains undetected for an extended period.
APTs have unique characteristics that set them apart from other threats. They are persistent, meaning attackers are determined to achieve their goals over a long period, often adapting their methods to stay under the radar. These threats are also sophisticated, employing advanced techniques to bypass security defenses. APTs are also highly targeted, focusing on specific organizations or industries, such as government agencies, financial institutions, and healthcare providers.

Here's how APTs typically operate. The process usually begins with reconnaissance, where attackers gather as much information as possible about their target. Next, they move to the initial compromise stage, often gaining entry through phishing emails or exploiting known vulnerabilities. Once inside, attackers establish a foothold, installing backdoors and malware to ensure they can return, even if discovered. They then escalate their privileges, allowing them to access more sensitive areas of the network. The attacker's next move is lateral movement, where they navigate through the network, avoiding detection while identifying valuable data. The final stages include data exfiltration, where they steal sensitive information, and maintaining persistence, ensuring their presence remains undetected for future exploitation.

The impact of APTs can be devastating. These threats can lead to severe data breaches, financial losses, reputational damage, and even pose risks to national security. For example, the healthcare industry has been a frequent target of APTs, with attackers aiming to steal patient data, which can be sold on the dark web for significant profit. Government agencies are also prime targets, with attackers seeking access to classified information that can be used for espionage or to disrupt national security. By being aware of how APTs operate and their potential impacts, organizations can better prepare to face this severe threat.
Chapter 13; Protecting Against Advanced Persistent Threats (APTs)
Advanced persistent threats or APTs are among the most insidious cyber threats organizations face today. In this video, I'll show you how you can protect your organization from these sophisticated attacks. First, leverage threat intelligence. Staying informed about emerging threats is crucial. By subscribing to threat intelligence feeds and connecting with the cybersecurity community, you can receive timely updates about new vulnerabilities and exploits. For example, subscribing to notifications from the Cybersecurity and Infrastructure Security Agency or CISA, can provide valuable alerts and updates. A multi-layered security approach is essential in defending against APTs. This means implementing security measures like firewalls, intrusion detection systems, and antivirus software. Additionally, regular software updates and patch management are crucial. Ensuring all systems are up-to-date with the latest security patches helps close vulnerabilities before attackers can exploit them. Your employees play a key role in preventing APTs. Regular security awareness training sessions are essential. Educate your staff about security best practices and the importance of vigilance. Training helps employees recognize potential threats and respond appropriately. Encourage them to report suspicious activities and ensure they understand their role in maintaining cybersecurity. Finally, having a well-defined incident response plan is vital. Your plan should detail the actions to take when an APT is detected. This involves isolating compromised systems, thoroughly investigating, and keeping stakeholders informed. Ensure your incident response team is well-trained and frequently conducts drills to maintain readiness. Protecting against advanced persistent threats demands a blend of proactive strategies and thorough preparation. By staying alert and taking proactive steps, you can safeguard your organization from these sophisticated threats.
Chapter 14; Explore The Risk of Insider Threats
When we think about the cybersecurity threat landscape, it's easy to focus on attackers coming from the outside, but internal threats can sometimes be just as dangerous as outside threats, if not more so. In this video, I'll cover what insider threats are and why we should be concerned about them.
Insiders can include anybody who has inside information about your organization's data, IT systems, and security practices. This can include current or former employees, vendors with internal access, third-party contractors, and business partners. The reason why insider threats can sometimes be more dangerous than outside threats is that trusted insiders have been given access to assets and data based on that trust, and that access can be misused or abused.
Insider attacks can also be hard to detect because trusted insiders may have legitimate access that allows them to reach and steal data without going through firewalls or other controls that could track their activity. Types of malicious insider attacks include sabotage, where the goal is to damage systems or destroy data; fraud, which can come in many forms but often involves criminal financial transactions; theft of sensitive data or intellectual property; and espionage, where the attacker steals sensitive data to sell to competitors. An example of a real-world malicious insider attack was the case of a trusted software engineer at a cloud services provider who went rogue. She hacked into one of the provider's customers using a firewall vulnerability that she found. She was then able to access the accounts of millions of credit card customers. The hacked company recovered from the attack and patched the vulnerability, but it estimated the total cost of the incident to be around 150 million dollars. Unintentional insider threats include human error, bad judgment, falling victim to a phishing attack or malware, and unintentionally aiding an attacker.
An example of an unintentional insider threat was the case of an employee who had a question about how to format some of the data on a company spreadsheet. He emailed the spreadsheet to his wife's personal email account to ask her for help. While this may have seemed like a harmless action, it turned out that the spreadsheet had hidden columns which included sensitive employee data. This turned his simple email into a major security breach that had to be reported to the state's attorney general and likely cost the company millions of dollars. The Ponemon Institute regularly publishes reports on the cost of insider threats.
Their research shows that the average cost from insider threats in North American companies is millions of dollars and the cost is rising every year. That's why we can expect that insider threats will continue to hold a place in the cybersecurity threat landscape for years to come.
Chapter 15; Protect Against Insider Threats
Insider threats can be dangerous and hard to detect. In this video, I will show you four steps you can take to protect your organization against insider threats. First, if you haven't already, take the time to identify the critical assets in your organization. These are the IT systems that are essential for the operations of your business, have the most sensitive information, or both.
When you identify the critical assets, ensure that they are being properly protected and monitored. Also, review and validate who has access to these assets. Confirm that everyone who has access to them really needs that access. It's a good idea to conduct these asset access reviews on a regular basis. Next, write and enforce policies and processes that can protect against insider threats. Examples of these policies and processes include an acceptable use policy, which defines authorized and unauthorized use of your organization's assets. Without an acceptable use policy, an employee could claim they didn't know that their malicious activity wasn't allowed. Once your acceptable use policy is written, make sure all employees read and agree to follow it. A policy on the proper use of admin accounts, which defines who is authorized to have admin accounts and how these accounts are allowed to be used. A clear employee performance review process, including requirements for promotions and financial bonuses. This is often handled by HR and is necessary to avoid misunderstandings that could lead to disgruntled employees. A process for addressing employee grievances. This is also often an HR process and is necessary to help prevent unhappy employees from becoming insider threats. And an offboarding process that quickly removes access from employees who are no longer in the organization. Third, let's look at some technical security controls that can be implemented to protect against insider threats. To avoid having insider threats go undetected, you should monitor user activities, especially on your critical assets. One of the best tools for doing this is a security information and event management system, or SIEM. A SIEM will collect and analyze event log activity from all your systems and can help identify suspicious or malicious activity. When it comes to access, it's important to follow the principle of least privilege.
Only grant the bare minimum of privilege that someone needs to do their job. Regularly review each user's privileges to make sure they're not excessive. And use network segmentation to isolate the critical assets from the rest of the network. This will help protect those assets from insider threats who shouldn't have access to those parts of the network. Finally, user security awareness training can be an important way to protect against insider threats. Teach users about the acceptable use of your organization's assets. Let users know that their activity is being monitored and the consequences of unauthorized activities. And remind users to report any suspicious activity to the appropriate parties in your organization. Although insider threats are a growing part of the cybersecurity threat landscape, you can take the steps I covered in this guide to help protect your organization against them.
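As an added example that is not part of the original guide, here is a small Python script that applies two of the controls above to constructed sample data: an access review of who is touching critical assets against an approved access list and an offboarding list, and a simple SIEM-style check for unusually high-volume reads. The asset names, account names, log lines and the volume threshold are all constructed assumptions.

```python
"""Added example (not from the original guide): a minimal SIEM-style review of
access events against critical assets, using constructed sample data.
Demonstrates (1) an access review against an approved list and an offboarding
list, and (2) activity monitoring for high-volume reads from a critical asset,
a common data-theft indicator. All names, log lines and thresholds are constructed."""
from collections import defaultdict

# Constructed list of critical assets and the accounts approved to access each.
APPROVED_ACCESS = {
    "hr-db": {"alice", "hr-app"},
    "payments-db": {"bob", "billing-svc"},
}

# Constructed list of accounts that should already have been offboarded.
OFFBOARDED = {"carol"}

# Constructed access log: timestamp, user, asset, action, records touched.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice hr-db SELECT 12
2024-03-01T09:15:44Z carol hr-db SELECT 5000
2024-03-01T10:02:10Z bob payments-db SELECT 40
2024-03-01T10:40:31Z dave payments-db SELECT 3
2024-03-01T23:05:19Z alice hr-db SELECT 20000
2024-03-01T11:00:00Z billing-svc payments-db INSERT 1
"""

VOLUME_THRESHOLD = 1000  # records in a single event; tune to each asset's baseline


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, asset, action, count = line.split()
        events.append({"ts": ts, "user": user, "asset": asset,
                       "action": action, "count": int(count)})
    return events


def review_access(events):
    """Return findings as sorted (user, asset, reason) tuples."""
    findings = set()
    for e in events:
        if e["asset"] not in APPROVED_ACCESS:
            continue  # only critical assets are in scope here
        if e["user"] in OFFBOARDED:
            findings.add((e["user"], e["asset"], "offboarded account still active"))
        elif e["user"] not in APPROVED_ACCESS[e["asset"]]:
            findings.add((e["user"], e["asset"], "not on approved access list"))
        if e["count"] >= VOLUME_THRESHOLD:
            findings.add((e["user"], e["asset"], "high-volume read"))
    return sorted(findings)


def unused_approvals(events):
    """Approved accounts that never used their access: candidates for removal
    under least privilege during the periodic access review."""
    seen = defaultdict(set)
    for e in events:
        seen[e["asset"]].add(e["user"])
    return sorted((asset, user)
                  for asset, users in APPROVED_ACCESS.items()
                  for user in users if user not in seen[asset])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in review_access(evs):
        print("FINDING:", *finding)
    for asset, user in unused_approvals(evs):
        print("UNUSED ACCESS:", user, "on", asset)
```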
Chapter 16; Explore The Threat of Unmanaged IoT Devices
The Internet of Things, or IoT, can be the source of major cybersecurity threats, including data leakage, distributed denial of service attacks, and any attack that can be launched from botnets.
Let's take a look at what the Internet of Things is and why it's part of the cybersecurity threat landscape. More and more devices are being connected to the internet in the name of convenience and control. Key drivers for the growth of IoT devices include the rise of cloud computing as the foundational technology for IoT, the plummeting cost of IoT devices, the common use of smartphones and tablets to control IoT devices, and easy access to Wi-Fi.
Practically any electronic device can be connected to the internet and become an IoT device. Common IoT devices include smart home lights, switches, thermostats, home appliances, TVs, security cameras, and even locks.
Many health devices are also directly connected to the internet, such as fitness trackers, connected scales, pedometers, and sleep monitors. Personal assistants that respond to voice commands are also popular. And of course, most modern vehicles are also IoT devices. And the number of IoT devices is projected to grow to more than 50 billion by 2025. The problem is IoT devices are often connected to the internet without thinking about their security and IoT devices can be more vulnerable to attacks than servers and network devices connected to the internet.
That's because they usually don't have enough computing power to support basic protections like antimalware and firewalls. They also often have built-in backdoors for maintenance with default passwords that can easily be found on the internet. Because these IoT devices are usually directly connected to the internet, attackers can easily exploit these and other vulnerabilities with automated scripts. Once they have control of an IoT device, it can be added to a botnet or used as a jumping-off point to attack other devices on the same network. According to Symantec's Internet Security Threat Report, routers and connected cameras are the IoT devices most infected by malware and the main sources of IoT attacks, accounting for over 90% of malicious activity.
One of the most dramatic examples of the threat of unmanaged IoT devices is the Mirai botnet. The attackers built their botnet army by running a simple script against devices on the internet that attempted to log in with 61 known IoT default passwords. If the login succeeded, the IoT device was infected with malware that directed it to follow the instructions of a central command and control system. The attack was very effective. It's estimated that there were nearly half a million Mirai-infected IoT devices, mostly closed-circuit TV cameras, DVRs, and routers. They were used to conduct distributed denial of service, or DDoS, attacks against a wide variety of targets. Some good news is that governments and regulatory bodies are recognizing the problem of poor or nonexistent security standards for devices connecting to the internet. They're proposing minimum security standards for device manufacturers and labeling to raise users' awareness of how secure their devices are. These requirements are being enforced through laws like the IoT Cybersecurity Improvement Act, which was signed into US law in 2020. But with next-generation internet capabilities like 5G dramatically increasing data speeds and throughput, we may see IoT devices continue being a key player on the cybersecurity threat landscape well into the future.
Chapter 17; Protect Against Unmanaged IoT Devices
The number of Internet of Things, or IoT, devices is growing rapidly, and so are the related threats when they're deployed in an insecure way. The good news is there are some straightforward steps you can take to protect your organization from the threat of unmanaged IoT devices.
It's important to understand, though, that some IoT devices are so poorly designed that they may be challenging to secure. For instance, they might not allow you to change default passwords. So we'll start by looking at a few effective security actions you can take at the network level even if the IoT devices themselves are hard to secure. First, conduct an IT asset inventory: run network scans with a tool like Nmap to learn which systems and devices are on your network.
This will help you identify IoT devices you may not have known about. Investigate any that seem out of the ordinary and remove any unauthorized devices. Second is network segmentation. Now that you have an inventory of your network assets, the next step is to identify which ones are your critical information assets and where they are in your network. Use your routers and switches to segment your network and isolate your critical assets from IoT devices as much as possible. Finally, block ports. Figure out which network ports the IoT devices need and block traffic at the firewall for any other ports. In particular, block Telnet (port 23) unless it's absolutely required; Telnet was the protocol that the Mirai attack software used to compromise hundreds of thousands of IoT devices. Some IoT devices, on the other hand, are easier to secure. If that's the case, then at a minimum implement the following. First, change default passwords when possible.
This is easily the most important way you can protect your organization and data from attacks against your IoT devices. Attackers know the most common IoT default passwords and will use them to compromise your devices. Changing the default password keeps these attacks from being successful. Next, configure strong security if possible. Practice the principle of least privilege and give the device, and the accounts that access it, only the ability to do what they should be doing and no more. Set restrictive security controls on the device itself if that's an option. Third, install software updates and patches. If the manufacturer supports its IoT devices with periodic software updates and patches, make sure you install them in a timely manner. They may include important security fixes that will help protect your IoT devices from attacks.
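The three network-level steps above (inventory, segmentation, port blocking) as an added example that is not part of the original guide: a Python script that triages Nmap's grepable (-oG) output against a constructed device inventory, flags unknown hosts, exposed Telnet, and ports a device doesn't need, and emits illustrative iptables rules for an assumed chain name. The scan output, addresses, device names and "needed ports" are all constructed.

```python
"""Added example (not from the original guide): triage an Nmap scan for the
IoT inventory, segmentation and port-blocking steps described above.
Input is Nmap's grepable output format (-oG). The scan output, the inventory,
the addresses and the 'needed ports' per device are constructed assumptions."""
import re

# Constructed inventory: authorized IoT devices and the TCP ports each one needs.
INVENTORY = {
    "192.168.10.21": {"name": "lobby-cam", "needed_ports": {554}},
    "192.168.10.22": {"name": "hvac-thermostat", "needed_ports": {443}},
}

# Constructed excerpt in the shape of `nmap -sT -p- -oG - 192.168.10.0/24` output.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.10.21 ()\tStatus: Up
Host: 192.168.10.21 ()\tPorts: 23/open/tcp//telnet///, 554/open/tcp//rtsp///\tIgnored State: closed (65533)
Host: 192.168.10.22 ()\tStatus: Up
Host: 192.168.10.22 ()\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65533)
Host: 192.168.10.77 ()\tStatus: Up
Host: 192.168.10.77 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (65533)
"""

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def parse_grepable(text):
    """Map each host in the -oG output to its set of open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, set())
        if "Ports:" in line:
            ports_field = line.split("Ports:")[1].split("\t")[0]
            hosts[ip].update(int(port) for port, proto in PORT_RE.findall(ports_field)
                             if proto == "tcp")
    return hosts


def triage(hosts):
    """Return (ip, message, ports) findings: unknown devices to investigate or
    remove, Telnet exposure, and open ports the device does not need."""
    findings = []
    for ip, open_ports in sorted(hosts.items()):
        dev = INVENTORY.get(ip)
        if dev is None:
            findings.append((ip, "unknown device: investigate or remove", open_ports))
            continue
        if 23 in open_ports:
            findings.append((ip, f"{dev['name']}: Telnet exposed", {23}))
        extra = open_ports - dev["needed_ports"] - {23}
        if extra:
            findings.append((ip, f"{dev['name']}: ports not needed, block at firewall", extra))
    return findings


def firewall_rules(iot_chain="IOT_FWD"):
    """Illustrative iptables rules for an assumed chain that forwards traffic
    to the IoT segment: drop Telnet everywhere, allow only each inventoried
    device's needed ports, drop the rest."""
    rules = [f"iptables -A {iot_chain} -p tcp --dport 23 -j DROP"]
    for ip, dev in INVENTORY.items():
        for port in sorted(dev["needed_ports"]):
            rules.append(f"iptables -A {iot_chain} -d {ip} -p tcp --dport {port} -j ACCEPT")
    rules.append(f"iptables -A {iot_chain} -j DROP")
    return rules


if __name__ == "__main__":
    for ip, msg, ports in triage(parse_grepable(SAMPLE_SCAN)):
        print(f"{ip}: {msg} {sorted(ports)}")
    print("\n".join(firewall_rules()))
```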
The Open Web Application Security Project or OWASP published the IoT top 10, which is a list of the key vulnerabilities to avoid when building, deploying, or managing IoT systems. If you're responsible for securing IoT devices, I recommend reviewing this list to make sure you've protected against all of these vulnerabilities. By implementing these and the other protections I covered in this video, you'll significantly reduce your exposure to the threat of unmanaged IoT devices.
Chapter 18; Explore The Threat of Shadow IT
Most of the dangers on the cybersecurity threat landscape come from malicious actors outside of your organization. Shadow IT is different though because this threat comes from within your organization and many times it's not malicious. That doesn't mean it's not a serious problem. Let's take a look at Shadow IT and why it's part of the cybersecurity threat landscape. Shadow IT refers to the unauthorized use of systems, software, personal devices, or cloud services by enterprise employees. To best manage and secure IT systems, all technology purchases should be approved and budgeted by a shared services IT function, but users will sometimes go around IT and purchase technology with their own budget. When implemented, this unsanctioned and often unmanaged technology solution becomes part of the Shadow IT in the enterprise. IT will either find out about these Shadow implementations after they've been deployed or even worse, not at all.
There are many reasons behind the rise of Shadow IT, but some of the most common are understaffed IT departments that can't support the IT needs of users, the perception by users that IT is too slow or restrictive with technology deployments, and easy access to software as a service, or SaaS, solutions like Dropbox, Salesforce, or Amazon Web Services. Shadow IT can represent a large amount of spending in organizations. In fact, Gartner has estimated that Shadow IT accounts for 30 to 40% of IT spending in large enterprises. Other research suggests that this number could be even higher, but many enterprise leaders either aren't aware of the Shadow IT problem or downplay it as not that big of a deal.
That can be a costly mistake, because there are real risks associated with Shadow IT. Simply put, it's impossible for the enterprise to secure systems that the organization's IT function isn't even aware of. Here are just a few of the Shadow IT risks. First is data loss. If Shadow IT systems are processing or storing important information, that information probably isn't included in the enterprise backup solution, so if the data is lost, there's no chance for recovery. Even worse, if the information is confidential and the Shadow IT systems aren't secured, that could lead to a data breach. Next is unpatched vulnerabilities. Shadow IT systems probably aren't included in vulnerability scans or scheduled patch cycles, which means these systems could have vulnerabilities that expose them to attacks and possible data breaches. And finally, lack of security compliance. All sanctioned IT solutions should be deployed with standard security controls that may not exist on Shadow IT systems. These could include antimalware, encryption, security monitoring, and more. An enterprise could be subject to big fines if a data breach occurs on Shadow IT systems that aren't compliant with enterprise or regulatory security controls. We can expect that IT departments will continue being challenged by users who circumvent required processes for implementing IT solutions. For this reason, we'll likely see Shadow IT being part of the cybersecurity threat landscape for some time.
Chapter 19; Protect Against Shadow IT
Shadow IT, as the name implies, can be challenging to both detect and prevent. In this video, I'll cover some specific actions you can take to reduce the likelihood and impact of shadow IT in your organization. First, let's look at some fundamental controls for protecting against shadow IT. These are steps you should be taking anyway, but if you aren't, your exposure to the shadow IT threat increases significantly. The first control you need to have is an IT asset inventory. If you don't have a current inventory of your sanctioned IT assets, you won't be able to identify shadow IT systems. Run an Nmap scan or use a similar tool to get a baseline of systems currently on your network. Review the results to make sure all systems you found are authorized and deal with any that aren't. Next, make sure users know about the correct IT deployment process. It's hard to blame users who don't follow the process when they don't know what it is. Define a clear IT deployment process and write it down. Publish it in a place that's easy for users to find and heavily promote it. Finally, implement and enforce strong security policies that prohibit unauthorized deployment of IT systems or solutions. Security policies should be approved by executive leadership and should clearly state what is allowed when it comes to IT deployments. That way, you'll have an answer when asked why shadow IT systems need to be removed.
There are also several technology controls that will help keep shadow IT from becoming a serious problem in your organization. First is security monitoring. Security monitoring systems like a security information and event management system, or SIEM, can track all network activity and notify the IT or security team if an unauthorized system is added to the network. This may be an indication of shadow IT or another type of security incident. Next, consider ways to implement network access control, or NAC. This is a technical security restriction that only allows authorized systems, such as those with enterprise-issued certificates, to join your network. With NAC in place, if a user attempts to add shadow IT systems to the network, they won't be able to connect. Finally, consider using a cloud access security broker, or CASB. A CASB is a technology that sits between users and the cloud services they try to use. CASBs can enforce security controls on the use of software as a service, or SaaS, applications. They can also monitor your organization's network traffic to detect any cloud-based applications in use. You can use that information to detect shadow IT SaaS applications. By implementing the fundamental and technology security controls I covered in this video, you should significantly reduce your exposure to the threat of shadow IT.
Chapter 20; The Threat of Supply Chain Attacks And Third-Party Risks
All organizations have what is called an attack surface. This is the part of the organization that is exposed to any kind of threat. One of the biggest attack surfaces for most organizations is their supply chains and exposures to third parties.
This attack surface is also one of the most challenging to protect. In this video, I'll cover what supply chain and third party risks are and why they're part of the cybersecurity threat landscape.
Every organization has suppliers.
They provide the needed resources for that organization to function. These suppliers can be software as a service or other technology providers that are critical to your business. And these suppliers have their own suppliers, and those suppliers have suppliers, and so on. If a direct or downstream supplier fails, that could have a negative impact on your organization. That's the idea of supply chain risk. Now let's think about the access your suppliers and other third parties might have to your systems and data.
If third parties like suppliers, contractors, and vendors need access to your systems to provide their services, that can create risk. For instance, if one of your vendors has access to your systems and they get hacked, now the hackers can attack your systems. This is what happened to a major retailer, which led to a security breach that cost an estimated $202 million.
On top of that, consider all the data your organization stores with third parties. Cloud-based software as a service, or SaaS, applications like Dropbox, Salesforce, and Google Drive can store some of your organization's most critical data. And your organization may be storing its data with other third parties that aren't SaaS apps. If the right controls aren't in place, that data may be accessible to malicious actors outside or inside of your organization. Finally, we have software supply chain risk.
Many organizations develop software for their own internal systems or to provide the services they offer. Instead of writing everything from scratch, developers will often use free open source software. But open source software comes with potential problems. It can be hard to keep track of, especially if your organization develops a lot of software. And open source software can contain vulnerabilities or even malicious code.
For instance, an open source Java logging library called Log4j was used by software found on millions of servers around the world. But a zero-day vulnerability was found in Log4j which allowed remote code execution attacks that could be used to compromise these servers. Every organization that developed its own software immediately needed to determine whether any of its software contained Log4j and, if it did, patch it. As you can see, supply chain and third-party risks can be highly complex and have serious consequences for your organization. That's why they're an important part of the cybersecurity threat landscape.
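The Log4j inventory task described above, as an added example that is not part of the original guide: a Python scanner that walks a directory of JARs, including JARs nested inside other JARs, and reports every copy of log4j-core that contains the JndiLookup class along with the version recorded in its Maven pom.properties. The sample JARs are constructed in a temporary directory, and the FIXED_FROM threshold is an assumption for this illustration; apply the version your vendor advisory names.

```python
"""Added example (not from the original guide): find Log4j inside the JAR files
an organization ships or deploys, the inventory step the text calls for.
Walks a directory, opens each .jar/.war/.ear and any archives nested inside it
(as in fat/uber JARs), and reports archives containing log4j-core's JndiLookup
class with the version from its Maven pom.properties. Sample JARs are constructed."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
FIXED_FROM = (2, 15, 0)  # assumption for this illustration; use your vendor advisory's version

def parse_version(s):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s or "")
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def inspect_jar(data, path):
    """Return (path, version) for this archive and any nested archive that
    contains JndiLookup; '!/' in the path marks nesting."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        hits.append((path, version))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVES):
            hits.extend(inspect_jar(zf.read(name), f"{path}!/{name}"))
    return hits

def scan_tree(root):
    """Scan every archive under root; paths are reported relative to root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVES):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    hits.extend(inspect_jar(fh.read(), os.path.relpath(p, root)))
    return hits

def needs_patch(version):
    v = parse_version(version)
    return v is None or v < FIXED_FROM  # unknown version: needs review, not assumed safe

def make_jar(entries):
    buf = io.BytesIO()  # a JAR is a zip; build one in memory from {name: content}
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample: an app JAR embedding an old log4j-core, a standalone
    newer log4j-core, and an unrelated JAR. Class bytes are placeholders."""
    stub = b"\xca\xfe\xba\xbe"
    old = make_jar({JNDI_CLASS: stub, POM_PROPS: "version=2.14.1\n"})
    new = make_jar({JNDI_CLASS: stub, POM_PROPS: "version=2.17.1\n"})
    app = make_jar({"com/example/App.class": stub, "lib/log4j-core-2.14.1.jar": old})
    os.makedirs(os.path.join(root, "lib"))
    files = {"app.jar": app, "lib/log4j-core-2.17.1.jar": new,
             "lib/other.jar": make_jar({"readme.txt": "no logging here"})}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def run_demo():
    """Build the sample tree, scan it, and return (path, version, needs_patch)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(p, v, needs_patch(v)) for p, v in scan_tree(root)]
```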
Chapter 21; Stay up to Date on Cybersecurity
In this guide I have described some of the most common cybersecurity threats you're likely to encounter. To best protect against them, your next step after watching these videos would be to figure out which of these threats apply to your organization.
Then find out if the security controls for those threats are in place and apply any that are missing. By following the recommendations in these videos, you'll definitely reduce your exposure to these threats.
But the challenge is that cybersecurity threats keep evolving to overcome even the best defenses. Just because you're secure today doesn't mean new threats won't be a problem tomorrow. So how do you keep up? Let's look at three actions you can take to keep ahead of cybersecurity threats.
First, stay up to date with changes in the cybersecurity threat landscape. I recommend subscribing to security newsletters like SANS NewsBites and Bruce Schneier's Crypto-Gram. There are a lot of weekly security podcasts that cover current cybersecurity threats, like Security Weekly News and Defense in Depth. There are also plenty of cybersecurity magazines with articles about the latest threats, like Infosecurity Magazine and Cyber Defense Magazine.
Second, to get a more in-depth look at cybersecurity threats, attend security conferences and seminars. Presentation topics will often explore current threats in detail. Conferences and seminars are also good ways to connect with security professionals who have firsthand knowledge of the latest cybersecurity threats and how they've dealt with them.
Third, hire security professionals who specialize in cybersecurity threat simulation and management. These include companies and consultants who conduct penetration tests, threat modeling, and DDoS simulations. I hope you use the knowledge you gain from this guide to protect you and your organization from current and future cybersecurity threats.