2019’s biggest cyber security threats are and what you can do to avoid them
Like a sniper, the most dangerous cyber security threats
are the ones you never see coming.
Even with firewalls, antivirus solutions, and cyber
security awareness training for your employees, cybercriminals still manage to
exploit any vulnerabilities they can find. This could be because they exploit
attack vectors that are known to your organization (but remain unaddressed for
some reason) or because they’ve discovered vulnerabilities that are not yet
known to you (what are known as zero-day exploits).
Either way, you still lose. Cyber attacks are not a matter of “if,” but “when” they will occur. Unless you somehow gain omniscience (if that happens, be sure to reach out and we can split the cost of a lotto ticket), there’s really no way for you to know every single vulnerability that exists on your network or within your organization. After all, security risks come in all shapes, sizes, attack vectors, and levels of potency in the digital world. And, considering that threats to cyber security are continually changing and adapting, it’s a challenge to keep up with them all.
So, what can you do? You can take the time to learn about
as many cyber security threats as possible and work to identify and address as
many holes in your defenses as you possibly can. Granted, we understand
that’s no small undertaking. But, see, that’s why we’re here!
While we’d love to provide you with a top 10 cyber
security threats list, we’re tuckered out after just writing nine. So, we’ll
cover nine of the biggest cyber security threats that exist in 2019, provide
some recent examples of each, and identify some of the ways you can protect
your organization (regardless of its size).
Let’s hash it out.
The Top 9 Cyber Security Threats and Risks of 2019
The term “cyber security threats” is pretty nebulous — it
can mean many different things depending on whom you ask. For some, threats to
cyber security are limited to those that come through virtual attack vectors
such as malware,
However, as you’ll discover, cyber threats are
continuously changing. SophosLabs’ 2019
Threat Report indicates that:
“The threat landscape is undoubtedly evolving; less skilled cybercriminals are being forced out of business, the fittest among them step up their game to survive and we’ll eventually be left with fewer, but smarter and stronger, adversaries. These new cybercriminals are effectively a cross-breed of the once esoteric, targeted attacker, and the pedestrian purveyor of off-the-shelf malware, using manual hacking techniques not for espionage or sabotage, but to maintain their dishonorable income streams.”
We’ve narrowed down our list of the top nine cyber
Cyber Security Threat or Risk No. 1: Human Nature
Whether with intent or without malice, people are the
biggest threats to cyber security. These vulnerabilities come from employees,
vendors, or anyone else who has access to your network or IT-related systems.
On one hand, a cyber attack or data breach can occur simply because of human error or a lack of cyber security awareness — such as using easy-to-guess passwords or falling for phishing emails. They may simply have a moment of forgetfulness or may be tricked by an attacker’s effective targeted social engineering attack. Hackers frequently use social engineering tactics – akin to “hacking without code” because they use other tactics to get information – to get their victims to either provide the information they need or get them to engage with malicious content (such as malicious URLs). We’ll speak more to that a bit later. Right now, we’re focusing on the other side of the coin — intentional threats to cyber security.
Employees (and former employees) can be significant cyber
security threats when they think they have something to gain through their
malicious actions — perhaps they want to profit by selling or using the data
they steal, or they may want to get revenge against an existing or former
employer for some perceived injustice. So, they may install malware, download
data, or perform other dire actions. But rogue employees are not the only
threat – employees of vendors can also pose a potential risk. We’ll speak more
on that momentarily.
Whatever the reason, whoever is responsible, the results
are the same: Data is stolen, your customers are compromised, and your
company’s reputation takes a major hit. It’s a lose-lose situation for everyone
except the perpetrator — one that likely could have been avoided by operating
under the assumption that people are your biggest risk.
A Recent Example of a Vendor’s (Former) Employee Gone Rogue
Capital One recently made headlines when more than 100 million customers’
accounts were compromised in a data breach — but it wasn’t a random hacker or
even a Capital One employee. As it turns out, Capital One used Amazon Web Services (AWS)
for their cloud hosting. The hacker, a former AWS employee, exploited a
misconfigured web application firewall to gain access to:
“140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.”
As a result, Capital One expects to face $100-150 million in costs related to the
hack, including customer notifications, credit monitoring, tech costs, and
legal support. This is in addition to any potential company
stock value losses.
In addition to keeping strong firewalls and antivirus solutions in place,
companies should use the services of an in-house or third-party cyber security
operations center (CSOC) to stave off these types of cyber security threats, both
for their overall organizational cyber security and for their website.
The benefit of this is that these individuals are dedicated to the monitoring
and analysis of logs for your website, applications, and systems so they can intervene at any sign of a
threat and swiftly remediate it.
One example of such a comprehensive solution (in this case, designed for small business
websites) is CWatch Web from Comodo Cyber Security, an all-in-one managed
security-as-a-service (SaaS) solution. Not only does it provide you with
24/7/365 access to cyber security experts, but it also includes:
- Access to Comodo CA’s fully secure global content delivery
- A web application firewall (WAF), and
- Security information & event management (SIEM).
Furthermore, limit employee access to sensitive systems using access
management policies and procedures. Create and maintain a list of access to
ensure that only the people who need access to your company’s databases or
other systems have access.
Cyber Security Threat or Risk No. 2: Various Forms of Malware
Malware is a truly insidious threat. It can be
distributed through multiple delivery methods and, in some cases, is a master
of disguises. Some types of malware are known as adaptive malware (such as polymorphic
or metamorphic malware) and can change their very “genetic” makeup, their
coding. Some forms of metamorphic malware can change themselves entirely with
each new iteration — in some cases, they can do it faster than you can say “well,
As we mentioned in another recent
article on malware, Microsoft identifies malware cyber security threats pretty
generically: “Malware is the overarching name for applications and other code,
i.e. software, that Microsoft classifies more granularly as malicious
software or unwanted software.” This categorization includes (but
certainly is not limited to) malicious software such as backdoors, downloaders,
trojans, worms, and macro viruses.
The Top 10 Types of Malware
So, what are considered the biggest cybersecurity threats
in terms of malware? The Center for Internet
Security (CIS) reports that the top 10 malware in July 2019 were:
There are many things you can do to prevent malware-based cyberattacks:
- Use reputable antivirus and anti-malware solutions, email
spam filters, and endpoint security measures.
- Ensure that your cyber security updates and patches are all
up to date.
- Require your employees to undergo regular cyber security
awareness training to teach them how to avoid suspicious websites and to not
engage with suspicious emails (more on that momentarily).
- Limit user access and application privileges.
- The list goes on and on.
Cyber Security Threat or Risk No. 3: Different Types of Phishing Attacks and Social Engineering
No matter whether you’re a small business or a Fortune
500 enterprise, phishing is a very real — and very costly — cyber security threat.
In its Evil
Internet Minute infographic, RiskIQ shares that $17,700 is lost every
minute due to phishing attacks. That’s $9,303,120,000 per year based on a
regular calendar year (525,600 minutes), or $9,328,608,000 for a leap year.
But what is phishing? In a nutshell, phishing is a
fraudulent attempt to elicit sensitive information from a victim in order to
perform some type of action (gain access to a network or accounts, gain access
to data, get the victim to perform an action such as a wire transfer, etc.). Phishing
comes in many forms:
- General phishing
- Spear phishing
- CEO fraud
- Clone phishing
- Domain spoofing
- URL phishing
- Watering hole phishing
- Evil twin phishing
Phishing activities frequently involve the use of social
engineering tactics. They can use domain spoofing or phone number spoofing to
make their communications appear more legitimate.
For a quick example of a social engineering hack, check
out this video by Fusion.net. It shows how easily a hacker gains access to a
journalist’s cell phone account using social engineering tactics and phone
Examples of Major Successful Phishing Attacks
These types of cyber security threats are prolific and can be exceedingly costly. Google
and Facebook together lost more than $100 million to a cybercriminal whose
phishing attack spoofed a technology vendor. Crelan Bank in Belgium also lost more
than $75 million to cybercriminals and their convincing phishing tactics. We’ve
written about several other major phishing attack victims if you’d like to read about other
There are several things that you can do to ward off these cyber security threats:
- Implement cyber security awareness training for every
employee across the board.
- Emphasize the importance of phishing reporting.
- Run random phishing simulations.
- Push HTTPS on your website to create secure, encrypted
- Institute access management policies and procedures.
- Use reliable email and spam filters.
- Require two-factor authentication.
- Use email encryption and email signing certificates.
First, one way to reduce the impact of cyber security threats is to implement cyber
security awareness training and make it mandatory for every employee.
Regardless of whether they’re an intern, the CEO, or anyone in between, if your
employees have access to any company device or network, they need to know how
to use it safely and securely. Some of the biggest phishing attacks involved
“whaling,” a form of phishing that targets CEOs, CFOs, or other executives. Erich
Kron, security awareness advocate at KnowBe4, says that
this type of training should be offered throughout the year and not just once
per year for it to be most effective.
Second, Kron also says that phishing reporting is essential for businesses. “Provide a way to
report the suspected phishing emails so your team is aware of campaigns
targeting your organization and can tune email/spam filters to protect other
employees against the specific campaigns.”
Third, run random phishing simulations. This practice can help you to determine how well
the cyber awareness training is being implemented and identify potential areas
to focus on in future trainings. Kron shares that the frequency of the
simulations is important. “We have found that users need to have simulated
phishing attacks at least once per month for the best results.”
Fourth, use HTTPS for your website by installing SSL/TLS certificates. An SSL certificate helps to facilitate the handshake that is required to create a secure, encrypted connection between your users’ browsers and your web server.
Fifth, setting up proper access management is essential. This helps to ensure that no one has
access to systems or data that their jobs don’t require access to. This is not
a set-it-and-forget-it thing, though — you’ll need to continually maintain the
list to ensure it remains up to date. Policies and procedures need to be
implemented to ensure that when an employee leaves or is fired, their
access is immediately terminated to limit risk and potential exposure.
Sixth, use effective and reliable phishing and spam
filters for your organization’s email accounts. There are third-party service
providers on the market that use various methods such as metadata analysis to
differentiate phish or other malicious emails from valid messages.
Seventh, implement two-factor authentication (2FA) for
employees. Even if an employee’s credentials become compromised, it can still
help to prevent a cybercriminal from accessing your network or data by
requiring additional user authentication. While 2FA on its own is not necessarily
infallible, it is another link in the chainmail of your cyber security armor.
Lastly, if you handle any type of sensitive information
via email, it’s vital that you secure that information as much as possible.
This includes both in-transit and at-rest data protection through the use of
Secure/Multipurpose Internet Mail Extensions, or what’s known as S/MIME.
An email signing and encryption certificate uses this email signing protocol and
public/private keys to:
- Encrypt data at rest and in transit so that it’s
- Sign the email with a verified digital signature
so your recipient can confirm you actually sent it.
Cyber Security Threat or Risk No. 4: Formjacking
Formjacking. Much like how it sounds, this type of cyber
security threat involves a cybercriminal taking over forms on websites by
exploiting their security weaknesses. In many cases, cybercriminals use lines
to steal their customers’ financial and payment information such as credit card
numbers. The goal is to skim and harvest any valuable data that end users
submit via the forms. Sometimes, cybercriminals will use third-party
applications such as chats and surveys as their attack vectors.
Symantec’s 2019 Internet
Security Threat Report shows that formjacking was on the rise in 2018. The
internet security company reported an average of 4,800 websites were
compromised with formjacking code each month. The report also stated that 3.7
million formjacking attacks were blocked on endpoints.
Notable Examples of Formjacking Attacks
For examples of recent successful formjacking attacks,
look no further than the British
Airways and Ticketmaster attacks that were believed to be perpetrated by
malicious actors known as Magecart. The British Airways attack resulted in more
than 380,000 credit cards being stolen at an estimated loss of $17 million.
This is in addition to the record £183 million fine that was
levied against the company due to its lack of General Data Protection
Regulation (GDPR) compliance. GDPR allows fines of up to 4% of a company’s
annual turnover for noncompliance.
Some of the ways that you can prevent formjacking include:
- Running vulnerability scanning and penetration
testing — this will help you to identify any vulnerabilities or weaknesses in
your cyber security defenses.
- Monitoring outbound traffic on your site — this
will help you be aware of any traffic from your site to another location.
- Using subresource integrity (SRI) tags — this
practice helps you to ensure files used by web applications and documents don’t
contain unexpected, manipulated content using hashing.
Cyber Security Threat or Risk No. 5: Inadequate Patch Management
The purpose of a patch is to cover a hole of some kind.
Manufacturers release patches all the time to address vulnerabilities in their
operating systems, software, and other technologies. They’re essential to the
security of your business — yet, frequently, patching largely gets ignored both
by users and IT security teams simply because they have so many other
responsibilities to manage.
Why is poor patch management such a big issue? Imagine you
own a kayak and decide to spend a day out on the ocean (we live in Florida —
this isn’t an unusual notion for us). You load up the kayak and drive to the
beach, put the kayak in the water and start to paddle out. After a little
while, you notice that your kayak has a very small leak but choose to ignore it
and keep paddling. After leaving the small hole unaddressed for a while, that
slow leak grows larger. Your kayak’s compartment soon begins to fill with
water, causing your kayak to start sinking. Eventually, you’ll find yourself
having to swim back to shore.
This analogy is much like inadequate patch management,
which leaves gaping holes in your IT security infrastructure. Ideally, patching
should be implemented as soon as a vulnerability is known as these holes
- leave your organization at risk of cyberattacks,
- lead to needing remediation, which can lead to
- cause reputational harm, and
- make you noncompliant with many industry and
regulatory cyber security standards.
Unfortunately, far too many companies aren’t patching
like they should be. This may be in part because not all businesses have the
resources to expedite that process in house, so they roll out patches when they
can, or they may need (but think they can’t afford) the services of a
third-party service provider. Regardless of the reason, a lot of technology remains
unpatched, which leaves businesses and their data vulnerable to even the most
basic cyber security threats. For example, research
from Avast, a digital security products company, shows that of the 500,000
devices that they analyzed, only 304 — less than 1% — were 100% patched. This
is simply unacceptable.
An Example of Patch Management Issues
EternalBlue. It’s a name that virtually everyone in the
infosec industry knows as an exploit that was allegedly developed by the
National Security Agency (NSA). It’s an exploit of a Microsoft vulnerability
that led to multiple worldwide attacks, including the spread of Petya and the WannaCry
Although Microsoft had released patches for EternalBlue well
before the 2017 WannaCry attacks began, many organizations remained vulnerable
because they either didn’t apply the patches or because they were operating on
old systems that were past their supported end-of-life period. This patching
issue led to massive issues for businesses across a variety of industries,
including the National
Healthcare System (NHS) in the United Kingdom. Thousands of appointments
and surgeries were cancelled, the incident cost NHS more than £100
Even now, two years after the WannaCry attacks, EternalBlue
continues to impact systems around the world.
Make patch management a priority. It’s not optional;
effective patch management is essential to the livelihood of your business and
the security of your customers’ data. Developing and implementing effective
patch management policies and procedures helps to reduce the attack surface of
your organization by closing up the holes in security that can allow data to be
Automating this process would also be highly beneficial.
Patching these vulnerabilities in real time through automation makes your cyber
security more effective and is also one less task for your team to have to
perform manually. It’s a win-win for everyone — except, of course, the hackers
who want to take advantage of unpatched vulnerabilities.
Cyber Security Threat or Risk No. 6: Outdated Hardware and Software
Wondering why we’ve broken this section out separately?
While it’s true that all patches are updates, it’s equally true that not all
updates are patches. That’s why we’ve broken them out into two separate
Keeping your hardware and software assets up to date is
vital to the security of your organization’s network, servers, devices, data,
and customers. If you’re using out-of-date technologies, your security defenses
are no better than using a wall made of Swiss cheese to keep out enemies.
Imagine that you’re a soldier on a battlefield. You’re
armed with a sword, a knife, a crossbow, and some leather armor. Your enemies, on
the other hand, are armed with Kevlar body armor, M4 rifles, and an assortment
of other modern weapons and vehicles. Who do you think will be victorious?
The same concept can be applied to your cyber security
defenses. If your business is operating using outdated operating systems,
security software, and other applications or tools, then you’re not going to be
able to stave off attacks from a well-armed cybercriminal. After all, they’ve
got the technology, tools, and know-how to plough through such flimsy defenses
while evading detection.
Examples of Outdated Systems
Look around the internet — examples of data breaches and
other cyber security incidents that resulted from outdated or unpatched
technologies are everywhere. Okay, if you still want us to provide a few
examples, then look no further than the WannaCry and Petya attacks we mentioned
earlier, as well as Equifax’s 2017
data breach that involved a patchable
Unsupported and outdated software are hackers’ best
friends, so be sure to put your best foot forward by keeping your systems and
software up to date. When a manufacturer
releases an update or patch, apply it as soon as possible. Don’t wait.
Pushing the latest updates keeps your operating system,
applications, and other assets up to date, which strengthens your defenses and helps
your data to remain secure and out of the reach of cybercriminals. Develop
device management policies for your organization and follow industry device
management best practices.
Cyber Security Threat or Risk No. 7: Internet of Things Insecurities
Internet of Things (IoT) technologies are marvels to
behold — and they’re everywhere. The Internet of Things connects and
networks devices across the world. Examples of IoT technologies in the
workplace include everything from smart thermostats and videoconferencing
technologies to warehouse stock monitors and even “smart” vending machines that
can order their own refills.
IoT is popular, and its popularity continues to grow. Gartner
reports that they anticipate more than 20.4
billion IoT devices will exist by 2020. But why are they becoming so
popular for businesses and private users so quickly? In part, it’s because IoT
technologies, a combination of sensors, software, devices, and networks, make
homes and workplaces more “intelligent.” They help people and companies
around the world make environments more comfortable, and certain operational
functions more convenient and efficient through automation. Makes sense, right?
But with all of this enhanced connectivity and
convenience come security risks — big ones. It’s no secret that IoT
technologies are a gaping hole of need when it comes to cyber security. After
all, the very things that make IoT so convenient are also what makes it
OWASP Top 10 IoT Vulnerabilities
Many of the reasons that IoT insecurities are some of the
biggest cyber security threats to businesses and users are covered by OWASP (the
Open Web Application Security Project) in their annual list of the Top 10
IoT Vulnerabilities. Their 2018 list (the most recent) includes the following:
- Weak, Guessable, or Hard-Coded Passwords
- Insecure Network Services
- Insecure Ecosystem Interfaces
- Lack of Secure Update Mechanisms
- Use of Insecure or Outdated Components
- Insufficient Privacy Protection
- Insecure Data Transfer and Storage
- Lack of Device Management
- Insecure Default Settings
- Lack of Physical Hardening
Examples of Cyber Attacks That Resulted from IoT-Related Cyber Security
Geez. Where do we start? IoT cyber security threats
affect companies and organizations across just about every industry. An unnamed
high-roller database was compromised when hackers accessed the casino’s
network using the smart thermometer of the aquarium in its lobby. A British
bank was hacked via its CCTV cameras. Botnets — entire networks of connected
IoT devices — have been used to launch major distributed denial of service (DDoS)
attacks. One such example, the Mirai botnet, nearly
brought down the internet along the entire eastern seaboard of the U.S.
The list goes on and on.
While we don’t condone the actions of these
cybercriminals — yes, we need to state that to cover our butts — we can
appreciate their demonstrable ingenuity and creativity. After all, who
typically thinks of pulling off a casino data heist through an aquarium?
A hacker, that’s who. That’s why you need to up your ante
and strengthen your IoT cyber security defense to prevent cyber security
threats from getting through.
Securing your IoT is about more than just securing your
devices — it’s also about protecting data and privacy. As such, look beyond
just IoT device security solutions — consider everything from the application
and network to the IoT ecosystem as a whole — to identify any vulnerabilities
and potential liabilities. Part of this is about creating and implementing
organizational mitigation policies and processes that will address IoT device
lifecycle challenges concerning cyber security and privacy.
You also can use IoT digital
security certificates as part of your PKI infrastructure to facilitate
encrypted connections. Like other X.509 digital security certificates, IoT
device certificates verify identity to ensure only trusted devices can connect
and any messages or data transferred are secure and encrypted.
Look, regardless of how you choose to do it, just make
sure your IoT is secure. While we get that accomplishing this task is not an
easy undertaking — after all, effective cyber security requires considerable time
and resources without the use of automation — securing your IoT is not optional.
It’s also significantly less time-consuming and costly than dealing with the
aftermath of a cybersecurity attack or data breach.
Cyber Security Threat or Risk No. 8: Man-in-the-Middle Attacks
Man-in-the-middle (MitM) attacks, or eavesdropping
attacks as they’re sometimes called, occur when an attacker inserts themselves
into two-party transactions. Imagine you’re having a phone conversation with
your bank and an unwanted third party taps into your phone line and starts
listening to your private conversation, gaining access to your personal and
It’s the same concept with a MitM attack. These types of
cyber security threats are made by cybercriminals who set up fake public Wi-Fi
networks or install malware on victims’ computers or networks.
Regardless of how they do it, the goal is the same: To
get access to your business or customer data.
An Example of a Real-World MitM Attack
Banks and other financial institutions are popular
targets of man-in-the-middle attacks, as are banking mobile apps. However,
hackers don’t like to limit themselves and will attack companies and
organizations across all industries, including government organizations.
One recent example of a MitM attack occurred when a group of intelligence agents
from Russia’s GRU (the Main
Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation) tried to hack into the office of the
Organisation for the Prohibition of Chemical Weapons (OPCW) at The Hague. They
used a Wi-Fi spoofing device (a Wi-Fi panel antenna) to try to get information
relating to the results of an investigation. While the attack itself failed, it
still goes to show that no one — not even governments — is exempt from being MitM
Although SSL/TLS encryption protocols are not 100%
perfect, they’re still the best way to help protect your company, customers,
and website from man-in-the-middle attacks. HTTPS for websites is not only
recommended but is actually required by major browsers such as Google Chrome,
Firefox, etc. Without an SSL certificate to facilitate the handshake between
your client’s browser and your web server, which protects in-transit data, your
site will be flagged as “Not Secure” and you’ll lose traffic and business.
Another way to avoid MitM attacks is to instruct your
employees to avoid using public Wi-Fi connections whenever possible. Using virtual
private networks (VPNs) on public Wi-Fi can help increase security by
creating secure, encrypted connections at times when using public networks are
Cyber Security Threat or Risk No. 9: Poor Digital Certificate Management
Expired SSL certificates. Expired code signing
certificates. It doesn’t sound like that big of an issue, so who cares, right?
You should. A lot.
We’ve talked about certificate expiries as a form of
cyber security threat before. But, if you’re new to our little corner of the
internet, you may be surprised to hear just how dangerous and costly poor
public key infrastructure (PKI) practices can be for your business. In fact,
the average cost of unplanned certificate expirations is $11.1 million. No,
that’s not a typo. The number is so high because expired
certificates can result in a litany of issues, including website downtime
and service outages for your business.
All of these things can significantly impact
your bottom line by:
- Increasing downtime,
- Reducing revenue,
- Turning away prospective (and existing)
- Making your organization noncompliant, which
leads to noncompliance fines and potential lawsuits
An Example of What Happens When You Have Inadequate Certificate Management
Ericsson, the Swedish cellular company that manufactures back-end equipment and
management software, is another example of a company that allowed a certificate
to expire. As a result, tens of millions of cellular phone users in the U.K.
and throughout Asia — those whose cell service providers used Ericsson’s
management software that had the expired certificate — experienced service
Learn from their examples: Don’t let your SSL or other
X.509 digital certificates expire. Period.
If you’re still relying on Excel spreadsheets and other
manual methods of certificate management, saying you’re behind the eight ball
is an understatement. Managing a few SSL certificates and their corresponding
keys manually isn’t too bad. But when you’re doing it at scale for an
enterprise — when you’re managing hundreds, thousands, or even hundreds of
thousands of certificates and keys — it’s virtually impossible to
keep up with them all.
This is where using a PKI certificate management tool can help. For example, Sectigo Certificate Manager (formerly Comodo CA Certificate Manager) is a solution that helps you to mitigate certificate expiry issues by automating rapid certificate renewals, installations, and revocations. It’s a single pane of glass that allows you to manage and monitor all of your certificates and keys, as well as delegate tasks and manage access and roles.
What other cyber security threats would you like to see included on the list? As always, share your thoughts in the comments below.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/the-top-9-cyber-security-threats-that-will-ruin-your-day/