Nine IT Vulnerabilities and Threats
No IT system is completely safe from a cyberattack. Any organization that receives, manages, stores or transmits data – which is nearly every organization – carries some inherent risk that the data will end up in the wrong hands.
Many organizations have found out the hard way that their systems were exploited and their private data – or data belonging to customers – was stolen. Stolen data can be sold or used to commit further cybercrime.
The consequences of this kind of incident are dire. You need to engage in immediate damage control from a public relations perspective, you will have to work to rebuild the trust of your customers, and in certain jurisdictions you may pay substantial financial penalties.
There is no way to protect every system from every threat. But every organization needs to be aware of the small things it can do to make its private data harder to steal. Many cybercriminals are extremely clever and creative, but a lot are simply opportunistic, and they know that thousands of companies leave their networks unprotected and their staff untrained to deal with cybercrime. An unprotected network or unwitting employees are low-hanging fruit, easily exploited by anyone with basic technical knowledge or social engineering skills. If you make their work harder, they will likely just move on to the next target.
The first step in defending your systems is understanding your own vulnerabilities and the threats to them.
Unpatched Security Holes
Software vendors find – or are told about – security flaws in their products all the time. They hope these holes are found by their internal teams or by “white hat” researchers who report them so they can be fixed. Sometimes a flaw only comes to light because a talented attacker found it first and exploited it.
Regardless of how it is discovered, once a hole is confirmed the developers move quickly and issue a patch to remove the flaw. That is good news for users, who can now patch their systems and be safe from that particular threat. But it is also good news for every other attacker in the world, because the patch itself publicizes the flaw: comparing the patched and unpatched code is a routine way to work out what was fixed and how to exploit it. So it is no longer just the clever criminals who can use the flaw. Anyone can now attempt to break into the thousands of systems that are still running the unpatched software.
That leaves systems that have not applied the patch at greater risk than they were before the patch was issued. One 2019 survey found that 60% of data breaches were linked to vulnerabilities for which a patch was available but had not been applied. This makes unpatched software the top cybersecurity threat on this list.
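Knowing which installed software sits below the version a vendor advisory fixed is the practical starting point for closing that gap. The script below is an added example, not code from the original article: it compares a package inventory against a list of advisories using a version comparison that understands suffixes such as OpenSSL's `1.1.1k`. The inventory, the advisory entries and their `ADV-EXAMPLE-*` identifiers are constructed for illustration; a real run would be fed `dpkg -l` or `rpm -qa` output and the vendor's advisory feed.

```python
"""Report installed packages that are below the version a vendor advisory fixed.

Added example, not from the original article. The package inventory and the
advisory list below are constructed for illustration; a real run would feed
in dpkg/rpm output and vendor advisory data.
"""
import re

# Constructed installed-package inventory (name -> installed version).
INSTALLED = {
    "openssl": "1.1.1k",
    "sudo": "1.8.27",
    "nginx": "1.20.1",
    "curl": "7.79.0",
}

# Constructed advisories: package -> minimum fixed version.
# The identifiers are illustrative placeholders, not real advisory or CVE IDs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "openssl", "fixed_in": "1.1.1l"},
    {"id": "ADV-EXAMPLE-2", "package": "sudo", "fixed_in": "1.9.5p2"},
    {"id": "ADV-EXAMPLE-3", "package": "nginx", "fixed_in": "1.20.1"},
]


def version_key(version):
    """Split a version string into a comparable tuple.

    Numeric runs compare as integers and alphabetic runs as strings, so
    1.1.1k < 1.1.1l and 1.8.27 < 1.9.5p2, as a human would expect. A bare
    1.1.1 sorts below 1.1.1k because it is a strict prefix of it.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def patch_gap(installed, advisories):
    """Return the advisories whose fix has not been applied on this host."""
    missing = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None:
            continue  # package not installed: the advisory does not apply
        if version_key(current) < version_key(adv["fixed_in"]):
            missing.append({**adv, "installed": current})
    return missing


if __name__ == "__main__":
    for gap in patch_gap(INSTALLED, ADVISORIES):
        print(f"{gap['package']}: {gap['installed']} < {gap['fixed_in']} ({gap['id']})")
```

Run against the constructed data it reports `openssl` and `sudo` as unpatched and stays silent about `nginx`, which is already at the fixed version. The version logic is deliberately simple; distribution packages with epoch or backport suffixes (such as Debian's `1.1.1k-1+deb11u1`) need the distribution's own comparison rules, and a backported fix can make a lower-looking version safe.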
Excessive User Privileges
Some of the earliest documented remote intrusions were carried out by individuals who were simply able to log in to system administrator accounts using the default password (hint: it was “password”). By now, most internal IT staff are well aware of these attacks and are more careful with network-wide administrator and superuser accounts.
But there is still a common problem of IT staff issuing credentials and access to users who do not strictly need them. User accounts may be given broad access to the entire system even though each user only really works on a specific server or device. The reason given is that it is easier to manage a few account types than to grant and deny specific access. After all, your own users and employees are completely trustworthy, right?
Unfortunately, it is not quite that simple. It is true that almost all internal users are trustworthy. But they may not be aware of the full impact their privileged accounts can have on a device or network. They may use weak passwords or casually share their access with other users. Anyone who obtains those credentials then has the keys to infiltrate, damage or destroy your entire infrastructure.
With this in mind, most IT departments try to limit account privileges. The smart thing to do is to give each user the minimum access required to do their job, the principle of least privilege. This policy protects your network, but it adds workload for the IT department: someone now has to log in as an administrator for basic tasks like installing software or applying certain updates. Understanding why that extra work is necessary is a key step toward understanding the danger of cybersecurity threats. Locking down user accounts also closes many other attack vectors. Many compromises start with a user simply downloading the wrong file or clicking the wrong link and inadvertently handing over their access. If that user's account cannot reach the entire network, then whoever hijacks it cannot either.
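The first step in applying least privilege is finding out who currently holds broad administrative rights. The audit script below is an added example, not code from the original article. It reads the two places a Linux host records such rights, the admin groups in `/etc/group` (`sudo` on Debian-style systems, `wheel` on Red Hat-style ones) and the rules in `/etc/sudoers`, and flags every account that can run any command as root. The group and sudoers text embedded here is constructed; the `dave` rule shows the least-privilege form the text recommends, a named command on a named host instead of `ALL=(ALL) ALL`.

```python
"""Flag accounts that hold broad administrative privilege on a Linux host.

Added example, not from the original article. The group and sudoers text
below is constructed; on a real host read /etc/group, /etc/sudoers and
/etc/sudoers.d/* instead. 'sudo' and 'wheel' are the usual admin groups on
Debian- and Red Hat-style systems respectively.
"""

ADMIN_GROUPS = {"root", "sudo", "wheel"}

# Constructed /etc/group content.
GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:carol
developers:x:1001:alice,dave
"""

# Constructed /etc/sudoers content. The 'dave' rule is the least-privilege
# form: specific commands, as root, rather than ALL=(ALL) ALL.
SUDOERS_FILE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
erin    ALL=(ALL) NOPASSWD: ALL
dave    ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""


def admin_group_members(group_text):
    """Map each admin group to the users listed as its members."""
    members = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _password, _gid, users = line.split(":", 3)
        if name in ADMIN_GROUPS:
            members[name] = [u for u in users.split(",") if u]
    return members


def broad_sudoers_entries(sudoers_text):
    """Return (principal, spec) for every rule that grants all commands."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        principal, spec = line.split(None, 1)
        # Drop the host and runas parts: "ALL=(ALL:ALL) NOPASSWD: ALL" -> "NOPASSWD: ALL",
        # "ALL=ALL" -> "ALL". What is left is the command list.
        commands = spec.rsplit(")", 1)[-1] if ")" in spec else spec.split("=", 1)[-1]
        commands = commands.replace("NOPASSWD:", "").strip()
        if commands == "ALL":
            findings.append((principal, spec))
    return findings


def audit(group_text, sudoers_text):
    """Combine both views into one list of accounts with broad privilege."""
    report = []
    for group, users in admin_group_members(group_text).items():
        for user in users:
            report.append(f"{user}: member of admin group '{group}'")
    for principal, spec in broad_sudoers_entries(sudoers_text):
        report.append(f"{principal}: sudoers grants all commands ({spec})")
    return report


if __name__ == "__main__":
    print("\n".join(audit(GROUP_FILE, SUDOERS_FILE)))
```

On the constructed input the report names `alice`, `bob` and `carol` through group membership and `root`, `%sudo` and `erin` through sudoers, while `dave` does not appear at all. Note that `erin` is the worst case on the list: `NOPASSWD: ALL` means a phished session or an unlocked workstation is already root, with no password prompt to slow an attacker down.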
Social Engineering
This type of threat is much older than IT itself. Someone talking their way inside the gates and then attacking from within sounds familiar to anyone who knows the story of the Trojan horse, or to anyone who watched Luke Skywalker and Han Solo disguise themselves as stormtroopers and walk Chewbacca right into the detention block on the Death Star.
Social engineering is the practice of tricking people into giving up sensitive information or providing access to sensitive places. This could be as simple as an email posing as a vendor or could actually involve a person approaching someone wearing a uniform from the local phone company and requesting access to the network closet.
Social engineering takes advantage of a person’s basic goodwill, a lack of technical knowledge and gaps in security training and policies. Often, the easiest way into a secure network is simply to earn the trust of an authorized user under false pretenses. To do this, an attacker might study a target’s social media posts or other public information and use it to build rapport. Once inside, a cybercriminal can set themselves up with the hardware, software or access needed to control every aspect of your IT systems.
The point of social engineering is not to defeat the technology that protects the system, but to go around it through a line of defense that is generally weaker: the people who use it. Proper training and awareness of these weak points are an important part of your overall security posture.
Phishing
One of the most common social engineering attacks is phishing. Phishing is an attempt to obtain sensitive information through electronic communication. Most people know it in the form of the stereotypical “Nigerian prince” email: the message promises money in exchange for help, but to receive the money the recipient must first provide account details.
Those clichés are so well known that they (probably) rarely work anymore. Rather than targeting individuals' personal email, phishing campaigns now target corporations. Not only is more at stake, but an employee dedicated to good customer service may be especially responsive to a scammer, or so overwhelmed with work that they respond quickly without thinking.
When scammers realized phishing really worked, they got more sophisticated. With a little investigation they can often determine a person's job title, business role and other details. With that information in hand, they can conduct targeted attacks, known as spear phishing. By telling a plausible story with enough specifics, the spear phisher can trick a person into replying with confidential information or details that help them reach private networks. A typical attack impersonates a known individual such as the CEO (easily identified from most company websites) and asks for specific, vital information in a hurry. After all, who ignores an urgent request from the CEO?
Some attacks work the other way around, targeting a company's C-level executives with spear phishing. This is known as whaling. Dressed up with a sense of urgency and often including details of business transactions or alleged problems at the company (all based on publicly available information), the whaling message tries to convince the target to do something like click a link. The supposed urgency or seriousness of the situation pushes the individual to ignore normal security precautions and common sense.
While spam and junk-mail filters do a good job of removing the most obvious mass phishing, spear phishing and whaling messages often arrive as ordinary-looking emails with none of the telltale signs of a clumsy attack.
The main defenses are security training, a healthy suspicion of unexpected requests in any electronic communication, and an out-of-band check – a phone call to a number you already know – before acting on any request to move money or hand over credentials. Many organizations have discovered the drastic consequences of falling for phishing or another social engineering attack.
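Even when a spear phishing or whaling message carries none of the clumsy signs a spam filter catches, the headers usually still betray the impersonation. The triage script below is an added example, not code from the original article: it applies the checks a mail gateway or SOC analyst would run on each message. Is an executive's display name paired with an external sender address? Does the sender domain only look like ours once digit-for-letter substitutions are folded? Does `Reply-To` steer replies to a different domain than `From`? Does the text lean on urgency or payment language? The three sample messages, the executive names, the company domain `example.com` and the other domains are all constructed.

```python
"""Score inbound mail for the impersonation tricks spear phishing and whaling rely on.

Added example, not from the original article. The messages, the executive list
and the domain 'example.com' are constructed; the checks mirror what a mail
gateway or SOC triage script applies to message headers.
"""
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"
# Constructed: display names of executives that attackers like to imitate.
EXECUTIVES = {"Jane Doe", "John Roe"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|wire transfer|gift cards?)\b", re.I)

# Constructed sample messages: a whaling attempt, a look-alike-domain credential
# phish, and an ordinary internal email.
MESSAGES = [
    {
        "from": "Jane Doe <jane.doe.ceo@freemail.example>",
        "subject": "Urgent - need this done today",
        "body": "Are you at your desk? I need a wire transfer processed immediately.",
    },
    {
        "from": "IT Helpdesk <helpdesk@examp1e.com>",
        "reply-to": "helpdesk-support@mailbox.example",
        "subject": "Password expiry notice",
        "body": "Your password expires today. Reset it right away at the portal.",
    },
    {
        "from": "John Roe <john.roe@example.com>",
        "subject": "Q3 planning notes",
        "body": "Attached are the notes from Tuesday.",
    },
]


def normalize_domain(domain):
    """Fold common look-alike substitutions so 'examp1e.com' and 'exarnple.com'
    both compare equal to 'example.com'."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("0135", "oles"))


def analyze(message):
    """Return the list of warnings for one message; an empty list means nothing found."""
    warnings = []
    display, address = parseaddr(message["from"])
    domain = address.rsplit("@", 1)[-1].lower()
    external = domain != OUR_DOMAIN

    if external and normalize_domain(domain) == normalize_domain(OUR_DOMAIN):
        warnings.append(f"look-alike sender domain: {domain}")
    if external and display.strip() in EXECUTIVES:
        warnings.append(f"executive display name '{display}' from external domain {domain}")
    reply_to = message.get("reply-to")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.rsplit("@", 1)[-1].lower() != domain:
            warnings.append(f"Reply-To domain differs from From domain: {reply_addr}")
    if URGENCY.search(message.get("subject", "") + " " + message.get("body", "")):
        warnings.append("urgency or payment language in subject or body")
    return warnings


if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg["subject"])
        for warning in analyze(msg) or ["no findings"]:
            print("  -", warning)
```

These heuristics flag the first two samples and pass the third, but they are a triage aid, not a gate: an attacker who has compromised a real internal mailbox trips none of them. Sender authentication (SPF, DKIM and a DMARC reject policy on your own domain) stops outright spoofing of `example.com`, and the out-of-band callback remains the control that catches the rest.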
Ransomware
No matter how malware gets into your system – through a network intrusion or through social engineering – ransomware is among the most destructive kinds.
Ransomware encrypts the files on data storage drives, making them inaccessible to their owner, then delivers an ultimatum demanding payment for the decryption key. The ransomware program itself can be removed, but without the key or a clean backup there is no practical way to recover the data, and paying does not guarantee that a working key will ever be delivered.
One defense is keeping backups that ransomware cannot reach: offline or immutable copies stored offsite, since ransomware routinely seeks out and encrypts or deletes any backup it can write to. The backed-up data can be copied back to the production system, but estimates put the effort to remove the ransomware and then restore the data at up to 500 person-hours. And that is the best case, when you do have a safe, tested backup.
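A backup is only a defense if it is intact and was taken before the encryption happened, so it is worth checking both before committing to a 500-hour restore. The script below is an added example, not code from the original article. It records a SHA-256 manifest of a backup set, later verifies that every file is still present and unchanged, and screens for files whose byte distribution looks like ciphertext, the sign that the copy was made after ransomware had already run. The files and the simulated damage are constructed in a temporary directory; in practice the manifest travels with the offline copy, and the `7.0` bits-per-byte threshold is an assumption that fits text and most office documents but not already-compressed or encrypted formats.

```python
"""Check a backup set before trusting it for a ransomware recovery.

Added example, not from the original article. Builds a SHA-256 manifest of a
backup set, then verifies the set against it and flags files whose contents
look encrypted. All files here are constructed in a temporary directory.
"""
import hashlib
import math
import random
import tempfile
from pathlib import Path

# Assumed threshold, in bits per byte: text and most documents sit well below
# it, ciphertext and random data sit near 8.0. Compressed formats also score
# high, so such files need a format-aware check instead.
ENTROPY_THRESHOLD = 7.0


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Return (missing, modified, suspicious) relative paths for the set under root."""
    root = Path(root)
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    suspicious = sorted(p for p in current
                        if shannon_entropy((root / p).read_bytes()) > ENTROPY_THRESHOLD)
    return missing, modified, suspicious


def demo():
    """Take a manifest of a clean set, then verify again after simulated ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_text("date,amount\n2020-01-01,100\n" * 200)
        (root / "notes.txt").write_text("quarterly planning notes\n" * 100)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulated damage: one file encrypted in place, one deleted. Deterministic
        # pseudo-random bytes stand in for ciphertext (constructed, not real output).
        rng = random.Random(7)
        (root / "ledger.csv").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
        (root / "notes.txt").unlink()
        damaged = verify_backup(root, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean set:", clean)
    print("after simulated ransomware:", damaged)
```

The clean set verifies with three empty lists; after the simulated attack `notes.txt` is reported missing and `ledger.csv` is reported both modified and suspicious. The manifest must be written somewhere the production network cannot overwrite, otherwise ransomware that reaches the backup can simply regenerate it.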
Trojans
Trojans are a delivery system for malware. A Trojan poses as something harmless, like a PDF file or a web link, and then runs malicious code inside your system, much like the famous horse (or Luke, Han and Chewbacca, if you prefer). A successful phishing attempt often ends with the delivery of a Trojan.
Ransomware can reach your system through a Trojan. Other Trojans start out on a typical user's computer and then spread through your systems, looking to copy sensitive data such as credit card numbers or the personally identifiable information of your employees or customers.
A backdoor Trojan may rewrite permissions on your system to let an outside user in. Others capture keystrokes to intercept banking or other sensitive passwords. Some even hijack your computing resources to mine cryptocurrency.
Trojans infect not only desktop and laptop computers but also mobile devices. Most run-of-the-mill Trojans are detectable by a good antivirus scanner, deep-packet inspection at the firewall and incoming email scanning. But as with all cybersecurity issues, one of the most important lines of defense is your employees and their knowledge of good security practices.
Worms
Worms are self-replicating programs that spread from machine to machine on their own, typically by exploiting unpatched network services with no user action required. Some also use your own address book to disperse themselves via email or messaging programs.
As with Trojans, you can stop many – but not all – worms with effective hardware and software defenses, and because worms depend on reachable, unpatched services, the patching and least-privilege practices above blunt them considerably. Many are released into the wild and travel from system to system; after a while, the cybersecurity industry is able to analyze and defend against them.
But there are two key points to remember about all malware. The first is that the state of the art is always advancing. The top attackers can nearly always find a way through any system eventually. Against these ultra-sophisticated attackers, you generally need to focus on limiting the damage they can do once inside.
But the flip side is that cybercriminals are in this for the money – usually for quick money. There are thousands of systems that are ripe for attack with little to no effort. If you can make it even moderately difficult to access your system, they are happy to move onto the next easy system that offers less of a challenge.
Malicious Browser Scripts
To run complex features on websites, browsers execute the scripts those sites serve. A compromised or attacker-controlled site can serve malicious scripts that run in the browser just like legitimate ones, and if such a script exploits a flaw in the browser or one of its plugins, its automatic execution can install other malware such as backdoors, ransomware or worse.
One response is to control where users can browse, using either a blocklist of prohibited sites or an allowlist of permitted ones. The risk here is blocking access to legitimate sites that are needed for work.
A better option is to block script execution by default and allow it only for specific sites, or to require users to approve each script. This still leaves part of the decision in the hands of users, but proper training and clear policies on permitted internet activity help considerably.
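Managed browsers can enforce that default-deny directly. In Chrome's enterprise policy, `DefaultJavaScriptSetting` set to `2` blocks script execution everywhere and `JavaScriptAllowedForUrls` lists the sites where it is permitted, in a pattern syntax where `[*.]example.com` covers a host and all its subdomains. The script below is an added example, not code from the original article or from Chrome: it emits that policy from an allow list and reimplements the pattern matching so the list can be tested against real work URLs before roll-out, which is how you catch the legitimate site you forgot before users do. The allow list and the test URLs are constructed, and the matcher handles scheme and host only, not ports or paths.

```python
"""Default-deny script execution with a per-site allow list.

Added example, not from the original article. Emits a Chrome managed-browser
policy (DefaultJavaScriptSetting=2 blocks scripts everywhere;
JavaScriptAllowedForUrls lists exceptions) and reimplements the URL-pattern
match for testing. The matcher is an illustration, not Chrome's own code, and
covers scheme and host only. The allow list and test URLs are constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed allow list in Chrome's content-setting pattern syntax:
# "[*.]example.com" matches the host and every subdomain; a bare host matches itself.
ALLOWED_PATTERNS = [
    "https://[*.]example.com",
    "https://intranet.example.net",
]


def host_matches(pattern_host, host):
    """Match a host against a pattern host, honouring the [*.] subdomain wildcard."""
    if pattern_host.startswith("[*.]"):
        base = pattern_host[4:]
        return host == base or host.endswith("." + base)
    return host == pattern_host


def pattern_matches(pattern, url):
    """True if url falls under one pattern. '*://' in a pattern accepts any scheme."""
    p_scheme, _, p_host = pattern.partition("://")
    parts = urlsplit(url)
    if p_scheme not in ("*", parts.scheme):
        return False
    return host_matches(p_host.lower(), (parts.hostname or "").lower())


def scripts_allowed(url, allowed=ALLOWED_PATTERNS):
    """Default-deny decision: scripts run only if some pattern allows the site."""
    return any(pattern_matches(p, url) for p in allowed)


def chrome_policy(allowed=ALLOWED_PATTERNS):
    """Managed-policy JSON: block JavaScript everywhere except the allow list."""
    policy = {"DefaultJavaScriptSetting": 2, "JavaScriptAllowedForUrls": list(allowed)}
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed URLs a roll-out check would try before pushing the policy.
    for url in ["https://app.example.com/login", "http://example.com/",
                "https://evil-example.com/", "https://intranet.example.net/wiki"]:
        print(f"{url}: {'allowed' if scripts_allowed(url) else 'blocked'}")
    print(chrome_policy())
```

Two details of the matching matter for security: `evil-example.com` is not a subdomain of `example.com` and stays blocked, and a plain `http://` URL for an allowed host is also blocked because the pattern names `https`, which keeps a downgraded connection from being treated as trusted.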
Your Own Devices
In addition to your own local desktops, laptops, servers and printers, a large number of additional smart devices are usually attached to the typical business WiFi network.
The biggest group of these devices is probably your users’ mobile phones and tablets. Good WiFi is considered almost essential in the workplace, and extending access to employees’ personal devices is often done as a courtesy. This is especially true when bring-your-own-device policies are adopted for employee email. But with devices you do not actually own, there is always the possibility of malware or an unpatched operating system posing a threat to your systems.
Beyond mobile devices, the Internet of Things (IoT) can also be a threat. IoT includes any device, from a security camera to a refrigerator, that offers “smart” features over WiFi. Some of these devices are manufactured cheaply, with firmware that is rarely updated and may be based on outdated standards, which makes them easier to hijack than a properly maintained device with a modern OS.
Understanding the risk these devices pose and tracking their use is an essential part of any data security plan. Deploying a guest network that is completely separate from your corporate WiFi is another step in the right direction, and IoT devices belong on their own segment for the same reason: a hijacked camera should not be able to reach your file servers.
The Cost of Not Knowing
Each of the cases above can have consequences ranging from a minor annoyance to a total disaster. The first step to correcting any risk you may have is measuring the worst-case scenario and what it will cost if it happens to you.