Introduction to Cyber Security - Implementing Cyber Security Tools and Methodologies

Understanding the Scary Stuff

Outline

This lesson will start off by exploring the current threat landscape, and then look at ways to measure exactly what level of risk exposure your organization can realistically manage. When we're done, you'll hopefully have a way to make informed and smart decisions about where you're going to direct your future security investments.

In very general terms, an attack can take place through one of four vectors. Physical, in-person attacks might involve the theft or unauthorized duplication of unencrypted data drives. This can happen because someone accidentally left a laptop or phone in a coffee shop or because someone forgot to lock the door to your server room.

But there's another type of physical attack that's much harder to prevent: backdoor vulnerabilities built into your hardware or operating systems. A backdoor is an undocumented weakness in a system's security profile. Backdoors might have been added, as part of a criminal operation, without the vendor's knowledge before the product shipped. Or they might have been intentionally incorporated into a system to permit secret access for law enforcement organizations. The term might also be used to describe accidental design flaws that hackers can later exploit. But whatever their origin, backdoors can be really tough to identify and then close.

The second attack vector is the internet itself, which, when you consider how nearly every device you're running will need connectivity, can be a common source of trouble. Failing to properly configure your firewall and system settings - and to incorporate cloud-based mitigation services like Cloudflare - can leave you unnecessarily vulnerable to denial of service attacks, where your infrastructure is flooded with enough concurrent fake requests to render your service unavailable.

Similarly, unencrypted network connections risk having their private communications intercepted and stolen. Even worse, such connections can fall victim to man-in-the-middle attacks, where third parties can not only read private data moving between a website and its remote client, but they can even impersonate the legitimate participants and insert their own content in place of what was intended. Imagine how much fun a man-in-the-middle could have with customers logging into their online bank accounts.

Finally, still within this internet vector, whereas decades ago most viruses were delivered through physical floppy disks, it's now far more efficient to distribute malware online, and in particular as email attachments.

The third vector, unpatched software packages, is easily the most dangerous and common vulnerability. Let me illustrate with some ancient history. You may remember how the credit bureau service Equifax suffered a security breach back in May, 2017. Private personal and financial data involving more than 160 million individuals was exposed in the breach. What went wrong? Hackers exploited a bug in the open source framework Apache Struts. Apache had shipped a patch for the bug in March, 2017. The problem is that Equifax admins never got around to installing the free patch. And the rest is history.

The fourth and final vector in my model is what some people call the bioware sitting in front of the keyboards in your office: human beings, in other words. As a species, we're pretty good at visually identifying bad guys. After all, they usually wear black hats and raincoats with the collars turned up, right? But when it comes to threats that hide behind regular social interactions, we generally fail early and fail often.

Phishing attacks, for instance, can take the form of emails with links designed to look like they lead to your bank's website or an official government service. But they'll actually misdirect you to a pirate site that'll record and then reuse the legitimate authentication credentials you innocently enter. Similarly, email spoofing involves forging the actual sender address on an email message to make it look like it came from a familiar or trusted source.

Social engineering techniques can include phone calls claiming to come from your organization's IT department. They might ask you to spell out your password so they can quickly fix some problem in the back-end system. Naturally, no real admin would ever need or ask for your password. But equally naturally, it takes awareness and confidence to push back during an unexpected direct conversation with a real human being.

Many - perhaps most - of the most devastating ransomware attacks over the past few years began with a simple set of stolen credentials. Once a ransomware gang comes into possession of valid credentials, they'll log in to your systems and spend all the time they need - sometimes many months - moving through your private network and figuring out how your organization works. When they decide they've learned enough, they'll encrypt as much of your data as they can and demand a lot of money in the form of cryptocurrency before restoring your access.
