![\"Top](\"https:\/\/ieeecs-media.computer.org\/wp-media\/2022\/08\/23193918\/Top-Attack-Vectors-in-2022.jpg\")
It\u2019s been said that lyrics are poetry with a limp. They\u2019re meant to go along with music, unlike poems that stand on their own. Just like lyrics, considering cyberattack statistics apart from the supporting data of areas such as industry and the data that a company holds keeps one from fully appreciating the statistics or how that information relates to any particular company, especially that of the reader.<\/p>\n
\u00a0<\/p>\n
Considering Vectors \u2013 Industries, business size, and data held<\/h2>\n
\n
There\u2019s a lot of information flowing throughout this planet. Consider this infographic:<\/p>\n
![\"biggest](\"https:\/\/ieeecs-media.computer.org\/wp-media\/2022\/08\/23195117\/biggest-attack-vectors-for-Cyber-Criminals-288x300.png\")
<\/p>\n
Along with the enormous business and personal opportunities presented by technology come enormous criminal opportunities. This information shouldn\u2019t lead to fear but to action, specifically actionable defense.<\/p>\n
There are many reputable sources of the top cyber threats and attacks to expect in 2022. SANS gives the top five major categories of cyber-threats.<\/p>\n
Verizon\u2019s DBIR gives detailed studies on various industries, vectors, threats, etc. Sophos has an excellent report, as does Symantec with its white paper. IBM weighs in with its industry expertise. There are numerous other expert and anecdotal studies.<\/p>\n
\u00a0<\/p>\n
\n
\u00a0<\/p>\n
Want More Tech News? Subscribe to ComputingEdge<\/i> Newsletter Today!<\/strong><\/p>\n \u00a0<\/p>\n \u00a0<\/p>\n Given all this information, each business has to pore over the data to discover and ask: \u201cWhat applies to me?\u201d<\/p>\n When applying the information to one\u2019s own company, three main factors appear when considering the risk factors: industry, business size, and data held. It\u2019s obvious that healthcare companies hold PHI and banks hold financial information, but crime isn\u2019t always straightforward. There are plenty of criminals who will take the long con, such as stealing thousands of social security numbers to use later in the year, or even a couple of years down the road, to gain unemployment benefits wrongfully. And there are many companies, such as Marketing, who hold and transfer tons of data that would benefit threat actors. And the larger the company, the more things can be stolen.<\/p>\n On a side note, one industry that has increased as a target in recent years, but doesn\u2019t get reported much, is legal. A not-so-recent but prominent example is an attack on a large law firm in 2017. So those in the legal profession, while not getting much coverage, are examples of those who need to be on the lookout, even though many of those firms are smaller and don\u2019t get much press.<\/p>\n In addition to these three factors, let\u2019s condense the findings into two overarching common vectors of attack: Servers and People.<\/p>\n \u00a0<\/p>\n DDoS attacks against web servers are common. Even with advancements in security, such as including DDoS capabilities often being included or built-in to existing controls, 2021 saw an increase over 2020 losses from DDoS attacks. DDoS is an old method, but the server that the attack is leveled against needs to be ready for it.<\/p>\n Some other common attacks in this category are data leaks and stolen credentials (abusing something like Broken Access Control). Web apps and endpoints must be prepared for an onslaught of attacks such as fuzzing and SQLi.<\/p>\n APIs are a big deal. How big? The API management market (e.g., gateways, portals) is expected to reach $21.68 billion by 2028. APIs enable businesses to succeed, grow, and excel by accelerating business possibilities, decreasing business costs, and creating opportunities for quick change. A recent survey shows that \u201c26% of businesses use at least twice as many APIs now as a year ago.\u201d Protect those APIs, because they are like street-facing store doors \u2013 necessary for business, and a ready target.<\/p>\n Along with the opportunities afforded by web applications and APIs come the desire of criminals to commit crimes.<\/p>\n \u00a0<\/p>\n According to the Verizon DBIR, \u201c\u202682% of breaches in the DBIR involved the human element. (not just the social engineering, though).\u201d The category of \u201cPeople\u201d includes vulnerabilities such as misconfigurations and backdoors. Anyone who has used OSINT techniques, including Shodan, knows how easy it is to find these vulnerabilities. Misconfigurations and backdoors could also be included Servers\/Web apps\/APIs because people are the ones who work with the technology.<\/p>\n Also in this category is the usual phishing for credentials. At an ever-increasing rate, phishing to obtain credentials succeeds. In a recent phishing campaign, an attacker stole 1 million credentials in 4 months by tricking people into logging into a fake domain.<\/p>\n According to Sophos, 79% of their responses to customer security incidents related to ransomware. Ransomware is by no means limited to \u201csomeone clicked on something they shouldn\u2019t have,\u201d but mis-clicking is no small percentage of ransomware attacks (cue the battle music for the game of \u201cit\u2019s the user\u2019s fault\u201d vs. \u201cit\u2019s Security\u2019s fault\u201d).<\/p>\n \u00a0<\/p>\n There are two main goals in corporate cyber defense and protection: 1) Make it as hard as possible for criminals to do bad things, and 2) Don\u2019t be found negligent.<\/p>\n For criminals, the more resources spent compromising a target means a reduction in their ROI. Why continue attacking a company where one might spend a week to potentially obtain private information when one can choose another target where card data could be stolen in half the time? Criminals are business-minded, but without the typical scruples and concerns over things like laws. In many cases, they\u2019re looking for easy targets, so making a compromise tough increases the chances they\u2019ll move on.<\/p>\n In case of a breach, companies need to ensure they can present to legal and insurance authorities that they did all things reasonable to protect the information. Cyber insurance is becoming a larger aspect of business life, sometimes even necessary. And insurance companies are requiring more proof of due diligence in protecting assets.<\/p>\n A quote from the book \u201cCyberwarfare,\u201d by Dr. Chase Cunningham, applies here: A helpful tool for determining what attacks to monitor in your company is a tool by MITRE\u2019s Center for Threat Informed Defense that calculates top ten attack techniques based on your monitoring components.<\/p>\n Active defenses and vigilance are key components in protecting your customer data and company reputation. It takes work, but proper defense is achievable.<\/p>\n \u00a0<\/p>\n
\nServers (including Web Applications and APIs)<\/h3>\n
People<\/h3>\n
Strategies and Approaches to Defense<\/h2>\n
\n
\u201cOften the defenders are working with what they have been told is the \u201cbest of breed\u201d or the most advanced solution, only to find out that they still end up with a breach\u2026While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position.\u201d<\/i><\/p>\nAbout the Writer<\/h2>\n
\n![\"\"](\"https:\/\/ieeecs-media.computer.org\/wp-media\/2022\/08\/23195719\/Ross-Moore-Headshot-150x150.jpg\")
Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company\u2019s BCP\/DR TTX, and is a HIPAA Security Officer. Over the course of his 20 year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2\u2019s SSCP and CompTIA\u2019s Security + certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible\/Counseling from Johnson University. He is also a regular writer at Bora.<\/p>\n<\/p><\/div>\n