Cybersecurity has been one of the top concerns for organizations in recent years, and that's not going to change any time soon; if anything, cybersecurity will become the top concern.
So what can an organization do about the rise in cybersecurity incidents?
In this article we’ll take a closer look at security incidents: what they are, the most common types, and how to prevent and mitigate them. Armed with this information, your organization will be able to protect itself against future security incidents and to get started on the path toward worry-free cyber risk management.
What Is a Security Incident?
A security incident is any event related to compromised data resulting from missing or failed security measures. Specifically in cybersecurity, an information security incident involves the unauthorized access, use, disclosure, breach, modification, or destruction of data.
Typically an event is categorized as a “security incident” when it is widespread enough to disrupt your normal business operations. That's not the same as a “security event,” which is a single occurrence that usually doesn't disrupt your organization. A security incident is a more serious problem, and it doesn't necessarily need to be a successful attack to necessitate a response from your organization.
A cybersecurity incident could be anything from a potential threat to a successful attack; just because your information wasn't compromised doesn't mean you should ignore the incident altogether. Any security incident that occurs, successful or not, should result in a review of the tools, policies, and procedures you have in place to prevent similar events from happening again.
In many cases, the result of a cybersecurity incident is a breach of personal data. Such incidents can inflict huge financial and reputational harm on the victim. In 2021 the average cost of a data breach was $4.24 million, a figure which is likely to grow considerably in the coming years. Businesses also face additional costs for regulatory fines, fees, and even legal action in extreme cases.
Most Common Types of Threats to Information Security
Below are the most common types of information security threats your security team should know about:
- Insider threats
- Computer worms and Trojans
- Phishing attacks
- Ransomware attacks
- Exploit kits
- Advanced persistent threats (APTs)
- Distributed denial-of-service attacks
As you can see, information security or infosec threats range from advanced persistent threats to different types of malware, each with the capacity to bring down your organization unless it has an effective cybersecurity strategy.
What Are the Most Common Types of Security Incidents?
Using technology to their advantage, cybercriminals will do everything and anything possible for financial gain. Here are some of the most common types of security incidents executed by malicious actors against businesses and organizations:
Unauthorized Access Attacks
This type of incident involves any unauthorized attempt by a threat actor to access systems or data using an authorized user's account. How a cybercriminal gains access to user accounts often remains a mystery, even long after an attack. Still, your organization can do a few things to prevent this type of security incident from occurring.
If you don’t already do so, require multi-factor authentication (MFA) for all users. This will require users to provide additional identifying information (say, a one-time verification code sent to their phone) after they enter a correct username and password. Many times, multi-factor authentication alone can deter a potential security incident from occurring, since criminals will simply move on to another target that doesn’t use MFA.
Also consider encrypting your sensitive corporate data at rest and in transit using suitable software or hardware technology. This way, attackers won’t be able to access confidential data such as your account or credit card details even if an attack succeeds.
Privilege Escalation Attacks
This type of incident occurs when an attacker attempts to gain unauthorized access to an organization’s network, and then tries to obtain more privileges using a privilege escalation exploit. A successful privilege escalation exploit grants threat actors privileges that normal users don’t have. Usually, this type of attack takes place only after a hacker has already compromised an organization’s endpoint network security by gaining unauthorized access to a lower-level user account. With privileged access to your most sensitive information, there’s no telling what a cybercriminal might do.
To prevent this type of security incident, start by looking for and remediating any security vulnerabilities in your IT environment. Ideally your organization should do this by conducting regular vulnerability assessments and scans as part of your overall risk management program.
Another tactic is to use the “principle of least privilege” to limit the access rights for users to the bare minimum permissions they need to do their jobs. Also consider security monitoring tools to help you collect and analyze potential security threats, so you can respond appropriately.
Insider Threat Attacks
Insider threats are malicious (intentional) or accidental (unintentional) threats caused by employees, former employees, or third parties, including contractors, temporary workers, or customers.
While preventing insider threats can be difficult, you can take some steps to reduce the chance of an incident. First and foremost, you should implement spyware scanning programs, antivirus programs, firewalls, and a rigorous data backup and archiving routine.
You should also train your employees (and any contractors) on security awareness before allowing them access to your computer networks. A robust security awareness training program should also include routine training sessions to avoid any unintentional security incidents resulting from user error.
You can also implement employee monitoring software to reduce your risk of a data breach or intellectual property theft by identifying careless, disgruntled, or malicious insiders. Additionally, an internal whistleblower program (that protects employees who come forward) can help your organization to gain intel about potential security incidents.
A data loss prevention policy will also let insiders know what’s expected of them when handling company data and that they’re being monitored for unwanted behaviors. Sometimes this alone is enough to prevent internal actors from acting carelessly or maliciously.
Phishing Attacks
In this type of social engineering attack, the attacker assumes the identity of a reputable entity or person via email to distribute malicious code or links that can perform various functions, such as obtaining login credentials or account information from victims. More targeted phishing attacks are known as spear phishing attacks, where the attacker invests more time researching the victim to pull off an even more sophisticated attack to steal information.
On a technical level, a gateway email filter will help you trap a large number of mass-targeted phishing emails and reduce the overall number of emails that reach your users’ inboxes. You probably still won’t be able to prevent every single phishing attempt from entering every single inbox, so you’ll need to take other steps as well.
Start by educating your users so that they’re better able to identify phishing attempts on their own. In some organizations, incentive programs encourage employees to identify and report phishing emails in exchange for a reward. These types of programs have prevented phishing attacks from leading to more serious types of security incidents, like malware attacks.
Malware Attacks
Malware is a broad term for various malicious software, including Trojans, worms, ransomware, adware, spyware, and other types of viruses. Malware can either be inadvertently installed when a user clicks on an advertisement, visits an infected website, or installs freeware or other infected software; or it can be installed intentionally by insider threat actors or malicious actors with unauthorized access.
The signs of a malware attack include unusual system activity, sudden loss of disk space, unusually slow speeds, repeated crashes or freezes, increased unwanted internet activity, and pop-up advertisements.
To protect your organization against this type of security incident, you should install an antivirus tool to detect and remove any malware. Whether you decide on real-time protection or routine system scans to detect and remove malware, whichever security solution you choose should protect your organization against any existing malware and any future malware attacks.
Distributed Denial-of-Service or DDoS Attacks
This type of security incident occurs when a threat actor floods the target system with traffic or sends information that triggers an attack to shut down an individual machine (or an entire network) so that it cannot respond to service requests. Typically, these attacks can be dealt with by simply rebooting the system.
You can also reconfigure your firewalls, routers, and servers to block any future unwanted traffic. Keep your firewalls updated with the latest security patches as part of your overall patch management program to keep your systems, software, and applications at their most secure. If you choose, you can also integrate front-end hardware into your network to help analyze and screen data packets to classify them as they enter the system.
Man-in-the-Middle (MitM) Attacks
This type of incident occurs when an attacker secretly intercepts and alters messages between two parties who believe they are communicating directly with each other. In a man-in-the-middle attack, the attacker manipulates both victims to gain access to their data. This can occur via session hijacking, email hijacking, and Wi-Fi eavesdropping.
Although this type of attack is difficult to detect, there are some ways to prevent it. You should first consider implementing an encryption protocol that provides authentication, privacy, and data integrity between communicating computer applications, such as Transport Layer Security (TLS). Alternatively, use a network protocol that gives users, particularly systems administrators, a secure way to access a computer over an unsecured network, such as the Secure Shell Protocol (SSH).
You should also educate your employees on the dangers of using open public Wi-Fi networks, because it’s much easier for hackers to commit cybercrime by exploiting these connections. For the most network protection, use a virtual private network (VPN) to help ensure more secure connections.
Password Attacks
A password attack is expressly aimed at obtaining a user's password or an account's password. To do so, hackers use various methods, such as password-cracking programs, dictionary attacks, password sniffers, or simply guessing passwords via brute force trial and error.
A password cracker is an application or program used to determine an unknown or forgotten password to a user account. When in the hands of a hacker, a password cracker can be used to gain unauthorized access to company resources.
A dictionary attack is breaking into a password-protected computer system or server by systematically entering every word in the dictionary as a password until the attacker guesses correctly. While this method might not be the most efficient, if a hacker does guess a correct password, he or she may then try to log in to multiple accounts using the same hacked password.
A brute force attack is when a hacker or bot attempts to log in using a series of generated passwords over and over again until the attacker succeeds. This type of trial-and-error attack can also cause websites to crash, which is another reason why multi-factor authentication is so important.
These types of security incidents can be difficult to prevent completely, but you can take some steps to defend yourself against them in the future. As mentioned above, multi-factor authentication is the best way to prevent unauthorized logins. Even if a cybercriminal guesses the correct password, that alone won’t be enough information to let them into your system.
You should also insist that your employees use strong passwords that include at least seven characters as well as a mix of upper and lower case letters, numbers, and symbols. Users should also change their passwords regularly and avoid reusing passwords across multiple accounts. Any passwords your organization stores should be kept in secured repositories and should also be encrypted.
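As an added example (not code from the article or from RiskOptics), the following enforces the password rules listed above (minimum length of seven, mixed case, digits and symbols) and adds a check against a constructed list of common passwords standing in for a real breached-password list. For the stored form it uses a salted PBKDF2-SHA256 verifier with a constant-time check, which is this example's choice of the standard way to keep a password secret at rest: the verifier cannot be turned back into the password, so a stolen repository does not directly hand out credentials. The `MIN_LENGTH`, iteration count and word list are assumptions of the example.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 7  # the minimum the article recommends

# Constructed stand-in for a real list of breached or common passwords.
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123"}


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def make_verifier(password: str, iterations: int = 600_000) -> dict:
    """Derive a salted PBKDF2-SHA256 verifier. A fresh random salt per password means
    two users with the same password get different stored values."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_password(password: str, verifier: dict) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(verifier["salt"]), verifier["iterations"])
    return hmac.compare_digest(dk.hex(), verifier["hash"])


if __name__ == "__main__":
    for candidate in ["password", "Ab1!", "Tr0ub4dor&3"]:
        print(repr(candidate), "->", check_policy(candidate) or "ok")
    v = make_verifier("Tr0ub4dor&3")
    print("stored verifier:", v["alg"], v["iterations"], "iterations")
    print("correct password accepted:", verify_password("Tr0ub4dor&3", v))
    print("wrong password rejected:", not verify_password("tr0ub4dor&3", v))
```

The iteration count is deliberately high so that each guess in an offline dictionary or brute-force attack costs the attacker real CPU time; it is a parameter so it can be raised as hardware gets faster, with existing verifiers re-derived at the user's next successful login.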
Web Application Attacks
This type of incident occurs when a web application is used as the vector for an attack. Web application attacks include exploits of code-level vulnerabilities in the application and attacks that thwart authentication mechanisms.
For example, a cross-site scripting attack is a type of web application attack that occurs when an attacker injects data (such as a malicious script) into content from otherwise trusted websites.
To avoid this attack, your organization should review code early in the development phase to detect any vulnerabilities automatically, by using static and dynamic code scanners. You should also implement bot detection functionality to prevent bots from accessing your application data. Finally, a web application firewall will help you monitor your network and block potential attacks.
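To show what the cross-site scripting case above looks like in code, here is an added example (not code from the article or from RiskOptics): a vulnerable comment renderer that concatenates untrusted input straight into HTML, beside the hardened version that applies HTML output encoding. The `render_comment_*` functions and the sample comment are constructed for the example; the hardened form relies on Python's standard `html.escape`.

```python
import html


def render_comment_vulnerable(author: str, body: str) -> str:
    # Vulnerable: untrusted strings are placed directly into HTML, so any
    # markup in them becomes part of the page and runs in every reader's browser.
    return f"<div class='comment'><b>{author}</b>: {body}</div>"


def render_comment_safe(author: str, body: str) -> str:
    # Hardened: encode for the HTML text context, so '<', '>', '&' and quotes
    # are shown literally instead of being interpreted as markup.
    return (f"<div class='comment'><b>{html.escape(author)}</b>: "
            f"{html.escape(body)}</div>")


def contains_active_markup(rendered: str) -> bool:
    """Crude check used here only to illustrate the difference between the two renderers."""
    low = rendered.lower()
    return "<script" in low or "onerror=" in low or "javascript:" in low


# Constructed sample: a comment whose body carries a script tag.
SAMPLE_AUTHOR = "guest"
SAMPLE_BODY = "<script>alert('xss')</script>"

if __name__ == "__main__":
    print("vulnerable:", render_comment_vulnerable(SAMPLE_AUTHOR, SAMPLE_BODY))
    print("safe:      ", render_comment_safe(SAMPLE_AUTHOR, SAMPLE_BODY))
```

Output encoding is context-specific: `html.escape` is correct for HTML text and quoted attribute values, but data placed inside a JavaScript block, a URL, or CSS needs the encoder for that context, and the static and dynamic scanners mentioned above are what catch the places where the wrong one (or none) was used.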
Another type of web application attack is an advanced persistent threat (APT), a prolonged and targeted cyberattack typically executed by cybercriminals or nation-states to gain access to a network and remain undetected for a period of time. Ultimately, this type of security incident aims to monitor the target’s network activity and steal data rather than cause damage to the network or organization.
To avoid this type of attack, your organization should monitor incoming and outgoing traffic to prevent hackers from installing backdoors and extracting sensitive data. Again, web application firewalls at the edge of your network perimeter will help to filter any traffic coming into your web application servers. A firewall can also help filter out application layer attacks, such as SQL injection attacks which are often used during the APT infiltration phase.
How to Prevent and Mitigate Security Incidents
For each of the common security incidents described above, we included several steps you can take to prevent, or at least reduce the chances of, an incident occurring. To make things easier, we’ve compiled those suggestions into a singular and actionable list so that you can start preventing and mitigating security incidents for your organization.
Security Incident Detection
The first step to preventing security incidents is to put the right tools and processes in place to detect them early. Security incident detection matters not only for responding to incidents before they do damage, but also so that you can track and trace the origins of the security incident and put the appropriate security controls in place to prevent it from happening again. Make sure all operating systems are up to date.
Monitor User Account Behavior
Implement behavior analytics tools to monitor user account behavior. Before looking for any anomalous behavior, you need to set the baseline for what “normal” behavior looks like. Once you’ve established that pattern, you can start looking for departures from it, especially for privileged users. Any unusual behavior could be an indication that a security incident is taking place.
You should also monitor for unauthorized users attempting to access servers and data, or requesting access to data that isn't critical to their job function. This type of behavior indicates one of two scenarios: an insider attempting to gain unauthorized access to confidential information for malicious purposes, or a malicious actor who has already gained access to a user account and is using that account to attempt to gain access to more privileged data.
As a general rule, you should always use the principle of least privilege regarding your data. This means only granting access to data to those employees who need access to perform their duties. To implement this principle, however, you’ll need to start by categorizing your data by sensitivity, so that you know which data your employees should have the least access to. You’ll also need clearly defined roles for the users in your organization, so you’ll know which data different types of users need.
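The two preceding paragraphs describe a least-privilege model built on data sensitivity categories and user roles, and the monitoring of requests that fall outside a user's role. The following is an added example (not code from the article or from RiskOptics) that puts both together: a deny-by-default access check driven by a sensitivity classification and role definitions, plus a review pass over an access log that flags users with repeated out-of-role requests. The categories, roles, users and log events are all constructed for the example.

```python
from collections import Counter

# Sensitivity levels, lowest to highest. Constructed classification scheme.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Hypothetical data inventory: dataset name -> sensitivity label.
DATASETS = {
    "marketing-site": "public",
    "wiki": "internal",
    "customer-pii": "confidential",
    "payroll": "restricted",
}

# Hypothetical roles: the highest sensitivity the role may touch, and the
# specific datasets it needs for its duties (least privilege: both must hold).
ROLES = {
    "marketing": {"max": "internal", "datasets": {"marketing-site", "wiki"}},
    "support": {"max": "confidential", "datasets": {"wiki", "customer-pii"}},
    "finance": {"max": "restricted", "datasets": {"wiki", "payroll"}},
}

USERS = {"alice": "marketing", "bob": "support", "carol": "finance"}


def is_allowed(user: str, dataset: str) -> bool:
    """Deny by default: unknown users, unknown datasets, data above the role's
    sensitivity ceiling, and data outside the role's need-to-know set are all refused."""
    role = USERS.get(user)
    if role is None or dataset not in DATASETS:
        return False
    spec = ROLES[role]
    level = SENSITIVITY[DATASETS[dataset]]
    return level <= SENSITIVITY[spec["max"]] and dataset in spec["datasets"]


def review_access_log(events, repeat_threshold: int = 2):
    """events: iterable of (user, dataset) access requests.
    Returns (denied_requests, users_to_review). A user is listed for review
    once they have made `repeat_threshold` or more out-of-role requests."""
    denied = [(u, d) for u, d in events if not is_allowed(u, d)]
    per_user = Counter(u for u, _ in denied)
    flagged = sorted(u for u, n in per_user.items() if n >= repeat_threshold)
    return denied, flagged


# Constructed access log: (user, dataset) pairs as they might come from an audit trail.
SAMPLE_EVENTS = [
    ("alice", "marketing-site"),
    ("alice", "payroll"),
    ("alice", "customer-pii"),
    ("bob", "customer-pii"),
    ("bob", "payroll"),
    ("mallory", "wiki"),  # account not in the directory at all
]

if __name__ == "__main__":
    denied, flagged = review_access_log(SAMPLE_EVENTS)
    for user, dataset in denied:
        print(f"DENIED  {user:8s} -> {dataset}")
    print("users to review:", flagged)
```

Keeping the sensitivity labels and role definitions as data rather than scattered `if` statements is what makes the model auditable: a reviewer can read the two tables and see exactly which data each role can reach, and the denied-request log feeds the behavior baseline described above.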
Monitor Network Traffic
Your organization's network is the gateway into your systems and data. Keeping it secure is the best way to prevent attackers from gaining unauthorized access to your organization's sensitive information. It's important to monitor the traffic coming into your network and the traffic leaving your network perimeter.
This traffic might include insiders uploading large files to personal cloud applications, sending large numbers of email messages containing attachments to addresses outside the company, or downloading large files to external storage devices such as USB drives. You should also monitor for any traffic sent to or from unknown locations, especially if your company only operates in one country.
In general, your administrators should investigate any unknown or suspicious network traffic to ensure its legitimacy. Even if nothing malicious is occurring, it’s better to be safe than sorry.
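As an added example (not code from the article or from RiskOptics) of the egress monitoring just described, the script below runs over a few constructed proxy log lines and raises three kinds of finding: uploads to personal cloud services, traffic to or from a country the company does not operate in, and per-user outbound volume above a daily threshold. The log format, the home-country set, the personal-cloud domain list and the threshold are all assumptions of the example; a real deployment would read them from the proxy or flow collector and from policy.

```python
import csv
from collections import defaultdict
from io import StringIO

# Policy inputs (constructed for the example).
HOME_COUNTRIES = {"US"}
PERSONAL_CLOUD = {"drive.example-personal.com", "share.example-personal.com"}
UPLOAD_THRESHOLD = 500 * 1024 * 1024  # bytes per user per day

# Constructed proxy log: one outbound connection per row.
SAMPLE_LOG = """\
ts,user,dest_host,dest_country,bytes_out
2024-05-01T09:02:11Z,alice,crm.example.com,US,120000
2024-05-01T09:10:45Z,alice,drive.example-personal.com,US,734003200
2024-05-01T11:30:00Z,bob,mail.example.com,US,2048
2024-05-01T13:14:02Z,bob,203.0.113.7,XX,1024
2024-05-01T22:41:19Z,carol,backup.example.com,US,380000000
"""


def analyze_egress(log_text: str) -> list:
    """Return a list of findings. Each finding is a tuple whose first element
    names the rule that fired, followed by the user and the supporting values."""
    findings = []
    uploads = defaultdict(int)
    for row in csv.DictReader(StringIO(log_text)):
        sent = int(row["bytes_out"])
        uploads[row["user"]] += sent
        if row["dest_host"] in PERSONAL_CLOUD:
            findings.append(("personal_cloud_upload", row["user"], row["dest_host"], sent))
        if row["dest_country"] not in HOME_COUNTRIES:
            findings.append(("unknown_location", row["user"], row["dest_host"], row["dest_country"]))
    # Volume rule is evaluated after the whole day has been aggregated.
    for user, total in uploads.items():
        if total > UPLOAD_THRESHOLD:
            findings.append(("volume_threshold", user, total))
    return findings


if __name__ == "__main__":
    for finding in analyze_egress(SAMPLE_LOG):
        print(*finding)
```

The volume rule only counts bytes leaving the network, so a legitimate large backup to a company-managed host (carol's row) stays under the threshold while alice's single upload to a personal drive crosses it; the unknown-location rule fires on the bare IP with no recognised country, which is exactly the kind of traffic the paragraph above says administrators should investigate.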
Monitor Suspicious Activity
Beyond monitoring user account behavior and network traffic, you should also monitor other types of activity. For example:
- Excessive consumption of, or an unexplained increase in activity on, server memory or hard drives could mean an attacker is accessing them.
- Changes in configuration that haven't been approved, such as reconfiguration of services, installation of startup programs, or firewall changes, are often a sign of possible malicious activity.
- Hidden files that might be considered suspicious due to file names, sizes, or locations and could indicate a data leak.
- Unexpected changes such as user account lockouts, password changes or sudden changes in group memberships.
- Abnormal browsing behavior like unexpected redirects, changes in browser configuration, or repeated pop-ups.
- Suspicious registry entries, which are usually a result of a malware infection.
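Two items in the list above, unapproved configuration changes and suspicious hidden files, can both be caught by comparing the current state of a directory against an approved baseline. The following is an added example (not code from the article or from RiskOptics) of that check: it hashes every file under a directory, diffs the result against an earlier snapshot, and reports added, removed and modified files. The file names and contents in `demo()` are constructed to stand in for a firewall rule set and a startup directory.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare an approved baseline with the current snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict:
    """Build a constructed config tree, take the approved baseline, then simulate
    an unapproved firewall edit and a hidden file dropped into the startup directory."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "firewall.rules", "allow 443/tcp from any\ndeny all\n")
        _write(root, "startup/autorun.cfg", "backup-agent\n")
        baseline = snapshot(root)

        # Unapproved changes made after the baseline was approved.
        _write(root, "firewall.rules", "allow 443/tcp from any\nallow 3389/tcp from any\ndeny all\n")
        _write(root, "startup/.hidden-loader", "run-me\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself has to be protected (stored off the monitored host or signed), and the comparison scheduled or triggered on change events; otherwise an intruder who can alter the configuration can also alter the record it is compared against.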
Security Incident Management
As you continuously monitor for threats, your organization will inevitably need to evaluate the risk an attack could pose as well as the vulnerabilities an attacker might exploit to do so. If you haven’t already done so, now is the time to implement a risk management program designed to help your organization identify, analyze, prioritize, and mitigate cyber risks.
Cyber Risk Management
The cyber risk management process never ends. Once you begin, you’ll need to keep the program alive and well if you want it to benefit your organization.
Start by creating a list of your company assets and keeping it current; it’s impossible to know how to protect your assets if you aren’t exactly sure what those assets are. Then conduct a risk assessment to determine the level of risk each of those assets presents to your organization. Next, prioritize those risks and create a mitigation plan for each one you identify. Finally, after mitigating your existing cyber risks, it’s time to start the process again.
In general, your organization should regularly conduct vulnerability assessments to identify vulnerabilities in your systems, software, and applications throughout the risk management process. In addition, you should also regularly conduct risk assessments to determine whether your internal security controls are working effectively to prevent threats from doing damage.
See our five-step risk management article for more details.
Incident Response, Disaster Recovery, and Business Continuity Plans
Ultimately, security incidents are inevitable; you cannot mitigate every single cyber risk. You can, however, decide how your organization will respond to those risks if they can’t be prevented. As part of your risk management program, your organization should create a thorough incident response plan to assure that the correct course of action is taken in the event of a security incident.
This includes making sure that the right people know what to do when a security incident occurs, and that you have the right plans to cover your assets in a number of disruptive events, including cybersecurity incidents, natural disasters, and more. A disaster recovery plan will help your organization ensure business continuity in the face of one of these disruptions.
Tools to Help
Protecting your organization from security incidents can be an overwhelming task, especially if you're attempting to do so on your own. Moreover, with an endless number of security software solutions, tools, and applications to choose from, picking the right ones can be overwhelming too. You want a tool that does it all: threat monitoring, risk management, governance, and compliance.
Fortunately, there are solutions designed to help.
Prevent Security Incidents with RiskOptics
The RiskOptics ROAR Platform is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of the different types of cybersecurity threats and communicate the effect of risk on high-priority business initiatives.
Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats, and controls for you, so you can spend less time setting up the application and more time using it.
A single, real-time view of risk and business context allows you to communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving.
ROAR will notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.
Now, through a more active approach, you can give time back to your team with ROAR. Talk to an expert today to learn more about how the RiskOptics ROAR Platform can help your organization mitigate cybersecurity risk and stay ahead of threats.