A recent survey conducted by Balabit to uncover the ten most popular hacking methods aims to help organisations clearly see which methods or vulnerabilities attackers are using the most when they want to get sensitive data in the shortest possible time.
The survey also shows that 40% of respondents were aware that first-line defense tools, such as firewalls, are not effective at preventing a cyber attack. Simply put, security is no longer a product but a process. “Technology itself is too weak”, said Amit Yoran, President of RSA at last month’s RSA conference.
#1: Social engineering (e.g. phishing attacks)
Topping the list was, unsurprisingly, social engineering – e.g. phishing attacks – which we at IT Governance have been blogging about extensively over the last few years. Although traditional access control tools and anti-malware solutions are important, they do little once criminals have tricked a user into giving them a foothold: from inside a system, attackers can easily escalate their rights and gain privileged access to the network.
#2: Compromised accounts (e.g. weak passwords)
Coming in a close second were compromised accounts, which are often the result of weak password security practices.
#3: Web-based attacks
Websites and web applications offer an easy-access route to company assets and provide a huge attack surface, making these types of attacks – which include methods like SQL injection – highly popular.
The other attack methods are listed in order:
- Client-side attacks (e.g. against doc readers, web browsers)
- Exploits against popular server updates (e.g. OpenSSL, Heartbleed)
- Unmanaged personal devices (e.g. lack of BYOD policy)
- Physical intrusion
- Shadow IT (e.g. users’ personal Cloud-based services being used for business purposes)
- Managing third-party service providers (e.g. outsourced infrastructure)
- Taking advantage of data being moved to the Cloud (e.g. IaaS, PaaS).
Why ISO 27001 provides an effective defense against these attacks
ISO 27001, the international standard for information security, provides a best-practice approach to cyber risk management through the implementation of a cost-effective and efficient management system. Encompassing people, processes and technology, the management system is based on the logic that conducting regular risk assessments and implementing controls to negate these risks provide a robust, ongoing defense.
The Standard provides a list of recommended controls that cover a broad range of cyber risks, such as frequent website and network penetration testing, security staff awareness training, and the development of appropriate policies and procedures. The Standard also emphasizes continual improvement, thereby ensuring that the management system continues to adapt to the changing cyber risk landscape.
Watch the video
Watch this short video by IT Governance CEO Alan Calder, which explains why ISO 27001 provides an effective cyber defense strategy.