Most cyberthreats are boring and repetitive, and they follow a reasonably predictable remediation process. A SQL injection is a SQL injection, no matter who is trying it. But what about the outliers: threats that affect you but that you can't remediate or write a policy to cover?
Here are five cyberthreats that should frighten you, if they don't already.
- VNC roulette. This was a website that scanned the internet for computers accepting remote desktop (VNC) sessions with neither a password nor encryption and posted screenshots of what it found. A fair number of those screenshots came from average users who simply never set a password. But some came from machines where that failure was far more serious: SCADA systems, CCTV consoles, and water treatment plant controls, all reachable by anyone who connected to the default VNC port.
- A public drone feed? Last week a security blogger discovered what appeared to be a publicly accessible Predator drone feed. As it turned out, the video was an unclassified demo page that a defense contractor had left on a misconfigured web server. While not the OPSEC blunder viewers first took it for, the amount of critical infrastructure exposed to the internet and managed by unaccountable third parties is food for thought.
- Mirai botnet. Used in some of the largest DDoS attacks ever, including one to silence Brian Krebs, Mirai scans the internet for Internet of Things devices still using factory default credentials and infects them. What's the scope of a Mirai attack? Ars Technica reported a Mirai DDoS against French web host OVH of around 1.7 terabits per second. That's not the scary part. The scary part is that the IoT market is booming while its vendors have one of the worst records of security engineering and poor judgment ever seen, and as of 2016 the most conservative estimate of IoT devices deployed was 6.4 billion.
- RATs. Most of us know remote access tools as something used to spy on the unwitting and sometimes take compromising pictures. But what happens when a RAT is embedded in a SaaS tool? Tech support scammers have themselves been burned by a third-party business service that came bundled with DarkComet. Given how hard it is to vet a SaaS offering, the potential impact on legitimate businesses is large.
- The Computer Fraud and Abuse Act. Nobody likes fraud and abuse, so what's the big deal with an act designed to keep them off computers? Well, the act was written in 1986, prompted by a White House screening of the movie WarGames (no, really), and criminalized anyone who, "having knowingly accessed a computer without authorization or exceeding authorized access", went on to do a list of things. That quoted language has proved problematic in recent years, as automated scraping of content, saving public data that the owner didn't intend to make public, and landing on unexpected pages because of a web site's misconfiguration have all been interpreted as violations of the law at one point or another. This is absolutely scary, because the act and its capricious enforcement have had a chilling effect on vulnerability disclosure and put researchers who might otherwise work with law enforcement at legal risk.
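The VNC roulette entry above turns on one question: does a server offer a session with no password at all? The following is an added example, not code from the original article or from the VNC roulette site, showing how to answer it from the RFB handshake itself (RFC 6143). After the version exchange the server lists the security types it supports; type 1 ("None") means no credentials are required, and type 2 ("VNC Authentication") is the classic DES challenge that uses at most eight characters of the password and provides no encryption. The parsing functions run offline on constructed byte strings; the `probe()` helper opens a real socket and should only be pointed at hosts you are authorized to test.

```python
"""Does a VNC server let anyone in without a password?

Added example, not code from the original article. It implements the client
side of the RFB (VNC) handshake from RFC 6143 far enough to read the list of
security types the server offers. The byte strings at the bottom are
constructed for the example, not captured from a real host.
"""
import socket
import struct

# Well-known RFB security type numbers (RFC 6143 section 7.1.2 and the IANA registry).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_server_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte ProtocolVersion message, e.g. b"RFB 003.008\\n"."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def _reason(data: bytes) -> str:
    """Decode the U32-length-prefixed reason string sent with a refusal."""
    (length,) = struct.unpack("!I", data[:4])
    return data[4:4 + length].decode("latin-1", "replace")


def parse_security_types(version: tuple[int, int], data: bytes) -> list[int]:
    """Parse the server's security message that follows the version exchange.

    RFB 3.3 servers pick a single type and send it as a big-endian U32.
    RFB 3.7 and later send a U8 count followed by that many U8 type numbers.
    A count (or type) of zero means the server refused the connection and is
    followed by a length-prefixed reason string.
    """
    if version < (3, 7):
        (sec_type,) = struct.unpack("!I", data[:4])
        if sec_type == 0:
            raise ConnectionError("server refused: " + _reason(data[4:]))
        return [sec_type]
    count = data[0]
    if count == 0:
        raise ConnectionError("server refused: " + _reason(data[1:]))
    return list(data[1:1 + count])


def assess(types: list[int]) -> str:
    """Reduce the offered types to a one-word verdict."""
    if 1 in types:
        return "open"      # anyone can connect, no password at all
    if types and all(t == 2 for t in types):
        return "weak"      # password required, but at most 8 chars and no encryption
    return "other"         # TLS, VeNCrypt or vendor schemes; needs a closer look


def describe(types: list[int]) -> str:
    names = ", ".join(SECURITY_TYPES.get(t, f"unknown({t})") for t in types)
    return f"{assess(types)} (offers: {names})"


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> str:
    """Connect, complete the version exchange, and classify the offered types."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)
        version = parse_server_version(banner)
        sock.sendall(banner)  # agree to the server's own protocol version
        types = parse_security_types(version, sock.recv(256))
    return describe(types)


if __name__ == "__main__":
    # Constructed exchange: an RFB 3.8 server offering both None and VNC Authentication.
    captured_banner = b"RFB 003.008\n"
    captured_security = b"\x02\x01\x02"
    version = parse_server_version(captured_banner)
    print(describe(parse_security_types(version, captured_security)))
    # prints: open (offers: None, VNC Authentication)
```

A server that answers "open" is the VNC roulette case; a "weak" answer still deserves attention, since VNC Authentication sends the session in the clear and silently truncates passwords to eight characters. Run `probe()` against your own external address ranges, not other people's.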
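The Mirai entry above describes a scanner that walks the internet trying factory default telnet logins. The following is an added example, not code from the original article or from Mirai, showing what that activity looks like in a login log and how to flag it. The credential pairs in `MIRAI_DICTIONARY` are a subset of the dictionary in the publicly leaked Mirai source; the log format and the log lines are constructed for this example (one line per telnet login attempt, as a telnet honeypot or a device's auth log might record it) and do not belong to any real product. A source that cycles through many distinct dictionary credentials in a short window is a scanner; a dictionary credential that is accepted means a device on that network is a recruit waiting to happen.

```python
"""Spotting Mirai-style telnet credential scanning in login logs.

Added example, not code from the original article or from Mirai itself.
Mirai's scanner hammers telnet (TCP 23 and 2323) with a short dictionary of
vendor factory defaults. The log format and sample lines below are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the default-credential dictionary in the leaked Mirai source.
MIRAI_DICTIONARY = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
}

TELNET_PORTS = {23, 2323}

# Constructed format: ISO timestamp, source IP, destination IP:port, credentials, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def analyze(lines, window=timedelta(minutes=5), min_distinct=5, min_dict_ratio=0.6):
    """Group telnet login attempts by source and flag Mirai-like scanners."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in TELNET_PORTS:
            by_src[ev["src"]].append(ev)

    report = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        creds = {(e["user"], e["pw"]) for e in events}
        hits = creds & MIRAI_DICTIONARY
        span = events[-1]["ts"] - events[0]["ts"]
        flagged = bool(
            len(creds) >= min_distinct
            and span <= window
            and len(hits) / len(creds) >= min_dict_ratio
        )
        report[src] = {
            "attempts": len(events),
            "distinct_credentials": len(creds),
            "dictionary_hits": len(hits),
            "flagged": flagged,
            # Accepted logins: with a dictionary pair this is a compromised device.
            "successes": [(e["dst"], e["user"], e["pw"]) for e in events if e["result"] == "ok"],
        }
    return report


# Constructed sample: one scanner, one legitimate admin, one SSH attempt to ignore.
SAMPLE_LOG = """\
2016-09-20T01:00:00Z src=198.51.100.7 dst=192.0.2.10:23 user=root pass=xc3511 result=failed
2016-09-20T01:00:01Z src=198.51.100.7 dst=192.0.2.10:23 user=root pass=vizxv result=failed
2016-09-20T01:00:02Z src=198.51.100.7 dst=192.0.2.10:23 user=admin pass=admin result=failed
2016-09-20T01:00:03Z src=198.51.100.7 dst=192.0.2.10:23 user=root pass=888888 result=failed
2016-09-20T01:00:04Z src=198.51.100.7 dst=192.0.2.10:23 user=root pass= result=failed
2016-09-20T01:00:05Z src=198.51.100.7 dst=192.0.2.11:2323 user=root pass=xc3511 result=ok
2016-09-20T01:03:10Z src=203.0.113.5 dst=192.0.2.20:23 user=admin pass=Wr0ng-one result=failed
2016-09-20T01:03:25Z src=203.0.113.5 dst=192.0.2.20:23 user=admin pass=c0rrect-h0rse result=ok
2016-09-20T01:04:00Z src=203.0.113.9 dst=192.0.2.30:22 user=root pass=xc3511 result=failed
"""

if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG.splitlines()).items():
        tag = "SCANNER" if info["flagged"] else "ok"
        print(f"{src:15} {tag:8} attempts={info['attempts']} "
              f"dict_hits={info['dictionary_hits']}/{info['distinct_credentials']} "
              f"successes={info['successes']}")
```

The scanner is flagged on three signals together: many distinct credentials, a short time span, and a high share of pairs from the known dictionary, which keeps a single mistyped admin password from tripping it. The window check uses the span of a source's attempts rather than a sliding window, so treat the thresholds as starting points. The `successes` list is the entry that matters most: the device at 192.0.2.11 accepted `root/xc3511`, and the fix is a credential change on the device, not a block on the scanner.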
These are all scary cyberthreats not because of their technical sophistication, but because they are failures of the organizations and institutions that manage technology. Your security team can patch a zero-day vulnerability, but not the executive who insists his password be set to '1234' for 'convenience.' When you have strong organizations, the cyberthreats you face suddenly get much less scary.