As a consultant, one of the biggest security problems I see is perception: The threats companies think they face are often vastly different than the threats that pose the greatest risk. Don’t be distracted by the exploit of the week. Invest your time and money defending against the threats you’re apt to confront:
1. Socially engineered malware
Socially engineered malware, lately often led by data-encrypting ransomware, is the No. 1 method of attack (not a buffer overflow, misconfiguration or advanced exploit). An end user is somehow tricked into running a Trojan horse program, often from a website they trust and visit often. The otherwise innocent website is temporarily compromised to deliver malware in place of its normal page content.
2. Password phishing attacks
Coming a close second are password phishing attacks. Approximately 60 to 70 percent of email is spam, and much of that is phishing attacks looking to trick users out of their logon credentials.
3. Unpatched software
Coming in close behind socially engineered malware and phishing is software with (available but) unpatched vulnerabilities. The most common unpatched and exploited programs are browser add-in programs like Adobe Reader and other programs people often use to make surfing the web easier.
4. Social media threats
Our online world is a social world led by Facebook, Twitter, LinkedIn or their country-popular counterparts. Social media threats usually arrive as a rogue friend or application install request.
5. Advanced persistent threats
Almost every major corporation has suffered a major compromise due to an advanced persistent threat (APT) stealing intellectual property. APTs usually gain a foothold using socially engineered Trojans or phishing attacks.
Overall, figure out what your enterprise’s most likely threats will be and prepare for those the most. The OWASP Top 10 project is a useful starting point for putting in place the processes and policies that protect against some of the most common threats.