What is an attack vector?
An attack vector is a path or means by which an attacker or hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.
Common cyber attack vectors include viruses and malware, email attachments, webpages, pop-up windows, instant messages (IMs), chatrooms and deception. Except for deception, all of these methods involve programming or, in a few cases, hardware. Deception is when a human operator is fooled into removing or weakening system defenses.
To some extent, firewalls and antivirus software can block attack vectors. But no protection method is totally attack-proof. A defense method can quickly become obsolete, as hackers are constantly updating attack vectors and seeking new ones in their quest to gain unauthorized access to computers and servers.
The most common malicious payloads are viruses (which can also function as their own attack vectors), Trojan horses, worms and spyware. Third-party vendors and service providers can also be considered attack vectors, as they are a risk to an organization if they have access to its sensitive data.
How do cyber attackers exploit attack vectors?
Hackers have in-depth knowledge of the common security attack vectors that are available to them. When deciding how to exploit one of these vectors, they first seek out vulnerabilities, or security holes, that they believe they can penetrate.
A security hole can be found in a piece of software or in a computer operating system (OS). Sometimes, a security vulnerability can open up because of a programming error in an application or a faulty security configuration. Hacks can even be low-tech, such as obtaining an employee's security credentials or breaking into a building.
Hackers are constantly scanning companies and individuals to identify all potential entry points into systems, applications and networks. In some cases, they may even target physical facilities or find vulnerable users and internal employees who will knowingly or inadvertently share their information technology (IT) access credentials.
What is the difference between attack vector and attack surface?
These two terms are often used interchangeably, but they are not the same thing. The attack vector is the means by which an intruder gains access; the attack surface is what is being attacked, that is, the set of points an intruder could try to reach.
One of the most publicized hacks was the SolarWinds supply chain attack. An investigation was undertaken to determine the attack vectors, but the breach may have been the result of compromised credentials or possible access through the development environment for SolarWinds' Orion IT management software.
10 of the most common attack vectors
Intruders are continuously seeking out new attack vectors. The most common attack vectors include the following:
- Software vulnerabilities. If a network, OS, computer system or application has an unpatched security vulnerability, an attacker can use a threat vector, such as malware, to gain unauthorized access.
- Compromised user credentials. Users can knowingly or inadvertently share their user IDs and passwords. This can be done verbally, but cyber attackers can also gain access to credentials through a brute-force attack that tries different combinations of user IDs and passwords until an authorized set of credentials is uncovered. The hacker then uses these credentials to hack a network, system or application.
- Weak passwords and credentials. In brute-force attacks, cyber attackers focus their efforts on hacking user IDs and passwords that are weak or can be easily guessed. But hackers also steal credentials by using programs that monitor public Wi-Fi networks for when users input their access credentials. For example, a hacker could install keylogging software on a user's workstation through an infected website or email. The keylogging program logs user keyboard activity, including the entry of the user's ID and password. Hackers can also gain access by enticing users to open unsolicited email attachments that contain malicious links to bogus websites that convince them to surrender personally identifiable information (PII).
- Malicious employees. Malicious or disgruntled employees can hack into networks and systems using their security clearances to extract sensitive information, such as customer lists and intellectual property (IP) that they either demand ransom for or sell to others for nefarious purposes.
- Poor or missing encryption. In some cases, employees -- or IT -- may forget to encrypt sensitive information stored on laptops and smartphones out in the field. In other cases, encryption techniques have known design flaws or only use limited keys to encrypt and protect data.
- Ransomware. Ransomware is a type of malware that locks the data on the victim's computer, and the attacker either threatens to publish the victim's data or blocks access to it unless a ransom is paid. Ransomware typically locks a user's files and demands a cash sum to unlock them. Most ransomware is inadvertently downloaded onto a computer or network by a user. It can come in the form of a file that a user opens that contains a worm, which is malware that spreads itself throughout a network, or a Trojan, which embeds malicious code in a downloaded file that locks up the user's computer or data and then demands payment.
- Phishing. Phishing is the deceptive practice of sending emails in which the attacker purports to be from a reputable company in order to lure individuals into revealing personal information, such as passwords or credit card numbers. Spear phishing is a highly targeted attack that targets a single recipient, seeking unauthorized access to sensitive company information.
- Misconfigured devices. Companies can misconfigure their software and hardware security, which leaves them vulnerable to hackers. Vendor security presets on equipment are lax, and if IT doesn't reconfigure this equipment before installing it on networks, security hacks can occur. In still other cases, companies purchase equipment and forget to fully configure security.
- Trust relationships. In many cases, companies entrust their security to outside system and network vendors, cloud providers and business partners. When the systems of these third parties are breached, the information the hackers obtain may also contain sensitive information from the companies these providers service. Examples include when a major credit card carrier's network is breached or when a healthcare system is breached and sensitive data from patients is stolen.
- Distributed denial-of-service (DDoS) attacks. DDoS attacks flood victims with bogus emails, rendering their system or network unusable and services unavailable to their intended recipients. These attacks often target the web servers of finance, commerce and government organizations and are often used to distract an organization from other network attacks.
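The "compromised user credentials" and "weak passwords and credentials" items above describe passwords that are guessable, reused across systems or already exposed in a breach. The check below is an added example written for this page, not code from the article or from any vendor: it enforces a length rule, character-class rule and user-name rule, rejects passwords found in a constructed breached-password list (compared by SHA-1 digest, the convention public breached-password corpora use), and rejects a password the same account already uses on another system (compared by a keyed digest stored at password-change time). The minimum length of 12, the three-of-four character-class rule and the breached list are assumptions made for the example.

```python
import hashlib
import hmac
import re

MIN_LENGTH = 12  # assumed policy value for this example, not from the article

# Character classes a password should draw from; at least three of four are required here.
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed "known breached" passwords, stored as SHA-1 hex digests so the
# clear text never needs to be kept. A real deployment would load a large corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123!", "Welcome2024!", "letmein")
}

# Key for the reuse check. In production this is a secret held by the
# password service; here it is a constructed placeholder.
REUSE_KEY = b"constructed-demo-key"


def reuse_token(password):
    """Keyed digest stored per (account, system) when a password is set, so later
    changes on another system can be compared without storing the password."""
    return hmac.new(REUSE_KEY, password.encode(), hashlib.sha256).hexdigest()


def check_password(password, username, other_system_tokens=frozenset()):
    """Return the list of policy violations for a proposed password (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if len(missing) > 1:  # more than one class missing violates the three-of-four rule
        problems.append("missing character classes: " + ", ".join(missing))
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    if reuse_token(password) in other_system_tokens:
        problems.append("already used by this account on another system")
    return problems


if __name__ == "__main__":
    # Tokens this account already has on other systems (constructed).
    known = {reuse_token("Correct-Horse-Battery-7")}
    for candidate in ("alice2024", "Password123!", "Correct-Horse-Battery-7", "Purple-Tractor-Lamp-42"):
        verdict = check_password(candidate, "alice", known) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The breached-list and reuse checks are what stop a password that looks strong on paper but is already known to attackers; a length and character-class rule alone would accept "Password123!".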
How to protect devices against common attack vectors
Attackers use a variety of techniques to penetrate corporate IT assets. As these techniques continue to evolve, IT's job is to identify and implement the policies, tools and techniques that are most effective in protecting against these attacks. The following is a list of effective protection techniques:
- Implement effective password policies. Ensure usernames and passwords meet proper length and strength criteria and the same credentials are not used to access multiple applications and systems. Use two-factor authentication (2FA) or verification methods, such as a password and a personal identification number (PIN), to provide an added layer of protection for system access.
- Install security monitoring and reporting software. This includes software that monitors, identifies, alerts and even locks down entry points to networks, systems, workstations and edge technology once a potential attack by an unidentified or unauthorized user or source is detected.
- Regularly audit and test IT resources for vulnerabilities. At a minimum, IT vulnerability testing should be conducted quarterly, and an outside IT security audit firm should test IT resources for vulnerability annually. Based upon these findings, security policies, practices and prevention techniques should be updated immediately.
- Keep IT security front and center. Security investments cost money, and a chief information officer (CIO) and a chief security officer (CSO) need the chief executive officer (CEO) and the board of directors to approve these purchases. This requires regular briefings and education for C-level executives so they understand the importance of securing IT and the ramifications for the company and its reputation if IT is left unsecured.
- Train users. All new employees should be provided comprehensive training in IT security policies and practices, and existing employees should be given refresher training annually. IT personnel, especially in the security area, should be current on the latest security policies and practices.
- Collaborate with human resources (HR). Social engineering vulnerability audits should be performed with an outside security audit firm at least once every two to three years. If there is suspicious employee activity, IT should immediately alert HR so it can take appropriate action, whether it is meeting with an employee, restricting an employee's access, coaching an employee or firing an employee.
- Immediately install all updates. Whenever a hardware, firmware or software update is issued, IT should promptly install it. If devices are used in the field, the security updates should be provided as push notifications, where software or firmware is automatically updated.
- Use thin clients for companies with a bring your own device (BYOD) policy. It is preferable to house all corporate data in a secure cloud or other enterprise system so users can sign in from home or from their own devices through a virtual private network (VPN), which is restricted to a specific set of users and is not open to the public. This prevents sensitive data from being stored on remote devices.
- Use strong data encryption on portable devices. Whether a portable device is a laptop, a smartphone, a sensor or any other type of edge device, data encryption should be used wherever sensitive data is stored. This can be done by selecting a strong data encryption technology, such as Advanced Encryption Standard (AES). The U.S. government uses AES, which contains 192- and 256-bit keys for data encryption.
- Review and set all security configurations for OSes, internet browsers, security software, network hubs and edge devices, such as sensors, smartphones and routers. Often, systems, browsers, hubs and internet of things (IoT) devices come with minimal default security settings, and companies forget to adjust these settings. As a standard practice, companies should check and, if necessary, reset security on all new IT.
- Secure physical spaces. While most data breaches and security hacks target IT, physical access intrusions can also occur. Data centers, servers located in different business departments and remote field offices, medical equipment, field-based sensors and even physical file cabinets in offices are all hacking targets. They should be secured, protected and regularly inspected.
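The "install security monitoring and reporting software" item above says such software should identify and alert on an unauthorized source probing an entry point; the brute-force credential guessing described under "compromised user credentials" is the textbook case. The detector below is an added example written for this page, not code from the article or any monitoring product. It parses OpenSSH-style authentication log lines (the lines are constructed; host names, user names and addresses are made up, and the year is assumed because syslog timestamps omit it), keeps a sliding window of failed logins per source address, raises an alert when the failure count in the window reaches a threshold, and raises a second, higher-priority alert when a success follows such a burst, since that is the signature of a guessed or stolen credential rather than a mere attempt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH's authentication-log format.
# One address guesses repeatedly and then succeeds; the other is an ordinary
# user who mistyped a password once and logged in minutes later.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 09:00:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 09:00:05 bastion sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar 10 09:00:06 bastion sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar 10 09:00:08 bastion sshd[2209]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 09:00:10 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 51244 ssh2
Mar 10 09:00:12 bastion sshd[2213]: Accepted password for alice from 203.0.113.7 port 51246 ssh2
Mar 10 09:01:30 bastion sshd[2220]: Failed password for bob from 198.51.100.22 port 40001 ssh2
Mar 10 09:05:45 bastion sshd[2222]: Accepted password for bob from 198.51.100.22 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return an event dict for a password-auth line, or None for anything else.
    The year is assumed: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Scan log text in order and return alerts.

    'brute_force'            - a source reached `threshold` failures inside the window
    'success_after_failures' - a login from that source succeeded while the burst was
                               still inside the window (likely guessed/stolen credential)
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerted = set()                # sources already reported for the current burst
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        # Expire failures that have fallen out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "failures": len(recent), "at": ev["ts"]})
        elif len(recent) >= threshold:
            alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(recent), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The per-source window is what keeps the ordinary user's single typo from being reported, and the threshold and window are the two knobs a monitoring team tunes against its own traffic. A product would also correlate across hosts and source ranges, since a distributed guessing campaign spreads attempts so that no single address crosses the threshold.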
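The "misconfigured devices" vector and the "review and set all security configurations" item above both come down to the same practice: compare what a device shipped with against a baseline you have decided on, and correct the differences before the device goes on the network. The audit below is an added example written for this page, not code from the article or from the OpenSSH project. It parses a constructed sshd_config-style fragment with permissive, vendor-default-like values (the directive names are real OpenSSH directives; the values and the hardened baseline are this example's assumptions), reports each directive that differs from or is missing relative to the baseline, and produces the corrected configuration. Conditional `Match` blocks are not handled, which a production tool would need to address.

```python
# Constructed sshd_config-style fragment standing in for a device's shipped settings.
DEFAULT_LIKE_CONFIG = """\
# constructed sample, not a real device's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
MaxAuthTries 10
"""

# Assumed hardened baseline for this example: directive -> (required value, reason).
BASELINE = {
    "PermitRootLogin": ("no", "direct root logins remove accountability"),
    "PasswordAuthentication": ("no", "key-based logins leave password guessing nothing to hit"),
    "PermitEmptyPasswords": ("no", "an empty password is guessed on the first try"),
    "X11Forwarding": ("no", "an unused feature only widens the attack surface"),
    "MaxAuthTries": ("3", "caps guesses per connection"),
    "LogLevel": ("VERBOSE", "records key fingerprints so logins can be audited"),
}


def parse_config(text):
    """Map directive -> value, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit_config(text, baseline=BASELINE):
    """Return (directive, actual, required, reason) for every deviation from the baseline.
    A directive that is not set explicitly is reported too, so the device's compiled-in
    default is never relied on silently."""
    settings = parse_config(text)
    findings = []
    for directive, (required, reason) in baseline.items():
        actual = settings.get(directive)
        if actual is None:
            findings.append((directive, "<not set>", required, reason))
        elif actual.lower() != required.lower():
            findings.append((directive, actual, required, reason))
    return findings


def harden_config(text, baseline=BASELINE):
    """Return the config with each baseline directive set to its required value.
    Unrelated lines and comments are kept; missing directives are appended."""
    seen = set()
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if parts and parts[0] in baseline:
            seen.add(parts[0])
            out.append(f"{parts[0]} {baseline[parts[0]][0]}")
        else:
            out.append(raw)
    for directive, (required, _) in baseline.items():
        if directive not in seen:
            out.append(f"{directive} {required}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, actual, required, reason in audit_config(DEFAULT_LIKE_CONFIG):
        print(f"{directive}: is {actual!r}, should be {required!r} ({reason})")
    print("--- corrected configuration ---")
    print(harden_config(DEFAULT_LIKE_CONFIG), end="")
```

Running the audit again on the corrected text returns no findings, which is the check to keep in a deployment pipeline so a device that drifts back to its defaults after a firmware update is caught rather than trusted.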