According to the national Common Vulnerabilities and Exploits (CVE) database, the commonly used software and systems has more than 11,000 known vulnerabilities. Moreover, breaches of these vulnerabilities can cost up to $3.92 million on average to large enterprises and IBM has calculated it. These threats evolve constantly, and the mitigation process which protected you in the past might not be very effective against the today’s threat. If you want to prepare better, then you should know better about the threats you face. Some of the most common threats or cyber-attacks are
Social Engineering
Social Engineers are those who is a master of asking seemingly non-invasive or unimportant questions to gather information over time. They try to gain trust and reduce the defenses. So over time that can be combined with several techniques to gather sensitive information. There are three main types in the social engineering attack,
Phishing – Phishing attack is an attack that happens via electronic communication (i.e email) posing as a someone trustworthy. So, in this attack, the attacker targets their email and tries to collect the sensitive information such as logon, passwords, pin number, credit card
Spear Phishing – It is like phishing; however, spear phishing is targeted. In other words, Spear Phishing is a targeted attack appearing to come from a trusted source, often within the victim’s own company, from someone in a position of authority. The attackers are very precise and going after someone and have that email appears to be coming from inside. So that way, the authorizing person thinks that the email is coming specifically for them like a mass email. It has high hit rate when executed properly. For example, the attackers send an email like a boss to their employee asking to review this document. Without really thinking most of the employees click on it because they think it is from their boss.
Whaling is like spear phishing targeting the upper management. Whaling is a specific attack targeting high-profile business executives, upper management, etc.
Mitigation
Train users with an effective training program that routinely uses an integrated anti-phishing tool that keeps security top of mind for users and help them recognize what a phishing email might look like. Since these attacks are on the rise, several new defenses have been developed. AppRiver is a great Spam and Virus email filter that can block many phishing exploits before they even reach the internal servers. Beware of phone phishing; never provide personal information over the phone if you receive a call. Empower employees to recognize potential threats and independently make correct security decisions.
Impersonation
It is sniffing of wired or wireless network, and a replay attack captures packets and puts them back on the wire. These packets can be potentially be modified and retransmitted to look like a legitimate packet. Attacker can impersonate like someone and jump in the middle between two conversations and then make everything go through them. Now the attacker will impersonate either side of that conversation allowing them to intercept all the communication going back and forth.
Mitigation
Sequencing helps to mitigate the effectives of Impersonation. Packets need to be in order one, two and have some type of time strap. If they arrive out of order or they take too long, the time strap expires, then it need to be resent again.
DoS and DDoS Attack
It is a large-scale attack against a specific target and it’s consists of two things botnets which is a network of zombie computers, and botherders: a command and control center (CC issues commands to botnet zombies to initiate attack against a target). It could be hundreds or thousands or millions of zombies compromising a botnet army. Most of the attacks are performed to gain access whereas denial-of-service attacks denies the services by making them unavailable. The most common denial of service attacks is SYN flood and bonnets.
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system to consume enough server resources to make the system unresponsive to legitimate traffic.
A Botnet is a group of bots (can have hundreds of thousands of bots), where a malicious individual or group controls their ability which are connected through the internet. These bots can be activated to distribute malware, launch DDoS attacks, etc and they are infected by visiting a website or opening an infected mail attachment. Mostly control servers and commands are used to control Botnets.
To protect the organization from it, a behavioral approach is done. i.e Botnet traffic filters. These filters inform the worldwide security community about the botnet locations. Eg. Cisco SIO updates the Cisco ASA Botnet filter list; the destination is known as an attack site.
Mitigation of DoS and DDoS Attack
Reduce the attack surface area: Minimize the surface area by providing limited options for the attackers and at the same time allows you to build protection. Content Distribution network and Load balancers are used to restrict the direct traffic on a server.
Plan for Scale: Bandwidth capacity and server capacity are the key features in mitigation. While designing the architecture provide ample redundant internet connectivity so that it can handle more traffic. Most attack uses lot of resources, so it is important to scale automatically on your computation resources.
Distinguish normal and abnormal traffic: Implement the rate limiting concept where host can accept amount of traffic it can handle without affecting availability. More advanced protection techniques can go one step further and intelligently only accept traffic that is legitimate by analyzing the individual packets themselves.
For Application attack, deploy firewalls: Use Web application firewall which could distinguish good traffic or from unknown bad IPs. It is also used to study traffic patterns and create customized protections.
Cryptographic attack
Password attack –In information systems, mostly password is the mechanism which is used to authenticate users. So, obtaining password is the most effective approach to attack.
Brute Force attack is an attempt to defeat encryption by systematically trying every possible combination of passwords and passphrases. This is very time consuming. Most of the accounts will lock out after “X” number of attempts. When the length of the password increases, time to crack that password also will increase. And, brute force is comprised of things like Dictionary attack, Hybrid attack.
Dictionary attack is an attack which uses known words to try and defeat a cipher. These attacks are carried out by using words in the dictionary or a pre-defined set of possible words. This attack is faster than brute force in that only words that are likely to succeed are used. And some of the most common tools used are Brutus, Crack, Metasploit project, Aircrack-ng.
Hybrid attack combines dictionary attack along with word variations.
Mitigation
consider the following actions to reduce the effectiveness of actors utilizing password attacks:
-Implement multifactor authentication (MFA) on all external access systems
-Enforce complex passwords as well as a strong password reset policy
-Increased alerting and monitoring
-Additional access controls and hardening
-Reset credentials of affected accounts
Birthday attacks
Birthday attack which is a brute-force attack that works in the cryptographic phenomenon of hash collisions. However, given enough time and depending upon the algorithm, each hash algorithm has a slightly different way of accomplishing this. Given enough time, two independent sources could yield same hash and the rate of occurrence varies depending on hash algorithm.
Mitigation
-Prefer minimum 128-bit cipher suites
-Limit the length of TLS sessions with a 64-bit cipher, which could be done with TLS renegotiation or closing and starting a new connection
-Disable cipher suites using 3DES
Rainbow Tables
When we are trying to compute all these different variations of alphanumeric characters, time consuming is more. So, in rainbow table, it uses precomputed table to reversing cryptographic hashes. It will reduce time to brute-force a password. It will increase the amount of storage necessary to store rainbow tables. And the rainbow table needed for each has type either MD5 or SHA1, etc.
Mitigation of rainbow tables
It can be mitigated using password salting. Adding a random data to the hashing algorithm so that each users hash is unique even if both have the same password. Larger salt increases the security.
Zero day
Zero day are the vulnerabilities that are discovered and exploited before the developer has a chance to issue a patch or fix. The best example is Stuxnet, was found to use four zero -day vulnerabilities. Mostly private companies, and even government agencies buy the zero-day exploits. One of the tools is cyber-army arsenal.
Mitigation
Best Practices for Protection Against Zero-Day Attacks are
-Use Windows Defender Exploit Guard
-Leverage Next-Generation Antivirus (NGAV)
-Implement Patch Management
-Have an Incident Response Plan Ready
Man-in- the-middle attack
This attack occurs when the attacker hacks and insert himself between the communications of client and server. Some common types of man-in-the middle attacks are
Sessions hijacking is the man in the middle attack where the attacker hijacks a session between the client and server. In this attack, the attacker attacks the client and gains control of that client which is connected to the server, and then disconnects the client from the server by replacing the attackers ip (own ip) in the place of client ip and spoofs the client sequence number. It starts communicating with the server.
IP Spoofing It is an attack in which the attacker convinces the target host that the packet is from known trusted entity. The attacker sends a packet with the IP source address of a known, trusted host instead of its own IP source address to a target host. The target host might accept the packet and act upon it.
Replay attack is an attack in which the attacker had intercepted and saved the old messages and then later sends them again as a legitimate user. To achieve this, they use session timestamps or a random number/ strings that changes with time.
Mitigation of man in the middle attack
Certificate authorities and hash functions were created to rectify this problem. When sender wants to communicate with receiver, first Sender will create a symmetric key and encrypts that key using receiver public key and sends to receiver.
For the message also, sender computes the hash function and digitally signs it. And then encrypts the hash function of the message and digital sign using the symmetric key. And then sends to the receiver.
Receiver already received the encrypted symmetric key. And receiver alone can decrypt the encrypted hash function message and digital sign. And the digital sign is verified using sender public key.
SQL injection
It is a common attack where the attacker uses malicious SQL code to gain access to the backend database. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables. They can also use SQL Injection to add, modify, and delete records in the database. An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others.
Mitigation of SQL injection
Use input validation – sanitize all inputs while developing itself. You can use tools to detect the website vulnerabilities like Acunetix scan. And if you discover vulnerability using this scan, then you can use web application firewall to sanitize the input temporarily.
Malware attack
A malware attack is when cybercriminals create malicious software that’s installed on someone else’s device without their knowledge to gain access to personal information or to damage the device, usually for financial gain. Different types of malware include
Virus– Malicious code that requires user interaction to install and replicate.
Ransomware– Malicious application that take various action and encrypts it mostly and demands ransom for it.
Trojans– Seemingly friendly software that contains hidden malicious software
Worms– Self-replicating program that is self-contained and can execute and spread without user interaction.
Rootkit – Malicious code that installs itself at the OS or kernel level to avoid detection.
Keylogger- Malicious application that once installed on a host can capture all keystrokes like username, passwords, chats etc.
Adware– Malware that is installed as an infected machine to deliver ads.
Spyware– Malicious software that captures user activity and reports back.
Logic bombs– Malicious code that triggers after a period based on some data or specific activity.
Back doors– Software that installs for the purpose of opening ports and installing additional software. Backdoors can phone home, steal credentials, download additional software or allow remote access.
Mitigation
Ways to prevent malware infection
- Protect vulnerabilities- Update your operating system, browsers, and plugins, remove software you don’t use (especially legacy programs).
- Practice safe browsing- Make sure you’re on a secure connection. And make sure you’re on a secure connection.
- Layer your security- Use firewall, anti-malware, anti-ransomware, and anti-exploit technology
I’m Saranya Krishnamoorthy. IT graduate with a cybersecurity background has knowledge in cloud safety, automation, PEN testing, system testing, website security, security script programming, networking concepts and protocols, Risk management. I pursued my bachelor’s degree in Computer science & Engineering, from India. And Certificate IV in Cyber Security from Boxhill Institute