An attack vector is a path or means by which an attacker or hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.
Viruses, malware, email attachments, web pages, pop-up windows, instant messages (IMs), chat rooms, and deceit are all common cyber attack vectors. All of these techniques, with the exception of deceit, involve hardware or programming, and occasionally both. Deception is when a human operator is tricked into deleting or weakening system defenses.
To some extent, firewalls and antivirus software can block attack vectors. But no protection method is totally attack-proof. A defense method can quickly become obsolete, as hackers are constantly updating attack vectors and seeking new ones in their quest to gain unauthorized access to computers and servers.
The most common malicious payloads are viruses (which can also function as their own attack vectors), Trojan horses, worms and spyware. Third-party vendors and service providers can also be considered attack vectors, because they are a risk to an organization if they have access to its sensitive data.
What is the Difference Between an Attack Vector, Attack Surface and Threat Vector?
An attack vector is a method of gaining unauthorized access to a network or computer system.
An attack surface is the total number of attack vectors an attacker can use to manipulate a network or computer system or extract data.
The term threat vector can be used interchangeably with attack vector; it generally describes the potential ways a hacker can gain access to data or other confidential information.
How do cyber attackers exploit attack vectors?
Hackers have in-depth knowledge of the common security attack vectors available to them. When deciding how to exploit one of these vectors, they first look for vulnerabilities, or security holes, in it that they believe they can penetrate.
A security hole can be found in a piece of software or in a computer operating system (OS). Sometimes, a security vulnerability can open up because of a programming error in an application or a faulty security configuration. Hacks can even be low-tech, such as obtaining an employee’s security credentials or breaking into a building.
Hackers continuously probe businesses and individuals for any potential access points to systems, apps, and networks. In certain instances, they might even target physical locations, or hunt for internal users and staff members who might unintentionally or knowingly divulge their information technology (IT) access credentials.
Why are Attack Vectors Exploited by Attackers?
Cybercriminals can make money from attacking your organization’s software systems, for example by stealing credit card numbers or online banking credentials. However, there are other, more sophisticated ways to monetize their actions that aren’t as obvious as stealing money.
Attackers may infect your system with malware that grants remote access to a command and control server. Once they have infected hundreds or even thousands of computers they can establish a botnet, which can be used to send phishing emails, launch other cyber attacks, steal sensitive data, or mine cryptocurrency.
Accessing personally identifiable information (PII), medical data, and biometrics is often done in order to perpetrate insurance fraud, credit card fraud, or unlawful prescription drug purchases.
Competitors may employ attackers to perform corporate espionage or overload your data centers with a Distributed Denial of Service (DDoS) attack to cause downtime, harm sales, and cause customers to leave your business.
Money is not the only motivator. Attackers may want to leak information to the public, embarrass particular organizations, advance political ideologies, or conduct cyber warfare on behalf of their government, such as the United States or China.
How Do Attackers Exploit Attack Vectors?
There are many ways to expose, alter, disable, destroy, steal or gain unauthorized access to computer systems, infrastructure, networks, operating systems, and IoT devices.
In general, attack vectors can be split into passive or active attacks:
Passive Attack Vector Exploits
Passive attack vector exploits attempt to gain access to, or make use of, information from a system without affecting its resources; examples include typosquatting, phishing, and other social engineering-based attacks.
Active Attack Vector Exploits
Active attack vector exploits attempt to alter a system or affect its operation; examples include malware, exploitation of unpatched vulnerabilities, email spoofing, man-in-the-middle attacks, domain hijacking, and ransomware.
That said, most attack vectors share similarities:
One often overlooked attack vector is your third and fourth-party vendors and service providers. It doesn’t matter how sophisticated your internal network security and information security policies are — if vendors have access to sensitive data, they are a huge risk to your organization.
This is why it is important to measure and mitigate third-party risks and fourth-party risks. This means it needs to be part of your information security policy and information risk management program.
Consider investing in threat intelligence tools that help automate vendor risk management, continuously monitor your vendors’ security posture, and notify you if it worsens.
Every organization now needs a third-party risk management framework, vendor management policy, and vendor risk management program.
Perform a cybersecurity risk assessment prior to considering a new vendor to see what attack vectors you may be adding to your firm by using them. You should also inquire about their SOC 2 compliance.
What are the Common Types of Attack Vectors?
1. Compromised Credentials
Usernames and passwords remain the most common type of access credential, and they are frequently leaked through malware, phishing scams, and data breaches. Lost, stolen, or exposed credentials give attackers unrestricted access. For this reason, organizations now invest in systems that continuously check for data exposures and credential leaks. Password managers, two-factor authentication (2FA), multi-factor authentication (MFA), and biometrics can also reduce the risk of a credential leak turning into a security incident.
2. Weak Credentials
Weak passwords and reused passwords mean one data breach can result in many more. Teach your organization how to create a secure password, invest in a password manager or a single sign-on tool, and educate staff on their benefits.
3. Insider Threats
Disgruntled employees or malicious insiders can expose private information or provide information about company-specific vulnerabilities.
4. Missing or Poor Encryption
Transport protections such as SSL/TLS certificates and DNSSEC can help prevent man-in-the-middle attacks and protect the confidentiality of data in transit. Missing or weak encryption for data at rest can mean that sensitive data or credentials are exposed in the event of a data breach or data leak.
5. Misconfiguration
Check your S3 permissions, or someone else will: misconfigured cloud services such as Google Cloud Platform, Microsoft Azure, or AWS, and the use of default credentials, can result in data breaches and leaks. To stop configuration drift, automate configuration management wherever you can.
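One concrete form of the "check your S3 permissions" advice above, as an added example that is not part of the original article: a small audit that flags a bucket policy granting access to a public principal, ACL grants to the AllUsers/AuthenticatedUsers groups, and Public Access Block flags left off. It works on the JSON shapes the AWS APIs return; the sample input is constructed, and fetching the live values with boto3 is assumed rather than shown.

```python
"""Flag S3 bucket settings that expose data publicly (added example, not from the
original article). It checks the bucket policy, ACL grants and Public Access Block
flags in the JSON shapes the AWS APIs return; fetching them via boto3 is assumed."""
import json

PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_public(principal):
    # "*" and {"AWS": "*"} both mean "anyone on the internet"
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_findings(policy_json):
    """Allow statements granted to a public principal with no Condition narrowing them."""
    return [f"public {s.get('Action')} via policy statement {s.get('Sid', '?')}"
            for s in json.loads(policy_json).get("Statement", [])
            if s.get("Effect") == "Allow" and "Condition" not in s
            and _principal_is_public(s.get("Principal"))]

def acl_findings(grants):
    """ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [f"{g['Permission']} granted to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
            for g in grants if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def public_access_block_findings(pab):
    """All four Public Access Block flags should be True; report any that are not."""
    return [f"{flag} is not enabled" for flag in PAB_FLAGS if not pab.get(flag, False)]

def audit_bucket(policy_json, grants, pab):
    return policy_findings(policy_json) + acl_findings(grants) + public_access_block_findings(pab)

# Constructed sample: a bucket made world-readable three different ways.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}]
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, SAMPLE_PAB):
        print("FINDING:", finding)
```

Running the same checks on a schedule against every bucket is the kind of automated configuration management that catches drift before it becomes a leak.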
6. Ransomware
Ransomware, such as WannaCry, is a form of extortion in which data is deleted or encrypted unless a ransom is paid. Minimize the impact of ransomware attacks by maintaining a defense plan, including keeping your systems patched and backing up important data.
7. Phishing
Phishing attacks are social engineering attacks in which the target is contacted by email, telephone, or text message by someone posing as a legitimate colleague or institution, to trick them into providing sensitive data, credentials, or personally identifiable information (PII). Fake messages can also send users to malicious websites that deliver virus or malware payloads.
8. Vulnerabilities
New security vulnerabilities are added to the CVE list every day, and zero-day vulnerabilities are found just as often. If the developer has not released a patch before attackers begin exploiting a zero-day vulnerability, such attacks can be hard to prevent.
9. Brute Force
Brute force attacks are based on trial and error. Attackers may keep trying to gain access to your organization until one attempt works, whether by attacking weak passwords or encryption, sending phishing emails, or sending infected email attachments that carry malware.
10. Distributed Denial of Service (DDoS)
DDoS attacks are cyber attacks against networked resources such as data centers, servers, websites, or web applications, and they limit the availability of a computer system. The attacker floods the resource with traffic that causes it to slow down or even crash, making it inaccessible to users. Potential mitigations include CDNs and proxies.
11. SQL Injections
SQL stands for Structured Query Language, the language used to communicate with relational databases. Many of the servers that store sensitive data use SQL to manage the data in their database. An SQL injection supplies malicious SQL through user input to make the server expose information it otherwise would not. This is a huge cyber risk if the database stores customer information, credit card numbers, credentials, or other personally identifiable information (PII).
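To make the mechanism concrete, here is an added example (not code from the original article) showing a lookup that splices user input into the query next to the parameterized version that closes the hole. It uses an in-memory SQLite table with constructed rows, so it runs offline.

```python
"""Vulnerable string-built query beside its parameterized fix (added example,
not from the original article). The users table and its rows are constructed."""
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, username):
    # Attacker-controlled text is spliced straight into the statement, so the
    # database parses whatever the caller typed as SQL: the page's "malicious SQL".
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Placeholder binding: the driver sends the value separately from the
    # statement text, so the input is only ever compared as a string.
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,))]

# Constructed input: once spliced in, the WHERE clause becomes always-true.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, TAUTOLOGY))  # every email in the table leaks
    print(lookup_safe(conn, TAUTOLOGY))        # [] because no user has that literal name
```

The same placeholder syntax (or an ORM's query builder) is the fix in every database driver; input validation alone is not enough, because the problem is that the input is being parsed as code.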
12. Trojans
Trojan horses are malware that misleads users by pretending to be a legitimate program; they are often spread via infected email attachments or fake software downloads.
13. Cross-Site Scripting (XSS)
14. Session Hijacking
When you log into a service, it generally provides your computer with a session key or cookie so you don’t need to log in again. This cookie can be hijacked by an attacker who uses it to gain access to sensitive information.
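The cookie attributes that make a hijacked session cookie harder to steal or replay (Secure, HttpOnly, SameSite, a short lifetime) can be checked mechanically. As an added example that is not part of the original article, this audits Set-Cookie headers from a constructed list; the 8-hour lifetime limit is an assumed policy value, not a standard.

```python
"""Audit Set-Cookie headers for the attributes that make a session cookie harder
to steal or replay (added example, not from the original article). Input is a list
of constructed header lines; the 8-hour lifetime limit is an assumed policy value."""
import re

SESSION_NAME = re.compile(r"sess|sid|token|auth", re.IGNORECASE)
MAX_LIFETIME = 8 * 3600  # assumed policy: a session cookie should not outlive a shift

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value_or_True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True
    return name, attrs

def cookie_findings(header):
    name, attrs = parse_set_cookie(header)
    if not SESSION_NAME.search(name):
        return []  # only session-like cookies are worth hardening here
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent in clear over HTTP, e.g. on public Wi-Fi)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not set to Lax or Strict")
    if int(attrs.get("max-age", 0)) > MAX_LIFETIME:
        findings.append(f"{name}: Max-Age exceeds {MAX_LIFETIME}s, a stolen cookie stays valid too long")
    return findings

def audit_headers(headers):
    return [f for h in headers for f in cookie_findings(h)]

# Constructed sample: one weak session cookie, one hardened one, one irrelevant one.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Max-Age=2592000",
    "auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Rotating the session identifier after login and invalidating it server-side on logout complement these attributes, since they limit how long a copied cookie is worth anything.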
15. Man-in-the-Middle Attacks
Public Wi-Fi networks can be exploited to perform man-in-the-middle attacks and intercept traffic that was supposed to go elsewhere, such as when you log into a secure system.
16. Third and Fourth-Party Vendors
The rise in outsourcing means that your vendors pose a huge cybersecurity risk to your customers’ data and your proprietary data. Some of the biggest data breaches were caused by third parties.
How to protect devices against common attack vectors
Attackers use a variety of techniques to penetrate corporate IT assets. As these techniques continue to evolve, IT’s job is to identify and implement the policies, tools and techniques that are most effective in protecting against these attacks. The following is a list of effective protection techniques:
- Implement effective password policies. Ensure usernames and passwords meet proper length and strength criteria and the same credentials are not used to access multiple applications and systems. Use two-factor authentication (2FA) or verification methods, such as a password and a personal identification number (PIN), to provide an added layer of protection for system access.
- Install security monitoring and reporting software. This includes software that monitors, identifies, alerts and even locks down entry points to networks, systems, workstations and edge technology once a potential attack by an unidentified or unauthorized user or source is detected.
- Regularly audit and test IT resources for vulnerabilities. At a minimum, IT vulnerability testing should be conducted quarterly, and an outside IT security audit firm should test IT resources for vulnerability annually. Based upon these findings, security policies, practices and prevention techniques should be updated immediately.
- Keep IT security front and center. Security investments cost money, and a chief information officer (CIO) and a chief security officer (CSO) need the chief executive officer (CEO) and the board of directors to approve these purchases. This requires regular briefings and education for C-level executives so they understand the importance of securing IT and the ramifications for the company and its reputation if IT is left unsecured.
- Train users. All new employees should be provided comprehensive training in IT security policies and practices, and existing employees should be given refresher training annually. IT personnel, especially in the security area, should be current on the latest security policies and practices.
- Collaborate with human resources (HR). Social engineering vulnerability audits should be performed with an outside security audit firm at least once every two to three years. If there is suspicious employee activity, IT should immediately alert HR so it can take appropriate action, whether it is meeting with an employee, restricting an employee’s access, coaching an employee or firing an employee.
- Immediately install all updates. Whenever a hardware, firmware or software update is issued, IT should promptly install it. If devices are used in the field, the security updates should be provided as push notifications, where software or firmware is automatically updated.
- Use thin clients for companies with a bring your own device (BYOD) policy. It is preferable to house all corporate data in a secure cloud or other enterprise system so users can sign in from home or from their own devices through a virtual private network (VPN), which is restricted to a specific set of users and is not open to the public. This prevents sensitive data from being stored on remote devices.
- Use strong data encryption on portable devices. Whether a portable device is a laptop, a smartphone, a sensor or any other type of edge device, data encryption should be used wherever sensitive data is stored. This can be done by selecting a strong data encryption technology, such as the Advanced Encryption Standard (AES). The U.S. government uses AES, which offers 192- and 256-bit keys for data encryption.
- Review and set all security configurations for OSes, internet browsers, security software, network hubs and edge devices, such as sensors, smartphones and routers. Often, systems, browsers, hubs and internet of things (IoT) devices come with minimal default security settings, and companies forget to adjust these settings. As a standard practice, companies should check and, if necessary, reset security on all new IT.
- Secure physical spaces. While most data breaches and security hacks target IT, physical access intrusions can also occur. Data centers, servers located in different business departments and remote field offices, medical equipment, field-based sensors and even physical file cabinets in offices are all hacking targets. They should be secured, protected and regularly inspected.