How Do Cyber Criminals Operate Most Frequent Attack Vectors?

Viruses have been with us since computers began to be on top of, or under, work tables a few decades ago, even before the Internet existed. 

In their beginnings, they were ingenious demonstrations of program errors and spread via floppy disks. They soon began to be exploited for malicious purposes, causing data deletion, intrusion, system disablement, or service downtime.

Computer systems and networks are now more complex; therefore, the means of attack have diversified. Episodes arrive as email attachments, use human intermediaries, removable devices, via wireless connections, via Whatsapp, on web pages, and our technology services providers, such as the case of Kaseya software or SolarWinds. 

Cybercriminals continually look for new ways to deliver their “malicious payload” or gain access to our equipment by exploiting human error, misconfigurations, or system flaws.

These ways of reaching our systems are known as attack vectors in jargon. We will see the most frequent and what we can do to prevent cybercriminals from using them to their advantage and, almost always, to our detriment.

How do Cyber Criminals Operate?

As you might expect, systems and networks ( hardware and software ) are not perfect. They may have security flaws or vulnerabilities that are well known in the circles that cybercriminals frequent, in forums on the dark web, for example. They can also acquire specific developments to exploit them and launch their attacks.

In addition, they are constantly and automatically scanning networks in search of vulnerable systems (with unpatched bugs) or poorly configured and unaware users that can serve as an entry point. 

This, what can be attacked, in jargon, is known as the attack surface, formed by the facts on the perimeter of the device, network component, service, system, or environment that can be used to enter, cause damage or extract data. . And this includes users with their valuable login credentials.

As in any economy of scale, the more significant the scope and the chances of success of the attack, the greater its benefits, so they will try to exploit widespread vulnerabilities. They will even try to physically enter our facilities or take advantage of internal employees, either bribing them or simply tricking them into obtaining their access credentials. This key opens the ‘doors.’

What are the Most Frequent Attack Vectors?

Taking into account that attack vectors are subject to change with technological advances and that cyber criminals could use several in each attack, these are the most frequent at present:

• Email and instant messaging, for example, phishing emails and SMS that impersonate organizations known to the recipient, such as banks, parcel companies, the Tax Agency, our suppliers and customers, or our technical support, to deceive you with various decoys, to follow links to fake web pages asking you to enter your credentials or download malicious attachments that install malware. Very often, it is ransomware, that is, malware, that locks data in exchange for a ransom. In other cases, malware turns our devices into zombies at your service to launch attacks on third parties or for other unethical purposes.
• Web browsing, either due to browsers not being updated or due to the installation of malicious plugins, or due to visiting fraudulent pages. In the face of outdated browsers, cybercriminals could exploit vulnerabilities with techniques such as:

1. Drive-by download, which allows the malware to be downloaded just by visiting a malicious page or viewing an HTML mail;
2. The browser in browser simulates an authentication popup asking for credentials.

• Users may also be led by searches or other means to follow links that download malware or lead to phishing sites. Cybercriminals impersonate legitimate websites by copying them and giving them similar web addresses with homographs or links that look like the real ones by changing some character that is not easy to distinguish.

• Endpoints, terminals, and other devices in which security options have not been configured are vulnerable. Manufacturer’s default settings are, in many cases, insecure. For example, if they use weak passwords or allow USB or removable drives to be plugged in, these could carry malware. Other times they are incomplete or insufficient configurations of the networks to which these devices belong and allow access to them and their manipulation. A particular case is IoT devices.

• Web applications, corporate portals, intranets, and social networks with faulty configurations, or if they are outdated, can be an entry point or a way to provide information to cybercriminals for subsequent attacks.

For example, suppose they contain or show too much information about the company’s structure, email addresses, or details of its employees. In that case, it could be used in spear phishing attacks, phishing directed at a specific person from whom they have previously collected information to do so. More believable.

Suppose the company has a web page or application. In that case, it must consider cybersecurity in its design and maintenance to avoid attacks such as SQL injection. As we will see later, access credentials and authentication mechanisms must be protected for users and administrators.

A particular case to consider is video call applications and other collaborative tools, which must be updated and regulated to avoid attacks.

The rise of cloud applications is also being used as attack vectors. When contracting them, it is necessary to analyze who is responsible for keeping the systems updated, the supplier or us. We must also review which applications of this type are allowed in the company and regulate their use. For example, force them to use good encryption if they are used as backup services. Check out these real stories of fraud using Google Drive and Sharepoint.

• Network and system software that is misconfigured, outdated, or not patched, that is, adequate procedures have not been followed in its configuration. Updates have not been applied or do not exist because the software is already out of its useful life. An example of the use of this entry route by cybercriminals is attacks against the router, such as DNS hijacking or DoS or Denial of Service attacks, as happened to this company in this true story.

• Compromised user credentials either because they are in data leaks and reused in other systems or because they have been obtained by brute force or social engineering attacks. In other cases, they are received through software or hardware that registers keystrokes, keyloggers, or software that spies on open Wi-Fi networks or with obsolete encryption settings.

• Predictable or default passwords and credentials, either because they have not been changed, the typical ‘admin/admin’ or those set by the manufacturer and can be found on the web; or if they have been changed, it has been done for others of everyday use or easily predictable by the user environment; well because they are ‘hard coded,’ that is, included in the electronics of the devices.

• Insiders or people with access who can exfiltrate information. They can be dissatisfied employees out of spite, former employees who keep accessing credentials due to procedural errors, or those who could have allowed themselves to be bribed by cybercriminals.

• Lacks in encryption either because of its weakness, by using simple and deductible keys or obsolete protocols, or because the policies in this regard are not applied correctly, for example, in mobile or portable devices or by forgetting to encrypt documents in the cloud. This vector can lead to information leaks.

• Weaknesses of the supply chain, such as technology providers or collaborating companies. If your systems experience an incident, our data may be compromised. That is why we have to review the security clauses of the Service Level Agreements. A particular case is cloud service providers.

What Can We Do to Control Those Avenues of Attack?

All attack pathways have in common that they exploit both human and organizational vulnerabilities and technical and configuration vulnerabilities.

Faced with the human facility to make mistakes or failures and organizational deficiencies, we can:

1. Train and raise awareness. Access the Training section.
2. Apply use policies, with restrictions and permitted uses, and if necessary, with sanctions. Take a look at the Security policies for the SME.
3. Establish agreements and commitments from the beginning, as we tell you in the contracting services section.
4. Identify those responsible for the security of each service that uses ICT. Ensure their training and competence.

In case of technical and configuration failures, we can:

1. Know all our assets in our facilities and those of our IT providers. Prepare an inventory that includes your possible vulnerabilities. If necessary, we will hire an audit.
2. Review the threats that may affect our assets, assess the damage they could cause, and what our preparation is for them with a risk analysis.
3. Establish an updated policy to keep assets up to date and well-configured. Assess whether it is possible to change them if they cannot be edited or stop using them.
4. Protect communications and Wi-Fi networks.
5. Continuously monitor access to networks and services. Use tools to detect intrusions.
6. Manage access permissions, and require double authentication factor in critical services. Apply password change procedures frequently enough.