Cybercrime increases drastically every year as attackers improve in efficiency and sophistication. Cyber attacks happen for different reasons and in many different ways. However, a common thread is that cybercriminals will exploit vulnerabilities in an organisation’s security policies, practices or technology.
A cyber attack refers to an action designed to target a computer or any element of a computerised information system to change, destroy, or steal data, as well as exploit or harm a network. Cyber-attacks have been on the rise, in sync with the digitisation of business that has become more and more popular in recent years.
In the remote work world, the endpoint is cybercriminals’ primary target and an organisation’s first line of defence. Securing the remote workforce requires that organisations understand the top cyber threats their employees face and have endpoint security solutions in place that are capable of detecting, preventing, and remediating these attacks.
Here at Security Systems, we provide an extensive range of security monitoring and CCTV security systems.
What is a Cyber Attack?
A cyberattack is where an attacker tries to gain unauthorised access to an IT system for theft, extortion, disruption or other nefarious reasons.
Of course, many security incidents are caused by insiders – whether through negligence or malice. However, for the sake of simplicity, let us assume that a cyber-attack is carried out by someone who is not, or was not, a member of your organisation.
Top 10 Most Common Types of Cyber Attacks
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
A denial-of-service attack overwhelms a system’s resources so that it cannot respond to service requests. A DDoS attack is also an attack on a system’s resources, but it is launched from many other host machines that are infected by malicious software controlled by the attacker.
Unlike attacks designed to enable the attacker to gain or increase access, denial-of-service doesn’t provide direct benefits for attackers. For some of them, the satisfaction of denying service is enough. However, if the attacked resource belongs to a business competitor, then the benefit to the attacker may be real enough. Another purpose of a DoS attack can be to take a system offline so that a different kind of attack can be launched. One typical example is session hijacking, which I’ll describe later.
There are different types of DoS and DDoS attacks; the most common are TCP SYN flood attack, teardrop attack, smurf attack, ping-of-death attack and botnets.
TCP SYN flood attack
In this attack, an attacker exploits the buffer space used during a Transmission Control Protocol (TCP) session initialisation handshake. The attacker’s device floods the target system’s small in-process queue with connection requests but does not respond when the target system replies to those requests. The target system times out while waiting for the responses, and when the connection queue fills up the system crashes or becomes unusable.
There are a few countermeasures to a TCP SYN flood attack:
- Place servers behind a firewall configured to stop inbound SYN packets.
- Increase the size of the connection queue and decrease the timeout on open connections.
Teardrop attack
This attack causes the length and fragmentation offset fields in sequential Internet Protocol (IP) packets to overlap on the attacked host; the attacked system attempts to reconstruct packets during the process but fails. The target system then becomes confused and crashes.
If users don’t have patches to protect against this DoS attack, disable SMBv2 and block ports 139 and 445.
Smurf attack
This attack involves using IP spoofing and ICMP to saturate a target network with traffic. This attack method uses ICMP echo requests targeted at broadcast IP addresses. These ICMP requests originate from a spoofed “victim” address. For instance, if the intended victim address is 10.0.0.10, the attacker would spoof an ICMP echo request from 10.0.0.10 to the broadcast address 10.255.255.255. This request would go to all IPs in the range, with all the responses going back to 10.0.0.10, overwhelming the network. This process is repeatable and can be automated to generate vast amounts of network congestion.
To protect your devices from this attack, you need to disable IP-directed broadcasts at the routers. This will prevent the ICMP echo broadcast request at the network devices. Another option would be to configure the end systems to keep them from responding to ICMP packets from broadcast addresses.
Ping of death attack
This type of attack uses IP packets to ‘ping’ a target system with a packet size over the maximum of 65,535 bytes. IP packets of this size are not allowed, so the attacker fragments the IP packet. Once the target system reassembles the packet, it can experience buffer overflows and other crashes.
Ping of death attacks can be blocked by using a firewall to check fragmented IP packets for maximum size.
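A fragment pre-check of the kind the teardrop and ping-of-death countermeasures above call for, as an added Python example (not code from the original article). The tuple model of a fragment and the three sample fragment sets are constructed for the demonstration.

```python
"""Fragment sanity checks a firewall can apply before IP reassembly.

Added example, not code from the original article. Fragments are modelled
as (offset, payload_len, more_fragments) tuples, with offset in 8-byte
units as carried in the IPv4 header; a 20-byte IPv4 header is assumed.
"""

IPV4_HEADER_LEN = 20
MAX_DATAGRAM = 65535   # largest datagram the 16-bit total-length field allows


def check_fragments(frags):
    """Return (ok, reason) for the fragments of one datagram.

    Rejects overlapping fragments (the teardrop pattern) and fragment sets
    whose reassembled datagram would exceed 65,535 bytes (ping of death).
    """
    frags = sorted(frags, key=lambda f: f[0])
    end_prev = 0   # byte position where the previous fragment ended
    for offset, length, more in frags:
        start = offset * 8
        if more and length % 8:
            return False, f"malformed: non-final fragment of {length} bytes is not a multiple of 8"
        if start < end_prev:
            return False, f"overlap: fragment at byte {start} starts inside the previous one (ends at {end_prev})"
        end_prev = start + length
        if IPV4_HEADER_LEN + end_prev > MAX_DATAGRAM:
            return False, f"oversize: reassembled datagram would be {IPV4_HEADER_LEN + end_prev} bytes"
    return True, "ok"


# Constructed sample fragment sets (1480-byte payloads: a 1500-byte MTU minus the header).
NORMAL_PING = [(0, 1480, True), (185, 1480, True), (370, 120, False)]
TEARDROP = [(0, 1480, True), (100, 1480, False)]   # second fragment starts at byte 800, inside the first
PING_OF_DEATH = [(i * 185, 1480, i < 44) for i in range(45)]   # 45 x 1480 = 66,600 payload bytes

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_PING), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(name, check_fragments(frags))
```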
Botnets
Botnets are the millions of systems infected with malware under hacker control to carry out DDoS attacks. These bots or zombie systems are used to carry out attacks against the target systems, often overwhelming the target system’s bandwidth and processing capabilities. These DDoS attacks are difficult to trace because botnets are located in differing geographic locations.
Botnets can be mitigated by:
- RFC3704 filtering, which will deny traffic from spoofed addresses and help ensure that traffic is traceable to its correct source network. For example, RFC3704 filtering will drop packets from bogon list addresses.
- Blackhole filtering, which drops undesirable traffic before it enters a protected network. When a DDoS attack is detected, the BGP (Border Gateway Protocol) host should send routing updates to ISP routers to route all traffic heading to victim servers to a null0 interface at the next hop.
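The RFC3704 point above, bogon filtering plus a reverse-path check on the source address, as a small Python model. This is an added example, not code from the original article; the bogon list is an abbreviated constructed subset and the routing table is constructed.

```python
"""RFC 3704 style ingress filtering for a single-homed network edge.

Added example, not code from the original article. The bogon list and the
routing table are constructed; a real deployment loads the current bogon
feed and consults the router's own forwarding table.
"""
import ipaddress

# Abbreviated bogon list: addresses that must never appear as an Internet source.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed forwarding table: prefix -> interface through which it is reached.
ROUTES = {
    "203.0.113.0/24": "eth1",    # customer A
    "198.51.100.0/24": "eth2",   # customer B
    "0.0.0.0/0": "eth0",         # default route towards the upstream ISP
}


def best_route(addr, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def ingress_allowed(src, ingress_iface, routes=ROUTES):
    """Decide whether a packet from `src` arriving on `ingress_iface` passes.

    Two checks from RFC 3704: drop bogon sources outright, and (strict
    unicast reverse-path forwarding) drop sources whose return route does
    not point back out of the interface the packet came in on. Strict mode
    suits single-homed customer-facing interfaces; multihomed links need
    the RFC's loose or feasible-path variants instead.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in bogon for bogon in BOGONS):
        return False, "bogon source"
    route = best_route(addr, routes)
    if route is None or route[1] != ingress_iface:
        return False, f"source {src} is not reachable via {ingress_iface} (spoofed?)"
    return True, "ok"


if __name__ == "__main__":
    print(ingress_allowed("203.0.113.5", "eth1"))    # customer A's own address on its own link
    print(ingress_allowed("203.0.113.5", "eth0"))    # customer A's address arriving from upstream
    print(ingress_allowed("192.168.1.10", "eth1"))   # private address: bogon
```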
Man-in-the-middle (MitM) attack
A MitM attack occurs when a hacker inserts itself between the communications of a client and a server. Here are some common types of man-in-the-middle attacks:
Session hijacking
In this MitM attack, an attacker hijacks a session between a trusted client and a network server. The attacking computer substitutes its IP address for the trusted client while the server continues the session, believing it is communicating with the client. For instance, the attack might unfold like this:
- A client connects to a server.
- The attacker’s computer gains control of the client.
- The attacker’s computer disconnects the client from the server.
- The attacker’s computer replaces the client’s IP address with its own IP address and spoofs the client’s sequence numbers.
- The attacker’s computer continues the dialogue with the server, believing it is still communicating with the client.
IP spoofing
IP spoofing is used by an attacker to convince a system that it is communicating with a known, trusted entity and so provide the attacker with access to the system. The attacker sends a packet with the IP source address of a known, trusted host, instead of its own IP source address, to a target host. The target host might accept the packet and act upon it.
Replay attack
A replay attack occurs when an attacker intercepts and saves old messages and then tries to send them later, impersonating one of the participants. This type can be easily countered with session timestamps or a nonce (a random number or a string that changes with time).
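The timestamp-and-nonce countermeasure in working form: an added Python example, not code from the original article. The shared key, the message layout and the 30-second window are constructed assumptions; the point is that a captured message is accepted once and refused on every resend.

```python
"""Replay protection with a timestamp window and a nonce cache.

Added example, not code from the original article. The shared key and the
messages are constructed; a real deployment provisions the key per peer.
"""
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"
WINDOW_SECONDS = 30   # how far a message's timestamp may differ from the receiver's clock


def _tag(key, ts, nonce, payload):
    """MAC over timestamp, nonce and payload, so none of them can be altered in transit."""
    return hmac.new(key, f"{ts}|{nonce}|".encode() + payload, hashlib.sha256).hexdigest()


def make_message(payload, key=SHARED_KEY, now=None):
    """Sender side: stamp the payload with the current time and a fresh random nonce."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "payload": payload, "tag": _tag(key, ts, nonce, payload)}


class Receiver:
    def __init__(self, key=SHARED_KEY, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}   # nonce -> timestamp, for messages still inside the window

    def accept(self, msg, now=None):
        """Return (accepted, reason). Authenticate first, so unauthenticated
        traffic cannot fill the nonce cache."""
        now = time.time() if now is None else now
        expected = _tag(self.key, msg["ts"], msg["nonce"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad MAC"
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        # Forget nonces that have aged out; the window bounds the cache size.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    receiver = Receiver()
    msg = make_message(b"transfer 100 to account 42")   # constructed payload
    print(receiver.accept(msg))   # (True, 'ok')
    print(receiver.accept(msg))   # (False, 'replay'): the captured message sent again
```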
Currently, there is no single technology or configuration to prevent all MitM attacks. Generally, encryption and digital certificates effectively safeguard against MitM attacks, assuring both the confidentiality and integrity of communications. But a man-in-the-middle can be inserted into the middle of the communication so that encryption alone will not help. For example, attacker “A” intercepts the public key of person “P” and substitutes his own public key. Then anyone wanting to send an encrypted message to P using P’s public key is unknowingly using A’s public key. Therefore, A can read the message intended for P and then forward it to P, encrypted with P’s real public key, and P will never notice that the message was compromised. In addition, A could modify the message before resending it to P. As you can see, P is using encryption and thinks that his information is protected, but it is not, because of the MitM attack.
So, how can you ensure that P’s public key belongs to P and not to A? Certificate authorities and hash functions were created to solve this problem. When person 2 (P2) wants to send a message to P, and P wants to be sure that A will not read or modify the message and that the message came from P2, the following method must be used:
- P2 creates a symmetric key and encrypts it with P’s public key.
- P2 sends the encrypted symmetric key to P.
- P2 computes a hash function of the message and digitally signs it.
- P2 encrypts his message and the message’s signed hash using the symmetric key and sends the entire thing to P.
- P can receive the symmetric key from P2 because only he has the private key to decrypt the encryption.
- P, and only P, can decrypt the symmetrically encrypted message and signed hash because he has the symmetric key.
- He can verify that the message has not been altered because he can compute the hash of the received message and compare it with a digitally signed one.
- P can also prove to himself that P2 was the sender because only P2 can sign the hash so that it is verified with the P2 public key.
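The eight steps above carried through in Python with the `cryptography` library, as an added example that is not code from the original article. The function names and envelope layout are this example's own, and it assumes what the text assumes: P2 already holds P's authentic public key (and P holds P2's), obtained through certificates rather than from the wire.

```python
"""The P2 -> P exchange from the article, built on the cryptography library.

Added example, not code from the original article. RSA-OAEP wraps the
symmetric key, RSA-PSS signs the message hash, and AES-GCM provides the
symmetric encryption; the envelope layout is this example's own.
"""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
PREHASHED = utils.Prehashed(hashes.SHA256())


def keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sha256(data):
    h = hashes.Hash(hashes.SHA256())
    h.update(data)
    return h.finalize()


def p2_send(message, p2_private, p_public):
    """Steps 1-4: P2 wraps a fresh symmetric key for P, signs the message hash,
    and encrypts message plus signature under the symmetric key."""
    sym_key = AESGCM.generate_key(bit_length=256)
    wrapped_key = p_public.encrypt(sym_key, OAEP)   # only P's private key can unwrap this
    signature = p2_private.sign(sha256(message), PSS, PREHASHED)   # step 3: sign the hash
    nonce = os.urandom(12)
    plaintext = len(signature).to_bytes(2, "big") + signature + message
    body = AESGCM(sym_key).encrypt(nonce, plaintext, None)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "body": body}


def p_receive(envelope, p_private, p2_public):
    """Steps 5-8: P unwraps the key, decrypts, recomputes the hash and checks
    the signature against P2's public key. Raises on any tampering."""
    sym_key = p_private.decrypt(envelope["wrapped_key"], OAEP)   # step 5
    plaintext = AESGCM(sym_key).decrypt(envelope["nonce"], envelope["body"], None)   # step 6
    sig_len = int.from_bytes(plaintext[:2], "big")
    signature, message = plaintext[2:2 + sig_len], plaintext[2 + sig_len:]
    p2_public.verify(signature, sha256(message), PSS, PREHASHED)   # steps 7-8: InvalidSignature if altered
    return message


if __name__ == "__main__":
    p, p2 = keypair(), keypair()
    envelope = p2_send(b"constructed message for P", p2, p.public_key())
    print(p_receive(envelope, p, p2.public_key()))
```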
Check out Security Systems’ range of high-end Melbourne home security for your home protection needs.
Phishing and spear-phishing attacks
The phishing attack is the practice of sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing users to do something. It combines social engineering and technical trickery. It could involve an attachment to an email that loads malware onto your computer. It could also be a link to an illegitimate website that can trick you into downloading malware or handing over your personal information.
Spear phishing is a very targeted type of phishing activity. Attackers take the time to conduct research into targets and create messages that are personal and relevant. Because of this, spear phishing can be very hard to identify and even harder to defend against. One of the simplest ways that a hacker can conduct a spear-phishing attack is email spoofing, which is when the information in the “From” section of the email is falsified, making it appear as if it is coming from someone you know, such as your management or your partner company. Another technique that scammers use to add credibility to their story is website cloning — they copy legitimate websites to fool you into entering personally identifiable information (PII) or login credentials.
To reduce the risk of being phished, you can use these techniques:
- Critical thinking — Do not accept that an email is a real deal just because you’re busy or stressed or you have 150 other unread messages in your inbox. Stop for a minute and analyse the email.
- Hovering over the links — Move your mouse over the link, but do not click it! Just let your mouse cursor hover over the link and see where it would take you. Apply critical thinking to decipher the URL.
- Analysing email headers — Email headers define how an email got to your address. The “Reply-to” and “Return-Path” parameters should lead to the same domain as is stated in the email.
- Sandboxing — You can test email content in a sandbox environment, logging activity from opening the attachment or clicking the links inside the email.
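Two of the checks above made mechanical: comparing the Reply-To and Return-Path domains with the From domain, and comparing a link's visible text with where its href really points (what hovering would show). This is an added Python example, not code from the original article; the sample message and HTML are constructed.

```python
"""Mechanical checks for the header and link-hover advice above.

Added example, not code from the original article. The sample message and
HTML are constructed; example.com and the .test TLD are reserved names.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPICIOUS_EMAIL = """\
From: "Finance Director" <director@example.com>
Reply-To: director.example@mail-forward.test
Return-Path: <bounce-4471@mail-forward.test>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""
SUSPICIOUS_HTML = ('<p>Sign in at <a href="https://login.example-secure.test/">'
                   'https://login.example.com/</a></p>')


def domain_of(header_value):
    """Domain of the address in a header such as '"Name" <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_domain_mismatches(raw):
    """Routing headers whose domain differs from the From domain."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    return [f"{hdr}: {domain_of(msg[hdr])} != {from_domain}"
            for hdr in ("Reply-To", "Return-Path")
            if msg[hdr] is not None and domain_of(msg[hdr]) != from_domain]


class _Links(HTMLParser):
    """Collect (href, visible text) for each anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html_body):
    """Anchors whose visible text is a URL on a different host than the real target."""
    parser = _Links()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if " " in text or "." not in text:
            continue   # plain text like "Click here" names no host to compare
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append((text, href))
    return findings
```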
Drive-by attack
Drive-by download attacks are a standard method of spreading malware. Hackers look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages.
This script might install malware directly onto the computer of someone who visits the site, or it might redirect the victim to an area controlled by the hackers.
Drive-by downloads can happen when visiting a website or viewing an email message or a pop-up window. Unlike many other types of cybersecurity attacks, a drive-by doesn’t rely on a user to do anything to enable the attack actively — you don’t have to click a download button or open a malicious email attachment to become infected.
A drive-by download can take advantage of an app, operating system or web browser that contains security flaws due to unsuccessful updates or lack of updates.
To protect yourself from drive-by attacks, you need to keep your browsers and operating systems up to date and avoid websites that might contain malicious code. Stick to the sites you usually use — although keep in mind that even these sites can be hacked. Don’t keep too many unnecessary programs and apps on your device. The more plug-ins you have, the more vulnerabilities there are that can be exploited by drive-by attacks.
Password attack
Because passwords are the most commonly used mechanism to authenticate users to an information system, obtaining passwords is a common and effective attack approach.
Access to a person’s password can be obtained by looking around the person’s desk, “sniffing” the connection to the network to acquire unencrypted passwords, using social engineering, gaining access to a password database or outright guessing. The last approach can be made in either a random or systematic manner:
- Brute-force password guessing means using a random approach by trying different passwords and hoping that one works. Some logic can be applied by trying passwords related to the person’s name, job title, hobbies or similar items.
- In a dictionary attack, a dictionary of common passwords is used to gain access to a user’s computer and network. One approach is to copy an encrypted file that contains the passwords, apply the same encryption to a dictionary of commonly used passwords, and compare the results.
To protect yourself from dictionary or brute-force attacks, you need to implement an account lockout policy to lock the account after a few invalid password attempts. You can follow these account lockout best practices to set it up correctly.
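The lockout policy recommended above as an added Python example (not code from the original article): failures are counted inside a sliding observation window, the account locks after the threshold and unlocks by itself after a fixed period. The thresholds are constructed defaults.

```python
"""Account lockout policy: lock after N failures inside an observation window.

Added example, not code from the original article. The thresholds are
constructed defaults; tune them to the organisation's own policy.
"""
from collections import deque
import time


class LockoutPolicy:
    def __init__(self, max_failures=5, window=15 * 60, lockout=15 * 60):
        self.max_failures = max_failures
        self.window = window        # only failures this recent count towards the threshold
        self.lockout = lockout      # automatic unlock after this long limits the damage an
                                    # attacker can do by deliberately locking users out
        self.failures = {}          # user -> deque of failure timestamps
        self.locked_until = {}      # user -> time at which the lock expires

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return now < self.locked_until.get(user, 0)

    def record_attempt(self, user, success, now=None):
        """Call after each login attempt; returns 'ok', 'failed' or 'locked'.

        A correct password is refused while the lock is active, so guessing
        the right password inside the lockout period gains the attacker nothing.
        """
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        recent = self.failures.setdefault(user, deque())
        while recent and now - recent[0] > self.window:
            recent.popleft()        # forget failures older than the window
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy()
    for _ in range(5):
        print(policy.record_attempt("alice", success=False))   # 4 x 'failed', then 'locked'
```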
SQL injection attack
SQL injection has become a common issue with database-driven websites. It occurs when a malefactor executes a SQL query to the database via the input data from the client to the server. SQL commands are inserted into data-plane input (for example, instead of the login or password) to run predefined SQL commands.
A successful SQL injection can read sensitive data from the database, modify (insert, update or delete) database data, execute administration operations (such as shutdown) on the database, recover the content of a given file, and, in some cases, issue commands to the operating system.
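The data-plane problem described above, shown against an in-memory SQLite database: the same login lookup with client input spliced into the SQL text, and with it passed as bound parameters. This is an added Python example, not code from the original article; the table, the account and the injected input are constructed.

```python
"""Login lookup with and without parameter binding, against in-memory SQLite.

Added example, not code from the original article. The table, the account
and the injected input are constructed to show why binding matters.
"""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")   # constructed row
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Client input is spliced into the SQL text, so it can change the query's logic."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password_hash):
    """Client input travels as bound parameters; the driver never treats it as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    injected = "alice' --"   # the comment marker removes the password check from the query text
    print(login_vulnerable(db, injected, "wrong"))   # True: authenticated without the password
    print(login_safe(db, injected, "wrong"))         # False: looked for a user literally named "alice' --"
```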
Cross-site scripting (XSS) attack
For example, it might send the victim’s cookie to the attacker’s server, and the attacker can extract it and use it for session hijacking. The most dangerous consequences occur when XSS is used to exploit additional vulnerabilities. These vulnerabilities can enable an attacker to not only steal cookies but also log keystrokes, capture screenshots, discover and collect network information, and remotely access and control the victim’s machine.
To defend against XSS attacks, developers can sanitise data input by users in an HTTP request before reflecting it. Ensure all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents. Give users the option to disable client-side scripts.
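The escaping advice above applied to a reflected search term, as an added Python example (not code from the original article): one rendering echoes the parameter raw, the other encodes it for the context it lands in, HTML entities in element text and percent-encoding inside the URL. The page fragment and the probe input are constructed.

```python
"""Reflecting a search term: unescaped versus context-appropriate encoding.

Added example, not code from the original article. The page fragment and
the sample input are constructed.
"""
import html
from urllib.parse import quote


def render_search_vulnerable(term):
    """Echoes the query parameter straight back into HTML text and a URL."""
    return (f"<p>Results for: {term}</p>"
            f'<a href="/search?q={term}">search again</a>')


def render_search_safe(term):
    """Same page, but each reflection is encoded for the context it lands in."""
    in_text = html.escape(term, quote=True)   # < > & " ' become HTML entities
    in_url = quote(term, safe="")             # ? & / < > and spaces become %XX sequences
    return (f"<p>Results for: {in_text}</p>"
            f'<a href="/search?q={in_url}">search again</a>')


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"   # constructed input of the kind a scanner submits
    print(render_search_vulnerable(probe))   # the markup is live in the page
    print(render_search_safe(probe))         # the markup is displayed as text
```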
Eavesdropping attack
Eavesdropping attacks occur through the interception of network traffic. By eavesdropping, an attacker can obtain passwords, credit card numbers and other confidential information that a user might be sending over the network. Eavesdropping can be passive or active:
- Passive eavesdropping — A hacker detects the information by listening to the message transmission in the network.
- Active eavesdropping — A hacker actively grabs the information by disguising himself as a friendly unit and sending queries to transmitters. This is called probing, scanning or tampering.
Detecting passive eavesdropping attacks is often more important than spotting active ones since active attacks require the attacker to know the friendly units by conducting passive eavesdropping before.
Birthday attack
Birthday attacks are made against hash algorithms used to verify the integrity of a message, software or digital signature. A message processed by a hash function produces a message digest (MD) of fixed length, independent of the size of the input message; this MD uniquely characterises the message. The birthday attack refers to the probability of finding two random messages that generate the same MD when processed by a hash function. If an attacker calculates the same MD for his message as the user has, he can safely replace the user’s message with his, and the receiver will not be able to detect the replacement even if he compares MDs.
Malware attack
Malicious software can be described as unwanted software that is installed on your system without your consent. It can attach itself to legitimate code and propagate; it can lurk in useful applications or replicate itself across the Internet. Here are some of the most common types of malware:
- Macro viruses — These viruses infect applications such as Microsoft Word or Excel. Macro viruses attach to an application’s initialisation sequence. When the application is opened, the virus executes instructions before transferring control to the application. The virus replicates itself and attaches to other code in the computer system.
- File infectors — File infector viruses usually attach themselves to executable code, such as .exe files. The virus is installed when the code is loaded. Another version of a file infector associates itself with a file by creating a virus file with the same name but a .exe extension. Therefore, when the file is opened, the virus code will execute.
- System or boot-record infectors — A boot-record virus attaches to the master boot record on hard disks. When the system is started, it will look at the boot sector and load the virus into memory, where it can propagate to other disks and computers.
- Polymorphic viruses — These viruses conceal themselves through varying cycles of encryption and decryption. The encrypted virus and an associated mutation engine are initially decrypted by a decryption program. The virus proceeds to infect an area of code. The mutation engine then develops a new decryption routine. The virus encrypts the mutation engine and a copy with an algorithm corresponding to the new decryption routine. The encrypted package of mutation engine and virus is attached to new code, and the process repeats. Such viruses are difficult to detect but have a high level of entropy because of the many modifications of their source code. Anti-virus software or free tools like Process Hacker can use this feature to detect them.
- Stealth viruses — Stealth viruses take over system functions to conceal themselves. They do this by compromising malware detection software so that the software will report an infected area as being uninfected. These viruses hide any increase in the size of an infected file or changes to the file’s date and time of the last modification.
- Trojans — A Trojan or a Trojan horse is a program that hides in a helpful program and usually has a malicious function. A significant difference between viruses and Trojans is that Trojans do not self-replicate. In addition to launching attacks on a system, a Trojan can establish a back door that can be exploited by attackers. For example, a Trojan can be programmed to open a high-numbered port so the hacker can use it to listen and then perform an attack.
- Logic bombs — A logic bomb is a type of malicious software that is appended to an application and is triggered by a specific occurrence, such as a logical condition or particular date and time.
- Worms — Worms differ from viruses in that they do not attach to a host file but are self-contained programs that propagate across networks and computers. Worms are commonly spread through email attachments; opening the attachment activates the worm program. A typical worm exploit involves sending a copy of itself to every contact in an infected computer’s email address book. In addition to conducting malicious activities, a worm spreading across the internet and overloading email servers can result in denial-of-service attacks against nodes on the network.
- Droppers — A dropper is a program used to install viruses on computers. In many instances, the dropper is not itself infected with malicious code and, therefore, might not be detected by virus-scanning software. A dropper can also connect to the internet and download updates to malware already resident on a compromised system.
- Ransomware — Ransomware is a type of malware that blocks access to the victim’s data and threatens to publish or delete it unless a ransom is paid. While some simple computer ransomware can lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, which encrypts the victim’s files in a way that makes them nearly impossible to recover without the decryption key.
Sources of Cyber Threats
When identifying a cyber threat, it’s essential to know the adversary and understand the tactics, techniques and procedures (TTP) associated with them. The TTP of threat actors are constantly evolving to avoid detection, but the sources of cyber threats remain the same. There is always a human element, someone who falls for a clever trick. But more importantly, there is also always a motive. This is the true source of the cyber threat. Understanding attacker TTP can help you identify the nature of a cyber threat and act to prevent the likely next steps. The MITRE ATT&CK framework is a knowledge base of threat actor TTP based on real-world cybersecurity observations. Secureworks Taegis XDR covers more than 90% of TTP across all categories of the MITRE framework, on average.
Protecting Against the Top Cyber Threats
Enterprise cybersecurity has grown more difficult with the surge in remote work. Instead of a primarily on-site workforce, security teams must protect employees working from home (potentially on personally owned devices).
These systems connected directly to personal networks and the public Internet are more vulnerable to attack. As a result, endpoint security – on computers and mobile devices alike – is an even greater priority for enterprise cybersecurity than before.
With the wide range of potential cybersecurity threats, organisations require an endpoint detection and response solution capable of detecting and protecting all of their employees’ devices against top cyber threats. To learn about the features you should be looking for in an endpoint security platform, check out these buyer’s guides for endpoint protection and mobile device security.
Looking for security access control systems in Melbourne? Worry no more as Security Systems has you covered.