Types of Attack

Before we get into the technical solutions that can help protect against security breaches, let’s talk about the most common types of hacking. Once we know what they are, we can protect against them.

Malware is probably the type of cyber security breach we hear about the most. We have some huge examples of this with WANNA CRY among others recently. The malware can get onto the servers through social engineering methods (discussed later), where a phishing email or convincing advert leads to the user clicking on a link & downloading the dreaded malware.

One thing to really think about here is, if the hackers manage to obtain the password to one of your systems, it’s very likely that your users have re-used their password on other systems too. So it can have a trickle down effect and leave you very exposed.

Another example of getting malware onto your system can be through the use of a fake wireless access point. The hacker could setup a wireless router somewhere near a Mcdonalds restaurant and call it McDonalds1. This would trick users into joining the network, thinking that it’s legitimate and managed by Mcdonalds themselves. Once connected, this can lead to malware being downloaded and could lead to sensitive information to be stolen. This absolutely therefore requires you to include a section in your policies about joining networks that you don’t know.

The next thing we’re going to talk about is SQL injection. This is a type of attack that can be used with web applications using SQL as the backend database (or MySQL, PostgreSQL etc..). Essentially, if the website is not properly secured, hackers can insert (or inject) code into the website, enabling them to extract the username and password. 

This in itself will be impossible for your end users to spot. So, it’s important that they are only logging into secure and properly managed websites, rather than relatively unknown websites. Again, it’s likely they re-use their password, so getting hacked on www.i-love-to-buy-brocolli.com may not seem like an issue, but it is if they’ve used the same password for your CRM system.

One of the most painful parts of dealing with hacking is realising that most of it is the fault of people. Social engineering is what we call a type of attack where users are manipulated into believing a message is from a trusted source. From here, you could download an email attachment, get malware on your PC and suddenly be compromised. 

Some types of social engineering include:

  • Phishing. This is the most common type of social engineering attack and I actually received one recently. The hacker had recreated an exact replica of the kind of email I might receive from my bank, they had also setup a fake login page, so if I had taken the bait, I would have just given them my username and password. Of course, I don’t believe anything I am emailed and checked the email address it came from, clearly it was not from my bank – you would be surprised how many people do fall foul of this,.

    There are different types of phishing too. It can be over email, SMS and the phone but it can also take the form of online ads, where they entice the user to click, thinking it’s a brand they know that is having a 50% off sale. Once you’ve clicked, they prompt you to login on a replica login page.

    Spear phishing is another type of phishing where the emails are a little bit less random and generic. They’re targeted at particular individuals and they’re made to be extremely unique. Imagine they did a lot of research about you online and could tell you all sorts of things they shouldn’t know about you. You’d be more likely to fall into their trap.
  • There is also Vishing. This is where the hacker creates an IVR (Interactive Voice Response) system that is identical to that of a company you know. They then trick people into entering their confidential information into the IVR when requested.

  • Baiting plays on the curiosity of people. Attackers will leave a USB drive on the desk and wait for someone to come along and stick it in their computer. The USB drive has malware on it and infects the users computer.

    More modern versions of baiting will be around downloads online. For example, you may see if a user will take the bait of a free software download.

  • Tailgating is a type of physical security risk. When you enter a building that requires a pass to get in, unauthorised individuals might tailgate you and get through the barriers before they close behind you.

We may talk about hacking a lot, but it actually doesn’t account for that big of a chunk of attacks. Hacking is all about finding and exploiting vulnerabilities in software. This attack allows the attacker to perform actions on the system that they should not be authorised to do.

We see apps being updated all the time to fix bugs. It’s really important that we keep our apps up to date, as those bugs may present vulnerabilities in the application, which hackers can exploit.

In recent times, hackers have taken control of systems in major organizations and taken actions to extort the companies out of money to restore the system back to it’s working form. In the Netflix case, they then released the unreleased episodes of Orange Is The New Black, because Netflix didn’t pay them. Imagine if those episodes were your customer data!

Another issue is when the user credentials to various systems get cracked by the hackers. This is a particularly big issue, as users tend to use the same password for multiple things.

As a result, more and more people are turning to password management software, so they can have an increased number of more complex passwords. The issue is, the password managers are software which will inevitably have vulnerabilities, which can be exploited and all passwords can be exposed at once.

The final type of attack we will discuss is DDoS which stands for Dynamic Denial of Service. This is where the attacker floods the server with requests which overwhelms the systems and prevents legitimate requests from being fulfilled. There are lots of workaround for this problem, which we will discuss in the next section.

So the conclusion then. The below table shows each of the attacks we described above and looks to the most suitable solutions.

Attack Type

Solution

Phishing

  • User training
  • Security policy
  • SAR Policy
  • Information Sharing Policy
  • Technical solution (e.g. spam filters)

Vishing 

  • User training
  • Security policy
  • SAR Policy
  • Information Sharing Policy
  • Technical solution (e.g. blacklisting numbers)

Baiting 

  • User training 
  • Security policy

Tailgating 

  • User training 
  • Security policy

SQL Injection

  • User training 
  • Security policy

Hacking

  • User training 
  • Security policy
  • Technical solution

DDos

  • Technical Solution

The above table really shows the problem here. Of course, we need the appropriate technical solutions to manage our data, but people really are the problem in every business. We’ve already discussed that they are the root cause of most data breaches and hence, we need to make sure our policies and procedures are absolutely bulletproof in addition to good technical solutions.

For Phishing and Vishing, we can put technical solutions in place but it’s likely that some messages or calls will slip through the cracks. The employees must therefore be trained to identify those mails that we would consider to be phishing; they must know how to keep themselves safe (security policy), they then also need to know what they can share and with who (SAR and Information Sharing Policy), incase they are fooled by the email and share the wrong information.

Baiting really just requires the workforce to agree to the security policy and undergo the associated training to make sure that they’re not tempted to put that USB stick into their machine.

Tailgating needs the workforce to be trained to identify tailgating and they need to act to stop it before any harm is caused.

When we think about hacking, we need to train the users in-line with the security policy to make sure that they keep all their software up to date. This removes the risk of bugs and hence removes potential vulnerabilities in the software.

Finally, DDos requires a technical solution to deal with the flood of requests.