Attack Vectors and Attack Surfaces explained
In the context of IT security, business owners must be aware of the following two terms:
- Attack Vector.
- Attack Surface.
What is an Attack Vector?
An Attack Vector is the path or route that a malicious actor, or malware acting on their behalf, uses to get into your network and reach your data and services. It describes how the attacker gets in, not merely what they do once inside.
To make this concrete, consider the 2013 credit card breach at Target. Attackers stole the network login details of an air-conditioning (HVAC) contractor, used them to get a foothold on Target’s corporate network, and then moved laterally from that foothold to the point-of-sale systems where card data was captured. The contractor’s credentials were never meant to reach those systems; the problem was that a third party’s account was trusted further inside the network than its job required. In this case, the Attack Vector was “Compromised Credentials In Network-Trusted Third Parties”.
The same class of weakness persists today. In the 2020 SolarWinds attack, the attackers first compromised SolarWinds itself (SolarWinds reported compromised Microsoft Office 365 accounts, although the initial entry point was never confirmed) and then tampered with the build process so that a backdoor was inserted into digitally signed updates of the Orion product. Customers installed the backdoor through their normal, trusted update process. Two vectors were at work: compromised credentials at the vendor, and misplaced trust in signed software updates at the victims. That second vector is what makes it a software supply-chain attack rather than an exploit of a vulnerability in Orion.
As another example, ransomware is commonly delivered by email and relies on human fallibility. A typical infection starts with a phishing message that carries a malicious attachment or link, and succeeds only if the recipient is persuaded to do something the existing controls discourage, such as enabling macros in a document or running a downloaded file. The Attack Vector being exploited is “Phishing”: users are tricked into taking an action they would normally avoid. (Phishing is not the only route in; exposed remote-access services and unpatched software are also common ransomware entry points, which is why the attack surface review below matters.)
Here’s another example: malware bundled into a mobile or desktop app is usually granted all the permissions it needs at the moment of installation, because the user approves them without reading. Apps from unofficial app stores (and occasionally from official ones) can be laced with malware, and the targets are users who sideload apps to avoid paying for them or who never check an app’s provenance. This Attack Vector is “Users who like to circumvent controls”.
Putting these together, common attack vectors include:
- Weak passwords.
- Shared passwords.
- Software vulnerabilities.
- Software misconfigurations.
- Denial of service.
- Stolen credentials.
- Misused trust relationships (third-party accounts, vendor connections, trusted software updates).
What is an Attack Surface?
As for an Attack Surface, it is the sum of all your company’s Attack Vectors. More precisely, it is the set of all points at which something outside your control can touch your systems or data: internet-facing services, remote-access and partner connections, email, user and service accounts, third-party integrations, and the software update channels you trust. Every vector above runs through one of these points, so the more of them you have, and the more privilege each one carries, the larger your Attack Surface.
You should map your Attack Surface and update the map periodically, at minimum whenever you introduce new software, hardware, cloud services or third-party access to your environment. A current map lets you take proactive steps to prevent breaches, and to limit the damage and recovery time if one does happen.
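The following is an added example, not part of the original article or any vendor tool, of what “mapping the Attack Surface” can look like in code. It models each entry point as a record (exposure, authentication, who owns it, how far into the network it reaches), raises the findings a reviewer would want to see (in particular the Target-style case of a third-party account trusted network-wide, and the remotely reachable account without MFA that phishing preys on), ranks entry points by a rough risk score, and diffs two snapshots so that newly introduced vectors surface on the next review. The asset names, interface categories, score weights and both inventories are constructed for illustration.

```python
"""Attack-surface inventory: record entry points, raise findings, diff snapshots.

Added example (not the article's or any product's code). Weights and sample
inventories below are constructed assumptions, chosen only to illustrate the idea.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class EntryPoint:
    """One place where something outside a trust boundary can reach company data."""
    asset: str       # host, system or account name
    interface: str   # where it is reachable from: internet, partner-vpn, email, internal
    kind: str        # "service" or "account"
    auth: str        # strongest authentication in front of it: none, password, mfa
    owner: str       # who controls it: employee, third-party, system
    reach: str       # how far into the network it can get: segmented or network-wide


# Ordinal weights (assumed); higher means a more attractive vector.
INTERFACE_WEIGHT = {"internet": 3, "partner-vpn": 2, "email": 2, "internal": 1}
AUTH_WEIGHT = {"none": 3, "password": 2, "mfa": 0}


def risk_score(ep):
    """Rough ordinal score combining exposure, authentication, ownership and reach."""
    score = INTERFACE_WEIGHT.get(ep.interface, 1) + AUTH_WEIGHT.get(ep.auth, 2)
    if ep.owner == "third-party":
        score += 2   # credentials held outside your control (Target-style vector)
    if ep.reach == "network-wide":
        score += 2   # a compromise here is not contained by segmentation
    return score


def findings(inventory):
    """Named findings a reviewer should raise; an empty list means nothing flagged."""
    out = []
    for ep in inventory:
        if ep.owner == "third-party" and ep.reach == "network-wide":
            out.append(f"{ep.asset}: third-party {ep.kind} trusted network-wide "
                       "(compromised-credentials-in-trusted-third-party vector)")
        if ep.kind == "service" and ep.interface == "internet" \
                and ep.reach == "network-wide" and ep.auth != "mfa":
            out.append(f"{ep.asset}: internet-facing service with network-wide reach and no MFA")
        if ep.kind == "account" and ep.interface != "internal" and ep.auth == "password":
            out.append(f"{ep.asset}: remotely reachable account without MFA "
                       "(phishing / credential-theft vector)")
    return out


def ranked(inventory):
    """Entry points ordered from most to least attractive, ties broken by name."""
    return sorted(inventory, key=lambda ep: (-risk_score(ep), ep.asset))


def snapshot_diff(previous, current):
    """(added, removed) entry points between two reviews, so new vectors stand out."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


# Constructed sample inventories. BASELINE is last quarter's map; CURRENT adds a new
# HVAC vendor login and an RDP jump host that someone exposed since then.
BASELINE = [
    EntryPoint("www", "internet", "service", "none", "system", "segmented"),
    EntryPoint("mail-gateway", "internet", "service", "none", "system", "segmented"),
    EntryPoint("vpn", "internet", "service", "mfa", "system", "segmented"),
    EntryPoint("staff-accounts", "email", "account", "mfa", "employee", "segmented"),
    EntryPoint("file-server", "internal", "service", "password", "system", "segmented"),
]
CURRENT = BASELINE + [
    EntryPoint("hvac-vendor-login", "partner-vpn", "account", "password", "third-party", "network-wide"),
    EntryPoint("rdp-jump", "internet", "service", "password", "system", "network-wide"),
]


def review(previous, current):
    """Full review output for a snapshot pair, as a plain dict."""
    added, removed = snapshot_diff(previous, current)
    return {
        "added": [ep.asset for ep in added],
        "removed": [ep.asset for ep in removed],
        "findings": findings(current),
        "top": [(ep.asset, risk_score(ep)) for ep in ranked(current)[:3]],
    }


if __name__ == "__main__":
    for key, value in review(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

Running the block prints the two newly added entry points, three findings (two against the vendor login, one against the jump host) and the top-ranked assets. The rules are deliberately simple; the point is that the inventory is data you can diff and query, rather than a diagram that goes stale, and that the checks encode the vectors described above.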
Take full control of your system to avoid dire consequences
If you don’t have a full picture of your points of exposure, you may end up losing weeks of operation and anywhere from thousands to hundreds of thousands of dollars recovering your data after a ransomware attack. Worse, you may lose the trust and future business of your customers once a breach becomes known, and in Australia you are required to notify affected individuals in certain cases, so you cannot count on it staying quiet.
Under the Notifiable Data Breaches (NDB) scheme, organisations regulated by the Privacy Act 1988 must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving personal information is likely to result in serious harm to the individuals concerned. At the time of writing, serious or repeated interferences with privacy could attract penalties of up to $2.1 million for companies; those maximums have since been raised substantially.
The NDB scheme creates real difficulties for organisations that are negligent about their cybersecurity. For conscientious businesses, however, it has a useful side effect: the OAIC publishes twice-yearly Notifiable Data Breaches statistics reports, which show which vectors are actually causing breaches in Australia and so help you prioritise where to harden your network.
Among other things, the July–December 2020 report breaks down the sources of breaches in notifying organisations. Between July and December 2020, 58% of notified data breaches were attributed to malicious or criminal attacks, 38% to human error and 5% to system fault (the figures are rounded, which is why they add to slightly over 100%).
A further breakdown of malicious or criminal attacks shows that:
- 68% of malicious/criminal attacks were cyber incidents.
- 11% of malicious/criminal attacks were caused by a rogue employee/insider threat.
- 11% were caused by social engineering/impersonation.
- 9% were due to the theft of paperwork or data storage devices.
Within the cyber incidents, the most common methods were:
- Compromised or stolen credentials where the method was unknown (25%).
- Phishing leading to compromised credentials (25%).
- Ransomware (17%).
- Hacking (14%).