Attack Vectors

Attack vectors are paths by which malicious actors gain unauthorized access to computer systems or data. These vectors can be existing avenues that are not adequately protected and hence used for unintended purposes, or they can be paths which are intentionally established for malicious activities. Attacks can come from internal or external sources.

Attack vectors generally exist because of vulnerabilities in hardware or software, or because of human factors (e.g., insider threats). Understanding the characteristics and behaviors associated with attack vectors makes it possible to identify threats. Such identification in turn enables the development of mitigations and informs risk management and resource allocation plans.

Attacks are classified as passive or active. A passive attack observes a system or its traffic without altering it, so it is stealthy and usually invisible to the untrained eye; network sniffing and traffic analysis are the classic examples, and a keystroke logger records rather than alters, although installing it is itself an active step. An active attack sends traffic or modifies systems or data: brute-force login attempts, spoofed email, and social-engineering lures such as phishing used to gain access to systems and networks are all active. A passive attack is often the reconnaissance phase that precedes an active one.

You should be familiar with the common attack types: brute force and password cracking, SQL injection, Trojan horses, phishing and its variations (spear phishing, whaling), buffer overflows, cross-site scripting, smurf attacks, wireless attacks (e.g., bluesnarfing), and logic bombs. Injection attacks are especially common: attacker-supplied input, entered at a log-in form, a web application field, or a database entry, is interpreted by the application as code (SQL, script, or shell commands) rather than as data, because the input was concatenated into a query or page without validation, escaping, or parameter binding. Attack vector lists can be found online (e.g., www.tecapi.com).
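As an added, runnable illustration of the injection mechanism just described (this is example code, not from the original page or from any of the cited projects), the following Python uses an in-memory SQLite database with constructed credentials. The login that concatenates user input into the query accepts two classic payloads; the parameterized version rejects both. CAPEC catalogs this pattern as CAPEC-66 SQL Injection.

```python
import sqlite3

# Constructed sample credentials for the demonstration (not real accounts).
USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]

# Two classic injection payloads: a tautology that makes the WHERE clause
# always true, and one that uses an SQL comment to drop the password check.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
COMMENT_PAYLOAD = "' OR 1=1 --"


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def vulnerable_query(username, password):
    """Build the query by string concatenation, so user input becomes SQL syntax."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable login: the 'before' form of the fix. Do not reuse."""
    (count,) = conn.execute(vulnerable_query(username, password)).fetchone()
    return count > 0


def login_safe(conn, username, password):
    """Parameterized login: the driver binds the values, which are never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo():
    """Run a legitimate login and both payloads against each implementation."""
    conn = make_db()
    good = ("alice", "correct horse battery staple")
    return {
        "legit_vulnerable": login_vulnerable(conn, *good),
        "legit_safe": login_safe(conn, *good),
        # The attacker knows no password; the payload goes in the password field.
        "tautology_vulnerable": login_vulnerable(conn, "alice", TAUTOLOGY_PAYLOAD),
        "tautology_safe": login_safe(conn, "alice", TAUTOLOGY_PAYLOAD),
        # Here the payload goes in the username field and comments out the rest.
        "comment_vulnerable": login_vulnerable(conn, COMMENT_PAYLOAD, "anything"),
        "comment_safe": login_safe(conn, COMMENT_PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    print(vulnerable_query("alice", TAUTOLOGY_PAYLOAD))
    for name, granted in demo().items():
        print(f"{name:22s} access granted: {granted}")
```

Printing `vulnerable_query("alice", TAUTOLOGY_PAYLOAD)` shows why the check collapses: `AND` binds tighter than `OR`, so `'1'='1'` is true for every row. The parameterized form is the fix; input filtering alone is not, because the payload contains only characters a password may legitimately hold.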

Enumerated attack vectors are used to formulate attack patterns, which identify and characterize threats in order to guide risk management and development practices for software assurance. One schema for attack pattern enumeration is Common Attack Pattern Enumeration and Classification, or CAPEC (MITRE, n.d.). The attack pattern CAPEC-100 Overflow Buffers, for instance, describes a buffer overflow attack according to the CAPEC schema: the attack vector is the buffer overflow itself (input that exceeds the space reserved for it), and the attack pattern describes how a missing bounds check enables the overflow and how an attacker exploits it to affect the information system.

Best practice in software assurance, and more generally in risk management, includes the use of industry-wide schemas and frameworks. CAPEC belongs to a family of MITRE-maintained schemas (alongside CWE, the Common Weakness Enumeration), is cross-referenced by community projects such as the Open Web Application Security Project (OWASP, n.d.), and is independent of any specific commercial interest. The Vocabulary for Event Recording and Incident Sharing, or VERIS (Verizon, n.d.), maintained by Verizon Communications Inc., is another important schema for enumerating threat incidents and breaches. Further, as a service to the community, Verizon annually publishes the Data Breach Investigations Report (Verizon, 2016).

Public sharing of incident and breach data using VERIS supports software assurance by improving threat identification: incidents are described in a common language, including the attack vectors involved, and posted to the publicly accessible VERIS Community Database (VCDB), where others can analyze them.

References

MITRE Corporation. (n.d.). About CAPEC. In Common attack pattern enumeration and classification: A community resource for identifying and understanding attacks. https://capec.mitre.org/about/

Open Web Application Security Project (OWASP). (n.d.). Welcome to OWASP. https://www.owasp.org/index.php/Main_Page

Verizon. (n.d.). The Veris Community Database (VCDB). http://veriscommunity.net/vcdb.html

Verizon. (2016). 2016 Data breach investigations report.

Check Your Knowledge

Choose the best answer to each question:

Question 1
Brute-force attacks are usually focused on which of the following?
passwords
encryption
wireless networks
biometrics
Question 2
A particular attack that is called bluesnarfing is described as which of the following?
bluetooth spam
wireless attack
automobile computer system attack
compromising a Bluetooth connection
Question 3
Whaling is a type of attack that targets which of the following personnel?
human resources personnel
accountants
executives
security administrators
Question 4
Which of the following attacks results from poor programming practices, specifically the failure to check input parameters within software applications?
backdoors
buffer overflow
Trojan horses
memory overflow
Question 5
If the practice is to supply system‐generated passwords to employees, the organization is less susceptible to which of the following attacks?
brute-force
dictionary attacks
both brute-force and dictionary attacks
none of the above
Question 6
Which of the following attacks takes advantage of a flaw in newly released software before the vendor has made a patch available?
exploit attack
zero-day attack
phishing attack
password cracking
Question 7
A hacker is someone who seeks and exploits weaknesses in a computer system or computer network. What is the first thing that hackers most likely try to accomplish once they have penetrated an organization's system?
encrypt the data
exfiltrate the data
determine the users' passwords
escalate privileges
Question 8
Dishonest software development employees can ultimately sabotage a company's system upon their exit from the company by placing which type of attack?
logic bomb
SQL injection
cross-site scripting
none of the above
Question 9
Which of the following is usually considered the most widely used form of social engineering?
cross-site scripting
phishing
dumpster diving
Trojan horse
Question 10
Unscrupulous developers have been known to place malware in code that is designed to launch after a specific time period. This type of attack is called which of the following?
cross-site scripting
buffer overflow
SQL injection
logic bomb