A data breach can be a catastrophic event for any federal government agency. One way to help curb potential exploits is to get a handle on potential attack vectors. An attack vector is the combination of a bad actor’s intentions and the path they use to execute a cyberattack on an organization. For example, a cybercriminal looking to infect a network with ransomware may use a phishing email to gain access. In this case, the phishing email is the attack vector.
Hackers continually attempt to gain unauthorized access to your computer, server or networked system of devices and cause a malicious outcome, or attack. The method by which they attempt to achieve that outcome is the attack vector.
What are examples of common attack vectors?
SQL injection is a common attack vector in web applications. It takes advantage of a vulnerability that allows attackers to modify queries as they are executed on the underlying database. Man-in-the-middle is another common attack, in which connections are intercepted for anything from simple spying to introducing rogue content.
Phishing exploits combine deceit with malware. Attackers often send legitimate-looking email messages to your users, knowing that eventually an unsophisticated user will click on an embedded link or attachment. That leads to a malware infection or to a “watering hole” with a form requesting more information that the site captures for later use or sale.
Currently, the attack that most often grabs headlines is ransomware, a type of malware that spreads quickly and encrypts all the files it infects. The attacker effectively holds your data hostage and demands payment of a ransom, usually in an untraceable format such as a cryptocurrency.
Other common attack vectors include, but are not limited to:
- Vulnerability exploits — All software contains weaknesses. When attackers find them, they can use them to gain access to government agency networks and data.
- Zero-day vulnerabilities — Some vulnerabilities are designed to open a window and strike at a given time, while zero-day vulnerabilities strike as soon as they infect the system.
- Shadow IoT devices — Unauthorized hardware like USB drives and small computing devices can sit attached to a server or workstation, unobserved by IT staff. If secreted onto the network by somebody with internal access, such a device can capture and send a lot of data before being discovered.
- Unsecure applications — Most IT groups deal with this by enforcing a list of applications that are approved or disapproved for use on the network. This issue has weighed on organizations in the era of BYOD, as control of devices has shifted away from agency-issued hardware and IT has had to obtain user permission for updates. That loss of control has made it more difficult to maintain tight security.
- Supply chain — To the extent that your organization depends on software for its success, the supply chain behind that software becomes an attack vector. A single exploit in the supply chain ripples out to all the organizations running the software, as build tools and repositories incorporate the exploit and distribute it.
- Humans themselves — The highest-leverage attack vector is an authenticated user who can simplify the task of providing access. From those unwitting users who keep opening rogue email attachments to those who act with ill intent, humans interacting with data tend to be the most powerful vector.
What is the relationship between an attack vector and a government agency’s attack surface?
Think of an attack vector as every attempt to storm the castle of your network. Your attack surface, then, represents the full scope of your vulnerabilities, similar to holes in your castle walls and ladders you left outside. It’s a measure of your overall security posture because it reflects all the ways in which you’re weak and liable to exploitation.
Suppose you use remote desktop protocol (RDP) for your remote workers, but you haven’t added the necessary security layers, or you’re lax about authentication for those RDP sessions. If you’re secure in all the other areas and have them locked down, then your attack surface is limited to RDP. The fewer places you’re vulnerable, the smaller your attack surface in the face of attempts to breach your network.
What do threat actors do?
Threat actors are people who intend to compromise an organization’s security, data, information or reputation. Common classes of threat actors include cybercriminals, nation-state actors, ideologues, insiders and even your own competitors. As described above, threat actors have the what (intent), so they manage and direct the activities of the hackers, who have the how (skills).
Hackers sniff around for openings and clues to openings, like the email address of an administrative assistant with access to executive data. Their thinking is that, although the devices of your CXOs are secure, the devices of admin staff are less secure.
Or, they run port scanning tools, looking for ports that you’ve left unprotected on your firewall. That’s one way to find and exploit RDP, or initiate a SQL injection attack on a database.
Most devious is social engineering, in which hackers perform the digital equivalent of simply talking their way through the door and into your building. It’s a confidence game in which they con their target into revealing information like a password or a location. They can then use the information for the next step in their attempt to plant a malicious payload on your network.
5 best practices for reducing risk from attack vectors
- Monitor and manage your endpoints — If you’re not controlling the systems that people are using, then the effect is like tying a blindfold on yourself. The best way to anticipate and avoid an attack is to know what’s happening on all the devices in your environment, then configure those devices for limited function. That means mitigating the risk that something will exploit a feature of an application or the operating system.
- Restrict administrator privileges where possible — Do your users really need full admin rights on their agency-issued devices? Sure, it’s nice not needing to escalate privileges for them, but the downside is that they can easily install their own programs.
- Reassess permissions consistently — Instead of infrequent, one-off monitoring, stay on top of changes to permissions. Your goal is to monitor frequently so that, if you discover a vulnerability, you can minimize damage from it. That’s better than stumbling onto it and hoping it hasn’t been there a long time. If you don’t brush your teeth for a couple of months, you’ll pay the price, and the same is true for monitoring.
- Monitor suspicious behavior — Suppose a new network service account has popped up in the last few days. IT didn’t create it. Why was it created? Who needed it? For what purpose? It could be completely benign, but it could also be something malign. The same applies to unexpected hardware devices. Make sure you can explain every new event on your network.
- Train employees on security — No government agency can afford to overlook the human factor inherent to almost every attack vector. That’s why it’s important to inform and remind all network users of the ramifications and consequences of their actions. You reap the benefits of good training every time an employee pauses before opening an attachment or clicking on an unrecognized link.
Maybe you have no control over the next attack vector a bad actor will use, but you have control over your government agency’s defense against it. As important as it is to understand attack vectors, it’s more important to establish and maintain strong endpoint security. It’s always a good idea to look to flexible endpoint management software to help you discover, manage and secure your devices via traditional and modern methods.
