Importance of Cybersecurity
To Read Part 1 click here
Understanding the attack surface
I am sure, by now, that you have a grasp of security and its importance to some extent. So, let’s take a look at what attack surface is, and how we define it, as it’s important to understand the attack surface so that we can plan well for our security. In very simple terms, attack surface is the collection of all potential vulnerabilities which, if exploited, can allow unauthorized access to the system, data, or network.
These vulnerabilities are often also called attack vectors, and they can span from software, to hardware, to network,and the users (which is the human factor). The risk of being attacked or compromised is directly proportional to the extent of attack surface exposure. The higher the number of attack vectors, the larger the attack surface, and the higher the risk of compromise. So, to reduce the risk of attack, one needs to reduce the attack surface by reducing the number of attack vectors.
We witness all the time that attacks target applications, network infrastructure, and even individuals. Just to give you an extent of attack surface and the exposure, let’s look into the Common Vulnerabilities and Exposure (CVE) database (https://cve.mitre.org/cve/). It has 108,915 CVE entries (at the time of writing this chapter), which are all those that have been identified so far over the past few decades. Certainly many of these are now fixed, but some may still exist. This huge number indicates how big the risk of exposure is.
Any software that is running in a system can potentially be exploited using vulnerabilities in the software, remotely or locally. This applies particularly to software which is web facing, as it is more exposed, and the attack surface is much larger. Often, these vulnerable applications and software can lead to the compromise of the entire network, and also pose a risk to the data it is managing. Apart from these, there is another risk that these applications or software are exposed to all the time: insider threat, where any authenticated user can gain access to the data that is unprotected due to badly implemented access controls.
On the other hand, an attack surface that exposes network attacks can be passive or active. These attack surfaces can allow the network services to collapse, make it temporarily unavailable, allow unauthorized access of the data flowing through the network, and so on.
In the event of a passive attack, the network can be monitored by the adversary to capture passwords, or to capture information that is sensitive in nature. During a passive attack, one can leverage the network traffic to intercept the communications between sensitive systems and steal the information. This can be done without the user even knowing about it.
Alternatively, during an active attack, the adversary will try to bypass the protection systems by using malware or other forms of network-based vulnerabilities to break into the network assets; active attacks can lead to exposure of data and sensitive files. Active attacks can also lead to Denial-of-Service type attacks. Some common types of attack vectors are:
- Social engineering, scams, and so on
- Malicious URLs and scripts
- Browser-based attacks
- Attacks on the supply chain (which is rising day by day)
- Network-based attack vectors
The threat landscape
The attack surface also brings in another term, threat landscape. We, in the cybersecurity community, talk about it every day. Threat landscape can be defined as the collection of threats that are observed, information about threat agents, and the current trends of threats. It is important that every security professional keeps track of the threat landscape. Usually, many different agencies and security vendors will release such threat landscape reports, for example, ENISA (European Union Agency for Network and Information Security), and NIST (National Institute of Standards and Technology), along with some of the big security corporations.
Moreover, the threat landscape is an extremely dynamic space; it changes very frequently, and is driven by many factors, such as available tools to exploit vulnerabilities, the knowledge base of available resources and vulnerabilities, and the skill requirements to place an attack. (This is becoming increasingly easy due to the freely available tools on the internet.) We will talk more about the threat landscape resources in following chapters in this book. The following is a list of different threats in 2016-2017 and their relative rankings:
Figure 2: ENISA Threat Landscape Report 2017
The preceding image is the threat landscape for 2017 based on a report from ENISA. This brings us to a point where it is important to know a little bit about some common types of attacks:
- Unstructured attacks: These are one of those attacks where the adversary has no prior knowledge of the environment they are launching an attack on. Mostly, in such scenarios, they rely on all the freely available tools. Unstructured attacks are often targeted en masse, based on any common vulnerability and available exploitation.
- Structured attacks: In the case of a structured attack, unlike an unstructured one, the adversary is much more prepared and well planned in carrying out the attack. In most of the cases of structured attacks we notice that the attackers demonstrate their advanced skills of programming, and knowledge about the IT systems and applications they are targeting. These attacks can be highly organized in nature and mostly targeted towards an individual entity or industry vertical.
- Social engineering (phishing, spear phishing, and so on): This attack is targeted towards one of the weakest links, humans. In this attack, the user is exploited in various ways. Often these attacks are successful because of a lack of knowledge or ignorance. Information is extracted from the user by tricking them one way or the other. The most common way is by phishing and spear phishing. In a phishing and spear phishing attack, data is extracted by impersonating something that looks authentic to the user, such as, posing as an administrator helping the user to reset their password, and other account details, via a web portal. These portals are specially crafted to suit the purpose of extracting data which the attacker wishes to collect. Users fall prey to those, and share sensitive information.
- Eavesdropping: This attack can be performed by gaining unauthorized access to the network and listening to the network communications. Commonly, all the traffic that is not encrypted can be easily targeted by the attacker.
- Denial of Service (DoS and DDoS): This is one of the oldest forms of network-based attacks, where the attacker will attempt to overwhelm the processing or computing capacity of the application or device by sending such a flood of data that it is more than the application or the device can handle, thereby disrupting the system. On the other hand, distributed denial of service (DDoS), is launched from multiple sources towards a single victim application or system on a very large scale, more than the amount that can be handled. This is one of the hardest to mitigate without proper technologies in place.
- Man-in-the-middle attack (MITM): In this attack form, the session or the network is hijacked in between by manipulating the communication between server and client, and acting as a proxy server, often without the knowledge of the victim.
- Malware: Malware can be defined as disruptive software, which is intentionally designed to cause damage or achieve any other malicious intent by its creator. Most of the time, this access is gained by exploiting the computing system’s security, or any vulnerabilities, with help from the malware. Worms and Trojans are different forms of malware, and these have a very specific capability to spread from computer to computer and replicate themselves. Malware can cause theft of data, mass destruction of computer systems, disruption of network activities, and also can help in corporate espionage. Most of the latest malware may have unique capabilities to hide itself extremely well from the security systems and detection mechanisms, and stay active for weeks to years.
- Botnets: When computer systems are infected with malware, or any other malicious remote tools, and these infected computer systems are controlled by the attacker remotely, it is known as a bot. Furthermore, when there are many computers which are compromised by this malware, and controlled by the attacker, this network, or collection of compromised computers, is called a botnet. The remote mechanism and the control method are also termed as “Command and Control”. Botnets can be used for various other purposes by the adversary, and, to achieve these, the botnet master will keep updating the malicious program’s binary. Botnets used to be single-focused in terms of their mission. However, in the recent past, they have changed to become multiple-purpose malicious applications.
- Cross-site scripting: Cross-site scripting, commonly known as XSS attack, is an exploitation of flaws in web applications, which allows the adversary to inject malicious client-side script and compromise the user, without their knowledge in most cases. In general, these flaws exist due to poor input validation of web-based applications. Once the XSS is sent to the user, the browser will process it because the browsers have no mechanism to stop XSS based attacks. There are multiple forms of XSS attacks. Stored and reflected types of XSS are very common. Stored XSS allows the attacker to leave permanent malicious scripts in the victim’s server, while reflected XSS usually takes place when the attacker sends a specially crafted link with a malicious query in the URL to the user, and the unsuspecting user clicks on the link, which then takes the user to a malicious site and captures the user’s sensitive data, which is then sent to the attacker. Reflected XSS is possible only if the user clicks on the link. Or, another method is if the attacker tricks the user into clicking it.
- Drive-by download attack: This form of attack is very commonly seen over the internet. It has been one of the top threats in the past couple of years. In practice, attackers will compromise a well-known benign website and host their malware there, by embedding malicious links. Once users visit these non-suspecting websites, they get compromised by automatically being redirected to the malware download locations. Often, the links of compromised websites could be spread via spam or phishing emails, where a user might click a link out of curiosity, or unknowingly, and get the malware downloaded into the system.
- SQL injection attack: SQL injection attack is usually targeted towards the database exposed via the web. An attacker would execute malicious queries via poorly configured web applications, mostly in the data input mechanism to run SQL commands. The attacker, if successful, can gain access to the database, manipulate sensitive data, or, at times, also modify data. SQL injection can also allow arbitrary commands to manage the operating system remotely. This vulnerability is successful mostly due to the poor input sanitization at the web application, rather than at the database end, because databases are designed to execute queries as they receive them and return results accordingly. So, the developers must take care about input sanitization and only accept data input as desired, and check for any malicious inputs, before sending it to a database for query execution.
- Advanced persistent threat (APT): This attack has been on the rise over many years. The modus operandi of these attacks is mostly to launch highly targeted attacks against specific individual organizations, industry segments, or even a nation. These threats are called “advanced persistent” because the attacker, or the group of attackers, will use many advanced and stealthy techniques to stay undetected for a very long time. Often, it is found that the attack and persistent methods are specifically crafted for the particular attack and have never been used in any other attacks. APT based attacks are mostly well funded and they are mostly a team driven activity.
- APT is used to target intellectual property, any form of sensitive information, disruptive activities, or may even be for corporate espionage, or sabotage of data, and/or the infrastructure. APT attacks are entirely different from the other forms of attack; the adversary/adversaries take a very organized approach to know their target and the mission they want to achieve, and they do not rush to attack. The attack infrastructure is very complex at times. The main goal of the attacker/attackers is to stay in the compromised network as long as possible and stay hidden from security detection. One of the significant natures of APT, is that it can only impact certain parts of the network, or certain persons in the company, or just a few systems in the network that are the point of interest. This, therefore, makes it more challenging to detect APT activities by security monitoring systems.
- Web-based attacks: In these attacks, as the name suggests, the target systems are mostly those which are internet facing devices, applications, services, and so on. Practically, we can say that the majority of internet applications are exposed to web attacks. These can be attacked via flaws and vulnerabilities, not only in the applications, but, also, in the medium by which we access those applications, such as web browsers. Web browser exploits have been on the rise for many years. Web servers are always a very lucrative target for the adversary/adversaries. Some of the famous attack forms are drive-by downloads or watering hole attacks (where a legitimate web application, used by the target/targeted organizations, is compromised and then the attacker waits for the employees/users to visit the website and, thus, it becomes compromised).
- Insider attacks: Insider attacks are the human element of cybersecurity that are extremely vulnerable and very difficult to track, monitor, and mitigate. This threat indicates that the users with authorized access to the information assets will cause harm to the entity/business, or the organization. This is sometimes done unknowingly by becoming prey, or, sometimes, they are the ones conducting the attack.
- In general, there are no definitive ways to detect or monitor insider threat proactively; it can only be found when the damage has already been done in most cases. It’s been a rising trend over many years, as the advanced attackers try to exploit insiders to gain access to the organization or businesses. This has been a major threat to governments and it’s increasing day by day. Even if the organizations have a bullet proof network with a lock down environment, and strong perimeter defenses, insider attacks are considered to be the most effective. The mitigation of an insider threat is beyond the technical implementation. The organization also needs to include the social culture and education of its own users about how to treat security and stay vigilant.
- Ransomware: Ransomware has done a lot of damage recently and has come up as a prominent threat. The modus operandi of ransomware is mostly to gain monetary profit by holding the user’s data/system in ransom by making it unusable. This is achieved by compromising the system with one or other form of existing exploits and vulnerabilities and then encrypting the data in the user’s system. Once encrypted the attacker would demand money in exchange for the decryption key. The following screenshot shows an example of a ransomware message:
Figure 3: Example of Ransomware message, https://digitalguardian.com/sites/default/files/zdnet.jpg
Ransomware attacks are extremely dangerous because of their mechanism. Anyone with a little knowledge and access to freely available exploitation tools can use them to gain access and encrypt data. This is mostly done on a wide scale to generate more profit by volume, and the process is entirely automated. There are dark net groups that have created ransomware-as-a-service to offer the infrastructure and tools needed to generate such a campaign. Ransomware attacks are now being targeted more at organizations, such as banks and other financial institutions, to generate huge profits by disrupting their business and asking for ransom. WannaCry and NotPetya are the two most disrupting examples of ransomware that we have seen recently.
One of the notorious examples of ransomware even had the modus operandi to make the system unusable, which implied that it not only encrypted the data on the systems, but also had overwritten the master boot record that makes the computer unusable if rebooted. The impact of ransomware is unimaginable when it comes to attack against infrastructure like airlines, hospitals, governments, and emergency services.
- Espionage: This is one of those serious issues that has always been there since the beginning of human warfare. Today, this is taking place between corporate, governments, and various other entities, and the battleground is cyberspace. It’s beneficial, in a sense, because no one is directly coming in front to perform this espionage; they are all behind the hidden cyberspace, and the attackers can stay anonymous. We have already seen in the news in the past couple of years how one government is trying to damage or disrupt the other by using a cyber form of espionage, by compromising sensitive information, and then leaking it to the public, to cause chaos and disruption. Even corporations are not far behind. They do it to gain access to each other’s intellectual property to stay ahead of the competition. Cyberspace is way more interesting and dangerous when we think from this perspective of cybersecurity.
The importance of securing the network and applications
With every passing day, the network of connected devices is increasing, and, while this growth of connectivity continues to grow bigger, the risk of exposure is also increasing. Furthermore, it is no longer dependent on how big or small the businesses are. In today’s cyberspace it is hard to establish if any network of application is not prone to attacks, but it has become extremely important to have a sustainable, dependable, and efficient network system, as well as applications. Properly configured systems and applications will help reduce the risk of attack. But it might not ever be able to eliminate the risk of attack completely.
A modern IT security system is a layered system, as a single layer approach to security is not enough anymore. In the event of a network breach, the victim can sustain a huge impact, including financial, disruptions to operations, and loss of trust factors. In the recent past, the number of breaches has increased for various reasons. The attack vectors for these breaches could be many, such as viruses, Trojans, custom malware for targeted attacks, zero-day-based attacks, or even insider threats. The following table shows the biggest data breaches of the 21st century:
Figure 4: https://images.idgesg.net/images/article/2017/10/biggest-data-breaches-by-year-and-accounts-compromised-1-100738435-large.jpg
For instance, one of the biggest data breaches that happened with Target Stores in December 2013, was planned during the Thanksgiving holidays and the organization did not discover it until a few weeks after the actual attack. The attack was started from an internet enabled air conditioning system and then to the point of sale systems. Eventually this attack led to the theft of about $110 million in credit and debit card data. The after-effect of the attack led to the resignation of the, then, Target CEO and the cost impact to Target was in the region of $162 million. (For readers, a more detailed report can be found here: https://www.csoonline.com/article/2134248/data-protection/target-customers–39–card-data-said-to-be-at-risk-after-store-thefts.html)
In this chapter, we explored the various aspects of the internet and how digitization has brought in a new era of cyber crimes and attacks. We also learned about the history of cyber attacks, which broke our usual belief that cyber crimes started a few decades ago. As we progressed, we learned about the various aspects of cloud computing and how it brings data under threat.
By reading this chapter, you will clearly have understood the importance of security in the current technological landscape, gained visibility of the cybersecurity landscape, and how organizations, as well as individuals, can protect data from being stolen. This knowledge is useful in identifying potential threat areas and designing a defensive game plan.
As we continue the discussion, we will explore the evolution of security from legacy systems to machine learning, AI, and other turnkey technologies. This will help us gain an insight about the past, present, and future of cybersecurity.