A cyber attack is an unauthorized attempt to access a computer system in order to seize, modify, or steal data, or to disrupt its operation.
Cybercriminals can use a variety of attack vectors to launch a cyberattack, including malware, phishing, ransomware, and man-in-the-middle attacks. Each of these attacks is made possible by inherent risks (the exposure that exists before any controls are applied) and residual risks (the exposure that remains after controls are in place).
A cybercriminal may steal, alter, or destroy a specified target by hacking into a susceptible system. Cyber threats range in sophistication from installing commodity malware or ransomware (such as WannaCry) on a small business's machines to attempting to take down critical infrastructure or a government agency such as the FBI or the Department of Homeland Security. One common byproduct of a cyber attack is a data breach, in which personal data or other sensitive information is exposed.
As more organizations bring their most important data online, there is a growing need for information security professionals who understand how to use information risk management to reduce their cybersecurity risks. This, paired with the increasing use of and regulatory focus on outsourcing, means that vendor risk management and third-party risk management frameworks are more important than ever.
Why Do Cyber Attacks Happen?
The motivations behind cyberattacks vary. Among the most consequential categories is the nation-state attack, launched by groups acting on behalf of a government. Nation-state attackers usually target critical infrastructure because compromising it has the greatest negative impact on a nation.
A widely cited example of an attack on critical infrastructure is the 2021 Colonial Pipeline incident. DarkSide, a Russia-linked criminal ransomware-as-a-service group rather than a state agency, infected Colonial Pipeline's IT systems with ransomware; the company shut down pipeline operations as a precaution, halting fuel supply to much of the US East Coast. To resume deliveries, Colonial Pipeline paid DarkSide's ransom in exchange for a decryption tool to restore its encrypted systems.
Inside vs Outside Cyber Threats
Cyber attacks can come from inside or outside of your organization:
- Inside cyber attack: Initiated from inside an organization's security perimeter, for example by a person with authorized access to sensitive data who steals it.
- Outside cyber attack: Initiated from outside the security perimeter, for example a distributed denial-of-service (DDoS) attack powered by a botnet.
What Do Cyber Attacks Target?
Cyber attacks target a resource (physical or logical) that has one or more vulnerabilities that can be exploited. As a result of the attack, the confidentiality, integrity, or availability of the resource may be compromised.
In some cyber attacks, the damage, data exposure, or control of resources extends beyond the resource initially identified as vulnerable, for example from a single compromised host to an organization's Wi-Fi network, social media accounts, operating systems, or sensitive information such as credit card or bank account numbers.
One of the most famous examples of a cyberattack deployed for espionage was the SolarWinds supply chain attack. Russian state-sponsored actors (attributed by the US government to the SVR foreign intelligence service) gained access to numerous US government agencies and companies by inserting a backdoor, known as SUNBURST, into a legitimate signed update for the SolarWinds Orion product. Because Orion was deployed widely in government networks, the attackers could move into those networks and read private internal correspondence.
Such highly complex attacks bypass firewalls and VPNs because they arrive as trusted, vendor-signed software and their traffic blends in with legitimate processes. This also makes it very difficult for defenders and law enforcement to detect the intrusion and track down those responsible.
The confidentiality, integrity, and availability properties referred to above are known as the CIA triad and are the basis of information security.
Passive vs. Active Cyber Attacks
Cyber attacks can be either passive or active.
Passive cyber attacks observe or collect information (for example, by sniffing network traffic) without altering the target system, which makes them harder to detect. Active cyber attacks are intentional attempts to alter a system or affect its operation; examples include ransomware attacks and intrusions that end in a data breach.
Most Common Types of Cyber Attacks
Examples of Active Cyber Attacks Include:
- Brute force attacks: A popular credential-cracking method that systematically guesses usernames and passwords (or encryption keys) to gain unauthorized access to a system or sensitive data.
- Cross-site scripting (XSS): A type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users, where the script runs with the trust of the vulnerable site and may be used to bypass access controls such as the same-origin policy.
- Denial-of-service (DoS) attacks: Occur when legitimate users are unable to access information systems, devices, or other network resources because a malicious actor has exhausted their capacity.
- Exploit: A piece of software, data, or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data.
- Email spoofing: The creation of emails with a forged sender address. Because the core email protocol (SMTP) does not authenticate the sender, phishing and spam emails can forge the From header to mislead the recipient about who sent the message; SPF, DKIM, and DMARC were introduced so receivers can detect this.
- Phishing: Gathers sensitive information such as login credentials, credit card numbers, bank account numbers, or other financial information by masquerading as a legitimate organization or site, typically via email.
- Man-in-the-middle: An attacker relays and possibly alters communication between two parties who believe they are communicating directly. This allows the attacker to relay communication, listen in, and even modify what each party is saying.
- Man-in-the-browser: A form of man-in-the-middle attack in which a proxy Trojan horse infects a web browser, exploiting browser vulnerabilities or extension mechanisms to covertly modify web pages and transaction content, or to insert new content.
- Ping flooding: A simple denial-of-service attack where the attacker overwhelms the victim with ICMP "echo request" (ping) packets.
- Ping of death: An attack that sends a malformed or oversized ping to a target, historically an ICMP packet which, once reassembled from its fragments, exceeds the maximum legal IP packet size of 65,535 bytes and crashes or destabilizes the receiving system.
- Smurf attack: A distributed denial-of-service attack in which a large number of ICMP echo requests carrying the victim's spoofed source IP address are sent to a network's IP broadcast address, so that every host on that network replies to the victim at once.
- Buffer overflows: Attackers exploit buffer overflow issues by writing more data into a buffer than it can hold, overwriting adjacent memory. This can change the program's execution path, typically to crash it, corrupt data, or execute attacker-supplied code.
- Heap overflows: A form of buffer overflow that happens when a chunk of memory is allocated on the heap and data is written to it without any bounds checking.
- Stack overflows: A type of buffer overflow that causes a program to write more data to a buffer located on the stack than what is allocated for the buffer, resulting in corruption of adjacent data on the stack that causes the program to crash or operate incorrectly.
- Format string attacks: Occur when attacker-supplied input is passed to a function such as printf() as the format string itself rather than as an argument. Directives such as %x and %n then let the attacker read the stack, write to memory, or crash the process, compromising the security or stability of the system.
- Direct access attacks: An attack in which the attacker gains physical access to a computer and can directly copy data from it or install malicious hardware or software.
- Social engineering: Social engineering is an attack vector that exploits human psychology and susceptibility to manipulate victims into divulging confidential information and sensitive data or performing an action that breaks usual security standards.
- Spyware: Unwanted software, a type of malicious software or malware, designed to expose sensitive information, steal internet usage data, gain access to or damage your computing device.
- Tampering: Modification of a product or service intended to cause harm to the end user.
- Privilege escalation: The exploitation of a programming error, vulnerability, design flaw, configuration oversight or access control in an operating system or application to gain unauthorized access to resources that are usually restricted from the application or user.
- Viruses: A computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code.
- Whaling attack: A type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. This could include financial information or employees' personal information.
- Worms: A type of malicious software that self-replicates, infecting other computers while remaining active on infected systems.
- Ransomware: A type of malicious software, or malware, designed to deny access to a computer system or data until ransom is paid. Ransomware spreads through phishing emails, malvertising, visiting infected websites or by exploiting vulnerabilities.
- Trojan horses: Any malware which misleads users of its true intent.
- Malicious code: Any program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses, spyware, adware and ransomware.
- SQL injection: A code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
- Zero-day exploit: An exploit for a security vulnerability that is unknown to the software, hardware, or firmware developer and for which no patch yet exists; the vulnerability itself is also called a zero-day.
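Of the attacks listed above, SQL injection is the easiest to show end to end, so here is an added example (not code from the original article or from any product) that places a vulnerable lookup beside its hardened form. It uses Python's built-in sqlite3 module against a constructed in-memory `users` table; the table, rows, and `lookup_*` function names are hypothetical.

```python
"""Added example: SQL injection against a string-built query, beside the
parameterized version that defeats it. Data and function names are constructed."""
import sqlite3


def make_db():
    # Constructed sample data in an in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # VULNERABLE: user input is concatenated into the SQL text. A single quote in
    # the input terminates the string literal and the remainder is executed as SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # HARDENED: the value is bound as a parameter and never becomes SQL text, so
    # the same payload is just an odd username that matches no row.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the quoted string and adds an always-true clause.
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Run both lookups with an honest value and with the injection payload."""
    conn = make_db()
    return {
        "honest": lookup_vulnerable(conn, "bob"),
        "injected_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "injected_safe": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, "->", rows)
```

The vulnerable query returns every user because the WHERE clause becomes `username = 'nobody' OR '1'='1'`; the parameterized query returns nothing. One caveat: sqlite3's `execute()` refuses to run more than one statement at a time, so a stacked payload such as `'; DROP TABLE users; --` fails here, but many other database drivers will happily execute it, so the absence of a successful drop in this demo is not evidence of safety.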
Common Examples of Passive Cyber Threats:
- Computer surveillance: The monitoring of computer activity and data stored on a hard drive.
- Network surveillance: The monitoring of activity and data being transferred over computer networks.
- Wiretapping: The monitoring of telephone and Internet-based conversations by a third party, often by covert means.
- Fiber tapping: Uses a network tap method that extracts signal from an optical fiber without breaking the connection.
- Port scanning: A technique used to identify open ports and services available on a network host.
- Idle scanning: A stealthy TCP port scan in which the attacker sends spoofed packets via an idle third-party "zombie" host and infers which of the target's ports are open from changes in the zombie's IP ID counter, so the scan is never traced back to the attacker's own address.
- Keystroke logging (keylogging): The action of recording the keys struck on a keyboard so the victim is unaware their actions are being monitored.
- Data scraping: A technique in which a computer program extracts data from human-readable output coming from another program
- Backdoor: A covert method of bypassing normal authentication or encryption in a computer, product, or embedded device.
- Typosquatting: A form of cybersquatting in which someone registers domain names similar to those owned by another brand or trademark, targeting Internet users who mistype a website address into their browser rather than using a search engine.
- Eavesdropping: The act of secretly or stealthily listening to the private conversation or communications of others without their consent
- Vulnerabilities: A weakness that a cyber attack can exploit to gain unauthorized access to, or perform unauthorized actions on, a computer system. A vulnerability is not itself an attack, but its existence is what makes both passive and active attacks possible.
Common Infrastructure Cyber Attack Targets
There are six common infrastructure cyberattack targets:
- Control systems: Control systems that activate and monitor industrial or mechanical controls such as controlling valves and gates on physical infrastructure.
- Energy: Cybercriminals may target electric grids or natural gas lines that power cities, regions, or households.
- Finance: Financial infrastructure is often the target of cybercrime due to the increasing interconnectivity of computer systems and financial systems.
- Telecommunications: Denial-of-service (DoS) attacks often target telecommunications that run through the Internet reducing the ability to communicate.
- Transportation: Successful cyber attacks on transportation infrastructure have a similar effect to telecommunications attacks, impacting the schedule and accessibility of transport.
- Water: Water infrastructure is often controlled by computers making it a big target for cybercriminals and one of the most hazardous if compromised. Sewer systems can also be compromised.
What is a Cyber Threat?
A cyber threat is the potential for a violation of security: it exists whenever there is a circumstance, capability, action, or event that could cause a data breach or other unauthorized access.
Every exploitable vulnerability therefore gives rise to a cyber threat. Cyber threats can be intentional or accidental:
- Intentional cyber threat: For example, a cybercriminal deploying the WannaCry ransomware, which targeted computers running Microsoft Windows by exploiting an SMBv1 vulnerability (MS17-010), encrypting data and demanding ransom payments in Bitcoin.
- Accidental cyber threats: For example, a poorly configured Amazon S3 bucket that leaves data publicly readable, leading to a large data breach. Check your Amazon S3 security before someone else does.
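As an added illustration of the accidental threat above (not code from the original article or from AWS), the check below flags S3 bucket policy statements that grant access to anonymous callers. The two policies are constructed for this example, and the check is a deliberately simple heuristic written here, not a reproduction of AWS's full policy-evaluation logic.

```python
"""Added example: detect S3 bucket policy statements that allow anonymous access.
Policies are constructed; the checker is a heuristic written for this article."""
import json

# Constructed: the classic misconfiguration, anyone on the Internet may read objects.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed: the corrected policy, only one named IAM role may read.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})


def _as_list(value):
    # Policy fields may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, including unauthenticated ones.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Return (Sid, verdict) for each Allow statement usable by anonymous callers.

    verdict is "public" when the grant is unconditional, or "review-condition"
    when a Condition block is present and might narrow it (needs a human look)."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append((sid, "review-condition"))
        else:
            findings.append((sid, "public"))
    return findings


if __name__ == "__main__":
    print("public:    ", public_statements(PUBLIC_READ_POLICY))
    print("restricted:", public_statements(RESTRICTED_POLICY))
```

A policy check like this belongs in CI or a periodic audit, but it is a second line of defence: the authoritative control is to enable S3 Block Public Access at the account level, which overrides permissive bucket policies regardless of how they are written.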
This is why understanding the difference between cybersecurity and information security, as well as how to perform a cybersecurity risk assessment is more important than ever. Your organization needs to have a set of policies and procedures to manage your information security in accordance with risk management principles and have countermeasures to protect financial, legal, regulatory, and reputational concerns.
Should a cyber attack lead to a security incident, your organization should have steps to detect, classify, manage, and communicate it to customers where applicable. The first logical step is to develop an incident response plan and eventually a cybersecurity team.
How to Detect Cyber Attacks
Cyber threats arise from either residual or inherent risks. To detect cyber attacks, a number of countermeasures can be set up at organizational, procedural, and technical levels.
Examples of organizational, procedural, and technical countermeasures are as follows:
- Organizational countermeasure: providing cybersecurity training to all levels of your organization.
- Procedural countermeasure: sending out vendor assessment questionnaires to all third-party vendors.
- Technical countermeasure: deploying antivirus, anti-malware, and anti-spyware software on all endpoints, network intrusion detection systems (NIDS) at network boundaries, and continuous monitoring of your organization and your vendors for data leaks.
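To make the NIDS countermeasure concrete, and to show what detection of the port scanning listed under passive threats above looks like in practice, here is an added example (not code from the original article or from any NIDS product). It runs a sliding-window port-scan detector over constructed connection log lines in a simple key=value format; real firewall or IDS logs differ, so `parse_line` and its regex are assumptions that would need adapting.

```python
"""Added example: detect vertical port scans (many ports on one host) from
connection logs using a sliding time window. Log format and lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample: 203.0.113.5 probes 12 ports on one host within 11 seconds,
# while 198.51.100.9 is an ordinary client repeatedly connecting to HTTPS.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}Z src=203.0.113.5 dst=10.0.0.7 dport={p} proto=tcp flags=S"
     for i, p in enumerate(SCAN_PORTS)]
    + [f"2024-05-01T10:00:{i:02d}Z src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp flags=S"
       for i in range(0, 30, 2)]
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_port_scans(log_text, window_seconds=60, port_threshold=10):
    """Return {src_ip: max_distinct_ports} for sources that touched at least
    port_threshold distinct ports on a single destination within the window.

    Assumes lines for a given (src, dst) pair arrive in time order, as they
    would from a live tail or a sorted export."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        q = recent[(src, dst)]
        q.append((ts, dport))
        # Evict events that have fallen out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= port_threshold:
            alerts[src] = max(alerts.get(src, 0), len(distinct_ports))
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))  # {'203.0.113.5': 12}
```

The threshold and window are tuning knobs: too low and vulnerability scanners or monitoring systems you run yourself will alert constantly (allow-list them), too high and a slow scan spread over hours slips through, which is exactly the trade-off real NIDS rules make.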
How Cyber Attacks Impact Your Business
Successful cyber attacks can lead to the loss of sensitive customer data, including personal information and credit card numbers. This gives cybercriminals the ability to sell your customers' details on the dark web, demand a ransom, or harass your customers.
For instance, they may use a customer's identity to buy illegal goods or to obtain further personal information such as credit card numbers.
Cyber attacks can also disrupt your key business activities: a DDoS attack can take your website offline entirely. Even large businesses are not necessarily protected. In October 2016, the Mirai botnet's DDoS attack on the DNS provider Dyn took down PayPal, Twitter, and many other major sites.
Researchers at the University of Kent identified at least 57 negative impacts of cyber attacks, ranging from threats to life and depression to regulatory fines and disruption of daily activities. Overall, the researchers group these impacts into five key areas.
The paper titled A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate can be found in the Journal of Cybersecurity (Oxford University Press).
How to Protect Your Business Against Cyber Attacks
Protecting your business against cyber attacks can take different forms, from creating strong passwords to using sophisticated cybersecurity software. It's important to have a prevention plan in place. Learning the TTPs (tactics, techniques, and procedures) of previous threat actors can also help you anticipate future cyber attacks.
Here are four good places to start protecting your business against cyber attacks:
- Enforce strong security practices: Ensure every level of your organization uses strong passwords and password managers to reduce the threat of a leaked or cracked password resulting in unauthorized access. Further, educate your employees about phishing scams and not downloading email attachments from unknown senders. Read our password security checklist for more information.
- Back up and ensure there is an audit trail for important business information: Without a secure backup and an audit trail for all key business information, you won't know whether there has been a data breach or unauthorized access to, or changes to, your data, and you won't be able to recover it.
- Encrypt all business data and customer information: Ensure all business and customer data is strongly encrypted, so if it is exposed there is less chance cybercriminals will be able to access customer information or trade secrets as part of corporate espionage.
- Use sophisticated cybersecurity software: Antivirus and anti-malware software are important but often not sufficient. Your organization needs to continuously monitor for data exposures and send automated security questionnaires to its vendors.
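The backup and audit-trail point above has a simple technical core: a cryptographic hash manifest of the protected data lets you prove later that nothing changed. The added example below (not code from the original article or from any product) builds such a manifest and then detects a tampered file and an unexpected new file; the files and directory are created in a temporary location for illustration.

```python
"""Added example: a SHA-256 integrity manifest for backed-up business data so that
unauthorized modification is detectable. Files and paths are constructed."""
import hashlib
import os
import tempfile


def file_sha256(path):
    """Hash a file in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (as a relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_sha256(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the current tree with a stored manifest.

    Returns (modified, missing, added) as sorted lists of relative paths."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return modified, missing, added


def demo():
    """Constructed scenario: snapshot two files, then tamper with one and plant
    an extra file; verification must report both."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "customers.csv"), "w") as f:
            f.write("id,email\n1,alice@example.com\n")
        with open(os.path.join(root, "ledger.txt"), "w") as f:
            f.write("balance=100\n")
        manifest = build_manifest(root)  # store this off-host, write-once

        # Later: an attacker (or a faulty job) edits the ledger and drops a script.
        with open(os.path.join(root, "ledger.txt"), "w") as f:
            f.write("balance=1000000\n")
        with open(os.path.join(root, "backdoor.sh"), "w") as f:
            f.write("#!/bin/sh\n")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())  # (['ledger.txt'], [], ['backdoor.sh'])
```

The manifest is only useful if an attacker who can alter the data cannot also alter the manifest, so keep it on separate, write-once storage or sign it (an HMAC with a key held off the backup host works); otherwise the attacker simply recomputes the hashes after tampering.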
What Nation States Participate in Cyber Attacks?
Many nation-state actors commit cyber attacks against one another, including the United States, United Kingdom, Ukraine, North Korea, and Russia. That said, China and the United States are generally regarded as having the two most sophisticated cyber warfare capabilities. Outside of nation-states, non-state actors also carry out cyber terrorism to shut down critical national infrastructure such as energy, transportation, and government operations, or to coerce and intimidate a government or civilian population.
For example, in February 2020 the Iranian telecommunications infrastructure suffered from a distributed denial of service (DDoS) attack that led to national connectivity falling to 75% of usual usage.
This is part of the reason why China and the United States have invested heavily in cyber warfare programs.
China's Cyber Warfare Program
The People's Liberation Army (PLA) has a cyberwarfare strategy called "Integrated Network Electronic Warfare" that guides computer network operations and cyber warfare tools. The strategy links network warfare tools and electronic warfare weapons against an opponent's information systems during the conflict.
The PLA believes that seizing control of an opponent's information flow and establishing information dominance is fundamental to success in warfare. By attacking infrastructure to disrupt transmission and information processing, the PLA aims to gain cyber dominance over its enemies, and it may use electronic jammers, electronic deception, and suppression techniques to achieve that interruption.
They may also use more traditional techniques like viruses or hacking techniques to sabotage information processes. The key focal point is to weaken the enemy's cyber abilities to maximize the physical offensive.
Additionally, it is suspected that the Chinese government gathers data from foreign firms in industries identified as strategic priorities by the Chinese government, including telecommunications, healthcare, semiconductor manufacturing, and machine learning.
The United States' Cyber Warfare Program
The United States' public posture emphasizes defensive security planning in response to cyber warfare, although it also conducts offensive operations. Responsibility for cybersecurity is divided among the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD).
US Cyber Command (USCYBERCOM) was established in 2009 as a sub-unified command under US Strategic Command and was elevated to a full unified combatant command in 2018. It is responsible for defending Department of Defense networks and for conducting military cyberspace operations. Its service components are Army Cyber Command, Air Forces Cyber (formerly Twenty-Fourth Air Force), Fleet Cyber Command, and Marine Corps Forces Cyberspace Command.
Both state and non-state actors target the United States in cyber warfare, cyber espionage, and other cyber attacks, so Cyber Command was designed to dissuade potential adversarial attacks by conducting cyber operations of its own.
How UpGuard Can Protect Your Organization from Cyber Attacks
UpGuard helps hundreds of major enterprises and corporations protect their data and prevent data breaches. UpGuard BreachSight helps organizations reduce their cyber risks, ensure compliance with regulations, and manage third-party vendor security.
We can also help you continuously monitor, rate, and send security questionnaires to your vendors to control third-party risk and improve your security posture, as well as automatically inventory your IT infrastructure, enforce policies, and detect unexpected changes to it.