Posted on Jan 7, 2021
Everyone hopes that by ringing in the new year, they go out with the old and in with the new. Unfortunately, in cybersecurity, the old rarely goes out while the new still keep coming in. As organizations look to enhance their cybersecurity posture for 2021, they need to consider these 20 cybersecurity security threats to protect against.
Structure Query Language (SQL) is a coding language used in web-based databases and servers that programmers use to organize information into readable tables. SQL injection attacks considered one of the oldest and least sophisticated cyberattacks, use malicious code to replace the web application’s login page. When users enter their name/ID and password, the cybercriminals can steal the credentials.
A 1=1 attack exploits vulnerabilities in the user tables, the code that matches people to passwords. The underlying code, for example, links to a table that matches a specific “username” with the associated “password.” In SQL, 1=1 means that a value is “true.” In a 1=1 SQL injection, the malicious code removes the definitions and replaces them with “1=1.” By doing so, any entry in the forms is automatically “true.” Once they insert this code, cybercriminals can then put “admin” for the username and anything in the “password” box to gain unauthorized access.
With a union-based SQL injection, malicious actors infiltrate the system tables rather than the user login tables. System tables define how users and information are linked together which is how the attack gets the name “union.” In this attack, cybercriminals set the code so that the system returns an error. That error message indicates what information led to the error. Most systems have similar types of tables on the backend, such as database, user, username, and password. Cybercriminals look to retrieve the content of the table, and if they’re wrong, the error message tells them what information is missing. They can then ask how many columns the table has and keep using error feedback until the system shows the data list.
Cross-Site Scripting (“XSS”) exploits web applications by targeting user browsers while they enter information. In a stored XSS attack, the malicious actors place code into something that looks legitimate, such as an image or comment on a web page. Every time someone visits the page with the malicious code, that person downloads and executes that malicious code. Although XSS attacks are common, they are also effective. Problematically, a simple stored XSS attack is often the first step in a more sophisticated attack.
A reflected XSS attack usually stores the malicious code in the URL, rather than in an element on the page such as an image. Every time someone clicks on the link, that person executes the code. Often, links in phishing emails will be so long that hiding the malicious code in them is easy. For example, www.fakewebsite.com/something/somethingelse/maliciouscode/realinfo/. Another way that cybercriminals insert the code is in the search function of the website. When someone types in the search, they get a webpage with the results that often has a long and confusing URL like www.fakewebsite.com/search?q=something/. Cybercriminals insert the malicious code into that URL, www.fakewebsite.com/maliciouscodesearchq?=something. This then executes the code.
Extensions are codes with special privileges that add functionality to a browser, such as Chrome, Safari, or Firefox. However, because these small programs download to the browser and change what it can do, they also create an opportunity for malicious actors. Once a user installs a malicious extension, anyone who uses the browser is at risk. Additionally, malicious browser extensions can collect sensitive information sent through other extensions, such as a password manager.
Spyware, or Adware, is software that creates pop-up ads to appear when users search the internet, such as those asking for them to subscribe to newsletters. When the pop-ups appear in the user’s browser, they run code that cybercriminals use to collect information such as user names or passwords.
Spear phishing, a type of social engineering attack, occurs when cybercriminals target users at an organization by sending fake emails that have malicious links or downloads attached. They often use legitimate-looking “sender” information and rely on users’ emotions to get them to take action. For example in March 2020, spear-phishing attacks increased by 667% as cybercriminals leveraged people’s concern around the COVID-19 pandemic.
Similar to spear phishing, whale phishing involves sending phishing emails to senior leadership or management team members who might have privileged access, such as Chief Executive Officers (CEOs) or Chief Financial Officers (CFOs). These users can often access sensitive corporate information or approve wire transfers. Then, the cybercriminals either gain unauthorized access to important data or perpetrate financial fraud.
With social media phishing, cybercriminals look to obtain unauthorized access to a company’s social media accounts. Then, they either send malicious links to followers or post fake contests that require users to input information. For example, in 2020, malicious actors gained access to 130 social media accounts that led to $180,000 in Bitcoin.
Often, other attack methods such as phishing, are used to distribute ransomware. Ransomware is a type of malicious software, or malware, that installs on a user’s computer and encrypts the information. Encryption scrambles information, making it unreadable. Then, the cybercriminals ask for a “ransom,” often in the form of cryptocurrency. In recent years, ransomware attacks have started to steal the data as well because many organizations have strengthened their data backup and recovery processes, meaning that they did not need to unencrypt the information.
Trojan malware, similar to the Greek Trojan Horse, disguises itself as legitimate software. For example, Trojan malware can pretend to be free antivirus software, but once downloaded, it executes, runs in the background, and steals data.
A buffer overflow attack is a type of Denial of Service (DoS) attack, where cybercriminals send the targeted network so many requests that it ultimately shuts down. Buffers temporarily hold data while it transfers from one device to the next. In a buffer overflow attack, cybercriminals overload the buffer’s storage capacity. When the network reroutes the information, the lack of “buffer” storage means that the data can be damaged or exposed.
Also referred to as a ping flood, ICMP flood is another type of DoS attack. In an ICMP flood attack, malicious actors overwhelm the network with request packets or formatted units of data. When the network attempts to respond, the incoming and outgoing data use too much bandwidth, shutting the network down.
A SYN flood is a Distributed Denial of Service (DDoS) attack that uses multiple devices, increasing the severity and making it more difficult to trace. SYN flood attacks leverage the Transmission Control Protocol (TCP) that allows devices to talk to one another over a network. The synchronize (SYN) is the request a device sends asking to connect to the network. Once sent, the network responds with the synchronize-acknowledge (SYN-ACK) packet, agreeing to the process. Finally, the original device sends the acknowledge (ACK) packet, giving a digital “RSVP” before finally connecting. This process, known as the “TCP handshake” makes sure that data is received in the correct order. In a SYN flood attack, malicious actors create fake IP addresses and use multiple servers to send a large number of connect requests. However, the cybercriminals’ devices never send the final “RSVP,” leaving the network overwhelmed with requests and unable to respond to legitimate requests.
UDP stands for “User Datagram Protocol,” a communication protocol that enables rapid data transference between computers on a network by confirming that the targeted device can accept data, sending information all at once, and checking to ensure that it arrived. In a UDP flood attack, malicious actors use fake or “spoofed” IP addresses. When the targeted server tries to check that the spoofed IPs can receive data, it gets no response answer. The malicious actors send so many requests from so many different locations, none of which respond that they can accept packets, which ultimately leaves the server sending out messages but not being able to receive any. This shuts down the server which shuts down all data sharing between devices on the network.
Dictionary attacks take advantage of poor password hygiene. Cybercriminals can use lists like SecLists/Passwords/Common-Credentials in conjunction with software to try to find a login ID/password combination that gives them access to an organization’s networks, systems, or applications. Some of the most successful attacks arise from administrative accounts that still have default passwords attached to them. For example, the default router usernames and passwords can be found online. Many of the usernames are “admin” and the default passwords are also located on the most used passwords list. This means that a dictionary attack for any of these devices would give cybercriminals privileged access to those resources.
Brute force and dictionary attacks are often confused with one another because they both look to infiltrate systems by exploiting weak passwords. However, while a dictionary attack uses a list of well-known passwords, a brute force attack tries every possible combination of login and password. Although brute force attacks are more complex, they may also take into account the most commonly used passwords and prioritize those. They also take longer to complete and may make assumptions based on common password rules, including capitalization of the first letter or the number 1 at the end.
This network attack can also be called snooping or sniffing. An eavesdropping attack leverages an unsecured network, such as a home WiFi connection, to access the data as it is transmitted from a device to a server. Because the network is not secure, cybercriminals can place network monitors on a server or computer to capture the data-in-transit. Ultimately, any device sending or receiving information on the network is at risk.
A man-in-the-middle attack is a specific type of eavesdropping attack that often exploits public WiFi connections. During a MiTM attack, the malicious actors change or steal the data transmitted across the network. For example, if a user is accessing their bank account using a public WiFi network, the malicious actors can steal the account login information which can lead to identity theft.
The domain name system (DNS) is the set of rules for translating numeric IP addresses into memorable text. For example, when a user types in www.fakecompany.com the actual address looks like this 10.10.10.10. Since people would have a hard time remembering the number, the DNS server translates it into a text-based URL. Because DNS is required for internet communications to work, it is a trusted set of rules for sending and receiving digital information. In a DNS tunneling attack, the attacker exploits this trust. Malicious actors deploy malware on a device and set up a fake domain like www.badfakecompany.com. Then, they create a subdomain such as www.badfakecompany.com/stealing. They then configure the subdomain to catch data going to the legitimate website so that when the infected device tries to communicate with the legitimate website, the cybercriminals’ subdomain intercepts the communication, enabling the malicious actors to steal the data.
SecurityScorecard’s security ratings platform provides an outside-in look at your organization’s and supply chain’s security postures. We passively monitor your ecosystem across ten risk categories including DNS health, network security, endpoint security, web application security, IP reputation, patching cadence, information leak, hacker chatter, and social engineering. Our easy-to-read A-F ratings give you at-a-glance visibility into your controls’ effectiveness while our platform provides actionable remediation steps to help you mature your security posture.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.