Weak or Stolen credentials/credentials stuffing

A host's list of weak or stolen credentials and passwords can easily be purchased or gathered by an attacker and then misused for brute-forcing or credential stuffing attacks to get past a login interface. Examples of interface attack surfaces include:

• Public user logins
• Exposed web VPNs
• Exposed remote desktop protocols
• Email clients
• Third-party software login

Contrary to some beliefs, the best practice here is not to always change passwords but to keep a password manager where you only need to memorize one complex and unique password and not reuse it over and over again.

Phishing

An attack vector touches both web and physical attack surfaces because it leverages email or SMS to get a company insider to click on a malicious link. A successful phishing attempt then opens up access to the company’s network.

Most companies conduct security training to increase individual awareness for phishing attacks, and keeping it top of mind can help prevent these attacks from succeeding. In addition to training, assessing email configurations such as SPF/DMARC and DKIM records can reduce the chances of an attack.

Intercepting traffic

If your data is not encrypted correctly, attackers can eavesdrop on your traffic to steal sensitive user data such as usernames, passwords, and credit card credentials. Stolen session cookies could be leveraged further in a chain of vulnerabilities by attackers.

Even though Google reports that 95% of Google traffic is encrypted with HTTPS, attackers still have chances to listen in via man-in-the-middle attacks such as dodgy Wi-Fi connections or bypass CORS and post messages. Such vulnerabilities in websites and other encryption issues can be detected and assessed with the help of external attack surface management tools.

Accidentally exposed assets on the internet

The constant acceleration towards digitalization and remote work culture has accelerated cybersecurity attacks and incidents, with 67% reported attacks targeting remote workers. Work is no longer limited to a secured work network, forcing organizations to provide employees access to, for example, remote desktop protocols and web login interfaces. In 2020, threat actors were exploiting exposed Microsoft Remote Desktop Protocol (RDP) servers that were suddenly online because of the necessity of remote work access.

If an attacker locates a team member's access point, they could exploit this exposure using stolen user login details or brute-forcing. As a result, activating multi-factor authentication is recommended to add an extra layer of security for the attacker to overcome.

With employees working outside of the physical workplace perimeters and using unsecured WiFi networks, hacking incidents and accidental exposure of critical business ports and other internal environments are increasing. Having an asset discovery tool that will crawl the cloud environment and ports to help map out what is exposed can go a long way towards securing the entire organizational network. Read more tips on securing remote work.

Zero-day attacks

A zero-day(0-day) is a unique attack vector that exploits a vulnerability in software that the technology creator is unaware of, which means there is no fix or patch at the time of discovery. As soon as the vendor is aware of the issue, it’s a race against time to remediate and roll out the patch to affected users. Discovering and developing zero-day vulnerabilities is an industry in itself and controversial among cybersecurity experts.

Finding a zero-day is probably one of the most coveted achievements for a hacker, and Detectify receives this class of submissions through Detectify Crowdsource, our community of ethical hackers. When we receive zero-days from a Crowdsource hacker, we work with the ethical hacker and vendor to ensure the disclosure is responsible. The vendor has 45 days to patch the vulnerability, and we work together to develop the security module that goes into the Detectify scanning engines. Learn more about how Detectify handles zero-day submissions.

Social engineering

Social engineering attacks are the art of using psychological manipulation to get you to divulge confidential information or perform a specific action to give access to bad actors. It includes everything from persuading victims to visit a website with a malicious payload (a common practice in XSS and CSRF exploits) to gaining access to a company’s office and hacking on-site. Attackers have even taken to Facebook Messenger with a combination of social engineering and malicious JavaScript to spread adware.

Social engineering goes hand in hand with hacking - malicious hackers are often skilled in the art of social engineering. Following tips to protect yourself from social engineering, such as verifying the source and keeping a tab on your attack surface, is key to protecting yourself.

Denial-of-service attack (DoS attack)

A denial-of-service (DoS) attack occurs when users cannot access information systems, devices, or other network resources due to a malicious actor. Websites, emails, and online accounts are just some of the services that can be affected. Anything that relies on an affected computer or network is at risk.

A DoS attack is accomplished by flooding the targeted host or network with traffic until the target cannot respond or crashes, preventing access for legitimate users. The consequences of DoS attacks for organizations can be severe, not just time and money but also resources needed to rectify the issues and inaccessible services for users.

Malicious insiders

A malicious insider is often an employee that exposes or exploits vulnerabilities at their workplace and is usually found in a role that gives them access to sensitive data and information. According to a 2017 SANS Survey, 40% of respondents said that malicious insiders would cause the most significant damage in cybersecurity attacks.