What are cyber attacks and how do you defend against them?
The May 2009 ISO/IEC 27000 publication described an attack on an information or computer network as an “attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization.” ⁽¹⁾
The concept of a cyber attack or a computer network attack is rooted in this description. Techopedia describes a cyber attack as a “deliberate exploitation of computer systems, technology-dependent enterprises and networks.” Techopedia continues, stating that cyber attacks use “malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.” ⁽²⁾
It’s not just computer networks and computer information systems that are being attacked. Cyber attacks are also infamous for targeting computer infrastructure and people’s personal computers.
In addition to cybercrime, cyber attacks can also be associated with cyberwarfare or cyberterrorism, particularly when the attackers are state actors, groups or affiliated organizations. For example, in 2014 a group hacked Sony Pictures and stole troves of data, including many Sony Pictures employees’ personal information, executive salary information, copies of unreleased films, and more. The group, which is suspected to be North Korean or affiliated with North Korea, used Shamoon wiper malware to obliterate Sony Pictures’ computer infrastructure.
What are the most common types of cyber attacks?
According to long-time Netwrix blogger Jeff Melnick, the ten most common types of cyber attack consist of the following examples:
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks: These attacks inundate a system’s resources, overwhelming them, preventing responses to service requests and greatly reducing the system’s ability to perform. The goal of a DoS or DDoS attack is usually denial of service itself, or setting the stage for a different, second attack.
DoS and DDoS attacks come in several types, including the following:
Transmission Control Protocol (TCP) synchronize (SYN) flooding or SYN attack:
What does a TCP SYN flooding attack target? During the TCP session initialization handshake, the attacker exploits the buffer space the target reserves for connections in progress, flooding the target’s system with connection requests.
What’s the result of a TCP SYN flooding attack? The targeted system’s small in-process queue overflows, and the overburdened system crashes or becomes unusable.
How can you prevent a TCP SYN flooding attack? Place your servers behind a firewall configured to halt inbound SYN packets. Boost the size of the connect queue and reduce the timeout for open connections. ⁽³⁾
Teardrop attack: According to Techopedia, teardrop attacks tend to target older versions of Windows, or even Windows Vista or Windows 7. Notably, Windows 2000 and Windows XP lack the driver vulnerability that teardrop attacks tend to exploit.
What does a teardrop attack target? The attacker targets the TCP/Internet Protocol (IP) fragmentation reassembly codes.
What’s the result of a teardrop attack? The attacker sends IP packets whose length and fragmentation offset fields overlap each other. The system tries to reassemble the packets and fails, and the resulting stress and confusion lead to a system crash.
How can you prevent a teardrop attack? Melnick notes that you can get patches to protect against DoS attacks, and if you don’t have these patches then “disable [Server Message Block (SMB) version 2] and block ports 139 and 445.” ⁽⁴⁾
Smurf attack: Techopedia notes that Smurf attackers apply some common facts about IP and Internet Control Message Protocol (ICMP) when attacking. Notably, the fact is that “ICMP is used by network administrators to exchange information about network state and can also be used to ping other nodes to determine their operational status.” ⁽⁵⁾
To better understand how a Smurf attack works, you need to know what “spoofing” is. Spoofing occurs when a communication from an unknown source is disguised to seem like it comes from a known or reliable source. Spoofing is also used by cyber criminals for man-in-the-middle and similar cyber attacks.
What does a Smurf attack target? The attacker sends ICMP echo requests, or “pings”, to the broadcast address of the targeted network. All of these pings carry a spoofed source address, that of the intended victim. The broadcast delivers the echo requests to every host on that network, and each of those hosts replies to the address the attacker spoofed, that is, to the victim.
What’s the result of a Smurf attack? The vast number of ICMP echo replies barrages the victim’s network with traffic. This flood drains the bandwidth of the victim’s network and causes the victim’s server to crash.
What’s scary about Smurf attacks? They can be automated and the process is repeatable, making Smurf attacks capable of incredible disruption.
How can you prevent a Smurf attack? Disable IP-directed broadcasts at your routers or individual hosts. This process halts ICMP echo broadcast requests at your network devices. You can also configure your routers to prevent them from responding to or otherwise forwarding ICMP echo requests directed to broadcast addresses.
Ping-of-death attack (PoD) or long ICMP attack: Similar to how teardrop attacks are notorious for targeting older operating systems, PoD attacks are known for targeting older systems.
To better understand how a PoD attack works, you need to know two sizes on IPv4 networks: the size of a ping packet, and the largest packet a computer can handle.
- The total size of a standard ping packet is 84 bytes
- 65,536 bytes is the maximum size of a network packet that a single computer can handle. ⁽⁶⁾
What does a PoD attack target? True to its name, the PoD uses IP packets to attack a system over an IPv4 network.
What’s the result of a PoD attack? The attacker sends a ping packet that’s larger than 65,536 bytes. Because IP systems can’t handle packets this large, the protocol doesn’t allow them. To get around this rule, the attacker fragments the IP packet and sends the pieces separately. After the targeted system receives the fragments and reassembles them, it is unable to handle the packet’s large size. This can overflow a buffer and freeze or crash the computer.
How can you prevent a PoD attack? Use a firewall that checks fragmented IP packets for their maximum size.
Botnets or bots: Botnets consist of a series of interconnected computers, sometimes zombie systems or simply computers infected with malware.
What does a botnet attack target? These bots are under the attacker’s control and are used to perform an attack against the targeted computer system, network, network device, website or similar IT environment.
What’s the result of a botnet attack? The attacker uses the bots to bombard the victim’s system, overwhelming its bandwidth and processing capabilities. Disruption is usually the botnet attacker’s goal, often preventing normal working operations or otherwise degrading the victim’s system’s overall service.
What’s scary about botnet attacks? Botnet attacks are notoriously hard to trace due to the many different geographic locations that the different bots can have. There’s no limit to how many systems these attackers can control. One attacker’s bots can number in the hundreds, thousands, or even millions.
How can you prevent a botnet attack? Different types of filtering offer countermeasures against botnet attacks. Techopedia offers the following examples:
- RFC 3704 filtering denies traffic from spoofed addresses and helps ensure that traffic is traceable back to its correct source network.
- Black hole filtering drops undesirable traffic before it enters a protected network. As soon as a DDoS attack is detected, the Border Gateway Protocol (BGP) host sends routing updates to internet service provider (ISP) routers. This process helps the ISP routers direct all web traffic destined for a victim’s servers onto a null0 interface. ⁽⁷⁾
Man-in-the-middle (MITM) attack or Janus attack or fire brigade attack:
The MITM attack takes its name from the “keep-away” ball game, in which two people toss a ball back and forth and try to keep it away from a third person in the middle. The fire brigade attack name comes from the emergency process of passing water buckets along a line to put out a fire. The goal of this attack is infiltration, acquisition and manipulation: communications between two parties appear normal, and neither party recognizes that the other end of the conversation is secretly the attacker.
What does a MITM attack target? A MITM attack occurs when a hacker inserts itself between two systems, eavesdropping on and intercepting their communications. The attacker often performs the interception by gaining control of a router along a regular path of traffic. This usually places the attacker within the same broadcast domain as the victim.
For Hypertext Transfer Protocol (HTTP) transactions, where there is normally a single TCP connection between a client and a server, the attacker takes advantage of any weakness in the network communication protocol. By forking the TCP connection into two connections, the attacker creates one connection between the attacker and the victim, and a second connection between the attacker and the server. Using the process known as Address Resolution Protocol (ARP) spoofing, the attacker acts as a proxy and gets the victim to direct traffic through the attacker instead of through the normal router.
ARP spoofing involves transmitting faked ARP packets. ARP translates IP addresses to link-layer addresses (MAC addresses).
What’s the result of a MITM attack? Acting as a proxy, the attacker can read the intercepted TCP connection and any public key messages, and can alter and insert data into the commandeered messages, manipulating the communication. The attacker can easily capture the session cookie carried in the HTTP header.
How can you prevent a MITM attack? Encryption, digital certificates and hash functions offer strong protection against MITM while providing confidentiality and integrity in communications. ⁽⁷⁾
There are several different types of MITM attacks, including the following:
Session hijacking: In this type of MITM attack, the attacker takes control of a session between a network server and a trusted client.
What does a session hijacking attack target? Session hijacking attacks occur after a client has authenticated successfully and the web server has issued a session token to the client’s browser. The attacker then compromises the token, either by stealing it or by working out what the authentic session token is. The method also works with IP addresses: the attacker substitutes the IP address of the attacker’s own unauthorized web server or computer for that of the victim.
What are some vulnerabilities to session hijacking attacks?
- The Firefox web browser has an extension called Firesheep. This extension permits access to a system’s personal cookies, enabling session hijacking attacks against those users.
- Twitter, Facebook and several other social media sites have session hijack attack vulnerabilities.
How can you prevent session hijacking attacks? Encryption, and using long, random numbers to create session keys, are techniques that help defend against session hijacking attacks. After each login, regenerate the session and update the cookie value. This prevents attackers from working out what the authentic session token is. ⁽⁸⁾
IP spoofing: An IP spoofing attack involves filling the IP address field of a packet with a false address instead of the sender’s correct IP address. IP spoofing attacks combine MITM manipulation with DoS bombardment.
What does an IP spoofing attack target? In an IP spoofing attack, the attacker uses a fake IP address to hijack the targeted victim’s connection. After disguising the connection so that it appears to come from an authentic, trusted source, the attacker sends a malevolent packet or message carrying the fake IP address.
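The regeneration step above, worked through as an added example that is not code from the original article: a minimal in-memory session store (constructed for the illustration) that issues long random session IDs, expires idle sessions, and discards the pre-login ID the moment a user authenticates.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """In-memory session store (constructed for the example): long random IDs,
    an idle timeout, and a fresh ID issued at login."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes from the OS CSPRNG -> 43-character URL-safe token,
        # far beyond what an attacker could guess or enumerate.
        return secrets.token_urlsafe(32)

    def start_anonymous(self, now: float) -> str:
        """Session for a visitor who has not logged in yet."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, old_sid: str, user: str, now: float) -> str:
        """Bind the user to a *new* session ID and discard the pre-login one,
        so an ID the attacker planted or observed before login is worthless."""
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": now}
        return new_sid

    def lookup(self, sid: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None if unknown or idle too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.ttl:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid: str) -> None:
        """Invalidate the session server-side, not only in the browser."""
        self._sessions.pop(sid, None)
```

Send the ID to the browser only in a cookie marked Secure and HttpOnly, so it is neither exposed on the wire nor readable by page scripts.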
What’s the result of an IP spoofing attack? If the victim accepts the packet, then the attacker can hijack the victim’s computer sessions. The attacker then floods the victim with traffic, draining the victim’s network bandwidth, causing massive disruption, slowdown, freezing and crashing.
How can you prevent or defend against an IP spoofing attack? Talk with your IT department and cybersecurity professionals about how to boost your resilience against IP spoofing attacks and what measures your enterprise can take to defend against them. ⁽⁹⁾
Replay attack or playback attack:
What does a replay attack target? Melnick notes that replay attacks happen after attackers intercept and save old messages, and then try to send them out themselves while impersonating one of the participants.
Techopedia expands on this explanation, describing a replay attack as one where an attacker detects a data transmission, then fraudulently delays or repeats it, before retransmitting it.
To expand on this further, replay attacks target the security protocol by replaying a data transmission, from a different sender, into the targeted receiving system.
What’s the result of a replay attack? If the attack isn’t detected, then the attacker can send the attacked computers and networks malicious messages that appear legitimate. The attacker can also gain access to trade secrets or equally valuable data, including login information, which they could use to gain additional access to the network. A replay attack is meant to trick the recipients into thinking they have completed the data transmission. If it’s successful, then the attacker has gained access to the network and to information that would otherwise have been inaccessible.
How can you prevent a replay attack? Strong session timestamps, or a cryptographic nonce (a random number or string, bound to the time and process of the session), help prevent replay attacks.
Techopedia notes that a “one-time password for each request also helps in preventing replay attacks and is frequently used in banking operations.” ⁽¹⁰⁾
Sequencing of messages and non-acceptance of duplicate messages also helps with avoiding replay attacks.
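The timestamp, nonce and sequence-number defenses just described, worked through as an added example that is not part of the original article. The shared key, the clock tolerance and the message layout are assumptions made for the illustration; the receiver rejects tampered, stale, duplicate and out-of-order messages, in that order.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Shared secret and clock tolerance assumed for the example (not from the article).
SHARED_KEY = b"constructed-demo-key"
MAX_SKEW_SECONDS = 30


def _mac(key: bytes, msg: dict) -> str:
    """HMAC over every field, so none can be changed or re-paired unnoticed."""
    data = "|".join(str(msg[k]) for k in ("ts", "nonce", "seq", "payload")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(key: bytes, seq: int, payload: str, now: Optional[float] = None) -> dict:
    """Sender side: attach a timestamp, a random nonce, a sequence number and a MAC."""
    msg = {
        "ts": int(now if now is not None else time.time()),
        "nonce": os.urandom(16).hex(),
        "seq": seq,
        "payload": payload,
    }
    msg["mac"] = _mac(key, msg)
    return msg


class ReplayGuard:
    """Receiver side: remembers the last accepted sequence number and the nonces
    seen so far (a real receiver would prune nonces older than the time window)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.seen_nonces = set()

    def accept(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        # 1. Integrity and origin first: a forged or altered message is dropped.
        if not hmac.compare_digest(_mac(self.key, msg), msg.get("mac", "")):
            return False, "bad mac"
        # 2. Timestamp window: an old capture cannot be replayed later.
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        # 3. Nonce uniqueness: the same message cannot be delivered twice.
        if msg["nonce"] in self.seen_nonces:
            return False, "duplicate nonce"
        # 4. Sequencing: messages must arrive in increasing order.
        if msg["seq"] <= self.last_seq:
            return False, "out-of-order sequence"
        self.seen_nonces.add(msg["nonce"])
        self.last_seq = msg["seq"]
        return True, "ok"
```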
Phishing attack: An attack based on email spoofing or, similarly, on cloned websites.
A phishing attack is the common practice of sending malicious emails that masquerade as though they come from a trusted source.
Phishing attacks often appear to come from easily recognized organizations, such as a large bank or social media site. Attackers often target large groups of people and are often successful because many of their targets will use that bank or website. These victims won’t check if the email is legitimate before clicking on malicious links or downloading malicious attachments.
Attackers may use social engineering techniques and computer programming expertise along with link manipulation, image filter evasion and website forgery to trick victims into believing that the attacker’s content is bona fide.
What does a phishing attack target? Phishing attacks target victims in an effort to steal their private or otherwise sensitive information, such as credit card numbers, social security numbers, or similar personally identifiable information (PII) or website login credentials.
What’s the result of a phishing attack? A successful phishing attack requires a victim to click on a malicious link or input private or sensitive information. If the phishing attack is successful, then the attacker can attempt to use the victim’s information for the attacker’s own gain, often through a variety of identity-theft-related cybercrimes.
How can you prevent a phishing attack? The good news is that most phishing attacks prey on human error. If you exercise critical thinking and are discerning with what emails and websites you interact with, then you can greatly reduce your risk of falling victim to a phishing attack. Use the following strategies to help prevent phishing attacks:
- The simplest method for verifying whether any content is genuine is to ask the listed sender about it. Send an independent email, call the sender, or stop by the sender’s desk and ask.
- Don’t just accept that an email or website is genuine. Make a point of reviewing the content. If you have any doubts about its validity, then don’t engage with it and immediately reach out to your IT department or cybersecurity department.
- Hover your mouse cursor over any links. Don’t immediately click them. Your cursor should display the URL that the link will lead you to. Use critical thinking to determine whether it’s legitimate.
- Check the email headers of messages you receive. These headers are key to understanding how an email made it to your email address. Review the “Reply-To” and “Return-Path” headers. They should carry the same domain or address that sent you the email.
- Provided you have access to a sandbox environment, you can test an email’s content there, tracking the log of activity after opening a suspect email or clicking its links.
- Update your network and computer security regularly, including antivirus and anti-malware software and firewalls.
- Never send private information like your social security number or credit card number over email. ⁽¹¹⁾
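The header check from the list above, as an added example not drawn from the original article. The two messages are constructed samples; the function compares the Reply-To and Return-Path domains with the From domain and reports each disagreement.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample: the visible From domain differs from both Reply-To and
# Return-Path, the pattern the checklist above says to look for.
SAMPLE_SUSPICIOUS = """From: "Example Bank Support" <support@example-bank.test>
Reply-To: helpdesk@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
Subject: Urgent: verify your account
To: user@example.org

Please click the link below.
"""

# Constructed sample: all three headers agree.
SAMPLE_CLEAN = """From: "Colleague" <alice@example.org>
Reply-To: alice@example.org
Return-Path: <alice@example.org>
Subject: Lunch
To: bob@example.org

Noon?
"""


def _domain(header_value) -> str:
    """Extract the lower-cased domain from a header such as "Name" <user@host>."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_mismatches(raw_message: str) -> List[str]:
    """Return one finding per header whose domain differs from the From domain."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    findings = []
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value is None:
            continue  # header absent: nothing to compare
        other = _domain(value)
        if other != from_domain:
            findings.append(f"{header} domain {other!r} != From domain {from_domain!r}")
    return findings
```

A mismatch is a reason to look closer rather than proof of phishing, since legitimate bulk mail services often use their own Return-Path domain for bounce handling.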
Spear phishing attack: Similar to a phishing attack, these attacks also use email spoofing or cloned websites.
A spear phishing attack is a specialized and finely targeted phishing attack that not only appears to come from a trusted source, but from one that’s close to the target, such as from within the target’s organization.
Spear phishing attackers are frequently methodical about researching their targets, crafting messages to them that seem personal and relevant.
What does a spear phishing attack target? Spear phishing attacks can target groups of people, such as those that work for the same company or on the same team, in an effort to steal trade secrets or similarly classified information.
What’s the result of a spear phishing attack? Like phishing attackers, spear phishing attackers want to trick you into entering private information like trade secrets, PII or your login credentials. Once acquired, they can sell this information on the deep web or use it to commit identity theft or similar cybercrimes.
What’s scary about spear phishing? Because of how personal and relevant the content of the spear phishing’s messages appear, spear phishing attacks are difficult to identify and defend against. Attackers may look up the name of an organization’s CEO or that of a manager or team lead, and then compose a spear phishing email that masquerades as if it was sent by this authority figure to other accounts within the company.
How can you prevent a spear phishing attack? All the same strategies for defending against phishing attacks also work for defending against spear phishing attacks. ⁽¹²⁾
Drive-by download attack: Drive-by download attacks can install spyware, adware and malware, and even a non-malicious program that you didn’t want to install onto your computer or device.
What does a drive-by download attack target? Hackers locate vulnerable websites and insert malicious script into the site’s HTTP or Hypertext Preprocessor (PHP) code.
What’s the result of a drive-by download attack? This malicious script could directly install malware onto the computer or device of a user who visits that site or sees that pop-up window. The script could redirect the user to another site that’s controlled by the hackers.
What’s scary about a drive-by download attack? Unlike phishing and other spoofing attacks, drive-by download attacks don’t necessarily rely on the user to enable the attacker’s trap. These attacks can engage with a computer or device without the user’s consent.
- Targets don’t have to click a download or install button.
- Drive-by download attacks take advantage of apps, operating systems, and web browsers with security vulnerabilities.
How do you prevent a drive-by download attack? Ensure that your operating systems, browsers and apps are up to date. You can usually verify all your software is up to date by using a check for updates feature. Be sure to use antivirus software and keep it updated. Avoid websites that may contain malicious code in favor of sites that you know are safe. Exercise general caution, as even safe sites can get hacked.
We shouldn’t have to say this, but avoid illegally downloading anything like music or movies and participating in similar forms of internet piracy. There are lots of safe, free-for-use streaming services online that you can use without risk of getting malware or viruses. Try to limit how many unnecessary programs, apps and plug-ins you have on your computers and devices. The more of them you have, the more likely you are to have vulnerabilities that can be exploited. Be careful when you download a new program, app or something similar. Sometimes hackers attempt to bundle unwanted programs for installation along with the desired programs. ⁽¹³⁾
Password attack or password cracking: Users’ passwords and relevant login credentials function almost as a sort of digital collateral for would-be attackers.
What does a password attack target? Password attackers try to steal a single user’s or many different users’ passwords. Attackers may try to access these passwords through the following methods:
- Searching the user’s desk, checking whether the user wrote down their login credentials on a sticky note or in a notebook.
- Attempting password sniffing on the user’s network connection to gain access to unencrypted passwords.
- Applying social engineering or guessing to determine a user’s password.
What’s the result of a password attack? Similar to a phishing attack, if the attack is successful, then the attacker can attempt to use the victim’s password, persistent identifier (PI or PID), or similar private information for the attacker’s own gain, including identity theft and cybercrimes, or selling the victim’s private information on the dark web.
How can you prevent a password attack? Create complex passwords that use a combination of uppercase and lowercase letters and symbols. Set a limit on how many unsuccessful login attempts are allowed. If a user is unable to log in successfully after the designated number of unsuccessful login attempts, then temporarily lock the user out of the account and prompt the user to reset the password. ⁽¹⁴⁾ Locking accounts prevents attackers from trying multiple passwords when they’re attempting to discover the correct one.
The Netwrix article Password Policy Best Practices offers additional guidelines for creating tough-to-crack passwords and for being forward-thinking with your password policies.
Additional types of password attacks include the following examples:
Brute force attack or brute force cracking or brute force: A password attack that uses many password guesses to generate a correct password guess.
What does a brute force attack target? Brute force attacks are password attacks where the attackers try to ascertain a user’s password or personal identification number (PIN) through a trial-and-error approach. Attackers may apply logic to guessing the user’s password, using the user’s name, job title, hobbies or pet’s name.
What’s required for a brute force attack to be successful? Brute force attacks tend to consume lots of time and resources. The success of a brute force attack generally depends on the attack’s computing power and on how many password combinations were tried, as opposed to a complex algorithm.
What’s scary about brute force attacks? Brute force attackers can use automated software to produce a staggering number of diverse guesses, including running through a seemingly infinite combination of letters and numbers. In addition to stealing passwords, brute force attacks can be used to decrypt data or probe the network security of a government or business. ⁽¹⁵⁾
Dictionary attack: A password attack that tries to overcome the security of a password-protected computer, server or network in order to gain access to it.
What does a dictionary attack target? A dictionary attack may use different methods or techniques to gain access to a secure computer, server or network. Dictionary attacks get their name from the technique of trying each word in a dictionary to find the correct password, or the decryption key for messages or documents that were encrypted. A dictionary attack may copy an encrypted message or file that contains the passwords it is trying to recover, then apply the same encryption to a list of common passwords in the hope of finding matching results.
How can you prevent a dictionary attack? Dictionary attacks tend to be ineffective against computers, servers and networks that use multi-word passwords, and against those that use randomly generated combinations of uppercase and lowercase letters, numbers and symbols. A small delay in the server’s response hinders attackers from checking many passwords in a brief time period. As with most password attacks, it’s a good idea to establish automatic temporary locking of an account after a certain number of unsuccessful login attempts. ⁽¹⁶⁾
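The temporary lockout from the password attack section and the delayed response from the dictionary attack section, combined in one added example that is not the article’s own code. Account names, thresholds and the in-memory bookkeeping are assumptions made for the illustration.

```python
from collections import defaultdict


class LoginGuard:
    """Per-account failed-login tracking: a growing delay after each failure and
    a temporary lock after max_attempts failures inside window_seconds.
    Thresholds are constructed defaults, not values from the article."""

    def __init__(self, max_attempts=5, lock_seconds=900, window_seconds=600, max_delay=8.0):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.window = window_seconds
        self.max_delay = max_delay
        self._failures = defaultdict(list)  # account -> timestamps of recent failures
        self._locked_until = {}             # account -> time the lock expires

    def _recent_failures(self, account, now):
        """Drop failures older than the window and return the rest (same list object)."""
        recent = [t for t in self._failures[account] if now - t <= self.window]
        self._failures[account] = recent
        return recent

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def delay_seconds(self, account, now):
        """Delay to impose before answering the next attempt: doubles with each
        recent failure (1 s, 2 s, 4 s, ...) up to max_delay, slowing guessing."""
        n = len(self._recent_failures(account, now))
        return 0.0 if n == 0 else min(2.0 ** (n - 1), self.max_delay)

    def attempt(self, account, password_ok, now):
        """Record one login attempt; returns 'locked', 'ok', 'failed' or 'locked_now'."""
        if self.is_locked(account, now):
            return "locked"          # reject before evaluating the password at all
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = self._recent_failures(account, now)
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lock_seconds
            self._failures.pop(account, None)
            return "locked_now"
        return "failed"
```

Because a lockout can also be triggered deliberately to keep a legitimate user out, pair it with rate limiting per source address and with alerting on repeated lockouts.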
Structured Query Language (SQL) injection attack: These attacks are a recurring issue with database-driven sites.
What does a SQL injection attack target? SQL injection attacks embed malicious code in input to a vulnerable application, and that code is then passed on to the backend database. The malicious code quickly yields backend database query results, runs commands and performs similar actions that the user never requested.
What’s the result of a successful SQL injection attack? Successful SQL injection attacks provide the attacker with access to the database. The attacker is able to read sensitive or private data, insert, update, delete or otherwise modify the data, perform shutdowns on the database and similar administrator operations, send commands to the operating system, or retrieve content from specific files.
What’s scary about a SQL injection attack? Like many other cyber attacks, SQL injection attacks prey on vulnerabilities. SQL offers no substantial distinction between the data plane and the control plane, and most SQL injection attacks succeed against websites that use dynamic SQL. Because older functional interfaces are so common, SQL injection attacks are often successful against PHP and Active Server Pages (ASP) apps.
How can you prevent a SQL injection attack? Applying the least-privilege permissions model in your databases helps boost your resistance to SQL injection attacks. Opt for stored procedures that contain no dynamic SQL, and for prepared statements such as parameterized queries.
Melnick notes that the “code that is executed against the database must be strong enough to prevent injection attacks.” He also argues in favor of validating the “input data against a white list on the application level.” Solid application design boosts resistance against SQL injection attacks. This matters particularly in modules that need user input to support database queries and commands.
Apps built on programmatic interfaces like J2EE and ASP.NET are, unlike PHP and ASP apps, more resistant to SQL injection attacks. ⁽¹⁷⁾
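The dynamic versus parameterized SQL contrast described above, as an added example not taken from the original article. The SQLite table and its rows are constructed for the illustration, and the allow list shows how to handle a column name, which cannot be bound as a parameter and so must be validated at the application level.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """Dynamic SQL: user input is concatenated into the statement, so a quote
    character in `name` changes the query's logic instead of being data."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[tuple]:
    """Parameterized query: the driver sends `name` separately from the SQL text,
    so it is always treated as a value, never as part of the statement."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> List[tuple]:
    """Identifiers cannot be bound as parameters, so validate them against an
    allow list (Melnick's "white list") before building the statement."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT id, name FROM users ORDER BY {sort_by}").fetchall()
```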
Cross-site scripting (XSS) attack:
What does an XSS attack target? XSS attacks target a victim’s private information by exploiting XSS security vulnerabilities and injecting malicious client-side script.
What’s the result of a successful XSS attack? If an XSS attack is successful, then the attacker gains access to the victim’s privileges and the ability to remotely take over the victim’s session before the session cookie expires. The attacker could do the following:
- Hijack the victim’s account
- Record the victim’s keystrokes and capture screenshots of the victim’s activity
- Collect the victim’s network information and private information
- Steal the victim’s cookies
- Establish false advertising
- Connect the victim’s computer to a malicious server
- Implement malicious modifications in the user settings of the victim’s account
How can you prevent an XSS attack? Before reflecting an HTTP request back, developers can sanitize the user’s data input, and ensure that all of the data is validated, filtered or escaped prior to echoing anything back to the user. Special characters, as well as spaces, need to be converted to their HTML or URL encoded equivalents. Ensure that client-side scripts can be disabled by users. ⁽¹⁸⁾
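The escaping advice above, as an added example that is not code from the original article. The sample inputs are constructed; the safe renderer HTML-escapes text, URL-encodes the link’s path and query, and refuses non-http(s) schemes, shown beside the reflecting version it replaces.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed attacker-controlled inputs for the example.
SAMPLE_NAME = "<script>alert(1)</script>"
SAMPLE_SITE = "javascript:alert(1)"


def render_profile_vulnerable(name: str, site: str) -> str:
    """Reflects user input into HTML unchanged: text becomes markup and the
    link target becomes whatever scheme the attacker chose."""
    return f'<p>Hello {name}</p><a href="{site}">site</a>'


def safe_href(site: str) -> str:
    """Rebuild the link from parsed parts so only http(s) URLs with an encoded
    path and query survive; anything else degrades to a harmless "#"."""
    parts = urlsplit(site)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "#"
    href = f"{parts.scheme}://{parts.netloc}{quote(parts.path)}"
    if parts.query:
        href += "?" + quote(parts.query, safe="=&")  # keep the delimiters legal
    return href


def render_profile_safe(name: str, site: str) -> str:
    """Escape each value for the context it lands in: HTML text for the name,
    URL encoding for the link, then HTML attribute escaping for the href."""
    safe_name = html.escape(name, quote=True)
    href = html.escape(safe_href(site), quote=True)
    return f'<p>Hello {safe_name}</p><a href="{href}">site</a>'
```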
Eavesdropping attack: Actual eavesdropping in everyday life involves intercepting communication. Eavesdropping can just be the act of listening to other people talk without them realizing it. It can also be done using technology like microphones, cameras and other recording devices.
Eavesdropping attacks involve an attacker trying to intercept one or more communications sent by the victim. Network eavesdropping, a common name for an eavesdropping attack that involves sniffing for data in the digital world, uses programs to sniff and record packets of a network’s data communications, and then listen to or scan them for analysis and decryption. For example, protocol analyzers can pick up and record the content of voice over IP (VoIP). Specialized software can then convert these recordings into audio files. Laptops, cellphones and other devices with microphones can be hacked by attackers looking to secretly record and receive data.
Because all the network’s communications are forwarded to all the ports and a sniffer simply accepts all incoming data, data sniffing is very easy to perform on a local network that uses a hub. Data sniffing is also easy on wireless networks that don’t broadcast their data securely, so non-recipients with the right tools are able to receive the data.
There are two types of eavesdropping attacks:
Passive eavesdropping attacks: An attacker listens to the digital or analog voice communication transmissions on a network to steal private information. It’s frequently more important to detect passive eavesdropping as opposed to active eavesdropping.
Active eavesdropping attacks, also known as probing, scanning or tampering: Attackers disguise themselves as friendly units and send queries to transmitters to steal private information. Active eavesdropping involves the interception or sniffing of communication data, regardless of its form. These attacks require the attacker to conduct passive eavesdropping to accrue knowledge of the network’s friendly units.
What does an eavesdropping attack target? Attackers target the victim’s private information, such as their passwords, credit card numbers, social security number and similar information that might be transmitted over the network.
For example, VoIP calls made using IP-based communication can be picked up and recorded using protocol analyzers and then converted to audio files using other specialized software.
What’s the result of a successful eavesdropping attack? As with many other types of cyber attack, once attackers have your private information, they can sell it on the deep web or use it to commit identity theft or similar cybercrimes.
What’s scary about an eavesdropping attack? Hacking into devices such as IP phones is also done to eavesdrop on the owner of the phone by remotely activating the speakerphone function. Devices with microphones, including laptops and cellphones, can likewise be hacked to remotely activate their microphones and discreetly send data to the attacker. Data sniffing is easily done on a local network that uses a hub, since all communications are sent to all the ports (non-recipients just drop the data) and a sniffer will simply accept all of the incoming data. The same goes for wireless networking, where data is broadcast, so even non-recipients can receive it if they have the proper tools.
How can you prevent an eavesdropping attack? Data encryption is the best countermeasure for eavesdropping. Passive eavesdropping is usually the precursor to active eavesdropping attacks. If passive eavesdropping can be detected, then active eavesdropping can be prevented. ⁽¹⁹⁾
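To make the hub and wireless point concrete, here is an added example (not code from the original article) of what a passive sniffer recovers from plaintext protocols on a shared medium. The payloads are constructed samples embedded in the script, not a real capture: an HTTP request with Basic authentication, an FTP login, an HTML form login, and one TLS application-data record standing in for encrypted traffic.

```python
"""Added example (not code from the original article): what a passive sniffer
on a hub or an open wireless network recovers from plaintext protocols.
The payloads below are constructed samples, not a real capture."""
import base64
import re
from urllib.parse import parse_qsl

# Constructed TCP payloads, as a sniffer sees them on a shared medium.
SAMPLE_PAYLOADS = [
    b"GET /account HTTP/1.1\r\nHost: bank.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n",
    b"USER bob\r\n",                      # FTP sends the login in the clear
    b"PASS s3cret!\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=carol&password=letmein&next=%2F",
    # A TLS application-data record (content type 0x17): opaque to the sniffer.
    bytes.fromhex("1703030020") + bytes(range(32)),
]

CRED_FIELDS = {"username", "user", "login", "password", "passwd", "pwd"}


def extract_credentials(payload):
    """Return (protocol, field, value) triples recoverable from one plaintext payload."""
    found = []
    text = payload.decode("latin-1")          # never fails; bytes map 1:1 to code points
    if text[:1] == "\x17":                    # TLS record: nothing to read
        return found
    m = re.search(r"Authorization: Basic ([A-Za-z0-9+/=]+)", text)
    if m:
        user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
        found += [("http-basic", "username", user), ("http-basic", "password", pw)]
    m = re.match(r"(USER|PASS) (\S+)\r\n", text)
    if m:
        found.append(("ftp", m.group(1).lower(), m.group(2)))
    if "application/x-www-form-urlencoded" in text and "\r\n\r\n" in text:
        body = text.split("\r\n\r\n", 1)[1]
        found += [("http-form", k, v) for k, v in parse_qsl(body) if k in CRED_FIELDS]
    return found


def sniff(payloads):
    """Run the extractor over every captured payload: the attacker's haul."""
    haul = []
    for p in payloads:
        haul.extend(extract_credentials(p))
    return haul


if __name__ == "__main__":
    for proto, field, value in sniff(SAMPLE_PAYLOADS):
        print(f"{proto:10s} {field:9s} {value}")
```

The TLS record yields nothing, which is the whole argument for encryption in transit; note that even then the sniffer still sees who is talking to whom (addresses, ports, and the server name in the TLS handshake), so encryption hides content, not the existence of the conversation.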
Birthday attacks: These are cryptographic brute-force attacks performed against the hash functions used to verify the integrity of a message, piece of software or electronic signature. Rather than trying to match one particular hash value, the attacker looks for any two inputs that hash to the same value.
For example, a hash function processes a message and produces a fixed-length message digest (MD) that’s independent of the input message’s length. Melnick notes that “this MD uniquely characterizes the message” and continues that the birthday attack refers to the likelihood of discovering two random messages that produce an identical MD when a hash function processes them. Provided an attacker can find a message of the attacker’s own whose MD matches the MD of the victim’s message, the attacker can stealthily replace the victim’s message with the malicious one, and any signature or checksum computed over the original still verifies. ⁽³⁾
On his titular blog, Daniel Miessler notes that birthday attacks make “the brute forcing of one-way hashes easier.” The attack is based on the birthday paradox, which argues that “in order for there to be a 50% chance that someone in a given room shares your birthday, you need 253 people in the room.” ⁽²⁰⁾ The figure that matters for the attack is the other half of the paradox: only 23 people are needed for a 50% chance that some two of them share a birthday, because the number of pairs grows quadratically with the group size while the number of matches to one fixed birthday grows only linearly.
Geeks for Geeks notes that the attack’s success rests on the high probability of collisions among random inputs into a fixed-size output space, which is the birthday problem in another guise: for an n-bit digest, a collision between any two of the attacker’s own inputs is expected after roughly 2^(n/2) attempts, far fewer than the 2^n attempts needed to match one specific digest. ⁽²¹⁾
What does a birthday attack target? It targets the integrity guarantee that a hash or digital signature provides. By exploiting the mathematics of probability theory’s birthday problem, an attacker can substitute one message for another that carries the same digest, and therefore the same valid signature, in communication between two or more people, groups or entities.
What’s the result of a successful birthday attack? In one example regarding the digital signature’s vulnerability, an attacker gets a victim to sign a genuine contract. The attacker then attaches the victim’s signature to a malicious contract with an identical hash value to the genuine contract.
What are some vulnerabilities to a birthday attack and how can you prevent a birthday attack?
For the malicious contract example, the victim can make inoffensive changes to the contract before signing it (adding a space or rewording a clause), which changes its hash and breaks any collision the attacker prepared in advance, and then keep a copy of the exact document that was signed as proof. That copy is evidence that the victim didn’t sign the malicious contract.
Preventing birthday attacks follows the same reasoning as preventing password attacks: just as longer, more complex passwords push brute forcing out of reach, a longer digest pushes collision searching out of reach. Because a birthday attack on an n-bit hash costs about 2^(n/2) work, the hash used in a signature scheme needs twice as many output bits as would be needed against an ordinary brute-force (preimage) search. This is why a 256-bit digest such as SHA-256 is rated for only 128-bit collision resistance, and why MD5 and SHA-1, for which practical collisions have been demonstrated, must not be used for signatures.
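The following is an added example, not code from the original article or from any of the sources it quotes. It computes the two birthday figures above (23 and 253), the expected cost of a collision search, and then carries out the “two contracts” forgery against SHA-256 truncated to 24 bits so that the search finishes in a fraction of a second; the contract texts are constructed samples and the extra variants are made by appending invisible whitespace, the classic trick for producing many equivalent versions of a document.

```python
"""Added example (not from the original article): the birthday bound and the
'two contracts' forgery, against SHA-256 truncated to TRUNC_BITS so the attack
finishes quickly. Contract texts are constructed samples."""
import hashlib
import math

TRUNC_BITS = 24      # toy digest: preimage brute force ~2**24, birthday search ~2**12
GENUINE = "I, Alice, agree to pay Bob $100 for the goods delivered on 3 May."
MALICIOUS = "I, Alice, agree to pay Bob $100,000 for the goods delivered on 3 May."


def min_people(days=365, p=0.5):
    """Smallest group in which some two people share a birthday with probability >= p."""
    prob_all_distinct = 1.0
    for k in range(1, days + 2):
        prob_all_distinct *= (days - (k - 1)) / days
        if 1 - prob_all_distinct >= p:
            return k


def people_sharing_yours(days=365, p=0.5):
    """Smallest group in which someone shares *your* birthday with probability >= p."""
    k = 1
    while 1 - (1 - 1 / days) ** k < p:
        k += 1
    return k


def birthday_tries(bits):
    """Expected number of random inputs before two of them collide on a bits-wide digest."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def short_hash(text):
    """SHA-256 truncated to TRUNC_BITS: the toy hash the forgery is run against."""
    return hashlib.sha256(text.encode()).digest()[: TRUNC_BITS // 8]


def variant(text, i):
    """Variant i of a document: same words, trailing whitespace encoding i in spaces/tabs."""
    return text + "".join(" " if (i >> b) & 1 else "\t" for b in range(TRUNC_BITS))


def forge_pair(genuine, malicious, limit=1 << 18):
    """Find one genuine and one malicious variant with the same truncated digest.
    Growing both tables side by side costs ~2**(bits/2) hashes, not 2**bits."""
    seen_genuine, seen_malicious = {}, {}
    for i in range(limit):
        g, m = variant(genuine, i), variant(malicious, i)
        hg, hm = short_hash(g), short_hash(m)
        if hg == hm:
            return g, m, i
        if hg in seen_malicious:
            return g, seen_malicious[hg], i
        if hm in seen_genuine:
            return seen_genuine[hm], m, i
        seen_genuine[hg] = g
        seen_malicious[hm] = m
    raise RuntimeError("no collision within limit")


if __name__ == "__main__":
    print("any two share a birthday, p>=0.5:", min_people())
    print("someone shares yours, p>=0.5:", people_sharing_yours())
    print(f"{TRUNC_BITS}-bit digest: ~{birthday_tries(TRUNC_BITS):.0f} tries vs 2**{TRUNC_BITS}")
    g, m, rounds = forge_pair(GENUINE, MALICIOUS)
    print(f"collision after {rounds} rounds: {short_hash(g).hex()} == {short_hash(m).hex()}")
```

Once the pair is found, the attacker gets the victim to sign the whitespace-padded genuine text and moves the signature to the malicious one; the victim’s defense of changing the document before signing works precisely because it invalidates the attacker’s precomputed pair.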
ScienceDirect notes that hashes have the property that “the same data will always produce the same hash.” When passwords are stored as plain hashes, attackers exploit this by looking each stolen hash up in a precomputed dictionary of hashes of commonly used passwords.
One solution for this vulnerability is to add a “salt” to each password before hashing, ensuring a different hash for every user even when two users choose the same password. ScienceDirect states that “the salt should be a large random number uniquely generated for that purpose.” It goes on to note that users don’t have to keep the salt private; they can store the salt and the hash together.
Even if attackers obtain both the hashes and the salts, they must compute each guess separately for every user, and a precomputed table or a previously cracked password gives them no shortcut. A salt does not, however, make a weak password strong; pair it with a deliberately slow hash (PBKDF2, bcrypt, scrypt or Argon2) so that every guess is expensive.
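An added example (not from the original article) of the salted, slow scheme above, with the attacker’s side written out so that the limits of a salt are visible. It uses only the standard library; the common-password list is a constructed sample.

```python
"""Added example (not from the original article): per-user random salts with a
slow KDF, and the attacker's side of it, to show what a salt does and does not
buy. Standard library only; the password list is a constructed sample."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000            # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 guidance)
COMMON_PASSWORDS = ["123456", "password", "hunter2", "letmein", "qwerty"]  # constructed


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$digest'; the salt is random per call."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- attacker's view -------------------------------------------------------
def unsalted_hash(password):
    """What a naive system stores: plain SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


RAINBOW = {unsalted_hash(p): p for p in COMMON_PASSWORDS}   # precomputed once, reused forever


def crack_unsalted(sha256_hex):
    """One dictionary lookup cracks an unsalted hash of any common password."""
    return RAINBOW.get(sha256_hex)


def crack_salted(stored, wordlist):
    """With a salt nothing is precomputable: every guess is a fresh KDF run for this user.
    Returns (password_or_None, kdf_runs_spent)."""
    runs = 0
    for guess in wordlist:
        runs += 1
        if verify_password(guess, stored):
            return guess, runs
    return None, runs


if __name__ == "__main__":
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("same password, different records:", a != b)
    print("unsalted sha256 cracked instantly:", crack_unsalted(unsalted_hash("hunter2")))
    guess, runs = crack_salted(a, COMMON_PASSWORDS)
    print(f"salted: weak password still found, but only after {runs} KDF runs for this one user")
```

The last line is the caveat: the salt stops the precomputed table and stops one cracked record from unlocking every user with the same password, but a password that is in the attacker’s wordlist still falls; the iteration count is what makes each guess cost real time.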
Malware or malware attack or malicious software
The most well-known type of cyber attack, malware is unwanted software that’s installed on a victim’s computer without consent. This software is meant to bring harm to the victim’s computer or the victim, although the effects of the malware may not be immediate. Once installed, malware can hide in the victim’s computer and quietly replicate itself.
What does malware target? Malware usually works to steal private data from a victim, delete the victim’s documents or install other malicious software. It can be used to spy on a victim’s internet traffic or user information or damage the victim’s computer system.
How can you prevent getting malware? Preventing malware from reaching your computer is vastly easier than removing it once you’ve been infected. Ensure that you have supported antivirus and anti-malware software that’s enabled and up to date. Use a firewall for additional security, since overlapping defenses foster cyber resilience. Regularly establish recovery points and keep offline backups, so that if your computer does become infected you can restore it from a known-good state.
Several of the most common types of malware include the following:
Macro virus: A macro is a stored sequence of commands that an application such as Word or Excel runs to automate a task. A macro virus is written in the application’s macro language (VBA in Microsoft Office) and is carried inside a document or template rather than in an executable file.
After a macro virus has embedded itself in a document or template, it hooks the application’s automatic actions, such as the macros that run when the program starts or when an existing document is opened.
What does a macro virus target? This malware infects the documents and templates of macro-capable applications, with Microsoft Word and Excel being prominent examples. Infecting the global template (Normal.dotm in Word) lets it reach every document the user opens afterward.
What’s the result of a successful macro virus? The macro virus replicates into other documents and can carry any payload its author chose: corrupting or deleting files, emailing itself to the victim’s contacts, or downloading further malware and stealing the victim’s private information.
What’s scary about a macro virus? Not all macro viruses are detectable by antivirus software, though most are. Word processing programs are especially exposed because the application itself executes the macro: the simple act of opening an existing document can launch an auto-executing macro (AutoOpen or Document_Open in Word). Email attachments, network shares and flash drives are the usual carriers.
Melissa: A macro virus written by David Smith in 1999, Melissa arrived as a Word document that, once opened, used the victim’s Outlook installation to email copies of the document to the first 50 addresses in the victim’s contacts list, perpetuating the infection as those contacts opened the attachment and allowing it to proliferate.
Melissa reportedly affected 1 million computers and caused USD 80 million worth of damages. ⁽²²⁾
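An added example (not from the original article) of the triage check a mail gateway or analyst applies to incoming Office documents: does the file carry a VBA project, and does its extension claim it cannot? Both documents are constructed in memory with zipfile as minimal Office Open XML packages; a legacy binary .doc (OLE2 container) needs a different parser and is rejected here rather than guessed at.

```python
"""Added example (not from the original article): a mail-gateway style triage
check for VBA macros in Office Open XML files (.docm/.xlsm/.pptm, or those
renamed to .doc/.docx). Both documents are constructed in memory with zipfile."""
import io
import zipfile

MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def has_vba_macros(data):
    """True if the OOXML package carries a VBA project (by part name or content type)."""
    if not data.startswith(b"PK\x03\x04"):          # legacy .doc (OLE2/CFB) needs a different parser
        raise ValueError("not an OOXML zip package")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if names & MACRO_PARTS:
            return True
        if "[Content_Types].xml" in names:
            return MACRO_CONTENT_TYPE in z.read("[Content_Types].xml").decode("utf-8", "replace")
    return False


def triage(filename, data):
    """Return a list of reasons to quarantine; an empty list means pass."""
    reasons = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_macros(data):
        reasons.append("contains VBA project")
        if ext not in MACRO_EXTENSIONS:
            reasons.append(f"macro-enabled package with non-macro extension {ext!r}")
    return reasons


def build_document(with_macro):
    """Constructed minimal OOXML package; real documents carry many more parts."""
    ct = ('<?xml version="1.0"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.'
          'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
          + ('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % MACRO_CONTENT_TYPE
             if with_macro else "")
          + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # stand-in blob
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("invoice.docm", build_document(True)),
                      ("invoice.docx", build_document(True)),
                      ("memo.docx", build_document(False))]:
        print(name, triage(name, doc) or "clean")
```

Presence of a VBA project is a reason to look, not proof of malice, since many businesses run legitimate macros; a macro project inside a package whose extension says it cannot have one is a far stronger signal and is worth blocking outright. Reading the macro source itself (to spot AutoOpen handlers that spawn shells or download files) is the next step and needs an OLE parser such as the one in oletools.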
File infector virus or file infecting virus: One of the most common types of malware.
What does a file infector virus target? A file infector virus overwrites existing code in, or inserts its own code into, executable files (.EXE and .COM files on DOS and Windows). Similar to macro viruses, this malware infects programs the victim already runs, such as word processors, spreadsheet applications and games, so that launching the program launches the virus. Depending on the variety, the original file may be partially or totally overwritten (destroying it) or kept intact with the virus appended and the program’s entry point redirected to the added code.
What’s the result of a successful file infector virus? After an infector virus infects a program, it then works to spread itself to other programs on the same computer, and onto other computers on the same network. Some file infector viruses are capable of totally reformatting a hard drive.
What’s scary about a file infector virus? Macintosh, Windows and UNIX are all operating systems that are vulnerable to infector viruses.
Win32.Sality.BK: This file-infector virus was one of the 10 most common malware infections of 2011 and 2012. ⁽²³⁾
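The check that catches an infector modifying executables is a file-integrity baseline: hash every executable while the system is known clean, then compare. The following is an added example (not from the original article) that builds such a baseline, simulates an appending infector and a dropped file in a temporary directory of constructed stand-in files, and reports the differences.

```python
"""Added example (not from the original article): a minimal file-integrity
baseline, the check that catches a file infector appending or overwriting code
in an executable. Files are created in a temporary directory as a constructed
sample."""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root, extensions=(".exe", ".com", ".dll", ".sys")):
    """Map relative path -> (size, sha256) for every executable under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                snap[rel] = (os.path.getsize(full), file_digest(full))
    return snap


def compare(old, new):
    """Classify the differences between two snapshots."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Take a baseline, simulate an appending infector and a dropped file, then diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        app = os.path.join(root, "bin", "app.exe")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x00" * 200)            # stand-in for a PE image
        with open(os.path.join(root, "bin", "tool.com"), "wb") as f:
            f.write(b"\xeb\xfe")                     # stand-in for a tiny .COM program
        before = baseline(root)
        # Appending infector: original bytes kept, code glued on, entry point redirected.
        with open(app, "ab") as f:
            f.write(b"<<stand-in for injected code>>")
        with open(os.path.join(root, "bin", "dropped.exe"), "wb") as f:
            f.write(b"MZ")
        after = baseline(root)
        report = compare(before, after)
        report["size_delta"] = {p: after[p][0] - before[p][0] for p in report["modified"]}
        return report


if __name__ == "__main__":
    print(demo())
```

Two operational points: the baseline must be stored where the malware cannot rewrite it (read-only media or another host), and on a system where a stealth virus is resident the scan must be run from clean boot media, because a resident stealth virus answers file reads with the original, uninfected bytes.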
System or boot-record infectors:
What does a system infector target? System infector viruses infect the executable code by attaching itself to the following, depending on the storage device:
Master boot record – hard drive
DOS bootsector – diskette or USB thumb drive
Victims are usually infected by booting, or merely attempting to boot, from an infected storage device. At startup the firmware reads the boot sector of the first bootable device and executes whatever it finds there; if that device is infected, the virus runs before the operating system does, copies itself into the hard drive’s master boot record (relocating the original boot code so the machine still starts), and from then on loads into memory on every boot.
What’s the result of a successful system infector? After the computer has booted and the virus is resident in memory, it can infect every other storage device the computer writes to, and through those devices reach other computers.
How common are system infector viruses today? SearchSecurity argues that system infectors and other boot viruses are “less common now as today's devices rely less on physical storage media.” ⁽²⁴⁾ UEFI Secure Boot, which verifies the bootloader’s signature before running it, also refuses unsigned boot code; the modern descendants of the boot-sector virus are bootkits that target the firmware and bootloader themselves.
Polymorphic virus: Upon infection, a polymorphic virus duplicates itself by creating working, albeit differently encoded, copies of itself, so that no two infections share the same byte pattern.
What does a polymorphic virus target? This malware targets the signature scanning that antivirus software relies on. Polymorphic viruses conceal their body with encryption: each copy consists of an encrypted virus body plus a small decryption routine, and an affiliated mutation engine rewrites that decryption routine, and picks a new key, for every copy. When the infected program runs, the decryption routine reconstructs the original body in memory and passes control to it.
Infection usually proceeds in the following process:
- The polymorphic virus infects an area of code.
- The mutation engine creates a decryption routine.
- The virus encrypts the following:
- The mutation engine
- A modified duplicate of the virus containing an algorithm that corresponds with the new decryption routine
- The mutation engine and virus are attached to new code.
- Repeat steps 1 through 4.
What’s the result of a successful polymorphic virus? The payload is whatever the author built into the body, no different from any other virus; what polymorphism changes is the form of each copy. Every infected file carries a different encryption key, a different decryption routine and therefore different bytes, so a signature extracted from one infection doesn’t match the next.
What’s scary about a polymorphic virus? Because the mutation engine can be paired with any payload, polymorphic viruses have been written for a broad range of purposes. Because the stored bytes change with every copy, polymorphic viruses are considerably more difficult to detect by scanning for fixed strings.
Techopedia argues that to detect polymorphic viruses, a scanner with strong string detection and the ability to scan different strings is necessary. Most scanners won’t be able to detect a polymorphic virus unless “brute-force programs [are] written to combat and detect the polymorphic virus with novel variant configurations.” ⁽²⁵⁾ In practice, antivirus engines handle this by emulating the suspect code in a sandbox until the decryption routine has unpacked the body, then scanning the decrypted body, which doesn’t change between copies.
Removing a polymorphic virus is more difficult than detecting it: disinfection has to locate and undo a decryption routine and an encrypted body that differ in every infected file, a process that’s time-consuming, costly and complex.
How can you prevent a polymorphic virus infection? Antivirus software with the latest updates and definitions, together with behavior-based detection, can often catch polymorphic viruses in the act of copying and modifying themselves; process inspection tools such as Process Hacker help an analyst examine what a suspicious process is doing in memory.
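The infection steps and the detection problem above are easier to see in a toy. The following is an added example (not from the original article, and not malware): the “body” is a harmless string, the “mutation engine” is a fresh two-byte XOR key and a variable-length pad per generation, and the “decryption routine” is a fixed marker followed by the key. A byte-signature scan misses every generation; emulating the decryptor and scanning the result catches all of them.

```python
"""Added example (not from the original article, and not malware): a toy
showing why a byte signature misses a polymorphic body and how emulating the
decryptor restores a stable signature. The 'body' is a harmless string, the
'mutation engine' is a fresh XOR key and a variable pad per generation."""
import os

BODY = b"stand-in for the virus body, identical in every generation"
SIGNATURE = b"identical in every generation"     # what a naive scanner would look for


def mutate(body=BODY, rng=os.urandom):
    """Produce one generation: [pad][DEC marker][2-byte key][body XOR key].
    Key bytes are forced non-zero so the encrypted body never equals the plain one."""
    key = bytes(b % 255 + 1 for b in rng(2))
    pad = b"\x90" * (rng(1)[0] % 8)                # variable-length filler before the stub
    enc = bytes(b ^ key[i % 2] for i, b in enumerate(body))
    return pad + b"DEC" + key + enc


def naive_scan(sample):
    """Plain byte-signature match on the stored bytes."""
    return SIGNATURE in sample


def emulate_and_scan(sample):
    """What an AV emulator does: run the decryptor stub, then scan the decrypted body."""
    i = sample.find(b"DEC")
    if i < 0 or len(sample) < i + 5:
        return False
    key = sample[i + 3:i + 5]
    body = bytes(b ^ key[j % 2] for j, b in enumerate(sample[i + 5:]))
    return SIGNATURE in body


def generations(n):
    """n independent infections, each with its own key and pad."""
    return [mutate() for _ in range(n)]


if __name__ == "__main__":
    gens = generations(5)
    print("distinct byte images:", len(set(gens)), "of", len(gens))
    print("naive signature hits:", sum(map(naive_scan, gens)))
    print("emulated hits:       ", sum(map(emulate_and_scan, gens)))
```

In this toy the decryptor marker `DEC` is itself a constant that a scanner could match, which is exactly why real mutation engines also rewrite the decryption routine (reordering instructions, inserting junk, swapping registers) rather than only changing the key; the constant that survives all of that is the decrypted body, so emulation is the scanner’s lever.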
Stealth virus: What does a stealth virus target? This malware targets the operating system’s own file and disk functions so that it remains hidden from everything on the victim’s system that relies on them.
What’s the result of a successful stealth virus? Stealth viruses intercept the operating system calls that antivirus and anti-malware software use to read files, disk sectors and memory, and answer them with a clean picture: an infected file is reported with its original size and contents, and an infected boot sector is served from a copy the virus saved elsewhere. Because the compromised system can no longer see the infection, software running on it can’t detect or remove the virus. The virus keeps the manipulated data and its control hooks resident in system memory. Stealth viruses can further avoid antivirus detection by using the following types of self-modification:
Code modification: Altering the code and virus signature of each file that it infects
Encryption: Using simple encryption to encrypt data and using a different encryption key for every infected file
What’s scary about stealth viruses? Stealth viruses can avoid antivirus detection by copying themselves into files, partitions, boot sectors and other places that a scan trusting the infected operating system never sees correctly.
How can you prevent a stealth virus infection?
Antivirus software with the latest updates and definitions should be able to detect a stealth virus as it attempts to get onto your system. Once a stealth virus is resident, scan from trusted, clean boot media (or attach the disk to a clean machine) so that the virus’s hooks aren’t running while the disk is read. ⁽²⁶⁾
Brain: Widely considered the first PC virus and the first to use stealth techniques, Brain appeared in 1986 and ran on MS-DOS. It infected the boot sector of 5.25-inch floppy disks and, when the infected sector was read, returned the original boot sector instead; through the 1980s it spread to computer systems worldwide.
Trojan or Trojan horse: True to its namesake, a Trojan masquerades as a benign program until it’s activated, when it’s revealed to be malicious. Unlike viruses, Trojans don’t self-replicate.
What’s the result of a successful Trojan infection? Trojans actively undermine the victim’s system, frequently establishing vulnerabilities that the attacker can exploit, such as opening a high-numbered listening port that lets the attacker connect to the victim’s computer and gain access to the victim’s system. ⁽²⁷⁾
Several results of a Trojan infection include the following examples:
- Keyloggers monitoring the victim’s activity and helping the attacker steal the victim’s passwords, credit card numbers, or similar private information
- Gaining control of the victim’s webcam to monitor or record video of them
- Taking screenshots of the victim’s computer activity
- Using the victim’s computer to forward Trojans and other viruses and malware to vulnerable computers on the victim’s network
- Formatting the victim’s storage devices
- Stealing, encrypting, deleting or otherwise manipulating files and file systems on the victim’s computer
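The listening port a backdoor opens is one of the few artifacts a defender can check directly. The following is an added example (not from the original article) with two checks: parsing the host’s own listener list (in the format `ss -tlnp` prints on Linux) against an allow-list of expected services, and comparing that list with the result of a port scan from another machine, because a Trojan or rootkit that hides from the host’s tools cannot hide from the network. Both the `ss` output and the external scan result are constructed samples.

```python
"""Added example (not from the original article): two checks for the
'high-numbered listening port' a backdoor Trojan opens. First, parse the
host's own listener list (ss -tlnp format) against an allow-list; second,
compare it with an external port scan, because a Trojan that hides from the
host's tools cannot hide from the network. Both inputs are constructed samples."""
import re

# Constructed `ss -tlnp` output from a web server that should only expose 22 and 443.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1043,fd=6))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      5      0.0.0.0:31337       0.0.0.0:*         users:(("svchost",pid=4471,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""
ALLOWED = {("sshd", 22), ("nginx", 443)}          # (process, port) pairs expected to be exposed
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """One dict per LISTEN line: addr, port, process, pid."""
    out = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PROC_RE.search(m.group("proc"))
        out.append({"addr": m.group("addr"), "port": int(m.group("port")),
                    "process": p.group(1) if p else None,
                    "pid": int(p.group(2)) if p else None})
    return out


def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Exposed (non-loopback) listeners not on the allow-list; high ports are the classic tell."""
    findings = []
    for ln in parse_listeners(ss_output):
        if ln["addr"] in LOOPBACK:
            continue
        if (ln["process"], ln["port"]) not in allowed:
            ln["reason"] = "unregistered high port" if ln["port"] >= 1024 else "unexpected service port"
            findings.append(ln)
    return findings


def hidden_listeners(ss_output, external_scan_ports):
    """Ports open from the network but absent from the host's own view: rootkit/RAT territory."""
    local = {ln["port"] for ln in parse_listeners(ss_output) if ln["addr"] not in LOOPBACK}
    return sorted(set(external_scan_ports) - local)


if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_SS):
        print(f"{f['reason']}: {f['process']} (pid {f['pid']}) on {f['addr']}:{f['port']}")
    # Constructed result of a port scan run from another host against this server.
    print("open from outside but invisible locally:", hidden_listeners(SAMPLE_SS, {22, 443, 31337, 4444}))
```

The process name `svchost` on a Linux host is itself a giveaway in the sample, but the check deliberately keys on (process, port) pairs rather than names alone, since a backdoor can name itself anything. A listener that only the external scan reports (port 4444 in the sample) means the host’s view has been tampered with and the machine should be treated as fully compromised rather than cleaned in place.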
Some of the most common types of Trojans include the following examples:
Backdoor Trojan: A backdoor Trojan creates a backdoor vulnerability in the victim’s system that allows the attacker to gain remote control over the victim’s infected computer, giving the attacker almost total control over the victim’s system.
What’s the result of a successful backdoor Trojan infection? This Trojan is frequently used to link up a group of victims’ computers into a botnet or zombie network that can then be used for cybercrime.
Downloader Trojan: Attackers use this Trojan to download from the internet and install other Trojans and viruses, and hide malicious programs.
What’s scary about a downloader Trojan? Some antivirus programs are unable to scan all the components within this Trojan.
Infostealer Trojan: This Trojan tries to steal private information from the victim’s computer and aggregate as much of it as possible.
After the Infostealer collects the victim’s private information, it forwards it back to the attacker.
What’s scary about an infostealer Trojan? Infostealer Trojans often use keylogging to gather email passwords, bank account information, credit card numbers, and similar private information from the victim.
Remote access Trojan (RAT): The acronym is shared with legitimate remote administration tools, and the underlying capability is the same; what makes it a Trojan is that it’s installed without the owner’s knowledge and serves the attacker.
A RAT has a backdoor that gives the attacker administrative control over the victim’s computer. RATs are secretly downloaded along with a game or other user-requested program or as part of an email attachment.
After the victim’s computer is infected, the attacker may use it to spread the RAT to other computers on the network and create a botnet or zombie network.
What’s scary about a RAT? RATs don’t usually display in a computer’s list of running programs and tasks. This ability makes them difficult for antivirus software to detect. This issue is exacerbated because, once a system is infected, the attacker can often hide any change in the victim’s system’s resources and performance, preventing any system alerts from occurring. ⁽²⁸⁾
Data-sending Trojan: This Trojan works to syphon private or other information from the victim’s computer back to the attacker. While this information is often something like a victim’s passwords or credit card numbers, it can also be less sensitive.
Data-sending Trojans can also aggregate information about a victim’s internet activity for relevant ads looking to target the user.
A duplicitous version of this Trojan is found with antivirus or anti-malware software ads that inform victims that their computers are infected with a Trojan.
For example, “Your computer is infected with a virus. For $19.99, Trojan Buster, Inc. can remove it.”
These ads are boosted by the data-sending Trojan for a product that’s meant to remove the virus itself from the victim’s computer. ⁽²⁹⁾
Trojan.FakeAV: Similar to a data-sending Trojan, a Trojan.FakeAV is a program that masquerades as legitimate security software on the victim’s computer. This Trojan displays fake scans and alert messages about a non-existent malware or virus infection or similar security issue and prompts the victim to purchase its recommended antivirus product as the solution.
Trojan.FakeAVs can be installed by downloader Trojans or other malware.
Symantec (Norton) argues that one vendor is probably responsible for 80 percent of all misleading applications, and that most of these applications are clones or reskins that look different but behave identically.
Destructive Trojan: True to its name, a destructive Trojan is designed to destroy or delete files and not steal information. Destructive Trojans don’t replicate themselves.
What’s scary about a destructive Trojan? They’re usually programmed to perform like a logic bomb and attack the victim’s computer. After a system is infected, a destructive Trojan begins arbitrarily deleting files, folders and registry entries, which can cause OS failure. ⁽³⁰⁾
Proxy Trojan: As its name implies, proxy Trojans hijack their victim’s computer, converting it into a proxy server, part of a botnet.
Similar to a RAT, the proxy Trojan is secretly downloaded along with a legitimate download or attachment or is disguised as a legitimate software download or attachment. ⁽³¹⁾
Trojan-GameThief: Similar to a data-sending Trojan, the Trojan-GameThief steals its victim’s user account information for online games and transmits it back to the attacker. ⁽³²⁾
Trojan-Ransom: Similar to ransomware, this Trojan modifies victims’ computers using encryption or another means that prevents the victims from fully using or accessing their data until the attacker’s ransom has been paid. ⁽³³⁾
Logic bomb, slag code or malicious logic: This malicious software functions like a time bomb. A logic bomb remains inactive until it’s triggered at a preprogrammed date and time or when certain logical conditions are met. Once triggered, the logic bomb damages the victim’s computer through data corruption, file deletion or wiping of the hard drive. Like Trojans, worms and other malware, logic bombs are secretly installed on a victim’s computer as malicious code and then remain hidden until they’re triggered.
What’s a logic bomb used for? Logic bombs are frequently used by attackers to get revenge on a victim or for cyber sabotage against a victim’s work. Logic bombs can also be used for less malicious means, such as for free software trials that deactivate the program after a predetermined date or amount of time.
What’s scary about a logic bomb? Techopedia notes that former White House counter terrorism expert, Richard Clarke, expressed considerable concern about the vulnerabilities of the United States to logic bombs. Because the US infrastructure relied more on computer networks than other modern countries, a precise series of logic bomb attacks could shut down much of the US urban transit and banking systems.
How can you prevent a logic bomb attack? In addition to the usual tips for boosting cyber resilience, such as maintaining up-to-date antivirus software and running regular virus scans for all files on your computer, you can also practice the following to protect your enterprise against logic bombs:
- Promote regular cybersecurity and cyber resilience training and education.
- Ensure that the auto-protect and email screening features are activated.
- Individually protect all computers within your networks.
- Establish regular recovery points for your systems. This process won’t necessarily protect you from a logic bomb attack, but it will allow you to recover more quickly following an attack. ⁽³⁴⁾
Worm: A worm is a type of malware that doesn’t need a host file: it replicates itself as it travels across computers and networks, leaving a copy of itself in the memory of each computer it reaches. Not every worm carries a destructive function; some do nothing beyond spreading. The part of a worm’s code that does the damage is called its payload.
What does a worm target? Attackers often infect victims’ computers by sending worms as email attachments that masquerade as coming from trusted senders, tricking victims into opening or downloading them and activating the worm. Worms also spread with no user action at all by exploiting vulnerabilities in network services on reachable hosts, which is why a single infection can reach an entire network in minutes.
What’s the result of a successful worm infection? Once infected, a worm will attempt to send copies of itself to the contacts listed in the victim’s email account and address book. Worm infection can result in overloading email servers and denial-of-service attacks against the network’s nodes and other malicious activities. ⁽³⁵⁾
Stuxnet: Arguably the most famous or infamous computer worm, Stuxnet was first identified in June 2010 by the Belarusian antivirus company VirusBlokAda. A weapon of cyberwarfare and an intricately complex worm, it was eventually shown to target the Siemens programmable logic controllers driving uranium-enrichment centrifuges at Iran’s Natanz facility, sabotaging Iran’s nuclear program by driving the centrifuges outside their safe operating range while feeding the operators normal-looking readings. ⁽³⁶⁾
Dropper or virus dropper:
What does a dropper target? Droppers are programs that carry a malicious payload, or fetch one, and harm their victim’s computer by “dropping” (installing) it. They’re often hidden within downloads or malicious email attachments that appear to come from a trusted sender.
What’s the result of a successful dropper infection? After hiding themselves within their victim’s computer or directory, droppers launch the payload that was contained within them. Dropper viruses are often Trojans and virus installation happens in the form of the payload. A dropper’s payload can cause its victim’s computers to suffer performance issues like slowdown. Droppers can also be used to aggregate and steal private information.
What’s scary about a dropper? Because they don’t necessarily contain malicious code, droppers can be difficult for antivirus software to detect and isolate. Sophisticated droppers can connect to the web to receive updates against antivirus software to help them avoid detection.
How can you prevent a dropper infection? In addition to general cyber resilience practices, anti-spyware software is considered to be the most effective tool for dropper detection and removal. ⁽³⁷⁾
Ransomware, crypto virus, crypto Trojan or crypto worm: Malicious email attachments, infected software downloads and visiting malicious websites or clicking malicious links are how most computers get infected with ransomware. Some malicious applications can masquerade as the police or a government agency, claim that a victim’s system is locked down for security reasons and that a fee or fine is required for them to regain access to it.
What does ransomware target? This malware infects a victim’s computer or system and locks or otherwise limits access to that computer or system until a ransom is paid to relinquish the attacker’s control over it.
What’s the result of a successful ransomware infection? More sophisticated ransomware uses encryption for crypto-viral extortion: it encrypts the victim’s files with a key only the attacker holds, so that recovering them without the correct decryption key is computationally infeasible. The ransomware then displays messages prompting the victim to pay a ransom to regain access to the files. ⁽³⁸⁾
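Because the encryption itself is unbreakable once it has finished, the useful host-side detection fires while it is happening. The following is an added example (not from the original article) of a heuristic that combines three signals none of the usual workloads produces together: a burst of file rewrites in a short window, each new version near-random (high Shannon entropy), most with a changed extension. The write events are constructed samples.

```python
"""Added example (not from the original article): a host-side heuristic for the
moment crypto-ransomware starts rewriting user files, combining a burst of
rewrites, high-entropy new contents and changed extensions. The write events
are constructed samples."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated byte, 8.0 for perfectly uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(events, window=10.0, min_files=20, entropy_floor=7.0,
           known_ext=(".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".zip")):
    """events: iterable of (timestamp_seconds, path, new_bytes).
    Returns the first window in which min_files suspicious rewrites occur, else None."""
    suspicious = []
    for ts, path, data in events:
        high = shannon_entropy(data) >= entropy_floor
        ext_changed = not path.lower().endswith(known_ext)
        if high and ext_changed:        # zip/jpg are high-entropy too; the extension disambiguates
            suspicious.append(ts)
    suspicious.sort()
    start = 0
    for end, ts in enumerate(suspicious):
        while ts - suspicious[start] > window:
            start += 1
        if end - start + 1 >= min_files:
            return {"window_start": suspicious[start], "window_end": ts, "count": end - start + 1}
    return None


def sample_events(seed=7):
    """Constructed file-write events: normal edits, one legitimate high-entropy
    photo, then a burst of 50 files rewritten as ciphertext with a new extension."""
    rng = random.Random(seed)
    text = b"Quarterly report: revenue up 4 percent, costs flat.\n" * 20
    events = [(t * 20.0, f"docs/report{t}.txt", text + b" edited") for t in range(3)]
    events.append((70.0, "photos/holiday.jpg", bytes(rng.getrandbits(8) for _ in range(1024))))
    events += [(100.0 + i * 0.1, f"docs/file{i}.docx.locked",
                bytes(rng.getrandbits(8) for _ in range(1024))) for i in range(50)]
    return events


if __name__ == "__main__":
    print("text entropy:", round(shannon_entropy(b"Quarterly report" * 50), 2))
    print("alert:", detect(sample_events()))
```

The thresholds are starting points to tune per host: a backup job or an archiver legitimately writes many high-entropy files, but it keeps or predictably changes extensions and usually writes to one destination. Whatever fires the alert, the response is the same: isolate the host from shares and backups first, since the encryption loop is still running.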
Ransomware attacks against governments worldwide: As of the end of October 2019, CNN reports that there have been 140 ransomware attacks that targeted state and local branches of the US government, including attacks on government offices, hospitals and healthcare providers. The US isn’t alone when it comes to ransomware attacks. Small and large governments around the world are falling victim to ransomware attacks.
The ensuing paralysis halts government functions and services, such as the distribution of water and power utilities or the ability of residents to pay their bills. In some cases, hospitals were unable to admit new patients and struggled to deal with the existing patients in their care. ⁽³⁹⁾
RobbinHood: This ransomware was responsible for attacks on and damage to the following US cities:
- Greenville, NC, April 2019
- Baltimore, MD, May 2019 ⁽⁴⁰⁾
The March 2018 attack on Atlanta, GA, often cited alongside these, was the work of a different ransomware family, SamSam.
Adware, freeware or pitchware: Adware is commonly used in web-based marketing online as advertising banners that display while a program is running, such as pop-ups. Adware can be downloaded automatically to your computer without your permission while you are browsing online.
There are generally two categories of adware:
- Legitimate, which offers free or trial versions of products
- Spyware that compromises users’ privacy and tracks their website history and preferences
Blurring the line between these categories, some adware can appear legitimate but use spyware to collect search data from a victim’s browser for targeted, user-specific advertisements.
How can you prevent getting adware or remove it? Licensed anti-adware software is often better at removing adware from a computer than unlicensed versions. Some antivirus programs have packages that include anti-adware software. ⁽⁴¹⁾
Spyware: If you use peer-to-peer (P2P) file-sharing software, you’re at greater risk of getting spyware or a virus on your computer. Tracking cookies resemble spyware in what they collect, but they are data stored by your browser, not software running on your computer.
What does spyware target? Similar to how adware functions, spyware is infiltration software that monitors unsuspecting victims and collects information about them, their computers, and what sites they visit. Victims often get spyware by installing a free online software that has spyware bundled with it or by clicking on a malicious link.
What’s the result of a successful spyware infiltration? Spyware discreetly tracks user activity, including the user’s private information, and forwards it to a remote location or back to its creator. Spyware can also download and install other malicious programs onto its victim’s computer.
How can you prevent a spyware infection? Updated anti-spyware software is a good tool for detecting and removing spyware from your computer. Antivirus software isn’t always able to detect spyware. ⁽⁴²⁾
- "ISO Standards Maintenance Portal." International Organization for Standardization (ISO). standards.iso.org
- “Cyberattack.” Techopedia. https://www.techopedia.com/definition/24748/cyberattack
- Jeff Melnick. “Top 10 Most Common Types of Cyber Attacks.” Netwrix Blog. 15 May 2018. https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/
- “Teardrop Attack.” Techopedia. https://www.techopedia.com/definition/4136/teardrop-attack
- “Smurf Attack.” Techopedia. https://www.techopedia.com/definition/17294/smurf-attack
- “Ping of Death.” Techopedia. https://www.techopedia.com/definition/4051/ping-of-death
- “Man-in-the-Middle Attack (MITM).” Techopedia. https://www.techopedia.com/definition/4018/man-in-the-middle-attack-mitm
- “Session Hijacking.” Techopedia. https://www.techopedia.com/definition/4101/session-hijacking
- “IP Spoofing.” Techopedia. https://www.techopedia.com/definition/3993/ip-spoofing
- “Replay Attack.” Techopedia. https://www.techopedia.com/definition/21695/replay-attack
- “Phishing.” Techopedia. https://www.techopedia.com/definition/4049/phishing
- “Spear Phishing.” Techopedia. https://www.techopedia.com/definition/4121/spear-phishing
- “Drive-By Download.” Techopedia. https://www.techopedia.com/definition/15423/drive-by-download
- “Password Cracking.” Techopedia. https://www.techopedia.com/definition/4044/password-cracking
- “Brute Force Attack.” Techopedia. https://www.techopedia.com/definition/18091/brute-force-attack
- “Dictionary Attack” Techopedia. https://www.techopedia.com/definition/1774/dictionary-attack
- “SQL Injection.” Techopedia. https://www.techopedia.com/definition/4126/sql-injection
- “Cross Site Scripting (XSS).” Techopedia. https://www.techopedia.com/definition/24435/cross-site-scripting-xss
- “Eavesdropping.” Techopedia. https://www.techopedia.com/definition/13612/eavesdropping
- Daniel Miessler. “The Birthday Attack.” DANIELMIESSLER, 28 June 2014. https://danielmiessler.com/study/birthday_attack/
- “Birthday attack in Cryptography.” GeeksforGeeks. https://www.geeksforgeeks.org/birthday-attack-in-cryptography/
- “Macro Virus.” Techopedia. https://www.techopedia.com/definition/4012/macro-virus
- “File-Infecting Virus.” Techopedia. https://www.techopedia.com/definition/55/file-infecting-virus
- “virus (computer virus).” SearchSecurity. https://searchsecurity.techtarget.com/definition/virus
- “Polymorphic Virus.” Techopedia. https://www.techopedia.com/definition/4055/polymorphic-virus
- “Stealth Virus.” Techopedia. https://www.techopedia.com/definition/4130/stealth-virus
- “Trojan Horse.” Techopedia. https://www.techopedia.com/definition/5484/trojan-horse
- “RAT (remote access Trojan).” SearchSecurity. https://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan
- “Data-Sending Trojan.” Techopedia. https://www.techopedia.com/definition/51/data-sending-trojan
- “Destructive Trojan.” Techopedia. https://www.techopedia.com/definition/53/destructive-trojan
- “Proxy Trojan.” Techopedia. https://www.techopedia.com/definition/4070/proxy-trojan
- “Trojan-GameThief.” encyclopedia by Kaspersky. https://encyclopedia.kaspersky.com/knowledge/trojan-gamethief/
- “Trojan-Ransom.” encyclopedia by Kaspersky. https://encyclopedia.kaspersky.com/knowledge/trojan-ransom/
- “Logic Bomb.” Techopedia. https://www.techopedia.com/definition/4010/logic-bomb
- “Worm.” Techopedia. https://www.techopedia.com/definition/4171/worm
- “What is a computer worm, and how does it work?” Norton by Symantec. https://us.norton.com/internetsecurity-malware-what-is-a-computer-worm.html
- “Dropper.” Techopedia. https://www.techopedia.com/definition/54/dropper
- “Ransomware.” Techopedia. https://www.techopedia.com/definition/4337/ransomware
- Allen Kim. “In the last 10 months, 140 local governments, police stations and hospitals have been held hostage by ransomware attacks.” CNN Business, 8 October 2019. https://www.cnn.com/2019/10/08/business/ransomware-attacks-trnd/index.html
- Emily Sullivan. “Ransomware Cyberattacks Knock Baltimore's City Services Offline.” NPR, 21 May 2019. https://www.npr.org/2019/05/21/725118702/ransomware-cyberattacks-on-baltimore-put-city-services-offline
- “Adware.” Techopedia. https://www.techopedia.com/definition/4215/adware
- “Spyware.” Techopedia. https://www.techopedia.com/definition/4125/spyware