InfoSec Essentials: SME Threats & Attack Vectors

Posted by ISL Admin on Friday, September 12, 2014
SMEs usually do not pay much attention to their information security. This negligence poses a serious threat to the business, and attack vector analysis is an important part of vulnerability analysis. An attack vector is the method or means by which a vulnerability is exploited in order to perform a cyber attack. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.


Malware
Malware is a term that includes computer viruses, worms, trojans and any other kinds of malicious software. Sometimes, employees and end-users within an organization might receive an email carrying a worm, or download spyware when visiting a website infected with malicious code. Alternatively, in order to get work done, employees may decide to install unlicensed (and thus pirated) software. This practice, besides being illegal, is also dangerous, as hiding code in pirated applications is a common method malware writers use to target end-users' computers. An organization that operates efficiently usually has established ways to share files and content across the organization. These methods can also be abused by worms to further infect computer systems on the network. Computer malware does not have to be introduced manually or consciously. Common software installed on desktop computers, such as browsers, Adobe Acrobat Reader or Flash, has its fair share of security weaknesses. These security vulnerabilities are exploited by malware programmers to automatically infect victims' computers. This type of attack is known as a drive-by download because the users have no knowledge of malicious files being downloaded onto their computers.

Social engineering
Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information, rather than the exploitation of flaws within the technology. It differs from a traditional fraud scheme as it is often more complex. A phishing attack is a type of social engineering attack that is normally opportunistic and targets a subset of society. The easiest way to perform a large-scale phishing attack is through fake e-mail messages claiming to originate from a trusted source. When the end-user follows the instructions in the email, he or she is directed to reveal sensitive or personal information such as passwords, PIN codes and credit card numbers. Spear-phishing is a very special phishing attack targeting individuals and key users.

Attacks on physical systems
Internet-borne attacks are not the only security issue that organizations face. Laptops and mobile devices often hold sensitive information about the organization. These devices often contain company documents and are used to log on to the company network. Due to their nature, such devices have a high risk of physical theft. In the first half of 2014, 290.651 thefts involving computer equipment were reported by police forces across the entire UK.
Unprotected endpoints pose another threat affecting physical security. USB ports and CD/DVD drives can both be used to leak data and introduce malware on the network. A USB stick that is mainly used for work and may contain sensitive documents becomes a security risk if it is taken home, left lying around and used by other members of the family on their personal PC. This is typically a case of negligence, but it can also be the work of a targeted attack, where internal employees can take large amounts of information out of the company. The examples above are not a sci-fi scenario: if incidents like these happen to governments and major hospitals that have standard operating procedures for handling such situations, why should they not happen to smaller enterprises? Small and medium-sized enterprises may overlook the importance of securing the physical network and server room to prevent unauthorized persons from gaining access. Open network points and unprotected server rooms can allow disgruntled employees and visitors to connect to the network and launch attacks such as ARP spoofing to capture unencrypted network traffic and steal passwords and content.

Authentication and privilege attacks
Passwords remain the number one vulnerability in many systems. Nowadays most people have to remember on average 17 passwords, according to a survey in 2012 in Norway. The password used for company business should not be the same one used for webmail accounts, site memberships and so on. Password policies can go a long way to mitigate the risk, but if the password policy is too strict, people will find ways and means to get around it. They will write their passwords on sticky notes, share them with their colleagues or simply find a keyboard pattern (1q2w3e4r5t) that is easy to remember, but also easy to guess. Most complex password policies can be easily rendered useless by non-technological means.
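To illustrate the keyboard-pattern problem described above, here is an added example (not part of the original post) of a check that flags keyboard walks which a composition-only policy accepts. The composition rule, the grid approximation of a US QWERTY layout and the 0.7 threshold are assumptions chosen for illustration.

```python
"""Keyboard-walk check to sit beside a composition-only password policy."""

# Assumption: US QWERTY layout, approximated as a grid (row stagger ignored).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
# Fold shifted symbols back onto their base keys, e.g. "!" -> "1".
UNSHIFT = str.maketrans("!@#$%^&*():<>?", "1234567890;,./")

WALK_THRESHOLD = 0.7  # hypothetical cut-off, tune against real data


def meets_composition(password: str) -> bool:
    """Hypothetical composition rule: 8+ characters, letters and digits."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _adjacent(a: str, b: str) -> bool:
    """True when both keys are on the grid and at most one step apart."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_ratio(password: str) -> float:
    """Fraction of consecutive character pairs that are neighbouring keys."""
    keys = password.lower().translate(UNSHIFT)
    if len(keys) < 2:
        return 0.0
    hits = sum(_adjacent(a, b) for a, b in zip(keys, keys[1:]))
    return hits / (len(keys) - 1)


def acceptable(password: str) -> bool:
    """Composition rule plus rejection of keyboard walks."""
    return meets_composition(password) and walk_ratio(password) < WALK_THRESHOLD


if __name__ == "__main__":
    # "1q2w3e4r5t" is the pattern from the text; the others are constructed.
    for pw in ("1q2w3e4r5t", "!QAZ2wsx", "maple7river2"):
        print(f"{pw!r}: composition={meets_composition(pw)} "
              f"walk={walk_ratio(pw):.2f} acceptable={acceptable(pw)}")
```

Both walk patterns satisfy the composition rule yet are rejected once adjacency is measured, while the constructed non-walk password passes both checks.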