There are many ways to expose, alter, disable, destroy, steal or gain unauthorized access to computer systems, infrastructure, networks, operating systems and IoT devices.
In general, attack vectors can be split into passive or active attacks:
A. Passive Attacks
A hacker attempts to gain access or make use of information from the system but does not affect system resources, such as typosquatting, phishing and other social engineering based attacks.
B. Active Attacks
A hacker attempts to alter a system or affect its operation such as malware, exploiting unpatched vulnerabilities, email spoofing, man-in-the-middle attacks, domain hijacking and ransomware.
You see, most attack vectors share some similarities:
-
Attacker identifies a potential target.
-
Attacker gathers information about the target using social engineering, malware, phishing, OPSEC and automated vulnerability scanning.
-
Attackers use the information to identify possible attack vectors and create or use tools to exploit them.
-
Attackers gain unauthorized access to the system and steal sensitive data or install malicious code.
-
Attackers monitor the computer or network, steal information or use computing resources.
IMPORTANT:
One often overlooked attack vector are your third and fourth-party vendors and service providers. It doesn't matter how sophisticated your internal network security and information security is, if vendors have access to sensitive data they are as much a risk to your organization.
This is why it is important to measure and mitigate third-party risk and fourth-party risk. This means it needs to be part of your information security policy and information risk management program.
You should consider investing in threat intelligence tools that help automate vendor risk management and automatically monitor your vendor's security posture and notify you if it worsens.
Every organization now needs a third-party risk management framework, vendor management policy and vendor risk management program.
Before considering a new vendor, you must perform a cybersecurity risk assessment to understand what attack vectors you could be introducing to your organization by using them and ask about their SOC 2 compliance.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM
