Cyber attacks against companies and protection | OnlineSim
Jul 14 21:31:15, 2023
Part 3: Common types of attacks against companies and ways to protect against them
When hackers try to steal money from companies, they use not only phishing, MITM and malware, but also cyberattacks specifically targeted at companies.
In the previous two articles, we talked about the types of cyberattacks that target ordinary users and aim to steal their personal information, banking details and online accounts.
In this article, we describe the types of attacks that hackers launch against companies in order to steal money or sensitive information.
Data breach attacks
Not every data breach is an insider attack, but the ones covered here are: attacks that are only possible through the actions of the company's own people. It works like this: an employee with access to important files copies them, sells them online as a database or uses them to blackmail the company's management.
This type of fraud typically occurs in small businesses, where employees often share several business accounts and can therefore reach an important file and steal it without any further check.
How to protect against insider attacks
First of all, the company must have a working access control system. Secondly, access must be granted by role: each employee gets only the data his/her job responsibilities require, and accounts are not shared between people, so that every access can be traced to one person.
Companies should also train employees to recognize insider threats and to notice when a hacker is trying to take advantage of them.
DNS attacks
These attacks exploit weaknesses in DNS servers and resolvers. Two aspects matter here:
DNS spoofing (aka DNS cache poisoning). The attacker gets a forged DNS record into a resolver's cache, so that the real website's name resolves to an address the attacker controls. Users who look up the attacked website are then sent to a malicious site instead.
Information compromise. Once the user has been redirected to the rogue IP address, the attacker can collect that user's login details and other personal information, usually without the user noticing that anything has been compromised.
The attack works like this: the hacker gets the resolver to accept a record that maps the real website's name to a fake IP address. When a user visits the website, he/she lands on the fake one and does not notice the difference, because the name in the address bar is the one he/she typed. For example, if someone replaces the DNS record for www.site.com, every link pointing to that site leads to the rogue server. The hacker also copies the design of the original site so that the fake one does not give itself away. One thing the attacker cannot copy is a valid TLS certificate for www.site.com, so on an HTTPS site the browser shows a certificate warning; the attack then relies on the site not using HTTPS or on the user clicking through the warning.
This naturally harms the affected company's income and reputation: it loses customers and money, and the deceived users may stop using its services and publish negative reviews online.
There are other types of DNS fraud, but they are more complicated than the plain replacement of an IP address and would take a separate article to explain. The point remains the same: the user's resolver accepts a forged DNS record as a real one and directs the user to a rogue website.
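To make the "resolver accepts a forged record" step concrete, here is an added example (not code from the article or from OnlineSim) of the checks a caching resolver applies before trusting a reply, run against a constructed poisoning attempt. Records are modelled as plain dicts rather than wire-format packets, and the names, transaction ID, port and IP addresses are assumptions made up for the illustration.

```python
"""Checks a DNS resolver applies before trusting a reply, shown on a poisoning attempt.

Added example, not from the original article: a minimal model of the resolver side.
Records are plain dicts instead of wire-format packets, and the names, transaction ID,
port and IP addresses are constructed for the illustration.
"""
from __future__ import annotations


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies under it (ns1.site.com is in site.com)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def naive_cache_update(reply: dict) -> list[dict]:
    """What a resolver without checks does: cache every record the reply carries.
    This is the behaviour cache poisoning exploits."""
    return reply["answers"] + reply["additional"]


def validate_reply(query: dict, reply: dict, zone: str) -> dict | None:
    """Return {"cacheable": [...], "dropped": [...]} or None if the reply is rejected.

    query: {"txid", "sport", "qname", "qtype"} as sent to the server for `zone`
    reply: {"txid", "dport", "qname", "qtype", "answers", "additional"} as received
    """
    # 1. Transaction ID and destination port must match the outstanding query.
    #    An off-path attacker has to guess both; random source ports make that hard.
    if reply["txid"] != query["txid"] or reply["dport"] != query["sport"]:
        return None
    # 2. The question section must be the one we asked.
    if (reply["qname"].lower(), reply["qtype"]) != (query["qname"].lower(), query["qtype"]):
        return None
    # 3. Bailiwick rule: keep only records for names the queried server may speak for.
    #    Classic poisoning smuggles "www.site.com A <attacker IP>" into the additional
    #    section of a reply about a domain the attacker controls.
    cacheable, dropped = [], []
    for rr in reply["answers"] + reply["additional"]:
        (cacheable if in_bailiwick(rr["name"], zone) else dropped).append(rr)
    return {"cacheable": cacheable, "dropped": dropped}


# Constructed scenario: the resolver asked attacker.example's name server for its
# own www record, and the server's reply tries to plant a record for www.site.com.
QUERY = {"txid": 0x1A2B, "sport": 51234, "qname": "www.attacker.example", "qtype": "A"}
POISONED_REPLY = {
    "txid": 0x1A2B, "dport": 51234, "qname": "www.attacker.example", "qtype": "A",
    "answers": [{"name": "www.attacker.example", "type": "A", "data": "203.0.113.10"}],
    "additional": [{"name": "www.site.com", "type": "A", "data": "203.0.113.66"}],
}
GUESSED_REPLY = dict(POISONED_REPLY, txid=0x1A2C)  # attacker guessed the wrong txid


if __name__ == "__main__":
    print("naive resolver caches:", [r["name"] for r in naive_cache_update(POISONED_REPLY)])
    result = validate_reply(QUERY, POISONED_REPLY, zone="attacker.example")
    print("checked resolver caches:", [r["name"] for r in result["cacheable"]],
          "drops:", [r["name"] for r in result["dropped"]])
    print("wrong txid accepted?",
          validate_reply(QUERY, GUESSED_REPLY, "attacker.example") is not None)
```

The naive resolver would cache the www.site.com record and send every later visitor to 203.0.113.66; the checked one keeps only the answer about the attacker's own domain. Real poisoning attacks are about defeating check 1 by guessing the transaction ID and port, which is why resolvers randomize both and why DNSSEC (signed records) is the durable fix.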
DDoS attacks
Distributed Denial-of-Service attacks direct large amounts of traffic and requests at the target website to exhaust its bandwidth and processing capacity and render it inoperable.
The traffic is generated by botnets: networks of thousands, sometimes millions, of compromised devices that an attacker controls at once. The devices in such a network are ordinary users' computers, phones and routers infected with specialized malware.
Let's look at an example. Imagine a three-lane highway with a hundred cars on it and no traffic jams; the road was built for roughly the number of cars expected to use it during a day.
Now imagine that instead of a hundred cars, a traffic controller sends thousands onto the road at the same time. The highway is completely jammed, and only a few cars reach their offramp and their destination on time. This is what a DDoS attack looks like: the hacker sends millions of requests to the victim server, which cannot handle all of them at once, so legitimate requests are stuck behind the flood.
There is much more to say about the types of DDoS attacks, but that would require a separate article. Here, we will give you just a general explanation.
There are several main types of DDoS attacks:
A traffic overflow attack (in standard terminology, an application-layer attack) targets the web server's processing resources rather than its network link. Bots request pages that are expensive to serve, for example by reloading a search or catalogue page over and over, until the application runs out of CPU, memory or database connections and starts returning errors, even though the network link itself is not full.
A volumetric attack floods the link with more packets or bytes than it can carry, typically with UDP floods or with amplification through open DNS or NTP servers. Responses get slower and slower, and at some point nothing gets through at all. This type needs the largest botnets.
A protocol attack targets weak points in the network stack or the server software. The bots send half-open connections (SYN floods), malformed packets or invalid requests from many IP addresses, and the server fills its connection table or crashes while trying to process them. This type does not require a large botnet.
How to protect against DNS and DDoS attacks
Create backups. Back up your data at regular intervals and store the copies in encrypted storage. What matters is always having a copy on hand for quick redeployment if a server has to be rebuilt; backups do not stop an attack by themselves.
Establish a corporate response team. Train employees to recognize a DDoS attack, to know whom to call at the hosting provider and how to switch on mitigation quickly.
Make a plan for emergency alerts. Prepare emergency notifications for customers, service providers and employees in the event of a DDoS attack.
And a few more security principles:
use TLS (SSL) certificates, so that a site redirected by a DNS attack cannot be silently impersonated: the rogue server has no valid certificate for your domain;
enable DNSSEC for your domain, so that validating resolvers reject forged records for it;
use a reliable web hosting service;
activate the anti-DDoS protection of your hosting provider or a CDN, since volumetric floods must be absorbed upstream before they reach your server.
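The one check a site can run itself, in front of the application, is a per-client request-rate limit. The following is an added example (not code from the article or from OnlineSim) of a sliding-window counter run over constructed web-server access log lines; the threshold of 20 requests per 10 seconds and the log contents are assumptions for the demonstration.

```python
"""Per-client request-rate check over web-server access log lines.

Added example, not the article's code: a sliding-window counter that flags clients
sending more than N requests in W seconds, the first check an anti-DDoS layer or
WAF applies in front of the application. The log lines are constructed for the
example (Common Log Format); the threshold and window are assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class SlidingWindowLimiter:
    """Keeps, per client, the timestamps of its requests inside the last `window`."""

    def __init__(self, max_requests: int, window: timedelta):
        self.max_requests = max_requests
        self.window = window
        self._hits: dict[str, deque[datetime]] = defaultdict(deque)

    def allow(self, client: str, ts: datetime) -> bool:
        hits = self._hits[client]
        cutoff = ts - self.window
        while hits and hits[0] < cutoff:   # expire requests that left the window
            hits.popleft()
        hits.append(ts)
        return len(hits) <= self.max_requests


def parse_line(line: str) -> tuple[str, datetime, str] | None:
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3)


def flood_report(log_lines: list[str], max_requests: int = 20, window_s: int = 10) -> dict[str, int]:
    """Return {client_ip: number of requests that exceeded the limit}."""
    limiter = SlidingWindowLimiter(max_requests, timedelta(seconds=window_s))
    over_limit: dict[str, int] = defaultdict(int)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # malformed line: skip it, do not crash the detector
        ip, ts, _request = parsed
        if not limiter.allow(ip, ts):
            over_limit[ip] += 1
    return dict(over_limit)


def _line(ip: str, second: int, path: str = "/") -> str:
    return f'{ip} - - [14/Jul/2023:21:31:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed log: one shopper, five requests in ten seconds; one bot, sixty in three.
SAMPLE_LOG = (
    [_line("198.51.100.7", s, "/products") for s in range(0, 10, 2)]
    + [_line("203.0.113.5", s // 20, "/search?q=%s" % s) for s in range(60)]
)

if __name__ == "__main__":
    print(flood_report(SAMPLE_LOG))   # {'203.0.113.5': 40}
```

The shopper is never flagged; the bot gets its first 20 requests served and the remaining 40 refused. This only helps against traffic overflow (application-layer) floods: a volumetric attack saturates the link before any of these packets reach a process that could count them, which is why the upstream protection above is listed first.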
URL manipulation attacks
Sometimes hackers take the URL of a real website and try to reach pages that should be restricted, simply by guessing their paths. For example, they might open "www.mysitename.com/admin" to get at the administration panel, or request "www.yoursitename.com/.bak" in the hope of finding backup files left on the server.
How to protect against URL manipulations
Keep your administration panel protected. Keep track of who has access to your website's administration panel. Moving the panel from "mysite.com/admin" to another, less predictable location takes it out of the most obvious guesses, but it is not access control on its own: the panel must still demand authentication on every request. Also, use complex passwords for your administration accounts and set up IP address filtering.
Take the following steps to protect your administration panel:
Make sure all requests go through the access control system, so that no page is reachable without the check
Deny access by default, i.e. reject all requests except those specifically allowed
Follow the principle of least privilege, i.e. configure the minimum possible rights and privileges for all users, programs or processes.
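The three rules above fit in one function. The following is an added example (not code from the article or from OnlineSim) of deny-by-default authorization that also normalizes the requested path, so that guessed or mangled URLs such as "/cms/posts/../admin" cannot bypass the check. The role table, the admin-panel prefix and the permitted office network are assumptions made up for the illustration.

```python
"""Deny-by-default authorization for site paths, including the admin panel.

Added example, not the article's code. It puts the three rules above into one
function: every request passes through the check, anything not explicitly allowed
is refused, and each role gets only the paths its job needs. The role table, the
admin prefix and the permitted office network are assumptions for illustration.
"""
from __future__ import annotations
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Least privilege: each role lists the path prefixes it may use, nothing else.
ROLE_PATHS = {
    "anonymous": ("/", "/products", "/login"),
    "editor":    ("/", "/products", "/login", "/cms/posts"),
    "admin":     ("/", "/products", "/login", "/cms/posts", "/cms/admin"),
}
ADMIN_PREFIX = "/cms/admin"                                 # moved off the default /admin
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]     # IP filtering for the panel


def canonical_path(raw_url: str) -> str:
    """Decode and normalize the path so that "/cms/posts/../admin" or
    "/cms/%2e%2e/admin" cannot slip past a prefix comparison."""
    path = unquote(urlsplit(raw_url).path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)        # collapses "." and ".." segments


def _matches(path: str, rule: str) -> bool:
    if rule == "/":
        return path == "/"
    return path == rule or path.startswith(rule + "/")


def authorize(raw_url: str, role: str, client_ip: str) -> bool:
    """Single choke point: True only for an explicitly permitted (role, path, ip)."""
    path = canonical_path(raw_url)
    allowed = ROLE_PATHS.get(role, ())             # unknown role -> nothing allowed
    if not any(_matches(path, rule) for rule in allowed):
        return False                               # deny by default
    if _matches(path, ADMIN_PREFIX):
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in ADMIN_NETWORKS):
            return False                           # right role, wrong network
    return True


if __name__ == "__main__":
    for url, role, ip in [("/products", "anonymous", "198.51.100.9"),
                          ("/cms/admin", "anonymous", "198.51.100.9"),
                          ("/cms/posts/../admin", "editor", "192.0.2.10"),
                          ("/cms/admin/users?x=1", "admin", "192.0.2.10"),
                          ("/cms/admin/users", "admin", "203.0.113.4"),
                          ("/.bak", "admin", "192.0.2.10")]:
        verdict = "allow" if authorize(url, role, ip) else "deny"
        print(f"{role:9} {ip:13} {url:22} -> {verdict}")
```

Note that "/.bak" is denied even for an administrator: a path that is not on any role's list is refused, which is what closes the guessed-URL attack regardless of how predictable the admin-panel location is.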
Zero-day attacks
A zero-day attack is an attack in which hackers exploit a vulnerability that the software's maintainer does not yet know about, or has not yet fixed, to break into a resource and steal information. The name denotes that the maintainer has had "zero days" to fix the flaw by the time it is being used.
Usually nobody but the attackers knows about the vulnerability before the attack, so until a patch exists they write code that triggers the flaw and uses it to run their own instructions or gain access. Such code is called an exploit.
How to protect against zero-day attacks
To protect against zero-day attacks, regular users and companies must:
Keep software and operating systems up to date. Software manufacturers collect reports of security problems and release new versions with patches for them. A vulnerability stops being exploitable on your systems the moment the patch is installed, so the delay between release and installation is exactly what attackers count on.
Use only the minimum required set of software. The more applications are installed on your computer(s), the greater the chance that some of them contain a vulnerability that hackers can exploit.
Always use a firewall. A firewall is a filter between your device and the Internet: it lets through the connections you have defined as legitimate and blocks the rest, so an exploited application cannot be freely reached from, or talk back to, the outside. Blocking known malicious and phishing sites from a security vendor's database is a separate function (web filtering) that many firewall products bundle.
Train your employees. Sometimes a zero-day attack succeeds because of employee negligence. For example, an employee may install a vulnerable application out of ignorance and thus put the company at risk. Knowledge of the basic rules of online security helps to improve the security of corporate data.
Always use an antivirus. Such software identifies known threats and blocks them. Against a genuinely new exploit, signature-based detection may not fire, so rely on the product's behavioral detection as well and on the measures above.
SQL injection
In an SQL injection attack, the hacker types SQL code into a form field or URL parameter that the website pastes, unchecked, into a database query, so the database executes the attacker's commands instead of the intended search. In 2019, a hacker stole hundreds of thousands of bank card details this way: he pulled payment card information from website databases and then sold it on illegal online platforms.
Cross-site scripting (XSS)
In a cross-site scripting attack, the hacker gets a malicious script stored in, or reflected by, a web page so that it runs in the browsers of the page's other visitors. For example, malicious code of this type planted on an online banking site can capture users' login credentials for their banking accounts or other confidential information.
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) is an attack against a website launched with the help of a fraudulent site or script. It makes the user's browser send an unwanted request to a resource where the user is logged in, with the user's session cookie attached automatically. For the attack to work, the user must open a specially crafted malicious link or page.
Let's say a person has logged in to an online banking service and then clicks a fraudulent link that carries a request to transfer money to the attacker's account. The bank processes the transaction without asking the customer twice, because the request arrives with the customer's valid session, exactly as a genuine click would.
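Here is the injection point itself, as an added example (not code from the article or from OnlineSim) on an in-memory SQLite database: the vulnerable query next to the parameterized one, fed the same payload. The table, the owners and the card numbers are constructed test data (standard test PANs, not real cards).

```python
"""SQL injection: string-built query versus parameterized query, on SQLite.

Added example, not from the article. The table, users and card numbers are
constructed test data (standard test PANs, not real cards); the vulnerable function
is written the way the attack above exploits it, next to the safe version.
"""
from __future__ import annotations
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, owner TEXT, pan TEXT)")
    con.executemany("INSERT INTO cards (owner, pan) VALUES (?, ?)",
                    [("alice", "4111111111111111"), ("bob", "5555555555554444")])
    return con


def cards_vulnerable(con: sqlite3.Connection, owner: str) -> list[tuple]:
    # User input pasted straight into the SQL text: the injection point.
    sql = f"SELECT owner, pan FROM cards WHERE owner = '{owner}'"
    return con.execute(sql).fetchall()


def cards_safe(con: sqlite3.Connection, owner: str) -> list[tuple]:
    # Placeholder: the driver passes the value separately; it is never parsed as SQL.
    return con.execute("SELECT owner, pan FROM cards WHERE owner = ?", (owner,)).fetchall()


# The classic payload closes the quoted string and appends an always-true condition.
PAYLOAD = "nobody' OR '1'='1"


def demo() -> tuple[int, int]:
    """Rows returned for the payload by the vulnerable and by the safe function."""
    con = make_db()
    return len(cards_vulnerable(con, PAYLOAD)), len(cards_safe(con, PAYLOAD))


if __name__ == "__main__":
    print(demo())   # (2, 0): the injection dumps every card, the parameterized query finds none
```

The vulnerable function ends up executing `SELECT owner, pan FROM cards WHERE owner = 'nobody' OR '1'='1'`, which matches every row; the safe one looks for an owner literally named `nobody' OR '1'='1` and finds nothing, because the value never reaches the SQL parser.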
How to protect against SQL injections, XSS and CSRF attacks
Keep your websites' code clean and secure and follow a few other rules (to protect against SQL injections). The rule that matters most: never build a query by gluing user input into an SQL string; pass user values through the placeholders (prepared statements, parameterized queries) that your database library provides, so that the database never parses them as SQL. For details on how to handle placeholders and variables in your language, check specialized programming websites like StackOverflow or CodeProject.
Also, take some advice from us:
Disable detailed error output. Having error output enabled on your website is handy at the development stage, when you have to correct mistakes. Once the site is published and running, it is better to have it disabled and to log errors server-side instead, otherwise an attacker can see what problems your site has (table names, file paths, library versions) and take advantage of them.
Never publish your website's code online. If you need help with your site, do not post its code on public forums, even specialized ones like StackOverflow.
In your request for help, do not disclose your site's theme, address or hosting details. The more an attacker learns about your site, the higher the risk of being hacked.
Always install the latest language versions. Older language versions contain bugs that cybercriminals know about and can exploit to gain control over your website and plant malicious code in it.
Supported versions receive security fixes for such vulnerabilities, whereas versions past end of life do not, so an outdated interpreter is an easy target.
Use XSS sanitizer tools (to protect against XSS). Sanitization means removing malicious and suspicious elements from HTML before it is shown. A sanitizing library such as DOMPurify is embedded in your site's code and strips the markup it considers unsafe. Where you do not need to allow HTML at all, escaping user input on output (turning < into &lt;) is simpler and sufficient.
Require confirmation for user actions (to protect against CSRF attacks). For any change on the resource, such as processing a user payment, you can request an additional confirmation step, for example a captcha, which a script on the attacker's page cannot complete. The standard protection is an anti-CSRF token: a secret value tied to the user's session that the site places in its own forms and checks on every state-changing request; a forged request from another site cannot include it.
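The last two measures together, as an added example (not code from the article or from OnlineSim): a transfer handler that refuses any request without a valid session-bound token, and escapes user-supplied text before writing it into the confirmation page. No web framework is used so that both checks stay visible; the session ID, form fields and in-memory secret are assumptions constructed for the demonstration.

```python
"""Anti-CSRF token and output escaping for a state-changing form handler.

Added example, not from the article. No web framework is used: the handler is a
plain function so the two checks are visible. The session ID, form fields and the
in-memory secret are constructed for the example; a real deployment keeps the
secret in configuration and also marks the session cookie SameSite.
"""
from __future__ import annotations
import hashlib
import hmac
import html
import secrets

SECRET_KEY = secrets.token_bytes(32)   # server-side only, never sent to the browser


def csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session id). The site embeds it in
    its own forms; a page on another origin cannot read it, so a forged request
    cannot carry it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: str | None) -> bool:
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)   # constant time


def handle_transfer(session_id: str, form: dict[str, str]) -> tuple[int, str]:
    """Return (HTTP status, response body) for a money-transfer POST."""
    # CSRF defence: refuse before anything changes if the token is missing or wrong.
    if not verify_csrf(session_id, form.get("csrf_token")):
        return 403, "forbidden: missing or invalid CSRF token"
    amount = int(form["amount"])
    # XSS defence: user-supplied text is escaped before it is written into HTML,
    # so a memo like <script>... becomes inert text on the confirmation page.
    to = html.escape(form["to"], quote=True)
    memo = html.escape(form.get("memo", ""), quote=True)
    return 200, f"<p>Transferred {amount} to {to}: {memo}</p>"


if __name__ == "__main__":
    sid = "session-0001"
    forged = {"amount": "500", "to": "attacker", "memo": "hi"}     # what a CSRF page submits
    print(handle_transfer(sid, forged))                            # (403, ...)
    genuine = dict(forged, csrf_token=csrf_token(sid), memo="<script>alert(1)</script>")
    print(handle_transfer(sid, genuine))                           # (200, '...&lt;script&gt;...')
```

The forged request carries the victim's session (the browser attaches the cookie) but not the token, so it is refused before the transfer; the genuine request goes through, and the script in its memo is rendered as text rather than executed. `hmac.compare_digest` is used so that the comparison time does not leak how many leading characters of a guessed token were right.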
A few more rules to protect your company against hackers
Web application firewall (WAF)
A web application firewall (WAF) detects and blocks attacks on websites. It inspects HTTP traffic, identifies malicious requests such as injection or scanning attempts, and stops them before they reach business-critical systems. A WAF thus helps protect your web applications, including their business logic, but it is a safety net in front of the code, not a substitute for fixing the vulnerabilities in it.
Essentially, a firewall is a barrier around your company's IT infrastructure that protects the network and prevents unauthorized access to it. Firewalls filter incoming and outgoing traffic, dropping unwanted network connections without blocking legitimate requests.
DLP systems are used in corporate networks to monitor the traffic that leaves the company. A DLP system detects unauthorized access to information, blocks attempts to transfer sensitive corporate data outside the company and enforces its privacy policies.
A dedicated gateway must be configured in front of the email servers to filter all incoming messages and block malicious ones, e.g. those containing malicious links or attachments.