CISA, the US cyber security agency, has published a joint multinational cyber security advisory revealing the ten attack vectors most exploited by professional hackers to gain access to organisational networks and wireless networks, and the techniques they use to gain that access.
The advisory cites five techniques used to gain unauthorised access in organisations and public authorities:
Public-facing applications. Anything connected to the Internet can become a point of entry if it is not patched and updated properly. In many cases, a poorly secured website or database is the starting point for criminal activity that escalates into a serious hacker attack.
Valid accounts. These can be obtained through phishing, social engineering, insider threats or exposed data.
External remote services. Stolen valid accounts are often combined with external corporate services such as VPNs or other remote access mechanisms. This allows hackers to infiltrate a network and keep operating inside it.
Phishing. Business-centric attacks, from spear phishing to CEO fraud and Business Email Compromise (BEC), rely on unwary or careless employees.
Trusted relationships. Hackers map the relationships between organisations. A third party with trusted access to the target becomes a target itself, used to gain access to otherwise unreachable internal networks.
There is some degree of overlap between most of these techniques, with some following naturally from another. CISA lists ten different areas of concern, which you can see below.
If you recognize any as potential weaknesses, or your organization has no security policy regarding these areas, it may be time to do something about it.
10 areas exploited by professional hackers
1. Multi-factor authentication (MFA) is not enforced
MFA is particularly useful when hackers focus heavily on techniques such as phishing, trusted relationships and valid accounts. Any of these approaches can have serious long-term consequences for an affected organization. It's not just how they get in, but what they do afterwards.
A company that has been hit by ransomware and data exfiltration may have gone through multiple stages of attack to reach that point. Imagine if none of them had happened because the first point of entry, a stolen password, had been protected with MFA. It is an absolutely invaluable tool for all users, and especially for administrators or people with elevated privileges.
2. Incorrectly applied privileges or permissions and errors in access control lists
Users should only have access to resources and IT systems that are necessary for a given purpose. Someone who has accidentally been granted administrator-level control of a company website can cause chaos if their account is hacked or they leave the company and no one revokes access.
Similarly, Access Control Lists (ACLs) used to filter network traffic and/or grant certain users file access can quickly lead to negative consequences if users are granted the wrong access permissions.
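To make the ACL point concrete, here is an added example (not from the CISA advisory or from Moxso) of a first-match network ACL evaluator. The subnets, the port and the two rule sets are constructed for illustration: in the first set a broad permit sits above a more specific deny, so the guest VLAN reaches RDP even though a rule was written to block it; the corrected set puts the specific deny first and narrows the permit to one subnet.

```python
from ipaddress import ip_address, ip_network

# Constructed example: a first-match network ACL. Each rule is
# (action, source network, destination port or None for any port).
# The first rule whose source and port both match decides the verdict.
MISORDERED_ACL = [
    ("permit", "10.0.0.0/8",    3389),  # too broad: every internal host may reach RDP
    ("deny",   "10.0.50.0/24",  3389),  # guest VLAN block never fires: it sits below the permit
    ("deny",   "0.0.0.0/0",     None),
]

CORRECTED_ACL = [
    ("deny",   "10.0.50.0/24",  3389),  # specific deny first
    ("permit", "10.0.10.0/24",  3389),  # only the admin subnet may reach RDP
    ("deny",   "0.0.0.0/0",     None),
]


def evaluate(acl, src_ip, dst_port):
    """Return the action of the first matching rule; implicit deny otherwise."""
    src = ip_address(src_ip)
    for action, net, port in acl:
        if src in ip_network(net) and (port is None or port == dst_port):
            return action
    return "deny"


def audit(acl, probes):
    """Run (src, port, expected) probes against an ACL and return the mismatches
    as (src, port, actual, expected) tuples. An empty list means the ACL
    behaves as the policy intends."""
    mismatches = []
    for src, port, expected in probes:
        actual = evaluate(acl, src, port)
        if actual != expected:
            mismatches.append((src, port, actual, expected))
    return mismatches


# Constructed probes describing the intended policy.
PROBES = [
    ("10.0.10.5", 3389, "permit"),  # admin workstation
    ("10.0.50.7", 3389, "deny"),    # guest VLAN host
    ("10.0.99.9", 3389, "deny"),    # any other internal host
    ("10.0.10.5", 22,   "deny"),    # RDP only, nothing else
]

if __name__ == "__main__":
    print("misordered ACL mismatches:", audit(MISORDERED_ACL, PROBES))
    print("corrected ACL mismatches: ", audit(CORRECTED_ACL, PROBES))
```

Running the probes against both rule sets shows the failure mode directly: the misordered ACL permits two sources that the policy says should be denied, while the corrected one matches the intent on every probe. Keeping such a probe list next to the ACL and re-running it after every change is a cheap regression check.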
3. Software is not updated
Asset and patch management helps keep operating systems and other key software up-to-date. Vulnerability scans are valuable for identifying software that is unpatched, end-of-life or otherwise no longer supported, which makes keeping it updated difficult. Outdated software is one of the most common attack vectors leading to network compromise.
4. Use of vendor-provided default configurations or default usernames and passwords
Hardware left in its default configuration is a no-go for any business. There is a very good chance that default usernames and passwords are readily available online, e.g. in vendor help pages. Not changing the defaults on both hardware and software can be one of the biggest reasons why a company experiences data breaches.
Depending on where you live, default passwords can be a big problem, not only in a business sense, but also in a very legal sense. The use of default configurations can potentially lead to fines or bans, depending on which country your business is in.
5. Remote services - such as a VPN - lack sufficient controls to prevent unauthorised access
Additional security and privacy tools require care in setup and configuration. A poorly designed VPN for the workplace can be easily accessed by an attacker and can also help hide the attacker's exploitation of the network.
MFA is useful here, as is monitoring for abnormal usage patterns, such as sudden connections to the VPN outside working hours.
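As an added example of the monitoring suggested above (not code from the advisory or from Moxso), the following script flags successful VPN logins that fall outside a working-hours window or on a weekend. The log format, the gateway name, the user names, the IP addresses and the 07:00 to 19:00 window are all constructed assumptions; a real deployment would parse the gateway's actual log format and take the working hours from policy.

```python
import re
from datetime import datetime, time

# Constructed log format: "<ISO timestamp> vpn-gw login user=<u> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed working-hours window; weekends (Saturday, Sunday) are always off-hours.
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed sample log: 2024-03-11 is a Monday, 2024-03-16 a Saturday.
SAMPLE_LOG = """\
2024-03-11T08:02:10 vpn-gw login user=alice src=198.51.100.20 result=success
2024-03-11T23:47:03 vpn-gw login user=alice src=203.0.113.9 result=success
2024-03-12T03:15:41 vpn-gw login user=bob src=203.0.113.9 result=failure
2024-03-12T03:16:02 vpn-gw login user=bob src=203.0.113.9 result=success
2024-03-16T10:30:00 vpn-gw login user=carol src=198.51.100.44 result=success
"""


def parse_line(line):
    """Return (timestamp, user, src, result) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]


def is_off_hours(ts):
    """True on weekends or outside the working-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def off_hours_logins(log_text):
    """Return (user, src, iso_timestamp) for every successful off-hours login.
    Failed attempts are left to the brute-force detection, not reported here."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, src, result = parsed
        if result == "success" and is_off_hours(ts):
            alerts.append((user, src, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for user, src, when in off_hours_logins(SAMPLE_LOG):
        print(f"ALERT off-hours VPN login: user={user} src={src} at {when}")
```

On the sample, Alice's morning login passes, while her late-night login, Bob's 03:16 success and Carol's Saturday login are all reported. In practice such alerts are most useful when correlated with the user's usual hours and source addresses rather than a single fixed window for everyone.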
6. Strong password policies are not implemented
Weak passwords are often exploited by criminals to access the network. Poorly configured Remote Desktop Protocol (RDP) setups are particularly hard hit by poor password practices, and this is a common way ransomware attacks reach companies through their networks. A password policy requiring strong, unique passwords is a must.
Password guessing tools will keep running until they guess a weak password and gain access to the target organisation. This is called a brute-force attack. One way to combat this is to limit the number of login attempts via RDP before locking the user out.
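The lockout idea above, as an added example that is not part of the advisory or of Moxso's material: a small policy object that counts failed attempts per account within a sliding window and locks the account for a fixed period once the threshold is hit, the same three knobs (threshold, observation window, lockout duration) that Windows account lockout policy exposes. The values 5 attempts, 15 minutes and 30 minutes are assumed for the demonstration, as is the account name.

```python
from collections import deque
from datetime import datetime, timedelta


class LockoutPolicy:
    """Lock an account after `threshold` failures within `window`; stay locked for `lockout`."""

    def __init__(self, threshold=5, window=timedelta(minutes=15), lockout=timedelta(minutes=30)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self._failures = {}      # user -> deque of failure timestamps inside the window
        self._locked_until = {}  # user -> datetime at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lock expired: clear state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Record one login attempt and return 'locked', 'success' or 'failure'."""
        if self.is_locked(user, now):
            return "locked"                   # rejected before the password is even checked
        if password_ok:
            self._failures.pop(user, None)    # success resets the failure counter
            return "success"
        failures = self._failures.setdefault(user, deque())
        failures.append(now)
        while failures and now - failures[0] > self.window:
            failures.popleft()                # forget failures older than the window
        if len(failures) >= self.threshold:
            self._locked_until[user] = now + self.lockout
            return "locked"
        return "failure"


def simulate_bruteforce(attempts=8):
    """Constructed scenario: one guess per second against 'admin', then a correct
    password during the lockout and again after it has expired."""
    policy = LockoutPolicy(threshold=5)
    t0 = datetime(2024, 3, 11, 2, 0, 0)
    results = [policy.attempt("admin", False, t0 + timedelta(seconds=i)) for i in range(attempts)]
    during_lock = policy.attempt("admin", True, t0 + timedelta(minutes=1))
    after_lock = policy.attempt("admin", True, t0 + timedelta(minutes=31))
    return results, during_lock, after_lock


if __name__ == "__main__":
    print(simulate_bruteforce())
```

The fifth failure triggers the lock, every later attempt in the window is refused without consulting the password, and only once the 30 minutes have passed does a correct password succeed again. Note the trade-off: an attacker who knows the account name can deliberately lock legitimate users out, so pair lockout with MFA and with alerting on repeated lockouts rather than relying on it alone.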
7. Cloud services are unprotected
Unprotected cloud services are a big part of security breach stories. Default passwords, and in some cases no passwords, allow easy access to both corporate and client data. This can lead to great damage to people's personal information and damage to the reputation of the organisation that is affected.
8. Improperly configured services are open to exploitation on the Internet
Criminals use scanning tools to detect security vulnerabilities and exploit them as attack vectors. Compromising a device in this way opens the door to multiple further attacks after the initial access. RDP, NetBIOS and Telnet are all potentially high-risk services on an insecure network.
9. Failure to detect or block phishing attempts
Malicious macros in Word documents or Excel files are a key feature of business-centric phishing attacks. They may be close to disappearing thanks to recent permission changes in Office products that make them harder to run.
Even without the threat of fake attachments, phishing is still a major problem for administrators. No amount of scanning of emails coming onto the network, or of message content from internal senders for signs of compromised accounts, will keep every phishing email out of employees' inboxes.
This internal threat is another area where MFA will help a lot. A policy for prompt deactivation and deletion of accounts for departing employees should also be considered.
10. Poor endpoint detection and response
Cybercriminals often make it as difficult as possible to identify the attacks they use. Malware is packaged in specific ways to avoid detection and identification. Malicious scripts uploaded to websites are obfuscated, making it difficult to figure out exactly what they are doing.
Is your website hosting SEO poisoning and spam redirection? Without the right programs and analytics, it can take much longer to find out and your business will suffer in the long run.
Best practices to protect your IT systems from hacking
Advice from CISA provides a useful list of ways to combat some of the problems mentioned:
Control access: It is important to control who can access what, when and how. Allow only local logins for administrators, excluding them from RDP unless absolutely necessary. Consider dedicated admin workstations if possible.
Everyone should only have access to what is required to do their job effectively, with proper business flow required to approve requested additional permissions. If employees change roles or leave the organization, revoke their access immediately.
Strengthen information protection: MFA across all areas of the organization is again key here. Consider physical hardware security keys for those with access to business critical services. If MFA is not available to certain employees, make use of other security techniques to minimize unauthorized logins.
A strict password policy combined with checks on devices used, time of day, location data and user history can help put together a picture of what can reasonably be described as a legitimate employee.
Establish centralized log management: Log generation and storage are essential tools for many aspects of security. Data from intrusion detection tools helps form a picture of potentially malicious activity, where it comes from, what time of day and so on. Decide which logs you need. Need a complete picture of cloud activity? Is system logging important? Are you able to capture activity on the network?
Decide on a retention period. Too short a timeframe and you may need to refer to logs that no longer exist. Too long, and there may be privacy issues around the information you have logged and retained. Secure storage is also important, as you do not want hackers to tamper with the data you have collected.
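The two log-management concerns above, retention and tamper resistance, as an added example that is neither CISA's nor Moxso's: a small append-only log where each entry carries the SHA-256 hash of the previous one, so that editing or deleting an entry breaks the chain, plus a prune step that drops entries older than the retention period while recording the last dropped hash as an anchor so the remaining chain still verifies. The log lines, dates and two-day retention are constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # anchor for an empty chain


class ChainedLog:
    """Append-only log with a SHA-256 hash chain and retention-based pruning."""

    def __init__(self):
        self.entries = []      # list of {"ts", "msg", "prev", "hash"} in append order
        self.anchor = GENESIS  # hash the first kept entry must link to

    @staticmethod
    def _digest(ts, msg, prev):
        body = json.dumps({"ts": ts, "msg": msg, "prev": prev}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, ts, msg):
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        ts_iso = ts.isoformat()
        self.entries.append({"ts": ts_iso, "msg": msg, "prev": prev,
                             "hash": self._digest(ts_iso, msg, prev)})

    def verify(self):
        """Return the index of the first entry whose link or hash is wrong, or -1 if intact."""
        prev = self.anchor
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e["ts"], e["msg"], e["prev"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def prune(self, now, retention):
        """Drop the oldest entries beyond `retention`; returns how many were dropped.
        Entries are in append order, so only a prefix is ever removed."""
        cutoff = now - retention
        dropped = 0
        while self.entries and datetime.fromisoformat(self.entries[0]["ts"]) < cutoff:
            self.anchor = self.entries.pop(0)["hash"]  # remaining chain now links to this hash
            dropped += 1
        return dropped


def demo():
    """Constructed scenario: five daily entries, prune to two days, then tamper with one."""
    log = ChainedLog()
    t0 = datetime(2024, 3, 1)
    for day in range(5):
        log.append(t0 + timedelta(days=day), f"login user=alice day={day}")  # constructed lines
    intact_before = log.verify() == -1
    dropped = log.prune(now=t0 + timedelta(days=4, hours=1), retention=timedelta(days=2))
    intact_after_prune = log.verify() == -1
    log.entries[1]["msg"] = "login user=mallory day=4"  # simulated tampering
    tampered_index = log.verify()
    return intact_before, dropped, intact_after_prune, tampered_index


if __name__ == "__main__":
    print(demo())
```

The chain detects edits made after the fact, but an attacker with write access to the whole store could rebuild the chain from the altered entry onward; the anchor and the latest hash therefore need to live somewhere the logging host cannot rewrite (a separate log server, write-once storage, or a periodic signed checkpoint), which is the practical meaning of "secure storage" in the advice above.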
Use antivirus solutions: Workstations require security solutions that are able to handle exploits that do not require user interaction and attacks that rely on social engineering. A good antivirus program should be installed on all computers.
Desktop hijacking, malvertising, malware attacks and fake attachments are just some of the threats you can face. Routine monitoring of scan results will help identify weaknesses and vulnerabilities in your IT security.
Use detection tools: An Intrusion Detection System (IDS) helps detect malicious network activity and protects against questionable activity.
Penetration tests from ethical hackers can reveal misconfigurations with services listed above, such as cloud, VPNs and more. Cloud service provider tools will help locate overshared storage and irregular or abnormal access.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.