During the holiday season of 2013, high-level managers at Target were horrified to learn that attackers had succeeded in compromising 40 million credit cards, and customers were already seeing fraudulent charges from their cards. Now, almost a decade later, the infamous Target breach still offers critical insights into the attacker’s mindset and the exploitative use of attack vectors, particularly in third-party security vulnerabilities. The incident underscores the critical importance of understanding potential vulnerabilities and the necessity of comprehensive security measures in today’s cybersecurity landscape.
When the dust had settled, the company paid an $18.5 million settlement on top of $200 million in costs from the data breach itself. Many top-level executives, including the CEO, were fired. Company profits for Q4 of 2013 – the holiday season in which retailers make most of their sales – plummeted by 46%.
So, how did attackers succeed in executing one of the largest data breaches in history at a company that had invested in multiple, state-of-the-art cybersecurity solutions? Although these solutions were meant to defend against sophisticated attacks, the attack on Target was quite simple. Attackers were able to gain access to credit card data through the compromised credentials of a third party. This created an entry point, or attack vector, for attackers to execute their attack.
What is an Attack Vector?
Attack vectors are entry points, or windows left open that enable attackers to gain unauthorized access to your system or network. Attackers exploit attack vectors to gain unauthorized access to an organization’s system and networks, enabling them to then access encrypted data, steal data, and cause data breaches.
For example, internet ports are numbered to identify connection endpoints. Some ports, such as HTTP port 80 or SMTP port 25, are expected to be open on a server that offers those services, while others should be kept closed. When a port that should be closed is accidentally left open, it signals to attackers scanning the host that a service is listening there and will accept connections.
In the case of Target, attackers were able to enter the network through a phishing attack that compromised the login credentials of its third-party HVAC contractor. This compromised password gave the attackers direct access to Target’s payment system. Using a malware program, the cybercriminals then gathered the credit card information of millions of customers.
How Do Attackers Gain Unauthorized Access to Sensitive Data?
Although attackers prefer to use the easiest entry point to launch an attack, they often use combinations of multiple attack vectors and methods to exploit system vulnerabilities. For example, the Target attack combined malware and compromised credentials (the attack vector) obtained from a third party (the method) to launch the attack.
To simplify things, however, we can generally split attack vectors into two main categories:
- Active attacks – These attacks involve the attacker changing or disrupting an organization’s system or operations. An active attack could include malware, ransomware, domain hijacking, email spoofing, brute force attacks that target weak passwords, exploiting unpatched vulnerabilities and DDoS attacks.
- Passive attacks – These attacks involve monitoring your system and network to wait for you to accidentally “leave the window open”, so to speak. Since passive attacks do not involve an attacker making any changes to your system, they can be difficult to detect. A passive attack could include phishing, social engineering, and typosquatting.
Attackers can come from either internal sources, such as disgruntled employees, or external sources, such as hacktivists or state actor groups. They can be motivated by money, political ideology, the desire to damage a competitor, or the desire to wage cyber warfare against an enemy state.
9 of the Most Common Attack Vectors
Although the most common cyber attack vectors include phishing, malware and unpatched vulnerabilities, attackers often combine different cyber attack vectors and methods to increase their chance of successful attacks.
To make it more straightforward, however, we’ve listed a few of the main attack vectors and methods below.
1) Phishing attacks
Phishing attacks are social engineering attacks launched via emails, texts, or phone calls in which attackers pose as trusted members of a known brand, entity, or even your own organization. The goal of these attacks is to entice the victim into giving the attacker sensitive information, personally identifiable information (PII) or login credentials. In the case of the Target attack, the HVAC login credential was compromised after a successful phishing attack.
2) Malware
Malware, short for malicious software, includes trojans, viruses, worms or any other type of software used to gain access to an organization’s computer systems or network. Malware can inflict serious damage at scale once it is connected to a command and control server, which attackers can use to install the malware on thousands of computer systems and launch other types of cyberattacks from them. Although Target had previously installed anti-malware software on its systems, the malware ran undetected long enough to gather the credit card details of millions of customers.
3) Unpatched vulnerabilities
In the era of IoT, cloud migration and digital transformation, there are increasing numbers of devices, software systems and applications with vulnerabilities. Although patches are available, 66% of security leaders report that they have a backlog of more than 100,000 vulnerabilities. The highest-risk vulnerabilities can take three to five weeks to patch on average. In the meantime, however, your organization’s system and network are exposed.
4) Missing or weak encryption
Data encryption methods such as SSL certificates and Rivest-Shamir-Adleman (RSA) encryption ensure that data is converted to a code or ciphertext and cannot be read by unauthorized parties. Unencrypted data, as in the case of Target, makes it easier for attackers to steal data. As part of the settlement after the breach, Target was ordered to use third-party encryption for its credit card data, so that if an attacker gained access again, the data would be unreadable.
5) Compromised and stolen credentials
Weak passwords are an easy entry point for attackers since they can target them in your organization as well as your third and fourth parties. According to data from NordPass, the most common password in 2022 was “password” followed by “123456”. With so many additional common attack vectors available for attackers to gain access to sensitive data, it shouldn’t be surprising that nearly half of all data breaches involve stolen credentials.
The Target attack successfully entered Target’s payment systems through one of the most common attack vectors: the compromised credentials of a third party.
6) Misconfigurations
Misconfigurations occur when there are errors in the configuration of a device, application or system. For example, when a server is configured incorrectly, it can expose user config files, allowing access to additional files on the server and even admin access. Using default credentials is another common error that leads to attacks. According to Check Point, nearly a quarter of cybersecurity attacks in the cloud alone are a result of misconfigurations.
7) Insider threats
Disgruntled employees, as well as former employees, are potential insider threats to be considered. Since they are authorized users, they have had access to your network and can handle sensitive information which they can potentially use to facilitate an attack. Due to their familiarity with the inner workings of the system, these individuals understand exactly what type of information would be valuable to competitors, or which could place your organization in a negative light.
8) Third parties
Today’s increase in the use of third-party vendors and services gives attackers even more opportunity to execute cyberattacks. Since these organizations often have access to your network, services and sensitive data, they pose a risk to your organization. Many organizations mistakenly think of third parties only as vendors, but the term also includes your software providers, partners, suppliers, and consultants. Commonly used software vendors such as Asana, Salesforce and Zoom, for example, are attractive third-party targets for cybercriminals because a single compromise lets them attack a large number of customers at once.
9) Cross-site scripting attacks
3 of the Most Common Attack Methods
Whereas attack vectors refer to the entry point that attackers use to access your system, attack methods are the techniques attackers use to exploit that entry point and access your system.
- DDoS Attacks
DDoS attacks, or distributed denial of service attacks, attempt to disrupt or halt your organization’s site, services or resources by overloading it with network traffic. Attackers employ botnets, or multiple computer systems, to generate the amount of traffic required for this type of attack.
- Brute Force Attacks
A brute force attack attempts to crack a login or another entry point by trying all combinations of passwords or session IDs until one succeeds. Generally, these attacks are executed using automated tools. Once a brute force attack is successful, the next step for attackers is to gain privileged access to reach additional parts of your network.
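Because brute force attacks are automated, they leave a recognizable trace in authentication logs: many failed logins from one source in a short time. The following is an added example, not code from the original article, showing one way to detect that pattern. It uses a sliding time window per source address over a few constructed sshd-style log lines (the addresses, usernames and timestamps are made up for illustration) and raises an alert when the number of failures within the window reaches a threshold.

```python
"""Detect brute force login attempts in authentication logs.

Added example (not from the original article). Flags a source address when it
produces THRESHOLD or more failed logins within WINDOW seconds, the classic
footprint of an automated password-guessing tool.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures inside the window that trigger an alert
WINDOW = 60     # window length in seconds

# Constructed sample log lines in an sshd-like format (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 51234
2024-03-01T10:00:03 sshd[102]: Failed password for root from 198.51.100.7 port 51235
2024-03-01T10:00:04 sshd[103]: Accepted password for alice from 203.0.113.9 port 40001
2024-03-01T10:00:06 sshd[104]: Failed password for root from 198.51.100.7 port 51236
2024-03-01T10:00:09 sshd[105]: Failed password for invalid user test from 198.51.100.7 port 51237
2024-03-01T10:00:12 sshd[106]: Failed password for root from 198.51.100.7 port 51238
2024-03-01T10:00:14 sshd[107]: Failed password for root from 198.51.100.7 port 51239
2024-03-01T10:03:00 sshd[108]: Failed password for bob from 203.0.113.9 port 40002
2024-03-01T10:09:00 sshd[109]: Failed password for bob from 203.0.113.9 port 40003
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert record per source that exceeded the failure threshold.

    Each record holds the source address, the largest number of failures seen
    inside a single window, the time span covered and the usernames tried.
    """
    recent = defaultdict(deque)   # src -> (timestamp, user) of recent failures
    alerts = {}                   # src -> alert record

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue

        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the sliding window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()

        if len(q) >= threshold:
            rec = alerts.setdefault(ev["src"], {
                "source": ev["src"], "first": q[0][0], "failures": 0, "users": set(),
            })
            rec["failures"] = max(rec["failures"], len(q))
            rec["last"] = ev["ts"]
            rec["users"].update(user for _, user in q)

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['source']}: {alert['failures']} failures between "
              f"{alert['first']} and {alert['last']}, users tried: {sorted(alert['users'])}")
```

In the constructed sample, 198.51.100.7 produces six failures in thirteen seconds and is flagged, while 203.0.113.9 produces two failures six minutes apart and is not. The threshold and window are the knobs a security team tunes: a low threshold with a long window also catches slow, "low and slow" guessing, at the cost of more false positives from users who simply mistype their password.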
- Zero-Day Attacks
These are attacks that exploit a vulnerability before it has been made public as a CVE (Common Vulnerabilities and Exposures) entry and before a patch has been released. According to reports by Mandiant, zero-day vulnerabilities nearly doubled between 2020 and 2022, with the vast majority targeting products such as operating systems and browsers from Google, Microsoft and Apple.
What are the Best Practices for Defending Your Attack Vectors?
Security teams need to be several steps ahead to guard against attackers and protect their computer systems and network. Although attackers’ methods are constantly evolving, there are still many classic methods organizations can employ to defend themselves.
- Make sure your login credentials are strong. Password managers can help you create passwords that are long, strong and unique. Ensure you change all factory default login settings.
- Deploy multi-factor authentication (MFA). This provides an additional layer of protection for any system requiring a username and password. MFA is also a requirement for meeting PCI DSS compliance and security frameworks such as NIST.
- Employ network separation. Network separation entails having different controls for different zones of your network so that each zone can be accessed only by the users who need it. In the case of Target, the IT department had decided to combine Target’s operational system and payment system, which gave attackers easy access to credit card information.
- Update software and devices regularly. Updating ensures you have the latest patches and security features available. This includes your antivirus and firewall, which can help defend against zero-day attacks.
- Monitor your third parties regularly. Attackers can infiltrate your network due to weak passwords, poor security controls, and old versions of software of your third parties.
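The network separation practice above is only as good as the rules that enforce it, so it pays to audit those rules mechanically. The following is an added example, not code from the original article or from Panorays, of such an audit. It assumes a simple zone model (a payment zone, a point-of-sale zone, a corporate zone and a vendor zone) and a hypothetical firewall rule export; the zone names, rule format and sample rules are all constructed for illustration. It reports every rule that lets traffic into the payment zone from a zone with no business there, which is exactly the flat-network condition the article describes at Target.

```python
"""Audit firewall rules for paths from untrusted zones into the payment zone.

Added example (not from the original article). Given a zone model and a list
of rules, report each rule that permits traffic into the cardholder data
environment from a source that the segmentation policy does not allow.
"""

PAYMENT_ZONE = "cde"               # cardholder data environment (constructed name)
ALLOWED_SOURCES = {"pos": {443}}   # zone -> ports that zone may use into PAYMENT_ZONE

# Constructed sample rules in a hypothetical export format (not a real config).
SAMPLE_RULES = [
    {"id": 1, "src": "pos",    "dst": "cde",  "port": 443,   "action": "allow"},
    {"id": 2, "src": "vendor", "dst": "corp", "port": 443,   "action": "allow"},
    {"id": 3, "src": "corp",   "dst": "cde",  "port": "any", "action": "allow"},  # flat network
    {"id": 4, "src": "vendor", "dst": "cde",  "port": 3389,  "action": "allow"},  # vendor into payment
    {"id": 5, "src": "any",    "dst": "cde",  "port": 22,    "action": "deny"},
    {"id": 6, "src": "any",    "dst": "any",  "port": "any", "action": "allow"},  # default allow
]


def audit_segmentation(rules, payment_zone=PAYMENT_ZONE, allowed=ALLOWED_SOURCES):
    """Return (rule id, reason) for every allow rule that violates segmentation.

    A rule is a violation when it permits traffic into the payment zone and
    either its source is unrestricted, its source zone is not on the allow
    list, or it opens ports beyond those the allow list grants that zone.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        # "any" as a destination covers the payment zone too.
        if rule["dst"] not in (payment_zone, "any"):
            continue

        src, port = rule["src"], rule["port"]
        if src == "any":
            findings.append((rule["id"], f"permits any source into {payment_zone}"))
        elif src not in allowed:
            findings.append((rule["id"], f"zone '{src}' must not reach {payment_zone}"))
        elif port == "any" or port not in allowed[src]:
            ports = sorted(allowed[src])
            findings.append((rule["id"], f"zone '{src}' may reach {payment_zone} only on {ports}"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_segmentation(SAMPLE_RULES):
        print(f"rule {rule_id}: {reason}")
```

Run against the sample, the audit flags rule 3 (the corporate network reaching the payment zone on every port), rule 4 (a vendor zone reaching it at all) and rule 6 (a default allow that reaches everything), while the point-of-sale rule and the deny rule pass. Real firewall exports are messier than this, but the policy logic, a short allow list for the payment zone and a finding for anything else, is the part worth keeping.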
How Panorays Can Help
Panorays helps you defend against your extended attack surface by automating, accelerating and scaling your third-party security evaluation and management process. This allows you to quickly and easily manage, mitigate and remediate risk and reduce breaches.
Want to learn more about how you can manage your third-party risk with Panorays? Get started with a Free Account today.
An attack vector in cybersecurity is similar to the window of a building. When a window is left open, it poses a security risk. Attack vectors are “windows” or entry points in your network or system that, when left open, pose a risk to your organization’s security.
The most common attack vectors include:
- Phishing attacks. Attackers pose as trusted brands or individuals from your organization and entice victims to provide sensitive information (e.g. passwords, credit card information) to the attacker.
- Malware. Malicious software that allows attackers to gain access to your organization’s network and systems.
- Unpatched vulnerabilities. Vulnerabilities are weaknesses in your devices, systems, or network that can be exploited in an attack.
- Missing or weak encryption. Unencrypted data can be read and exploited by attackers, and weak encryption can be easily broken.
- Compromised and stolen credentials. Weak and stolen passwords are one of the most common attack vectors used by cybercriminals, who can also obtain them via third parties.
- Misconfigurations. Errors in the configuration of servers, devices, networks and applications make it easy for attackers to infiltrate your network and systems.
- Insider threats. Former and current employees have authorized access to sensitive information and may threaten your security with malicious intent.
- Third parties. Software providers, partners, suppliers, and consultants doing business with your organization all pose risks through their own vulnerabilities and errors.
An attack surface refers to all the points where an unauthorized user or attacker could potentially gain access to a system or network, or where existing security measures could be bypassed. It includes all vulnerabilities in a system or network that can be exploited by an attacker, encompassing aspects like software, hardware, network interfaces, and even human interaction points.
In contrast, an attack vector is a specific method or pathway that an attacker uses to exploit a vulnerability within the system or network. It represents the technique or route used by the attacker to infiltrate your organization and gain unauthorized access to your network, system, and sensitive data. Common examples of attack vectors include phishing emails, malicious websites, and unpatched software vulnerabilities.