Vulnerabilities

Vulnerabilities are weaknesses that can be exploited to compromise the security of computer systems. Vulnerabilities differ in severity, with some being easier to attack than others. Vulnerabilities exist in software, hardware, and people.

Vulnerabilities are exploited by attackers in both random and targeted attacks. A home computer user is most likely to be exploited by a random attack, which can be compared to a criminal walking through a car park checking for unlocked cars. The cybercriminal does the same thing by scanning the web for known vulnerabilities in the hope of finding a device that is easily exploited. Unlike in the car park analogy, a cyber-attack can be automated, meaning the attacker can be scanning for 1000s of vulnerabilities all at once. Targeted attacks are when an attacker has a set target he wishes to exploit. This could be a large company or business, but individuals may also become victims of targeted attacks.

Software vulnerabilities may allow an attacker to remotely execute code, steal data or take over your machine. Patching or installing the latest software and apps, updating operating systems via Windows Update (Software Update on Mac) and installing the latest iOS or Android build on your phone and tablet are an essential part of keeping your systems secure. A fully patched device makes a harder target for an attacker. Software vulnerabilities are likely to be exploited in random hacking attacks as well as targeted attacks. Exploiting a vulnerability can often allow the attacker to bypass any internet security software you may have in place.

Hardware vulnerabilities are often used in targeted attacks against high-value organisations but may also be used in random attacks. BadUSB is a well-known hardware vulnerability and affects the firmware of some USB sticks. The USB stick can be modified to run malicious code without detection by antivirus. It does this by emulating a keyboard, and commands are ‘typed’ in when the USB stick is inserted. The commands entered may download malware or open a back door, allowing an attacker access to your machine. This kind of attack relies on the attacker exploiting both the hardware and a person. It is an effective attack as it is low-cost and people, who are naturally curious, will plug in USB sticks to see what is on them. USB sticks can also be used to exploit software vulnerabilities or install malware.

Social engineering is used to exploit the trusting nature and curiosity of people. It can take place as phishing via emails and websites, tech support scams via the telephone, and person to person. An attacker using social engineering tactics can quite easily gain access to your system. Tech support scams are quite common and are an effective attack. The attacker, posing as a well-known company, tells the target they have been hacked, they have malware, or their internet will be cut off if specific tasks are not carried out. This is often enough to get the user to comply, and the attacker will then talk the target through installing tech support software. Tech support software gives the attacker full access to your machine. They can access your photos, emails, documents, and even passwords you have stored in your web browser. Social engineering can allow an attacker to bypass all security you have in place.

Protecting against social engineering can be quite tricky as it exploits the nature of people. Some tips: avoid attachments and links from unknown senders. Files and links can be scanned with online services such as www.virustotal.com, although this may not recognise a file designed to exploit a vulnerability. Do not enable macros in documents. Macros allow code to run, potentially allowing malware to be downloaded onto your machine. A common threat that uses this kind of attack is ransomware. Also, avoid USB sticks that you find lying around or whose origin you are unsure of.

Zero-day vulnerabilities are those known by a third party for which the vendor has not yet created a patch. These are highly sought after by cyber criminals as they have a higher success rate. Zero-day vulnerabilities are often used by exploit kits, with a common attack being to deliver malware via compromised website advertising. Malvertising, as it is known, is where a website delivers malware via ads displayed on its pages. This is often due to weaker security at the advertising companies and not an actual breach of the website you visit. To avoid this kind of attack, it is recommended to remove plugins such as Adobe Flash Player and Java and to use an ad blocker.