Security Concept: Attack Vector

24 Sep

Our last discussion looked at the security concepts of lock down and layered security. Attack vector is another important security concept. Different agencies and organizations have different words for this, but it all comes down to the same concept.

Your adversary wants to attack you, and they will attack you through some perceived weakness, a vector. Vector means a pointy little arrow. You can think of the arrow as tracing the path they take to attack you. If a burglar kicks in your front door, the attack vector is the front door. If a burglar crawls in through a window, the attack vector is the window.

In our last post, ThoughtfullyPrepping correctly said the best “lock down” against your PC being hacked over the Internet is pulling the connection to the Internet. The Internet is the primary attack vector hackers use to get into your system. We can subdivide this into smaller attack vectors. Some of the most common computer hacker attack vectors:

1) Your web browser
2) Your e-mail client
3) Java installed on your system
4) Flash Player
5) Acrobat Reader

Some attacks go through one thing and then use another: for example, a web browser attack that takes advantage of Flash Player. These last three items have had tens of thousands of vulnerabilities over the years. How can you nullify attacks through these popular attack vectors?

If you don’t need it, uninstall Java. You could go without Flash Player, but how then would you play sheep dash or online flappy bird? Too great a sacrifice. Inside your browser you can install an add-on (Flashblock) that blocks Flash content from automatically playing. This gives you control over which Flash content is allowed. Keep Flash Player updated. Visit the Flash Player Settings Manager website to check your settings and choose stronger settings than the defaults.

You can replace Acrobat Reader with a less targeted and less bloated PDF reader like Sumatra PDF.

For an e-mail client, choose one that doesn’t support scripting or one that lets you turn it off. Avoid Outlook and anything that supports ActiveX on the Windows platform. Don’t open attachments in e-mails from strangers. Just delete them.

You could run your web browser sandboxed, using the free program Sandboxie. It will break many sites, but you can install browser add-ons like NoScript, which keep JavaScript and other scripts from running. Turn the extension off when you need scripting. For privacy, add Ghostery to your browser.

By looking at known attack vectors you can reduce your vulnerability to attacks. By listing possible attack vectors you can get a good idea of how you can be attacked. It gets you thinking about how you can secure each line of attack.
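One way to start that list on a Windows PC, as an added example that is not from the original post: the script below reads the installed-programs registry keys and flags Java, Flash Player and Acrobat Reader with the action suggested above. The name patterns are assumptions about how these products label themselves in the installed-programs list.

```powershell
# Added example (not from the original post): flag installed software that
# matches the attack vectors listed above. Name patterns are assumptions.
$vectors = @(
    [pscustomobject]@{ Vector = 'Java'
                       Pattern = '^Java\b'
                       Action  = "Uninstall if you don't need it" }
    [pscustomobject]@{ Vector = 'Flash Player'
                       Pattern = 'Flash Player'
                       Action  = 'Keep updated; block auto-play; review Settings Manager' }
    [pscustomobject]@{ Vector = 'Acrobat Reader'
                       Pattern = 'Acrobat Reader|Adobe Reader'
                       Action  = 'Consider a less targeted PDF reader (e.g. Sumatra PDF)' }
)

# Standard uninstall keys: 64-bit, 32-bit on 64-bit Windows, and per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Keep only entries that have a display name, and drop duplicates.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion -Unique

# Match every installed program against every vector pattern.
$findings = foreach ($v in $vectors) {
    foreach ($app in ($installed | Where-Object { $_.DisplayName -match $v.Pattern })) {
        [pscustomobject]@{
            Vector    = $v.Vector
            Installed = $app.DisplayName
            Version   = $app.DisplayVersion
            Action    = $v.Action
        }
    }
}

if ($findings) {
    $findings | Sort-Object Vector, Installed | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'None of the listed software attack vectors were found installed.'
}
```

Browser add-ons and e-mail client settings are not recorded in these registry keys, so those two vectors still need a manual check.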

The greatest weakness is entirely missing an attack vector. You’ve secured your home. The doors are bulletproof. The windows, impenetrable. A tiny burglar crawls through your dog door. A missed attack vector.

In the book, I devoted a page to securing window air conditioners. Why? It’s an overlooked burglar attack vector. Most ACs just sit in the window frame, held in place by a few tiny screws at the top. Burglars can easily push the AC into the home and crawl through the window. If you have a window AC, spend some time to secure it.

A garage door whose traveller can be disconnected is another overlooked home security attack vector. Secure it.

When you secure anything, be it your home, computer, survival retreat, vehicle, anything, make a list of possible attack vectors. Don’t be overwhelmed. If you’re on the ball, you’ll see a huge amount of attack area. You can’t bulletproof everything. You don’t need to. The vast majority of attacks look for easy vulnerabilities. Something as simple as a locked door discourages break-ins. A reinforced door makes a kick-in difficult. Most burglars will move on to the house down the road when confronted with a few hardened attack vectors.

The same is true with computer hackers. Unless you’ve pissed off the NSA, when a hacker finds their favorite attack vectors closed, they’ll move on to hacking somebody else.