Five Techniques Hackers Love Using to Get Inside Your System
Note: The link to the Data Breach Investigations Report (DBIR) is to the report home page. The 2012 report is cited, but the 2013 report is due out imminently.
Whether a hacker wants to steal your data, just mess with it, or harness your computer to help them wreak havoc on someone else, they first have to get into your system. Here are five of their favorite attack techniques:
1) SQL injection: When a cybercriminal goes after a large organization, they often strike through a web application powered by a back-end database. That web application’s front end defines and controls how users can interact with the database. But what if those limits were removed and the hacker could execute commands directly against the underlying database? That’s exactly what an attacker is aiming for with an SQL injection attack.

SQL (structured query language) is a programming language used to manipulate data in many common databases. In a typical scenario, a web application accepts user form input, which is then used to build SQL commands that are run against the database to accomplish an action, such as changing a user’s email address or returning a list of results to display. In an SQL injection attack, the attacker inserts carefully constructed SQL commands into the input fields of the application. If the commands slip through unchecked, they get incorporated into the queries and executed against the database. The potential results: confidential data is exposed, records are wiped out, access privileges are altered, and other potentially catastrophic security breaches occur.
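The difference between "input incorporated into the query" and "input bound as a value" is easiest to see side by side. This is an added example, not code from the original article: it uses a constructed in-memory SQLite table standing in for the web application's back-end database, and the function names are made up for the illustration.

```python
import sqlite3

# Constructed users table (sample data, not from any real system).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                 [("alice", "alice@example.test"), ("bob", "bob@example.test")])
conn.commit()

def lookup_email_vulnerable(username):
    """Builds the statement by string concatenation: whatever the user typed becomes SQL text,
    so quote characters in the input can change the query's structure."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_email_safe(username):
    """Parameterized query: the driver sends the input as a bound value, never as SQL text,
    so the query structure is fixed no matter what the input contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def rows_returned(lookup, username):
    """Helper for comparing the two behaviours on the same input."""
    return len(lookup(username))
```

The same input that turns the first query into "every row" is matched literally (and finds nothing) by the second; fixing every concatenated query in the application, not just the one that was reported, is the actual remediation.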
2) Cross-site scripting (XSS): Cross-site scripting attacks are the bane of dynamic websites that allow user contributed content, such as forums, blogs and social networks. In an XSS attack, the attacker slips malicious code into an otherwise legitimate web page, perhaps via HTML <script> tags hidden in a blog comment or forum post. From then on, whenever a user visits the page (the victim may or may not have to click a link, depending on the XSS method employed), the malicious code is executed by the user’s browser when it loads the page. Bad things will likely follow, because the attacker is now able to take advantage of the victim’s user credentials. If the victim is logged into another site (such as Google or Facebook) when they visit the infected page, for example, the attacker may be able to hijack those accounts.
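The defence for stored XSS is output encoding: user content is escaped for the HTML context it is written into, so a <script> tag in a comment is displayed as text rather than executed. Added example, not from the original article; the comment text is constructed and the script body is a placeholder, not working attacker code.

```python
import html

# Constructed forum comment carrying a script tag; runAttackerCode() is only a placeholder name.
SUBMITTED_COMMENT = 'Great article! <script>runAttackerCode()</script>'

def render_comment_unsafe(author, body):
    """Interpolates stored user content straight into the page, so a <script> tag in the
    comment body (or a quote in the author name) reaches the browser intact."""
    return '<div class="comment" data-author="' + author + '">' + body + '</div>'

def render_comment_safe(author, body):
    """Escapes user content for the context it lands in: < > & become entities, and
    quote=True also neutralises quotes inside the attribute value."""
    return ('<div class="comment" data-author="' + html.escape(author, quote=True) + '">'
            + html.escape(body, quote=True) + '</div>')

def has_live_script(rendered):
    """Output-side check: an unescaped <script start in the final HTML means the comment
    will run in every visitor's browser."""
    return "<script" in rendered.lower()
```

Templating engines that auto-escape do this by default; the risk reappears wherever a template marks user content as "safe" or builds HTML by string concatenation as the unsafe function does.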
3) Brute force/dictionary attacks: Insanely simple, incredibly effective and free - no wonder it’s a hacker fave. Just as the name implies, a brute force attack relies on computer processing power rather than human smarts. An automated guessing program runs through every possible combination of letters and symbols, trying user names and passwords, until it hits on one that opens the doors to the kingdom. Applying this to every possible account on every system can take a very long time, even for a computer; thus the more constrained dictionary attack, which runs through all the words in a likely list, such as a dictionary. A hybrid attack is a dictionary attack with select extra characters, such as @, - and $ added.

Brute force attack software is freely available across the Internet. All a hacker has to do is start it and come back later to see what it’s turned up.
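Because an automated guesser produces a burst of failed logins from one source, the defender's side of this technique is detection: count failures per source over a sliding window and alert when they pile up. Added example, not from the original article; the log format and the log lines are constructed for the illustration, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not real data); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2013-04-10T09:12:01 auth FAIL user=alice src=203.0.113.7
2013-04-10T09:12:02 auth FAIL user=alice src=203.0.113.7
2013-04-10T09:12:02 auth FAIL user=alice src=203.0.113.7
2013-04-10T09:12:03 auth FAIL user=alice src=203.0.113.7
2013-04-10T09:12:04 auth FAIL user=alice src=203.0.113.7
2013-04-10T09:12:05 auth OK   user=alice src=203.0.113.7
2013-04-10T09:15:00 auth FAIL user=bob   src=198.51.100.9
2013-04-10T09:40:00 auth FAIL user=bob   src=198.51.100.9
2013-04-10T09:40:30 auth OK   user=bob   src=198.51.100.9
"""

# Assumed line layout: ISO timestamp, "auth", result, user=..., src=...
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

def parse_events(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples in time order; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)

def find_guessing_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed logins per source. Returns {src: (failures, distinct_users)}
    for every source that reaches `threshold` failures inside one `window`; many distinct users
    with few tries each points at a dictionary run across accounts rather than at one account."""
    recent = defaultdict(deque)      # src -> failure timestamps still inside the window
    users_tried = defaultdict(set)
    flagged = {}
    for ts, result, user, src in parse_events(log_text):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        users_tried[src].add(user)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = (len(q), len(users_tried[src]))
    return flagged
```

A successful login from a flagged source right after the burst (alice at 09:12:05 in the sample) is the event to act on first; rate limiting and lockout on the login endpoint are what keep the burst from paying off at all.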
4) Phishing (and the rest of the *ishing family): When a cybercriminal goes on a phishing trip, he/she is out to net user names, passwords, and account numbers using carefully crafted electronic communication as the bait. The most common lure is an email that appears to originate from a recognizable, trusted entity and may even be a slightly altered reproduction of just that. The email directs the victim to a scam website (mocked up to look like the real thing, of course) to “update” a password or account information; or the email may contain links that download malware to the victim’s computer, giving the attacker control of it.

Phishers don’t just hook the naïve; their lures can be so deceiving that even veteran users take the bait. Spear phishing is particularly enticing. Spear phishers fashion custom lures for specific victims. For example, an attacker might obtain the name of a company’s support admin and use it in a phishing email to company employees or send a phishing message to a company exec designed to appear as an urgent message from a key partner.
5) Backdoor: What hacker wouldn’t love a secret entry point that provides an easy way to bypass normal authentication and enter or control a remote system any time? That’s exactly what a backdoor does. Programmers sometimes add backdoors during legitimate development and/or testing phases of a project – however, they may forget about the code and inadvertently leave a backdoor open to potential hackers.

Once an attacker gains entry, they typically install one or more of them before leaving. It may be by adding a hidden user account with top privileges or deploying a bit of malware that allows a secret connection. According to Verizon’s 2012 Data Breach Investigations Report (DBIR), a quarter of all hacking cases involve installation of a backdoor. Sometimes a pre-existing backdoor is what lets the hacker inside in the first place. It may have been installed earlier by a virus, malware, or other source, and the hacker simply found it.
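The "hidden user account with top privileges" variety of backdoor leaves a trace in the account database, so a periodic audit of /etc/passwd against a known-good list catches it. Added example, not from the original article; the passwd content is constructed, the planted account name is invented, and the list of accounts expected to have a login shell is an assumption for this illustration.

```python
# Constructed /etc/passwd content (not from a real host); "sysupd" is a planted root-equivalent account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupd:x:0:0:system update:/var/tmp/.sysupd:/bin/sh
"""

# Assumed baseline: accounts that are known to have an interactive shell on this host.
EXPECTED_INTERACTIVE = {"root", "alice"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Split each passwd line into its seven colon-separated fields; blank and comment lines are skipped."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return accounts

def audit_accounts(text, expected_interactive=EXPECTED_INTERACTIVE):
    """Return sorted (account, reason) findings for: a UID-0 account other than root, an interactive
    shell on an account not in the baseline, and a home directory hidden under a dot-name."""
    findings = []
    for acct in parse_passwd(text):
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append((acct["name"], "uid 0 (root-equivalent) account"))
        if acct["shell"] not in NOLOGIN_SHELLS and acct["name"] not in expected_interactive:
            findings.append((acct["name"], "unexpected interactive shell " + acct["shell"]))
        if acct["home"].rsplit("/", 1)[-1].startswith("."):
            findings.append((acct["name"], "hidden home directory " + acct["home"]))
    return sorted(findings)
```

Diffing today's findings against yesterday's (or against a file-integrity baseline of /etc/passwd, /etc/shadow and /etc/sudoers) turns this from a one-off check into the kind of monitoring that notices an account added after the intruder was already inside.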
Prometric, a wholly-owned subsidiary of ETS, is a trusted provider of technology-enabled testing and assessment. Its market-leading test development and delivery solutions allow clients to develop and launch global testing programs as well as accurately measure program results and data. Prometric reliably delivers and administers more than 10 million tests a year on behalf of approximately 400 clients in the academic, financial, government, healthcare, professional, corporate and information technology markets. It delivers tests flexibly via the Web or by utilizing a robust network of more than 10,000 test centers in more than 160 countries.

Find Out More: Learn more about Cyber Security by visiting www.prometric.com

Copyright© 2013 Prometric, Inc. All Rights Reserved.