This article was originally written by Aaron Xie and published at Educative.io
For any web application, there are a variety of ways that cyber-attackers can exploit vulnerabilities and cause damage. It's crucial for applications to have robust defense systems in place against cyber attacks. Today, you will learn about some common cyber attacks and how to defend against them.
Today, we will cover the following:
- What is cyber security?
- Understanding SQL injections
- Understanding phishing
- Defenses against phishing
- Wrapping up and resources
Cyber security is the practice of protecting and recovering computer systems, services, and data from a cyber attack. Cyber security is a large subset that includes information security, network security, and other forms of security.
Cyber-attacks have existed for decades and continue to be an evolving danger to companies, customers, and employees. They can cause massive, irreparable damage to businesses and threaten the identities of customers and users.
Common forms of cyber attacks:
Malware: Malicious software that exploits and damages a user's computer. Common types of malware are ransomware, spyware, trojan horses, and adware.
SQL injection: Involves taking control of a database or stealing data from a database by exploiting a system's vulnerabilities.
Phishing: Involves cybercriminals forging emails that appear to be from a legitimate person or company, asking for sensitive information or payment.
In the digital age, cyber threats continue to increase year after year. In the first nine months of 2019 alone, 7.9 billion records were exposed by data breaches: a figure more than double that of 2018. These cybersecurity threats undermine the livelihood of all businesses, as they can damage a company's reputation and erode the trust of customers. They can also result in a great amount of financial loss and burden. Because of this, it's important that all businesses set up critical infrastructure and defenses to prevent unauthorized access and attacks.
Structured Query Language (SQL) is a language used to query and control database systems such as MySQL, Oracle, or Microsoft SQL Server.
Databases store all types of information to add functionality to web applications. Oftentimes, web applications will use user-supplied data to build SQL statements that will interact with the database. A SQL injection attack seeks to exploit this by submitting SQL statements that subvert the original intent of the application. Depending on how the application processes SQL statements, a SQL injection can successfully access information and distribute malicious code.
There are many types of possible SQL injections, so to understand how they work, let's take a look at a simple example. Say, we have a simple login screen on a website asking for a username and password.
```sql
SELECT id FROM users WHERE username ='John' and password = 'mypassword'
```
Normally, a site will run the SQL code above when a user requests to log in. The statement asks whether the database contains a user with the username `John` and the password `mypassword`.
```sql
SELECT id FROM users WHERE username =''' and password = '''
```
An attacker can determine whether the system uses a SQL database by entering a single quote in the Username and Password fields. Single quotes are special characters in the SQL language, and a poorly designed application may not escape them, so the statement above is malformed and the database returns an error saying that the syntax is not supported by the SQL server.
Now, the attacker can confirm that the system is using SQL.
```sql
SELECT id FROM users WHERE username ='' OR 1=1 --' and password = 'mypassword'
```
The attacker can use the username `' OR 1=1 --` to bypass the login. Because the value 1 is always equal to 1, and `--` comments out the password check, an undefended server will potentially log the attacker in as the first user in the table. This is an extremely simple example of a SQL injection attack, but such attacks can be far more complex.
Bypassing authentication: Allows an attacker to access a user and potentially change details and access sensitive data.
Information disclosure: Allows an attacker to access information from a database, compromising data security.
Availability of data: Allows an attacker to delete important information, causing data loss, which results in harm to a business and its customers.
To protect your information technology systems, you should conduct risk assessments to find security vulnerabilities. Below, is a general guide to preventing SQL injections.
Creating layers of defense: It's important that your system has multiple layers of defense, so that even if an attacker gets past one, others remain in place. You can start with prepared statements, which stop user input such as single quotes from being interpreted as SQL. These are a strong defense, but they don't protect against everything, so keep adding defenses as development continues. A final layer is a broad defense such as database permissions, which limit what a compromised query can do.
Alerts: You can also set up your system so that the attacks are "noisy", meaning that they will stand out. You want to build an alert system in which you have a rigorous evaluation that indicates whether a security breach is happening. With alerts, the system can quickly notify employees and take action.
Diligence: You should also set up a system of ongoing diligence during development. This consists of creating a framework in which developers can easily understand where and when extra care is required. For example, you need to make it clear which parts of the database should be accessible from application code and which should not.
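The login example above and the prepared-statement defense, shown side by side as an added example (not code from the original article). It uses an in-memory SQLite table constructed here with the article's `John` / `mypassword` user; the function names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('John', 'mypassword')")
    conn.commit()
    return conn

conn = make_db()

def login_vulnerable(username, password):
    """Builds the query by string concatenation, the pattern the article warns about.
    Returns the matched user id, None for no match, or an 'error: ...' string."""
    query = (f"SELECT id FROM users WHERE username ='{username}' "
             f"and password = '{password}'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # A stray quote unbalances the statement; the error leaks that this is SQL.
        return f"error: {exc}"
    return row[0] if row else None

def login_prepared(username, password):
    """Prepared statement: values travel separately from the SQL text and are
    never parsed as SQL, so quotes, OR 1=1 and -- are just characters."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? and password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    print(login_vulnerable("John", "mypassword"))      # legitimate login
    print(login_vulnerable("'", "mypassword"))          # syntax error reveals SQL
    print(login_vulnerable("' OR 1=1 --", "anything"))  # bypass: logs in as first user
    print(login_prepared("' OR 1=1 --", "anything"))    # no match with prepared statement
```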
Educative's Practical security course teaches you the main forms of cyber attacks alongside five simple, yet effective, techniques to improve your application security.
Phishing is the practice of illegally obtaining personal information through deceptive e-mails and websites. This often results in identity theft and is considered a serious cyber attack. In a phishing attack, the attacker will send an email to the recipient with false information to mislead the victim in providing their personal information. The goal of the attacker is to trick the victim into believing that the email or request is from a legitimate organization like a bank or known company.
These types of attacks date back to the 1990s and are still one of the most widespread and successful cyber attacks because techniques have become increasingly sophisticated and require little effort. With phishing, there is no need for the attacker to look for potential SQL injections or unpatched servers.
Let's look over the three common types of phishing attacks: phished credentials, CSRF, and social engineering.
Phished credentials: This is the most popular form of phishing, in which the attacker will replicate a popular website such as Instagram, Facebook, Gmail. Oftentimes, an attacker mimics a social media platform. Then, the attacker will send emails asking potential victims to sign into their account through a malicious link.
Typically, they'll copy an email format similar to the legitimate company's emails and ask the recipient to take some form of action. The phisher's attack is successful when a recipient enters their login info or credit card info into the malicious website, giving the attacker access to their account and its private information.
This is considerably dangerous, as the attacker can reset passwords for accounts on other sites, beyond the initial website. And if a victim uses the same password on other sites, an attacker can access more private information. Attackers can go one step further by resetting the account password so that they have complete control over the account. Because this approach is so common, applications must set up defense systems such as multi-factor authentication.
Cross-Site Request Forgery (CSRF): CSRF is an attack that tricks a victim into unknowingly triggering an action in an application they are logged into. An attacker can create a malicious email with a hyperlink that they want the recipient to click. When the recipient clicks the link, their browser sends a request to the application server that carries out the attacker's intention. The request could, for example, allow the attacker to take over the victim's account in the web app or confirm a dangerous action such as transferring funds on a banking application.
An attacker typically prepares a CSRF attack by studying the application's API so that they can forge valid requests. So, if you are building a web application, it's incredibly important that your system prevents CSRF attacks. Without any defense, a CSRF attack is completely open to an attacker.
Social engineering: This form of attack is the least technical type of attack. In this method, a phisher will pretend that they're someone else in an effort to ask for certain personal details like banking information, passwords, usernames, and more.
One of the simplest and most effective methods to protect against phishing is social defense. This consists of educating everybody in your company or team about how to differentiate between legitimate emails and malicious emails. Here are a few tips for anti-phishing training:
Look for suspicious-looking domains in the email address and links provided. A common trait of phishing emails is that they appear to be from someone legitimate, such as a company executive. These emails will also link to a site that appears legitimate. When you see an email requesting you to take action, be sure to check the sender's email and the reply-to email. If they do not match, or the email address appears suspicious or does not align with the email address of a legitimate website, this should raise a red flag. For example, a replicated email address of email@example.com could be
Oftentimes, phishing emails will link to a website that looks similar to a legitimate site. You should look at the web address to see if the URL is legitimate.
Be skeptical about attachments. Another common trait of phishing emails is that they contain an attachment to open. Before you open an attachment, make sure that you were expecting one. Do not open attachments from random emails. Furthermore, make sure that the file type is the type you are expecting. If you were expecting an image, the file should be a .jpg or a .png. If the attached file is a .exe file, don't open it. You should automatically be suspicious of .exe files, as you run the risk of installing malware or other harmful programs on your computer. As a basic precaution, an easy way to defend against malware is to install antivirus software.
Be skeptical about emails with urgent deadlines. Oftentimes, phishing emails will exploit a sense of urgency such that the recipient feels that they must take immediate action. An example could be an email with an invoice requesting money for an unfulfilled payment. You should be suspicious of these emails and follow-up with the appropriate people in your company or team. It's better to ask than run the risks.
Consider whether the general premise of the email is legitimate. Above all, you must confirm the legitimacy of the email by verifying its claims. If the email doesn't add up or simply feels off, check with company customer support. Again, it's safer to ask than put yourself at risk.
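The three mechanical checks from the tips above (sender vs. reply-to domain, executable attachments, urgency wording) as an added example that is not part of the original article. The sample message is constructed here and is not a real phishing email; the function names and keyword list are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message showing the traits the article lists (not a real email).
SAMPLE = """\
From: Accounts Payable <billing@example.com>
Reply-To: billing@examp1e-pay.net
Subject: URGENT: overdue invoice, pay within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice immediately.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

MZ...
--b1--
"""

RISKY_EXTENSIONS = (".exe",)  # assumption: extend with other executable types as needed
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "overdue")

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if there is none."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_flags(raw_message):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []
    sender, reply_to = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    for part in msg.walk():  # every MIME part, including attachments
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"executable attachment {name}")
    subject = msg.get("Subject", "").lower()
    hits = sorted(w for w in URGENCY_WORDS if w in subject)
    if hits:
        flags.append("urgency language in subject: " + ", ".join(hits))
    return flags

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("RED FLAG:", flag)
```

The checks are heuristics for training and triage, not a filter; a message with no flags still needs the judgement the tips above describe.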
The reason why phishing emails are so widespread is because anyone can send an email to anybody else. Email is sent and received using a system called SMTP (Simple Mail Transfer Protocol). SMTP allows any mail server on the internet to send and receive emails from one another. This system is a large part of the problem, as it allows spam to become so widespread.
Let's say you receive an email from the address educative.io, such as firstname.lastname@example.org. What's to say that this email address is legitimate? By itself, SMTP gives a receiving server no way to determine whether the sender address is legitimate.
So, what can we do? We can use DNS (Domain Name System) to analyze information about domains and potentially filter out fraudulent emails. The DNS stores all kinds of information about a domain. Let's see how we can use a defense strategy like SPF to determine whether an incoming email address is legitimate.
SPF (Sender Policy Framework) is a technology that allows the admins of a domain to specify which computers have permission to send email on behalf of that domain. This allows us to determine whether an email is legitimate. For example, if you receive an email that claims to be from educative.io, the mail server that receives the email can check whether the sending computer is authorized to send emails on behalf of educative.io. So, say educative.io has the SPF record below:
```
v=spf1 ip4:188.8.131.52 -all
```
When you receive an email that is supposedly from educative.io, the mail server can check whether the computer connecting to deliver it has the IP address 184.108.40.206. If not, it's a forged email.
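The SPF check described above, as an added example that is not part of the original article. It evaluates a record's `ip4`, `ip6` and `all` mechanisms with their `+ - ~ ?` qualifiers against a connecting IP, which goes slightly beyond the single-address record in the text; DNS lookups are replaced by a constructed table, and `include:`, `a` and `mx` mechanisms are deliberately not handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access); the first record
# is the one from the article, the second is an assumed record for illustration.
DNS_TXT = {
    "educative.io": "v=spf1 ip4:188.8.131.52 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' if it matches
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed

def check_spf(domain, connecting_ip):
    """Return pass/fail/softfail/neutral/none for an IP claiming to send for domain."""
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return RESULTS[qualifier]
        elif mechanism == "all":
            return RESULTS[qualifier]  # catch-all: usually -all (fail) or ~all (softfail)
        # include:, a, mx, exists: are not evaluated in this simplified checker
    return "neutral"  # no mechanism matched and no 'all' term present

if __name__ == "__main__":
    print(check_spf("educative.io", "188.8.131.52"))   # pass
    print(check_spf("educative.io", "184.108.40.206"))  # fail: not the listed sender
```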
The two other DNS-based strategies are DKIM (Domain Keys Identified Mail) and DMARC (Domain-Based Message Authentication, Reporting, and Conformance). If you want to learn more about SPF or the other two strategies, check out our Practical Security course.
Now, you should have a good idea of cyber attacks from SQL injections to phishing. But there's still a lot to learn!
Other topics such as cloud security, cryptography, patching, XSS (cross-site scripting), and Windows security also help defend your systems against all forms of cybercrime.
To get started with these concepts and to dive deeper into cybersecurity, take our course Practical Security: Simple Practices for Defending Your Systems for real-world examples and hands-on practice. You will learn five simple, yet effective, best practices for preventing attackers from getting into your system.