• Identity 101
  • What's an Attack Vector? Definition, Common Exploits, & Protection

What's an Attack Vector? Definition, Common Exploits, & Protection

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.
Read more
Okta
Updated: 12/05/2022 - 5:51
Time to read: 5 minutes

An attack vector is a method a hacker uses to gain access to a protected area. Attack vectors are varied, and most companies have many potential attack vectors. The higher the number and less secure each vector is, the more likely an attack becomes. 

The more you know about common attack vectors, the better you can defend against them. But before we dive into solutions, let's explain some key terms.

These are three critical terms to understand:

  • Attack vector: breach methods a hacker might use to gain access to protected assets 
  • Attack surface: the points on your network a hacker might explore to gain access
  • Data breach: loss of information or processing power results from a successful attack. 

Let’s put these terms together.

A hacker assesses your attack surface and chooses what seems like a weak point. The hacker then chooses an attack vector that’s well suited for this access point. The attack is successful, and you endure a data breach. 

How attack vectors are used

Your system can be a treasure-trove of data for hackers. Each person has a unique reason for attacking you, but motives can be lumped together. 

Hackers typically use attack vectors to:

  • Make money. In 2021, data breaches cost companies $4.24 million. A hacker might make money by stealing something important. Or the hacker might hold your information hostage and make money through the ransoms you pay. 
  • Future attacks. Some hackers break in to steal information they can use against someone else. Passwords, usernames, and protected data could all help fuel other crimes. 
  • Mining. Your servers could help hackers mine cryptocurrency. Experts say crimes like this have made hackers more than $50 million
  • Revenge. You've made someone angry, and that person wants to strike back. Attack vectors make that possible. 

When we talk about attack vectors, we often focus on financial loss. But clearly, hackers have many reasons to launch an attack against you. 

16 common cyber attack vectors

How can a hacker gain access to something you want to protect? Attack vectors make that possible.

Here is an attack vectors list:

  • Brute force attack: A hacker tries to guess your usernames and passwords. 
  • Compromised credentials: A hacker accesses stolen or purchased usernames and passwords from the dark web and uses them to gain access. 
  • Cross-site scripting: A hacker tricks an authenticated user into granting access to the user's account. 
  • DDoS: Multiple computers connect to the server at once. The server is overwhelmed, and it crashes. 
  • Malicious insiders: Someone inside your organization wants to harm you, and that person can use their authentication to do so. 
  • Man-in-the-middle attacks: A hacker steps between an authenticated device and the server. 
  • Misconfiguration: The system is set up improperly, and that flaw gives hackers access. 
  • Missing or poor encryption: Proper encryption scrambles data so it's illegible to hackers. Do this step poorly, and data is exposed in transit. 
  • Phishing: Hackers masquerade as a reputable source. Users are fooled into giving access. 
  • Session hijacking: A hacker steals a session token and uses it to perform steps as an authenticated user. 
  • Software supply chain: Malicious code is added to a software component.
  • SQL injections: A hacker uses coding vulnerabilities to make a website or server do things that it wouldn't normally do. 
  • Third- and fourth-party vendors: Your business partners don't secure your data. A hacker doesn't need to work with your resources directly and can focus on this sensitive spot instead. 
  • Trojans: A malicious computer program weakens your security protocols and allows hackers inside. 
  • Trust relationships vulnerabilities: Permissive setups allow a device and a server to connect and share information too freely. That allows for easy hacking.
  • Weak credentials: You don't require your users to take multiple steps to get inside protected spaces. A hacker can climb inside easily. 

This is an abbreviated list of attack vectors. Know that there are many more, and they could be scattered throughout your company. 

7 ways to protect devices against common vector attacks

It takes time and vigilance to reduce your attack surface and block attack vectors. Typically, companies must take several steps all at once to ensure they've done all they can to protect what is theirs. 

Here are seven ways to fight off attack vectors:

  1. Audits: Walk through your protection steps internally, and ask an external vendor to check your work. Update your protection steps accordingly. Continue auditing regularly.
  2. Encryption: Protect data at rest and in transit through encryption. Don't allow important information to remain legible to those who might steal it. 
  3. Update installation: Don't wait to deploy critical security updates. Ensure all of your employees know that they must update as soon as possible. Better yet, give IT the opportunity to override users and install automatic updates. 
  4. Password restrictions: Ensure that passwords are long, unguessable, and updated often. Use a multi-factor authentication system (such as requiring a code sent to an authenticated device) to secure logins. 
  5. Physical security: Ensure that computers are locked when not in use. Protect physical server spaces.
  6. Software: Use a program to scan activity and flag anything suspicious. Invest in a program that can take servers offline in a crisis. 
  7. Training: Make cybersecurity part of your employee onboarding process, and hold regular refresher courses for your staff. 

Don't tackle just one item on this list. You'll need all of these steps, working in tandem, to truly protect your data and your company. We also strongly recommend abiding by the OWASP Top 10 Guidelines, as well as NIST guidelines.

Partner with Okta to protect your assets. Find out more about how we can help.

References

How Much Does a Data Breach Cost? (2021). IBM.

A Multimillion-Dollar Criminal Cryptomining Ecosystem Has Been Uncovered. (March 2019). Technology Review. 

2021 Data Breach Investigations Report. Verizon.