Information Security Is Like A Box Of Chocolates
Life as an information security professional, to borrow the phrase from Forrest Gump, “…is like a box of chocolates; you never know what you are going to get.” The number of venues by which a large organization may be electronically attacked has many information security professionals reminiscing about the little Dutch boy in Hans Brinker and the Silver Skates who saved his town by plugging a leaky dam with his fingers. “Hacks” often vary in sophistication as do the criminals behind them.
The first actual “Hack” occurred in 1903 when a magician named Nevil Maskelyne interrupted a public demonstration of Marconi's new secure wireless telegraphy machine by sending insults via Morse code through the presenter’s projector. The tradition has carried forward through the ages, from the Allies using a brute force attack to decode the Germans’ Enigma machine in WWII to the free Captain Crunch cereal whistle that was used to create the precise tone needed to obtain free calls from phone booths in the 1970s. More modern malware and attacks have actually sported weird and cool names like 1260, Melissa, ILOVEYOU, Poison Ivy, Zeus, and Stuxnet. Hacking has evolved into its own industry where hackers work as ethical “White Hat” hackers that try to help companies/people stay safe from the more nefarious or less ethical “Black Hat” and “Grey Hat” hackers. Even governments are now waging wars in “Cyberspace”.
So why am I telling you all of this? Because when the cyber dust settles, Information Security Professionals see the trends that are occurring in “Cyberspace.” Here are some popular attacks you should know about now and some possible future attack venues. I want to ensure you are aware of what is out there. Remember, these are just a few of the attack vectors.
- Social Engineering – When an attacker socializes with people in person, on the phone, on the computer, or by other means to accomplish their main objective. Ex. A person carrying a box trying to get a victim to open a secure door and allow them access to a facility.
- Phishing/Spear Phishing – An attacker attempts to trick victims into opening a malicious file or clicking a bad URL through a specially crafted email (it is a form of social engineering). So be careful of the links and attachments you click on.
- Cross-Site Scripting (XSS) – A security exploit on the Web which allows attackers to insert bad code into a trustworthy link. When someone clicks the link, the bad code is submitted and can execute on the user's computer, allowing the attacker to steal information. Developers can search for OWASP top 10 for help.
- SQL Injection – An attacker enters programming code into web form fields hoping the code will take advantage of poor programming practices and allow the attacker to steal or destroy data. Developers can search for OWASP top 10 for help.
- Distributed Denial of Service (DDoS) – Using automation to overload computer resources to the point that they cannot function properly.
- Fake Access Points – A fake Wi-Fi hotspot that is named similar to a legitimate one.
- Malicious Apps – Mobile apps that contain malware that damages, steals, or provides access to mobile data and functions. So try to download apps made by reputable companies.
- My crystal ball says watch out for budding malware that may attack wireless home appliances, wireless medical devices, telematics in cars, and connected entertainment technologies like TVs, DVRs, and gaming consoles.
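To make the SQL Injection and Cross-Site Scripting items above concrete from the developer's side, here is an added example (written for this post, not code from the original author) that puts the "poor programming practice" next to the fix for each. It assumes a constructed in-memory SQLite table of users and a web page that greets a visitor by the name they typed into a form; the crafted inputs are the textbook ones from OWASP awareness material.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The form field value is pasted straight into the SQL text, so the
    # database cannot tell data apart from code. A quote in the input
    # ends the string literal and the rest is parsed as SQL.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    # The value travels separately from the statement as a bound
    # parameter; whatever it contains is compared as a literal string
    # and is never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # Reflecting user input into HTML unescaped lets any markup in the
    # input become part of the page the browser interprets (XSS).
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # html.escape turns <, >, &, and quotes into entities, so the input
    # is displayed as text instead of being interpreted as markup.
    return f"<p>Hello, {html.escape(name)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"
    print(lookup_vulnerable(conn, crafted))    # every row, not one user
    print(lookup_parameterized(conn, crafted)) # no rows: nobody has that literal name
    print(render_greeting_vulnerable("<b>guest</b>"))  # tag is live markup
    print(render_greeting_safe("<b>guest</b>"))        # tag is shown as text
```

The two "vulnerable" functions are kept only to show what the mistake looks like in code; in a real application the parameterized query and the escaped output are the only versions that should ship, and OWASP's cheat sheets cover the same two fixes for other languages and frameworks.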