A cyberattack is any offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices, using a variety of methods to steal, modify or destroy data or computer systems.
This article reviews the cyberattacks most prevalent in 2021, and passes on recommendations for countering such attacks issued by leading IT security organizations. We also cover the important role of digital certificates in securing computer systems. Ensuring effective management of the digital certificate life cycle is a significant challenge for IT departments.
The seven most likely cyberattacks in 2021
Recommendations from ANSSI, ANSI, OWASP and Google
Cross-site scripting (XSS)
XSS attacks use third-party web resources to run scripts in the victim’s web browser or an application that supports scripts. More specifically, the attacker injects malicious JavaScript code into a website’s database. When the victim requests a page on the website, the website serves the page to the victim’s browser with the malicious script embedded in the HTML body.
The victim’s browser executes the script, which might, for example, send the victim’s cookie to the attacker’s server, allowing it to be extracted and used to hijack the session. The most serious consequences occur when an XSS attack is used to exploit additional vulnerabilities. In practice, the attacker may be able to steal cookies, log keystrokes and take screenshots. They may also be able to discover and retrieve network-related information, enabling them to remotely control the victim’s computer.
How can XSS attacks be countered?
To protect against vulnerabilities that allow XSS attacks, the French National Agency for the Security of Information Systems (ANSSI) recommends ensuring that all data from external sources included in web pages is protected, by processing it such that it cannot be interpreted in the context in which it is used.
This is common practice for server-side controls, but the same check should also be performed on the browser side, since the browser plays a part in safeguarding the integrity of the content presented to legitimate users.
Third-party data used in any part of the reply sent to the browser must first be processed by an ‘escape’ function suited to the context in which it is interpreted.
The following example illustrates the use of escape functions:
fetch-and-escape.js:
async function printUsername(username) {
  try {
    // encodeURIComponent escapes untrusted content for the URL context
    const res = await fetch('https://my-api.com/user/' + encodeURIComponent(username));
    const jsonData = await res.json();
    // textContent escapes untrusted content for the HTML context (the value is never parsed as markup)
    document.getElementById('username').textContent = jsonData.username;
  } catch (err) {
    // Error handling to be implemented
  }
}
welcome.html:
<!DOCTYPE html>
<html>
<body>
<h1>Welcome <span id="username"></span>!</h1>
<script src="fetch-and-escape.js"></script>
</body>
</html>
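The same context-dependent escaping applied on the server side, where the reply is assembled, as an added Python example that is not part of the article or of ANSSI's guidance. The page fragment, the /user/ link and the sample input are constructed for illustration; the point it shows beyond the JavaScript above is that the escaper must match the insertion point, because HTML escaping leaves URL metacharacters untouched and URL encoding is not what an HTML body needs.

```python
import html
from urllib.parse import quote

# Constructed untrusted input: a "username" an attacker might submit.
UNTRUSTED_USERNAME = '<script>alert(1)</script>'


def escape_for_html_body(value: str) -> str:
    """Element-content context (between tags): neutralises < > & so no tag can open."""
    return html.escape(value, quote=False)


def escape_for_html_attribute(value: str) -> str:
    """Double-quoted attribute context: additionally neutralises quote characters so
    the value cannot close the attribute and start a new one."""
    return html.escape(value, quote=True)


def escape_for_url_component(value: str) -> str:
    """URL path-segment or query-value context: percent-encode everything that is not
    unreserved; the server-side counterpart of JavaScript's encodeURIComponent."""
    return quote(value, safe="")


def render_welcome(username: str) -> str:
    """Build the reply fragment, applying the escaper that matches each insertion point."""
    return (
        '<h1>Welcome <span id="username">{body}</span>!</h1>\n'
        '<a href="/user/{path}" title="{attr}">profile</a>'
    ).format(
        body=escape_for_html_body(username),
        path=escape_for_url_component(username),
        attr=escape_for_html_attribute(username),
    )


if __name__ == "__main__":
    print(render_welcome(UNTRUSTED_USERNAME))
    # A value that is harmless in the HTML body still rewrites the link if the
    # wrong escaper is used for the URL context:
    print(escape_for_html_body("../admin?role=1"))      # unchanged by HTML escaping
    print(escape_for_url_component("../admin?role=1"))  # ..%2Fadmin%3Frole%3D1
```

Each context gets its own function on purpose: a single "sanitize" helper that strips tags would leave the attribute and URL contexts exposed, which is exactly the mistake the ANSSI recommendation warns about.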
Phishing attacks
Phishing is a type of social engineering attack often used to steal users’ personal information, including login details and credit card numbers.
This happens when an attacker, posing as a trusted organization, dupes a victim into opening an email, instant message or text message.
ANSI recommendations for protecting against phishing:
Tunisia’s National Agency for Computer Security, ANSI (Agence Nationale de la Sécurité Informatique Tunisienne), advises users to ignore suspicious email messages, refrain from clicking suspicious links, and thoroughly check the source of emails by referring to the official email addresses of businesses and other organizations. When in doubt, ANSI also advises against acting on information contained in email messages.
SQL injection
SQL injection has become a frequent problem for websites that use databases. It consists of a malicious user executing an SQL database query via input data sent from the client to the server. SQL fragments are inserted into the input (in place of the user name or password, for example) so that they become part of the query the application builds and are executed by the database. If the SQL injection maneuver is successful, the attacker will be able to perform a range of malicious actions, such as:
- Read sensitive information in the database
- Edit information in the database (by inserting, updating or erasing records)
- Execute database administration operations (such as shutting the database down)
- Retrieve the contents of a specific file
- Send commands to the operating system
Example: Use of SQL injection to elevate privileges on a web application:
Consider a basic login form on the login.php page, which expects a simple email address and password combination. Analyzing the HTTP POST request in any browser’s network analysis utility (F12, then the Network tab) reveals that there are only two parameters:
email: "admin@unsafe-website.fr",
password: "superpassword"
When the login.php script is executed, the code generates the following concatenated query:
$query = "SELECT * FROM users WHERE email ='".$_POST["email"]."' AND password ='".$_POST["password"]."'";
This yields the following query:
SELECT * FROM users WHERE email ='admin@unsafe-website.fr' AND password ='superpassword';
Now we force the form parameters as follows:
email: "admin@unsafe-website.fr'#",
password: ""
The engine will interpret the following query without considering the password at any point (in MySQL, # starts a comment, so everything after it, including the password clause, is discarded):
SELECT * FROM users WHERE email ='admin@unsafe-website.fr'
The database ignores the password check entirely, allowing any user to illegitimately obtain administrator privileges.
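The contrast between the concatenated query above and a parameterized one, as an added Python example using the standard sqlite3 module; it is not code from the article. The table, the account and the plaintext password column are constructed for illustration (a real application stores password hashes). SQLite's line comment is `--` rather than MySQL's `#`, so the crafted email uses that; the mechanism is the same as on the page.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin@unsafe-website.fr', 'superpassword', 'admin')"
    )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, email: str, password: str):
    """Mirrors login.php from the article: the query is built by string concatenation,
    so quote characters in the input become part of the SQL syntax. Returns the
    role of the matched account, or None."""
    query = (
        "SELECT role FROM users WHERE email ='" + email
        + "' AND password ='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, email: str, password: str):
    """Same lookup with bound parameters: the driver sends the values separately from
    the SQL text, so the input is compared as data and can never alter the query."""
    query = "SELECT role FROM users WHERE email = ? AND password = ?"
    row = conn.execute(query, (email, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    crafted_email = "admin@unsafe-website.fr'--"   # quote + comment, as in the article
    print("legitimate login, concatenated :", login_concatenated(conn, "admin@unsafe-website.fr", "superpassword"))
    print("crafted email, concatenated    :", login_concatenated(conn, crafted_email, ""))
    print("crafted email, parameterized   :", login_parameterized(conn, crafted_email, ""))
```

With the parameterized query the crafted email is simply an address that matches no row, which is the behaviour the login form should have had from the start; escaping the input by hand is a weaker substitute because it has to be done correctly at every query site.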
Malware / Ransomware
Malware is a generic term used to describe viruses and harmful computer programs used by hackers to access and destroy sensitive information.
Ransomware – one of the commonest forms of malware – consists of encrypting a victim’s files and then demanding payment in exchange for restoring access to their data.
Protecting against ransomware attacks
ANSSI recommends the following precautions to guard against ransomware attacks:
- Regularly back up your data.
- If the source or content of an email message seems suspicious, do not trust the sender.
Attacks via web applications
Web application publishers are laser-focused on ensuring that their applications function correctly, but often neglect to implement good practices for protecting against the various types of cyberattack.
One such attack involves broken authentication. Software functions relating to user authentication and session management are often poorly implemented. This allows attackers to compromise passwords, keys and session tokens. They may also be able to exploit other implementation vulnerabilities to temporarily or permanently usurp the identity of other users.
The Open Web Application Security Project (OWASP) recommends the following measures to protect web applications against hacking:
- Implement multi-factor authentication to prevent automated attacks, credential stuffing, brute force attacks and the reuse of stolen credentials.
- Never ship or deploy applications with default login details, particularly for administrator users.
Man-in-the-Middle (MitM) attacks
A man-in-the-middle attack occurs when an attacker intercepts communications between two parties in order to either eavesdrop on them or modify the traffic between them.
Attackers can use MitM attacks to steal login credentials or personal information, spy on the victim, sabotage communications or corrupt data.
Google’s official documentation and certification authorities consider a robust SSL certificate to be a security measure that protects websites against man-in-the-middle attacks.
You can obtain a security certificate when activating HTTPS for your site. The certificate is issued by a certification authority (CA), which takes steps to verify that your website address is indeed owned by your organization, thereby protecting your customers against man-in-the-middle attacks. When configuring your certificate, choose a 2,048-bit key to ensure a good level of security. If you already have a certificate with a weaker (1,024-bit) key, upgrade it to 2,048 bits. When choosing your site certificate, bear the following points in mind:
- Get your certificate from a dependable certification authority that provides technical support.
- Decide which type of certificate you need:
- Single-domain certificate for a single secure source (e.g. example.com).
- Multi-domain certificate covering multiple well-known sources (e.g. www.example.com, cdn.example.com, and example.co.uk).
- Generic (wildcard) certificate for a secure domain with multiple dynamic subdomains (e.g. a.example.com and b.example.com).
Distributed denial of service (DDoS) attacks
Distributed denial of service (DDoS) attacks are distributed network attacks that submit a large volume of queries to the targeted web resource, with the aim of disrupting the website’s ability to function correctly by saturating its query handling capacity.
One low-cost counter-measure consists in using a utility such as fail2ban to automatically reject queries from clients that exhibit suspicious behavior.
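The detection logic behind that counter-measure, as an added Python example that is not part of the article and not fail2ban's own code: it applies fail2ban's maxretry/findtime idea (report a client the first time it makes maxretry or more requests within any findtime window) to a constructed access-log excerpt in the common log format. The IP addresses and lines are made up; a real deployment would feed the reported addresses to a firewall rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log excerpt (not a real capture). 203.0.113.7 bursts six
# requests in six seconds; 198.51.100.20 browses at a normal pace.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:12:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "GET /search?q=b HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2021:12:00:02 +0000] "GET /search?q=c HTTP/1.1" 200 5120
this line is not in log format and is skipped
203.0.113.7 - - [10/Mar/2021:12:00:03 +0000] "GET /search?q=d HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2021:12:00:04 +0000] "GET /search?q=e HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2021:12:00:05 +0000] "GET /search?q=f HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2021:12:03:00 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.20 - - [10/Mar/2021:12:07:00 +0000] "GET /contact HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str):
    """Return (ip, timestamp, status) or None for lines that are not access-log records."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def find_offenders(log_text: str, maxretry: int = 5, findtime: timedelta = timedelta(seconds=60)):
    """Sliding-window rate check. Returns {ip: timestamp at which the client first
    reached `maxretry` requests inside a `findtime` window}."""
    recent = defaultdict(deque)   # ip -> request timestamps still inside the window
    detected = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _status = parsed
        if ip in detected:
            continue                # already reported; nothing more to learn from it
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop entries that fell out of the window
            window.popleft()
        if len(window) >= maxretry:
            detected[ip] = ts
    return detected


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print("%s exceeded the request rate at %s" % (ip, when.isoformat()))
```

The thresholds are the tunable part: fail2ban reads the same two knobs (maxretry, findtime) from its jail configuration, and setting them too low turns a shared NAT address into a self-inflicted outage, so the window should be sized against the site's legitimate peak per client.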
Digital certificates can effectively counter certain attacks
You can secure the authentication credentials of your website’s users by using an SSL certificate to encrypt them in transit. If your website uses an SSL certificate, information entered by your users is sent to your server over an encrypted connection rather than in clear text.
SSL/TLS sessions using an expired certificate must not be approved. Accepting expired certificates would expose users to the risk of a man-in-the-middle (MITM) attack.
The role of the HTTPS protocol in stopping Man-in-the-Middle attacks stems from the SSL certificate concept and the certification authority’s infrastructure. The server holds a private key that, paired with the corresponding certificate, is what allows it to establish a valid connection.
The acid test: when a client connects to a server, could a malicious man-in-the-middle intercept the communication, receive the SSL certificate and successfully decrypt the data?
The hacker could certainly receive the same certificate, as it contains the public key and the domain name sent by the server to anyone wishing to log in to it. However, the hacker would not be able to decipher the information, as only the server has the matching private key used to decrypt the data.
As the private key is not disclosed by the server, the hacker would not be able to use the website’s real certificate. They would have to use one of their own. This means that the hacker would have to persuade the certification authority to sign the certificate or use it as-is. Consequently, if a hacker uses a certificate that has either expired or has not been approved by a reputable certification authority, the client’s web browser would flag it immediately.
Alternatively, the hacker might attempt to forge the SSL certificate and provide their own public key to the client. This would destroy the certification authority’s signature, prompting the browser on the client to display an ‘Invalid SSL certificate’ warning.
Consequently, the SSL certificate’s specific structure prevents Man-in-the-Middle attacks, protects your clients against hackers and enhances your organization’s reliability.
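The two client-side decisions discussed above, rejecting an expired certificate and rejecting one whose identity does not match the site, as an added Python example that is not part of the article. The certificate descriptions are constructed in the dict layout that ssl.SSLSocket.getpeercert() returns; no real certificate or connection is involved. The CA signature check that defeats a forged certificate is not reimplemented here; the last function shows the standard-library context that performs it.

```python
import ssl

# Constructed certificate descriptions in getpeercert() dict layout (not real certificates).
VALID_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 1 00:00:00 2021 GMT",
    "notAfter": "Dec 31 23:59:59 2021 GMT",
}
EXPIRED_CERT = dict(VALID_CERT, notBefore="Jan 1 00:00:00 2020 GMT",
                    notAfter="Mar 31 23:59:59 2021 GMT")

# The instant at which the checks are evaluated (seconds since the epoch, UTC).
NOW = ssl.cert_time_to_seconds("Jun 1 00:00:00 2021 GMT")


def hostname_matches(san_pattern: str, hostname: str) -> bool:
    """Match one DNS subjectAltName entry against the requested host. A wildcard is
    honoured only as the whole left-most label and covers exactly one label, so
    *.example.com matches www.example.com but neither example.com nor a.b.example.com."""
    pattern, hostname = san_pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert: dict, hostname: str, now_seconds: float) -> list:
    """Return the reasons a client should refuse `cert` for `hostname`; an empty
    list means the validity period and the identity both check out."""
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_seconds < not_before:
        problems.append("not yet valid: starts " + cert["notBefore"])
    if now_seconds > not_after:
        problems.append("expired: ended " + cert["notAfter"])
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in dns_names):
        problems.append("hostname %s not covered by subjectAltName %s" % (hostname, dns_names))
    return problems


def strict_client_context() -> ssl.SSLContext:
    """What a client should actually use: the TLS library verifies the CA signature
    chain (which this script does not reimplement), the validity period and the
    hostname, and refuses the handshake if any of them fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for label, cert, host in [("valid", VALID_CERT, "www.example.com"),
                              ("expired", EXPIRED_CERT, "www.example.com"),
                              ("wrong host", VALID_CERT, "example.org")]:
        print(label, "->", check_certificate(cert, host, NOW) or "accepted")
```

The order of the checks does not matter to the outcome, but each one must be fatal on its own: a client that merely warns about an expired certificate, or that skips the hostname comparison when the chain validates, is exactly the client that accepts the attacker's own certificate in a man-in-the-middle position.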
Additionally, keeping an expired certificate operational encourages bad practice by users. Everyone in the organization is responsible for computer security, and the case is powerfully made when IT personnel lead by example.
There is currently a clear trend for organizations to adopt, and in some cases rely on, digital certificates. The number and diverse sources of such certificates are making their use increasingly complex. As a result, deploying a certificate life cycle management (CLM) solution is becoming a serious prerequisite. Our experts have written an article presenting the benefits of CLM and discussing related best practices. We encourage you to read it.