Page 32 - CITP Review
Passports
Stolen account credentials
Social Security numbers
Driver’s licenses
Loyalty accounts
Medical records
Types of attacks
The following are common types of cyberattacks used by cyber adversaries to disrupt the confidentiality,
integrity and availability of information possessed by organizations:
Classic buffer overflow. A buffer is a sequential section of memory dedicated for specific content, such as a single character or a string of characters or numbers. A buffer overflow occurs when a program tries to place more data in a buffer than that buffer can hold or when a program attempts to put data in a memory area past a buffer. Writing data past or outside the limits of a buffer can cause program crashes and data corruption and could even trigger malicious code. Attackers use buffer overflows to corrupt the execution stack of a web application by sending customized input to an application, causing that application to execute arbitrary code, thereby gaining control over the machine.[17]
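The following Python model is an added illustration of the mechanism described above; it is not part of the CITP Review text. Python's own containers are bounds-checked, so a bytearray stands in for a slice of process memory: a 16-byte input buffer followed directly by an 8-byte slot the program depends on (the saved return address, in the classic stack case). The buffer size, slot contents and input bytes are all constructed sample values.

```python
# Added example (not from the CITP Review text). A bytearray models a region of
# process memory: a 16-byte input buffer immediately followed by an 8-byte slot
# that the program relies on (a saved return address on the stack, classically).
BUFFER_SIZE = 16
SLOT_SIZE = 8
SAVED_SLOT = b"\x11\x22\x33\x44\x55\x66\x77\x88"   # constructed sample value


def fresh_memory() -> bytearray:
    """Zeroed buffer followed by the slot the program depends on."""
    mem = bytearray(BUFFER_SIZE + SLOT_SIZE)
    mem[BUFFER_SIZE:] = SAVED_SLOT
    return mem


def unchecked_copy(mem: bytearray, data: bytes) -> bytearray:
    """strcpy-style copy: writes as many bytes as it is handed, whatever the buffer size.
    (Inputs longer than the whole modelled region would grow the bytearray, which real
    memory does not do; the model is only meaningful up to BUFFER_SIZE + SLOT_SIZE.)"""
    mem[0:len(data)] = data    # no length check, so bytes 16.. spill into the slot
    return mem


def checked_copy(mem: bytearray, data: bytes) -> bytearray:
    """The fix: validate the input length against the buffer's declared size."""
    if len(data) > BUFFER_SIZE:
        raise ValueError(f"input of {len(data)} bytes does not fit a {BUFFER_SIZE}-byte buffer")
    mem[0:len(data)] = data
    return mem


def slot_value(mem: bytearray) -> bytes:
    """What the program would read back from the slot after the copy."""
    return bytes(mem[BUFFER_SIZE:BUFFER_SIZE + SLOT_SIZE])


def slot_intact(mem: bytearray) -> bool:
    """True if the copy left the program's saved data untouched."""
    return slot_value(mem) == SAVED_SLOT


if __name__ == "__main__":
    oversized = b"A" * BUFFER_SIZE + b"B" * SLOT_SIZE    # 24 bytes offered to a 16-byte buffer
    print("unchecked copy left slot intact:", slot_intact(unchecked_copy(fresh_memory(), oversized)))
    print("checked copy left slot intact:  ", slot_intact(checked_copy(fresh_memory(), b"hello")))
```

The point the model makes is that the overflow does not need to be large: the first byte past the buffer already lands in data the program trusts, which is why the text above lists data corruption, crashes and code execution as consequences of the same defect. The length check in checked_copy is the control auditors should expect to see (or its equivalent: bounded copy functions, memory-safe languages, compiler stack protection).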
SQL injection. In an SQL injection attack, an SQL query or command is inserted (“injected”) in an application through a client’s input data, generally to execute predefined SQL commands. SQL injections can allow access to or reading of sensitive data and data modification; they can also give unauthorized users administrative access to a system.[18]
Cross-Site Scripting (XSS). Cross-Site Scripting (XSS) attacks are another type of injection attack. With XSS, an attacker uses an application to send malicious code to another end user. An attacker can use XSS to send a malicious script to an unsuspecting user. Because the script appears to come from a trusted source, that user’s browser assumes the script can be trusted and will execute it. The malicious script can then access any information retained by the browser, such as cookies, and use it.[19] These scripts can even rewrite the content of the HTML page.
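An added example (not from the CITP Review text) of the server-side defect behind stored XSS and its fix: a comment rendered into a page with and without output encoding. The page template and function names are assumptions for the illustration; the escaping comes from Python's standard library.

```python
import html
from urllib.parse import quote

# Added example (not from the CITP Review text): rendering user-supplied text into HTML.


def render_comment_vulnerable(author: str, comment: str) -> str:
    """Reflects stored text straight into the HTML body: any markup the user
    supplied becomes part of the page and runs in every viewer's browser."""
    return f"<p><b>{author}</b>: {comment}</p>"


def render_comment_escaped(author: str, comment: str) -> str:
    """Output encoding for the HTML body: <, >, &, and quotes become entities,
    so the browser displays the text instead of interpreting it."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(comment)}</p>"


def render_profile_link(user_id: str) -> str:
    """Each output context needs its own encoder: a URL path segment gets URL
    encoding, the visible text between the tags gets HTML escaping."""
    return f'<a href="/users/{quote(user_id, safe="")}">{html.escape(user_id)}</a>'


def contains_active_content(markup: str) -> bool:
    """Crude check used below to make the difference visible: did a <script> tag survive?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"   # constructed test input
    print("vulnerable :", render_comment_vulnerable("mallory", payload))
    print("escaped    :", render_comment_escaped("mallory", payload))
    print("link       :", render_profile_link("x y"))
```

The escaped rendering turns the script into inert text, which is the "treat input as data, not code" principle again. A Content Security Policy and the HttpOnly cookie flag limit what a script can do if encoding is missed somewhere, but they complement output encoding rather than replace it.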
Cross-Site Request Forgery (CSRF). Cross-Site Request Forgery (CSRF) is an attack that tricks an end user into performing unwanted actions on a web application in which they're currently logged in. These attacks leverage social engineering, such as a forged link in an email or chat that purports to access a given site but actually accesses a different one. CSRF attacks are generally not for the purpose of obtaining data but aim to trick users into executing specified actions. For example, a CSRF attack could force a user to change a password or transfer funds. In some cases, CSRF attacks can actually compromise an entire web application.[20]
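An added example (not from the CITP Review text) of the standard CSRF control, an anti-forgery token tied to the user's session. The server key, session identifiers, form fields and the transfer handler are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Added example (not from the CITP Review text). The server holds one secret key and
# derives a per-session anti-forgery token from it. A forged cross-site request cannot
# carry the right token: the attacker's page never sees the victim's session id or the key.
SERVER_KEY = secrets.token_bytes(32)   # constructed here; in practice loaded from configuration


def issue_csrf_token(session_id: str) -> str:
    """Token placed in the form as a hidden field when the page is served."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_request(session_id: str, form_fields: dict) -> bool:
    """Recompute the expected token for this session and compare in constant time."""
    submitted = form_fields.get("csrf_token", "")
    if not submitted:
        return False
    return hmac.compare_digest(submitted, issue_csrf_token(session_id))


def handle_transfer(session_id: str, form_fields: dict) -> str:
    """State-changing handler: the session cookie alone must not be enough to proceed."""
    if not is_valid_request(session_id, form_fields):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form_fields['amount']} to {form_fields['to']}"


if __name__ == "__main__":
    session = "sess-1"   # constructed session id, normally read from the session cookie
    legitimate = {"to": "bob", "amount": "10", "csrf_token": issue_csrf_token(session)}
    forged = {"to": "mallory", "amount": "1000"}   # what a cross-site form post can supply
    print(handle_transfer(session, legitimate))
    print(handle_transfer(session, forged))
```

The browser attaches the session cookie to the forged request automatically, which is the whole problem; the token is something the browser will not attach on the attacker's behalf. Setting the session cookie with the SameSite attribute is a complementary browser-side control.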
Clickjacking. Clickjacking, also known as a UI redress attack, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. The attacker is effectively "hijacking" clicks meant for their page and sending them to another page.[21]
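Clickjacking works only if the target page can be loaded inside a frame on the attacker's page, so the control is a response header that tells the browser who may frame it. The following added example (not from the CITP Review text) evaluates those headers the way a review might: given a response's headers, would a browser let a given origin frame the page? The origins are constructed placeholders; the header semantics (X-Frame-Options, and the CSP frame-ancestors directive that takes precedence over it) are as browsers implement them, with host-source wildcards deliberately not modelled.

```python
# Added example (not from the CITP Review text): evaluate framing policy from response headers.


def framing_allowed(headers: dict, page_origin: str, embedding_origin: str) -> bool:
    """True if a browser honouring these headers would let a page at embedding_origin
    load this response inside a frame."""
    h = {k.lower(): v for k, v in headers.items()}
    # A frame-ancestors directive in Content-Security-Policy overrides X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            if "*" in sources:
                return True
            if "self" in sources and embedding_origin == page_origin:
                return True
            # Exact origin match only; scheme/host wildcards are not modelled here.
            return embedding_origin.lower() in sources
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedding_origin == page_origin
    return True   # neither header present: any site may frame the page


def clickjacking_defense_missing(headers: dict) -> bool:
    """Audit helper: flag a response that an unrelated third-party origin could frame.
    The two origins are constructed placeholders."""
    return framing_allowed(headers, "https://bank.example", "https://evil.example")


if __name__ == "__main__":
    samples = {   # constructed responses
        "no headers": {},
        "deny": {"X-Frame-Options": "DENY"},
        "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    }
    for name, hdrs in samples.items():
        print(f"{name:10s} defense missing: {clickjacking_defense_missing(hdrs)}")
```

A page with neither header is frameable by anyone, which is the finding to raise; SAMEORIGIN or frame-ancestors 'self' is the usual fix, with an explicit allow-list when a partner site legitimately embeds the page.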
Denial of service. A denial-of-service (DoS) attack occurs when legitimate users are unable to access
information systems, devices, or other network resources due to the actions of a malicious cyber
[17] See www.owasp.org/index.php/Buffer_Overflow, accessed June 20, 2019.
[18] See www.owasp.org/index.php/SQL_Injection, accessed June 20, 2019.
[19] See www.owasp.org/index.php/Cross-site_Scripting_(XSS), accessed June 20, 2019.
[20] See www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF), accessed June 20, 2019.
[21] See www.owasp.org/index.php/Clickjacking, accessed June 20, 2019.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-24