Good security is goal oriented. A good security architecture is tailored to your situation.
When defining a product or new (IT) service, one of the key activities is to define your specific security requirements. Defining requirements is known to be hard, time-consuming and complex, especially when you have an iterative development cycle and do not yet have a clearly defined view of the final product or service to be created.
Defining attack vectors within your security requirements documentation is proven to be helpful from the start. Attack vectors focus attention on the threats to be expected, so you can start developing the security measures that really matter in your situation from the start.
Attack vectors are routes or methods used to get into information systems. Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Many attack vectors take advantage of the human element in the system or one of the maintenance activities defined for the system, because that’s often the weakest link.
Within the IT cyber security world many terms and definitions are used. Judging whether an attack vector is relevant in a specific situation usually requires detailed knowledge. Common attack vectors are, for example:
- DoS Attacks
- Email propagation of malicious code
- Executable code attacks (against browsers)
- Exploiting Vulnerabilities
- GUI intrusion tools
- Industrial espionage
- Internet social engineering attacks
- Network sniffers
- Rogue Master Attack
Some attack vectors apply to critical infrastructure components, like NTP or DNS. One example is the rogue master attack. In a rogue master attack, an attacker causes other nodes in the network to believe it is a legitimate master. As opposed to the spoofing attack, in the rogue master attack the attacker does not fake its identity, but rather manipulates the master election process using malicious control packets.
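A defender's view of the rogue master attack described above, as an added example that is not part of the original article: because the attacker keeps its own identity, checking every election result against an allowlist of master-capable nodes can flag it. The message format, the node names, the lowest-priority-wins election rule and the allowlist are assumptions made for illustration and do not model any specific protocol.

```python
from dataclasses import dataclass

# Assumption: the nodes provisioned to act as master in this network.
AUTHORIZED_MASTERS = {"clock-a", "clock-b"}

@dataclass(frozen=True)
class Announce:
    t: int          # seconds since start of capture
    node_id: str    # sender's own identity (not faked in a rogue master attack)
    priority: int   # advertised election priority; lower value wins

def elect(candidates):
    """Simplified election: lowest priority wins, node_id breaks ties."""
    return min(candidates.items(), key=lambda kv: (kv[1], kv[0]))[0]

def detect_rogue_master(announces, authorized=AUTHORIZED_MASTERS):
    """Replay announces in time order; alert when a non-authorized node wins."""
    candidates = {}   # latest advertised priority per node
    current = None    # node currently elected as master
    alerts = []
    for msg in sorted(announces, key=lambda m: m.t):
        candidates[msg.node_id] = msg.priority
        winner = elect(candidates)
        if winner != current:
            if winner not in authorized:
                # (time, new master, master it displaced)
                alerts.append((msg.t, winner, current))
            current = winner
    return alerts

# Constructed sample capture, not real traffic.
SAMPLE = [
    Announce(0, "clock-b", 20),
    Announce(1, "clock-a", 10),
    Announce(2, "sensor-17", 128),  # ordinary node, loses the election
    Announce(30, "sensor-17", 1),   # same identity now advertises a winning priority
    Announce(31, "clock-a", 10),    # legitimate master can no longer win
]

if __name__ == "__main__":
    for t, winner, previous in detect_rogue_master(SAMPLE):
        print(f"t={t}s ALERT: {winner} won the master election, displacing {previous}")
```

The check relies on node identities being trustworthy, which matches the rogue master case; a spoofing attack, where the identity itself is faked, needs message authentication instead.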
The good news is: the number of possible attack vectors is limited. The bad news is: the ways an attack vector can be exploited are endless, unless decent security measures are taken to minimize attacks using that specific attack vector. So when designed well, security is not that complicated and complex after all.