Good security is goal oriented. Good security architecture is tailored to your situation. When defining a product or new (IT) service one of the key activities is to define your specific security requirements. Defining requirements is known to be hard, time consuming and complex. Especially when you have iterative development cycles and you do not have a clearly defined view of your final product or service that is to be created.
Defining attack vectors within your security requirements documentation is proven to be helpful from the start. Attack vectors give more focus on expected threats so you can start developing security measures that really matter in your situation from the start.
Attack vectors are routes or methods used to get into information systems. Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Many attack vectors take advantage of the human element in the system or one of the maintenance activities defined for the system, because that’s often defined as the weakest link.
Within the IT cyber security world many terms and definitions are used. Attack vectors usually require detailed knowledge to judge whether the vector is relevant in a specific situation.
Some attack vectors apply to critical infrastructure components, like NTP or DNS. E.g. in a rogue master attack, an attacker causes other nodes in the network to believe it is a legitimate master. Contrary to spoofing attacks in the Rogue Master attack the attacker does not fake its identity, but rather manipulates the master election process using malicious control packets.
The good news is: The number of possible attack vectors is limited. The bad news is: The ways an attack vector can be exploited is endless. Unless decent security measures are taken to minimise attacks using this specific attack vector. Good designed security solutions are not that complicated and complex after all.
Attack vectors and Weaknesses#
A good reference for attack vectors is to use the ATT&CK model. See the section on models for the reference and more info.
And check the subsections: