Most Common Digital Attacks
Background
Nazir, who works with Dundun Media house, has a basic idea about IT security, which he uses to protect himself online, but he's still amazed by the ingenuity and determination of cyber criminals to break into computer networks. He wants to know the common ways in which his system can be breached. It seems that there are more and more news reports every day about how hackers have broken into the networks or websites of a company or government department, and it happens everywhere around the world. How do attackers do it? They do it by following one or more of the following steps, and the ones they use depend on the nature of the attack.
Reconnaissance
The hacker tries to find out basic but important information about the system they are targeting. For instance, they need to know the operating system, whether there's a firewall, what connection ports are open, what content management system (CMS) is used, and the identity of the main users. A good hacker will know how to harvest this information from open sources such as social media networks and search engines.
Known Vulnerabilities
A number of online sources publish information about different systems' security weaknesses and, as a way of establishing bona fides, will also frequently publish the code that was used to attack the system. Hackers will use this information in planning and executing their attack.
These attacks normally work when there are security lapses like improper configurations of servers and applications, the lack of firewalls on a network, or missing security patches.
SQL Injection
This type of attack works by manipulating the database queries that the web application sends. An application can be vulnerable if it does not sanitize user input properly or uses untrusted parameter values in database queries without validation.
Some of the ways of protecting against SQL injection are:
- Using parameterized SQL
- Sanitizing/validating all untrusted parameters before using them in database operations
- Using tested and code reviewed libraries for database operations
- Using least privilege for database access (never let the application use an administrator user for database access)
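The protections listed above, shown side by side with the vulnerable pattern. This is an added example, not code from the original article; the table, the function names and the sample rows are constructed for illustration, and SQLite's `PRAGMA query_only` stands in for a least-privilege database account.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("nazir", "nazir@example.org"), ("ada", "ada@example.org")])
    db.commit()
    # Least privilege, SQLite flavour: this connection can no longer write.
    db.execute("PRAGMA query_only = ON")
    return db

def find_user_unsafe(db, name):
    # Vulnerable: untrusted input is pasted into the SQL text, so a quote
    # character in `name` changes the structure of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_safe(db, name):
    # Parameterized: the driver passes `name` as data, never as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

ALLOWED_SORT = {"name", "email"}

def list_users_sorted(db, sort_by):
    # Column names cannot be bound as parameters, so validate the untrusted
    # value against an allow-list before it reaches the query text.
    if sort_by not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return db.execute(f"SELECT name FROM users ORDER BY {sort_by}").fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing a quote
    print("unsafe:", find_user_unsafe(db, crafted))  # matches every row
    print("safe:  ", find_user_safe(db, crafted))    # matches nothing
    print("sorted:", list_users_sorted(db, "name"))
    try:
        db.execute("DELETE FROM users")
    except sqlite3.OperationalError as exc:
        print("write blocked:", exc)
```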
Phishing
This type of attack is very old and still effective. The attacker normally sends out a lot of spam email to many people, and the messages contain links to fraudulent websites that have been made to look like a bank's website, for example. The message will ask the reader to enter some type of sensitive credential, which the fake website will capture, enabling the attacker to impersonate the recipient or steal other valuable information – or in the case of payment card details, money.
To best protect yourself, don’t ever click on a link in an email message from an unknown person, or in a suspicious-looking message. If you want to verify any requests for credentials such as your password, always type in the link directly into your browser and verify the information on the website that loads.
Spear Phishing
This is a type of phishing attack, but directed at a particular person or organisation. The email message will contain information that will convince the recipient that they know the person in question, as a way of trying to establish trust.
Malware Attacks
Malware is malicious software installed on your computer, mostly without your knowledge. This happens when an attacker sends out phishing emails with attachments containing the malicious code, or if you click on a file containing malware from a website.
Note: Avoid clicking on illegitimate links that offer to let you win stuff, download free antivirus, enter an instant prize draw, etc.
Malware can control the user's computer, capture keystrokes, or look for documents on the computer.
Weak Authentication
This covers poor security such as weak passwords, insecure password reset methods, or allowing an indefinite number of invalid login attempts. A strong password is one that is difficult to guess or figure out.
Conclusion
The above-mentioned methods are just a few common ways in which hackers can break into websites or computers. Everyone must bear responsibility for their own and their organisation's security, and know the latest methods of attack.
Continue the conversation.
Visit forum.safeonline.ng to post comments and get advice from a community of security experts