Over the past few months, we have explored cyber attack vectors through the ages, looking back at the earliest cyber crimes and touching on cybersecurity threats of the 60s, 70s, 80s, and 90s. At the beginning of the 21st Century, things started to really take off in the cyber attack world. As the Internet grew in popularity, so did cyber crime aimed at making money. Adware and spyware became real threats, and aggressively self-propagating malware became the fear of cybersecurity professionals across the globe. One threat that was particularly unnerving were shatter attacks.
In 2002, a security researcher named Chris Paget wrote a paper detailing what he called a shatter attack. In the paper, he demonstrates how an attacker could run a particular version of Network Associates’ VirusScan on Windows 2000 Professional systems to gain high access privileges. Logged in as a guest, the attacker could get the application to run a bit of code that takes advantage of the elevated privileges needed by the application to then give the attacker systemwide high access permissions. His theory was that any application that requires elevated privileges and involves direct user interaction was a potential attack vector.
What was so unsettling about this vulnerability was that it meant the Windows operating system might not by completely secure. Looking back, it’s easy to say that, of course, Windows isn’t completely secure, but it was a perspective-altering vulnerability for many organizations.
The fact that your corporate OS and all those protective apps could be violated added to the sense that cyber crime was increasing—a feeling that has continued to today’s cyber landscape. What has changed is the ability for organizations to better protect their data and systems through cybersecurity training for all employees, network security monitoring, a clear and well-developed incident response plan, and proactive maneuvers like penetration testing. As threats and attacks have become ever more complex, organizations have had to respond by ratcheting up their cybersecurity posture.