Threats and Attack
Cybersecurity: practice of protecting an organization's IT infrastructure and critical data from bad actors by deploying a variety of technologies, internal control proces and best practices to mitigate the business impact of attack.
The goal is to manage the cybersecurity risk by securing and enhancing confidentiality, data integrity, and Availability.
Impact of cybersecurity attack: monetary and non-monetary losses to restore its ability to work with customers, vendors, and partner organizations. These attacks are threat to both individuals and organizations.
Highest security concerns:
•Breach of data: like attacks from ransomware, phishing, malware, and compromised passwords.
•theft
•service interruptions: an unplanned event that causes the general system or major applications to be in-operated for an unacceptable length of time. like attacks from malware, distributed denial-of-service (DDoS) attacks, password attacks
•noncompliance: Like from HIPPA, GDPR, PCI-DSS and ISO/IEC 27001.
Ways to combat these security concern:
•discuss various program to mitigate cybersecurity risks and constantly update security measures that keep up with the ever changing technology landscape.
Cybersecurity Risk Management: information is compromised and utilized without permission.
Cyberattacks: any kind of malicious activities that targets computer information systems, infrastructure, computer network, or personal computer devices and attempt to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
Methods of of Cyberattacks:
•Network-based attacks: to gain unauthorized access or disrupt operations for users, infrastructure of a network is targeted including switches, routers, servers, and cabling.
Backdoor and trapdoors: methods to bypass security access produces by creating an entity and exit point to a network that is undocumented. Facilitate entry into the network that can be used to execute attacks.
Trapdoors are often installed by system owners so they can bypass security measures to gain quick access.
Backdoors: may be intentionally installed or unintentionally left available due to product defects.
Covert Channels: Mechanisms used to transmit data using methods not originally intended for data transmission by the system designers. Violate the entity's security policy but do not exceed the entity's access authorization so they can communication data in small parts.
storage channels: data is transmitted by modifying a storage location, allowing another party with lower security permission to access the data.
Timing channel: use the delay (or gaps) in transmitting data packets to hide the transmission.
Buffer overflows: attackers overload a programs buffer, the temp storage, with more input then it is designed to holder. Can cause overwrite it the memory of an application to crash. Then the attacker can inject malicious code or take control of a system.
Denial of Service: an attacker floods a system network by contesting it with large volume of traffic that are greater than the bandwidth it was designed to handle. Excess volume consumes the networks resources so that it cannot respond to service requests, leaving it vulnerable.
Distributed Denial of service: multiple attackers or compromised devices are working in unison to flood an organization network with traffic. Manipulat the operation of network equipment and services in such a way that may be more powerful than a traditional DOS attacks.
Man in the middle: eavesdropping
Port Scanning attacks: scanning networks for open ports is frequently done by attackers to find vulnerabilities that can be exploited so that they can gain unauthorized access to a company's network. Can be physical, attack focuses on logical ports that are used for protocol such as Transmission Control Potocol. Common vulnerabilities include unsecured protocols, unpatched protocols, poor login credentials, and poorly configured firewalls.
Ransomware attacks: typically come in the form of malware that lock a user or a company's operating system, applications, and the ability to access data unless a ransom is paid.
Reverse shell attacks/connect back shells: a victim initiates communication with an attacker from behind a company's firewall so that the attacker can bypass the. firewall and any other network safeguards and remotely control the victim machine.
Replay attacks: eavesdropping, a type of MITM attack in which a cybercriminal eavesdrops on a secure network communication , intercepts it, and then replays the message at a later time to the intended end target to gain access to the network and the data that is behind the firewall.
Return Oriented Attacks/return oriented programming attacks: these use a sophisticated technique that utilizes pieces of legitimate original system code (each a gadget ) in a sequence to perform operations useful to the atttacker. Each gadget ends with a "return" instruction causing a series of code to execute and carry out complex operations. Ex. Shredded paper and putting it back together
Spoofing: the act of impersonating someone to obtain unauthorized system access by using falsified credential or imitating a legitamate person or entity by using fake IP addresses, domains, or email addresses.
Domain name server: spoofing domain names
Hyperlink spoofing
•Host-based attacks
•Social engineering attacks: involves the use of psychological manipulation or deception to get employees to divulge sensitive information, provide unauthorized access, or assist an attacker in committing fraud through human interaction where the perpetrators gain confidence and trust.
Phishing: emails requesting info or direct them to a fake website that requests information
spear Phishing: targets specific people.
Business Engineering Attacks/whaling: form of phishing that targets executives and other high ranking executives.
Pretexting: involves creating a fake identity or scenario so that an employee has a sense of urgency to act
Catfishing: creating a fake online persona that is used to lure a victim into a personal relationship with a fraudster to send fraud some money etc.
Pharming: combo of phishing as it involves a victim entering persona; information into a website or portal that imitates a legit website
Vishing: fraudulent schemes using a telephone system voice over internet protocol involves a spoofed or fraudulent caller ID that is tied to the victim.
•Application based attacks:
Sructured Query Language injections: attacker injects malicious SQL code into existing SQL code on a company's website to gain unauthorized access to. a company's data- from web server to injection of web server to hitting database server.
Cross site scripting XXS: attacks inject code to a company's website that attacks users visiting the company website. Compromises information from there.
Race conditions: forcing the application to perform operations out of order.
Mobile Code/virus
overwrite virus: deletes or overwrite information in the file infected. Have
to be removed
multipartite visus: uses a mixture of infection methods to infect files, trying different ways if one way fails
Parasitic virus: parasite to user and spreads.
Polymophic: mutates and changes structure to avoid detection
resdent virus: installed and then takes information that was put in when it was there
Host Based attacks: target a single host to disrupt functionality
obtain unauthorize access or brute force attacks where they just try different combo to get in
keystroke logging: records keystrokes delivered via Trojan horses
malware: gen any type of not nice software
Rouge mobile app: fraudulant part takes all your information after you download the app
•Physical attacks: security breach carried out on a organizations premises or performed in some way that physically involves a bad actor gaining control of sensitive data, hardware, and/or software.
intercepting discarded equipment
piggybacking: getting into the door by going behind an authorized person "hold the door!"
targeted by attackers: we are less likely to spot attackers hysically since many organizations lack sophisticated cybersecurity defenses.
Tampering: modifying the way IT infrastructure modify the network it collects, stores, processes, or transmits data through physical access
Theift
•Supply Chain attacks: target is the production and distribution of goods to disrupt normal operation
embedded software code: inserting code into prepackaged software or firmware being sold to a company that later installs the software after purchase
foreign sourced attack: government have deep and widespread control of companies in the private sector, so governments may use products sold by other countries that have been tampered with
pre-installed malware on hardware: involves installing maleware on devices that will be companies in a supply chain such as USB drives, cameras or phones and will execute when connected to the company network
Vendor attack:
Watering hold attack: fraud identify websites of suppliers, customers, or regulatory entities that are known to be used by several companies or even the entire industries so they look for weakness then deliver malware to steal data etc.
Note: attacks impact customers, vendors, and the partner organization.
Type of Threat agents: a threat agent is an internal or external attacker that could negatively impact data security through: Theft, manipulation, or control of sensitive information or system
•Attacks, threat actor, or hackers
•Adversary: actors with interest in conflict with the org. Incentivized to perform malicious actions against org.
•Government-sponsored/ state-sponsored actors
•Hacktivists
•Insiders: employees that either organically developed into a person with malicious intentions or intentionally infiltrated an organization to achieve nefarious objectives.
•External threats: threats from the outside org, entity, and individual
States in a cyber attack:
1Reconnaissance: attackers discover and collect as much information about the target IT system as possible. Examples are locations of facilities, type of network and infrastructure deployed, security measures in place, and the name of employees as well as the management hierarchy. Looking for vulnerabilities.
2Gaining access: information collected is used to gain access to the target of an attacker using a variety of techniques.
1hackers attempt to escalation of privileges
3Maintaining access without being detected.
4How can they exploit and exfiltrate the network and our data?
5Cover tracks
1disable audit functionality
2clear or modify logs
3remove files
Risks related to cloud computing:
•additional industry exposure: by operatin gin a shared cloud computing environment then they might be exposed to other subscribing organizations and their unique industry risk
•Cloud Malware injection attacks: specific to cloud computing based system in which an attacker gains access to the cloud environment and then injects malware so that data can be stolen, services disrupted, or further access grained.
•Compliance violation: third parties bares risk they aren't in complience
•Loss of Data: third party cloud computing service is susceptible to data breaches, losing data, or eposed data
•Loss of Control: not having access to the physical or logical means we have to careful that changes or upgrades are made in a timely matter and in compleince, so you have to make sure they are reputable
•loss of visibility: can't see what is happening, couples with loss of controll
•Multi cloud and hybrid management issues: subscribes to various cloud based solutions and or maintains some on premises IT infrastructure but integrating and monitoring can make detecting difficult
•Theft or loss of intellectual property: stores many different types of data into the cloud but lack of controls can cause thrift of intellectual property
cloud computing: store, use, process, and share data, software, and applications without owning or managing the resources on the premises. Needs the computing power of the internet. The data and software applications used in a cloud computing environment are often stored and managed by a third party provider, which causes a significant amount of sensitive info to be at risk but is seen as more secure then on premises.
•high level of security and advising by regulations like GDPR and HIPAA is required
SOC 2 engagements: independent audits of management attestation regarding the cloud services providers controls and other claims made by management regarding security over their customers data, privacy and confidentiality.
Has Cloud Security Alliances Cloud Control Matrix which provides security principle guidance to cloud vendors, assists in prospective cloud customers in assessing the overall security risk of a cloud provider and utilizes industry acecepted security standards, regulations, and controls frameworks such as COBIT, NIST, etc.
Risks related to Mobile Technologies: for users and employers
•Application malware
•Lack of updates
•Lack of encryption: and then they can then reset passwords on other accounts
•Physical threats: steal
•Unsecured WiFi networks: means anyone on that network can access, steal, or inflect the device with malware
•Location tracking
Watch out for easedropping, mobile storage devices like USB to infect other devices etc.
Mobile devices have a lack of oversight. It is similar to a computer in terms of functionality and type of info they access but are different from how mobile devices operating system is different and mobile devices are constantly exposed to public networks.
Risks related to the internet of things:
•device mismanagement: insufficent/same passwords and controls
•device spoofing: attacker creates an illegitimate or phony device and introcuces it to a company network, posing as an actual device, to gain information or access to that network
•escalated cyber attacks: LoT devices can be used as an attack base to infect more machines
•Expanded footprint: similar to to cyber attack, starting to take over
•Information theft
•Outdated firmware: came installed
•Malware: will be introduced which could be a gateway to other devices
•Network attacks
Threat modeling and overal threat landscape:
Threat modeling: an organization's process of identifying, analyzing, and mitigating threats to a network, system, or application with the goal to understand all risks a system could face and develop controls and countermeasures to minimize the impact of a risk or to try and prevent it from happening.
Phases:
1Identify assets
2identify threats
3perform reduction analysis: involves decomposing the assets being protected from the threat to gain a greater understanding of how the asset interacts with potential threats whether its system, applications, or network. Flow of data, input, security clearances.
4analyze impact of the attack: quantifying the impact and qualitative effect
5develop counter measures and controls: response plan prioritized with implementing security controls like intrusion detection system, contingency plans and security protocols
6review and evaluate
Three common methodologies for threat models:
•Process for attack simulation and threat analysis: helps priotize the value of the assets being protected
1. Definition of the objectives for the analysis of risk
definition of the technical scope
application decomposition and analysis
threat analysis
weakness and vulnerabilites
attack modeling and simulations
risk analysis and management
•Visual agile and simple threat model: integrate the threat management into programming environment on a scalable basis
•Spoofing, tampering, repudiation, information disclosure, denial of service attacks, and elevation of privilege threat model: developed by Microsoft that is used by assessing threats to application and operating system. Applied to network threats and social engineering threats.
Threat landscape: Total range of potential threats that. An organization and its IT infrastructure may face. Should be regularly assessed because threats are continuously evolving. Can be by using threat intelligence platforms which help organizations get information on the latest threats and vulnerabilities so companies can prioritize their cybersecurity effects.
Considers: the different attack vendors or methods, magnitudes of threats, existing vulnerabilities, and types of threats.