Module 02 (Cyber)


MODULE:02

Threat: a potential cause of an incident that may result in harm to a system or organization

Types of damage:

Interruption---destroyed/unavailable services/resources

Interception---unauthorized party snooping or getting access to a resource

Modification--- unauthorized party modifying a resource

Fabrication---unauthorized party inserts a fake asset/resource

Components of threat:

– Threat agents---criminals, terrorists, subversive or secret groups, state sponsored, disgruntled employees, hackers, pressure groups, commercial groups

– Capability---software, technology, facilities, education and training, methods, books and manuals

– Threat inhibitors---fear of capture, fear of failure, level of technical difficulty, cost of participation,
sensitivity to public perception, law enforcement activity, target vulnerability, target profile, public
perception, peer perception

– Threat amplifiers---peer pressure, fame, access to information, changing high technology, deskilling through scripting, skills and education levels, law enforcement activity, target vulnerability, target profile, public perception, peer perception

– Threat catalysts---events, technology changes, personal circumstances

– Threat agent motivators---political, secular, personal gain, religion, power, terrorism, curiosity

Top ten Database Security Threats:

1. Excessive Privilege Abuse---users are granted database access privileges that exceed the
requirements of their job function, e.g., a university administrator whose job requires only the ability
to change student contact information may take advantage of excessive database update privileges
to change grades

2. Legitimate Privilege Abuse ---- Users may abuse legitimate database privileges for unauthorized
purposes, e.g., a rogue health worker who is willing to trade patient records for money

3. Privilege Elevation---Attackers may take advantage of database platform software vulnerabilities to convert access privileges from those of an ordinary user to those of an administrator. Vulnerabilities may be found in stored procedures, built-in functions, protocol implementations, and even SQL statements

4. Database Platform Vulnerabilities--- Vulnerabilities in underlying operating systems (Windows 2000, UNIX, etc.) and additional services installed on a database server may lead to unauthorized access, data corruption, or denial of service.

5. SQL Injection--- a perpetrator typically inserts (or “injects”) unauthorized database statements into a vulnerable SQL data channel. Using SQL injection, attackers may gain unrestricted access to an entire database

6. Weak Audit Trail--- A weak database audit policy is a serious organizational risk on several levels: regulatory risk (many regulations require a record of who accessed which data), loss of deterrence (users who know they are not logged are more willing to abuse privileges), and weakened detection and recovery (without a reliable log a breach cannot be reconstructed or its scope determined)

7. Denial of Service (DoS)--- access to network applications or data is denied to intended users

8. Database Communication Protocol Vulnerabilities--- flaws in the wire protocols the database speaks; e.g., at the time this list was compiled, four out of seven security fixes in the two most recent IBM DB2 Fix Packs addressed protocol vulnerabilities, and 11 out of 23 database vulnerabilities fixed in the most recent Oracle quarterly patch related to protocols

9. Weak Authentication--- allowing attackers to assume the identity of legitimate database users by
stealing or otherwise obtaining login credentials

10. Backup Data Exposure--- Backup database storage media is often completely unprotected from
attack. As a result, several high-profile security breaches have involved theft of database backup
tapes and hard disks
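Items 3 and 5 above, and the "Failing to Clean Up Bad Input" item in the web threats list that follows, come down to one mechanism: user input being parsed as SQL. The Python example below is added here and is not part of the module notes. It builds an in-memory SQLite database from constructed rows (a students table reusing the grade-change scenario of item 1), runs a lookup that splices user input into the statement, and runs the same lookup with a bound parameter. The table, rows and payload strings are all constructed for the example.

```python
import sqlite3

# Constructed sample data for this example: a students table whose contact
# column an administrator may edit, and a grade column the contact-lookup
# feature was never meant to expose.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.edu", "A"),
    (2, "bob", "bob@example.edu", "C"),
    (3, "carol", "carol@example.edu", "B"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT, grade TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the caller's input is spliced into the SQL text,
    so the database parses whatever the user typed as part of the statement."""
    sql = f"SELECT name, email FROM students WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the statement is a fixed string and the value is bound
    separately, so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT name, email FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two classic payloads. TAUTOLOGY closes the string literal and appends a
# condition that is always true, so every row matches. UNION_GRADES uses
# UNION to pull the grade column through a query that only asked for email;
# the trailing "--" comments out the quote the template appends.
TAUTOLOGY = "x' OR '1'='1"
UNION_GRADES = "x' UNION SELECT name, grade FROM students --"


def demo() -> dict:
    """Run both lookups against an honest name and against each payload."""
    conn = build_db()
    return {
        "vuln_honest": lookup_vulnerable(conn, "alice"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vuln_union": lookup_vulnerable(conn, UNION_GRADES),
        "param_honest": lookup_parameterized(conn, "alice"),
        "param_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "param_union": lookup_parameterized(conn, UNION_GRADES),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16s} -> {rows}")
```

Run it directly to see the rows each call returns. The tautology payload makes the vulnerable lookup return every student; the UNION payload makes it return the grade column the feature never exposed, which is the privilege-elevation-through-SQL case of item 3. Both payloads are harmless against the parameterized version because SQLite compares the bound string as a literal value. Parameter binding is the fix; escaping or blocklisting characters is not equivalent.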

Ten web threats:

1. Bigger, Subtler DDoS Attacks---Distributed Denial of Service Attacks

2. Old Browsers, Vulnerable Plug-Ins---e.g., browser vulnerabilities and, more frequently, the
browser plug-ins that handle Oracle's Java and Adobe's Flash and Reader.

3. Good Sites Hosting Bad Content---in VOHO watering hole attack, attackers infected legitimate
financial and tech industry websites in Massachusetts and Washington, D.C., commonly accessed by
their intended victims

4. Mobile Apps and The Unsecured Web--- the bring-your-own-device movement has led to a surge in
consumer-owned devices inside corporate firewalls

5. Failing to Clean Up Bad Input---e.g., Since 2010, SQL injection has held the top spot on the Open
Web Application Security Project's list of top 10 security vulnerabilities

6. The Hazards of Digital Certificates--- a series of hacks against certificate authorities gave attackers
the tools they needed to issue fraudulent SSL certificates that could disguise a malicious website as a
legitimate one

7. The Cross-Site Scripting Problem--- An attacker who finds a cross-site scripting vulnerability in a
banking site could inject a script that draws a fake login box on the bank's own page and steals the
credentials users type into it.

8. The Insecure 'Internet of Things'--- Routers and printers, videoconferencing systems, door locks
and other devices are now networked via Internet protocols and even have embedded Web servers.
In many cases, the software on these devices is an older, unpatched version.

9. Getting in the Front Door--- Automated Web bots scrape from Web pages information that can
give a competitor better intelligence on your business.

10. New Technology, Same Problems--- People click links all day long; they are trained to
think that clicking a link on the Web is safe.

Major Security Threats on Information Systems

1. Intrusion or Hacking---gaining access to a computer system without the knowledge of its owner---
common entry points: poorly implemented shopping carts, hidden fields in HTML forms, client-side-only
validation scripts, direct SQL attacks, session hijacking, buffer overflows in form-handling code, port scans

2. Viruses and Worms--- self-replicating programs that disrupt the normal operation of computer systems---
polymorphic virus, stealth virus, tunnelling virus, virus droppers, cavity virus

3. Trojan Horse--- these programs typically have two components: one runs as a server on the victim's
machine and the other as a client controlled by the attacker. They are used for data integrity attacks,
stealing private information from the target system, logging keystrokes and making them viewable to the
attacker, and sending private local files out as email attachments.

4. Spoofing---fooling other computer users to think that the source of their information is coming
from a legitimate user---IP Spoofing, DNS Spoofing, ARP Spoofing

5. Sniffing---used by attackers to capture login IDs and passwords as they cross the wire. tcpdump and
snoop are well-known examples of sniffing tools.

6. Denial of Service---The aim of this attack is to bring down the targeted network so that it can no
longer serve legitimate users. A DoS attack does not require expertise: against an under-provisioned
target, a flood of traffic generated with a simple ping command can be enough.

The Impact of Threats:

No matter how much preparation goes into preventing and acting upon existing threats, it is likely
that some kind of damage will still be caused.

We judge the impact level of the damage caused by these threats by the value of the loss caused.
However, the loss isn’t always financial. Losses may be operational, financial, reputation or
intellectual property loss.

The Types of Impact of Threats:

Operational Loss

• Operational losses refer to damage to the operating capability of an organization; this includes
loss of manufacturing output, service availability and service data.

For example, a business whose operations rely on IT systems can be prevented from performing any
work due to cybersecurity threats. Even on the manufacturing line, the machinery that builds the
products will receive its instructions from computers that could be taken offline due to some threat.

• Businesses that provide services and data rather than manufactured goods are even more easily
affected.

• An online store could be taken down by a denial-of-service attack that will prevent the business
from taking and processing sales.

• It’s clear that, due to how reliant all businesses now are on IT systems, cybersecurity threats can
massively hinder the operation of the business.

Financial Loss

• Financial losses refer to damages to the wealth of an organization, this includes organizational
losses, compensation and legal fees.

• By financial loss, we mean actual increased costs, or reduced income, caused by the threat. This
could be replacing damaged equipment from sabotage or the loss of sales due to your website being
down from a malicious hack.

• Compensation and legal fees come as a result of suffering a threat, as a business may be culpable,
and so might need to both compensate customers that are affected by the threat and pay data
protection fines placed on the business by the ICO due to the improper security of the data. There
may also be legal fees to defend oneself in court, should there be a case for legal culpability.

• After being hacked in 2016, Tesco Bank paid £2.5m in compensation to affected customers and in
2018 was fined £16.4m by the Financial Conduct Authority (FCA), the UK banking regulator.

Reputation Loss

• Reputation losses refer to the loss of trust and lowered opinion of people to a business as a result
of them being affected by a threat.

• This can stem from unreliable service, or from the loss of employee or customer information.

• The lack of service is due to customers no longer wanting to do business with an organization due
to concerns over whether the service will be available.

• If you subscribed to a website and their services regularly went down due to cybersecurity threats,
this would naturally lead to questions about continuing to use it.

• Similarly, if a business has been hacked and had personal data stolen of employees or customers,
you may not want them to be storing your data in future, as you would be concerned of them failing
to protect that data again, which could impact on you.

• You, therefore, may not provide them with data they require and may instead take your business
elsewhere.

Intellectual Property Loss

• Intellectual property losses refer to when product designs or trade secrets are stolen, thus
adversely affecting the organization.

• This may be performed by a competitor organization as corporate espionage, or by an individual who
wishes to blackmail the organization or release the material.

• The theft of product designs, for example, could be used by a competitor to release a rival product.
Stolen trade secrets will have almost the same effect, such as a competitor stealing the formula for a
product so they can then produce it themselves.

• This loss can have huge on-going effects on the business, leading to additional financial losses and a
loss in reputation.

Risk and Risk management:

Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and
thereby cause harm to the organization

• Risk management--- “Process of identifying, controlling and minimizing or eliminating security risks
that may affect information systems, for an acceptable cost.” --- assessment of risk and the
implementation of procedures and practices designed to control the level of risk

• Risk assessment--- “assessment of threats to, impact on and vulnerabilities of information and
information processing facilities and the likelihood of their occurrence.” ---identification of the risk,
analysis of the risk in terms of performance, cost, and other quality factors; risk prioritization in
terms of exposure and leverage.

– Risk assessment

• Risk identification---decision driver analysis, assumption analysis, decomposition

• Risk analysis---cost models, network analysis, decision analysis, quality factor analysis

• Risk prioritization---risk leverage, component risk reduction

– Risk control

• Risk management planning---risk avoidance, transfer, reduction, element planning, plan integration

• Risk resolution---Simulations, benchmarks, analysis, staffing

• Risk monitoring---Top 10 tracking, risk assessment, corrective action

Risk management is therefore the process of assessing risk, taking steps to reduce it to an acceptable
level, and maintaining that level of risk.
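The risk assessment tree above names exposure and leverage as the prioritization criteria but does not give the formulas. The Python example below is added here and is not from the module notes; it assumes Boehm's definitions, risk exposure RE = P(UO) * L(UO) and risk reduction leverage RRL = (RE_before - RE_after) / cost of the mitigation, and uses three risks taken from the database threats listed earlier with constructed probabilities, losses and mitigation costs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk item with the two inputs to risk exposure (Boehm's definition, assumed)."""
    name: str
    probability: float  # P(UO): probability of the unsatisfactory outcome, 0..1
    loss: float         # L(UO): loss to the organization if it occurs


@dataclass(frozen=True)
class Mitigation:
    """A candidate control for a risk and its effect on the two inputs."""
    risk: str
    cost: float
    probability_after: float
    loss_after: float


def risk_exposure(probability: float, loss: float) -> float:
    """RE = P(UO) * L(UO)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return probability * loss


def risk_reduction_leverage(risk: Risk, mitigation: Mitigation) -> float:
    """RRL = (RE_before - RE_after) / cost: exposure removed per unit spent."""
    if mitigation.cost <= 0:
        raise ValueError("mitigation cost must be positive")
    before = risk_exposure(risk.probability, risk.loss)
    after = risk_exposure(mitigation.probability_after, mitigation.loss_after)
    return (before - after) / mitigation.cost


def prioritize(risks: list, mitigations: list) -> list:
    """Return (risk, exposure, leverage) triples, highest leverage first."""
    by_name = {m.risk: m for m in mitigations}
    rows = []
    for r in risks:
        m = by_name[r.name]
        rows.append((r, risk_exposure(r.probability, r.loss), risk_reduction_leverage(r, m)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed figures (money units are arbitrary). The risk items reuse three
# of the database threats listed earlier in the module.
SAMPLE_RISKS = [
    Risk("SQL injection in customer portal", 0.40, 500_000),
    Risk("Unencrypted backup tapes", 0.10, 1_000_000),
    Risk("Excessive DB privileges", 0.30, 200_000),
]
SAMPLE_MITIGATIONS = [
    Mitigation("SQL injection in customer portal", cost=20_000, probability_after=0.05, loss_after=500_000),
    Mitigation("Unencrypted backup tapes", cost=15_000, probability_after=0.10, loss_after=50_000),
    Mitigation("Excessive DB privileges", cost=5_000, probability_after=0.05, loss_after=200_000),
]


if __name__ == "__main__":
    for risk, exposure, leverage in prioritize(SAMPLE_RISKS, SAMPLE_MITIGATIONS):
        print(f"{risk.name:34s} RE={exposure:>10,.0f}  RRL={leverage:5.2f}")
```

The point the numbers make: ranked by exposure alone, the SQL injection risk comes first, but ranked by leverage the cheap fix for excessive database privileges removes the most exposure per unit spent, so it goes to the top of the "Top 10" list that risk monitoring tracks.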

• Five principles:

– I. Assess risk and determine needs

• Recognize the importance of protecting information resource assets

• Develop risk assessment procedures that link IA to business needs

• Hold programs and managers accountable

• Manage risk on a continuing basis

– II. Establish a central management focus

• Designate a central group for key activities

• Give the group independent access to senior executives

• Designate dedicated funding and staff

• Periodically, enhance staff technical skills

– III. Implement appropriate policies and related controls

• Link policies to business risks


• Differentiate policies and guidelines

• Support policies via the central IA group

– IV. Promote awareness

• Educate users and others on risks and related policies

• Use attention-getting and user-friendly techniques

– V. Monitor and evaluate policy and control effectiveness

• Monitor factors that affect risk and indicate IA effectiveness

• Use results to direct future efforts and hold managers accountable

• Be on the lookout for new monitoring tools and techniques

VULNERABILITY

• Vulnerability is a weakness in the security system.

• Weaknesses can appear in any element of a computer: in the hardware, the operating system, and
the application software. The vulnerabilities we might find can be classified by the asset they apply
to: hardware, software, and data.

• These three assets and the connections among them are all potential security weak points.

Types of vulnerability:

HARDWARE VULNERABILITY

• Hardware is more visible than software, largely because it is composed of physical objects.

• It is rather simple to attack by adding devices, changing them, removing them, intercepting the
traffic to them, or flooding them with traffic until they can no longer function.

• There are other ways that computer hardware can be attacked physically: computers have been
drenched with water, burned, frozen, gassed, and electrocuted with power surges.
SOFTWARE VULNERABILITIES

• Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or
misplaced accidentally. Whether intentional or not, these attacks exploit the software’s
vulnerabilities.

• Sometimes, the attacks are obvious, as when the software no longer runs. More subtle are attacks
in which the software has been altered but seems to run normally.

DATA VULNERABILITY

• A data attack is a more widespread and serious problem than either a hardware or software attack.

• Data items have greater public value than hardware and software because more people know how
to use or interpret data.

Examples of Information Security Vulnerabilities:

Information security vulnerabilities are weaknesses that expose an organization to risk.

• Through employees---Social interaction, Customer interaction, Discussing work in public
locations, Taking data out of the office (paper, mobile phones, laptops), Emailing documents
and data, Mailing and faxing documents, Installing unauthorized software and apps,
Removing or disabling security tools, Letting unauthorized persons into the office
(tailgating), Opening spam emails, Connecting personal devices to company networks,
Writing down passwords and sensitive data, Losing security devices such as ID cards, Lack of
information security awareness, Data-entry (keying) errors
• Through former employees---Former employees working for competitors, Former
employees retaining company data, Former employees discussing company matters
• Through technology---Social networking, File sharing, Rapid technological changes, Legacy
systems, Storing data on mobile devices such as mobile phones, Internet browsers
• Through hardware---Susceptibility to dust, heat and humidity, Hardware design flaws, Out
of date hardware, Misconfiguration of hardware
• Through software---Insufficient testing, Lack of audit trail, Software bugs and design faults,
Unchecked user input, Software that fails to consider human factors, Software complexity
(bloatware), Software as a service (relinquishing control of data), Software vendors that go
out of business or change ownership
• Through Network---Unprotected network communications, Open physical connections, IPs
and ports, Insecure network architecture, Unused user ids, Excessive privileges,
Unnecessary jobs and scripts executing , Wifi networks
• Through IT Management---Insufficient IT capacity , Missed security patches, Insufficient
incident and problem management, Configuration errors and missed security notices ,
System operation errors, Lack of regular audits, Improper waste disposal, Insufficient
change management, Business process flaws, Inadequate business rules, Inadequate
business controls, Processes that fail to consider human factors, Overconfidence in security
audits, Lack of risk analysis, Rapid business change, Inadequate continuity planning Lax
recruiting processes
• Partners and suppliers---Disruption of telecom services, Disruption of utility services such as
electric, gas, water, Hardware failure, Software failure, Lost mail and courier packages,
Supply disruptions, Sharing confidential data with partners and suppliers

ADVANCED PERSISTENT THREAT:

An advanced persistent threat (APT) is a covert cyber-attack on a computer network where the
attacker gains and maintains unauthorized access to the targeted network and remains undetected
for a significant period. During the time between infection and remediation the hacker will often
monitor, intercept, and relay information and sensitive data. The intention of an APT is to exfiltrate
or steal data rather than cause a network outage, denial of service or infect systems with malware.

APTs often use social engineering tactics or exploit software vulnerabilities in organizations with high
value information.

Because of the level of effort needed to carry out such an attack, APTs are usually leveled at high
value targets, such as nation states and large corporations, with the ultimate goal of stealing
information over a long period of time, rather than simply "dipping in" and leaving quickly, as many
black hat hackers do during lower-level cyber assaults.

APTs are most often associated with large, high-value targets. However, this doesn’t mean that small-
and medium-sized businesses can ignore this type of attack.

APT attackers are increasingly using smaller companies that make up the supply-chain of their
ultimate target as a way of gaining access to large organizations. They use such companies, which
are typically less well-defended, as stepping-stones.

Five Stages of An Evolving Advanced Persistent Attack:

The whole purpose of an APT attack is to gain ongoing access to the system. Hackers achieve this in a
series of five stages.

Stage One: Gain Access

Stage Two: Establish a Foothold

Stage Three: Deepen Access

Stage Four: Move Laterally

Stage Five: Look, Learn, and Remain


Stage One: Gain Access

Like a burglar forcing open a door with a crowbar, cybercriminals usually gain entry through a
network, an infected file, junk email, or an app vulnerability to insert malware into a target network.

Stage Two: Establish a Foothold

Cybercriminals implant malware that allows the creation of a network of backdoors and tunnels
used to move around in systems undetected. The malware often employs techniques like rewriting
code to help hackers cover their tracks.

Stage Three: Deepen Access

Once inside, hackers use techniques such as password cracking to gain access to administrator rights
so they can control more of the system and get even greater levels of access.

Stage Four: Move Laterally

Deeper inside the system with administrator rights, hackers can move around at will. They can also
attempt to access other servers and other secure parts of the network.

Stage Five: Look, Learn, and Remain

From inside the system, hackers gain a full understanding of how it works and its vulnerabilities,
allowing them to harvest the information they want at will.

Hackers can attempt to keep this process running — possibly indefinitely — or withdraw once they
accomplish a specific goal. They often leave a back door open to access the system again in the
future.

7 Best Practices for Advanced Persistent Threat Protection

Here’s the hard truth about advanced persistent threat protection:

No single solution will 100% protect you.

You need multiple layers of security working together, all the time, in addition to constant network
monitoring.

With that said, here are 7 ways to protect against advanced persistent threats.

Install a Firewall

Choosing a firewall is an essential first layer of defense against APT attacks.

Software firewalls, hardware firewalls, and cloud firewalls are the 3 most common types of firewalls
used. Each reduces the attack surface an APT can reach, but a firewall alone will not stop an intrusion
that arrives through an allowed channel such as email or a web application.

Enable a Web Application Firewall

A web application firewall is a useful tool for defeating APT attacks because it can detect and
prevent attacks coming from web applications by inspecting HTTP traffic.

Install an Antivirus

Up-to-date antivirus programs can detect and prevent a wide range of malware, trojans, and viruses,
which APT hackers will use to exploit your system.

Make sure that your antivirus can access real-time data and detect the newest threats, instead of
only being able to recognize well-known malware.

Implement Intrusion Prevention Systems

Intrusion prevention systems (IPS) are an essential IT security service: they monitor your network for
strange behaviour or malicious code, alert you if any is found and, unlike a passive intrusion detection
system (IDS), can block the offending traffic inline.

This is a powerful tool for recognizing network compromises before they can be exploited further.

Create a Sandboxing Environment

A sandbox is a secure, virtual environment that allows you to open and run untrusted programs or
codes without risking harm to your operating system.

If a file is found to be infected, you isolate it, remove it, and prevent future infections.

Install a VPN

Remote access risks such as an insecure WiFi hotspot, present an easy opportunity for APT hackers
to gain initial access to your company’s network.

A virtual private network (VPN) provides an encrypted “tunnel” that you and your employees can
use to access your network without cybercriminals snooping on your activity or gathering your
data.

Enable Email Protection

Email is one of the most-used and most-effective forms of infiltration.

Advanced persistent threat protection relies on good software as much as it does on good end-user
behaviour.

Enable spam and malware protection for your email applications, and educate your employees on
how to identify potentially malicious emails.

TOP 10 CHALLENGES OF CYBER SECURITY FACED IN 2021

• Cyber Security is becoming a severe issue for individuals, enterprises, and governments alike.

• In a world where everything is on the internet, from cute kitten videos and our travel diaries to our
credit card information, ensuring that our data remains safe is one of the biggest challenges of Cyber
Security.

• Cyber Security challenges come in many forms, such as ransomware, phishing attacks, malware
attacks, and more.

• India ranks 11th globally in terms of local cyber-attacks and has witnessed 2,299,682 incidents in
Q1 of 2020 already

What is Cybersecurity?

Cybersecurity is the state or process of protecting and recovering computer systems, networks,
devices, and programs from any type of cyber-attack. Cyber-attacks are an increasingly sophisticated
and evolving danger to your sensitive data, as attackers employ new methods powered by social
engineering and artificial intelligence (AI) to circumvent traditional data security controls.

The fact of the matter is the world is increasingly reliant on technology and this reliance will
continue as we introduce the next generation of new technology that will have access to our
connected devices via Bluetooth and Wi-Fi.

To keep customer data protected while embracing new technology, intelligent cloud security
solutions should be implemented alongside strong authentication policies, including multi-factor
authentication, to mitigate unauthorized access.

THE IMPORTANCE OF CYBERSECURITY

• Cybersecurity's importance is on the rise.

• Fundamentally, our society is more technologically reliant than ever before and there is no sign
that this trend will slow.

• Leaked personal data that could enable identity theft is now posted publicly, including on social media accounts.

• Sensitive information like social security numbers, credit card information and bank account
details are now stored in cloud storage services like Dropbox or Google Drive.

The fact of the matter is whether you are an individual, small business or large multinational, you
rely on computer systems every day.

Pair this with the rise in cloud services, poor cloud service security, smartphones and the Internet of
Things (IoT) and we have a myriad of cybersecurity threats that didn't exist a few decades ago.

We need to understand the difference between cybersecurity and information security, even though
the skillsets are becoming more similar.

CYBERSECURITY ATTACKS:

1. Malware attack

Attackers use many methods to get malware onto a user’s device, most often social
engineering. Users may be asked to take an action, such as clicking a link or opening an
attachment. In other cases, malware uses vulnerabilities in browsers or operating systems
to install itself without the user’s knowledge or consent.

Once malware is installed, it can monitor user activities, send confidential data to the
attacker, assist the attacker in penetrating other targets within the network, and even
cause the user’s device to participate in a botnet leveraged by the attacker for malicious
intent.
Malware attacks include:

• Trojan (often loosely called a Trojan virus) — tricks a user into thinking it is a harmless
file. Once run, a Trojan can launch an attack on the system and establish a backdoor for
the attacker’s later use.
• Ransomware — prevents access to the victim’s data and threatens to delete or publish it
unless a ransom is paid.
• Wiper malware — intends to destroy data or systems, by overwriting targeted files
or destroying an entire file system. Wipers are usually intended to send a political
message, or hide hacker activities after data exfiltration.
• Worms — self-propagating malware that exploits backdoors and vulnerabilities to gain
unauthorized access to operating systems and spread to other hosts without user action.
After installation, a worm can perform various attacks, including participating in a
Distributed Denial of Service (DDoS).
• Spyware — this malware enables malicious actors to gain unauthorized access to
data, including sensitive information like payment details and credentials. Spyware
can affect mobile phones, desktop applications, and desktop browsers.
• Fileless malware — this type of malware does not install its own executable on disk.
Instead it abuses legitimate native tools such as PowerShell and WMI to run its malicious
functionality directly in memory, so its activity looks like that of trusted system
components and is difficult to detect.
• Application or website manipulation — OWASP outlines the top 10 application
security risks, ranging from broken access control and security misconfiguration
through injection attacks and cryptographic failures. Once an attacker establishes a
foothold this way, for example by acquiring a service account, further malware,
credential theft or APT activity follows.
2. Social engineering attacks

Social engineering attacks work by psychologically manipulating users into performing
actions desirable to an attacker, or divulging sensitive information.

Social engineering attacks include:

• Phishing — attackers send fraudulent correspondence that seems to come from
legitimate sources, usually via email. The email may urge the user to perform an
important action or click on a link to a malicious website, leading them to hand
over sensitive information to the attacker, or expose themselves to malicious
downloads. Phishing emails may include an email attachment infected with
malware.
• Spear phishing — a variant of phishing in which attackers specifically target
individuals with security privileges or influence, such as system administrators or
senior executives.
• Malvertising — online advertising controlled by hackers, which contains malicious
code that infects a user’s computer when they click, or even just view the ad.
Malvertising has been found on many leading online publications.
• Drive-by downloads — attackers compromise websites and insert malicious scripts
into a page’s HTML or server-side code. When users visit the page, malware is
installed directly on their computer, or the attacker’s script redirects them to a
malicious site which performs the download. Drive-by downloads rely on
vulnerabilities in browsers or operating systems.
• Scareware security software — pretends to scan for malware and then regularly
shows the user fake warnings and detections. Attackers may ask the user to pay to
remove the fake threats from their computer or to register the software. Users
who comply transfer their financial details to an attacker.
• Baiting — occurs when a threat actor tricks a target into using a malicious device,
placing a malware-infected physical device, like a USB, where the target can find it.
Once the target inserts the device into their computer, they unintentionally install
the malware.
• Vishing — voice phishing (vishing) attacks use social engineering techniques to get
targets to divulge financial or personal information over the phone.
• Whaling — this phishing attack targets high-profile employees (whales), such as
the chief executive officer (CEO) or chief financial officer (CFO). The threat actor
attempts to trick the target into disclosing confidential information.
• Pretexting — occurs when a threat actor lies to the target to gain access to
privileged data. A pretexting scam may involve a threat actor pretending to confirm
the target’s identity by asking for financial or personal data.
• Scareware — a threat actor tricks the victim into thinking they inadvertently
downloaded illegal content or that their computer is infected with malware. Next,
the threat actor offers the victim a solution to fix the fake problem, tricking the
victim into downloading and installing malware.
• Diversion theft — threat actors use social engineering to trick a courier or delivery
company into going to the wrong drop-off or pickup location, intercepting the
transaction.
• Honey trap — a social engineer assumes a fake identity as an attractive person to
interact with a target online. The social engineer fakes an online relationship and
gathers sensitive information through this relationship.
• Tailgating or piggybacking — occurs when a threat actor enters a secured building
by following authorized personnel. Typically, the staff with legitimate access
assumes the person behind is allowed entrance, holding the door open for them.
• Pharming — an online fraud scheme during which a cybercriminal installs malicious
code on a server or computer. The code automatically directs users to a fake
website, where users are tricked into providing personal data.

3. Software supply chain attacks

A software supply chain attack is a cyber attack against an organization that targets weak
links in its trusted software update and supply chain. A supply chain is the network of all
individuals, organizations, resources, activities, and technologies involved in the creation
and sale of a product. A software supply chain attack exploits the trust that organizations
have in their third-party vendors, particularly in updates and patching.

This is especially true for network monitoring tools, industrial control systems, “smart”
machines, and other network-enabled systems with service accounts. An attack can be
made in many places against the vendor continuous integration and continuous delivery
(CI/CD) software lifecycle, or even against third-party libraries and components as seen via
Apache and Spring.

Types of software supply chain attacks:

• Compromise of software build tools or dev/test infrastructure
• Compromise of devices or accounts owned by privileged third-party vendors
• Malicious apps signed with stolen code signing certificates or developer IDs
• Malicious code deployed on hardware or firmware components
• Malware pre-installed on devices such as cameras, USBs, and mobile phones

4. Advanced persistent threats (APT)

When an individual or group gains unauthorized access to a network and remains
undiscovered for an extended period of time, attackers may exfiltrate sensitive data,
deliberately avoiding detection by the organization’s security staff. APTs require
sophisticated attackers and involve major efforts, so they are typically launched against
nation states, large corporations, or other highly valuable targets.

Common indicators of an APT presence include:

• New account creation — the P in Persistent comes from an attacker creating an
identity or credential on the network with elevated privileges.
• Abnormal activity — legitimate user accounts typically perform in patterns.
Abnormal activity on these accounts can indicate an APT is occurring, including
noting a stale account which was created then left unused for a time suddenly
being active.
• Backdoor/trojan horse malware — extensive use of this method enables APTs to
maintain long-term access.
• Odd database activity — for example, a sudden increase in database operations
with massive amounts of data.
• Unusual data files — the presence of these files can indicate data has been
bundled into files to assist in an exfiltration process.
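Three of the indicators above (a new account with elevated privileges, a stale account that suddenly becomes active, and a bulk database export) can be checked mechanically over an audit log. The following is an added example, not part of these notes; the log format, the group names and the thresholds are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit log, not taken from the notes. One event per line:
# "timestamp,event,account,detail" with ISO-8601 UTC timestamps.
SAMPLE_LOG = """\
2024-03-01T08:00:00,ACCOUNT_CREATED,svc-backup,groups=Domain Admins
2024-03-01T08:05:00,LOGIN,alice,host=ws-12
2024-03-01T09:00:00,ACCOUNT_CREATED,jdoe,groups=Users
2024-03-02T09:10:00,LOGIN,jdoe,host=ws-40
2024-03-03T09:00:00,LOGIN,alice,host=ws-12
2024-05-20T02:13:00,LOGIN,svc-backup,host=dc-01
2024-05-20T02:14:00,DB_EXPORT,svc-backup,rows=4800000
"""

# Tunable thresholds (assumed values for the example, not from the notes).
ELEVATED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_DAYS = 30          # created-then-idle period that makes a first login suspicious
BULK_ROWS = 1_000_000    # export size treated as "massive amounts of data"


def parse_log(log):
    """Yield (timestamp, event, account, detail) tuples in the order logged."""
    for line in log.strip().splitlines():
        ts, event, account, detail = line.split(",", 3)
        yield datetime.fromisoformat(ts), event, account, detail


def detect_apt_indicators(log):
    """Return (indicator, account) pairs for the three indicators modelled here:
    privileged account creation, a stale account suddenly used, bulk DB export."""
    findings = []
    created_at = {}      # account -> creation time
    seen_login = set()   # accounts that have logged in at least once
    for ts, event, account, detail in parse_log(log):
        if event == "ACCOUNT_CREATED":
            created_at[account] = ts
            groups = set(detail.removeprefix("groups=").split(";"))
            if groups & ELEVATED_GROUPS:
                findings.append(("new_privileged_account", account))
        elif event == "LOGIN" and account not in seen_login:
            seen_login.add(account)
            # first ever login: how long did the account sit unused after creation?
            idle = ts - created_at.get(account, ts)
            if idle > timedelta(days=STALE_DAYS):
                findings.append(("stale_account_activated", account))
        elif event == "DB_EXPORT":
            if int(detail.removeprefix("rows=")) >= BULK_ROWS:
                findings.append(("bulk_database_export", account))
    return findings


if __name__ == "__main__":
    for indicator, account in detect_apt_indicators(SAMPLE_LOG):
        print(f"{indicator}: {account}")
```

On the constructed log the same service account trips all three indicators, which is the pattern the notes describe: a privileged identity is planted early, left dormant, then used for exfiltration.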

5. Distributed denial of service (DDoS)

The objective of a denial of service (DoS) attack is to overwhelm the resources of a target
system and cause it to stop functioning, denying access to its users. Distributed denial of
service (DDoS) is a variant of DoS in which attackers compromise a large number of
computers or other devices, and use them in a coordinated attack against the target
system.

DDoS attacks are often used in combination with other cyberthreats. These attacks may
launch a denial of service to capture the attention of security staff and create confusion,
while they carry out more subtle attacks aimed at stealing data or causing other damage.
Methods of DDoS attacks include:

• Botnets — systems under hacker control that have been infected with malware.
Attackers use these bots to carry out DDoS attacks. Large botnets can include
millions of devices and can launch attacks at devastating scale.
• Smurf attack — sends Internet Control Message Protocol (ICMP) echo requests to
the victim’s IP address. The ICMP requests are generated from ‘spoofed’ IP
addresses. Attackers automate this process and perform it at scale to overwhelm a
target system.
• TCP SYN flood attack — attacks flood the target system with connection requests.
When the target system attempts to complete the connection, the attacker’s
device does not respond, forcing the target system to time out. This quickly fills the
connection queue, preventing legitimate users from connecting.
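The SYN flood item above can be recognised from a packet summary by counting handshakes that were opened with a SYN but never completed by the client. This is an added example, not part of these notes; the packet summary format, the one-second window and the half-open threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet summary, not from the notes: "time_s,src_ip,dst_port,flags"
# as a capture tool would list it. Seconds 0-1 hold three normal handshakes
# (SYN then ACK from the same client); second 2 holds SYNs that are never completed.
SAMPLE_PACKETS = """\
0.00,192.0.2.10,443,S
0.01,192.0.2.10,443,A
0.40,192.0.2.11,443,S
0.41,192.0.2.11,443,A
1.20,192.0.2.12,443,S
1.22,192.0.2.12,443,A
2.00,198.51.100.1,443,S
2.01,198.51.100.2,443,S
2.02,198.51.100.3,443,S
2.03,198.51.100.4,443,S
2.04,198.51.100.5,443,S
2.05,198.51.100.6,443,S
2.06,198.51.100.7,443,S
"""


def find_syn_flood_windows(packet_log, window_s=1.0, max_half_open=5):
    """Return the sorted window indices in which more than max_half_open
    handshakes were started with a SYN but never completed by the client's ACK."""
    syns = defaultdict(int)        # window -> SYNs seen in that window
    completed = defaultdict(int)   # window of the SYN -> handshakes later completed
    pending = {}                   # (src, dport) -> window in which its SYN arrived
    for line in packet_log.strip().splitlines():
        t, src, dport, flags = line.split(",")
        window = int(float(t) // window_s)
        key = (src, dport)
        if flags == "S":
            syns[window] += 1
            pending[key] = window
        elif flags == "A" and key in pending:
            # the client answered the SYN-ACK: credit the window its SYN came from
            completed[pending.pop(key)] += 1
    return sorted(w for w in syns if syns[w] - completed[w] > max_half_open)


if __name__ == "__main__":
    print("suspicious windows:", find_syn_flood_windows(SAMPLE_PACKETS))
```

With spoofed source addresses the ACK never arrives, so the half-open count for that window grows while the legitimate windows net out to zero.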

6. Man-in-the-middle attack (MitM)

When users or devices access a remote system over the internet, they assume they are
communicating directly with the server of the target system. In a MitM attack, attackers
break this assumption, placing themselves in between the user and the target server.

Once the attacker has intercepted communications, they may be able to compromise a
user’s credentials, steal sensitive data, and return different responses to the user.

MitM attacks include:

• Session hijacking — an attacker hijacks a session between a network server and a
client. The attacking computer substitutes its IP address for the IP address of the
client. The server believes it is corresponding with the client and continues the
session.
• Replay attack — a cybercriminal eavesdrops on network communication and
replays messages at a later time, pretending to be the user. Replay attacks have
been largely mitigated by adding timestamps to network communications.
• IP spoofing — an attacker convinces a system that it is corresponding with a
trusted, known entity. The system thus provides the attacker with access. The
attacker forges its packet with the IP source address of a trusted host, rather than
its own IP address.
• Eavesdropping attack — attackers leverage insecure network communication to
access information transmitted between the client and server. These attacks are
difficult to detect because network transmissions appear to act normally.
• Bluetooth attacks — because Bluetooth is often open in promiscuous mode, there
are many attacks, particularly against phones, that drop contact cards and other
malware through open and receiving Bluetooth connections. Usually this
compromise of an endpoint is a means to an end, from harvesting credentials to
personal information.
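The replay item above says timestamps mitigate the attack; in practice a timestamp is combined with a one-time nonce and a keyed MAC so that a captured message cannot be re-sent later or altered. The exchange below is an added example, not code from these notes; the shared key, the message layout and the 30-second acceptance window are assumptions.

```python
import hashlib
import hmac
import secrets

WINDOW_S = 30  # acceptance window in seconds; assumed value, not from the notes


def _tag(key, ts, nonce, payload):
    """HMAC over timestamp, nonce and payload so none of them can be altered in transit."""
    msg = f"{ts}|{nonce}|{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_send(key, payload, now, nonce=None):
    """Client side: stamp the message with the current time and a fresh nonce."""
    ts = int(now)
    nonce = nonce or secrets.token_hex(8)
    return f"{ts}|{nonce}|{payload}|{_tag(key, ts, nonce, payload)}"


class Server:
    """Server side: accept each nonce at most once, and only while the timestamp is
    inside the window, which keeps the set of remembered nonces bounded."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp it was accepted with

    def receive(self, message, now):
        try:
            ts_s, nonce, rest = message.split("|", 2)
            payload, mac = rest.rsplit("|", 1)
            ts = int(ts_s)
        except ValueError:
            return "reject: malformed"
        # 1. integrity first: a forged or altered message never reaches the other checks
        if not hmac.compare_digest(mac, _tag(self.key, ts, nonce, payload)):
            return "reject: bad mac"
        # 2. freshness: an old capture is useless even once its nonce has been forgotten
        if abs(now - ts) > WINDOW_S:
            return "reject: stale"
        # 3. uniqueness inside the window: the same capture replayed quickly
        if nonce in self.seen:
            return "reject: replay"
        self.seen[nonce] = ts
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_S}
        return f"accept: {payload}"


if __name__ == "__main__":
    key = b"shared-secret"            # constructed key for the demo
    srv = Server(key)
    m = client_send(key, "pay 5 to bob", now=1000)
    print(srv.receive(m, now=1001))   # accepted
    print(srv.receive(m, now=1002))   # replayed within the window: rejected
    print(srv.receive(m, now=1100))   # replayed after the window: rejected
```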

7. Password attacks

A hacker can gain access to the password information of an individual by ‘sniffing’ the
connection to the network, using social engineering, guessing, or gaining access to a
password database. An attacker can ‘guess’ a password in a random or systematic way.

Password attacks include:

• Brute-force password guessing — an attacker uses software to try many different
passwords, in hopes of guessing the correct one. The software can use some logic
to try passwords related to the name of the individual, their job, their family,
etc.
• Dictionary attack — a dictionary of common passwords is used to gain access to
the computer and network of the victim. One method is to copy an encrypted file
that has the passwords, apply the same encryption to a dictionary of regularly used
passwords, and contrast the findings.
• Pass-the-hash attack — an attacker exploits the authentication protocol in a
session and captures a password hash (as opposed to the password characters
directly) and then passes it through for authentication and lateral access to other
networked systems. In these attack types, the threat actor doesn’t need to decrypt
the hash to obtain a plain text password.
• Golden ticket attack — a golden ticket attack starts in the same way as a pass-the-
hash attack, where on a Kerberos (Windows AD) system the attacker uses the
stolen password hash to access the key distribution center to forge a ticket-
granting-ticket (TGT) hash. Mimikatz attacks frequently use this attack vector.

Cyberthreat actors

When you identify a cyberthreat, it’s important to understand who the threat actor is, as
well as their tactics, techniques, and procedures (TTP). Common sources of cyberthreats
include:

• State-sponsored — cyberattacks by countries can disrupt communications, military
activities, or other services that citizens use daily.
• Terrorists — terrorists may attack government or military targets, but at times may
also target civilian websites to disrupt and cause lasting damage.
• Industrial spies — organized crime and international corporate spies carry out
industrial espionage and monetary theft. Their primary motive is financial.
• Organized crime groups — criminal groups infiltrate systems for monetary gain.
Organized crime groups use phishing, spam, and malware to carry out identity
theft and online fraud. There are organized crime groups who exist to sell hacking
services to others as well, maintaining even support and services for profiteers and
industrial spies alike.
• Hackers — there is a large global population of hackers, ranging from beginner
“script kiddies” or those leveraging ready-made threat toolkits, to sophisticated
operators who can develop new types of threats and avoid organizational
defenses.
• Hacktivists — hacktivists are hackers who penetrate or disrupt systems for political
or ideological reasons rather than financial gain.
• Malicious insider — insiders represent a very serious threat, as they have existing
access to corporate systems and knowledge of target systems and sensitive data.
Insider threats can be devastating and very difficult to detect.
• Cyber espionage — a form of cyberattack that steals classified or sensitive
intellectual data to gain an advantage over a competing company or government
entity.

SOFTWARE DEVELOPMENT SECURITY:

The software development life cycle, or SDLC, encompasses all of the steps that an organization
follows when it develops software tools or applications.
Organizations that incorporate security in the SDLC benefit from products and applications that are
secure by design.
Those that fail to involve information security in the life cycle pay the price in the form of costly and
disruptive events.

A typical SDLC model contains the following main functions:

• Conceptual definition. This is a basic description of the new product or program being developed,
so that anyone reading it can understand the proposed project.
• Functional requirements and specifications. This is a list of requirements and specifications from a
business function perspective.
• Technical requirements and specifications. This is a detailed description of technical requirements
and specifications in technical terms.
• Design. This is where the formal detailed design of the product or program is developed.
• Coding. The actual development of software.
• Test. This is the formal testing phase.
• Implementation. This is where the software or product is installed in production.

GETTING THE RIGHT SECURITY INFORMATION TO THE RIGHT PEOPLE

Many people in the entire development process need all kinds of information, including security
information, in a form that is useful to them. Here is the type of information that is required during
each phase of the SDLC.
• Conceptual -- Organization information security principles and strategies
• Functional requirements and specifications -- Information security requirements
• Technical requirements and specifications -- Information security requirements
• Design -- Enterprise security architecture and security product standards
• Coding -- Development standards, practices, libraries and coding examples
• Testing -- Test plans that show how to verify each security requirement
• Implementation -- Procedures for integrating existing authentication, access controls, encryption,
backup, etc.

SECURE DEVELOPMENT LIFECYCLE

• In its simplest form, the SDL is a process that standardizes security best practices across a range of
products and/or applications.
• It captures industry-standard security activities, packaging them so they may be easily
implemented.
• The software development lifecycle consists of several phases.
• The SDL was unleashed from within the walls of Microsoft, as a response to the famous Bill Gates
memo of January 2002.
• In it Gates laid out the requirement to build security into Microsoft's products.
• He admitted that due to various virus and malware outbreaks, Microsoft had to embed security if
it was to be taken seriously in the marketplace.

THE PROBLEMS THE SDL SOLVES

1. The lack of a standard approach to securing products causes problems. As a result, developers
spend too much time fixing code they wrote in the past and not enough focusing on the future.
2. The second problem is that developers tend to repeat the same security mistakes, each time
expecting a different response (which is the definition of insanity).
3. The third issue is that problems are found at release or after deployment.
4. Finally, without a security standard, customers have no assurance that a given product is secure. A
single product considered for purchase may be one of the good ones, or it might be terrible from a
security perspective. Without an SDL, there is no product security parity across the company. And
without a standard process, some product teams ignore security altogether.

SDL DIFFERENT PHASES

The requirements phase

• In the requirements phase, best practices for security are integrated into a product. These
practices may come from industry standards or be based on responses to problems that have occurred
in the past.
• Requirements exist to define the functional security requirements implemented in the product, and
include all the activities of the SDL. They are used as an enforcement point to ensure that all pieces
are properly considered.
• Requirements may take the classic form, stating that the product or application must, may, or
should, do something. One example might be that the product must enforce a minimum password length
of eight characters.
• In the agile world, requirements are expressed as user stories. These stories contain the same
information as do the requirements, but security functionality is written from the user's perspective.

The design phase

• Secure design is about quantifying architecture (for a single feature or the entire product) and
then searching for problems. Secure design could occur in a formal document or on a napkin.
• Threat modeling is the process of thinking through how a feature or system will be attacked, and
then mitigating those future attacks in the design before writing the code. Threat modeling is akin to
perceiving crimes prior to their occurrence.
• A solid threat model understands a feature's or product's attack surface, then defines the most
likely attacks that will occur across those interfaces. A threat model is only as good as the
mitigations it contains to fix the problems. But it is crucial to identifying security issues early in
the process.

Implementation or coding

• The SDL contains a few things programmers must do to ensure that their code has the best chance of
being secure. The process involves a mixture of standards and automated tools.
• Implementation tools include static application security testing (SAST) and dynamic application
security testing (DAST) software. SAST is like a spell-checker for code, identifying potential
vulnerabilities in the source code. SAST runs against a nightly build or may be integrated into your
IDE. It may find and open new bugs in the bug management system or prompt the developer to pause
while coding to fix a problem in real time.
• DAST checks the application's runtime instantiation. It spiders through an application to find all
possible interfaces and then attempts to exploit common vulnerabilities in the application. These
tools are primarily used on web interfaces.

The test phase

• Formal test activities include security functional test plans, vulnerability scanning, and penetration
testing. Vulnerability scanning uses industry-standard tools to determine if any system-level
vulnerabilities exist with the application or product.

The final phase: Release/response

• Release occurs when all the security activities are confirmed against the final build and the
software is sent to customers (or made available for download). Response is the interface for
external customers and security researchers to report security problems in products.
• Part of the response should include a product security-incident response team that focuses on
triaging and communicating product vulnerabilities, both individual bugs and those that will require
industry-wide collaboration (e.g., Heartbleed, Bashbug, etc.).
• Other security activities are also crucial for the success of an SDL.

What are the Components of Access Control?

At a high level, access control is about restricting access to a resource. Any access control system,
whether physical or logical, has five main components:

Authentication: The act of proving an assertion, such as the identity of a person or computer user. It
might involve validating personal identity documents, verifying the authenticity of a website with a
digital certificate, or checking login credentials against stored details.
Authorization: The function of specifying access rights or privileges to resources. For example,
human resources staff are normally authorized to access employee records and this policy is usually
formalized as access control rules in a computer system.

Access: Once authenticated and authorized, the person or computer can access the resource.

Manage: Managing an access control system includes adding and removing authentication and
authorization of users or systems. Some systems will sync with G Suite or Azure Active Directory,
streamlining the management process.

Audit: Frequently used as part of access control to enforce the principle of least privilege. Over time,
users can end up with access they no longer need, e.g. when they change roles. Regular audits
minimize this risk.

Access to accounts can be enforced through four major types of controls.

1. Mandatory Access Control (MAC)
In MAC, users do not have much freedom to determine who has access to their files. For example,
security clearance of users and classification of data (as confidential, secret or top secret) are used
as security labels to define the level of trust.
2. Discretionary Access Control (DAC)
In DAC, the data owner determines who can access specific resources. For example, a system
administrator may create a hierarchy of files to be accessed based on certain permissions.
3. Role-Based Access Control (RBAC)
RBAC allows access based on the job title. For example, a human resources specialist should not
have permissions to create network accounts; this should be a role reserved for network
administrators.
4. Rule-Based Access Control
An example of this would be only allowing students to use the labs during a certain time of the day.
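The four control types differ in who or what decides an access request, which is easiest to see side by side in code. The following is an added example, not part of these notes; the labels, role names, permissions and lab hours are assumptions chosen to match the examples given above.

```python
# --- 1. Mandatory: a subject may read an object only if its clearance dominates
#        the object's classification label (the "no read up" rule). ---
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}


def mac_can_read(clearance, classification):
    return LEVELS[clearance] >= LEVELS[classification]


# --- 2. Discretionary: the data owner alone decides who else gets access. ---
class DacFile:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor, user, perm):
        if actor != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(user, set()).add(perm)

    def allowed(self, user, perm):
        return perm in self.acl.get(user, set())


# --- 3. Role-based: permissions attach to job roles and users are mapped to
#        roles. Role and permission names are assumed for the example. ---
ROLE_PERMS = {
    "hr_specialist": {"read_employee_record", "update_employee_record"},
    "network_admin": {"create_network_account", "reset_password"},
}
USER_ROLES = {"maria": {"hr_specialist"}, "tom": {"network_admin"}}


def rbac_allowed(user, perm):
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))


# --- 4. Rule-based: a condition on the request itself, here the hour of day.
#        The lab hours are an assumed value. ---
LAB_HOURS = (8, 18)  # students may use the labs from 08:00 up to (not including) 18:00


def lab_access_allowed(role, hour):
    """Students are limited to LAB_HOURS; other roles are not restricted by this
    rule (an assumption for the example)."""
    if role != "student":
        return True
    return LAB_HOURS[0] <= hour < LAB_HOURS[1]
```

Note the difference in decision authority: under MAC neither the user nor the owner can override the label check, under DAC the owner can, and under RBAC and rule-based control the decision follows the role or the rule rather than any individual.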
