
Recognise the need for cyber security in an Organisation

VU23217 Session-02
Session Content

• Cyber security concepts and terminology: Threats, Vulnerabilities, Risks
• Understand the difference between Threats, Vulnerabilities and Risks
• Threat trends
• Attack Types & Mitigation strategies
• In depth examples: Ransomware, Threat goals, Threat vectors, Threat actors
• Social Engineering
• Denial of Service
• Malware types
• Malware Explained: botnets, malware, viruses, worms, Root Kits
• Malware analysis
• Malware behaviour
Cyber Threat

A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include computer viruses, data breaches, Denial of Service (DoS) attacks, and other attack vectors.

Cyber threats also refer to the possibility of a successful cyber attack that aims to gain unauthorized access, damage, disrupt, or steal an information technology asset, computer network, intellectual property, or any other form of sensitive data.
Cyber Threat

• Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (NIST)
Vulnerability

A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system. After exploiting a vulnerability, a cyberattack can run malicious code, install malware, and even steal sensitive data.

Vulnerabilities can be exploited by a variety of methods, including SQL injection, buffer overflows, cross-site scripting (XSS), and open-source exploit kits that look for known vulnerabilities and security weaknesses in web applications.
Types of vulnerabilities
Hardware
• Any susceptibility to humidity, dust, soiling, natural disaster, poor encryption, or firmware vulnerability.

Software
• Insufficient testing, lack of audit trail, design flaws, memory safety violations (buffer overflows, over-reads, dangling pointers), input validation
errors (code injection, cross-site scripting (XSS), directory traversal, email injection, format string attacks, HTTP header injection, HTTP response
splitting, SQL injection), privilege-confusion bugs (clickjacking, cross-site request forgery, FTP bounce attack), race conditions (symlink races,
time-of-check-to-time-of-use bugs), side channel attacks, timing attacks and user interface failures (blaming the victim, race conditions,
warning fatigue).

Network
• Unprotected communication lines, man-in-the-middle attacks, insecure network architecture, lack of authentication, default authentication, or
other poor network security.
Personnel
• Poor recruiting policy, lack of security awareness and training, poor adherence to security training, poor password management, or
downloading malware via email attachments.
Physical
• Area subject to natural disaster, unreliable power source, or no keycard access.

Organizational
• Improper internal controls, lack of audit, continuity plan, security, or incident response plan.
Risks

Cybersecurity risk is the probability of exposure or loss resulting from a cyber attack or data breach on your organization. A better, more encompassing definition is the potential loss or harm related to technical infrastructure, use of technology or reputation of an organization.

Decision-makers need to make risk assessments when prioritizing third-party vendors and have a risk mitigation strategy and cyber incident response plan in place for when a breach does occur.
Risk of Cyber Attack

Cyber Risk Management

Cyber threats need to be managed like all other risks in the organisation - through a process of identifying, ranking and prioritizing the threats, then allocating resources where the threat is considered most significant.

Traditional approaches to risk management inside organisations rate the threat using a matrix of likelihood of occurrence and significance of impact.
Risk Matrix
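As an added example (not part of the course slides), the Python below implements a likelihood x impact matrix of the kind just described: it scores a constructed threat register, assigns rating bands, ranks the threats and allocates a limited mitigation budget to the most significant ones first. The 1 to 5 scales, the band thresholds and the sample threats are assumptions made for this example.

```python
"""Likelihood x impact risk matrix: score, rate, rank and fund threats.
The 1..5 scales, rating bands and sample register are assumptions made for
this example; they are not the course's figures."""
from dataclasses import dataclass

SCALE_MAX = 5  # ordinal scale 1 (lowest) .. 5 (highest), assumed

# Rating bands over likelihood * impact (1..25), highest threshold first. Assumed.
BANDS = ((20, "Extreme"), (12, "High"), (6, "Medium"), (1, "Low"))


@dataclass
class Threat:
    name: str
    likelihood: int  # how probable the threat is to occur
    impact: int      # significance of impact if it does occur
    cost: int        # resources needed to mitigate it (arbitrary units)

    def __post_init__(self):
        for attr in ("likelihood", "impact"):
            value = getattr(self, attr)
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{attr} must be in 1..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        """The matrix cell: likelihood multiplied by impact."""
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a matrix cell to its rating band."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError("score must be at least 1")


def rank(threats):
    """Highest score first; ties broken by impact, then name, for a stable order."""
    return sorted(threats, key=lambda t: (-t.score, -t.impact, t.name))


def allocate(threats, budget: int):
    """Fund mitigations in rank order, skipping any the remaining budget cannot
    cover. Returns (funded names, unfunded names, budget left over)."""
    funded, unfunded = [], []
    for t in rank(threats):
        if t.cost <= budget:
            budget -= t.cost
            funded.append(t.name)
        else:
            unfunded.append(t.name)
    return funded, unfunded, budget


# Constructed sample register for the example.
SAMPLE = [
    Threat("Ransomware via phishing email", likelihood=4, impact=5, cost=30),
    Threat("DDoS on public web site", likelihood=3, impact=3, cost=25),
    Threat("Insider data theft", likelihood=2, impact=4, cost=20),
    Threat("Office flooding", likelihood=1, impact=4, cost=40),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{t.score:>2} {rating(t.score):<8} {t.name}")
    print(allocate(SAMPLE, budget=60))
```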
Threat Trends
Top Cybersecurity Trends

• The Internet of Things (IoT)
• Increase in cloud services and cloud security threats
• Remote working cybersecurity risks
• The rise of ransomware evolving
• Social engineering attacks getting smarter
• Multi-factor authentication improving
• Continued rise of artificial intelligence (AI)
• Data privacy as a discipline
• Mobile cybersecurity becoming front and center

Source: https://www.kaspersky.com/
Top Cybersecurity Trends In 2023

• Internet of Things and cloud security
• Work-from-home cybersecurity becomes a priority for businesses
• International state-sponsored attackers target businesses as well as governments
• Artificial intelligence (AI) plays an increasingly prominent role in cybersecurity
https://youtu.be/s5rr-Tlw798
Threat Actors

A threat actor is an entity responsible for a cybersecurity incident.

Cyber threat actors are groups or individuals who, with malicious intent, aim to exploit weaknesses in an information system or exploit its operators to gain unauthorized access to or otherwise affect victims' data, devices, systems, and networks, including the authenticity of the information that flows to and from them.

Cyber threat actors can be categorized by their motivations and, to a degree, by their sophistication. Threat actors value access to devices and networks for different reasons, such as siphoning processing power, exfiltrating or manipulating information, degrading the network's performance and extorting the owner. Some threat actors conduct threat activity against specific individuals or organizations, while others opportunistically target vulnerable systems.
Threat Actors (Cont.)

• Nation-states are frequently the most sophisticated threat actors, with dedicated resources and personnel, and extensive planning and coordination. Some nation-states have operational relationships with private sector entities and organized criminals.
• Cybercriminals are generally understood to have moderate sophistication in comparison to nation-states. Nonetheless, they still have planning and support functions in addition to specialized technical capabilities that affect a large number of victims.
• Threat actors in the top tier of sophistication and skill, capable of using advanced techniques to conduct complex and protracted campaigns in the pursuit of their strategic goals, are often called advanced persistent threats (APT). This designator is usually reserved for nation-states or very proficient organized crime groups.
• Hacktivists, terrorist groups, and thrill-seekers are typically at the lowest level of sophistication as they often rely on widely available tools that require little technical skill to deploy. Their actions, more often than not, have no lasting effect on their targets beyond reputation.
• Insider threats are individuals working within their organization who are particularly dangerous because of their access to internal networks that are protected by security perimeters. Access is a key component for malicious threat actors, and having privileged access eliminates the need to employ other remote means. Insider threats may be associated with any of the other listed types of threat actors but often include disgruntled employees.
Threat (Attack) Vector

In cybersecurity, a threat (attack) vector is a method of achieving unauthorized network access to launch a cyber attack. Threat (attack) vectors allow cybercriminals to exploit system vulnerabilities to gain access to sensitive data, personally identifiable information (PII), and other valuable information accessible after a data breach.

The most common attack vectors include malware, viruses, email attachments, web pages, pop-ups, instant messages, text messages, and social engineering. However, the number of cyber threats continues to grow as cybercriminals look to exploit unpatched or zero-day vulnerabilities listed on CVE and the dark web, as there is no single solution for preventing every attack vector.
Attack Surface

• An attack surface is the total number of attack vectors an attacker can use to manipulate a network or computer system or extract data.
Goals

Cyber threat actors can be categorized by their motivations and, to a degree, by their sophistication. Threat actors value access to devices, processing power, computing resources, and information for different reasons. In general, each type of cyber threat actor has a primary motivation.

Goal (Motivation)
Ransomware

Ransomware is used to hold a victim's data for ransom. Ransomware can include scareware, crypto malware, RaaS and Lockers.

Scareware:
Scareware is generally used to scare a user into paying a ransom. Scareware can show a notification that adult material has been found on the device and that if X amount of money isn't paid, the attackers will send the data to the victim's loved ones. The attackers generally don't have any information, but they are betting on the fact that the victim doesn't want to ruin a happy marriage.

Lockers:
Lockers generally lock a user out of a computer and demand a sum of money to regain access to their device. These are sometimes combined with Scareware, which can lock a computer and then display a message about the adult material.

Crypto malware:
The definition of ransomware we know today is generally this one. It is a form of ransomware that encrypts a user's data and then holds the decryption key for ransom.

RaaS:
RaaS is an interesting modern twist on crypto malware. It abbreviates "Ransomware as a Service": there are organisations that create the malware, which attackers can load onto systems; the service provider then handles everything from the encryption to the payments and the decryption keys, and receives a cut of the ransom as payment.
Protect against ransomware attacks

Update your device and turn on automatic updates
• Cybercriminals use known weaknesses to hack your devices. System updates have security upgrades to patch these weaknesses.
Turn on multi-factor authentication
• Having two-factor or multi-factor authentication increases your cyber security. Multi-factor authentication means there are two checks in place to prove your identity before you can access your account.
Set up and perform regular backups
• The best recovery method for a ransomware attack is a regular offline backup made to an external storage device and a backup in the cloud. Backing up and checking that backups restore your files offers peace of mind.
Implement access controls
• Controlling who can access what on your devices is an important step to minimise the risk of unauthorised access. It will also limit the amount of data that ransomware attacks can encrypt, steal, and delete. Give users access and control only to what they need by restricting administrator privileges.
Turn on ransomware protection
• Some operating systems offer ransomware protection. Make sure you enable this function to protect your devices.

Protect against ransomware attacks (Cont.)

Prepare your cyber emergency plan
• Ransomware Action Checklist and the Cyber Security Emergency Plan.
• It is important that these plans are easily accessible and known to all employees, especially in the event of a ransomware incident.
Get to know your critical data
• Know what data is most important to you. With your business, personal information, or devices, you need to consider what you:
• can and cannot replace,
• will invest to recover the information or device,
• are willing to live without, and
• must keep safe.
Remain vigilant and informed
• Sign up to get alerts. This type of service will send you an alert when a new cyber threat is identified.

Ransomware Action Checklist

Cyber Security Emergency Plan
Social Engineering Attacks

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.

Phishing:
• usually in the form of emails or chats, where the threat actors pose as a real organization to obtain personal information
Pretexting:
• when a threat actor impersonates an authority figure or someone that the target would easily trust in order to get their personal information
Baiting:
• when threat actors leave a malware-infected device, such as a USB or CD, in a place where it can be easily found by someone, who would then use the infected device on their computer and accidentally install the malware, giving the threat actors access into the target's system
Quid pro quo:
• when a threat actor requests personal information in exchange for some form of reward, e.g. money, a free gift or a free service

Social Engineering Attack - Phishing

Social Engineering Attack

Social engineering Attack prevention

Security awareness training is the number one way to prevent social engineering. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics.

Train and train again when it comes to security awareness.
• Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
• Provide a detailed briefing "roadshow" on the latest online fraud techniques to key staff.
• Review existing processes, procedures and separation of duties for financial transfers and other important transactions.
• Consider new policies related to "out of band" transactions or urgent executive requests.
• Review, refine and test your incident management and phishing reporting systems.
Botnets

Botnets are applications which either crawl the web or are directly sent to you by a criminal. Botnets are not always dangerous or illegal, but those that are can cause a lot of damage.

Most botnets are used to implant trojans and contact the malware developer to tell them that the infection has been "planted"; this is generally done via email to the attacker.

Some botnets execute what are called drive-bys, sometimes called Java drive-bys. These drive-bys occur when you are somehow directed to a website which prompts you to allow Java, which in some cases may be used to implant malware on your system or steal your data.
DoS Attacks (Denial of Service)

DoS attacks or Denial of Service attacks are used to flood a computer with packets until it cannot function well enough to handle legitimate packets, or crashes.

There are many types of DoS attacks.

Buffer overflow attacks are used to flood a system with TCP/UDP connections until it is offline.

Ping of Death is a common name for Internet Control Message Protocol (ICMP) flood attacks, which flood a service with ping requests until it is offline.

SYN Flood attacks are like buffer overflows, except they don't wait for a TCP handshake to complete. They just send connection requests until the target is offline.

Teardrop attacks send fragments of packets to a network, which the network tries to put back together; since the fragments are so unorganised, this is designed to cause the network to overload.
DoS Vs DDoS

DDoS Attacks (Distributed Denial of Service)

DDoS or Distributed Denial of Service attacks are pretty much exactly the same as DoS attacks; the main difference is that the attacks are coming from more than one source, hence the word "Distributed".

Attackers can use hacked webservers and control them for DDoS attacks; this allows them to take down much larger services that have a stronger network than others.

These attacks can cause large organisations to lose thousands of dollars for every hour that they might be offline, and the loss could be even greater depending on what type of company you are.

1.3Tbps DDoS attack on GitHub

https://www.wired.com/story/github-ddos-memcached/

DDoS Attack

DDoS Attack (SYN Flood)
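As an added example from the defender's side (not part of the course slides), the Python below reads a connection table in the column layout of `ss -tan`, counts half-open (SYN-RECV) connections per remote address, and labels the load as normal, a single-source DoS or a multi-source DDoS, which is exactly the distinction the two slides above draw. The table is constructed in the script rather than captured, and the two thresholds are assumptions for the example.

```python
"""Server-side SYN flood detection over a connection table in `ss -tan` layout.
Counts half-open (SYN-RECV) connections per remote address and labels the
pattern normal, DoS (few sources) or DDoS (many sources). The table below is
constructed, not captured, and the thresholds are assumptions for the example."""
from collections import Counter

HALF_OPEN_ALERT = 50      # alert above this many half-open connections (assumed)
DISTRIBUTED_SOURCES = 10  # this many peers or more counts as distributed (assumed)

HEADER = "State     Recv-Q Send-Q Local Address:Port Peer Address:Port"


def synthetic_table(n_conns: int, n_sources: int) -> str:
    """Build a constructed table: a listener, one normal session and n_conns
    half-open connections spread over n_sources peers in 198.51.100.0/24."""
    rows = [HEADER,
            "LISTEN    0      128    0.0.0.0:443        0.0.0.0:*",
            "ESTAB     0      0      10.0.0.5:443       203.0.113.9:51822"]
    for i in range(n_conns):
        peer = f"198.51.100.{i % n_sources + 1}:{40000 + i}"
        rows.append(f"SYN-RECV  0      0      10.0.0.5:443       {peer}")
    return "\n".join(rows) + "\n"


def half_open_by_peer(table: str) -> Counter:
    """Count SYN-RECV rows per remote IP, skipping the header and other states."""
    counts = Counter()
    for line in table.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "SYN-RECV":
            continue
        peer_ip = cols[4].rsplit(":", 1)[0]  # strip the port
        counts[peer_ip] += 1
    return counts


def classify(table: str) -> str:
    """'normal' below the alert threshold; otherwise 'dos' when the half-open
    load comes from few peers and 'ddos' when it is spread over many."""
    counts = half_open_by_peer(table)
    if sum(counts.values()) <= HALF_OPEN_ALERT:
        return "normal"
    return "ddos" if len(counts) >= DISTRIBUTED_SOURCES else "dos"


SAMPLE = synthetic_table(n_conns=120, n_sources=20)

if __name__ == "__main__":
    print(half_open_by_peer(SAMPLE).most_common(3))
    print(classify(SAMPLE))  # ddos
```

On a real host the same functions can be fed the output of `ss -tan` instead of the constructed table.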
Malware

Malware is a short name for malicious software. It is the tree that viruses, worms, rootkits, spyware, ransomware, remote access and keyloggers come under. All of these types of infections are classified as malicious software.

Malware is any software that is designed with the intent to cause damage to a computer, network or server.
Virus

A computer virus, much like a flu virus, is designed to spread from host to host and has the ability to replicate itself. Similarly, in the same way that viruses cannot reproduce without a host cell, computer viruses cannot reproduce and spread without programming such as a file or document. – Norton

A virus is a broad word which covers the way an infection is contracted rather than what the infection can do. For instance, a virus may be ransomware, but if the ransomware attack requires you to launch an application or file beforehand it would be categorized as a virus.
Worm

A computer worm is a type of malware that spreads copies of itself from computer to computer. A worm can replicate itself without any human interaction, and it does not need to attach itself to a software program in order to cause damage. – Norton

We can already see the difference between a "Virus" and a "Worm". A worm in this case doesn't need to be executed; it can spread through a network without human intervention, and the damage caused by a worm depends on what it is programmed to do.
Rootkits

Rootkits come in many forms; they are designed to hide themselves deep inside a program and become almost undetectable.

Rootkits are often used to allow attackers remote access to a system or to log keystrokes on a computer, which in turn steals your passwords and banking information. Here are some types of rootkits and what they are designed to do.
Rootkits (Cont.)

1. Hardware or firmware rootkit
The name of this type of rootkit comes from where it is installed on your computer. This type of malware could infect your computer's hard drive or its system BIOS, the software that is installed on a small memory chip in your computer's motherboard. It can even infect your router. Hackers can use these rootkits to intercept data written on the disk.

2. Bootloader rootkit
Your computer's bootloader is an important tool. It loads your computer's operating system when you turn the machine on. A bootloader rootkit, then, attacks this system, replacing your computer's legitimate bootloader with a hacked one. This means that this rootkit is activated even before your computer's operating system turns on.
Rootkits (Cont.)

3. Memory rootkit
This type of rootkit hides in your computer's RAM. These rootkits will carry out harmful activities in the background. The good news? These rootkits have a short lifespan. They only live in your computer's RAM and will disappear once you reboot your system, though sometimes further work is required to get rid of them.

4. Application rootkit
Application rootkits replace standard files in your computer with rootkit files. They might also change the way standard applications work. These rootkits might infect programs such as Word, Paint, or Notepad. Every time you run these programs, you give hackers access to your computer. The challenge here is that the infected programs will still run normally, making it difficult for users to detect the rootkit.

5. Kernel mode rootkits
These rootkits target the core of your computer's operating system. Cybercriminals can use these to change how your operating system functions. They just need to add their own code to it. This can give them easy access to your computer and make it easy for them to steal your personal information.
Spyware

Spyware can include many types of infections under its umbrella. The purpose of spyware is generally to steal data; this can include internet usage, credit card information and login credentials, and it can also relay your browsing data to internet advertisers to make money.

Some types of spyware can change system settings to allow even more data and personal information to become available to the malware application.

Spyware includes the following forms of malware which you may have heard of:

Adware:
Adware is a type of spyware that tracks your browser history and then sells the data to advertising agencies to predict what products or services you might be interested in; these ads can be displayed directly on your computer. It isn't always classified as dangerous malware, which is why in the early days of anti-virus systems it wasn't picked up by many AVs. You would have to use a specialized adware scanner to remove it.
Spyware (Cont.)

Trojan:
Trojans disguise themselves as legitimate software like Java or Flash applications. Trojans are almost always managed by an end user; think of the Trojan horse which was used by the Greeks to enter the city of Troy. The same concept applies to the malware of the same name.

Sometimes you can have a trojan infection, which you may or may not know about, that is not yet being used by an end user. It may take days, weeks or even months for a user to begin using the trojan that was implanted into a system, and sometimes the trojan may not have an end user at all.

A cybercriminal may have created the trojan many years ago and you have only just contracted the infection; the user may never connect to your system at all.
Spyware (Cont.)

Tracking Cookies:
Like adware, these can be used to steal your browser cookies and sell the information to marketing agencies.

It is important to know exactly how dangerous it is to have cookies stolen. Cookies can be used to access web applications without login credentials; a cookie session is all an attacker needs to gain access to the web site you may be logged into.

System monitors:
These types of spyware can collect virtually all information on your computer. They can steal keystrokes, emails, browser and system information.
Keyloggers

Keyloggers are used to record the keystrokes of a victim's computer and then email the attacker with the data at specific intervals.

An effective way to protect yourself from keyloggers is to use applications known as key scramblers, which scramble the keystrokes you type so that applications such as keyloggers don't receive the correct information from the victim.
Remote Access

Remote access malware is generally a trojan, sometimes referred to as a "RAT" (Remote Access Trojan).

These Trojan programs are installed on a victim's computer and give an attacker control of pretty much everything: they can control the webcam of a device, record keystrokes and screen captures, control the mouse and even eject the optical drive on the computer.

These are also quite difficult to detect in most cases, as they are generally embedded in files and images and are copied to deep directories within the filesystem which look quite legitimate to some anti-virus applications. Think of it like a TeamViewer app, but without the authentication.
Malware Analysis

• Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat.

4 Stages of Malware Analysis
Types of Malware Analysis

The analysis may be conducted in a manner that is static, dynamic or a hybrid of the two.

Static Analysis
• Basic static analysis does not require that the code is actually run. Instead, static analysis examines the file for signs of malicious intent. It can be useful to identify malicious infrastructure, libraries or packed files.
• Technical indicators are identified, such as file names, hashes, strings such as IP addresses and domains, and file header data, and these can be used to determine whether the file is malicious. In addition, tools like disassemblers and network analyzers can be used to observe the malware without actually running it in order to collect information on how the malware works.
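As an added example (not the course's or any analysis tool's code), the Python below carries out the basic static steps just listed on a constructed byte sample without executing anything: it identifies the file type from the header, computes hashes, pulls out printable strings and extracts IP, domain and URL indicators from them, discarding an address that is not valid. The magic-number table and the domain-suffix list are small assumptions made for the example.

```python
"""Basic static analysis of a file: file type from the header, hashes,
printable strings, and IP/domain/URL indicators pulled from those strings.
The sample bytes are constructed so the script runs offline; the magic-number
table and the suffix list are assumptions for the example."""
import hashlib
import re
from dataclasses import dataclass, field

# Magic numbers for a few common executable formats (assumed subset).
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
    b"PK\x03\x04": "ZIP container (also Office/JAR)",
}
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|xyz)\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.I)


@dataclass
class Report:
    file_type: str
    md5: str
    sha256: str
    strings: list = field(default_factory=list)
    ipv4: list = field(default_factory=list)
    domains: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def file_type(data: bytes) -> str:
    """Identify the format from the leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def valid_ipv4(addr: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. 999.1.1.1)."""
    return all(0 <= int(o) <= 255 for o in addr.split("."))


def analyse(data: bytes) -> Report:
    """Collect technical indicators from the raw bytes; nothing is executed."""
    strings = [s.decode("ascii") for s in STRING_RE.findall(data)]
    text = "\n".join(strings)
    ipv4 = sorted({ip for ip in IPV4_RE.findall(text) if valid_ipv4(ip)})
    urls = sorted(set(URL_RE.findall(text)))
    domains = sorted({d.lower() for d in DOMAIN_RE.findall(text)})
    return Report(file_type(data),
                  hashlib.md5(data).hexdigest(),
                  hashlib.sha256(data).hexdigest(),
                  strings, ipv4, domains, urls)


# Constructed sample: a fake PE header followed by strings of the kind a
# dropper might carry (a download URL, a contact address, a persistence key).
# Not a real binary; the host names and addresses are documentation values.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
          + b"This program cannot be run in DOS mode.\x00"
          + b"http://update.example-cdn.xyz/payload.bin\x00"
          + b"198.51.100.7\x00"
          + b"999.1.1.1\x00"  # looks like an address but is not valid
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")

if __name__ == "__main__":
    r = analyse(SAMPLE)
    print(r.file_type, r.sha256)
    print("IPs:", r.ipv4, "domains:", r.domains, "URLs:", r.urls)
    print("strings:", r.strings)
```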
Types of Malware Analysis (Cont.)

Dynamic Analysis
• Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This closed system enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network.
• Dynamic analysis provides threat hunters and incident responders with deeper visibility, allowing them to uncover the true nature of a threat. As a secondary benefit, automated sandboxing eliminates the time it would take to reverse engineer a file to discover the malicious code.

Hybrid Analysis (includes both of the techniques above)
• Basic static analysis isn't a reliable way to detect sophisticated malicious code, and sophisticated malware can sometimes hide from the presence of sandbox technology. By combining basic and dynamic analysis techniques, hybrid analysis provides security teams with the best of both approaches, primarily because it can detect malicious code that is trying to hide, and can then extract many more indicators of compromise (IOCs) by statically analysing previously unseen code. Hybrid analysis helps detect unknown threats, even those from the most sophisticated malware.
