VU23217 Session-02
Session Content
• Cyber security concepts and terminology: botnets, Social Engineering, Denial of Service
• Understand the difference between Threats, Vulnerabilities and Risks
• Threat trends
• Malware Explained: malware types, malware, viruses, worms, Root Kits
• Malware analysis
• Malware behaviour
Cyber Threat
• Any circumstance or event with the
potential to adversely impact
organizational operations (including
mission, functions, image, or reputation),
organizational assets, or individuals
through an information system via
unauthorized access, destruction,
disclosure, modification of information,
and/or denial of service.
(NIST)
Vulnerability
Types of vulnerabilities
Hardware
• Any susceptibility to humidity, dust, soiling, natural disaster, poor encryption, or firmware vulnerability.
Software
• Insufficient testing, lack of audit trail, design flaws, memory safety violations (buffer overflows, over-reads, dangling pointers), input validation
errors (code injection, cross-site scripting (XSS), directory traversal, email injection, format string attacks, HTTP header injection, HTTP response
splitting, SQL injection), privilege-confusion bugs (clickjacking, cross-site request forgery, FTP bounce attack), race conditions (symlink races,
time-of-check-to-time-of-use bugs), side channel attacks, timing attacks and user interface failures (blaming the victim, race conditions,
warning fatigue).
Network
• Unprotected communication lines, man-in-the-middle attacks, insecure network architecture, lack of authentication, default authentication, or
other poor network security.
Personnel
• Poor recruiting policy, lack of security awareness and training, poor adherence to security training, poor password management, or
downloading malware via email attachments.
Physical
• Area subject to natural disaster, unreliable power source, or no keycard access.
Organizational
• Improper internal controls, lack of audit, continuity plan, security,
or incident response plan.
Risks
Risk of Cyber Attack
Cyber Risk Management
Cyber threats need to be managed like all
other risks in the organisation: through a
process of identifying, ranking and prioritising
the threats, then allocating resources where
the threat is considered most significant.
Traditional approaches to risk management
inside organisations rate the threat using a
matrix of likelihood of occurrence and
significance of impact.
Risk Matrix
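The identify, rank, prioritise and allocate process described above, worked through in code. This is an added example, not part of the session slides: the five-point scale labels, the rating bands and the risk register are constructed for the demo, since the slide's matrix is only an image.

```python
from dataclasses import dataclass

# Five-point likelihood and impact scales. The labels and the rating bands are
# assumptions for this example; each organisation sets its own thresholds.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str

    def score(self) -> int:
        # Risk score = likelihood x impact: the cell of the matrix the threat lands in.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        s = self.score()
        return "extreme" if s >= 15 else "high" if s >= 8 else "medium" if s >= 4 else "low"


def prioritise(threats):
    """Rank threats highest score first; on ties, the higher-impact threat comes first."""
    return sorted(threats, key=lambda t: (t.score(), IMPACT[t.impact]), reverse=True)


def allocate(threats, budget):
    """Split a budget in proportion to score, so resources go where the threat is most significant."""
    total = sum(t.score() for t in threats)
    return {t.name: round(budget * t.score() / total, 2) for t in threats}


# Constructed risk register for the demo.
REGISTER = [
    Threat("ransomware via phishing email", "likely", "major"),
    Threat("insider data theft", "possible", "severe"),
    Threat("DDoS against public website", "likely", "moderate"),
    Threat("lost unencrypted laptop", "unlikely", "minor"),
    Threat("flood in server room", "rare", "severe"),
]

if __name__ == "__main__":
    for t in prioritise(REGISTER):
        print(f"{t.score():2d} {t.rating():8s} {t.name}")
    print(allocate(REGISTER, 100_000))
```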
Threat Trends
Top Cybersecurity Trends
Mobile cybersecurity becoming front and center
Source: https://www.kaspersky.com/
Top Cybersecurity Trends In 2023
https://youtu.be/s5rr-Tlw798
Threat Actors
A threat actor is an entity responsible for a cybersecurity incident.
• Nation-states are frequently the most sophisticated threat actors,
with dedicated resources and personnel, and extensive planning
and coordination. Some nation-states have operational
relationships with private sector entities and organized criminals.
• Cybercriminals are generally understood to have moderate
sophistication in comparison to nation-states. Nonetheless, they
still have planning and support functions in addition to specialized
technical capabilities that affect a large number of victims.
• Threat actors in the top tier of sophistication and skill, capable of
using advanced techniques to conduct complex and protracted
campaigns in the pursuit of their strategic goals, are often
called advanced persistent threats (APT). This designator is
usually reserved for nation-states or very proficient organized
crime groups.
• Hacktivists, terrorist groups, and thrill-seekers are typically at the
lowest level of sophistication as they often rely on widely
available tools that require little technical skill to deploy. Their
actions, more often than not, have no lasting effect on their
targets beyond reputation.
• Insider threats are individuals working within their organization
who are particularly dangerous because of their access to internal
networks that are protected by security perimeters. Access is a
key component for malicious threat actors, and having privileged
access eliminates the need to employ other remote means. Insider
threats may be associated with any of the other listed types of
threat actors but often include disgruntled employees.
Threat (Attack) Vector
In cybersecurity, a threat (attack) vector is a method of achieving unauthorized
network access to launch a cyber attack. Threat (Attack) vectors allow
cybercriminals to exploit system vulnerabilities to gain access to sensitive data,
personally identifiable information (PII), and other valuable information
accessible after a data breach.
Attack Surface
• An attack surface is the total
number of attack vectors an
attacker can use to
manipulate a network or
computer system or extract
data.
Goals
Goal (Motivation)
Cyber threat actors can be categorized by their motivations and, to a
degree, by their sophistication. Threat actors value access to devices,
processing power, computing resources, and information for different
reasons. In general, each type of cyber threat actor has a primary
motivation.
Ransomware
Ransomware is used to hold a victim's data for ransom.
Ransomware can include scareware, crypto malware, RaaS
and Lockers.
Scareware:
Scareware is generally used to scare a user into paying a ransom.
It can show a notification that adult material has been found on
the device and that, if X amount of money isn’t paid, the data will
be sent to the victim's loved ones. The attackers generally don’t
have any information, but they are betting on the fact that the
victim doesn’t want to ruin a happy marriage.
Lockers:
Lockers generally lock a user out of a computer and
demand a sum of money to regain access to their device.
These are sometimes incorporated with Scareware which can
lock a computer and then display a message about the adult
material.
Crypto malware:
The definition of ransomware we know today is generally this
one. It is a form of ransomware that encrypts user's data and
then holds the decryption key for ransom.
RaaS:
RaaS stands for “Ransomware as a Service” and is an interesting
modern twist on crypto malware. Organisations create the malware,
which attackers then load onto systems; the service provider handles
everything from the encryption to the payments and the decryption
keys, and receives a cut of the ransom as payment.
Protect against ransomware attacks
Update your device and turn on automatic updates
• Cybercriminals use known weaknesses to hack your devices. System updates have security upgrades to patch these weaknesses.
Turn on multi-factor authentication
• Having two-factor or multi-factor authentication increases your cyber security. Multi-factor authentication means there are two or more
checks in place to prove your identity before you can access your account.
Set up and perform regular backups
• The best recovery method for a ransomware attack is a regular offline backup made to an external storage device and a backup in the cloud.
Backing up and checking that backups restore your files offers peace of mind.
Implement access controls
• Controlling who can access what on your devices is an important step to minimise the risk of unauthorised access. It will also limit the
amount of data that ransomware attacks can encrypt, steal, and delete. Give users access and control only to what they need by restricting
administrator privileges.
Turn on ransomware protection
• Some operating systems offer ransomware protection. Make sure you enable this function to protect your devices.
Prepare your cyber emergency plan
• Ransomware Action Checklist and the Cyber Security Emergency Plan.
• It is important that these plans are easily accessible and known to all employees, especially in the event of a
ransomware incident.
Get to know your critical data
• Know what data is most important to you. With your business, personal information, or devices, you need to consider
what you:
• can and cannot replace,
• will invest to recover the information or device,
• are willing to live without, and
• must keep safe.
SYN Flood attacks are like buffer overflows, except that the attacker doesn’t wait for
the TCP handshake to complete. It just keeps sending connection requests until the target is offline.
2. Bootloader rootkit
Your computer’s bootloader is an important tool. It
loads your computer’s operating system when you
turn the machine on. A bootloader rootkit, then,
attacks this system, replacing your computer’s
legitimate bootloader with a hacked one. This means
that this rootkit is activated even before your
computer’s operating system turns on.
Rootkits (Cont.)
3. Memory rootkit
This type of rootkit hides in your computer’s RAM. These rootkits will carry
out harmful activities in the background. The good news? These rootkits
have a short lifespan. They only live in your computer’s RAM and will
disappear once you reboot your system, though sometimes further work is
required to get rid of them.
4. Application rootkit
Application rootkits replace standard files in your computer with rootkit files.
They might also change the way standard applications work. These rootkits
might infect programs such as Word, Paint, or Notepad. Every time you run
these programs, you will give hackers access to your computer. The
challenge here is that the infected programs will still run normally, making it
difficult for users to detect the rootkit.
Some types of spyware can change system settings to allow even more
data and personal information to become available to the malware
application.
Spyware includes the following forms of malware which you may have
heard of:
Adware:
Adware is a type of spyware that tracks your browser history and then
sells the data to advertising agencies to predict what products or
services you might be interested in; these ads can be displayed directly
on your computer. It isn’t always classified as dangerous malware,
which is why in the early days of anti-virus systems it wasn’t picked up by
many AVs. You would have to use a specialized adware scanner to
remove it.
Spyware
Trojan:
Trojans disguise themselves as legitimate software like
Java or flash applications. Trojans are almost always
managed by an end user, think of the Trojan horse which
was used by the Greeks to enter the city of Troy. The same
concept is related to the malware of the same name.
Tracking Cookies:
Like adware, these can be used to steal your browser cookies
and sell the information to marketing agencies.
System monitors:
These types of spyware can collect virtually all
information on your computer. They can steal
keystrokes, emails, browser and system information.
Keyloggers
4 Stages of
Malware Analysis
Types of Malware Analysis
The analysis may be conducted in a manner that is static, dynamic or a hybrid of the two.
Static Analysis
• Basic static analysis does not require that the code is actually run. Instead, static
analysis examines the file for signs of malicious intent. It can be useful to identify
malicious infrastructure, libraries or packed files.
• Technical indicators are identified, such as file names, hashes, strings (for example IP
addresses and domains) and file header data, and can be used to determine whether the file is
malicious. In addition, tools like disassemblers and network analyzers can be used to
observe the malware without actually running it in order to collect information on how
the malware works.
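A basic static pass of the kind described above, as an added example (not from the slides or any particular tool): it identifies the file type from header magic bytes, computes hashes, pulls printable strings, and matches IP addresses, domains, injection-related API names and packer section names. The sample bytes, the domain/IP and the API list are constructed for the demo.

```python
import hashlib
import re
import string

# Constructed sample "file": an MZ header followed by the kinds of embedded strings
# static analysis looks for (a C2 URL, an IP, injection API names, UPX packer tags).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\r\n\x00"
    + b"http://update-check.example.net/gate.php\x00203.0.113.7\x00"
    + b"CreateRemoteThread\x00VirtualAllocEx\x00UPX0\x00UPX1\x00"
)
MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable",
         b"PK\x03\x04": "ZIP archive (also Office/JAR)", b"%PDF": "PDF document"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|cn)\b", re.I)
# Windows APIs commonly paired with process injection (short illustrative list).
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}

def file_type(data):
    """Identify the file from its header magic bytes rather than its extension."""
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown")

def strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like the Unix `strings` tool."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, run = [], bytearray()
    for byte in data + b"\x00":          # trailing sentinel flushes the last run
        if byte in printable:
            run.append(byte)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

def analyze(data):
    found = strings(data)
    text = "\n".join(found)
    return {
        "type": file_type(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "ips": sorted(set(IP_RE.findall(text))),
        "domains": sorted(set(DOMAIN_RE.findall(text))),
        "suspicious_apis": sorted(SUSPICIOUS_APIS.intersection(found)),
        "packed": any(s.startswith("UPX") for s in found),   # packer section names
    }
```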
Dynamic Analysis
• Dynamic malware analysis executes suspected malicious code in a safe
environment called a sandbox. This closed system enables security
professionals to watch the malware in action without the risk of letting it
infect their system or escape into the enterprise network.
• Dynamic analysis provides threat hunters and incident responders with
deeper visibility, allowing them to uncover the true nature of a threat. As a
secondary benefit, automated sandboxing eliminates the time it would
take to reverse engineer a file to discover the malicious code.
Hybrid Analysis (includes both of the techniques above)
• Basic static analysis isn’t a reliable way to detect sophisticated malicious
code, and sophisticated malware can sometimes hide from the presence
of sandbox technology. By combining basic static and dynamic analysis
techniques, hybrid analysis provides the security team with the best of both
approaches, primarily because it can detect malicious code that is trying
to hide, and then can extract many more indicators of compromise (IOCs)
by statically analysing previously unseen code. Hybrid analysis helps detect
unknown threats, even those from the most sophisticated malware.