Cyber Security and Digital Forensics - Lec3
Vulnerability, Threat, and Risk
• Objectives
• On completion of this unit, you will be able to:
• ■ Categorize vulnerabilities and threat agents and vectors.
• ■ Understand social engineering and phishing attacks.
• ■ Identify different types of malware and malware protection.
Definitions…….
• In IT security, it is important to distinguish between the concepts
of threat, vulnerability, and risk
• ■ Vulnerability - a weakness that could be triggered accidentally
or exploited intentionally to cause a security breach.
• ■ Threat - the potential for a threat agent or threat actor
(something or someone that may trigger a vulnerability
accidentally or exploit it intentionally) to "exercise" a
vulnerability (that is, to breach security). The path or tool used by
the threat actor can be referred to as the threat vector.
• Alternatively, threats are circumstances or events with the potential to cause
harm to an information resource by exploiting vulnerabilities in a
system.
RISK……….
• ■ Risk - the likelihood and impact (or consequence) of a threat
actor exercising a vulnerability.
• Alternatively, risk is defined as the combination of the probability (or
likelihood) of an event and its consequences.
• The probability of an event is the likelihood that a given threat
will exploit an exposed vulnerability.
If there are no consequences or impact, it is considered no risk at all.
The greater the consequences or impact, the greater the risk.
• ■ Control/Countermeasure - a system or procedure put in place
to mitigate risk.
Types of Threat Agent
• Threat agents
An "agent" need not be human. For instance, confidentiality, integrity, and availability
could be threatened as much by an earthquake as they could by a hacker. Threat agents
include:
Hackers, Crackers, Black Hats, White Hats, and Script Kiddies
Experts in computer security are widely referred to as hackers.
A cracker is someone who breaks into a computer system with the intent of causing
damage or theft. Nowadays, the terms Black Hat (malicious) and White Hat
(non-malicious) are more widely used.
A script kiddie is someone who uses hacker tools without necessarily understanding how
they work or having the ability to craft new attacks.
A disgruntled employee is also a threat agent.
Types of threats
• External Threats
• Human threat sources described as external cover the whole range of malicious
attackers that could pose a threat to the organization's assets, including crackers,
script kiddies, thieves, organized crime, terrorists, war, and so on.
Within these groups, further distinctions as to motivation can be made, such as
whether an attacker is motivated by greed, curiosity, or has some sort of grievance.
Threat examples: criminal acts, data corruption, disease (epidemic), espionage, facility
flaws (freezing pipe, burst pipe), fire, flooding, industrial accidents, power surge, severe
storms, theft, supply chain interruptions.
Types of threats
• Malicious Insider Threats
• Malicious insider threat sources are attacks launched by the
organization's own staff, partners, or contractors, e.g. a disgruntled
employee.
A malicious insider is: A current or former employee, contractor, or business
partner who has or had authorized access to an organization’s network,
system, or data and intentionally exceeded or misused that access in a
manner that negatively affected the confidentiality, integrity, or availability
of the organization’s information or information systems.
Types of threats
• Natural Disaster
Natural disaster is fairly self-explanatory; these are threat sources such as river or sea
floods, earthquakes, and electrical storms. Most natural threats are unpredictable and may
be extremely damaging.
Natural disasters may be quite predictable (as is the case with areas prone to flooding or
storm damage) or unexpected, and therefore difficult to plan for.
Environmental threat
Environmental threat sources are those caused by some sort of failure in the built
environment. These could include power or telecoms failure or pollution or accidental
damage.
Threat types
• Legal and Commercial Threats
In addition to threats to assets and staff members, an organization can be made
vulnerable because of misuse of equipment by its employees or attackers.
Some examples include:
■ Downloading or distributing obscene material.
■ Defamatory comments published on social networking sites.
■ Hijacked mail or web servers used for spam or phishing attacks.
■ Third-party liability for theft or damage of personal data.
■ Accounting and regulatory liability to preserve accurate records.
These cases are often complex, but even if there is no legal liability the damage done to the
organization's reputation could be just as serious.
threats
• Social Engineering
• Protecting against natural or environmental disasters is important, but most of
the focus in computer security is on deterring malicious external and insider
threats. Attackers can use a diverse range of techniques to compromise a
security system.
• A pre-requisite of many types of attack is to obtain information about the
network and security system.
• Social engineering refers to means of getting users to reveal confidential
information.
Social engineering
• Impersonation
Some people have the sort of natural charisma that allows them to persuade others
to do as they request. One of the basic tools of a social engineer is simply to be
affable and likable and to present the requests they make as completely reasonable
and unobjectionable.
This approach is relatively low risk as even if the request is refused, it is less likely
to cause suspicion and the social engineer may be able to move on to a different
target without being detected.
A social engineering attack can use this instinct either to persuade the target that to
refuse a request would be odd ("That's not something anyone else has ever said no
to") or to exploit polite behavior.
Social engineering….
• Authority and Intimidation
Many people find it difficult to refuse a request by someone they perceive as
superior in rank or expertise. Social engineers can try to exploit this behavior to
intimidate their target by pretending to be someone senior.
Another attack might be launched by impersonating someone who would often be
deferred to, such as a police officer, judge, or doctor.
Social engineering can exploit the fact that few people are willing to admit
ignorance. Compared to using a familiarity / liking sort of approach, this sort of
adversarial tactic might be more risky to the attacker as there is a greater chance of
arousing suspicion and the target reporting the attack attempt.
Social engineering….
• Scarcity and Urgency
Often also deployed by salespeople, creating a false sense of scarcity or urgency can
disturb people's ordinary decision-making process. The social engineer can try to
pressure their target by demanding a quick response. For example, the social engineer
might try to get the target to sign up for a "time-limited" or "invitation-only" trial and
request a username and password for the service (hoping that the target will offer a
password they have used for other accounts).
Dumpster Diving refers to combing through an organization's (or individual's) refuse
to try to find useful documents (or even files stored on discarded removable media).
Shoulder surfing refers to stealing a password or PIN (or other secure information)
by watching the user type it. Despite the name, the attacker may not have to be in
close proximity to the target - they could use high-power binoculars or CCTV to
directly observe the target remotely.
Cont’d…..
• Lunchtime Attack
2) When considering non-accidental threats, what important distinctions can be made to identify different
threat sources?
3) Apart from natural disaster, what type of events threaten physical damage to assets?