
Cyber security and digital forensics
Lecture 3
Vulnerability, Threat, and Risk
• Objectives
• On completion of this unit, you will be able to:
■ Categorize vulnerabilities and threat agents and vectors.
■ Understand social engineering and phishing attacks.
■ Identify different types of malware and malware protection.
Definitions
• In IT security, it is important to distinguish between the concepts of threat, vulnerability, and risk:
■ Vulnerability - a weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
■ Threat - the potential for a threat agent or threat actor (something or someone that may trigger a vulnerability accidentally or exploit it intentionally) to "exercise" a vulnerability (that is, to breach security). The path or tool used by the threat actor can be referred to as the threat vector.
• Alternatively, threats are circumstances or events with the potential to cause harm to an information resource by exploiting vulnerabilities in a system.
Risk
■ Risk - the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
• Alternatively, risk is defined as the combination of the probability (or likelihood) of an event and its consequences.
• The probability of an event is the likelihood that a given threat will exploit an exposed vulnerability.
• If there are no consequences or impact, it is considered no risk at all. The greater the consequences or impact, the greater the risk.
■ Control/Countermeasure - a system or procedure put in place to mitigate risk.
Types of Threat Agent
• Threat agents
An "agent" need not be human. For instance, confidentiality, integrity, and availability could be threatened as much by an earthquake as by a hacker. Threat agents include:
Hackers, Crackers, Black Hats, White Hats, and Script Kiddies
Experts in computer security are widely referred to as hackers. A cracker is someone who breaks into a computer system with the intent of causing damage or theft. Nowadays, the terms Black Hat (malicious) and White Hat (non-malicious) are more widely used.
A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks.
A disgruntled employee is also a threat agent.
Types of threats
• External Threats
• Human threat sources described as external cover the whole range of malicious attackers that could pose a threat to the organization's assets, including crackers, script kiddies, thieves, organized crime, terrorists, war, and so on.
Within these groups, further distinctions as to motivation can be made, such as whether an attacker is motivated by greed, curiosity, or some sort of grievance.
Threat examples: criminal acts, data corruption, disease (epidemic), espionage, facility flaws (freezing pipe, burst pipe), fire, flooding, industrial accidents, power surge, severe storms, theft, supply chain interruptions.
Types of threats
• Malicious Insider Threats
• Malicious insider threat sources are attacks launched by the organization's own staff, partners, or contractors, e.g. a disgruntled employee.
A malicious insider is a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
Types of threats
• Natural Disaster
Natural disaster is fairly self-explanatory; these are threat sources such as river or sea floods, earthquakes, and electrical storms. Most natural threats are unpredictable and may be extremely damaging.
Natural disasters may be quite predictable (as is the case with areas prone to flooding or storm damage) or unexpected, and therefore difficult to plan for.
• Environmental threat
Environmental threat sources are those caused by some sort of failure in the built environment. These could include power or telecoms failure, pollution, or accidental damage.
Threat types
• Legal and Commercial Threats
In addition to threats to assets and staff members, an organization can be made vulnerable because of misuse of equipment by its employees or attackers. Some examples include:
■ Downloading or distributing obscene material.
■ Defamatory comments published on social networking sites.
■ Hijacked mail or web servers used for spam or phishing attacks.
■ Third-party liability for theft or damage of personal data.
■ Accounting and regulatory liability to preserve accurate records.
These cases are often complex, but even if there is no legal liability the damage done to the organization's reputation could be just as serious.
Threats
• Social Engineering
• Protecting against natural or environmental disasters is important, but most of the focus in computer security is on deterring malicious external and insider threats. Attackers can use a diverse range of techniques to compromise a security system.
• A prerequisite of many types of attack is to obtain information about the network and security system.
• Social engineering refers to means of getting users to reveal confidential information.
Social engineering
• Impersonation
Impersonation (pretending to be someone else) is one of the basic social engineering techniques. The classic impersonation attack is for an attacker to phone into a department, claim they have to adjust something on the user's system remotely, and get the user to reveal their password. For this attack to succeed the approach must be convincing and persuasive.
Social engineering
• Familiarity / Liking
Some people have the sort of natural charisma that allows them to persuade others to do as they request. One of the basic tools of a social engineer is simply to be affable and likable and to present the requests they make as completely reasonable and unobjectionable.
This approach is relatively low risk as even if the request is refused, it is less likely to cause suspicion and the social engineer may be able to move on to a different target without being detected.
A social engineering attack can use this instinct either to persuade the target that to refuse a request would be odd ("That's not something anyone else has ever said no to") or to exploit polite behavior.
Social engineering
• Authority and Intimidation
Many people find it difficult to refuse a request by someone they perceive as superior in rank or expertise. Social engineers can try to exploit this behavior to intimidate their target by pretending to be someone senior. Another attack might be launched by impersonating someone who would often be deferred to, such as a police officer, judge, or doctor.
Social engineering can exploit the fact that few people are willing to admit ignorance. Compared to using a familiarity / liking sort of approach, this sort of adversarial tactic might be more risky to the attacker as there is a greater chance of arousing suspicion and the target reporting the attack attempt.
Social engineering
• Scarcity and Urgency
Often also deployed by salespeople, creating a false sense of scarcity or urgency can disturb people's ordinary decision-making process. The social engineer can try to pressure their target by demanding a quick response. For example, the social engineer might try to get the target to sign up for a "time-limited" or "invitation-only" trial and request a username and password for the service (hoping that the target will offer a password they have used for other accounts).
• Dumpster Diving refers to combing through an organization's (or individual's) refuse to try to find useful documents (or even files stored on discarded removable media).
• Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be in close proximity to the target - they could use high-power binoculars or CCTV to observe the target remotely.
Cont'd
• Lunchtime Attack
Most authentication methods are dependent on the physical security of the workstation. If a user leaves a logged-on workstation unattended, an attacker can gain access to the system using the logged-on profile (often described as a lunchtime attack).
Most operating systems are set to activate a password-protected screen saver after a defined period of no keyboard or mouse activity. Users should also be trained to lock or log off the workstation whenever they leave it unattended.
Cont'd
• Tailgating
Tailgating (or piggybacking) is a means of entering a secure area without authorization by following close behind a person who has been allowed to open the door or checkpoint. This might be done without the target's knowledge, or may be a means for an insider to allow access to someone without recording it in the building's entry log.
Another technique is to persuade someone to hold a door open, using an excuse such as "I've forgotten my badge / key".
Cont'd
• Phishing
Phishing is a combination of social engineering and spoofing (disguising one computer resource as another). In the case of phishing, the attacker sets up a spoof website to imitate a target bank or ecommerce provider's secure website. The attacker then emails users of the genuine website informing them that their account must be updated, supplying a disguised link that actually leads to the spoofed site. When the user authenticates with the spoofed site, their log-on details are captured.
For example, www.bankofafrica.co.ug may be the true and genuine website, but the attacker shares a different link, www.bakofafrica.co.ug, and prompts the user to input their credentials there.
Another technique is to spawn a "pop-up" window when a user visits a genuine banking site to try to trick them into entering their credentials through the pop-up.
Threats
• Spear Phishing / Whaling
Spear phishing refers to a phishing scam where the attacker has some information that makes the target more likely to be fooled by the attack. The attacker might know the name of a document that the target is editing, for instance, and send a malicious copy; or the phishing email might show that the attacker knows the recipient's full name, job title, telephone number, or other details that help to convince the target that the communication is genuine.
A spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big beasts") is sometimes called whaling. Upper management may also be more vulnerable to ordinary phishing attacks because of their reluctance to learn basic security procedures.
Threats
• Pharming
Pharming is another means of redirecting users from a legitimate website to a malicious one. Rather than using social engineering techniques to trick the user, however, pharming relies on corrupting the way the victim's computer performs internet name resolution, so that they are redirected from the genuine site to the malicious one.
For example, if mybank.com should point to the IP address w.x.y.z, a pharming attack would corrupt the name resolution process to make it point to IP address a.b.c.d.
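As an added example (not part of the lecture), the following Python shows how a defender can detect the two classic levers of the pharming described above: a tampered hosts file that overrides a trusted name, and a name that resolves to an address outside its expected set. The pinned addresses, the sample hosts file and the stand-in resolver are constructed for illustration, using RFC 5737 documentation ranges in place of the slide's w.x.y.z and a.b.c.d.

```python
"""
Pharming check: verify that trusted names still resolve where they should.
Added example; EXPECTED, SAMPLE_HOSTS and constructed_resolver are made up.
"""
from typing import Callable, Dict, Iterable, List, Set

# Constructed pin list: addresses each trusted name is expected to resolve to
# (the slide's "w.x.y.z"). 192.0.2.0/24 is a documentation range.
EXPECTED: Dict[str, Set[str]] = {
    "mybank.com": {"192.0.2.10", "192.0.2.11"},
}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file syntax ('address name [alias ...]', '#' comments)
    into a name -> address map. Most systems consult this file before DNS,
    so an entry for a bank's domain is a classic pharming lever."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def hosts_overrides(text: str, watched: Iterable[str]) -> Dict[str, str]:
    """Return the watched (trusted) names that the hosts file redirects."""
    hosts = parse_hosts(text)
    return {n: hosts[n.lower()] for n in watched if n.lower() in hosts}


def resolution_anomalies(resolve: Callable[[str], List[str]],
                         expected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Resolve each pinned name with the supplied resolver and report every
    address outside its expected set. The resolver is injected so the same
    check can run against the system resolver, a specific DNS server, or a
    constructed result, as below."""
    anomalies: Dict[str, List[str]] = {}
    for name, good in expected.items():
        bad = [ip for ip in resolve(name) if ip not in good]
        if bad:
            anomalies[name] = bad
    return anomalies


# Constructed sample: a hosts file after tampering. 198.51.100.7 plays the
# role of the attacker's server (the slide's "a.b.c.d").
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# entry added by malware: send the bank's customers elsewhere
198.51.100.7  mybank.com www.mybank.com
"""


def constructed_resolver(name: str) -> List[str]:
    """Stand-in for a DNS lookup on a pharmed machine."""
    return {"mybank.com": ["198.51.100.7"]}.get(name, [])


if __name__ == "__main__":
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS, EXPECTED))
    print("resolution anomalies:", resolution_anomalies(constructed_resolver, EXPECTED))
```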
Mitigating Social Engineering Attacks
• Social engineering is best defeated by training users to recognize and respond to situations.
■ Train employees to release information or make privileged use of the system only according to standard procedures.
■ Establish a reporting system for suspected attacks - though the obvious risk here is that a large number of false negatives will be reported.
■ Train employees to identify phishing and pharming style attacks, plus new styles of attack as they develop in the future.
■ Train employees not to release any work-related information on third-party sites or social networks (and especially not to reuse passwords used for accounts at work).
Other measures include ensuring documents and information are destroyed before disposal, using multifactor access control to put more than one or two barriers between an attacker and his or her target, and restricting use of administrative accounts as far as possible.
Malware
• Malware is a catch-all term to describe malicious software threats and social engineering tools designed to vandalize or compromise computer systems.
Computer viruses are programs designed to replicate and spread amongst computers, usually by "infecting" executable applications or program code.
There are several different types of virus and they are generally classified by the different ways they can infect the computer (the vector). For example:
■ Boot sector viruses - these attack the boot sector information, the partition table, and sometimes the file system.
■ Program viruses - these are sequences of code that insert themselves into another executable program. When the application is executed, the virus code becomes active.
■ Script viruses - scripts are powerful languages used to automate OS functions and add interactivity to web pages. Scripts are executed by an interpreter rather than self-executing. Most script viruses target vulnerabilities (exploits) in the interpreter.
■ Macro viruses - these viruses affect Microsoft Office documents, and have become very prevalent because of the wide distribution of these documents, especially over the internet.
Worms
Worms are memory-resident viruses that replicate over network resources. A worm is self-contained; that is, it does not need to attach itself to another executable file. They typically target some sort of vulnerability in a network application, such as a database server. The primary effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates.
A worm may also be able to crash an operating system or server application (performing a Denial of Service attack). Also, like viruses, worms can carry a payload that may perform some other malicious action (such as installing a backdoor).
Logic Bombs
• Some viruses do not trigger automatically. Having infected a system, they wait for a preconfigured time or date (time bomb) or a system or user event (logic bomb).
Logic bombs need not be viruses; a typical example is a system administrator bearing a grudge leaving a scripted trap that runs in the event of their account being deleted or disabled.
Anti-virus software is unlikely to detect this kind of malicious script or program. This type of trap is also referred to as a mine.
Trojans and Botnets
• A Trojan Horse (often just called a Trojan) is a program (often harmful) that pretends to be something else. For example, you might download what you think is a new game, but when you run it, it deletes files on your hard drive; or the third time you start the game, the program emails your saved passwords to another person.
There is also the case of rogueware or scareware (fake anti-virus), where a web pop-up claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker's Trojan.
Backdoors
• A backdoor is typically an access method that is installed without the user's knowledge. This might arise because the user has unwittingly installed malware such as a Trojan, but backdoors can be created in other ways too.
Programmers may create backdoors in software applications to use for testing and development that are subsequently not removed when the application is deployed. This is more likely to affect bespoke applications, but there have been instances of known backdoors and exploits in commercial software.
Backdoors are also created by misconfiguration of software or hardware that allows access to unauthorized users. Examples include leaving a router configured with the default administrative password, having a Remote Desktop connection configured with an insecure password, or leaving a modem open to receive dial-up connections.
Spyware
• Spyware is a program that monitors user activity and sends the information to someone else.
It may be installed with or without the user's knowledge. Aggressive spyware or Trojans known as "key loggers" actively attempt to steal confidential information, for example by capturing a credit card number by recording key strokes entered into a web form.
Another spyware technique is to spawn browser pop-up windows to try to direct the user to other websites, often of dubious provenance.
Adware is any type of software or browser plug-in that displays adverts. Some adware may exhibit spyware-like behavior, however, by tracking the websites a user visits and displaying targeted ads, for instance.
Rootkit
• Many Trojans cannot conceal their presence entirely and will show up as a running service. Often the service name is configured to be similar to a genuine process to avoid detection. For example, a Trojan may use the filename "run32d11" to masquerade as "run32dll".
One class of backdoor that is harder to detect is the rootkit.
Ransomware
Ransomware is a type of malware that tries to extort money from the victim.
One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism.
Another class of ransomware attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker.
If successful, this sort of attack is extremely difficult to mitigate, unless the user has up-to-date backups of the encrypted files.
Preventing Malware
• Viruses and worms could easily be described as a "mature" threat. There are thousands of examples, some of which have been extraordinarily virulent ("Melissa", "I Love You", "Code Red", "Slammer", or "Conficker", for instance).
Anti-virus techniques are essential to mitigating the effect of these threats, as well as more targeted malware attacks, such as Trojans and spyware.
While anti-virus software is important, informed and sensible user behavior and corporate security policies are the best defense against malware.
Preventing malware
• A number of steps can be taken to reduce the risk of virus infection:
■ Carry out regular backups that allow data to be recovered in case of loss due to a virus infection.
■ Apply operating system and application security patches.
■ Install (and keep up to date) a virus checker on workstations and servers. Most network anti-virus software can be configured to push updates to clients automatically and force scanning of file and email systems.
■ Configure filtering on the messaging server - this will prevent most unsolicited messages (spam) arriving at the server from getting to the users' mailboxes.
■ Properly secure servers and workstations - remember that a virus can only infect other program files if it has write permissions on the files. Ensure that all system and program files are properly secured. Do not grant users more than sufficient permissions. Do not log on using administrative privileges except to perform administrative tasks.
Preventing malware
■ Educate users about not running untrusted installers and browser plug-ins - and supplement this with procedures that will prevent files, such as executables and Office macros, from being allowed to run. This could be accomplished (for instance) by only allowing digitally signed code to be executed.
■ Educate users to help them identify phishing sites by inspecting the URL and looking for the telltale signs of a faked site, such as incorrect logos, spelling errors, or pop-up login forms.
■ Audit system events (such as logons) and review logs for unusual activity.
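Three passages in this lecture turn on the same trick, a name that is one or two characters away from a trusted one: the phishing link www.bakofafrica.co.ug standing in for www.bankofafrica.co.ug, the Trojan file named run32d11 to masquerade as run32dll, and the advice above to teach users to inspect the URL. The Python below is an added example (not from the lecture) of the check a mail filter or endpoint monitor can automate: measure the edit distance between a hostname or process name and an allowlist and flag near misses; the allowlists are constructed for illustration.

```python
"""
Near-miss name check for lookalike hostnames and masquerading file names.
Added example; TRUSTED_HOSTS and TRUSTED_BINARIES are constructed lists.
"""
from typing import Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed allowlists. In practice these come from the organisation's own
# list of genuine sites and of known system binaries.
TRUSTED_HOSTS: Set[str] = {"www.bankofafrica.co.ug", "mybank.com"}
TRUSTED_BINARIES: Set[str] = {"run32dll", "svchost", "explorer"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(name: str, trusted: Set[str],
             max_dist: int = 2) -> Tuple[str, Optional[str]]:
    """Label a name against an allowlist.

    Returns ("trusted", name) for an exact (case-insensitive) match,
    ("lookalike", closest) when the name is within max_dist edits of a
    trusted name, and ("unknown", None) otherwise. Two edits cover the
    slides' examples (one dropped letter; two 1-for-l swaps) while leaving
    genuinely unrelated names alone."""
    name = name.lower()
    if name in trusted:
        return "trusted", name
    closest = min(trusted, key=lambda t: edit_distance(name, t))
    if edit_distance(name, closest) <= max_dist:
        return "lookalike", closest
    return "unknown", None


def check_url(url: str) -> Tuple[str, Optional[str]]:
    """Pull the hostname out of a link and classify it. A bare host such as
    the slide's www.bakofafrica.co.ug is accepted by assuming http://."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return classify(host, TRUSTED_HOSTS)


if __name__ == "__main__":
    for link in ("https://www.bankofafrica.co.ug/login",
                 "www.bakofafrica.co.ug", "http://example.org/"):
        print(link, "->", check_url(link))
    print("run32d11 ->", classify("run32d11", TRUSTED_BINARIES))
```

A hostname that is a legitimate subdomain of a trusted site (for example a login host under mybank.com) is several edits away and is reported as unknown, so in practice the allowlist should hold every genuine host, not just the apex domain.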

Threats summary
Threats can be internal or external, intentional or unintentional. They may be caused by natural events or by political, economic or competitive factors.
• Categories/types:
• Physical threats
• Natural events
• Loss of essential services
• Disturbance due to radiation
• Compromise of information
• Technical failures
• Unauthorised actions
• Compromise of functions
• Malicious attack
• Accidental
• Error
• Failure
• An information security manager should document all the threats that may apply to the systems and business processes under review.

Sources of information regarding threats:
• Assessments
• Audits
• Business continuity plans
• Financial statements
• Government publications
• Human resources
• Insurance companies
• Media
• Product vendors
• Security companies
• Service providers
• Threat monitoring agencies
• Users
Answer these questions to test what you have learned in this unit.
1) What is a lunchtime attack?

2) When considering non-accidental threats, what important distinctions can be made to identify different
threat sources?

3) Apart from natural disaster, what type of events threaten physical damage to assets?

4) What distinguishes a rootkit from other types of Trojan?

5) True or false? All backdoors are created by malware such as rootkits.

6) What techniques does anti-virus software use to identify threats?

7) What techniques do viruses use to avoid detection by anti-virus software?

8) How do social engineering attacks succeed?

9) Is the goal of social engineering to gain access to premises or a computer system?

10) What is shoulder surfing?
