Lecture 2 - f24.pptx
Transcript
Cybersecurity Threats, Vulnerabilities, and Attacks Common Threats Threat Domains A ‘threat domain’ is considered an area of control, authority, or protection that attackers can exploit to gain access to a system. Attackers can exploit systems within a domain through: Direct, physical access...
Cybersecurity Threats, Vulnerabilities, and Attacks Common Threats Threat Domains A ‘threat domain’ is considered an area of control, authority, or protection that attackers can exploit to gain access to a system. Attackers can exploit systems within a domain through: Direct, physical access to systems and networks. Wireless networking extends beyond an organization’s boundaries. Bluetooth or near-field communication (NFC) devices. Malicious email attachments. Less secure elements within an organization’s supply chain. An organization’s social media accounts. Removable media such as flash drives. Cloud Vulnerabilities. Deep Fakes. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 Common Threats Types of Cyber Threats Category Types of Cyber Threats Software Attacks A successful denial-of-service (DoS attack). A computer virus. Software Errors A software bug. An application going offline. A cross-site script or illegal file server share. Sabotage An authorized user compromising an organization’s primary database. The defacement of an organization’s website. Human Error Inadvertent data entry errors. A firewall misconfiguration. Theft Laptops or equipment being stolen from an unlocked room. Hardware Failures Hard drive crashes Utility Interruption Electrical power outages. Water damage resulting from sprinkler failure. Natural Disasters Severe storms such as hurricanes or tornados. Earthquakes. Floods. Fires. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 Common Threats Internal vs External Threats Valuable, sensitive information is personnel records, intellectual property, and financial data. Internal threats Accidentally or intentionally carried out by current or former employees and other contract partners. Operation of servers or network infrastructure devices are compromised by connecting infected media or by accessing malicious emails or websites. External threats It usually comes from amateur or skilled attackers. Attacks can exploit vulnerabilities in networked devices or can use social engineering techniques. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 Common Threats User Threats and Vulnerabilities A user domain includes anyone accessing an organization’s information system, including employees, customers, and contract partners. Users are the weakest link in information security systems, posing a significant threat to the confidentiality, integrity, and availability of an organization’s data. Examples of User Threats are: No awareness of security policies Poorly enforced security policies Data theft Unauthorized activity: downloads, media, VPNs, websites Destruction of systems, applications, or data © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 Common Threats Threats to Devices Devices left powered on and unattended. Downloading files, photos, music or videos from unreliable sources. Software with vulnerabilities installed on an organization’s devices. New viruses, worms and other type of malware. Insertion of unauthorized USB drives, CDs or DVDs on networking devices. No policies in place to protect an organization’s IT infrastructure. Use of outdated hardware or software. IoT device vulnerabilities. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 Common Threats Threat Complexity Software vulnerabilities occur because of programming mistakes, protocol vulnerabilities, or system misconfigurations. Some of the attack methods by cybercriminals are: Advanced persistent threat (APT): a continuous attack that uses elaborate espionage tactics involving multiple actors and sophisticated malware. More advanced threats like Zero Trust evasion tactics and AI-powered attacks. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 Common Threats Backdoors and Rootkits Cybercriminals also use many different types of malware to carry out their attacks. Some common types are: Backdoors Cybercriminals use programs to gain unauthorized access to a system by bypassing the standard authentication procedures. A remote administrative tool (RAT) program runs on the user's machine to install a backdoor to provide administrative control over a target computer. Rootkits Modify the operating system to create a backdoor, which attackers can use to access the computer remotely. Most use software vulnerabilities to access resources that should not be accessible (privilege escalation) and modify system files. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 Deception Social Engineering Social engineering is a non-technical strategy that attempts to manipulate individuals into performing specific actions or divulging confidential information. Some common types of social engineering attacks are: Pretexting: This occurs when an individual lies to gain access to confidential data. Something for something (quid pro quo): Involves a request for personal information in exchange for something, like a gift. Identity fraud: Uses a person’s stolen identity to obtain goods or services by deception. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 Deception Shoulder Surfing and Dumpster Diving Shoulder Surfing A simple attack involves observing or looking over a target's shoulder to gain valuable information such as PINs, access codes, or credit card details. Criminals do not always have to be near their victim-to-shoulder surf — they can use binoculars or security cameras to obtain this information. Dumpster Diving The process of going through a target's trash to see discarded information. Documents containing sensitive information should be shredded or stored in burn bags until destroyed by fire after a certain period. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 Deception Impersonation and Hoaxes Cybercriminals have many other deception techniques to help them succeed. Impersonation Act of tricking someone into doing something they would not ordinarily do by pretending to be someone else. Criminals can also use impersonation to attack others. Hoax An act intended to deceive or trick someone can cause just as much disruption as an actual security breach. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 Deception Defending Against Deception Organizations must promote awareness of social engineering tactics and adequately educate employees on prevention measures. Here are some top tips: Never disclose confidential information or credentials via email, chat, text messages, in-person, or phone to unknown parties. Resist the urge to click on enticing emails and web links. Be wary of uninitiated or automatic downloads. Establish and educate employees on key security policies. Encourage employees to take ownership of security issues. Do not give in to pressure from unknown individuals. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Cyber Attacks What's the Difference? Cybercriminals use many different types of malware to carry out attacks. The three most common types of malware are: Virus Type of computer program that, when executed, replicates and attaches itself to other files, such as a legitimate program, by inserting its code into it. Worms It replicates by independently exploiting vulnerabilities in networks. Trojan horse It carries out malicious operations by masking its true intent. It might appear legitimate but is, in fact, very dangerous. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 Cyber Attacks What's the Difference? A computer virus has three parts: 1. Infection mechanism: The means by which a virus spreads, enabling it to replicate. The mechanism is also referred to as the infection vector. 2. Trigger: The event or condition that determines when the payload is activated or delivered. 3. Payload: What the virus does, besides spreading. The payload may involve damage or may involve nonthreatening but noticeable activity. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 Cyber Attacks Logic Bombs A malicious program that waits for a trigger, such as a specified date or database entry, to set off the malicious code. Until this trigger event happens, the logic bomb will remain inactive. Once activated, it implements a malicious code that causes harm to a computer in various ways. It can sabotage database records, erase files and attack operating systems or applications. Logic bombs attack and destroy the hardware components in a device or server, including the cooling fans, CPU, memory, hard drives, and power supplies were recently discovered. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 Cyber Attacks Ransomware Designed to hold a computer system or the data it contains captive until completed payment. It usually works by encrypting data so the owner cannot access it. A demanded ransom paid through an untraceable payment system, the cybercriminal provides a program that decrypts files or sends an unlock code – but many victims do not gain access to their data even after paying. Some versions of ransomware can take advantage of specific system vulnerabilities to lock it down. Spread through phishing emails that encourage downloading malicious attachments or a software vulnerability. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16 Cyber Attacks Denial of Service Attacks The type of network attack is relatively simple to conduct, even for an unskilled attacker. They usually result in some interruption to network services, causing a significant loss of time and money. The two main types of DoS attacks are: The overwhelming quantity of traffic: When a network, host, or application sends an enormous amount of data at a rate it cannot handle, it causes a slow transmission or response or causes the device or service to crash. Maliciously formatted packets: Sends a maliciously formatted packet, and the receiver will be unable to handle it. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17 Cyber Attacks Man-in-the-Middle and Man-in-the-Mobile Attacks Attackers can intercept or modify communications between two devices to steal information from or impersonate one of the devices. MitM (Man-in-the-Middle) It happens when a cybercriminal takes control of a device without the user’s knowledge. With this level of access, an attacker can intercept, manipulate and relay false information between the sender and the intended destination. Wi-Fi vulnerabilities (e.g., KRACK attacks on WPA2) and cloud-based MitM attacks. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18 Cyber Attacks Zero-Day Attacks It exploits software vulnerabilities before they become known or before the software vendor discloses them. A network is highly vulnerable to attack between the time an exploit is discovered (zero hours) and the time it takes for the software vendor to develop and release a patch that fixes this exploit. Defending against such fast-moving attacks requires network security professionals to adopt a more sophisticated and holistic view of any network architecture. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19 Cyber Attacks Keyboard Logging It refers to recording or logging every key struck on a computer’s keyboard. Cybercriminals log keystrokes via software installed on a computer system or through hardware devices that are physically attached to a computer and configure the keylogger software to send the log file to the criminal. Because it has recorded all keystrokes, this log file can reveal usernames, passwords, websites visited, and other sensitive information. Many anti-spyware suites can detect and remove unauthorized key loggers. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 Cyber Attacks Defending Against Attacks Organizations can take several steps to defend against various attacks. These include: Configure firewalls to remove any packets from outside the network with addresses indicating that they originated inside the network. Ensure patches and upgrades are current. Distribute the workload across server systems. Network devices use ICMP packets to send error and control messages. Organizations can block external ICMP packets with their firewalls to prevent DoS and DDoS attacks. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21 Application Attacks Cross-Site Scripting Cross-site scripting (XSS) is a common vulnerability in many web applications. This is how it works: Cybercriminals exploit the XSS vulnerability by injecting scripts containing malicious code into a web page. The victim accesses the web page, and the malicious scripts unknowingly pass to their browser. The malicious script can access any cookies, session tokens, or other sensitive information about the user, which is sent back to the cybercriminal. Armed with this information, the cybercriminal can impersonate the user. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22 Application Attacks Buffer Overflow Buffers are memory areas allocated to an application. A buffer overflow occurs when data is written beyond the limits of a buffer. By changing data beyond the boundaries of a buffer, the application can access memory allocated to other processes. This can lead to a system crash, data compromise, or provide escalation of privileges. These memory flaws can also give attackers complete control over a target’s device. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 Application Attacks Remote Code Executions Remote code execution allows a cybercriminal to take advantage of application vulnerabilities to execute any command with the privileges of the user running the application on the target device. Privilege escalation exploits a bug, design flaw, or misconfiguration in an operating system or software application to access usually restricted resources. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24 Application Attacks Defending Against Application Attacks You can take several actions to defend against an application attack. Some of them are: The first defense against an application attack is to write solid code. Prudent programming practice involves treating and validating all input from outside of a function as if it is hostile. Keep all software, including operating systems and applications, up to date, and do not ignore update prompts. Remember that not all programs update automatically. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25 Application Attacks Spam Spam (junk mail) is unsolicited email and, in most cases, is an advertising method. A lot of spam is sent in bulk by computers infected by viruses or worms — and often contains malicious links, malware, or deceptive content that aims to trick recipients into disclosing sensitive information. Almost all email providers filter spam, but it still consumes bandwidth. And even if you have implemented security features, some spam might get through to you. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 Application Attacks Spam (Cont.) Some indicators of spam: The email has no subject line. The email asks you to update your account details. The email text contains misspelled words or strange punctuation. Links within the email are long and cryptic. The email looks like correspondence from a legitimate business, but there are tiny differences — or it contains information that does not seem relevant to you. The email asks you to open an attachment, often urgently. If you receive an email containing one or more indicators, you should not open the email or any attachments. Many organizations have an email policy that requires employees to report receipt of this type of email to their cybersecurity team for further investigation. If in doubt, always write. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27 Application Attacks Phishing Phishing is a form of fraudulent activity often used to steal personal information. Phishing It occurs when a user is contacted by email or instant message — or in any other way — by someone masquerading as a legitimate person or organization. The intent is to trick the recipient into installing malware on their device or into sharing personal information, such as login credentials or financial information. Spear phishing A highly targeted attack, spear phishing sends customized emails to a specific person based on information the attacker knows about them — which could be their interests, preferences, activities, and work projects. In 2020, BEC attacks were responsible for the loss of over $1.8 billion, primarily by targeting executives using tailored spear-phishing emails. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28 Application Attacks Vishing, Pharming and Whaling Criminals make use of a wide range of techniques to try to gain access to your personal information. Some of their common scams are: Vishing: This type of attack sees criminals use voice communication technology to encourage users to divulge information, such as credit card details. Farming: This attack deliberately misdirects users to a fake version of an official website. Whaling: A phishing attack targets high-profile individuals, such as senior executives within an organization, politicians, and celebrities. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29 Application Attacks Defending Against Email and Browser Attacks Some of the important actions that you can take to defend against email and browser attacks: It is difficult to stop spam, but there are ways to reduce its effects: Most Internet service providers (ISPs) filter spam before it reaches the user’s inbox. Many antivirus and email software programs automatically detect and remove dangerous spam from an email inbox. Organizations should educate employees about the dangers of unsolicited emails and make them aware of the risks of opening attachments. Always scan email attachments before opening them. Become a member of the Anti-Phishing Working Group (APWG). It is an international association of companies focused on eliminating identity theft and fraud resulting from phishing and email spoofing. All software should be kept up-to-date, with the latest security patches, to protect against known vulnerabilities. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30 Application Security Lab - Online Malware Investigation Tools In this lab, you will complete the following objectives: Part 1: Perform Static Analysis Part 2: Reviewing Dynamic Analysis Results © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31 Assignment - Explore Social Engineering Techniques In this assignment, you will complete the following objectives: Part 1: Explore Social Engineering Techniques Part 2: Create a Cybersecurity Awareness Poster © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
