Unit 2. Cybercrime PDF
Mutah University
Professor AlTarawneh M.S
Summary
This presentation covers the topic of cybercrime, including what it is, different types of cybercrime, and examples. It also details cyber attack vectors and how to avoid them. The presentation was given at Mutah University-Faculty of Engineering.
Full Transcript
Unit 2. Cybercrime
Professor AlTarawneh M.S

Agenda
2.1 Cybercrime organization
2.2 Main attack vectors
2.3 Classification of cyber threats and cybercrimes
2.4 Agencies for the fight against cybercrime
2.5 SOC/CERT/CSIRT concept and major agencies

Reference: Organizations and Cybercrime: An Analysis of the Nature of Groups Engaged in Cybercrime. International Journal of Cyber Criminology 8(1):1-20, March 2014. DOI: 10.2139/ssrn.2345525

2.1 Cybercrime organization

What is cybercrime?
Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device. Most, but not all, cybercrime is committed by cybercriminals or hackers who want to make money. Cybercrime is carried out by individuals or organizations. Some cybercriminals are organized, use advanced techniques and are highly technically skilled; others are novice hackers. Rarely, cybercrime aims to damage computers for reasons other than profit. These reasons could be political or personal.

Types of cybercrime
Here are some specific examples of the different types of cybercrime:
- Email and internet fraud.
- Identity fraud (where personal information is stolen and used).
- Theft of financial or card payment data.
- Theft and sale of corporate data.
- Cyberextortion (demanding money to prevent a threatened attack).
- Ransomware attacks (a type of cyberextortion).
- Cryptojacking (where hackers mine cryptocurrency using resources they do not own).
- Cyber espionage (where hackers access government or company data).

Cybercrime that targets computers often involves viruses and other types of malware. Cybercriminals may infect computers with viruses and malware to damage devices or stop them working. They may also use malware to delete or steal data. Cybercrime that stops users using a machine or network, or prevents a business providing a software service to its customers, is called a Denial-of-Service (DoS) attack.
Cybercrime that uses computers to commit other crimes may involve using computers or networks to spread malware, illegal information or illegal images. Sometimes cybercriminals conduct both categories of cybercrime at once. They may target computers with viruses first. Then, use them to spread malware to other

Cybercriminals may also carry out what is known as a Distributed Denial-of-Service (DDoS) attack. This is similar to a DoS attack, but cybercriminals use numerous compromised computers to carry it out.

Examples of cybercrime
So, what exactly counts as cybercrime? And are there any well-known examples? In this section, we look at famous examples of the different types of cybercrime attack used by cybercriminals. Read on to understand what counts as cybercrime.

Malware attacks
A malware attack is where a computer system or network is infected with a computer virus or other type of malware. A computer compromised by malware could be used by cybercriminals for several purposes. These include stealing confidential data, using the computer to carry out other criminal acts, or causing damage to data.

A famous example of a malware attack is the WannaCry ransomware attack, a global cybercrime committed in May 2017. Ransomware is a type of malware used to extort money by holding the victim's data or device to ransom. WannaCry is a type of ransomware which targeted a vulnerability in computers running Microsoft Windows. When the WannaCry ransomware attack hit, 230,000 computers were affected across 150 countries. Users were locked out of their files and sent a message demanding that they pay a Bitcoin ransom to regain access. Worldwide, the WannaCry cybercrime is estimated to have caused $4 billion in financial losses.
Phishing
A phishing campaign is when spam emails, or other forms of communication, are sent en masse, with the intention of tricking recipients into doing something that undermines their security or the security of the organization they work for. Phishing campaign messages may contain infected attachments or links to malicious sites, or they may ask the receiver to respond with confidential information.

2.2 Main attack vectors
Regardless of business or industry, here are three key terms that lie at the heart of every enterprise's cyber-defenses: attack surface, attack vectors, and breaches.

Attack surface
The sum total of points on a network where attacks can occur, i.e. where an unauthorized user (the "attacker") can try to manipulate or extract data using a myriad of breach methods (the "cyber attack vectors"). If you consider a graph where the x-axis lists all of the devices and apps on your network (infrastructure, apps, endpoints, IoT, etc.) and the y-axis lists the different breach methods such as weak and default passwords, reused passwords, phishing, social engineering, un-

Cyber attack vector
The method or way by which an adversary can breach or infiltrate an entire network or system. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.

Security breach
Any security incident in which sensitive, protected, or confidential data is accessed or stolen by an unauthorized party, jeopardizing an organization's brand, customers, and assets. Incidents such as DDoS, Bitcoin mining etc. are also security breaches. Data breaches are the most common, but not all security incidents concern data theft.

8 common cyber attack vectors and how to avoid them

1. Compromised credentials
The username and password continue to be the most common type of access credential. Compromised credentials describe a case where user credentials, such as usernames and passwords, are exposed to unauthorized entities.
This typically happens when unsuspecting users fall prey to phishing attempts and enter their login credentials on fake websites. When lost, stolen or exposed, compromised credentials can give the intruder an insider's access. Although monitoring and analysis within the enterprise can identify suspicious activity, these credentials effectively bypass perimeter security and complicate detection. The risk posed by a compromised credential varies with the level of access it

Privileged access credentials, which give administrative access to devices and systems, typically pose a higher risk to the enterprise than consumer credentials. And it is not only humans who hold credentials: servers, network devices and security tools often have passwords that enable integration and communication between devices. In the hands of an intruder, these machine-to-machine credentials can allow movement throughout the enterprise, both vertically and horizontally, giving almost unfettered access.

Do this to avoid it: Common usernames and weak passwords can lead to compromised credentials, so it is important that the enterprise has effective password policies that ensure suitable password strength. Password sharing across services makes all applications that share credentials vulnerable as a consequence of the breach of one service or application in the cohort. Do not reuse the same password to access multiple apps and systems. Using two-factor authentication via a trusted second factor can reduce the number of breaches that occur due to compromised credentials within an organization.

2. Weak and stolen credentials
Weak passwords and password reuse make credential exposure a gateway for initial attacker access and propagation. Recent malware attacks such as Mirai highlight this threat not only for managed devices but also for IoT-connected devices. Apps and protocols sending login credentials over your network pose a significant security threat.
An attacker connected to your network can easily locate and utilize these credentials for lateral movement. For example, in the Target attack, adversaries were able to steal Active Directory credentials and propagate their attack into the enterprise payment network.

Do this to avoid it: Track password hygiene and use across your entire enterprise to identify high-risk users and their devices.

3. Malicious insiders
A malicious insider is an employee who exposes private company information and/or exploits company vulnerabilities. Malicious insiders are often unhappy employees. Users with access to sensitive data and networks can inflict extensive damage through privileged misuse and malicious intent.

Do this to avoid it: Keep an eye out for disgruntled employees and monitor data and network access for every device and user to expose insider risk.

4. Missing or poor encryption
Data encryption translates data into another form that only people with access to a secret key or password can read. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext. The purpose of data encryption is to protect digital data confidentiality as it is stored on computer systems and

Strong encryption must be applied to data at rest, in motion and, where suitable, in processing. Missing or poor encryption leads to sensitive information, including credentials, being transmitted either in plaintext or using weak cryptographic ciphers or protocols. This implies that an adversary intercepting data storage, communication, or processing could get access to sensitive data using brute-force approaches to break weak encryption.

Do this to avoid it: Don't rely solely on low-level encryption or assume that following compliance means that the data is securely encrypted. Ensure that sensitive data is encrypted at rest, in transit, and in processing.

5. Misconfiguration
Misconfiguration is when there is an error in system configuration.
For example, if setup pages are enabled or a user uses default usernames and passwords, this can lead to breaches. With setup/app server configuration not disabled, the hacker can determine hidden flaws, and this provides them with extra information. Misconfigured devices and apps present an easy entry point for an attacker to exploit.

Do this to avoid it: Put procedures and systems in place that tighten your configuration process and use automation wherever possible. Monitoring application and device settings and comparing these to recommended best practices reveals the threat from misconfigured devices located across your

6. Ransomware
Ransomware is a form of cyberextortion in which users are unable to access their data until a ransom is paid. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.

Do this to avoid it: Make sure you have systems in place that protect all your devices from ransomware, including keeping your operating system patched and up to date so that you have fewer vulnerabilities to exploit, and not installing software or giving it administrative privileges unless you know exactly what it is and what it does.

7. Phishing
Phishing is a cybercrime tactic in which the targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. It continues to be one of the most effective social engineering attack vectors. Some phishing schemes are incredibly intricate and can sometimes look completely innocent. The Office of Personnel Management (OPM) hack demonstrates how phishing can defeat almost all layers of traditional security such as email gateways and endpoint controls.

Do this to avoid it: Measuring web browsing and email click-through behavior

8. Trust relationships
Trust relationships refer to a certain level of trust that exists between users and systems. For example, trust relationships can connect two domains, so a user only has to log in once in order to access resources. The two domains in a trust relationship are the trusted domain (the domain that authenticates the user the first time) and the trusting domain (the domain that relies on the trusted domain to authenticate users and gives access to its resources without re-authenticating the user). One common breach scenario is when credentials are cached on the trusted client, which then gets breached, wreaking havoc.

Do this to avoid it: Managing trust relationships can help you limit or

2.3 Classification of cyber threats and cybercrimes
https://www.secureworks.com/blog/cyber-threat-basics
https://www.dnsstuff.com/common-types-of-cyber-attacks#sql-injection-attack

2.4 Agencies for the fight against cybercrime
Just have a look: https://guides.ll.georgetown.edu/c.php?g=363530&p=4821480

2.5 SOC/CERT/CSIRT concept and major agencies
SOC (security operations centre), while any specific threat responses are managed by the CSIRT (computer security incident response team) in collaboration with the CSERT (Community Emergency Response Team).

What is a SOC and how does it work?
There are two main ways to detect a security incident: technical and human. Human detection is when a user notices some unusual or suspect activity during their normal occupations, whereas technical detection happens thanks to an automated analysis of all the data collected about the information system and its activity, from servers, firewalls, proxies and antivirus. Generally speaking, all equipment linked to the information systems of a company transmits data about its activity to a tool named SIEM (Security Incident and Event Manager), which is the heart of SOC performance.
This SIEM tool centralises and correlates the different logs, in order to predict and notify of any possible threats based on previously established criteria. These notifications are analysed and deconstructed by the SOC team. Any notifications or incidents that are not deemed to be real threats are eliminated, whereas any verified incidents are sent to the CSIRT, who will be in charge of deploying an appropriate response.

According to their financial and human resources, companies can choose whether to set up a SOC in-house or to outsource one, meaning that the latter would be managed by a service provider. In the case of an outsourced SOC, the service provider needs to guarantee the level of expertise and security promised, since the company provides them with all of its information system logs (extremely sensitive information).

Computer emergency response team
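As an added example (not part of the lecture), the SIEM correlation step described above is applied to the compromised-credentials vector from section 2.2: a toy rule over constructed authentication log lines flags an account whose successful login follows several failures from the same source within a short window, the kind of notification a SOC analyst would then triage and, if verified, hand to the CSIRT. The log format, hostnames, user names and addresses are all constructed for this example.

```python
# Added example: a minimal SIEM-style correlation rule over constructed auth logs.
# Rule: >= threshold FAIL events for one (user, source IP) pair, followed by a
# SUCCESS from the same pair within the window, raises a "possible compromised
# credential" notification for the SOC team to triage.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp host user src_ip result" (not real data).
SAMPLE_LOGS = """\
2024-01-10T08:00:01 vpn01 alice 203.0.113.7 FAIL
2024-01-10T08:00:05 vpn01 alice 203.0.113.7 FAIL
2024-01-10T08:00:09 vpn01 alice 203.0.113.7 FAIL
2024-01-10T08:00:14 vpn01 alice 203.0.113.7 SUCCESS
2024-01-10T08:01:00 mail01 bob 198.51.100.4 FAIL
2024-01-10T08:30:00 mail01 bob 198.51.100.4 SUCCESS
2024-01-10T09:00:00 fs01 carol 192.0.2.10 SUCCESS
"""

def parse(line):
    """Split one constructed log line into a dict of fields."""
    ts, host, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "src": src, "result": result}

def correlate(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return notifications as (user, src_ip, failure_count, success_time) tuples."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        key = (ev["user"], ev["src"])
        # Forget failures that fell outside the correlation window.
        recent_fails[key] = [t for t in recent_fails[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
        elif ev["result"] == "SUCCESS" and len(recent_fails[key]) >= threshold:
            alerts.append((ev["user"], ev["src"], len(recent_fails[key]), ev["ts"]))
            recent_fails[key].clear()  # one notification per burst, not one per event
    return alerts

if __name__ == "__main__":
    for user, src, fails, when in correlate(SAMPLE_LOGS):
        print(f"NOTIFY SOC: {user} logged in from {src} at {when} after {fails} failures")
```

Bob's single failure falls outside the 5-minute window, so only alice's login is raised; lowering the threshold or widening the window shows how the "previously established criteria" trade false positives against missed events.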