Each year brings more and more of software and devices connected to the Internet. As more of such are connected, system vulnerabilities increase in numbers as well.
There's deficit in numbers of cybersecurity professionals (in Poland alone, there's need for over 15 000 cybersecurity experts), and it seems that this deficit will increase in numbers as years pass.
Red Team vs. Blue Team.
'Red Team Hackers', 'Ethical Hackers', also called: 'Pentesters' focus on finding vulnerabilities in organization's systems, then report and help Blue Team to 'patch the holes'.
Blue Team are Administrators who are installing, configuring, and monitoring antivirus software, intrusion detection systems, and other protective mechanisms on these devices.
This article concerns more about theory and is mostly of interrest for future Blue Team members. It touches only basics, however. Blue Team aspirants should deepen the knowledge using other means as well.
Red Team members are meant to cooperate & communicate with Blue Team, hence why this article should be useful for them as well.
CIA Triad.
C - Confidentiality
- Ensuring that informations are available only for authorized personnel
I - Integrity
- Protecting data from unauthorized modification or deletion
A - Availability
- Ensuring that informations are available for authorized personnel
Methods for Ensuring Confidentiality:
- Security Policy (Categorizing Data as either Confidential or Public,
and ensuring that only authorized personnel has access to Confidential Data)
- Encryption
- Access Control (Physical and Multifactored Access Control)
Securing a device often comes at the cost of convenience of use. Protected laptop computer, for example, should be still useful and use-conveniet for authorized personnel. So, in practice, security means should not be too excessive. We should not request, for example, 128-characters-long random passwords from users.
Meaning of Integrity:
- Data should be protected from unauthorized modification
- Example attacks on Data Integrity:
- Modifying company's payments lists
- Modifying company's webpage conent files
- Disrupting Integrity might lead to disastrous consequences for a company
Meaning of Availability & Methods for Ensuring Availability:
- Ensuring continuity of work of systems and applications
- Redundancy (extra resources for case of malfunctions)
- Keeping backups (for swift restoration of data and systems in case of malfunction)
Examples & Solutions for Availability Violations:
- DDoS attacks (Resources Overload might cause troubles in accessibility)
- Viral Marketing (Sudden increase in Web Traffic might lead to overloading of
server resources)
- Solutions:
- Scalability
- Load Balancing
- Firewalls
- Monitoring
Additional characteristics of CIA model:
- Authentication & Authorization (verifying user's identity and privileges)
- Non-repudiation (provides proof of the origin, authenticity and integrity of data.
It provides assurance to the sender that its message was delivered, as well as proof
of the sender's identity to the recipient)
This way, neither party can deny that a message was sent, received and processed)
- Robustness (ability of a computer system to cope with errors during execution
and cope with erroneous input)
- Compliance (fulfilling legal and regulatory requirements)
- Privacy (protecting user privacy and personal data)
Cybersecurity as Process - CSF2.0
Overview:
- Cybersecurity should be treated as continuous process, not as single, one-time,
100% complete solution
- Every day new attacks & hacking techniques appear. Hacking tools are under constant
development, with time more advanced and more sophisticated hacking tools appear
- There's need for constant updating of security strategies
- Organizations keep deploying new technological solutions. New technologies might
introduce new vulnerabilities, new security holes
Being ready for incidents:
- Preparation (developing incident reaction plans)
- Detection (swift identification of potential threats)
- Reaction (immediate reaction to appearing incidents)
Process approach to cybersecurity can ensure readiness for action at any moment.
Process approach to cybersecurity can make compliance with legal and industry requirements easier.
Process approach in practice:
- Planning (developing strategies and objectives of cybersecurity)
- Deployment (implementing planned actions & controls)
- Assesment (efficiency analysis of deployed solutions)
- Perfection (constant refinement of security practices)
- Continuity & cyclicity (keep repeating above solutions in cycles)
Elasticity & Adaptation:
- Fast adaptation to appearing threats
- Adaptation to changing technologies & IT architecture
- Adaptation to changing business requirments, to changing organization needs
Integration with business processes (cybersecurity should not be treated as a
separate concern, should a part of business processes):
- Risk Management (integrating cybersecurity with overall risk management)
- Products Development (take cybersecurity into consideration with products'
lifecycles)
- Customer Service (integrating cybersecurity with customer support practices)
Cyber Security Framework 2.0 (CSF2.0):
- Created & Developed by NIST (National Institute of Standards & Technology in USA)
- Objective: helps with Risk Management in Cybersecurity
- Universality: can be tailored for small or large companies & organizations
CSF Elasticity:
- Elastic: CSF is an elastic tool, not stiff regulation or standard
- Adjustment: can be tailored for specific organization needs
- Pointers: generic approach, with possibility of custom implementation
CSF2.0 Components:
- Core (center of framework, with key functionalities)
- Profile (description of current and target cybersecurity approach)
- Tiers (characteristics of rigors of actions related with risk management)
CSF2.0 Core:
- Describes strategy of Risk Management in organization
- 'Surrounds' and manages five other CSF2.0 components
- Includes determining roles & responsibilites, who is responsible for what
- Manages supply chain(s)
- Sets policies related with cybersecurity
Identify (understanding of what we want to protect):
- Understanding (increasing understanding of current risks in cybersecurity)
- Resources Management (identification & management of organization's resources)
- Risk Assesment (analysis & evaluation of potential threats)
Protect:
- Security Tools (deploying proper security tools for risk management)
- Access Control (managing authentication & authorization, and raising
users' cybersecurity awareness)
- Data Security (protecting organization's sensitive informations)
Detect:
- Monitoring (constant monitoring of systems and networks)
- Analysis (analysis of incidents & anomalies in realtime)
- Alerts (generating alerts of potential security incidents)
Respond:
- Reaction Plan (preparation and deployment of incidents reaction plans)
- Incident Analysis (detailed analysis of detected cybersecurity incident)
- Softening Effects (actions meant for minimizing effects of security incident)
- also: Reporting & Communication
Recover:
- Recovery Plan (executing plan meant for restoring normal functioning)
- Communication (informing interrested parties about recovery processes)
- Post-Incident Analysis (drawing conclusions & refining processes)
CSF2.0 Profiles:
- Current Profile (description of current organization's cybersecurity state)
- Target Profile (description of desired cybersecurity state to achieve)
CSF2.0 Tiers:
Organization should consider how dangerous which risks are, resources available, and possibility of certain solution deployments.
Choice of Tiers for risks depends on organization. Not always higher tiers mean better security. Organization should choose which tiers to assign for what risks, depending on organization's resources and current needs.
Integrating CSF2.0 with overall risk management:
- Balance (treating cybersecurity risks as equal with other risks)
- Integration (including cybersecurity in overall risk management)
- Development (constant development of risk management processes)
Links:
- NIST CSF2.0
- Implementation examples
- Quick Start guides
Vulnerabilities and Metrics - CVSS.
Vulnerability:
- Vulnerability is weakness or an application error in system or process
- Vulnerability can be used to perform an attack
- Vulnerability is threat to application security or to system security
Causes of Vulnerability:
- Configuration Error(s)
- Errors in Design, in application's architecture
- Lacks in security updates
- Hasty application debugging, programming shortcuts
Human factors in Cybersecurity:
- Weak passwords
- Phishing (unaware users might reveal confidential informations)
- Lack of cybersecurity courses, lack of threat awareness
- Short, interresting courses help to pass the knowledge
Difference between error and vulnerablitiy:
- Error is unintended malfunction in software
- Vulnerability is an error that can be used to perform an attack
not every error is vulnerability
- Vulerability allows for modification in application's performance,
in a way unintended by it's creator(s)
What happens when vulnerability is found:
- Reporting vulnerability to application's creator(s)
- Vulnerabilities catalogue (CVE - Common Vulnerabilities and Exposure)
- Responsible revealing
Investigators cooperate with app delivery to patch the security gap(s)
Introduction to CVE vulnerabilities catalogue (Common Vulnerabilities and Exposure):
- Created by MITRE in 1999
- Goal: Standardization of identification of known vulnerabilities
Each vulnerability has standardized identifier: CVE - year - ID number
- Informations exchange: Allows for efficient informations exchange about
vulnerabilities
Introduction to CVSS standard (Common Vulnerabilities Scoring System):
- CVSS allows for classification of vulnerabilites, from low priority to critical
vulnerabilities
- CVSS is a standard method for classification of vulnerabilities' threat levels
- Prioritization: helps to determine which vulnerabilities require more urgent
attention
- Severity Score (for example: 8.8 High)
- Vector:
- Attack Vector (for example: Network)
- Attack Complexity (for example: Low)
- Privileges Required (for example: Low)
- User Interaction (for example: None)
- Scope (for example: Unchanged)
- Confidentiality (for example: High)
- Integrity (for example: High)
- Availability (for example: High)
Reaction to high and critical vulnerabilities:
- Immediate software update
- Reconfiguration: reconfiguration of the system, deployment of solution means
- Rescanning: efficiency analysis of deployed solution means
Tools for automatic scanning of vulnerabilities (as Nessus for example):
- Detected vulnerabilities are prioritized (Highest Score vulnerabilities should be
handled earlier)
- Chaining vulnerabilities: less important security gaps can be combined into
dangerous threats
Holistic approach to vulnerabilities management:
- Overall assesment: considering potential interactions between vulnerabilities
- Grouping associated vulnerabilities: considering overall impact on security
- Knowledge of architecture: knowing data flow between components
- Scanning & patching of vulnerabilities on regular basis
Links:
- CVE Catalogue (MITRE): https://www.cve.org/
- Vulnerabilities Database (NIST): https://nvd.nist.gov/vuln
- CVE-related statistics: https://www.cvedetails.com/
- CVSS (3.1) Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Threat and Threats Modelling.
Threat is potential event, in which vulnerability might be used to cause harm.
Examples of threats:
- Unauthorized access
- Data stealing
- DDoS attacks
- Infections with malware
Threats can endanger Confidentiality, Integrity and/or Availability of data, application(s) and/or system(s).
Sources of Threats: Threats can originate from within or from outside organization.
Threat modelling:
- Understanding threats: analysis of potential threats and weak points
- Evaluation of potential effect on organization
- Proactive actions: creation/developmentt of strategy for protecting against threats
- Objectives of attackers: understaning of what pottential attacker wants to achieve
- Motivation analysis: what can cause someone to attack
- Resources: identification of attractive resources for attacker
In other words, threat modelling is looking at a system from attacker's perspective, with goal of predicting pottential attack(s) vector(s)
Difference between threat modelling & vulnerability assessment
- Vulnerability assessment: scanning system(s) with goal of discovering known
vulnerabilities
- Threat modelling: analysis of potential threats, and means of protection
- Perspective:
- Vulnerability assessment: from defense perspective
- Threat modelling: from attacker's perspective
- System decomposition: analysing components for weak points
- Brainstorming: discussing about potential threats for our application
OWASP Cheat Sheets: help to approach security threat(s) in condensed form.
Involving team in threat modelling process:
- Cooperation: Include people from various areas into threat modelling session
- Different perspectives: discuss security concerns in larger group
- Effectivity: arrange for focused session with programmers
Four key questions to answer in threat modelling:
- What we're working at?
- Decomposing system(s): split system into smaller, easier to analyse parts; analyse
each of components separately to understand them better
- Understanding system: know components, functions, data flow & trust limits
- What can go wrong?
- Identifying threats: considering potential problems for each of of system's
components
- The STRIDE model can be used to go through each of threats categories in a
systematic manner
- Group analysis: we identify & discuss potential threat(s) together
- What we intend to do with it?
- Risk reduction: we aim to reducte the risk(s) to acceptable level(s)
- Architectural changes: we introduce modification(s) in system's architecture
- Security functions: we add concrete functions that increase security
- Processes correction: Increasing quality of processes, to reduce threats
- Did we do good enough job so far?
- Effectivity assessment: checking whether deployed solution(s) effectively solve
identified threats
- New threats: we should make sure whether new threats appear because of introduced
changes
- Continuous process: threat modelling should be repeated constantly, as a
continuous process
STRIDE Model:
Spoofing: pretending to be someone else
- Identity verification
- Authorization: weak authorization algorithms might lead to spoofing
- Threat: insufficient identity verification is the key threat
Tampering: manipulation
- Data manipulation: can data sent via user interface can be manipulated?
- Validation: potential problem is lack of server-side data validation
- Integrity protection: data-integrity protections should be handled well enough
Repudiation: denying involvement
- Denying action: user may try to deny that he/she performed a specific action in
our system
- Insufficient registration: lacks in proper actions logging can make proving
of responsibility for performing an action more difficult
- Protecting from repudiation: system should be fitted with efficient
users actions registration systems.
Information Disclosure: revealing confidential informations
- Information reveal risk: user interface can reveal confidential data
- Improperly handled errors: can cause sensitive informations to be revealed
- Improper encryption: data can be captured during transmission process
Denial of Service: Refusing access
- Vulnerability to DoS attacks: can user interface be used to perform DoS attacks?
- No limits: Without requests limits, the system can be overloaded when traffic is
high
Elevation of Privilege: raising privileges
- Security holes like XSS can allow to perform actions with attacked user's privileges
- Threat to system: can user gain higher privileges through the user interface?
- Security holes may allow attacker to raise his/her privileges
By performing STRIDE Model Analysis for each of components in attacked system, we can make a complex image of potential threats. This allows to design proper security solutions for protected systems.
Strong points of STRIDE Model use:
- Systematic analysis: ensures complex research of security concerns
- Methodical approach: considers every threat category, for each of analysed elements
- Minimizing risks: lessens the risk of overlooking important security gaps
STRIDE Model's limits:
- Generic model: STRIDE is abstract model, without concrete guidelines
- Elasticity: allows for high elasticity when thinking about threats
- Knowledge: requires supplementing with technical knowledge about concrete
technologies
Documenting threats:
1. Threat name
2. Description
3. Objective: what is the goal of the attacker?
4. Attack technique:
5. Required privileges
6. Impact on the customer/business (who ordered our protected application)
7. Security means to deploy
Risk assessment:
Severity of risk depends on two factors:
- Impact on the customer/business (who ordered our protected application)
- Probability of attack's occurance
- High Risk: immediate attention needed (for example: SQL Injection; insufficient
authorization)
- Mid & Low Risk: to be solved later
- Repeated regularly: threat modelling process should be repeated as the protected
system develops and gains in complexity
Other frameworks for threat modelling (STRIDE's competition):
- PASTA
- Trike
- OCTAVE
- VAST
Free tools for threat modelling:
- Microsoft Threat Modelling Tool
- OWASP Threat Dragon
Links:
- Threat Modelling Process (OWASP)
Risk Management.
Risk in the Cybersecurity context:
- Risk is probability of occurance of undesirable event(s)
- Two main factors:
- Probability of occurance
- Impact on our organization
- Risk's effects:
- Financial losses
- Physical damage
- Loss of trust
- Negative PR
- Benefits of definition:
- Precise grading and prioritization
DREAD model (created & developed by Microsoft):
- Damage potential: how severe damage an attack can cause?
- Reproductibility: how easy is to repeat the attack?
- Exploitability: how easy is to perform the attack?
- Affected users: how many users are affected by the attack?
- Discoverability: how easy is to discover the security gap?
DREAD model is meant to help us to more precisely analyse the potential threats, and allows for quantitative analysis which is very useful in the Risk Management process. The risk can be measured and described with a number, which allows for easier and more precise risks comparisons and helps in the Risk Management.
DREAD model validity:
- Allows for quantitative analysis of potential threats
- Makes Risk Management easier by expressing risks in form of numbers
- Assessment of each factor in the 1-10 scale depends on experience of person who
assesses the risk
Hints for assigning numbers to risks:
1. Damage potential scale:
- Minimal damage: 1-2
- Low damage: 3-4
- Moderate damage: 5-6
- Serious damage: 7-8
- Catastrophic damage: 9-10
2. Reproductibility:
- Very difficult to repeat: 1-2
- Difficult to repeat: 3-4
- Moderately difficult to repeat: 5-6
- Easy to repeat: 7-8
- Very easy to repeat: 9-10
3. Exploitability:
- Very difficult to perform attack: 1-2
- Requires expert knowledge and nonstandard tools, or huge amount of resources
- Difficult to perform an attack: 3-4
- Requires advanced knowledge and specific tools
- Moderately difficult to perform an attack: 5-6
- Requires some of technical knowledge, and available tools
- Easy to perform an attack: 7-8
- Only basic knowledge is required, attack can be performed using standard,
generic tools
- Very easy to peform an attack: 9-10
- Require practically no qualifications from attacker
- Often these attacks can be automated
4. Affected users (how many users can be affected by the attack):
- Very small part (less than 1%): 1-2
- Small part (1%-5% of users): 3-4
- Significiant part (5%-25% of users): 5-6
- Major part of of users (25%-75% of users): 7-8
- Most of users (more than 75% of users): 9-10
5. Discoverability:
- Very difficult to discover: 1-2
- Requires specialised knowledge and 'deep' testing
- Difficult to discover: 3-4
- Requires advanced knowledge and 'directed' testing
- Moderately difficult to discover: 5-6
- Requires some of 'directed' testing
- Probably will be discovered during 'routine' testing
- Very easy to discover: 9-10
- Easy to guess by merely interacting with attacked system
The above hints are just generic tips, should be adjusted for the needs of organization we protect and for specific context/situation in which we're in. Key is consequence and clear communication about criteria in the whole team. Whole team should use consistent, unified scale.
It is also important to review and update risk assessments for the organization and/or system(s) as the organization we protect grows and develops.
After assigning numbers to risks, we add the number and consult the result with following table to get the Risk Level, according to the DREAD model:
After assessing the Risks Levels, we should answer the following question: what we do with it? how to manage it?
Risk Mitigation
- Reducing probability or impact
- Lessen effects or risk
Risk Management:
- Risk Avoidance
- We eliminate actions/processes or resources that make our organization
vulnerable to unneeded risk(s)
- Risk Reduction
- Example: Deploying Multi-Factor Authentication
- Example: Encrypting Laptop's Hard Disk (Mass Storage)
(Even if the laptop is stolen, important informations won't leak)
- Risk Transferrance
- Insurance
- Moving service to the Cloud
(Risk is transferred to the Cloud services provider)
- SLA contracts
(Defining responsibilities division in the contract)
- Accepting Risk
- Deliberate decision
- In everyday life we accept small risks
- Sometimes accepting risk has more benefits than troubles and costs attached
Risk Metrics.
With Risks there are metrics associated. These metrics help to calculate potential lossess associated with risks, and benefits and costs of investments that reduce these risks.
SLE - Single Loss Expectancy:
- Value of losses associated with a single incident
- Calculated as follows:
ARO - Annual Rate of Occurence: how many times per year, an attack occurs
ALE - Annual Loss Expectancy:
- Estimates yearly loss associated with risk
- Calculated as follows:
AAL - Annual Avoidance of Loss:
- Metric for potential yearly losses that can be avoided
- Example: deployment of Multi-Factor Authentication can reduce losses by 80%
- Interpretation: for assumed value of 100 000 PLN yearly loss associated with
incident(s), with 80% loss reduction factor we can avoid losing an amount
of 80 000 PLN per year
- Calculated as follows:
(in an above example: AAL = 100 000 PLN * 80% = 80 000 PLN)
ROI - Return of Investment:
- Metric for investment profiatbility, describes benefits/costs ratio
- High ROI means that investment is business-justified
- Calculated as follows:
Importance of Risk Metrics:
- Metrics help to justify actions before the management staff
- Losses assessment makes it easier to plan the budget
- Metrics help to designate benefits from the actions taken
Business issues might seem boring for a cybersecurity specialist, but these improve communication with business, with management staff. With business metrics, informed decisions can be taken by the business staff. Professional cybersecurity personnel should not ignore business matters as well.
Attack & Incident Reaction Plans.
When we consider an attack, we should coniser WHEN it happens, not WHETHER it happens.
What is an Attack in Cybersecurity?
- Attack is a moment when potential threat becomes reality, when it 'materializes'
- Attacker uses vulnerability, and causes security incident
- Theory becomes practice - organization needs to react
- Swift steps are neccessary to deal with incident
In CSF2.0 Core we've considered 3 phases of incident's response: Detect, Respond & Recover. CSF2.0 does not giver us, however, any detailed solutions associated with reaction plan. That's where SANS Incident Response Cycle framework might come handy.
1. Preparation
- Roles & Responsibilities designation
- Setting up the the efficient communication channels to use in case of incident
- Setting up the procedures for dealing with incident
- Creation and training the incident reaction teams
- Incident reaction teams should consist of people with varied skills, including:
- IT specialists
- Security Experts
- Lawyers
- PR Representatives
- Regular training is the key for the team to stay up to date with the most recent
threats, and to efficiently cooperate under the pressure of time
- Providing neccessary tools & resources
- Security Monitoring Systems: for incident detection & reaction
- Tools for Forensic Analysis: for investigating attack's causes & effects
- Backup creation tools: for quick data & systems recovery
- Dedicated testing environment: for testing & analysis of incidents in safe
conditions
2. Identification
- Monitoring of systems & networks
- Detecting anomalies:
- Unusual network traffic
- Failed login attempts
- Unauthorized files modifications
- Identifying deviations from norms:
- Anything that deviates from normal functioning
- Analysis of alerts & indicators of compromise
- Analysis of alerts and idicators of compromise (IoC) may help to identify an
incident
- Checking whether alarm is false or not, is the key
- Attack traces (IoC) may confirm that attack actually happened
- IoC types:
- IP Addresses
- Domains
- File hashes
- File names
- Character sequences
- Registry keys
- Network traffic patterns
- IoC Changeability: IoC quickly lose relevance, because attackers often change
tools & infrastructure
- Modern approach: Combining IoC with behavioral analysis & machine learning
can result in better threats detection
- Determining reach & impact: once we've confirmed that attack happens, we should
determine it's range & impact
- Quick designation of affected systems
- Identification of compromised data
- Assessment of potential impact on organization
3. Containment: preventiont of spread of damage, as quickly as possible
- When whole team is trained and ready (see phase: 1. Preparation), the quick
containment can be real
- Isolation: disconnecting infected systems from network
- Blocking: blocking malicious accounts in applications
- Limiting: limiting spreading of threat
- Deployment of temporary corrective measures
- Quick, temporary bugfixes in applications that can stop certain attack vectors
- Firewall blocking rules that blocks specific network traffic or certain
IP Adresses
4. Eradication: removal of the cause(s) of attack
- Requires 'Deep' analysis of the incident, for identification of the threat's
source(s)
- Removal of all related security gaps, not only symptoms used in the attack
- Removing ALL of the malicious code detected during the analysis
- The cause of vulnerability that enabled the attack needs to be identified and
fixed, for example by:
- Reinstallation
- Reconfiguration
- Patching the application's code
5. Recovery: restoring systems to normal functioning, but without too much of haste -
to not allow systems to be re-infected
- Before we go to the recovery phase, we must positively confirm that attack has
been stopped
- Prioritization:
- Designating the most important systems to recover first
- Prioritization by business priorities: production line first, then HR systems
- Verifying backups
- We should make sure that backup we restore from is not infected
- We should 'deeply' perform antivirus scanning
- We should review security patches and test vulnerabilities
- We should monitor systems after restoration
- We should make sure that the compromise is not repeated again
6. Lessons Learned:
- Incident analysis, for improvement of processes, and for increasing team skills
- Identification of good practices and areas for improvement in the reaction plan
Reaction to incidents is continuous process, and not a single exercise.
Every incident is an opportunity for learning and development, requires constant readiness.
SIEM - Security Information and Event Management.
An example of SIEM use in practice:
- SIEM aggregates logfiles from various systems & networks, enabling analysis of
suspicious events
- For example: SIEM might detect that user account writes large amount of data during
unusual hours
- Security analyst investigates this and confirms that account has been hijacked and
executes formally reaction to incident
Who is Attacker & Attack Types.
Threat Actors & Motivations:
- Enemy Actors: Enemy persons and groups that pose threat to our organization
- Motivations: Various reasons of why attackers take actions
- Attack vectors: Means by which attackers gain access to our systems
Regarding the Cybersecurity Myths:
- Every company can be attack's victim, no matter size or industry
- Attacks may be fully automated, or precisely planned and executed
Attackers' Types & Motivations:
- Script Kiddies: Young attackers
- Use pre-made scripts & exploits
- Low skills: don't know how to hide traces, easy to identify
- Motivations:
- Malice
- Nastiness
- Desire to impress
- A joke
- Organized Cribe: Dominant group of attackers
- Motivation:
- Ggetting financial profits
- Popular attacks:
- Ransomware
- Stealing credit card informations
- Profit scale:
- Estimated profits from ransomware attack: 1 Billion USD
- Discretion:
- Victims often don't disclose the ransom paid
- Hacktivists:
- Motivation:
- Social ideas
- Political agenda
- Not interrested in financial gains
- Attacks' objectives:
- Protests against corporations, governments or politicians
- Revealing informations
- Perceptions:
- Acting in the name of the 'greater good', according to their own beliefs
- Insider threats:
- Unhappy employee
- Can cause damage if has too broad privileges
- Greedy & unethical employee
- May want to steal data to gain financial profits
- Unaware employee
- Can randomly open infected file or email attachment
- Advanced Persistent Threat (APT)
- Directed campaigns:
- APT target large companies, critical infrastructure and governments
- Used security gaps:
- Attackers use unknown to public security gaps
- Long-term actions:
- APT can hide in victim's networks for years
- Political motivations
- APT often operate on government request, for espionage
Attack Vectors: paths & methods used by attackers to gain unauthorized access to networks, applications, computers or data
- Phishing: Attacks that depend on cheating/deceiving users
- Attackers use emails, SMS, or falsified webpages to extort data, especially logins
and passwords
- Malware: Malicious software that infects systems
- Malware types
- Viruses
- Worms
- Trojans
- Ransomware
- Spyware
- Spreads through:
- Infected attachments
- Links
- Webpages
- Potential damage:
- Malware can cause serious damage
- Man-in-the-Middle: Capturing communication between webpages/applications
- Eavesdropping communication between two pages/applications, often without their
knowlege
- Capturing communication: Attacker may gain control over the communication
- Attacks on passwords: Attempts to steal or guess the passwords
- Brute force attacks: attempt to guess the password by trying various combinations
- Dictionary attacks: using lists of popular passwords to gain acccess
- Credential stuffing: attempt to use stolen credentials on varied services
- DDoS: Distributed denial of service: attack that attempts to overload systems
or networks
- Social Engineering
- Psychological manipulation: use of human psychology to gain confidential
informations
- Key element of phishing
- SQL Injection: Attacks performed by injecting malicious SQL code
- Attempt to gain unauthorized access to data
- Attacks directed on web applications' vulnerabilities
- Cross-Site Scripting (XSS)
- Publishing malicious scripts on legal webpages
- Unaware execution of a script can lead to stealing session's cookies
- Attacks on Supply Chain(s)
- Compromising a supplier
- Attacker(s) compromise trusted supplier of hardware or software
- Attackers replace files or infect hardware
- User installs the infected software, without knowledge or suspicion
- Attacks on Wireless Networks
- Attackers might eavesdrop the unprotected network traffic
- Attackers can create false access points
- Attacks on IoT (Internet of Things)
- New domain for hackers
- Many of IoT devices has insufficient protection
- Hacker might steal control over IoT device(s)
- Reverse Engineering
- Hackers decompile and analyse software, looking for security gaps
- Memory-related Security Gaps
- Buffer Overflow
- Memory overflow in vulnerable application might lead to malicious code execution
- Attacks on Cloud Infrastructure
- Cloud servicesa are complex systems
- Attackers use configuration errors and other security gaps in cloud services
- Attacks on Mobile Applications
- Personal data: Smartphones are real treasury of personal informations
- Mobile Applications security gaps: Attackers search for weak points in mobile
applications, with an objective to gain access to sensitive informations
- Other attacks
- Above mentioned attacks are just most common examples. There are many more of
attack types
No comments:
Post a Comment