Cybersecurity
Module 2: Information Security Threats
Introduction to Information Security
Samer Aoudi


Learning Outcomes
Upon completing this module, learners will be able to:
  1. Differentiate between vulnerabilities, threats, exploits, and attacks
  2. Discuss the evolution of cyber threats
  3. Identify common cyber attacks
  4. Justify the need for a comprehensive approach to information security in organizations
  5. Identify and analyze emerging threats
Information Security Threats

In the previous module, we introduced fundamental information security concepts and terms. Let us recap the ones relevant to this module:

A threat is a potential or actual agent that can cause harm to an organization. Threat agents include organized criminal groups, malicious software such as spyware and adware, and current or former employees who act against the organization. Self-propagating malicious software such as worms is a threat in its own right, since it can infect and damage systems without any human direction; viruses spread too, but they need a host file and usually a user action (e.g., opening the file) to do so.

A vulnerability is a weakness in an organization's environment that a malicious actor could exploit to cause harm. These weaknesses can be found in various areas such as system design, business operations, software, and network configurations, among others.

An exploit is a method or tool used by an attacker to take advantage of a vulnerability in order to cause harm to a target system. Exploits can take many forms, such as code that causes a buffer overflow in software, or a social engineering attack in which an attacker tricks a user into revealing sensitive information.

An attack is an attempt to compromise the security of an information asset. An attack may be successful (a breach) or unsuccessful (just an attempt).

The figure below illustrates how the cyber threat landscape keeps evolving. During the third quarter of 2022, some 15 million data records were exposed worldwide through data breaches, a 37% increase over the previous quarter and a 28% increase over the same quarter of 2021 [1]. More alarming still is the number of attacks attempted in order to breach that many records, which runs into the hundreds of millions.

Figure 2.1: Threat Evolution Infographic
Understanding Cyber Attacks

There are different types of attacks that try to exploit existing vulnerabilities in our systems. Attacks may be classified by method of execution (e.g., physical attacks, social attacks, malware attacks) or by proximity (local vs. remote). CCNA Security defines two broad categories:

  1. Passive Attacks: In a passive attack, the attacker monitors and learns about the target without altering it. In other words, the attacker performs reconnaissance. Examples: sniffing, traffic analysis and, loosely, network and port scanning. Note that scanning does send packets to the target and can be logged by it, so it is "passive" only in the sense that it changes nothing on the target.
  2. Active Attacks: In an active attack, the attacker executes an exploit, typically based on what was discovered during reconnaissance. Examples: DoS and DDoS, password brute forcing, gaining unauthorized access, etc.

The following are common types of attacks:

Malware Attacks

Malware, short for malicious software, refers to any code or program that is written with the intention to harm computer systems or steal, destroy or deny access to information. This category encompasses various types of malicious code such as viruses, worms, Trojan horses, ransomware, active web scripts, and others.

Malware Category       Description
Virus                  Attaches itself to a file or program. Needs a host and human interaction (e.g., a click) to replicate.
Worm                   Replicates and spreads on its own, without a host file and without human interaction.
Trojan Horse           Disguises itself as a useful program but carries malicious code.
Polymorphic Malware    Malware (virus, worm, etc.) that constantly changes its identifiable features, such as its code or signature, which makes signature-based detection difficult.
Backdoor               Allows an attacker to bypass normal authentication.
Rootkit                Conceals the presence of malware (processes, files, network connections) on the victim host to avoid detection.
Ransomware             Holds computers or files hostage, typically by encrypting them, and demands payment from the victim.
Spyware                Collects information from the infected computer and sends it to the attacker.
Adware                 Displays unwanted advertising popups and banners.
Logic Bomb             Activates only when certain conditions are met (e.g., on a specific date such as the 9th of July).
Botnet                 A collection of malware-infected devices controlled remotely by an attacker. The individual infections are the malware; the botnet is the resulting network.

Table 2.1: Malware Categories

DoS and DDoS Attacks

Denial of Service (DoS) attacks aim to disrupt the availability of information or computer systems, most commonly by overwhelming them with more requests than they can handle, and sometimes by sending a single malformed input that crashes the service. The target becomes unable to process legitimate requests, resulting in slow performance or outright crashes.

A Distributed Denial of Service (DDoS) attack is a variation of DoS in which the requests are launched simultaneously from many locations, typically from a botnet, a network of compromised devices under the attacker's control. Mail bombing, in which the attacker floods a target mailbox or mail server with a large quantity of email, is a DoS against the email service and can likewise be distributed.
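The distinction between a single-source flood and a distributed one shows up directly in server logs. The following is an added example, not part of the course material: it parses Common Log Format access-log lines, counts requests per source per 10-second window, and labels each window as normal, DoS (one address alone over a limit) or DDoS (a high total spread over many addresses). The log lines are constructed here, and the thresholds are assumptions a real deployment would tune to its own baseline.

```python
"""Spot request floods in web-server access logs and distinguish a single-source
DoS from a distributed (DDoS) flood.  Added example: the log lines are constructed
and the thresholds are assumptions a real deployment would tune."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def requests_per_window(lines, window_s=10):
    """Bucket requests into fixed windows: {window_start_epoch: Counter(ip -> hits)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ip, ts = parsed
        epoch = int(ts.timestamp())
        buckets[epoch - epoch % window_s][ip] += 1
    return buckets


def classify_windows(buckets, per_ip_limit=50, total_limit=200, min_sources=20):
    """Label each window (assumed thresholds):
    'dos'    one source alone exceeds per_ip_limit hits in the window
    'ddos'   the window total exceeds total_limit, spread over >= min_sources IPs
    'normal' otherwise
    Returns {window_start_epoch: (label, detail, count)} in time order."""
    verdicts = {}
    for start, counter in sorted(buckets.items()):
        total = sum(counter.values())
        top_ip, top_hits = counter.most_common(1)[0]
        if top_hits > per_ip_limit:
            verdicts[start] = ("dos", top_ip, top_hits)
        elif total > total_limit and len(counter) >= min_sources:
            verdicts[start] = ("ddos", len(counter), total)
        else:
            verdicts[start] = ("normal", len(counter), total)
    return verdicts


def build_sample_log():
    """Constructed log: a quiet 10 s window, then a single-source flood, then a
    flood from 40 addresses in the 203.0.113.0/24 documentation range."""
    t0 = datetime(2022, 10, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512'

    lines = []
    for i in range(5):                      # window 0: 5 clients, 3 hits each
        for k in range(3):
            lines.append(line(f"198.51.100.{i + 1}", k))
    for k in range(80):                     # window 1: one client, 80 hits
        lines.append(line("198.51.100.7", 10 + k % 10))
    for i in range(40):                     # window 2: 40 clients, 6 hits each
        for k in range(6):
            lines.append(line(f"203.0.113.{i + 1}", 20 + k))
    return lines


def analyze_sample():
    """Run the detector over the constructed log; returns the verdicts in time order."""
    return list(classify_windows(requests_per_window(build_sample_log())).values())


if __name__ == "__main__":
    for label, detail, count in analyze_sample():
        print(label, detail, count)
```

The per-source rule catches the classic single-host flood that a simple block rule can stop; the per-window rule catches the distributed case, where no single address looks abusive and the defence has to be rate limiting or upstream scrubbing rather than blocking one IP.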

Network Attacks

Information travels between locations in computer networks over wired or wireless connections. Attackers may target the traffic itself (the packets of data) in order to gain access or steal information:

Packet sniffing is an attack in which the attacker captures and inspects data packets moving through a network; on unencrypted links this exposes credentials and other sensitive data.

Spoofing is disguising a communication from the attacker as coming from a known, trusted source (e.g., ARP spoofing, IP address spoofing, forged email sender addresses).

A MiTM (Man-in-the-Middle) attack is when an attacker positions themselves between two communicating nodes (e.g., a customer and a bank), relaying and possibly altering the traffic while fooling one or both parties into thinking they are talking directly to the other.
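ARP spoofing is the usual way to become a man in the middle on a local network: the attacker answers ARP requests with their own MAC address for the gateway's IP (and often for the victim's IP as well) so both sides send their traffic through the attacker's machine. The following is an added example, not from the course: given a list of observed ARP replies it looks for the symptoms of that attack. The replies, gateway address and known-good gateway MAC are all constructed assumptions.

```python
"""Flag ARP spoofing symptoms in a set of observed ARP replies ("ip is-at mac").
Added example: the replies below are constructed, not a real capture, and the
gateway address/MAC are assumptions."""
from collections import defaultdict

# Constructed ARP replies seen on one LAN segment
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),  # the real gateway
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # a workstation
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1",  "de:ad:be:ef:00:99"),  # attacker claims the gateway's IP ...
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # ... and the workstation's: classic MiTM
]
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"  # assumed known-good value, e.g. from a DHCP or asset record


def build_tables(replies):
    """Index the replies both ways: IP -> MACs that claimed it, MAC -> IPs it claimed."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return ip_to_macs, mac_to_ips


def find_arp_conflicts(replies, gateway_ip=None, gateway_mac=None):
    """Return a list of (finding, subject, evidence) tuples.

    These are heuristics, so expect some benign hits: one IP announced by two
    MACs is the core symptom; one MAC announcing several IPs also occurs
    legitimately (routers with secondary addresses, VRRP/HSRP), so it is a weaker
    signal.  A gateway MAC that differs from the known-good one is the strongest."""
    ip_to_macs, mac_to_ips = build_tables(replies)
    findings = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            findings.append(("ip_claimed_by_multiple_macs", ip, sorted(macs)))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            findings.append(("mac_claims_multiple_ips", mac, sorted(ips)))
    if gateway_ip and gateway_mac:
        rogue = ip_to_macs.get(gateway_ip, set()) - {gateway_mac.lower()}
        if rogue:
            findings.append(("gateway_mac_mismatch", gateway_ip, sorted(rogue)))
    return findings


def likely_mitm_macs(replies, gateway_ip):
    """MACs that claimed the gateway IP and at least one other IP: the pattern of an
    attacker poisoning both ends of a conversation."""
    _, mac_to_ips = build_tables(replies)
    return sorted(mac for mac, ips in mac_to_ips.items()
                  if gateway_ip in ips and len(ips) > 1)


if __name__ == "__main__":
    for finding in find_arp_conflicts(SAMPLE_ARP_REPLIES, GATEWAY_IP, GATEWAY_MAC):
        print(*finding)
    print("likely MiTM:", likely_mitm_macs(SAMPLE_ARP_REPLIES, GATEWAY_IP))
```

In practice the replies would come from a packet capture or from periodic snapshots of the ARP cache (the `arp -a` or `ip neigh` output) on a monitoring host; the same two-way index is what tools such as arpwatch maintain when they alert on a "changed ethernet address" for a known IP.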

Social Engineering Attacks

Social Engineering is the art of manipulating people into providing information or a service they would otherwise never have given. Using social skills, an attacker tries to convince people to reveal access credentials (passwords) or other valuable information (e.g., a credit card number). Social engineering attacks succeed because they target human characteristics and behavior (e.g., fear, greed, ignorance). People fall for trickery mainly through a lack of awareness, but sometimes because of their nature (e.g., being trusting or greedy).

Phishing, which accounted for over 80% of reported security incidents in 2021 [2], is a type of social engineering in which attackers use fake emails, websites or phone calls to trick people into giving out sensitive information such as passwords or credit card numbers. Attackers often impersonate legitimate organizations such as banks, e-commerce sites or government agencies to gain the victim's trust. The goal of phishers is typically to steal the victim's identity or money, or to gain access to their computer or network.

Spear Phishing is a targeted form of phishing directed at specific individuals or organizations. Unlike regular phishing, which is sent to a large number of people in the hope that some will fall for the scam, spear phishing messages are tailored to a specific target. The attackers often research their victim beforehand, gathering information from social media, company websites or other sources, in order to make the scam more convincing. When the target is a senior executive or another high-profile individual, such as a politician or celebrity, the attack is called Whaling.
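Several of the tells described above can be checked mechanically before a message reaches a user. The following is an added example and not part of the course material: it parses one raw email and reports a sender domain that is a near miss of a trusted one (typosquatting), a trusted brand name in the display name on an untrusted domain, link text that claims one host while the href points to another, links to bare IP addresses, and pressure language. The trusted-domain list and the sample message are constructed assumptions; the edit-distance threshold is a heuristic, not a standard.

```python
"""Score a raw email for common phishing tells.  Added example: the trusted-domain
list, keyword list and the message are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "example.com"}   # assumed organizational allow-list
URGENCY_WORDS = ("urgent", "immediately", "suspended", "24 hours", "verify your")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examp1ebank.com>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be suspended in 24 hours unless you verify your details now.</p>
<p><a href="http://203.0.113.55/login">https://www.examplebank.com/login</a></p>
</body></html>
"""


def levenshtein(a, b):
    """Edit distance; a small value between an unknown domain and a trusted one
    indicates typosquatting (examp1e for example, rn for m, and so on)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    return next((t for t in trusted if levenshtein(domain, t) <= max_dist), None)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw):
    """Return a list of (finding, evidence) tuples for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("lookalike_sender_domain", f"{sender_domain} ~ {imitated}"))
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}        # "examplebank", "example"
    if sender_domain not in TRUSTED_DOMAINS and any(
            b in display_name.lower().replace(" ", "") for b in brands):
        findings.append(("brand_in_display_name", display_name))
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        if text.lower().startswith(("http://", "https://")):   # text that looks like a URL
            text_host = (urlparse(text).hostname or "").lower()
            if text_host and text_host != href_host:
                findings.append(("link_text_host_mismatch", f"{text_host} -> {href_host}"))
        if IPV4_RE.match(href_host):
            findings.append(("link_to_raw_ip", href))
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append(("urgency_language", hits))
    return findings
```

None of these signals is proof on its own: legitimate mail sometimes links to IP addresses or uses urgent wording. Mail gateways therefore combine such heuristics into a score, and the sender-domain check in particular is only meaningful together with SPF/DKIM/DMARC results, since a sender can also forge the From header outright rather than register a lookalike domain.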

Pharming redirects legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information. Unlike phishing, it is a technical attack: it works by modifying the hosts file on the victim's computer or by exploiting vulnerable DNS servers (DNS cache poisoning), so that even a correctly typed address resolves to the attacker's server.
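The hosts-file variant of pharming leaves a visible artifact on the victim machine, which makes it an easy check for an endpoint agent or an incident responder. The following is an added example, not from the course: it parses hosts-file text and reports any watched domain (or subdomain) that has been pointed at a real address. Entries that point a name at loopback or 0.0.0.0 are blackholes, the technique ad-blocking hosts files use, and are deliberately not reported. The watched domains and the sample file contents are constructed assumptions.

```python
"""Check a hosts file for pharming entries: names of sites you care about that
have been pointed at an address other than loopback.  Added example: the watched
names and the hosts-file contents are constructed for illustration."""
import ipaddress

WATCHED_DOMAINS = {"examplebank.com", "example.com"}  # assumed: brands/services worth protecting

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.50    printer.lan
203.0.113.55    www.examplebank.com examplebank.com   # injected by malware
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file.
    Comments (#) and blank lines are skipped; lines with an unparsable address are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower().rstrip(".")))
    return entries


def is_watched(name, watched=WATCHED_DOMAINS):
    """True for a watched domain or any of its subdomains."""
    return name in watched or any(name.endswith("." + w) for w in watched)


def pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_number, hostname, address) for watched names redirected to a
    real address.  Loopback and unspecified (0.0.0.0, ::) targets are blackholes,
    not redirects, so they are not reported."""
    hits = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        if is_watched(name, watched):
            hits.append((lineno, name, str(addr)))
    return hits


if __name__ == "__main__":
    for lineno, name, addr in pharming_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

On a real host the file to read is /etc/hosts on Linux and macOS and C:\Windows\System32\drivers\etc\hosts on Windows; since hosts entries take precedence over DNS, a single injected line defeats every DNS-side control, which is why integrity monitoring of this file is common in endpoint security tooling. The DNS cache poisoning variant leaves no such local artifact and has to be caught by comparing resolver answers against a trusted resolver or by deploying DNSSEC validation.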

Other Attacks

Misinformation is the act of spreading false, inaccurate or misleading information, regardless of intent. Disinformation, on the other hand, is knowingly spreading false information. Both enable scams and hoaxes.

Sabotage or vandalism ranges from petty destruction of or damage to information resources to organized sabotage. For example, attackers may deface a web site, which can erode consumer confidence, dropping sales and the organization's net worth.

Spam is unsolicited commercial e-mail that we receive daily from sources we do not know. Spam is more a nuisance than an attack, though it is an increasingly common delivery vector for phishing and malware.

Theft (physical or digital): Physical theft falls under physical security (e.g., stealing a laptop). Digital theft concerns digital content and is often more technical and complex (e.g., a database breach).

Non-Attack Threats to InfoSec

Although it may seem otherwise, we are not always under attack. Sometimes information is compromised by threats that involve no attacker at all:

  • Deviations in Quality of Service (QoS): QoS is the overall performance of a network as seen by its users. QoS problems occur when user expectations are not met. Information systems depend on support systems such as ISPs and power companies, so a failure there degrades QoS.
  • Forces of Nature: This may include floods, storms, extreme weather, etc.
  • Human Error: Sometimes people make mistakes while handling data (e.g., deleting a database record). If the incident is not based on malicious intent, it is classed as human error.
  • Technological Obsolescence: When hardware or software becomes obsolete or unsupported, it stops receiving security patches and poses a threat to information. Organizations must ensure systems are kept current and patched.
  • Technical Failures (Software and Hardware): Sometimes technology simply fails without any actor or intervention.

Closing Notes

In order to prevent incidents from occurring, or to lessen the negative effects of security incidents, organizations must manage security risk.

References
[1] Statista
[2] Varonis
Case Study: Threats to Information Security
Introduction

In recent years, the importance of information security has become increasingly apparent as more and more companies and organizations rely on digital technology to store and manage sensitive information. However, as technology advances and new threats emerge, it can be difficult for organizations to keep up and protect themselves from all potential threats. This case study will examine how an organization was able to address multiple threats to its information security.

Background

The organization in question is a large financial institution that deals with sensitive customer information on a daily basis. They had been using traditional security measures such as firewalls and antivirus software to protect their systems, but as technology evolved, they realized they needed to take a more comprehensive approach.

Threats

The organization faced several different threats to their information security, including:

  • Advanced persistent threats (APTs):
    APTs are a type of cyber attack in which an attacker establishes a long-term presence on a target's network in order to steal sensitive information. An example of an APT is the "APT10" group, which is believed to have been operating out of China and targeting companies in various industries, such as healthcare, technology, and finance. The group used a combination of tactics, including spear-phishing emails and supply chain attacks, to gain access to target networks and steal sensitive information.
  • Ransomware:
    Ransomware is a type of malware that encrypts a victim's files and demands payment in exchange for the decryption key. An example of ransomware is the WannaCry attack that occurred in 2017. The ransomware spread rapidly through networks, encrypting victims' files and demanding payment in Bitcoin in order to restore access to the files. This attack affected over 200,000 computers in 150 countries, including those used by hospitals, businesses, and government organizations.
  • Phishing attacks:
    Phishing attacks are a type of social engineering in which attackers use email or other means to trick victims into providing sensitive information. An example of a phishing attack is one where an attacker sends an email that appears to be from a legitimate source, such as a bank or a social media site, and requests the recipient to provide their login credentials. The email may include a link that leads to a fake login page that is designed to steal the victim's information.
  • Insider threats:
    Insider threats are threats in which an employee or other trusted individual intentionally or unintentionally causes harm to an organization's information security. Examples include an employee who knowingly shares login credentials with unauthorized individuals (a malicious insider) and an employee who accidentally downloads malware onto a company-owned device (a negligent insider).

Solution

To address these threats, the organization implemented a number of different security measures, including:

  • Advanced threat detection and response:
    Advanced threat detection and response solutions use a combination of techniques such as network traffic analysis, behavioral analysis, and machine learning to detect and respond to advanced threats, such as APTs. These solutions can detect malicious activity on a network, such as unauthorized access or data exfiltration, and then automatically respond by isolating the affected systems and containing the threat. This can help organizations quickly detect and respond to APTs and other advanced threats before they can cause significant damage.
  • Endpoint security:
    Endpoint security solutions are designed to protect an organization's systems and devices from malware and other malicious software. These solutions typically combine antivirus software, a host-based firewall and host intrusion prevention, installed on individual devices and servers. This helps to detect and stop malware before it spreads across the network, and to protect against malicious software designed to bypass perimeter-only defenses.
  • Employee security training:
    Employee security training is an important aspect of information security. Employees are often the first line of defense against cyber threats, and thus, it is important to educate them on how to identify and prevent phishing attacks and other social engineering tactics. Security training can include lessons on how to identify suspicious emails, how to safely use the internet, and how to handle sensitive information. This can help employees to be more aware of the potential risks and take steps to protect themselves and the organization.
  • Regular security audits:
    Regular security audits are an important aspect of maintaining an organization's information security. Security audits typically include reviewing an organization's systems and processes to identify vulnerabilities and potential risks. This can include testing the organization's network for vulnerabilities, reviewing access controls and permissions, and testing incident response plans. This can help organizations to identify and address any vulnerabilities in their systems and processes before they can be exploited by attackers.

Case Study Questions

  1. How does implementing advanced threat detection and response software help organizations detect and respond to APTs and other advanced threats?
  2. How can endpoint security software help protect an organization's systems and devices from malware and other malicious software?
  3. Why is employee security training important for organizations and what are some common topics that are covered in security training?
  4. What are the benefits of regularly conducting security audits and what types of systems and processes are typically reviewed during an audit?

Model Answers

  1. Advanced threat detection and response software helps organizations detect and respond to APTs and other advanced threats by using a combination of techniques such as network traffic analysis, behavioral analysis, and machine learning. These solutions can detect malicious activity on a network, such as unauthorized access or data exfiltration, and then automatically respond by isolating the affected systems and containing the threat. This helps organizations quickly detect and respond to APTs and other advanced threats before they can cause significant damage.
  2. Endpoint security software helps protect an organization's systems and devices from malware and other malicious software by including antivirus software, firewall, and intrusion prevention systems that are installed on individual devices and servers. This can help to detect and prevent malware from spreading on the network, and also to protect against malicious software that is designed to bypass traditional security measures.
  3. Employee security training is important for organizations because employees are often the first line of defense against cyber threats. By educating employees on how to identify and prevent phishing attacks and other social engineering tactics, they become more aware of the potential risks and take steps to protect themselves and the organization. Common topics that are covered in security training include lessons on how to identify suspicious emails, how to safely use the internet, and how to handle sensitive information.
  4. Regularly conducting security audits helps an organization maintain its information security by identifying vulnerabilities and potential risks. Security audits typically review the organization's systems and processes, including testing the network for vulnerabilities, reviewing access controls and permissions, and testing incident response plans. By identifying and addressing weaknesses before attackers can exploit them, audits improve the organization's overall security posture.

Closing Notes

This case study demonstrates the importance of taking a comprehensive approach to information security in order to protect against a wide range of threats. By implementing advanced threat detection and response, endpoint security, employee security training, and regular security audits, the organization was able to effectively address the threats it faced and protect its sensitive information. It is important for organizations to keep updated with the latest trends and technology to protect their sensitive information.

Research Assignment
The Top Cyber Attacks to Prepare for in 2023
Introduction

As technology continues to advance, so do the tactics and techniques used by cybercriminals. With each passing year, new and more sophisticated cyber attacks are developed and used to target organizations and individuals. With 2023 on the horizon, it is important to be aware of the potential cyber attacks that organizations should be prepared for [3]. The purpose of this research assignment is to identify and analyze the top cyber attacks that organizations should prepare for in 2023.

To help you get started, read the following blog post: Stay Ahead of the Game: The Top Cyber Attacks to Prepare for in 2023

Instructions

  1. Research the latest trends and predictions regarding cyber attacks for the year 2023. As a minimum, research the attack types discussed in the blog post above.
  2. Identify at least three additional potential cyber attacks that organizations should be prepared for in 2023.
  3. Provide a detailed analysis of each of the identified cyber attacks (from the blog post and the three ones you identified), including information on how the attack is carried out, the potential impacts on organizations, and the key measures that organizations can take to protect themselves from these attacks.
  4. Provide recommendations for organizations on how to best prepare for and defend against the identified cyber attacks.

Research Resources

  • Cybersecurity reports and predictions from reputable organizations such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Cyber Threat Alliance (CTA)
  • Technical reports and articles from cybersecurity experts and researchers
  • News articles and press releases regarding recent or ongoing cyber attacks

Assessment Criteria

  • The deliverable is a well-organized and clearly written research paper
  • The research paper should provide a thorough analysis of the identified cyber attacks
  • The research paper should provide actionable recommendations for organizations on how to prepare for and defend against the identified cyber attacks
  • The research paper should use at least five, and ideally seven, credible sources to support the analysis and recommendations.

Closing Notes

As technology continues to evolve, so do the cyber threats that organizations face. By conducting research on the top cyber threats for 2023, organizations can better prepare for and defend against these threats, ultimately reducing the risk of a successful cyber attack. This research assignment aims to assist organizations in identifying the top cyber attacks to prepare for in 2023 and to provide actionable recommendations for protecting against those attacks.

References
[3] Top Cyber Attacks to Prepare for in 2023
Module Summary
  • A threat is a potential or actual agent that can cause harm to an organization.
  • A vulnerability is a weakness in an organization's environment that a malicious actor could exploit to cause harm.
  • An exploit is a method or tool used by an attacker to take advantage of a vulnerability in order to cause harm to a target system.
  • An attack is an attempt to compromise the security of an information asset.
  • Malware, or malicious software, is any program or code designed to harm computer systems or steal, destroy or deny access to information. It includes viruses, worms, Trojan horses, ransomware, active web scripts, among others.
  • There are many attack vectors, including DoS, DDoS, phishing, ransomware, packet sniffing, and misinformation and disinformation.
  • There are many non-attack threats to information security which include Deviations in Quality of Service (QoS), Human Errors, Forces of Nature, Technological Obsolescence, and Technical Failures
Module Revision Questions
  • What are some examples of actors that can pose a threat to an organization?
  • Can you explain what an exploit is and give an example of how it can be used to cause harm to a target system?
  • Name a few types of malware and their characteristics
  • What is an MiTM attack?
  • What is Spear Phishing?
  • What is Pharming?
  • Differentiate between Misinformation and Disinformation
  • Name a few non-attack threats to information security
Module Glossary
Term    Definition
DoS     Denial of Service: an attack that disrupts the availability of information or computer systems, typically by overwhelming them with a high volume of requests.
DDoS    Distributed Denial of Service: a variation of DoS in which the requests are launched simultaneously from many locations, typically a botnet.
MiTM    Man-in-the-Middle: an attack in which the attacker positions themselves between two communicating nodes (e.g., a customer and a bank) and fools one or both into thinking they are talking directly to the other.
QoS     Quality of Service: the overall performance of a network as seen by its users.
© Samer Aoudi 2005-2024
