Defining the Threat Landscape
As technology advances, so does the complexity and sophistication of cyber threats. This chapter delves into the ever-changing landscape of information security, aiming to provide a comprehensive understanding of the many threats that information systems face. By exploring the diverse range of adversaries, attack vectors, and motivations driving cyber threats, you will learn how to develop defense strategies to mitigate risks and protect against cyber threats effectively.
The following topics will be covered in this chapter:
- Understanding organizational context
- Hackers and hacking
- Closing information system vulnerabilities
Understanding the organizational context
To effectively protect an organization from potential threats, information security professionals must understand what is important to the organization beyond its information technology. To begin this process, information security professionals should examine the organization’s mission and vision statements to understand what the organization does and who its customers are. Understanding this information can help identify the business-critical processes of the organization’s operations and the technology assets that support them. For example, a hospital’s business-critical processes may include medical records on an external internet-facing technology asset. In contrast, a financial institution’s business-critical process may consist of customer financial data on an internally facing technology asset.
To take this understanding a step further, information security professionals must also work with all levels of management within the organization. This type of engagement involves reaching out to mission-driven parts of the organization to understand how they apply their mission and vision to their day-to-day work. Through this engagement, information security professionals can identify sensitive information, trade secrets, intellectual property, and business processes to understand the potential impact on the organization if this information were to be provided to a competitor, altered, or destroyed. By focusing on business processes and important data within those functions, information security professionals can establish mission-focused relationships within the organization and find allies who share their concerns.
When the highly sensitive processes and information the organization needs to operate have been identified, information security professionals can analyze this information regarding compliance requirements and the organization’s threats. This analysis must consider the organization’s specific context. Organizations may have vastly different responses to securing information systems depending on their industry, the types of information they are trying to protect, and the threats they face.
Understanding what is essential for the successful business operations of an organization, as well as establishing mission-focused relationships with the organization’s various mission units, is critical for information security professionals to protect the organization from potential threats effectively. Gathering this information requires focusing on business functions, the essential data within those functions, and a contextual understanding of the organization’s specific industry and compliance requirements.
Once the critical business processes and data have been identified, the next step is to evaluate the potential impact of a security breach on each technology asset that supports these business processes. This includes considering a successful attack’s financial, reputational, and operational consequences on an organization. For example, a data breach that results in the loss of customer financial information could result in a significant financial loss and damage to the organization’s reputation. Cybersecurity threats can significantly impact an organization’s business operations and reputation. Understanding how these threats can impact the organization from a business perspective is crucial to prioritizing and allocating resources to address them adequately.
One of the most obvious impacts of a cybersecurity breach is financial losses. A breach can result in stolen funds, lost revenue, and legal fees associated with remediation efforts. For example, suppose customer credit card data is compromised in a data breach. In that case, the organization may be liable for fraudulent charges made with those cards, which can result in significant financial losses. Another potential impact of a cybersecurity breach is damage to the organization’s reputation. A breach can erode customer trust and confidence in the organization, leading to decreased sales and difficulty attracting new customers. In some cases, a breach can result in legal action or regulatory fines, further damaging the organization’s reputation.
In addition to financial losses and damage to reputation, a cybersecurity breach can also impact an organization’s ability to carry out its business operations. A breach can result in systems downtime or data loss, disrupting normal business processes and resulting in lost productivity. A breach can have a ripple effect throughout the organization and impact multiple areas, such as supply chain management, customer service, and marketing.
Once the organizational context has been determined, it is essential to integrate cybersecurity with business operations. Alignment involves ensuring that cybersecurity measures align with the organization’s goals and objectives and do not disrupt business processes. One of the key ways to integrate cybersecurity with business operations is to involve key stakeholders in the process. This engagement includes business leaders, IT professionals, and cybersecurity professionals. By involving key stakeholders in the process, it is possible to ensure that cybersecurity measures are designed with the organization’s goals and objectives in mind and integrated into existing business processes.
Cybersecurity threats are risks or vulnerabilities compromising the confidentiality, integrity, or availability of digital information, systems, or networks. Cyber threats can be caused by various sources, including cybercriminals, hackers, insiders, or even accidental actions by employees. With the proliferation of technology and the growing reliance on digital infrastructure, cybersecurity threats have become more sophisticated, frequent, and costly, posing significant risks to individuals, organizations, and even entire nations.
The cybersecurity threat landscape is constantly evolving, and the specific threats that organizations face can vary depending on factors such as industry, size, location, and other factors. Coming up are some of the most common and dangerous cybersecurity threats that organizations may face.
Phishing is a common cyber-attack that aims to trick individuals into providing sensitive information, such as usernames, passwords, credit card details, or personal information. Phishing attacks are typically carried out through deceptive email messages, including links and attachments that mimic legitimate sources, such as banks, social media, or online stores. Phishing attacks rely on social engineering tactics to exploit human weaknesses, such as curiosity, urgency, or trust, and can cause significant damage to individuals and organizations.
A common type of phishing attack is spear-phishing, which targets specific individuals or organizations with personalized messages tailored to their interests, job roles, or relationships. Spear-phishing attacks often involve extensive research and surveillance to gather information about the target, such as their social media profiles, job titles, or recent events, to make the message appear more convincing and relevant. Business email compromise (BEC) is another type of phishing attack that targets organizations with messages that appear to be from a trusted source, such as an internal organizational division, a supplier, or a partner. BEC attacks often involve impersonating a legitimate group or individual or using social engineering tactics to trick employees into providing sensitive information or authorizing fraudulent payments. BEC attacks can cause significant financial losses, especially involving wire transfers or electronic payments.
The consequences of phishing attacks can be severe for individuals and organizations. Phishing attacks can result in financial losses, identity theft, or reputational damage, especially if they involve sensitive data or high-profile targets. Phishing attacks can also lead to further cyber-attacks, such as malware infections or ransomware attacks, that can cause even more damage. Technical measures such as antivirus software or spam filters can help block or detect phishing messages. Organizational measures, such as policies, procedures, or training, can help raise awareness and promote good cybersecurity practices, such as using strong passwords, verifying sources, or reporting suspicious activities.
Ransomware is malicious software (malware) that encrypts an organization’s data and demands payment for the decryption key. Ransomware attacks can devastate an organization. These attacks can cause significant financial losses, reputational damage, or even operational shutdowns. No organization is immune to the threat of ransomware, as small businesses and large enterprises can fall victim to these attacks.
Ransomware attacks typically begin with the infection of a single device or system, such as a workstation, server, or mobile device, through a vulnerability or a phishing attack. Once the malware is installed, it encrypts the infected machine’s data, making it inaccessible to the user or the organization. The ransomware then displays a message or a warning, usually in the form of a pop-up window or a text file, that demands payment in exchange for the decryption key. The ransomware message may also threaten to delete or leak the data if the ransom is not paid within a specific time frame.
Ransomware attacks can be carried out through various types of malware. Some examples of these malware variants are CryptoLocker, WannaCry, and Locky. Some ransomware attacks may use advanced techniques, such as obfuscation, encryption, or polymorphism, to evade detection by security software or to make it more difficult to recover the encrypted data. Ransomware attacks can also involve anonymous payment methods, such as Bitcoin or other cryptocurrencies, making tracking the attacker’s payment or identity more difficult. The consequences of a ransomware attack can be severe, both for the affected organization and its customers, partners, or suppliers. Ransomware attacks can cause significant financial losses, as organizations may need to pay a ransom or incur additional costs for data recovery, forensic analysis, or legal fees.
Protection can include anti-malware software, intrusion prevention systems, and verified data backups, allowing organizations to recover their data in case of a ransomware attack. It is important to note that data backups must be regularly tested and updated to ensure their effectiveness and that a ransomware attack has not adversely affected an organization’s backups. In addition to prevention and mitigation activities, an organization can prepare for a ransomware attack by ensuring the cybersecurity incident response plan includes ransomware-specific considerations. This plan will help an organization detect, contain, and recover from a ransomware attack, minimizing damage and reducing downtime.
Malware is a broad term that describes any software designed to harm or disrupt computer systems, networks, or devices. Malware is a significant cybersecurity threat that can take many forms, including viruses, worms, trojans, spyware, adware, and ransomware. Malware can cause substantial damage to organizations and individuals by stealing data, damaging systems, or disrupting operations.
A common type of malware is a virus. A virus is a self-replicating program that can infect files, applications, or system boot sectors. Once a virus infects a system, it can spread rapidly, causing significant damage to a system’s files. Another type of malware is a worm, a self-replicating program that can quickly spread across networks, infecting multiple devices and systems. Worms can cause significant damage to networks by consuming bandwidth or causing system crashes. Trojans are a type of malware that masquerades as legitimate software or applications. Once a trojan infects a system, it can steal data, create backdoors, or download additional malware. Spyware is malware that collects data from a device or system without the user’s knowledge or consent. Spyware can collect sensitive data such as passwords, credit card numbers, or personal information.
Malware attacks can cause a range of problems for both individuals and organizations, including financial losses, reputational harm, and identity theft. The impact can be especially severe if the malware targets or exfiltrates sensitive data or high-profile targets. Additionally, malware attacks can trigger further cyber-attacks, such as ransomware attacks, which can result in even more significant damage.
Distributed denial-of-service attacks
Distributed denial-of-service (DDoS) attacks are a significant cybersecurity threat that can disrupt online services and cause substantial financial losses for businesses. DDoS attacks involve overwhelming a website, server, or network with traffic from multiple sources, rendering it inaccessible to legitimate users. DDoS attacks can be carried out through various means, such as botnets, DNS amplification attacks, or application layer attacks.
Botnets can be used to execute DDoS attacks. Botnets are networks of compromised devices, such as computers, smartphones, or IoT devices, that a single attacker or group of attackers controls. Botnets can launch DDoS attacks by sending a large volume of traffic to the target, overwhelming its resources, and making it unavailable to legitimate users. Botnets can be created through malware infections, phishing scams, or social engineering tactics.
A DNS amplification attack exploits Domain Name System (DNS) vulnerabilities to generate massive traffic and overwhelm a target server or network. In a DNS amplification attack, the attacker sends a large number of DNS queries to open DNS resolvers, requesting information about a specific domain name. The attacker spoofs the source IP address of the requests so they appear to come from the target server or network. When the open DNS resolver receives the request, it responds with a much larger packet of data than the original query. This attack can occur because many DNS responses are larger than the corresponding queries due to the use of Domain Name System Security Extensions (DNSSEC) and other security measures. The attacker can then use the amplified response to flood the target server or network with traffic, overwhelming its resources and making it inaccessible to legitimate users.
Application layer DDoS attacks, also known as Layer 7 DDoS attacks, are DDoS attacks that target the application layer of a website or server. Unlike other DDoS attacks that focus on the network layer, application layer attacks aim to exhaust the resources of the target server or website by overwhelming it with requests that mimic legitimate user traffic. Application layer DDoS attacks use bots or malware that flood the target website or server with HTTP, HTTPS, or other application layer requests, such as database queries or user registrations. These requests can be challenging to distinguish from legitimate traffic because they resemble legitimate user activity, making them hard to block or filter.
Content Delivery Networks (CDNs) can be used to defend against DDoS attacks by distributing the traffic across multiple servers, reducing the attack’s impact on any single server. CDNs work by caching content on multiple servers geographically so that users can access the content from a server closest to their location. This architecture not only speeds up the delivery of content but also provides redundancy, making it more difficult for attackers to overwhelm any single server.
Insider threats refer to malicious activities or negligence by employees, contractors, or business partners who access sensitive information, systems, or networks and can be challenging to detect and mitigate. There are several types of insider threats, including accidental or unintentional, negligent, and malicious insider threats:
- Accidental or unintentional insider threats occur when an employee or contractor inadvertently causes harm or damage to the organization by misconfiguring a system or sending an email to the wrong recipient.
- Negligent insider threats occur when employees or contractors disregard security policies or procedures, such as using weak passwords or clicking suspicious links.
- Malicious insider threats are the most dangerous and occur when employees or contractors intentionally cause harm or damage to the organization. Malicious insider threats can take many forms, including the theft of sensitive information, sabotage of systems or networks, or unauthorized access to sensitive data.
Organizations can implement security controls to monitor and detect insider threats. These controls can include access controls, such as role-based access control, multi-factor authentication, or privilege escalation monitoring, to ensure that employees only have access to the information and systems they need to perform their job duties. Organizations can also implement security monitoring and auditing tools, such as log analysis and anomaly detection, to detect unusual behavior or activity by employees or contractors.
Advanced Persistent Threats
Advanced Persistent Threats (APTs) are a type of cyber-attack that targets specific organizations, governments, or individuals to gain unauthorized access to sensitive information or cause harm to the target. Unlike cyber-attacks that use simple and indiscriminate techniques, APTs are highly targeted and sophisticated, often relying on multiple stages of attacks and leveraging zero-day vulnerabilities to evade detection. APTs typically involve a well-funded, well-organized, and highly skilled group of hackers willing to invest significant time and resources in their attack campaigns.
- APTs are highly targeted, allowing the attackers to understand the target’s infrastructure, operations, and vulnerabilities, making it easier to develop customized attack strategies
- APTs are also persistent and designed to remain undetected for an extended period
- APTs may use lateral movement techniques, moving laterally across the network, exploiting different vulnerabilities, and hiding their activities
Detecting APTs can be challenging, as they are designed to remain undetected for an extended period. Traditional security measures such as firewalls and anti-malware software may not be sufficient to detect APTs. Instead, organizations must adopt a more proactive approach involving continuous monitoring, threat intelligence, and advanced analytics. This approach can help organizations detect APTs early in the attack life cycle, allowing them to take appropriate action before significant damage occurs.
Social engineering attacks
Social engineering attacks are cybersecurity threats that target human vulnerabilities rather than exploit technical weaknesses in an organization’s infrastructure. Social engineering attacks rely on psychological manipulation to deceive individuals into disclosing sensitive information or performing actions that may compromise an organization’s security. Social engineering attacks typically involve using various tactics to deceive individuals, including phishing.
Social engineering attacks rely on deception and manipulation to achieve their objectives. Attackers use various tactics, such as phishing emails, pretexting phone calls, and baiting schemes, to deceive individuals into performing actions that may compromise an organization’s security. These attacks are typically low-tech and do not require significant technical expertise. Attackers can use simple tactics such as sending a convincing phishing email or a pretexting phone call to achieve their objectives.
Detecting social engineering attacks can be challenging as they rely on deception and manipulation to achieve their objectives. Organizations must embrace a security culture with regular employee training on cybersecurity best practices and incident response procedures. This training can help employees identify and respond to social engineering attacks, reducing the risk of successful attacks.
Supply chain attacks
Supply chain attacks are cybersecurity threats that target the interconnected network of vendors and suppliers supporting an organization’s operations. These attacks typically exploit vulnerabilities in the supply chain to gain access to sensitive information or systems within the organization.
Supply chain attacks often exploit vulnerabilities in third-party vendors or suppliers that access an organization’s systems or data. These vendors may be small or medium-sized businesses with limited security resources, making them attractive targets for attackers. Supply chain attacks can be challenging to detect, as they often involve a series of compromises across multiple organizations. Attackers may use multiple layers of obfuscation and encryption to evade detection and gain access to sensitive information. Compromised vendors can be used as entry points into an organization’s network, allowing attackers to move laterally and access sensitive information or systems.
Detecting supply chain attacks can be challenging as such organizations need to adopt a more proactive approach that includes supply chain risk assessments, vendor management, and threat intelligence. Supply chain risk assessments can help organizations identify and mitigate potential vulnerabilities in their supply chain. Assessments may include evaluating the security practices of vendors and suppliers and analyzing the potential impact of a supply chain compromise on the organization’s operations. Organizations must establish clear policies and procedures for working with vendors and suppliers, including security controls, data protection, and incident response requirements. Regular monitoring and auditing of vendor activities can help detect suspicious behavior and mitigate the risk of a supply chain attack.
Safeguarding sensitive information, systems, and networks is a shared responsibility that demands constant vigilance and adaptability. By staying informed about the latest threat trends, individuals and organizations can improve their defenses and navigate the ever-changing cybersecurity landscape more confidently.
Hackers and hacking
Hackers can be broadly categorized into several types with unique motives, skills, and methods. Understanding these different types of hackers is essential for individuals and organizations to protect against the various cybersecurity threats they pose. Knowing the workings of different kinds of hackers can enable organizations to anticipate potential cybersecurity threats and create better strategies to secure their systems.
As technology continues to evolve, new types of hackers may emerge. By staying informed about the latest trends and the methods hackers use, individuals and organizations can remain vigilant and implement proactive security measures. It is essential to have conversations about different types of hackers to understand an organization’s threats and foster a security culture in which individuals know the risks and take measures to protect their digital assets.
White hat/ethical hacker
A white hat or ethical hacker is an individual who applies their expertise in computer systems to identify and expose vulnerabilities in information security protocols, with the consent and knowledge of the system owner. Unlike black hat hackers, who engage in malicious activities, white hat hackers typically provide their services as penetration testers, simulating attacks on information systems to help organizations strengthen their security defenses. These professionals use their technical skills to uncover weaknesses in computer networks, software applications, and other digital infrastructures to improve the security of the systems they are testing.
Black hat hacker
A black hat hacker is an individual who exploits vulnerabilities in a computer system for personal gain or malicious intent without the knowledge or consent of the system’s owner. These individuals are involved in criminal activities, such as stealing confidential information, spreading malware, or even blackmailing individuals or organizations for financial gain. Black hat hackers are the driving force behind the widespread proliferation of cybercrime and pose a significant threat to global cybersecurity.
The term black hat was inspired by Western movies, in which the antagonists often wore black hats to symbolize their evil intentions. Black hat hackers use various techniques, including social engineering, phishing, and brute force attacks, to gain unauthorized access to computer systems. They exploit software, hardware, and human behavior weaknesses to bypass security measures and steal sensitive data.
Gray hat hacker
A gray hat hacker is an individual who falls somewhere between a black hat and a white hat hacker. These individuals typically hack into a computer system to identify vulnerabilities, but their intentions may not always be clear. Some gray hat hackers may notify a system owner of their discovered weakness and offer to fix it for a fee. Other gray hat hackers may publish their findings to the internet to showcase their skills or force a vendor to fix a software package. However, it is essential to note that hacking without the permission of the information system owner is illegal and can result in severe consequences. Even gray hat hackers with good intentions may be subject to legal action if they do not have explicit permission to test or assess a system’s security.
Blue hat hacker
A blue hat hacker is an information security professional invited by software or hardware vendors to test their products for vulnerabilities. Blue hat hackers are similar to white hat hackers in that they are committed to improving the security of computer systems and protecting against cyber threats. Their testing involves identifying potential security flaws or bugs that attackers could exploit. By finding these vulnerabilities before the product is released, vendors can address them and improve the security of their products.
A script kiddie is an individual who uses automated hacking tools and scripts developed by other, more skilled hackers to attack computer systems. These individuals often lack the knowledge and experience to create tools or develop sophisticated attack methods, so they rely on pre-existing scripts and tools to carry out their attacks. This access to tools means that even individuals with minimal technical knowledge can launch attacks on a computer system. Script kiddies are often motivated to cause chaos. However, their lack of knowledge and experience can often result in unintended damage or even compromise their computer systems.
Experienced hackers know how to avoid detection and cover their tracks, making it difficult for law enforcement to apprehend them. On the other hand, script kiddies may be much easier to track down because they lack this skill set. While script kiddies may threaten computer systems, their lack of skill and knowledge limits their ability to carry out sophisticated attacks. However, their impact can still be substantial.
A hacktivist is an individual who uses their computer security knowledge to promote a political or social agenda by attacking organizations that they believe represent a threat to society. While hacktivists may use similar techniques to black hat hackers, their motivations and goals are different. Hacktivists often launch cyber-attacks against government agencies, corporations, or other organizations that they believe are engaging in unethical or illegal activities. They may deface websites, steal confidential information, or use other cyber vandalism to draw attention to their cause.
A nation-state attacker is an individual or group sponsored by a government to carry out cyber-attacks on other countries, organizations, or individuals. These adversaries are highly skilled and have access to significant resources, including advanced technology and funding. Nation-state activities are best described as cyber warfare, where the attacker is motivated to engage in espionage and sabotage against another country or target. Nation-state actors may seek to compromise military targets, critical infrastructure, political organizations, or private sector/non-profit intellectual property. Their motivations may range from political or economic gain to national security concerns or even acts of terrorism.
Nation-state attackers often use sophisticated and advanced techniques, including zero-day exploits, social engineering, and APTs, to infiltrate their targets’ computer systems. Nation-state attacks pose a significant threat to global cybersecurity and can have far-reaching consequences. Therefore, governments, organizations, and individuals must remain vigilant against these threats and take appropriate measures to protect themselves.
Penetration testing is an authorized simulation of an information system attack designed to identify vulnerabilities a black hat hacker could exploit. It is an essential component of an information security program and helps organizations find hidden vulnerabilities that cannot be easily detected through automated means.
While many organizations implement vulnerability assessment tools, penetration testing is crucial because it allows information security professionals to systematically break into an information system even when a vulnerability scanner has not found any vulnerabilities. The penetration testing process requires highly skilled and experienced professionals to use their knowledge of information security to assess the security posture of a system.
A penetration testing engagement conducted by a white hat or ethical hacker can include social engineering activities. Those activities may consist of collecting trash from trash cans and dumpsters to look for passwords and intellectual property, pretending to be a helpdesk technician to retrieve user passwords, and launching social engineering attacks such as phishing and spear-phishing. Penetration testing can also include web-based application attacks, vulnerability scanning, port scanning, and more. The penetration testing process is designed to simulate a real-world attack and identify the vulnerabilities that attackers could potentially exploit to gain unauthorized access to a system or sensitive data.
The results of a penetration testing engagement are used to inform information security program stakeholders, including executives, IT professionals, and developers, about the vulnerabilities that have been identified and provide recommendations on how to remediate them. Organizations can improve their overall security posture and reduce the risk of a successful cyber-attack by identifying and addressing vulnerabilities before they can be exploited. Organizations should consider incorporating penetration testing into their overall testing methodology to ensure the security of their systems and data.
Cybercrime is any criminal activity involving a computer, either as the target or as a tool to carry out the crime. Cybercrime can be committed by individuals and organized criminal gangs, significantly impacting the global economy. The threat of cybercrime is increasing at an alarming rate. According to Cybersecurity Ventures, the cost of cybercrime is expected to reach $8 trillion by 2023 and is projected to grow to $10.5 trillion by 2025. These staggering numbers highlight the urgent need for organizations and individuals to take proactive steps to protect themselves against cyber threats.
One of the most common types of cybercrime is fraud and financial crime. These crimes involve the misrepresentation of facts intending to manipulate another individual or organization into doing or not doing an activity that causes a financial loss. Computer fraud can occur in various ways, including altering, suppressing, destroying, or exfiltrating electronic data. Forms of computer fraud include identity theft, extortion, and bank fraud.
Cyber extortion is another form of cybercrime that occurs when an organization is subjected to repeated attacks by an attacker who demands money to stop the attacks. These crimes can take the form of Denial of Service (DoS) attacks or ransomware attacks, where the attacker blocks access to a system or data until the victim pays a ransom. Cybercrime is a constantly evolving threat, requiring a coordinated and multi-layered approach to combat. Organizations must take measures to protect their systems and data.
Exploits are among the primary tools attackers use to gain unauthorized access to an information system. These techniques take advantage of vulnerabilities in an information system by utilizing custom software, operating system commands, and open source tools.
Web applications are particularly vulnerable to exploitation, with numerous well-defined vulnerabilities cataloged by organizations such as the Open Web Application Security Project (OWASP). For many years, OWASP has maintained a top 10 list of the most pervasive and destructive web application vulnerabilities, providing a valuable resource for developers to understand and mitigate these issues in their applications.
Visiting the OWASP website can provide a wealth of information that can be used to enhance the security of your information and application security programs. By understanding common exploits and vulnerabilities, developers and IT professionals can take proactive measures to prevent attacks and protect against unauthorized access to sensitive information.
For more information on OWASP, please refer to https://owasp.org/Top10/.
The OWASP Top 10 vulnerabilities for 2021 are as follows:
- Broken access control: Broken access control is a vulnerability that occurs when an application fails to properly enforce restrictions on what authenticated users are allowed to do. This flaw can allow attackers to access unauthorized functionality and sensitive data, such as other users’ accounts and confidential files, or modify other users’ data and change access rights. Attackers can exploit these weaknesses to access information or actions they are not authorized to have, resulting in severe consequences for the organization or individuals affected. Developers must implement robust access control mechanisms to prevent unauthorized access and ensure the security of sensitive information.
- Cryptographic failures: Cryptographic failures cover various issues related to cryptography. This category includes using weak or outdated encryption algorithms, insecure key management practices, storing sensitive information in plaintext, and improperly implementing SSL/TLS protocols. Cryptographic failures can lead to serious security breaches and compromise sensitive information’s confidentiality, integrity, and availability. To mitigate these risks, developers are advised to follow best practices for cryptography, including using robust encryption algorithms, secure key management, and proper SSL/TLS implementation.
- Injection: Injection flaws refer to vulnerabilities when an interpreter, such as SQL, OS, XXE, or LDAP, receives untrusted data as part of a command or query. Attackers can exploit these weaknesses by sending hostile data that can deceive the interpreter into executing unintended commands or accessing data without proper authorization. To prevent these attacks, developers must use parameterized queries and input validation to ensure that the interpreter processes only trusted data. Other strategies, such as object-relational mapping tools and special character escaping, can also effectively prevent injection vulnerabilities.
- Insecure design: Insecure design covers various issues related to software design. This category includes weak or ineffective access control mechanisms, lack of encryption or hashing, insecure authentication and session management, and poor error handling and logging. Developers must follow secure design principles to prevent issues such as strong access control mechanisms, secure authentication and session management, and proper error handling and logging. Developers should also regularly review their software design to identify and address any potential vulnerabilities.
- Security misconfiguration: Security misconfiguration highlights the importance of having a secure configuration defined and deployed for all system components, including the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained for each component, as default configurations are often insecure. It is essential to establish and maintain secure configurations to minimize the risk of security breaches, protect sensitive information from unauthorized access or data theft, and prevent system compromise.
- Vulnerable and outdated components: The category of vulnerable and outdated components underscores the risk posed by components such as libraries, frameworks, and other software modules that run with the same privileges as the application. If a vulnerable component is exploited, it can enable attackers to facilitate severe data loss or server takeover. Applications and APIs that use components with known vulnerabilities may weaken application defenses and allow various types of attacks with severe consequences. To prevent these vulnerabilities, it is essential to update components to the latest version that has been appropriately tested and reviewed. Developers should also have a process for monitoring and managing component updates and vulnerabilities.
- Identification and authentication failures: Identification and authentication failures are the risks posed by the incorrect implementation of application functions related to authentication and session management. If authentication and session management functions are implemented incorrectly, attackers can exploit vulnerabilities to compromise passwords, keys, or session tokens. This misconfiguration can enable the attacker to assume the identity of other users temporarily or permanently and to access sensitive information or perform unauthorized actions. To prevent these vulnerabilities, developers should follow best practices related to authentication and session management, including using strong and unique passwords, secure session management, and properly handling sensitive data. Implementing multi-factor authentication and using secure communications protocols can also help to prevent authentication and identification failures.
- Software and data integrity failures: Software and data integrity failures can occur due to a lack of proper validation, input sanitization, or other security measures. Software and data integrity failures can result in severe consequences for an application. Such failures may occur due to coding, bugs, or configuration errors, among other factors. It is essential to implement proper input validation and sanitization and ensure that software components are up to date and that the application and data are adequately backed up. Security testing, including fuzz testing and other automated tools, can also help to identify vulnerabilities and prevent software and data integrity failures.
- Security logging and monitoring failures: Security logging and monitoring failures can lead to difficulties in detecting and responding to security incidents and a lack of visibility into system activity. This vulnerability can enable attackers to carry out attacks undetected and remain on a system for extended periods. To prevent these vulnerabilities, developers should ensure that logging and monitoring functionality is implemented correctly and that logs are stored securely and protected from tampering. Organizations should also have processes in place for regularly reviewing and analyzing logs, as well as for responding to incidents and performing forensic analysis when necessary.
- Server-side request forgery: Server-side request forgery vulnerabilities occur when an attacker can send a request to a server or service from within a targeted application, bypassing any security measures. To prevent these vulnerabilities, developers should ensure that input validation is implemented correctly and that requests can only go to trusted external.
Hackers are finding new and more creative ways to breach computer systems and networks as technology advances. From exploiting vulnerabilities in software to tricking users into giving away sensitive information, hackers use a wide range of techniques to carry out their attacks. Understanding these techniques and what measures can be taken to prevent them is essential. This section will explore common hacker techniques.
Password cracking is a technique attackers use to gain unauthorized access to a system or application. This technique involves using specialized software to recover passwords transmitted over the network, stored in password databases, or implemented within application software. Attackers often use automated guessing methods, such as dictionary attacks, to crack passwords. Dictionary attacks involve trying common passwords, such as password or 123456, to guess the correct password. Other password-cracking methods include brute-force attacks, where the attacker tries every possible combination of characters until a valid password is found.
It is important to use strong and complex passwords that are difficult to guess to prevent password-cracking attacks. Passwords should be changed regularly and should not be reused across multiple accounts. Additional measures, such as multi-factor authentication and password denylisting, can also help to prevent password cracking attacks.
- Brutus: http://sectools.org/tool/brutus
- RainbowCrack: http://sectools.org/tool/rainbowcrack
- Wfuzz: http://sectools.org/tool/wfuzz
- Cain and Abel: http://sectools.org/tool/cain
- John the Ripper: http://sectools.org/tool/john
- THC Hydra: http://sectools.org/tool/hydra
- Medusa: http://sectools.org/tool/medusa
- Ophcrack: http://sectools.org/tool/ophcrack
- L0phtCrack: http://sectools.org/tool/l0phtcrack
- Aircrack-NG: https://www.aircrack-ng.org/downloads.html
Vulnerability assessment scanners are tools that are used to identify potential weaknesses in a network or information system. These scanners use specialized software and databases of known vulnerabilities to scan the network and identify any matches. Once a vulnerability is identified, the tool creates a listing that ties the exposure to a specific IP address, making it easier for administrators to locate and fix the issue.
For administrators, vulnerability assessment scanners can be an essential tool for maintaining the security of their networks and systems. By regularly scanning for vulnerabilities and addressing them promptly, administrators can reduce the risk of successful attacks and protect sensitive data. However, vulnerability assessment scanners can also be used by attackers as a means of identifying potential targets. By scanning a network or system for vulnerabilities, attackers can identify weaknesses that can be exploited to gain unauthorized access or cause damage to the system. By using vulnerability assessment scanners proactively and responsibly, administrators can enhance the security of their networks and systems while minimizing the risk of successful attacks.
Manual vulnerability assessment tests information systems based on a hacker’s knowledge, experience, and intuition to identify potential weaknesses and vulnerabilities that automated scanners may not detect. Unlike automated scanners that use predefined databases of known vulnerabilities, manual testing relies on hackers’ creativity and ingenuity to find vulnerabilities that attackers could exploit. While automated scanners can help identify common vulnerabilities, they may not be able to detect more sophisticated and less well-known vulnerabilities that experienced hackers could exploit.
- OpenVAS: http://www.openvas.org/
- Burp Suite: https://portswigger.net/burp/freedownload/
- W3af: http://w3af.org/
- NMAP: https://nmap.org/
- Qualys Community Edition: https://www.qualys.com/community-edition/
Keystroke logging is a technique attackers use to capture all keystrokes entered on a computer. There are two types of keystroke loggers, namely software-based and hardware-based. Software-based key loggers are installed on a computer through manual and automated mechanisms and can be categorized into hypervisor-based and kernel-based key loggers. The hypervisor-based key logger operates at the hypervisor level of a virtualized infrastructure. It can avoid detection by antivirus tools as it sits below the operating system. On the other hand, the kernel-based key logger operates at the kernel mode of the operating system as a rootkit and can also avoid detection by anti-virus tools as they do not have access to the layer of the operating system.
As the name suggests, hardware-based keyloggers are connected physically to a computer system to capture keystrokes. There are two types of hardware-based key loggers: keyboard hardware and wireless keyboard sniffers. The keyboard hardware-based key logger is connected between a computer and a keyboard. It has internal memory and can intercept keystrokes from the keyboard to the computer. This type of key logger requires physical access to the computer. The wireless keyboard sniffer is a specialized hardware and software device that can intercept keystrokes sent between a wireless keyboard and the computer it is attached to. This type of key logger requires the attacker to be close to the computer being attacked.
A rootkit is a type of malware that a hacker installs to gain control of an operating system. The term root refers to the rootkit giving the attacker root-level access to the system, allowing them to perform various malicious activities. Rootkits are notoriously difficult to detect, as they are designed to operate covertly and remain hidden from the operating system and any security software that may be installed. Rootkits are often used to perform various malicious activities. They achieve this by replacing or modifying critical operating system software, such as device drivers or system libraries, to hide their presence and evade detection. The following figure depicts a computer infected with a rootkit.
Figure 2.1 – Computer infected with a rootkit
There are several types of rootkits, including kernel mode, user mode, and firmware rootkits. Kernel-mode rootkits operate at the lowest level of the operating system, allowing them to intercept system calls and hide their presence from the operating system and any security software. On the other hand, user mode rootkits operate at a higher level of the operating system and are easier to detect but still can hide their presence from many security tools. Finally, firmware rootkits are stored in the firmware of a device, such as a BIOS or a network card, and are particularly difficult to detect and remove.
Hackers use spoofing to deceive users by mimicking another system or person. In a spoofing attack, the hacker may install software or create a system that appears to be a trusted client system to gain unauthorized access to a backend server environment. Alternatively, the hacker may pose as the underlying information system infrastructure to trick unsuspecting users into sharing sensitive information or passwords. The following figure provides an example of a spoofing attack.
Figure 2.2 – Example spoofing attack
Spoofing attacks can take many forms, including email, IP address, and caller ID. In email spoofing, the attacker forges the From address in an email to make it appear as if it came from a trusted source. In IP address spoofing, the attacker changes the source IP address in an IP packet to make it appear as if it originated from a trusted source. In caller ID spoofing, the attacker manipulates the phone number displayed on the recipient’s caller ID to make it appear that the call is from a trusted source. Spoofing attacks can harvest sensitive company information.
Social engineering is a hacking technique that doesn’t rely on technical tools but manipulates human psychology to gain unauthorized access to sensitive information or systems. It involves deception and persuasion, exploiting an individual’s natural inclination to trust others. Social engineering attackers can use a variety of tactics, such as phishing scams, pretexting, baiting, and water-holing, to gather sensitive information. The following depicts the social engineering life cycle.
Figure 2.3 – The social engineering life cycle
Pretexting is a social engineering attack where the attacker creates a false scenario or pretext to trick the victim into divulging sensitive information. The attacker will typically establish a position of authority, trust, or familiarity to make the victim feel more comfortable and willing to share information. This scenario can include posing as a victim’s company or organization member, a trusted vendor or partner, or even a friend or family member.
One common example of pretexting involves an attacker posing as a victim’s IT department member. The attacker may contact the victim via email, phone, or in person, claiming there is a problem with the victim’s account or computer system. They may then request that the victim provide their username and password to resolve the issue. The victim, thinking they are helping resolve a legitimate problem, may willingly give this information.
However, the attacker has no legitimate reason to request this information and is using it to gain unauthorized access to the victim’s account or system. With this information, the attacker can move further into the organization’s information system and potentially cause damage or steal sensitive information.
Pretexting attacks can be challenging to detect, as the attacker may use sophisticated techniques to create a convincing pretext and establish trust with the victim. It’s essential for individuals and organizations to be aware of these types of attacks and to establish protocols for verifying requests for sensitive information. This verification can include verifying the requester’s identity, checking with a supervisor or IT department, or requiring additional authentication before providing sensitive information.
Phishing is a social engineering attack that uses deception and technology to trick users into providing sensitive information such as login credentials, credit card numbers, and personal data. Unlike pretexting, which targets individuals one at a time, phishing campaigns can target millions of users simultaneously, making it a highly effective tactic for hackers.
In a phishing attack, the attacker typically sends an email that appears to be from a trusted source, such as a bank, an online retailer, or a social media site. The email will usually contain a message that creates a sense of urgency or alarm, such as a warning that the user’s account has been compromised or a request to update their account information.
The email may also contain a link or attachment the user is directed to click on. In the case of the link, it will take the user to a fake website. The website looks like a legitimate website but is controlled by the attacker. The phony website will typically prompt the user to enter their login credentials or other sensitive information, which the attacker then captures. In some cases, the phishing email may also contain a malicious attachment that, when opened, installs malware on the user’s computer or device.
Phishing attacks can be challenging to detect, as emails and fake websites can be designed to look very convincing. It’s important for individuals and organizations to be aware of the signs of a phishing attack, such as suspicious email addresses or URLs, and to verify the legitimacy of any requests for sensitive information before responding. Here is an example of a phishing campaign. Notice that the email appears to come from Netflix and generically addresses the user. The link would take the user to the attacker’s website if clicked. The following figure is taken from an actual phishing message.
Figure 2.4 – Phishing message example
Spear phishing is a highly targeted phishing attack focusing on specific individuals or groups rather than sending out mass emails like traditional phishing campaigns. In spear phishing attacks, the attacker performs extensive reconnaissance on the victim to gather personal details to make their attack more convincing.
Unlike phishing campaigns, which typically use generic messages sent out to many potential victims, spear phishing emails are highly customized to the individual victim. The attacker will use their gathered personal details to create a message tailored to the victim’s interests, job position, or personal relationships.
For example, an attacker might send a spear phishing email to an employee at a company, posing as a senior executive and requesting sensitive financial information. The email might include details about a recent company project or event that the attacker has gleaned from the victim’s social media profile or public information online, making the email appear more legitimate.
Spear phishing attacks can be highly effective, as the customized nature of the attack makes it more difficult for victims to identify it as fraudulent. The attacker’s attention to detail and personalization can create a sense of trust between the victim and the attacker, making it more likely that the victim will provide the requested information.
Awareness training to combat phishing
Phishing attacks continue to be a significant threat to organizations of all sizes, and it’s essential to have effective countermeasures in place to combat them. The most effective countermeasure is to raise awareness among your user population about phishing and spear phishing threats.
Figure 2.5 – Do your users understand phishing?
As an information security professional, it’s easy to become complacent and assume everyone is already aware of phishing. However, it’s important to remember that other parts of the organization have their specialized work and may not be as familiar with the risks. It’s crucial to communicate the importance of phishing awareness to all organization members, including those in HR, finance, manufacturing, and other departments.
There are several methods for conducting training and raising awareness about phishing threats. One practical approach is to include specific phishing training in your yearly information security training. If you don’t currently conduct annual training, it’s important to start doing so. Another approach is to develop a cycle for communicating with your entire user base via targeted communications such as emails and internal social media. You can create a plan where several communications are used to deliver targeted phishing awareness training.
Conducting phishing exercises is also an effective way to test your user base’s awareness of phishing. You can utilize automated tools to test your user base for their awareness of phishing threats. These tools should allow you to import your user population from your user directory rather than manually inputting them into the tool. You should also be able to build multiple campaigns to target different user groups simultaneously. Additionally, the tool should allow you to track exploited users as part of the training so they can be scheduled for additional training. It’s important to note that users should not be treated negatively if they are determined to need additional training. The process should be positive, and users should feel they are learning a new skill rather than being reprimanded. By implementing these training and awareness strategies, you can help to protect your organization from the devastating consequences of phishing attacks.
Water-holing exploits vulnerabilities in trusted websites frequently used by a particular user or group within an organization. To execute a water-holing attack, the attacker first conducts reconnaissance to identify websites the target users regularly visit. The attacker then attempts to compromise the trusted website, potentially by exploiting vulnerabilities in the website’s code or by compromising a third-party service that the website relies on. Once the website has been compromised, it can be used as a platform to install malware on unsuspecting users’ machines.
The attacker may wait for the users to visit the compromised website, or they may use a spear phishing email to lure the users to the site. The spear phishing email could be designed to appear as if it comes from a trusted source or contain a link to a fake login page that looks like the real thing. Water-holing attacks can be particularly effective because they exploit users’ trust in familiar websites. They can also be difficult to detect because the attack comes from a trusted website rather than a suspicious or unknown source.
Baiting uses physical media, such as DVDs or USB drives, to entice users into inserting the drives into their computers. The bait may be disguised as a free software or music download, a coupon or discount offer, or other enticing content. Many users insert removable media into their computers without properly verifying its source or content. The best defense against baiting attacks is to train users about the risks and how to avoid them. Training would include ensuring that users understand the importance of not inserting removable media into their computers unless it comes from a trusted source, such as their employer or a reputable vendor.
Closing information system vulnerabilities
A vulnerability refers to a weakness in a piece of technology, such as a workstation, server, router, software, cloud, or process, that undermines the system’s ability to provide adequate security assurance that the threat actors will use that have been previously discussed. Three aspects must be considered to assess a vulnerability properly:
- First, the information system’s susceptibility to a particular flaw must be determined. This review involves ascertaining whether the specific version of the technology or software in question meets the criteria for the vulnerability to exist.
- Next, it must be determined whether an attacker can access the information system to exploit the flaw. Depending on the technology and location, an attacker may not have immediate access to the system. This information helps prioritize vulnerabilities as it relates to enterprise vulnerability management.
- Finally, whether sufficient means exist to exploit the flaw must be determined. If an active exploit exists in the wild for a given vulnerability, it should be considered a high-priority vulnerability to be addressed immediately.
After carefully reviewing the characteristics of vulnerabilities related to a specific information system, an information security professional can determine the attack surface for a given vulnerability and prioritize how the enterprise should mitigate the vulnerability. Hundreds of vulnerabilities may exist in an information system at any time. Therefore, the information security professional must be able to prioritize critical vulnerabilities that must be addressed immediately, while other vulnerabilities can be managed more methodically and reasonably over time. The following table provides more details related to this concept.
Example Triage Chart for Vulnerabilities
All Hands on Deck
Planned Methodical Deployment
It is essential to understand that many situations that require an all hands on deck response in information security are often a result of poor management of the enterprise information system. If an organization’s information system is not regularly patched, it can create serious vulnerabilities that must be addressed immediately. Vulnerability management is identifying and addressing vulnerabilities within an organization’s information system. The process involves several steps:
- Firstly, the organization must identify vulnerabilities in its specific information system. This identification can be made through enterprise vulnerability management tools, such as Nessus, as well as staying up to date with information security blogs and subscribing to security sites for the vendors they use.
- Secondly, the organization must triage the vulnerabilities and determine the level of risk they pose to the organization. The information security professional must communicate this risk effectively and determine whether an all hands on deck or a planned approach to a vulnerability is needed.
- Thirdly, the organization must research, plan, and deploy the appropriate mitigations for applicable vulnerabilities. There may be multiple tasks involved in vulnerability mitigation. The information security professional must fully understand these steps, communicate them to stakeholders, and adequately deploy the appropriate countermeasures to mitigate the vulnerability.
- Finally, the organization must continuously monitor the information system to ensure that vulnerabilities have been fully mitigated. Utilizing a vulnerability assessment tool during the vulnerability mitigation process will allow the organization to continuously assess its information system, track progress, and understand when they have successfully met its goal.
This chapter offered a foundational understanding of the information security threats organizations face. Understanding your organizational context is central to this, as it shapes a specific business’ unique vulnerabilities and challenges. The chapter provided a detailed look into the various threats that systems might encounter and discussed the world of hackers, shedding light on their techniques and motivations. The chapter discussed the importance of addressing information system vulnerabilities to mitigate these challenges. The next chapter will discuss the critical elements needed when planning and building an information security program.