ISC CPA - S3 Becker

Last updated 12:07 AM on 3/31/26

282 Terms

S3 M1 - Threats and Attacks

Cybersecurity

-practice of protecting an organization's IT infrastructure and critical data from bad actors by deploying technology, internal control processes, and best practices to mitigate the business impact of these attacks

Highest security concerns for senior executives charged with IT governance are:

-Breaches of data

-Theft

-service interruptions

-regulatory noncompliance

Data breaches

Occur when information is compromised and utilized without the authorization of the owner

Examples of attacks: ransomware, phishing, malware and compromised passwords

Service Disruptions

Unplanned events that cause a general system or major application to be inoperable for an unacceptable length of time

Ex: malware, distributed denial of service (DDoS) attacks, SQL injections and password attacks

Compliance risk

-Regulators can require organizations to comply with cybersecurity regulations

-ex of areas involving compliance risk include: HIPAA, GDPR, PCI-DSS and ISO/IEC 27001

Cyberattack

Any kind of malicious activity that targets computer information systems, infrastructures, computer networks, or personal computer devices and attempts to collect, disrupt, deny, degrade or destroy information system resources or the information itself

Threat Agents

-Attacker, Hacker, threat actor: individuals, or groups known as hacking rings or advanced persistent threats (APTs) that target people or orgs to gain access to systems, networks and data

-Adversary: someone with conflict/incentivized to hack

-Government Sponsored/State-Sponsored: funded or sponsored by nations to hack; steal funds or important information

-Hacktivists: group of hackers that operate to promote social/political causes, moral basis

-Insiders: employees who either organically develop malicious intentions or intentionally infiltrated an org to achieve nefarious objectives

-External Threats: threats that occur from outside of the org, entity, or individual that is the target of the cyberattack

6 Types of Cyberattacks

1) Network-Based Attacks

2) Application Based Attacks

3) Host-Based Attacks

4) Social Engineering Attacks

5) Physical Attacks

6) Supply Chain Attacks

1) Network Based Attacks

*attacks target the infrastructure of a network (such as switches, routers, servers and cabling) to disrupt operations for users

-backdoors and trapdoors

-covert channels

-buffer overflows

-denial of service (DoS)

-man in the middle (MITM)

-port scanning

-ransomware

-reverse shell

-replay attacks

-return-oriented attacks

-spoofing

-address resolution spoofing (ARS)

Back doors and trap doors

Methods to bypass security access procedures by creating an entry and exit point to a network that is undocumented

Covert Channels

*mechanisms used to transmit data using methods not originally intended for data transmission by the system designers

-storage channels: data is transmitted by modifying a storage location allowing another party with lower security permission to access the data

-timing channels: the delay in transmitting data packets is used to hide a transmission

Buffer Overflows

-attacker overloads a program buffer (the temporary storage) with more input than it is designed to hold

-causes the program to overwrite the memory of an application or crash

-attacker can then inject malicious code or take system control

Denial of Service (DoS)

-attacker floods a system's network by congesting it with large volumes of traffic that are greater than the bandwidth it was designed to handle

-excess volume consumes the network's resources so that it cannot respond to service requests, leaving it vulnerable to exploitation

Distributed denial of service (DDoS) - multiple attackers

-when multiple attackers or compromised devices work in unison to flood an organization's network with traffic

-more powerful attack than a traditional DoS attack

Man-in-the-Middle Attacks

-attacker acts as an intermediary between two parties who eavesdrops and intercepts communications

-as info is passed between them the attacker can read or redirect traffic

Port Scanning attacks

-attackers scan networks for open ports to find vulnerabilities that can be exploited so that they can gain unauthorized access to a company's network

-TCP (port 80, HTTP) is typically the most commonly used

-attack focuses on logical ports

Ransomware Attacks

-typically come in the form of malware that locks a user or a company's operating systems, applications and ability to access data unless a ransom is paid

Reverse Shell Attacks

-the victim initiates communication with the attacker from behind the company's firewall (e.g., via an email) so that the attacker can bypass the firewall and remotely control the victim's machine

-also known as "connect back shells"

Replay Attacks

-a cybercriminal eavesdrops on a secure network communication, intercepts it, then replays the message at a later time to the intended target to gain access to network data

Return-Oriented Attacks

-technique that uses pieces of a legitimate original system code in a sequence to perform operations useful to the attacker

-also known as return oriented programming attacks

-each gadget ends with a return instruction causing next gadget to execute operations

Spoofing

-impersonating someone (fake IP address, domain, email) to obtain unauthorized system access by using falsified credentials

-Address Resolution Spoofing: falsifying the mapping of Media Access Control (MAC) addresses on a network to IP addresses

(An attacker links its MAC address with the target's IP address so that devices can communicate with each other point to point)

-DNS Spoofing: a perpetrator modifies the Domain Name System (DNS) records for a website. A company's DNS server translates domain names to IP addresses, e.g., www.Mycompany.com converts to 111.100.1.10

-Hyperlink Spoofing: alteration of hyperlink URLs that redirect the victim away from their intended destination and send them to a nefarious location

2) Application-Based Attacks

-SQL Injection

-Cross Site Scripting (XSS)

-Race Condition

-Mobile Code

Application Based Attacks

-these forms of attacks target specific software or applications (desktop or web) such as databases or websites to gain unauthorized access or disrupt functionality

Structured Query Language SQL Injection

-an application attack in which an attacker injects malicious SQL code into existing SQL code on a company's website to gain unauthorized access to company data

Cross-Site Scripting XSS

-these attacks inject code into a company's website that attacks users visiting the site; when a user visits the website, the user's browser executes the malicious code and performs the attack (can take passwords, usernames, sensitive info)

Race Condition

-attacker exploits a system or application that relies on a specific sequence of operations

-attacker forces the system to perform 2+ operations out of order or simultaneously to gain unauthorized access

Mobile Code

*any software program designed to move from computer to computer to infect other applications by altering them to include a version of the code

Malicious code is referred to as a virus. Types of viruses:

-Overwrite Virus: deletes or overwrites information on infected file

-Multi-Partite Virus: uses a mixture of infection methods to infect files, trying different ways to infect if others fail

-Parasitic Virus: launches when an application that carries the virus launches; the virus is given the same rights as the program being launched (overtaking the host)

-Polymorphic Virus: mutates by changing structure to avoid detection

-Resident Virus: installs a copy of itself in a computer's memory

3) Host-Based Attacks

*target a single host (laptop, mobile device, server) to disrupt functionality or obtain unauthorized access

Included in host based attacks:

-brute-force attacks

-keystroke logging

-malware

-rogue mobile apps

Brute-Force Attacks

-password cracking scheme in which attackers use an automated program that attempts to guess a password

Keystroke Logging

-scheme that tracks the sequence of keys pressed by a user on a keyboard to collect confidential data such as usernames, passwords, personal info

-often delivered as a Trojan Horse

Malware

-software or firmware intended to perform an unauthorized process that has an adverse impact on confidentiality, integrity, availability of Information System

-ex. viruses, worms, trojan horse, adware, spyware

Rogue Mobile Apps

-involve the use of a malicious app that appears legitimate

-a fraudulent party creates a mobile app that is unsuspectingly installed by a victim; the app steals info and gives it to the attacker

4) Social Engineering Attacks

-these attacks involve the use of psychological manipulation or deception to get employees to divulge sensitive information, provide unauthorized access or assist an attacker in committing fraud

Ex: human interaction thru email, text, DM, social media

-phishing

-spear phishing

-business email compromise

-pretexting

-catfishing

-pharming

-vishing

Phishing

-form of digital social engineering

-uses authentic looking, but bogus, emails that request info from users or direct them to a fake website that requests info

Spear Phishing

-form of phishing that targets employees in a corporate entity by posing as a legitimate department or employee, such as Human Resources or the IT director

-goal is to obtain confidential info such as usernames, passwords or personal data that can be used for exploitation

Business Email Compromise (BEC)

-type of phishing

-targets executives and other high ranking individuals

-involves schemes to get the executive to transfer money through a wire, pay fake foreign suppliers, or send sensitive data to someone impersonating an attorney or other employee

-also called whaling

Pretexting

-creating a fake identity or scenario so the employee has a sense of urgency to act

-attacker is able to obtain sensitive information or manipulate victim into performing fraudulent act

Catfishing

-involves the creation of a fake online persona that is used to lure a victim into a personal relationship with a fraudster

-person conducting the scheme then appeals to the emotional nature of victim and requests money, gifts, etc

Pharming

-often used in combo with phishing

-involves victim entering personal info into a website or portal that imitates a legitimate website

-scheme may involve manipulation of Domain Name System (DNS) servers

Vishing

-involves fraudulent schemes using telephone systems or voice over internet protocol (VoIP)

-involves a spoofed or fraudulent caller ID that is tied to a legitimate business or person

-ex: attackers use voice messages and key tones or voice recognition

5) Physical (On-Premises) Attacks

A security breach carried out on an org's premises or performed in some way that physically involves a bad actor gaining control of sensitive data, hardware or software

PITTT

-intercepting discarded equipment

-piggybacking

-targeted by attackers

-tampering

-theft

Intercepting Discarded Equipment

By obtaining access to outdated/discarded equipment in the trash, fraudsters steal sensitive data

Piggybacking

-involves an attacker using an authorized person's access to gain entrance to a physical location or electronic access

-Involves an attacker convincing an authorized employee to let them into the facility by getting the authorized employee to swipe their own access badge.

Targeted by attackers

on-premises infrastructures are often targets of hacking groups or attackers because they know that many organizations lack sophisticated cybersecurity defenses

-may be due to the cost of implementation or a lack of awareness of potential cyber threats

Tampering

-involves gaining physical access to a company's IT infrastructure and modifying the way its network collects, stores, processes or transmits data

-can be done by physically rewiring cabling, plugging directly into network, adding unauthorized device to network

Theft

Refers to the act of physically stealing data, hardware or software

6) Supply Chain Attacks

-these attacks use cyber tactics to target the production and distribution of goods within a supply chain so that there are larger disruptions in the normal operations of a company, government or other entity

-embedded software code

-foreign-sourced attacks

-pre-installed malware on hardware

-vendor attacks

-watering hole attacks

Embedded Software Code

-involves inserting code into prepackaged software or firmware being sold to a company that later installs the software after purchase

Foreign-sourced Attacks

In many countries, governments have deep and widespread control of companies in the private sector. Those governments may use products sold to other countries to conduct surveillance or deliver malicious code

Preinstalled Malware on Hardware

-attack involves installing malware on devices that will be used by companies in a supply chain such as USB drives, cameras or phones

-once the company acquires the devices and connects them to the company network, the malware executes

Vendor attacks

This attack is perpetrated upon key vendors of a target company so that the normal production of goods or business operations is disrupted.

Watering Hole Attack

-fraudsters identify websites of suppliers, customers, or regulatory entities that are known to be used by several companies

-attackers then look for weaknesses at that third party that can be used to deliver malware, steal data or obtain unauthorized access

Stages in a Cyberattack

1) Reconnaissance: collecting info

2) Gaining Access

3) Escalation of Privileges: gaining higher level access

4) Maintaining Access

5) Network Exploitation and Exfiltration: malicious activity

6) Covering Tracks: concealing entry or exit points

Reconnaissance

-Attackers discover and collect as much info about the target IT system as possible

-attackers may also search for specific vulnerabilities such as open ports that are not adequately protected or software apps not sufficiently patched

Gaining Access

When the information collected in the previous steps is used to gain access to the target of an attack using a variety of techniques

Escalation of privileges

-once unauthorized access into a system is obtained, attackers attempt to gain higher levels of access in this stage

-may be done by obtaining the credentials of a user with higher privileges

Maintaining Access

attacker remains in the system for a sustained period of time until the attack is completed and looks for alternative ways to prolong access or return later.

Network Exploitation and Exfiltration

In this stage, attackers proceed with the objective of disrupting system operations by stealing sensitive data, modifying data, disabling access to systems or data, or performing other malicious activities

Covering tracks

Occurs while the attack is in progress or after the attack is completed and involves the attacker concealing the entry or exit points in which access was breached

Done by:

-disabling audit functionality

-clearing logs

-modifying logs and registry files

-removing all files and or folders created

Cloud Computing

Way for organizations to store, use, process, and share data, software, and applications without the need to own or manage the resources required to perform those functions on company premises

Risks Related to Cloud Computing

1) additional industry exposure

2) cloud malware injection attacks

3) compliance violations

4) loss of data

5) loss of control

6) loss of visibility

7) multi-cloud and hybrid management

8) theft or loss of intellectual property

*cloud computing arrangements should follow the Cloud Security Alliance's Cloud Controls Matrix

Additional Industry Exposure

-more or less by design, organizations subscribing to a cloud provider may be exposed to other subscribing orgs and their unique industry risks

-cyber threats that one company might not be exposed to become a risk to the other companies that share the same cloud computing provider

Cloud Malware Injection Attacks

-an attacker gains access to the cloud environment and then injects malware so that data can be stolen, services disrupted or further access gained

Compliance Violations

-cloud computing relies on third party hosts, and there is the compliance risk that these hosts or service providers do not have the security protocols and procedures in place to meet regulations on privacy and confidentiality

Loss of control

-Not having physical or logical access to computing equipment means an organization using cloud computing services will relinquish some control over its infrastructure

-as a result, changes or upgrades to the cybersecurity measures may not be timely or up to the standard that the subscribing company prefers

Loss of data

The third party cloud computing services provider is susceptible, albeit less likely than most businesses, to data breaches, losing data or exposing data

Loss of visibility

Loss of full visibility of the company's IT Infrastructure comes with a loss of control

The only entity that has full visibility is the cloud provider, which means the subscribing organization does not know all of its risks

Multi-Cloud and Hybrid Management Issues

A company subscribes to various cloud based solutions and maintains some on premises IT Infrastructure

-while having a hybrid or multi cloud setup can be part of a good cybersecurity diversification plan, it may prove challenging to integrate and monitor multiple environments which could make detecting a cyberattack difficult

Theft or Loss of Intellectual Property

-cloud apps store various types of data for companies including proprietary info and there is risk that the service provider lacks sufficient controls over the data which results in theft or loss of intellectual property (IP)

Risks Related to Mobile Technologies

1) application malware

2) lack of updates

3) lack of encryption

4) physical threats

5) unsecured Wi-Fi networks

6) location tracking

Application Malware

This threat occurs when a user downloads an application that appears to be legitimate but gives an unauthorized user access to the device

Ex: when a user visits a site, malware could be installed that steals private info without the user's knowledge

Lack of updates

Patches and security fixes that have yet to be installed at a given point in time leave the device vulnerable

-devices that go long periods of time without updates are at risk

Lack of Encryption

-Many mobile devices are not encrypted and only rely on a passcode for secure access

-once access is gained, passwords can be reset on the web by using the victim's email on the mobile device

Physical threats

Examples of physical threats include loss or theft of a mobile device

-if the device does not have sufficient access controls, theft could lead to an unauthorized user gaining the ability to access sensitive information and applications

Unsecured WIFI networks

Users of mobile devices often connect to public unsecured networks, which means anyone on the same network could potentially access that device, steal sensitive info, or infect the device with malware

Location Tracking

Unauthorized tracking is a risk that involves a threat actor using Global Positioning System (GPS) technology to locate people, devices or other assets. With this knowledge, attackers can devise plans that use the victim's location to perpetrate an attack

Internet of Things (IoT)

A class of smart devices connected to the internet that provide automation and remote control for other devices in a home or office setting such as cameras, tablets, wearable devices, phones and alarm systems

Risks Related to Internet of Things (IoT)

1) Device Mismanagement - always change default passwords

2) Device Spoofing

3) Escalated Cyberattacks - using IoT as entry point

4) Expanded Footprint

5) Information Theft

6) Outdated Firmware

7) Malware

8) Network Attacks

Device Mismanagement

-insufficient password controls and device mismanagement can increase the risk of a cyberattack

-can lead to the loss of critical info or access to the devices on the IoT network

Device Spoofing

This is when an attacker connects illegitimate devices to a company network to gain info or perform unauthorized activities

-illegitimate devices may include phony devices or standard devices being modified for malicious attack

Escalated Cyberattacks

IoT devices can be used as an attack base to infect more machines, or as an entry point for access into a connected network

Expanded Footprint

IoT devices paired with other devices that are directly connected to a company's core network expand the footprint of total devices under a company's purview, thus increasing the number of points subjected to attack

Information Theft

Since IoT devices are connected to the internet, they have the potential for sensitive data to be stolen or exploited because the data is either stored in the cloud or on other devices that can be accessed

Outdated firmware

Firmware is software that is pre installed on a device that controls its local functions. When it's not updated to the latest version, attackers can exploit the vulnerability and gain access to

Malware

IoT networks and devices are susceptible to cyberattacks due to the often limited computing power among the individual devices connected to the network

An example of malware is ransomware, where the malware code denies access to the devices until a financial consideration is paid by the user

Network attacks

Threat actors can launch DoS attacks on IoT networks and devices just as they can with traditional networks

These types of attacks overburden a network with traffic via IoT devices and render it useless

Threat Modeling

Process of identifying, analyzing and mitigating threats to a network, system or application

Goal : to understand all risks a system could face and develop controls and countermeasures to minimize the impact of a risk or to try and prevent it from happening

Phases of Threat Modeling

1) Identify Assets

2) Identify Threats

3) Perform Reduction Analysis: (decompose/break down components)

4) Analyze Impact of an Attack (quantify impact in $)

5) Develop Countermeasures and Controls

6) Review and Evaluate

1) Identify Assets

Involves inventorying all assets that need to be protected against threats using the CIA triad

2) Identify Threats

Includes identifying the threat types and characteristics such as intent, targeting and potential method of attack

Realistic threat scenarios should also be discussed and used for planning

3) Perform Reduction Analysis

Phase involves decomposing the asset being protected from the threat. Intent is to gain a greater understanding of how the asset interacts with potential threats whether they are systems, apps or networks

4) Analyze Impact of an Attack

Quantifying the impact of an attack in terms of dollars will help prioritize solutions

Understanding other qualitative effects should also be considered

5) Develop countermeasures and controls

-May include implementing security controls like intrusion detection systems, contingency plans and security protocols in the event of a successful attack.

Responses should be prioritized based on the threat with the greatest risk

Review and evaluate

Periodically evaluating the threat model should be done so that updates can be made based on new risks in the threat landscape

Three Commonly Used Methodologies for Threat Models

-PASTA: Process for Attack Simulation and Threat Analysis

-VAST: Visual, Agile, and Simple Threat

-STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-Service, and Elevation of Privilege

PASTA Threat Model stages

-Process for Attack Simulation and Threat Analysis

1) define objectives

2) define technical scope

3) application decomposition and analysis

4) threat analysis

5) weakness and vulnerability analysis

6) attack modeling and simulation

7) risk analysis and management

VAST Threat Model

Based on the agile project management methodology

Goal: to integrate threat management into a programming environment on a scalable basis

STRIDE Threat Model

Threat model developed by Microsoft that is used for assessing threats related to applications and operating systems

Its six threat concepts, listed in its name, are broad enough to cover threat concerns other than apps, such as network threats or social engineering

S3 M2 - Mitigation