CYBERSECURITY

Computer Security

 

• Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks.

• These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.

Cybersecurity aims to protect individuals' and organizations' systems, applications, computing devices, sensitive data and financial assets against everything from simple, annoying computer viruses to sophisticated and costly ransomware attacks.

 

Types of Cyberattacks

A cyber attack is any offensive action that targets computer information systems, infrastructures, computer networks or personal computing devices, using various methods to steal, alter or destroy data or to disrupt the systems themselves.

Software that listens on or connects to a network opens a pathway into the host it runs on. If such a program runs with more privilege than it needs, or trusts the input it receives, a flaw in it lets an attacker reach past the controls that guard sensitive information.

 

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

A denial-of-service attack overwhelms a system's resources (bandwidth, connection table, CPU or memory) so that it can no longer respond to legitimate service requests.

A DDoS attack targets the same resources, but is launched simultaneously from a large number of other host machines (a botnet) that have been infected with malicious software controlled by the attacker. Because the traffic arrives from many sources, it cannot be stopped by blocking a single address.

A DoS attack can also be a means to an end: knocking a system or a legitimate client offline so that a different kind of attack can be carried out. A common example is session hijacking, where the real client is kept from responding while the attacker takes over its session.
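The difference between a single-source flood and a distributed one shows up directly in the server's access log. The following Python script is an added example, not code from the original page: it parses constructed log lines in an assumed simplified format (client IP, ISO timestamp, request), counts requests per second and per source address, and labels a flooded second as DoS when one address owns most of the traffic and as DDoS otherwise. The threshold values, the addresses (all from documentation ranges) and the log format are assumptions made for the demonstration.

```python
"""Flood detection over constructed web-server access log lines (added example).

Requests are bucketed per second and per source IP.  A second whose total request
count reaches RATE_THRESHOLD is a flood; if one source accounts for most of it the
finding is labelled "DoS", otherwise "DDoS".  Thresholds are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified log format assumed for this example: "<client-ip> [<ISO-8601 time>] <request>"
LINE_RE = re.compile(r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<req>.+)$")

RATE_THRESHOLD = 100        # requests per second that count as a flood (assumed)
SINGLE_SOURCE_SHARE = 0.8   # share one IP must own for the flood to count as single-source (assumed)


def parse_line(line):
    """Return (ip, timestamp, request) for one log line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return m["ip"], datetime.fromisoformat(m["ts"]), m["req"]


def build_sample_log():
    """Constructed sample traffic: 20 s of normal load, a 5 s single-source flood,
    then a 5 s flood spread over 200 sources.  All addresses are documentation ranges."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for s in range(20):                                   # normal: 5 clients, 1 request/s each
        for i in range(1, 6):
            lines.append(f"203.0.113.{i} [{(base + timedelta(seconds=s)).isoformat()}] GET /index.html")
    for s in range(20, 25):                               # DoS: one host, 200 requests/s
        for _ in range(200):
            lines.append(f"198.51.100.7 [{(base + timedelta(seconds=s)).isoformat()}] GET /login")
    for s in range(30, 35):                               # DDoS: 200 hosts, 1 request/s each
        for i in range(1, 201):
            lines.append(f"192.0.2.{i} [{(base + timedelta(seconds=s)).isoformat()}] GET /search?q=x")
    return lines


def detect_floods(lines, rate_threshold=RATE_THRESHOLD, single_source_share=SINGLE_SOURCE_SHARE):
    """Return one finding per flooded second: (time, kind, total_requests, distinct_sources)."""
    per_second = defaultdict(Counter)                     # second -> Counter(ip -> requests)
    for line in lines:
        ip, ts, _ = parse_line(line)
        per_second[ts.replace(microsecond=0)][ip] += 1

    findings = []
    for second in sorted(per_second):
        sources = per_second[second]
        total = sum(sources.values())
        if total < rate_threshold:
            continue
        _, top_count = sources.most_common(1)[0]
        kind = "DoS" if top_count / total >= single_source_share else "DDoS"
        findings.append((second.isoformat(), kind, total, len(sources)))
    return findings


if __name__ == "__main__":
    for finding in detect_floods(build_sample_log()):
        print(*finding)
```

Fixed one-second buckets keep the example short; production detection uses sliding windows and per-endpoint baselines. For a true DDoS the host behind a saturated link cannot rescue itself, so mitigation (rate limiting, scrubbing, anycast absorption) has to happen at the network edge or at an upstream provider, and the log analysis above mainly tells you which of the two situations you are in.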

 

Man-in-the-Middle (MitM) Attack

A MitM attack occurs when an attacker inserts itself between a client and a server, relaying, reading or altering the traffic while both ends believe they are talking to each other directly. One common type of man-in-the-middle attack:

• Session hijacking – In this type of MitM attack, an attacker takes over an established session between a trusted client and a network server. The attacking computer substitutes its own IP address for that of the trusted client, and the server continues the session believing it is still communicating with the client.

 

 

 

Drive-by Attack

Drive-by download attacks are a common method of spreading malware. Attackers look for insecure websites and plant a malicious script into the HTML or PHP code of one of the pages.

When someone visits the site, the script may install malware directly onto the visitor's computer, typically by exploiting a vulnerability in the browser or one of its plug-ins, or it may redirect the victim to a site controlled by the attackers. Drive-by downloads can happen when visiting a website, viewing an email message or opening a pop-up window.

Unlike many other types of cyber attack, a drive-by does not rely on the user doing anything to actively enable it: you do not have to click a download button or open a malicious email attachment to become infected. Keeping the browser and its plug-ins patched removes the vulnerabilities these scripts depend on.

 

Password attack

Because passwords are the most commonly used mechanism to authenticate users to an information system, obtaining passwords is a common and effective attack approach. A person's password can be obtained by looking around the person's desk, "sniffing" the network connection to capture passwords sent unencrypted, using social engineering, gaining access to a password database, or outright guessing. Guessing can be done in a systematic or a targeted manner:

• Brute-force password guessing means systematically trying every possible combination of characters up to some length until one works; its cost grows exponentially with password length and alphabet size.

• Dictionary attacks instead try a list of likely passwords (common passwords, words, previously leaked credentials), which succeeds far faster against weak choices.

When the attacker has stolen a password database, both methods run offline against the stored hashes, so the defender's choice of a salted, deliberately slow hash function is what limits how many guesses per second the attacker can make.
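The two guessing strategies, run offline against a stored hash, as an added Python example that is not part of the original page: the defender stores PBKDF2-HMAC-SHA256 of the password with a salt, and the attacker reproduces that computation for every guess, either from a word list or by exhaustive enumeration. The salt, the deliberately low iteration count, the tiny alphabet and the victim password are all assumptions chosen so the search finishes instantly; the point is the guess counts, not the secrecy of the sample.

```python
"""Offline password guessing against a salted, iterated hash (added example).

Both attacks compute the same key-derivation function the defender used and compare
the result to the stored hash.  The salt and iteration count are assumed values for
this demonstration; real deployments use a random per-user salt and far more iterations.
"""
import hashlib
import itertools

SALT = b"constructed-per-user-salt"   # assumed: a real system stores a random salt per user
ITERATIONS = 1_000                     # assumed: deliberately low so the demo runs quickly


def derive(password, salt=SALT, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256: what the defender stores, and what the attacker must reproduce per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(stored_hash, wordlist, salt=SALT, iterations=ITERATIONS):
    """Try each word from a list of likely passwords. Returns (password, guesses) or (None, guesses)."""
    for guesses, word in enumerate(wordlist, start=1):
        if derive(word, salt, iterations) == stored_hash:
            return word, guesses
    return None, len(wordlist)


def brute_force(stored_hash, alphabet, max_length, salt=SALT, iterations=ITERATIONS):
    """Systematically enumerate every string over `alphabet` up to `max_length`, shortest first.
    Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if derive(candidate, salt, iterations) == stored_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size, max_length):
    """Guesses an exhaustive search may need: sum of |alphabet|^k for k = 1..max_length."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


if __name__ == "__main__":
    # Constructed victim: a 3-character password over a 3-symbol alphabet, so the search stays tiny.
    stored = derive("ba1")
    print(dictionary_attack(stored, ["123456", "password", "letmein", "ba1"]))   # ('ba1', 4)
    print(brute_force(stored, "ab1", 3))                                         # ('ba1', 24)
    # The same search over 8 characters of lowercase letters and digits:
    print(keyspace(36, 8))
```

Each guess costs the attacker one full key derivation, so raising the iteration count (or moving to a memory-hard function such as Argon2) multiplies the cost of every entry in the key space, while the salt stops one precomputed table from serving every user in the database.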

 

Birthday Attack

Birthday attacks are made against hash algorithms that are used to verify the integrity of a message, software or digital signature. A message processed by a hash function produces a message digest (MD) of fixed length, independent of the length of the input message. Because the digest is much shorter than most messages, many messages share each digest; the hash function is designed so that finding any two of them is infeasible in practice.

The birthday attack exploits the probability of finding two different messages that produce the same MD: by the birthday paradox, an attacker who is free to choose both messages needs only about 2^(n/2) hash computations for an n-bit digest, instead of the 2^n expected for matching one fixed digest. The attacker prepares many harmless-looking variants of a message the victim is willing to sign and many variants of a malicious message, finds one pair with the same MD, has the victim sign the harmless one, and later substitutes the malicious one. The receiver cannot detect the replacement even if he compares the MDs, because they are identical. This is why digests must be long (SHA-256 rather than MD5 or SHA-1) and why collision-prone hashes have been retired from signature use.
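The two-message search described above, as an added Python example that is not part of the original page. To keep the run to a few seconds the digest is SHA-256 truncated to 32 bits, standing in for a weak short hash; the message texts, the way variants are generated (a random trailing comment) and the random seed are constructed for the demonstration. The same code also tries the harder problem, matching one fixed digest, with a budget of 2^16 attempts, to show why that fails where the birthday search succeeds.

```python
"""Birthday attack on a truncated hash (added example).

The digest is SHA-256 truncated to `bits` bits so that the search finishes in seconds;
the arithmetic is what matters: a collision between two freely chosen messages costs
about 2^(bits/2) hash computations, while matching one fixed digest (a second preimage)
costs about 2^bits.  Message texts and the seed are constructed for this example.
"""
import hashlib
import math
import random


def truncated_digest(message, bits):
    """Leading `bits` bits of SHA-256(message) as an integer: stands in for a weak, short hash."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def variant(message, rng):
    """An innocuous-looking variant: the same text with a random trailing comment.
    Real attacks vary whitespace, wording or metadata so the signer sees nothing odd."""
    return message + b"  # ref " + rng.getrandbits(64).to_bytes(8, "big").hex().encode()


def birthday_attack(benign, malicious, bits, seed=1):
    """Find variants b' of `benign` and m' of `malicious` with the same truncated digest.
    The victim signs (or records the digest of) b'; the attacker later substitutes m'.
    Returns (b', m', pairs_tried)."""
    rng = random.Random(seed)
    benign_seen, malicious_seen = {}, {}
    pairs = 0
    while True:
        pairs += 1
        b, m = variant(benign, rng), variant(malicious, rng)
        hb, hm = truncated_digest(b, bits), truncated_digest(m, bits)
        if hb == hm:
            return b, m, pairs
        if hb in malicious_seen:
            return b, malicious_seen[hb], pairs
        if hm in benign_seen:
            return benign_seen[hm], m, pairs
        benign_seen[hb], malicious_seen[hm] = b, m


def second_preimage(target, bits, max_attempts, seed=1):
    """Try to hit one fixed digest: returns (message, attempts) or (None, max_attempts)."""
    rng = random.Random(seed)
    want = truncated_digest(target, bits)
    for attempts in range(1, max_attempts + 1):
        candidate = variant(b"forged", rng)
        if truncated_digest(candidate, bits) == want:
            return candidate, attempts
    return None, max_attempts


def expected_work(bits):
    """Rough expected hash evaluations: (birthday search, second-preimage search)."""
    return round(math.sqrt(math.pi / 2 * 2 ** bits)), 2 ** bits


if __name__ == "__main__":
    BITS = 32
    b, m, pairs = birthday_attack(b"Pay 100 EUR to Alice", b"Pay 10000 EUR to Mallory", BITS)
    print(f"collision after {pairs} pairs:\n  {b!r}\n  {m!r}")
    print(second_preimage(b, BITS, max_attempts=2 ** 16))   # (None, 65536): budget far too small
    print(expected_work(BITS))                              # (82137, 4294967296)
```

Doubling the digest length squares the birthday cost, which is why a 128-bit digest (MD5) offers only about 64 bits of collision resistance and is no longer acceptable for signatures, and why the search above would be hopeless against the full 256-bit SHA-256 output.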

 

Events That Changed Cybersecurity

 

1971 - The First Computer Virus

• A self-replicating program called "Creeper" was written by Bob Thomas at BBN; it moved between machines on the ARPANET, displaying the message "I'm the creeper, catch me if you can!"

• This led to the creation of the first antivirus program, "Reaper", written by Ray Tomlinson to find and delete Creeper.

 

1976 - 2006 – The Largest Insider Attack

• Over roughly 30 years, Dongfan "Greg" Chung, an engineer at Rockwell and later Boeing, stole aerospace and defense documents (valued at an estimated $2 billion) and passed them to China. He was convicted of economic espionage in 2009.

• The intent to supply China with military and spacecraft intelligence threatened not just the company but the United States as a whole.

 

2013 - The Snowden Effect

• Edward Snowden, a former CIA employee then working as an NSA contractor, leaked a large cache of classified National Security Agency documents describing its surveillance programs. Public opinion was divided over what Snowden did, and many people lost trust in the government.

 

2013-2014 – Largest Data Breach

• Attackers compromised Yahoo in 2013 and again in 2014, exposing the personal information of all of its roughly 3 billion user accounts. Yahoo did not disclose the breaches until 2016, initially understated their size, and faced multiple lawsuits as a result.

 

 

 

2017 - The First Ransomworm

• WannaCry, a ransomware, targeted computers running the Microsoft Windows OS and demanded ransom payments in Bitcoin. Unlike earlier ransomware it spread on its own, using the EternalBlue exploit for an SMBv1 vulnerability that Microsoft had patched two months earlier (MS17-010), which is why it is called a ransomworm; unpatched machines were infected without any user action.

• In just one day, the ransomware infected over 230,000 computers in over 150 countries.

 

2017 – NotPetya Ransomware Attack

• NotPetya, another piece of Windows malware disguised as ransomware, infected over 12,500 computers in its initial wave. It entered through a compromised update of Ukrainian accounting software and then spread laterally using the same EternalBlue exploit and stolen credentials, wiping data from energy firms, banks, government offices, and airports. NotPetya did not merely encrypt data: it overwrote the master boot record so that affected computers would not start, and because the ransom mechanism could not actually produce a decryption key, the data was unrecoverable even for victims who paid.

 

2017 - The Largest Credit Card Attack

• Equifax, a credit bureau, failed to patch a known vulnerability in the Apache Struts web framework, and attackers used it to take the personal data of over 143 million Americans (a figure later revised to about 147 million), including names, Social Security numbers, birth dates and addresses. About 209,000 consumer credit card numbers were also exposed.

Cyber Kill Chain

The Cyber Kill Chain (Lockheed Martin) models an intrusion as a sequence of stages; defenders try to detect and break the chain at the earliest stage they can.

Reconnaissance - harvesting employee email addresses and credentials, probing the network in search of vulnerabilities

  Passive Reconnaissance - gathering information about targeted computers and networks without actively engaging with the systems (e.g., social media, Google searches, public DNS and certificate records)

  Active Reconnaissance - engaging directly with the targeted system to gather information about vulnerabilities (e.g., Nmap port scanning, vulnerability scanners); unlike passive reconnaissance, this leaves traces in the target's logs

Weaponization - coupling an exploit with a backdoor to create a deliverable payload

Delivery - delivering the weaponized bundle to the victim through email, web, USB, or cloud

Exploitation - exploiting a vulnerability to execute code on the victim's system

Installation - installing malware on the asset so that access persists across reboots

Command and Control - establishing a command channel to an external server for remote manipulation of the compromised asset

Actions on Objectives - for example, data exfiltration, ransomware deployment or corporate espionage

SOC (Security Operations Center)

Security Operations Center - an in-house or outsourced team of IT security professionals that monitors an organization's entire IT infrastructure, 24/7, to detect, analyze and respond to cybersecurity events

Security Posture - the status of an organization's readiness to protect its assets: its controls, its visibility into them, and its ability to respond when they fail

SOC Activities and Responsibilities

• Preparation, planning and prevention - prioritizes readiness, strategy and proactive measures; starts with an asset inventory, since nothing can be monitored or patched that is not known to exist

• Monitoring, detection and response - monitors the entire extended IT infrastructure 24/7/365 for signs of known exploits and for any suspicious activity, triages the resulting alerts and contains confirmed incidents

• Recovery, refinement and compliance - restores affected systems after an incident, feeds lessons learned back into detections and processes, and ensures all applications, systems, and security tools and processes comply with data privacy regulations
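A concrete piece of the monitoring and detection work, as an added Python example that is not part of the original page: a detector for online password guessing run over constructed sshd-style log lines. It keeps a sliding window of failed logins per source address, raises a medium-severity alert when the count crosses a threshold, and raises a high-severity alert when a login from that same source then succeeds, which is the case an analyst needs to look at first. The host name, addresses, threshold, window length and log year are assumptions for the sample.

```python
"""Detecting online password guessing in sshd log lines (added example).

A sliding window counts failed logins per source address; crossing the threshold raises a
medium alert, and a successful login from a source that was recently guessing raises a high
one, since it may mean a guess worked.  Log lines, thresholds and host names are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

FAIL_THRESHOLD = 5               # failures per source inside the window (assumed)
WINDOW = timedelta(minutes=2)    # sliding window length (assumed)
LOG_YEAR = 2024                  # syslog timestamps carry no year; assumed for the sample


def parse_sshd_line(line):
    """Return (timestamp, result, user, ip) or None for lines that are not password auth events."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m["result"], m["user"], m["ip"]


def detect_guessing(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as dicts with ip, severity and reason, in the order they fire."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerted = set()                        # sources already reported at medium severity
    alerts = []
    for line in lines:
        event = parse_sshd_line(line)
        if event is None:
            continue
        ts, result, user, ip = event
        window_failures = recent_failures[ip]
        while window_failures and ts - window_failures[0] > window:
            window_failures.popleft()      # drop failures that have aged out of the window
        if result == "Failed":
            window_failures.append(ts)
            if len(window_failures) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "severity": "medium",
                               "reason": f"{len(window_failures)} failed logins within {window}"})
        elif len(window_failures) >= threshold:
            alerts.append({"ip": ip, "severity": "high",
                           "reason": f"login as {user} succeeded after {len(window_failures)} recent failures"})
    return alerts


# Constructed sample: one guessing source, one ordinary user with a typo, one non-auth line.
SAMPLE_LOG = """\
Mar  1 10:00:01 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  1 10:00:03 bastion sshd[4103]: Failed password for root from 198.51.100.7 port 40024 ssh2
Mar  1 10:00:05 bastion sshd[4105]: Failed password for bob from 203.0.113.5 port 51000 ssh2
Mar  1 10:00:06 bastion sshd[4106]: Failed password for invalid user test from 198.51.100.7 port 40026 ssh2
Mar  1 10:00:08 bastion sshd[4108]: Accepted password for bob from 203.0.113.5 port 51000 ssh2
Mar  1 10:00:09 bastion sshd[4109]: Failed password for alice from 198.51.100.7 port 40028 ssh2
Mar  1 10:00:12 bastion sshd[4112]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Mar  1 10:00:15 bastion sshd[4115]: Accepted password for alice from 198.51.100.7 port 40032 ssh2
Mar  1 10:00:16 bastion sshd[4116]: Connection closed by 203.0.113.5 port 51000
""".splitlines()


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

Keying the window on the source address catches a single guessing host; a distributed "password spraying" campaign (many sources, one or two guesses each against many accounts) needs a second window keyed on the target account, and the high-severity rule is the one worth paging on, because the medium alert fires on every Internet-facing host all day.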

SOC Team Members

Incident Responder - identifies and responds to security incidents

Forensic Investigator - conducts in-depth forensic analysis of security incidents

Compliance Auditor - ensures that the organization complies with relevant industry, national, and global privacy and security regulations

Security Analyst - monitors the network, systems, and logs for signs of security breaches and suspicious activities

Security Engineer - manages and maintains security technologies and infrastructure

Threat Hunter - proactively seeks out potential threats and vulnerabilities within the organization's infrastructure

SOC Manager - oversees the entire SOC team and operations

SOC Operator - monitors security alerts and events in real time

Malware Analyst - specializes in analyzing and dissecting malware

Security Awareness Trainer - educates employees and staff on security best practices and policies