
Cybersecurity Essentials

Lecture 2
Identifying Potential Security threats
Dr. Eman Zahran
Identifying Potential Security threats
The main goal of this part is to help you identify the different types of
security threats:
1- Software Threats
2- Hardware Threats
3- Data Threats
Software Threats
Software threats include theft, exploits, and malware.
Software or license theft is the unauthorized copy or use of copyright-protected
software. This includes pirating software and counterfeiting activation codes.
Exploits are pieces of code that use vulnerabilities in hardware or software to
get into a system. Malware-infected websites use exploits to automatically
download malware to a system.
Malware is a general term for software designed to compromise computer systems.
Hardware Threats
Hardware threats occur due to:
• Weak security policies that lead to physical threats, tampering, or the theft
of hardware.
• Hardware failure or destruction during power outages, fires, and natural
disasters such as earthquakes.
Mitigation of Hardware threats
To keep hardware safe:
• Lock it in a secured area with card readers on doors to limit access (only
trusted, authorized personnel should have physical access to information
systems, and only to the specific systems they are responsible for).
• Use robust surveillance on the inside and outside of the premises.
• Keep these two security solutions maintained, updated, and tested.
• Keep hardware safe with a well-maintained infrastructure that includes fire
suppression systems, backup power, and HVAC systems. Heating, Ventilation
and Air Conditioning (HVAC) systems control the ambient environment
(temperature, humidity, air flow and air filtering).
Data Threats
Unpatched systems, misconfigured firewalls, weak cybersecurity, and weak
physical security are just a few ways that data threats occur.
• Data Leaks & Data Breach & Data Loss
• Dumpster Diving
Data Leaks & Data Breach & Data Loss
Data leaks
Data Leak = Exposure: the unintentional exposure of sensitive data, either
through human error or overlooked vulnerabilities.
Data leaks are the accidental exposure of confidential or sensitive data through
a security vulnerability. Data leaks can occur in various ways, including
unprotected databases, misconfigured servers, or human errors like
inadvertently sending an email containing confidential data to the wrong
recipient.
Data Leaks & Data Breach & Data Loss Cont.
Data breaches
Data Breach = Unauthorized Access
A data breach occurs when unauthorized individuals gain access to sensitive
information. Cybercriminals often exploit security vulnerabilities to infiltrate an
organization's network or environment, stealing confidential data such as
personally identifiable information (PII), financial records, or trade secrets.
The motive behind data breaches can range from financial gain through selling
stolen data on the dark web, to espionage and sabotage.
Data Leaks & Data Breach & Data Loss Cont.
Data Loss
Data Loss = Removal: encompasses both accidental and intentional removal of
sensitive data, often due to errors or theft.
Data loss encompasses incidents where sensitive data is unintentionally misplaced
or stolen through cyber attacks or insider threats. Data loss also includes scenarios
where information cannot be retrieved due to human or system errors, or
hardware failures.
A battle running between attackers and
cybersecurity professionals
Goals of attacks:
Attacks are generally used to accomplish one or more of these three goals:
1- An access attack: someone who should not be able to access your resources
gains access to them.
2- A modification and repudiation attack: someone wants to modify
information in your systems.
3- A denial-of-service (DoS) attack: an attempt to disrupt your network and
services. It can prevent authorized users from having access because the
system is busy responding to illegitimate requests.
Understanding Access Attack Types
• An access attack is an attempt to gain access to information that the
attacker isn’t authorized to have.
• These types of attacks focus on breaching the confidentiality of
information.
• They occur either internally or externally; they might also occur when
physical access to the information is possible.
Access Attack Types
1- Dumpster diving
2- Capturing information en route between two systems
Understanding Access Attack Types
1- Dumpster diving
Dumpster diving is the act of physically searching through a literal dumpster to
find something valuable. A company’s trash might contain lists of customer
names, phone numbers, contact information, business plans, product
designs, or an access code written on a post-it note.
Companies normally generate a huge amount of paper, most of which
eventually winds up in Dumpsters or recycle bins. Dumpsters may
contain information that is highly sensitive in nature.
In high-security and government environments, sensitive papers are
either shredded or burned (Document Shredding).
Document Shredding
Tech companies require document shredding and device destruction as a
normal part of business because these can be stolen from the trash to
harvest data that can be used for identity theft and data breaches, or the
data could be sold to hackers, or a company's competitors.
Understanding Access Attack Types
2- Capturing information en route between two systems
A second common method used in access attacks is to capture information
en route between two systems; in such attacks it is data, rather than paper,
that is found.
Understanding Access Attack Types
2- Capturing information en route between two systems
There are several common types of access attacks:
• Eavesdropping
• Snooping
• Interception
Understanding Access Attack Types
Eavesdropping
Eavesdropping (or packet-sniffing) attacks occur on wireless, wired, and phone
connections. A packet sniffer is a tool that intercepts everything transmitted on a
network. Anything your device sends on an unencrypted network can be viewed
with a packet sniffer. This gives hackers an opportunity to intercept, alter, or delete
data transmitted between devices.
If a network is encrypted, packet sniffers will only be able to see things like the
origin and destination of a packet, but not the data inside it.
• This type of attack is generally passive, capturing all the relevant network
traffic for later analysis.
Understanding Access Attack Types
Eavesdropping
For example, a co-worker might overhear your dinner plans because your
speakerphone is set too loud or you’re yelling into your cell phone.
The opportunity to overhear a conversation is coupled with the
carelessness of the parties in the conversation.
Understanding Access Attack Types
Snooping
Hackers use snooping attacks to intercept data between devices. These
attacks can reveal logins, credit card numbers, intellectual property, and
more.
Snooping occurs when someone looks through your files hoping to find
something interesting. The files may be either electronic or on paper.
Understanding Access Attack Types
Snooping
Snooping means looking around a place secretly, in order to discover things or
find out information about someone or something.
In the case of physical snooping, people might inspect your Dumpster,
recycling bins, or even your file cabinets; they can look under the
keyboard for Post-it notes or look for scraps of paper tacked to your
bulletin board.
Understanding Access Attack Types
Snooping
Snooping is unauthorized access to another person's or company's data.
Computer snooping, on the other hand, involves someone searching
through your electronic files trying to find something interesting.
Understanding Access Attack Types
Interception
Interception is any situation where a hacker intercepts and changes
communication between two parties without their knowledge. To do that, the
attacker may place themselves between the sender and the receiver; this is
called a man-in-the-middle attack.
In a networked environment:
A passive interception would involve someone who routinely monitors
network traffic.
An active interception might include putting a computer system between
the sender and receiver to capture information as it’s sent. The process is
usually secret.
Understanding Access Attack Types

Intercept missions can occur for years without the knowledge of the
parties being monitored.
Modification and Repudiation Attacks
Modification attacks involve the deletion, insertion, or alteration of
information in an unauthorized manner that is intended to appear
genuine to the user.
These attacks can be hard to detect.
Modification and Repudiation Attacks Cont.
• They’re similar to access attacks in that the attacker must first get to
the data on the servers, but they differ in the following point:
• The motivation for this type of attack may be to plant information,
change grades in a class, fraudulently alter credit card records, or
something similar.
• Website defacements are a common form of modification attack; they
involve someone changing web pages in a malicious manner.
Modification and Repudiation Attacks
A repudiation attack is a variation of a modification attack.
Repudiation refers to the ability of a user or system to deny having
performed a particular action or transaction. This can happen in a
number of ways, such as through the use of a false identity or the
manipulation of logs or system data.
For example, in systems where multiple users have access to shared
resources, one user may deny having deleted or modified a file.
Repudiation attacks make data or information appear to be invalid or
misleading (which can be even worse).
Modification and Repudiation Attacks
Repudiation attack example
Someone might access your e-mail server and send inflammatory
information to others under the guise of one of your top managers.
This information might prove embarrassing to your company and
possibly do irreparable harm.
Modification and Repudiation Attacks
Repudiation attacks are fairly easy to accomplish because most e-mail
systems don’t check outbound mail for validity.
Repudiation attacks, like modification attacks, usually begin as access
attacks.
Ways to counter repudiation in cyberspace
• Authentication and Authorization: By implementing strong authentication and
authorization mechanisms, it is possible to ensure that only authorized users can
access resources and perform actions.
• Logging and Auditing: By maintaining detailed logs of system activity, it is
possible to detect and investigate unauthorized access or actions and to identify
the responsible user.
• Data Integrity: By maintaining the integrity of the data and system, it is possible to
detect and prevent unauthorized changes, deletions, or modifications.
• Cryptography: By using cryptographic techniques to secure the data and
communication, it is possible to ensure the authenticity and integrity of the data
and the identity of the sender, preventing the manipulation or fabrication of data.
• Legal framework: Having a solid legal framework, with defined rights and
responsibilities for users, and a procedure for investigation, can help with holding
the responsible parties accountable and ensuring that the law is followed.
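As an added example (not part of the lecture), the following Python combines the "Logging and Auditing" and "Data Integrity" countermeasures above into one tamper-evident audit log: every record is chained to the previous one with an HMAC held by the log collector, so editing a record to blame another user, or deleting it, breaks the chain and is detected on verification. The key value, user names, timestamps and file path are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json

# Constructed secret held only by the log collector (placeholder, not a real key).
LOG_KEY = b"example-audit-key-not-for-production"


def _entry_mac(prev_mac: str, entry: dict) -> str:
    """Chain MAC: covers the previous record's MAC plus this entry's canonical JSON."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + b"|" + body, hashlib.sha256).hexdigest()


def append_entry(log: list, user: str, action: str, target: str, ts: int) -> dict:
    """Append an audit record; each record's MAC depends on everything before it."""
    prev_mac = log[-1]["mac"] if log else "0" * 64
    entry = {"seq": len(log), "ts": ts, "user": user, "action": action, "target": target}
    record = {"entry": entry, "mac": _entry_mac(prev_mac, entry)}
    log.append(record)
    return record


def verify_log(log: list) -> tuple:
    """Return (ok, first_bad_seq). An edit, deletion or reorder of any record breaks the chain.
    (Truncating the tail is only caught if the latest MAC is also stored elsewhere.)"""
    prev_mac = "0" * 64
    for expected_seq, record in enumerate(log):
        entry = record["entry"]
        if entry["seq"] != expected_seq:
            return (False, expected_seq)
        if not hmac.compare_digest(record["mac"], _entry_mac(prev_mac, entry)):
            return (False, expected_seq)
        prev_mac = record["mac"]
    return (True, None)


def demo() -> dict:
    """Constructed scenario: alice deletes a shared file, then the log is attacked two ways."""
    log = []
    append_entry(log, "alice", "login", "fileserver", 1700000000)
    append_entry(log, "alice", "delete", "/shared/report.docx", 1700000060)
    append_entry(log, "bob", "login", "fileserver", 1700000120)
    clean = verify_log(log)
    # Attempt 1: rewrite the record so the deletion appears to be bob's action.
    tampered = copy.deepcopy(log)
    tampered[1]["entry"]["user"] = "bob"
    edited = verify_log(tampered)
    # Attempt 2: remove the delete record entirely.
    removed = copy.deepcopy(log)
    del removed[1]
    deleted = verify_log(removed)
    return {"clean": clean, "edited": edited, "deleted": deleted}
```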
Identifying Denial-of-Service and Distributed Denial-of-
Service Attacks
Denial-of-service (DoS) attacks prevent authorized users from accessing their
resources.
A DoS attack prevents or impairs the authorized use of networks, systems, or
applications by exhausting resources such as central processing units
(CPU), memory, bandwidth, and disk space.
Example: An attacker may attempt to bring down an e-commerce
website to prevent or deny usage by legitimate customers.
Identifying Denial-of-Service and Distributed Denial-of-
Service Attacks Cont.
DoS attacks are common on the Internet, where they have hit large
companies such as Amazon, Microsoft, and AT&T.

These attacks are often widely publicized in the media. Most simple
DoS attacks occur from a single system, and a specific server or
organization is the target.
Identifying Denial-of-Service and Distributed Denial-of-
Service Attacks Cont.
There isn’t a single type of DoS attack, but a variety of similar methods,
depending on which resource is attacked:
• Network bandwidth
Network bandwidth relates to the capacity of the network links
connecting a server to the wider Internet.
It’s easiest to think of a DoS attack by imagining that your servers are so
busy responding to false requests that they don’t have time to service
legitimate requests. Not only can the servers be physically busy, but the
same result can occur if the attack consumes all the available bandwidth.
Identifying Denial-of-Service and Distributed Denial-of-
Service Attacks Cont.
A DoS attack against a network is designed to fill the communications
channel and prevent access by authorized users.
A common DoS attack involves opening as many TCP sessions as
possible; this type of attack is called a TCP SYN flood DoS attack.
Identifying Denial-of-Service and Distributed Denial-of-
Service Attacks Cont.
• System resources
A DoS attack targeting system resources typically aims to overload or
crash its network handling software. Rather than consuming bandwidth
with large volumes of traffic, specific types of packets (poison packets)
are sent that consume the limited resources available on the system.
Operating system crashes can be restored to normal operation by a
simple reboot.
Identifying Denial-of-Service and Distributed Denial-of-
Service Attacks Cont.
Two of the most common types of DoS attacks are the ping of death and
the buffer overflow.
The ping of death crashes a system by sending Internet Control Message
Protocol (ICMP) packets (think echoes) that are larger than the system
can handle.
sPing is an example of a ping of death attack.
Identifying Denial-of-Service and Distributed Denial-of-
Service Attacks Cont.
Buffer overflow attacks attempt to put more data (usually long input
strings) into the buffer than it can hold.
Code Red, Slapper, and Slammer are all attacks that took advantage of
buffer overflows.
Identifying Denial-of-Service and Distributed Denial-of-
Service Attacks Cont.
• Application resources
An attack on a specific application, such as a Web server, typically
involves a number of valid requests, each of which consumes significant
resources. This then limits the ability of the server to respond to requests
from other users.
For example, a Web server might include the ability to make database
queries. If a large, costly query can be constructed, then an attacker
could generate a large number of these that severely load the server.
A DoS attack on an application may bring down a website while the
communications and systems continue to operate.
Defenses against DoS attacks
There are several techniques to limit the consequences of a DoS
attack:
• Network segmentation - Segmenting networks into smaller, more
manageable pieces can limit the impact of a DoS attack. This can be
done by creating VLANs, and firewalls can limit the spread of an
attack.
• Load balancing - By distributing traffic across multiple servers, a DoS
attack can be prevented from overwhelming a single server or
resource. Load balancing can be achieved using hardware or software
solutions.
Defenses against DoS attacks Cont.
• IP blocking - Blocking traffic from known or suspected malicious
sources can prevent DoS traffic from reaching its target.
• Rate limiting - Limiting the rate of traffic to reach a server or resource
can prevent a DoS attack.
• Content Delivery Networks (CDNs) - Distributing website content
across multiple locations makes it more difficult for an attack to bring
down an entire site.
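As an added example that is not from the lecture, the following Python implements the rate-limiting defense above as a per-source token bucket and runs it over a constructed request stream: one legitimate client sending 2 requests per second and one flood source sending 200 per second for ten seconds. The rate, burst capacity and IP addresses are assumed values chosen for the demonstration; the output shows that the legitimate client is never dropped while the flood source is cut to the configured rate.

```python
from collections import defaultdict


class TokenBucket:
    """Per-source token bucket: refills `rate` tokens per second, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens = float(capacity)  # start full so a new client gets its burst
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(requests, rate: float = 5.0, capacity: int = 10) -> dict:
    """Run a stream of (timestamp, source_ip) through one bucket per source.
    Returns {source: {"allowed": n, "dropped": m}} so the effect on each client is visible."""
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in sorted(requests, key=lambda r: r[0]):
        bucket = buckets.setdefault(src, TokenBucket(rate, capacity))
        stats[src]["allowed" if bucket.allow(ts) else "dropped"] += 1
    return dict(stats)


def constructed_traffic() -> list:
    """Constructed sample (documentation addresses, not real hosts):
    a client at 2 req/s and a flood source at 200 req/s, both over 10 seconds."""
    legit = [(i * 0.5, "198.51.100.7") for i in range(20)]       # 20 requests
    flood = [(i * 0.005, "203.0.113.9") for i in range(2000)]    # 2000 requests
    return legit + flood


if __name__ == "__main__":
    for src, counts in rate_limit(constructed_traffic()).items():
        print(src, counts)
```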
Distributed Denial-of-Service Attacks
A Distributed Denial-of-Service (DDoS) attack is similar to a DoS attack.
A DDoS attack amplifies the concepts of a DoS by using multiple computer
systems to conduct the attack against a single organization (the victim).
These multiple computer systems are compromised, malware-infected
computers known as a botnet.
It's harder to identify a DDoS attack’s origin, which makes it harder to shut
down.
Distributed Denial-of-Service Attacks Cont.
An attacker can load an attack program onto dozens or even hundreds of
computer systems that use DSL or cable modems.
The attack program lies dormant on these computers until they get an
attack signal from a master computer.
The signal triggers the systems, which launch an attack simultaneously
on the target network or system.
Distributed Denial-of-Service Attacks Cont.
[Figure] Botnet: A large collection of zombies, or bots, controlled by a bot herder.
Distributed Denial-of-Service Attacks Cont.

The previous figure shows an attack occurring and the master controller
orchestrating the attack. The master controller may be another
unsuspecting user. The systems taking direction from the master control
computer are referred to as zombies. These systems merely carry out the
instruction they’ve been given by the master computer.
Distributed Denial-of-Service Attacks Cont.
The nasty part of a DDoS attack is that the machines used to carry out the
attack belong to normal computer users.
The attack gives no special warning to those users.
When the attack is complete, the attack program may remove itself from
the system or infect the unsuspecting user’s computer with a virus that
destroys the hard drive, thereby wiping out the evidence.
Defenses against DDoS attacks
Four lines of defense against DDoS attacks:
1- Attack prevention and preemption (before the attack):
These mechanisms enable the victim to endure attack attempts without
denying service to legitimate clients. Techniques include enforcing
policies for resource consumption and providing backup resources
available on demand.
Defenses against DDoS attacks Cont.
2- Attack detection and filtering (during the attack):
These mechanisms attempt to detect the attack as it begins and respond
immediately. This minimizes the impact of the attack on the target.
Detection involves looking for suspicious patterns of behavior.
Response involves filtering out packets likely to be part of the attack.
Defenses against DDoS attacks Cont.
3- Attack source traceback and identification (during and after the
attack):
This is an attempt to identify the source of the attack as a first step in
preventing future attacks. However, this method typically does not yield
results fast enough, if at all, to mitigate an ongoing attack.
4- Attack reaction (after the attack):
This is an attempt to eliminate or curtail the effects of an attack.
Thank You
Malware can cause ……………..
Malware can come from ……………….
To avoid malware……………………….
Avoid snooping
• Avoid using public Wi-Fi networks.
• Use secure Wi-Fi authentication techniques.
• Conduct rogue Wi-Fi access point searches.
• Keep antivirus software updated.
• Use strong passwords, and change them frequently.
• Use encryption when transmitting and storing sensitive data.
• Know your surroundings, and turn computer screens away from surveillance cameras.
• Deploy network monitoring and prevention tools, such as firewalls, virtual private
networks (VPNs) and anti-Address Resolution Protocol/domain name system spoofing
services.
• Segment networks so that secure communications flow through specific portions of the
network that can be better protected from spoofing attacks.