Unit 2

Nathan House, The Complete Cyber Security Course, StationX, First edition, January 2017 (Udemy)

The Threat and Vulnerability Landscape

• What is Privacy, Anonymity
• Pseudonymity, Security, Vulnerabilities,
• Threats and Adversaries,
• Threat Modeling and Risk Assessments,
• Security vs Privacy vs Anonymity
Terms and Keywords
• Privacy
Assurance that the confidentiality of, and access to, certain information about an
entity is protected
• Anonymity
Anonymity refers to the state of not having a name or identifying information associated with
an individual
• Pseudonymity
Pseudonymity is the near-anonymous state in which a user has a consistent identifier that is
not their real name: a pseudonym.
In pseudonymous systems, real identities are only available to site administrators.
Pseudonymity allows users to communicate with one another in a generally anonymous
way.
• Security
Every aspect of protecting an organization and its employees and assets against cyber threats. As
cyberattacks become more common and sophisticated and corporate networks grow more complex,
a variety of cyber security solutions are required to mitigate corporate cyber risk.
Threats and Adversaries, Threat Modeling and Risk Assessments

• What is Threat Modeling
• Threat modeling is a method of optimizing network security by locating vulnerabilities, identifying objectives, and developing countermeasures to either prevent or mitigate the effects of cyber-attacks against the system.
• While security teams can conduct threat modeling at any point during development, doing it at the start of the project is best practice. This way, threats can be identified sooner and dealt with before they become an issue.
It's also important to ask the following questions:
• What kind of threat model needs building? The answer requires studying data flow transitions, architecture diagrams, and data classifications, so you get a virtual model of the network you're trying to protect.
• What are the pitfalls? Here is where you research the main threats to your network and applications.
• What actions should be taken to recover from a potential cyberattack? You've identified the problems; now it's time to figure out some actionable solutions.
• Did it work? This step is a follow-up where you conduct a retrospective to monitor the quality, feasibility, planning, and progress.
The Threat Modeling Process
Threat modeling consists of
• Defining an enterprise's assets,
• Identifying what function each application serves in the grand
scheme,
• Assembling a security profile for each application.
• Identifying and prioritizing potential threats
• Documenting both the harmful events and what actions to take
to resolve them.
Why Do We Need Security Threat Modeling?

• Cybercrime has exacted a heavy toll on the online community in recent years, as detailed
in this piece by Security Boulevard, which draws its conclusions from several industry
sources.
• Among other things, the report says that data breaches exposed 4.1 billion records in
2019 and that social media-enabled cybercrimes steal $3.25 billion in annual global
revenue.
• According to KnowBe4's 2019 Security Threats and Trends report, 75 percent of
businesses consider insider threats to be a significant concern, 85 percent of
organizations surveyed reported being targeted by phishing and social engineering
attacks, and percent of responders cite email phishing scams as the largest security risk.
Smart organizations and individuals will take advantage of any reliable resources to fight this growing epidemic, and sound threat
modeling, meaning designing with security in mind from the start, is essential to accomplish this.
Ten Threat Modeling Methodologies
1. STRIDE
A methodology developed by Microsoft for threat modeling, it offers a mnemonic for
identifying security threats in six categories:
• Spoofing: An intruder posing as another user, component, or other system feature
that contains an identity in the modeled system.
• Tampering: The altering of data within a system to achieve a malicious goal.
• Repudiation: The ability of an intruder to deny that they performed some malicious
activity, due to the absence of enough proof.
• Information Disclosure: Exposing protected data to a user that isn't authorized to
see it.
• Denial of Service: An adversary uses illegitimate means to exhaust services
needed to provide service to users.
• Elevation of Privilege: Allowing an intruder to execute commands and functions
that they aren't allowed to.
2. DREAD
Proposed for threat modeling, but Microsoft dropped it in 2008
due to inconsistent ratings. OpenStack and many other
organizations currently use DREAD. It's essentially a way to rank
and assess security risks in five categories:
• Damage Potential: Ranks the extent of damage resulting from
an exploited weakness.
• Reproducibility: Ranks the ease of reproducing an attack
• Exploitability: Assigns a numerical rating to the effort needed to
launch the attack.
• Affected Users: A value representing how many users get
impacted if an exploit becomes widely available.
• Discoverability: Measures how easy it is to discover the threat.
3. PASTA
This stands for Process for Attack Simulation and Threat
Analysis, a seven-step, risk-centric methodology.
It offers a dynamic threat identification, enumeration, and scoring
process.
Once experts create a detailed analysis of identified threats,
developers can build an asset-centric mitigation strategy by
analyzing the application through an attacker-centric view.
4. OCTAVE
• The Operationally Critical Threat, Asset, and Vulnerability
Evaluation (OCTAVE) process is a risk-based strategic
assessment and planning method. OCTAVE focuses on
assessing organizational risks only and does not address
technological risks. OCTAVE has three phases:
• Building asset-based threat profiles. (Organizational evaluation)
• Identifying infrastructure vulnerabilities. (Information
infrastructure evaluation)
• Developing and planning a security strategy. (Evaluation of risks
to the company's critical assets and decision making.)
Others
• VAST
• Attack Tree
• Common Vulnerability Scoring System (CVSS)
• T-MAP
• Quantitative Threat Modeling Method
This hybrid method combines attack trees, STRIDE, and CVSS methods. It
addresses several pressing issues with threat modeling for cyber-physical systems
that contain complex interdependencies in their components. The first step is
building components attack trees for the STRIDE categories. These trees illustrate
the dependencies in the attack categories and low-level component attributes.
Then the CVSS method is applied, calculating the scores for all the tree's
components.
Risk Assessment – 5-Step Framework
Practically every organization has internet connectivity and some form of IT
infrastructure, which means nearly all organizations are at risk of a cyber
attack.
To understand how great this risk is and to be able to manage it,
organizations need to complete a cybersecurity risk assessment, a process
that identifies which assets are most vulnerable to the cyber risks the
organization faces.
This is a risk assessment that looks specifically at cyber threats, so risks
such as fire and flooding which would be included in a general risk
assessment are not in scope.
Step 1: Determine the scope of the risk assessment
• A risk assessment starts by deciding what is in scope of the
assessment.
• It could be the entire organization, but this is usually too big an
undertaking, so it is more likely to be a business unit, location or
a specific aspect of the business, such as payment processing
or a web application.
• A third party specializing in risk assessments may be needed to
help the organization through what is a resource-intensive exercise.
Step 2: How to identify cybersecurity risks
• Identify assets
• Identify threats
• Identify what could go wrong
This task involves specifying the consequences of an identified threat
exploiting a vulnerability to attack an in-scope asset. For example:
• Threat: An attacker performs an SQL injection on an open
database table
• Vulnerability: unpatched
• Asset: web server
• Consequence: customers' private data stolen, resulting
in regulatory fines and damage to reputation.
Step 3: Analyze risks and determine potential impact
• Now it is time to determine the likelihood of the risk scenarios
documented in Step 2 actually occurring, and the impact on the
organization if it did happen.
• In a cybersecurity risk assessment, risk likelihood -- the
probability that a given threat is capable of exploiting a given
vulnerability -- should be determined based on the
discoverability, exploitability and reproducibility of threats and
vulnerabilities rather than historical occurrences.
Step 4: Determine and prioritize risks

• Using a risk matrix in which the risk level is "Likelihood times Impact,"
each risk scenario can be classified.
Step 5: Document all risks
• Risk scenario
• Identification date
• Existing security controls
• Current risk level
• Treatment plan -- the planned activities and timeline to bring the risk within
an acceptable risk tolerance level along with the commercial justification
for the investment
• Progress status -- the status of implementing the treatment plan
• Residual risk -- the risk level after the treatment plan is implemented
• Risk owner -- the individual or group responsible for ensuring that the
residual risks remain within the tolerance level
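The five steps above carried through as one worked example, added here and not part of the course material: the Step 2 scenario (SQL injection against an unpatched web server) is scored with the Step 3 likelihood factors, classified on a 3x3 likelihood-times-impact matrix (Step 4), and recorded with the Step 5 fields. The 1-3 scales, matrix cut-offs, dates, owner and treatment values are assumptions.

```python
# Added example (not from the course slides). The 1-3 scales, the 3x3 matrix
# cut-offs and the register field names are assumptions for illustration.
from dataclasses import dataclass, field, replace


@dataclass
class RiskScenario:
    scenario: str            # Step 2: threat + vulnerability + asset + consequence
    asset: str
    threat: str
    vulnerability: str
    consequence: str
    discoverability: int     # Step 3 likelihood factors, each on an assumed 1-3 scale
    exploitability: int
    reproducibility: int
    impact: int              # Step 3 impact on the organization, 1-3
    existing_controls: list = field(default_factory=list)
    treatment_plan: str = ""
    risk_owner: str = ""


def likelihood(s: RiskScenario) -> int:
    """Step 3: likelihood comes from the threat's properties, not from history.
    Here it is the rounded mean of the three factors, clamped to 1-3."""
    mean = (s.discoverability + s.exploitability + s.reproducibility) / 3
    return max(1, min(3, int(mean + 0.5)))  # round half up (no banker's rounding)


def risk_score(s: RiskScenario) -> int:
    """Step 4: risk level is 'Likelihood times Impact' (1..9 on a 3x3 matrix)."""
    return likelihood(s) * s.impact


def risk_level(score: int) -> str:
    """Assumed cut-offs for the 3x3 matrix: 6-9 High, 3-5 Medium, 1-2 Low."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def after_treatment(s: RiskScenario, **changes) -> RiskScenario:
    """Residual risk: the same scenario re-scored with the factors the treatment changes."""
    return replace(s, **changes)


def register_entry(s: RiskScenario, identification_date: str,
                   residual: RiskScenario, progress: str) -> dict:
    """Step 5: one documented risk with the fields listed above."""
    cur, res = risk_score(s), risk_score(residual)
    return {
        "risk_scenario": s.scenario,
        "identification_date": identification_date,
        "existing_security_controls": list(s.existing_controls),
        "current_risk_level": f"{risk_level(cur)} ({cur})",
        "treatment_plan": s.treatment_plan,
        "progress_status": progress,
        "residual_risk": f"{risk_level(res)} ({res})",
        "risk_owner": s.risk_owner,
    }


# Constructed sample: the Step 2 example from the slides, scored with assumed values.
SQLI_SCENARIO = RiskScenario(
    scenario="SQL injection against the customer web server", asset="web server",
    threat="SQL injection on an open database table", vulnerability="unpatched",
    consequence="customers' private data stolen; fines and reputational damage",
    discoverability=3, exploitability=3, reproducibility=3, impact=3,
    existing_controls=["perimeter firewall"],
    treatment_plan="Patch, use parameterized queries, encrypt customer data at rest",
    risk_owner="Head of Web Engineering",  # assumed
)


def example_entry() -> dict:
    # Assumed effect of the treatment: exploitability and reproducibility drop to 1,
    # impact to 2 because stolen data would be encrypted.
    residual = after_treatment(SQLI_SCENARIO, exploitability=1, reproducibility=1, impact=2)
    return register_entry(SQLI_SCENARIO, "2024-01-15", residual, "in progress")


if __name__ == "__main__":
    for key, value in example_entry().items():
        print(f"{key:28} {value}")
```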
Risk Assessment vs Threat Modeling
• A risk assessment considers possible countermeasures; threat
modeling defines and implements them.
• Threat modeling identifies vulnerabilities, as well as potential risks
and mitigation steps, by using scenarios that target system entry
points and data, both at rest and in transit.
• A cyber security risk assessment is the process of identifying,
analysing and evaluating risk.
• It helps to ensure that the cyber security controls you choose are
appropriate to the risks your organization faces.
• Without a risk assessment to inform your cyber security choices, you
could waste time, effort and resources.
Things You Need To Stay Safe Online
• Tools and tips to help you stay safe online.
• Use strong and unique passwords. Creating a strong, unique password for every account is one of the most critical steps you can take to protect your privacy.
• Keep track of all your passwords.
• Check your passwords for security issues.
• Don't open mail from strangers.
• Make sure your devices are up to date.
• Use strong passwords.
• Use two-factor authentication.
• Don't click on strange-looking links.
• Avoid using unsecured public Wi-Fi.
• Back up your data regularly.
• Be smart with financial information.
Security Bugs and Vulnerabilities
• A security bug or security defect is a software bug that can be exploited to gain unauthorized access or privileges on a computer system.
• Security bugs introduce security vulnerabilities by compromising one or more of:
  • Authentication of users and other entities.
  • Authorization of access rights and privileges.
Common Web Security Vulnerabilities
• Injection Flaws
Injection flaws result from a classic failure to filter untrusted input. Injection flaws can
happen when we pass unfiltered data to the SQL server (SQL injection), to the browser
(via Cross Site Scripting), to the LDAP server (LDAP injection), or anywhere else. The
problem is that the attacker can inject commands which the receiving component then
executes, for example to hijack clients' browsers, resulting in loss of data.
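The two injection targets the paragraph names, shown as an added example that is not code from the course: the same untrusted input is handed to an SQL database and echoed to a browser, once unfiltered and once handled safely. Standard library only; the users table, its two rows and the input strings are constructed.

```python
# Added example (not from the course material). Table, rows and inputs are constructed.
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with two constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injection flaw: the unfiltered input becomes part of the SQL statement,
    so a quote in the input changes the WHERE clause instead of being matched."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: a parameterized query keeps the input as data, never as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Cross Site Scripting: input is returned to the browser unsanitized."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Fix: HTML-escape before echoing, so markup in the input is displayed as
    text rather than parsed by the browser."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed inputs: a normal value and the textbook test strings.
NORMAL = "alice"
SQL_INPUT = "' OR '1'='1"
XSS_INPUT = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = setup_db()
    print("unfiltered SQL:", find_user_vulnerable(db, SQL_INPUT))  # every row returned
    print("parameterized: ", find_user_safe(db, SQL_INPUT))        # no such user: []
    print("unescaped HTML:", render_greeting_vulnerable(XSS_INPUT))
    print("escaped HTML:  ", render_greeting_safe(XSS_INPUT))
```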
Broken Authentication
• Problems that might occur during broken authentication don’t necessarily stem from the same root cause.
Rolling your own authentication code is not recommended, as it is hard to get right. There are myriad
possible pitfalls, and here are a few:
1. The URL might contain the session ID and leak it in the Referer header.
2. Passwords might not be encrypted in storage and/or transit.
3. Session IDs might be predictable, making it a little too easy to gain unauthorized access.
4. Session fixation might be possible.
5. Session hijacking could occur if timeouts are not implemented correctly, or if using HTTP (no SSL security),
etc.
• Cross-Site Scripting (XSS)
An attacker sends JavaScript tags as input to your web application.
When this input is returned to the user unsanitized, the user's browser
executes it.
Insecure Direct Object References
This is a classic case of trusting user input and paying the price by
inheriting a resultant security vulnerability. A direct object reference
means that an internal object (e.g., a file or a database key) is exposed
to the user, leaving us vulnerable to attack. The attacker can provide
this reference, and if authorization is either not enforced or broken, the
attacker gets in.
Security Misconfiguration
• Running an application with debug enabled in production
• Having directory listing (which leaks valuable information) enabled on the server
• Running outdated software (think WordPress plugins, old PhpMyAdmin)
• Running unnecessary services
• Not changing default keys and passwords (which happens more frequently than you'd believe)
• Revealing error handling information (e.g., stack traces) to potential attackers
Sensitive data exposure
• This web security vulnerability is about crypto and resource protection.
• Sensitive data should be encrypted at all times, including in transit and at rest. No exceptions.
• Credit card information and user passwords should never travel or be stored unencrypted, and passwords should always be hashed.
• Obviously, the crypto/hashing algorithm must not be a weak one. When in doubt, web security standards recommend AES (256 bits and up) and RSA (2048 bits and up).
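Two of the authentication pitfalls listed earlier (passwords stored without hashing, predictable or fixable session IDs) and the rule that passwords are always hashed, as an added example that is not code from the course: salted, slow password hashing with verification, plus session IDs from a CSPRNG that are rotated at login. PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration count and the record format are assumptions.

```python
# Added example (not from the course material). KDF, salt size, iteration count
# and the stored-record layout are assumptions chosen for illustration.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000  # assumed cost factor; raise as hardware gets faster


def hash_password(password: str) -> str:
    """Store a random salt plus the derived key, never the password itself and
    never a fast unsalted hash of it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed record: a failed login, not a crash
    return hmac.compare_digest(dk, expected)


def predictable_session_id(counter: int) -> str:
    """Pitfall 3 above: sequential IDs let anyone guess a neighbour's session."""
    return f"sess-{counter:08d}"


def new_session_id() -> str:
    """Fix: 32 random bytes from the OS CSPRNG. Send it only in a cookie
    (HttpOnly, Secure) over HTTPS, never in the URL (pitfall 1)."""
    return secrets.token_urlsafe(32)


def rotate_session_id(sessions: dict, old_id: str) -> str:
    """Against session fixation (pitfall 4): issue a fresh ID after login and drop
    the pre-login one, so an ID planted before login is never upgraded."""
    user = sessions.pop(old_id)
    new_id = new_session_id()
    sessions[new_id] = user
    return new_id


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("bad id:  ", predictable_session_id(41), " good id:", new_session_id())
```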
Hackers, crackers and cyber criminals
• Hackers are the ethical professionals.
• Crackers are unethical and want to benefit themselves from illegal tasks.
• Hackers program or hack to check the integrity and vulnerability strength of a network.
• Crackers do not make new tools but use someone else's tools for their own cause and harm.
• Hacking is identifying and exploiting weaknesses in computer systems and/or computer networks.
• Cybercrime is committing a crime with the aid of computers and information technology infrastructure.
• Ethical Hacking is about improving the security of computer systems and/or computer networks.
• Malware, viruses, rootkits and RATs, Spyware, Adware, Scareware, PUPs & Browser hijacking, What is Phishing,
• Vishing and SMShing, Spamming & Doxing, Social engineering - Scams, cons, tricks and fraud,
• Darknets, Dark Markets and Exploit kits
Malware, viruses, Worms
Malware
• Malware is a general term that encompasses all software designed to do harm. You can
compare the term "malware" to the term "vehicle." All software-based threats are malware, just
like all cars and trucks are vehicles.
• However, similar to vehicles, there are many different kinds of malware. In other words, you can
have a car, an SUV, and a truck, and you would have three vehicles. But not every vehicle is a
car, a truck, or an SUV. Similarly, viruses and worms are both malware, but not all malware is a
virus or a worm.
Virus
• Viruses can be spread from one computer to another inside files. For the virus to be activated,
someone has to trigger it with an external action. For example, a virus can be embedded inside
a spreadsheet. If you download the spreadsheet, your computer will not necessarily be infected.
The virus gets activated once you open the spreadsheet.
Worm
• With a worm, there is no need for the victim to open up any files or even click on anything. The
worm can both run and spread itself to other computers. Because a worm has the ability to
automatically propagate itself, you can get a worm in your computer just because it is on the
same network as another infected device.
How To Protect Devices from Malware,
Viruses, and Worms
• There are several ways to protect your computer from
threats like viruses, worms, and other malware:
1. Use an effective antimalware program.
2. Learn how to recognize malicious programs. Keep an eye
out for applications that look or behave suspiciously, as well
as your computer running slowly or overheating.
3. Avoid downloads from suspicious websites.
4. Use a firewall.
Rootkits and RATs
• Remote Access Tools also known as RATs are used to remotely
control another PC over the Internet or the Local Area Network.
• RATs (Remote Access Tools) are a subcategory of Trojan malware.
• Trojans are executable applications, documents, or files with
embedded executable code appearing as typical, innocuous
functions.
• Trojans contain malicious, hidden components that infect or harm the
target's device.
• A botnet is a collection of internet-connected devices installed with
remote access tools (the RAT bots). Together they are all controlled
by a server on the hacker's machine.
Rootkit vs Trojan
• A rootkit is software used by cybercriminals to gain control over a target
computer or network.
• Rootkits can sometimes appear as a single piece of software but are often
made up of a collection of tools that allow hackers administrator-level
control over the target device.
• What separates a rootkit from a regular Trojan is that a rootkit, by definition,
occupies Ring 0, also known as root or kernel level, the highest run
privilege available, which is where the OS (Operating System) itself runs.
• Examples of rootkit attacks: Phishing and social engineering attacks.
• Rootkits can enter computers when users open spam emails and
inadvertently download malicious software.
• Rootkits also use keyloggers that capture user login information.
Spyware, Adware, Scareware
• Spyware are programs designed to track all of your computer activities, from which
applications you use to which websites you visit.
• Adware are programs that pop-up various advertisements and offers, often based on the
websites you visit.
• Scareware is a type of malware attack that claims to have detected a virus or other issue on
a device and directs the user to download or buy malicious software to resolve the problem.
• Generally speaking, scareware is the gateway to a more intricate cyberattack and not an
attack in and of itself.
• Scareware poses as a tool to help fix your system, but when the software is executed it will infect
your system or completely destroy it.
• Adware is similar to spyware and it can be both intrusive and difficult to eradicate.
• Gator (2002): Also known as Claria, this adware was notorious for its pop-up ads, often
tricking users into downloading and installing it by bundling itself with other software.
• CoolWebSearch (2003): This adware would redirect your browser to other websites,
often full of advertisements or even malicious software.
PUPs & Browser hijacking
• A potentially unwanted program (PUP) is a program that may be
unwanted, despite the possibility that users consented to
download it.
• PUPs include spyware, adware and dialers, and are often
downloaded in conjunction with a program that the user wants.
PUPs can negatively affect a computer's performance while
being an annoyance at best, and at worst, they can introduce
security risks.
PUPs
• Once installed, a PUP can also do the following:
• Over-advertise to the user. The PUP displays many advertisements in
pop-up windows. It can also be a browser hijacker, redirecting web search
results, adding browser toolbars and placing ads on pages.
• Collect user information. The PUP can be spyware, collecting user data
without consent. For example, keystrokes from a keyboard can be
monitored to steal user data and gain additional knowledge on the user.
• Reduce system resources. By launching itself and performing whatever
function it is programmed to carry out, the PUP eats up system resources,
potentially slowing down a user's computer.
• Obscure the process of uninstallation. PUPs may be designed to be
hard to remove manually from a user's computer. They may not have an
easy uninstall method or may not uninstall completely.
Types of PUPs
• Adware. Adware is any software application that has an advertising
banner or other advertising material that displays while a program is
running. Ads are delivered through pop-up windows or bars that
appear on the program's user interface.
• Browser hijackers. Browser hijackers are malicious software,
or malware, programs that modify web browser settings without the
user's permission in order to redirect users to websites they did not
intend to visit. Part of the goal of a browser hijacker is to help the
cybercriminal generate unwanted advertising revenue.
• Spyware. Spyware is malware that invades a device to steal
sensitive data and track internet usage. Data is either collected and
sold to advertisers, or more sensitive information such as passwords
or credit card information is stolen.
What is Phishing, Vishing and SMShing
• Vishing is short for "voice phishing," which involves defrauding people
over the phone, enticing them to divulge sensitive information.
In this definition of vishing, the attacker attempts to grab the victim's
data and use it for their own benefit—typically, to gain a financial
advantage.
• Smishing is a social engineering attack that uses fake mobile text
messages to trick people into downloading malware, sharing
sensitive information, or sending money to cybercriminals.
• The term "smishing" is a combination of "SMS"—or "short message
service," the technology behind text messages—and "phishing."
• Phishing uses emails and links, smishing uses text messages or
common messaging apps, and vishing uses voice calls and
voicemails to obtain sensitive information.
Spamming & Doxing
• Doxing is a form of cyberbullying that uses sensitive or secret information,
statements, or records for the harassment, exposure, financial harm, or
other exploitation of targeted individuals.
• Doxing is based on the fact that nearly everyone has data about them
floating around on the internet, protected by varying levels of
security—and in some cases, barely any at all.
• Once this data has been found, it is weaponized and used against the
target.
• Doxing involves taking specific information about someone and then
spreading it around the internet or via some other means of getting it
out to the public.
Doxers
• Examples of information doxers typically search for include:
1. Phone numbers: These can be used to contact the victim directly while pretending to
be someone else and then asking questions to get more information. They can also
be used to gain access to secure user accounts.
2. Social security numbers: A social security number is required to validate the identity
of a person on a variety of websites and with a wide array of companies that hold
private data.
3. Home address: Not only can a home address be used to verify someone's identity
while trying to gain access to a private account, but it can also be used by an attacker
to apply for new accounts while pretending to be the victim.
4. Credit card details: Credit card information can be weaponized for profit or to harm a
victim's credit rating, as well as gain access to other sensitive information.
5. Bank account details: Because bank account details are typically only available after
someone has satisfied security measures, they can be used to "verify" your identity
for someone pretending to be you. They can also be levied to transfer money from
your account to someone else's or published in a doxing attack to make the target
more vulnerable.
Darknets, Dark Markets and Exploit kits
• The Dark Web refers to a collection of websites that exist on an
encrypted network and cannot be found on traditional search engines
or accessed using standard web browsers.
• The Tor network is used to access these sites whilst providing
anonymity to its users.
• Operating through a network of relays, Tor uses multiple layers of
encryption to ensure that no single node ever has access to both
unencrypted data and traffic information that could be used to
identify users.
Darknet Market
• A darknet market is a commercial website on the dark web that
operates via darknets such as Tor and I2P.[1][2] They function
primarily as black markets, selling or brokering transactions
involving drugs, cyber-arms,[3] weapons, counterfeit
currency, stolen credit card details,[4] forged
documents, unlicensed pharmaceuticals,[5] steroids,[6] and other
illicit goods as well as the sale of legal products.[7] In December
2014, a study by Gareth Owen from the University of
Portsmouth suggested the second most popular sites
on Tor were darknet markets.[8]
Exploit Kits
• An exploit kit is a toolkit that bad actors use to attack specific
vulnerabilities in a system or code.
• Once they take advantage of these vulnerabilities, they perform
other malicious activities like distributing malware or ransomware.
• These toolkits are named this way because they use exploits, code
that takes advantage of security flaws and software vulnerabilities.
• Some exploit kits deliver malicious ads on commonly visited websites
like YouTube and Yahoo.
• Others take advantage of flaws in commonly used programs like
Adobe Flash Player.
• Exploit kits like these are even linked to other attacks like
ransomware against a variety of organizations.