
Class Presentation Week 1 - Introduction To Cybersecurity

The document outlines the CECR 2001 course on Cybersecurity threats and vulnerabilities, led by Kedar Mendhurwar, covering essential topics such as the principles of cybersecurity, types of attacks, and risk management. The course structure includes five weeks of lectures, evaluations, and hands-on practicals, aiming to equip students with relevant cybersecurity skills and knowledge. Additionally, it highlights the increasing cyber threats and notable security breaches, emphasizing the importance of cybersecurity in today's digital landscape.

Week 1 – Introduction to Cyber Security

Cybersecurity threats and vulnerabilities

Kedar Mendhurwar CCIE Security, CISSP, CISA

Course introduction

INSTRUCTOR
▪ Kedar Mendhurwar CCIE Security, CISSP, CCSP, CISA
▪ Sr. IT Security Architect at Government of Quebec & President at Rootsec Inc.
▪ Working in Security since 2009 and teaching since 2014.
▪ Experience working in different security roles.

Contact information
▪ Email: [email protected]
▪ Availability:
• Online 15-30 minutes before and after day’s lecture.
• Through email anytime.
(I reply as soon as possible, usually within 24 hours)

CECR 2001 – Cybersecurity threats and vulnerabilities


PROGRAM OVERVIEW
Cyberproficiency program

❑ CECR 2001 – Cybersecurity General high-level point of view (Level 0.5)


❑ CECR 2002 – POV Employee
❑ CECR 2003 – POV Manager

COURSE STRUCTURE
CECR 2001 Structure

▪ 5 weeks (Tuesdays and Thursdays) – January 14th, 2025 – February 13th, 2025
▪ 30 hours in class and around 30 hours of work outside class
▪ 3 reports (solo or in-group) and 1 in-class quiz

COURSE OVERVIEW
Course outcomes

▪ Understand the basic principles of cybersecurity
▪ Learn cybersecurity skills that are relevant in the job market
▪ Be well versed in the different types of cyber attacks
▪ Recognize the major types of cybersecurity threats and vulnerabilities.
▪ Identify the different types of organizations that are most vulnerable to these threats and vulnerabilities.
▪ Draft cybersecurity plans for organizations.
▪ Present cybersecurity implementation plans effectively.
▪ Describe how to monitor the organization’s cybersecurity posture on an ongoing basis.

RECOMMENDED READS
Recommended books for reading

▪ Cybersecurity For Dummies – Joseph Steinberg
▪ Cybersecurity Essentials – Charles J. Brooks
▪ Big Breaches – Cybersecurity Lessons for Everyone
▪ Cybersecurity: The Beginner's Guide – Dr. Erdal Ozkaya
▪ Cybersecurity for Beginners – Raef Meeuwisse
▪ Also check Moodle – Recommended topics for cybersecurity students

RULES
▪ There are NO RULES. (We make the rules.)
▪ Do not hesitate to ask a question (at any point!).
▪ Feedback is the most important.
▪ Camera is not mandatory but recommended!
▪ Work in a team.
▪ Be accommodating.
▪ Practice. Practice. Practice.
▪ Do not share course content outside the university.
▪ No plagiarism!

RESOURCES

▪ Moodle
▪ Office 365
▪ Zoom
▪ Class video recordings
▪ SharePoint
▪ Other reading resources (updated weekly)

EVALUATION
▪ Cybersecurity event in the news – 10%
▪ Outsider threat report – 20%
▪ Insider threat report – 25%
▪ 1-page reflection OR Quiz – 15%
▪ Cybersecurity plan – 30%

COURSE INTRODUCTION – TOPIC BREAKDOWN
▪ Week 1 – Introduction to Cybersecurity

▪ Week 2 – Understanding the cyber threats

▪ Week 3 – Understanding the cyber-attacks and their impact

▪ Week 4 – Risk management and cybersecurity strategy planning

▪ Week 5 – Cloud-based threats and the future of cybersecurity

COURSE INTRODUCTION – TOOLS

▪ VirtualBox

▪ Open-source password managers (KeePass, LastPass etc.)

▪ Open-source antivirus solutions (such as ClamAV, Malwarebytes)

▪ Encryption tools (VeraCrypt, 7-Zip etc.)

▪ Secure file sharing tools (SFTP, FileZilla etc.)

▪ Email secure backup and restore tools

▪ Phishing detection tools (Gophish)

▪ Malware detection tools and websites

FEEDBACK SURVEY RESULTS

▪ 81.25% of students have no experience in cybersecurity
▪ 92% of students wish to change career / enter cybersecurity
▪ 50% of students think cybersecurity is everyone’s responsibility, but that they should be paid for it. 43.75% of students think the same, but that they shouldn’t be paid for it
▪ 37.5% of students wish to improve their cybersecurity skills
▪ 50% of students wish the focus to be on hands-on lab practicals
▪ 62.5% of students won’t hesitate to ask a question in class
▪ 69% of students have undergone security training at least once in the past. 25% are taking it for the first time

WEEK 1 – COURSE OUTLINE
▪ Introduction to the course
▪ Introduction to cybersecurity
▪ Present Cybersecurity landscape
▪ History of Cybersecurity
▪ Introduction to the CIA triad
▪ Cybersecurity principles
▪ Types of Attackers
▪ Types of attacks
▪ Security terminologies
▪ Threats, vulnerabilities and Risk
▪ Impact of vulnerabilities on organizations

The present digital landscape

CECR 1003 - Cybersecurity by design


THE PRESENT DIGITAL LANDSCAPE

Let’s Play: Cybersecurity Fact or Fiction

THE PRESENT DIGITAL LANDSCAPE
Exercise - Fact or Fiction?

1. Ghost in the house

▪ Family purchases a home camera to watch their 8-year-old daughter’s bedroom.

▪ In the middle of the night, the camera starts playing creepy music & a strange voice begins speaking to the child.

▪ Parents find their daughter talking through the camera to an unknown man claiming to be Santa Claus.

THE PRESENT DIGITAL LANDSCAPE
Fact – It happened to this family

https://www.youtube.com/watch?v=P6X75eknvc8

THE PRESENT DIGITAL LANDSCAPE
Exercise - Fact or Fiction?

2. When cars attack

▪ FBI most wanted criminal & expert hacker is on the run from US federal law enforcement in Manhattan

▪ To slow down the authorities, she hacks passenger cars across Manhattan, remotely disabling their safety systems and overriding their controls to force them to crash into one another.

THE PRESENT DIGITAL LANDSCAPE
Fiction: Fast and Furious 8

▪ Vast majority of cars are not yet fully internet-enabled or autonomous

▪ That can’t happen, right…?

THE PRESENT DIGITAL LANDSCAPE
Exercise - Fact or Fiction?

3. Remote jeep takeover

▪ Team of hackers pool their money to buy a 2014 Jeep Cherokee

▪ After months of research, they discover how to remotely take over all Jeeps via the onboard internet connection and can crash them at will.

▪ They use the vulnerability to attack a journalist who is doing an investigative report on their research

THE PRESENT DIGITAL LANDSCAPE
Fact: The Jeep hacking duo

https://www.youtube.com/watch?v=ysAam9Zmdv0

THE PRESENT DIGITAL LANDSCAPE
Exercise - Fact or Fiction?

4. Cyber nuclear warfare

▪ To slow down Iran’s nuclear weapons development, Israel & US develop advanced malware designed to destroy Iranian nuclear centrifuges

▪ Mossad & CIA use a USB stick to smuggle the malware into highly secure & air-gapped systems deep within the nuclear facility. The malware makes the centrifuges spin 10x faster than normal, critically destroying many of them.

▪ BUT it also spreads outside of the Iranian nuclear facility and infects thousands of computers worldwide, including those of civilians in Israel and United States.

THE PRESENT DIGITAL LANDSCAPE
Fact: The Stuxnet worm (2010)

▪ Stuxnet was the most advanced malware of its time, and the first documented use of cyberwarfare on nuclear systems… but it had unanticipated collateral damage

▪ We’ll cover it later in class, but you can read more about it here:

https://en.wikipedia.org/wiki/Stuxnet

THE PRESENT DIGITAL LANDSCAPE
The key takeaways

▪ Although Hollywood hypes cybersecurity, reality itself is very scary

▪ More and more of our life is becoming internet connected, exposing us to risks we never had a few years ago

▪ Advanced technologies bring along advanced threats !

THE PRESENT DIGITAL LANDSCAPE
Present Internet Landscape

▪ Total 5.16B (64.4% of world’s total population) internet users
▪ Total 14.4B IoT devices
▪ 4.8 Zettabytes (4.8 x 10^18 Gb) data per day
▪ Internet has made the world more connected than ever
▪ But not everything is hunky-dory

THE PRESENT DIGITAL LANDSCAPE
Present Cyber Landscape

▪ Exponential increase in attack surface
▪ Technology has evolved but so have threats
▪ More sophisticated cyber attacks than ever before

THE PRESENT DIGITAL LANDSCAPE
Present Cyber Landscape
▪ The internet has now become a ‘war zone’
▪ Spying, Sabotage, Advanced persistent threats (APT)
▪ Different threats according to different capabilities
▪ Governments channeling a lot of money into cybersecurity
▪ Security breaches are an everyday phenomenon
▪ Lack of technical expertise – 3.5 million unfilled vacancies

THE PRESENT DIGITAL LANDSCAPE
Some Important stats

▪ 3,809,448 cyber attacks per day, 158,727 per hour, 2,645 per minute and 44 attacks every second of every day.
▪ The average cost of a data breach in 2022 was over $4.24 million
▪ The entire cost of cyberattacks in 2022 was $6 trillion
▪ By 2025, cybercrime will cost the world $10.5 trillion yearly
▪ The average life cycle of a data breach is about 11 months.
▪ Email is responsible for 91% of all cyber attacks
▪ 98% of the attacks rely on social engineering

THE PRESENT DIGITAL LANDSCAPE
Some Important stats (Contd.)

▪ 43% of all breaches are caused by insider threats
▪ 56% of victims don't know what steps to take in the event of a breach
▪ Security spending to surpass $260B by 2026
▪ 95% of cyber security breaches are due to human error
▪ 95% of all breaches can be stopped by a few basic cybersecurity guidelines
▪ Employee negligence remains the biggest threat
▪ Global expenditure on security training is $10B
▪ Human element is the most common threat vector

REF. LINK. https://www.varonis.com/blog/cybersecurity-statistics

THE PRESENT DIGITAL LANDSCAPE
Average days to identify and contain a data breach

▪ Global average is 280 days
• 207 days to identify a breach
• 73 days to contain the attack
▪ Government (Public)
• Hard to see – but second highest on table
• 233 days to identify
• 324 days to contain

THE PRESENT DIGITAL LANDSCAPE
Current challenges
▪ Threats are increasing
▪ Alerts to threats are increasing
▪ Security analysts and experts are in high demand
▪ Required knowledge of cybersecurity is increasing
▪ Less time

REF. LINK. https://www.varonis.com/blog/cybersecurity-statistics

THE PRESENT DIGITAL LANDSCAPE

REF. LINK. https://www.varonis.com/blog/cybersecurity-statistics

THE PRESENT DIGITAL LANDSCAPE
Notable security breaches of 21st century
▪ Yahoo (2013 & 2014) – 3.5 billion accounts compromised
▪ Verifications.io (2019) – 2.9 billion accounts compromised
▪ Aadhaar (2018) – 1.1 billion PII data compromised
▪ Alibaba (2019) – 1.1 billion records compromised
▪ LinkedIn (2021) – 700 million users affected
▪ Facebook (2019) – 540 million records exposed
▪ Marriott International (2018) – data breach affected 500M users
▪ Adult Friend Finder (2016) – 412.2 million users affected
▪ Microsoft (2019) – 250 million users affected
▪ Instagram (2020) – HSPII of 200M consumers exposed
▪ Adobe (2013) – 153M consumers affected
REF. LINK. https://en.wikipedia.org/wiki/List_of_data_breaches

THE PRESENT DIGITAL LANDSCAPE
Top 10 breaches in news in 2023

1. T-Mobile (Jan) – personal data of 37M customers exposed
2. Mailchimp (Feb) – exposed employee information and credentials
3. ChatGPT (March) – exposed user PII such as name, email and CC info
4. MCNA (March) – 8M user data exposed
5. Shields healthcare (March) – 2.3M users affected
6. Scandinavian airline (June) – website takedown and exposure of PII through app
7. Luxottica eyewear (May) – PII of 220M users exposed
8. Chick-fil-A fast food – another case of PII breach
9. Twitter (January)
10. Discord (May)

REF. LINK. https://heimdalsecurity.com/blog/top-data-breaches/

THE PRESENT DIGITAL LANDSCAPE
Notable security breaches of 21st century

THE PRESENT DIGITAL LANDSCAPE

What is the impact of a Security breach ?

THE PRESENT DIGITAL LANDSCAPE
What gets stolen ?

▪ Financial data – E.g., Credit card information
▪ Personal data – E.g., SIN, Health info, PII
▪ Intellectual data – E.g., Trade secrets
▪ Classified data – E.g., Defense information
▪ Protected Data
▪ Highly sensitive data
▪ Reputation

Introduction to cybersecurity

INTRODUCTION TO CYBER SECURITY

So, what is Cyber Security Really ?


And should I really care ?

INTRODUCTION TO CYBER SECURITY

INTRODUCTION TO CYBER SECURITY

Cyber security is a mindset


How you act at work
How you act at Home
How you interact with people
How you use your social media
How you check your emails
Cybersecurity is in everything

INTRODUCTION TO CYBER SECURITY

What is Cybersecurity ?

▪ Technologies (tools), processes and practices to protect against cyber attacks
▪ Objective is to reduce risks and ensure business continuity
▪ Permits secure operation of information management systems
▪ Is and/or must be part of the enterprise’s mission
▪ Must be in line with the business objectives
▪ Must be audited regularly

Evolution of cybersecurity

EVOLUTION OF CYBER SECURITY
History of Cybersecurity

EVOLUTION OF CYBER SECURITY
❑ The 1940s: The Time Before Cybercrime
❑ The 1950s: The Phone Phreaks
❑ The 1960s: All Quiet On the Western Front
❑ The 1970s: ARPANET and the Creeper
❑ The 1990s: The World Goes Online
❑ The 2000s: Threats Diversify and Multiply
❑ 2011: Sony’s PlayStation Network and Sony Pictures Suffer Multiple Attacks
❑ 2013 and 2014: Yahoo! Suffers a Massive Data Breach
❑ 2014: Sony Dealt Another Blow with Attack on Sony Pictures Entertainment
❑ 2015: Snapchat and Ashley Madison breach
❑ 2016: GDPR introduced in UK
❑ 2017: Equifax, Uber and WannaCry
❑ 2018: Facebook and Marriott International
❑ 2019 to present: Breaches occurring everyday
EVOLUTION OF CYBER SECURITY
Evolution of security attack methods

EVOLUTION OF CYBER SECURITY

Principles of cyber security

Principles of cyber Security

1. Confidentiality
2. Integrity
3. Availability
4. Authenticity
5. Accountability
6. Non-repudiation
7. Principle of least privilege
8. Separation of duties

Principles of cyber Security

The CIA Triad

▪ Fundamental objectives of cybersecurity professionals
▪ Comprises confidentiality, integrity and availability
▪ Forms the basis for development of security systems
▪ All three pillars are equally important

Principles of cyber Security

1. Confidentiality

▪ Objective is to prevent disclosure of information to unauthorized individuals (those who do not have a need or right)
▪ Assurance that data can be accessed only by authorized people; any other access is prohibited
▪ Supports least privilege principle
▪ Controls include data classification, encryption, strong access control, security training etc.

Principles of cyber Security

1. Confidentiality (Contd.)

Principles of cyber Security

2. Integrity

▪ Assurance that data/system is not altered
▪ Effort to prevent disclosure of information to unauthorized individuals
▪ Controls: Hashing, encryption, digital certificates

Principles of cyber Security

2. Integrity (Contd.)

Principles of cyber Security

3. Availability

▪ Efforts made to prevent disruption of service
▪ Assurance that information is available when needed
▪ System must work without errors and ensure access to services without degradation
▪ Controls: Redundancy, High-availability (HA), Firewalls

Principles of cyber Security

3. Availability (Contd.)

Principles of cyber Security

4. Authenticity (or authentication)

▪ Ensures that information and communication come from a trusted source.
▪ This includes protecting against impersonation, spoofing and other types of identity fraud.
▪ Common techniques used to establish authenticity include authentication, digital certificates, and biometric identification.

Principles of cyber Security

5. Non-repudiation

▪ Ensures that a party cannot deny having sent or received a message or transaction.
▪ This includes protecting against message tampering and replay attacks.
▪ Common techniques used to establish non-repudiation include digital signatures, message authentication codes and timestamps.
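
The controls named on the Integrity and Non-repudiation slides (hashing, message authentication codes, timestamps) can be seen working together in the following added Python example, which is not part of the original slides. It shows a receiver rejecting a tampered, a stale and a replayed message. The key, message fields, nonce scheme and 300-second freshness window are constructed assumptions.

```python
"""Added illustration: tamper, staleness and replay checks on one message.

Everything here is constructed for the example: the key, the field names,
the nonce scheme and the freshness window are assumptions.
"""
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 300  # assumed freshness window for timestamps


def sha256_hex(data: bytes) -> str:
    """Plain (unkeyed) hash of the data."""
    return hashlib.sha256(data).hexdigest()


def plain_hash_accepts(body: str, digest: str) -> bool:
    """Receiver that trusts a digest shipped next to the data."""
    return hmac.compare_digest(sha256_hex(body.encode()), digest)


def seal(key: bytes, payload: dict, timestamp: int, nonce: str) -> dict:
    """Sender: bind payload, timestamp and nonce under one HMAC-SHA256 tag."""
    body = json.dumps(
        {"payload": payload, "ts": timestamp, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Verifier:
    """Receiver: checks the tag first, then freshness, then replay."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = set()  # a real service would expire old entries

    def verify(self, message: dict, now: int) -> str:
        body = message["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison; the body is not parsed until this passes.
        if not hmac.compare_digest(expected, message["tag"]):
            return "rejected: tampered"
        fields = json.loads(body)
        if abs(now - fields["ts"]) > self.max_skew:
            return "rejected: stale"
        if fields["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(fields["nonce"])
        return "accepted"


def demo() -> dict:
    key = b"constructed-demo-key"   # constructed; real keys are never hard-coded
    now = 1_700_000_000             # constructed clock value
    verifier = Verifier(key)
    order = {"action": "transfer", "amount": "250.00"}  # constructed payload

    msg = seal(key, order, now, "n-001")
    results = {"genuine": verifier.verify(msg, now + 5)}
    # The same valid message delivered a second time.
    results["replayed"] = verifier.verify(msg, now + 10)

    # Body altered in transit while the original tag is kept.
    forged_body = msg["body"].replace('"250.00"', '"9250.00"')
    results["tampered"] = verifier.verify(
        {"body": forged_body, "tag": msg["tag"]}, now + 5)

    # An unkeyed digest only helps if it arrives out of the attacker's reach:
    # whoever can alter the body can also recompute the digest beside it.
    results["plain_hash_catches_old_digest"] = not plain_hash_accepts(
        forged_body, sha256_hex(msg["body"].encode()))
    results["plain_hash_fooled_by_new_digest"] = plain_hash_accepts(
        forged_body, sha256_hex(forged_body.encode()))

    # A valid message that arrives an hour after it was sealed.
    late = seal(key, order, now, "n-002")
    results["stale"] = verifier.verify(late, now + 3600)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

A shared-key MAC convinces only the parties that hold the key, since either of them could have produced the tag. Where a third party must be convinced who sent a message, a digital signature is the technique to use.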

Principles of cyber Security

5. Non-repudiation (Contd.)

Principles of cyber Security

6. Accountability

▪ Ensures that an individual is held responsible for an action and that individual can’t deny an action
▪ Prevents non-repudiation

Principles of cyber Security

7. Principle of least privilege

▪ Ensures that an individual has only the access needed to carry out their work activities
▪ Any excessive permissions are retracted

Principles of cyber Security

8. Separation of duties

▪ Ensures that any task is divided among two or more individuals to prevent any intentional or unintentional fraud/error.

Week 1 – Introduction to Cyber Security (Day 2)

Cybersecurity threats and vulnerabilities

Kedar Mendhurwar CCIE Security, CISSP, CISA

Recap week 1 – day 1

▪ Introduction to the course
▪ Introduction to cybersecurity
▪ Present Cybersecurity landscape
▪ History of Cybersecurity
▪ Introduction to the CIA triad
▪ Cybersecurity principles
▪ Types of Attackers

John is a new member of the DevSecOps team and has no exposure
to security. While reading the corporate security policy, he comes
across the term confidentiality.

What does confidentiality of data refer to?

Alice is buying books from an online retail site, and she finds that
she is able to change the price of a book from £19.99 to £1.99.

Which part of the CIA triad has been broken?

Cynthia is working on her university applications online, when the
admissions website crashes. She is unable to turn in her
application on time.

Which part of the CIA triad has been broken?

Kim has taken her A-Level exam and is waiting to get her results
by email. By accident, Kim’s results are sent to Karen.

Which part of the CIA triad has been broken?

Steve is the manager of the product development team. He has
asked John to develop the code and Hannah to review the code.

What is this principle called ?

Course outline – week 1 day 2

▪ Types of attackers
▪ Types of attacks
▪ Security terminologies
▪ Threats, vulnerabilities and Risk
▪ Impact of vulnerabilities on organizations

Types of cyber attackers

TYPES OF CYBER ATTACKERS

Who are the hackers ?

1. Script kiddies
Individuals with little to no technical expertise using pre-existing tools or scripts available on the internet
E.g., rookie hackers

TYPES OF CYBER ATTACKERS

Who are the hackers ? (Contd.)

2. Black hat hackers
A computer hacker who violates laws or typical ethical standards for nefarious purposes, such as cybercrime, cyberwarfare or malice.

TYPES OF CYBER ATTACKERS

Who are the hackers ? (Contd.)

3. White hat hackers
Individuals who use hacking skills “ethically” to identify security vulnerabilities in hardware, software or networks.

TYPES OF CYBER ATTACKERS

Who are the hackers ? (Contd.)

4. Gray hat hackers
Individuals who may sometimes violate laws or typical ethical standards, but usually do not have the malicious intent typical of a black hat hacker.

TYPES OF CYBER ATTACKERS

Who are the hackers ? (Contd.)

5. Hacktivists
Hacker activists who attack computer systems for social or political reasons
E.g., Anonymous

TYPES OF CYBER ATTACKERS

Who are the hackers ? (Contd.)

6. Cyber gangs
Criminal gangs who aim to maximize the amount of money they can collect through cyber crime
E.g., Lazarus, Cosmic Lynx, Fin7, Exaggerated Lion

TYPES OF CYBER ATTACKERS

Who are the hackers ? (Contd.)

7. Nation states
Work for the government to disrupt or compromise target governments, organizations or individuals to gain access to valuable data or intelligence
E.g., Russian interference in 2016 US election, Russian cyberattacks on Ukraine, Conflicts between Iran and Iraq

TYPES OF CYBER ATTACKERS

Who are the hackers ? (Contd.)

8. Insider threats
Past or present employees, partners, consultants, vendors, contractors etc.
E.g., NSA breach, Uber breach, Tesla breach

TYPES OF CYBER ATTACKERS

TRUE OR FALSE ?

TYPES OF CYBER ATTACKERS

▪ A black hat hacker is an individual who finds the vulnerabilities in a system in an ethical way.

▪ Hacktivists are individuals who perform hacking activities for personal gains.

▪ Gray hat hackers are ethical hackers who make use of unethical ways.

▪ Out of all the attacker types, insider threats cause the biggest damage.

Types of cyber attacks

TYPES OF CYBER ATTACKS
What are the common attack types

▪ Malware attack
▪ Social engineering
▪ DoS and DDoS
▪ Man in the middle (MITM)
▪ Phishing

▪ Spear Phishing
▪ Ransomware
▪ Injection attacks
▪ Insider threats

TYPES OF CYBER ATTACKS
What are the common attack types

▪ Spoofing
▪ Session hijacking
▪ Web attacks
▪ Network attacks
▪ Insider threats

▪ Eavesdropping
▪ Birthday attack
▪ Cross site scripting

TYPES OF CYBER ATTACKS
What are the common attack types (Contd.)

TYPES OF CYBER ATTACKERS

Group activity:

Which of the cyber threats or attacks do you think is the most dangerous, and why ?

Security terminologies

SECURITY TERMINOLOGIES
Asset
▪ Information or system that is of value to the organization
▪ Goal is to ensure CIA of assets from various threats
▪ May be tangible (calculable in dollars) or intangible (incalculable)
▪ Examples include:
❑ Workstations
❑ Database servers
❑ Web servers
❑ Network systems such as routers, firewalls
❑ Financial or corporate data
❑ People
SECURITY TERMINOLOGIES
Malware – Trojan, viruses and worms

❑ Malware – Umbrella term for all malicious software
❑ Virus – malware aimed to corrupt, erase or modify information on system
❑ Trojan – malware which pretends to be useful software
❑ Worm – self-replicating malware
❑ Ransomware – demands a ransom by holding data hostage
❑ Spyware – functions by spying on user activity

SECURITY TERMINOLOGIES
Security Control / Safeguard

❑ A remediation/cure for a security gap
❑ Reduces the risk of threats over the assets
❑ A control can be:
o Preventative – Firewalls, Antivirus etc.
o Detective – IDS, Firewalls etc.
o Corrective – Antivirus
o Compensating – Security policy
o Deterrent – Banners, security policy, firewalls etc.
o Administrative – security policies
SECURITY TERMINOLOGIES
Cryptography

❑ Cryptography – Practice of hiding the data or information
❑ Encryption – Hiding the data using cryptography
❑ Decryption – Unhiding/decoding the encrypted data
❑ Plaintext / cleartext – Data which is not encrypted (or hidden)
❑ Ciphertext – Data which is encrypted (or hidden)
❑ Encryption key – Key used for encryption
❑ Decryption key – Key used for decryption
❑ Hashing – Processing data to create a unique value

SECURITY TERMINOLOGIES
AAA

❑ Authentication – Process of verifying or confirming the identity
❑ Authorization – Process of verifying or confirming the permissions
❑ Accounting / Auditing – Process of logging or documenting all the activities

SECURITY TERMINOLOGIES
Threats

External threats
❑ Arise from outside the organization
❑ Must bypass the perimeter controls for attack to be successful
❑ Often make use of malware, impersonation, fake job postings, DDoS etc.

Internal threats
❑ Arise from within the organization
❑ Immune to the perimeter controls
❑ Often make use of trust, privilege escalation, social engineering

SECURITY TERMINOLOGIES
Due Diligence and Due care

❑ Due Diligence
o Acting like a prudent person
o Taking necessary precautions in a given situation
o E.g., Ensuring password security

❑ Due Care
o Implementation of due diligence
o E.g., using a password manager

SECURITY TERMINOLOGIES
Other definitions

❑ Domain – Logical group of employees, computers, printers etc.
❑ Network – Logical group of entities connected to share resources
❑ Exploit – Malicious application or script
❑ Breach – Phenomenon of a hacker successfully exploiting a vulnerability
❑ IP address – Logical address of a body on the network
❑ MAC address – Physical address of a body on the network

Vulnerability, threat and risk

Vulnerabilities, Threat and Risk

What is a vulnerability ?

Vulnerabilities, Threat and Risk

What is a Vulnerability ?

▪ Fault or weakness in a system which may be potentially exploited
▪ Examples are:
❑ Default or weak passwords
❑ Buggy software code
❑ Unpatched software or OS
❑ Insecure API
❑ Lack of data encryption
❑ Untrained employees

Vulnerabilities, Threat and Risk

What is a zero-day Vulnerability ?

▪ Vulnerabilities in software that are discovered and exploited by attackers before a fix can be disseminated.
▪ A completely strange or unknown vulnerability for which there is no patch available yet
▪ The most dangerous, and could have a worse impact

Vulnerabilities, Threat and Risk

What causes a vulnerability

▪ Complexity
▪ Attacker Familiarity
▪ Connectivity
▪ Poor password management
▪ Internet
▪ OS flaws
▪ Software bugs
▪ Unchecked user input
▪ People

Vulnerabilities, Threat and Risk

Vulnerabilities – Well known breaches


▪ Morris worm (1988) – Exploited vulnerabilities in UNIX sendmail
▪ Yahoo breach (2014) – Unpatched system and lack of security design
▪ WannaCry attack (2017) – Exploited vulnerability in SMB design
▪ CAM4 leak (2020) – Misconfigured Elasticsearch production database exposed 10B records
▪ Alibaba breach (2022) – Misconfigured Alibaba Cloud server that did not require a password to access resulted in 1B exposed records
▪ Verifications.io (2019) – Data left unprotected on a public server exposed 2B records
▪ Uber breach (2016) – Attacker posed as a colleague


What is a threat ?

▪ Potential of an actor to exploit a vulnerability
▪ Anything that could exploit a vulnerability and hinder CIA
▪ Can be categorized as:
❑ Natural events
❑ Human error
❑ Attacks

Threat actors


What is a risk ?

▪ Likelihood or probability of a vulnerability being exploited by a threat
▪ In layman’s terms, the probability that the bad guy wins ☺
▪ Takes into consideration the likelihood and impact of the threat being realized
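
How the three terms fit together, as an added example that is not part of the original slides: a risk entry exists only where a threat can act on a vulnerability, and it is scored here as likelihood times impact. The 1-5 scale, the band thresholds, the assets and the threat names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: the weakness names in VULNS and the threat
# categories come from the slides; assets, threats and scores are assumptions.
@dataclass(frozen=True)
class Vulnerability:
    asset: str
    weakness: str
    impact: int       # 1 (minor) .. 5 (severe) if exploited

@dataclass(frozen=True)
class Threat:
    name: str
    category: str     # "Natural events", "Human error" or "Attacks"
    exploits: str     # the weakness this threat can act on
    likelihood: int   # 1 (rare) .. 5 (almost certain)

def rating(score: int) -> str:
    """Map a 1-25 score onto a qualitative band (assumed thresholds)."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def risk_register(vulns, threats):
    """Score every (vulnerability, threat) pair where the threat applies."""
    rows = []
    for v in vulns:
        for t in threats:
            if t.exploits == v.weakness:   # risk needs both halves
                score = t.likelihood * v.impact
                rows.append((score, rating(score), v.asset, v.weakness, t.name))
    return sorted(rows, reverse=True)      # highest risk first

VULNS = [
    Vulnerability("customer database", "Lack of data encryption", 5),
    Vulnerability("admin portal", "Default or weak passwords", 4),
    Vulnerability("file server", "Unpatched software or OS", 4),
    Vulnerability("intranet wiki", "Insecure API", 2),   # no matching threat
]
THREATS = [
    Threat("credential guessing", "Attacks", "Default or weak passwords", 4),
    Threat("ransomware worm", "Attacks", "Unpatched software or OS", 3),
    Threat("lost backup drive", "Human error", "Lack of data encryption", 2),
    # Constructed threat with no matching weakness in VULNS:
    Threat("flood in server room", "Natural events", "No off-site backup", 1),
]

if __name__ == "__main__":
    for score, band, asset, weakness, threat in risk_register(VULNS, THREATS):
        print(f"{score:>2} {band:<6} {asset}: {weakness} <- {threat}")
```

The intranet wiki and the flood produce no entry: a vulnerability without a threat, or a threat without a vulnerability, carries no risk in this model.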


QUIZ TIME ☺

Impact of vulnerabilities on organizations

What would happen if the vulnerabilities are left unpatched?


▪ Disclosure of sensitive data
▪ Lack of availability
▪ Privilege escalation
▪ Financial loss or complete shutdown
▪ Reputational loss
▪ Operational disruption
▪ Loss of confidence


Use case 1

▪ In 2019, the data of more than 100M Capital One customers was compromised.
▪ An attacker exploited a vulnerability in the firewall configuration of the bank's cloud-based infrastructure.
▪ A cyberattack that affects data at multiple large financial institutions could lead to a broad loss of confidence in the security of the financial sector.
▪ If the institutions' data are corrupted during the attack, the recovery process could be extensive.


Use case 2

▪ In 2020, DDoS attacks overwhelmed New Zealand's Exchange (NZX).
▪ Exchange of cash, debt, and derivatives was halted for most of four days.
▪ NZX was vulnerable because it lacked adequate defenses and a response playbook.
▪ An attack that shuts down trading at a large and interconnected financial market exchange could disrupt price information more widely, as well as clearing and settlement, and trigger a loss of confidence.


Use case 3

▪ In 2020, a nation-state actor inserted malware into a routine update of network management software sold by SolarWinds, a third-party vendor.
▪ SolarWinds customers, which included large financial institutions, were infected by the malware when they installed the software update.
▪ The attack opened a backdoor through which attackers could have exploited the customers' computer systems.
▪ While financial institutions do not appear to have been the intended targets, if they had been, the outcome for financial stability could have been much worse, as the attackers reportedly had access to the computer systems for some time.

❑ Write a one-page report on a recent cybersecurity news event

❑ Read about the top 10 cybersecurity breaches of the 21st century
