
CYBER SECURITY

Unit - 1
Overview of cyber security
Cyber security focuses on protecting computer systems from unauthorised access or being
otherwise damaged or made inaccessible. According to the Cyber Security & Infrastructure
Security Agency (CISA), "Cyber security is the art of protecting networks, devices and data
from unauthorized access or criminal use and the practice of ensuring confidentiality,
integrity and availability of information."

There are 5 types of cyber security

Cybersecurity can be categorized into five distinct types:

- Critical infrastructure security.
- Application security.
- Network security.
- Cloud security.
- Internet of Things (IoT) security.

The Different Types of Cybersecurity: Cyber security is a wide field covering several
disciplines. It can be divided into seven main pillars:

1. Critical Infrastructure Security: Critical infrastructure security is a concept that relates to
preparedness and response to serious incidents that involve the critical
infrastructure of a region or nation.

2. Application Security: Web applications, like anything else directly connected to the
Internet, are targets for threat actors. Since 2007, OWASP has tracked the top 10
threats to web application security, covering critical flaws such as injection, broken
authentication, misconfiguration, and cross-site scripting, to name a few.

3. Network Security: Most attacks occur over the network, and network
security solutions are designed to identify and block these attacks. These solutions
include data and access controls such as Data Loss Prevention (DLP), Identity and
Access Management (IAM), Network Access Control (NAC), and Next-Generation Firewall
(NGFW) application controls to enforce safe web use policies.

4. Cloud Security: As organizations increasingly adopt cloud computing, securing the cloud
becomes a major priority. A cloud security strategy includes cyber security solutions,
controls, policies, and services that help to protect an organization’s entire cloud deployment
(applications, data, infrastructure, etc.) against attack.

5. IoT Security: While using Internet of Things (IoT) devices certainly delivers productivity
benefits, it also exposes organizations to new cyber threats. Threat actors seek out
vulnerable devices inadvertently connected to the Internet for nefarious uses such as a
pathway into a corporate network or for another bot in a global bot network.

Cyberspace
Cyberspace allows users to share information, interact, swap ideas, play games,
engage in discussions or social forums, conduct business and create intuitive
media, among many other activities.

The term cyberspace was initially introduced by William Gibson in his 1984
book, Neuromancer. Gibson criticized the term in later years, calling it “evocative
and essentially meaningless.” Nevertheless, the term is still widely used to
describe any facility or feature that is linked to the Internet. People use the term
to describe all sorts of virtual interfaces that create digital realities.

More on Cyberspace
In many key ways, cyberspace is what human societies make of it.

One way to talk about cyberspace relates to the use of the global Internet for
diverse purposes, from commerce to entertainment. Wherever the Internet is
used, you could say, that creates a cyberspace. The prolific use of both desktop
computers and smartphones to access the Internet means that, in a practical
(yet somewhat theoretical) sense, the cyberspace is growing.

Another prime example of cyberspace is the online gaming platforms advertised
as massive online player ecosystems. These large communities, playing all
together, create their own cyberspace worlds.

To really consider what cyberspace means and what it is, consider what happens
when thousands of people, who may have gathered together in physical rooms in
the past to play a game, do it instead by each looking into a device from remote
locations.

In fact, gaming as an example, as well as streaming video, shows what our
societies have largely chosen to do with the cyberspace as a whole. According to
many IT specialists and experts, including F. Randall Farmer and Chip
Morningstar, cyberspace has gained popularity as a medium for social
interaction, rather than for its technical execution and implementation.

Theoretically, the same human societies could create other kinds of cyberspace
—technical realms in which digital objects are created, dimensioned and
evaluated in technical ways.

In the end, it seems that the cyberspaces that we have created are pretty
conformist and one-dimensional, relative to what could exist. In that sense,
cyberspace is always evolving, and promises to be more diverse in the years to
come.

Threat landscape
The cyber security threat landscape is vast, and we are often faced with the
challenge of keeping up with novel attack techniques and new attack surfaces.
As enterprises continue to transition to storing data and offering services through the
cloud, we will continue to see an increase in threat activity relevant to all forms of
cloud technology.
There are many dangerous cloud attack methods observed in the wild today.
The examples included here are based on both active opportunistic and
targeted attackers we observe.

1. Vulnerable Services: One of the most commonly observed attacks in
cloud networks is compromise through vulnerable services. Consequently,
the criticality of running updated systems cannot be overstated.
One well-known example of this type of attack was the immediate
exploitation of the Apache Log4j vulnerability. Apache had a single
vulnerability with massive impact across the world when it was discovered,
yet there are many other common services ripe for such attacks too.

2. Cloud Misconfigurations: Configuration oversight is the most common cause of
the vast majority of cloud storage data leaks. Organizations mistakenly leaving
customer data publicly accessible, or easily accessible to attackers, has led to a
climb in data leaks over the years.
Again, this is not unique to the cloud. It is increasingly common due to the ease
and hidden complexity of cloud storage configurations. Additionally, configuration
oversight is not limited to causing data leaks. In many cases, we have observed
cloud hosts become infected with malware, or attackers gain further network access, due to an
attacker’s ability to inflict change on a system.

3. Supply Chain Attacks: Supply chain attacks hold a special place in the heart of
attackers. While supply chain intrusions have been heavily reported on with the
likes of SolarWinds, which was attributed to a Russian APT, there are others which
are isolated to cloud networks and services.

4. Cloud Management Platform Access: Examples like those above teach us
an important lesson: much of the cloud threat landscape centers around the desire to
access the cloud management platform, especially privileged cloud accounts. It is critical
to defend against these cloud threats because they offer the attacker an opportunity to break the
barrier of accessing information or control over a powerful, normally-trusted service.

An attacker with privileged access to the management platform of a cloud service, be it AWS,
GCP or Azure, can weave their way into many difficult-to-identify places. Thanks to the use
of open source tools like Purple Panda, an attacker with their hands on stolen
credentials can automate cloud privilege escalation and identify opportunities for lateral
movement.

The ways that attackers seek such access are, again, quite vast. For example, we know
opportunistic attackers scan online code and image repositories (GitHub, Docker Hub) for
mistakenly leaked keys. This has allowed them to kick off supply chain attacks and general
bulk data theft. Additionally, highly capable and well-resourced targeted attackers like APT29
also place a deliberate effort into seeking such access for state-sponsored missions. Overall,
this is a highly desirable level of access that any attacker would enjoy, so it should be of the
utmost importance for defenders to track.

CYBER ATTACKS

A cyber attack is an attempt to disable computers, steal data, or use a
breached computer system to launch additional attacks. Cybercriminals use
different methods to launch a cyber attack, including malware, phishing,
ransomware, man-in-the-middle attacks, and other methods.

17 Different Types of Cyber Attacks

1. Malware-based attacks (Ransomware, Trojans, etc.)
2. Phishing attacks (spear phishing, whaling, etc.)
3. Man-in-the-middle attacks
4. Denial of Service attacks (DoS and DDoS)
5. SQL Injection attacks
6. DNS Tunneling
7. Zero-day exploits and attacks
8. Password attacks
9. Drive-by download attacks
10. Cross-site scripting (XSS) attacks
11. Rootkits
12. DNS spoofing or “poisoning”
13. Internet of Things (IoT) attacks
14. Session hijacking
15. URL manipulation
16. Cryptojacking
17. Insider threats

1. Malware-based attacks (Ransomware, Trojans, etc.)

Malware refers to “malicious software” that is designed to disrupt or steal data
from a computer, network, or server.

Hackers trick you into installing malware on your devices. Once installed, a
malicious script runs in the background and bypasses your security — giving
hackers access to your sensitive data.

Malware is one of the most commonly used cyber attacks. And there are
multiple variations that you should be aware of:

- Ransomware: This type of malware encrypts files on your system so you
can’t access them until you pay a “ransom” (usually in cryptocurrency).
There was an 80% increase year-over-year in ransomware attacks
worldwide.
- Spyware: As the name suggests, this type of malware spies on your
activities and sends data back to the hacker. This could include bank
details, logins, and passwords.
- Trojans: Named after the famous Trojan horse, these types of malware
“hide” inside a legitimate piece of software. For example, you might
download what you think is antivirus software — only to have your device
infected.
- Viruses: Viruses attach to programs and files and are triggered when you
open them. Once active, a virus can self-replicate without your knowledge
and slow down your device or destroy

2. Phishing attacks (spear phishing, whaling, etc.)

This attack occurs when a cybercriminal sends you a fraudulent
email, text (called “smishing”), or phone call (called “vishing”). These messages look
like they’re from someone official or a person or business who you trust – such as
your bank, the FBI, or a company like Microsoft, Apple, or Netflix.

In actuality, these messages are sent from imposters. If you reply with sensitive
information such as your password, they can use it to take over your accounts.

Phishing and smishing messages may also instruct you to click on a link or open an
email attachment that will either download malware to your device or send you to a
phishing site designed to steal your information.

In many cases, phishing attacks cast a wide net and don’t target specific individuals
(this makes them easier to identify). However, there are a few new phishing cyber
attacks that are more targeted and harder to spot. These include:

- Spear phishing attacks: These attacks are usually sent via email and target
a specific individual. The hacker will use your personal information that
they have bought on the Dark Web (or found in your online footprint and on
social media) to make it sound more believable and get you to click on the
link.
- Whaling: A whale phishing attack occurs when a hacker targets high-profile
individuals, like CEOs and executives. The goal is to steal their
credentials and get backdoor access to their company’s network. CEO
fraud is now a $26-billion-a-year scam.
- Angler phishing attacks: An Angler attack is a new type of phishing scam in
which a hacker “baits” users on social media by pretending to be a well-known
company’s customer service account. Scammers create accounts
like “@AmazonHelp$” and then auto-respond to relevant messages by
providing a link for you to talk to a “rep.” But really, it’s a scam designed to
steal your information.

3. Man-in-the-middle attacks
A man-in-the-middle attack (MitM) occurs when attackers intercept data or
compromise your network to “eavesdrop” on you. These attacks are especially
common when using public Wi-Fi networks, which can easily be hacked.

For example, let’s say you’re using the Wi-Fi at Starbucks and need to check your
bank account balance. When you log in, a hacker can intercept your data and
capture your username and password (and drain your account later).

4. Denial of Service (DoS) and Distributed Denial of Service (DDoS)

Many cyber attacks are meant to overwhelm servers, forcing services to shut down.

A denial of service (DoS) attack occurs when hackers use false requests and traffic
to overwhelm a system and shut it down.

A distributed denial of service (DDoS) attack is the same type of attack, except the
hacker uses multiple breached devices at the same time.

The goal of these cyber attacks isn’t usually to steal data, but to halt or even shut
down business operations.

DDoS attacks have shut down sites like Twitter, SoundCloud, and Spotify, and
even severely damaged Amazon’s AWS.

5. SQL injection attacks

Most websites use SQL databases to store sensitive information like logins,
passwords, and account information. Hackers use an SQL injection attack to “trick”
the database into giving up this information.

These attacks are a bit technical, but they come down to a hacker entering
predefined SQL commands into a data-entry box (like a login or password field).
Those commands can read sensitive data, modify database data, or even trigger
executive functions (such as shutting down the system).

Just last year, 70 gigabytes of data was stolen from Gab — a far-right website —
through an SQL injection attack.
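
As an added example (not part of the original notes), the defect behind a login-field injection beside its fix, using Python's sqlite3 on a constructed one-row user table: the first check pastes the typed password into the SQL text, so a quote-and-OR input rewrites the WHERE clause; the parameterized check binds the same input as plain data.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with one sample account (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Defective form: the user's input becomes part of the SQL text, so a
    # quote in the password field closes the literal and changes the WHERE clause.
    sql = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Hardened form: '?' placeholders are bound by the driver, so the input is
    # only ever compared as a value and can never alter the statement.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    # Runs both checks with the real password and with the injected input
    # "' OR '1'='1", which turns the vulnerable clause into
    #   ... AND password = '' OR '1'='1'   (always true, so a row comes back).
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, "alice", injected),
        "parameterized_valid": login_parameterized(conn, "alice", "correct-horse"),
        "parameterized_injected": login_parameterized(conn, "alice", injected),
    }


if __name__ == "__main__":
    print(demo())
```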

6. DNS tunneling

DNS tunneling is a type of cyber attack that hackers use to bypass traditional
security systems like firewalls to gain access to systems and networks. Hackers
encode malicious programs within DNS queries and responses (that most security
programs ignore).

Once the program is inside, it latches onto the target server, giving the hackers
remote access.

DNS tunneling attacks are especially dangerous as they often go unnoticed for days,
weeks, or months. During that time, cybercriminals can steal sensitive data, change
code, install new access points, and even install malware.

In one example, cybercriminals used DNS tunneling to attack Air India and other
airlines and steal passport details and credit card numbers.
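
An added example, not from the original notes: a small detector in Python that runs over constructed resolver query logs and flags the pattern DNS tunnelling leaves behind (many long, high-entropy, never-repeated subdomains under one registered domain from one client). The log lines, the tunnel-example.net domain and the thresholds are all assumptions chosen for the sample.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs, one "<client> <queried name>" per
# line. The tunnel-example.net names are made up to look like encoded data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c2e1b7d4e6f0a1b2c3d4e5f6a7b8.tunnel-example.net
10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel-example.net
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-example.net
10.0.0.7 deadbeefcafef00d0123456789abcdef.tunnel-example.net
10.0.0.5 cdn.example.com
"""


def shannon_entropy(text):
    # Bits of entropy per character; encoded payloads score far higher than
    # ordinary host names such as "www" or "mail".
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    # Assumption: the last two labels are the registered domain; a real
    # deployment would consult the public suffix list instead.
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_tunnel_candidates(log_text, min_sub_len=24, min_entropy=3.0, min_hits=3):
    # Groups queries by (client, registered domain) and flags groups whose
    # subdomains are long, high-entropy and never repeated: data being carried
    # out one query at a time rather than a name being resolved for its own sake.
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, qname = parts
        domain, sub = split_name(qname)
        groups[(client, domain)].append(sub)

    findings = []
    for (client, domain), subs in groups.items():
        hits = [s for s in subs
                if len(s) >= min_sub_len and shannon_entropy(s) >= min_entropy]
        if len(hits) >= min_hits and len(set(hits)) == len(hits):
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(subs),
                "flagged": len(hits),
                "avg_entropy": round(sum(map(shannon_entropy, hits)) / len(hits), 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```

Ordinary lookups (www, mail, cdn) fall well below the length and entropy thresholds, so only the 10.0.0.7 traffic to tunnel-example.net is reported.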

7. Zero-day exploits and attacks

Zero-day exploits are cyber security vulnerabilities that exist in software or a network
without the manufacturer’s knowledge.

For example, Apple might release a new version of iOS that accidentally contains a
way for hackers to steal your iCloud information. Once they discover the flaw, the
attacked company has “zero days” to fix it, as they’re already vulnerable.

A zero-day attack occurs when hackers use those vulnerabilities to get into a system
to steal data or cause damage. In the first few months of 2022, Microsoft, Google,
and Apple all had to patch zero-day bugs.

8. Password attacks

Password attacks comprise any cyber attacks in which hackers try to guess, brute
force, or trick you into giving up your passwords.

There are a few different password-based cyber attacks you need to be aware of:
- Password spraying: This is when hackers attempt to use the same
password across many accounts. For example, over 3.5 million Americans
use the password “123456” (easy to remember).
- Brute force: A brute force attack occurs when hackers create software that
tries different combinations of usernames and passwords until finding one
that works. They’ll often use logins leaked to the Dark Web because many
people reuse passwords across accounts (this is also called the
“Dictionary” method).
- Social engineering: Social engineering attacks occur when hackers use
psychology to trick you into giving up your password. For example, they
might use a phishing email pretending to be from your bank and fool you
into “confirming” your account details.
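
The two automated attacks above leave opposite footprints in authentication logs, and telling them apart is what a detection rule has to do. As an added example (not from the original notes), Python that parses a constructed log in an assumed "<timestamp> OK|FAIL src=<ip> user=<name>" format and labels each source address as password spraying (many users, one or two tries each), brute force (many tries on one account) or normal; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed authentication log (not from a real system). Source addresses
# use the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01 FAIL src=203.0.113.9 user=alice
2024-03-01T09:00:02 FAIL src=203.0.113.9 user=bob
2024-03-01T09:00:03 FAIL src=203.0.113.9 user=carol
2024-03-01T09:00:04 FAIL src=203.0.113.9 user=dave
2024-03-01T09:00:05 FAIL src=203.0.113.9 user=erin
2024-03-01T09:00:06 FAIL src=203.0.113.9 user=frank
2024-03-01T09:10:00 FAIL src=198.51.100.7 user=carol
2024-03-01T09:10:01 FAIL src=198.51.100.7 user=carol
2024-03-01T09:10:02 FAIL src=198.51.100.7 user=carol
2024-03-01T09:10:03 FAIL src=198.51.100.7 user=carol
2024-03-01T09:10:04 FAIL src=198.51.100.7 user=carol
2024-03-01T09:10:05 FAIL src=198.51.100.7 user=carol
2024-03-01T09:10:06 FAIL src=198.51.100.7 user=carol
2024-03-01T09:10:07 FAIL src=198.51.100.7 user=carol
2024-03-01T09:20:00 FAIL src=192.0.2.44 user=dave
2024-03-01T09:20:15 OK src=192.0.2.44 user=dave
"""

# Assumed log line shape; adjust the pattern for a real product's format.
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) src=(\S+) user=(\S+)$")


def parse_auth_log(log_text):
    # Yields (timestamp, succeeded, source, user); unparseable lines are skipped.
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2) == "OK", m.group(3), m.group(4)


def classify_sources(log_text, spray_min_users=5, spray_max_per_user=2,
                     brute_min_attempts=6):
    # Per source address: spraying = many distinct users with few tries each
    # (a lockout policy never fires); brute force = many tries on one account;
    # anything else (a typo followed by a success) is normal.
    failures = defaultdict(lambda: defaultdict(int))
    for _ts, ok, src, user in parse_auth_log(log_text):
        if not ok:
            failures[src][user] += 1

    verdicts = {}
    for src, per_user in failures.items():
        busiest = max(per_user.values())
        if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
            verdicts[src] = "password-spraying"
        elif busiest >= brute_min_attempts:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_AUTH_LOG).items():
        print(src, verdict)
```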

9. Drive-by download attacks

Most cyber attacks require some action from you — like clicking on a link or
downloading an attachment. But a drive-by attack (or drive-by download) occurs
when you just browse an infected website.

Hackers take advantage of vulnerabilities in plug-ins, web browsers, and apps to
install malware on your device without your knowledge.

Back in 2016, a drive-by download attack used vulnerabilities in Adobe Flash Player
to install crypto-ransomware. Once installed, victims were redirected to a site
demanding 0.05 bitcoin to return access to their device.

10. Cross-site scripting attacks

A cross-site scripting (XSS) attack allows hackers to gain unauthorized access to an
application or website.

Cybercriminals take advantage of vulnerable websites and cause them to serve
malicious JavaScript to users.

When the code executes in your browser, the hacker is able to masquerade as your
account and do anything you can do.

Sites vulnerable to XSS include message boards, forums, and web pages. These
pages depend on user input that is not screened for malicious code. But even larger
sites are at risk.

For example, in 2014, a site vulnerability on eBay led to customers being redirected
to malicious sites upon clicking on product links. The sites displayed fake eBay login
pages, prompting users to enter their details, which were then stolen.
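
Screening user input is the fix the paragraph points at. As an added example (not from the original notes), a Python comment renderer in its defective and hardened forms: the first pastes the author, body and link into HTML unchanged; the second escapes each value for the context it lands in and only keeps absolute http(s) links, so a javascript: URL in a comment becomes inert. The function names and markup are assumptions for the sample.

```python
import html
from urllib.parse import urlsplit


def render_comment_unsafe(author, body, link):
    # Defective form: user-supplied strings are pasted straight into the HTML,
    # so a comment body containing <script> or an attribute-breaking quote runs
    # in every visitor's browser.
    return (f'<div class="comment"><b>{author}</b>: {body} '
            f'<a href="{link}">link</a></div>')


def safe_href(url):
    # Only absolute http(s) links are kept; javascript:, data:, scheme-relative
    # and anything urlsplit cannot read as a clean scheme collapse to "#".
    cleaned = url.strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in ("http", "https") else "#"


def render_comment_safe(author, body, link):
    # Hardened form: every value is escaped for its context (quote=True also
    # covers attribute values) and the link scheme is checked before use.
    return (f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(body, quote=True)} '
            f'<a href="{html.escape(safe_href(link), quote=True)}">link</a></div>')


if __name__ == "__main__":
    # Constructed hostile comment used to compare the two renderers.
    body = "<script>alert(1)</script>"
    print(render_comment_unsafe("mallory", body, "javascript:alert(1)"))
    print(render_comment_safe("mallory", body, "javascript:alert(1)"))
```

Escaping handles the element and attribute contexts shown here; a value placed inside a script block or a CSS property needs its own context-specific encoding.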

11. Rootkits

Rootkits are a type of malware that give hackers control and administrator-level
access to the target system.

Rootkits hide deep inside your device’s operating system, making them hard to
detect but also incredibly dangerous.
A rootkit could allow hackers to steal sensitive information, install keyloggers, or
even remove antivirus software. For example, in July 2022, Kaspersky uncovered a
rootkit that can persist on a victim's machine even after a reboot or reinstallation.

12. DNS spoofing or “poisoning”

Domain Name System (DNS) spoofing allows hackers to send online traffic to a
“spoofed” website.

These sites look nearly identical to your destination (for example, the login page for
your bank or a social media account). But any information you submit goes straight
to the hackers, giving them access to your accounts.

Hackers can also use DNS spoofing to sabotage companies by redirecting their site
visitors to a poor-quality site with obscene content.

In one famous example, Google’s homepage was spoofed in Romania and Pakistan,
sending users to an unfamiliar site. Thankfully, in this case, the hacker did not seem
to have malicious intent other than redirecting visitors.

13. Internet of Things (IoT) attack

Internet of Things (IoT) devices, such as your smart speakers, TVs, and toys can
also be the targets of cyber attacks.

An IoT attack occurs when hackers steal data from a device — or string together
multiple IoT devices into a botnet — that can be used for DDoS attacks.

IoT devices usually don’t have antivirus software installed, making them easy targets
for hackers. Many of the world’s largest DDoS attacks used “bot armies” composed
of IoT devices. It may seem unlikely, but even your “smart fridge” could be an
unwitting soldier in a cyber attack.

14. Session hijacking

Session hijacking is a type of man-in-the-middle attack in which the attacker “takes
over” a session between a client and the server.

The attacker’s computer swaps its IP address for the client’s address and continues
to access the server, without needing any sort of authentication.

Once they’ve hijacked a session, hackers can do anything the client’s account could
do. For example, let’s say you’re accessing your company’s internal database while
on a work trip. If a hacker hijacks your session, they’ll gain access to all of your
company files.

15. URL manipulation

URL manipulation occurs when hackers alter the parameters in a URL address to
redirect you to a phishing site or download malware.
For example, many people use URL shorteners to help remember long web
addresses or specific pages. If hackers “poison” that shortened URL, they can send
you to a phishing site designed to steal your personal information.

In other situations, hackers manipulate the URL to get the server to show pages they
shouldn’t have access to. For example, they might enter
“www.yoursitename.com/admin” to find your login page or enter
“www.yoursitename.com/.bak” to get access to backup files.

16. Cryptojacking

Cryptojacking is a cyber attack that secretly uses your computer’s processing power
to mine for cryptocurrencies like Bitcoin and Ethereum. This will severely slow down
your computer systems and cause other potential vulnerabilities.

While not necessarily an “attack,” Norton is facing harsh criticism after revelations
that their latest update quietly installed a crypto miner inside its antivirus software.

17. Insider threats

Cyber attacks often come from an external threat like a hacking group. But there’s
also the possibility of insider threats.

Insider threats occur when someone who works for a company purposefully steals
data, gives someone unauthorized access, or leaks passwords.

For example, at the start of the COVID-19 pandemic, a disgruntled former staff
member of a medical device packaging company used his administrator access to
wipe over 100,000 company records.

ATTACK VECTOR

In cyber security, an attack vector is a method of achieving unauthorized network
access to launch a cyber attack. Attack vectors allow cyber criminals
to exploit system vulnerabilities to gain access to sensitive data, personally
identifiable information (PII), and other valuable information accessible after
a data breach.

With the average cost of a data breach at $4.35 million, it's important to plan
ahead to minimize potential attack vectors and prevent data breaches. Digital
forensics and IP attribution are helpful for cleaning up after data breaches, but it's
much more important to know how you can prevent them.

The most common attack vectors include malware, viruses, email attachments,
web pages, pop-ups, instant messages, text messages, and social engineering.

However, the number of cyber threats continues to grow as cybercriminals look to
exploit unpatched or zero-day vulnerabilities listed on CVE and the dark web, and
there is no single solution for preventing every attack vector.

Cybercriminals are growing increasingly sophisticated and it is no longer enough
to rely on antivirus software as the primary security system. This is why
organizations must employ defense in depth to minimize cyber security risk.

The difference between an attack vector, attack surface and threat vector:

An attack vector is a method of gaining unauthorized access to a network or
computer system.

An attack surface is the total number of attack vectors an attacker can use to
manipulate a network or computer system or extract data.

Threat vector can be used interchangeably with attack vector and generally
describes the potential ways a hacker can gain access to data or other
confidential information.

The Common Types of Attack Vectors are

1. Compromised Credentials

Usernames and passwords are still the most common type of access credential
and continue to be exposed in data leaks, phishing scams, and malware. When
lost, stolen, or exposed, credentials give attackers unfettered access. This is why
organizations are now investing in tools to continuously monitor for data
exposures and leaked credentials. Password managers, two-factor
authentication (2FA), multi-factor authentication (MFA), and biometrics can
also reduce the risk of leaked credentials resulting in a security incident.

2. Weak Credentials

Weak passwords and reused passwords mean one data breach can result in
many more. Teach your organization how to create a secure password, invest in
a password manager or a single sign-on tool, and educate staff on their benefits.

3. Insider Threats

Disgruntled employees or malicious insiders can expose private information or
provide information about company-specific vulnerabilities.

4. Missing or Poor Encryption

Common data encryption methods like SSL certificates and DNSSEC can
prevent man-in-the-middle attacks and protect the confidentiality of data being
transmitted. Missing or poor encryption for data at rest can mean that sensitive
data or credentials are exposed in the event of a data breach or data leak.

5. Misconfiguration

Misconfiguration of cloud services, like Google Cloud Platform, Microsoft Azure,
or AWS, or using default credentials can lead to data breaches and data
leaks: check your S3 permissions or someone else will. Automate configuration
management where possible to prevent configuration drift.
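
"Check your S3 permissions" can be automated. As an added example (not from the original notes), Python that reads an S3 bucket policy document and reports every Allow statement granted to the public principal ("*" or {"AWS": "*"}), the setting that turns a bucket into a data leak; both policies are constructed samples and the account id and role names are placeholders.

```python
import json

# Constructed bucket policies (not from any real account). The first grants
# world-readable objects, the kind of oversight the note warns about.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Corrected form: access is limited to one role, and the only statement that
# names everyone is a Deny (rejecting plain-HTTP requests).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:role/app-role"]},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def is_public_principal(principal):
    # "*" and {"AWS": "*"} (or a list containing "*") mean anyone on the internet.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json):
    # Returns the Allow statements granted to everyone. A Condition can narrow
    # such a grant (e.g. to one VPC endpoint), so it is reported, not assumed safe.
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid", f"statement-{index}"),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            "conditioned": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    print("public policy:", public_statements(PUBLIC_POLICY))
    print("restricted policy:", public_statements(RESTRICTED_POLICY))
```

Bucket ACLs and the account-level public access block are separate controls and are not covered by this policy check.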
6. Ransomware

Ransomware is a form of extortion where data is deleted or encrypted unless a
ransom is paid; WannaCry is one example. Minimize the impact of ransomware
attacks by maintaining a defense plan, including keeping your systems patched
and backing up important data.

7. Phishing

Phishing attacks are social engineering attacks where the target is contacted by
email, telephone, or text message by someone who is posing as a legitimate
colleague or institution to trick them into providing sensitive data, credentials,
or personally identifiable information (PII). Fake messages can send users to
malicious websites with viruses or malware payloads.

8. Vulnerabilities

New security vulnerabilities are added to the CVE list every day, and zero-day
vulnerabilities are found just as often. If a developer has not released a patch for
a zero-day vulnerability before an attacker can exploit it, it can be hard to prevent
zero-day attacks.

9. Brute Force

Brute force attacks are based on trial and error. Attackers may continuously try to
gain access to your organization until one attack works. This could be by
attacking weak passwords or encryption, sending phishing emails, or sending infected
email attachments containing a type of malware.

10. Distributed Denial of Service (DDoS)

DDoS attacks are cyber attacks against networked resources like data centers,
servers, websites, or web applications and can limit the availability of a computer
system. The attacker floods the network resource with messages which cause it
to slow down or even crash, making it inaccessible to users. Potential mitigations
include proxies.

11. SQL Injections

SQL stands for Structured Query Language, a programming language used to
communicate with databases. Many of the servers that store sensitive data use
SQL to manage the data in their database. An SQL injection uses malicious SQL
to get the server to expose information it otherwise wouldn't. This is a huge cyber
risk if the database stores customer information, credit card numbers, credentials,
or other personally identifiable information (PII).

12. Trojans

Trojan horses are malware that mislead users by pretending to be a legitimate
program and are often spread via infected email attachments or fake malicious
software.
13. Cross-Site Scripting (XSS)

XSS attacks involve injecting malicious code into a website, but the website itself
is not the target; rather, the attack aims to impact the website's visitors. A common
way attackers deploy cross-site scripting attacks is by injecting malicious
code into a comment, e.g. embedding a link to malicious JavaScript in a blog
post's comment section.

14. Session Hijacking

When you log into a service, it generally provides your computer with a session
key or cookie so you don't need to log in again. This cookie can be hijacked by an
attacker who uses it to gain access to sensitive information.

15. Man-in-the-Middle Attacks

Public Wi-Fi networks can be exploited to perform man-in-the-middle attacks and
intercept traffic that was supposed to go elsewhere, such as when you log into a
secure system.

16. Third and Fourth-Party Vendors

The rise in outsourcing means that your vendors pose a huge cybersecurity
risk to your customers' data and your proprietary data. Some of the biggest data
breaches were caused by third parties.

ATTACK SURFACE
An organization’s attack surface is the sum of vulnerabilities, pathways or methods—
sometimes called attack vectors—that hackers can use to gain unauthorized access to the
network or sensitive data, or to carry out a cyber attack.

As organizations increasingly adopt cloud services and hybrid (on-premises/work-from-home)
work models, their networks and associated
attack surfaces are becoming larger and more complex by the day.

Security experts divide the attack surface into 3 sub-surfaces:

1. The digital attack surface
2. The physical attack surface
3. The social engineering attack surface

1. Digital attack surface:

The digital attack surface potentially exposes the organization’s cloud and
on-premises infrastructure to any hacker with an internet connection.
Common attack vectors in an organization’s digital attack surface include:

- Weak passwords: Passwords that are easy to guess—or easy to
crack via brute-force attacks—increase the risk that cyber criminals
can compromise user accounts to access the network, steal
sensitive information, spread malware and otherwise damage
infrastructure.
- Misconfiguration: Improperly configured network ports, channels,
wireless access points, firewalls or protocols serve as entry points
for hackers. Man-in-the-middle attacks, for example, take advantage
of weak encryption protocols on message-passing channels to
intercept communications between systems.
- Software, operating system (OS) and firmware vulnerabilities: Hackers
and cybercriminals can take advantage of
coding or implementation errors in third-party apps, OSs and other
software or firmware to infiltrate networks, gain access to user
directories, or plant malware.
- Internet-facing assets: Web applications, web servers and other
resources that face the public internet are inherently vulnerable to
attack. For example, hackers can inject malicious code into
unsecured application programming interfaces (APIs), causing them
to improperly divulge or even destroy sensitive information in
associated databases.
- Shared databases and directories: Hackers can exploit
databases and directories shared between systems and devices to
gain unauthorized access to sensitive resources or launch
ransomware.
- Shadow IT: "Shadow IT" is software, hardware or devices—free or
popular apps, portable storage devices, an unsecured personal
mobile device—that employees use without the IT department’s
knowledge or approval. Because it’s not monitored by IT or security
teams, shadow IT may introduce serious vulnerabilities that hackers
can exploit.

2. Physical attack surface

The physical attack surface exposes assets and information typically
accessible only to users with authorized access to the organization’s
physical office or endpoint devices (servers, computers, laptops, mobile
devices, IoT devices, operational hardware).

- Malicious insiders: Disgruntled employees or other users with
malicious intent may use their access privileges to steal sensitive
data, disable devices, plant malware or worse.
- Device theft: Criminals may steal endpoint devices or gain access
to them by breaking into an organization's premises. Once in
possession of the hardware, hackers can access data and processes
stored on these devices. They may also use the device's identity
and permissions to access other network resources. Endpoints used
by remote workers, employees' personal devices, and improperly
discarded devices are typical targets of theft.
- Baiting: Baiting is an attack in which hackers leave malware-infected
USB drives in public places, hoping to trick users into
plugging the devices into their computers and unintentionally
downloading the malware.

3. Social engineering attack surface

Social engineering manipulates people into sharing information they shouldn't share,
downloading software they shouldn't download, visiting websites they shouldn't visit,
sending money to criminals, or making other mistakes that compromise their personal
or organizational assets or security.

Because it exploits human weaknesses rather than technical or digital system
vulnerabilities, social engineering is sometimes called 'human hacking'.

THREAT

A threat is an expression of intention to inflict evil, injury, or damage. A cyber
security threat refers to any possible malicious attack that seeks to unlawfully
access data, disrupt digital operations or damage information.

There are six types of security threat:

 Cybercrime. Cybercriminals' principal goal is to monetise their attacks. ...
 Hacktivism. Hacktivists crave publicity. ...
 Insiders
 Physical threats.
 Terrorists.
 Espionage.

The most common network security threats

Here are the most common examples of security threats:

1. Computer virus

Computer viruses are pieces of software that are designed to spread from one
computer to another. They're often sent as email attachments or downloaded from
specific websites with the intent to infect your computer.

2. Rogue security software

Rogue security software is malicious software that misleads users into believing
that they have network security issues, most commonly that a computer virus is
installed on their computer or that their security measures are not up to date.

3. Adware and spyware

By "adware" we mean any software that is designed to track data about your browsing
habits and, based on that, show you advertisements and pop-ups. Adware collects data
with your consent and is even a legitimate source of income for companies that allow
users to try their software for free, but with advertisements showing while using the
software. The adware clause is often hidden in the related User Agreement documents.
When adware is downloaded without consent, it is considered malicious.

Spyware works similarly to adware, but is installed on your computer without your
knowledge. It can contain keyloggers that record personal information including email
addresses, passwords, even credit card numbers, making it dangerous because of the
high risk of identity theft.

4. Computer worm

Computer worms are pieces of malware that replicate quickly and spread from one
computer to another. A worm spreads from an infected computer by sending itself to
all of the computer's contacts.

5. DoS and DDoS attacks

A DoS attack, or denial-of-service attack, is a malicious traffic overload that occurs
when attackers flood a website with traffic. When a website has too much traffic, it
is unable to serve its content to visitors.

A DoS attack is performed by one machine and its internet connection, flooding a
website with packets and making it impossible for legitimate users to access the
content of the flooded website.

A DDoS attack, or distributed denial-of-service attack, is similar to a DoS attack but
more forceful, and harder to overcome. It is launched from several computers, and the
number of computers involved can range from just a couple to thousands or even more.

7. Phishing

Phishing is a method of social engineering with the goal of obtaining sensitive data
such as passwords, usernames and credit card numbers.

The attacks often come in the form of instant messages or phishing emails designed to
appear legitimate. The recipient of the email is then tricked into opening a malicious
link, which leads to the installation of malware on the recipient's computer.

8. Rootkit

A rootkit is a collection of software tools that enables remote control and
administration-level access over a computer or computer network. Once remote access is
obtained, the rootkit can perform a number of malicious actions; rootkits come
equipped with keyloggers, password stealers and antivirus disablers.

9. SQL injection attack

We know today that many servers storing data for websites use SQL. As technology has
progressed, network security threats have advanced, leading us to the threat of SQL
injection attacks. SQL injection attacks are designed to target data-driven
applications by exploiting security vulnerabilities in the application's software.

10. MITM attacks

Man-in-the-middle attacks are cyber security attacks that allow the attacker to
eavesdrop on communication between two targets. The attacker can listen to a
communication which should, in normal settings, be private.

As an example, a man-in-the-middle attack happens when the attacker wants to intercept
a communication between person A and person B. Person A sends their public key to
person B, but the attacker intercepts it and sends a forged message to person B,
representing themselves as A.
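The key-substitution scenario above, as an added illustration that is not part of the original notes: two parties run an unauthenticated Diffie-Hellman exchange while an attacker on the channel replaces each public value with their own, so each honest party ends up sharing a key with the attacker instead of with each other. The second half shows the usual defence, comparing a fingerprint of the received public value against one obtained over a trusted channel. The group parameters (the Mersenne prime 2^127 - 1 and generator 5) are constructed for the demo only, not a standardised group.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only (real deployments use
# standardised groups with a safe prime of at least 2048 bits).
P = 2**127 - 1   # a Mersenne prime; adequate to show the mechanics, not for production
G = 5


def keypair():
    """Private exponent x and public value G^x mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Classic DH: (peer's public value)^(my private exponent) mod P."""
    return pow(peer_pub, priv, P)


def fingerprint(pub):
    """Short SHA-256 fingerprint of a public value, for out-of-band comparison."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def exchange(intercept):
    """Run the exchange between Alice and Bob.

    If intercept is True, Mallory sits on the channel and replaces the public
    values each side receives with her own, which is exactly the forged-message
    step described in the text.
    """
    a_priv, a_pub = keypair()   # Alice
    b_priv, b_pub = keypair()   # Bob
    m_priv, m_pub = keypair()   # Mallory (the attacker)

    # What each honest party actually receives from the channel.
    seen_by_bob = m_pub if intercept else a_pub
    seen_by_alice = m_pub if intercept else b_pub

    k_alice = shared_secret(a_priv, seen_by_alice)
    k_bob = shared_secret(b_priv, seen_by_bob)

    # Mallory derives the key for each leg she negotiated (from the genuine
    # public values she captured and her own private exponent).
    k_mallory_alice_leg = shared_secret(m_priv, a_pub)
    k_mallory_bob_leg = shared_secret(m_priv, b_pub)

    return {
        # Honest parties only agree when nobody tampered with the channel.
        "alice_bob_agree": k_alice == k_bob,
        # Mallory can decrypt Alice's traffic if she holds Alice's session key.
        "mallory_reads_alice": k_mallory_alice_leg == k_alice,
        "mallory_reads_bob": k_mallory_bob_leg == k_bob,
        # The defence: Bob compares the fingerprint of what he received against
        # Alice's genuine fingerprint obtained out of band (phone call, printed
        # card, a signature from a trusted key). A mismatch reveals the swap.
        "bob_fingerprint_matches": fingerprint(seen_by_bob) == fingerprint(a_pub),
    }


if __name__ == "__main__":
    print("clean channel :", exchange(intercept=False))
    print("intercepted   :", exchange(intercept=True))
```

The point of the fingerprint check is that the exchange itself cannot tell the two runs apart: in both cases every party computes a valid key. Only information that did not travel over the attacker-controlled channel (a verified fingerprint, a certificate chain, a pre-shared key) lets Bob notice that the public value he received is not Alice's.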

RISK
Cyber security risks relate to the loss of confidentiality, integrity, or availability
of information, data, or information (or control) systems and reflect the potential
adverse impacts to organizational operations (i.e., mission, functions, image, or
reputation) and assets, individuals, other organizations.

Cyber security risk is the probability of exposure or loss resulting from a cyber
attack or data breach on your organization. A better, more encompassing definition
is the potential loss or harm related to technical infrastructure, use of technology or
reputation of an organization.

Organizations are becoming more vulnerable to cyber threats due to the increasing
reliance on computers, networks, programs, social media and data globally. Data
breaches, a common cyber attack, have massive negative business impact and
often arise from insufficiently protected data.

Global connectivity and increasing use of cloud services with poor default security
parameters means the risk of cyber attacks from outside your organization is
increasing. What could historically be addressed by IT risk management and access
control now needs to be complemented by sophisticated cyber security
professionals, software and cybersecurity risk management.

It's no longer enough to rely on traditional information technology professionals and
security controls for information security. There is a clear need for threat
intelligence tools and security programs to reduce your organization's cyber risk and
highlight potential attack surfaces.

Decision-makers need to make risk assessments when prioritizing third-party vendors
and have a risk mitigation strategy and cyber incident response plan in place for when
a breach does occur.

Vulnerability

A vulnerability is a weakness in an IT system that can be exploited by an attacker to
deliver a successful attack. Vulnerabilities can occur through flaws, features or user
error, and attackers will look to exploit any of them, often combining one or more, to
achieve their end goal.

A vulnerability is a weakness that can be exploited by cybercriminals to gain
unauthorized access to a computer system. After exploiting a vulnerability, an
attacker can run malicious code, install malware, and even steal sensitive data.

Vulnerabilities can be exploited by a variety of methods, including SQL injection,
buffer overflows, cross-site scripting (XSS), and open-source exploit kits that look
for known vulnerabilities and security weaknesses in web applications.

Many vulnerabilities impact popular software, placing the many customers using the
software at a heightened risk of a data breach or supply chain attack. Such zero-day
vulnerabilities are registered by MITRE in the Common Vulnerabilities and Exposures
(CVE) list.
Vulnerability Examples

There are several different types of vulnerabilities, determined by which infrastructure they’re
found on. Vulnerabilities can be classified into six broad categories:

1. Hardware

Any susceptibility to humidity, dust, soiling, natural disaster, poor encryption, or firmware
vulnerability.

2. Software

Insufficient testing, lack of audit trail, design flaws, memory safety violations
(buffer overflows, over-reads, dangling pointers), input validation errors (code
injection, cross-site scripting (XSS), directory traversal, email injection, format
string attacks, HTTP header injection, HTTP response splitting, SQL injection),
privilege-confusion bugs (clickjacking, cross-site request forgery, FTP bounce attack),
race conditions (symlink races, time-of-check-to-time-of-use bugs), side channel
attacks, timing attacks and user interface failures (blaming the victim, race
conditions, warning fatigue).

3. Network

Unprotected communication lines, man-in-the-middle attacks, insecure network
architecture, lack of authentication, default authentication, or other poor network
security.

4. Personnel

Poor recruiting policy, lack of security awareness and training, poor adherence to security
training, poor password management, or downloading malware via email attachments.

5. Physical site

Area subject to natural disaster, unreliable power source, or no keycard access.

6. Organizational

Improper internal controls, lack of audit, continuity plan, security, or incident
response plan.

There are 4 main types of vulnerability in cyber security:

 Network Vulnerabilities. These are issues with a network's hardware or software that
expose it to possible intrusion by an outside party. ...
 Operating System Vulnerabilities. ...
 Human Vulnerabilities. ...
 Process Vulnerabilities.

There are many causes of vulnerabilities, including:

Complexity

Complex systems increase the probability of a flaw, misconfiguration, or unintended
access.

Familiarity

Common code, software, operating systems, and hardware increase the probability that
an attacker can find or has information about known vulnerabilities.

Connectivity

The more connected a device is, the higher the chance of a vulnerability.

Poor Password Management

Weak passwords can be broken with brute force, and reusing passwords can result in
one data breach becoming many.

Operating System Flaws

Like any software, operating systems can have flaws. Operating systems that are
insecure by default allow any user to gain access and potentially inject viruses and
malware.

Internet Usage

The Internet is full of spyware and adware that can be installed automatically on
computers.

Software Bugs

Programmers can accidentally or deliberately leave an exploitable bug in software.
Sometimes end users fail to update their software, leaving them unpatched and
vulnerable to exploitation.

Unchecked User Input

If your website or software assumes all input is safe, it may execute unintended SQL
commands.

People

The biggest vulnerability in any organization is the human at the end of the system.
Social engineering is the biggest threat to the majority of organizations.
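The "Unchecked User Input" cause above and the SQL injection attack described under the common network threats are the same defect seen from two sides. As an added example (not from the original notes), the block below builds an in-memory SQLite table and runs the same lookup twice: once with the user's input pasted into the SQL text, once with it bound as a parameter. A crafted username turns the first query into one that matches every row; the parameterised query treats the same string as a literal value and matches nothing. Table and row contents are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample table: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Anti-pattern: the input becomes part of the SQL statement itself.

    Whatever the caller supplies is parsed by the database as SQL, so quote
    characters in the input change the structure of the query.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened form: a parameterised query.

    The statement is compiled first; the input is then bound as a value, so it
    can never alter the query's structure no matter what characters it holds.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare_lookups():
    conn = make_db()
    # A username value containing a quote and a tautology: harmless as data,
    # but as SQL text it makes the WHERE clause always true.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),   # ['alice']
        "vulnerable_hostile": find_user_vulnerable(conn, hostile),  # every row
        "safe_normal": find_user_safe(conn, "alice"),               # ['alice']
        "safe_hostile": find_user_safe(conn, hostile),              # []
    }


if __name__ == "__main__":
    for name, rows in compare_lookups().items():
        print(f"{name:20s} -> {rows}")
```

The fix is not escaping or filtering the input: it is keeping code and data separate, which is what binding parameters does. The same rule applies to every driver and ORM; the moment user-controlled text is concatenated into a statement, the protection is gone.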

EXPLOIT

An exploit is code that takes advantage of a software vulnerability or security flaw.
It is written either by security researchers as a proof-of-concept threat or by
malicious actors for use in their operations.

For example, an attacker could damage the confidentiality of a computer by installing
malware on it, the integrity of a web page by injecting malicious code into the web
browser, or availability by performing a distributed denial of service (DDoS) attack
powered by a botnet of trojans.
Hacking

Hacking is the practice of modifying the features of a system in order to accomplish a
goal outside of the creator's original purpose.

Computer hacking is the practice of modifying computer hardware and software to
accomplish a goal outside of the creator's original purpose. It is most common among
teenagers and young adults.

Motivations for hacking include:

• Information can be sold.
• Information can be used to steal.
• Protest, e.g. hacktivism: a hacktivist is someone who uses technology to announce a
social, ideological, religious, or political message.
• Challenge: fun, problem-solving skill, the thrill of power.

Hackers may want to use the victim's computer to store illicit materials, i.e. pirated
software, pornography, etc. Hackers can steal the victim's personal information in
order to access the victim's accounts or the accounts of a website's visitors. The data
can be used to gain access to important databases (billing, merchant accounts, etc.).

Hackers may also want to set up fake ecommerce sites to access credit card details,
gain entry to servers that contain credit card details, or commit other forms of
credit card fraud, or spy on friends, family or co-workers for personal reasons such
as revenge.

Effects of hacking

• Damage to information
• Theft of information: credit card details, social security numbers, identity fraud,
email addresses
• Compromise or damage of systems
• Use of victim machines as "zombies"

Hacking attacks cost large businesses an average of about $2.2 million per year
(Symantec 2010 State of Enterprise Security Study).

• Businesses may suffer from damaged reputations and lawsuits
• Business secrets could be stolen and sold to competitors
• Computing systems and infrastructure could suffer performance degradation as their
resources are used for malicious activities

In an educational institution, hacking can damage the institution's credibility and
reputation, e.g. if the examination system is compromised and sensitive data tampered
with.

A hacker can fall into one of these types:

• Black hats: also known as crackers; individuals with good computing knowledge,
abilities and expertise, but with the intention and conduct to cause damage on the
systems they attack.
• White hats: also known as security analysts; individuals with good hacking skills who
perform defensive activities against hacking.
• Gray hats: individuals who perform both offensive and defensive hacking activities.
• Suicide hackers: individuals who want to make a computing system fail for a personal
'reason' or 'cause', and who are not worried about the serious consequences they may
face as a result of their damaging activities, i.e. being jailed for many years.

Types of attacks: DoS/DDoS attacks, password guessing attacks, man-in-the-middle
attacks, identity spoofing, interception, eavesdropping, backdoor attacks, and many
more.

How is hacking done? Many hacking tools and guides are available on the Internet.
BackTrack is a Linux distro with many tools (Metasploit, Aircrack-ng, Nmap, Ophcrack,
Wireshark, Hydra and many more); the real reasons for BackTrack's development are
digital forensics and penetration testing.

Some examples of techniques: SQL injection, denial of service, social engineering,
sniffers, viruses, Trojans, and system hacking (keyloggers, password cracking).

Password cracking: dictionary attacks, brute forcing attacks, hybrid attacks, syllable
attacks and rule-based attacks. Other types of password attacks: shoulder surfing,
social engineering, dumpster diving, wire sniffing, man-in-the-middle, password
guessing, keyloggers.

Passwords: enforce complexity so that passwords are difficult to break; use a
combination of letters, numbers and special characters.

Live demo topics from the slides: DNS spoofing, NTFS streams, Google hacking, web
cloning, sniffing, keylogger.

(Slides: http://jayitsecurity.blogspot.com)
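The "enforce complexity" advice above, and the "Poor Password Management" cause listed earlier (weak passwords fall to brute force, reused passwords turn one breach into many), can be turned into a concrete policy check. The block below is an added example, not from the notes or the slides: it scores a candidate password by length and character classes, rejects entries on a small constructed deny list standing in for a breached-password feed, and estimates the brute-force search space and how long it would take at an assumed guess rate of 10^10 per second (an assumption chosen for illustration, not a measured figure).

```python
import math
import string

# Constructed stand-in for a breached/common-password deny list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Character classes the policy recognises.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Assumed attacker guess rate (offline, fast hash). Illustrative only.
GUESSES_PER_SECOND = 1e10


def classes_used(pw):
    """Number of distinct character classes present in the password."""
    return sum(1 for group in CLASSES if any(c in group for c in pw))


def keyspace_bits(pw):
    """Approximate search space in bits for a brute-force attacker who knows
    which character classes were used (a conservative, commonly used estimate)."""
    alphabet = sum(len(group) for group in CLASSES if any(c in group for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def brute_force_seconds(pw):
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return 2 ** keyspace_bits(pw) / GUESSES_PER_SECOND


def check_password(pw, min_length=12, min_classes=3):
    """Apply the policy: length, class mix, and a deny-list lookup.

    Returns a verdict plus the reasons, so the caller can show the user
    exactly which rule failed instead of a generic rejection.
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if classes_used(pw) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return {
        "ok": not problems,
        "problems": problems,
        "bits": round(keyspace_bits(pw), 1),
        "brute_force_seconds": brute_force_seconds(pw),
    }


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3x!QzL"):
        print(candidate, "->", check_password(candidate))
```

Two practical notes: the deny-list check matters more than the class rule, because attackers try known passwords long before they brute-force, and reuse across sites is the risk the class rule cannot address. Also, the keyspace estimate is a ceiling on attacker effort, not a guarantee: dictionary, hybrid and rule-based attacks (all named in the slides) succeed far sooner on human-chosen passwords.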

Cyber Terrorism

Cyber terrorism means terrorist acts carried out using computer servers, other devices
and networks visible on the public internet. Secured government networks and other
restricted networks are often targets.

The following are examples of cyber terrorism:

 Disruption of major websites. The intent here is to create public inconvenience or stop
traffic to websites containing content the hackers disagree with.
 Unauthorized access. Attackers often aim to disable or modify communications that
control military or other critical technology.
 Disruption of critical infrastructure systems. Threat actors try to disable or disrupt
cities, cause a public health crisis, endanger public safety or cause massive panic and
fatalities. For example, cyberterrorists might target a water treatment plant, cause a
regional power outage or disrupt a pipeline, oil refinery or fracking operation.
 Cyberespionage. Governments often carry out or sponsor cyberespionage attacks.
They aim to spy on rival nations and gather intelligence, such as troop locations or
military strategies.
In short, it is a real threat: the threat of cyber terrorism is greater than ever.
In 2021, the Center for Strategic and International Studies (CSIS), a bipartisan,
nonprofit policy research group, identified 118 significant cyber attacks that either
occurred during that time or were acknowledged to have occurred earlier. Significant
attacks, as the CSIS defines them, include those that target government agencies,
defense and high-tech companies, as well as economic crimes with losses over $1
million.

Here are examples of 2021 attacks that CSIS identified:

 January. Hackers with ties to the Chinese government deployed ransomware attacks
against five major gaming companies. They demanded over $100 million in ransom.
 February. Hackers tried to contaminate the water supply of Oldsmar, Fla., by exploiting
a remote access system to increase the amount of sodium hydroxide present.
 March. The Polish government said it suspected Russian hackers had taken control of
Poland's National Atomic Energy Agency and Health Ministry websites for a short time.
They tried to spread alarms about a radioactive threat that didn't exist.
 May. North Korea carried out a cyber attack against South Korea's state-run Korea
Atomic Energy Research Institute by taking advantage of a virtual private network
vulnerability.
 July. Iran used Facebook to target U.S. military personnel, posing as recruiters,
journalists and nongovernmental organization personnel. The hackers sent files with
malware and used phishing sites to trick victims into providing sensitive credentials.
 September. Hackers stole 15 terabytes of data from 8,000 organizations working with
Voicenter, an Israeli company. The hackers offered the data online for $1.5 million.
 October. Brazilian hackers attacked a website belonging to Indonesia's State Cyber and
Password Agency.
 December. A Russian group claimed responsibility for a ransomware attack on CS
Energy, an Australian utility company.

Protection of end user machine

Endpoint protection is the process of stopping unauthorized agents and campaigns from
targeting endpoints or access points of end-user computers such as desktops,
notebooks, and handheld devices. Cyber security risks are mitigated by endpoint
security services on a network or the internet.

There are three ways an end-user can protect themselves:
 No pirated and cracked software: Avoid usage of pirated and cracked software. ...
 Always keep your devices protected with antivirus: An antivirus gives you optimum
protection against potential malware and bugs. ...
 Always keep your software bundle updated: Updating the antivirus database is not the
only key to a healthy system.

The 10 Ways to Protect Your Identity Online

 Use Strong Passwords. ...
 Look for Encryption. ...
 Install Security Suites. ...
 Turn on Web Browser Blacklisting. ...
 Avoid Phishing Scams. ...
 Get Private Data Protection. ...
 Password-Protect Your Wireless Router. ...
 Hide Your Personal Information.

Critical IT and national critical infrastructure

The Information Technology Act, 2000 defines Critical Information Infrastructure (CII) as
“those computer resource, the destruction of which, shall have debilitating impact on national
security, economy, public health or safety”.

The three interwoven elements of critical infrastructure (physical, cyber and human) are
explicitly identified and should be integrated throughout the steps of the framework, as
appropriate.

The 3 types of IT infrastructure are:

 Traditional infrastructure. With a traditional infrastructure, the components (like
datacenters, data storage, and other equipment) are all managed and owned by the
business within their own facilities. ...
 Cloud infrastructure. ...
 Hyperconverged infrastructure.

Cyber warfare
What Is Cyber Warfare?

Cyber warfare is usually defined as a cyber attack or series of attacks that target a country. It
has the potential to wreak havoc on government and civilian infrastructure and disrupt critical
systems, resulting in damage to the state and even loss of life.

There is, however, a debate among cyber security experts as to what kind of activity
constitutes cyber warfare. The US Department of Defense (DoD) recognizes the threat to
national security posed by the malicious use of the Internet but doesn’t provide a clearer
definition of cyber warfare. Some consider cyber warfare to be a cyber attack that can result
in death.

Cyber warfare typically involves a nation-state perpetrating cyber attacks on another, but in
some cases, the attacks are carried out by terrorist organizations or non-state actors seeking
to further the goal of a hostile nation. There are several examples of alleged cyber warfare in
recent history, but there is no universal, formal, definition for how a cyber attack may
constitute an act of war.

There are 7 types of cyber warfare attacks. They are:

Espionage : Refers to monitoring other countries to steal secrets. In cyber warfare,
this can involve using botnets or spear phishing attacks to compromise sensitive
computer systems before exfiltrating sensitive information.

Sabotage : Government organizations must determine sensitive information and the risks if
it is compromised. Hostile governments or terrorists may steal information, destroy it, or
leverage insider threats such as dissatisfied or careless employees, or government
employees with affiliation to the attacking country.

Denial-of-service (DoS) Attacks : DoS attacks prevent legitimate users from accessing a
website by flooding it with fake requests and forcing the website to handle these requests.
This type of attack can be used to disrupt critical operations and systems and block access
to sensitive websites by civilians, military and security personnel, or research bodies.

Electrical Power Grid : Attacking the power grid allows attackers to disable critical systems,
disrupt infrastructure, and potentially result in bodily harm. Attacks on the power grid can
also disrupt communications and render services such as text messages and
communications unusable.

Propaganda Attacks : Attempts to control the minds and thoughts of people living in or
fighting for a target country. Propaganda can be used to expose embarrassing truths, spread
lies to make people lose trust in their country, or side with their enemies.

Economic Disruption : Most modern economic systems operate using computers. Attackers
can target computer networks of economic establishments such as stock markets, payment
systems, and banks to steal money or block people from accessing the funds they need.

Surprise Attacks : These are the cyber equivalent of attacks like Pearl Harbor and
9/11. The point is to carry out a massive attack that the enemy isn't expecting,
enabling the attacker to weaken their defenses. This can be done to prepare the ground
for a physical attack in the context of hybrid warfare.

CASE STUDIES

CASE STUDIES ON CYBER SECURITY

CASE STUDY 1:

IBM CYBER SECURITY CASE STUDY

Cyber-attacks on organisations are now inevitable. Security is no longer about
preventing attacks, it's about preparing for them. This means finding them and dealing
with them in real time. The longer a cyber-attack goes undetected (on average 154
days), the more damage it does to the business and the more money it will cost for the
business to recover.

A significant shortfall in skilled security resource is slowing down time to detection
of security breaches, as organizations simply don't have the bandwidth to manually
trace all alerts across their security fabric. Organisations are therefore adopting
SIEM (Security Information and Event Management) solutions to provide a single pane of
glass view in real time of all external and internal threats, allowing them to be
proactive in stopping the attack before it has time to exploit the target.

Today, customers can choose from a wide range of SIEM software and other security
technologies; however, many organisations have realised that software alone will not
bring the full level of security required.

The Challenge

1. Too much data but not enough actionable information...

Client X has a small IT team, with no dedicated security consultants. With around x
systems, which in turn generate thousands of log entries and alerts per day, data is
not being transformed into actionable information about potential cyber threats,
posing the risk of multiple unidentified attacks infiltrating the network.

Organisations the size of Client X are expected to be targeted with around 1000
cyber-attack attempts within any 24 hour period! Without a dedicated team to focus on
this, it is inevitable some threats will be missed, causing both financial and
reputational damage.

2. Only the most obvious attacks are investigated...

With so much unmanageable data, Client X can currently only investigate what are
perceived as easily recognisable cyber-attacks. This, however, results in too many
false positives and does not allow the IT team to drill down to find and react to REAL
attacks that would have significant business impact.

3. Inability to isolate the root cause of an attack...

The lack of visibility means intrusions cannot be analysed without consolidating data
from multiple point systems. In a decentralized, non-SIEM environment, Client X is
currently having to view and understand the nature of issues and alerts on several
systems in order to confirm an attack. This is a highly ineffective means of
determining the root cause of an attack, as well as how to respond. Time to
remediation will be dramatically increased, leading to potentially greater financial
loss and brand reputational damage in the event of an attack.

4. Lack of visibility of employee activity...

Insider threats are a bigger risk to cyber security than external hackers, with 74% of
cyber incidents happening from within companies. Employees are inadvertently causing
corporate data breaches and leaks daily, and these are very costly to remediate. Loss
of credentials due to phishing theft, or even carelessness, invites malware into the
system when an employee clicks on a link in a spam email or unknowingly brings an
infected device to work. In addition, protection of your IP is at risk in the event of
a disgruntled employee or even a leaver wishing to remove data that could potentially
provide a competitor important insight into your business.

RESULT: Client X had a cyber breach which resulted in significant financial loss.

The Solution

SCC worked in partnership with Client X to provide the SCC SOC service, enabling real
time, rapid and thorough analysis of security events originating from both internal
and external sources to Client X's network.

The CSS service is designed to detect anomalies, uncover advanced threats and remove
false positives. It consolidates log events and network flow data from devices,
endpoints and applications distributed throughout a network.

This service is located in SCC's Cyber Security Centre in the UK, where a team of
Security Analysts monitor incoming alerts and events. The SOC service remains
continually up to date with the latest threats and vulnerabilities provided by IBM
X-Force Threat Intelligence, which supplies a list of potentially malicious IP
addresses including malware hosts and spam sources. It then uses an advanced Sense
Analytics engine to normalise and correlate this data and identifies security offences
requiring investigation.
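The three steps the solution describes (consolidate events from different sources, normalise them into one schema, correlate them against threat intelligence to raise an offence) are what any SIEM pipeline does at its core. The block below is an added, self-contained example of that pipeline, not SCC's or IBM's code: it parses a handful of constructed firewall and SSH authentication log lines into a common event shape, groups them by source address, and raises an offence when an address appears on a constructed threat-intelligence list or exceeds a failed-login threshold. The log formats, IP addresses and threshold are all assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed threat-intelligence feed (stand-in for a list of known-bad IPs).
BAD_IPS = {"203.0.113.77"}

# Constructed sample events from two sources with different native formats.
FIREWALL_LOGS = [
    "2024-03-01T10:00:01 fw01 DENY src=203.0.113.77 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:03 fw01 ALLOW src=198.51.100.9 dst=10.0.0.8 dport=443",
]
AUTH_LOGS = [
    "Mar  1 10:00:05 srv01 sshd[1234]: Failed password for admin from 203.0.113.77 port 50000 ssh2",
    "Mar  1 10:00:06 srv01 sshd[1234]: Failed password for admin from 203.0.113.77 port 50001 ssh2",
    "Mar  1 10:00:07 srv01 sshd[1234]: Failed password for admin from 203.0.113.77 port 50002 ssh2",
    "Mar  1 10:00:09 srv01 sshd[1240]: Accepted password for alice from 198.51.100.9 port 40000 ssh2",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$"
)
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port"
)


def normalise(fw_lines, auth_lines):
    """Step 1+2: parse each source's format into one common event schema."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append({"source": "firewall", "src": m["src"],
                           "action": m["action"].lower(), "user": None})
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m:
            action = "login_failed" if m["result"] == "Failed" else "login_ok"
            events.append({"source": "auth", "src": m["src"],
                           "action": action, "user": m["user"]})
    return events


def correlate(events, fail_threshold=3):
    """Step 3: group by source address and raise an offence when a rule fires.

    Two rules are shown: a threat-intel match and a failed-login count. A real
    engine adds time windows, asset context and many more rules, but the shape
    (group, count, compare against intel, emit offence) is the same.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src"]].append(e)

    offences = []
    for ip, evs in by_ip.items():
        failures = sum(1 for e in evs if e["action"] == "login_failed")
        reasons = []
        if ip in BAD_IPS:
            reasons.append("threat-intel match")
        if failures >= fail_threshold:
            reasons.append(f"{failures} failed logins")
        if reasons:
            offences.append({"src": ip, "reasons": reasons,
                             "sources": sorted({e["source"] for e in evs})})
    return offences


if __name__ == "__main__":
    for offence in correlate(normalise(FIREWALL_LOGS, AUTH_LOGS)):
        print(offence)
```

Note what the correlation buys over reading either log alone: the firewall saw one denied packet and the SSH server saw three failures, and neither is alarming by itself. Joined on the source address and checked against the intel feed, they become a single offence with both sources attached, which is the "single view" the case study is after.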

The Outcome

• Continuous improvement: the methods that determine what is being attacked and how to
stop an attack are constantly being monitored; as the hackers evolve, we evolve with
them, providing Client X real time detection.

• Increased efficiencies: to address the constant growth of IT environments, as well
as the dramatic increase in the number of threats and attacks, the goals are to
streamline security solutions while reducing operational costs and staffing
requirements. SCC consolidates this data from multiple sources, including networks,
servers, databases, applications, and so forth; this enables our SOC analysts to
monitor everything from everywhere, in one central location.

• Identify at-risk users: account takeover, disgruntled employees, malware actions.
Streamlined incident investigations: immediate insights into risky user behaviours,
action and activity history. 360° analysis: perform analysis of activities at the end
point, insights from network data, and cloud activities. Identify insider threats.

• Single view of vulnerabilities: single centralised view of all vulnerabilities with
their status and their context. Prioritise by threat and impact: analyses threat
intelligence, vulnerability status and network communications to assess true
vulnerability risk.


CASE STUDY 2

CYBER SECURITY CASE STUDY - BANKING & FINANCE SECTOR

1. BACKGROUND

A financial company dealing in banking services and credit card businesses is
headquartered in the Middle East with many branches spread across several cities.
There were talks of a mega merger. On a Wednesday afternoon, just before a 3 day
weekend, the CIO received a ransom email from an unknown entity, stating that they
knew about the merger plans and also had personal data of more than 2 lakh (200,000)
customers.

As a sample, private details of five hundred customers were enclosed within the ransom
email as "proof". The threat: unless a major ransom was paid in Bitcoin, they might
leak the merger plans and sell the client info. Along with a legal company,
Infopercept, as a Managed Security Services Provider, was also appointed to manage and
advise on the incident response. We commenced work right away, assisted by the expert
competent teams, to assess and measure the volatility of the threat.

2. FIRST RESPONSE:

Our "Security Operations Centre" was set up as a primary step to validate the threat.
We found a discussion on a hacker website, within the dark net, that talked about the
availability of personal information of 200,000 account holders of our client.
Additionally, personal details of 500 customers were also provided as proof.

The RED TEAM of Infopercept works on the aforementioned proverb. Although simple in
nature, it is the core strategy of Infopercept. This is implemented as soon as the
security audit is completed.

The RED TEAM MEMBERS are our Ethical Hacking Consultants: experts who test various
aspects of an organization's network in the interest of identifying and resolving
vulnerabilities.

Our team plunged into action, and within a few hours they were able to record and
safeguard the relevant server logs. A big crisis was averted and further damage
prevented, as the malware, which was still active on our client's network, was
identified and neutralized immediately. Even as these activities were occurring, all
other communication channels used between the customer, the advocates and the forensic
analysts were simultaneously secured. After thorough analysis of the sample data that
was compromised, we concluded that it was indeed the client's data that was
compromised and security had been breached.

On further analysis of the server log noise, we figured out that in reality only the
personal data records of 500 employees were missing and the rest of the data was safe.
This also led us to doubt whether the hackers had any reliable information about the
merger.

3. REPORTING AND COMMUNICATIONS:

Even as the cyber team was securing the network, another team began work on drafting and implementing guidelines for the various other communications and reports that were to be generated. Immediate action was taken regarding communicating to the relevant authorities, the affected 500 customers, other staff members etc.

It had become clear that apart from the data of the 500 customers, the hackers didn’t have any other data or information regarding the upcoming merger. Thus, with consensus from the company, the legal team, and us, it was mutually decided not to pay the ransom.

But action had to be taken regarding the leaked data. As it contained the customers’ names, contact details, email addresses etc., it was decided to inform them of the breach and caution them against falling prey to fraudulent emails or calls. The customer care executives too were informed and were prepared to handle queries pertaining to the same.

A press conference was called and relevant details were given out. The concerned authorities, such as the monetary authority and the administrative authority, were briefed within 24 hours of the receipt of the ransom email. This was done even before the customers were informed about the breach. We wanted to ensure that the line of communication was transparent right from the beginning till the end of the investigation. This was done so that the legal team, the security team members, and the government authorities were all on the same page and there was no miscommunication.

We further reiterated that from then on, there would be sharing of information among the involved parties with regular updates. We advised the customers to strengthen their online security, be alert to any unusual activity, and inform the security team in case of any suspicion.

4. FURTHER INVESTIGATION & INQUIRIES

Listed below are the findings of our investigation and also solutions to queries raised to us.

Modus operandi of the hackers: The CEO of our client company used to travel a lot. He was also part of many CSR (Corporate Social Responsibility) activities and initiatives. An Executive Assistant (EA) was assigned to take care of all communication through emails. Like on any regular day, the EA received an email requesting sponsorship with the applicant’s profile attached. The unsuspecting EA downloaded the attachment, leading to entry of the malware into the system and putting the whole network at risk.

Non-deployment of IT staff 24x7: Even though important security measures were in place, such as antivirus and firewalls, which delayed the breach, they weren’t sufficient to stop the hack. As the attack was intelligently planned for the weekend, the log alerts went unnoticed and there was no one to take action.

Lack of Competent Technical Resources: Given the size of the large corporation, the resources allocated to take care of security were proportionally very small. This was a glaring loophole in the entire security framework.

Security Audit: It was also learned that there was no one looking into the security audit of the firm, which is essential to remain on top of the game. So the first thing we suggested and implemented was putting in a team to do regular audits and all other compliances.

Benefits of Security Audit: We reiterated to the client the importance of having a regular security audit, the main benefit being identifying vulnerabilities or gaps in the system and rectifying them before any untoward incident occurs.

Outsourcing of Web Portal & Applications: The design and implementation of the customer’s website was given to a third party. Naturally it gave rise to security concerns, but we allayed their fears.

Loopholes in Cyber Security: In spite of using a number of cyber security measures to take care of the websites, applications and their external network, three glaring vulnerabilities were spotted by our team and brought to the notice of the company.

Weak Encrypted Internet Traffic: The most shocking observation we found was the lack of use of HTTPS (which is the encrypted internet traffic) at a login form in the website. This glaring error made the network vulnerable and easy for the hackers to get access to the customers’ usernames and passwords when they would log in on this vulnerable page. This way our client’s customers’ accounts may have been compromised. The customers were bank account holders and credit card holders of our client, and those accounts were at big risk of being compromised.
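A quick audit check for the HTTPS lapse described above, as an added example that is not part of the Infopercept case study: the script parses a page's HTML (a constructed sample with made-up bank.example hostnames) and flags every form holding a password field whose resolved submit URL is not https, including a form with no action on a page that is itself served over plain http.

```python
# Added example (not from the case study): flag login forms that do not
# submit over HTTPS. Standard library only; page URL and HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormScanner(HTMLParser):
    """Record each form's action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # entries are [action, has_password_field]
        self._open = None      # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def insecure_login_forms(page_url, html):
    """Return resolved submit URLs of password forms whose scheme is not https.

    An empty action submits back to page_url, so a plain-http login page
    with no explicit action is flagged as well.
    """
    scanner = FormScanner()
    scanner.feed(html)
    return [urljoin(page_url, action)
            for action, has_pw in scanner.forms
            if has_pw and urlsplit(urljoin(page_url, action)).scheme != "https"]

# Constructed sample page: an http login form, a harmless search form and a
# relative-action login form that inherits the page's own scheme.
SAMPLE_HTML = """
<form action="http://bank.example/login" method="post">
  <input name="user"><input type="password" name="pass"></form>
<form action="https://bank.example/search"><input name="q"></form>
<form action="/login2" method="post"><input type="PASSWORD" name="p"></form>
"""

if __name__ == "__main__":
    for url in insecure_login_forms("https://bank.example/", SAMPLE_HTML):
        print("login form submits without HTTPS:", url)
```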

Bridge between our CLIENT and the AMALGAMATOR: As the incident was out in the open, everyone including the buyers who were part of the merger had become aware of the security breach. Although a lot of damage control had been done, it was still necessary to convince the buyers of a secure network. Thus the client requested us to play the role of “Security Advisor”. We represented the client and did a presentation in front of the board members of the buyers and their cyber security team to show the security of the infrastructure. We explained in detail the reason for the hack, the lapses and the remedial action taken by us. Once they saw the security measures taken up by us they were reassured and convinced and gave the green signal to proceed with the merger.

5. SOLUTIONS AND CYBER SECURITY IMPLEMENTATION:

Security Audit: Upon auditing the security network, 300 odd lapses were found and corrective actions taken.

Training of the resources: Our team shadowed the client’s IT Team, trained them, and kept up the training for a period of 90 days.

Optimization taken as an Approach: The first step taken by us was that of Optimization. We optimized the client’s resources and tools within the allocated budget and were able to produce top of the line security for their infrastructure.

Technology Optimization Centre: A Technology Optimization Centre (TOC) was set up for the client. As the client was in the banking sector, PCI DSS (Payment Card Industry Data Security Standard) was set up to take care of the transactions. A 90 day trial run was done and all activities were mapped.

Compliances: Compliance certifications were done as per the required norms of the Central Bank regularization. This was well appreciated by the client as this determines their credibility and provides grounds for continued licensing by the SAMA.

Reengineering of the Processes and systems: All the IT processes and systems were reengineered in chronological order. This streamlined the operations and brought much relief to the client. They were now able to focus on their core business by leaving the security management to Infopercept. From time to time the management sought reviews from us as well as their IT team.

Tools used for Cyber Security:

As per the requirement of the client we implemented DARK WEB as the most reliable tool to secure the online transactions being done by customers of our client. Various techniques of Infopercept were implemented, such as Deception technology for advanced attack detection. Moving Target Defense (MTD) was brought into action to control the changes across the multiple system dimensions. This was done to make it complicated for the attackers to hack the network, stall their attack and buy time to stop them from causing major damage.

FINAL RESULTS:

After the great job done by Infopercept’s RED TEAM, BLUE TEAM, GREEN TEAM, PURPLE TEAM, and PINK TEAM for 180 days, our clients were extremely satisfied with the result. We were asked to look after their security systems for a year and set up their SOC, TOC and COC centres for a year. We further advised them to be alert to any suspicious activity and report at once to our security team. We also taught them the remedial actions to be taken in case of a future attack. As part of strengthening their network we asked them to segregate their activities related to their daily dealings from the network that deals with storage of sensitive data and information pertaining to their customers. We also worked closely with them in reframing their cyber security policies and procedures and increasing awareness among their employees.

CASE STUDY 3:

EXFILTRATING A REMOTE USER ACCOUNT TO INJECT RANSOMWARE

OVERVIEW

HALOCK contained and eradicated a ransomware attack on a manufacturing company’s internal assets and set a holistic plan to mitigate future risk through enhanced MFA, policies, and training.

ATTACK SUMMARY:

Adversaries performed data theft techniques to exfiltrate sensitive information and hold internal systems to ransom. The incident led to the company negotiating a Bitcoin payment to recover data, increasing the financial impact to the organization.

HOW THE ATTACK WAS EXECUTED:

Through a phishing campaign, adversaries were able to obtain user credentials and VPN settings to gain internal network access.

Mimikatz was then installed on vulnerable systems to recover Windows service account credentials. Using the escalated privileges, the attackers exfiltrated information through data transfer services and propagated Medusalocker ransomware on internal assets. Attackers held internal assets to ransom and exfiltrated valuable data for financial gain.

VULNERABILITY

HALOCK determined that O365 and the corporate VPN solution lacked strong authentication controls. It was discovered that the VPN authentication used the same credentials as Active Directory, so the single phished password opened both the VPN and the domain. Endpoint detection capabilities of the anti-virus solution lacked anti-exploit monitoring to restrict the execution of Mimikatz and the Medusalocker ransomware.

RECOVERY

The HALOCK team identified the attack vector and the malicious binary, and shut down all external access, including O365 replication; all user passwords were reset. Systems that had usable backups were recovered. The organization then paid a ransom, through an insurance-appointed ransom negotiator, for critical data that was otherwise unrecoverable.

MITIGATING THE VULNERABILITY: Safeguard & Monitor

A comprehensive security plan was developed to continually protect and monitor the manufacturer’s network. Safeguards included:

• Implementation of MFA for VPN authentication and O365

• Upgrading endpoint protection

• Launching a robust email filtering system

• Conducting security awareness training on phishing campaigns

• IT training on new protective measures

• Developing a critical system back-up plan to ensure systems are recoverable from malware attacks

• Scheduling regular vulnerability scans and threat monitoring to identify risky login attempts
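An added illustration of the last safeguard, not HALOCK's own tooling: two simple detection rules run over a constructed VPN authentication log, flagging a successful login from a country the user has never authenticated from and a login outside business hours (the same weekend blind spot the attackers exploited in Case Study 2). The log format, field names, user names and the baseline of known countries are all assumptions made for the example.

```python
# Added example (not HALOCK's tooling): flag risky VPN logins in an assumed,
# constructed log format; the baseline of known countries stands in for what a
# SIEM would learn from historic successful logins.
from datetime import datetime
import re

LINE = re.compile(r"(\S+) user=(\S+) src=(\S+) geo=(\S+) result=(\S+)")
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 UTC on weekdays

def parse(line):
    """Turn one log line into a dict; timestamps are ISO 8601 with a Z suffix."""
    ts, user, src, geo, result = LINE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "src": src, "geo": geo, "ok": result == "success"}

def risky_logins(lines, known_geo):
    """Return (timestamp, user, reason) for every successful login hitting a rule.

    known_geo maps user -> set of countries seen before; it is extended as
    successes are processed so one new country is reported once per batch.
    Failed attempts never match here: they belong to a lockout/brute-force rule.
    """
    hits = []
    for ev in map(parse, lines):
        if not ev["ok"]:
            continue
        reasons = []
        seen = known_geo.setdefault(ev["user"], set())
        if ev["geo"] not in seen:
            reasons.append(f"new country {ev['geo']} from {ev['src']}")
            seen.add(ev["geo"])
        t = ev["ts"]
        if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        hits.extend((t.isoformat(), ev["user"], r) for r in reasons)
    return hits

# Constructed sample (RFC 5737 test addresses, fictitious users), not real data.
SAMPLE_LOG = [
    "2024-03-06T09:12:00Z user=jdoe src=198.51.100.7 geo=US result=success",
    "2024-03-08T23:41:00Z user=jdoe src=203.0.113.5 geo=RO result=failure",
    "2024-03-09T02:14:00Z user=jdoe src=203.0.113.5 geo=RO result=success",
    "2024-03-09T02:20:00Z user=asmith src=203.0.113.5 geo=RO result=success",
]

if __name__ == "__main__":
    for hit in risky_logins(SAMPLE_LOG, {"jdoe": {"US"}, "asmith": {"US"}}):
        print(*hit)
```

The Saturday 02:14 login is reported twice, once per rule, which is the point: an analyst paging on either rule alone would have had a lead before the ransomware ran.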

********************************************************************
