INFORMATION ASSETS

& THREATS
Dr. Priya. V
Associate Professor
Coordinator – VIT Cyber Security CoE
VIT University
 INFORMATION ASSETS & THREATS
Security concerning IT and information is normally categorized in three categories to facilitate
the management of information.

Confidentiality Integrity Availability

Ensuring authorized
Prevention of Prevention of access of
unauthorized unauthorized information
disclosure or use of modification of assets when required
information assets information assets for the duration
required
 THREATS TO INFORMATION ASSETS

• Risk is the potential threat, and process of understanding and responding to factors that may lead to
a failure in the confidentiality, integrity or availability of an information system constitute risk
management.

• The key concerns in information assets security are:

• theft

• fraud/ forgery

• unauthorized information access

• interception or modification of data and

• data management systems

 VULNERABILITIES

• Vulnerability is a weakness in an information system, system security procedures, internal controls,

or implementation that could be exploited or triggered by a threat source.
Click to add text
• ‘Threat agent or actor’ refers to the intent and method targeted at the intentional exploitation of
the vulnerability or a situation and method that may accidentally trigger the vulnerability.

• A ‘threat vector’ is a path or a tool that a threat actor uses to attack the target.

• ‘Threat targets’ are anything of value to the threat actor such as PC, laptop, PDA, tablet, mobile
phone, online bank account or identity.
 THREAT CLASSIFICATION

Microsoft has proposed a threat classification called STRIDE from the initials of threat categories:

• Spoofing of user identity

• Tampering

• Repudiation

• Information disclosure (privacy breach or data leak)

• Denial of Service (D.o.S.)

• Elevation of privilege
 THREAT AGENTS CLASSIFICATION

• Non-Target specific: Non-Target specific threat agents are computer viruses, worms, Trojans and logic bombs.

• Employees: staff, contractors, operational/ maintenance personnel or security guards who are annoyed with the
company.

• Organized crime and criminals: criminals target information that is of value to them, such as bank accounts,
credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders
to help them.

• Corporations: corporations are engaged in offensive information warfare or competitive intelligence. Partners
and competitors come under this category.

• Unintentional human error: accidents, carelessness etc.

• Intentional human error: insider, outsider etc.

• Natural: Flood, fire, lightning, meteor, earthquakes etc.

TYPES OF SECURITY ATTACKS

• VIRUS
• WORM
• TROJAN
 VIRUS

• Virus is a malicious program able to inject its code into other programs/ applications or data files
and the targeted areas become "infected".
• Installation of a virus is done without user's consent, and spreads in form of executable code
transferred from one host to another.
Types of viruses include
 Resident virus ,
 Non-resident virus;
 Boot sector virus;
 Macro virus;
 File-infecting virus (fileinfector);
 Polymorphic virus;
 Metamorphic virus;
 Stealth virus;
 Companion virus and
 Cavity virus.
 REvil Ransomware
REvil is a file encryption virus
• REvil is a file encryption virus that encrypts all the files and demands money from the victim once it
infiltrates into the system. In the ransom demand, criminals force victims to pay the money via bitcoins. If
the victim does not pay the ransom within a specific time period, the ransom rate doubles in amount.

• It has been discovered that the data leak in Grubman Shire Meiselas & Sacks the law corporation was
caused through Revil Ransomware. Attackers breached the data that belonged to famous clients and
shared them on the dark web.

• According to reports, the personal information of Drake, Robert De Niro, Rod Stewart, Elton John, Mariah
Carey and many other stars may have been obtained through this Ransomware attack. In addition,
screenshots of computer files of celebrities like Madonna’s tour contract, or the files of belonging to
Bruce Springsteen, Bette Midler, and Barbra Streisand were also leaked. This Ransomware is top in our
Ransomware attacks 2020-2021 list.

Reference : https://www.keepnetlabs.com/top-11-ransomware-attacks-in-2020-2021/
 WORM

• Worm is a malicious program category, exploiting operating system vulnerabilities to spread

itself.

• In its design, worm is quite similar to a virus - considered even its sub-class.

• Unlike the viruses worms can reproduce/ duplicate and spread by itself.
 WORM (Continued..)
Types of Worms

The most common categorization of worms relies on the method how they spread:

Email worms:

 spread through email messages, especially through those with attachments.

Internet worms:

 spread directly over the internet by exploiting access to open ports or system vulnerabilit
Network worms:

 spread over open and unprotected network shares.

Multi-vector worms:

 having two or more various spread capabilities.

 Stuxnet - Worm
• Stuxnet worm was thought to have been developing since 2005 and it was first uncovered in
2010. It was originally aimed at Iran’s nuclear facilities. The worm destroyed numerous
centrifuges in Iran’s Natanz uranium enrichment facility by causing them to burn themselves out.
Based on the log files of Stuxnet, a company called Foolad Technic was the first victim.
• Stuxnet spread via USB sticks and Microsoft Windows computers. The real target of the Stuxnet
virus is to look for a particular model of Programmable Logic Controller (PLC) which is made
by Siemens. These are small industrial control systems running all sorts of automated processes
such as in chemical plants, on factory floors, oil refineries and in nuclear power plants.
• These PLCs are controlled by computers and it is the main target of the Stuxnet worm. It was
reported that the worm already infected more than 50,000 Window computers and Siemens has
reported 14 infected control systems which were mainly in Germany.

Reference - https://lifars.com/2020/04/top-10-most-dangerous-cyber-virus/
 TROJAN

• Computer Trojan or Trojan Horses are named after the mythological Trojan horse owing to their
similarity in operation strategy.

• Trojans are a type of malware software that masquerades itself as a not-malicious even useful
application but it will actually do damage to the host computer after its installation.

• Unlike virus, Trojans do not self-replicate unless end user intervene to install.
Types of Trojan

• Remote Access Trojans (RAT) aka Backdoor. Trojan

• Trojan-DDoS

• Trojan-Proxy

• Trojan-FTP

• Destructive Trojan

• Security Software Disabler Trojan

• Info Stealer (Data Sending/ Stealing Trojan)

• Keylogger Trojan

• Trojan-PSW (Password Stealer)

• Trojan-Banker

• Trojan-IM,.. etc..
 Ursnif Banking Trojan 

• The Ursnif banking trojan targets Windows PCs and is capable of stealing vital
financial information, email credentials and other sensitive data. The malware is
delivered in malicious spam campaigns via Word or Excel attachments.
• The new wave of Ursnif trojan attacks – which saw it enter the Top Malware
index’s top 10 for the first time – coincides with reports about the demise of one
of its popular variants, Dreambot.
• Dreambot was first spotted in 2014 and is based on Ursnif’s leaked source code.
As reported since March 2020, Dreambot’s backend server has gone down, and
no new Dreambot samples have been seen in the wild.

Reference : https://www.globenewswire.com/news-release/2020/06/15/2047871/0/en/May-2020-s-Most-Wanted-Malware-Ursnif-
Banking-Trojan-Ranks-On-Top-10-Malware-List-for-First-Time-Over-Doubling-Its-Impact-On-Organizations.html
 Other security threats
Malware

• Malware refers to software viruses, spyware, adware, worms, Trojans, ransomeware etc.

• They are designed to cause damage to a targeted computer or cause a certain degree of operational
disruption.

Rootkit

• Rootkit are malicious software designed to hide certain processes or programs from detection.

• Usually acquires and maintains privileged system access while hiding its presence in the same
time. It acts as a conduit by providing the attacker with a backdoor to a system
 Other security threats (Continued…)
Spyware

• Spyware is a software that monitors and collects information about a particular user, computer or
organization without user’s knowledge.

• There are different types of spyware, namely system monitors, trojans (keyloggers, banker trojans,
inforstealers), adware, tracking cookies etc.

Tracking cookies

• Tracking cookies are a specific type of cookies that are distributed, shared and read across two or
more unrelated websites for the purpose of gathering information or potentially to present.
 Other security threats (Continued…)

Riskware

• Riskware is a term used to describe potentially dangerous software whose installation may pose a
risk to the computer.

Adware

• Adware in general term adware is software generating or displaying certain advertisements to the
user.

• This kind of adware is very common for freeware and shareware software and can analyze end
user internet habits and then tailor the advertisements directly to users’ interests.
 Other security threats (Continued…)
Creepware

• Creepware is a term used to describe activities like spying others through webcams (very
often combined with capturing pictures), tracking online activities of others and listening to
conversation over the computer's microphone and stealing passwords and other data.

Blended threat

• Blended threat defines an exploit that combines elements of multiple types of malware
components.

• Usage of multiple attack vectors and payload types targets to increase the severity of the
damage causes and as well the speed of spreading.
 Pegasus: A spy that won’t wait;
will die before being exposed
• Pegasus spyware was used by multiple governments
around the world to snoop on public figures and
opposition leaders among others.
• Zero-click installation that requires no action by the target is not the only ability that
makes Pegasus the super spyware it is. What also makes it unique is the capability of
“active collection”, which gives attackers the power to “control the information” they
want to collect from the targeted device.
• Israel’sNSO Group, which is at the heart of the alleged state surveillance of
thousands of human rights activists, lawyers, journalists, politicians, and dissidents in
countries including India, has built such a tool — Pegasus, the world’s most invasive
spyware.
NETWORK ATTACKS

Network attack is usually defined as an intrusion on the network infrastructure that will
first analyze the environment and collect information in order to exploit the existing
open ports or vulnerabilities.
This may include unauthorized access to organization resources.
 NETWORK ATTACKS (Continued..)

Characteristics of network attacks:

• Passive attacks: they refer to attack where the purpose is only to learn and get some
information from the system, but the system resources are not altered or disabled in any way.
• Active attacks: in this type of network attack, the perpetrator accesses and either alters,
disables or destroys resources or data.
• Outside attack: when attack is performed from outside of the organization by unauthorized
entity it is said to be an outside attack.
• Inside attack: if an attack is performed from within the company by an "insider" that
already has certain access to the network it is considered to be an inside attack.
• Others such as end users targeted attacks (like phishing or social engineering): these attacks
are not directly referred to as network attacks, but are important to know due to their
widespread occurrences.
 What types of attack are there?

Spear
Social Phishing Social Watering hole
phishing
engineering attack phishing attack
attack

Vishing (voice
Network
Whaling phishing or Port scanning Spoofing
sniffing
VoIP phishing

DoS attack Buffer Man-in-

ICMP smurf
& DDoS overflow Botnet themiddle
Denial of serv
attack attack attack

Session Cross-side
SQL injection Bluetooth
hijacking scripting attack
attack related attacks
attack (XSS attack)
 SPOOFING
It is a technique used to masquerade a person, program or an address as another by falsifying
the data with purpose of unauthorized

A few of the common spoofing types include:

IP Address spoofing – process of creating IP packets with

forged source IP address to impersonate legitimate system.
This kind of spoofing is often used in DoS attacks (Smurf
Attack).
ARP spoofing (ARP Poisoning) – process of sending
fake ARP messages in the network. The purpose of
this spoofing is to associate the MAC address with the
IP address of another legitimate host causing traffic
redirection to the attacker host. This kind of spoofing
is often used in man-in-the-middle attacks.

DNS spoofing (DNS Cache Poisoning) – an attack

where the wrong data is inserted into DNS Server
cache, causing the DNS server to divert the traffic by
returning wrong IP addresses as results for client
queries.
 SPOOFING (Continued…)

Email spoofing – a process of faking the email's sender

"from" field in order to hide real origin of the email. This
type of spoofing is often used in spam mail or during
phishing attack.

Search engine poisoning – attackers take advantage of

high profile news items or popular events that may be of
specific interest for certain group of people to spread
malware and viruses.
NETWORK SNIFFING
(Packet Sniffing)

• A process of capturing the data packets travelling in the network.This may include unauthorized
access to organization resources.

• Network sniffing can be used both by IT professionals to analyze and monitor the traffic for
example, in order to find unexpected suspicious traffic, but as well by perpetrators to collect data
send over clear text that is easily readable with use of network sniffers (protocol analysers). 

• Best counter measure against sniffing is the use of encrypted communication between the hosts.
Denial of Service Attack (DoS Attack) and
Distributed Denial of Service Attack (DDoS
Attack

• An attack designed to cause an interruption or suspension of services of a specific host/ server by

flooding it with large quantities of useless traffic or external communication requests.

• When the DoS attack succeeds the server is not able to answer even to legitimate requests
anymore, this can be observed in numbers of ways – slow response of the server, slow network
performance, unavailability of software or web page, inability to access data, website or other
resources.

• Distributed Denial of Service Attack (DDoS) occurs where multiple compromised or infected
systems (botnet) flood a particular host with traffic simultaneously.
Few of the most common DoS attack types:

• ICMP flood attack (Ping Flood)

• Ping of Death (PoD)

• Smurf attack

• ICMP Smurf Denial of Service SYN flood attack

• Buffer overflow attack

• Botnet

• Man-in-the-middle attack

• Session hijacking attack

• Cross-side scripting attack (XSS attack)

• SQL injection attack.

 Bluetooth related attacks
• Bluesnarfing
• This is the practice of sending unsolicited messages to nearby Bluetooth devices. Bluejacking messages are typically text, but
can also be images or sounds. Bluejacking is relatively harmless, but does cause some confusion when users start receiving
messages.

• Bluejacking
• Any unauthorized access to or theft of information from a Bluetooth connection is bluesnarfing. A bluesnarfing attack can
access information, such as email, contact lists, calendars, and text messages. Attackers use tools such as hcitool and obexftp.

• Bluebugging
• Bluebugging attacks allow an attacker to take over a mobile phone. Attackers can listen in on phone conversations, enable call
forwarding, send messages, and more.
• Reference : https://info-savvy.com/2020-top-10-cyber-attacks-in-india/
COVID 19 Phishing mails in March 2020
• NHS phishing email
• WHO phishing email

Reference : https://www.vadesecure.com/en/blog/top-phishing-trends
 Phishing URLs

Reference : https://www.vadesecure.com/en/blog/emotet-malware-returns-to-exploit-a-world-on-edge
 MITM attacks

• The US National Security Agency posing as Google was revealed in 2013 when Edward
Snowden leaked NSA documents to the public. Using its ability to intercept traffic and
spoof SSL certificates, the NSA was able to keep tabs on potentially anyone's Google
searches.

Reference: https://www.cnet.com/news/nsa-disguised-itself-as-google-to-spy-say-reports/
Superfish adware weakens security and injects ads
on some Lenovo laptops

• Lenovo confirmed it had been installing Superfish adware on some of its

laptops, and that it inserted a Superfish public key into the Windows
Certificate Store as part of this installation. This means affected users
cannot trust their computer when it says "this connection is secure." It also
undermines trust in every other kind of secure communication the laptop
might try to make: database connections, VPN connections, software
updates, you name it.
DDoS Attack

• Google has revealed that its infrastructure absorbed a 2.5Tbps 

distributed denial of service (DDoS) attack in 2017, the largest such attack in
terms of its sheer volume ever recorded.
• The previously undisclosed DDoS attack was the culmination of a six-month
campaign launched by Chinese-backed hackers that used multiple methods
of attack, although ultimately had no material impact. 
• Google’s Security Reliability Engineering team measured the record-
breaking attack sourced from several Chinese ISPs, with the attacker using
several networks to spoof 167 millions of packets per second to 180,000
exposed servers. These included vulnerable CLDAP, DNS and SMTP servers.
 SQL Injection Attacks

• Thousands of payment cards’ information stolen from more than 105 e-commercial
websites
• Attackers have been injecting malicious JS scripts on the malicious domain
‘www.magento-analytics[.]com’ on various e-commerce website for the last seven
months.
• These malicious scripts included digital credit card skimming code. This code
automatically stole the information related to the payment card including the credit card
number, name of the credit card holder, date of expiration as well as the CVV number of
the card.
• The malicious script then sent the stolen payment card data to another file hosted on the
magento-analytics[.]com server controlled by the attackers.

Reference:https://www.kratikal.com/blog/payment-card-information/?utm_source=Kratikal
%20Blog&utm_medium=Blog&utm_campaign=SQL%20Injection%20Attack%3A%20A%20Major%20Application%20Security%20Threat
Hacker breached 60+ unis, govt agencies via
SQL injection
Reference:https://www.helpnetsecurity.com/2017/02/16/hacker-govt-agencies-via-sql-injection/

• A hacker tied to the November 2016 penetration of the US Election Assistance

Commission and subsequent database sale has successfully targeted 60+ government
agencies and universities by leveraging the same attack method: SQL injection.
• According to a report by Recorded Future, whose researchers scour the dark web for
threat intelligence, the hacker uses a proprietary SQLi tool to gain access to the targets’
databases and then sells access to them to other cyber crooks.
• Among his latest targets were:
• Two dozen US universities (including Virginia Tech, Cornell University, the Rochester
Institute of Technology, and Purdue University),
• Ten UK universities (Cambridge, Oxford, Edinburgh – among others), and
• A wide variety of US government institutions at the city, state, and federal level
(including the Oklahoma State Department of Education, District Columbia Office of the
Chief Financial Officer, and the US Department of Housing and Urban Development).