P3 CH8 Cyber Security Threats - Practicetestsacademy


P3 - Risk Management
CH8 – Cyber security threats

Chapter 8: Cyber security threats

Chapter learning objectives:

Lead: D.1. Analyse cyber threats
Component: Analyse:
  (a) Nature and impact of cyber risks
  (b) Types of cyber risks
  (c) Risk of security vulnerabilities
Indicative syllabus content:
  - Malware
  - Application attacks
  - Hackers
  - Result of vulnerabilities including downtime, reputational loss, customer flight, legal and industry consequences

Lead: D.2 Review cyber security processes
Component: Review:
  (a) Cyber security objectives
  (b) Security controls
  (c) Centralisation in cyber security
Indicative syllabus content:
  - Protection, detection and response
  - Centralised management
  - Centralised monitoring

Page 1

1. Overview of cyber security threats

Organisations deal with a wide variety of sensitive information on a daily basis.

Types of sensitive information
- Personal information or Personally Identifiable Information (PII): anything that, on its own or combined with other information, can be used to identify, locate or contact an individual.
- Business information: anything that could cause a risk to the organisation if discovered by an external party.
- Classified information: usually held by a national government and could harm national security if exposed.

How technology interacts with the organisation
- Type: for example, ERP systems and data centres.
- Connections: for example, virtual private networks (VPNs) and virtual servers.
- Service providers: for example, cloud providers, software providers and call centres.
- Delivery: for example, fulfilment to the customer and/or the process of transmitting things to vendors.

Types of changes that could affect cyber security
Some examples:
- Expansion
- Acquisition
- Restructuring
- Hardware / software updates
- Regulations

Cyber security objectives:
- Availability: e.g. selling online means companies can make sales 24/7.
- Confidentiality: companies can obtain, and are required to securely keep, PII etc.
- Integrity of data: prevent unauthorised modifications of data.
- Integrity of processing.

Test your Understanding 1 – Cyber security

Moneycorp is an online retail bank that has experienced significant growth, thanks partly to the loss in confidence in the more established banks and the consumer demand for the convenience that online banking offers.

Cyber security has been central to their strategy, and they have recently commissioned a cyber security firm to carry out some penetration testing. The results of the testing have highlighted that the operating systems do not have the most up-to-date security patches. Because of this, the hacker who carried out the test was quickly and easily able to get into the network and set up a ‘back door’ to allow easy future access to the system.

Which THREE of the following statements are correct?

A. The hacker should not have been able to get into the system at all.
B. Moneycorp should update all security patches immediately.
C. It would be sensible to continue to carry out further tests at regular intervals in the future.
D. The cyber security firm should not be used again because of the ‘back door’ they set up.
E. Once this issue is resolved, Moneycorp do not need to use penetration testing anymore.
F. Moneycorp should investigate why the security patches were not already updated.

2. Types of cyber security risks

Malware

Malware is the term used for malicious software, regardless of its intended purpose. Some of the most common types are:
- Ransomware: software that prevents access to data until a ransom is paid.
- Botnets: networks of infected computers that are under the control of an attacker.
- Spyware: malware designed to spy on the victim’s systems and report back to the attacker.
- Trojans: apparently legitimate software that secretly contains and releases malicious software onto a system.
- Malvertising: online advertising that has malicious software written into its code.
- Viruses: malware that replicates itself and spreads through programs, files and data.

Application attacks

Application attacks are increasingly common as the use of applications (apps) becomes more commonplace. The intention is similar to malware: to steal data or users’ identities. Some of the most common types are:
- Denial-of-service (DoS) attack: an attempt to overwhelm an application resource to prevent it from working.
- Distributed-denial-of-service (DDoS) attack: a DoS attack where the traffic comes from a number of host machines, usually linked to botnets under the control of an attacker.
- SQL (Structured Query Language) injection: SQL is the language used to request something from a database (e.g. checking a login on a website). SQL injection is when an attacker accesses the database through an unprotected input box, because the text typed into the box is treated as part of the query.
- Cross-site scripting (XSS) attacks: this occurs when malicious code is transmitted from a website to its users and can access the victims’ data.
- Man in the Middle (MitM): this is when the application is compromised so that the users believe they are communicating directly as normal, but someone is intercepting the communications and potentially changing them.
- Buffer overflow attack: another attack that overwhelms a system’s resources. In this case more data is sent than a program’s buffer can hold, and the excess data overwrites existing data in memory.
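An added illustration of the SQL injection point above (example code, not part of the chapter): a login check that pastes the contents of an input box straight into the query, beside the parameterised version that keeps the input as plain data. It uses Python's sqlite3 with a constructed in-memory user table.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data for the demo: one user in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_unprotected(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Unprotected input box: the typed text becomes part of the SQL statement
    # itself, so a quote character in the input changes what the query means.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened form: '?' placeholders pass the input to the database as data.
    # It is compared with the stored value and never interpreted as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    conn = build_db()
    # Constructed input containing a quote. In the concatenated query it closes
    # the password literal early and appends an always-true condition; in the
    # parameterised query it is simply a wrong password.
    crafted = "' OR 'a'='a"
    return {
        "genuine_unprotected": login_unprotected(conn, "alice", "correct-horse"),
        "genuine_parameterised": login_parameterised(conn, "alice", "correct-horse"),
        "crafted_unprotected": login_unprotected(conn, "alice", crafted),
        "crafted_parameterised": login_parameterised(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'access granted' if logged_in else 'access denied'}")
```

The unprotected check grants access with the crafted input while the parameterised check does not, which is why parameterised queries (and validating every input box) are the standard control against this attack.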

Hackers

Hacking is the gaining of unauthorised access to a computer system. It can be both internal (disgruntled employees) and external (competitors or nation states). There are different motives for unauthorised access:
- To gain access to codes, passwords and authorisations.
- To interfere with control systems in order to gain open access to the system.
- To obtain information that is useful for competitors.
- To cause data corruption or delete files.

Social engineering

Social engineering is the manipulation of people to make them perform specific actions or reveal confidential information.

Studies by Dr Robert Cialdini have identified six principles used to persuade or influence someone. This theory of influence is key to social engineering. The principles are:
- Reciprocity
- Consistency
- Scarcity
- Liking
- Authority
- Consensus

Phishing

Techniques known as phishing or spear phishing are types of social engineering used by hackers to gain access to a system or network.
- Phishing: the use of fraudulent communications (from physical impersonation to text messages and emails) to steal sensitive information.
- Spear phishing: a phishing attempt targeted at a specific individual who is deemed to have specific information or privileged access to something.

3. Social media

Social media is a term that describes a range of websites and applications that provide varying types of social interaction.

Opportunities offered by social media
- Advertising
- Brand development
- Big Data analytics
- Method of listening to customers
- Real-time information gathering
- Communication
- Recruitment
- Selection

Risks of social media to organisations
- Human error: mistakes by employees on personal accounts or organisation accounts.
- Productivity: employees can be distracted by social media.
- Data protection: increased regulatory requirements around protecting PII that could be gained from social media sites.
- Hacking: accessing organisation-specific accounts and sending messages posing as the organisation.
- Reputation: well-meaning posts can be misinterpreted, leading to criticism.
- Inactivity: not keeping a social media account active could be as damaging as not using social media at all.
- Costs: the use of social media can be significantly costly. Using it in the wrong way could lead to fines and penalties.

Social media risks to individuals
- Going viral: an unknown person can become famous or infamous very quickly. This risk can have a positive or negative impact; it could lead to a good or bad outcome (Kim Kardashian?).
- Internet trolling: going viral for a bad reason can lead to abusive responses where others deliberately incite individuals.
- Employment: most organisations now review social media accounts as part of their hiring process.
- Legal sanction: discovering an individual’s whereabouts at the time of a crime, or a risk of legal action because of a social media post.
- Physical theft: a burglar may identify vacant properties to target from social media posts.
- Identity fraud: building up a portfolio on individuals from a poorly protected account.
- Permanence: a social media post can be very difficult to delete. Even if an individual’s views have changed, the post may be used against them in future.

Risks of security vulnerabilities

GDPR

The GDPR (General Data Protection Regulation) is a regulation in EU law, and in the UK it replaced the Data Protection Act (DPA) on 25th May 2018.

The GDPR has two main objectives:
- Protection of the fundamental rights and freedoms of individual persons with regard to the processing of personal data.
- Protection of the principle of free movement of personal data within the EU.

4. Solutions to Test Your Understanding

Test your Understanding 1 – Cyber security

B, C, F

Moneycorp should fix the issues highlighted, investigate why the issue occurred and continue to use penetration testing in the future to proactively identify issues such as this before a malicious hacker exploits any vulnerabilities.

The aim of a penetration test is to understand if access is possible, how long it takes, and what access can be gained. If it takes too long, it should be sufficient to discourage most hackers, so A is incorrect. The setting up of the ‘back door’ proved what access was possible and is part of a normal penetration test exercise.

Cyber threats are changing constantly, so further penetration tests would be beneficial to have in the future.

5. Chapter summary
