Cybersecurity Threats, Vulnerabilities, and Attacks Summary (38.6)
The following is a summary of each topic in the chapter and some questions for your reflection.
What Did I Learn in This Chapter? (38.6.1)
• Common Threats—A threat domain is an area of control, authority, or protection that attackers can exploit to gain access to a system. Attackers can exploit systems within a threat domain by gaining physical access to systems, breaking into wireless networks, compromising Bluetooth and NFC devices, sending malicious emails, scrutinizing social media accounts, spreading malicious software (malware) through removable media, or exploiting cloud computing environments.
Attacks can exploit software bugs or human error. Attacks threaten physical systems through sabotage or theft. In addition, equipment failures, utility interruptions, and natural disasters can impact the availability of systems and resources. Internal threats are usually from former or current employees, while external threats come from amateur or skilled attackers.
The user domain includes anyone with access to an organization’s information system, including employees, customers, and contract partners. Users are often considered to be the weakest link in information security systems. User threats come from a lack of security awareness, poorly enforced security policies, data theft, unauthorized downloads and media, visits to unauthorized websites, or intentional destruction of systems, applications, and data.
Threats to devices include unauthorized access to unattended systems, downloading of malware, and out-of-date software.
Threats to the LAN include unauthorized access to facilities and equipment, operating system vulnerabilities, rogue access points, interception of data in transit, and inefficient management practices. Misconfigured security devices, such as firewalls, can also be exploited.
Threats to the private cloud include unauthorized network probing and port scanning, unauthorized access to resources, vulnerabilities in device software, configuration errors, and unauthorized access to internal resources through the cloud.
The application domain includes all critical systems, applications, and data used by an organization to support operations. Threats to the application domain include unauthorized access, server downtime or hardware failure, network operating system vulnerabilities, data loss, and vulnerabilities in web applications or client-server software.
Complex threats take the form of advanced persistent threats (APTs) or algorithm attacks. APTs take place over an extended period and use elaborate tactics and malware. Algorithm attacks exploit software processes to generate behaviors that were not intended by the software developers.
Backdoors, such as Netbus or Back Orifice, are used to gain ongoing unauthorized access to systems by bypassing normal authentication procedures. They typically involve the use of remote administrative tools (RATs) to gain access to systems. Rootkits are a type of malware that exploits vulnerabilities to gain unauthorized access (privilege escalation). Rootkits can modify system files and interfere with system forensics and monitoring tools. They are very difficult to detect and remove.
The United States Computer Emergency Readiness Team (US-CERT) and the U.S. Department of Homeland Security sponsor a database of common vulnerabilities and exposures (CVEs). CVE identifiers are a standard way to refer to known security vulnerabilities. The dark web is used by hackers to exchange vulnerability and threat information and stolen data. Security professionals use CVEs and dark web resources to research security threats. Indicators of compromise (IOCs) are the characteristics of attacks that can be used to identify exploits. Automated Indicator Sharing (AIS) provides a standard way for security professionals to exchange exploit information using the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) standards.
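To show how a CVE identifier and an indicator of compromise are packaged for exchange, here is an editor-added example (not code from the chapter) that builds a minimal STIX 2.1 bundle linking a file-hash indicator to a vulnerability object, then reads the IOC back out on the consumer side; the CVE number and hash are constructed placeholders, and the STIX field names follow the 2.1 specification as the author of this example understands it.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# CVE identifier syntax: CVE-<4-digit year>-<4 or more digits>
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def is_valid_cve_id(cve_id: str) -> bool:
    """True if cve_id follows the CVE identifier syntax."""
    return bool(CVE_RE.match(cve_id))

def _stix_id(obj_type: str) -> str:
    return f"{obj_type}--{uuid.uuid4()}"

def build_bundle(cve_id: str, sha256: str) -> dict:
    """Producer side: a STIX 2.1 bundle in which an indicator (file hash IOC)
    'indicates' a vulnerability object carrying the CVE reference."""
    if not is_valid_cve_id(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    vuln = {"type": "vulnerability", "spec_version": "2.1", "id": _stix_id("vulnerability"),
            "created": now, "modified": now, "name": cve_id,
            "external_references": [{"source_name": "cve", "external_id": cve_id}]}
    indicator = {"type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
                 "created": now, "modified": now, "valid_from": now,
                 "indicator_types": ["malicious-activity"], "pattern_type": "stix",
                 # STIX pattern: a file whose SHA-256 equals the shared IOC
                 "pattern": f"[file:hashes.'SHA-256' = '{sha256}']"}
    rel = {"type": "relationship", "spec_version": "2.1", "id": _stix_id("relationship"),
           "created": now, "modified": now, "relationship_type": "indicates",
           "source_ref": indicator["id"], "target_ref": vuln["id"]}
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": [vuln, indicator, rel]}

def bundle_to_json(bundle: dict) -> str:
    """Serialize for exchange (the payload a TAXII server would carry)."""
    return json.dumps(bundle, indent=2)

def extract_hashes(bundle_json: str) -> list:
    """Consumer side: pull SHA-256 IOCs out of every STIX indicator pattern."""
    hashes = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            hashes += re.findall(r"hashes\.'SHA-256' = '([0-9a-f]{64})'", obj["pattern"])
    return hashes

# Constructed placeholders (not from the chapter): a fake CVE number and hash
SAMPLE_CVE = "CVE-2099-0001"
SAMPLE_SHA256 = "ab" * 32
```

A defender receiving such a bundle would feed the extracted hashes to endpoint or mail-gateway detection rather than trusting the CVE name alone.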
• Deception—Social engineering is a non-technical strategy that attempts to manipulate individuals into performing risky actions or divulging confidential information. Pretexting is a social engineering attack in which someone lies to gain access to confidential data. A something-for-something attack offers a gift in exchange for confidential information. Identity fraud is the use of a person’s stolen confidential information to acquire goods or services.
Social engineering uses a number of tactics to gain cooperation from victims. Attackers may pretend to be persons of authority or use intimidation to compel people to act in ways that compromise security. They may also use tactics such as consensus, scarcity, urgency, and familiarity. Attackers will even develop a relationship of trust with a victim in order to eventually violate the victim’s security.