Threats and Attacks

The document discusses the principles of information security, emphasizing the distinction between threats (potential risks) and attacks (actual exploitation of those risks). It outlines the importance of protecting organizational functionality, data, and technology assets while detailing various threats such as human error, espionage, and natural disasters. Additionally, it lists numerous types of attacks, including ransomware, SQL injection, and credential stuffing, highlighting their implications for organizations.

Uploaded by

tasmiaansarig123

Principles of Information Security

THREATS & ATTACKS
Chapter 2
The Need for Security
Threats vs Attacks
• Threats represent potential risks that could exploit vulnerabilities in a
system. These risks can come from various sources such as malicious
actors, internal mistakes, or natural disasters.
• Attacks are the actual exploitation of these threats, where someone
actively tries to compromise, damage, or gain unauthorized access to a
system or data.
• Example:
• Threat: A known software vulnerability that allows unauthorized access.
• Attack: A hacker uses this vulnerability to breach the system and steal sensitive
data.
• In summary,
• Threat is the potential for harm.
• Attack is the execution of that potential harm when a vulnerability is exploited.

Introduction

• Primary mission of information security is to ensure systems and contents stay the same
• If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness
• Attacks on information systems are a daily occurrence

Business Needs First

• Information security performs four important functions for an organization:
• Protects ability to function
• Enables safe operation of applications implemented on its IT systems
• Protects data the organization collects and uses
• Safeguards technology assets in use

Protecting the Functionality of an Organization

• Management (general and IT) responsible for implementation
• Information security is both management issue and people issue
• Organization should address information security in terms of business impact and cost

Enabling the Safe Operation of Applications

• Organization needs environments that safeguard applications using IT systems
• Management must continue to oversee infrastructure once in place—not relegate to IT department

Protecting Data that Organizations Collect and Use

• Organization, without data, loses its record of transactions and/or ability to deliver value to customers
• Protecting data in motion and data at rest are both critical aspects of information security

Safeguarding Technology Assets in Organizations

• Organizations must have secure infrastructure services based on size and scope of enterprise
• Additional security services may be needed as organization grows
• More robust solutions may be needed to replace security programs the organization has outgrown

Figure 2-1 World Internet usage

THREATS

Threats

• Threat: an object, person, or other entity that represents a constant danger to an asset
• Management must be informed of the different threats facing the organization
• Overall security is improving
• The 2009 CSI/FBI survey found:
• 64 percent of organizations had malware infections
• 14 percent indicated system penetration by an outsider

Threats (cont’d.)

i. Deepfake Technology
ii. Cloud Security Threats
iii. Compromises to Intellectual Property
iv. Deliberate Software Attacks
v. Deviations in Quality of Service
vi. Espionage or Trespass
vii. Forces of Nature
viii. Human Error or Failure
ix. Information Extortion
x. Missing, Inadequate, or Incomplete
xi. Sabotage or Vandalism
xii. Theft
xiii. Technical Hardware Failures or Errors
xiv. Technological Obsolescence

Table 2-1 Threats to Information Security

Threats (cont’d.)
Deepfake Technology
• Description: Deepfake technology creates realistic but fake video,
audio, or images, often used to impersonate individuals or create
misleading content.
• Why it's dangerous: Deepfakes can be used to manipulate public
perception, impersonate individuals for fraud, or disrupt political
processes. They are particularly challenging to detect.
• Example: Deepfake scams involving impersonating CEOs to trick
employees into transferring money.
Cloud Security Threats
• Threat: The risk that sensitive data or services hosted on cloud
platforms could be compromised due to misconfiguration, poor
access controls, or API vulnerabilities.
• Why it's dangerous: As more businesses rely on cloud services,
improper security measures can expose vast amounts of data or
critical services to potential breaches.

Compromises to Intellectual Property

• Intellectual property (IP): “ownership of ideas and control over the tangible or virtual representation of those ideas”
• The most common IP breaches involve software piracy
• Two watchdog organizations investigate software abuse: Software & Information Industry Association (SIIA) and Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with technical security mechanisms

Deliberate Software Attacks

Figure 2-4 Trojan Horse Attack

Deviations in Quality of Service

• Includes situations where products or services are not delivered as expected
• Information system depends on many interdependent support systems
• Internet service, communications, and power irregularities dramatically affect availability of information and systems
• Three sources of deviation: Internet service issues; communications and other service provider issues; power irregularities

Deviations in Quality of Service (cont’d.)

• Internet service issues
• Internet service provider (ISP) failures can considerably undermine availability of information
• Outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software
• Communications and other service provider issues
• Other utility services affect organizations: telephone, water, wastewater, trash pickup, etc.
• Loss of these services can affect organization’s ability to function

Deviations in Quality of Service (cont’d.)

• Power irregularities
• Commonplace
• Organizations with inadequately conditioned power are susceptible
• Controls can be applied to manage power quality
• Fluctuations (short or prolonged)
• Excesses (spikes or surges) – voltage increase
• Shortages (sags or brownouts) – low voltage
• Losses (faults or blackouts) – loss of power

Espionage or Trespass

• Access of protected information by unauthorized individuals
• Competitive intelligence (legal) vs. industrial espionage (illegal)
• Shoulder surfing can occur anywhere a person accesses confidential information
• Controls let trespassers know they are encroaching on organization’s cyberspace
• Hackers use skill, guile, or fraud to bypass controls protecting others’ information

Figure 2-5 Shoulder Surfing

Figure 2-6 Hacker Profiles

Espionage or Trespass (cont’d.)

• Expert hacker
• Develops software scripts and program exploits
• Usually a master of many skills
• Will often create attack software and share with others
• Unskilled hacker
• Many more unskilled hackers than expert hackers
• Use expertly written software to exploit a system
• Do not usually fully understand the systems they hack
• Other terms for system rule breakers:
• Cracker: “cracks” or removes software protection designed to prevent unauthorized duplication
• Phreaker: hacks the public telephone network

Forces of Nature (Acts of God)

• Forces of nature (acts of God) are among the most dangerous threats
• Disrupt not only individual lives, but also storage, transmission, and use of information
• It may include fire, flood, earthquake, lightning, landslide or mudslide, tornado or severe windstorm, hurricane or typhoon, tsunami, electrostatic discharge, and dust contamination
• Organizations must implement controls to limit damage and prepare contingency plans for continued operations

Human Error or Failure

• Includes acts performed without malicious intent
• Employees are among the greatest threats to an organization’s data
• Causes include: inexperience, improper training, incorrect assumptions

Human Error or Failure (cont’d.)

• Employee mistakes can easily lead to: revelation of classified data; entry of erroneous data; accidental data deletion or modification; data storage in unprotected areas; failure to protect information
• Many of these threats can be prevented with controls

Figure 2-8 Acts of Human Error or Failure

Information Extortion

• Attacker steals information from computer system and demands compensation for its return or nondisclosure
• Commonly done in credit card number theft


Missing, Inadequate, or Incomplete

• In policy or planning, can make organizations vulnerable to loss, damage, or disclosure of information assets
• With controls, can make an organization more likely to suffer losses when other threats lead to attacks


Sabotage or Vandalism

• Threats can range from petty vandalism to organized sabotage
• Web site defacing can erode consumer confidence, dropping sales and organization’s net worth
• Threat of hacktivist or cyberactivist operations rising
• Cyberterrorism: much more sinister form of hacking


Theft

• Illegal taking of another’s physical, electronic, or intellectual property
• Physical theft is controlled relatively easily
• Electronic theft is more complex problem; evidence of crime not readily apparent


Technical Hardware Failures or Errors

• Occur when manufacturer distributes equipment containing flaws to users
• Can cause system to perform outside of expected parameters, resulting in unreliable or poor service
• Some errors are terminal; some are intermittent

Technical Software Failures or Errors

• Purchased software that contains unrevealed faults
• Combinations of certain software and hardware can reveal new software bugs
• Entire Web sites dedicated to documenting bugs

Technological Obsolescence

• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems
• Proper managerial planning should prevent technology obsolescence
• IT plays large role

ATTACKS

Attacks

• Attacks
• Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
• Accomplished by threat agent that damages or steals organization’s information

Listing of attacks

1. Network (Active/Passive)
2. Ransomware Attacks
3. Advanced Persistent Threats (APTs)
4. Zero-Day Exploits
5. Credential Stuffing
6. IoT Attacks
7. Cryptojacking
8. Business Email Compromise (BEC)
9. Artificial Intelligence (AI)-Powered Attacks
10. SQL Injection
11. Cross-Site Scripting (XSS)
12. Session Hijacking
13. Malvertising
14. Malicious code
15. Hoaxes
16. Back door
17. Password crack
18. Brute force
19. Dictionary
20. Denial-of-service (DoS)
21. Distributed denial-of-service (DDoS)
22. Spoofing
23. Man-in-the-middle (MITM)
24. Spam
25. Mail bombing
26. Sniffers
27. Phishing and Spear Phishing
28. Pharming
29. Social engineering
30. Timing attack
31. Supply Chain Attacks

Passive Attacks

• Passive attacks do not affect system resources
• Eavesdropping, monitoring
• Two types of passive attacks: release of message contents; traffic analysis
• Passive attacks are very difficult to detect
• Message transmission apparently normal
• No alteration of the data
• Emphasis on prevention rather than detection, by means of encryption
Passive Attacks (1): Release of Message Contents
Passive Attacks (2): Traffic Analysis
Active Attacks

• Active attacks try to alter system resources or affect their operation
• Modification of data, or creation of false data
• Four categories: masquerade; replay; modification of messages; denial of service (preventing normal use)
• A specific target or entire network
• Difficult to prevent
• The goal is to detect and recover
Active Attacks (1): Masquerade
Active Attacks (2): Replay
Active Attacks (3): Modification of Messages
Active Attacks (4): Denial of Service
Attacks (cont’d.)
Ransomware Attacks
• Description: Ransomware is malicious software that encrypts files on a victim's system and
demands payment (usually in cryptocurrency) to restore access.
• Why it’s dangerous: These attacks can shut down entire businesses, hospitals, or even city
infrastructures, causing devastating financial and operational losses.
• Recent examples: The WannaCry and Ryuk ransomware attacks targeted healthcare,
government, and critical infrastructure sectors.
Advanced Persistent Threats (APTs)
• Description: APTs are prolonged, targeted attacks where attackers gain unauthorized access to
a network and remain undetected for an extended period, often to steal sensitive data.
• Why it’s dangerous: APTs are typically state-sponsored or financially motivated groups that
can persist for months or years within networks, exfiltrating valuable data.
• Recent examples: The APT29 group (Cozy Bear), associated with Russian intelligence, was
linked to the SolarWinds attack.
Zero-Day Exploits
• Description: These attacks exploit unknown vulnerabilities in software before developers have a chance to
patch them.
• Why it’s dangerous: Since no patch exists, organizations are left vulnerable until the flaw is identified and
mitigated.
• Recent examples: Zero-day vulnerabilities in widely used platforms like Microsoft Exchange, Google
Chrome, and Zoom have been exploited by attackers.

Attacks (cont’d.)
Credential Stuffing
• Description: Attackers use stolen credentials (from past data breaches) to
gain unauthorized access to user accounts across multiple services.
• Why it’s dangerous: Many people reuse passwords, so once one account is
compromised, attackers can gain access to others, including corporate
systems.
• Recent examples: Credential stuffing attacks on retail and financial services
have increased as stolen credentials are sold on the dark web.
IoT Attacks
• Description: Internet of Things (IoT) devices, such as smart home systems,
medical devices, and industrial control systems, are increasingly targeted
due to weak security configurations.
• Why it’s dangerous: These devices often have poor security, and if
compromised, they can give attackers access to sensitive data or even critical
infrastructure.
• Recent examples: The Mirai botnet hijacked IoT devices for large-scale DDoS
attacks, and medical devices have been targeted in healthcare facilities.

Attacks (cont’d.)
Cryptojacking
• Description: Attackers hijack systems to mine cryptocurrency using
unauthorized resources, leading to performance degradation and higher
operational costs.
• Why it's dangerous: Cryptojacking often goes unnoticed for long periods,
draining resources, reducing system performance, and increasing
electricity costs.
• Example: Infected websites or software that use the computing power of
visitors’ devices to mine cryptocurrencies like Bitcoin.
Business Email Compromise (BEC)
• Description: Attackers impersonate senior executives or vendors and manipulate employees
into wiring funds or sharing sensitive data.
• Why it's dangerous: BEC scams are highly targeted and often result in significant financial
losses, with little chance of recovery once funds are transferred.
• Example: Fraudulent emails convincing employees to transfer money to attacker-controlled
accounts, leading to millions in losses for businesses.

Attacks (cont’d.)
SQL Injection
• Malicious SQL queries inserted into input fields to manipulate or access databases.
• Example: An attacker enters ' OR '1'='1' -- into a login form, bypassing authentication and
gaining unauthorized access to user accounts.
Cross-Site Scripting (XSS)
• Injects malicious scripts into websites, which execute on users’ browsers.
• Example: A user posts <script>alert('You have been hacked!');</script> in a forum comment,
causing every visitor to see the alert when viewing that comment.
Session Hijacking
• Taking over a user’s session to impersonate them without needing login credentials.
• Example: In a public Wi-Fi network, an attacker uses Firesheep to intercept session cookies,
allowing them to log in as the victim on a website.
Malvertising
• Malicious ads that distribute malware or redirect users to malicious sites.
• Example: An infected advertisement on a legitimate website redirects users to a site hosting
ransomware, infecting their device without any user interaction.
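
The SQL injection example above works only when user input is pasted into the query text. The following added example (not from the slides) shows the login check built by string concatenation next to the same check as a parameterized query, using an in-memory SQLite table with constructed sample data; passwords are stored in plaintext here only to keep the demonstration short, real systems store salted hashes.

```python
import sqlite3

# The login-form input quoted on the slide.
PAYLOAD = "' OR '1'='1' --"


def make_db():
    """Constructed sample table (assumption for the demo): one user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Query built by concatenation: quotes and '--' in the input become SQL syntax.
    With PAYLOAD as the username the WHERE clause collapses to username = '' OR '1'='1'
    and the rest of the line, including the password check, is commented out."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from the SQL text,
    so the same PAYLOAD is compared literally against the username column."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def run_demo():
    """Compare both implementations on a real login and on the injected input."""
    conn = make_db()
    return {
        "vulnerable_real_user": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_payload": login_vulnerable(conn, PAYLOAD, "anything"),
        "safe_real_user": login_safe(conn, "alice", "correct horse"),
        "safe_payload": login_safe(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:22s} -> {'login accepted' if accepted else 'login rejected'}")
```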

Attacks (cont’d.)
• Malicious code: includes execution of viruses, worms,
Trojan horses, and active Web scripts with intent to
destroy or steal information
• Hoaxes: transmission of a virus hoax with a real virus attached;
more devious form of attack
• Back door: gaining access to system or network using
known or previously unknown/newly discovered access
mechanism
• Password crack: attempting to reverse calculate a
password
• Brute Force: trying every possible combination of
options of a password
• Dictionary: selects specific accounts to attack and uses
commonly used passwords (i.e., the dictionary) to guide
guesses
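
The credential stuffing, brute force and dictionary attacks described above leave different traces in an authentication log: stuffing shows one source trying many different accounts once or twice each, while brute force and dictionary guessing pile many failures onto one account. The following is an added example, not from the slides, that runs that distinction over a constructed sample of log lines; the log field layout, the IP addresses (RFC 5737 documentation ranges) and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the slides).
SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=192.0.2.10 user=alice result=OK
2024-05-01T10:00:05 ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:06 ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:07 ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:08 ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:09 ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:10 ip=203.0.113.5 user=grace result=OK
2024-05-01T10:01:00 ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:01:01 ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:01:02 ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:01:03 ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:01:04 ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:01:05 ip=198.51.100.9 user=admin result=FAIL
2024-05-01T10:02:00 ip=192.0.2.11 user=bob result=FAIL
2024-05-01T10:02:03 ip=192.0.2.11 user=bob result=OK
""".splitlines()

LOG_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse(lines):
    """Return (ip, user, success) tuples; lines that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect(lines, stuffing_min_accounts=5, guessing_min_failures=5):
    """Thresholds are illustrative assumptions; tune them to the real login volume."""
    failed_accounts_per_ip = defaultdict(set)  # ip -> distinct accounts that failed from it
    failures_per_user = defaultdict(int)       # user -> number of failed attempts
    successes_per_ip = defaultdict(set)        # ip -> accounts that logged in from it
    for ip, user, ok in parse(lines):
        if ok:
            successes_per_ip[ip].add(user)
        else:
            failed_accounts_per_ip[ip].add(user)
            failures_per_user[user] += 1
    findings = []
    # Credential stuffing: one source, many different accounts. Any success from that
    # source is the real signal: a reused password that matched and needs a reset.
    for ip, accounts in failed_accounts_per_ip.items():
        if len(accounts) >= stuffing_min_accounts:
            findings.append(("credential_stuffing", ip, sorted(successes_per_ip[ip])))
    # Brute force / dictionary: one account collecting many failed attempts.
    for user, n in failures_per_user.items():
        if n >= guessing_min_failures:
            findings.append(("password_guessing", user, n))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The normal user at 192.0.2.11 who mistypes once and then logs in is not flagged by either rule.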

Table 2-2 Attack Replication Vectors

Attacks (cont’d.)

• Denial-of-service (DoS): attacker sends large number of connection or information requests to a target
• Target system cannot handle successfully along with other, legitimate service requests
• May result in system crash or inability to perform ordinary functions
• Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously

Figure 2-11 Denial-of-Service Attacks

Attacks (cont’d.)

• Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
• Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network
• Spam: unsolicited commercial e-mail; more a nuisance than an attack, though is emerging as a vector for some attacks
• Mail bombing: also a DoS; attacker routes large quantities of e-mail to target

Figure 2-12 IP Spoofing

Figure 2-13 Man-in-the-Middle Attack

Attacks (cont’d.)

• Sniffers: program or device that monitors or eavesdrops on data traveling over network; can be used both for legitimate purposes and for stealing information from a network
• Phishing: an attempt to gain personal/financial information from individual, usually by posing as legitimate entity (Email, Forms, Replicate)
• URL manipulation
• Web site forgery
• Phone phishing
• Pharming: redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information

Attacks (cont’d.)

• Social engineering: using social skills to convince people to reveal access credentials or other valuable information to attacker
• “People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything.” — Kevin Mitnick
• Timing Attack: relatively new; works by exploring contents of a Web browser’s cache to create malicious cookie

Reading task (Optional)

1. HACK PCWEEK TOPOLOGY
2. Nigerian Fraud Example @ Advance-Fee Fraud (AFF), (Course Book)
3. Secure Software Development

Supplementary

Secure Software Development

• Many information security issues discussed here are caused by software elements of system
• Development of software and systems is often accomplished using methodology such as Systems Development Life Cycle (SDLC)
• Many organizations recognize need for security objectives in SDLC and have included procedures to create more secure software
• This software development approach known as Software Assurance (SA)

Software Assurance and the SA Common Body of Knowledge

• National effort underway to create common body of knowledge focused on secure software development
• US Department of Defense and Department of Homeland Security supported Software Assurance Initiative, which resulted in publication of Secure Software Assurance (SwA) Common Body of Knowledge (CBK)
• SwA CBK serves as a strongly recommended guide to developing more secure applications

Software Design Principles

• Good software development results in secure products that meet all design specifications
• Some commonplace security principles:
• Keep design simple and small
• Access decisions by permission not exclusion
• Every access to every object checked for authority
• Design depends on possession of keys/passwords
• Protection mechanisms require two keys to unlock
• Programs/users utilize only necessary privileges

Software Design Principles (cont’d.)

• Some commonplace security principles (cont’d.):
• Minimize mechanisms common to multiple users
• Human interface must be easy to use so users routinely/automatically use protection mechanisms

Software Development Security Problems

• Problem areas in software development:
• Buffer overruns
• Command injection
• Cross-site scripting
• Failure to handle errors
• Failure to protect network traffic
• Failure to store and protect data securely
• Failure to use cryptographically strong random numbers

Software Development Security Problems (cont’d.)

• Problem areas in software development (cont’d.):
• Format string problems
• Neglecting change control
• Improper file access
• Improper use of SSL
• Information leakage
• Integer bugs (overflows/underflows)
• Race conditions
• SQL injection

Software Development Security Problems (cont’d.)

• Problem areas in software development (cont’d.):
• Trusting network address resolution
• Unauthenticated key exchange
• Use of magic URLs and hidden forms
• Use of weak password-based systems
• Poor usability

Summary

• Unlike any other aspect of IT, information security’s primary mission is to ensure things stay the way they are
• Information security performs four important functions:
• Protects organization’s ability to function
• Enables safe operation of applications implemented on organization’s IT systems
• Protects data the organization collects and uses
• Safeguards the technology assets in use at the organization

Summary (cont’d.)

• Threat: object, person, or other entity representing a constant danger to an asset
• Management effectively protects its information through policy, education, training, and technology controls
• Attack: a deliberate act that exploits vulnerability
• Secure systems require secure software
