Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybersecurity Threats and Countermeasures

Published byDjaja Hartono Modified over 6 years ago

Similar presentations

Presentation on theme: "Cybersecurity Threats and Countermeasures"— Presentation transcript:

1 Cybersecurity Threats and Countermeasures
Unit 1: Basic security concepts

2 Learning Objectives Upon the conclusion of this module, the student will be able to: Identify the effect that cyber warfare and cybercrime can have on society and an organization. Explain the trade-off between key security properties and usability. Identify the basic concepts of threats, vulnerabilities, attack vectors, and risk. Identify threat actors, their capabilities/techniques, motivations, risk aversion, and potential attack targets

3 Cyber Warfare “Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks through, for example, computer viruses or denial-of-service attacks” (Source: Rand Corporation. Retrieved from These first few slides attempt to address the question, “Why do we need cybersecurity?”, introducing the students to the very real threats of cyber war and cybercrime. For the last decade, nation states have been engaging in cyberwar. This is evident from instances such as Stuxnet, where highly sophisticated malware (possibly brought in on USB “thumb drives”) targeting a very specific type of enrichment centrifuge used by Iran’s nuclear program, damaged the devices, significantly delaying Iran’s nuclear development efforts. Iran purportedly has attempted retaliation for Stuxnet on U.S./Israeli banks. Other examples include the cyberattacks on Estonia, in 2007, which were attributed to Russian hackers. These attacks disabled government websites, newspapers, and banks. Even our own recent accusations in December 2016 by U.S. officials of Russian attempts to hack a Burlington, Vermont electrical grid, using malicious code named “Grizzly Steppe”, indicate a continued, concentrated effort to disrupt critical infrastructure and networks through cyber attacks. Most countries today have large organizations dedicated to cyber warfare, such as the United States’ Cyber Command (USCYBERCOM), created in 2009, that is responsible for engaging nation state actors both defensively, as well as offensively.

4 Cyber Warfare Targets Cyber war targets systems that are critical to maintaining a nation’s way of life, what the Department of Homeland Security identifies as “critical infrastructure” and cause widespread panic and uncertainty. These systems include financial systems, healthcare, energy (electrical grids and power plants), water (including water treatment facilities and dams), communications systems, food and agriculture, and transportation systems, all of which are now connected to the Internet. These activities indicate that we have entered into an era where battles will be fought not on land, but in cyberspace, and network personnel responsible for securing systems and applications need to be continually diligent to monitoring evolving cyber threats and recognize and secure systems against potential attacks. Exercise 1: Have students find and discuss articles relating to instances of cyber warfare on the critical infrastructure sectors cited above and complete Exercise 1.

5 Cybercrime Unlike cyber warfare activities, cybercrimes are malicious activities that are often financial in nature. They involve credit card theft (most often large-scale), cyber extortion (ransomware attacks), theft of intellectual property (often with the intent to take stolen products to market before the developing company can do so). These crimes are often perpetrated by individuals in economically-disadvantaged countries, or hostile nation states. While the slide focuses on cybercrimes committed against organizations, the scope of cybercrime extends to individuals and children, as well, who may be cyberstalked or potential victims of online predators. In 2011, theft of intellectual property in the U.S. had cost billions of dollars in lost revenue, amounting to 2.2 million lost jobs. 90% of this theft attributable to China (US International Trade Commission, 2011). This was confirmed in 2015 by in a survey performed by the FBI which saw a significant increase in 2015 of economic espionage over the previous year, 95% of which was, again, attributed to China. Bruer (2015). Suggested Activity: Have students review the FBI siteat that addresses economic espionage and intellectual theft and watch the FBI-produced movie “The Company Man: Protecting America’s Secrets” at that seeks to raise awareness of economic espionage threats. Sources: Bruer, W. (2015). FBI sees Chinese involvement amid sharp rise in economic espionage cases. CNN Politics. July 24, Retrieved from United States International Trade Commission. (2011). China: Effects of Intellectual Property Infringement and Indigenous Innovation Policies on the U.S. Economy. USITC Publication May Retrieved from

6 Challenges Defending against these threats can be challenging, given many factors: “Zero day” vulnerabilities Sophistication of attack tools, requiring little knowledge or skill on the part of the attacker System complexity Smaller devices associated with growth of “Internet of Things” Lack of vulnerability/patch management processes Zero-day vulnerabilities - vulnerabilities in software that are discovered and exploited by attackers before a fix can be disseminated. Sophistication of attack tools – many attack tools today are complex programs that are automated, allowing attackers to possess relatively little skill in executing them against a target. System complexity – systems are interconnected and much more complex than in the past. This complexity almost always ensures that vulnerabilities are introduced or missed (not patched), which the interconnected nature facilitates security issues at the boundaries of these interconnected devices. As an example, Voice over IP (VoIP) systems introduce new vulnerabilities to the data networks to which they are connected. Smaller devices – Smaller devices, including mobile devices and those associated with the “Internet of Things” (for examples, sensors on dams that regulate water flow), are often considered disposable devices and are not meant to be updated. These devices also often do not support common security techniques, such as encryption and authentication (verifying that an update, or patch, is received from an authorized source). Lack of vulnerability/patch management processes – Many times, security challenges are a result of human or resource issues. A lack of vulnerability or patch management processes to ensure that systems are adequately patched can leave assets at significant risk.

7 Security Trade-Off In addition to the security challenges previously addressed, there is always a trade-off between security and usability. As security services, such as those providing for confidentiality, integrity, and availability, are implemented, system performance and accessibility suffer.

8 Security Threats A security threat is the potential for an event to occur that would negatively impact security. There are three types of threats: Natural events (also called “Acts of God”) Human error (accidents) Attacks – attacks require malicious intent, so must be caused by people who would circumvent or violate security. The word “potential” is the operative word where threats are concerned. These are not events that have occurred. They can occur. An impending storm, as an example, threatens us. ITEF’s Request for Comment (RFC) 4949 provides the following definitions: “threat 1a. (I) A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm. (See: dangling threat, INFOCON level, threat action, threat agent, threat consequence. Compare: attack, vulnerability.) 1b. (N) Any circumstance or event with the potential to adversely affect a system through unauthorized access, destruction, disclosure, or modification of data, or denial of service. [C4009] (See: sensitive information.)” “ attack 1. (I) An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat. (See: penetration, violation, vulnerability.) 2. (I) A method or technique used in an assault (e.g., masquerade). (See: blind attack, distributed attack.)” ITEF Trust (2007). Request for Comments: Internet Security Glossary, Version 2. Retrieved from

9 Vulnerabilities Vulnerabilities are weaknesses, such as with insecure (buggy) software code, or misconfigurations (e.g. default or weak passwords). Vulnerabilities provide the opportunity by which threat agents/actors (the entity that would act on the threat) can cause the threat to occur. A threat action is the realization (actualization) of the threat. Suggested activity: Using the terms on Slides 8 and 9, ask students to identify the scenarios that include threats, vulnerabilities, threat agents, and threat actions. As an example: A company has an online web application that allows customers to order products online. This connects to a database containing customer account information. The threat, in this case, would be to the loss of that customer data. The vulnerability would be a poorly designed web form that enables an attacker (the threat agent, in this example) to perform a SQL Injection attack and successfully gain access to customer data (threat action). Results will differ depending on the student’s prior experience or knowledge. Encourage students to think of natural events, as well. For instance, an organization has a server that must be up 24/7. A threat would be an event that would prevent the system from being up 24/7. The vulnerability might be that the company is located in an area prone to ice storms. The threat agent and threat action would be an ice storm. Doesn’t work as neatly as the first example, but it will give them an idea of how threats relate to vulnerabilities.

10 Attack Vectors Attack vectors are the methods, or path, that the attacker (threat actor) will use to attack. It is the path that they will take to take advantage of a vulnerability. As an example, attackers will often use social engineering techniques, such as phishing, to attack a network. Another example of an attack vector, relative to the example provided in the notes on slide 9 with the SQL Injection, the SQL Injection itself becomes the attack vector – the attacker using this to exploit the vulnerability (the poorly designed web application).

11 Risk Risk is the degree to which an organization is exposed to the threat, and takes into consideration the likelihood and impact of the threat being realized. Risk assessments are processes used by an organization to calculate the amount of risk that a threat presents to an organization, often with the goal of serving to better evaluate proposed security controls for cost effectiveness. Likelihood is the probability of an event occurring. This is often expressed as a percentage (for example, it is understood that, historically, there is a 90% probability that a web server connected to the Internet will be successfully breached by an attacker in a year). Impact is the result of that threat and can be expressed quantitatively in terms of the cost of the event, or qualitatively (High, moderate, or low). It is important to calculate likelihood and impact as, while all systems might face a particular event, the likelihood of the event occurring may be higher or lower and is also true with the impact, or cost, to the organization if the impact occurred. As an example, there may be the threat of an earthquake that might have a higher likelihood of occurrence if an organization is in parts of California, versus Washington, D.C., however the impact would be the same if the quake occurred. Or, the impact might be much greater if the earthquake occurs near a nuclear power plant, as opposed to a unmanned storage facility. Several different types of risk assessments are available to calculate the amount of risk that a threat presents to an organization, such as quantitative and qualitative types, as well as risk frameworks (Delphi, OCTAVE) used in the process. This is outside of the scope of this module, however students should understand that processes exist to calculate the level of risk that must be managed.

12 Risk Handling Techniques
Risk handling is the process of managing risk so that either the likelihood of the threat occurring is reduced, or the impact is reduced. Risk handling techniques include: Risk Avoidance Risk Mitigation Risk Transference Risk Acceptance The degree to which an organization “accepts” risk (chooses to do nothing) is based on their risk tolerance. A “risk averse” organization will be more likely to implement security controls, even if they are more costly than the event. Risk Avoidance – Measures taken to prevent the threat from occurring. This prevents the likelihood (doesn’t effect the impact), but is often unfeasible. An example would be to disconnect a vulnerable web server from the Internet. This would prevent it from being hacked by an external attacker, however you would completely lose its functionality. Risk Mitigation – Taking steps to reduce the likelihood or impact, but not to zero, of a threat’s occurrence. For example, the implementation of a firewall that would examine network traffic coming in to the organization to filter out suspicious traffic. It is possible that some attacks might be missed, but the amount of malicious packets would be eliminated. Risk Transference – Placing the responsibility of the threat onto another entity. An example would be with the purchase of cybersecurity insurance that would pay the fines and damages in the event of a successful attack. Risk Acceptance – A risk handling method in which the organization chooses to do nothing to reduce the likelihood or impact. In many cases, this is a cost-based decision where a risk assessment has determined that the cost of security measure that would be implemented outweighs the anticipated cost of the threat being actualized. The bottom line to effective risk management is to remember that “He who defends everything, defends nothing” (Frederick the Great). The goal of a good risk assessment and risk management plan is to identify critical assets to the organization and prioritize countermeasures (controls) to those that present the greatest negative impact to the organization’s mission.

13 Threat Actors Understanding who the threat actors, or attackers, are and the methods that they will use to attack a target is critical to effective cyber defense. This is categorized, using a military term, as Tactics, Techniques, and Procedures, or TTPs. Tactics refer to the art or skill in achieving the goal. Techniques are the methods that are employed that are often unique to the attacker (for example, specific “signatures” that might identify the writer of malware), and the procedures are the actions that are taken during an attack (port scans, for instance). By understanding what motivates the attacker, we can understand possible attack vectors and vulnerabilities that the attacker will take.

14 Threat Actor Types Threat Actor Description Target Motivation
Techniques Risk Aversion Script Kiddies Less-skilled attacker, usually younger Opportunistic Thrill of the hunt, bragging rights Uses canned scripts found on the Internet Low Corporate Spies Highly-skilled hackers seeking to access company proprietary data Companies, often engaged in R&D Economic espionage – money Phishing and other social engineering techniques, the use of Remote Access Trojans (RATs) to gain access to the competitor’s systems High Cyber Criminals Often well-organized groups, but can be individuals acting alone Banks, companies that store Money Ransomware, Phishing and other social engineering techniques Hacktivist Seek to disrupt or vandalize Organizations that violate the individual or group’s beliefs Political or other causes in which the hacker believes Website Graffiti, Denial-of-Service. Will sometimes place personnel inside the organization Nation State Spies and Terrorists Highly-skilled Government and critical infrastructure organizations Disruption of critical services to generate panic, data theft for their businesses or to cripple the other nation Difficult to identify, due to their skills. Use of Advanced Persistent Threat (APTs) to gain, and maintain, access. Some use supply chain attacks. Insiders Often employees, usually less skilled Company data Theft of proprietary data or, sometimes, a desire to snoop Privilege escalation, often through gaining access to other accounts via social engineering There are many types of threat actors, identifiable by their characteristics, motivation, and techniques: Script Kiddies - Script kiddies are relative novice attackers. They are generally younger and don’t possess the level of skill or knowledge as their more experienced counterparts. Their targets tend to be opportunistic, they will attack whomever is readily available and tend to work individually. Due to their being lesser-skilled, they tend to make a lot of “noise when they attack and are easy to identify. That said, the fact (as mentioned before in this unit) that the scripts that they use tend to be highly sophisticated, these attackers don’t need a lot of skill to do a lot of damage as they can easily overwhelm some systems. They tend to pay less attention to risk and are willing to risk discovery in order to quickly attack a target. Corporate Spies – Economic espionage, although it is well-known that many other nations engage in corporate espionage to give their nation’s businesses and unfair advantage economically, so this tends to also relate to Nation State spies. These attackers are usually highly-skilled employees of a competitor’s organization. Due to the ramifications on stock prices and prosecution, attackers will be risk averse so attacks may span several months to avoid being detected. Cyber criminals – According to Department of Justice statistics, Ransomware attacks have cost the U.S. as much as $57 million dollars, with victims paying between $200 and $10,000 to recover lost files (DOJ, 2016). Cyber criminals often uses malware embedded in images in to redirect the victim to a spoofed site (usually financial sites), where they obtain user names and passwords. Given the magnitude of the volume of phished s sent, if even 1% are successful the attacker stands to gain significant funds. In organized groups, they can be well-funded. Skill levels differ, however many cyber crime organizations can pay to attract top talent, making some attacks against very difficult to defend against. Generally, risk tolerant as they have anonymized themselves and will simply move on to another target. Hacktivists – In some cases, the hacktivist will be an insider, such as the cases with Pvt. Manning and the release of State Department s, or Edward Snowden and the compromise of NSA information. Because they strongly believe in their cause, they tend to be very risk tolerant, not caring if their identities become known. This is obviously not the case with more organized groups, such as Anonymous, which take great care to anonymize the identities of its members. Nation State – As discussed earlier in the unit, the Department of Homeland Security has identified 16 critical infrastructure sectors, including healthcare, financial, transportation, and IT. The goal of nation-sponsored threat actors is to disrupt these services to generate panic or uncertainty among the population. In many cases, their goal is to steal intellectual property to increase the wealth of their own country’s businesses. In some cases, as with the 2016 Presidential election, the motivation was to influence election results to elect a President sympathetic to their agenda. Because nations recruit “the best of the best”, these are highly skilled attackers, difficult to both detect and defend against. As such, they are often able to establish a long-term presence on the victim’s system, known as an Advanced Persistent Threat (APT). Because of the political ramifications of getting caught, there is a high risk aversion, resulting in a much longer, more methodical approach to compromise. As an example, port scans to detect open, listening ports, would be performed much more slowly in order to avoid detection by an intrusion detection system (coming in “low and slow”, as they say). In some cases, the use of malware on devices, such as with a water pump purchased by a water treatment facility in Ohio (a supply chain attack), provides the means to deliver a malicious payload (result of the attack). Insiders – Insiders are internal employees or business partners that have access to the internal system. This access makes them particularly dangerous, as they often know what they are looking for and where it is located. Many times, employees are “feathering their nest” in preparation for leaving a company – seeking to take company proprietary information with them to their new employer. Other times, they are motivated by revenge. Studies have shown that, as company morale decreases, incidences of insider attack increase. Occasionally, employees may be simply interested in snooping through company data, for instance prying into human resource or payroll records to discover co-workers salaries. They type of insider will determine how sophisticated the attack and the tools used. Many insiders are system administrators who have elevated privileges (often in excess of their need-to-know). Because the risk of discovery would be termination and prosecution, these attackers would be highly risk averse. Suggested Student Activity: Ask students to visit the FBI’s Internet Crime Complaint Center (IC3) located at and read the press releases and annual reports to fully understand the prevalence and cost of Internet crimes. Source: Department of Justice. (2016). DOJ Responds to Carper Inquiries on Response to Threat of Ransomware. Retrieved from

Download ppt "Cybersecurity Threats and Countermeasures"

Similar presentations

Introduction and Overview of Digital Crime and Digital Terrorism

Introduction and Overview of Digital Crime and Digital Terrorism
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Introducing Computer and Network Security

Introducing Computer and Network Security
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Chapter 1 Introduction to Security

Chapter 1 Introduction to Security
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
CYBER CRIME AND SECURITY TRENDS

CYBER CRIME AND SECURITY TRENDS
Network security policy: best practices

Network security policy: best practices
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
APA of Isfahan University of Technology In the name of God.

APA of Isfahan University of Technology In the name of God.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Threats and vulnerabilities

Threats and vulnerabilities

Similar presentations

Ads by Google