Describe the threat landscape
You’ve now learned about cyberattacks, cybercriminals, and cybersecurity. But you’ll also need to understand the means cybercriminals can use to carry out attacks and achieve their aims. To do this, you’ll learn about concepts like the threat landscape, attack vectors, security breaches, and more.
What is the threat landscape?
Whether an organization is big or small, every part of the digital landscape with which it interacts represents a potential entry point for a cyberattack. These can include:
- Email accounts
- Social media accounts
- Mobile devices
- The organization’s technology infrastructure
- Cloud services
- People
Collectively, these are referred to as the threat landscape. Notice that the threat landscape can cover more than just computers and mobile phones. It can include any elements that are owned or managed by an organization, or some that are not. As you’ll learn next, criminals will use any means they can to mount and carry out an attack.
What are attack vectors?
An attack vector is an entry point or route for an attacker to gain access to a system.
Email is perhaps the most common attack vector. Cybercriminals will send seemingly legitimate emails that result in users taking action. This might include downloading a file, or selecting a link that will compromise their device. Another common attack vector is through wireless networks. Bad actors will often tap into unsecured wireless networks at airports or coffee shops, looking for vulnerabilities in the devices of users who access the wireless network. Monitoring social media accounts, or even accessing devices that are left unsecured, are other commonly used routes for cyberattacks. However, you should know that attackers don’t need to rely on any of these. They can use a variety of less obvious attack vectors. Here are some examples:
- Removable media. An attacker can use media such as USB drives, smart cables, storage cards, and more to compromise a device. For example, attackers might load malicious code into USB devices that are subsequently provided to users as a free gift, or left in public spaces to be found. When they’re plugged in, the damage is done.
- Browser. Attackers can use malicious websites or browser extensions to get users to download malicious software on their devices, or change a user’s browser settings. The device can then become compromised, providing an entry point to the wider system or network.
- Cloud services. Organizations rely more and more on cloud services for day-to-day business and processes. Attackers can compromise poorly secured resources or services in the cloud. For example, an attacker could compromise an account in a cloud service, and gain control of any resources or services accessible to that account. They could also gain access to another account with even more permissions.
- Insiders. The employees of an organization can serve as an attack vector in a cyberattack, whether intentionally or not. An employee might become the victim of a cybercriminal who poses as a person of authority in order to trick them into granting unauthorized access to a system. This is a form of social engineering attack. In this scenario, the employee serves as an unintentional attack vector. In some cases, however, an employee with authorized access may use it to intentionally steal or cause harm.
What are security breaches?
Any attack that results in someone gaining unauthorized access to devices, services, or networks is considered a security breach. Imagine a security breach as similar to a break-in where an intruder (attacker) successfully breaks into a building (a device, application, or network).
Security breaches come in different forms, including the following:
Social engineering attacks
It is common to think about security breaches as exploiting some flaw or vulnerability in a technology service or piece of equipment. Likewise, you might believe that security breaches only happen because of vulnerabilities in technology. But that’s not the case. Attackers can use social engineering attacks to exploit or manipulate users into granting them unauthorized access to a system.
In social engineering, impersonation attacks happen when an unauthorized user (the attacker) aims to gain the trust of an authorized user by posing as a person of authority in order to access a system for some nefarious activity. For example, a cybercriminal might pretend to be a support engineer to trick a user into revealing their password, and so gain access to an organization’s systems.
Browser attacks
Whether on a desktop, laptop, or phone, browsers are an important access tool for the internet. Security vulnerabilities in a browser can have a significant impact because of their pervasiveness. For example, suppose a user is working on an important project with a looming deadline. They want to figure out how to solve a particular problem for their project. They find a website that they believe will provide a solution.
The website asks the user to make some changes to their browser settings so they can install an add-on. The user follows the instructions on the website. Unknown to them, the browser is now compromised. This is a browser modifier attack, one of many different types used by cybercriminals. An attacker can now use the browser to steal information, monitor user behavior, or compromise a device.
Password attacks
A password attack is when someone attempts to authenticate to a password-protected account in order to gain unauthorized access to a device or system. Attackers often use software to speed up the process of guessing or cracking passwords. For example, suppose an attacker has somehow discovered someone’s username for their work account.
The attacker then tries a vast number of possible password combinations to access the user’s account. The password only has to be correct once for the attacker to get access. This is known as a brute force attack and is one of many ways in which a cybercriminal can use password attacks.
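The brute force pattern described above is also one of the easiest to spot from the defender's side: many failed logins for one account from one source in a short time, sometimes followed by a success. The following is an added example, not part of the module, that runs a sliding-window detector over a constructed authentication log. The log format, the field names, the threshold of five failures per minute and the sample IP addresses (from reserved documentation ranges) are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log; the syslog-like layout is invented for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth: FAILED login user=alice src=203.0.113.7
2024-05-01T09:00:03 auth: FAILED login user=alice src=203.0.113.7
2024-05-01T09:00:04 auth: FAILED login user=bob src=198.51.100.20
2024-05-01T09:00:05 auth: FAILED login user=alice src=203.0.113.7
2024-05-01T09:00:06 auth: OK login user=bob src=198.51.100.20
2024-05-01T09:00:08 auth: FAILED login user=alice src=203.0.113.7
2024-05-01T09:00:09 auth: FAILED login user=alice src=203.0.113.7
2024-05-01T09:00:11 auth: FAILED login user=alice src=203.0.113.7
2024-05-01T09:00:40 auth: OK login user=alice src=203.0.113.7
2024-05-01T09:05:00 auth: FAILED login user=carol src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth: "
    r"(?P<result>FAILED|OK) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_password_attacks(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detector over authentication events.

    Emits a 'brute_force' alert the first time a (user, source) pair reaches
    `threshold` failed logins inside `window`, and a 'success_after_failures'
    alert when a login succeeds while that pair is still inside such a burst,
    which is the signal a defender most wants to see: the guessing may have worked.
    """
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["user"], ev["src"])
        q = failures[key]
        # Discard failures that have fallen out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "brute_force", "user": key[0], "src": key[1],
                               "failures": len(q), "at": ev["ts"].isoformat()})
        elif len(q) >= threshold:
            alerts.append({"kind": "success_after_failures", "user": key[0], "src": key[1],
                           "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_password_attacks(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log this raises two alerts for alice (five failures within ten seconds, then a success from the same source) and nothing for bob, whose single mistyped password is normal behaviour. In practice the threshold and window are tuned to the environment, and a detection like this is paired with rate limiting and multifactor authentication rather than with a hard account lockout alone, which an attacker can otherwise abuse to lock legitimate users out.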
What are data breaches?
A data breach is when an attacker successfully gains access or control of data. Using the intruder example, this would be similar to that person getting access to, or stealing, vital documents and information inside the building.
When an attacker achieves a security breach, they’ll often want to target data, because it represents vital information. Poor data security can lead to an attacker gaining access and control of data. This can lead to serious consequences for the victim, whether that is a person, organization, or even a government. This is because the victim’s data could be abused in many ways. For example, it can be held as ransom or used to cause financial or reputational harm.
Describe malware
You’ve heard about terms like malware, viruses, worms, and so on. But what do these things mean? Is a virus a worm? Exactly what does malware do? These are just some of the basic concepts you’ll learn about in this unit.
What is malware?
Malware comes from the combination of the words malicious and software. It’s a piece of software used by cybercriminals to infect systems and carry out actions that will cause harm. This could include stealing data or disrupting normal usage and processes.
Malware has two main components:
- Propagation mechanism
- Payload
What is a propagation mechanism?
Propagation is how the malware spreads itself across one or more systems. Here are a few examples of common propagation techniques:
Virus
Most of us are already familiar with this term. But what does it actually mean? First, let’s think about viruses in non-technical terms. In biology, for example, a virus enters the human body, and once inside, can spread and cause harm. Technology-based viruses depend on some means of entry, specifically a user action, to get into a system. For example, a user might download a file or plug in a USB device that contains the virus, which then infects the system. You now have a security breach.
Worm
In contrast to a virus, a worm doesn’t need any user action to spread itself across systems. Instead, a worm causes damage by finding vulnerable systems it can exploit. Once inside, the worm can spread to other connected systems. For example, a worm might infect a device by exploiting a vulnerability in an application that runs on it. The worm can then spread across other devices in the same network and other connected networks.
Trojan
A trojan horse attack gets its name from classical history, where soldiers hid inside a wooden horse that was presented as a gift to the Trojans. When the Trojans brought the wooden horse into their city, the soldiers emerged from hiding and attacked. In the context of cybersecurity, a trojan is a type of malware that pretends to be a genuine piece of software. When a user installs the program, it can pretend to be working as advertised, but the program also secretly performs malicious actions such as stealing information.
What is a payload?
The payload is the action that a piece of malware performs on an infected device or system. Here are some common types of payload:
- Ransomware is a payload that locks systems or data until the victim has paid a ransom. Suppose there’s an unidentified vulnerability in a network of connected devices. A cybercriminal can exploit this to access and then encrypt all files across this network. The attacker then demands a ransom in return for decrypting the files. They might threaten to remove all of the files if the ransom hasn’t been paid by a set deadline.
- Spyware is a type of payload that spies on a device or system. For example, the malware may install keyboard scanning software on a user’s device, collect password details, and transmit them back to the attacker, all without the user’s knowledge.
- Backdoor is a type of payload that enables a cybercriminal to exploit a vulnerability in a system or device to bypass existing security measures and cause harm. Imagine that a cybercriminal infiltrates a software development company and leaves some code that allows them to carry out attacks. This becomes a backdoor that the cybercriminal could use to hack into the application, the device it’s running on, and even the organization’s and customers’ networks and systems.
- Botnet is a type of payload that joins a computer, server, or another device to a network of similarly infected devices that can be controlled remotely to carry out some nefarious action. A common application of botnet malware is crypto-mining (often referred to as crypto-mining malware). In this case, the malware connects a device to a botnet that consumes the device’s computing power to mine or generate cryptocurrencies. A user might notice their computer is running slower than normal and getting worse by the day.
Describe basic mitigation strategies
You’ve learned that there are many different types of cyberattack. But how do you defend your organization against cybercriminals? There are several different ways that you can keep cyberattackers at bay, from multifactor authentication to improved browser security, and by informing and educating users.
What is a mitigation strategy?
A mitigation strategy is a measure or collection of steps that an organization takes to prevent or defend against a cyberattack. This is usually done by implementing technological and organizational policies and processes designed to protect against attacks. Here are some of the many different mitigation strategies available to an organization:
Multifactor authentication
Traditionally, if someone’s password or username is compromised, this allows a cybercriminal to gain control of the account. But multifactor authentication was introduced to combat this.
Multifactor authentication works by requiring a user to provide multiple forms of identification to verify that they are who they claim to be. The most common form of identification used to verify or authenticate a user is a password. This represents something the user knows.
Two other authentication methods provide something the user is, such as a fingerprint or retinal scan (a biometric form of authentication), or provide something the user has, such as a phone, hardware key, or other trusted device. Multifactor authentication employs two or more of these forms of proof to verify a valid user.
For example, a bank might require a user to provide security codes sent to their mobile device, in addition to their username and password, to access their online account.
Browser security
We all rely on browsers to access the internet to work and carry out our daily tasks. As you’ve learned earlier, attackers can compromise poorly secured browsers. A user might download a malicious file or install a malicious add-on that can compromise the browser and the device, and even propagate itself into an organization’s systems. Organizations can protect against these types of attacks by implementing security policies that:
- Prevent the installation of unauthorized browser extensions or add-ons.
- Only allow permitted browsers to be installed on devices.
- Block certain sites using web content filters.
- Keep browsers up to date.
Educate users
Social engineering attacks rely on the vulnerabilities of humans to cause harm. Organizations can defend against social engineering attacks by educating their staff. Users should learn how to recognize malicious content they receive or encounter, and know what to do when they spot something suspicious. For example, organizations can teach users to:
- Identify suspicious elements in a message.
- Never respond to external requests for personal information.
- Lock devices when they’re not in use.
- Only store, share and remove data according to the organization’s policies.
Threat intelligence
The threat landscape can be vast. Organizations might have many attack vectors that are all possible targets for cybercriminals. This means that organizations need to take as many measures as possible to monitor for, prevent, and defend against attacks, and even identify possible vulnerabilities before cybercriminals use them to carry out attacks. In short, they need to use threat intelligence.
Threat intelligence enables an organization to collect systems information, details about vulnerabilities, information on attacks, and more. Based on its understanding of this information, the organization can then implement policies for security, devices, user access, and more, to defend against cyberattacks. This collection of information to gain insights into, and respond to, cyberattacks is what is known as threat intelligence.
Organizations can use technological solutions to implement threat intelligence across their systems. These are often threat intelligence solutions that can automatically collect information, and even hunt for and respond to attacks and vulnerabilities.
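One concrete thing such a solution does is match indicators of compromise from threat intelligence feeds (known malicious domains, IP ranges and file hashes) against the organization's own logs. The following is an added example, not part of the module or of any vendor's product: it indexes a constructed indicator feed and runs it over a constructed proxy log. The feed entries use reserved documentation addresses and .invalid names and are not real indicators, and the log format and field names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed indicator feed: (indicator, type, context). Documentation ranges and
# .invalid names only; none of these are real indicators of compromise.
FEED = [
    ("evil-updates.invalid", "domain", "constructed feed A: phishing kit hosting"),
    ("203.0.113.0/24", "ipnet", "constructed feed B: scanning infrastructure"),
    ("198.51.100.77", "ip", "constructed feed A: command-and-control"),
    ("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "sha256",
     "constructed feed C: dropper"),
]

# Constructed proxy log, one connection per line; the layout is invented for this example.
PROXY_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dst=192.0.2.10 host=intranet.corp.example sha256=-
2024-05-01T10:00:07 src=10.0.0.8 dst=192.0.2.44 host=cdn.evil-updates.invalid sha256=-
2024-05-01T10:00:09 src=10.0.0.5 dst=203.0.113.9 host=- sha256=-
2024-05-01T10:00:15 src=10.0.0.12 dst=192.0.2.80 host=files.corp.example sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2024-05-01T10:00:20 src=10.0.0.3 dst=192.0.2.10 host=notevil-updates.invalid sha256=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) sha256=(?P<sha256>\S+)$"
)


def load_indicators(feed):
    """Index the feed by indicator type so each log event needs only cheap lookups."""
    domains, nets, hashes = {}, [], {}
    for value, kind, context in feed:
        if kind == "domain":
            domains[value.lower().rstrip(".")] = context
        elif kind in ("ip", "ipnet"):
            nets.append((ipaddress.ip_network(value, strict=False), context))
        elif kind in ("md5", "sha1", "sha256"):
            hashes[value.lower()] = context
        else:
            raise ValueError(f"unknown indicator type: {kind}")
    return domains, nets, hashes


def domain_match(host, domains):
    """Match the host itself or any parent domain (cdn.evil-updates.invalid hits
    evil-updates.invalid), but never a lookalike such as notevil-updates.invalid."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_events(lines, feed):
    """Return one hit per (event, indicator) pair found in the log lines."""
    domains, nets, hashes = load_indicators(feed)
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["host"] != "-":
            d = domain_match(ev["host"], domains)
            if d:
                hits.append({"ts": ev["ts"], "src": ev["src"], "indicator": d, "context": domains[d]})
        try:
            dst = ipaddress.ip_address(ev["dst"])
        except ValueError:
            dst = None
        if dst is not None:
            for net, context in nets:
                if dst in net:
                    hits.append({"ts": ev["ts"], "src": ev["src"], "indicator": str(net), "context": context})
                    break
        digest = ev["sha256"].lower()
        if digest in hashes:
            hits.append({"ts": ev["ts"], "src": ev["src"], "indicator": digest, "context": hashes[digest]})
    return hits


if __name__ == "__main__":
    for hit in match_events(PROXY_LOG.splitlines(), FEED):
        print(hit)
```

On the constructed data this produces three hits (a subdomain of a listed domain, a destination inside a listed range, and a listed file hash) and correctly ignores the lookalike name. Matching is the mechanical part; what makes this threat intelligence rather than a blocklist is the context carried with each indicator, which tells the responder what the hit means and how urgently to act, and the need to expire indicators as feeds age.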
These are just some of the mitigation strategies that organizations can take to protect against cyberattacks. Mitigation strategies enable an organization to take a robust approach to cybersecurity. This will ultimately protect the confidentiality, integrity, and availability of information.