
Chapter 1: The Need for Cybersecurity

This chapter explains what cybersecurity is and why the demand for cybersecurity professionals is growing. It
explains what your online identity and data are, where they are kept, and why they are of interest to cyber criminals.

This chapter also discusses what organizational data is, and why it must be protected. It discusses who the cyber
attackers are and what they want. Cybersecurity professionals must have the same skills as the cyber attackers, but
cybersecurity professionals must work within the bounds of the local, national and international law. Cybersecurity
professionals must also use their skills ethically.

Also included in this chapter is content that briefly explains cyber warfare and why nations and governments need
cybersecurity professionals to help protect their citizens and infrastructure.

What is Cybersecurity?

The connected electronic information network has become an integral part of our daily lives. All types of
organizations, such as medical, financial, and education institutions, use this network to operate effectively. They
utilize the network by collecting, processing, storing, and sharing vast amounts of digital information. As more digital
information is gathered and shared, the protection of this information is becoming even more vital to our national
security and economic stability.

Cybersecurity is the ongoing effort to protect these networked systems and all of the data from unauthorized use or
harm. On a personal level, you need to safeguard your identity, your data, and your computing devices. At the
corporate level, it is everyone’s responsibility to protect the organization’s reputation, data, and customers. At the
state level, national security, and the safety and well-being of the citizens are at stake.

Your Online and Offline Identity

As more time is spent online, your identity, both online and offline, can affect your life. Your offline identity is the
person who your friends and family interact with on a daily basis at home, at school, or work. They know your
personal information, such as your name, age, or where you live. Your online identity is who you are in cyberspace.
Your online identity is how you present yourself to others online. This online identity should only reveal a limited
amount of information about you.

You should take care when choosing a username or alias for your online identity. The username should not include
any personal information. It should be something appropriate and respectful. This username should not lead
strangers to think you are an easy target for cybercrimes or unwanted attention.

Your Data

Any information about you can be considered to be your data. This personal information can uniquely identify you as
an individual. This data includes the pictures and messages that you exchange with your family and friends online.
Other information, such as your name, social security number, date and place of birth, or mother's maiden name, is known
by you and used to identify you. Information such as medical, educational, financial, and employment information,
can also be used to identify you online.

Medical Records

Every time you go to the doctor’s office, more information is added to your electronic health records (EHRs). The
prescription from your family doctor becomes part of your EHR. Your EHR includes your physical health, mental
health, and other personal information that may not be medically-related. For example, if you had counseling as a
child when there were major changes in the family, this will be somewhere in your medical records. Besides your
medical history and personal information, the EHR may also include information about your family.
Medical devices, such as fitness bands, use cloud platforms to enable wireless transfer, storage and display of
clinical data like heart rate, blood pressure and blood sugar. These devices can generate an enormous amount of
clinical data that could become part of your medical records.

Education Records

As you progress through your education, information about your grades and test scores, your attendance, courses
taken, awards and degrees awarded, and any disciplinary reports may be in your education record. This record may
also include contact information, health and immunization records, and special education records including
individualized education programs (IEPs).

Employment and Financial Records

Your financial record may include information about your income and expenditures. Tax records could include
paycheck stubs, credit card statements, your credit rating and other banking information. Your employment
information can include your past employment and your performance.

Where is Your Data?

All of this information is about you. There are different laws that protect your privacy and data in your country. But do
you know where your data is?

When you are at the doctor’s office, the conversation you have with the doctor is recorded in your medical chart. For
billing purposes, this information may be shared with the insurance company to ensure appropriate billing and quality.
Now, a part of your medical record for the visit is also at the insurance company.

Store loyalty cards may be a convenient way to save money on your purchases. However, the store is compiling a
profile of your purchases and using that information for its own use. The profile shows a buyer purchases a certain
brand and flavor of toothpaste regularly. The store uses this information to target the buyer with special offers from
the marketing partner. By using the loyalty card, the store and the marketing partner have a profile for the purchasing
behavior of a customer.

When you share your pictures online with your friends, do you know who may have a copy of the pictures? Copies of
the pictures are on your own devices. Your friends may have copies of those pictures downloaded onto their devices.
If the pictures are shared publicly, strangers may have copies of them, too. They could download those pictures or
take screenshots of those pictures. Because the pictures were posted online, they are also saved on servers located
in different parts of the world. Now the pictures are no longer only found on your computing devices.

Your Computing Devices

Your computing devices do not just store your data. Now these devices have become the portal to your data and
generate information about you.

Unless you have chosen to receive paper statements for all of your accounts, you use your computing devices to
access the data. If you want a digital copy of the most recent credit card statement, you use your computing devices
to access the website of the credit card issuer. If you want to pay your credit card bill online, you access the website
of your bank to transfer the funds using your computing devices. Besides allowing you to access your information, the
computing devices can also generate information about you.

With all this information about you available online, your personal data has become profitable to hackers.

They Want Your Money

If you have anything of value, the criminals want it.

Your online credentials are valuable. These credentials give the thieves access to your accounts. You may think the
frequent flyer miles you have earned are not valuable to cybercriminals. Think again. After approximately 10,000
American Airlines and United accounts were hacked, cybercriminals booked free flights and upgrades using these
stolen credentials. Even though the frequent flyer miles were returned to the customers by the airlines, this
demonstrates the value of login credentials. A criminal could also take advantage of your relationships. They could
access your online accounts and your reputation to trick you into wiring money to your friends or family. The criminal
can send messages stating that your family or friends need you to wire them money so they can get home from
abroad after losing their wallets.

The criminals are very imaginative when they are trying to trick you into giving them money. They do not just steal
your money; they could also steal your identity and ruin your life.

They Want Your Identity

Besides stealing your money for a short-term monetary gain, the criminals want long-term profits by stealing your
identity.

As medical costs rise, medical identity theft is also on the rise. The identity thieves can steal your medical insurance
and use your medical benefits for themselves, and these medical procedures are now in your medical records.

The annual tax filing procedures may vary from country to country; however, cybercriminals see this time as an
opportunity. For example, the people of the United States need to file their taxes by April 15 of each year. The
Internal Revenue Service (IRS) does not check the tax return against the information from the employer until July. An
identity thief can file a fake tax return and collect the refund. The legitimate filers will notice when their returns are
rejected by the IRS. With the stolen identity, the thieves can also open credit card accounts and run up debts in your name. This
will cause damage to your credit rating and make it more difficult for you to obtain loans.

Personal credentials can also lead to corporate data and government data access.

Types of Organizational Data

Traditional Data

Corporate data includes personnel information, intellectual properties, and financial data. The personnel information
includes application materials, payroll, offer letters, employee agreements, and any information used in making
employment decisions. Intellectual property, such as patents, trademarks and new product plans, allows a business
to gain economic advantage over its competitors. This intellectual property can be considered a trade secret; losing
this information can be disastrous for the future of the company. The financial data, such as income statements,
balance sheets, and cash flow statements of a company gives insight into the health of the company.

Internet of Things and Big Data

With the emergence of the Internet of Things (IoT), there is a lot more data to manage and secure. IoT is a large
network of physical objects, such as sensors and equipment that extend beyond the traditional computer network. All
these connections, plus the fact that we have expanded storage capacity and storage services through the cloud and
virtualization, lead to the exponential growth of data. This data has created a new area of interest in technology and
business called “Big Data". With the velocity, volume, and variety of data generated by the IoT and the daily
operations of business, the confidentiality, integrity and availability of this data is vital to the survival of the
organization.

Confidentiality, Integrity, and Availability

Confidentiality, integrity and availability, known as the CIA triad (Figure 1), is a guideline for information security for
an organization. Confidentiality ensures the privacy of data by restricting access through authentication and
encryption. Integrity assures that the information is accurate and trustworthy. Availability ensures that the information
is accessible to authorized people when they need it.

Confidentiality

Another term for confidentiality would be privacy. Company policies should restrict access to information to
authorized personnel and ensure that only those authorized individuals view this data. The data may be
compartmentalized according to the security or sensitivity level of the information. For example, a Java program
developer should not have access to the personal information of all employees. Furthermore, employees should
receive training to understand the best practices in safeguarding sensitive information to protect themselves and the
company from attacks. Methods to ensure confidentiality include data encryption, username and password,
two-factor authentication, and minimizing exposure of sensitive information.

Integrity

Integrity is the accuracy, consistency, and trustworthiness of the data during its entire life cycle. Data must be
unaltered during transit and not changed by unauthorized entities. File permissions and user access control can
prevent unauthorized modification. Version control can be used to detect and undo accidental changes by authorized
users. Backups must be available to restore any corrupted data, and cryptographic hashes can be used to verify the
integrity of the data during transfer.

A checksum is used to verify the integrity of files, or strings of characters, after they have been transferred from one
device to another across your local network or the Internet. Checksums are calculated with hash functions. Some of
the common hash functions are MD5, SHA-1, SHA-256, and SHA-512. MD5 and SHA-1 still detect accidental
corruption, but practical collision attacks exist for both, so an attacker can produce two different files with the same
digest; where tampering is the concern, use SHA-256 or SHA-512. A hash function uses a mathematical algorithm to
transform the data into a fixed-length value that represents the data, as shown in Figure 2. The hashed value is simply
there for comparison. From the hashed value, the original data cannot be retrieved directly. For example, if you forgot
your password, your password cannot be recovered from the hashed value. The password must be reset. For this
reason, systems should store only a hash of each password, and that hash should be salted and deliberately slow to
compute, so a stolen database cannot be turned back into passwords by brute-force guessing.

After a file is downloaded, you can verify its integrity by comparing the hash value published by the source with the
one you generate using any hash calculator. If the two values match, the file has not been corrupted or altered during
the transfer. This only proves something if the published hash came over a channel the attacker cannot rewrite, such
as the vendor's HTTPS download page or a signed release manifest; a hash served next to the file on the same
compromised mirror can be replaced along with the file.
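The download check described above, as an added example (not code from the original notes): it streams the file through SHA-256, refuses the collision-broken algorithms, and compares the result with the published digest in constant time. It is the same check the SYNful Knock discussion in Chapter 2 recommends for router images. The file contents and the "published" digest are constructed inside the block so it runs offline; the chunk size and the algorithm allow-list are assumptions for this example.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithms accepted for tamper detection. MD5 and SHA-1 are deliberately
# absent: practical collision attacks exist for both.
TRUSTED_ALGORITHMS = {"sha256", "sha512"}


def data_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so a multi-gigabyte download never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_digest: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the one published by the source.

    'published_digest' must have been obtained over a channel the attacker
    cannot rewrite (the vendor's HTTPS page, a signed manifest); a digest read
    from the same mirror as the file proves nothing about tampering.
    """
    if algorithm not in TRUSTED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not collision resistant; use SHA-256 or SHA-512")
    actual = file_digest(path, algorithm)
    # Constant-time comparison: cheap insurance for code that tends to get
    # reused for secret values, even though a file digest is not itself secret.
    return hmac.compare_digest(actual.lower(), published_digest.strip().lower())


def demo() -> dict:
    """Constructed walk-through: verify a stand-in firmware image, then a copy
    with one byte changed, then show that the MD5 path is refused."""
    payload = b"IOS-IMAGE-STAND-IN\x00" * 4096   # constructed stand-in for a download
    published = data_digest(payload)              # what the vendor's page would list
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "image.bin")
        with open(good, "wb") as f:
            f.write(payload)
        tampered = os.path.join(workdir, "image-tampered.bin")
        with open(tampered, "wb") as f:
            f.write(payload[:1000] + b"\x01" + payload[1001:])  # one byte changed
        try:
            verify_download(good, published, algorithm="md5")
            md5_refused = False
        except ValueError:
            md5_refused = True
        return {
            "genuine_verifies": verify_download(good, published),
            "tampered_verifies": verify_download(tampered, published),
            "md5_refused": md5_refused,
        }


if __name__ == "__main__":
    print(demo())
```

A single changed byte anywhere in the file produces a completely different digest, so the comparison either matches exactly or fails; there is no "almost matches" case to interpret.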

Availability

Maintaining equipment, performing hardware repairs, keeping operating systems and software up to date, and
creating backups ensure the availability of the network and data to the authorized users. Plans should be in place to
recover quickly from natural or man-made disasters. Security equipment or software, such as firewalls, guard against
downtime due to attacks such as denial of service (DoS). Denial of service occurs when an attacker attempts to
overwhelm resources, so the services are not available to the users.

The Consequences of a Security Breach

To protect an organization from every possible cyberattack is not feasible, for a few reasons. The expertise
necessary to set up and maintain a secure network is expensive. Attackers will always continue to find new
ways to target networks. Eventually, an advanced and targeted cyberattack will succeed. The priority will then be how
quickly your security team can detect and respond to the attack to minimize the loss of data, downtime, and revenue.

By now you know that anything posted online can live online forever, even if you were able to erase all the copies in
your possession. If your servers were hacked, the confidential personnel information could be made public. A hacker
(or hacking group) may vandalize the company website by posting untrue information and ruin the company’s
reputation that took years to build. The hackers can also take down the company website causing the company to
lose revenue. If the website is down for longer periods of time, the company may appear unreliable and possibly lose
credibility. If the company website or network has been breached, this could lead to leaked confidential documents,
revealed trade secrets, and stolen intellectual property. The loss of all this information may impede company growth
and expansion.

The monetary cost of a breach is much higher than just replacing any lost or stolen devices, investing in additional
security and strengthening the building's physical security. The company may be responsible for contacting all the
affected customers about the breach and may have to be prepared for litigation. With all this turmoil, employees may
choose to leave the company. The company may need to focus less on growing and more on repairing its reputation.

Security Breach Example 1

The online password manager, LastPass, detected unusual activity on its network in July 2015. It turned out that
hackers had stolen user email addresses, password reminders, and authentication hashes. Fortunately for the users,
the hackers were unable to obtain anyone’s encrypted password vaults.

Even though there was a security breach, LastPass could still safeguard the users’ account information. LastPass
requires email verification or multi-factor authentication whenever there is a new login from an unknown device or IP
address. The hackers would also need the master password to access the account.

LastPass users also have some responsibility in safeguarding their own accounts. The users should always use
long, unique master passwords and change the master password if there is any sign it has been exposed. The users
should always beware of phishing attacks. An example of a phishing attack would be an attacker sending fake emails
claiming to be from LastPass. The emails ask the users to click an embedded link and change the password. The link
in the email goes to a fraudulent copy of the website that steals the master password. Rather than clicking embedded
links in an email, users should type the address or use a bookmark. The users should also be careful with their
password reminder. The password reminder should not give away the password. Most importantly, the users should
enable multi-factor authentication for any website that offers it.

If the users and service providers both utilize the proper tools and procedures to safeguard the users’ information, the
users’ data could still be protected, even in the event of security breach.

Security Breach Example 3

Equifax Inc. is one of the nationwide consumer credit reporting agencies in the United States. This company collects
information on millions of individual customers and businesses worldwide. Based on the collected information, credit
scores and credit reports are created about the customers. This information could affect the customers when they
apply for loans and when they are looking for employment.

In September 2017, Equifax publicly announced a data breach event. The attackers exploited a vulnerability in the
Apache Struts web application software. The company believes that millions of U.S. consumers' sensitive personal
data were accessed by the cyber criminals between May and July of 2017. The personal data includes the
customers' full names, Social Security numbers, birth dates, addresses and other personally identifiable information.
There is evidence that the breach may have also affected customers in the United Kingdom and Canada.

Equifax established a dedicated web site that allows consumers to determine if their information was
compromised, and to sign up for credit monitoring and identity theft protection. Because the site used a new domain
name instead of a subdomain of equifax.com, nefarious parties could register look-alike domains and create
unauthorized websites with similar names. These websites can be used as part of a phishing scheme to trick you into
providing personal information. Furthermore, an Equifax employee posted an incorrect web link on social media for
worried customers. Fortunately, that site was taken down within 24 hours. It had been created by an individual who
used it as an educational opportunity to expose the weaknesses in Equifax's response page.

As a concerned consumer, you may want to quickly verify if your information was compromised, so you can minimize
the impact. In a time of crisis, you may be tricked into using unauthorized websites. You should be cautious about
providing personal information so you do not become a victim again. Furthermore, companies are responsible for
keeping our information safe from unauthorized access. Companies need to regularly patch and update their software
to mitigate exploitation of known vulnerabilities. Their employees should be educated and informed about the
procedures to safeguard the information and what to do in the event of a breach.

Unfortunately, the real victims of this breach are the individuals whose data may have been compromised. In this
case, Equifax has the burden of protecting the collected consumer data while conducting credit checks because the
customers did not choose to use the services provided by Equifax. The consumer has to trust the company to
safeguard the collected information. Furthermore, the attackers can use this data to assume your identity, and it is
very difficult to prove otherwise because both the attacker and the victim know the same information. In these
situations, the most you can do is be vigilant when you are providing personally identifiable information over the
Internet. Check your credit reports regularly (once per month or once per quarter). Immediately report any false
information, such as applications for credit that you did not initiate, or purchases on your credit cards that you did not
make.

Types of Attackers

Attackers are individuals or groups who attempt to exploit vulnerabilities for personal or financial gain. Attackers are
interested in everything, from credit cards to product designs and anything with value.

Amateurs – These people are sometimes called Script Kiddies. They are usually attackers with little or no skill, often
using existing tools or instructions found on the Internet to launch attacks. Some of them are just curious, while others
are trying to demonstrate their skills and cause harm. They may be using basic tools, but the results can still be
devastating.

Hackers – This group of attackers breaks into computers or networks to gain access. Depending on the intent of the
break-in, these attackers are classified as white, gray, or black hats. The white hat attackers break into networks or
computer systems to discover weaknesses so that the security of these systems can be improved. These break-ins
are done with prior permission and any results are reported back to the owner. On the other hand, black hat attackers
take advantage of any vulnerability for illegal personal, financial or political gain. Gray hat attackers are somewhere
between white and black hat attackers. The gray hat attackers may find a vulnerability in a system without permission.
Gray hat hackers may report the vulnerability to the owners of the system if that action coincides with their agenda.
Some gray hat hackers publish the facts about the vulnerability on the Internet so that other attackers can exploit it.

The figure gives details about the terms white hat hacker, black hat hacker, and gray hat hacker.

Organized Hackers – These hackers include organizations of cyber criminals, hacktivists, terrorists, and state-
sponsored hackers. Cyber criminals are usually groups of professional criminals focused on control, power, and
wealth. The criminals are highly sophisticated and organized, and they may even provide cybercrime as a service to
other criminals. Hacktivists make political statements to create awareness to issues that are important to them. State-
sponsored attackers gather intelligence or commit sabotage on behalf of their government. These attackers are
usually highly trained and well-funded, and their attacks are focused on specific goals that are beneficial to their
government.

Chapter 2: Attacks, Concepts and Techniques

This chapter covers the ways that cybersecurity professionals analyze what has happened after a cyberattack. It
explains software and hardware security vulnerabilities and the different categories of security vulnerabilities.

The different types of malicious software (known as malware) and the symptoms of malware are discussed. The
different ways that attackers can infiltrate a system are covered, as well as denial of service attacks.

Most modern cyberattacks are considered to be blended attacks. Blended attacks use multiple techniques to infiltrate
and attack a system. When an attack cannot be prevented, it is the job of a cybersecurity professional to reduce the
impact of that attack.

Finding Security Vulnerabilities

A security vulnerability is a software or hardware defect that an attacker can use
to violate a security property of the system, such as the confidentiality of its
data or the privilege boundary between users. After gaining knowledge of a
vulnerability, malicious users attempt to exploit it. An exploit is the term used to
describe a program written to take advantage of a known vulnerability. The act of
using an exploit against a vulnerability is referred to as an attack. The goal of the
attack is to gain access to a system, the data it hosts or to a specific resource.

Software vulnerabilities

Software vulnerabilities are usually introduced by errors in the operating system
or application code. Despite all the effort companies put into finding and patching
software vulnerabilities, it is common for new vulnerabilities to surface.
Microsoft, Apple, and other operating system producers release patches and
updates frequently. Application updates are also common. Applications
such as web browsers, mobile apps and web servers are often updated by the
companies or organizations responsible for them.

In 2015, a router implant called SYNful Knock was discovered on enterprise-grade
Cisco IOS routers, such as the legacy Cisco 1841, 2811, and 3825 models. The
attackers could then monitor all network communication and had the ability to
infect other network devices. SYNful Knock was not a bug in IOS itself: it was an
altered IOS image that the attackers installed on routers where they already held
administrative credentials or physical access. To avoid this, always verify the
integrity of a downloaded IOS image against the hash Cisco publishes for it, use
strong and unique administrative credentials, and limit physical access to the
equipment to authorized personnel only.
The goal of software updates is to stay current and avoid exploitation of
vulnerabilities. While some companies have penetration testing teams dedicated
to searching for and patching software vulnerabilities before they can be exploited,
third party security researchers also specialize in finding vulnerabilities in
software.

Google's Project Zero is a great example of such practice. After discovering a
number of vulnerabilities in various software used by end-users, Google formed a
permanent team dedicated to finding software vulnerabilities. Project Zero
publishes its findings, normally 90 days after reporting them to the affected
vendor.

Hardware vulnerabilities

Hardware vulnerabilities are often introduced by hardware design flaws. DRAM,
for example, stores each bit as charge in a tiny capacitor, and the capacitors are
packed very close to one another. It was discovered that, because of this
proximity, repeatedly accessing the same row of memory cells disturbs the charge
in neighboring rows and can flip bits there. Based on that design flaw, an attack
called Rowhammer was created. By repeatedly reading the same memory rows, the
Rowhammer attack flips bits in nearby rows that the attacking process has no
permission to write, which has been used to corrupt page tables and escalate
privileges.

Hardware vulnerabilities are specific to device models and are not generally
exploited through random compromising attempts. While hardware exploits are
more common in highly targeted attacks, traditional malware protection and
physical security are sufficient protection for the everyday user.

Categorizing Security Vulnerabilities

Most software security vulnerabilities fall into one of the following
categories:

Buffer overflow – This vulnerability occurs when data is written beyond
the limits of a buffer. Buffers are memory areas allocated to an
application. By writing data beyond the boundaries of a buffer, the
program overwrites adjacent memory that belongs to the same process,
such as other variables, heap metadata, or the saved return address of a
function. This can lead to a crash, data compromise, or escalation of
privileges when the attacker controls what gets overwritten.

Non-validated input – Programs often work with data input. This data
coming into the program could have malicious content, designed to
force the program to behave in an unintended way. Consider a program
that receives an image for processing. A malicious user could craft an
image file with invalid image dimensions. The maliciously crafted
dimensions could force the program to allocate buffers of incorrect and
unexpected sizes, for example when width times height overflows the
integer used to compute the buffer size, leaving a buffer far smaller than
the pixel data that is then written into it.

Race conditions – This vulnerability is when the outcome of an operation
depends on the order or timing of events that the program does not
control. A race condition becomes a source of vulnerability when an
attacker can change something between the moment the program checks a
condition and the moment it acts on that check, so that the required
ordering no longer holds.

Weaknesses in security practices – Systems and sensitive data can be
protected through techniques such as authentication, authorization,
and encryption. Developers should not attempt to create their own
security algorithms because doing so will likely introduce vulnerabilities.
It is strongly advised that developers use security libraries that have
already been created, tested, and verified.

Access-control problems – Access control is the process of controlling
who does what and ranges from managing physical access to
equipment to dictating who has access to a resource, such as a file, and
what they can do with it, such as read or change the file. Many security
vulnerabilities are created by the improper use of access controls.
Nearly all access controls and security practices can be overcome if the
attacker has physical access to target equipment. For example, no
matter what you set a file's permissions to, the operating system
cannot prevent someone from bypassing the operating system and
reading the data directly off the disk. To protect the machine and the
data it contains, physical access must be restricted and encryption
techniques must be used to protect data from being stolen or
corrupted.
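The image-dimension case from the non-validated input entry above, worked through as an added example (this is not code from the original notes; the twelve-byte header layout, the size limits and the sample files are all constructed for illustration). The naive parser trusts the header and sizes its buffer with 32-bit arithmetic, emulated here by masking the product to 32 bits, so a crafted width and height wrap the size to zero and the copy that follows would run past the allocation, which is exactly the buffer overflow described two entries up. The checked parser bounds every field before doing arithmetic on it and refuses files whose declared and actual sizes disagree.

```python
import struct

# Constructed toy image format (not a real file format): a 12-byte little-endian
# header of three uint32 fields, width, height and bytes per pixel, followed by
# width * height * bytes_per_pixel bytes of pixel data.
HEADER = struct.Struct("<III")

# Policy limits for the checked parser; assumed values chosen for this example.
MAX_DIMENSION = 16_384                  # largest width or height accepted
MAX_PIXEL_BYTES = 256 * 1024 * 1024     # largest decoded buffer accepted
UINT32_MAX = 0xFFFFFFFF


def unchecked_buffer_size(width, height, bytes_per_pixel):
    """Buffer size a naive native decoder computes: width * height * bpp held in
    a uint32, so the product silently wraps modulo 2**32 (emulated by the mask)."""
    return (width * height * bytes_per_pixel) & UINT32_MAX


def parse_image_unchecked(blob):
    """The vulnerable pattern: trust the header, allocate, copy what follows.

    Returns a report instead of crashing: 'overflow_bytes' is how far past the
    allocated buffer the copy would write in the native code being emulated.
    """
    width, height, bpp = HEADER.unpack_from(blob, 0)
    allocated = unchecked_buffer_size(width, height, bpp)
    pixels = blob[HEADER.size:]
    # Native equivalent: buf = malloc(allocated); memcpy(buf, pixels, len(pixels));
    # when 'allocated' wrapped to a small value this is a heap buffer overflow.
    return {
        "allocated": allocated,
        "copied": len(pixels),
        "overflow_bytes": max(0, len(pixels) - allocated),
    }


class InvalidImage(ValueError):
    """Raised by the checked parser for any input it will not act on."""


def parse_image_checked(blob):
    """Validate every field before using it for allocation or copying."""
    if len(blob) < HEADER.size:
        raise InvalidImage("truncated header")
    width, height, bpp = HEADER.unpack_from(blob, 0)
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise InvalidImage(f"dimensions {width}x{height} out of range")
    if bpp not in (1, 3, 4):
        raise InvalidImage(f"unsupported bytes per pixel: {bpp}")
    # Both factors are now bounded (at most 2**30 in total), so the product
    # cannot wrap a uint32 in a native decoder; the cap also bounds memory use.
    expected = width * height * bpp
    if expected > MAX_PIXEL_BYTES:
        raise InvalidImage(f"decoded image of {expected} bytes exceeds limit")
    pixels = blob[HEADER.size:]
    if len(pixels) != expected:
        raise InvalidImage(f"expected {expected} pixel bytes, got {len(pixels)}")
    return width, height, bpp, pixels


def is_valid_image(blob):
    """Boolean wrapper so callers can reject without handling the exception."""
    try:
        parse_image_checked(blob)
        return True
    except InvalidImage:
        return False


# Constructed inputs: a benign 2x2 RGB image, and a crafted header whose
# 65536 * 65536 * 1 product is exactly 2**32, wrapping the uint32 size to 0.
BENIGN_IMAGE = HEADER.pack(2, 2, 3) + bytes(range(12))
CRAFTED_IMAGE = HEADER.pack(65_536, 65_536, 1) + b"\xff" * 64

if __name__ == "__main__":
    print("unchecked:", parse_image_unchecked(CRAFTED_IMAGE))
    print("checked accepts benign:", is_valid_image(BENIGN_IMAGE))
    print("checked accepts crafted:", is_valid_image(CRAFTED_IMAGE))
```

The order of the checks matters: the range test on width and height comes before the multiplication, so the product is computed only from values already known to be small, and the length comparison at the end catches files that lie about their size in either direction.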

Types of Malware

Short for Malicious Software, malware is any code that can be used to steal data,
bypass access controls, or cause harm to, or compromise a system. Below are a
few common types of malware:

Spyware – This malware is designed to track and spy on the user. Spyware often
includes activity trackers, keystroke collection, and data capture. In an attempt to
overcome security measures, spyware often modifies security settings. Spyware
often bundles itself with legitimate software or with Trojan horses.

Adware – Advertising supported software is designed to automatically deliver
advertisements. Adware is often installed with some versions of software. Some
adware is designed to only deliver advertisements but it is also common for
adware to come with spyware.

Bot – From the word robot, a bot is malware designed to automatically perform
actions, usually online. While many bots are harmless, one increasing use of
malicious bots is botnets. Many computers are infected with bots which are
programmed to quietly wait for commands provided by the attacker.

Ransomware – This malware is designed to hold a computer system or the data it
contains captive until a payment is made. Ransomware usually works by
encrypting data in the computer with a key unknown to the user. Some other
versions of ransomware can take advantage of specific system vulnerabilities to
lock down the system. Ransomware is spread by a downloaded file or some
software vulnerability.

Scareware – This is a type of malware designed to persuade the user to take a
specific action based on fear. Scareware forges pop-up windows that resemble
operating system dialog windows. These windows convey forged messages
stating the system is at risk or needs the execution of a specific program to return
to normal operation. In reality, no problems were assessed or detected, and if the
user agrees and allows the mentioned program to execute, his or her system will
be infected with malware.

Rootkit – This malware is designed to modify the operating system to create a
backdoor. Attackers then use the backdoor to access the computer remotely.
Most rootkits take advantage of software vulnerabilities to perform privilege
escalation and modify system files. It is also common for rootkits to modify
system forensics and monitoring tools, making them very hard to detect. Often, a
computer infected by a rootkit must be wiped and reinstalled.

Virus - A virus is malicious executable code that is attached to other executable
files, often legitimate programs. Most viruses require end-user activation and can
activate at a specific time or date. Viruses can be harmless and simply display a
picture or they can be destructive, such as those that modify or delete data.
Viruses can also be programmed to mutate to avoid detection. Most viruses are
now spread by USB drives, optical disks, network shares, or email.

Trojan horse - A Trojan horse is malware that carries out malicious operations
under the guise of a desired operation. This malicious code runs with the
privileges of the user who launches it, so it can do anything that user can do.
Often, Trojans are disguised as image files, audio files or games. A Trojan
horse differs from a virus in that it does not attach itself to other
executable files or replicate on its own; it relies on the user choosing to run
what looks like a harmless, non-executable file.

Worms – Worms are malicious code that replicate themselves by independently
exploiting vulnerabilities in networks. Worms usually slow down networks.
Whereas a virus requires a host program to run, worms can run by themselves.
Other than the initial infection, they no longer require user participation.
After a host is infected, the worm is able to spread very quickly over the
network. Worms share similar patterns. They all have an enabling vulnerability,
a way to propagate themselves, and they all contain a payload.

Worms are responsible for some of the most devastating attacks on the Internet.
As shown in Figure 1, in 2001 the Code Red worm had infected 658 servers.
Within 19 hours, the worm had infected over 300,000 servers as shown in Figure
2.

Man-In-The-Middle (MitM) – A MitM attack places the attacker between a device
and the destination it is communicating with, without the user's knowledge.
From that position, the attacker can intercept and capture user information
before relaying it to its intended destination. MitM attacks are widely used to
steal financial information. Many malware families and techniques exist to
provide attackers with MitM capabilities.

Man-In-The-Mobile (MitMo) – A variation of man-in-the-middle, MitMo is a type of
attack used to take control over a mobile device. When infected, the mobile
device can be instructed to exfiltrate user-sensitive information and send it to
the attackers. The ZeuS banking malware, through its mobile component (often
called ZitMo), is an example with MitMo capabilities: it allows attackers to
quietly capture the 2-step verification SMS messages sent to users.

Symptoms of Malware

Regardless of the type of malware a system has been infected with, these are
common malware symptoms:

• There is an increase in CPU usage.
• There is a decrease in computer speed.
• The computer freezes or crashes often.
• There is a decrease in Web browsing speed.
• There are unexplainable problems with network connections.
• Files are modified.
• Files are deleted.
• There is a presence of unknown files, programs, or desktop icons.
• There are unknown processes running.
• Programs are turning off or reconfiguring themselves.
• Email is being sent without the user's knowledge or consent.


Social Engineering

Social engineering is an access attack that attempts to manipulate individuals
into performing actions or divulging confidential information. Social engineers
often rely on people's willingness to be helpful but also prey on people's
weaknesses. For example, an attacker could call an authorized employee with an
urgent problem that requires immediate network access. The attacker could appeal
to the employee's vanity, invoke authority using name-dropping techniques, or
appeal to the employee's greed.

These are some types of social engineering attacks:

• Pretexting - This is when an attacker calls an individual and lies to them in
an attempt to gain access to privileged data. An example involves an attacker
who pretends to need personal or financial data in order to confirm the
identity of the recipient.

• Tailgating - This is when an attacker quickly follows an authorized person
into a secure location.

• Something for Something (Quid pro quo) - This is when an attacker requests
personal information from a party in exchange for something, like a free gift.

Wi-Fi Password Cracking

Wi-Fi password cracking is the process of discovering the password used to
protect a wireless network. These are some techniques used in password
cracking:
Social engineering – The attacker manipulates a person who knows the password
into providing it.
Brute-force attacks – The attacker tries many possible passwords in an attempt
to guess the right one. If the password is a 4-digit number, for example, the
attacker would have to try at most every one of the 10,000 combinations. In
practice, cracking tools usually start from a word-list file: a text file
containing words taken from a dictionary, often extended with common variations
such as appended digits or changed capitalization. A program then tries each
word and combination. Because brute-force attacks take time, long and complex
passwords take much longer to guess; for WPA2 networks the cost per guess is
deliberately high, since each candidate passphrase has to go through 4096
rounds of PBKDF2 before it can be checked. A few password cracking tools include
Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa. Note that they target
different things: Ophcrack, L0phtCrack and RainbowCrack work against stored
password hashes (often with precomputed rainbow tables), while THC Hydra and
Medusa brute-force network logins; wireless-specific tools such as aircrack-ng
crack a captured WPA handshake offline.
Network sniffing – By listening to and capturing packets sent on the network,
an attacker may be able to discover the password if it is being sent
unencrypted (in plain text). If only a hash or a WPA handshake is captured, the
attacker may still be able to recover the password offline with a password
cracking tool.
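
The following script is an added example and is not part of the course
material. It shows what "brute-force" and "word list" mean for a WPA2 network
in working code: WPA2-Personal derives the Pairwise Master Key (PMK) from the
passphrase with PBKDF2-HMAC-SHA1 (4096 rounds, salted with the SSID), so an
attacker who has captured a 4-way handshake can test candidate passphrases
offline against that derivation. The SSID, the "captured" key and the word list
are constructed; the mutation rules are a small assumption standing in for the
rule files real tools use.

```python
"""Dictionary and brute-force attack against a captured WPA2 pre-shared key.

Added example; it is not part of the original course material. The SSID, the
"captured" key and the word list are constructed here so that the script runs
offline. WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the
passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID; an
attacker who has captured the 4-way handshake can test candidate passphrases
offline against that derivation, which is exactly what the loops below do.
"""
import hashlib
import itertools
import string

SSID = "CoffeeShopGuest"      # constructed target network name
PBKDF2_ITERATIONS = 4096      # fixed by IEEE 802.11i
PMK_LEN = 32

# Constructed word list; real attacks use files with millions of entries.
WORDLIST = ["password", "sunshine", "coffee", "letmein", "welcome"]


def derive_pmk(passphrase: str, ssid: str = SSID) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def mutations(word: str):
    """Common variations that cracking tools apply to each dictionary word (assumed rule set)."""
    return [word, word.capitalize(), word + "123", word.capitalize() + "123",
            word + "!"]


def dictionary_attack(target_pmk: bytes, wordlist, ssid: str = SSID):
    """Try every word and mutation; return (passphrase, derivations) or (None, derivations)."""
    derivations = 0
    for word in wordlist:
        for candidate in mutations(word):
            if not 8 <= len(candidate) <= 63:   # WPA2 passphrase length limits
                continue
            derivations += 1
            if derive_pmk(candidate, ssid) == target_pmk:
                return candidate, derivations
    return None, derivations


def brute_force_suffix(target_pmk: bytes, prefix: str, alphabet: str = string.digits,
                       length: int = 4, ssid: str = SSID):
    """Exhaustively try prefix + every string of `length` symbols from `alphabet`.

    For four digits that is 10**4 = 10000 candidates in the worst case; each one
    costs a full 4096-round PBKDF2, which is why long, unpredictable passphrases
    push the attacker's cost up so sharply.
    """
    derivations = 0
    for combo in itertools.product(alphabet, repeat=length):
        candidate = prefix + "".join(combo)
        derivations += 1
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate, derivations
    return None, derivations


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    captured = derive_pmk("Sunshine123")          # stands in for a captured handshake
    print(dictionary_attack(captured, WORDLIST))  # ('Sunshine123', 9)
    print(brute_force_suffix(derive_pmk("Coffee0137"), "Coffee"))  # ('Coffee0137', 138)
    print(keyspace(10, 4), keyspace(62, 8))       # 10000 vs 218340105584896
```

The keyspace comparison at the end is the practical lesson: four digits are
10,000 guesses, eight mixed-case alphanumerics are over 2 x 10^14, and every
guess costs the same 4096 PBKDF2 rounds.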

Phishing
Phishing is when a malicious party sends a fraudulent email disguised as being
from a legitimate, trusted source. The message intent is to trick the recipient
into installing malware on their device, or into sharing personal or financial
information. An example of phishing is an email forged to look like it was sent
by a retail store asking the user to click a link to claim a prize. The link may
go to a fake site asking for personal information, or it may install malware.

Spear phishing is a highly targeted phishing attack. While phishing and spear
phishing both use emails to reach the victims, spear phishing emails are
customized to a specific person. The attacker researches the target’s interests
before sending the email. For example, an attacker learns the target is interested
in cars, and has been looking to buy a specific model of car. The attacker joins the
same car discussion forum where the target is a member, forges a car sale
offering and sends email to the target. The email contains a link for pictures of the
car. When the target clicks on the link, malware is installed on the target’s
computer.
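
The check below is an added example, not part of the course text. It
implements the point made above: the link the user sees and the place it
actually leads to are frequently not the same. The sample email is constructed,
and the sender's claimed domain is an assumption of the example; same_org() is
a deliberately crude "same organisation" test on the last two DNS labels, so a
real deployment would use a public-suffix list instead.

```python
"""Flag deceptive links in a phishing email.

Added example; not part of the original course text. The sample email below is
constructed, and the sender's claimed domain is an assumption of the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message: "prize" lure, IP-literal link, lookalike domain, one legitimate link.
SAMPLE_EMAIL = """
<p>Congratulations! Click
<a href="http://198.51.100.23/claim">https://www.example-store.com/prize</a>
to claim your prize.</p>
<p>Or sign in at <a href="https://example-store.com.login-verify.net/">our secure site</a>.</p>
<p><a href="https://www.example-store.com/unsubscribe">Unsubscribe</a></p>
"""
CLAIMED_SENDER_DOMAIN = "example-store.com"   # assumed: what the From: header claims

DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def same_org(host_a: str, host_b: str) -> bool:
    """Crude registrable-domain comparison on the last two labels (no public-suffix list)."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def suspicious_links(html: str, claimed_domain: str):
    """Return [(href, [reasons])] for links that look deceptive."""
    findings = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if not host:
            continue                                  # mailto:, anchors, relative links
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("raw IP address instead of a hostname")
        if "xn--" in host:
            reasons.append("punycode (IDN) hostname, possible homoglyph")
        if parsed.username:
            reasons.append("user@ prefix hides the real host")
        shown = DOMAIN_IN_TEXT.search(text)           # domain the user *sees*
        if shown and not same_org(shown.group(1), host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if not same_org(host, claimed_domain):
            reasons.append(f"host {host} is outside {claimed_domain}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, CLAIMED_SENDER_DOMAIN):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

On the constructed message the first two links are flagged (IP-literal host
with a displayed domain that does not match, and a subdomain of an unrelated
registrable domain), while the unsubscribe link on the real domain passes.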

Vulnerability Exploitation

Exploiting vulnerabilities is another common method of infiltration. Attackers
will scan computers to gain information about them. Below is a common method
for exploiting vulnerabilities:
Step 1. Gather information about the target system. This can be done in many
different ways, such as with a port scanner or through social engineering. The
goal is to learn as much as possible about the target computer.
Step 2. One of the pieces of relevant information learned in step 1 might be
the operating system, its version, and a list of services running on it.
Step 3. When the target's operating system and version are known, the attacker
looks for any known vulnerabilities specific to that version of the OS or of
the services it runs.
Step 4. When a vulnerability is found, the attacker looks for a previously
written exploit to use. If no exploit has been written, the attacker may
consider writing one.
Figure 1 portrays an attacker using whois, a public Internet database
containing information about domain names and their registrants. Figure 2
portrays an attacker using the nmap tool, a popular port scanner. With a port
scanner, an attacker can probe the ports of a target computer to learn which
services are running on it.
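The script below is an added example, not from the course and not a real
scanner; it walks steps 1 to 4 end to end. scan_ports() performs a TCP connect
scan and grabs the banner each open service announces (steps 1 and 2);
match_catalog() compares those banners with a vulnerability catalog (step 3) to
decide where an exploit would be worth looking for (step 4). The catalog, the
product name "ExampleSSH" and its advisory note are constructed placeholders,
and run_demo() starts a fake service on 127.0.0.1 so the whole flow works
offline. The whois lookup from Figure 1 needs network access and is left out.
Only scan systems you are authorised to test.

```python
"""Steps 1 to 4 of the exploitation procedure as a small reconnaissance script.

Added example; not from the course. The catalog entries are fictional
placeholders and the target is a fake service started on loopback.
"""
import re
import socket
import threading


def scan_ports(host: str, ports, timeout: float = 0.3) -> dict:
    """Connect scan: returns {port: banner} for every port that accepts a TCP connection."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except OSError:
                continue                     # closed or filtered
            try:
                banner = sock.recv(256).decode(errors="replace").strip()
            except OSError:
                banner = ""                  # open, but the service did not speak first
            found[port] = banner
    return found


# Constructed catalog: banner pattern -> (product, first fixed version, note).
CATALOG = [
    (re.compile(r"^SSH-2\.0-ExampleSSH_(\d+)\.(\d+)"), "ExampleSSH", (1, 5),
     "placeholder entry: ExampleSSH before 1.5 is marked vulnerable in this fictional catalog"),
]


def match_catalog(banners: dict, catalog=CATALOG) -> list:
    """Step 3: return (port, product, version, note) for every banner older than the fixed version."""
    hits = []
    for port, banner in banners.items():
        for pattern, product, fixed_in, note in catalog:
            m = pattern.match(banner)
            if m is None:
                continue
            version = tuple(int(x) for x in m.groups())
            if version < fixed_in:
                hits.append((port, product, version, note))
    return hits


def start_fake_service(banner: bytes):
    """Listen on a random loopback port and send `banner` to every client (the demo target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                       # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def run_demo():
    """Scan the fake service plus two neighbouring ports and match the result against the catalog."""
    srv, port = start_fake_service(b"SSH-2.0-ExampleSSH_1.2\r\n")
    try:
        banners = scan_ports("127.0.0.1", [port, port + 1, port + 2])
        return banners, match_catalog(banners)
    finally:
        srv.close()


if __name__ == "__main__":
    banners, hits = run_demo()
    print("open:", banners)
    for port, product, version, note in hits:
        print(f"port {port}: {product} {'.'.join(map(str, version))} -> {note}")
```

Defensively, the same banner-to-catalog matching is what a vulnerability
scanner does on your own network, and the obvious hardening follows from it:
services that announce a version they do not need to announce make step 3
trivial for the attacker.
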
Advanced Persistent Threats
One way in which infiltration is achieved is through advanced persistent
threats (APTs). They consist of a multi-phase, long term, stealthy and
advanced operation against a specific target. Due to its complexity and
skill level required, an APT is usually well funded. An APT targets
organizations or nations for business or political reasons.
Usually related to network-based espionage, APT’s purpose is to deploy
customized malware on one or multiple of the target’s systems and
remain undetected. With multiple phases of operation and several
customized types of malware that affect different devices and perform
specific functions, an individual attacker often lacks the skill-set,
resources or persistence to carry out APTs.

DoS

Denial-of-Service (DoS) attacks are a type of network attack. A DoS attack
results in some sort of interruption of network service to users, devices, or
applications. There are two major types of DoS attacks:
Overwhelming Quantity of Traffic - This is when a network, host, or application
is sent an enormous quantity of data at a rate which it cannot handle. This
causes a slowdown in transmission or response, or a crash of a device or
service.
Maliciously Formatted Packets - This is when a maliciously formatted packet is
sent to a host or application and the receiver is unable to handle it. For
example, an attacker sends packets containing errors that cannot be identified
by the application, or sends improperly formatted packets. This causes the
receiving device to run very slowly or crash.
DoS attacks are considered a major risk because they can easily interrupt
communication and cause significant loss of time and money. These attacks are
relatively simple to conduct, even by an unskilled attacker.

DDoS

A Distributed DoS Attack (DDoS) is similar to a DoS attack but originates from
multiple, coordinated sources. As an example, a DDoS attack could proceed as
follows:
An attacker builds a network of infected hosts, called a botnet. The infected
hosts are called zombies. The zombies are controlled by handler systems.
The zombie computers constantly scan and infect more hosts, creating more
zombies. When ready, the attacker instructs the handler systems to make the
botnet of zombies carry out a DDoS attack.
The figure accompanying this section animates this sequence.
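
The detector below is an added example (not course code) that serves both the
DoS and the DDoS descriptions above: it counts SYN packets per second per
destination in a connection log and, when a second exceeds the threshold,
reports whether the flood comes from one source (DoS) or from many coordinated
zombies (DDoS). The log lines are constructed to mimic a simplified firewall
export (time, source, destination, port, TCP flags), and the threshold is an
assumption of the example; in production it should come from a baseline of the
service's normal traffic. It covers only the "overwhelming quantity of traffic"
case; spotting maliciously formatted packets needs payload inspection, which
this log does not carry.

```python
"""Telling a flood apart from normal traffic in a connection log.

Added example; not part of the course. The log is constructed and the
thresholds are assumptions; derive them from a real baseline in production.
"""
from collections import Counter, defaultdict

TARGET = "203.0.113.5"          # constructed: the web server under attack


def make_sample_log():
    """Constructed log: a quiet second, a single-source flood, then a botnet flood."""
    lines = []
    for second in ("10:00:00", "10:00:01", "10:00:02"):
        for i in range(30):                                   # background traffic, 5 clients
            lines.append(f"{second} 192.0.2.{i % 5 + 1} {TARGET} 443 SYN")
    for _ in range(1200):                                     # DoS: one host hammering the server
        lines.append(f"10:00:01 192.0.2.99 {TARGET} 443 SYN")
    for i in range(1500):                                     # DDoS: 250 zombies, 6 SYNs each
        lines.append(f"10:00:02 198.51.100.{i % 250 + 1} {TARGET} 443 SYN")
    return lines


def parse_line(line: str):
    """Split one log line into (time, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return ts, src, dst, int(dport), flags


def classify_windows(lines, syn_threshold=500, single_source_share=0.8):
    """Return {(second, dst): ("DoS", total, top_source) or ("DDoS", total, distinct_sources)}."""
    per_window = defaultdict(Counter)          # (second, dst) -> Counter of source addresses
    for line in lines:
        ts, src, dst, _dport, flags = parse_line(line)
        if flags == "SYN":
            per_window[(ts, dst)][src] += 1
    verdicts = {}
    for key, sources in per_window.items():
        total = sum(sources.values())
        if total < syn_threshold:
            continue                           # within normal range
        top_src, top_count = sources.most_common(1)[0]
        if top_count / total >= single_source_share:
            verdicts[key] = ("DoS", total, top_src)       # one source dominates: block it
        else:
            verdicts[key] = ("DDoS", total, len(sources))  # many sources: rate-limit/upstream help
    return verdicts


if __name__ == "__main__":
    for (second, dst), verdict in sorted(classify_windows(make_sample_log()).items()):
        print(second, dst, verdict)
```

The distinction matters for response: a single dominant source can be
blocked at the edge, while a flood spread over hundreds of zombies needs rate
limiting or upstream scrubbing because no single address is worth blocking.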

What is a Blended Attack?

Blended attacks are attacks that use multiple techniques to compromise a target.
By using several different attack techniques at once, attackers have malware
that is a hybrid of worms, Trojan horses, spyware, keyloggers, spam and phishing
schemes. This trend of blended attacks is producing more complex malware and
placing user data at great risk.
The most common type of blended attack uses spam email messages, instant
messages or legitimate websites to distribute links from which malware or
spyware is secretly downloaded to the computer. Another common blended attack
uses DDoS combined with phishing emails. First, a DDoS attack is used to take
down a popular bank website; then emails are sent to the bank's customers,
apologizing for the inconvenience. The email also directs the users to a forged
emergency site where their real login information can be stolen.
Many of the most damaging computer worms like Nimda, Code Red, BugBear, Klez and
Slammer are better categorized as blended attacks, as shown below:

• Some Nimda variants used email attachments; file downloads from a
compromised web server; and Microsoft file sharing (e.g., anonymous shares)
as propagation methods.

• Other Nimda variants were able to modify the system's guest accounts to
provide the attacker or malicious code with administrative privileges.

The later Conficker and ZeuS/LICAT worms were also blended attacks. Conficker
used all the traditional distribution methods.

What is Impact Reduction?

While the majority of successful companies today are aware of common security
issues and put considerable effort towards preventing them, no set of security
practices is 100% effective. Because a breach is likely to happen if the prize
is big enough, companies and organizations must also be prepared to contain the
damage.
It is important to understand that the impact of a breach is not limited to its
technical side (stolen data, damaged databases, or damage to intellectual
property); the damage also extends to the company's reputation. Responding to a
data breach is a very dynamic process.
Below are some important measures a company should take when a security breach
is identified, according to many security experts:

• Communicate the issue. Internally, employees should be informed of the
problem and called to action. Externally, clients should be informed through
direct communication and official announcements. Communication creates
transparency, which is crucial in this type of situation.

• Be sincere and accountable in case the company is at fault.

• Provide details. Explain why the situation took place and what was
compromised. It is also expected that the company take care of the costs of
identity theft protection services for affected customers.

• Understand what caused and facilitated the breach. If necessary, hire
forensics experts to research and learn the details.

• Apply what was learned from the forensics investigation to ensure similar
breaches do not happen in the future.

• Ensure all systems are clean, no backdoors were installed, and nothing else
has been compromised. Attackers will often attempt to leave a backdoor to
facilitate future breaches, so verify systems against known-good baselines
rather than relying on the attacker's visible footprint alone.

• Educate employees, partners, and customers on how to prevent future
breaches.

Chapter 2: Attacks, Concepts and Techniques

This chapter covered the ways that cybersecurity professionals analyze what has
happened after a cyberattack. It explained security software and hardware
vulnerabilities and the different categories of security vulnerabilities.
The different types of malicious software (known as malware) and the symptoms of
malware were explained. Some of the malware that was discussed included viruses,
worms, Trojan horses, spyware, adware, and others.
The different ways that attackers can infiltrate a system were covered,
including social engineering, Wi-Fi password cracking, phishing, and
vulnerability exploitation. The different types of denial of service attacks
were also explained.
Blended attacks use multiple techniques to infiltrate and attack a system. Many
of the most damaging computer worms like Nimda, Code Red, BugBear, Klez and
Slammer are better categorized as blended attacks. When an attack cannot be
prevented, it is the job of a cybersecurity professional to reduce the impact of
that attack.
If you would like to further explore the concepts in this chapter, please check
out the Additional Resources and Activities page in Student Resources.
