Cybersecurity is the set of processes and methods for protecting Internet-connected networks, devices, and data from attack. Cyberattacks are usually made to access, change, or destroy data, to interrupt normal business operations, or, as with ransomware, to extort the victim. Extortion is the act of using actual or threatened force, violence, or intimidation to compel a person or entity to turn over money or property. Extortion is a criminal offense.
Outsiders are not the only threat to the security of a company’s systems and data. Cyberattacks can originate from any number of sources, including, but not limited to:
- Hackers are looking to cause harm or have fun attacking a system. There is usually no financial motivation or personal vendetta. Hackers may be seeking notoriety.
- Hacktivists are hackers with a specific motivation that could be political, personal, religious, or just spiteful. Hacktivists may be individuals or many people working together.
- Cybercriminals are usually seeking some sort of financial payoff and may have no connection or animosity towards the companies that they target.
- Employees have access to systems and information and can cause significant damage. For example, disgruntled employees or those who are planning to work for a competitor can sabotage computer systems or steal proprietary information.
- Competitors may use cyberattacks to steal information or cause harm. Cyberattacks by a competitor would fall under the umbrella of corporate or industrial espionage.
- Foreign states (nations) do not usually attack individual companies, but it does happen.
Some specific cybersecurity risks include the following:
1. Denial of Service (DoS) attacks occur when a website or server is accessed so frequently that legitimate users cannot connect to it. Distributed Denial of Service (DDoS) attacks use multiple systems in multiple locations to attack one site or server, which makes stopping or blocking the attack difficult.
Hackers gain access to unsecured Internet of Things (IoT) devices on which the default passwords have not been changed and use malware tools to build a botnet made up of innumerable devices. A botnet is a network of Internet-connected devices that are all infected with the same malware and controlled by a hacker or a group of hackers without the owners' knowledge. The hacker directs the botnet to send junk Internet traffic continuously and simultaneously to a targeted server, making it unreachable by legitimate traffic. Sophisticated firewalls and network monitoring software can help to mitigate DoS and DDoS attacks.
2. Buffer overflow attacks send more data than a program expects, causing the system to crash, permitting the attacker to run malicious code, or even allowing a complete takeover of the system. Buffer overflow attacks can be prevented by software that checks the amount of data received before storing it, but this common preventive measure is often overlooked during software development.
3. Man-in-the-Middle attacks are sophisticated technical exploits that place a malicious router or software between two networks so that the attacker can intercept all the traffic sent and received. Such attacks can be difficult to detect because data continues to flow between the two networks as usual, even though the malicious router or software is capturing all of it. Any unencrypted data sent over the network can be read by the attacker.
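The DoS/DDoS discussion above says that network monitoring can help mitigate a flood. The following is an added example, not code from the original text: it parses a handful of constructed web-server access-log lines (Common Log Format) and flags any source address that exceeds a request threshold inside a sliding time window. The threshold and window size are illustrative assumptions; a real deployment would tune them against its own baseline traffic and then hand the flagged addresses to a firewall or rate limiter.

```python
"""Flag sources that flood a web server, using constructed access-log lines.

Added example (not from the original text). The window length and the
request threshold are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def flood_sources(lines, window_seconds=10, max_requests=5):
    """Return {ip: peak_count} for every source that made more than
    max_requests requests inside any window_seconds-long sliding window.
    Lines are expected in time order, as a log file normally is."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # skip malformed lines instead of crashing
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Discard timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample: one ordinary client (203.0.113.5) and one client
# (198.51.100.7) that fires eight requests in eight seconds.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326',
] + [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{36 + i:02d} +0000] "GET / HTTP/1.1" 200 2326'
    for i in range(8)
] + [
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /about HTTP/1.1" 200 1104',
]

if __name__ == "__main__":
    for ip, count in flood_sources(SAMPLE_LOG).items():
        print(f"possible flood from {ip}: {count} requests within 10 s")
```

The per-source deque keeps only the timestamps inside the current window, so memory stays bounded even on a long log. A distributed attack spreads its requests over many addresses, each of which may stay under the per-source threshold; for that case the same sliding-window count applied to the total request rate, rather than per source, is the complementary signal.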
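For the buffer overflow item, the page's point is that software must check how much data arrives before storing it. The example below is added here and is not from the original text. Python itself refuses to corrupt memory, so the example shows the validation discipline rather than an actual overflow: a reader that trusts a peer-supplied length field against one that checks it against the capacity it really has. The 4-byte length-prefix wire format and the 64-byte receive buffer are assumptions made for the example.

```python
"""Length-checked message framing (added example, not from the original text).

Assumed wire format: a 4-byte big-endian length prefix followed by the payload.
Assumed receive buffer: a fixed 64 bytes.
"""
import io
import struct

MAX_MESSAGE = 64               # assumed capacity of the receive buffer, in bytes
HEADER = struct.Struct(">I")   # assumed wire format: 4-byte big-endian length


class FramingError(ValueError):
    """Raised when a frame is malformed or does not fit the receive buffer."""


def read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise FramingError(f"stream ended after {len(data)} of {n} bytes")
    return data


def frame(payload):
    """Encode one message the way a well-behaved peer would."""
    return HEADER.pack(len(payload)) + payload


def recv_unchecked(stream, capacity=MAX_MESSAGE):
    """Trusts the peer's length field.  In Python the bytearray silently grows
    past its declared capacity; the equivalent memcpy in C would instead
    overwrite whatever sits next to the buffer in memory."""
    (n,) = HEADER.unpack(read_exact(stream, HEADER.size))
    buf = bytearray(capacity)
    buf[:n] = read_exact(stream, n)
    return buf


def recv_checked(stream, capacity=MAX_MESSAGE):
    """Validates the declared length before reading or storing anything."""
    (n,) = HEADER.unpack(read_exact(stream, HEADER.size))
    if n > capacity:
        raise FramingError(f"declared length {n} exceeds buffer of {capacity} bytes")
    buf = bytearray(capacity)
    buf[:n] = read_exact(stream, n)     # fits by construction
    return bytes(buf[:n])


def classify(raw, capacity=MAX_MESSAGE):
    """Run the checked reader over raw bytes; ("ok", payload) or ("rejected", why)."""
    try:
        return ("ok", recv_checked(io.BytesIO(raw), capacity))
    except FramingError as e:
        return ("rejected", str(e))


def unchecked_buffer_size(raw, capacity=MAX_MESSAGE):
    """How large the 'fixed' buffer ends up after the unchecked reader runs."""
    return len(recv_unchecked(io.BytesIO(raw), capacity))


# Constructed inputs: a normal frame, an oversized one, and a header that
# claims a 4 GiB payload it never sends.
GOOD = frame(b"hello")
OVERSIZED = frame(b"A" * 100)
HOSTILE = HEADER.pack(0xFFFFFFFF) + b"short"

if __name__ == "__main__":
    print("checked:", classify(GOOD), classify(OVERSIZED), classify(HOSTILE))
    print("unchecked buffer grew to", unchecked_buffer_size(OVERSIZED), "bytes")
```

The check happens before any body bytes are read, so the hostile header is rejected without allocating or waiting for data that will never arrive; that ordering matters as much as the comparison itself.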
Internet of Things (IoT) devices are products used in homes and businesses that can be controlled over the Internet by the owner. Examples are door locks, appliances, lights, energy- and resource-saving devices, and other devices that are controlled either remotely or on-premises using voice commands.
Types of Cyberattacks
1. Password attacks (crackers) are attempts to break into a system by guessing a password. Brute force attacks use programs that repeatedly attempt to log in with common and/or random words, although most modern systems effectively prevent brute force attacks by blocking login attempts after several incorrect tries. Two-factor authentication can also prevent brute force attacks from succeeding, because a password alone will not grant access to the system.
2. Malware broadly refers to malicious software, including viruses. Spyware can secretly gather data, for example by recording keystrokes to harvest banking details, credit card information, and passwords. Other types of malware can turn a PC into a "bot" or "zombie," giving hackers full control over the machine without alerting the owner to the problem. Hackers can set up "botnets," networks of thousands or millions of "zombies," which can be made to send spam, send virus-infected emails, or, as described above, mount distributed denial of service attacks. Rootkits allow remote access to a computer and can be used legitimately or maliciously.
3. Ransomware is particularly dangerous malware that encrypts data on a system and requires a specific key to convert the code back into readable data. Only the attacker knows the key, and the attacker demands a ransom (a payment, usually in cryptocurrency) for the key to decrypt the data. If the ransom is not paid the data is lost forever, and the attacker may also release it to the public.
The most common way that ransomware is installed is through a malicious attachment or download that appears to come from a trusted source. The primary defenses against ransomware are to avoid installing it in the first place and to keep data backups. However, backups may be ineffective if the ransomware has remained in the system for some time before activating. By the time the ransomware activates and encrypts the data, it has already been copied into earlier backups. Restoring from such a backup may simply restore the ransomware as well, so it re-activates and re-encrypts the data all over again. Thus, employee education is vital.
4. A logic bomb, also called slag code, is a sequence of code that executes a malicious task, such as wiping a hard drive or deleting specific files, when it is triggered by a specific event. The trigger is described as positive or negative: a positive trigger activates the bomb when an event happens (such as a certain date and time being reached), and a negative trigger activates it when something does not happen (such as an administrator not logging in for a day). Logic bombs are not technically viruses because they are not designed to propagate themselves. However, they can be used in conjunction with viruses. Logic bombs are commonly used by insider threats.
5. Tampering is making unauthorized changes to a system, usually in the course of doing something damaging or illegal. Any tampering with a system risks making it less effective. Changing data and files to read-only can help protect against tampering or deletion (a preventive control). Tools that track changes to databases and files can be useful for detecting tampering (a detective control).
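The password-attack item above names two defenses: blocking logins after several incorrect tries, and requiring a second factor so that a guessed password alone is not enough. The following is an added example, not code from the original text, showing both in one login routine. The lockout policy (five failures, fifteen-minute lock), the PBKDF2 work factor and the use of a TOTP-style code as the second factor are assumptions made for the example.

```python
"""Login check with failure lockout and a second factor.

Added example, not from the original text.  The lockout policy, the hashing
work factor and the TOTP-style second factor are illustrative assumptions.
"""
import hashlib
import hmac
import os
import struct
import time

MAX_FAILURES = 5      # assumed policy: lock the account after this many failures
LOCK_SECONDS = 900    # assumed policy: 15-minute lockout
PBKDF2_ROUNDS = 50_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret, now, step=30, digits=6):
    """RFC 6238-style time-based one-time code (HMAC-SHA1 over the time counter)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Authenticator:
    def __init__(self):
        self.users = {}      # name -> (salt, password digest, TOTP secret)
        self.failures = {}   # name -> (failure count, locked-until timestamp)

    def add_user(self, name, password, totp_secret):
        salt, digest = hash_password(password)
        self.users[name] = (salt, digest, totp_secret)

    def _record_failure(self, name, count, now):
        count += 1
        locked_until = now + LOCK_SECONDS if count >= MAX_FAILURES else 0
        self.failures[name] = (count, locked_until)

    def login(self, name, password, code, now=None):
        """Return "ok", "locked", "bad_password" or "bad_code"."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(name, (0, 0))
        if now < locked_until:
            return "locked"            # refuse without even checking the password
        if locked_until:
            count = 0                  # the lock has expired; count afresh
        record = self.users.get(name)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, digest, secret = record or (b"\0" * 16, b"\0" * 32, b"")
        _, attempt = hash_password(password, salt)
        if record is None or not hmac.compare_digest(attempt, digest):
            self._record_failure(name, count, now)
            return "bad_password"
        if not hmac.compare_digest(totp(secret, now), code):
            self._record_failure(name, count, now)   # codes can be guessed too
            return "bad_code"          # the password alone does not grant access
        self.failures.pop(name, None)
        return "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed; never hard-code a real one
    auth = Authenticator()
    auth.add_user("alice", "correct horse", secret)
    for attempt in ["guess1", "guess2", "guess3", "guess4", "guess5"]:
        print(attempt, "->", auth.login("alice", attempt, "000000"))
    print("right password during lockout ->",
          auth.login("alice", "correct horse", totp(secret, time.time())))
```

Wrong one-time codes count toward the lockout as well as wrong passwords, since a six-digit code is itself guessable. The `now` parameter exists so the lockout logic can be exercised deterministically in tests without waiting fifteen minutes.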
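The tampering item ends with the detective control: tools that track changes to files. The example below is added here and is not code from the original text. It records a baseline of SHA-256 hashes for every file under a directory, takes a second snapshot later, and reports which files were modified, deleted or added. The directory, its files and the simulated tampering are all constructed inside a temporary folder so the example runs offline.

```python
"""File-integrity check: compare file hashes against a recorded baseline.

Added example, not from the original text.  The monitored directory and the
simulated tampering are constructed in a temporary folder.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Classify the differences between a baseline snapshot and a later one."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: record a baseline, tamper, then detect the changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.conf").write_text("debug = false\n")
        (root / "users.csv").write_text("alice,admin\n")
        baseline = snapshot(root)
        # Simulated tampering: a config edit, a deleted file and an unexpected new file.
        (root / "app.conf").write_text("debug = true\n")
        (root / "users.csv").unlink()
        (root / "extra.bin").write_bytes(b"\x00\x01")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is stored somewhere the monitored host cannot alter (an offline copy or a separate log host); a baseline kept beside the files it describes can be rewritten by the same tampering it is meant to catch.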