---
title: Know your enemy
---
We begin this week by outlining the most common types of threat a
business or individual may face.
Malware is an umbrella term defining any software that is harmful to
computers. It's a very broad brush term that covers a wide range of
threats, including viruses, spyware, and other exploits.
Generally, malware involves installing some software onto a computer;
this may be initiated by the user (i.e. the user installs a compromised
version of a legitimate program), or through some other exploit (for
example, a worm virus that infects computers over the network).
Below we discuss the common ways in which security threats such as malware occur.
## Phishing and Social Engineering
Hackers are like vampires: they usually need to be invited into our
systems.
Having a user install the malware for us is the most common attack
vector. Techniques such as Phishing try to trick a user into
installing the rogue program. Phishing is a form of social
engineering where we try to convince the target that we are a legitimate
account, service or person, so that they install the malware onto their
system for us.
It is claimed that around 90% of malware installations are due to
Phishing. Personally I take this to include a broad definition of
phishing including setting up fake websites or app-stores in the hope
of luring people into installing software, rather than the more
targeted approach.
## Web Based attacks
Web based attacks are the second most common vector (after Phishing) for
installing malware. Web based exploits can also be an attack vector
outside of directly attacking websites.
For example, browser based attacks such as clickjacking (injecting
software into a website that affects a browser's behaviour), and
cryptojacking (installing bitcoin mining software on vulnerable
computers that visit a website) are common. Additionally, malware
can be installed through malicious browser plugins, or by making use of
vulnerabilities in the browser itself.
One recent example of malware installed via a browser plugin comes
from the "web development toolbar". The toolbar is a very well
respected extension that allows you to examine and test the
functionality of web pages. The author of the toolbar was the victim
of a Phishing attack, which compromised his email account, and a
malicious version of the toolbar was
released. <https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/>
Other web based vectors include Man In The Middle (MITM) attacks, where
the network traffic is intercepted by a third party. This means that
"secure" information you send to a site could be seen by that third party.
We will discuss methods of protecting against MITM and eavesdropping
in the cryptography section of the course.
## Web Application Attacks
Previously we explored web application attacks, with the OWASP
top 10. These attacks may not directly affect users of a website, but
give the potential for information about users to be revealed through
data breaches.
Web application attacks affect the operation of a website and can lead
to exploitation or a data breach. Around 30% of data breaches involve
vulnerabilities in web applications. Issues with web applications
that allow an attacker to compromise them include:
- SQL (Structured Query Language) injection. Rated the number 1 threat by OWASP (51%)
- File inclusion vulnerabilities (35%)
- XSS (Cross Site Scripting). Places malicious code on the site itself. (9%)
- Content Management Systems (CMS), such as WordPress
  - A newly discovered vulnerability affected ~2 million sites.
Each of these attacks can lead either to a data breach, where
information such as user details is revealed, or a full compromise of
the server, allowing the attacker to take control.
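As an added example that is not part of the course notes, the three flaws named in the list above (SQL injection, file inclusion and XSS) are each shown as a vulnerable handler beside its hardened form. The `users` table and the `templates` directory are constructed for the example and stand in for a real site's data.

```python
"""Added example (not from the course notes): SQL injection, file
inclusion and XSS, each as a vulnerable handler beside a hardened one.
Standard library only; the database is an in-memory SQLite table."""
import html
import os
import sqlite3

# Constructed sample data: one ordinary user and one admin row.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?, ?)",
               [("alice", "alice@example.org", "user"),
                ("admin", "admin@example.org", "admin")])

def lookup_vulnerable(name):
    """String formatting lets the input change the query's structure,
    so a value such as x' OR '1'='1 returns every row."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()

def lookup_hardened(name):
    """A bound parameter is always treated as data, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# File inclusion: a "page" parameter is used to choose a template file.
TEMPLATE_DIR = os.path.realpath("templates")   # hypothetical directory

def template_path_vulnerable(page):
    """Joins the raw parameter, so '../' escapes the template directory."""
    return os.path.join(TEMPLATE_DIR, page)

def template_path_hardened(page):
    """Resolves the path and refuses anything outside TEMPLATE_DIR,
    including absolute paths and '../' traversal."""
    full = os.path.realpath(os.path.join(TEMPLATE_DIR, page))
    if os.path.commonpath([TEMPLATE_DIR, full]) != TEMPLATE_DIR:
        raise ValueError("path escapes template directory: %r" % page)
    return full

# XSS: a user-supplied value reflected into the page's HTML.
def greeting_vulnerable(name):
    """Inserts the raw value, so markup in it runs in the visitor's browser."""
    return "<p>Hello %s</p>" % name

def greeting_hardened(name):
    """Escapes <, >, &, and quotes so the value is shown as text only."""
    return "<p>Hello %s</p>" % html.escape(name)
```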
Another interesting trend in web application attacks is through
Phishing. Compromised versions of software plugins have been used to
gather information about a site's users. Two examples of organisations
that have been exploited through the use of an insecure third-party
plugin include:
- British Airways
- Ticketmaster
## The Insider Threat
While not a direct threat for exploitation, the insider threat is still
the 2nd most common cause of an incident within an organisation.
This occurs when an employee uses their authorised access to harm the
security of an organisation. While the majority of cases are unwitting
(employees being Phished etc.), there are still a number of cases where
the employee maliciously exploits the systems.
Analysis shows that the majority of insiders tend to ignore security
policies to speed productivity. For example they may:
- Send files to personal accounts
- Write down passwords
- Store data on media external to the organisation
## Hardware issues
Security issues with hardware design have always been present, but
came to prominence in 2018 with *Spectre* and *Meltdown*. These
exploit the way the processor has been designed to allow an attacker
to read parts of computer memory they should not have access to.
Hardware based issues can be difficult to fix retrospectively. If the
flaw is with the physical design of the chip then there is little that
can be done, and modifying the behaviour of the code running on the
chip itself is difficult.
While not strictly a flaw in the hardware itself, a bug in the
firmware for the Broadcom WiFi chips left billions of devices open to
attack. <https://thehackernews.com/2017/04/broadcom-wifi-hack.html>
# Threat Actors
As well as the security flaws themselves, we also need to understand
where the threats originate from.
## Cyber Criminals
Cyber criminals commit crime by targeting computers or networks, and
can be either lone individuals or part of a larger organised group.
They remain the most active threat in cyberspace, and are responsible for
2/3 of all registered incidents.
Analysis of recent trends shows that the behaviour of cyber criminals
is becoming more organised, and trending toward monetisation of
activity. This is evident in the increase in targeted attacks and
data breaches in the business sector, and the rise of ransomware. One
interesting trend is the increased number of Phishing campaigns
targeting high value individuals, such as the CEOs of organisations.
## Nation States
Nation state hackers may either be part of a "cyber army" or
individuals with a "Licence to Hack". This is organised hacking at a
state level, with hackers working for a government to disrupt or
compromise other governments, organisations or individuals. It is
estimated that nation state hacking is responsible for 20% of all
incidents.
This style of attack can include: spreading propaganda on social
media, stealing national or industrial secrets, interfering with
elections, or compromising the nuclear safety of a country.
<https://www.csoonline.com/article/3218104/what-is-stuxnet-who-created-it-and-how-does-it-work.html>
## Hacktivists / Cyber Fighters
The hacking activist takes their political, religious or social cause
onto the internet. This can range from defacing the website of a
corporation they disagree with, to directly attacking the
infrastructure of an organisation.
There are several large scale hacktivist groups (such as Anonymous)
that may adopt a cause. It could also be argued that some hacktivist
groups are actually a front for nation state activity.
## Script Kiddies
Script kiddies are our final threat. These are generally untrained
hackers, making use of tools and scripts available on the internet.
Generally they are responsible for simple, low impact cyber attacks.
However, they can have a significant impact; for example, the TalkTalk
data breach was caused by a teenage hacker using simple tools.