D. Cyber risk Flashcards
what are the types of sensitive information?
personal information
- personally identifiable information (PII)
- can either be on its own or with other info that can identify a single person
business information
- anything that may cause a risk to the company if discovered by an external party
- includes things like research data, marketing plans
classified information
- usually refers to information that a national government has put special restrictions on, where disclosure could harm public safety and security
what are some examples of PII?
- names
- addresses
- DOB
- credit card numbers
- bank account numbers
- information about race/ethnicity
how can technology interact with an organisation?
TYPE of tech the company uses
- ERP, data centres
different ways the organisation is CONNECTED with technology
- VPN, routers, virtual servers
different SERVICE PROVIDERS the company uses
- cloud provider, software providers, call centres
how the company DELIVERS its product or service to the customer
- transmissions to vendors, online retail channel, wholesale customers
what is an ERP?
Enterprise Resource Planning
- links a wide range of activities
- used to automate work traditionally done by MA
what is a Data centre?
a large group of networked computer servers, usually used by organisations for storing, processing or distributing large amounts of data
what is a VPN?
virtual private network
- extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network
- often used by organisations whose staff work remotely so they can access shared data drives or the intranet
what is a router?
networking devices that direct network traffic between computers on networks
what is a virtual server?
a modern server is now so powerful that having one server for a single function is very inefficient
servers can now perform multiple functions and can be located offsite and often controlled by a third party
the resources the server provides are often used by multiple users, and each user can administer it as though they have complete control over it
what is the Cloud?
a form of remote data storage
called the cloud as the storage could be at a great distance from the access point rather than stored locally
although it uses new tech, it is similar to old-fashioned computing where a large central computer owned and run by the company (a mainframe) held all the data
what are the benefits of cloud storage?
only paying for the storage used
in-house staff are not required to maintain and protect the data
what are the costs related to cloud computing?
- remoteness can be a problem, if communications break down you cannot gain access to your data
- reliance on a third party to protect the integrity of the data
- sharing storage space with others which may compromise your data
where is collateral damage and access to confidential PII usually sold?
on the dark web
what is the dark web?
part of the internet that allows further anonymity
ability to obscure the source or location
- provides criminals protection
- ‘fraud economy’
what are the 3 parts of the internet?
surface web (clear web)
- everyday use, can find using a search engine
deep web
- used everyday
- have to log in to access
dark web
- need special technology to access
- Tor browser/network
- increased use of encryption and use of obfuscation
how can criminals use PII?
big market for PII
- can use passwords for other sites
- can use this to build a user profile
- identity theft
- can sell profile to others
what happened in the 2017 global cyberattack called NotPetya?
targeted Ukraine on the eve of a Ukrainian national holiday
- 80% of infections were in Ukraine
- several large businesses going offline
- Germany also badly hit, 9% infections
- collateral damage recorded across the world
what types of changes could affect cyber security risk management?
expansion
- adding a manufacturing operation
- additional connection
acquisition
- different software and systems
- data loss
restructure
- undertake an internal restructure
- reporting lines change
hardware update
- rolling out any kind of update poses a risk as it means people will need to change the way they do things
- old hardware disposed incorrectly
regulations
- legal or regulatory requirements can have an effect on cyber security risk management
- e.g. GDPR
how did Covid pose a cyber security risk?
everyone had to work remotely
- emails and phishing rise
- malicious links passed around
what are changeover methods?
direct changeover
parallel running
pilot changeover
phased changeover
what is a direct changeover?
the old system is switched off and then the new system is switched on
appropriate when the 2 systems are very different or it is too expensive to run both
also risky: if the new system doesn’t work properly they can’t revert, and staff will lose trust in the new system
what is parallel running?
old and new systems run together for a period of time, until it is considered safe to switch the old system off
why is parallel running costly?
inputting data twice
possibly employing more staff to do so
BUT less risky than direct changeover
what is pilot changeover?
where one part of the business changes over first
- this division could use parallel or direct changeover
once the system operates correctly there, the rest will change over
what are the pros and cons of the pilot changeover?
a safer method of changeover, as only one part of the business will be affected if anything goes wrong
however there may be different issues with different parts of the business that go unrealised at first
what is a phased changeover?
involves bringing in the new system one part of the business at a time
how does phased changeover differ from pilot changeover?
in phased, all departments or divisions are staggered with respect to receiving the new system
what are the pros and cons of phased changeover?
less risky should there be a problem in a certain division, and IT staff can deal with issues one at a time
time consuming
what happened during the TSB software migration?
2015: a Spanish banking group acquired TSB from Lloyds Banking Group and wanted to integrate it into the same core banking system
wanted to offer new services that the legacy system couldn’t offer
changeover method: pilot approach
- moved some services first, including the mobile banking app
- planned to move everything else in 2017
- the final stage was delayed and had many problems when it did finally change over
what are the 4 cyber security objectives outlined by the AICPA reporting framework?
availability
confidentiality
integrity of data
- prevent unauthorised modification
integrity of processing
how can we apply the cyber security objectives to an online retailer?
availability: online retail store provides a 24/7 service worldwide
confidentiality: keep PII confidential
integrity of data: make sure financial info for both internal and external purposes is reliable and also that customer information is correct and up to date
integrity of processing: making sure goods sold are as described on their website and the service matches the description provided
what was the availability issue with RBS?
2012: an outage occurred for RBS, NatWest and Ulster Bank
- customers could not access funds for a week or more
- banks had to manually update account balances
received a £56m fine from the regulator for the outages
- the software suppliers that caused the outage paid millions
- didn’t know the actual cause: suspect someone in RBS India pressed the wrong button
what is PCI DSS?
payment card industry data security standard
- brought in to ensure businesses that process card payments do so securely
- protect sensitive cardholder data
- help reduce card fraud
- sets tight controls over storage, transmission and processing of the cardholder data that businesses handle
what is malware?
malicious software, regardless of the intended purpose.
can do any number of things, ranging from the stealing of credentials, other information or money to the general wreaking of havoc, or denial of service
what are the various ways to execute malware?
ransomware
botnets
spyware
trojans
malvertising
viruses
what is ransomware?
designed to prevent access to data until a ransom is paid
what are botnets?
networks of private computers that are infected with malware and controlled by a ‘botnet agent’ designed to follow the attacker’s instructions without the knowledge of the owner of the computer
often associated with DDoS
what are trojans?
named after the Trojan horse, a wooden horse that was allowed into the city as it was deemed harmless but which concealed soldiers inside ready to attack the city
malware pretends to be a useful piece of software whilst secretly releasing malware into the system, usually with the capability to be controlled by the attacker from a different location (known as a remote access Trojan or RAT)
what is a banking Trojan?
targets the banking industry
- steals customer credentials to attack the bank
- banks have had to increase cybersecurity
what is malvertising?
when online advertisements have malware written into their code
- can involve hiding the malicious code in legitimate online advertising networks and web pages
- code may direct victim to a malicious site where malware is installed
- might directly infect computer when page is visited
serious threat that requires little or no user interaction
what are viruses?
designed to endlessly replicate themselves and infect programs and files to damage or destroy data
what are worm viruses?
spread across networks to infect other devices
what is spyware?
designed to spy on the victim’s systems without being detected and gather information to send to the hacker
what are keyloggers?
similar to spyware
- every keystroke typed by the victim is recorded and forwarded to the hacker
what is a zero day exploit?
an exploit of an issue that the software developer has not yet fixed, because it is either unknown to them or has been left unaddressed
a vulnerability in the system that the hacker has known about but which the company may have only just spotted
what is polymorphic malware?
a type of malware that avoids being identified by systems and networks by constantly changing its identifiable features
can use any of the ways mentioned to execute malware but is harder for the target to identify
becoming more common as it takes longer to prevent, leaving more time for malicious activity
what are some cases of ransomware?
NHS: WannaCry shut down more than 80 NHS orgs, 20k appointments cancelled, ambulances diverted
NotPetya: Ukrainian accounting systems; infected multinational shipping companies such as Maersk, costing $300m per quarter
what is an application attack?
term for a variety of different ways of attacking a victim, but this time by attacking a whole app
becoming common with app development
what is the intention of application attacks?
same as malware:
steal data and user identities
what are the most common types of application attacks?
DoS: Denial-of-service
DDoS: Distributed-denial-of-service
SQL injection: Structured Query Language injection
XSS attacks: Cross-site scripting attacks
MitM: Man in the Middle
Buffer overflow attack
what is DoS?
Denial-of-service is an attempt to overwhelm a system’s resources so they cannot respond to service requests
what is DDoS?
where the source is a number of host machines, usually linked to botnets under the control of the attacker
FB DDoS attack
March 2019: WhatsApp, Instagram and FB down
- FB said it was a server configuration issue
many thought they were covering up a DDoS attack
- unlikely to admit as it might encourage attackers
what is an SQL injection?
a common issue with database-driven websites
occurs when the attacker uses an unprotected input box on the company’s website to execute a SQL query on the database via the input data sent from the client to the server
what could a successful SQL injection do?
- can read sensitive data from the database
- modify data (insert, update, delete)
- execute admin operations e.g. shutdown
- recover content
- issue commands
what is a SQL query?
a request for something to be done on a database
e.g. when logging into a website, you input a username and password. when you press ‘enter’ the website queries your inputs against the database of usernames and passwords to check for a match. access is allowed if a match is found
what is an XSS attack?
occurs when malicious code is transmitted from a website and can access the victims’ data
- occurs when visiting another org’s website
- a 3rd party web resource runs a script in the victims’ web browser
what is a buffer overflow attack?
another type of attack that overwhelms a system’s resources
the excess data overwrites existing data
what is hacking?
gaining unauthorised access to a computer system
- might be deliberate attempt to gain access
- might want to alter data
why is hacking dangerous?
GAIN access to codes, passwords and authorisations
INTERFERE with control systems to gain open access to the system
OBTAIN information that is of use for competitors
CAUSE data corruption or delete files
how was Target a victim of hacking?
one of the largest department store retailers
breach in 2013
user credentials stolen from a third party
the hacker uploaded malware into the point of sale systems
details of 40m credit and debit cards in the US were stolen in 2-3 weeks
what are the different types of hackers?
unethical hackers: malicious intent, typical hackers
ethical hackers: hack with the company’s permission, help understand weaknesses in the network, usually called ‘security experts’
what is the 3rd type of hacker?
sit between ethical and unethical
not good or bad, sell skill for monetary gain
what is a key element of hackers?
skilled in some way, whether technical skills or skilled in social engineering and deceiving people into taking action
what is a threat actor?
individual or group that either intentionally or unintentionally conducts malicious activities against an organisation
can include negligence or mistakes by a person or a group of people who do not have malicious intent
what is a weaponised document?
a tool used by a hacker: a document that is downloaded from a source (email, website, shared drive) and contains some code, a link or a video that, once activated, releases malware onto a system or network
what is social engineering?
manipulation of people to make them perform specific actions or reveal confidential information
The theory of influence is key to social engineering. What are Dr Cialdini’s 6 principles used to persuade or influence someone?
reciprocity
- people feel obliged to return the favour
scarcity
- something that is in short supply is perceived to be more valuable
authority
- if someone is deemed to be an expert they carry more power
consistency
- routine
liking
- people sharing some common traits are more inclined to like each other
consensus
- follow behavioural norms
ARCSCL
what is phishing?
use of fraudulent messages to try to steal sensitive information such as passwords or credit card numbers, or to install malware onto a user’s computer
what tools do phishers use to deceive their victims?
phishers use a combination of communication tools to deceive their victims:
- SMS text message (smishing)
- email impersonation
- telephone calls (voice phishing or vishing)
- fake websites
what is spear phishing?
when a phishing attempt targets a specific user, rather than a blanket communication sent to many people
phishers would have carried out research into the specific person and their role and interests
allows the attacker to modify the communication to be more appealing or relevant to the victim, increasing the likelihood of its success
what is BEC?
Business Email Compromise is a way to phish or spear phish
also known as imposter email and CEO fraud, BEC attacks involve impersonating an identity e.g. the chief exec and asking for a particular action to happen or for a piece of information to be sent through
- rely on the social engineering principle of AUTHORITY
what is domain fraud?
also called outbound phishing
where threat actors make an email appear to be from a legitimate source, but it is actually from a malicious actor
- can create a sense of urgency i.e. SCARCITY
fraudulent domain name is another example of something that may be purchased on the dark web
e.g. email sent from @Amazonsupport.com instead of @Amazon.com
what are the most common approaches to BEC?
spoofing email fields
- changing the reply-to email address to make it look like it’s coming from the organisation e.g. replace o with 0
using scarcity
- putting the word ‘urgent’ in, or combining with perceived authority
variety
- target more identities than the CEO and CFO
why are individuals cited as being the biggest cyber security risks?
often feel that they are not part of the information security defence systems
- can lead to actions that might compromise security
- focus elsewhere
What is an example of social engineering at Yahoo?
2013: an engineer who had special access was manipulated
duped by a phishing email
3bn accounts compromised and made available on the dark web
didn’t realise the full extent until the breach was revealed
large reputational damage
what are some examples of themes used in social engineering to attract attention?
food
shelter
love
money
overlap with Maslow’s hierarchy & basic human desires
how does day of the week help social engineering?
research indicates there is an increased volume of attacks earlier in the week, with over 50% on a Monday or Tuesday
- employees in a rush to clear through the backlog
which roles are attractive targets to hackers?
CEO: high profile but likely to have high security and hard to reach
HR: easily contactable and have customer and employee data
what are some considerations for who might be the most susceptible people to attack in an organisation?
use of social media
- know more about the victim
likelihood of clicking
- more curious people will click the link
access to customer data
- role privileged with customer info; PII is valuable on the black market
access to confidential business data
- also valuable on the dark web
access to C-suite employees
- an assistant could have important information, could be a connection to the target
location
- logs on from a less secure network e.g. in public, could easily be attacked
type of device
- some are easier to target e.g. can’t see the full email on mobile
routine
- if the routine is identifiable, can create an attack opportunity or can impersonate the target easily
is there a correlation between size of organisations and number of attacks?
no correlation
larger organisations may appear more appealing because of the payoff from being able to breach their security
a lesser known SME, with a smaller potential payoff but weaker security in place, would give a threat actor the opportunity to keep a steady income stream while they work towards a big target
how can threat actors use cryptocurrency?
makes it easier to send and receive money
what is the IoT?
the internet of things is a network of devices, most commonly associated with devices around the home, where machines such as vehicles and home appliances contain software and sensors and communicate with one another either through Wi-Fi or via Bluetooth
- can be controlled and monitored from a remote location
how can IoT pose cyber security risks?
not always sufficiently secure
can often be interrogated wirelessly to reveal access codes
- remote access gives hackers control e.g. heating in a factory
- hackers might try social engineering to gain access to the network by asking staff for passwords
businesses must decide whether the convenience that the IoT provides is worth the additional vulnerabilities and therefore security measures that would be required
what is social media?
term for a range of sites that may provide radically different social interactions
what are some examples of social media sites?
Twitter: people share short updates i.e. tweets
Facebook: allows updates, photos, joining events and a variety of other activities
LinkedIn: professional business-related networking site
Instagram: free photo-sharing program
what opportunities does social media offer?
advertising
brand development: post pics of product
Big Data analytics: monitor mentions, where and why
methods of listening to customers: queries, complaints
real time information gathering: quick polls
communications
recruitment and selection: advertise roles, avoid costly recruitment fees
selection: firms screen applicants by researching their web presence
what are the risks of social media?
human error
- mistakes by employees (clicking a phishing link, a questionable post) on personal accounts or the organisation’s accounts
productivity
- employees can be distracted by social media
data protection
- increased regulatory requirements around protecting PII that could be gained from social media sites
hacking
- accessing organisation-specific accounts and sending messages posing as the organisation
reputation
- well-meaning posts can be misinterpreted, leading to criticism
inactivity
- not keeping a social media account active could be as damaging as not using social media at all
costs
- using social media could lead to significant costs; using it badly could lead to fines
what are the risks of social media to individuals?
going viral: can be good or bad; abuse, disabling accounts when bad
internet trolling: abusive responses are referred to as trolling
employment: companies may disapprove of your posts during the recruitment process
legal sanction: law enforcement can review social media posts to help identify suspects, location etc
physical theft: showing you’re away from home
identity fraud: build up a portfolio from what you post
permanence: hard to remove content, others can take screenshots or download
what are the different types of vulnerabilities in an organisation?
technical: defects in software or poor protection
procedural deficiencies: IT related or user related
physical: a physical event such as fire or flood causing damage to the information technology system
where do most breaches come from?
human vulnerabilities rather than technical or physical
- phishing related
- stolen or lost devices
- insecure networks e.g. in public
what are some examples of the implications for an organisation that is compromised?
downtime: unable to carry out service, production loss, lost revenue
reputation damage: name & brand value negatively affected
customer flight: customers move to competitors; need to prevent over-reliance on single customers
industry consequences: in healthcare and financial services, cyber security breaches can be very costly as they are highly regulated
termination of employees: those accountable for the breach or misconduct
loss of IP or trade secrets: lost trust in ability to protect customer details; the threat actor could have compromised the organisation’s competitive advantage in the industry
legal consequences: fines, lawsuit costs and settlements can be very significant. 2018 GDPR
what is GDPR?
the General Data Protection Regulation is an EU law, and in the UK was replaced by the Data Protection Act (DPA) in May 2018
what are the 2 main objectives of GDPR?
- protection of the fundamental rights and freedoms of individual persons with regard to the processing of personal data
- protection of the principle of free movement of personal data within the EU