UNIT 4

Access control principles


Access control is a fundamental concept in information security that determines who is allowed to access certain data, applications, and resources, and under what circumstances. It is a crucial component of web application security, ensuring only the right users have the right level of access to the right resources. Here are some key principles:

1. Authentication: This is the initial process of establishing the identity of a user. Common methods include passwords, PINs, security tokens, and even biometric scans.
2. Authorization: This adds an extra layer of security to the authentication process. It specifies access rights and privileges to resources to determine whether the user should be granted access to data or allowed to perform a specific transaction.
3. Access: Once a user has completed the authentication and authorization steps, their identity has been verified. This grants them access to the resource they are attempting to log in to.
4. Manage: Organizations manage their access control system by adding and removing the authentication and authorization of their users and systems.
5. Audit: Organizations can enforce the principle of least privilege through the access control audit process. This enables them to gather data about user activity and analyze that information to discover potential access violations.

There are four main types of access control:

• Discretionary Access Control (DAC): In DAC models, every object in a protected system has an owner, and owners grant access to users at their discretion.
• Mandatory Access Control (MAC): In MAC models, users are granted access in the form of a clearance. A central authority regulates access rights and organizes them into tiers, which uniformly expand in scope.
• Role-Based Access Control (RBAC): In RBAC models, access rights are granted based on defined business functions, rather than on individuals' identity or seniority.
• Attribute-Based Access Control (ABAC): In ABAC models, access is granted flexibly based on a combination of attributes and environmental conditions, such as time and location.

Access control is a feature of the modern Zero Trust security philosophy, which applies techniques like explicit verification and least-privilege access to help secure sensitive information and prevent it from falling into the wrong hands.

Subjects

Information security is a vast field that encompasses various subjects. Here are some of the key subjects that are typically covered in information security courses:

1. Cyber Defense: This subject focuses on strategies and techniques to protect information systems from cyber threats.
2. Cyber Ethics, Cyber Law and Cyber Policy: These subjects deal with the ethical, legal, and policy issues related to cybersecurity.
3. Information Systems: This subject covers the design, implementation, and management of computer-based information systems.
4. Data Communications & Networking: This subject involves the study of data transmission and networking technologies.
5. Digital Forensics: This subject focuses on the collection, preservation, analysis, and presentation of evidence from digital sources.
6. Information Technology Security Systems: This subject covers the principles and practices of securing information technology systems.
7. Encryption, Signature Schemes, Hash Functions, and Authentication: These subjects are the major fields of securing information online.
8. Ethical Hacking: This subject involves learning to think like an attacker in order to identify vulnerabilities and weaknesses in systems.
9. Analytics: This subject involves the use of data analysis tools and techniques to detect and prevent security threats.
10. Operations in Computer Networking: This subject covers the operational aspects of computer networks.
11. Information Assurance: This subject focuses on ensuring the availability, integrity, authentication, confidentiality, and non-repudiation of information and systems.

These subjects provide a comprehensive understanding of the various aspects of information security, from the technical details of securing systems to the broader ethical and legal implications of cybersecurity.

Objects and access rights

In the context of information security, objects and access rights are key components of access control systems.

Objects in information security are resources that you want to protect from unauthorized access, use, or disclosure. They can be files, directories, applications, or any other resource that requires controlled access. Objects automatically inherit security settings from their parent folder.

Access rights, also called permissions, determine which users can view the object and what those users can do. For example, to see a folder, a user needs at least the folder's View properties permission. Access rights vary by object and control all operations on that type of object.

An object's access rights are made up primarily of Access Control Entries (ACEs) that are organized into Access Control Lists (ACLs). An object's ACL is the collection of all the ACEs placed on it.

For example, documents have permissions that let the user make new versions of the document, whereas folders have an Add to Folder access right. These permissions are typically the same for the user and group SID attributes, the UserUniqueIDAttribute and GroupUniqueIDAttribute properties respectively.

In summary, objects are the resources that need protection, and access rights determine who can access these objects and what actions they can perform on them. This relationship between subjects (users or groups) and objects forms the basis of access control in information security.

Discretionary access control

Discretionary Access Control (DAC) is a type of security access control that grants or restricts object access via an access policy determined by an object's owner group and/or subjects. Here is how it works:

1. Creation: An object (like a file or folder) is created, and the creator becomes the owner who can control access permissions.
2. Configuration: The owner configures the Access Control List (ACL) for the newly created resource, assigning the users and groups who should have access, with the required permissions.
3. Access Request: One or more users who have been granted permission to the resource attempt to access it, resulting in an access request to the DAC system.
4. Verification: The DAC system checks whether the user information in the request matches an ACL entry, and then approves or denies the request depending on whether it finds a matching entry.
5. Enforcement: The DAC system enforces its decision in real time, allowing the user to view, modify, or run the requested resource so long as the corresponding ACL permits the action.

In DAC, each system object (like a file or data object) has an owner, and each initial object owner is the subject that caused its creation. Thus, an object's access policy is determined by its owner. A typical example of DAC is the Unix file mode, which defines the read, write, and execute permissions as three bits for each of the user (owner), group, and others.

DAC is easy to implement and intuitive but has certain disadvantages, including inherent vulnerabilities (such as the Trojan horse problem: any program the owner runs acts with the owner's discretion), the burden of maintaining ACLs or capabilities and of granting and revoking permissions, and limited negative-authorization power.
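As an added example (not code from these notes), the following Python sketch models the DAC flow above together with the ACE/ACL idea from the Objects and access rights section: each file carries a Unix-style mode, only the owner may add or remove ACL entries, and an access request is checked against the applicable rwx triple and any explicit entry. Subject, FileObject, the helper names and the sample users are assumptions made for the illustration.

```python
import stat
from dataclasses import dataclass, field

# Constructed illustration of Discretionary Access Control (not the notes' own
# code): objects have an owner, a group and a Unix-style mode, and the owner
# alone decides who else gets in by editing the object's ACL.

READ, WRITE, EXEC = 4, 2, 1          # bits of one rwx triple


@dataclass
class Subject:
    """A user (the subject) and the groups it belongs to."""
    name: str
    groups: frozenset


@dataclass
class FileObject:
    """A protected object. mode is e.g. 0o640: owner rw-, group r--, others ---."""
    name: str
    owner: str
    group: str
    mode: int
    acl: dict = field(default_factory=dict)   # explicit ACEs: user name -> bits


def applicable_triple(obj: FileObject, subj: Subject) -> int:
    """Unix rule: the owner triple applies to the owner, else the group triple
    if the subject is in the object's group, else the 'others' triple. Only one
    triple is consulted, so an owner can lock themselves out of a 0o077 file."""
    if subj.name == obj.owner:
        return (obj.mode >> 6) & 0o7
    if obj.group in subj.groups:
        return (obj.mode >> 3) & 0o7
    return obj.mode & 0o7


def is_allowed(obj: FileObject, subj: Subject, bit: int) -> bool:
    """Verification step: grant if the mode triple or an explicit ACE carries
    the requested bit; deny otherwise (no entry means no access)."""
    if applicable_triple(obj, subj) & bit:
        return True
    return bool(obj.acl.get(subj.name, 0) & bit)


def grant(obj: FileObject, granter: Subject, grantee: str, bits: int) -> None:
    """Configuration step: only the owner may add an ACE. This is what makes
    the control discretionary, and also why a Trojan horse run by the owner
    can silently widen access on the owner's behalf."""
    if granter.name != obj.owner:
        raise PermissionError(f"{granter.name} does not own {obj.name}")
    obj.acl[grantee] = obj.acl.get(grantee, 0) | bits


def revoke(obj: FileObject, granter: Subject, grantee: str) -> None:
    """Remove an ACE; again owner-only."""
    if granter.name != obj.owner:
        raise PermissionError(f"{granter.name} does not own {obj.name}")
    obj.acl.pop(grantee, None)


def mode_string(mode: int) -> str:
    """Render a mode as the familiar ls-style rwxr-x--- string."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"staff"}))
    bob = Subject("bob", frozenset({"staff"}))
    eve = Subject("eve", frozenset({"guests"}))
    report = FileObject("report.txt", owner="alice", group="staff", mode=0o640)
    print(mode_string(report.mode))                                      # rw-r-----
    print(is_allowed(report, bob, READ), is_allowed(report, bob, WRITE))  # True False
    print(is_allowed(report, eve, READ))                                  # False
    grant(report, alice, "eve", READ)          # alice, the owner, opens it up
    print(is_allowed(report, eve, READ))                                  # True
```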

Role-based access control

Role-Based Access Control (RBAC) is a security methodology that manages user access to systems, networks, or resources based on their role within a team or a larger organization. Here is how it works:

1. Assignment: Each user is assigned one or more roles.
2. Permission: User roles are assigned permissions.
3. Access: Users gain access to permissions by being active members of a role.

RBAC models often establish a role hierarchy, where the role structure resembles the hierarchy of the organization and may include roles for administrators, end users, and guests, and any specialized group in between. Some role hierarchies are inheritance hierarchies, where more senior user roles are automatically granted the roles beneath them along with their privileges.

Depending on the use case, organizations using RBAC may also enforce separation of duties by requiring involvement from multiple users with different roles to initiate a specific task or action. This practice, along with regular auditing of role permissions, is implemented to reduce risk by ensuring that no single user has more privileges than they actually need.

RBAC provides a more granular approach to identity and access management (IAM) than access control lists (ACLs), but remains simpler and easier to implement than attribute-based access control (ABAC). While other methods of IAM, like mandatory access control (MAC) or discretionary access control (DAC), might be effective for specific use cases, RBAC is a good choice for most organizations looking for an easy-to-manage governance solution that scales.
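The three steps above plus the role hierarchy and separation-of-duties ideas, as an added Python example (not code from these notes): roles carry permissions, senior roles inherit junior ones, and an assignment that would give one user two mutually exclusive roles, directly or through inheritance, is rejected. The RBAC class, the role and permission names and the sample users are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed RBAC engine for illustration (not the notes' own code).
# Assignment: users -> roles; Permission: roles -> permissions;
# Access: a user holds a permission through any role they hold, directly
# or via the inheritance hierarchy.


class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> permissions
        self.juniors = defaultdict(set)      # senior role -> roles it inherits
        self.user_roles = defaultdict(set)   # user -> directly assigned roles
        self.sod_pairs = set()               # frozensets of mutually exclusive roles

    def add_permission(self, role, perm):
        self.role_perms[role].add(perm)

    def inherit(self, senior, junior):
        """senior automatically receives everything granted to junior."""
        self.juniors[senior].add(junior)

    def add_sod(self, role_a, role_b):
        """Static separation of duties: no user may hold both roles."""
        self.sod_pairs.add(frozenset((role_a, role_b)))

    def effective_roles(self, roles):
        """Expand a role set downwards through the inheritance hierarchy."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def assign(self, user, role):
        """Reject the assignment if the user's effective roles would then
        contain both halves of a separation-of-duties pair."""
        would_hold = self.effective_roles(self.user_roles[user] | {role})
        for pair in self.sod_pairs:
            if pair <= would_hold:
                raise ValueError(f"{user}: roles {sorted(pair)} may not be combined")
        self.user_roles[user].add(role)

    def permissions(self, user):
        perms = set()
        for r in self.effective_roles(self.user_roles.get(user, set())):
            perms |= self.role_perms[r]
        return perms

    def check(self, user, perm):
        """Access step: does the user hold the permission through some role?"""
        return perm in self.permissions(user)

    def audit(self):
        """Least-privilege review: every user with their effective permissions."""
        return {u: sorted(self.permissions(u)) for u in self.user_roles}


if __name__ == "__main__":
    r = RBAC()
    r.add_permission("employee", "read:docs")
    r.add_permission("requester", "create:purchase")
    r.add_permission("approver", "approve:purchase")
    r.inherit("requester", "employee")
    r.inherit("approver", "employee")
    r.inherit("finance_admin", "approver")     # admin is senior to approver
    r.add_sod("requester", "approver")         # nobody may both raise and approve
    r.assign("alice", "requester")
    r.assign("bob", "finance_admin")
    print(r.audit())
    try:
        r.assign("alice", "finance_admin")     # would inherit approver: rejected
    except ValueError as exc:
        print("denied:", exc)
```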

Case study

Here are a few case studies in information security:

1. Information Security Management Practices: Case Studies from India: This study explores and examines the information security management (ISM) practices of two IT development and services organizations in India. The study adopts a qualitative research route to understand the current ISM practices of the case organizations. The results highlight the importance of consistent top management support, organizational information security culture, and a proper monitoring system for ISM effectiveness in organizations.
2. Fortifying Information Security Case Study (Accenture): This case study discusses how Accenture evolved and matured its defenses to fortify the company's security posture. A small team was tasked with formulating a response, strengthening and expanding Accenture's security defenses beyond technical systems, tools, and controls by restructuring their security approach to meet Information Security Management System (ISMS) standards.
3. Case Study in Information Security: Securing The Enterprise: This practical case study discusses an insurance company's migration to an enterprise-wide security system. It provides a path to follow when creating or migrating to a security system.

These case studies provide valuable insights into the practical application of information security principles in real-world scenarios.

Introduction & types of Malicious Software (Malware)

Malware, short for malicious software, refers to any intrusive software developed by cybercriminals to steal data and damage or destroy computers and computer systems. It is a file or code, typically delivered over a network, that infects, explores, steals, or conducts virtually any behavior an attacker wants. Malware can reveal itself through many different aberrant behaviors.

Here are some common types of malware:

1. Virus: A computer virus is a malicious program that self-replicates by copying itself to another program. It damages computer systems and/or destroys or erases data files.
2. Worm: A worm is a destructive program that fills a computer system with self-replicating information, clogging the system so that its operations are slowed down or stopped.
3. Trojan/Backdoor: Trojans are malicious programs that perform actions that have not been authorized by the user.
4. Rootkit: A rootkit is a collection of software tools that enable remote control and administration-level access over a computer or computer network.
5. Advanced Persistent Threat (APT): APTs are long-term targeted attacks, which are aimed at compromising specific entities.
6. Spyware and Adware: Spyware is software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive. Adware is software that automatically displays or downloads advertising material when a user is online.
7. Ransomware: Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

These malicious programs can steal, encrypt, or delete sensitive data, alter or hijack key computing functions, and monitor the victim's computer activity. The motives behind malware vary: it can be about making money off you, sabotaging your ability to get work done, making a political statement, or just bragging rights.

Propagation–Infected Content–Viruses

In the context of information security, propagation refers to the process by which a computer virus spreads from one system to another. Viruses are a type of malicious software (malware) that can self-replicate by attaching themselves to other programs or files.

During the propagation phase, a virus begins to self-replicate, creating copies of itself and storing them in various parts of the infected computer's disk drive. These copies, or clones, may be slightly altered in an attempt to avoid detection. Each clone is also capable of self-replication, allowing the virus to spread and infect more parts of the system.

The propagation of viruses is a significant concern in information security. Understanding the propagation characteristics of viruses is key to developing effective antivirus measures and strategies. For instance, researchers have proposed optimal control measures based on virus propagation models to help manage the spread of viruses in information networks.

The infected content refers to the files or programs that have been compromised by the virus. Once a file or program is infected, it can further spread the virus when it is executed or opened. Therefore, managing and controlling the propagation of viruses is crucial in maintaining the security and integrity of information systems.

Types of viruses

There are several types of computer viruses, each with unique characteristics and methods of operation. Here are some common types:

1. File Virus: This type of virus infects the system by appending itself to the end of a file.
2. Boot Sector Virus: It infects the boot sector of the system, executing every time the system is booted and before the operating system is loaded.
3. Macro Virus: These viruses are written in a high-level language like Visual Basic and are triggered when a program capable of executing a macro is run.
4. Source Code Virus: It looks for source code and modifies it to include the virus and to help spread it.
5. Polymorphic Virus: To avoid detection by antivirus software, a polymorphic virus changes each time it is installed.
6. Encrypted Virus: This type of virus exists in encrypted form to avoid detection by antivirus software. It carries a decryption routine along with it.
7. Stealth Virus: It changes the code that can be used to detect it, making the detection of viruses very difficult.
8. Tunneling Virus: This virus attempts to bypass detection by antivirus scanners by installing itself in the interrupt handler chain.
9. Multipartite Virus: This type of virus is able to infect multiple parts of a system, including the boot sector, memory, and files.
10. Armored Virus: An armored virus is coded to make it difficult for antivirus software to unravel and understand.

Each type of virus has its own propagation methods and payloads, and they all pose significant threats to information security.

Propagation–Vulnerability Exploit–Worms

In the context of information security, worms are a type of malware that self-replicates and spreads across networks or systems without any user intervention. Unlike other forms of malware, such as viruses and Trojan horses, worms do not need to attach themselves to a host program or file.

During the propagation phase, a worm exploits security vulnerabilities in software or operating systems to propagate itself to other devices and networks. Worms can propagate through various means, including email attachments, malicious links, instant messaging, file-sharing networks, or even removable media like USB drives.

A good example of a self-propagating worm which targeted a specific vulnerability was the Sasser worm. It exploited a vulnerability in Windows to propagate. The author of the Sasser worm was monitoring the updates Microsoft releases for Windows. One of them fixed something Microsoft referred to as a "Critical Remote Code Execution Vulnerability", which for a malware author reads "$$$ JACKPOT! $$$". By downloading and examining the update he found out exactly how the bug worked.

Every Windows installation has a background program called "Local Security Authority Subsystem Service" (lsass.exe) which starts with the system and listens on port 445. Any other system on the internet can connect to this service. However, it cannot do anything unless it sends the correct login credentials, so this service is usually harmless.

But Microsoft found and fixed a bug in this program: when a specifically crafted message is sent to it, a buffer overflow occurs and parts of that message are executed as a program. So the author wrote a program which (grossly oversimplified) connects to port 445 on random IP addresses and sends the malicious message, including its own code. If the target system had not yet installed the update, it would execute this program, which would then do the same thing from there.

This is basically how all internet worms work. The author finds a vulnerability which allows arbitrary code execution. They write a program which automatically searches for vulnerable systems and then uses the vulnerability to smuggle a copy of itself onto the system and execute it. What do we learn from this? Install released updates fast, because the moment a software vendor releases an update, the vulnerability is known and black hats will start writing malware which exploits it.

Propagation–Social Engineering–SPAM E-mail

Propagation in the context of SPAM emails refers to the distribution of unsolicited emails to a large number of recipients. SPAM emails are a common method used in social engineering attacks, where attackers manipulate individuals into revealing confidential information or performing actions that may result in a security breach.

Social engineering attacks often use SPAM emails to target victims. These emails may appear to be from a legitimate source and may contain malicious links or attachments. When a user clicks on the link or opens the attachment, they may unknowingly install malware on their system or provide sensitive information to the attacker.

Here are some common types of SPAM email-based social engineering attacks:

1. Phishing: This is the most common type of social engineering attack. Phishing emails typically appear to be from a legitimate source and attempt to trick the victim into providing sensitive information, such as login credentials or credit card numbers.
2. Spear Phishing: This is a more targeted form of phishing where the attacker has gathered specific information about the victim and uses this to make the email seem more legitimate.
3. Whaling: This is a form of spear phishing that specifically targets high-level executives within an organization.
4. Pretexting: This involves the attacker pretending to need certain information from the victim in order to confirm their identity.

By understanding these methods of propagation and the tactics used in social engineering attacks, individuals and organizations can better protect themselves against such threats.

Trojans and their types

A Trojan, also known as a Trojan horse, is a type of malicious software that disguises itself as legitimate software. Trojans are designed to steal, damage, disrupt, or perform other harmful actions on data or networks. Unlike computer viruses, a Trojan horse requires a user to download the server side of the application for it to function, because it cannot manifest by itself.

Here are some common types of Trojans:

1. Backdoor Trojan: This type of Trojan creates a "backdoor" on your computer, allowing an attacker to gain remote access and control.
2. Rootkit Trojan: A rootkit is a malicious program that installs and executes code on a system without user consent in order to gain system access.
3. Downloader Trojan: This Trojan targets your already-infected computer, downloading and installing new versions of malicious programs.
4. Ransomware: This type of Trojan is designed to encrypt the data on the compromised system and then demand payment in exchange for its decryption.
5. Banker Trojan: This Trojan is designed to steal sensitive information related to online banking and other online financial transactions.
6. Denial-of-Service (DoS) Attack Trojan: This Trojan performs DoS attacks, which aim to take down a network by flooding it with traffic.
7. Exploit Trojan: This Trojan takes advantage of software vulnerabilities in order to infect the system.
8. Mailfinder Trojan: This Trojan harvests email addresses from the infected system.
9. Fake Antivirus (Fake AV): This Trojan behaves like antivirus software, but demands money from you to detect and remove threats, whether they are real or fake.
10. Spy Trojan: This Trojan spies on how a user uses their computer and steals any personal information.
11. Infostealer Trojan: This Trojan steals valuable information from the system.
12. Remote Access Trojan (RAT): This Trojan allows a remote attacker to control the victim's computer.

Each type of Trojan has its own propagation methods and payloads, and they all pose significant threats to information security.

Payload–System Corruption

In the context of information security, a payload refers to the part of the malware that performs the malicious action. Payloads can take various forms, such as a virus, worm, or Trojan, and are typically delivered to the target system through a vulnerability or security flaw.

System corruption is one of the harmful actions that a payload can perform. This can involve deleting or modifying system files, affecting the behavior of a computer, or even disabling the operating system and/or startup processes. For example, some payloads are designed to "brick" smartphones, meaning they can no longer be turned on or used in any way.

Payloads can also run processes in the background, such as cryptocurrency mining or data storage. They can even trigger the download of a much larger piece of malicious software.

In summary, the payload is the harmful component of a cyber attack, and system corruption is one of the many damaging actions it can perform. Understanding these concepts is crucial for developing effective cybersecurity measures.

Payload–Attack

In the context of cybersecurity, a payload is the component of a cyber attack that causes harm to the victim. It is a piece of malicious code designed to execute a specific action on a target system. This code can take various forms, such as a virus, worm, or Trojan, and is typically delivered to the target system through a vulnerability or security flaw.

Payloads are a critical component of many types of attacks, including ransomware, remote access trojans, command and control attacks, exploit attacks, and macro payloads. In 2022, over 80% of cyber attacks involved the use of payloads to deliver malware or other malicious code.

Here are some common ways a malicious payload gets executed:

• Opening an executable file: For example, a victim downloads an email attachment that they believe to be a piece of pirated software and double-clicks on the installation file, which executes the payload.
• Social engineering attacks and DNS hijacking: These are two common examples of payload delivery techniques.
• Running background processes: A malicious payload can also be triggered to quietly run processes in the background, such as cryptocurrency mining or data storage.

Understanding what a payload is, how it works, and the various types of payloads that exist is essential for cybersecurity professionals looking to protect their systems from these types of threats.

Agent–Zombie

In cybersecurity terms, a zombie is a computer or electronic device that has been compromised by malware or malicious software. When a computer is infected by malicious software, that computer can be controlled by an attacker sitting at a different location, and the owner will not know about this. These infected computers are termed "zombies".

Here is an overview of how zombies operate in the cyber world:

1. Infection: When a computer is infected by malware, a zombie is created. Visiting fake websites, downloading malicious files, and opening infected attachments are common ways of being exposed to malware.
2. Remote Control: After infection, a connection is set up between the attacker's command-and-control (C&C) server and the compromised device. This C&C server becomes a central hub from which the attacker manages and controls the zombies. With this connection, the attacker can issue commands to the zombies without the knowledge of the owner.
3. Botnet Formation: Botnets are networks of zombies, i.e. a botnet is the collection of compromised devices that work under the control of a single attacker.

Different types of zombies serve different malicious intents:

• Botnet Zombies: These are compromised devices or computers, infected with malware and controlled by central command and control (C&C) servers. These devices form a network called a botnet. Botnets allow the criminal to coordinate various cybercrimes, such as distributing spam or launching DDoS attacks.
• Fileless Zombies: The problem with traditional malware is that it leaves traces on the affected systems. A fileless zombie operates in memory and leaves almost no trail on the hard drive. These zombies are mostly undetectable by traditional antivirus software, making them hard to identify and mitigate.
• IoT Zombies: Many IoT devices, such as smart home, medical, or industrial devices, can be compromised and converted into zombies. These infected devices are a way to launch a large attack or can be the entry point into a larger network.
• Ransomware Zombies: Some malware encrypts the victim's files, locking those files on the victim's own computer, and demands money to decrypt them. This type of attack is called a ransomware attack. Machines hit by these attacks can become zombies controlled by a ransomware controller.
• Social Engineering Zombies: These zombies are not devices or computers; they refer to individuals who are manipulated into giving up sensitive information through social engineering tactics. Attackers use techniques such as fake websites, phone calls, or phishing emails to manipulate people into providing sensitive information or installing malware themselves.

Bots

In the context of cybersecurity, a bot is a software application that runs automated tasks over the internet. Bots can automate and supplement human workflows, taking on repetitive and lower-value work. Advanced bots and automated agents can interpret language, engage in chats and conversations, and use machine learning algorithms to assist decision making.

However, not all bots are benign. Some bots are malicious and are used to automatically scan websites for software vulnerabilities and execute simple attack patterns. Networks of these malicious bots, known as botnets, are collections of Internet-connected devices, such as computers, smartphones, or IoT devices, whose security has been breached and whose control has been ceded to a third party. Each compromised device, known as a "bot", is created when a device is penetrated by software from a malware (malicious software) distribution. The bots serve as a tool to automate mass attacks, such as data theft, server crashing, and malware distribution.

There are many types of bots active on the Internet, both legitimate and malicious. Some common examples include:

• Spider Bots: Browse the web by following hyperlinks, with the objective of retrieving and indexing web content.
• Scraper Bots: Read data from websites with the objective of saving it offline and enabling its reuse.
• Spam Bots: Gather email addresses for spam mailing lists.
• Botnets: Networks of compromised devices controlled by a single attacker.

Understanding what a bot is, how it works, and the various types of bots that exist is essential for cybersecurity professionals looking to protect their systems from these types of threats.

Payload–Information Theft–Keyloggers

A keylogger is a type of malicious software (malware) that records a user's keystrokes. Keyloggers are often used in cyber attacks to steal sensitive information, such as usernames, passwords, credit card numbers, and other personal details. This information is then sent back to the attacker.

Keyloggers can be part of the payload in a cyber attack. In cybersecurity, a payload refers to the part of the malware that performs the malicious action. In the case of keyloggers, the payload is the code that records the keystrokes and transmits the data to the attacker.

Keyloggers can be delivered in various ways, including through phishing emails, malicious downloads, or infected websites. Once installed on a victim's device, the keylogger runs in the background, recording every keystroke and sending the data to the attacker.

There are two main types of keyloggers: hardware keyloggers and software keyloggers. Hardware keyloggers are physical devices that are attached to the computer, while software keyloggers are programs that are installed on the computer.

Keyloggers pose a significant threat to information security, as they can lead to identity theft, financial loss, and other serious consequences. Therefore, it is important to have robust security measures in place, such as regularly updating software, using strong and unique passwords, and installing reliable security software.

Phishing
Phishing is a type of cybersecurity attack where malicious actors send messages
pretending to be a trusted person or entity. Phishing messages manipulate a user,
causing them to perform actions like installing a malicious file, clicking a
malicious link, or divulging sensitive information such as access credentials.

Phishing attacks send fraudulent communications that appear to come from a
reputable source. The goal is to steal sensitive data like credit card and login
information, or to install malware on the victim’s machine. Phishing is one of the
most common types of cyber attack, so everyone should learn how to recognize it.

Phishing starts with a fraudulent email or other communication that is designed to
lure a victim. The message is made to look as though it comes from a trusted
sender. If it fools the victim, he or she is coaxed into providing confidential
information, often on a scam website that imitates the real login page. Sometimes
malware is also downloaded onto the target’s computer.

There are several types of phishing attacks:

 Deceptive Phishing: The most common form. The attacker impersonates a
well-known company or service in bulk messages, attempting to obtain
confidential information from whoever responds.
 Spear Phishing: This targets specific individuals instead of a wide group of
people, using details about the target (name, role, colleagues, current
projects) to make the message convincing.
 Whaling: When attackers go after a “big fish” like a CEO, it’s called
whaling.

One way to protect your organization from phishing is user education. Education
should involve all employees; high-level executives are often a target. Teach
them how to recognize a phishing email (a sender address that does not match the
display name, artificial urgency, links whose real destination differs from the
text shown) and what to do when they receive one. Simulation exercises are also
key for assessing how your employees react to a staged phishing attack.
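The following is an added example, not part of the original notes, showing the same tells in code: it parses a raw email and reports a display name that trades on a trusted brand while the real sender domain is not trusted, a Return-Path domain that differs from the From domain, link text whose host differs from the real href target, and any sender or link domain within two edits of a trusted domain (typo-squatting). The trusted-domain list and both sample messages are constructed for the demo.

```python
"""Heuristic phishing-email triage (added example, not from the original notes)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}  # assumption for the demo


def registrable(host: str) -> str:
    """Crude registrable-domain cut: last two labels (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    rp_dom = rp_addr.rsplit("@", 1)[-1].lower() if "@" in rp_addr else ""

    # 1. Display name uses a trusted brand while the real domain is not trusted.
    brands = {t.split(".")[0].replace("-", "") for t in trusted}
    flat_name = re.sub(r"[^a-z0-9]", "", name.lower())
    if from_dom not in trusted and ("@" in name or any(b in flat_name for b in brands)):
        findings.append(f"display name '{name}' impersonates a trusted sender; real domain is {from_dom}")

    # 2. Bounce address domain differs from the visible sender (weak signal alone).
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 3. Link text shows one host, href goes to another.
    hosts = {registrable(from_dom)}
    extractor = LinkExtractor()
    if msg.get_content_type() == "text/html":
        extractor.feed(msg.get_payload())
    for href, text in extractor.links:
        href_host = (urlparse(href).hostname or "").lower()
        hosts.add(registrable(href_host))
        if "://" in text or text.startswith("www."):
            text_host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            if text_host and text_host != href_host:
                findings.append(f"link shows {text_host} but points to {href_host}")

    # 4. Any sender or link domain within two edits of a trusted domain.
    for host in sorted(hosts):
        for t in trusted:
            if host and host != t and edit_distance(host, t) <= 2:
                findings.append(f"{host} is a lookalike of trusted domain {t}")
    return findings


# Constructed sample messages for the demo.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@examp1e-bank.com>
Return-Path: <bounce@mail-blast.example.net>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been limited. Verify within 24 hours:</p>
<p><a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/secure</a></p>
</body></html>
"""

SAMPLE_CLEAN = """From: "Example Bank" <alerts@example-bank.com>
Return-Path: <alerts@example-bank.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for line in analyse(SAMPLE_PHISH):
        print("-", line)
    print("clean message:", analyse(SAMPLE_CLEAN))
```

None of these signals is proof on its own (legitimate bulk mail often has a Return-Path on the sending provider's domain), which is why a real filter scores them together and why user training still matters for the cases heuristics miss.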

Spyware
Spyware is a type of malicious software that enters a user’s computer, gathers data
from the device and user, and sends it to third parties without their consent. A
commonly accepted spyware definition is a strain of malware designed to access
and damage a device without the user’s consent. Spyware collects personal and
sensitive information that it sends to advertisers, data collection firms, or malicious
actors for a profit. Attackers use it to track, steal, and sell user data, such as
internet usage, credit card, and bank account details, or steal user credentials to
spoof their identities.

Spyware is one of the most commonly used cyberattack methods, can be difficult
for users and businesses to identify, and can do serious harm to networks. It also
leaves businesses vulnerable to data breaches and data misuse, often affects device
and network performance, and slows down user activity.

Here are some of the most commonly used types of spyware:

 Adware: This sits on a device and monitors users’ activity, then sells their
data to advertisers and malicious actors or serves up malicious ads.
 Infostealer: This is a type of spyware that collects information from
devices. It scans them for specific data such as saved browser credentials,
cookies, and instant messaging conversations.
 Keyloggers: Also known as keystroke loggers, keyloggers are a type of
infostealer spyware. They record the keystrokes that a user makes on their
infected device, then save the data into a log file (often encrypted) for later
exfiltration.
 Rootkits: These enable attackers to deeply infiltrate devices by exploiting
security vulnerabilities or logging into machines as an administrator, and
then hide the spyware’s presence (see Rootkits below).
 Red Shell: This spyware installs itself onto a device while a user is
installing specific PC games, then tracks their online activity.

Spyware can enter a computer system in various ways, such as through phishing,
spoofing, free or shared software, and misleading software. It is a best practice to
be cautious of the sites that are used for downloading content on the system.

Payload–Stealthing–Backdoors
In the context of cybersecurity, a payload is a piece of malicious code that is
designed to execute a specific action on a target system. This code can take
various forms, such as a virus, worm, or Trojan, and is typically delivered to the
target system through a vulnerability or security flaw.

Backdoors are hidden entry points into a system that are designed to bypass
normal authentication procedures. Backdoors can be used by attackers to gain
unauthorized access to a system or to maintain persistence on an already
compromised system. They are often part of the payload in a cyber attack.

The term stealthing in this context refers to the practice of making these backdoors
as difficult to detect as possible. For example, BPFDoor is a backdoor payload
specifically crafted for Linux. Its purpose is long-term persistence in order to
gain re-entry into a previously or actively compromised target environment. It
notably utilizes BPF (Berkeley Packet Filter) along with a number of other
techniques to achieve this goal, taking great care to be as efficient and stealthy
as possible: instead of opening a listening port, it attaches a BPF filter to a raw
socket and watches all incoming traffic for an attacker’s “magic” packet, so it
does not appear in a listing of listening ports, and it renames its process to
look like an ordinary system daemon.

In summary, the payload is the harmful component of a cyber attack, backdoors
provide unauthorized access to a system, and stealthing is the practice of making
these backdoors difficult to detect.
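The following is an added example, not part of the original notes. It shows the simplest kind of backdoor, a hidden branch in a login routine that accepts a hard-coded master password and so bypasses the user database, next to the hardened routine in which every path goes through the user store and a constant-time comparison. It also includes the kind of static check a code reviewer or CI job would run to find such a planted branch: it walks Python source with the `ast` module and reports comparisons of a password-like name against a string literal. The user table, the password and all names are constructed for the demo.

```python
"""A planted authentication backdoor, its hardened form, and a static check
that finds the planted branch (added example, not from the original notes)."""
import ast
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, pbkdf2 hash). The salt is fixed
# only so the demo is deterministic; real code uses a random salt per user.
_SALT = b"demo-salt-not-random"
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def login_with_backdoor(username: str, password: str) -> bool:
    """'Before': a hidden master password bypasses the user database entirely."""
    if password == "sup3r_s3cret_maint":  # planted backdoor
        return True
    rec = USERS.get(username)
    return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])


def login(username: str, password: str) -> bool:
    """Hardened: every path goes through the user store and a constant-time compare."""
    rec = USERS.get(username)
    if rec is None:
        _hash(password, _SALT)  # same work for unknown users, so timing does not leak names
        return False
    return hmac.compare_digest(_hash(password, rec[0]), rec[1])


SECRET_NAMES = ("pass", "pwd", "token", "secret", "key")


def find_hardcoded_secret_checks(source: str) -> list:
    """Return (line, name, literal) for comparisons like `password == "literal"`."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        sides = [node.left] + list(node.comparators)
        names = [s.id for s in sides if isinstance(s, ast.Name)]
        literals = [s.value for s in sides
                    if isinstance(s, ast.Constant) and isinstance(s.value, str)]
        for name in names:
            if any(tok in name.lower() for tok in SECRET_NAMES):
                for lit in literals:
                    hits.append((node.lineno, name, lit))
    return hits


if __name__ == "__main__":
    import inspect
    print(login_with_backdoor("nobody", "sup3r_s3cret_maint"))  # the backdoor lets anyone in
    print(login("nobody", "sup3r_s3cret_maint"))                # hardened version refuses
    for line, name, lit in find_hardcoded_secret_checks(inspect.getsource(login_with_backdoor)):
        print(f"hard-coded credential check at line {line}: {name} == {lit!r}")
```

The static check is deliberately narrow (it misses attribute names and obfuscated literals), but it demonstrates the point: a backdoor that bypasses authentication is visible in source as a comparison against a constant, and reviewing for that pattern is cheap.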

Rootkits
A rootkit is a type of malicious software that allows an attacker to gain access to
and control your computer system while hiding its own presence. Hackers often use
rootkits to steal sensitive information, such as passwords and financial data, or to
use your computer as part of a larger botnet for further attacks. Rootkits are one of
the most difficult malware strains to discover and remove, and are frequently used
to eavesdrop on users and launch attacks on machines.

Rootkits can contain multiple malicious tools, which typically include bots to
launch distributed denial-of-service (DDoS) attacks; software that can disable
security software, steal banking and credit card details, and steal passwords; and
keystroke loggers. A rootkit usually provides an attacker with a backdoor into a
machine, which gives them access to the infected computer and enables them to
change or remove software and components when they choose.

There are several types of rootkits:

1. Firmware Rootkits: A firmware rootkit, also known as a hardware rootkit,
typically infects firmware such as a computer’s basic input/output system
(BIOS, or its successor UEFI), the software stored on a small memory chip on the
motherboard, or the firmware of a hard drive. Because it lives outside the
operating system, it survives reinstalling the OS.
2. Bootloader Rootkits: A bootloader is an important element of any
computer and is central to a machine booting up. A bootloader rootkit (bootkit)
attacks this stage by replacing a machine’s bootloader with a hacked version, so
the malicious code runs before the operating system is loaded.
3. Kernel Mode Rootkits: A kernel mode rootkit is a sophisticated piece of
malware that runs with kernel privileges and can add new code to the operating
system or delete and edit operating system code, for example hooking system
calls so that its files and processes are filtered out of every listing.
4. Virtualized Rootkits: Unlike kernel mode rootkits, which load when the
targeted operating system boots, a virtualized rootkit loads before the operating
system, as a thin hypervisor, and then runs the original operating system as a
guest, so the OS and the security software inside it cannot see it.
5. User Mode Rootkits: User mode rootkits run as ordinary programs and modify
the behavior of application programming interfaces (APIs) by hooking the library
calls that programs use to list files, processes, and network connections,
removing the rootkit’s own entries from the results.

Rootkits can be installed through several methods, but they typically target a
vulnerability in a machine’s operating system (OS) or application on the machine.
Attackers will target known vulnerabilities and use exploit code to attack a
machine, then install a rootkit and other components that give them remote access.
Another common rootkit installation method is through infected universal serial
bus (USB) drives that attackers leave in public places in the hope that unwitting
victims will pick them up and plug them into a machine.
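The following is an added example, not part of the original notes, illustrating the user-mode rootkit from the list above and the cross-view technique used to detect it. `install_hook` stands in for the rootkit: it replaces `os.listdir` in this process with a wrapper that drops every entry starting with a hidden prefix, which is enough to blind a scanner that enumerates a directory through that API. `cross_view_diff` lists the same directory a second way that does not pass through the hooked function (`os.scandir`) and reports anything the API view is missing. Real rootkit detectors do the same thing with a low-level view (raw system calls or the on-disk file system structures) against the high-level API view. The hidden prefix and file names are assumptions for the demo.

```python
"""User-mode API hooking and cross-view detection (added example, not from
the original notes)."""
import os
import tempfile

HIDDEN_PREFIX = ".rk_"  # assumption: what the simulated rootkit hides
_real_listdir = os.listdir


def install_hook() -> None:
    """Simulate a user-mode rootkit: filter hidden entries out of os.listdir."""
    def hooked_listdir(path="."):
        return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]
    os.listdir = hooked_listdir


def remove_hook() -> None:
    os.listdir = _real_listdir


def api_view(path: str) -> set:
    """High-level view: what a scanner that calls os.listdir sees."""
    return set(os.listdir(path))


def low_level_view(path: str) -> set:
    """Second view that does not go through the hooked function."""
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def cross_view_diff(path: str) -> set:
    """Names present in the low-level view but missing from the API view."""
    return low_level_view(path) - api_view(path)


def demo(install: bool = True) -> dict:
    """Create a temp dir with one hidden file, optionally hook, compare the views."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", HIDDEN_PREFIX + "loader.so"):
            open(os.path.join(d, name), "w").close()
        if install:
            install_hook()
        try:
            hidden = cross_view_diff(d)
            visible = api_view(d)
        finally:
            remove_hook()
    return {"visible": visible, "hidden": hidden}


if __name__ == "__main__":
    r = demo()
    print("API view:", sorted(r["visible"]))
    print("hidden by hook:", sorted(r["hidden"]))
```

The limitation is the same as for any cross-view check: it only works while the rootkit has not also hooked the second path. A kernel-mode rootkit that filters at the system-call layer hides from both views, which is why detection then has to move below the kernel (offline disk inspection, or a trusted boot chain that refuses to load the modified kernel in the first place).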

Countermeasures
In computer security, countermeasures are actions, devices, procedures, or
techniques that reduce a threat, a vulnerability, or an attack by eliminating or
preventing it, minimizing the harm it can cause, or discovering and reporting it so
that corrective action can be taken. They are the controls used to protect the
confidentiality, integrity, and availability of data and information systems.
Countermeasures often refer to a set of techniques and strategies designed to
prevent, detect, and respond to threats to computer systems. These measures
protect systems from unauthorized access, data theft, and other malicious acts that
undermine the integrity, confidentiality, and availability of data.

Here are some common types of countermeasures in relation to computer security:

1. Physical Security Countermeasures: This includes physical security
attributes such as security locks, fencing, security personnel, surveillance
equipment, and cameras.
2. Technical Countermeasures: These include firewalls, intrusion detection
systems, encryption, and antivirus software.
3. Administrative Countermeasures: These involve security policies,
procedures, and awareness training.
4. Legal and Regulatory Countermeasures: These include laws, regulations,
and compliance requirements that govern how information is protected.

Countermeasures are significant because they support the prevention and
mitigation of threats in the event of a security event. They help organizations
better manage risk and minimize security issues and events.
