
Reviewer

Another reviewer

Uploaded by

bieiseura

Cross-Site Scripting

- Cross-site scripting (XSS) is a common vulnerability found in many web applications.

Code Injection

Most modern websites use a database, such as a Structured Query Language (SQL) or an Extensible Markup Language (XML) database, to store and manage data. Injection attacks seek to exploit weaknesses in these databases. Four common types of injection attacks:

- XML injection attack
  - An XML injection attack can corrupt the data on the XML database and threaten the security of the website. It works by interfering with an application's processing of XML data or a query entered by a user.
  - Cybercriminals can manipulate this query by programming it to suit their needs. This will grant them access to all of the sensitive information stored on the database and allow them to make any number of changes to the website.
- SQL injection attack
  - Cybercriminals can carry out an SQL injection attack on websites or any SQL database by inserting a malicious SQL statement in an entry field. This attack takes advantage of a vulnerability in which the application does not correctly filter the data entered by a user for characters in an SQL statement.
  - As a result, the cybercriminal can gain unauthorized access to information stored on the database, from which they can spoof an identity, modify existing data, destroy data or even become an administrator of the database server itself.
- DLL injection attack
  - A dynamic link library (DLL) file is a library that contains a set of code and data for carrying out a particular activity in Windows. Applications use this type of file to add functionality that is not built in when they need to carry out this activity.
  - DLL injection allows a cybercriminal to trick an application into calling a malicious DLL file, which executes as part of the target process.
- LDAP injection attack
  - The Lightweight Directory Access Protocol (LDAP) is an open protocol for authenticating user access to directory services.
  - An LDAP injection attack exploits input validation vulnerabilities by injecting and executing queries to LDAP servers, giving cybercriminals an opportunity to extract sensitive information from an organization's LDAP directory.

Buffer Overflow

- Buffers are memory areas allocated to an application. A buffer overflow occurs when data is written beyond the limits of a buffer. By changing data beyond the boundaries of a buffer, the application can access memory allocated to other processes. This can lead to a system crash or data compromise, or provide escalation of privileges.

Remote Code Execution

- Remote code execution allows a cybercriminal to take advantage of application vulnerabilities to execute any command with the privileges of the user running the application on the target device.
- Privilege escalation exploits a bug, design flaw or misconfiguration in an operating system or software application to gain access to resources that are normally restricted.

Other Application Attacks

1. Cross-site request forgery (CSRF)
   - CSRF describes the malicious exploit of a website where unauthorized commands are submitted from a user's browser to a trusted web application.
2. Race condition attack
   - Also known as a time of check (TOC) or a time of use (TOU) attack, a race condition attack happens when a computing system that is designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously.
3. Improper input handling attack
   - Data inputted by a user that is not properly validated can affect the data flow of a program and cause critical vulnerabilities in systems and applications that result in buffer overflow or SQL injection attacks.
4. Error handling attack
   - Attackers can use error messages to extract specific information such as the hostnames of internal systems and directories or files that exist on a given web server, as well as database, table and field names that can be used to craft SQL injection attacks.
5. Application programming interface (API) attack
   - An API delivers a user response to a system and sends the system's response back to the user. An API attack occurs when a cybercriminal abuses an API endpoint.
6. Replay attack
   - This describes a situation where a valid data transmission is maliciously or fraudulently repeated or delayed by an attacker, who intercepts, amends and resubmits the data to get the receiver to do whatever they want.
7. Directory traversal attack
   - Directory traversal occurs when an attacker is able to read files on the web server outside of the directory of the website. An attacker can then use this information to download server configuration files containing sensitive information, potentially expose more server vulnerabilities or even take control of the server.
8. Resource exhaustion attacks
   - These attacks are computer security exploits that crash, hang or otherwise interfere with a targeted program or system. Resource exhaustion attacks overwhelm the hardware resources available on the target's server instead.
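The SQL injection weakness described above (user data pasted into the statement without filtering) next to its parameterized fix, as an added example that is not code from the original notes; the users table and its rows are constructed for the demo.

```python
"""SQL injection: an entry-field value pasted into SQL text, beside the
parameterized fix. Added example, not code from the original notes; the
users table and its rows are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each with a private column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The user-supplied value becomes part of the statement text, so a
    quote character in it ends the string literal and whatever follows is
    parsed as SQL: exactly the missing filtering the notes describe."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver sends the value separately from the
    statement, so it is compared as data and never parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Row counts returned by each lookup for the same input."""
    conn = make_db()
    return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))
```

For a normal name both lookups return one row; for an input containing a quote and an always-true condition, the string-built query returns every row while the parameterized one returns none.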
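The replay attack in item 6 above (a valid transmission repeated, delayed or amended) and a receiver that rejects all three cases, as an added example that is not part of the original notes; the shared key, the commands and the clock values are constructed assumptions.

```python
"""Replay attack: a receiver that rejects repeated, delayed or amended
messages. Added example, not from the original notes; the shared key, the
commands and the clock values are constructed for the demo."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

KEY = b"constructed-demo-shared-key"  # would be provisioned out of band
MAX_AGE_SECONDS = 30                  # how late a message may still arrive


def _mac(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def build_message(command: str, now: Optional[float] = None) -> dict:
    """Sender: bind a fresh nonce and the send time into the MAC, so a
    captured copy cannot be re-sent later or re-sent with changes."""
    payload = {"cmd": command,
               "nonce": secrets.token_hex(16),
               "ts": int(now if now is not None else time.time())}
    return {**payload, "mac": _mac(payload)}


class Receiver:
    """Receiver: remembers the nonces it has already honoured."""

    def __init__(self) -> None:
        # in practice prune nonces older than MAX_AGE_SECONDS
        self.seen_nonces = set()

    def accept(self, msg: dict, now: Optional[float] = None) -> bool:
        now = now if now is not None else time.time()
        payload = {k: v for k, v in msg.items() if k != "mac"}
        # 1. integrity: an amended message no longer matches its MAC
        if not hmac.compare_digest(_mac(payload), str(msg.get("mac", ""))):
            return False
        # 2. freshness: a delayed message falls outside the time window
        if abs(now - payload.get("ts", 0)) > MAX_AGE_SECONDS:
            return False
        # 3. uniqueness: a repeated message re-uses a nonce already seen
        if payload.get("nonce") in self.seen_nonces:
            return False
        self.seen_nonces.add(payload["nonce"])
        return True
```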
Some common email and browser attacks

- Spam
  - Spam, also known as junk mail, is simply unsolicited email. In most cases, it is a method of advertising. However, a lot of spam is sent in bulk by computers infected by viruses or worms and often contains malicious links, malware or deceptive content that aims to trick recipients into disclosing sensitive information, such as a social security number or bank account information.
- Phishing
  - Phishing is a form of fraudulent activity often used to steal personal information.
  - Phishing occurs when a user is contacted by email or instant message by someone masquerading as a legitimate person or organization. The intent is to trick the recipient into installing malware on their device or into sharing personal information, such as login credentials or financial information.
  - Spear phishing
    - A highly targeted attack, spear phishing sends customized emails to a specific person based on information the attacker knows about them, which could be their interests, preferences, activities and work projects.
- Common scams
  - Vishing
    - Often referred to as voice phishing, this type of attack sees criminals use voice communication technology to encourage users to divulge information, such as their credit card details. Criminals can spoof phone calls using voice over internet protocol (VoIP), or leave recorded messages to give the impression that they are legitimate callers.
  - Pharming
    - This type of attack deliberately misdirects users to a fake version of an official website. Tricked into believing that they are connected to a legitimate site, users enter their credentials into the fraudulent website.
  - Whaling
    - Whaling is a phishing attack that targets high-profile individuals, such as senior executives within an organization, politicians and celebrities.

Some other common attacks that cybercriminals can launch

- Physical attacks
  - Physical attacks are intentional, offensive actions used to destroy, expose, alter, disable, steal or gain unauthorized access to an organization's infrastructure or hardware.
- Adversarial artificial intelligence attacks
  - Machine learning is a method of automation that allows devices to carry out analysis and perform tasks without specifically being programmed to do so. Machine learning uses mathematical models to predict outcomes. However, these models are dependent on the data that is inputted. If the data is tainted, it can have a negative impact on the predicted outcome. Attackers can take advantage of this to perpetrate attacks against machine learning algorithms.
- Supply chain attacks
  - Many organizations interface with a third party for their systems management or to purchase components and software. Organizations may even rely on parts or components from a foreign source.
- Cloud-based attacks
  - The advantage is that the cloud provider will maintain the equipment, but this also opens up an organization to a host of potential threats. Attackers are constantly leveraging ways to exploit sensitive data stored on the cloud, as well as applications, platforms and infrastructure that are cloud-based, as we saw with SaaS, PaaS and IaaS.

Network security relates directly to an organization's business continuity. Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people's privacy, and compromise the integrity of information. These can result in lost revenue for corporations, theft of intellectual property, lawsuits, and can even threaten public safety.

Vectors of Network Attacks

An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network.

Note: A DoS attack occurs when a network device or application is incapacitated and no longer capable of supporting requests from legitimate users.

An internal user, such as an employee, can accidentally or intentionally:
- Steal and copy confidential data to removable media, email, messaging software, and other media.
- Compromise internal servers or network infrastructure devices.
- Disconnect a critical network connection and cause a network outage.
- Connect an infected USB drive into a corporate computer system.

Internal threats have the potential to cause greater damage than external threats because internal users have direct access to the building and its infrastructure devices. Network security professionals must implement tools and apply techniques for mitigating both external and internal threats.

Data Loss

Data is likely to be an organization's most valuable asset. Data loss, or data exfiltration, is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world. The data loss can result in:
- Brand damage and loss of reputation
- Loss of competitive advantage
- Loss of customers
- Loss of revenue
- Litigation/legal action that results in fines and civil penalties
- Significant cost and effort to notify affected parties and recover from the breach

Common data loss vectors are displayed below.

- Email/Social Networking
  - The most common vector for data loss includes instant messaging software and social media sites.
- Unencrypted Devices
  - A stolen corporate laptop typically contains confidential organizational data. If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data.
- Cloud Storage Devices
  - Saving data to the cloud has many potential benefits. However, sensitive data can be lost if access to the cloud is compromised due to weak security settings.
- Removable Media
  - One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.
- Hard Copy
  - Corporate data should be disposed of thoroughly. Otherwise, a thief could retrieve discarded reports and gain valuable information.
- Improper Access Control
  - Passwords are the first line of defense. Stolen passwords or weak passwords which have been compromised can provide an attacker easy access to corporate data.

Threat, Vulnerability, and Risk

Assets are anything of value to an organization, such as data and other intellectual property, servers, computers, smart phones, tablets, and more.

1. Threat: A potential danger to an asset such as data or the network itself.
2. Vulnerability: A weakness in a system or its design that could be exploited by a threat.
3. Attack surface: The total sum of the vulnerabilities in a given system that are accessible to an attacker. The attack surface describes the different points where an attacker could get into a system, and where they could get data out of the system.
4. Exploit: The mechanism that is used to leverage a vulnerability to compromise an asset. Exploits may be remote or local. A remote exploit is one that works over the network without any prior access to the target system. In a local exploit, the threat actor has some type of user or administrative access to the end system. A local exploit does not necessarily mean that the attacker has physical access to the end system.
5. Risk: The likelihood that a particular threat will exploit a particular vulnerability of an asset and result in an undesirable consequence.

Risk management is the process that balances the operational costs of providing protective measures with the gains achieved by protecting the asset. There are four common ways to manage risk, as shown below:

- Risk acceptance: This is when the cost of risk management options outweighs the cost of the risk itself. The risk is accepted, and no action is taken.
- Risk avoidance: This means avoiding any exposure to the risk by eliminating the activity or device that presents the risk. By eliminating an activity to avoid risk, any benefits that are possible from the activity are also lost.
- Risk reduction: This reduces exposure to risk or reduces the impact of risk by taking action to decrease the risk. It is the most commonly used risk mitigation strategy.
- Risk transfer: Some or all of the risk is transferred to a willing third party such as an insurance company.

Other commonly used network security terms include:
- Countermeasure - The actions that are taken to protect assets by mitigating a threat or reducing risk.
- Impact - The potential damage to the organization that is caused by the threat.

Note: A local exploit requires inside network access such as a user with an account on the network. A remote exploit does not require an account on the network to exploit that network's vulnerability.

Hacker vs Threat Actor

As we know, "hacker" is a common term used to describe a threat actor. However, the term "hacker" has a variety of meanings:
- A clever programmer capable of developing new programs and coding changes to existing programs to make them more efficient.
- A network professional that uses sophisticated programming skills to ensure that networks are not vulnerable to attack.
- A person who tries to gain unauthorized access to devices on the internet.
- An individual who runs programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.

An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network, as shown in the figure.

Figure: External and Internal Threats
- White hat hackers are ethical hackers who use their programming skills for good, ethical, and legal purposes.
- Grey hat hackers are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage.
- Black hat hackers are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Black hat hackers exploit vulnerabilities to compromise computer and network systems.

Evolution of Threat Actors

Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems.

In the mid-1980s, computer dial-up modems were used to connect computers to networks. Threat actors wrote "war dialing" programs which dialed each telephone number in a given area in search of computers, bulletin board systems, and fax machines.

There are many different types of threat actors.

1. Script kiddies - Script kiddies emerged in the 1990s; the term refers to teenagers or inexperienced threat actors running existing scripts, tools, and exploits to cause harm, but typically not for profit.
2. Vulnerability brokers - Vulnerability brokers typically refers to grey hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
3. Hacktivists - Hacktivists is a term that refers to grey hat hackers who rally and protest against different political and social ideas. Hacktivists publicly protest against organizations or governments by posting articles and videos, leaking sensitive information, and performing distributed denial of service (DDoS) attacks.
4. Cybercriminals - Cybercriminal is a term for black hat hackers who are either self-employed or working for large cybercrime organizations. Each year, cybercriminals are responsible for stealing billions of dollars from consumers and businesses.
5. State-sponsored - State-sponsored hackers are threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking. Depending on a person's perspective, these are either white hat or black hat hackers.

Cybercriminals are threat actors who are motivated to make money using any means necessary. While sometimes cybercriminals work independently, they are more often financed and sponsored by criminal organizations. Cybercriminals operate in an underground economy where they buy, sell, and trade exploits and tools. They also buy and sell the personal information and intellectual property that they steal from victims.

Indicators of attack (IOA) focus more on the motivation behind an attack and the potential means by which threat actors have, or will, compromise vulnerabilities to gain access to assets.

- The US Cybersecurity and Infrastructure Security Agency (CISA) is leading efforts to automate the sharing of cybersecurity information with public and private organizations at no cost. CISA uses a system called Automated Indicator Sharing (AIS).
- The European Union Agency for Cybersecurity (ENISA) delivers advice and solutions for the cybersecurity challenges of the EU member states.

IP Vulnerabilities

- ICMP attacks: Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.
- Denial-of-Service (DoS) attacks: Threat actors attempt to prevent legitimate users from accessing information or services.
- Distributed Denial-of-Service (DDoS) attacks: Similar to a DoS attack, but features a simultaneous, coordinated attack from multiple source machines.
- Address spoofing attacks: Threat actors spoof the source IP address in an attempt to perform blind spoofing or non-blind spoofing.
- Man-in-the-middle attack (MiTM): Threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication. They could simply eavesdrop by inspecting captured packets, or alter packets and forward them to their original destination.
- Session hijacking: Threat actors gain access to the physical network, and then use an MiTM attack to hijack a session.

ICMP Attacks

ICMP was developed to carry diagnostic messages and to report error conditions when routes, hosts, and ports are unavailable. ICMP messages are generated by devices when a network error or outage occurs.

The following lists common ICMP messages of interest to threat actors.
- ICMP echo request and echo reply
- ICMP unreachable
- ICMP mask reply
- ICMP redirects
- ICMP router discovery

1. Amplification - The threat actor forwards ICMP echo request messages to many hosts. These messages contain the source IP address of the victim.
2. Reflection - These hosts all reply to the spoofed IP address of the victim to overwhelm it.

IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender or to pose as another legitimate user. The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations. Spoofing is usually incorporated into another attack such as a Smurf attack.

Non-blind spoofing - The threat actor can see the traffic that is being sent between the host and the target. Non-blind spoofing determines the state of a firewall and sequence-number prediction. It can also hijack an authorized session.

Blind spoofing - The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.
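The amplification/reflection pattern described in the ICMP section, seen from the defender's side: a victim receives echo replies from many hosts for echo requests it never sent. The detector below is an added example, not part of the original notes; the flow records are constructed, and the field layout and thresholds are assumptions.

```python
"""Detecting a reflection/amplification (Smurf-style) ICMP flood from flow
records. Added example, not from the original notes. The records are
constructed: 'timestamp src dst icmp_type', with type 8 = echo request and
type 0 = echo reply."""
from collections import defaultdict
from typing import Dict, List, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed sample: 10.0.0.5 pings once, then receives replies from six
# hosts it never queried; 10.0.0.7 pings three hosts and gets three replies.
SAMPLE_FLOWS = """\
1 10.0.0.5 10.0.0.1 8
1 10.0.0.1 10.0.0.5 0
2 10.0.0.7 10.0.0.1 8
2 10.0.0.1 10.0.0.7 0
2 10.0.0.7 10.0.0.2 8
2 10.0.0.2 10.0.0.7 0
2 10.0.0.7 10.0.0.3 8
3 10.0.0.3 10.0.0.7 0
3 10.0.0.11 10.0.0.5 0
3 10.0.0.12 10.0.0.5 0
3 10.0.0.13 10.0.0.5 0
3 10.0.0.14 10.0.0.5 0
3 10.0.0.15 10.0.0.5 0
3 10.0.0.16 10.0.0.5 0
"""


def parse_flows(text: str) -> List[Tuple[int, str, str, int]]:
    """Parse one record per line into (timestamp, src, dst, icmp_type)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, icmp_type = line.split()
        flows.append((int(ts), src, dst, int(icmp_type)))
    return flows


def reflection_victims(flows, min_unsolicited: int = 5,
                       min_sources: int = 3) -> Dict[str, int]:
    """Return hosts that receive more echo replies than they sent echo
    requests, from many distinct reflectors. A reflected flood looks exactly
    like this from the victim's side: replies arrive for pings it never sent,
    because the attacker's requests carried the victim's spoofed source."""
    sent_requests = defaultdict(int)
    got_replies = defaultdict(int)
    reply_sources = defaultdict(set)
    for _, src, dst, icmp_type in flows:
        if icmp_type == ECHO_REQUEST:
            sent_requests[src] += 1
        elif icmp_type == ECHO_REPLY:
            got_replies[dst] += 1
            reply_sources[dst].add(src)
    victims = {}
    for host, replies in got_replies.items():
        unsolicited = replies - sent_requests[host]
        if (unsolicited >= min_unsolicited
                and len(reply_sources[host]) >= min_sources):
            victims[host] = unsolicited
    return victims
```

Hosts whose reply count matches their own request count (10.0.0.7 in the sample) are never flagged, so ordinary ping traffic does not trip the check.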
