Application Security, Cybercrime, Fraud Management and Cybercrime
A chapter of Michael Lines’ new book, Heuristic Risk Management
April 27, 2022
Learn about an effective approach to establishing a risk-based information security program from CyberEdBoard Board Member Michael Lines.
Michael Lines is working with the Information Security Media Group to promote awareness of the need for cyber risk management, and as part of this initiative, the CyberEdBoard will be submitting draft chapters from his forthcoming book, Heuristic Risk Management: Be Aware, Get Prepared, Defend yourself.” The last excerpt we published can be found here.
“Victorious warriors win first and then go to war, while defeated warriors go to war first and then try to win.”
— Sun Tzu, “The Art of War”
Once you know which threats are worrying your organization the most, the next step is to look at the common methods these attacks are being carried out on. The goal of this chapter is to teach you the main means by which threat actors attack organizations. You’ll use your knowledge in the next chapter to assess your defenses against these attacks.
All cyberattacks fall into one of two broad categories: personal compromise and system compromise. Attackers use multiple attack methods and chain them together to achieve their goals. Each of these attack methods must be viewed as a link in a chain of events that make up the history of an attack. The order in which they appear in the chain depends on the attacker and his target. Nothing is set in stone.
Compromise the person
Individuals, either employees or contractors, working for you or at third parties whose products or services you use may be compromised to conduct or facilitate cyberattacks. Below are the main types of these attacks.
Social engineering is the term for deceiving or manipulating people to get them to do something that facilitates or enables a fraudulent act. This deception can be done via an email or a fake website – phishing, phone call, vishing or smishing. All of these methods are designed to trick an employee into taking an action that would give the attacker the access or information they need. This can range from tricking the user into running malware disguised as a harmless email attachment, to providing information to help the attacker, such as: B. the user’s credentials or credentials for an internal system.
Physical attacks from a cyber perspective describe cases where the attacker physically interacts with you or the company’s premises to carry out their attack. This can range from entering a secure area to using social engineering – pretending to be a customer or repair person – so they can enter company offices and install malicious devices that allow attackers remote access to the company’s internal network . USB dropping is another form of attack that combines both social engineering (tricking the person) and physical attack – malicious USB sticks remain where they are likely to be picked up and hopefully plugged into corporate computers.
Compromise the system
All electronic systems, whether owned by you or used by a third party that you interact with, can be compromised in order to conduct or facilitate cyberattacks on your business. Below are the most common means by which these attacks occur.
Malware is any software designed to steal information or manipulate systems for malicious purposes. Ransomware is one such example of malicious software. While malware is often introduced into systems by tricking users into executing it via social engineering — malicious email attachments, for example — it can also be embedded into supply chain attack products by compromising open-source software embedded in used in these products. Attackers can then use the access provided by this malicious code to penetrate the systems and networks of customers using the compromised product. Once inside a system or network, attackers use a combination of legitimate and malicious software to achieve their goals.
Information technology systems and networks are highly complex and growing by the day, especially with the shift to cloud computing adding another dimension of complexity. Each software, hardware, and network component typically requires some configuration to set it up to perform its intended function. The problem arises when this configuration is not performed and the component is working with default—and typically insecure—settings, or when it is done by someone who doesn’t know what they are doing. The result is that hackers often have an open door to steal data or compromise systems by exploiting the existing misconfigurations.
Vulnerabilities differ from misconfigurations in that vulnerabilities are weaknesses in the component – hardware or software – that make it vulnerable to abuse, while misconfigurations are not vulnerabilities but errors in the proper setup of the device. Scanning and exploiting vulnerabilities is one of the main methods hackers use to compromise systems simply because vulnerabilities due to unpatched systems are widespread. It is not uncommon for a large enterprise with tens of thousands of computers and network devices to have millions of known and unknown vulnerabilities ranging from minor to critical. If the hacker exploits the vulnerability, he becomes full owner of the device. To make matters worse, many vulnerabilities, once discovered, will not have a patch available because the vendor has either gone out of business, does not have the resources or interest, has not yet had time to develop a zero-day vulnerability, or is doing so in Considering the product is referred to as End of Life or EOL. As a result, organizations with these legacy systems are able to have ticking time bombs in the environment just waiting for a malicious hacker to exploit them.
exploit design flaws
Hacking is the umbrella term for any attempt to compromise computer systems or networks in order to manipulate or steal information. Script kiddies is the term used to describe novice hackers who run prepackaged attack tools without fully understanding how they work. Real hackers, on the other hand, not only understand the attack tools, but also the inner workings of the systems they attack. They can develop custom code or custom hardware as needed to exploit previously undetected design flaws in their targets and subsequently penetrate the systems they attack. This is where zero-day vulnerabilities are both discovered and exploited by attackers to penetrate systems through holes the system owners didn’t even know existed.
CyberEdBoard is ISMG’s premier member-only community of senior leaders and thought leaders in security, risk, privacy and IT. CyberEdBoard offers executives a powerful peer-driven collaboration ecosystem, private meetings, and a library of resources to tackle complex challenges shared by thousands of CISOs and senior security professionals in 65 different countries worldwide.
Join the community – CyberEdBoard.io.
Michael Lines is an information security executive with over 20 years of experience as Chief Information Security Officer or CISO for large global organizations including PricewaterhouseCoopers, Transition and FICO. In addition, he has managed several consulting services and provided professional services in the areas of security, risk and data protection for large companies. Lines writes, blogs, speaks at conferences and webinars, and gives interviews on a variety of information security topics, primarily what it takes to design and execute effective information security programs and why so many organizations continue to suffer security breaches due to ineffective risk management.