CritiX
Security Operations and Assurance
Alireza Esfahani, Lecturer in Cyber Security
BSc, MSc, PhD, PG Cert, FHEA, MIEEE, MECSO
University of West London
Week 2
Security Threats and Attacks
CP70044E @2023 2
Today’s agenda
• Examples of cybersecurity incidents.
• The motivations of the threat actors behind specific
security incidents.
• Security Attacks vs Threats
• Seven domains of an IT infrastructure
Cybersecurity and the Security Operations Centre
• Different people commit cybercrime for different reasons.
• Security Operations Centres work to combat cybercrime.
• People prepare for work in a Security Operations Centre (SOC) by
earning certifications, seeking formal education, and by using
employment services to gain internship experience and jobs.
Examples
War Stories – Hijacked People
• A hacker set up an open “rogue” wireless
hotspot posing as a legitimate wireless
network.
• A customer logged onto her bank’s website.
• The hacker hijacked her session.
• The hacker gained access to her bank
accounts.
War Stories – Ransomed Companies
• An employee received an email from his CEO,
containing an attached PDF.
• Ransomware is installed on the employee’s
computer.
• Ransomware gathers and encrypts corporate
data.
• The attackers hold the company’s data
for ransom until they are paid.
War Stories – Targeted Nations
• Stuxnet Worm
➢ Infiltrated Windows operating systems.
➢ Targeted Step 7 software that controls
programmable logic controllers (PLCs)
to damage the centrifuges in nuclear
facilities.
➢ Transmitted from infected USB drives into the PLCs,
eventually damaging many centrifuges.
http://www.zerodaysfilm.com/
Attackers and Their Tools
Threat, Vulnerability, and Risk
• Threat
➢ Potential danger to an asset such as data or the network.
• Vulnerability and Attack Surface
➢ Weakness in a system or its design that could be exploited
by a threat.
➢ Attack surface describes different points where an
attacker could get into a system and could get to the data
(Example – operating system without security patches)
• Exploit
➢ Mechanism used to leverage a vulnerability to compromise
an asset.
➢ Remote – works over the network.
➢ Local – threat actor has user or administrative access to
the end system.
• Risk
➢ Likelihood that a threat will exploit a vulnerability of an
asset and result in an undesirable consequence.
Threat
─ Anything that has the potential (may or may not yet happen) to
cause serious harm to the information systems.
o Natural: flood, earthquake, storm, etc.
o Human-induced:
▪ software attacks (e.g. virus, phishing, Trojan)
▪ theft of intellectual property
▪ identity theft (e.g. social engineering)
▪ theft of equipment or information (e.g. mobile device stolen)
▪ sabotage (e.g. destruction of an organization's website)
▪ information extortion (e.g. ransomware)
Vulnerability and Attack
─ Attack, on the other hand, is a deliberate action taken to
exploit vulnerabilities and compromise the security of a
system, network, or data. It involves active and intentional
efforts to breach confidentiality, integrity, or availability.
▪ malware infections
▪ phishing scams
▪ distributed denial of service (DDoS)
Hacker vs. Threat Actor
• White Hat Hackers
➢ Ethical hackers who use their programming skills for good, ethical, and legal
purposes.
➢ Perform penetration tests to discover vulnerabilities and report to developers
before exploitation
• Gray Hat Hackers
➢ Commit crimes and do unethical things but not for personal gain or to cause
damage.
➢ May compromise network and then disclose the problem so the organization
can fix the problem.
• Black Hat Hackers
➢ Unethical criminals who violate security for personal gain, or for malicious
reasons, such as attacking networks.
• Note: Threat actor is a term used to describe grey and black hat hackers.
Evolution of Threat Actors
• Hacking started in the 1960s with phone phreaking.
• Script Kiddies
➢ Inexperienced hackers running existing tools and exploits to cause harm, but typically not for profit.
• State-Sponsored
➢ White or black hats who steal government secrets, gather intelligence, and sabotage networks.
➢ Targets are foreign governments, terrorist groups, and corporations.
• Cybercriminals
➢ Black hats stealing billions of dollars from consumers and businesses.
• Hacktivists
➢ Grey hats who rally and protest political and social ideas.
➢ Post articles and videos to leak sensitive information.
• Vulnerability Broker
➢ Discover exploits and report them to vendors, sometimes for prizes or rewards.
Security Attacks - Types
─ Passive
➢ Passive attacks encompass actions like eavesdropping or monitoring data
transmissions, aiming to acquire the information being transmitted.
─ Active
➢ Active attacks involve the manipulation of a data stream or the
generation of a false stream.
Passive Attacks
─ Release of message contents
➢ We aim to protect sensitive or confidential information in phone calls, emails, and file transfers from being accessed by unauthorized parties.
Source: Cryptography and Network Security, William Stallings
─ Traffic Analysis
➢ In a traffic analysis attack, the
eavesdropper studies network data
to figure out locations, spot
communicating devices, and monitor
message frequency and length.
Active Attacks
─ Masquerade
➢ A masquerade occurs when
one entity pretends to be
someone else.
Source: Cryptography and Network Security, William Stallings
─ Replay
➢ A replay attack, sometimes
called a repeat or playback
attack, is a network security
tactic in which valid data
transmission is wrongfully
duplicated or delayed.
Active Attacks (cont'd)
─ Modification
➢ Message modification refers to
the alteration of a portion of a
legitimate message or the
manipulation of message timing,
order, or content to create an
unauthorized impact.
Source: Cryptography and Network Security, William Stallings
─ Denial of Service (DoS)
➢ Denial of service disrupts or
hinders the regular utilization or
administration of communication
facilities.
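Masquerade, replay and modification (the three active attacks above, apart from DoS) are all caught by one receiver-side check: authenticate the message, then test its freshness. The following Python is an added example, not from the slides or from Stallings; it assumes a pre-shared HMAC key, a per-message nonce and a timestamp window, all constructed here.

```python
import hmac, hashlib, json, os, time

# Constructed demo key shared by sender and receiver (not from the slides).
KEY = b"constructed-shared-secret"

def canonical(body):
    """Stable byte encoding of the authenticated fields (everything except the tag)."""
    return json.dumps({k: v for k, v in body.items() if k != "tag"}, sort_keys=True).encode()

def make_message(key, sender, payload, nonce=None, ts=None):
    """Sender side: attach a fresh nonce, a timestamp and an HMAC-SHA256 tag."""
    body = {"sender": sender, "payload": payload,
            "nonce": nonce if nonce is not None else os.urandom(8).hex(),
            "ts": ts if ts is not None else int(time.time())}
    body["tag"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body

class Receiver:
    """Receiver side: rejects forged, altered, delayed and duplicated messages."""
    def __init__(self, key, window=30):
        self.key, self.window = key, window
        self.seen = set()  # nonces already accepted (replay cache)

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # Masquerade (wrong key) and modification (altered field) both break the tag.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "reject: bad tag (masquerade or modification)"
        # A captured message presented long after it was sent fails the window.
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale timestamp (replay or delay)"
        # A prompt duplicate has a valid tag and a fresh timestamp; only the nonce catches it.
        if msg["nonce"] in self.seen:
            return "reject: nonce already seen (replay)"
        self.seen.add(msg["nonce"])
        return "accept"

if __name__ == "__main__":
    rx = Receiver(KEY)
    m = make_message(KEY, "alice", "transfer 100", nonce="n1", ts=1000)
    print(rx.accept(m, now=1000))   # accept
    print(rx.accept(m, now=1005))   # reject: nonce already seen (replay)
```

The nonce cache must be bounded by the same window as the timestamp check, otherwise it grows without limit.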
Active Attacks (cont'd)
─ Distributed Denial of Service (DDoS)
➢ DDoS attacks happen when many
devices, often controlled by
hackers, all send a lot of data to a
target at the same time, causing it
to be overwhelmed with traffic.
https://bunny.net/academy/network/what-are-distributed-denial-of-service-ddos-attacks/
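The defining signal of the DDoS described above is many distinct sources converging on one target in the same short window. The following Python is an added example (not from the slides or the linked article) that runs that check over constructed flow records of the form "epoch_seconds src_ip dst_ip bytes"; the thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): ordinary browsing to 192.0.2.10,
# then six sources hitting 192.0.2.20 within three seconds.
SAMPLE_FLOWS = """\
100 10.0.0.5 192.0.2.10 1200
100 10.0.0.6 192.0.2.10 800
101 10.0.0.5 192.0.2.10 900
130 198.51.100.1 192.0.2.20 60000
130 198.51.100.2 192.0.2.20 60000
130 198.51.100.3 192.0.2.20 60000
131 198.51.100.4 192.0.2.20 60000
131 198.51.100.5 192.0.2.20 60000
132 198.51.100.6 192.0.2.20 60000
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, bytes) tuples from the whitespace-separated records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield int(ts), src, dst, int(nbytes)

def detect_ddos(flows, window=10, min_sources=5, min_bytes=200_000):
    """Bucket flows per (destination, time window) and flag buckets where many
    distinct sources together push a large volume at one target."""
    buckets = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for ts, src, dst, nbytes in flows:
        key = (dst, ts // window * window)      # align to the window start
        buckets[key]["sources"].add(src)
        buckets[key]["bytes"] += nbytes
    alerts = []
    for (dst, start), agg in sorted(buckets.items()):
        # Both conditions are required: one heavy source is a different problem
        # (and a different mitigation) from a distributed flood.
        if len(agg["sources"]) >= min_sources and agg["bytes"] >= min_bytes:
            alerts.append({"target": dst, "window_start": start,
                           "sources": len(agg["sources"]), "bytes": agg["bytes"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_ddos(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```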
Domains of a typical IT infrastructure
─ Seven domains
Source: Fundamentals of Information Systems Security
Domains of a typical IT infrastructure
• User domain
‒ Roles and tasks: AUP (Acceptable Use Policy) defines what
users are allowed and not allowed to do with organisation-owned
IT assets.
‒ Responsibilities: employees
‒ Accountabilities: HR to check employee background
‒ Risks, threats, vulnerabilities and mitigation plans for the
user domain
o Lack of user awareness
o User apathy toward policies
o User downloads of photos, music, videos
o User destruction of systems, applications or data
o Attacks on the organization or acts of sabotage by disgruntled employees
o …
Domains of a typical IT infrastructure
• Workstation domain
‒ Roles and tasks: hardening a system is the process of
ensuring that controls (e.g. user authentication, software
updates, security patches, system configurations) are in place
to handle any known threats.
‒ Responsibilities: IT services
‒ Accountabilities: IT desktop manager
‒ Risks, threats, vulnerabilities and mitigation plans for the
workstation domain
o Unauthorized access to workstation, systems, applications, etc.
o Desktop OS and software vulnerabilities
o Infection of workstation by virus, malicious code, malware.
o User violation of AUP
o …
Domains of a typical IT infrastructure
• LAN domain
‒ Roles and tasks: maintain the master list of user
accounts and access rights
‒ Responsibilities: LAN system admin
‒ Accountabilities: LAN manager
‒ Risks, threats, vulnerabilities and mitigation plans for
the LAN domain
o Unauthorized access to LAN, systems, applications and data.
o LAN server OS, application software vulnerabilities, etc.
o Unauthorized access by rogue users on WLAN
o Compromised confidentiality of data transmissions via WLAN
o …
Domains of a typical IT infrastructure
• LAN-to-WAN domain
‒ Roles and tasks: maintain security while giving users as
much access as possible
‒ Responsibilities: Network security group
‒ Accountabilities: IT security manager
‒ Risks, threats, vulnerabilities and mitigation plans for
the LAN-to-WAN domain
o Unauthorized network probing and port scanning.
o Unauthorized access through the LAN-to-WAN domain
o IP router, firewall and network appliance software vulnerability,
configuration file errors or weaknesses
o …
Domains of a typical IT infrastructure
• WAN domain
‒ Roles and tasks: allow users the most access possible
while making sure what goes in and out is safe
‒ Responsibilities: WAN group / network engineer
‒ Accountabilities: IT network manager
‒ Risks, threats, vulnerabilities and mitigation plans for
the WAN domain
o Open, public, easily accessible to anyone who wants to connect
o Vulnerable to eavesdropping, malicious attacks, DDoS, IP Spoofing
attacks, etc.
o Email of Trojans, worms, virus attacks, etc.
o …
Domains of a typical IT infrastructure
• Remote Access domain
‒ Roles and tasks: allow users to remotely access IT
assets while ensuring secure communication
‒ Responsibilities: WAN group / network engineer
‒ Accountabilities: IT network manager
‒ Risks, threats, vulnerabilities and mitigation plans for
the remote access domain
o Unauthorized remote access to IT systems, applications, and data
o Private data or confidential data compromised remotely
o …
Domains of a typical IT infrastructure
• System/Application domain
‒ Roles and tasks: An organization’s mission-critical
applications must be secured
‒ Responsibilities: System admin
‒ Accountabilities: IT system manager
‒ Risks, threats, vulnerabilities and mitigation plans for
the system/application domain
o Unauthorized access to data centers, systems, applications
o Loss or corruption of data
o …
Summary
❑ Explain the motivations of the threat actors behind specific
security incidents.
❑ Explain the potential impact of network security attacks
❑ Threat, vulnerability, risk
❑ Security Attacks
❑ IT infrastructure domains
Practice Time
Thank you very much!