Lesson 2 Cybersecurity Risks and Vulnerabilities

Introduction to Risks And Vulnerabilities

Cybersecurity vulnerabilities are weaknesses in computer systems, networks, and devices that cybercriminals can exploit to carry out malicious activities. Cybersecurity vulnerabilities can result from software bugs, misconfigured systems, and human errors. The consequences of cybersecurity attacks can be severe, including data theft, financial loss, and reputational damage. Therefore, individuals and organizations must be aware of potential cybersecurity threats, identify the existing vulnerabilities, determine the potential risks, and implement robust cybersecurity measures to protect those systems.

Cyber attacks are malicious activities by cybercriminals to exploit vulnerabilities in computer systems, networks, and devices. Cyber attacks come in different forms and can be classified into various categories based on the techniques used by the attacker to compromise a system.

Various types of actors can be responsible for cybersecurity threats and cyber attacks. They can be broadly categorized based on their capabilities, resources, methods, and motivations. Table 1.1 illustrates some of the main types.

Cybersecurity assets
Cybersecurity assets are anything of value to an individual, organization, or country that could be negatively impacted by a malicious cyber attack.

Cybersecurity vulnerabilities
Cybersecurity vulnerabilities are weaknesses in a computer system, network, or application that can be exploited by malicious actors in order to cause damage or gain unauthorized access to sensitive data.

Cybersecurity risks
Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the Nation.
Table 1.1: Types of cyber attack actors

Type: Nation-State Actors
Description: These are sophisticated groups, often part of a government's military or intelligence service, that carry out cyber attacks to gain a strategic advantage, conduct espionage, disrupt critical infrastructure, or spread disinformation. Their motivations can be political, economic, or military.

Type: Organized Crime Groups
Description: These are professional criminals who execute cyber attacks for monetary gain. They often employ tactics such as ransomware, identity theft, credit card fraud, and other types of cybercrime. Their primary motivation is financial.

Type: Hacktivists
Description: Hacktivists are individuals or groups that use hacking to promote a political or social cause. They often engage in activities such as defacing websites or conducting denial-of-service attacks to gain attention for their cause. Their motivation is often ideological or political.

Type: Insider Threats
Description: These are individuals within an organization who have legitimate access but use it maliciously or irresponsibly. They might be motivated by a variety of reasons such as financial gain, revenge, or coercion.

Type: Script Kiddies
Description: This term refers to amateur hackers who use existing hacking tools and scripts to carry out attacks without much technical expertise. They might do it for fun, to gain notoriety, or to challenge themselves.

Type: Competitors
Description: These could be companies that engage in corporate espionage to gain a competitive advantage. They might be looking for trade secrets, unannounced products or strategies, or sensitive information that can be used to their advantage.

The most common type of cyberattack is done by implanting malware, which is short for malicious software. Malware is a program designed to harm a computer system or network. Different types of malware include viruses, worms, trojans, and ransomware. Malware types can be differentiated based on their propagation mechanism and payload. For the propagation mechanism, malware can spread using various techniques such as user-initiated, email-based, web-based, network-based, and portable media-based. Malware payloads are the code that delivers the malicious intent. Payload types include data or file encryption, stealing credentials or confidential information, remote access, or malicious functioning of a system.
Viruses

A virus is a piece of code that attaches itself to another program or file and executes when that program or file is run. A virus can corrupt or delete data, modify system settings, or spread to other files or devices. One famous example is the CIH or Chernobyl virus. The CIH virus is a malicious computer virus that was released in 1998. The virus could disable the computer system and cause information to be lost. The virus was contained, but because of its destructive potential the incident resulted in greater security measures for Windows operating systems. Another example is a boot sector virus, designed to infect your computer's boot sector, which is the area of your computer's hard drive containing the code needed for the computer to start up. Boot sector viruses can render your computer unusable or cause it to crash. They typically spread to other computers through infected USB drives or by downloading infected software from the Internet.

Worms

Worms are similar to viruses but do not need to attach themselves to other programs or files to replicate. Instead, they spread rapidly across networks, consuming system resources and causing damage. One example of a worm is the Mydoom worm, which caused significant damage to computer systems worldwide in 2004.

Trojans

A trojan is malware that disguises itself as a legitimate or useful program but performs malicious actions in the background. A trojan can create backdoors for remote access, steal personal information, download other malware, or display unwanted ads. For example, the Zeus trojan was a banking trojan that targeted Windows users and stole their online banking credentials, credit card numbers, and other sensitive data.

Ransomware

Ransomware is malware that locks or encrypts the user's files or device and demands payment for their restoration. Ransomware can also threaten to delete or expose the user's data if the ransom is not paid within a certain time limit. Ransomware can be spread through email attachments, phishing links, or network vulnerabilities. For example, the WannaCry ransomware was a worm that exploited a Windows vulnerability and infected hundreds of thousands of computers in 2017. The ransomware encrypted the user's files and displayed a message demanding an amount of Bitcoin for their decryption. The ransomware also had a kill switch to stop its spread if a certain domain name was registered.

Adware

Adware is malware that displays unwanted advertisements on the user's device or browser. Adware can also collect information about the user's browsing habits and preferences to deliver targeted ads. Adware can be annoying and intrusive but is not necessarily harmful. However, some adware can install other malware or expose users to malicious websites. Adware can be installed either with the user's consent (as part of free software) or without it (through phishing links or drive-by downloads).
For example, the Gator adware offered to save passwords and fill out forms for users but also displayed pop-up ads and collected personal information. The adware was bundled with other free software and required users to accept its installation terms and conditions.

Spyware

Spyware is malware that monitors and collects information about the user's online activity, browsing history, keystrokes, personal data, or system configuration. Spyware can also change browser settings, redirect web pages, or display pop-up advertisements (ads). Spyware can be installed without the user's consent or knowledge through bundled software, phishing links, or drive-by downloads. For example, the CoolWebSearch spyware was a browser hijacker that redirected users to unwanted websites and displayed pop-up ads. The spyware also changed browser settings and installed additional malware. Another example is the Keylogger spyware, which recorded every user's keystroke and sent it to a remote server. The spyware could capture passwords, credit card numbers, chat messages, and sensitive information.

Types of Cyberattacks

In addition to attacks caused by malware, many other types of cyberattacks can be used to compromise computer systems, networks, and devices. Some of the most common types of cyberattacks are presented below.

Social Engineering Attacks

Social engineering is a form of manipulation used by attackers to exploit human weaknesses and acquire sensitive information in order to gain unauthorized access to physical or computer systems. Attackers attempt to trick users into revealing sensitive information, such as passwords, credit card numbers, or other personal information. These attacks often come in emails or messages that appear to be from a legitimate source, such as a bank or a popular social media site. The messages typically contain a link that leads to a fake website designed to look like a legitimate site, where the user is prompted to enter their information. The following are the main types of social engineering attacks.

Phishing: Attempts to trick victims into clicking on fraudulent links sent via email.
Smishing: Similar to phishing, except it comes as a text message (SMS) or a message on messaging apps. A smishing text usually contains a fraudulent link.
Vishing: In this type of attack, cybercriminals call potential victims, pretending to be a legitimate company or person, to request personal information from the victim.

Figure 1.4: Example of a social engineering phishing attack

Phishing emails normally evoke fear or a sense of urgency by denying access to a user's resources. The most common characteristics of an illegitimate email that may be a phishing attack are:
The email says your account is on hold because of a billing problem.
The email has a generic greeting.
The email invites you to click on a link to update your payment details.

Figure 1.5: Illegitimate link example
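The three characteristics listed above, plus the mismatched link of Figure 1.5, can be turned into a simple indicator check. This is an added example, not the textbook's code; the email, sender and domains are constructed for the demonstration.

```python
"""Added example (not from the textbook): scoring an email against the
phishing indicators the lesson lists. The email, sender and domains below
are constructed for the demonstration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on Figures 1.4 and 1.5 (invented addresses).
SAMPLE_EMAIL = {
    "from": "billing@example-bank-alerts.invalid",
    "subject": "Your account is on hold",
    "body": (
        "<p>Dear Customer,</p>"
        "<p>We were unable to process your last payment. Your account is "
        "on hold because of a billing problem. Please visit "
        '<a href="http://secure-login.example-phish.invalid/update">'
        "www.example-bank.invalid/billing</a> to update your payment "
        "details within 24 hours or your access will be suspended.</p>"
    ),
}

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "hello,")
URGENCY_PHRASES = ("account is on hold", "billing problem", "within 24 hours",
                   "will be suspended", "update your payment")


class LinkExtractor(HTMLParser):
    """Collects (displayed text, actual href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url_or_text):
    """Host part of a URL, or of a bare 'www.example.invalid/path' string."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return urlparse(url_or_text).hostname or ""


def phishing_indicators(email):
    """Return the names of the lesson's indicators that this email triggers."""
    found = []
    text = re.sub(r"<[^>]+>", " ", email["body"]).lower()
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        found.append("urgency or account-on-hold wording")
    parser = LinkExtractor()
    parser.feed(email["body"])
    for shown, href in parser.links:
        # Figure 1.5: the address the user sees and the real destination differ.
        if host_of(shown) and host_of(shown) != host_of(href):
            found.append("link text and destination differ")
        if "payment" in href.lower() or "update" in href.lower():
            found.append("link invites you to update payment details")
    return found


def is_suspicious(email, threshold=2):
    """Treat an email with at least `threshold` indicators as suspicious."""
    return len(phishing_indicators(email)) >= threshold
```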

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

DoS and DDoS attacks are cyberattacks that flood a network or server with traffic to overwhelm it, making it difficult or impossible for legitimate users to access the service, which is an attack on availability. In a DoS attack, a single computer or device is used to flood the network, while in a DDoS attack, multiple devices are coordinated to attack the network simultaneously. These attacks can be carried out using a variety of techniques, such as sending large volumes of requests to a server or flooding the network with traffic from multiple sources. DoS and DDoS attacks can have serious consequences, such as shutting down critical services or disrupting business operations. Organizations can protect themselves against these attacks by implementing firewalls and intrusion detection systems (IDSs) and using content distribution networks (CDNs) to distribute traffic across multiple servers. In 2020, the COVID-19 pandemic led to a surge in DDoS attacks against healthcare organizations. Attackers targeted hospitals and healthcare providers, causing disruptions to critical services. Some large-scale attacks have been known to generate traffic in the order of terabits per second (Tbps), overwhelming targeted systems.

Figure 1.7: Example of a DDoS botnet attack

Man-in-the-Middle (MitM) Attacks

MitM attacks are cyberattacks where an attacker intercepts communications between two parties to eavesdrop on or manipulate the conversation. This can be done by inserting themselves between the two parties and relaying messages back and forth, allowing the attacker to read or alter the messages. MitM attacks can be carried out using various techniques, such as packet sniffing or IP spoofing, which forges false network information. These attacks can have serious consequences, such as the theft of sensitive information or the manipulation of financial transactions.
Users can protect themselves against MitM attacks by using encryption technologies, such as HTTPS and VPNs, and being cautious when using public Wi-Fi networks. In 2020, a MitM attack occurred when attackers used a vulnerability in Zogra's encryption to intercept and eavesdrop on video calls. The attackers were able to gain unauthorized access to sensitive information, such as business plans and financial data.

Figure 1.6: Example of a MitM attack

SQL Injections

SQL injection attacks exploit a web application's database vulnerabilities to gain unauthorized access or manipulate data. This can be done by inserting malicious code into a website's input fields, such as login forms, to gain access to the database. SQL injection attacks can have serious consequences, such as the theft of sensitive data or the modification of database records. Organizations can protect themselves against SQL injection attacks by implementing best practices for secure coding and using web application firewalls (WAFs) to detect and block malicious traffic. An example of an SQL injection attack occurred in 2019 when a vulnerability in the Magento e-commerce platform, now named Adobe Commerce, allowed attackers to gain unauthorized access to sensitive customer data, such as names and credit card information.

Figure 1.8: Example of an SQL injection

Cross-Site Scripting (XSS) Attacks

XSS attacks inject malicious code into a website to steal user information or manipulate displayed content. This can be done by inserting scripts into a website's input fields, such as search boxes or comment sections, that execute when the user interacts with the page. XSS attacks can have serious consequences, such as the theft of sensitive information or the manipulation of website content. Organizations can protect themselves against XSS attacks by implementing secure coding practices and using content security policies (CSPs) to detect and block malicious scripts. In 2018, attackers used an XSS attack to steal sensitive information from customers of a large ticket vendor company. The attackers injected malicious code into the company's payment page, allowing them to steal customer information, including names, addresses, and payment card information.
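Both flaws come from placing user input where code is expected: in the SQL text for SQL injection, and in the HTML page for XSS. The following is an added example, not the textbook's code, showing the vulnerable login query and comment renderer next to their fixed forms (parameterised query, HTML escaping); the users table, credentials and comment are constructed for the demo.

```python
"""Added example (not from the textbook): the two injection flaws described
above, each in its vulnerable form next to its fixed form. The users table,
the credentials and the comment text are constructed for the demonstration."""
import html
import sqlite3


def make_db():
    """In-memory SQLite database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so quotes in the input
    change the structure of the query instead of being compared as data."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Uses placeholders: the driver passes the input as values, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_comment_vulnerable(comment):
    """Inserts a user comment into the page unchanged, so any tag in it is
    interpreted by the browser (stored XSS)."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment):
    """Escapes <, >, &, and quotes so the browser displays the text literally."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def demo():
    """Runs honest, wrong and injected logins against both query versions and
    renders a comment containing a script tag with both renderers."""
    conn = make_db()
    # Textbook injection string: closes the password quote and appends an
    # always-true condition, so the vulnerable query matches a row.
    injected = "' OR '1'='1"
    script_comment = "<script>alert('xss')</script>"
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "honest_safe": login_safe(conn, "alice", "correct horse"),
        "wrong_vulnerable": login_vulnerable(conn, "alice", "wrong"),
        "wrong_safe": login_safe(conn, "alice", "wrong"),
        "injected_vulnerable": login_vulnerable(conn, "alice", injected),
        "injected_safe": login_safe(conn, "alice", injected),
        "xss_vulnerable": "<script>" in render_comment_vulnerable(script_comment),
        "xss_safe": "<script>" in render_comment_safe(script_comment),
    }
```

The parameterised query and the escaped renderer are the secure-coding practices the section refers to; a WAF or CSP is an additional layer, not a replacement for them.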
Figure 1.9: Example of an XSS attack

Attacks by Advanced Persistent Threat (APT)

APT attacks are targeted attacks that use sophisticated techniques to gain unauthorized access to a system and remain undetected for long periods. APT attacks often use a combination of social engineering, malware, and other techniques to gain access to sensitive information or systems. These attacks can have serious consequences, such as the theft of intellectual property or sensitive customer data. Organizations can protect themselves against APT attacks by implementing a comprehensive security program that includes employee training, vulnerability management, and threat intelligence. An example of an APT attack occurred in 2015 when attackers exploited a previous medical data breach to steal the personal information of 80 million customers. The attackers were able to remain undetected for several months, highlighting the need for comprehensive security programs and threat intelligence.

Zero-Day Exploits

Zero-day exploits take advantage of vulnerabilities in software before they are discovered and patched, making them particularly dangerous, since developers have had 0 days to fix the problem when the attack is launched. Zero-day exploits can be used to gain unauthorized access to a system, steal sensitive information, or cause damage to the system. These exploits are typically discovered by attackers to carry out targeted attacks against organizations. Zero-day exploits can be difficult to protect against because they are unknown to the software vendor and cannot be patched until discovered. Organizations can protect themselves against zero-day exploits by implementing best practices for secure coding and by using security tools that can detect and block suspicious behavior. An example of a zero-day exploit occurred in 2021 when attackers used a vulnerability in Microsoft's new version of Exchange Server to install backdoors on targeted systems.

Figure 1.11: Example of a zero-day exploit

Password Attacks

Password attacks use techniques like brute force or phishing to guess or steal user passwords and gain unauthorized access to systems. Brute force attacks use automated tools to try thousands or millions of possible passwords until the correct one is found. Phishing attacks use social engineering techniques to trick users into revealing their passwords. Password attacks can have serious consequences, such as stealing sensitive data or compromising critical systems. Users can protect themselves against password attacks by using strong, complex passwords and multi-factor authentication (MFA), like SMS authentication or the Saudi Nafath, to add a layer of security. In 2012, attackers used a brute force attack to gain access to the LinkedIn database, compromising millions of users' passwords.
Figure 1.12: Example of a password attack

Malvertising

Malvertising is the practice of embedding malicious code in online advertisements to infect users' computers with malware. Malvertisements can be difficult to detect because legitimate advertising networks often serve them. Once a user clicks on a malvertisement, malware is downloaded to their computer, which can be used to steal sensitive information or carry out other attacks. Users can protect themselves against malvertising by using advertisement blockers and being cautious when clicking on online advertisements. In 2016, the Angler exploit kit served malvertisements on popular websites, including the New York Times and the BBC. The malvertisements contained code that would download the Locky ransomware to users' computers, highlighting the need for users to use ad blockers and other security tools to protect against malvertising.

Figure 1.13: Example of malvertising practice

Figure 1.14: Example of an eavesdropping interception

Eavesdropping

Eavesdropping is the unauthorized interception of communication, such as emails, phone calls, or instant messages. Eavesdropping can be carried out using various techniques, such as packet sniffing or network tapping. Eavesdropping can have serious consequences, such as stealing sensitive information or compromising critical systems. Users can protect themselves against eavesdropping by using encryption technologies, such as HTTPS and VPNs, and being cautious when using public Wi-Fi networks. An example of eavesdropping occurred in 2020 when attackers exploited a vulnerability in a telecommunications protocol to intercept and eavesdrop on text messages and phone calls. The vulnerability, known for several years, highlighted the need for telecom companies to implement stronger security measures to protect against eavesdropping.

Security Information and Event Management (SIEM) Solutions

SIEM solutions are software tools designed to help organizations and enterprises detect and respond to cyberattack threats in real time. SIEM solutions collect and analyze data from various sources, such as network devices, servers, and applications, to identify potential security incidents. The data is analyzed using machine learning and artificial intelligence algorithms to detect anomalies and patterns that may indicate a security threat.

Figure 1.15: Representation of Security Information and Event Management (SIEM) structure
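A concrete instance of what a SIEM does with the login events it collects is a correlation rule for the brute force password attack described in the Password Attacks section: many failed logins from one source in a short window, with a following success as the higher-severity case. This is an added example, not the textbook's code or any SIEM product's rule; the log lines, user names and IP addresses are constructed.

```python
"""Added example (not from the textbook): a minimal SIEM-style correlation
rule that flags a brute force password attack in a stream of login events.
The log lines, user names and IP addresses below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events in a syslog-like layout (documentation IPs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:04 sshd: Failed password for bob from 203.0.113.7
2024-03-01T10:00:06 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:08 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:09 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T10:05:00 sshd: Failed password for carol from 198.51.100.2
2024-03-01T10:20:00 sshd: Accepted password for carol from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_events(text):
    """Turn the raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"],
                           "user": m["user"],
                           "ip": m["ip"]})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag every source IP that produces at least `threshold` failed logins
    inside a sliding time window, and note whether a successful login from
    that IP followed the alert (a likely compromised account)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in alerts:
                alerts[ev["ip"]] = {"failures": len(q), "first": q[0],
                                    "last": ev["ts"], "success_after": False}
        elif ev["ip"] in alerts:
            alerts[ev["ip"]]["success_after"] = True
    return alerts
```

A real SIEM applies the same idea across many sources at once and adds the response step (blocking the source, forcing MFA, opening an incident), which this rule leaves to the analyst.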

Cybersecurity Risk Identification, Mitigation, and Management

Cybersecurity risk identification, mitigation, and management are essential processes for organizations to safeguard their critical assets, protect sensitive information, and ensure the continuity of their operations.

Risk Identification

The first step in managing cybersecurity risks involves identifying potential threats and vulnerabilities that could affect an organization's digital assets. Key activities in risk identification include:

Asset Inventory: Creating a comprehensive list of an organization's digital assets, including hardware, software, data, and network infrastructure.
Threat Assessment: Identifying potential threat sources, such as cybercriminals, insider threats, or natural disasters, that could exploit vulnerabilities in the organization's systems.
Vulnerability Assessment: Discovering and documenting weaknesses in an organization's digital assets using vulnerability scanning, penetration testing, and manual assessments.
Risk Analysis: Evaluating the likelihood and impact of identified threats and vulnerabilities in order to prioritize risks based on their potential consequences.

Risk Management

Once risks have been identified, organizations should take steps to reduce or manage them. Risk management involves implementing security measures to address vulnerabilities and minimize the likelihood or impact of threats. Key risk mitigation strategies include:

Security Awareness Training: Educating employees about cybersecurity best practices and their responsibilities in protecting the organization's digital assets.
Incident Response Planning: Developing a plan to detect, respond to, and recover from security incidents to minimize their impact on the organization.
Access Control: Implementing authentication and authorization mechanisms to restrict access to sensitive data and systems only to authorized users.
Encryption: Encryption converts plain text or data into encoded formats to prevent unauthorized access. Encrypting sensitive data and information at rest and in transit protects it from unauthorized access or theft.
Patch: Regularly updating software and hardware to address known vulnerabilities and ensure systems remain secure against emerging threats.

Risk Treatment: Selecting and implementing appropriate risk mitigation strategies based on the organization's risk tolerance and available resources, and regularly reviewing the effectiveness of these strategies.
Governance and Compliance: Ensuring the organization's cybersecurity policies and practices align with relevant laws, regulations, and industry standards.
Reporting and Communication: Keeping stakeholders informed about the organization's cybersecurity risk responses and any changes to its risk management strategies.

Table 1.2: Tools for cybersecurity risk identification, mitigation, and management

Category: SIEM Systems
Description: Security information and event management (SIEM) systems collect and analyze security-related data from various sources.

Category: Penetration Testing Tools
Description: Simulate attacks on systems or networks to identify vulnerabilities and test the effectiveness of security controls.

Category: Security Risk Assessment
Description: Identify and assess security risks across an organization's infrastructure, including networks, systems, and applications.

Category: Data Loss Prevention
Description: Monitor and control the flow of sensitive data within an organization to help prevent data breaches.

Category: Firewall and IPS
Description: Monitor and block incoming traffic that is identified as potentially harmful.

Category: Endpoint Protection
Description: Protect individual devices, such as laptops or smartphones, from malware and other threats.

Category: Security Analytics
Description: Use machine learning and other advanced techniques to analyze security data and identify potential threats.

Exercises

1 Read the sentences and tick True or False.
1. A virus is a piece of code that attaches itself to another program or file and executes when that program or file is run.
2. Ransomware locks or encrypts the user's files or device and demands payment for their restoration.
3. A trojan is a legitimate or useful program that performs beneficial actions in the background.
4. Multi-factor authentication (MFA) can add a layer of security to protect against password attacks.
5. Spyware is malware that protects the user's online privacy and security.
6. Phishing attacks are a form of social engineering that attempts to trick users into revealing sensitive information.
7. DoS attacks involve coordinating multiple devices to attack a network simultaneously.
8. SQL injection attacks exploit a web application's database vulnerabilities to gain authorized access or manipulate data.
9. Cross-site scripting (XSS) attacks inject malicious code into a website to steal user information or manipulate displayed content.
10. Public Wi-Fi networks are invulnerable to eavesdropping attacks.

2 Define what malware is.

3 Explain what a computer virus is and how it works.

4 Compare and contrast the characteristics of viruses, worms, trojans, and ransomware.

5 Analyze public Wi-Fi networks' potential risks and benefits and how users can protect their devices.

6 Explain the importance of staying aware of malvertising attacks.

7 Evaluate the effectiveness of Security Information and Event Management (SIEM) solutions in detecting and responding to security threats.

8 Compare and contrast DoS and DDoS attacks.

9 Identify and explain the steps an organization can take to protect against zero-day exploits.

10 Assess the impact of SQL injection attacks on a web application.

11 List two example activities that are part of risk identification, mitigation, and management.
