# Class 2 Threat & Attack Vectors

Uploaded by sushainkapoorsk

## 2.1 Vulnerability, Threat, and Risk

### 2.1.1 Vulnerability

A vulnerability refers to a weakness in a system, process, design, or implementation that could be
exploited to compromise the security of the system. These weaknesses can be triggered accidentally or
exploited intentionally to cause a security breach. It's important to note that threats can exist even in the
absence of vulnerabilities.

**Example:**

Consider a web application used by an e-commerce company to process customer transactions. If this
application has a known vulnerability, such as a SQL injection flaw, an attacker could exploit this
weakness to gain unauthorized access to the company's database and steal sensitive customer
information.

### 2.1.2 Threat

A threat is any circumstance or event that has the potential to compromise the confidentiality, integrity,
or availability of a system or its data. Threats can exist without risks, but a risk requires an associated
threat to exist.

**Example:**

A threat actor attempting to gain unauthorized access to a company's computer network is a threat to
the confidentiality and integrity of the data stored on that network. This threat could come from various
sources, including malicious hackers, disgruntled employees, or even natural disasters.

### 2.1.3 Risk

Risk is the likelihood that a threat will exploit a vulnerability and the impact of that exploitation on the
business. Risk assessment involves the identification of security risks through the analysis of assets,
threats, and vulnerabilities, including their impacts and likelihood.

**Example:**
Consider the risk of a data breach occurring due to a vulnerability in a company's web application. The
risk assessment would involve analyzing the probability of the vulnerability being exploited and the
potential impact on the company's reputation and financial standing if a breach were to occur.

### 2.1.4 Threat Assessment

Threat assessment combines a threat actor’s intentions to cause harm with an assessment of that actor’s
capability to carry out those intentions.

**Example:**

A threat actor with the intention of stealing sensitive customer data from a company's database is
assessed based on their capability to bypass the company's security controls and access the database.
This assessment would consider factors such as the attacker's technical skills, resources, and motivation.

### 2.1.5 Risk Assessment

Risk assessment involves the identification of security risks through the analysis of assets, threats, and
vulnerabilities, including their impacts and likelihood.

**Example:**

A company conducts a risk assessment to identify potential security risks to its computer network. Based
on the assessment, the company implements security controls such as firewalls, intrusion detection
systems, and access controls to mitigate these risks.
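The relationship between the three terms in 2.1.2, 2.1.3 and 2.1.5 (a risk exists only where a threat meets an asset that actually carries the vulnerability it exploits, and likelihood combines with impact) can be made concrete with a small risk register. This is an added example, not material from the course notes; the qualitative scales, the score bands and the sample assets and threats are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Qualitative scales for this hypothetical risk register (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Asset:
    name: str
    impact: str                                          # business impact if compromised
    vulnerabilities: list = field(default_factory=list)  # weaknesses actually present


@dataclass
class Threat:
    actor: str
    exploits: str      # the vulnerability this threat would use
    likelihood: str    # chance the actor attempts it and succeeds


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    score: int
    band: str


def band_for(score):
    """Map a likelihood x impact product (1..25) onto a qualitative band."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(assets, threats):
    """Build the register: a risk exists only where a threat meets an asset carrying the
    vulnerability it exploits, so a threat with no matching weakness adds no entry."""
    register = []
    for threat in threats:
        for asset in assets:
            if threat.exploits in asset.vulnerabilities:
                score = LIKELIHOOD[threat.likelihood] * IMPACT[asset.impact]
                register.append(Risk(asset.name, threat.actor, threat.exploits,
                                     score, band_for(score)))
    return sorted(register, key=lambda r: r.score, reverse=True)


def threats_without_risk(assets, threats):
    """Threats that exist but currently have no vulnerability to act on."""
    exposed = {v for a in assets for v in a.vulnerabilities}
    return [t.actor for t in threats if t.exploits not in exposed]


# Constructed sample data, not taken from any real assessment.
ASSETS = [
    Asset("customer web app", "major", ["sql injection"]),
    Asset("database server", "severe", ["unpatched OS"]),
    Asset("HR laptop", "moderate"),
]
THREATS = [
    Threat("external attacker", "sql injection", "likely"),
    Threat("disgruntled employee", "unpatched OS", "unlikely"),
    Threat("phishing crew", "weak email filtering", "likely"),
]

if __name__ == "__main__":
    for r in assess(ASSETS, THREATS):
        print(f"{r.band:6} {r.score:2}  {r.asset} <- {r.threat} via {r.vulnerability}")
    print("threats with no current risk:", threats_without_risk(ASSETS, THREATS))
```

The "phishing crew" threat is real but produces no register entry because no asset carries the weakness it needs; that is the "threats can exist without risks" point from 2.1.2 expressed in code. Removing a vulnerability from an asset (patching, in practice) drops the corresponding row, which is how a risk assessment feeds the choice of controls in 2.1.5.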

### 2.1.6 Difference between Risks and Threats

Risks are event-focused, meaning they describe the potential impact of a specific event on the business.
Threats, on the other hand, focus on the intentions of threat actors.

**Example:**

- Risk: The database server goes down, causing a loss of service for customers.

- Threat: A hacker wants to take down the database server to disrupt business operations.

## 2.2 Attributes of Threat Actors

### 2.2.1 Location

- **External Threat Actors:** These are individuals or entities that have no account or authorized access
to the target system. They must use malware or social engineering to infiltrate the security system.

**Example:**

A hacker attempting to gain unauthorized access to a company's computer network from outside the
organization.

**Case Study:**

In 2013, the retail giant Target suffered a massive data breach that compromised the personal and
financial information of millions of customers. The attackers gained access to Target's network by using
stolen credentials from a third-party HVAC vendor.

- **Internal Threat Actors:** These are individuals or entities that have been granted permissions on the
system, typically employees or third-party contractors.

**Example:**

An employee with authorized access to a company's database system who abuses their privileges to
steal sensitive customer data.

**Case Study:**

In 2014, Edward Snowden, a contractor for the National Security Agency (NSA), leaked classified
information about the agency's surveillance programs to the media. Snowden exploited his privileged
access to the NSA's systems to download and exfiltrate the data.

### 2.2.2 Intent and Motivation

- **Intent:** The desired outcome or goal of an attack.

- **Motivation:** The reason behind perpetuating the attack.

**Example:**

An attacker's intent may be to steal financial data from a company's database system, while their
motivation may be financial gain.

**Case Study:**

In 2017, the ransomware known as WannaCry infected hundreds of thousands of computers worldwide,
encrypting their data and demanding ransom payments in Bitcoin. The attackers' intent was to extort
money from their victims, and their motivation was financial gain.

### 2.2.3 Level of Sophistication and Capability

- **Sophistication:** The technical abilities of the threat actor.

- **Capability:** The resources and funding available to the threat actor.

**Example:**

- A sophisticated threat actor may have the technical skills to develop novel exploit techniques and tools.

- A threat actor with significant financial resources may be capable of launching large-scale cyber attacks
against high-value targets.

**Case Study:**

The cybercriminal group known as FIN7 is an example of a sophisticated threat actor with significant
capabilities. FIN7 specializes in financially motivated cybercrime and has targeted organizations in the
retail, restaurant, and hospitality sectors. The group is known for using advanced techniques such as
spear-phishing and malware to compromise its victims' systems.

## 2.3 Threat Actors

### 2.3.1 Script Kiddie

- **Description:** Individuals with limited technical skills who use pre-written hacking tools without
necessarily understanding how they work.

**Example:**

An individual using a pre-written exploit script to launch a denial-of-service (DoS) attack against a
website.

**Case Study:**

In 2000, a teenager known as Mafiaboy launched a series of DoS attacks against several high-profile
websites, including Yahoo, Amazon, and eBay. Mafiaboy used a network of compromised computers to
flood the target sites with traffic, causing them to become unavailable to legitimate users.

### 2.3.2 Black Hats

- **Description:** Skilled hackers who use their technical abilities for financial gain.

**Example:**

A cybercriminal who steals credit card information from online retailers and sells it on the dark web.

**Case Study:**

In 2013, a group of hackers stole the credit card information of millions of customers from the retail
giant Target. The attackers gained access to Target's network by exploiting vulnerabilities in the
company's network infrastructure. The stolen credit card data was later sold on underground forums,
where it was used to make fraudulent purchases.

### 2.3.3 White Hats

- **Description:** Ethical hackers who hack systems and networks with full authorization, typically to
discover vulnerabilities and test current security setups.

**Example:**

A security consultant hired by a company to conduct penetration testing on its network infrastructure.

**Case Study:**

In 2016, researchers from Google's Project Zero discovered a series of critical vulnerabilities in the
iPhone's software that could be exploited to take control of the device remotely. Google reported the
vulnerabilities to Apple, which released a patch to fix the issues before they could be exploited by
malicious actors.

### 2.3.4 Gray Hats

- **Description:** Skilled hackers who use black hat tactics for white hat objectives.

**Example:**

A security researcher who discovers a vulnerability in a software application and publicly discloses it
without informing the vendor first.

**Case Study:**

In 2018, a security researcher discovered a vulnerability in the Facebook platform that allowed hackers
to take over user accounts. Instead of reporting the vulnerability to Facebook, the researcher publicly
disclosed it, forcing Facebook to release an emergency patch to fix the issue.

### 2.3.5 Hacktivists

- **Description:** Individuals or groups who hack for a cause, such as political activism or social justice.

**Example:**

A hacktivist group defaces a government website to protest a controversial government policy.

**Case Study:**

In 2010, the hacktivist group Anonymous launched a series of cyber attacks against companies and
organizations that had withdrawn support for the whistleblower website WikiLeaks. The attacks targeted
websites belonging to financial institutions, government agencies, and media organizations, disrupting
their online services.

### 2.3.6 State Actors and Advanced Persistent Threats (APTs)

- **Description:** State-sponsored hackers who use advanced techniques and resources to compromise
network security and maintain access to target systems.

**Example:**

A nation-state actor launches a cyber attack against a rival country's critical infrastructure, such as its
power grid or financial system.

**Case Study:**

In 2017, the Russian government was accused of launching a cyber attack against the Ukrainian power
grid, causing widespread power outages across the country. The attack, which was attributed to a group
of Russian hackers known as Sandworm, targeted the control systems used to operate the power grid,
disrupting the supply of electricity to millions of Ukrainian citizens.

### 2.3.7 Criminal Syndicates

- **Description:** Organized groups of cybercriminals who operate across the internet, often from
different jurisdictions than their victims.

**Example:**

A criminal syndicate steals credit card information from online retailers and sells it on the dark web.

**Case Study:**

In 2014, a criminal syndicate known as Carbanak stole over $1 billion from banks and financial
institutions worldwide. The group used sophisticated malware to infiltrate the banks' computer networks
and gain access to their internal systems, allowing them to transfer funds from the banks' accounts to
their own.

### 2.3.8 Insider Threats

- **Description:** Threats that originate from within an organization, such as compromised employees,
disgruntled employees, or third-party contractors.

**Example:**

An employee with access to sensitive customer data leaks that data to a competitor.

**Case Study:**

In 2016, a former employee of the National Security Agency (NSA) named Harold Martin was arrested for
stealing classified information from the agency. Martin had worked as a contractor for the NSA and had
access to highly sensitive documents and computer systems. He was accused of stealing terabytes of
classified data over a period of 20 years and storing it at his home.

## 2.4 Attack Surface and Attack Vectors

### 2.4.1 Attack Surface

The attack surface refers to all the points at which a malicious threat actor could try to exploit a
vulnerability. Minimizing the attack surface involves restricting access so that only a few known
endpoints, protocols/ports, and services are permitted.

**Example:**

A company reduces its attack surface by disabling unnecessary services on its network, closing unused
network ports, and implementing strict access controls.
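The minimisation described in 2.4.1 is only as good as the check that enforces it: the host's actual listeners have to be compared against the short list of endpoints, ports and services that are permitted. The following is an added example, not code from the course notes, of that comparison. The input is a constructed sample modelled on `ss -ltn` output (the column layout is an assumption; real output varies between versions), and the allowed-port policy is hypothetical.

```python
# Constructed sample modelled on `ss -ltn` output. The column positions are assumed here;
# a production check should parse real `ss` output more defensively.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       50      [::]:8080            [::]:*
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*
"""

# Hypothetical policy for one host: the only ports it may expose to the network, and
# the services that are meant to stay on loopback.
ALLOWED_EXPOSED_PORTS = {22, 443}
LOCAL_ONLY_PORTS = {5432, 6379}


def parse_listeners(text):
    """Return (address, port) pairs for every LISTEN line in the sample."""
    listeners = []
    for line in text.splitlines()[1:]:            # first line is the header
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")  # rpartition keeps "[::]" intact
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def audit(listeners, allowed=ALLOWED_EXPOSED_PORTS, local_only=LOCAL_ONLY_PORTS):
    """One finding per listener that widens the attack surface beyond the policy."""
    findings = []
    for addr, port in listeners:
        if is_loopback(addr) or port in allowed:
            continue                              # unreachable from the network, or permitted
        if port in local_only:
            findings.append((port, addr, "local-only service bound to a network interface"))
        else:
            findings.append((port, addr, "service not in the allowed exposure list"))
    return findings


if __name__ == "__main__":
    for port, addr, reason in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"{addr}:{port}  {reason}")
```

Run against the sample, the check accepts SSH and HTTPS, ignores the PostgreSQL listener on loopback, and reports three deviations: Redis bound to all interfaces when it should be local-only, an unexplained service on 8080 and FTP on port 21. Each finding maps directly to one of the remediation steps in the example above (disable the service, close the port, or rebind it to loopback).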

### 2.4.2 Attack Vectors

Attack vectors are the paths that threat actors use to gain access to secure systems. Attack vectors can
include:

- Direct access

- Removable media

- Email
- Remote and wireless networks

- Supply chain

- Web and social media

- Cloud services

**Example:**

An attacker gains access to a company's computer network by sending a phishing email to an employee
with a malicious file attachment.

**Case Study:**

In 2016, a cybercriminal group known as Fancy Bear launched a spear-phishing campaign targeting
employees of the Democratic National Committee (DNC). The attackers sent emails containing malicious
attachments to DNC staff, tricking them into downloading malware that allowed the attackers to steal
sensitive emails and documents from the organization's servers.

## 2.5 Vulnerable Software and Network Vectors

### 2.5.1 Vulnerable Software

Vulnerable software contains flaws in its code or design that can be exploited to circumvent access
control or crash the process.

**Example:**

A software application contains a buffer overflow vulnerability that allows an attacker to execute
arbitrary code on the system.

### 2.5.2 Unsupported Systems and Applications

Unsupported systems are those for which the vendor no longer develops updates or patches.

**Example:**

A company uses an outdated operating system that is no longer supported by the vendor, leaving it
vulnerable to security exploits.

### 2.5.3 Network Vectors

Network vectors classify exploit techniques for software vulnerabilities as either remote or local.

- Remote exploits: Vulnerabilities that can be exploited by sending code to the target over a network.

- Local exploits: Vulnerabilities that require authenticated access to the computer.

**Example:**

A threat actor exploits a remote vulnerability in a company's web server software to gain unauthorized
access to its internal network.

## 2.6 Threat Vectors

### 2.6.1 Direct Access

- **Description:** Physically accessing an unlocked workstation, stealing a computer, or using a boot
disk to install malicious tools.

**Example:**

An attacker gains access to a company's office building by impersonating a delivery person and then
steals an employee's laptop.

### 2.6.2 Removable Media

- **Description:** Concealing malware on a USB thumb drive or memory card and tricking employees
into connecting it to a computer or smartphone.

**Example:**

An attacker drops USB drives in the parking lot of a company's office building, hoping that employees
will pick them up and plug them into their computers.

### 2.6.3 Email

- **Description:** Sending a malicious file attachment via email to trick recipients into opening it and
executing the malware.

**Example:**

An attacker sends a phishing email to an employee with an attachment containing malware disguised as
a legitimate document.
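The email vector in 2.6.3 (and the phishing example under 2.4.2) rests on an attachment that looks like a document but is not one. A mail gateway can reject most of these before a user ever sees them by checking the file name, the declared MIME type and the file's leading bytes against each other. The following screening routine is an added example, not code from the course notes or from any particular mail product; the attachment list is constructed, and the extension and magic-byte tables are deliberately short.

```python
import os

# Constructed sample attachments: (filename, declared MIME type, first bytes of content).
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf",     "application/pdf", b"%PDF-1.7\n"),
    ("invoice.pdf.exe", "application/pdf", b"MZ\x90\x00"),
    ("report.docm",     "application/vnd.ms-word.document.macroEnabled.12", b"PK\x03\x04"),
    ("photo.jpg",       "image/jpeg",      b"MZ\x90\x00"),
    ("notes.txt",       "text/plain",      b"meeting notes"),
]

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".msi"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Leading bytes that identify a few common container formats (illustrative subset).
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF", "pdf"),
         (b"PK\x03\x04", "zip-container"), (b"\xff\xd8\xff", "jpeg")]
EXPECTED_KIND = {".pdf": "pdf", ".jpg": "jpeg", ".jpeg": "jpeg",
                 ".docx": "zip-container", ".docm": "zip-container", ".zip": "zip-container"}


def sniff(content):
    """Identify the content by its leading bytes, ignoring whatever the name claims."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return "unknown"


def screen(filename, mime, content):
    """Reasons to quarantine this attachment; an empty list means it passed every check."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]
    kind = sniff(content)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
        if inner_ext:                                    # e.g. invoice.pdf.exe
            reasons.append("double extension hides executable")
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled document")
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("content is an executable disguised with a benign extension")
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != "unknown" and kind != expected:
        reasons.append(f"extension {ext} does not match content type {kind}")
    if mime == "application/pdf" and kind not in ("pdf", "unknown"):
        reasons.append("declared MIME type does not match content")
    return reasons


def screen_all(attachments):
    """Map each attachment name to its quarantine reasons."""
    return {name: screen(name, mime, content) for name, mime, content in attachments}


if __name__ == "__main__":
    for name, reasons in screen_all(SAMPLE_ATTACHMENTS).items():
        print(name, "->", "pass" if not reasons else "; ".join(reasons))
```

Three independent signals are checked on purpose: a name-based rule alone misses `photo.jpg` (an executable renamed to look like an image), while a content-based rule alone would pass `report.docm`, which really is a ZIP container but carries macros. The genuine PDF and the text file pass all checks.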

### 2.6.4 Remote and Wireless

- **Description:** Obtaining credentials for a remote access or wireless connection to a network, or
cracking the security protocols used for authentication.

**Example:**

An attacker intercepts Wi-Fi traffic between a user's device and a router and uses a brute-force attack to
crack the WPA2 encryption key.

### 2.6.5 Supply Chain

- **Description:** Targeting third-party suppliers or service providers to gain access to a target
organization's network.

**Example:**

An attacker compromises a software vendor's update server and distributes malware to customers who
download and install the updates.

### 2.6.6 Web and Social Media

- **Description:** Concealing malware in files attached to posts or presented as downloads on websites
or social media platforms.

**Example:**

An attacker creates a fake social media profile and sends friend requests to employees of a target
organization, then sends them links to malicious websites or files.

### 2.6.7 Cloud

- **Description:** Targeting accounts used to develop services in the cloud or manage cloud systems.

**Example:**

An attacker gains access to a company's cloud storage account by using stolen credentials obtained
from a phishing email.

## 2.7 Lure-Based and Message-Based Vectors

### 2.7.1 Lure-Based Vectors

Lure-based vectors use something superficially attractive to entice a target into opening a malicious file
or visiting a malicious website.

**Example:**

An attacker sends an email with a subject line that appears to be urgent, such as "Your account has been
compromised! Click here to reset your password."

### 2.7.2 Message-Based Vectors

Message-based vectors involve sending malicious files or links via email, short message service (SMS),
instant messaging, or web and social media platforms.

**Example:**

An attacker sends a text message to a user's smartphone containing a link to a website that installs
malware on the device when clicked.

## 2.8 Third-Party Risks

### 2.8.1 Vendor Management

Vendor management is the process of choosing supplier companies and evaluating the risks inherent in
relying on a third-party product or service.

**Example:**

A company evaluates the security practices of its cloud service provider before migrating its data to the
provider's servers.

### 2.8.2 System Integration

System integration involves using components from multiple vendors to implement a business workflow.

**Example:**

A company integrates third-party software into its existing infrastructure to improve its business
processes.

### 2.8.3 Data Risks When Using Third Parties

When using third-party vendors, organizations face two main data risks:

- Granting access to data

- Hosting data or data backups

**Example:**

A company hires a third-party contractor to manage its customer database, giving the contractor access
to sensitive customer information.

### 2.8.4 Data Storage

When storing data on third-party systems, organizations should take precautions to protect that data.

**Precautions:**

- Ensure the same protections for data as if it were stored on-premises.

- Monitor and audit third-party access to the data.

- Evaluate compliance impacts from storing personal data on a third-party system.

**Example:**

A company encrypts sensitive customer data before storing it on a third-party cloud storage service to
prevent unauthorized access.

**Case Study:**

In 2019, Capital One suffered a data breach that exposed the personal and financial information of over
100 million customers. The breach occurred when a former employee of Amazon Web Services (AWS),
the cloud service provider used by Capital One, gained unauthorized access to the company's servers
and stole the data. Capital One was criticized for its lack of oversight of its third-party vendors and its
failure to implement adequate security controls to protect its customers' data.
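The second precaution in 2.8.4, monitoring and auditing third-party access, is the control the case study says was missing. In practice it means comparing each access event by a contractor or vendor principal against the scope agreed in the contract: which data they may touch, when, and in what volume. The following is an added example, not code from the course notes and not related to the Capital One incident; the log format, the contract scope and the bulk threshold are all hypothetical and the log lines are constructed.

```python
from datetime import datetime, timezone

# Constructed audit log: ISO-8601 UTC timestamp, principal, action, resource, bytes moved.
SAMPLE_LOG = """\
2024-03-04T10:12:05Z contractor-dbops READ customers/profile 2048
2024-03-04T10:13:41Z contractor-dbops READ customers/profile 1024
2024-03-04T23:47:10Z contractor-dbops READ customers/profile 4096
2024-03-04T11:02:00Z contractor-dbops READ finance/ledger 512
2024-03-05T02:15:33Z contractor-dbops EXPORT customers/profile 734003200
2024-03-04T14:00:00Z employee-alice READ finance/ledger 512
"""

# Hypothetical contract scope: resources each third-party principal may touch and the
# UTC hour window (start inclusive, end exclusive) in which it is expected to work.
THIRD_PARTY_SCOPE = {
    "contractor-dbops": {"resources": {"customers/profile"}, "hours": (8, 18)},
}
BULK_THRESHOLD = 100 * 1024 * 1024   # a single event moving >= 100 MiB counts as bulk


def parse_log(text):
    """Turn the constructed log lines into event dictionaries."""
    events = []
    for line in text.splitlines():
        ts, principal, action, resource, size = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "principal": principal, "action": action,
                       "resource": resource, "size": int(size)})
    return events


def audit_third_party(events, scope=THIRD_PARTY_SCOPE, bulk=BULK_THRESHOLD):
    """Return (principal, finding, resource, timestamp) for every deviation from scope."""
    findings = []
    for e in events:
        policy = scope.get(e["principal"])
        if policy is None:
            continue                     # internal user; covered by other controls
        stamp = e["ts"].isoformat()
        start, end = policy["hours"]
        if e["resource"] not in policy["resources"]:
            findings.append((e["principal"], "out-of-scope resource", e["resource"], stamp))
        if not start <= e["ts"].hour < end:
            findings.append((e["principal"], "outside contracted hours", e["resource"], stamp))
        if e["action"] == "EXPORT" or e["size"] >= bulk:
            findings.append((e["principal"], "bulk export", e["resource"], stamp))
    return findings


if __name__ == "__main__":
    for principal, finding, resource, stamp in audit_third_party(parse_log(SAMPLE_LOG)):
        print(f"{stamp}  {principal}  {finding}  ({resource})")
```

The two routine reads at 10:12 and 10:13 produce nothing, which is the point: an audit that fires on every contractor action is ignored. The late-night read, the touch on the finance ledger, and the large export at 02:15 each trip a different rule, and the export trips two at once, which is the pattern a reviewer would want escalated rather than merely logged.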
