
Lecture 1 - Security Fundamentals, Threats, Attacks and Vulnerability

Uploaded by

suhanawang
Copyright
© © All Rights Reserved

Information Technology Security & Privacy (COSC 3796)

School of Computer Science and Technology


Algoma University, Sault Ste. Marie
Fall 2024

TITLE: SECURITY FUNDAMENTALS, THREATS, ATTACKS AND VULNERABILITY
LECTURE NO. 1

INSTRUCTOR: DR. MUHAMMAD AZAM


Land Acknowledgement

• Algoma University respectfully acknowledges that its three campuses are located on the inherent and treaty lands of First Nations and within
traditional lands of Indigenous peoples. For thousands of years, Indigenous peoples inhabited and cared for this land, and continue to do so today.

• The Sault Ste. Marie campus is located in an area known as Baawaating on sacred lands set aside for education as envisioned by Chief Shingwauk
for our children and for those as yet unborn.

• Located in Robinson-Huron Treaty territory, this land is the traditional territory of the Anishinaabek, specifically the Garden River and
Batchewana First Nations, as well as Métis People. Sault Ste. Marie is also home to several urban Indigenous peoples.

• We also acknowledge that the Brampton campus is part of the Treaty Lands and Territory of the Mississaugas of the Credit.
• In particular, we acknowledge the territory of the Anishinabeg, particularly the Huron-Wendat, Haudenosaunee and Ojibway/Chippewa peoples; the land that is home to the Métis; and most recently, the territory of the Mississaugas of the Credit First Nation, who are direct descendants of the Mississaugas of the Credit.

• We also acknowledge that the Timmins campus is located on Treaty #9 territory, also known as the James Bay Treaty.
• It is the traditional territory of the Ojibwe/Chippewa, including the Mattagami First Nation, as well as the Mushkegowuk (Cree), Algonquin, and Métis Peoples.

Equity, Diversity, Inclusion

https://algomau.ca/about/equity-diversity-and-inclusion/

Course Slides Acknowledgement

• The slides of this course were originally prepared by Dr. Samuel Faloye at Brampton Campus of Algoma University and adopted for this course

Module Objectives

1. Define information security and explain why it is important
2. Identify threat actors and their attributes
3. Describe the different types of vulnerabilities and attacks
4. Explain the impact of attacks

What is Information Security?

Understanding Security

The first step in understanding security is to define exactly what it is.

Security is:
• To be free from danger, which is the goal of security
• The process that achieves that freedom

As security is increased, convenience is often decreased:
• The more secure something is, the less convenient it may become to use

Defining Information Security

Who Are the Threat Actors?

• A threat actor is an individual or entity responsible for cyber incidents against the technology equipment of enterprises and users
• The generic term attacker is also commonly used
• Financial crime is often divided into three categories based on targets:
  • Individual users
  • Enterprises
  • Governments
• There are three types of hackers:
  • Black hat hackers (bad guys): hack for profit or personal benefit
  • White hat hackers (good guys): identify vulnerabilities and fix them
  • Gray hat hackers: neither good nor bad; they have their own agendas

Script Kiddies

• Script kiddies are individuals who want to perform attacks, yet lack the technical knowledge to carry them out
  • They download freely available automated attack software and use it to attack

Hacktivists

• Individuals that are strongly motivated by ideology (for the sake of their principles or beliefs) are hacktivists
• The types of attacks by hacktivists often involved breaking into a website and changing its contents as a means of a political statement
• Other attacks were retaliatory: hacktivists have disabled a bank’s website that didn’t allow online payments deposited into accounts belonging to groups supported by hacktivists

State Actors

• Governments are increasingly employing their own state-sponsored attackers for launching cyberattacks against their foes
• These attackers are known as state actors
• Many security researchers believe that state actors might be the deadliest of any threat actors
• State actors are often involved in multiyear intrusion campaigns targeting highly sensitive economic, proprietary, or national security information
• A new class of attacks is called advanced persistent threat (APT)
• APTs are most commonly associated with state actors

Insider

• Employees, contractors, and business partners can pose an insider threat of manipulating data from the position of a trusted employee
• These attacks are harder to recognize because they come from within the enterprise
• Six out of 10 enterprises reported being a victim of at least one insider attack during 2019
• The focus of the insiders was:
  • Intellectual property (IP) theft: 43%
  • Sabotage: 41%
  • Espionage: 32%

Other Threat Actors

• Competitors
  Description: Launch attacks against an opponent’s system to steal classified information.
  Explanation: May steal new product research or a list of current customers to gain a competitive advantage.

• Criminal syndicates
  Description: Move from traditional criminal activities to more rewarding and less risky online attacks.
  Explanation: Usually run by a small number of experienced online criminal networks that do not commit crimes themselves but act as entrepreneurs.

• Shadow IT
  Description: Employees become frustrated with the slow pace of acquiring technology, so they purchase and install their own equipment or resources in violation of company policies.
  Explanation: Installing personal equipment, unauthorized software, or using external cloud resources can create a weakness or expose sensitive corporate data.

• Brokers
  Description: Sell their knowledge of a weakness to other attackers or governments.
  Explanation: Individuals who uncover weaknesses do not report them to the software vendor but instead sell them to the highest bidder who is willing to pay a high price for the unknown weakness.

• Cyberterrorists
  Description: Attack a nation’s network and computer infrastructure to cause disruption and panic among citizens.
  Explanation: Targets may include a small group of computers or networks that can affect the largest number of users, such as the computers that control the electrical power grid of a state or region.

Vulnerabilities and Attacks

• One of the most successful types of attack is social engineering
• Social engineering does not even exploit technology vulnerabilities
• Each successful attack has serious ramifications

Vulnerabilities

• A vulnerability is the state of being exposed to the possibility of being attacked or harmed
• Cybersecurity vulnerabilities can be categorized into platforms, configurations, third parties, patches, and zero-day vulnerabilities
• Platforms
  • A computer platform is a system that consists of the hardware device and an OS that runs software
  • All platforms have vulnerabilities to some degree; some platforms have serious vulnerabilities, including:
    • Legacy platforms
    • On-premises platforms
    • Cloud platforms

Vulnerabilities

• Configuration settings are often not properly implemented
• Results in weak configurations

Vulnerabilities

• Third Parties
  • Almost all businesses use external entities known as third parties
  • Examples of third parties include: outsourced code development, data storage facilities
  • Vendor management is the process organizations use to monitor and manage the interactions with all of their external third parties
  • Connectivity between the organization and the third party is known as system integration
  • One of the major risks of third-party system integration involves the principle of the weakest link

Vulnerabilities

Patches
As important as patches are, they can create vulnerabilities:
• Difficulty patching firmware
• Few patches for application software
• Delays in patching OSs

Zero Day
• Vulnerabilities can be exploited by attackers before anyone else even knows they exist
• This type of vulnerability is called a zero day because it provides zero days of warning
• Zero-day vulnerabilities are considered extremely serious

Attack Vector

• An attack vector is a pathway or avenue used by a threat actor to penetrate a system
• Attack vectors can be grouped into the following general categories:
  • Email
  • Wireless
  • Removable media
  • Direct access
  • Social media
  • Supply chain
  • Cloud

Social engineering

• Social engineering is a means of eliciting information (gathering data) by relying on the weaknesses of individuals
• It is also used in influence campaigns to sway attention and sympathy in a particular direction
• These campaigns can be found exclusively on social media or may be combined with other sources

Psychological Principles

Attackers use a variety of techniques to gain trust:
• Provide a reason
• Project confidence
• Use evasion and diversion
• Make them laugh

Social engineering

• Social engineering psychological approaches often involve:
  • Impersonation is masquerading as a real or fictitious character and then playing the role of that person with a victim
  • Phishing is sending an email message or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information or taking action
  • Variations on phishing attacks:
    • Spear phishing
    • Whaling
    • Vishing
    • Smishing

Social engineering

• Social engineering psychological approaches often involve (continued):
  • Redirection is when an attacker directs a user to a fake lookalike site filled with ads for which the attacker receives money for traffic generated to the site
    • Attackers purchase fake sites because the domain names of sites are spelled similarly to actual sites (called typo squatting)
    • Another redirection technique is pharming, where the attacker attempts to exploit how a URL is converted into its corresponding IP address
  • Spam is unsolicited email that is sent to a large number of recipients
    • Text-based spam messages can be filtered
    • Image spam cannot be filtered
  • Spim is spam delivered through instant messaging (IM) instead of email
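
A defender-side illustration of the typo squatting point above, added here and not part of the original slides: it flags domains seen in logs that differ from a protected domain by one edit or by a look-alike character. The protected domains, the folding table and the observed sample are all constructed assumptions.

```python
# Added example: flag observed domains that imitate a protected domain.
# PROTECTED, FOLD and OBSERVED are constructed for illustration.
PROTECTED = ("examplebank.com", "campus-portal.example")

# Characters commonly swapped for look-alikes; a small, non-exhaustive table.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold look-alike characters so visually similar names compare equal."""
    return domain.lower().translate(FOLD).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike(domain, protected=PROTECTED, max_edits=1):
    """Return (imitated_domain, reason) or None if the name looks unrelated."""
    name = domain.lower().rstrip(".")
    if name in protected:
        return None  # the genuine domain itself
    for good in protected:
        if skeleton(name) == skeleton(good):
            return (good, "homoglyph")
        if osa_distance(name, good) <= max_edits:
            return (good, "typo")
    return None

# Constructed sample of domains seen in proxy or DNS logs.
OBSERVED = ["examplebank.com", "exmaplebank.com", "examp1ebank.com",
            "carnpus-portal.example", "weather.example"]

def scan(observed=OBSERVED):
    """Map each suspicious domain to the protected domain it imitates."""
    hits = {d: lookalike(d) for d in observed}
    return {d: hit for d, hit in hits.items() if hit}

if __name__ == "__main__":
    for domain, (good, reason) in scan().items():
        print(f"{domain}: resembles {good} ({reason})")
```

A one-edit threshold keeps false positives low on short names; longer brand names can tolerate a larger `max_edits`.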

Social engineering

• Social engineering psychological approaches often involve (continued):
  • Hoaxes are false warnings, often contained in an email message claiming to come from the IT department
    • The hoax purports that there is a “deadly virus” circulating through the Internet and the recipient should erase specific files or change security configurations
  • A watering hole attack is directed toward a smaller group of specific individuals

Social Engineering

• Physical Procedures
  • Physical attacks take advantage of user actions that can result in compromised security
  • Three of the most common physical procedures are dumpster diving, tailgating, and shoulder surfing
  • Dumpster Diving involves digging through trash receptacles to find information that can be useful in an attack
    • An electronic variation of physical dumpster diving is to use the Google search engine to look for documents and data posted online that can be used in an attack (called Google dorking)

Social Engineering

• Physical Procedures (continued)
  • Tailgating occurs when an authorized person opens an entry door and one or more individuals follow behind and also enter
  • Shoulder Surfing allows an attacker to casually observe someone entering secret information, such as the security codes on a door keypad

Impacts of Attacks

• A successful attack always results in several negative impacts
• These impacts can be classified as:
  • Data impacts
  • Effects on the organization

Impacts of Attacks

• Effects on the Enterprise
  • The attack may make systems inaccessible (availability loss)
  • This results in lost productivity (financial loss)
  • Attacks may affect the public perception of the enterprise (reputation)

Impacts of Attacks

• Data loss
  Description: Destroying data so that it cannot be recovered
  Example: Maliciously erasing patient data used for cancer research

• Data exfiltration
  Description: Stealing data to distribute it to other parties
  Example: Taking a list of current customers and selling it to a competitor

• Data breach
  Description: Stealing data to disclose it in an unauthorized fashion
  Example: Stealing credit card numbers to sell to other threat actors

• Identity theft
  Description: Taking personally identifiable information to impersonate someone
  Example: Stealing a Social Security number to secure a bank loan in the victim’s name

References

Some contents were derived from the following texts.

• CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition
• Principles of Information Security, 7th Edition (Michael E. Whitman; Herbert J. Mattord)
• Ukeje, N., Gutierrez, J., & Petrova, K. (2024). Information security and privacy challenges of cloud computing for government adoption: a systematic review. International Journal of Information Security, 1-17.
• Ali, A. S., Zaaba, Z. F., & Singh, M. M. (2024). The rise of “security and privacy”: bibliometric analysis of computer privacy research. International Journal of Information Security, 23(2), 863-885.
• Farayola, O. A., Olorunfemi, O. L., & Shoetan, P. O. (2024). Data privacy and security in IT: a review of techniques and challenges. Computer Science & IT Research Journal, 5(3), 606-615.
