CS QUIZ 2_Slide and sln merged

Uploaded by aboltabol092

Quiz 2

Humaira 092
Cybersecurity: The protection of digital devices and their communication channels to
keep them stable, dependable and reasonably safe from danger or threat. The required
protection level must usually be sufficient to prevent or address unauthorized access
before it can lead to substantial personal, professional, organizational, financial and/or
political harm.

Digital Device: Any electronic appliance that can create, modify, archive, retrieve or
transmit information in an electronic format. Desktop computers, laptops, tablets,
smartphones and Internet-connected home devices are all examples of digital devices.

Cyber Crime: Any traditional crime that can be committed using ICT can be regarded as a
cybercrime.

Cyber Attack: To take aggressive or hostile action by leveraging or targeting digital
devices. The intended damage is not limited to the digital (electronic) environment.

Cyber Warfare: The use of digital attacks against a nation, causing harm comparable to
actual warfare and/or disrupting vital computer systems. Cyber warfare involves actions
by a nation-state or international organization to attack and attempt to damage another
nation's computers or information networks through, for example, computer viruses or
denial-of-service attacks.

Cyber Espionage: The use of computer networks to gain illicit access to confidential
information, typically that held by a government or other organization. Cyber espionage
is a form of cyber-attack that steals classified or sensitive data or intellectual property
to gain an advantage over a competing company or government entity.

Cyber Insecurity: Suffering from a concern that weaknesses in one’s cyber security are
going to cause one personal or professional harm.

Hacker: A person who engages in attempts to gain unauthorized access to one or more
digital devices.

Ethical Hacking: The process by which supportive penetration testing experts assist in
finding security weaknesses and vulnerabilities.

Red Team: When testing for potential exploits affecting any critical or sensitive system,
infrastructure or website, a team of penetration testers is usually used. This term (red
team) is used to describe the group of penetration testers working together on this type
of objective.

Ethical Hacker: An alternative name for a penetration tester.


Virus: A form of malicious software that spreads by infecting (attaching itself) to other
files and usually seeks opportunities to continue that pattern. Viruses are now less
common than other forms of malware. Viruses were the main type of malware in very
early computing. For that reason, people often refer to something as a virus when it is
technically another form of malware.

Malware: Shortened version of malicious software. A term used to describe the insertion
of disruptive, subversive or hostile programs onto a digital device. These programs can
be intentional or unintentional. Intentional versions are usually disguised or embedded
in a file that looks harmless. There are many types of malware; adware, botnets,
computer viruses, ransomware, scareware, spyware, trojans and worms are all examples
of intentional malware. Hackers often use malware to mount cybersecurity attacks.

Botnet: Shortened version of robotic network. A connected set of programs designed to
operate together over a network (including the Internet) to achieve specific purposes.
The purpose can be good or bad. Some programs of this type are used to help support
Internet connections; malicious uses include taking over control of some or all of a
computer’s functions to support large-scale service attacks. Botnets are sometimes
referred to as a zombie army.

Ransomware: A form of malicious software (malware) that prevents or restricts usage
of one or more digital devices or applications or renders a collection of electronic data
unreadable until a sum of money is paid. It simulates traditional ransom. For example,
WannaCry (2017).

Spyware: A form of malware that covertly gathers and transmits information from the
device on which it is installed. Example: Pegasus

Phishing: Using an electronic communication (for example email or instant messaging)
that pretends to come from a legitimate source, in an attempt to get sensitive information
(for example, a password or credit card number) from the recipient or to install malware
on the recipient’s device. The methods used in phishing have evolved so that the message
can simply contain a link to an Internet location where malware is situated or can include
an attachment (such as a PDF or Word document) that installs malware when opened.
The malware can then be used to run any number of unauthorized functions, including
stealing information from the device, replicating additional malware to other accessible
locations, sharing the user screen and logging keyboard entries made by the user. Less
complex forms of phishing can encourage the recipient to visit a fake but convincing
version of a website and to disclose passwords or other details.

Spear Phishing: A more targeted form of phishing. This term describes the use of an
electronic communication (for example, email or instant messaging) that targets a
particular person or group of people (for example, employees at a location) and pretends
to come from a legitimate source. In this case, the source may also pretend to be someone
known and trusted to the recipient, in an attempt to obtain sensitive information (for
example, a password or credit card number).

Spoofing: Concealing the true source of electronic information by impersonation or
other means. Often used to bypass Internet security filters by pretending the source is
from a trusted location.
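The phishing, spear phishing and spoofing entries above all describe a message that pretends to come from somewhere it does not. The following is an added example (not part of the original notes) of the checks a mail filter or an analyst would run on a single message to surface that pretence: a mismatch between the envelope sender and the visible From address, a Reply-To that redirects replies elsewhere, a display name that claims a brand domain the sender does not own, and a link whose visible text names one host while its href leads to another. The message, the addresses and the domains (reserved `.example` names) are constructed for the demonstration.

```python
"""Heuristic checks for phishing and sender spoofing in a single e-mail.

Added educational example. The message below is constructed and the domains
(.example) are reserved documentation names, not real senders.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that itself looks like a URL or a bare host name makes a claim
# about where the link goes; "click here" does not.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of the address in a header, or '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(headers: dict, html_body: str) -> list:
    """Return human-readable indicators; an empty list means none were found."""
    findings = []
    display_name, _ = parseaddr(headers.get("From", ""))
    from_domain = domain_of(headers.get("From", ""))

    # 1. Envelope sender (Return-Path) differs from the visible From domain.
    rp_domain = domain_of(headers.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # 2. Replies are silently redirected to a different domain.
    reply_domain = domain_of(headers.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. The display name carries a brand domain that is not the sending domain.
    claimed = re.search(r"[\w-]+(\.[\w-]+)*\.[a-z]{2,}", display_name.lower())
    if claimed and from_domain and not claimed.group(0).endswith(from_domain):
        findings.append(f"display name claims {claimed.group(0)} but address is at {from_domain}")

    # 4. Link text shows one host while the href leads to another.
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        if not URL_LIKE.fullmatch(text.lower()):
            continue
        target = text if "://" in text else "http://" + text
        shown_host = urlparse(target).hostname or ""
        real_host = urlparse(href).hostname or ""
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


# Constructed suspicious message: every header and link is inconsistent.
SUSPICIOUS = {
    "headers": {
        "From": "Amazon.com Customer Service <alerts@amaz0n-billing.example>",
        "Return-Path": "<bounce@mailer.example>",
        "Reply-To": "<verify@secure-login.example>",
        "Subject": "Your order is on hold",
    },
    "body": '<p>Confirm your details at <a href="http://secure-login.example/amazon">'
            'https://www.amazon.com/account</a> or <a href="https://www.amazon.com/help">'
            'contact support</a>.</p>',
}

# Constructed ordinary message whose sender and links are consistent.
LEGITIMATE = {
    "headers": {"From": "Example Shop <orders@shop.example>",
                "Return-Path": "<bounces@shop.example>", "Subject": "Your receipt"},
    "body": '<p>Your order: <a href="https://shop.example/orders">https://shop.example/orders</a></p>',
}


def check(message: dict) -> list:
    return phishing_indicators(message["headers"], message["body"])


if __name__ == "__main__":
    for finding in check(SUSPICIOUS):
        print("suspicious:", finding)
    print("legitimate findings:", check(LEGITIMATE))
```

None of these indicators alone proves a message is malicious (mailing-list software legitimately rewrites Return-Path, for instance), which is why filters score several of them together rather than blocking on any one.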

Social Engineering Attack: The art of manipulating people through personal
interaction to gain unauthorized access to something.

The act of constructing relationships, friendships or other human interactions for the
purpose of enticing the recipient to perform an action or reveal information. The
individual(s) doing the social engineering use the victim’s action or information for the
hidden purpose of achieving a nefarious objective, such as acquiring intelligence about
the security, location or vulnerability of assets, or even gaining the person’s trust to open
an Internet link or document that will result in a malware foothold being created.

Denial of Service (DoS): An attack designed to stop or disrupt peoples’ use of
organizations’ systems. Usually, a particular section of an enterprise is targeted; for
example, a specific network, system, digital device type or function. These attacks usually
originate from, and are targeted at, devices accessible through the Internet. If the attack
is from multiple source locations, it is referred to as a Distributed Denial of Service, or
DDoS attack.

Vulnerability: (in the context of cybersecurity) a weakness that could be compromised
and result in damage or harm.

Vector: Another word for 'method' – as in 'They used multiple vectors for the attack.'

Exploit: To take advantage of a security vulnerability. Well-known exploits are often
given names. Falling victim to a known exploit with a name can be a sign of low security,
such as poor patch management.

Zero-day: It refers to the very first time a new type of exploit or new piece of malware is
discovered. At that point in time, none of the anti-virus, anti-malware or other defenses
may be set up to defend against the new form of exploit.

Backdoor: A covert method of accessing software or a device that bypasses the normal
authentication requirements.

Threat Actors: An umbrella term to describe the collection of people and organizations
that work to create cyber-attacks. Examples of threat actors can include cyber criminals,
hacktivists and nation states.

Anti-malware: It is a computer program designed to look for specific files and behaviors
(signatures) that indicate the presence or the attempted installation of malicious
software. If or when detected, the program seeks to isolate the attack (quarantine or
block the malware), remove it, if it can, and also alert appropriate people to the attempt
or to the presence of the malware. The program can be host-based (installed on devices
that are directly used by people) or network-based (installed on gateway devices through
which information is passed). Older forms of this software could detect only specific, pre-
defined forms of malicious software using signature files. Newer forms use machine
learning and make use of additional techniques including behavior monitoring.

Signatures: Signatures (in the context of cybersecurity) are the unique attributes – for
example, file size, file extension, data usage patterns and method of operation – that
identify a specific computer program. Traditional anti-malware and other security
technologies can make use of this information to identify and manage some forms of
rogue software or communications.
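The Anti-malware and Signatures entries above contrast older signature matching with newer behaviour monitoring. The block below is an added illustration (not from the notes) of why the second was needed: a detector that knows one sample by its exact hash and by a byte pattern shared by its family, run against the original file, a variant with one byte changed, and an obfuscated copy. The hash signature only catches the original, the pattern signature survives the small edit but not the obfuscation, and only the run-time behaviour score catches the obfuscated copy. Every byte string, hash and event name is constructed for the demo; none is a real malware indicator.

```python
"""Signature-based versus behaviour-based detection, as an added example.

The byte strings, hashes and event names are constructed for this demo; none
of them are real malware indicators.
"""
import hashlib

# Constructed "known bad" file, a near-identical variant, and an obfuscated copy.
ORIGINAL_SAMPLE = b"MZ\x90\x00 demo header DEMO-DROPPER-MARKER-v1 demo payload"
VARIANT_SAMPLE = ORIGINAL_SAMPLE.replace(b"v1", b"v2")       # one byte changed
PACKED_SAMPLE = bytes(b ^ 0x5A for b in ORIGINAL_SAMPLE)     # XOR-obfuscated copy

# Static signatures: an exact file hash (the oldest technique) and a byte
# pattern common to the family (survives small edits, but not obfuscation).
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "Demo.Dropper.A"}
PATTERN_SIGNATURES = {"Demo.Dropper": b"DEMO-DROPPER-MARKER"}

# Behaviour signatures: actions observed at run time, weighted by how
# characteristic of malware they are (constructed weights).
BEHAVIOUR_WEIGHTS = {
    "write_startup_folder": 2,
    "disable_security_tool": 3,
    "mass_file_rename": 2,
    "outbound_connect_unusual_port": 1,
}


def scan_static(data: bytes) -> list:
    """Return (name, method) pairs for every static signature that matches."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append((name, "hash"))
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append((name, "pattern"))
    return hits


def behaviour_score(events: list) -> int:
    """Sum the weights of suspicious run-time actions; unknown events score 0."""
    return sum(BEHAVIOUR_WEIGHTS.get(event, 0) for event in events)


def verdict(data: bytes, events: list, threshold: int = 4) -> dict:
    """Combine static and behavioural evidence into a single decision."""
    static_hits = scan_static(data)
    score = behaviour_score(events)
    return {
        "static_hits": static_hits,
        "behaviour_score": score,
        "malicious": bool(static_hits) or score >= threshold,
    }


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL_SAMPLE),
                          ("variant", VARIANT_SAMPLE),
                          ("packed", PACKED_SAMPLE)]:
        print(label, scan_static(sample))
    # The obfuscated copy matches nothing statically; its actions give it away.
    print(verdict(PACKED_SAMPLE, ["write_startup_folder", "disable_security_tool"]))
```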

Defense in Depth: The use of multiple layers of security techniques to help reduce the
chance of a successful attack. The idea is that if one security technique fails or is bypassed,
there are others that should address the attack. The latest (and correct) thinking on
defense in depth is that security techniques must also consider people and operations
factors and not just technology.

Incident Response: A prepared set of processes that should be triggered when any
known or suspected event takes place that could cause material damage to an
organization. The typical stages are
• verify the event is real and identify the affected areas,
• contain the problem (usually by isolating, disabling or disconnecting the affected
pieces),
• understand and eradicate the root cause,
• restore the affected components to their fixed state and
• review how the process went to identify improvements that should be made.

Breach Notification Procedure: Some types of information, when suspected or known
to be lost or stolen, must, by law, be reported to one or more authorities within a defined
time period. The required notification time period varies by regulator, but is often within
24 hours. In addition to reporting the known or suspected loss, the lead organization
responsible for the information (referred to as the data owner) is also required to swiftly
notify those affected, and later on, to submit a full root cause analysis and information
about how they have responded and fixed the issues. To meet these legal obligations,
larger companies usually have a pre-defined breach notification procedure to ensure that
the timelines are met. The fines for data breaches are usually increased or decreased
based on the adequacy of the organization’s breach and incident response management.

Secure Configuration: It is a process ensuring that when settings are applied to any item
(device or software), appropriate steps are always taken to ensure
• default accounts are removed or disabled,
• shared accounts are not used and
• all protective and defensive controls in the item use the strongest appropriate
setting(s).

Penetration Test: Checks and scans on any application, system or website to identify
any potential security gaps (vulnerabilities) that could be exploited. Once the
vulnerabilities are identified, this process then goes on to identify the extent to which
these vulnerabilities could be leveraged in an attack (the penetration possibilities).
Usually, these checks are performed in a test area and emulate the same techniques that
could be used by an attacker. This is to prevent any inadvertent operational disruption.
The checks are typically conducted before any application or site is first used, and also on
a periodic (repeating) basis; for example, each time the program is updated or every 6
months. Any significant gaps must be addressed (fixed) in a timeframe appropriate to the
scale of the risk. Not to be confused with the term vulnerability assessment, which only
identifies gaps without examining how they could be leveraged. Penetration tester is the
person who performs simulated attempts at attack on a target system or application on
behalf of the organization that owns or controls it.

Vulnerability Assessment: The identification and classification of security gaps in a
computer, software application, network or other section of a digital landscape. This is
usually a passive identification technique that aims only to identify the gaps, without
exploring how those gaps could be used in an attack. This should not be confused with a
penetration test, which may include information from a vulnerability assessment, but
which will go on to explore how any vulnerabilities can be exploited.

Business Continuity Plan: An operational document that describes how an organization
can restore its critical products or services to its customers, should a substantial event
that causes disruption to normal operations occur.

Technical Disaster Recovery Plan: An operational document that describes the exact
process, people, information and assets required to put any electronic or digital system
back in place within a timeline defined by the business continuity plan.

Patch Management: A controlled process used to deploy critical, interim updates to
software on digital devices. The release of a software ‘patch’ is usually in response to a
critical flaw or gap that has been identified. Any failure to apply new interim software
updates promptly can leave open security vulnerabilities in place. As a consequence,
promptly applying these updates (patch management) is considered a critical component
of maintaining effective cybersecurity.
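The Patch Management entry says that failing to apply a fix promptly leaves a known vulnerability open, and the Penetration Test entry adds that gaps must be closed in a timeframe appropriate to the risk. The following added example (not part of the notes) shows the check an asset-management or vulnerability-scanning tool performs to find such gaps: it compares an installed-software inventory against a list of advisories, decides per package whether the installed version predates the first fixed version, and flags findings whose patch window for that severity has already elapsed. The package names, versions, advisory ids, dates and patch windows are all constructed placeholders.

```python
"""Checking an inventory against advisories, as an added example of a patch
management check. Package names, versions, advisory ids, dates and the patch
windows are constructed for the demonstration."""
import re
from datetime import date

# Constructed maximum number of days allowed to apply a patch, by severity.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed installed-software inventory: package -> installed version.
INVENTORY = {
    "imagelib": "2.4.9",
    "webframework": "3.1.0",
    "sshd-demo": "8.2.1",
}

# Constructed advisories: first fixed version, severity and publication date.
ADVISORIES = [
    {"id": "ADV-DEMO-001", "package": "imagelib", "fixed_in": "2.4.10",
     "severity": "critical", "published": date(2024, 3, 1)},
    {"id": "ADV-DEMO-002", "package": "webframework", "fixed_in": "3.0.4",
     "severity": "high", "published": date(2024, 2, 10)},
    {"id": "ADV-DEMO-003", "package": "sshd-demo", "fixed_in": "8.2.1",
     "severity": "high", "published": date(2024, 1, 5)},
    {"id": "ADV-DEMO-004", "package": "dbclient", "fixed_in": "1.0.2",
     "severity": "medium", "published": date(2024, 3, 5)},
]


def parse_version(text: str) -> tuple:
    """Turn a dotted numeric version into a tuple so '2.4.10' sorts after '2.4.9'.

    Plain string comparison gets this wrong ('2.4.10' < '2.4.9' as text).
    Only numeric components are handled; schemes with letters need more work.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_below(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so "2.4" compares as "2.4.0"
    b += (0,) * (width - len(b))
    return a < b


def missing_patches(inventory: dict, advisories: list, today: date) -> list:
    """List installed packages still below an advisory's fixed version.

    Each finding also records whether the patch window for its severity has
    elapsed, which is what turns a missing patch into an overdue one.
    """
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue  # not installed, so the advisory does not apply
        if not version_below(installed, adv["fixed_in"]):
            continue  # already at or past the fixed version
        age_days = (today - adv["published"]).days
        findings.append({
            "id": adv["id"],
            "package": adv["package"],
            "installed": installed,
            "fixed_in": adv["fixed_in"],
            "severity": adv["severity"],
            "overdue": age_days > PATCH_WINDOW_DAYS[adv["severity"]],
        })
    return findings


def report(today: date = date(2024, 3, 20)) -> list:
    """Run the check on the constructed inventory for a fixed 'today'."""
    return missing_patches(INVENTORY, ADVISORIES, today)


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

In the constructed data only `imagelib` is reported: `webframework` is ahead of its fix, `sshd-demo` is exactly at it, and `dbclient` is not installed. The `imagelib` finding is already overdue because a critical advisory published 19 days earlier exceeds the 7-day window.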

Firewall: It is hardware (physical device) or software (computer program) used to
monitor and protect inbound and outbound data (electronic information). It achieves this
by applying a set of rules. These physical devices or computer programs are usually
deployed, at a minimum, at the perimeter of each network access point. Software
firewalls can also be deployed on devices to add further security. The rules applied within
a firewall are known as the firewall policy. Advanced firewalls are often equipped with
other defensive features typical of more unified threat management.

Chief Information Security Officer (CISO): A single point of accountability in any
organization for ensuring that an appropriate framework for managing dangers and
threats to electronic and physical information assets is operating and effective.

Policy:
• A high-level statement of intent, often a short document, that provides guidance
on the principles an organization follows. For example, a basic security policy
document could describe the intention for an enterprise to ensure that all
locations (physical and electronic) where information for which they are
accountable must remain secure from any unauthorized access. A policy does not
usually describe the explicit mechanisms or specific instructions that would be
used to achieve or enforce the intentions it expresses; this would be described in
a procedure.
• Alternatively, it can also be used to mean the settings (including security settings)
inside a software program or operating system.

Risk: A situation involving exposure to significant impact or loss. In formal frameworks,
risk can be quantified using probability (often expressed as a percentage) and impact
(often expressed as a financial amount). Other parameters for risk can include proximity
(how soon a potential risk may be encountered, and information about which assets,
services, products and processes could be affected).

Jurisdiction: Power of a court to adjudicate cases and issue orders. Territory within
which a court or government agency may properly exercise its power.

It is also known as the authority given by law to a court to try cases and rule on legal
matters within a particular geographic area and/or over certain types of legal cases. It is
vital to determine before a lawsuit is filed which court has jurisdiction. State courts have
jurisdiction over matters within that state, and different levels of courts have jurisdiction
over lawsuits involving different amounts of money.

Virtual Private Network (VPN)

A virtual private network (VPN) is a technology that creates an encrypted connection
over a less secure network. It is a way to extend a private network across a public one.

A VPN tunnel is an encrypted connection between a device and a VPN server. Without the
cryptographic key, neither attackers on the path nor the Internet Service Provider (ISP)
can read the data carried inside it. This protects users from attacks on the path and hides
what they're doing online from the ISP and other observers on that path.

Effectively, VPN tunnels are a private route to the Internet via intermediary servers.
That's why VPNs are popular among privacy-conscious individuals.

In a sense, a VPN acts as a middleman between a device and remote servers, and carries
data over existing networks without exposing it to the public Internet.

Let’s look at an example of how visiting Amazon would work without a VPN. The user
enters the Amazon homepage, it loads, and he/she can do shopping. Here’s how it works
in more technical terms:
− The user’s browser contacts a Domain Name System (DNS) server assigned by his/her
ISP, asking it to translate the website domain into an IP address.
− Knowing the Amazon server’s IP address, the user’s device can now send a request
and retrieve the website.
− The user’s ISP routes his/her request to the Amazon server and returns a
response.
This is very simplified, but that’s essentially how any connection works if a VPN is not
being used. In this example, the Amazon website uses HTTPS, so the connection is
encrypted. If the user visits an insecure website that doesn’t use HTTPS, his/her data
won’t be encrypted. But even with the encryption, this type of session still isn’t
completely private. By sending a DNS request to the ISP, the user is telling his/her ISP
that he/she wants to visit Amazon.com. Amazon also knows the user’s IP address and
can therefore determine the user’s location as well as, potentially, his/her identity.

Now let’s look at an example of how visiting Amazon would work if the user was using a
VPN:
− Firstly, the user connects to a VPN server in a country of their choosing, let's say
the UK.
− The VPN app uses a tunneling protocol to create an encrypted connection to the
VPN server.
− The user heads over to Amazon’s homepage. Yet this time, the DNS query is
resolved by the VPN, denying the ISP knowledge of what he/she is doing.
− The VPN establishes a connection between their server and the Amazon.com
server.
− Traffic goes from the user to the VPN server, then to Amazon’s server, and back.

Technically, a VPN can slow down the Internet connection, as there’s an extra step in the
process – Internet traffic going through a VPN server. On the bright side, the impact is
usually not noticeable.

VPNs can have vulnerabilities. There are no perfect cybersecurity products, and using a
VPN comes with some risks as well. Here are some potential VPN vulnerabilities that one
should be aware of:
− Some VPN services still use outdated protocols with known vulnerabilities.
− Hackers can impersonate VPN servers and intercept data if the VPN itself is
insecure.
− A user’s real IP address can get leaked if a VPN server goes down while he/she is
connected and privacy can be compromised. Premium VPNs offer kill switch
features to disable the Internet connection when the VPN drops.
− The user’s data is probably being sold if a VPN service is free. The maintenance of
server fleets costs money. Hence, when the service is free, the money has to come
from somewhere. In many cases, the VPN is collecting the data and selling it off to
third parties.
− Some VPNs log user data, even though the logging may not be extensive. There
have been instances of several VPN providers handing over user data to
governments when asked. That’s why it’s important to make sure that the chosen
provider is a no-logs VPN.
− VPN doesn’t protect from malware. For enhanced protection from viruses,
malware, trojans, or bots, one should use antivirus software.
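The Firewall entry earlier says a firewall applies an ordered set of rules (the firewall policy) to inbound and outbound data, and the kill-switch bullet above describes a client that cuts off Internet access when the tunnel drops. Both come down to the same mechanism, so the following added example (not part of the notes) shows one small rule evaluator used twice: first for a perimeter policy, where rule order matters and anything unmatched is dropped, and then for a kill-switch policy that allows traffic out only through the tunnel interface plus the single UDP flow that builds the tunnel, so that a request which falls back to the physical interface when the tunnel is down hits the default deny instead of leaking. Interface names, addresses (documentation ranges) and the port are constructed.

```python
"""Ordered packet-filter rules with default deny, as an added example.

The evaluator is a toy, but it behaves like a real firewall policy: the first
matching rule wins and anything unmatched is denied. The same evaluator is
then used for a VPN kill switch. Interfaces, addresses (documentation ranges
192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and ports are constructed.
"""
import ipaddress


def matches(rule: dict, packet: dict) -> bool:
    """A rule matches when every field it specifies agrees with the packet."""
    for field in ("direction", "iface", "proto", "dport"):
        if field in rule and rule[field] != packet.get(field):
            return False
    for field in ("src", "dst"):  # addresses are matched against a CIDR block
        if field in rule and ipaddress.ip_address(packet[field]) not in ipaddress.ip_network(rule[field]):
            return False
    return True


def evaluate(policy: list, packet: dict) -> tuple:
    """First matching rule decides; no match means the default deny applies."""
    for rule in policy:
        if matches(rule, packet):
            return rule["action"], rule["name"]
    return "deny", "default-deny"


# Perimeter policy, ordered so the block-list is consulted before the service allow.
PERIMETER_POLICY = [
    {"name": "block-known-bad", "direction": "in", "src": "203.0.113.0/24", "action": "deny"},
    {"name": "allow-web", "direction": "in", "proto": "tcp", "dport": 443, "action": "allow"},
    {"name": "allow-egress", "direction": "out", "action": "allow"},
]

# Kill-switch policy on a VPN client: traffic may leave only through the tunnel
# interface, plus the one UDP flow that builds the tunnel. Nothing else is
# allowed, so a tunnel outage cannot turn into a leak via eth0.
VPN_SERVER = "198.51.100.7"
KILL_SWITCH_POLICY = [
    {"name": "allow-tunnel-setup", "direction": "out", "iface": "eth0", "proto": "udp",
     "dst": VPN_SERVER + "/32", "dport": 1194, "action": "allow"},
    {"name": "allow-via-tunnel", "direction": "out", "iface": "tun0", "action": "allow"},
]


def perimeter_decisions() -> list:
    """Constructed packets: blocked source, allowed web, unlisted port, egress."""
    packets = [
        {"direction": "in", "proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.10", "dport": 443},
        {"direction": "in", "proto": "tcp", "src": "198.51.100.20", "dst": "192.0.2.10", "dport": 443},
        {"direction": "in", "proto": "tcp", "src": "198.51.100.20", "dst": "192.0.2.10", "dport": 22},
        {"direction": "out", "proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.20", "dport": 80},
    ]
    return [evaluate(PERIMETER_POLICY, p) for p in packets]


def kill_switch_decisions() -> list:
    """Constructed packets: tunnel setup, a request inside the tunnel, and the
    same request trying to leave on eth0 after the tunnel has dropped."""
    packets = [
        {"direction": "out", "iface": "eth0", "proto": "udp", "src": "192.0.2.50", "dst": VPN_SERVER, "dport": 1194},
        {"direction": "out", "iface": "tun0", "proto": "tcp", "src": "10.8.0.2", "dst": "198.51.100.40", "dport": 443},
        {"direction": "out", "iface": "eth0", "proto": "tcp", "src": "192.0.2.50", "dst": "198.51.100.40", "dport": 443},
    ]
    return [evaluate(KILL_SWITCH_POLICY, p) for p in packets]


if __name__ == "__main__":
    print("perimeter:", perimeter_decisions())
    print("kill switch:", kill_switch_decisions())
```

Swapping the first two perimeter rules would let the block-listed source reach port 443, which is why rule order is part of the policy and not a cosmetic detail.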

Computer Security

Computer security is the protection afforded to an automated information system in order
to attain the applicable objectives of preserving the integrity, availability and confidentiality
of information system resources which includes hardware, software, firmware, information,
data, and telecommunications.

Standards Organizations

Various organizations have been involved in the development or promotion of cryptography
and network security standards. Some of them are mentioned below.
• NIST is a U.S. federal agency that deals with measurement science, standards, and
technology related to U.S. government use and to the promotion of U.S. private-sector
innovation. Despite its national scope, NIST Federal Information Processing
Standards (FIPS) and Special Publications (SP) have a worldwide impact.
• ISOC is a professional membership society with worldwide organizational and
individual membership. It provides leadership in addressing issues that confront the
future of the Internet and is the organization home for the groups responsible for
Internet infrastructure standards, including the Internet Engineering Task Force
(IETF) and the Internet Architecture Board (IAB). These organizations develop
Internet standards and related specifications, all of which are published as Requests
for Comments (RFCs).
• ITU is an international organization within the United Nations System in which
governments and the private sector coordinate global telecom networks and services.
The ITU Telecommunication Standardization Sector (ITU-T) is one of the three
sectors of the ITU. ITU-T's mission is the production of standards covering all fields
of telecommunications. ITU-T standards are referred to as Recommendations.
• ISO is a worldwide federation of national standards bodies from more than 140
countries, one from each country. ISO is a nongovernmental organization that
promotes the development of standardization and related activities with a view to
facilitating the international exchange of goods and services, and to developing
cooperation in the spheres of intellectual, scientific, technological, and economic
activity. ISO's work results in international agreements that are published as
International Standards.

Risk Analysis

The objective of a security program is to mitigate risks. Mitigating risks does not mean
eliminating them; it means reducing them to an acceptable level. To make sure that the
security controls are effectively controlling the risks in the environment, it is important
to anticipate what kinds of incidents may occur. One also needs to identify what one is
trying to protect, and from whom. That’s where risk analysis, threat definition, and
vulnerability analysis come in.

Threat

A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data,
or disrupt digital life in general. Threats can take many forms, and in order to be
successful, a security strategy must be comprehensive enough to manage the most
significant threats.

Threat Vector

A threat vector is a term used to describe where a threat originates and the path it takes
to reach a target. An example of a threat vector is an e-mail message sent from outside
the organization to an inside employee, containing an irresistible subject line along with
an executable attachment that happens to be a Trojan program, which will compromise
the recipient’s computer if opened.

Source          Threats         Targets
Employee        Theft           Intellectual Property
Software        Corruption      Email
Software Bug    Error           Application

Different Types of Attacks

Any computer that is accessible from the Internet will be attacked. It will constantly be
probed by attackers and malicious programs intending to exploit vulnerabilities. There
can be different types of attacks, such as:
• Malicious Mobile Code
• Advanced Persistent Threat (APT)
• Manual Attacks

Malicious Mobile Code

There are three generally recognized variants of malicious mobile code: viruses, worms,
and Trojans. In addition, many malware programs have components that act like two or
more of these types, which are called hybrid threats or mixed threats. The lifecycle of
malicious mobile code looks like this:
− Find
− Exploit
− Infect
− Repeat

Computer Viruses

A virus is a self-replicating program that uses other host files or code to replicate. Most
viruses infect files so that every time the host file is executed, the virus is executed too.
A virus infection is simply another way of saying the virus made a copy of itself
(replicated) and placed its code in the host in such a way that it will always be executed
when the host is executed.

The damage routine of a virus (or really of any malware program) is called the payload.
The vast majority of malicious program files do not carry a destructive payload beyond
the requisite replication. This means they aren’t intentionally designed by their creators
to cause damage. However, their very nature requires that they modify other files and
processes without appropriate authorization, and most end up causing program crashes
of one type or another.

At the very least, a “harmless” virus takes up CPU cycles and storage space. Of course,
payloads can be intentionally destructive, deleting files, corrupting data, copying
confidential information, formatting hard drives, and removing security settings. Some
viruses are devious. Many send out random files from the user’s hard drive to everyone
in the user’s e-mail address list.

If the virus executes, does its damage, and terminates until the next time it is executed,
it is known as a nonresident virus. A nonresident virus may, for example, look for and
infect five EXE files on the hard disk and then terminate until the next time an infected
file is executed. These types of viruses are easier for novice malicious coders to write. If
the virus stays in memory after it is executed, it is called a memory-resident virus.
Memory-resident viruses insert themselves as part of the operating system or
application and can manipulate any file that is executed, copied, moved, or listed.

If the virus overwrites the host code with its own code, effectively destroying much of
the original contents, it is called an overwriting virus.

If the virus inserts itself into the host code, moving the original code around so the host
programming still remains and is executed after the virus code, the virus is called a
parasitic virus. Viruses that copy themselves to the beginning of the file are called
prepending viruses, and viruses placing themselves at the end of a file are called
appending viruses. Viruses appearing in the middle of a host file are labeled mid-
infecting viruses. The modified host code doesn’t always have to be a file—it can be a
disk boot sector or partition table, in which case the virus is called a boot sector or
partition table virus.
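The paragraphs above distinguish overwriting, prepending, appending and mid-infecting viruses by where the foreign code lands in the host file. From the defender's side the same distinction is what a file-integrity monitor reports once a protected file no longer matches its baseline. The block below is an added example (not from the notes) of that classification: given the original bytes of a host file and its current bytes, it decides whether the original content is still intact at the end (prepended), at the start (appended), at both ends with a gap in the middle (mid-inserted), or has been replaced outright (overwritten). The "host program" and the inserted bytes are constructed placeholders, not real code.

```python
"""Classifying how a host file was modified, as an added example of a file
integrity check. The "host program" and the inserted bytes are constructed
placeholders, not real code."""
import hashlib

HOST = b"\x7fELF demo host program: original instructions and data " * 2
EXTRA = b"<inserted bytes>" * 3   # stands in for foreign code, constructed


def classify_change(original: bytes, current: bytes) -> str:
    """Describe where foreign bytes were placed relative to the original content."""
    if current == original:
        return "unchanged"
    if len(current) > len(original):
        if current.endswith(original):
            return "prepended"         # original content intact at the end
        if current.startswith(original):
            return "appended"          # original content intact at the start
        # Longest original prefix and suffix still present at the file's ends.
        prefix = 0
        while prefix < len(original) and original[prefix] == current[prefix]:
            prefix += 1
        suffix = 0
        while suffix < len(original) - prefix and original[-1 - suffix] == current[-1 - suffix]:
            suffix += 1
        if prefix + suffix >= len(original):
            return "mid-inserted"      # original split in two around the insert
        return "rewritten"             # grew, but the original is not intact
    return "overwritten"               # same size or smaller: original bytes lost


def integrity_report(baseline: dict, current_files: dict) -> dict:
    """Compare current contents with a baseline of name -> (sha256, bytes).

    A real integrity monitor stores only hashes; the original bytes are kept
    here so that the kind of change can be classified for the demonstration.
    """
    report = {}
    for name, (digest, original) in baseline.items():
        current = current_files.get(name)
        if current is None:
            report[name] = "missing"
        elif hashlib.sha256(current).hexdigest() == digest:
            report[name] = "unchanged"
        else:
            report[name] = classify_change(original, current)
    return report


def demo() -> dict:
    """Constructed before/after snapshots, one per modification style."""
    names = ["clean.bin", "prepend.bin", "append.bin", "mid.bin", "overwrite.bin", "gone.bin"]
    baseline = {name: (hashlib.sha256(HOST).hexdigest(), HOST) for name in names}
    half = len(HOST) // 2
    current = {
        "clean.bin": HOST,
        "prepend.bin": EXTRA + HOST,
        "append.bin": HOST + EXTRA,
        "mid.bin": HOST[:half] + EXTRA + HOST[half:],
        "overwrite.bin": EXTRA + HOST[len(EXTRA):],   # same length, head replaced
        # "gone.bin" deliberately absent
    }
    return integrity_report(baseline, current)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```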

Example of an overwriting virus

Example of a prepending parasitic virus

Computer Worms

A computer worm uses its own coding to replicate, although it may rely on the existence
of other related code to do so. The key to a worm is that it does not directly modify other
host code to replicate. A worm may travel the Internet trying one or more exploits to
compromise a computer, and if successful, it then writes itself to the computer and
begins replicating again. An example of an Internet worm is Bugbear. Bugbear was
released in June 2003, arriving as a file attachment in a bogus e-mail.

E-mail worms are a curious intersection of social engineering and automation. They
appear in people’s inboxes as messages and file attachments from friends, strangers, and
companies. They pose as games, official patches from Microsoft, or unofficial
applications found in the digital marketplace. There cannot be a computer user in the
world who has not been warned multiple times against opening unexpected e-mail
attachments, but often the attachments are simply irresistible.

Trojans

Trojan horse programs, or Trojans, work by posing as legitimate programs that are
activated by an unsuspecting user. After execution, the Trojan may attempt to continue
to pose as the other legitimate program (such as a screensaver) while doing its malicious
actions in the background. Many people are infected by Trojans for months and years
without realizing it.

If the Trojan simply starts its malicious actions and doesn’t pretend to be a legitimate
program, it’s called a direct-action Trojan. Direct-action Trojans don’t spread well
because the victims notice the compromise and are unlikely, or unable, to spread the
program to other unsuspecting users.

An example of a direct-action Trojan is JS.ExitW. It can be downloaded and activated
when unsuspecting users browse malicious web sites. In one case, this Trojan posed as
a collection of Justin Timberlake pictures and turned up in a search using Google. The
link, instead of leading to the pictures, downloaded and installed the JS.ExitW Trojan.
When activated, JS.ExitW installs itself in the Windows startup folder as an HTML
application (.hta) that shuts down Windows. Because it is in the startup folder, this has
the consequence of putting infected PCs in a never-ending loop of starts and shutdowns.

A powerful type of Trojan program called a remote access Trojan (RAT) is very popular
in today’s attacker circles. Once installed, a RAT becomes a back door into the
compromised system and allows the remote attackers to do virtually anything they want
to the compromised PC. Password-stealing Trojans look for saved passwords on the
computer and email them to the hackers. Some can even steal passwords cached in the
browser history. Destructive Trojans destroy and delete files from the computer.
Antivirus killer Trojans detect and kill the antivirus and firewall programs to give the
attacker easier access to the computer.

Zombie Trojans infect a host and wait for their originating attacker’s commands telling
them to attack other hosts. The attacker installs a series of zombie Trojans, sometimes
numbering in the thousands. With one predefined command, the attacker can cause all
the zombies to begin to attack another remote system with a distributed denial of service
(DDoS) attack. DDoS attacks flood the intended victim computer with so much traffic,
legitimate or malformed, that it becomes overutilized or locks up, denying legitimate
connections.
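The Denial of Service entry earlier and the zombie-Trojan paragraph above describe the same symptom from the victim's side: more traffic than the service can absorb, either from one loud source or from many sources that are each individually unremarkable. The following added example (not part of the notes) is the detection logic an operator would run over a connection log to tell the two apart: requests are counted in fixed time windows, one source exceeding a per-source limit raises a single-source flood alert, and one target exceeding an aggregate limit from many distinct sources raises a distributed flood alert. The log lines (documentation address ranges) and the thresholds are constructed.

```python
"""Rate-based detection of single-source and distributed floods, as an added
example. The log lines are constructed (documentation address ranges) and
the thresholds are illustrative, not tuned for any real service."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (\S+) -> (\S+)$")   # constructed format: "timestamp src -> dst"


def parse(lines):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect_floods(lines, window=10, per_source_max=30, per_target_max=80, min_sources=20):
    """Bucket requests into fixed windows of `window` seconds and raise alerts.

    single-source flood: one source exceeds per_source_max in a window.
    distributed flood:   one target exceeds per_target_max from at least
                         min_sources distinct sources, none of which has to be
                         loud on its own (the DDoS case).
    """
    events = list(parse(lines))
    if not events:
        return []
    t0 = min(ts for ts, _, _ in events)
    per_source = defaultdict(int)       # (bucket, src) -> requests
    per_target = defaultdict(int)       # (bucket, dst) -> requests
    sources_seen = defaultdict(set)     # (bucket, dst) -> distinct sources
    for ts, src, dst in events:
        bucket = int((ts - t0).total_seconds() // window)
        per_source[(bucket, src)] += 1
        per_target[(bucket, dst)] += 1
        sources_seen[(bucket, dst)].add(src)

    alerts = []
    for (bucket, src), count in sorted(per_source.items()):
        if count > per_source_max:
            alerts.append({"kind": "single-source flood", "bucket": bucket, "who": src, "count": count})
    for (bucket, dst), count in sorted(per_target.items()):
        if count > per_target_max and len(sources_seen[(bucket, dst)]) >= min_sources:
            alerts.append({"kind": "distributed flood", "bucket": bucket, "who": dst, "count": count})
    return alerts


def make_sample_log():
    """Constructed traffic: normal clients, one loud source, then a distributed wave."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    target = "198.51.100.1"

    def line(ts, src):
        return f"{ts.isoformat(timespec='milliseconds')} {src} -> {target}"

    lines = []
    for i in range(10):                      # 5 clients, one request every 2 s
        for c in range(5):
            lines.append(line(base + timedelta(seconds=2 * i), f"192.0.2.{10 + c}"))
    for i in range(60):                      # one source, 60 requests in 6 s
        lines.append(line(base + timedelta(milliseconds=100 * i), "203.0.113.5"))
    for i in range(50):                      # 50 sources, 2 requests each, seconds 20-29
        for j in range(2):
            lines.append(line(base + timedelta(seconds=20 + (i + j) % 10), f"203.0.113.{100 + i}"))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```

In the first window the target sees 85 requests, above the aggregate limit, but only from six sources, so only the single-source alert fires there; the `min_sources` condition is what separates one misbehaving client from a botnet. In the third window the 100 requests come from 50 sources sending two each, so no per-source rule would ever catch them and only the aggregate rule does.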

Advanced Persistent Threat (APT)

The use of sophisticated malware for targeted cybercrime is known as advanced
persistent threats (APTs). Usually targeted at businesses (especially high-tech
businesses with juicy intellectual property and trade secrets desired by competitors)
and governments that have political adversaries, APTs are created and directed by
hostile governments and organized criminals for financial or political gain.

APTs rely on targeted attacks to achieve success. While malware and phishing attacks
are not new, the APT is a new way to commit these types of attacks. The APT attacks are
generally targeted towards specific organizations, often including high-level executives,
to gain access to proprietary information or trade secrets.

Common APT Schemes

• Spear Phishing: Spear phishing is a method that targets specific individuals or
groups within an organization. It is a potent and malicious tactic which uses emails,
social media, instant messaging, and other platforms to get users to divulge
personal information or perform actions that cause network compromise, data
loss, or financial loss. Spear phishing focuses on specific targets and involves prior
research. A typical spear phishing attack includes an email and attachment. The
email includes information specific to the target, including the target's name and
rank within the company. This social engineering tactic boosts the chances that
the victim will carry out all the actions necessary for infection, including opening
the email and the included attachment.
• Watering Hole Attack: A watering hole attack is a targeted attack designed to
compromise users within a specific industry or group of users by infecting
websites they typically visit and luring them to a malicious site. The end goal is to
infect the user’s computer with malware and gain access to the organization’s
network. Watering hole attacks, also known as strategic website compromise
attacks, are limited in scope as they rely on an element of luck.
• Privilege Escalation: Privilege escalation attacks occur when a threat actor gains
access to an employee's account, bypasses the proper authorization channel, and
successfully grants themselves access to data they are not supposed to have.
• Credential Harvesting: Credential harvesting, also known as password
harvesting or username harvesting, is a form of cyberattack that involves the theft
of personal or financial data such as usernames and passwords, typically carried
out through phishing, malicious websites, email scams, or malware but not
always. Any social engineering techniques, digital scamming, and malware may be
used to steal login credentials.
• Data Exfiltration: Data exfiltration, also known as data extrusion or data
exportation, is data theft. It is the intentional, unauthorized, covert transfer of
data from a computer or other device. Data exfiltration may be conducted
manually, or automated using malware.

Detection of APT

− Abnormal Activities: An infected system will have abnormal user account
activities like multiple logins, frequent password changes, and random posts or
emails. This is because the threat will try to reach out to the crucial database and
will try everything possible.
− Trojans in Abundance: It is common to find infected components in a system
when an APT is trying to make its way in. If one finds one’s systems to be using Trojan
horses (or remote access Trojans) excessively, it can be assumed that an APT is
there.
− Database Defects: The prime aim of a threat is to access the database. If an APT
is present in the system, there will be sudden changes in the data access activities.
For instance, more failed attempts to access databases, attempts to access a large
quantity of data that was not accessed before, or changes to sensitive data.
− Suspicious Data: The data files that a system stores should always be properly
monitored. If one finds anything unusual in one’s system that one cannot
remember downloading or creating, it can be considered a sign of an APT attack.
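The four indicators above can be turned into a simple scoring pass over account and database logs. This is an added example, not part of the course notes; the log format, the user names and the thresholds are constructed for illustration and would be tuned to a real environment.

```python
from collections import defaultdict

# Constructed sample log, one event per line: <user> <event> [outcome] [rows=N]
SAMPLE_LOG = """\
alice login ok
alice db_access ok rows=120
bob login ok
bob login ok
bob login ok
bob password_change
bob password_change
bob db_access denied
bob db_access denied
carol login ok
carol db_access ok rows=300000
"""

# Thresholds are assumptions for this example; tune them per environment.
THRESHOLDS = {"logins": 2, "password_changes": 1, "db_denied": 1, "bulk_rows": 100_000}

def summarize(log_text):
    """Count, per user, the indicators the APT-detection checklist names."""
    stats = defaultdict(lambda: dict.fromkeys(THRESHOLDS, 0))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        user, event, rest = parts[0], parts[1], parts[2:]
        s = stats[user]
        if event == "login":
            s["logins"] += 1                      # multiple logins
        elif event == "password_change":
            s["password_changes"] += 1            # frequent password changes
        elif event == "db_access":
            if "denied" in rest:
                s["db_denied"] += 1               # failed database access
            for tok in rest:
                if tok.startswith("rows="):       # unusually large data reads
                    s["bulk_rows"] = max(s["bulk_rows"], int(tok[5:]))
    return dict(stats)

def flag_users(log_text, thresholds=THRESHOLDS):
    """Return {user: [indicator, ...]} for users exceeding any threshold."""
    flagged = {}
    for user, s in summarize(log_text).items():
        hits = sorted(k for k, limit in thresholds.items() if s[k] > limit)
        if hits:
            flagged[user] = hits
    return flagged
```

Running `flag_users(SAMPLE_LOG)` reports bob for logins, password changes and denied database access, and carol for a bulk read; alice is not flagged.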

Manual Attacks

While automated attacks may satisfy virus writers, typical attackers want to test their
own mental wits and toolkits against a foreign computer, changing their attack plan as
the host exposes its weaknesses. They love the challenge manual hacking gives. An
example of such an attack is ARP poisoning.

Risk Analysis

A risk analysis needs to be a part of every security effort. It should analyze and categorize
the assets that need to be protected and the risks that need to be avoided, and it should
facilitate the identification and prioritization of protective elements. It can also provide
a means to measure the effectiveness of the overall security architecture, by tracking
those risks and their associated mitigation over time to observe trends.

− Qualitative risk analysis is the process of rating or scoring risk based on a
person’s perception of the severity and likelihood of its consequences. The goal of
qualitative risk analysis is to come up with a short list of risks which need to be
prioritized above others. Qualitative risk analysis is best described as a project
manager’s first line of defense against risks. It helps weed out potential detractors
to the project’s success, including risks that are unlikely to cause any severe harm
to the project. By targeting the most dangerous risks first, risk analysis in project
management becomes more efficient and project managers are able to allocate
their time and resources more effectively.
− Quantitative risk analysis is the process of calculating risk based on data
gathered. The goal of quantitative risk analysis is to further specify how much the
impact of the risk will cost the business. This is achieved by using what’s already
known to predict or estimate an outcome. For data to be suitable for quantitative
risk analysis, it has to have been studied for a long period of time or to have been
observed in multiple situations. For example, in the past five projects, equipment
type A has broken down after 7 hours of use. With this information, it can be
assumed that if a project requires workers to use equipment type A for 8 hours,
then it has a 100% chance of breaking down.
− The key difference between qualitative and quantitative risk analysis is the basis
for evaluating risks. As mentioned earlier, qualitative risk analysis is based on a
person’s perception or judgment while quantitative risk analysis is based on
verified and specific data.
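The two approaches side by side, as an added example that is not part of the course notes: a qualitative shortlist built from perceived likelihood and impact, and a quantitative estimate built from observed data using the equipment example above. The 1 to 5 scales, the risk register entries and the per-failure cost are constructed assumptions.

```python
# Ordinal scales (assumption for this example) used by the qualitative method
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

def qualitative_shortlist(risks, min_score=12):
    """Rank risks by perceived likelihood x impact and keep those scoring
    at least min_score. `risks` maps name -> (likelihood label, impact label)."""
    scored = [(name, LIKELIHOOD[l] * IMPACT[i]) for name, (l, i) in risks.items()]
    scored.sort(key=lambda t: (-t[1], t[0]))  # highest score first, then name
    return [(n, s) for n, s in scored if s >= min_score]

def breakdown_probability(observed_hours, planned_hours):
    """Quantitative estimate: fraction of past observations in which the
    equipment broke down at or before the planned hours of use."""
    if not observed_hours:
        raise ValueError("quantitative analysis needs observed data")
    failed = sum(1 for h in observed_hours if h <= planned_hours)
    return failed / len(observed_hours)

def expected_loss(observed_hours, planned_hours, loss_per_failure):
    """Expected cost to the business = failure probability x cost of one failure."""
    return breakdown_probability(observed_hours, planned_hours) * loss_per_failure

# Constructed risk register for the qualitative pass
RISKS = {
    "phishing of executives": ("likely", "major"),
    "equipment A breakdown": ("almost certain", "moderate"),
    "office flood": ("rare", "severe"),
    "printer jam": ("likely", "negligible"),
}
# The notes' example: in five past projects equipment type A failed after 7 hours
EQUIPMENT_A_HOURS = [7, 7, 7, 7, 7]

if __name__ == "__main__":
    print(qualitative_shortlist(RISKS))
    print(breakdown_probability(EQUIPMENT_A_HOURS, planned_hours=8))
    print(expected_loss(EQUIPMENT_A_HOURS, 8, loss_per_failure=2000))
```

With the observations above, an 8 hour plan gives a breakdown probability of 1.0, while a 6 hour plan gives 0.0, which is the data-driven counterpart of the "100% chance" in the text.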
