Module 1 - Information Security Threats and Vulnerabilities
operational and functional activities of an organization. A threat can be any type of entity or action
performed on physical or intangible assets that can disrupt security. The existence of threats may be
accidental, intentional, or due to the impact of another action.
The criticality of a threat depends on how much damage it can cause, how hard it is to control, and how hard it is to
detect or anticipate before an incident occurs. Threats to data assets cause a loss of confidentiality, integrity, or
availability (CIA) of the data and can result in data loss, identity theft, cyber sabotage, and information
disclosure.
• Natural Threats; Natural factors such as fires, floods, power failures, lightning, meteor strikes, and
earthquakes are potential threats to the assets of an organization.
• Unintentional Threats; Threats that arise from human error within the organization, such as
misconfiguration or the accidental deletion or disclosure of data.
• Intentional Threats:
▪ Internal Threats; These threats come from insiders within the organization, such as
disgruntled or negligent employees, who harm the organization intentionally or
unintentionally. Causes of insider attacks include revenge, disrespect, frustration, or a lack
of security awareness. Insider attacks are more dangerous than external attacks because
insiders already hold legitimate access and are familiar with the network architecture,
security policies, and regulations of the organization.
▪ External Threats; External attacks are performed by exploiting vulnerabilities that already
exist in a network, without the assistance of insider employees. Therefore, the potential to
perform an external attack depends on the severity of the identified network weaknesses.
Attackers may perform such attacks for financial gain, to damage the reputation of the
target organization, or simply for the sake of curiosity. External attackers can be individuals
with expertise in attack techniques or a group of people who work together with a shared
motive. External threats are further classified into two types.
• Structured external threats; implemented by technically skilled attackers, using
various tools to gain access into a network, with the aim of disrupting services. The
motivation behind such attacks includes criminal bribes, racism, politics, terrorism,
etc. Examples include distributed ICMP floods, spoofing, and simultaneously
executing attacks from multiple sources.
• Unstructured external threats; Unstructured external threats are implemented by
unskilled attackers, typically script kiddies who may be aspiring hackers, to access
networks. Most of these attacks are performed primarily out of curiosity, rather
than with criminal intent. For example, untrained attackers use freely available
online tools to attempt a network attack or to crash a website or other public
resources on the Internet. Because such attackers rely on noisy, well-known techniques,
unstructured threats are comparatively easy to detect and block with security controls
that spot port scans and address sweeps, such as an IDS/IPS and properly configured
firewalls.
Threat Actors/Agents:
• Black Hats; Individuals with extraordinary computing skills; they resort to malicious or destructive activities
and are also known as crackers
• White Hats; Individuals who use their professed hacking skills for defensive purposes and are also known as
security analysts
• Gray Hats; Individuals who work both offensively and defensively at various times
• Suicide Hackers; Individuals who aim to bring down the critical infrastructure for a "cause" and are not
worried about facing jail terms or any other kind of punishment
• Script Kiddies; Unskilled hackers who compromise systems by running scripts, tools, and software that were
developed by real hackers
• Cyber Terrorists; Individuals with a wide range of skills who are motivated by religious or political beliefs to
create fear through the large-scale disruption of computer networks
• State-Sponsored Hackers; Individuals employed by the government to penetrate and gain top-secret
information from, and damage the information systems of other governments
• Hacktivists; Individuals who promote a political agenda by hacking, especially by using hacking to deface or
disable websites
• Hacker Teams; A consortium of skilled hackers with their own resources and funding, who work together to
research state-of-the-art technologies
• Industrial Spies; Individuals who perform corporate espionage by illegally spying on competitor organizations
and focus on stealing information such as blueprints and formulas
• Insiders: An insider is any employee (trusted person) who has access to critical assets of an organization. An
insider threat involves the use of privileged access to violate rules or intentionally cause harm to the
organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable
resources, and access sensitive information. Generally, insider threats arise from disgruntled employees,
terminated employees, and undertrained staff members.
• Criminal Syndicates: Criminal syndicates are groups of individuals or communities involved in organized,
planned, and prolonged criminal activities. They exploit victims across different jurisdictions on the
Internet, which makes them difficult to locate and prosecute. The main aim of these threat actors is to steal
money through sophisticated cyber-attacks and to launder the proceeds.
• Organized Hackers: Organized hackers are a group of hackers working together in criminal activities. Such
groups are well organized in a hierarchical structure consisting of leaders and workers. The group can also
have multiple layers of management. These hackers are miscreants or hardened criminals who do not use
their own devices; rather, they use rented devices or botnets and crimeware services to perform various
cyber-attacks to pilfer money from victims and sell their information to the highest bidder.
Attributes of Threat Actors
The complexity of evolving cyber security threats has alerted organizations to the importance of identifying and
analyzing the behavior of threat actors. The attributes of threat actors, such as their location, intent/motivation,
and level of sophistication, allow security professionals to analyze their behavior.
• Internal: Internal actors are trusted insiders who have permission and authorized access to the
organization’s network, systems, and physical resources.
• External: External actors are outsiders who do not have authorized access to the organization’s network and
systems including physical resources.
• Level of sophistication: The sophistication level is a crucial factor determining the risk of a threat actor.
Highly sophisticated threat actors are more successful in attacks than less sophisticated threat actors.
• Resources/funding: This attribute determines the way a threat actor supports an attack financially or with
the required software and equipment. Criminal groups and nation-state actors have relatively large budgets
and can perform persistent attacks for longer time periods.
• Intent/motivation: This is a key attribute for the success of an attack. Highly motivated actors are more likely
to launch an attack than less motivated actors, who may prepare for an attack but never launch it. The intent
of an attack can be connected to political or personal goals of the attacker.
Threat Vectors
A threat vector is a medium through which an attacker gains access to a system by exploiting identified
vulnerabilities. It is the path that attackers take to enter an organization’s network. Discussed below are some of the
important threat vectors used by malicious actors:
• Direct access: Through direct access, the attacker gains physical access to the target system and performs
malicious activities, which include modifications to the operating system and the installation of various types
of programs such as keyloggers and software worms. Attackers can also download large amounts of data
into backup media or portable devices.
• Removable media: Devices such as USB drives, phones, and printers can become a threat vector when
plugged into an organization’s system or network. These devices might contain malware that run
automatically on the host system to steal or corrupt critical files. Detecting and preventing data leakage
through removable media can be difficult.
• Wireless: A corporate device implementing an unsecured wireless hotspot can be compromised along with
the internal network. Attackers may use tools to crack the authentication credentials of a corporate wireless
network or spoof a trusted access point to gain access to the target network.
• Email: Attackers use email as a vector to perform various phishing attacks with malicious attachments to
compromise the target.
• Cloud: Attackers inject malware into cloud resources to gain access to user information. They can add a
service implementation module to SaaS, PaaS, or a virtual machine instance to deceive a cloud system. The
user’s requests will then be redirected to the attacker’s module or instance, which initiates the execution of
malicious code. Alternatively, attackers find user accounts with weak credentials and exploit them to gain
access to the target cloud services/data.
• Ransomware/malware: Attackers can take advantage of unpatched vulnerabilities in the target system to
deploy ransomware. Furthermore, various types of malware including Trojans, adware, and file-less malware
can be employed by attackers to infiltrate the target organization.
• Supply chain: Using this threat vector, the attacker attempts to compromise the target by exploiting
vulnerabilities in the resources supplied by a third-party vendor. The attacker takes advantage of these
vulnerabilities to introduce malicious payloads and bypass endpoint security devices/solutions.
• Business partners: Third-party organizations can emerge as a threat vector to an organization. Attackers can
use supply-chain attacks to gain access to the customers’ information. Organizations must introduce
cybersecurity best practices and demonstrate mutual transparency to mitigate this risk.
Malware is malicious software that damages or disables computer systems and gives limited or full control of the
systems to the malware creator for malicious activities such as theft or fraud. Malware can enter a system in many
ways, including the following:
• Instant Messenger Applications; Infection can occur via instant messenger applications such as Facebook
Messenger, WhatsApp Messenger, LinkedIn Messenger, Google Hangouts, or ICQ. Users are at high risk
while receiving files via instant messengers. Regardless of who sends the file or from where it is sent, there is
always a risk of infection by a Trojan. The user can never be 100% sure of who is at the other end of the
connection at any particular moment. For example, if you receive a file through an instant messenger
application from a known person such as Bob, you will try to open and view the file. This could be a trick
whereby an attacker who has hacked Bob's messenger ID and password wants to spread Trojans across
Bob's contacts list to trap more victims.
• Portable Hardware Media/Removable Devices:
o Portable hardware media such as USB drives, DVDs, and external hard drives can also inject malware
into a system.
o Another means of portable media malware infection is through the Autorun function. Autorun (closely
related to, and often conflated with, AutoPlay) is a Windows feature that, if enabled, runs the
program named in an autorun.inf file in the root of the medium when a user inserts a DVD in the
DVD-ROM tray or connects a USB device. Attackers can exploit this feature to run malware alongside,
or disguised as, the genuine program. The following is the content of an Autorun.inf file:
[autorun]
open=setup.exe
icon=setup.exe
Here the open= line names the program to be launched and icon= makes the drive show that program's
icon in Explorer, so the malicious medium looks like an ordinary installer disc. To mitigate such
infection, turn off the Autostart functionality. Follow the instructions below to turn off AutoPlay in
Windows 10:
1. Click Start. Type gpedit.msc in the Start Search box, and then press ENTER.
2. If you are prompted for an administrator password or confirmation, type the password, or click
Allow.
3. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and
then click AutoPlay Policies.
4. In the details pane, double-click Turn off AutoPlay.
5. Click Enabled, and then select All drives in the Turn off AutoPlay box to disable Autorun on all
drives.
The same setting can be verified on any machine by checking that the registry value NoDriveTypeAutoRun
under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer is 0xFF.
• Browser and Email Software Bugs; Outdated web browsers often contain vulnerabilities that can pose a
major risk to the user’s computer. The same scenario occurs while checking e-mail with Outlook Express or
some other software with well-known problems. Again, it may infect the user's system without even
downloading an attachment. To reduce such risks, always use the latest version of the browser and e-mail
software.
• Insecure Patch management; Unpatched software poses a high risk. Users and IT administrators do not
update their application software as often as they should, and many attackers take advantage of this well-
known fact.
• Rogue/Decoy Applications; Attackers can easily lure a victim into downloading free applications/programs.
• Untrusted Sites and Freeware Web Applications/Software; A website could be suspicious if it is located at a
free website provider or one offering programs for illegal activities.
• Downloading Files from the Internet; Trojans enter a system when users download Internet-driven
applications such as music players, files, movies, games, greeting cards, and screensavers from malicious
websites, thinking that they are legitimate.
• Email Attachments; An attachment to an e-mail is the most common medium to transmit malware. The
attachment can be in any form, and the attacker uses innovative ideas to trick the victim into clicking and
downloading the attachment. Some older email clients, such as Outlook Express, had bugs that automatically
executed attached files. To avoid such attacks, use secure email services, investigate the headers of emails
with attachments, confirm the sender's email address, and open the attachment only if the sender is
legitimate.
• Network Propagation; Network security is the first line of defense for protecting information systems from
hacking incidents. However, factors such as the replacement of network firewalls and operator mistakes may
sometimes allow unfiltered Internet traffic into private networks. Malware operators continuously attempt
connections to addresses within the Internet address range owned by targets, seeking an opportunity for
unfettered access. Some malware propagates over the network by itself. For example, the Blaster worm starts
from the local machine's IP address or a completely random address and attempts to infect sequential IP
addresses over the RPC service on TCP port 135.
• File Sharing Services; If NetBIOS (port 139), FTP (port 21), SMB (port 445), etc., are open on a system for file
sharing or remote execution, they can be used by others to access the system. This can allow attackers to
install malware and modify system files.
• Installation by other Malware; Malware that already has a command-and-control channel can reconnect to
the operator's site over common browsing protocols such as HTTP/HTTPS and download and install
additional malware.
• Bluetooth and Wireless Networks; Attackers use open Bluetooth and Wi-Fi networks to attract users to
connect to them. These open networks have software and hardware devices installed at the router level to
capture the network traffic and data packets as well as to find the account details of the users, including
usernames and passwords.
• Black hat Search Engine Optimization (SEO); Ranking malware pages highly in search results
• Social Engineered Click-jacking; Tricking users into clicking on innocent-looking webpage
• Spear-phishing Sites; Mimicking legitimate institutions in an attempt to steal login credentials
• Malvertising; Embedding malware in ad-networks that display across hundreds of legitimate, high-traffic
sites
• Compromised Legitimate Websites; Hosting embedded malware that spreads to unsuspecting visitors
• Drive-by Downloads; Exploiting flaws in browser software to install malware just by visiting a web page
• Spam Emails; Attaching the malware to emails and tricking victims to click the attachment
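The autorun.inf format described under Portable Hardware Media above can be checked automatically. The following is an added example written for this page, not code from the original module: a small Python parser for the [autorun] section and an audit that separates the directives Windows actually acts on (open=, shellexecute=, shell\...\command=) from the cosmetic ones (icon=, label=, action=) that malware uses as a disguise. The sample file contents are constructed for the example; the first is the snippet shown above, the second is a made-up file in the style of USB-spreading malware, not a real sample.

```python
"""Audit autorun.inf files for directives that cause automatic execution."""
import re
from dataclasses import dataclass, field

# Keys that make Windows launch a program (or register a launch command).
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Keys that only change how the drive looks in Explorer and in the AutoPlay
# prompt; malware uses them to disguise its "open" action as a folder view.
DECOY_KEYS = {"icon", "label", "action"}


@dataclass
class AutorunReport:
    executes: dict = field(default_factory=dict)  # key -> program it launches
    decoys: dict = field(default_factory=dict)    # key -> cosmetic value

    @property
    def risky(self) -> bool:
        return bool(self.executes)


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section.

    Keys are lower-cased (Windows treats them case-insensitively), comments
    (';') and blank lines are skipped, and a repeated key keeps the last value.
    """
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text: str) -> AutorunReport:
    """Classify each directive as code-executing or merely cosmetic."""
    report = AutorunReport()
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            report.executes[key] = value
        elif key in DECOY_KEYS:
            report.decoys[key] = value
    return report


# The file shown on the page: launches setup.exe and borrows its icon.
PAGE_SAMPLE = "[autorun]\nopen=setup.exe\nicon=setup.exe\n"

# Constructed sample (not a real file): hides the executable in a
# RECYCLER-style folder and labels the prompt as if it opened a folder.
DISGUISED_SAMPLE = """[AutoRun]
; constructed for this example, not a real sample
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Photos
action=Open folder to view files
shellexecute=RECYCLER\\S-1-5-21-1482476501\\msvcr.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501\\msvcr.exe
"""

if __name__ == "__main__":
    for name, text in (("page sample", PAGE_SAMPLE), ("disguised", DISGUISED_SAMPLE)):
        rep = audit_autorun(text)
        print(f"{name}: risky={rep.risky} executes={rep.executes} decoys={rep.decoys}")
```

Since Microsoft's 2011 update KB971029, Windows honors autorun.inf only on optical media and ignores it on USB mass storage, so the group-policy mitigation above matters most for CD/DVD drives and unpatched legacy systems; the audit is still useful for spotting autorun.inf files that malware drops onto network shares or into archives.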
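Both the address sweeps mentioned under unstructured external threats and the sequential-IP infection pattern of the Blaster worm under Network Propagation leave the same trace: one source contacting consecutive destination addresses on a small set of ports. The following is an added example, not part of the original module, that runs that detection over a few constructed connection-log lines; the log format, the hosts, the set of "worm ports" and the run-length threshold are all assumptions made for the example.

```python
"""Flag hosts that probe consecutive IP addresses on worm-favoured ports."""
import ipaddress
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> <src> -> <dst>:<port> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<flags>\S+)$"
)
# TCP 135 (RPC/DCOM, used by Blaster) and 445 (SMB); extend for other worms.
WORM_PORTS = {135, 445}


def parse_connections(lines):
    """Yield (src, dst, port) for each well-formed line; ignore the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("port"))


def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses.

    Addresses are compared as integers, so 10.0.1.255 -> 10.0.2.0 counts as
    consecutive; comparing the dotted strings would miss that boundary.
    """
    nums = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    if not nums:
        return 0
    best = run = 1
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_sweeps(lines, min_run=4):
    """Return {src: run_length} for sources whose targets on WORM_PORTS
    include at least `min_run` consecutive addresses."""
    targets = defaultdict(set)
    for src, dst, port in parse_connections(lines):
        if port in WORM_PORTS:
            targets[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        run = longest_run(dsts)
        if run >= min_run:
            hits[src] = run
    return hits


# Constructed sample: 10.0.0.5 walks 10.0.1.1-10.0.1.6 on 135 like a worm;
# 10.0.0.9 is a user reaching two file servers and a web server.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 -> 10.0.1.1:135 SYN
2024-03-01T10:00:01 10.0.0.5 -> 10.0.1.2:135 SYN
2024-03-01T10:00:01 10.0.0.5 -> 10.0.1.3:135 SYN
2024-03-01T10:00:02 10.0.0.5 -> 10.0.1.4:135 SYN
2024-03-01T10:00:02 10.0.0.5 -> 10.0.1.5:135 SYN
2024-03-01T10:00:02 10.0.0.5 -> 10.0.1.6:135 SYN
2024-03-01T10:00:03 10.0.0.9 -> 10.0.1.20:445 SYN
2024-03-01T10:00:04 10.0.0.9 -> 10.0.2.77:445 SYN
2024-03-01T10:00:05 10.0.0.9 -> 10.0.1.21:80 SYN
garbage line that the parser should skip
""".splitlines()

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))  # {'10.0.0.5': 6}
```

The threshold is deliberately a run length rather than a raw connection count: a backup server legitimately talks to many hosts on 445, but it does not walk the address space in order, which is the behaviour a scanner or worm cannot easily avoid.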
Components of Malware
• Crypter; Software that protects malware from undergoing reverse engineering or analysis
• Downloader; A type of Trojan that downloads other malware from the Internet on to the PC
• Dropper; A type of Trojan that covertly installs other malware files on to the system
• Exploit; A malicious code that breaches the system security via software vulnerabilities to access information
or install malware
• Injector; A program that injects its code into other vulnerable running processes and changes how they
execute to hide or prevent its removal
• Obfuscator; A program that conceals its code and intended purpose via various techniques, and thus, makes
it hard for security mechanisms to detect or remove it
• Packer; A program that compresses or encrypts an executable (sometimes bundling several files into one) so
that its real contents stay hidden from signature-based security software until it unpacks itself in memory
• Payload; A piece of software that allows control over a computer system after it has been exploited
• Malicious Code; The component that implements the malware's basic functionality, such as stealing data or
creating backdoors.
A vulnerability refers to the existence of weakness in an asset that can be exploited by threat agents. Common
Reasons for the Existence of Vulnerabilities:
Risk
Risk refers to the potential loss or damage that can occur when a threat to an asset exists in the presence of a
vulnerability that can be exploited to compromise the asset. A risk can therefore be thought of as the intersection of
an asset, a threat, and a vulnerability, which the module summarizes as Risk = Asset + Threat + Vulnerability.
Examples of risks:
Disruption of Business - Attacks on the network infrastructure of a business can potentially disrupt the entire
functioning of the business. Security breaches can lead to a loss of critical business and user information.
Loss of Productivity - An exploited business network may incur significant production losses. The data lost due to an
attack must be recovered either through data backups, if available, or restored manually by individuals. Therefore,
the recovery of data after a network attack can be a time-consuming process.
Loss of Privacy - The leakage of confidential data can cause considerable losses for the organization and can also lead
to legal challenges.
Theft of Information - A successful intrusion into a network can enable attackers to raid the information available in
the system.
Legal Liability - Electronic and data security laws differ between countries. A breached organization may be held
liable to customers and regulators for the data it failed to protect, and it can also file a lawsuit against the
attackers if it holds appropriate evidence of the incident.
Damage to reputation and consumer confidence - Once the security of an organization’s resources has been
breached by an attack, it is difficult to regain customer confidence.
Vulnerability Classification
Vulnerabilities present in a system or network are classified into the following categories:
• Misconfigurations/weak configurations:
• Default installations/default configurations:
• Application flaws
• Design flaws; Design vulnerabilities are not tied to a particular product; they can affect any device or system.
Examples are the incorrect use of encryption or the poor validation of input data: logical flaws in the
functionality of the system that attackers exploit to bypass detection mechanisms and gain access to an
otherwise secure system.
• Operating system flaws; Vulnerabilities in the operating system let malware such as Trojans, worms, and
viruses take hold. These attacks use malicious code, scripts, or unwanted software and result in the loss of
sensitive information and of control over computer operations. Timely patching of the OS, installing a
minimal set of applications, and using host-based firewall capabilities are essential steps that an
administrator must take to protect the OS from attacks.
• Default passwords
• Zero-day vulnerabilities; Zero-day vulnerabilities are flaws in software or hardware that are being exploited, or
publicly exposed, before the vendor has released a patch; the vendor has had "zero days" to fix them.
Attackers exploit these vulnerabilities before they are acknowledged and patched by the software developers or
security analysts, so they are among the major cyber-threats and continue to expose vulnerable systems until a
patch is available and applied.
• Legacy platform vulnerabilities
• Third-party risks; Third-party services or products can have access to privileged systems and applications,
through which financial information, customer and employee data, and processes in the enterprise’s supply
chain can be compromised:
o Vendor management; It is the activity of selecting suppliers and assessing the risks of third-party
services and products. It includes all the essential programs and processes required for an
organization to handle and manage operations and communications with its third-party vendors.
o Supply-chain risks: The majority of network devices and systems in an organization are often
purchased from a third party. The use of such equipment in each segment along the supply chain can
potentially pose security risks due to improper maintenance or configuration.
o Outsourced code development: In some cases, enterprises do not have all the resources required for
developing products inside their environment. In such cases, organizations hire contract-based third
parties to develop products or software.
o Data storage: With the emergence of cloud technology, organizations are storing large amounts of
data in third-party storage spaces, where vendors may also have access to organizations’ data.
Therefore, the data should be frequently inspected for security concerns to protect sensitive
information related to customers, employees, or users.
o Cloud-based vs. on-premises risks: As organizations are migrating their business infrastructure to
cloud environments, storage and data exposure issues often arise in third-party storage locations.