Threats, Attacks and Assets

Uploaded by

Aatika

Threats, Attacks and Assets
Identification, comparison and application
Threats
• Phishing Attacks: Hackers steal sensitive information through fake websites or emails.
• Ransomware Attacks: Hackers encrypt data and demand ransom.
• SQL Injection Attacks: Hackers access databases by injecting malicious code.
• Cross-Site Scripting (XSS) Attacks: Hackers inject malicious scripts into websites to steal user data.
• Denial of Service (DoS) Attacks: Hackers overload websites or servers with traffic, making them unusable.
Threats
• Man-in-the-Middle (MitM) Attacks: Hackers intercept communication to steal sensitive information.
• Malware Attacks: Hackers control systems using malware.
• Social Engineering Attacks: Hackers exploit human psychology to steal sensitive information.
• Insider Threats: Authorized users compromise data.
• Advanced Persistent Threats (APTs): Sophisticated attacks designed for long-term access.
Examples
Phishing Attacks:
• Email from a fake bank asking for login credentials.
• Fake online form asking for sensitive information.
Ransomware Attacks:
• WannaCry ransomware attack (2017) affected 200,000 computers worldwide.
• NotPetya ransomware attack (2017) targeted Ukrainian companies.
Examples
SQL Injection Attacks:
• Hackers accessed 380,000 credit card numbers from Target's database (2013).
• Hackers stole 40 million credit card numbers from TJX Companies (2006).
Cross-Site Scripting (XSS) Attacks:
• MySpace worm (2005) spread malware to 1 million users.
• Facebook XSS vulnerability allowed hackers to steal user data (2013).
Examples
Denial of Service (DoS) Attacks:
• Distributed Denial-of-Service (DDoS) attack on DNS provider Dyn (2016).
• DDoS attack on GitHub (2018) lasted for 20 minutes.
Man-in-the-Middle (MitM) Attacks:
• Hackers intercepted HTTPS traffic using fake certificates (2017).
• Wi-Fi eavesdropping attack at public hotspots.
Examples
Malware Attacks:
• Stuxnet malware attacked Iranian nuclear facilities (2010).
• Conficker malware infected 12 million computers worldwide (2008).
Social Engineering Attacks:
• CEO email scams targeted companies worldwide (2016).
• Phone scams tricked people into revealing sensitive information.
Examples
Insider Threats:
• Edward Snowden leaked classified NSA documents (2013).
• Chelsea Manning leaked classified documents to WikiLeaks (2010).
Advanced Persistent Threats (APTs):
• APT28 (Fancy Bear) targeted government agencies and organizations.
• APT10 (MenuPass) targeted companies in aerospace and defense.
Common software development issues
Authentication and Authorization Weaknesses
• Authentication and authorization mechanisms are not properly implemented, allowing unauthorized access to sensitive data.
• Examples: Weak passwords, lack of two-factor authentication, insecure session management.
• Consequences: Unauthorized access, data breaches, identity theft.
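The credential-handling side of the "weak passwords / insecure session management" item above, as an added example that is not part of the slides: a minimal password acceptance check, salted PBKDF2 storage with constant-time verification, and a session token drawn from the OS CSPRNG. The iteration count, minimum length and deny list are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides. The work factor, minimum length and the
# tiny deny list below are assumptions; a real deny list would be a large
# breached-password set.
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "password123", "qwerty123456", "letmein"}


def password_is_acceptable(password: str) -> bool:
    """Reject short or well-known passwords before they are ever hashed."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown or legacy record: fail closed rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not stop at the first mismatching byte, so response
    # time does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_session_token() -> str:
    """Session identifier from the OS CSPRNG: 32 random bytes, never sequential."""
    return secrets.token_urlsafe(32)
```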
Input Validation and Sanitization Weaknesses
• Input data is not properly validated and sanitized, allowing attackers to inject malicious code.
• Examples: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF).
• Consequences: Data corruption, code injection, unauthorized access.
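The SQL injection item above, as an added example that is not part of the slides: a user lookup that splices input into the SQL text beside the parameterised form that fixes it, with a check showing the unsafe builder fails even on ordinary input. The users table and its rows are constructed for the demonstration.

```python
import sqlite3

# Added example, not from the slides. Table contents are constructed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: untrusted text becomes part of the SQL, so a quote in the
    input ends the literal and whatever follows is parsed as SQL."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter. The statement's structure is
    fixed before the input is seen, so the input can only be compared as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_lookup_survives(conn: sqlite3.Connection, name: str) -> bool:
    """Review aid: string-built SQL breaks on a plain surname with an apostrophe,
    which is usually the first visible symptom of the injection weakness."""
    try:
        find_user_unsafe(conn, name)
        return True
    except sqlite3.OperationalError:
        return False
```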
Data Encryption Weaknesses
• Sensitive data is not properly encrypted, allowing unauthorized access.
• Examples: Weak encryption algorithms, insecure key management.
• Consequences: Data breaches, unauthorized access, identity theft.
Secure Communication Protocols Weaknesses
• Secure communication protocols are not properly implemented, allowing unauthorized access.
• Examples: HTTPS not used, SSL/TLS vulnerabilities.
• Consequences: Data breaches, unauthorized access, man-in-the-middle attacks.
Error Handling and Logging Weaknesses
• Error handling and logging mechanisms are not properly implemented, allowing attackers to exploit vulnerabilities.
• Examples: Insecure error handling, lack of logging.
• Consequences: Data breaches, unauthorized access, system crashes.
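The "insecure error handling, lack of logging" item above, as an added example that is not part of the slides: a request wrapper that records the full failure (type, message, stack) server-side under a reference id and returns only a generic message plus that id to the caller. The in-memory log list and the handle_request() shape are assumptions for this illustration.

```python
import logging
import secrets
import traceback

# Added example, not from the slides. The list-backed handler stands in for a
# real log sink so the behaviour can be checked offline.
_entries: list = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        _entries.append(self.format(record))


log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.addHandler(_ListHandler())
log.propagate = False  # keep the sample out of the root logger


def handle_request(action) -> tuple:
    """Run `action`; on failure log everything and return an opaque reference."""
    try:
        return 200, {"result": action()}
    except Exception as exc:
        ref = secrets.token_hex(8)  # correlation id the user can quote to support
        # Exception type, message and stack trace go to the log, where incident
        # responders need them; none of it is sent back to the client.
        log.error("request failed ref=%s type=%s msg=%s\n%s",
                  ref, type(exc).__name__, exc, traceback.format_exc())
        return 500, {"error": "internal error", "ref": ref}


def last_log_entry() -> str:
    return _entries[-1] if _entries else ""
```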
Vulnerable Dependencies and Libraries
• Third-party dependencies and libraries are not properly updated or secured.
• Examples: Outdated libraries, vulnerable frameworks.
• Consequences: Data breaches, unauthorized access, system crashes.
Insufficient Testing and Quality Assurance
• Insufficient testing and quality assurance lead to security vulnerabilities.
• Examples: Lack of security testing, inadequate code review.
• Consequences: Data breaches, unauthorized access, system crashes.
Poor Code Review and Code Quality
• Poor code review and code quality lead to security vulnerabilities.
• Examples: Insecure coding practices, lack of code review.
• Consequences: Data breaches, unauthorized access, system crashes.
Insecure Configuration and Deployment
• Insecure configuration and deployment practices lead to security vulnerabilities.
• Examples: Insecure server configuration, lack of security hardening.
• Consequences: Data breaches, unauthorized access, system crashes.
Lack of Security Awareness and Training
• Developers lack security awareness and training, leading to security vulnerabilities.
• Examples: Lack of security knowledge, inadequate training.
• Consequences: Data breaches, unauthorized access, system crashes.
How to develop secure software?
SSDLC
• The Software Development Lifecycle (SDLC) is a structured process which enables high-quality software development, at a low cost, in the shortest possible time.
• Secure SDLC (SSDLC) integrates security into the process, resulting in the security requirements being gathered alongside functional requirements, risk analysis being undertaken during the design phase, and security testing happening in parallel with development.
How does Secure SDLC Work?
• Planning: This stage in the Secure SDLC means collating security inputs from stakeholders alongside the usual functional and non-functional requirements, ensuring security definitions are detailed and embedded from the outset.
• Development: Product development is enhanced by Secure SDLC with security best practices leveraged to create code that is secure by design, as well as establishing static code review and testing in parallel with development to ensure this is the case.
• Build: Secure SDLC demands that the processes used to compile software also be monitored, and security assured.
How does Secure SDLC Work?
• Testing: Testing throughout the lifecycle is critical to Secure SDLC, and now includes assurance that all security requirements have been met as defined. Test automation and continuous integration tooling are essential to a functional Secure SDLC.
• Release and Deploy: The release and deploy lifecycle stages are bolstered by Secure SDLC, with additional monitoring and scanning tooling deployed to ensure software product integrity is maintained between environments.
• Operations: This utilizes automated tooling to monitor live systems and services, making staff more available to address any zero-day threats that may emerge.
Legal, Ethical, and Professional Issues in Information Security
Law and Ethics in Information Security
• Laws
  o Rules that prohibit certain behavior
  o Drawn from ethics
• Ethics
  o Define socially acceptable behaviors
• Key difference
  o Laws carry the authority of a governing body
  o Ethics do not carry the authority of a governing body
• Based on cultural mores
  o Fixed moral attitudes or customs
• Some ethics standards are universal
Organizational Liability
• An organization is legally responsible for:
  1. Actions of employees (authorized or unauthorized)
  2. Harm caused by those actions
  3. Restitution (compensation) to affected parties
• Due care:
  1. Liability extends beyond criminal or contract law.
  2. Employers can be held financially liable for employees' actions.
  3. Organizations must exercise "due care":
     - Clearly communicate acceptable/unacceptable behavior.
     - Ensure employees understand consequences of illegal/unethical actions.
Organizational Liability
Due Diligence:
• Taking reasonable care to prevent harm to others
• Requirements:
  1. Make a genuine effort to protect others
  2. Maintain that effort consistently
Jurisdiction:
• Court's authority to hear a case
• Types:
  1. Local (within a country)
  2. International (across countries)
• Concept: "Long Arm Jurisdiction" - courts can hear cases beyond national borders
Need for Counsel
• To mitigate liability, organizations need legal counsel to:
  1. Develop policies and procedures
  2. Provide training and guidance
  3. Monitor compliance
  4. Respond to incidents and lawsuits
Types of Law
• Civil law
  o Deals with disputes between individuals/organizations
  o Examples: contracts, property etc.
  o Goal: Resolve disputes, provide compensation
• Criminal law
  o Addresses violations harmful to society
  o Examples: theft, assault, murder
  o Goal: Punish offenders, protect society
• Tort law (subset of Civil law)
  o Allows individuals to seek damages for:
    • Personal injury
    • Physical harm
    • Financial loss
  o Examples: negligence, defamation, product liability
Source: Management of Information Security, 3rd ed.
Types of Law (contd.)
• Private law
  o Regulates the relationships among individuals and among individuals and organizations
    • Family law, commercial law, and labor law
• Public law
  o Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments
    • Criminal, administrative, and constitutional law
Question
• Is DDoS a civil or criminal offence?
Policy Versus Law
Policy
• Guidelines or rules created by organizations or institutions
• Internal regulations for operations, conduct, or decision-making
• May be flexible or discretionary
• Typically enforced by the organization itself
Examples:
• Company policies (e.g., dress code, social media usage)
• School policies (e.g., attendance, bullying)
• Government agency policies (e.g., employees
Policy Versus Law
Key Differences:
• Policies come from organizations, laws from legislative bodies.
• Policies are enforced internally, laws by external authorities.
• Policies apply within an organization, laws apply broadly.
• Policies can be changed internally, laws require legislative action.
International Laws
Budapest Convention on Cybercrime (2001)
• The Budapest Convention on Cybercrime was the first international treaty specifically addressing cybercrime.
• It provides a framework for countries to harmonize their laws, improve investigative capabilities, and enhance international cooperation.
• The Convention covers various aspects, including illegal access to computer systems, data interference and unethical content.
Convention on Cybercrime (2001)
• The Council of Europe's Convention on Cybercrime aims to harmonize cybercrime laws across Europe.
• It addresses offenses such as hacking, data interference, and unethical content, and encourages countries to adopt laws and policies to fight against cybercrime.
United Nations Convention against Transnational Organized Crime (2000)
• The United Nations Convention against Transnational Organized Crime addresses cybercrime as part of organized crime.
• It encourages countries to adopt laws and policies to combat transnational organized crime, including cybercrime.
International Telecommunication Union (ITU) Cyber security Recommendations (2018)
• The ITU's Cyber security Recommendations provide guidelines for countries to implement effective cyber security measures.
• These recommendations cover topics such as threat assessment, incident response, and cyber security awareness.
European Union's Directive on Security of Network and Information Systems (NIS) (2016)
• The EU's NIS Directive aims to enhance cyber security in the European Union.
• It requires member states to implement measures to prevent and respond to cyber security incidents, and to cooperate on cyber security issues.
Legal bodies
• International Criminal Police Organization (INTERPOL) - Cybercrime Unit.
• United Nations Office on Drugs and Crime (UNODC) - Cybercrime and Anti-Money Laundering.
• Council of Europe's Cybercrime Convention Committee (T-CY).
• European Cybercrime Centre (EC3) - Part of Europol.
• International Telecommunication Union (ITU) – Cyber security Division.
Regional Initiatives:
• Asia-Pacific Economic Cooperation (APEC) – Cyber security and Digital Economy.
• Organization of American States (OAS) – Cyber security Program.
• African Union's Convention on Cyber Security and Personal Data Protection (2014).
• Association of Southeast Asian Nations (ASEAN) – Cyber security Cooperation.
Key Areas
• Cybercrime investigation and prosecution.
• Data protection and privacy.
• Network security and incident response.
• Online child protection.
• Cyber security information sharing.
Challenges
• Jurisdictional issues.
• Lack of international cooperation.
• Evolving nature of cyber threats.
• Balancing security with individual rights.
Ethics in Information Security
• The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework
  o Information security professionals may be expected to be more articulate about the topic than others in the organization
  o Often must withstand a higher degree of scrutiny
10 Commandments of Computer Ethics
From the Computer Ethics Institute
• Thou shalt not:
  o Use a computer to harm other people
  o Interfere with other people's computer work
  o Snoop around in other people's computer files
  o Use a computer to steal
  o Use a computer to bear false witness
  o Copy or use proprietary software (w/o paying)
Ten Commandments
• Thou shalt not:
  o Use other people's computer resources without authorization or proper compensation
  o Appropriate other people's intellectual output
• Thou shalt:
  o Think about the social consequences of the program you are writing or the system you are designing
  o Always use a computer in ways that ensure consideration and respect for fellow humans
Assignment
