Unmasking Business Email Compromise: Understanding, Identification, and Prevention
BEC. One of the most insidious threats in the modern digital landscape, causing billions of dollars losses worldwide.
top of page
The Riskopedia
A glossary of Risks, Threats and other Cyber stuff in between
Common Cyber Security Terms
Terms
Open Source Intelligence
Open source intelligence or more commonly known as OSINT, is the act of gathering intelligence from publicly available sources such as newspapers or simply googling things.
Indicator of compromise
When investigating a security incident, an "indicator of compromise" or IoC in short, is a clue such as an IP or file hash that points to a tool or an attacker. For example, a known bad files hash, or name
Third Party Risk Management
Third Party Risk Management is the practice of managing cyber security risks which come from a company's supply chain, customers, or any other related company. The process is usually comprised of a few stages - Discovery, Classification, Assessment, Remediation and Monitoring.
Misconfiguration
The term "Misconfiguration" in the context of Cyber Security refers to a default or inadequate configuration of a system that could lead to a security breach. For example, leaving read permissions to anyone on a publicly exposed folder or cloud bucket
Security Awareness Program
To reduce different risks that are mainly associated with social engineering attacks, companies preform various activities such as training, drills and others to ensure employees are security minded and vigilant
Vulnerability
In the context of cyber security, a Vulnerability refers to any type of weakness that could be exploited by a malicious person to compromise the confidentiality, integrity or availability of a system
Patch Management
In order to mitigate various vulnerabilities, companies perform regular software upgrades to their systems, this process is usually very time consuming and problematic due to the lack of high availability in most systems and continuity requirements.
Exploit
An Exploit is software written which abuses a systems vulnerability to compromise it. Exploits may give their executor complete control of a system, or have other dangerous effects
Standards and Regulations
Standards
CoBit
first released in 1996, COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA. The framework defines a set of generic processes for the management of IT. Each process is defined together with process inputs/outputs, key process and activities, objectives, performance measures as well as a simple maturity model.
GDPR
Entered into force on the 24th of May 2016, The GDPR's primary aim is to give control to individuals over their personal data. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
NIST Cybersecurity Framework
First released on April 16, 2018, The NIST Cybersecurity Framework provides a policy framework of computer security guidance for organizations to assess and improve their ability to prevent, detect, and respond to cyber attacks.
ISO 27001
Originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission(IEC) in 2005. It details requirements for establishing, implementing, maintaining and continually improving an information security management systems.
HIPPA
Enacted on August 21, 1996, The Health Insurance Portability and Accountability Act of 1996 is a United States federal statute created to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft.
CCPA
Signed into law on June 28, 2018, The California Consumer Privacy Act (CCPA) is a state statute to enhance privacy rights and consumer protection for residents of California, United States. Similarly to GDPR, it gives individual greater control over their personal data, as well as addressing discrimination against for exercising their privacy rights.
Mitre Att&ck
Officially released in May 2015 by The Mitre Corporation (an American not-for-profit organization which manages federally funded research and development centers (FFRDCs) supporting several U.S. government agencies). The framework is a comprehensive matrix of tactics and techniques used to classify attacks and assess an organization's risk.
CSA CCM
Initially released on Decemeber 2009 by the Cloud Security Alliance (a nonprofit organisation formed to promote the use of best practices for security assurance in cloud computing). The Matrix is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
Osint Tools and Data Providers
OSINT
Passive DNS
Passive DNS is the method of collecting information about Domain Name connections from the DNS requests (as opposed to collection information by making requests)
WHOIS
WHOIS are public databases containing contact and registration information about Domain Names.
Search Engines
By using specially crafted search queries, it is possible to find many Cyber Security related artefacts such as exposed credentials and documents
Internet Scanners
There are many entities which are constantly running port scans on the entire internet and publishing this information. some examples are Shodan, Censys and BinaryEdge
P2P Networks
Networks such as Bitcoin, Torrent and others expose a lot of information about the ip addresses that use them. For example, it's possible to find out what files were downloaded by a certain ip, and if they had any known malware.
Client Side Analytics Codes
Many websites uses client side scripts that have a unique key that can be used to identify their accounts and thereby the ownership of a domain.
Blacklists
By reviewing commonly used blacklists it is possible to know if an ip address is being used for spamming by bots running covertly on the network.
SSL Certificate infrastructure
SSL certificates rely on a public infrastructure that exposes many details about the certificate owners and assets. For example one can find cloud assets that have just been issued a certificate by monitoring the "cert stream"
Risks
CloudJacking
CloudJacking is the practice of gaining control of the victim's cloud assets, usually by exploiting exposed credentials and then asking for ransom.
Ransomware
Ransomware is a common risk in which the attacker encrypts files on the victims computers, and then demands ransom in order to decrypt them and re-allow access.
Insider data leaks
The practice of leaking confidential information for the purpose of personal gain via any digital channel such as the web or email etc.
Web application attacks
Certain web application (or APIs) bugs might allow an attacked to gain control and leak data or cause other damages.
Cyber Industrial Espionage
In some cases companies might employ professional hacker to steal intellectual property, cause damage to a competitor etc.
Crypto Mining
The practice of running a cryptocurrency miner on the victim's computer - this could be via a javascript on a malicous web page, inside a corporate network by an employee or on a cloud server after attacked
Fraud
When an attacker abuses the system in order to manipulate a business process for the purpose of financial gain. For example changing ones bank account balance, getting a free coupon in an online shopping cart, etc.
Denial Of Service
Any attack the causes a degradation of services in a certain system. include using a botnet to create a flood of false traffic, or by exploiting a vulnerability the services of a large platform in order to bring down a smaller one (commonly called a reflection attack)
Threat Actors Types
TheatAs
Cyber Terrorists
Government-Sponsored Actors
These actors prime focus is on creating damage to a political adversary, and are many times sponsored by or affiliated with real terrorist groups.
These groups are funded, managed by a nation. they could be part of a larger military or intelligence organisation, or a separate group. Their goals range from financial gains to espionage and terrorism.
Organized Crime/Cybercriminals
These actors are either criminal organisations that are purely cyber based, or sometimes managed and financed by real felons or organised crime organisations.
Hacktivists
Hacktivists preform cyber attacks in order to promote political agendas such as whistle blowing, ecological betterment, etc.
Insiders
When an employee of an organisation abuses the company's systems in order to achieve financial gains, or any other goal.
Script Kiddies
These are individuals with a low level of skill which use ready made downloadable or purchased tool in order to launch attacks.
Vulns
ZeroLogon (CVE-2020-1472)
CloudBleed
Disclosed on the 11th of Aug, 2020, this cryptographic vulnerability in Microsoft's Active Directory allows an attacker to gain complete control of the entire environment.
On February 17, 2017 a security bug was discovered on the very popular cloudflare content delivery service. The security bug caused the contents of customer's web pages to mix with each other. Among other issues, sensitive information from internal user and admin pages were exposed to users and search engines.
Eternal Blue ( CVE-2017-0144)
Eternal Blue is an exploit that was developed by the NSA, and leaked on April 14, 2017 by the hacker group "Shadow Brokers". The exploit targets microsoft systems, and was later used in the large WannaCry and NotPetaya campaigns.
HeartBleed ( CVE-2014-0160)
HeartBleed is a security bug discovered in the OpenSSL cryptography library on the 1st of April 2014, but existed in the software two years before. Among other Impacts, it allowed attacker to access sensitive information on websites protected by SSL/TLS.
SQL Injection
An SQL injection is a type of cyber attack in which an attacker exploits vulnerabilities in a web application to inject malicious code into an SQL query. This can allow the attacker to bypass authentication or authorization measures and access sensitive data. SQL injections can also be used to modify or delete data in a database. Preventing SQL injections typically involves implementing strict input validation and parameterized queries in web applications. Failure to prevent SQL injections can have serious consequences, including data breaches and the compromise of sensitive information
BlueKeep (CVE-2019-0708)
A security vulnerability discovered in Microsoft's Remote Desktop protocol. First reported in May 2019, the vulnerability allows attacker to take complete control of unpatched systems.
These two are essentially variants of the same security bug that effect essentially all computer central processing chips that were manufactured in the past 20 years. These vulnerabilities allow access to sensitive information in the computers memory, previously considered protected.
ShellShock (CVE-2014-6271)
Disclosed on 12 September 2014, shellshock is a privilage escelation vulnerability in the widely popular Bash Shell application (which also runs components of many internet facing applications). It allows an attacker to run commands and gain access.
bottom of page