Cybersecurity Threat Landscape Overview

The document discusses the evolving cybersecurity threat landscape, emphasizing the need for organizations to adapt their cybersecurity programs in response to increasing threats from various actors. It outlines different types of attacks, including social engineering, ransomware, and insider threats, as well as the importance of understanding the attack lifecycle. The Verizon 2025 Data Breach Investigations Report highlights significant trends in data breaches, including a rise in exploitation of vulnerabilities and ransomware incidents.

IT Risk Management

Lecture 2
Introduction to Cybersecurity and Threat Landscape
Topics

1. Threat Landscape

2. Attack Lifecycle

3. Some Attacks and Mitigations

4. Verizon 2025 DBIR

5. In-Class Exercise

6. Coming Up For Next Week


Threat Landscape

Today’s Cyber Threat Landscape


• Technology is continually evolving, so the cybersecurity landscape is constantly evolving with it.
• There are more devices attached to the internet today than there are people in the world. Due to IoT, by 2025 we will have more than 30 billion internet-attached devices.
• Since attackers only need to be right once, while those who protect the organization need to be right all the time, your cybersecurity program needs to be constantly growing and adapting.
• In order to evolve, it is vital to understand who is after you, what motivates them and what they are after.
• Understanding the landscape is a key element in any successful cybersecurity risk management program.

Security Incidents
• Historical Security Incidents
• The Morris Worm (November 1988)
• Citibank and Vladimir Levin (June-October 1994)

• Current Threat Environment


• Advanced Persistent Threats (APTs)
Sample list on page 5 of textbook

• Some notable breaches:


• Sony (2011)
• Target (2013)
• WannaCry (2017)
• Equifax (2017)
• SolarWinds Attack (2020)

Threat Actors by Type
• C.H.E.W. (Criminal, Hacktivist, Espionage, War) – Motivations and Capabilities

CRIMINAL
• Definition: Organized groups of criminals who hide in "cyber sanctuary" countries to launch broad-based attacks against individuals and companies for financial gain.
• Motivation: Money; Information to Sell; Demonstration of Power
• Capability: Large Number of Actors; Basic to Advanced Skills; Present in Nearly All Countries

HACKTIVIST
• Definition: Loosely organized collections of hackers launching targeted campaigns against specific entities or web sites, able to cause embarrassment and financial damage.
• Motivation: Protest; Revenge; Economic Benefit
• Capability: Large Number of Actors; Majority Tend to Have Limited Skills; Few with Advanced Skill Sets and Motivations

ESPIONAGE
• Definition: Largely carried out by nation-states; extremely well-organized and well-funded. They use the stolen intellectual property to enhance their own economies.
• Motivation: Acquiring Secrets; National Security; Political Motivation
• Capability: Small but Growing Number of Countries with Capability; Larger Array of Support

WAR
• Definition: This is when the motivations of a nation-state or a terrorist group turn from intellectual property theft towards damage and destruction.
• Motivation: Destroy, Degrade, Deny
• Capability: Limited Number of Actors; Potential Non-State Actors; Expensive to Maintain
Threat Landscape

[Link]

Different Attacks – Social Engineering
• Manipulating people into performing actions or divulging confidential information, rather than attacking the technology directly.
• Pretexting - Impersonating a trusted party in order to obtain information.
 Phishing – E-mail.
 Smishing – Text message.
 Vishing – Phone.
 Physical – In person.
• Baiting – Leaving an infected USB in a location where it is sure to be found.
(lunch room, conference room, elevator etc.)
• Tailgating/Piggybacking – Walking through a physical access control behind a
person with legitimate access.
• Dumpster Diving – Stealing mail or rummaging through trash.
• Shoulder Surfing – Watching over someone's shoulder (or with a camera) to read screens, keypads, badges or documents.
• Deep Undercover - Infiltration of a company to steal information.
Different Attacks – The Rest
• Ransomware
Malware that typically encrypts data on a system, leaving it unusable until a ransom is paid to the attacker; many groups also steal the data first and threaten to publish it.

• Web Attacks
Target vulnerabilities in websites and web applications to gain unauthorized access, obtain confidential information, introduce malicious content, or alter the website's content.

• Insider Threat
An authorized user who maliciously or unintentionally causes harm.

• Zero-Day Exploit
An attack that uses a vulnerability the vendor does not yet know about or has not yet patched, so defenders have had "zero days" to prepare a fix. Until a patch ships, the only mitigations are compensating controls such as segmentation, least privilege and detection.

• [Distributed] Denial of Service (DDoS or DoS)
A malicious attack that overwhelms a network, server or application with traffic or requests so that legitimate users cannot reach it. In the distributed form the traffic comes from many compromised machines (a botnet) at once.

Threat Landscape

Threat Landscape is Changing

• Industrial Control Systems – convergence of IT/OT
• Used to be air-gapped and isolated; now connected to the internet and to various applications, opening the door to bad actors.

• Smart Grid Technology
• Smart Grid technology and the proliferation of IoT mean more data traveling across more networks to more devices.

• Quantum Computing
• A sufficiently large, fault-tolerant quantum computer running Shor's algorithm could break RSA-2048 and the other public-key schemes the internet depends on in a feasible amount of time. No such machine exists today, but traffic captured now can be stored and decrypted later ("harvest now, decrypt later"). NIST warned in 2016 (NISTIR 8105, Report on Post-Quantum Cryptography) that organizations should start preparing for the transition to quantum-resistant algorithms, and many have yet to begin.
Threat Landscape
Most businesses will be hacked because it is easy:
• Have not fully assessed their cyber risks
• Have not classified their data
• Don't have basic security controls in place
• Many use social media to market their products and services
• No budget or limited spending on security
• Lack of internal security talent
• Use unencrypted devices/unsecure emails for sensitive data
• Depend on third parties for various functions
• Executive management not focused on cyber risk
The Operational Model of Computer Security
It is not just about prevention anymore

Protection = Prevention + (Detection + Response)

• Prevention examples:
• Multi-Factor Authentication (MFA)
• Firewalls
• Encryption
• Detection examples:
• Database Activity Monitoring
• Intrusion Detection Systems
• Vulnerability Scanning
• Response examples:
• Backups
• Incident Response
• Computer Forensics

Cyber Kill Chain

[Link]
Cyber Kill Chain
The eight stages below follow one common variant of the kill chain. Lockheed Martin's original seven-step model (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives) names the middle steps differently, but the idea is the same: every stage an attacker must complete is a place where defenders can detect the attack or break the chain.

• Reconnaissance
• The observation stage: attackers typically assess the situation from the outside in, in order to identify both targets and tactics for the attack.

• Intrusion
• Based on what they discovered during reconnaissance, attackers get into your systems, often by delivering malware (for example through phishing) or exploiting security vulnerabilities.

• Exploitation
• The act of exploiting vulnerabilities and delivering malicious code onto the system in order to get a better foothold.

• Privilege Escalation
• Attackers often need more privileges on a system to get access to more data and permissions; for this they escalate their privileges, often to an administrator account.
Cyber Kill Chain
• Lateral Movement
• Once inside, attackers move laterally to other systems and accounts in order to gain more leverage: higher permissions, more data, or greater access to systems.

• Obfuscation / Anti-forensics
• To pull off the attack without being stopped, attackers cover their tracks. In this stage they often lay false trails, tamper with data, and clear logs to confuse and/or slow down any forensics team.

• Denial of Service
• Disruption of normal access for users and systems, used here as a smokescreen to stop the attack from being monitored, tracked, or blocked.

• Exfiltration
• The extraction stage: getting data out of the compromised environment.
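As an added example (it is not part of the lecture slides), the following Python script tags constructed log lines with the kill-chain stage they most plausibly belong to and then reports the stages in the order they were observed and how far down the chain the intrusion got. The regular-expression rules, host names and log lines are all assumptions made up for this illustration and are not taken from any product or real incident; a real detection pipeline uses far richer signals, but the structure (map each event to a stage, then order the stages) is what an analyst does when reconstructing an attack.

```python
"""Map log events to kill-chain stages.

Added example for this lecture; the rules, hosts and log lines below are
constructed for illustration and are not taken from any real product or incident.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stage names follow the eight-stage variant used in the lecture.
STAGES = [
    "Reconnaissance", "Intrusion", "Exploitation", "Privilege Escalation",
    "Lateral Movement", "Obfuscation / Anti-forensics", "Denial of Service",
    "Exfiltration",
]

# (stage, pattern) rules, checked in order; the first match wins.  The patterns
# are simplified assumptions about what such events look like in firewall,
# mail, EDR, domain-controller and proxy logs.
RULES: List[Tuple[str, re.Pattern]] = [
    ("Reconnaissance", re.compile(r"portscan|nmap|ports? scanned", re.I)),
    ("Intrusion", re.compile(r"phish|attachment .* executed|macro enabled", re.I)),
    ("Exploitation", re.compile(r"exploit|shellcode|heap spray", re.I)),
    ("Privilege Escalation", re.compile(
        r"sudo: .*COMMAND=|added to group (admin|sudo|domain admins)", re.I)),
    ("Lateral Movement", re.compile(r"logon type 3|psexec|admin\$ share", re.I)),
    ("Obfuscation / Anti-forensics", re.compile(
        r"log cleared|wevtutil cl|history -c|auditd stopped", re.I)),
    ("Denial of Service", re.compile(r"syn flood|rate limit exceeded", re.I)),
    ("Exfiltration", re.compile(r"outbound .*\b\d{3,} ?MB\b|upload to", re.I)),
]


@dataclass
class Tagged:
    timestamp: str          # ISO-8601 string; sorts lexically in this format
    stage: Optional[str]    # None when no rule matched (benign or unknown)
    line: str


def tag_line(message: str) -> Optional[str]:
    """Return the first kill-chain stage whose rule matches the message."""
    for stage, pattern in RULES:
        if pattern.search(message):
            return stage
    return None


def tag_lines(lines: List[str]) -> List[Tagged]:
    """Split '<timestamp> <message>' lines and tag each message."""
    tagged = []
    for raw in lines:
        timestamp, _, message = raw.partition(" ")
        tagged.append(Tagged(timestamp, tag_line(message), raw))
    return tagged


def stage_sequence(tagged: List[Tagged]) -> List[str]:
    """Distinct stages in the order they were first observed (by timestamp)."""
    seen: List[str] = []
    for event in sorted(tagged, key=lambda t: t.timestamp):
        if event.stage and event.stage not in seen:
            seen.append(event.stage)
    return seen


def kill_chain_progress(tagged: List[Tagged]) -> int:
    """Index into STAGES of the deepest stage reached, or -1 if none matched."""
    return max((STAGES.index(t.stage) for t in tagged if t.stage), default=-1)


# Constructed sample events, deliberately out of order to show the sorting.
SAMPLE_LOGS = [
    "2025-03-01T09:40:13Z dc01 account jdoe added to group Domain Admins by jdoe",
    "2025-03-01T08:02:11Z fw01 portscan from 203.0.113.7 to 198.51.100.0/24 (120 ports)",
    "2025-03-01T09:15:40Z mail01 user jdoe opened attachment invoice.docm, macro enabled",
    "2025-03-01T08:30:00Z web01 GET /index.html 200 (benign)",
    "2025-03-01T09:16:02Z edr01 host ws-17 exploit payload executed by winword.exe",
    "2025-03-01T10:05:27Z dc01 logon type 3 from ws-17 to fs-02 as jdoe",
    "2025-03-01T10:20:44Z fs-02 security log cleared (event 1102) by jdoe",
    "2025-03-01T11:02:09Z proxy01 outbound 850 MB to 203.0.113.7 from fs-02",
]

if __name__ == "__main__":
    events = tag_lines(SAMPLE_LOGS)
    for event in sorted(events, key=lambda t: t.timestamp):
        print(f"{event.timestamp}  {event.stage or '-':28}  {event.line.split(' ', 1)[1]}")
    print("Stages observed:", " -> ".join(stage_sequence(events)))
    print("Deepest stage reached:", STAGES[kill_chain_progress(events)])
```

The point of `kill_chain_progress` is the defender's view of the model: an alert for the reconnaissance stage alone is noise, but the same day's events reaching privilege escalation and log clearing mean the attack is well past the point where prevention could have worked and response has to start.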
Some Attacks and Mitigation
Some Computer and Network Attacks

Malicious Software
Malware is any software written to harm or misuse a system. A computer virus is one type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into them.
Some Mitigations
Minimizing the Risk of Virus Infection
• Never open attachments from unknown sources, or unexpected ones from known sources.
• Never click on links from unknown sources, or unexpected ones from known sources.
• Make sure you have an antivirus program installed and running, and make sure it is updated regularly.
• Make sure your computer is patched regularly.
• Make sure your IT department has appropriate security controls in place.
Some Mitigations

Avoiding Social Engineering and Phishing Attacks

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.

• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
Source: US-CERT
Computer and Network Attacks

Avoiding Social Engineering and Phishing Attacks


• Don't send sensitive information over the Internet before checking a website's security (a valid HTTPS certificate for the site you intended to reach). Remember that email attachments are not protected unless you encrypt them.
• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly, using a phone number or address you already have rather than one from the message.
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
Source: US-CERT

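The "pay attention to the URL" advice above can be turned into a check. The following Python script is an added example (not part of the lecture or of the US-CERT guidance it quotes): it compares the host of each link against a small allow-list of domains the organization owns and flags the common look-alike tricks: digit-for-letter and accented-letter confusables, a different top-level domain, the legitimate domain used as a subdomain of someone else's, and a legitimate name placed before `@` so that the real host is hidden in what looks like a path. The allow-list (`example.com`, `example-bank.com`), the sample URLs and the edit-distance thresholds are constructed assumptions.

```python
"""Flag look-alike (typosquatted, homoglyph, TLD-swapped or userinfo-abusing)
URLs against a small allow-list of an organisation's own domains.

Added example for this lecture; the allow-list, sample URLs and thresholds are
constructed assumptions, not part of the US-CERT guidance quoted above.
"""
import unicodedata
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation actually owns.
LEGIT_DOMAINS = ["example.com", "example-bank.com"]

# Characters attackers substitute because they look alike (assumed subset).
CONFUSABLE = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}


def fold(s: str) -> str:
    """Normalise a label so confusable spellings compare equal.

    Lower-cases, strips accents (so 'exämple' -> 'example'), collapses the
    'rn'->'m' and 'vv'->'w' tricks and maps digits to the letters they mimic.
    """
    s = unicodedata.normalize("NFKD", s.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLE.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_parts(host: str) -> Tuple[str, str]:
    """Split host into (name, tld) using the last two labels.

    Assumption: no public-suffix list, so 'foo.co.uk' would be mis-split; a
    production tool would consult the Public Suffix List instead.
    """
    labels = host.split(".")
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]


def classify(url: str) -> Tuple[str, str]:
    """Return ('legit' | 'lookalike' | 'unrelated', reason) for a URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # 'https://example.com@203.0.113.9/' reads as example.com to a casual eye,
    # but everything before '@' is userinfo; the real host is what follows it.
    if parts.username and fold(parts.username) in {fold(d) for d in LEGIT_DOMAINS}:
        return "lookalike", f"allow-listed name placed before '@'; real host is {host}"
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit", "host is an allow-listed domain or one of its subdomains"
    name, tld = registrable_parts(host)
    for legit in LEGIT_DOMAINS:
        legit_name, legit_tld = legit.rsplit(".", 1)
        # Our domain appearing as a left-hand label of someone else's domain.
        if fold(host).startswith(fold(legit) + "."):
            return "lookalike", f"{legit} used as a subdomain of {name}.{tld}"
        distance = levenshtein(fold(name), fold(legit_name))
        if distance == 0 and tld != legit_tld:
            return "lookalike", f"same name as {legit} with TLD .{tld}"
        if distance == 0:
            return "lookalike", f"confusable spelling of {legit}"
        # Allow two edits for longer names, one for short ones (assumed thresholds).
        if distance <= (2 if len(legit_name) >= 6 else 1):
            return "lookalike", f"{distance} edit(s) away from {legit}"
    return "unrelated", "no resemblance to any allow-listed domain"


def triage(urls: List[str]) -> Dict[str, str]:
    """Map each URL to its verdict only (handy for bulk checks)."""
    return {u: classify(u)[0] for u in urls}


# Constructed sample links as they might appear in a phishing e-mail.
SAMPLE_URLS = [
    "https://www.example.com/login",
    "https://example.com@203.0.113.9/login",
    "https://examp1e.com/verify",
    "https://example.net/account",
    "https://example.com.secure-login.net/",
    "https://exampel.com/",
    "https://exämple.com/",
    "https://docs.python.org/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, reason = classify(url)
        print(f"{verdict:10} {url:45} {reason}")
```

The check is deliberately conservative: anything that resembles an owned domain but is not one is reported as a look-alike for a human to verify, which is the same "when unsure, contact the company directly" rule the slide gives.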
2025 Verizon DBIR

2025 Data Breach Investigations Report, by Verizon

This year the DBIR team analyzed 22,052 security incidents, of which 12,195 were confirmed data breaches.

Incident vs. Breach

• Incident: A security incident can describe any event where your security policies and procedures have not been followed or have been violated in some way to alter the state of the target, such as the exposure of confidential data.
• Breach: An incident that results in the confirmed disclosure - not just potential exposure - of data to an unauthorized party.
2025 Verizon DBIR
Summary of Findings

The exploitation of vulnerabilities has seen another year of growth as an initial access vector for breaches, reaching 20%. This value approaches that of credential abuse, which is still the most common vector. This was an increase of 34% in relation to last year's report and was supported, in part, by zero day exploits targeting edge devices and virtual private networks (VPNs). The percentage of edge devices and VPNs as a target on our exploitation of vulnerabilities action was 22%, and it grew almost eight-fold from the 3% found in last year's report. Organizations worked very hard to patch those edge device vulnerabilities, but our analysis showed only about 54% of those were fully remediated throughout the year, and it took a median of 32 days to accomplish.

The presence of Ransomware, with or without encryption, in our dataset also saw significant growth—a 37% increase from last year's report. It was present in 44% of all the breaches we reviewed, up from 32%. In some good news, however, the median amount paid to ransomware groups has decreased to $115,000 (from $150,000 last year). 64% of the victim organizations did not pay the ransoms, which was up from 50% two years ago. This could be partially responsible for the declining ransom amounts. Ransomware is also disproportionally affecting small organizations. In larger organizations, Ransomware is a component of 39% of breaches, while SMBs experienced Ransomware-related breaches to the tune of 88% overall.
