Professional Documents
Culture Documents
1
Group 5
Members
Prince Mupangavanhu – R192721N
Wayne Nzvere – R132500H
Nyasha P Muzeanenhamu – R191197V
Edwin M Muzeza – R1814999V
Anotida H.M Pasi – R1815002M
Clive Masawi – R1814915Q
Tatenda G Rufu – R193782A
Silvanos Dambwa – R192722A
Royal Guta – R193881Y
CHAPTER 3
What is a “principle” ?
a fundamental truth or proposition serving as the foundation for belief or
action.
4
10 KEY SECURITY PRINCIPLES
5
TEN KEY SECURITY PRINCIPLES
• Assign the least privilege • Fail securely & use secure
possible defaults
Tradeoff Convenience
14
9 - NEVER INVENT SECURITY TECH
Businesses today are connecting to the Internet using more and more devices. This creates more
gateways for cybercriminals to carry out cyberattacks.
Along with an exploding volume of data generated using these devices, new data also estimates that
there will be close to 50 billion connected Internet of Things (IoT) devices used worldwide by 2030.
Ransomware and hybrid ransomware attacks are significant threats to devices. A ransomware attack
on its own is bad enough as it allows hackers to take control of a device, and then demand a ransom
before the user can regain control.
What are the primary attack surfaces?
Software attack surface (i.e., software vulnerabilities)
Ransomware and hybrid ransomware attacks are significant threats to devices. A ransomware attack
on its own is bad enough as it allows hackers to take control of a device, and then demand a ransom
before the user can regain control.
What are the primary attack surfaces?
Human attack surface (e.g., social engineering)
Sophisticated cyberattacks primarily target employees because they are often the weakest link in the
digital security chain. In the Verizon DBIR 2020 report, human error accounts for 22% of breaches.
According to Gartner, 95% of cloud breaches occur due to human errors such as configuration
mistakes, and this is expected to continue.
Adding more risk, password policies and other safeguards designed to protect people, such as multi-
factor authentication (MFA), are not standard practice within most SMB organizations. And worse,
recent research shows that password behaviors continue to be an issue — 91% of people know that
using the same password on multiple accounts is a security risk, yet 66% continue to use the same
password anyway.
Attackers also use social engineering techniques to gain access to networks through employees.
Social engineering tricks people into handing over confidential company information. The hacker
often contacts employees via email, pretending to be a credible organization or even a colleague.
Most employees do not have the knowledge to defend themselves against these advanced social
engineering attacks.
An attack tree
Attack trees are diagrams that depict attacks on a system in tree form. The tree root is the goal for
the attack, and the leaves are ways to achieve that goal. Each goal is represented as a separate tree.
Thus, the system threat analysis produces a set of attack trees.
Attack Tree for Internet Banking Authentication
The attack tree model for common attacks against online banking systems is presented in
Diagram below. This model represents the main components of banking systems
authorization and authentication mechanisms and efficient attacks against them.
The attacks exploit vulnerabilities inherent in the people (engineering social and phishing)
then to gain control of device (malware) and credential theft legitimate user (fake Web
pages and malware).
Attack Tree for Internet Banking Authentication
Attack Tree for Internet Banking Authentication
CREDENTIAL THEFT
This kind of attack is the simplest and most commonly performed against banking systems. It
basically consists in obtaining the necessary credentials and user data in order to access the
system as a legitimate user, providing information normally known only to legitimate users.
DEVICE CONTROL
The device control objective is to obtain full control of the user's device instead of only stealing
data used in the authentication process. The user's device itself is then used by the attacker to
access the banking service and perform frauds. This attack is more complex than credential theft
and tracing its origin is much more difficult because the attacker never directly accesses the online
banking service.
Malware
Malware targets end user devices such as computers and cell phones and install a malware which
pose a risk to the bank’s cyber security each time they connect to the bank’s network.
Sensitive data passes through this connection and the end user device installed with malware on
it, will attack the bank’s networks.
Attack Tree for Internet Banking Authentication
A newer type of cyber security threat is spoofing , where hackers will find a way to impersonate a
banking website’s URL with a website that looks and functions exactly the same. When a user
enters his or her login information, that information is then stolen by hackers to be used later, the
new spoofing techniques do not use a slightly different but similar URL and they are able to target
users who visited the correct URL.
Social Engineering
Social engineering is the act of exploiting human weaknesses to gain access to personal
information and protected systems. Social engineering relies on manipulating individuals rather
than hacking computer systems to penetrate a target’s account. The most common social
engineering is phishing
Thank you … questions?