Acceptable Usage Policy
A document drawn up by an organisation that defines proper IT system usage (network, system or website), restrictions and the responsibilities of users. While users might be aware of their organisation’s AUP, they might not fully understand the rationale behind it or the important role they play in keeping the organisation’s data secure. Better user understanding usually equates with better adherence.
Advanced Persistent Threat (APT)
An attack in which an attacker gains access to a system or network and remains there for a prolonged period of time. The motivation for this category of attack is usually data exfiltration. Common targets include the financial sector, government departments or agencies. One such victim was the New York Times, which discovered an APT had been residing on its network for months. Security researchers at FireEye allege that Chinese hackers have targeted several foreign affairs ministries in Europe. Social engineering tactics, such as spear-phishing, appear to be commonly used on employees to launch APT attacks.
The phenomenon of users ignoring warnings of potential problems from their IT security software, usually as a result of being exposed to a large number of frequent alarms.
A recent trend where cyber criminals pose as customer support representatives of various organisations on social media platforms, such as Twitter and Facebook. Here they can initiate an interaction with a target under the pretext of helping them whilst also extracting personal information. For example, Twitter’s direct message service might be used by social engineers to get a bank customer who is experiencing an issue with their bank account to divulge their credit card and pin number. See also Reverse Social Engineering.
This is data which cannot identify somebody directly or indirectly. Data is anonymised because it reduces the risk of unintended disclosure when sharing data between countries, organisations and even departments. If a breach does occur the data will be useless to any miscreants. Data can be anonymised by using a number of techniques, such as encryption, generalisation or deletion.
Software designed to prevent and detect malware infections. Early versions of anti-virus software were signature-based, which meant detection relied on a database of known malware. However, malware and virus authors circumvented these detection methods by using techniques, such as polymorphism (changing code on-the-fly), encryption and obfuscation. As a result, many AV companies introduced heuristic-based (behaviour-based) detection into their products. But even this type of detection can be avoided as threats can be programmed to lie dormant or execute inside “safe” applications. The efficacy of anti-virus software is further eroded by the prevalence of so-called zero-day threats in circulation which AV software has difficulty detecting. Despite these shortcomings, anti-virus still acts as a useful layer of defence against known threats. See also Scareware.
This method is used to bypass normal security controls. A backdoor may refer to a part of an application, a dedicated application or the firmware of a hardware device that allows access without using authentication credentials. Pirated software downloaded from the internet is often used as an operating system backdoor. Backdoors are sometimes deliberate. For example, at the behest of an ISP, a modem manufacturer may introduce a backdoor into their devices for more efficient troubleshooting. Backdoor accounts are commonly used in insider attacks where the miscreant will use a second login (often a redundant user or guest account) to access a system without triggering technical controls, such as an intrusion detection system.
Business email compromise (BEC)
A type of social engineering attack in which one party of a financial transaction gets impersonated. For example, in the buying or selling of a house, an attacker may impersonate the real estate agent or solicitor by using a compromised or spoofed email account, and then socially engineer the buyer to redirect funds to their own bank account during the final stages of the transaction. See also CEO fraud.
A social engineering attack that involves the attacker leaving malware-infected portable storage media, such as USB memory sticks, in locations where people will find them. The hope is that the target will insert the USB device into a computer. Once this occurs, an executable malware file is triggered to run surreptitiously. For example, keylogger software might be downloaded onto the target’s computer, which transmits login credentials back to the attacker’s command and control centre. The Stuxnet virus was propagated using an infected USB stick which was strategically dropped near an Iranian nuclear facility.
Monitoring resource usage (such as email usage) to determine typical usage patterns so that significant deviations can be detected.
A type of password attack where multiple password combinations are used to gain access to a password-protected device or account. Hackers use extensive off-the-shelf password databases of commonly used passwords and password combinations. Brute force attacks work because users still use weak passwords. For example, many computer users still erroneously believe that leeting the password (for example, replacing the letter “o” with the numeral “0”) makes it more secure. But online password databases contain most commonly used passwords and their leeted versions. For example, password databases will contain common passwords, such as “Liverpoolfc”, but also variants, such as “1iverp00lfc”, “L1verpoolFC” and “L!verp00lFc”. Users need to understand how to devise secure passwords to mitigate against such attacks.
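The point above, that a leeted variant of a common password is no stronger than the common password itself, can be enforced at password-creation time. The following is an added example (not from the original page): a checker that expands the usual leet substitutions back to letters, treating “1” as either “i” or “l” because the page’s own examples use it both ways, and rejects anything that reduces to a word in a constructed sample of a common-password list.

```python
import itertools
import re
from typing import List, Set

# Constructed sample of a "commonly used passwords" list; real wordlists hold millions.
COMMON_PASSWORDS = {"password", "liverpoolfc", "letmein", "qwerty", "welcome"}

# Leet substitutions mapped back to the letter(s) they commonly stand in for.
# '1' is ambiguous: it replaces both 'i' ("L1verpoolFC") and 'l' ("1iverp00lfc").
LEET = {"0": "o", "1": "il", "!": "i", "|": "l", "3": "e", "4": "a", "@": "a",
        "5": "s", "$": "s", "7": "t", "8": "b"}
MAX_LEET_CHARS = 8  # bound the candidate expansion to at most 3**8 strings


def unleet_candidates(password: str) -> Set[str]:
    """All plausible plain-text readings of a leeted, case-mixed password."""
    lower = password.lower()
    if sum(1 for ch in lower if ch in LEET) > MAX_LEET_CHARS:
        # Too many substitutable characters: fall back to the single most common reading.
        return {"".join(LEET[ch][0] if ch in LEET else ch for ch in lower)}
    # Keep the character itself as an option so 'password1' is also tried unchanged.
    choices = [LEET[ch] + ch if ch in LEET else ch for ch in lower]
    return {"".join(p) for p in itertools.product(*choices)}


def check_password(password: str, min_length: int = 12) -> List[str]:
    """Return the reasons a password would be rejected (empty list = acceptable)."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for cand in unleet_candidates(password):
        if cand in COMMON_PASSWORDS:
            problems.append(f"leet/case variant of common password '{cand}'")
            break
        # Also catch a common password with digits or symbols tacked on the end.
        stripped = re.sub(r"[^a-z]+$", "", cand)
        if stripped != cand and stripped in COMMON_PASSWORDS:
            problems.append(f"common password '{stripped}' with a suffix appended")
            break
    return problems


if __name__ == "__main__":
    for pw in ("Liverpoolfc", "1iverp00lfc", "L1verpoolFC", "L!verp00lFc",
               "1iverp00lfc2019!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'acceptable'}")
```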
A bot is a piece of software that has been surreptitiously installed onto an internet-connected device, such as a computer, smartphone or an IoT device, like a camera. Interestingly, it works in a similar way to a biological parasite that often leaves the host relatively unharmed in order to attack other victims. See also Botnet.
A network of bot-infected devices that is used for massive denial-of-service attacks and bulk-email attacks (a huge number of emails sent from a single point would simply be blocked by the service provider). In 2016, the Mirai botnet used web-connected DVRs, IP cameras, routers and IoT devices to launch an attack on Dyn, a company that runs the DNS infrastructure for many popular websites, such as Twitter, Netflix, Reddit and CNN. The attack resulted in many of these sites being taken offline.
Business Process Compromise (BPC)
A form of attack where business processes or their underlying systems have been manipulated by an attacker. For example, starting from 2011, the Belgian port of Antwerp was infiltrated by hackers acting on behalf of drug traffickers. Shipping containers were disappearing off their computer systems for no apparent reason. It took the port authority almost two years to discover that hackers were “inside” their IT systems manipulating them. BPC causes financial loss and can severely disrupt operations.
Caller ID Spoofing
A direct social engineering attack that often involves using a spoofed phone number to create a sense of trust. The number will appear on the victim’s caller identification display, leading them to believe that the call emanates from a particular geographic region, organisation or individual.
A type of business email compromise in which the attacker purports to be the CEO, and uses a compromised or spoofed email address to make a payment request to an employee with the authority to issue payments. The receiving bank account is usually owned or connected to the attacker. This attack preys on the human inclination to follow a chain of command and usually involves the attacker adding some urgency to the request. Victims of this scam include Meath County Council, who lost €4.3 million when one of their finance team received a fraudulent payment request from an attacker who claimed to be the CEO. The risk posed by CEO fraud can be mitigated by training executive staff, their assistants and those working in finance functions to identify the tell-tale signs of such an attack and how to mitigate it.
see Plain Text.
Clean Desk Policy
A policy which encourages employees to remove sensitive documents or materials from their workspace when they are not in use. A clean desk policy hopes to mitigate the risk of the insider threat. This includes not only existing employees, but also “invisible insiders”, such as contract cleaners or anyone who has access to employee workspaces. A common example of a clean desk policy breach is employees leaving sticky notes containing passwords at their workstation, and a much overlooked breach of a clean desk policy is sending private documents to a communal printer when a private one should be used instead.
A website URL or email attachment that appears to be from a trusted source, but is actually connected to a source set up by a hacker. Clickbait URLs or attachments will often have alluring titles such as “salary increase” or “picture of you at party” which incite human curiosity. However, clickbait strategies are becoming more sophisticated – like when the Coca-Cola executive got a phishing email with the subject line “Save Power is Save Money” just when the company was starting an energy-saving initiative.
Occurs when an attacker tricks the target into clicking on something different to what they had expected. This can potentially reveal sensitive information, take control of their computer, or cause them to take an action that was not intended.
Occurs when the text and graphics of an authentic email that has been previously sent to the target (e.g. from a financial institution) is copied and resent to them. The “new” version of the email will generally be modified so that its content is faked or links are malicious.
Almost every organisation holds confidential data which can often mean success or failure in the marketplace. Examples of such data include research and development data, customer information or data related to mergers and acquisitions.
A data subject’s consent for data collection under the GDPR can only be obtained after the purpose specification has been presented. The purpose should be unambiguous and/or explicit. This is referred to as active consent. For example, organisations will no longer be allowed to use automatic pre-ticked “opt-in” boxes for email lists, and they must be able to provide proof that the “opt-in” was not automatic.
Occurs when the login credentials for webmail, domain access, VPN access, etc. are collected via a compromised web browser, application, malware or DNS server. This can have serious ramifications for an organisation’s security as these login credentials give the attacker the keys to the kingdom, and this type of attack is very difficult to detect.
Malware designed to automate cybercrime. “Crimeware kits” can be bought on the “darknet” to automate all sorts of attacks from phishing to DDoS. Some of these are highly-specific tools. For example, tools designed to attack Office 365 or tools than can emulate DropBox links. For some of these kits, their creators even provide buyers with a “customer support” line.
Cross-site Scripting (XSS)
This occurs when a malicious script is injected into a trusted website. The code allows the attacker to execute scripts in the victim’s browser or redirect the user to a malicious site. An XSS attack usually exploits a website or application but also uses social engineering to induce the user to perform an action, such as clicking a link or attachment.
Espionage geared towards financial, commercial and technological goals. Organisations can spend millions of Euros on research and development for new products and services only to have that intellectual property stolen. Likewise, valuable customer databases that have taken years to build up can be stolen in the space of an afternoon. According to a 2015 Standard and Poor / Ocean Tomo survey, 84% of the value of a firm is directly related to its intellectual property. Cyber-criminals now offer marketplaces in the “dark web” where this information can be bought along with “rent-a-hacker” type services that will hack your competitor of choice. Phishing attacks have been the starting point for many corporate espionage attacks, such as those on Coca-Cola and Telenor.
A data audit is the process of finding out where your organisation’s data is stored, how it is processed and whether it is compliant with data protection law. This process can be performed manually or electronically. For example, questionnaires on data holdings might be distributed to relevant staff, or data audit software can be run to identify PII on servers or end-point devices. When performing a data audit, it is important to think about data broadly. For instance, you may have customer data but also employee and supplier data.
Any event where confidential data is viewed, transmitted, stolen or used by an unauthorised individual. Data breaches are often caused by user error, lost or stolen devices, data-stealing malware, targeted attacks or malicious insiders. According to a survey of IT administrators carried out by the Irish Computer Society in 2016, 61% of Irish companies have suffered a data breach. Negligent employees were cited as the biggest source of data breaches, followed by external attackers and unencrypted end-user devices. Employees are your eyes and ears for breaches. During IT security awareness training, employees should be instructed on breach-prevention strategies and reminded of the importance of reporting a suspected breach to your information security team or relevant person. Moreover, they need to be made aware of the breach reporting time limits that the GDPR imposes.
Organising data into categories so that it can be used and stored more securely.
Data leaving a network to an external location. This term is usually used in reference to authorised data.
(a.k.a. data in transit) – Data that is transmitted over a network. Data-in-motion can be secured by encrypting the communications channel (e.g. by using IPSec encryption) or by encrypting the data before transmission (e.g. using AES-256).
This is one of the three states of data. It primarily refers to data that is stored in a computing system while it is being processed. For example, a user working on a Microsoft Word document will result in the data being temporarily stored in the computer system’s hardware (e.g. CPU, RAM) and in operating system cache files.
Inactive data that is stored on a physical storage device, such as the server, workstation, USB drive or smartphone.
An unintentional release of confidential information to an untrusted environment. An increasingly large number of data leaks can now be attributed to social engineering attacks or plain human error.
Data Loss Prevention (DLP)
This aims to prevent the unauthorised loss or exfiltration of data. DLP solutions typically monitor data traffic that leaves a network for document tags, watermarks and “DLP fingerprints”. DLP functionality often comes bundled with many UTM firewalls. While DLP vendors might market their solutions as watertight, a lot of these “solutions” can be circumvented by IT-savvy insiders.
Collecting the minimum amount of data needed to fulfil a purpose. Data minimisation also refers to the practice of carrying the bare minimum of data on portable computing devices and storage media in order to minimise one’s exposure in the event of a data breach.
Refers to data which is in a format that is easily accessible and easily transmissible to a third party. Data portability is a stipulation in the GDPR which means organisations that are subject to data access requests must have the facility to export data in an open and non-proprietary format.
An entity that collects or processes data for a data controller.
In many computing environments, the execution of the “delete” or “move to trash” command does not actually result in data getting irreversibly deleted. Data remanence is data that persists beyond the non-invasive means to delete it. For example, deleting data within OS X or Windows-based operating systems does not result in the data being immediately deleted, it merely means the hard disk space previously allocated to these files is marked by the file system as “free”. In the age of BYOD, it is imperative that users are trained to realise the risks associated with improper data wiping and trained in practical steps they can follow to securely erase data. See also data wiping.
Data Quality Principle
Personal data collected by organisations should be relevant for purpose, accurate and kept up-to-date.
Secure data wiping usually involves writing zeros or random characters to a storage device so that any stored data becomes overwritten and is unrecoverable. There are several free and commercial applications on the internet that claim to perform this task securely. However, with the proliferation of solid state disks, traditional “wiping software” or “disk erasure” software might not always work as effectively on SSDs, compared to mechanical disks. This is because SSDs do not store their data in the same fashion as mechanical disks and are often only capable of being securely erased by commands issued from the controller on the storage device itself. See also Data Remanence
Records that have had personal data removed or obfuscated so that the information does not identify a data subject. Information can be de-identified by using a code, algorithm or pseudonym. Commonly cryptographic hashes, such as SHA, can be used for this purpose.
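The entry above notes that a SHA hash can serve as the pseudonym. The added example below (not from the original page) shows the practitioner’s caveat that goes with that: an unkeyed hash of a low-entropy field such as a date of birth can be recovered simply by hashing every possible date and comparing, whereas a keyed HMAC (with the key stored separately from the de-identified records) keeps records linkable without being recomputable. The record, field names and key are constructed for the demonstration.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import Dict, Optional

# Constructed sample record. In practice the key lives in a secrets store, not in code.
RECORD = {"name": "Jane Doe", "dob": "1987-03-14", "postcode": "D02 XY12"}
SECRET_KEY = b"constructed-demo-key-do-not-use"


def sha256_pseudonym(value: str) -> str:
    """Plain SHA-256 of a field: consistent across records, but anyone can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def hmac_pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256: equally consistent, but cannot be recomputed without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reverse_dob_hash(target: str, start_year: int = 1900, end_year: int = 2025) -> Optional[str]:
    """Recover a date of birth from its unkeyed SHA-256 by trying every date in range.
    The entire input space is only about 46,000 values, so this takes a fraction of a second,
    which is why an unkeyed hash of such a field is pseudonymisation, not anonymisation."""
    d = date(start_year, 1, 1)
    end = date(end_year, 12, 31)
    while d <= end:
        s = d.isoformat()
        if hashlib.sha256(s.encode()).hexdigest() == target:
            return s
        d += timedelta(days=1)
    return None


def deidentify(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace the direct identifiers with one keyed pseudonym; keep the non-identifying field."""
    return {
        "pid": hmac_pseudonym(record["name"] + "|" + record["dob"], key),
        "postcode": record["postcode"],
    }


if __name__ == "__main__":
    h = sha256_pseudonym(RECORD["dob"])
    print("unkeyed SHA-256 of dob:", h)
    print("recovered by enumeration:", reverse_dob_hash(h))
    print("keyed record:", deidentify(RECORD, SECRET_KEY))
```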
Digital Rights Management (DRM)
In the context of organisational data protection, DRM, which is sometimes referred to as Enterprise Digital Rights Management (EDRM), helps to protect data that has been properly classified and resident in known file locations. Typically, EDRM solutions are identity-centric, which means that the access rights are tightly tied to the identity of the user. So, for example, a PDF file containing details of a new product launch which is emailed externally to a third-party will be unreadable. However, an EDRM solution is by no means infallible as it cannot prevent employee workarounds, such as photographing documents with a smartphone.
A mechanism for proving the identity of the sender and a way of proving a message has not been interfered with in any way. In an ideal world, the efficacy of phishing attacks and other email scams could be curtailed by the widespread adoption of digital signatures, but this has yet to happen. Many email providers regard the mass rollout of encrypted and authenticated emails as being too cumbersome. Moreover, it is feared that the widespread adoption of digitally signed emails would generate a whole new “dark web” marketplace for stolen encryption keys.
Information that can be used to identify a data subject.
DNS Cache Poisoning
The attacker “poisons” the DNS cache of a DNS server with incorrect address records. This results in DNS requests that resolve to the attacker’s proxy server and browser requests being surreptitiously redirected to a malicious domain where the login credentials and other sensitive information may be captured. See also Pharming, Credential Harvesting.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
An email message validation standard that is used to prevent spoofed emails. DMARC combines the Sender Policy Framework (SPF) with DomainKeys Identified Mail (DKIM) to confirm that a message came from the source it purports to.
DomainKeys Identified Mail (DKIM)
A system which allows receiving mail servers to check whether an email came from the domain that it purports to and was not modified during transport. This is done largely to prevent mail spoofing and tampering.
The creation of a website domain that is made to look like a bona fide website. The victim logs into the spoofed website domain with their real credentials, which are then used by the attacker. For example, the attacker might claim there is an urgent document to be reviewed on droppbox.com instead of dropbox.com.
A phishing technique where the victim is sent multiple emails from the same malicious sender. The initial emails do not contain an attack as they are used to establish some credibility and garner the victim’s trust, but subsequent ones are used to extract information or influence the user.
The release of confidential personal or organisational information from a compromised computer or storage device into the public domain. An infamous case of doxing involved 11.5 million leaked documents of the Panamanian law firm Mossack Fonseca.
A malicious file that downloads automatically from a compromised website with little or no user intervention. Drive-by-downloads usually exploit out-of-date website plug-ins. In 2011, visitors to Amnesty International’s website got infected by a drive-by-download attack because hackers had exploited an out-of-date Java applet.
In the context of information security, due care means handling data in a prudent manner which any right-thinking person would consider to be appropriate. Due care is normally not explicitly documented in security policies and procedures.
Process whereby the attacker examines the contents of waste bins, skips or recycling bins for the purpose of obtaining confidential information, such as invoices, email printouts or company memos. Dumpster diving can also refer to the collection and analysis of electronic waste items, such as old computer systems, memory devices or smartphones for useful information. This attack can be prevented by using cross-cut shredders on paper waste and performing secure erasure on devices. The physical destruction of standalone storage devices and storage media contained in electronic devices is always preferable though.
The identification of malware that is based on direct observation of its behaviour. Using this method to identify malicious payloads is still not perfect, however, as the malware may be programmed to behave differently under the absence or presence of certain resources, or when it is being observed. See also Sandbox.
The time between the infection and detection of malicious software or hacker infiltration. Most security researchers estimate the average dwell time to be 150 days. If an organisation has experienced a breach, dwell time can be reduced by trained employees who can spot anomalies on their IT systems. Dwell time can also be reduced by having a robust, easy-to-use reporting mechanism.
Encryption is the scrambling of data so that it can only be accessed by someone with a decryption key. All devices that contain confidential or sensitive information should be encrypted. The login presented at system start-up for most operating systems (Microsoft and Apple) offers a meagre level of protection if the device is lost or stolen. To protect devices, such as laptops, you can use full-disk encryption (FDE) or folder-level encryption. The latter relies on the user saving their documents to an encrypted folder or container. Full-disk encryption is safer as everything on the disk will be encrypted, regardless of where it is saved. Popular encryption applications include Apple’s File Vault and Microsoft’s BitLocker. Third-party encryption applications may offer enhanced features, such as remote wipe.
Occurs when a bad actor takes control of a user’s email address via unauthorised means such as credential harvesting. Once they have control, they can prey on the user’s contacts list to propagate phishing emails and malicious download links. Email hijacking can be an extremely potent attack vector, as using a legitimate email address when purporting to be a colleague, supplier or family member carries a high degree of credibility.
A wireless access point or computing device that spoofs the legitimate access point’s SSID or uses a similar name to another network. This can be used to instigate a man-in-the-middle attack where wireless communications between a client device, such as a laptop or smartphone, are intercepted by the attacker, resulting in stolen data, passwords or credit card numbers. During IT security awareness training, users should be reminded of the importance of using bona fide Wi-Fi networks and VPNs when accessing the internet in public places or whatever their IT security policy deems safe.
This malware is extremely difficult to detect as it is not written to the system’s disk. Instead, such infections reside in the system’s memory, which can be within the Windows registry or in a rootkit, or the infection piggybacks on PowerShell.
Malware that works by capturing data in a web form before the form is submitted. It is considered more effective than keylogging software, as it captures data even when a virtual keyboard, autofill or copy and paste is used. HTTPS-enabled websites are not immune from this attack vector either, as the data is captured before it gets encrypted. The infamous Zeus and TinyBanker trojans extensively used form grabbing as a mechanism for stealing credentials for online banking. Form grabbing can be mitigated by using anti-virus, an updated browser and eschewing the installation of browser plug-ins.
Hacker slang for the information that is needed to steal someone’s identity. Cybercriminals will often offer some “free samples” of people’s identities to buyers on the dark web to show that they’re credible and have fullz “inventory”. Typically, this information includes details such as victims’ names, addresses, bank account numbers, banking PIN numbers, dates of birth, etc.
General Data Protection Regulation (GDPR)
This data protection regulation will allow individuals to have greater control over how their data is collected and controlled when it comes into effect in May 2018. Under this regulation, all businesses working with personal data will be obliged to appoint a Data Protection Officer or data controller. Non-compliance with GDPR regulations gives the Irish Data Protection Commissioner the power to fine an organisation up to €20 million or 4 per cent of a company’s annual turnover.
Host Intrusion Prevention System (HIPS)
Performs a similar role to anti-virus software in that it both detects and blocks threats, but its broader scope means that HIPS can detect changes to the operating system. However, with the evolution of “endpoint security suites”, the difference between HIPS and AV is now blurring.
Modern day IT security does not just come under the remit of the IT department. Instead, it is everyone’s job. It can greatly enhance an organisation’s security posture if incident reporting policies create an easy way for employees to report suspicious emails, SMS messages, telephone calls, etc. Ideally, incident reporting should become a cultural norm and not be perceived as a mechanism for the paranoid. But perhaps the greatest attribute of any incident reporting mechanism is trust. Employees who have accidentally made an error, such as opening up a dubious attachment, should not fear being reprimanded. A reported incident can be at least eliminated, contained or monitored.
Identity Access Management
The system for controlling access to an organisation’s information assets. The whole premise of an IAM solution is one identity per individual. That identity should be maintained, modified and monitored during the “access life cycle” of the user. IAM is an essential tool in data auditing.
Incident Response (data breach)
Organisations should develop contingency plans in preparation for a possible data breach. These should contain information, such as how individuals should be notified about the breach, how the breach is to be reported and whether remedial services, such as credit monitoring, should be provided to those affected.
This usually refers to a database when an authorised entity is able to infer sensitive information from authorised query results and prevailing common knowledge. For example, an authorised user accessing a database might be able to identify an entity based on a combination of criteria, such as age, gender, date of birth and postal code.
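The inference risk described above can be measured before query results are released. The following is an added example (not from the original page) that computes a table’s k-anonymity over the quasi-identifiers the entry names (age, gender, date of birth, postal code), lists the attribute combinations that single out exactly one row, and shows how generalising those fields raises k. The rows are constructed sample data.

```python
from collections import Counter
from typing import Any, Dict, List, Tuple

# Constructed sample of "authorised query results": no names, yet some rows are unique.
ROWS: List[Dict[str, Any]] = [
    {"age": 34, "gender": "F", "dob": "1989-05-02", "postcode": "D02", "diagnosis": "asthma"},
    {"age": 34, "gender": "F", "dob": "1989-05-02", "postcode": "D02", "diagnosis": "flu"},
    {"age": 34, "gender": "M", "dob": "1989-11-20", "postcode": "D02", "diagnosis": "diabetes"},
    {"age": 52, "gender": "F", "dob": "1971-01-15", "postcode": "D15", "diagnosis": "flu"},
    {"age": 52, "gender": "F", "dob": "1971-01-15", "postcode": "D15", "diagnosis": "asthma"},
]
# Columns that are not secret on their own but can be combined to identify a person.
QUASI_IDENTIFIERS = ("age", "gender", "dob", "postcode")


def equivalence_classes(rows: List[Dict[str, Any]], quasi=QUASI_IDENTIFIERS) -> Counter:
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)


def k_anonymity(rows: List[Dict[str, Any]], quasi=QUASI_IDENTIFIERS) -> int:
    """The dataset's k: the size of its smallest equivalence class."""
    return min(equivalence_classes(rows, quasi).values())


def singled_out(rows: List[Dict[str, Any]], quasi=QUASI_IDENTIFIERS) -> List[Tuple]:
    """Quasi-identifier combinations matching exactly one row. Anyone who knows those
    attributes about a person (a colleague's age, gender, DOB and postcode, say)
    can read that person's sensitive column straight off the result set."""
    return [combo for combo, n in equivalence_classes(rows, quasi).items() if n == 1]


def generalise(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Coarsen the quasi-identifiers: ten-year age band, year of birth only,
    gender suppressed. Fewer distinct combinations means larger classes."""
    out = []
    for r in rows:
        g = dict(r)
        decade = r["age"] // 10 * 10
        g["age"] = f"{decade}-{decade + 9}"
        g["dob"] = r["dob"][:4]
        g["gender"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(ROWS))
    print("combinations that single out one person:", singled_out(ROWS))
    gen = generalise(ROWS)
    print("k after generalisation:", k_anonymity(gen))
    print("singled out after generalisation:", singled_out(gen))
```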
Instant Messenger (IM) Attack
Instant messenger tools, such as those provided by Google, Facebook and a host of other vendors, can provide a vector for a number of phishing attacks.
Data generated from day-to-day activities that is not identified as confidential or restricted. Typical examples of internal data might include email correspondence with clients or internal telephone directories.
Internationalized Domain Name (IDN) Homograph attack
Website domain names can be registered using non-Latin characters. This means that websites for popular domain names can be mimicked whilst appearing to be totally normal in the user’s browser. For example, a domain name registered as “xn--pple-43d.com” might display in a browser as “apple.com”.
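The “xn--pple-43d.com” case above can be caught with two checks that browsers and mail gateways apply: decode the punycode to what the user would see, then flag a label that mixes Unicode scripts or that, after mapping known look-alike letters to Latin, matches a watched brand domain. This is an added example, not from the original page; the watchlist and the confusables subset are constructed assumptions (the complete table is Unicode’s confusables.txt), and the all-Cyrillic case handled by the skeleton check goes beyond the page’s mixed-script example.

```python
import unicodedata
from typing import Dict, List, Set

# Constructed watchlist of domains the organisation wants look-alikes reported for.
WATCHLIST = {"apple.com", "dropbox.com", "paypal.com"}

# Constructed subset of Unicode's confusables table: Cyrillic letters that render
# like Latin ones, mapped to the Latin letter they resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0443": "y", "\u04cf": "l",
}


def to_unicode(hostname: str) -> str:
    """Turn a punycode (xn--) hostname into the form the browser would display.
    Hostnames that are already Unicode are returned unchanged."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname


def scripts_in(label: str) -> Set[str]:
    """Unicode scripts of the letters in one label, e.g. {'LATIN', 'CYRILLIC'},
    taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(hostname: str) -> str:
    """Replace confusable letters with their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def assess(hostname: str) -> Dict[str, object]:
    """Report why a hostname may be an IDN homograph of a watched domain."""
    shown = to_unicode(hostname)
    findings: List[str] = []
    for label in shown.split("."):
        if len(scripts_in(label)) > 1:
            findings.append(f"mixed scripts in label '{label}'")
    if not shown.isascii() and skeleton(shown) in WATCHLIST:
        findings.append(f"looks like watchlisted domain '{skeleton(shown)}'")
    return {"punycode": hostname, "displayed": shown, "findings": findings}


if __name__ == "__main__":
    for host in ("xn--pple-43d.com", "apple.com"):
        print(assess(host))
```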
This usually refers to a piece of software installed on a computing device which records everything that is typed on the keyboard, including passwords and other credentials inputted into the device. The recorded data is then sent over the internet to be used by the attacker. Keyloggers were extensively used by the Zeus banking trojan to capture bank login credentials. A keylogger can also take the form of a hardware device. For example, a hardware keylogger can interface between a computer’s USB port and keyboard to record inputted data.
Attackers don’t always aim for their prime target the first time. Instead, they might pick an “easier” target first, which acts as a beachhead. From there, they can move laterally across the network. For example, they might use a “pass the hash attack” to steal the credentials stored on a warehouse computer in order to access a system elsewhere in the organisation without leaving a trail of failed login attempts behind. Or the attackers might exploit open network shares. Lateral movement attacks perfectly illustrate why robust IT security must encompass every department and every individual of an organisation.
Least Access Privilege
The basic principle of IT security, which dictates that people should only have access to data or systems that are strictly required for the performance of their duties. “Privilege creep” occurs when users have more access than is required.
Information which, when linked with other information, can be used to identify a data subject. For example, in a relational database, date-of-birth linked with a home address will probably identify someone.
The injection of malicious or malware-laden advertisements into legitimate online banner advertising networks. Banners of popular websites, such as The New York Times, the BBC and Yahoo, have all been the targets of malvertising. Just because a website might seem reputable, it does not mean a malicious actor cannot use a banner advertising network to propagate malware.
An umbrella term used to describe any malicious software. Traditionally, the target of most malware attacks has been personal computers that run Windows or Apple operating systems. But now malware is being increasingly targeted at mobile devices that run Android and iOS. In August 2016, Pegasus malware was discovered on iOS (iPhones) that could read text messages, track calls, collect passwords and track phone locations. The malware could also intercept data from other apps, such as Gmail and Viber. The proliferation of mobile malware is a worrying trend. Numerous studies have shown that users are more likely to download malware infected apps and click on malware infected weblinks because of the smaller screen sizes. Malware infections on end-user systems are often the starting point of further attacks since login credentials for email accounts and network servers can be harvested using malware – thus giving attackers the keys to the kingdom as it were.
Metadata
Metadata is data about data, such as the size of a file or the last time it was updated. For example, unbeknownst to many computer users, a simple Microsoft Word document can contain the author’s name, as well as a record of changes made to the document and any deletions. The same applies to photo images, as the exposure time, camera used and sometimes even the GPS co-ordinates are embedded into a photo’s metadata. Even a cropped image can still retain metadata that contains a copy (thumbnail view) of the original photo. Data protection training can teach end-users techniques for removing metadata from files to prevent third parties becoming privy to confidential information.
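As an added example (not part of the original glossary), the following Python shows the kind of check a data protection team might script for the Word case above: a .docx is a zip archive whose author and last-modified-by fields live in docProps/core.xml, so the script reads those fields and blanks them before a document leaves the organisation. The sample document is constructed in memory; the field names are the standard OOXML core-property names.

```python
"""Inspect and scrub identifying metadata inside a .docx (OOXML) file.

Added example. The docx built here is a constructed minimal archive, not a
real document; only the docProps/core.xml part matters for this check.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml (OOXML core properties)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Fields that name a person or reveal editing history
IDENTIFYING_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dc:description", "cp:revision"]

SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:title>Q3 pricing proposal</dc:title>
  <dc:creator>jane.doe</dc:creator>
  <cp:lastModifiedBy>j.smith (Finance)</cp:lastModifiedBy>
  <cp:revision>14</cp:revision>
</cp:coreProperties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Build a constructed, minimal docx-like zip containing core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def read_core_fields(docx_bytes: bytes, fields=None) -> dict:
    """Return the requested core-property fields that are present and non-empty."""
    fields = IDENTIFYING_FIELDS if fields is None else fields
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = {}
    for field in fields:
        elem = root.find(field, NS)
        if elem is not None and elem.text:
            found[field] = elem.text
    return found


def scrub_core_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the document with the identifying fields blanked.

    Every other zip entry (the document body, content types) is copied as-is,
    so the file still opens normally; only docProps/core.xml is rewritten.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for field in IDENTIFYING_FIELDS:
                    elem = root.find(field, NS)
                    if elem is not None:
                        elem.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_core_fields(original))
    print("after: ", read_core_fields(scrub_core_metadata(original)))
```

The title is deliberately left in place: it is document content rather than a personal identifier, and the scrub should remove only what the file does not need in order to be read.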
Mis-delivery
Email mis-delivery is a common cause of data breaches. This user error occurs when a user inadvertently sends an email containing sensitive data to the wrong recipient. Mis-delivery errors can also occur when the recipients of bulk emails have their names and email addresses exposed to other parties on the list. This occurred in 2015 when an employee of a London-based NHS clinic specialising in HIV care inadvertently sent a bulk email newsletter using the “To” field instead of the “Bcc” field of their email application. Several techniques
The act of deliberately drawing a target’s attention to one thing in order to distract them from another. This is often used in social engineering attacks.
Multi-Factor Authentication (MFA)
Passwords have an inherent weakness as they can be stolen, guessed or brute-forced. As a result, hardware manufacturers and software providers decided that a more secure authentication solution was needed. With multi-factor authentication, the user must authenticate by using two or more separate forms of identification. The classic example of multi-factor authentication in action is a bank customer having to use a card and a PIN to withdraw money from an ATM. Having just one “factor” will result in the authentication process failing and the customer being unable to withdraw cash. Multi-factor authentication can also be applied to email services, such as Gmail, and cloud storage providers, such as Dropbox. Once enabled, the user needs a secondary code (typically sent to a smartphone) or a hardware token to log in. This helps to prevent attackers with stolen passwords from logging into a multi-factor secured account. Multi-factor authentication is also commonly referred to as two-factor authentication (2FA).
Hackers or social engineers can hide infected domains or malicious code behind official looking or shortened URLs or attachments.
Open Source Intelligence Techniques (OSINT)
The practice of using publicly available information found in sources, such as Google, LinkedIn, Twitter, Whois and Facebook, to glean intelligence on an individual. Using such sources has made it easy for social engineers to assemble an accurate profile of targets, which they will use in highly targeted attacks. Cyber-awareness training should make employees aware of how bad actors use such information and how they can minimise their exposure to the risk.
Out Of Band (OOB) Authentication
The use of a separate communication channel, such as an email, telephone, or in-person request, to verify the veracity of a request. This is considered to be a type of two-factor authentication. Many high-profile phishing and cyber-attacks on organisations might have been averted if employees had been trained to use OOB authentication.
Pass the hash
Many users erroneously believe that hashed passwords stored on their system cannot be used in attacks. In reality, however, attackers can use what are known as “hash dumping tools” which collect hashed passwords from a target (Windows) system. These can then be loaded into the Local Security Authority Subsystem Service (LSASS), which dupes the Windows system into thinking the attacker is an authenticated user.
Passwords
Although Bill Gates predicted the demise of the password over a decade ago, the humble password is still the primary means of authenticating endpoint devices, on-premise computers and cloud services for a substantial number of users. End-users must be made aware of the risks of using weak passwords, which can be brute-forced, and of recycling passwords, which makes them easily guessable. Moreover, during IT security awareness training, end-users should be reminded of the importance of using two-factor authentication where possible.
Personal Data
According to Article 4 of the GDPR, personal data is “any information related to an identified or identifiable natural person”. While PII covers very specific identifiers, such as vehicle registration numbers, social security numbers etc., personal data covers a much wider spectrum of data that can be used to identify someone on its own or in conjunction with other data. For example, this might include identification of someone based on their IP address or social media posts.
Personally Identifiable Information (PII)
Any information, such as date of birth, credit card details, home address, driving license information etc., can be classified as PII. There is a thriving black market for PII on the so-called “dark web”, which can be used for identity theft and fraud.
An attack that redirects traffic from a legitimate website to an attack site, often configured so that it very closely resembles the original. For example, a DNS server might be hacked and its IP routing information modified to redirect the traffic. The domain name will show correctly in the browser (even though it is a fraudulent site). See also DNS Cache Poisoning.
Phishing
A social engineering technique in which the attacker masquerades as a legitimate website or communication in order to acquire sensitive information, such as passwords or credit card information. Phishing messages can arrive via email, SMS, tweets, instant messages, QR codes, or social media status updates. Phishing emails are also used as a delivery method for ransomware, urging users to click on an attachment or URL where malicious code encrypts their files in a matter of seconds. There are a number of techniques which can be used to help identify whether a suspicious email is a phishing attempt, such as examining the email headers, but there is no silver bullet. One of the safest ways to check the authenticity of a suspicious email is to contact the sender by phoning them – an old-fashioned solution to a modern problem.
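“Examining the email headers” usually means checking whether the envelope sender, the From: header, the Reply-To: header and the authentication results agree with one another. The Python below is an added example (not the glossary’s own material) of such a triage check over two constructed messages: one built to look like a supplier invoice, one a routine internal notice. The domain names and the Authentication-Results header contents are constructed; the header names and result tokens (spf=, dkim=, dmarc=) are the standard ones from RFC 8601.

```python
"""Header-consistency triage for a suspicious email (added example).

Both messages below are constructed samples, not real mail. The check is a
first-pass triage aid, not proof either way: a message can pass every check
and still be a phish, which is why the glossary recommends phoning the sender.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SUSPECT_RAW = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=none
From: "Accounts Payable - example.com" <ap-notify@example-invoices.org>
Reply-To: collections@example-invoices.org
To: staff@example.com
Subject: Urgent: overdue invoice

Please open the attached invoice and confirm payment today.
"""

CLEAN_RAW = """\
Return-Path: <it-helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: IT Helpdesk <it-helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance on Saturday

No action is required.
"""

# Authentication-Results outcomes that should raise a finding
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def triage_headers(raw_message: str, trusted_domain: str) -> list:
    """Return a list of human-readable findings; an empty list means no mismatch found."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # 1. Envelope sender (where bounces go) should match the visible From: domain
    if return_path and domain_of(return_path) != from_domain:
        findings.append("envelope sender domain differs from From: domain")

    # 2. Replies being routed to a different domain is a classic redirection trick
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To: domain differs from From: domain")

    # 3. Display name invokes the trusted organisation but the address is elsewhere
    if trusted_domain in display_name.lower() and from_domain != trusted_domain:
        findings.append("display name claims %s but address is %s" % (trusted_domain, from_domain))

    # 4. Receiving server's SPF/DKIM/DMARC verdicts, if it recorded any
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            if result in AUTH_FAILURES:
                findings.append("%s=%s" % (method, result))

    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("clean", CLEAN_RAW)):
        print(label, triage_headers(raw, "example.com"))
```

Only Authentication-Results headers added by your own mail gateway should be trusted; an attacker can include a forged one, so a production check strips any such header that does not carry the gateway’s own authserv-id.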
Phishing Susceptibility Framework
Framework that correlates user attributes, such as culture, age, gender and experiential factors (technology savviness and professional experience), to phishing attack susceptibility.
Plain Text
Any document that is not encrypted is said to be in plain text or clear text format. There are some files which should never be stored in plain text, such as files containing password information or credit card information.
Commonly used in credential harvesting phishing attacks. For example, after the user inadvertently has downloaded a malicious application, they might get a legitimate-appearing pop-up window asking them to authenticate their credentials for their network or email account.
Occurs when a user fails to complete a task securely. For instance, a user might be logged on to Outlook Web Access or another email portal, but fails to log-out, leaving the email account open to compromise if their device is left unattended, lost or stolen.
Pretexting
This is the use of a fabricated story to elicit an action from a target. Common pretexts include attackers “verifying your account information” or posing as “IT support personnel investigating a problem”. Pretexts used by an intruder to gain physical entry into a building might include posing as a fire-safety engineer who needs to examine fire safety equipment, or as a lift engineer.
Privacy by Design
Designing systems and applications which have data protection by default. Privacy experts have always espoused privacy by design, but under GDPR it has become an explicit requirement. For example, if an organisation is planning a new smartphone app its design will have to protect data by default.
Privacy Notice
This is a document that informs data subjects how you use their data. Under GDPR, your privacy notice must contain a number of details, including the contact details of your company and DPO, the reasons for processing data and the categories of data you are processing. You must also include details of any profiling the data might be used for.
Processing
Under the GDPR, “processing” is any operation that is performed on personal data. This includes collection, recording, organisation, structuring, storage, adaptation, alteration, dissemination, erasure or destruction.
Profiling
According to the GDPR article 4 (40), profiling means any form of automated processing of personal data that is used to evaluate certain personal aspects relating to a natural person. In particular, it refers to the analysis of personal data pertaining to a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Information associated with a company’s products, product research, marketing plans, clients lists, processes or trade secrets that the company has created.
Protected Health Information (PHI)
This refers to any health information that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university or healthcare clearinghouse. The information can relate to the physical health, mental health or condition of any individual, in the past, present or future, as well as the provision of healthcare to an individual, or payment for this, in the past, present or future.
This refers to data which has been partially anonymised. For example, somebody’s name might be replaced with a number.
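The “replace a name with a number” technique above, and the anonymisation techniques of generalisation mentioned earlier in this glossary, can be combined in a small pseudonymisation routine. The Python below is an added example, not part of the original page: direct identifiers (name, email) are replaced with tokens derived from a keyed HMAC, so the same person always maps to the same token (joins across tables still work) while the mapping cannot be reversed by anyone who holds only the data set and not the key; quasi-identifiers (date of birth, postcode) are generalised so they identify fewer people when linked with other data. The records, field names and key are constructed for illustration.

```python
"""Keyed pseudonymisation plus generalisation of a record set (added example).

The key must be stored separately from the pseudonymised data (e.g. in a key
vault controlled by the data owner); whoever holds both can re-identify.
"""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "email")          # replaced by keyed tokens
GENERALISERS = {                                  # quasi-identifiers coarsened
    "date_of_birth": lambda d: d[:4],             # ISO date -> birth year only
    "postcode": lambda p: p.split()[0],           # full postcode -> outward code / district
}

# Constructed demo key; a real deployment generates one with generate_key()
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample records; the second row is the same person on a later visit
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "email": "jane.doe@example.com", "date_of_birth": "1984-03-21",
     "postcode": "SW1A 1AA", "diagnosis_code": "J45"},
    {"name": "jane doe", "email": "Jane.Doe@example.com", "date_of_birth": "1984-03-21",
     "postcode": "SW1A 1AA", "diagnosis_code": "E11"},
    {"name": "John Roe", "email": "john.roe@example.com", "date_of_birth": "1979-11-02",
     "postcode": "D02 XY45", "diagnosis_code": "J45"},
]


def generate_key() -> bytes:
    """Fresh 256-bit key for a new pseudonymisation domain."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Deterministic token for `value` under `key`.

    Normalising case and whitespace first means 'Jane Doe' and 'jane doe'
    collapse to one token; HMAC (not a bare hash) stops dictionary attacks
    against common names by anyone without the key.
    """
    normalised = value.strip().lower().encode("utf-8")
    return "P-" + hmac.new(key, normalised, hashlib.sha256).hexdigest()[:length]


def pseudonymise(records: list, key: bytes) -> list:
    """Return new records with identifiers tokenised and quasi-identifiers generalised."""
    out = []
    for rec in records:
        new = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                new[field] = pseudonym(value, key)
            elif field in GENERALISERS:
                new[field] = GENERALISERS[field](value)
            else:
                new[field] = value
        out.append(new)
    return out


if __name__ == "__main__":
    for row in pseudonymise(SAMPLE_RECORDS, DEMO_KEY):
        print(row)
```

Because the tokens are consistent, the output is pseudonymised rather than anonymised: it still falls under GDPR as personal data, and the key and the data must never travel together.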
Organisational data that can be exposed to the general public without any impact on the organisation; for example, public-facing data on a website.
Remote Access Trojan (RAT)
A RAT is a piece of malware that provides a backdoor for the administrative control of the target. The goal of some phishing attacks is to install a remote access trojan onto the target’s computer. This enables the attacker to steal sensitive information, spy on victims and potentially access other computers on the same network.
QR Code Phishing
While QR codes may seem innocuous, the information encoded in them can be used to open a URL, send a text message or compose an email. This often automatically executes an action in the related application as soon as it is scanned.
Ransomware
Malware that attempts to extort money from a user or organisation by taking control of the victim’s machine, files or documents. Ransomware, such as Wannacry, Petya or Locky, and their variants can propagate from just one infected system and infect a whole network. In most cases, ransomware uses 256-bit AES to encrypt files. Without the decryption key, the victim’s data becomes inaccessible. The attacker will normally request a ransom payment via an untraceable channel, such as Bitcoin. However, even if the ransom is paid, there is still a great degree of uncertainty as to whether the files will be decrypted. The most common attack vectors for ransomware are email attachments and links to file sharing sites, such as Dropbox or Google Drive. Drive-by downloads are also used as a conduit, where social engineering techniques are used to persuade the user to open the infected file. High-profile victims of ransomware have included the UK’s National Health Service, Telefonica, the Spanish telecoms company, and the courier company FedEx. However, smaller organisations also fall victim to ransomware every day, and this goes unreported.
Reverse Social Engineering
A scenario whereby the target approaches the attacker for assistance. For example, a virus notification warning may appear on the target’s computer with an accompanying number to call for assistance, whereupon they are socially engineered for their credit card details, network authentication credentials etc. Perhaps more common is the phenomenon of internet users approaching “support agents” on Twitter that purport to be from banks, utility companies etc., with billing or other support issues. Inevitably, the transaction culminates in the target being asked for their credit card, bank login details or other confidential information.
Rootkit
A piece of malware hidden deep inside an operating system that gives an unauthorised user root-level privileges on a computer system. As a general rule, rootkits are extremely difficult for security software to detect. This malware is commonly delivered by phishing attacks and can be used to exfiltrate data or intellectual property.
Sandbox
This is an isolated environment within a computer’s operating system that is used for the opening of suspicious or untested executable files. In the same way that armies blow up suspicious packages in controlled areas, security researchers use sandboxes to open suspicious files or emails without damaging their own systems. However, sandboxes have not proved to be the panacea that many in the IT security community had hoped for, as many malware variants now have sandbox detection capabilities. This results in their behaviour being intentionally curtailed in sandbox environments.
Sensitive personal data
The GDPR covers a special category of personal data called sensitive personal data. This is any data which covers the data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or any criminal convictions.
Scareware
Also known as “fake anti-virus”, scareware issues a pop-up alert that aims to frighten unsuspecting internet users into purchasing worthless security software. Scareware can also take the form of “system optimisation” software. Many scareware applications are vectors for malware that connects your PC to a botnet. In many instances, scareware can be removed from an infected system without paying the attacker. For this reason, many cyberspace miscreants now propagate more profitable ransomware instead.
Search Engine Optimization (SEO) poisoning
It is not uncommon for social engineers to build a website around frequently used internet search terms in order to lure users into performing an action, such as downloading a trojan or divulging their credit card numbers. For example, a user might enter a computer error message into a search engine only to come across a downloadable “fix” on the first page of the search results. The software might be a trojan or rogue anti-virus software. See also reverse social engineering.
Security Awareness Training
The process of educating users about IT security risks and reinforcing the importance of compliance with security policies. Most employees will have a level of awareness about the risks posed by, for example, the opening of unknown email attachments, but awareness does not always translate into behaviour. The real value of IT security awareness training is that it pre-conditions users to make them more resilient against social engineering and more vigilant when handling data. Metrics can be used to measure behavioural change. Good IT security awareness training takes into account the skillset of the audience and organisational culture.
Sender Policy Framework (SPF)
This is a validation system that allows receiving mail exchangers (MXs) to check with the sending domain to ensure that the host which the mail originated from is authorized to send mail for that domain.
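To make the SPF check concrete, here is an added Python example (not from the glossary) that evaluates an SPF record for a connecting IP address the way a receiving mail exchanger does: it walks the record’s mechanisms in order, follows include: references, and returns the qualifier of the first mechanism that matches. A real implementation fetches each domain’s TXT record over DNS and also handles the a, mx and exists mechanisms; here the records come from a constructed lookup table and those DNS-dependent mechanisms are skipped. The example.com and mail-provider.example domains and their records are constructed.

```python
"""Offline SPF evaluation (added example).

SPF_RECORDS stands in for DNS TXT lookups; domains and records are constructed.
Mechanisms that need live DNS (a, mx, exists, ptr) are ignored here.
"""
import ipaddress

SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail-provider.example -all",
    "mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefix -> result name (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 limits DNS-causing mechanisms to 10 per check


def check_spf(domain: str, client_ip: str, records=SPF_RECORDS, depth: int = 0) -> str:
    """Return one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                              # no SPF policy published

    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:                # skip the "v=spf1" version tag
        qualifier = "+"                            # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")

        if name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network, so no version check needed
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the referenced domain's record yields "pass"
            if check_spf(value, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # a / mx / exists / ptr / modifiers: not evaluated in this offline example

    return "neutral"                               # ran off the end with no match


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(ip, "->", check_spf("example.com", ip))
```

Note that "softfail" inside an included record does not propagate: only a "pass" from the include counts, which is why 203.0.113.7 falls through to example.com’s own -all and fails outright.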
SIEM (Security Information and Event Management)
This is a system for aggregating security-related log files from devices across your network to help detect suspicious activity. SIEMs can be effective at detecting technical breaches, but are not always effective at detecting social engineering-based attacks, because many of the actions in these attacks are performed by the user themselves, which is not always flagged. A SIEM is important in the context of GDPR because it can indicate to the organisation which data systems were compromised after a technical-based attack takes place.
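The kind of rule a SIEM runs over aggregated logs is easier to see in code. The Python below is an added example (not from the glossary): a correlation rule over constructed SSH authentication log lines that raises an alert when an account sees three or more failed logins from one source within five minutes and then a successful login from that same source. The log format mimics Linux sshd syslog output; the hosts, users, addresses and timestamps are all constructed.

```python
"""SIEM-style correlation rule: failed-then-successful logins (added example).

LOG_LINES are constructed in the shape of sshd syslog records; nothing here
is taken from a real system. Lines that do not match the pattern are skipped,
as a SIEM parser would route them to other rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = [
    "2024-05-02T09:14:01Z mx1 sshd[411]: Failed password for alice from 203.0.113.9 port 51022 ssh2",
    "2024-05-02T09:14:09Z mx1 sshd[411]: Failed password for alice from 203.0.113.9 port 51023 ssh2",
    "2024-05-02T09:14:20Z mx1 sshd[415]: Failed password for bob from 198.51.100.4 port 40110 ssh2",
    "2024-05-02T09:14:31Z mx1 sshd[411]: Failed password for alice from 203.0.113.9 port 51024 ssh2",
    "2024-05-02T09:15:02Z mx1 sshd[418]: Accepted password for alice from 203.0.113.9 port 51025 ssh2",
    "2024-05-02T09:15:40Z mx1 sshd[419]: Accepted password for bob from 198.51.100.4 port 40111 ssh2",
    "2024-05-02T09:20:00Z mx1 sshd[430]: Failed password for carol from 192.0.2.77 port 33000 ssh2",
    "2024-05-02T09:21:00Z mx1 sshd[430]: Failed password for carol from 192.0.2.77 port 33001 ssh2",
    "2024-05-02T09:22:00Z mx1 sshd[430]: Failed password for carol from 192.0.2.77 port 33002 ssh2",
    "2024-05-02T09:40:00Z mx1 sshd[441]: Accepted password for carol from 192.0.2.77 port 33010 ssh2",
    "2024-05-02T09:41:00Z mx1 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+ ssh2$"
)


def parse_line(line: str):
    """Return (timestamp, outcome, user, source_ip) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce_then_success(lines, threshold: int = 3,
                                   window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when >= threshold failures for (user, ip) inside `window` precede a success."""
    failures = defaultdict(list)      # (user, ip) -> timestamps of recent failures
    alerts = []
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        key = (user, ip)
        recent = [t for t in failures[key] if ts - t <= window]   # drop aged-out failures
        if outcome == "Failed":
            recent.append(ts)
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append({"user": user, "src": ip, "failures": len(recent),
                               "at": ts.isoformat()})
            failures[key] = []        # a success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(LOG_LINES):
        print(alert)
```

The rule deliberately does not fire for carol, whose failures fall outside the window before the success, nor for bob, who mistyped once; tuning the threshold and window against your own baseline is what keeps a rule like this from drowning analysts in alarms (see alarm fatigue at the top of this glossary).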
This technique is commonly used to bypass two-factor authentication. The attacker obtains a victim’s personal information through a phishing scam. Details such as the address, mobile telephone number and banking PIN are collected. The attacker then socially engineers an employee at the victim’s mobile phone company into redirecting their calls and texts to a SIM in the attacker’s possession. Once this has been achieved, the attacker has access to the one-time verification codes that are sent by banks before payment transfers. The attacker can then redirect funds from the victim’s account to any account of their choosing.
An exercise which involves computer users being sent phishing-type emails to investigate their susceptibility to phishing attacks. This can also be used as a training and security awareness tool.
Social Engineering
A collection of techniques that use human vulnerabilities to manipulate people into performing actions or divulging sensitive information. Many hackers have realised that instead of trying to penetrate technical defences, it is sometimes easier to use good old-fashioned manipulation techniques to install a trojan on a PC or find out a user’s password.
This might involve sending the target an email purporting to be from someone else (phishing) and using emotions, such as fear or a sense of urgency, to persuade them to reveal information or download a malicious file. Some of the biggest data breaches in history have used social engineering. For example, one of the world’s largest IT security companies, RSA, was hacked in 2011 after an employee opened a malware-laden Excel spreadsheet sent through email. By this simple action, the unfortunate employee ended up compromising the company’s entire IT network, and RSA was forced to redistribute 40 million SecurID tokens (one of its flagship products) to its customers. Each year, thousands of computer users in Ireland are duped by emails purporting to be from the Revenue Commissioners, financial institutions, suppliers, and colleagues or friends who've had their own email accounts hijacked.
This has resulted in both financial and data losses due to systems being maliciously encrypted or wiped. Ironically, the users who claim immunity from such “obvious scams” are the very ones who get duped, as they often underestimate the sophistication of the techniques used. Social engineering continues to be a potent attack vector that sidesteps even the most robust technological defences.
Shadow IT
IT hardware or software used to handle organisational data without explicit approval; for example, an employee who uses a personal Gmail account for internal or external work-related communications. An infamous example of shadow IT was Hillary Clinton using her own private server for work-related emails. Shadow IT increases the attack surface for hackers and increases the risk of identity theft or accidental data disclosure. While the use of shadow IT might seem totally benign to most users, IT security awareness training can highlight some of its inherent risks.
Shoulder Surfing
This is the capture of confidential data by observation of a target while passwords or PINs are being entered into a computing device, such as a tablet, ATM or door entry system. Shoulder-surfing can take the form of direct observation or be aided by the use of hidden cameras.
Smishing (aka SMS phishing)
This is a technique whereby targets are sent SMS messages from an attacker masquerading as a trustworthy entity who is requesting personal information. One popular smishing scam involves a message being sent to the target that informs them their credit card details have been compromised with an accompanying phone number. When the victim calls the number, their credit card information is requested.
An informal term used to describe the practice of information sharing by using portable media, such as USB flash drives or DVD / CD-R disks. These ad-hoc file sharing methods are forbidden by most IT security policies, but users can resort to them when existing security controls become too restrictive to their workflows.
Spam
Unsolicited emails that are sent out in bulk.
Spam Filter
The job of a spam filter is to prevent spam or malicious emails from reaching your email inbox. Most spam filters rely on a mixture of artificial intelligence, heuristics and natural language processing to classify emails. However, this can only partially mitigate the risk of social engineering emails reaching their intended targets, as there will always be emails that slip under the radar of even the most advanced filters. Moreover, even if a phishing email does get categorised as “spam”, it is still at risk of being opened. This happened in the infamous RSA attack of 2011, when an employee retrieved a phishing email from their spam folder and opened it, which resulted in a significant data breach.
Spyware
Software used to send information from your computer to a third party without your consent. Spyware is often installed silently in the background as part of a browser plugin, internet game, or other software install.
Spear Phishing
Just like phishing, but targeted at a specific person or group. Spear-phishing is a highly focused attack with a higher probability of success due to a well-researched pretext. Anti-phishing training can make employees more resilient against spear-phishing attacks.
Steganography
The practice of concealing a file within another one. For example, a social engineer might hide a malicious executable inside a JPEG file, which is then emailed to the victim. Upon clicking a seemingly benign photo, a malicious trojan is activated which communicates back to the attacker’s command and control centre. This makes steganography a useful technique for data exfiltration or credential harvesting. Steganographic techniques can also be used by rogue employees to exfiltrate data out of an organisation by hiding confidential files, e.g. customer database files, amongst graphic design files.
Subject Access Request
Under GDPR, data subjects can now make a subject access request to an organisation for all personal information held on them and an in-depth description of how it is being processed. This request must be met “without undue delay and any event within one month of the receipt of the request”. Organisations should have streamlined processes in place to handle such requests smoothly and efficiently.
Occurs when a malicious page is loaded into a browser tab the user already has open, usually without the user being immediately aware of it. The replaced tab is often designed to imitate a legitimate site in order to trick the user into entering their credentials or providing other sensitive information.
Tailgating (a.k.a piggybacking)
The act of following someone into a secured area, usually by exploiting someone’s courtesy in “holding the door”. To mitigate against this type of physical intrusion, it should be explicitly stated in the organisation’s security policy that tailgating is not permitted. A thief physically entering your premises can steal unattended computing devices in a matter of seconds (as happened at Bord Gais headquarters, where an intruder stole 4 laptops, some of which contained customer data). Your IT security awareness training program should create awareness of the tailgating risk along with practical mitigation strategies.
The GDPR requires that organisations should maintain records of data processing. According to Article 30, these records should include information, such as the categories of data subjects and categories of personal data, the purpose of data processing, time limits for erasure, details of data transfers to a third country and a general description of the technical and organisational security measures.
The GDPR data protection regulation specifies that the organisation must publish information related to the processing of personal data that is accessible and easy-to-understand. See also Data Accountability.
When a hacker registers a domain name that is similar to an established one for the purposes of advertising, drive-by malware or phishing attacks. For example, a hacker might register a domain, such as Vodaphone.ie (as opposed to the legitimate site Vodafone.ie) and lure people into entering their billing or other confidential information into the site. See also Credential Harvesting.
A web address that has been obfuscated in the browser address bar. For example, a URL might be encoded to disguise its true value by using hex, dword or octal encoding. This is a form of social engineering and is commonly used by hackers in phishing attacks. Cyber security awareness train.
This was originally designed to make long URLs (website links) more manageable when typing or more easily transmitted in mediums where character limits exist (e.g. SMS messaging). However, URL shortening is also used by social engineers to hide malicious website addresses because it makes links more difficult for users to analyse. Some shortened URLs can be linked to a download site where a malicious .ZIP file (containing ransomware or some other nasty) is downloaded upon clicking. For example, goo.gl/x1ebN3 leads to google.com.
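The three URL tricks above (lookalike registrations such as Vodaphone.ie, hosts encoded as hex, dword or octal numbers, and shorteners such as goo.gl) can all be surfaced by the same triage routine. The Python below is an added example, not part of the glossary, of the kind of link-checking helper an awareness or mail-filtering team might use: it decodes obfuscated IPv4 hosts back to dotted-quad form, flags hosts on a shortener list, and flags registrable names within edit distance 2 of a trusted domain. The shortener list and trusted-domain list are constructed (goo.gl and vodafone.ie come from the glossary text); the decoding follows the permissive inet_aton rules that browsers historically accepted.

```python
"""Defensive URL triage: obfuscated IP hosts, shorteners, lookalike domains (added example).

KNOWN_SHORTENERS and TRUSTED_DOMAINS are constructed, partial lists for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

KNOWN_SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
TRUSTED_DOMAINS = ("vodafone.ie", "example.com")


def _ip_part(part: str) -> int:
    """One dotted component, inet_aton style: 0x.. hex, leading-0 octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part, 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    if part.isdigit():
        return int(part)
    raise ValueError("not numeric")


def decode_ip_host(host: str):
    """Dotted-quad text if `host` is an IPv4 address in dword/hex/octal/short form, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_ip_part(p) for p in parts]
    except ValueError:
        return None                      # a normal hostname
    if any(n > 255 for n in nums[:-1]):
        return None
    tail_bytes = 5 - len(parts)          # the last component fills the remaining bytes
    if nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small distances to a trusted name suggest typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_url(url: str) -> list:
    """Return findings for `url`; an empty list means nothing suspicious was noticed."""
    host = (urlsplit(url).hostname or "").lower()
    findings = []
    decoded = decode_ip_host(host)
    if decoded and decoded != host:
        findings.append("obfuscated IP host decodes to " + decoded)
    elif decoded:
        findings.append("raw IP address host " + decoded)
    if host in KNOWN_SHORTENERS:
        findings.append("shortened URL (%s): destination hidden until resolved" % host)
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            continue                      # the genuine domain or one of its subdomains
        if 0 < levenshtein(host, trusted) <= 2:
            findings.append("lookalike of " + trusted)
    return findings


if __name__ == "__main__":
    for u in ("http://3232235777/login", "http://0xC0.0xA8.0x01.0x01/",
              "https://vodaphone.ie/billing", "https://goo.gl/x1ebN3",
              "https://www.example.com/login"):
        print(u, "->", triage_url(u))
```

Edit distance alone will not catch homoglyph registrations (Cyrillic letters that render like Latin ones) or brand-plus-word domains; production tooling adds confusable-character folding and a larger brand list, but the structure of the check stays the same.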
Vishing
A social engineering scam in which confidential information (such as credit card information) is extracted from a target over the telephone for financial gain. A common vishing scam involves an attacker who uses the guise of a technical support employee to call the victim and inform them that they have a serious problem with their computer which needs to be resolved. Thereafter, the victim is asked for sensitive information, such as their credit card details.
Other pretexts used during vishing scams include calls from broadband companies about “outstanding balances” and calls from your bank’s “fraud department” about a fraud that has occurred on your account and which needs to be “urgently resolved”. Vishing scams can have surprisingly high success rates as an authentic call-centre environment is often used along with spoofed phone numbers, which appear to be local or familiar to the victim. Also, the victim’s logical judgement gets impaired by a huge sense of urgency that is imposed on the victim by the fraudster. Vishing is often used in conjunction with a phishing email as any story becomes more credible if it comes from more than one source.
Watering Hole Attack
The targeting of a website used by a specific group of users. For example, if an attacker wanted to attack an airline, they might insert malware into an aviation website, such as Pprune.org, which is a website frequented by airline staff. If, for example, the target inadvertently downloads credential harvesting software from this site, it could easily lead to an airline’s network being compromised. In 2017, the Polish Financial Supervision Authority’s website was infected with code which would trigger the download of malware onto the users’ computers. This malware was squarely targeted at those working in the Polish financial sector.
Whitelisting
As traditional anti-virus software relies only on signature-based definitions or heuristics, there is always the risk that a zero-day threat will infect a system. To mitigate against this risk, application whitelisting can be used. This method protects computing devices by allowing only trusted applications to run. However, the administration of whitelisting controls can be resource intensive when operating systems or applications are patched. Whitelisting is also commonly used to prevent unauthorised storage devices from being used on end-point devices.
Zero-Day Attack
An attack that exploits a zero-day vulnerability.
Zero-Day Vulnerability
A vulnerability in hardware or software that is unknown to the manufacturer/developer or the general public. The name “zero day” references the number of days that the software or hardware vendor has known about the vulnerability. As zero-day vulnerabilities are unpatched and unknown, they are often used as the basis for more complex attacks. Zero-days are often used sparingly by attackers, as they get “used up” once they are publicly exposed and patched by the vendor.