To secure a computer system, it is important to understand the attacks that can be made against it, and these threats can typically be classified into one of the following categories below:
Backdoor
A backdoor in a computer system, is any secret method of bypassing normal authentication or security protocols.
Denial-of-Service Attacks
Denial of service attacks (DoS) are designed to make a system or network resource unavailable to its intended users. Attackers can deny service to individual victims, such as by deliberately entering a wrong password with enough consecutive times to cause the victims account to be locked, or they may overload the capabilities of a machine or network and block all users at once.
Direct-Access Attacks
A Direct-access attack is described as an unauthorized user gaining physical access to a computer and directly copying data from it.
Eavesdropping
Eavesdropping is the act of covertly listening to a private conversation, typically between hosts on a network.
Spoofing
Spoofing is the act of masquerading as a valid entity through falsification of data (such as an IP address or username), in order to gain access to information or resources that one is otherwise unauthorized to obtain. There are several types of spoofing, including:
- Email spoofing, where an attacker forges the sending (From, or source) address of an email.
- IP address spoofing, where an attacker alters the source IP address in a network packet to hide their identity or impersonate another computing system.
- MAC spoofing, where an attacker modifies the Media Access Control (MAC) address of their network interface to pose as a valid user on a network.
- Biometric spoofing, where an attacker produces a fake biometric sample to pose as another user.
Tampering
Tampering can be defined as a malicious modification of products.
Privilege Escalation
Privilege escalation describes a situation where an attacker with some level of restricted access is able to elevate their privileges or access level without authorization.
Phishing
Phishing can be described as a form of social engineering. The attacker aims to acquire sensitive information such as usernames, passwords, and credit card details directly from users. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Clickjacking
Clickjacking, is a malicious technique in which an attacker tricks a user into clicking on a button or link on another webpage while the user intended to click on the top level page. A similar technique can be used to hijack keystrokes. A user can be led into believing that they are typing the password or other information on some authentic webpage while it is being channeled into an invisible frame controlled by the attacker.
Social Engineering
Social engineering is the act of manipulating a user to disclose secrets such as passwords, card numbers, etc. by, for example, impersonating a bank, a contractor, or a customer.Computers and Laptops are commonly targeted to gather passwords or financial account information, or to construct a network of connected devices to attack another target. Smartphones, tablet computers, smart watches, and other mobile devices such as activity trackers have built in sensors such as cameras, microphones, GPS receivers, compasses, and accelerometers which could be exploited through the use of Bluetooth, Wi-Fi and cell phone networks to collect personal information.Listed below are some of the preventive measures to take to reduce vulnerability to Cybersecurity attacks.
- Navigating through your Email: Spam
- Don't open spam. Delete it unread.
- Never respond to spam as this will confirm to the sender that it is a "live" email address.
- Have a primary and secondary email address - one for people you know and the other for all other purposes.
- Never purchase anything advertised through an unsolicited email
- Avoid giving out your email address unless you know how it will be used.
- Avoiding Credit Card Fraud
- Ensure a site is secure and reputable before providing your credit card number online.
- Promptly reconcile credit/debit card statements to avoid unauthorized charges.
- If purchasing merchandise, ensure it is from a reputable source.
- Beware of providing credit card information when requested through unsolicited emails.
- Ensure you understand all terms and conditions of any agreement.
- Be wary of businesses that operate from Post .Office. boxes or no physical address.
- Do your research to ensure legitimacy of the individual or company.
- Ask for names of other customers of the individual or company and contact them where possible.
- Be cautious when dealing with individuals outside of your own country.
- Guarding against Phishing/Spoofing
- Be suspicious of any unsolicited email requesting personal information.
- Always compare the link in the email to the link that you are actually directed to.
- Log on to the official website, instead of "linking" to it from an unsolicited email.
- Contact the actual business that allegedly sent the email to verify if the email is authentic.
- Avoid filling out forms in email messages that ask for personal information.
- Internet Extortion
- Security need to be multi-layered so that numerous obstacles will be in the way of the intruder.
- Ensure security is installed at every possible entry point.
- Identify all machines connected to the Internet and evaluate the defense that is engaged.
- Ensure you are utilizing the most up-to-date patches for your software.
- Identify whether your servers are utilizing any ports that have been known to represent insecurities.
- Avoiding Auction Fraud
- Before you bid, contact the seller with any questions you have.
- Review the seller's feedback.
- Consider insuring your item.
- Be cautious when dealing with individuals outside of your own country.
- Ensure you understand the refund, return, and warranty policies.
- Determine the shipping charges before you purchase.
- Be wary if the seller only accepts wire transfers or cash.
- Be cautious of unsolicited offers.
- Dealing with DHL and UPS
- Beware of individuals using the DHL or UPS logo in any email communication.
- Be suspicious when payment is requested by money transfer before the goods will be delivered.
- Fees associated with DHL or UPS transactions are only for shipping costs and never for other costs associated with online transactions.
- Contact DHL or UPS to confirm the authenticity of email communications received.
- DHL and UPS do not generally get involved in directly collecting payment from customers.
- Eluding Identity Theft
- Ensure websites are secure prior to giving your credit card number.
- Attempt to obtain a physical address, rather than a P.O. Box
- Never throw away credit/debit card or bank statements in usable form.
- Be aware of unauthorized transactions which could indicate your account has been taken over.
- Be cautious of scams requiring you to provide your personal information.
- Never give your credit card number over the phone
- Do your homework to ensure the business or website is legitimate.
- Monitor your bank statements monthly for any fraudulent activity.
- Report unauthorized transactions to your bank as soon as possible.
- Circumventing Ponzi/Pyramid Scheme and Investment Opportunity
- If the "opportunity" appears too good to be true, it probably is.
- Employ diligence in selecting investments.
- Thoroughly research with whom you choose to invest.
- Be cautions when asked to make further investments without returns.
- Be wary when you are required to bring in subsequent investors.
- Independently verify the authenticity of any investment.
- Beware of references given by the promoter.
- Do not invest in anything unless you fully understand the investment "opportunity".
- Don't assume a company is legitimate based on "appearance" of the website.
- Be suspicious when responding to investment offers received through unsolicited email.
- Beware of investments that offer high and/or fast returns at little or no risk.
- Avoiding Lottery Fraud
- If the lottery winnings appear too good to be true, they probably are.
- Beware of lotteries that charge a fee prior to delivery of your prize.
- Be suspicious if you do not remember entering a lottery or contest.
- Be cautious if you receive a telephone call stating you are the winner in a lottery.
- Be skeptical of demands to send additional money to be eligible for future winnings.
The following steps should be taken immediately if a Cybersecurity attack occurs:
- Fill out the Cybersecurity Incidence Report (CIR) form on the NCC Portal
- When filing the CIR Form, you need to provide your name, contact details, and address for mailing. You need to address the written complaint to the Local Police Station in the city near you or to the ngCERT domiciled in the Office of the National Security Adviser (ONSA)
- For Email based complaints, a copy (Hard & Soft) of the suspected email as received by the original receiver (forwarded emails should be avoided) including the complete header of the suspected email should be provided.
- For Business Email based complaints, the following information should be enclosed:
- Originating (Senders)name and location
- Originating (Senders)bank name and account number
- Recipient's name (as in bank records)
- Recipient's bank account number
- Recipient's bank location (not mandatory)
- Date and amount of transaction
- SWIFT number
- For Social Media based complaints, a copy (Hard &Soft) or screenshot showing the alleged profile/content. A screenshot of the URL of the alleged content is also required.
- For Mobile Application Based Complaints, a copy (soft) or screenshot of the alleged app and the location from where it was downloaded should be included, along with the victim's bank statements in case any transactions were made after the incident
- For Data Theft Complaints, the victim should provide a copy of the stolen data, the copyright certificate of the allegedly stolen data (where applicable), and details of the suspected employee(s). The following documents are required in relation to the suspected employee(s):
- Letter of Appointment
- Non-disclosure Agreement
- Assigned list of duty
- List of clients that the suspect handles
- Devices used by the accused during his/her term of service ( only if available)
- For Internet Banking/Online Transactions/Lottery Scam Complaints, a copy of the victim's bank statement, SMSs and/or emails received relating to the suspected transaction should be attached.
- For Bitcoin based complaints, the address of the Bitcoin , amount of the Bitcoin in question and the address from/to whom the purchase/sale of the Bitcoin have been done should be included.
- For Hacking based complaints, the following information should be provided:
- Server Logs (where applicable)
- A copy of the defaced web page in soft copy as well as hard copy format, if victim's website is defaced.If data are compromised on the victim's server or computer or any other network equipment, soft copy of original data and soft copy of compromised data.
- Access control mechanism details i.e. - Who had the access to the computer or email of the victim?
- List of suspects.
- The number of systems that have been compromised by the attacker
Article Submitted By:New Media and Information Security Department, NCC.