Okay. Module Two: Methods of Attack.
In Module One we learned about the why involved in the insider threat scenario. In Module Two, Methods of Attack, we take a look at the what involved in the insider threat. We will take a look at the attacks that human beings have come up with and the damage that they have done.
Okay, so let's talk about attack methods. So the largest and most devastating insider attacks on the U.S. Government were perpetrated by Mr. Edward Snowden. He was a defense contractor working for the agency. He had access to the network and the systems. He knew how the security infrastructure worked, and so he was able to do some significant damage by stealing a large amount of classified data. So this is an example of the devastation that can be wreaked by an insider who has decided to do bad things within an organization.

Okay, so an insider attacker can exploit their access to gather information, copy, store, exfiltrate, damage or destroy data or systems. They can do some serious devastation.

Let's review what we're going to talk about in this section. We're going to talk about the attack surface area. We're going to talk about privileged user attacks, non-privileged user attacks, rogue system attacks, printing, smartphones and memorization.
Okay. So first, let's talk about the attack surface area. Why is this important? Because this is the area that is available to be attacked, the area that is exposed. So, for instance, if you're an attacker out there on the Internet and you're a hacker and you're trying to hack into the company network, you may only be able to see the things that are exposed by the firewall. The firewall may only let you see a little bit of things, so you can see the firewall, you can see maybe the external router, you can probably see whatever's in the DMZ, the demilitarized zone of the network, which is where you keep your web servers and the things that are exposed to the Internet. So you may only be able to see a few things.

If you're an insider and you're sitting on your workstation on the inside of a company network, guess what: you can see the whole kingdom, if you will, because you have the keys to the kingdom. You are on the inside. You're trusted, you're granted access, you're given database access, you're given network access. So you, in theory, are a much greater danger than the external hacker, if you decide to be. So, that is attack surface area.
So, privileged user attacks. A privileged user is someone who has elevated privileges on the network, on an application, on a system. They may be a developer. They may be someone who does maintenance on the servers or the database, et cetera. They have higher level privileges than the average worker within an organization. Privileged user attacks are a scenario where the privileged user uses their higher level access to do bad things. For instance, a system administrator who wants to steal a bunch of data may tell everyone that they need to do maintenance on the server because one of the drives is bad, and so they take the server down, they take out the bad drive and they put a new drive in, and they get it back up and everything's good. But in actuality, what they did was they copied data onto that internal drive, and they stole that data under the ruse of doing maintenance. So they may say that they're throwing that drive away because it's no longer good. Well, actually, they took it home. So that's a scenario where you can see how a privileged user can do serious damage when it comes to the insider threat.
Okay, let's talk about non-privileged user attacks. So we talked about the privileged user. They could do a lot of bad stuff. Edward Snowden was a privileged user. Now let's talk about what the average user can do. So when normal, non-administrative users abuse their access to steal, alter, destroy or expose information, that is a non-privileged user attack, and it could be just as devastating, depending on the motivation and the determination of the individual. Examples of such an attack include abusing application access, elevating privileges, employing removable media, that means plugging a memory stick into a computer and copying gigs of data down, sticking it in your pocket and taking it home. Exfiltration of data, that's sending it out through the network to, like, Dropbox or something. Social engineering, that's where you use your relationships with people who trust you to try to get what you want. And there's all kinds of things that these insiders could do. It mentions SQL injection as an example. That is a scenario where you could look up online how to do SQL injection as a regular user, and then you can come to work and try it. And if you do, you may get lucky and may be able to elevate privileges or get access to data that you weren't supposed to have access to by doing an SQL injection attack. That said, there's other examples, but this shows the danger of a regular user within an environment.
Okay, rogue system attacks. Let's talk about that. So this is a concept of an individual, anyone within an organization, bringing in a computer like a laptop, or maybe a small device like a Raspberry Pi, bringing one in and plugging it into the network. And if the security measures aren't in place, they can get this system on the network without anyone knowing. And the goal is to do bad things. So once they have this nefarious system on the network, maybe they had a bunch of hacker tools installed on it. They had it all pre-staged and ready to go so they could start launching attacks, so it could be a launch pad for internal network attacks. So you could do things that an external hacker would love to do, but they can't. But you're on the inside, the soft underbelly of the network, and you can launch these attacks with this computer that you brought in. Okay, you can do things like sniffing the network. This is a situation where you can configure the machine to be able to see the traffic, the network traffic going back and forth, which enables you to potentially gain information that helps you hack into a system. Maybe you could steal information like passwords that are unencrypted and things like that. So a lot of bad things could be done with a rogue system. Another example would be to put it on the network and then manually map a network drive to this system from your authorized computer and then slowly start copying data down to that drive, and eventually, when you're done, you take it, put it back in your gym bag and you walk out of the building, and you have just executed an insider threat attack.
Okay, so let's talk about printing. Why is that a big deal? Everybody can print. It's not super high tech, but it is a danger. So an insider, be they a privileged or non-privileged user, can simply select and print copies of sensitive data. It's very simple, and this will often be able to go around security controls that are in place. So maybe they don't monitor printing, and so an individual can simply look for the most important data. Let's say that a year's worth of research resulted in a one page document that solved some sort of technical problem, and there's an equation on that document that could be printed and stolen. And that, in theory, is worth, say, millions of dollars. It's a very effective attack to just print that document and take it home. Obviously, there are measures you can put in place that prevent someone from just randomly printing a sensitive document. You can do things like data tagging and have measures in place so that if someone wants to do something with something that is tagged as super sensitive, there are other steps that have to happen that require other individuals to approve that action, and so on. But nevertheless, printing can be used to do devastating damage.
Okay, let's talk about smartphones. Smartphones are very powerful, very small devices that have their own network connections that can't be monitored. And they can do things like, for instance, you could take photos of sensitive information, like the picture shows. You can take video of sensitive information as you scroll through it. You can use it as a storage device for data. You can do a lot of damaging things with a smartphone; for instance, you can also record a sensitive meeting. So a lot of damage could be done with a smartphone. It's got a lot of power, a lot of capability, and in theory, if you have a room that has your most sensitive data in it, you would not want to allow anyone to bring a cellphone into that room, just to try to prevent that kind of scenario from happening.
Everybody has a memory. Everybody can remember a certain amount of information. Some human beings are super talented and remember a lot more than the average person; those are individuals that have a photographic memory. And then there's average memory. That's what most of us have, but either scenario can be bad. So again, let's go back to the scenario. Let's say that a year's worth of research resulted in a one sentence formula or something for some chemical or whatever, and an individual who has worked with it is able to remember that formula in their head. How do you prevent that? There's no firewall. There's no tool. There's no technology that can prevent that individual from walking out, writing it down on a piece of paper and selling it to someone. But that shows the danger of memorization, so really, there's not much you can do about that other than focus on your hiring practices. So if you are hiring someone who is going to be around super sensitive information that's worth millions and millions of dollars, or highly classified information, that's where you want to do extra things to try to make sure you establish the level of trust you can have with the individual that you're hiring.
Okay, so let's do the knowledge check. So, question here: when elevated privileges are abused and used to steal, damage, expose or alter sensitive information, this is called what type of attack? Answer: privileged user attack.

Connecting an unauthorized device to a network to store stolen data or to use as a launch pad for other malicious activity is known as what type of attack?

Okay, when a user abuses their normal user rights within a system or application to aid in stealing, altering, exposing or destroying sensitive data, this is known as what type of attack? Answer: non-privileged user attack.
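The lecture says a rogue system only works "if the security measures aren't in place" and that printing abuse only works when nobody monitors printing. The script below is an added example, not part of the course or its materials, showing what those two measures look like on the defender's side: an asset inventory checked against DHCP lease records to surface an unapproved device, and a print-log audit that flags a SENSITIVE-tagged document printed without a second-person approval and flags bulk printing by page count. The log lines, inventory, approval records, the dnsmasq-like lease format and the 200-page daily threshold are all constructed assumptions for the example.

```python
"""Added example, not part of the course transcript: two defender-side checks
that correspond to the lecture's rogue-system and printing scenarios.
Every log line, inventory entry, approval record and threshold below is
constructed sample data, not output from any real system."""
import re
from collections import defaultdict

# Constructed asset inventory: MAC address -> asset tag of an approved device.
ASSET_INVENTORY = {
    "aa:bb:cc:00:00:01": "WS-ALICE",
    "aa:bb:cc:00:00:02": "WS-BOB",
    "aa:bb:cc:00:00:03": "PRN-FLOOR2",
}

# Constructed DHCP lease log in a dnsmasq-like shape. The third lease uses
# the Raspberry Pi Foundation OUI prefix (b8:27:eb) to stand in for a
# small device someone plugged into the network without approval.
DHCP_LOG = """\
2024-05-01T08:01:12 DHCPACK(eth0) 10.0.1.21 aa:bb:cc:00:00:01 alice-ws
2024-05-01T08:03:40 DHCPACK(eth0) 10.0.1.22 aa:bb:cc:00:00:02 bob-ws
2024-05-01T12:17:05 DHCPACK(eth0) 10.0.1.87 b8:27:eb:12:34:56 raspberrypi
2024-05-01T12:17:09 DHCPACK(eth0) 10.0.1.22 aa:bb:cc:00:00:02 bob-ws
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK\(\S+\) (?P<ip>\S+) (?P<mac>[0-9a-fA-F:]{17})(?: (?P<host>\S+))?$"
)


def find_rogue_leases(log_text, inventory=ASSET_INVENTORY):
    """Return (timestamp, ip, mac, hostname) for every lease whose MAC is not
    in the approved inventory. A device that plugs in and gets an address
    but is not a known asset is the rogue system the lecture describes;
    the DHCP server is one of the first places it leaves a trace."""
    rogue = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # not a lease acknowledgement; ignore
        mac = m["mac"].lower()
        if mac not in inventory:
            rogue.append((m["ts"], m["ip"], mac, m["host"] or "<no hostname>"))
    return rogue


# Constructed print-server log: one job per line, with the document's data tag.
PRINT_LOG = """\
2024-05-01T09:10:00 user=alice doc=status_report.docx pages=3 tag=INTERNAL
2024-05-01T09:45:00 user=carol doc=synthesis_route.pdf pages=1 tag=SENSITIVE
2024-05-01T10:02:00 user=bob doc=q2_plan.pptx pages=40 tag=INTERNAL
2024-05-01T10:30:00 user=carol doc=lab_notes.pdf pages=220 tag=INTERNAL
2024-05-01T11:00:00 user=alice doc=synthesis_route.pdf pages=1 tag=SENSITIVE
"""

# Constructed approval records: (user, document) pairs a second person signed off on.
APPROVED_SENSITIVE_JOBS = {("alice", "synthesis_route.pdf")}

PRINT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) doc=(?P<doc>\S+) pages=(?P<pages>\d+) tag=(?P<tag>\S+)$"
)


def audit_print_jobs(log_text, approvals=APPROVED_SENSITIVE_JOBS, daily_page_limit=200):
    """Flag two things the lecture mentions: a SENSITIVE-tagged document printed
    without a matching approval, and a user whose page total for one day
    exceeds daily_page_limit (bulk printing of otherwise untagged material)."""
    unapproved = []
    pages_per_user_day = defaultdict(int)
    for line in log_text.splitlines():
        m = PRINT_RE.match(line)
        if not m:
            continue
        user, doc, tag = m["user"], m["doc"], m["tag"]
        day = m["ts"][:10]  # ISO date portion of the timestamp
        pages_per_user_day[(user, day)] += int(m["pages"])
        if tag == "SENSITIVE" and (user, doc) not in approvals:
            unapproved.append((m["ts"], user, doc))
    spikes = [
        (user, day, total)
        for (user, day), total in sorted(pages_per_user_day.items())
        if total > daily_page_limit
    ]
    return {"unapproved_sensitive": unapproved, "volume_spikes": spikes}


if __name__ == "__main__":
    for lease in find_rogue_leases(DHCP_LOG):
        print("rogue device lease:", lease)
    for key, findings in audit_print_jobs(PRINT_LOG).items():
        for finding in findings:
            print(f"{key}:", finding)
```

Run as-is, the lease check reports the Raspberry Pi at 10.0.1.87 and the print audit reports carol's unapproved SENSITIVE job plus her 221-page day; alice's copy of the same document is silent because an approval record exists for it. In practice the inventory comes from the CMDB and the lease and print logs from a SIEM, but the comparison logic is the same.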