
Cyber Security NPA - Ethical hacking (Cyber threats)
G Alexander-Doyle
24 Slides • 12 Questions
1
Ethical hacking: Cyber threats
2
Malware (Level 4)
Malware, or malicious software, is the term used to describe computer code that has been written with the intention of causing harm to computer systems.
The term ‘malware’ is an umbrella term that covers all types of malicious software.
The different types of malware include viruses, Trojans, worms and ransomware, to name a few, and each has its own characteristics and behaviours.
Some malware may exhibit behaviours of two or more of the different types of malware.
3
Viruses (Level 4)
A computer virus is a piece of code that is written with the intention of disrupting the normal operation of a computer system. Computer viruses are self-replicating and typically ‘attach’ themselves to another file (the host). When the host file is loaded, the virus is loaded with it.
Viruses can spread to other computers in any number of ways, but in order to do so, they typically require some user interaction. Viruses can be spread over the internet on websites, through infected backing storage devices or through e-mail.
4
Symptoms of viruses (Level 4)
Error messages
Slow performance
Missing files
Inaccessible programs
Hard disk activity
Unusual behaviour
Rebooting/shutting down
5
Types of virus (Level 4)
File viruses attach themselves to files, typically program (.exe) files. This means that when the infected file or program is loaded, the virus is loaded with it.
Macro viruses make use of the built-in programming languages in application programs, such as Word and Excel. These languages are intended to allow users to create short programs, known as macros, to automate frequently performed tasks.
Boot sector viruses attack the part of the hard disk that the computer first accesses to start up the computer. This means that as soon as the computer is started, the virus is immediately loaded into memory.
6
Virus behaviour (Level 4)
Replication - Viruses are capable of propagating in order to spread across multiple devices. Viruses depend on some type of human interaction in order to facilitate their replication and spreading.
Watching - Some viruses will watch for a particular date and time before executing. For example, the ‘Friday the 13th’ virus replicated and spread for a long time, lying dormant on computer systems as it waited until midnight on Thursday 12th.
Camouflage - Viruses try to evade detection by effectively ‘camouflaging’ themselves so that security software does not detect them. Some techniques include inserting ‘dummy’ lines into their code so that they no longer resemble a known virus that would be in the anti-virus software database.
Delivery - This is when the virus delivers its ‘payload’.
7
Anti-virus software (Level 4)
Generally, anti-virus software detects malware by utilising a number of techniques:
Memory resident monitoring - Some anti-virus software is constantly resident in memory and actively monitors the system for viruses while the computer is running. It regularly scans programs and files as they are opened.
Virus signature detection - Anti-virus companies hold a database of known viruses, which is constantly updated as more threats emerge. When scanning the computer system, the anti-virus software on the computer compares the bit patterns it finds in programs and files to those of the known viruses in the database.
Heuristic detection - Heuristic detection is the technique of applying previous experience to a problem. Detecting malware using heuristics works by monitoring the behaviour of programs for suspicious activity. For example, a program might attempt to access the internet in the background, or check the system clock. These are actions that a virus might perform and, therefore, would arouse suspicion. If enough suspicious actions were detected from a particular program, a warning would be given to the user.
8
Anti-virus software (Level 4)
Checksum (Hash) - Viruses often attach themselves to program files, so that when the program is launched, the virus is launched along with it. In order to detect changes in programs, each time a program is installed, the anti-virus software carries out a mathematical function on the raw binary data of the program file, and gets a resulting number which is called a hash or a checksum. This number is stored safely.
Each time the user orders the program to start, the computer will carry out the same calculation on the raw binary; the result is then compared to the checksum. If they are identical, this shows that the program has not been altered since it was installed, and is therefore safe to launch. If the resulting value does not match the checksum, then the file has been altered in some way, which arouses suspicion.
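The install-time and launch-time check described on this slide, as an added Python example (not part of the original presentation). SHA-256 is assumed as the 'mathematical function'; the JSON baseline file and the function names are illustrative.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 over the file's raw bytes, read in chunks so large programs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(programs, baseline_file: Path) -> dict:
    """Install time: store one checksum per program file.
    The baseline must itself be protected, or malware could simply rewrite it."""
    baseline = {str(p): file_digest(Path(p)) for p in programs}
    baseline_file.write_text(json.dumps(baseline, indent=2))
    return baseline


def check_before_launch(program: Path, baseline_file: Path) -> str:
    """Launch time: recompute and compare.
    Returns 'ok', 'altered', 'unknown' (never recorded) or 'missing'."""
    baseline = json.loads(baseline_file.read_text())
    expected = baseline.get(str(program))
    if expected is None:
        return "unknown"
    if not program.exists():
        return "missing"
    actual = file_digest(program)
    return "ok" if hmac.compare_digest(actual, expected) else "altered"


if __name__ == "__main__":
    # Constructed sample: a stand-in "program" file in a temporary folder.
    folder = Path(tempfile.mkdtemp())
    program = folder / "game.exe"
    program.write_bytes(b"constructed sample program bytes")
    baseline_file = folder / "baseline.json"
    record_baseline([program], baseline_file)
    print(check_before_launch(program, baseline_file))
    with program.open("ab") as fh:          # simulate code being attached to the file
        fh.write(b" extra bytes")
    print(check_before_launch(program, baseline_file))
```

A single changed byte gives a completely different checksum, which is why the comparison catches a file that a virus has attached itself to.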
9
Trojans (Level 4)
A Trojan is a piece of malware that is disguised as something else in order to trick users into downloading and running it.
The Trojan may be disguised as a useful program, such as an anti-virus utility or a computer game, but once downloaded it runs malicious code.
Trojans typically do not self-replicate; instead, they rely on their disguise to gain access to computer systems. In addition, they are often discrete programs unto themselves, and do not attach themselves to other files.
10
Trojans (Level 4)
A Backdoor Trojan/virus is a method of accessing a computer system through indirect or dishonest means.
These can be deliberately created by software manufacturers for legitimate reasons, such as maintenance or support, but they are often used in cyber crime to access computers.
A Backdoor Trojan gains access to a computer system and then makes alterations to that system which allow hackers and cyber criminals to gain access.
This could involve disabling a security feature or something more subtle — either way, if it is successful, it could allow malicious individuals or groups to access all the data held on the computer system, and even control it remotely, with devastating consequences.
11
Worms (Level 5)
A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.
Computer worms are similar to viruses in that they replicate working copies of themselves and can cause the same type of damage.
Worms are standalone software and do not require a host program or human help to propagate.
To spread, worms either exploit a vulnerability on the target system or use social engineering to trick users into executing them.
12
Spyware (Level 5)
Spyware is the term used to describe software that is used to effectively ‘snoop’ on computer use by individuals. There are a number of types of spyware, notably keyloggers, webcam hijacks and microphone hijacks.
Keyloggers - The purpose of a keylogger is to record the keystrokes a user enters on their computer. Cyber criminals can gain access to private correspondence, usernames and passwords to online accounts, and even credit or debit card details, which can then be used for fraudulent purposes. Keyloggers can be hardware or software. A hardware keylogger is a small device that resembles a USB flash drive.
13
Spyware (Level 5)
Webcam/microphone hijacks - Webcam hijacks are attacks that allow perpetrators to turn on a user's webcam, without their knowledge, and either take snapshots or record the live feed. This obviously has huge privacy implications, and is a particularly disturbing violation.
Most computer manufacturers include a built-in webcam on their computers, which uses a light to indicate when it is in use; more sophisticated attacks can disable this light.
Most modern personal computing devices come with built-in microphones, which can be hijacked in the same way, allowing criminals to hear what is being said near the device.
A number of high profile individuals, including Mark Zuckerberg, famously put tape over their webcams to counter this sort of attack. This is a low-tech, but highly effective solution.
14
Multiple Choice
Which virus detection technique compares the bit patterns of files with those of known viruses?
Checksum
Signature detection
Heuristic detection
Memory resident monitoring
15
Multiple Choice
Which type of virus takes advantage of scripting features built in to general-purpose applications?
Macro virus
Trojan
File virus
Boot sector virus
16
Multiple Select
Which two behaviours might a virus use in order to evade detection by Anti-Virus software?
Changing the order of code execution
Replicating
Creating a back door
Inserting dummy lines of code
17
Multiple Select
Which three of the following behaviours are typical of a computer virus?
Delivery
Watching
Exploitation
Replication
18
Multiple Select
Which of the following are characteristics of a Trojan?
Commonly used to install back doors, allowing hackers access to a computer system
Disguised as a desirable piece of software to trick users into downloading it
Self-replicating
Contains malicious code
19
Multiple Choice
Which type of malware is commonly used to replicate itself to the extent that it consumes all of the available memory / bandwidth, making a computer system or network unusable?
Worm
Spyware
Virus
Trojan
20
Multiple Select
Keyloggers fall under which category of malware?
Ransomware
Worm
Virus
Spyware
21
Password attacks (Level 5)
Although in recent years there has been a trend toward moving away from passwords as an authentication method and using various biometric systems instead, such as fingerprint/retina scanners, password systems are still the most common type of authentication.
When attempting to gain access to a password-protected system, there are a number of tools and techniques available to hackers. One of the most common methods is a Dictionary Attack. Password dictionaries are lists of common passwords that have been compiled and are available online. Software exists that will utilise the processing speed of a computer to do the grunt work.
We can prevent these attacks from being successful by adhering to good password practice, so that our password is unlikely to appear on such a list.
22
Drive-by downloads (Level 5)
A drive-by download refers to the unintentional download of a piece of malware onto a computer or mobile device.
Opening a compromised web page could allow dangerous code to install on your device. Users just need to visit or ‘drive by’ a web page, without stopping to click or accept any software, and the malicious code can download in the background to the device.
A drive-by download will usually exploit a browser, app, or operating system that is out of date and has a security flaw.
23
DDoS attacks (Level 5)
A DDoS (Distributed Denial of Service) attack involves overwhelming a target with network traffic to the point where it can no longer be accessed.
A large website will have many powerful servers, capable of responding to a large number of requests simultaneously, with no problems or delays.
If, however, there was suddenly a huge increase in the number of requests for the web page, the server would not be able to cope with the increased demand, and people would not be able to access the site.
A cyber criminal would use a bot: a small piece of code that can be installed on a computer to instruct it to do something, such as request a website from a server. A computer that has been infected with a bot is known as a zombie machine. Each bot will request the target website at the same time.
24
Other types of attack (Level 6)
An advanced persistent threat is a prolonged attack on a specific target with the intention of compromising the system in some way.
Some security professionals reserve this term for cyber attacks by governments or other powerful organisations, as these will be significantly more complex than those perpetrated by small hacker groups or script kiddies.
25
Other types of attack (Level 5)
Social Engineering is defined as any action that influences a person to do something that may not be in their best interest. Essentially, it is the employment of con-tricks, manipulation or deceit, to gain access to restricted computer systems, areas or sensitive information, often with the intention of stealing or committing fraud.
Phishing is the act of pretending to be a legitimate organisation, such as a bank or a well-known company, and sending e-mails to lots of people in the hope that they will be duped into responding with sensitive information, such as bank details or usernames and passwords. Typically, a user would receive some sort of correspondence that appears to be from a legitimate organisation.
There are a number of ways to spot a phishing correspondence, as they often exhibit some or all of the following traits: ambiguous greeting, poor spelling/grammar, tempting offer/sense of urgency and untrustworthy links. Spear phishing is the name given to a phishing attack that, instead of being sent out to thousands of random people, targets a few key individuals.
26
Other types of attack (Level 5)
E-mail spoofing is the act of forging an e-mail header so that it appears to originate from someone else. This highly effective technique is used in conjunction with spear phishing, as people are far more likely to open and trust an e-mail that has been sent from someone they know.
Psychological manipulation is the act of getting someone to do something they should not, by preying on human weaknesses. Psychological manipulation often preys on the instinctive need for people to ‘be helpful’; often, the perpetrator does not even ask for the help they receive.
Tailgating is another method of gaining access to a restricted area, such as a building or a particular room. It is a simple matter of waiting until someone with authorisation opens the door, and then following them in.
Dumpster diving is an effective (if unhygienic) method of finding sensitive information. It involves raiding the bins of companies, or individuals, in the hope of finding discarded documents that contain valuable information.
27
Other types of attack (Level 5)
Insider threat is a threat that originates from someone inside the organisation. There are two main types of insider threat: accidental and malicious.
Accidental insider threat is damage caused to an organisation through an employee accidentally divulging or deleting data.
As the name suggests, malicious insider threat relates to deliberate actions intended to cause harm or disruption to the company. This could be a disgruntled employee or an individual who wishes to damage the organisation for any reason.
A watering hole attack is a malware attack in which the attacker observes the websites often visited by a victim or a particular group, and infects those sites with malware.
28
Multiple Select
Which of the following are common characteristics of a phishing e-mail?
Blank subject field
Ambiguous greeting
Sense of urgency
Poor spelling/grammar
29
CIA (Level 5)
When assessing the potential (or actual) damage of a cyber attack, it helps to consider three aspects concerning the compromised data: Confidentiality, Integrity and Availability.
If the confidentiality of data is compromised, this means that an attacker was able to ‘see’ the data and perhaps take a copy of it.
If the integrity of data has been compromised, this means that the data has been changed in some way.
If the availability of data is affected, this means that legitimate users no longer have access to it. This type of breach is the basis for ransomware attacks, where users are prevented from accessing their data.
30
Multiple Select
A data breach has occurred at an organisation, allowing a hacker to see and edit sensitive data. By which of the following aspects has the data been breached?
Confidentiality
Availability
Integrity
Accuracy
31
Security precautions (Level 5)
A tabletop exercise is a planned exercise where employees of an organisation work through a hypothetical real-world scenario. The company would simulate a security breach and then rehearse their response to such an incident.
A firewall acts like a filter, analysing any data packets for malicious intent before they are allowed into your network.
Access controls - If an individual has Read-Only (RO) access to a file or folder, this means they can see the contents, but cannot change or delete them.
Educators, on the other hand, may wish to add to, modify or delete the contents of these folders, so they would be granted Read/Write (RW) access.
Two-factor authentication (sometimes called two-step verification) provides an additional layer of security when accessing computer systems. Essentially, it is based on the fundamental principle that, to grant access to a system, it will require two things: something you have and something you know.
32
Security precautions (Level 5)
Biometrics is the name given to any type of authentication method that uses a biological characteristic to verify someone's identity. Many mobile phones and computer systems have fingerprint scanners, which means the user simply has to touch the device to unlock it, instead of having to enter a passcode.
It is important to download and install all software security patches as soon as they are released. When a flaw or vulnerability is discovered, the software manufacturers will develop a fix for the issue and release it as a software patch, which they recommend all users download and install.
33
Multiple Select
On some websites, you may see https and a padlock. This security precaution is known as which one of the following?
Encryption
Secure sockets layer
Firewall
Locking
34
Multiple Select
The security precaution which analyses physical features of a person is known as which one of the following?
Voice recognition
Fingerprint scanning
Biometrics
Encryption
35
Backup strategies (Level 6)
Full backup - A full backup will copy every item of data, creating a complete second version of what is stored. The data from a full backup is usually stored in a different location to the original data.
Differential backup - Does not take as long as a full backup, as only the data that has changed since the last full backup is stored.
Incremental backup - Only saves changes since the last backup of any kind, regardless of whether the last backup was a full backup, differential backup or incremental backup.
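How the three strategies choose which files to copy, as an added Python example that is not part of the original presentation. Times are constructed day numbers, and the file names, history format and function names are assumptions for illustration.

```python
from typing import Dict, List, Tuple

History = List[Tuple[int, str]]   # (day the backup ran, kind of backup)


def reference_time(kind: str, history: History) -> int:
    """Day of the earlier backup that `kind` measures changes against."""
    fulls = [day for day, k in history if k == "full"]
    if not fulls:
        raise ValueError("no full backup to build on")
    if kind == "differential":
        return max(fulls)                        # last FULL backup
    if kind == "incremental":
        return max(day for day, _ in history)    # last backup of ANY kind
    raise ValueError(f"unknown backup kind: {kind}")


def files_to_copy(kind: str, mtimes: Dict[str, int], history: History) -> List[str]:
    """Names of the files a backup of this kind would copy right now."""
    if kind == "full":
        return sorted(mtimes)                    # every item of data
    since = reference_time(kind, history)
    return sorted(name for name, changed in mtimes.items() if changed > since)


# Constructed sample: day each file was last changed, and the backups run so far.
SAMPLE_MTIMES = {"photo.jpg": 0, "report.docx": 2, "marks.xlsx": 4}
SAMPLE_HISTORY = [(1, "full"), (3, "incremental")]

if __name__ == "__main__":
    for kind in ("full", "differential", "incremental"):
        print(kind, files_to_copy(kind, SAMPLE_MTIMES, SAMPLE_HISTORY))
```

With the sample data, report.docx changed after the full backup but before the incremental one, so the differential backup copies it again while the next incremental backup does not.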
36
Multiple Select
Which type of back-up strategy copies all data that has changed since any previous back up?
Incremental
Full
Differential
RAID disk mirroring