Cisco - CyberOps Associate - Module 01 - The Danger
Summary
TLDR: This video course introduces the CyberOps Associate Version One, focusing on skills and knowledge for security analysts at security operations centers. It covers the Cisco 200-201 certification, exploring the fundamentals of cybersecurity operations. The course delves into threat actors, their motivations, and the potential impact of cyber threats. It discusses the anatomy of cyber attacks, the kill chain, and the importance of protecting sensitive information like PII, PHI, and PSI. The course also touches on the growing concerns of ransomware and targeted attacks on critical infrastructure, highlighting the evolving nature of cyber threats.
Takeaways
- 🔒 The course aims to prepare learners for the Cisco 200-201 certification, focusing on cybersecurity operations fundamentals.
- 🌐 The script discusses the dangers to networks, including war stories and the impact of threats, emphasizing potential rather than direct impact.
- 📡 The 'evil twin' attack is highlighted as a common method where hackers set up rogue Wi-Fi networks to intercept data.
- 💸 Ransomware is a growing concern, with companies either paying ransoms or losing data, depending on their ability to survive without the compromised data.
- 🏭 The script addresses the vulnerability of key infrastructure to cyber attacks, such as power plants and water systems.
- 🔍 The 'kill chain' model of cyber attacks is introduced, detailing the steps from reconnaissance to obfuscation.
- 🔑 The script explains the anatomy of a seven-phase cyber attack, including reconnaissance, weaponization, delivery, exploitation, command and control, internal reconnaissance, and maintaining access.
- 👨‍💼 Four main types of threat actors are identified: cyber criminals, hacktivists, state-sponsored attackers, and insider threats.
- 💼 The purposes of hacking are varied, including financial gain, protest, espionage, and sabotage.
- 🏢 The importance of protecting Personally Identifiable Information (PII), Protected Health Information (PHI), and Personal Security Information (PSI) is emphasized due to their value and sensitivity.
- 🚨 The consequences of data breaches can be severe, leading to loss of competitive advantage, legal violations, and erosion of trust in the affected organization.
Q & A
What is the main goal of the Cisco 200-201 certification course?
-The main goal of the Cisco 200-201 certification course is to prepare learners for the Understanding Cisco Cybersecurity Operations Fundamentals exam, known as CBROPS.
What are the potential consequences of connecting to a rogue wireless network, also known as an 'evil twin'?
-Connecting to an evil twin network can lead to all of your online activities being monitored and sensitive data being read by the attacker; in some cases even HTTPS sessions can be downgraded (SSL stripping) so their contents become readable, although, as the lecture notes, not every HTTPS session can be stripped.
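As an added illustration of the evil twin risk from the defender's side (example code, not from the course): given a Wi-Fi scan, flag any access point that advertises the expected SSID but is not one of the venue's published BSSIDs or runs with weaker security than expected. The CSV scan layout, SSIDs and MAC addresses are constructed for the example.

```python
"""Spot likely evil-twin access points in a Wi-Fi scan.

Added example (not course material): compares every access point advertising
the SSID you intend to join against the BSSIDs (radio MAC addresses) known to
belong to the legitimate network, and flags anything else. A copy of the SSID
that runs open or from an unknown radio is the evil twin the lecture describes.
The CSV layout and all addresses below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed scan, one access point per line: ssid,bssid,security,channel,signal_dbm
SAMPLE_SCAN = """\
CoffeeShop_WiFi,AA:BB:CC:00:00:01,WPA2,6,-45
CoffeeShop_WiFi,AA:BB:CC:00:00:02,WPA2,11,-60
CoffeeShop_WiFi,DE:AD:BE:EF:00:01,OPEN,6,-35
CoffeeShop_WiFi,DE:AD:BE:EF:00:02,WPA2,1,-50
NeighborNet,11:22:33:44:55:66,WPA2,1,-70
"""

# BSSIDs the venue's IT staff published for the legitimate network (constructed).
KNOWN_BSSIDS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str
    channel: int
    signal_dbm: int


def parse_scan(text):
    """Parse the constructed CSV scan into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, channel, signal = line.split(",")
        aps.append(AccessPoint(ssid, bssid.upper(), security.upper(),
                               int(channel), int(signal)))
    return aps


def find_evil_twins(aps, ssid, known_bssids, expected_security="WPA2"):
    """Return findings for APs that claim `ssid` but do not match the known set.

    Each finding holds the suspect BSSID, the reasons it was flagged and a
    severity. Severity is "high" when the suspect AP is also the strongest
    signal for that SSID, because clients tend to associate with the strongest
    AP, which is exactly what a rogue AP placed near its victims relies on.
    """
    known = {b.upper() for b in known_bssids}
    candidates = [ap for ap in aps if ap.ssid == ssid]
    if not candidates:
        return []
    strongest = max(candidates, key=lambda ap: ap.signal_dbm)
    findings = []
    for ap in candidates:
        reasons = []
        if ap.bssid not in known:
            reasons.append("BSSID not in the published list")
        if ap.security != expected_security.upper():
            reasons.append(f"security is {ap.security}, expected {expected_security}")
        if reasons:
            severity = "high" if ap is strongest else "medium"
            findings.append({"bssid": ap.bssid, "reasons": reasons,
                             "severity": severity})
    return findings


def safe_to_join(aps, ssid, known_bssids):
    """True only when every AP advertising `ssid` is a known, correctly secured one."""
    return not find_evil_twins(aps, ssid, known_bssids)


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    for f in find_evil_twins(scan, "CoffeeShop_WiFi", KNOWN_BSSIDS):
        print(f["severity"].upper(), f["bssid"], "; ".join(f["reasons"]))
    print("safe to join:", safe_to_join(scan, "CoffeeShop_WiFi", KNOWN_BSSIDS))
```

On a real client the scan text would come from the OS's scan tool and the known BSSID list from the venue; the check then runs before the client associates.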
What is ransomware and how does it impact a company?
-Ransomware is a type of malware that encrypts a company's data and demands a ransom for its release. It can significantly impact a company by disrupting operations, potentially leading to data loss, and forcing the company to decide whether to pay the ransom or risk losing access to critical data.
How can targeted attacks on key infrastructure, such as power plants and water systems, affect a city or region?
-Targeted attacks on key infrastructure can lead to severe disruptions in essential services, potentially causing water shortages, power outages, and other critical failures that can endanger public safety and the economy of a city or region.
What is the 'kill chain' and how does it relate to cyber attacks?
-The 'kill chain' is a model that describes the stages of a cyber attack, which typically includes reconnaissance, weaponization, delivery, exploitation, command and control, internal reconnaissance, and maintaining access. Understanding this chain helps in developing strategies to prevent or mitigate cyber attacks.
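To show how a SOC analyst would actually use the seven-phase model (an added example, not course material): constructed alerts are mapped to phases by keyword rules, and for each host the tracker reports the furthest phase reached and the earlier phases that produced no alert at all, which is where detection coverage is missing. Alert names, host names and the keyword rules are all constructed.

```python
"""Track intrusion progress along the seven-phase kill chain from the module.

Added example, not from the course: alert names, the keyword rules that map
them to phases, and the host names are all constructed for illustration.
"""
from collections import defaultdict

# The phases in the order the lecture gives them.
PHASES = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "command and control",
    "internal reconnaissance",
    "maintain and obfuscate",
]

# Weaponization happens on the attacker's own systems, so a defender's
# telemetry normally cannot see it; it is never reported as a detection gap.
UNOBSERVABLE = {"weaponization"}

# Constructed keyword rules: the first rule whose keyword appears in the alert wins.
PHASE_RULES = [
    ("reconnaissance", ("port scan", "dns enumeration")),
    ("delivery", ("phishing", "attachment", "drive-by")),
    ("exploitation", ("exploit", "macro execution")),
    ("command and control", ("beacon", "dns tunnel")),
    ("internal reconnaissance", ("smb enumeration", "ldap query", "lateral")),
    ("maintain and obfuscate", ("rootkit", "persistence", "log cleared")),
]

# Constructed alerts: (timestamp, host, alert name)
SAMPLE_ALERTS = [
    ("2024-01-04T22:00Z", "web-1", "Port scan from external address"),
    ("2024-01-05T09:01Z", "ws-17", "Phishing attachment opened"),
    ("2024-01-05T09:03Z", "ws-17", "Office macro execution"),
    ("2024-01-05T09:10Z", "ws-17", "Periodic HTTPS beacon to rare domain"),
    ("2024-01-05T11:40Z", "ws-17", "SMB enumeration of file servers"),
    ("2024-01-06T02:15Z", "srv-db-2", "Security log cleared"),
    ("2024-01-06T02:20Z", "srv-db-2", "Printer low on toner"),  # unrelated noise
]


def classify(alert_name):
    """Map an alert name to a kill-chain phase, or None if no rule matches."""
    name = alert_name.lower()
    for phase, keywords in PHASE_RULES:
        if any(k in name for k in keywords):
            return phase
    return None


def assess(alerts):
    """Per host: phases observed, furthest phase reached, and detection gaps.

    A gap is an observable phase earlier than the furthest one that produced
    no alert: the attacker must have passed through it, so a control there
    either does not exist or did not fire.
    """
    seen = defaultdict(set)
    for _ts, host, name in alerts:
        phase = classify(name)
        if phase is not None:
            seen[host].add(phase)
    report = {}
    for host, phases in seen.items():
        furthest = max(phases, key=PHASES.index)
        earlier = PHASES[:PHASES.index(furthest)]
        report[host] = {
            "observed": [p for p in PHASES if p in phases],
            "furthest": furthest,
            "gaps": [p for p in earlier if p not in phases and p not in UNOBSERVABLE],
        }
    return report


def hosts_past(report, phase):
    """Hosts whose furthest phase is `phase` or later, most advanced first."""
    threshold = PHASES.index(phase)
    hits = [h for h, r in report.items() if PHASES.index(r["furthest"]) >= threshold]
    return sorted(hits, key=lambda h: -PHASES.index(report[h]["furthest"]))


if __name__ == "__main__":
    rep = assess(SAMPLE_ALERTS)
    for host in hosts_past(rep, "exploitation"):
        r = rep[host]
        print(f"{host}: reached '{r['furthest']}', gaps: {r['gaps'] or 'none'}")
```

A host like srv-db-2 that first appears at the last phase is the worrying case: nothing fired on delivery, exploitation or command and control, so those controls need review as much as the host needs containment.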
What are the four main types of threat actors mentioned in the script?
-The four main types of threat actors mentioned are cyber criminals, hacktivists, state-sponsored attackers, and insider threats.
Why might a hacker target an organization for financial gain?
-A hacker might target an organization for financial gain to access sensitive information such as banking details or medical records, which can be sold or used to extort money from the organization or individuals.
What is the significance of PII, PHI, and PSI in the context of cyber security?
-PII (Personally Identifiable Information), PHI (Protected Health Information), and PSI (Personal Security Information) are types of data that are often targeted by cybercriminals. Protecting these is crucial as their compromise can lead to identity theft, financial fraud, and loss of trust in the organization holding the data.
How can the compromise of PII, PHI, or PSI impact an organization's competitive advantage?
-The compromise of PII, PHI, or PSI can lead to a loss of competitive advantage by damaging the organization's reputation, leading to loss of customer trust, potential legal penalties, and the potential for competitors to gain an edge through the theft of intellectual property.
What are some of the motivations behind hacktivism and how does it manifest?
-Hacktivism is motivated by ideological differences, where hackers use their skills to publicly protest against perceived injustices. This can manifest through activities such as leaking sensitive information, defacing websites, or launching DDoS attacks to disrupt services of organizations that the hacktivist opposes.
How can IoT devices become a gateway for threat actors to enter a network?
-IoT devices can become a gateway for threat actors because they are often connected to the internet but not always updated with the latest security patches. This makes them vulnerable to exploitation, potentially allowing attackers to gain access to the network through these devices.
Outlines
🔒 Introduction to Cyber Ops Associate Course
The video introduces the Cyber Ops Associate course, designed to equip security analysts with the skills needed for a Security Operations Center. It aims to prepare viewers for the Cisco 200-201 certification, focusing on cybersecurity fundamentals. The course begins with an exploration of network dangers, including war stories and the concept of threat actors and their motivations. The discussion also covers the potential impact of threats, emphasizing the importance of mitigation strategies to prevent realized harm. An example of a 'war story' is the 'evil twin' attack, where hackers set up rogue Wi-Fi networks to intercept and monitor user data, highlighting the need for vigilance when connecting to public networks.
💡 The Anatomy of a Cyber Attack
This section delves into the anatomy of a cyber attack, using the 'kill chain' model to illustrate the stages of an attack. The model includes reconnaissance, attack, expansion, and obfuscation. However, a more detailed seven-phase model is also discussed, which further breaks down the attack phase into weaponization and delivery. The summary explains how threat actors use this model to plan and execute cyber attacks, with examples ranging from ransomware affecting businesses to targeted attacks on critical infrastructure like power plants and water systems. The narrative underscores the vulnerability of infrastructure and the potential consequences of successful cyber attacks.
🚀 Advanced Cyber Attack Strategies
The paragraph discusses advanced strategies in cyber attacks, detailing the steps from weaponization to delivery and exploitation. It explains how attackers craft exploits targeting specific vulnerabilities and deliver them through various means like phishing emails or infected websites. The narrative then moves to the command and control phase, where the malware communicates with the attacker to receive further instructions. The subsequent steps of internal reconnaissance and maintaining a presence within the compromised network are also covered, emphasizing how attackers aim to stay undetected and build bot networks for further actions.
🌐 Threat Actors and their Motivations
This section identifies and explains the different types of threat actors, including cyber criminals, hacktivists, state-sponsored attackers, and insider threats. It discusses the motivations behind their actions, such as financial gain, ideological protests, or espionage. The summary also touches on the evolving nature of threat actors, with the inclusion of amateurs who, despite their lack of advanced skills, can still pose significant threats by using readily available tools and scripts.
🏥 The Impact of Cyber Threats on Information and Infrastructure
The focus of this paragraph is on the impact of cyber threats, particularly on personally identifiable information (PII), protected health information (PHI), and personal security information (PSI). It discusses how the theft or breach of this information can lead to identity theft, financial fraud, and a loss of competitive advantage for organizations. The narrative also extends to the broader implications for national security and political stability, highlighting the far-reaching consequences of cyber attacks on both private and public sectors.
🌐 The Role of IoT in Cybersecurity Threats
This section discusses the role of the Internet of Things (IoT) in cybersecurity threats, explaining how unsecured IoT devices can serve as entry points for threat actors into networks. The summary emphasizes the importance of understanding and securing IoT devices to prevent them from becoming vulnerabilities in the network. It also touches on the concept of labs researching IoT application vulnerabilities, suggesting a proactive approach to identifying and mitigating these risks.
🏛️ The Broader Implications of Cyber Threats
The final paragraph summarizes the key points discussed in the module, including the roles of threat actors, the importance of understanding IoT vulnerabilities, and the types of information that are often targeted in cyber attacks. It reiterates the significance of the kill chain structure in understanding how cyber attacks unfold and the need for comprehensive strategies to mitigate these threats. The summary concludes by inviting questions or concerns, indicating an interactive approach to learning about cybersecurity.
Keywords
💡Cyber Ops Associate
💡Threat Actors
💡Evil Twin
💡Ransomware
💡Key Infrastructure
💡Kill Chain
💡IoT (Internet of Things)
💡PII (Personally Identifiable Information)
💡PHI (Protected Health Information)
💡PSI (Personal Security Information)
Highlights
Introduction to the Cyber Ops Associate course, covering skills and knowledge for security analysts.
Preparation for the Cisco 200-201 certification focusing on cyber security operations fundamentals.
Exploration of the dangers to networks, including basic war stories and threat actor motivations.
Discussion on the potential impact of threats and the importance of mitigation strategies.
Example of an 'evil twin' attack, where hackers set up rogue Wi-Fi networks to intercept data.
Risks associated with connecting to public Wi-Fi and the potential for SSL stripping.
The growing concern of ransomware and its impact on companies and infrastructure.
Case studies on ransomware attacks, including negotiations with threat actors.
The significance of targeted attacks on key infrastructure such as power and water systems.
Analysis of the Stuxnet worm and its impact on non-networked systems.
The anatomy of a cyber attack, including the four-step process of reconnaissance, attack, expansion, and obfuscation.
Detailed breakdown of a seven-phase cyber attack model, from reconnaissance to maintain and obfuscate.
The role of threat actors in security incidents and their various motivations.
Different types of threat actors, including cyber criminals, hacktivists, state-sponsored attackers, and insider threats.
The purpose behind hacking, ranging from financial gain to industrial espionage.
The importance of protecting Personally Identifiable Information (PII), Protected Health Information (PHI), and Personal Security Information (PSI).
The consequences of data breaches, including loss of competitive advantage and trust.
The impact of cyber attacks on national security and the potential for disruption of essential services.
Summary of the module, covering threat actors, IoT vulnerabilities, and the importance of information protection.
Transcripts
Welcome. In this video course we are looking at the CyberOps Associate version one course. This course is going to cover the skills and knowledge needed for successfully handling the tasks, duties and responsibilities of an associate-level security analyst working at a security operations center. The goal of this video series is to help prepare learners for the Cisco 200-201 certification that's focusing on the Understanding Cisco Cybersecurity Operations Fundamentals course, known as CBROPS.
Welcome to module one, the dangers to the network. So we're going to be looking at why we have to do this, some basic war stories. We're going to be looking at threat actors and what they are; that includes the motivations, kind of why they're doing specific things. And we're going to look at the threat impact. And again, with threat impact we're looking at potential impact, not always direct impact, because keep in mind the goal is to mitigate the threats so that they're not actually realized. That's why we discuss things in potential as opposed to actually occurring.
So first off, some basic war stories. One of the fun ones is this: hijacked people. Essentially hackers can set up rogue wireless networks. For example, you're at Starbucks, you connect to the Wi-Fi. Are you really connecting to the Starbucks Wi-Fi, or are you connecting to a rogue wireless network that is mimicking Starbucks Wi-Fi? This is actually known as an evil twin, and this is actually fairly simple to do; you have a lot of networking devices on the market today that do this. So when we're talking technical ability, it used to be a little higher to do these types of attacks, but not necessarily.

So what's the purpose of an evil twin? Well, if you actually connect to an evil twin instead of the original network, and again you probably won't even realize it's an evil twin, everything that you do can be monitored, could be stripped. So even HTTPS sessions can have the encryption stripped from the data so they can be readable. So we have to be extremely careful what we are doing. Now granted, not all instances of SSL can be stripped; a lot of them can, not all of them. So you have to be a little more careful when you're at Starbucks: maybe not check your banking, maybe not check specific financial, uh, backing up options. You're on Facebook; so I'd be concerned with that, because if someone is actually able to gain access to my social media, would that cause an issue? And if the answer is yes, you probably don't want to be checking that with open Wi-Fi.
So another danger is ransomed companies. It is a growing concern when you have companies that are lured to open attachments, to have infections that will hold their devices ransom, typically called ransomware. Essentially it will encrypt everything and it will force the user or the business to pay a ransom. It's really interesting, because ransomware has been around for a number of years, and we're starting to see more and more concern with ransomware, and we're also seeing ransomware kind of shift. A few years ago 60 Minutes did a great special on a small county, I think in Oklahoma, that had ransomware. The ransom was 10 grand. The mayor was like, we can't afford that, we could pay you five grand. The ransomware group was like, okay. They took five grand, unlocked everything and moved forward, because some money was better than no money in that situation. However, in that same 60 Minutes episode, a larger city had a 2 million dollar ransom. They had the money, but they refused to pay it, because if they paid it then it would promote individuals to keep doing this. So the large city was like, no, we're not going to pay it, and they lost data for years. They lost security camera footage, they lost dash cam footage from police; I mean, they lost a lot of information.

So with ransomware, some companies are paying, some companies are not paying. It really just depends on: can you survive without that data, or can you survive with paying the ransom? And those are things that are growing in concern, and they're not an easy answer. It's not as cut and dry as "don't pay because you will keep encouraging this." If you don't have your data, can you operate? Simple as that.
Another huge issue is these targeted nations. So when we look at key infrastructure: power, water, the other key infrastructure, transit. All of this should have a certain level of security, but the question is, do they? Power plants, after you've already been shown that they can be taken down with malware. We've seen that malware such as, uh, the Stuxnet worm, which was introduced to a non-networked, or, it was introduced to a power plant or power grid through a USB device, that then ultimately led to the crash of a power plant. Basically the software was designed to jump from machine to machine until it reached a programmable logic controller, a PLC, and from the PLC it took down very specific critical systems for that power plant.

However, you see the same thing in water. Where I come from in Northern California, we've actually seen that our water pumps are susceptible to ransomware attacks. And people may think, well, what's the big deal if we turn off a water pump here or there? Well, in some large cities the water pumps control fresh water to everyone's homes. So if you can imagine a city like LA or Las Vegas having water pumps turned off or reduced, how quickly would the water dry up in those cities? In LA, I think rough estimates were five days. In Vegas, rough estimates were, if key water systems were compromised, less than three days. Granted, these issues have been addressed by DHS and recent audits, but before those audits those two large cities were critical. I mean, that water pump could have accidentally killed, you know, hundreds of thousands of people if they were infected. So key infrastructure is definitely being targeted, and we've seen that, because our infrastructure is very vulnerable. Not just the water system, not just power grid, not just infrastructure like roadways, train systems, transit systems; all of those are being targeted for disruption.
So in our course we do actually have a video discussing the anatomy of an attack, and essentially this is what's known as a kill chain. So the kill chain can be broken down in a few different steps. In a very basic model we have a four-step process for a cyber attack: reconnaissance, attack, expansion, obfuscation. Basically you do some recon, you figure out where you can attack them, you attack them, and you expand once you have attacked and gained access. Once you have expanded you can start obfuscating what you're doing, hide your tracks. That is the general agreed-upon anatomy. However, we can dive a lot deeper in those types of attacks than just four steps. That is the general model that most organizations use; however, there has been a lot more research done in a seven-phase attack instead. Reconnaissance is always going to be the beginning, except here we take the attack phase and we break it down to two additional phases: weaponization and delivery. Essentially you do the reconnaissance, you figure out what is what, how things are associated, how things are vulnerable, what systems there are, what operating systems there are, and you can weaponize that information.
If you know they are running an unpatched version of Windows Server 2012, well, you can weaponize that information; you can craft an exploit that will be able to exploit that system. The third step, again, after weaponization, is that delivery. Now that you know what exploit to run, you can figure out ways to deliver that exploit to that target. The delivery could be an email, could be infecting a website, could be sending a phishing, could be social engineering. It could be as simple as calling a secretary and saying that you're your boss's boss and that you need her to look at an email; again, that's going to be more of a phishing email. But you can deliver the malware in multiple ways.

So after you've done the delivery, the exploitation portion will, uh, happen. The exploit has been delivered; it needs to be executed without being detected. So that's why phishing emails are becoming more popular. Most organizations still lack decent phishing user training; some organizations are actually doing proper training, but most are not. So after the exploit has run, we have a command and control; that's phase five. Essentially, once the exploit has been executed, the exploit should then communicate with the threat actor to figure out what to do next: to download newer versions of malware, to run certain scripts, or to expand, or lots of other options. And that is done through a command and control server.

Once that actually occurs, phase six will be internal reconnaissance. Again, we're doing reconnaissance again. They may start looking to see what is internal, what networks are available, what workstations are available. In order to move lateral through the organization you need to have a decent map of the infrastructure: how do the different devices connect to one another, are there networks inside of networks, are there systems inside systems? We're not quite sure, so that's where that internal reconnaissance has to take place. Are there internal security measures? Is there an IPS, is there an IDS? Is there a network for IoT or PLC-based devices? Not quite sure; that's why that reconnaissance is so important.

The last step is maintain and obfuscate: hide your track and stay as long as possible. The deeper you dig inside the network, the harder it is for them to remove you or find you. Things like being able to install rootkits in very specific files is a great way for things not to be able to detect you. Also with rootkits we could, uh, have a slave of computers; slaves, zombies, can actually slowly build a bot network or a bot kit. Bots or a bot network is just a bunch of slave computers that can do whatever the command and control server says. These are all ways that a cyber attack can move forward, and again this is not a complete list, like this kill chain is ever evolving, ever changing, because these steps are always being modified and refined for easier attackability.
So the important part is: why do hackers do this? Gain information, gain data, because they're mad at a company; there's a huge list. It could be that you're being paid to do this for some reason. The reason hackers do what they do is a pretty long list. A threat actor is typically defined as a malicious actor, also known as a threat actor, that is an entity that is partially or wholly responsible for a security incident that impacts or has the potential to impact an organization's security. Oftentimes threat actors come in four main flavors. They are going to be cyber criminals like hackers, hacktivists, state-sponsored attackers, or possible insider threats. Those are the main four types of threat actors; that is not a complete list, that's just the main. I did this before going to the next slide because, as information, as days go by, everything changes. Cisco defines five major groups: hacktivists, organized crime hackers, state sponsors, terrorist groups, but they're also now including amateurs. So amateurs are going to be anyone that doesn't have any real skill that is able to compromise security, like a script kiddie. So kind of what are their purposes? Again, amateurs, script kiddies, they use built-in tools and they have a basic understanding of how to do things, so they can still be pretty dang devastating to a business even though their skill level is relatively low.
Hacktivists are hackers who publicly protest against a reason, and they use that ideological difference, and they're actually targeting individuals opposed to that difference. They could be posting articles, videos, leaking information. For example, just an example, let's say that I'm against cosmetics that use animal testing. I'm targeting a company that says they don't, uh, use animals, but I know they do because I broke into their server and I have video footage showing them using animals for testing. I post their internal videos online; that would be an example of a hacktivist. And they can do this so many different ways: they could be hacking, they could be just straight using DDoS, denial of service, to disrupt an organization's ability to function.

Another thing is financial gain. A lot of what hackers do is because they're getting paid. It may not be because I'm philosophically against what you're doing; it could just be because I'm getting paid to do job or task X and I need to make rent this month, so I do it. So motivated by financial gain is a huge part. Cyber criminals want to gain access to information: banking information, medical information, things that can be leveraged to generate cash. That's always a huge portion of why hackers hack, is to generate funding. That is not the only reason.
For some hackers, they want to prove that they can do it; for some other hackers, they want to make money. There is private information, intellectual property, IP, out there, trade secrets that should be protected. At times some nation states may disagree with that intellectual property being private, so they target and publicly announce what that IP is. So again, other countries could also interfere with political systems, can influence other political systems. They may be interested in industrial sabotage. I may want to go into the wind turbine industry but I don't want to, uh, do the R&D. I maybe go to the same industry but a different organization, commit industrial espionage or cyber espionage, steal their plans, I make a knockoff version of it and sell that. I actually don't have to spend as much money doing R&D, so I actually can sell my product cheaper. That's a great example of espionage; that's pretty dang common. Basically the theft of intellectual property is a huge part of why some organizations do commit espionage. Intellectual property is actually a billion dollar industry each year. If I have the recipe to make product X or I've got the plans to make product Y, and if you can steal them, then you don't have to put in as much R&D, which means you can run cheaper. So intellectual property theft is a huge growing business and a huge growing concern. Again, these are not a list of every reason; this is just a brief overview of the main reasons why individuals hack and kind of the different groups of hackers and why they hack.
So earlier we talked about IoT and PLCs. Well, IoT is also known as the Internet of Things, and these IoT devices basically help individuals connect things to improve quality of life. Could be a smart light, could be a smart refrigerator, could be a smart garage door opener, things of that nature. These types of devices connect to the internet and they're not always updated, so that is why some of them become a gateway into the network. Threat actors actually prey on these devices because they create opportunities for the threat actor to enter a network. We have another lab, Researching and Analyzing IoT Application Vulnerabilities; again, labs are done in a separate video.
Last major section are threat impacts: what is the purpose of the threat, how does it impact the organization? So there's a key set of information that organizations want to protect. PII, personally identifiable information, that's one of the big ones. This is any information that can be used to positively identify an individual: name and address, name and phone number, name and social security, birth date, credit card numbers, things of that nature. Cyber criminals definitely try to obtain lists of PII so that they could, uh, steal people's identities; that's one of the big ones. Or they can use this PII to create fake accounts, fake bank records, or open up legitimate bank accounts and then withdraw it, or open up legitimate credit card lines and then not pay them, or loans or things of that nature.

We also have protected health information, PHI, and that's typically a subset of PII. We have a growing digital system of medical records in the US, and these are typically electronic medical records, EMR-based systems. The EMR-based systems protect the PHI, and this is going to be procedures; this is anything medical done by an individual, well, to an individual, not by the individual; doctors do the actual procedures. So PII, PHI, and then we have personal security information. This is another common type of PII, and this includes usernames, passwords, any security question responses or challenge responses, any information that an individual can use to pretend to be someone else. These are all main areas that can be targeted and compromised.
So who cares if someone steals PII or PHI or PSI? Well, all of these, one, are expected to be protected. But individuals that have PII with an organization, and that organization has the ability to leverage that PII as a competitive advantage. So a breach of PII or PHI or PSI can result in the organization losing their competitive advantage. If you go to a hospital and you know that hospital is constantly leaking out your PII, you're less likely to go to that hospital. So the protection of the information about you is that organization's competitive advantage. We're going to ignore the fact that certain levels or expected levels of privacy are mandates, like PHI is protected by FERPA, sorry, FERPA is for educational records; it's protected by HIPAA. If you're in a school and your grades are not protected, that's a violation of FERPA. If you are dealing with financial information, there are compliances guarding financial information. If you are an organization storing credit card information and there's a breach there, that's a PCI DSS violation. So certain types of data are protected by industry or by state and federal laws or country laws, so any type of breach in that could lead to that loss of competitive advantage. That means loss of intellectual property to a competitor; again, we talked about that earlier about industrial espionage and how the competitor can now improve their product without having to pay for the R&D that your organization paid for. Other concerns are loss of trust or faith in that organization, meaning individuals no longer want to go to that organization, so that organization eventually will fail.
Other threat impacts could be political or national security. It's not just businesses getting hacked; governments are getting hacked all the time. In the news in the last several years, how many federal organizations have had data breaches? IRS is one of the big ones, but it's not the only one. State-supported hackers are causing disruptions and destruction over digital services in the UK. You've actually had hackers target UK internet providers to shut down the internet in portions of the UK. In Eastern Europe, same thing: when you have hackers that disagree with what the government's doing, hackers take down infrastructure. The internet has become essential as a medium for commercial businesses, for financial activities, for banking, for infrastructure, for users, for sharing of information. All that's done through the internet, so with a disruption of internet services it could actually devastate an organization, it could devastate a country. If a business loses internet, it could be their complete cut-off from the world. They may not be able to purchase things or sell things or connect with their vendors or consumers. If a country is cut off from the internet, that means everyone in the country, individuals, consumers, businesses, government, all cut off from the outside world, and that definitely can destroy a country's economy.
Another lab: Visualizing the Black Hats. So let's go ahead and summarize what we learned. In this module we learned about threat actors, how they function, why they do what they do. We've looked at IoT. We looked at different types of information, PII, PHI, PSI, and why those are areas of concern. We talked about overall kill chain structure. And that is it for this lecture. If you have any questions or concerns, please