Transcript for:
Security+ Module 2 Threat Actor Types and Strategies

Howdy folks, welcome to module two of Security Plus. Today's module is called "comparing threat types", and today we'll be diving a bit deeper into security. The objectives we'll be covering in today's module are two: the first of which is compare and contrast attributes and motivations of threat actor types; the second objective is explain common threat vectors and attack surfaces. Today's module consists of three main sections we'll be covering: the first of which is threat actors, the second main section will be attack surface, and the last section we'll be diving into today is social engineering. All righty folks, before we jump into this module, show the channel some love and give this video a like; it does help both the video and the channel out when you do so. And of course, if you'd like to know when module three of this course goes live, maybe also consider subscribing. Now that we have all of that out of the way, let's dive into module two of Security Plus.

All right folks, let's start with that first main section, which was called threat actors. The first topic we've got up in this section is vulnerability, threat and risk, so we're going to be covering each of these individually. All right folks, I'm going to start you guys nice and slow. Something that a lot of people don't necessarily know about vulnerability, threat and risk is: vulnerability plus threat actually equals risk. For that to make sense we're probably going to have to dive a little bit deeper into each of these individually. Starting with vulnerability, what is that? That is generally some sort of weakness in your company or the company of your client. So a vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. This is not necessarily related to just IT, folks; this actually extends well beyond the border of just IT, so this can be anything in real life. If there's some sort of vulnerability in a company, whether it be an IT company or not, somebody or something (normally somebody) can go and exploit that, basically abuse that vulnerability, and they can potentially gain access to something, or go and break something, or just in general do something not so nice. So it's a weakness of sorts is what it is. If you don't have a lot of security in your company, that's a vulnerability. If you, for example, don't have an antivirus on your machines, or your antivirus isn't up to date, that's a vulnerability. If you've got a firewall but it's not a very good firewall, that's a vulnerability, or if that firewall is turned off or some of the ports are open on that firewall, that's a vulnerability. Someone or something can take advantage of that weakness and they can go and exploit it to, well, do something not so nice.

As for threat, this is the potential for someone or something to exploit a vulnerability and breach the security. So basically, what are the chances of someone or something actually doing that? We already know what a vulnerability is, it's a weakness of some sort. A threat is basically statistically (wow, I can't say that three times fast), it's basically statistically the chances of that actually happening in a company. So what are the chances of somebody exploiting that weakness? As long as it's there, it's a threat. If you have your firewall turned off it doesn't mean something will happen, but as long as it is off it's a vulnerability and it's also considered a threat, because at any point in time, could be right now, could be tomorrow, it could only be a month or a year from now, but at any point in time someone or something could potentially go and take advantage of that. So a threat is just: what are the odds of this actually happening, what are the odds of someone or something taking advantage of that known weakness in your company or your client's company?

We know vulnerability plus threat equals risk, so what is risk? Risk is the level of hazard posed by vulnerabilities and threats. Let's say we do have a weakness in our company, and let's say the chances of someone exploiting this are actually very high. Now if someone does, you know, theoretically go and exploit this weakness of mine or yours or whatever it might be, what is the risk to the company, hazard-wise? Is it the situation of I'm just going to shrug my shoulders and be like "eh, tough bananas", or is it a very serious situation? So what is the risk to you, your company or your client's company if someone were to actually go and exploit this vulnerability? What are the risks to you and your company, what is the hazard, what hazard does it pose to you or the company? Is it a very big hazard, in a sense? Can it cause you or your company financial loss, can it cause you damage, maybe your backups are going to kick the bucket or some sort of server is going to kick the bucket, or you're going to lose data? What is the risk should this vulnerability be exploited? If the risk is minimal then you'll see people are normally not that inclined to go and patch this vulnerability, or at least they're not in a rush to do so. But if the risk is quite high if someone were to go and exploit this, then normally you'll find that someone or something will go and patch this hole very quickly. To give you an example, let's say Microsoft Windows has got a massive vulnerability that's just been discovered in their new operating system, being Windows 11. It's a brand spanking new vulnerability that somebody has just discovered. Now as long as that hole is in the operating system (let's just call it a hole, a vulnerability), as long as it's there it's a threat, because someone out there could potentially discover it and take advantage of that. Now what risk does that pose to the users? Can the hacker or the perpetrator go and take control of their machine, will they be able to see data, you know, potentially financial data, or is the risk minor, you know, they're just going to be able to fiddle with some of your settings and stuff? So what exactly is the risk to you or the user should someone discover this vulnerability and actually go and exploit it?

All right, let's move on to the second topic, attributes of threat actors. Now guys, unfortunately the threats these days are not as simple as they used to be many moons ago. With that being said: known threats versus adversary behaviors. In the old days, to find a perpetrator or some form of malware in a company environment was quite easy peasy, well maybe that's the wrong way to put it, but it was a lot easier compared to these days. In the old days we would basically just be scanning for viruses, Trojan horses, maybe ransomware (it wasn't quite that popular back in the day), and everything was quite simple, you know, all threats were quite simple. We would basically be looking for known signatures, if I have to put it in simple terms. Nowadays the whole threat landscape has completely changed; the whole hacking world and cyber security world has been thrown upside down. These perpetrators have gotten so creative these days that we can't just use your conventional antivirus and anti-spyware to locate these threats. I mean, yes, you should still have these security softwares on your machines and your environment, but that alone is not enough. You'll find a lot of platforms these days, like Microsoft 365 and Microsoft's Azure platform, a lot of these platforms have got sophisticated software and monitoring tools built into them. These tools don't just scan for your traditional signatures and things like that, no, they look for behavior, something out of the ordinary. For example, I'm going to put this in simple terms for you guys: if your users suddenly start signing in at irregular hours, that is something weird, right? Or if one of your users suddenly starts signing in from a new device, or potentially a new location. All of these are suspicious. It doesn't mean it is something suspicious, maybe this user is really legitimately just signing in from someplace new, maybe they've been doing a bit of traveling, but you never know. Rather a false positive than not detecting it at all, or not knowing about it at all; that is very risky. So if something like that pops up, you or somebody from your security team can go and investigate and just check it out, and if you see "hang on a moment, this doesn't look like our user" then you can obviously go and do something about it. If you're not sure, you can go and contact this user in question, phone them if need be, maybe contact them on WhatsApp or something and say "Hey listen bro, did you by any chance just sign in 5 minutes ago from a new location, a new device?" And if they say yes, then, well, then you know, confirmed, you can ignore it. But if they say "uh, I don't know what you're talking about, bru" then that is a red flag and you need to immediately jump on this. So yes folks, known threats versus adversary behaviors: the whole landscape has completely changed, and the way we scan for this is quite tricky. You are going to have to execute a certain level of skill here, and you're going to have to make use of more sophisticated software now, like looking at behaviors, things that basically stand out, anything that looks suspicious.

Now as for these threats, they can either be internal or they can be external. You can probably guess if a threat is internal that it's more likely going to be someone that actually works for your company. Now believe it or not, internal threats are not limited to your own internal employees. This could potentially be a contractor or consultant that's been granted temp access, perhaps it could be a business partner, you know, you never know these days, you really never know. But to be honest, it's more than likely going to be an internal employee, a current employee or somebody that has just left the organization. Now these internal threats have authorized access already. So this internal employee, if they currently work for you or this client's company, they most likely have some level of access. You can imagine that's a bit scary. So the question here is what level of access does the employee have? That's one of the reasons why it is so important to always use the concept of least privilege, something we'll talk about again later in this course. It's not just for your employees, it's for yourself as well. It's in the event of somebody's account getting compromised, or someone going off the rails, just going rogue like in this case here. So if you've got an internal threat which happens to be maybe an internal employee, and if you applied the concept of least privilege, yes, they might potentially be able to do some damage and they might potentially be able to see some stuff they're not supposed to, but we can effectively limit what they can see and do and we can, you know, just control the damage. It's a form of damage control. So these internal threats generally, yes, they either have authorized access or very recently had authorized access. Something else to know about these internal threats, guys, is they are not necessarily people that are actually physically inside the building; the threat could potentially be coming from outside the building. So yeah, before we jump onto that: external threats, what is that? That is generally someone outside the company. They don't necessarily work for your company, they most likely don't have any access yet, so they're going to have to go through all your security, they're going to have to go through your firewall and anything else you or your client's company may or may not have implemented at this company. So generally it is a lot harder to do whatever you need to do if this is an external threat. So if you are, let's say, a hacker of sorts and you are coming in from the outside as an external person, then yes, generally speaking it's going to be a lot harder. Internal threats, they've got it a lot easier: they're already behind your firewall, they're already inside your network, and they tend to already have a certain level of access. So internal threats are actually a little bit more risky if you think about it. If you look at external threats, it does not necessarily mean that if the attack comes from inside the building that's an internal threat; it's still an external threat because it originates from externally. The person might be sitting at home and they might be executing this attack remotely via some sort of remote tool. So if I'm sitting at home and I use some form of remote tool to attack you remotely, you know, inside your company, that is not necessarily an internal threat or attack, it's an external attack, because I myself am still sitting technically outside the company.

As for the level of sophistication and capability, now that, guys, has obviously gone up a lot over the years. Attacks have gotten way more complicated these days, and obviously there's a much higher need for way more sophisticated tools from our side to go and protect ourselves against these threats, you know, tools-wise, monitoring tools-wise, all those kinds of stuff. And also in general you guys are going to have to have a lot more skill these days, because the evil guys, the bad guys, are going to obviously have a lot more skills as well. So the more skills they learn, the more skills you're going to have to learn; the more creative they get, the more creative you're going to have to get, unfortunately. Now you get some people that have got low capabilities, we call those low capability actors, which rely on commodity tools. These are, for lack of a better description, let's just call them wannabe hackers. They want to be hackers but they're not really hackers. They know something about something, enough to cause some sort of shenanigans in your environment, but they're not really truly skilled. Obviously they differ in the level of experience that some of these guys have got; some of them might have a little bit more experience than others, but in general they don't have a lot of experience. They're most likely going to have to go and download some sort of tool or multiple tools online to do whatever it is they want to go and do. A real perpetrator, a real hacker, which we call a high capability hacker, they don't necessarily need some fancy tool they can go and download; they can make their own tools, they can go and create or develop new ways to get into your company or someone's environment for that matter. So we call these high capability actors, and these folks can obviously go and develop new attacks, they can go and develop their own tools which are new tools. So they might use tools, they might not use tools, but the point here is these guys have got a lot of skills. And then you get those guys that have got a high level of access. These folks might potentially be very high up in politics or in the military, and they could potentially go and make use of political or military assets to go and do some sort of hacking, you know. So they might potentially be in politics, they might potentially be in the military, or they might just have access to resources in politics or something else. You guys need to know, when it comes to these threat actors, a low capability actor is probably a sole actor. You know, usually these wannabe hackers are alone; very rarely will they act in groups. But the high capability actors are very often going to be working in groups. These are generally organized groups: they'll have maybe a coder or two, they'll have a couple of guys that work on social engineering, they'll have a couple of guys that do phishing, they'll have a couple of guys that do this and that. It's a very organized group normally, and these groups need resources and funding. So in terms of resources, one of the things that counts as resources is obviously the different kinds of people they've got in the group; each of them is a different resource. But the resources can also be resources they're getting from some sort of party. This may or may not be a political party, it may or may not be a military of some kind, or even a whole state or country in some cases. There are some evil groups out there, guys, that are actually funded by governments, states, or just the military in general, or political parties in general. Yes, you get those. So believe it or not, there are political parties out there in some countries that will hire a bad group like this that consists of various kinds of hackers; some of them do phishing, some do social engineering, some do this, some do that. So these groups are funded sometimes by political parties, state-owned parties, or just whole freaking countries in some cases. You never know, especially in times of war.

All right, and with that we can move on to the next section: motivations of threat actors. In other words, why are these bad guys, let's call them black hat hackers, why are they doing what they're doing? Now there can be many reasons why they do this nonsense, guys; that would be the intent or motivation. So sometimes, when these folks do this nonsense, sometimes it's accidental, sometimes it's on purpose. In other words, folks, it can be malicious, it can be maliciously targeted, or it can be opportunistic. So sometimes people just got lucky: they saw an opportunity, they did not really intend on doing what they were about to do, but since they saw the opportunity they just grabbed it, and that's why they ended up doing that crime. But most of the time, from my experience, I can tell you it's going to be malicious in nature. Someone maliciously targeted this target, whatever it might be; it was planned, and at the end of the day it was not opportunistic. As for the intent behind it, you know, for these hackers and perpetrators it can be for many reasons, guys. It can be for something as simple as greed; greed is a very common reason for a lot of perpetrators. It can be curiosity, yeah, curiosity is a thing. Sometimes people hack stuff literally just because they were curious; there's maybe something they wanted to see, something they wanted to know, and some of these hackers have gone so far as to hack stuff purely out of curiosity. It's not always greed. Greed, that's normally financial gain. Curiosity, that's also a very good motivating force for a lot of people. And then the last one, which is also a very good motivating force for hackers, is revenge. So someone happens to have a lot of skills when it comes to cyber security, and somebody else did something not so nice to this first someone; yeah, they might put those skills to some bad use. I suppose what we're saying here is never cheese off a hacker, or a black hat hacker, because they might use those skills to, well, get back at you, I suppose. Now sometimes when people do get into stuff, it might not necessarily be on purpose. So we spoke about maliciously targeted, which means it was planned, it was on purpose. Opportunistic is, well, they still kind of went with their free will, they did this on purpose; it might not have been planned, but they saw an opportunity and they went for it. Then you get cases, which are very rare, where it might be accidental, believe it or not, unintentional. There have been some rare cases noted where somebody would actually get into something purely accidentally. It has happened; it's very rare, especially in very tight security environments, but sometimes people see or do stuff purely accidentally. It was unintentional; it was not their intention to break into something. They did something and they noticed "oh shucks, I just got past this security mechanism, oopsy daisy". So at the end of the day, folks, it was never really their intention.

As for the strategies of these perpetrators, these black hat hackers, why do they do this, or should I say how do they plan on going about this? Their strategy could very well be to do something as simple as service disruption, in other words, prevent an organization from working as it normally does. This could potentially involve an attack on their website, or maybe using malware to block access to servers and employee workstations. Service disruption can be an end in itself if the threat actor's motivation is to sow chaos or gain revenge, guys. So sometimes the perpetrator will literally go and do what they do because they want to get revenge on this company. Maybe they are an ex-employee, they potentially did not get that promotion they were hoping for, that increase or that bonus they were hoping for, and now they may not even work for this company anymore for all we know, and their end goal here, their strategy, is to get revenge on this company. They want to sow chaos, they want to make chaos. Some people just like chaos; there might not even really be a good reason behind it, they just like chaos. Especially in the old days, a couple of years back, I think actually more than 10 years back, 20, 30 years back, a lot of hackers did what they did not for any real financial gain or because of revenge; they just liked chaos. So at the end of the day, if they could hear their name on the news, that's all they wanted to achieve, was to get their name out there. It was kind of like a game of sorts at times, when they wanted to see if they could get their name out there, so it was all about getting your name out there. Nowadays, however, that has kind of gone down, it's simmered down, so now it's more about other things like financial gain, in other words greed, maybe because of curiosity like we said earlier, or just plain revenge. So service disruption is generally because of revenge. Other times the perpetrator's strategy might be something like data exfiltration, in other words they want to get some sort of data out of you, your company or your client's company. This is a transfer or a copy of some type of valuable information from a computer, potentially a network, and this is normally without authorization. The threat actor, being this perpetrator, might perform this type of exfiltration because they want the data asset for themselves, because they can exploit its loss as blackmail, or they can potentially go and sell this to a third party, to the highest bidder, as some people might say. And then the third one I'm going to give you guys in terms of strategy for these bad actors is to falsify some type of trusted resource; we call this disinformation. This could be things like changing the content of a website, you know, maybe there was legitimate information on a website and now they go and change someone's information to false information, misleading the public for whatever gain. This could potentially be to go and manipulate search engines to inject fake sites, yes that's a thing folks, or, believe it or not, using bots to post false information on social media websites. This is actually very popular; you'll see this on TikTok, you'll see this on Facebook and Twitter, which I believe they call X nowadays. I think X and Facebook are probably the two main ones, and probably a little bit of Instagram as well. There's a lot of information out there, folks, which is fake. So if you see something online, this is very common knowledge, if you see something, don't believe the first thing you see; verify it from a trusted source. So if you go and watch a video on TikTok and you see "wow, I didn't know this happened", it doesn't necessarily mean it's true, folks. The same could be said about Facebook: if you see a video on Facebook or you read something there, or the same on Instagram, or the same on X, it does not necessarily mean it's true. There's obviously a lot of false information out there being spread by malicious people for malicious reasons. This is normally to gain something out of this; this could be a political party, this could be a government, this could be just someone that's got it out for someone else, maybe a company or an individual. So always verify information you see with a trusted, known source.

Now the motivations for these bad apples, that can sometimes be chaotic, you know, chaotic motivations. I did kind of touch on this earlier indirectly. So in the early days of the internet, like I said earlier, many service disruption and disinformation attacks were perpetrated with the simple goal of causing chaos, guys. Hackers might deface websites or release worms that brought corporate networks to a standstill for no other reason than to gain credit for the hack. Yes, literally just to gain credit for the hack; they just wanted their name out there. And if you guys have ever watched a good action episode or a good action movie where there's maybe some sort of serial killer or something, in these movies or these episodes you'll find that if the police catch this perpetrator, they will normally not say that they've caught them, and they will especially not mention the person's name, because very often why they did what they did was just to get their name out there. They like seeing their name on the news, these people, maybe not all of them but a lot of them. So yeah, with that in mind, the same could be said about these bad actors. These bad actors sometimes cause chaos purely just because they want to gain credit for the hack. They've got some sort of hacker name, it might be an individual hacker name, it might be a hacker group, but they want to gain credit for the hack, they want to get well known. That is an example of a chaotic motivation. The motivation might obviously be financial as well, which is probably one of the main ones for a lot of people, not just bad actors. So as hacking and malware became both more sophisticated and better commodified, the opportunities to use them for financial gain grew quickly over the years. So if an attacker is able to steal data, they might be able to sell it to other parties. Alternatively, they might use an attack to threaten the victim with blackmail or extortion, or to perpetrate fraud. So yeah, if you don't know, with regards to blackmail: blackmail is demanding payment to prevent the release of information. So normally they would get some sort of sensitive information about a company or a person, and they would use that information to blackmail a person or a company for, well, financial gain. Extortion, sometimes for the same reason, so extortion is demanding payment to prevent or halt some type of attack. So maybe they've got information about your company; this is especially the case with ransomware. You'll find lots of cases of ransomware, if you guys know what that is. They will get a hold of some sort of sensitive information and they'll demand that this company, normally the government or some well-known company, they will demand for them to pay some sort of amount, failing which they will go and release certain sensitive information about their customers or the users. So it's a form of extortion. And then fraud, guys. Fraud, you get so many kinds of fraud, but in this sense fraud is falsifying things like records. Internal fraud might involve tampering with accounts to embezzle funds, or inventing customer details to launder money, those kinds of stuff. And then the last motivation I'm going to give you guys for today on this specific topic is political motivations. So political motivation, that can be a lot of things, guys, I mean you get subcategories of this, for crying out loud. So political motivation means that the threat actor, which is this black hat hacker, uses an attack to bring about some type of change in society or governance. This can cover a very wide range of motivations, guys. For example, this could be an employee acting as a whistleblower because of some ethical concern about an organization's behavior. Perhaps this could be a campaign group disrupting the services of an organization that they believe acts in contradiction to their ethical or philosophical beliefs. This could be a nation state, maybe using service disruption, data exfiltration or disinformation against government organizations or companies in another state in pursuit of war aims. So this could be because these political parties, I don't know, they want to do something in terms of war, maybe they are fighting against other political parties, because you know how politics is, guys; politics, these guys get crazy sometimes. All we see is the face they put on the TV, you know, they'll put up a front for us because they want our votes, but sometimes what goes on behind the scenes, yeah folks, sometimes it'll make the hair on the back of your neck stand up if you know what these parties do in the background, in the shadows.

All right folks, let's move on to hackers and hacktivists (hope I'm pronouncing that correctly). So I'm going to start you guys off by explaining what a hacker is, or should I say the lone hacker. Now the term hacker describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means. That part I'm sure you guys already know, because everybody knows what a hacker is, even if you're not in IT. Now what you might not know is, originally, hacker was a neutral term for a user who excelled at computer programming and computer systems administration. So it was basically just someone that was very skilled in IT, you know, this person was pretty clued up when it came to programming and systems administration. So if you were very clued up in computers back in the day, we would have called you a hacker, but it did not necessarily mean you were up to no good. So many, many moons ago a hacker was just someone very good with computers. Nowadays, not so much; the term has kind of changed, its meaning has somewhat changed. Now, many moons ago, hacking into a system was actually a sign of technical skill and creativity. Now that has gradually become associated with illegal or malicious system intrusions, unfortunately. The terms unauthorized (which was previously known as black hat) and authorized (which was previously known as white hat) are used to distinguish these motivations. A white hat hacker always seeks authorization to perform penetration testing of private and proprietary systems, guys. So just to quickly summarize what I just said: a white hat hacker is authorized, he or she has permission to do what it is they want to go and do; an unauthorized person is a black hat hacker. So a black hat hacker these days, they are a bad actor and they are unauthorized; they normally do not have permission to access the information they are accessing, or to do whatever it is they're trying to do. A white hat hacker, they are authorized, and they generally do have permission to do whatever it is they're up to.

Now that we've got that out of the way, let's move on to unskilled attackers. Now what is an unskilled attacker? I think the name speaks for itself, wouldn't you guys say? Now folks, an unskilled attacker is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Unskilled attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities. So in a nutshell, what happens here is these unskilled attackers, they want to be hackers, they want to say "hey, look at me, I'm a hacker, I can do this, I can do that". Meanwhile they don't really know jack squat; they don't actually know what they're doing. They probably went online and downloaded some tool, which actually might be a Trojan horse, which means it's malicious to the person themselves now, actually. So a lot of these tools which are supposedly hacker tools, they've got Trojan horses in them, that's the funny thing. So this wannabe hacker is now going to try and do some sort of hacking, and the tool might actually work to a certain degree, but what this hacker doesn't know is that tool is a Trojan horse and it's actually infecting his own machine and it's doing something bad on his own machine. But anyway guys, so yeah, unskilled attackers, generally these people just want attention. A true blue hacker that actually does have the skills, they don't need fancy tools and they don't normally care about attention. The people that want attention, that say "hey, look at me, I'm a hacker", are very normally the ones that don't really have any skills; they either have no skills or they have very little skills, and these people normally rely on some sort of tools they have to go and download online, and somebody has to guide them, those kinds of stuff.

And then folks, you get hacker teams and hacktivists. This is pretty much the exact opposite of a lone hacker, I suppose. So a lone hacker is one individual; he or she might be skilled, they might not be skilled. But a hacker team, they normally are quite skilled, because they're obviously going to go and look for more people that have got equal skill. If I am a hacker of some kind, you know, theoretically I'm not going to go and associate myself with just any other weasel, no, I'm going to go look for other people that have got equal skills to me, or better, or skills that I don't have. You know, that's the whole idea about these hacker teams: some of these guys have got the exact same amount of skills, some of them have got different skills. So generally they're going to go and look for people that have got different sets of skills so that they can obviously go and break into more stuff and all that. Now what you guys might not know is, historically, the image of a hacker is that of a loner. So many moons ago hackers were generally alone, but nowadays not necessarily. These hackers would normally act as an individual, with very few resources and little to no funding at all. Now folks, while this lone hacker, which is an individual, while they still remain a threat to this day, which we should probably still account for, these guys are not really people we have to worry about as much, at least not as much as when it comes to a team or a group of hackers. It's actually, these days, way more common to find these hackers working in a group or a team of sorts; that's generally the more common scenario these days. So the collaborative team effort means that these threat actors (that's the proper name these days) are able to develop sophisticated tools and novel strategies. Remember, a true blue hacker doesn't need to go and download tools; they can go and make their own little tools, or they can go and find their own little weaknesses in a platform of some kind. So they don't need to go and download stuff, and if it's a team then obviously they're going to get this done a lot quicker and a lot easier. Now if you guys don't know what a hacktivist group is, a good example would be something like Anonymous, the group called Anonymous. I don't just mean, you know, "hey, I'm anonymous", no, I mean there's a hacker group called Anonymous. They're probably one of the most well-known ones out there; you normally see them wearing these white masks. So if they happen to appear in some sort of video they'll wear some sort of white mask, and over the years there's obviously been a lot of people that have been trying to copycat them; they'll pretend to be part of Anonymous, but meanwhile they're not. So there's lots and lots of hacktivist groups out there. Some of them are very well known, like Anonymous, some of them are less known, and some of them care about their public image, you know, it's all about the credit for them, where other ones don't really care; they'll work silently in the background and only really the hacker community will know who they really are and what they're capable of. So a hacktivist group such as Anonymous, or WikiLeaks, or LulzSec, they use cyber weapons to promote a political agenda in most cases, not always, but generally that's the case. Hacktivist groups might attempt to use data exfiltration to obtain and release confidential information to the public domain. This could be maybe performing service disruption attacks, or defacing websites to spread disinformation like we said earlier. Now political, media and financial groups and companies are usually most at risk of becoming a target for hacktivists, but environmental and animal advocacy groups may target companies in a wide range of industries. So I suppose, well, it depends on what kind of industry they're in, but generally if you are in media, politics or financial, you're probably going to have the biggest target on your back. If you're not one of those
Industries then you should be okay for the most part so yeah I suppose if you're in media political or financial make sure you're a good boy as long as you're a good boy they should for the most part leave you alone I've seen a lot of these activist group uh will not necessarily Target just any random media Outlet or political party it's normally the ones that are corrupt that did something bad now yes some of these activist groups have got chaotic um end goals so they don't really care whether you're innocent or not but a lot of them I've seen don't necessarily have chaotic end goals or chaotic strategies in mind for them it's about I don't know Justice I suppose so if someone's been a naughty boy they want Justice and they're going to serve it themselves all right once again moving on to the next topic here nation state actors and advanced persistent threats if you guys know what a nation state actor is well we already know what an actor is an actor is basically just another fancy name for a hacker if we have to put this in simple terms now nation state actors are let's call these hackers that work for the state they work for the government they potentially maybe work for some very well-known political party something along those lines it's not just some loone hacker or some random hacker group no this group of hackers they are normally employed by the government some government this could be one country it could be the next country the point is they actually work for a state or a government of some kind and generally you'll find that these people will not say that they are working for a government because they work at an arms length they want plausible deniability so very often when countries don't like one another or if they've got beef with one another you'll find that these countries like to go and use what we call nation state actors a lot of countries use these because it gives them plausible deniability now generally you'll find that during times of War 
countries very often make use of this, especially countries that are not directly involved. They don't want to be directly involved, but they'll still kind of go and stick their fingers in where it doesn't belong, and in those times it's actually very common to find those countries, which we sometimes refer to as states, go and use what we call nation state actors. So these are people with a very high level of cyber security skills, and these people obviously act in the shadows, in the background, and they'll go and do all kinds of nonsense. So in short we can say that these nation state actors are attached to military or secret services. It's not just some random hacker group or activists, as some folks call them. No, these are normally attached to a state, more specifically military or secret services. You'll find that these folks generally have a very high level of capability. I mean, if they're going to be working for the state it's not just going to be some random wannabe hacker. No, these folks generally have a very high level of capability; they're very clued up, and they don't normally act alone. Normally it's a whole group of people acting as one. Now folks, most nation states have actually developed cyber security expertise and will use cyber weapons to achieve military and commercial goals. A lot of countries and states have been doing it these days and it's actually becoming more and more common, unfortunately.

Now the term advanced persistent threat, which you see there in the title (we call that APT for short), was coined to understand the behavior underpinning modern types of cyber adversaries. Who knew? Rather than thinking in terms of systems being infected with a virus or Trojan like in the old days, an APT, in other words advanced persistent threat, refers to the ability of an adversary to achieve ongoing compromise of network security. This is generally to go and obtain and maintain access, and this can be done obviously using a variety of tools and techniques. So it's not just your traditional virus or Trojan horse. This could be something potentially like ransomware, this can be something potentially in your hard drive's root, it can be a lot of things like that, guys. So it's kind of like a back door in some cases. So there is a threat, but this threat is not just a once-off threat, it's an ongoing threat. These perpetrators, these actors as we call them, they've got a back door of sorts which gives them continuous access to whatever it is they're up to. So that is not something we want; that is very bad, as you can imagine. So if you are not one of these actors, and one of these actors is obviously acting against your company or one of your client companies, that is absolutely not a situation you want to find yourself in, because how do you cut these people off? So one of the tools we like to go and use is obviously a very good firewall, but that's only as good as the person implementing it. So you need to get yourself a very good firewall. They're not cheap, so if you get yourself one of those proper physical firewalls, they don't come cheap; they come with all kinds of fancy features and functions and stuff, but it's not really going to help you much if you don't know what they are and how to go and use them and how to go and implement them. It's obviously also wise to go and use all kinds of other monitoring software that allows you to keep an eye on your environment, so as soon as something stands out you need to know about it immediately, or at least your security team needs to know about it immediately. Now folks, nation state actors, they've unfortunately been implicated in many attacks over the years, particularly on energy, health and electoral systems. So when it's time to vote and all that (this applies in all countries, by the way, I'm not referring to any specific country), people love to go and tamper with votes, so they'll go and hack some sort of system, try and influence the votes. They'll go and hack energy companies or something related to energy, something related to health. The goals of state actors are primarily disinformation and often espionage, so this is normally for some sort of strategic advantage of sorts. There's a couple of countries that are very well known for doing this nonsense. I'm not going to mention any countries by name; I'm not going to bad-mouth or promote any countries here, but there is a couple of countries that are very well known for doing this, and this could sometimes be to target companies perhaps, or for financial gain. Now state actors will work at arm's length, like I said earlier, from the national government, the military or security service that sponsors and protects them, maintaining what we call plausible deniability, like I said earlier. So they might get sponsored and funded by their government, or the military, or whatever secret service they work for, but they're going to work at arm's length, and if anyone asks them, hey, who do you work for, they're going to say no, we don't work for anyone, and that's to maintain plausible deniability. These folks are likely to pose as independent groups or even activists, like I said earlier. They may or may not wage false flag disinformation campaigns that try to implicate other states, even, in some cases.

All right, and then moving on to a topic called organized crime and competitors. Now folks, in many countries, not all countries but in many countries, cyber crime, believe it or not, has actually overtaken physical crimes in terms of number of incidents and losses. Isn't that hard to believe? It's staggering to believe these stats. Now folks, also something to keep in mind here is organized crime can actually operate across the internet from a different jurisdiction than its victim, and this obviously, as you can imagine, increases the complexity when it comes to prosecution. Criminals will seek any opportunity they can get for profit, but typical activities of these criminals will be things like financial fraud (this is against individuals and companies) and of course good old-fashioned blackmail and extortion. You guys will also generally notice that these criminals are normally very well funded; they've got a lot of resources. It's not just some wannabe hacker somewhere, a lone hacker as we call them. No, these are normally hacker groups that are very well organized and very well funded; they've got a lot of resources at their disposal, and often they've got high capability as well. So that makes it a little bit harder to take these guys down, because of, well, all the funding they've got. Sometimes you'll even find cases where some of these groups are funded by a state of some kind, so you can only imagine how much resources they'll have at their disposal in those situations. Now most espionage is thought to be pursued by state actors, but it is not inconceivable that a rogue business might use cyber espionage against its competitors. Very common nowadays. So these days competitors will often use any means at their disposal to try and take down their competitors, or to try and give them a disadvantage of some kind. So if I work for company A and I've got a competitor, let's call that company B, I might be inclined to go and hire some sort of cyber group (let's just call them a cyber group) to try and give my opponents or my competitors some sort of disadvantage. This can be to go and damage their systems, or it could be something as simple as going and spreading some disinformation out there. Either way, it's going to give me an advantage and my competitors a disadvantage; that's a very good reason why people will sometimes go and do this. So such attacks, folks, could aim at theft, or to disrupt a competitor's business, or damage their reputation, like we said, you know, disinformation, all that. Competitors' attacks might be facilitated by employees who may or may not have recently changed companies, and they bring inside knowledge with them. So sometimes these employees that work for you, maybe right from the beginning they were an inside man. I'm not sure if you guys have ever heard of those terms, but they never really worked for you. They were on the payroll, yes, you hired them, they might have gone through the whole hiring process and all that, you know, there was an interview, all that, but they never really fully worked for you; from the beginning they were kind of a spy of sorts. Then you get those (this is actually the more common scenario) which actually legitimately did work for you, but now they went to your competitor, maybe not because they didn't like you, it's just they went to the competitor and now they're just giving the competitor all kinds of information. Which is why most companies these days will make their employees sign a non-disclosure agreement, so should you go and work for another company, whether they're in the same line of business or not, you're not allowed to disclose any company secrets, you know, how they do business, anything regarding their clients; you're not allowed to disclose those kinds of things. So this even happened to me. I've worked for many companies over my life, and you know, even if I did not sign one of those agreements I still would not go and disclose that information, because you can get sued for that. But I did actually sign those non-disclosure agreements, and when I went from one company to another company that does the same thing, I would not tell them anything about the previous company, not just because of my ethics, it's just I wouldn't because of the non-disclosure agreement, you know, you can get sued for that, like I said. But unfortunately not everybody's like me. Some people will go to a competitor, and maybe that was their intention from the beginning, to go to a competitor, and they'll give them all kinds of juicy details, trade secrets, you name it. So yeah guys, be very careful of that; you should never do that yourself, and unfortunately we need to try and be careful of our employees as well that might potentially go and do that. So maybe make some of your employees sign some sort of non-disclosure agreement; you know, at least then you can kind of hold them liable, legally speaking.

All right, and then folks, I'm going to take you to the next topic, which is the last topic for this specific section, and then we'll move into the next main section. So this topic is internal threat actors. Once again, we know an actor is someone that's, you know, doing some sort of cyber security activity; may or may not be a hacker, may or may not have a lot of experience, which they call capability. So under this topic, the first thing we're going to mention is malicious internal threats. So this is malicious, which means it's most likely on purpose, it's not accidental. You get malicious, which is obviously on purpose: this was planned, it was their intention. Unintentional or accidental, well, I think that speaks for itself; it's an oopsy-daisy kind of situation. So under malicious internal threats, what do we have there? This could be someone that has or has had authorized access, such as an employee. This is maybe someone that's a disgruntled employee; he or she is currently working for your company or they did work for your company, they've got some level of privilege, some level of access, and that can be very dangerous, as you guys can imagine. This is one of the golden reasons why we use that golden rule in IT which is called least privilege: you never give someone or something more access than what they need to achieve a task or a goal, including your own account. This is for many reasons, and one of those reasons is in case one of these people is a spy, perhaps they've gone rogue, you know, things like that. So if they do have access to the environment, their access is going to be limited; they can't see everything, they can't access everything, they can only see certain things and do certain things. Now they can still do a certain level of damage, but at least we can control the damage, we can contain the damage. So yeah, under has or has had, this is potentially someone that's still currently working for
you, a disgruntled employee, or someone that has just left the company, and they might have potentially gone to a competitor, maybe that's why they're doing this, or maybe they're just acting out; they're staying at home, they're still unemployed and they're acting out. Other kinds of malicious internal threat you might get are employees, current employees, which kind of still is the same thing as the previous point I just mentioned. So current employees, contractors or partners: these are folks that are actively still in your environment, or at least the environment of your client, and they actively still have access, so they are a threat. It doesn't mean they will go and do something; it's just the potential, what are the chances of them possibly going and doing this. So that is a threat, something we did discuss actually earlier in this video; we discussed what a threat is and a risk is and all those kinds of things, you know, along with vulnerability. And then another malicious internal threat you get, this is the last one under the malicious ones: sabotage, financial gain and business advantage. There are going to be times you're going to have people that will sabotage you, your company or your client's company. It might have been their intention from the beginning, or maybe they just changed their minds over time. So maybe they've been working for you for a couple of years, one of your competitors went to them and made them a nice fat offer and said, hey, we will hire you if you go and sabotage the following. It could be maybe they're just rogue; that's the more common reason. People have gone rogue, they're upset because they did not get that promotion, that yearly increase, or that, you know, whatever it might be, maybe that Christmas bonus. They're upset about it and now they're going to sabotage the company before they leave; normally they will do this right before they leave. Now on that note, guys, you'll find what a lot of companies will go and do is, if someone has resigned from a company, we'll normally go and revoke that person's privileges as quickly as possible, because there's always this odd chance that this person might go and sabotage the company. Not saying it will happen, but it actually happens more commonly than I would like to admit. I've seen some companies will even go and pay the person to leave early. So if this person has to give one month's notice before they leave the company, there are companies out there that'll even pay them out for that one month. They'll say, you know what, we'll pay that one month's salary, but please leave early, you know, not on a mean note or anything like that, but just very politely ask them, please leave early. And the reason they do that is because this person is a threat; there's a very good chance that this person can go and sabotage the company while they still work there. For them to be able to do their work they might still need some level of privilege, but when they have that privilege, that could be very, very risky. So we're not going to go and do that; instead it might be better for the company to say, you know what, here's some money, you can leave early, you can even start earlier at your next company. Yes, we're not going to have an employee now, so I mean that's obviously bad as well, but it's not nearly as bad as the potential for this person to go and sabotage your company. Anyway, so this person could also go and do this for financial gain. You know, maybe they see something in a company, some sort of information or data, and they can go and use this for some sort of financial gain: they can sell it themselves, they can take it to a competitor, maybe they want to use this for their own business to give their own business an advantage, maybe they started their own company, or they plan on going to another company and giving that other company a business advantage in exchange for, once again, some sort of financial gain. Or it could just be that this person was a spy from the beginning, from a competitor, and this could be because that competitor wants some sort of, once again, business advantage.

All right, so let me give you guys a couple of unintentional insider threats. So these are not on purpose; it's just things we sometimes overlook. It could be things like weak policies and procedures. These policies can be any kinds of policies; it can be data loss prevention policies. If you look at Office 365 you've got things like data loss prevention policies, archiving policies, retention policies, sensitivity labels, all kinds of things like that. But something more common that you guys can relate to might be something like good old-fashioned group policies. So maybe this is group policies or just general security policies in your company or your client's company, and when we say weak policies we mean either there is none, or there's very little, or they've not been configured properly. This is often due to lack of IT experience and things like that. There's maybe not proper procedures in place; these procedures are things like what people are allowed to do, what they're not allowed to do, when they're allowed to do it, how they're allowed to go and do it, things like that. I'm going to grab at some random straws here and give you guys a couple of examples. So if you look at physical security in a company (yes, this also applies to physical security), if somebody has to go and authenticate to open a door by, let's say, providing a PIN, a fingerprint, or maybe a retina scan, you know, or even a smart card, if they've got to authenticate, ideally we want everybody to authenticate when they open that company door. But if I go and authenticate and someone says, hey, can you please hold that door for me, and I hold the door open, which is called tailgating, amongst many other things, if I hold the door open that is a threat now, because that person did not authenticate. How do we know this person's allowed to be there or not allowed to be there? So one of our procedures in our company could potentially be: don't hold the door open for somebody, let them authenticate. Politely tell them, no, I'm just going to close the door, you have to authenticate again because of security reasons. But you can do it very politely; you don't have to be uncaring about it, you know. Be very polite about it, explain to them very quickly and politely: sorry, no, that's against our company policies, it's a security risk, please authenticate again. And then once again, in terms of weak policies, I'm going to grab at some straws here and I'm going to give you guys some examples. This could be that the company does not have a policy that says people's passwords expire. They might have one or two password policies that say people need to have an 8-character password or longer, but they don't have a policy that says people can't use the same password, they don't have policies that say people are not allowed to use a password that looks similar, they don't have policies that say passwords expire. Those are just some examples, so you want to make sure you've got proper policies in place. Then you get, of course, situations where you do have policies or procedures but your company, or that of your client, is not adhering to these policies or procedures. It's one thing to have them, but it's an entirely different thing to get the users to actually adhere to said policies and procedures. You might have a procedure in place that says don't hold the door open for people, so it's actually there, the procedure is there, it says don't do it, but whether people are actually going to listen to the company, yeah, different story. You might have a policy or a procedure in place that says don't use your company computer to go and do personal things like watching movies, doing downloads. That's a policy that's in place, but will people actually adhere to that? That's a different story. Now if you have employees that don't adhere to these policies and procedures, that is going to go and put certain things at risk. So if you look at something like a computer that they're using now for personal things like watching movies and whatnot, that might potentially put that computer at risk. They might potentially get some sort of malware on that computer now, and then later down the line they want to go and use that same computer to go and access company resources, putting the whole company at risk now due to that malware. So yeah, weak adherence to policies can also pose a massive risk to a company. Speaking of massive risks to a company, that brings us to lack of training and security awareness. I think that's easily the most dangerous thing you can find in any company. You can have security that looks like it's straight from Microsoft or NASA or something, but at the end of the day, if your users don't have any training, or at least the users of your clients' company, that's not going to help you one bit. It's always going to come down to the user; you're only as strong as your weakest link. What is the weakest link? It is normally the users, guys. So you need to go and give your people training. It doesn't have to be anything fancy like what we're doing here right now, nothing sophisticated like this. No, you could literally just invite them all to the boardroom, perhaps one day during lunch, and say, hey guys, if you receive an email from people you don't know, don't open it; if you see an attachment or a link in an email that you were not expecting, do not open it, do not click it. So I'm using an email here as an example, but you get the idea. So this could be basic, basic, basic IT training, telling people don't do this, don't do that, watch out for this, watch out for that. You guys get what I'm saying; I think this should make more sense to you guys now. You can also go and potentially put this in an email for the people, but I've seen so many users ignore these emails. A lot of companies do this, including a lot of companies I work with at the moment. I still work with a couple of companies and I still see them doing this: they'll send out these mass mails to all their employees that say don't do this
don't do that watch out for this watch out for that but more than 90% of people they don't even open that mail never mind read the mail they don't they completely ignore it that's what most people do they'll ignore this like a stop street so what can we do in these situations we might need to force it and one of the ways you can force it I know it's very inconvenient guys but we sometimes need to is to invite all of these people into a room physically and you know basically force it down their throat say watch out for this don't do this yes some of the people are still going to do it we know they're going to do it that but your compliancy ratio is going to be much higher if you invite them into a physical room and you force them to pay attention now yes a lot of people are working remotely these days some of them might never be at the office so you could potentially just invite them all into a zoom session or a team session and you can train them on there as well but I've seen the complian is a lot less there because what they'll do is they'll have the webcams off and they'll be doing other things in the background they might not even be at their computer some of them might be at their computer but they've got you on mute or they not listening to you they're watching a YouTube video or something in the background potentially something like this hopefully it's something like this because this is actually going to teach them something and then the last inside the threet I'm going to mention here under this topic guys is Shadow it sounds very weird the name but Shadow it basically comes down to the fact that some of your employees or your users will bring their own it equipment to the office it is it equipment that does not belong to the company they work for it belongs to the user this equipment is unsan mentioned it has not been approved by the company or the IT team normally the IT team would say what's allowed what's not allowed how it's allowed to be used when 
and where it's allowed to be used but if users are going to be bringing their own laptops phones and tablets and all kinds of things like that to the office that is an unsanctioned device that is an example of Shadow it the same applies that they bring an access point a router or anything like that it is Shadow it that device is something the IT team does not know about the IT team has not had the opportunity to investigate it to check it out to make sure it's secure in terms of settings and configurations to make sure it's up to date all that kind of stuff now if the IT team doesn't know about it that can obviously pose a massive risk because this user that's Now using it they may or may know nothing about it they don't understand the risks involved so now they're going to go and use their personal laptop or phone or whatever this might be on the company Network now and yeah you can only imagine how risky that's going to be and it has not been checked out by the IT team all right folks let's finally move on to the second main section of this video that was attack surface first topic up in this section is attack surface and vectors as you can see that's going to be very much the same as the title so in case you guys don't know the attack surface is how many things a perpet writer let's call this person an actor since that's probably the proper name to call them how many things an actor can Target to get into your environment this can be a human being in other words an employee or a user it can be an app it can be a file can be a network you get the idea so the attack surface is all the points at which a malicious threat actor in other words a hacker could try to exploit a vulnerability this can be any location or method where threat actor can interact with a network Port an app a computer or a user all of these are potential attack surfaces now obviously minimizing the attack surface means restricting access so that only a few known end points or a few protocol 
supports or a few services or methods are permitted each of these must be assessed for vulnerabilities and monitored for intrud ions so what we want to do is we want to try and minimize our tax surface and um in a nutshell this can be done by for example closing ports on a fir wallet does not need to be open if you've got Services running that does not need to be running you can go and turn them off if you've got users that's not been trained on security you might want to go and train them because if you train them that's actually technically reducing your attx surface if you think about it if you go and secure people's end points their laptops desktops tablets and phones that will be a way of reducing your attack surface so this can be by installing an antivirus that's going to be a good start obviously turning a firewall on or getting a better firewall and then even better would be to go and Implement some sort of policies compliance policies dat loss prevention policies all kinds of policies like this will obviously reduce your tax surface and then of course making sure these machines are up to date the more up to date they are the better because then you're also reducing your attack surface it's less things someone can go and take advantage of in a nutshell now to evaluate the attack service you need to consider attributes of thre actors that pose the most risk to your organization for example the attack surface for an external actor in other words a hacker outside your company should be far smaller than that of an Insider threat because people that's inside your company are inside your firewall they most likely are authorized they most likely have some sort of privilege which is pretty much the same thing so obviously what they can access and what they can do is a lot bigger than somebody that's outside the company now from a threat actor's perspective each part of the attack surface represents a potential Vector for attempting an intrusion now a Threat Vector 
in case you folks don't know what that is, is the path that a threat actor uses to execute a data exfiltration, service disruption or disinformation attack. Sophisticated threat actors will make use of multiple vectors most likely, and they're very likely to go and plan a multi-stage campaign rather than a single smash-and-grab type of raid. Also, highly capable threat actors will be able to develop novel vectors. This means that the threat actor's knowledge of your organization's attack surface may be better than your own. Yes, that's a thing, guys. So there are cases where the threat actor, or this perpetrator, will actually know your organization and its security sometimes better than you even do. That is not a good thing, and if they know it very well they'll obviously know how to go and abuse it and take advantage of it and get past your security, because, well, they know it better than you. All right, and then moving on to the second topic in this section: vulnerable software vectors. Yes, we're going to talk about so many kinds of vectors, you're going to be tired of it by the end of this module, guys. So first up, vulnerable software. Now, vulnerable software, well, I think the name speaks for itself: we know what vulnerable means, we know what software is. So vulnerable software could be something like faults in code or in its design. So maybe the manufacturer or developer of the software made a boo-boo, because we are humans after all, nobody's perfect, and somebody, someone somewhere that's got nothing better to do with their time, they might have discovered that vulnerability. This is generally going to be called a zero-day exploit until, well, the manufacturer or the developer goes and patches it. Now that is a problem, that fault in the code or the design, because until it gets patched you can imagine someone can go and take advantage of that. That can be very disastrous for a huge organization or a huge company. So that's just one example of vulnerable software. Other
examples of vulnerable software are the delays and difficulty in patching. It's not like in the old days, like 10 years ago, or should I say 20 years ago, when you had a piece of software and it would take freaking forever for a newer version to be released, but in the meantime the current version you had was generally going to be very up to date and very secure. Nowadays, with the new modern software, the software has gotten so freaking complex and there's a new update or a newer version out every second or third month, which means these developers often focus their attention more on the newer stuff instead of the older stuff that needs to be maintained and secured. So if there is some sort of vulnerability in your software or your operating system or whatever it might be, the developers are not going to be so focused on your vulnerability; they're instead going to be focused more on the newer version of the software or the operating system that needs to be released, because they're trying to make money, and obviously they've got deadlines and stuff they need to meet. So it's not just about money, but that's one of the main driving forces for these people: they want to make money, so they're going to try and release a newer version as quickly as possible, but they're also just in general more focused on the newer versions versus the older versions. So if you've got an old version of a piece of software, yeah, you can expect to wait a lot longer for it to be patched or for some sort of update to be released, assuming of course it's actually still supported. You'll notice these days operating systems and software reach their end of life, or let's just say their end of support, a lot quicker. I mean, Windows 10 has already been announced: they're going to stop supporting it, I think, around October 2025, so that's going to be this year. Now, it's safe to assume Microsoft may or may not push that date back, because if you look at the amount of people that are still currently on Windows 10, that's up to 70% of
people are still on Windows 10, which is quite weird. Now, because of how many people are still on Windows 10, there's a very good chance that Microsoft might actually be forced to kick the date further back down the road, in other words kicking the can down the road, as some people might say. Other vulnerable software vectors are unsupported systems and applications. So this could just be an application or a system that's very outdated; that's actually the most likely reason. We call this legacy, and like I said earlier, these days, you know, designers or these developers are making software and operating systems quicker than ever, so the older versions of their operating systems and applications are becoming legacy, or they're being considered legacy, a lot quicker, which means there's absolutely no support. So obviously, after they're no longer supported, if somebody or something discovers some sort of weakness in an operating system or an application of some kind, yeah, don't hold your breath, there's not going to be any update anytime soon. So unless this happens to be some sort of open source operating system or application, which means you're allowed to go and edit the code and all that, then you can get your own guys to go and implement some sort of remedy. Unless it happens to be open source, yeah, you're going to have a problem, folks. That is going to be a problem: how are you going to go and update it? You might even have your own in-house developers that know how to go and do it, but they can't go into it because it's not open source. So yeah, you'd better hope something is open source if it reaches the end of life, so that if you have in-house developers they can hopefully go and implement their own code and fix this hole in the program or this hole in the operating system. Now, with this all being said, this is one of the main reasons why you'll find so many companies will go to a newer operating system. It's not necessarily because they like the new operating system or
because they want the new operating system, and granted, those might be some of the reasons; it's often because they have to, from a security perspective. Companies, especially medium to large sized companies, whenever an older operating system is no longer going to be supported, you'll find them switching over to the new one as quickly as possible. They cannot afford for an application, or especially an operating system, to not be supported. They need support from the developers or the manufacturers. If you look at something like a Microsoft operating system like Windows 10, if Microsoft eventually decides to, you know, discontinue support for Windows 10, I can tell you now people are going to be switching over to Windows 11 very quickly, not necessarily because they want to (some yes, some of them no), it's because they will have to. Companies cannot afford to go without support; they need these systems to be updated, so if a new weakness is discovered, let's say tomorrow, they need that weakness to be patched within the next couple of days, as quickly as possible. All right folks, and then we've got something called client-based versus agentless. Now you're probably wondering, what the heck is that? Well folks, this has got a bit to do with scanning software in your company environments. So with scanning software, this helps organizations to automate the discovery and classification of software vulnerabilities. You'll find a lot of medium to large sized companies these days have got all kinds of cool, fancy, sophisticated scanning software, but I suppose it depends on your IT team's skills and their knowledge, and it depends on your IT budget, whether you can afford these tools, because, you know, these are not tools that necessarily come with Windows; you'll have to go and buy these tools separately and you'll have to go and learn how to use them if you don't know how to use them yet. Now unfortunately, folks, these very same tools can also be used by threat actors, the bad guys in other words, as
part of their reconnaissance against a target. This scanning software can be implemented as a client-based agent; in case you didn't know, the agent will then run as a scanning process installed on each host and it reports to a management server of some kind. So normally how we'll go and do this is we will go and install this on each endpoint in our company, you know, people's machines, and then these machines, the client pieces, will report to the server on which you've installed this. Alternatively, the vulnerability management product might use an agentless technique to scan a host without requiring any sort of installation. So that is possible these days, but it does depend on the software we're talking about, so I can't say that this is going to be the case for all of them; it depends on which one we're talking about, because you do get multiple ones out there, folks. Now, agentless scanning is most likely going to be used in threat actor reconnaissance, because these threat actors, remember, are the bad guys; they don't necessarily have direct access to the machine and they don't necessarily have the ability to go and install stuff directly on these machines. So since they can't always install stuff on the machines, they might need to use an agentless scanning approach instead of one that's actually installed on the machine. Makes sense, doesn't it? All right folks, I think we've spoken enough about software vectors; let's talk a bit about network vectors. Even though the title says network vectors, here and there we are going to be mentioning software under this topic. So with that being said, vulnerable software, folks, gives a threat actor, in other words the bad guy, the opportunity to execute malicious code on a system. Now, to do this the threat actor must be able to run the exploit code on the system or over a network to trigger that vulnerability. So it's not as simple as "hey, let me just go and run it"; they need to somehow be able to do that over the network. Now, that being said, an exploit technique for
any given software vulnerability can be classed as either remote or local. So they're either going to be executing it locally, so the person might be nearby, or they're going to be executing it remotely, so they might be sitting someplace else. Now, in terms of remote, this means that the vulnerability can be exploited by sending code to the target over a network and does not depend on an authenticated session with the system to execute. In terms of local, that, folks, means the exploit code must be executed from an authenticated session on the computer. You'll find there's a lot of things these days where the hackers might have a lot of skills, they might be a very high capability user as some folks say, but some of these things sometimes still require the perpetrator to have direct access to the server or the machine that they're trying to compromise. So the attack could still occur over a network, but the threat actor needs to use some valid credentials or hijack an existing session to execute it. Consequently, to minimize risks from software vulnerabilities, folks, administrators must reduce the attack surface by eliminating unsecure networks. An unsecure network, in case you folks don't know, is one that lacks the attributes of confidentiality, integrity and availability, something we have spoken about on this course before. So starting with the first one, confidentiality: with the lack of confidentiality, threat actors are able to snoop on network traffic and recover passwords or other sensitive information. These are also described as eavesdropping attacks, folks. And in terms of lack of integrity, the threat actors are able to attach unauthorized devices. These can unfortunately be used to snoop on traffic or intercept and modify it, run spoof services and apps, or run exploit code against other network hosts. These are often described as on-path attacks. And then the last one, in terms of lack of availability, the threat actors are able to perform service disruption attacks, and these are also
described as denial of service attacks. So each of these has their own, you know, main name and they've got like a subcategory name or a nickname, if you want to call it that. Now folks, a secure network uses an access control framework and cryptographic solutions to identify, authenticate, authorize and audit users, hosts and traffic. Now folks, there are some specific threat vectors associated with unsecured networks, and these are as follows. One of them would be something like direct access. In this one the threat actor uses physical access to the site to perpetrate an attack. Examples could include getting, let's say, access to an unlocked workstation, using a boot disk to try and install malicious tools, or, believe it or not, physically stealing a PC, laptop or disk drive. People still do that, by the way. And then when it comes to wired networks, if it's a wired network, a threat actor with access to the site attaches an unauthorized device to a physical network port and the device is permitted to communicate with other hosts. That's very bad, obviously. This potentially allows the threat actor to launch eavesdropping, on-path and denial of service attacks. Now, just on a side note before we continue here, guys, you'll find what some companies will go and do to kind of mitigate against that is they'll go and put something called port security. So if someone goes and unplugs a network cable on a switch and they plug the same cable back in, nothing happens, as long as it's the same device on that port, because it memorizes the device's MAC address and things like that. But if you go and unplug a device on a port on a switch and you plug another device in, which obviously has a different MAC address and things like that, port security will kick in. Now, this could be just to send a nice little email, you know, to the IT team or security that says "hey, watch out, someone just plugged in something new on this port", or it could do something different like shutting down the port, which is my personal favorite. So I
used to implement this at companies where, if someone plugs in something else on the port, whether it was accidental or malicious, it will shut down that port automatically and I will have to come and turn that back on manually. You know, rather safe than sorry, as folks say. Now, on the specific vectors, we've also got other things like remote, wireless, cloud and Bluetooth, just to name a few. So on the remote and the wireless, folks, the attacker either obtains credentials for a remote access or wireless connection to the network, or cracks the security protocols used for authentication. Alternatively, the attacker spoofs a trusted resource, such as an access point, and uses it to perform credential harvesting and then uses the stolen account details to access the network. In terms of cloud access, many companies now run part or all of their network services via internet accessible clouds; I mean, almost everybody's using the cloud these days. The attacker only needs to find one account, service or host with weak credentials to gain access. Scary thought, isn't it? The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider, yes, that's a thing, as a way of accessing the victim's machine. And in terms of Bluetooth network, the threat actor exploits a vulnerability or misconfiguration to transmit a malicious file to a user device over the Bluetooth personal area wireless networking protocol. And then lastly, folks, under specific vectors, this could be something like default credentials. I mean, you can probably guess what that is: the attacker gains control of a network device or app because it has been left configured with a default password. You've probably heard that rule zero where we say "change the default password", folks; this applies to anything. So if there's no password, put a password on; if it comes out with its default password, which is normally going to be blank or admin or admin 1 2 3 4, those are very common
default passwords for a lot of devices. Please, my goodness, folks, change that. So this can be something like a switch, it can be a firewall, it can be an access point, it can be anything. Most of these devices either have a blank password in the beginning or their password is something like admin or admin 1 2 3 4. So whether it be an access point, a router, a firewall, a switch, you name it, please log in and change the default password, and in some cases you might even need to go and change the default IP address, otherwise you can have an IP conflict, but that's a topic for Network+, not for Security+. Oh yeah, and then one last one, folks, I almost forgot: open service ports. So if you have an open port in your company, then you can obviously imagine that that's going to be bad. We always say any port that does not need to be open, please go and close it. Now, the good news is most ports, out of the 65,536 ports, most of them are closed by default for your own safety and security, but there are a couple of them that are open for, well, various things. Some of these are considered well-known ports, which are also known as common port numbers, and if you're not using some of these port numbers it would be wise to go and close these ports, otherwise somebody like a threat actor can go and take advantage of that. All right, now moving on to another vector: lure-based vectors. So we spoke about software-based vectors, we spoke about network-based vectors, now we are on lure-based vectors. So in terms of lure-based, that name should also tell you what it's about: it's about luring the user into doing something they're not supposed to, tricking them, luring them. So this can be things like bait that will tempt the target into opening it. Maybe it's going to pretend to be some sort of game and then it's not. Sometimes, whatever they're pretending to be, it actually will do that, because they don't want the user to go and uninstall this, so if it's pretending to be a game it'll probably be a game, but in the
background it's also doing something else. This can be via email, where I will try and tempt the user to open this email where they would normally not. I'll maybe go and make the subject something juicy, "how to go and make money in only 5 days", or I'll pretend like this is someone's salary slip that's been sent to them by mistake, and because of people's curiosity they're going to want to see it, and if they click on it, boom, you've got them. Now, lure-based can also be something like a removable device. So lots of times the threat actor will try and trick the user, or your users, into opening this flash drive, this external device or whatever it might be; they're going to try and get them to plug it in and in some cases to try and trigger something. Now, lots of times these days you don't even need to go and click on something: as soon as you go and put the flash drive or the external device into the machine, that alone is very often enough to trigger any form of malware that might be on it. Other times you might need to actually open it and actually click on a file first. By the way, we call this a drop attack. And then the more common one these days is you don't need to do anything; as soon as the user goes and inserts that into a machine it's going to trigger it automatically, and that, folks, is one of the reasons why we turn something called autoplay off. I'm not supposed to give you guys the solutions quite yet to these things, but I'm just mentioning it: if you turn autoplay off on your machine, that's one of the ways you can somewhat mitigate against it. Now, what we also find under lure-based vectors is executable files. Now, what I mean by that, once again, it's going to pretend to be something it's not: it's going to pretend to be some cool useful toolbar, some awesome game, some awesome software, and often whatever it pretends to be, that something will work. If it's pretending to be a game, that game will most likely work, because they don't want you to uninstall this, otherwise the malware
is missing in some cases. So by tricking you to keep this on the machine, you know, distracting you if you will, the stuff in the background, the malware in the background, which we call a trojan horse malware, that thing can go and do what it's supposed to. Now, a trojan horse, in case you guys don't know what it is, it is malware that pretends to be one thing, meanwhile it is doing something else in the background, meanwhile it's harming your machine in the background. Other lure-based vectors you get, this is just, you know, something that happens to fall under this category, is document files. This can be a Word document, a PDF document, things like that, and generally what they'll have is they'll have stuff embedded in them. So it might be a legitimate document with legitimate information on it, but it's got other stuff embedded into it. This includes, but is not limited to, things like macros and scripting technology, things like that, guys. So just because it's a document that legitimately looks like a Word document or a PDF document, it might even open, that doesn't necessarily mean it's safe, folks, which is why you should always go and scan this stuff. This can also include image files or even video files, for that matter. Image files, video files, I forgot to list video files here, but it actually can also include video files. So if you've got an image file, guys, the image might legitimately open, it might be a photo of something or just a nice picture of something; that image can have malicious code in it. So there are viewer or browser vulnerabilities, but I've also seen some people will go and use, once again, macro or scripting technologies on these images or video files, and if you go and download something very popular online, chances are you're going to get infected. One of the places I've seen this most often is video files, especially for folks that go and download movies and series online. So they go to these not so nice websites, I believe CompTIA calls them unsavory websites, sites you
know which ones I'm talking about, and they'll go and download some sort of torrent, because this is not available in their country, or it's not on their streaming service, or they don't want to pay for a streaming service, maybe. They'll go and download these episodes, and if it's a very popular show or a very popular movie there's a very good chance that video file, folks, might have some sort of macro or scripting technologies in it, and you're not going to like how it's going to end, trust me. All right folks, and then another vector I've got for you, yes, there's another one: this one is called message-based vector, or vectors. This is the last one I'm going to talk about, you know, in terms of these different kinds of based vectors, and then we'll move on to a slightly different topic, in case you guys are tired of these vectors. Now, when using a file-based lure, folks, the threat actor, in other words the bad guy, needs a mechanism to deliver the file and a message that will trick a user into actually opening the file on the computer. Now consequently, any features that allow direct messaging to authenticated users must be considered as part of the potential attack surface, folks. So I'm going to list a few here for you guys; I'm going to list five for you guys. The first one is email. Now, with email, the attacker sends a malicious file attachment via email or via any other communication system that allows attachments, and in this case the attacker needs to use social engineering techniques to persuade or trick the user into actually opening the attachment. So just because I've managed to send this to you via email doesn't mean it's harmful; it's only harmful if the user falls victim to my social engineering. So I'm going to tell him "hey, I just sent you a mail, can you quickly look at this attachment", and then boom, I've got you. In terms of message-based vectors, this can also be something like a short message system, which you folks might know more commonly as an SMS. So a file or a link to a file is simply just
sent to someone's device using this SMS system, and once they click on the link or they open the file, then boom. Now, I personally don't really worry about SMS that much these days. I mean, yes, we still have SMSes and people receive them every day, but nine out of 10 people don't even check their SMSes. I actually missed one for the last two days. I was supposed to go and pick up glasses for my son the other day, and the optometrist sent me an SMS. I mean, who still uses SMSes? I was expecting a phone call or a WhatsApp or an email, and the optometrist sent me an SMS, and then only after 2 days, when I was doing something else, I coincidentally saw this SMS. It says "hey, your son's glasses are ready for pickup", and I was like, what? So purely by chance I saw this SMS; if it wasn't for something else I had to go and check, I would have missed this message. Very annoying. So I'm personally not too concerned about SMS, folks. Then you also get instant messaging, good old IM. Man, this brings back some nostalgia. So many years ago you got things like Yahoo Messenger, Hotmail Messenger or the old-fashioned Skype and things like that. I'm not sure if any of you guys remember those; it depends on how old you are. Nowadays you don't really get those. I mean, I suppose you still get Skype, but people are not really using it that much anymore; instead people use the company version, which is called Skype for Business, which has now since been replaced by Teams, or they'll go use something else like Zoom or some of these other platforms. Now, getting back to the point here, in terms of IM there are many replacements for SMS that run on Windows, Android or iOS. Now, these can support voice and video messaging plus file attachments. So all of the ones I've mentioned earlier, both the old ones and the new ones, folks, they all support file attachments. So if I send you a message with a file attachment or a link even in it, you can imagine that that's going to, you know, that's going to compromise your account. It can give me access
to your account, or it's going to install some sort of malware, or it's going to do something else; either way, not good. Then folks, we also get web and social media. Yeah, this is very popular, especially on Facebook these days. I'm not sure if you guys have seen, but like literally half of Facebook accounts these days are hacked. Now folks, I personally am almost never on Facebook, because, well, just because of this fact, you know, there's just too many accounts that have been compromised and a lot of the people don't know it. So if you go check on someone's wall, that's one of the ways you'll notice: if they start posting all kinds of weird nonsense that you know for a fact this person would never post, because maybe you know them very well, you know, talking about weight loss products or money making tactics and things like that, and you know for a fact this friend or family member or work colleague of yours will never post things like that, yeah, that's a telltale sign that their account's most likely been compromised. Sometimes the user's been locked out, other times they've not been locked out, they just don't know that this is happening. Now, if they're lucky, by just changing their password they can potentially go and lock this perpetrator out, but it's normally going to be an automated system. Now, whatever I'm saying here, guys, is not limited to Facebook, but that's one of the main ones I've seen where people are using it less and less these days, because, well, it's just so annoying when half the people's accounts have been compromised; there's no real security there. So in terms of web and social media, malware may be concealed in files attached to posts or presented as downloads, folks. The attacker may compromise a site so that it automatically infects vulnerable browser software, a drive-by download as some people call it. Now guys, if you look at something once again like Facebook, if you click on the wrong post that can give me access; if you open the
wrong picture, that can give me access, and my goodness, if you use the instant messaging system on Facebook, that's one of the easiest ways to gain access to someone's account. So sometimes in the old days you had to click on a certain link first: if someone sent you a message and they said "hey, look at this" and you clicked on the link, then boom, I would have access to your account. But these days it's as serious as you just opening an instant message. So by not clicking on any link, by someone just sending you a message, even if it's someone you know, if you just open that instant message, that alone is enough to give me access to your account. So do not use the instant messaging on Facebook's platform. Strangely enough, WhatsApp is still fine, which is technically the same platform, because I think they're both called Meta, "Meta" or "meta", I can't even pronounce that, but WhatsApp used to be a separate entity; that's probably where the difference comes in, why the security is much better. But in terms of Facebook Messenger, guys, don't use it. If you're going to open a Facebook message, even if it's from someone you know, that's the quickest way you're going to get compromised. Also, if you accept friend requests from people you don't know, well, these days it can even be someone you know, that alone is also enough for me to compromise your account. So if somebody wants to send me a friend invite, I'm going to first ask them to send me a message and say "hey, I've sent you a friend invite, please accept". But if I get a friend invite from you, even if I know you, if I was not expecting one from you, I'm not going to accept; I expect you to first phone me or in person tell me "hey, listen bro, I just sent you a friend invite on Facebook, can you please accept", then I know it was you, it was not some sort of automated system, because if it was not you that's a very easy way to actually compromise someone's account. Anyway, we're getting a little sidetracked here in terms of social media. Now, something I also want to mention,
which is more of a voice one and all that: message-based vectors can also be exploited by a threat actor to persuade a user to reveal a password or weaken the security configurations using some type of pretext, folks. Now, this type of attack might be perpetrated simply by placing a voice call to the user. I can sometimes just call you, you know, if I'm this threat actor, and I can trick you into doing some of this stuff for me. You know, I can be pretending to be from a help desk and I can say "hey, listen, can you quickly just turn off the firewall for me, I just need to quickly test something, blah blah blah", and before you know it, boom, you've been compromised. All right, then let's move on to the last topic in this specific section: supply chain attack surface. On its own the name kind of makes sense, but it also might sound somewhat confusing to some of you guys. It actually entails a lot of things, folks, so let me start at the beginning. A supply chain, which is not just an IT thing by the way, but we're coming at this from an IT perspective, a supply chain is the end-to-end process of designing, manufacturing and distributing goods and services to a customer. Now, that makes sense, doesn't it? Now it's going to get a little bit more complicated from this point forward. Now folks, rather than attacking the target directly, a threat actor, in other words the bad guy, may seek ways to infiltrate it via companies in its supply chain; in other words, the hacker is going to try and indirectly get an attack in here. Now, the process of ensuring reliable sources of equipment and software, that, folks, is called procurement management. Now, in procurement management it is very helpful to distinguish several types of relationships; I'm going to mention three of them for you guys. The first of which is supplier. Now, the supplier, folks, I'm sure you guys know what the supplier does: the supplier obtains products directly from a manufacturer to sell in bulk to other businesses. This type of trade is often referred to as a
business to business trade. Then you of course get the vendor, you know, well-known vendors, and that would obviously be something like CompTIA, Microsoft, those kinds of things, but vendors are obviously not just limited to IT training vendors. So with the vendor, that's the one that obtains the products from the suppliers to sell to retail businesses, which is also business to business, quite frankly, or directly to customers; the vendor can actually also sell directly to customers. Now, what the vendors also sometimes do, the vendor may or may not add some level of customization and direct support. So if we go look at something, let's say, like an operating system, I'm thumb-sucking here, guys, if you look at something like Windows 10 or Windows 11, something that most of you guys will probably know by now, depending on the computer you buy, that Windows 10 or Windows 11 is not the stock factory Windows 10 or 11; it might have a couple of extra additional pieces of software. One such brand is Dell, I'm just giving you guys a totally random example here, not promoting or demoting any brands here, but if you look at something like Dell, they've got a lot of extra additional software, functions and features embedded in the operating system. It's not the stock standard version of the operating system; they've got lots of extra thingies that are now embedded in here. That's an example of the vendor adding their own customization. Now, something else you get here is a business partner. Now, business partners, this implies a closer relationship where two companies share quite closely aligned goals and marketing opportunities. For example, guys, if that doesn't make sense, Microsoft, which is a very big name, so I'm going to use that name again, is a major software manufacturer and a vendor of course, but it is not feasible for such a huge entity to establish direct relationships with all its potential customers. I mean, guys, you know how big Microsoft is and we know how many customers they've got; it is not feasible,
it's completely insane for them to go and directly communicate with all customers it's not feasible so they're going to need some help so to expand its markets it develops partner relationships with original equipment manufacturers which you guys might know as oems and solution Partners Microsoft then operates a program or certification kind of like this comti A+ certification so they've got their own programs of certification and training for its Partners which improves product support and security awareness so every time Microsoft releases a a product they will go and release various training courses for that product and various certifications people can go and go and learn about this course they can go and certifying that course and that in turn doesn't just give those people the skills and a potential income it also helps support Microsoft indirectly if you think about it so each supplier and vendor has its own supply chain folks for example something as simple as a motherboard manufacturer and supplier will use companies to fabricate individual chip components the supply chain extends to distribution and um obviously this includes things like delivery companies and careers which are part of it so yeah guys a motherboard is not just one person that makes it there's various companies that will go and make various chips the end of the day all of these companies will work together to actually get the board made and then we still need to get this board delivered to where it needs to go where it needs to be stored and sold and built into computers there's a lot of people here in this chain link each of these is a link in the chain so the supply chain breath and complexity exposes organizations to a huge attack service I mean if you look at how big the supply chain is mean we've got people making chips people that's making other components of the boards people has to put it all together um the people has to put it in boxes the people has to go and get it from one 
destination to another destination people has to store it and has to sell it and all that each of these things I've just mentioned is a link in the chain or a link in the supply chain and each of them could possibly be compromised so it's very important that you or whoever this is that they trust every Link in the supply chain because the bigger your supply chain is or the more links you've got in this this chain of yours imagine an actual chain the higher the threat is because the more places there is for a perpetrator uh a bad actor the more plac that there is for them to go and launch an attack of some kind basically anyone with the time and resources to modify the computer's firmware they can potentially go and create a backd door access you know so that's not good if anyone is alone or left alone of this motherboard you can only imagine what they can do they can go and compromise it put it back in its box and then go and sell it to the better market and then yeah whoever ends up with it is not going to be too happy the same is true for any computer or any network Hardware software or service quite frankly folks establishing a trusted supply chain for computer equipment and service essentially means denying malicious actors the time or resources to modify the assets supplied vit industry folks also depends on trade in Industry Services as well as physical assets a managed services provider which we generally just call MSP for short they provision and support ID resources such as networks security or web infrastructure now these msps are useful when an organization finds it cheaper or more reliable iable to Outsource all or even part of it provisioning rather than just trying to manage it all directly themselves from a security point of view this type of Outsourcing folks is complex as it can be difficult to monitor the whole MSP the msp's employees are all potential sources of Insider threats if you think about it so that's generally why we try and avoid that 
as much as we can, you know.

All right folks, so yeah, finally that brings us to an end of the second main section of this video. Moving on to the third and the last main section in this module, social engineering.

All right folks, the first topic in this last section is human vectors. Yes, I know you're probably wondering, there we go again with the vectors, but this time we're talking about social engineering. So human does not fall under the previous sections we were talking about; a human vector is part of social engineering, because social engineering in a nutshell is to trick someone into doing something, or to trick someone into giving you something, that's if I have to put it into a nutshell, but we'll go into that in more depth in just a moment. So under human vectors we're talking about hacking the human, like I said, tricking them into doing something or giving you something. Now unfortunately this is one of the weakest links in most companies. As I've said earlier in this module, you can have security that looks like it's straight from NASA for crying out loud, the latest of the latest, the best of the best, but if you have normal people working in your company that have not been educated in security, then all that security is going to go out the window and it's not going to mean anything. So you need to train your people. I'm not saying you have to put them on a fancy course, just train them on the basic security, what to look out for. For example, tell these people that someone will not mail them to ask them for their password or username for any platform, that's not normally how it works. Most platforms, they generally have your username and password on their system, they will not contact you to ask you what your username and password is. That will be an example, because a lot of people are going to receive emails which are basically a phishing expedition. They're going to receive an email from some perpetrator, a bad actor, and they're going to pretend to be some sort of well-known person or well-known entity, company, like their bank, and they're going to say hey, we need you to quickly confirm username and password, and these people are going to fall victim to that. So train your people not to fall victim to those kinds of nonsense.

Now the purpose of social engineering folks is to trick users, like I've said so many times before. So this includes, but is not limited to, things like reconnaissance and eliciting information. So these people can go and use social engineering as a tactic to see what's going on in your company, to learn more about your company, because sometimes these bad actors, they're not inside your company, they're working remotely. Now they want to compromise your company, break into your company, but sometimes to do that they need a little bit more, they need more information. Now if they can't get in, another way to get the information they need is to trick your users into giving them what they need to know. They might ask these users, do you have a firewall, you know, they'll obviously do it indirectly, do you have servers on premises or in the cloud, how many servers do you have, what kind of servers do you have, are you an administrator, or blah blah blah. So obviously these questions will not be asked directly, but they are going to trick users into answering questions, giving them more information which they can use in another attack. Now under all of this we can also say this is used to do intrusions and gain unauthorized access. So once they've gotten that information out of the user, whatever information they were after, they can use this to do some sort of intrusion or gain unauthorized access.

Now there's many possible scenarios folks, many, I'm just going to give you guys three here, but there's actually many. So one scenario would be to persuade a user to run a malicious file. So sometimes there might be a scary message that pops up on the user's screen, a fake message of sorts, it tells them please click on the following file to run an antivirus scan, your computer has been compromised, click on the following button or the following link to run an antivirus scan, and as soon as they click on this button or this link, boom, something happens on the machine. So you'll find especially a lot of these happening in browsers, so if you go to certain websites and you don't have proper sufficient security, popup blockers and all that kinds of jazz, you're going to see a lot of popups popping up. Now for people in IT like ourselves it's not too big of a deal because we know, we just ignore these, but for someone that's not in IT, I'm not saying these are dumb people, it's just they're in a different field, they might be a doctor, a lawyer or something, they don't know about these threats, how they work and all that kinds of stuff, so we are there to protect these people like guardians. Now unfortunately some of these people are going to click on some of these ads from time to time, and they are going to install stuff on their machines from time to time, or just execute malware in some cases. So there's many ways that you can go and persuade the user to go and run a malicious file, that is just one of them guys. Other possible scenarios would be to contact a help desk and solicit information out of them. So sometimes these bad actors, these threat actors, will contact an IT help desk, or sometimes a different kind of help desk, and they'll pretend like they need some sort of assistance, meanwhile they don't really need assistance per se, they're using this as an indirect method to get information out of the help desk. Yes, it's a thing guys, just because the help desk is in IT does not mean they don't have a target on their back, help desks actually sometimes fall victim to this too, believe it or not. And then the last scenario I'm going to give you guys is gaining access to premises and installing a monitoring device. Now unfortunately for this to work the person generally needs direct access to the premises. There is ways and means to do this without direct access, but generally the perpetrator would have needed to be on premises physically, in person, at one point in time to install some sort of monitoring device. This monitoring device could be software too by the way, just FYI, could be spyware. If you look at spyware, lots of forms of spyware often require the perpetrator to have direct access to the machine at some point in time, and if they had direct access to the machine they can obviously go and insert a flash drive or something like that and install the software. Now there are ways to get spyware onto a machine even if you don't have direct access, but most of them involve having direct access to the machine, and the same applies to these monitoring devices, you or the perpetrator would have had to have access to the premises at least once at some point in time.

All right, I'm going to move you guys on to something called impersonation and pretexting. So impersonation, for those of you that don't know, means pretending to be someone you're not. I suppose you can say it's a form of spoofing to a certain extent, if you know what spoofing is, forging something. Now folks, these people that are going to pretend to be someone they're not, or from a department they're not, they're very persuasive, consensus, and they've got a liking approach. So generally you'll find, oh okay, it seems like the guy from the IT department, he or she is so friendly, so helpful, meanwhile this person doesn't even work for the IT department, they're just pretending to work for the IT department because they need information, or they want to try and compromise your machine or gain some other form of unauthorized access. They'll basically try and coerce you into doing things you're not supposed to, kind of force you. So generally, you know, I would ask you, hey, can you kindly please do the following for me, if now is not a good time let me know and I'll come back later if it's not urgent, but these people, especially these scammers and whatnot, you can go and find a lot of videos
about this online on YouTube by the way. Go run a search on YouTube when you've got free time, and if you're in for a good laugh, you know, there's lots of funny videos about this on YouTube. By the way, run a search on YouTube for these scammers, these hacker scammers that get caught out by an even bigger hacker, a white hat hacker. So you get lots of these IT scammers that are normally in some urban countries, and they'll try and trick people that know nothing about IT into giving them important information, or running a file, or doing something, it's not nice. They'll give you a sense of urgency that you need to do this right now, if you don't do this right now you're going to lose your data, or if you don't do this right now it's going to cost you the following amount, they'll give you a sense of urgency, these scammers and whatnot. And if you're going to act calm and you're going to be slow on the phone you're going to really irritate these people, and if you go watch those scammer videos it's hilarious to see how these white hat hackers, which are sometimes way, way better than the scammers, how they catch them out. They'll pretend to be dumb, like they've got no experience, like they're very incapable, meanwhile they know way more than these less capable scammers or hackers, whatever you want to call them.

So just to summarize that first point we've got there, persuasive, consensus and liking, so there's two ways to go about this: you can either go and try and get the user or the department to like you, or you can try and intimidate them, scare them into doing stuff, force them into doing stuff. So the persuasive bullet point there, that is to convince the target that the request is a natural one and it will obviously be a bit impolite or even just odd to refuse this, you know. The second point there is one where you're going to go and give them a sense of urgency, you're going to try and intimidate them, you know, maybe pretend to be someone from the IT department, scare them and tell them this needs to be done immediately, I need to check your machine right now, give me access right now, there's something very urgent that I need to do, and that's going to scare people, especially if they know you're from the other department, or if they think you're from the other department. So that one we can say it is to intimidate the target with a bogus appeal to authority or penalty, such as getting fired, or not acting quickly enough to prevent some dire outcome. So you're just going to basically scare them, you're going to tell them hey, if you don't do this now you're going to get fired or something bad is going to happen, you basically scare them to a certain degree.

Now folks, a classic impersonation attack is generally for a social engineer to do something like phoning into a department, and these social engineers will then claim to have to adjust something on their system, and they'll claim that they have to do this remotely, they'll give you a sense of urgency, we need to do this immediately, and generally they'll somehow get the user to reveal their password, and that's the last thing the user needs to do as you can imagine. They generally have a whole dialogue already planned, you know, so they probably have this written down for all we know, a script, if you want to call it a script, like a movie script, so they've got a script of lines that they're ready to say and it's going to sound very convincing. Now guys, when they use this carefully crafted story which sounds very convincing, and sometimes very intimidating to a certain degree, that is called pretexting. It's a script of sorts, so if you don't know what pretexting is, it's kind of when the perpetrator goes and makes a script of sorts, they already know what they're going to say, they've ten to one written down the sentences of what they're going to say, and if you have a certain response they've already got an automatic response for that. So that is pretexting, they're kind of predicting what you're going to say, they've got answers for every question you might have or everything you might potentially say. So folks, with pretexting these perpetrators normally make a very convincing impersonation, and this is to either charm or intimidate the target, and this usually depends on the attacker obtaining privileged information about the organization. So if this perpetrator has any information about the organization or the person they're talking to, they can actually make this sound more believable, and that's why you guys need to be very careful of other things, which we call dumpster diving. Dumpster diving is not a topic right now, but it is security related. So dumpster diving is not necessarily someone actually diving into a dumpster, like the American dumpsters you get, no, this can just generally be someone going through your trash. This could be a little bin underneath your desk, maybe you've got some sticky notes there or any documents or papers that's not been shredded, and if they can find anything of value, which is not necessarily a password, a username or an account number, no, this can just be general information about the company or the person at that desk. Now if they can find that information they can actually use that information to their advantage, they can phone you or email you and list some of that information and they can make themselves sound more legit. So they can pretend to be from that department, and obviously if they mention some information that other people would normally not know, it's going to sound more legit, don't you think? So be very careful of stuff you just throw in your trash guys, because that can potentially be used in a pretexting environment. Now in these pretexting environments you'll find the attacker will sometimes impersonate a member of the organization's IT support team. Like I said, the attack will be way more effective with the identity details of the person being impersonated and the target, so obviously the more details they've got, the more effective it's going to be, the more believable it's going to be.

Now folks, some social engineering techniques are actually in fact dedicated to obtaining this type of intelligence as a reconnaissance activity. So they might not be out to hack you immediately when they talk to you, their main goal that specific day or that specific moment might just be to get information so they can use it later down the line, maybe later today, next week, next month or even next year in some cases, you never know. So as most companies are set up towards customer service rather than security, yeah, this information is typically quite easy to come by unfortunately. Now information that might seem innocuous, such as department employee lists, job titles, phone numbers, diaries, invoices or purchase orders, that guys can help an attacker penetrate an organization through impersonation. The more they know, the more believable it's going to sound, because it's almost as if they work there, meanwhile they don't work there, they've just kind of been carefully studying your company actually.

All right folks, I'm going to move you on to the next topic here, phishing and pharming. Now before we dive into this topic I'm going to play a bit of a game with you guys. So for those of you that's been on my channel for a while, especially if you watch my long videos, you know what game is coming up right now. So what I'm going to do is I'm going to give you either a word or a phrase, and you guys can either go and type it as is in the comment section, but that's just boring so I wouldn't advise that, or you can have some fun with this word or phrase and make a new sentence with it. Now the purpose of this is just for laughs actually, more than anything else. So if anyone is reading through the comment section just randomly, which people like to do from time to time, and they have not watched the video up until this point, they'll have no idea what's going on, because why are people saying this random word or this random phrase the whole time, and only people that's
obviously watched the video up until this point, only they will know what's going on. So today's random word is one word, it is Cylon, yes, Cylon. So that is a word from a TV movie or a TV series, if you've watched it you'll know what it is, and I want you guys to preferably create a sentence using the word Cylon. Now the only rules to this is you need to stick to YouTube's policies and guidelines, so no swearing guys, don't say anything mean, so you're obviously welcome to make something funny of this if you want to, but just stick to YouTube's rules, I don't want the YouTube police on my case or your case, that's not going to be nice. So let's see who can be the most creative with the word Cylon. Now besides this you guys are obviously still welcome to post your normal questions in the comment section down below, and if I see any questions I will gladly answer those questions as quickly as I possibly can. So this is just an extra side game for giggles and all that. So with that out of the way guys, let's move on to phishing and pharming.

Now phishing, yes, you do spell it like that, it's not a spelling mistake guys. You actually get different kinds of phishing, but the main kind of phishing you get is to trick a user, normally via email, into clicking on a link or giving information. So if I send you an email and I for example pretend to be a company or an entity that you're comfortable with, let's say your bank perhaps, if I send you an email and I pretend to be your bank and I ask you for your username and password, that would be an example of phishing. On its own that's not very effective, as you can imagine, because even people that's not in IT might not necessarily fall victim to this, because if you see an email coming from the bank but it doesn't look like it's coming from the bank, if you look at the email address and it comes from, let's say, an @gmail or an outlook.com email address, yeah, that looks pretty suspicious, wouldn't you say? So even people that's not in IT would not necessarily fall victim to that, because even they know they need to go and look for the email address that it's coming from. But if it actually comes from an email that actually looks like it's coming from the bank, what do we call that folks? It's called spoofing. Phishing is most commonly combined with spoofing. Spoofing is basically, in a nutshell, to go and forge something like an email address. So these perpetrators, these bad actors, these bad apples, they will go and spoof an email address for a well-known person or entity, and they'll pretend to be that person or entity, and they'll try and get information out of the user. So that is phishing in a nutshell, it's usually going to be by email but it's not limited to that. So that being said, phishing is to trick the target into using a malicious resource, so I want to trick them into going to a certain website, and maybe the website is the malicious platform, that could be an example of pharming, which we'll talk about in just a moment, that's also in the title, or the link in itself was malicious, so as soon as you click the link I've compromised your machine, although that doesn't really classify as phishing now, does it? So generally for this to be phishing the link will take them to a resource like a website where I'm going to do something called pharming, more on that in just a second, or in the email itself I'm just going to ask them for information, it could be something like that. Phishing can also be to spoof legitimate communications and sites. So I can go and pretend to be someone I'm not, a person or an entity, and I send you an email that looks like it's coming from them, so that's spoofing legitimate communications. In terms of sites, they will go and make a fake website that looks exactly like a real website. This could be something as simple as Facebook guys, Facebook requires a person to log in, or Twitter, which they now call X, or Instagram, or your banking website, these websites require users to log in, and if I give you a link to click on and it takes you to a website that looks exactly like the real website but it's not, that is pharming, which we'll get to in just a second. So if I trick you to go to that website and you go and type in your details, I'm going to farm your details.

Now other kinds of phishing you get, let's call these subcategories, is vishing, hopefully I'm pronouncing that correctly. It's pretty much the same kind of thing folks, this is just to do it via a voice telephone call. So if I phone you instead of mailing you and I pretend to be some person or entity, like the bank once again, and I try and get information out of you, that is called vishing. Then of course you get smishing, I'm not even sure if I'm pronouncing that correctly, I'm probably butchering the name, but it is via a message, so it's kind of like an SMS of sorts. So I'm going to send you a message, a text message, most likely via SMS, and I'm going to try and persuade you into giving me details. Now obviously folks, it goes without saying that passive techniques have less risk of detection, so the more passive it is, the better for these perpetrators. They will generally try and use the path of least resistance, and they will generally try and use the path that's the easiest and that's the least amount of risk for them to be detected.

And then just quickly to recap here, I did actually kind of accidentally explain this: pharming. Pharming is usually to try and get a user onto a website, how you do that is up to you if you're the perpetrator, but it'll normally be a link in an email or something like that. They click on the link or something like that, they go to a website that looks like a legitimate website, they type in their login details, and this perpetrator will get their login details. Now sometimes, to not raise suspicion, and it's not really part of the topic here, right after the user types in the login details it'll actually divert them to the real website that looks just like that. Why, you ask? Well think about it, if you go to Facebook or your bank or anything like that and you
type in your login details and the page just says wrong login details, or it just reloads and nothing happens, you're going to start thinking this is suspicious, don't you think? You might even try and reset your password, which is not what they want. So to not raise any alarm bells they'll divert you to the real website after that, and you're going to think okay, what's going on, maybe the internet was just being wacky at that moment, you'll try and log in a second time, and the second time it's most likely going to go in because you are on the real website, and that's obviously going to raise less suspicion, meanwhile the first time you logged in they actually captured your details, which is why it's called pharming. Now this guys is also done often by using redirection by DNS spoofing, just in case you guys didn't know.

All right folks, and then I'm going to take you on to one of the last topics in this video, it's not the last topic quite yet, it is something called typosquatting. Yes, I kid you not, there's an actual term out there called typosquatting, it's an actual thing, feel free to go and look it up. Now typosquatting makes phishing messages more convincing. Now what typosquatting also is guys, is when these threat actors, these bad guys or hackers, they will go and register a domain that looks very convincing, it looks like a real legitimate domain. As you guys know, for example, I am Burning Ice Tech and my domain is burningicetech.com. Now these perpetrators might go and register a domain that's called burningicetechs, instead of "tech" at the back there will be an S at the back, "techs", anything similar to the real domain. Now if someone doesn't pay attention they might not notice this, this can be someone that's even in IT for crying out loud, some people just don't pay attention, they might not have noticed one letter in the domain has changed, and that one letter guys can make a huge difference. So this might seem like the real website but it's not, there's a one-letter difference, you are on a fake website that may or may not be a pharming website. The same can be said about emails. I can send you an email that looks like it's from my domain, by the way my email address for this company is info@burningicetech.com, now if you see an email coming from that same email address except it doesn't say burningicetech.com, there's maybe an S behind the "tech", once again that's also called typosquatting folks. It's not really from me, it is someone that has registered a domain that looks like it's from me, and that is to try and trick you into giving them information or anything like that. So it's generally to try and be very convincing in terms of email addresses, websites, that kinds of stuff. They will normally go and register the domain and they will go and use this in terms of websites and email addresses, so this is a form of email spoofing technique, and you need to make sure you look at the From field. It confuses people that's not in IT, but you guys will obviously know what it's about. It unfortunately causes confusion because now these folks, they don't know, is this real, is it not real, does this entity have multiple domains, because some well-known entities do legitimately have more than one well-known domain, they might have one that's got an S at the back and one that does not have an S at the back, we don't know, is it real, is it not, it causes confusion. If you're not sure, do some research. Now typosquatting guys is cousin domains that look like a trusted domain, that's another term for it, so typosquatting could be referred to as cousin domains, it could be referred to as doppelgangers, or it could even be referred to as counterfeiters, there's so many names guys, there is many creative names. I'm sure if you go run a search for it online you'll find lots of extra names that I didn't even mention here, so if you find something that I didn't know about feel free to mention it in the comment section down below, I would love to hear what these other names are as well.

And then folks, on that note, if you've ever had this happen to you, if you ever had an email being sent to you where they were pretending to be someone they're not, let us know in the comment section down below, or if you visited a website, I think these are quite rare, emails are not that rare but websites that pretend to be one website when they're actually not, if you ever had that happen, or if you had a client or a user that it happened to, let us know down below, tell us the story, we would love to hear about it.

All right folks, and then moving on finally to the last topic of this module. I know this video is like more than twice as long as the first module, unfortunately this module just has a lot of topics, so I underestimated this module in terms of how long it was going to take to make, so I apologize for the delay for this video going live, but I do need to make sure I cover all the topics, because if I don't cover all the topics you guys might potentially get asked about it in the exam and then you're not going to know what the answer is. So my job is to cover all the topics, make sure you understand it, so that if and when you get questions about it in the exam you will hopefully be able to answer them. And if you guys feel this is a lot of information, if you would like to maybe go back to another topic, if you want to go and revise on a topic, there's of course timestamps in the video description down below folks. Now with that out of the way, let's move on to the last topic, business email compromise.

Right folks, so with business email compromise, instead of just compromising random people's email addresses and hoping for some person to bite this bait of mine, so to speak, with business email compromise you'll find that the perpetrator, this threat actor, will often go after a specific individual. This specific individual will normally be someone quite high up, an executive, a partner, you know, someone very high up in a company on the corporate ladder normally. So someone very high
up a vendor partner executive something of that nature and they're going to Target this individual by maybe using fishing fishing or one of those other kinds of attacks and once they've compromised this person they will pretend to be that person yes I kid you not they will most often pretend to be this executive this partner this vendor so when they go and pretend to be this person they are going to contact people in that company more than likely and they will pretend to be that person they will pose as a colleague they will pose as a business partner or as a vendor and it's is to further compromise other people's accounts or to compromise some sort of information or a server in that company but it all starts with a very high individual on the company in most cases they compromise that person's account or the very least just pretend to be that person they might just outright spoof their email address maybe they never even compromise the person's account they just outright spoof this individual's email account send a mail as if they are this person or contact you as if they are this person and if it's a very huge company that's got hundreds or thousands of users they might not necessarily know what this person's voice sounds like if they call you or what this person looks like so if it's a video conference they'll be inclined to believe this person if they say they are who they say they are are so if I tell you hey I am the following executive or hey I am the following partner or vendor the average user in the average company they might be inclined to believe that because the average person that's down the L they don't know necessarily what these people look like they don't necessarily know what these people sound like so if I phone you or I do a video conference with you or I just send you a plain old email which is the more likely one you're not going to know if it's real or not because you don't even know what I look like sound like or anything for that matter so 
yeah, they will often pose as these individuals. Now, with regard to this, they will do something called spear phishing. That is when we target someone specifically with phishing. So I'm not just doing a random phishing attack with random bait and hoping someone bites this bait of mine; no, spear phishing is when I'm specifically targeting a specific individual or company, like an executive. But spear phishing is sometimes also used for other kinds of attacks. I mean, I've seen spear phishing often used for IT accounts, because we IT individuals have got much higher privilege than the average individual, so they might be targeting your account as an IT individual because you've got privilege. Then we've got whaling, which is just going after a high-level individual once again: an executive, a partner, someone like that. You've got CEO fraud, or angler phishing as well. Then, folks, you get brand impersonation and disinformation. That's usually to give a competitor an advantage. I'm not saying that's the reason why this will happen, but the more likely reason why this will happen is a competitor has got their knife in for you: you might be doing better than them, or they just want to eliminate the competition. So they will try and impersonate your brand because they want to steal your audience, or they will try and spread disinformation to hopefully give you a disadvantage of some kind; you know, they want to give you a bad name so that they can steal your business. So this is generally done via making convincing fake phishing messages, business correspondence and pharming websites. These pharming websites might look like your websites, but they're not, and they're going to steal your clients' or users' details, and that's, at the end of the day, going to give your company a very bad rep. Lastly, folks, you get something called a watering hole attack. Not something I see often, but I am mentioning it because I'm pretty sure they might ask you about this in the exam. So just because I think they might ask you this in the exam,
that's why I'm mentioning it. So, watering hole attack (feel free to go and read up more about this if you guys want to): that is to compromise a third-party site that the threat actor knows is used by the target. So if they know your company is using a third-party company for whatever purpose, you know, for communications, heck, this can be to go and buy pizza for all we know, if they know what third parties you're using for whatever, they can use that information to their advantage to get other information about you or to compromise something. These hackers, or these perpetrators, folks, are very creative; you wouldn't believe how creative they can sometimes be. All righty, folks, we have finally, finally reached the end of this module. I hope you guys have learned something, I really do. I mean, you wouldn't believe how much sweat I've got, you know, that's going down my cheek here from talking so much in one go. I'm really tired, I'm out of breath, I'm going to go and drink something after this video now. So guys, if you've learned something, feel free to mention that in the comment section down below. It's always cool to see that you guys learned something, and what that might be. So if there's something you did not know, something you appreciate, let me know down in the comment section below what you've learned. Obviously, stay tuned for module three of this course, and then of course, guys, remember to like this video if you've not done so. I mean, I do put a lot of time and effort into this video; I mean, this is like two and a half hours, almost, for crying out loud. So I do put a lot of effort into these videos, guys, so yeah, give the video a like. If you'd like to know when module 3 goes live, maybe consider subscribing as well. And then a thank you, like usual, to all the supporters and sponsors of this channel. Guys, thank you very much. If you would like to support or sponsor the channel, you can find that information in the video description down below. Thank you very much to all the guys that clicked on
the Thanks button below the video, if it's available in your country; those of you just buying a coffee or a milkshake, that link is in the description down below, I think it's like three bucks; and then of course the PayPal donations. So all of you guys making PayPal donations, there's a list of the guys; thank you very much for making those donations on PayPal. And then of course the Patreons. Oh my goodness, the patrons. So the list has gotten quite long, guys, but in reality I think at this point in time there's like over 500 patrons, and this list is not nearly 500; it's just most of the guys prefer to stay anonymous. So normally, if you become a patron, I will contact you via DM. I'll ask you if you would like to have your name listed, and if so, what name you want to have listed. So you guys can actually choose what name you want to have listed in the videos; it's not necessarily going to be whatever name you've got on Patreon. I'll ask you what name you want to have listed, if you want to be listed, and that's on all the tiers. It doesn't matter, even if you take the cheapest tier (not the free one, but all the paid tiers, tier one, 2 and three), all of them, you can have your name on the video should you want to have it on the video. All right, folks, and then the very last thing I'll mention before we call this a video, um, for those of you that don't know yet, the channel does have a Discord server. The link is in the video description down below; it's literally the very bottom of the video description. Check it out; there's over 2,000 people, the last time I checked, in that server. I'm in there, other IT trainers are in there, lots of people studying this course as well as other courses are in there. So if you'd like assistance of some kind, you can ask your questions there; if you'd like to assist other people, or if you just want a community of like-minded people, all of that can be found in that server. All right guys, I will see you in the next video, which is module three of Security Plus. [Music] [Music] TI to
you [Music]