8.1 Security risks

8.1.1 Know the type of confidential information held by organisations:

• Human Resources:

o salaries and benefits

o staff personal details

• commercially sensitive information:

o client details

o stakeholder details

o intellectual property

o sales numbers

o contracts

• access information:

o usernames

o passwords

o multi-factor authentication details

o personal identification number (PIN)

o access codes

o passphrases

o biometric data.

8.1.2 Understand why information must be kept confidential by organisations:

• salary and benefits:

o prevent competitors from offering higher wages to attract staff

o prevent employees from comparing salaries/demanding

comparable pay

• staff details:

o protect privacy

o prevent competitors from directly contacting them

• intellectual property:

o prevent competitors from copying designs

• client details:

o prevent competitors from contacting clients

o protect client privacy

• sales numbers

• access information:

o prevent unauthorised access.

8.1.3 Understand the potential impact to an organisation of failing to maintain

privacy and confidentiality:

• non-compliance with regulations:

o loss of licence to practice

• loss of trust

• damage to organisation’s image

• financial loss:

o fines

o refunds

o loss of earnings/termination of contracts

• legal action

• reduced security.

8.2 Types of threats and vulnerabilities

8.2.1 Understand potential technical threats and their impacts on organisations and individuals, including prevention and mitigation methods:

Botnets

What is a Botnet?

A botnet is a network of internet-connected devices (known as “bots” or “zombies”) that have been infected with malicious software and are controlled remotely by an attacker (known as a “botmaster” or “bot herder”). These devices could include PCs, servers, smartphones, or even IoT devices like smart cameras or routers.

The attacker uses a Command and Control (C2) infrastructure to coordinate the bots, often through hidden servers, peer-to-peer networks, or even social media accounts. Once under control, botnets can be used for large-scale malicious activity.

Technical Threats of Botnets

Botnets present several significant threats to both individuals and organisations:

• Distributed Denial of Service (DDoS) Attacks
  Multiple compromised devices flood a target with traffic, overwhelming services and causing downtime.

• Spam & Phishing Distribution
  Botnets send massive volumes of spam emails containing scams, phishing links, or malware.

• Data Theft
  Bots may harvest sensitive data (logins, credit card details, personal information) from infected machines.

• Credential Stuffing & Brute Force Attacks
  Botnets can automate large-scale login attempts using stolen credentials.

• Click Fraud
  Bots generate fake ad clicks to manipulate marketing metrics or steal advertising revenue.

• Cryptojacking
  Infected devices are used to mine cryptocurrency, draining resources and slowing down systems.

• Propagation of Malware
  Botnets distribute additional malware payloads (e.g., ransomware, spyware).

Impacts on Organisations & Individuals

Organisations

• Service Outages: Botnet-driven DDoS can make websites, online shops, or cloud services unavailable.

• Financial Losses: Lost revenue due to downtime, fraud, or ransom payments.

• Reputation Damage: Customers lose trust if services are repeatedly disrupted.

• Regulatory Penalties: GDPR fines if customer data is exfiltrated.

• Resource Drain: Servers or cloud resources overwhelmed, increasing costs.

 Individuals

• Privacy Risks: Stolen login details, banking information, or personal files.

• Device Performance Issues: Infected devices slow down, overheat, or drain battery.

• Unwitting Criminal Activity: Personal devices become part of a criminal network (unknowingly helping DDoS or phishing).

• Financial Fraud: Botnets used to steal money directly via online banking malware.

Prevention Methods

• Patch & Update Regularly: Keep operating systems, applications, and IoT devices updated to prevent exploitation of known vulnerabilities.

• Endpoint Protection: Use antivirus/antimalware with real-time scanning.

• Firewalls & IDS/IPS: Detect and block unusual traffic patterns that indicate botnet activity.

• Strong Authentication: Use strong, unique passwords with multi-factor authentication (MFA) to reduce credential stuffing risks.

• Secure IoT Devices: Change default passwords on smart devices and segment them from critical networks.

• Email & Web Filtering: Block phishing and spam emails before they reach users.

• User Awareness Training: Educate users on phishing links, suspicious downloads, and safe browsing practices.

Mitigation Strategies (if compromised)

• Detection:

  • Use SIEM (Security Information & Event Management) tools to detect unusual outbound traffic.

  • Monitor for spikes in CPU, memory, or bandwidth usage.

• Containment:

  • Isolate infected systems from the network immediately.

  • Use network segmentation to limit botnet spread.

• Removal:

  • Run antivirus/antimalware scans to remove malicious software.

  • Re-image infected machines if needed.

• Recovery:

  • Reset passwords for compromised accounts.

  • Restore systems from clean, verified backups.

• Cooperation:

  • Work with ISPs, law enforcement, and threat intelligence providers to help dismantle the botnet infrastructure.

Denial of service (DoS)/Distributed Denial of Service (DDoS)

Threat Actor: Political/Social Activists
Scenario Overview:
On the day of your company’s most important annual sales event, a large-scale DDoS attack cripples the e-commerce website. Customers are unable to complete transactions, leading to lost revenue and reputational damage. An activist group claims responsibility, linking the attack to protests against your company’s supply chain practices. A hashtag campaign gains traction online, attracting national media attention.

Initial Inject: Monitoring systems show a traffic surge; checkout pages fail.

Escalation Injects:
Social media criticism trends globally.
ISP confirms traffic flood originates from botnets overseas.

Decision Points: Divert traffic via scrubbing service? Take the platform offline? What do you tell customers and the press?
Considerations: Customer trust, sales impact, reputational harm.
Learning Objectives: Speed of detection, ISP collaboration, public communications.

Malicious hacking:

How does it work? Network chuck explains it all and shows how its done.

Hacktivists/nation states/organised crime/individual

Password cracking/brute force

Password cracking is any attempt to discover a user’s password so an attacker can gain unauthorised access. Brute-force is the simplest conceptual method: try every possible combination until one works. In practice attackers use smarter approaches (see below) to make cracking faster and to increase the chance of success.

Typical attacker methods (conceptual, defensive focus)

• Online brute-force: Repeated login attempts against a live authentication endpoint (e.g. web sign-in). Slower and noisy, but can succeed if there are weak rate limits or very short passwords.

• Password spraying: Try a small set of common passwords (e.g. “Password123!”, “Summer2024”) across many accounts, avoiding immediate lockouts and exploiting users who use weak common passwords.

• Credential stuffing: Use lists of credentials leaked in previous breaches and try them against other services — succeeds because many users reuse passwords.

• Offline cracking: If an attacker obtains a hashed password database (e.g. via a breach), they can attempt cracking offline using tools and GPUs — much faster because there is no network throttling. Defence is focussed on making offline cracking computationally expensive.

• Dictionary & hybrid attacks: Use wordlists and permutations (common substitutions, appended numbers) to guess likely passwords faster than trying every single character combination.

• Rainbow tables / precomputed hashes: Precomputed tables map hash outputs to plaintext for weak hashing schemes — mitigated by salts.

How to spot password-cracking activity (indicators)

• Unusual spikes in failed login attempts (system-wide or for single accounts).

• Many failed attempts from the same IP or from a range of IPs (distributed).

• Authentication attempts from unexpected geographies/IPs for particular users.

• Repeated login attempts using a small set of passwords across many accounts (password spraying pattern).

• Multiple account lockouts in a short period.

• Evidence of exfiltrated hashed password stores (indicates risk of offline cracking).

Logging, SIEM rules and alerting are critical to detect these indicators early.

Prevention & hardening (best practice)

1. Use strong password hygiene policies (but avoid usability traps)

• Require long passphrases (recommendation: minimum 12 characters; encourage 16+ for higher-risk accounts).

• Do not force frequent random password changes unless compromise is suspected; that tends to push users to weaker choices. Instead, require changes when there is evidence of compromise.

• Encourage or require password managers to eliminate reuse and make long random passwords practical.

2. Multi-factor authentication (MFA)

• Enforce MFA for all high-risk and admin accounts.

• Prefer phishing-resistant MFA such as hardware/security keys or platform authenticators (FIDO2/WebAuthn) for privileged users. One-time codes (TOTP) are better than nothing but can be phished or intercepted.

3. Throttle & lockout controls (online attacks)

• Implement rate limiting and progressive delays (exponential backoff) on authentication attempts.

• Account lockouts should be conservative to avoid denial-of-service by lockout abuse — consider temporary lockouts with verified unlocks (email or out-of-band verification) or CAPTCHA challenges after N failures. A common pattern: lock after 5–10 failed attempts with temporary cooldowns and additional identity checks. Use adaptive rules based on risk.

• Apply per-IP and per-account limits and block suspicious IPs or ranges. Use reputation lists and firewalls to block known bad actors.

4. Detect & block credential stuffing

• Integrate breached credential checking (e.g. block passwords found in public breach datasets). Organisations can check submitted passwords against known breached lists (hashed) and refuse them.

• Use rate limiting and anomaly detection for unusual credential reuse patterns.

5. Strong password storage (protect against offline cracking)

• Never store plaintext passwords. Use slow, memory-hard hashing algorithms with a unique salt per password: Argon2id, bcrypt, or scrypt. Argon2id is recommended for new systems.

• Use sufficiently high cost parameters (memory/iterations) appropriate to your hardware. The goal is to make each hash computation expensive so offline cracking is slow and costly.

• Use a unique cryptographic salt per password and store the salt with the hash. Consider a separate pepper (a secret value stored outside the database) to add an extra defensive layer against database theft (pepper must be protected).

• Rehash on login when cost parameters are increased.

6. Privileged account controls

• Apply least privilege, role-based access controls (RBAC), and privileged access management (PAM) for admin accounts.

• Require MFA and session monitoring for all elevated sessions.

• Use dedicated admin workstations that are hardened and not used for general browsing/email.

7. Network & device hardening

• Use IP reputation services, web application firewalls (WAF), and bot detection services to block malicious login patterns.

• Segment authentication systems and critical services; separate user networks from admin/management networks.

• Ensure endpoints are patched and have EDR tools, reducing the chance of local credential theft.

8. Monitoring & intelligence

• Centralise logs (SIEM) and create alerts for failed login patterns, rapid lockouts, and geographic anomalies.

• Use anomaly detection and UEBA (user and entity behaviour analytics) to flag unusual authentication behaviour.

• Subscribe to threat intelligence / breach feeds to know when employee or customer credentials appear in public breaches.

9. User education

• Train staff on phishing, social engineering and the importance of unique, strong passwords and password managers.

• Make reporting suspicious login attempts easy and encourage use of self-service MFA resets with verification.

Mitigation & incident response if cracking is suspected

1. Immediate containment

   • Temporarily global or selective enforce MFA and force password resets for affected accounts.

   • Rate-limit or block suspicious IP ranges.

   • Disable compromised sessions and revoke tokens (invalidate existing sessions and API keys).

2. Forensic triage

   • Collect and preserve authentication logs and failed attempt records for investigation.

   • Identify whether the attack is online (targeting your auth endpoint) or the result of an offline breach (stolen hashed database).

3. Remediation

   • If online brute-force / spraying: tighten throttling, add CAPTCHA or progressive delays, require password resets for high-risk accounts.

   • If database leaked: rotate credentials, enforce organisation-wide password resets, increase hashing cost parameter and rehash on next login, inform regulators if needed.

   • Revoke exposed API keys, OAuth tokens and session cookies.

4. Communication & legal

   • Notify affected users with clear guidance (change passwords, enable MFA, check linked services).

   • If personal data compromised, follow regulatory breach notification rules (e.g. GDPR within 72 hours if required).

   • Liaise with incident response / legal / PR teams for public statements.

5. Post-incident

   • Review and harden authentication flows, update lockout and monitoring rules, and fix any identified systemic weaknesses.

   • Run a forced re-auth for critical systems and consider step-up authentication for sensitive operations.

Practical configuration guidance (concise)

• Minimum password length: 12 characters for general users; encourage 16+ or passphrases for privileged accounts.

• Account lockout: e.g. temporary lock after 5–10 failed attempts with increasing cooldown and human verification flows — use adaptive lockouts to reduce DoS risk.

• Hashing algorithm: Use Argon2id (or bcrypt/scrypt if Argon2 not available) with a strong cost parameter; re-evaluate parameters periodically as hardware improves.

• MFA: Mandatory for all admin accounts; recommended for all user accounts. Use hardware security keys or FIDO2 where possible.

• Password reuse / breached checks: Block commonly breached passwords and alert users if their password appears in a breach feed.

Cross-site scripting

Cross-Site Scripting (XSS) is a type of cybersecurity vulnerability typically found in web applications. It occurs when a malicious actor injects malicious scripts (usually JavaScript) into content that is then delivered to other users. When the unsuspecting user views the affected page, the script runs in their browser as if it came from a trusted source — often without their knowledge.

This vulnerability allows attackers to:

• Steal cookies, session tokens, or other sensitive information.
• Hijack user sessions.
• Redirect users to malicious websites.
• Deface websites or deliver misleading content.
• Carry out phishing attacks within a trusted domain.

XSS is commonly caused by poor input validation — when websites fail to properly check or sanitise user-supplied data before displaying it on the page.

Types of XSS

1. Stored XSS (Persistent)
   The malicious script is permanently stored on the server (e.g. in a database, comment field, or forum post) and is served to users whenever they access the infected page.
2. Reflected XSS (Non-persistent)
   The script is reflected off a web server, typically via a URL or form submission, and executed immediately in the browser. It’s often delivered through phishing emails or malicious links.
3. DOM-based XSS
   This type of XSS occurs when the vulnerability is in the client-side script rather than the server. The page’s JavaScript processes user input insecurely and executes unintended code.

Examples of XSS Attacks

Stealing session cookies:
An attacker injects a script like:

If a user is logged in, this can capture their session token and allow the attacker to impersonate them.

Malicious redirection:

This sends users to a fake site to steal credentials or deliver malware.

Keylogging:

This records users’ keystrokes, potentially capturing usernames and passwords.

Case Studies: Real-World XSS Incidents

eBay Vulnerability (2014)

Type: Stored XSS

Security researchers discovered that eBay allowed sellers to embed JavaScript in item listings. Attackers abused this to insert scripts that redirected users to phishing sites. Because eBay is a trusted site, users were more likely to fall for the scam.

Impact: Phishing and fraud.

Outcome: eBay faced criticism for not resolving the issue quickly and for its weak content filtering practices.

Twitter (Now X / 2010)

Type: DOM-based XSS

A vulnerability in Twitter’s website allowed users to create tweets with JavaScript that executed automatically when others hovered over the tweet.

Impact: It was used to spread worms, redirect users to porn sites, and auto-retweet malicious posts.

Outcome: Twitter quickly patched the vulnerability, but not before it affected thousands of users in a matter of hours.

MySpace (Samy Worm / 2005)

Type: Stored XSS

This is one of the earliest and most famous examples. A developer named Samy Kamkar created a script that made people who viewed his profile automatically add him as a friend and replicate the code on their own profile.

Impact: Over 1 million profiles were affected in under 24 hours.

Outcome: Samy was banned from using computers for several years and was put under probation — but it exposed how dangerous XSS could be on social platforms.

PayPal XSS Vulnerability (2013)

Type: Reflected XSS

A researcher discovered a reflected XSS vulnerability on PayPal’s secure pages, including paypal.com/webapps.

Impact: Could have been used to steal login credentials or perform phishing attacks.

Outcome: PayPal patched the issue after it was responsibly disclosed, and the researcher was rewarded through its bug bounty programme.

SQL injection

Try out the Network Chuck SQL injection website as discussed in the video using the following link
Network Chuck Bank
Another website to experiance and tryout SQL injection 
Hack Splanning 
 

Buffer overflow

A buffer overflow is a type of cyber attack where a hacker takes advantage of a weakness in a program. Computers store data in memory spaces called buffers. These buffers are designed to hold a set amount of data. But if more data is sent to the buffer than it can handle, the extra data can "spill over" into other memory areas. This is known as a buffer overflow.

When this happens, hackers can sometimes use the overflow to inject malicious code, crash the system, or gain unauthorised access to sensitive information. Think of it like overfilling a glass of water—it spills everywhere, and that can cause problems.

Why is This a Problem in IT Security?

Buffer overflows can allow hackers to:

• Run harmful software on a system

• Take control of devices or servers

• Steal or damage data

• Crash whole networks or systems

Software developers are supposed to write code that checks how much data is being used, but if this is done badly or not at all, buffer overflows become a serious risk.

Case Study: The Blaster Worm Attack (2003) – Affecting Microsoft

What happened?
In 2003, a malicious computer worm called Blaster (also known as Lovsan or MSBlast) spread quickly across the internet. It used a buffer overflow vulnerability found in Microsoft Windows systems, especially Windows XP and Windows 2000.

Hackers exploited a weakness in a system service called DCOM RPC. They sent too much data to the buffer, which allowed them to run harmful code without the user doing anything.

Who was affected?
Millions of computers around the world were infected. Even big organisations like the U.S. government, British businesses, and individual home users were hit. While Microsoft itself wasn’t directly hacked, it had to act fast because it was their system that had the vulnerability.

What was the outcome?

• The worm caused computers to shut down or restart constantly.

• Microsoft had to release an emergency patch and gave advice to users on how to protect themselves.

• Businesses lost money because of downtime.

• It highlighted the need for regular software updates and better code testing.

What Can We Learn From This?

• Always update software and systems regularly—patches fix these types of vulnerabilities.

• Programmers must write secure code that checks how much data is going into buffers.

• Buffer overflow attacks are still a real threat today, especially for systems that haven’t been updated.

Objective:
Work in small teams (2–4 members) to explore how buffer overflows work using a guided, safe online simulation. Investigate how attackers exploit these vulnerabilities, how systems respond, and how patches can fix the problem.

What You’ll Need:
Access to the internet
A simulation environment such as:

Cyber Security Lab by NOVA Labs – free and interactive
OverTheWire: Bandit Level 1–5 – beginner-friendly command-line challenges
OR a virtual machine with a basic buffer overflow lab set up using TryHackMe or Hack The Box (Beginner level)

Time Needed:
45–60 minutes

How It Works:
Step 1: Warm-Up Discussion (5–10 minutes)
Each team discusses:
- What is a buffer?
- What might happen if too much data is sent into a buffer?
- Why is this important for cybersecurity?

They then write down your predictions.

Step 2: Simulation Challenge (25–30 minutes)
Using the simulation:
1. Observe or interact with a system vulnerable to buffer overflow.
2. Simulate an attack by inputting a longer string of characters than the program expects.
3. The system responds by either crashing, behaving strangely, or showing an error—demonstrating how buffer overflows work.

The simulation walks them through how a patch or input validation can prevent this.
Teams complete a worksheet (or Google Form) answering:
- What happened when you overloaded the buffer?
- What was the system's weakness?
- How could the code be improved to stop the overflow?
- What real-life example does this remind you of? (Hint: Blaster Worm)

Step 3: Team Reflection & Presentation (10–15 minutes)
Teams share their findings with the class. Each group presents:
- What they learned
- How serious buffer overflows can be
- How developers and IT teams can prevent them

 Learning Outcomes:
Understand the concept of a buffer and what a buffer overflow is.
Recognise how cyber attackers exploit vulnerabilities.
Appreciate the importance of secure coding and regular system updates.
Collaborate effectively to solve IT security challenges.

Malware:

https://app.any.run/tasks/0952f52c-1562-4c49-b5bd-d9030f32f86c

viruses
 

A computer virus is a type of malicious software (malware) designed to spread from one device to another, much like a biological virus. It attaches itself to legitimate files or programmes, and once executed, it can replicate, spread, and damage systems by corrupting files, stealing data, slowing down performance, or even rendering entire systems unusable.

Viruses often spread through:

• Infected email attachments
• Malicious downloads
• USB drives or other external storage
• Exploiting software vulnerabilities

Unlike worms (which spread on their own), a virus typically requires some form of user interaction to activate — like opening a file or running a programme.

Types of Computer Viruses

File Infectors – Attach to executable files and spread when those files are run.

Boot Sector Viruses – Infect the master boot record of a system; they activate when the computer starts.

Macro Viruses – Written in macro languages used by office software (e.g. Microsoft Word) and activate when the document is opened.

Polymorphic Viruses – Change their code each time they replicate, making them hard to detect.

Resident Viruses – Load into memory and can infect files even when the original host is no longer active.

Famous Examples of Computer Viruses

1. ILOVEYOU (2000)
   • A worm-like virus that spread via email with the subject “ILOVEYOU” and a malicious attachment.
   • Once opened, it overwrote files and emailed itself to all contacts in the victim’s address book.
   • It caused an estimated £7 billion in damages worldwide.
2. Melissa Virus (1999)
   • A macro virus that infected Microsoft Word documents and sent itself to the top 50 contacts in the victim’s Outlook address book.
   • It caused mail servers across businesses and government departments to crash due to overload.
3. Mydoom (2004)
   • One of the fastest-spreading email viruses ever recorded.
   • It launched denial-of-service (DoS) attacks and allowed remote access to infected machines.
   • It caused billions in economic damage.
4. Conficker (2008)
   • A highly sophisticated virus that exploited Windows vulnerabilities.
   • It created a botnet (a network of infected machines) and was very difficult to remove.
   • Millions of computers, including government and military systems, were affected.
5. Stuxnet (2010)
   • A state-sponsored virus believed to have been developed by the US and Israel.
   • It specifically targeted Iran’s nuclear facilities by damaging centrifuges.
   • This was a turning point in cyberwarfare, showing that viruses could cause physical damage to infrastructure.

Real-World Case Studies

1. NHS and WannaCry Ransomware (2017)

While WannaCry is technically ransomware, it behaved much like a virus by spreading rapidly from one system to another using a vulnerability in outdated Windows systems.

• Impact: Affected more than 80 NHS Trusts, causing appointment cancellations, equipment shutdowns, and severe operational delays.
• Cause: NHS systems were running unpatched versions of Windows.
• Result: The government estimated it cost the NHS £92 million in direct costs and lost output.
• Lesson: The case underlined the importance of regular updates and cybersecurity training.

2. Sony Pictures Hack (2014)

• The Destover virus, linked to North Korea, was part of a wider cyberattack against Sony Pictures.
• The virus wiped data from company servers and leaked sensitive files, including unreleased films and private emails.
• It was reportedly launched in retaliation for the film “The Interview.”
• Impact: Tens of millions of dollars in damages, legal action, and reputational harm.

3. UK Parliament Cyberattack (2017)

• A large-scale email-based virus attack targeted the email accounts of British MPs and staff.
• Hackers used malicious software, possibly including Trojan viruses, to gain access to confidential communications.
• Impact: Up to 90 email accounts were compromised.
• Response: The network was temporarily shut down to prevent the spread.

4. The University of Cambridge (2020)

• The university detected a virus infection on internal systems, believed to have entered through a malicious email attachment.
• It was suspected to be part of a targeted phishing and data exfiltration campaign.
• Impact: Temporary network restrictions and system reconfiguration.
• Lesson: Even academic institutions are prime targets for virus-based attacks due to their large volumes of research and personal data.

Exploring Computer Virus Behaviour

1. Computer Virus Simulator
This simulation offers a safe environment to experience the effects of various computer viruses. It mimics how viruses can disrupt systems, providing insights into their operations.

Features:
Simulated virus attacks causing system errors and disruptions.
Realistic replication of virus behaviours without actual harm.
Educational insights into virus prevention and system protection. 

Access the Simulator:
Computer Virus Simulator on Steam

Note: This is a safe, controlled simulation containing no actual malicious code.

2. Beglitched
Beglitched is a puzzle game that combines elements of hacking and cybersecurity. Players navigate through challenges that simulate virus detection and removal in a stylised, engaging manner.

Features:
Puzzle-solving with a focus on cybersecurity themes.
Visual representation of virus infiltration and system defence.
Encourages strategic thinking related to virus management. 
Learn More:
Beglitched on Wikip
 

Worms

A computer worm is a type of malicious software (malware) that is capable of self-replication and self-spreading across networks without any need for user interaction. Unlike viruses, worms do not need to attach themselves to files or programmes — they can operate as standalone entities. Their primary purpose is to spread rapidly and infect as many systems as possible.

Worms can cause severe damage by:

• Consuming network bandwidth and system resources
• Delivering payloads such as ransomware or Trojans
• Stealing data or creating backdoors
• Disrupting essential services or operations

How Do Worms Spread?

Worms typically exploit vulnerabilities in:

• Operating systems (e.g. unpatched Windows systems)
• Network protocols
• Poor security configurations
• Removable media (e.g. USB drives)

Once a worm infects a device, it scans the network for other vulnerable systems and spreads itself automatically.

Famous Examples of Computer Worms

1. ILOVEYOU (2000)
   • One of the most damaging worms in history.
   • Spread via email with the subject “ILOVEYOU” and an attachment labelled as a love letter.
   • When opened, it replicated itself and sent copies to everyone in the user’s address book.
   • Damage: Over £7 billion in global losses.
2. Blaster Worm (2003)
   • Exploited a vulnerability in Microsoft Windows.
   • Displayed the message “Billy Gates why do you make this possible?” and caused computers to shut down.
   • Slowed internet traffic globally.
3. Conficker (2008)
   • Infected millions of Windows systems worldwide.
   • Created a botnet capable of remote control, password cracking, and disabling security services.
   • One of the most widespread worms ever seen.
4. Stuxnet (2010)
   • A highly sophisticated worm targeting industrial systems (SCADA).
   • Believed to be developed by the US and Israel to sabotage Iran’s nuclear facilities.
   • Demonstrated that worms could cause physical damage to infrastructure.
5. WannaCry (2017)
   • A worm-like ransomware attack that exploited a Windows vulnerability (EternalBlue).
   • Spread rapidly through networks and encrypted files, demanding ransom in Bitcoin.
   • One of the most destructive cyberattacks in recent history.

Case Studies: Real-World Worm Incidents

NHS and the WannaCry Attack (UK, 2017)

• Worm type: Ransomware with worm-like spreading
• Impact: Over 80 NHS Trusts affected, surgeries cancelled, emergency patients diverted.
• The worm exploited outdated Windows systems and spread through internal networks.
• Outcome: The UK government estimated the cost at £92 million.
• It was later linked to a North Korean hacking group.
• Lesson: Keeping systems patched is critical to prevent worm attacks.

Maersk Shipping and NotPetya Worm (2017)

• Although not British, this incident heavily affected UK ports and logistics.
• NotPetya spread like a worm using the same vulnerability as WannaCry.
• It encrypted data and destroyed entire networks.
• Maersk’s UK operations were severely disrupted, with port terminals offline and shipping halted.
• Global losses exceeded £750 million.

British Universities Targeted by Conficker (2009)

• Several UK universities reported Conficker infections that slowed networks and disabled security systems.
• The worm exploited weak passwords and unpatched systems.
• IT teams struggled to remove the worm due to its complexity and adaptive nature.

Microsoft Windows Networks (Global, including UK, 2003)

• The Blaster worm caused widespread disruption to businesses, government departments, and home users using Windows XP and 2000.
• Systems would repeatedly crash or reboot.
• Microsoft had already issued a patch, but many systems remained unpatched.
• Lesson: Timely updates are crucial.

Key loggers

A keylogger (or keystroke logger) is a type of surveillance software or hardware that records every keystroke a user types on their device. The primary aim of a keylogger is to capture sensitive information, such as usernames, passwords, credit card numbers, and personal messages, without the user being aware. Keyloggers can be malicious (used by cybercriminals) or legitimate (used for monitoring employees or children, with consent). However, in the context of security threats, keyloggers are most often malicious tools used in cyberattacks.

Keyloggers can be delivered via:

• Malware: When downloaded via phishing emails or malicious websites.
• Trojan horses: Embedded within legitimate-seeming files or programmes.
• Physical devices: Plugged into the victim’s computer to track typing.

Keyloggers can either store the captured data locally and send it to the attacker later or transmit it in real-time.

Example of  different types of Keyloggers

1. Software Keyloggers: These are programs that run on the victim’s device, either in the background or disguised as part of the system. They can monitor keyboard input, track applications used, and even capture screenshots.
   • Example: Perfect Keylogger – A popular tool that allows attackers to monitor every keystroke and generate detailed logs of users’ activities.
      
2. Hardware Keyloggers: These are physical devices that are inserted between a keyboard and the computer. They are harder to detect since they don’t require software installation.
   • Example: KeyGhost – A small device that intercepts and records all keystrokes made on a computer, often used for spying purposes.
      
3. Cloud-based Keyloggers: These operate by transmitting data to a remote server, often in real-time. This type of keylogger is harder to detect and allows attackers to monitor activities from anywhere.
   • Example: Spyrix Keylogger – A cloud-based keylogger that transmits recorded keystrokes to an attacker’s server, making it a highly effective surveillance tool.
      
4. Browser-based Keyloggers: These target users when they interact with web forms or input fields, often capturing login credentials.
   • Example: Revealer Keylogger – A browser-based keylogger that focuses on capturing sensitive data entered in online forms.

Case Studies of Organisations Affected by Keyloggers

The Target Data Breach (2013)

Attack Type: Keyloggers used for stealing credit card data

During the infamous Target data breach in 2013, cybercriminals installed keyloggers as part of their attack strategy. They gained access to Target’s network through compromised vendor credentials and deployed keylogging malware to capture customer credit card information. The attack resulted in the exposure of over 40 million credit card numbers and personal data from 70 million customers. While other forms of malware were also involved, keyloggers played a significant role in gathering sensitive data.

The Snapchat Hack (2014)

Attack Type: Keyloggers for stealing personal information

In 2014, a Snapchat security breach occurred where hackers exploited vulnerabilities in the system to steal millions of users’ personal data. While the breach itself involved other methods like API exploitation, keyloggers were suspected of being part of the attack to capture users’ personal messages and login credentials. The hackers posted the stolen data online, demonstrating the risks associated with keylogging software being used in conjunction with other vulnerabilities to steal private information.

The Gmail Hack (2014)

Attack Type: Keyloggers for espionage

In 2014, a targeted attack involving a keylogger led to the compromise of several high-profile Gmail accounts. The attackers installed malware on the victims’ devices, which secretly recorded keystrokes and sent the data to the attackers. The stolen information included sensitive emails, login credentials, and personal data, which were used for espionage purposes. The breach resulted in significant security awareness, particularly in government and corporate sectors, where sensitive communication was targeted.

Preventing Keylogger Attacks

To protect against keyloggers, individuals and organisations can take the following measures:

1. Use Security Software: Regularly update anti-virus and anti-malware tools to detect and block keyloggers and other forms of malicious software.
2. Enable Two-Factor Authentication (2FA): Using 2FA can mitigate the damage even if login credentials are compromised by a keylogger, as an attacker would need access to the second form of authentication.
3. Regular Software Updates: Ensure that all software and operating systems are kept up to date with the latest patches to prevent vulnerabilities that keyloggers can exploit.
4. Monitor for Suspicious Activity: Watch for unusual activity on accounts, such as unauthorised logins or changes in login patterns, which could indicate a keylogger infection.
5. Educate Users: Train employees and users to recognise phishing attacks or suspicious links that could lead to the installation of keyloggers.
6. Use Virtual Keyboards: Some anti-keylogging software offers on-screen keyboards that can help prevent physical keylogging by bypassing traditional keystrokes.

Simulating Keylogger Behaviour
Objective: To illustrate how keyloggers capture keystrokes and the potential risks involved.

Step 1: Access the Simulation
Visit the following link to access the keylogger simulation:
Keylogger Simulation Tool
Note: This is a safe, educational tool designed for learning purposes.

Step 2: Understand the Interface
Upon accessing the simulation, you’ll see a mock login form. As you type into the form, a separate panel will display the captured keystrokes in real-time, mimicking how a keylogger records input.

Step 3: Experiment with Input
Enter various types of data, such as usernames, passwords, and messages.
Observe how each keystroke is logged instantly.
Try using backspace or special characters to see how they’re recorded.

Step 4: Reflect on the Implications
Consider the following questions:
How easily can sensitive information be captured?
What are the potential consequences if such data falls into the wrong hands?
How can individuals and organisations protect against such threats?

Further Learning Resources
To deepen your understanding of keyloggers and their impact, explore these resources:CrowdStrike: Keyloggers – How They Work & How to Detect ThemUniversity of Phoenix: What You Need to Know About KeyloggingKaspersky: What is Keystroke Logging and Keyloggers?

Engaging with this simulation provides firsthand insight into the mechanics of keyloggers, emphasising the importance of cybersecurity measures to protect sensitive information.

Ransomware

Ransomware is a type of malicious software (malware) that locks or encrypts a victim’s files, data, or entire system, effectively holding it hostage. The attacker demands a ransom, usually in cryptocurrency, in exchange for providing a decryption key or unlocking the affected system. If the victim refuses to pay, their data may be permanently lost or exposed.

Ransomware attacks typically begin when a victim unknowingly downloads or opens a malicious attachment or link, often as part of a phishing email. Once activated, the ransomware can spread across a network, affecting numerous systems and data, making it a particularly dangerous threat for organisations.

How Ransomware Works

1. Infection: The ransomware is delivered through phishing emails, malicious websites, or software vulnerabilities.
2. Encryption: Once activated, the ransomware encrypts files or locks the system.
3. Ransom Demand: A message appears, demanding payment in cryptocurrency (usually Bitcoin) to receive the decryption key.
4. Payment: The victim is given a set amount of time to pay, and if they do, they are promised the decryption key (though this is not always guaranteed).
5. Data Exposure: In some cases, attackers will threaten to release sensitive data if the ransom is not paid, adding additional pressure on the victim.

Examples of Ransomware

1. WannaCry (2017)
   WannaCry is one of the most notorious ransomware attacks, which affected more than 200,000 systems across 150 countries. It spread rapidly by exploiting a vulnerability in Microsoft Windows (known as EternalBlue), which had been discovered by the US National Security Agency (NSA) and later leaked. The attack caused widespread disruption, including to the UK’s National Health Service (NHS), where it led to cancelled appointments and surgery delays.
2. NotPetya (2017)
   Originally thought to be a variant of ransomware, NotPetya quickly became clear that it was more destructive in nature. Although it encrypted files, it was designed to cause maximum damage rather than to extort money. It targeted systems primarily in Ukraine but spread globally, affecting organisations such as Maersk, a global shipping company, and Merck, a major pharmaceutical company. It caused billions of dollars in damage.
3. Ryuk (2018–Present)
   Ryuk is a highly targeted ransomware-as-a-service strain, used in advanced, targeted attacks on organisations worldwide. It is often deployed after initial access is gained by other malware, such as Emotet or TrickBot, which are used to gain a foothold in a network before Ryuk encrypts critical systems. Ryuk has been used in attacks on hospitals, schools, and municipal governments, where it has caused major disruption.
4. Maze (2019–2020)
   The Maze ransomware group was notable for combining traditional ransom demands with data theft, exfiltrating sensitive data from victims before encrypting their systems. If the ransom wasn’t paid, the group would publish the stolen data online. This “double extortion” tactic set a dangerous precedent for future ransomware operations. Maze targeted companies in the healthcare, financial, and manufacturing sectors.
5. REvil (2020–Present)
   REvil, also known as Sodinokibi, is a prolific ransomware group that demands ransoms from high-profile victims. It is known for its double extortion tactics and for targeting large corporations, often making headlines with major attacks on companies such as Kaseya (2021), a provider of IT management software. REvil has been linked to multiple high-profile breaches, often disrupting essential services.

Case Studies of Ransomware Attacks on Organisations

The NHS and WannaCry (2017)

Attack Type: WannaCry ransomware

Impact: In May 2017, the NHS in the UK was severely affected by the WannaCry ransomware attack. The ransomware exploited a vulnerability in Windows, causing widespread disruption across hospitals and GP surgeries. The attack forced the cancellation of thousands of appointments and surgeries, with some hospitals unable to access patient records or treat people in a timely manner. The NHS was particularly vulnerable due to outdated software and the lack of timely updates.

Outcome: The NHS faced severe disruption, with financial losses and potential harm to patients. The attack highlighted the critical importance of timely security patches and updates in healthcare systems.

The City of Atlanta (2018)

Attack Type: SamSam ransomware

Impact: In March 2018, the City of Atlanta in the US was targeted by the SamSam ransomware, which encrypted vital data across multiple departments. The attack disrupted services, including online payment systems, court operations, and law enforcement databases. The city refused to pay the ransom, leading to a multi-week recovery process.

Outcome: While the city did not pay the ransom, it faced a prolonged recovery period, costing an estimated $17 million. This case showed how local governments can be vulnerable to ransomware attacks, with significant operational and financial consequences.

The University of Leeds (2020)

Attack Type: Maze ransomware

Impact: The University of Leeds in the UK was hit by a ransomware attack in 2020. The attackers used Maze ransomware to encrypt university files and steal sensitive data. The attackers demanded a ransom to decrypt the files, but they also threatened to release confidential research and student information.

Outcome: The university was able to restore its data from backups, avoiding the ransom payment, but it had to manage the damage caused by the exposure of sensitive data. The attack prompted further discussions about the need for universities and educational institutions to improve their cybersecurity protocols.

Garmin (2020)

Attack Type: WastedLocker ransomware

Impact: In July 2020, the wearable technology company Garmin was hit by a ransomware attack that affected its global operations, including customer support and fitness tracking services. The attackers used WastedLocker ransomware, which encrypted Garmin’s systems and caused major disruptions, including the temporary shutdown of its fitness app services.

Outcome: Garmin reportedly paid a ransom of around $10 million to retrieve its data, though the company did not confirm this publicly. The attack highlighted the vulnerability of consumer-facing companies, especially those with large, international customer bases.

The Kaseya Attack (2021)

Attack Type: REvil ransomware

Impact: In July 2021, the Kaseya attack targeted managed service providers (MSPs) and their clients using REvil ransomware. The attackers exploited a vulnerability in Kaseya’s VSA software, which allowed them to encrypt the data of hundreds of organisations worldwide. The victims included schools, local governments, and private businesses.

Outcome: The ransomware attack affected over 1,500 businesses. Kaseya worked with law enforcement and cybersecurity experts to mitigate the impact, but the attack caused significant financial losses. The REvil group demanded a $70 million ransom, though it was unclear whether it was paid.

The UK’s NHS and Ransomware Attack (2017)

Attack Type: Keyloggers as part of broader ransomware attack

The NHS (National Health Service) in the UK was severely impacted by the WannaCry ransomware attack in 2017. Although ransomware was the main malicious payload, the attack also involved the use of keyloggers to gather login credentials and spread the malware across the NHS network. The attackers were able to encrypt critical data and demand a ransom. While the primary impact of WannaCry was ransomware, keyloggers were believed to have been used for espionage and gaining access to sensitive medical and personal data, highlighting how keyloggers can be used as part of a larger attack strategy.

The UK Parliament Cyberattack (2017)

Attack Type: Keyloggers and phishing for credential theft

In 2017, the UK Parliament suffered a cyberattack that targeted its IT infrastructure. Hackers gained access to MPs’ and their staff’s email accounts through phishing emails, and it was later revealed that keyloggers were used to monitor their keystrokes and steal login credentials. This breach compromised the security of sensitive political and governmental communication, and the attackers reportedly had access to MPs’ systems for several days. The incident prompted an investigation into cybersecurity protocols within the UK government.

Spyware

Remote access trojans

A Remote Access Trojan (RAT) is a type of malicious software (malware) that allows an attacker to remotely control a victim’s computer or network, typically without the victim’s knowledge. Once a RAT is installed on a device, it grants the attacker full control, enabling them to perform various malicious actions, such as:

• Accessing sensitive data (e.g., passwords, financial information)
• Taking screenshots or recording keystrokes to spy on the victim
• Activating webcams or microphones to spy on the user
• Stealing files or installing additional malware
• Controlling the system remotely, much like the user would
• Spreading the infection to other devices on the same network

RATs can be delivered through various methods, including phishing emails, malicious downloads, or exploiting system vulnerabilities.

Below are some examples of Remote Access Trojans and why they were used

DarkComet RAT
DarkComet is one of the most widely known RATs, used by cybercriminals and hackers for various malicious purposes. It’s known for its user-friendly interface and powerful capabilities, such as keylogging, webcam control, and remote file management. It has been used in cyber-espionage attacks and is commonly spread via phishing campaigns or malicious attachments.

njRAT
njRAT is another well-known RAT, often associated with cybercriminal groups and used in attacks against both individuals and organisations. It’s capable of accessing and controlling remote systems, stealing information, logging keystrokes, and even turning on webcams. It is often used in cyber espionage and to launch distributed denial of service (DDoS) attacks.

Remote Access Tool (RAT) - RemoteSpy
RemoteSpy allows attackers to spy on users’ activity, taking screenshots, logging keystrokes, and stealing personal information. It has been used by cybercriminals to target both individuals and companies for financial gain.

Ammyy Admin
While not inherently malicious, Ammyy Admin has been hijacked by cybercriminals to install RATs. This software is a legitimate remote desktop tool, but when used maliciously, it enables attackers to gain full control of a system, often after being installed through phishing emails or malicious links.

Case Studies: Organisations Affected by RAT Attacks

The Sony Pictures Hack (2014)

Attack Type: RAT and other malware

In 2014, Sony Pictures Entertainment was hit by a devastating cyber attack, which was later attributed to a group linked to North Korea. Hackers used RATs to infiltrate Sony’s network, stealing vast amounts of sensitive data, including emails, personal information of employees, and unreleased films. The attackers used malware (including RATs) to maintain persistent access to the network, enabling them to spy on operations, steal information, and disrupt business activities. This incident demonstrated how a RAT could be used not just for espionage but for large-scale data theft and organisational disruption.

Target Data Breach (2013)

Attack Type: RAT used in conjunction with other malware

During the infamous Target data breach in 2013, cybercriminals used a RAT as part of a broader attack that compromised the company’s point-of-sale systems. Hackers gained access via a third-party vendor, and once inside Target’s network, they deployed a RAT to exfiltrate credit card information from more than 40 million customers. The attackers were able to access systems remotely and monitor the compromised network for weeks, highlighting how RATs can be used to maintain undetected control over a network.

The Bangladesh Bank Heist (2016)

Attack Type: RATs and malware for financial fraud

In 2016, a cyber attack on the Bangladesh Bank resulted in the theft of nearly $81 million. The attackers gained access to the bank’s internal systems using a RAT, which allowed them to monitor transactions and manipulate the bank’s system. The attackers used this remote access to initiate fraudulent transfers, exploiting vulnerabilities in the system. RATs were critical in maintaining control over the bank’s network, enabling them to carry out the theft without detection for a time.

The Syrian Electronic Army (SEA) and RAT Attacks (Various Years)

Attack Type: RATs for political espionage

The Syrian Electronic Army, a hacker group loyal to the Syrian government, has used RATs in multiple cyber attacks over the years. These attacks have targeted news agencies, human rights organisations, and political figures. The RATs enabled the group to remotely control the computers of journalists and activists, steal emails, monitor communications, and gather intelligence. The use of RATs in these politically motivated attacks underscores their potential in cyber-espionage.

Preventing RAT Attacks

To protect against RATs, organisations should consider the following security measures:

• Regular updates: Ensure all systems, software, and security patches are kept up to date to prevent exploitation of known vulnerabilities.
• Anti-virus and anti-malware software: Install and regularly update trusted security software to detect and block RATs.
• Network segmentation: Use firewalls and segment networks to limit the spread of malware once inside the system.
• Security training: Educate employees on recognising phishing attacks and suspicious behaviour to reduce the likelihood of RAT infection.
• Two-factor authentication (2FA): Implement 2FA to add an extra layer of security to sensitive accounts.
• Remote desktop monitoring: Regularly monitor and audit any remote access tools in use to ensure they are not being exploited.

Social engineering:

Phishing

Threat Actor: Customer (used as cover)
Scenario Overview:
Finance staff receive emails appearing to come from a regular customer, requesting urgent invoice payments. While some report the email as suspicious, one employee unknowingly provides credentials on a fake login page. Soon, fraudulent transactions are processed to a foreign bank.

Initial Inject: Multiple staff report suspicious emails.

Escalation Injects:
Credentials compromised by a finance worker.
Payments diverted to unknown accounts.

Decision Points: Freeze all financial transactions? Reset finance logins? Inform the spoofed customer?
Considerations: Financial loss, supplier/customer trust, regulator disclosure.
Learning Objectives: Awareness training, fraud controls, customer engagement.

Spear phishing

Smishing

Vishing

Pharming

Create a presentation that could be delivered to a set of secondary/college students on Malisious Spam, cover all the areas of, Phishing, Spear Phishing, Smishing, Vishing and Pharming. Make your presentations interesting and informative, where you are able to show examples of situations where people have been caught out. At the end of the presentation provide details on how you and organisations could protect themselves from this threat.

Watering hole attacks

USB baiting

Domain name server attack/redirection of traffic

Open/unsecured Wi-Fi networks.

Create an informative Infographic that explains the above Mailware elements, in your infographic you also need to give details on what you can do to mitigate (avoid/reduce/minimise) the risks and provide examples of where they have occurred to other companies and organisations. Make this visually appealing to bring the possible issues to those that have not heard of them.
You will need to target the following;
- Virus
- Trojans
- Worms
- RATs
- Key Logging
- Ransomware
- Spyware
- Adware

8.2.2 Understand potential technical vulnerabilities to systems and data:

• inadequate security processes:

o weak encryption

o inadequate password policy

o failure to use multi-factor authentication

• out-of-date components:

o hardware

o software (lack of support/compatibility with legacy systems, zero-day bugs)

Zero-Day Exploit - Case Study
Threat Actor: Nation State

Scenario Overview:
Nation-state actors exploit a zero-day in your enterprise email system. Executives’ communications are intercepted, with sensitive discussions appearing in the press. Government cyber agencies contact you directly, warning of possible national security implications.

Initial Inject: Suspicious logins from foreign IPs discovered.

Escalation Injects:
Leaked board emails appear in the media.
Government agency requests urgent collaboration.

Decision Points: Shut down email entirely? Switch to alternative comms? Warn staff of surveillance risks?
Considerations: Espionage, brand impact, liaison with authorities.
Learning Objectives: Response to zero-day exploitation, secure communications, coordination with intelligence services.

o firmware.

8.2.3 Understand potential human threats, including prevention and mitigation

methods, to systems and data:

• human error:

o file properties

o confirmation boxes

o staff training

• malicious employee:

o immediate removal from the premises

o suspend user accounts immediately

• disguised criminal:

o accompany all visitors

o check identification of visitors

• poor cyber hygiene:

o locking all unattended machines

o not writing passwords down

o poor password management.

8.2.4 Understand potential physical vulnerabilities, including prevention and

mitigation methods, to systems, data and information, including:

• lack of access control:

o entry control systems

• poor access control:

o do not allow tailgating

o use complex access codes

o change codes regularly

o monitor access areas

o audit of staff access to secure areas

• nature of location:

o protect against shoulder surfing

o protect against the environment

o protect against vandalism

• poor system robustness:

o rugged machines

• natural disasters.

8.2.5 Understand the potential impact to an organisation of threats and

vulnerabilities:

• loss/leaking of sensitive data

• unauthorised access to digital systems

• data corruption

• disruption of service

• unauthorised access to restricted physical areas.

8.3 Threat Mitigation

8.3.1 Understand the purposes, processes, benefits and drawbacks of common

threat mitigation techniques:

• security settings:

o hardware

o software

• anti-malware software:

o function

o actions

• intrusion detection

• encryption:

o hashing

o symmetric

o asymmetric

• user access policies

• staff vetting

• staff training

• software-based access control

• device hardening

• backups:

o type (full, incremental, differential)

o safe storage

• software updates

• firmware/driver updates

• air gaps

• certification of APIs (application programme interface)

• VPNs (Virtual private networks)

• multi-factor authentication (MFA)

• password managers

• port scanning

• penetration testing:

o ethical hacking

o unethical hacking

8.3.2 Understand the processes and procedures that assure internet security,

and the reasons why they are used:

• firewall configuration:

o rules for traffic (inbound and outbound)

o traffic type rules

o application rules

o IP address rules

• network segregation:

o virtual

o physical

o offline network

• network monitoring

• port scanning.

8.4 Interrelationship of components required for effective security

8.4.1 Understand how the relationships in the CIA triad interrelate:

• confidentiality:

o ensuring that data is kept private by controlling who has access to

the data

• integrity:

o ensuring that the data has not been tampered with; this can be done

by maintaining confidentiality

• availability:

o ensuring that data is available and useful; this can be done by

ensuring integrity.

8.4.2 Understand the elements of the Identification Authentication Authorisation

Accountability (IAAA) model, including the techniques used and their

benefits and drawbacks:

• identification:

o recognising the individual within a digital system

o knowledge-based identification, including username

o possession-based identification methods

o biometric-based ID methods

• authentication:

o verifying the identity claimed during the identification phase

o multi-factor authentication methods

o passwords and pass phrases

o biometric authentication

• authorisation:

o ensuring that authenticated users can only access resources and

perform actions that they are permitted to

o role-based using the role of the user within the digital system

o access control lists

• accountability:

o ensuring that any actions within a system can be traced back to the

responsible user

o audit logs

o user activity monitoring.