Cyber Security Threats

Quick links




Cyber security




Methods to detect and prevent
cyber security threats


Questions on
cyber security



Syllabus content

Content   Additional Information

Understand and be able to explain the following cyber security threats:


Explain what penetration testing is and what it is used for.  

Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. Students should understand that the aim of a white-box penetration test is to simulate a malicious insider who has knowledge of and possibly basic credentials for the target system. Students should understand that the aim of a black-box penetration test is to simulate an external hacking or cyber warfare attack. (more..)



What is a cyber security threat?

What is Cyber Security?

Cyber security – defined as the protection of systems, networks and data in cyberspace – is a critical issue for all businesses. Cyber security will only become more important as more devices are connected to the Internet.

While rapid technological developments have provided vast areas of new opportunity and potential sources of efficiency for organisations of all sizes, these new technologies have also brought unprecedented threats.

Cyber security for organisations

An effective cyber security posture should be proportional to the risks faced by each organisation, and should be based on the results of a risk assessment.

All organisations face two types of cyber attack:

They will be deliberately attacked because they have a high profile and appear to have valuable data (or there is some other publicity benefit in a successful attack).

They will be attacked by opportunists because an automated scan detects the existence of exploitable vulnerabilities. Virtually every Internet-facing entity will have exploitable vulnerabilities unless it has been specifically tested and secured.

Cyber criminals are indiscriminate. Where there is a weakness, they will try to exploit it. Therefore, all organisations need to understand the cyber threats they face, and safeguard against them.

For more information on cyber security, we recommend downloading our free green paper Cyber Security – A critical business issue.

Cyber security frameworks

Organisations can use a number of frameworks to reduce the cyber threat. Two popular frameworks used in the UK are ISO 27001 and Cyber Essentials:

ISO 27001 and cyber security

As well as protecting their critical assets, customer details and operating systems, effective cyber security can help organisations win new business by providing assurances of their cyber security commitment to their supply chain, partners, stakeholders and customers.

In order to achieve real cyber security, today’s organisations have to recognise that software alone is not enough to protect them from cyber threats. The three fundamental domains of effective cyber security are people, processes and technology.

ISO 27001 is the internationally recognised best-practice standard for information security management. It forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO 27001 in order to deliver their specific added value. Implementing ISO 27001 will help you protect your information assets in cyberspace, comply with your regulatory obligations, and thrive by assuring your customers and stakeholders that you are cyber secure.

Cyber Essentials
The Cyber Essentials scheme was developed by the UK government to help businesses deal with the business-critical issues of cyber security and cyber resilience. The scheme provides a set of controls that organisations can implement to achieve a basic level of cyber security.

Types of cyber risks

Cyber risks can be divided into three distinct types:

Cyber crime
Conducted by individuals working alone or in organised groups. Cyber criminals are intent on extracting money, data or causing disruption. Cyber crime can take many forms, including the acquisition of credit/debit card data and intellectual property, and impairing the operations of a website or service.
Cyber war
A nation state conducting sabotage and espionage against another nation in order to cause disruption or to extract data. This could involve the use of advanced persistent threats (APTs).
Cyber terror
An organisation, working independently of a nation state, conducting terrorist activities through the medium of cyberspace.

Organisations that have to consider measures against cyber war or cyber terror include governments, those within the critical national infrastructure, and very high-profile institutions. It is unlikely that most organisations will face the threat of cyber war or cyber terror.

How cyber criminals work

Cyberspace is unregulated and it is increasingly simple and inexpensive to commit cyber crime; criminals can even buy off-the-shelf hacking software, complete with support services.

Congruent with the rapid pace of technological change, the world of cyber crime never stops innovating. Every month, Microsoft publishes a bulletin of the vulnerabilities of its systems, an ever-growing list of known threats, bugs and viruses. For a more complete overview of cyber security threats, mailing lists such as Bugtraq can provide up-to-date resources listing all new bugs.

Types of malware

Cyber criminals operate remotely, in what is called ‘automation at a distance’, using numerous types of attack that broadly fall under the umbrella term ‘malware’ (malicious software). These include:

Aim: Gain access to, steal, modify and/or corrupt information and files from a targeted computer system.
Technique: A virus is a small piece of code that can replicate itself and spread from one computer to another by attaching itself to another computer file.

Aim: Exploit weaknesses in operating systems to damage networks and deliver payloads that allow remote control of the infected computer.
Technique: Worms are self-replicating and do not require a program to attach themselves to. Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered.

Aim: Take control of your computer and/or collect personal information without your knowledge.
Technique: Spyware/adware can be installed on your computer when you open attachments, click on links or download infected software.

Aim: Create a ‘backdoor’ on your computer by which information can be stolen and damage caused.
Technique: A Trojan virus is a program that appears to perform one function (for example, virus removal) but actually performs malicious activity when executed.

Attack vectors
There are also a number of attack vectors available to cyber criminals that allow them to infect computers with malware or harvest stolen data:

Phishing – An attempt to acquire users’ information by masquerading as a legitimate entity. Examples include spoof emails and websites. See ‘social engineering’ below.

Pharming – An attack to redirect a website’s traffic to a different, fake website, where the individuals’ information is then compromised. See ‘social engineering’ below.

Drive-by – Opportunistic attacks against specific weaknesses within a system.

Man in the middle (MITM) – An attack where a middleman impersonates each endpoint and is able to manipulate both victims.

Social engineering – An exploitation of an individual’s weakness, achieved by making them click malicious links, or by physically gaining access to a computer through deception. Pharming and phishing are examples of social engineering.

Social engineering techniques

Social engineering attacks, which rely on human interaction and fraudulent behavior to trick people, are the fastest growing security threat for enterprises today.

While traditional attacks leverage technology-based system vulnerabilities, such as software bugs and misconfigurations, social engineering attacks take advantage of human vulnerabilities by using deception to trick targeted victims into performing harmful actions.

Examples of social engineering attacks, which are typically launched via email, include phishing, spear phishing, trojans and Business Email Compromise (BEC). According to the FBI, BEC scams have resulted in losses of $3.1 billion as of May 2016.

Spear Phishing

Spear phishing attacks are highly targeted. The spear phishers use carefully crafted emails combined with social engineering tactics to convince the victim to open and engage with the email.

Consumer Phishing

In a consumer phishing attack, a criminal sends a large number of consumers a deceptive email appearing to come from a respected brand usually in order to gain account credentials.

Business Email Compromise

Business Email Compromise (BEC), also known as CEO fraud, is a sophisticated email attack in which a criminal sends targeted emails to an organization’s employees.


Ransomware is a form of malware that infects victim computers, encrypts their content, and requires victims to pay a ransom to the criminal responsible for the attack in order to regain access to their content.

Data Breach

Data breaches are often the result of intrusions caused by credential theft or malware installation, which in turn is fueled by social engineering and identity deception.

Malicious code


Malicious code is the term used to describe anycode in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system. Malicious code is an application security threat that cannot be efficiently controlled by conventional antivirus software alone.


Malicious software is any software that the user did not authorize to be loaded or software that collects data about a user without their permission. The following is a list of terminology commonly used to describe the various types of malicious software:

  • Spyware- Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet (where it is sometimes called a Spybot or tracking software), Spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.

  • Virus- a virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a diskette or CD

  • Worm- a worm is a self-replicating virus that does not alter files but duplicates itself. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.

  • Logic bomb- a logic bomb is programming code, inserted surreptitiously or intentionally, that is designed to execute (or "explode") under circumstances such as the lapse of a certain amount of time or the failure of a program user to respond to a program command. It is in effect a delayed-action computer virus or Trojan horse. A logic bomb, when "exploded," may be designed to display or print a spurious message, delete or corrupt data, or have other undesirable effects.

  • Trapdoor- is a method of gaining access to some part of a system other than by the normal procedure (e.g. gaining access without having to supply a password). Hackers who successfully penetrate a system may insert trapdoors to allow them entry at a later date, even if the vulnerability that they originally exploited is closed. There have also been instances of system developers leaving debug trapdoors in software, which are then discovered and exploited by hackers.

  • Trojan (Trojan Horse)- a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the certain area on your hard disk. A Trojan horse may be widely redistributed as part of a computer virus.

  • RATs (Remote Admin Trojans) - are a special form of Trojan Horse that allows remote control over a machine. These programs are used to steal passwords and other sensitive information. Although they are "invisible", symptoms such as a slow moving system, CD ports opening and closing and unexplained restarting of your computer may manifest.

  • Malware - Malware (for "malicious software") is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also Spyware, programming that gathers information about a computer user without permission.

  • Mobile Malicious Code - web documents often have server-supplied code associated with them which executes inside the web browser. This active content allows information servers to customize the presentation of their information, but also provides a mechanism to attack systems running a client browser. Mobile malicious code may arrive at a site through active content such as JavaScript, Java Applets and ActiveX controls or through Plug-ins.

  • Malicious Font - webpage text that exploits the default method used to de-compress Embedded Open Type Fonts in Windows based programs including Internet Explorer and Outlook. These malicious fonts are designed to trigger a buffer overflow which will disable the security on Windows-based PCs. This allows an intruder to take complete control of the affected computer and remotely execute destructive activities including installing unauthorized programs and manipulating data.

  • Rootkits - Rootkits are a set of software tools used by an intruder to gain and maintain access to a computer system without the user's knowledge. These tools conceal covert running processes, files and system data making them difficult to detect. There are rootkits to penetrate a wide variety of operating systems including Linux, Solaris and versions of Microsoft Windows. A computer with rootkits on it is called a rooted computer.

    There are three types of rootkits. Below is a description of the characteristics of each:

    • Kernel Rootkits - hide a backdoor on a computer system by using modified code to add or replace a portion of the system's existing kernel code. Usually the new code is added to the kernel via a device driver or loadable module. Kernel rootkits can be especially dangerous because they can be difficult to detect without appropriate software.
    • Library Rootkits - hide information about the intruder by manipulating system calls with patches, hooks, or replacements.
    • Application Rootkits - replace or modify regular application binaries with camouflaged fakes, hooks, patches, or injected code.
Computer Virus

Computer Virus

A computer virus is a self replicating computer program which can attach itself to other files/programs, and can execute secretly when the host program/file is activated. When the virus is executed, it can perform a number of tasks, such as erasing your files/hard disk, displaying nuisance information, attaching to other files, etc.

Type of virus
Memory-Resident Virus

This type will reside in main system memory. Whenever the operating system executes a file, the virus will infect a file if it is a suitable target, for example, a program file.

Program File Virus

This will infect programs like EXE, COM, SYS etc.

Polymorphic Virus

The virus itself can change form using various polymorphism techniques.

Boot Sector Virus

This type will infect the system area of a disk, when the disk is accessed initially or booted.

Stealth Virus

A virus which uses various stealth techniques in order to hide itself from detection by anti-virus software.

Macro Virus

Unlike other virus types, these viruses attack data files instead of executable files. Macro viruses are particularly common due to the fact that they attach to documents and files, which are platform independent and the document is sent to other computers by, for example, email or file exchange. Recipients are receiving the infected document from a "trusted" sender.

Email virus

A virus spread by email messages.

Trojan Horses

A trojan horse is a non-replicating program that appears legitimate, but actually performs malicious and illicit activities when executed. Attackers use trojan horses to steal a user's password information, or they may simply destroy programs or data on the hard disk.

A trojan horse is hard to detect as it is designed to conceal its presence by performing its functions properly.

Some recent examples are:

  • Trojan horses embedded into online game plug-ins which will help online gamer to advance their game characters; however, the online game account and password are also stolen. The gamer's cyber assets are therefore stolen.
  • Trojan horses are embedded into popular commercial packages and uploaded to websites for free download or to be shared across peer-to-peer download networks.

Trojan horses are particularly dangerous due to the fact that they can also open a back door into a system and allow an attacker install further malicious programs on your computer. Back Orifice and SubSeven are two well-known remote access trojan horses that allow attackers to take control of a victim's computer.


A worm is a self-replicating program that does not need to attach to a host program/file. Unlike viruses, worms can execute themselves. Worms have the ability to spread over a network and can initiate massive and destructive attacks in a short period of time.

One typical example of a massive attack is the "SQL Sapphire Slammer (Sapphire)" that occurred on 25 January 2003. The Sapphire exploited an MS SQL Server or MSDE 2000 database engine vulnerability. The weakness lays in an underlying indexing service that Microsoft had released a patch in 2002. It doubled in size every 8.5 seconds, and infected more than 90 percent of vulnerable hosts within 10 minutes. It eventually infected at least 75,000 hosts and caused network outages that resulted in:

  • Canceled airline flights

  • Interference with elections

  • Bank ATM failures

Spyware & Adware

Spyware is a type of software that secretly forwards information about a user to third parties without the user's knowledge or consent. This information can include a user's online activities, files accessed on the computer, or even user's keystrokes.

Adware is a type of software that displays advertising banners while a program is running. Some adware can also be spyware. They first spy on and gather information from a victim's computer, and then display an advertising banner related to the information collected.

A system with spyware / adware installed may display one or more of the following symptoms:

  • The default start page of the web browser is changed to another website and/or new items are added to the Favorites folder without the user's consent. The user cannot undo the changes, and these browser hijackers force the user to visit the unwanted websites in order to, for example, inflate the hit rate of the websites for higher advertising value.

  • Pop-up windows with advertisements open on the screen even when the user's browser is not running or when the system is not connected to the Internet.

  • New software components, such as browser toolbars, are installed on a user's computer without his or her permission.

  • Suspicious network traffic appears on the user's computer when he or she is not performing any online activities.

However, there are some spyware carefully programmed to avoid being noticed, and hence cannot be picked up by the above abnormalities. This type of spyware can only be detected and removed by anti-spyware products / tools.


A rootkit is a collection of files that alter the standard functionality of an operating system on a computer in a malicious and stealthy manner. By altering the operating system, a rootkit allows an attacker to act as system administer on the victim's system. (Or the "root" user in a Unix system - hence the name "rootkit".)

Many rootkits are designed to hide their existence and the changes they made to a system. This makes it very difficult to determine whether a rootkit is present on a system, and identify what has been changed by the rootkit. For example, a rootkit might suppress directory and process listing entries related to its own files.

Rootkits may be used to install other types of attacker tools, such as backdoors and keystroke loggers. Examples of rootkits include LRK5, Knark, Adore, and Hacker Defender.

Active Content

Unlike the traditional methods of working with static data files using a software program, today's data objects, such as web pages, email and documents can interweave data and code together, allowing dynamic execution of program code on the user's computer. The fact that these data objects are frequently transferred between users makes them efficient carriers of viruses. The transparency of code execution can be a security concern.

The two main 'active content' technologies are ActiveX controls and Java. In general, ActiveX poses a greater threat because it has direct access to native Windows calls, and hence any system function. Java, on the other hand, is "sandboxed" or insulated from operating system services by the Java Virtual Machine. However, this does not mean that there will never be a Java virus.

Zombies and Botnets

A zombie computer, usually known in the short form zombie, is a computer attached to the Internet that has been compromised and manipulated without the knowledge of the computer owner. A botnet refers to a network of zombie computers that have been taken over and put under the remote control of an attacker.

A botnet might consist of thousands of zombie computers, and even more. The zombie computers in the botnets can consist of computers at homes, schools, businesses and governments scattered around the world.

A zombie computer itself may only be slowed down slightly, or displaying mysterious messages. However, the whole botnet can be used by the attacker for a massive attack, such as DDoS (the Distributed Denial of Service) attack, against another system or network. Due to the large number of machines in a botnet, the aggregate computing power can be enormous when all these machines work together to launch a DDoS attack against a single target.

You should protect your machines or systems from becoming zombie computers.


Scareware, or sometimes called rogueware, comprises several classes of ransomware or scam software with malicious payloads. While pretending as legitimate anti-virus software or the likes, scareware is in fact dummy software without functions, or sometimes even a malicious software which may, for example, steal the victim's personal information and credentials such as passwords or credit card details. Ransomware makes your computer files inaccessible. The victim is then requested to pay a fee ("ransom") to regain access to their files.

Scareware usually entices victims by convincing them that a virus has infected their computer, then suggesting that they download (and pay for) an anti-virus software to remove it. Very often, the virus is entirely fictional, and the software installed is the scareware itself. In additional to the loss of money paid for the scareware, the personal details and credit card information provided by the victim during the purchase of the scareware can be used by criminals in further fraud or sold on black market forums.

Ransomware is a twisted form of scareware. One of common tactics is that the malware attacks victims through phishing emails with a malicious attachment. Once infected, the malware makers of ransomware can "kidnap" user’s computer and hold it to ransom by, for example, stopping the computer working, encrypting key system files or locking up some of the personal information. The victim needs to pay ransom to free their machines and get their files back.

Protection against scareware and ransomware would require the common best practices against malware, in particular, users must be cautious and exercise their common sense, and use of legitimate security software is of particular importance. Some best practices for protection against scareware, ransomware, as well as other virus and malicious code attacks are:

  • Backup important data frequently and keep the backup data disconnected from the computer

  • Refrain from visiting suspicious websites or downloading any files from them

  • Do not open any suspicious emails or instant messages, as well as the attachments and hyperlinks inside

  • Check and keep your anti-malware program and signatures are up-to-date

  • Install the latest patches for software in use

  • Disable macros for Microsoft Word, Excel and other office applications by default

  • Enable security features of the system and browser

  • Install software and mobile apps from trusted sources, do not install those apps if suspicious permission rights are required

  • For business operations with a higher risk of exposure to malware infection such as customer enquiry emails handling, a dedicated computer with no shared drives and restricted network connectivity to internal network should be used to minimise the impact of infection and the handling staff should keep alert of possible infection.

In case a computer device is infected, users should consider to take immediate actions to:

  • Disconnect the network cable of the computer to avoid affecting network drives and other computers

  • Power off the computer to stop the ransomware encrypting more files

  • Jot down what have been accessed (such as programs, files, emails and websites) before discovering the issue;

  • Recover the data from backup to a clean computing device

To learn more about ransomware, please visit the Cyber Security Information Portal.


Virus Hoax

A virus hoax is a false virus warning, usually in the form of an email message. It suggests the reader to forward the message to others, resulting in a rapidly growing proliferation of emails that may overload systems.

Mobile Device Virus / Worms

Like any computing platform, mobile devices are also susceptible to malicious code attacks. Although at present, malicious codes for handheld devices and smart phones are not that common, there is likely to be an increase as the functionality of mobile applications increase and with the wider deployment of these devices.

The open architecture of mobile application development environments, often with extensive software development documentation and tools, also allow attackers to create malicious code for these platforms quite easily.

Malicious code can infect mobile devices in several ways. These include:

  • Via email SMS or MMS: a message containing a hyperlink to a malicious code is sent to entice a user to select the link and download the code. Alternatively, the code can be sent in an email as an attached file and infect the device when executed. Similarly, malicious code can also be propagated via MMS messages. SymbOS / Commwarrior.M is a worm that is capable of spreading via MMS messages on Symbian Series 60 devices.

  • Via desktop synchronisation: the worm Cxover is one such an example. Cxover is a proof-of-concept worm that can affect both Windows PC and Windows Mobile devices. If it is executed on a Windows Mobile device, it will copy itself to the computer over an ActiveSync connection. If it is executed on a Windows PC, it will search for any handled devices connected over ActiveSync and copy itself to the device.

  • Via Bluetooth, Infra-red or Wi-Fi: the first worm capable of spreading via Bluetooth was discovered in June 2004 and was named Cabir. It was a proof-of-concept worm for Symbian OS Series 60 smart phones but it has not been found in the wild since then. The worm required several interactive steps on the part of the recipient in order to execute. An attacker who intentionally sends a malicious program to trick the recipient into accepting it can also exploit the potential weakness of Bluetooth.

Logic Bombs

A logic bomb is a program code which is embedded in another program, and can be activated when a certain predefined criteria are met.

For instance, a time bomb will attack a system and erase all data if a licence key or another program code is not found in the system. In some cases, a logic bomb will inform the attacker via the Internet that the bomb is ready to attack the victim.

Trap Door

A trap door is a secret entry point into a program that is intentionally included in the program code. While it can facilitate debugging during program development, it may be used for malicious purposes as well.

Common Obfuscation Techniques

The following are common obfuscation techniques used by malicious code developers and writers to evade detection and destruction:

  • Binders and Packers
    Most virus signature files are created based on the checksum value which makes use of the file properties and first few bytes of the malicious code binaries. The binders technique is to bind the virus and malicious code file on to another file, which changes its form. The packers technique is to compress the virus code before it is embedded.

  • Self-Encryption and Self-Decryption
    Malicious code may encrypt and decrypt itself, even using several layers of encryption and decryption and/or using random keys in encryption and decryption. This makes them harder to examine directly.

  • Polymorphism
    Malicious code can change its default encryption settings as well as the decryption code during self-encryption. These make it much more difficult to detect.

  • Metamorphism
    Malicious code change its form by, for instance, rearranging its code fragments or/and by adding useless lines of code into its source, and recompiling itself into a new form.

  • Code conversion to a VB (Visual Basic) script
    This method converts an executable program (.exe) into a visual basic script (.vbs) file that can be attached to a document, data files or email messages.

  • Stealth
    The technique is designed to evade anti-virus software detection by hiding the code itself. One example is to monitor system calls to files; the malicious code then modifies the return information to the process call by returning only original information.


Weak and default passwords

People’s choice of passwords continues to pose a huge security risk, according to new research.

The data comes as part of an annual Worst Passwords List. Compiled by SplashData, it is designed to encourage users to adopt stronger passwords.

It revealed that the two most commonly used are ‘123456’ and ‘password’, both of which have remained at the top of the list since it first started back in 2011. This highlights the fact that people are still not being vigilant when it comes to online security.

There were signs this year that people are trying to be more creative with their passwords – there were longer alternatives on this year’s list, for example. However, unfortunately, these are not as secure as people like to think, as users are simply adding meaningless additions to the end of the original password.

For example, instead of ‘123456’, many chose ‘1234567890’. This is a basic extension, which cybercriminals can take full advantage of.

Morgan Slain, CEO of SplashData, said: “We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers.”

Perhaps unsurprisingly, Star Wars themed passwords have cropped up on the list this year, with ‘starwars’, ‘solo’ and ‘princess’ featuring for the very first time.
Despite their more unique nature, these kinds of passwords are found to be just as insecure, SplashData explained.

Sports also continues to be a popular theme with ‘baseball’ and ‘football’ both appearing in the Top 10.

Mr. Slain goes on to say that thanks to more publicity about how risky it is to use weak passwords, “more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites”.

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability. Click here for the rest of the article.


Password is a secret word or more technically defined a string of characters used to authenticate, gain access to resources or prove identity. It must be kept in secret from others who are not allowed to access those resources. In most cases passwords are used in common with usernames.

Passwords have been used with computers since the earliest days of computing. One of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. After typing “PASSWORD”, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy.

The strength of a password is a function of length, complexity, and unpredictability. It measures the effectiveness in resisting guessing it.
Weak passwords shorten the time necessary to guess it and gain access to personal/corporate e-mails, sensitive data like financial info, credit cards, business info etc.

Examples of weak passwords:

  • Dictionary words: sky, grass, hummer etc.
  • Double words: skysky, grassgrass etc.
  • Unchanged default password of a device
  • Words with simple obfuscation : p@ssword, password1
  • Well known sequence: 123456, qwerty123, 123password

There are many other ways a password can be weak corresponding to the strengths of various attack schemes.

Attacks against passwords are classified according to the way they are implemented.

Passive online attack

In passive online attacks an attacker don’t contact with authorizing party for stealing password, in other words he attempts password hacking but without communicating with victim or victim account. Types of passive online attacks are:

  • Wire sniffing – Sniffing occurs when a wire-tap is applied to computer network. All the traffic which passes to the tap is analyzed by a software and thus a password could be obtained.
  • Man in the middle – Man in the middle attack is a form of eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, but the entire conversation is controlled by him.

Active online attack

This type of attack is termed as password guessing. An attacker tries number of passwords one by one using either a manual or automated approach against victim to guess his/her password. Password guessing isn’t always as difficult because practice shows that most people uses common simple words as passwords.

Offline attack

Offline password attacks are performed from a location other than the actual computer where the password reside or were used. Offline attacks requires access to the computer which stores password file, the attacker copies the password file and then tries to break passwords in his own system. The following types of offline attack are used:

  • Brute force attack – Brute force approach is to try to guess the password repeatedly by using mathematical algorithm. This method is very fast when used to check all short passwords, but for longer passwords the time is longer
  • Dictionary attack – Dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list of pre-arranged values. Dictionary attacks are not guaranteed to succeed, but this doesn’t mean it is less preferred method, because most users use standard dictionary word as a password.

Non-technical attacks

These attacks does not require any technical knowledge and includes the following approaches:

  • Shoulder surfing
  • Keyboard sniffing
  • Social engineering


Most important rule to avoid weak passwords in organizations is implementing password policies and strictly following them without exceptions.

Password polices include:

  • Minimum length of password characters – at least 6
  • Password must include special character, lower and upped cases, numbers
  • Number of wrong attempts after which the account is locked for a reasonable time
  • Changing passwords over defined time
  • History of used passwords
  • Using strong encrypting algorithms

Another important rule is to educate employees to avoid non-technical attacks:

  • Using password manager to store passwords
  • Using different passwords for different applications and sites
  • Teaching employees to memorizing techniques to assist remembering passwords

WordPress Vulnerability

Massive WordPress Attack Targets Weak Admin Passwords

If you’re using the popular open source blogging tool WordPress to power your website, you may be vulnerable to a new web-based attack.
If your WordPress admin pages suddenly become sluggish, unreachable or you’re unable to log in there’s a good chance your site is being attacked.

According to CloudFlare CEO Matthew Prince, the attack is using brute force against WordPress’ admin pages using the old default username “admin” and then trying thousands of passwords. There’s nothing new about that approach, but what makes this attack different, and particularly potent, is that the attackers have some 90,000 unique IP addresses at their disposal.

For its part CloudFlare has pushed out an update that “detects the signature of the attack and stops it.”

Popular WordPress Host HostGator reports that it too has “seen over 90,000 IP addresses involved in this attack.”

WordPress creator Matt Mullenweg has also weighed in, pointing out that it’s been over three years since WordPress used the username “admin” as the default for new installations.

However, there are no doubt a great many sites that still have — whether they use it or not — the “admin” user account hanging around in WordPress. It’s also worth noting that, while this attack appears limited to trying the “admin” username, a more sophisticated approach could do the same thing, but with unique usernames — for example, find the most frequently used account name on the public site, assume it’s an admin account and run the same attack against the admin pages. So far that hasn’t happened.

“Here’s what I would recommend,” writes Mullenweg on his blog, “if you still use “admin” as a username on your blog, change it, use a strong password, if you’re on turn on two-factor authentication, and of course make sure you’re up to date on the latest version of WordPress.”

Unfortunately, given the number of IP addresses that seem to be at the attackers’ disposal, other common security measures — like tools that limit logins by IP address — aren’t going to be terribly effective against this attack. Short of getting rid of the default “admin” account (if it still exists), there isn’t a whole lot you can do to stop the attacks (unless you want to use a web application firewall like CloudFlare or ModSecurity). Be sure to contact your hosting company if you think your site has come under attack.

Think you have a strong password?

Think you have a strong password? Hackers crack 16-character passwords in less than an HOUR


  • During an experiment for Ars Technica hackers managed to crack 90% of 16,449 hashed passwords
  • Six passwords were cracked each minute including 16-character versions such as 'qeadzcwrsfxv1331'

By Victoria Woollaston

PUBLISHED: 17:17, 28 May 2013 | UPDATED: 18:15, 28 May 2013

A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449  - as part of a hacking experiment for a technology website. 

The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. 

The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'.

A team of hackers have managed to crack more than 14,800 cryptographically hashed passwords - from a list of 16,449  - as part of a hacking experiment for tech website Ars Technica.

A team of hackers have managed to crack more than 14,800 cryptographically hashed passwords - from a list of 16,449 - as part of a hacking experiment for tech website Ars Technica. The success rate for each hacker ranged from 62% to 90%, including 16-character passwords with a mix of numbers and letters. The hacker who cracked 90% of hashed passwords did so in less than an hour

The hackers, working for the website Ars Technica, have now published how they cracked the codes and the traditional methods used to create an anatomy of a hack. 

Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online. 

Hashing takes each user's plain text password and runs it through a one-way mathematical function.

This creates a unique string of numbers and letters called the hash. 

Hashing makes it difficult for an attacker to move from hash back to password and it lets sites keep a list of hashes, rather than storing them insecurely as plain-text passwords.

This means if a list is stolen, the plain text passwords can't be obtained easily. 

However, this experiment shows this doesn't mean its impossible.

When a user types a password into an online form or service, the system hashes the entered word and checks it against the user's stored, pre-hashed password. 

When the two hashes match, the user is allowed entry to their account. 

And using characters, a mix of lower and upper case letters and numbers creates slight variations of a hash. 

The example, Ars Technica use is: hashing the password 'arstechnica' produced the hash c915e95033e8c69ada58eb784a98b2ed. 

Adding capital letters to make 'ArsTechnica' becomes 1d9a3f8172b01328de5acba20563408e after hashing. 

Jeremi Gosney, the founder and CEO of Stricture Consulting Group, managed to crack the first 10,233 hashes, or 62 percent of the leaked list, in 16 minutes. 

He used a so-called 'brute-force crack' for all passwords that were one to six characters long. 

Brute-force attacks is when a computer tries every possible combination of six letters and characters, starting with 'a' and ending with '//////.'

It took Gosney just two minutes and 32 seconds to complete the first round, which found 1,316 plain-text passwords.

Gosney then used brute-force to crack all passwords seven or eight characters long that only contained lower letters. This yielded 1,618 passwords. 

He repeated this for seven and eight-letter passwords using only upper-case letters to reveal another 708 passwords.

This graph shows how long in days it took the Ars Technica hackers to crack the list of 16,449 hashed passwords based on the method used.

This graph shows how long in days it took the Ars Technica hackers to crack the list of 16,449 hashed passwords based on the method used. It also shows how long it took to crack passwords based on how long they were. Each hacker used a combination of wordlists, brute-force attacks and Markov chains to crack the list. One hacker managed to crack 90% of the list

Using passwords that contained only numbers, from one to 12 digits long, Gosney managed to brute-force 312 passwords in three minutes and 21 seconds.

Gosney has spent years perfecting word lists that contain a list of all the six-letter words, for example, to make cracking the weaker passwords faster. 

One hurdle Gosney had to jump during stage one of the hack was 'salted hashes', a technique where sites add random characters to passwords to make them harder to crack.

This can include adding random numbers, characters or letters to the start or end of a password during the hashing process so hackers can't automatically enter a six-letter word, for example, and match the hash automatically. 

However, Gosney explained that once one weak, 'cryptographically salted' hashes are cracked it becomes easier to work out the rest. 

Once Gosney had obtained the weaker passwords, even those that had been salted, using brute-force he moved onto stage two. 

Using a hybrid attack - which combines a dictionary attack with a brute-force attack - he added all possible two-character strings of both numbers and symbols to the end of each word in his dictionary. 

Jeremi Gosney used a mixture of brute-force attacks, a hybrid attack that combined wordlists with brute-force attempts

Jeremi Gosney used a mixture of brute-force attacks, a hybrid attack that combined wordlists with brute-force attempts, statistically generated guesses using Markov chains, and other rules to turn a list of hashed passwords into plain text. It took him 14 hours and 59 minutes to complete all stages

He recovered 585 plain passwords in 11 minutes and 25 seconds.

He next added all possible three-character strings to get another 527 hashes in 58 minutes to complete. 

Thirdly, he added all four-digit number strings and he took 25 minutes to recover 435 passwords.

In round four he added all possible strings containing three lower-case letters and numbers and got 451 more passwords. 

In five hours and 12 minutes he managed to get 2,702 passwords.

He continued to crack the rest of the passwords using a hybrid attack and cracked a total of 12,935 hashes, or 78.6 percent of the list, in five hours and 28 minutes.

During the third stage, in which Gosney attempted to crack the most complicated passwords, he used a mathematical system known as Markov chains.

This method uses previously cracked passwords and a statistically generated brute-force attack that makes educated guesses to analyse plain text passwords, and determine where certain types of characters are likely to appear in a password.

A Markov attack on a seven-letter password has a threshold of 65 tries; using the 65 most likely characters for each position.  

And because passwords usually have capital letters at the start, lower-case letters in the middle, and symbols and numbers at the end, Markov attacks can crack almost as many passwords as a straight brute-force.

Hackers use mix of wordlists, rainbow tables (pictured) and an algorithm called a Markov chain to crack passwords from a hashed list.

Hackers use a mix of wordlists, rainbow tables (pictured) and an algorithm called a Markov chains, among other techniques, to crack passwords from a hashed list. A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters

From this method, Gosney discovered that people who don't know each other use very similar, and in some cases, identical passwords for the same sites. 

During this third stage, Gosney also used other wordlists and rules and it took Gosney 14 hours and 59 minutes to complete all stages. 

He managed to get another 1,699 more passwords - three hours to cover the first 962 plain passwords in this stage and 12 hours to get the remaining 737.

The other two password experts who cracked this list used many of the same techniques and methods, although not in the same sequence and with different tools. 

They used a wordlist that was created directly from the 2009 breach of online games service RockYou. 

This hack leaked more than 14 million unique passwords in plain text and this list is the largest list of 'real-world passwords ever to be made public.'

This method cracked 4,900 of the passwords. The same list was then used again, but this time the last four letters of each word were replaced with four digits. This yielded 2,136 passcodes. 

Hacker radix then tried brute-forcing all numbers, starting with a single digit, then two digits, then three digits, and so, and managed to recover 259 additional passwords. 

He then ran the 7,295 plain text passwords he'd recovered through the Password Analysis and Cracking Toolkit, developed by password expert Peter Kacherginsky, to identify patterns.

A 25-computer cluster that can cracks passwords by making 350 billion guesses per second

A 25-computer cluster that can cracks passwords by making 350 billion guesses per second. It was unveiled in December by Jeremi Gosney, the founder and CEO of Stricture Consulting Group. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords

Radix then used this information to run a mask attack, which uses the same methods as Gosney's hyrbid attack but took less time. 

He replaced common letters with numbers, for example he replaced 'e' with the '3' and recovered 1,940 passwords.

In December, Gosney created a 25-computer cluster that can make 350 billion guesses a second. 

In an email to Ars Technica, Gosney explained: 'Normally I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes.

'And because I can brute-force this really quickly, I have all of my wordlists filtered to only include words that are at least six chars long. 

'This helps to save disk space and also speeds up wordlist-based attacks. 

'Same thing with digits. I can just brute-force numerical passwords very quickly, so there are no digits in any of my wordlists. 

'Then I go straight to my wordlists + best64.rule since those are the most probable patterns, and larger rule sets take much longer to run. 

'Our goal is to find the most plains in the least amount of time, so we want to find as much low-hanging fruit as possible first.'

Entropy and "Brute Force"

Access rights

Definition of: access rightsaccess rights. The permissions that are granted to a user, or to an application, to read, write and erase files in the computer. Access rights can be tied to a particular client or server, to folders within that machine or to specific programs and data files.

Misconfigured access rights

Author: Francis Cianfrocca, Bayshore Networks
The actual practice of information assurance in industrial control systems (ICS) has changed very little in recent years, even as recognition and awareness of vulnerabilities have risen sharply and statutory/regulatory pressures have intensified. In this presentation, we identify the key reasons for this mismatch between need and action. We show that, while business and organizational issues get much of the attention, a far more serious gap has opened between system vulnerabilities (including the capabilities of attackers) and commonly-deployed cyber security technology.
The technology gap is widening rapidly as organizations seek 1) broader integration of industrial control systems with enterprise IT; and 2) increased sharing of operational data across organizational boundaries.
Standard practice and regulations generally view the assurance of ICS integrity/availability as either an access-control problem or a problem that encrypted streams can solve. This approach has value, but is quite inadequate to address both 1) the expanding scale of potential attacks against civil infrastructure; and 2) the potential monetary and societal losses from successful attacks. The current state of ICS security parallels that of enterprise IT security in the past, with respect to the differences between the network (Layer-3) and the application (Layer-7) approaches. History shows that network-level security failed to adequately protect enterprise applications. ICS security is at that point today.
We present experience-based results from new technologies developed and/or applied by our organization in industrial control systems. Among the technologies to be described are 1) new data-flow protection methodologies including flow-based heuristics; 2) improving the detection of malicious or dangerous events within "normal" ICS data flows; 3) architectural controls such as unidirectional flows; 4) the value of "big-data" approaches, particularly in large-scale metasystems such as electric power transmission and distribution; 5) how to inhibit attacks like Stuxnet and Duqu in real-time.
We also assess the applicability of many existing OWASP recommendations for enhancing security in enterprise IT to the ICS threat.
Use-cases will be drawn from sectors including: building/factory-floor management; electrical grid; oil/gas; tactical/battlespace applications; and/or any of the 18 critical infrastructure sectors as defined by the Department of Homeland Security.

How Misconfiguration Can Leave You Vulnerable to Attackers

Configuration is an essential part of every application. Misconfiguration can happen at any level of the application stack – from code, to web and application servers, to databases and frameworks. Below, I’ve compiled a list of some of the most common scenarios.

Deployment of development configuration to production

Development configuration can include tracing, unencrypted string connections, test accounts with a weak password, descriptive error messaging, and more. A malicious attacker will be able to use tracing or error messaging to gain access to insecure accounts, compromising the application. When deploying an application, make sure to use the correct set of configuration settings in your deployment scripts.

Failure to secure directories

Protected or private directories are directories that are available only to confirmed application users, admins, or to the application’s code. Protected directories might include sensitive information in the form of files and images, or an account control panel.

Third-party applications installed on a production server

A production server that has additional applications installed on it often poses a security risk. Some applications have their own vulnerabilities and known exploits. For example, some applications might need to use a port in the firewall that otherwise might be blocked. Rather than trying to attack your application directly, a clever attacker may fish for known holes in other applications which they guess might reside on your server. You can do everything right, but your server is only as secure as your least secure application.

Web serving source files

A web server that is not configured to run a technology in a desired endpoint might serve the file back to the client instead of executing it. This can include compiled class files, PHP code and more. Once a hacker has access to your source code, they will be able to access any aspect of your application stack.

Directory listings enabled

With directory listing enabled, an attacker can view all of the files on your web application. This can lead into sensitive files that are not linked from the application, viewed by the client. Even if the file itself cannot be accessed, the mere presence of that file – or the file’s name – may give the attacker damaging information about you or your site.

Default accounts are not changed

If your default account is admin or test, and you left your password as password, an attacker can easily guess them and log on to the application. You should always modify every default account on all applications and servers.

Misconfigured firewalls

A firewall that allows more ports than necessary to be open, or allows unauthorized hosts to connect to the server, can result in an attacker gaining control over the server. For example, a database server that requires an open port in order to execute queries from the web server may neglect to restrict access to the open port. In that case, any attacker can then connect to that port and attack the database, using brute force techniques.

Missing OS security patches

Neglecting to update your OS will result in an attacker utilizing security holes to gain control over your server. It is recommended to apply critical security patches immediately and have a regular maintenance interval for all OS updates. Regular updates should be tested in development before deployment to production to insure application compatibility. Remember, if your OS or application vendor sends you a security patch, by definition, it’s known to the world. Leaving a security patch un-applied is an invitation for exploitation.


Misconfiguration is a part of the OWASP top 10 most critical applications security risks. Calavista rigorously manages configuration and security on our projects – as all reputable software development shops should. When hiring a software development group, ask them hard questions about how they manage security issues – both during development and in the deployment phase. A good shop should be able to answer that question without hesitation. Beware of the deer-in-the-headlights look.

Misconfigured Access Point Attack

The Misconfigured APs are a type of security surface, that are the easiest to breach, if its detected. The place, where you will most likely meet misconfigured AP's are home wireless network or very small businesses. Large wireless environments are most likely using centralized management platforms that control hundreds or thousands of AP and keep them synchronized, therefore it is less likely to meet any configuration error there.

Most common areas of misconfiguration, that leads to wireless cracking’s are −

  • Some AP configurations are left to factory defaults, like usernames and passwords or default WLAN's broadcasted (SSID's) and default settings may be found in manuals of the specific vendor on the internet.

  • Human Error - advanced security policies are configured on a set of AP's across the organization, and other ones are forgotten and left with default weak security settings.

As a counter-measure against misconfigured AP, organizations should follow the ongoing site surveys as a tool to monitor a secure wireless environment.

Examples of a default username/password database for some of the Linksys wireless home devices are −

Model Username Password
BEFSR series (none) or admin admin
E series admin or (none) admin or (none)
EA series admin admin or (none)
WAG series admin or (none) admin or (none)
WRT series (none) admin

Removable media

I thought it would be valuable to put the top ten most important incidents regarding removable devices, including hardware keystroke loggers, USB thumb drives, and MP3 players, together into a list. It helps highlight the risks inherent in removable devices to have all of these incidents in one place.

10. UK Policeman loses memory stick containing terrorist cell information “The black 4GB stick was lost after being taken out of Castle Vale police station by an officer on patrol. It was reported that the memory stick contains details of terror cells being tracked by police but the force refused to comment.” Article.

9. UK Prison inmate information loss. “a consultant for PA Consulting copied files containing records on all 84,000 prisoners in England and Wales onto a USB drive, which then got lost.” Article.

8. Sumitomo Bank Heist. This incident is still the largest attempted bank robbery in history. A PS2 hardware  keystroke logger was used to capture information used to attempt SWIFT wire transfers from the London Branch of Sumitomo Mitsui. More details are trickling out from the trial of the some members of the gang this month. Questions on Sumitomo.

7. Apple ships iPods infected with a windows virus. It turns out that manufacturers of removable media have to ensure antiseptic environments when they pre-load software and data on their devices. Also worth mentioning is Sony’s inclusion of hidden files on USB devices that could prove useful to virus and worm writers.

6. US Military spy incident. A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees, the U.S. Department of Justice said. Price $500.

5. USB Candy Drop. A Security investigator dropped 20 Trojan carrying USB thumb drives in a Credit Union Parking Lot. According to his report “Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers” within three days.

4. New Zealand man buys MP3 player with US military data . ONE News has gained access to the personal files of American soldiers, uncovering military secrets from the most powerful nation in the world.

3. Indian Spy Incident. A CIA operative “Rosanne Minchew, third secretary in the US embassy in Delhi” reportedly paid $50,000 for a USB device loaded with Indian secret information. Note that the CIA pays considerably more for information than other agencies (see above).

2. Countrywide theft of 2 million records. “For more than two years, the employee was able to steal up to 20,000 records a time by copying files from the corporate network to a USB flash drive.” Article.

1. Russian attack on US Military Central Command. The agent for this attack is apparently the USB born worm w32.agent.btz According to F-Secure the worm is installed from an infected thumb drive and places itself on every drive on a computer including any USB drive that is attached to it. Article.

The Business Risk Of Removable Media

Many businesses use removable media devices as a quick and easy means of data storage and transfer. The nature of removable media devices means that they are not without their share of risks, however, with press reports and surveys bringing issues around the loss of devices and the consequences of transferring malware from machine to machine to the fore.

Part of the problem is that the convenience means the devices can find themselves being connected to a variety of essentially unknown and untrusted systems. If the temporary home is infected with malware then it may hop across, and get taken away as an added extra on the device.

And that, of course, is if the device is taken away in the first place – many end up being forgotten and left behind in machines. We certainly find it’s a common phenomenon amongst students in our university labs and (somewhat ironically) we have a growing collection of keys that were left in machines in our security lab.

So, the security issues around removable media can be linked directly to threats around both data loss and leakage, and malware infection. It’s also important that we don’t overlook the different guises in which the risk can exist. If we use the term ‘removable media’, many people will naturally think about USB keys, memory cards, and external hard drives, but content can also be copied to a variety of other devices including cameras, MP3 players, and of course smartphones and tablets.

Given the prevalence of the devices, it’s fair to ask what we’re doing to protect them (and indeed to protect against them). Unfortunately, the answer often appears to be not much. For example, PWC’s Information Security Breaches Survey 2012 suggests that only 58% of large organisations have a policy for mobile computing (small organisations were far behind at 27%) and only a third of respondents overall provided any training in relation to mobile device threats.

While guidance around removable media may still occur in other contexts, this still gives an indication of the relative immaturity of our behaviour around the routes that are enabling our data to go mobile – especially given that virtually all organisations will be using mobile devices in some form, even if they are not formally issuing them to staff themselves. Indeed, a proliferation of personal devices is now specifically embraced and encouraged by initiatives such as BYOD (Bring Your Own Device).

Giving these practices a label helps to make them sound more strategic, but that doesn’t by any means imply that they’re secure. In fact, organisations have less opportunity (and less authority) to ensure that these devices are well managed, and so may end up with a more varied and inherently less protected mobile fleet.

In terms of addressing the risks, a good starting point is to recognise that unless guided otherwise, staff are likely to be (a) using devices to hold a mixture of corporate and personal data and (b) unlikely to be giving a great deal of thought towards protection beyond trying their best not to lose them.

A good foundation is therefore to establish (and promote) a clear policy to users. Fundamentally, this needs to cover the circumstances in which it’s permitted to use the devices, what data can legitimately be stored on them, and the safeguards that ought to be followed. In terms of the latter, key considerations ought to be encrypted storage and malware protection.

In common with the position around policies, surveys suggest that relatively few users will be employing encryption by default (e.g. Ernst & Young’s 2011 Global Information Security Survey suggested that less than half of the respondents were doing so on mobile devices as a whole), and so this could usefully be advocated in order to support a data mobility policy. There are several ways in which protection can be provided, including via operating system features, third party tools, and (for USB keys) by getting encrypted media in the first place.

Similar safeguards can also be applied on other mobile devices such as smartphones and tablets, and here there are also opportunities for frontline authentication via PINs and passwords (and in some cases using biometrics such as face recognition). However, our own findings from survey work at Plymouth suggests that significantly less than half of users protect their phones in this way.

For malware, there are at least two levels at which protection ought to be considered. The first is on any target systems into which removable media may be connected, to ensure that they are not allowing malware to transfer in. The other is on the devices themselves, with smartphones and tablets now being increasingly prone to malware strains being written to target them (and which could add to the risk for data they hold).

Removable media should therefore be an entirely manageable risk – businesses are familiar with the devices and aware of the problems inherent in their use. What they must remember is that the threats from loss or malware infection are very real, and are issues that must be addressed by all organisations.


Removable Media Controls

Failure to control or manage the use of removable media can lead to material financial loss, the theft of information, the introduction of malware and the erosion of business reputation. It is good practice to carry out a risk benefit analysis of the use of removable media and apply appropriate and proportionate security controls, in the context of their business and risk appetite.

2. What is the risk?
The use of removable media to store or transfer significant amounts of personal and commercially sensitive information is an everyday business process. However, if organisations fail to control and manage the import and export of information from their Information and Communications Technologies (ICT) using removable media they could be exposed to the following risks:

Loss of information
The physical design of removable media can result in it being misplaced or stolen, potentially compromising the confidentiality and availability of the information stored on it

Introduction of malware
The uncontrolled use of removable media will increase the risk from malware if the media can be used on multiple ICT systems

Information leakage
Some media types retain information after user deletion; this could lead to an unauthorised transfer of information between systems

Reputational damage
A loss of sensitive data often attracts media attention which could erode customer confidence in the business

Financial loss
If sensitive information is lost or compromised the organisation could be subjected to financial penalties

3. How can the risk be managed?
Removable media should only be used to store or transfer information as a last resort, under normal circumstances information should be stored on corporate systems and exchanged using appropriately protected and approved information exchange connections.

3.1 Produce corporate policies
Develop and implement policies, processes and solutions to control the use of removable media for the import and export of information.

3.2 Limit the use of removable media
Where the use of removable media is unavoidable the business should limit the media types that can be used together with the users, systems and types of information that can be stored or transferred on removable media.

3.3 Scan all media for malware
Protect all host systems (clients and servers) with an anti-virus solution that will actively scan for malware when any type of removable media is introduced. The removable media policy should also ensure that any media brought into the organisation is scanned for malicious content by a standalone media scanner before any data transfer takes place.

3.4 Audit media holdings regularly
All removable media should be formally issued by the organisation to individuals who will be accountable for its secure use and return for destruction or reuse. Records of holdings and use should be made available for audit purposes.

3.5 Encrypt the information held on the media
Where removable media has to be used, the information should be encrypted. The type of encryption should be proportionate to the value of the information and the risks posed to it.

3.6 Lock down access to media drives
The secure baseline build should deny access to media drives (including USB drives) by default and only allow access to approved authorised devices.

3.7 Monitor systems
The monitoring strategy should include the capability to detect and react to the unauthorised use of removable media within an acceptable time frame.

3.8 Actively manage the reuse and disposal of removable media
Where removable media is to be reused or destroyed then appropriate steps should be taken to ensure that previously stored information will not be accessible. The processes will be dependent on the value of the information and the risks posed to it and could range from an approved overwriting process to the physical destruction of the media by an approved third party.

3.9 Educate users and maintain their awareness
Ensure that all users are aware of the risks posed to the organisation from the use of removable media and their personal security responsibility for following the corporate removable media security policy.

Unpatched and/or outdated software.



Unpatched and/or outdated software.



3.1 Fundamentals of algorithms

3.2 Programming

3.3 Fundamentals of data representation

3.4 Computer systems

3.5 Fundamentals of computer networks

3.6 Fundamentals of cyber security

3.7 Ethical, legal and environmental impacts of digital technology on wider society, including issues of privacy

3.8 Aspects of software development

Glossary and other links

Glossary of computing terms.

AQA 8520: The 2016 syllabus

General content

Keep cyber Threats from destroying your clients business

10 ways to secure your digital content

Flashpoint - Business risk intelligence report

Email secirity risk assessment inforgraphic

MimeCast email report

Cost of data breach study 2016

The cyber threat to UK businesses

Biggest cybersecurity threats in 2016

Social Engineering Report ISMG

How Identity Deception Increases the Success of Ransomware

5 Social Engineering Attacks to Watch Out For

Top 5 Social Engineering Exploit Techniques

Top 10 Social Engineering Tactics

Social Engineering Attacks: Common Techniques & How to Prevent an Attack

Hacking the mind

Understanding Social Engineering Attacks

Social Engineering - Definition

Infoseceye (Read the blog entries!)

NCSC Managing Information Risk

The cyber advisory service


Malicious code and malware.

What is Malicious Code?

Program Security

Finding the kill switch to stop the spread of ransomware

Common Malware Types: Cybersecurity 101

Rogue Sheep


The Story of Bob, Alice, and Eve: A Love Triangle Gone Bad (or, How I Came to Love PKI)

The Alice and Bob After Dinner Speech

History of Encryption

Past, present, and future methods of cryptography and data encryption

The Alternative History of Public-Key Cryptography

How PGP works

Beginners guide to PGP


Identity and passwords blog

Even Jedi can't achieve Password Perfection

NCSC Password Security

63% of data breaches involve weak, default or stolen passwords

Password meter

How secure is my password?

Cyber security

NCSC 10 Steps To Cyber Security NCSC

NCSC Bring Your Own Device

NCSC Cyber Attacks

Active Cyber Defence

How Every Cyber Attack Works – A Full List

Misconfigured access rights

Lesson Plan Misconfigured Access Rights

Wireless threats

Risks of portable devices

Risks Of Portable Devices

Advert of sorts

AQA: New computer science gcse arms students with cyber security knowledge

The Story of Alice and Bob

(Short extract from after-dinner speech by John Gordon at The Zurich Seminar April 1984) I go to lots of conferences on Coding Theory in which complicated protocols get discussed. You know the sort of thing:

"A communicates with someone who claims to be B. So to be sure, A tests that B knows a secret number K. So A sends to B a random number X. B then forms Y by encrypting X under key K and sends Y back to A." and so on.

Because this sort of thing is is quite hard to follow, a few years ago theorists stopped using the letters A and B to represent the main players, and started calling them Alice and Bob.

So now we say "Alice communicates with someone claiming to be Bob. So to be sure, Alice tests that Bob knows a secret number K. Alice sends to Bob a random number X. Bob then forms Y by encrypting X under key K and sends Y back to Alice."

It's supposed to make it easier to understand. Now there are hundreds and hundreds of papers written about Alice and Bob. Alice and Bob have been used to illustrate all sorts of protocols and bits of coding theory in scientific papers. Over the years Alice and Bob have tried to defraud insurance companies, they've exchanged secret messages over a tapped line, and the've played poker for high stakes by mail. Now if we put together all the little details from lots of papers - a snippet from here, a snippet from there - we get a facinating picture of their lives.

This may be the first time in the history of coding theory that a definitive biography of Alice and Bob has been given.

Take Bob. Bob is often selling securities to speculators so we can be pretty sure he's a stockbroker. But from his concern about eavesdropping he is probably into something subersive on the side too.

Take Alice. From the number of times Alice tries to buy stock from him we can say she is probably a speculator. And she's also worried that her husband doesn't get to find out about her financial dealings.

So Bob is a subversive stockbroker and Alice is a two-timing speculator. But Alice has a number of serious problems. She and Bob only get to talk by telephone or by email. And in the country where they live the phone service is very expensive. And Alice and Bob are cheapskates.

So the first thing Alice must do is MINIMISE THE COST OF THE PHONE CALL.

The telephone in their country is also pretty lousy. The interference is so bad that Alice and Bob can hardly hear each other. So the second thing Alice must do is to PROTECT HER MESSAGES AGAINST ERRORS in transmission. On top of that Alice and Bob have very powerful enemies. One of their enemies the is the Tax Authority. Another is the Secret Police.

These enemies have almost unlimited resources. They always listen in to telephone conversations between Alice and Bob. This is a pity since Bob and Alice are always plotting tax frauds and overthrowing the government.

So the third thing ALICE must do is PROTECT HER COMMUNICATIONS FROM EAVESDROPPING. And these enemies are very sneaky. One of their favourite tricks is to telephone Alice and pretend to be Bob. So the fourth thing Alice has to do is to BE SURE SHE IS COMMUNICATING WITH WHOM SHE THINKS SHE IS. Well, you think, so all Alice has to do is listen very carefully to be sure she recognises Bob's voice. But no. You see Alice has never met Bob. She has no idea what his voice sounds like.

All in all Alice has a whole bunch of problems. Oh yes, and there is one more thing I forgot so say - Alice doesn't trust Bob.

Now most people in Alice's position would give up. Not Alice.She has courage which can only be described as awesome. Against all odds, over a noisy telephone line, tapped by the tax authorities and the secret police, Alice will happily attempt, with someone she doesn't trust, whom she can't hear clearly, and who is probably someone else, to fiddle her tax return and to organise a cout d'etat, while at the same time minimising the cost of the phone call.

A coding theorist is someone who doesn't think Alice is crazy. (C) John Gordon 1984