The Web - User Side - Coggle Diagram
The Web - User Side
Email Attacks
Fake (Inaccurate) Email Header Data
Email headers are easy to spoof, so a user may trust a forged source.
Phishing
The email tries to trick the recipient into disclosing private data or taking another unsafe action
Fake Email
Protecting Against Email Attacks
PGP - Pretty Good Privacy
Originally developed for plain messages
S/MIME
An Internet standard for secure email attachments such as multimedia data, spreadsheets, presentations, etc.
Fake Email as Spam
Spam
Fictitious or misleading email
Volume of Spam
M86 Security Labs estimates that spam accounts for 86% of all mail
Advertising
Pump and Dump
Malicious Payload
Links to malicious content
The Price is Right
Browser Attacks
Vectors
Tackle the browser or one of its components, add-ons, or plug-ins so its activity is altered.
Intercept or modify communication to or from the browser
Go after the operating system
Types
Man in the browser
Trojan horse that intercepts data passing through the browser
Data is intercepted before encryption
Keystroke logger
Page-in-the-middle
Program Download Substitution
A user agreeing to install a program has no way to know what that program will actually do.
User-in-the-middle
How they succeed: Failed Identification and Authentication
Human Authentication
Human capacity is limited to easy, familiar authenticators, which are also easy to discover.
Computer Authentication
Vulnerabilities in authentication include not just the authentication data but also the processes used to implement authentication.
Countermeasures
Shared Secret
One-Time Password
Out-Of-Band Communication
Continuous Authentication
Web Attacks Targeting Users
False or Misleading Content
Defaced Web Site
An attacker replaces or modifies the content of a legitimate web site
Prove a point
Embarrass a victim
Fake Web Site
The attacker can get all the images a real site uses; fake sites can look convincing
Fake Code
Download a fake program
Protecting Web Sites Against Change
Integrity Checksum
Signed Code or Data
Malicious Web Content
Substitute Content on a Real Web Site
Web Bug
Also called a clear GIF, 1x1 GIF, or tracking bug
Clickjacking
Tricking a user into clicking a link by disguising what the link points to
Drive by download
Downloading and installing code other than what a user expects
Protecting Against Malicious Web Pages
Separation
Obtaining User or Website Data
Code within Data
Cross-Site Scripting
Executable code is included in the interaction between client and server and executed by the client or server
Scripting attacks force a server to execute commands (a script) in a normal data fetch request
Persistent Cross-site scripting attacks
Website Data: A User's Problem Too
Users are partly responsible for protecting their own data, because the strength of the security measures they choose for themselves (passwords, security questions, 2FA) is up to them.
Foiling Data Attacks