"MfG" der Cyber-Security - pt.1: APT, IEEE, and C&A
Based on my article '"MfG" der Cyber-Security' here on LinkedIn (refer https://tinyurl.com/m5aaru5v) from November 2023, I thought it would be a good idea to additionally explain the acronyms used there. Of course these can easily be looked up these days if one does not know them or what is behind them. The approach I want to take here and going forward, however, is to explain them in my own words, based on my own knowledge and sometimes even on experiences I have made myself. I do not claim to know everything, to be complete, or not to miss essential things. I aim to post one article a week, but cannot promise that.
This article covers line 1:
APT, IEEE and C&A
APT - Advanced Persistent Threat
An APT (freely translated into German: Fortgeschrittene beharrliche Bedrohung) is when someone attempts to gain access to assets or an infrastructure in order to ultimately obtain confidential data (espionage), to impact such assets or infrastructure for blackmail purposes (ransomware), or even to destroy them, for instance by deleting data or physically destroying assets, with Stuxnet as the "classic" example. More or less sophisticated approaches and methods are used for this, also called attack vectors.
Such attack vectors can be collecting publicly available technical and social information online and offline, and then exploiting known weaknesses and vulnerabilities based on that information, or even discovering new ones (zero-day exploits).
But considerably more trivial attacks are used as well: most staff these days are present on business-related social media like LinkedIn, including posting their position. Secondly, most if not all companies and organizations follow a certain naming convention in their email addresses, for instance:
<FirstLetterOfGivenName><LastName>@<CompanyName>.<biz>.
So let's say John Doe works as a registered manager (German: Prokurist) in the finance department of the big corporation Daggobert Corp., whose CEO is Dagobert Duck. Having this information, an attacker now sends an email from the CEO's address [email protected]. - which has been technically pretty easy for decades and is called spoofing - to [email protected]., asking him to transfer USD 100.000,00 to the account with the IBAN DE99 1234 1234 9876 5432 11, but to keep this secret, because it is a still highly secret project to be financed, promising much more revenue in the future ... so basically a valid-looking story behind it.
The above is a typical example - the actual term in the information security world is "CEO fraud" - of what an APT can look like, based here on a somewhat more sophisticated method called social engineering. Such attacks are often very well planned, not to mention that they take time. Attackers are for the most part very patient, and very well executed, not to mention successful, attacks are never discovered and do not even make it to the public at all.
Another such example I came across myself many, many years ago was when a celebrity used the name of their pet, known from news and media, as the access password to their voice mailbox. Hackers just tried it out during a call to support and were able to retrieve voice mail messages, hence being able to put that celebrity on the spot, perhaps blackmail them, or even sell the recorded messages to gossip magazines.
Last but not least, a very classic example of such an APT, even prior to the Internet age during Cold War times, was when so-called Gigolo agents of the former East German intelligence service Staatssicherheit (Stasi) flirted with and dated single executive secretaries of the West German government and in the end obtained highly secret NATO military data from, or rather through, them.
That said, it is important to train everyone in a company or organization - and repeatedly, at least once a year - to be aware of such (possible) threats, to rather double check when not sure, and not to trust easily, culminating sometimes even in what is called the Zero Trust approach, which is a topic of its own.
In our example from the beginning that would mean, for instance, that John Doe calls the CEO Dagobert Duck directly via a second channel (buzzword: two-way) and asks: Did you really send that message? But this also implies that the culture and climate in an organization or company have to be right and open, and not built on strong hierarchies, as one actually still finds very often these days, where staff do not question (to some extent) what supervisors (supposedly) communicated, are not encouraged to do so, and fear disadvantages.
So "Holzauge, sei wachsam." as a German saying goes - or "pay attention" / "be aware" in English, if you like: always use common sense and ask yourself: Does it make sense what I am doing there, giving out this information, being approached by someone this or that way, is this legit ... ? ... and so on.
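Because the From line of an email can be written by anyone, a mail gateway (or a careful recipient looking at the raw headers) should judge a "CEO" message by the signals that are harder to forge: the envelope sender, the Reply-To, and the SPF/DKIM verdicts of the receiving mail server. The Python snippet below is an added example and not code from the original article; the company domain daggobert.example, both messages and all addresses are constructed for the demo, and the Authentication-Results header is assumed to have been added by the receiving mail server.

```python
# Added example (not from the original article): header checks a mail gateway or a
# careful reader can apply to an inbound "CEO" message. All domains, addresses
# and both messages are constructed for this demo.
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "daggobert.example"  # constructed stand-in for the company domain
# Constructed fraud sample: From claims the CEO, but the envelope sender (Return-Path),
# the Reply-To and the SPF/DKIM verdicts all point elsewhere.
CEO_FRAUD_SAMPLE = """\
Return-Path: <billing@mail-relay.example>
Authentication-Results: mx.daggobert.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none
From: "Dagobert Duck (CEO)" <dduck@daggobert.example>
Reply-To: dagobert.duck.private@webmail.example
To: jdoe@daggobert.example
Subject: Urgent and confidential
"""

# Constructed legitimate sample: envelope and header sender agree, SPF and DKIM pass.
LEGIT_SAMPLE = """\
Return-Path: <dduck@daggobert.example>
Authentication-Results: mx.daggobert.example; spf=pass smtp.mailfrom=daggobert.example; dkim=pass header.d=daggobert.example
From: "Dagobert Duck" <dduck@daggobert.example>
To: jdoe@daggobert.example
Subject: Q3 figures
"""

def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoofing_signals(raw_message, trusted_domain=TRUSTED_DOMAIN):
    """Return the reasons this message must not be trusted as internal mail (empty = none found)."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    reply_to_domain = _domain(msg.get("Reply-To"))
    auth = (msg.get("Authentication-Results") or "").lower()
    signals = []
    if from_domain == trusted_domain and return_path_domain != trusted_domain:
        signals.append(f"envelope sender '{return_path_domain}' does not match the From domain")
    if reply_to_domain and reply_to_domain != from_domain:
        signals.append(f"Reply-To sends answers to '{reply_to_domain}' instead of the sender")
    if "spf=fail" in auth or "spf=softfail" in auth:
        signals.append("SPF failed for the envelope sender")
    if from_domain == trusted_domain and "dkim=pass" not in auth:
        signals.append("no passing DKIM signature for an internal-looking sender")
    return signals
```

None of these checks replaces the second channel described above; they only tell the recipient (or the gateway) that a call-back is due before any money moves.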
IEEE - Institute of Electrical and Electronics Engineers
This is a worldwide organization connecting professionals working in the fields of electrical engineering and information technology (IT). It is also responsible for developing (further), releasing and maintaining essential worldwide standards, e.g. the IEEE 802 series, which covers everything related to networks, starting with Layer 1 of the OSI model (the media, like cables) up to higher layers, including routing, WLAN, Bluetooth etc.
C&A - Certification and Accreditation
An acronym found especially in North American standards like the NIST 800 series; it can be summarized as the "Authority to Operate" assets and infrastructures, granted by being properly certified and accredited based on ability, roles and assessments.
This concludes pt. 1 of this series; the base, pt. 0 if one likes, can (again) be found here on LinkedIn: https://tinyurl.com/m5aaru5v.
The next part pt. 2 - covering IDS, IPS, and SLA - can be found here: https://tinyurl.com/22asur39.
#cyber-security #datenschutz #informationssicherheit #knowledge #knowledgesharing #informationsecurity #it #ot #dsgvo #gdpr #netzwerke #networks #buzzwords #acronyms #abbreviations #MfG #APT #IEEE #C&A #CEOfraud #awareness