Cybercrime
Why cybercrime is prevalent
- Increasing system complexity creates more entry points for attack
- Decreasing skills required: hacking tools are widely and cheaply available ("script kiddies")
- International organised crime groups now operate cybercrime at industrial scale
- Lack of management support leads to chronically underfunded security
- User behaviour: sharing passwords, weak credentials, careless device use
- Cloud computing and virtualisation expand the attack surface continuously
Types of threats
Unintentional threats (human error)
- Carelessness with laptops and mobile devices — loss or theft
- Opening suspicious emails; careless internet surfing
- Poor password selection — weak, reused, or shared
- Improper disposal of equipment without data wiping
- Highest risk departments: Human Resources and Information Systems
Deliberate threats
| Threat | Definition |
|---|---|
| Espionage / trespass | Unauthorised attempt to gain access to organisational information |
| Information extortion | Threatening to steal or actually stealing information, then demanding payment to not disclose it (ransomware) |
| Sabotage and vandalism | Defacing websites or damaging systems to harm an organisation's reputation |
| Theft of equipment | Stealing devices to access the information they contain |
| Dumpster diving | Searching through discarded material (printouts, drives) to find sensitive information |
| Identity theft | Assuming another person's identity to access their finances or frame them for crimes |
Social engineering
| Technique | Description |
|---|---|
| Phishing | Fraudulent emails or websites appearing legitimate, designed to harvest credentials or install malware |
| Spear phishing | Targeted phishing using personalised information about the victim to appear credible |
| Pretexting | Creating a false scenario to justify requesting sensitive information (e.g. posing as IT helpdesk) |
| Urgency attacks | Artificial time pressure to bypass normal security procedures |
| Honey trap | Posing as an attractive person to build a fake relationship and extract sensitive information |
| Impersonation | Posing as a manager, helpdesk, or trusted colleague |
3 categories of software attacks
Category 1: Remote — user action required
- Virus: self-replicating code attached to programs; spreads when user runs infected program
- Worm: spreads across networks independently — NO user action needed (key difference from virus)
- Phishing: fraudulent emails/websites to harvest credentials
- Spear phishing: targeted phishing with personalised info
Category 2: Remote — NO user action required
- DoS: Denial-of-Service — overwhelming a single server with requests
- DDoS: Distributed DoS — using a botnet of many computers to overwhelm target
Category 3: Insider / programmer attacks
- Trojan horse: malicious code hidden inside legitimate software
- Back door: secret entry point bypassing normal authentication
- Logic bomb: dormant code that activates on a specific trigger condition
CIA triad of cybersecurity
| Principle | Definition | Primary threat | Key controls |
|---|---|---|---|
| Confidentiality | Only authorised users can access data; prevents unauthorised disclosure | Phishing, credential theft, unauthorised access | Access controls, encryption, data classification |
| Integrity | Data is accurate and consistent throughout its lifecycle; has not been modified by unauthorised parties | Malware, SQL injection, insider data manipulation | Checksums, audit logs, version control, digital signatures |
| Availability | Systems remain accessible at the required level of performance | DoS and DDoS attacks; ransomware; hardware failure | Redundancy, load balancing, firewalls, BCP |
| Accessibility | Authorised users can retrieve and use data and applications when needed | System failures, misconfiguration, access control errors | Business continuity planning, user access reviews |
Security operates across 4 layers: technical (hardware, networks, software, data), procedural (policies, monitoring, enforcement), personal (clearances, access controls, monitoring), and physical (access to facilities and equipment).
Risk management
- Risk analysis: assess asset value; estimate probability of compromise; compare cost of compromise vs cost of protection
- Risk mitigation:
  - Risk acceptance: cost of protection exceeds probable loss — accept the residual risk (must be documented)
  - Risk limitation: implement controls that reduce likelihood or impact
  - Risk transference: shift financial consequence to another party (cyber insurance)
- Controls evaluation: verify controls are working through audits, penetration testing, and compliance assessments
Security controls
| Control type | Examples |
|---|---|
| Physical | Walls, locks, badges, guards, alarm systems, CCTV |
| Access | Authentication using: something you ARE (biometrics), HAVE (security token), DO (behaviour), KNOW (password); multi-factor authentication |
| Communications | Firewall, anti-malware, whitelisting/blacklisting, encryption, VPN |
| Business continuity | Backup systems, disaster recovery plans, offsite storage, regular recovery testing |
| IS auditing | Security audits, penetration testing, compliance assessments |
Questions
Cybersecurity is defined as protection from cybercrimes that could compromise ICT systems, data, and networks. It is built on four core principles.
The four principles:
- Confidentiality: ensures that information is accessible only to those authorised to access it, and is protected from unauthorised disclosure. Threatened by phishing attacks, credential theft, and insider misuse. Protected through access controls, encryption, and data classification. A confidentiality breach in healthcare exposes patients' medical histories; in finance it enables identity theft.
- Integrity: ensures that information is accurate, complete, and consistent throughout its lifecycle, and that it has not been modified by unauthorised parties. Threatened by malware that corrupts data, SQL injection attacks that alter database records, and insider manipulation. Protected through checksums, cryptographic hashes, audit logs, and version control. A breach of integrity in a healthcare context (altering medication records) or financial context (altering transaction records) causes direct physical or financial harm.
- Availability: ensures that systems and data are accessible at the required level of performance to authorised users when needed. The principle targeted by DoS and DDoS attacks, ransomware, and hardware failures. Protected through redundancy, load balancing, firewalls, and business continuity planning. A hospital whose patient management system is unavailable through a DDoS attack cannot safely treat patients.
- Accessibility: ensures that authorised users can retrieve, use, and act on data and applications through ICT systems. While closely related to availability, it specifically addresses the ability to interact with data — a system may be technically available but inaccessible due to access control errors or network configuration problems.
The 5 categories of security controls:
- Physical controls: the most fundamental layer. Walls, fencing, locks, access badges, guards, alarm systems, and environmental controls prevent unauthorised physical access to hardware. No technical control is effective if a physical intruder can remove a server from a data centre.
- Access controls: verify identity before granting access to systems and data. The four authentication factors are: something you ARE (biometrics — fingerprint, facial recognition), something you HAVE (security token, smart card, mobile phone for MFA), something you DO (behavioural biometrics — typing rhythm, keystroke dynamics), and something you KNOW (password, PIN). Multi-factor authentication combines at least two, making credential theft alone insufficient to gain access.
- Communications controls: protect data in transit and systems from external attack. Firewalls filter traffic according to defined rules. Anti-malware systems detect and block malicious software. Whitelisting permits only approved applications; blacklisting blocks known malicious ones. Encryption ensures intercepted data cannot be read. VPNs create encrypted tunnels for remote access.
- Business continuity planning: ensures critical systems can be restored following an incident. Encompasses backup systems, offsite data storage, disaster recovery plans, and regular testing of recovery procedures. A plan that has never been tested is not a plan — it is a document.
- IS auditing: provides independent, ongoing assessment of whether controls are operating effectively. Regular security audits assess the current state against defined standards. Penetration testing simulates real attacks to identify vulnerabilities before malicious actors do. Compliance assessments verify adherence to Privacy Act obligations and industry standards.
Security is a process, not a product. Assets, threats, and vulnerabilities all change over time; the cycle of risk analysis, mitigation, and controls evaluation must be repeated continuously.
Social engineering is an attack method in which the perpetrator uses social skills rather than technical exploitation to trick employees into providing confidential information, credentials, or system access. The defining characteristic is that it targets the human element of security — which is consistently the weakest point in any security framework. No firewall blocks an employee who voluntarily provides their password to someone who successfully poses as a manager.
Technique 1: Phishing
- Description: fraudulent emails or websites that appear to come from trusted organisations (banks, employers, government agencies). The email contains either a link to a fake website designed to harvest credentials, or a malicious attachment containing malware. Spear phishing is a targeted variant using specific information about the recipient (name, role, colleagues, recent activities) to appear highly personalised and credible.
- Why it works: exploits trust in familiar-looking brands and legitimate-appearing communications; 91% of all cybercrimes start with an email
- Defences:
  - Security awareness training teaching employees to scrutinise sender addresses and URLs before clicking
  - Email filtering systems that identify and quarantine phishing messages
  - Multi-factor authentication so that compromised passwords alone are insufficient to gain system access
Technique 2: Pretexting
- Description: constructing a false scenario (a pretext) to justify a request for sensitive information. Classic examples: calling a helpdesk while pretending to be a senior executive in urgent need of a password reset; calling an employee while pretending to be a vendor's technical support representative who needs credentials to diagnose a critical problem.
- Why it works: exploits authority, urgency, and the natural human tendency to be helpful to someone who appears to have a legitimate reason for their request
- Defences:
  - Strict identity verification protocols — credentials must never be provided over the phone regardless of claimed authority
  - Policy that IT helpdesk staff never request passwords under any circumstances
  - Call-back verification for all sensitive requests, using the phone number from official records — not the number provided by the caller
Technique 3: Urgency attacks
- Description: creating artificial time pressure to force the target to bypass normal security procedures. "Your account will be locked in 30 minutes — click here immediately to verify your credentials." The urgency prevents the target from pausing to verify the legitimacy of the request.
- Why it works: under time pressure, people defer to the path of least resistance rather than following security protocols; the emotional response to urgency overrides rational caution
- Defences:
  - Training employees to recognise urgency as a social engineering trigger and to treat urgency as a reason to slow down, not speed up
  - Organisational culture that rewards caution over speed in security-sensitive situations
  - Escalation procedures that do not bypass verification steps regardless of apparent urgency
Across all techniques, the most effective defences are: ongoing security awareness training; clear escalation procedures; a culture that rewards security-conscious behaviour rather than treating security as an obstacle; and technical controls (MFA, access restrictions) that limit the damage a successful social engineering attack can cause even if credentials are compromised.
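As an added example (not part of the original notes) of the "email filtering" defence above, the following heuristic scorer checks for the phishing and urgency signals the notes describe: a sender domain that does not match the brand in the display name, urgency phrasing, a request for credentials, and link text that shows a different domain from the one the link actually points to. The trusted domain, weights, quarantine threshold and the two sample emails are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumed: the organisation's own legitimate sending domain(s) (constructed).
TRUSTED_DOMAINS = {"acmebank.example"}
URGENCY = [r"\bimmediately\b", r"within \d+ (minutes|hours)",
           r"will be (locked|suspended|closed)", r"\burgent\b"]
CREDENTIAL = [r"verify your (credentials|account|password)",
              r"confirm your password", r"enter your (password|pin)"]

def domain_of(addr_or_url: str) -> str:
    """Domain part of an email address or the hostname of a URL, lower-cased."""
    s = addr_or_url.strip()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].lower()
    return (urlparse(s).hostname or "").lower()

def score_email(mail: dict):
    """Return (score, reasons) from the heuristics; weights are assumed values."""
    findings = []
    sender = domain_of(mail["from_addr"])
    brand_in_name = any(d.split(".")[0] in mail["from_name"].lower() for d in TRUSTED_DOMAINS)
    if sender not in TRUSTED_DOMAINS and brand_in_name:
        findings.append(("brand_domain_mismatch", 3))   # looks like the bank, is not the bank
    text = (mail["subject"] + " " + mail["body"]).lower()
    if any(re.search(p, text) for p in URGENCY):
        findings.append(("urgency_pressure", 2))        # artificial time pressure
    if any(re.search(p, text) for p in CREDENTIAL):
        findings.append(("credential_request", 2))      # legitimate senders do not ask for this
    for link_text, href in mail.get("links", []):
        shown = domain_of(link_text) if "." in link_text else ""
        if shown and shown != domain_of(href):
            findings.append(("link_text_mismatch", 3))  # displayed URL differs from real target
            break
    return sum(w for _, w in findings), [name for name, _ in findings]

def triage(mail: dict, quarantine_at: int = 5):
    """Quarantine when the combined score reaches the assumed threshold."""
    score, reasons = score_email(mail)
    return ("quarantine" if score >= quarantine_at else "deliver"), score, reasons

# Constructed sample messages, modelled on the urgency example in the notes.
PHISH = {"from_name": "AcmeBank Security", "from_addr": "security@acme-bank-verify.example",
         "subject": "Your account will be locked in 30 minutes",
         "body": "Click here immediately to verify your credentials.",
         "links": [("https://acmebank.example/login", "https://acme-bank-verify.example/login")]}
LEGIT = {"from_name": "AcmeBank Statements", "from_addr": "statements@acmebank.example",
         "subject": "Your March statement is available",
         "body": "Log in at your convenience to view your statement.",
         "links": [("View statement", "https://acmebank.example/statements")]}
```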
Risk management provides a structured framework for making rational decisions about how to allocate security resources. It consists of three cyclical processes: risk analysis, risk mitigation, and controls evaluation. These are not performed once but repeated continuously because assets, threats, and vulnerabilities all change over time.
1. Risk analysis
- Assess asset value: identify what needs to be protected and its value — not only the replacement cost of data or systems but the business processes they support and the reputational consequences of their compromise. A customer database may be inexpensive to replace technically but represent a severe reputational and legal liability if breached.
- Estimate probability of compromise: requires understanding the current threat landscape, the organisation's specific vulnerabilities, and the attractiveness of the target to potential attackers. A major retailer holding payment card data for millions of customers faces a very different threat profile than a small professional services firm.
- Compare costs: compare the probable cost of the asset being compromised with the cost of protecting it. This comparison determines where security investment is economically rational and where it is not.
2. Risk mitigation (3 options)
- Risk acceptance: the cost of protection exceeds the probable cost of the risk materialising, or the probability is sufficiently low. Accepting a risk is a deliberate, documented decision — not negligence. It must be reviewed periodically.
- Risk limitation: implement controls that reduce either the likelihood of the risk occurring (e.g. training to reduce phishing susceptibility) or the impact if it does occur (e.g. backups to reduce the impact of ransomware). This is the most common approach for material risks.
- Risk transference: shift the financial consequence to another party — typically through cyber insurance. Insurance does not eliminate the risk; it provides financial compensation to cover costs of response, remediation, regulatory penalties, and litigation. Most appropriate for risks whose financial impact is significant but whose probability is low enough that prevention is not cost-effective.
3. Controls evaluation
- Regular security audits: assess current state of controls against the security policy and relevant standards (Privacy Act, PCI DSS, ISO 27001)
- Penetration testing: simulate real attacks to identify vulnerabilities that controls have not addressed — finds the gaps before malicious actors do
- Compliance assessments: verify adherence to legal requirements (Privacy Act APPs, Notifiable Data Breaches scheme) and contractual obligations
- Controls found to be ineffective must be remediated, and the risk analysis must be updated to reflect the changed control environment
The output of controls evaluation feeds back into risk analysis, completing the cycle. The fundamental principle: security is not a state to be achieved but a continuous process of assessment and response. A security programme that was adequate 18 months ago may be inadequate today.
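As an added example (not part of the original notes) of the three-step cycle above, the following code models step 1 (asset value x probability of compromise = probable cost) and step 2 (choosing between acceptance, limitation and transference on the criteria the notes give). The thresholds for a "significant" impact and a "sufficiently low" probability, the control-effectiveness field and all register values are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the notes) for "significant impact" and "sufficiently low probability".
SIGNIFICANT_IMPACT = 1_000_000
LOW_PROBABILITY = 0.05

@dataclass
class Risk:
    asset: str
    asset_value: float     # probable cost if compromised: replacement, business and reputational
    probability: float     # estimated probability of compromise over one year
    control_cost: float    # yearly cost of the limiting control
    control_effect: float  # fraction of the probability the control removes (assumed figure)
    premium: float = 0.0   # yearly cyber insurance premium; 0 means transference is unavailable

def expected_loss(r: Risk) -> float:
    """Step 1: probable cost of compromise = asset value x probability."""
    return r.asset_value * r.probability

def decide(r: Risk):
    """Step 2: return (option, yearly cost under that option)."""
    loss = expected_loss(r)
    # Limitation: protection costs less than the probable loss and the risk is not negligible.
    if r.control_cost <= loss and r.probability >= LOW_PROBABILITY:
        residual = loss * (1 - r.control_effect)
        return "limitation", residual + r.control_cost
    # Transference: significant impact, but prevention is not cost-effective; insure if possible.
    if r.asset_value >= SIGNIFICANT_IMPACT and r.premium > 0:
        return "transference", r.premium
    # Acceptance: protection exceeds probable loss, or probability is low. Document and review.
    return "acceptance", loss

def risk_register(risks):
    """Decision per asset; re-run each cycle as values, threats and controls change (step 3)."""
    return {r.asset: decide(r) for r in risks}

# Constructed sample register (illustrative figures only).
SAMPLE = [
    Risk("customer database", 2_000_000, 0.20, 150_000, 0.70, premium=60_000),
    Risk("shared office printer data", 5_000, 0.30, 4_000, 0.90),
    Risk("data centre flooding", 5_000_000, 0.01, 500_000, 0.95, premium=40_000),
]

if __name__ == "__main__":
    for asset, (option, cost) in risk_register(SAMPLE).items():
        print(f"{asset}: {option} (yearly cost {cost:,.0f})")
```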