Week 12 - Advanced Threat Modelling and Malicious Software
Created Tuesday 10 November 2020
The traditional model of Cybersecurity
The traditional model of Cybersecurity (sucks)
- By default, you are safe with your stuff inside your house
- A bad guy comes in and takes it, or causes chaos
Interconnectedness with bad power policy:
Who decides what runs on your computer or phone?
What is "your data," exactly?
Who are the "stewards" —
i.e. the parties that have practical and/or legal control?
- The "provider of the OS and updates"
- The "owners of the cloud services you use"
- The "owners of the networks you use"
- People in your organization
- You
Theoretical threats, in order of "intent"
- Accidents ("non-human")
- Legal and ostensibly "good" actors
- Bad Actors
Accidents ("non-human")
(whoops, a meteor hit a data center, or your phone)
- How easy is it to make backups?
- Where is it located - PHYSICALLY?
- Who has access to your stuff?
- If it still exists, what guarantees your access to it?
Legal and ostensibly "good" actors
i.e. govt and business
- What current practical access do they have to your data?
- What current legal access do they have?
- What responsibilities do they have to keep it safe?
BAD ACTORS
- Vandals - seek to create chaos (again, this SCALES)
- Thieves - want to steal your stuff
- Spies - want to use your information
- Third Party Exploiters (machine) - e.g. Botnets
- Third Party Exploiters (human) - e.g. Ransomware
HARM
- Theft
- Loss of privacy
- Loss of (digital) reputation
- Physical device harm
- Trust Erosion
TYPES OF MALWARE:
- Viruses
- Spyware
- Adware
- Botnets / cryptojacking (resource users)
Remedies: ANTIVIRUS -
- by definition, always cat-and-mouse.
FAIL ELEGANTLY
TODAY, we talk most about
- Phishing
- Ransomware
- IoT Susceptibility
- Cloud Vulnerability
- Internal Attacks
- Data Rights Compliance
In response to proposals
So far, so good: a few notes.
All of the following (like literally everything you learn)
are HEURISTICS, not RULES
Paid SERVICE good, Paid SOFTWARE (usually) bad
or at least unnecessary.
If it's a "shrink wrapped" product...
...especially if it's Windows or Mac and not Linux
It's probably unnecessary
e.g. "Disk Drill"
Again, prefer and seek out the Linux side of things
Mostly because you'll get clearer information...
...and much less "people trying to sell you stuff."
This is VERY nonintuitive. "Disk Drill" does one thing and costs money...
"Kali Linux" does NEARLY EVERYTHING and is FREE.
Relatedly, quality resources:
Look for the MOTIVATION of the WRITER/CREATOR
- Wikipedia is great
- Message Boards (reddit, hacker news, stack overflow) are good...
- because the writers are mostly not trying to sell you stuff
- Pages with lots of ads are a very mixed bag. Can go either way.