Difference between revisions of "Cyber Attack"
From Open Risk Manual
Wiki admin (talk | contribs) |
Line 27: | Line 27: | ||
* Exploitation of IT system and/or (web) application vulnerabilities (e.g. SQL injection ...) to gain access to the internal IT system. | * Exploitation of IT system and/or (web) application vulnerabilities (e.g. SQL injection ...) to gain access to the internal IT system. | ||
* Attacks against e-banking or payment services, with objective to commit unauthorised transactions. | * Attacks against e-banking or payment services, with objective to commit unauthorised transactions. | ||
− | * The creation and sending out of fraudulent payment transactions from within the internal payment systems of the institution (e.g. fraudulent SWIFT messages). | + | * The creation and sending out of fraudulent payment transactions from within the internal payment systems of the institution (e.g. fraudulent [[SWIFT]] messages). |
* Pump and dump attacks where the attackers gain access to e-banking securities accounts of customers and place fraudulent buying or selling orders to influence the market price and /or make gains based on previously established securities positions. | * Pump and dump attacks where the attackers gain access to e-banking securities accounts of customers and place fraudulent buying or selling orders to influence the market price and /or make gains based on previously established securities positions. | ||
* Eavesdropping/intercepting unprotected transmission of authentication data in plain-text. | * Eavesdropping/intercepting unprotected transmission of authentication data in plain-text. | ||
[[Category:Cyber Risk]] | [[Category:Cyber Risk]] | ||
+ | [[Category:SWIFT]] |
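Review bot: The added [[Category:SWIFT]] at the end of this hunk files the whole Cyber Attack page under SWIFT, yet the only SWIFT mention in the visible lines is a parenthetical example in one bullet ("e.g. fraudulent [[SWIFT]] messages"). The inline link already connects the two pages. Consider dropping the category unless the page gains SWIFT-specific content, so that the category stays limited to pages whose subject is SWIFT.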
Latest revision as of 11:37, 15 June 2021
Definition
A Cyber Attack is a specific form of Cyber Risk/IT Security Risk that involves an attack on an organization's digital assets by an external agent.
Cyber Attack Purpose
Attacks are performed from the internet or outside networks for different purposes:
- fraud
- espionage
- activism / sabotage
- cyber terrorism
Cyber Attack Techniques
- social engineering
- intrusion attempts through the exploitation of vulnerabilities
- deployment of malicious software resulting in taking control of internal IT systems
Other Types of Cyber Attack
- Execution of fraudulent payment transactions by hackers through the breaking or circumvention of the security of e-banking and payment services and/or by attacking and exploiting security vulnerabilities in the internal payment systems of the institution.
- Execution of fraudulent securities transactions by hackers through the breaking or circumvention of the security of the e-banking services that also provide access to the customer’s securities accounts.
- Attacks on communication connections and conversations of all kinds or IT systems with the objective of collecting information and/or committing frauds.
Examples
NB: The detailed examples are drawn from financial industry specifics.
- APT (Advanced Persistent Threat) for taking control of internal systems or stealing information (e.g. identity theft related information, credit card information).
- Malicious software (e.g. ransomware) that encrypts data with the aim of blackmail.
- Infection of internal IT systems with Trojan horses for committing malicious system actions in a hidden manner.
- Exploitation of IT system and/or (web) application vulnerabilities (e.g. SQL injection ...) to gain access to the internal IT system.
- Attacks against e-banking or payment services, with the objective of committing unauthorised transactions.
- The creation and sending out of fraudulent payment transactions from within the internal payment systems of the institution (e.g. fraudulent SWIFT messages).
- Pump and dump attacks where the attackers gain access to e-banking securities accounts of customers and place fraudulent buying or selling orders to influence the market price and/or make gains based on previously established securities positions.
- Eavesdropping/intercepting unprotected transmission of authentication data in plaintext.