- This topic has 15 replies, 9 voices, and was last updated 6 months, 1 week ago by
.
-
Posts
-
-
-
An attacker could use the following means to conduct an attack and breaches our data.
Weak Passwords: An attacker could simply guess your weak passwords like 1234 or password and gain access to your account and steal your personal information like your chat data. Some people do not even have a password to their devices, which can lead to attackers having easy access to their data and information.
Stealing your hardware: An attacker can simply gain access to your personal data and breaches your security, simply by stealing your hardware like mobile devices, computers, storage units like hard disks, and memory sticks.
Phishing emails: An attacker could send out an email that is similar to an email from your bank or shop asking for your passwords or user information to steal your data as well as money. For example, it says your bank accounts have been locked and we need your passwords to restore it or click on the link bait. When you give out your passwords or login credentials, your money and data will be stolen.
Owner’s Ignorance: An attacker could gain access to your data and information by one’s ignorance of security measures. For example, writing down your passwords and leaving them in public areas, forgetting to log out of your account in public internet cafe, leaving your mobile device or personal computer stay awake when you go to toilet or such can lead to the attackers gaining access to your system and breach your security.
-
-
Without describing technical details, there are simple ways to conduct a security attack as a simple user.
Offboarding malpractices: Normally, when an employee leaves an organization or company, he still has access to the internal information until the credentials are changed. This includes access to the business domain, API keys, database credentials, internal web applications he or others developed, cloud login details, and so on. To prevent this abuse, after every scope of authentication and authorization for an employee is reviewed before resignation, the access should be terminated because the employee has the opportunity to be an attacker himself.
Underestimating the probability of being attacked: Whether in a small-scale or enterprise system, the security of the healthcare system should be prioritized more than focusing on whether the system is functional. While offering the system to partners for internal purposes, if the system is unsecured, it seems like introducing and advertising the system to be hacked or opening the access channel to people’s medical information. As a best practice, the system should at least tighten its security based on OWASP security standards, then experiment with penetration testing by third-party services.
Using unlicensed or pirated software: The only alternative opportunity to using software without licensing is installing cracked or pirated software, consequently, the risk of using such software is permitting access to users’ computers to retrieve sensitive and personal information. Therefore, purchasing licenses are mandatory if they meet the expected price; otherwise, finding alternative solutions should be advised. For example, if a company requires a full-functional Word processor, the alternatives, OpenOffice or LibreOffice can be utilized.
Lack of cybersecurity awareness: Social engineering, and phishing are higher forms of manipulating methods. Normal people with digital literacy would not be aware of it. To prevent it effectively, cybersecurity awareness campaigns, training sessions, and phishing simulations with real-world examples should be implemented.
In conclusion, security attacks are driven not only by technical vulnerability but also by user malpractice, ignorance, and lack of security awareness.
-
A robust resignation process is essential to prevent former employees from accessing sensitive information. Stakeholders should promptly revoke user access upon the official resignation date. To streamline this process, we could consider automating user access revocation once a resignation letter is submitted to HR.
-
Thank you for your discussion point of “Offboarding malpractices”.
This is only my opinion and assumption, it is very important point for health information system.
The developers shouldn’t access and internal information after separation with organization or team group work. The resignation employee or team member must have ethical knowledge also.
-
-
Non-technical hacking a system or an information system.
– Password guessing: Simple or commonly used passwords (e.g., “password123,” “admin”, “birthdate”).
– Reuse of passwords: The same password across multiple platforms, so gaining access to one account could give access to others.
– Observation: Look for sticky notes, notebooks, or desks where employees might leave written passwords or access codes.
– Unattended Computers: Look for a device left unlocked or unsupervised then access directly from it.
– Monitor: Looking at someone’s screen when they are working on sensitive data, like usernames, passwords, or medical information.
– Impersonation: Pretending to be IT support team, requesting passwords or system information.
– Pretexting: Call someone claiming to be from a service provider (like a bank or health system) and ask for sensitive information under the pretense of solving a problem.
– Phishing: Sending deceptive emails or messages to trick users into providing login links.
– Forgotten Sessions: If someone leaves a system logged in, access their data or email and change information.-
Yes, according to my experience, among the end user used simple password and reused password for all accessible website and even their email.
This is very sensitive and important problem to get information easily for the attacker.
To change their habit or practices, technical person strongly recommended and sharing awareness session need to provide. -
-
-
End user of no technical skill or knowledge, many ways to conduct a security attack.
Login with weak Passwords: The attacker can guess the weak passwords, reused password write note on their desktop to check easily, they can access to the account and it can attack personal information and important data. Some end user do remember password in their devices such as web browsers, Mobile devices
and so on.it can easily to attack for the hacker.
Phishing email: An attacker can send out an email , there is similar an email from your school, bank and like promote some advistiment marketing products included malware links.
At that time some end user be careful the unnormal information. But the user click on their sending link, the attacker will keep
all information what the user clicking on their link and they got information and they will reach out to get more information step by step and the user data will be thief by the attacker.
Not using licensed software (like antivirus): If the user wouldn’t use antivirus software as licensed, it will be risked by user access permission to loss data. Therefore the user should use purchasing licenses as mandatory for their computer, It will be alternative solutions from software attack. -
-
It’s many to attack a security attack
Attack password – Hackers attempt to crack user passwords or take advantage of users’ weak or easily guessable passwords to gain unauthorized access to accounts or systems.
Phishing – Hackers send fraudulent emails or messages that appear to be from Reliable sources (like Facebook,Google etc.) to trick users into revealing sensitive information, such as passwords or credit card numbers.don’t click any link that you don’t sure what it is or untrusted.
Malware – software is designed to damage or gain unauthorized access to systems. It includes viruses, worms, trojans, ransomware, spyware, and adware. Hackers will trick you to download the software that looks harmless.
Zero-Day Exploit – hackers find a flaw or weakness in a software or system that the company or developers don’t know about yet.
-
-
Since there are many digital security threads, I would like to mention some methods that are mostly used by attackers as follows.
1) Phishing
Attacker faked themself as a legitimate one to receive valuable information like bank account information, digital login credentials, and demographic and health information. In recent years, attackers used not only email channels to scam but also several social media channels to steal sensitive information. Most organizations make users awareness on phishing on this day.2) Malware
A computer or digital device will be infected by malicious software to steal the information, encrypted the existed data or control the system. Downloading and installing pirated software causes a significant amount of malware infection in the digital system. The enterprise-level organization set up a firewall to control over the network, install antivirus software, promote to use of the license software, and ban malicious websites for safe surf over the internet.3) Ignorance and lack of digital literacy
Most people use the same login credentials for every account which means one breach will result in losing everything. Login and synchronization of the email in the browser, an auto-fill function is on and if that digital device is stolen for some reason will make a significant breach of digital security. -
1. Phishing Attacks
Links to Fake Websites: The message usually contains links to websites that closely resemble legitimate sites. When the victim enters their credentials or personal information on these sites, it is captured by the attacker.
Malicious Attachments: Some phishing emails include attachments disguised as legitimate documents. When opened, these attachments can install malware on the victim’s computer.2. Malware Infections
Rootkits: A set of tools that allow attackers to gain administrator-level access to a system while hiding their presence.
Spyware: Malware that secretly monitors user activity and collects personal or sensitive information without consent.3. SQL Injection
SQL Injection (SQLi): where an attacker exploits vulnerabilities in a web application’s database query process by injecting malicious SQL code into input fields or URLs. This attack allows the attacker to manipulate the database, potentially gaining unauthorized access to sensitive data, altering records, or even taking control of the entire database.4. Password Cracking
Dictionary Attack: Now, suppose the user’s password is “password123,” a relatively weak and common password. The attacker uses a dictionary attack, which tries commonly used passwords from a list (called a dictionary). The dictionary file contains common passwords such as: “123456” OR “password” OR “password123”. Since “password123” is a common password, the attacker finds it quickly in the dictionary list, which speeds up the process compared to brute force. -
-
You must be logged in to reply to this topic. Login here