***Welcome to ashrafedu.blogspot.com * * * This website is maintained by ASHRAF***


    Monday, May 30, 2022

    Internet tracing

    Activity on the Internet leaves a trail that can be traced. Tracing is the process of following Internet activity backwards, from the recipient to the user.

    Techniques of Internet tracking and tracing can enable authorities to pursue and identify those responsible for malicious Internet activity. 

    Tracing email: Email transmissions have several features that make it possible to trace their passage from the sender’s to the recipient’s computer. For example, every email contains a section of information dubbed the header. Information concerning the origin time, date, and location of the message is present, as is the Internet Protocol (IP) address of the sender’s computer. The IP address can be used to trace the true origin of the transmission.
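    Following the chain of Received headers backwards is how the trace described above is done in practice. The Python below is an added example, not part of the original post: it parses a constructed message and, assuming the recipient's own mail server is mx.example.org, marks how far back the chain can be trusted. Servers you do not operate can write any Received line they like, so only the IP handed to your own server is verifiable.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). Mail servers prepend a
# Received header as the message passes, so the top line is the recipient's
# server and the bottom line is the hop closest to the sender.
SAMPLE_RAW = """\
Received: from relay.example.net (relay.example.net [203.0.113.10])
    by mx.example.org with ESMTP id ABC123
    for <user@example.org>; Mon, 30 May 2022 10:02:11 +0000
Received: from mail.example.com (mail.example.com [198.51.100.25])
    by relay.example.net with ESMTPS; Mon, 30 May 2022 10:02:09 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by mail.example.com with ESMTPA id XYZ789; Mon, 30 May 2022 10:02:05 +0000
From: sender@example.com
To: user@example.org
Subject: test
Date: Mon, 30 May 2022 10:02:05 +0000

hello
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Return (from_ip, by_host, timestamp) from one Received header value."""
    flat = " ".join(value.split())            # unfold continuation lines
    ip = IPV4_IN_BRACKETS.search(flat)
    by = BY_HOST.search(flat)
    ts = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
    return (ip.group(1) if ip else None, by.group(1) if by else None, ts)


def trace_hops(raw_message, trusted_hosts):
    """Walk the Received chain from the recipient backwards.

    A hop is trusted only if the server that wrote it ('by') is one we operate
    AND every hop above it was trusted too; once an untrusted server appears,
    everything below it may have been forged by the sender.
    """
    msg = message_from_string(raw_message)
    hops, chain_trusted = [], True
    for value in msg.get_all("Received", []):
        from_ip, by_host, ts = parse_received(value)
        chain_trusted = chain_trusted and by_host in trusted_hosts
        hops.append({"from_ip": from_ip, "by": by_host,
                     "time": ts, "trusted": chain_trusted})
    return hops


def claimed_origin(hops):
    """The 'from' address of the oldest header: what the headers claim."""
    return hops[-1]["from_ip"] if hops else None


def verified_origin(hops):
    """The earliest 'from' address recorded by a server we trust: what we can prove."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1]["from_ip"] if trusted else None


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_RAW, trusted_hosts={"mx.example.org"})
    for h in hops:
        print(f"{h['time']}  {h['from_ip']:>15} -> {h['by']}  trusted={h['trusted']}")
    print("claimed origin :", claimed_origin(hops))    # 192.0.2.77
    print("verified origin:", verified_origin(hops))   # 203.0.113.10
```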

    Internet Tracking

    Internet tracking or Web tracking is the practice by which operators of websites and third parties collect, store and share information about visitors’ activities on the World Wide Web.

    The purpose of internet tracking is to deliver a more personalized browsing experience.

    Internet tracking involves collecting information about your use of or interaction with a particular web page. Web trackers can collect more information than just your browsing of a website. Websites also use them to collect your personal information: your IP address, where you came from, your geographic location and your browser characteristics.

    The uses of web tracking include the following:

    • Advertising companies actively collect information about users and make profiles that are used to individualize advertisements. User activities include websites visited, watched videos, interactions on social networks, and online transactions.
    • Law enforcement agencies may use web tracking to spy on individuals and solve crimes.
    • Web analytics focuses more on the performance of a website as a whole. Web tracking gives insight into how a website is being used and how long a user spends on a certain page. This can be used to see who may have the most interest in the content of the website.

    Three main methods used to track are cookies, fingerprinting, and beacons. Websites may identify you by your login credentials, unique device identifiers or your IP address. Once a site determines your identity, it assembles all the information it collects about you into a data profile.

    Cookies are small files stored in your browser that help websites you visit often identify you. Websites use cookies to store your custom settings and preferences or log-in information. Cookies can add convenience to the sites you visit often, but unfortunately websites also use them to store your data.

    Tracking beacons are small, transparent “images”, often 1 pixel by 1 pixel, that load on web pages (or within emails) for tracking and reporting purposes. Websites use beacons to find out how many times visitors load certain pages. Advertisers also use these tracking beacons to determine how many impressions their ads get.

    Fingerprinting is a more complex tracking method. Rather than storing a file in your browser or on your computer to identify you, it works by checking your browser configuration and settings. The methods of fingerprinting are always growing more complex. Other factors used to identify you can be your browser version, monitor size and resolution, or operating system.

    Other methods for internet tracking are:

    ·         Canvas fingerprinting allows websites to identify and track users using HTML5 canvas elements instead of using a browser cookie.

    ·         Cross-device tracking is used by advertisers to help identify which channels are most successful in helping convert browsers into buyers.

    ·         Click-through rate is used by advertisers to measure the number of clicks they receive on their ads per number of impressions.

    ·         Mouse tracking collects the user’s mouse cursor positions on the computer.

    ·         Browser fingerprinting relies on your browser and is a way of identifying users every time they go online and tracking their activity. Through fingerprinting, websites can determine the user's operating system, language, time zone, and browser version without permission.

    ·         Supercookies or "evercookies" can not only be used to track users across the web, but they are also hard to detect and difficult to remove since they are stored in a different place than the standard cookies.

    ·         Session replay scripts make it possible to replay a visitor's journey on a web site or within a mobile or web application.

    ·         Web beacons are commonly used to check whether or not an individual who received an email actually read it.

    ·         Favicons can be used to track users since they persist across browsing sessions.

    Friday, May 27, 2022

    Investigating information hiding

    Information hiding is a research domain that covers a wide spectrum of methods used to make (secret) data difficult to notice. Due to improvements in network defenses, such techniques have recently been gaining increasing attention from actors like cybercriminals, terrorists and state-sponsored groups, as they allow data to be stored or communication to be concealed in a way that is not easily discoverable. Information-hiding techniques are used to hide confidential or illegal data in innocent-looking material, for example digital pictures.

    Steganography is a well-known subfield of information hiding whose aim is to cloak secret data in a suitable carrier. The use of covert techniques grew significantly during the two World Wars, in which the military developed several methods to hide information in innocent-looking objects.

    Modern information-hiding techniques can be divided, based on their application, into two broad groups: covert data storage and covert data communication.

    Covert data storage allows the application of data-hiding techniques to conceal secret information in such a way that no one besides the involved persons will know where the information is stored or how to extract it. Digital media steganography and file/file system/mass storage steganography are the most prominent classes belonging to this group.

    Covert data communication methods focus on hiding the fact that any communication process took place and were initially described as channels that were not foreseen for communication. This means that involved parties can participate in a covert communication and, in principle, a third-party observer would be unaware of it. The most important classes belonging to this group include out-of-band covert channels, network steganography (also known as network covert channels), as well as local covert channels (that are limited in communication range to the single device).

    Digital media steganography incorporates techniques to hide information within digital images, audio files, and digital videos.

    Network steganography deals with the concealment of information within network transmissions. This means that network data that appears to be innocent is actually carrying hidden data.

    Steganalysis is the technology that attempts to defeat steganography by detecting the hidden information and extracting or destroying it.

    Detecting hidden information

    Steganography tools can create stego-images in which the change or distortion of the carrier is not obvious to the human eye. However, when this distortion is detected, it can point to the tool used for steganography. Let us look at a few examples:

    1. Images: A lot of image steganography tools use least significant bit (LSB) modification to hide information. In low-resolution images with 8-bit color, modification of the LSB can cause a noticeable shift in the color palette, making it possible to detect hidden content. Another sign of the presence of hidden information is padding or cropping of an image. The Hide-and-Seek tool can only produce images of fixed sizes; if an image does not fit one of these sizes it is cropped or padded with black space. StegoDos has a similar problem.
    2. Disks: Unused areas on a disk can be used to hide information. Tools like EnCase and ILook Investigator look for hidden information in unused clusters or partitions on storage devices.
    3. TCP/IP Packets: TCP/IP packets have unused space in the packet headers. The TCP packet header has six reserved or unused bits, and the IP packet header has two reserved bits. Information can be hidden in these unused bits. Thousands of packets are transmitted over each communication channel, which provides an excellent way to communicate secretly. Filters can be applied, on firewalls for example, to detect TCP/IP packets that contain data in places supposed to be unused.
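    The filter described in the TCP/IP item above, as an added Python example that is not part of the original post: it parses the IPv4 and TCP headers of constructed packets and flags any bit set in a field that must be zero. One caveat a practitioner needs: two of the six bits RFC 793 reserved were later assigned to ECN (CWR and ECE), so a filter that treats all six as unused will raise false positives on ECN-capable traffic; the example reports those two separately and flags only the four bits that remain reserved today.

```python
import struct


def inspect_packet(packet):
    """Pull the must-be-zero fields out of an IPv4 header followed by a TCP header.

    IP: bit 0 of the flags field is reserved (must be zero).
    TCP: RFC 793 left 6 bits between Data Offset and the flags reserved; RFC 3168
    later assigned the low two of them to ECN (CWR, ECE), so today 4 bits remain
    reserved (RFC 9293). ECN-capable hosts legitimately set CWR/ECE.
    """
    ihl = (packet[0] & 0x0F) * 4                               # IP header length in bytes
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    word = struct.unpack("!H", packet[ihl + 12:ihl + 14])[0]   # offset / reserved / flags
    return {
        "ip_reserved_bit": (flags_frag >> 15) & 1,
        "tcp_reserved4": (word >> 8) & 0x0F,                   # bits 4..7 of the 16-bit word
        "tcp_cwr": (word >> 7) & 1,
        "tcp_ece": (word >> 6) & 1,
        "tcp_flags": word & 0x3F,                              # URG ACK PSH RST SYN FIN
    }


def suspicious(fields):
    """Filter rule: anything set in a field that must be zero is suspicious.
    CWR/ECE are reported but not flagged, because ECN uses them."""
    return fields["ip_reserved_bit"] != 0 or fields["tcp_reserved4"] != 0


def scan(packets):
    """Return the indices of packets the filter would flag."""
    return [i for i, p in enumerate(packets) if suspicious(inspect_packet(p))]


def build_packet(ip_reserved=0, tcp_reserved4=0, cwr=0, ece=0, flags=0x02):
    """Constructed IPv4+TCP header pair for exercising the filter (no payload,
    checksums left zero, RFC 5737 documentation addresses)."""
    flags_frag = (ip_reserved << 15) | (1 << 14)               # DF set, fragment offset 0
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    word = (5 << 12) | (tcp_reserved4 << 8) | (cwr << 7) | (ece << 6) | flags
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, word, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    samples = [build_packet(),                      # ordinary SYN
               build_packet(cwr=1, ece=1),          # ECN negotiation, legitimate
               build_packet(tcp_reserved4=0b1011),  # data in the reserved field
               build_packet(ip_reserved=1)]         # IP reserved flag set
    print("flagged packets:", scan(samples))        # [2, 3]
```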

    Steganalysis methods

    There are various methods of analysis depending on what information is available:

    1. Stego-only attack: Only the stego-object is available for analysis.
    2. Known cover attack: The stego-object as well as the original medium is available. The stego-object is compared with the original cover object to detect any hidden information.
    3. Known message attack: The hidden message and the corresponding stego-image are known. The analysis of patterns that correspond to the hidden information could help decipher such messages in future.
    4. Known stego attack: The steganography algorithm is known and both the original and stego-object are available.
    5. Chosen stego attack: The steganography algorithm and stego-object are known.
    6. Chosen message attack: The steganalyst generates a stego-object from some steganography tool or algorithm of a chosen message. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.
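    The following Python is an added example, not part of the original post, that works the LSB image case from the detection examples above through two of the attack models just listed: a known-cover comparison and a stego-only test. The cover image is constructed (a quantised gradient, not a photograph), and the stego-only statistic is a simplified pairs-of-values test in the style of Westfeld and Pfitzmann that reports a ratio rather than a p-value.

```python
import random

WIDTH, HEIGHT = 64, 64
N = WIDTH * HEIGHT


def make_cover():
    """Constructed 8-bit grayscale cover (a flat list, row by row): a coarsely
    quantised gradient, so its histogram has the uneven (2k, 2k+1) value pairs
    that natural images also show. Not a real photograph."""
    return [(3 * (x + y)) % 256 for y in range(HEIGHT) for x in range(WIDTH)]


def random_bits(n, seed=7):
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(n)]


def embed_lsb(cover, bits):
    """Sequential LSB replacement (pixel i takes bits[i] as its LSB). Used here
    only to build the stego sample that the detectors are run against."""
    stego = list(cover)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & ~1) | b
    return stego


# --- known-cover attack: the original medium is available --------------------
def known_cover_attack(cover, stego):
    """Compare pixel by pixel. Changes of exactly one LSB, confined to a prefix
    of the image, are the fingerprint of sequential LSB replacement."""
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    return {
        "changed": len(changed),
        "lsb_only": all((cover[i] ^ stego[i]) == 1 for i in changed),
        "last_changed": changed[-1] if changed else -1,
    }


# --- stego-only attack: only the stego-object is available ------------------
def pov_ratio(pixels):
    """Pairs-of-values statistic. Replacing LSBs with random bits equalises the
    counts of each value pair (2k, 2k+1). Chi-square of the observed pair
    counts against that equalised expectation, divided by the number of
    occupied pairs, is about 1 for a randomised LSB plane and well above 1
    for an unmodified image."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi, pairs = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            pairs += 1
            chi += (a - b) ** 2 / (a + b)
    return chi / pairs if pairs else 0.0


def estimate_embedded_fraction(pixels, threshold=2.0, steps=10):
    """Sequential embedding randomises only a prefix of the image. Grow the
    prefix and return the largest fraction whose LSB plane still looks random;
    0.0 means no embedding detected."""
    best = 0.0
    for i in range(1, steps + 1):
        frac = i / steps
        if pov_ratio(pixels[:int(len(pixels) * frac)]) < threshold:
            best = frac
        else:
            break
    return best


if __name__ == "__main__":
    cover = make_cover()
    stego_half = embed_lsb(cover, random_bits(N)[: N // 2])   # message fills half the image
    print("known-cover :", known_cover_attack(cover, stego_half))
    print("cover ratio :", round(pov_ratio(cover), 2))
    print("stego ratio :", round(pov_ratio(stego_half[: N // 2]), 2))
    print("embedded fraction estimate:", estimate_embedded_fraction(stego_half))
```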

    Disk based Analysis

    Disk forensics is the science of extracting forensic information from digital storage media such as hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks etc.

    The steps of Disk Forensics are:

    1. Identify digital storage devices

    The first step in Disk Forensics is the identification of storage devices at the scene of crime, such as hard disks with IDE/SATA/SCSI interfaces, CDs, DVDs, floppy disks, mobiles, PDAs, flash cards, SIMs, USB/FireWire disks, magnetic tapes, Zip drives etc. These are some of the sources of digital evidence.

    2. Seizure and Acquisition of Storage devices

    The next step is seizing the storage media for digital evidence collection. This step is performed at the scene of crime.

    In this step, a hash value of the storage media to be seized is computed using an appropriate cyber forensics tool. After computing the hash value, the storage media is securely sealed and taken for further processing.

    An exact copy of the original evidence is to be created for analysis and digital evidence collection. Acquisition is the process of creating this exact copy: the original storage media is write-protected and a bit-stream copy is made to ensure that all data is copied to the destination media. Acquisition of source media is usually done in a Cyber Forensics laboratory.

    3. Authentication of the evidence

    Authentication of the evidence is carried out in the Cyber Forensics laboratory. The hash values of the source and destination media are compared to make sure that both values are the same, which ensures that the content of the destination media is an exact copy of the source media.

    4. Preservation of the evidence

    Electronic evidence might be altered or tampered with without trace. Once acquisition and authentication have been done, the original evidence should be placed in secure storage, away from strong magnetic and radiation sources. One more copy of the image should be taken and stored on appropriate media or reliable mass storage. Optical media can be used as the mass storage: it is reliable, fast, has a long life span and is reusable.

    5. Verification and Analysis of the evidence

    Verification of evidence before starting analysis is an important step in the Cyber Forensics process. The hash value of the evidence is computed and compared with the hash value taken at the time of acquisition. If both values are the same, there is no change in the content of the evidence; if they differ, the content has changed. The result of verification should be properly documented.

    Analysis is the process of collecting digital evidence from the content of the storage media depending upon the nature of the case being examined. This involves searching for keywords, picture analysis, time line analysis, registry analysis, mailbox analysis, database analysis, cookies, temporary and Internet history files analysis, recovery of deleted items and analysis, data carving and analysis, format recovery and analysis, partition recovery and analysis, etc.

    6. Reporting the findings

    The case analysis report should be prepared based on the nature of the examination requested by the court or investigation agency. It should contain the nature of the case, details of the examination requested, details of the material objects and their hash values, the result of evidence verification, details of the analysis conducted and digital evidence collected, the observations of the examiner and the conclusion. The report should be presented in simple, precise terms so that non-technical persons can understand its content.

    7. Documentation

    Documentation should start from the planning of the case investigation and continue through the search of the scene of crime, seizure of material objects, chain of custody, authentication and acquisition of evidence, verification and analysis of evidence, collection of digital evidence and reporting, and preservation of material objects, up to the closing of the case.

    Documentation is very important at every step of the Cyber Forensics process. Everything should be appropriately documented to make a case admissible in a court of law.
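    The acquisition, authentication and verification steps of the process above, together with the data carving mentioned under analysis, as an added Python example that is not part of the original post. The "disk" is a constructed byte string holding a deleted PNG and JPEG in unallocated space; the header and footer signatures are the real magic bytes of those two formats, while the file bodies are placeholders.

```python
import hashlib

CHUNK = 4096


def hash_media(data, algo="sha256"):
    """Hash a media image chunk by chunk, the way a tool streams a large disk."""
    h = hashlib.new(algo)
    for off in range(0, len(data), CHUNK):
        h.update(data[off:off + CHUNK])
    return h.hexdigest()


def acquire(source):
    """Bit-stream copy of the (write-protected) source: every byte, including
    unallocated space, goes to the destination image. Returns the image plus
    the source and image hashes used for authentication."""
    image = bytes(source)
    return image, hash_media(source), hash_media(image)


def verify(image, acquisition_hash):
    """Verification before analysis: recompute and compare with the hash
    recorded at acquisition. False means the evidence content has changed."""
    return hash_media(image) == acquisition_hash


# Header/footer magic bytes used by signature-based carving.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image):
    """Scan the whole image (allocated or not) for header/footer pairs and
    return (type, offset, data) for each recoverable file, ordered by offset.
    Real carvers also validate structure, since a footer can occur inside a file."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head))
            if end < 0:
                break
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def constructed_disk():
    """Constructed 'disk': zero-filled clusters with a deleted PNG and JPEG
    still present in unallocated space (placeholder file bodies)."""
    png = SIGNATURES["png"][0] + b"\x00" * 16 + b"IHDR-data" + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpeg"][0] + b"\xe0JFIF" + b"\x11" * 40 + SIGNATURES["jpeg"][1]
    cluster = bytes(CHUNK)
    return cluster + png + cluster * 2 + jpg + cluster


if __name__ == "__main__":
    image, src_hash, img_hash = acquire(constructed_disk())
    print("authenticated:", src_hash == img_hash)
    print("verified     :", verify(image, src_hash))
    for kind, offset, data in carve(image):
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
```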

    Cyber Forensics

    Cyber Forensics (Computer forensics) is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.

    Cyber forensics is the process of extracting data as proof of a crime (one that involves electronic devices) while following proper investigation rules, in order to nab the culprit by presenting the evidence to the court.

    The main aim of cyber forensics is to collect evidence and documentation to find out who committed the crime digitally.

    Cyber forensics can do the following:

    • It can recover deleted files, chat logs, emails, etc.
    • It can also retrieve deleted SMS messages and phone calls.
    • It can get recorded audio of phone conversations.
    • It can determine which user used which system and for how much time.
    • It can identify which user ran which program.

    Importance of cyber forensics:

    Computer forensic science essentially is data recovery with legal compliance guidelines to make the information admissible in legal proceedings.

    Digital (cyber) forensics starts with the collection of information in a way that maintains its integrity. Investigators then analyze the data or system to determine if it was changed, how it was changed and who made the changes.

    Apart from crime, the forensic process is also used as part of data recovery processes to gather data from a crashed server, failed drive, reformatted operating system (OS) or other situation where a system has unexpectedly stopped working.

    Forensic investigation is the gathering and analysis of all crime-related physical evidence in order to come to a conclusion about a suspect.

    Cyber Forensics Investigation

    Digital forensics is the collection, assessment and presentation of evidence gathered from digital media. Digital evidence comes from computers, mobile phones and servers. Digital forensics helps solve complicated cases that rely on evidence from electronic devices.

    Digital forensics helps investigative teams recover deleted data, discover evidence of misconduct and restore overwritten data. Digital analysts can mitigate damage, reverse system breakdowns and prove misuse of company property.

    The digital forensic process is intensive. First, investigators find evidence on electronic devices and save the data to a safe drive. Then, they analyze and document the information. Once it’s ready, they give the digital evidence to police to help solve a crime or present it in court to help convict a criminal.

    Phases of Digital Forensics

    There are nine steps that digital forensic specialists usually take while investigating digital evidence.

    1. First Response

    As soon as a security incident occurs and is reported, a digital forensic team jumps into action.

    2. Search and Seizure

    The team searches devices involved in the crime for evidence and data. Investigators seize the devices to make sure the perpetrators can’t continue to act.

    3. Evidence Collection

    After seizing the devices, professionals collect the data using forensic methods to handle the evidence.

    4. Securing of the Evidence

    Investigators store evidence in a safe environment. In the secure space, the data can be authenticated and proved to be accurate and accessible.

    5. Data Acquisition

    The forensic team retrieves electronically stored information (ESI) from the devices. Professionals must use proper procedure and care to avoid altering the data and sacrificing the integrity of the evidence.

    6. Data Analysis

    Team members sort and examine the authenticated ESI to identify and convert data that is useful in court.

    7. Evidence Assessment

    Once ESI is identified as evidence, investigators assess it in relation to the security incident. This phase is about relating the data gathered directly to the case.

    8. Documentation and Reporting

    This phase happens once the initial criminal investigation is done. Team members report and document data and evidence in accordance with the court of law.

    9. Expert Witness Testimony

    An expert witness is a professional who works in a field related to the case. The expert witness affirms that the data is useful as evidence and presents it in court.

    Wednesday, May 25, 2022

    Security information management

    Security information management (SIM) is the practice of collecting, monitoring and analyzing security-related data from computer logs and various other data sources.

    Security information management (SIM) is software that automates the collection of event log data from security devices such as firewalls, proxy servers, intrusion detection systems and anti-virus software. This data is then translated into correlated and simplified formats.

    SIM systems keep track of system events and show analytics of the activity as it happens. They translate event data gathered from many sources into a general, simplified format, usually an XML file.

    SIM systems collect and correlate data from various sources in a way that helps administrators distinguish real threats from false positives on the system. A false positive is an event that appears to be a major threat but in reality is not one.

    As soon as suspicious activities occur, the SIM tool responds to the event by sending alerts to administrators of organizations and by generating reports and graphical representations such as charts and graphs.

    The reports generated by SIM systems are typically used to:  

    1. Detect unauthorized access as well as modifications to files and data breaches.
    2. Identify data trends that business organizations can leverage for their progression.
    3. Identify network behavior and assess performance.

    Reports are a critical part of any SIM program. A reliable SIM tool will generate regular reports, often in visual formats such as graphs or charts. Security personnel can use these reports to detect security events, identify suspicious behaviors, and detect and address ongoing threats.

    Intrusion detection and intrusion prevention techniques

    Intrusion detection and prevention are two broad terms describing application security practices used to mitigate attacks and block new threats.

    An IDS (Intrusion Detection System) is either a hardware device or software application that uses known intrusion signatures to detect and analyze both inbound and outbound network traffic for abnormal activities.

    This is done through:

    • System file comparisons against malware signatures.
    • Scanning processes that detect signs of harmful patterns.
    • Monitoring user behavior to detect malicious intent.
    • Monitoring system settings and configurations.

    Despite its benefits, including in-depth network traffic analysis and attack detection, an IDS has inherent drawbacks. Because it uses previously known intrusion signatures to locate attacks, newly discovered (i.e., zero-day) threats can remain undetected.

    An IDS only detects ongoing attacks, not incoming assaults. To block these, an intrusion prevention system is required.

    An IPS (Intrusion Prevention System) complements an IDS configuration by proactively inspecting a system’s incoming traffic to weed out malicious requests. A typical IPS configuration uses web application firewalls and traffic filtering solutions to secure applications.

    An IPS prevents attacks by dropping malicious packets, blocking offending IPs and alerting security personnel to potential threats. Such a system usually uses a preexisting database for signature recognition and can be programmed to recognize attacks based on traffic and behavioral anomalies.

    While being effective at blocking known attack vectors, some IPS systems come with limitations. These are commonly caused by an overreliance on predefined rules, making them susceptible to false positives.

    Different types of intrusion detection systems: 

    1. Network-based intrusion detection system (NIDS)

    2. Host-based intrusion detection system (HIDS)

    Different types of intrusion prevention systems: 

    1. Network-based intrusion prevention system (NIPS)

    2. Host-based intrusion prevention system (HIPS)

    Ø  Network Based Intrusion Detection System

    A Network Based Intrusion Detection System (NIDS), or Network Based IDS, is security hardware that is placed strategically to monitor critical network traffic. Traditional Network Based IDS analyzes passing network traffic and matches that traffic to a library of known attacks in its system.

    Network intrusion detection is an advanced and expensive proposition to deploy properly and effectively within a company’s environment. It is often used in data centers by cloud hosting providers to give a higher level of cyber security assurance on their critical networks.

    There are two main Intrusion Detection methods to identify malicious attacks or intrusion.

    1. Signature-based Intrusion Detection Method

    The signature-based intrusion detection method examines network traffic to detect known attack patterns.

    Signature-based IDS detects the attacks on the basis of the specific patterns such as number of bytes or number of 1’s or number of 0’s in the network traffic. It also detects on the basis of the already known malicious instruction sequence that is used by the malware. The detected patterns in the IDS are known as signatures.

    Signature-based IDS can easily detect the attacks whose pattern (signature) already exists in system but it is quite difficult to detect the new malware attacks as their pattern (signature) is not known.

    2. Anomaly-based Intrusion Detection Method

    Organizations use the anomaly-based intrusion detection method to identify new and unknown suspicious attacks and policy breaches, which the signature-based detection method cannot identify easily.

    An anomaly-based IDS uses machine learning to build a model of trusted activity; incoming traffic is compared with that model and declared suspicious if it does not fit the model.

    Limitations of IDS

    • Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
    • Encrypted packets are not processed by most intrusion detection devices. Therefore, the encrypted packet can allow an intrusion to the network that is undiscovered until more significant network intrusions have occurred.
    • Due to the nature of NIDS systems, and the need for them to analyse protocols as they are captured, NIDS systems can be susceptible to the same protocol-based attacks to which network hosts may be vulnerable. Invalid data and TCP/IP stack attacks may cause a NIDS to crash.
    • Intrusion detection software provides information based on the network address that is associated with the IP packet that is sent into the network. This is beneficial if the network address contained in the IP packet is accurate. However, the address that is contained in the IP packet could be faked or scrambled.

    Ø  Network-based Intrusion Prevention System (NIPS)

    A network-based intrusion prevention system (NIPS) is a system used to monitor a network as well as protect the confidentiality, integrity, and availability of a network. Its main functions include protecting the network from threats, such as denial of service (DoS) and unauthorized usage.

    An intrusion prevention system (IPS) sits in-line on the network and monitors the traffic. When a suspicious event occurs, it takes action based on certain prescribed rules. An IPS is an active and real-time device unlike an intrusion detection system, which is not inline and is a passive device. IPSs are considered to be the evolution of the intrusion detection system.

    The majority of NIPSs utilize one of the three detection methods as follows:

    ·         Signature-based detection: Signatures are predetermined, preconfigured attack patterns. This detection method monitors the network traffic and compares it with the preconfigured signatures to find a match. On successfully locating a match, the NIPS takes the next appropriate action. This type of detection fails to identify zero-day threats. However, it has proved to be very good against single-packet attacks.

    ·         Anomaly-based detection: This method of detection creates a baseline on average network conditions. Once a baseline has been created, the system intermittently samples network traffic on the basis of statistical analysis and compares the sample to the created baseline. If the activity is found to be outside the baseline parameters, NIPS takes the necessary action.

    ·         Protocol state analysis detection: This type of detection method identifies deviations of protocol states by comparing observed events with predefined profiles.
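    The signature-based and anomaly-based methods described here and in the NIDS section above, run side by side as an added Python example that is not part of the original post: a byte-pattern match on request payloads, and a statistical baseline of connections per minute per source learned from traffic assumed clean. The traffic records, the signature set and the IP addresses are all constructed for the example; the evaluation traffic contains one request only the signature catches and one burst only the baseline catches.

```python
from collections import Counter
from statistics import mean, pstdev

# Signature set (constructed for this example): byte patterns matched in payloads.
SIGNATURES = {
    "path-traversal": b"../../",
    "html-script-tag": b"<script>",
}


def signature_detect(records):
    """Signature-based method: flag any record whose payload contains a known pattern.
    Catches only what is already in the signature set."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern in r["payload"]:
                alerts.append((r["src"], name))
    return alerts


def build_baseline(training_records, window=60):
    """Anomaly-based method, step 1: learn normal connections-per-window per
    source from traffic assumed clean. Returns (mean, population stdev)."""
    counts = Counter((r["src"], r["ts"] // window) for r in training_records)
    values = list(counts.values())
    return mean(values), pstdev(values)


def anomaly_detect(records, baseline, window=60, k=3.0):
    """Step 2: a source is anomalous in a window if its connection count exceeds
    mean + k*stdev. Needs no signature, but any legitimate burst (a backup job,
    a crawler) trips it too, which is the false-positive risk the text mentions."""
    mu, sigma = baseline
    counts = Counter((r["src"], r["ts"] // window) for r in records)
    return sorted({src for (src, _), n in counts.items() if n > mu + k * sigma})


def make_record(src, ts, payload=b"GET /index.html"):
    """One connection record: source address, timestamp in seconds, payload bytes."""
    return {"src": src, "ts": ts, "payload": payload}


def constructed_training():
    """Constructed clean traffic: three clients, 2 to 4 connections per minute
    for 10 minutes (counts 2, 3 and 4 each occur ten times)."""
    recs = []
    for m in range(10):
        for i, src in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
            for j in range(2 + (m + i) % 3):
                recs.append(make_record(src, m * 60 + j * 10))
    return recs


def constructed_evaluation():
    """Constructed traffic to examine: normal clients, one request matching a
    signature, and one unknown source making 40 connections in a single minute."""
    recs = [make_record("10.0.0.11", 700),
            make_record("10.0.0.11", 720),
            make_record("10.0.0.12", 705, b"GET /../../etc/hosts")]
    recs += [make_record("10.0.0.99", 660 + s) for s in range(40)]
    return recs


if __name__ == "__main__":
    baseline = build_baseline(constructed_training())
    evaluation = constructed_evaluation()
    print("baseline (mean, stdev):", baseline)               # (3, 0.816...)
    print("signature alerts      :", signature_detect(evaluation))
    print("anomalous sources     :", anomaly_detect(evaluation, baseline))
```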


    Ø  Host intrusion detection system (HIDS)

    A host intrusion detection system (HIDS) runs on all computers or devices in the network with direct access to both the internet and the enterprise's internal network. A HIDS has an advantage over an NIDS in that it may be able to detect anomalous network packets that originate from inside the organization or malicious traffic that an NIDS has failed to detect.

    A HIDS may also be able to identify malicious traffic that originates from the host itself, such as when the host has been infected with malware and is attempting to spread to other systems.

    Protocol-based Intrusion Detection System (PIDS)

    Organizations set up a Protocol-based Intrusion Detection System at the front end of a server. It interprets the protocol traffic between the server and the user. A PIDS typically monitors a web server's HTTPS protocol stream, and likewise its HTTP stream, to secure the web service.

    Application Protocol-based IDS (APIDS)

    APIDS is set up within a group of servers. It interprets communication with the applications within the server to detect the intrusion. It identifies the intrusions by monitoring and interpreting the communication on application-specific protocols.

    Ø  Host-based intrusion prevention system (HIPS)

    A host-based intrusion prevention system (HIPS) is a system or a program employed to protect critical computer systems containing crucial data against viruses and other Internet malware. Starting from the network layer all the way up to the application layer, HIPS protects from known and unknown malicious attacks. HIPS regularly checks the characteristics of a single host and the various events that occur within the host for suspicious activities.

    HIPS can be implemented on various types of machines, including servers, workstations, and computers.

    A HIPS uses a database of monitored system objects to identify intrusions by analyzing system calls, application logs, and file-system modifications.

    A HIPS has numerous advantages:

    1. Enterprise and home users have increased protection from unknown malicious attacks.

    2. HIPS uses a distinctive prevention approach that has a better chance of stopping such attacks than traditional protective measures.

    3. Another benefit of such a system is that it removes the need to run and manage multiple security applications to protect PCs, such as anti-virus, anti-spyware and firewalls.

    Monday, May 23, 2022

    Anti-malware software

    Antimalware is a type of software program created to protect information technology (IT) systems and individual computers from malicious software, or malware. Antimalware programs scan a computer system to prevent, detect and remove malware.

    Antimalware software uses three strategies to protect systems from malicious software: signature-based detection, behavior-based detection and sandboxing.

    1. Signature-based malware detection

    Signature-based malware detection uses a set of known software components and their digital signatures to identify new malicious software. Software vendors develop signatures to detect specific malicious software. The signatures are used to recognise software of the same type as previously identified malware and to flag the new software as malware. This approach is useful for common types of malware, such as keyloggers and adware, which share many of the same characteristics.

    2. Behavior-based malware detection

    Behavior-based malware detection helps computer security professionals more quickly identify, block and eradicate malware by using an active approach to malware analysis. Behavior-based malware detection works by identifying malicious software by examining how it behaves rather than what it looks like. Behavior-based malware detection is designed to replace signature-based malware detection. It is sometimes powered by machine learning algorithms.

    3. Sandboxing

    Sandboxing is a security feature that can be used in antimalware to isolate potentially malicious files from the rest of the system. Sandboxing is often used as a method to filter out potentially malicious files and remove them before they have had a chance to do damage.

    For example, when opening a file from an unknown email attachment, the sandbox will run the file in a virtual environment and only grant it access to a limited set of resources, such as a temporary folder, the internet and a virtual keyboard. If the file tries to access other programs or settings, it will be blocked, and the sandbox has the ability to terminate it.

    Uses of antimalware

    Antimalware can help prevent malware attacks by scanning all incoming data to prevent malware from being installed and infecting a computer. Antimalware programs can also detect advanced forms of malware and offer protection against ransomware attacks.

    Antimalware programs can help in the following ways:

    • prevent users from visiting websites known to host malware;
    • prevent malware from spreading to other computers in a computer system;
    • provide insight into the number of infections and the time required for their removal; and
    • provide insight into how the malware compromised the device or network.

    Malware Infection

    Malware, or "malicious software", is any program designed to harm your device or data. The main types include trojans, viruses, ransomware, spyware and worms.

    Malware infection occurs when malware, or malicious software, infiltrates your computer. Malware is a type of software created with the intent of damaging the victim's computer, stealing private information or spying on a computer without the consent of the user.

    A malware infection can cause many problems that affect daily operation and the long-term security of your company. Here are some of the many things malware can do.

    1. Steal Your Sensitive Information - Information theft is one of the most serious and costly results of malware. Once pieces of malware such as spyware and trojans are installed on your device, hackers can gather your personal and company information to sell to third-party sources. This information can include browsing history, passwords, client profiles and other sensitive data.

    2. Slow Your Computer - Malware consumes the resources of the machine it runs on: a cryptominer saturates the CPU, a bot eats memory and network bandwidth, and some worms and file infectors copy themselves until little disk space is left for legitimate programs. The resulting sluggishness makes it difficult to carry on with business as usual and is often the first thing a user notices.

    3. Restrict Access to Your Files - Certain types of malware can damage or delete files and programs on your computer. Unless your data is backed up on another hard drive or cloud server, you won’t be able to regain access to many of these files after a cyber attack.

    One type of malware known as ransomware holds the files on your computer hostage by encrypting them. The attackers demand payment for the decryption key, and many groups also copy the data first and threaten to publish it if the ransom is not paid.

    4. Spread Throughout Your Network - Worms are an especially disruptive type of malware for businesses. Once a worm infects one computer, it replicates itself and spreads to every other reachable machine, typically by exploiting a vulnerable network service or reusing stolen credentials. In a flat network where every device can talk to every other, one employee's infected computer can therefore lead to the entire organization being compromised, which is why network segmentation is part of the defence.

    5. Disrupt Daily Operations - Adware is specifically a nuisance for business productivity. When installed onto a computer, it enables constant popups and can even redirect your search results to advertisers’ sites — making it hard for anyone to enjoy the functionality of their device.

    Symptoms of Malware

    Some of the most common symptoms of a malware infection include:

    1. Slow computer
    2. Lack of storage space
    3. Crashing or freezing
    4. Pop-ups and unwanted programs
    5. Spam sent from your accounts, or contacts receiving messages you did not send

    Steps toward minimizing your risk of malware threats:

    ·         Install anti-malware software

    ·         Perform regular employee security training

    ·         Avoid clicking unknown links and pop-ups

    ·         Keep your system up to date

    ·         Implement network security

    Prevent malware infection

    1. Keep software up to date - Software updates patch known vulnerabilities, so exploits that target them stop working once the update is installed. Enable automatic updates for the operating system, browsers and office applications, since these are the components most often targeted by malware.

    2. Be wary of links and attachments - Email and other messaging tools are a few of the most common ways your device can get infected. Attachments or links in messages can open malware directly or can stealthily trigger a download. Some emails give instructions to allow macros or other executable content designed to make it easier for malware to infect your devices.

    3. Watch out for malicious or compromised websites - When you visit malicious or compromised sites, your device can get infected with malware automatically or you can get tricked into downloading and installing malware. To block malicious websites, use a modern web browser like Microsoft Edge that identifies phishing and malware websites and checks downloads for malware.

    4. Pirated material on compromised websites - Using pirated content is not only illegal, it can also expose your device to malware. Sites that offer pirated software and media are also often used to distribute malware when the site is visited. To stay safe, download movies, music, and apps from official publisher websites or stores.

    5. Don't attach unfamiliar removable drives - Some types of malware spread by copying themselves to USB flash drives or other removable drives. There are malicious individuals that intentionally prepare and distribute infected drives by leaving them in public places for unsuspecting individuals. Only use removable drives that you are familiar with or that come from a trusted source. 

    6. Use a non-administrator account - To help ensure that everyday activities do not result in malware infection and other potentially catastrophic changes, it is recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.

    Unauthorized access by outsider

    Unauthorized access is when someone gains access to a website, program, server, service, or other system using someone else's account or other methods.

    Any access to an information system or network that violates the owner or operator’s stated security policy is considered unauthorized access. Unauthorized access is also when legitimate users access a resource that they do not have permission to use.

    The most common reasons for unauthorized entry are to:

    • Steal sensitive data
    • Cause damage
    • Hold data hostage as part of a ransomware attack
    • Play a prank

    The three primary objectives of preventing unauthorized access are:

    • Confidentiality—the protection of sensitive information from unauthorized access
    • Integrity—the protection of sensitive information from unauthorized modification or destruction
    • Availability—the protection of sensitive information and information systems from unauthorized disruption

    The damage from unauthorized access goes beyond time and money; trust and reputation are also casualties.

    Protection of sensitive data should be top of mind and a high priority in all organizations. A defensive, proactive approach to preventing unauthorized access can protect information and systems from disclosure, modification, destruction, and disruption.
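An added example (not part of the original post) of turning a stated security policy into an enforced check: deny-by-default authorization in Python with an audit log that records every unauthorized attempt, whether by an unauthenticated outsider or by a legitimate user reaching beyond their permissions. The roles, users, resources and classification levels are constructed for illustration, and the mapping of each action to the objective it threatens (read to confidentiality, write to integrity, delete to availability) is a simplification.

```python
"""Deny-by-default authorization with an audit trail of unauthorized attempts.

Constructed example: a small role/ownership policy, an authorize() check that
permits only what the policy states, and an audit log that records every
denial so attempts by outsiders and by over-reaching insiders are both visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    authenticated: bool = True


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    classification: str   # "public", "internal" or "confidential"


# Stated policy: the (action, classification) pairs each role is allowed.
ROLE_PERMISSIONS = {
    "analyst": {("read", "public"), ("read", "internal")},
    "finance": {("read", "public"), ("read", "internal"),
                ("read", "confidential"), ("write", "confidential")},
    "admin":   {(act, cls) for act in ("read", "write", "delete")
                for cls in ("public", "internal", "confidential")},
}

# Which security objective a successful unauthorized action would violate.
IMPACT = {"read": "confidentiality", "write": "integrity", "delete": "availability"}

AUDIT: list[dict] = []


def authorize(p: Principal, action: str, r: Resource) -> bool:
    """Allow only what the policy explicitly grants; log every decision."""
    if not p.authenticated:
        decision, reason = False, "unauthenticated (outsider)"
    elif action in ("read", "write") and r.owner == p.user:
        decision, reason = True, "owner"
    elif (action, r.classification) in ROLE_PERMISSIONS.get(p.role, set()):
        decision, reason = True, f"role {p.role}"
    else:
        decision, reason = False, f"role {p.role} has no {action} on {r.classification} data"
    AUDIT.append({"user": p.user, "action": action, "resource": r.name,
                  "decision": "allow" if decision else "deny",
                  "reason": reason, "impact": IMPACT.get(action, "unknown")})
    return decision


def denied_events(user=None) -> list[dict]:
    """Unauthorized-access attempts, optionally filtered to one user."""
    return [e for e in AUDIT
            if e["decision"] == "deny" and (user is None or e["user"] == user)]


def demo() -> list[bool]:
    AUDIT.clear()
    wiki = Resource("team-wiki", owner="carol", classification="internal")
    payroll = Resource("payroll.xlsx", owner="bob", classification="confidential")
    alice = Principal("alice", "analyst")
    bob = Principal("bob", "finance")
    dave = Principal("dave", "admin")
    outsider = Principal("unknown", "guest", authenticated=False)
    return [
        authorize(alice, "read", wiki),      # True: analysts may read internal data
        authorize(alice, "read", payroll),   # False: legitimate user, no permission
        authorize(outsider, "read", wiki),   # False: no authenticated identity
        authorize(bob, "write", payroll),    # True: owner (and finance role)
        authorize(alice, "delete", wiki),    # False: only admins may delete
        authorize(dave, "delete", wiki),     # True: admin role
    ]


if __name__ == "__main__":
    demo()
    for event in denied_events():
        print(event)
```

The denial for alice reading payroll is the second kind of unauthorized access the text describes: a valid account used outside its permissions. Because the check is deny-by-default, an unknown role or a new action type is refused until the policy is extended, and the audit entries give the evidence an investigation needs afterwards.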

    Network session analysis

    Network session analysis is a method of monitoring network activity and availability to identify issues, such as ...