Computer/Information Security
DR M Y Siyal
EE4758 COMPUTER SECURITY
IM3003 INFORMATION SECURITY

information security


DESCRIPTION

This describes 21st-century cyber security.


COURSE OUTLINES

OBJECTIVE
This subject intends to provide students with essential concepts of computer/information security, cryptography, secure protocols, the security Plan-Protect-Respond cycle, and other security technologies, policies, and practices.

DESIRED OUTCOME
With the background obtained in this subject, a student should be able to understand, develop, use and deploy appropriate security technologies, policies, procedures and practices.

COURSE ASSESSMENT

The course assessment is done by:

CONTINUOUS ASSESSMENT (CA) 20%
One Quiz (date to be announced via course site)
20 Questions
MCQ, T/F, fill in blanks and short answers
ABSENTEE (WITHOUT OFFICIAL LEAVE) WILL RECEIVE ZERO MARKS

EXAMINATION 80%
Four Questions
Closed Book

BOOKS

Text and Reference Books
William Stallings, Cryptography and Network Security: Principles and Practices, 6 Ed, Prentice Hall, 2013.
William Stallings, Network Security Essentials: Applications and Standards, 5 Ed, Prentice Hall, 2014.

Other Useful Books
A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
Alan G. Konheim, Computer Security and Cryptography, Wiley-Interscience, 2007, ISBN: 978-0-471-94783-7.
D. Gollmann, Computer Security, John Wiley & Sons, 2006.
A.W. Dent, C.J. Mitchell, User's Guide to Standards and Cryptography, Artech House, 2005.

SAMPLE OF COMPUTER/INFORMATION SECURITY INCIDENTS/ATTACKS

Computer 'Nerd' Jailed in Jan. 2003 for Global Virus Attack

Simon Vallor, a Welsh Web designer and hacker, created one of the most widespread viruses.
Vallor admitted releasing Gokar.
Gokar: the third most prevalent virus, at one point infecting hundreds of thousands of computers in 46 countries. It clogged networks and crashed computers.
All were in the form of email attachments.
When the email was opened, Gokar sent itself to addresses in the user's email directory.
Crime: violating Computer Misuse Act.
His plea: guilty.
His sentence: 2 years in jail.
Reason for his capture: He boasted in a chat room that "at last there's a Welsh virus" and used his traceable Internet name Gobo.
Like many hackers, he craved fame, which helps law enforcement capture these criminals.

THE TJX DATA BREACH

A group of companies with more than 2,500 retail stores, operating in the United States, Canada, England, Ireland, and several other countries.
On December 18, 2006, TJX detected “suspicious software” on its computer systems.
Notified law enforcement immediately.
Only notified consumers a month later, to get time to fix the system and to allow law enforcement to investigate.
Company estimated that 45.7 million customer records with personal information were stolen.
Hackers first broke into poorly protected wireless networks in retail stores and used this entry to break into the central processing system in Massachusetts.
Not detected despite 80 GB of data being stolen.
TJX suffered damages of $256 million as of August 2007.

Hacker pleads guilty to huge theft of card numbers (12 September 2009)

Albert Gonzalez, 28, a computer hacker who was once a federal informant and was a driving force behind one of the largest cases of identity theft in U.S. history, pleaded guilty in a deal which sent him to prison for up to 25 years.
He admitted pulling off some of the most prominent hacking jobs of the decade, stealing tens of millions of credit and debit card numbers.
Gonzalez was a self-taught computer genius and was arrested in 2003 for hacking but was not charged because he became an informant, helping the Secret Service to find other hackers.
However, over the next five years, he hacked into the computer systems of Fortune 500 companies even while providing assistance to the government and lived a lavish lifestyle (had $2.8 million, bought a Miami condo and a BMW etc).
Gonzalez and two foreign co-defendants used hacking techniques that involved cruising through different areas with a laptop computer and looking for retailers' accessible wireless Internet signals.
Once they located a vulnerable network, they installed "sniffer programs" that captured credit and debit card numbers and then tried to sell the data.

Securityextra.com Report (June 2011)

Two international cybercrime groups made $74 million from fake antivirus programs.
About 600 people suspected of implementing fraudulent online schemes were arrested in 11 Southeast Asian countries.
Cybercriminals used Amazon’s cloud to host and distribute malware that targeted Brazilian users and was designed to steal data from customers of nine Brazilian banks.
Russian scammers tried their luck at making money for nothing in June using the Bitcoin virtual money system.
Over 200 million network attacks were blocked, 68 million web-borne infections prevented, and 200 million malicious programs detected.
The Top 20 malicious programs on the Internet in June included a large number of new entries.
Once again it was dominated by malware that makes use of drive-by attacks: redirectors, script downloaders and exploits.

“I am going to kill you”: A Neighbor from hell hacker gets 18 years jail (July 2011)

Barry Ardolf, 46, repeatedly hacked into the Wi-Fi network of his neighbors, Matt and Bethany Kostolnik.
He created fake email accounts and online profiles in their name and used them to harass superiors and co-workers and even send death threats to US Vice President Joe Biden.
Matt was visited by FBI agents; however, after interviewing him they realized that he had been framed and started looking for the real culprit.
Barry used password-cracking software to gain access to their wireless router, and he was then able to access the family's computers, steal financial data and use the internet as though he was in their house.
US District Judge Frank, after listening to the tearful testimony of Bethany Kostolnik, sentenced Barry Ardolf to 18 years in jail.
There have been similar cases in Australia, Europe and other parts of the world as well.

Russian hacker leaks 6.5 million LinkedIn account passwords on cybercrime forum (June 2012)

LinkedIn has more than 160 million users in 200 countries.
6.5 million encrypted passwords were published on a Russian hackers’ web forum on 5 June 2012.
Security experts believe that the stolen passwords were used by criminals.
The problem concerned a mobile app which sent unencrypted calendar entries, such as phone numbers and passwords for conference calls, to LinkedIn servers without the users’ knowledge.
Although LinkedIn does not contain a wealth of personal data like other social networking sites such as Facebook, there is a risk that LinkedIn members who use the same password for other websites could have other personal data stolen, including bank details.

2013 SINGAPORE CYBER ATTACKS

The 2013 Singapore cyber attacks were a series of hack attacks initiated by an organization called Anonymous.

Attacks:
People's Action Party's Community Foundation's webpage
Ang Mo Kio Town Council
The Straits Times (news reporter Irene Tham’s blog on the newspaper's official website)
Seletar Airport website
Singapore Prime Minister’s Website
Istana website

On 12 November 2013, James Raj was charged in Singapore court as the alleged “The Messiah” (name used by the hacker).
On 20 November, the websites of 13 schools were defaced.

2013 CYBER ATTACKS

Facebook: 318,000 Passwords Stolen
2013 saw 318,000 Facebook accounts fall to malicious Key Logging Software called Pony.

LivingSocial: 50 Million Accounts Attacked
April 2013: A staggering 50 million customers were affected by the attack.

Evernote: 50 Million User Accounts Compromised
March of 2013: Evernote’s 50M user accounts were compromised and they needed to reset their passwords.

Drupal: 1 Million Passwords Stolen
29 March 2013: Drupal.org forced to reset all user passwords.

Adobe: 38 Million User Accounts Leaked
October 2013: Adobe suffered a massive data breach that exposed the account information of 38 million users.

Twitter: Taken For 250,000 Accounts
February 2013: 250,000 usernames and passwords were stolen.

2014 CYBER ATTACKS

eBay
May 2014: eBay revealed that hackers had managed to steal personal records of 233 million users including usernames, passwords, phone numbers and physical addresses.

Domino’s Pizza
June 2014: Hacking group Rex Mundi held Domino’s Pizza to ransom over 600,000 Belgian and French customer records.

P.F. Chang’s
June 2014: The chain restaurant suffered a huge data breach and hackers started selling compromised credit cards on the black market for $18.
Chang’s responded by going low-tech and using old manual credit card imprinting machines.

1.2 Billion passwords stolen
August 2014: The biggest theft of Internet credentials in history. A Russian crime ring stole more than 1.2 billion passwords and 500 million email addresses from more than 420,000 websites.


2015 CYBER ATTACKS

Source: http://www.hackmageddon.com/2015/07/13/june-2015-cyber-attacks-statistics/



SYMANTEC 2015 REPORT


Data Breaches

INTRODUCTION TO COMPUTER/INFORMATION SECURITY

WHAT IS COMPUTER/INFORMATION SECURITY?

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the:
Confidentiality
Integrity
Availability
of information system resources:
Hardware
Software
Firmware
Information/data
Telecommunications

Examples of Security Requirements
Confidentiality – student grades
Integrity – patient information
Availability – authentication services

COMPUTER/INFORMATION SECURITY

SECURITY
State of freedom from a danger or risk

INFORMATION SECURITY
Tasks of guarding information that is in a digital format
Ensures that protective measures are properly implemented
Protects information that has value to people and organizations
Value comes from the characteristics of the information

Security is achieved through a combination of three entities:
Products
People
Procedures

A successful organization should have multiple layers of security in place:
Physical security (Products)
Personal security (People)
Organization security (Procedure)
Communications security
Network security
Information security (CIA)

COMPUTER/INFORMATION SECURITY COMPONENTS

C.I.A. TRIANGLE
Was the standard, based on Confidentiality, Integrity, and Availability
Now expanded into a list of critical characteristics of information


COMPONENTS OF INFORMATION SECURITY

CNSS SECURITY MODEL
The McCumber Cube

INFORMATION SECURITY TERMINOLOGY

ASSET
Something that has a value

THREAT
Event or object that may defeat the security measures in place and result in a loss
By itself does not mean that security has been compromised

THREAT AGENT
Person or thing that has the power to carry out a threat

VULNERABILITY
Weakness that allows a threat agent to bypass security

EXPLOITING THE SECURITY WEAKNESS
Taking advantage of the vulnerability

RISK
Likelihood that a threat agent will exploit a vulnerability


SECURITY SERVICES

AUTHENTICATION
Assurance that communicating entity is the one claimed.

ACCESS CONTROL
Prevention of the unauthorized use of a resource.

DATA CONFIDENTIALITY
Protection of data from unauthorized disclosure.

DATA INTEGRITY
Assurance that data received is as sent by an authorized entity.

NON-REPUDIATION
Protection against denial by one of the parties in a communication.

AVAILABILITY
Resource accessible/usable.

SECURITY MECHANISM
Feature designed to detect, prevent, or recover from a security attack.

SECURITY GOALS

C.I.A.: CONFIDENTIALITY, INTEGRITY, AVAILABILITY

TOOLS FOR CONFIDENTIALITY

ENCRYPTION
The transformation of information using a secret (encryption) key, so that the transformed information can only be read using another secret (decryption) key, which may, in some cases, be the same as the encryption key.

[Diagram: the sender encrypts the plaintext with a shared secret key; the ciphertext crosses the communication channel, where an attacker may be eavesdropping; the recipient decrypts it with the shared secret key to recover the plaintext.]

ACCESS CONTROL
Rules and policies that limit access to confidential information to those people and/or systems with a “need to know.”
This need to know may be determined by identity, such as a person’s name or a computer’s serial number, or by a role that a person has, such as being a manager or a computer security specialist.

AUTHENTICATION
The determination of the identity or role that someone has. This determination can be done in a number of different ways, but it is usually based on a combination of
something the person has (like a smart card)
something the person knows (like a password)
something the person is (like a human with a fingerprint).

[Figure: the three authentication factors]
Something you are: human with fingers and eyes
Something you know: password=ucIb()w1V, mother=Jones, pet=Caesar
Something you have: radio token with secret keys

AUTHORIZATION
The determination if a person or system is allowed access to resources, based on an access control policy.
Such authorizations should prevent an attacker from tricking the system into letting him have access to protected resources.

PHYSICAL SECURITY
The establishment of physical barriers to limit access to protected computational resources.
Such barriers include locks on cabinets and doors, the placement of computers in windowless rooms, the use of sound dampening materials, and even the construction of buildings or rooms with walls incorporating copper meshes (called Faraday cages) so that electromagnetic signals cannot enter or exit the enclosure.

TOOLS FOR INTEGRITY

INTEGRITY
The property that information has not been altered in an unauthorized way.

TOOLS

Backups
The periodic archiving of data.

Checksums
The computation of a function that maps the contents of a file to a numerical value.
A checksum function depends on the entire contents of a file and is designed in a way that even a small change to the input file (such as flipping a single bit) is highly likely to result in a different output value.

Data Correcting Codes
Methods for storing data in such a way that small changes can be easily detected and automatically corrected.
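The two integrity tools described above, checksums and data correcting codes, compared on the same record. This is an added example, not part of the original slides: SHA-256 is assumed as the checksum function and Hamming(7,4) as the correcting code, and the record and every function name are constructed for illustration.

```python
import hashlib

# Constructed sample record (the slides use patient information as the
# integrity example); not real data.
RECORD = b"patient=1042;allergy=penicillin;dose=5mg"


def checksum(data):
    """SHA-256 digest, standing in for the checksum function (an assumption)."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data, bit_index):
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def hamming74_encode(nibble):
    """Encode 4 data bits as a 7-bit codeword laid out p1 p2 d1 p3 d2 d3 d4."""
    d1, d2, d3, d4 = [(nibble >> shift) & 1 for shift in (3, 2, 1, 0)]
    p1 = d1 ^ d2 ^ d4  # parity over codeword positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4  # parity over codeword positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4  # parity over codeword positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(codeword):
    """Return (nibble, syndrome). A non-zero syndrome is the 1-based position
    that was flipped back before the data bits were read out."""
    c = list(codeword)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    syndrome = s1 | (s2 << 1) | (s3 << 2)
    if syndrome:
        c[syndrome - 1] ^= 1
    return (c[2] << 3) | (c[4] << 2) | (c[5] << 1) | c[6], syndrome


def encode_bytes(data):
    """Store each byte as two 7-bit codewords (high nibble, then low nibble)."""
    bits = []
    for byte in data:
        bits += hamming74_encode(byte >> 4) + hamming74_encode(byte & 0x0F)
    return bits


def decode_bytes(bits):
    """Return (data, number of codewords in which a bit was corrected)."""
    out, corrections = bytearray(), 0
    for i in range(0, len(bits), 14):
        high, s_high = hamming74_decode(bits[i:i + 7])
        low, s_low = hamming74_decode(bits[i + 7:i + 14])
        corrections += (s_high != 0) + (s_low != 0)
        out.append((high << 4) | low)
    return bytes(out), corrections


def demo():
    baseline = checksum(RECORD)

    # 1. A checksum detects a single flipped bit but cannot repair it.
    detected = checksum(flip_bit(RECORD, 3)) != baseline

    # 2. The correcting code repairs one flipped bit in a codeword.
    stored = encode_bytes(RECORD)
    stored[40] ^= 1
    repaired, fixes = decode_bytes(stored)

    # 3. Two flips in one codeword exceed what Hamming(7,4) can correct:
    #    it "repairs" the wrong bit and returns altered data. Comparing
    #    against the baseline checksum still exposes the change.
    stored = encode_bytes(RECORD)
    stored[0] ^= 1
    stored[1] ^= 1
    wrong, _ = decode_bytes(stored)

    return {
        "single_flip_detected": detected,
        "single_flip_repaired": repaired == RECORD and fixes == 1,
        "double_flip_miscorrected": wrong != RECORD,
        "double_flip_caught_by_checksum": checksum(wrong) != baseline,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Neither tool stops a deliberate attacker who can rewrite both the data and its stored checksum; the baseline value has to be kept where the attacker cannot modify it.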

TOOLS FOR AVAILABILITY

AVAILABILITY
The property that information is accessible and modifiable in a timely fashion by those authorized to do so.

TOOLS

Physical Protections
Infrastructure meant to keep information available even in the event of physical challenges.

Computational Redundancies
Computers and storage devices that serve as fallbacks in the case of failures.

HISTORY OF COMPUTER SECURITY

Computer security began immediately after the first mainframes were developed.
Physical controls were needed to limit access to sensitive military locations to authorized personnel.
Only rudimentary controls were available to defend against physical theft, espionage, and sabotage.

THE 1960S
Department of Defense’s Advanced Research Project Agency (ARPA) began examining the feasibility of redundant networked communications.
Dr. Lawrence Roberts developed the project from its inception.

THE 1970S AND 80S
ARPANET grew in popularity as did its potential for misuse.
Fundamental problems with ARPANET security were identified.
No safety procedures for dial-up connections to the ARPANET.
User identification and authorization to the system were non-existent.
In the late 1970s the microprocessor expanded computing capabilities and security threats.

The Federal Bureau of Investigation (FBI) made one of its first arrests related to computer hacking in the early 1980s.
A group of hackers known as the 414s were indicted for attacking 60 different computers.
A 25-year-old hacker named Kevin Mitnick began tapping into the e-mail system used by computer security managers at both Digital Equipment Corp. and MCI Communications Corp. As a result, Mitnick was arrested and sentenced to one year in jail.
First National Bank of Chicago became the victim of a $70 million computer fraud.
Three of the most well known viruses (Cascade, Friday the 13th, and Stoned) all originated in 1987.
Graduate student Robert T. Morris, Jr. of Cornell University launches the Morris worm, which spreads to 6,000 networked computers, clogging government and university systems. Morris is dismissed from Cornell, sentenced to three years probation, and fined $10,000.

THE 1990S
As networks of computers became more common, so did the need to interconnect the networks, which resulted in a global network of networks.
By 1991, more than 1,000 viruses had been discovered by computer security experts.
During 1995, computers at the U.S. Department of Defence were attacked roughly 250,000 times and one in every five Web sites was hacked.
Russian crackers siphon $10 million from Citibank and transfer the money to bank accounts in Finland and Israel. Vladimir Levin, the 30-year-old ringleader, stands trial in the United States and is sentenced to 3 years in prison.
A 15-year-old Croatian youth penetrates computers at a U.S. Air Force.
In January 1998, Yahoo! notifies Internet users that they might have downloaded a logic bomb and worm planted by hackers.
In March 1999 the Melissa worm is released and quickly becomes the most costly malware outbreak to date.

2000
Hacking in 2000 increased 79% and many well known organizations lost millions of dollars.
One of the key hackers in many of these attacks, a 16-year-old Canadian boy operating under the name Mafiaboy, was arrested.
The ILOVEYOU worm infected millions of computers worldwide within a few hours of its release. It is considered to be one of the most damaging worms ever. It originated in the Philippines.
Code Red worm infects tens of thousands of machines.
North Korea claims to have trained 500 hackers who successfully crack South Korean, Japanese, and their allies' computer systems.
2006: A new worm is discovered. It had various names, including Kama Sutra, Black Worm, Mywife, Blackmal, Nyxem version D, Kapser, KillAV, Grew and CME-24. The worm would spread through the e-mail address book.
Largest Defacement in Web History is performed by the Turkish hacker iSKORPiTX, who successfully hacked 21,549 websites in one shot.

2007
Estonia suffers massive denial-of-service attack.
United Nations website hacked by Turkish Hacker Kerem125.
FBI Operation Bot Roast II: 1 million infected PCs, $20 million in losses and 8 indictments.

2008
Around 20 Chinese hackers claim to have gained access to the world's most sensitive sites, including The Pentagon.

2009
April 1: Conficker worm has infiltrated billions of PCs worldwide including many government-level top-security computer networks.
July 4: The July 2009 cyber attacks occur, and the newly emerged W32.Dozer attacks the United States and South Korea.
July 19: Kaspersky official website successfully hacked by Yusuf, a Turkish Hacker.

2010
January: Google publicly reveals that it has been on the receiving end of a “highly sophisticated and targeted attack” originating from China that resulted in the theft of intellectual property from Google.
June: The Stuxnet worm is found by VirusBlokAda. Its payload targeted just one specific model and type of SCADA systems. It slowly became clear that it was a cyber attack on Iran's nuclear facilities.

2011
April 17: An "external intrusion" sends the PlayStation Network offline, and compromises personally identifying information (possibly including credit card details) of its 77 million accounts, in what is claimed to be one of the five largest data breaches ever.
June: The U.S. Senate computers are hacked by hacker group LulzSecurity.
World Bank, IMF and other high profile sites are also attacked.

2012
According to the Department of Homeland Security, in the first quarter of 2012, there were 86 reported attacks on computer systems in the United States that control critical infrastructure.
FLAME VIRUS: The Flame computer virus is not only capable of espionage but it can also sabotage computer systems and likely was used to attack Iran in April 2012.
JUNE 2012: LinkedIn Corp has been sued for not having better security in place when more than 6 million customer passwords were stolen.
LONDON 2012: During Beijing Olympics, experts encountered about 12 million potential cyber security problems each day. In London, they had 14 million security events per day.

2013
15 May 2013: Lulzsec hackers caused millions of pounds of damage during cyber attacks.
Group included an A-level student and a 20-year-old working in his bedroom.
[Photo: Ryan Cleary, 20 (left), and Mustafa Al-Bassam, 18 (right)]

25 July 2013
Five hackers stole 160 million credit card numbers in the largest data theft case ever prosecuted in the U.S.
Four Russians and a Ukrainian are charged with running a sophisticated hacking organization over a seven-year period.
One company, Heartland Payment Systems, suffered losses of about $200 million, and 130 million card numbers were stolen.

2014
eBay asked its 145 million members to change their passwords as their data was compromised by hackers.
Sony data breach: “The Interview” became one of the most watched movies of all time.
iCloud hack: Celebrities were most affected by the incident, but thousands of non-famous people saw credentials stolen, private pictures made publicly available, and activity histories illegally collected.
Heartbleed: A bug in OpenSSL, which is used by around 90% of websites, enabled anyone to access memory systems in vulnerable versions of OpenSSL code.
Home Department USA: 56,000,000 credit/debit cards were compromised in September 2014.
Home Department USA: 53,000,000 email addresses were compromised in November 2014.

FAMOUS HACKERS

KEVIN MITNICK
He was once one of the most wanted criminals, with break-ins ranging from the Pentagon to Digital Equipment Corp.
Currently he runs Mitnick Security Consulting in USA, and is an author. His latest book is called "Ghost in the Wires".
He has acquired a kind of celebrity status and regularly appears at speaking engagements and book signings.

GEORGE HOTZ
A 22-year-old hacker best known for "jailbreaking" the iPhone and hacking the PlayStation 3 (2011), which led to a showdown with Sony Corp.
Sony sued Hotz, which resulted in a settlement forbidding Hotz from hacking Sony products.
The hacking group Anonymous took up Hotz's cause, retaliating with attacks against the company.
He was later hired by Facebook.

ADRIAN LAMO
He was arrested in 2003 for breaking into the New York Times' computer network and was sentenced to house arrest.
Lamo returned to the spotlight in 2010 when he and a young Army private named Bradley Manning leaked classified government communications to WikiLeaks.
Manning was charged, while Lamo has been branded as a traitor, leading to his harassment on the internet and at hacking conferences.

ROBERT TAPPAN MORRIS
Robert Tappan Morris attained notoriety in 1988 when, as a graduate student at Cornell University, he unleashed the first widespread worm attack on the Internet, causing thousands of computers to crash.
The son of a high-ranking National Security Agency scientist, Morris said the program was a research experiment that got out of control.
He became the first person charged under an anti-hacking law that made it illegal to penetrate federal computers. He was fined $10,000 and ordered to perform 400 hours of community service, a punishment some security experts say was too steep considering the types of internet attacks that are now launched daily.
Morris is currently a computer science professor at the Massachusetts Institute of Technology.

MAX BUTLER
Max Butler is a former FBI informant who operated a stolen credit-card site called “CardersMarket”.
Known online as "Iceman," he assembled one of the Internet's largest cybercrime commerce sites, with thousands of users, and ran it out of his San Francisco apartments.
A series of blunders by associates (getting caught using stolen cards in retail stores) led to the site's unravelling and Butler's arrest and incarceration. He was sentenced to 13 years in prison for stealing 2 million credit-card numbers, which were used to rack up $86 million in fraudulent charges.

MICHAEL LYNN
Michael Lynn rose to fame in 2005 when Cisco Systems Inc went to great lengths to try to censor his presentation on software vulnerabilities that would allow attackers to take over Cisco routers.
Cisco threatened a lawsuit, ordering workers to rip 20 pages out of the program for the Black Hat security conference and destroy 2,000 CDs containing the presentation.
Lynn quit his employer, Internet Security Systems Inc., which he says pressured him to censor the talk as well.
He gave it anyway, becoming a hacker hero.
Lynn now works for Cisco rival Juniper Networks Inc. as a senior engineer.

KEVIN POULSEN
Kevin Poulsen is a convicted computer hacker who has transformed himself into a top security journalist.
He is the author of "Kingpin," a book about “CardersMarket” operator Max Butler, and is the news editor at Wired.com.
Poulsen's specialty was hacking telephone networks.
He once commandeered all the phone lines of a Los Angeles radio station to ensure he would be the winning caller in a Porsche giveaway.
Poulsen served more than five years in prison.

JONATHAN JAMES
At only fifteen years of age, he managed to hack into a number of networks, including the U.S. Department of Defense and NASA.
Total cost to NASA was $1.7 million, while NASA had to shut down for 3 days to complete the investigation, which incurred another $41,000.
He was convicted and sent to prison while he was still a minor.
In 2007 a number of high profile companies fell victim to a massive wave of malicious network attacks.
Even though James denied any involvement, he was suspected and investigated.
In 2008, James committed suicide, believing he would be convicted of crimes that he did not commit.

ALBERT GONZALEZ
He was the leader of a hacker group known as “ShadowCrew” and stole over 170 million credit cards and ATM cards and sold them online for profit.
ShadowCrew also fabricated $4.3 million fraudulent passports, health insurance cards, and birth certificates for identity theft crimes.
He was caught when he hacked into the databases of TJX Companies and Heartland Payment Systems for their stored credit card numbers.
In 2010, Gonzalez was sentenced to prison for 20 years.

Page 61: information security

MODERN DEFINITION OF INFORMATION SECURITY
Policies, Practices, and Technology that must be in place for an organization to transact business electronically via networks with a reasonable assurance of safety.

ASSETS AT RISK
  Data assets
  Knowledge assets
  Software assets
  Physical assets
  Monetary or financial assets
  Employee assets
  Customer and partner assets
  Goodwill

Page 62: information security

THREATS AND RESPONSES
You cannot defend yourself unless you know the threat environment you face.

Page 63: information security

THREATS AND RESPONSES
Companies defend themselves with a process called the Plan-Protect-Respond Cycle.

Page 64: information security

THREATS AND RESPONSES
The Plan-Protect-Respond Cycle starts with Planning. We will look at important planning principles.

Page 65: information security

THREATS AND RESPONSES
Companies spend most of their security effort on the protection phase, in which they apply planned protections on a daily basis.

Page 66: information security

THREATS AND RESPONSES
Even with great planning and protection, incidents will happen, and a company must have a well-rehearsed plan for responding to them.

Page 67: information security

THE THREAT ENVIRONMENT

Page 68: information security

ATTACKS AND ATTACKERS
WHAT ARE THE THREATS?
  Various types of attacks
  Various types of attackers
The Unchanging and Changing Nature of Attacks
  UNCHANGING – similar to “bricks and mortar” crimes
    Robbery
    Embezzlement
    Fraud
  CHANGING
    More common
    More widespread
    Difficult to track, capture and convict

Page 69: information security

ATTACKS AND ATTACKERS
The Internet has THREE CHARACTERISTICS that aid attacks:
1. AUTOMATION
  Speed of computers and networks makes minimal rate of return attacks possible.
  Data mining is easy and getting easier, affecting privacy.
2. ACTION AT A DISTANCE
  Attackers can be far away from their prey and still do damage.
  Interstate/International differences in laws can affect prosecution.
3. ELECTRONIC TECHNIQUES EASILY TRANSFERABLE/DUPLICATED
  Counterfeiting e-money
  Attack tools can be created by a single person
  Easily modified per situation

Page 70: information security

ATTACKS AND ATTACKERS
TYPES OF ATTACKS
Criminal Attacks
  Basis is in financial gain
  Includes fraud, destruction and theft (personal, brand, identity)
Privacy Violations
  Private/personal information acquired by organizations not authorized.
  Includes surveillance, databases, traffic analysis
Publicity Attacks
  Attacker wants to get their name(s) in the papers
  Can affect ANY system, not just related to profit centers
  Denial of service.
Legal Attack
  Set up a situation to use the discovery process to gather information
  Rare, but possibly devastating

Page 71: information security

ATTACKS AND ATTACKERS
TYPES OF ATTACKERS
Hackers
  Attack for the challenge
  Own subculture with names, lingo and rules
  Can have considerable expertise and passion for attacks
Lone Criminals
  Attack for financial gain
  Cause the bulk of computer-related crimes
Malicious insiders
  Already inside the system
  Know weaknesses and tendencies of the organization
  Very difficult to catch
Press
  Gather information for a story to sell papers/commercial time

Page 72: information security

ATTACKS AND ATTACKERS
Industrial Espionage
  Gain a competitive advantage by stealing trade secrets
Organized crime
  Lots of resources to put behind their attacks…usually very lucrative
Police
  Lines are sometimes crossed when gathering information to pursue a case
Terrorists
  Goal is disruption and damage
National intelligence organizations
  Highly funded and skilled
  Very risk averse
Info-warriors
  Military based group targeting information or networking infrastructures
  Lots of resources
  Willing to take high risks for short term gain

Page 73: information security

SECURITY ATTACKS

Page 74: information security

THREATS AND ATTACKS
EAVESDROPPING: PASSIVE ATTACK 1
The interception of information intended for someone else during its transmission over a communication channel.

[Figure labels: Alice, Bob, Eve]

Page 75: information security

EXAMPLE: PASSIVE ATTACK 2

Page 76: information security

THREATS AND ATTACKS
ALTERATION OR MODIFICATION: ACTIVE ATTACK
Unauthorized modification of information.

EXAMPLE: The man-in-the-middle attack, where a network stream is intercepted, modified, and retransmitted.

[Figure labels: Sender, plaintext M, encrypt, shared secret key, ciphertext C, communication channel, Attacker (intercepting), ciphertext C′, decrypt, shared secret key, plaintext M′, Recipient]

Page 77: information security

THREATS AND ATTACKS
MASQUERADING
The fabrication of information that is purported to be from someone who is not actually the author.

[Figure label: “From: Alice” (really is from Eve)]

REPUDIATION
The denial of a commitment or data receipt.
This involves an attempt to back out of a contract or a protocol that requires the different parties to provide receipts acknowledging that data has been received.

Page 78: information security

THREATS AND ATTACKS
DENIAL-OF-SERVICE
The interruption or degradation of a data service or information access.
EXAMPLE: Email spam, to the degree that it is meant to simply fill up a mail queue and slow down an email server.

[Figure label: Alice]

Page 79: information security

DELIBERATE SOFTWARE ATTACKS
Malicious software (malware) designed to damage, destroy, or deny service to target systems
Includes:
  Viruses
  Worms
  Trojan horses
  Logic bombs
  Back door or trap door
  Polymorphic threats
  Virus and worm hoaxes
Usually exploits system vulnerabilities

Page 80: information security

TAXONOMY OF MALICIOUS PROGRAMS
[Figure: MALICIOUS PROGRAMS; surviving labels: Bacteria, Worms]

Page 81: information security

MALWARE
Vulnerability-Specific versus Universal Malware
  Vendors release patches to close vulnerabilities.
  However, users do not always install patches promptly or at all and so continue to be vulnerable.
  Also, zero-day attacks occur before the patch is released for the vulnerability.
VIRUS
  A program that piggybacks on other executable programs
  Not structured to exist by itself
  When the host program is executed, the virus code also executes and performs its action
  Typically, actions may be
    Spreading itself to other programs or disks
    Delete files
    Cause systems to become unusable

Page 82: information security

VIRUS DETECTED

Source: http://isc.sans.org/diary.html

Page 83: information security

FIVE CHARACTERISTICS OF VIRUSES
PROPAGATION/MIGRATION
  The way a virus replicates locally and over a network.
PAYLOAD
  The mechanism by which a virus causes damage, such as a computer command to delete files or send email. Payloads can be harmless or cause severe file system corruption.
SIGNATURE
  The identifier by which a virus is detected by AV software.
TRIGGER
  The action that activates a virus. Many viruses are triggered when a user clicks on an email attachment, often Visual Basic Script (VBS).
DETECTION AVOIDANCE
  The method by which a virus attempts to conceal or disguise itself.

Page 84: information security

VIRUS
A typical virus goes through phases of:
  DORMANT: The virus is idle
  PROPAGATION: The virus places an identical copy of itself into other programs
  TRIGGERING: The virus is activated to perform the function for which it was intended
  EXECUTION: The function is performed

What Viruses CAN’T Do
  Viruses CAN’T physically damage your computer’s hardware.
  If your computer suddenly bursts into flames, it isn’t a virus.

Page 85: information security

WAYS FOR VIRUSES TO GET INTO YOUR COMPUTER
In the late 1980’s and early 1990’s, most viruses were spread by “FLOPPYNET.”
  Someone inserts an infected floppy disk with a boot sector virus into their computer, infecting their computer and every other floppy they insert thereafter.
Most viruses today spread through
  Contaminated media (USB drive, or DVD)
  Email and peer-to-peer sites
  Part of another program
  Visits to Websites (even legitimate ones)
  Social networking sites

Page 86: information security

TYPE OF VIRUS
  ARMORED VIRUS
  COMPANION VIRUS
  MACRO VIRUS
  MULTIPARTITE VIRUS
  PHAGE VIRUS
  RETROVIRUS
  POLYMORPHIC VIRUS
  STEALTH VIRUS

ARMORED VIRUS
  It is designed to make itself difficult to detect or analyze
  Covers itself with protective code that stops debuggers or disassemblers from examining critical elements of the virus
  Some part of the code may also act as a decoy to distract analysis
  Need to identify them quickly!

Page 87: information security

TYPE OF VIRUS
COMPANION VIRUS
  Attaches itself to a legitimate program and, when a user types the name of the legitimate program, the companion virus executes instead of the real program
  Or makes changes to program pointers in the registry so that they point to the infected program
  The infected program performs its dirty deed and then starts the real program
MACRO VIRUS
  It exploits the enhancements made to many applications
  A macro virus infects such macros, so that the related documents are infected and can spread to other systems via attached documents in an email

Page 88: information security

TYPE OF VIRUS
MULTIPARTITE VIRUS
  Attacks your system in multiple ways
  May infect your boot sector, all your executable files and destroy your application files (e.g., MS Word documents) at the same time
  The key is that you won’t be able to correct all the problems and will allow infestation to continue
PHAGE VIRUS
  It modifies other programs and databases
  Requires reinstallation of programs or databases to remove the virus
POLYMORPHIC VIRUS
  The virus changes form in order to avoid detection
  Attempts to hide from your antivirus program by
    Encrypting itself
    Changing its signature to fool the antivirus program

Page 89: information security

TYPE OF VIRUS
RETROVIRUS
  It bypasses the antivirus program
  May directly attack the antivirus program
  Destroys the virus definition database file
  May leave you with a false sense of security
STEALTH VIRUS
  Hides from the antivirus program by masking itself from applications
  May attach itself to the boot sector
  Redirects commands to avoid detection
  Reports a different file size
  Moves around from file to file, e.g., from file A (not yet scanned) to file B (already scanned) during a virus scan
VIRUS TRANSMISSION
  Some viruses destroy the target system immediately, while some use the victim system as a carrier to infect other servers and eventually infect the original victim system and destroy it completely.

Page 90: information security

WORMS
Viruses, as just noted, are pieces of code that attach themselves to other programs.
Worms, in contrast, are stand-alone programs that do not need to attach to other programs.
  Can propagate like viruses through e-mail, and so on.
  Antivirus programs search for worms as well as viruses.
Directly-propagating worms jump to victim hosts directly.
  Can only do this if target hosts have a specific vulnerability.
  Directly-propagating worms can spread with amazing speed.
Directly-propagating worms can be thwarted by firewalls and by installing patches.
  Not by antivirus programs.

Page 91: information security

MALWARE
PAYLOADS
  After propagation, viruses and worms execute their payloads.
  Payloads erase hard disks or send users to harmful sites.
  Often, the payload downloads another program.
    An attack program with such a payload is called a downloader.
  Many downloaded programs are Trojan horses.
  Trojan horses are programs that disguise themselves as system files.
  Spyware Trojans collect sensitive data and send the data they collect to an attacker.
    Website activity trackers
    Keystroke loggers

Page 92: information security

MALWARE
MOBILE CODE
  HTML Webpages can contain scripts.
    Scripts are snippets of code in a simplified programming language that are executed when the Webpage is displayed in a browser.
    A common scripting language is JavaScript.
  Scripts enhance the user experience and may be required to see the Webpage.
  Scripts are called mobile code because they are downloaded with the Webpage.
  Scripts may be damaging if the browser has a vulnerability.
TROJAN HORSE
  A program that hides its malicious nature behind the facade of something useful or interesting
  It is a complete and self-contained program that is designed to perform some malicious actions
  It may contain a mechanism to spread itself

Page 93: information security

TROJAN HORSE ATTACK

Page 94: information security

MALWARE
LOGIC BOMB
  Program or snippet of code that executes when a certain predefined event occurs
  Events could also be based on a certain date (e.g., Christmas) or set of circumstances (certain employee has been sacked)
  It could send a message back to the attacker or launch an attack such as DDoS, or grant access to the victim system at the attacker’s choice of time
HOAX AND SPAM
  Hoaxes usually claim to do things that are impossible for viruses to do – the aim is to create widespread panic
  Spams are annoying, unwanted, unsolicited emails and come in large volume
  Anti-spam and filtering software are used to prevent spams

Page 95: information security

SPAM RATE INCREASE

Source: http://isc.sans.org/diary.html

Page 96: information security

Damages caused by Malicious Software
Possible damages include
  Deletion of files
  Corruption of files
  Cause systems to become unusable
  Over consumption of resources
  Denial of services (DoS)
  Overload a network
  Access and passing on of privileged information
MELISSA: both virus and worm
  The worm part enabled it to travel from system to system.
  The virus part replicated itself on local systems and did the damage.
  DAMAGE: $1.2 billion worldwide.
  Creator-author, David Smith, was sentenced to 20 months in prison and fined $5,000 for releasing it.

Page 97: information security

ATTACKS ON INDIVIDUALS
SOCIAL ENGINEERING
  Social engineering is a network intrusion technique based on trickery.
  Hackers use it to fool someone into revealing access codes, passwords, or other confidential information and break into a system.
  Works best if people don’t know one another and staff turnover is high.
IDENTITY THEFT
  Collecting enough data to impersonate the victim in large financial transactions
  May take a long time to restore the victim’s credit rating
  In corporate identity theft, the attacker impersonates an entire corporation.
    Accept credit cards in the company’s name.
    Commit other crimes in the name of the firm.
    Can seriously harm a company’s reputation.

Page 98: information security

Social Engineering EXAMPLE NTU

Page 99: information security

Social Engineering RESPONSE FROM NTU

Page 100: information security

HUMAN BREAK-INS
Viruses and worms only have a single attack method.
Humans can keep trying different approaches until they succeed.
HACKING
  Informally, hacking is breaking into a computer.
  Formally, hacking is intentionally using a computer resource without authorization or in excess of authorization.
HACKER
  Originally, an expert programmer.
  Today, someone who breaks into computers.
TYPES OF HACKERS
  Elite Hackers
  Script Kiddies
  Script writers

Page 101: information security

HACKER
ELITE HACKERS
  Superior technical skills
  Very persistent
  Often publish their exploits
  Not only have the ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities
SCRIPT WRITERS
  Writing scripts to exploit known vulnerabilities.
  Much more technically competent than script kiddies
SCRIPT KIDDIES
  Hacker in training
  Script kiddies use the scripts written by Elite hackers to make attacks
  Script kiddies have low technical skills
  Script kiddies are dangerous because of their large numbers

Page 102: information security

HACKER

Page 103: information security

WHY DO HACKERS HACK?
GOVERNMENT SPONSORED HACKING
  Cyber Warfare
  Cyber Terrorism
  Espionage
INDUSTRIAL ESPIONAGE
  Attacks on confidentiality
  Public information gathering
  Trade secret espionage
WHITE-HATS/ELITE HACKERS
  Publicize vulnerabilities
  Hacking: Challenge
  Financial gains
SCRIPT KIDDIES – Gain Respect
INSIDERS – Revenge

Page 104: information security

HUMAN BREAK-INS
AVENUES OF ATTACK
There are two general reasons a particular system is attacked:
  It is specifically targeted
  It is a target of opportunity
Equipment may be targeted because of the organization it belongs to or for political reasons.
Targets of opportunity – attacks are conducted against a site that has software vulnerable to a specific exploit. In these instances, the attackers are not targeting the organization; instead they are targeting a vulnerable device that happens to belong to the organization.
Typical Stages in a Human Break-In
  Scanning Phase
  The Break-In
  After the Break-In

Page 105: information security

THE STEPS IN AN ATTACK
STEP 1: Profiling
  Gather information on the target organization
  Check the SEC EDGAR web site (www.sec.gov/edgar.shtml), whois look up, Google
STEP 2: Determine systems available
  Ping sweep with nmap or superscan
STEP 3: Finger printing
  Determine the OS and open ports
  Nmap or superscan, banner grab
STEP 4: Discover applicable exploits
  Search web sites for vulnerabilities and exploits that exist for the OSes and services discovered
STEP 5: Execute exploit
  Systematically execute exploits

Page 106: information security

The scanning phase: Probes and Exploits
First round of probe packets, such as pings, identify active IP addresses and therefore potential victims.

Page 107: information security

PROBES AND EXPLOITS
Second round sends packets to specific ports on identified potential victims to identify applications.
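The two probe rounds described above leave a recognizable pattern in firewall logs. The following is an added detection example, not part of the original slides; the log line format, the thresholds and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log; the line format is an assumption of this example.
SAMPLE_LOG = (
    # One source pings six hosts in six seconds (first round) ...
    [f"2024-05-01T10:00:0{i} SRC=203.0.113.7 DST=192.0.2.{i} PROTO=ICMP TYPE=8"
     for i in range(1, 7)]
    # ... then sends SYNs to five ports on one of those hosts (second round).
    + [f"2024-05-01T10:01:0{i} SRC=203.0.113.7 DST=192.0.2.3 PROTO=TCP DPT={p} FLAGS=SYN"
       for i, p in enumerate([21, 22, 23, 80, 443])]
    # A monitoring host pinging a single address repeatedly: not a sweep.
    + [f"2024-05-01T10:0{i}:30 SRC=198.51.100.20 DST=192.0.2.1 PROTO=ICMP TYPE=8"
       for i in range(6)]
    # Six hosts pinged, but one per hour: outside the time window.
    + [f"2024-05-01T1{i}:00:00 SRC=198.51.100.30 DST=192.0.2.{i} PROTO=ICMP TYPE=8"
       for i in range(1, 7)]
    + ["2024-05-01T10:02:00 SRC=198.51.100.20 DST=192.0.2.3 PROTO=TCP DPT=443 FLAGS=SYN"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)"
    r"(?: TYPE=(?P<type>\d+))?(?: DPT=(?P<dpt>\d+))?(?: FLAGS=(?P<flags>\w+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def _densest(events, window):
    """Return the largest set of distinct keys seen inside any sliding time window."""
    events = sorted(events)
    best, counts, left = set(), defaultdict(int), 0
    for ts, key in events:
        counts[key] += 1
        while ts - events[left][0] > window:  # drop events older than the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) > len(best):
            best = set(counts)
    return best


def detect_scans(lines, min_hosts=5, min_ports=4, window=timedelta(seconds=60)):
    """Flag sources that ping many hosts, or probe many ports on one host, in a short window."""
    pings = defaultdict(list)  # src -> [(ts, dst)]
    syns = defaultdict(list)   # (src, dst) -> [(ts, port)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "ICMP" and rec["type"] == "8":  # echo request
            pings[rec["src"]].append((rec["ts"], rec["dst"]))
        elif rec["proto"] == "TCP" and rec["flags"] == "SYN" and rec["dpt"]:
            syns[(rec["src"], rec["dst"])].append((rec["ts"], int(rec["dpt"])))

    findings = defaultdict(lambda: {"ping_sweep": [], "port_probe": {}})
    for src, events in pings.items():
        hosts = _densest(events, window)
        if len(hosts) >= min_hosts:
            findings[src]["ping_sweep"] = sorted(hosts)
    for (src, dst), events in syns.items():
        ports = _densest(events, window)
        if len(ports) >= min_ports:
            findings[src]["port_probe"][dst] = sorted(ports)
    return dict(findings)


if __name__ == "__main__":
    for src, found in detect_scans(SAMPLE_LOG).items():
        print(src, found)
```

Counting distinct targets inside a time window, rather than total packets, is what keeps the repeated single-host pings of a monitoring system from being reported as a sweep.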

Page 108: information security

HUMAN BREAK-INS
STAGE 2: The Break-In
  Uses an exploit: a tailored attack method that is often a program.
  Normally exploits a vulnerability on the victim computer.
  The act of breaking in is called an exploit.
  The hacker tool is also called an exploit.

Page 109: information security

PROBES AND EXPLOITS
Third round of packets are exploits used in break-ins.

Page 110: information security

HUMAN BREAK-INS
STAGE 3: After the Break-In
1. The hacker downloads a hacker tool kit to automate hacking work.
2. The hacker becomes invisible by deleting log files.
3. The hacker creates a backdoor (way to get back into the computer).
  Backdoor Account: An account with a known password and full privileges.
  Backdoor Program: A program to allow re-entry; usually Trojanized.
The hacker can then do damage at his or her leisure.
  Download a Trojan horse to continue exploiting the computer after the attacker leaves.
  Manually give operating system commands to do damage.

Page 111: information security

INTERNET ATTACKS
COOKIES
  When you access a specific website, it might store information as a cookie
  Every time you revisit that server, the cookie is re-sent to the server
  Effectively used to hold state information over sessions
  Can also hold sensitive information
    This includes passwords, credit card information, social security number, etc.
  Almost every large website uses cookies
  Cookies are stored on your computer and can be controlled
  However, many sites require that you enable cookies in order to use the site
  The expiration is set by the sites' session by default, which is chosen by the server
  This means that cookies will probably stick around for a while

Page 112: information security

INTERNET ATTACKS
COOKIES
  First-party cookie
  Third-party cookie
  Cannot contain a virus or steal personal information stored on a hard drive
  Can pose a privacy risk
ADWARE
  Software that delivers advertising content
  Unexpected and unwanted by the user
  Can be a privacy risk
  Tracking function
POPUP
  Small Web browser window appears over the Web site that is being viewed

Page 113: information security

INTERNET ATTACKS
ATTACKS WHILE SURFING
  Attacks on users can occur while pointing the browser to a site or just viewing a site
REDIRECTING WEB TRAFFIC
  Mistake when typing Web address
  Attackers can exploit a misaddressed Web name by registering the names of similar-sounding Web sites
DRIVE-BY DOWNLOADS
  Can be initiated by simply visiting a Web site
  Spreading at an alarming pace
  Attackers identify well-known Web site
  Inject malicious content
  Zero-pixel IFrame
    Virtually invisible to the naked eye
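A site owner can check served pages for the zero-pixel IFrame mentioned above. The following is an added example, not part of the original slides: a small scanner that flags iframes sized at zero or one pixel and, going slightly beyond the slide, iframes hidden with inline CSS. The sample page, host names and the 1-pixel threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (all hosts are placeholders).
SAMPLE_PAGE = """\
<html><body>
<h1>News</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="http://injected.example.net/landing" width="0" height="0" frameborder="0"></iframe>
<iframe src="/ads/slot1.html" style="width:1px; height:1px"></iframe>
<IFRAME SRC="//tracker.example.net/p" STYLE="visibility:hidden" width="300" height="200"></IFRAME>
<iframe src="https://maps.example.org/m" width="100%" height="400"></iframe>
</body></html>
"""

_DIM_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(px)?\s*$", re.I)


def _pixels(value):
    """Return a pixel count for '0', '0px', '1'; None for '100%' or a missing value."""
    if value is None:
        return None
    m = _DIM_RE.match(value)
    return float(m.group(1)) if m else None


def _style_decls(style):
    """Split an inline style attribute into a {property: value} dict (lowercased)."""
    decls = {}
    for part in (style or "").split(";"):
        if ":" in part:
            prop, val = part.split(":", 1)
            decls[prop.strip().lower()] = val.lower().replace("!important", "").strip()
    return decls


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that a visitor would not see on the rendered page."""

    def __init__(self, page_url, max_px=1):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.max_px = max_px
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        css = _style_decls(a.get("style"))
        reasons = []
        for dim in ("width", "height"):
            # An inline style takes precedence over the width/height attribute.
            px = _pixels(css[dim]) if dim in css else _pixels(a.get(dim))
            if px is not None and px <= self.max_px:
                reasons.append(f"{dim}={px:g}px")
        if css.get("display") == "none":
            reasons.append("display:none")
        if css.get("visibility") == "hidden":
            reasons.append("visibility:hidden")
        if reasons:
            src = a.get("src") or ""
            host = urlparse(src).hostname  # None for relative (same-site) URLs
            self.findings.append({
                "src": src,
                "line": self.getpos()[0],
                "reasons": reasons,
                "cross_origin": host is not None and host != self.page_host,
            })


def find_hidden_iframes(html, page_url):
    """Return one finding per invisible iframe in the given HTML."""
    finder = HiddenIframeFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE, "https://news.example.com/"):
        print(f)
```

A finding that is both invisible and cross-origin deserves the closest look; legitimate one-pixel frames exist, so the output is a review list, not a verdict.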

Page 114: information security

SPYWARE
Software that violates a user’s personal security
  Tracking software that is deployed without adequate notice, consent, or user control
  Spyware creators are motivated by profit
  Very widespread
  Average computer has over 24 pieces of spyware
KEYLOGGER
  Small hardware device or a program
  Monitors each keystroke a user types on the computer’s keyboard
  Transmits keystrokes to remote location
  Attacker searches for useful information in captured text

Page 115: information security

EFFECTS OF SPYWARE

Page 116: information security

PHISHING
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by deceiving users.
Phishing is typically carried out by e-mail spoofing and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
The number of users who respond to phishing attacks is considered to be extremely high and social networking sites are a prime target.
Experiments show a success rate of over 70% for phishing attacks on social networks.
DAMAGE CAUSED BY PHISHING
  It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million.
  In 2007, 3.6 million adults lost US$3.2 billion in phishing attacks.
  In 2009, 45K unique phishing sites were detected monthly.

Page 117: information security

PHISHING
MOST TARGETED SITES
  Financial services (e.g., Citibank)
  Payment services (e.g., PayPal)
  Auctions (e.g., eBay)
  Social networks (e.g., Facebook)

Page 118: information security

PHISHING EXAMPLE

Page 119: information security

PHISHING EXAMPLE

Page 120: information security

CYBER BULLYING
CYBER BULLYING is being cruel to others by sending or posting harmful material using technological means.

Page 121: information security

CYBER BULLYING STATISTICS
  25% of teenagers have experienced repeated bullying.
  52% of young people report being cyber bullied.
  55% of teens who use social media have witnessed outright bullying.
  95% of teens who witnessed bullying on social media have ignored it.
  The most common types of cyber bullying tactics are mean, hurtful comments as well as the spreading of rumors.
  Cyber bullying affects all races and victims are more likely to suffer from low self-esteem and to consider suicide as a result.
SINGAPORE
  1 in 3 had been bullied online, while 1 in 4 surveyed admitted to having bullied their peers.
  A 2012 study by Microsoft showed that Singapore had the second highest rate of cyberbullying globally.
  Online bullying in Singapore was also more prominent than bullying in the real world.
  The highest rates of cyber bullying are reported in China and Singapore (58%), with India closely following on 53%.

Page 122: information security

CYBER BULLYING
Cyber bullying is a crime in Singapore and the punishment is a fine of up to S$5,000 or a jail term not exceeding 12 months.
Tips to Help Stop Cyberbullying
  Don’t respond or retaliate: Sometimes a reaction is exactly what aggressors are looking for because they think it gives them power over you, and you don’t want to empower a bully.
  Save the evidence. Bullying online or on phones can usually be captured, saved, and shown to someone who can help.
  Tell the person to stop.
  Reach out for help.
  Use available tech tools: Most social media apps and services allow you to block the person. You can also report the problem to the service.
  Protect your accounts. Don’t share your passwords with anyone – even your closest friends, who may not be close forever – and password-protect your phone so no one can use it to impersonate you.