18-631_Lecture02.pptx


18-631: INTRODUCTION TO INFORMATION SECURITY
Unit 01: Foundations

LESSONS LEARNED
Security by obscurity eventually fails
  o The strength of a security system lies in its implementation, not in keeping it secret
Recommendations:
  o List all possible failure modes
  o Document strategies that can reduce the likelihood of each failure mode
  o Implementation strategies should be reviewed by many experts
  o Certify personnel before putting them in charge of cryptosystems

CHALLENGES REMAIN
Some organizations now run bug bounty programs
  o Encourage the public to find flaws in the organization’s systems
  o Encourage responsible disclosure of discovered flaws
However, a lot of potentially buggy code remains proprietary (e.g. macOS, Windows)
  o Open source, while not perfect (see CVE-2021-44228 – Apache Log4j bug), is still subject to more scrutiny
Many breaches still go unreported
  o When reported, discovery still mostly comes from external notification

INTERNAL THREATS
Bank technicians could tamper with ATMs to record PINs and account numbers
  o Enabled creation of counterfeit cards (still a problem today!)
U.K. banks issued a second ATM card to tellers
  o Enabled tellers to withdraw cash from customer accounts
Senior managers could override security controls designed to provide accountability
  o Resulted in 10x increase in losses
Lack of reporting, by customers or bank managers, exacerbated the problem

EXTERNAL THREATS
Printing of full account numbers on ATM receipts
  o Shoulder-surfers picked up discarded receipts after observing PIN entry
Replay attacks due to improper message authentication
  o Lack of encryption enabled interception of responses
  o Captured responses could be replayed since they were not time-bound
Postal interception of ATM cards and PINs
  o Why send both together?
Test transactions (that spit out money) not removed in production

1. External Threats
Hackers: Individuals or groups with malicious intent who exploit vulnerabilities to gain unauthorized access to systems.
Malware: Malicious software, such as viruses, worms, Trojans, and ransomware, designed to infiltrate and compromise systems.
Social Engineering: Deceptive tactics used to trick individuals into revealing sensitive information or clicking on malicious links.

1. Virus
A virus is a type of malware that attaches itself to a legitimate program or file and spreads from one computer to another. It can replicate itself and spread to other files or programs on the same system, often causing damage or performing malicious actions, such as corrupting data or consuming system resources.
2. Worm
A worm is a self-replicating malware that spreads across networks without the need for a host program. Unlike viruses, worms can spread independently and usually exploit vulnerabilities in operating systems or network services to propagate, often leading to widespread damage.
3. Trojan Horse (Trojan)
A Trojan is a type of malware that disguises itself as legitimate software or is hidden within a legitimate program. Once activated, it can perform malicious actions such as stealing data, installing additional malware, or providing unauthorized access to the attacker.
4. Ransomware
Ransomware is a type of malware that encrypts the victim's data and demands a ransom payment in exchange for the decryption key. The attacker typically threatens to publish or delete the victim's data if the ransom is not paid.
5. Spyware
Spyware is malware that secretly monitors and collects information about a user's activities without their knowledge. It can track keystrokes, capture screenshots, or gather data such as
6. Adware
Adware is malware that automatically displays or downloads unwanted advertisements on a user's device.
While not always harmful, adware can be intrusive and can lead to more dangerous types of malware if clicked on.
7. Rootkit
A rootkit is a type of malware designed to gain unauthorized access to a computer and maintain control over it without being detected. Rootkits can hide their presence and the presence of other malware, making them particularly dangerous and difficult to remove.
8. Keylogger
A keylogger is a type of spyware that records every keystroke made on a computer or mobile device. It is used by attackers to capture sensitive information, such as passwords, credit card numbers, and other personal data.
9. Backdoor
A backdoor is a type of malware that creates a secret pathway into a system, allowing attackers to bypass normal authentication processes. Backdoors enable unauthorized access to the system and can be used to install additional malware or steal data.
10. Botnet
A botnet is a network of infected computers (bots) that are controlled remotely by an attacker. These infected computers can be used to launch coordinated attacks, such as Distributed Denial of Service (DDoS) attacks, or to distribute spam and other malware.
11. Rogue Security Software
12. Scareware
Scareware is a type of malware that uses social engineering tactics to frighten users into believing their computer is infected with a virus or other threat. It then prompts the user to pay for unnecessary or fake software to "resolve" the issue.
13. RAT (Remote Access Trojan)
A RAT is a type of malware that provides attackers with remote access to a victim's computer. Once installed, the attacker can control the system, access files, monitor user activity, and even activate the webcam or microphone.
14. Zero-Day Exploit
A zero-day exploit refers to an attack that takes advantage of a previously unknown vulnerability in software or hardware.
Since the vulnerability is not yet known to the software vendor, there is no patch or fix available at the time of the attack.
15. Malvertising
Malvertising involves injecting malicious advertisements into legitimate online advertising networks and webpages. When users click on these ads, they may be redirected to malicious websites or have malware automatically downloaded onto their systems.
16. Logic Bomb
A logic bomb is a piece of code intentionally inserted into software that triggers a malicious action when certain conditions are met, such as a specific date or the deletion of a file. Logic

2. Inside Threats
Malicious Insiders: Individuals within an organization who misuse their access privileges to steal data or disrupt operations.
Negligent Insiders: Employees who inadvertently cause security breaches due to careless actions or lack of awareness.
Accidental: Unintentional actions or errors by individuals within an organization that could lead to security vulnerabilities or breaches.

3. Supply Chain Attacks
Third-Party Vendors: Attackers exploit vulnerabilities in products or services provided by third-party vendors to compromise the target organization's systems.
Software Supply Chain: Attacking software updates or components distributed to users, potentially infecting a large number of systems.

4. Distributed Denial of Service (DDoS)
Attackers flood a system or network with a massive volume of traffic, overwhelming its resources and causing disruption.

5. Advanced Persistent Threat (APT)
Long-term, sophisticated attacks conducted by well-funded adversaries with specific targets, often using multiple attack vectors and exploiting zero-day vulnerabilities.

6. Zero-Day Attack
Zero-Day Vulnerabilities: Exploiting previously unknown vulnerabilities in software or systems before vendors release patches.

7. Ransomware Attacks
Malicious software that encrypts a victim's data and demands a ransom payment in exchange for the decryption key.
A quick LAB?

8. Social Engineering
What is it? Variants? A quick LAB
READ MORE ATTACKS HERE: top-50-cybersecurity-threats.pdf (splunk.com)
In a social engineering attack, an intruder attempts to obtain sensitive information from users by means of their social and psychological skills. They attempt to manipulate individuals into divulging confidential information such as passwords. This kind of attack can best be restricted and addressed by educating users through frequent security awareness training.

9. Other system attacks
Alteration attack: In this type of attack, the data or code is altered or modified without authorization. Cryptographic code is used to prevent alteration attacks.
Botnets: Botnets are compromised computers, also known as zombie computers. They are primarily used to run malicious software for DDoS attacks, adware, or spam.
Buffer overflow: A buffer overflow, or buffer overrun, is a common software coding mistake that an attacker could exploit in order to gain access to the system. This error occurs when there is more data in a buffer than it can handle, causing the data to overflow into adjacent storage. Due to this, an attacker gets an opportunity to manipulate the coding errors for malicious actions. A major cause of buffer overflow is poor programming and coding practices.
Dumpster diving: Dumpster diving is a technique for retrieving sensitive information from the trash or a garbage bin. Organizations should take the utmost care and avoid disposing of sensitive documents and other information in the garbage.
War dialing: War dialing is a technique in which tools are used to automatically scan a list of telephone numbers to determine the details of computers, modems, and other machines.
War driving: War driving is a technique for locating and getting access to wireless networks with the aid of specialized tools. An intruder drives or walks around the building while equipped with specialized tools to identify unsecured networks. The same technique is used by IS auditors to identify unsecured networks and thereby test the wireless security of an organization.
Eavesdropping: Eavesdropping is a process in which an intruder gathers the information flowing through the network via unauthorized methods. Using a variety of tools and techniques, sensitive information, including email addresses, passwords, and even keystrokes can be captured by intruders.
Email attacks and techniques
  o Email bombing: In this technique, abusers repeatedly send an identical email to a particular address.
  o Email spamming: In this attack, unsolicited emails are sent to thousands of users.
  o Email spoofing: In this attack, the email appears to originate from some other source and not the actual source. This is often an attempt to trick the user into disclosing sensitive information.
Juice jacking: In this type of attack, data is copied from a device attached to a charging port (mostly available at public places). Here, charging points also act as data connections. This type of attack is also used to insert malware in the attached devices.
Man-in-the-middle attack: In this attack, the attacker interferes while two devices are establishing a connection. Alternatively, the attacker actively establishes a connection between two devices and pretends to each of them to be the other device.
In case any device asks for authentication, it sends a request to the other device and the response is then sent to the first device. Once a connection is established, the attacker can communicate and obtain information as desired.
Masquerading: In this type of attack, an intruder hides their original identity, acting as someone else. This is done in order to access systems or data that are restricted. Impersonation can be implemented by both people and machines.
IP spoofing: In IP spoofing, a forged IP address is used to break a firewall. IP spoofing can be regarded as the masquerading of a machine.
Packet replay: In this type of attack, an intruder captures the data packet as data moves along the vulnerable network.
Pharming: In this type of attack, website traffic is redirected to a bogus website. This is done by exploiting vulnerabilities in DNS servers. Pharming is a major concern for e-commerce websites and online banking websites.
Piggybacking: In this type of attack, an intruder follows an authorized person through a secure door and so is able to enter a restricted area without authentication. Piggybacking is regarded as a physical security vulnerability.
Shoulder surfing: In a shoulder surfing attack, an intruder or a camera captures the sensitive information by looking over the shoulder of the user entering the details on the computer screen. Passwords entered on the computer screen should be masked to prevent shoulder surfing attacks.

ATM SKIMMERS
Source: https://krebsonsecurity.com/all-about-skimmers/

LECTURE 02: Attacking Trees

ATTACK TREES
The term “security” doesn’t have meaning unless you also know things like “Secure from whom?” or “Secure for how long?” Clearly, what we need is a way to model threats against computer systems. If we can understand all the different ways in which a system can be attacked, we can likely design countermeasures to thwart those attacks.
And if we can understand who the attackers are—not to mention their abilities, motivations, and goals—maybe we can install the proper countermeasures to deal with the real threats.

ATTACK TREES
Proposed by Bruce Schneier back in 1999
  o https://www.schneier.com/academic/archives/1999/12/attack_trees.html
Provide a formal + visual way of describing the security of a system, based on varying attacks
Usually represented with a tree structure
  o Goal represented by the root node
  o Different attack possibilities represented by leaf nodes
Nodes not explicitly labeled as AND nodes are considered OR nodes

BREAKING A SAFE
Possible Attacks
Cost of Attack
Capability
Less than $100,000

Building and Analysing an Attack Tree
Binomial Distribution: Suitable for modelling the number of attacks in a fixed period.
Poisson Distribution: Useful for modelling the number of incidents over time, especially for rare events.
Normal Distribution: Can be used for modelling the severity or impact of an attack.
Example: For a bank, use a Poisson distribution to model the number of phishing attempts per month and a Normal distribution to model the financial loss per successful attack.

Building and Analysing an Attack Tree: Exercise
Cyber Attack Simulation Using Attack Trees
A Python program to simulate a custom probability distribution related to cyber attacks in a hospital or a bank using attack trees.
Given a set of random variables related to different types of attacks and their probabilities, simulate and visualize the combined risk distribution. Example: phishing, ransomware, and insider threats.
Define the probability distribution for each attack type (e.g., Binomial for the likelihood of an attack occurring, Poisson for the number of incidents over time, and Normal for the impact severity).

Define Attack Types and Distributions
1. Phishing Attacks
   Distribution: Poisson
   Parameters: Mean number of phishing attempts per month (e.g., λ = 5)
2. DDoS Attacks
   Distribution: Binomial
   Parameters: Number of trials (e.g., 12 months), probability of an attack each month (e.g., p = 0.1)
3. Fraud Impact
   Distribution: Normal
   Parameters: Mean financial loss (e.g., $10,000), standard deviation (e.g., $2,000)

Building and Analysing an Attack Tree: Hospital
Demonstrate how to build an attack tree with nodes representing different attack steps and branches representing attack paths.
Example: For a hospital, build an attack tree for ransomware that includes initial phishing emails, compromised credentials, and encryption of hospital data.

Phishing Attack Trees: HOSPITAL CASE
Phishing Attack
├── Email Phishing
│   ├── Fake Login Page
│   ├── Malicious Link
│   └── Attachment with Malware
├── Spear Phishing
│   ├── Targeted Email (e.g., healthcare staff)
│   └── Social Engineering (e.g., impersonating a senior doctor)
└── Whaling
    ├── High-Profile Targets (e.g., hospital administrators)
    └── Business Email Compromise (e.g., altering financial transactions)

Ransomware Attack Trees: HOSPITAL CASE
Ransomware Attack
├── Initial Infection
│   ├── Email Attachment (e.g., malicious PDF)
│   ├── Drive-by Download (e.g., infected hospital website)
│   └── Exploiting Vulnerabilities (e.g., outdated software)
├── Encryption of Files
│   ├── Patient Records
│   ├── Administrative Files
│   └── Medical Imaging Data
└── Ransom Demand
    ├── Payment Instructions (e.g., cryptocurrency)
    └── Negotiation with Attackers (e.g., ransom reduction)

Ransomware Attack Trees: HOSPITAL CASE
Insider Threat
├── Malicious Insiders
│   ├── Data Theft (e.g., patient records)
│   ├── Sabotage (e.g., altering medical records)
│   └── Unauthorized Access (e.g., accessing restricted areas)
└── Negligent Insiders
    ├── Poor Security Practices (e.g., weak passwords)
    └── Accidental Data Exposure (e.g., misaddressed emails)

SUMMARY
Security is about ensuring a system works as intended in the face of potential adversaries
Security can be achieved by a combination of legal, social, economic, or technological means
No security by obscurity!
  o Kerckhoffs's principle: “a cryptosystem should be secure even if everything about the system, except the key, is public knowledge”
Leverage inspiration from safety-critical systems

SUMMARY
Embrace openness, public review, proper training and certifications
Design for defense as well as recovery
Attack trees: a practical way of listing as many vulnerabilities of your system as possible
  o Understand the system and attacks
  o Benefit from incremental improvements (feedback)
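
Added example (not part of the lecture slides): evaluating an attack tree with the AND/OR rule from the ATTACK TREES slide and the "Less than $100,000" cut-off, using the first two stages of the hospital ransomware tree. The dollar costs, the choice of AND for the root, and the names Node, leaf, scenarios and feasible are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    name: str
    kind: str = "OR"      # "OR" unless explicitly labeled "AND"; "LEAF" for attacks
    cost: int = 0         # attacker cost in $, used by leaves only
    children: list = field(default_factory=list)

def leaf(name, cost):
    return Node(name, "LEAF", cost)

def scenarios(node):
    """Every way to reach `node`, as (total cost, [leaf names])."""
    if node.kind == "LEAF":
        return [(node.cost, [node.name])]
    per_child = [scenarios(child) for child in node.children]
    if node.kind == "AND":    # all children needed: combine one option from each
        return [(sum(c for c, _ in combo), [n for _, names in combo for n in names])
                for combo in product(*per_child)]
    return [s for options in per_child for s in options]   # OR: any one child

def feasible(root, budget, mitigated=()):
    """Scenarios costing less than `budget` that avoid every mitigated leaf."""
    return sorted((s for s in scenarios(root)
                   if s[0] < budget and not set(s[1]) & set(mitigated)),
                  key=lambda s: s[0])

# Ransomware tree from the hospital slide (first two stages); costs are constructed.
TREE = Node("Ransomware Attack", "AND", children=[
    Node("Initial Infection", children=[
        leaf("Email Attachment", 500),
        leaf("Drive-by Download", 20_000),
        leaf("Exploiting Vulnerabilities", 120_000)]),
    Node("Encryption of Files", children=[
        leaf("Patient Records", 1_000),
        leaf("Administrative Files", 2_000),
        leaf("Medical Imaging Data", 5_000)]),
])

if __name__ == "__main__":
    for blocked in [(), ("Email Attachment",), ("Email Attachment", "Drive-by Download")]:
        left = feasible(TREE, 100_000, blocked)
        cheapest = left[0] if left else None
        print(f"mitigated={blocked}: {len(left)} under $100,000, cheapest={cheapest}")
```

Each mitigated leaf stands for a countermeasure that closes that branch; the output shows how the cheapest remaining attack gets more expensive as the low-cost branches are closed.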
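
Added example (not part of the lecture slides): one way to approach the simulation exercise with the distributions and parameters from the "Define Attack Types and Distributions" slide, using only the Python standard library and reporting summary statistics instead of a plot. The 5% phishing success rate and the function names are assumptions; the slides do not give them.

```python
import math
import random
import statistics

# Parameters taken from the exercise slide.
PHISHING_LAMBDA = 5                  # Poisson: mean phishing attempts per month
DDOS_TRIALS, DDOS_P = 12, 0.1        # Binomial: months, P(attack in a month)
LOSS_MEAN, LOSS_SD = 10_000, 2_000   # Normal: loss per successful fraud ($)
# Assumption (not on the slides): share of phishing attempts that succeed.
PHISHING_SUCCESS_P = 0.05

def poisson(rng, lam):
    """Knuth's multiplication method; adequate for small lambda."""
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k

def binomial(rng, n, p):
    return sum(rng.random() < p for _ in range(n))

def simulate_year(rng):
    """Return (fraud loss in $, months with a DDoS attack) for one simulated year."""
    loss = 0.0
    for _ in range(12):
        attempts = poisson(rng, PHISHING_LAMBDA)
        successes = binomial(rng, attempts, PHISHING_SUCCESS_P)
        # Clamp at zero: a Normal draw can be negative, a loss cannot.
        loss += sum(max(0.0, rng.gauss(LOSS_MEAN, LOSS_SD)) for _ in range(successes))
    return loss, binomial(rng, DDOS_TRIALS, DDOS_P)

def simulate(runs=5000, seed=1):
    """Monte Carlo estimate of the combined annual risk distribution."""
    rng = random.Random(seed)
    years = [simulate_year(rng) for _ in range(runs)]
    losses = sorted(loss for loss, _ in years)
    return {
        "mean_loss": statistics.fmean(losses),
        "p95_loss": losses[int(0.95 * runs)],
        "p_no_loss": sum(loss == 0 for loss in losses) / runs,
        "mean_ddos_months": statistics.fmean(d for _, d in years),
    }

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>18}: {value:,.2f}")
```

With these parameters the expected annual fraud loss is 12 × 5 × 0.05 × $10,000 = $30,000, which the simulated mean should approach as the number of runs grows.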
