Cybersecurity Principles (PDF)

College of Computer Science Information Systems Department Cybersecurity principles (111SEC) Introduction ◼ What Is Computer Security? ◼ Vulnerabilities ◼ Threats ◼ Attacks & Harm ◼ Controls (Protection) ◼ Computer security is the protection of all Computer assets (the items you value) or computer system. ◼ Computer systems including hardware, software, and data have value and deserve security protection. Vulnerabilities – Threats – Attacks – and Controls ❑ A vulnerability: is a weakness in the system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm. Threats A threat to a computing system is a set of circumstances that has the potential to cause loss or harm. We can consider potential harm to assets in two ways: - First, we can look at what bad things can happen to assets. - Second, we can look at who or what can cause or allow those bad things to happen. Threats Choosing the threats we try to mitigate involves a process called risk management. Risk management involves choosing which threats to control and what resources to devote to protection. Harms o The negative consequence of an actualized threat is harm. Attackers A human who exploits a vulnerability perpetrates an attack on the system. An attack can also be launched by another system. A malicious attacker must have three things to ensure success: method, opportunity, and motive. Deny any one of these things the attack will fail. Security goals: ✓ Confidentiality: the ability of a system to ensure that an asset is viewed only by authorized parties. ✓ Integrity: the ability of a system to ensure that an asset is modified only by authorized parties. ✓ Availability: the ability of a system to ensure that an asset can be used by any authorized parties. make your computer valuable to you. Confidentiality ✓ Only authorized people or systems can access protected data. Integrity ✓ Only authorized people or systems can Modify protected data. For example, if we say that we have preserved the integrity of an item, we may mean that the item is: precise accurate unmodified modified only in acceptable ways modified only by authorized people modified only by authorized processes consistent & internally consistent meaningful and usable Availability Computer security seeks to prevent unauthorized viewing (confidentiality) or modification (integrity) of data while preserving access (availability). Controls We use a control or a countermeasure as protection to prevent threats from exercising vulnerabilities. A threat can be blocked by controlling of a vulnerability. We can deal with harm in several ways: Prevent it, by blocking the attack or closing the vulnerability. Deter it, by making the attack harder but not impossible. Deflect it, by making another target more attractive. Mitigate it, by making its impact less severe. Detect it, either as it happens or some time after the fact. Recover from its effects. Types of Control: Physicalcontrols: stop or block an attack by using something tangible too. fences – locks – (human) guards – sprinklers - fire extinguishers Procedural or administrative controls use a command or agreement that requires or advises people how to act; – laws, regulations – policies, procedures, guidelines – copyrights, patents – contracts, agreements Technical controls counter threats with technology (hardware or software), including – passwords – program or operating system access controls – network protocols – firewalls, intrusion detection systems – encryption – network traffic flow regulators. countermeasures It canbe effective to use overlapping controls or defense in depth: more than one control or more than one class of control to achieve protection. Attack Lifecycle Case Study #1: Show Me the Money In early January, an attacker manually exploited a Structured Query Language (SQL) injection vulnerability in a web page hosted on the server named WEB1. WEB1 was located in a demilitarized zone (DMZ) belonging to a small business unit. By exploiting a SQL injection vulnerability on WEB1, the attacker was able to execute commands on the backend database system named DB1. Case Study #1: Show Me the Money One week after gaining access to the internal environment, the attacker implanted a backdoor. The backdoor provided the attacker access to the corporate environment without having to rely on SQL injection. The attacker then extracted and cracked the password hash for the local administrator account on intDB1. This provided the attacker local administrative access to most systems in the environment Case Study #1: Show Me the Money In addition to reconnaissance activities, the attacker installed keystroke-logging malware. By mid-February, the attacker had implanted more than 20 backdoors. The primary backdoor family will be referred to as the BKDOOR family. The BKDOOR malware allowed the attacker to modify the binary enough to avoid antivirus detection as needed. This family of malware allowed the attacker full control of the victim system, file upload and download capabilities, the ability to tunnel traffic such as the Remote Desktop Protocol (RDP) into the environment, and the ability to proxy network traffic between backdoors. The BKDOOR malware used the RC4 algorithm to encrypt its command-and-control (C2).A C2 server, is a server typically outside of a victim environment, is controlled by the attacker, and is used to transfer C2 data to and from the attacker’s malware. The BKDOOR malware-maintained persistence through a technique known as “DLL search order hijacking Case Study #1: Show Me the Money The second family of malware was called PROXY, which proxied connections to a specified destination. The attacker first targeted usernames and passwords and then moved to network architecture and other IT- related information. Finally, the attacker targeted information about financial systems and how financial data was handled at the organization Case Study #1: Show Me the Money After identifying the data of interest, the attacker stole the data using two different methods: ❖ The first method the attacker used was to establish an outbound FTP connection to an attacker-controlled system and upload the data to the FTP server. ❖ The second method was to utilize one of the backdoors to transfer the data out of the environment to the backdoor’s C2 server Case Study #1: Show Me the Money By June, the attacker had discovered the jump server (JMPSRV)—a tightly controlled system that is the only one allowed to access sensitive resources—used by system administrators to access the restricted segment of the network that handled all sensitive financial data Case Study #1: Show Me the Money In this case, the data the attacker was interested in was credit and debit card information, also known as Payment Card Industry (PCI) to make fraudulent online purchases. The attacker installed the BKDOOR malware on five seemingly random systems in the financial environment and configured each instance to communicate with the PROXY malware listening on TCP port 88 on JMPSRV. On JMPSRV, the attacker installed the PROXY malware and configured it to proxy inbound connections received on TCP port 88, a common web proxy port, to yet another PROXY instance running on the primary mail exchanger, MAIL. The attacker proxied traffic from JMPSRV to MAIL because MAIL had direct Internet access and JMPSRV did not. Attack Lifecycle Initial compromise Case study #1 The attacker used a SQL injection attack against a vulnerable database server. Attack Lifecycle Establish foothold The attacker ensures remote access to a recently compromised system. Case study #1 The attacker installed backdoor malware on a system in the internal environment. Attack Lifecycle Escalate privileges Case study #1 The attacker used password hash dumping and cracked domain administrator passwords. Attack Lifecycle Internal reconnaissance Case studies #1 : The attackers manually explored the local user directories that commonly store documents Move laterally Case study #1 The attacker used RDP connections, mapping network shares, and interacting with backdoors. Attack Lifecycle Maintain Presence Case study #1 The attacker implanted multiple variants of two main families of backdoors. Each family of backdoor operated differently than the other, so even if all of the variants were found from one of the families of backdoors, the other family likely would not be detected. Attack Lifecycle Complete Mission Case study #1 The attacker stole cardholder data.

Cybersecurity Principles (PDF)

Document Details

Tags

Related

Summary

Full Transcript