CIS2103-Week03-4-CH2_Identify Threats and Vulnerabilities-2.pdf

Transcript

CIS 2103 - Principles of Information Assurance, Security
and Privacy
Chapter 2: Identify Threats and Vulnerabilities (CLO2)

1
 2

Credits and Revision Control

Change description: existing material is revised and updated
Change level: minor

Version Author Effective Date Change Description DRC No

1.0 Unknown NA Define the first version 001

1.1 Dr. Samer Aoudi Fall 2021 (August 2021) Revise the first version 002

1.2 Dr. Abdel-Karim Al-Tamimi Spring 2022 Add examples/animations 003

Revise and Update 004
Dr. Omar Taher Fall 2022 (August 2022)
2.0
3.0 Revise and Update 005
Dr. Waleed Al-Sit Fall 2024(August 2024)

2
 3

Delivery Outline
W1-2: CH1 - Introduce the Foundation of Information Security (CLO1)
W3-4: CH2 - Identify Threats and Vulnerabilities (CLO2)
W5-6: CH3 – Apply Cryptography Basics (CLO3)
W7: CH4 – Discuss Identity and Access Management (CLO3)
W8: CH5 – Identify Software Security Fundamentals (CLO3)
W9: CH6 – Discuss Host and Network Security (CLO3)
W10-11: CH7 - Apply Basics of Information Security Risk Management (CLO4)
W12: CH8 - Apply Basics of Operational Security and Contingency Planning (CLO4)
W13: CH9 – Discuss Legal, Ethical and Privacy related Aspects (CLO1)
W14-15: Project: Research and Poster Competition: 30% (CLO All)
Chapter 2: Identify Threats
and Vulnerabilities (CLO2)
 5

Chapter Learning Objectives

Upon completing this chapter, students will be able to:
Identify categories of threats.
Discuss various types of attacks.
Discuss different types of vulnerabilities.
Introduction to security control and mechanisms.
Activities: The impact of data breaches
 6

Video: Cyber Security - Top 10 Threats – 5 Minutes
https://www.youtube.com/watch?v=dVW1FNWSaTg

Duration 3:00
 7

Video: The Life of a Cyberthreat – 5 Minutes
https://www.youtube.com/watch?v=iF8DBpyR23E

Duration 3:00
 8

Information Security Threats and Attacks

Threat: A potential risk to an asset’s loss of value.
Attack: An intentional or unintentional act that can damage or otherwise
compromise information and the systems that support it.
Exploit: A technique used to compromise a system.
Vulnerability: A potential weakness in an asset or its defensive control
system(s).
Management must be informed about the various threats to an
organization’s people, applications, data, and information systems.
Overall security is improving, but the number of potential hackers is
growing.
 9

Categories of Threats to InfoSec
Threat Category Examples
1. Compromise to Intellectual Property (IP) Piracy (software, music, movies, etc.)
2. Software Attacks Malware (virus, worm, Trojan Horse, ransomware, etc.)
3. Deviations in Quality of Service (QoS) Power outage, ISP connectivity issues, etc.
4. Espionage or Trespass Unauthorized access to premises and/or data
5. Forces of Nature Fire, floods, earthquakes, etc.
6. Human Errors Data entry mistake; accidents; etc.
7. Social Engineering Extortion, blackmail, phishing, etc.
8. Sabotage or Vandalism Destruction or damaging of information assets
9. Theft Stealing information assets
10. Technical Failures (Hardware of Software) Server malfunction (HW); Code bug like buffer overflow (SW)
11. Technological Obsolescence Outdated software (e.g. Adobe Flash, Windows XP, iOS 5.0)
 10

Compromises to Intellectual Property

Intellectual property (IP): creation, ownership, and control of original
ideas as well as the representation of those ideas
IP includes trade secrets, copyrights, trademarks, and patents.
The most common IP breaches involve software piracy.
Two watchdog organizations investigate software abuse:
Software and Information Industry Association (SIIA)
Business Software Alliance (BSA)
According to the BSA, in 2018, approximately 37 percent of software
installed on personal computers globally was not properly licensed.
 11

Software Attacks

Malicious software (malware) is used to overwhelm the processing
capabilities of online systems or to gain access to protected systems via
hidden means.
Software attacks occur when an individual or a group designs and deploys
software to attack a system.
When an attack makes use of malware that is not yet known by the
antimalware software companies, it is said to be a zero-day attack.
 12

Deviations in Quality of Service

An information system depends on the successful operation of many
interdependent support systems.
Internet service, communications, and power irregularities dramatically
affect the availability of information and systems.
Services are usually arranged with a service level agreement (SLA).
 13

Espionage or Trespass (1 of 5)-Competitive Intelligence

Competitive Intelligence Techniques
Definition: Competitive intelligence (CI) involves the ethical and legal collection
and analysis of information about competitors, the industry, and the business
environment to inform strategic decision-making.
Methods:
Publicly Available Information: CI relies on gathering information that is publicly accessible.
This includes financial reports, press releases, industry publications, company websites, patents,
and social media.
Market Analysis: CI includes analyzing market trends, customer preferences, and competitor
products and services.
Surveys and Interviews: Conducting surveys and interviews with customers, suppliers, and other
stakeholders.
Ethical Standards: Practitioners of CI adhere to a code of ethics, such as those outlined by
professional organizations like the Strategic and Competitive Intelligence Professionals (SCIP).
 14

Espionage or Trespass (2 of 5)- Industrial Espionage

Definition: Industrial espionage, also known as corporate or economic
espionage, involves the illegal and unethical acquisition of confidential
information from a competitor or business.
Methods:
Hacking: Unauthorized access to competitors' computer systems to steal proprietary information.
Theft: Physically stealing documents, prototypes, or other property.
Spying: Using covert methods, such as planting spies within a competitor’s organization or using
surveillance techniques.
Deception: Engaging in deceit, such as pretending to be someone else to gain access to restricted
information.
 15

Espionage or Trespass (3 of 5)

Access of protected information by unauthorized individuals
Competitive intelligence techniques are legal, whereas industrial
espionage techniques are not.
Shoulder surfing can occur anywhere a person accesses confidential
information.
Acts of trespass can lead to unauthorized real or virtual actions that
enable information gatherers to enter premises or systems without
permission.
Hackers use skill, guile, or fraud to bypass controls protecting others’
information.
 16

Shoulder Surfing
 17

Espionage or Trespass (4 of 5)

Expert hacker
Develops software scripts and program exploits
Usually a master of many skills
Will often create attack software and share with others
Unskilled hackers
Many more unskilled hackers than expert hackers
Use expertly written software to exploit a system
Do not usually fully understand the systems they hack
Also known as script kiddies or packet monkeys
 18

Espionage or Trespass (5 of 5)

Other terms for system rule breakers:
Cracker: “cracks” or removes software protection designed to prevent
unauthorized duplication.
Phreaker: hacks the public telephone system to make free calls or disrupt
services.
Password attacks
Cracking
Brute force
Dictionary
Rainbow tables
Social engineering
 19

Forces of Nature

Forces of nature can present some of the most dangerous threats.
They disrupt not only individual lives, but also storage, transmission, and
use of information.
Threats include fires, floods, earthquakes, lightning, landslides, tornados,
hurricanes, tsunamis, ESD, dust contamination, solar activity, civil unrest,
and acts of war.
Organizations must implement controls to limit damage and prepare
contingency plans for continued operations.
 20

Human Error or Failure (1 of 2)

Includes acts performed without malicious intent or in ignorance
Causes include:
Inexperience
Improper training
Incorrect assumptions
Employees are among the greatest threats to an organization’s data.
 21

Human Error or Failure (2 of 2)

Employee mistakes can easily lead to:
Revelation of classified data
Entry of erroneous data
Accidental data deletion or modification
Data storage in unprotected areas
Failure to protect information
Many of these threats can be prevented with training, ongoing awareness
activities, and controls.
Social engineering uses social skills to convince people to reveal access
credentials or other valuable information to an attacker.
 22

Sabotage and Vandalism

Sabotage: Cyber sabotage involves deliberate actions taken to damage,
disrupt, or destroy information systems, networks, or data with the intent
to hinder or stop the functioning of an organization, system, or service.

Examples:
A state-sponsored attack that disrupts a country’s power grid.
Malware designed to destroy or disable critical industrial systems (e.g., Stuxnet).
Deleting or corrupting essential data to halt business operations.
 23

Sabotage and Vandalism

Vandalism: Cyber vandalism refers to the willful and malicious
defacement, destruction, or disruption of websites, applications, or data.
The intent is usually to cause damage, spread a message, or demonstrate
hacking skills, without necessarily aiming for strategic disruption.

Examples:
A hacker defaces a corporate website to display offensive messages.
Unauthorized access to a public figure’s social media account to post inappropriate
content.
Deleting or altering content on a blog or news site.
 24

Information Extortion

Also known as cyberextortion
Attacker steals information from a computer system and demands
compensation for its return or nondisclosure
Common in credit card number theft
 25

Sabotage or Vandalism

Threats can range from petty vandalism to organized sabotage.
Web site defacing can erode consumer confidence, diminishing an
organization’s sales, net worth, and reputation.
Threat of hacktivist or cyberactivist operations is rising.
Cyberterrorism/cyberwarfare: a much more sinister form of hacking
 26

Technical Hardware Failures or Errors

They occur when a manufacturer distributes equipment containing a
known or unknown flaw.
They can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability.
Some errors are terminal, while others are intermittent.
Intel Pentium CPU failure is a notable example.
Mean time between failure and annualized failure rates measure
hardware failure rates.
 27

Technological Obsolescence

Antiquated/outdated infrastructure can lead to unreliable and
untrustworthy systems.
Proper managerial planning should prevent technology obsolescence.
 28

Theft

It is the illegal taking of another’s physical, electronic, or intellectual
property.
Physical theft is controlled relatively easily.
Electronic theft is a more complex problem; the evidence of crime is not
readily apparent.
Types of Attacks
 30

Understanding Security Attacks
There are different types of attacks that try to exploit existing vulnerabilities in our systems
Attacks can be categorized by how they are carried out:
Using software (e.g. a virus)
Physically (e.g. breaking into an office and stealing a laptop)
Socially (e.g. tricking someone to give you their password)
Attacks can also be categorized by what they target:
Technological assets (e.g. hacking a server, laptop, router, etc.)
Physical assets (e.g. stealing or damaging a laptop)
People (e.g. social engineering)

Common attacks:
1. Malware Attacks
2. DoS Attacks (DDoS; Mail Bombing)
3. Network Traffic Attacks (Sniffing; Spoofing; MiTM)
4. Social Engineering (Phishing; Smishing)
5. Pharming
6. Misinformation & Disinformation (Scams and Hoaxes)
7. Spam Email
 31

Malware
Malware = Malicious
Software; in other words, code
(scripts, programs) written with
the intent to modify, destroy,
steal, or deny access to computer
systems or information
Malware is a category that
includes Viruses, Worms, Trojan
Horses, Ransomware, active Web
scripts, and other types of code:
Different types of malware are
categorized based on how they
work and what they target
 32

The Most Dangerous Malware Attacks to Date (1 of 2)

Malware Type Year Estimated Number Estimated Financial
of Systems Infected Damage
CIH, a.k.a. Chernobyl Memory-resident virus 1998 Unknown $250 million
Melissa Macro virus 1999 Unknown $300 million to $600
million
ILOVEYOU Virus 2000 10% of Internet $5.5 billion
Klez (and variants) Virus 2001 7.2% of Internet $19.8 billion
Code Red (and CR II) Worm 2001 400,000 servers $2.6 billion
Nimda Multivector worm 2001 Unknown Unknown
Sobig F Worm 2003 1 million $3 billion
SOL Slammer, a.k.a. Worm 2003 75,000 $950 million to $1.2 billion
Sapphire
 33

Categories of Malware
Malware Category Description
1. Virus Virus attaches itself to a file or program. Needs host and human interaction to replicate (e.g. click).
2. Worm Worm replicates and spreads without a host and without human interaction
3. Trojan Horse Trojans disguise themselves as useful programs but include malware
4. Polymorphic Malware Malware (virus, worm, etc.) that constantly changes its identifiable feature. Difficult to detect
5. Backdoor Malware that allows bypassing normal authentication
6. Rootkit Malware that attempts to conceal the existence of malware in the victim host (to avoid detection)
7. Ransomware Malware that holds computers or files for ransom and blackmails the victim to pay money
8. Spyware Malware that collects and sends information from infected computer to attacker
9. Adware Displays advertising popups and banners
10. Logic Bombs Special malware that activates only when certain conditions are met (e.g. on the 9th of July)
11. Botnet A collection of inter-connected devices infected with malware and controlled by a hacker
 34

Trojan vs Virus vs Worm
Trojan Virus Worm

Can replicate itself
Can not replicate itself
Can replicate itself (propagate through the
(locally on the system) network)
Uses social engineering
to spread
Attaches itself to No need to attach itself
Malware that disguises
existing programs to other programs
itself as a good software
(self contained)
 35

Class Activity – Virus, Worm, and Trojan - 10 Minutes

Research the three types of malware and write a paragraph differentiating
between them
How can people protect against malware?
 36

Ransomware

Ransomware is a malware attack on the host system that denies access to
the user and then offers to provide a key to allow access back to the user’s
system and data for a fee.
There are two types of ransomware: lockscreen and encryption.
Common phishing mechanisms to get a user to download ransomware
include pop-ups indicating that illegal information or malware was detected
on the user’s system, threatening to notify law enforcement, or offering to
delete the offending material if the user clicks a link or button.
Ransomware Notification Screen
 38

Denial of Service (DoS) Attacks

Denial of Service (Dos) attacks target the availability of information or
computer systems
Attacker sends large number of requests to a target system which
becomes busy and unable to handle legitimate service requests
Target system may crash or becomes slow
Distributed denial-of-service (DDoS) is a type of DoS where a
coordinated stream of requests is launched against a target from many
locations simultaneously
Mail bombing is a type of DDoS where the attacker routes large quantities
of e-mail to a target
DDoS attacks are often carried out via botnets
 39

Dos vs. DDoS

Attacker Target

Attacker Target
 40

Network Traffic Attacks

In computer networks, information travel via wired or wireless media from one
place to another
Attackers can target network traffic (i.e. packets of data) to gain access or steal
information
Common attacks:
Packet Sniffing is the process of monitoring and collecting data packets that pass
through a computer network
Spoofing is the process of disguising a communication from the hacker as being
from a known, trusted source (e.g. ARP Spoofing)
MiTM (Man-in-The-Middle) attack is when hackers position themselves in the
middle of communication between two nodes (e.g. customer and bank)
An attacker monitors network packets, modifies them, and inserts them back into the
network
They fool one or both thinking it’s the other
 41

IP Spoofing

Original Packet IP Source: 192.168.24.12 IP Destination: 10.0.0.75

Spoofed Packet IP Source: 10.0.0.80 IP Destination: 10.0.0.75

IP Address: 192.168.24.12

10.0.0.80 10.0.0.75 10.0.0.80 10.0.0.75

Attacker modifies Firewall allows packet Target
source IP to spoof the mistaken it for
firewall legitimate traffic
 42

MiTM Attack
MiTM attacker diverts
traffic and tricks both
users

User A thinks they’re User B thinks they’re
communicating with communicating with
User B User A

User A User B
 43
Social Engineering Attacks
What is the easiest way to get someone’s password?

Social Engineering is the art of manipulating people into providing information or a service they
otherwise would never have given
Using social skills, an attacker tries to convince people to reveal access credentials (passwords) or other
valuable information (credit card number; UAE ID; etc.)
Why do people fall for trickery?
Lack of awareness
Human nature to trust
Fear (can lead to information extortion and blackmail)
Greed
Etc.

Common attacks:
Phishing (trickery via email)
Smishing (trickery via SMS)

Countermeasures
Awareness is the best countermeasure
 44

Phishing

Fake email sent to thousands of people with
links to fake websites or malicious code
When victims click the links they either
download the malware and their computers
get infected, or they go to a fake website
where they reveal confidential information
Countermeasures:
Awareness
When not sure, always type the address of
the website (e.g. your bank)
 45

Phishing: Example
 46

Pharming
Pharming is the process of redirecting legitimate Web traffic
(e.g., browser requests) to illegitimate site for the purpose of
obtaining private information
This is a technical attack that requires changing a hosts file on
a victim's computer or exploiting vulnerable DNS servers
Countermeasures (as a user):
Always check the URL (address) of the website you visit
Verify the identity of the website through its digital certificate

www.google.com www.google.com www.evil.com
6.6.6.6 8.8.8.8 6.6.6.6
 47

Other Attacks

Spam is unsolicited commercial e-mail that we receive on a daily basis
from sources we don’t know
Spam is more a nuisance than an attack, though is emerging as a vector for
some attacks
Misinformation is false, inaccurate, or misleading information, regardless
of intent
Disinformation is knowingly spreading misinformation
Misinformation and disinformation allow for Scams and Hoaxes
Countermeasures:
Awareness: Don’t believe everything you read and don’t help spread hoaxes
Fact check information by using reliable sources
 48

Class Activity – UAE Law on Misinformation - 10 Minutes

Visit the UAE MOJ Laws & Regulations website
https://elaws.moj.gov.ae
Search for and find Federal Decree Law No. 5 of 2012
Find Article 29
Read and discuss
 49

Class Activity – Employees Threats - 10 Minutes

Employees are considered among the greatest threats to
organization’s information security.

Do you agree with this statement?
What can organizations do to protect against employees as a threat to
information security?
Types of Vulnerabilities
 51

Types of Vulnerabilities(1 of 3)

Vulnerabilities are weaknesses or flaws in a system that can be exploited by
attackers to gain unauthorized access or cause damage.
Knowing about vulnerabilities helps in protecting systems from potential threats

Software Vulnerabilities
Flaws, bugs, or weaknesses in software code.
Examples:
Buffer Overflow: When a program writes more data to a buffer than it can hold,
leading to crashes or arbitrary code execution.
SQL Injection: Attackers inject malicious SQL code into a database query to
manipulate or access data.
Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages
viewed by other users..
 52

Types of Vulnerabilities(2 of 3)
Hardware Vulnerabilities
Weaknesses in physical components of a computer system.
Examples:
Firmware Exploits: Bugs in firmware that can be exploited for control over hardware.
Side-Channel Attacks: Gaining information from the physical implementation of a
computer system (e.g., Meltdown and Spectre attacks).
Device Theft: Physical theft of devices leading to data breaches.

Network Vulnerabilities
Weaknesses in the design, implementation, or configuration of a network.
Examples:
Man-in-the-Middle (MITM) Attacks: Attackers intercept and potentially alter
communication between two parties.
Denial of Service (DoS) Attacks: Overloading a network with traffic to disrupt
services.
Weak Encryption Protocols: Using outdated or weak encryption can expose data to
interception.
 53

Types of Vulnerabilities (3 of 3)
Human Vulnerabilities
Weaknesses arising from human behavior and actions.
Examples:
Social Engineering: Manipulating individuals into divulging confidential information
(e.g., phishing attacks).
Weak Passwords: Using easily guessable passwords that can be cracked.
Lack of Awareness: Employees not aware of security policies or best practices.
interception.
 54

Security Control and Mechanisms: Control Types
A security control is a safeguard that is employed within an enterprise to protect the CIA of information and can include
the following:

Administrative
Covers personnel security, risk management, training, permissions, etc.
Physical
Limit a person’s physical access to assets or facilities, using locks, doors, fences, etc.
Example: Infrared monitoring system can detect the presence of an intruder.
Technical
Also known as logical controls.
Implemented in computing environments like operating systems, applications, databases, network devices, etc.
Prefer physical or technical controls, as administrative controls require manual enforcement.

User
***

Administrative Physical Technical
54
 55

Summary
Information security performs four important functions to ensure that
information assets remain safe and useful: Protecting the ability to
function; Enabling the safe operation of applications; Protecting data;
Safeguarding technology assets
Threats to information security come in various types and forms. Threats
are not always attacks
There are various types of attacks; some are technical, some are physical,
and others are social
 CIS 2103

800 MyHCT (800 69428) www.hct.ac.ae