INTECH-3100-Lesson-1-Reviewer.pdf

Full Transcript

INTECH 3100 FUNDAMENTALS OF INFORMATION AND NETWORK SECURITY

Introduction to Fundamentals of Information Security

Internet Evolution
- Different ways to handle security as the Internet evolves (Imperva)

Who the adversaries are

Criminal
- Criminals who use critical infrastructure as tools to commit crime
- Their motivation is money

War Fighting/Espionage/Terrorist
- What most people think of when talking about threats to critical infrastructure

Patriotic/Principle
- Large groups of people motivated by a cause, be it national pride or a passion (aka Anonymous)

Script kiddies
- Little real ability, but can cause damage if you're careless

Money makers
- Hack into machines, turn them into spam engines, etc.

Government Intelligence Agencies, AKA Nation State Adversaries

"To Beat A Hacker You Need To Think Like A Hacker"

Types Of Hackers And What They Do
- Black Hat Hacker: an individual who attempts to gain unauthorized entry into a system or network to exploit it for malicious reasons.
- Gray Hat Hacker: exploits networks and computer systems in the way that black hats do, but does so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.
- White Hat Hacker: on the other hand, deemed to be the good guys, working with organizations to strengthen the security of a system.

Joy Hacks
- For fun, with little skill, using known exploits
- Minimal damage, especially on unpatched machines
- Random targets: anyone they can hit
- Most hackers start this way (learning curve)

Opportunistic Hacks
- Skilled (often very skilled); also don't care whom they hit
- Know many different vulnerabilities and techniques
- Profiting is the goal: bank account thefts, botnets, ransomware... (WannaCry? Petya?)
- Most phishers, virus writers, etc.

Targeted Attack
- Have a specific target!
- Research the target and tailor attacks (physical reconnaissance)
- At worst, an insider (behind all your defenses): a not-so-happy employee
- Watch for tools like "spear-phishing"
- May use 0-days

Advanced Persistent Threats (APT)
- Highly skilled (well funded), specific targets, mostly 0-days
- Sometimes (not always) working for a nation-state
- An attack in which an unauthorized user gains access to a system or network and remains there for an extended period of time without being detected.
- Note: many lesser attacks are blamed on APTs

Attack Motivation
- Nation States want SECRETS
- Organized criminals want MONEY
- Protesters or activists want ATTENTION
- Hackers and researchers want KNOWLEDGE

Attack Surface vs Attack Vector
- Attack Surface: represented by all of the points on your network where an adversary can attempt to gain entry to your information systems.
- Attack Vector: the methods that adversaries use to breach or infiltrate your network.

Major Attack Vectors
1. Social Engineering: Phishing
- Manipulating people into performing actions or divulging confidential information.
2. Remote Access
- How: Through open ports or the exploitation of web code, hackers are able to gain unauthorized access to a server.
- Via SQL injection, malware download...
- Poorly configured devices are also easily accessible using the default username/passwords known for each device
- Identifying which particular device is in use is easy via shodan.io!
3. Insider Threats
- How: Criminals are aided by the conscious assistance of an organization's employee(s)
- In some cases, the weak security of an employee's devices is leveraged to launch further attacks from within the network
- Includes any kind of unauthorized or malicious use of organizational resources
- Although most attacks are facilitated by external actors, insiders (with or without privileged access) are playing a key role in data breaches
4. Brute-Force Attacks
- A brute force attack, also known as an exhaustive search, is a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered.
5. Ransomware
- Restricting access to a computer until a ransom is paid
- If no payment is received, the data is deleted or leaked
- Organizations have to choose between paying or losing critical data forever
6. Denial of Service
- A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
7. Access through Intermediaries
- Doesn't require physical access to the target machine(s)
- Leverages the Autorun feature of removable devices and infects other removable devices soon after
- Remember Stuxnet?
- Stuxnet is a malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005
- Jointly built American/Israeli cyberweapon
- Typically introduced to the target environment via an infected USB flash drive

CIA TRIAD
- The CIA triad is a common, respected model that forms the basis for the development of security systems and policies.

Information Security (InfoSec)
- The preservation of confidentiality, integrity and availability of information.

Cyber Security
- Defined as the "preservation of confidentiality, integrity and availability of information in the Cyberspace."

CIA Objectives
- To achieve the CIA objectives, organizations must protect two aspects of their IT environment: application security and data security.

Critical Infrastructure
- The body of systems, networks and assets that are so essential that their continued operation is required to ensure the security of a given nation, its economy, and the public's health and/or safety.
- Information technology is the fundamental sector on which all others depend.

16 Distinct Sectors Of Critical Infrastructure
1. Chemical Sector
2. Commercial Facilities Sector
3. Communications Sector
4. Critical Manufacturing Sector
5. Dams Sector
6. Defense Industrial Base Sector
7. Emergency Services Sector
8. Energy Sector
9. Financial Services Sector
10. Food and Agriculture Sector
11. Government Facilities Sector
12. Healthcare and Public Health Sector
13. Information Technology Sector
14. Nuclear Reactors, Materials, and Waste Sector
15. Transportation Systems Sector
16. Water and Wastewater Systems Sector

Philippines Response to Cyber Security Threats

R.A. 10175
- Cybercrime Prevention Act of 2012
- An act defining cybercrime, providing for the prevention, investigation, suppression and the imposition of penalties therefor and for other purposes

R.A. 10173
- Data Privacy Act of 2012
- An act protecting individual personal information in information and communication systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes.

R.A. 10175 Offenses

1. Offenses against the confidentiality, integrity and availability of computer data and systems.
1.1. Illegal Access
- Access to the whole or any part of a computer system without right
1.2. Illegal Interception
- Interception made by technical means without right
1.3. Data Interference
- Intentional or reckless alteration, damaging, deletion of computer data
1.4. System Interference
- Intentional alteration or reckless interference with the functioning of a computer or computer network
1.5. Misuse of Devices
- Use, production, sale, procurement, importation, distribution, or otherwise making available, without right
1.6. Cyber Squatting
- Acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same

2. Offenses related to the use of a computer.
2.1. Forgery
- Input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic
2.2. Fraud
- Unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent
2.3. Identity Theft
- Intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right.

3. Offenses related to the creation and sharing of content.
3.1. Cybersex
- Willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system
3.2. Child Pornography
- Unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a computer system
3.3. Libel
- Unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as amended, committed through a computer system

Data Privacy vs Right to Privacy

Data Privacy Violation
- A privacy violation is an illegal or unwanted act that endangers the privacy rights of a person and the security of personal data.
- A data privacy violation is an act penalized according to R.A. 10173 Chapter VIII. The complaint can be made through the use of the NPC Complaint-Assisted Form.

1. Unauthorized Processing (3-6 years imprisonment, 500K-4M penalty)
- It is when personal information is processed without the consent of the data subject, or without being authorized using lawful criteria
2. Negligence In Access (1-6 years imprisonment, 500K-4M penalty)
- It is when personal information is made accessible due to negligence and without being authorized by any existing law.
3. Improper Disposal (6 mos-3 years imprisonment, 100K-1M penalty)
- It is when personal information is knowingly or negligently disposed of, discarded, or abandoned in an area accessible to the public, or the personal information of an individual has otherwise been placed in any container for trash collection
4. Unauthorized Purpose (1-7 years imprisonment, 500K-2M penalty)
- It is when personal information is processed for purposes not authorized by the data subject, or otherwise authorized by any existing laws.
5. Unauthorized Access Or Intentional Breach (1-3 years imprisonment, 500K-2M penalty)
- It is when an individual handling personal information knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information are stored.
6. Concealment Of Breach (1-5 years imprisonment, 500K-1M penalty)
- It is when an individual or entity who has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act, intentionally or by omission conceals the fact of such security breach.
7. Malicious Disclosure (1.6-5 years imprisonment, 500K-1M penalty)
- It is when an individual or entity, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her
8. Unauthorized Disclosure (1-5 years imprisonment, 500K-2M penalty)
- It is when an individual or entity discloses to a third party personal information not covered by legitimate purpose, lawful criteria, and without the consent of the data subject.

Identification (answer key)
1. Cyber Squatting – Acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same
2. R.A. 10175 – Cybercrime Prevention Act of 2012. An act defining cybercrime, providing for the prevention, investigation, suppression and the imposition of penalties therefor and for other purposes
3. Cybersex – Willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system
4. Libel – Unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as amended, committed through a computer system
5. Illegal Access – Access to the whole or any part of a computer system without right
6. Illegal Interception – Interception made by technical means without right
7. Data Interference – Intentional or reckless alteration, damaging, deletion of computer data
8. Child Pornography – Unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a computer system
9. Misuse of Devices – Use, production, sale, procurement, importation, distribution, or otherwise making available, without right
10. Computer-Related Forgery – Input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic
11. System Interference – Intentional alteration or reckless interference with the functioning of a computer or computer network
12. Computer-Related Fraud – Unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent
13. Malicious Disclosure – It is when an individual or entity, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her
14. Unauthorized Access or Intentional Breach – It is when an individual handling personal information knowingly and unlawfully, or violating data confidentiality and security data systems, breaks into any system where sensitive personal information are stored.
15. Unauthorized Disclosure – It is when an individual or entity discloses to a third party personal information not covered by legitimate purpose, lawful criteria, and without the consent of the data subject.
16. Concealment of Breach – It is when an individual or entity who has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act, intentionally or by omission conceals the fact of such security breach.
17. Unauthorized Processing – It is when personal information is processed without the consent of the data subject, or without being authorized using lawful criteria
18. Unauthorized Purpose – It is when personal information is processed for purposes not authorized by the data subject, or otherwise authorized by any existing laws.
19. Negligence in Access – It is when personal information is made accessible due to negligence and without being authorized by any existing law.
20. R.A. 10173 – Data Privacy Act of 2012. An act protecting individual personal information in information and communication systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes.

TRUE or FALSE (answer key)
1. T
2. T
3. T
4. T
5. T
6. F
7. F
8. T
9. F
10. F
11. F
12. F
13. T
14. F
15. F

Enumeration (answer key)
1. Chemical Sector
2. Commercial Facilities Sector
3. Communications Sector
4. Critical Manufacturing Sector
5. Dams Sector
6. Defense Industrial Base Sector
7. Emergency Services Sector
8. Energy Sector
9. Financial Services Sector
10. Food and Agriculture Sector
11. Government Facilities Sector
12. Healthcare and Public Health Sector
13. Information Technology Sector
14. Nuclear Reactors, Materials, and Waste Sector
15. Transportation Systems Sector
16. Water and Wastewater Systems Sector
