INTECH-3100-Lesson-1-Reviewer.pdf

Transcript

INTECH 3100 Criminal
FUNDAMENTALS OF INFORMATION AND - Criminal who use critical infrastructure
NETWORK SECURITY as a tools to commit crime
- Their motivation is money
Introduction to Fundamentals of War Fighting/Espionage/Terrorist
Information Security - What most people think of when
talking about threats to critical
Internet Evolution infrastructure
Patriotic/Principle
- Large groups of people motivated by
cause - be it national pride or a
passion aka Anonymous
Different ways to handle security as the Script kiddies
Internet evolves - little real ability, but can cause
damage if you're careless
Imperva Money makers
- Hack into machines, turn them into
spam engines, etc.
Government Intelligence Agencies,
AKA Nation State Adversaries

Joy Hacks
For fun
- with little skill using known exploits
Minimal damage
“To Beat A Hacker You Need To Think Like A - especially unpatched machines
Hacker” Random targets
Types Of Hackers And What They Do - anyone they can hit
Black Hat Hacker is an individual who Most hackers start this way
attempts to gain unauthorized entry into a - learning curve
system or network to exploit them for
malicious reasons. Opportunistic Hacks
Gray Hat Hacker exploit networks and Skilled (often very skilled) - also
computer systems in the way that black don't care whom they hit
hats do, but do so without any malicious - Know many different vulnerabilities
intent, disclosing all loopholes and and techniques
vulnerabilities to law enforcement Profiting is the goal - bank account
agencies or intelligence agencies. thefts, botnets, ransomwares....
White Hat Hacker, on the other hand, - WannaCry? Petya?
are deemed to be the good guys, working Most phishers, virus writers, etc.
with organizations to strengthen the
security of a system. Targeted Attack
Have a specific target!
Attack Motivation Research the target and tailor attacks
Nation States want SECRETS - physical reconnaissance
Organized criminals want MONEY At worst, an insider (behind all your
Protesters or activists want ATTENTION defenses)
Hackers and researchers want - Not-so happy employee
KNOWLEDGE Watch for tools like "spear-phishing"
May use 0-days
Advanced Persistent Threats (APT) launch further attacks from within the
Highly skilled (well funded) - specific network
targets – Mostly 0-days - Includes any kind of unauthorized or
Sometimes (not always) working for a malicious use of organizational
nation-state resources
An attack in which an unauthorized user - Although most of the attacks are
gains access to a system or network and facilitated by external actors, insiders
remains there for an extended period of (with or without privileged access) are
time without being detected. playing a key role in data breaches
Note: many lesser attacks blamed on APTs
4. Brute-Force Attacks
Attack Surface vs Attack Vector - A brute force attack, also known as an
Attack Surface represented by all of the exhaustive search, is a cryptographic
points on your network where an hack that relies on guessing possible
adversary can attempt to gain entry to combinations of a targeted password
your information systems. until the correct password is
discovered.

5. Ransomware
- Restricting access to a computer until a
ransom is paid
- If no payment is received, the data is
deleted or leaked
Attack Vector are the methods that - Organizations have to chose between
adversaries use to breach or infiltrate your paying or losing critical data forever
network.
6. Denial of Service
Major Attack Vectors - A distributed denial-of-service (DDoS)
1. Social Engineering: Phishing attack is a malicious attempt to disrupt
- Manipulating people into performing the normal traffic of a targeted server,
actions or divulging confidential service or network by overwhelming the
information. target or its surrounding infrastructure
with a flood of Internet traffic.
2. Remote Access
- How: Through open ports or the 7. Access through Intermediaries
exploitation of web code, hackers are - Doesn't require physical access to
able to gain unauthorized access to a target machine(s)
server. - Leverages on Autorun feature of
- Via SQL injection, malware download... removable devices and infects other
- Poorly configured devices are also removable devices soon-after
easily accessible using default - Remember Stuxnet?
username/passwords known to each - STUXnet is a malicious computer
device worm, first uncovered in 2010, thought
- Identifying which particular device is to have been in development since at
easy via shodan.io least 2005 !
- jointly built American/Israeli
3. Insider Threats cyberweapon
- How: Criminals are aided by the - typically introduced to the target
conscious assistance of an environment via an infected USB flash
organization's employee(s) drive
- In some cases, weak security of an
employee's devices is leveraged to
CIA TRIAD 16 Distinct Sectors Of Critical
- The CIA triad is a common, respected Infrastructure
model that forms the basis for the 1. Chemical Sector
development of security systems and 2. Commercial Facilities Sector
policies. 3. Communications Sector
4. Critical Manufacturing Sector
5. Dams Sector
6. Defense Industrial Base Sector
7. Emergency Services Sector
8. Energy Sector
9. Financial Services Sector
10. Food and Agriculture Sector
11. Government Facilities Sector
12. Healthcare and Public Health Sector
13. Information Technology Sector
Information Security (InfoSec) 14. Nuclear Reactors, Materials, and Waste Sector
- is preservation of confidentiality, integrity 15. Transportation Systems Sector
and availability of information. 16. Water and Wastewater Systems Sector
Cyber Security
- Defined as the “preservation of
confidentiality, integrity and availability of
information in the Cyberspace.”

Philippines Response to Cyber Security
Threats
CIA Objectives R.A. 10175
- To achieve the CIA objectives - Cybercrime Prevention Act of 2012
organizations must protect two aspects or - An act defining cybercrime, providing
their IT environment: application for the prevention, investigation,
security and data security. suppression and the imposition of
penalties therefore and for other
Critical Infrastructure purposes
- is the body of systems, networks and
assets that are so essential that their R.A. 10173
continued operation is required to ensure - Data Privacy Act of 2012
the security of a given nation, its economy, - An act protecting individual personal
and the public’s health and/or safety. information in information and
communication systems in the
government and the private sector,
creating for this purpose a National
Privacy Commission, and for other
purposes.

- Information technology is the fundamental
sector on which all others depend.
R.A. 10175 3. It is offense related to creation and
1. It is offense against the confidentiality, sharing of content.
integrity and availability of computer data 3.1 Cybersex
and systems. - Willful engagement, maintenance,
1.1. Illegal Access control, or operation, directly or
- Access to the whole or any part of a indirectly. of any lascivious exhibition
computer system without right of sexual organs or sexual activity,
1.2. Illegal Interception with the aid of a computer system
- Interception made by technical 3.2 Child Pornography
means without right - Unlawful or prohibited acts defined
1.3. Data Interference and punishable by Republic Act No.
- Intentional or reckless alteration, 9775 or the Anti-Child Pornography
damaging, deletion of computer data Act of 2009, committed through a
1.4. System Interference computer system
- Intentional alteration or reckless 3.3 Libel
interference with the functioning of a - Unlawful or prohibited acts of libel as
computer or computer network defined in Article 355 of the Revised
1.5. Misuse of Devices Penal Code, as amended, committed
- Use, production, sale, procurement, through a computer system
importation, distribution, or
otherwise making available, without Data Privacy vs Right to Privacy
right Data Privacy Violation
1.6. Cyber Squatting - Privacy violation is illegal or unwanted act
- Acquisition of a domain name over that endangers the privacy rights of a
the internet in bad faith to profit, person and security of personal data.
mislead, destroy reputation, and - Data privacy violation is penalized act
deprive others from registering the according to R.A. 10173 Chapter VIII.
same The complaint can be made through the
use of NPC Complaint-Assisted Form.
2. It is offense related with the use of
computer. 1. Unauthorized Processing
2.1. Forgery 3-6 years imprisonment 500K-4M penalty
- Input, alteration, or deletion of any - It is when personal information is
computer data without right resulting processed without the consent of the
in inauthentic data with the intent data subject, or without being
that it be considered or acted upon authorized using lawful criteria
for legal purposes as if it were 2. Negligence In Access
authentic 1-6 years imprisonment 500K-4M penalty
2.2. Fraud - It is when personal information is
- Unauthorized input, alteration, or made accessible due to negligence
deletion of computer data or and without being authorized by any
program or interference in the existing law.
functioning of a computer system, 3. Improper Disposal
causing damage thereby with 6 mos-3 years imprisonment 100K-1M penalty
fraudulent intent - It is when personal information is
2.3. Identity Theft knowingly or negligently disposed,
- Intentional acquisition, use, misuse, discard, or abandon in an area
transfer, possession, alteration or accessible to the public or has
deletion of identifying information otherwise placed the personal
belonging to another, whether information of an individual in any
natural or juridical, without right. container for trash collection
4. Unauthorized Purpose
1-7 years imprisonment 500K-2M penalty
- It is when personal information is
processed for purposes not authorized
by the data subject, or otherwise
authorized by any existing laws.
5. Unauthorized Access Or Intentional
Breach
1-3 years imprisonment 500K-2M penalty
- It is when an individual handling
personal information knowingly and
unlawfully, or violating data
confidentiality and security data
systems, breaks in any way into any
system where personal and sensitive
personal information are stored.
6. Concealment Of Breach
1-5 years imprisonment 500K-1M penalty
- It is when an individual or entity who
has knowledge of a security breach
and of the obligation to notify the
Commission pursuant to Section 20(f)
of the Act, intentionally or by omission
conceals the fact of such security
breach.
7. Malicious Disclosure
1-65years imprisonment 500K-1M penalty
- It is when an individual or entity with
malice or in bad faith, discloses
unwarranted or false information
relative to any personal information or
sensitive personal information
obtained by him or her
8. Unauthorized Disclosure
1-5 years imprisonment 500K-2M penalty
- It is when an individual or entity
discloses to third party personal
information not covered by legitimate
purpose, lawful criteria, and without
the consent of the data subject.
Identification
1. Cyber Squatting – Acquisition of a domain name over the internet in bad faith to profit,
mislead, destroy reputation, and deprive others from registering the same
2. R.A. 10175 – Cybercrime Prevention Act of 2012. An act defining cybercrime, providing for
the prevention, investigation, suppression and the imposition of penalties therefore and for
other purposes
3. Cybersex – Willful engagement, maintenance, control, or operation, directly or indirectly. of
any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system
4. Libel – Unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code,
as amended, committed through a computer system
5. Illegal Access – Access to the whole or any part of a computer system without right
6. Illegal Interception – Interception made by technical means without right
7. Data Interference – Intentional or reckless alteration, damaging, deletion of computer data
8. Child Pornography – Unlawful or prohibited acts defined and punishable by Republic Act No.
9775 or the Anti-Child Pornography Act of 2009, committed through a computer system
9. Misuse of Devices – Use, production, sale, procurement, importation, distribution, or
otherwise making available, without right
10. Computer-Related Forgery – Input, alteration, or deletion of any computer data without
right resulting in inauthentic data with the intent that it be considered or acted upon for legal
purposes as if it were authentic
11. System Interference – Intentional alteration or reckless interference with the functioning of
a computer or computer network
12. Computer-Related Fraud – Unauthorized input, alteration, or deletion of computer data or
program or interference in the functioning of a computer system, causing damage thereby
with fraudulent intent
13. Malicious Disclosure – It is when an individual or entity with malice or in bad faith, discloses
unwarranted or false information relative to any personal information or sensitive personal
information obtained by him or her
14. Unauthorized Access or Intentional Breach – It is when an individual handling personal
information knowingly and unlawfully, or violating data confidentiality and security data
systems, breaks in into any system where sensitive personal information are stored.
15. Unauthorized Disclosure – It is when an individual or entity discloses to third party personal
information not covered by legitimate purpose, lawful criteria, and without the consent of the
data subject.
16. Concealment of Breach – It is when an individual or entity who has knowledge of a security
breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act,
intentionally or by omission conceals the fact of such security breach.
17. Unauthorized Processing – It is when personal information is processed without the
consent of the data subject, or without being authorized using lawful criteria
18. Unauthorized Purpose – It is when personal information is processed for purposes not
authorized by the data subject, or otherwise authorized by any existing laws.
19. Negligence in Access – It is when personal information is made accessible due to negligence
and without being authorized by any existing law.
20. R.A. 10173 – Data Privacy Act of 2012. An act protecting individual personal information in
information and communication systems in the government and the private sector, creating
for this purpose a National Privacy Commission, and for other purposes.

TRUE or FALSE
1. T 6. F 11. F
2. T 7. F 12. F
3. T 8. T 13. T
4. T 9. F 14. F
5. T 10. F 15. F
Enumeration
1. Chemical Sector
2. Commercial Facilities Sector
3. Communications Sector
4. Critical Manufacturing Sector
5. Dams Sector
6. Defense Industrial Base Sector
7. Emergency Services Sector
8. Energy Sector
9. Financial Services Sector
10. Food and Agriculture Sector
11. Government Facilities Sector
12. Healthcare and Public Health Sector
13. Information Technology Sector
14. Nuclear Reactors, Materials, and Waste Sector
15. Transportation Systems Sector
16. Water and Wastewater Systems Sector