Malware Types: Definitions, Examples & Prevention PDF

Summary

This document explains the different types of malware including viruses, worms, Trojans, and other malicious software. It defines malware and goes into detail about the threats they pose, providing examples and related video resources. The document contains quizzes to test your understanding of the material.

Full Transcript


OFFICIAL (CLOSED) \ NON-SENSITIVE

C235 IT SECURITY AND MANAGEMENT
LESSON 2.1: TYPES OF MALWARE

LEARNING OBJECTIVES
- Explain the definition of malware.
- List and describe the different categories of malware.
- Distinguish between the different categories of malware.
- Explain the potential dangers and damages from different types of malware.

MALWARE: MALICIOUS SOFTWARE
- Refers to unwanted software running on a user's computer that performs malicious actions.
- Malware often exploits weaknesses or bugs in the target machine.
- Malicious actions include:
  - Stealing information
  - Causing damage (e.g., corrupting or removing files)
  - Causing annoyances (e.g., pop-up advertising)
  - Spam emails
  - Opening a backdoor
A backdoor is an avenue that can be used to access a system while circumventing normal security mechanisms, and it can often be used to install additional executable files that lead to more ways to access the compromised system.

TYPES OF MALWARE
- Virus
- Worm
- Rootkit
- Trojan
- Spyware
- Botnet
- Scareware
- Adware
- Logic Bomb
- Ransomware
- Zero day

VIRUS
- A virus is a piece of malicious code that replicates by attaching itself to another piece of executable code.
- When the other executable code is run, the virus also executes and seizes the opportunity to infect other files, as well as to perform any other malicious actions it was designed to do.
- The specific way that a virus infects other files, and the type of files it infects, depends on the type of virus.

TYPES OF VIRUS
- Boot Sector Virus
- Program Virus
- Macro Virus

BOOT SECTOR VIRUS
- Infects the code in the boot sector of a drive, which runs each time the computer is turned on or restarted.
- Can be difficult to remove, since the boot program is the first program that the computer runs.
- If the boot sector is infected with a virus, then that virus can make sure it has copies of itself placed in other operating system files.
A boot sector is a region of a hard disk, floppy disk, optical disc, or other data storage device that contains machine code to be loaded into random-access memory (RAM) by a computer system's built-in firmware.

PROGRAM VIRUS
- Attaches itself to executable files, typically files ending in .exe or .com on Windows-based systems.
- The virus is attached in such a way that it is executed before the program executes.
- Like other types of viruses, program viruses are often not detected until after they execute their malicious payload.
The payload is the portion of a program that does damage. For example, the payload of a virus can damage the operating system.

VIRUS ATTACHING TO A PROGRAM
Virus Code + Original Program = [Virus Code | Original Program]
(The diagram shows the virus code placed in front of the original program, so the virus runs first.)

MACRO VIRUS
- A macro virus is also known as a document virus; it is launched when a document is opened, at which time the virus searches for other documents to infect.
- Can insert itself into the standard document template, which makes every newly created document infected.
- Further propagation occurs when infected documents are emailed to other users.
A macro is a series of commands and actions that help to automate some tasks. It is effectively a program, but is usually quite short and simple.

WATCH VIDEO ON "WHAT IS A COMPUTER VIRUS?"
https://youtu.be/fKxuKWsA_JI

WORM
- A worm is a standalone computer program that replicates independently by sending itself to other systems.
- Since a worm does not have to attach itself to something else, it can spread much faster than a virus.
- Worms typically cause damage in two ways: first, by the malicious code they carry; second, by loss of network availability due to aggressive self-propagation.

WATCH VIDEO ON "WHAT IS A COMPUTER WORM?"
https://youtu.be/oyUsZu6ygq8

QUIZ

ROOTKIT
- Malware specifically designed to modify the operating system's supporting functions, changing the nature of the system's operations.
- It can evade the security functions of the operating system to avoid detection.
- The installation of a rootkit usually results in the hacker getting root or escalated privileges (i.e. admin).

WATCH VIDEO ON "ROOTKIT"
https://www.youtube.com/watch?v=X9x2UzzXP8w

TROJAN
- Gets its name from ancient Greek mythology: it is named after the large wooden horse that secretly housed Greek soldiers.
- A program that appears to be useful (e.g. accounting software) but contains malicious code that could:
  - Open a backdoor
  - Log keyboard inputs to steal passwords (keylogger)
  - Steal information (spyware)
- Standalone program.
- Requires some form of human interaction (e.g. clicking/installing a program).

WATCH VIDEO ON "WHAT IS A TROJAN?"
https://www.youtube.com/watch?v=Vjkq5TknEqk

QUIZ

ADWARE
- The term adware is frequently used to describe a form of malware which presents unwanted advertisements to the user of a computer.
- The advertisements produced by adware are sometimes in the form of a pop-up, or sometimes in an "unclosable window".
EXAMPLE OF ADWARE
[image]

WATCH VIDEO ON "WHAT IS ADWARE?"
https://youtu.be/jIyIqjOlqzY

SPYWARE
- Malware that "spies" on users, recording and reporting on their activities.
  - For example, it monitors users' online activities to create profiles based on search habits.
  - Advertisements may be pushed to victims based on the information collected.

EXAMPLE OF SPYWARE
- Music-lyric sites may trick a person into downloading spyware.

WATCH VIDEO ON "WHAT IS SPYWARE?"
https://youtu.be/-Z3pp14oUiA

BOTNET
- Also known as a zombie army: a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions to other computers on the Internet.
- Any such computer is referred to as a zombie: in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator.
- A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation.

WATCH VIDEO ON "BOTNET"
https://www.youtube.com/watch?v=Z8KtojO5eGI

WATCH VIDEO ON "WHAT IS BOTNET AND HOW DOES IT SPREAD?"
https://www.youtube.com/watch?v=s0sgiY93w9c

SCAREWARE
- Poses as legitimate software and tools such as registry cleaners and virus removers.
- Typically useless software, although some may hide malicious intent.
- Tricks users into purchasing them through shock, anxiety or the perception of a threat.
- Some of them look tremendously convincing.

EXAMPLE OF SCAREWARE
[image]

WATCH VIDEO ON "WHAT IS SCAREWARE?"
https://youtu.be/rXn8CXE14Fw

LOGIC BOMB
- Generally installed by an authorized user, but in some cases it may be from an external source (e.g. "Friday the 13th" malware).
- It will remain dormant until an event invokes its malicious payload.

WATCH VIDEO ON "LOGIC BOMB"
https://www.youtube.com/watch?v=1fJLS-Y-lUk

RANSOMWARE
- Restricts access to the computer systems that it infects and demands a "ransom" to be paid for removal of the restriction.

WATCH VIDEO ON "RANSOMWARE"
https://youtu.be/eyyogKy3tW0

ZERO DAY MALWARE
- Zero-day malware is previously unknown malware for which specific anti-virus software signatures are not yet available.
- A zero-day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it. This exploit is called a zero-day attack.
Signature: the virus signature is like a fingerprint in that it can be used to detect and identify specific viruses. Anti-virus software uses the virus signature to scan for the presence of malicious code.
Anti-virus software: software designed to detect and destroy computer viruses.

WATCH VIDEO ON ZERO DAY ATTACKS
https://www.youtube.com/watch?v=3-zQlUJweE4

AT THE END OF THIS LESSON, YOU SHOULD BE ABLE TO:
- Explain the definition of malware.
- List and describe the different categories of malware.
- Distinguish between the different categories of malware.
- Explain the potential dangers and damages from different types of malware.
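To make the zero-day point concrete, here is a toy scanner that runs the two approaches anti-virus software combines (a signature dictionary and a heuristic check of what a program does) over constructed sample files, so you can see a known sample caught by its fingerprint while an unknown variant is caught only by the heuristic. This is an added example, not code from the lecture or from any real product; every file body, signature and behaviour token in it is made up for the demo.

```python
"""Signature-based vs heuristic scanning, side by side.

Added example, not code from the lecture or any real anti-virus product.
Every file body, signature and behaviour token below is constructed for
the demo; the uppercase tokens stand in for what a real engine would
observe by emulating or disassembling the program.
"""
import hashlib

# Constructed sample files (name -> bytes). Real programs would be binary;
# the uppercase tokens are the "behaviours" the toy heuristic looks for.
SAMPLES = {
    "calc.exe": b"MZ\x90\x00 DISPLAY_WINDOW READ_USER_INPUT SHOW_RESULT",
    "locker_known.exe": (b"MZ\x90\x00 DEMO-LOCKER-2020 DISABLE_ANTIVIRUS "
                         b"ENCRYPT_USER_FILES DEMAND_PAYMENT"),
    # Same behaviour, one byte of the marker changed: a "zero-day" variant.
    "locker_variant.exe": (b"MZ\x90\x00 DEMO-LOCKER-2021 DISABLE_ANTIVIRUS "
                           b"ENCRYPT_USER_FILES DEMAND_PAYMENT"),
    # Macro virus never seen before: no entry in the dictionary at all.
    "notes.docm": b"PK\x03\x04 MACRO MODIFY_DOC_TEMPLATE COPY_SELF_TO *.docm",
}

# Constructed virus dictionary: name -> unique byte pattern (the fingerprint).
SIGNATURES = {
    "Demo.Locker.A": b"DEMO-LOCKER-2020",
    "Demo.BootInfector.A": b"DEMO-BOOTKIT-v1",
}
# Whole-file hash signatures: exact match only, so even more brittle.
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLES["locker_known.exe"]).hexdigest(): "Demo.Locker.A",
}

# Heuristic indicators: behaviour token -> (weight, description).
INDICATORS = {
    b"DISABLE_ANTIVIRUS": (4, "tampers with security software"),
    b"ENCRYPT_USER_FILES": (4, "encrypts user documents (ransomware-like)"),
    b"DEMAND_PAYMENT": (2, "displays a ransom demand"),
    b"COPY_SELF_TO": (3, "replicates into other files (virus-like)"),
    b"MODIFY_DOC_TEMPLATE": (3, "alters the standard document template"),
    b"WRITE_BOOT_SECTOR": (4, "writes to the boot sector"),
    b"OPEN_LISTENER": (2, "opens a network listener (possible backdoor)"),
}
HEURISTIC_THRESHOLD = 5  # one weak indicator alone is not a detection


def signature_scan(data: bytes) -> list:
    """Return the names of known signatures found in data (empty if none)."""
    hits = [name for name, pattern in SIGNATURES.items() if pattern in data]
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    return sorted(set(hits))


def heuristic_score(data: bytes):
    """Score a file by what it does rather than by what it looks like."""
    score, reasons = 0, []
    for token, (weight, description) in INDICATORS.items():
        if token in data:
            score += weight
            reasons.append(description)
    return score, reasons


def scan(name: str, data: bytes) -> dict:
    """Combine both approaches, as most anti-virus products do, and pick a
    resolution action. Quarantine is the safest default: the file is kept
    for analysis but can no longer execute."""
    sigs = signature_scan(data)
    score, reasons = heuristic_score(data)
    malicious = bool(sigs) or score >= HEURISTIC_THRESHOLD
    return {
        "file": name,
        "signature_hits": sigs,
        "heuristic_score": score,
        "heuristic_reasons": reasons,
        "malicious": malicious,
        "action": "quarantine" if malicious else "allow",
    }


def scan_all() -> dict:
    """Scan every constructed sample and return name -> verdict."""
    return {name: scan(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for verdict in scan_all().values():
        caught_by = "signature" if verdict["signature_hits"] else (
            "heuristic" if verdict["malicious"] else "-")
        print(f"{verdict['file']:<20} {verdict['action']:<10} via {caught_by} "
              f"(score {verdict['heuristic_score']})")
```

Running it shows the variant and the macro document slipping past the dictionary entirely, which is exactly the gap a zero-day exploits and the reason products layer heuristics on top of signatures.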
C235 IT SECURITY AND MANAGEMENT
LESSON 2.2: MALWARE PROTECTION AND PREVENTION

LEARNING OBJECTIVES
- Describe the various malware protection methods.
- Explain the various measures taken to prevent malware.

MALWARE PROTECTION
- Anti-virus Software
- Personal Software Firewall
- Pop-up Blockers
- Windows Defender
- Anti-spam Software
The term "anti-virus" software is also sometimes referred to as "anti-malware" software, although the term "anti-virus" is more commonly used.

ANTI-VIRUS SOFTWARE
- The purpose of anti-virus software is to detect and eliminate malware.
- Most anti-virus software combines the following approaches when scanning for malware:
  - Heuristic Scanning
  - Signature-based Scanning
Heuristic: derived from a Greek word that means "to discover".
Signature: a virus signature is a unique string of bits, or binary pattern. The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses.

SIGNATURE-BASED SCANNING
- Anti-virus software contains a virus dictionary with thousands of known virus signatures.
- Virus signatures in the dictionary must be frequently updated, as new viruses are discovered daily.
- This approach will catch known viruses but is limited by the virus dictionary. It cannot catch what it does not know.

HEURISTIC SCANNING
- Heuristic scanning is a method of detecting potentially malicious behaviour by examining what a program or section of code does.
- Anything that is "suspicious" or potentially "malicious" is closely examined to determine whether or not it is a threat to the system.

CAPABILITIES OF ANTI-VIRUS SOFTWARE
1. Automated Updates: up-to-date signatures
2. Automated Scanning: scheduled scans
3. Manual Scanning: on demand
4. Media Scanning: thumb drives, etc.
5. Email Scanning: attachments
6. Resolution:
   1. Quarantine the infected file
   2. Repair the infected file
   3. Delete the infected file

PERSONAL SOFTWARE FIREWALLS
- Personal firewalls monitor and control traffic passing into and out of a single system.
- They can be used to determine what traffic is "good" and allowed to pass, and what traffic is "bad" and should be blocked.
- Most modern operating systems have a pre-installed basic personal firewall.
- For example, both Windows and macOS have built-in firewall features which help protect the system from unauthorized access and various types of cyber threats.

POP-UP BLOCKER
A pop-up blocker is a functionality in many web browsers to prevent pop-ups.
[Screenshots: Pop-up Blocker setting for Chrome Browser; Pop-up Blocker setting for Edge Browser]

WINDOWS DEFENDER
- Its purpose is to protect the computer from spyware and other unwanted software:
  - Spyware Detection and Removal
  - Scheduled Scanning
  - Automatic Updates
  - Real-time Protection
  - Software Explorer
  - Configurable Responses

WINDOWS DEFENDER
1. Spyware Detection and Removal: Windows Defender is designed to find and remove spyware and other unwanted programs that display pop-ups, modify browser or Internet settings, or steal personal information from your PC.
2. Scheduled Scanning: you can schedule when you want your system to be scanned, or you can run scans on demand.
3. Automatic Updates: updates to the product can be automatically downloaded and installed without user interaction.
4. Real-time Protection: processes are monitored in real time to stop spyware and malware when they first launch, attempt to install themselves, or attempt to access your PC.
5. Software Explorer: Windows Defender provides you with details on the software on your PC, such as whether or not the software is "good" or considered to be known malware, the file size, the publication date and other information.
6. Configurable Responses: Windows Defender lets you choose what actions you want to take in response to detected threats; you can automatically disable the software, quarantine it, attempt to uninstall it, and perform other tasks.

WINDOWS DEFENDER
- Below is the confirmation message shown after turning off Windows Defender in the Windows operating system:
[Screenshot]

ANTI-SPAM PRODUCTS
- Attempt to filter out the endless streams of junk email, so you don't have to do it manually.
- Some products operate at the corporate level, filtering messages as they enter or leave designated email servers.
- Other products operate at the host level, filtering messages as they come into your personal inbox on your laptop.

MALWARE PREVENTION
- Education
  - On being careful when you install or run software.
  - On ensuring that downloads are only from reliable sources.
- Disable autorun
  - For removable media such as thumb drives.
- Security software
  - Personal Software Firewall (block unwanted traffic)
  - Anti-virus (keep the virus dictionary updated)
- Operating System updates
  - Windows Update to get the latest fixes for bugs that are potentially exploitable.
  - Same with other OSes (Linux, Mac OS X, etc.).
- Application updates
  - Application bugs are potentially exploitable.
  - May not be part of the Operating System updates; they must be updated separately.
- Advisories circulated by the IT Department
  - Updates on new malicious threats.
  - All users should take note and be vigilant.

WATCH VIDEO ON "MALWARE PREVENTION"
https://youtu.be/uJRqZTNMCMo

AT THE END OF THIS LESSON, YOU SHOULD BE ABLE TO:
- Describe the various malware protection methods.
- Explain the various measures taken to prevent malware.

C235 IT SECURITY AND MANAGEMENT
LESSON 2.3: MALWARE TRENDS

LEARNING OBJECTIVES
- Malware Trends
- Major Malwares
- Ransomware Trends
- Ransomware Case Study

MALWARE TREND 1
- Total malware infections have been on the rise for the past decades.
- 230,000 new malware samples are produced every day, and this is predicted to only keep growing.
- 92% of malware is delivered by email.
(source: https://purplesec.us/resources/cyber-security-statistics/)

MALWARE TREND 2
- Read this: The 8 Most Notorious Malware Attacks of All Time
- Then this: 11 real and famous cases of malware attacks
- And this: 10 Most Dangerous New Malware and Security Threats in 2021 (updated on January 23, 2024)
- Hackers have used different types of malware attacks for the purpose of data theft and other illegal activities.
- In recent years, ransomware attacks have gained prominence as they have been on the rise.

MALWARE TREND 3
- Read about Emotet Trojan (2014): "The King of Malware"; "World's most dangerous malware EMOTET disrupted through global action"
- Read about WannaCry Ransomware (2017): "What Has Changed Since the 2017 WannaCry Ransomware Attack?"
- Read about Zeus Trojan (2007): "The life and death of the ZeuS Trojan"
- The code bases of these malwares have mutated into variants that are still haunting the world today. Cybersecurity students should study them.

RANSOMWARE TREND 1
- Ransomware is an ever-growing threat to thousands of organizations and businesses worldwide.
- Ransomware remains the most prominent malware threat. (Source: https://www.varonis.com/blog/ransomware-statistics)
- In the first half of 2022, there were around 236.1 million ransomware attacks globally. (Source: The Latest Ransomware Statistics, updated June 2024)

RANSOMWARE TREND 2
- Ransomware attacks in numbers (source: https://www.eweek.com/security/new-ransomware-trends-causing-fear-in-2021/):
  - 51% of companies faced ransomware attacks.
  - 26% of companies paid the ransom to cybercriminals.
  - The average ransom amount in 2020 was $180,000 for big companies.
  - The average ransom amount in 2020 for small businesses was $6,000.
  - A set of software tools needed to launch a ransomware attack costs about $50 on the darknet.
  - A new ransomware attack was detected every 11 seconds.
- Ransomware delivery mechanisms:
  - Email remains the most common ransomware delivery mechanism.
  - Web browsing is the second most common way to fall victim to a ransomware attack.

RANSOMWARE TREND 3
The top trends in ransomware attacks (updated 2024) include (source: https://www.varonis.com/blog/ransomware-statistics):
1. The exploitation of IT outsourcing services
2. Greater attention towards vulnerable industries
3. New ransomware and defenses evolving
4. Spread to mobile
5. Ransomware-as-a-Service (RaaS) is increasing
Ransomware-as-a-Service (RaaS) is a subscription that allows affiliates to use ransomware tools that are already developed to carry out ransomware attacks. It also allows them to extend their reach, and the decentralized nature of the attacks makes it difficult for the authorities to shut down the attacks. The creators of these tools take a percentage of each successful ransom payment.

RANSOMWARE ATTACKS
- In the past, most attackers simply asked for money in exchange for the encryption key so that companies could get access to their data again, but a recent evolution has been to leak sensitive or proprietary data, or sell it off to others.
- This site tracks ransomware attacks: https://cloudian.com/ransomware-attack-list-and-alerts/
- Ransomware attacks were rampant during the Covid-19 pandemic (refer to the infographic on the right).
- The Colonial Pipeline ransomware attack is an important case study for learning about ransomware, and about how malware can affect critical national infrastructure.

COLONIAL PIPELINE RANSOMWARE
- The ransomware attack (by the cybercriminal hacking group known as DarkSide) against Colonial Pipeline (which is responsible for nearly half of the oil & gas supply for the Eastern US) is the largest compromise of US critical infrastructure to date.
- On May 7, 2021, Colonial Pipeline suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline. In response, the company halted all of the pipeline's operations to contain the attack.
- Colonial Pipeline paid the requested ransom (75 bitcoins or $4.4 million) within several hours after the attack. The hackers then sent Colonial Pipeline a software application to restore their network, but it operated very slowly.
- On June 7, the Department of Justice announced that it had recovered 63.7 of the bitcoins (approximately $2.3 million) from the ransom payment via a counter-seizure of DarkSide's Bitcoin wallet.
- Watch this news report (play the video): Ransomware attack on Colonial Pipeline is work of criminal gang called DarkSide - CBS News

WATCH VIDEO ON "COLONIAL PIPELINE CRIPPLED BY CYBER ATTACK"
https://www.youtube.com/watch?v=qJM5zG9XhZ8

WATCH VIDEO ON "COLONIAL PIPELINE PAID RANSOM TO DARKSIDE"
https://www.youtube.com/watch?v=o9pBv-ktsIM

WATCH VIDEO ON "COLONIAL PIPELINE – HOW THE ATTACK HAPPENED"
https://www.youtube.com/watch?v=ek_mnh3tpWc

QUIZ

AT THE END OF THIS LESSON, YOU SHOULD BE ABLE TO:
- Describe the various malware and ransomware trends.
- Distinguish between major malware attacks.
- Relate to ransomware attacks.

Official (Closed) \ Sensitive Normal

C235 IT Security and Management
Lesson 3.2: Social Engineering Cases

Learning Objectives
- Social Engineering Trends
- Scenarios
- Major Attacks
- Case Study

How easy is it to perform Social Engineering Hacking?
- Watch "Jessica Clark – Social Engineer Hacker": https://www.youtube.com/watch?v=lc7scxvKQOo
- Watch this hacker break in with a phone call (in 2 min): https://youtu.be/PWVN3Rq4gzw
- Watch this funny vishing attack: https://www.youtube.com/watch?v=Hc01oZPvByg
- Here's another "live" social engineering hack: https://youtu.be/LYilP-1TwMg

Social Engineering Trends
- 98% of cyber-attacks relied on social engineering.
- 43% of IT professionals said they had been targeted by social engineering schemes.
- New employees are the most susceptible to socially engineered attacks, with 60% of IT professionals citing recent hires as being at high risk.
- 21% of current or former employees use social engineering to gain a financial advantage, for revenge, out of curiosity or for fun.
- Business Email Compromise (BEC) scams cost organizations $676 million in 2017.
- 30% of phishing messages get opened by targeted users, and 12% of those users clicked on the malicious attachments or links.
(source: https://purplesec.us/resources/cyber-security-statistics/#SocialEngineering)

Famous Cases
- Read this: The Top 5 Most Famous SE Attacks of the Last Decade
- Then this: 7 Most Famous Social Engineering Attacks in History
- And this: 10 Real and Famous Cases of Social Engineering Attacks
- How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did
[Images: Ubiquiti, Toyota Boshoku Corporation and AP logos]

2011 Social Engineering Attack
In 2011, RSA Security, the folks who provide the SecurID two-factor authentication devices to millions of people, was hacked by a phishing email.
Significance of damages:
1. RSA fell prey to a famous phishing attack that compromised the security of their systems and cost the company $66 million. The financial damage, being in the millions, was very significant to the company and to the cybersecurity industry.
2. RSA also suffered reputation loss, and this case became one of the top 10 examples often cited by cybersecurity websites.
An important hack to remember, for three reasons:
1. The phishing email was primitive and should have been seen for what it was: a fake.
2. The attack demonstrates that even security companies are vulnerable to simple social engineering techniques.
3. A common form of two-factor authentication was compromised, possibly leaving many millions of users at risk.
Source: Classic Hacks: The 2011 RSA SecurID Attack

RSA 2011 Attack: Chronology of Events
The incident was a three-stage operation that was similar to several other prominent attacks on technology companies at that time:
- 1st stage: The attacker sent "phishing" e-mails with the subject line "2011 Recruitment Plan" to two groups of employees over two days. One employee was interested enough to retrieve the message from junk mail and open the Excel attachment. The Excel file contained zero-day malware that exploited Adobe Flash to install a backdoor.
- 2nd stage: Installing a stealthy tool that allowed the hacker to control the victim's machine, steal several account passwords, and use them to gain entry into other systems, where the hacker could gain access to other employees with access to sensitive data.
- 3rd stage: Spiriting RSA files out of the company to a hacked machine at a hosting provider, and then on to the hacker himself. Damage done!
Source: The RSA Hack: How They Did It - The New York Times
Dropped malware: Backdoor:W32/PoisonIvy RAT

RSA 2011 Attack: Resolution
Read: RSA SecurID attack details unveiled – lessons learned
- RSA eventually saw the attack, using its implementation of NetWitness, and stopped the attack before more damage could be done.
- RSA came clean and told its customers immediately about the attack (which is something other companies have not done) and should be credited for handling a bad situation as well as it could.
- The irony with RSA was that they did not eat their own dog food. NetWitness helped them find the attack in real time, but obviously was not able to shut down the attack in real time.
- RSA should have used its own fraud detection systems, based on user and account profiling, which use statistical Bayesian models and rules to spot abnormal behaviour and intervene in real time.
- The old adage rings true: the shoemaker's children have no shoes.

Watch video on "Anatomy of the RSA targeted attack"
https://www.youtube.com/watch?v=I6fVydTJ1cg

Other Notable Cases
- Frank Abagnale, Jr.: subject of the movie Catch Me If You Can; Abagnale was portrayed by Leonardo DiCaprio.
- Kevin Mitnick: hacker known for his social engineering skill.
- ILOVEYOU Worm: catchy email subject line "ILOVEYOU".
- Nigerian Scam: advance fee fraud or 419 fraud.

Quiz

Additional Readings - Talks (for those keen to do self-study and learn more about the 1st step of hacking …)
- DEF CON Black Badge, Jen Fox at SANS Security Awareness Summit 2018: The Dark Arts of Social Engineering (40:11)
- DEF CON Social Engineering CTF Winner, Rachel Tobac: How I Would Hack You: Social Engineering Step-by-Step (18:55)
- Watch: How phishing scammers manipulate your amygdala and oxytocin | Christopher Hadnagy | TEDxFultonStreet (11:00)
- Watch: DEF CON 24 SE Village - Chris Hadnagy - 7 Jedi Mind Tricks: Influence Your Target without a Word (51:26)
- Watch: Hacking Humans: Social Engineering Techniques and How to Protect Against Them (46:44)
- Watch: TEDxSanAntonio - Brian Brushwood - Social Engineering - How to Scam Your Way into Anything (15:59)
- Watch: Defcon 21 - Stalking a City for Fun and Frivolity (45:19)

Additional Readings - OSINT (for those keen to do self-study and learn more about the 1st step of hacking …)
Open-Source Intelligence (OSINT) gathering is one of the most powerful assets used by cyber attackers for social engineering and phishing attacks, to gather information that can vary from descriptive data to some credential information. It is rapidly becoming a strategy for hackers to target various organizations and companies for social engineering and phishing attacks. OSINT techniques can help cyber attackers find out where they can easily carry out targeted attacks.
- Read: OSINT & Social Engineering
- Read: OSINT: What is open source intelligence and how is it used?
- Watch: What is Open Source Intelligence? Intro to OSINT Episode 1 (5:44)
- Watch: Intro to OSINT Episode 2: Geolocation and visual analysis (4:58)
- Watch: OSINT - Open Source Intelligence Overview (6:37)
- Watch: Open Source Intelligence 101 (46:49)
- Short Course: The Complete Open Source Intelligence (OSINT) Training Course (2:25:33)
- Learn about: Top 25 OSINT Tools (Whats Hot! Whats Not!) (18:44)
- Learn about: Comprehensive List of OSINT Tools (18:45)

At the end of this lesson, you should be able to
- Describe the various social engineering trends.
- Distinguish between various social engineering scenarios and attacks.
- Relate to cases of social engineering attacks.

Official (Closed) \ Non-Sensitive
AY2024 Sem 2

C235 IT Security and Management
Lesson 3.1: Social Engineering

Learning Objectives
- Ability to distinguish between various social engineering techniques
- Understand why social engineering works and its impact
- Understand the importance of protecting organisations from social engineering attacks
- Apply protective measures against social engineering

Social Engineering
Social engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action for the hacker.*
* EC-Council Ethical Hacking and Countermeasures (V4.0)

Social Engineering
- Clever manipulation of the natural human tendency to trust.
- Social engineering is an illegal act. You can be charged in court and may face a jail term in some countries.
- People do it for various reasons. It can be for fun, for gaining a competitive edge, or even for sabotage.
- It is difficult to eliminate social engineering because people are trusting by nature.
- Ponder: Are employees the weak links in organizations?

Watch Video on "Social Engineering"
https://www.youtube.com/watch?v=xcJV2JGeVn0

Social Engineering Techniques
- Pretexting
- Identity Theft
- Phishing
- Spear phishing
- Vishing
- Tailgating
- Dumpster Diving
- Shoulder Surfing
- Baiting

Pretexting
- It is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will reveal information.
- It is used to persuade the victim to release information or perform an action.
- It involves some prior research or setup.

Watch video on "Pretexting"
https://www.youtube.com/watch?v=RJq_rnadSX0

Watch video on "Pretexting: Fake Employee to Help Desk"
https://www.youtube.com/watch?v=gYYBOvZqP-Y

Identity Theft
- It is a form of fraud or cheating using another person's identity.
- Someone pretends to be someone else by assuming that person's identity, in order to access resources or obtain credit and other benefits in that person's name.

Watch video on "Identity Theft"
https://youtu.be/kDFeSUUwRnA

Phishing
- It is the act of obtaining sensitive information from a user by masquerading as a trusted entity in an email or instant message sent to a large group of often random users.
- It is used to fool a computer user into submitting personal information by creating a counterfeit website that looks like a real (and trusted) site.
In The Latest Phishing Statistics from aag-it.com, phishing remains the most common form of cyber crime.

Watch video on “Phishing”: https://www.youtube.com/watch?v=v8JCHu4VCZc

Spear Phishing
Spear phishing is the term that has been created to refer to the special targeting of groups with something in common when launching a phishing attack. By targeting a specific group, the ratio of successful attacks (that is, the number of responses received) to the number of e-mails or messages sent usually increases. This is because a targeted attack will seem more plausible than a message sent to users randomly.

Watch video on “Know the Risk - Raise Your Shield: Spear Phishing”: https://www.youtube.com/watch?v=X5P-VYxPNrk

Vishing
Vishing is a variation of phishing that uses voice communications technology to obtain the information the attacker is seeking. Vishing takes advantage of the trust that some people place in the telephone network. Generally, the attackers are hoping to obtain credit card numbers or other information that can be used in identity theft.

Watch video on “Vishing”: https://www.youtube.com/watch?v=aL_m6jelF1M

Tailgating
It is an act of an unauthorized person following someone into a restricted area without the consent of the authorized person.

Watch video on “Tailgating”: https://www.youtube.com/watch?v=9M_ri97l3Po
Examples of “Tailgating”: https://youtu.be/jksOir0WGM8

Dumpster Diving
It is an act of gathering information through the victim’s careless:
▪ disposal of documents, or uncollected documents in common areas (e.g., documents left at the printer, documents thrown into the dustbin, etc.)
▪ disposal of hard disks, thumb drives, and other forms of data storage.
Watch video on “Dumpster Diving”: https://www.youtube.com/watch?v=Ld-fZVn85SU

Shoulder Surfing
It is an act of looking over the shoulder of someone doing something confidential. The best defence against this type of attack is simply to survey your environment before entering confidential data.

Watch video on “Shoulder Surfing”: https://www.youtube.com/watch?v=NQxwN8-wuV4

Impersonation
The social engineer "impersonates" or plays the role of someone you are likely to trust or obey, convincingly enough to fool you into allowing access to your office, to information, or to your information systems. Impersonation differs from other forms of social engineering because it occurs in person, rather than over the phone or through email.

Watch video on “Impersonation”: https://www.youtube.com/watch?v=YX04oJa3ogc

Baiting
It is an act of laying a trap for unsuspecting victims to fall prey, usually counting on the curiosity or greed of the victim (e.g., placing a USB thumbdrive containing a virus to be “found” by the victim; the virus is triggered when the victim accesses the thumbdrive out of curiosity).

Watch Video on “Baiting”: https://youtu.be/V2wnM5MJngI

Human Weakness
Social Engineering focuses on the following human weaknesses:
▪ Carelessness
▪ Fear
▪ Lack of Awareness
▪ Gullibility
▪ Trusting Nature
▪ Eagerness to Help

Counter-Measures
No measures can fully protect a person from Social Engineering attacks: the Human Factor cannot be eliminated totally.
Protection by Controls:
▪ Security Policy
▪ Physical Security
▪ Education and Awareness
▪ Good IT Security Infrastructure
▪ Report Security incidents
Source: Social Engineering: A Means To Violate A Computer System by Malcolm Allen

Examples of Counter-Measures
▪ Activate screen savers or lock the screen when away.
▪ Do not write passwords on paper or throw confidential information in the rubbish bin.
▪ Shred confidential papers instead of throwing them into dustbins.
▪ Do not stick any pricings or passwords around the workstation.
▪ Visitors should report at the counter and exchange for a visitor pass.
▪ Do not allow visitors to wander by themselves.
▪ Verify visitors’ information.
▪ Do not disclose any information through phones or emails.
▪ Verify email information and don’t click on any suspicious link.
▪ ……… and many more ………

Watch video on “Tips on Withstanding Social Engineering”: https://www.youtube.com/watch?v=uVSfZPboVms

Social Engineering vs Malware
▪ Social Engineering: pertains to human factors and weaknesses.
▪ Malware: more technical in nature, e.g., exploiting software or OS vulnerabilities, spreading onto networks, etc.
Attackers can use a combination of Social Engineering and Malware to achieve their objectives. Example: using social engineering to trick users into installing malware (such as key loggers, trojans) on their systems.

Watch Video on Nancy the Attacker: https://www.youtube.com/watch?v=h7IQlOB8CdY

At the end of this lesson, you should be able to
▪ Distinguish between the different categories of Social Engineering attacks.
▪ Explain how the different Social Engineering techniques exploit human weaknesses.
▪ Identify relevant counter-measures to prevent Social Engineering attacks.
Thank You

AY2024 Sem 2 C235 – IT Security and Management
Lesson 4.1 - Cryptography

Learning Objectives
▪ Explain the basic concepts of cryptography
▪ Explain the basic workings of symmetric ciphers
▪ Apply encryption and decryption using symmetric ciphers

Keywords
▪ Cryptography: Ensuring privacy by keeping information hidden from anyone for whom it is not intended.
▪ Cryptanalysis: Finding a method to break an encrypted message given incomplete information (no key, unknown encryption method, etc.).
▪ Encryption: Transformation of data into a form that is as close to impossible to read as possible.
▪ Decryption: Transformation of encrypted data back into an intelligible form.

Keywords
▪ Plaintext: Original data that is to be kept secret. Could be a human-readable text file, or a computer binary file.
▪ Encryption method/algorithm: Determines the steps to encrypt the original data.
▪ Key: Piece of information that changes the output of the encryption process. Key length (4 in the slide's figure) is a factor for encryption strength.
▪ Ciphertext: Original data that has been encrypted into an unreadable form.

Cryptography
▪ Symmetric Cipher (topics for this week)
  ▪ Substitution Cipher: Mono-alphabetic Cipher, Poly-alphabetic Cipher
  ▪ Transposition Cipher
▪ Asymmetric Cipher (topics for LP2)

Substitution Cipher

What is Substitution Cipher?
The name substitution cipher comes from the fact that each letter that you want to encipher is substituted by another letter.
The message you want to keep secret (plaintext) is transformed into the enciphered message (ciphertext) by substituting each letter by another letter.

Types of Substitution Cipher
There are 2 types of substitution cipher:
▪ Mono-alphabetic cipher
▪ Poly-alphabetic cipher

Mono-alphabetic Cipher
In a mono-alphabetic cipher, the substitution letters are a random permutation of the 26 letters of the alphabet, for example:
Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
Each letter of a plaintext is substituted by one and only one letter in the permutation to form the ciphertext:
Plain Text:  A R R I V E D
Cipher Text: Q K K O C T R

Poly-alphabetic Cipher
In a poly-alphabetic cipher, each letter can be substituted by more than one letter. For example, the plaintext ARRIVED can be encrypted as
Plaintext:  A R R I V E D
Ciphertext: P T U K L B F
Note that the letter R is substituted as T and U.

Examples of Substitution Ciphers
▪ Caesar Cipher
▪ Vigenère Cipher
▪ One-Time Pad

Encryption using Caesar Ciphers
Encryption is to substitute each letter with another letter n places further along the alphabet.
For example, if n=3, the letters are shifted as follows:
Plaintext:  WE ARE HERE
Alphabet:   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Shift +3:   D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Ciphertext: ZH DUH KHUH

Decryption using Caesar Ciphers
Decryption is to substitute each letter with another letter n places back along the alphabet.
Ciphertext: ZH DUH KHUH
Key: 3
Alphabet:   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Shift -3:   X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Plaintext:  WE ARE HERE

QUIZ
Caesar cipher is a poly-alphabetic cipher.
A. True
B. False

QUIZ
In a Caesar cipher, the letter G is encrypted as the letter K. What is the key of this Caesar cipher?
A. 3
B. 4
C. 5
D. 6
(Working: ABCDEFG HIJK, distance = 4)

QUIZ
Given that the key of a Caesar cipher is 7, the plaintext for the ciphertext ‘ZHPSPUN’ is
A. RESTING
B. TAILING
C. SAILING
D. SINGING

QUIZ
Given that the key of a Caesar cipher is 9, the ciphertext for the plaintext ‘TERROR’ is
A. YJWWTW
B. CNAAXA
C. ALYYVY
D.
VGTTQT
(Working: 9 letters down the road, e.g. T+9=C, E+9=N; TUVWXYZABC, C is 9 letters on)

Vigenère Cipher
Requires:
▪ Vigenère Table (each row is the alphabet shifted to start at the row's letter)
▪ Key

   ABCDEFGHIJKLMNOPQRSTUVWXYZ
A  ABCDEFGHIJKLMNOPQRSTUVWXYZ
B  BCDEFGHIJKLMNOPQRSTUVWXYZA
C  CDEFGHIJKLMNOPQRSTUVWXYZAB
D  DEFGHIJKLMNOPQRSTUVWXYZABC
E  EFGHIJKLMNOPQRSTUVWXYZABCD
F  FGHIJKLMNOPQRSTUVWXYZABCDE
G  GHIJKLMNOPQRSTUVWXYZABCDEF
H  HIJKLMNOPQRSTUVWXYZABCDEFG
I  IJKLMNOPQRSTUVWXYZABCDEFGH
J  JKLMNOPQRSTUVWXYZABCDEFGHI
K  KLMNOPQRSTUVWXYZABCDEFGHIJ
L  LMNOPQRSTUVWXYZABCDEFGHIJK
M  MNOPQRSTUVWXYZABCDEFGHIJKL
N  NOPQRSTUVWXYZABCDEFGHIJKLM
O  OPQRSTUVWXYZABCDEFGHIJKLMN
P  PQRSTUVWXYZABCDEFGHIJKLMNO
Q  QRSTUVWXYZABCDEFGHIJKLMNOP
R  RSTUVWXYZABCDEFGHIJKLMNOPQ
S  STUVWXYZABCDEFGHIJKLMNOPQR
T  TUVWXYZABCDEFGHIJKLMNOPQRS
U  UVWXYZABCDEFGHIJKLMNOPQRST
V  VWXYZABCDEFGHIJKLMNOPQRSTU
W  WXYZABCDEFGHIJKLMNOPQRSTUV
X  XYZABCDEFGHIJKLMNOPQRSTUVW
Y  YZABCDEFGHIJKLMNOPQRSTUVWX
Z  ZABCDEFGHIJKLMNOPQRSTUVWXY

Encryption using Vigenère Cipher
For example, encrypt the plaintext ‘KING OF ENGLAND’ with the key ‘SCOT’:
Plaintext:   K I N G O F E N G L A N D
Key:         S C O T S C O T S C O T S
Cipher Text: C K B Z G H S G Y N O G V

Decryption using Vigenère Cipher
For example, to decrypt the message CKBZGHSGYNOGV, where the key is SCOT:
Cipher Text: C K B Z G H S G Y N O G V
Key:         S C O T S C O T S C O T S
Plaintext:   K I N G O F E N G L A N D

QUIZ
Vigenère cipher is a mono-alphabetic cipher.
A. True
B. False

QUIZ
Given that the key of a Vigenère cipher is ‘CAT’. If the plaintext is ‘CONFIDENTIAL’, what is the ciphertext?
A. HCMKWCJBSNOK
B. FCTIWJHBZLOR
C. EOGHIWGNMKAE
D. JEOMYELDUPQM

QUIZ
Given that the key of a Vigenère cipher is ‘DARK’. If the ciphertext is ‘GOTEPEED’, what is the plaintext?
A. SETTINGS
B. DOCUMENT
C. UNKNOWNS
D. WEDDINGS

Encryption using One-Time Pad
Plaintext:  S (18)  K (10)  Y (24)
Key:        C (2)   H (7)   D (3)
The mod 26 operation (+):
18 + 2 (mod 26) = 20 (U)
10 + 7 (mod 26) = 17 (R)
24 + 3 (mod 26) = 1 (B)
Ciphertext: U (20)  R (17)  B (1)

Decryption using One-Time Pad
Ciphertext: U (20)  R (17)  B (1)
Key:        C (2)   H (7)   D (3)
The mod 26 operation (-):
20 - 2 (mod 26) = 18 (S)
17 - 7 (mod 26) = 10 (K)
1 - 3 (mod 26) = 24 (Y)
Plaintext:  S (18)  K (10)  Y (24)

QUIZ
One-Time Pad is a poly-alphabetic cipher.
A. True
B. False

QUIZ
Given that the key of a One-Time Pad cipher is GUN. If the plaintext is PEN, what is the ciphertext?
A. WYA
B. VYA
C. WXA
D. VYB
(Working: GUN -> 6 20 13; PEN -> 15 4 13; sum -> 21 24 0 (VYA))

QUIZ
Given that the key of a One-Time Pad cipher is BIT. If the ciphertext is SCG, what is the plaintext?
A. GUN
B. RAT
C. RUN
D.
RAG
(Working: BIT -> 1 8 19; SCG -> 18 2 6 -> 9 6 13)

Transposition Cipher

What is Transposition Cipher?
In a transposition cipher, plaintext characters are rearranged in some regular pattern to form the ciphertext. For example:
Plaintext:  YOU ARE IN DANGER
Ciphertext: REGNAD NI ERA UOY
(Reversing the text is a form of transposition cipher.)

Examples of Transposition Cipher
▪ Columnar Transposition Cipher
▪ Rail Fence Transposition Cipher

Encryption using Columnar Transposition Cipher
Plaintext: WE ARE DISCOVERED FLEE AT ONCE
Key: SCOT
▪ The number of columns is defined by the length of the key.
▪ The message is written out in rows of a fixed length.
▪ Columns are ordered by the alphabetical order of the letters in the key.
▪ Random filler letters complete the last row.
▪ The message is read out column by column.

Key:   S C O T
Order: 3 1 2 4
       W E A R
       E D I S
       C O V E
       R E D F
       L E E A
       T O N C
       E X Z E
Ciphertext: EDOEEOX AIVDENZ WECRLTE RSEFACE

Decryption using Columnar Transposition Cipher
Ciphertext: EDOEEOX AIVDENZ WECRLTE RSEFACE
Key: SCOT
1. Write down the key and the alphabetical order of the letters in the key.
2. Write down the letters in the appropriate column.
3. Read off the message row by row.

Key:   S C O T
Order: 3 1 2 4
       W E A R
       E D I S
       C O V E
       R E D F
       L E E A
       T O N C
       E X Z E
Plaintext: WE ARE DISCOVERED FLEE AT ONCE (the letters XZE are fillers)

QUIZ
If the length of the key of a columnar transposition cipher is 5, how many possible keys are there?
A. 5
B. 5x5x5x5x5
C. 5x4x3x2x1
D. 50

QUIZ
Given that the key of a columnar transposition cipher is BOAT.
If the plaintext is STAY PUT WAIT FOR ME, what is the ciphertext?
A. YWFE SPAO TUIR ATTM
B. ATTM SPAO TUIR YWFE
C. SPAO ATTM YWFE TUIR
D. ATTM TUIR SPAO YWFE

QUIZ
Given that the key of a columnar transposition cipher is PIG. If the ciphertext is GTT OAA DCR, what is the plaintext?
A. DOG RAT CAT
B. CAT DOG RAT
C. RAT DOG CAT
D. DOG CAT RAT

Encryption using Rail Fence Transposition Cipher
Plaintext: WE ARE DISCOVERED FLEE AT ONCE
Key: 3
The key refers to the number of rows. Next, the text is arranged in a zig-zag manner as shown below:
W . . . E . . . C . . . R . . . L . . . T . . . E
. E . R . D . S . O . E . E . F . E . A . O . C .
. . A . . . I . . . V . . . D . . . E . . . N . .
Read from the 1st row till the last row. The following is the ciphertext: WECRLTE ERDSOEEFEAOC AIVDEN

Decryption using Rail Fence Transposition Cipher
Ciphertext: WECRLTEERDSOEEFEAOCAIVDEN
Key: 3
Step 1: Count how many letters there are in the ciphertext. In this case, it is 25.
Step 2: Since key=3, there are 3 rows and 25 columns.
Step 3: Form up a table with 25 columns and 3 rows, and derive the position of each letter.
Step 4: Fill up the letters on the 1st row till the position of the last letter, followed by the 2nd row below, and finally the last row.
Row 1: 1 W, 5 E, 9 C, 13 R, 17 L, 21 T, 25 E
Row 2: 2 E, 4 R, 6 D, 8 S, 10 O, 12 E, 14 E, 16 F, 18 E, 20 A, 22 O, 24 C
Row 3: 3 A, 7 I, 11 V, 15 D, 19 E, 23 N
Plaintext: WEAREDISCOVEREDFLEEATONCE

QUIZ
Given that the key of a rail fence cipher is 3. If the plaintext is NEVER GIVE UP ON ME, what is the ciphertext?
A. NVRIEPNEEEGVUOM
B. NINEGVOMVREPEEU
C. NRENEEGVUOMVIPE
D. NEEVUVIPEEGOMRN

QUIZ
Given that the key of a rail fence cipher is 3. If the ciphertext is FEISSTATSBGETAISSTGEE, what is the plaintext?
A. BIGGEST FASTEST EASIEST
B. FASTEST EASIEST BIGGEST
C.
EASIEST FASTEST BIGGEST
D. FASTEST BIGGEST EASIEST

At the end of the lesson, you should be able to:
▪ Explain the basic concepts of cryptography
▪ Explain the basic workings of symmetric ciphers
▪ Apply encryption and decryption using symmetric ciphers

AY2024 Sem 2 C235 – IT Security and Management
Lesson 4.2 - Cryptanalysis

Learning Objectives
▪ Explain and apply cryptanalysis techniques
▪ Distinguish between substitution and transposition ciphers

What is Cryptanalysis?
It is the study of cryptographic systems in order to attempt to understand how they work, and whether any flaws exist that will allow them to be broken, with or without the key.
Examples of cryptanalysis techniques:
▪ Brute Force Attack
▪ Frequency Analysis

Cryptanalysis Techniques
▪ Brute Force Attack
▪ Frequency Analysis Attack

Brute Force Attack
Try all possible methods and permutations. Time consuming and may not be effective. Even with the help of computers, some modern ciphers may take billions of years to break by trying all possible permutations.

Examples of Brute Force Attack
Caesar Cipher
▪ Start to decipher with a key of 1, 2, 3, and so on, and hope to find the right number of shifts.
▪ In the worst case, you have to try 25 keys.

Brute Force (Caesar Cipher)
We assume the message is an English text and is encrypted using a Caesar cipher as VYR JSV CSYV PMJI. In a Brute Force attack, all possible shifts are tried until a meaningful English message is obtained.
Key=1: UXQ IRU BRXU OLIH
Key=2: TWP HQT AQWT NKHG
Key=3: SVO GPS ZPVS MJGF
Key=4: RUN FOR YOUR LIFE

Frequency Analysis
It is the study of the frequency of letters in a ciphertext, as an aid to breaking mono-alphabetic ciphers. There is a characteristic distribution of letters that is roughly the same for almost all samples of a given language. For instance, in a section of English text, E, T, A and O are the most common, while Z, Q and X are rare.

Caesar Cipher (video): https://www.youtube.com/watch?v=sMOZf4GN3oc

English Letter Frequency
a 8.167%
b 1.492%
c 2.782%
d 4.253%
e 12.702%
f 2.228%
g 2.015%
h 6.094%
i 6.966%
j 0.153%
k 0.772%
l 4.025%
m 2.406%
n 6.749%
o 7.507%
p 1.929%
q 0.095%
r 5.987%
s 6.327%
t 9.056%
u 2.758%
v 0.978%
w 2.360%
x 0.150%
y 1.974%
z 0.074%
Figure 1: English letter frequency, a to z (bar chart, 0% to 14%)

Frequency of Letters in Transposition Cipher
Since transposition does not affect the frequency of individual letters, transposition ciphertext can be easily detected by frequency analysis. If a ciphertext's letters have a frequency distribution very similar to English plaintext, then most likely it is a transposition ciphertext.
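As an added worked example (this is not code from the lecture slides), the Python below carries out the two attacks described in this lesson against Caesar ciphertext: the brute-force search over all 25 shifts, and frequency analysis using the English letter table above. It also applies the observation in the last slide, that transposition leaves the letter distribution unchanged while Caesar shifts it, to tell the two apart. The `caesar` and `columnar_transposition` helpers, the chi-squared scoring, and the long sample sentence are constructed for this example; the only values taken from the slides are the frequency table and the ciphertext VYR JSV CSYV PMJI.

```python
"""Added example: brute force and frequency analysis against Caesar
ciphertext, and telling transposition apart from Caesar by letter
frequencies. Helper ciphers and sample texts are constructed here and
are not the lecture's own code."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# English letter frequencies in percent (the same table as the lecture's
# "English Letter Frequency" slide).
ENGLISH_FREQ = {
    'A': 8.167, 'B': 1.492, 'C': 2.782, 'D': 4.253, 'E': 12.702, 'F': 2.228,
    'G': 2.015, 'H': 6.094, 'I': 6.966, 'J': 0.153, 'K': 0.772, 'L': 4.025,
    'M': 2.406, 'N': 6.749, 'O': 7.507, 'P': 1.929, 'Q': 0.095, 'R': 5.987,
    'S': 6.327, 'T': 9.056, 'U': 2.758, 'V': 0.978, 'W': 2.360, 'X': 0.150,
    'Y': 1.974, 'Z': 0.074,
}


def letters_only(text):
    """Upper-case letters of `text`, with spaces and punctuation dropped."""
    return [c for c in text.upper() if c in ALPHABET]


def caesar(text, key):
    """Shift every letter `key` places along the alphabet (a negative key shifts
    back). Non-letters such as spaces pass through unchanged."""
    return ''.join(ALPHABET[(ALPHABET.index(c) + key) % 26] if c in ALPHABET else c
                   for c in text.upper())


def columnar_transposition(text, key):
    """Columnar transposition as on the slides: write the letters row by row
    under the key, pad the last row, then read the columns in alphabetical
    order of the key letters (ties broken left to right). The filler is a
    fixed 'X' here instead of the slides' random letters."""
    letters = letters_only(text)
    cols = len(key)
    while len(letters) % cols:
        letters.append('X')
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda i: (key[i], i))
    return ''.join(''.join(row[i] for row in rows) for i in order)


def chi_squared(text):
    """Chi-squared distance between the letter counts of `text` and the counts
    English would predict for a text of that length. Lower is more English-like."""
    letters = letters_only(text)
    n = len(letters)
    counts = Counter(letters)
    total = 0.0
    for c in ALPHABET:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def brute_force_caesar(ciphertext):
    """Try all 25 shifts, as the slides describe, and rank the candidate
    plaintexts so the most English-like comes first. Each entry is
    (score, key, candidate_plaintext)."""
    candidates = [(chi_squared(caesar(ciphertext, -key)), key, caesar(ciphertext, -key))
                  for key in range(1, 26)]
    return sorted(candidates)


def recover_caesar_key(ciphertext):
    """Frequency analysis: the shift whose result fits the English distribution best."""
    return brute_force_caesar(ciphertext)[0][1]


def classify(ciphertext):
    """Transposition keeps the English distribution, so the best fit is at shift 0;
    Caesar keeps the shape but moves the peaks, so the best fit is at a non-zero
    shift. Returns 'transposition' or 'caesar (key=N)'."""
    scores = {key: chi_squared(caesar(ciphertext, -key)) for key in range(26)}
    best = min(scores, key=scores.get)
    return 'transposition' if best == 0 else f'caesar (key={best})'


if __name__ == '__main__':
    # Constructed sample text (not from the slides), long enough for the statistics to settle.
    SAMPLE = ('IT IS DIFFICULT TO ELIMINATE SOCIAL ENGINEERING BECAUSE PEOPLE ARE '
              'TRUSTING BY NATURE AND ATTACKERS EXPLOIT THAT TRUST TO OBTAIN INFORMATION')
    for score, key, plain in brute_force_caesar('VYR JSV CSYV PMJI')[:4]:
        print(f'key={key:2d} score={score:6.1f} {plain}')
    print(classify(caesar(SAMPLE, 4)))
    print(classify(columnar_transposition(SAMPLE, 'HELLO')))
```

The chi-squared score is what replaces the human reading the slide's four candidate lines and stopping at RUN FOR YOUR LIFE: the correct shift scores lowest because the common ciphertext letters land on E, T, A, O, while wrong shifts push them onto rare letters such as Q, X and Z. On a text as short as the slide's 14 letters the margin is small, so in practice the ranked list is worth reading rather than trusting only the top entry.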
Frequency of Letters in Transposition Cipher
[Figure: letter frequency bar charts, a to z, 0% to 14%: English plaintext (top) and transposition ciphertext with key ‘hello’ (bottom)]

Frequency of Letters in Transposition Cipher
If a ciphertext’s letters have a frequency distribution that is similar to English plaintext but peaks across different letters, then most likely it is a Caesar ciphertext.

Frequency of Letters in Caesar Cipher
[Figure: letter frequency bar charts, a to z, 0% to 14%: English plaintext (top) and Caesar ciphertext with key=4 (bottom)]

QUIZ
The frequency distribution of letters below is likely to be that of
A. Caesar cipher
B. Columnar Transposition cipher
C. Vigenère cipher
D. Substitution cipher but not Caesar cipher
[Figure: letter frequency bar chart, a to z, 0% to 14%]

QUIZ
A given ciphertext has G as the highest frequency letter and V as the 2nd highest frequency letter. This ciphertext is likely to be produced by a:
A. Rail Fence Transposition cipher
B. Columnar Transposition cipher
C. Vigenère cipher
D. Caesar cipher

QUIZ
Given that a Caesar ciphertext has K as the highest frequency letter. What is the key of the Caesar cipher?
A. 5
B. 6
C. 7
D.
8

QUIZ
Which of the following ciphertexts cannot be decrypted using frequency analysis of letters?
A. Caesar cipher with key = 19
B. Mono-alphabetic cipher using one of the permutations of the alphabet letters as key
C. Vigenère cipher with key = AAA
D. Transposition cipher with key = WEAK

At the end of the lesson, you should be able to:
▪ Explain and apply cryptanalysis techniques
▪ Distinguish between substitution and transposition ciphers

AY2024 Sem2 C235 : IT Security and Management
Lesson 5.1 : Modern Symmetric Cryptography

Learning Objectives
▪ Explain the basic mechanism of symmetric key algorithms
▪ Explain how modern cryptography is built
▪ Describe different attacks on encryption systems

What is Symmetric Key Algorithm?
The SAME key is used to encrypt and decrypt a message. Examples of symmetric key algorithms:
▪ Caesar cipher
▪ Vigenère cipher
▪ Columnar Transposition cipher
▪ Rail Fence cipher
▪ One-Time Pad cipher

What is Symmetric Key Algorithm?
The SAME key is used to encrypt and decrypt a message.
▪ Caesar cipher: Encryption Key: 4, Decryption Key: 4
  Plaintext:  BOMB
  Ciphertext: FSQF
▪ Vigenère cipher: Encryption Key: SCOT, Decryption Key: SCOT
  Plaintext:  K I N G O F E N G L A N D
  Key:        S C O T S C O T S C O T S
  CipherText: C K B Z G H S G Y N O G V

Modern Cryptography
The two most common types of encryption algorithm used in modern cryptography are the block and stream ciphers. Modern ciphers are normally made of a set of simple ciphers, e.g., XOR ciphers.

XOR Cipher
XOR (eXclusive OR) is a binary operation where:
▪ 0 ⊕ 0 = 0
▪ 0 ⊕ 1 = 1
▪ 1 ⊕ 0 = 1
▪ 1 ⊕ 1 = 0
This property allows us to use it as a symmetric cipher.
XOR Encryption:                XOR Decryption:
Text:   65 = 0100 0001         Cipher: 03 = 0000 0011
Key:    66 = 0100 0010         Key:    66 = 0100 0010
      ⊕ ---------------              ⊕ ---------------
Cipher: 03 = 0000 0011         Text:   65 = 0100 0001

Stream Cipher
▪ Encrypts on a byte-by-byte (or character-by-character) basis
▪ Faster but generally weaker
▪ Used in the following encryption algorithms: Caesar, Vigenère
[Figure: bit stream generation algorithm feeds XOR; plaintext is encrypted byte by byte into ciphertext]

Block Cipher
▪ Encrypts a group of bytes/characters (a block) at a time
▪ Slower but generally stronger
▪ Used in the following encryption algorithms: Rail Fence, Columnar Transposition
[Figure: plaintext goes through the encryption algorithm block by block into ciphertext]

Modern Symmetric Ciphers
DES
DES is a block cipher. The block size is 64 bits, which means DES takes a 64-bit input and outputs 64 bits of ciphertext. This process is repeated for all 64-bit blocks in the message. DES uses a key length of 56 bits, and all security rests within the key. The same DES algorithm and key are used for both encryption and decryption. In 1999, a supercomputer and 100,000 PCs ran through 240 billion keys per second and broke a 56-bit DES key in less than a day. By 2016, 8 nVidia GPUs could do this in less than 2 days.
3DES
Triple-DES (or 3DES) is a variant of DES. Depending on the specific variant, it uses either 2 or 3 keys instead of the single key that DES uses. It also spins through the DES algorithm 3 times via what is called multiple encryption.
AES
AES can have key sizes of 128, 192, and 256 bits, with the size of the key affecting the number of rounds used in the algorithm. Longer key versions are known as A​ES-192 and AES-256 respectively. It is also a block cipher.
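As an added example (not code from the lecture slides), the Python below shows the two ways this lesson uses XOR: byte by byte as a stream cipher, where the same function encrypts and decrypts because x ⊕ k ⊕ k = x, and as the mixing step inside a block cipher. The block cipher is a constructed teaching toy with the same shape as DES (split the 64-bit block into halves, XOR a round function of one half into the other, swap, repeat), so that, as with DES, the same algorithm and key serve for both encryption and decryption; its round function and key schedule are invented for this example and are not DES's S-boxes or key schedule, and the key and message values are constructed.

```python
"""Added example: XOR as a symmetric cipher, used byte by byte as a stream
cipher and as the mixing step of a toy Feistel block cipher. The Feistel
cipher and its key schedule are constructed for teaching and are not DES;
they only share its shape (split the block, XOR the round function into one
half, swap, and run the rounds backwards to decrypt)."""
import hashlib
import struct

ROUNDS = 4
MASK32 = 0xFFFFFFFF


def xor_bytes(data, key):
    """Stream-style XOR: each data byte is XORed with the key byte at the same
    position, the key repeating as needed. Because x ^ k ^ k == x, the same
    call both encrypts and decrypts (the slide's 65 ^ 66 = 3 example is
    xor_bytes(b'A', b'B'))."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def round_keys(key):
    """Constructed key schedule: one 32-bit subkey per round, derived by hashing
    the key together with the round number (DES instead selects 48 key bits per round)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:4], 'big')
            for r in range(ROUNDS)]


def f(right, subkey):
    """Toy round function on a 32-bit half: add the subkey, rotate, multiply by an
    odd constant and XOR. It stands in for DES's expansion, S-boxes and P-box;
    the only property relied on here is that it mixes its input well."""
    x = (right + subkey) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32
    return (x ^ subkey ^ ((x * 0x9E3779B1) & MASK32)) & MASK32


def feistel(block, subkeys):
    """Run one 64-bit block through the Feistel network. Each round computes
    R_next = L XOR f(R, k) and L_next = R; the final swap is undone so that
    running the same network with the subkeys reversed inverts it."""
    left, right = struct.unpack('>II', block)
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return struct.pack('>II', right, left)


def encrypt_block(block, key):
    return feistel(block, round_keys(key))


def decrypt_block(block, key):
    # Same algorithm and same key as encryption; the subkeys are applied in reverse order.
    return feistel(block, round_keys(key)[::-1])


def block_cipher(data, key, decrypt=False):
    """Block-by-block processing of a message whose length is a multiple of 8 bytes."""
    if len(data) % 8:
        raise ValueError('message length must be a multiple of the 8-byte block size')
    step = decrypt_block if decrypt else encrypt_block
    return b''.join(step(data[i:i + 8], key) for i in range(0, len(data), 8))


def bits_changed(a, b):
    """Number of bit positions in which two equal-length byte strings differ; useful
    for seeing how far a one-bit change in the input spreads through the output."""
    return sum(bin(x ^ y).count('1') for x, y in zip(a, b))


if __name__ == '__main__':
    key = b'8bytekey'                 # constructed 64-bit key
    message = b'ATTACK AT DAWN!!'     # constructed 16-byte message (two blocks)
    ct = block_cipher(message, key)
    print(ct.hex(), block_cipher(ct, key, decrypt=True))
    flipped = bytes([message[0] ^ 0x01]) + message[1:]
    print('bits changed in the first block by a 1-bit plaintext change:',
          bits_changed(ct[:8], block_cipher(flipped, key)[:8]), 'of 64')
```

The stream function is the slide's XOR table applied to whole bytes; its weakness is exactly that the key repeats, so with a short key the ciphertext inherits the plaintext's letter statistics. In the block cipher, XOR is the only step that brings the key into the data, and the Feistel arrangement means the round function never has to be invertible: decryption works by undoing each XOR with the same f value, which is why the slides can say that DES uses the same algorithm and key in both directions.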
Modern Symmetric Ciphers
DES
▪ Block cipher
▪ Block size: 64 bits, Key size: 56 bits
3DES
▪ Block cipher
▪ Block size: 64 bits, Key size: 168 bits (3*56 if all 3 keys are different)
AES
▪ Block cipher
▪ Block size: 128 bits
▪ Key sizes: 128, 192, and 256 bits

Modern Symmetric Ciphers - DES
Uses multiple combinations of transposition and substitution, together with XOR operations. We will illustrate how DES works in the next slide.

How does DES work?
1. Each block of 64 bits is split into two equal halves, Li and Ri (32 bits each).
2. The 56-bit key is modified depending on the round and 48 bits are selected.
3. The right block (Ri) is expanded from 32 bits to 48 bits.
4. The 48-bit key sequence and the 48-bit right block are XORed.
5. Eight S-boxes are used to transform the result into a 32-bit sequence.
6. The 32-bit sequence is permuted by the P-box to create a new 32-bit block.
7. The 32-bit block that is created is XORed with the left block (Li) to create the right block half (Ri+1) for the next round.
8. Ri will become the left block portion for the next round (Li+1).
9. The process is repeated for another 15 rounds starting from step 2.
[Figure: 64-bit block split into Li (32 bits) and Ri (32 bits); 48 bits chosen from the 56-bit key; Ri expanded to 48 bits, XORed with the 48 key bits, passed through the S-Boxes to 32 bits and permuted by the P-Box, then XORed with Li to give Ri+1; Ri = Li+1]

What makes a Good Cryptosystem?
Two properties that a good cryptosystem should have to hinder statistical analysis:
▪ Confusion
▪ Diffusion

Confusion and Diffusion
Confusion
▪ Hides the relationship between the key and the ciphertext through complexity.
▪ The key cannot be determined from the ciphertext.
Diffusion
▪ Hides the relationship between plaintext and ciphertext by spreading the statistics of the plaintext over the ciphertext.
▪ Defeats statistical analysis (remember that, with the weakest substitution ciphers, the hacker can use the letter frequency patterns to recover the plaintext from the ciphertext).
▪ Changing one bit of input results in at least a 50% change in the output.
▪ Uses a combination of transposition and substitution (or other more elaborate) methods, as in DES.
▪ Reference: Confusion and diffusion - Wikipedia

Evaluating Cryptosystems
Kerckhoffs’ principle (Kerckhoffs's principle - Wikipedia):
▪ “a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
Therefore:
▪ The key is the only thing that is secret.
▪ The algorithms (methods) should not be secret.
A good cryptosystem must be open. Only openness ensures rigorous testing by cryptography experts. If after rigorous testing, it is still