Cyber Security Primer PDF
Document Details
Uploaded by SparklingRetinalite3126
Dr. May El Barachi
Tags
Summary
This document is a lecture on cyber security, exploring the fundamentals of cybersecurity, risks, challenges, and defense mechanisms. The lecture covers topics such as the definition of cybercrime, malware types, social engineering, as well as, the importance of security awareness in preventing cyberattacks.
Full Transcript
CYBER SECURITY PRIMER CSIT040 – modern computing skills Instructor: Dr. May El Barachi News ! Gulf News Fake Website Victim tricked...
CYBER SECURITY PRIMER CSIT040 – modern computing skills Instructor: Dr. May El Barachi News ! Gulf News Fake Website Victim tricked (educated person) Cyber Crime section – Dubai Police e-mail forensics E-mail Security Awareness, 3rd Edition header analysis 2 What comes to your mind when you think about cyber security? 3 Importance of Cybersecurity The internet allows an attacker to work from anywhere on the planet. The more connected we are, the more exposed and vulnerable we become to cyber attacks. Risks caused by poor security knowledge and practice: Identity Theft Monetary Theft Legal Ramifications (for yourself and your organization) Sanctions or termination if policies are not followed According to the SANS Institute, the top vectors for vulnerabilities available to a cyber criminal are: Web Browser IM Clients Web Applications Excessive User Rights Cybersecurity is Safety Security: We must protect our computers and data in the same way that we secure the doors to our homes. Safety: We must behave in ways that protect us against risks and threats that come with technology. 8 Challenges of Securing Information Security is one of the most important topic in the computer world Volume and diversity of attacks make it hard to defend against attacks No single simple solution to protecting computers and securing information Different types of attacks Difficulties in defending against these attacks 9 Difficulties in Defending Against Attacks Table 1-2 Difficulties in defending against attacks 10 Difficulties in Defending Against Attackers Speed of attacks With modern tools attackers can quickly scan systems to find weaknesses and launch attacks, Slammer 75,000 computers in first 11 mins Greater sophistication of attacks Hackers can use common internet tools (e-mail, HTTP) to send data or commands to attack computers, making it tricky to distinguish an attack from legitimate traffic Attackers detect weaknesses faster and can quickly exploit these vulnerabilities Even in 2004, there was only 5.8 days between the disclosure of a vulnerability and the release of an attack 11 Difficulties in Defending Against Attackers Increasing number of Zero Day attacks Occurs when an attacker discovers and exploits a previously unknown flaw. Attack can run rampant during the time spent to identify the vulnerability and issue a fix. Average time was 56.07 hrs in 2022 Distributed attacks Attackers can use thousands of computers (zombies, botnets) in an attack against a single computer or network. Denial of Service attack 12 Difficulties in Defending Against Attackers User confusion (most difficult to defend against) Users often have to make difficult security decisions regarding their computer systems, often with little or no information; e.g. Is it ok to open this port? (to unauthorized users!, what is a port?) Is it safe to quarantine this attachment? Do I want to permit my bank to install this add-in? The delay in applying software patches is another example of user confusion A patch is software used to repair security flaws or other problems in existing software, and is one of the primary defenses against attacks Many attacks have been successful due to users not installing patches long after they were available Vendors are also overwhelmed by the number of patches that need to be produced, to keep up with the rapidly produced malware. 13 Difficulties in Defending Against Attacks (simplicity of attack tools) Figure 1-1 Increased sophistication of attack tools 14 Difficulties in Defending Against Attacks (simplicity of attack tools) Figure 1-2 Menu of attack tools 15 Defining Information Security? 1. Describes task of guarding information that is in a digital format This information has high value to people and organizations. Examples ? There are some important security properties of the information that should be protected. 2. Ensures that protective measures are properly implemented creates a defense that attempts to ward off attacks and prevents the collapse of the system when an attack occurs, ie. Information Security is Protection ** What are the characteristics/properties of information that should be protected? 16 The C.I.A. Triangle Principles of Information Security, 2nd Edition Confidentiality: prevent unauthorized disclosure of sensitive information for data at rest, in transit or during transformation. Integrity: prevent unauthorized modification, replacement, corruption or destruction of systems or information. Availability: prevent disruption of service and productivity, addressing threats that could Integrity render systems inaccessible. Integrity 17 Other critical characteristics of information Integrity Availability Authenticity: Information is Utility: genuine and original/ data Information has origin can be value for some Information identified purpose accurately Possession: Confidentiality Ownership and control of information Accuracy: Info is free from mistakes and errors Examples - Availability Example violation: After you log in to the ZU network, you find that the library’s electronic catalog is not working (i.e., the resources you have access to are not available to you) 19 Examples - Accuracy Example violation: You have attended a class, but your teacher has marked you absent 20 Examples - Authenticity Example violation: You receive an SMS from your friend’s phone, but the content of the SMS does not seem to come from your friend. Is the SMS truly from your friend? Or has your friend just lost her phone and this message actually comes from a stranger? 21 Examples - Confidentiality Example violation: I left my phone banking personal identity number (PIN) on my desk. You call my bank and use my PIN to check my bank account balance. (You are not supposed to be authorized to access my banking information) 22 PIN issued by a bank 23 Examples - Integrity Example violation: (1) Noise in the transmission media cause data to lose its integrity; (2) You hack into my account and change your attendance record Closely related to and overlap with the concept of accuracy 24 Utility Example violation: You search for information about robotics on a search engine, but it returns you web pages in Japanese (and you don’t know Japanese) Another example? 25 Possession Example violation: I save the mid-term exam questions in a memory key and you steal it from me Closely related to the concept of confidentially. But the violation of possession does not necessarily mean violation of confidentiality… e.g., I may have already encrypted my memory key. Even if you now possess my memory key, you can’t read the files that contain the exam questions. 26 What critical characteristic(s) of information have been compromised? Question 1 A competitor steals Coca Cola’s secret formula. 28 Question 2 An on-line payment system alters an electronic check to read $10,000 instead of ¥10,000 29 Question 3 In 2020, a 15-year old Canadian boy launched denial-of-service attacks against websites belonging to several companies, including Amazon, Dell and eBay. The sites were bombarded with thousands of simultaneous messages, which prevented users from accessing them for up to five hours. 30 User Awareness System Administrators Some scripts appear useful to manage networks… Cracker: Computer-savvy Posts to programmer creates Hacker Bulletin Board attack software SQL Injection Buffer overflow Script Kiddies: Password Crackers Unsophisticated Password Dictionaries computer users who know how to execute programs Successful attacks! Crazyman broke into … CoolCat penetrated… Criminals: Create & sell bots -> generate spam Malware package earns $1K-2K Sell credit card numbers, 1 M Email addresses earn $8 etc… 10,000 PCs info earn $1000 31 Leading Threats & attack tools Viruses Worms Trojan Horses / Logic Bombs Social Engineering Rootkits Botnets / Zombies What is the difference between all these malware anyway? Viruses A virus attaches itself to a program, file, or disk. Program When the program is executed, the virus activates and A replicates itself. Extra Code The virus may be benign or malignant but executes its payload at some point (often upon contact). Viruses can cause computer crashes and loss of data. infects In order to recover or prevent virus attacks: Avoid potentially unreliable websites/emails. Program System Restore. B Re-install operating system. Use and maintain anti-virus software. Viruses Worms Independent program that replicates itself and sends copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate. Logic Bombs and Trojan Horses Logic Bomb: Malware logic executes upon certain conditions. The program is often used for otherwise legitimate reasons. Examples: Software which malfunctions if maintenance fee is not paid. Employee triggers a database erase when he is fired. Trojan Horse: Masquerades as a benign program while quietly destroying data or damaging your system. Download a game: It may be fun but contains hidden code that gathers personal information without your knowledge. Logic Bombs and Trojan Horses Social Engineering Social engineering is using psychology and social interactions to manipulate people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems. Phone Call: Email: This is John, ABC Bank has the System In Person: noticed a Administrator. What ethnicity problem with What is your are you? Your your account… password? mother’s maiden name? I have come to repair your and have machine… some lovely software patches! Social Engineering Phishing: Counterfeit Email A seemingly trustworthy entity asks for sensitive information such as EID, credit card numbers, login IDs or passwords via e-mail. Pharming: Counterfeit Web Pages Wiping over, but not clicking the link may reveal a different Misspelled address. With whom? Copyright date is old The link provided in the e-mail leads to a counterfeit webpage which collects important information and submits it to the owner. The counterfeit web page looks like the real thing Extracts account information 42 Botnet A botnet is a number of compromised computers used to create and send spam or viruses or flood a network with messages as a denial of service attack. The compromised computers are called zombies. Botnet in action Man In The Middle Attack An attacker pretends to be your final destination on the network. When a person tries to connect to a specific destination, an attacker can mislead him to a different service and pretend to be that network access point or server. Man In The Middle Attack – can you show me an example? Password Cracking Dictionary Attack and Brute Force Pattern Calculation Result Time to Guess (2.6x1018 tries/month) Personal Info: interests, relatives 20 Manual 5 minutes Social Engineering 1 Manual 2 minutes American Dictionary 80,000 < 1 second 4 chars: lower case alpha 264 5x105 8 chars: lower case alpha 268 2x1011 8 chars: alpha 528 5x1013 8 chars: alphanumeric 628 2x1014 3.4 min. 8 chars alphanumeric +10 728 7x1014 12 min. 8 chars: all keyboard 958 7x1015 2 hours 12 chars: alphanumeric 6212 3x1021 96 years 12 chars: alphanumeric + 10 7212 2x1022 500 years 12 chars: all keyboard 9512 5x1023 16 chars: alphanumeric 6216 5x1028 47 Identifying Security Compromises Symptoms: Antivirus software detects a problem. Disk space disappears unexpectedly. Pop-ups suddenly appear, sometimes selling security software. Files or transactions appear that should not be there. The computer slows down to a crawl. Unusual messages, sounds, or displays on your monitor. Stolen laptop: 1 stolen every 53 seconds; 97% never recovered. The mouse pointer moves by itself. The computer spontaneously shuts down or reboots. Often unrecognized or ignored problems. 48 Malware detection Spyware symptoms Changes to your browser homepage/start page. Ending up on a strange site when conducting a search. System-based firewall is turned off automatically. Lots of network activity while not particularly active. Excessive pop-up windows. New icons, programs, favorites which you did not add. Frequent firewall alerts about unknown programs when trying to access the Internet. Poor system performance. 49 Best Practices to avoid these threats uses multiple layers of defense to address technical, personnel and operational issues. User Account Controls Anti-virus and Anti-spyware Software Anti-virus software detects certain types of malware and can destroy it before any damage is done. Install and maintain anti-virus and anti-spyware software. Be sure to keep anti-virus software updated. Many free and commercial options exist. Contact your Technology Support Professional for assistance. Host-based Firewalls A firewall acts as a barrier between your computer/private network and the internet. Hackers may use the internet to find, use, and install applications on your computer. A firewall prevents many hacker connections to your computer. Firewalls filter network packets that enter or leave your computer Protect your Operating System Microsoft regularly issues patches or updates to solve security problems in their software. If these are not applied, it leaves your computer vulnerable to hackers. The Windows Update feature built into Windows can be set up to automatically download and install updates. Avoid logging in as administrator Apple provides regular updates to its operating system and software applications. Apply Apple updates using the App Store application. Use Strong Passwords Make passwords easy to remember but hard to guess: USG standards: Be at least ten characters in length Must contain characters from at least two of the following four types of characters: English upper case (A-Z) English lower case (a-z) Numbers (0-9) Non-alphanumeric special characters ($, !, %, ^, …) Must not contain the user’s name or part of the user’s name Must not contain easily accessible or guessable personal information about the user or user’s family, such as birthdays, children’s names, addresses, etc. Creating Strong Passwords A familiar quote can be a good start: “LOVE IS A SMOKE MADE WITH THE FUME OF SIGHS” William Shakespeare Using the organization standard as a guide, choose the first character of each word: LIASMWTFOS Now add complexity the standard requires: L1A$mwTF0S (10 characters, 2 numerals, 1 symbol, mixed English case: password satisfies all 4 types). Or be more creative! Password Guidelines Never use admin, root, administrator, or a default account or password for administrative access. A good password is: Private: Used by only one person. Secret: It is not stored in clear text anywhere, including on Post-It® notes! Easily Remembered: No need to write it down. Contains the complexity required by your organization. Not easy to guess by a person or a program in a reasonable time, such as several weeks. Changed regularly: Follow organization standards. Avoid shoulder surfers and enter your credentials carefully! If a password is entered in the username field, those attempts usually appear in system logs. Avoid Social Engineering and Malicious Software Do not open email attachments unless you are expecting the email with the attachment and you trust the sender. Do not click on links in emails unless you are absolutely sure of their validity. Only visit and/or download software from web pages you trust. 57 Avoid Stupid Hacker Tricks Be sure to have a good firewall or pop-up blocker installed. Pop-up blockers do not always block ALL pop-ups so always close a pop-up window using the ‘X’ in the upper corner. Never click “yes,” “accept” or even “cancel.” Infected USB drives are often left unattended by hackers in public places. 58 Secure Business Transactions Always use secure browser to do online activities. Frequently delete temp files, cookies, history, saved passwords etc. https:// Symbol indicating enhanced security Backup Important Information No security measure is 100% reliable. Even the best hardware fails. What information is important to you? Is your backup: Recent? Off-site & Secure? Process Documented? Encrypted? Tested? INTRO TO ETHICAL HACKING CSIT040 – modern computing skills Instructor: Dr. May El Barachi Defining Penetration Testing The term “hacker” How my English dictionary defines a hacker - A person who uses computers to gain unauthorised access to data - An enthusiastic and skilful computer programmer or user Different kinds of hackers White Hat Hackers (= ethical Hackers): Hackers thinking like attacking party but they work for the good guys. They are characterised by having a code of ethics which stipulates that they cause no harm. Grey Hat Hackers: Hackers straddling the line between good sides and bad sides. Perhaps they have been “rehabilitated”. Black Hat Hackers: Hackers operating on the wrong side of the law. They may have an agenda or no agenda at all. Cyberterrorists: A new form of hackers trying to destroy targets and cause bodily harm. Sometimes their actions are not stealthy. 8 Defining Penetration Testing Penetration tester? A penetration tester or a pen tester is a white hat hacker employed either as an internal employee or as an external entity to conduct a penetration test. Penetration testing? Surveying, assessing and testing the security of a given organization by using the same techniques, tactics and tools that a malicious hacker (black hat hacker and/or cyberterrorist) would use. In this subject, I would equate “penetration testing” with “ethical hacking”. Summary penetration testing = pentesting = ethical hacking Penetration tester = pentester = white hat hacker 9 Categories of Cybercrime According to Law - Reminder Identity theft Stealing of the information that allow a person to impersonate other person(s) for illegal purposes, mainly financial gains such as opening credit card/bank account, obtaining rental properties and etc. Theft of service Use of phone, Internet, streaming movies or similar items without permission; it usually involves password cracking Example: Sharing a Netflix account with even friends can be considered as theft and can be prosecuted in certain states of US. Network intrusion or unauthorized access Most common type of attack; it leads to other cybercrimes Example: Breaking into your neighbour’s WiFi network will open a lot of opportunities of attack. Categories of Cybercrime According to Law Posting and/or transmitting illegal material Distribution of pirated software/movies, child pornography Getting hard to stop it due to file sharing services, encryption and etc. Fraud Deceiving another party or parties to illicit information or access typically for financial gain or to cause damage Embezzlement A form of financial fraud involving theft and/or redirection of funds Dumpster Diving Gathering information from discarded/unattended material (ATM receipt, credit card statement and etc.) Going through rubbish itself is not illegal but going through rubbish in private property is Categories of Cybercrime According to Law Writing malicious codes Malicious codes refer to items like viruses, worms, spyware, adware, rootkits, ransomware and other types of malware This crimes is to cause havoc and/or disruption Unauthorized destruction or alteration of information This covers modifying, destroying and tampering with information without appropriate permission DoS (Denial of Service) /DDoS (Distributed Denial of Service) Overloading a system’s resources so that it cannot provide the required services to legitimate users DDoS is performed in a larger scale – It is not possible to prevent DoS by blocking one source Categories of Cybercrime According to Law Cyberstalking/Cyberbullying A relatively new crime on the list. The attacker uses online resources and other means to gather information about an individual and uses this to track, in some cases, to meet the person (cyberstalking); to harass the person (cyberbullying) Cyberterrorism Attackers make use of the internet to cause significant bodily harm to achieve political gains The scope of cyberterrorism is controversial Related to information warfare Let us test your understanding on this! Scenario: John steals personal information, including emirates ID numbers and credit card details, from unsuspecting individuals and uses it to open fraudulent bank accounts. What type of cybercrime is John committing? Scenario: Mary uses software to bypass the payment system of an online streaming platform and accesses premium content without paying for it. What type of cybercrime is Mary committing? Scenario: Mark gains unauthorized access to a company's computer network and extracts sensitive customer data. What type of cybercrime is Mark committing? Scenario: Sarah distributes copyrighted movies and software through a file-sharing service, allowing others to download them for free. What type of cybercrime is Sarah committing? Scenario: Tom deceives individuals into providing their bank account details by posing as a bank representative through email. He then uses this information to steal funds. What type of cybercrime is Tom committing? Let us test your understanding on this! Scenario: Lisa searches through trash bins outside a company's office to find discarded documents containing sensitive customer information. What type of cybercrime is Lisa committing? Scenario: Alex creates a computer virus that infects other users' devices, causing them to crash or steal personal information. What type of cybercrime is Alex committing? Scenario: Peter alters financial records within a company's database to redirect funds to his personal account. What type of cybercrime is Peter committing? Scenario: Emily floods a website's server with a massive amount of traffic, making it unavailable to legitimate users. What type of cybercrime is Emily committing? Scenario: Jessica repeatedly sends threatening and harassing messages to a classmate through social media platforms. What type of cybercrime is Jessica committing? Penetration Testing Methodology 1. Determining the objectives and scope of the job 2. Choosing the type of test to perform 3. Gaining permission via a contract 4. Performing penetration testing Process of penetration testing specifies steps 4.1 to 4. 6 5. Creating a risk mitigation plan (RMP) 6. Cleaning up any changes made during the test 1 6 Penetration Testing Methodology 1. Determining the objectives and scope of the job A pentester and a client should meet to discuss the objectives of the test Examples of objectives To determine security weakness To test an organization's security policy compliance, its employees’ security awareness To test an organization's ability to identify and respond to security incidents Scope of the test Usual network penetration testing Social engineering testing: Human aspect in vulnerability Application security testing: Finding flaws in software applications Physical penetration testing: Testing the security of premises where digital assets and network resources are stored 1 7 Penetration Testing Methodology 2. Choosing the type of test to perform Three typical types of testing 1) Black-Box Testing Most closely resembles the situation of an outside attack This test is called “external test” Execute the test from a remote location much like a real attacker The pentester will be extremely limited on information of the target 2) Grey-Box Testing The pentenster will have some limited knowledge on the target, for example, (at least) what operating system the target is mainly using 3) White-Box Testing This gives the pentester full knowledge on the target Basically this test simulates “insider attack” This test is called “internal test” 1 8 Penetration Testing Methodology 3. Gaining permission via a contract It is vitally important to get clear and unambiguous permission to perform a pentest. A written form of authorization rather than a verbal authorization is important. It should include: Systems to be evaluated Perceived risks Timeframe Actions to be performed when a serious problem is found Deliverables Penetration Testing Methodology 4. Performing penetration testing (More to come regarding this) 5. Creating a Risk Mitigation Plan (RMP) Purpose: RMP is to develop options and actions to enhance opportunities and reduce threats in an organization Contents: RMP should clearly document all the actions that took place including the results, interpretations and recommendations 4. Cleaning up any changes made during the test This is obvious step needed to prevent possible mishaps Penetration Testing Process What do we want to achieve? CIA triad Confidentiality Keep information secret/private from those who are not authorized Integrity Keep information in a format that retains its original purpose and meaning Availability Integrity Keep information and resources available to those legitimate What do we want to prevent? Anti CIA triad Improper disclosure Accidental or malicious revealing of information Unauthorized altercation Accidental or malicious modification of information Disruption Accidental or malicious disturbance Unauthorised altercation of information or resources LET US LEARN ABOUT THE FIRST STEP: INTELLIGENCE GATHERING Let us start by a proverb! “know yourself, know your enemy, and you shall win a hundred battles without loss” -- General Sun Tzu Introduction to Intelligence Gathering Intelligence gathering is a process of ethical hacking through which a pentester locates information about a target, which will be useful for later steps of the attack. Intelligence gathered about a target may refine the steps that will come later. Anything that have potential to be exploited should be sought. It is important to develop an “eye” to detect the useful information carefully, but sheer “luck” could work. Consequences to Intelligence Gathering Reputation/Business loss If customers find that their information and/or other data is not properly secured, the reputation of a company will be eroded and the incident will cause the customers to go elsewhere. Information leakage Vital information such as project information, employee data, personal details, financial information, or any of a number of possibilities can be lost. Consequences to Intelligence Gathering Privacy Loss If the information that is supposed to be kept confidential is lost, the legal repercussions as well as the loss of confidence can result. Corporate information Information that is uncovered through the intelligence gathering process can be sold to the competitors looking for details about their opponents. Types of information to be gathered Technical information Information regarding operating system, network and applications, IP addresses and/or IP address ranges, and device information. Additionally, information regarding webcams, alarm systems, mobile devices and etc. Administrative information Organizational structure, corporate policies, hiring procedures, details of employees, phone directories, vendor information, and etc. Physical details Data about location and facility. Intelligence gathering methods Passive Methods that do not engage the target. If the target is not engaged, little or no indication of an impending attack will be given to the target. Active Methods that do engage the target by, for example, making phone calls to the company, help desk, employees and/or other personnel. Care should be taken not to give the target an indication of the attack. Open Source Intelligence (OSINT) gathering Gathering intelligence from those sources that are typically publicly available and open. A kind of passive information gathering method. The least aggressive method. Gathering info about a domain Netcraft A website that provides comprehensive information about technologies that a domain uses URL: http://toolbar.netcraft.com/site_report In fact, Netcraft will provide almost all the information whois can provide It provides information about web hosting company, hosting history, type of web server, whether it sends spam, server-side and client-side technologies, web applications used and etc. (Many more!) All the above information can be exploited to find vulnerabilities of the target Gathering info about a domain Netcraft example As an example, query www.howtogeek.com on netcraft You can see this site is using WordPress as blog software Then go to www.exploit-db.com and search wordpress A long list of exploitable vulnerabilities exist! Gathering info about sub-domains Finding subdomains Subdomain: A subdomain is a domain which is a part of a larger domain Example uow.edu.au has subdomains media.uow.edu.au, eis.uow.edu.au, and etc. Reasons for having subdomains To organize content more effectively by giving different divisions or departments their own subsite that they can control and manage Or companies may want to “hide” contents by having subdomain sites, for example: beta.facebook.com A few web tools for searching for subdomains exist: https://searchdns.netcraft.com/ https://pentest-tools.com/information-gathering/find- subdomains-of-domain (more effective) Gathering intelligence from website What can be found People (personnel) Email addresses Physical addresses Job postings leaking information Product, project and service information Gathering intelligence about website Electronic dumpster diving (finding websites that do not exist any more) Process of looking for old, obsolete and obscure old data The Wayback Machine (archive.org) can be used The Wayback Machine project which started in 1996 contains around 435 billion web pages that have been archived Visit web.archive.org to get old web pages of our university Gathering intelligence about website The same server different websites: One server can serve/handle multiple websites. Gaining access to one of those websites on the same server can be helpful to attack others. Visit https://www.yougetsignal.com/tools/web-sites-on-web-server/ and query a website you know Example Enter www.uow.edu.au on the active window and see the results. These websites share the same IP address as www.uow.edu.au TIME FOR THE LAB!
