SENG 411 Cyber Security Lecture Notes PDF
Emin Emrah Özsavaş
Summary
SENG 411 Cyber Security lecture notes cover various aspects of cyber security, including concepts, scope, and methodologies. The syllabus details weekly topics and sub-topics, along with related textbooks and resources. The material delves into different types of attacks categorized as passive, active, close-in, and distribution attacks.
Full Transcript
SENG 411 Cyber Security
Dr. Emin Emrah Özsavaş [email protected]

Aim & Scope
- Describe the elements of cyber security
- Explain cyber threats and attacks
- Describe hacking methodologies
- Understand security controls and countermeasures
- Understand security governance

Textbook & other material
- Ethical Hacking and Countermeasures Ver. 12, EC-Council 2022
- CISSP All-in-One Exam Guide, Fernando Maymi, Shon Harris, McGraw Hill 2022
- Practical Information Security Management: A Complete Guide to Planning and Implementation, Tony Campbell, Apress 2016

Syllabus
Week 1 - Introduction and Basics: language of security, overview
Week 2 - Identity and Access Management, System Architectures: identification, authentication, authorization, access control, system architecture concepts
Week 3 - Cryptography: symmetric and asymmetric encryption, hash functions, digital signatures
Week 4 - Network Security: network attacks, security architectures, countermeasures
Week 5 - Hacking Methodology: footprinting and reconnaissance, scanning networks, enumeration, vulnerability analysis
Week 6 - Hacking Methodology and Sniffing: system hacking (gaining access, escalating privileges, maintaining access, clearing logs), sniffing concepts and techniques
Week 7 - Malware Threats: malware concepts, APT, trojan, virus, worm, analysis, countermeasures
Week 8 - Social Engineering and Session Hijacking: concepts, threats, countermeasures
Week 9 - Web Server and Web Application Security: concepts, threats, countermeasures
Week 10 - Mobile and Cloud Security: concepts, threats, countermeasures
Week 11 - Wireless, IoT, and OT Security: concepts, threats, countermeasures
Week 12 - Security Operations, Role of AI/ML: threat intelligence, digital evidence and incident response, digital forensics, AI/ML in security posture
Week 13 - Security Governance: risk management, organizational security, security implementation, secure system development
Week 14 - General Review

Grading
- Assignments & quizzes
- Midterm exam
- Final exam

Language of security & overview

InfoSec, IT/ICT Sec, Cyber Sec
* Information security: protection of information from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide confidentiality, integrity, and availability.
  - covers information both digital and analog; includes personnel, physical, ICT, and document security.
* IT security: protection of information technologies; there is no difference between ICT security and IT security.
* Cyber security: the ability to protect or defend the use of cyberspace from cyber attacks. It covers both information and non-information assets. Cyber security is about the security of anything in the cyber realm (cyberspace); information security is about the security of information regardless of the realm.

InfoSec
- Information: processed data
- Protecting the information: C.I.A.
(figure: the C.I.A. triad - Confidentiality, Integrity, Availability)

InfoSec
- Confidentiality: assurance that the information is accessible only to those authorized to have access
- Integrity: the trustworthiness of data or resources in terms of preventing improper or unauthorized changes
- Availability: assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users

InfoSec - typical controls
- Confidentiality: ACLs, file permissions, encryption ...
- Integrity: hash functions, digital signatures ...
- Availability: disaster recovery plan, proper backups, redundancy ...
'the condition of any backup is unknown until a restore is attempted'

InfoSec
Information assurance is the higher tier; InfoSec falls under it. It adds two more pillars: Information assurance = C.I.A.
+ authenticity + non-repudiation
- Authenticity: the characteristic of a communication, document, or any data that ensures it is genuine
- Non-repudiation: a guarantee that the sender of a message cannot later deny having sent it and that the recipient cannot deny having received it

InfoSec
- Authenticity: checking identity before allowing access. Three factor types: something you know, something you have, something you are
- Non-repudiation: knowing who sent or received information; implemented with digital signatures

Cyber Sec

Cyber Sec vs. Defense
- two interconnected disciplines
- focused on protecting critical digital assets and infrastructure
- prevention: reducing attack surfaces, hardening systems
- threat detection and minimizing the impact of incidents

Cyberwarfare
Fifth domain of battle (2011): the Pentagon declared that it accepts 'cyber' as the fifth domain of battle, after land, sea, air, and space.

Cyberwarfare
two major approaches:

Cyber security
- Protecting the cyber realm against cyber attacks and reducing the risks
- There are lots of hackers, cyber terrorists and spies (the general idea; is it true?)
- Risks stem from errors in hardware & software (broad perspective)
- Can we protect every asset?
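The integrity and authenticity pillars above list "hash functions, digital signatures" as integrity controls. The following added example (written for these notes, not code from the lecture or the textbooks) shows why a plain hash only protects against accidental corruption, why a keyed HMAC is needed to detect deliberate tampering, and why even an HMAC cannot give non-repudiation. The message, the tampering step and the key are constructed for the example.

```python
"""Hash vs. HMAC: integrity, authenticity and (the lack of) non-repudiation.

Added example, not part of the SENG 411 slides. The message, the attacker's
modification and the shared key are all constructed here.
"""
import hashlib
import hmac
import secrets

# Constructed inputs: a payment instruction and a key shared by sender and receiver.
MESSAGE = b"transfer 100.00 EUR to account 42"
KEY = secrets.token_bytes(32)


def sha256_tag(message: bytes) -> str:
    """Unkeyed digest: anyone who can change the message can recompute this."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """Keyed digest: recomputing it requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison leaks no timing
    # information about how many leading characters of the tag were correct.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def tamper(message: bytes) -> bytes:
    """Constructed attacker modification: change the amount in transit."""
    return message.replace(b"100.00", b"999.00")


def attack_plain_hash(message: bytes) -> bool:
    """Attacker modifies the message AND recomputes the unkeyed hash.

    Returns True when the receiver's integrity check still passes, i.e. the
    hash on its own gave no protection against a deliberate change.
    """
    forged = tamper(message)
    forged_tag = sha256_tag(forged)          # attacker needs no secret for this
    return sha256_tag(forged) == forged_tag  # receiver's check


def attack_hmac(key: bytes, message: bytes) -> bool:
    """Attacker modifies the message but does not know the key.

    The best the attacker can do is reuse the original tag; the receiver's
    HMAC check fails, so the modification is detected. Returns True only if
    the forgery were accepted.
    """
    original_tag = hmac_tag(key, message)
    forged = tamper(message)
    return verify_hmac(key, forged, original_tag)


def receiver_can_forge(key: bytes) -> bool:
    """Why HMAC gives no non-repudiation: the receiver holds the same key and
    can produce a valid tag for any message, so a valid tag does not prove
    that the sender produced it. A digital signature (private key only at
    the sender) is needed for that pillar."""
    claimed = b"transfer 1.00 EUR to account 42"  # message the sender never sent
    return verify_hmac(key, claimed, hmac_tag(key, claimed))


if __name__ == "__main__":
    print("plain hash: forgery accepted?", attack_plain_hash(MESSAGE))   # True
    print("HMAC:       forgery accepted?", attack_hmac(KEY, MESSAGE))    # False
    print("receiver can mint a valid tag?", receiver_can_forge(KEY))      # True
```

The first two calls show the difference between an integrity control that assumes an honest channel and one that assumes an active attacker; the third is the reason non-repudiation is listed as a separate pillar that needs asymmetric signatures.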
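The slide further on ("Example: a system that allows weak passwords") asks the reader to separate vulnerability, threat and risk. The following added example (written for these notes, not code from the lecture or the textbooks) makes each concrete: the vulnerability is a password policy that accepts wordlist entries and a fast hash, the threat is a dictionary attack, the risk is the account being cracked, and the countermeasures are a policy check plus a slow salted key-derivation function. The wordlist and the passwords are constructed; `store_password`, `dictionary_attack` and `password_policy_ok` are names chosen here.

```python
"""Weak passwords as vulnerability / threat / risk, with countermeasures.

Added example, not part of the SENG 411 slides. The wordlist and the
passwords are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time

# Constructed attacker wordlist (a real one would hold millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "summer2024"]


def store_password(password: str, iterations: int = 1, salt: bytes | None = None) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record. iterations=1 models the vulnerable
    'fast hash' configuration; a large count is the countermeasure."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def dictionary_attack(record: dict, wordlist: list[str]) -> tuple[str | None, int]:
    """The threat: try every wordlist entry against the stored record.
    Returns (cracked_password or None, number_of_guesses_made)."""
    for guesses, guess in enumerate(wordlist, start=1):
        candidate = hashlib.pbkdf2_hmac(
            "sha256", guess.encode(), record["salt"], record["iterations"]
        )
        if hmac.compare_digest(candidate, record["digest"]):
            return guess, guesses
    return None, len(wordlist)


def password_policy_ok(password: str, wordlist: list[str], min_length: int = 12) -> bool:
    """Countermeasure 1: reject short passwords and anything in the wordlist.
    Removing the vulnerability removes the risk even if the threat persists."""
    return len(password) >= min_length and password.lower() not in set(wordlist)


def attack_cost_seconds(record: dict, wordlist: list[str]) -> float:
    """Countermeasure 2, measured: wall-clock time for one pass over the
    wordlist. A slow KDF multiplies the attacker's cost per guess."""
    start = time.perf_counter()
    dictionary_attack(record, wordlist)
    return time.perf_counter() - start


if __name__ == "__main__":
    weak = store_password("letmein", iterations=1)
    print("weak record cracked as:", dictionary_attack(weak, WORDLIST))
    strong = store_password("correct horse battery staple", iterations=50_000)
    print("strong record cracked as:", dictionary_attack(strong, WORDLIST))
    print("policy accepts 'letmein'?", password_policy_ok("letmein", WORDLIST))
    slow_weak = store_password("letmein", iterations=50_000)
    print("seconds per wordlist pass, fast vs slow hash:",
          attack_cost_seconds(weak, WORDLIST), attack_cost_seconds(slow_weak, WORDLIST))
```

Note that the slow KDF alone does not save a wordlist password: `letmein` is still found, it just takes longer per guess. The policy check is what removes the vulnerability; the KDF limits the damage when the policy is bypassed or the password database leaks.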
Cyber security
Hardware & software errors:

Cyber security
Three basic components:
- Vulnerability: a weakness of a system; when it is exploited, loss and damage may occur
- Threat: a situation that can cause loss or damage through that weakness; it is resolved when the weakness is prevented. It may be an attack or the fault of an innocent person. Exploiting a vulnerability intentionally is called an 'attack'
- Countermeasure: resolving a vulnerability

Cyber security
Risk: the potential for loss, damage, or destruction of an asset, as a result of a threat exploiting a vulnerability
* BCP: Business Continuity Planning

Cyber security
Example: a system that allows weak passwords
* A password is vulnerable to dictionary or exhaustive key (brute-force) attacks
* An intruder can exploit the password weakness to break into the system
* Resources within the system are prone to illegal access/modification/damage by the intruder
Which of these is the vulnerability, the threat, and the risk?

Cyber security
Attacks = Motive (Goal) + Method + Vulnerability
* motives originate from the notion that the target system stores or processes something valuable
* attackers try various tools and attack techniques to exploit vulnerabilities

Cyber security
Motives:
- Disrupt business continuity
- Perform information theft
- Manipulate data
- Create fear and chaos by disrupting critical infrastructures
- Bring financial loss to the target
- Propagate religious or political beliefs
- Achieve a state's military objectives
- Damage the reputation of the target
- Take revenge
- Demand ransom

Cyber security
Classification of attacks:
- Passive attacks
- Active attacks
- Close-in attacks
- Insider attacks
- Distribution attacks

Cyber security
Classification of attacks / Passive attacks:
- intercepting and monitoring network traffic and data flow on the target network without tampering with the data
- very difficult to detect, as the attacker has no active interaction with the target system or network
  o Footprinting
  o Sniffing and eavesdropping
  o Network traffic analysis

Cyber security
Classification of attacks / Active attacks:
- tamper with the data in transit, or disrupt communication or services, to bypass or break into secured systems
  o Man-in-the-Middle attack
  o DNS and ARP poisoning
  o Compromised-key attack
  o Denial-of-service (DoS) attack
  o Firewall and IDS attack
  o Bypassing protection mechanisms
  o Profiling
  o Malware attacks (such as viruses, worms, ransomware)
  o Arbitrary code execution
  o Privilege escalation
  o Backdoor access
  o Modification of information
  o Cryptography attacks
  o Spoofing attacks
  o SQL injection
  o Replay attacks
  o XSS attacks
  o Password-based attacks
  o Directory traversal attacks
  o Session hijacking
  o Exploitation of application and OS software

Cyber security
Classification of attacks / Close-in attacks:
- performed when the attacker is in close physical proximity to the target system or network
- main goal is to gather or modify information, or to disrupt access to it
  o Social engineering (eavesdropping, shoulder surfing, dumpster diving, and other methods)

Cyber security
Classification of attacks / Insider attacks:
- performed by trusted persons who have physical access to the critical assets of the target
- involve using privileged access
- insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information
- difficult to detect
  o Eavesdropping and wiretapping
  o Theft of physical devices
  o Data theft

Cyber security
Classification of attacks / Distribution attacks:
- occur when attackers tamper with hardware or software prior to installation
- examples are backdoors created by software or hardware vendors at the time of manufacture
- used to gain unauthorized access to the target

Cyber security
Hacking methodology:
* a step-by-step process to perform ethical hacking
* follows the same process as that of an attacker; the only differences are the hacking goals and strategies

Cyber security
* footprinting & reconnaissance: the attacker gathers as much information as possible about the target prior to launching an attack (IP address range, namespace,
and employees ...)
* scanning: used to identify active hosts, open ports, and unnecessary services enabled on particular hosts. Often the reconnaissance and scanning phases overlap, and it is not always possible to separate them
* enumeration: involves making active connections to a target system or subjecting it to direct queries; gathers information such as network user lists, routing tables, security flaws, shared users, groups, applications ...
* vulnerability analysis: examination of the ability of a system or application, including its current security procedures and controls

Cyber security
* System hacking: attackers follow a certain methodology to hack a system
  o Gaining access
  o Escalating privileges
  o Maintaining access
  o Clearing logs

Cyber security
Cyber Kill Chain methodology
- used for the identification and prevention of malicious intrusion activities; enhances intrusion detection and response
- provides greater insight into the attack phases; helps security professionals identify the steps that adversaries follow

Cyber security
Tactics, Techniques, and Procedures (TTPs)
- the activities and methods associated with specific threat actors or groups of threat actors; they characterize the behavior of a threat actor (hacker)
- helpful in analyzing threats and profiling threat actors; can further be used to strengthen the security infrastructure
- tactics: a guideline that describes the way an attacker performs an attack from beginning to end; used to predict and detect evolving threats in their early stages
- techniques: the technical methods used by an attacker to achieve intermediate results during an attack; used to identify vulnerabilities and implement defensive measures in advance
- procedures: the organizational approach followed by the threat actors to launch their attacks; used to identify what the attacker is looking for within the target organization's infrastructure

Cyber security
Tactics, Techniques, and Procedures (TTPs)
- tactics (examples of choices an actor makes):
  o obtain information available on the Internet, or perform social engineering
  o approach the target employees one by one, or as a group
  o use a constant payload from the beginning to the end of the attack, or a changeable payload
- techniques: different techniques at each stage of the threat life cycle
  o for the 1st stage, in social engineering, certain non-technical software tools are used
  o for the middle stages, a set of tools is used
  o for the last stage there are technical and non-technical aspects

Cyber security
Tactics, Techniques, and Procedures (TTPs)
- procedures: a sequence of actions performed; the number of actions usually differs depending on the objectives of the procedure and the APT group; a detailed description of how tactics are executed using the chosen techniques

Cyber security

Cyber security
Indicators of Compromise (IoCs)
- clues, artifacts, and pieces of forensic data found on a network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization's infrastructure
- IoCs are not intelligence in themselves
- divided into four categories:
  o Email indicators: sender's email address, email subject, and attachments or links
  o Network indicators: URLs, domain names, and IP addresses
  o Host-based indicators: filenames, file hashes, registry keys, DLLs
  o Behavioral indicators: used to identify specific behavior related to malicious activities, such as code injection into memory or a document executing a PowerShell script

Cyber security
Indicators of Compromise (IoCs)
- Unusual outbound network traffic
- Unusual activity through a privileged user account
- Geographical anomalies
- Multiple login failures
- Increased database read volume
- Large HTML response size
- Multiple requests for the same file
- Mismatched port-application traffic
- Suspicious registry or system file changes
- Unusual DNS requests
- Unexpected patching of systems
- Signs of Distributed Denial-of-Service (DDoS) activity
- ...

Cyber security
MITRE ATT&CK (Adversarial Tactics, Techniques and Common
Knowledge) Framework
- a globally accessible knowledge base of adversary tactics and techniques based on real-world observations (https://attack.mitre.org)
- used as a foundation for the development of specific threat models and methodologies
- three collections of tactics and techniques: the Enterprise, Mobile, and ICS (industrial control systems) matrices
- 14 tactics for Enterprise and Mobile, 12 tactics for ICS, each with corresponding techniques

Cyber security

Cyber security
Attackers
- Amateur: downloads a tool, tries it, and uses it on another person's mobile phone to take a look at private photographs. Mostly script kiddies
- Hacker: innocent; they detect and report vulnerabilities to the owner of a system. Crackers are malicious hackers
- State-funded spy
- Terrorist

Cyber security
- Black hats: individuals with extraordinary computing skills who resort to malicious or destructive activities (crackers)
- White hats: individuals who use their skills for defensive purposes; security analysts; they have permission from the system owner
- Gray hats: individuals who work as black hat and white hat at various times

Cyber security
Ethical hackers:
- Work with professional and ethical values, no hidden agenda
- Get a "Get Out of Jail Free" document from the requestor (system owner)
- Report the findings; regular documentation
- Respect privacy (e.g., passwords, personally identifiable information - PII)
- No crashing of tested systems

Cyber security
Ethical hackers' technical capabilities:
- OS knowledge (Windows, Linux, Mac, Unix)
- Network knowledge (hardware & software)
- Attack knowledge and other capabilities
  - Organizational security policies
  - Standards and laws

Cyber security
Hackers vs. malicious users
- Hackers: external, unauthorized
- Malicious users: internal, authorized
Which one is much more dangerous?
Cyber security
Teams in general:
* Blue team: the defending side; defends against both real attackers and red teams. System admins and other IT personnel
* Red team (aggressor team): white hat (ethical hacker) team

Cyber security
Penetration Test (PenTest)
* Assess your security before an attacker does
* Penetration testing tools simulate real-world attack scenarios

Cyber security
PenTest methods:

Cyber security
White box
* Pros
  - Deep and thorough testing
  - Maximizes testing time
  - Extends the testing area
* Cons
  - Non-realistic attack

Cyber security
Black box
* Pros
  - Simulates a very realistic scenario
* Cons
  - Testing time cannot be maximised
  - Some areas of the infrastructure might remain untested

Cyber security
- Official permission before starting: Rules of Engagement (RoE)
- RoE includes:
  . IP addresses/blocks
  . Hosts that will be excluded
  . Test methods and tools
  . Timing
  . Testers' IP addresses
  . Contact info

Cyber security
Defense in depth: several protection layers
- Border router
- Perimeter firewall
- Internal firewall
- Intrusion Detection System
- Policies & procedures & audits
- Authentication
- Access controls

Cyber resilience
- continuously deliver the intended outcome despite adverse cyber events
- collaboration of people, processes, technology and facilities
- cyber security and keeping things running
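The scanning phase of the hacking methodology and the Rules of Engagement slide belong together in practice: a tester's scanner should refuse to touch anything the RoE does not cover. The following added example (written for these notes, not code from the lecture or any scanning tool) is a minimal TCP connect scan that first checks every target against a constructed RoE (in-scope blocks, excluded hosts, a per-connection timeout standing in for the timing constraints), and then demonstrates itself against a loopback listener it starts locally, so nothing outside 127.0.0.0/8 is ever contacted. The RoE values, port list and listener are constructed; `in_scope`, `connect_scan` and `scan` are names chosen here.

```python
"""RoE-scoped TCP connect scan against a local demo listener.

Added example, not part of the SENG 411 slides. The RoE, targets and the
listener are constructed; only loopback addresses are contacted.
"""
import ipaddress
import socket
import threading

# Constructed Rules of Engagement, mirroring the slide's checklist items.
ROE = {
    "in_scope": ["127.0.0.0/8"],      # IP addresses/blocks the client authorized
    "excluded_hosts": ["127.0.0.2"],  # hosts that will be excluded
    "connect_timeout": 0.3,           # timing: never hang on a filtered port
}


def in_scope(ip: str, roe: dict = ROE) -> bool:
    """Exclusions win over inclusions: a host listed as excluded is never scanned
    even when it sits inside an authorized block."""
    if ip in roe["excluded_hosts"]:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(block) for block in roe["in_scope"])


def connect_scan(ip: str, ports: list[int], timeout: float) -> list[int]:
    """TCP connect scan: a completed three-way handshake means the port is open.
    Noisy (the service logs the connection) but needs no raw-socket privilege."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((ip, port)) == 0:   # 0 = connected; errno otherwise
                open_ports.append(port)
    return open_ports


def scan(targets: list[str], ports: list[int], roe: dict = ROE) -> dict:
    """Map each target to its open ports, or None when the RoE forbids touching it."""
    report = {}
    for ip in targets:
        report[ip] = connect_scan(ip, ports, roe["connect_timeout"]) if in_scope(ip, roe) else None
    return report


def start_demo_listener() -> tuple[socket.socket, int]:
    """Constructed target: a loopback service on an ephemeral port, accepting and
    closing connections in a background thread until the socket is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:   # listener closed: stop
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_demo_listener()
    try:
        # 127.0.0.2 is excluded by the RoE; 192.0.2.10 is outside the authorized block.
        print(scan(["127.0.0.1", "127.0.0.2", "192.0.2.10"], [port, port + 1]))
    finally:
        srv.close()
```

The report distinguishes "no open ports found" (an empty list) from "not scanned because of the RoE" (`None`), which matters when the findings are written up: the second case must be reported as untested, not as secure.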