boyle_ccs3_pp_01.ppt

Chapter 1

Copyright Pearson Prentice Hall 2013


  • Define the term threat environment.
  • Use basic security terminology.
  • Describe threats from employees and ex-employees.
  • Describe threats from malware writers.
  • Describe traditional external hackers and their attacks, including break-in processes, social engineering, and denial-of-service attacks.
  • Know that criminals have become the dominant attackers today, describe the types of attacks they make, and discuss their methods of cooperation.
  • Distinguish between cyberwar and cyberterror.


  • This is a book about security defense, not how to attack

Defense is too complex to focus the book mostly on specific attacks

  • However, this first chapter looks at the threat environment—attackers and their attacks
  • Unless you understand the threats you face, you cannot prepare for defense
  • All subsequent chapters focus on defense


1.1 Introduction and Terminology

1.2 Employee and Ex-Employee Threats

1.3 Malware

1.4 Hackers and Attacks

1.5 The Criminal Era

1.6 Competitor Threats

1.7 Cyberwar and Cyberterror


  • The Threat Environment

The threat environment consists of the types of attackers and attacks that companies face


  • Security Goals

Confidentiality

Confidentiality means that unauthorized people cannot read sensitive information, either while it is stored on a computer or while it is traveling across a network


  • Security Goals

Integrity

Integrity means that attackers cannot change or destroy information, either while it is on a computer or while it is traveling across a network. Or, at least, if information is changed or destroyed, then the receiver can detect the change or restore destroyed data.
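The second half of that definition (the receiver can detect a change) is what a message authentication code provides. The example below is added here and is not from the textbook: the sender attaches an HMAC-SHA256 tag computed with a secret key, and the receiver recomputes the tag before trusting the message. The key, the payment message and the attacker's modification are constructed sample values.

```python
"""Integrity of data in transit: a keyed message authentication code (HMAC).

Added example, not textbook code. An attacker on the network who changes the
message cannot produce a valid tag without the key, so the receiver detects
the change. Key and messages are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def make_tag(key: bytes, message: bytes) -> bytes:
    """Return the HMAC-SHA256 tag of message under key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> bytes:
    """Frame a message as tag || message for transmission."""
    return make_tag(key, message) + message


def receive(key: bytes, frame: bytes) -> Optional[bytes]:
    """Verify a frame and return its message, or None if it was altered.

    hmac.compare_digest compares in constant time, so the check itself does
    not leak how many tag bytes matched (a timing side channel).
    """
    if len(frame) < TAG_LEN:
        return None
    tag, message = frame[:TAG_LEN], frame[TAG_LEN:]
    if not hmac.compare_digest(tag, make_tag(key, message)):
        return None
    return message


def demo() -> Tuple[bool, bool]:
    """Return (intact_frame_accepted, tampered_frame_rejected)."""
    key = os.urandom(32)  # shared secret agreed out of band (constructed here)
    original = b"PAY 100.00 TO ACCT 4411"
    frame = send(key, original)
    intact_accepted = receive(key, frame) == original
    # An attacker on the path rewrites the amount but cannot recompute the tag.
    tampered = frame[:TAG_LEN] + frame[TAG_LEN:].replace(b"100.00", b"900.00")
    tampered_rejected = receive(key, tampered) is None
    return intact_accepted, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

A plain hash (SHA-256 of the message with no key) would not do here: an attacker who can change the message can recompute the hash as well. The tag only detects changes; it does not hide the message, so confidentiality needs encryption in addition.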


  • Security Goals

Availability

Availability means that people who are authorized to use information are not prevented from doing so


  • Compromises

Successful attacks

Also called incidents

Also called breaches (not breeches)


  • Countermeasures

Tools used to thwart attacks

Also called safeguards, protections, and controls

Types of countermeasures

Preventative

Detective

Corrective


  • The TJX Companies, Inc. (TJX)

A group of more than 2,500 retail stores operating in the United States, Canada, England, Ireland, and several other countries

Does business under such names as TJ Maxx and Marshalls


  • Discovery

On December 18, 2006, TJX detected “suspicious software” on its computer systems

Called in security experts who confirmed an intrusion and probable data loss

Notified law enforcement immediately

Only notified consumers a month later to get time to fix system and to allow law enforcement to investigate


  • Discovery

Two waves of attacks, in 2005 and 2006

The company estimated that 45.7 million records containing limited personal information were stolen

Much more information was stolen on 455,000 of these customers


  • The Break-Ins

Broke into poorly protected (WEP-encrypted) wireless networks in retail stores

Used this entry to break into central processing system in Massachusetts

Not detected despite long presence, 80 GB data exfiltration

Canadian Privacy Commission: poor encryption, keeping data that should not have been kept


  • The Payment Card Industry-Data Security Standard (PCI-DSS)

Rules for companies that accept credit card purchases

If noncompliant, can lose the ability to process credit cards

12 requirements (grouped by the standard under six control objectives)

TJX knew it was not in compliance (later found to meet only 3 of the 12 requirements)

Visa gave an extension to TJX in 2005, subject to progress report in June 2006


  • The Payment Card Industry-Data Security Standards (PCI-DSS) (Figure 1-3)


  • The Fall-Out: Lawsuits and Investigations

Visa and MasterCard estimated 94 million accounts stolen (double TJX’s estimate)

Settled with most banks and banking associations for $65+ million to cover card reissuing and other costs

$9.75 million to settle cases with 41 states

ID theft insurance for 455,000 victims

Other victims given $30 voucher

Albert Gonzalez sentenced to 20 years in prison


1.2 Employee and Ex-Employee Threats


  • Employees and Ex-Employees Are Dangerous

Dangerous because

They have knowledge of internal systems

They often have the permission to access systems

They often know how to avoid detection

Employees generally are trusted

IT and especially IT security professionals are the greatest employee threats because of their privileges and knowledge (Quis custodiet ipsos custodes?)


  • Employee Sabotage

Destruction of hardware, software, or data

Plant time bomb or logic bomb on computer

  • Employee Hacking

Hacking is intentionally accessing a computer resource without authorization or in excess of authorization

Authorization is the key


  • Employee Financial Theft

Misappropriation of assets

Theft of money

  • Employee Theft of Intellectual Property (IP)

Copyrights and patents (formally protected)

Trade secrets: plans, product formulations, business processes, and other info that a company wishes to keep secret from competitors


  • Employee Extortion

Perpetrator tries to obtain money or other goods by threatening to take actions that would be against the victim’s interest

  • Sexual or Racial Harassment of Other Employees

Via e-mail

Displaying pornographic material


  • Internet Abuse

Downloading pornography, which can lead to sexual harassment lawsuits and viruses

Downloading pirated software, music, and video, which can lead to copyright violation penalties

Excessive personal use of the Internet at work


  • Carelessness

Loss of computers or data media containing sensitive information

Carelessness leading to the theft of such information

  • Other “Internal” Attackers

Contract workers

Workers in contracting companies


1.3 Malware


  • Malware

A generic name for any “evil software”

  • Viruses

Programs that attach themselves to legitimate programs on the victim’s computer

Spread today primarily by e-mail

Also by instant messaging, file transfers, etc.


  • ILOVEYOU virus source code (shown as a figure on the original slide)


  • Worms

Full programs that do not attach themselves to other programs

Like viruses, can spread by e-mail, instant messaging, and file transfers


  • Worms

In addition, direct-propagation worms can jump from one computer to another without human intervention on the receiving computer

Computer must have a vulnerability for direct propagation to work

Direct-propagation worms can spread extremely rapidly because they do not have to wait for users to act


  • Blended Threats

Malware propagates in several ways—like worms, viruses, compromised webpages containing mobile code, etc.

  • Payloads

Pieces of code that do damage

Implemented by viruses and worms after propagation

Malicious payloads are designed to do heavy damage


  • Nonmobile Malware

Must be placed on the user’s computer through one of a growing number of attack techniques

Placed on computer by hackers

Placed on computer by virus or worm as part of its payload

The victim can be enticed to download the program from a website or FTP site

Mobile code executed on a webpage can download the nonmobile malware


  • Trojan Horses

A program that disguises itself as legitimate software; classically, it replaces an existing system file and takes its name

  • Trojan Horses

Remote Access Trojans (RATs)

Remotely control the victim’s PC

Downloaders

Small Trojan horses that download larger Trojan horses after the downloader is installed


  • Trojan Horses

Spyware

Programs that gather information about you and make it available to the adversary

Cookies that store too much sensitive personal information

Keystroke loggers

Password-stealing spyware

Data mining spyware


  • Trojan Horses

Rootkits

Obtain superuser privileges (root, Administrator, etc.) and modify the operating system or its tools to conceal the attacker's presence

Can hide themselves from file system detection

Can hide malware from detection

Extremely difficult to detect (ordinary antivirus programs find few rootkits)
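A Trojan horse that replaces a system file and takes its name leaves the file name unchanged but not its contents, which is what a baseline integrity check catches. The example below is added here and is not from the textbook: it records a manifest of SHA-256 digests for a known-good directory tree, then reports files that were modified, added or removed. The directory, its files and the "trojan" replacement are constructed in a temporary folder to stand in for a system directory.

```python
"""Baseline file-integrity check against Trojan replacement of system files.

Added example, not textbook code. The known-good tree and the later
tampering are constructed inside a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path relative to root (with '/' separators) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report modified, added and removed files between two manifests."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a Trojan overwrites bin/ls and drops a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("bin/ls", b"legitimate ls v1"), ("bin/ps", b"legitimate ps v1")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_manifest(root)  # taken while the system is known-good
        # The Trojan keeps the name 'ls' but changes the contents, and adds a file.
        with open(os.path.join(root, "bin/ls"), "wb") as fh:
            fh.write(b"trojan ls: hides the attacker's files")
        with open(os.path.join(root, "bin/rootkit.ko"), "wb") as fh:
            fh.write(b"loadable module")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest must be stored where the attacker cannot rewrite it (read-only media or a separate host), and the check is only as trustworthy as the system it runs on: a kernel rootkit of the kind described above can feed the checker the original file contents, so a suspected rootkit should be checked from trusted boot media rather than from the running system.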


  • Mobile Code

Executable code on a webpage

Code is executed automatically when the webpage is downloaded

JavaScript, Microsoft ActiveX controls, etc.

Can do damage if computer has vulnerability


  • Social Engineering in Malware

Social engineering is attempting to trick users into doing something that goes against security policies

Several types of malware use social engineering

Spam

Phishing

Spear phishing (aimed at individuals or specific groups)

Hoaxes


1.4 Hackers and Attacks


  • Traditional Hackers

Motivated by thrill, validation of skills, sense of power

Motivated to increase reputation among other hackers

Often do damage as a byproduct

Often engage in petty crime


  • Anatomy of a Hack

Reconnaissance probes (Figure 1-11)

IP address scans to identify possible victims

Port scans to learn which services are open on each potential victim host


  • Anatomy of a Hack

The exploit

The specific attack method that the attacker uses to break into the computer is called the attacker’s exploit

The act of implementing the exploit is called exploiting the host


  • Chain of attack computers (Figure 1-13)

The attacker attacks through a chain of victim computers

Probe and exploit packets contain the source IP address of the last computer in the chain

The final attack computer receives replies and passes them back to the attacker

Often, the victim can trace the attack back to the final attack computer

But the attack usually can only be traced back a few computers more


For probes whose replies must be received, the attacker sends the probes through a chain of attack computers. The victim only knows the identity of the last compromised host (123.125.33.101), not that of the attacker.


  • Social Engineering

Social engineering is often used in hacking

Call and ask for passwords and other confidential information

E-mail attack messages with attractive subjects

Piggybacking

Shoulder surfing

Pretexting

etc.

Often successful because it focuses on human weaknesses instead of technological weaknesses


  • Denial-of-Service (DoS) Attacks

Make a server or entire network unavailable to legitimate users

Typically send a flood of attack messages to the victim

Distributed DoS (DDoS) Attacks (Figure 1-15)

Bots flood the victim with attack packets

Attacker controls the bots
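The reconnaissance probes described earlier (IP address scans, port scans) and the DDoS flood above all leave a characteristic shape in firewall logs, which is what a defender looks for. The example below is added here and is not from the textbook: it runs three simple detectors over a constructed packet log. The log format (epoch second, source IP, destination IP, destination port), the addresses and the thresholds are assumptions chosen for illustration; real firewalls log more fields and real thresholds are tuned per network.

```python
"""Spotting address sweeps, port scans and DDoS floods in a packet log.

Added example, not textbook code. Log format, addresses and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

SWEEP_HOSTS = 5     # one source touching this many destination hosts -> address sweep
SCAN_PORTS = 5      # one source touching this many ports on one host -> port scan
FLOOD_PACKETS = 20  # packets to one host within one second ...
FLOOD_SOURCES = 5   # ... from at least this many sources -> distributed flood

Record = Tuple[int, str, str, int]  # (timestamp, src, dst, dport)


def parse(lines: Iterable[str]) -> List[Record]:
    """Parse 'ts src dst dport' lines, skipping blanks and '#' comments."""
    records: List[Record] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((int(ts), src, dst, int(dport)))
    return records


def find_sweeps(records: List[Record]) -> Dict[str, Set[str]]:
    """Sources that contacted SWEEP_HOSTS or more distinct destination hosts."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for _ts, src, dst, _port in records:
        hosts[src].add(dst)
    return {s: h for s, h in hosts.items() if len(h) >= SWEEP_HOSTS}


def find_port_scans(records: List[Record]) -> Dict[Tuple[str, str], Set[int]]:
    """(source, destination) pairs with SCAN_PORTS or more distinct ports."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for _ts, src, dst, dport in records:
        ports[(src, dst)].add(dport)
    return {k: p for k, p in ports.items() if len(p) >= SCAN_PORTS}


def find_floods(records: List[Record]) -> Dict[Tuple[str, int], Set[str]]:
    """(destination, second) buckets hit by FLOOD_PACKETS+ packets from FLOOD_SOURCES+ sources."""
    count: Dict[Tuple[str, int], int] = defaultdict(int)
    sources: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for ts, src, dst, _port in records:
        count[(dst, ts)] += 1
        sources[(dst, ts)].add(src)
    return {k: sources[k] for k, n in count.items()
            if n >= FLOOD_PACKETS and len(sources[k]) >= FLOOD_SOURCES}


def sample_log() -> List[str]:
    """Constructed traffic: one normal request, an address sweep, a port scan, a flood."""
    lines = ["# ts src dst dport", "100 10.0.0.7 10.0.1.10 443"]
    for i in range(6):                              # sweep: one source, six hosts, port 22
        lines.append(f"101 203.0.113.5 10.0.1.{i + 1} 22")
    for port in (21, 22, 23, 25, 80, 110):          # scan: one source, one host, six ports
        lines.append(f"102 198.51.100.9 10.0.1.20 {port}")
    for i in range(30):                             # flood: six bots, one host, one second
        lines.append(f"103 192.0.2.{i % 6 + 1} 10.0.1.30 80")
    return lines


def detect(lines: Iterable[str]) -> Dict[str, list]:
    """Run all three detectors and return sorted findings."""
    records = parse(lines)
    return {
        "sweeps": sorted(find_sweeps(records)),
        "port_scans": sorted(find_port_scans(records)),
        "floods": sorted(find_floods(records)),
    }


if __name__ == "__main__":
    print(detect(sample_log()))
```

Two caveats follow from the chapter itself. The source address in a probe is the last computer in the attacker's chain, and the sources in a flood are bots that are themselves victims, so the addresses these detectors report identify intermediaries, not the attacker. And fixed thresholds over a one-second window catch noisy attacks only; a scan spread over hours, or a flood that stays just under the threshold, needs longer windows and rate baselines.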


  • Skill Levels

Expert attackers are characterized by strong technical skills and dogged persistence

Expert attackers create hacker scripts to automate some of their work

Scripts are also available for writing viruses and other malicious software


  • Skill Levels

Script kiddies use these scripts to make attacks

Script kiddies have low technical skills

Script kiddies are dangerous because of their large numbers


1.5 The Criminal Era


  • The Criminal Era

Today, most attackers are career criminals with traditional criminal motives

Adapt traditional criminal attack strategies to IT attacks (fraud, etc.)


  • The Criminal Era

Many cybercrime gangs are international

Makes prosecution difficult

Dupe citizens of a country into being transshippers of fraudulently purchased goods to the attacker in another country

Cybercriminals use black market forums

Credit card numbers and identity information

Vulnerabilities

Exploit software (often with update contracts)


  • Fraud

In fraud, the attacker deceives the victim into doing something against the victim’s financial self-interest

Criminals are learning to conduct traditional frauds and new frauds over networks

Also, new types of fraud, such as click fraud


  • Financial and Intellectual Property Theft

Steal money or intellectual property they can sell to other criminals or to competitors

  • Extortion

Threaten a DoS attack or threaten to release stolen information unless the victim pays the attacker


  • Stealing Sensitive Data about Customers and Employees

Carding (credit card number theft)

Bank account theft

Online stock account theft

Identity theft

Steal enough identity information to represent the victim in large transactions, such as buying a car or even a house


  • Corporate Identity Theft

Steal the identity of an entire corporation

Accept credit cards on behalf of the corporation

Pretend to be the corporation in large transactions

Can even take ownership of the corporation


1.6 Competitor Threats


  • Commercial Espionage

Attacks on confidentiality

Public information gathering

Company website and public documents

Facebook pages of employees, etc.

Trade secret espionage

May only be litigated if a company has provided reasonable protection for those secrets

Reasonableness reflects the sensitivity of the secret and industry security practices


  • Commercial Espionage

Trade secret theft approaches

Theft through interception, hacking, and other traditional cybercrimes

Bribe an employee

Hire a competitor's ex-employee and solicit or accept trade secrets

National intelligence agencies engage in commercial espionage


  • Denial-of-Service Attacks by Competitors

Attacks on availability

Rare but can be devastating


1.7 Cyberwar and Cyberterror


  • Cyberwar and Cyberterror

Attacks by national governments (cyberwar)

Attacks by organized terrorists (cyberterror)

Nightmare threats

Potential for far greater attacks than those caused by criminal attackers


  • Cyberwar

Computer-based attacks by national governments

Espionage

Cyber-only attacks to damage financial and communication infrastructure

To augment conventional physical attacks

Attack IT infrastructure along with physical attacks (or in place of physical attacks)

Paralyze enemy command and control

Engage in propaganda attacks

*


  • Cyberterror

Attacks by terrorists or terrorist groups

May attack IT resources directly

Use the Internet for recruitment and coordination

Use the Internet to augment physical attacks

Disrupt communication among first responders

Use cyberattacks to increase terror in physical attacks

Turn to computer crime to fund their attacks


Copyright © 2013 Pearson Education, Inc.  

Publishing as Prentice Hall