Introduction and Security Trends
Chapter 1
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights reserved.
Objectives
Define computer security.
Discuss common threats and recent computer crimes that have been committed.
List and discuss recent trends in computer security.
Describe common avenues of attacks.
Describe approaches to computer security.
Discuss the relevant ethical issues associated with computer security.
Key Terms (1 of 2)
Computer security
Critical infrastructure
Elite hacker
Hacker
Hacking
Hacktivist
Highly structured threat
Information Sharing Analysis Center (ISAC)
Information Sharing Analysis Organization (ISAO)
Information warfare
Kill chain
Open source threat intelligence
Computer security – In general terms, the methods, techniques, and tools used to ensure that a computer system is secure.
Critical infrastructure – Infrastructure whose loss or impairment would have severe repercussions on society.
Elite hacker – A hacker who has the skill level necessary to discover and exploit new vulnerabilities.
Hacker – A person who performs hacking activities.
Hacking – The term used by the media to refer to the process of gaining unauthorized access to computer systems and networks. The term has also been used to refer to the process of delving deep into the code and protocols used in computer systems and networks.
Hacktivist – A hacker who uses his or her skills for political purposes.
Highly structured threat – A threat that is backed by the time and resources to allow virtually any form of attack.
Information Sharing Analysis Center (ISAC) – A member-driven organization that delivers all-hazards threat and mitigation information to asset owners and operators.
Information Sharing Analysis Organization (ISAO) – An organization that identifies standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.
Information warfare – The use of information security techniques, both offensive and defensive, when combating an opponent.
Kill chain – A newer method of modeling cyberattacks as a step-by-step process that attacks follow to target and achieve results on victim systems.
Open source threat intelligence – The processes used to collect threat intelligence information from public sources.
Key Terms (2 of 2)
Script Kiddie
Structured Threat
Threat Intelligence
Unstructured Threat
Script kiddie – Individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities in software but who have just enough understanding of computer systems to be able to download and run scripts that others have developed.
Structured threat – A threat characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders.
Threat intelligence – Actionable information about malicious actors and their tools, infrastructure, and methods.
Unstructured threat – Attacks at this level generally are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.
The Computer Security Problem (1 of 2)
Fifty years ago companies did not conduct business across the Internet.
Today millions of people perform online transactions every day.
Companies rely on the Internet to operate and conduct business.
Vast amounts of money are transferred via networks, in the form of either bank transactions or simple credit card purchases.
Wherever there are vast amounts of money, there are those who will try to take advantage of the environment to conduct fraud or theft.
The Computer Security Problem (2 of 2)
There are many different ways to attack computers and networks.
Identity theft is so common today that almost everyone knows somebody who has been a victim of such a crime, if they have not been a victim themselves.
There are many other types of criminal activity and all are on the rise.
There are many different ways to attack computers and networks to take advantage of what has made shopping, banking, investment, and leisure pursuits a simple matter of “dragging and clicking” (or tapping) for many people.
Definition of Computer Security (1 of 2)
Computer security is not a simple concept to define.
If one is referring to a computer, then it can be considered secure when the computer does what it is supposed to do and only what it is supposed to do.
However, the security emphasis has shifted from the computer to the information being processed.
Information security means that the information is protected from unauthorized access or alteration and yet is available to authorized individuals when required.
Computer security is not a simple concept to define, and has numerous complexities associated with it.
Definition of Computer Security (2 of 2)
When one begins considering the aspects of information, it is important to realize that information is stored, processed, and transferred between machines, and all of these different states require appropriate protection schemes.
Information assurance is a term used to describe not just the protection of information, but a means of knowing the level of protection that has been accomplished.
Historical Security Incidents (1 of 3)
Electronic crime can take a number of different forms, but the ones we will examine here fall into two basic categories:
Crimes in which the computer was the target
Incidents in which a computer was used to perpetrate the act (for example, bank fraud)
Virus activity existed prior to 1988, having started in the early 1980s.
By examining some of the computer-related crimes that have been committed over the last 30 or so years, we can better understand the threats and security issues that surround our computer systems and networks.
Prior to 1988, criminal activity was chiefly centered on unauthorized access to computer systems and networks owned by the telephone company and companies that provided dial-up access for authorized users.
Historical Security Incidents (2 of 3)
The Morris Worm (November 1988)
Citibank and Vladimir Levin (June–October 1994)
Kevin Mitnick (February 1995)
Worcester Airport and “Jester” (March 1997)
The Melissa Virus (March 1999)
The Love Letter Virus (May 2000)
The Morris Worm (November 1988)
Robert Morris, then a graduate student at Cornell University, released what has become known as the Internet worm (or the Morris worm).
The worm infected roughly 10 percent of the machines then connected to the Internet (which amounted to approximately 6000 infected machines).
The worm carried no malicious payload, the program being obviously a “work in progress,” but it did wreak havoc because it continually re-infected computer systems until they could no longer run any programs.
Citibank and Vladimir Levin (June–October 1994)
Starting about June of 1994 and continuing until at least October of the same year, a number of bank transfers were made by Vladimir Levin of St. Petersburg, Russia.
By the time he and his accomplices were caught, they had transferred an estimated $10 million.
Eventually all but about $400,000 was recovered.
Levin reportedly accomplished the break-ins by dialing into Citibank’s cash management system.
This system allowed clients to initiate their own fund transfers to other banks.
Kevin Mitnick (February 1995)
Kevin Mitnick’s computer activities occurred over a number of years during the 1980s and 1990s.
Arrested in 1995, he eventually pled guilty to four counts of wire fraud, two counts of computer fraud, and one count of illegally intercepting a wire communication and was sentenced to 46 months in jail.
In the plea agreement, Mitnick admitted to having gained unauthorized access to a number of different computer systems belonging to companies such as Motorola, Novell, Fujitsu, and Sun Microsystems.
He described using a number of different “tools” and techniques, including social engineering, sniffers, and cloned cellular telephones.
Worcester Airport and “Jester” (March 1997)
In March of 1997, telephone services to the FAA control tower as well as the emergency services at the Worcester Airport and the community of Rutland, Massachusetts, were cut off for a period of six hours.
This disruption occurred as a result of an attack on the phone network by a teenage computer “hacker” who went by the name “Jester.”
The Melissa Virus (March 1999)
Melissa is the best known of the early macro-type viruses that attach themselves to documents for programs that have limited macro programming capability.
The virus, written and released by David Smith, infected about a million computers and caused an estimated $80 million in damages.
The Love Letter Virus (May 2000)
Also known as the “ILOVEYOU” worm and the “Love Bug,” the Love Letter virus was written and released by a Philippine student named Onel de Guzman.
The virus was spread via e-mail with the subject line of “ILOVEYOU.”
Estimates of the number of infected machines worldwide have been as high as 45 million, accompanied by a possible $10 billion in damages (it should be noted that figures like these are extremely hard to verify or calculate).
Historical Security Incidents (3 of 3)
The Code Red Worm (2001)
The Slammer Worm (2003)
Cyberwar? (2007)
Operation Bot Roast (2007)
Conficker (2008–2009)
U.S. Electric Power Grid (2009)
Fiber Cable Cut (2009)
The Code Red Worm (2001)
On July 19, 2001, in a period of 14 hours, over 350,000 computers connected to the Internet were infected by the Code Red worm.
The cost estimate for how much damage the worm caused (including variations of the worm released on later dates) exceeded $2.5 billion.
The vulnerability, a buffer-overflow condition in Microsoft’s IIS web servers, had been known for a month.
The Slammer Worm (2003)
On Saturday, January 25, 2003, the Slammer worm was released.
It exploited a buffer-overflow vulnerability in computers running Microsoft SQL Server or SQL Server Desktop Engine.
Like the vulnerability in Code Red, this weakness was not new and, in fact, had been discovered and a patch released in July of 2002.
Within the first 24 hours of Slammer’s release, the worm had infected at least 120,000 hosts and caused network outages and the disruption of airline flights, elections, and ATMs.
At its peak, Slammer-infected hosts were generating a reported 1 TB of worm-related traffic every second.
The worm doubled its number of infected hosts every 8 seconds.
It is estimated that it took less than 10 minutes to reach global proportions and infect 90 percent of the possible hosts it could infect.
Cyberwar? (2007)
In May of 2007, the country of Estonia was crippled by a massive denial-of-service (DoS) cyberattack against all of its infrastructure, firms (banks), and government offices.
This attack was traced to IP addresses in Russia, but was never clearly attributed to a government-sanctioned effort.
Operation Bot Roast (2007)
In 2007, the FBI announced that it had conducted Operation Bot Roast, identifying over 1 million botnet crime victims.
In the process of dismantling the botnets, the FBI arrested several botnet operators across the United States. Although seemingly a big success, this effort made only a small dent in the vast volume of botnets in operation.
Conficker (2008–2009)
In late 2008 and early 2009, security experts became alarmed when it was discovered that millions of systems attached to the Internet were infected with the Downadup worm.
Also known as Conficker, the worm was believed to have originated in Ukraine.
Infected systems were not initially damaged beyond having their antivirus solution updates blocked.
What alarmed experts was the fact that infected systems could be used in a secondary attack on other systems or networks.
Each of these infected systems was part of what is known as a bot network (or botnet) and could be used to cause a DoS attack on a target or be used for the forwarding of spam e-mail to millions of users.
U.S. Electric Power Grid (2009)
In April 2009, Homeland Security Secretary Janet Napolitano told reporters that the United States was aware of attempts by both Russia and China to break into the U.S. electric power grid, map it out, and plant destructive programs that could be activated at a later date.
She indicated that these attacks were not new and had in fact been going on for years.
One article in the Kansas City Star, for example, reported that in 1997 the local power company, Kansas City Power and Light, encountered perhaps 10,000 attacks for the entire year.
By 2009 the company experienced 30–60 million attacks.
Fiber Cable Cut (2009)
On April 9, 2009, a widespread phone and Internet outage hit the San Jose area in California.
This outage was not the result of a group of determined hackers gaining unauthorized access to the computers that operate these networks, but instead occurred as a result of several intentional cuts in the physical cables that carry the signals.
The cuts resulted in a loss of all telephone, cell phone, and Internet service for thousands of users in the San Jose area.
Emergency services such as 911 were also affected, which could have had severe consequences.
The Current Threat Environment (1 of 2)
As time has gone on, more organized elements of cybercrime have entered the picture along with nation-states.
From 2009 and beyond, the cyber threat landscape became considerably more dangerous, with new adversaries out to perform one of two functions:
Deny the use of your computer systems
Use systems for financial gain, including theft of intellectual property or financial information such as personally identifiable information
The threats of the past were smaller, targeted, and in many cases only a nuisance.
The Current Threat Environment (2 of 2)
Advanced Persistent Threats (APTs)
GhostNet (2009)
Operation Aurora (2009)
Stuxnet, Duqu, and Flame (2009–2012)
Sony (2011)
Saudi Aramco (Shamoon) (2012)
Data Breaches (2013–present)
Nation-State Hacking (2013–present)
Advanced Persistent Threats
Although there are numerous claims as to when advanced persistent threats (APTs) began and who first coined the term, the important issue is to note that APTs represent a new breed of attack pattern.
Although specific definitions vary, the three words that comprise the term provide the key elements: advanced, persistent, and threat.
Advanced refers to the use of advanced techniques, such as spear phishing, as a vector into a target.
Persistent refers to the attacker’s goal of establishing a long-term, hidden position on a system. Many APTs can go on for years without being noticed.
Threat refers to the other objective: exploitation.
If an adversary invests the resources to achieve an APT attack, they are doing it for some form of long-term advantage.
APTs are not a specific type of attack, but rather the new means by which highly resourced adversaries target systems.
GhostNet (2009)
In 2009, the Dalai Lama’s office contacted security experts to determine if it was being bugged.
The investigation revealed it was, and the spy ring that was discovered was eventually shown to be spying on over 100 countries’ sensitive missions worldwide.
Researchers gave this APT-style spy network the name GhostNet, and although the effort was traced back to China, full attribution was never determined.
Operation Aurora (2009)
Operation Aurora was an APT attack first reported by Google, but also targeting Adobe, Yahoo, Juniper Networks, Rackspace, Symantec, and several major U.S. financial and industrial firms.
Research analysis pointed to the People’s Liberation Army (PLA) of China as the sponsor.
The attack ran for most of 2009 and operated on a large scale, with the groups behind the attack consisting of hundreds of hackers working together against the victim firms.
Stuxnet, Duqu, and Flame (2009–2012)
Stuxnet, Duqu, and Flame represent examples of state-sponsored malware.
Stuxnet was a malicious worm designed to infiltrate the Iranian uranium enrichment program, to modify the equipment and cause the systems to fail in order to achieve desired results and in some cases even destroy the equipment.
Stuxnet was designed to attack a specific model of Siemens programmable logic controller (PLC), which was one of the clues pointing to its objective, the modification of the uranium centrifuges. Although neither the United States nor Israel has admitted to participating in the attack, both have been suggested to have had a role in it.
Duqu (2011) is a piece of malware that appears to be a follow-on of Stuxnet, and has many of the same targets, but rather than being destructive in nature, Duqu is designed to steal information. The malware uses command and control servers across the globe to collect elements such as keystrokes and system information from machines and deliver them to unknown parties.
Flame (2012) is another piece of modular malware that may be a derivative of Stuxnet. Flame is an information collection threat, collecting keystrokes, screenshots, and network traffic. It can record Skype calls and audio signals on a machine. Flame is a large piece of malware with many specific modules, including a kill switch and a means of evading antivirus detection.
Because of the open nature of Stuxnet—its source code is widely available on the Internet—it is impossible to know who is behind Duqu and Flame. In fact, although Duqu and Flame were discovered after Stuxnet, there is growing evidence that they were present before Stuxnet and collected critical intelligence needed to conduct the later attack.
The real story behind these malware items is that they demonstrate the power and capability of nation-state malware.
Sony (2011)
The hacker group LulzSec reportedly hacked Sony, stealing over 70 million user accounts.
The resulting outage lasted 23 days, and cost Sony in excess of $170 million.
One of the biggest issues related to the attack was Sony’s poor response, taking more than a week to notify people of the initial attack, and then communicating poorly with its user base during the recovery period.
Also notable was that although the credit card data was encrypted on Sony’s servers, the rest of the data stolen was not, making it easy pickings for the disclosure of information.
Saudi Aramco (Shamoon) (2012)
In August of 2012, 30,000 computers were shut down in response to a malware attack (named Shamoon) at Saudi Aramco, an oil firm in Saudi Arabia.
The attack hit three out of four machines in the firm, and the damage included data wiping of machines and the uploading of sensitive information to Pastebin.
It took 10 days for the firm to clean up the infection and restart its business network.
Data Breaches (2013–present)
From the end of 2013 through to the time of this writing, data breaches have dominated the security landscape.
Target Corporation announced its breach in mid-December, 2013, stating that the hack began as early as “Black Friday” (November 29) and continued through December 15. Data thieves captured names, addresses, and debit and credit card details, including numbers, expiration dates, and CVV codes. In the end a total of 70 million accounts were exposed.
Following the Target breach, Home Depot suffered a breach of over 50 million debit and credit card numbers in 2014.
JP Morgan Chase also had a major data breach in 2014, announcing the loss of 77 million account holders’ information. Unlike Target and Home Depot, JP Morgan Chase did not lose account numbers or other crucial data elements. JP Morgan Chase also mounted a major PR campaign touting its security program and spending in order to satisfy customers and regulators of its diligence.
At the end of 2014, Sony Pictures Entertainment announced that it had been hacked, with a massive release of internal data. At the time of this writing, hackers have claimed to have stolen as much as 100 terabytes of data, including e-mails, financial documents, intellectual property, personal data, HR information…in essence, almost everything. Additional reports indicate the destruction of data within Sony; although the extent of the damage is not known, at least one of the elements of malware associated with the attack is known for destroying the Master Boot Record (MBR) of drives. Attribution in the Sony attack is also tricky, as the U.S. government has accused North Korea, while other groups have claimed responsibility, and some investigators claim it was an inside job. It may take years to determine correct attribution, if it is even possible.
Nation-State Hacking (2013–present)
Nation-states have become a recognized issue in security, from the Great Firewall of China to modern malware attacks from a wide range of governments.
In 2014 CrowdStrike reported on 39 different threat actors, including criminals, hacktivists, state-sponsored groups, and nation-states.
Learning how these adversaries act provides valuable clues to their detection in the enterprise.
Groups such as China’s Hurricane Panda represent a real security threat. Hurricane Panda focuses on aerospace firms and Internet service companies.
Not all threats are from China. Russia is credited with its own share of malware. Attribution is difficult, and sometimes the only hints are clues, such as the timelines of command and control servers for Energetic Bear, an attack on the energy industry in Europe from the Dragonfly group.
In 2015, data breaches and nation-state hacking hit new highs with the loss of over 20 million sensitive personnel files from the computers at the U.S. Office of Personnel Management (OPM). This OPM loss, reportedly to China, was extremely damaging in that the data loss consisted of the complete background investigations on people who had submitted security clearances.
Ukraine Electric Grid and Ransomware
The Ukraine electric grid was cyber-attacked on December 23, 2015
Full restoration took 1 year
May be attributable to the Russian government, using BlackEnergy3 malware
Ransomware originated in the 1990s
A $1 billion criminal enterprise
Locks victims’ files until a ransom is paid
Threats to Security
External versus internal threats
Sophistication of the attacks
Script kiddies versus elite hackers
Highly structured threats to unstructured threats
There are a number of ways that we can break down the various threats.
One way to categorize them is to separate threats that come from outside of the organization from those that are internal.
Another is to look at the various levels of sophistication of the attacks, from those by “script kiddies” to those by “elite hackers.”
A third is to examine the level of organization of the various threats, from unstructured threats to highly structured threats.
All of these are valid approaches, and they in fact overlap each other.
Viruses and Worms (1 of 2)
While your organization may be exposed to viruses and worms as a result of employees not following certain practices or procedures, generally you will not have to worry about your employees writing or releasing viruses and worms.
It is important to draw a distinction between the writers of malware and those who release malware.
Debates over the ethics of writing viruses permeate the industry, but currently, simply writing them is not considered a criminal activity.
A virus is like a baseball bat; the bat itself is not evil, but the inappropriate use of the bat (such as to smash a car’s window) falls into the category of criminal activity. (Some may argue that this is not a very good analogy since a baseball bat has a useful purpose—to play ball—but viruses have no useful purpose. In general, this is true, but in some limited environments, such as in specialized computer science courses, the study and creation of viruses can be considered a useful learning experience.)
Viruses and Worms (2 of 2)
By number, viruses and worms are the most common problem that an organization faces because literally thousands of them have been created and released.
Fortunately, antivirus software and system patching can eliminate the largest portion of this threat.
Viruses and worms generally are also nondiscriminating threats.
They typically are also highly visible once released.
Viruses and worms generally are also nondiscriminating threats; they are released on the Internet in a general fashion and aren’t targeted at a specific organization. They typically are also highly visible once released, so they aren’t the best tool to use in highly structured attacks where secrecy is vital.
Intruders (1 of 4)
The act of deliberately accessing computer systems and networks without authorization is generally referred to as hacking, with individuals who conduct this activity being referred to as hackers.
The term hacking also applies to the act of exceeding one’s authority in a system.
Hacking does not live up to the Hollywood hype.
Intruders are extremely patient.
The process takes persistence and dogged determination.
Hacking includes authorized users who attempt to gain access to files they aren’t permitted to access or who attempt to obtain permissions that they have not been granted.
The attacker will conduct many pre-attack activities in order to obtain the information needed to determine which attack will most likely be successful. Typically, by the time an attack is launched, the attacker will have gathered enough information to be very confident that the attack will succeed.
Intruders (2 of 4)
Generally, attacks by an individual or even a small group of attackers fall into the unstructured threat category.
Attacks at this level generally are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.
Intruders (3 of 4)
Intruders definitely come in many different varieties and have varying degrees of sophistication.
Script kiddies do not have the technical expertise to develop scripts or discover new vulnerabilities in software.
At the next level are those people who are capable of writing scripts to exploit known vulnerabilities.
At the top are those highly technical individuals, often referred to as elite hackers.
At the low end technically are what are generally referred to as script kiddies, individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities in software but who have just enough understanding of computer systems to be able to download and run scripts that others have developed. These individuals generally are not interested in attacking specific targets, but instead simply want to find any organization that may not have patched a newly discovered vulnerability for which the script kiddie has located a script to exploit the vulnerability.
At the next level are those people who are capable of writing scripts to exploit known vulnerabilities. These individuals are much more technically competent than script kiddies and account for an estimated 8 to 12 percent of malicious Internet activity.
At the top end of this spectrum are those highly technical individuals, often referred to as elite hackers, who not only have the ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities. This group is the smallest of the lot, however, and is responsible for, at most, only 1 to 2 percent of intrusive activity.
Intruders (4 of 4)
Figure 1.1 Distribution of attacker skill levels
Insiders
It is generally acknowledged by security professionals that insiders are more dangerous in many respects than outside intruders.
Insiders have the access and knowledge necessary to cause immediate damage to an organization.
Insiders frequently have knowledge of the security systems in place and are better able to avoid detection.
Often, numerous other individuals have physical access to company facilities.
Custodial crews, contractors, or partners
Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world. Insiders may actually already have all the access they need to perpetrate criminal activity such as fraud. Attacks by insiders are often the result of employees who have become disgruntled with their organization and are looking for ways to disrupt operations. It is also possible that an “attack” by an insider may be an accident and not intended as an attack at all. An example of this might be an employee who deletes a critical file without understanding its critical nature.
A contractor involved in U.S. Intelligence computing, Edward Snowden, was charged with espionage in 2013 after he released a wide range of data illustrating the technical capabilities of U.S. intelligence surveillance systems. He is the ultimate insider with his name becoming synonymous with the insider threat issue.
Criminal Organizations
Criminal activity on the Internet is basically no different from criminal activity in the physical world.
One difference is the level of organization that criminal elements employ in their attack.
Attacks by criminal organizations usually fall into the structured threat category.
Such threats are characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders.
As businesses became increasingly reliant upon computer systems and networks, and as the amount of financial transactions conducted via the Internet increased, it was inevitable that criminal organizations would eventually turn to the electronic world as a new target to exploit. Fraud, extortion, theft, embezzlement, and forgery all take place in the electronic environment.
Criminal groups typically have more money to spend on accomplishing the criminal activity and are willing to spend extra time accomplishing the task provided the level of reward at the conclusion is great enough. With the tremendous amount of money that is exchanged via the Internet on a daily basis, the level of reward for a successful attack is high enough to interest criminal elements.
Nation-States, Terrorists, and Information Warfare (1 of 3)
Many nations today have developed to some extent the capability to conduct information warfare.
Warfare conducted against the information and information processing equipment used by an adversary
Information warfare falls into the highly structured threat category.
Characterized by a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers.
As nations have increasingly become dependent on computer systems and networks, the possibility that these essential elements of society might be targeted by organizations or nations determined to adversely affect another nation has become a reality.
In practice, this is a much more complicated subject, because information not only may be the target of an adversary, but also may be used as a weapon. The threat may include attempts not only to subvert insiders but also to plant individuals inside of a potential target in advance of a planned attack.
Nation-States, Terrorists, and Information Warfare (2 of 3)
An interesting aspect of information warfare is the list of possible targets available.
Military forces are still a key target in information warfare.
Critical infrastructures are those whose loss would have severe repercussions on the nation.
Water, electricity, oil and gas refineries and distribution, banking and finance, telecommunications
Dependent on computer systems
We have grown accustomed to the idea that, during war, military forces will target opposing military forces but will generally attempt to destroy as little civilian infrastructure as possible.
With countries relying so heavily on these critical infrastructures, it is inevitable that they will be viewed as valid targets during conflict. Given how dependent these infrastructures are on computer systems and networks, it is also inevitable that these same computer systems and networks will be targeted for a cyberattack in an information war.
Nation-States, Terrorists, and Information Warfare (3 of 3)
Brand-Name Attacks
Energetic Bear
Vault7
Sandworm
Lazarus Group
Shadow Brokers
Comment Crew
Equation Group
Regin
Cozy Bear and Fancy Bear
Attributes of Actors
Internal: already have access to the system
External: need to gain access to the system
Level of sophistication:
As skill level goes up, so does the use of minimal methods.
A surprising number of attacks still use old techniques against old vulnerabilities.
Resources/funding: criminal organizations and nation-states have big budgets and big teams.
Intent/motivation: ranging from script kiddies to APT threat actors.
Security Trends (1 of 2)
The computing environment has transformed from large mainframes to a highly interconnected network of smaller systems.
The environment has shifted from a closed operating environment to one in which access to a computer can occur from almost anywhere on the planet.
This has, for obvious reasons, greatly complicated the job of the security professional.
The attackers have become more focused on gain over notoriety.
The type of individual who attacks a computer system or network has also evolved over the last 30 years. Today computer attacks are used to steal and commit fraud and other crimes in the pursuit of monetary enrichment. Computer crimes are big business today, not just because it is hard to catch the perpetrators, but also because the number of targets is large and the rewards greater than robbing local stores.
Security Trends (2 of 2)
The type of individual who attacks a computer system or network has evolved over the last 30 years.
Today computer attacks are used to steal and commit fraud and other crimes in the pursuit of monetary enrichment.
Computer crimes are big business today, not just because it is hard to catch the perpetrators, but also because the number of targets is large and the rewards greater than robbing local stores.
Over the past several years a wide range of computer industry firms have begun issuing annual security reports. Among these firms is Verizon, which has issued its annual Data Breach Investigations Report (DBIR) since 2008 and is lauded because of its breadth and depth. The 2015 DBIR was based on over 2,100 data breaches and 79,790 security incidents in 61 countries. Perhaps the most valuable aspect of the DBIR is its identification of common details that result in a data breach. The Verizon DBIRs are available at www.verizonenterprise.com/DBIR/
Targets and Attacks
There are two general reasons a particular system is attacked:
It is specifically targeted by the attacker.
It is an opportunistic target.
Specific Target
The attacker has chosen the target not because of the hardware or software the organization is running but for another reason, perhaps a political reason.
Examples:
An individual in one country attacking a government system in another
The attacker targeting the organization as part of a hacktivist attack
A company website that sells fur coats is defaced because the attacker feels that using animals in this way is unethical
Opportunistic Target
The attack is conducted against a site that runs software vulnerable to a specific exploit.
The attackers are not targeting the organization.
They have learned of a vulnerability and are simply looking for an organization with this vulnerability that they can exploit.
An attacker might be targeting a given sector and looking for a target of opportunity in that sector.
Targeted attacks are more difficult and take more time than attacks on a target of opportunity.
This is not to say that an attacker might not be targeting a given sector and looking for a target of opportunity in that sector, however. For example, an attacker may desire to obtain credit card or other personal information and may search for any exploitable company with credit card information in order to carry out the attack.
Targeted attacks are more difficult and take more time than attacks on a target of opportunity. The latter simply relies on the fact that with any piece of widely distributed software, there will almost always be somebody who has not patched the system (or has not patched it properly) as they should have.
Minimizing Possible Avenues of Attack
There are multiple elements to a solid computer defense, but two of the key elements involve limiting an attacker’s avenues of attack.
The first step an administrator can take to reduce possible attacks is to ensure that all patches for the operating system and applications are installed.
The second step an administrator can take is system hardening, which involves limiting the services that are running on the system.
Understanding the steps an attacker will take enables you to limit the exposure of your system and minimize those avenues an attacker might possibly exploit. The first step an administrator can take to reduce possible attacks is to ensure that all patches for the operating system and applications are installed. Many security problems that we read about, such as viruses and worms, exploit known vulnerabilities for which patches exist. The reason such malware caused so much damage in the past was that administrators did not take the appropriate actions to protect their systems.
The second step an administrator can take is system hardening, which involves limiting the services that are running on the system. Only using those services that are absolutely needed does two things: it limits the possible avenues of attack (those services with vulnerabilities that can be exploited), and it reduces the number of services the administrator has to worry about patching in the first place. This is one of the important first steps any administrator should take to secure a computer system. System hardening is covered in detail in Chapter 14.
While there are no iron-clad defenses against attack, or guarantees that an attack won’t be successful, you can take steps to reduce the risk of loss. This is the basis for the change in strategy from a defense-based one to one based on risk management. Risk management is covered in detail in Chapter 20.
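The two steps above (install every available patch, then limit the services a system runs) can both be checked mechanically. The following Python script is an added example, not code from the textbook: it parses constructed samples of `apt list --upgradable` and `ss -tlnp` output (invented for the illustration, not captured from a real host), counts pending security updates, and compares the listening services against a hypothetical administrator allowlist (`APPROVED_SERVICES`), flagging services that are not approved or that are reachable from outside the loopback interface. On a live Debian/Ubuntu host the real command output would be fed into the same functions.

```python
"""Audit a host for the two avenue-limiting steps named in the chapter:
missing patches and unneeded listening services.

Added illustration, not textbook code. The command-output samples below are
constructed for the example; APPROVED_SERVICES is a hypothetical allowlist
that an administrator would maintain for their own system.
"""
import re
from typing import Dict, List, Set, Tuple

# --- Step 1: patching ------------------------------------------------------
# Constructed sample of `apt list --upgradable` output (Debian/Ubuntu style).
SAMPLE_APT_OUTPUT = """\
Listing... Done
openssl/example-security 3.0.0-1+sec1 amd64 [upgradable from: 3.0.0-1]
vim/example-updates 9.0.0-1+upd1 amd64 [upgradable from: 9.0.0-1]
"""

APT_RE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suite>\S+)\s+(?P<new>\S+)\s+\S+\s+"
    r"\[upgradable from: (?P<old>[^\]]+)\]"
)


def parse_upgradable(apt_output: str) -> List[Dict[str, object]]:
    """Return pending upgrades; a suite ending in '-security' marks a security fix."""
    pending = []
    for line in apt_output.splitlines():
        m = APT_RE.match(line)
        if not m:
            continue  # skips 'Listing... Done' and any other non-package line
        pending.append({
            "pkg": m.group("pkg"),
            "old": m.group("old"),
            "new": m.group("new"),
            "security": m.group("suite").endswith("-security"),
        })
    return pending


# --- Step 2: hardening (limit the services that are listening) ------------
# Constructed sample of `ss -tlnp` output (TCP listeners with owning process).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       511            0.0.0.0:80          0.0.0.0:*      users:(("nginx",pid=1021,fd=6))
LISTEN  0       80           127.0.0.1:3306        0.0.0.0:*      users:(("mysqld",pid=990,fd=21))
LISTEN  0       50             0.0.0.0:21          0.0.0.0:*      users:(("vsftpd",pid=1107,fd=4))
LISTEN  0       128               [::]:22             [::]:*      users:(("sshd",pid=812,fd=4))
"""

SS_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)

LOOPBACK = {"127.0.0.1", "[::1]"}

# Hypothetical allowlist: (process name, port) pairs the administrator intends to run.
APPROVED_SERVICES: Set[Tuple[str, int]] = {("sshd", 22), ("nginx", 80), ("mysqld", 3306)}


def parse_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Parse `ss -tlnp` lines into listener records; 'exposed' means non-loopback."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue  # header line or a row without process information
        addr = m.group("addr")
        listeners.append({
            "proc": m.group("proc"),
            "port": int(m.group("port")),
            "addr": addr,
            "exposed": addr not in LOOPBACK,
        })
    return listeners


def find_unapproved(listeners: List[Dict[str, object]],
                    approved: Set[Tuple[str, int]] = APPROVED_SERVICES) -> List[Dict[str, object]]:
    """Listeners whose (process, port) pair is not on the administrator's allowlist."""
    return [l for l in listeners if (l["proc"], l["port"]) not in approved]


def attack_surface_report(apt_output: str, ss_output: str,
                          approved: Set[Tuple[str, int]] = APPROVED_SERVICES) -> Dict[str, int]:
    """Summarise both avenue-limiting checks as counts an administrator can act on."""
    pending = parse_upgradable(apt_output)
    listeners = parse_listeners(ss_output)
    return {
        "pending_updates": len(pending),
        "pending_security_updates": sum(1 for p in pending if p["security"]),
        "exposed_listeners": sum(1 for l in listeners if l["exposed"]),
        "unapproved_listeners": len(find_unapproved(listeners, approved)),
    }


if __name__ == "__main__":
    print(attack_surface_report(SAMPLE_APT_OUTPUT, SAMPLE_SS_OUTPUT))
```

In the constructed sample the report flags one pending security update and one unapproved listener (the FTP daemon on port 21, which the allowlist does not contain), which is exactly the kind of service the hardening step says to remove unless it is genuinely needed. Anything listening on a non-loopback address is also counted as exposed, since that is where the avenue of attack actually exists.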
Approaches to Computer Security (1 of 2)
Correctness
Ensuring that a system is fully up to date, with all patches installed and proper security controls in place; this goes a long way toward minimizing risk.
Isolation
Protecting a system from unauthorized use, by means of access control and physical security.
Obfuscation
Making it difficult for an adversary to know when they have succeeded.
Approaches to Computer Security (2 of 2)
Cyberattack Kill chain
Step-by-step process that attacks follow to target and achieve results on victim systems
Threat Intelligence
Actionable information about malicious actors and their tools
ISACs and ISAOs
Open Source Threat Intelligence
Processes used to collect threat intelligence information
Ethics
Ethics is commonly defined as a set of moral principles that guides an individual’s or group’s behavior.
Because information security efforts frequently involve trusting people to keep secrets that could cause harm to the organization if revealed, trust is a foundational element in the people side of security.
Trust is built upon a code of ethics, a norm that allows everyone to understand expectations and responsibilities.
Any meaningful discussion about operational aspects of information security must include the topic of ethics. There are several different ethical frameworks that can be applied to making a decision, and these are covered in detail in Chapter 24.
Ethics is a difficult topic; separating right from wrong is easy in many cases, but in other cases it is more difficult. For example, writing a virus that damages a system is clearly bad behavior, but is writing a worm that goes out and patches systems, without the users’ permission, right or wrong? Do the ends justify the means? Such questions are the basis of the ethical discussions that define the challenges faced by security personnel on a regular basis.
Chapter Summary
Define computer security
Discuss common threats and recent computer crimes that have been committed
List and discuss recent trends in computer security
Describe common avenues of attacks
Describe approaches to computer security
Discuss the relevant ethical issues associated with computer security