CIS 321 Ch. 4 TYU
What are cyberterror and cyberwar attacks?
Cyber attacks by terrorists and nation states.
What is the specific goal of authentication?
To determine if the supplicant is the true party or an impostor.
What type of adversary are most hackers today?
Cybercriminals who hack to make money.
Distinguish between private networks and virtual private networks.
Private networks are for the exclusive use of an organization. Virtual private networks use physical networks that mix the traffic of many organizations but provide protection to individual conversations so that users appear to have private networks as far as security goes.
What are Trojan horses?
Programs that disguise themselves by taking the name of a legitimate program, usually a system program.
What is ransomware?
Ransomware encrypts the victim's files (often the whole hard drive). To get them decrypted, the victim must pay a ransom.
What can retailers do to defend themselves against counterfeit credit cards?
Retailers can defend themselves against counterfeit credit cards in one way: check that the last four digits printed on the physical card match the last four digits read from the card's magnetic stripe. A counterfeit card made from stolen stripe data usually fails this check.
Which form of authentication that we looked at depends on the supplicant proving that it knows something that only the true party should know?
Reusable passwords and digital certificate authentication (the supplicant must know the True Party's private key). If an access card must be supplemented by a PIN, knowing the PIN would also qualify.
Why may ex-employees attack?
Revenge or theft.
Why is SSL/TLS attractive for VPNs to connect browsers to webservers?
SSL/TLS is built into every browser and webserver, so it can simply be turned on with no other cost.
Does the verifier decrypt with the true party's public key or the supplicant's public key? Why is this important?
The True Party's public key. If it used the supplicant's public key, the response message would always decrypt correctly whether the supplicant is the True Party or an impostor, so the check would prove nothing.
Explain "advanced" in the term advanced persistent threat.
The attack uses sophisticated techniques beyond those of most hacking and other cybercrimes.
To what computer does the attacker send messages directly?
The command and control server.
What are the two states in connections for SPI firewalls?
The connection-opening state and the ongoing communication state.
What is a cipher?
An encryption method for achieving confidentiality.
What is a collection of compromised computers called?
Botnet.
Which programs directly attack the victim in a distributed denial-of-service attack?
Bots.
What is the person who controls them called?
Bot master.
Who is the true party?
The party the supplicant claims to be.
How were consumers damaged by the breach?
• Consumers were damaged mainly when they failed to report fraudulent transactions to their credit card company. • Consumers who informed their card company quickly about fraudulent charges on their bills were protected against the counterfeit-card purchases: the company dropped the fraudulent transactions from their bills. • Even so, checking statements and disputing charges cost consumers time and frustration.
List the internal Target servers the attackers compromised.
• Vendor Server • Malware Download Server • Holding Server • Extrusion Server • Landing Server
What name do we give to attacks that occur before a patch is available?
• Zero-day attacks. A zero-day attack exploits a vulnerability for which no patch is yet available (the vendor has had "zero days" to fix it), so users cannot protect themselves by patching.
What are the implications of the fact that bots can be updated?
1. Errors in their operation can be fixed after these flaws are discovered. The software is no longer unfixable after release. 2. Code can be added to repurpose bots for things like transmitting spam. The botnet or a portion of it can then be rented to spammers.
How do viruses and worms differ?
1. A virus is a piece of code that attaches itself to other programs, that is, it requires a host program. A worm is a full, stand-alone program that runs by itself without needing a host program. 2. Antivirus programs can stop viruses but not directly propagating worms. 3. Firewalls can keep systems safe from directly propagating worms, but they cannot stop viruses.
What is the minimum size for encryption keys to be considered strong in most encryption ciphers?
128 bits (for symmetric ciphers; public key ciphers such as RSA need much longer keys for comparable strength).
What individual victim or group of individual victims suffered the most harm?
?
Explain "persistent" in the context of APTs.
APT attacks may proceed for weeks, months, or years. This gives the attacker time to move through the system, hide its traces, and do other things that take time to accomplish. It can also steal data and do other damage for a long time.
What if this information is learned by an attacker?
An attacker who learns it can authenticate falsely, impersonating the True Party.
How does security thinking differ from network thinking?
A network lets us share information and resources; it provides access to almost anything, anywhere, at any time. But it provides the same access to criminals, attackers, and terrorists, so network security has become a very serious matter. Network thinking asks how to provide access; security thinking asks who could misuse that access and how to limit it to authorized parties. The differences are shown in the following table:
What kind of attack may succeed against a system with no technological vulnerabilities?
A social engineering attack such as phishing, because it exploits the user rather than a technical flaw.
Distinguish between phishing and spear phishing attacks.
A phishing attack pretends to be from a company the user does business with or from another seemingly trustworthy source. The text of the e-mail message is also convincing. Using HTML, it may look exactly like the e-mail messages the source usually sends. Spear phishing is even more specific. The attacker personalizes the e-mail message to a particular person, such as the chief executive officer of the company. Spear phishing e-mails are even more convincing because they typically appear to come from a specific trusted person and contain information that only that person is likely to know. For example, it may mention specific projects or the target's travel plans.
What is a vulnerability?
A security flaw in a program that allows one or more attacks against that program to succeed. • Users and network owners need to apply security patches to protect against known vulnerabilities.
What should be done before an employee leaves the firm?
All access must be terminated before their leaving.
For what four reasons are employees especially dangerous?
They already have access; they know the systems; they know how to avoid detection; they are trusted.
What two protections do electronic signatures provide?
Authentication and message integrity.
Why must authentication be appropriate for risks to an asset?
Better authentication methods are more expensive. (They also tend to be more inconvenient to use.) Authentication should be strong enough to counter risks to the asset, but it should not be far stronger. If the risks are high, however, using strong authentication is required.
What protection does confidentiality provide?
Confidentiality ensures that any eavesdropper who intercepts your messages cannot read them.
What three protections are typically given to each packet?
Confidentiality, authentication, and message integrity.
What are credentials?
Credentials are proofs of identity (passwords, fingerprints, etc.).
Why are cyberwar attacks especially dangerous?
They tend to be sophisticated (and well financed). They try to do widespread damage.
What two benefits should this new recommendation bring?
Easier to remember. Also better security because the rule is less likely to be circumvented by users.
In digital certificate authentication, what does the supplicant do?
Encrypts the plaintext challenge message with his, her, or its (the supplicant's) private key.
What three types of attacks may come from your firm's business competitors?
Espionage to steal trade secrets; denial-of-service attacks; attacks on your reputation via social media.
Why is two-factor authentication desirable?
Each form of authentication faces threats. For two-factor authentication to fail, two threats must succeed. This is less likely in most cases.
Why is it undesirable to use reusable passwords for anything but the least sensitive assets?
Far too many passwords are easily guessable. The Mirai botnet takeover method tried fewer than 70 username/password combinations but was extremely successful.
How did the attackers gain access to Target's network?
• They first obtained credentials for Target's vendor server, which gave them a foothold from which to move inside the network. • They then uploaded POS malware, purchased from an online crimeware shop, to a malware download server within Target. • Next they took over Target's internal server that distributes software updates to the POS systems. • Through that update server they changed the software on the POS terminals, installing the malware on them.
Which is more harmful to the victim? (credit card number theft or identity theft.) Why?
For credit card theft, quick reporting of unauthorized purchases gets those transactions removed without the victim paying for them. In identity theft, there can be large unreimbursed losses, and even discovering the theft may take a long time.
What is malware?
Generic name for evil software. It includes viruses, worms, Trojan horses, and other dangerous attack software.
Who are the most dangerous employees?
IT employees and security employees
Critique (positively or negatively) the fact that Target knew that fraud was already occurring with the stolen card data but did not reveal this when it announced the breach.
Negatively. If Target already knew that fraud was occurring with the stolen card data, it should have said so when it announced the breach. Cardholders could then have taken protective steps immediately: checking their statements for unauthorized charges and reporting them, so that the card issuer could block the card and drop the fraudulent transactions. Withholding this information delayed consumers' ability to protect themselves.
If you click on a link expecting to go to a legitimate website but are directed to a website that contains information you are not authorized to see, is that hacking? Explain in terms of the definition.
If you do not look around after going there, then there is no intentionality, so accessing it without authorization is not hacking. However, the government can still prosecute you, claiming intentionality. Calling law enforcement immediately is a good idea.
How does the verifier get the true party's public key?
In a digital certificate from a certificate authority (CA).
What is authentication?
In authentication, a supplicant attempts to prove its identity to a verifier by sending credentials. The verifier's mission is to determine if the supplicant is who he, she, or it claims to be (usually a particular True Party). If the verifier is not satisfied, the supplicant is treated as an impostor.
Distinguish between credit card number theft and identity theft.
In credit card theft, the cybercriminals steal your credit card number and perhaps related information. They use this to commit credit card fraud by buying things with your credit card. In identity theft, the cybercriminal steals enough personally identifiable information about you to impersonate you in large transactions such as purchasing a car. This includes your birth date, social security number, and other information that should be difficult to obtain (but often is not).
Why is face recognition controversial?
It can be used surreptitiously, without the person's knowledge.
What does a firewall do when an arriving packet is definitely an attack packet?
It drops it and logs it.
Why is direct propagation especially dangerous?
It happens without victim action. There is no indication that it is occurring. It happens very, very rapidly.
Why may fingerprint recognition be acceptable for user authentication
It is a weak form of authentication, but it is acceptable for low-value assets such as personal laptops.
Which state needs the most security protection? Why?
It is the connection-opening state, because this is when you authenticate the other party. Also, you exchange secrets that will be used during the connection.
Why is iris recognition desirable?
It is very precise and difficult to deceive, but it is expensive, so it is best for higher-value targets.
Does a firewall drop a packet if it probably is an attack packet?
No. It passes the packet and does not log it; firewalls drop only provable attack packets.
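The two SPI connection states and the drop-and-log rule above (connection-opening state checked against policy, ongoing state passed cheaply, provable attack packets dropped and logged, passed packets not logged), as an added example that is not from the textbook. It is a toy firewall in Python; the internal address prefix, the allowed inbound ports, and the packet sequence are all constructed for the illustration.

```python
"""Added example (not from the textbook): a toy stateful packet inspection
(SPI) firewall showing the connection-opening and ongoing-communication
states. Hosts, ports and packets are constructed for this illustration."""
from dataclasses import dataclass, field

INTERNAL_NET = "10.0.0."   # assumed internal address prefix for this example


@dataclass(frozen=True)
class Packet:
    iface: str    # "ext" = arriving from the Internet, "int" = from inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "F" FIN, "R" RST


@dataclass
class SpiFirewall:
    # ACL applied in the connection-opening state: inbound connections from the
    # Internet are allowed only to these destination ports (assumed policy).
    allowed_inbound_ports: set = field(default_factory=lambda: {80, 443})
    connections: set = field(default_factory=set)   # vetted connections
    log: list = field(default_factory=list)         # only drops are logged

    @staticmethod
    def _key(p):
        # Both directions of one connection map to the same table entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def handle(self, p):
        # 1. Provable attack packet: an internal source address arriving on the
        #    external interface must be spoofed. Drop it and log it.
        if p.iface == "ext" and p.src.startswith(INTERNAL_NET):
            self.log.append(f"DROP spoofed source {p.src} on ext")
            return "drop"
        key = self._key(p)
        # 2. Ongoing-communication state: a packet belonging to an already
        #    vetted connection passes with no further checks and is not logged.
        if key in self.connections:
            if "F" in p.flags or "R" in p.flags:
                self.connections.discard(key)   # connection is closing
            return "pass"
        # 3. Connection-opening state: a SYN is checked against policy. This is
        #    the state that needs the most protection, because it is where the
        #    decision to trust the rest of the conversation is made.
        if p.flags == "S":
            if p.iface == "int" or p.dport in self.allowed_inbound_ports:
                self.connections.add(key)
                return "pass"
            self.log.append(f"DROP inbound SYN to port {p.dport} from {p.src}")
            return "drop"
        # 4. A non-SYN packet with no matching connection belongs to no vetted
        #    conversation (for example an ACK scan): drop and log.
        self.log.append(f"DROP stray {p.flags} packet from {p.src}:{p.sport}")
        return "drop"


def demo():
    """Run a constructed packet sequence; returns (decisions, log)."""
    fw = SpiFirewall()
    packets = [
        Packet("int", "10.0.0.5", 50000, "203.0.113.9", 443, "S"),   # client opens
        Packet("ext", "203.0.113.9", 443, "10.0.0.5", 50000, "SA"),  # server reply
        Packet("ext", "198.51.100.7", 4444, "10.0.0.5", 22, "S"),    # unsolicited SSH
        Packet("ext", "10.0.0.8", 1234, "10.0.0.5", 80, "S"),        # spoofed source
        Packet("ext", "198.51.100.7", 4444, "10.0.0.5", 80, "A"),    # stray ACK
    ]
    decisions = [fw.handle(p) for p in packets]
    return decisions, fw.log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)          # ['pass', 'pass', 'drop', 'drop', 'drop']
    print("\n".join(log))
```

The expensive policy decision happens once, at the SYN; every later packet of that conversation is a cheap table lookup, which is why SPI firewalls are both fast and inexpensive. Only drops reach the log, so reading the log daily shows the attack traffic the firewall is absorbing, not the legitimate traffic it passed.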
What is the difference between the two types of spyware mentioned in the text?
Keystroke loggers record your keystrokes. Data miners search your computer for specific information, such as bank account numbers, social security numbers, and passwords.
Why are contractor firms more dangerous than other outside firms?
Like employees, they have access, know the systems, know how to avoid detection, and are trusted.
What was the traditional recommendation for passwords?
Make them long (8 to 12 characters, usually) and make them complex, with a combination of uppercase letters, lowercase letters, digits, and keyboard special characters (#^?, etc.). Change them frequently.
What is the U.S. National Institute of Standards and Technology's new recommendation?
Make them very long (passphrases instead of passwords), make them un-guessable, and don't worry about complexity. Do not change them frequently.
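The traditional and NIST-style password rules above, side by side, as an added example that is not from the textbook or from NIST: a Python checker that applies the composition rule on one side and a length-plus-blocklist rule on the other. The blocklist is a constructed sample, and the 12-character minimum is an assumption for the example.

```python
"""Added example (not from the textbook or NIST): the traditional
composition-rule policy beside a length-plus-blocklist policy in the spirit
of the NIST recommendation. The blocklist is a constructed sample."""
import string

# Constructed sample of the common and default passwords attackers guess first
# (the Mirai botnet got by with fewer than 70 such combinations). A real
# deployment would use a list of breached passwords, not this toy set.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "admin", "root",
    "P@ssw0rd1!", "Welcome1!", "Summer2024!", "Tr0ub4dor&3", "Password12345!",
}


def traditional_ok(pw, min_len=8):
    """Traditional rule: at least min_len characters with an uppercase letter,
    a lowercase letter, a digit and a keyboard special character."""
    has = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and all(has)


def nist_style_ok(pw, min_len=12, blocklist=COMMON_PASSWORDS):
    """NIST-style rule: long enough and not a known or guessable password; no
    composition requirement. min_len=12 is an assumption for this example
    (NIST SP 800-63B sets a floor of 8 and asks that much longer passphrases
    be accepted). The blocklist is matched case-insensitively so that trivial
    capitalisation variants of a blocked password are still rejected."""
    if len(pw) < min_len:
        return False
    return pw.lower() not in {b.lower() for b in blocklist}


def compare(pw):
    """Decisions of both policies for one candidate password."""
    return {"traditional": traditional_ok(pw), "nist_style": nist_style_ok(pw)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Password12345!", "correct horse battery staple"):
        print(f"{candidate!r}: {compare(candidate)}")
```

"P@ssw0rd1!" and "Password12345!" satisfy every composition rule yet are exactly the guessable substitutions users produce to circumvent such rules, so the blocklist rejects them; the long passphrase fails the old rule and passes the new one, which is the point of the NIST change.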
What are the most frequent types of attacks on companies?
Malware attacks are the most frequent problems that companies face. Nearly every firm has one or more significant malware compromise each year.
Do all worms spread by direct propagation?
No. Only some.
Who mounts APTs today?
Originally, only nation states. Today, cybercriminals are also mounting APTs.
What are payloads?
Payloads are pieces of code that malware executes to do damage.
What is the goal of social engineering?
Social engineering consists of tricking the user into taking an action that compromises security. In some cases, a social engineering attack entices the user to click on a link that will take the victim to a site that asks the person to download a program to view a particular attachment. This downloaded program will actually be malware. In other cases, the e-mail may contain the malware directly, in the form of an attachment.
Is the supplicant the true party or is the supplicant an impostor?
Sometimes it is the True Party, sometimes an impostor. The whole purpose of authentication is to determine which it is.
What is spyware?
Spyware steals information from your computer and sends it to attackers.
What is the definition of hacking?
The intentional use of a computer resource without authorization or in excess of authorization.
In encryption for confidentiality, what must be kept secret?
The key (not the cipher itself).
What characteristic of the true party is used in access card authentication, iris authentication, and digital certificate authentication?
Access card authentication: possession of the physical access card (usually plus a memorized PIN). Iris authentication: the pattern of the supplicant's iris. Digital certificate authentication: knowledge of the True Party's private key.
Distinguish between the supplicant and the verifier.
The supplicant is the party attempting to prove its identity, usually as a particular True Party. The verifier appraises the supplicant's credentials. If it is satisfied that the supplicant is who he, she, or it claims to be, the supplicant is verified.
What is biometrics?
The use of biological measurements to authenticate you.
What does the verifier do?
The verifier decrypts the response message with the True Party's public key. If this recreates the challenge message, then the supplicant must know the True Party's private key and therefore is the True Party because only the True Party should know it.
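The challenge-response exchange described above (supplicant encrypts the challenge with its private key; verifier decrypts with the True Party's public key from the CA's certificate), together with the earlier point about why the verifier must not use the supplicant's own public key, as an added example that is not from the textbook. It is textbook RSA with small hard-coded primes, so the numbers are an illustration only; real systems hash the challenge and use a padded signature scheme with large keys.

```python
"""Added example (not from the textbook): textbook-RSA challenge-response
authentication with small hard-coded primes. Illustration only."""
import secrets


def make_keypair(p, q, e=17):
    """Return (public_key, private_key) for distinct primes p and q.
    e must be coprime to (p-1)(q-1); 17 works for the primes used here."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def respond(challenge, private_key):
    """Supplicant: 'encrypt' the plaintext challenge with its private key."""
    d, n = private_key
    return pow(challenge, d, n)


def verify(challenge, response, public_key):
    """Verifier: decrypt the response with a public key and compare it with
    the challenge it sent. True only if the responder holds the matching
    private key."""
    e, n = public_key
    return pow(response, e, n) == challenge


# The True Party's public key is what the verifier obtains from the CA's
# digital certificate. The impostor has a key pair of its own.
TRUE_PARTY_PUB, TRUE_PARTY_PRIV = make_keypair(61, 53)   # n = 3233
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(71, 67)       # n = 4757


def run_round(supplicant_priv, key_used_by_verifier, challenge):
    """One challenge-response round; returns the verifier's decision."""
    return verify(challenge, respond(challenge, supplicant_priv), key_used_by_verifier)


def score(challenges=range(2, 50)):
    """How many challenges each scenario passes (challenges kept below both
    toy moduli so every key can handle them)."""
    return {
        "true_party_checked_with_cert_key":
            sum(run_round(TRUE_PARTY_PRIV, TRUE_PARTY_PUB, c) for c in challenges),
        "impostor_checked_with_cert_key":
            sum(run_round(IMPOSTOR_PRIV, TRUE_PARTY_PUB, c) for c in challenges),
        # The mistake described above: verifying with whatever public key the
        # supplicant itself supplies lets every impostor through.
        "impostor_checked_with_own_key":
            sum(run_round(IMPOSTOR_PRIV, IMPOSTOR_PUB, c) for c in challenges),
    }


if __name__ == "__main__":
    print(score())
    # A single unpredictable challenge, as a verifier would actually send one.
    c = secrets.randbelow(3233 - 2) + 2
    print("true party accepted:", run_round(TRUE_PARTY_PRIV, TRUE_PARTY_PUB, c))
```

The True Party passes every round and the impostor fails almost every round when the verifier uses the certificate's key; the impostor passes every round when the verifier uses the key the supplicant hands over, which is why the public key must come from a trusted certificate rather than from the supplicant. The challenge must be fresh and unpredictable each time, otherwise an eavesdropper could replay an old response.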
Why are stateful packet inspection (SPI) firewalls attractive?
They are relatively inexpensive and provide quite strong protection.
What resources can they purchase and sell over the Internet?
They can purchase attack software and the time of expert attackers. They can use crime shops to sell what they have stolen.
How do Trojan horses propagate to computers?
They cannot travel by themselves. They do not mail themselves or propagate directly. They must be placed there by a hacker, another piece of malware, or the users themselves succumbing to social engineering.
Why is this type of attacker extremely dangerous?
They have the resources to procure good attack software and the income to sustain prolonged attacks.
How do viruses and worms propagate using social engineering?
They trick the user into opening an attachment or taking some other action that installs them on the system.
How do adversaries often enter the system and then expand to other parts of it?
Through an employee or other insider, such as a contractor. A phishing attack is common.
Why are other forms of authentication being created?
To end the use of reusable passwords.
Why is it important to read firewall logs daily?
To find out the types of attacks and volume of attacks you are facing.
What is the purpose of a denial-of-service attack?
To make the resource unavailable to legitimate users.
Why may employees attack?
To steal money and trade secrets they can sell. To take revenge on their employer or ex-employers.
If you see a username and password on a sticky note on a monitor, is it hacking if you use this information to log in? Explain in terms of the definition. (Answer: Yes it is; you did not receive authorization to use it.)
Yes it is. You have no authorization to use it.
Is it still important not to use the same password at multiple sites?
Yes.
How do you authenticate yourself with an access card?
You swipe it.
You discover that you can get into other e-mail accounts after you have logged in under your account. You spend just a few minutes looking at another user's mail. Is that hacking? Explain in terms of the definition.
You used the resource in excess of your authorization. By looking around, even briefly, you added intentionality. It is hacking.
How can users eliminate vulnerabilities in their programs?
• If a vulnerability is found in a program, the user needs a patch: a small program (or program update) from the vendor designed to fix that specific vulnerability. • Once the user installs the patch, the program is no longer exploitable by malware that relies on that particular vulnerability.
How was Target damaged by the breach?
• Target itself was one of the victims, through falling sales. From the revelation of the breach to February 2014, Target's sales fell 5.3% from the previous year and its profit fell 46%, roughly $500 million. • In addition, Target will probably pay several hundred million dollars in lawsuits brought by commercial and governmental organizations. Soon after the breach the company's chief technical officer resigned, and the company's CEO resigned in May 2014.
How were retailers damaged by the breach?
• The fraud hit retailers the hardest. Retailers rarely recover merchandise bought fraudulently. • Once a credit card company is notified by a consumer of a fraudulent purchase, it does not pay the retailer for that purchase. Hence the retailer bears the loss.
Were banks and credit card bureaus damaged by the breach?
• No. Banks and credit card bureaus did not lose much money compared with Target, as long as fraudulent purchases were reported. • They do not pay the retailers where the fraudulent purchases were made, because the consumer does not pay them for those purchases. • They drop fraudulent transactions from the consumer's bill if the consumer notifies them quickly. Their main substantial cost was replacing compromised cards.
List the criminal groups, besides the main attackers, who were involved in the overall process.
• The online crimeware shop that sold point-of-sale malware to the attackers. • The online card shops that purchased batches of card data from the attackers. • The counterfeiters who purchased card data from the online card shops to create fake cards.
How did the attackers exfiltrate the card data?
• The attackers first obtained credentials to access the network, moved inside it, and took over the internal server that distributes updates to the POS systems. • The POS malware then copied the data from every card swiped at a POS terminal and sent it to a compromised holding server inside Target. The holding server forwarded the data to an extrusion server, which sent it out of Target's network to an attacker-controlled landing server.
What benefit did the attackers seek to obtain from their actions?
• The attackers stole card data from the POS systems and sold it to online card shops. • Counterfeiters bought the data from the card shops and created fake cards carrying the same information. • Depending on the characteristics of each card, the attackers earned from $20 to more than $100 per card.