csc388 ch1
script kiddies
individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities in software but who have just enough understanding of computer systems to be able to download and run scripts that others have developed.
Specific target
In this case, the attacker has chosen the target not because of the hardware or software the organization is running but for another reason, perhaps a political reason.
highly structured threat
This type of threat is characterized by a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers. The threat may include attempts not only to subvert insiders but also to plant individuals inside of a potential target in advance of a planned attack.
Opportunistic Target
The second type of attack, an attack against a target of opportunity, is conducted against a site that has software that is vulnerable to a specific exploit. The attackers, in this case, are not targeting the organization; instead, they have learned of a vulnerability and are simply looking for an organization with this vulnerability that they can exploit.
Minimizing attack
Keeping all software updated and hardening the system -- limiting the services running on the system
critical infrastructures
Water, electricity, oil and gas refineries and distribution, banking and finance, telecommunications—all fall into the category of critical infrastructures for a nation. Critical infrastructures are those whose loss would have severe repercussions on the nation.
Hacktivist
a computer hacker whose activity is aimed at promoting a social or political cause.
information warfare
warfare conducted against the information and information processing equipment used by an adversary. Information warfare falls into the highly structured threat category.
structured threat
which is characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders.
elite hackers
who not only have the ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities.
Ethics
• Ethics is commonly defined as a set of moral principles that guides an individual's or group's behavior.
• Because information security efforts frequently involve trusting people to keep secrets that could cause harm to the organization if revealed, trust is a foundational element in the people side of security.
Operation Bot Roast
(2007) In 2007, the FBI announced that it had conducted Operation Bot Roast, identifying over 1 million botnet crime victims. In the process of dismantling the botnets, the FBI arrested several botnet operators across the United States. Although seemingly a big success, this effort made only a small dent in the vast volume of botnets in operation.
Cyberwar?
(2007) In May of 2007, the country of Estonia was crippled by a massive denial-of-service (DoS) cyberattack against all of its infrastructure, firms (banks), and government offices. This attack was traced to IP addresses in Russia, but was never clearly attributed to a government-sanctioned effort.
Conficker
(2008-2009) In late 2008 and early 2009, security experts became alarmed when it was discovered that millions of systems attached to the Internet were infected with the Downadup worm. Also known as Conficker, the worm was believed to have originated in Ukraine. Infected systems were not initially damaged beyond having their antivirus solution updates blocked. What alarmed experts was the fact that infected systems could be used in a secondary attack on other systems or networks. Each of these infected systems was part of what is known as a bot network (or botnet) and could be used to cause a DoS attack on a target or be used for the forwarding of spam e-mail to millions of users.
GhostNet (APT)
(2009) In 2009, the Dalai Lama's office contacted security experts to determine if it was being bugged. The investigation revealed it was, and the spy ring that was discovered was eventually shown to be spying on over 100 countries' sensitive missions worldwide. Researchers gave this APT-style spy network the name GhostNet, and although the effort was traced back to China, full attribution was never determined.
Fiber Cable Cut
(2009) On April 9, 2009, a widespread phone and Internet outage hit the San Jose area in California. This outage was not the result of a group of determined hackers gaining unauthorized access to the computers that operate these networks, but instead occurred as a result of several intentional cuts in the physical cables that carry the signals. The cuts resulted in a loss of all telephone, cell phone, and Internet service for thousands of users in the San Jose area. Emergency services such as 911 were also affected, which could have had severe consequences.
Operation Aurora (APT)
(2009) Operation Aurora was an APT attack first reported by Google, but also targeting Adobe, Yahoo, Juniper Networks, Rackspace, Symantec, and several major U.S. financial and industrial firms. Research analysis pointed to the People's Liberation Army (PLA) of China as the sponsor. The attack ran for most of 2009 and operated on a large scale, with the groups behind the attack consisting of hundreds of hackers working together against the victim firms.
Computer security
Computer security and information security both refer to a state where the hardware and software perform only desired actions and the information is protected from unauthorized access or alteration and is available to authorized users when required.
Approaches to computer security (cio)
Correctness: ensuring that a system is fully up to date with all patches installed
Isolation: protecting a system from unauthorized use by means of access control and physical security
Obfuscation: making it difficult for an adversary to know when they have succeeded.
US Electric Power Grid
(April 2009) In April 2009, Homeland Security Secretary Janet Napolitano told reporters that the United States was aware of attempts by both Russia and China to break into the U.S. electric power grid, map it out, and plant destructive programs that could be activated at a later date. She indicated that these attacks were not new and had in fact been going on for years. One article in the Kansas City Star, for example, reported that in 1997 the local power company, Kansas City Power and Light, encountered perhaps 10,000 attacks for the entire year. By 2009 the company experienced 30-60 million attacks.
Stuxnet, Duqu, and Flame (APT)
(2009-2012) Stuxnet, Duqu, and Flame represent examples of state-sponsored malware. Stuxnet was a malicious worm designed to infiltrate the Iranian uranium enrichment program, to modify the equipment and cause the systems to fail in order to achieve desired results and in some cases even destroy the equipment. Stuxnet was designed to attack a specific model of Siemens programmable logic controller (PLC), which was one of the clues pointing to its objective, the modification of the uranium centrifuges. Although neither the United States nor Israel has admitted to participating in the attack, both have been suggested to have had a role in it. Duqu (2011) is a piece of malware that appears to be a follow-on of Stuxnet, and has many of the same targets, but rather than being destructive in nature, Duqu is designed to steal information. The malware uses command and control servers across the globe to collect elements such as keystrokes and system information from machines and deliver them to unknown parties. Flame (2012) is another piece of modular malware that may be a derivative of Stuxnet. Flame is an information collection threat, collecting keystrokes, screenshots, and network traffic. It can record Skype calls and audio signals on a machine. Flame is a large piece of malware with many specific modules, including a kill switch and a means of evading antivirus detection. Because of the open nature of Stuxnet—its source code is widely available on the Internet—it is impossible to know who is behind Duqu and Flame. In fact, although Duqu and Flame were discovered after Stuxnet, there is growing evidence that they were present before Stuxnet and collected critical intelligence needed to conduct the later attack. The real story behind these malware items is that they demonstrate the power and capability of nation-state malware.
Sony (APT)
(2011) The hacker group LulzSec reportedly hacked Sony, stealing over 70 million user accounts. The resulting outage lasted 23 days, and cost Sony in excess of $170 million. One of the biggest issues related to the attack was Sony's poor response, taking more than a week to notify people of the initial attack, and then communicating poorly with its user base during the recovery period. Also notable was that although the credit card data was encrypted on Sony's servers, the rest of the data stolen was not, making it easy pickings for the disclosure of information.
Saudi Aramco (Shamoon) (APT)
(2012) In August of 2012, 30,000 computers were shut down in response to a malware attack (named Shamoon) at Saudi Aramco, an oil firm in Saudi Arabia. The attack hit three out of four machines in the firm, and the damage included data wiping of machines and the uploading of sensitive information to Pastebin. It took 10 days for the firm to clean up the infection and restart its business network.
Nation-State hacking (APT)
(2013 - present) Nation-states have become a recognized issue in security, from the Great Firewall of China to modern malware attacks from a wide range of governments. Threat intelligence became more than a buzzword in 2014 as firms such as CrowdStrike exposed sophisticated hacking actors in China, Russia, and other countries. In 2014 CrowdStrike reported on 39 different threat actors, including criminals, hacktivists, state-sponsored groups, and nation-states. Learning how these adversaries act provides valuable clues to their detection in the enterprise. Groups such as China's Hurricane Panda represent a real security threat. Hurricane Panda focuses on aerospace firms and Internet service companies. Not all threats are from China. Russia is credited with its own share of malware. Attribution is difficult, and sometimes the only hints are clues, such as the timelines of command and control servers for Energetic Bear, an attack on the energy industry in Europe from the Dragonfly group. The Regin platform, a complete malware platform, possibly in operation for over a decade, has been shown to attack telecom operators, financial institutions, government agencies, and political bodies. Regin is interesting because of its stealth, its complexity, and its ability to hide its command and control network from investigators. Although highly suspected to be deployed by a nation-state, its attribution remains unsolved. In 2015, data breaches and nation-state hacking hit new highs with the loss of over 20 million sensitive personnel files from the computers at the U.S. Office of Personnel Management (OPM). This OPM loss, reportedly to China, was extremely damaging in that the data loss consisted of the complete background investigations on people who had submitted security clearances. These records detailed extensive personal information on the applicants and their family members, providing an adversary with detailed intelligence knowledge.
In the same year it was reported that email systems in the Department of State, the Department of Defense, and the White House had been compromised, possibly by both Russia and China. The sensitive nuclear negotiations in Switzerland between the U.S., its allies, and Iran were also reported to have been subject to electronic eavesdropping by parties yet unknown.
Data Breaches (APT)
(2013-present) From the end of 2013 through to the time of this writing, data breaches have dominated the security landscape. Target Corporation announced its breach in mid-December, 2013, stating that the hack began as early as "Black Friday" (November 29) and continued through December 15. Data thieves captured names, addresses, and debit and credit card details, including numbers, expiration dates, and CVV codes. In the end a total of 70 million accounts were exposed. Following the Target breach, Home Depot suffered a breach of over 50 million debit and credit card numbers in 2014. JP Morgan Chase also had a major data breach in 2014, announcing the loss of 77 million account holders' information. Unlike Target and Home Depot, JP Morgan Chase did not lose account numbers or other crucial data elements. JP Morgan Chase also mounted a major PR campaign touting its security program and spending in order to satisfy customers and regulators of its diligence. At the end of 2014, Sony Pictures Entertainment announced that it had been hacked, with a massive release of internal data. At the time of this writing, hackers have claimed to have stolen as much as 100 terabytes of data, including e-mails, financial documents, intellectual property, personal data, HR information ... in essence, almost everything. Additional reports indicate the destruction of data within Sony; although the extent of the damage is not known, at least one of the elements of malware associated with the attack is known for destroying the Master Boot Record (MBR) of drives. Attribution in the Sony attack is also tricky, as the U.S. government has accused North Korea, while other groups have claimed responsibility, and some investigators claim it was an inside job. It may take years to determine correct attribution, if it is even possible.
Kevin Mitnick
(February 1995) Kevin Mitnick's computer activities occurred over a number of years during the 1980s and 1990s. Arrested in 1995, he eventually pled guilty to four counts of wire fraud, two counts of computer fraud, and one count of illegally intercepting a wire communication and was sentenced to 46 months in jail. In the plea agreement, Mitnick admitted to having gained unauthorized access to a number of different computer systems belonging to companies such as Motorola, Novell, Fujitsu, and Sun Microsystems. He described using a number of different "tools" and techniques, including social engineering, sniffers, and cloned cellular telephones.
The Slammer Worm
(January 25 2003) On Saturday, January 25, 2003, the Slammer worm was released. It exploited a buffer-overflow vulnerability in computers running Microsoft SQL Server or SQL Server Desktop Engine. Like the vulnerability in Code Red, this weakness was not new and, in fact, had been discovered and a patch released in July of 2002. Within the first 24 hours of Slammer's release, the worm had infected at least 120,000 hosts and caused network outages and the disruption of airline flights, elections, and ATMs. At its peak, Slammer-infected hosts were generating a reported 1TB of worm-related traffic every second. The worm doubled its number of infected hosts every 8 seconds. It is estimated that it took less than 10 minutes to reach global proportions and infect 90 percent of the possible hosts it could infect.
The Code Red Worm
(July 19 2001) On July 19, 2001, in a period of 14 hours, over 350,000 computers connected to the Internet were infected by the Code Red worm. The cost estimate for how much damage the worm caused (including variations of the worm released on later dates) exceeded $2.5 billion. The vulnerability, a buffer-overflow condition in Microsoft's IIS web servers, had been known for a month.
Omega Engineering and Timothy Lloyd
(July 1996) On July 30, 1996, a software "time bomb" went off at Omega Engineering, a New Jersey-based manufacturer of high-tech measurement and control instruments. Twenty days earlier, Timothy Lloyd, a computer network program designer, had been dismissed from the company after a period of growing tension between Lloyd and management at Omega. The program that ran on July 30 deleted all of the design and production programs for the company, severely damaging the small firm and forcing the layoff of 80 employees. The program was eventually traced back to Lloyd, who had left it in retaliation for his dismissal.
Citibank and Vladimir Levin
(June-October 1994) Starting about June of 1994 and continuing until at least October of the same year, a number of bank transfers were made by Vladimir Levin of St. Petersburg, Russia. By the time he and his accomplices were caught, they had transferred an estimated $10 million. Eventually all but about $400,000 was recovered. Levin reportedly accomplished the break-ins by dialing into Citibank's cash management system. This system allowed clients to initiate their own fund transfers to other banks.
Worcester Airport and "Jester"
(March 1997) In March of 1997, telephone services to the FAA control tower as well as the emergency services at the Worcester Airport and the community of Rutland, Massachusetts, were cut off for a period of six hours. This disruption occurred as a result of an attack on the phone network by a teenage computer "hacker" who went by the name "Jester."
The Melissa Virus
(March 1999) Melissa is the best known of the early macro-type viruses that attach themselves to documents for programs that have limited macro programming capability. The virus, written and released by David Smith, infected about a million computers and caused an estimated $80 million in damages.
The Love Letter Virus
(May 2000) Also known as the "ILOVEYOU" worm and the "Love Bug," the Love Letter virus was written and released by a Philippine student named Onel de Guzman. The virus was spread via e-mail with the subject line of "ILOVEYOU." Estimates of the number of infected machines worldwide have been as high as 45 million, accompanied by a possible $10 billion in damages (it should be noted that figures like these are extremely hard to verify or calculate).
Website Defacements
(May 2006) In May of 2006, a Turkish hacker using the handle iSKORPiTX successfully hacked over 21,000 websites in a single effort. The rationale for his actions was never determined, and over the next few years he hacked hundreds of thousands of websites, defacing their cover page with a statement of his hack. Although a nuisance to some, the defacements forced those affected to clean up their systems, including repairing vulnerabilities, or he would strike again.
The morris worm
(November 1988) Robert Morris, then a graduate student at Cornell University, released what has become known as the Internet worm (or the Morris worm). The worm infected roughly 10 percent of the machines then connected to the Internet (which amounted to approximately 6000 infected machines). The worm carried no malicious payload, the program being obviously a "work in progress," but it did wreak havoc because it continually re-infected computer systems until they could no longer run any programs.
unstructured threat
Generally, attacks by an individual or even a small group of attackers fall into the unstructured threat category. Attacks at this level generally are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.
Advanced Persistent Threats
Not a specific threat. Any threat that is advanced in nature and can cause major destruction over a long period of time.
Hacking and hackers
The act of deliberately accessing computer systems and networks without authorization is generally referred to as hacking, with individuals who conduct this activity being referred to as hackers. The term hacking also applies to the act of exceeding one's authority in a system.