Information Security Midterm Review
Sandboxing - Protection against malware
Running code in an isolated "safe" environment to test its behaviors
Malware protection
Scanning Defenses, Containment, Sandboxing, Firewalls, Trust
Drive-by-download
Occurs when a user visits a web page and a download occurs without the user knowing it, or when the user knows it but does not understand the effects of the download
Attacks can be both...
mathematics and statistics
Trust - Protection against malware
"[S]ecure," like "trust," is a relative notion, and the design of any mechanism for enhancing computer security must attempt to balance the cost of the mechanism against the level of security desired and the degree of trust in the base that the site accepts as reasonable
Symmetric cryptosystems
(Also called single key or secret key cryptosystems) are cryptosystems that use the same key for encipherment and decipherment
Challenge - Motive
A large portion of hackers are driven by the opportunity to break the unbreakable system and gaining the recognition from their peers. This competitive behavior drives groups of hackers to challenge each other to cause disruption at the expense of another business.
Examples of Threats/Data Breaches/Attacks
1. Snooping/Eavesdropping/Wiretapping 2. Modification/Alteration 3. Masquerading/Spoofing 4. Repudiation of Origin 5. Denial of Receipt 6. Delay 7. Denial of Service
7 Domains of IT Infrastructure
1. User 2. Workstation 3. LAN 4. LAN to WAN 5. WAN 6. Remote Access 7. Systems/Applications
10 Common IT Security Risks in the Workplace
1. Failure to cover cybersecurity basics 2. Not understanding what generates corporate cybersecurity risks 3. Lack of a cybersecurity policy 4. Confusing compliance with cybersecurity 5. The carbon lifeform - the weakest link 6. Bring your own device (BYOD) policy and the cloud 7. Funding, talent and resource constraints 8. No information security training 9. Lack of a recovery plan 10. Constantly evolving risks
Why we need Information Security - Risks
1. Ransomware attacks on Internet of Things (IoT) devices 2. AI-powered chatbots manipulate information 3. Compromised blockchain systems 4. Cyber warfare influencing global trade 5. Government surveillance exposes corporate secrets 6. Cryptocurrency hijacking attacks reach new levels; and 1. Data theft via third-party vendors 2. Loss of data due to shadow IT 3. Poor security policies compromise trade secrets 4. Data heists led by insider threats 5. Phishing schemes lead to Business Email Compromise (BEC) 6. Fraud enabled by compromised blockchain
Adware
A Trojan horse that gathers information for marketing purposes and displays advertisements
Spyware
A Trojan horse that records information about the use of a computer, usually resulting in confidential information such as keystrokes, passwords, credit card numbers, and visits to web sites
Botnets
A collection of bots
LAN Domain of IT Infrastructure
A collection of computers connected to one another or to a common connection medium. Network connection mediums can include wires, fiber-optic cables, or radio waves. Generally organized by function or department.
Combination
A combination of malware attacks
Malicious Code/Malware
A computer program written to cause a specific action to occur, such as erasing a hard drive. A virus is a computer program written to cause damage to a system, an application, or data. Human-caused threats to a computer system include viruses, malicious code, and unauthorized access
Digital Signature
A construct that authenticates both the origin and contents of a message in a manner that is provable to a disinterested third party
Service Level Agreement (SLA)
A contract that guarantees a minimum monthly availability of service for wide area network (WAN) and Internet access links (or servers and services)
Standard - Policy Framework
A detailed written definition for hardware and software and how they are to be used
Denial of Receipt
A false denial that an entity received some information or message; it is a form of deception.
Modification/Alteration
A modification is the alteration of data contained in transmissions or files. Modifications to the system configuration can also compromise the integrity of a network resource. Modifications might include creating, changing, deleting, and writing information to a network resource.
Rootkit
A pernicious (subtle/hidden) Trojan horse
Cash - Motive
A primary motivation for hackers is the money they can obtain by stealing your passwords, bank details, holding your customer information for ransom or selling your data to competitors or on the dark web
Firewalls - Protection against malware
A program or dedicated hardware device that inspects network traffic passing through it and denies or permits that traffic based on a set of rules you determine at configuration
Rabbits and Bacteria
A program that absorbs all of some class of resource
Logic Bombs
A program that performs an action that violates the security policy when some external event occurs
Trojan Horse/Propagating Trojan Horses
A program with an overt (documented or known) purpose and a covert (undocumented or unexpected) purpose
Ciphertext
A secret or disguised way of writing; a code
Policy - Policy Framework
A short, written statement that the people in charge of an organization have set as a course of action or direction
Guideline - Policy Framework
A suggested course of action for using the policy, standards, or procedures
Computer Security Incident Response Team (CSIRT)
A team established to assist and co-ordinate responses to a security incident among a defined constituency
Vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset
Workstation Domain of IT Infrastructure
A workstation can be a desktop computer, a laptop computer, a special-purpose terminal, or any other device that connects to your network. Workstation computers are generally thin clients or thick clients. - A thin client is software or an actual computer with no hard drive that runs on a network and relies on a server to provide applications, data, and all processing. Thin clients are commonly used in large organizations, libraries, and schools. - A thick client is more fully featured hardware that contains a hard drive and applications and processes data locally, going to the server mainly for file storage. An ordinary PC is an example of a thick client. Other devices that can be considered workstations are personal digital assistants (PDAs), smartphones, and tablet PCs.
Data Breaches
An incident where information is stolen or taken from a system without the knowledge or authorization of the system's owner. There are many different kinds: stolen information, ransomware, password guessing, recording keystrokes, phishing, malware or virus, Distributed Denial of Service (DDoS).
Shoulder Surfing
An attacker watches the target enter the password
Threat
Any action that could damage an asset. Information systems face both natural and human-induced threats. Examples: - Floods - Earthquakes - Severe storms. These require organizations to create plans to ensure that business operation continues and that the organization can recover.
One-time pad
Has a key that is at least as long as the message and is chosen at random, so it does not repeat. It is thought to be impossible to break. The weakness of this is that the key must never be used more than once.
Potential Targets to be hit with Information Insecurity
Banking/Financial/Credit Card, Cryptocurrencies, Healthcare, Government, Educational/Research, Retail operations, Credit bureaus, Hotels/Accommodations, Social media, Internet of Things, Industrial control systems, Power plants and grid (if it's online it can, and will, become a target)
Infection Vectors
Boot Sector, Executables, Data
Why we need Information Security - Motives
Cash, Challenge, Hacktivism, Revenge, Subversion, Infamy
Revenge - Motive
Certain types of hackers are motivated by anger and use their skills to directly affect a person, group or company without any fear of repercussion.
Substitution Cipher
Changes characters in the plaintext to produce the ciphertext
Metamorphic viruses
Changes its internal structure but performs the same actions each time it is executed
Polymorphic viruses
Changes the form of its decryption routine each time it inserts itself into another program
Cryptography
Comes from two Greek words meaning "secret writing" and is the art and science of concealing meaning
WAN Domain of IT Infrastructure
Connects remote locations. As network costs drop, organizations can afford faster Internet and WAN connections
Remote Access Domain of IT Infrastructure
Connects remote users to the organization's IT infrastructure. Critical for staff members who work in the field or from home—for example, outside sales reps, technical support specialists, or health care professionals. Important to have but dangerous to use. It introduces many risks and threats from the Internet
Operational Issues
Cost-Benefit Analysis, Risk Analysis, Laws and Customs
CRUD
Create, Read, Update, Delete
File level permissions
Create, read, write, execute, delete
Public-key Cryptography or Asymmetric Cryptography
Cryptographic system that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner. - It must be computationally easy to encipher or decipher a message given the appropriate key. - It must be computationally infeasible to derive the private key from the public key. - It must be computationally infeasible to determine the private key from a chosen plaintext attack.
Opportunities are everywhere in cyberspace
Data - both secured and unintentionally left unsecured. Business, non-profit and government systems - disruption or usurpation of systems. 43% of cyber attacks target small businesses.
Disaster Recovery Plan (DRP)
Defines how a business gets back on its feet after a major disaster such as a fire or hurricane occurs. Prepare a disaster recovery plan based on the BCP. Start DRP elements for the most important computer systems first. Organize a DRP team and a remote data center.
Delay
Delay of information to the receiver or sender
Detection
Detect attackers' violation of security policy.
Snooping/Eavesdropping/Wiretapping
Eavesdropping, or sniffing, occurs when a host sets its network interface to promiscuous mode and copies packets that pass by for later analysis. Wiretapping can be active, where the attacker makes modifications to the line. It can also be passive, where an unauthorized user simply listens to the transmission without changing the contents.
Criticality - Asset Characterization
Essential, Required, Deferrable
Phases of Intrusion Handling
Preparation, Identification, Containment Phase, Eradication Phase, Recovery, Follow-Up Phase (Incident Response Groups)
Business Continuity Plan (BCP)
Gives priorities to the functions an organization needs to keep going. Conduct a business impact analysis (BIA) and decide which computer uses are most important. Define RTOs for each system. Prepare a BCP focused on those things that are most important for the business to keep going.
Intrusion Response
Goal is to handle the (attempted) attack in such a way that damage is minimized (as determined by the security policy)
Infamy - Motive
Hackers are motivated by a sense of achievement, working independently or in groups they want to be recognized. Social media has given them a platform to boast about their exploits on a global scale.
Subversion - Motive
Hackers have been accused of meddling in current and corporate affairs - a modern-day version of espionage.
Seven Domains of a Typical IT Infrastructure
Humans are the weakest links!
Defender's Dilemma
In essence ... the defenders must get it right every time, the attackers only need to get it right once
Asset
In the context of IT security, can be a computer, a database, or a piece of information (something of value); something that needs to be protected.
Hacktivism - Motive
Infamous hacker groups use their skills to target large organizations and embarrass their IT teams, break their sophisticated security systems and humiliate the upper management.
CIA Triad
Information has value! Confidentiality, Integrity, Availability. - Confidentiality = Only authorized users can view information - Integrity = Only authorized users can change information - Availability = Information is accessible by authorized users whenever they request the information
Asset types
Information, Personnel, Hardware, Software, Legal
Threat Sources
Insider & Outsider sources
Outsider Threat
Most attacks come from anonymous outsiders
Containment - Protection against malware
Limiting the objects accessible to a given process run by the user is an obvious protection technique
Bots
Malware that carries out some action in coordination with other bots
Ransomware
Malware that inhibits the use of resources until a ransom, usually monetary, is paid
User Security
Passwords/password managers, root/administrator accounts, login/logout/walking away without logging out, trusted hosts, roles, group access
Policy Framework
Policy, Standard, Procedure, Guidelines, Security Lifecycle
Masquerading/Spoofing
Pretending to be another person online. Masquerade attacks usually include one of the other forms of active attacks, such as IP address spoofing or replaying. Spoofing is a type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource. A common spoofing attack involves presenting a false network address to pretend to be a different computer.
Prevention
Prevent attackers from violating security policy
Incident Prevention
Preventing an attack or breach from occurring at any possible cost
Goals of Security
Prevention, Detection, Recovery
Worms
Program that copies itself from one computer to another
Transposition Cipher
Rearranges the characters in the plaintext to form the ciphertext. The letters are not changed
Intrusion Handling
Restoring the system to comply with the site security policy and taking any actions against the attacker that the policy specifies
Sensitivity - Asset Characterization
Restricted or Unrestricted
Denial of Service (DoS)
Results in downtime or the inability of a user to access a system. A coordinated attempt to deny service by occupying a computer with large amounts of unnecessary tasks. This excessive activity makes the system unavailable to perform legitimate operations.
Asset Characterization
Sensitivity and Criticality
Scanning Defenses - Protection against malware
Signatures & Behavior-based
Multi-factor Authentication
Something you know, Something you have, Something you are
Concealment
Stealth viruses, Encrypted viruses, Polymorphic viruses, Metamorphic viruses
Recovery
Stop the attack, and assess and repair damage. Retaliation - stop and capture attackers.
LAN-to-WAN Domain of IT Infrastructure
The LAN-to-WAN Domain is where the IT infrastructure links to a wide area network and the Internet. Network applications use two common transport protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
Systems/Applications Domain in IT Infrastructure
The System/Application Domain holds all the mission-critical systems, applications, and data
Phishing
The act of impersonating a legitimate entity, typically a web site associated with a business, in order to obtain information such as passwords, credit card numbers, and other private information without
Social Engineering
The art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. At its core, social engineering is the building and leveraging of influence in order to persuade others to act as you want them to. Attack vectors: - On the phone = Vishing - a social engineering approach that leverages voice communication - In the office - Online, including email and fraudulent web pages = Phishing - the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers
Cryptanalysis
The breaking of codes
Information Systems Security
The collection of activities that protect the information system and the data stored in it
Risk
The likelihood that something bad will happen to an asset. Examples: - Losing data - Losing business because a disaster has destroyed your building - Failing to comply with laws and regulations
Repudiation of Origin
The originator/sender of the message/data/file denies that they are the sender
User Domain of IT Infrastructure
The people who access an organization's information system
Asset Lifecycle
The phases that an asset goes through from creation (collection) to destruction: Planning, Acquiring, Deploying, Managing, and Retiring
Clear/Plaintext
The readable original message
Digital Forensics
The science of identifying and analyzing entities, states, and state transitions of events that have occurred or are occurring
Attack Surface
The set of entry points and data that attackers can use to compromise a system
Ways to avoid social engineering attacks
Training / vigilance, Separation of duties / extra process controls, Test your incident response and test phish
Computer Virus
When the Trojan horse can propagate freely and insert a copy of itself into another file, it becomes a ...
Encryption files on disk
Whole disk, whole volume/partition, files (pgp or gpg)
Procedure - Policy Framework
Written instructions for how to use policies and standards
Assets - Information Security
You need to know what you have in order to protect it! Resources or information to be protected.
What is an attack?
a sequence of actions that create a violation of a security policy
What is a multi-stage attack?
an attack that requires several steps to achieve its goal
What is a threat?
any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. Threats arise from human actions and natural events
Insider Threat
Can occur from an employee, contractor, or trusted person within the organization. A malicious danger to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
Compliance Laws and Regulations
create (expensive) requirements to which corporate security must respond, e.g. documentation, identity management, etc.
File deletions usually...
don't remove the data, but wiping files secures the deletion
What is a goal?
is that which the attacker hopes to achieve
What is a vulnerability?
its security procedures, internal controls, or design and implementation, which could be exploited to violate the system security policy
What is a target?
of an attack is the entity that the attacker wishes to affect