CD5102 Cyber Security
How can identity theft be prevented?
- Education: how to manage sensitive data online
- Shred documents containing personal information
- Report suspicious activities found on statements
- Ensure home network is secure
- Ignore phishing emails
What are the aims of counter strategies?
- Eliminate risk
- Reduce risk to an acceptable level
- Limit damage from a risk
- Compensate the damage
What issues may arise from using honeypots?
- False positives
- Breach of legal/ethical policy
- Single computer may not be attacked
- Honeypot may be compromised to launch attacks
- Attacker may try other attacks if they detect the honeypot
What types of malware primarily possess the concealment trait?
- Rootkits: software tools used by an attacker to hide actions or presence of other types of malicious software. E.g. hide/remove log entries
What is rule-based access control?
- Rules define what is allowed, e.g. firewall rules, parental controls
How does an attacker use spam during social engineering?
Spam: unsolicited emails
- Often contains nonsense text to appear legitimate
- May use images of text to circumvent text-based filters
What are subjects and objects?
Subjects: users or groups that will access an object
Objects: a file, folder, printer, or other asset which subjects may want to access
What is cyber crime?
Criminal activity using an electronic device.
What is malware?
Software that is intended to damage or disable computers and computer systems.
- Enters a computer system without the user's knowledge or consent
- Uses a threat vector to deliver a malicious payload that performs a harmful function once invoked
What are some characteristics of cyber attacks?
Each threat (goal) is paired with the security control that counters it:
- Masquerade: Authenticity
- Interception: Confidentiality
- Capture: Non-Repudiation
- Identity Theft: Identification
- Modification: Integrity
- Interruption: Availability
- Escalation: Authorisation
- Covering Tracks: Accountability
What is a social engineering attack?
- A means of gathering information for an attack by relying on the weaknesses of individuals.
What is clickbait?
- A text or thumbnail link designed to entice users to view online content.
- Headlines typically aim to exploit the "curiosity gap", providing information to make users curious but not enough to satisfy their curiosity without reading the content
What are romance scams?
- Aim to gain trust of victims, then request money or personal details
How can machine learning be used to classify clickbait ads?
- Analyse the titles
- Analyse redirection URL and destination URL
- Analyse domains of clickbait websites
- Analyse content length of clickbait webpage
What does a risk management plan consist of?
- Analyse various risks based on impact of threats and vulnerabilities
- Rate risks according to priority
- Prepare a risk treatment plan using risk ratings and identify possible controls
What is meant by risk assessment?
- Based on the security policy, the assets intended to be secured, and the current system
- Controls are intended to reduce or eliminate risks to assets
- Risks are determined based on threats and vulnerabilities to assets
- Need to determine the real and potential value of an asset in addition to predicting likelihood of loss
What is meant by group policy?
- Central point of administration
- Implemented on a Windows domain controller
- Security settings affect all computers and users in a domain
What are the features of research honeypots?
- Collect compact amounts of high value information
- Discover new tools and tactics
- Understand motives and behaviour of attackers
- Develop analysis and forensic skills
- Tend to be more complex
What types of malware primarily possess the payload capabilities trait?
- Collect data: Spyware, Key logger
- Delete data: Logic Bomb
- Modify system security settings: Backdoor
- Launch attacks: Bot
What actions do worms perform?
- Consume system resources
- Leave behind a payload to harm infected systems
What is meant by account management?
- Creating, managing, disabling, or terminating user accounts
Centralised:
- Single point of administration, e.g. Windows domain controller using LDAP
Decentralised:
- Accounts stored on each workstation locally, e.g. Windows workgroup
What are the aims of counter measures?
- Define security policies based on risks
- Implement security policies
- Define security roles and processes
What are the types of online advertising?
- Display ads: floating banners, text, static images, popups
- Social media ads: ads promoted via social media, e.g. Facebook, Twitter, Instagram, Pinterest
- Search Engine Marketing (SEM): ads based on keyword searches
- Native advertising: presents ads in a format that resembles the content of the website, e.g. in-feed, promoted ads
What are the common features of fake websites?
- Does not use HTTPS
- Domain name includes dashes instead of periods
- Company name similar to authentic company
- Poorly designed website
- Suspiciously low prices
What techniques are used in physical social engineering?
- Dumpster diving: digging through trash to find information that can be useful in an attack. A variation is using Google to search for documents and data online (i.e. Google dorking)
- Tailgating: following behind an authorised individual through an access door
- Shoulder surfing: watching an authorised individual enter a security code
What is discretionary access control?
- Each object has an owner
- Owner assigns access rights at their discretion
  * used in Windows computers that are not in a corporate domain
What are some security controls that can be used to reduce exposure?
- Firewalls: establish network perimeter defences, particularly web proxy and filtering and firewall policies. These can detect and block executable downloads, block access to known malicious domains, and prevent users' computers communicating directly with the internet.
- Malware protection: establish and maintain defences to detect and respond to known attack code.
- Patch management: patch known vulnerabilities with the latest version of software to prevent attacks which exploit software bugs.
- Whitelisting and execution control: prevent unknown software from being able to run, e.g. AutoRun on USB drives.
- Secure configuration: restrict functionality of every device, OS and application to the minimum needed for business functions.
- Password policy: set and enforce an appropriate password policy, e.g. minimum length and complexity.
- User access control: enforce the principle of least privilege: only give the minimum permissions needed.
What are the five aims of a risk assessment?
- Focus: on key assets
- Protect: against likely threats
- Prioritise: future actions
- Balance: cost with benefits
- Identify/justify: appropriate security measures
How could you mitigate the affect stage?
- Good understanding of what constitutes 'normal' activity on the network, and network monitoring capable of identifying unusual activity
- Full defence-in-depth strategy
What information could a honeypot provide?
- IP addresses of attackers: block to prevent future attacks
- Vulnerabilities: to patch
- Source code: to analyse
Where may honeypots be located?
- In front of the firewall
- Behind the firewall (Intranet)
- Demilitarized zone (DMZ)
Why cyber security?
- Increasing complexity of network infrastructure
- Decreasing skill level required to exploit a system
- Impact of security breaches on corporate assets
- Increased number of network applications
What are examples of technical controls?
- Least privilege: users have the minimum permissions needed to perform business functions
- Antivirus software: scans for and removes viruses
- Intrusion Detection Systems (IDS): monitor a network or host for network-based threats
- Firewalls: restrict network traffic with rules
What is meant by account access review?
- Log and audit times of logon and logoff
- Detect password-guessing attacks
- Monitor remote access logins
What is mandatory access control?
- Most restrictive
- Subjects and objects are classified by a higher authority, e.g. top secret, secret, confidential, unclassified
  * used by the military
- Top secret data must remain on authorised devices and only be seen by cleared personnel
What are client honeypots?
- Not a server waiting to be attacked
- A client that actively crawls the web visiting servers (i.e. web browsing)
- Can detect changes in the sandbox environment
- Changes are analysed for vulnerability assessment
What is a targeted attack?
- Organisation is singled out because the attacker has a specific interest in the business or has been paid to target it
- Often involves extensive preparation to find the best way to exploit the system
How could you mitigate the breach stage?
- Patch management: ensures patches are applied at the earliest opportunity, limiting time exposed to known software vulnerabilities
- Malware protection: detect known malicious code in an imported item, e.g. email
- User access controls: restrict the applications, privileges and data that users can access
- Secure configuration: remove unnecessary software and default user accounts. Change default passwords and disable automatic features that could immediately activate malware.
- Capability to monitor network activity and to analyse it to identify any malicious or unusual activity
- User training and education: reduce the likelihood of social engineering being successful
What are some techniques used in un-targeted attacks?
- Phishing: sending emails to large numbers of people asking for sensitive information or encouraging them to visit a fake website
- Waterhole: setting up a fake website or compromising a legitimate one in order to exploit visiting users
- Ransomware: may include spreading disk-encrypting extortion malware. Requests money in exchange for allowing the user access to their system
- Scanning: attacking wide swathes of the Internet at random
What are the functions of controls?
- Preventative: prevent an incident from occurring
- Detective: detect when a vulnerability has been exploited
- Corrective: reverse the impact of an incident after it has occurred
What are the considerations of quantitative risk analysis?
- Probability of an event occurring and the likely loss should it occur
- Annual rate of occurrence (ARO): educated guess of the likelihood of a threat occurring
- Exposure factor (EF): educated guess of the loss to an asset from a particular defined threat
- Single loss expectancy (SLE): asset total value * EF
- Annual loss expectancy (ALE): SLE * ARO
  * what monetary loss can be expected on average to assets over a year
  * good technique to deal with risks which occur frequently
What are the two types of honeypots?
- Production honeypot
- Research honeypot
What techniques are used in psychological social engineering?
- Psychological approaches: to persuade the victim to provide information or take action. Attackers may:
  * provide a reason
  * project confidence
  * use evasion and diversion
- Techniques include: impersonation, phishing, spam, hoaxes, watering hole attacks
How could you mitigate the survey stage?
- Published information should be filtered before it is released (e.g. removing metadata, sensitive data)
- User training and awareness:
  * users should understand how published information can reveal potential vulnerabilities
  * awareness of the risks of discussing work-related topics on social media
  * training on how to identify phishing emails
- Secure configuration: minimise the information that Internet-connected devices disclose about their configuration and software versions; ensures they cannot be probed for vulnerabilities
What is mass market scam mail (MMSM)?
- Receive a letter or email claiming you have won a prize
- Requests personal details to claim the prize
What are the four access control models?
- Role-based access control (RBAC)
- Rule-based access control (RBAC)
- Discretionary access control (DAC)
- Mandatory access control (MAC)
What are examples of preventative controls?
- Security guards: attacker is less likely to attempt social engineering and succeed.
- Change management: all changes must go through a change management process. Prevents ad-hoc configuration errors.
- Account disablement policy: deactivate employee accounts when terminated.
- System hardening:
  * make the system more secure than the default configuration
  * remove/disable unnecessary services and protocols
  * patches and updates
  * enable firewalls
What are the types of launch attacks?
- Spamming: botnets enable an attacker to send large amounts of spam, e.g. via email
- Spreading malware: botnets can download and execute a file sent by an attacker
- Manipulating online polls: each bot has a unique IP, so each vote will have the same credibility as a real person
- Denying services: botnets can flood a web server with thousands of requests to overwhelm it so that it cannot respond to legitimate requests
What are some techniques used in targeted attacks?
- Spear-phishing: sending emails to targeted individuals that may contain an attachment or link that downloads malware
- Deploying a botnet: to deliver a DDoS attack
- Subverting the supply chain: attack equipment or software being delivered to the organisation
What are the considerations of building a honeypot?
- Specify goals
- Select implementation strategies (types, number, locations, deployment)
- Implement data capture
- Log and manage data
- Mitigate risk
- Mitigate fingerprinting
What are the stages of cyber attacks?
- Survey: investigating and analysing available information about the target to identify potential vulnerabilities
- Delivery: getting to the point in a system where a vulnerability can be exploited
- Breach: exploiting the vulnerability to gain some form of unauthorised access
- Affect: carrying out activities within a system that achieve the attacker's goal
- Maintain access: creating an access route for future visits
- Covering tracks: removing evidence of the attacker's presence
What techniques do armored viruses use to avoid detection?
- Swiss cheese infection: virus injects itself into executable code. Virus code is "scrambled" to make detection difficult.
- Split infection: virus splits into several parts.
- Mutation: viruses that mutate or change.
What are the types of controls?
- Technical: uses technology to reduce vulnerabilities
- Management: primarily administrative
- Operational: ensure that daily operations comply with the security plan
What is the dilemma of security?
- Too much security might make access hard to get, and people will stop using the system
- Too easy an access protocol might provide a security hole for the network
What types of malware primarily possess the infection trait?
- Trojans
- Ransomware
- Crypto-malware
What are the common features of phishing emails?
- Unfamiliar sender address
- Attachments
- Generic greetings
- Request for urgency
- Unsolicited contents
What actions do viruses perform?
- Unloads a payload to perform a malicious action, e.g. corrupt files, system crash
- Reproduces itself by inserting its code into another file on the same computer
How could you mitigate the delivery stage?
- Up-to-date malware protection: may block malicious emails and prevent malware from being downloaded from websites
- Firewalls and proxy servers: can block insecure or unnecessary services and maintain a list of known bad websites
- Technically enforced password policy: prevent users from setting weak passwords. Lock accounts after a specified number of attempts
- Additional authentication measures for access to highly confidential information
- Secure configuration: limit system functionality to the minimum needed for business operations; apply to every device that is used to conduct business
What is role-based access control?
- Users are grouped into roles
- Rights and permissions are assigned to roles
  * commonly used in Windows domains
What types of malware primarily possess the circulation trait?
- Viruses
- Worms
What are examples of corrective controls?
Active IDS:
- Detects attacks and modifies the environment to block them
Backups and System Recovery:
- Ensures lost data can be recovered
- Restores damaged systems to operation
What is crypto-malware?
A form of ransomware which encrypts all files on the device.
What is a worm?
A malicious program that uses a computer network to replicate. Worms exploit a vulnerability in an application or OS.
What is meant by risk analysis?
A means to determine the real and potential value of an asset.
What is a demilitarized zone (DMZ)?
A physical or logical subnet that separates an internal LAN from other untrusted networks. External-facing servers, resources and services are located in the DMZ; so, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This restricts the ability of hackers to directly access internal servers and data via the internet.
What is a Trojan Horse attack?
A program that seems legitimate but is actually malicious code that releases a virus when executed.
What is shoulder surfing?
A social engineering attack in which the attackers obtain confidential information by looking over somebody's shoulder to read what's on their computer screen or to observe what they're typing.
What are the elements of security?
A state of information in which the possibility of exposure, theft, tampering or disruption is kept to a minimum
- Confidentiality: the concealment of information
- Integrity: the trustworthiness of data
- Availability: the ability to use the information or resource
What is meant by implicit deny regarding access controls?
A user not on the list gets no access.
What is a vulnerability?
A weakness of the system through which a threat can be realised.
What is a threat?
Any circumstance or event with the potential to cause harm to a system.
What is an un-targeted attack?
Attackers randomly target as many devices, users, or services as possible. They are not concerned about who the victim is as there will be several machines or services with vulnerabilities.
What may occur during the survey stage of a cyber attack?
Attackers seek technical, procedural or physical vulnerabilities which can be exploited. They may use the following to collect information about the target:
- Open source information (e.g. social media)
- Domain name management/search services
- Network scanning tools
- Social engineering
User error can also reveal information:
- Releasing information about the organisation's network on a technical support forum
- Neglecting to remove metadata from documents, e.g. software version, author
What may occur during the delivery stage of a cyber attack?
Attackers seek to position themselves to exploit an identified or potential vulnerability. This may include:
- Attempting to access an organisation's online services
- Sending an email with a link or attachment containing malware
- Creating a false website
- Giving away an infected USB drive
Attackers must select the best delivery path for malware or commands.
What may occur during the covering tracks stage of a cyber attack?
Attackers will look to erase any evidence of their presence in the system, to minimise the risk of identification or of increased security on the part of the organisation, which would make future attacks more difficult. This may include erasing system logs.
What are examples of operational controls?
Awareness and Training:
- Maintain password security
- Clean desk policy
- Understand phishing and malware
Configuration Management:
- Record performance baselines
- Change management
Contingency Planning:
- Prepare for outages
Physical Protection:
- Door locks
- Cameras
How can honeypots for email be used?
Email routing:
- can look like an email relay
- determine where mail is coming from
- learn the address credibility/reputation
Spam detection:
- unused/unpublished email address
- not expecting to have mail
- mail that arrives is analysed for signature detection
How does an attacker use hoaxes during social engineering?
Hoaxes: a false warning
- Often claim to come from the IT department
- Try to get victims to change configuration settings to allow the attacker to compromise the system
How may honeypots capture information?
Host-based:
- Keystrokes
- Syslog
Network-based:
- Firewall
- Sniffer
- IP addresses, not resolved to names
What is a honeypot?
Decoy systems that are designed to lure a potential attacker away from critical systems. They can divert an attacker, collect information about the attacker's activity, encourage the attacker to stay on the system long enough for administrators to respond.
How does an attacker use impersonation during social engineering?
Impersonation: attacker pretends to be someone else, e.g. IT support, colleague.
- Will often impersonate a person with authority, as victims will generally resist saying no
How are honeypots classified?
Level of interaction:
- High
- Low
Implementation:
- Virtual
- Physical
Purpose:
- Production
- Research
What is least privilege?
Limiting access to information based on what is needed to perform a job function using access controls.
How does an attacker use phishing during social engineering?
Phishing: sending an email claiming to be from a legitimate source.
- Attempts to trick the user into giving private information
Variations include:
- Spear phishing: targets specific users
- Whaling: targets authority figures
- Vishing: uses a telephone call instead of email
What are the types of honeypot implementation?
Physical:
- real machines
- own IP addresses
- often high interaction
Virtual:
- simulated by other machines that:
  * respond to traffic sent to the honeypots
  * may simulate multiple virtual honeypots simultaneously
What levels of interaction may a honeypot feature?
Low interaction:
- simulates some aspects of the system
- easy to deploy, minimal risk
- lower resource requirement
- limited information provided by the honeypot
High interaction:
- simulates all aspects of the OS
- more information provided by the honeypot
- can be compromised; higher risk
- more resources required
What is a computer virus?
Malicious code that replicates and executes itself to alter the way a computer operates. It often inserts its own code in the path of the execution of another program. Viruses rely on user actions to spread via files.
What is ransomware?
Malicious software designed to block access to a computer system until a fee is paid.
How can malware be classified?
Malware can be classified by the primary trait it possesses:
- Circulation: spreading rapidly to other systems in order to impact a large number of users
- Infection: how it embeds itself into a system
- Concealment: avoiding detection by concealing its presence from scanners
- Payload capabilities: what actions the malware performs
What is a trojan?
Software that pretends to be a useful program while secretly performing another function. A remote access Trojan (RAT) gives the threat actor remote access to the victim's computer.
What may occur during the maintain access stage of a cyber attack?
Once inside the system, an attacker may look to maintain a presence there to gather as much data as possible. A backdoor may be put in place to provide easy access for future attacks.
What is phase 1 of the risk assessment process?
Preparation and identification:
- Current business practices
- The future
- Identification of assets
- Information value
- Threat assessment
What are the features of production honeypots?
Prevention:
- keep attackers out
- ineffective prevention mechanisms
- deception, deterrence, decoys do NOT work against automated attacks, e.g. worms
Detection:
- detecting the attacker once they infiltrate
Response:
- little to no data pollution
- can be easily pulled offline
- Tend to be low interaction; simple.
What are the considerations of qualitative risk analysis?
Qualitative: threats + impact + likelihood = risk
- Value of asset vs value of security controls
- Widely used
- Determine threats; categories used:
  * availability, privacy
  * integrity/accuracy
  * access control
  * legal
  * identification/authentication
- Impact rating
- Likelihood rating
What is phase 4 of the risk assessment process?
Recommendations:
- Known deficiencies:
  * additional controls recommended to reduce risk to an acceptable level
  * recommend types of controls to use, priority and suggested implementation plan
- Risk management plan:
  * status of security controls
  * assessment of existing controls to produce a report of the risks which can be managed or accepted
  * managerial decision to accept risks status
What is phase 3 of the risk assessment process?
Risk assessment:
- Gap analysis: highlight differences between current and required security architecture
- Risk assessment: assess results of gap analysis
  * produce the level of risk, measured by the probability of compromise to the CIA of the system
  * determine the level of risk by comparing the relationship between threats and known vulnerabilities
What are examples of management controls?
Risk assessments:
- Quantitative risk assessment: uses cost and asset values to determine monetary risk
- Qualitative analysis: categorises and rates risks
Vulnerability assessments
What are examples of detective controls?
Security Audit:
- Examine the security posture of an organisation
- Password audit
- User permissions audit
Video Surveillance:
- Records activity and detects what occurred
What is phase 2 of the risk assessment process?
Security architecture analysis:
- Required security architecture: uses information collected in phase 1 to identify security requirements; each identified threat is matched to a control
- Identification of current security architecture: identify existing controls and policies to determine a baseline
What may occur during the affect stage of a cyber attack?
The activities carried out during the attack will depend on the attackers' objectives. These may include:
- Retrieving sensitive information, e.g. intellectual property, user data
- Making changes for their own benefit, e.g. arranging payments into their bank account
- Disrupting business operations, e.g. overloading the organisation's internet connection
What is identity theft?
The fraudulent acquisition and use of a person's private identifying information, usually for financial gain.
What may occur during the breach stage of a cyber attack?
The harm caused by attackers will depend on the nature of the vulnerability and the exploitation method. It may allow attackers to:
- Make changes that affect system operations
- Gain access to online accounts
- Achieve full control of a user's device
The attacker could pretend to be the victim and use their legitimate access to gain further access to other systems and information.
What is risk?
The likelihood that a threat will exploit a vulnerability, resulting in a loss.
How does an attacker use watering hole attacks during social engineering?
Watering hole attack: malicious attack directed toward a small group of specific individuals who visit the same website