Chapter 17: Information Security
Motivations of Hackers
-Account theft and illegal fund transfer -Stealing personal or financial data -Compromising computing assets for use in other crimes -Extortion -Intellectual property theft -Espionage -Cyberwarfare -Terrorism -Pranksters -Protest hacking (hacktivism) -Revenge (upset employees)
Certificate authority
A trusted third party that provides authentication services in public key encryption schemes
Adversary ROI
Asset value to the adversary minus the adversary's cost -Adversary cost includes not only the resources, knowledge and technology required for the exploit but also the risk of getting caught -Raising the attacker's cost, or lowering the value of what a successful attack can reach, makes a target less attractive
Zero-Day Exploits
Attacks that exploit a vulnerability not yet publicly known or patched (the vendor has had "zero days" to fix it), so security screening systems have no signature or fix for them yet.
Spear Phishing
Attacks that specifically target a given organization or group of users -EX: medical center employees receive an email telling them they have been laid off and directing them to click a link to a "job counseling" site
Shoulder Surfing
Gaining compromising information through observation (e.g. looking over someone's shoulder to obtain a password or proprietary info) -A firm might also be susceptible to eavesdropping, e.g. a device hidden inside a package sitting in the mailroom that scans for open wireless connections or forwards conversations; a compromised wireless network; keylogger or screen-capture malware; rogue hardware devices; the microphones and cameras built into PCs, etc.
Malware and Smartphones
Malware can infiltrate a phone via email, the Internet, MMS attachments, or even Bluetooth -The "Commwarrior" worm spread to 8 countries via MMS and Bluetooth -Most smartphones have layers of security, so hackers look for weaker victims such as jailbroken phones -Any device with a microphone, or with an always-on voice assistant, is also susceptible to eavesdropping (employees dealing with highly sensitive information should be careful)
Collection and resale operations
Market in which data harvesters collect information such as credit card numbers and sell it to cash-out fraudsters, who then use that information for their own financial gain (fraudulent purchases, resale of goods) -EX: the DarkMarket and ShadowCrew websites
Malware (malicious software)
Software that seeks to compromise a computing system without permission -Malware now threatens nearly any connected system running software -Some hackers deliver malware via phishing or even infected USB drives left lying around -Average time to infection for an unprotected PC connected to the Internet: about 5 minutes -Most attacks used to focus on weaknesses in the operating system, but targets have expanded to browsers, plug-ins, and scripting languages -Adobe software (e.g. Flash and Reader) has been a primary means by which hackers try to infect and control PCs, since it is installed on nearly every PC (including Mac and Linux)
White hat hackers
Someone who uncovers computer weaknesses without exploiting them. The goal of the white hat hacker is to improve system security (many firms hire consultants to conduct white-hat penetration tests as audits of their security systems)
Biometrics
Technologies that measure and analyze human body characteristics for identification or authentication (e.g. fingerprint readers, retina/iris scanners, voice and face recognition) -EX: Apple and Samsung devices (but the technology still has a long way to go; a biometric can be spoofed and, unlike a password, cannot be changed once it is compromised)
Voice-Print
Technology that identifies users via unique characteristics in speech
Spoofed (faked)
Term used in security to refer to forging or disguising the origin or identity. E-mail transmissions and packets that have been altered to seem as if they came from another source are referred to as being "spoofed."
True or False: Cybercrime and cyber espionage will cost US economy 2 trillion by 2019
True
True or False: Hackers also route their attacks through chains of compromised computer systems so that their path is difficult for law enforcement to track or follow
True
True or False: Law enforcement agencies dealing with computer crime are outnumbered, outskilled, and underfunded, while organized crime networks even have their own R&D labs
True
True or False: Extortionists leverage botnets and threaten DDoS in order to demand large amounts of payment to avoid retribution
True -The cost of renting a large number of botnet machines for such extortion is also low
True or False: Corporate espionage has been performed by insiders, rivals, and even foreign governments
True -EX: DuPont scientist Gary Min stole an estimated $400 million worth of R&D and trade-secret data -EX: Spies breached the US Joint Strike Fighter program -EX: RSA Security breach: data on the keys used in the firm's commercial authentication tokens was stolen, and hackers then used it to enter the systems of RSA customers -China was the reported origin of a series of attacks against the Google accounts of politicians and activists -EX: The Sony Pictures hack was blamed on the North Korean government, although some have argued it was carried out by insiders -EX: The government of Tunisia tried to shut down Facebook accounts that were critical of the regime -EX: An upset employee caused the San Francisco city government to lose control of its own computer network
True or False: Most firms don't know what they need to protect or where their data is stored
True -Only 33% kept an accurate inventory of where their data is stored, and only 24% knew which third parties used their customer data -Risk assessment: it is also important that firms assess how vulnerable they are to various risks and make the right investments accordingly (you cannot protect what you have not inventoried)
True or False: Security is just as much about people, process, and policy as it is about technology
True -People: the security function requires expertise (operations employees monitor systems, R&D staff track emerging threats, and the team should include representatives from specialized security and audit groups) -Processes and policies: include education and awareness; policy compliance should be audited, both announced and by surprise; firms can also run white-hat demonstration attacks (e.g. internal phishing tests)
True or False: Because modern information systems have so many interrelated components, there is a large attack surface for potential infiltration
True (Users/admin, physical threats, network, client vulnerabilities, computing hardware, server software...)
True or False: Most organizations don't document enforcement procedures in security policies
True -More than 1/3 do not audit user compliance with security policies -Only 48% measure the effectiveness of their security policies annually
Cyberwarfare
Use of technology as a weapon by terrorists or foreign powers to attack or disrupt a nation (e.g. shutting down infrastructure such as oil refineries and power grids) -EX: hacks on Brazil have reportedly cut off electric power -EX: Spring 2018: a cyberattack on a third-party communications provider cut off electronic communications for 7 US pipeline firms
Multi-factor Authentication
When identity is proven by presenting more than one item of proof of credentials; the factors typically combine something you know (a password) with something you have (a unique code sent by email or mobile phone text, a code from an authenticator app, a swipe or tap card) or something you are (a biometric reading such as a fingerprint or iris scan) -Not foolproof: MFA has been bypassed by hackers who broke into Google and JP Morgan, and codes sent by text can be intercepted -Other firms use one-time (single-use) passwords, which are useless to an attacker who captures one after it has been used
Goals of Malware
-Botnets or zombie networks: large numbers of secretly compromised computers controlled remotely by a central command (used for crimes where a pool of hard-to-trace PCs is useful: click fraud, sending spam, dictionary password attempts, DDoS, even mining bitcoin or solving CAPTCHAs) -Malicious adware: programs installed without full user consent or knowledge that later serve unwanted ads -Spyware: software that secretly monitors user actions or network traffic, or scans for files -Keylogger: software (or a hardware dongle) that records keystrokes -Screen capture: a variant of the keylogger approach; software that records the pixels on the user's screen for later playback, in the hope of identifying proprietary info -Card skimmer: a program (or tampered reader) that secretly captures data from a swipe card's magnetic stripe -RAM scraping or storage-scanning software: malicious code that scans computer memory or disks for sensitive data, looking for patterns like credit card or Social Security numbers -Ransomware: malware that encrypts a user's files (perhaps threatening to delete them) and demands payment for the user to regain control of the data or device -Blended threats: attacks that combine multiple malware or hacking techniques
Passwords
-Most users reuse a few passwords for everything (the typical web user has 6.5 passwords, each used on four sites on average); when sites require password changes, users make minor tweaks, and they store passwords in unsafe places; "secret question" answers are often easy to guess or can be found online -Many vendors ship software with well-known default accounts and passwords -If users open up their systems (e.g. turning on file sharing on a PC) they become vulnerable -Websites are demanding stronger passwords; passwords built from the initials of a memorable phrase (acronym-based) resist dictionary attacks, which try lists of common words and their usual variations
Data Breach Statistics
-Only 5% of retailers discover breaches through their own monitoring -Average cost of a data breach per year: $11.7 million -Average time to identify a breach: 201 days -Average time to resolve a breach: 70 days -Annual breach costs worldwide: $600 billion -Victims include the health insurer Anthem and the US Office of Personnel Management
Heartland Breach
-Heartland handled the transfer of funds between retailers and financial institutions (5th largest payment processor) -100 million cards were compromised (the stock tanked) -Although Heartland had passed its compliance audits, it was still not secure (compliance does not equal security) -Since then it has worked on "cradle-to-grave" (end-to-end) encryption that protects card data from the moment of payment through settlement, so a compromised point-of-sale terminal or network link sees only ciphertext
Security Improvement for Electronic Payment (Apple Pay)
-Tokenization: a one-time-use representation of the credit card is sent over the network instead of the real card number, so it cannot be reused if stolen -Biometrics (Touch ID fingerprint or Face ID) add a second authentication factor at the time of purchase -A unique device identifier means transactions can only originate from authorized devices, and banks must verify the card when it is first added to a device
Technology's role in protective measures
1. Patch: firms must be vigilant and install software updates (patches) to plug known holes; hackers increasingly target applications, yet organizations take twice as long to patch applications as operating systems (patches can occasionally cause problems, so test them, but apply them)
2. Lock down hardware: to maintain stricter control, many firms issue standard hardware and system images (preventing unapproved software installation, forcing files to be saved to hardened servers, periodically re-imaging end-user PCs to wipe out any malware, disabling boot from removable media, disabling Wi-Fi, requiring VPN encryption; the cloud also helps, as firms may have employees run virtual PCs) -Particularly important for financial services firms, law offices, health care providers, etc.
3. Lock down the network: network monitoring (firewalls to permit or block network access, intrusion detection systems, honeypots to distract attackers, identifying the IP address of an intrusion, deploying blacklists or whitelists)
4. Lock down partners: insist that partners are compliant and audit them; many firms build security expectations into service level agreements (SLAs)
5. Lock down systems: audit for SQL injection and other application exploits; monitor audit trails of data access (log who accessed which assets, when, and from where); single sign-on backed by one very strong password and a second factor; key systems should require multiple administrators to control them, so no one person holds all the keys
6. Have a failure and recovery plan: more and more firms are coming forward, or are legally obligated, to disclose data breaches, so awareness is being raised
Major security practices for individuals to consider:
1. Surf smart: question links, download requests, and the integrity of a site before you click or visit; avoid suspicious emails; don't access confidential information on public machines; be on guard
2. Stay vigilant: question both computer use and personal interactions (social engineering works on people, not machines)
3. Stay updated: turn on automatic update features for the OS and applications
4. Stay armed: install full security software (increasingly built into operating systems and browsers, and deployed at the ISP level)
5. Settings smart: don't turn on risky settings like file sharing that may let hackers drop malware; secure home networks with a password and firewall; encrypt hard drives; enable phone location and remote-wipe features; don't click "remember me" or save passwords on public machines; on public hotspots use a VPN to encrypt transmissions
6. Password smart: change default passwords on new products; update passwords; use different passwords for different sites; don't save passwords in unsecured files or notes
7. Be disposal smart: shred personal documents; wipe hard drives before recycling or discarding them (deleted files can be recovered); destroy media holding sensitive info; erase USB drives
8. Back up: back up data so that hardware failure (or ransomware) can't ruin your files; use either cheap plug-in hard drives or an off-site backup service over the Internet
9. Check with your administrator: use the resources provided by your organization
Methods of Infection of Malware
1. Viruses: programs that infect other software or files; a virus requires an executable (a running program) to spread, attaching itself to other executables -Can spread via the operating system or the boot/autorun feature of removable media -Some applications have executable languages (macros) that can host viruses which run and spread when the file is opened
2. Worms: programs that exploit a security vulnerability to spread automatically, without needing a host executable or any user action -Some worms scan for and install themselves on vulnerable systems with incredible speed
3. Trojans: exploits that try to sneak in by pretending to be something they are not; the user is tricked into installing the malware (often via phishing)
_____________ of loss-causing security incidents involve insiders (Bad Apples)
70% -Firm employees, temporary staff, contract employees the firm hires, or the staff of outsourcers running key components of the infrastructure (Edward Snowden was an NSA contractor) -Even cleaning or security staff with physical access
Black hat hackers (crackers)
A computer criminal who exploits computer weaknesses for nefarious or illegal activity
Hacktivists
A protestor seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage -EX: social media sites were brought down when Russian hacktivists tried to silence the accounts of a single Georgian blogger; their DDoS collaterally took down the whole site
Honeypots
A seemingly tempting, but bogus target meant to draw hacking attempts. By monitoring infiltration attempts against a honeypot, organizations may gain insight into the identity of hackers and their techniques, and they can share this with partners and law enforcement.
Firewalls
A system that acts as a control for network traffic, blocking unauthorized traffic while permitting acceptable use
Intrusion Detection Systems
A system that monitors network use for potential hacking attempts; Such a system may take preventative action to block, isolate, or identify attempted infiltration, and raise further alarms to warn security personnel.
Hacker
A term that, depending on the context, may be applied to either 1) someone who breaks into computer systems, or 2) to a particularly clever programmer (can have both positive and negative connotation)
Public Key Encryption
A two-key system used for securing electronic transmissions: one key, distributed publicly, is used to encrypt data (lock it) but cannot unlock it; unlocking can only be performed by the matching private key -The private key cannot feasibly be derived from the public key (doing so would require solving a problem such as factoring a very large number) -By distributing the public key while keeping the private key secret, an Internet service can ensure that transmissions to its site are confidential -Used by most websites that deal with financial transactions; the site's public key is delivered in a certificate signed by a certificate authority -If the web address begins with https instead of http, the connection is encrypted; look for the padlock icon in the browser -Check the certificate: the name it was issued to should match the site's domain, and it should chain to a certificate authority the browser trusts (a padlock only proves you have an encrypted channel to whoever holds that certificate, not that the site is legitimate)
Captchas
An acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart"; the scrambled character images many sites require before accepting a submission (account setup, ticket buying). They are meant to be a Turing test: a test to distinguish whether a task is being performed by a computer or a human
Brute Force Attacks
An attack that exhausts all possible password or key combinations in order to break into an account. The larger and more complex a password or key, the longer a brute-force attack takes, since each extra character multiplies the search space by the size of the alphabet. -The largest known brute-force demonstrations have not come close to breaking the type of encryption browsers use when communicating with banks
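The difference between a brute-force attack and the dictionary attack mentioned under Passwords is easiest to see in code. The block below is an added example, not code from the chapter: the wordlist, the "minor tweak" suffixes, the target passwords and the 10^10 guesses-per-second rate are all constructed assumptions, and SHA-256 stands in for a stored password hash (a real system should use a salted, deliberately slow hash such as bcrypt or Argon2).

```python
import hashlib
import itertools
import string

# Constructed stand-in for a leaked-password wordlist (real lists hold millions of entries).
WORDLIST = ["password", "welcome", "letmein", "sunshine", "dragon", "qwerty"]
# The "minor tweaks" users make when forced to change a password; crackers try these too.
SUFFIXES = ["", "1", "12", "123", "!", "2019", "!1"]
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def sha256_hex(text: str) -> str:
    """Stand-in for the stored hash of a password."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Dictionary words plus cheap mutations: capitalised, leet-speak, common suffixes."""
    for word in wordlist:
        bases = {word, word.capitalize(), word.replace("a", "@").replace("o", "0")}
        for base in sorted(bases):
            for suffix in suffixes:
                yield base + suffix


def dictionary_attack(target_hash: str, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Return the password if it is a dictionary word (or a tweak of one), else None."""
    for guess in candidates(wordlist, suffixes):
        if sha256_hex(guess) == target_hash:
            return guess
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Exhaustive search over every string up to max_len; feasible only for tiny spaces."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if sha256_hex(guess) == target_hash:
                return guess
    return None


def keyspace(length: int, alphabet: str = FULL_ALPHABET) -> int:
    """Number of strings of exactly `length` characters; each extra character multiplies it."""
    return len(alphabet) ** length


def years_to_exhaust(length: int, guesses_per_second: float, alphabet: str = FULL_ALPHABET) -> float:
    return keyspace(length, alphabet) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # A tweaked dictionary word falls instantly; an acronym of a phrase is not in any wordlist.
    print(dictionary_attack(sha256_hex("Welcome123")))    # Welcome123
    print(dictionary_attack(sha256_hex("Ihb2tmb,5y!")))   # None
    print(brute_force(sha256_hex("ab1"), "abc123", 3))    # ab1
    # Assumed attacker speed of 10^10 guesses per second: 8 chars take days, 12 chars take ages.
    print(years_to_exhaust(8, 1e10), years_to_exhaust(12, 1e10))
```

The dictionary attack tries a few hundred guesses and wins against "Welcome123" because that password is a word plus a predictable tweak; the acronym password forces the attacker back to the full keyspace, where length, not cleverness, decides the outcome.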
Key
The secret value (a string of bits) that locks or unlocks encrypted data; the security of a cipher rests on keeping the key secret, not on hiding the algorithm.
Dumpster Diving
Combing through trash to identify valuable assets that can be stolen or used to launch a security attack -EX: discarded passwords, unshredded printed account listings, files recovered from discarded hard drives...
Phishing
A con executed using technology, typically aimed at acquiring sensitive information or tricking someone into installing malicious software -Leverages the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information -EX: a fake security alert from a bank or e-commerce site ("reset your password"), a message from an employer, or a notice from the government, mimicking logos, layout, and language -Might also trick the user into downloading malware that records passwords, copies data, gives hackers access, or makes the computer part of a botnet (e.g. "install this Adobe Flash update") -Costs an estimated $3.2 billion per year -Firms create blacklists that block harmful websites and screen for common tactics -Sender addresses in email can be spoofed, so a familiar "From" line proves nothing -Know how to read a complete URL: the host is the part between "://" and the next "/", and the domain that matters is at the end of it (accounts.example.com belongs to example.com, but example.com.evil.net belongs to evil.net) -Hover the cursor over a link to reveal the actual URL behind the displayed text -Social media makes phishing easier, since malware can send messages that appear to come from trusted friends and messages carry less context -Holes in social media code can create entry points for hackers
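The "read the complete URL" and "hover to see the real link" advice can be turned into a check. The function below is an added example, not code from the chapter: it compares the text a user sees with the `href` the link actually points to and flags the three classic tricks (a fake "host" before an `@`, the trusted name buried as a subdomain of an attacker's domain, and a lookalike domain). The sample links are constructed, and the `registrable_domain` helper assumes simple two-label domains; production code would consult the Public Suffix List.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a hostname: the last two labels.
    Assumption: simple TLDs; real code should use the Public Suffix List so that
    names such as bank.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url_or_host(text: str) -> bool:
    """Only compare displayed text to the destination when the text itself shows a host."""
    return "." in text and " " not in text.strip()


def assess_link(display_text: str, href: str, trusted_domain: str) -> list:
    """Return red flags for a link as it appears in an email.
    display_text: what the reader sees; href: where the link really goes."""
    flags = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("no-https")
    if parts.username is not None:
        # https://paypal.com@evil.example : everything before '@' is userinfo, not the host
        flags.append("userinfo")
    if registrable_domain(host) != trusted_domain.lower():
        # catches paypal.com.evil.example (subdomain trick) and paypa1.com (lookalike)
        flags.append("wrong-domain")
    if looks_like_url_or_host(display_text):
        shown = display_text if "://" in display_text else "https://" + display_text
        shown_host = urlsplit(shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            flags.append("text-mismatch")
    return flags


if __name__ == "__main__":
    # Constructed links: a genuine one followed by three phishing patterns.
    print(assess_link("https://www.paypal.com/login", "https://www.paypal.com/login", "paypal.com"))
    print(assess_link("https://www.paypal.com/login", "http://paypal.com.evil.example/login", "paypal.com"))
    print(assess_link("paypal.com", "https://paypal.com@evil.example/", "paypal.com"))
    print(assess_link("Click here to verify", "https://www.paypa1.com/verify", "paypal.com"))
```

The key point is that `urlsplit(...).hostname` is what the browser will actually connect to; everything a phisher puts in front of it (a familiar brand name, an `@`, extra subdomains) is noise designed to fool the eye, not the parser.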
Social engineering
Con games that trick employees into revealing information or performing tasks that compromise the firm. Methods: -Impersonating management, an end user needing help with systems, investigators, or staff -Identifying an individual by name while pretending to be a friend or co-worker -Making claims with confidence and authority -Baiting someone into adding information that can help the hacker -Using harassment, guilt, or intimidation -Using an attractive individual to charm others and gain favors -Setting off false alarms that cause staff to disable alarm systems -Running fake surveys to collect information -EX: the data aggregator ChoicePoint sold private information to criminals who pretended to be legitimate clients and paid $15 million in settlements (no computers were compromised; the data was simply handed over)
Cash-out Fraudsters
Criminals who purchase assets from data harvesters to be used for illegal financial gain; Actions may include using stolen credit card numbers to purchase goods, creating fake accounts via identity fraud and more
Data Harvesters
Cyber Criminals who infiltrate systems and collect data for illegal resale
Stuxnet
Cyberwarfare effort, suspected to have been launched by US and/or Israeli intelligence, that infiltrated Iran's nuclear enrichment facility and reprogrammed the industrial control software; the computer worm made centrifuges spin at damaging speeds, so the equipment destroyed itself, setting back Iran's nuclear program -Extremely sophisticated (it altered equipment readings so operators saw normal activity) -Contained by design: it targeted specific control systems, each copy would infect only 3 additional machines, and it was set to stop spreading after a fixed date -Similar code was later spotted outside Iran
DDoS
Distributed Denial of Service: an attack in which a firm's computer systems are flooded with thousands of seemingly legitimate requests, and the sheer volume slows down or shuts down the site; often performed via botnets
Target Hack
-Hackers installed malware on Target's point-of-sale payment systems designed to steal the data of every credit card swiped -One of the largest credit card breaches in US history -Target received a number of warnings from its security systems about the unauthorized software, which it could have removed, but ignored them; the hackers collected data on roughly 1/3 of US consumers over two weeks -The network handling credit card transactions was not segmented from the rest of the corporate network -The malware was unsophisticated: the attackers got in using the credentials of one of Target's vendors and disguised the malware as a legitimate program -40 million cards stolen and the personal information of 70 million customers exposed -Profits and transactions fell significantly
___________________ sold on online black market provide tools that interrogate/probe systems for latest vulnerabilities and launch appropriate attacks
Hacking toolkits -Making toolkits is a profitable business -The barrier to entry for carrying out attacks is low
Whitelists
Highly restrictive programs that permit communication only with approved entities and/or in an approved manner
Botnets (Zombie Networks)
Hordes of surreptitiously infiltrated computers, linked and controlled remotely, also known as zombie networks -Used to send spam or stage DDoS attack -Capable of launching 100 billion spam messages a day -Some botnets control 10 million zombie computers
Network Threats
If a network is not secured it can be a source of compromise for a firm -EX: the retailer TJX left a Wi-Fi access point poorly secured, letting thieves steal 45.7 million credit and debit card numbers ($1.35 billion in damages) -Wireless access points are easy and cheap to install, so a rogue one could provide an entry point for anyone -DNS cache poisoning: the Domain Name System (DNS) is the collection of software that maps a domain name to an IP address; if an attacker inserts bogus records into a resolver's cache, users who type the correct address are silently redirected to a replica site that launches malware exploits or harvests credentials
Frameworks and Standards
International Organization for Standardization (ISO) 27000 series (ISO27k): a framework that provides standards for maintaining and improving information security management. Compliance requirements: failure to meet them can result in fines or punishment -HIPAA (Health Insurance Portability and Accountability Act): regulates health data -Gramm-Leach-Bliley Act: regulates financial data -Children's Online Privacy Protection Act: regulates data collection on minors -US government agencies must comply with FISMA (Federal Information Security Management Act) -Most states have their own data breach notification laws -Compliance does not equal security: the goal is to make the firm secure, not merely to take the measures needed to avoid being sued -Re-assess security in M&A deals (an acquired firm's weaknesses become yours)
Heartbleed Bug
A flaw in OpenSSL, the open source SSL/TLS software used by roughly 2/3 of websites and embedded in many Internet-connected devices. The TLS "heartbeat" extension lets a client send a small payload and ask the server to echo it back; the server trusted the client's stated payload length without checking it against the data actually sent, so a request claiming a 64 KB payload while sending a few bytes made the server reply with up to 64 KB of whatever sat in its memory (session cookies, passwords, even private keys) -The flaw was open for two years before discovery, but within days of disclosure the top 1,000 most popular websites had patched -Software embedded in hardware is harder to fix, since such devices are difficult to update
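A small simulation of the heartbeat bug, added here as an example and not taken from OpenSSL or the chapter. It models the heartbeat record layout from RFC 6520 (type, 2-byte length, payload, padding), a pre-fix handler that trusts the declared length, and a patched handler that checks it. The process memory layout and the "secret" next to the record are constructed for the demonstration.

```python
import struct

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding after the payload
SECRET = b"session=4f9c2e; user=alice; password=hunter2"   # constructed, not real data


def build_record(payload: bytes, declared_length: int) -> bytes:
    """Heartbeat message: type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding.
    Letting declared_length disagree with len(payload) is exactly the attacker's move."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_length) + payload + b"\x00" * MIN_PADDING


def sample_memory(record: bytes) -> bytes:
    """Constructed layout (assumption): the incoming record sits right next to session data."""
    return b"\x00" * 8 + record + SECRET + b"\x00" * 8


def vulnerable_response(record: bytes, process_memory: bytes) -> bytes:
    """Pre-fix behaviour: trust the peer's length field and copy that many bytes starting where
    the payload sits in memory, so an inflated length reads past the payload into whatever
    else the process holds."""
    _, declared_length = struct.unpack("!BH", record[:3])
    payload_offset = process_memory.index(record) + 3
    return process_memory[payload_offset:payload_offset + declared_length]


def fixed_response(record: bytes):
    """Patched behaviour: reject any record whose declared length does not fit inside it."""
    hb_type, declared_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 3 + declared_length + MIN_PADDING > len(record):
        return None                     # discard silently, as the patched code does
    return record[3:3 + declared_length]


if __name__ == "__main__":
    benign = build_record(b"ping", 4)
    malicious = build_record(b"ping", 0x4000)      # claims 16 KiB, actually sends 4 bytes
    print(vulnerable_response(benign, sample_memory(benign)))       # b'ping'
    leaked = vulnerable_response(malicious, sample_memory(malicious))
    print(SECRET in leaked)                                         # True: memory leaked
    print(fixed_response(malicious))                                # None: request dropped
```

The whole bug is the missing comparison between the length the peer claims and the length of the data the peer actually sent; the fix is one bounds check before the copy.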
Blacklists
Programs that deny entry or exit of specific IP addresses, products, Internet domains, and other communication restrictions
__________ locks and encrypts infected computers, making them unusable/irrecoverable unless instructions followed (typically payment in untraceable bitcoin)
Ransomware -Spring 2018: Atlanta fell victim to the SamSam ransomware, which disrupted 5 city government departments
Russia's influence of US elections
The Russian government allegedly conspired to influence and alter American opinion during the US elections, favoring Bernie Sanders and Donald Trump, by spreading fake news via fake accounts and social media groups (some of which gained over 100,000 followers)
___________________ technique targets poor programming practice where software developers don't validate user input
SQL injection -Websites are programmed to take what you type into the user ID field, build a database query around it, and execute it -If entries are not validated and are just pasted into the query, any hacker familiar with SQL can type code into the user ID field that instructs the database to add, delete, insert, or return all entries (or redirect users to another website that scans for weaknesses and launches further attacks) -Over half a million SQL injection attempts are identified per day -The fix is to keep data separate from code (parameterized queries) and to validate input; the critical lesson is that all applications must be thoroughly tested (legacy, existing, partner, SaaS, etc.; Microsoft and Visa require partners to apply rigorous testing standards)
Encryption
Scrambling data using a formula known as a cipher so that it is hidden from anyone who lacks the unlocking key -Makes data unreadable to any program that does not have the descrambling key -Sensitive data should be encrypted before being sent or stored, since this dramatically lowers the potential damage from a stolen laptop or a recovered hard drive -Employed in VPNs (virtual private networks), which scramble data passed across a network -Key management is critical: if the keys are not secure, neither is the data; encryption also adds computational overhead and can slow tasks
Equifax Hack
Security breach at Equifax (one of the three leading firms that monitor credit and financial information) -Credit card numbers, Social Security numbers, addresses, and driver's license numbers of about 143 million people in the US were compromised -The attackers entered through a known, unpatched vulnerability in the open source Apache Struts web framework -Equifax's failure to follow its own patching procedures was negligent -Called the most expensive breach in corporate history
Snowden Report
The Snowden disclosures revealed that US government agencies (including the NSA and FBI) ran data monitoring programs, including direct access to audio, video, photographs, emails, documents, and connection logs at nine major US companies (Google, Facebook, Yahoo, Microsoft, Apple, and others) and bulk access to phone records from Verizon -Snowden received temporary asylum in Russia -The US government charged Snowden with espionage and revoked his passport, but he has continued to make appearances remotely -The US claims a search warrant is required, but the FISA court granted the vast majority of warrant requests -Collective losses to US firms (customers avoiding US cloud providers) were projected at $35 billion through 2016