CyberSecurity Exam 1


Attacks may exploit weak points of _____ beyond just technical weak points.

"Business model"

Not every member in an organisation has to become a security expert, but all members should know

- Why security is important for themselves and for the organisation.
- What is expected of each member.
- Which good practices they should follow.

First electronic computers (year)

1940s

Possible dangers for countries

Cyber Warfare, Cyber Vandalism, Cyber Espionage, Cyber Terrorism

Threat

Possible danger

______________________ should be part of the general security strategy.

Security awareness programs

a threat to confidentiality

Unauthorized disclosure

The NIST Computer Security handbook defines computer security as

"The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources" (includes hardware, software, firmware, information/data, and telecommunications).

Start of computer industry (year)

1950s

Software comes into its own. Multi-user systems emerged, needing mechanisms to protect systems from users (year)

1960s

Age of the mainframe. Needing sensitive data protection, access control, encryption (year)

1970s

Age of the PC. Multi Level Security (MLS), information flow, security research, viruses and worms (year)

1980s

Age of the internet. Increased exposure to hostile environments (year)

1990s

Age of the web. The paradise of hackers. Communication security, network security, web security (year)

2000s

Security Charter

A crisp document explaining general rules

What is Cyber Security?

A necessary science for protecting people and their values from security threats over the internet

Denial of Service Case Study (2004)

A worm spread through email and the Kazaa P2P file-sharing platform. It looked like a genuine error message. When opened, it created a denial of service attack on sco.com

attempt to alter system resources or affect their operation

Active attack

An entity that attacks, or is a threat to, a system.

Adversary (Threat Agent)

Starting point of computer security in 1972 dealing with the Air Force.

Anderson report.

Is this system secure?

Asking the wrong question. Need to be more specific about protection requirements, i.e.:
- Protect PC from virus and worm attacks?
- No unauthorized access to corporate LAN?
- Keep sensitive documents secret?
- Verify identity of partners in a business transaction?

An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Attack

Used to analyse how an attack is executed in detail. To get a clear picture of potential threats, attack trees can be constructed.

Attack trees

Possible monetary dangers

Computer Fraud, Phishing, Vishing, Identity theft, Theft of information, Theft of assets

The CIA triad

Confidentiality, Integrity, Availability

An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

Countermeasure

Possible dangers for organizations (Companies, banks, etc)

Cyber Piracy, Denial of Service, Intrusion, Unauthorized access, Disclosure of information, Modification of data

Possible dangers for people

Cyber trolling, Cyber stalking, Cyber harassment, Cyber bullying, Cyber extortion

Reliability

Deals with accidental failures

Masquerade (an attempt by an unauthorized user to gain access to a system by posing as an authorized user), falsification (a student may alter his or her grades on a school database), and repudiation (a user denies sending or receiving data) are threat actions that cause __________ threat consequences.

Deception

a threat to system integrity

Deception

Damages can include:

- Disclosure of information
- Modification of data
- Being unable to do your job because required resources are not available
- Identity spoofing (identity "theft")
- Unauthorised access to services
- Lost revenue
- Damaged reputation
- Theft of equipment
- ...

Security problems can rarely be ______ but they can be ______.

Eliminated, managed.

Availability (As Key security concept)

Ensuring timely and reliable access to and use of information

Telecommunication Fraud

First-generation cell phones transmitted user identifiers unprotected, making them easy to intercept; hackers used them to make long-distance calls that were charged to the user

Integrity (As Key security concept)

Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity

Assets of a computer system

Hardware, Software, Data, Communication facilities and networks

Assets can include

Hardware, Software, Data & Information, Services & revenue, Reputation of enterprise, trust, brand name, Employees' time

initiated by an entity inside the security perimeter

Insider attack

Incapacitation (physical destruction of system hardware), corruption (malicious software operates in such a way that system resources or services function in an unintended manner), and obstruction (disabling communication links or altering communication control information) are threat actions that cause _____ threat consequences

Obstruction

initiated from outside the perimeter

Outsider attack

attempt to learn or make use of information from the system that does not affect system resources

Passive Attack

Confidentiality (As Key security concept)

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

Means used to deal with security attacks

Prevent, Detect, Respond, Recover

Insider Fraud Case Study (1966)

Programmer for bank wrote code to ignore overdrafts in his bank account. Discovered when computer went down and account balances were processed manually.

An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result

Risk

A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

Security Policy

Security

Security deals with intentional failures: there is at some stage a decision by a person to do something he is not supposed to do.

Computer security strategy consists of

Security policy, Security implementation, Assurance, Evaluation

Password Sniffing Case Study (1978)

Student wrote a program for "time sharing" and left it on a flash drive sitting out for curious students to pick up. Upon execution, the program would "crash" and then ask for a username and password, obtaining the user's login information.

Data contained in an information system; or a service provided by a system; or a system capability

System Resource (Asset)

SMS Fraud

Text sent to a number asking the recipient to call back a number; callers were then redirected to a long-distance number and charged for it.

Levels of Impact - Low

The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals

Levels of Impact - Moderate

The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals

Levels of Impact - High

The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

A potential violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

Threat

Identity Fraud Case Study (1971)

Two competing companies with a mutual customer. One company's employee obtains the customer's number that he uses to call companies. He calls the competitor using that number, pretending to be the customer, and requests codes and punch cards to be sent. Discovered when the company asks the customer about these things and the customer has no idea about it.

Possible Dangers for Computer systems

Viruses, Worms, Trojan Horses, Spyware, Adware, Backdoors, Logic bombs, others

Human Attack Surface

Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders

Software Attack Surface

Vulnerabilities in application, utility, or operating system code

Network Attack Surface

Vulnerabilities over an enterprise network, wide-area network, or the Internet

Attack=

a threat carried out

Usability

addresses problems arising from operating mistakes made by users.

Software (as an asset) includes:

applications, operating systems, database systems, source code, object code

a threat to availability or system integrity

disruption

Data & Information (as an asset) includes:

essential data for running and planning your business, design plans, digital content, data about customers, ...

Hardware (As an asset) includes:

laptops, servers, routers, PDAs, mobile phones, smart cards

Something is Unavailable or very slow (Category of vulnerability)

loss of availability

Something is Leaky (Category of vulnerability)

loss of confidentiality

Something is Corrupted (Category of vulnerability)

loss of integrity

Protection of the assets of an organisation is the responsibility of

management.

Attacker only needs to find ________ while developers must find __________

one single weakness / all possible weaknesses

Security requires ______________ monitoring

regular and constant

To decide what to protect you should perform some kind of

risk analysis

Security policies formulate

security objectives

Price paid for security should not exceed

the value of the assets you want to protect.

To be effective, security policies must be supported by ________. They should issue a ________.

top management, security charter

Exposure (intentional releases of sensitive information), interception (a determined hacker can gain access to communication traffic and other data transfers between two persons or entities), interference (adversary gains information from analyzing the network traffic), and intrusion (adversary gaining unauthorized access to sensitive data) cause

unauthorized disclosure

Users and system managers tend to not see the benefits of security

until a failure occurs

Misappropriation (a distributed denial of service attack) and misuse (disabling or thwarting security functions of a service) are threat actions that cause ______ threat consequences

usurpation

a threat to system integrity

usurpation

A flaw or weakness in a system's design

vulnerability

