Foundations of Cyber Security


Anonymous examples (3)

2008 Project Chanology, 2010 Operation Avenge Assange, 2011 Operation Tunisia

Carbanak APT

2013-2015. Unusual - cybercriminals not nation states, wasn't that technologically advanced. Loss of $1 billion

Security Assertion Markup Language

XML-based standard for exchanging authentication and authorisation data (assertions) between an identity provider and a service provider; the basis of much web single sign-on

Botnet

A group of compromised computers or mobile devices connected to a network

TLS

Successor to SSL and more secure than it; provides server authentication, encryption and integrity for exchanges over the Internet

Baiting

A real-world trojan horse: leaving a malware-laden physical item (e.g. a USB stick) where a victim will pick it up and plug it in

Tailgating/piggybacking

Accessing a secured building/area without authorisation, by walking behind another employee

Unintentional insider typical attacks (3)

Accidental posting of information, accidental deletion of information, visiting websites infected with malcode

User access control requirements (3)

Account approval, removing unneeded accounts, two-factor authentication

APTs

Advanced Persistent Threat

Information processing (5)

Aggregation Identification Insecurity Secondary use Exclusion

Cyber criminal example

Albert Gonzalez, 2005-2007

Network convergence

All communications over a common network structure (vulnerable)

Petya

Malware (the 2017 NotPetya variant) that presented itself as ransomware but could not actually restore files, so it acted as a wiper; spread across networks using stolen credentials and the SMB EternalBlue exploit

Hacktivist examples (2)

Anonymous, Snowden

Culture of hacktivism (5)

Anti-establishment, obsession with privacy, membership fluidity, lack of hierarchy, creativity

Threat source

Any actor or circumstance capable of generating an attack (e.g. a nation state, an insider, a natural event)

Benefits of honeypots (3)

Attack detection, deflect attackers, gather information on attack strategies

Access control principles (3)

Authentication Authorisation Audit

SAML assertions (3)

Authentication statements Attribute statements Authorisation statements

OAuth grant flows (3)

Authorisation code grant flow Resource owner password grant flow Client credential grant flow

Pentesting

Authorised simulated attack, aimed at assessing the security of a system

Mirai

IoT botnet (2016) whose DDoS attacks were the largest recorded at the time

Firewall requirements (3)

Block unauthenticated connections, document connections, monitor/protect administrative access

Types of firewall (2)

Boundary and host-based

Information dissemination (7)

Breach of confidentiality, Disclosure, Exposure, Increased accessibility, Blackmail, Appropriation, Distortion

Command and control examples (2)

Ciphered connection over HTTPS, use of Twitter hashtags

Nation state's typical motives (3)

Collecting information, sabotage, subversion

Dumpster diving

Combing through bins for sensitive information

Insider threat

Comes from someone with legitimate access to resources

What are the risks of user access control? (2)

Compromising privileged accounts will do more damage, attacker could lock admins out

Channel consolidation

Concentration of data on a few providers (data breach)

Privacy (3)

Confidentiality Control Practice

Why is cyberwar attractive? (5)

Cost effective, no casualties, fast, plausible deniability, hard for victim to detect

CNI

Critical National Infrastructure

Advanced (APT)

Cutting edge tech, zero-day exploits

Estonia

Cyber attack, April 2007

Who can be behind cyber attacks? (5)

Cyber criminals, nation states, hacktivists, insider threats, script kiddies/noobs

Problems with using standards (3)

Cyber security requires a holistic approach, threats are constantly evolving, companies become focussed on tick-list rather than innovative defence

Web defacement

Cyber vandalism - changing a website's content to be provocative or raise awareness of their cause, aiming to reach the news

Type of cyber attack on Estonia

DDoS and defacement

Anonymous' attacks

DDoS carried out by many volunteers running tools on their own machines rather than by a botnet

Actions on objectives examples (2)

Data exfiltration, lateral movement within target network

Advanced cyber defences (6)

Data protection, segregation of duties, network fragmentation, honeypots, pentesting, standards

Honeypots

Decoy systems to lure attackers away from critical systems

UK's National Cyber Security Strategy

Defend, deter, develop

Delivery

Delivery of payload to target

Script Kiddies/Noobs motives (3)

Desire to join real groups, challenge, curiosity

Weaponize

Development or purchase of cyber weapons

Bitcoin miner

Device that attempts to solve the proof-of-work puzzle in order to earn bitcoin

DAC

Discretionary Access Control

Hacktivists VS cyberterrorists

Disruption VS destruction

DDoS

Distributed Denial of Service

DNS

Domain Name System

Mining malware

Downloading miner technology onto other people's devices to help attacker gain bitcoin

RBAC advantages (2)

Efficient permissions Reduced employee downtime

Sources of malware infection (3)

Email attachments, downloads, installation of software from removable media (e.g. USB)

Data protection methods (3)

Encryption, fragmentation, back-up data

Three phases of user authentication

Enrolment Identification Verification

Secure configuration

Ensure that devices are configured to reduce vulnerabilities and only provide required services

User access control

Ensure user accounts are only assigned to authorised individuals, and access is only provided to required resources

Patch management

Ensures devices are not vulnerable to known security issues

Installation

Ensures payload persistence within the target, giving the malware the ability to survive a reboot

Types of cyberwarfare (3)

Espionage, sabotage, propaganda

Command and control

Establish a communication channel between target machine and external server

Secure Sockets Layer (SSL)

Establishes an encrypted link between a web server and a browser, ensuring that all data passed between them remain private; now deprecated in favour of TLS

WannaCry exploit

EternalBlue

Actions on objectives

Execution of the attack - the more complex the target, the more phases of lateral movement are needed

Exploitation

Execution of the payload

Brute force attack

Exhaustive search of all possible combinations

Exploitation examples (3)

Exploiting known vulnerabilities (e.g. in the OS), exploiting the application, user deception

Wikileaks purpose

Feels world should be aware of data, acts as a proxy for journalists etc. who would be prosecuted

WannaCry protection

Firewall, secure configuration, user access control, patch management

Basic requirements of IT infrastructure (5)

Firewalls, secure configuration, user access control, malware protection, patch management

Wikileaks examples (3)

GTMO files, Hillary's emails, CIA's Vault 7 and 8

GDPR

General Data Protection Regulation

HTTPS process (2)

GET request, POST request (the HTTP methods, carried inside the TLS session)

Segregation of duties

Have sensitive tasks completed/signed off by multiple people

Threat event

The specific action or circumstance through which a threat source exploits a vulnerability

HTTPS

Hypertext Transfer Protocol Secure

Reconnaissance example

Identifying the security means used by the target via online research

Nation state's typical attacks (3)

Influencing campaigns, data breach, DDoS

Intentional insider typical attacks (2)

Information leak, install a logic bomb

What is cyberspace? (4)

Information systems, data on them, services they provide, network device used for communication

Installation examples (2)

Injecting payload into trusted OS process, registering payload to auto-start

Types of insider threat (2)

Intentional and unintentional

IoT

Internet of Things, e.g. smart meters

Sandbox

Isolated environment in which untrusted code can run without affecting the host (used, for example, inside a honeypot or by anti-malware software)

Why is HTTPS secure?

Its content can't be read or tampered with in transit without breaking the encryption: TLS provides confidentiality, integrity and server authentication

Spearphishing example

John Podesta

Wikileaks

Julian Assange, 2006, publishes censored or restricted documents online

Patch management requirements

Keep software updated, don't use third party mods, remove unnecessary software

Approaches to user identification (3)

Knows (e.g. password) Has (e.g. ID card) Is (e.g. fingerprint)

Perpetrators of Estonia attack

Kremlin - no consequences

GDPR and data breaches

Legally, companies now have to report data breaches to the supervisory authority (within 72 hours of becoming aware of them)

Script Kiddies/Noobs

Less skilled hackers

Password cracking countermeasures (4)

Lockout mechanisms Throttling Protective monitoring Password blacklisting

Shoulder surfing

Looking over target's shoulder when they're at their computer

Wikileaks hosting

Mainly Bahnhof ISP, Sweden - acts from legally protected countries

What is a cyberattack?

Malicious attempt to damage, disrupt, or gain unauthorised access to computer systems, network or devices

Weaponize examples (3)

Malicious payload, social engineering, remote access trojan

Threat (APT)

Malicious, targeted

Nation state's typical attack vectors (4)

Malware, botnets, emails, social media

Cyber criminal's typical attack vectors (3)

Malware, email, botnet

Hacktivist typical attack vector (3)

Malware, email, botnet

Pentesting tool

Metasploit

Networked forces

Military innovation enabled by cyber technologies (drones)

Targets of Estonia attack

Ministries of Foreign Affairs and Justice websites, PM's website, banks, 112 emergency number

Cyber criminal's typical motive

Money

Cyber criminal's typical attacks (5)

Money theft, document ransom, data breach, DDoS

Hacker VS hacktivist

Motivation - hackers celebrate technology, hacktivists celebrate human agency

Anonymous

Movement began as hackers on 4chan in 2003, became hacktivists

Why is cyberspace an ideal target?

Network convergence, channel consolidation, networked forces

WannaCry

Non-targeted ransomware worm (May 2017) which spread automatically over networks via the SMB EternalBlue exploit - required no action by the victim

Anonymous' core principles (3)

Not attacking media, not attacking critical infrastructure, working for justice

Post-exploitation (APT)

Occurs over time, repeated, issues instructions to payload, interacts with Remote Access Trojan/Command and Control

OAuth

Open Authorization protocol that allows a third-party application to access protected resources hosted on a HTTP server

DDoS method

Overloads machine providing a service using botnets

Persistent (APT)

Payload remaining hidden for months/years - waiting for the right time, launching multiple simultaneous attacks

PTES

Penetration Testing Execution Standard

Insider threat motives (3)

Personal vendetta, bribe, blackmail

PII

Personally Identifiable Information

Access control in use (4)

Physical Web File access File sharing

Hash

Fixed-length digest computed from input data by a one-way function; cannot feasibly be reversed, only recomputed from a guess and compared
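
The three cards on brute force attacks, password cracking countermeasures and hashes above describe one attacker/defender pair, so here is one added worked example (not part of the original flashcard set) that shows them together: a salted, iterated password hash, an exhaustive search against a deliberately tiny PIN space, and the online countermeasures from the card (lockout, throttling, protective monitoring, blacklisting). The blacklist, PIN and clock are constructed for the example; the only real library is the Python standard library.

```python
import hashlib
import hmac
import itertools
import secrets
import string
import time

ITERATIONS = 100_000   # work factor: the cost that slows offline brute force

# Constructed blacklist of known-bad passwords (real deployments use breach lists)
BLACKLIST = {"password", "123456", "qwerty", "letmein", "admin"}

def is_blacklisted(password):
    return password.lower() in BLACKLIST

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). The digest is a fixed-length, one-way value: it cannot be
    turned back into the password, only recomputed from a guess and compared."""
    if salt is None:
        salt = secrets.token_bytes(16)       # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, digest, iterations=ITERATIONS):
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def brute_force(salt, digest, alphabet=string.digits, length=4, iterations=ITERATIONS):
    """Exhaustive search: try every string of `length` symbols from `alphabet`.
    Each guess costs a full PBKDF2 run, which is why the iteration count matters."""
    for combo in itertools.product(alphabet, repeat=length):
        guess = "".join(combo)
        if verify_password(guess, salt, digest, iterations):
            return guess
    return None

class LoginGuard:
    """Online countermeasures: lockout after repeated failures, throttling via a
    growing retry delay, and protective monitoring via a decision log."""
    def __init__(self, salt, digest, max_failures=5, lockout_seconds=300,
                 iterations=ITERATIONS, clock=time.monotonic):
        self.salt, self.digest, self.iterations = salt, digest, iterations
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.clock = clock            # injectable so tests can fake the passage of time
        self.failures = 0
        self.locked_until = 0.0       # lockout: no attempts accepted before this time
        self.not_before = 0.0         # throttle: next attempt accepted after a delay
        self.log = []                 # (time, outcome) records for monitoring/alerting

    def attempt(self, password):
        now = self.clock()
        if now < self.locked_until:
            self.log.append((now, "locked"))
            return "locked"
        if now < self.not_before:
            self.log.append((now, "throttled"))
            return "throttled"
        if verify_password(password, self.salt, self.digest, self.iterations):
            self.failures = 0
            self.not_before = 0.0
            self.log.append((now, "success"))
            return "success"
        self.failures += 1
        self.log.append((now, "failure"))
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        self.not_before = now + 2 ** self.failures   # 2s, 4s, 8s ... between retries
        return "failure"
```

The example uses a four-digit PIN and a low iteration count so the brute force finishes in under a second; the same search against the default 100,000 iterations and a real password alphabet is what the work factor is designed to make impractical, and the guard shows why online guessing is stopped long before the key space is exhausted.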

Anonymous' core values (4)

Pluralistic movement, anti-censorship, privacy, internet security

Access control system (3)

Policy Model Mechanisms

Phases of pentesting (6)

Pre-engagement interaction Intelligence gathering Threat modelling Vulnerability analysis Exploitation Post-exploitation

Steps of risk management (9)

Prepare for risk assessment, Conduct assessment, Identify threat source, Identify threat events, Identify vulnerabilities, Determine likelihood, Determine impact, Communicate results, Maintain risk assessment

Pretexting/blagging

Presenting oneself as someone else to obtain private information

Access control

Prevention of unauthorized use of a resource, including authorised use in an unauthorised manner

Risk management

Prioritising the identified risks in terms of likelihood and impact, then making efforts to minimise, monitor, and control their impacts

Hacker ethics

Pro-freedoms, anti-authority

Risk assessment

Process of identifying, analysing, and evaluating risk

Keylogger

Program that monitors keystrokes

What is cyber security?

Protection of cyberspace from harm, misuse, or unauthorised access

OpenID connect

Provides a standard SSO protocol on top of OAuth 2.0 framework

RFID tags

Radio Frequency Identification Tags

Kill chain stages (7)

Reconnaissance Weaponize Delivery Exploitation Installation Command-and-control Actions on objectives

Why is user access control useful?

Reduces likelihood of insider threat

Hacktivist motives (3)

Religious, social, and political

Secure configuration requirements (4)

Remove unnecessary accounts, change non-secure passwords, disable auto-run, authenticate users before allowing access to data

OAuth actors (4)

Resource owner Resource server Authorisation server Client
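
The OAuth cards (grant flows, actors, and the OAuth/OpenID Connect definitions) describe the authorisation code grant in the abstract. The following is an added example, not code from the flashcard set or from any OAuth library, that plays the exchange out between the four actors with the checks a real authorisation server must make: exact redirect_uri matching, client authentication at the token endpoint, single-use and expiring codes, code bound to the client that requested it, and a `state` value checked by the client against login CSRF. Client names, secrets, URIs and the stored profile are constructed for the example; stores are plain dictionaries.

```python
import secrets
import time

class AuthorizationServer:
    """Authorisation server with in-memory stores (constructed for this example)."""
    CODE_TTL = 60          # seconds an authorization code stays valid

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.clients = {}  # client_id -> {"secret", "redirect_uris"}
        self.codes = {}    # code -> issuance record
        self.tokens = {}   # access_token -> {"user", "scope", "client_id"}

    def register_client(self, client_id, secret, redirect_uris):
        self.clients[client_id] = {"secret": secret, "redirect_uris": set(redirect_uris)}

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Authorization endpoint (front channel). `user` is the resource owner, assumed
        already authenticated and consenting. Returns the redirect carrying code + state."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            # Exact match against registered URIs: otherwise an attacker-controlled
            # redirect_uri would receive the code.
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user,
                            "expires": self.clock() + self.CODE_TTL, "used": False}
        return {"redirect_to": redirect_uri, "code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint (back channel): client authenticates, code is exchanged once."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        rec = self.codes.get(code)
        if rec is None or rec["used"] or self.clock() > rec["expires"]:
            raise PermissionError("invalid, expired or already used code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client/redirect_uri")
        rec["used"] = True     # single use: a replayed code must fail
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": rec["user"], "scope": rec["scope"], "client_id": client_id}
        return {"access_token": token, "token_type": "Bearer", "scope": rec["scope"]}


class ResourceServer:
    """Protected resource: accepts bearer tokens validated against the auth server's store."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.profiles = {"alice": {"email": "alice@example.test"}}   # constructed data

    def get_profile(self, bearer_token, required_scope="profile:read"):
        info = self.auth.tokens.get(bearer_token)
        if info is None or required_scope not in info["scope"].split():
            raise PermissionError("invalid token or insufficient scope")
        return self.profiles[info["user"]]


class Client:
    """The third-party application."""
    def __init__(self, client_id, secret, redirect_uri):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.pending_states = set()

    def start(self, scope="profile:read"):
        state = secrets.token_urlsafe(16)   # binds the callback to this session (CSRF defence)
        self.pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state}

    def callback(self, auth_server, redirect):
        if redirect["state"] not in self.pending_states:
            raise PermissionError("state mismatch: callback not initiated by this client")
        self.pending_states.discard(redirect["state"])
        return auth_server.token(self.client_id, self.secret,
                                 redirect["code"], self.redirect_uri)


def run_flow(clock=time.monotonic):
    """Full authorization code grant; returns the actors and messages for inspection."""
    auth = AuthorizationServer(clock)
    auth.register_client("photo-app", "s3cret-example", ["https://photo.example.test/cb"])
    client = Client("photo-app", "s3cret-example", "https://photo.example.test/cb")
    resource = ResourceServer(auth)
    request = client.start()
    redirect = auth.authorize(request["client_id"], request["redirect_uri"],
                              request["scope"], request["state"], user="alice")
    token = client.callback(auth, redirect)
    return {"auth": auth, "client": client, "resource": resource,
            "redirect": redirect, "token": token}
```

The token endpoint is the back channel: the code travels through the user's browser, but only a client that knows the secret and presents the same redirect_uri can turn it into a token, which is what makes leaking the code less severe than leaking the token itself.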

Malware protection

Restrict execution of known malware and untrusted software

RBAC

Role Based Access Control
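
The access control cards (access control, RBAC and its advantages, segregation of duties, and the authentication/authorisation/audit principles) fit together in one small model. This added example, not from the flashcard set or from any access control library, implements role-based access control with the pieces those cards name: roles carrying permissions, users carrying roles, a segregation-of-duties rule that stops one person holding two conflicting roles, an audit trail of every decision, and revocation that removes all of a role's permissions in one step. Role, user and resource names are constructed for the example.

```python
class RBAC:
    """Role-based access control with an audit trail and segregation-of-duties constraints.
    Constructed example: the role and user names below are illustrative."""
    def __init__(self):
        self.role_perms = {}    # role -> set of (action, resource); resource "*" = any
        self.user_roles = {}    # user -> set of roles
        self.exclusive = set()  # frozenset({role_a, role_b}) pairs nobody may hold together
        self.audit = []         # every decision: (user, action, resource, outcome)

    def grant(self, role, action, resource="*"):
        self.role_perms.setdefault(role, set()).add((action, resource))

    def separate(self, role_a, role_b):
        """Segregation of duties: the two roles must never sit with one person."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise ValueError(f"{user} may not hold both {role!r} and {other!r}")
        held.add(role)

    def revoke(self, user, role):
        # Leavers and movers lose access in one change, however many permissions the role carries
        self.user_roles.get(user, set()).discard(role)

    def permitted(self, user, action, resource):
        """Authorisation decision; default deny, and every decision is audited."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms.get(role, set())
        ok = (action, resource) in perms or (action, "*") in perms
        self.audit.append((user, action, resource, "allow" if ok else "deny"))
        return ok


def build_demo():
    """A payments workflow: clerks raise payments, approvers sign them off, auditors only read."""
    rbac = RBAC()
    rbac.grant("clerk", "create", "payment")
    rbac.grant("approver", "approve", "payment")
    rbac.grant("auditor", "read")            # read anything, change nothing
    rbac.separate("clerk", "approver")       # whoever raises a payment cannot also sign it off
    rbac.assign("dana", "clerk")
    rbac.assign("eve", "approver")
    rbac.assign("finn", "auditor")
    return rbac
```

Note that `permitted` never consults the user directly: permissions attach to roles, so the "efficient permissions" advantage on the RBAC card is simply that a policy change edits one role rather than every user holding it.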

APT attack phases (4)

Scan and discovery Vulnerability exploitation Payload injection Post-exploitation

SSL

Secure Sockets Layer

SAML

Security Assertion Markup Language

Diffie-Hellman Key Exchange

Lets two parties agree a shared secret over an insecure channel using public-key mathematics (modular exponentiation); the shared secret is then used as a key for symmetric encryption. On its own it does not authenticate the parties

SSO example

Shibboleth

How do honeypots work?

Simulated to look like the real system, so the attacker interacts with the decoy instead of the production system

SSO

Single Sign On

Limitation of honeypots

Skilled hackers can tell

Forms of authentication (5)

Smart cards Magnetic stripe cards Biometrics Barcodes RFID tags

Insider threat examples

Snowden, Manning, Reality Winner

Firewalls

Software or hardware that filters network traffic against a rule set, allowing only permitted connections into and out of the network

Downloader variant

Malware whose job is to fetch and install further components onto the target device

Firewall blocking rules (3)

Source address, destination address, protocol (and port)

Public key infrastructure

System for issuing pairs of public and private keys and corresponding digital certificates

Script Kiddie example

TalkTalk 2015

Delivery examples (3)

Target downloads from website, USB, email attachment

Reconnaissance

Target research and selection, ends when attacker knows enough

Spearphishing

Targeted phishing

User authentication

The process of verifying an identity claimed by or for a system entity

Data breach

The unintended release of sensitive data or the access of sensitive data by unauthorized individuals.

Why were Macs more secure?

They didn't have as wide a market share, meaning they were targeted less

Stages of cyber risk (4)

Threat source Threat event Vulnerability Adverse impact

TLS

Transport Layer Security

Exploitation requirements

Two weapons - one to get through, one to do the damage

Nation state examples (5)

US election, China's Marriott hack, Stuxnet, Ukraine, Estonia

Why does cyber deterrence rarely work?

Unable to attribute attack

Malware protection requirements

Updated anti-malware software, auto-scan of sites and files, application whitelisting, application sandboxing

Single Sign On (SSO)

Using one authentication credential to access multiple accounts or applications

Security through obscurity

Relying on attackers not knowing the software, interfaces and protocols in use, and therefore not knowing their vulnerabilities; not a substitute for sound design, since the secret eventually leaks or is reverse engineered

Digital signature

Verifies authenticity/integrity of information: created with the signer's private key, checked by anyone with the corresponding public key

Vishing and smishing

Voice phishing and SMS phishing

Zero-day exploit

Vulnerabilities exploited before the software creator/vendor is aware of their existence or has issued a patch.

WannaCry's kill switch

WannaCry tries to access a domain which was not registered - the outbreak ended when a researcher registered the domain, triggering the kill switch

Kill switch

A condition built into malware that makes it stop running or propagating, e.g. a check that a particular domain does not resolve

Why are IoT more vulnerable? (2)

Weak credentials, lack of patches

What is a cyber vulnerability? (2)

Weakness or loophole in system

Hacktivist typical attacks (4)

Web defacement, data breach, information leak, DDoS

Data breach example

Yahoo

