ISM week 12

Lost USB Flash drives can be a big problem if they contain confidential or sensitive information! Ponemon Institute says a good rule of thumb is that a company suffers a cost of roughly ______ for every data record lost.

$200

Flash drives - Ponemon Institute study about lost flash drives (physical) As a rule of thumb, each data record lost costs a company $_______ ___% of companies surveyed suffered loss of sensitive/confidential information

$200 for each lost device 70% companies suffered loss

Software Bugs What is a "bug"? Is it reasonable to expect that large software systems would be truly and totally bug-free? Why or why not? What can an attacker do with a bug?

-Programming flaw or oversight - Human are imperfect so you can expect some bugs in the millions of lines of program codes -Attacker can use bug to exploit and run undesired program code to change destroy or take your data, copy your keystrokes. Gain full control and unauthorized data access

Describe the characteristics of modern cybercrime syndicates

...

Roughly how large was Affinity Healthcare's fine for a breach that came from improper equipment disposal?

1.2 million $ fine for data left on machine

Mobile and BYOD Organizations spend most of their IT security dollars protecting _____________ Why are mobile devices at risk? Two examples of technical risk are listed below. For each one, be able to define the problem and explain why each is a vulnerability, using a piece of Gartner research data to illustrate your argument Direct data flow Mobile sync

13 billion spent securing Info systems (castle walls) Mobile devices are outside the castle walls and is vulnerable to attack Direct Data Flow - By 2018 25% of all corporate data traffic will go from mobile device to cloud provider, bypassing traditional corporate security defenses Mobile Sync - 2017 40% of enterprise contact information will be leaked into facebook

Lost mobile devices (physical) ___% of smartphones lost each year. About ___% had sensitive data... and most of those were NOT protected at all!

30 billion loss in 1 year 5% lost each year 60% had sensitive data 57% of the 60% were not protected in any way

According to PWC's Global State of Information Security Report... What is the annual growth rate for security incidents? _____% Approximately how many attacks reported per day? ______ Describe companies' ability to deal with attacks over the last 6+ years

66% 120000 attacks per day 50% of unprotected computers are compromised by an intruder within 12 minutes! Internet is getting more HOSTILE

2013: estimates that more than _____% of cyberespionage in US originated from ______.

90, China

What's the name of the extremely high-profile hacktivist group whose wallpaper and tagline were used in the lecture?

Anonymous

Insider threats Who are they? How does CERT define the term "insider"? What % of incidents involve insiders? Serious threat?

Bad Apples Insider - a current or former employee contractor or other partner who has or had authorized access and intentionally misuses that access. 70% of lost causing security incidents. Most use unsophisticated means but can cause big problems.

Lost Laptops (physical) Overall cost? Average cost to each company surveyed? Percentage of laptops lost over their service life: _____%

Billion dollar problem $6.4 million impact per company surveyed 7% of laptops lost

Equipment Disposal (physical)- What types of equipment? Why are they at risk?

Copy machines have hard drives that keep a record of scans, copies ect. inside the machines and they have data that could compromise

What is the source of most malicious hacking?

Cyber-Crime Sydicates Large groups, very professional, skilled people Money - underground economy to put into efforts Very effective

Your company's e-commerce webserver normally handles about 500 simultaneous users without any problem. Your users are almost entirely from the southeastern US. Suddenly, over 100,000 machines from around the globe are sending bogus service requests to your e-commerce webserver. Those requests are overwhelming the server. It's unable to respond to anybody. Your legitimate customers are getting frustrated and taking their business elsewhere. What kind of attack are you experiencing?

DDoS

List 5 valuable items that are vulnerable - briefly explain why each is vulnerable.

Data - Raw facts that provide insight for competitive advantage Intellectual Property - concepts or knowledge that gives an edge Business processes - critical to day to day operations Reputation- need customers trust Corporate survival - is dependent on the above information You must first be able to identify vulnerabilities in order to protect your company; Physical, Technological, Human.

Additional reasons to secure information systems themselves, in addition to their data

Data can competitive advantage, Data is an Asset. Privacy Regulations, need for security Info systems are an asset that can be high jacked by others.

Your company has just started using something called "DBAN" as part of its information security efforts. How is DBAN used to improve security?

It securely erases data from hard drives before they are discarded.

Crime-as-a-Service... what kind of services do they offer? Be able to offer a couple of examples. (you do not need to know specific dollar values)

Launch DDOS attacks, hourly, monthly Spamming Pay per install. Set up a site that posts malicious ads that will force your computer to download software Custom programming

Examples of breaches - be familiar with the "big picture" of... TJX breach - Why did this happen? What was stolen? Rough cost? State of Utah - What was stolen? Rough cost? LinkedIn (2012) - What was stolen? Rough cost?

LinkedIn eHarmony - published millions of passwords Java - hundreds of thousands of users exposed to malware 2014 Home Depot - payment data pay stations were breached; over 5 months millions of Credit cards were taken TJX breach - 45.6 million Credit Cards stolen, cost $1-$4 billion to clean up, vulnerable wireless routers *biggest security breach Target 70 million $140 mil to clean up Sonly PlayStation 77 million credit cards State of UTAH - Medicaid 780000 records exposed - $3.4 million cleanup LinkedIn - 6 million passwords;$1 million to clean up

What are the digital identities and why protect them?

Log in credentials,

Explain how they use the two methods below to achieve their goals: Denial of Service Information Exposure

Methods - Denial of service where the attackers basic plan is to overwhelm the victims network or servers with so many requests for service that they cannot be responded to so the original users cannot receive service Expose sensitive info to embarrass

Who are "script kiddies"? What characterizes their methods and motivation?

Methods - exploit well-known vulnerabilities using publicly available tools. Motivation - enhanced reputation, thrills

2014: FBI cybercrime unit warned of potential offensive cyber attacks from __________.

Middle East

What are the real drivers behind modern cyber-attacks?

Money and Power

Some people think that the attackers are "just kids" showing off their tech skills. True?

No its the drivers of money and power

We discussed 5 reasons why user passwords are a major source of vulnerability today. Briefly explain two of them. (2 sentences)

Passwords tend to have a lack of complexity making it easy for hackers to guess them. The root cause is that people want things that are easily remembered so that they don't have to deal with the hassle of remembering complex passwords.

Hacktivists - what characteristics typify hactivist groups? What overall strategies do they use to accomplish their goals?

Political power and influence Loose confederations of individuals who are dedicated to political activism They want to be noticed so they can bring about political change They use monetary pain to its victims in attempt to force them to change their behavior Embarrass and damage a victims reputation to get them to change their behavior Seek to gain public support

Dumpster Diving Why do attackers sometimes jump into your corporate trash can? What kinds of things do organizations toss into a dumpster that attackers would want to retrieve? What kinds of information do they get from those things?

Powerful tactic - "Gold mine of info", Pre-attack research, lists of phone #, Account names, Source code, Printouts, Media. They can get info on how to access data

Servers - What's the risk?

SMB- Leave them out in the open. Needs to be locked up with access control, Ayou need an alarm.

Social Engineering What is it? How is it done? What steps does an attacker take to exploit this vulnerability?

Social engineering - outsider exploits naïve insider. "the clever manipulation of the natural human tendency to trust" Baby steps . Research your victim - By obtaining small amounts of access bit by bit from diff employees. Ask for help - plausible requests to the right people mentioning the right names

Two reasons to secure data

Something of value that needs to be protected - Possessions, People, Reputation.

Shoulder Surfing What is it? How do attackers use it?

Spying, snooping, look over someones shoulder.. ATM peeker; computer passwords, lock codes on phone

This week, you learned about a security breach of incredible size: 45.6 million customer credit cards stolen Company estimtes $150 million cost to clean it up Total losses to the company estimated at $1 billion or higher The cause? An insecure WiFi access point. Which of the following companies experienced this disastrous security breach?

TJX

What is a "zero day exploit"?

The very day they vulnerability is known, bad guys are already intruding.

Risky Behavior - two types What are they? How are they different?

Uninformed people - don't know theyre doing something dangerous, potentially harmful (ice) Negligent people - knows the behavior is risky but they don't care. More of a problem. Both = HARM to people or org.

Suppose you were to (foolishly) put an unprotected computer on the Internet. According to the latest data, how long would it take for cybercriminals to compromise the machine?

about 4-5 minutes

A cybercriminal is attacking your corporate network account. He is trying every possible combination of characters, one after another, hoping that he'll get lucky before you discover the nefarious plot. What kind of attack is this?

brute force

This emerging type of threat involves the actions of either a nation-state or an international organization. Their goal is to attack or damage another nation's computers and/or network infrastructure. Many national security and intelligence experts consider this to be "the greatest national security threat to the United States."

cyberwarfare or cyber war

According to the text and lectures, information security attacks are becoming less common.

false

Good news! Mobile devices are immune to malware.

false

What is IP?

intellectual property refers to creations of the mind such as inventions, literary and artistic works, designs, and symbols, names, and images used in commerce.

cyber warfare

involves actions of nation state or international org to attack or damage another nations computers/network

What's a typical methodology?

modus operandi

In IP theft, one is often facing a "determined human adversary." What characterizes this type of opponent?

not deterred by early failures, repeated attacks, variety of techniques, significant resources from sponsors

These days most malicious hacking attacks are the result of ____________________.

organized groups of professional cybercriminals

This type of cyber attack is basically a con game delivered via email. The cybercriminal sends out email that looks like it's from a legitimate business, such as a bank, probably even using the company logo and other graphics to make it look more authentic. The email tells the victim that he/she needs to provide some information about his/her account, or perhaps update his/her password. Basically, the cybercriminal is trying to trick the victim into providing critical information that has value to the criminal. What type of cyber attack is this?

phishing

Your company has decided to implement public key encryption technology to protect its email system. Suppose that your boss has just sent an encrypted email message to you. Software on your boss' computer encrypted the message using a ______________. Software on your computer will decrypt the message using a ____________.

public key; private key

Fred's computer was just infected by malware. When he next tried to open an Excel spreadsheet, the malware displayed a message stating that all of Fred's files had been encrypted and that he must pay $250 to a particular website. If he does, they'll send him a password to decrypt his files. If he doesn't then his files are history. What's the name for this type of malware payload?

ransom ware

Your company's Chief Information Security Officer has announced a new initiative. The goal is to make sure that the organization spends the right amount of time and money protecting each information asset. As a metaphor, she mentions that we don't want to spend $1 million to secure a chicken coop, nor do we want to only spend $10 to protect the company's crown jewels. Which of the following terms is used for the initiative she is leading?

risk assessment

This type of attack attempts to exploit naive people, tricking them into providing information that the attacker will use to gain access to their networks and systems.

social engineering

Passwords What are the three user password vulnerabilities? Why is each a problem? What are the root causes of problems with user passwords? Why are "default passwords" a potential security problem?

sometimes its the only security measure in place 1. Sticky note 2. Guessable -phone numbers, names, b-day. Answers to password questions 3. Lack of complexity We are the root causes by being resistence to change and use easily remembered Default passwords - built in by manufacturer- need to change them right away

What does it mean to be "vulnerable"? (dictionary definition used repeatedly...)

susceptible to attack or harm

Why do IP thieves typically steal it?

to sell it

Sara got a popup message suggesting she try an amazing new disk defragger application. The popup said it'd make her computer run 47% faster. She was really excited and clicked to download and install the disk defragger. In addition to being a disk utility, the program also contained a really nasty little piece of malware. Sara's computer is now fully compromised and under the control of some cybercriminals. What type of malware did Sara download?

trojan