Information Systems Chapter 3


Mean time to failure

(MTTF): The average amount of time between failures for a particular system

Countermeasure for confidentiality

Incoming: patching, authentication, and authorization. Outgoing: encryption.

Protocol analyzer

(or packet sniffer) is a software program that enables a computer to monitor and capture network traffic on either a wired LAN or a wireless LAN. Using this, attackers can capture passwords and cleartext data. Protocol analyzers come in hardware versions, software versions, or a combination of both, and can operate in promiscuous mode.

Eavesdropping

(or sniffing) occurs when a host sets its network interface to promiscuous mode and copies packets that pass by for later analysis. Promiscuous mode enables a network device to intercept and read each network packet, even if the packet's address doesn't match the network device.

Availability equation

(total uptime)/(total uptime + total downtime)

What is a phishing email?

A fake or bogus e-mail to trick the recipient into clicking on an embedded URL link or opening an e-mail attachment.

Script kiddie

A person with little or no skill who just follows directions or uses a cookbook to carry out a cyber attack.

What is a cookie?

A text file that contains details gleaned from past visits to a Web site. These details might include the user's username, credit card info, etc.

Port Scanner

A tool used to scan IP host devices for open ports that have been enabled. A port is like a channel selector switch in the IP packet. Request for Comment (RFC) 1700 defines IP port numbers and their associated services.

Spoofing

A type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource. A common spoofing attack involves presenting a false network address to pretend to be a different computer.

What is hijacking and what are the forms of it?

A type of attack in which the attacker takes control of a session between two machines and masquerades as one of them. Man-in-the-middle hijacking: the attacker comes between two computers and pretends to be the other party. Browser hijacking: the user is directed to a different Web site than the one he or she requested. Attackers can combine this attack with phishing to trick a user into providing private information, such as a password.

Keystroke logger

A type of surveillance software or hardware that can record every keystroke a user makes with a keyboard to a log file, which can then be retrieved. Employers might use keystroke loggers to ensure that employees use work computers for business purposes only. However, spyware can also embed keystroke logger software, enabling it to transmit information to an unknown third party.

AUP

Acceptable use policy.

APT

Advanced persistent threat: a type of cybercrime directed at a specific target, such as an individual, organization, or political group. It can span long periods of time, deploying malware that goes undetected for months.

White-hat hackers or Ethical hacker

An information systems security professional who has authorization to identify vulnerabilities and perform penetration testing.

IANA

Assigned Numbers Authority

ACH

Automated clearing house: transactions used for electronic payments or transfers of funds.

Finances and financial data?

Bank accounts, credit card data, and financial transaction data.

Two methods of active wiretapping are

Between-the-lines wiretapping: does not alter the messages sent by the legitimate user, but inserts additional messages into the communication line when the legitimate user pauses. Piggyback-entry wiretapping: intercepts and modifies the original message by breaking the communications line and routing the message to another computer that acts as a host.

Name anti-malware products available to prevent malware

BitDefender, Kaspersky Anti-Virus, Norton Antivirus, G DATA Antivirus, etc.

Common threats and vulnerabilities with Remote Access Domain

Brute-force password attacks on access and private data. Unauthorized remote access to resources. Data leakage from remote access or lost storage devices.

Active threats include...

Brute-force password attacks, dictionary password attacks, IP address spoofing, hijacking, replay attacks, man-in-the-middle attacks, masquerading, social engineering, phishing, phreaking, pharming.

Name firewall solution vendors

Cisco Systems, SonicWALL, WatchGuard Technologies, Check Point, ZyXEL, Netgear, Nortel, Juniper Networks, D-Link, MultiTech Systems

Information Security: C-I-A Triad

Confidentiality Integrity Availability

Reputation?

Corporate compliance and brand image.

The first virus recorded was the

Creeper virus, written by researcher Bob Thomas in 1971. It copied itself to other networked computers, displaying the message "I'm the creeper, catch me if you can!"

Data has integrity if

Data has not been altered, is valid, and is accurate.

Activities that can cause a security breach include

Denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, unacceptable Web-browsing behavior, wiretapping, use of a backdoor to access resources, accidental data modification.

EDI

Electronic data interchange ...numbers

Common threats and vulnerabilities with LAN-to-WAN Domain

Exposure and unauthorized access to internal resources from the outside.

Name the categories of attacks

Fabrications, Interceptions, Interruptions, Modifications

Port 21

File Transfer Protocol (FTP)

Countermeasure for integrity

Incoming: firewalls. Outgoing: digital signatures.

Backdoors

Give developers or support personnel easy access to a system without having to struggle with security controls. They don't always stay hidden, however: when an attacker finds a backdoor, he or she can bypass existing security controls such as passwords, encryption, and so on.

Port 80

HTTP for web traffic

In an IT and network infrastructure...

Hardware and software are key pieces of any organization's infrastructure.

What is IT and network infrastructure?

Hardware, software, and services.

An organization's assets can include the following...

IT and network infrastructure, intellectual property, finances and financial data, service availability and productivity, and reputation

Which group is responsible for responding to any reported cyberattack?

Incident response team.

The ease of access makes assets that are connected to the...

Internet the most common first point of attack. That means you should put your most valuable assets deep inside of your IT infrastructure. This allows for a layered security defense.

One of the best defenses against DoS attacks is to use

Intrusion prevention system (IPS) software or devices to detect and stop the attack.

Gray-hat hackers (wannabe)

A hacker with average abilities who may one day become a black-hat hacker, but could also opt to become a white-hat hacker. (Different people use this term in different ways.)

Common threats and vulnerabilities with User Domain...

Lack of awareness or concern for security policy. Accidental acceptable use policy violation. Intentional malicious activity. Social engineering.

Two common types of DoS attacks are...

Logic attacks: use software flaws to crash or slow the performance of remote servers. You can prevent many of these attacks by installing the latest patches to keep your software up to date. Flooding attacks: overwhelm the victim computer's CPU, memory, or network resources by sending large numbers of useless requests to the machine.

What are rootkits?

Malicious software programs designed to be hidden from normal methods of detection. They allow an attacker to gain access to a computer system. Rootkits are installed by attackers once they obtain root or system administrator access privileges. Rootkits commonly include backdoors. Traditional rootkits replace critical programs to give attackers backdoor access and enable them to hide on the host system.

Name things that can be embedded in a phishing e-mail?

Malicious software, Trojans, or keystroke loggers can be embedded in a phishing e-mail. Antivirus, anti-spyware, and anti-malicious-software applications are needed to combat this type of incident.

Name the most common threats...

Malicious software, hardware or software failure, internal attacker, equipment theft, external attacker, natural disaster, industrial espionage, terrorism, etc.

Promiscuous mode

Means the sniffer is nonintrusive and does not generate network traffic. Every data packet is captured and can be seen by the sniffer. Sniffers then decode the frame and IP data packet, allowing you to see data in cleartext if it has not been encrypted.

What is one of the most popular backdoor tools in use today?

Netcat.

Name examples of hardware and software tools to perform an actual attack.

Protocol analyzers, port scanners, OS fingerprint scanners, vulnerability scanners, exploit software, wardialers, password crackers, keystroke loggers.

What is Intellectual property?

Sensitive data like patents, source code, formulas, or engineering plans.

Attackers can launch DoS attacks using common Internet protocols such as

TCP and Internet Control Message Protocol (ICMP). The attack brings down one or more network servers or devices by flooding them with useless packets and providing false information about the status of network services. This is a packet flood.

Port 23

Telnet

Service availability and productivity?

The ability of computing services and software to support productivity for humans and machinery.

Session hijacking

The attacker attempts to take over an existing connection between two network computers. The first step in this attack is for the attacker to take control of a network device on the LAN, such as a firewall or another computer, in order to monitor the connection. This enables the attacker to determine the sequence numbers used by the sender and receiver. After determining the sequence numbering, the attacker generates traffic that appears to come from one of the communicating parties. This steals the session from one of the legitimate users. To get rid of the legitimate user who initiated the hijacked session, the attacker overloads one of the communicating devices with excess packets so that it drops out of the session.

Common threats and vulnerabilities with WAN Domain

Transmitting private data unencrypted. Malicious attacks from anonymous sources. Denial of service attacks. Weaknesses in software.

Black-hat hackers

Try to break IT security and gain access to systems with no authorization in order to prove technical prowess. They usually use special software tools to exploit vulnerabilities. They like to poke holes in systems, but do not attempt to disclose the vulnerabilities they find to the administrators of those systems. They tend to promote the free and open use of computing resources as opposed to the notion of security. In it for the fun or to exploit.

Wardialers

Try to connect to a modem. Wardialers are becoming more archaic and less often used given the rise of digital telephony and now IP telephony or Voice over IP (VoIP). Prior to VoIP, attackers would use wardialers to gain access to PBX phone systems in an attempt to obtain dial tone or international dialing capability to commit toll fraud. Attackers would also use wardialers to identify analog modem signals and gain access to a remote system within an IT infrastructure. A wardialer is essentially a computer program that dials telephone numbers, looking for a computer on the other end. Successfully connecting to a computer using a modem makes it possible to access the rest of the organization's network.

Hardware and software are damaged by malicious attacks such as....

Trojan horses or worms

Common threats and vulnerabilities with LAN Domain

Unauthorized network access. Transmitting private data unencrypted. Spreading malicious software.

Common threats and vulnerabilities with System/Application Domain

Unauthorized physical or logical access to resources. Weaknesses in server operating system or application software. Data loss from errors, failures, or disasters.

Common threats and vulnerabilities with Workstation Domain

Unauthorized user access. Malicious software introduced. Weaknesses in installed software.

What are the 7 domains of a typical IT infrastructure?

User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, Remote Access Domain, WAN Domain, and System/Application Domain.

True downtime cost

Usually measures the loss of productivity experienced by an organization due to downtime.

Countermeasure for availability

Incoming: virus protection, end-user training. Outgoing: redundancy.

One of the popular techniques for launching a packet flood is...

a SYN flood. A SYN is a TCP control bit used to synchronize sequence numbers. In a SYN flood, the attacker sends a large number of packets requesting connections to the victim computer. This essentially fills the victim computer's connection table.

Operating System (OS) fingerprint scanner

a software program that allows an attacker to send logon packets to an IP host device. These logon packets mimic various operating systems used in workstations, servers, and network devices. When an IP host device responds to these logon packets, the OS fingerprint scanner can guess what operating system is installed on the device. Once an attacker knows what OS and version is installed, it is possible to find known software vulnerabilities and exploits.

Password cracker

a software program that performs one of two functions: a brute-force password attack, which tries every possible character combination until it succeeds, or a dictionary attack. Dictionary attacks are a subset of brute-force attacks.

Phishing is

a type of fraud in which an attacker attempts to trick the victim into providing private information such as credit card numbers, passwords, dates of birth, bank account numbers, ATM PINs, Social Security numbers, etc.

The main difference between a virus and a worm is that

a worm does not need a host program to infect. The worm is a standalone program.

Wiretapping can be

active (modifying the communication) or passive, and can target telephone lines or data communications, but data communications wiretapping is more commonly called sniffing.

Exploit software

an application that incorporates known software vulnerabilities, data, and scripted commands to "exploit" a weakness in a computer system or IP host device.

Name active threats

brute-force, masquerading, IP address spoofing, session hijacking, replay, man-in-the-middle, dictionary password attacks.

The problem with cookies is that they store info in...

cleartext files.

Components of an IT infrastructure's domain may ....

connect to a network or to the Internet, and can be vulnerable to malicious attacks.

Hackers are different from....

crackers. A cracker has a hostile intent, possesses sophisticated skills, and may be interested in financial gain. Crackers represent the greatest threat to networks and information resources.

Phone phreaking (phreaking)

describes the activity of a subculture of people who study, experiment with, or exploit telephone systems, equipment and systems connected to public telephone networks.

DDOS attacks are more difficult to stop than DoS attacks because they originate from..

different sources.

Name passive threats

eavesdropping and monitoring.

Intrusive penetration testing

generates malicious network traffic. It is what a black-hat or white-hat hacker performs to penetrate a computer system or IP host device.

Dictionary password attack

Hackers try shorter and simpler combinations, including actual words, because such passwords are so common.

Name the types of threats

integrity threats, availability threats, confidentiality threats.

Replay attacks

involve capturing data packets from a network and retransmitting them to produce an unauthorized effect. The receipt of duplicate, authenticated IP packets may disrupt service or have some other undesired consequence.

DoS attack

is a coordinated attempt to deny service by causing a computer to perform an unproductive task. This excessive activity makes the system unavailable to perform legitimate operations. When a disk fills up, the system locks an account out, a computer crashes, or a CPU slows down, the result is denial of service - hence the name.

Vulnerability scanner

is a software program that is used to identify and detect what operating system and software is installed on an IP host device such as a computer server or router. With this, a vulnerability scanner compares known software vulnerabilities in its database with what it has just found. The scanner works by sending OS fingerprint messages and requests for logon to various operating systems. When the scanner identifies the operating system, it examines the known software vulnerabilities list to see if there is a match. It examines the known software vulnerabilities and prioritizes them as critical, major, or minor.

A trojan horse (trojan) is

malware that masquerades as a useful program.

Disclosure

occurs any time unauthorized users access private or confidential information that is stored on a network resource or while it is in transit between network resources.

Typically, malicious attacks are targeted

on the User, Workstation, LAN, and LAN-to-WAN Domains.

A rootkit modifies or replaces

one or more existing programs to hide traces of attacks. A host-based IDS can help detect rootkit activity, however.

Where phishing attempts to scam people one at a time with an email or instant messages,

pharming enables scammers to target large groups of people at one time through domain spoofing.

A violation of a C-I-A security tenets is a

security breach.

Pharming

seeks to obtain personal or private financial information through domain spoofing. It doesn't use messages to trick victims into visiting spoofed Web sites; instead it uses domain spoofing, "poisoning" a domain name system (DNS) server so that the victim navigates to the attacker's site.

Man-in-the-middle attack

takes advantage of the multihop process used by many types of networks. An attacker intercepts messages between two parties before transferring them on to their intended destination. Attackers use this technique to steal info, execute DoS attacks, corrupt transmitted data, gain access to an organization's internal computers, etc.

Define opportunity cost

the amount of money a company loses due to downtime.

Malware that tends to hide includes...

trojan horses, rootkits, spyware.

Keystroke logger (hardware)

typically a battery-sized plug that serves as a connector between the user's keyboard and computer. It saves the keystrokes to its own tiny hard drive. The person must then come and remove it physically.

Keystroke logger (software)

usually disguised as a Trojan malicious software program. It can be hidden in a URL link, PDF file, or ZIP file. As long as an attacker has network access to a computer, he or she can transfer any file. Users can also download keystroke loggers as spyware, which an attacker can then execute as part of a rootkit. The keystroke logger program records each keystroke the user types and periodically uploads the information over the Internet to whoever installed the program.

The opportunity cost of unintentional downtime is...

usually much higher than the opportunity cost of intentional downtime.

The best way to avoid data-modification issues is to...

validate data before storing it and to ensure that your programs adhere to strict data-integrity rules.

Estimated yearly cost of dealing with cybercrime and malicious attacks?

~ $1 trillion
