Foundations of Cyber Security
Anonymous examples (3)
2008 Project Chanology, 2010 Operation Avenge Assange, 2011 Operation Tunisia
Carbanak APT
2013-2015. Unusual: cybercriminals rather than nation states, and not that technologically advanced. Loss of $1 billion
Security Assertions Markup Language
A flexible way of presenting documents online
Botnet
A group of compromised computers or mobile devices connected to a network
TLS
A more secure protocol than SSL, provides authentication and encryption for secure exchanges over the Internet
Baiting
A real-world trojan horse, e.g. USB
Tailgating/piggybacking
Accessing a secured building/area without authorisation, by walking behind another employee
Unintentional insider typical attacks (3)
Accidentally posting/deleting information, visiting websites infected with malcode
User access control requirements (3)
Account approval, removing unneeded accounts, two-factor authentication
APTs
Advanced Persistent Threat
Information processing (5)
Aggregation, Identification, Insecurity, Secondary use, Exclusion
Cyber criminal example
Albert Gonzalez, 2005-2007
Network convergence
All communications over a common network structure (vulnerable)
Petya
An infection from a trojan (not ransomware) which spread across networks stealing credentials
Hacktivist examples (2)
Anonymous, Snowden
Culture of hacktivism (5)
Anti-establishment, obsession with privacy, membership fluidity, lack of hierarchy, creativity
Threat source
Any activity which can generate an attack
Benefits of honeypots (3)
Attack detection, deflect attackers, gather information on attack strategies
Access control principles (3)
Authentication, Authorisation, Audit
SAML assertions (3)
Authentication statements, Attribute statements, Authorisation statements
OAuth grant flows (3)
Authorisation code grant flow, Resource owner password grant flow, Client credential grant flow
Pentesting
Authorised simulated attack, aimed at assessing the security of a system
Mirai
Biggest DDoS attack ever, 2016
Firewall requirements (3)
Block unauthenticated connections, document connections, monitor/protect administrative access
Types of firewall (2)
Boundary and host-based
Information dissemination
Breach of confidentiality, Disclosure, Exposure, Increased accessibility, Blackmail, Appropriation, Distortion
Command and control examples (2)
Ciphered connection over HTTPS, use of Twitter hashtags
Nation state's typical motives (3)
Collecting information, sabotage, subversion
Dumpster diving
Combing through bins for sensitive information
Insider threat
Comes from someone with legitimate access to resources
What are the risks of user access control? (2)
Compromising privileged accounts will do more damage, attacker could lock admins out
Channel consolidation
Concentration of data on a few providers (data breach)
Privacy (3)
Confidentiality, Control, Practice
Why is cyberwar attractive? (5)
Cost effective, no casualties, fast, plausible deniability, hard for victim to detect
CNI
Critical National Infrastructure
Advanced (APT)
Cutting edge tech, zero-day exploits
Estonia
Cyber attack, April 2007
Who can be behind cyber attacks? (5)
Cyber criminals, nation states, hacktivists, insider threats, script kiddies/noobs
Problems with using standards (3)
Cyber security requires a holistic approach, threats are constantly evolving, companies become focussed on tick-list rather than innovative defence
Web defacement
Cyber vandalism - changing a website's content to be provocative or raise awareness of their cause, aiming to reach the news
Type of cyber attack on Estonia
DDoS and defacement
Anonymous' attacks
DDoS but using individuals not botnets
Actions on objectives examples (2)
Data exfiltration, lateral movement within target network
Advanced cyber defences (6)
Data protection, segregation of duties, network fragmentation, honeypots, pentesting, standards
Honeypots
Decoy systems to lure attackers away from critical systems
UK's National Cyber Security Strategy
Defend, deter, develop
Delivery
Delivery of payload to target
Script Kiddies/Noobs motives (3)
Desire to join real groups, challenge, curiosity
Weaponize
Development or purchase of cyber weapons
Bitcoin miner
Device attempting to solve the mathematical puzzle in order to obtain bitcoin
DAC
Discretionary Access Control
Hacktivists VS cyberterrorists
Disruption VS destruction
DDoS
Distributed Denial of Service
DNS
Domain Name System
Mining malware
Downloading miner technology onto other people's devices to help the attacker gain bitcoin
RBAC advantages (2)
Efficient permissions, Reduced employee downtime
Sources of malware infection (3)
Email attachments, downloads, installation of software (e.g. USB)
Data protection methods (3)
Encryption, fragmentation, back-up data
Three phases of user authentication
Enrolment, Identification, Verification
Secure configuration
Ensure that devices are configured to reduce vulnerabilities and only provide required services
User access control
Ensure user accounts are only assigned to authorised individuals, and access is only provided to required resources
Patch management
Ensures devices are not vulnerable to known security issues
Installation
Ensures payload persistence within the target, giving malware the ability to withstand the computer being turned off
Types of cyberwarfare (3)
Espionage, sabotage, propaganda
Command and control
Establish a communication channel between target machine and external server
Secure Sockets Layer (SSL)
Establishes an encrypted link between a web server and a browser, ensuring that all data passed between them remains private
WannaCry exploit
EternalBlue
Actions on objectives
Execution of the attack - the more complex the target, the more phases of lateral movement are needed
Exploitation
Execution of the payload
Brute force attack
Exhaustive search of all possible combinations
Exploitation examples (3)
Exploiting known vulnerabilities, exploiting the OS, user deception
Wikileaks purpose
Feels the world should be aware of the data; acts as a proxy for journalists etc. who would be prosecuted
WannaCry protection
Firewall, secure configuration, user access control, patch management
Basic requirements of IT infrastructure (5)
Firewalls, secure configuration, user access control, malware protection, patch management
Wikileaks examples (3)
GTMO files, Hillary's emails, CIA's Vault 7 and 8
GDPR
General Data Protection Regulation
HTTPS process (2)
GET operation, POST operation
Segregation of duties
Have sensitive tasks completed/signed off by multiple people
Threat event
How the attack is completed
HTTPS
Hypertext Transfer Protocol Secure
Reconnaissance example
Identifying the security means used by the target via online research
Nation state's typical attacks (3)
Influencing campaigns, data breach, DDoS
Intentional insider typical attacks (2)
Information leak, install a logic bomb
What is cyberspace? (4)
Information systems, the data on them, the services they provide, the network devices used for communication
Installation examples (2)
Injecting payload into trusted OS process, registering payload to auto-start
Types of insider threat (2)
Intentional and unintentional
IoT
Internet of Things, e.g. smart meters
Sandbox
Isolated operating system within a honeypot
Why is HTTPS secure?
Its content can't be manipulated unless encryption is destroyed
Spearphishing example
John Podesta
Wikileaks
Julian Assange, 2006, publishes censored or restricted documents online
Patch management requirements
Keep software updated, don't use third party mods, remove unnecessary software
Approaches to user identification (3)
Knows (e.g. password), Has (e.g. ID card), Is (e.g. fingerprint)
Perpetrators of Estonia attack
Kremlin - no consequences
GDPR and data breaches
Legally, companies now have to report data breaches to government
Script Kiddies/Noobs
Less skilled hackers
Password cracking countermeasures (4)
Lockout mechanisms, Throttling, Protective monitoring, Password blacklisting
Shoulder surfing
Looking over target's shoulder when they're at their computer
Wikileaks hosting
Mainly Bahnhof ISP, Sweden - acts from legally protected countries
What is a cyberattack?
Malicious attempt to damage, disrupt, or gain unauthorised access to computer systems, networks or devices
Weaponize examples (3)
Malicious payload, social engineering, remote access trojan
Threat (APT)
Malicious, targeted
Nation state's typical attack vectors (4)
Malware, botnets, emails, social media
Cyber criminal's typical attack vectors (3)
Malware, email, botnet
Hacktivist typical attack vector (3)
Malware, email, botnet
Pentesting tool
Metasploit
Networked forces
Military innovation enabled by cyber technologies (drones)
Targets of Estonia attack
Ministries of Foreign Affairs and Justice websites, PM's website, banks, 112 emergency number
Cyber criminal's typical motive
Money
Cyber criminal's typical attacks (5)
Money theft, document ransom, data breach, DDoS
Hacker VS hacktivist
Motivation - hackers celebrate technology, hacktivists celebrate human agency
Anonymous
Movement began as hackers on 4chan in 2003, became hacktivists
Why is cyberspace an ideal target?
Network convergence, channel consolidation, networked forces
WannaCry
Non-targeted ransomware which spreads automatically over networks - doesn't require opening by the victim
Anonymous' core principles (3)
Not attacking media, not attacking critical infrastructure, working for justice
Post-exploitation (APT)
Occurs over time, repeated, issues instructions to payload, interacts with Remote Access Trojan/Command and Control
OAuth
Open Authorization protocol that allows a third-party application to access protected resources hosted on an HTTP server
DDoS method
Overloads machine providing a service using botnets
Persistent (APT)
Payload remaining hidden for months/years - waiting for the right time, launching multiple simultaneous attacks
PTES
Penetration Testing Execution Standard
Insider threat motives (3)
Personal vendetta, bribe, blackmail
PII
Personally Identifiable Information
Access control in use (4)
Physical, Web, File access, File sharing
Hash
Plaintext that has been transformed into a short code
Anonymous' core values (4)
Pluralistic movement, anti-censorship, privacy, internet security
Access control system (3)
Policy, Model, Mechanisms
Phases of pentesting (6)
Pre-engagement interaction, Intelligence gathering, Threat modelling, Vulnerability analysis, Exploitation, Post-exploitation
Steps of risk management (9)
Prepare for risk assessment, Conduct assessment, Identify threat source, Identify threat events, Identify vulnerabilities, Determine likelihood, Determine impact, Communicate results, Maintain risk assessment
Pretexting/blagging
Presenting oneself as someone else to obtain private information
Access control
Prevention of unauthorized use of a resource, including authorised use in an unauthorised manner
Risk management
Prioritising the identified risks in terms of likelihood, then making efforts to minimise, monitor, and control their impacts
Hacker ethics
Pro-freedoms, anti-authority
Risk assessment
Process of identifying, analysing, and evaluating risk
Keylogger
Program that monitors keystrokes
What is cyber security?
Protection of cyberspace from harm, misuse, or unauthorised access
OpenID Connect
Provides a standard SSO protocol on top of OAuth 2.0 framework
RFID tags
Radio Frequency Identification Tags
Kill chain stages (7)
Reconnaissance, Weaponize, Delivery, Exploitation, Installation, Command-and-control, Actions on objectives
Why is user access control useful?
Reduces likelihood of insider threat
Hacktivist motives (3)
Religious, social, and political
Secure configuration requirements (4)
Remove unnecessary accounts, change non-secure passwords, disable auto-run, authenticate users before allowing access to data
OAuth actors (4)
Resource owner, Resource server, Authorisation server, Client
Malware protection
Restrict execution of known malware and untrusted software
RBAC
Role Based Access Control
APT attack phases (4)
Scan and discovery, Vulnerability exploitation, Payload injection, Post-exploitation
SSL
Secure Sockets Layer
SAML
Security Assertions Markup Language
Diffie-Hellman Key Exchange
Shares a key between users using symmetric encryption
SSO example
Shibboleth
How do honeypots work?
Simulated to look like the real system, so the attacker interacts with it instead of the OS
SSO
Single Sign On
Limitation of honeypots
Skilled hackers can tell
Forms of authentication (5)
Smart cards, Magnetic stripe cards, Biometrics, Barcodes, RFID tags
Insider threat examples
Snowden, Manning, Reality Winner
Firewalls
Software ensuring only safe/necessary networks can be accessed internally, prevents external access
Downloader variant
Something installed by the malware on a target device
Firewall blocking rules (3)
Source, destination, protocol
Public key infrastructure
System for issuing pairs of public and private keys and corresponding digital certificates
Script Kiddie example
TalkTalk 2015
Delivery examples (3)
Target downloads from website, USB, email attachment
Reconnaissance
Target research and selection, ends when attacker knows enough
Spearphishing
Targeted phishing
User authentication
The process of verifying an identity claimed by or for a system entity
Data breach
The unintended release of sensitive data or the access of sensitive data by unauthorized individuals.
Why were Macs more secure?
They didn't have as wide a market share, meaning they were targeted less
Stages of cyber risk (4)
Threat source, Threat event, Vulnerability, Adverse impact
TLS
Transport Layer Security
Exploitation requirements
Two weapons - one to get through, one to do the damage
Nation state examples (5)
US election, China's Marriott hack, Stuxnet, Ukraine, Estonia
Why does cyber deterrence rarely work?
Unable to attribute attack
Malware protection requirements
Updated anti-malware software, auto-scan of sites and files, application whitelisting, application sandboxing
Single Sign On (SSO)
Using one authentication credential to access multiple accounts or applications
Security through obscurity
Using software, interfaces and protocols that aren't well known - therefore their vulnerabilities aren't either
Digital signature
Verifies authenticity/integrity of information
Vishing and smishing
Voice phishing and SMS phishing
Zero-day exploit
Vulnerabilities exploited before the software creator/vendor is aware of their existence.
WannaCry's kill switch
WannaCry tries to access a domain which doesn't exist - attack ended when domain was registered, triggering the kill switch
Kill switch
Way to remotely destroy all copies of malware, to stop it from propagating
Why are IoT devices more vulnerable? (2)
Weak credentials, lack of patches
What is a cyber vulnerability? (2)
Weakness or loophole in system
Hacktivist typical attacks (4)
Web defacement, data breach, information leak, DDoS
Data breach example
Yahoo