Module 1 Textbook | ITE-249-02 Introduction to Information Security


One of the most alarming recent unsecured root account vulnerabilities was revealed in 2017 on the Apple macOS High Sierra OS. A user could enter the word root in the username field of a login prompt, move the insertion point to the password field, and then press Enter. The user would then be logged in with root privileges.

(kinda sounds like SQL injections tbh)

Known as the CIA Triad, three protections must be extended over information:

1. Confidentiality. Only approved individuals should be able to access sensitive information. For example, the credit card number used to make an online purchase must be kept secure and unavailable to unapproved entities. Confidentiality ensures that only authorized parties can view the information. Providing confidentiality can involve several security tools, ranging from software to encrypt the credit card number stored on the web server to door locks to prevent access to those servers.

2. Integrity. Integrity ensures that the information is correct and no unauthorized person or malicious software has altered the data. In the example of an online purchase, an attacker who could change the amount of a purchase from $10,000.00 to $1.00 would violate the integrity of the information.

3. Availability. Information has value if the authorized parties who are assured of its integrity can access the information. Availability ensures that data is accessible to only authorized users and not to unapproved individuals. For example, the total number of items ordered as the result of an online purchase must be made available to an employee in a warehouse so that the correct items can be shipped to the customer, but the information should not be available to a competitor.

lack of vendor support

A lack of expertise to handle system integration.

supply chain

A network that moves a product from the supplier to the customer and is made up of vendors that supply raw material, manufacturers who convert the material into products, warehouses that store products, distribution centers that deliver them to the retailers, and retailers who bring the product to the consumer.

Zero Day As noted earlier, patches are created and distributed when the software developer learns of a vulnerability and corrects it. What happens if it is not the developer who uncovers the vulnerability, but a threat actor who finds it first? In this case, the vulnerability can be exploited by attackers before anyone else even knows it exists. This type of vulnerability is called a zero day because it provides zero days of warning.

A variation on a zero-day vulnerability is when the software developer is actively working on a patch, but the vulnerability is discovered by the threat actors who launch an attack before the patch is completed. This could occur when an independent security investigator instead of the software developer uncovers the vulnerability and then alerts the developer who begins work on a patch. However, in the interim, the information about the vulnerability leaks out or is even sold to attackers, who exploit the vulnerability while the developers rush to patch it.

direct access

An attack vector in which a threat actor can gain direct physical access to the computer.

system integration

Connectivity between the systems of an organization and its third parties.

outsourced code development

Contracting with third parties to assist the organization in the development and writing of a software program or app.

Script kiddies are individuals who want to perform attacks, yet lack the technical knowledge to carry them out. Script kiddies instead do their work by downloading freely available automated attack software (scripts) and use it to perform malicious acts.

Due to their lack of knowledge, script kiddies are not always successful in penetrating defenses, but when they are, they may end up causing damage to systems and data instead of stealing the data.

Dumpster Diving Dumpster diving involves digging through trash receptacles to find information that can be useful in an attack.

Dumpster diving: Digging through trash receptacles to find information that can be useful in an attack.

Although there are many specific types of attacks, like vulnerabilities, attack vectors can be grouped into the following general categories:

Email, Wireless, Removable media, Direct access, Social media, Supply chain, and Cloud.

Weak Configurations (configuration, explanation, and example)

1. Default settings: Default settings are predetermined by the vendor for usability and ease of use (not for security) so the user can immediately begin using the product. Example: A router comes with a default password that is widely known.

2. Open ports and services: Devices and services are often configured to allow the most access so that the user can close ports that are specific to that organization. Example: A firewall comes with FTP ports 20 and 21 open.

3. Unsecured root accounts: A root account can give a user unfettered access to all resources. Example: A misconfigured cloud storage repository could give any user access to all data.

4. Open permissions: Open permissions are user access over files that should be restricted. Example: A user could be given Read, Write, and Execute privileges when she should have only Read privileges.

5. Unsecure protocols: Also called insecure protocols, this configuration uses protocols for telecommunications that do not provide adequate protections. Example: An employee could use devices that run services with unsecure protocols such as Telnet or SNMPv1.

6. Weak encryption: Users choosing a known vulnerable encryption mechanism. Example: A user could select an encryption scheme that has a known weakness or a key value that is too short.

Descriptions of Other Threat Actors (threat actor, description, and explanation)

1. Competitors: Launch attacks against an opponent's system to steal classified information. They may steal new product research or a list of current customers to gain a competitive advantage.

2. Criminal syndicates: Move from traditional criminal activities to more rewarding and less risky online attacks. Usually run by a small number of experienced online criminal networks that do not commit crimes themselves but act as entrepreneurs.

3. Shadow IT: Employees become frustrated with the slow pace of acquiring technology, so they purchase and install their own equipment or resources in violation of company policies. Installing personal equipment, unauthorized software, or using external cloud resources can create a weakness or expose sensitive corporate data.

4. Brokers: Sell their knowledge of a weakness to other attackers or governments. Individuals who uncover weaknesses do not report them to the software vendor but instead sell them to the highest bidder who is willing to pay a high price for the unknown weakness.

5. Cyberterrorists: Attack a nation's network and computer infrastructure to cause disruption and panic among citizens. Targets may include a small group of computers or networks that can affect the largest number of users, such as the computers that control the electrical power grid of a state or region.

Another serious threat to an enterprise comes from its own employees, contractors, and business partners, called insiders, who pose an insider threat of manipulating data from the position of a trusted employee.

For example, a healthcare worker disgruntled about being passed over for a promotion might illegally gather health records on celebrities and sell them to the media, or a securities trader who loses billions of dollars on bad stock bets could use her knowledge of the bank's computer security system to conceal the losses through fake transactions. These attacks are harder to recognize because they come from within the enterprise, yet they may be costlier than attacks from the outside.

Types of Hackers (hacker type and description)

• Black hat hackers: Threat actors who violate computer security for personal gain (such as to steal credit card numbers) or to inflict malicious damage (corrupt a hard drive).

• White hat hackers: Also known as ethical attackers, they attempt to probe a system (with an organization's permission) for weaknesses and then privately provide that information back to the organization.

• Gray hat hackers: Attackers who attempt to break into a computer system without the organization's permission (an illegal activity) but not for their own advantage; instead, they publicly disclose the attack in order to shame the organization into taking action.

However, these broad categories of hackers no longer accurately reflect the differences between attackers. Today threat actors are classified in more distinct categories, such as script kiddies, hacktivists, state actors, insiders, and others.

Individuals that are strongly motivated by ideology (for the sake of their principles or beliefs) are hacktivists (a combination of the words hack and activism). Most hacktivists do not explicitly call themselves "hacktivists," but the term is commonly used by security researchers and journalists to distinguish them from other types of threat actors.

In the past, the types of attacks by hacktivists often involved breaking into a website and changing its contents as a means of making a political statement. (One hacktivist group changed the website of the U.S. Department of Justice to read Department of Injustice.) Other attacks were retaliatory: hacktivists have disabled a bank's website because the bank stopped accepting online payments deposited into accounts belonging to groups supported by the hacktivists. Today many hacktivists work through disinformation campaigns by spreading fake news and supporting conspiracy theories.

Instead of using an army to march across the battlefield to strike an adversary, governments are increasingly employing their own state-sponsored attackers for launching cyberattacks against their foes. These attackers are known as state actors.

Many security researchers believe that state actors might be the deadliest of any threat actors.

Not all attacks rely on technology vulnerabilities; in fact, some cyberattacks use little if any technology to achieve their goals. Social engineering is a means of eliciting information (gathering data) by relying on the weaknesses of individuals.

Social engineering: Gathering data by relying on the weaknesses of individuals.

eliciting information: Gathering data.

Spim is spam delivered through instant messaging (IM) instead of email. For threat actors, spim can have even more impact than spam. The immediacy of instant messages makes users more likely to reflexively click embedded links in a spim. Furthermore, because spim may bypass some antimalware defenses, spim can more easily distribute malware. As antispam measures for email are more widely implemented, more spammers may be inclined to migrate to sending spim.

Spim: Spam delivered through instant messaging (IM) instead of email.

Vendor management

The process organizations use to monitor and manage the interactions with all external third parties with which they have a relationship.

Phishing One of the most common forms of social engineering is phishing. Phishing is sending an email message or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information or taking action. Users are asked to respond to an email message or are directed to a website where they are requested to update personal information, such as passwords, credit card numbers, Social Security numbers, bank account numbers, or other information. However, the email or website is actually an imposter site set up to steal the information the user enters. Users may also receive a fictitious overdue invoice that demands immediate payment and, in haste, make the payment (called an invoice scam).

The word phishing is a variation on the word "fishing," to reflect the idea that bait is thrown out knowing that while most will ignore it, some will bite.

Phishing: Sending an email or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information or taking action.

invoice scam: A fictitious overdue invoice that demands immediate payment.

data storage

Third-party facilities used for storing important data.

Caution! Common roles that are often impersonated include a repair person, an IT support technician, a manager, or a trusted third party. Often attackers impersonate individuals whose roles are authoritative because victims generally resist saying "no" to anyone in power. Users should exercise caution when receiving a phone call or email from these types of people asking for something suspicious.

To impersonate real people, the threat actor must know as much about them as possible to appear genuine. This type of reconnaissance is called credential harvesting and is typically carried out by Internet and social media searches.

reconnaissance: Learning as much about a person as possible in order to appear as genuine while acting as an imposter.

credential harvesting: Using the Internet and social media searches to perform reconnaissance.

Choose which statement is wrong by applying your knowledge from the reading. 1-2

a. Script kiddies are responsible for the class of attacks called Advanced Persistent Threats.
b. Brokers sell their knowledge of a weakness to other attackers or a government.
c. Hacktivists are strongly motivated by ideology.

a. Script kiddies are responsible for the class of attacks called Advanced Persistent Threats. Correct. This statement is wrong. State actors are responsible for the class of attacks called Advanced Persistent Threats.

Effects on the Enterprise A successful attack can also have grave consequences for an enterprise. First, the attack may make systems inaccessible (availability loss). This results in lost productivity, which can affect the normal tasks for generating income (financial loss). One of the most devastating effects is on the public perception of the enterprise (reputation).

availability loss: The loss that results from making systems inaccessible.

financial loss: The monetary loss as a result of lost productivity.

reputation: Public perception.

Choose which statement is wrong by applying your knowledge from the reading. 1-1

a. A security manager works on tasks identified by the CISO and resolves issues identified by technicians.
b. Since 2015, the number of unfilled cybersecurity positions has increased by 10 percent.
c. The relationship between security and convenience is inversely proportional: as security is increased, convenience is decreased.

b. Since 2015, the number of unfilled cybersecurity positions has increased by 10 percent. Correct. This statement is wrong. The number of unfilled cybersecurity positions since 2015 has increased by 50 percent.

Choose which statement is wrong by applying your knowledge from the reading. 1-3

a. Spear phishing targets specific users.
b. "I'm the CEO calling" is an example of the psychological principle of authority.
c. The goal of impersonation is often prepending, which is obtaining private information.

c. The goal of impersonation is often prepending, which is obtaining private information. Correct. Pretexting is obtaining private information.

Hoaxes Threat agents can use hoaxes as a first step in an attack. A hoax is a false warning, often contained in an email message claiming to come from the IT department. The hoax purports that there is a "deadly virus" circulating through the Internet and that the recipient should erase specific files or change security configurations and then forward the message to other users. However, changing configurations allows an attacker to compromise the system. And erasing files may make the computer unstable, prompting the victim to call the phone number in the hoax email message for help, which is actually the phone number of the attacker.

hoax: A false warning often contained in an email message claiming to come from the IT department.

Impersonation Social engineering impersonation (also called identity fraud) is masquerading as a real or fictitious character and then playing the role of that person with a victim. For example, an attacker could impersonate a help desk support technician who calls the victim, pretends that there is a problem with the network, and asks for her username and password to reset the account. Sometimes the goal of the impersonation is to obtain private information (pretexting).

impersonation: (also called identity fraud) Masquerading as a real or fictitious character and then playing out the role of that person with a victim.

identity fraud: (also called impersonation) Masquerading as a real or fictitious character and then playing out the role of that person with a victim.

pretexting: Using impersonation to obtain private information.

Social engineering is also used as influence campaigns to sway attention and sympathy in a particular direction.

influence campaigns: Using social engineering to sway attention and sympathy in a particular direction.

Another redirection technique is pharming.

pharming: Exploiting how a URL is converted into its corresponding IP address to redirect traffic away from its intended target to a fake website instead.

Another technique is called prepending, which is influencing the subject before the event occurs. A common general example is a preview of a soon-to-be-released movie that begins with the statement, "The best film you will see this year!" By starting with the desired outcome ("The best film"), the statement influences the listener to think that way.

prepending: Influencing a subject before an event occurs

Shoulder Surfing If an attacker cannot enter a building as a tailgater without raising suspicion, an alternative is to watch an individual entering the security code on a keypad. Known as shoulder surfing, this technique can be used in any setting that allows an attacker to casually observe someone entering secret information, such as the security codes on a door keypad. Attackers are also using webcams and smartphone cameras to "shoulder surf" users of ATM machines to record keypad entries.

shoulder surfing: Watching an individual enter a security code on a keypad.

Smishing. A variation on vishing uses short message service (SMS) text messages and callback recorded phone messages. This is known as smishing. The threat actors first send a text message to a user's cell phone that pretends to come from their bank saying that their account has been broken into or their credit card number has been stolen.

smishing: Using short message service (SMS) text messages to perform phishing.

Spear phishing. Whereas phishing involves sending millions of generic email messages to users, spear phishing targets specific users. The emails used in spear phishing are customized to the recipients, including their names and personal information, to make the message appear legitimate.

spear phishing: Targeting specific users.

Tailgating Organizations can invest tens of thousands of dollars to install specialized doors that permit access only to authorized users who possess a special card or who can enter a specific code. These automated access control systems are designed to restrict entry into an area. However, a weakness of these systems is that they cannot always control how many people enter the building when access is allowed; once an authorized person opens the door, one or more individuals can follow behind and also enter. This is known as tailgating.

tailgating: Following an authorized user through a door.

Vishing. Instead of using email to contact the potential victim, attackers can use phone calls. Known as vishing (voice phishing), an attacker calls a victim who, upon answering, hears a recorded message that pretends to be from the user's bank stating that her credit card has experienced fraudulent activity or that her bank account has had unusual activity.

vishing: Using a telephone call to perform phishing.

Watering Hole Attack In the natural world, similar types of animals are known to congregate around a pool of water for refreshment. In a similar manner, a watering hole attack is directed toward a smaller group of specific individuals, such as the major executives working for a manufacturing company. These executives all tend to visit a common website, such as that of a parts supplier to the manufacturer. An attacker who wants to target this group of executives tries to determine the common website that they frequent and then infects it with malware that will make its way onto the group's computers.

watering hole attack: An attack directed toward a smaller group of specific individuals, such as the major executives working for a manufacturing company.

Whaling. One type of spear phishing is whaling. Instead of going after the "smaller fish," whaling targets the "big fish"—namely, wealthy individuals or senior executives within a business who typically have large sums of money in a bank account that an attacker could access if the attack is successful. By focusing on this smaller group, the attacker can invest more time in the attack and finely tune the message to achieve the highest likelihood of success.

whaling: Targeting wealthy individuals or senior executives within a business through phishing.

The information security workforce is usually divided into two broad categories. Information security managerial personnel administer and manage plans, policies, and people, while information security technical personnel are concerned with designing, configuring, installing, and maintaining technical security equipment. Within these two broad categories are four generally recognized types of security positions:

• Chief information security officer (CISO). This person reports directly to the chief information officer (CIO). (Large enterprises may have more layers of management between this person and the CIO.) The CISO is responsible for assessing, managing, and implementing security.

• Security manager. The security manager reports to the CISO and supervises technicians, administrators, and security staff. Typically, a security manager works on tasks identified by the CISO and resolves issues identified by technicians. This position requires an understanding of configuration and operation but not necessarily technical mastery.

• Security administrator. The security administrator has both technical knowledge and managerial skills. A security administrator manages daily operations of security technology and may analyze and design security solutions within a specific entity as well as identifying users' needs.

• Security technician. This position is generally entry level for a person who has the necessary technical skills. Technicians provide technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems.

However, as important as patches are, they can create vulnerabilities:

• Difficulty patching firmware. Firmware, or software that is embedded into hardware, provides low-level controls and instructions for the hardware. Updating firmware to address a vulnerability can often be difficult and requires specialized steps. Furthermore, some firmware cannot be patched.

• Few patches for application software. Outside of the major application software such as Microsoft Office, patches for applications are uncommon. In most cases, no automated process can identify which computers have installed the application, alert users to a patch, or distribute the patch.

• Delays in patching OSs. Modern operating systems—such as Red Hat Linux, Apple macOS, Ubuntu Linux, and Microsoft Windows—frequently distribute patches. These patches, however, can sometimes create new problems, such as preventing a custom application from running correctly. Many organizations test patches when they are released to ensure that they do not adversely affect any customized applications. In these instances, the organization delays installing a patch from the developer's online update service until the patch is thoroughly tested.

Financial cybercrime is often divided into three categories based on its targets:

• Individual users. The first category focuses on individuals as the victims. The threat actors steal and use stolen data, credit card numbers, online financial account information, or Social Security numbers to profit from their victims or send millions of spam emails to peddle counterfeit drugs, pirated software, fake watches, and pornography.

• Enterprises. The second category focuses on enterprises and business organizations. Threat actors attempt to steal research on a new product so that they can sell it to an unscrupulous foreign supplier who then builds an imitation model of the product to sell worldwide. This deprives the legitimate business of profits after investing hundreds of millions of dollars in product development, and because these foreign suppliers are in a different country, they are beyond the reach of domestic enforcement agencies and courts.

• Governments. Governments are also the targets of threat actors. If the latest information on a new missile defense system can be stolen, it can be sold—at a high price—to that government's enemies. In addition, government information is often stolen and published to embarrass the government in front of its citizens and force it to stop what is considered a nefarious action.
