Learning slides combined.pdf - Introduction to Computer...


Introduction to Computer Security
ICT287 Computer Security

What Is Security?
“The quality or state of being free from danger”
Security is achieved using several strategies simultaneously

Dimensions of Security
• Securing data in transit and at rest
• Physical security of personnel and equipment
• Secure coding and application development
• The list goes on...
All of these have to be USABLE or security will fail

Hackers
• Those who enjoy the intellectual challenge of overcoming and circumventing limitations of systems and who try to extend their capabilities
• Act of engaging in activities (such as programming or other media) in a spirit of playfulness and exploration is termed hacking
• Hacking entails some form of excellence, for example exploring limits of what is possible
• Bad hackers were called crackers

Hacking in the Media
• Mainstream media tend to use the term “hacker” to describe predominantly negative and illegal activities
• What we do know, though, is that there are plenty of them around
• And reported hacks are likely the tip of the iceberg only

Hacks in 2015
• US Office of Personnel Management (June 2015)
  • Biggest breach of US government systems so far
  • Data theft of addresses, health and financial details of 19.7 million people who had been subjected to government background checks
  • Believed to be perpetrated by Chinese hackers, but there is no proof
  • Attackers gained valid user credentials to OPM’s systems, likely through social engineering
  • Attackers then used malware package to escalate their privileges and install back door

Hacks in 2015
• Ashley Madison (July 2015)
  • Web site enabling extramarital affairs
  • Hackers (“Impact Team”) broke into site and leaked user database, executive emails, other data and code
  • Allegedly data leakage has caused several suicides
  • Not publicly known how exactly they broke in
  • Passwords were stored as hashes
    • Some cracked due to being too simple
    • 10-15 million cracked due to “coding error” that meant wrong hash function was used

Hacks in 2016
• MySpace (May 2016)
  • Actual hack took place in 2013 already, but data was only leaked in 2016
  • Unclear how hack was done and also unclear whether MySpace intentionally hid breach or they just never knew about it
  • Data for 360 million user accounts compromised including passwords
  • Passwords were stored in weak form (unsalted hashes), which made it easy to brute-force them, and vast majority have been cracked
  • You can download list of user names, email addresses and cracked passwords

Hacks in 2016
• Apple iPhone Spy Hack (August 2016)
  • Ahmed Mansoor, 46-year-old human rights activist from United Arab Emirates, received strange text message from unknown sender with embedded link
  • Upon examination link led to sophisticated spyware leveraging three unknown exploits to jailbreak phone with “a click on a link”, allowing monitoring of all activities on phone
  • Unclear who developed this, but primary suspect is little-known Israeli surveillance vendor called NSO Group

Hacks in 2016
• Yahoo Hack (September 2016)
  • Actual hack took place in 2014 but data was only dumped on dark web in mid 2016
  • Hackers stole data of over 500 million users
  • Names, emails, phone numbers, security question answers and responses (some as cleartext), hashed passwords (at least they were salted)
  • Yahoo claims “state-sponsored” hackers to be responsible, but there is no evidence for that

Hacks in 2016
• Largest DDoS attack reported so far (September 2016)
  • Attack launched from over 150,000 devices
  • Peak attack traffic from simultaneous DDoS was close to 1 Tbps
  • Launched against (unconfirmed) websites belonging to customers hosted by France-based hosting provider OVH (hosts Krebs on Security blog)
  • Hijacked devices coerced into botnet
    • Many Internet of Things (IoT) devices, such as CCTV cameras and DVRs
    • Mirai botnet

Hacks in 2017
• WannaCry Ransomware (May 2017)
  • World-wide ransomware attack against Windows hosts
  • Encrypts data files and shows ransom note demanding bitcoin payment
  • Once user pays, decryption key is sent to infected client
  • Exploited vulnerability in Microsoft’s SMB protocol
  • Microsoft had already released fixes 2 months before, but many had not updated

Hacks in 2017
• Meltdown (2017)
  • Hardware vulnerability of Intel x86 and ARM-based CPUs
  • Exploits race condition between memory access and privilege checking during instruction processing
  • Combined with cache timing attack, allows unauthorised process to read data from any address mapped into current process’s memory
  • Many OS map physical memory, kernel processes etc. into address space of every process, so bad process can read these
  • OS developers deployed kernel patches to isolate kernel from user memory (performance loss); Intel is addressing issue in next generation of CPUs
  • Related attack: Spectre

Hacks in 2017
• Many other attacks and data breaches in 2017, but the following is different (April 2017)
  • Dallas (US) has warning system with 156 sirens distributed across city
  • Hackers compromised system and managed to set sirens off multiple times between 23:45 and 1:00 at night
  • This in turn clogged up 911 hotline with a few thousand calls related to incident
  • System is not connected to Internet but controlled by special radio communication, so hackers must have had knowledge about radio frequencies and codes required for access

Hacks in 2018
• Russian Grid Hacking: Russian hackers infiltrating and probing United States power companies
• US Universities: nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad; the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property
• Rampant Data Exposures: often occur when cloud users misconfigure a database or other storage mechanism so it requires minimal or no authentication to access
• Under Armour: hackers breached Under Armour’s MyFitnessPal app, compromising usernames, email addresses, and passwords from the app’s roughly 150 million users
• One to Watch, VPNFilter: a Russian hacking campaign that has impacted more than 500,000 routers worldwide

Hacks in 2018
• Marriott: in November the massive hotel chain Marriott announced that as many as 500 million travellers who made a reservation at a Starwood hotel since 2014 had their data compromised. About 170 million impacted Marriott customers only had their names and basic information like address or email address stolen, but about 327 million people lost much more.
• Facebook: in September Facebook disclosed a data breach in which attackers gained access to 30 million accounts by stealing “user authorization tokens”, essentially access badges that get generated after a user successfully logs in.
• Atlanta Ransomware: in March, a ransomware attack locked down the City of Atlanta’s digital systems, destabilizing municipal operations.

Hacks in 2018
• Quora: attackers made off with information from 100 million accounts. Details like a user’s Social Security number and other data like names, email addresses, IP addresses, usernames, encrypted passwords, user account settings, a user’s Quora activity and content (including drafts) and data from potentially linked services like Google and Facebook may have been compromised.
• Olympic Destroyer: Russian hackers orchestrated a hack that crippled the event’s IT infrastructure, knocking out Wi-Fi, the Olympics website, and network devices in the process.
• British Air: British Airways revealed a data breach that impacted information from 380,000 reservations.
• Apollo: Apollo disclosed a massive breach in October that included a diverse array of information on companies and their employees. The incident involved billions of records.
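Several of the breaches listed above (Ashley Madison, MySpace, Yahoo) turned on how passwords were stored. The following Python script is an added example, not part of the slides: it contrasts the unsalted fast hash that made the MySpace dump easy to crack with a salted, slow key derivation (PBKDF2-HMAC-SHA256), using a constructed set of users and passwords.

```python
"""Password storage: unsalted fast hash vs salted, slow key derivation.

Added example, not from the slides. The users and passwords below are
constructed; the point is why unsalted storage makes cracking cheap.
"""
import hashlib
import hmac
import os

# Constructed sample: two users happen to share a password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def weak_store(password: str) -> str:
    """Unsalted SHA-1, as in the MySpace dump: same password, same digest,
    so one precomputed table cracks every account that reused it."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, iterations: int = 600_000) -> str:
    """Random 16-byte salt plus PBKDF2-HMAC-SHA256; returns a record that
    carries everything needed to verify later (algorithm$iters$salt$dk)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_digests(store: dict) -> list:
    """List groups of users whose stored value is identical; with unsalted
    hashes, cracking one of them cracks all of them at once."""
    seen = {}
    for user, value in store.items():
        seen.setdefault(value, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


if __name__ == "__main__":
    weak = {u: weak_store(p) for u, p in USERS.items()}
    strong = {u: strong_store(p) for u, p in USERS.items()}
    print("shared unsalted digests:", duplicate_digests(weak))    # [['alice', 'bob']]
    print("shared salted records:  ", duplicate_digests(strong))  # []
    print("alice login ok:", verify(strong["alice"], "letmein"))
```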
White Hat / Black Hat Model
White hat
• Identify security weaknesses, but instead of performing malicious attacks and theft, they expose security flaw to alert owner
• Might be paid consultants or actual employees of company that needs its systems protected
Black hat
• Use their knowledge of security weaknesses to circumvent the law, illegally obtain information or deny service, often for profit
Grey hat
• Somewhere in between

Hacker Profiles
Hacker Profile: Description
Novice (= Script Kiddy): Limited knowledge; rely on toolkits; can cause extensive damage as they don’t understand attacks; looking for media attention
Old guard hackers: No apparent criminal intent; more interested in the intellectual side
Internal/Insider: Disgruntled employees who may use privileges assigned through their job. These pose a big threat!
Petty thieves: Opportunistic, taking advantage of poor internal security
Coders: Develop toolkits for sale
Nation states: State sponsored attackers or cyber spies
Professional criminals: Make money from hacking directly or subcontract for fee
Hacktivists: Often politically motivated activists using Internet as platform

Evolution of Hacking
• “Hacker” was word for hobbyist in any technical area. This arose in the 1960s around the MIT mainframe programming community
• First password hacks arose in 1960 around the same IBM mainframe’s time sharing system
• Hackers circumvented this system to anonymously access the computer

Phreaking
• In the 1970s phone phreaking originated. Phone phreaks used variety of methods to access telephone networks to make free calls

Phreaking
• Bell Labs published two papers in 1954 and 1960 titled "In-Band Single-Frequency Signaling" and "Signaling Systems for Control of Telephone Switching"
• People discovered that 2600Hz tone was used to signal unused trunk lines. Using certain other tones, phreakers could set up calls from their phone on “unused” trunk lines, allowing free calls around the world
• Famous phreakers included Steve Wozniak and Steve Jobs

First Network Hacking
• In 1980s phreakers discovered that any server with modem could potentially be entered
• War dialing emerged, to search for open modems
• This pre-dates the Internet, so it all seems far fetched!

Viruses and Trojans
• In late 80s, viruses and trojans started to appear on the scene
• Still here today, although the motivations have changed
• In the past viruses or worms might have just been created for intellectual challenge; now it’s all about money

Some more terminology…
Malware: Short for malicious software; umbrella term used for any kind of software that gathers information, disrupts computer system or attempts to spread to increase access
Malware can have very different objectives, sometimes to secretly spy on users, other times to deliberately disrupt use of system

Some more terminology…
Virus: Program that attaches itself to another program; generally can’t replicate without host
Viruses tend to do malicious damage to system, although attacks have changed in recent years
Worm: Replicates and propagates without having to attach to host. Theoretically a worm that can replicate unchecked could infect every computer in the world. Worms often don’t have a malicious payload but still cause damage. Those with payload may install backdoor into the system or do something malicious.

Some more terminology…
Trojan: Malicious program that disguises itself as useful program; these often install remote administration tool on victim machine so that attacker can remotely control it later
Spyware: Very broad category of software that sends information from infected computer to the attacker
If you search for “spyware” on Google you will find free spyware removal tools; many of these are actually spyware themselves
So you can see how hard it is for less technically literate people to get by!

Some more terminology…
Exploit: Software, data, or sequence of commands that takes advantage of bugs or vulnerabilities to cause unintended or unanticipated behaviour to occur in computer software or hardware. Often used for malicious purposes.
Zero-day exploit: Exploit or vulnerability that was previously unknown to creator of software or hardware and other people. Only known by hacker.

Core principles
• Security starts with several core principles integrated throughout organization
• These drive many security-related decisions at multiple levels, so understanding them is important
• Confidentiality, Integrity, and Availability (CIA) together form security triad
• Each element is important to address in any security program

Confidentiality
• Confidentiality helps prevent unauthorized disclosure of data
• It uses multiple methods like authentication combined with access controls and cryptography
• Authentication and cryptography are presented later in this unit

Key Concepts Related to Confidentiality
• Confidentiality ensures that data is only viewable by authorized users
• Unauthorized personnel are unable to access information
• Encryption algorithms make data unreadable. If the encrypted data falls into wrong hands, the unintended recipient will not be able to read it.
• Besides encryption, many elements of security help to enforce confidentiality, including authentication, access control methods / permissions and physical security.

Integrity
• Integrity provides assurances that data has not been modified, tampered with or corrupted
• Ideally, only authorized users modify data
• However, there are times when unauthorized or unintended changes occur; these can come from unauthorized users or through system or human errors
• When this occurs, the data has lost integrity

Key Concepts Related to Integrity
• Cryptographic hashing techniques like MD5 (outdated) or SHA can enforce integrity
• Briefly, hash is simply a number created by executing hashing algorithm on data, such as file or message
• As long as data is unchanged, resulting hash will always be same
• Comparing hashes created at two different times, you can determine if original data is still unchanged: if hashes are the same, the data is the same

Hashing Example
Simple hash of message could be 123. Hash is created at source and sent with message. When received, the message is hashed. If hash of received message is 123, data integrity is maintained. If hash is, say, 456, you know that message is not the same. Data integrity has been lost.
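The Hashing Example above carried through in Python as an added example, not code from the slides: a SHA-256 digest sent with the message detects a changed message, and a keyed variant (HMAC, which goes beyond the slide) shows what a bare hash cannot catch when the attacker can rewrite the hash as well. The message, the tampered copy and the shared key are constructed.

```python
"""Integrity check by hashing (source hashes, receiver rehashes and compares),
plus a keyed tag showing the limit of a bare hash.

Added example, not from the slides. MESSAGE, TAMPERED and KEY are constructed.
"""
import hashlib
import hmac

MESSAGE = b"transfer 100 to account 42"   # constructed message
TAMPERED = b"transfer 900 to account 42"  # same message with one byte altered
KEY = b"shared-secret-example-key"        # constructed key, shared out of band


def make_digest(message: bytes) -> str:
    """Source side: hash the message and send the hex digest along with it."""
    return hashlib.sha256(message).hexdigest()


def check_integrity(message: bytes, received_digest: str) -> bool:
    """Receiver side: rehash and compare in constant time; a mismatch means
    the data is not the same as what was hashed at the source."""
    return hmac.compare_digest(make_digest(message), received_digest)


def make_tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid
    tag, so altering the message and recomputing the tag is not possible."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def check_tag(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    """Run the four cases and return which checks pass."""
    sent_digest = make_digest(MESSAGE)
    sent_tag = make_tag(KEY, MESSAGE)
    return {
        # Unchanged message: rehash matches, integrity maintained.
        "unchanged": check_integrity(MESSAGE, sent_digest),
        # Message changed in transit, hash left alone: mismatch detected.
        "tampered": check_integrity(TAMPERED, sent_digest),
        # Attacker rewrites both message and bare hash: bare check still passes.
        "tampered_and_rehashed": check_integrity(TAMPERED, make_digest(TAMPERED)),
        # Same attacker cannot forge a keyed tag without KEY: check fails.
        "tampered_keyed": check_tag(KEY, TAMPERED, sent_tag),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>22}: {'passes' if ok else 'FAILS'}")
```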
Availability
• Availability means that data and services are available for legitimate users when needed
• For some companies, this simply means that the data and services must be available between 8am and 5pm
• Common goal of fault tolerance and redundancy techniques is to remove single points of failure (SPOF)

Key Concepts for Availability
• Availability ensures that systems are up and operational when needed and often addresses single points of failure
  • Redundancy
  • Fail-over
• Availability also means making data accessible to the right people when needed
• In networking concepts, detect and mitigate Denial of Service (DoS) attacks

Balancing CIA
(Diagram: CIA triangle with Confidentiality, Integrity and Availability at its corners)
• It’s possible to ensure confidentiality, integrity and availability of data
• However, organization may have priorities
• One way of prioritizing these is with simple values such as low, medium, and high
• For example, if system holds proprietary secrets, confidentiality is of primary importance and value of confidentiality is high
• If information is shared anonymously with the public, importance of confidentiality is low

Balancing CIA
• Imagine that you host online forum for users to share information about IT security
• Users can read data anonymously and post data after logging in
• What would your priorities be in this example?

Balancing CIA
• Instead, now you host online gaming site that holds accounts for hundreds of thousands of users, including their credit card data
• Users pay for time they’re online playing games
• What would your priorities be in this example?

Non-repudiation
• Non-repudiation isn’t one of core principles in security triad, but it is closely related and often specifically mentioned
• Non-repudiation provides proof of person’s identity; can be used to prevent individuals from denying they took specific actions
• Non-repudiation is commonly used with credit cards. If I buy something with credit card and sign receipt, I can’t later deny making purchase. My signature can be used to refute my denial if I claim I did not make purchase. In other words, my signature is used for non-repudiation.

Non-repudiation
• Non-repudiation is used to prevent entities from denying they took an action
• Some common examples of non-repudiation within computer systems are:
  • Using digital signatures to verify someone sent message. If I send you e-mail that is signed with my digital signature, you know that I sent it
  • Logging activity in audit log. Audit logs will log details, such as who, what, when, and where; “who” in audit log provides non-repudiation

Defence in Depth
• Defence in depth refers to security practice of implementing several layers of protection
• You can’t simply take single action, such as implementing firewall or installing antivirus (AV) software, and consider yourself protected
• You must implement security at several different layers

Defence in Depth
• Multiple countermeasures are taken to protect information assets
• Strategy is based on principle that it’s harder to beat multi-layered defence system than to penetrate single barrier

Implicit Deny
• Implicit deny indicates that unless something is explicitly allowed, it is denied
• Routers and firewalls often have access control lists (ACLs) that explicitly identify allowed traffic
• If traffic doesn’t meet any explicit rules, the traffic is blocked

Implicit Deny
• Firewall configured to allow HTTP or HTTPS traffic on ports 80 and 443 respectively would have explicit rules defined to allow this traffic to server
• With no other rules, all other traffic would be implicitly denied
• For example, any SMTP traffic sent to this web server on port 25 would be implicitly denied

Implicit Deny
• Same idea applies to file and folder permissions
• For example, in NTFS you can grant permissions, such as Full Control, Read, and Modify
• If Sally is granted Full Control permission to file named Projects and she is only person granted permission, then she would have full control
• What permissions does Bob have? Since Bob is not explicitly granted any permissions, he is implicitly denied all access to file

Basic Risk Concepts
Basic goal of implementing IT security is to reduce risk
• Risk is possibility or likelihood of threat exploiting vulnerability and resulting in loss
• Threat is any circumstance or event that potentially compromises confidentiality, integrity or availability
• Vulnerability is weakness; can be weakness in hardware, software, configuration or even in users operating a system

Information Security Threats
Network Threats
• Sniffing/Eavesdropping
• Session Hijacking
• Spoofing
• Denial of Service (DoS)
Host Threats
• Malware attacks
• Privilege escalation
• Unauthorized access
Application Threats
• Information disclosure
• Buffer overflows
• Configuration management

Hacking Phases
Let’s consider phases that would be followed when gaining access to system
• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Clearing Tracks

Reconnaissance
• Preparatory phase where attacker seeks to gather information about target, prior to launching attack
• Recon targets may include clients, staff, networks and systems
Passive Reconnaissance
• Don’t directly interact with target
• E.g. searching public records or news
Active Reconnaissance
• Directly interact with target by some means
• E.g. phoning up the technical department

Reconnaissance
• This phase allows attacker to plan strategy and may take time
• There are numerous recon techniques; many of them don’t involve computers at all
• In this week’s lab we will do some basic technical recon investigating Internet addresses, domain names and contacts

Reconnaissance Scanning Gaining Access Maintaining Access Clearing Tr...
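The two Implicit Deny cases from the slides above (the web server ACL that explicitly allows only ports 80 and 443, and Sally’s Full Control on the Projects file) modelled in Python as an added example, not code from the slides. The Rule and ACL structures are a simplification for illustration, not a real firewall or NTFS format; the catch-all check is a defender’s sanity test I added.

```python
"""Implicit deny: whatever is not explicitly allowed is denied.

Added example modelling the Implicit Deny slides. Rule/ACL structures are a
simplification for illustration, not a real firewall or NTFS format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp", "udp" or "any"
    port: int     # 0 means any port
    action: str   # "allow" or "deny"


def evaluate_acl(rules, proto, port):
    """First matching rule decides; if nothing matches, deny implicitly."""
    for rule in rules:
        if rule.proto in ("any", proto) and rule.port in (0, port):
            return rule.action
    return "deny"   # implicit deny: no explicit rule covered this traffic


def has_catch_all_allow(rules):
    """Sanity check: an 'allow any/any' rule silently turns implicit deny
    into implicit allow, which defeats the whole point of the ACL."""
    return any(r.action == "allow" and r.proto == "any" and r.port == 0
               for r in rules)


# Web server ACL from the slide: only HTTP and HTTPS are explicitly allowed.
WEB_SERVER_ACL = [Rule("tcp", 80, "allow"), Rule("tcp", 443, "allow")]


def file_permissions(acl, user):
    """NTFS-style: acl maps a user to the permissions granted to them.
    A user with no entry has no permissions at all (implicit deny)."""
    return set(acl.get(user, ()))


def may(acl, user, permission):
    """True only if the permission (or Full Control) was explicitly granted."""
    granted = file_permissions(acl, user)
    return "Full Control" in granted or permission in granted


# Projects file from the slide: Sally is the only person with an entry.
PROJECTS_ACL = {"Sally": {"Full Control"}}

if __name__ == "__main__":
    for proto, port in (("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)):
        print(f"{proto}/{port}: {evaluate_acl(WEB_SERVER_ACL, proto, port)}")
    for user in ("Sally", "Bob"):
        print(f"{user} may Read: {may(PROJECTS_ACL, user, 'Read')}")
    print("catch-all allow present:", has_catch_all_allow(WEB_SERVER_ACL))
```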