
Module I - Information Security

Fundamentals
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Default Passwords Led to $55 Million in Bogus Phone Charges
By Brian Krebs | June 12, 2009; 2:13 PM ET
The U.S. Justice Department today unsealed indictments against three Filipino residents accused of hacking into
thousands of private telephone networks in the United States and abroad, and then selling access to those
networks at call centers in Italy that advertised cheap international calls.
The indictments correspond to a series of raids and arrests announced today in Italy, where authorities apprehended five men
alleged to have been operating the call centers and using the profits to help finance terrorist groups in Southeast Asia.
The U.S. government alleges that the individuals arrested in the Philippines were responsible for hacking
so-called private branch exchange (PBX) systems -- computerized telephone switches and voice mail
systems -- owned by more than 2,500 companies in the United States, Canada, Australia and Europe.
The indictment alleges that between October 2005 and December 2008, Manila residents Mahmoud Nusier, Paul
Michael Kwan and Nancy Gomez broke into PBX systems, mainly by exploiting factory-set or default passwords on the
voicemail systems. The government charges that their Italian call center operators paid the hackers $100 for each hacked
PBX system they found.
The indictments explain the scam like this: People wishing to make cheap, international phone calls from Italy would enter
one of several local call centers set up by the alleged co-conspirators there. They would be charged a cheaper per-minute rate
than what it would otherwise cost for them to make a call from their own phone, yet more than what the call center operators
are paying by routing their calls through a hacked PBX that has access to cheaper dialing rates. The call center operators are
still charged for the initial long distance call to the hacked PBX, but since the rates per minute are much less than if they
dialed from their own country, they can pocket the difference between what their customers pay and the cost of the hacked
PBX routing rate.
Source: http://voices.washingtonpost.com/
News: Google Crash Hits Millions of Internet Users
Source: www.telegraph.co.uk
Published: 1:54AM BST 15 May 2009
Google's Internet search engine crashed for several hours, leaving several million users unable to access the site because of a temporary fault.
The technical problem brought down not only the company's hugely popular home page
but also affected Gmail, its email service.
Other companies who use Google to power their own websites' searches were also affected by the fault.
It served as a potent reminder of society's growing dependence on the firm's technology.
People around the world reported a slowdown, and the subject became one of the day's most discussed
on Twitter within the hour, with the phrase 'googlefail' as one of the most searched for terms.
Problems were also reported on Google News, Google Maps and the Google Calendar, all of which
operated with varying degrees of success in various locations around the world.
A Google UK spokesman refused to say how badly the British operations had been affected.
It is also thought to have affected AdSense, the application that places advertisements on websites
around the world, acting as the sole source of revenue for many smaller sites.
There has been intense speculation as to the cause of the glitch, whether it was a failure of the internet
giant's servers or a hacking attempt.
2009 Data Breach Investigations Report
Who is behind the data breaches?
Source: Verizon's 2009 Data Breach Investigations Report, www.verizon.com
2009 Data Breach Investigations Report (contd)
[Chart: How do breaches occur? Bars compare 2008 with 2009 for five categories: Significant Errors, Hacking, Malware, Privilege Misuse, Physical Attacks; y-axis 0-80]
Source: Verizon's 2009 Data Breach Investigations Report, www.verizon.com
Security Threat Report 2009: SOPHOS
Source: www.sophos.com

The top 10 malware-hosting countries (percent):
  US                30%
  China             27.7%
  Russia            9.1%
  Germany           2.3%
  South Korea       2.1%
  Ukraine           1.8%
  [country label lost in extraction; the page repeats "Ukraine" here]  1.7%
  Turkey            1.5%
  Czech Republic    1.3%
  Thailand          1.2%
  Other             14.3%

Top 10 email attachment-based malware for 2008 (percent):
  Troj/Agent        31%
  Troj/Invo         18.1%
  Mal/EncPK         13.8%
  Win32/Netsky      4.4%
  Troj/PushDo       4.3%
  Troj/Doc          2.9%
  Troj/FakeVir      2.2%
  Mal/Iframe        1.8%
  Troj/VidRar       1.6%
  Troj/DwmLdr       1.5%
  Other             18.4%
Data Breach Investigations Report: Breakdown of Hacking Attack Pathways
Source: Verizon's 2008 Data Breach Investigations Report, www.verizon.com
Internet Crime Report: IC3
Source: www.nw3c.org

Yearly comparison of complaints received via the IC3 website:
  2000   16,838
  2001   50,412
  2002   75,064
  2003  124,515
  2004  207,449
  2005  231,493
  2006  207,492
  2007  205,884
  2008  275,284

Yearly dollar loss of referred complaints (in millions):
  2001   $17.80
  2002   $54.00
  2003  $125.60
  2004   $68.14
  2005  $183.12
  2006  $198.44
  2007  $239.09
  2008  $264.59
Top Internet Security Threats of 2008
Source: www.symantec.com
Data Breaches: in 2008, the Identity Theft Resource Center (ITRC) documented 548 breaches, exposing 30,430,988 records
Spam and Phishing: in 2008, spam levels were at 76 percent until the McColo incident in November 2008, when spam levels dropped to 65 percent
Economic Crisis
Social Networks
Advanced Web Threats
Botnets
VoIP attacks
Emerging Cyber Threats Report for 2009
Theft of data continues to be the motive behind the emerging threats for 2009
Five specific trends of threats in 2009 and beyond include:
Malware
Botnets
Cyber warfare
Threats to VoIP and mobile devices
The evolving cyber crime economy
Source: Department of Homeland Security

Means of Attack
The Federal government reported 18,050 cybersecurity breaches in fiscal 2008. Breakdown by type:
  Under investigation / Others        42%
  Improper usage                      21%
  Unauthorized access                 18%
  Malicious code                      12%
  Scans, probes, attempted access      7%
The Most Prevalent Web Vulnerabilities
Source: www.webappsec.org
  Cross-site Scripting              59%
  Others                            12%
  SQL Injection                      8%
  Information Leakage                6%
  Content Spoofing                   6%
  Predictable Resource Location      5%
  Insufficient Authorization         2%
  Insufficient Authentication        2%
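Cross-site scripting and SQL injection together account for two thirds of the vulnerabilities in the chart above, and both come from the same mistake: untrusted input is pasted into a string that another parser (the browser, the database) will interpret. The following added example is not from the original page or from webappsec.org; it shows each flaw beside its fix in Python. The vulnerable forms build SQL text and HTML by concatenation; the hardened forms use a parameterized query and output encoding at the HTML boundary. The in-memory users table and the two payload strings are constructed for the demonstration.

```python
import html
import sqlite3
from typing import List, Tuple

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]
SQLI_PAYLOAD = "' OR '1'='1"                 # classic tautology injection
XSS_PAYLOAD = "<script>alert(1)</script>"    # reflected-XSS probe


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """SQL injection: the user-supplied value becomes part of the SQL text,
    so a quote in the input changes the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the value is bound by the driver and can never
    be parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def greet_vulnerable(name: str) -> str:
    """Reflected XSS: untrusted text is interpolated raw into HTML."""
    return "<p>Hello, " + name + "</p>"


def greet_hardened(name: str) -> str:
    """Output encoding: html.escape turns <, >, &, " and ' into entities,
    so the browser renders the payload as text instead of executing it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable SQL, injected :", lookup_vulnerable(db, SQLI_PAYLOAD))  # every row
    print("hardened SQL, injected   :", lookup_hardened(db, SQLI_PAYLOAD))    # no rows
    print("vulnerable HTML          :", greet_vulnerable(XSS_PAYLOAD))
    print("hardened HTML            :", greet_hardened(XSS_PAYLOAD))
```

The check worth keeping from this is the asymmetry: the injected lookup returns every row in the table while the parameterized one returns none, and the escaped greeting contains no raw `<script>` tag. Encoding must happen at the point of output for the context in use (HTML body here); escaping on input or using the wrong encoder for an attribute or JavaScript context leaves the flaw in place.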
Module Objective
This module will familiarize you with:
Information Security
Why Security
Essential Terminologies
Present Trends in Security
Statistics Related to Security
Information Security Laws and Regulations
Module Flow
Information Security
Need for Security
Essential Terminologies
Present Trends in Security
Statistics Related to Security
Information Security Laws and Regulations
Information Security
Information security refers to protecting data and information systems from unauthorized access, unauthorized use, misuse, destruction, or alteration
It plays a vital role in protecting the interests of individuals who depend on that information or data
The goal of information security is to protect the confidentiality, integrity, and availability of information
Need for Security
Direct impact of a security breach on the corporate asset base and goodwill
Increasing speed of attacks
Evolution of technology focused on ease of use
Increased network environment and network-based applications
Increasing complexity of computer infrastructure administration and management
[Chart: Attack Size, in Gigabits-Per-Second, over time]
Source: http://asert.arbornetworks.com [2008 Worldwide Infrastructure Security Report]
Cost of Computer Crime
Computer crime cost $265M in 2008, an all-time high (the FBI)
Online fraud and other computer schemes cost the US $265 million in 2008, up from $239 million in 2007; the average individual loss was $931
The FBI said 275,284 complaints were received in 2008 by the Internet Crime Complaint Center (IC3) and the National White Collar Crime Center (NW3C), up 33% from 206,884 in 2007
YEAR   COMPLAINTS   LOSS
2008   275,284      $265 million
2007   206,884      $239.09 million
2006   207,492      $198.44 million
2005   231,493      $183.12 million
2004   207,449      $68.14 million
Source: www.networkworld.com
The Security, Functionality, and Ease of Use Triangle
The number of exploits is minimized when the number of weaknesses is reduced => greater security
It takes more effort to conduct the same task => reduced functionality
Moving the ball towards security means moving away from functionality and ease of use
[Diagram: triangle with vertices Functionality, Ease of Use, and Security]
Common Terminologies
Target of Evaluation:
An IT system, product, or component that is identified as requiring security evaluation
Attack:
An assault on system security that derives from an intelligent threat
An attack is any action that violates security
Exploit:
A defined way to breach the security of an IT system through a vulnerability
Common Terminologies (contd)
Security:
A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable
Threat:
An action or event that might compromise security
A threat is a potential violation of security
Vulnerability:
The existence of a weakness, design error, or implementation error that can lead to an unexpected and undesirable event compromising the security of the system
Common Terminologies (contd)
Cracker:
Refers to a person who uses his/her hacking skills for offensive purposes
Hacking:
Describes the rapid development of new programs or the reverse engineering of already existing software to make the code better and more efficient
Ethical hacker:
Refers to security professionals who apply their hacking skills for defensive purposes
Elements of Information Security: CIA
Confidentiality: the concealment of information or resources
Integrity: the trustworthiness of data or resources, in terms of preventing improper and unauthorized changes
Availability: the ability to use the desired information or resource
Any hacking event affects one or more of these essential security elements
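Of the three elements, integrity is the one most often enforced mechanically, and in practice that means detecting an unauthorized change rather than physically preventing it. The following added example is not from the original page; it shows what an integrity control looks like in code: a keyed message authentication code (HMAC-SHA256, an assumed choice) appended to a record, with a verifier that rejects any modification to the data or to the tag and that compares tags in constant time. The key and the record are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so that unauthorized changes are detectable.
    Only a holder of `key` can produce a tag that verifies."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the message if its tag checks out, otherwise None.
    compare_digest avoids leaking the tag byte-by-byte through timing."""
    if len(blob) < TAG_LEN:
        return None  # too short to even contain a tag
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def tamper(blob: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`; stands in for an attacker editing the record."""
    edited = bytearray(blob)
    edited[offset] ^= 0x01
    return bytes(edited)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                   # constructed demo key
    record = b"transfer 100 to account 42"          # constructed demo record
    blob = protect(key, record)
    print("untouched :", verify(key, blob))         # the record
    print("data edit :", verify(key, tamper(blob, 9)))              # None
    print("tag edit  :", verify(key, tamper(blob, len(blob) - 1)))  # None
    print("wrong key :", verify(b"not the key", blob))              # None
```

A MAC covers integrity only; the record still travels in the clear, so confidentiality needs a separate control (encryption), and availability is not addressed by either. Note also that verification returns a single failure value for every cause so that a caller cannot distinguish "wrong key" from "edited data" and use the difference as an oracle.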
Trends in Security
More regulatory and legislative requirements
Increased focus on certification and accreditation
ISO 17799 set as the defining architecture
Development of GAISP/GASSP
Executive and board oversight of information security
20-Year Trend: Stronger Attack Tools
Information Security: More Than An IT Challenge For SME
The European Network and Information Security Agency recently warned that Small and
Medium Enterprises are most at risk when it comes to attacks on PCs and IT systems. They are
seen as an easy target since they tend to employ few dedicated IT staff, let alone any staff
dedicated to protecting their critical business information. But since most businesses cannot
function for more than a few hours without all or some of this information, it is vitally important
that they implement and maintain effective security policies.
Approximately one third of businesses below 100 employees have had a security issue in the last
year. Above this number of employees this rises to 50% or more. In many cases smaller
organisations report a lower number of incidents because they are unaware that they have been
impacted.
Although there is widespread awareness of the need for security in general, we find that a
surprising number of organisations still believe that anti-virus software will do the job. A review
of statistics from a number of agencies in countries in which COLT operates indicates that on
average 95-98% of SME use antivirus software. But less than half of businesses with fewer than
50 employees use a firewall, although some may not be aware that they are using a firewall built
in to their PC operating system or DSL router. For 50-250 employees, use of firewalls rises to
about 70%.
Source: http://www.freshbusinessthinking.com/
Statistics Related to Security
Of all the vulnerabilities identified in 2008, 63
percent affected web applications, up from 59
percent in 2007
In 2008, Symantec detected 55,389 phishing
website hosts, an increase of 66 percent over
2007, when Symantec detected 33,428 phishing
hosts
In 2008, 78 percent of confidential information
threats exported user data, and 76 percent used
a keystroke-logging component to steal
information such as online banking account
credentials
Source: Symantec Corporation
Source: Sophos Security threat report: July 2009 update
Attack on Social Network Sites for Identity Theft
In January 2008, a Flash application, Secret Crush, with a link to an adware program was placed on Facebook
In May 2008, Trojan-Mailfinder.Win32.Myspamce.a spread spam through comments on MySpace
In July 2008, social networking sites such as Facebook, MySpace, and VKontakte were infected by Net-Worm.Win32.Koobface.a, which carried a link to a fake YouTube-like site
In December 2008, links to malicious programs for mobile phones were spread on VKontakte
Source: Kaspersky Lab
The Top Ten List Of Malware-hosting Countries in 2009
Source: http://www.sophos.com/
2010 Threat Predictions
Source: http://www.mcafee.com/
Social networking sites such as Facebook will face more
sophisticated threats as the number of users grows
The explosion of applications on Facebook and other services will be
an ideal vector for cybercriminals, who will take advantage of friends
trusting friends to click links they might otherwise treat cautiously
HTML 5 will blur the line between desktop and online applications.
This, along with the release of Google Chrome OS, will create
another opportunity for malware writers to prey on users
Email attachments have delivered malware for years, yet the
increasing number of attacks targeted at corporations, journalists,
and individual users often fool them into downloading Trojans and
other malware
2010 Threat Predictions (contd)
Source: http://www.mcafee.com/
Cybercriminals have long picked on Microsoft products due
to their popularity. In 2010, we anticipate Adobe software,
especially Acrobat Reader and Flash, will take the top spot
Banking Trojans will become more clever, sometimes
interrupting a legitimate transaction to make an
unauthorized withdrawal
Botnets are the leading infrastructure for cybercriminals,
used for actions from spamming to identity theft. Recent
successes in shutting down botnets will force their
controllers to switch to alternate, less vulnerable methods of
command, including peer-to-peer setups
Information Security Laws and Regulations
The information security laws and regulations of different countries include:
UK Data Protection Act 1998
Computer Misuse Act 1990
EU Data Retention laws
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act of 1999 (GLBA)
Sarbanes-Oxley Act of 2002 (SOX)
Payment Card Industry Data Security Standard (PCI DSS)
State Security Breach Notification Laws
Computer Misuse Act
Section 3: Unauthorized access to computer material
(The text quoted on this and the next slide, with its section numbering and dollar-denominated fines, follows Singapore's Computer Misuse Act rather than the UK Computer Misuse Act 1990 listed on the previous slide; the UK Act covers the same two offences in its sections 1 and 2.)
(1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both
(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both
Computer Misuse Act (contd)
Section 4: Access with intent to commit or facilitate commission of offence
(1) Any person who causes a computer to perform any function for the purpose of securing access to any program or data held in any computer with intent to commit an offence to which this section applies shall be guilty of an offence
(2) This section shall apply to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years
(3) Any person guilty of an offence under this section shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both
Data Protection Act 1998
Section 55: Unlawful obtaining etc. of personal data
(1) A person must not knowingly or recklessly, without the
consent of the data controller -
(a) Obtain or disclose personal data or the information
contained in personal data, or
(b) Procure the disclosure to another person of the
information contained in personal data
(2) Subsection (1) does not apply to a person who shows -
(a) That the obtaining, disclosing, or procuring -
(i) was necessary for the purpose of preventing or detecting
crime
(ii) was required or authorized by or under any enactment, by
any rule of law or by the order of a court
Data Protection Act 1998 (contd)
(3) A person who contravenes subsection (1) is guilty of an offence
(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1)
(5) A person who offers to sell personal data is guilty of an offence if
(a) he has obtained the data in contravention of subsection (1), or
(b) he subsequently obtains the data in contravention of that subsection
(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data
(7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), personal data includes information extracted from personal data
Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions
There are three principal parts to the privacy requirements:
Financial Privacy Rule: governs the collection and disclosure of customers' personal financial information by financial institutions
Safeguards Rule: requires all financial institutions to design, implement, and maintain safeguards to protect customers' information
Pretexting provisions: protect consumers from individuals and companies that obtain their personal financial information under false pretenses
Summary
Information security refers to protecting data and information systems from unauthorized access, unauthorized use, misuse, destruction, or alteration
In 2008, 78 percent of confidential information threats exported user data, and 76 percent used a keystroke-logging component to steal information such as online banking account credentials
Security is dependent on factors such as confidentiality, authenticity, integrity, and availability
Hacker refers to a person who enjoys learning the details of computer systems as well as stretching his/her capabilities