This document provides an introduction to concepts related to computer and information security. It defines computer security as protecting computer systems and information from harm, theft, and unauthorized use. It discusses the differences between information security, computer security, and cybersecurity. Computer security aims to provide confidentiality, integrity, and availability of computer systems and their components, including hardware, firmware, and software. The document also introduces concepts like information assurance, threats, vulnerabilities, and risk management frameworks. Overall, it serves as a high-level overview of fundamental terms and principles for securing computer systems and information.
Part 1. Fundamentals of Computer Networks Security and Information assurance.pdf
10/21/2019 Prepared by ZIRARUSHYA Pierre Celestin 1
Introduction to Computer Security
Introduction

The Internet has transformed our lives in many good ways. Unfortunately, this vast network and its associated technologies have also brought in their wake an increasing number of security threats. The most effective way to protect yourself from these threats and attacks is to be aware of standard cybersecurity practices. This part presents an introduction to computer security and its key concepts.
What is computer security?

Computer security is basically the protection of computer systems and information from harm, theft, and unauthorized use. It is the process of preventing and detecting unauthorized use of your computer system. People often confuse computer security with related terms such as information security and cybersecurity. One way to ascertain the similarities and differences among these terms is to ask what is being secured.
Nuances in three terms

◦ Information security is securing information from unauthorized access, modification and deletion.
◦ Computer security means securing a standalone machine by keeping it updated and patched.
◦ Cybersecurity is defined as protecting computer systems that communicate over computer networks.

It is important to understand the distinction between these terms, though there is not necessarily a clear consensus on their meanings or on the degree to which they overlap or are interchangeable.

Computer security

So, computer security can be defined as the controls that are put in place to provide confidentiality, integrity, and availability for all components of computer systems.

Components of a computer system

The components of a computer system that need to be protected are:
◦ Hardware, the physical part of the computer, such as the system memory and disk drive.
◦ Firmware, permanent software that is etched into a hardware device's nonvolatile memory and is mostly invisible to the user.
◦ Software, the programming that offers services, such as the operating system, word processor, internet browser, etc.

Information Assurance
Data & Information

Data are the factual elements that describe objects or events. They represent the raw numbers and raw text you gather from your investigations. Information represents data that have been processed in order to provide you with some insight into their meaning. In other words, the data have been analyzed, summarized and processed into a more understandable and useful format. Converting your data into information may lead to graphs, charts and text or tables summarizing facts.
Data, Information, Knowledge, Wisdom and Theory
Information assurance - Definition

Information assurance (IA) is about protecting your information assets from destruction, degradation, manipulation and exploitation by an opponent (DoD, 1996). It comprises the actions taken to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection and reaction capabilities.

"Information assurance is the confidence that the information assets will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users."
Information security - Definition

"The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional." BS7799/ISO17799 defines information security as the preservation of confidentiality, integrity and availability of information. Information security and information assurance are both concerned with intentional and unintentional attacks. Information assurance also covers areas that are not covered by information security, such as perception management.

Threat & Risk

In information security, an exposure is a form of possible loss or harm against an information asset. That information asset may be either logically based (i.e. 1's and 0's inside a computer) or physically based (i.e. hardware). Examples of exposure include unauthorized disclosure of data, modification of data or denial of legitimate access to the information asset. This type of exposure is often referred to as risk. ISO13335 defines risk and threat as follows: "Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. The threat is the potential cause of an incident that may result in harm to a system or organization."
Threat

A party with the potential to do harm to a system or organization.
Vulnerability assessment: some questions to ask
Vulnerability Assessment (2)
RISK

Risk = Threat * Vulnerability
Risk = Impact (of the vulnerability being exploited) * Frequency
NIST RISK MANAGEMENT FRAMEWORK (SP 800-37)
Risk Management Steps
ISO27005 OVERVIEW (2)
Characteristics of Information Assurance

Information assurance can be considered at three levels:
◦ physical,
◦ information infrastructure and
◦ perceptual.
Characteristics of the Physical Level
Characteristics of Information Structure Level
Characteristics of the perception level
Information Assurance / Information Operations

Information assurance is sometimes referred to as information operations (IOs) that protect and defend information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection and reaction capabilities. Information assurance is concerned with the containment of, and recovery from, an attack. It also defines how attacks are to be detected through the use of a set of indicators and warnings, and how, once an attack has occurred, we should respond to it. In addition, IA deals with deterring attacks and with the application of legislation designed to address issues of privacy, computer-related crime, computer forensics and the like. The term "IO" is used to refer to actions taken to affect an opponent's information and information systems while defending one's own information and information systems.

Information Security in Context
Information Security in Context (2)

The owner possesses a set of assets that have value to the owner. The owner may be aware of a set of vulnerabilities that could lead to the loss of an asset. In order to protect the asset, the owner imposes a set of protection and defensive countermeasures on the asset, in the belief that by doing so the owner is protecting the asset from possible loss, exploitation, abuse or damage by a threat-agent. The threat-agents are the parties that give rise to the threats to the assets of the system. An asset can be a physical component of a system, such as a hard disk, or a logical component of a system, such as a file stored on a hard disk.

The Process of Risk Management
Interruption, Interception, Modification and Fabrication

The following factors adversely impact information assurance:

Interruption:
• In an interruption, an information asset of the system becomes unusable, unavailable or lost.
• For example, the physical theft or physical destruction of a computer system would be viewed as an interruption.
• The removal of information or software from an information system would also be viewed as an interruption.

Interception:
• An interception means that some unauthorized party has gained access to an information asset.
• The party can be a program, a computer system or a person.
• For example, recording a telephone conversation or monitoring a computer network can be viewed as interception.

Modification:
• Modification of an asset means that some unauthorized party tampers with the asset.
• For example, the unauthorized installation of monitoring software or hardware, or the unauthorized insertion, manipulation or deletion of information, can be viewed as modification.

Fabrication:
• Fabrication of an asset means the counterfeiting of an asset.
• For example, an intruder may insert spurious transactions into a computer network.
Nature of the Threat

All a person needs to enter the world of Information Warfare (IW) is motive, means and opportunity.
◦ A motive is a function of the players' concerns, commitments and beliefs.
◦ Means are determined by capabilities and the availability of technical and information-based resources.
◦ An opportunity is a function of access and also includes other factors such as perception and belief.

For example,
◦ Many individuals may believe in their cause so much that they are prepared to go to prison for it.
◦ However, most do not believe they will be caught.

Although anyone can engage in offensive IW, in general offensive players in the world of IW come in six types: insiders, hackers, criminals, corporations, governments and terrorists.

Security threats
Defense mechanisms localization
IT security mechanisms locations.
Firewalls
Three layers of network security measures.
The Hacking Process
Why Is Computer and Network Security Important?

It is crucial for organizations to define why they want to achieve computer security in order to determine how they will achieve it. It is also a useful tool to employ when seeking senior management's authorization for security-related expenditures. Computer and network security is important for the following reasons:
To protect company assets:

One of the primary goals of computer and network security is the protection of company assets. The assets comprise the "information" that is housed on a company's computers and networks. Information is a vital organizational asset. Network and computer security is concerned, above all else, with the protection, integrity, and availability of information. Information can be defined as data that is organized and accessible in a coherent and meaningful manner.
To gain a competitive advantage:

Developing and maintaining effective security measures can provide an organization with a competitive advantage over its competitors. Network security is particularly important in the arena of Internet financial services and e-commerce. It can mean the difference between wide acceptance of a service and a mediocre customer response. For example, how many people do you know who would use a bank's Internet banking system if they knew that the system had been successfully hacked in the past? Not many. They would go to the competition for their Internet banking services.

To comply with regulatory requirements and fiduciary responsibilities:

Corporate officers of every company have a responsibility to ensure the safety and soundness of the organization. Part of that responsibility includes ensuring the continuing operation of the organization. Accordingly, organizations that rely on computers for their continuing operation must develop policies and procedures that address organizational security requirements.

To comply with regulatory requirements and fiduciary responsibilities (continued):

Such policies and procedures are necessary not only to protect company assets but also to protect the organization from liability. For-profit organizations must also protect shareholders' investments and maximize return. Many organizations are subject to governmental regulation, which often stipulates requirements for the safety and security of an organization. For example, most financial institutions are subject to federal regulation. Failure to comply with federal guidelines can result in the seizure of a financial institution by federal regulators. In some cases, corporate officers who have not properly performed their regulatory and fiduciary responsibilities are personally liable for any losses incurred by the financial institution that employs them.

To keep your job:

Finally, to secure one's position within an organization and to ensure future career prospects, it is important to put into place measures that protect organizational assets. Security should be part of every network or systems administrator's job. Failure to perform adequately can result in termination. Termination should not be the automatic result of a security failure, but if, after a thorough postmortem, it is determined that the failure was the result of inadequate policies and procedures or of failure to comply with existing procedures, then management needs to step in and make some changes.

One thing to keep in mind is that network security costs money: to hire, train, and retain personnel; to buy hardware and software to secure an organization's networks; and to pay for the increased overhead and degraded network and system performance that results from firewalls, filters, and intrusion detection systems (IDSs). As a result, network security is not cheap. However, it is probably cheaper than the costs associated with having an organization's network compromised.

Security Trinity
The Security Trinity

The three legs of the "security trinity", prevention, detection, and response, comprise the basis for network security. The security trinity should be the foundation for all security policies and measures that an organization develops and deploys.

Prevention/Protection

The foundation of the security trinity is prevention. To provide some level of security, it is necessary to implement measures to prevent the exploitation of vulnerabilities. In developing network security schemes, organizations should emphasize preventative measures over detection and response: it is easier, more efficient, and much more cost-effective to prevent a security breach than to detect or respond to one. Remember that it is impossible to devise a security scheme that will prevent all vulnerabilities from being exploited, but companies should ensure that their preventative measures are strong enough to discourage potential criminals, so that they go to an easier target.
The Security Trinity (2)

Detection

Once preventative measures are implemented, procedures need to be put in place to detect potential problems or security breaches in the event that preventative measures fail. It is very important that problems be detected immediately. The sooner a problem is detected, the easier it is to correct and clean up.

Response/Reaction

Organizations need to develop a plan that identifies the appropriate response to a security breach. The plan should be in writing and should identify who is responsible for what actions, as well as the varying responses and levels of escalation.
The Security Trinity (3)

Before beginning a meaningful discussion on computer and network security, we need to define what it entails.
◦ First, network security is not a technical problem; it is a business and people problem. The technology is the easy part. The difficult part is developing a security plan that fits the organization's business operation and getting people to comply with the plan.
◦ Next, companies need to answer some fundamental questions, including the following:
  • How do you define network security?
  • How do you determine what is an adequate level of security?

To answer these questions, it is necessary to determine what you are trying to protect.
Information Security

Network security is concerned, above all else, with the security of company information assets. We often lose sight of the fact that it is the information, and our ability to access that information, that we are really trying to protect, and not the computers and networks. A simple definition of information security:

Information security = Confidentiality + Integrity + Availability + Authentication
Security Trinity (4)

There can be no information security without confidentiality; this ensures that unauthorized users do not intercept, copy, or replicate information. At the same time, integrity is necessary so that organizations have enough confidence in the accuracy of the information to act upon it. Moreover, information security requires organizations to be able to retrieve data; security measures are worthless if organizations cannot gain access to the vital information they need to operate when they need it. Finally, information is not secure without authentication, which determines whether the end user is authorized to have access.

Security trinity (5)

Among the many elements of information security are ensuring adequate physical security; hiring proper personnel; developing, and adhering to, procedures and policies; strengthening and monitoring networks and systems; and developing secure applications. It is important to remember that information security is not just about protecting assets from outside hackers. The majority of the time, threats are internal to an organization: "We have found the enemy and it is us." Information security is also about procedures and policies that protect information from accidents, incompetence, and natural disasters. Such policies and procedures need to address the following:
• Backups, configuration controls, and media controls;
• Disaster recovery and contingency planning;
• Data integrity.

Security trinity (6)

It is also important to remember that network security is not absolute. All security is relative. Network security should be thought of as a spectrum that runs from very unsecure to very secure. The level of security for a system or network depends on where it lands along that spectrum relative to other systems. It is either more secure or less secure than other systems relative to that point.

There is no such thing as an absolutely secure network or system. Network security is a balancing act that requires the deployment of "proportionate defenses." The defenses that are deployed or implemented should be proportionate to the threat. Organizations determine what is appropriate in several ways, described as follows:
• Balancing the cost of security against the value of the assets they are protecting;
• Balancing the probable against the possible;
• Balancing business needs against security needs.

General Security Risk Assessment
Security trinity (7)

Organizations must determine how much it would cost to have each system or network compromised; in other words, how much it would cost in "dollars" to lose information or access to the system, or to experience information theft. By assigning a dollar value to the cost of having a system or network compromised, organizations can determine the upper limit they should be willing to pay to protect their systems. For many organizations this exercise is not necessary, because the systems are the lifeblood of the business. Without them, there is no organization. Organizations also need to balance the cost of security against the cost of a security breach. Generally, as the investment in security increases, the expected losses should decrease. Companies should invest no more in security than the value of the assets they are protecting. This is where cost-benefit analysis comes into play.

Security trinity (8)

Moreover, organizations must balance possible threats against probable threats: as it is impossible to defend against every possible type of attack, it is necessary to determine what types of threats or attacks have the greatest probability of occurring and then protect against them. For example, it is possible that an organization could be subjected to van Eck monitoring or a high-energy radio frequency (HERF) attack, but the probability is low. It is also important to balance business needs with the need for security, assessing the operational impact of implementing security measures. Security measures and procedures that interfere with the operation of an organization are of little value. Those types of measures are usually ignored or circumvented by company personnel, so they tend to create, rather than plug, security holes. Whenever possible, security measures should complement the operational and business needs of an organization.
WHAT MAKES A NETWORK VULNERABLE

An isolated home user or a stand-alone office with a few employees is an unlikely target for many attacks. But add a network to the mix and the risk rises sharply. Consider how a network differs from a stand-alone environment:

Anonymity. An attacker can mount an attack from thousands of miles away and never come into direct contact with the system, its administrators, or users. The potential attacker is thus safe behind an electronic shield. The attack can be passed through many other hosts in an effort to disguise the attack's origin.
Many points of attack, both targets and origins. A simple computing system is a self-contained unit. Access controls on one machine preserve the confidentiality of data on that processor. However, when a file is stored on a network host remote from the user, the data or the file itself may pass through many hosts to get to the user. One host's administrator may enforce rigorous security policies, but that administrator has no control over other hosts in the network. Thus, the user must depend on the access control mechanisms in each of these systems. An attack can come from any host to any host, so that a large network offers many points of vulnerability.

WHAT MAKES A NETWORK VULNERABLE (2)

Sharing. Because networks enable resource and workload sharing, more users have the potential to access networked systems than single computers. Perhaps worse, access is afforded to more systems, so that access controls for single systems may be inadequate in networks.
WHAT MAKES A NETWORK VULNERABLE (3)

Complexity of system. An operating system is a complicated piece of software. Reliable security is difficult, if not impossible, on a large operating system, especially one not designed specifically for security. A network combines two or more possibly dissimilar operating systems. Therefore, a network operating/control system is likely to be more complex than an operating system for a single computing system. Furthermore, the ordinary desktop computer today has greater computing power than did many office computers in the last two decades. The attacker can use this power to advantage by causing the victim's computer to perform part of the attack's computation. And because an average computer is so powerful, most users do not know what their computers are really doing at any moment. This complexity diminishes confidence in the network's security.

WHAT MAKES A NETWORK VULNERABLE (4)

Unknown perimeter. A network's expandability also implies uncertainty about the network boundary. One host may be a node on two different networks, so resources on one network are accessible to the users of the other network as well. Although wide accessibility is an advantage, this unknown or uncontrolled group of possibly malicious users is a security disadvantage. A similar problem occurs when new hosts can be added to the network. Every network node must be able to react to the possible presence of new, untrustable hosts. The figure below points out the problems in defining the boundaries of a network. Notice, for example, that a user on a host in network D may be unaware of the potential connections from users of networks A and B. And the host in the middle of networks A and B in fact belongs to A, B, C, and E. If there are different security rules for these networks, to which rules is that host subject?

WHAT MAKES A NETWORK VULNERABLE: Unclear Network Boundaries
Unknown path. The figure below illustrates that there may be many paths from one host to another.
◦ Suppose that a user on host A1 wants to send a message to a user on host B3.
◦ That message might be routed through hosts C or D before arriving at host B3.
◦ Host C may provide acceptable security, but not D.
Network users seldom have control over the routing of their messages.

Thus, a network differs significantly from a stand-alone, local environment. Network characteristics significantly increase the security risk.
COMPUTER NETWORK & INFORMATION SECURITY THREATS
Computer security threats

In simple language, computer security is making sure information and computer components are usable but still protected from people or software that should not access or modify them.

Computer security threats are possible dangers that can hamper the normal functioning of your computer. In the present age, cyber threats are constantly increasing as the world goes digital. The most harmful types of computer security threats are the following:

Threats and Solutions

Information security must protect, at its core, the data/information of the organization. However, surrounding the data are several layers: the operating system, the application software, the computer and its resources, the network, and the users. Each of these layers has different threats, and each will have its own forms of security. As some threats occur at multiple levels, we will address the threats rather than the layers. However, information security is not complete without protecting every layer.

1. Social engineering

Social engineering is a threat that targets users. The idea is that a user is a weak link in that he or she can be tricked, and often fairly easily. A simple example of a social engineering attack works like this:
◦ You receive a phone call at home one evening. The voice identifies itself as IT and says that "because of a server failure, they need your password to recreate your account. Without your password, all of your data may be lost". You tell them your password. Now they can break into your account, because they are not IT but in fact someone with malicious intent.
10/21/2019 Prepared by ZIRARUSHYA Pierre Celestin 66 Social engineering (2) Social engineering has been used to successfully obtain people’s passwords, bank account numbers, credit card numbers, social security numbers, PIN (personal identification number) values, and other confidential information. In a social setting, you are far more likely to divulge information that a clever hacker could then use to break your password: Pets’ name for pets lovers, loved ones, name, etc. 10/21/2019 Prepared by ZIRARUSHYA Pierre Celestin 67 2. Phishing A variation on social engineering is to trick a user by faking information electronically. Phishing involves e-mails to people to redirect them to a website to perform some operation. ◦ The website, however, is not what it seems. ◦ For instance, someone might mock up a website to make it look like a credit card company’s site. ◦ Now an e-mail is sent to some of the credit card company customers informing them that they need to log into their accounts or else the accounts will be closed. ◦ The link enclosed in the e-mail, however, directs them to the mocked up website. The user clicks on the link and is taken to the phony website. There, the user enters secure information (passwords, credit card number, etc.) but unknowingly, this information is made available to the wrong person.10/21/2019 Prepared by ZIRARUSHYA Pierre Celestin 68 Phishing and botnet Disguising as a trustworthy person or business, phishers attempt to steal sensitive financial or personal information through fraudulent email or instant messages. Phishing is unfortunately very easy to execute. You are deluded into thinking it’s the legitimate mail and you may enter your personal information.
• A botnet is a group of computers connected to the internet that have been compromised by a hacker using a computer virus.
• An individual compromised computer is called a ‘zombie computer’. The result of this threat is that the victim’s computer, the bot, will be used for malicious activities and for larger-scale attacks like DDoS.

3. Protocol attacks
Another class of threat attacks the computer system itself, whether the attack targets the network, application software, or operating system. In a protocol attack, one attempts to obtain access to a computer system by exploiting a weakness or flaw in a protocol. There are, for instance, known security problems in TCP/IP (Transmission Control Protocol/Internet Protocol). One approach is called TCP hijacking, in which an attacker spoofs a host computer in a network using the host computer’s IP address, essentially cutting that host off from its network. Many forms of protocol attack are used as a form of reconnaissance in order to obtain information about a computer network, as a prelude to the actual attack.

Protocol attacks (2)
An ICMP (Internet Control Message Protocol) attack might use the ping program to find out the IP addresses of various hosts in a computer network. Once an attacker has discovered the IP addresses, other forms of attack might be launched. A smurf attack combines IP spoofing and an ICMP (ping) attack: the attacker spoofs another device’s IP address to appear to be a part of the network. Thus, the attacker is able to get around some of the security mechanisms that might defeat a normal ICMP attack.
4. Software exploits
Software exploits vary depending on the software in question. Two very popular forms of exploits are SQL injections and buffer overflows. In an SQL injection, an attacker issues an SQL command to a web server as part of the URL. The web server, which can accept queries as part of the URL, is not expecting an SQL command. A query in a URL follows a “?” and includes a field and a value, such as www.mysite.com/products.php?productid=1.
Software exploits (2)
In the previous case, the web page products.php most likely accesses a database to retrieve the entry productid = 1. An SQL injection can follow the query to operate on that database. For instance, the modified URL www.mysite.com/products.php?productid=1; DROP TABLE products would issue the SQL command DROP TABLE products, which would delete the relation from the database. If not protected against, the web server might pass the SQL command on to the database. This SQL command could potentially do anything to the database, from returning secure records to deleting records to changing the values in the records.
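The products.php lookup described above, rebuilt as an added example in Python over an in-memory SQLite table (this is not code from the lecture; the table, its rows and the function names are constructed for the demo). The first function pastes the URL parameter into the SQL text exactly as the slides describe; the second binds it through a placeholder after validating it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo; one row is deliberately unpublished."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (productid INTEGER, name TEXT, published INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "widget", 1), (2, "gadget", 1), (3, "unreleased", 0)])
    return con


def lookup_vulnerable(con: sqlite3.Connection, productid: str) -> list:
    """The mistake the slides describe: the URL parameter becomes part of the SQL
    text, so the database parses whatever the client sent as part of the query."""
    sql = ("SELECT name FROM products WHERE published = 1 AND productid = "
           + productid + " ORDER BY productid")
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, productid: str) -> list:
    """Hardened form: reject anything that is not an integer, then bind the value
    through a placeholder so it can only be compared, never parsed as SQL."""
    if not productid.isdigit():
        raise ValueError("productid must be a non-negative integer")
    sql = "SELECT name FROM products WHERE published = 1 AND productid = ? ORDER BY productid"
    return [row[0] for row in con.execute(sql, (int(productid),))]


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "1"))          # ['widget']
    # "1 OR 1=1" makes the WHERE clause always true, so the unpublished row leaks too.
    print(lookup_vulnerable(con, "1 OR 1=1"))   # ['widget', 'gadget', 'unreleased']
    print(lookup_safe(con, "1"))                # ['widget']
    try:
        lookup_safe(con, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Python's sqlite3 driver refuses a second statement inside execute(), so the slides' "; DROP TABLE products" payload is replaced here by the always-true "1 OR 1=1" condition, which exercises the same flaw (returning records the query was meant to hide).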
Software exploits (3)
The buffer overflow is perhaps one of the oldest forms of software exploit and is so well known that software engineers should be able to protect against it when they write software. However, that is not always the case, and many pieces of software are still susceptible to this attack. A buffer is merely a variable (typically an array) that stores a collection of values and is of limited size. If the software does not ensure that insertions into the buffer are limited to its size, then it is possible to insert into the buffer a sufficient amount that the memory locations after the array are filled as well. Since memory stores both data and code, one could attempt to overflow a buffer with malicious code. Once stored in memory, the processor could potentially execute this code and thus perform the operations inserted by the attacker.

5. Intrusion
Intrusion and other forms of active attacks commonly revolve around first gaining unauthorized access to the computer system. To gain entrance, the attacker must attempt to find a security hole in the operating system or network, or obtain access by using someone else’s account. To do so, the attacker will have to know a user’s account name and password. As stated above, there are social engineering and phishing means of obtaining passwords. Other means include writing a program that continually attempts to log in to a user’s account by trying every word of the dictionary. Another approach is to simply spy on a person to learn the person’s password, perhaps by watching the person type it in. Another means of obtaining a password is through packet sniffing.

Intrusion (2)
Aside from guessing people’s passwords, there are other weaknesses in operating systems that can be exploited to gain entrance to the system. Once inside, the intruder can then unleash their attack.
The active attack could potentially do anything from deleting, copying, or altering data files to leaving behind malicious code of some kind or creating a backdoor account (a hidden account that allows the attacker to log in at any time).

6. Insider Attack
An even simpler approach to breaking through the security of an IT system is an inside job. If the attacker knows someone who has authorized access and can be bribed or influenced, then it is possible for the attacker to delete, copy, or alter files, insert malware, or otherwise learn about the nature of the computer system through that person. This is perhaps one of the weakest links in any computer system, because people are granted access in part because they are trusted. That trust, if violated, can cause more significant problems than any form of intrusion.

7. Malware
Malware is one of the worst types of attacks perpetrated on individual users. The original form of malware was called a Trojan horse. The Trojan horse pretends to be one piece of software but is in fact another. Imagine that you download an application that you think will be very useful to you. However, the software, while pretending to be that application, actually performs malicious operations on your file system. A variation of the Trojan horse is the computer virus. The main differences are that the virus hides inside another, executable, file and has the ability to replicate itself, so that it can copy itself from one computer to another through a floppy disk (back when we used them), flash drive, or e-mail attachment.

VIRUS
A computer virus is a malicious program which is loaded into the user’s computer without the user’s knowledge. It replicates itself and infects the files and programs on the user’s PC.
The ultimate goal of a virus is to ensure that the victim’s computer will never be able to operate properly, or even at all.

WORMS
• A computer worm is a software program that can copy itself from one computer to another without human interaction.
Worms
Unlike a computer virus, which requires users to spread infected files to other users, a worm is a harmful program that resides in the active memory of the computer and duplicates itself. Worms differ from viruses in that they can propagate without human intervention, sending copies of themselves to other computers by e-mail or Internet Relay Chat (IRC). The negative impact of a worm attack on an organization’s computers can be considerable:
◦ lost data and programs, and lost productivity due to workers being unable to use their computers;
◦ additional lost productivity as workers attempt to recover data and programs; and
◦ lots of effort for IT workers to clean up the mess and restore everything to as close to normal as possible.

Malware (2)
Still other forms of malware are network worms that attack computer networks. Spyware is often downloaded without the user’s knowledge when accessing websites. The spyware might spy on your browsing behavior at a minimum, or report back to a website sensitive information such as a credit card number that you entered into a web form. Still another form of malware will hijack some of your software. For instance, it might redirect your DNS information to a different DNS server, which, rather than responding with correct IP addresses, provides phony addresses that always take your web browser to the wrong location(s).

Malware (3)
One final form of attack that is common today, particularly against websites, is the denial of service attack. In a denial of service attack, one or more attackers attempt to flood a server with so many incoming messages that the server is unable to handle normal business. One of the simplest ways to perform a denial of service attack is to submit thousands or millions (or more) of HTTP requests.
However, this only increases the traffic; it does not necessarily restrict the server from responding to all requests over time.
Malware (4)
The above discussion is by no means a complete list of the types of attacks that have been tried. And, of course, new types of attacks are being thought of every year. What we need, to promote information security, are protection mechanisms to limit these threats to acceptable risks. Solutions are brought in from several different approaches.
8. Rootkits
A rootkit is a set of programs that enables its user to gain administrator-level access to a computer without the end user’s consent or knowledge. Once installed, the attacker can gain full control of the system and even obscure the presence of the rootkit from legitimate system administrators. Attackers can use the rootkit to execute files, access logs, monitor user activity, and change the computer’s configuration. Rootkits are one part of a blended threat, consisting of the dropper, loader, and rootkit. The dropper code gets the rootkit installation started and can be activated by clicking on a link to a malicious Web site in an e-mail or opening an infected .pdf file. The dropper launches the loader program and then deletes itself. The loader loads the rootkit into memory; at that point the computer has been compromised. Rootkits are designed so cleverly that it is difficult to even discover whether they are installed on a computer.

Rootkit & Keyloggers
A rootkit is a computer program designed to provide continued privileged access to a computer while actively hiding its presence. Once a rootkit has been installed, the controller of the rootkit will be able to remotely execute files and change system configurations on the host machine.
• Also known as a keystroke logger, a keylogger can track the real-time activity of a user on his computer.
• It keeps a record of all the keystrokes made on the user’s keyboard.
• A keylogger is also a very powerful threat for stealing people’s login credentials, such as username and password.

Note
The above-mentioned are perhaps the most common security threats that you’ll come across. Apart from these, there are others like spyware, wabbits, scareware, bluesnarfing and many more. Fortunately, there are ways to protect yourself against these attacks.
https://securitytrails.com/blog/top-10-common-network-security-threats-explained
Threats and Solutions
Solution to attacks
First, the organization’s users must be educated. By learning about social engineering, phishing, and forms of spying, the users can learn how to protect their passwords. Additionally, IT policies must ensure that users only use strong passwords, and change their passwords often.
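Education and password policy reduce the odds of a guessed password, but the dictionary-style login program described under Intrusion also leaves a trace: a run of failed logins for one account from one source. The detector below is an added example, not the lecture's own material; it reads constructed log lines in an assumed "<timestamp> <result> user=<name> src=<ip>" format and flags any account/source pair that accumulates too many failures inside a sliding window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption for this demo,
# not the output of any real login daemon.
SAMPLE_LOG = """\
2019-10-21T08:00:00 FAIL user=alice src=203.0.113.7
2019-10-21T08:00:01 FAIL user=alice src=203.0.113.7
2019-10-21T08:00:02 FAIL user=alice src=203.0.113.7
2019-10-21T08:00:03 FAIL user=alice src=203.0.113.7
2019-10-21T08:00:04 FAIL user=alice src=203.0.113.7
2019-10-21T08:00:05 FAIL user=alice src=203.0.113.7
2019-10-21T08:05:00 FAIL user=bob src=198.51.100.2
2019-10-21T08:30:00 FAIL user=bob src=198.51.100.2
2019-10-21T08:31:00 OK user=bob src=198.51.100.2
"""


def parse_line(line: str):
    """Split one log line into (timestamp, result, user, source address)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def find_guessing(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {(user, src): peak_failures} for every pair that reaches
    `threshold` failed logins within any `window_s`-second window.
    A successful login resets the run: a forgotten password looks different
    from a program working through a word list."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        key = (user, src)
        if result == "OK":
            recent[key].clear()
            continue
        window = recent[key]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while window and ts - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(window))
    return flagged


if __name__ == "__main__":
    print(find_guessing(SAMPLE_LOG))   # {('alice', '203.0.113.7'): 6}
```

In the sample, alice's six failures in five seconds are flagged while bob's two failures, 25 minutes apart and followed by a success, are not; in practice the flagged pairs would feed an account lockout or rate limit rather than just a printout.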
Solution to attacks (2)
In some cases, organizations use a different approach than the password, which is sometimes referred to as “what you know”. Instead, two other approaches are “what you have” and “who you are”. In the former case, the access process includes possession of some kind of key. The most common form of key is a key card (swipe card). Perhaps this can be used along with a password, so that you must both physically possess the key and know the password to log in. In the latter case, “who you are” constitutes some physical aspect that cannot be reproduced. Biometrics are used here; whether in the form of a fingerprint, a voice identification match, or even a lip print, the metric cannot be duplicated.

Attack Solutions
(Table with columns Target, Vulnerability, Control; the table rows did not survive extraction.)
"Top 10 List" of Good Computing Practices
1. Use passwords that can't be easily guessed, and protect your passwords.
2. Minimize storage of sensitive information.
3. Beware of scams.
4. Protect information when using the Internet and email.
5. Make sure your computer is protected with anti-virus and all necessary security "patches" and updates.
6. Secure laptop computers and mobile devices at all times: lock them up or carry them with you.
7. Shut down, lock, log off, or put your computer and other devices to sleep before leaving them unattended, and make sure they require a secure password to start up or wake up.
8. Don't install or download unknown or unsolicited programs/apps.
9. Secure your area before leaving it unattended.
10. Make backup copies of files or data you are not willing to lose.

Demos: Data breaches (1) and internet threat scenario (2)