
Information Security Fundamentals

CPIS-601
Lab Assignment 3
Semester 1, 2021, 1441
College of Computer Science and Engineering

Student Name: Manal Saeed Alhejaily


Student ID: 2100399

1. Explain what cyber hygiene is, why it is important and how you implement it.
Cyber hygiene is about educating yourself to think proactively about your cyber security in order to resist cyber-attacks and internet safety challenges. Many individuals take cyber protection for granted, but as cyber-attacks continue to evolve, this has to change. Meanwhile, setting up good cyber hygiene procedures should become normal. Using the right cyber hygiene tools, such as antivirus and anti-malware applications, a network firewall, and password protection, all help to secure the private data on your home computer. Make these routines a matter of cyber hygiene.
It is important because you are creating cyber habits that will help you keep your devices and information safe and secure online.
According to [1], you could implement it by following these 9 steps:
Step 1: Install reputable antivirus and malware software
Step 2: Use network firewalls
Step 3: Update software regularly
Step 4: Set strong passwords
Step 5: Use multi-factor authentication
Step 6: Employ device encryption
Step 7: Back up regularly
Step 8: Keep your hard drive clean
Step 9: Secure your router [1]

2. What is the Shamoon attack? Explain the Shamoon attack that hit the Kingdom of Saudi Arabia (between 300 and 500 words).
The Kingdom of Saudi Arabia is being subjected to severe and repeated cyberattacks on sensitive infrastructure. Beyond stealing access credentials in order to download malware, the new attacks targeting Saudi Arabia today are intended to disable the servers of all essential services, in an effort to disrupt the functioning of those installations.
Confirming these claims and indicators, Palo Alto Networks came across new Disttrack samples that appear to be part of an updated attack campaign. In Saudi Arabia, the attack targeted at least one organization associated with the original targets of the Shamoon attacks. The aim of the new Disttrack samples appears to be primarily destructive, as the samples were configured to report to a non-operational C2 server and were scheduled to begin wiping data precisely on 2016/11/29.
An attack campaign known as Shamoon attacked a Saudi Arabian energy firm in August 2012 in order to deploy a piece of malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by trying to use stolen user credentials to propagate to other systems on the local network.

Disttrack focuses largely on destroying data and on damaging as many systems as possible. To do so, the malware tries to use what are presumably compromised user credentials to spread to other systems on the network. This again matches the Shamoon attacks of 2012, where compromised but legitimate credentials obtained prior to the attacks were also hard-coded into the malware to assist in its dissemination. Disttrack can also download and run additional programs on the device, as well as remotely set the date on which the wiping of systems begins.
Disttrack uses specific domain account names and passwords to log in to remote systems on the same network segment. The malware determines the local network segment of the target system by obtaining the device's hostname (a call to gethostname) and resolving it to the device's IP address (a call to gethostbyname). It then uses the system's IP address to enumerate the /24 network (x.x.x.0-255) the system is attached to, and attempts to spread to any of the remote systems in that range.
The reporting company refrained from naming the origin of these attacks and referred only to "Wild Fire," the firewall used by the attackers. According to officials at US intelligence agencies, Iran is funding these attacks, which affect Saudi Arabia's official sites [2].
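The spreading pattern described above, one host logging in to neighbour after neighbour across its own /24 over SMB, is something a defender can look for in connection logs. The following is an added example, not code from the assignment or from any vendor report: it reads constructed "timestamp src dst dport" records and flags any source that reaches an unusual number of distinct hosts in its own /24 on port 445 within a short window. The log format, window and threshold are assumptions.

```python
"""Flag Disttrack-style SMB fan-out across a host's own /24 in connection logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log, one "timestamp src dst dport" per line (not real traffic):
# 10.20.30.15 reaches ten neighbours in ten seconds; 10.20.30.40 is a normal file-share user.
SAMPLE_LOG = [f"2021-01-10T09:00:{i:02d} 10.20.30.15 10.20.30.{100 + i} 445" for i in range(10)]
SAMPLE_LOG += [
    "2021-01-10T09:00:05 10.20.30.40 10.20.30.101 445",
    "2021-01-10T09:03:10 10.20.30.40 10.20.30.102 445",
    "2021-01-10T09:04:00 10.20.30.40 10.20.31.7 445",   # other subnet: not counted
    "2021-01-10T09:04:30 10.20.30.40 10.20.30.103 80",  # not SMB: not counted
]

def parse(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout(lines, window_seconds=60, threshold=8):
    """Return {src: peak distinct same-/24 SMB targets} for sources at or above threshold.

    Only destinations inside the source's own /24 on port 445 count, mirroring the
    worm behaviour described above; a sliding window bounds the count in time.
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)                      # src -> [(ts, dst)]
    for ts, src, dst, dport in map(parse, lines):
        subnet = ipaddress.ip_network(f"{src}/24", strict=False)
        if dport == 445 and dst != src and ipaddress.ip_address(dst) in subnet:
            events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        peak, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window forward
                start += 1
            peak = max(peak, len({d for _, d in hits[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB neighbours within one window")
```

The threshold should be tuned per environment; domain controllers and backup servers legitimately talk to many hosts on port 445 and belong on an allow-list.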

3. What is the WannaCry attack? Explain the WannaCry attack that hit the United Kingdom (between 300 and 500 words).
WannaCry is a ransomware worm which spread rapidly across a number of computer networks in May 2017. After infecting a Windows device, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a bitcoin ransom payment to decrypt them.

A number of factors made the initial spread of WannaCry particularly noteworthy: it struck
a number of important and high-profile systems, including many in Britain's National
Health Service; it exploited a Windows vulnerability that was suspected to have been first
discovered by the United States National Security Agency; and it was tentatively linked by
Symantec and other security researchers to the Lazarus Group, a cybercrime organization
that may be connected to the North Korean government.

What is WannaCry ransomware?

Several elements make up the WannaCry ransomware. It arrives on the infected device in the form of a dropper, a self-contained program that extracts the other application components embedded within itself. Those elements comprise:

• An application which encrypts and decrypts data
• Directories containing encryption keys
• A copy of Tor

The program code is not obfuscated and was relatively easy for security pros to analyze.
Once launched, WannaCry tries to access a hard-coded URL (the so-called kill switch); if
it can't, it proceeds to search for and encrypt files in a slew of important formats, ranging
from Microsoft Office files to MP3s and MKVs, leaving them inaccessible to the user. It
then displays a ransom notice, demanding $300 in Bitcoin to decrypt the files.

How does WannaCry infect PCs?

The attack vector for WannaCry is more interesting than the ransomware itself. The vulnerability WannaCry exploits lies in the Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol helps the various nodes on a network communicate, and specially crafted packets can trick Microsoft's implementation into running arbitrary code.

It is suspected that the U.S. National Security Agency discovered this flaw and, rather than reporting it to the infosec community, developed code to exploit it, called EternalBlue. This exploit was in turn stolen by a hacker group known as the Shadow Brokers, who on April 8, 2017, published it, obfuscated, in an apparently political post. Microsoft itself had found the flaw a month earlier and released a patch, but many devices remained unpatched, and on May 12, WannaCry, which used EternalBlue to infect machines, started to spread exponentially. In the aftermath of the outbreak, Microsoft criticized the U.S. government for not having disclosed its knowledge of the vulnerability earlier.

Even after a PC has been successfully compromised, WannaCry does not actually begin encrypting files immediately. That is because, as mentioned above, it first attempts to reach a very long, gibberish URL before it goes to work. If it is able to reach the domain, WannaCry shuts itself down. The purpose of this feature is not fully clear. Some researchers thought it was meant to be a way for the malware's developers to halt the attack. However, Marcus Hutchins, the British security researcher who noticed that WannaCry was trying to contact this URL, argues it was designed to make the file more difficult to analyze. Many researchers run malware in a sandbox environment in which every URL or IP address appears reachable; by hard-coding into WannaCry an attempt to contact a nonsense URL that was not supposed to exist, its developers hoped to ensure that the malware would not go through its paces where researchers could watch.

Not only did Hutchins locate the hard-coded URL, but he paid $10.96 to register the domain and set up a site there, helping to blunt the spread of the malware, though not to stop it entirely. Hutchins was arrested in 2014, soon after being hailed as a hero for this, for reportedly creating multiple pieces of malware. He declared his innocence [3].

4. What are the advantages and disadvantages of VMs?

Advantages of Virtual Server:

1. Simplified services, space savings, and time and expense savings.
2. Centralized administration with full device usability.
3. Greater availability in the event of a catastrophe and quicker recovery.
4. The ability to make copies and to use different environments on the same machine's operating system.
5. Managed access to intellectual property and confidential data by keeping them secure within the data center.
6. Best utilization of space: the less physical equipment mounted, the greater the space efficiency in racks.
7. Transparent migration of servers to new hardware.
8. Reliability and availability: other facilities are not impaired by a device malfunction.
9. Cost savings are feasible by running small virtual machines on a single, more efficient computer.
10. Adapting to various workloads, which can be managed simply. Virtualization software usually reallocates hardware resources automatically from one virtual machine to another.
11. Load balancing: the entire virtual machine is encapsulated, so it is easy to change the platform the virtual machine runs on and improve its performance.
12. Support for legacy applications: when an enterprise wishes to migrate to a new operating system, you can keep your old operating system running in a virtual machine, which decreases the expense of conversion.
13. Reduced staff, electricity, and cooling expenses by using less physical equipment.
14. Better hardware use: virtual machines share hardware that would otherwise sit idle.
15. Creates independent user environments. For applications such as software verification, keeping them apart is extremely useful.
16. Decreased downtime.
17. Ease of environment migration: systems to be migrated do not need to be reinstalled and reconfigured.

Disadvantages of Virtual Server:

1. The greatest downside of virtual servers is that if or when the server goes down, all of the websites it runs go down as well. The organization can set up a cluster of servers to solve this.
2. Management: virtual environments must be instantiated (instances created on virtual machines), monitored, configured and saved.
3. Difficulty in accessing hardware directly, such as specific cards or USB devices.
4. Performance: no consolidated methods are currently available to assess the performance of virtualized environments.
5. If many virtual machines run on the same host, performance can suffer if the computer they run on lacks adequate power.
6. Heavy consumption of RAM, since each virtual machine takes up a separate region of memory.
7. It needs several links in a chain that must operate cohesively together.
8. Heavy use of disk space, since each virtual machine requires all the files of its own operating system [4].

5. If the host computer gets infected with malware, is the malware going to infect the other VMs? Or if one of the VMs gets infected with malware, is the malware going to infect the host and the other VMs? Explain your answer.
Yes, a virus on the host can infect the VM, and an infected VM can infect the network in turn. When you run the VM in bridged mode, it acts like any other PC connected to the local network, so the VM needs a firewall and virus scanner just like any other PC would [5].

6. Briefly explain how to use virtualization to simulate an entire network.

Network virtualization decouples network services from the physical infrastructure and allows an entire network to be provisioned virtually. It enables software-defined networks to be built, provisioned, and managed programmatically, while continuing to use the underlying physical network as the backplane for packet forwarding. Physical network services such as switching, routing, firewalling, load balancing, virtual private networks (VPNs), and more are reproduced and delivered in software, and need only packet forwarding from the underlying physical network via the Internet Protocol (IP).
Network and security services are distributed over a virtual layer (the data center hypervisors) and are 'attached' to individual workloads, such as virtual machines (VMs) or containers, in accordance with the networking and security policies defined for each connected device. When a workload is moved to another server, its network resources and security policies move with it. And as new workloads are created to scale an application, the requisite policies are dynamically applied to them, enabling greater policy flexibility and network agility [6].

References:
[1] Us.norton.com. 2020. Good Cyber Hygiene Habits To Help Stay Safe Online. [online] Available at: <https://us.norton.com/internetsecurity-how-to-good-cyber-hygiene.html> [Accessed 16 December 2020].
[2] Mcit.gov.sa. 2020. Second Wave Of "Shamoon 2" Attacks Targets Saudi Arabia. [online] Available at: <https://www.mcit.gov.sa/en/media-center/news/89515> [Accessed 16 December 2020].
[3] Fruhlinger, J., 2020. What Is WannaCry Ransomware, How Does It Infect, And Who Was Responsible? [online] CSO Online. Available at: <https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html> [Accessed 16 December 2020].
[4] ESDS Official Knowledgebase. 2020. Advantages And Disadvantages Of Virtual Server - ESDS. [online] Available at: <https://www.esds.co.in/kb/advantages-and-disadvantages-of-virtual-server/> [Accessed 16 December 2020].
[5] Bleepingcomputer.com. 2020. Will A Virus Get Into A Virtual PC Even If It Is Virtually Disconnected? - General Security. [online] Available at: <https://www.bleepingcomputer.com/forums/t/551895/will-a-virus-get-into-a-virtual-pc-even-if-it-is-virtually-disconnected/> [Accessed 16 December 2020].
[6] VMware. 2020. Network Virtualization. [online] Available at: <https://www.vmware.com/topics/glossary/content/network-virtualization> [Accessed 16 December 2020].
