CS

Thursday, 24 November 2022 1:57 AM

1) Potentially Unwanted Program

- Software installed along with other programs
- Usually user does not want it on their computer
- Resulted as user overlook the default installation options
- It may be pre-installed software

2) Trojan
- An executable program that act as performing a benign activity but
actually does something malicious.
- Eg. Downloading a program that is advertised for being a calculator,
but actually is a malware that scans user info

3) Remote Access Trojan (RAT)

- Has basic functionality of a Trojan
- Gives threat agent unauthorized remote access to victim's computer
- Threat agent would have unrestricted access to victim's computer
- Attacker can monitor, change user computer settings, copy files
- Attacker can even use the computer to access other computers in the
network

- Helps malware avoid being detected by scanner.

1) Backdoor
- Gives access to computer, program, service that avoid normal security
protections.
- Once installed in computer, it allows attacker to return later and bypass
security settings.
- Is a common practice by developers when do not want to be hindered by
continual requests for passwords.
- Backdoor should be remove once app is finalized, but attackers left it
installed to bypass security later.

2) Logic Bomb
- Difficult to detect before they are triggered.
- Often embedded in large computer programs and trusted employee can
easily enter few lines of computer code into a long program without
being detected
- Programs not routinely scanned for containing malicious actions.
- Purpose: to seek revenge against company.

3) Rootkits
- Can hide its presence on the computer.
- By accessing lower layers of the operating system
- Enable it to become undetectable by operating system.
- A collection of tools that allow hacker to mask their intrusion and get
admin level access to computer or network.
- Done by exploiting known vulnerability or crack passwords.
- Rootkit can:
○ Monitor traffic & keystrokes, create backdoor, alter log files.

1) Develop Security Policies

- Act as a road map so employees know what and when to do, and who get
access to system or info.
- Factors to consider:
○ Tells employees what to do
○ Tells employees when to do it
○ Who get access to system/info
- Policy eg. :
A. Social Engineering Awareness - aware of threat of social engineering
B. Server Malware Protection - required to have antivirus
C. Software Installation - requirements of installing software
D. Removable Media - minimize usage

2) Provide Security Awareness Training

- To prevent massive losses to cyber attacks
- Training eg:
A. Baseline Testing - likelihood falling to phishing attack
B. Training Users - educate users
C. Phishing Campaigns - perform simulation of phishing attack
D. Reporting Results - use stats and graphs for training & phishing
activities

3) Using Multi-Factor Authentication

- Able to deter malware attacks
- Weakness: easily bypassed by SMS based MFA when threat actors capture
OTP.

4) Install Anti-Malware & Spam Filters

- Install anti-malware & spam filters to mail servers
- As email are primary method for malware delivery
- Good practice to purchase 2 different vendors for host-based & network
anti-malware

5) Change default OS Policies

- Improve default security settings for OS
- Eg.
○ Change password history from 10 to 24 passwords. So no repeated
passwords.
○ Reduce max password age from 90 to 42 days.

6) Perform Routine Vulnerability Assessments

- Scans help to identify known vulnerabilities.
- Eg. Nessus to scan ports, analyze protocols and map a network.
- Able to know which hosts using what services on a network.
- Consists of remediation plan to resolve at risk systems.
- Org. implement patch management program: to report on security
vulnerabilities.

Physical security threat:

- Potential cause of an incident that may result in loss or physical dmg to computer systems.

1) Internal:
- Fire threats, prevented with automatic fire detectors & extinguishers
- Backup tapes, stored in fireproof safe
- Unstable power supply, prevented with voltage controllers
- Humidity in computer room, controlled with air conditioner
2) External:
- Lightning protection systems, reduce chances of lightning causing dmg
- House computer systems in highlands, prevent dmg caused by flood
3) Humans:
- Computer systems locked in secure room with as few people to access as possible.
- Old backup tapes, destroyed b4 disposal

Server Rooms/Data Centers:

- Should be fire-resistant, have strong door with strong lock eg. Deadbolt
- Have good HVAC system.

IP Spoofing / Smurf attack / DoS attacks

- Happens when an attacker outside network pretend to be a trusted computer.

- Uses IP address that is within the range of IP Address of own network
- Attacker change all routing tables to point to the spoofed IP address to receive all network packets

Defense Mechanism / Countermeasures / Mitigations

1. Malware scanners
- Prevent malware from infecting system.
- Match files with any signature from a list of known malware definitions.
- Look for malware-like behaviour, eg. Manipulating registry.
2. Firewalls
- A barrier between computers of networks
- Should be turned on and installed with right configuration.
- Filter incoming packets based on certain parameters such as packet size & source IP addr
- Prevents DoS attack.
i. Stateless packet filtering
- Check to see if packet meets firewall rules.
- Criteria checked eg.: protocol, port, IP address.
ii. Stateful packet inspection (SPI)
- Examine packet based on data derived from previous packets
- Less susceptible to ping floods, SYN floods and spoofing
- Eg. Determine as DoS attack when alot of packets continuously coming from same
source IP.
iii. Application Gateway
- It connects client program to proxy.
- Proxy establishes connection with destination behind firewall on behalf of client, to
hide and protect individual computers on the network.
3. Antispyware
- Scans device whether there is any spyware running.
- Check against a list of known spyware included in antimalware solutions.
4. VPN
- Creates virtual connection between remote user or site and a central location.
- Packets transmitted in the connection are encrypted, making it private.
- VPN must emulate a direct network connection.

Cryptography:
- Practice of transforming info so that it cant be understood by unauthorized parties
- Scramble the info so that only approved recipients understand it.

Encryption:
- The process of changing original text into a scrambled msg
- Plaintext to ciphertext.

Decryption:
- The process of changing the msg back to its original form.
- Ciphertext to plaintext.

Plaintext: unencrypted data, input of enc, output of dec

Ciphertext: scrambled and unreadable, output of enc
Cleartext: unencrypted data, not intended for encryption
Cipher: a cryptographic algorithm to encrypt plaintext, uses mathematical formula

Key elements of effective cryptosystem

1. Must be reversible
- No practical use if info cant be unscramble after it has been scrambled
2. Secrecy and length of the key
- Security dependent on the secrecy and length of key, not details of algorithm.
- Longer key provides better security.
3. Subjected to substantial cryptanalysis
- Algorithms have to be analysed completely to make sure no serious or exploitable weakness. Should not be easy for
attacker to crack the cipher. Best case is that the strength of cipher is same as the key length.

Categories of ciphers

1. Substitution cipher
- Exchange 1 character for another
- Caesar cipher:
§ Replace each letter of the alphabet with a letter standing x place further, shifting
§ Eg. Shift to the right 3 times, ABC -> DEF, BCD -> EFG
§ Formula: (x+n) % 26

§ Brute force cryptanalysis can be easily performed onto this cipher

2. XOR cipher
- Based on binary operation exclusive OR to compare two bits
- Diff bits = 1, same bits = 0
- Commonly used in stream cipher
- Provides a range of security protections including:
§ Confidentiality: only authorized parties can view it
§ Integrity: ensure that info is correct and not altered
§ Authentication: eg. By using digital signature
§ Nonrepudiation: inability to deny, verified with digital signature
§ Obfuscation: encryption applied, make info unclear

3 states of data

- Data in processing
- Data in transit
- Data at rest

Symmetric cryptography

- Uses the same key to encrypt & decrypt

- Key must be kept private
- Key size larger, kept secret = more secured
- Encryption is relatively fast.

Weakness:
- Key/algorithm has to be shared.
- Not well suited for spontaneous communication.
- Provides no process for authentication or non-repudiation.
- Has complex administration.

1. Block Cipher
○ Convert plaintext into ciphertext in fixed-size blocks

1. Stream Cipher
○ Encrypts a continuous string of binary digits
○ Data cannot be chopped
○ Encryption is done 1 bit or byte at a time
○ Combines a key and a nonce digit to produce keystream
○ Key + name = keystream

DES
○ Block cipher, divides plain text into 64-bit blocks and encrypts each block.
○ The small key size is not good enough to defend against brute-force attacks

AES
○ Used to replace DES
○ Block cipher, works on 128-bit blocks
○ Can have one of the three key sizes: 128, 192, 256 bits.
○ Strong enough to protect military top secret data.

RC
○ RC4 - stream cipher, accepts keys up to 128 bits
○ RC5 - block cipher, has variable key length up to 2040 bits.

Link encryption

• Requires a lot of encryption devices

• Provides a high level of security
• Disadvantage: msg must be decrypted each time data enters a frame switch.

End-to-End encryption

• Encryption process is carried out at the 2 end systems.

• Source host encrypts data, data transmitted in encrypted form to destination.
• Destination shares a key with the source to decrypt the data.

For greater security:

• Both link and end-to-end encryption is needed.
• User data portion of a frame uses with end-to-end encryption key.
• Entire frame uses link encryption key.

Key distribution:

• Session key: for establishing logical connection. Encrypt user data with a one-time session key.
• Permanent key: used between entities to distribute session keys.
• Key distribution center (KDC):
○ determine which systems are allowed to communicate with each other.
○ Establish connection by providing a one-time session key for that connection.
• Steps:
a. Transmits connection request packet when a host wish to set up connection with another host.
b. SSM saves the packet and applies to the KDC to establish connection.
c. Encrypt communication between SSM and KDC. If connection approved, KDC generate session key and deliver to 2
appropriate SSMs using a permanent key.
d. The requesting SSM release connection request packet, connection set up between 2 end systems.

Asymmetric cryptography

• Key pairs: asymmetric requires a pair of keys, public + private key

• Public key: do not need to be protected, can be freely given to anyone.
• Private key: must be kept confidential and never shared. Only owner can have it.
• Both directions: a documented encrypted with public key can be decrypted with the corresponding private key, and vice versa.
• Eg. Bob use Alice private key to encrypt msg, then Alice use own private key to decrypt msg

Asymmetric algorithms

a. RSA
§ Algorithm (factoring) :
□ Block cipher, key size typically is 1024 bits
□ Multiplies 2 large prime numbers, p and q, to computer product n = pq
□ Use a new number, e, that is less than n and not sharing a prime factor to (p-1)(q-1) denoted as m
□ Another number, d is determined so that (ed-1) is divisible by m
□ Public key is (n,e) . Private key is (n,d)
§ Used in web browsers, email, VPNs, chat, communication channels.
§ Make secure connections between VPN clients and servers.

b. ECC
§ Algorithm:
□ Unlike RSA, ECC is not using factoring
□ Uses an obscure branch of mathematics, called elliptic curves.
□ It is a set of points that satisfy a specific mathematical equation.
□ Uses sloping curves, by adding values of 2 points on curve, get 3rd point on curve, which the inverse is used.
§ ECC is more difficult to break, making it more secured.
§ ECC has smaller key sizes as compared to RSA.
§ ECC is faster in computations and lower in power consumption.

c. DSA
§ Used to provide proofs to be certain of who's the sender.
§ Helps in authentication, non-repudiation and integrity.
§ Able to verify sender, as digital signature confirms the sender identity.
§ Prevent sender from disowning the msg, sender can't claim that the signature was forged.
§ Prove the message integrity, a digital signature proves that the msg is not altered.
§ Steps:
1) After sender create and has the msg, generates a digest on it.
2) Sender encrypts digest with his private key. Encrypted digest is the digital key for the msg.
3) Sender send both msg and digital signature to recipient.
4) Recipient decrypt the digital signature using sender's public key, reveal the digest. Can decrypt = verified sender
5) Recipient has the memo with the same hash algorithm received from sender. If same = msg not altered.

d. Diffie-Hellman key exchange

§ Eliminates confusion in which key to use.
§ Sender and recipient agree upon a large prime number and related integer, through mathematical computations and
exchange of intermediate values, can separately create same key to encrypt & exchange info.

Hash Algorithm

• Used for comparison purposes

• Has following characteristics: fixed size, unique, original, secure
• Used to verify that the original contents have not been changed
• Algorithm:
a. MD - used to check the integrity of files or to encode smaller strings
b. SHA
c. HMAC
§ used to ensure msg integrity
§ Detect intentional alterations in a msg

Authentication Process

User authentication:
- basic for most types of access control and for user accountability.
- Is the process of verifying an identity claimed for a system entity.
- Steps:
1. Identification step: present an identifier to the security system, eg. Username
2. Verification step: present an authentication information, eg. Password

Four means of authenticating user identity

1. Something the individual knows

- Password, pin.
2. Something the individual possesses
- Smartcard, physical key.
3. Something the individual is
- Fingerprint, face.
4. Something the individual does
- Voice pattern, handwriting.

Password authentication

- A secret combination of letters, numbers and characters.

- Provides a weak protection and are constantly under attack.
- Challenges:
Ø Difficult for users to memorize long & complex passwords.
Ø Difficult to remember different passwords for many accounts.
Ø Difficult to remember unique passwords for many accounts.
Ø Users have to repeatedly memorize new passwords if old passwords can't be reused.
- Shortcuts taken due to challenges:
Ø Use weak passwords, predictable sequence of characters, reuse same password
Ø Predictable patterns: appending (eg. simon1) , replacing (eg. s1mon)
Ø Common passwords: 123456, abcdefg, qwerty, abcd1234
- Attacks:
1. Pass the Has Attack
- Attacker steal file of password digests.
- Use password cracker to create known digests and compare with the stolen digests.
2. Password Spraying
- Select one or few common passwords and enters them trying to login to several
accounts.
- Result in occasional success, though not optimal
3. Brute Force Attack
- Exhaustively try every possible combination of letters, numbers and characters to
determine the user's password.
- Attack is done towards the same account continuously, and not upon multiple
accounts.
4. Rule attack
- Conduct a statistical analysis on the stolen passwords.
- Create a mask of the format of the candidate password.
- Eg. ?u?l?l?d?d?d
- Steps:
1. Steal password plaintext file
2. Perform statistical analysis
3. Generate a series of masks

Token-Based Authentication

- Approved user have a specific item in his possession, used along with passwords.
- Often called multifactor authentication (MFA)
- 1 type auth: single-factor auth. 2 types: two-factor auth (2FA)
- Most common items: specialized devices, smartphones, security keys.
1. Smart cards
○ inserted into card reader
○ Or contactless smart cards that require to be in close proximity
○ uses NFC/RFID
○ Must have magnetic strip
2. Windowed token
○ Display a dynamic value, is an OTP, authentication code used only once for a limited time
○ 2 types:
- Time based, TOTP: changes after a period of time
- HMAC, HOTP: change when specific event occurs, event driven
3. Smartphones
○ Once enter username & password, auth with smartphone by
- Phone call, SMS, authentication app (approve / deny)
○ Convenience but not considered to be a secure option
4. Security keys
○ A dongle inserted into USB port or near endpoint using NFC
○ Contains all necessary cryptographic info to authenticate user
○ Do not transmit OTP, easier to use

Biometric Authentication

- Physiological biometrics

○ Relate to which a body part functions

○ Uses body part uniquely functions in an individual
○ Specialized Biometrics Scanners:
- Retinal scanner:
□ layer at the back of eyeball, sensitive to light
□ Retina is complex, no similar pattern, may be altered due to diabetes
- Fingerprint scanner
□ Locates the point where fingerprint ridges end and split
- Vein scanner
□ Scan through blood circulation system in human body
- Gait recognition
□ A person's manner of walking
○ Standard input devices:
- Voice recognition
□ Size of person's head and age affects voice uniqueness
□ Concern: record user voice and play it as recording
- Iris scanner
□ Using webcam to scan
- Facial recognition
□ Distinguishable landmarks of facial features, eg. eyes nose mouth
□ Each human has approximately 80 nodal points
○ Disadvantages:
- Cost of specialized biometric scanners
- Not fool proof, genuine users rejected, imposters accepted
- Can be tricked, collect fingerprints

- Cognitive biometrics

○ Related to the perception, thought process and understanding of the user

○ Easier for user to remember, based on life experiences
○ Difficult for attacker to imitate
○ Is a knowledge-based authentication
○ Eg. Windows Picture Password, select at least 10 points of interest, gestures are recorded
- Need to know the part highlighted, order of gestures and direction

- Remote User Authentication

○ Generally rely on some form of challenge-response protocol

○ Eg. :
- Password protocol
- Token protocol
- Static Biometric Protocol
- Dynamic Biometric Protocol

User Authentication Security Issues

- Eavesdropping: use some sort of attack to learn user password

- Host attacks: directed at user file where the passwords are stored
- Replay: repeatedly resend data packet
- Client attacks: attempts to achieve user authentication without access to the remote host
- Trojan horse: an app pretend as authentic application and capture user password
- Denial-of-service: attempt to disable user authentication service by flooding the service"

Access Control
○ Grant or deny specific requests either to obtain data or enter specific physical facilities
○ A process where system resources usage are regulated according to a security policy
○ Specifies who or what may have access to system resource
○ Specifies the type of access that is permitted in each instance.
○ Authentication: verify whether user is valid
○ Authorization: determine the permission granted to user for system resources.
○ Audit: independent review of system records and activities.

a. DAC
§ Based on the identity of the requestor and on access rules.
§ Assign RWX permissions to file owners
§ Generally used for OS and dbs management system
§ Often provided using an access control matrix
§ List subjects on row and objects on columns

2. MAC
§ Based on comparing security labels with security clearances
§ Is more secure than DAC
§ Security admin define a central policy
§ Strive to defend against trojan horse
§ Labels eg. General, secret, top secret
3. RBAC
§ Based on user's role
§ Many to many relationship btw roles to resources
4. ABAC
§ Based on attributes of the user, resource and other conditions
§ Solves RBAC limitation in the digital environment complexity
§ Attributes:
□ Subject
® User attribute, eg. Username, age
□ Action
® Action to perform, eg. Read, transfer
□ Object
® Resource such as file, eg. File name, creation date
□ Contextual
® Requested time and place, eg. In past 24hrs.

IT Security Management

- provides info to decide what management, operational, and technical controls needed to reduce
risks.
- A process used to maintain CIA + accountability, authenticity and reliability.
- Used to determine org. IT security objectives, strategies & policies.
- Determines IT security requirements, threats and risks.
- Not undertaken once. It is a cyclic process that must be repeated constantly to keep pace with
rapid changes in both IT technology and risk environment.

Plan Do Check Act

1. Plan:
- Establish security policy, objectives, processes & procedures.
- Perform risk assessment and develop risk treatment plan
2. Do:
- Implement the risk treatment plan.
3. Check:
- Monitor and maintain the risk treatment plan.
4. Act:
- Maintain and improve the info security risk management process in response to identified
changes.

Security Risk Assessment

- Approaches to identify and mitigate risks to an org. IT infrastructure:

1. Baseline
- Implement basic general level of security controls
- Use baseline documents, codes of practice and industry best practice.
- Used only for small sized org.
- Adv:
□ Does not require to spend extra resources to conduct formal risk assessment
□ Same measures can be replicated over a range of systems
- Disadv:
□ No consider variations in the org. risk exposure based on how sys is used
□ Baseline level may be set too high or low
2. Informal
- Conduct some form of informal risk analysis for the org. IT systems
- Exploits the knowledge and expertise of the individuals performing this analysis.
- Used for small to medium sized org.
- Adv:
□ No extra skills required.
□ Can be performed quickly and cheaply.
- Disadv:
□ Some risks may leave the org. vulnerable due to risks not considered
appropriately
□ Inconsistent results due to prejudices of the individuals performing the analysis
3. Detailed risk
- Uses formal structured process to conduct detailed risk assessment
- For large org.
- Adv:
□ More detailed examination of security risks
□ Provides strong justification for spending on the controls to be implemented
- Disadv:
□ Involve significant cost in time, resources and expertise
□ Takes long time to analyze, causes delay in implementation
4. Combined
- Combines elements of baseline, informal and detailed risk analysis approaches
- Aim to provide reasonable levels of protection as quickly as possible
- Adv:
□ Ensures that a basic level of security protection is implemented early
□ Cost effective
- Disadv:
□ Inaccuracy in initial high-level analysis may leave system to be vulnerable for
some time.

Detailed Security Risk Analysis

Establish the context

a. Initial step: determine the basic parameters and identify the assets
b. Explore political and social environment: legal constraints as baseline
c. Risk appetite: determine the level of risk where the org. view as acceptable

Asset: system resources that requires protection

Threat: potential source for attacker to exploit a vulnerability
Vulnerability: a flaw or weakness in asset that may be exploited
Risk: potential for loss

Risk likelihood

a. Rare - unlikely to occur

b. Unlikely - could occur at some time
c. Possible - might occur and might not
d. Likely - will probably occur not surprisingly
e. Almost certain - expected to occur sooner or later

Risk consequences

a. Insignificant - minor security breach in a single area. Require only minor expenditure.
b. Minor - security breach in 1 or 2 areas.
c. Moderate - Limited systemic security breaches.
d. Major - Ongoing systemic security breach.
e. Catastrophic - Major systemic security breach.
f. Doomsday - multiple instances of major systemic security breaches. Substantial loss of
business

Risk treatment alternatives

a. Risk acceptance - accept risk

b. Risk avoidance - not proceed with the activity that creates this risk
c. Risk transfer - share responsibility with third party, buy insurance
d. Reduce consequence - modify the structure, change internal processes
e. Reduce likelihood - implement suitable controls to lower the chance, install antivirus

Security Control:
- A safeguard or countermeasure employed to protect CIA of system.
- Limit exposure to danger.

Control Classes

1. Management controls
- Address management issues
- Security policies, planning, guidelines, standards to protect organization
2. Operational controls
- Address correct implementation and use of security policies
- Relate to mechanisms and procedures implemented
3. Technical controls
- Involve the correct use of hardware and software security capabilities in systems
- Eg. Use anti virus, firewall, pop-up blocker

Inherit risk: current risk level given the existing set of controls.
Residual risk: risk level that remains after additional controls are applied.

Goal of security controls:

- Reach a balance between achieving an acceptable level of risk and expense while minimizing
losses

IT security plan

- Goal: detail the actions needed to improve the identified deficiencies in the risk profile.
- Details to be included:
- Risks, recommended controls, action priority
- Selected controls, resources needed
- Responsible personnel, implementation dates
- Maintenance requirements

Implementation details in Security Plan

- Risk
○ Combinations of asset, threat and vulnerability
- Recommended controls
○ What can be done from the risk assessment
- Priority
○ Whether low or high priority, action to be taken immediate or not
- Selected control:
○ What action is to be taken based on cost-benefit analysis