
VIETNAM NATIONAL UNIVERSITY, HANOI

INTERNATIONAL SCHOOL

INS3157

Principles of Information Security

PROJECT REPORT

Report by: Cao Sỹ Minh

Lecturer: Michael Ommar

Hanoi - 2021
CONTENTS

Chapter 1: Introduction
    About the Report
Chapter 2: Types of security threat
    1. What Is a Cyber Security Threat?
    2. Types of Cyber Security Threats
    3. An example of a recently publicized security breach
Chapter 3: Potential impact of incorrect configuration of firewall policies and IDS
Chapter 4: Method to assess and treat IT security risks
Chapter 5: Benefits of implementing network monitoring systems
Chapter 6: How a ‘trusted network’ may be part of an IT security solution
References

Chapter 1: INTRODUCTION

About the Report

VNPT works with medium-sized companies in Vietnam, advising on and implementing technical
solutions to potential IT security risks.

Most customers have outsourced their security concerns because they lack the technical
expertise in house. As part of my role, my manager Jonson has asked me to create an engaging
report presentation to help train junior staff members on the tools and techniques used to
identify and assess IT security risks, together with the organizational policies that protect
business-critical data and equipment.

Chapter 2: Types of security threat

1. What Is a Cyber Security Threat?

A cyber security threat refers to any possible malicious attack that seeks to unlawfully access
data, disrupt digital operations or damage information. Cyber threats can originate from
various actors, including corporate spies, hacktivists, terrorist groups, hostile nation-states,
criminal organizations, lone hackers and disgruntled employees.

In recent years, numerous high-profile cyber-attacks have resulted in sensitive data being
exposed. For example, the 2017 Equifax breach compromised the personal data of roughly
143 million consumers, including birth dates, addresses and Social Security numbers. In 2018,
Marriott International disclosed that hackers accessed its servers and stole the data of roughly
500 million customers. In both instances, the cyber security threat was enabled by the
organization’s failure to implement, test and retest technical safeguards, such as encryption,
authentication and firewalls.

Cyber attackers can use an individual’s or a company’s sensitive data to steal information or
gain access to their financial accounts, among other potentially damaging actions, which is
why cyber security professionals are essential for keeping private data protected.

2. Types of Cyber Security Threats:

There are different types of security threats to organizations, each of which can affect an
organization's business continuity.

1. Malware

Malware, short for "malicious software," refers to a type of computer program designed to
infect a legitimate user's computer and inflict harm on it in multiple ways. Malware can infect
computers and devices in several ways and comes in a number of forms, just a few of which
include viruses, worms, Trojans, spyware and more. It's vital that all users know how to
recognize and protect themselves from malware in all of its forms.

These criminals may employ a variety of sophisticated tactics. In some cases, as technology
site Public CIO [1] notes, cybercriminals have even "locked up" computer data, making the
information inaccessible, and then demanded a ransom from the users to get that data back.
Malware that does this is called ransomware: it prevents you from accessing the data on your
computer until you pay the demanded sum, and paying does not guarantee that the data is
recovered.

But the main risk that cybercriminals pose to heavy computer users is stealing online banking
information such as banking and credit card accounts and passwords. The criminal hackers
who steal this information may then use it to drain your account or run up fraudulent credit
card bills in your name. Or they may sell your account information on the black market, where
this confidential information fetches a good price.

2. Emotet:

Emotet is a computer malware program that was originally developed as a banking Trojan. Its
goal was to gain access to other people's devices and spy on sensitive private data. Emotet
has been known to evade and hide from basic antivirus programs. Once a machine is infected,
the malware spreads like a computer worm and attempts to infiltrate other computers on the
network.

Emotet spreads mainly through spam emails. The respective email contains a malicious link or
an infected document. If you download the document or open the link, further malware is
automatically downloaded onto your computer. These emails were created to look very
authentic and many people have fallen victim to Emotet.

Emotet establishes a backdoor onto Windows computer systems via automated phishing
emails that distribute Word documents compromised with malware. Subjects of emails and
documents in Emotet campaigns are regularly altered to provide the best chance of luring
victims into opening emails and installing malware.

Those behind Emotet lease their army of infected machines out to other cybercriminals as a
gateway for additional malware, including remote access tools (RATs) [2] and ransomware.
Emotet is not the only self-propagating threat of this kind: in 2017 the ransomware
WannaCry [3], which spread on its own through the EternalBlue [4] SMB exploit rather than
through Emotet, caused devastating damage worldwide in a matter of days.

3. Denial of Service:

A denial-of-service (DoS) attack is a type of cyber-attack in which a malicious actor aims to
render a computer or other device unavailable to its intended users by interrupting the
device's normal functioning. DoS attacks typically work by overwhelming or flooding a
targeted machine with requests until normal traffic can no longer be processed, resulting in
denial of service to additional users. A DoS attack is characterized by the use of a single
computer to launch the attack; when many machines (for example a botnet) are used, it is a
distributed denial-of-service (DDoS) attack.

How does it work? The primary focus of a DoS attack is to oversaturate the capacity of a
targeted machine, resulting in denial-of-service to additional requests. The multiple attack
vectors of DoS attacks can be grouped by their similarities.

DoS attacks typically fall into two categories:

• Buffer overflow and other resource-exhaustion attacks

An attack in which specially crafted input exploits a flaw in the target software, for example
by overflowing a memory buffer, causing the service to crash, hang or consume all available
memory or CPU time. A single malformed request can be enough, so this form does not depend
on the attacker's bandwidth.

• Flood attacks

By saturating a targeted server with an overwhelming number of packets, a malicious actor is
able to exceed the server's capacity, resulting in denial of service. For most DoS flood
attacks to succeed, the malicious actor must have more available bandwidth than the target,
which is why floods are usually launched from many machines at once.

4. Man-in-the-Middle:

A man-in-the-middle (MitM) attack requires the attacker to place themselves between two
communicating parties and relay messages for them, while the parties believe they are
communicating with each other directly and securely. The attacker can then monitor and
possibly change the contents of messages. The MitM concept [5] is not limited to computer
security; similar attacks existed in the physical world long before computers.

Man-in-the-middle attacks come in two forms: one that involves proximity to the intended
target (for example sharing its network), and another that involves malicious software, or
malware. The second form, in which malware inside the browser alters what the user sees and
sends, is also called a man-in-the-browser attack.

Cybercriminals typically execute a man-in-the-middle attack in two phases: interception and
decryption.

With a traditional MITM attack, the cybercriminal needs to gain access to an unsecured or
poorly secured Wi-Fi router. These types of connections are generally found in public areas
with free Wi-Fi hotspots, and even in some people’s homes, if they haven’t protected their
network. Attackers can scan the router looking for specific vulnerabilities such as a weak
password.

Once attackers find a vulnerable router, they can deploy tools to intercept and read the
victim’s transmitted data. The attacker can then also insert their tools between the victim’s
computer and the websites the user visits to capture log in credentials, banking information,
and other personal information.

A successful man-in-the-middle attack does not stop at interception. If the victim's traffic is
encrypted, the attacker must also defeat that encryption before the data can be read and acted
upon, typically by downgrading the connection to plain HTTP (SSL stripping) or by presenting a
forged certificate that the victim's software accepts. This is why certificate warnings must
not be clicked through, and why HSTS and certificate pinning are effective countermeasures.

5. Phishing:

Phishing is a cyber-attack that uses disguised email as a weapon. The goal is to trick the email
recipient into believing that the message is something they want or need — a request from
their bank, for instance, or a note from someone in their company — and to click a link or
download an attachment.

What really distinguishes phishing is the form the message takes: the attackers masquerade as
a trusted entity of some kind, often a real or plausibly real person, or a company the victim
might do business with. It's one of the oldest types of cyberattacks, dating back to the 1990s,
and it's still one of the most widespread and pernicious, with phishing messages and
techniques becoming increasingly sophisticated.

6. SQL Injection:

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for
backend database manipulation to access information that was not intended to be displayed.
This information may include any number of items, including sensitive company data, user lists
or private customer details.

The impact SQL injection can have on a business is far-reaching. A successful SQL injection
attack can result in unauthorized access to sensitive data, such as passwords, credit card
details, or personal user information. Many high-profile data breaches in recent years have
been the result of SQL injection attacks, leading to reputational damage and regulatory fines.
In some cases, an attacker can obtain a persistent backdoor into an organization's systems,
leading to a long-term compromise that can go unnoticed for an extended period.

Examples:

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in
different situations. Some common SQL injection examples include:

Retrieving hidden data, where you can modify an SQL query to return additional results.

Subverting application logic, where you can change a query to interfere with the application's
logic.

UNION [6] attacks, where you can retrieve data from different database tables.

Examining the database, where you can extract information about the version and structure of
the database.

Blind SQL injection, where the results of a query you control are not returned in the
application's responses.
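The examples above become concrete when the vulnerable query and its fix sit side by side. The following is an added worked example for this report, not code from the original page or from PortSwigger; it uses Python's built-in sqlite3 so it runs offline, and the schema, rows and attacker payloads are all constructed for the illustration. It demonstrates "subverting application logic" (a login bypass), "retrieving hidden data" (dropping a filter) and a UNION attack, and shows that the parameterised versions of the same queries are unaffected.

```python
"""Added example: SQL injection against string-built queries versus parameterised
queries, using Python's built-in sqlite3 so it runs offline. The schema, rows and
payloads are constructed for this illustration and are not from the report."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with a users table and a products table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'S3cret!', 'admin');
        INSERT INTO users VALUES ('bob', 'hunter2', 'user');
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Widget', 'gifts', 1);
        INSERT INTO products VALUES ('Gadget', 'gifts', 0);
        """
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Subverting application logic: user input is concatenated into the SQL text,
    so quotes, OR clauses and '--' comments in the input are parsed as SQL."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver never parses the values as SQL."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def released_products_vulnerable(conn, category: str) -> list:
    """Retrieving hidden data / UNION attack: a product search whose category
    filter is string-built, so the 'released = 1' restriction can be commented out
    and a UNION can pull rows from an unrelated table."""
    query = (
        "SELECT name FROM products WHERE category = '" + category
        + "' AND released = 1"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def released_products_safe(conn, category: str) -> list:
    query = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(query, (category,)).fetchall()]


# Constructed attacker inputs.
BYPASS_PASSWORD = "' OR '1'='1"      # turns the WHERE clause into a tautology
COMMENT_USERNAME = "alice' --"       # comments out the password check entirely
HIDDEN_CATEGORY = "gifts' OR 1=1 --" # drops the released = 1 filter
UNION_CATEGORY = "x' UNION SELECT username || ':' || password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", BYPASS_PASSWORD))    # True: login bypassed
    print(login_safe(db, "alice", BYPASS_PASSWORD))          # False: treated as a literal
    print(released_products_vulnerable(db, UNION_CATEGORY))  # leaks alice:S3cret!, bob:hunter2
    print(released_products_safe(db, UNION_CATEGORY))        # []
```

Note that the fix is not escaping or filtering quotes; it is keeping data out of the query text altogether with bound parameters, which every mainstream database driver supports. Storing passwords in plaintext as this toy schema does is a second defect, covered under password attacks below.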

7. Password Attacks:

A password attack is exactly what it sounds like: a third party trying to gain access to your
systems by cracking a user’s password.
This type of attack does not usually require any type of malicious code or software to run on
the system. There is software that attackers use to try and crack your password, but this
software is typically run on their own system.

Programs use many methods to access accounts, including brute force attacks made to guess
passwords, as well as comparing various word combinations against a dictionary file.
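Brute force and dictionary matching are usually run offline against a stolen hash dump rather than against the live login page, which is why the Canva case later in this chapter turns on how the passwords were stored. The following added example, written for this report and not taken from the report or any vendor, runs a dictionary attack against two constructed dumps of the same three users: one with unsalted SHA-256 hashes, one with per-user salts. It then shows the defensive counterpart, a slow salted key-derivation function (PBKDF2 here; bcrypt, which Canva used, works on the same principle). The wordlist, usernames, salts and hashes are all constructed.

```python
"""Added example (not from the report): an offline dictionary attack against leaked
password hashes, showing why per-user salts plus a slow hash matter. The wordlist,
users and salts are constructed here; nothing is taken from a real breach."""
import hashlib
import hmac
import os

# Constructed attacker wordlist, in the order the attacker tries it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "S3cret!"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def crack_unsalted(leaked: dict) -> tuple:
    """leaked maps username -> unsalted SHA-256 hex. The attacker hashes the wordlist
    once and looks every user up in the table, so users sharing a password fall
    together. Returns (cracked {user: password}, number of hashes computed)."""
    table = {sha256_hex(word): word for word in WORDLIST}
    cracked = {user: table[digest] for user, digest in leaked.items() if digest in table}
    return cracked, len(WORDLIST)


def crack_salted(leaked: dict) -> tuple:
    """leaked maps username -> (salt_hex, SHA-256(salt || password) hex). The shared
    table is useless: each user costs a fresh pass over the wordlist."""
    cracked, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for word in WORDLIST:
            work += 1
            if sha256_hex(salt + word) == digest:
                cracked[user] = word
                break
    return cracked, work


# Defensive side: a slow, salted KDF. ITERATIONS multiplies the attacker's per-guess
# cost by the same factor it multiplies the server's (one login = one computation).
ITERATIONS = 100_000


def store_password(password: str, salt: bytes = None) -> str:
    """Hash for storage: random 16-byte salt, PBKDF2-HMAC-SHA256, ITERATIONS rounds."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def sample_unsalted_dump() -> dict:
    """Constructed 'leak': two users share a weak password, one has a strong one."""
    return {
        "alice": sha256_hex("password"),
        "bob": sha256_hex("password"),
        "carol": sha256_hex("correct-horse-battery-staple-9f"),
    }


def sample_salted_dump() -> dict:
    """Same users and passwords, each hash salted with a constructed fixed salt."""
    salts = {"alice": "6f1a", "bob": "9c3e", "carol": "d07b"}
    plain = {"alice": "password", "bob": "password", "carol": "correct-horse-battery-staple-9f"}
    return {u: (salts[u], sha256_hex(salts[u] + plain[u])) for u in salts}


if __name__ == "__main__":
    print(crack_unsalted(sample_unsalted_dump()))  # 2 users cracked with 6 hashes
    print(crack_salted(sample_salted_dump()))      # same 2 users, 10 hashes
    record = store_password("S3cret!")
    print(verify_password("S3cret!", record), verify_password("s3cret!", record))
```

Salting alone does not stop the attack, as the second result shows: the weak passwords are still found, it just removes the shortcut of hashing the wordlist once for everyone. The iteration count (or bcrypt's cost factor) is what makes each remaining guess expensive, which is why the portion of the Canva dump that was eventually cracked was the weak passwords rather than the whole set.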

3. An example of a recently publicized security breach

In May 2019 the Australian graphic design website Canva [7] suffered an attack that exposed
the email addresses, usernames, names and cities of residence of 137 million users, together
with the bcrypt-hashed and salted passwords of the roughly 61 million users who did not use
social logins. Canva says the attackers managed to view, but not steal, files with partial
credit card and payment data.

The suspected culprit(s), known as Gnosticplayers, contacted ZDNet to boast about the
incident, saying that Canva had detected their attack and closed their data breach server. The
attacker also claimed to have obtained OAuth login tokens for users who signed in via Google.

The company confirmed the incident and subsequently notified users, prompted them to
change passwords, and reset OAuth tokens. However, according to a later post by Canva, a list
of approximately 4 million Canva accounts whose stolen password hashes had since been
cracked to plaintext was shared online, leading the company to invalidate those passwords
where they had not already been changed and to notify the affected users.

This case shows that organizational security procedures are essential for every company's
network. Here are three procedures you need to know about if you are starting a new security
program:

1. Acceptable Use Policy (AUP)

An AUP stipulates the constraints and practices that an employee using organizational IT
assets must agree to in order to access the corporate network or the internet. It is a standard
onboarding policy for new employees, who are given an AUP to read and sign before being
granted a network ID. It is recommended that an organization's IT, security, legal and HR
departments discuss what is included in this policy.

2. Change Management Policy

A change management policy refers to a formal process for making changes to IT, software
development and security services/operations. The goal of a change management program is
to increase the awareness and understanding of proposed changes across an organization,
and to ensure that all changes are conducted methodically to minimize any adverse impact on
services and customers.

3. Information Security Policy

An organization's information security policies are typically high-level policies that can cover a
large number of security controls. The primary information security policy is issued by the
company to ensure that all employees who use information technology assets within the
organization, or on its networks, comply with its stated rules and guidelines. Some
organizations ask employees to sign this document to acknowledge that they have read it
(which is generally done when signing the AUP [8]). This policy is designed to make employees
recognize that there are rules they will be held accountable to with regard to the sensitivity of
corporate information and IT assets.

Chapter 3: Potential impact of incorrect configuration of firewall policies
and IDS

Network firewalls are not easy to keep current. Keeping rules up to date when environments
and applications are dynamic and complex is very difficult.

Because of this challenge, firewall policy often lags behind the current state of your
applications and data. Every rule that is too permissive, or that refers to a host or address
that no longer exists, increases risk in your data center until someone manually corrects it.
Moreover, those rules may well become obsolete again almost immediately, so manual
maintenance alone can never fully stem the growing risk. The same applies to an IDS:
signatures and thresholds that are not tuned to the current network either miss attacks or
bury analysts in false positives, so alerts stop being read.

The most common firewall misconfigurations are:

• EC2 instances: Configuring security groups incorrectly can lead to unnecessary risk.
One widely cited 2017 analysis of AWS customer environments reported that "among the
most egregious were AWS Security Groups configured to leave SSH wide open to the
Internet in 73 percent of the companies analyzed." Any approach that relies on IP
addresses that constantly change is going to be error-prone.
• VPC access: Of course, your business does not want anyone on the internet to be able
to reach your VPCs. Even so, this is a common mistake. Many businesses use network
ACLs to manage the problem, but maintaining them is time-consuming and can leave
blind spots.
• Service permissions: It often happens that unnecessary services are left running on the
firewall, opening up enterprises to risk and broadening the attack surface. When devices
are configured from the start on the principles of zero trust and least privilege, this risk
is removed and devices can only perform the specific function you need them for.
• Inconsistent authentication: Enterprises often have networks that span multiple
geographies and locations, as well as different environments. Consistent authentication
across these places is a cornerstone of good firewall hygiene. If some requirements are
weaker than others, the misalignment creates vulnerable areas of the enterprise that can
be exploited like an unlocked door, leaving your business open to attack.
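The "SSH wide open to the Internet" finding in the first bullet is easy to audit mechanically. The following is an added example written for this report, not code from the original page or from AWS: a check over security group rules in the shape returned by the EC2 DescribeSecurityGroups API (a list of groups, each with an `IpPermissions` list of `IpRanges`/`Ipv6Ranges`). The three groups are constructed sample data so the check runs offline; the third group shows the corrected form of the first, with SSH restricted to a bastion subnet and only HTTPS left public. To audit a real account, pass `ec2.describe_security_groups()["SecurityGroups"]` from boto3 instead.

```python
"""Added example (not from the report): auditing AWS security groups for the
misconfiguration quoted above, administrative ports reachable from the whole
Internet. The input follows the shape of EC2 DescribeSecurityGroups, but the groups
below are constructed sample data so the check runs offline."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}


def port_range(perm: dict) -> tuple:
    """Ports a permission covers; IpProtocol '-1' means all traffic on all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def cidrs(perm: dict) -> list:
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def find_world_open_admin_ports(groups: list) -> list:
    """One finding per (group, admin port) reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "6", "-1"):
                continue  # UDP/ICMP-only rules cannot expose these TCP services
            open_cidrs = sorted(c for c in cidrs(perm) if c in WORLD_CIDRS)
            if not open_cidrs:
                continue
            lo, hi = port_range(perm)
            for port, service in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append({
                        "group": group["GroupId"],
                        "name": group.get("GroupName", ""),
                        "port": port,
                        "service": service,
                        "cidrs": open_cidrs,
                    })
    return findings


# Constructed sample groups (IDs and CIDRs are illustrative).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-open-ssh",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary debug access"}],
          "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "allow-everything",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    # Corrected form of the first group: SSH only from the bastion subnet.
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web-hardened",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.20.0.0/24", "Description": "bastion subnet"}],
          "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]


if __name__ == "__main__":
    for f in find_world_open_admin_ports(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['service']}/{f['port']} open to {f['cidrs']}")
```

The "all traffic" rule in the second group produces four findings from a single permission, which is the usual way a quick fix ("just allow everything so it works") becomes the widest hole in the account. Run such a check on every change rather than once a quarter, since, as noted above, rules drift out of date almost as soon as they are written.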

Besides those listed above, VPNs [9] deserve a mention. A VPN is useful technology, but it
moves trust rather than removing it: all of your network traffic is routed through the
provider's network, so how safe you are depends entirely on the provider. If the provider is
trustworthy you need not worry, but if it is not, it can see the destination of every
connection and the content of any traffic that is not separately encrypted, and it can misuse
that data.

Chapter 4: Method to assess and treat IT security risks.

A security risk assessment identifies, assesses, and implements key security controls in
applications. It also focuses on preventing application security defects and vulnerabilities.

Carrying out a risk assessment allows an organization to view the application portfolio
holistically—from an attacker’s perspective. It supports managers in making informed
resource allocation, tooling, and security control implementation decisions. Thus, conducting
an assessment is an integral part of an organization’s risk management process.

Factors such as size, growth rate, resources, and asset portfolio affect the depth of risk
assessment models. Organizations can carry out generalized assessments when experiencing
budget or time constraints. However, generalized assessments don’t necessarily provide the
detailed mappings between assets, associated threats, identified risks, impact, and mitigating
controls.
If generalized assessment results don’t provide enough of a correlation between these areas,
a more in-depth assessment is necessary.

The four steps of a successful security risk assessment model are:

1. Identification. Determine all critical assets of the technology infrastructure. Next,
identify the sensitive data that is created, stored or transmitted by these assets. Create a
risk profile for each.
2. Assessment. Apply a method to assess the identified security risks for critical assets.
After careful evaluation, determine how to effectively and efficiently allocate time and
resources to risk mitigation. The assessment approach or methodology must analyze the
correlation between assets, threats, vulnerabilities and mitigating controls.
3. Mitigation. Define a mitigation approach and enforce security controls for each risk.
4. Prevention. Implement tools and processes to minimize threats and vulnerabilities
from occurring in your firm's resources.
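The four steps produce a risk register, and the register is what management actually reads. The following added example, written for this report rather than taken from it, encodes the steps: assets with their threats and vulnerabilities (identification), a likelihood-by-impact score (assessment), the mitigating controls and the residual risk they leave (mitigation), and a treatment decision against a risk appetite threshold (prevention). The assets, scores, control effectiveness figures and the threshold are constructed for illustration; a real assessment takes them from the organization's own asset inventory, threat model and management.

```python
"""Added example (not from the report): a minimal risk register that walks the four
assessment steps in code. Assets, threats, scores, control effectiveness and the
risk appetite threshold are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str                     # step 1: the critical asset and the data it holds
    threat: str
    vulnerability: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # step 3: (control name, effectiveness 0..1)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        for name, eff in self.controls:
            if not 0.0 <= eff <= 1.0:
                raise ValueError(f"control {name!r} effectiveness must be in 0..1")

    def inherent(self) -> int:
        """Step 2: risk before controls, as likelihood x impact (max 25)."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after controls. Treats controls as independent: each one
        removes its fraction of whatever risk the previous ones left."""
        remaining = 1.0
        for _, eff in self.controls:
            remaining *= 1.0 - eff
        return round(self.inherent() * remaining, 1)


def treatment(residual: float, appetite: float = 6.0) -> str:
    """Steps 3 and 4: map residual risk to a treatment decision against the appetite."""
    if residual >= 15:
        return "avoid or escalate to management"
    if residual > appetite:
        return "mitigate: add or strengthen controls"
    return "accept and monitor"


def assess(register: list, appetite: float = 6.0) -> list:
    """Return (asset, threat, inherent, residual, treatment) rows, highest residual
    first, which is the order in which time and budget should be allocated."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [(r.asset, r.threat, r.inherent(), r.residual(), treatment(r.residual(), appetite))
            for r in ranked]


# Constructed register for a small company.
SAMPLE_REGISTER = [
    Risk("Customer database", "SQL injection via web app", "string-built queries",
         likelihood=4, impact=5, controls=[("WAF in blocking mode", 0.5)]),
    Risk("Public web server", "SSH brute force", "SSH reachable from the Internet",
         likelihood=5, impact=3, controls=[("security group limited to bastion", 0.9)]),
    Risk("Staff laptops", "ransomware via phishing", "no phishing training, no EDR",
         likelihood=4, impact=4),
]


if __name__ == "__main__":
    for asset, threat, inherent, residual, decision in assess(SAMPLE_REGISTER):
        print(f"{asset:18} {threat:28} inherent={inherent:2} residual={residual:5} -> {decision}")
```

The point of the residual column is that the highest inherent risk (SQL injection at 20) is not the top priority once its control is counted, while the uncontrolled ransomware risk is; a register that only scores inherent risk sends the budget to the wrong place. The independence assumption in `residual()` is a simplification that a real methodology would replace with its own scoring rules.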

Chapter 5: Benefits of implementing network monitoring systems

As a company’s IT systems develop and overlap in function, active network monitoring helps
to ensure central servers and systems are functioning as intended, while also allowing
business management staff to keep an eye on employee activity in the process. Although the
importance of monitoring solutions is clear for most organizations, many business leaders and
teams might not be fully aware of the benefits such toolsets represent:

1. Document Usage Metrics

Through the use of specialized IT monitoring tools, your team can leverage custom reports
generated from documented user activity.

Accurate reports help eliminate guesswork in determining which aspects of your company’s
daily operations could use developmental improvements and what those improvements ought
to affect. All manner of usage metrics can be targeted and monitored to glean clear,
actionable insights worth basing future development plans on.

2. Identify Potential Improvements

As metrics are amassed by your chosen monitoring tools, potential improvements can be
identified faster, leading to less time being taken to develop them in the first place.

Bottlenecks in employee workflow, management insight and profitability can be identified at
the server level through consistent monitoring, then improved in increments to achieve steady
growth over time.

3. Centralize Server Reporting

Scanning log and configuration files for clues as to which direction research should proceed in
can waste a lot of your team’s time—time that could otherwise be put directly into
meaningful development.

Overcoming this obstacle means simplifying and streamlining IT infrastructure reporting
across the board. However, it can be costly to implement separate monitoring solutions at
each endpoint your current systems support, not to mention the confusion that managing
multiple monitoring systems can cause.

Sophisticated IT monitoring solutions help by centralizing the process significantly, as is the
case with Power Admin's Server Monitor software, which generates reports for your entire
server network that can be viewed on a single pane of glass.
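Centralized reporting earns its keep when the collected logs are turned into a small number of actionable alerts rather than a bigger pile of lines. The following added example, written for this report and not taken from it or from any monitoring vendor, shows the kind of detection a central monitor runs over collected sshd authentication logs: it flags a source address that fails to log in five times within a minute on one host, and raises a higher-severity alert if that same address then succeeds. The log lines are constructed for the illustration (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges); the parser reads the standard OpenSSH syslog format, so the same function can be pointed at a real auth.log.

```python
"""Added example (not from the report): brute-force detection over collected sshd
log lines, the kind of rule a centralized monitoring system evaluates. The log lines
are constructed for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard OpenSSH syslog format; "invalid user" appears when the name does not exist.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line: str):
    """Return a dict for sshd password events, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # syslog timestamps carry no year; relative ordering within one file is all we need
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def detect_brute_force(lines, threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> list:
    """Sliding-window count of failures per (host, source IP).

    Emits one 'brute_force' alert when a source reaches `threshold` failures inside
    `window`, and a 'success_after_brute_force' alert for any later successful login
    from a flagged source, which is the event an on-call engineer must act on first."""
    failures = defaultdict(deque)   # (host, ip) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["ip"])
        if ev["result"] == "Failed":
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()                  # drop failures older than the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "brute_force", "host": ev["host"], "ip": ev["ip"],
                               "failures": len(q), "last_user": ev["user"]})
        elif key in flagged:                 # Accepted from a source already flagged
            alerts.append({"type": "success_after_brute_force", "host": ev["host"],
                           "ip": ev["ip"], "user": ev["user"]})
    return alerts


# Constructed sample: one attacker cycling usernames and finally getting in, one
# user mistyping twice, one key-based login, and a cron line the parser ignores.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Mar 10 09:12:03 web01 sshd[2101]: Failed password for invalid user test from 203.0.113.45 port 50124 ssh2
Mar 10 09:12:05 web01 sshd[2103]: Failed password for root from 203.0.113.45 port 50126 ssh2
Mar 10 09:12:06 web01 CRON[2110]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:12:08 web01 sshd[2104]: Failed password for invalid user oracle from 203.0.113.45 port 50128 ssh2
Mar 10 09:12:11 web01 sshd[2106]: Failed password for deploy from 203.0.113.45 port 50130 ssh2
Mar 10 09:12:14 web01 sshd[2107]: Failed password for deploy from 203.0.113.45 port 50132 ssh2
Mar 10 09:12:40 web01 sshd[2108]: Accepted password for deploy from 203.0.113.45 port 50134 ssh2
Mar 10 09:13:02 web01 sshd[2115]: Failed password for alice from 198.51.100.7 port 41002 ssh2
Mar 10 09:13:10 web01 sshd[2115]: Failed password for alice from 198.51.100.7 port 41002 ssh2
Mar 10 09:13:15 web01 sshd[2115]: Accepted password for alice from 198.51.100.7 port 41002 ssh2
Mar 10 09:14:00 db01 sshd[3001]: Accepted publickey for backup from 10.0.0.5 port 39000 ssh2
""".splitlines()


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Two alerts come out of twelve lines, and the second one (a success from the attacking address) is the one worth a page at 3 a.m. Without central collection the same evidence is spread across hosts where nobody correlates it, which is the concrete form of the "centralize server reporting" benefit above. The threshold and window are tuning knobs: set too low they produce the false-positive flood described in Chapter 3, set too high they miss slow attacks.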

Chapter 6: How a ‘trusted network’ may be part of an IT security solution

1. Trusted network:

A trusted network (TN) architecture uses existing standards, protocols and hardware devices
to implement "trust." TNs provide important security services such as user authentication,
comprehensive network device admission control, end-device status (posture) checks,
policy-based access control, traffic filtering, automated remediation of non-compliant devices
and auditing. The Trusted Computing Group (TCG) has published industry standards for TNs
through its Trusted Network Connect (TNC) work group. Several commercial TN technologies
have been developed, including Cisco TrustSec [10], Cisco NAC Appliance [11] (formerly Cisco
Clean Access, part of Cisco Network Admission Control) and Microsoft Network Access
Protection (NAP) [12]. Cisco NAC is interoperable with Microsoft NAP.

2. Trusted network protocol:

TNs leverage existing standards and protocols to implement the required security
functionality, which reduces the cost of building them. Protocols used in TNs include
IPsec [13] for protecting communications, EAP [14] and IEEE 802.1X for authentication,
RADIUS/LDAP/Kerberos [15, 16, 17] for directory services and authentication, HCAP for
compliance (posture) communication, and GAME for communications between AAA and audit
servers.

REFERENCES

1.) https://www.cio.com/asean/

2.) https://encyclopedia.kaspersky.com/glossary/rat-remote-access-tools/

3.) https://www.f-secure.com/v-descs/trojan_w32_wannacryptor.shtml

4.) https://www.avast.com/c-eternalblue

5.) https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/

6.) https://portswigger.net/web-security/sql-injection/union-attacks

7.) https://it360.co.nz/blog/canva-and-pdl-data-breach-2019/

8.) https://whatis.techtarget.com/definition/acceptable-use-policy-AUP

9.) https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn

10.) https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html

11.) https://www.cisco.com/c/en/us/obsolete/security/cisco-nac-appliance-clean-access.html

12.) https://docs.microsoft.com/en-us/windows/win32/nap/network-access-protection-start-page

13.) https://www.cloudflare.com/learning/network-layer/what-is-ipsec/

14.) RFC 3748, Extensible Authentication Protocol (EAP): https://www.rfc-editor.org/rfc/rfc3748

15.), 16.) https://jumpcloud.com/blog/ldap-vs-radius

17.) https://web.mit.edu/kerberos/
