8/27/18
ITSS 4V95 IT Cybersecurity, Prithi Narasimhan, UT-Dallas
Introduction to IT Security

Computer Security Concepts
• The NIST Computer Security Handbook [NIST95] defines the term computer security as: “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”

Introduction
• Security has always been a major business concern
  • Physical assets are protected with locks, barriers, guards.
  • Information assets are protected with passwords, coding, certificates, encryption.
• Computers and the Internet have redefined the nature of information security
• Laws and enforcement in cyber crime
  • Slow to catch up
  • Breaking into a computer is now a federal crime in the U.S.
  • New laws against cross-border cyber crimes exist, yet they are difficult to enforce and sentences are typically very light

Computer Security Incidents
• Computer security is increasingly important
• More sophisticated tools for breaking in
• Viruses, worms, credit card theft, and identity theft leave firms with liabilities to customers
• Incidents are escalating at an increasing rate
• The Computer Emergency Response Team (CERT) was formed at Carnegie Mellon University with US DoD support
  • Responds to and raises awareness of computer security issues, www.cert.org
• Worldwide annual information security losses may be $2 trillion

Financial Impact of Security
• Security issues can impact consumer confidence
• 70% of all email sent worldwide was spam in 2006. Today ???
• New laws on data privacy and financial information include the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA)

Why Networks Need Security
• Organizations are vulnerable due to their dependency on computing and widely available Internet access to their computers and networks
• Business loss potential due to security breaches
  • $350,000 average loss per incident
  • Reduced consumer confidence as a result of publicity
  • Loss of income if systems are offline
  • Costs associated with strong laws against unauthorized disclosures (California: $250K for each such incident)
• Protecting organizations’ data and application software
  • Value of data and applications far exceeds the cost of networks
  • Firms may spend about $1,250/employee on network security

(Three chart slides) 2017 Cyber Security Study, retrieved from https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf

Q1: What Is the Goal of Information Systems Security?
Copyright © 2015 Pearson Education, Inc.

Examples of Threat/Loss

What Are the Sources of Threats?

Goal of Information Security
• Find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.
• Get in front of the security problem by making appropriate trade-offs for your life and your business.

Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)
(chart)

(Chart; source: Accenture 2017 Cyber Security Study)

Ponemon Study Findings (2012)
• It is difficult to estimate the exact cost of a computer crime.
• The cost of computer crime is usually based on surveys.
• Data loss is the single most expensive consequence of computer crime, accounting for 44% of costs in 2012.
• 80% of respondents believe data on mobile devices poses significant risks.

(Chart; source: Accenture 2017 Cyber Security Study)

Top Attacks Experienced
(Chart; source: Accenture 2017 Cyber Security Study)

Summary Findings
• The median cost of computer crime is increasing.
• Malicious insiders are an increasingly serious security threat.
• Data loss is the principal cost of computer crime.
• Survey respondents believe mobile device data is a significant security threat.
• Security safeguards work

2017 Statistics
(Chart; source: Accenture 2017 Cyber Security Study)

Information Security?
• What is information security?
• Information security (also called computer security) is the act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, corruption, and destruction or theft.
• It typically includes an in-depth plan on how to secure data, computers, and networks.

The Security Requirements Triad
Figure 18.1 The Security Requirements Triad: Confidentiality, Integrity and Availability, surrounding data and services

Protecting Data at Rest
Protecting Data in Transit / Motion (Network Security)

Computer Security Objectives
• Confidentiality (threat: Disclosure)
  • Data confidentiality assures that private or confidential information is not made available or disclosed to unauthorized individuals
  • Privacy assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
• Integrity (threat: Alteration)
  • Data integrity assures that information and programs are changed only in a specified and authorized manner
  • System integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
• Availability (threat: Destruction)
  • Assures that systems work promptly and service is not denied to authorized users

Q4: How Should Organizations Respond to Security Threats?

Q5: How Can Technical Safeguards Protect Against Security Threats?

Table 18.1 Threat Consequences, and the Types of Threat Actions That Cause Each Consequence (Based on RFC 2828)
Unauthorized Disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
  • Exposure: Sensitive data are directly released to an unauthorized entity.
  • Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
  • Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.
  • Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system’s security protections.
Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
  • Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
  • Falsification: False data deceive an authorized entity.
  • Repudiation: An entity deceives another by falsely denying responsibility for an act.
Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.
  • Incapacitation: Prevents or interrupts system operation by disabling a system component.
  • Corruption: Undesirably alters system operation by adversely modifying system functions or data.
  • Obstruction: A threat action that interrupts delivery of system services by hindering system operation.
Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.
  • Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
  • Misuse: Causes a system component to perform a function or service that is detrimental to system security.
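Data integrity, as defined above (information and programs changed only in a specified and authorized manner), together with the corruption and falsification consequences in Table 18.1, is what a file integrity check is built to catch. The following is an added example and not part of the original slides: it records a keyed digest of every file under a directory and later reports each file as ok, modified, missing or new. The key value, directory layout and file contents are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

# Added integrity-check example (not from the slides). Assumptions: the key
# comes from a secrets store and the baseline is kept where the monitored
# host cannot rewrite it; here both live in memory for the demo.


def file_tag(path: Path, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256) of a file's contents.

    A plain hash lets anyone who can alter the file also recompute the
    stored digest; the key makes the baseline entries themselves
    tamper-evident.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> Dict[str, str]:
    """Tag every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): file_tag(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, key: bytes, baseline: Dict[str, str]) -> Dict[str, str]:
    """Compare the current tree with the baseline.

    Returns {relative_path: status}, where status is "ok", "modified"
    (alteration), "missing" (destruction) or "new" (a fabricated file,
    which is also an integrity event).
    """
    current = build_baseline(root, key)
    report = {}
    for rel, tag in baseline.items():
        if rel not in current:
            report[rel] = "missing"
        elif hmac.compare_digest(current[rel], tag):
            report[rel] = "ok"
        else:
            report[rel] = "modified"
    for rel in current:
        if rel not in baseline:
            report[rel] = "new"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline three files, then alter, delete and add."""
    key = b"demo-key-not-a-real-secret"  # assumption, for the demo only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original program")
        (root / "config.ini").write_text("debug=false\n")
        (root / "notes.txt").write_text("unchanged\n")
        baseline = build_baseline(root, key)

        # events between baseline and verification
        (root / "bin" / "app").write_bytes(b"original program + inserted code")
        (root / "config.ini").unlink()
        (root / "dropped.exe").write_bytes(b"fabricated")
        return verify(root, key, baseline)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:8s} {path}")
```

Run as a script, the demo prints one line per file. A baseline built with one key and verified with another reports every file as modified, which is the intended failure mode: the check is only as trustworthy as the key and the storage of the baseline.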
Figure 18.2 Scope of System Security
• Users making requests pass through a guard (user authentication) into the computer system, where processes representing the users access the data.
• 1 Access to the data must be controlled (protection)
• 2 Access to the computer facility must be controlled (user authentication)
• 3 Data must be securely transmitted through networks (network security)
• 4 Sensitive files must be secure (file security)

Classroom Activity
• The following examples affect which TRIAD of IT Security?
  • Equipment stolen or disabled, thus preventing users from using the system. – Availability
  • Programs deleted, denying access to users. – Availability
  • A program was modified to cause it to fail or do unintentional actions – Integrity
  • An unauthorized copy of the software is made – Confidentiality

Classroom Activity
  • A program was modified to cause it to bring the systems down. What has been compromised? – Integrity
  • An unauthorized data read is performed and the data is being analyzed. – Confidentiality
  • Messages are passively intercepted and directed to a remote location – Confidentiality

Examples of threats, by asset and security objective:
• Hardware
  • Availability: Equipment is stolen or disabled, thus denying service.
• Software
  • Availability: Programs are deleted, denying access to users.
  • Confidentiality: An unauthorized copy of software is made.
  • Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.
• Data
  • Availability: Files are deleted, denying access to users.
  • Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
  • Integrity: Existing files are modified or new files are fabricated.
• Communication Lines
  • Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
  • Confidentiality: Messages are read. The traffic pattern of messages is observed.
  • Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.
Table 18.2 Computer and Network Assets, with Examples of Threats

The AAA of Computer Security
• Authentication: When a person’s identity is established with proof and confirmed by a system
• Authorization: When a user is given access to certain data or areas of a building
• Accounting: The tracking of data, computer usage, and network resources

Categories of Attacks
• Passive attacks
  • Attempt to learn or make use of information from the system but do not affect system resources.
  • Are in the nature of eavesdropping on, or monitoring of, transmissions.
  • The goal of the attacker is to obtain information that is being transmitted.
  • Difficult to detect because they do not involve any alteration of the data.
  • Emphasis is on prevention rather than detection.
  • Two types:
    • Release of message contents: we want to prevent an opponent from learning the contents of a transmission.
    • Traffic analysis: even when the contents of a message are encrypted, so that an opponent who captures the message cannot extract the information, the pattern of the traffic can still be observed.

Categories of Attacks
• Active attacks
  • Involve some modification of the data stream or the creation of a false stream
  • The goal is to detect them and to recover from any disruption or delays
  • Four categories: Replay, Masquerade, Modification of messages, Denial of service
    • Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
    • Masquerade: Takes place when one entity pretends to be a different entity; usually includes one of the other forms of active attack
    • Modification of messages: Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect
    • Denial of service: Prevents or inhibits the normal use or management of communications facilities; disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance

Q & A
• A software script that listens to changes in an LDAP directory and writes the changes into another directory is an example of what kind of attack (active or passive)?
• A software script that listens to changes in an LDAP directory and modifies entries in the same directory, rendering applications faulty, is a kind of ?

Types of Controls/Countermeasures
• Mechanisms that reduce or eliminate the threats to network security
• Types of controls:
  • Preventative controls
    • Mitigate or stop a person from acting or an event from occurring (e.g., locks, passwords, backup circuits)
    • Act as a deterrent by discouraging or restraining
  • Detective controls
    • Reveal or discover unwanted events (e.g., auditing)
    • Documenting events for potential evidence
  • Corrective controls
    • Remedy an unwanted event or a trespass (e.g., reinitiating a network circuit)

Types of Controls/Countermeasures (cont.)
• Deterrent controls
  • Deter users from performing actions on a system. Ex: Fence around a building; huge fines for speeding; the risks or implications of a failed attack make the attack not worth pursuing.
• Directive controls
  • Controls designed to specify acceptable rules of behavior within an organization. Ex: User Acceptance Policy
• Recovery controls
  • After a security incident, recovery controls may have to be taken in order to restore functionality of the system and organization. Ex: Reinstall the OS from a disc or image; data restored from backup.
• Compensating controls
  • An additional control in place to compensate for a weakness in the system. Ex: Watching non-work related multimedia movies at work can be a cause for losing a job. This is an administrative control.

Security Implementation
• Securing the assets or infrastructure elements requires personnel designated to be accountable for controls:
  • Develop controls
  • Ensure that controls are operating effectively
  • Update or replace controls when necessary
• Controls need to be reviewed periodically for usefulness, verification and testing:
  • Ensure that the control is still present (verification)
  • Determine if the control is working as specified (testing)
  • Is the control still working as it was specified? Are there procedures for temporary overrides on the control?
Intrusion Examples
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission

Intruder Behavior Patterns
• Hackers
  • Hack into a computer for the thrill or for status
• Criminals
  • Organized groups of intruders
  • Usually have specific targets or classes of targets in mind
  • Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
• Insider Attacks
  • Difficult to detect and prevent
  • Employees have access to and knowledge of the structure and content of databases
  • Can be motivated by revenge or a feeling of entitlement

Types of Hackers
• White hats: These people are non-malicious; for example, an IT person who attempts to hack into a computer system before it goes live to test the system.
• Black hats: These are malicious individuals who attempt to break into computers and computer networks without authorization. Black hats are the hackers who attempt identity theft, piracy, credit card fraud, and so on. Penalties for this type of activity are severe.
• Gray hats: These are individuals who do not have any affiliation with a company, but risk breaking the law by attempting to hack a system.

Types of Hackers (cont.)
• Blue hats: These are individuals who are asked to attempt to hack into a system by an organization, but the organization does not employ them.
• Elite: These hackers are the ones who first find out about vulnerabilities. Only 1 out of an estimated 10,000 hackers wears the Elite hat.

Other Types of Attackers
• Script kiddies: These are individuals with little or no technology skills. They typically use code that was written by others and is freely accessible on the Internet.
• Hacktivists: The name hacktivist is often applied to different kinds of activities, from hacking for social change, to hacking to promote political agendas, to full-blown cyberterrorism.
• Organized crime groups: Individuals who are part of an organized crime group are often well-funded and can have a high level of sophistication.
• Advanced persistent threats (APTs): Often, an APT entity has the highest level of resources, including open-source intelligence (OSINT) and covert sources of intelligence.

Malicious Software
• Malware
  • Malicious software that exploits system vulnerabilities
  • Designed to cause damage to or use up the resources of a target computer
  • Frequently concealed within or masquerades as legitimate software
• Two categories
  • Those that need a host program (parasitic)
  • Those that are independent
• May or may not replicate

Malicious Software
• What is malware?
  • Malware is software designed to infiltrate a computer system and possibly damage it without the user’s knowledge or consent.
• Types of malware
  • Viruses
  • Worms
  • Trojan horses
  • Ransomware
  • Spyware
  • Rootkits
  • Spam

Malicious Programs
• Back door (also known as a trap door)
  • A secret entry point into a program that allows someone who is aware of the back door to gain access without going through the usual security access procedures.
  • A maintenance hook is a backdoor inserted by a programmer to aid in testing and debugging.
• Logic Bomb
  • One of the oldest types of program threats
  • Code embedded in some legitimate program that is set to “explode” when certain conditions are met.

Malicious Programs
• Trojan Horse
  • A useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function
  • Can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly
  • Trojan horses fit into one of three models:
    • Continuing to perform the function of the original program and additionally performing a separate malicious activity
    • Continuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activity
    • Performing a malicious function that completely replaces the function of the original program

Ransomware
• What is ransomware?
  • Ransomware is a type of malware that restricts access to a computer system and demands that a ransom be paid.
  • Personal files are encrypted and the user is locked out.
  • The malware then informs the user that in order to decrypt the files, or unlock the computer to regain access to the files, a payment would have to be made to one of several banking services, often overseas.
  • An example of ransomware is CryptoLocker.
  • CryptoLocker encrypts certain files on the computer’s drives using a public key.

Malicious Programs
• Spyware and Adware are types of Trojans.
  • Spyware monitors what happens on a target computer.
  • An example of spyware is the Internet Optimizer. The Internet Optimizer redirects Internet Explorer error pages out to other websites’ advertising pages.
  • Adware monitors user actions and displays pop-up ads on the user’s screen.
• Grayware
  • Grayware is another general term that describes applications that are behaving improperly but without serious consequences.
Copyright 2011 John Wiley & Sons, Inc.

Rootkit
• A rootkit is a type of software designed to gain administrator-level control over a computer system without being detected.
• It is used to perform malicious operations on a target computer at a later date without the knowledge of the administrators or users of that computer.
• Rootkits can target the UEFI/BIOS, boot loader, kernel, and more.
• Rootkits are difficult to detect because they are activated before the operating system has fully booted.
• Sony spyware rootkit example
  • To track users who might be illegally copying and distributing copies of CDs.
  • Used a rootkit on audio CDs sold in 2005 that can conceal its existence from users.
  • The Federal Trade Commission ruled in 2007 that Sony had violated Federal laws and had to reimburse consumers up to $150.

Viruses
• Software that can “infect” other programs by modifying them
  • The modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs
• A virus has three parts:
  • Infection mechanism
    • The means by which a virus spreads, enabling it to replicate
    • Also referred to as the infection vector
  • Trigger
    • The event or condition that determines when the payload is activated or delivered
  • Payload
    • What the virus does, besides spreading
    • May involve damage or may involve benign but noticeable activity

Viruses
• Typical hosts for viruses in a computer are:
  • EXE files on Windows machines
  • Boot sectors of disk partitions
  • Script files for system administrators
    • BAT files in Windows and SH files in Unix
  • Documents that are allowed to contain macros
    • Word, Excel, Access database, etc.

Virus Phases
• Dormant Phase
  • The virus is idle
  • Will eventually be activated by some event
  • Not all viruses have this stage.
• Propagation Phase
  • The virus places an identical copy of itself into other programs
  • Each infected program will now contain a clone of the virus, which will itself enter a propagation phase
• Triggering Phase
  • The virus is activated to perform the function for which it was intended
• Execution Phase
  • The function is performed

Virus Classifications by Target
• Boot sector infector
  • Infects a master boot record and spreads when a system is booted from the disk containing the virus
• File infector
  • Infects files that the operating system or shell considers to be executable
• Macro virus
  • Infects files with macro code that is interpreted by an application

Virus Classification by Concealment Strategy
• Encrypted virus
  • A portion of the virus creates a random encryption key and encrypts the remainder of the virus
  • The key is stored with the virus
• Stealth virus
  • A form of virus explicitly designed to hide itself from detection by antivirus software
  • The entire virus, not just the payload, is hidden
• Polymorphic virus
  • A virus that mutates with every infection, making detection by the “signature” of the virus impossible
• Metamorphic virus
  • Mutates with every infection
  • Rewrites itself completely at each iteration, increasing the difficulty of detection

Macro Viruses
• In the mid 1990s macro viruses became by far the most prevalent type of virus
• Threatening because:
  • A macro virus is platform independent
  • Macro viruses infect documents, not executable portions of code
  • Macro viruses are easily spread
  • Traditional file system access controls are of limited use in preventing their spread
• A macro is an executable program embedded in a word processing document or other type of file

E-Mail Viruses
• The first rapidly spreading e-mail viruses made use of a Microsoft Word macro embedded in an attachment
  • If the recipient opens the e-mail attachment, the Word macro is activated
  • The virus sends itself to everyone on the mailing list in the user’s e-mail package
  • The virus does local damage on the user’s system
• In 1999 a virus appeared that could be activated merely by opening an e-mail that contains the virus rather than opening an attachment
  • The virus uses the Visual Basic scripting language supported by the e-mail package
• Malware arrives via e-mail and uses e-mail software features to replicate itself across the Internet
  • The virus propagates itself as soon as it is activated to all of the e-mail addresses known by the infected host

Worms
• A worm is much like a virus, except that it self-replicates, whereas a virus does not. It does this in an attempt to spread to other computers.
• Programs that can replicate themselves and send copies from computer to computer across network connections
• In addition to propagation the worm usually performs some unwanted function
• Worms take advantage of security holes in operating systems and applications, including backdoors.
• Actively seek out more machines to infect, and each machine that is infected serves as an automated launching pad for attacks on other machines
• A network worm:
  • Exhibits the same characteristics as a computer virus
  • May attempt to determine if a system has previously been infected before copying itself

Example – Morris Worm
• A 23-year-old doctoral student from Cornell, Robert Morris, wrote a small program in November 1988 and it brought the entire Internet down.
• Read passwords from the Unix /etc/passwd file.
• Used dictionary words to decipher the passwords.
• Tried to crack passwords of hosts it knew about and used services available within a host it gained access to in order to attack other hosts.

Example – Code Red worm
• Observed on the Internet in 2001.
• Attacked computers running Microsoft IIS Web servers.
• Exploited a vulnerability known as a “buffer overflow” by using a large string of repeated N characters to overflow the buffer.
• Affected the White House.
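Code Red’s buffer overflow, described above, arrived as a web request carrying a very long run of repeated N characters. A defender’s log-side check for that shape, as an added example that is not from the slides: it parses IIS W3C extended log lines and flags any request whose URI contains a long run of one repeated character or is overlong. The log lines, client addresses and thresholds are constructed for the demo; the generic rule also catches other overlong-request attacks, not only Code Red.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Added detection example (not from the slides). The log lines, client
# addresses and both thresholds below are constructed assumptions.

MAX_RUN = 64         # longest run of one repeated character tolerated in a URI
MAX_URI_LEN = 2048   # anything longer is flagged as overlong on its own


@dataclass
class Finding:
    client: str
    uri: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line of an IIS W3C extended log.

    Field names come from the '#Fields:' directive; other '#' lines are
    metadata. Lines whose field count does not match are skipped so a
    malformed entry cannot stop the detector.
    """
    fields: Optional[List[str]] = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character in s."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def inspect_record(rec: Dict[str, str]) -> Optional[Finding]:
    """Flag an overlong URI or one carrying a long run of a repeated character."""
    uri = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    if query != "-":                       # IIS logs '-' for an empty query
        uri = f"{uri}?{query}"
    client = rec.get("c-ip", "?")
    shown = uri if len(uri) <= 40 else uri[:40] + "..."
    if len(uri) > MAX_URI_LEN:
        return Finding(client, shown, f"uri length {len(uri)} exceeds {MAX_URI_LEN}")
    run = longest_run(uri)
    if run > MAX_RUN:
        return Finding(client, shown, f"run of {run} repeated characters")
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(inspect_record, parse_w3c(lines)) if f is not None]


# Constructed sample log: one normal page view, one request shaped like the
# Code Red filler (a long run of 'N'), one normal query, one overlong query.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:00:01 192.0.2.10 GET /index.html - 200
2001-07-19 10:00:02 192.0.2.11 GET /default.ida {filler} 200
2001-07-19 10:00:03 192.0.2.12 GET /products.asp id=42 200
2001-07-19 10:00:04 192.0.2.13 GET /search.asp q={long} 404
""".format(filler="N" * 200, long="a" * 3000)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.client}  {f.reason}  {f.uri}")
```

The two thresholds are deliberately loose so that long but legitimate query strings pass; a run of one byte longer than a few dozen characters almost never occurs in a real URI, which is why the run check is the more specific signal of the two.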
Example: ILoveYou worm
• Damages estimated at $10 billion in 2000.
• Created by two Filipino programmers, Reonel Ramones and Onel de Guzman
• Used social engineering to make people click on the attachment, in this case a confession.
• The attachment was a TXT file.
• Once clicked, the worm broadcast itself to everyone on the mailing list and made the host computer unbootable.
• This led to the enactment of the E-Commerce Law

Ways to Deliver Malicious Software
Malware can be delivered in several ways:
• Via software, messaging, and media
• Botnets and zombies
• Active interception
• Privilege escalation
• Backdoors
• Logic bombs

Bots
• Also known as a zombie or drone
• A program that secretly takes over another Internet-attached computer, then uses it to launch attacks that are difficult to trace to the bot’s creator
• A botnet is a collection of bots capable of coordinating attacks
• Characteristics:
  • The bot functionality
  • A remote control facility
  • A spreading mechanism to propagate the bots and construct the botnet

Uses of Bots
• Distributed denial-of-service attacks
• Installing advertisement add-ons and browser helper objects (BHOs)
• Spamming
• Manipulating online polls/games
• Sniffing traffic
• Keylogging
• Spreading new malware

Remote Control Facility
• Is what distinguishes a bot from a worm
  • A worm propagates itself and activates itself, whereas a bot is controlled from some central facility
• A typical means of implementation is on an IRC server
  • All bots join a specific channel on this server and treat incoming messages as commands
• Once a communications path is established between a control module and the bots, the control module can activate the bots

Example: Bot
• Mariposa bot:
  • Observed in 2008. Involved in cyberspamming and DoS attacks.
  • Monitored activity for passwords, bank credentials and credit cards.

Constructing a Network Attack
• Software to carry out the attack must be able to run on a large number of machines and remain concealed
• The attack must be aware of a vulnerability that many system administrators have failed to notice
• A strategy for locating vulnerable machines must be implemented
  • This is known as scanning or fingerprinting

Scanning Strategies
• Random
  • Each compromised host probes random addresses in the IP address space, using a different seed
• Hit List
  • The attacker first compiles a long list of potentially vulnerable machines
  • Once the list is compiled, the attacker begins infecting machines on the list
• Topological
  • Uses information contained on an infected victim machine to find more hosts to scan
• Local subnet
  • If a host can be infected behind a firewall, that host then looks for targets in its own local network
  • The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall

Spam (Unsolicited Bulk Email) and SPIM
• The extremely low cost required to send large volumes of e-mail has led to the rise of unsolicited bulk email, commonly known as spam
• A number of recent estimates suggest that spam may account for 90% or more of all e-mail sent
  • This imposes significant costs both on the network infrastructure needed to relay this traffic and on users who need to filter out their legitimate e-mails
• Is a significant carrier of malware
• May be used in a phishing attack, typically directing the user to a fake Web site that mirrors some legitimate service and capturing the user’s personal information or logins and passwords
• Spim (spam over instant messaging) is a derivative of spam. Spim is the abuse of instant messaging systems, chat rooms, and chat functions in games specifically. It is also known as messaging spam, or IM spam.
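The scanning strategies listed above (random, hit list, topological, local subnet) all look alike from the network’s side: one source contacting many distinct destinations in a short time. The following is an added example, not part of the slides, of a sweep detector over constructed connection records: it counts distinct destination hosts per source within a sliding time window and labels a sweep as local-subnet when every target sits inside the source’s own /24 (the footprint of the local subnet strategy) or wide otherwise. The record format, thresholds, addresses and timestamps are assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Added sweep-detection example (not from the slides). The record format,
# addresses, timestamps and both thresholds are constructed assumptions.

FAN_OUT_THRESHOLD = 8   # distinct destination hosts from one source ...
WINDOW_SECONDS = 60     # ... within a window this long


@dataclass
class Conn:
    ts: int      # seconds since epoch
    src: str
    dst: str
    dport: int


@dataclass
class Alert:
    src: str
    targets: int
    pattern: str  # "local-subnet" or "wide"


def parse_conn_lines(lines: Iterable[str]) -> List[Conn]:
    """Parse 'ts src dst dport' records (a simplified, constructed flow format)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        out.append(Conn(int(ts), src, dst, int(dport)))
    return out


def classify(src: str, targets: Set[str]) -> str:
    """Local-subnet sweep if every target is inside the source's own /24."""
    net = ipaddress.ip_network(f"{src}/24", strict=False)
    if all(ipaddress.ip_address(t) in net for t in targets):
        return "local-subnet"
    return "wide"


def detect_sweeps(conns: List[Conn]) -> List[Alert]:
    """One alert per source whose fan-out in any window reaches the threshold."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)
    alerts = []
    for src, flows in by_src.items():
        best: Set[str] = set()
        start = 0
        for end in range(len(flows)):          # sliding window over time
            while flows[end].ts - flows[start].ts > WINDOW_SECONDS:
                start += 1
            window = {f.dst for f in flows[start:end + 1]}
            if len(window) > len(best):
                best = window
        if len(best) >= FAN_OUT_THRESHOLD:
            alerts.append(Alert(src, len(best), classify(src, best)))
    return alerts


def constructed_sample() -> List[str]:
    lines = ["# ts src dst dport   (constructed, not a real capture)"]
    # (a) local subnet sweep: one host walks its own /24 on port 445 in 12 s
    for i in range(1, 13):
        lines.append(f"{1000 + i} 10.0.5.4 10.0.5.{100 + i} 445")
    # (b) wide, random-style probing across unrelated networks on port 80
    wide = ["198.51.100.7", "192.0.2.33", "203.0.113.250", "198.51.100.90",
            "192.0.2.8", "203.0.113.17", "198.51.100.200", "192.0.2.77",
            "203.0.113.3"]
    for i, dst in enumerate(wide):
        lines.append(f"{2000 + 5 * i} 203.0.113.9 {dst} 80")
    # (c) ordinary client talking to three servers: below the threshold
    for i, dst in enumerate(["10.0.5.1", "10.0.5.2", "10.0.5.3"]):
        lines.append(f"{2500 + i} 10.0.5.20 {dst} 443")
    # (d) slow walker: ten hosts, but 100 s apart, so never inside one window
    for i in range(1, 11):
        lines.append(f"{3000 + 100 * i} 10.0.7.7 10.0.7.{i} 22")
    return lines


def run_demo() -> List[Alert]:
    return detect_sweeps(parse_conn_lines(constructed_sample()))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.src}: {a.targets} distinct targets ({a.pattern} sweep)")
```

The slow walker in case (d) is the detector’s known blind spot: a window-based fan-out count only sees sweeps faster than the window, so a production rule pairs it with a longer-horizon count or a hit-list style correlation across sources.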
Credential Theft, Keyloggers, and Spyware
• Keylogger
  • Captures keystrokes on the infected machine to allow an attacker to monitor this sensitive information
• Spyware
  • Subverts the compromised machine to allow monitoring of a wide range of activity on the system
  • May include monitoring the history and content of browsing activity
  • Redirecting certain Web page requests to fake sites controlled by the attacker
  • Dynamically modifying data exchanged between the browser and certain Web sites of interest

Phishing and Identity Theft
• Phishing
  • Exploits social engineering to leverage the user’s trust by masquerading as communications from a trusted source
  • Spam e-mail may direct a user to a fake Web site controlled by the attacker, or to complete some enclosed form and return it to an e-mail address accessible to the attacker, which is used to gather a range of private, personal information on the user
• Spear-phishing
  • E-mail claiming to be from a trusted source; however, the recipients are carefully researched by the attacker and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity

Security Technologies Used
Figure 18.6 Security Technologies Used (bar chart of percent of respondents, 0% to 100%, per technology). Technologies surveyed: Anti-virus software; Firewall; Anti-spyware software; Virtual private network (VPN); Vulnerability/Patch Management; Encryption of data in transit; Intrusion detection system (IDS); Encryption of data at rest (in storage); Web/URL filtering; Application firewall; Intrusion prevention system (IPS); Log management software; Endpoint security software; Data loss prevention/content monitoring; Server-based access control list; Forensic tool; Static account logins/passwords; Public key infrastructure (PKI); Smart cards and other one-time tokens; Specialized wireless security; Virtualization-specific tools; Biometrics; Other.
Source: Computer Security Institute 2010/2011 Computer Crime and Security Survey

Security Technologies Used, 2017
(chart) Source: http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf