ORGANISATIONAL SYSTEMS SECURITY T/601/7312 LEVEL 3 UNIT 5
LO1 - Understand the impact of potential threats to IT systems

Organisations collect, create and manipulate a wide range of data and information; the cost of these activities is often much higher than the organisation realises until the data is lost or stolen. Everyone who works with an information system should understand their responsibility to protect the system against theft or loss, and all IT professionals need to understand how to support the organisation in protecting its digital assets and hardware. This unit will enable the learner to recognise the importance of protecting systems against security issues or failures when working with hardware and software and when providing guidance to customers on the security of their systems. It will also ensure that learners keep security at the forefront of their activities, so that they can identify threats and protect the organisation and its assets as they work with the information system, both while working towards the qualification and in the workplace.

The aim of this unit is to give the learner an understanding of the importance of securing organisational IT systems, the impact of the law on the application of security policies, the range of security threats an organisation must protect against, and the tools used to provide that protection. The learner will be able to apply this knowledge to any organisation by reviewing its security and making recommendations for improvements.

Assessment criteria

The pass criteria are the pass requirements for this unit. For merit, the evidence must show that, in addition to the pass criteria, the learner is able to meet the merit criteria. For distinction, the evidence must show that, in addition to the pass and merit criteria, the learner is able to meet the distinction criteria.

Learning outcome 1: Understand the impact of potential threats to IT systems
  P1  Explain the impact of different types of threat on an organisation
  M1  Compare and contrast the impact of different types of threat to different organisation types

Learning outcome 2: Know how organisations can keep systems and data secure
  P2  Describe how physical security measures can aid in keeping systems secure
  M2  Discuss the effectiveness of physical security measures used in an identified organisation
  P3  Describe how software and network security can keep systems and data secure
  M3  Discuss the effectiveness of software security measures used in an identified organisation

Learning outcome 3: Understand the organisational issues affecting the security of IT systems
  P4  Explain the policies and guidelines for managing organisational IT security issues
  D1  Recommend modifications to policies and guidelines for managing organisational IT security issues
  P5  Explain how employment contracts can affect security
  D2  Review contracts of employment in an organisation and their impact on security
  P6  Assess the laws related to security and privacy of data

Guidance for P1: Learners could prepare a presentation explaining the impact of different types of threat on an organisation's IT system. They should include a minimum of five threats from the teaching content, including physical and technological threats that realistically apply to modern organisations and their IT systems.

Guidance for M1: Learners should compare and contrast the impact of threats (ideally those explained for P1) and what each would mean for two different types of organisation, including their own organisation if applicable, and explain why the impact differs.
The learner must provide a complete set of speaker notes containing detailed information for the bullets or data on their slides. In a workplace, this could be evidenced by the learner taking part in a security audit, either in a group or individually. Where the evidence comes from a group activity, the learner must identify their own contribution and provide a witness testimony from their supervisor or manager confirming that they undertook the specific tasks identified in the documentation offered as evidence of having achieved the assessment criteria.

The internet, journals, newspaper articles and books on IT security are full of interesting and relevant cases: many are humorous in a macabre way, and others reflect things learners will have seen in films. This approach makes the subject more alive and relevant to the learner. Learners should be encouraged to work in groups to find examples of these cases and then, in a small or wider group, discuss the impact on the organisations involved and what steps were or could have been taken to secure against the identified threats. Learners should keep up their research into the latest IT security failures in the news and investigate different approaches to IT security, with examples of successes and failures across an increasingly wide spectrum of organisations. Learners should take their general findings and apply them to an organisation they are familiar with, either through work experience, a workshop or their training facility. Alternatively, learners may research an organisation of their choice to identify how these historical security failures would realistically affect that organisation.

Organisations have always depended on information to ensure success.
Over the years, organisations have moved their information systems from pure data processing to strategic and decision support, making their networks do more and, in the process, exposing themselves to additional risks. Managers need information to plan successfully in the short, medium and long term. It is also recognised that information is required at all levels of an organisation and that information can come from many sources. The importance of valid information in gaining competitive advantage needs to be stressed.

Risks to this information can take many forms: internal and external, technical and environmental, accidental and deliberate. Most can be foreseen, so the threat can be prepared for physically and technically, but with the rise of groups such as LulzSec and Anonymous, attacks are becoming more frequent, more co-ordinated and more damaging. The recent attacks on Sony, Iran's nuclear facilities and NatWest show that protection methods only work to a degree.

Physical threats

There are two kinds of physical threat to computers and data: environmental and deliberate. The damage from each varies with the suddenness and duration of the event. Physical damage can be repaired to a degree: data can be recovered from hard drives after all but the most severe damage, computers can be replaced, and insurance can cover everything except the time lost.

Environmental damage: temperature. Hard drives in particular do not tolerate heat; sustained high temperatures shorten their life and raise failure rates. Overheating can also burn out a CPU or start a fire, and any crash or power loss it causes loses whatever is held in volatile RAM. Longer-term heat exposure makes stored data and the operating system progressively less reliable as drive errors accumulate.
Computer systems do not like extreme cold either; LCD panels in particular can be damaged if they get too cold, and though a monitor is an easy replacement it is still an inconvenience to companies. Humidity: in a normal office humidity is not a real problem for computers, but in countries and locations where humidity is high, computers, particularly servers and full-size machines, suffer. Moisture can build up inside the case, short-circuit components and cause them to fail, and in combination with heat it accelerates corrosion and condensation on cool components. As long as the ambient temperature stays within roughly 18-27 °C (65-80 °F) there should not be a problem. Servers are kept in a cooled room with cooling fans, so this is not an issue until the cooling fails: a server room heats up within a short time without cooling, and adding humidity can lead to electrical faults and fires, loss of data and complete crashes.

Natural disasters are a greater threat to computer systems. We tend to think of small problems such as how we get back into the office and what we will do for computers, but on a grander scale, when an earthquake hits a region that hosts data centres and suppliers, as the 2011 Japanese earthquake did, companies worldwide can suffer for weeks until the data is recovered. Earthquakes are not something we worry about much in Britain, but when our information is stored elsewhere, or the information we need from business partners happens to be in Japan, Italy, the west coast of America or another earthquake zone, they become an issue. The shaking itself rarely destroys the data on a drive; the real damage comes when power or cooling fails, or the building collapses on the equipment. Most companies keep backups, which reduces recovery time significantly.
The 2011 Japanese earthquake and tsunami was reported to have damaged about half of the submarine cables running across the Pacific Ocean, with repair times quoted at between one and several weeks. The downtime severely affected the revenues of numerous network operators and enterprises around the world.

Flooding. We see this as a greater problem in Britain, especially after January 2014. Computer systems on the ground floor of buildings will be out of action, electricity in the building will be off, and any computer in direct contact with water will probably be damaged. For insurance purposes this is not a major issue, since companies are usually covered; downtime is the bigger issue. In Japan in March 2011, a Sony plant responsible for magnetic tape and Blu-ray Discs was inundated when the tsunami washed through the town of Tagajyo and was one of six Sony plants left idle. Two Nikon plants were severely damaged and were not expected back online until at least the end of that March, and Fujitsu's major chip plant in Aizu Wakamatsu was closed with no estimate of when production would resume.

Malicious damage

Malicious damage is a greater day-to-day risk to information and data, but it also has the more obvious solutions. Causing system crashes by manipulating software (spyware, malware, keylogging and DDoS) is the work of people deliberately trying to provoke or break a computer system. Most of this damage can be recovered from, but all of it harms data and a company's finances and reputation to some degree. These are a problem both internally and externally, and one that network managers face every day. The larger the company, the more likely and the more deliberate the attack. Under the Data Protection Act (DPA) all personal information must have a degree of protection, but this is not always enough.
Keylogging, for instance, is usually an internal threat unless it arrives as malware. It lets an attacker capture names and passwords, security logins and a record of what the user has been doing and how they got there. Keyloggers can be hardware or software based.

Wilful damage to monitors, hard discs and so on is an internal problem. Staff can and often do abuse systems for one reason or another, either accidentally (water spills, dropped laptops) or deliberately (anger, mistreatment or malicious damage). Usually this is a one-off: one computer, one frustration, a damaged printer or photocopier. The resulting damage or loss of data is minor; downtime is another matter. A dead or damaged laptop will usually lose any data stored only on it, but most companies encourage staff to save their work to the network, so the data loss is limited, whereas a broken machine means downtime while it is replaced or repaired. A broken printer can affect a whole office, and a broken photocopier can affect multiple offices.

Physical theft is purely deliberate. Computers get stolen, laptops and tablets in particular, and some places are worse than others. In schools, for instance, mice go missing; an average classroom of computers will lose one every week. In companies the same is true of staplers, sticky notes, folders and so on. During the London riots it was the hardware that could not be tracked that went missing first: laptops, base units, televisions and monitors, as well as projectors and tablets. Memory sticks are the worst for theft: small, easy to take, hard to track, and they all look the same (or can be made to). The information on them can be of varying importance: it could be some work that needed finishing and must therefore be restarted, or something private such as medical records or financial details. Either way, it is rare for staff to return them, knowing how important they are.
Task 1 – P1.1 – Produce a report that identifies the impact on an organisation of environmental, malicious and physical threats to its data.

The risk to data, and the environmental, malicious and physical threats to it, vary from company to company. High-profile companies such as banks face more of a threat from malicious code, malware and outside attacks than from theft or physical damage, because of the amount of monitoring that goes on. Schools, however, are more at threat from flooding and physical attacks than from earthquakes or malicious code, although these still happen. For merit, you need to state the nature of the data two different companies hold and compare the threats to this data and their impact.

Task 2 – M1.1 – Compare and contrast the impact of different types of threat to different organisation types.

Threats to company data (complete one table per organisation):

  Nature of the threat                     Risk of damage                                          Impact to the business
  Earthquakes                              Medium to data; high to customer account information
  Flooding
  Crashes through manipulating software
  Wilful damage to hardware
  Physical theft

Europe has entered a "Cyber Cold War" (source: NATO, FBI, McAfee and the Serious Organised Crime Agency). China is the most active in spying, but 120 other countries are involved.
• NATO said that all 26 of its member countries have been targeted by cyber-attacks (e.g. Estonia).
• Georgia's government websites fell victim to cyber-attacks (DDoS and defacements) described as "too sophisticated for amateurs".
• The Tibetan government website was injected with malicious source code.
• Palin's Yahoo account was hacked in less than 45 minutes using the password reset functionality.
• Web defacers hacked into the CERN website of the LHC (Large Hadron Collider).
• A UK minister confirmed that cyber-terrorists were attempting to take out the National Grid (August 2008).
• Recent malware infiltration of Iran's nuclear programme.

Viruses

Viruses have been the bane of IT and companies since networks were introduced into companies for business transactions. Remember that every computer virus was created by someone for a purpose, whether to annoy, to destroy, or to deliberately bring down a company or website.

computer virus n. A computer program designed to replicate itself by copying itself into other programs stored on a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory.

All viruses are different, so they act in different ways and have different purposes. Symantec defines threats daily according to the likelihood of risk and the exploit a virus takes advantage of in its attack (see http://www.symantec.com/norton/security_response/threatexplorer/index.jsp).

A computer virus is simply a malicious computer program that can copy itself and infect a computer. The term "virus" is also commonly used to refer to other types of malware. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD or USB drive.
Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system accessed by another computer. Viruses are sometimes confused with worms and Trojan horses, which are technically different: a worm can exploit security vulnerabilities to spread itself automatically to other computers, while a Trojan horse is a program that appears harmless but hides malicious functions. Some viruses and other malware have symptoms noticeable to the user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves. Examples include:

The ExploreZip worm appeared in 1999, following in the footsteps of Melissa. The worm deleted Word, Excel and PowerPoint files and randomly altered other types of file, sending fake error messages to the user. Instead of using Outlook to gather e-mail addresses, it watched the in-box of the infected computer and sent automatic replies to senders, using the same e-mail subject as the original message.

Magistr is one of the most complex viruses to hit the Internet. Its victims were hooked by an infected e-mail attachment. In 2001 the virus sent garbled messages to everyone in the infected user's e-mail address book, attaching files pulled at random from the infected PC's hard drive plus an executable file carrying the Magistr code. This virus was not as widespread as many others, but it was very destructive: Magistr overwrites hard drives and attempts to erase the CMOS settings and flashable BIOS, preventing systems from booting. It also contained anti-debugging features, making it hard to detect and remove.

The Melissa virus swamped corporate networks with a tidal wave of e-mail messages in 1999.
Through Microsoft Outlook, when a user opened an e-mail message containing an infected Word attachment, the virus was sent to the first 50 names in the user's address book. The e-mail fooled many recipients because it bore the name of someone the recipient knew and referred to a document they had allegedly requested. So much e-mail traffic was generated that companies such as Intel and Microsoft had to turn off their e-mail servers. Melissa was one of the first widespread viruses capable of mailing itself from one machine to another without further help from its author, and it spawned multiple variants.

The Klez worm, which blends different virus traits, was first detected in 2001. Klez is not as destructive as other worms, but it is widespread, hard to exterminate and still active. It spreads via open networks and e-mail using its own mail engine, regardless of the e-mail program you use. Klez sometimes masquerades as a worm-removal tool. It may corrupt files and disable antivirus products. It steals data from a victim's e-mail address book, mixing and matching new senders and recipients for a new round of infection.

LoveLetter is the worm everyone learned to hate in 2000. The infection affected millions of computers and caused more damage than any other computer virus up to that time. Users were infected via e-mail, Internet chat systems and other shared file systems. The worm sent copies of itself to Microsoft Outlook address book entries. The mail included an executable file attachment and the subject line "ILOVEYOU". The worm could overwrite several types of file. It modified the Internet Explorer start page and changed Registry keys. It also moved other files and hid MP3 files on affected systems.

Trojans

A Trojan is malware that appears to perform a desirable function for the user before it is run or installed, but instead opens a back door into the user's computer system. It is a harmful piece of software that looks legitimate.
Users are typically tricked into loading and executing it on their systems. A Trojan may modify the user's computer to display advertisements in undesirable places, such as the desktop or in uncontrollable pop-ups, or it may be less noticeable, such as installing a toolbar in the user's web browser without prior notice. This can create revenue for the author of the Trojan. Trojans of this kind require interaction with an attacker to fulfil their purpose. Individual attackers can scan computers on a network with a port scanner in the hope of finding one with a Trojan horse already installed and listening, which they can then use to control the target computer. Examples include:

The Code Red worm of 2001 is a frightening example of a worm carrying a co-ordinated attack payload. Code Red contaminated hundreds of thousands of computers and caused an estimated $2 billion in damages. After propagating itself using worm techniques, Code Red attempted to use the co-ordinated power of the infected machines to launch a distributed denial of service (DDoS) attack against www.whitehouse.gov on a predetermined date.

Backdoor.LegMir.BZ is a backdoor. On execution it installs itself as if it were a legitimate program, copies itself under various names to various locations on the infected machine, opens a port and gives attackers unauthorised access. It can also capture passwords and send them to the author of the program.

Worms

A computer worm is a self-replicating malware program. It uses a computer network to send copies of itself to other computers on the network, usually without permission, exploiting security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
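Melissa and LoveLetter above, and the worm examples that follow, share one trait that is visible from the mail server rather than the desktop: a single sender suddenly mailing the same subject to dozens of recipients, often with a script attachment disguised behind a double extension such as .TXT.vbs. The script below is an added example, not code from the unit materials or from any antivirus or mail product, that flags both patterns in a constructed mail log. The log layout, the threshold of 10 deliveries in 60 seconds and the list of executable extensions are assumptions chosen for illustration.

```python
"""Spot mass-mailing worm behaviour in a mail-server log.

Added example for this unit, not code from the original materials. The
log layout ("time|sender|recipient|subject|attachment"), the thresholds and
the extension list are assumptions; real Postfix or Exchange logs carry the
same fields in other layouts.
"""
from collections import defaultdict, deque
from datetime import datetime

# Extensions Windows runs directly when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}

# Constructed sample log, one line per delivery. Lines 3-12 are ten
# "ILOVEYOU" deliveries inside 18 seconds: the Melissa / LoveLetter burst.
SAMPLE_LOG = """\
2000-05-04T09:00:01|alice@example.org|bob@example.org|Re: budget|budget.xls
2000-05-04T09:02:10|alice@example.org|carol@example.org|Re: budget|budget.xls
2000-05-04T09:10:00|mallory@example.org|u01@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:02|mallory@example.org|u02@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:04|mallory@example.org|u03@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:06|mallory@example.org|u04@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:08|mallory@example.org|u05@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:10|mallory@example.org|u06@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:12|mallory@example.org|u07@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:14|mallory@example.org|u08@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:16|mallory@example.org|u09@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:10:18|mallory@example.org|u10@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:20:00|mallory@example.org|u11@example.org|ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T09:30:00|carol@example.org|dave@example.org|Invoice|invoice.pdf.exe
"""


def parse_log(text):
    """Turn the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subject, attachment = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "sender": sender.lower(),
            "rcpt": rcpt.lower(),
            "subject": subject,
            "attachment": attachment,
        })
    return events


def classify_attachment(filename):
    """Return 'disguised-executable', 'executable' or 'ok'.

    LOVE-LETTER-FOR-YOU.TXT.vbs is the classic case: Windows hid the final
    .vbs by default in 2000, so the user saw a harmless-looking .TXT file.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    return "disguised-executable" if len(parts) >= 3 else "executable"


def find_mass_mailers(events, min_recipients=10, window_seconds=60):
    """Return {(sender, subject): peak deliveries inside one window}.

    A sliding window per sender/subject pair catches the burst without
    being fooled by the same sender mailing slowly all day.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["sender"], e["subject"])].append(e["time"])
    hits = {}
    for key, times in by_key.items():
        times.sort()
        window = deque()
        peak = 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= min_recipients:
            hits[key] = peak
    return hits


def scan(text, **thresholds):
    """Run both checks over a log and return human-readable findings."""
    events = parse_log(text)
    findings = []
    for (sender, subject), n in find_mass_mailers(events, **thresholds).items():
        findings.append(f"mass-mailing burst: {sender} sent '{subject}' to {n} recipients")
    seen = set()  # report each sender/attachment pair once
    for e in events:
        verdict = classify_attachment(e["attachment"])
        if verdict != "ok" and (e["sender"], e["attachment"]) not in seen:
            seen.add((e["sender"], e["attachment"]))
            findings.append(f"{verdict}: {e['attachment']} from {e['sender']}")
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports one burst (mallory, ten "ILOVEYOU" deliveries in the window; the eleventh, ten minutes later, falls outside it) and two disguised executables. The burst check is the one that survives a change of malware, since it keys on behaviour rather than on a file name, which is why mail gateways still apply rate limits per sender today.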
Many worms are designed only to spread and do not attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended effects can still cause major disruption. A "payload" is code designed to do more than spread the worm: it might delete files on a host system (e.g. the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents out by e-mail. A very common payload is to install a backdoor on the infected computer, creating a "zombie" under the control of the worm's author. Examples include:

Melissa: in 1999, hungry and curious minds downloaded a file called List.DOC from the alt.sex Usenet discussion group, assuming they were getting free access to over 80 pornographic websites. Little did they know that the file was responsible for mass-mailing thousands of recipients and clogging mail servers across much of the Internet. Melissa spread through Microsoft Word 97 and Word 2000, mass-mailing the first 50 entries from the user's Outlook 97/98 address book when the document was opened. Melissa also inserted quotes from The Simpsons TV show into documents on the host computer, and some later variants carried destructive payloads. Melissa caused an estimated $1 billion in damages.

Nimda: in 2001, Nimda ("admin" backwards) infected a variety of Microsoft machines very rapidly, using e-mail alongside open file shares, vulnerable IIS web servers and booby-trapped web pages. It spread by finding e-mail addresses in .html files in the user's web cache folder and in the user's e-mail contacts retrieved through the MAPI service. The consequences were heavy: all web-related files were appended with JavaScript that allowed further propagation of the worm, users' drives were shared without their consent, and the "Guest" account was enabled and given Administrator privileges.
It was estimated that Nimda caused $530 million in damages after only one week of propagation, and several months later reports indicated that Nimda was still a threat.

ILOVEYOU (also known as VBS/Loveletter or the Love Bug worm): in 2000 users received an e-mail with the subject line "ILOVEYOU". If you deleted it, you were safe from one of the most costly worms in computer history. The attachment, a file called LOVE-LETTER-FOR-YOU.TXT.vbs, was a Visual Basic script that spread like wildfire by mailing itself to the addresses in users' Outlook contact lists. Unsuspecting recipients, believing the attachment to be a harmless text file, would open it only to have most of their files overwritten. The net result was an estimated $5.5 billion to $8.7 billion in damages, and ten per cent of all Internet-connected computers were hit. Onel A. de Guzman, the creator of the worm and a resident of the Philippines, had all charges against him dropped because there were no laws at the time prohibiting the creation of computer worms.

Task 3 – P1.2 – Produce a report that identifies the threat and impact of potential virus threats to an organisation's data.

Identity theft

In today's society people buy and shop differently. They use credit cards instead of cash, purchase goods and services online instead of in a store, and bank online instead of going to the bank. This has been called the plastic era or the wireless generation. We have the convenience and opportunity to purchase goods from around the world, to pay our bills at two o'clock in the morning, or to check our bank statement from home. Technology has brought tremendous advances, but it has also advanced the common criminal, giving birth to a new breed of criminal: one who steals someone's identity in order to commit fraud through phishing, bin rummaging, telephone scams and hacking.
Thieves are on the lookout for our personal information so they can obtain credit cards, bank loans, utility services, mobile phone service and more in our name. Victims of identity theft suffer damaged credit reports, drained bank accounts and even a criminal record: some identity thieves give the victim's personal details when they are arrested, which creates a criminal record in the victim's name. Often, victims do not find out they have been victimised until they receive a bank or credit card statement in the post, or are turned down for a loan or a flat rental.

Hacking

Computer hacking is the practice of modifying computer hardware and software to accomplish a goal outside the creator's original purpose. People who engage in computer hacking are often called hackers. Since the word "hack" has long been used to describe someone who is incompetent at their profession, some hackers claim the term is offensive and fails to give appropriate recognition to their skills. Computer hacking is most common among teenagers and young adults, although there are many older hackers as well. Many hackers are true technology enthusiasts who enjoy learning how computers work and consider hacking an art form. They often enjoy programming and have expert-level skills in one particular program. For these individuals, computer hacking is a real-life application of their problem-solving skills: a chance to demonstrate their abilities, not an opportunity to harm others. Since many hackers are self-taught, some corporations employ them as part of their technical staff, where they use their skills to find flaws in the company's security so that they can be repaired quickly.
In many cases this kind of hacking helps prevent identity theft and other serious computer-related crimes. Hacking can also lead to other constructive technological developments, since many of the skills developed from hacking apply to more mainstream pursuits. For example, Dennis Ritchie and Ken Thompson, hackers in the original sense of the word, went on to create the UNIX operating system in the 1970s, a system that had a huge influence on the development of Linux, a free UNIX-like operating system. Shawn Fanning, the creator of Napster, is another hacker well known for his accomplishments outside computer hacking.

Hacking also has many negative effects: personal information may be leaked, intellectual property may be stolen and lives can be ruined. There is no effective way to eliminate cracking; any security measure will be circumvented sooner or later (for example, see the iPhone 3G unlock). So the only way to keep criminals out is to keep your software up to date and shielded from the outside world, i.e. behind firewalls. Cracking is not always bad: some people crack software or security in order to learn how to prevent it. There is a difference between good and bad, though: white hat hackers versus black hat hackers. Hacking can take many forms, and the level of infiltration can vary from curiosity to espionage. Intrusions are usually only detected after the fact. Dividing a network into separate subnets, with firewalls between them, limits how far an intruder can move and is useful but not foolproof; a firewall filters traffic by address, port and protocol but can still be bypassed, and encryption strength (key length) is a property of VPNs and TLS rather than of the firewall itself. We all know the story of the NORAD hack from the film WarGames, but how close to the truth is it? Governments have set up agencies such as US-CERT, and law-enforcement tools such as the FBI's CIPAV, to detect hacking and security threats to government systems, but businesses are less prepared.
For information look at: http://www.wired.com/threatlevel/2009/04/fbi-spyware-pro/
For a detailed explanation see: http://technet.microsoft.com/hiin/magazine/2005.01.anatomyofahack(en-us).aspx

Piggybacking

Piggybacking occurs when a user with a laptop or other Wi-Fi device connects to an unprotected wireless network. Routers can be protected with WEP or WPA/WPA2 encryption, but WEP is broken and can be cracked in minutes, so only WPA2 (or later) with a strong passphrase should be relied on. Many routers from the same manufacturer also ship with the same default administrator password for the router's management interface, or with no WEP or WPA protection configured at all, allowing anyone in range to connect and download without restriction, just as they could on an unprotected Wi-Fi hotspot. Over half of UK internet users have admitted using other people's Wi-Fi networks to piggyback onto the internet; an estimated 54 per cent of respondents had used someone else's wireless internet access without permission. Many internet-enabled homes fail to secure their wireless connection properly with passwords and encryption, allowing passers-by and neighbours to "steal" their internet access. Although most businesses have security measures in place to protect their Wi-Fi networks, the protection many companies rely on is too light to stop a determined piggybacker. The worst case is an external user connecting not just to the internet through the Wi-Fi but to the internal network, gaining access to and control over stored files, leading to deletion, corruption and industrial espionage.

Task 4 – P1.3 – Produce a report that identifies the threat and impact of potential identity theft, hacking and piggybacking threats to an organisation's resources and data.

Phishing

Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather personal and financial information from recipients.
Typically, the messages appear to come from well-known and trustworthy websites. Websites frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy and America Online. A phishing expedition, like the fishing expedition it is named after, is a speculative venture: the phisher puts out the lure hoping to fool at least a few of the prey that encounter the bait. Phishers use a number of social engineering and e-mail spoofing ploys to trick their victims. In one typical case before the Federal Trade Commission (FTC), a 17-year-old male sent out messages purporting to be from AOL, saying there had been a billing problem with recipients' AOL accounts. The e-mail used AOL logos and contained legitimate links. If recipients clicked on the "AOL Billing Center" link, however, they were taken to a spoofed AOL web page that asked for personal information, including credit card numbers, personal identification numbers (PINs), social security numbers, banking details and passwords. This information was then used for identity theft.

A more advanced variant uses a banking Trojan rather than a fake site:
• The Trojan infects the machine and then waits for the victim to visit his or her bank.
• Information is gathered by injecting additional fields into the genuine bank web page as it loads in the browser.
• No fake websites are used.
• The SSL connection between client and bank is valid (the padlock is shown and the certificate chain is OK).
• Classical antivirus software did not detect this threat.

Adware

Adware is software that generates advertisements, such as pop-ups on web pages, that are not part of the page's code. Adware can add links to your favourites and icons to the desktop. It will often change your home page and search engine to sites that earn income from advertisers. This income depends on how many people visit the adware site or click on the links or advertisements. Many adware programs do not give users adequate notice or control.
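Returning to the "AOL Billing Center" lure above: what gave that e-mail away was the mismatch between who it claimed to be from and where its links actually went. The script below is an added example, not code from the unit materials or from any mail filter, that pulls every link out of an HTML message body and compares the link's domain with the sender's domain and with whatever the visible link text claims. The sample message, the sender address, the use of the last two DNS labels as the "registrable domain" (a real filter would consult a public-suffix list) and the finding names are all assumptions for illustration.

```python
"""Flag the spoofed-link pattern used in phishing e-mail.

Added example for this unit, not code from the original materials or any
mail product. The sample message, sender address and the last-two-labels
domain rule are assumptions chosen for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the AOL billing lure described above.
SAMPLE_FROM = "billing@aol.com"
SAMPLE_HTML = """
<p>There has been a billing problem with your AOL account.</p>
<p>Please visit the <a href="http://aol-billing-center.example.net/login">AOL Billing Center</a>
to update your details.</p>
<p>Or sign in at <a href="http://203.0.113.7/aol/">www.aol.com</a>.</p>
<p>Read our <a href="http://www.aol.com/help">help pages</a>.</p>
<p><a href="mailto:billing@aol.com">Contact us</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' rule (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """If the visible link text itself looks like a URL or host, return that host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "//" + t
    return urlparse(t).hostname


def is_ip_literal(host):
    """True for dotted-quad or bracketed IPv6 hosts; brands never link this way."""
    return host.replace(".", "").isdigit() or ":" in host


def check_links(sender_address, html_body):
    """Return (finding, href) pairs for links that do not match the claimed sender."""
    sender_domain = registrable_domain(sender_address.rsplit("@", 1)[-1])
    brand = sender_domain.split(".")[0]  # "aol" for aol.com
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel: and friends are not navigation targets
        host = urlparse(href).hostname or ""
        link_domain = registrable_domain(host)
        # 1. The text reads like one address but the link goes somewhere else.
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != link_domain:
            findings.append(("text-href-mismatch", href))
        # 2. A bare IP address instead of the brand's own domain.
        if is_ip_literal(host):
            findings.append(("ip-literal", href))
        # 3. The brand's name inside a domain the brand does not own.
        elif link_domain != sender_domain and brand in host:
            findings.append(("lookalike-domain", href))
        # 4. Any other off-domain link is worth a look but not damning on its own.
        elif link_domain != sender_domain:
            findings.append(("off-domain", href))
    return findings


if __name__ == "__main__":
    for kind, href in check_links(SAMPLE_FROM, SAMPLE_HTML):
        print(f"{kind:20} {href}")
```

On the sample this reports the lookalike domain behind "AOL Billing Center" and both the text/link mismatch and the bare IP address behind "www.aol.com", while the genuine help link passes. Note the limit: this catches the spoofed-link lure, and nothing here would fire on the banking Trojan case in the bullets above, where the link, the site and the certificate are all genuine and the extra fields are injected inside the browser. That case needs endpoint controls and server-side anomaly detection rather than mail filtering.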
From a technical viewpoint, the most obvious problem caused by unauthorised programs is computer instability. Badly infected systems may operate very slowly, crash constantly, or not start at all. The owners of such badly infected machines may face serious problems when trying to clean up their machines. Their attempts to use popular anti-spyware software may fail if the number of items that require removal is so great that the software cannot cope with the load. Sometimes when the hijacking software is removed the computer's ability to connect to the internet may be damaged.

There is also a privacy and security risk. Adware may exhibit spyware tendencies, reporting where you go on the internet, when and how often, what you enter into search engines, and what advertisements you respond to. Adware may add itself to the pop-up blocker exception list in Windows, or to the Windows Firewall exceptions.

Home page and search engine hijacking – When a user's preferred choice of home page or search engine is changed to an unknown site, an unwary victim may be exposed to an increased risk of further malware or spyware infection. It is not unusual for malware sites to direct hijacked computers to other Web sites that download and install even more malware. There may also be an increased risk of exposure to unwanted or unsavoury content such as gambling or adult links via advertisements or sponsored links.

Toolbars that appear out of nowhere – Often such toolbars are search engine based. Sometimes they cannot be turned off permanently and reappear on reboot, and sometimes they cannot be turned off at all. Sometimes, as part of their installation, they will disable other toolbars that may already be installed – for example, if a reputable toolbar such as GoogleBar or AltaVista's toolbar is installed, the hijacker will turn off those toolbars to remove competition.
Search results from hijacking toolbars may be restricted to only sites that pay for positioning, otherwise known as "sponsored" results.

Pop-up windows – Pop-up advertisements can be very intrusive. Sometimes they interfere with Web browsing by taking over the entire computer screen. They can be difficult or impossible to close. In bad cases, many windows will appear in rapid succession, making the computer virtually unusable.

Examples include: 180SearchAssistant, Bonzi Buddy, ClipGenie, Comet Cursor, Cydoor, DollarRevenue, ErrorSafe, Gator, Security Tool, VirusProtectPro

Spyware is software that collects and transmits user-specific behaviour and information, with or without permission. Sometimes, permission to collect and transmit is assumed to have been given simply by the act of installing software or loading a Web page. Like ads, data collection can be okay if done with consent or for a reasonable purpose. For example, software that transmits user-specific information for the legitimate purpose of confirming eligibility for updates or upgrades should not be classed as spyware. Programmers are entitled to ensure that their software is not being pirated, and that the users of pirated software are not receiving the same benefits as legitimate users.

Spyware is a type of intrusive software that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users, registering key presses and passwords.
While the term spyware suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connection or functionality of other programs.

Examples of Spyware

CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements.

HuntBar, aka WinTools, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs – an example of how spyware can install more spyware. These programs add toolbars to Internet Explorer, track browsing behaviour, redirect rival references, and display advertisements.

MyWebSearch has a plug-in that displays a search toolbar near the top of a browser window, and it spies to report user search habits. MyWebSearch is notable for installing over 210 computer settings, such as over 210 MS Windows registry keys/values. Beyond the browser plug-in, it has settings to affect Outlook, email, HTML, XML, etc.

WeatherStudio has a plug-in that displays a window panel near the bottom of a browser window.
The official website notes that it is easy to remove WeatherStudio from a computer, using its own uninstall program.

Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for rival advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies.

Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports information back to the company. Some information can be the search history, the Web sites visited, and even keystrokes. More recently, Zlob has been known to hijack routers set to defaults.

Malware is software that damages your system or causes instability, such as by changing settings or interfering with a computer's registry and security settings. Some adware can also be classified as spyware. For example BonziBUDDY, an application marketed as an "Intelligent software agent", corrupted many of the user's system files, forcing the display of many obscene advertisements (composed mostly of infected Flash coding); these and the main application logged browsing details and sent them to various third parties.

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behaviour. The term computer virus is used for a program that has infected some executable software and that, when run, spreads the virus to other executables. Typical examples include malware carrying computer viruses or worms.

Albert Gonzalez was accused of masterminding a ring to use malware to steal and sell more than 170 million credit card numbers in 2006 and 2007 – the largest computer fraud in history.
Among the firms targeted were BJ's Wholesale Club, TJX, DSW Shoe, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.

A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc's job search service. The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users' PCs.

Customers of Hannaford Bros. Co, a supermarket chain based in Maine, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action law suits.

The Torpig Trojan has compromised and stolen login credentials from approximately 250,000 online bank accounts as well as a similar number of credit and debit cards. Other information, such as email and FTP accounts from numerous websites, has also been compromised and stolen.

Task 05 - P1.4 – Produce a report that identifies the threat and impact that Spyware, Adware and Malware pose to organisations and describe threats to an organisation's data.

Page jacking or spyware is software that collects and transmits user-specific behaviour and information, with or without permission. Sometimes, permission to collect and transmit is assumed to have been given simply by the act of installing software or loading a Web page. Like ads, data collection can be okay if done with consent or for a reasonable purpose. For example, software that transmits user-specific information for the legitimate purpose of confirming eligibility for updates or upgrades should not be classed as spyware. Programmers are entitled to ensure that their software is not being pirated, and that the users of pirated software are not receiving the same benefits as legitimate users.
Page jacking and spyware are types of intrusive software that can be installed on computers, and which collect small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users, registering key presses and passwords.

While the term spyware suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connection or functionality of other programs. The CoolWebSearch, HuntBar and MyWebSearch packages described under Examples of Spyware above are typical of this behaviour.
The Zango and Zlob examples described above also apply here.

Most networks today are built on what is called the eggshell principle: hard on the outside and soft on the inside. This means that if an attacker can gain a foothold on the network, the rest of the network will usually fall like dominoes. Once inside, the most difficult part is often to figure out what to attack next and where to go for the really juicy bits of information. It does not have to be this way. With the proper techniques, we as network administrators can achieve two crucial objectives: to make it much more difficult to gain a foothold in the first place, and to make it much more difficult to use that foothold to get anywhere else on the network.

Denial-of-service attacks come in a variety of forms and aim at a variety of services.
There are three basic types of attack:
◦ consumption of scarce, limited, or non-renewable resources
◦ destruction or alteration of configuration information
◦ physical destruction or alteration of network components

Consumption of Scarce Resources

Computers and networks need certain things to operate: network bandwidth, memory and disk space, CPU time, data structures, access to other computers and networks, and certain environmental resources such as power, cool air, or even water.

Network Connectivity

Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack described in http://www.cert.org/advisories/CA-1996-21.html. In this type of attack, the attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.

You should note that this type of attack does not depend on the attacker being able to consume your network bandwidth. In this case, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from a dial-up connection against a machine on a very fast network. (This is a good example of an asymmetric attack.)

Using Your Own Resources Against You

An intruder can also use your own resources against you in unexpected ways.
One example is described in http://www.cert.org/advisories/CA-1996-01.html. In this attack, the intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected.

Task 06 - P1.5 – Produce a report that identifies the threat and impact that Page jacking and DDoS attacks pose to organisations and describe threats to an organisation's data.

Data theft happens as much from internal employees as from hackers and can cause as much damage to the company as any other attack in terms of loss of faith and trust. Staff can do this by accessing the network remotely and using their privileges to download and use data from the network for their own personal gain. If it was just hacking then there would not be such an issue, but staff abusing the system by taking information using their own accounts is more difficult to track or prosecute. As a member of staff they have already been given permission to access certain levels of information; if this is privileged data then there could be a justification for them to access the materials. Taking data externally is theft; whether by hacking or by abuse of privilege, it is still prosecutable. To use this information for things such as blackmail, threats, or to expose companies or people adds an extra level of criminality to the process.

Accidental damage (e.g. spilling drinks on keyboards, deleting programs or files) – Despite all the risks and countermeasures companies put in place to protect their systems from damage, you cannot easily protect against spillage and user damage, the bulk of which will not be returned through insurance claims as it is not worth it.
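Returning to the denial-of-service section above: the following is an added example, not taken from the CERT advisories or any tool, that looks for the two resource-consumption patterns described there (the SYN flood's accumulating half-open connections and the forged echo/chargen UDP loop) in a constructed, simplified tcpdump-style packet log. The log format, the addresses and the alert threshold of 64 half-open connections are assumptions made for the example.

```python
"""Added example: toy detector for SYN flooding (half-open TCP connections)
and the forged UDP echo/chargen loop. Input is a constructed, simplified
tcpdump-style log, one packet per line (the format is an assumption):
    <proto> <src>:<sport> > <dst>:<dport> [flags]
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+\[(?P<flags>[A-Z]*)\])?$"
)
ECHO, CHARGEN = 7, 19        # the UDP services coupled in CA-1996-01
HALF_OPEN_THRESHOLD = 64     # assumed backlog size worth alerting on


def parse(line):
    """Return a packet dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    p["flags"] = p["flags"] or ""
    return p


def half_open_counts(packets):
    """Per-server count of handshakes begun by a bare SYN but never completed
    by the client's ACK: the kernel data structures a SYN flood exhausts."""
    pending = defaultdict(set)                 # server -> {(client, sport)}
    for p in packets:
        if p["proto"] != "tcp":
            continue
        client = (p["src"], p["sport"])
        if p["flags"] == "S":                  # SYN: server reserves a slot
            pending[p["dst"]].add(client)
        elif "A" in p["flags"] and p["dst"] in pending:
            pending[p["dst"]].discard(client)  # client's ACK: slot released
    return {server: len(slots) for server, slots in pending.items()}


def syn_flood_suspects(packets, threshold=HALF_OPEN_THRESHOLD):
    """Servers whose half-open backlog exceeds the threshold."""
    return {s: n for s, n in half_open_counts(packets).items() if n > threshold}


def echo_chargen_loops(packets):
    """UDP packets coupling echo (7) and chargen (19): each reply provokes
    another, so one forged packet can saturate the link between the hosts."""
    return [(p["src"], p["sport"], p["dst"], p["dport"]) for p in packets
            if p["proto"] == "udp" and {p["sport"], p["dport"]} == {ECHO, CHARGEN}]


def build_sample_log():
    """Constructed traffic: one legitimate handshake to 10.0.0.5:80, then 100
    bare SYNs from spoofed 192.0.2.x sources that are never completed, then a
    forged echo<->chargen exchange between two hosts."""
    lines = [
        "tcp 198.51.100.7:40000 > 10.0.0.5:80 [S]",
        "tcp 10.0.0.5:80 > 198.51.100.7:40000 [SA]",
        "tcp 198.51.100.7:40000 > 10.0.0.5:80 [A]",
    ]
    lines += [f"tcp 192.0.2.{i + 1}:{1024 + i} > 10.0.0.5:80 [S]" for i in range(100)]
    lines += ["udp 192.0.2.9:7 > 10.0.0.6:19", "udp 10.0.0.6:19 > 192.0.2.9:7"]
    return lines


def analyse(lines):
    """Parse a log and return (suspected SYN-flood targets, loop packets)."""
    packets = [p for p in map(parse, lines) if p]
    return syn_flood_suspects(packets), echo_chargen_loops(packets)


if __name__ == "__main__":
    suspects, loops = analyse(build_sample_log())
    for server, n in suspects.items():
        print(f"possible SYN flood: {server} has {n} half-open connections")
    for src, sport, dst, dport in loops:
        print(f"echo/chargen loop traffic: {src}:{sport} -> {dst}:{dport}")
```

On the constructed log the legitimate handshake is released by its ACK, so only the 100 spoofed SYNs remain counted against 10.0.0.5, and both UDP packets are flagged as loop traffic.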
Despite user policies in place, staff still bring drinks to their desks, they still make mistakes, they still accidentally delete files off the system or, more commonly, save files over the old ones. Backup servers are great for solving this issue but they are not 100% foolproof. The number of single-incident problems adds up. Think of the number of times you have deleted a file and add a cost to this; look around you in the room and see the on-going damage left behind. Scale this up to a company: most companies will admit to a 5% downtime for systems, 10% for hardware, and spend 3% of their time recovering files lost by staff from the system. The time spent is as much a cost to a company as the damage itself.

Task 07 - P1.6 – Produce a report that identifies the threat and impact that Data Theft and Accidental Damage pose to organisations and describe threats to an organisation's data.

All these attacks and levels of damage have consequences: downtime, loss of business, loss of faith etc., things that a company will struggle to reclaim off insurance. Each will have an impact on the company, some to the point of closing for business altogether.

Financial (e.g. loss of business, pricing data, invoicing information) – this is the biggest concern of any company: how much money it will cost to fix, how much business will be lost, and whether they can afford to repair it and prevent it from happening again. The Kyoto earthquake was a huge loss to business as well as life, as was the tidal wave from the Fukushima earthquake. Beyond downtime, the loss of information, the loss of computers, the corruption of data and the criminal damage are estimated to cost Britain alone billions each year.

Loss of reputation – Sony found it very hard to recover from the hack, banks like Allied Irish found it hard to justify to shareholders and stakeholders, and government ministers apologise all the time for losing data.
Reputation for some companies is everything. Loss of faith and loss of image can seriously damage business. Look at Ratners and the scandal after their slip-up, and compare this to Wikileaks and the damage done to companies' reputations through hacking and information leakages.

Loss of service and access – for a period of time, and to stop other attacks, companies tend to take their services offline. Networks are shut down after virus attacks to make sure the network is now more secure and virus-free; this downtime costs a lot of money through loss of business, again not something that can be claimed off insurance. Think of how long Sony was offline; similarly, RBS Bank in Northern Ireland went offline for almost a week, a week when all customer accounts, including business accounts, froze, stopping thousands of companies from selling and cashing in sales of goods.

Loss of security of confidential information (e.g. national security, payroll information, business strategies) – National security issues like Wikileaks are bad. A whole country's reputation relies on this; lives, liberties and freedom of movement are restricted. This is the worst case scenario. Loss of payroll can cost a company huge amounts, but losing corporate business strategies (corporate espionage) can cost a company more. Think of how much Samsung might gain from knowing what Apple will do next, or how Sony might have used leaked information about the Xbox in terms of what to develop and what to make different or better.

Task 08 - M1.2 – Discuss the threat and impact on business of 2 companies that have been victims of attacks.

Task 09 - M1.3 – Compare the threat and impact on business of 2 companies that have been victims of attacks in terms of Loss of Service, Security of data, Reputation and Finances.
Impact categories:
◦ Financial
◦ Loss of reputation
◦ Loss of service and access
◦ Loss of security of confidential information

Task 1 – P1.1 – Produce a report that identifies the impact of potential Environmental, Malicious and Physical threats to an organisation's data.
Task 2 – M1.1 – Compare and contrast the impact of different types of threat to different organisation types.
Task 3 – P1.2 – Produce a report that identifies the threat and impact of potential virus threats to an organisation's data.
Task 4 – P1.3 – Produce a report that identifies the threat and impact of potential ID Theft, Hacking and Piggybacking threats to an organisation's resources and data.
Task 05 – P1.4 – Produce a report that identifies the threat and impact that Spyware, Adware and Malware pose to organisations and describe threats to an organisation's data.
Task 06 – P1.5 – Produce a report that identifies the threat and impact that Page jacking and DDoS attacks pose to organisations and describe threats to an organisation's data.
Task 07 – P1.6 – Produce a report that identifies the threat and impact that Data Theft and Accidental Damage pose to organisations and describe threats to an organisation's data.
Task 08 – M1.2 – Discuss the threat and impact on business of 2 companies that have been victims of attacks.
Task 09 – M1.3 – Compare the threat and impact on business of 2 companies that have been victims of attacks in terms of Loss of Service, Security of data, Reputation and Finances.