Unit 09 - Enderoth

ORGANISATIONAL SYSTEMS SECURITY
T/601/7312
LEVEL 3 UNIT 5
LO1 - Understand the impact of potential threats to IT systems


Organisations collect, create and manipulate a wide range of data and
information; the cost of these activities is often much higher than the
organisation realises until they are lost or stolen. Everyone who works with an
information system should understand their responsibility to protect the
system against theft or loss, and all IT professionals need to understand how
to support the organisation in protecting its digital assets and hardware. This
unit will enable the learner to recognise the importance of protecting systems
against any security issues or failures when working with hardware and
software and when providing guidance to customers on the security of their
systems. It will also ensure that learners keep the importance of security at
the forefront of their activities, so that they identify threats and protect
the organisation and its assets as they work with the information system, both
while working towards the qualification and in the workplace.
The aim of this unit is to provide the learner with an understanding of the
importance of securing organisational IT systems, the impact of the law on the
application of security policies, the range of security threats which must
be protected against within an organisation, and the tools which are used to
provide protection. The learner will be able to apply this knowledge to any
organisation through reviewing it and making recommendations for
improvements.
Assessment criteria

Learning Outcome (LO) - the learner will:
Pass - the assessment criteria are the pass requirements for this unit; the learner can:
Merit - for merit the evidence must show that, in addition to the pass criteria, the learner is able to:
Distinction - for distinction the evidence must show that, in addition to the pass and merit criteria, the learner is able to:

LO1 Understand the impact of potential threats to IT systems
  P1 Explain the impact of different types of threat on an organisation
  M1 Compare and contrast the impact of different types of threat to different organisation types

LO2 Know how organisations can keep systems and data secure
  P2 Describe how physical security measures can aid in keeping systems secure
  P3 Describe how software and network security can keep systems and data secure
  M2 Discuss the effectiveness of physical security measures used in an identified organisation
  M3 Discuss the effectiveness of software security measures used in an identified organisation

LO3 Understand the organisational issues affecting the security of IT systems
  P4 Explain the policies and guidelines for managing organisational IT security issues
  P5 Explain how employment contracts can affect security
  P6 Assess the laws related to security and privacy of data
  D1 Recommend modifications to policies and guidelines for managing organisational IT security issues
  D2 Review contracts of employment in an organisation and their impact on security


P1: Learners could prepare a presentation explaining the impact of different
types of threat to an IT system of an organisation. They should include a
minimum of five threats as per the teaching content, including physical and
technological threats that are realistically applicable to modern organisations
and their IT systems.
For merit criterion M1, learners should compare and contrast the impact of
threats (ideally those they have explained in P1) and what this would mean for
two different types of organisation, including their own organisation if
applicable, and why. The learner must provide a complete set of speaker notes
which contain detailed information for the bullets or data on their slides. In
a workplace, this could be evidenced by the learner taking part in a security
audit, within a group or individually. Where the evidence offered comes from a
group activity, the learner must identify their own contribution and have a
witness testimony from their supervisor or manager confirming that they have
undertaken the specific tasks identified in the documentation which is being
offered as evidence of having achieved the assessment criteria.
The internet, journals, newspaper articles and books on IT security are full
of interesting and relevant cases: many are humorous, in a macabre way, and
others reflect things that learners will have seen in films. This approach
makes the subject more alive and relevant to the learner.
Learners should be encouraged to work in groups to find examples of these
cases and should then, as part of a small or wider group, discuss the impacts
on organisations and what steps could be, or were, taken to secure against the
identified threats. Learners should be encouraged to keep up their research
into the latest IT security failures in the news, and to investigate different
approaches to IT security and examples of successes and failures across an
increasingly wide spectrum of organisations.
Learners should take their general findings and apply them to an organisation
they are familiar with, either through work experience, a workshop or their
training facility. Alternatively, learners may carry out research on an
organisation of their choice to identify how these historical security
failures would realistically impact that organisation.
Organisations have always depended on information to ensure success.
Over the years, organisations have changed their information systems
from dealing purely with data processing to strategic and decision
support, making their network do more things and in the process
opening themselves up to additional risks.
Managers need information to plan successfully in the short, medium
and long term. It is also recognised nowadays that information is
required at all levels in an organisation and that information itself can
have many sources. The importance of valid information in gaining
competitive advantage needs to be stressed.
Risks to this information can take many forms: internal and external,
technical and environmental, accidental and deliberate. Most can be foreseen;
the threat exists and can be prepared for, physically and technically. But
with the rise of groups such as LulzSec and Anonymous the threats are becoming
more frequent, more co-ordinated and more damaging. The recent attacks on
Sony, Iran's nuclear facilities and NatWest show that protection methods work
to a degree.
There are two kinds of physical threat against computers and data: environmental and
deliberate. The damage from each of these can vary according to the suddenness and
length of the attack.
Physical damage can be repaired to a degree: hard drives can be recovered from most
kinds of damage except the most severe, computers can be replaced, and insurance can
be used to replace everything but the time lost.
Temperature – hard drives in particular do not like heat: it causes disk tracks to warp,
it can overheat a computer and cause fire, and it can cause a CPU to burn out so that
RAM crashes and loses the data held in memory. Longer-term temperature damage will
break down the magnetic tracking on hard drives and cause more crashes, particularly
of stored information, and make the operating system more unreliable. Computer
systems do not like adverse cold conditions either; LCD monitors in particular crack
when they get too cold, and though this is an easy replacement it can still be an
inconvenience to companies.
Humidity – in a normal office humidity is not a real problem for computers, but in
countries and places where the humidity is high, computers, and specifically servers
and full-size machines, suffer. Moisture can build up inside the computer and possibly
ground some parts and cause them to fail. Moisture in the air can make the air much
hotter, and thus puts your computer at more risk of failure. But as long as your
ambient temperature is between 65-80°F there should not be a problem. Servers, by
contrast, are stored in a cold room in the building and have cooling fans, so this is
not an issue until those fail. A server room will get very hot in a short period of
time without cooling; add humidity and this can cause electrical fires, loss of data
and complete crashes.
• Natural disasters, however, are more of a threat to computer systems. We think of small problems,
like how we can get back into the office and what we will do for computers, but on a grander scale,
as at Kyoto, the store for masses of data when the earthquake hit, companies worldwide suffered for
weeks until the data was recovered.
• Earthquakes – not something we worry about in Britain that much, but when information is stored
elsewhere, or the information we require from business partners happens to be in places like Japan,
Italy, the West Coast of America or other earthquake zones, then this becomes an issue. The data
itself is not affected; hard drives will not die because of the shaking, it is more of an issue when a
building then falls on them. Most companies keep backups, so recovery time is reduced
significantly. The 2011 Japanese earthquake and tsunami damaged about half of the cable running
across the Pacific Ocean, and repair times were quoted at between a week and several weeks.
Downtime severely impacted the revenues of numerous network operators and enterprises around
the world.
• Flooding – we see this as a greater problem in Britain, especially in January 2014. Computer
systems on the ground floor of buildings will be out, electricity in buildings will be off, and any
computer that is directly in contact with water will probably be damaged. For insurance reasons
this is not a major issue, as companies are usually covered, but downtime is a bigger issue. A Sony
plant responsible for magnetic tape and Blu-ray Discs was inundated with water when a tsunami
washed through the town of Tagajyo and is one of six Sony plants currently idle. Two Nikon plants
were severely damaged and won't be back online until at least the end of March. And Fujitsu's
major chip plant in Aizu Wakamatsu is still closed with no estimate of when production will begin
again.
Malicious damage, however, is a greater day-to-day risk to information and data. It also
has the more obvious solutions.
• Causing system crashes through manipulating software – spyware, malware, keylogging and
DDoS are all problems caused by people deliberately trying to provoke or break a computer
system. None of them are permanent, but all of them cause degrees of damage to data and to
a company's finances and reputation. Internally and externally these are a problem, and one
network managers face every day. The larger the company, the more likely and more
deliberate the attack. Under the DPA all information needs to have a degree of protection on
it, but this is not always enough. Keylogging, for instance, is usually an internal threat unless
it arrives as malware, and allows a user to gain information like names and passwords,
security logins and a record of what the victim has been doing and how they have been
getting there. It can be hardware or software based.
• Wilful damage to monitors, hard discs – this is an internal problem; staff can, and often do,
abuse systems for one reason or another, either accidentally (water spills, dropping laptops)
or deliberately (anger issues, mistreatment or maliciously damaging the system). Usually this
is a one-off: one computer, one frustration, a damaged printer, a photocopier, etc. What this
causes in terms of damage or loss of data is minor; downtime is another issue. A dead or
damaged laptop will usually lose any data stored on it, but most companies encourage staff
to work off the network so the damage is limited, whereas a broken machine will mean
downtime while it is replaced or repaired. A broken printer can affect a whole office; a broken
photocopier can affect multiple offices.
• Physical theft – this is purely deliberate. Computers get stolen, laptops and tablets particularly, and
some places are worse than others. In schools, for instance, mice go missing; an average classroom of
computers will lose one every week. In companies this is true for other things: staplers, sticky notes,
folders, etc. When the London riots happened it was hardware that could not be tracked that went
missing first: laptops, base units, televisions and monitors as well as projectors and tablets. Memory
sticks are the worst for theft: small, easy to take, harder to track, they all look the same (or can do), and
the information on them can have degrees of importance, from some work that needed finishing and
therefore restarting to something private, such as medical records or finance details. Either way it is
rare for staff to return these knowing how important they are.
Task 1 – P1.1 – Produce a report that identifies the impact on an organisation of potential
Environmental, Malicious and Physical threats to its data.
• The risk to data and the threats in terms of Environmental, Malicious and Physical vary from company
to company. High-profile companies like banks face more of a threat in terms of malicious code,
malware and outside attacks than theft or physical damage, because of the amount of monitoring that
goes on. Schools, however, are more at threat from flooding and physical attacks than from
earthquakes or malicious code, but these still happen. For Merit, you need to state the nature of the
data two different companies hold and compare the threat and the impact of the threat to this data.
Task 2 – M1.1 – Compare and contrast the impact of different types of threat to different organisation types
Threats to Company Data               | Nature of the Threat | Risk of Damage                                          | Impact to the business
--------------------------------------|----------------------|---------------------------------------------------------|-----------------------
Earthquakes                           |                      | Medium to data, High to Customer Account Information    |
Flooding                              |                      |                                                         |
Crashes through manipulating software |                      |                                                         |
Wilful damage to hardware             |                      |                                                         |
Physical theft                        |                      |                                                         |
Europe has entered a 'Cyber Cold War' (source: NATO, FBI, McAfee & Serious Organised Crime Agency)
• China is the most active in spying, but 120 other countries are too!
• NATO said that all 26 of its member countries have been targeted by cyber-attacks (e.g. Estonia)
• Georgia's government websites fell victim to cyber-attacks (DDoS and defacements) … "too sophisticated for amateurs!"
• Tibetan government web site injected with malicious source code
• Palin's Yahoo account hacked in less than 45 minutes using the password reset functionality
• Web defacers hacked into the CERN website of the LHC (Large Hadron Collider)
• UK minister confirms cyber-terrorists attempting to take out the National Grid (Aug '08)
• Recent virus infiltration of Iran's nuclear programme.
Viruses have been the bane of IT and companies since networks were introduced
into companies for business transactions. Remember that all computer viruses
have been created by someone for a purpose, whether it is to annoy, to destroy,
or to deliberately bring down a company or website.
computer virus n. A computer program that is designed to replicate itself by
copying itself into the other programs stored in a computer. It may be benign
or have a negative effect, such as causing a program to operate incorrectly or
corrupting a computer's memory.
All viruses are different, so they all act in a different way and have a
different purpose. On Symantec's Threat Explorer the threats are defined daily
according to the level of risk and the exploit a virus takes advantage of in
its attack:
http://www.symantec.com/norton/security_response/threatexplorer/index.jsp
A computer virus is simply a malicious computer program that can copy itself and infect a computer. The
term "virus" is also commonly used to refer to other types of malware. A true virus can spread from one
computer to another (in some form of executable code) when its host is taken to the target computer;
for instance because a user sent it over a network or the Internet, or carried it on a removable medium
such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other
computers by infecting files on a network file system or a file system that is accessed by another
computer.[3][4]
Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm
can exploit security vulnerabilities to spread itself automatically to other computers, while a Trojan horse
is a program that appears harmless but hides malicious functions. Some viruses and other malware have
symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call
attention to themselves. Some viruses do nothing beyond reproducing themselves. Examples include:


The Explorer.zip worm appeared in 1999, following in the footsteps of Melissa. The worm deleted
Word, Excel and PowerPoint files and randomly altered other types of file, sending fake error
messages to the user. Instead of using Outlook to gather e-mail addresses, it watched the inbox of
the infected computer and then sent automatic replies to senders, using the same e-mail subject as
the original message.
Magistr is one of the most complex viruses to hit the Internet. Its victims were hooked by an infected
e-mail attachment. The virus, in 2001, sent garbled messages to everyone in the infected user's
e-mail address book. Attached were files pulled at random from the infected PC's hard drive plus an
executable file with the Magistr code. This virus was not as widespread as many others, but it was
very destructive. Magistr overwrites hard drives and erases the CMOS and the flashable BIOS,
preventing systems from booting. It also contained anti-debugging features, making it hard to detect
and destroy.
The Melissa virus swamped corporate networks with a tidal wave of e-mail messages in
1999. Through Microsoft Outlook, when a user opened an e-mail message containing an
infected Word attachment, the virus was sent to the first 50 names in the user's address
book. The e-mail fooled many recipients because it bore the name of someone the
recipient knew and referred to a document they had allegedly requested. So much e-mail
traffic was generated that companies like Intel and Microsoft had to turn off their e-mail
servers. The Melissa virus was the first virus capable of hopping from one machine to
another on its own with multiple variants.
The Klez worm, which blends different virus traits, was first detected in 2001. Klez isn't
as destructive as other worms, but it is widespread, hard to exterminate and still active.
It spreads via open networks and e-mail regardless of the e-mail program you use. Klez
sometimes masquerades as a worm-removal tool. It may corrupt files and disable
antivirus products. It steals data from a victim's e-mail address book, mixing and
matching new senders and recipients for a new round of infection.
LoveLetter is the worm everyone learned to hate in 2000. The infection affected millions
of computers and caused more damage than any other computer virus to date. Users
were infected via e-mail, through Internet chat systems, and through other shared file
systems. The worm sent copies of itself via Microsoft Outlook's address book entries.
The mail included an executable file attachment with the e-mail subject line,
"ILOVEYOU." The worm had the ability to overwrite several types of files. It modified the
Internet Explorer start page and changed Registry keys. It also moved other files and hid
MP3 files on affected systems.
A Trojan virus is malware that appears to perform a desirable function for the user before it is
run or installed, but instead opens a door into the user's computer system. It is a harmful piece
of software that looks legitimate. Users are typically tricked into loading and executing it on
their systems.
A Trojan horse may modify the user's computer to display advertisements in undesirable places,
such as the desktop or in uncontrollable pop-ups, or it may be less conspicuous, such as installing
a toolbar onto the user's web browser without prior notice. This can create revenue for the
author of the Trojan.
Trojan horses in this way require interaction with a hacker to fulfil their purpose. It is possible for
individual hackers to scan computers on a network using a port scanner in the hope of finding
one with a malicious Trojan horse installed, which the hacker can then use to control the target
computer. Examples include:
• The Code Red virus of 2001 provides a frightening example of the powerful combination of
worms and Trojans. Code Red contaminated tens of thousands of computers and caused $2 billion
in damages. After propagating itself using the techniques of a worm, Code Red attempted to use
the coordinated power of infected machines to launch a distributed denial of service (DDoS)
attack against www.whitehouse.gov on a predetermined date.
• Backdoor.LegMir.BZ is a backdoor worm. On execution it installs itself as a legitimate program,
copies itself with various names and at various locations on the infected machine, opens a port
and gives unauthorised access to attackers. It also has the ability to capture passwords and send
that information to the author of this program.
A computer worm is a self-replicating malware computer program. It uses a computer network to
send copies of itself to other computers on the network, often without permission. This is due to
security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an
existing program. Worms almost always cause at least some harm to the network, even if only by
consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Many worms that have been created are only designed to spread, and don't attempt to alter the
systems they pass through. However, as the Morris worm and Mydoom showed, the network traffic
and other unintended effects can often cause major disruption. A "payload" is code designed to do
more than spread the worm; it might delete files on a host system (e.g. the ExploreZip worm), encrypt
files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for
worms is to install a backdoor in the infected computer to allow the creation of a "zombie" computer
under the control of the worm author. Examples include:
• Melissa – In 1999, hungry and curious minds downloaded a file called List.DOC in the alt.sex Usenet
discussion group, assuming that they were getting free access to over 80 pornographic websites.
Little did they know that the file within was responsible for mass-mailing thousands of recipients
and shutting down nearly the entire Internet. Melissa spread through Microsoft Word 97 and Word
2000, mass-emailing the first 50 entries from a user's address book in Outlook 97/98 when the
document was opened. The Melissa worm randomly inserted quotes from The Simpsons TV show
into documents on the host computer and deleted critical Windows files. The Melissa worm caused
$1 billion in damages.
• Nimda – In 2001, Nimda ("admin" backwards) infected a variety of Microsoft machines very
rapidly through an email exploit. Nimda spread by finding email addresses in .html files located
in the user's web cache folder and by looking at the user's email contacts as retrieved by the
MAPI service. The consequences were heavy: all web-related files were appended with JavaScript
that allowed further propagation of the worm, users' drives were shared without their consent,
and "Guest" user accounts with Administrator privileges were created and enabled. It was
estimated that Nimda caused $530 million in damages after only one week of propagation.
Several months later, reports indicated that Nimda was still a threat.
• ILOVEYOU (also known as VBS/Loveletter or Love Bug Worm) – Users got an email in 2000 with
the subject line "ILOVEYOU." If you deleted it, you were safe from one of the most costly worms in
computer history. The attachment in that email, a file called LOVE-LETTER-FOR-YOU.TXT.vbs,
started a worm that spread like wildfire by accessing email addresses found in users' Outlook
contact lists. Unsuspecting recipients, believing the email to be harmless, would execute the
document only to have most of their files overwritten. The net result was an estimated $5.5 billion
to $8.7 billion in damages. Ten percent of all Internet-connected computers were hit. Onel A. de
Guzman, the creator of the virus and a resident of the Philippines, had all charges against him
dropped because there were no laws at the time prohibiting the creation of computer worms.
Task 3 – P1.2 – Produce a report that identifies the threat and impact of potential virus threats
to an organisation's data.

In today's society, people buy and shop differently. People use credit cards
instead of cash. They purchase goods and services online instead of at a
store. Instead of going to the bank, people have online bank accounts. This is
called the plastic era or the wireless generation. We have the convenience and
opportunity to purchase goods from around the world, to pay our bills at two
o'clock in the morning, or to check our bank statement from home.
Technology has brought about tremendous advances, but technology has also
advanced the common criminal, giving birth to a new breed of criminal. This
type of criminal steals someone's identity in order to commit fraudulent acts
through phishing, bin rummaging, telephone scams and hacking. Thieves are on
the lookout for our personal information so they can obtain credit cards, bank
loans, utility services, wireless phone service and more by using our
identity. Victims of identity theft suffer from damaged credit reports, drained
bank accounts and even a criminal record.
Some identity thieves will give your personal information when they are
arrested. This causes embarrassment to you, as it creates a criminal record in
your name. Often, victims of identity theft do not find out they have been
victimised until they receive their bank statement or credit card statement in
the post or when they are turned down for a loan or flat rental.
Computer hacking is the practice of modifying computer hardware and software to
accomplish a goal outside of the creator’s original purpose. People who engage in
computer hacking activities are often called hackers. Since the word “hack” has long
been used to describe someone who is incompetent at his/her profession, some hackers
claim this term is offensive and fails to give appropriate recognition to their skills.
Computer hacking is most common among teenagers and young adults, although there
are many older hackers as well. Many hackers are true technology buffs who enjoy
learning more about how computers work and consider computer hacking an "art" form.
They often enjoy programming and have expert-level skills in one particular program.
For these individuals, computer hacking is a real-life application of their
problem-solving skills. It's a chance to demonstrate their abilities, not an
opportunity to harm others.
Since a large number of hackers are self-taught prodigies, some corporations actually
employ computer hackers as part of their technical support staff. These individuals use
their skills to find flaws in the company’s security system so that they can be repaired
quickly. In many cases, this type of computer hacking helps prevent identity theft and
other serious computer-related crimes.
Computer hacking can also lead to other constructive technological developments, since
many of the skills developed from hacking apply to more mainstream pursuits. For
example, former hackers Dennis Ritchie and Ken Thompson went on to create the UNIX
operating system in the 1970s. This system had a huge impact on the development of
Linux, a free UNIX-like operating system. Shawn Fanning, the creator of Napster, is
another hacker well known for his accomplishments outside of computer hacking.
Hacking has many negative effects: personal information may be leaked,
intellectual property could be stolen, and lives can be ruined. There is no
effective way to eliminate cracking. Any security measure put out will be
circumvented sooner or later (as an example, see the iPhone 3G unlock). So the
only way to keep unwanted criminals out is to keep your software up to date and
protected from the outside world, i.e. by firewalls. Cracking isn't always bad.
Some people crack software or security in order to learn how to prevent it.
There is a difference between good and bad, though: white hat hackers vs. black
hat hackers.
Hacking can take many forms, and the infiltration level can vary from curiosity
to espionage. Levels of hacking are usually only detected after the fact.
Setting systems up on subnet masks is useful but not foolproof; firewalls
involve degrees of encrypted security from 8-bit to 64-bit but can still be
accessed. We all know the story of the NORAD hack from the movie War Games, but
how close to the truth is hacking? Governments have set up agencies like CIPAV
or US-CERT to identify hacking and security threats to governmental systems,
but businesses are less prepared. For information look at:
http://www.wired.com/threatlevel/2009/04/fbi-spyware-pro/
For a detailed explanation see: http://technet.microsoft.com/hiin/magazine/2005.01.anatomyofahack(en-us).aspx
Piggybacking occurs when a user with a laptop or Wi-Fi connection connects to an
unprotected network server. Routers can be protected by a WEP key or WPA
protection through 16- or 32-bit encryption and network protocols. But a lot of
modems made by the same company have the same initial password for the router's
administrative functions, or have no WEP or WPA protection set, allowing a user
to connect and download without restriction in the same way they could use an
unprotected Wi-Fi hotspot.
• Over half of UK internet users have admitted using other people's Wi-Fi networks
to piggyback onto the internet. It is estimated that 54 per cent of respondents had
used someone else's wireless internet access without permission.
• Many internet-enabled homes fail to properly secure their wireless connection with
passwords and encryption, allowing passers-by and neighbours to 'steal' their
internet access.
• Although most businesses have security measures in place to protect their Wi-Fi
networks, the protections a lot of companies take are too light to stop a determined
piggybacker.
• The worst-case scenario is an external user connecting not just to the internet
through the Wi-Fi but to the network, giving them access to and control over stored
files and leading to deletion, corruption and industrial espionage.
Task 4 – P1.3 – Produce a report that identifies the threat and impact of potential ID
theft, hacking and piggybacking threats to an organisation's resources and data.

Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking
email in an attempt to gather personal and financial information from recipients.
Typically, the messages appear to come from well-known and trustworthy web sites. Web
sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy
and America Online. A phishing expedition, like the fishing expedition it's named for, is
a speculative venture: the phisher puts out the lure hoping to fool at least a few of the
prey that encounter the bait. Phishers use a number of different social engineering and
e-mail spoofing ploys to try to trick their victims.
In one typical case before the Federal Trade Commission (FTC), a 17-year-old male sent
out messages purporting to be from AOL that said there had been a billing problem with
recipients' AOL accounts. The perpetrator's e-mail used AOL logos and contained
legitimate links. If recipients clicked on the "AOL Billing Center" link, however, they
were taken to a spoofed AOL web page that asked for personal information, including
credit card numbers, personal identification numbers (PINs), social security numbers,
banking numbers and passwords. This information was then used for identity theft.
• The Trojan infects the machine and then waits for the victim to visit his or her bank.
• Information is gathered by injecting additional fields into the genuine bank web
page as it loads in the browser; no fake web sites are used.
• The SSL connection between client and bank is valid (the padlock is shown and the
certificate chain is OK).
• Classical anti-virus software did not detect this threat.
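The AOL case above turns on a link whose visible text names a brand while its address belongs to someone else. The check below, an added example that is not part of the original unit, pulls the links out of a constructed phishing-style message and flags that mismatch (the brand-to-domain table and the sample e-mail are assumptions for illustration).

```python
"""Flag deceptive links of the kind used in the AOL billing phish above.

Added example, not part of the original unit. BRAND_DOMAINS and SAMPLE_EMAIL
are constructed for illustration; 203.0.113.9 is a documentation-range address.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the text lists as frequently spoofed, mapped to the domains that
# legitimately belong to them (assumed, minimal table).
BRAND_DOMAINS = {
    "aol": {"aol.com"},
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

# Constructed message: branded link text, attacker-chosen destination.
SAMPLE_EMAIL = """
<p>Dear member, there has been a billing problem with your account.</p>
<p>Please visit the <a href="http://aol-billing.example.net/login">AOL Billing Center</a>
to update your details.</p>
<p>Help: <a href="https://help.aol.com/">AOL Help</a></p>
<p><a href="http://203.0.113.9/verify">Verify now</a></p>
"""


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: adequate for .com-style hosts; production code would
    consult the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (text, href, reason) for links whose visible text names a brand
    but whose host is outside that brand's domains, or whose host is a bare
    IPv4 address (a spoofed page rarely has a matching hostname)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host.replace(".", "").isdigit():
            findings.append((text, href, "link points to a raw IP address"))
            continue
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text.lower() and registrable(host) not in domains:
                findings.append((text, href, f"text claims {brand!r} but host is {host}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {reason}")
```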
Adware is software that generates advertisements such as pop-ups on Web pages that are not part of a
page's code. Adware can add links to your favorites and icons on the desktop. It will often change your
home page and your search engine to sites that earn income from various advertisers. This income is
dependent on how many people visit the adware site, or how many people click on the links or
advertisements. Many adware programs do not give users enough notice or control.
From a technical viewpoint, the most obvious problem caused by unauthorised programs is computer
instability. Badly infected systems may operate very slowly, crash constantly, or not start at all. The
owners of such badly infected machines may face serious problems when trying to clean up their
machines. Their attempts to use popular anti-spyware software may fail if the number of items that
require removal is so great that the software cannot cope with the load. Sometimes when the hijacking
software is removed the computer's ability to connect to the internet may be damaged.
There is also a privacy and security risk. Adware may exhibit spyware tendencies, reporting where you
go on the internet, when and how often, what you enter into search engines, and what advertisements
you respond to. Adware may add itself to the pop-up blocker exception list in Windows, or to the
Windows Firewall exceptions.

Home page and search engine hijacking - When a user's preferred choice of home page or search
engine is changed to an unknown site an unwary victim may be exposed to an increased risk of
further malware or spyware infection. It is not unusual for malware sites to direct hijacked
computers to other Web sites that download and install even more malware. There may also be
an increased risk of exposure to unwanted or unsavory content such as gambling or adult links via
advertisements or sponsored links.
Toolbars that appear out of nowhere - Often such toolbars are search engine based.
Sometimes they cannot be turned off permanently and reappear on reboot, and
sometimes they cannot be turned off at all. Sometimes, as part of their installation, they
will disable other toolbars that may already be installed – for example, if a reputable
toolbar such as GoogleBar or AltaVista's toolbar is installed, the hijacker will turn off
those toolbars to remove competition.

Search results from hijacking toolbars may be restricted to only sites that pay for
positioning, otherwise known as "sponsored" results.

Pop-up windows - Pop-up advertisements can be very intrusive. Sometimes they
interfere with Web browsing by taking over the entire computer screen. They can be
difficult or impossible to close. In bad cases, many windows will appear in rapid
succession, making the computer virtually unusable.
Examples include:
180SearchAssistant, Bonzi Buddy, ClipGenie, Comet Cursor,
Cydoor, DollarRevenue, ErrorSafe,
Gator, Security Tool, VirusProtectPro
Spyware is software that collects and transmits user specific behaviour and information, with or
without permission. Sometimes, permission to collect and transmit is assumed to have been
given simply by the act of installing software or loading a Web page.
Like ads, data collection can be okay if done with consent or for a reasonable purpose. For
example, software that transmits user specific information for the legitimate purpose of
confirming eligibility for updates or upgrades should not be classed as spyware. Programmers
are entitled to ensure that their software is not being pirated, and that the users of pirated
software are not receiving the same benefits as legitimate users.
Spyware is a type of software that acts as an intrusive camera: it can be installed on
computers and collects small pieces of information about users without their knowledge.
The presence of spyware is typically hidden from the user, and can be difficult to detect.
Typically, spyware is secretly installed on the user's personal computer. Sometimes,
however, spyware such as keyloggers is installed by the owner of a shared, corporate, or
public computer on purpose in order to secretly monitor other users, registering key
presses and passwords.
While the term spyware suggests software that secretly monitors the user's computing, the
functions of spyware extend well beyond simple monitoring. Spyware programs can collect
various types of personal information, such as Internet surfing habits and sites that have been
visited, but can also interfere with user control of the computer in other ways, such as installing
additional software and redirecting Web browser activity. Spyware is known to change computer
settings, resulting in slow connection speeds, different home pages, and/or loss of Internet
connection or functionality of other programs.
Examples of Spyware

CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package
directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads,
rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these
sites.

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When
users follow a broken link or enter an erroneous URL, they see a page of advertisements.

HuntBar, aka WinTools, was installed by an ActiveX drive-by download at affiliate Web sites, or by
advertisements displayed by other spyware programs—an example of how spyware can install more
spyware. These programs add toolbars to Internet Explorer, track browsing behaviour, redirect rival
references, and display advertisements.

MyWebSearch has a plug-in that displays a search toolbar near the top of a browser window, and it spies
to report user search-habits. MyWebSearch is notable for installing over 210 computer settings, such as
over 210 MS Windows registry keys/values. Beyond the browser plug-in, it has settings to affect Outlook,
email, HTML, XML, etc.

WeatherStudio has a plug-in that displays a window-panel near the bottom of a browser window. The
official website notes that it is easy to remove WeatherStudio from a computer using its own uninstall program.

Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which
users visit. It also alters HTTP requests for rival advertisements linked from a Web site, so that the
advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over
the Web sites of competing companies.

Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports information back
to the company. Some information can be the search-history, the Websites visited, and even keystrokes.
More recently, Zlob has been known to hijack routers set to defaults.
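CoolWebSearch's rewriting of the hosts file is one of the few spyware tricks above that leaves a plain-text trace a defender can audit. The script below is an added example, not part of the original unit: it parses a constructed hosts file and reports watchlisted names that have been redirected to another host or blackholed (the sample content and the watchlist are assumptions).

```python
"""Audit a hosts file for the redirection trick described above.

Added example, not part of the original unit. The hosts content and the
watchlist of domains are constructed for illustration; 203.0.113.7 is a
documentation-range address, not a real host.
"""
import ipaddress

# Constructed sample: the last three mappings mimic what a hijacker adds
# (well-known sites pointed at an attacker-chosen address, and a security
# vendor's update server blackholed so it can never be reached).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # legitimate internal entry
203.0.113.7     www.paypal.com
203.0.113.7     www.google.com search.yahoo.com
0.0.0.0         update.antivirus-vendor.example
"""

# Domains whose resolution must never be overridden locally (assumed list).
WATCHLIST = {
    "www.paypal.com", "www.google.com", "search.yahoo.com",
    "update.antivirus-vendor.example",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments.

    A hosts line is 'address hostname [alias ...]' with '#' starting a
    comment; malformed lines are skipped rather than raising.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def find_hijacks(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, ip, reason) for watchlisted names that a
    hosts entry would steer somewhere unexpected.

    'redirected': the name resolves to some other host (traffic diversion,
    as CoolWebSearch does); 'blackholed': it resolves to 0.0.0.0 or loopback,
    which silently breaks updates or sign-in pages.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host not in watchlist:
            continue
        if ip.is_unspecified or ip.is_loopback:
            findings.append((line_no, host, str(ip), "blackholed"))
        else:
            findings.append((line_no, host, str(ip), "redirected"))
    return findings


if __name__ == "__main__":
    for line_no, host, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({reason})")
```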
Malware is software that damages your system or causes instability, such as by changing settings or
interfering with a computer's registry and security settings. Some adware can also be classified as
spyware. For example BonziBUDDY, an application marketed as an "Intelligent software agent", corrupted
many of the user's system files, forcing the display of many obscene advertisements (composed mostly
of infected Flash coding); these and the main application logged browsing details and sent them to
various third parties.
The best-known types of malware, viruses and worms, are known for the manner in which they spread
rather than for any other particular behaviour. The term computer virus is used for a program that has
infected some executable software and that, when run, causes the virus to spread to other executables.
Typical examples include malware carrying computer viruses or worms.




Albert Gonzalez was accused of masterminding a ring to use malware to steal and sell more than 170
million credit card numbers in 2006 and 2007—the largest computer fraud in history. Among the
firms targeted were BJ's Wholesale Club, TJX, DSW Shoe, OfficeMax, Barnes & Noble, Boston Market,
Sports Authority and Forever 21.
A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand
people from Monster Worldwide Inc’s job search service. The data was used by cybercriminals to craft
phishing emails targeted at Monster.com users to plant additional malware on users’ PCs.
Customers of Hannaford Bros. Co, a supermarket chain based in Maine, were victims of a data
security breach involving the potential compromise of 4.2 million debit and credit cards. The
company was hit by several class-action law suits.
The Torpig Trojan has compromised and stolen login credentials from approximately 250,000 online
bank accounts as well as a similar number of credit and debit cards. Other information such as email,
and FTP accounts from numerous websites, have also been compromised and stolen.
Task 05 - P1.4 – Produce a report that identifies the threat and Impact that Spyware, Adware and
Malware pose to organisations and describe threats to an organisation’s data.
Page Jacking or Spyware is software that collects and transmits user specific behaviour and
information, with or without permission. Sometimes, permission to collect and transmit is assumed to
have been given simply by the act of installing software or loading a Web page.
Like ads, data collection can be okay if done with consent or for a reasonable purpose. For example,
software that transmits user specific information for the legitimate purpose of confirming eligibility for
updates or upgrades should not be classed as spyware. Programmers are entitled to ensure that their
software is not being pirated, and that the users of pirated software are not receiving the same
benefits as legitimate users.
Pagejacking and spyware are types of software that act as an intrusive camera: they can be installed
on computers and collect small pieces of information about users without their knowledge. The
presence of spyware is typically hidden from the user, and can be difficult to detect. Typically,
spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as
keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to
secretly monitor other users, registering key presses and passwords.
While the term spyware suggests software that secretly monitors the user's computing, the functions
of spyware extend well beyond simple monitoring. Spyware programs can collect various types of
personal information, such as Internet surfing habits and sites that have been visited, but can also
interfere with user control of the computer in other ways, such as installing additional software and
redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow
connection speeds, different home pages, and/or loss of Internet connection or functionality of other
programs.
CoolWebSearch, a group of programs, takes advantage of Internet Explorer
vulnerabilities. The package directs traffic to advertisements on Web sites including
coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters
the infected computer's hosts file to direct DNS lookups to these sites.
HuntBar, aka WinTools, was installed by an ActiveX drive-by download at affiliate Web
sites, or by advertisements displayed by other spyware programs—an example of how
spyware can install more spyware. These programs add toolbars to Internet Explorer,
track browsing behaviour, redirect rival references, and display advertisements.
MyWebSearch has a plug-in that displays a search toolbar near the top of a browser
window, and it spies to report user search-habits. MyWebSearch is notable for installing
over 210 computer settings, such as over 210 MS Windows registry keys/values. Beyond
the browser, it has settings to affect Outlook, email, HTML, XML, etc.
Zango (formerly 180 Solutions) transmits detailed information to advertisers about the
Web sites which users visit. It also alters HTTP requests for rival advertisements linked
from a Web site, so that the advertisements make unearned profit for the 180 Solutions
company. It opens pop-up ads that cover over the Web sites of competing companies.
Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports
information back to the company. Some information can be the search-history, the
Websites visited, and even keystrokes. More recently, Zlob has been known to hijack
routers set to defaults.
Most networks today are built on what is called the eggshell principle: hard on the
outside and soft on the inside. This means that if an attacker can gain a foothold onto
the network, the rest of the network will usually fall like dominoes.
Once inside, the most difficult part is often to figure out what to attack next and where
to go for the really juicy bits of information. It does not have to be this way. With the
proper techniques, we as network administrators can achieve two crucial objectives: to
make it much more difficult to gain a foothold in the first place and to make it much
more difficult to use that foothold to get anywhere else on the network.
Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are
three basic types of attack:
◦ consumption of scarce, limited, or non-renewable resources
◦ destruction or alteration of configuration information
◦ physical destruction or alteration of network components
Consumption of Scarce Resources
Computers and networks need certain things to operate: network bandwidth, memory and disk
space, CPU time, data structures, access to other computers and networks, and certain
environmental resources such as power, cool air, or even water.
• Network connectivity – Denial-of-service attacks are most frequently executed against
network connectivity. The goal is to prevent hosts or networks from communicating on the
network. An example of this type of attack is the "SYN flood" attack described in
http://www.cert.org/advisories/CA-1996-21.html
• In this type of attack, the attacker begins the process of establishing a connection to the
victim machine, but does it in such a way as to prevent the ultimate completion of the
connection. In the meantime, the victim machine has reserved one of a limited number of
data structures required to complete the impending connection. The result is that legitimate
connections are denied while the victim machine is waiting to complete bogus "half-open"
connections.
• You should note that this type of attack does not depend on the attacker being able to
consume your network bandwidth. In this case, the intruder is consuming kernel data
structures involved in establishing a network connection. The implication is that an intruder
can execute this attack from a dial-up connection against a machine on a very fast network.
(This is a good example of an asymmetric attack.)
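The half-open exhaustion described above is easiest to see as a queue with a fixed number of slots. The simulation below is an added example, not part of the original unit: it counts how many legitimate connections a victim accepts with no attack, under a slow trickle of spoofed SYNs, and with SYN cookies (a stateless defence where the server keeps no per-SYN entry) so the asymmetry the text mentions becomes concrete. Backlog size, timeout, RTT and the traffic rates are assumed values.

```python
"""Simulate the half-open connection exhaustion described above.

Added example, not part of the original unit. BACKLOG, SYN_TIMEOUT, RTT_TICKS
and the traffic rates are assumed values chosen to make the effect visible;
real TCP stacks differ in their limits and timers.
"""
from collections import deque

TICKS_PER_SEC = 100                 # simulation resolution: 10 ms per tick
BACKLOG = 128                       # half-open entries the victim can hold (assumed)
SYN_TIMEOUT = 30 * TICKS_PER_SEC    # a half-open entry lingers 30 s (assumed)
RTT_TICKS = 5                       # a real client returns its ACK after 50 ms (assumed)


def simulate(duration_s, legit_rate, attack_rate, syn_cookies=False):
    """Run duration_s seconds of traffic and return (accepted, refused) counts
    for legitimate clients. Rates are SYNs per second (integers).

    A spoofed SYN reserves a backlog entry that is never completed, so it
    stays until SYN_TIMEOUT; a legitimate SYN reserves an entry that is
    released when the client's ACK arrives RTT_TICKS later. With syn_cookies
    the server keeps no per-SYN state (it encodes the connection in its
    SYN-ACK sequence number and rebuilds the entry only when a valid ACK
    comes back), so spoofed SYNs reserve nothing.
    """
    spoofed = deque()             # expiry ticks of entries held by spoofed SYNs
    legit = deque()               # completion ticks of entries held by real clients
    accepted = refused = 0
    attack_due = legit_due = 0    # integer accumulators: exact, no float drift

    def backlog_full():
        return len(spoofed) + len(legit) >= BACKLOG

    for tick in range(duration_s * TICKS_PER_SEC):
        # Release entries whose timer expired or whose handshake completed
        # (both deques are appended in tick order, so the head is the oldest).
        while spoofed and spoofed[0] <= tick:
            spoofed.popleft()
        while legit and legit[0] <= tick:
            legit.popleft()

        # Spoofed SYNs: each one that finds a free slot ties it up for 30 s.
        attack_due += attack_rate
        while attack_due >= TICKS_PER_SEC:
            attack_due -= TICKS_PER_SEC
            if not syn_cookies and not backlog_full():
                spoofed.append(tick + SYN_TIMEOUT)

        # Legitimate SYNs: refused outright when no slot is free.
        legit_due += legit_rate
        while legit_due >= TICKS_PER_SEC:
            legit_due -= TICKS_PER_SEC
            if syn_cookies or not backlog_full():
                legit.append(tick + RTT_TICKS)
                accepted += 1
            else:
                refused += 1
    return accepted, refused


def compare(duration_s=60, legit_rate=5, attack_rate=50):
    """Return the three scenarios a defender would want side by side.

    50 spoofed SYN/s is a trickle a dial-up line could send, which is the
    asymmetry the text points out: the attacker spends almost nothing while
    the victim loses its whole connection backlog.
    """
    return {
        "no_attack": simulate(duration_s, legit_rate, 0),
        "syn_flood": simulate(duration_s, legit_rate, attack_rate),
        "syn_cookies": simulate(duration_s, legit_rate, attack_rate, syn_cookies=True),
    }


if __name__ == "__main__":
    for name, (ok, refused) in compare().items():
        print(f"{name:12s} accepted={ok:4d} refused={refused:4d}")
```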
Using Your Own Resources Against You
An intruder can also use your own resources against you in
unexpected ways. One example is described in
http://www.cert.org/advisories/CA-1996-01.html
In this attack, the intruder uses forged UDP packets to
connect the echo service on one machine to the chargen
service on another machine. The result is that the two
services consume all available network bandwidth between
them. Thus, the network connectivity for all machines on
the same networks as either of the targeted machines may
be affected.
Task 06 - P1.5 – Produce a report that identifies the threat
and Impact that Page jacking and DDOS attacks pose to
organisations and describe threats to an organisation’s
data.
• Data theft happens as much from internal employees as from hackers and can cause
as much damage to the company as any other attack in terms of loss of faith and trust.
Staff can do this by accessing the network remotely and using their privileges to
download and use data from the network for their own personal gain.
• If it were just hacking there would not be such an issue, but staff abusing the system
by taking information using their own accounts is more difficult to track or prosecute.
As members of staff they have already been given permission to access certain levels
of information; if this is privileged data then there could be a justification for them
to access the materials.
• Taking data externally is theft; whether by hacking or by abuse of privileged access,
it is still prosecutable. Using this information for things such as blackmail, threats,
or to expose companies or people adds an extra level of criminality to the process.
Accidental damage (e.g. spilling drinks on keyboards, deleting programs or files) –
Despite all the risks and countermeasures companies put in place to protect their
systems from damage, you cannot easily protect against spillage and user damage,
the bulk of which will not be recovered through insurance claims as it is not worth it.
Despite user policies in place, staff still bring drinks to their desks, they still make
mistakes, they still accidentally delete files off the system or, more commonly, save
files over the old ones.
• Backup servers are great for solving this issue but they are not 100% foolproof.
The number of single-incident problems adds up. Think of the number of times you
have deleted a file and put a cost to it; look around the room and see the on-going
damage left behind. Scale this up to a company: most companies will admit to 5%
downtime for systems, 10% for hardware, and spend 3% of their time recovering files
lost by staff from the system. The time lost is as much a part of the cost of this kind
of damage to a company as anything else.
Task 07 - P1.6 – Produce a report that identifies the threat and Impact
that Data Theft and Accidental Damage pose to organisations and describe
threats to an organisation’s data.

All these attacks and levels of damage have consequences: downtime, loss of
business, loss of faith, etc., things that a company will struggle to reclaim from
insurance. Each will have an impact on the company, some to the point of closing
for business altogether.
Financial (e.g. loss of business, pricing data, invoicing information) – this is the
biggest concern of any company: how much money it will cost to fix, how much
business will be lost, and whether they can afford to repair it and prevent it from
happening again. The Kyoto earthquake was a huge loss to business as well as life,
as was the tidal wave from the Fukushima earthquake. Beyond downtime, the loss of
information, the loss of computers, the corruption of data and the criminal damage
are estimated to cost Britain alone billions each year.
Loss of reputation – Sony found it very hard to recover from the hack, banks like
Allied Irish found it hard to justify to shareholders and stakeholders, and government
ministers apologise all the time for losing data. For some companies reputation is
everything. Loss of faith and loss of image can seriously damage business. Look at
Ratners and the scandal after their slip-up, and compare this to Wikileaks and the
damage done to companies' reputations through hacking and information leakages.
Loss of service and access – for a period of time, and to stop other attacks, companies
tend to take their services offline. Networks are shut down after virus attacks to make
sure the network is now more secure and virus free; this downtime costs a lot of money
through loss of business, again not something that can be claimed from insurance. Think
of how long Sony was offline; similarly RBS Bank in Northern Ireland was offline for
almost a week, a week in which all customer accounts, including business accounts, froze,
stopping thousands of companies from selling and cashing in sales of goods.
Loss of security of confidential information (e.g. national security, payroll information,
business strategies) – National security issues like Wikileaks are bad. A whole country's
reputation relies on this; lives, liberties and freedom of movement are restricted. This is
the worst case scenario. Loss of payroll data can cost a company huge amounts, but losing
corporate business strategies (corporate espionage) can cost a company more. Think of
how much Samsung might gain from knowing what Apple will do next, or how Sony might
have used leaked information about the Xbox in terms of what to develop and what to
make different or better.
Task 08 - M1.2 – Discuss the threat and impact on business of 2 companies that have
been victim of attacks.
Task 09 - M1.3 – Compare the threat and impact on business of 2 companies that have
been victim of attacks in terms of Loss of Service, Security of data, Reputation and
Finances.

Summary of impacts: Financial; Loss of reputation; Loss of service and access; Loss of
security of confidential information.
Task 1 – P1.1 – Produce a report that identifies the Impact of potential threats to an
organisation of Environmental, Malicious and Physical threats to the data.
Task 2 – M1.1 - Compare and contrast the impact of different types of threat to
different organisation types
Task 3 – P1.2 – Produce a report that identifies the threat and Impact of potential
virus threats to organisation’s data.
Task 4 – P1.3 – Produce a report that identifies the threat and Impact of potential ID
Theft, Hacking and Piggybacking threats to organisation’s resources and data.
Task 05 - P1.4 - Produce a report that identifies the threat and Impact that
Spyware, Adware and Malware pose to organisations and describe threats to an
organisation’s data.
Task 06 - P1.5 - Produce a report that identifies the threat and Impact that Page
jacking and DDOS attacks pose to organisations and describe threats to an
organisation’s data.
Task 07 - P1.6 – Produce a report that identifies the threat and Impact that Data
Theft and Accidental Damage pose to organisations and describe threats to an
organisation’s data.
Task 08 - M1.2 – Discuss the threat and impact on business of 2 companies that have
been victim of attacks.
Task 09 - M1.3 – Compare the threat and impact on business of 2 companies that have
been victim of attacks in terms of Loss of Service, Security of data, Reputation and
Finances.