Cyber Warfare and Security

Secure Systems Programming
7WCM1027
Nathan Sweeney
Table of Contents
Question 1 (page 2)
  Cyber Security (page 2)
  Cyber-Warfare (page 3)
  Remote Database Access Scenario (page 3)
    Flow diagrams (page 4)
    Points of interest and threats (page 5)
  Skillset required (page 6)
  Threat Modelling and Risk Analysis (page 6)
    Cyber Warfare scenario (page 7)
Question 2 (page 8)
  What is malware? (page 8)
  What is Stuxnet? (page 9)
  What is a bot? (page 10)
  What is a worm? (page 11)
  Comparison between Stuxnet, Bots and Worms (page 12)
Bibliography (page 13)
1|Page
Question 1
Cybersecurity and cyber warfare are terms that have emerged in the media recently and are attracting
the attention of many researchers engaged in the development of secure systems.
A software development team is to be formed to design and develop a secure system for the retrieval of
sensitive information from a remote database.
a) Explain what is meant by the terms cybersecurity and cyber warfare.
b) Present a possible scenario, for the retrieval of sensitive information from a remote database. Include
data flow diagrams to identify points at which threats could emerge.
c) Describe those skills that, in your opinion, are essential for a team to possess in order to complete the
above task. Justify your claims throughout.
d) Using examples of your own, explain how the team could employ Threat Modelling and Risk Analysis
in developing a secure system. How do these tools compare to those presented in a cyber-warfare
setting?
Cyber Security
Cyber security is the way in which we defend ourselves and our companies from real and potential threats
from people trying to get at personal and business-critical information. There are a number of
aspects to cyber security, some of which are listed below:
- Staff training
- Tight network access
- Honeypots
- Social engineering
The biggest threat to cyber security is the level of training of internal staff. I have seen so many instances of users
installing (or attempting to install) software on their laptops only to find that they end up with some malware.
As well as this, anybody picking up a USB stick and using it to transfer files is potentially putting the
company at risk, as they do not know what is on the drive.
To combat this, the training that staff receive, together with the correct governing policies and procedures,
can help; however, without the correct technical limitations to follow suit they are pointless.
An example of this would be having a Windows domain and not implementing the correct group
policies to limit end users so that they are unable to install software.
Cyber-Warfare
Cyber warfare is the weaponisation of code, used over the internet in order to cause damage to
a user or company. It is normally used for political gain, with the likes of China using techniques like this in
order to secure their technical future.
Attacks that would be classed as cyber warfare can range from simple DDoS attacks through to complex
attacks like Stuxnet, which was aimed at specific software.
Governments are now stating that the number one threat to national security is
cyber warfare. This is because everything you do now has a computer involved at some
point, which can be exploited.
As an example, let's say you don't have a mobile phone and you take the car to work every day. Your
car has a computer that runs diagnostics every time it is in use, which could be exploited to give false
results to mechanics and cause you serious injury.
Remote Database Access Scenario
You work for a multimillion-pound company which specializes in PCI database integration with high-volume
SQL back-end databases. A DB developer has been given the task of writing a module for a new
mobile app which allows specific data to be pulled from the SQL database.
The DB admin created the module but left the company during testing and implementation; the module
was implemented anyway.
Whilst working on the application the database developer had placed the usernames and passwords in
plain text in their own custom module, with the intention of tidying up afterwards.
A few months later data is stolen from the company's servers.
Flow diagrams:
Infrastructure flow diagram showing the data being transferred from the end user through the
company's infrastructure.
Data flow diagram showing the request for data through the infrastructure.
Points of interest and threats
Below are the points of interest from the above diagram, along with the threats that may come from
them:
- End User
- Firewall
- Web Server
- Database Server
End User threat:
The end user could run a trace program, something like Wireshark, watching their own internet traffic
coming from their phone and the application that has been worked on by our developer. As the Web
and DB username and password are in plain text, we can then start to investigate and hack the network.
Firewall issues:
If a firewall has a hardware limitation it can be exploited too. For example, a Juniper SSG5 only has 100 Mbit/s
ports, whereas a Juniper SSG 140 has GigE ports. Therefore, if a company has an SSG5 protecting their
infrastructure, they could be open to a DDoS attack without much effort from the attacker.
Web Server:
Web servers are full of exploits, from IIS to Apache and from PHP to ASP. If you could find out whether the company
was using a CMS (content management system) you could even exploit that.
Database Server:
With the above scenario in mind we have the Web and DB usernames and passwords, so it now comes down to
downloading the information. But what would stop us from analyzing the database, setting up our own
and then pushing the database storage requests there instead?
Rather than outright stealing from someone else's database, we would be getting the information directly from
the users of the system.
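The plain-text credential defect at the heart of this scenario is something a development team can check for mechanically before a module is deployed. The following is an added example, not part of the essay: `SAMPLE_MODULE` is a constructed stand-in for the DB developer's module, and the pattern, the helper names and the environment-based `load_db_credentials()` are the editor's own assumptions about how such a module could be checked and hardened.

```python
"""Spot the scenario's plain-text credentials in a module and show the hardened form.

Added example, not from the original essay. SAMPLE_MODULE is constructed; the
regex and function names are the editor's own.
"""
import os
import re

# Constructed source text standing in for the DB developer's "custom module".
SAMPLE_MODULE = '''
# TODO tidy up before release
DB_HOST = "sql01.internal.example"
DB_USER = "app_reader"
DB_PASSWORD = "Summ3r2015!"
web_pass = 'letmein'
api_timeout = 30
'''

# A literal string assigned to a credential-looking variable name.
_CREDENTIAL_ASSIGNMENT = re.compile(
    r"""^[ \t]*(?P<name>\w*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\w*)"""
    r"""[ \t]*=[ \t]*(?P<quote>["'])(?P<value>[^"']+)(?P=quote)""",
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_credentials(source: str):
    """Return (line_number, variable_name) for every literal credential found.

    The matched value is deliberately not returned, so the report produced
    from this function does not itself leak the secret.
    """
    findings = []
    for match in _CREDENTIAL_ASSIGNMENT.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        findings.append((line_no, match.group("name")))
    return findings


def load_db_credentials(env=os.environ):
    """Hardened form: credentials come from the environment (populated from a
    secret store at deploy time), never from the module text, and a missing
    value is an error rather than a silent fallback to a default password."""
    try:
        return {"user": env["DB_USER"], "password": env["DB_PASSWORD"]}
    except KeyError as missing:
        raise RuntimeError(f"database credential {missing} not provided") from None


if __name__ == "__main__":
    for line_no, name in find_hardcoded_credentials(SAMPLE_MODULE):
        print(f"line {line_no}: literal credential assigned to {name}")
```

Run against the real module as a pre-deployment check, a non-empty result from `find_hardcoded_credentials()` is exactly the condition that should have blocked the module in the scenario.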
Skillset required
In my opinion the team would require the below skillset:
- Understanding of the whole picture
  Being able to see the end goal of a project gives everyone
- PCI standards awareness
- ISO27001 standards awareness
- A background, in some aspect, of security
However, the company they work for would have to ensure this by providing the below:
- Diligent security awareness courses
- Policies that staff adhere to
- Procedures that staff adhere to
Threat Modelling and Risk Analysis
Threat modelling is the process of identifying weaknesses in code before and during the application
development lifecycle. This allows threats to be taken into consideration and dealt with before they
affect the business.
Companies such as Microsoft have created tools to allow developers to analyze their software at the
design phase to help mitigate potential issues. There are a multitude of different methodologies
for analyzing the business's requirements so that the security elements are taken into consideration
when designing software. Some of these are:
- P.A.S.T.A. (Process for Attack Simulation and Threat Analysis)
- TRIKE
- OWASP
Threat modelling can be broken down into 3 steps:
1. Decompose the application
   This stage is used to go through the application and take apart all of the points that would be of
   interest to a third-party attacker. At this point DFDs would be used to determine and show
   these points of interest for an attacker.
2. Determine and rank threats
   Different methodologies for ranking threats can be used, such as STRIDE (from the attacker's side) and
   ASF (from the defensive side). These allow you to identify threats, categorize them and
   subsequently rank them. DREAD can be used to quantify the risk based upon general risk factors.
3. Determine countermeasures and mitigation
   Once the threats have been identified a business will then determine whether the risk factor is
   great enough to warrant a countermeasure of some description.
   If the risk is determined not to be great enough and the company deems any loss would not be
   impacting.
Once the software has been implemented, penetration testing would be carried out to form further
countermeasures and mitigate against future attacks, maintaining the security of the system going forward.
Once exploits have been found they can then be protected against.
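Steps 2 and 3 above can be made concrete for this page's own scenario. The following is an added example, not from the essay: the four threats are the points of interest from the data flow diagram, while their STRIDE categories, the 1-10 DREAD factor scores and the 6.0 decision threshold are the editor's illustrative assumptions; the (D+R+E+A+D)/5 average is the classic DREAD formula.

```python
"""Worked DREAD ranking for the remote-database scenario.

Added example (not from the original essay). The threats, STRIDE categories,
scores and threshold below are the editor's own illustrative assessments of
the four points of interest in the essay's data flow diagram.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str            # point of interest from the DFD
    description: str
    stride: str           # STRIDE category assigned to this threat
    damage: int           # D: how bad is it if exploited?
    reproducibility: int  # R: how reliably can it be reproduced?
    exploitability: int   # E: how little effort/skill is needed?
    affected_users: int   # A: how many users are hit?
    discoverability: int  # D: how easy is the weakness to find?

    def dread_score(self) -> float:
        """Classic DREAD: average of the five factors, each on a 1-10 scale."""
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if not all(1 <= f <= 10 for f in factors):
            raise ValueError("DREAD factors must be in the range 1-10")
        return sum(factors) / 5


# Illustrative scores for the essay's scenario (editor's assumptions).
SCENARIO_THREATS = [
    Threat("End User", "Credentials visible in plain text in the mobile app's traffic",
           "Information Disclosure", 10, 10, 9, 10, 8),
    Threat("Firewall", "Undersized firewall ports saturated by a DDoS",
           "Denial of Service", 6, 8, 6, 10, 5),
    Threat("Web Server", "Unpatched web server or CMS vulnerability",
           "Elevation of Privilege", 8, 6, 5, 8, 6),
    Threat("Database Server", "Storage requests redirected to an attacker-controlled database",
           "Tampering", 10, 7, 4, 10, 3),
]


def rank_threats(threats):
    """Step 2: return (score, threat) pairs, highest DREAD score first."""
    scored = ((t.dread_score(), t) for t in threats)
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def needs_countermeasure(threat, threshold=6.0):
    """Step 3: decide whether the risk is great enough to warrant a countermeasure.

    The threshold is a business decision; 6.0 is an assumed value for illustration.
    """
    return threat.dread_score() >= threshold


if __name__ == "__main__":
    for score, t in rank_threats(SCENARIO_THREATS):
        action = "mitigate" if needs_countermeasure(t) else "accept"
        print(f"{score:4.1f}  {t.asset:16} {t.stride:24} {action:9} {t.description}")
```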
Cyber Warfare scenario
The tools described above are used in preparation for an attack on the software itself; however, they could
also be applied with the mindset of a hacker to create software or take advantage of existing
vulnerabilities.
Taking this approach you could look at software from a different perspective, understanding how it
interacts with other systems. Once this is understood you could then write malicious code which took
advantage of this in order to cause damage.
Question 2
In this question I would like you to compare and contrast Stuxnet with Bots and one other different form
of malware. In your discussion, identify the original purpose of each type of malware, together with
their development and those steps, if any, which have been taken to counter the use of such software.
Include an indication of how recent each form of malware is.
What is malware?
Malware stands for malicious software, which is aimed at performing a malicious act against a computer
or the user of that computer whilst disguised as a piece of legitimate software.
These acts can be such things as simple product advertisements or, worse still, they can result in
malicious hackers being able to control or use your computer for illegitimate purposes without your
consent.
Examples of malicious software are viruses, worms and Trojan horses, which can be grouped
together and defined as malware.
A virus is a piece of code which is designed to spread itself from one machine to another and
cause issues to the host computer by attaching itself to an existing piece of software. Viruses can also
replicate themselves, which can cause issues like memory utilization problems on the host machine, thus
slowing it down and making it unusable.
Ways that viruses spread include email attachments, social engineering, phishing scams, browser
toolbars, free games and infected sites.
A worm is a standalone piece of software and as such does not need to attach itself to any other
programs. Worms are mostly used to replicate and spread across networks but, if they are payload free,
do not cause much harm except that of bandwidth usage.
However, as worms can contain payloads, they can carry exploits which can do a
multitude of different things to the host machine. With the additional payload attached
to the worm it can also generate even more bandwidth across a network, causing significant
disruption to the point of collapse.
A Trojan horse is a standalone virus that is concealed within what may look like a legitimate piece of
software. Once the software is installed on the host machine it will then take advantage of a variety of
vulnerabilities on the host machine.
This can range from accessing personal information, to allowing remote access to the host, to destroying
data.
What is Stuxnet?
Stuxnet was a worm which was developed to get into PLCs (programmable logic controllers) and change
their standard operating procedures whilst giving false positive results.
A PLC (programmable logic controller) is a component created to continuously monitor the state of an
input device, allowing decisions to be made in order to control the state of an output device.
The use of Stuxnet
As Stuxnet was a worm it was able to replicate itself across a network, which allowed it to be quite
persistent across large distances. As Stuxnet was designed to attack a specific piece of hardware, it
would scan its host to see if the software that integrates with the hardware was installed and, if so, it
became active.
If the software that integrated with the PLC controllers was not installed the worm would remain
dormant on the host machine.
Stuxnet had an array of capabilities which took advantage of zero-day vulnerabilities in the Microsoft
operating system. Zero-day vulnerabilities are flaws that the programmers have not yet had time to fix
and update after the software has been deployed.
Security certificates were stolen from Verisign, which meant Stuxnet masqueraded as a normal
program, making it undetectable by malware and anti-virus programs.
Stuxnet was a weapon for cyber warfare due to the nature of the malware. This has caused cyber
warfare to become one of the biggest threats in global security in recent times.
Development
Stuxnet was developed over time and used command and control servers to update itself and to allow
data to be uploaded from Stuxnet itself. Symantec have further detailed the lifespan and development
of Stuxnet here: Symantec (26th February 2013) Stuxnet 0.5: How It Evolved [Online] Available
from: http://www.symantec.com/connect/blogs/stuxnet-05-how-it-evolved [Accessed: 19th March
2015]
Countering the threat
Stuxnet, amongst others, has now been included in all anti-virus software packages, and the zero-day
vulnerabilities have been fixed to combat the malware.
What is a bot?
Bots are automated pieces of code that run on the internet performing menial tasks at machine speed
where it would not be practical for humans to do so. Examples would be search index bots,
aka spiders, which trawl websites for keywords so that the website can then be ranked using
additional algorithms.
Other automated bots would be artificial intelligence chat or help centres on the website you are
visiting. The aim of these is to improve the customer's interaction with the site whilst, behind the scenes,
the bot is trying to guess how best to route you or your query.
Malicious use of Bots
Bots can be used maliciously to perform tasks such as advertising where you would not
necessarily want it. As an example, a bot could look for specific code strings which it knows have
vulnerabilities, report this back, and then an attack could be conducted on that website.
A bot can also be used to take over a user's machine and make it part of a botnet, the compromised
machines subsequently becoming zombies. This botnet can then be used collectively to perform acts such as
spamming or DDoS attacks.
Development
Bots are now being used to attack mobile platforms due to the increase in cellular activity globally and
the increase in hardware capability. The mobile phones then become part of a remote botnet,
allowing the master to take control and attack from a mobile platform.
Attacking remotely from a mobile platform is now making it even more difficult to track the attackers
and prosecute them.
Countering the threat
Because bots are automated it is now increasingly common to see things like CAPTCHA
forms, which present an image that an automated piece of software cannot read as text
but humans can.
There are botnet removal tools which are updated on a regular basis so that they recognize the latest bots;
however, these tools do contain a lot of ads which can themselves slow down your machine.
What is a worm?
A worm is a piece of software that is not attached to any other software and replicates itself from host
to host across computer networks. Whilst taking advantage of the networking components to replicate
itself, the worm can also contain 'payloads' which can contain malicious pieces of code.
Malicious use of worms
Worms have been used to perform tasks like DDoS (distributed denial of service) attacks, which is an
attack on the TCP handshake that takes place when you visit a website. Because a worm
takes advantage of networking vulnerabilities it can carry a payload containing such things as bots.
As the bots are automated they can then start an attack on a specified target, processing a large number
of TCP acknowledgement requests from a specified target, subsequently sending a lot of junk data to
the website and taking it offline.
Development
Worms can be developed for anything from destroying data right through to causing utter chaos, to the
point of having to shut down network services, email servers and database servers, or even
null-routing IP addresses so that attacks on specified targets stop.
Because worms take advantage of networking vulnerabilities and can contain payloads,
they can be scripted to be quite specific in their attacks, using multiple viruses or Trojan horses to
complete the 'attack'.
Countering the threat
In the context of a DDoS attack the best way to defend a network would be to block the incoming IP
address and null-route the internal IP address so that the external attacker(s) do not think the IP is
there anymore and cease their attack.
In order to detect these types of attacks there are a number of technologies which monitor network
traffic and alert when there are anomalies so that they can be investigated and acted
on accordingly.
There are also continual updates to anti-virus software solutions which detect and confine known
malware exploits.
Comparison between Stuxnet, Bots and Worms
In order to compare the discussed malware I have created the chart below, which shows the differences
between them. With this in mind, as long as you know what you want to achieve you can tailor your
malware to those specific needs.
Comparison chart (only the headings survived extraction; the cell marks are not reproduced):
Rows: Standalone?, Self-Replicating, Network exploit, Machine access exploit, Phishing, XSS, Contains a payload, Web Based, Remote update
Columns: Stuxnet, Bot, Worm
Bibliography
Norton (n.d.) Malware [Online] Available from: http://uk.norton.com/security_response/malware.jsp [Accessed: 3rd March 2015]
McAfee (n.d.) View Recent Malware [Online] Available from: http://www.mcafee.com/threat-intelligence/malware/latest.aspx [Accessed: 3rd March 2015]
MalwareBytes (n.d.) HomePage [Online] Available from: https://www.malwarebytes.org/mobile/ [Accessed: 3rd March 2015]
BBC (21st November 2014) 'Sophisticated' Android malware hits phones [Online] Available from: www.bbc.co.uk/news/technology-30143283 [Accessed: 3rd March 2015]
Hackmageddon (11th August 2011) One Year Of Android Malware (Full List) [Online] Available from: http://hackmageddon.com/2011/08/11/one-year-of-android-malware-full-list/ [Accessed: 3rd March 2015]
Microsoft (n.d.) What is malware? [Online] Available from: http://www.microsoft.com/en-gb/security/resources/malware-whatis.aspx [Accessed: 3rd March 2015]
PcTools (n.d.) What is malware and how can we prevent it? [Online] Available from: http://www.pctools.com/security-news/what-is-malware/ [Accessed: 3rd March 2015]
Wikipedia (n.d.) Malware [Online] Available from: http://en.wikipedia.org/wiki/Malware [Accessed: 3rd March 2015]
Dummies (n.d.) Know the Different Types of Malware [Online] Available from: http://www.dummies.com/how-to/content/know-the-different-types-of-malware.html [Accessed: 3rd March 2015]
Securelist (9th December 2014) Kaspersky Security Bulletin 2014. Malware evolution [Online] Available from: http://securelist.com/analysis/kaspersky-security-bulletin/68052/kaspersky-security-bulletin-2014-malware-evolution/ [Accessed: 3rd March 2015]
Webroot (n.d.) Computer Virus Information [Online] Available from: http://www.webroot.com/gb/en/home/resources/articles/pc-security/computer-security-threats-computer-viruses [Accessed: 3rd March 2015]
Wikipedia (n.d.) Computer virus [Online] Available from: http://en.wikipedia.org/wiki/Computer_virus [Accessed: 3rd March 2015]
Webopedia (n.d.) computer virus (virus) [Online] Available from: http://www.webopedia.com/TERM/V/virus.html [Accessed: 3rd March 2015]
Wikipedia (n.d.) Stuxnet [Online] Available from: http://en.wikipedia.org/wiki/Stuxnet [Accessed: 14th March 2015]
Symantec (26th February 2013) Stuxnet 0.5: How It Evolved [Online] Available from: http://www.symantec.com/connect/blogs/stuxnet-05-how-it-evolved [Accessed: 14th March 2015]
Techopedia (n.d.) Internet Bot [Online] Available from: http://www.techopedia.com/definition/24063/internet-bot [Accessed: 13th March 2015]
Wikipedia (n.d.) Internet Bot [Online] Available from: http://en.wikipedia.org/wiki/Internet_bot [Accessed: 13th March 2015]
Cleverbot (n.d.) Homepage [Online] Available from: http://www.cleverbot.com/ [Accessed: 13th March 2015]
Captcha (n.d.) Homepage [Online] Available from: http://www.captcha.net/ [Accessed: 13th March 2015]
Veracode (n.d.) Common Malware Types: Cybersecurity 101 [Online] Available from: https://www.veracode.com/blog/2012/10/common-malware-types-cybersecurity-101 [Accessed: 5th March 2015]
Cisco (n.d.) What Is the Difference: Viruses, Worms, Trojans, and Bots? [Online] Available from: http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html [Accessed: 5th March 2015]
BBC (9th September 2010) What is an internet worm? [Online] Available from: http://www.bbc.co.uk/webwise/guides/internet-worms [Accessed: 5th March 2015]
Wikipedia (n.d.) Computer Worm [Online] Available from: http://en.wikipedia.org/wiki/Computer_worm [Accessed: 5th March 2015]
Computerhope (n.d.) Worm [Online] Available from: http://www.computerhope.com/jargon/w/worm.htm [Accessed: 5th March 2015]
Wikipedia (n.d.) Trojan horse (computing) [Online] Available from: http://en.wikipedia.org/wiki/Trojan_horse_(computing) [Accessed: 5th March 2015]
Webopedia (n.d.) Trojan Horse [Online] Available from: http://www.webopedia.com/TERM/T/Trojan_horse.html [Accessed: 5th March 2015]
Computerhope (n.d.) Trojan horse [Online] Available from: http://www.computerhope.com/jargon/t/trojhors.htm [Accessed: 5th March 2015]
Norton (n.d.) Malware [Online] Available from: http://uk.norton.com/security_response/malware.jsp [Accessed: 5th March 2015]
Symantec (20th April 2010) Trojan Horse [Online] Available from: http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99&tabid=2 [Accessed: 5th March 2015]
Cisco (n.d.) A Cisco Guide to Defending Against Distributed Denial of Service Attacks [Online] Available from: http://www.cisco.com/web/about/security/intelligence/guide_ddos_defense.html [Accessed: 14th March 2015]
OWASP (n.d.) Application Threat Modeling [Online] Available from: https://www.owasp.org/index.php/Application_Threat_Modeling [Accessed: 17th March 2015]