click below
click below
Normal Size Small Size show me how
COMP2216
Cyber Security
Term | Definition |
---|---|
cyber security CIA triad | confidentiality, integrity, availability |
availability | ensuring timely and reliable access to and use of information |
integrity | guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity; also making sure that the application logic of an information system is not altered inappropriately |
confidentiality | preserving authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information |
authenticity | an integrity related concept; being genuine and capable of being verified and trusted |
accountability | an integrity related concept; security goal that generates the requirement for actions of an entity to be traced uniquely to that entity (able to trace a security breach to a responsible party) |
asset | hardware, software, data, communication facilities and networks |
types of asset vulnerabilities | corrupted system, leaky system, unavailable (or very slow) system |
threat | represents a potential security harm; each vulnerability corresponds to a threat capable of exploiting it |
attack | a threat carried out; leads to an undesirable violation of security |
adversary | attacker; threat agent |
active attack | an attempt to alter assets or affect their operation |
passive attack | an attempt to learn or make use of information from the system that does not affect assets |
inside attack | initiated by an entity inside the security perimeter; the insider has authorised access uses it to carry out malicious acts |
outsider attack | initiated from outside the security perimeter by an unauthorised or illegitimate user of the system |
risk | a function of the adverse impacts caused if the event occurs, and the likelihood of occurence |
countermeasure | deal with threat: detection, prevention, mitigation, recovery |
encryption | transformation of data using secret key |
access control | rules, policies, and mechanisms that limit access to resources to certain systems/individuals based on identity and role |
authorisation | determining is a person or system is allowed access to resources based on an access control policy |
authentication | determination of the identity or role that someone has (smart card, password, fingerprint) |
physical security | establishment of physical barriers to limit access to protected computational resources (locks on cabinets and doors) |
backups | periodic archiving of data; to enable restoration of data |
checksums | computation of a function that maps the contents of a file to a numerical value |
computational redundancies | computers and storage devices that serve as fallbacks in case of failures |
cyber actors | cybercriminals, nation states, hacktivists, insiders, script kiddies |
cybercriminals | interested in illegal profit; typical attacks: money theft, personal document ransom, data breaches, ransomware (DDoS); attack vectors: malware, social engineering, botnet |
DDoS | distributed denial of service |
botnet | network of bots that infect the system with malware |
nation states | interested in: high quality intelligence, sabotage activities/critical infrastructures, subversion; typical attacks: influence campaigns, data breaches, DDoS,APT; attack vectors: malware, social engineering, botnet, social media |
APT | advanced persistence threats |
hacktivists | motivated by: political, religious, social ideologies; typical attacks: web defacement, data breaches, DDoS; attack vectors: malware, social engineering/email, botnet |
insider threats | legitimate access to valuable resources; intentional attacks (e.g. by disgruntled employees): publish information on the web, install malware, steal and sell information |
unintentional attacks | we do not consider them as insider threats; accidentally delete/post classified files; visit malicious websites, which leads to infecting the enterprise network |
script kiddies | less skilled hackers; motivated by: desire to join real hacker groups, the challenge itself, curiosity; just use tools found on the internet; no strategy; no clear methodology; despite this, they can succeed |
attack instigator | initiates the attack, is often the one in control |
attack perpetrator | carries out the attack |
cyber attack analysis | figure out how past attacks succeeded; develop knowledge based on past attacks; identify how to predict assets; forecast next steps of an ongoing asset |
reconnaissance | target research and selection; what information does the adversary need in order to carry out this attack? |
reconnaissance examples | crawling of web sites to gather email addresses; scans and probes to identify the security means used by the target |
weaponization | development of required cyber weapons, e.g. malicious payload, pairing it with an exploit; what cyber tools and weapons does the adversary need? |
weaponization example | PDF or Microsoft Office documents with embedded malicious scripts; Remote Access Trojan (RAT); setup the C&C infrastructure; phishing email |
delivery | delivery of the payload to the target; how are cyber weapons delivered to the target? |
delivery example | download from web site; email attachment; USB stick |
exploitation | execution of the payload, e.g., through the exploit; how is the cyber weapon executed? |
exploitation examples | exploit of known vulnerabilities of the target; exploit of OS auto-start feature; user deception |
installlation | ensure payload persistence within the target; how does the cyber weapon make sure it will be executed after a reboot? |
installation example | inject the malicious payload inside an OS process (e.g., explorer.exe); register the malicious payload as OS service with autostart mode |
command and control | establish a communication channel with an external command and control (C2) server; how does the cyber weapon communicate with the adversary? |
command and control example | ciphered connection over HTTPS; information exchange through public, beyond suspicion channels (e.g. on Twitter through tweets having specific hashtags) |
actions on objectives | execution of desired actions within the target, depending on the commands from C&C |
actions on objectives example | data exfiltration; disruption |
Zeus | one of the most famous banking Trojan horse; targets Windows OS; man-in-the-browser attack - encryption useless; captures credentials- keylogging, form grabbing |
evolution of Zeus | active since 2007; in 2017 was still among the three main financial trojan families |
money theft | from end users, enterprises, financial institutions, cryptocurrency |
BEC | (business email compromise) aka CEO fraud or whaling; request (large) money transfer by pretending to be CEO/senior manager; more likely if employee is physically distant from CEO/manager |
Bangladesh bank heist | February 2016; instructions to steal around $1 billion; managed to steal $101 million; about $38 million recovered; fraudulent transactions over the SWIFT network |
SWIFT | (Society for Worldwide Interbank Financial Telecommunication); network for financial institutions to exchange; information on financial transactions; transports financial messages in a highly secure way |
crypto wallets/exchanges | people usually rely on wallets to manage crypto capitals; wallets/exchanges can be hacked to steal money |
ransomware | a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files |
WannaCry events | thousands of computers infected; self-propagate and spread across local networks and via Internet; EternalBlue exploit used to execute arbitrary code on a targeted computer; the patch for the corresponding vulnerability was released two months before |
WannaCry function | kill switch was a domain; if it is unavailable, WannaCry keeps going with its encrypting and spreading; otherwise, halts its operations; a researcher registered that domain and WannaCry spread was substantially decreased |
WannaCry | example of personal document ransom; around 200K computers infected across 150 countries |
Yahoo | example of a data breach; 3 billion accounts impacted; stolen data - names, email addresses, telephone numbers, encrypted/unencrypted security questions/answers, dates of birth, hashed passwords |
stolen data use | public disclosure, private intelligence, sold on the black market |
DDoS | (Distributed Denial of Service) aim at making a service unavailable to its intended users; service disruption is usually accomplished by overloading its resources; the overloading is commonly due to service request flooding |
botnets in DDoS | Large groups of computers networked together that use their combined computing power to cause DDoS attacks; built from vulnerable systems with no concern for who their owners are; a botnet is commonly controlled by a Command & Control infrastructure |
Mirai | DDos example; continuous scanning for vulnerable IoT devices over the Internet; protected by factory default; hardcoded usernames and passwords; infection with a malware that forces them to report to a C&C |
influence campaigns | series of cyber-attacks and releases of information aimed to influence thinking and choices of a large number of persons; use massive amounts of bots in social media platforms; e.g John Podesta phishing email |
web defacements | change the appearance of a web site; mostly by Hacktivists -use known/unsophisticated vulnerabilities/techniques; targets chosen based on - ease to hack, expected media attention |
cryptojacking | malicious cryptomining; mining allows to earn substantial economic rewards; steal computational power from victims’ machines; designed to stay hidden from users |
supply chain attacks | compromise the weakest link in the supply chain and reach the target from there |
social engineering | psychologically manipulate people into: performing some action or divulging specific information; gather information left around by people |
information gathering | on the web - company website, social networks; dumpster diving - looking through disposed documents to find info; shoulder surfing |
interaction with the target | phishing, vishing, smishing, physical impersonation |
phishing | practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information; URL and email manipulation |
vishing | social engineering using the telephone system |
smishing | social engineering using the text message system |
whaling | targets high-ranking individuals within an organization |
spear-phishing | goes after a category of individuals with a lower profile |
baiting | like real world trojan horse; e.g infected removable media left where people can find them |
tailgaiting | accessing a secured building/area without any smart-card/biometric, by simply walking closely behind an authorised employee |
cyber essentials main goal | protect against the most common cyber threats |
cyber essentials can't defend | day-zero vulnerabilities, social engineering, advanced persistence threats |
basic IT infrastructure protection | firewalls, secure configuration, user access control, malware protection, patch management |
cyber essentials scope | boundaries of the IT infrastructure to protect |
cyber essential requirements | apply to all software/devices within the boundary that: accept incoming connections via internet from untrusted hosts, establish outbound connections via internet, control the flow of data between these devices and the internet |
firewalls objective | ensure that only safe and necessary network services can be accessed from the internet |
firewalls | network security device; reduce exposure to attacks; rules to block/allow traffic on the basis of source, destination, protocol; block all connections by default (except services meant to be accessed from the internet) |
secure configuration objective | ensure that computers/devices are configured to reduce vulnerabilities and provide only strictly required services |
secure configuration | set of best practices for the configuration of computers/devices; default configurations are not always secure (default password, unnecessary apps and services); requirements - remove/disable software, disable auto-run features, change default password |
user access control objective | ensure user accounts are assigned to authorised individuals only and provide access to actually required resources only |
user access control | set of processes and techniques to manage accounts and authorisations; reduce the risk of information being stolen or damaged; compromised accounts with high privileges can result in sever damage |
user access control requirements | setup a process to create and approve new user accounts; always authenticate users before granting access to applications/devices; remove/disable accounts when no longer required; 2 factor authentication; administrative accounts to perform certain tasks |
malware protection objective | restrict execution of known malware and untrusted software |
malware protection | verify if software is malicious; reduce risk of damage caused by harmful code; potential source of malware infection - email attachments, downloads, direct installation of unauthorised software; malware causes - malfunctioning, data loss/leakage |
malware protection requirements | anti-malware software; up to date, at least daily; auto scan when files are downloaded, opened or accessed from a network folder; auto scan of visited web pages, blacklisting malicious/suspicious websites; application whitelisting |
patch management objective | ensure devices/software are not vulnerable to known security issues for which fixes are available |
patch management | set of best practices for the maintenance and update of software; known vulnerabilities are likely to be exploited soon by attackers; patches released - as soon as new vulnerabilities discovered, or periodically |
patch management requirements | keep all software updated, keep all software licenced and supported |
data protection methods | understanding risk, encryption, fragmentation, data backups, privacy protection |
understanding risk | what data? who would want it? what would be the impact? |
using encryption | data at rest and in transit; key management |
fragmentation | split data into multiple pieces, stored in diverse locations; harder for an attacker to collect all the fragments |
data backup | frequently make copies of data; keep backup of data on different, separate devices |
privacy protection | sanatise information to remove PII |
segregation of duties | have more than one person required to complete a critical task |
segregation of duties application | if n accounts are required to execute a security-critical task, then n accounts should be compromised to undermine that task |
segregation of duties example | banking - every sensitive order has to be signed off by at least 2 different people from 2 different departments |
network fragmentation and monitoring | split infrastructure on - business processes, necessary exposure, risk levels; use firewalls at boundaries (beware of reconfiguration) |
network fragmentation and monitoring example | offices need access to internet; front end needs to be accessed from internet; back end only accessed by privileged users |
intrusion detection/prevention system | observe/record all traffic on network; detect/block malicious traffic; signature-based vs anomaly-based; alert on suspicious traffic (based on certain threshold) |
intrusion detection/prevention systems example | unknown computer starts scanning the whole address space; task is to identify if this a threat; use machine learning techniques - accuracy, explainability, adversarial learning |
honeypots | a decoy to lure attackers; hardware, software and data to simulate a real system, actually isolated; attack detection; deflect attackers; gather valuable info on attack strategies; research/production honeypots; high/low interaction honeypots |
pentesting | authorised simulated attack, aimed at assessing the security of a system; effective way to find vulnerabilities; can identify how an attacker could compromise the system; frameworks to automate and ease common pentesting operations are available |
phases of pentesting | pre-engagement interactions; intelligence gathering; threat modelling; vulnerability analysis; exploitation; post exploitation |
standards | ISO 27000 series, NIST 800 series(big, generic, complicated); specific standards for specific industries - PCI DSS, HIPAA; compliance-driven security is dangerous ;yet standards are an efficient stick to drive adoption |
APT post-exploitation | gained access into target system; persistence; c&c communication; lateral spread; data exfiltration |
APT - advanced | cutting edge techniques; exploitation of known vulnerabilities (e.g day zero exploits) |
day zero exploits | when security teams are unaware of their software vulnerability; they've had 0 days to work on a security patch or an update to fix the issue |
APT - persistent | use of stealthy techniques to pursue the goal of remaining hidden in the target system (can hide for months) |
APT - threat | malicious nature (aimed at data exfiltration for espionage purposes) |
APT perpetrators | hacking team of well-trained attackers; well-funded; specific and clear goal |
Carbanak APT | APT style campaign against financial institutions aimed at money theft; first infection in 2013; discovered 2014; active until 2015; 100 financial institutions hit; financial loss up to $1 billion |
Anatomy of Carbanak | spear phishing email with attachment; install backdoor; manual reconnaissance to compromise relevant computers; infected computers recorded and sent videos to C&C; keyloggers to understand victims actions (how to cash out money); ATMs dispense cash |
APT reconnaissance | identify potential targets; gather information; scan for vulnerabilities; social engineering |
APT initial compromise | gain foothold in target system; exploit vulnerabilities in software; phishing attacks to steal credentials or trick users into downloading malware |
APT maintain stable access | remain hidden (persist); establish communication channel with C&C; move around network looking for target (lateral spread); in case of data breach - exfiltrate data |
targeted and complex attack requirement | keep the foothold; maintain access as long as possible |
APT command and control | maintain ongoing control over the compromised system in stealthy ways; send commands and receive data from the compromised system; encrypting data, using non-standard communication protocols and innocent looking network traffic to hide malicious activity |
APT lateral spread | move laterally through target network; seek new systems to compromise and maintain access; analyse already compromised machines; network analysis; exploit via stolen credentials or social engineering |
APT data exfiltration | gather sensitive information and exfiltrate to their own systems or to a third party; use staging servers to accumulate data and apply transformations; reduce size of data transferred to avoid detection; speed/risk trade-off |
war | state of armed conflict between two or more parties; use of force to cause damage, destruction or casualties |
warfare | methods of fighting a war (e.g conventional, biological, atomic, chemical) |
cyberwarfare | the activity of fighting a cyberwar, often including the weapons and methods (digital technology and computer networks) that are used in cyberspace |
cyberwar battlefield | cyberspace; efficient but vulnerable; common network; concentration of data; networked forces |
cyberwar objectives | same as conventional war; espionage (sensitive information); sabotage; propaganda |
cyberwarfare increase | becoming more common; more aspects of life dependent on computer networks and technology |
result of cyberwarfare | cybersecurity has become a critical component of national security |
Estonia cyber attack | 2007 DDoS attacks; ministry of foreign affairs and justice websites shut down; botnet attack; Estonia blamed the Kremlin but Moscow denied involvement |
conventional war | a state of conflict between states characterised by violence; physical damage or destruction |
cyberwar ambiguity | the threshold for regarding a cyber attack as the use of force |
cyberwarfare advantages over conventional | cheaper; harder to identify guilty party; more possibilities; redirect accountability (hire a proxy); quicker to develop/deploy; no casualties; disrupt adversary rather than detroy |
hacktivist | politically motivated hackers; driven by pursuit of social change; don't seek profit or information |
hacktivism | form of civic participation |
hacker ethics | information should be free; all should have access to computers; mistrust authority; judge by technical ability; hacking is an act of art; computers are a positive thing |
hacktivist principles | libertarian and anarchist; opponents of power elites; equated with cyber-terrorism (by media) |
anonymous | collective loosely networked movement; politically oriented organisation; anti-censorship; privacy; should not attack critical infrastructure; work for justice and freedom; no leadership/hierarchy; community based |
WikiLeaks | multi-national media organisation and associated library; publishes censored or restricted documents; bring important info to the public; bulletproof hosting |
national infrastructure | facilities, systems, sites, information, people, networks, and processes necessary for a country to function and upon which daily life depends |
loss of national infrastructure | major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or loss of life |
industrial control systems | control critical infrastructures; safety-critical processes and most production processes; e.g: traffic lights, water system; public transport |
critical infrastructure security | security through obscurity; air-gap ICS network from IT network |
Struxnet | cyber attack against Iranian nuclear facilities in 2009 and 2010; goal to damage centrifuges used for uranium enrichment to hinder nuclear program; used day-zero exploits; sophisticated malware |
BlackEnergy | power outage in Ukraine; energy substations switched off; IT infrastructure component disabled; files removed; DoS on call-centre |
cryptography/cryptology | the practice and study of techniques for secure communication in the presence of adversarial behaviour |
symmetric encryption | same key is used to encrypt and decrypt a piece of information x; ensures confidentiality of x; e.g advanced encryption standard |
asymmetric (public key) encryption | user has public and private key; sender encrypts a piece of information x with the public key of the recipient; recipient decrypts with its private key; e.g digital signature algorithm |
digital signature | sender encrypts a piece of information x with their private key; the recipient decrypts with the sender's public key; this is evidence the message came from that sender, as only they have the private key |
hash function | denoted by h: {0,1}* -> {0,1}n; where n is a security parameter; maps data of arbitrary size to a bit string of fixed size |
key distribution | symmetric encryption requires shared secret keys between each pair of communicating parties; asymmetric encryption requires each sender to have their own public and private key |
man in the middle attack | while a secret key is being shared between two parties, a third party can intercept and use the secret key to encrypt and decrypt messages, pretending to be each party at either end |
Diffie-Hellman key exchange protocol | enables two users to securely exchange a key to be used for subsequent symmetric encryption; algorithm is limited to the exchange of secret values; effectiveness depends on the difficulty of computing discrete logarithms |
man in the middle attack prevention | sender needs to put the signature; but to verify you need the public key of the sender |
validating a digital signature | recipient can't know with certainty the senders public key |
sending an encrypted message | sender can't know with certainty the recipients public key |
digital/public-key certificate | consists of a public key and a user ID of the owner, with the whole block signed by a trusted third party |
public key infrastructure (PKI) | set of hardware, software, people, processes, policies, and procedures needed to create, manage, store, distribute and revoke digital certificates based on asymmetric cryptography, to enable secure, convenient and efficient acquisition of public keys |
public key infrastructure players | trusted third parties: certificate authorities and registration authorities; also PKI repositories and PKI users |
PKI certification authority | issue, revoke, and distribute public key certificates; certificates are signed with CA,s private key so everybody can check authenticity of certificates |
PKI registration authority | performs functions for certificate authority but doesn't issue certificates; identification and authentication; approval and rejection of applications; revocations or suspensions; processing subscriber requests; approving or rejecting requests to renew |
PKI repositories | for storing and distributing certificates and certificate revocation lists and managing updztes to certificates |
reasons to revoke a digital certificate | compromised private key; expiration; human resources reason; company changes name, physical address or DNS |
digital certificate revocation lists | list of no longer valid certificates; published regularly by the certificate authority in the PKI repository; sent to any relying party; issues - not issued frequently enough, expensive to distribute, vulnerable to DDoS |
X.509 | most widely accepted format for public-key (digital) certificates |
X.509 certificate revocation list | each entry contains a serial number of a certificate and the revocation date; due to overheads in retrieving and storing these lists, very few applications use these |
Comodo case | attack to PKI; compromised a registration authority user account; used the account to issue 9 certificates for 7 different domains |
Comodo case consequences | use the certificates to craft fake websites; certificates were later revoked; registration authority account was suspended |
DigiNotar case | attack to PKI; attacker gained control of all certificate authority servers; created 531 rogue certificates; used man in the middle attack for google.com against 300,000 gmail accounts in Iran |