
Introduction to Cyber-Security

CyberSecurity

June 2016
Christopher, K. Chepken (PhD)

C4DLab
Introduction to Cyber Security

Hacking

Hacking

• Is an attempt to circumvent or bypass the security mechanisms of an information system or network
• Ethical hacking – identifies weaknesses and recommends solutions
• Hacker – exploits weaknesses
• It is the art of exploring various security breaches
• Has consequences, e.g.
– denial of service
Hacking: Reasons & Justification
• To steal services, data or files
• Thrill and excitement
• To promote some tools or skills
• Compulsion: feel like doing it!
• Belief that all information needs to be free
• Ethical hacking – to show security problems

Hacking: Discussion
• How is your organization doing? How are staff responding to the tightening of security loopholes?

Hacking techniques
• Hacking techniques are the different ways in which hackers exploit systems.
– There can be as many hacking techniques as there are hackers.
• Some are known, others unknown (new ones are developed every day)
• IT security personnel's job is to keep track of upcoming and threatening hacking techniques.

Hacking techniques
• Vulnerability scanning: a tool used to quickly check computers on a network for known weaknesses, e.g. open ports or unpatched software
• Brute force attack, e.g. trying every possible password
• Dictionary attack: trying passwords from a list of likely words
• Password cracking: the process of recovering passwords from stored or captured data (typically password hashes)
• Packet sniffer: captures traffic passing on a network segment
• Spoofing attack: masquerading as another party by falsifying data (e.g. a forged sender address); phishing is the e-mail form of this
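The following is an added example for the brute-force, dictionary and password-cracking bullets above; it is not code from the slides. It shows why the attacks work against a table of unsalted fast hashes and why a per-user salt plus a slow key-derivation function changes the cost. The "leaked" hash table, the user names and the wordlist are constructed for the demo.

```python
"""Dictionary and brute-force attacks against stored password hashes.

Added example for this section; it is not code from the slides. The
'leaked' hash table, the user names and the wordlist are constructed for
the demo.
"""
import hashlib
import itertools
import os
import string
from typing import Dict, Optional, Tuple

# Constructed wordlist. Real attacks use lists of many millions of entries
# plus mangling rules (capitalise, append digits, leetspeak ...).
WORDLIST = ["letmein", "password", "welcome", "Nairobi2016", "summer", "qwerty"]


def sha256_hex(pw: str) -> str:
    """Weak storage scheme: one unsalted, fast hash per password."""
    return hashlib.sha256(pw.encode()).hexdigest()


def pbkdf2_hex(pw: str, salt: bytes, rounds: int = 100_000) -> str:
    """Stronger scheme: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def dictionary_attack_unsalted(hashes: Dict[str, str]) -> Dict[str, str]:
    """Crack unsalted hashes with ONE pass over the wordlist.

    Without a salt, every candidate word is hashed once and the result is
    looked up against all users at the same time; precomputed tables make
    this effectively free.
    """
    lookup = {sha256_hex(w): w for w in WORDLIST}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def dictionary_attack_salted(records: Dict[str, Tuple[bytes, str]],
                             rounds: int = 100_000) -> Dict[str, str]:
    """Crack salted PBKDF2 records.

    The salt forces the whole wordlist to be re-hashed for every user, and
    each guess costs `rounds` HMAC iterations, so the dictionary that
    cracked the table above instantly now costs users * words * rounds.
    """
    cracked = {}
    for user, (salt, stored) in records.items():
        for word in WORDLIST:
            if pbkdf2_hex(word, salt, rounds) == stored:
                cracked[user] = word
                break
    return cracked


def brute_force_pin(target_hash: str, length: int = 4) -> Optional[str]:
    """Exhaustive search over every numeric PIN of the given length
    (10**length candidates): small key spaces fall to pure brute force."""
    for digits in itertools.product(string.digits, repeat=length):
        guess = "".join(digits)
        if sha256_hex(guess) == target_hash:
            return guess
    return None


if __name__ == "__main__":
    leaked = {"alice": sha256_hex("letmein"), "bob": sha256_hex("Tr0ub4dor&3")}
    print("unsalted:", dictionary_attack_unsalted(leaked))   # only alice falls
    salt = os.urandom(16)
    print("salted:", dictionary_attack_salted({"carol": (salt, pbkdf2_hex("welcome", salt))}))
    print("pin:", brute_force_pin(sha256_hex("4071")))
```

The salted attack still succeeds when the password is in the wordlist; what the salt and the slow KDF buy is time per guess, which is why password length and not being a dictionary word matter as much as the storage scheme.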

Hacking techniques
• Programmed threats, e.g. viruses, worms or trojans
• Social engineering: e.g. a hacker contacts the system administrator posing as a user who cannot get access to his or her system; or a call comes in from someone masquerading as the boss who is about to fire the IT security expert.

Hacking techniques
• Social engineering may be an act of
– Intimidation
– Helpfulness: the opposite of intimidation (the attacker offers, or asks for, help)
– Name-dropping: using the names of authorised users
– Technical: e.g. sending an email to a legitimate user, seeking a response that contains vital information

Hacking Techniques
• Keystroke logging: a keylogger is a tool designed to record ("log") every keystroke on an affected machine for later retrieval
– Keyloggers can be
• Legitimate: e.g. to detect evidence of employee fraud (what about monitoring on iPhones and iPads?)
• Illegitimate: to steal information; often delivered by viruses

Hacking techniques: Denial of service
• DoS: an attempt by attackers to make a computer's resources inaccessible to its intended users
• Attackers may not use their own systems; they create botnets (networks of "zombie" computers)
• All computers in a botnet are instructed to act against a single computer, network or server at the same time
• A Distributed Denial of Service (DDoS) attack is a DoS launched from many sources at once, typically against a network or web service

Hacking: Information gathering
• Identity management is the process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services, as well as the use of emerging technologies to control access to company resources.
– Threat: identity theft
• Access management is the process of regulating access to information assets by providing policy-based control of who can use a specific system based on an individual's role and the current role's permissions and restrictions.
– Threat: unauthorised access

Information gathering
• What do robbers do before they break into
the bank or anything else? They gather
information.
• You can gather information to
– Protect yourself
– To harm others (hackers)
– Just to know or solve a problem
• Example: http://www.shortinfosec.net/2009/02/security-information-gathering-brief.html

Areas of interest to attackers
[Figure: areas of interest to attackers. Source: http://resources.infosecinstitute.com/network-intelligence-gathering/]

Hacking: Insider threats
• A malicious insider threat is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. (http://www.cert.org/insider-threat/)
• Insiders can be a bigger threat than outside hackers: they already have legitimate access and know where the valuable data is
• It is a big threat – agree/disagree?
• Cases: an entire payroll being published; Edward Snowden (former CIA employee and NSA contractor) disclosed thousands of classified documents from his former employers to several media outlets!!
– Example report for your reading

Hacking: Rogue wireless points
• Rogue wireless points entice you to connect.
• Consequences can be very bad
– Information gathering
– Stealing data
– Installing malware

Hacking: Spam and email threats
• Spam is unsolicited email
• Spam is one of the most common attack vectors that reach the network perimeter
• Threats include
– Information harvesting
– Malware introduction
– Denial of service
– Identity theft

Hacking: Spam and email threats
• Phishing: emails that ask for your personal information (or send you to a fake site that does)
• "Spear-phishing" – carefully crafted emails, targeted at a specific person or organisation, that can fool even security experts

Hacking: Attack on devices
• These devices include PDAs, USB drives and other hand-held devices.
– Theft – of both data and hardware
– Hijacking, interception
– Malware: viruses, trojans etc.

Hacking: Routers & firewalls
• Interception
• Firewall vulnerabilities
– A firewall is software, hence it can have bugs
– Vendor back doors
• Session hijacking / man-in-the-middle
– Sniffing
– The attacker may insert commands into an established communication session
• Attacks on exposed servers, e.g. SQL injection, default passwords etc.
– Every exposed port is attack surface
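An added example for the "SQL injection, default passwords" bullet above, not code from the slides: a login handler written the vulnerable way next to the parameterised version, plus a check for accounts that still accept a well-known default password. The users table, its two accounts and the passwords are constructed for the demo; they are stored in clear only so the query logic stays visible.

```python
"""SQL injection against an exposed login handler: vulnerable vs. hardened.

Added example for this section; not code from the slides. The users table,
its two accounts and their passwords are constructed for the demo, and the
passwords are stored in clear so the query logic stays visible (a real
application stores salted hashes).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cr3t!"), ("guest", "guest")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """String formatting splices attacker-controlled text into the SQL,
    so a quote in the input ends the literal and the rest becomes code."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Placeholders keep data and code apart: the driver passes the values
    separately from the statement, so quotes in the input are just data."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


def find_default_credentials(conn: sqlite3.Connection, defaults) -> list:
    """Defensive check from the same slide: which accounts still accept a
    well-known default password? `defaults` is a list of (name, pw) pairs."""
    return [name for name, pw in defaults if login_parameterized(conn, name, pw)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment trick:", login_vulnerable(db, "admin' --", "anything"))
    print("vulnerable, tautology:", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("parameterized, comment trick:", login_parameterized(db, "admin' --", "anything"))
    print("default credentials:", find_default_credentials(db, [("admin", "admin"), ("guest", "guest")]))
```

With `admin' --` as the user name the vulnerable query becomes `... WHERE name = 'admin' --' AND pw = '...'`: everything after `--` is a comment, so the password check disappears. The parameterised version compares the literal string `admin' --` against the name column and finds nothing.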

Hacking wireless networks
• Wireless networks, sometimes called WiFi, allow you to connect to the internet without relying on wires. They use radio waves to connect to a hotspot that announces itself with identifying information called a service set identifier (SSID).

Hacking wireless networks
• Hijack or intercept an unprotected connection
• A practice known as wardriving involves individuals equipped with a computer, a wireless card, and a GPS device driving through areas in search of wireless networks and recording the specific coordinates of each network location.
• Wardriving can be the first step towards intercepting the connection between your computers and the hotspot
• Download of unlawful or dangerous content over your connection

Introduction to Cyber Security

Prevention

Attack prevention: DDoS
• Increase bandwidth:
– Problem: bandwidth is not unlimited, and the attacker's botnet may still have more of it than you
• DDoS mitigation service
– Use a DDoS protection and mitigation network and automated tools
– Have anti-DDoS technicians who can respond in real time as the attack's characteristics vary
• Restrict connections to your servers: install/configure your routers and firewall so as to limit connectivity (rate-limit per source, drop traffic to ports that are not needed)

Attack prevention
• Harden your systems / lockdown
• Patch all your systems
• Install a firewall on each system, or at least
on the network

Securing routers and the network
• Assess network security and degree of exposure to the Internet
– Port-scan your own network from outside to see the exposed services (TCP/IP services that shouldn't be exposed, such as FTP or Telnet)
– Run a vulnerability scanner against your servers
– Monitor your network traffic
– Refer to your system logs
– Check your firewall logs
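An added example serving the "restrict connections to your servers" bullet on the DDoS slide and the "monitor your traffic / check your firewall logs" bullets above; it is not code from the slides. It reads firewall log lines, flags sources that behave like a port scanner (many distinct destination ports in a short window) or like a flood (too many connection attempts in a short window), and renders drop rules for them. The log line format, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the demo; adapt the regular expression to your firewall's real format.

```python
"""Spotting port scans and connection floods in firewall logs.

Added example for the two slides above (limiting connectivity against DDoS,
and checking your firewall logs); not code from the slides. The log line
format, the addresses (RFC 5737 documentation ranges) and the thresholds are
constructed for the demo; adapt LINE_RE to your firewall's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)$"
)


def parse(line: str):
    """One log line -> dict, or None for lines the regex does not match
    (skip them rather than let one odd line stop the analysis)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "action": m["action"], "src": m["src"],
            "dst": m["dst"], "dpt": int(m["dpt"])}


def events_by_source(lines):
    """Group parsed events per source address, each group in time order."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        by_src[e["src"]].append(e)
    for events in by_src.values():
        events.sort(key=lambda e: e["ts"])
    return by_src


def find_port_scans(lines, min_ports=10, window_s=60):
    """Sources that touched >= min_ports distinct destination ports within
    any window_s-second sliding window (the signature of a port scan)."""
    scanners = set()
    for src, events in events_by_source(lines).items():
        window = deque()
        for e in events:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            if len({w["dpt"] for w in window}) >= min_ports:
                scanners.add(src)
                break
    return scanners


def find_floods(lines, max_conns=100, window_s=10):
    """Sources with more than max_conns connection attempts in any
    window_s-second window (a single-source flood or one botnet member)."""
    flooders = set()
    for src, events in events_by_source(lines).items():
        times = [e["ts"] for e in events]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_conns:
                flooders.add(src)
                break
    return flooders


def block_rules(sources) -> list:
    """Render one iptables DROP rule per offending source (restricting
    connections at the perimeter, as the DDoS slide recommends)."""
    return [f"iptables -I INPUT -s {s} -j DROP" for s in sorted(sources)]


# Constructed sample log: one host probing 12 ports in 12 s, one host sending
# 150 connection attempts in 5 s, one ordinary HTTPS client, one junk line.
SAMPLE_LOG = (
    [f"2016-06-01T10:00:{i:02d}Z DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dpt={20 + i}"
     for i in range(12)]
    + [f"2016-06-01T10:05:{i % 5:02d}Z ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=TCP dpt=80"
       for i in range(150)]
    + ["2016-06-01T10:06:00Z ACCEPT src=192.0.2.44 dst=192.0.2.10 proto=TCP dpt=443",
       "this line is not in the expected format and is skipped"]
)

if __name__ == "__main__":
    offenders = find_port_scans(SAMPLE_LOG) | find_floods(SAMPLE_LOG)
    print("\n".join(block_rules(offenders)))
```

Blocking by source address is the right reflex for a single noisy host; against a real DDoS the sources are many and spoofable, which is why the slide also points at an upstream mitigation service.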

Securing routers and the network
• Limit who has access to the router configuration
• Ensure that there is control over who can make changes to the router configuration (and that changes are logged)
• Reduce the services running on the router
• Do not store router passwords in clear text in the configuration
• Ensure that you understand the security loopholes which have been identified for your router model

Attack prevention: Use passwords
• Do not use
– real words or combinations thereof
– numbers of significance (e.g. birthdates)
– the same or similar passwords for all your accounts
• Characteristics of a strong password include:
– Length: longer is stronger
– Structure: should never be a single word found in a dictionary
– Distinctness: do not use one password for all of your access codes
– Frequency: change passwords regularly (note that current NIST guidance, SP 800-63B, drops forced periodic changes and instead requires a change whenever compromise is suspected)

Passwords (very important)
• "A password should be like a toothbrush. Use it every day; change it regularly; and DON'T share it with friends." – USENET
• Don'ts for passwords (http://oreilly.com/catalog/csb/chapter/ch03.html)
– Allow any logins without passwords. If you're the system administrator, make sure every account has a password.
– Keep passwords that may have come with your system
– Write your password down
– Type a password while anyone is watching.
– Record your password online or send it anywhere via electronic mail.
– Keep the same password indefinitely.
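An added example for two of the "don'ts" above, "make sure every account has a password" and "keep the same password indefinitely"; it is not code from the slides. It audits the Unix shadow file format for accounts with an empty password field and for passwords older than a chosen age. The shadow excerpt is constructed (dummy hashes, made-up users); on a real system feed it the contents of /etc/shadow, which only root can read.

```python
"""Auditing a shadow file for two of the password don'ts above: accounts
that can log in without a password, and passwords kept indefinitely.

Added example; not code from the slides. SAMPLE_SHADOW is constructed
(dummy hashes, made-up users); on a real system feed it the contents of
/etc/shadow, readable only by root.
"""
from datetime import date
from typing import List, Optional, Tuple

# Constructed /etc/shadow excerpt. Field 2 is the password hash ('' = none,
# '*' or '!' prefix = locked), field 3 is the day of the last change
# counted from 1970-01-01.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$abc$dummyhash1:16800:0:99999:7:::
backup::16500:0:99999:7:::
svc_print:$6$xyz$dummyhash2:15000:0:99999:7:::
appuser:$6$def$dummyhash3:16950:0:90:7:::
nologin:*:16800:0:99999:7:::
locked:!$6$ghi$dummyhash4:16800:0:99999:7:::
"""

DEMO_DATE = date(2016, 6, 1)  # the date of these slides; used as 'today' in the demo


def parse_shadow(text: str):
    """Yield (user, hash, last_change_day) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        last_change: Optional[int] = int(fields[2]) if fields[2] else None
        yield fields[0], fields[1], last_change


def audit_shadow(text: str, today: Optional[date] = None,
                 stale_days: int = 365) -> List[Tuple[str, str]]:
    """Return (user, issue) findings. Locked and no-login accounts are
    skipped: they cannot be used for password login anyway."""
    today = today or date.today()
    epoch_day = (today - date(1970, 1, 1)).days
    findings = []
    for user, pw_hash, last_change in parse_shadow(text):
        if pw_hash == "":
            findings.append((user, "empty password field: login without a password is possible"))
            continue
        if pw_hash.startswith(("*", "!")):
            continue
        if last_change is not None and epoch_day - last_change > stale_days:
            findings.append((user, f"password unchanged for {epoch_day - last_change} days"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_shadow(SAMPLE_SHADOW, DEMO_DATE):
        print(f"{user}: {issue}")
```

The empty-password finding is always actionable; what to do with a stale password depends on policy, since the mandatory-rotation advice on the slide is no longer universal.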

Attack prevention: Routers & network
• Encrypt connections
• Do not install software from little-known sites
• Limit access to your server(s)
• Use anti-virus software
• Install TLS certificates on web sites
• Purchase and deploy products according to identified needs

Attack prevention: General
• Monitor suspicious traffic patterns
• Control mobile devices
• Do not use public email systems like Gmail, Yahoo!... for official work
• Do not reuse your work credentials on other online services
• Regularly conduct awareness training
• Do employee background checks
• Continuous training and learning of new technologies and methods

Attack Prevention: General
• Attend conferences and events run by professional industry groups in computer security.
• Don't use generic usernames
• Prevent address "farmers" from "harvesting" your mailing lists and directories
• Use a strong firewall

Protection against attacks in social media
• Awareness training
• Regular vulnerability scans and tests
• Monitoring of networks for suspicious activity
• Implementation of best practices
• Do not install unsolicited scripts or apps
• An organizational usage policy is recommended

Securing cables
• Mainly against physical attack
• Monitoring – manually or automatic
• Use reputable, experienced providers
• Make sure the wires are properly hidden
against the wall to prevent anyone from
tripping on them and causing damage.

Securing firewalls
• Tighten the routers at your border to the Internet in terms of the packets that can be admitted or let out.
• Deploy strong packet-filtering firewalls
• Set up proxy servers for the services you allow through your packet-filtering firewalls
• Develop custom-made server or Internet-service client and server software where needed

Securing firewalls
• Install updated service packs and enable auto-updates for the firewall
• Tweak the settings to your usage
• Keep settings consistent across your network
• Hide your PC/internal network whenever possible (e.g. behind NAT)
• Do not use weak passwords

Securing firewalls: Best practice
• Have an acceptable usage policy
• Limit the number of applications that run on the firewall – let the firewall do its work.
• Ensure that you're filtering or disabling all unnecessary ports
• Regularly perform vulnerability assessments on your firewall
• Constantly monitor (or subscribe to) your firewall vendor's security bulletins
• Perform ongoing audits, at least yearly, on the firewall and its rule set

Securing Mobile handheld devices
• Mobile handheld devices:
– Any device operating to hold, store, process, and access data, including smartphones, cellphones, tablets, or personal digital assistants (PDAs)
• The primary risk to any hand-held device is loss or theft of the device.

Securing Mobile handheld devices
• Passcode lock
• Automatic sleep mode / auto-lock
• Remote wipe: enable the ability to remotely wipe the device
• Data encryption, or do not keep confidential data on the device
• Disable short-range networking, e.g. Bluetooth and Wi-Fi, when not in use
• Know what GPS and location-based services can do

Securing Mobile handheld devices
• Avoid sharing mobile devices
• Back up your data, especially contacts
• Do not join unknown Wi-Fi networks; prefer networks that require a password
• Install apps from trusted sources only
• Delete any text message you receive with passwords or other sensitive information

Securing Mobile handheld devices
• Wipe each device thoroughly before disposing of it
• Install updates and anti-virus software if available
• Treat your mobile devices like your wallet or purse
• If you lose your mobile, change your login details such as email passwords immediately and contact the phone provider

Securing laptop computers
• Treat it like cash
• Get it out of the car…don't ever leave it behind
• Keep it locked…use a security cable
• Keep it off the floor…or at least between your feet
• Keep passwords separate…not near the laptop or
case
• Don't leave it "for just a sec"…no matter where you
are
• Pay attention in airports…especially at security

Securing laptop computers
• Use bells and whistles… if you've got an alarm, turn it on
• Avoid distraction
• Mind the bag – a laptop bag advertises that you have a laptop
• Be vigilant in hotels
• Know where to turn for help
• No one thinks their laptop will be stolen – start thinking from today

Penetration testing
• Also called pen testing, is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.
– Sometimes called white-hat hacking – the good guys break in, with permission
– Main objective is to identify weaknesses
– Can be manual or automated

Penetration testing: process
• The generic process is
– Information gathering about target
– Identifying possible entry points
– Attempting to break in (either virtually or for
real)
– Reporting back the findings

Penetration testing: strategies
• Targeted testing: done by the IT team and the pen test team together – a "lights-turned-on" pen test
• External testing: on externally visible servers
• Internal testing: mimics an inside attack by a user with standard privileges
• Blind testing: the team performing the attack has limited information, e.g. only the company name
• Double-blind testing: only a few people know a test is being conducted, so the defenders' detection and response are tested too

Penetration testing
• Various Tools for pen tests exist.

• Class Exercise:
– Look for open source pen tests tools
– Try using simple open source pen tests tools
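The class exercise asks you to try simple open-source pen-test tools. As an added example (not from the slides, and not the code of any named tool) here is the building block that the "identifying possible entry points" step of the process and the earlier advice to "port-scan your own network from outside" both rest on: a TCP connect scan. Open-source tools such as nmap do the same thing with far more options (SYN scans, service and version detection, timing control). The demo starts its own listener on 127.0.0.1 so it runs without touching anyone else's hosts; only scan systems you are authorised to test.

```python
"""A minimal TCP connect scanner.

Added example; not code from the slides or from any named tool. It starts
its own throwaway listener on the loopback interface so the demo is
self-contained. Scan only hosts you are authorised to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a full TCP handshake to host:port succeeds, i.e. the port is
    open. A refused connection or a timeout (filtered) both count as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports: Iterable[int], workers: int = 32) -> List[int]:
    """Probe the ports in parallel; return the sorted list of open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_local_listener() -> socket.socket:
    """Bind a throwaway service on an OS-chosen loopback port for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo() -> Tuple[int, List[int]]:
    """Start a listener, scan the ports around it, and return
    (listener port, open ports found in that range)."""
    srv = start_local_listener()
    try:
        port = srv.getsockname()[1]
        found = scan("127.0.0.1", range(port - 5, port + 6))
        return port, found
    finally:
        srv.close()


if __name__ == "__main__":
    listener, open_ports = demo()
    print(f"listener on {listener}; open ports found: {open_ports}")
```

A connect scan completes the handshake and therefore appears in the target's connection logs, which is exactly what the log-analysis on the firewall slide is meant to catch; that visibility is acceptable when you are scanning your own network.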

Preventing Data Loss (PDL)
• Data here means any data, especially sensitive data.
– Identify: identify where you have stored data under your control.
– Inventory what data you have stored in ALL of these places
– Dispose: do not keep any sensitive data, e.g. credit card numbers, ID numbers etc., in electronic form unless you absolutely must
– Stop and think whenever handling sensitive data

Preventing Data Loss (PDL)
• Saving to the wrong locations
– Do not save data in the wrong locations
– Do not save sensitive data on mobile or removable media
– Do not save sensitive data in a shared environment; it should be in a private area on a secure server, and encrypted
• Not knowing where your sensitive data is
– You may share a file with sensitive data without knowing
• Human error
– If you know there has been an incident, start incident response

Securing wireless networks
• Change default passwords – most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup
• Restrict access – only allow authorized users to access your network (e.g. MAC address filtering of every device; note that MAC addresses are trivially spoofed, so this only deters casual users)
• Encrypt the data on your network (use WPA2; WEP is broken and offers no real protection)

Securing wireless networks
• Protect your SSID – to avoid outsiders easily finding your network, avoid publicizing your SSID; turn network name broadcasting off (a hidden SSID is still visible to anyone sniffing client traffic, so treat this as tidiness, not security)
• Use a firewall
• Use up-to-date anti-virus
• Change the default name of the network

Physical security
• Physical access – definition
– Server room
– Office with networked computers
– Other areas
• Measures
– e.g. log book, biometrics
– One controlling point, e.g. a soldier or guard
• How do you trace back after a break-in? Incident response

Physical security
• Computer physical security is a methodology for safeguarding computer systems, peripherals and all assets that form these systems – as important as any other security.
• Any other computing security starts at the physical level
• Example of a physical access security policy: http://dii.vermont.gov/sites/dii/files/pdfs/Physical-Security-for-Computer-Protection.pdf
– Use of secure areas to protect data and information
– Physical access management to protect data and information

Physical access: Measures
• Restrict access – for servers and other important computing devices, "out of sight, out of mind" is the motto.
• Make sure the most vulnerable devices are in that locked room
• Set up surveillance – you need to know who goes in or out, authorised or unauthorised: CCTV, log book etc.
• Protect the hard drives – lock them up using case locks
• Protect any workstations on the network – even the one at the reception!

Physical access: Measures
• Protect the portables – a laptop or hand-held device may be stolen with saved passwords or data; lock them up
• Pack up the backups – do not keep backups in the same place as the servers. Do not leave them lying anywhere!
• Disable the drives, e.g. USB, floppy or CD-ROM – they may be used to fraudulently copy data
• Printers and other output devices store a lot of information – protect them. Mostly ignored.

Incident handling
• What is an incident?
• Handling?

Incident Handling
• What is an incident? It must be defined
• How to report, who to contact
• Plan your strategies and course of action
• Have a policy in place
• Have written procedures to follow
• Communications – notifying affected personnel
• Incident handling example: what happened at JKIA?

Incident Response Plan
• Documentation – of the incident at all stages, needed for evidence and post-incident review
• Determination – determining an incident, admitting an incident has occurred
• Notification – advising appropriate parties, i.e. management, police, legal counsel etc.
• Containment – minimising the impact of the incident
• Assessment – assess the scope of the damage
• Eradication – removal of the cause of the incident
• Recovery – return the system to normal with fixes in place

Incident detection
• Accidental or malicious source?
• Need to monitor to detect incidents and violations
• Must have profiles of vulnerability – a list of known vulnerabilities
• Use Intrusion Detection Systems (IDS)
– Profiles of normal activity for computer networks and users, and attack patterns
– Physical access intrusion detection systems
• In most cases, internal staff pick up suspected abnormal behaviour and situations

Reaction
• Reactive activities must reflect good business practices and support the organisation's objectives and/or missions
• Must provide protection of personnel and information assets
• The Security Incident Plan must be separate from the Disaster Recovery Plan

Incident response philosophies
• Watch and Warn – monitor and notify appropriate personnel on detection of an incident
• Repair and Report – identify the intrusion, repair the vulnerability or contain the situation, and close the incident as soon as possible
• Pursue and Prosecute – monitor the attack, collect and maintain evidence, prosecute via the legal system

Response
• Define roles for personnel, and the responsibilities and authority of each role
• Determine the costs of establishing the response plan
• Define under what circumstances services can be disabled
• Define who has the authority to shut down services
• Isolate affected segments/machines – both to limit further infection and to gather evidence

Incident notification
• Minimise surprises
• Notify in a timely manner, the appropriate people, following written procedures
• Notify the response team, management and the chief security manager (or equivalent)
• Contact
– Organisations offering advisory and assistance response, e.g. a CERT
– Affected parties and partners
– Law enforcement
– News media

Incident Containment
• Stop the spread of the compromise or abuse
• Determine the affected systems
• Deny access, where possible
• Eliminate rogue processes
• Regain control
– Lock out the attacker/abuser
– Block the source
– Disable the affected service
– Disconnect from the network or Internet
– Clean the system
– Rebuild the system

Assessing the damage
• Determine the scope of damage
– Compromised data, systems, services, privileges, etc.
• Determine the length of the incident
• Determine the cause of the incident
– Vulnerability exploited
– Safeguard bypassed
– Detection avoided
• Determine the responsible party
– Source of attack
– Online identity
– Attack fingerprints

Incident recovery
• Set priorities based upon costs and criticality
• Repair the vulnerability – do not leave the hole for others to abuse
– Apply a patch
– Disable the service
– Change the procedure
– Redesign
• Improve the safeguards
• Update detection systems
• Restore data and services
• Monitor for additional signs of attack

Incident documentation
• Documentation is needed to provide evidence and for post-incident review
• Some sources of evidence/documentation: video surveillance systems, electronic security monitoring systems, handwritten journals, service logs, telephone logs, interviews, etc.
• Develop an incident timeline
• Each event must be supported by the original documents – this is crucial

Sources of Information
• Help desk logs
• Network logs
• System logs
• Administration logs
• Physical access logs
• Accounting logs
• Audit logs
• Security logs
• Backups
• Staff clock logs
• Staff
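An added example for "develop an incident timeline" and "each event must be supported by the original documents" on the documentation slide, drawing on several of the sources listed above; it is not code from the slides. It merges records from four differently formatted logs into one UTC-ordered timeline, and every timeline entry keeps the name of its source and the index of the original record. The four log excerpts are constructed, with simplified stand-in formats for a firewall, a web server, a door-access system and the help desk; the help-desk system is assumed to log in local time (UTC+3) with no zone marker, which is the kind of detail that silently reorders a timeline if missed.

```python
"""Building an incident timeline from several log sources.

Added example; not code from the slides. The four log excerpts are
constructed (simplified stand-in formats for a firewall, a web server,
a door-access system and the help desk). Each timeline entry keeps a
pointer to its original record so the timeline stays traceable to the
source documents.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed source records. Note the different timestamp formats, and the
# help-desk system logging in local time (assumed UTC+3) with no zone marker.
SOURCES = {
    "firewall": [
        "2016-06-01T07:58:10Z DROP src=203.0.113.5 dst=192.0.2.10 dpt=22",
        "2016-06-01T08:01:40Z ACCEPT src=203.0.113.5 dst=192.0.2.10 dpt=443",
    ],
    "web": [
        '203.0.113.5 - - [01/Jun/2016:08:01:41 +0000] "POST /admin/login HTTP/1.1" 200',
    ],
    "door_access": [
        "2016-06-01 10:45:00 +0300 badge=4471 door=server-room result=GRANTED",
    ],
    "helpdesk": [
        "01/06/2016 11:20 ticket#8812 'web admin page looks different' reporter=jane",
    ],
}
LOCAL_TZ = timezone(timedelta(hours=3))  # assumed zone of the help-desk clock


def parse_firewall(rec: str) -> datetime:
    return datetime.strptime(rec[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_web(rec: str) -> datetime:
    stamp = re.search(r"\[([^\]]+)\]", rec).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def parse_door(rec: str) -> datetime:
    return datetime.strptime(rec[:25], "%Y-%m-%d %H:%M:%S %z")


def parse_helpdesk(rec: str) -> datetime:
    # No zone in the record: attach the clock's assumed local zone explicitly.
    return datetime.strptime(rec[:16], "%d/%m/%Y %H:%M").replace(tzinfo=LOCAL_TZ)


PARSERS = {"firewall": parse_firewall, "web": parse_web,
           "door_access": parse_door, "helpdesk": parse_helpdesk}


def build_timeline(sources):
    """Return (utc_time, source, record_index, raw_record) tuples in time order.
    The (source, record_index) pair is the pointer back to the original document."""
    events = []
    for name, records in sources.items():
        for idx, rec in enumerate(records):
            ts = PARSERS[name](rec).astimezone(timezone.utc)
            events.append((ts, name, idx, rec))
    return sorted(events, key=lambda e: e[0])


def render(timeline) -> list:
    """One printable line per event, all times normalised to UTC."""
    return [f"{ts:%Y-%m-%d %H:%M:%S}Z  {src}[{idx}]  {raw}" for ts, src, idx, raw in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline(SOURCES))))
```

Once normalised, the server-room badge entry at 10:45 local lands before the remote probe, not after it, which changes the questions the investigator asks next; an unnormalised merge would have put it last.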

Computer forensics investigations
• Electronic record: any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
• Computer forensics: the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
• Anti-forensics: techniques criminals use to hinder or defeat forensic analysis, e.g. wiping or encrypting data, altering timestamps, or attacking the forensic tools themselves.

Computer forensics investigations &
Incident handling
• Handling data under investigation
– For hand held devices, mobile phones
– For computers, servers and laptops
– Any other computing devices

Computer forensics investigations: Some history
• Early in the 1970s students discovered how to gain unauthorized access to large time-shared computer systems.
• 1978: the Florida Computer Crime Act was the first law to help deal with computer fraud and intrusion. Employees at a dog track had used a computer to print fraudulent winning tickets. The act also defined all unauthorized access as a crime.
• 1984: the US federal Computer Fraud and Abuse Act was passed (the Morris worm of 1988 led to the first conviction under it).

Properties of digital evidence
• Digital evidence is any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as intent or alibi. (Casey, Eoghan. Digital Evidence and Computer Crime, p. 12)
• Extremely fragile, similar to a fingerprint.

Properties of digital evidence
• "Latent": it cannot be seen in its natural state, much like DNA.
– Any actions that can alter, damage or destroy digital evidence will be scrutinized by the courts.
• Is often constantly changing and can be very time sensitive
• Can transcend borders with ease and speed
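An added example for the fragility point above (that any action which alters the evidence will be scrutinised); it is not code from the slides. It shows the standard answer: hash the acquired item once at acquisition, keep a custody log, and re-verify the hash at every hand-over and before analysis, so that any change, even a single byte, is detected and attributable to a step in the chain. The "evidence" is a constructed byte string standing in for a disk image; examiner names and the item identifier are made up.

```python
"""Preserving digital evidence integrity with hashes and a custody log.

Added example; not code from the slides. ORIGINAL stands in for a forensic
image or seized file; TAMPERED is the same data with one byte changed, as
would happen if the image were mounted read-write by mistake. Examiner
names and the item id are made up.
"""
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Tuple

T0 = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)  # demo acquisition time


def sha256_stream(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash in fixed-size chunks, the way a multi-gigabyte image is read."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


class Manifest:
    """Acquisition hash plus an append-only custody log per evidence item."""

    def __init__(self) -> None:
        self.items: Dict[str, dict] = {}

    def acquire(self, item_id: str, data: bytes, examiner: str, when: datetime) -> str:
        """Record the reference hash at acquisition; this is the value every
        later check is compared against."""
        digest = sha256_stream(data)
        self.items[item_id] = {
            "sha256": digest,
            "custody": [(when, examiner, "acquired", digest)],
        }
        return digest

    def transfer(self, item_id: str, data: bytes, from_examiner: str,
                 to_examiner: str, when: datetime) -> bool:
        """Hand-over: the receiver re-hashes before accepting custody, and the
        result (match or mismatch) is logged either way."""
        digest = sha256_stream(data)
        ok = digest == self.items[item_id]["sha256"]
        note = f"received from {from_examiner}: {'OK' if ok else 'HASH MISMATCH'}"
        self.items[item_id]["custody"].append((when, to_examiner, note, digest))
        return ok

    def verify(self, item_id: str, data: bytes) -> bool:
        """Integrity check before analysis or before presenting in court."""
        return sha256_stream(data) == self.items[item_id]["sha256"]

    def custody_log(self, item_id: str) -> List[Tuple[datetime, str, str, str]]:
        return list(self.items[item_id]["custody"])


# Constructed stand-ins for an acquired image and a corrupted copy of it.
ORIGINAL = b"MBR...partition table...user files..." * 1000
TAMPERED = ORIGINAL[:-1] + b"X"  # one byte changed

if __name__ == "__main__":
    m = Manifest()
    m.acquire("HDD-001", ORIGINAL, "examiner A", T0)
    print("hand-over intact:", m.transfer("HDD-001", ORIGINAL, "examiner A", "examiner B", T0))
    print("hand-over tampered:", m.transfer("HDD-001", TAMPERED, "examiner B", "lab", T0))
    for when, who, what, digest in m.custody_log("HDD-001"):
        print(when.isoformat(), who, what, digest[:12])
```

The hash proves the copy is unchanged; it does not by itself prove who changed it if it is not, which is what the custody log with names and times is for.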

Recognizing Potential Evidence
• There are many ways a computer can be involved:
1. Contraband or fruits of a crime
– Stolen computer equipment
– Stolen software
2. A tool of the offense
– Theft committed using a computer
– Fraud committed using a computer
– E-mail sent from a computer
– Sex offense committed after being arranged on a computer
– Fraudulent money or IDs made with a computer

Recognizing Potential Evidence (cnt)
3. Only incidental to the offense
– Drug dealer maintaining records or ordering
supplies
– Child molester keeping records on children
– Suicide notes or pictures of the crime stored online
– Victim keeping diary or electronic journal
– Suspect searching the web for info about crime
– Credit card fraud records being kept on computer
– Child pornography being stored on computer

Recognizing Potential Evidence (cnt)
4. Both instrumental to the offense and a storage device for evidence
– A hacker uses a computer to attack another system and stores the information on their computer.
– A child pornographer uses a computer to manufacture, distribute and store pornography

Types of crime that might involve digital evidence
– Online auction fraud
– Child exploitation/abuse
– Computer intrusion
– Homicide
– Narcotics
– Domestic violence
– Economic fraud, counterfeiting
– Threats, harassment, stalking
– Extortion
– Gambling
– Identity theft
– Prostitution
– Software piracy
– Telecom fraud

Types of investigations
• Internal: no search warrant or subpoena needed; quickest investigation
– Corporate investigation that involves an IT administrator reviewing documents that they should not be viewing.
• Civil: the other side may own the data; may need a subpoena
– One party sues another over ownership of intellectual property; must acquire and authenticate digital evidence so it can be submitted in court.
• Criminal: highest stakes; accuracy and documentation must be of the highest quality; slowest moving
– Child porn investigation that involves possession and distribution of contraband.

Qualities of a good investigator
• Highest level of ethics
• Unbiased
• States facts, not opinions (unless requested to do so)
• Aware of when to call for help
• Has good documentation skills
• Good communication skills
• Follows the same process/methodology every time

Incident response and business continuity plans
• Business continuity (BC) is enabling your business to stay on course whatever storms it is forced to weather.
• BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

Incident response and business continuity plans
• Three key elements for business continuity are: (Wikipedia)
1. Resilience: critical business functions and the supporting infrastructure should not be materially affected by most disruptions.
2. Recovery: arrangements are made to recover or restore critical and less critical business functions that fail for some reason.
3. Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen.

Business Continuity Management
• Business Continuity Management (BCM) is a
holistic management process that identifies
potential threats to an organization and the
impacts to business operations those threats, if
realized, might cause, and which provides a
framework for building organizational resilience
with the capability of an effective response that
safeguards the interests of its key stakeholders,
reputation, brand and value-creating
activities. (Source: ISO 22301:2012)- BCI.org

Maltego: for mapping the connections you have
• Find out about Maltego (an open-source-intelligence and link-analysis tool that maps relationships between people, domains, IP addresses and other entities)