Professional Documents
Culture Documents
CS Notes
CS Notes
4) Misconfiguration
- Weak password, access problem
Authentication
- Help establish proof of identities. (User)
- Ensures that the origin of email or document is correctly identified. (Data)
- Compromised: fabrication.
Integrity
- Meaning: Data not been changed during transmission.
- Example of attack: modification.
Non-Repudiation
- User denying or repudiating sending messages to recipients.
- Defeats the possibility of denying smtg after having done it.
Access Control
- Determines who should be able to access what.
- Role Managements: User side
- Rule Managements: Resources side
Availability
- Resources available to authorized parties at all times
- Example of attack: Denial of Service (DoS) attack
1.3.1 Vulnerabilities
- State of being exposed to the possibility of being attacked
Platforms
- System that consists of the hardware device and operating system that runs
software.
- Example of platforms:
a. Legacy platform: no longer in used/outdated
b. On-premises platforms: limited to the premise only.
c. Cloud platform
Configurations
- Features and security settings that must be properly configured to repel
attacks.
Third Parties
- Having third parties to assist in providing services → access organization
company network
- Security of the third party ↓ provides an opening for attackers.
Patches
- Version that is released by the developer to repair a vulnerability
a. Difficulty patching firmware
b. Few patches for application software
c. Delays in patching OS
Zero Day
- Vulnerabilities that can be exploited by attackers before anyone else knows it
exists.
- No one knows there is such a loophole.
1.3.2 Threats
- Potentially dangerous event that has not occurred but has the potential to cause damages if it does.
- Threat Actors: individual or entities responsible for cyber incidents
Information - Lack the technical - Strongly motivated - 国家的hacker for - Come from its own - Long-term, global,
knowledge by ideology launching employees common threat.
cyberattacks
- Attack not always - E.g. breaking a against their foes. - Manipulation data - Individual or in
successful website and from a trusted groups to achieve
changing its - Causing financial employee their purposes
contents harm or damage to
the enterprise's
reputation
- Target highly
sensitive economic
Motivation - Curiosity - Political, social, - Espionage (crime of - Financial gain or to - Financial gain or
ideological spying), political, seek revenge reputation
economic enhancement
1.3.3 Attack
Passive Attack
- Does not affect system resources.
- Eavesdropping on, on monitoring data transmission
- Two type of passive attacks (interception):
a. Release of message contents
b. Traffic analysis
Active Attack
- Alter system resources.
- Involve modification of the data stream
- Three categories:
a. Fabrication (Masquerade)
b. Modification (Replay Attack)
c. Interruption (DoS attack)
Attack Vectors
- Pathway or avenue used by a threat actor to penetrate a system.
- Categories:
1) Email (hyperlinks)
2) Wireless (Intercepted and read or altered)
3) Removable Media (USE flash drive)
4) Direct Access (physically such as “touch” the machine)
5) Social Media (instagram post)
6) Supply Chain (third-party vulnerabilities)
7) Cloud
Imprison
- Take away the freedom from the user
- Type: ransomware / cryptomalware
- Ransomware: lock user data – embed itself onto the computer (reboot also no
use) - resided in bios – until a fee/ransom is paid
- Cryptomalware: encrypts all the files on the device – use the resources to
mine cryptocurrency – cost of key increases every few hours or days
Launch
- Launch attacks on other computer
- Example: worm, virus, bot
Virus
- File-based virus vs Fileless virus
- File-based virus: malicious code that attached to a file
- Replicates itself without human intervention
- Appender infection – virus attaches to the end of the file → insert instruction
that points to the end at the beginning of the file → program launched, jump
instruction redirects to the virus.
- Armored file-based virus:
➢ split infection – split malicious code into several part → at random
positions
➢ mutation – has a set of predefined mutations to fool malware scanners
- Each time the infected program is launched/data file is opened:
1. Unloads a payload
2. Reproduces itself
3. Spread with the help of user (cannot automatically spread to another
computer – rely on user’s action)
- Fileless virus – Native services (run by OS) called as living-off-the-land
binaries (LOLBins) – Loaded directly in the computer random access
memory (RAM) thru LOLBins
- Advantages:
1. Easy to inflect – thru malicious webpage (silently send a script)
2. Extensive control – full access to the core OS (high executing power)
3. Persistent – not remove after reboot (write script into Windows
Registry)
4. Difficult to detect – anti malware DO NOT scan RAM
5. Difficult to defend against
Worm
- Use computer network to replicate
- Exploited the vulnerability on one system → search for the next computer that
has the same vulnerability.
Bot
- Allow the attacker to remote control on the infected computer.
- Infected computer – bot / zombie
- Bot + bot + … = botnet (control by bot herder)
- Received instruction thru command and control (C&C) structure
Snoop
- Type: spyware & keylogger
- Spyware: Collection information without user’s approval
- Keylogger: capture and store KEYSTROKE. (can be software or hardware)
- Can also capture user screen + record image using webcam
- Hardware keylogger: not easily detected BUT must install and remove the
device physically
Deceive
- Deceive the user and hide its true intentions
- Example: Potentially unwanted program (PuP), Trojan, remote access Torjans
(RATs)
- PuPs – pre-installed software on new device – cannot be easily removed
- Trojans – executable program masquerades as performing a benign(not
dangerous) activity
- RAT – same as trojan but gives unauthorized remote access to attackers.
Evade
- Avoid detection
- Example: backdoor, logic bomb, rootkit
- Backdoor – circumvents any normal security protection (might be
unintentionally)
- Logic bomb – computer code that triggers at specific logical event (lies
dormant and evades detection)
- Rootkit
- hide its presence and other malware
- Collect user IDs and password – give root or privileged access to
hacker
- Can change the config on the host machine
2.2 Countermeasure to prevent malware attack
1) Developing security policies
- Companies cyber security strategy
1. Social engineering awareness policy
2. Server malware protection policy – install anti-malware on server
3. Software installation policy – only allowed licensed software
4. Removable media policy – minimize use of removable media
3) Password attacks
○ Brute-force: try all possible pw exhaustively
○ Trojan horse program: spying
○ IP spoofing: faking IP address
○ Create backdoor for future access if the account has sufficient
privileges
5) Man-in-the-Middle Attack
○ Might change data stream
○ Requires the attacker has access to the network packets
○ Possible uses: theft of information, corruption of transmitted data, DoS
4.3 Defense Mechanism
1) Malware scanners
● Prevent malware from infecting a system.
● Match with any signature from a list of all known malware definition
○ File sizes
○ .dat file
● Malware-like behavior
○ Manipulating the Registry
2) Firewalls
○ Barrier between two computers/computer systems/networks.
○ Filter incoming packets based on – packet size, source IP address,
protocol, destination port
○ Benefits:
i) Block certain traffic based on a set of rules
ii) Prevent DoS attack (stateful packet inspection)
○ Limitation
i) Cannot block user from downloading Trojan horse
ii) Cannot stop internal attacks
○ Stateless Packet Filtering
i) Check protocol, port, IP address of packet whether is it blocked
by the firewall
ii) Each packet is treated as a singular event (without referring to
the previous conversation)
○ Stateful Packet Filtering
i) Record and check in future
ii) Examine each packet and deny or permit access based not only
on the rules of the firewall, but also on data derived from
previous packets.
iii) Less susceptible to ping floods, SYN floods, and spoofing
iv) same source IP send thousands packets continuously →
assume as DoS attack → block the packets.
○ Application Gateways (application proxy)
i) Programs that runs on a firewall (帮助隐藏client的details)
ii) Act on behalf of the client, hiding and protecting individual
computers
iii) Two connection:
(1) Client to proxy server
(2) Proxy server to destination
3) Antispyware
○ Check against a list of known spyware
4) IDSs
○ Inspects all inbound and outbound port activity (Instead of packet,
check port)
5) Digital certificates
○ Asymmetric encryption
○ Contain user’s public key along with other information
○ Authenticate the holder of the certificate
○ Consists of:
i) Owner’s Public Key
ii) Owner’s Distinguished name
iii) CA’s Distinguished name
6) SSl/TLS – traffic between a web browser and the web server is encrypted
Cipher categories
Substitution cipher – exchange character for another
- Caesar cipher: choose some number to shift each letter (easily bypass by
brute-force cryptanalysis)
- ROT13: entire alphabet is rotated 13 steps
Characteristics –
● Fixed size
● Unique
● Original
● Secure
Attacks of Password
Pass the Hash attack – use a stolen hash to impersonate the user
Password cracker – create candidates with commonly used passwords compare
with the list of stolen digest
Password Spraying – select common passwords & test on several user accounts
(try N error)
Rule attack
- conducts a statistical analysis on the stolen password
- Create a mask of the format of the candidate password
Dictionary Attack
- Creating digest of common dictionary words and compare with stolen digest
Rainbow Tables
- Large pregenerated data set of candidate digests
- Required significant amount of time
- Advantages:
1. Repeatedly for attacks on other passwords
2. Much faster than dictionary attacks
3. Amount of memory needed is reduced.
Password Collections
- Broke into a server and get passwords (cleartext) which serve as the
candidate password
- Foundation of password cracking
Token-based Authentication
Specialized Devices
Smart cards
● Credit-card-sized plastic card that can hold information to be used in
authentication process
● Disadvantages:
○ Must have specialized hardware reader and device driver software
○ Skimming – capture the information from the magnetic strip
Windowed Token
● Display one-time password (OTP)
● Two types of OTPs
○ Time-based one-time password (TOTP) – changes after a set period of
time
○ HMAC-based one-time password (HOTP) – event driven and changes
when a specific event occurs.
Smartphones
- Phone Call
○ Automated phone call to smartphone → whether requested to log in →
press digit on keypad for approval or to decline
- Authentication App
Security Key
- Dongle that is inserted into the USB port
- Attestation – key pair that is “burned” into the security key
- Advantages: do not transmit OTPs that can be intercepted or phished
- Disadvantages: can be stolen by someone
Biometric Authentication
Physiological biometrics
Biometric Scanner
1) Retina scanner – the amount of reflections & form pattern (comparison)
2) Fingerprint scanner
3) Vein Scanner
4) Gait recognition (dynamic biometrics) – walking style
Disadvantage
- Cost of devices/scanner (expensive)
- Not foolproof
- Can be tricked
- Concern with the efficacy rate (efficiency vs security lvl)
Remote User Authentication
- Take places over the Internet, network or a communication link
Access Control
- Implement a security policy that specifies who or what may have access to
each resources and the type of access that is permitted
- Authentication function – whether the user is permitted to access the system
- Access control function – specific requested access by the user is permitted
- Auditing function – monitors and keep a record of user accesses to resources
ABAC
- provide permission to specific target for specific time frame
Chapter 7
Formal process of answering the questions:
- What assets need to be protected
- How are those assets threatened
- What can be done to counter those threats
Risk Consequence
- Insignificant
- Minor
- Moderate
- Major
- Catastrophic
- Doomsday
● Suitable for
small-medium
organization where
IT systems are not
necessarily essential
Detail Risk ● Detailed risk ● More details ● More cost in time, ● large
Approach assessment of the examination resources and
organization's IT expertise needed ● IT systems
systems, using a ● Provide strong critical to their
formal structured justification ● Might delays in objectives
process providing suitable
● Future levels of protection
enhancement or
maintenance
Control Classes
Management controls
- Security policies, planning, guidelines and standards on reducing the risk and
protecting organization’s mission
Operational controls
- Mechanisms and procedures that are primarily implemented by people rather
than systems
Technical controls
- Involve the correct use of hardware and software security capabilities in
systems
8.2 Security Risk Assessment
Deterrent controls – discourage security violations (warning)
Preventive controls – prevent the threat (firewall)
Physical controls – defined structure and location
Detective controls – identify any threat
Compensating controls – alternative to normal control (plan B, if plan A can’t use)
Corrective controls – mitigate or lessen the damage caused by incident
Inherent risk → current risk level given the existing set of controls.
Residual risk → risk level after additional controls are applied.
❌
Goal of security:
✔️
eliminate all risk
achieving an acceptable level of risk and expenses while minimizing losses
8.3 IT Security Plan
Provide details of:
- What will be done
- What resources are needed
- Who is responsible
Identified personnel
- Implement new or enhanced controls
- May need system configuration changes, upgrades or new system installation
Maintenance
- Need continued maintenance and monitoring of implemented controls
Security Compliance
● Audit process to review security processes
● Checklist:
○ Suitable policies and plans were created
○ Suitable selection of controls were chosen
○ System are maintained and used correctly
Incident Handling
● Procedure – how to respond to a security incident
● Codify action to avoid panic (have a systematic process)
Type of security incident:
● Unauthorized access
● unauthorized modification
Detecting Incident
Responding to Incident
● Need to documented response procedures
○ Identify cause of the security incident
○ Describe action taken to recover
● Procedures should
○ Identify typical categories of incidents
○ Approach taken to respond
○ Making critical decision
○ Whether report incident to police/CERT etc
Documenting Incidents