---
title: "03-threats-social-engineering-and-failures"
aliases:
tags:
  - comp210
  - lecture
sr-due: 2022-08-05
sr-interval: 9
sr-ease: 250
---

# News
- Kiwis urged to get new passwords by government cybersecurity agency ("big password energy")
- Ukraine cyber agency reports cyber attack surge
- Plymouth households hit by Clarion Housing cyber attack
- Facebook "unintentionally uploaded" 1.5 million people's email contacts without their consent
- threat maps: https://threatmap.checkpoint.com/ThreatPortal/livemap.html

# Threats
Events or circumstances that have the potential (risk) to adversely affect assets (reducing their value).
- e.g., the possibility of text messages stopping working -> the phone loses value

# Attack
Intentional or unintentional (e.g., lightning) acts that can damage or compromise assets.
- the actual act of attacking
- can be a passive attack: e.g., stumbling across information accidentally

# Exploits
- the techniques used

# Vulnerabilities
- the potential weaknesses in assets or in their defensive control systems
- e.g., trying to find weak points in a castle

# Arms race
Security is a never-ending arms race.
Security is improving, but so is the number of potential exploits.

# 12 groups of threats
![](https://i.imgur.com/d5i1wpA.png)

## Intellectual property
- creation, ownership and control of original ideas
- common breaches include software piracy
- two organisations investigate software abuse:
  - Software and Information Industry Association (SIIA)
  - Business Software Alliance (BSA)
- enforcement of copyright laws has been attempted with technical security mechanisms (e.g., watermarks, requiring an account, requiring the software to be registered, etc.)

## Deviations in quality of service
- when a product is not delivered as expected
- information systems depend on the successful operation of many interdependent support systems
- internet, communications and power irregularities all affect the availability of information systems
- internet:
  - ISP failures can considerably undermine the availability of information
  - outsourced web hosting assumes responsibility for all internet service as well as for the hardware and the web site operating system software
  - terms of service ensure that these services are guaranteed
- communication and other provider service issues include:
  - other utilities: telephone, water, wastewater, garbage collection
  - these all affect the company's ability to function
- power irregularities:
  - power excess, shortages, losses
  - sensitive equipment is vulnerable to, and easily damaged by, fluctuations
  - controls can be applied to manage power quality, e.g., a UPS

## Espionage or trespass
- unauthorized attempts to gain illegal access to information
- competitive intelligence vs industrial espionage vs cyber terrorism
- shoulder surfing
- controls mark the virtual boundaries of an organisation
- controls oftentimes let trespassers know they are encroaching on an organization's cyberspace
- hackers use skill, guile or fraud to bypass the controls protecting others' information
  - expert
    - develop scripts and exploits
    - master of many skills
    - create software (malware etc.) and share it with others
    - a minority
  - novice
    - script kiddies
    - more common
    - use scripts written by experts
    - do not understand the systems they are hacking
    - packet monkeys: script kiddies that use worms to overload systems
  - cracker
    - cracks or removes software protections designed to prevent unauthorized duplication
    - also cracks passwords
  - phreaker
    - hacks the public telephone system to make free calls or disrupt services
    - more specific
- also includes password attacks
  - brute force: tries all possible combinations
  - dictionary: includes information related to the target user
  - rainbow tables: a hacker with access to an encrypted password can find the corresponding plaintext in a dataset called a rainbow table
  - social engineering: e.g., attacks such as posing as IT professionals to gain access to a system's information (normally by contacting other employees)

# Forces of nature
- fire, flood, lightning, earthquake, eruptions, etc.
- controls can be used to protect against these
- very dynamic
- unpredictable

# Human errors or failure
- actions performed without malicious intent, or out of ignorance, by an authorised user
  - inexperience
  - improper training
  - incorrect assumptions
- employees are among the greatest threats to an organisation's data
- e.g.:
  - accidental deletion
  - revelation of classified data
  - entry of erroneous data
  - storage in unprotected areas
  - failure to protect information
- can be prevented with training, ongoing awareness activities, and controls

# Social engineering
- using social skills to convince people to reveal access credentials or other valuable information to an attacker
- used for a broad range of malicious activities through human interactions

![kevin mitnick quote](https://i.imgur.com/Q7ChU37.png)

Developing trust is a powerful technique in social engineering
- people are naturally helpful and trusting
- ask during seemingly innocent conversations
- slowly ask for increasingly important information
- learn company lingo, names of people, names of servers, etc.
- cause a problem and subsequently offer your help to fix it
- talk negatively about a common enemy
- talk positively about a common hero

Inducing strong emotions
- you won a prize, etc.
- excitement
- fear
- confusion

Information overload technique
- reduces the target's ability to scrutinize the arguments proposed by the attacker
- triggered by:
  - providing a lot of information
  - providing arguments from an unexpected angle, which forces the victim to analyse the situation from a new perspective and requires additional mental processing

Reciprocation
- a technique that exploits our tendency to return a favour
  - even if the first favour was not requested
  - even if the return favour is more valuable
- double disagreement
  - if the attacker creates a double disagreement and gives in on one, the victim will have the tendency to give in on the other
- expectation
  - if the victim is requested to give the first favour, they will believe that the attacker becomes a future ally

Tendency to obey authority
- Milgram experiment

Don't be a commitment creep
- people have a tendency to follow through on commitments even when it might be unwise

Information extortion is the practice of requesting a ransom for your valuable information
- ransomware

# Attacks
Represent intentional or unintentional acts that can damage or compromise assets
- range from petty vandalism to organized sabotage
  - defacing
- threats are rising
- cyberterrorism/warfare is a much more sinister form of hacking
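The password attacks listed under espionage or trespass (brute force, dictionary, rainbow tables) all come down to matching a stored password digest against candidate passwords. The Python below is an added example, not part of the lecture notes: it builds a tiny precomputed digest-to-plaintext lookup from a constructed wordlist (the simplified idea behind a rainbow table), shows that it recovers an unsalted SHA-256 digest, counts the brute-force keyspace for a fixed-length password, and then shows why a per-user random salt with PBKDF2 defeats the precomputed table. The wordlist, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a dictionary / rainbow-table source.
# (Assumption: a handful of entries; real tables hold billions.)
WORDLIST = ["password", "letmein", "summer2022", "comp210", "qwerty123"]

# PBKDF2 iteration count is an assumption chosen for illustration.
PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the storage scheme a precomputed table can attack."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once, then reuse it for every stolen digest.

    A rainbow table is a space-optimised version of exactly this idea; a plain
    dictionary is enough to show the effect.
    """
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_digest):
    """Return the plaintext for a stolen unsalted digest, or None if the table lacks it."""
    return table.get(stored_digest)


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force attack must try for a fixed-length password."""
    return alphabet_size ** length


def salted_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt; the salt is stored next to the digest."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


def store_salted(password: str):
    """What a defender stores: a fresh random salt plus the salted digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(salted_hash(password, salt), stored_digest)


def table_recovers_salted(table, stored_digest) -> bool:
    """The table was built with no knowledge of the salt, so it cannot contain the
    salted digest; an attacker must redo the work per user, which is the point of salting."""
    return stored_digest in table


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    stolen = unsalted_hash("comp210")
    print("unsalted lookup:", lookup(table, stolen))                     # comp210
    salt, record = store_salted("comp210")
    print("salted lookup hit:", table_recovers_salted(table, record))   # False
    print("login ok:", verify_salted("comp210", salt, record))          # True
    print("8 lowercase letters:", brute_force_keyspace(26, 8))          # 208827064576
```

The unsalted lookup succeeds instantly because the work was done before the digest was stolen; the salted record forces that work to be repeated for each user, and the slow PBKDF2 derivation makes each repetition expensive. For a production system use a dedicated password-hashing library rather than hand-rolling the scheme above.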