mirror of
https://github.com/jackyzha0/quartz.git
synced 2025-12-26 06:14:06 -06:00
---
title: "03-threats-social-engineering-and-failures"
aliases:
tags:
- comp210
- lecture
sr-due: 2022-08-21
sr-interval: 23
sr-ease: 250
---

# News

- Kiwis urged to get new passwords by government cybersecurity agency ("big password energy")
- Ukraine cyber agency reports cyber attack surge
- Plymouth households hit by Clarion Housing cyber attack
- Facebook "unintentionally uploaded" 1.5 million people's email contacts without their consent
- threat maps: https://threatmap.checkpoint.com/ThreatPortal/livemap.html

# Threats

threats are events or circumstances that have the **potential** (risk) to adversely affect assets (reducing their value)

- e.g., the possibility of text messages stopping working -> the phone loses value

# Attack

intentional or unintentional (e.g., lightning) **acts** that can damage or compromise assets.

- the actual act of attacking
- can be a passive attack: e.g., stumbling across information accidentally

# Exploits

- the **techniques** used to take advantage of a vulnerability

# Vulnerabilities

- potential weaknesses in assets or in their defensive control systems
- e.g., looking for weak points in a castle wall

# Arms race

security is a never-ending arms race: defences keep improving, but so does the number of potential exploits

# 12 groups of threats

## Intellectual property

- creation, ownership and control of original ideas
- common breaches include software piracy
- two organisations investigate software abuse
  - Software and Information Industry Association (SIIA)
  - Business Software Alliance (BSA)
- enforcement of copyright laws has been attempted with technical security mechanisms (e.g., watermarks, requiring an account, mandatory software registration, etc.)

## deviations in quality of service

- when a product or service is not delivered as expected
- information systems depend on the successful operation of many interdependent support systems
- internet, communications and power irregularities all affect the availability of information systems
- internet:
  - ISP failures can considerably undermine the availability of information
  - an outsourced web host assumes responsibility for all internet service as well as for the hardware and the web site's operating system software
  - the terms of service should guarantee these services (check what the agreement actually promises)
- communication and other provider service issues include
  - other utilities: telephone, water, wastewater, garbage collection
  - these all affect the company's ability to function
- power irregularities
  - power excess, shortages, losses
  - sensitive equipment is vulnerable to and easily damaged by fluctuations
  - controls can be applied to manage power quality, e.g., a UPS

## espionage or trespass

- unauthorized attempts to gain illegal access to information
- competitive intelligence vs industrial espionage vs cyber terrorism
- shoulder surfing
- controls mark the virtual boundaries of an organisation's cyberspace
  - controls often let trespassers know they are encroaching on an organisation's cyberspace
- hackers use skill, guile, or fraud to bypass controls protecting others' information
  - expert
    - develop scripts and exploits
    - master of many skills
    - often create software (malware etc.) and share it with others
    - minority
  - novice
    - script kiddies
    - more common
    - use scripts written by experts
    - do not understand the systems they are attacking
    - packet monkeys: script kiddies that use worms to overload systems
  - cracker
    - cracks or removes software protections designed to prevent unauthorized duplication
    - also cracks passwords
  - phreaker
    - hacks the public telephone system to make free calls or disrupt services
- more specific attacks in this category include password attacks
  - brute force - tries all possible combinations
  - dictionary - tries a list of likely passwords, including information related to the target user
  - rainbow tables - an attacker who has obtained a hashed password looks up the corresponding plaintext in a precomputed table of hashes (a rainbow table); a per-user salt defeats this because the table would have to be rebuilt per salt
  - social engineering - e.g., posing as IT professionals to gain access to a system's information (normally by contacting other employees)

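Worked example, added here and not part of the original lecture notes: the three password attacks above run against unsalted MD5 hashes, with a real (if tiny) rainbow table built from hash/reduce chains, and a salted slow hash that the table cannot crack. The 4-letter lowercase password space, the chain parameters (100 steps, 2000 chains), the seed, the PBKDF2 round count and the sample passwords are constructed assumptions chosen so the whole thing runs in about a second.

```python
"""Added example (not from the lecture notes): brute force, dictionary and
rainbow-table attacks against unsalted MD5, plus a salted, slow hash that the
precomputed table cannot crack.  The password space, chain parameters and
sample passwords are constructed for speed."""
import hashlib
import itertools
import random
import string
from typing import Dict, List, Optional

ALPHABET = string.ascii_lowercase
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN   # 26**4 = 456,976 possible passwords
CHAIN_LEN = 100                   # hash/reduce steps per chain (t)
NUM_CHAINS = 2000                 # (end, start) pairs stored (m)


def md5_hex(password: str) -> str:
    """Unsalted MD5: the weak scheme all three attacks target here."""
    return hashlib.md5(password.encode()).hexdigest()


def index_to_password(n: int) -> str:
    """Map an integer in [0, SPACE) to a password in the search space."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def brute_force(target_hex: str) -> Optional[str]:
    """Try every password in the space, in order, until the hash matches."""
    for combo in itertools.product(ALPHABET, repeat=PW_LEN):
        candidate = "".join(combo)
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


def dictionary_attack(target_hex: str, wordlist: List[str]) -> Optional[str]:
    """Only try likely passwords: words, names and data tied to the target user."""
    for word in wordlist:
        if md5_hex(word) == target_hex:
            return word
    return None


def reduce_hash(hex_digest: str, position: int) -> str:
    """Reduction function R_i: turn a hash back into *some* password.  Mixing in
    the column position gives every column its own function, which is what makes
    this a rainbow table rather than a plain Hellman chain."""
    return index_to_password((int(hex_digest[:16], 16) + position) % SPACE)


def build_rainbow_table(seed: int = 1) -> Dict[str, str]:
    """Precompute NUM_CHAINS chains of CHAIN_LEN steps; store only end -> start.
    This is the expensive step the attacker does once, before seeing any hash."""
    rng = random.Random(seed)
    table: Dict[str, str] = {}
    for _ in range(NUM_CHAINS):
        start = index_to_password(rng.randrange(SPACE))
        pw = start
        for i in range(CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), i)
        table[pw] = start
    return table


def rainbow_lookup(table: Dict[str, str], target_hex: str) -> Optional[str]:
    """Find the chain containing target_hex by walking it forward from every
    possible column, then regenerate that chain from its start to recover the
    plaintext.  Regeneration also filters false alarms from merged chains."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target_hex, i)
        for j in range(i + 1, CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), j)
        start = table.get(pw)
        if start is None:
            continue
        pw = start
        for k in range(CHAIN_LEN):
            digest = md5_hex(pw)
            if digest == target_hex:
                return pw
            pw = reduce_hash(digest, k)
    return None


def salted_slow_hash(password: str, salt: bytes) -> str:
    """What a password store should do instead: a per-user random salt (so no
    table can be precomputed) and a deliberately slow KDF (so brute force is
    expensive).  The 100,000 PBKDF2 rounds are an illustrative, constructed count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


if __name__ == "__main__":
    table = build_rainbow_table()
    victim = next(iter(table.values()))   # a password the table is known to cover
    print("brute force :", brute_force(md5_hex("kiwi")))
    print("dictionary  :", dictionary_attack(md5_hex("kiwi"), ["password", "kiwi"]))
    print("rainbow     :", rainbow_lookup(table, md5_hex(victim)), "==", victim)
    print("salted      :", rainbow_lookup(table, salted_slow_hash(victim, b"random-salt")))
```

Running the file prints each attack's result. The table stores only 2000 (end, start) pairs yet can invert any hash at one of the roughly 200,000 chain positions it covers; that trade of storage for lookup time is the whole point, and a per-user salt breaks it because the attacker would need a separate table for every salt.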
# Forces of nature

- fire, flood, lightning, earthquake, eruptions, etc.
- can use controls to protect against these
- very dynamic
- unpredictable

# Human errors or failure

- actions performed by an authorised user without malicious intent, through ignorance or carelessness
  - inexperience
  - improper training
  - incorrect assumptions
- employees are among the greatest threats to an organisation's data
- e.g.,
  - accidental deletion
  - revelation of classified data
  - entry of erroneous data
  - storage in unprotected areas
  - failure to protect information
- can be prevented with training, ongoing awareness activities, and controls

# Social engineering

- using social skills to convince people to reveal access credentials or other valuable information to an attacker
- used for a broad range of malicious activities carried out through human interaction

Developing trust is a powerful technique in social engineering

- people are naturally helpful and trusting
- ask during seemingly innocent conversations
- slowly ask for increasingly important information
- learn company lingo, names of people, names of servers, etc.
- cause a problem and subsequently offer your help to fix it
- talk negatively about a common enemy
- talk positively about a common hero

Inducing strong emotions

- "you won a prize", etc.
- excitement
- fear
- confusion

Information overload technique

- reduce the target's ability to scrutinise the arguments proposed by the attacker
- triggered by
  - providing a lot of information
  - providing arguments from an unexpected angle, which forces the victim to analyse the situation from a new perspective that requires additional mental processing

Reciprocation

- technique that exploits our tendency to return a favour
  - even if the first favour was not requested
  - even if the return favour is more valuable
- double disagreement
  - if the attacker creates a double disagreement and gives in on one, the victim will have a tendency to give in on the other
- expectation
  - if the victim is asked to give the first favour, they will believe that the attacker becomes a future ally

Tendency to obey authority

- Milgram experiment

Don't be a commitment creep

- people have a tendency to follow through on commitments even when it might be unwise

Information extortion is the practice of demanding a ransom for your valuable information

- ransomware

# Attacks

represent intentional or unintentional acts that can damage or compromise assets

- range from petty vandalism to organized sabotage
  - defacing (e.g., web site defacement)
- threats are rising
- cyberterrorism/cyberwarfare is a much more sinister form of hacking

## Types of attacks

- Virus - code segments that attach to existing programs and take control of access to the targeted computer
- Worms - replicate themselves (without needing a host program) until they completely fill available resources such as memory and hard-drive space
- Trojan Horses - malware disguised as helpful, interesting or necessary pieces of software
- Polymorphic threat - malware that changes its form over time (evolves) to elude signature-based detection
- Virus and worm hoaxes - warnings about nonexistent malware that employees waste time spreading
- Back door - gaining access to a system or network using a known or previously unknown/newly discovered access mechanism
- DoS - attacker sends a large number of connection or information requests to a target
  - target becomes overloaded and cannot respond to legitimate requests for service
  - may result in a crash or inability to perform ordinary functions
- DDoS - a coordinated stream of requests is launched against a target from many locations at once
- Mail bombing (also a DoS) - attacker routes large quantities of e-mail to a target to overwhelm them
- Spam (unsolicited commercial e-mail) - more a nuisance than an attack, but is emerging as a vector for some attacks (e.g., phishing, malicious attachments)
- Packet sniffer - monitors data traveling over a network; has legitimate uses (troubleshooting), but can be used to steal data sent in the clear
- Spoofing - technique used to gain unauthorized access; the intruder assumes a trusted IP address (or other trusted identity)
- Pharming - redirects users from a legitimate address to an illegitimate site for the purpose of obtaining private information, e.g., via DNS cache poisoning
  - make the DNS answer point to the illegitimate site instead of the real site
- Man-in-the-middle - an attacker monitors (sniffs) the network packets, modifies them, and inserts them back into the network

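Added example (not part of the notes): detection logic that tells a DoS from a DDoS in web-server access logs, using the definitions above (one source overloading the target vs. a coordinated stream from many sources). The log lines are constructed Common Log Format entries using RFC 5737 documentation addresses; the 10-second window and the thresholds are assumptions that a real deployment would tune against its normal traffic.

```python
"""Added example (not from the lecture notes): spotting a single-source flood
(DoS) and a distributed flood (DDoS) in constructed web-server log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 10       # assumed bucket size
PER_SOURCE_LIMIT = 30     # one IP sending more than this per window: DoS
MIN_SOURCES = 20          # many distinct IPs ...
AGGREGATE_LIMIT = 100     # ... adding up to more than this per window: DDoS

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


def generate_sample_log() -> List[str]:
    """Constructed traffic: light browsing, then one host flooding, then 40 hosts
    flooding the same path together."""
    base = datetime(2022, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []

    def add(ip: str, offset: float, path: str = "/index.html") -> None:
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append('%s - - [%s] "GET %s HTTP/1.1" 200 512' % (ip, ts, path))

    for i in range(5):                          # normal users
        add("10.0.0.5", i * 7)
        add("10.0.0.6", i * 11, "/about.html")
    for i in range(80):                         # DoS: 80 requests in 10 s from one host
        add("203.0.113.9", 100 + i / 8)
    for host in range(40):                      # DDoS: 40 hosts x 5 requests in 10 s
        for r in range(5):
            add("198.51.100.%d" % (host + 1), 200 + (host * 5 + r) * 0.05, "/login")
    return lines


def parse_line(line: str) -> Optional[Tuple[float, str]]:
    """Return (unix time, source ip), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return when.timestamp(), m.group("ip")


Finding = Tuple[str, int, Optional[str], int]   # (kind, window, ip or None, count)


def detect_floods(lines: List[str]) -> List[Finding]:
    """Bucket requests into fixed windows (relative to the first request) and
    apply the per-source and aggregate thresholds to each window."""
    events = [e for e in map(parse_line, lines) if e is not None]
    if not events:
        return []
    t0 = min(t for t, _ in events)
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for t, ip in events:
        per_window[int((t - t0) // WINDOW_SECONDS)][ip] += 1

    findings: List[Finding] = []
    for window in sorted(per_window):
        sources = per_window[window]
        for ip, n in sources.items():
            if n > PER_SOURCE_LIMIT:
                findings.append(("dos", window, ip, n))
        total = sum(sources.values())
        if len(sources) >= MIN_SOURCES and total > AGGREGATE_LIMIT:
            findings.append(("ddos", window, None, total))
    return findings


if __name__ == "__main__":
    for finding in detect_floods(generate_sample_log()):
        print(finding)
```

The two rules are deliberately different: the DoS rule keys on one address exceeding a per-source limit, while the DDoS rule ignores per-source counts (each bot stays under the limit) and instead looks at how many distinct sources share a window and what they add up to. Rate-limiting a single IP, the usual first response to a DoS, does nothing against the second pattern.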
# failure

> A failure occurs when our security mechanisms (controls), hardware, or information systems have failed to protect our assets

Technical hardware failures (or errors) occur when equipment is distributed containing a known or unknown flaw

- They can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability.
- Some errors are terminal and some are intermittent.
- Intel Pentium CPU failure - the floating-point division (FDIV) bug (Intel's loss: over $475 million).
- Mean time between failures (MTBF) / mean time to failure (MTTF): the average time between hardware failures (for repairable components) or until a component fails (for non-repairable ones).

## Spectre & meltdown

https://meltdownattack.com/

- hardware flaws of this kind in CPUs (speculative execution side channels, disclosed in 2018) let an unprivileged process read memory it should not be able to see; deployed chips are mitigated with microcode, OS and compiler changes rather than a hardware fix

## Technical Software Failures or Errors

- Large quantities of computer code are written, debugged, published, and sold before all bugs are detected and resolved.
- Combinations of certain software and hardware can reveal new software bugs.
- Entire web sites are dedicated to documenting bugs.
- The Open Web Application Security Project (OWASP) is dedicated to helping organizations create and operate trustworthy software, and publishes a list of the top security risks (the OWASP Top 10).

## The Deadly Sins in Software Security

- Buffer overruns
- Catching exceptions
- Command injection
- Cross-site scripting (XSS)
- Failure to handle errors
- Failure to protect network traffic (e.g., by not using WPA on a local wifi network)
- Failure to store and protect data securely (e.g., missing access control)
- Failure to use cryptographically strong random numbers
- Format string problems
- Neglecting change control
- Improper file access
- Improper use of Secure Sockets Layer (SSL/TLS)
- Information leakage
- Integer bugs (overflows/underflows)
- Race conditions
- SQL injection
- Trusting network address resolution
- Unauthenticated key exchange
- Use of magic URLs and hidden forms
- Use of weak password-based systems
- Poor usability

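Added example, not from the notes: three of the sins above (SQL injection, failure to use cryptographically strong random numbers, cross-site scripting), each shown as the vulnerable form beside its fix using only Python's standard library. The `users` table, its plaintext passwords and the sample inputs are constructed for the demo; a real store would hold salted password hashes.

```python
"""Added example (not from the lecture notes): vulnerable vs fixed forms of
SQL injection, weak random tokens and cross-site scripting."""
import html
import random
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store (plaintext passwords only to keep the
    SQL point isolated; a real store holds salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


# --- SQL injection -----------------------------------------------------------
def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is pasted into the SQL text, so a password of  ' OR '1'='1
    turns the WHERE clause into  ... AND password = '' OR '1'='1'  which matches
    every row (AND binds tighter than OR)."""
    query = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes the values as data, never as SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# --- Failure to use cryptographically strong random numbers -------------------
def weak_reset_token(seed_time: int) -> str:
    """A general-purpose PRNG seeded with something guessable (a timestamp):
    anyone who knows or brute-forces the seed regenerates the same token."""
    rng = random.Random(seed_time)
    return "%032x" % rng.getrandbits(128)


def strong_reset_token() -> str:
    """secrets reads the OS CSPRNG; there is no seed for an attacker to guess."""
    return secrets.token_hex(16)


# --- Cross-site scripting -----------------------------------------------------
def render_comment_vulnerable(comment: str) -> str:
    """Untrusted text lands in the page unchanged, so a <script> tag executes."""
    return "<p>%s</p>" % comment


def render_comment_safe(comment: str) -> str:
    """Escape on output: < > & " ' become entities and render as plain text."""
    return "<p>%s</p>" % html.escape(comment)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login with injected password:", login_vulnerable(db, "nobody", payload))
    print("parameterised login with same input    :", login_safe(db, "nobody", payload))
    print("weak token reproducible from its seed  :",
          weak_reset_token(1_700_000_000) == weak_reset_token(1_700_000_000))
    print("strong tokens differ on every call     :",
          strong_reset_token() != strong_reset_token())
    print(render_comment_safe("<script>alert(1)</script>"))
```

The common thread is the boundary between data and code: the query placeholder, the CSPRNG and the output escape each keep attacker-controlled or attacker-guessable values from being interpreted as something the program trusts.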
# Technological obsolescence

> when antiquated/outdated infrastructure leads to security issues (e.g., systems that no longer receive security patches)

- Proper managerial planning should prevent technology obsolescence.
- IT plays a large role.

# Theft

occurs when someone takes another's physical, electronic or intellectual property

- Physical theft is controlled relatively easily.
- Electronic theft is a more complex problem as the evidence of the crime is not readily apparent (e.g., the original copy is still there, so you don't notice the theft as you would for a physical object).

# what to do

- Don't panic!
- Knowledge and education are key.
- You make more progress by fixing the problem than by fixing the blame. (H.B. Wolfe)