mirror of
https://github.com/jackyzha0/quartz.git
synced 2025-12-26 06:14:06 -06:00
165 lines
6.5 KiB
Markdown
---
title: "03-threats-social-engineering-and-failures"
aliases:
tags:
- comp210
- lecture
sr-due: 2022-08-05
sr-interval: 9
sr-ease: 250
---

# News

- Kiwis urged to get new passwords by government cybersecurity agency ("big password energy")
- Ukraine cyber agency reports cyber attack surge
- Plymouth households hit by Clarion Housing cyber attack
- Facebook "unintentionally uploaded" 1.5 million people's email contacts without their consent
- threat maps: https://threatmap.checkpoint.com/ThreatPortal/livemap.html

|
# Threats

events are circumstances that have the potential (risk) to adversely affect assets (reducing their value)

- e.g., the possibility of text messages stopping working -> phone loses value

# Attack

intentional or unintentional (e.g., lightning) acts that can damage or compromise assets.

- the actual act of attacking
- can be a passive attack: e.g., stumbling across information accidentally

# Exploits

- the techniques used

# Vulnerabilities

- the potential weaknesses in assets or in their defensive control systems
- e.g., trying to find weak points in a castle

# Arms race

security is a never-ending arms race. Security is improving, but so is the number of potential exploits

|
# 12 groups of threats

|
## Intellectual property

- creation, ownership and control of original ideas
- common breaches include software piracy
- two organisations investigate software abuse
  - Software and Information Industry Association (SIIA)
  - Business Software Alliance (BSA)
- enforcement of copyright laws has been attempted with technical security mechanisms (e.g., watermarks, needing an account, having to register the software, etc.)

## deviations in quality of service

- when a product is not delivered as expected
- info systems depend on the successful operation of many interdependent support systems
- internet, communications and power irregularities all affect the availability of information systems
- internet:
  - ISP failures can considerably undermine the availability of information
  - outsourced web hosting assumes responsibility for all internet service as well as for the hardware and the web site operating system software.
  - terms of service ensure that these services are guaranteed
- communication and other provider service issues include
  - other utilities: telephone, water, wastewater, garbage collection
  - these all affect the company's ability to function
- power irregularities
  - power excess, shortages, losses
  - sensitive equipment is vulnerable to and easily damaged by fluctuations
  - controls can be applied to manage power quality, e.g., UPS

|
## espionage or trespass

- unauthorized attempts to gain illegal access to information
- competitive intelligence vs industrial espionage vs cyber terrorism
- shoulder surfing
- controls mark the virtual boundaries of an organisation
- controls oftentimes let trespassers know they are encroaching on an organization's cyberspace
- hackers use skill, guile, or fraud to bypass controls protecting others' information
  - expert
    - develop scripts and exploits
    - master of many skills
    - often create software (malware etc.) and share it with others
    - minority
  - novice
    - script kiddies
    - more common
    - use scripts written by experts
    - do not understand the systems they are hacking
    - packet monkeys: script kiddies that use worms to overload systems
  - cracker
    - cracks or removes software protections designed to prevent unauthorized duplication
    - also cracks passwords
  - phreaker
    - hacks the public telephone system to make free calls or disrupt services
    - more specific
- also includes password attacks
  - brute force - tries all possible combinations
  - dictionary - includes information related to the target user
  - rainbow tables - a hacker with access to an encrypted (hashed) password can find the corresponding plaintext in a precomputed dataset called a rainbow table
  - social engineering - e.g., attacks such as posing as IT professionals to gain access to a system's information (normally by contacting other employees)
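As an added example (not part of these lecture notes), the following shows why a per-user salt is the standard control against the rainbow-table attack listed above: a table precomputed from unsalted hashes recovers a stored password in one lookup, while the same table finds nothing against a salted hash. The candidate password list, the plain-SHA-256 hash and all function names are constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed sample input: a tiny stand-in for a precomputed password table.
# A real rainbow table stores hash chains to save space, but the lookup it
# enables, and the defence against it, are the same as for this plain dict.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def sha256_hex(text):
    """Unsalted SHA-256, standing in for whatever fast hash the victim used."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_precomputed_table(words):
    """Hash every candidate once; an attacker reuses this table against every
    store of unsalted hashes (the rainbow-table threat from the notes)."""
    return {sha256_hex(w): w for w in words}

def recover_unsalted(stored_hash, table):
    """With no salt, recovery is a single dictionary lookup."""
    return table.get(stored_hash)

def store_salted(password):
    """Defensive storage: a random per-user salt is mixed into the hash, so the
    same password gives a different digest for every user and no table built
    before the salt was chosen can apply. Production code should also use a
    slow KDF (scrypt/argon2/bcrypt); plain SHA-256 is kept here for clarity."""
    salt = secrets.token_hex(16)
    return salt, sha256_hex(salt + password)

def recover_salted(stored_hash, table):
    """The precomputed table only holds hashes of bare words, so a salted
    digest is never found; the attacker would have to rebuild it per salt."""
    return table.get(stored_hash)

def verify_salted(password, salt, stored_hash):
    """Legitimate login: recompute with the stored salt, compare in constant time."""
    return secrets.compare_digest(sha256_hex(salt + password), stored_hash)


if __name__ == "__main__":
    table = build_precomputed_table(COMMON_PASSWORDS)
    print(recover_unsalted(sha256_hex("letmein"), table))  # letmein
    salt, digest = store_salted("letmein")
    print(recover_salted(digest, table))  # None
    print(verify_salted("letmein", salt, digest))  # True
```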

## Forces of nature

- fire, flood, lightning, earthquake, eruptions, etc.
- can use controls to protect against these
- very dynamic
- unpredictable

|
## Human errors or failure

- actions performed without malicious intent, or through ignorance, by an authorised user
  - inexperience
  - improper training
  - incorrect assumptions
- employees are among the greatest threats to an organisation's data
- e.g.,
  - accidental deletion
  - revelation of classified data
  - entry of erroneous data
  - storage in unprotected areas
  - failure to protect information
- can be prevented with training, ongoing awareness activities, and controls

|
## Social engineering

- using social skills to convince people to reveal access credentials or other valuable information to an attacker
- used for a broad range of malicious activities through human interactions

Developing trust is a powerful technique in social engineering

- people are naturally helpful and trusting
- ask during seemingly innocent conversations
- slowly ask for increasingly important information
- learn company lingo, names of people, names of servers, etc.
- cause a problem and subsequently offer your help to fix it
- talk negatively about a common enemy
- talk positively about a common hero

Inducing strong emotions

- "you won a prize", etc.
- excitement
- fear
- confusion

Information overload technique

- reduces the target's ability to scrutinise arguments proposed by the attacker
- triggered by
  - providing a lot of information
  - providing arguments from an unexpected angle, which forces the victim to analyse the situation from a new perspective, requiring additional mental processing

Reciprocation

- technique that exploits our tendency to return a favour
  - even if the first favour was not requested
  - even if the return favour is more valuable
- double disagreement
  - if the attacker creates a double disagreement and gives in on one, the victim will have the tendency to give in on the other
- expectation
  - if the victim is requested to give the first favour, they will believe that the attacker becomes a future ally

Tendency to obey authority

- Milgram experiment

Don't be a commitment creep

- people have a tendency to follow through on commitments even when it might be unwise

Information extortion is the practice of demanding a ransom for your valuable information

- ransomware

|
# Attacks

represent intentional or unintentional acts that can damage or compromise assets

- range from petty vandalism to organized sabotage
- defacing
- threats are rising
- cyberterrorism/warfare is a much more sinister form of hacking