quartz/content/notes/03-threats-social-engineering-and-failures.md

title	aliases	tags
03-threats-social-engineering-and-failures		comp210

News

• kiwis urged to get new passwords by government cybersecurity agency (big password energy)
• ukraine cyber agency reports cyber attack surge
• plymouth households hit by clarion housing cyber attack
• facebook "unintentionally uploaded" 1.5 million peoles email contacts without their consent
• threat maps: https://threatmap.checkpoint.com/ThreatPortal/livemap.html

Threats

events are circumstances that has the potential (risk) to adversely affect assets (reducing their value)

• e.g., possibility of text messages stop working -> phone loses value

Attack

intentional or unintentional (e.g., lightning) acts that can damage or compromise assets.

• the actual act of attacking
• can be passive attack: e.g., stumble accross information accidentaly

Exploits

• the techniques used

Vulnerabilities

• the potential weaknesses in assets or in their defensive control systems
• e.g., try to find weakpoints in a castle

Arms race

security is a never ending arms race. Security is improving but so are the number of potential exploits

12 groups of threats

Intellectual property

• creation ownership and control of original ideas
• common breaches include software priracy
• two organisatons investigate software abuse
  • software and information industry association (SIIA)
  • business software alliance (BSA)
• enforcement of copyright laws has been attempted with technical security mechanisms (e.g., watermark, you need an account, must register the software, etc)

deviations in quality of service

• when a product is not delivered as expected
• info systems depend of successful operation of many interdependent support systems
• internet, communications, power irregularities, all affect the availability of information systems
• internet:
  • ISP failures can considerably undermine the availability of information
  • outsourced web hosting assumes responsibility for all internet service as well as for the hardware and the web site operaing system software.
  • terms of service ensure that these services are guaranteed
• communication and other provider service issues include
  • other untilities: telephone, water, wastewater, garbage collection
  • these all affect the companies ability to function
• power irregularities
  • pwer exess, shortages, losses
  • sensitive equipment vulnerable to and easily damaged by fluctuations
  • controls can be applied to manage power quality e.g., UPS

espionage or trespass

• unauthorized attempts to gain illegal access to information
• competitive intelligence vs industrial espionage vs cyber terrorism
• shoulder surfing
• controls mark the virtual boundaries of an organisations
  • controls oftentimes let trespassers know they are encroaching on an organizations cyberspace
  • hackers use skill, guile, or fraud, to bypass controls protecting others information
    • expert
      • develop scripts and exploits
      • master of many skills
      • of create software (malware etc) and share with others
      • minority
    • novice
      • script kiddies
      • more common
      • use scripts written by experts
      • do not understand the systems the are hacking
      • packet monkeys: script kiddies that use worms to overload systems
    • cracker
      • cracks or removes software protections designed to precent unauthorized duplication
      • also crack passwords
    • phreaker
      • hacks the public telephone system to make free calls or disrupt services
      • more specific
• also includes password attacks
  • brute force- tried all possible combinations
  • dictionary - include information related to the target user
  • rainbow tables - a hacker with access to encrypted password, they can find the corresponding plaintext in a dataset called a rainbow table
  • social engineering - e.g., attacks as posing at IT professionals to gain access toa systems information (normally by contacting other employees)

Forces of nature

• fire, flood, lightening, earthquake, eruptions, etc.
• can use controls to protect against these
• very dynamic
• unpredicatble

Human errors or failure

• actions performed without malicious intent or ignorance (by an authorised user)
• inexperience
• improper training
• incorrect assumptions
• employees are among the greatest threats to an organisations data
• e.g,
  • accidental deletion
  • revelation of classified data
  • entry or erroneous data
  • storage in unprotected areas
  • failure to protect information
• can be prevented with training, ongoing awareness activites, and controls

Social engineering

• using social skills to convince people to reveal access credentials or other valuable information to an attacker
• used for a broad range of malicious activities through human interactions

Developing trust if a powerful technique in social engineering

• people are naturally helpful and trusting
• ask during seemingly innocent conversations
  • slowly ask for increasingly imprtant information
• lean company lingo, names of people, names, servers etc
• cause a problem and subsequently offer your help to fix it
• talk negatively about common enemy
• talk positively about common hero

Inducing strong emotions

• you won a prize etc
• excitement
• fear
• confusion

information overload technique

• reduce targets ability to sctrutinize arguments proposed by attacker
• trigger by
  • providing a lot of information
  • providing arguments from an unexpected angle, whicih forces the victim to analyse the situation from a new perspective which requires additional mental processing

Reciprocation

• technique that exploits our tendency to return a favour
• even if first