Introduction To Security

This document provides an introduction to information security. It discusses the challenges of securing information, defines information security, and identifies different types of attackers. It describes vulnerabilities, exploits, and risks. The goals of information security are to prevent data and identity theft, maintain productivity, and counter cyber terrorism. Attackers can include hackers, script kiddies, computer spies, and insiders.

Info Security Technology

Topic 1
Introduction to Information Security

References
• Security+ Guide to Network Security
Fundamentals, 4th Edition; Mark Ciampa.
– Chapter 1: Introduction to Security
– Chapter 14: Risk Mitigation (pp. 539-550)

Objectives
• Describe the challenges of securing information
• Define information security
• Identify the types of attackers
• List the basic steps of an attack
• Describe the five steps in a defense
• Understand how risk can be mitigated through
security policies
• Appreciate computer misuse laws and information
ethics

Challenges of Securing Information
• There is no single solution that protects computers and secures information
• Attacks come in many different forms
• Attacks are difficult to defend against

Different Types of Attacks
• Booby-trapped Web pages are being created at an increasing rate
• Hacktivism, for example attacks claimed by Anonymous
• Advanced Persistent Threats (APTs)
• Mobile devices are targeted
• Security statistics: "70% of Singapore Net users hit by cybercrime"

Booby-trapped Web pages
• "Hackers make 57,000 booby-trapped websites weekly: experts" (news report, September 10, 2010)
• The online traps are often made to look like versions of legitimate bank, auction, or shopping websites.
• When a user reaches a website through an e-mail link or a search engine, it is difficult to tell whether the site is genuine.
• Bogus websites are typically designed to slip malware onto visitors' computers and to trick people into typing in valuable information such as account names or passwords.
• Nearly two-thirds of the trick websites imitated banks, according to PandaLabs.

Hacktivism
• Hacktivism is the use of computers and computer networks to promote political ends, chiefly free speech, human rights, and information ethics.
• A hacker claiming affiliation with Anonymous targeted The Straits Times website on Nov 01, 2013 in protest against licensing rules for news websites.

Hacktivism
IDA managing director Jacqueline Poh says the Singapore Government faces millions of attempted cyber intrusions every day.
~The Straits Times, Friday Feb 21, 2014
Advanced Persistent Threat
• An advanced persistent threat (APT) usually refers to a group of sophisticated, determined and coordinated attackers that seek to systematically compromise government and commercial computer networks.
• APTs differ from traditional threats in that they are targeted, persistent, evasive and technically advanced.
• Two well-known examples are Operation Aurora and Stuxnet.

Stuxnet
• Discovered in June 2010; targeted Iranian nuclear facilities running Siemens industrial control systems.
• The first worm known to spy on and reprogram industrial systems. Its unusually large size and the team and effort needed to develop it point to a nation-state or large-organisation sponsor.
• The primary goal of the attack was to gain control of the plant by reprogramming the programmable logic controllers (PLCs), using the first known PLC rootkit.

Mobile Devices are targeted
(news item dated Nov 05, 2013; image only)
Difficulties in Defending against Attacks
• Increased speed of attacks
– Attackers can launch attacks against millions of computers within minutes from anywhere in the world
• Greater sophistication of attacks
– Attack tools vary their behaviour, so the same attack appears different each time, which defeats simple signature matching
• Simplicity of attack tools
– Attacks are no longer limited to highly skilled attackers
Difficulties in Defending against Attacks
• Quicker detection of vulnerabilities
– Attackers can discover security holes in hardware or software more quickly. A zero-day attack exploits a vulnerability for which no patch yet exists
• Delays and weak patching
– Many software products lack a means to distribute security patches in a timely fashion
• Distributed attacks
– Attackers use thousands of computers in an attack against a single computer or network
• User confusion
– Users are required to make difficult security decisions with little or no instruction

What Is Information Security?
• Before defense is possible, one must
understand:
– What information security is
– Why it is important
– Who the attackers are

Defining Information Security
• Security
– Steps taken to protect a person or property from harm
• Harm may be intentional or unintentional
• Security sacrifices some convenience for safety
• Information security
– Guards digitally-formatted information
• Protects information that has value to people and organizations
• That value comes from the characteristics of the information

Defining Information Security
• Characteristics of information that must be protected by information security
– Confidentiality
• Ensures that unauthorized parties cannot read the information; it prevents sensitive information from reaching the wrong people.
– Integrity
• Ensures that unauthorized parties cannot modify the data; it maintains the consistency, accuracy, and trustworthiness of data.
– Availability
• Ensures that information is accessible when needed by authorised parties; it prevents service disruptions.

Defining Information Security
• Protections to secure information
– Authentication
• Verifies the user's credentials to be sure that they are who they claim to be and not an impostor. One way to authenticate is a personal password; adding a second factor such as a token makes impersonation harder.
– Authorization
• Grants an authenticated user permission to access specific information. Authorization follows authentication and should grant no more than the user needs.
– Accounting
• Keeps track of user access to information, for example in an event log, so that actions can be traced back to a user.
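The three protections above in working code, as an added example that is not part of the original slides: a toy service that authenticates with a salted PBKDF2 password hash compared in constant time, authorizes against a per-user permission set, and records every decision in an event log. The user names, permission strings and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 200_000       # slow hash so offline password guessing is expensive
DUMMY_SALT = b"\x00" * 16     # used for unknown users so the timing looks the same
DUMMY_DIGEST = b"\x00" * 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest). Store these, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AAAService:
    """Toy service showing the three protections: authenticate, authorize, account."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, digest)
        self._perms: Dict[str, Set[str]] = {}              # user -> granted permissions
        self.event_log: List[dict] = []                    # accounting record

    def add_user(self, user: str, password: str, permissions: Set[str]) -> None:
        self._creds[user] = hash_password(password)
        self._perms[user] = set(permissions)

    def authenticate(self, user: str, password: str) -> bool:
        """Authentication: is the caller who they claim to be?"""
        salt, stored = self._creds.get(user, (DUMMY_SALT, DUMMY_DIGEST))
        _, candidate = hash_password(password, salt)
        # compare_digest takes the same time wherever the digests differ
        ok = hmac.compare_digest(candidate, stored) and user in self._creds
        self._record("authn", user, ok)
        return ok

    def authorize(self, user: str, permission: str) -> bool:
        """Authorization: may this already-authenticated user do this?"""
        ok = permission in self._perms.get(user, set())
        self._record("authz", user, ok, permission=permission)
        return ok

    def access(self, user: str, password: str, permission: str) -> str:
        """Authenticate first, then authorize; both outcomes are logged."""
        if not self.authenticate(user, password):
            return "denied: bad credentials"
        if not self.authorize(user, permission):
            return "denied: not permitted"
        return "granted"

    def _record(self, event: str, user: str, ok: bool, **extra) -> None:
        """Accounting: every decision, allowed or not, goes to the event log."""
        self.event_log.append({"ts": time.time(), "event": event, "user": user, "ok": ok, **extra})


def aaa_demo() -> Tuple[List[str], List[dict]]:
    """Constructed scenario: one user, one permission, four access attempts."""
    svc = AAAService()
    svc.add_user("alice", "correct horse battery staple", {"read:payroll"})
    outcomes = [
        svc.access("alice", "correct horse battery staple", "read:payroll"),   # granted
        svc.access("alice", "wrong password", "read:payroll"),                 # bad credentials
        svc.access("alice", "correct horse battery staple", "write:payroll"),  # not permitted
        svc.access("mallory", "anything", "read:payroll"),                     # unknown user
    ]
    return outcomes, svc.event_log


if __name__ == "__main__":
    results, log = aaa_demo()
    for line in results:
        print(line)
    for entry in log:
        print(entry)
```

The unknown-user path hashes against a dummy salt so that a login probe cannot tell "no such user" from "wrong password" by response time; the event log is what lets an investigator later answer who tried what, and whether it was allowed.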

Defining Information Security
• Information security is achieved through a combination of three entities:
– Products
• Form the physical and technical security around the data; may be as basic as door locks or as complex as network security equipment.
– People
• Those who implement and use security products to protect data.
– Procedures
• Plans and policies established by an organisation to ensure that people use the products correctly.

Information Security Terminology
• Asset
– An item that has value to the organisation.
• Threat
– An event that has the potential to endanger an asset.
• Threat agent
– A person or thing that has the power to carry out a threat.
• Vulnerability
– A weakness that allows a threat agent to bypass security.
• Exploit
– An action that takes advantage of a vulnerability.
• Risk
– The likelihood that a threat agent will exploit a vulnerability, usually weighed together with the impact on the asset if it does.
Information Security Terminology
(figure: label the scenario with the terms Vulnerability, Exploit, Threat agent, Risk, Threat and Asset)
The Goals of Information Security
• Prevent data theft
– The theft of data is one of the largest causes of financial loss due to an attack.
• Prevent identity theft
– Identity theft involves using someone's personal information to establish bank or credit card accounts in their name.
• Maintain productivity
– Cleaning up after an attack diverts resources such as time and money away from normal activities.
• Counter cyber terrorism
– Cyber terrorism could cripple a nation's electronic and commercial infrastructure. Utility, telecommunications, and financial services companies are considered prime targets.

Who Are the Attackers?
• Hacker
– Person who uses computer skills to attack computers.
– White hat hackers: goal is to expose security flaws, with the system owner's permission, not to steal or corrupt data.
– Black hat hackers: goal is malicious and destructive.
• Script kiddies
– Want to break into computers to cause damage.
– Unskilled users.
– Download automated hacking software (scripts) from Web sites and use it to break into computers.
• Computer spies
– A person who has been hired to break into a specific computer and steal information.
– Goal: steal information without drawing attention to their actions.
– Spies, like hackers, possess excellent computer skills.

Who Are the Attackers?
• Insiders
– Employees, contractors, and business partners.
– 48 percent of breaches attributed to insiders.
– An employee might want to show the company a weakness in its security.
– Disgruntled employees may be intent on retaliating against the company.
– Industrial espionage, blackmail.
• Cybercriminals
– Networks of attackers, identity thieves, spammers, financial fraudsters.
– More highly motivated, less risk-averse, better funded, and more tenacious than hackers.
– Cybercriminals have a more focused goal that can be summed up in a single word: money.

Who Are the Attackers?
• Cyberterrorists
– Their motivation is ideology: attacking for the sake of their principles or beliefs.
– Attack networks and computer infrastructures to cause panic among citizens.

Goals of a cyberterrorist attack:
– To deface electronic information and spread misinformation and propaganda
– To deny service to legitimate computer users
– To commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data

World's Most Wanted List
(image only)
Largest Bank Hacked
• In 1994 Russian-born Vladimir Levin siphoned about $10 million from Citibank and transferred the money to bank accounts around the world.
• There were no extradition treaties between the US and Russia covering these crimes.
• In 1995 Levin was apprehended at a London airport while making a connecting flight from Moscow.

FBI "Most Wanted"
• Kevin Mitnick became the first attacker to appear on an FBI "Most Wanted" poster, for breaking into the Digital Equipment Corporation (DEC) computer network.
• At 12, Mitnick used social engineering to bypass the punchcard system used in the Los Angeles bus system.
• In February 1995, Mitnick was arrested again for breaking into various computers and downloading 20,000 credit card numbers.

Virus that damages Hardware
• Chen Ing-hau, a 24-year-old IT student at a Taiwanese university, wrote the CIH virus, which deleted most of the data stored on infected computers and could even overwrite the flash BIOS, the basic instructions that tell the computer how to start.
• About 2 million PCs suffered data loss.
• He was later employed in graphics-card design (ATI Radeon, GeForce).


First Worm 1988
• Robert Morris, then a graduate student at Cornell University, released the first Internet worm.
• The worm infected about 10 percent of the machines (approximately 6,000) connected to the Internet at that time.
• The worm caused an estimated $100 million in damage.
• Had Morris understood better what he was doing (the worm kept re-infecting machines it had already reached), the effect would not have been so devastating.

Disgruntled Employee
• On July 30, 1996, a software "time bomb" (a logic bomb) at Omega Engineering deleted all of the company's design and production programs.
• This severely damaged the small company, forcing the layoff of 80 employees.
• The program was traced back to Timothy Lloyd, who had planted it in retaliation for his dismissal.

Chinese Attackers
• Young cyber hackers in China.
• Operate a hacker website with 10,000 users and 50,000 hits a day.
• Offer useful advice and free software downloads.
• Claimed to have hacked into the Pentagon and downloaded information.

Steps of an Attack
• The five steps that make up an attack
– Probe for information
– Penetrate any defenses
– Modify security settings
– Circulate to other systems
– Paralyze networks and devices

Probe for Information
Perform a ping sweep
• The first step in the technical part of an attack is often to determine which target systems are available and active.
• This is often done with a ping sweep, which sends a "ping" (an ICMP echo request) to each target address. If the machine responds, it is reachable. Many firewalls drop ICMP, so silence does not prove a host is down.
Port scanning
• The next step is a port scan.
• This identifies the ports (doors) that are open, which gives an indication of the services running on the target machine.
Other reconnaissance (feeds later password guessing and social engineering)
• Whois lookup of the domain owner
• Domain Name System lookup for IP addresses
• Google advanced search
• Social engineering (e.g. Facebook profiles)
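The ping sweep and port scan described above, as an added example that is not part of the original slides. The ping sweep shells out to the system ping binary (raw ICMP sockets need root); the port scan is a TCP connect() scan that also reads the service banner, which is what tells the attacker what is listening. The target is a throwaway listener the script itself starts on 127.0.0.1 with a made-up banner, so it runs offline. Only ever point it at hosts you are authorised to scan.

```python
import platform
import socket
import subprocess
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple


def ping_sweep(hosts: Iterable[str], timeout_s: float = 1.0) -> List[str]:
    """Return the hosts that answer one ICMP echo request.

    Uses the system ping binary because raw ICMP sockets require root.
    Silence is not proof a host is down: firewalls commonly drop ICMP,
    so a port scan should follow even for hosts missing from this list.
    """
    count_flag = "-n" if platform.system().lower() == "windows" else "-c"
    alive = []
    for host in hosts:
        try:
            rc = subprocess.run(
                ["ping", count_flag, "1", host],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                timeout=timeout_s + 1,
            ).returncode
        except (FileNotFoundError, subprocess.TimeoutExpired):
            rc = 1
        if rc == 0:
            alive.append(host)
    return alive


def tcp_connect_scan(host: str, ports: Iterable[int], timeout_s: float = 0.5,
                     workers: int = 64) -> Dict[int, str]:
    """TCP connect() scan: {port: banner} for every port that accepts a connection.

    A completed handshake means a service is listening; the first bytes it
    sends (its banner) usually identify the service and version.
    """
    def probe(port: int):
        try:
            with socket.create_connection((host, port), timeout=timeout_s) as s:
                s.settimeout(timeout_s)
                try:
                    banner = s.recv(128).decode("ascii", "replace").strip()
                except OSError:
                    banner = ""          # open, but silent until spoken to
                return port, banner
        except OSError:
            return None                  # refused, filtered or timed out

    open_ports: Dict[int, str] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for hit in pool.map(probe, ports):
            if hit is not None:
                open_ports[hit[0]] = hit[1]
    return open_ports


def start_fake_service(banner: bytes = b"SSH-2.0-demo_service\r\n") -> Tuple[socket.socket, int]:
    """Constructed target: a local listener that greets every client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                   # listener closed, stop serving
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_demo() -> Tuple[int, Dict[int, str]]:
    """Scan a small window of ports around the fake service on localhost."""
    srv, port = start_fake_service()
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    print("alive:", ping_sweep(["127.0.0.1"]))
    target_port, hits = scan_demo()
    for p, text in sorted(hits.items()):
        print(f"{p}/tcp open  {text or '(no banner)'}")
```

A connect() scan completes the TCP handshake, so the target's service logs will usually record it; that is why it is easy to detect and why attackers prefer stealthier scans, but it needs no special privileges and is the honest choice for an authorised assessment.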

Penetrate Any Defenses
Email attachment
• Never open an attachment with an .exe extension. Note that many other extensions (.scr, .bat, .js, ...) are also executable, and a file's real type is in its contents, not its name.
Buffer overflow
• A buffer overflow is a flaw that occurs when more data is written to a block of memory, or buffer, than the buffer was allocated to hold, so the excess overwrites adjacent memory.
Back door Trojan
• A backdoor Trojan allows its author to control the compromised computer remotely, traditionally over a channel such as Internet Relay Chat (IRC).
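Why the ".exe rule" alone is not enough, as an added example that is not part of the original slides: an attachment triage function that checks the final extension against a list of executable types, flags double extensions (invoice.pdf.exe), detects the Unicode right-to-left override trick that makes "agenda\u202efdp.exe" display as "agendaexe.pdf", and compares the file's leading magic bytes with what the name claims. The sample attachments are constructed byte strings, not real files, and the extension list is illustrative rather than complete.

```python
from typing import Dict, List, Tuple

# Extensions Windows runs directly on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "msi", "hta", "ps1", "lnk", "jar", "cpl",
}
# Leading bytes of native executables; a ".jpg" that starts with these is lying.
EXECUTABLE_MAGIC = {b"MZ": "PE (Windows executable)", b"\x7fELF": "ELF (Linux executable)"}
RLO = "\u202e"   # Unicode right-to-left override character


def extensions(filename: str) -> List[str]:
    """All dotted extensions, lower-cased: 'Invoice.PDF.exe' -> ['pdf', 'exe']."""
    parts = filename.strip().rstrip(". ").lower().split(".")
    return parts[1:]


def inspect_attachment(filename: str, content: bytes) -> Tuple[bool, List[str]]:
    """Return (block, reasons). Looks past the final extension alone."""
    reasons: List[str] = []
    exts = extensions(filename)
    declared = exts[-1] if exts else ""      # what the OS will actually use

    if RLO in filename:
        reasons.append("filename contains a right-to-left override character")
    if declared in EXECUTABLE_EXTS:
        reasons.append(f"final extension .{declared} is executable")
        if len(exts) > 1:
            reasons.append(f"double extension .{'.'.join(exts)} disguises it as a {exts[0]} file")
    for magic, kind in EXECUTABLE_MAGIC.items():
        # Only worth reporting when the name pretends to be something harmless
        if content.startswith(magic) and declared not in EXECUTABLE_EXTS:
            reasons.append(f"content is {kind} but extension says .{declared or '(none)'}")
    return bool(reasons), reasons


# Constructed attachments: (name, first bytes of content). None are real files.
SAMPLES = [
    ("quarterly-report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),          # double extension
    ("holiday.jpg", b"MZ\x90\x00\x03\x00"),              # renamed executable
    ("agenda\u202efdp.exe", b"MZ\x90\x00\x03\x00"),      # RLO trick, shows as agendaexe.pdf
    ("archive.docx", b"PK\x03\x04\x14\x00"),             # zip-based Office file, legitimate
]


def triage(samples=SAMPLES) -> Dict[str, Tuple[bool, List[str]]]:
    """Run every sample through inspect_attachment."""
    return {name: inspect_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, (block, why) in triage().items():
        print(f"{'BLOCK ' if block else 'allow '} {name!r}: {'; '.join(why) or 'no findings'}")
```

The magic-byte check is the one that catches the renamed executable; a gateway that only matches extensions passes holiday.jpg straight through. Real mail filters go further (archive contents, macros, URL reputation), but the principle is the same: decide on what the file is, not on what it says it is.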

Modify security settings
Create new files
• Create new .exe files
Modify existing files
• Modify system files such as command.com (the command interpreter on older Windows)
Install new services
• Create new .dll files
Register a trap door
• A trap door is a back-door entry point kept for later access
Weaken existing security
• Deceive the operating system and antivirus software

Circulate to other systems
Email virus to address book
• Propagate to unsuspecting users
Web connection
• Open a web connection to an external server
FTP
• File Transfer Protocol

Paralyze networks and devices
Crash servers
• Destruction
Denial of service
• A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource.
Delete files
• Destruction

Defenses against Attacks
• Layering
– A layered approach creates a barrier of multiple defenses.
– If one layer is penetrated, several more layers must still be breached.
• Limiting
– Limiting access to information reduces the threat against it.
– Only those who must use data should have access to it (least privilege).
• Diversity
– A diversity of defences complements the various layers of security.
– If attackers penetrate one layer, they cannot use the same techniques to break through all the other layers.

Defenses against Attacks
• Obscurity
– Hiding information about a system (software versions, addresses, configuration) can be an important way to protect it.
– An attacker who knows that information can more easily determine the weaknesses of the system to attack it.
– Obscurity is only a supplement: a design that is secure only while its details stay secret fails once they leak.
• Simplicity
– As much as possible, a secure system should be simple for those on the inside to understand and use.
– Complex security schemes are often bypassed or weakened to make them easier for trusted users to work with.

What Is a Security Policy?
• Security policy
– Document that outlines protections to ensure
organization’s assets face minimal risks
• An organization’s information security
policy can serve several functions:
– It can be an overall intention and direction
– It details specific risks and how to address them
– It can create a security-aware organizational culture
– It can help to ensure that employee behavior is
directed and monitored

Designing a Security Policy
• Policy
– A document that outlines the requirements or rules that must be met.
– Standard
• A collection of requirements specific to a system or technology.
– Guideline
• A collection of suggestions that should be implemented but are not mandatory.
– Procedure
• Step-by-step instructions on how to implement a policy; everyone it applies to must follow it.

Designing a Security Policy
• A policy generally has these characteristics:
– Policies communicate a consensus of judgment
– Policies define appropriate behavior for users
– Policies identify what tools and procedures are needed

Types of Security Policies
• Most organizations have security policies that
address:
– Acceptable use
– Anti-virus
– Password management
– E-mail and retention
– Wireless communication
– Disposal and destruction

Singapore Computer Misuse Act
• The Computer Misuse Act (Chapter 50A, 1998 Revised Edition) addresses computer crimes in Singapore. It was enacted to respond to the growing threat of hacking against computer systems and data.
• The Act covers offences such as:
– Unauthorized access to computer material
– Access with intent to commit or facilitate commission of an offence
– Unauthorized modification of computer material
– Unauthorized use or interception of computer service
– Unauthorized obstruction of use of computer
– Unauthorized disclosure of access code
– Enhanced punishment for offences involving protected computers

Reference: http://wiki.nus.edu.sg/display/1105sgict/Computer+Misuse+Act
Singapore Computer Misuse Act
23 Sep 2010
• A Malaysian who allegedly accessed the computer network of integrated resort Marina Bay Sands six times in May was brought to court to face 6 computer misuse charges.
• Leslie Liew Cheong Wee, 35, is accused of computer misuse from a flat in Teck Whye Lane between May 9 and 12.
• He is said to have knowingly caused a server to perform a function for securing remote access without the authority of the Marina Bay Sands workstation computer.
• If convicted, he faces a fine of up to $50,000 or a jail term of up to seven years, or both.

Singapore Computer Misuse Act
17 January 2007
• A 17-year-old boy was sentenced to 18 months' probation and 80 hours of community service in Singapore today for tapping into his neighbour's Wi-Fi network.
• The tapper in question, Garyl Tan Jia Lou, is the third person to be charged with illegally hitching onto a wireless network under Singapore's Computer Misuse Act.
• The judge punished him not so much for slowing down a neighbour's network as for his lifestyle. The judge cited Tan's Internet gaming and online gambling addiction as destructive to a youth who had few friends.
• His punishment includes being banned from accessing the Internet for the length of his probation, and a recommendation for addiction treatment.

Privacy Laws
• Unlike many other Western countries, there is no common law protection for torts of privacy in Singapore.
• Lack of legislative guidelines for:
– Employers' monitoring of employees' email
– Obtaining personal information from children
– Surreptitious collection of personal information through cookies
– Other areas of privacy concern:
• trails of one's historical website visits being tracked by others
• certain browsers are not secure
• sophisticated and miniature eavesdropping, tapping and spy-cam equipment available on the private market
 Reference: http://www.lawgazette.com.sg/2001-2/Feb01-focus3.htm
Privacy Laws
Data Protection Law
• A national Do-Not-Call registry has been launched for people to list their numbers.
• It is meant to prevent unsolicited communications, including telemarketing calls, junk mail, SMS, MMS and fax.
• Those who defy the rule risk a maximum $10,000 fine should the consumer complain to the new watchdog body.

Ethics
• Ethical principles are standards of behaviour that are commonly acceptable to society.
• Using ethical principles as a basis for decision making prevents us from relying only on intuition or personal preference.
• Some unethical actions can put us on the wrong side of the law. Other unethical actions, though not illegal, can have drastic consequences for our careers and reputations.
• Examples of unethical actions:
– Browsing through computer files when you are not authorised to do so.
– Using a computer to develop systems for unethical or illegal activities.
– Activity that violates copyright or invades privacy.
Summary
• Attacks against information security have grown exponentially, and today's attacks are difficult to defend against.
• Information security may be defined as that which protects the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information, through products, people, and procedures.
• The main goals of information security are to prevent data theft, thwart identity theft, maintain productivity, and foil cyber terrorism.
• The types of people behind computer attacks are generally divided into hackers, script kiddies, cybercriminals, spies, insiders and cyber terrorists.
• There are five general steps that make up an attack and five fundamental security principles for defense.
• To reduce risk, we need security policies, computer misuse laws and information ethics.
