CSI1101 Module+2

CSI1101 – Computer Security

Module 1 Recap

• Started with some reflection questions, real-life security breaches, and case studies to understand why the computer security domain is critical
‒ Issues with broadband routers
‒ Security breaches – Toll Group, Gas Pipeline shutdown, Citrix System, Marriot Hotels, etc.
‒ 3 x case studies
Module 1 Recap

• Defined Computer Security
Computer security deals with computer-related assets that are subject to a variety of threats and for which various measures are taken to protect those assets

• Three fundamental questions
‒ assets to protect
‒ threats to assets
‒ countermeasures
Module 1 Recap

• 5 Aims of security
‒ Confidentiality
‒ Integrity
‒ Availability
‒ Authenticity
‒ Non-repudiation
The first three are often referred to as the CIA triad. Some consider there to be only 3 aims, i.e. CIA; others consider there to be 5 aims.
Module 1 Recap

• 3 Goals of Security
‒ Prevention

‒ Detection

‒ Recovery
Module 1 Recap: Let’s test our Understanding

• Identify the following as a violation of CIA or of some combination thereof:


‒ Jack copies Mat’s homework – breach of confidentiality

‒ Sophie crashes Lynda’s system - breach of availability

‒ Jack changes the amount of Sophie’s check from $100 to $1,000 - breach of integrity

‒ Mat forges Lynda’s signature on a deed - breach of integrity

‒ Jack spoofs Mat’s IP address to gain access to his computer - breach of integrity
Compromise of one Aim leading to another

• Suppose a password has been compromised
• Attacker uses the password to gain unauthorised access to the system – breach of confidentiality
• Changes the data – breach of integrity
• Changes the password – breach of availability


Module 2: Key Terminologies and Concepts in Computer Security
Breaching the Aims of Security

• Coronavirus…….. What is it doing in this unit?
• Playing with human psyche
• From Jan 20 onwards, security organisations have seen cyber criminals using coronavirus to launch attacks – how?
Breaching the Aims of Security

• Situation 1:
‒ Cyber criminals sending emails pretending to originate from the Centers for Disease Control and Prevention or the World Health Organisation
Breaching the Aims of Security

• Situation 2:
‒ Cyber criminals sending emails that contain attached files (PDF, Word Docs, MP4)
‒ Opening the file installs malware on the system
‒ Could be ransomware, a backdoor, or malware that exfiltrates sensitive data
What is a Cyber Criminal?

• A “cyber criminal” is an individual who maliciously breaks into a computer system
• Hacker (or hacking) is an abused term often confused with cyber criminal
• Hacking is a term often (ab)used by the media
• A hacker is an individual who tests and identifies a system’s vulnerabilities (pen-tester)
What is an Asset?

• Something you are trying to protect


‒ Hardware (servers, firewalls, IDS, IPS, networking devices)
‒ Software (mission critical applications, support systems)
‒ Confidential information

• Assets should be protected from:


‒ illicit access/use
‒ disclosure
‒ alteration
‒ destruction
‒ theft
What is a Threat?

• An entity likely to cause harm or damage or danger
• An act designed to obtain/produce a negative response or consequence
Grouping Generic Threats

• In cyber security we group concepts into categories for simplified analysis
• In terms of cyber security, there are typically four generic threat categories
‒ Interception
‒ Modification
‒ Fabrication
‒ Interruption
Grouping Generic Threats

• Interception
‒ when an entity accesses information that it/they should not be accessing
‒ e.g. accessing a computer
‒ breach of confidentiality

• Modification
‒ when an entity modifies existing data
‒ e.g. a disgruntled employee makes a false entry in a database, or intercepts wireless traffic and alters it before forwarding it
‒ breach of integrity
Grouping Generic Threats

• Fabrication
‒ when an entity creates new data
‒ e.g. a sale order is created and items are taken out of the store without payment being made
‒ breach of integrity and authenticity (can you think of a situation? :) )

• Interruption
‒ making a resource unavailable
‒ e.g. a website becomes inaccessible
‒ breach of availability
What is a Vulnerability?

• A flaw or weakness in the design, implementation, or operation of a system
• How open something is to an attack
• Threats act on or exploit vulnerabilities
What is a Vulnerability?

• Vulnerabilities can make things (general types of vulnerability):
‒ Corrupted
• integrity (changing or entering wrong values in a database)
‒ Leaky
• confidentiality (someone accessing information who should not have access to it)
‒ Unavailable
• availability (system or network becoming unavailable)
What is an Exploit?

• A process or series of commands designed to take advantage of a system’s vulnerability
• Threat exploits a vulnerability
‒ House with glass windows – smash the window -> access the house -> take someone’s items -> profit?
‒ Telephones don’t fully authenticate callers – call someone and tell them you are from the bank and you need their credit card number because they are compromised -> identity theft? Profit?
Threat Agents/Attackers

• A threat agent is the individual or group who has the potential to manifest a
threat

• Threat agent examples may include (non-exhaustive list)


‒ Malware writers
‒ Hackers (crackers)
‒ Fraudsters
‒ Organised criminals
‒ Disgruntled employees
‒ An opposing team/company
‒ Governments
Motivations of Attackers

• Financial
• Emotional – revenge etc.
• Ideological – activists, hacktivists etc.
• Opportunistic
• Compulsion/addiction
• Social acceptance
• Challenge
This is by no means an exhaustive list
Capabilities of Attackers

• Is the threat agent an individual? A group? An organisation?
• What are the capabilities of the threat agents?
• How well resourced are they?
‒ The NSA might have the resources to brute force an encryption algorithm
‒ The average individual probably would not
What is a Countermeasure?

• Device(s) or technique(s) that denies an undesirable or adversarial activity, unauthorised access to a system, etc.
• Implementation/Deployment of available controls and safeguards
• Allows us to achieve the aims of security
• Could be in the form of a technical control or a non-technical control
Countermeasures: Controls and Safeguards

• Controls are techniques designed to prevent, detect, or respond to a threat
‒ Preventative and/or Delaying – e.g. Firewalls, Security guards, Passwords, Cryptography
‒ Detective – e.g. Security guards, Log file analysis, Intrusion Detection Systems
‒ Responsive – e.g. Security guards, Law Enforcement, Forensic analysis
Countermeasures: Controls and Safeguards

• How do we determine the most effective controls to mitigate a threat?
• It’s not feasible to purchase every single security control
‒ Financially not feasible
‒ Security, convenience, and usability (more controls impact the convenience)
• Each control has strengths and weaknesses that need to be evaluated and acknowledged
Countermeasures: Determining Effective Controls - Questions

• What types of controls are available?


• How effective is the control in mitigating threats?
• How economically feasible are the controls?
• How technically feasible and practical are the controls?
• Are there any potential trade-offs?
• How much security do we gain?
• What will it cost short/long term?
• Some security measures provide a false sense of security
Countermeasures: Trade-offs

• Security controls almost always involve trade-offs


• Money
‒ Purchase price
‒ Training
‒ Maintenance
• Privacy/Liberty
‒ E.g. CCTV cameras, passenger screening lists
• Convenience
‒ If controls are overly restrictive, users may try to circumvent them
Countermeasures for Computer Security Aims

Countermeasure                  Aims supported (Confidentiality / Integrity / Availability)
Passwords                       two of the three aims (tick positions not recoverable from the extracted slide)
Encryption                      Confidentiality
Data backup                     Availability
Network firewalls               Confidentiality, Integrity, Availability
Intrusion Detection Systems     two of the three aims (tick positions not recoverable from the extracted slide)
Anti-virus software             Confidentiality, Integrity, Availability
Biometric authentication        two of the three aims (tick positions not recoverable from the extracted slide)
What is Risk and Risk Assessment

Risk is:
  the likelihood of the occurrence of a vulnerability
  multiplied by the value of the asset
  minus the percentage of risk mitigated by current controls
  plus the uncertainty of current knowledge of the vulnerability
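A worked risk-assessment worksheet based on the formula above, added here as an example (it is not part of the original slides). It assumes the reading of the formula used in the Whitman & Mattord risk worksheet the slide follows: the base exposure is likelihood × asset value, the mitigation term removes a fraction of that base, and the uncertainty term adds a fraction of it. The asset and vulnerability rows are constructed sample data, and the ranking function is the "prioritize" step of the risk management cycle.

```python
"""Risk worksheet: score each (asset, vulnerability) pair and rank them.

Assumed interpretation of the slide's formula (not stated on the slide):
    base = likelihood * value
    risk = base - base * mitigated + base * uncertainty
likelihood, mitigated and uncertainty are fractions in [0, 1];
value is a relative asset score (e.g. 0..100).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    vulnerability: str
    value: float        # relative asset value, e.g. 0..100
    likelihood: float   # probability the vulnerability is realised, 0..1
    mitigated: float    # fraction of the risk removed by current controls, 0..1
    uncertainty: float  # fraction added for gaps in our knowledge, 0..1


def residual_risk(e: Exposure) -> float:
    """Apply the slide's formula to one exposure, validating the fractions."""
    for name, v in (("likelihood", e.likelihood),
                    ("mitigated", e.mitigated),
                    ("uncertainty", e.uncertainty)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {v}")
    base = e.likelihood * e.value
    return base - base * e.mitigated + base * e.uncertainty


def rank_exposures(exposures):
    """Return (label, risk) pairs, highest risk first: the 'prioritize' step."""
    scored = [(f"{e.asset} / {e.vulnerability}", round(residual_risk(e), 2))
              for e in exposures]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data for illustration only.
SAMPLE = [
    Exposure("Customer database", "SQL injection in web app", 100, 0.5, 0.5, 0.1),
    Exposure("Broadband router", "default admin password", 30, 1.0, 0.0, 0.1),
    Exposure("Payroll server", "unpatched OS", 60, 0.2, 0.8, 0.2),
]

if __name__ == "__main__":
    for label, risk in rank_exposures(SAMPLE):
        print(f"{risk:6.2f}  {label}")
```

Note that the low-value router with an unmitigated, near-certain vulnerability ranks above the high-value database: the worksheet prioritizes by exposure, not by asset value alone.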
Risk Management

• Risk management is the decision-making process of:
‒ Identifying threats and vulnerabilities and their potential impacts
‒ Determining the costs to mitigate such events
‒ Deciding what actions are cost effective for controlling the risks
Risk Management

Figure 3.2 Risk Management Life Cycle: Identify Issues, Assess Risks -> Prioritize and Select Controls -> Implement Controls -> Monitor and Evaluate -> (back to) Identify Issues, Assess Risks


Risk Control Strategies

• Defence: apply a safeguard to reduce the risk
• Mitigate: develop plans to make the outcome less severe (IR plans in case of a compromise)
• Accept: accept the outcome of an exploitation; the likelihood of occurrence is very low (once in many years)
• Transfer: shift the risk to other assets, processes or organisations (insurance) – you insure a device to absorb the financial impact
• Terminate: remove an asset from the environment (chances of exploitation are quite high and the asset should be removed)
Relationship

Figure 1.2 Security Concepts and Relationships:
‒ Owners value assets and wish to minimize risk; they impose countermeasures to reduce risk
‒ Countermeasures reduce risk to assets
‒ Threat agents give rise to threats that increase risk to assets
‒ Threat agents wish to abuse and/or may damage assets


The Role of People in Security

• Regardless of the security controls, people will always be the weakest link
‒ those that introduce/maintain the controls
‒ those that are technologically illiterate
‒ those that use technology
‒ those that develop policies

Social Engineering

• Social engineering is the process of convincing an authorized target to undertake a specific activity
• The ‘target’ may either
‒ Divulge sensitive or confidential information
‒ Perform a task that creates a vulnerability for the attacker
• Why do humans fall for social engineering attacks?
‒ It is human nature to be helpful
‒ It is human nature to avoid confrontational matters
Specific Social Engineering Techniques

• Phishing – the use of fraudulent bulk-based emails to obtain sensitive information from a target

• Spear phishing – the use of a fraudulent email to specifically target a single user to obtain
information

• Pharming – use of phishing techniques to redirect a target to a compromised website/server

• Vishing – simulating calls (via VoIP) from legitimate entities to perform phishing centric attacks

• Reverse social engineering – techniques to encourage target to initiate contact with attacker
Contingency Planning (CP)

• A CP is used to anticipate, react to, and recover from events that threaten information assets; it involves:
‒ A Business Impact Analysis (BIA)
‒ Incident Response Plan (IRP)
‒ Disaster Recovery Plan (DRP)
‒ Business Continuity Plan (BCP)
• These differ in scope, applicability, and design
Contingency Planning (CP)
Business Impact Analysis

• The BIA takes up where the risk assessment process leaves off
• The BIA provides detailed scenarios of the potential impact each attack could have on an organisation
• Develop scenarios (best case, worst case, contextualize attacks)
Contingency Planning (CP)

• IRP: focuses on immediate response, but if the attack escalates or is disastrous (e.g., fire, flood, earthquake, or total blackout) the process moves on to disaster recovery and the BC plan
• DRP: focuses on restoring systems at the original site after disasters occur, and as such is closely associated with the BC plan
• BCP: occurs concurrently with the DR plan when the damage is major or ongoing, requiring more than a simple restoration of information and information resources. The BC plan establishes critical business functions at an alternate site
Defence in Depth (DiD) Model

(Castle analogy: lookout towers, high walls, water)

Defence in Depth (DiD)

• Concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack
• Why: no single method exists for successfully protecting an asset(s)
• Reduces the risk of a successful attack on the asset by the threat agents, as it is more difficult to defeat several countermeasures than just one
Optional Topic

Identify and Analyse Threats

Optional Topic

Modelling Threats

• Threats are identified in an ad hoc manner
‒ They are addressed in the order that we think of them
‒ What about the threats that we don’t think of?
‒ Is there a more structured way?
‒ A methodology?
• Bruce Schneier advocates a technique known as attack trees or threat trees
Optional Topic

Attack Trees

• A formalised way of identifying threats
• We put ourselves in the position of the attacker
• We first decide on our overall ‘main’ goal
• We then decide on a number of ways to achieve this
• Then each of these becomes a goal… and we think of how to achieve these
Optional Topic

Attack Tree Example

• Suppose that our ultimate aim is to steal a diamond from a store that we already know is kept inside of a locked safe
• We could represent many different approaches in the form of an attack tree
• Sometimes these diagrams are referred to as “Threat Trees” or “Threat Modelling”
Optional Topic

Attack Tree Example

• The person looking at the diagram could be management, who may not want to read a detailed (lengthy) report
• The first node is our main goal
• It should be specific, i.e. a goal of just ‘diamond’ does not tell the reader anything
• So let’s start with the first node… “Steal Diamond”

Steal Diamond
Optional Topic

Attack Tree Example

• Next we need to consider, perhaps through ‘research’, the ways in which the diamond could be stolen from the safe…
• In this scenario 4 ways have been identified
• However, we could have identified 2 or even 20 ways…
• The 4 identified ways on row 2 now become our new goals

Steal Diamond
  Determine combination of safe
  Force Safe Open
  Steal entire safe
  Intercept Diamond to/from safe
Optional Topic

Attack Tree Example

• Again we have researched and identified 4 ways as to how we could determine the combination of the safe

Steal Diamond
  Determine combination of safe
    Bribe authorised user
    Blackmail authorised user
    Trick user into revealing combination
    Search offices for combination (written down)
Optional Topic

Attack Tree Example

• Next, we look at the ways that we could force the safe open

Steal Diamond
  Force Safe Open
    By using crowbar
    Drilling into the safe
    Placing explosives near safe
Optional Topic

Attack Tree Example

The process continues until sufficient information is provided on the diagram so that an individual who has little expertise in the area could understand and interpret the attack approach that is being described
Optional Topic

Attack Tree Example

Steal Diamond
  Determine combination of safe
    Bribe authorised user
    Blackmail authorised user
    Trick user into revealing combination
      Sending employee trick email
      Phoning employee pretending to be manager
    Search offices for combination (written down)
  Force Safe Open
    By using crowbar
    Drilling into the safe
    Placing explosives near safe
  Steal entire safe
  Intercept Diamond to/from safe
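The completed diamond tree, as an added example that is not part of the original slides, represented as a small data structure and used the way a defender uses an attack tree: enumerate every root-to-leaf attack path, then check which paths a proposed set of countermeasures leaves uncovered. The tree nodes are the ones on the slides; the countermeasure-to-goal mapping (SAMPLE_COVERAGE) is constructed for illustration and is an assumption, not something the slides state.

```python
"""Attack tree from the slides as a data structure, plus defender-side
analysis: list all attack paths and find the ones no countermeasure blocks.
Each node's children are alternative (OR) ways of achieving that node's goal,
which is the only kind of branching shown on the slides.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    goal: str
    children: list = field(default_factory=list)  # alternative ways to reach goal

    def add(self, goal: str) -> "Node":
        child = Node(goal)
        self.children.append(child)
        return child


def build_diamond_tree() -> Node:
    """The slides' finished tree, node names copied verbatim."""
    root = Node("Steal Diamond")
    combo = root.add("Determine combination of safe")
    combo.add("Bribe authorised user")
    combo.add("Blackmail authorised user")
    trick = combo.add("Trick user into revealing combination")
    trick.add("Sending employee trick email")
    trick.add("Phoning employee pretending to be manager")
    combo.add("Search offices for combination (written down)")
    force = root.add("Force Safe Open")
    force.add("By using crowbar")
    force.add("Drilling into the safe")
    force.add("Placing explosives near safe")
    root.add("Steal entire safe")
    root.add("Intercept Diamond to/from safe")
    return root


def render(node: Node, depth: int = 0) -> str:
    """Indented text form of the tree (two spaces per level)."""
    lines = ["  " * depth + node.goal]
    for child in node.children:
        lines.append(render(child, depth + 1))
    return "\n".join(lines)


def leaf_paths(node: Node, prefix: tuple = ()) -> list:
    """Every root-to-leaf path; each path is one concrete attack approach."""
    path = prefix + (node.goal,)
    if not node.children:
        return [path]
    paths = []
    for child in node.children:
        paths.extend(leaf_paths(child, path))
    return paths


def uncovered_paths(tree: Node, coverage: dict) -> list:
    """coverage maps a countermeasure name to the set of goals it blocks.
    A path is covered when any goal on it is blocked; the rest remain open."""
    blocked = set().union(*coverage.values()) if coverage else set()
    return [p for p in leaf_paths(tree) if not any(g in blocked for g in p)]


# Constructed example of which countermeasure blocks which goal (assumption).
SAMPLE_COVERAGE = {
    "Security awareness training": {"Trick user into revealing combination"},
    "Clean-desk policy": {"Search offices for combination (written down)"},
    "Safe bolted to floor": {"Steal entire safe"},
    "Escorted transfers": {"Intercept Diamond to/from safe"},
}

if __name__ == "__main__":
    tree = build_diamond_tree()
    print(render(tree))
    print(f"\n{len(leaf_paths(tree))} attack paths in total; still open:")
    for path in uncovered_paths(tree, SAMPLE_COVERAGE):
        print("  " + " -> ".join(path))
```

Blocking a goal high in the tree covers every path beneath it, which is why a single awareness-training control covers both the email and the phone-call leaves; the paths still open after the sample controls are the two coercion leaves and the three physical-force leaves, which is exactly the list a defender would take into the "prioritize and select controls" step.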
Optional Topic

Determining Possible Attack Avenues?

• Determining possible attack avenues is not an easy or quick task
• Black Hat conferences, Defcon, Kiwicon
• Journal papers, conference papers
• News media, magazines
• Using variations of old attacks
• Common Vulnerabilities and Exposures (cve.mitre.org)
Common Vulnerabilities and Exposures (CVE)
Searching CVE Database