7905 Module 1-1 Lecture Slide

#griffith_university #School_of_ICT

Fundamentals of Cyber Security

Hui Tian


Griffith University

Jul. 2020



Diagram: program course map. Courses: 7905 FCS (Fundamentals of Cyber Security), 7809 NS, 7808 CSM, 7906 DF. Security domains shown around the map: Data Security, Societal Security, Component Security, Organizational Security, Software Security, Human Security, Connection Security, System Security.


Diagram: the same course map with 7905 FCS annotated by the topics it covers: data privacy protection; threats, attacks, crypto; career planning, security assessment, security engineering; security awareness; compliance, assessment; enterprise network security, pentest; software vulnerabilities; human-centric security; network security tech; mobility security; AAA protocols.



• Who the “bad guys” are and what methods they use
- various cyber attacks and their impact on an organization’s capacity to accomplish its stated mission
• What you can do to protect cyberspace
- Policy
- Technology
- People
• How to develop essential skills in Cyber Security
• Understanding cybersecurity career options
- business leaders, thought leaders, analysts, security and technology specialists



Diagram: course map across three dimensions (Policy, Technology, People).
1. Cyber Threats (Module 1)
• Intro. to Cyber Security
• Cyber Security Attacks & OS attacks
2. Countermeasures (Module 2)
• Cryptography
• AAA protocols
3. Network Security (Module 3)
• Network security architectures
• Firewalls
• IDS, IPS
4. Policy and Governance (Module 4-5)
• Cyber Security Standards & Assessment
• Social Engineering and Security Awareness
• Risk Management & Governance
• Privacy & Online Rights



1. Cyber Threats and Attacks

T1.1: Introduction to Cyber Security


– Cyber IQ test
– Basics in cyber security
– CIA model
– Career plan for future cybersecurity professionals
T1.2: Cyber Security Attacks and Operating System Attacks
– Software threats such as worm, trojan horse program, virus, malware.
– Web attacks
– Network attacks such as DDOS attacks, botnet etc.
– Hardware attacks
– Attack surface
– Shellshock Attack
– Buffer Overflow Attack
– Return-to-libc Attack
– Race Condition Attack



2. Cyber Attack Countermeasures

T2.1: Cryptography
– Foundations of cryptography
– DES, 3-DES
– Kerberos
– Public Key Cryptographic Methods
– SSL
– Diffie-Hellman key exchange
T2.2: AAA Protocols
– important protocols and techniques
– RSA, SecurID
– Access control
– Passwords and analysis



3. Network Security

T3.1: Communication and Network Security


– Network Models
– Protocols and Services
– Network Attacks
T3.2: Realtime cyber threat detection and mitigation
– Intrusion Detection System (IDS)
– Intrusion Prevention System (IPS)
– IPsec, SSL, TLS



4. Policy and Governance

T4.1: Cyber Security Standards and Assessment
– Basic Security Engineering principles
– NIST engineering principles for IT security
T4.2: Social Engineering and Security Awareness
– Case study and deception
– Human Aspect of Cyber Security (HACS)
– Legal and Ethical Issues
T5.1: Risk Management and Governance
– Various types of security assessment
– Penetration testing
– Risk analysis
– ISO27001/2
– Organization Security
T5.2: Privacy and Online Rights
– Privacy protection
– Data Compliance
– GDPR, APP
– Mobility security



Week 1-5:
• 2*2 hours lecture per week
• 2*2 hours workshop
Assessment:
• 20% 4 Workshop activities for Seedlab, W1-3
• 10% Case study, Thursday, Week 3
• 30% 4 Workshop activities for Case Study, Week 4-5
• 40% Final Presentation, Week 6



• Every Tue. and Thur. in Week 1-6 via Collaborate Ultra
Lecture 9:00-10:45
Workshop 11:00-12:45

• Communications via Microsoft Teams

Hui Tian, G23 2.15b
[email protected]
[email protected]
Tel: 07-55529641



• No textbook
• Reference books:
– CISSP (All in One) Exam Guide, Shon Harris and Fernando Maymi, Eighth edition
– Computer Security: Principles and Practice, 2nd ed., W. Stallings and L. Brown (CSPP)
– Cryptography and Network Security: Principles and Practice, 6th ed., William Stallings (CNS)
– Computer Security, Wenliang Du, 2017
– From CIA to APT: An Introduction to Cyber Security, Edward G. Amoroso and Matthew E. Amoroso
– TCP/IP Illustrated, Volume 1, 2nd ed., Kevin Fall and W. Richard Stevens
• Recommended:
– Related conference/journal papers and reports
– YouTube/TED “cybersecurity” videos
– CompTIA
– https://www.cybrary.it/
– CISSP (Certified Information Systems Security Professional) or other certificates




• Why study Cyber Security?
• Why does cyber crime exist?
• Basics in Cyber Security
– CIA model
– Risks, threats, vulnerabilities, exploits
• Career options



Are apps/software secure?

Is my bank website secure?

Is credit card payment safe?

Equipment?

Car?



Are apps/software secure?

https://www.cvedetails.com/browse-by-date.php



Is my bank website secure?

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/



Oct. 2016 - IoT Botnet

• A massive and sustained Internet attack on Dyn, an Internet infrastructure company
• Caused outages and network congestion
• Carried out through hacked IoT devices
- CCTV video cameras
- digital video recorders
• Mirai, the malware behind the 620Gbps attack

https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/



Equipment? Car?

https://www.youtube.com/watch?v=UbD51wG04bs

Tesla Hacking (Defcon 2017)





Election?
Identity?
International issue?



- How did the attackers get in? Why do they win?
- What did they do with the data they compromised?
- How should we protect our data, network, systems?

Timeline of notable incidents shown on the slide: 1971, 1988, I Love You (2000), Shellshock (2014), Heartbleed (2014), Ghost (2015), 2015, 2018.



Exploit Toolkits on Tor Marketplace



International Cyber Security Awareness Month
Australian Cyber Week, 7-11 October 2019
US National Cyber Awareness Week

Clearwater, FL, October 17, 2018 – (ISC)², the world’s largest nonprofit association of certified cybersecurity professionals, announced the findings of the 2018 (ISC)² Cybersecurity Workforce Study. The research shows a widening of the global cybersecurity workforce gap to nearly three million across North America, Latin America, Asia-Pacific (APAC), and Europe, the Middle East and Africa (EMEA).

https://er.educause.edu/blogs/2018/11/what-higher-ed-can-do-to-address-the-shortage-of-cybersecurity-professionals?utm_source=Informz&utm_medium=Email&utm_campaign=ER#_zstk0Le1_zl1bPL5



2018 Australian Cyber Security Challenge
https://www.cyberchallenge.com.au/index.html

2018 USA
https://www.nationalccdc.org/
Dec. 2019
https://www.austcyber.com/news-events



• AMO Framework: Behavior is driven by Ability, Motivation and Opportunity

Motivation
• Profit $$$$
• Political
• Fun and fame
• Bragging rights

Opportunity
• Heavy dependence on IT
• Insecure software
• Trusting people
• Irrational people
• Everything is interconnected

Ability
• Free tools readily available
• Google anything
• Tor markets



• Why can attackers win?
- Asymmetric threat
- Insecure software/systems
- Humans remain vulnerable
• How do they get in?
- Various attacks and threats
• How to protect our data, network, systems?

PEBCAK: Problem Exists Between Chair and Keyboard. 90% of security incidents are caused by PEBCAK.

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” --- Bruce Schneier, Secrets & Lies



How to protect our data, network, systems?

“If you know both yourself and your enemy, you can win a hundred battles without jeopardy. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu – The Art of War

Black Hat Hacker = Crackers / Criminals
Engages in illegal activities for personal gain
White Hat Hacker = “Ethical” Hackers
Stays within the limits of the law to fight cybercrime
Grey Hat Hacker = Somewhere in between
Engages in illegal activities, but not with malicious intent

Motivations:
- Money-driven
- Just for fun
- Ill-purposed competition


Core Goals of Security

Confidentiality

Integrity

Availability

Authenticity

Non-repudiation


Confidentiality
• Relates to data/information security
• Mitigating unauthorized access to sensitive network assets
• Accomplished through various levels of:
Encryption
Authentication
Access controls

Common Confidentiality Classifications
• Private sector:
Public
Internal
Confidential
• Government agencies:
Unclassified
Restricted
Secret
Top secret


Integrity
• Relates to data/information security
• Protects data/information against unauthorized or accidental change
• Encompasses data/information:
Consistency
Accuracy
Validity
• Accomplished through:
Security programs which manage and detect change
Permissions to control access to assets
Auditing and accounting processes to record changes


Availability
• Relates to data/information security
• Generally unfettered accessibility of resources to users, systems and applications
• Two common threats to availability:
• Accidental
Natural disasters
Equipment failure
Unplanned outages
• Deliberate
DoS attacks
Network worms


Authenticity
• Authenticates who sent/created the data
• Accomplished through:
Message Authentication Code
Time stamp
Authentication Protocols

Non-Repudiation
• Assures that the author/sender cannot deny an action
• Accomplished through:
Digital Signature
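An added example (not from the slides) showing why the two bullet lists above name different mechanisms: an HMAC tag plus a time stamp gives authenticity and freshness, but because the receiver holds the same shared key it can produce a valid tag itself, so a MAC cannot give non-repudiation; that needs a digital signature. Key, message and timestamps are constructed sample values.

```python
import hmac
import hashlib
import secrets


def mac_tag(key: bytes, message: bytes, timestamp: int) -> bytes:
    # The tag covers the timestamp too, so a replayed message cannot carry a new time.
    data = timestamp.to_bytes(8, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, timestamp: int, tag: bytes,
               now: int, window: int = 30) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(mac_tag(key, message, timestamp), tag):
        return False
    # Freshness check: a tag older than the window is treated as a replay.
    return abs(now - timestamp) <= window


def receiver_can_forge(key: bytes, message: bytes, timestamp: int) -> bool:
    # The receiver knows the shared key, so it can mint a tag that passes its own
    # verification. A third party therefore cannot tell sender from receiver:
    # no non-repudiation. A digital signature uses a private key only the sender has.
    forged = mac_tag(key, message, timestamp)
    return mac_verify(key, message, timestamp, forged, now=timestamp)


def demo() -> dict:
    key = secrets.token_bytes(32)            # constructed shared secret
    msg = b"transfer 100 to account 42"      # constructed sample message
    t = 1_600_000_000                        # constructed send time (epoch seconds)
    tag = mac_tag(key, msg, t)
    return {
        "authentic": mac_verify(key, msg, t, tag, now=t + 5),
        "tampered": mac_verify(key, b"transfer 900 to account 42", t, tag, now=t + 5),
        "replayed": mac_verify(key, msg, t, tag, now=t + 600),
        "receiver_forgery": receiver_can_forge(key, b"transfer 900 to account 42", t),
    }


if __name__ == "__main__":
    print(demo())
```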


Risks, Threats, Vulnerabilities, and Exploits

Threat Actors (Motivation)
• Hacktivist
• Industrial spies
• Nation/state
• Hobbyist

Exploits (Ability)
• Hacking tools
• Social engineering
• Malware

Vulnerabilities (Opportunity)
• Trusting human
• Vulnerable software
• Misconfigured systems
• Vulnerable wireless AP

Risk = Likelihood x Impact of Threats Exploiting Vulnerabilities


Risk:
• The probability that a particular threat using a specific exploit will take advantage of a specific vulnerability

Threats, Vulnerabilities, and Exploits
• Often confused
• Distinction is important for:
– Documentation
– Organizational security policies

Questions:
• Lack of user awareness and training
• A hacker may hack the user by social engineering
• Trick the user into opening file attachments that include malware


Threats overview
“A potential violation of security” - ISO 7498-2

Asset identification
• What has value to the organization?
– IT systems
– Customer data
• What type of data is the most valuable?
– Personally identifiable information (PII)
– Confidential corporate data
• Accounting data
• Trade secrets
– Intellectual property (IP)
• Industrial or artistic
– Payment card information

Threats have a negative effect on business operations:
• Loss of revenue
• Loss of reputation
• Loss of consumer confidence

Sources of threats:
• Malware
• Social engineering
• Security breach
• Natural disasters
• War


Threats
• Asset inventory
• Threat analysis
• Negative impact analysis against an asset
• Assets and threats must be prioritized

Threats classification
Known threats
• Unique virus signature
• Firewall misconfiguration
Unknown threats
• 0-day
• Weakness in OS unknown to vendor
APT
• Backdoors
• Use a compromised system for a long period of time

https://www.fireeye.com/cyber-map/threat-map.html


Vulnerabilities
• Hardware
– Out of date firmware
– Lack of physical security controls
– Unused open ports left running
• Telnet, SSH, HTTP
• Software
– Updates not applied
– Misconfiguration
– Default settings
– Design errors
• Policy flaws
• Human errors

Exploits
• Takes advantage of a vulnerability by malicious users
• 0-day exploit: unknown to manufacturer, or known but not patched


Risk = Likelihood x Impact of Threats Exploiting Vulnerabilities
= Vulnerabilities x Threats x Impact of Threats Exploiting Vulnerabilities

• Lack of user awareness and training
• A hacker may hack the user by social engineering
• Trick users into opening file attachments that include malware

CISSP exam book


VERY Broad knowledge

• Operating Systems
• Programming Languages
• Hacker Methods
• TCP/IP Networking
• CPU Architecture
• Security Tools
• Cryptography
• Computer Hardware
• Security Standards
• Information Security Management
• Software Development
• Risk Management
• Security Engineering/Architecture
• Auditing
• Laws and Regulations
• Algorithms
• Behavioural Psychology
• Identity and Access Management


Important traits (grouped on the slide as Technical, Communication, Motivation, Learning)

• VERY Broad knowledge
• Lateral Thinking
• Communication Skills
• Ethical
• Can think like criminals
• Logical AND lateral (creative) thinking
• Takes nothing for granted
• Patience and persistence
• Work under pressure
• Analytical
• Driven by purpose
• Attention to detail
• Curiosity
• Autodidactic (continuous self-learning)

https://www.cyberseek.org/pathway.html


https://www.payscale.com/research/AU/Job=Information_Security_Specialist/Salary


https://www.payscale.com/research/AU/Job=Chief_Information_Security_Officer/Salary


https://en.wikipedia.org/wiki/Certified_Ethical_Hacker

Security Certifications
Diagram: certifications arranged by role (Architect, Manager, Advanced, Pentester, Analyst, Auditor, Beginner) and along a Less Technical to More Technical axis:
• SABSA
• GSLC (GIAC)
• CISSP ((ISC)2)
• OSCE (Offsec)
• C|CSA (EC-Council)
• CREST CRT
• CASP (CompTIA)
• OSCP (Offsec)
• C|EH (EC-Council)
• CISM (ISACA)
• SSCP ((ISC)2)
• GPEN (GIAC)
• CISA (ISACA)
• CSIA+ (CompTIA)
• GSEC (GIAC)


Popular Certifications:
(ISC)2: CISSP – Certified Information System Security Professional
CompTIA: CASP – CompTIA Advanced Security Practitioner
ISACA:
• CISA - Certified Information Systems Auditor
• CISM - Certified Information Security Manager
SANS/GIAC Certification
Offensive Security:
• OSCP – Offensive Security Certified Professional
• OSCE – Offensive Security Certified Expert
Plus:
• Cryptography
• Programming and algorithms
• Networking and Routing (CCNA)

Certifications (and a good CV) will only get you as far as the interview….
https://www.youtube.com/watch?v=Acqb1cdoVoM


Career advice

• Define your path early and make a plan.

• Set milestones to ensure focus on your plan.

• Assess progress annually and perform gap assessment.

• Fill gaps through training and certifications.

• Find a mentor to catch up on a regular basis.

• Stay motivated and keep learning!

https://www.bls.gov/careeroutlook/2018/interview/cybersecurity-consultant.htm?view_full


Realize……

1. The world is full of dangerous cybercriminals and they are winning
2. Good cyber security talent
3. High demand for software developers who can write secure code
4. Cybersecurity is a great career option
5. Plan your journey early and get experience!



Module 1 – Topic 1.1

1. Why is cybersecurity important?
2. Basics in Cybersecurity
3. Career advice

Module 1 – Topic 1.2

1. Cyber Security Attacks
2. Operating System Attacks