Lecture 1-Introduction to Security

The document discusses a ransomware attack on Bingham County in 2017, highlighting the methods used by hackers and the county's response. It outlines key security threats, the breach cycle, and the importance of implementing controls at various stages of an attack. Additionally, it addresses technical, ethical, and operational challenges in cybersecurity, emphasizing the need for cooperation and harmonized laws across jurisdictions.

INTRODUCTION TO SECURITY

Bingham County Case Study

• Hit with ransomware on Feb. 15, 2017
• Done through brute force password attempts until they had admin access
• Hackers demanded $25-30K in bitcoins
• County chose not to pay and used backups to restore
• Two servers remained infected
• March 1, negotiated 3 bitcoins ($3,500) with the hackers
• Received the decryption key
Source: https://www.eastidahonews.com/2017/03/bingham-county-pays-ransom-release-encrypted-servers/
10/22/2022 2
Security Statistics
Quick Hits Compiled from:
- NetDiligence/RSM 2016 Annual Cyber Claims Study

State and/or local governments are an attractive target

Key Trends from 2015
Key Threats

• Advanced Persistent Threats (APTs)
• Ransomware
• Malvertising
• Phishing Attacks & Social Engineering
• Attacks on Cloud Systems
• Mobile Security & Smartphone Vulnerability Threats (Wearables, IoT)

Why do Breaches Happen?

Vulnerabilities:
▪ Configuration errors
▪ “Weak” defaults
▪ Easy passwords
▪ “Bugs”
▪ Input validation

Malware:
▪ Installing suspect applications
▪ Clicking malicious links
▪ Phishing emails
▪ Watering hole attacks

Source: IBM Security Services 2013 Cyber Security Intelligence Index

Case Study
• Attacks are generally carried out in four stages
• These four stages are often referred to as “The Breach Quadrilateral”
• Controls must be deployed within the environment that impede your adversary at each stage of the breach cycle
• Typical defensive focus is on the infiltration stage, but attackers are often most skilled in this area
• Successful defense is often tied to controls in the later three
(Figure: the Breach Quadrilateral cycle: Infiltration, Propagation, Aggregation, Exfiltration)
Breach Quadrilateral (cont…)
Infiltration:
• Breaking in. Organizations often focus the majority of their controls on this phase
• Identify and block attackers during initial “foot printing” and exploitation
• Never allow the attackers to gain the full access they need for later stages.

Propagation:
• The most critical stage, but treated as an operations hygiene issue by most organizations. When properly constructed, early responses can keep an issue as an “event” rather than an “incident”
• Most commonly missed component is the work to identify true issues rather than just symptoms.

Breach Quadrilateral (cont…)

Aggregation:
• Accessing and collecting information. The stage where the issue transitions from an “event” to an “incident.” Attacker access is enough for a “breach”
• Corrective actions are focused on the attacker’s ability to remove the collected information from the environment.

Exfiltration:
• Taking the information out of your environment (intellectual property, PII, Cardholder Data, corporate financials, etc.)
• Blocking/alerting on these attempts can kill the incident.
• Logging the actions can assist in post-breach issues

A Breach – Attack View
1. Attacker scans and attempts exploitation, but fails
2. Attacker utilizes social engineering against a selected population
3. Victim(s) fall for the ruse allowing attacker to enter the environment
4. Attacker leverages user/system access to spread to other systems
5. Attacker consolidates loot (data, passwords, bank access, etc.)
6. Attacker sends data back out of environment
74% of targeted attack attempts use email as a vector
(Figure: the six steps laid out on the Breach Quadrilateral: Infiltration, Propagation, Aggregation, Exfiltration)
A Breach – Attack View
Infiltration:
• External scanning/exploit attempts
• Password cracking, pass the hash, default passwords, create new accounts
• Social engineering emails

Propagation:
• Internal exploitation of unpatched systems
• Web app and remote access attack attempts
• Moving into critical areas of the network
• DoS, malware infection

Aggregation:
• Attempts to access sensitive data
• Command and control
• Consolidation of data

Exfiltration:
• Export stolen data out of the environment

A Breach – Corrective View
1. Blacklist attacker, add offending IP to custom IDS alerts
2. Rapid removal of emails, analyze malware from attachments/website, and add custom AV alert
3. Isolate/rebuild systems, password resets for affected users
4. Mass password resets, network isolation, limitation to data stores
5. Emergency DLP scans, system/network isolation, enhanced logging
6. Emergency exfiltration changes, retroactive analysis of offending internal and external IPs, initiation of full breach response process
(Figure: the six corrective steps laid out on the Breach Quadrilateral: Infiltration, Propagation, Aggregation, Exfiltration)
A Breach – Corrective View
Infiltration:
• IDS alerts
• Email system alerts, DNS information, malware alerts
• Failed logins, web app logs
• Notification from the attackers

Propagation:
• System logs, domain logs, authentication sources
• Alerts from local protective solutions (endpoint, anti-virus, internal IDS)
• Failed access attempts

Aggregation:
• Server logs, DLP alerts, database activity
• Connection logs including quantity of data moved

Exfiltration:
• Firewall rejects, malicious IP/domain alerts
• Firewall rejects for outbound filtering

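The detection sources on the corrective-view slides can be turned into a small triage rule: each log line is mapped to the breach stage whose sources it matches, and the furthest stage reached decides whether the team is still handling an “event” or already an “incident” (the slides place that transition at Aggregation). The Python below is an added example, not part of the lecture; the log formats, the regexes and the 50 MB egress threshold are assumptions made for the demonstration.

```python
import re
from collections import Counter

# Breach stages in the lecture's order; reaching Aggregation is where the
# slides say an "event" becomes an "incident".
STAGES = ["Infiltration", "Propagation", "Aggregation", "Exfiltration"]

# Detection source (from the corrective-view slide) -> stage. The log formats
# these patterns match are assumed for this example, not any real product's.
RULES = [
    (r"sshd: Failed password", "Infiltration"),    # failed logins (brute force)
    (r"ids: alert", "Infiltration"),               # IDS alerts on external scans
    (r"mailgw: .*phish", "Infiltration"),          # email system alerts
    (r"winlogon: .*new account", "Propagation"),   # domain/authentication logs
    (r"dlp: alert", "Aggregation"),                # DLP alerts
    (r"db: .*SELECT \* FROM", "Aggregation"),      # database activity
    (r"fw: DENY out", "Exfiltration"),             # outbound firewall rejects
]
EGRESS_BYTES_THRESHOLD = 50_000_000  # assumed: one connection moving >50 MB out

def classify(line):
    """Return the breach stage a single log line points to, or None."""
    for pattern, stage in RULES:
        if re.search(pattern, line):
            return stage
    # "Connection logs including quantity of data moved": large allowed egress.
    m = re.search(r"fw: ALLOW out .* bytes=(\d+)", line)
    if m and int(m.group(1)) > EGRESS_BYTES_THRESHOLD:
        return "Exfiltration"
    return None

def triage(lines):
    """Count hits per stage and report how far along the quadrilateral we are."""
    hits = Counter(s for s in map(classify, lines) if s)
    reached = [s for s in STAGES if hits[s]]
    furthest = reached[-1] if reached else None
    status = "incident" if furthest in STAGES[2:] else ("event" if furthest else "clean")
    return {"hits": dict(hits), "furthest": furthest, "status": status}

SAMPLE_LOGS = [  # constructed lines; addresses are RFC 5737 documentation ranges
    "2017-02-14T03:10:02 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2017-02-14T03:10:04 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2017-02-14T03:10:06 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2017-02-14T09:12:44 dc1 winlogon: user=svc_bk new account created by admin",
    "2017-02-14T09:30:01 fs1 dlp: alert 1200 PII records read by svc_bk",
    "2017-02-14T10:02:17 fw: ALLOW out src=10.0.0.12 dst=198.51.100.9 bytes=734003200",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))  # furthest stage Exfiltration -> status "incident"
```

Running only the first three constructed lines (the brute-force logins, as in the Bingham County case) stops at Infiltration and is still reported as an event; the full set reaches Exfiltration and is an incident.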
Aspects of Security
• consider 3 aspects of network security:
– security attack: Any action that compromises the security of information owned by an organization
– security mechanism: to detect, prevent, or recover from a security attack
– security service: enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks and make use of one or more security mechanisms to provide the service

Security Attack
• any action that compromises the security of information owned by an organization
• information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• often threat & attack are used to mean the same thing
• there is a wide range of attacks
• can focus on generic types of attacks
– passive
– active
Security Attacks
• Interruption: This is an attack on availability
• Interception: This is an attack on confidentiality
• Modification: This is an attack on integrity
• Fabrication: This is an attack on authenticity

Security Definitions
• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure)
– Denial of Service Attacks
– Virus that deletes files

Security Goals

Confidentiality
Integrity
Availability

Passive Attacks
+ obtain message contents, or
+ monitor traffic flows
difficult to detect because they do not involve any alteration of the data
Active Attacks
attempt to alter system resources or affect their operation.
By modification of the data stream to:
+ masquerade of one entity as some other
+ replay previous messages
+ modify messages in transit
+ denial of service

• passive attacks are difficult to detect, but measures are available to prevent their success.
• it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities.
• the goal is to detect active attacks and to recover from any disruption or delays caused by them.

Security Service

• enhance security of data processing systems and information transfers
• intended to counter security attacks
• using one or more security mechanisms
• often replicates functions normally associated with physical documents
• which, for example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed

Security Services
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication

Security Mechanism

• feature designed to detect, prevent, or recover from a security attack
• no single mechanism will support all services required
• However, one particular element underlies many of the security mechanisms in use:
• cryptographic techniques

• Software, firmware, and hardware design and implementation
processes have errors or corner cases that can be exploited by an
adversary.
• In computer security we call these weaknesses/vulnerabilities.
• A vulnerability is thus a threat to security.
• We call an attack a threat that is realized by an adversary, usually
exploiting one or more of a system’s vulnerabilities.
Challenges
Technical Challenges

• IP address hiding/masking
• criminals can use a variety of tools to evade detection by law enforcement agencies and obscure access and hide darknet sites
• software vulnerabilities: A vulnerability could be a problem in a programme or a misconfiguration that allows an attacker to do something they should not be able to do (like downloading customer credit card information)
• attackers sometimes find a vulnerability before the company that makes the software: while the vulnerability remains unknown, the software affected cannot be patched and anti-virus products cannot detect the attack through signature-based scanning
https://www.youtube.com/watch?v=-BIANfzF43k
Technical Challenges
Equifax - a US credit reporting service - lost "sensitive personal data" on 143 million Americans because of a software vulnerability. This vulnerability was exploited for three months, until it was fixed.
Vulnerabilities leading to data loss are relatively common, even for major organizations, because it is difficult to properly create, configure and secure digital systems
https://www.youtube.com/watch?v=8Q_w7EshIPU
• Cloud: Infrastructure is moved into a cloud - implies that
– The company shifts part of the cybersecurity responsibility to the cloud provider (e.g., physical system security, data centre security)
– When breaches happen, the company has to work with the cloud provider to investigate the incidents, which may further lead to technical and legal challenges
Ethical Challenges
Ethical conduct using ICT involves refraining from harming others, systems, and data, and respecting the rule of law and human rights
• Cambridge Analytica:
- paid to acquire Facebook users' personal information through an outside researcher, Aleksandr Kogan, who created a data-harvesting personality quiz app that told users that it was collecting the information for academic purposes - a claim Facebook did not verify and was not true. Although only 305,000 people participated in the quiz and consented to having their data harvested, their friends also had their profiles scraped, bringing the estimated number of those affected to 87 million
- revealed unethical behaviour on the part of those responsible for the huge amount of data harvested on individuals and used in a manner unanticipated by users who agreed to provide information and in unauthorized ways for those who never consented
Operational Challenges

✔ One challenge is cooperation with other countries
✔ Requires harmonized laws between cooperating countries
✔ Agreements whereby parties agree to cooperate in investigations and prosecutions of offences criminalized under their national laws can be used to make formal requests for assistance from one country to another
✔ Requests for international support can take a long time, and may not produce usable results, such as preventing the crime or producing evidence for use in court