EEL 4935 University of South Florida Information Security Concept Questions

Aspects of Internet Security
Barry Leiba • Huawei Technologies
Standards Editor: Barry Leiba • barryleiba@computer.org
IEEE Internet Computing, July/August 2012. Published by the IEEE Computer Society.

Internet standards development requires consideration of security issues in the protocols. But what does “security” mean in this context? We often conflate several different aspects into the blanket term “security.” Here, the author looks at some of these aspects separately.

As we develop standards at the various Internet layers, we must ensure that each standard, each protocol, is secure. We often talk about security with respect to computers and computer networks as though it were a clearly defined, monolithic concept. It’s not; security has several aspects, and, in differing contexts, we might refer to one aspect or another, or some varying combination. In particular, when we develop Internet standards, we often touch on these various aspects of Internet security. I like to loosely split the general topic of security into the following subtopics:

• Availability. Is the system available when it’s needed?
• Authentication. Who am I, and how can I prove it?
• Authorization. What am I allowed to do?
• Access control. What data am I allowed to access, change, create, or delete?
• Confidentiality. Are communications and data safe from unauthorized viewing?
• Integrity. Are communications and data safe from unauthorized modification?

These aren’t absolute — you could certainly come up with a different set or choose to add to or remove things from the list, and some aspects overlap. Also, not all aspects apply to all situations. Many Internet services we use don’t need and wouldn’t benefit from authentication, require no access control, or present no confidentiality issues. And you’ll note that “encryption” isn’t on this list — encryption isn’t security, but is rather a technology that can help establish aspects of security.
We generally use encryption in authentication processes, for example, and to ensure confidentiality and integrity. On the whole, it’s a good list to work from. As we design standards, protocols, and services, we must decide what aspects are important, and at what level of rigor we should apply them.

Availability

To provide context for these subtopics, I’ll be examining some of the threats Internet security mechanisms and standards try to defend against. One threat that came up in conversation recently was from an old New York Times editorial [1] about an investigation into overloading telephone lines for a political purpose:

[…] the New Hampshire phone jamming case was the real thing. Republican operatives hired an Idaho telemarketing firm to jam the lines to prevent people who needed help in voting from getting through. The scheme was a direct attack on American democracy.

The scheme was also what we call a denial-of-service (DoS) attack. In a DoS attack, the attacker demands so much service that legitimate users have little or no opportunity to get any. The one described in the editorial isn’t computer-related, but DoS attacks on websites are common, a popular way for a group to try to block a website that it doesn’t like. We sometimes refer to distributed DoS — think about the difference between one phone calling repeatedly with the redial button, as opposed to thousands of phones each calling (distributed) — but essentially every Internet DoS attack these days is distributed, and our defenses must assume that they are, so the distinction is mostly unimportant. We can think of spam as a DoS attack as well: if your inbox fills with enough junk, it might be impossible to find the real mail. Worse, spam filters, designed to defend your inbox, might misclassify some mail as spam and delete it.
Spam isn’t generally meant to have this effect — something can become an unintentional DoS attack.

Defense against DoS attacks can be difficult because determining which service requests are legitimate can be problematic. Rate-limiting and blocklisting are probably the most common mechanisms. Certain Internet addresses are known to be bad, and are blocked outright — all contact from them is discarded. Other addresses can make requests, but if they make too many in too short a time, they, too, are blocked, usually for some time period, although repeat offenders might be put on a permanent block-list.

Availability issues are considered in many Internet standards and related informational documents. For example, RFC 5782 addresses using block lists for spam, RFC 3882 is about preventing DoS attacks on the Border Gateway Protocol (a protocol for routing data on the Internet), and RFC 4732 looks at the general issue of denial of service on the Internet.

Authentication

Authentication is a precursor to some of the other aspects, for reasons that we’ll see as we examine those further. It should be obvious, for instance, why authentication is related to authorization and access control. In particular, authentication mechanisms are built into many Internet-standard protocols. As we update these protocols, we often seek to add new mechanisms that are more secure.

Everyone reading this is familiar with the authentication mechanism we started out with: some sort of user identifier (name, account number, serial number) and password. It served us well over the years, but isn’t a very secure system, for several reasons. For one thing, people don’t choose good passwords. If they’re made to use good passwords, they record them in inappropriate places. Even what seem like good passwords often don’t have enough unpredictability. And the password authentication systems themselves expose passwords to attack.
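The rate-limiting and block-list policy that the Availability section above describes, as an added example that is not code from the column: known-bad addresses are dropped outright, an address that sends too many requests in too short a window is blocked for a while, and a repeat offender lands on the permanent block-list. The addresses, thresholds and request trace are constructed for the illustration.

```python
"""Rate-limiting plus block-listing, the DoS defense the Availability section describes.

Added illustration, not code from the column. Known-bad addresses are dropped
outright; any other address may send requests, but more than `max_requests`
inside a `window_ms` window earns a temporary block, and an address that is
blocked `max_strikes` times goes on the permanent block-list. Times are integer
milliseconds so the demo is deterministic. All addresses and limits are
constructed for the example.
"""
from collections import defaultdict, deque


class RequestGate:
    def __init__(self, known_bad, max_requests, window_ms, block_ms, max_strikes):
        self.permanent = set(known_bad)     # blocked outright; all contact discarded
        self.max_requests = max_requests    # requests tolerated per window
        self.window_ms = window_ms
        self.block_ms = block_ms            # length of a temporary block
        self.max_strikes = max_strikes      # temporary blocks before a permanent one
        self.history = defaultdict(deque)   # addr -> timestamps of recent requests
        self.blocked_until = {}             # addr -> time a temporary block expires
        self.strikes = defaultdict(int)     # addr -> temporary blocks so far

    def decide(self, addr, now):
        """Classify one request: 'allow', 'limited' (temporary block) or 'drop'."""
        if addr in self.permanent:
            return "drop"
        until = self.blocked_until.get(addr)
        if until is not None:
            if now < until:
                return "limited"
            del self.blocked_until[addr]    # block expired: start with a clean slate
            self.history[addr].clear()
        recent = self.history[addr]
        recent.append(now)
        while recent and now - recent[0] > self.window_ms:
            recent.popleft()                # forget requests older than the window
        if len(recent) <= self.max_requests:
            return "allow"
        # Too many requests in too short a time: a strike against this address.
        self.strikes[addr] += 1
        recent.clear()
        if self.strikes[addr] >= self.max_strikes:
            self.permanent.add(addr)        # repeat offender: permanent block-list
            return "drop"
        self.blocked_until[addr] = now + self.block_ms
        return "limited"


def run_demo():
    """Replay a constructed 30-second trace and tally the decision per address."""
    gate = RequestGate(known_bad={"198.51.100.9"}, max_requests=5,
                       window_ms=1000, block_ms=10_000, max_strikes=2)
    trace = [(t, "203.0.113.7") for t in range(0, 30_000, 500)]   # 2 req/s: a real user
    trace += [(t, "192.0.2.44") for t in range(0, 30_000, 10)]    # 100 req/s: a flood
    trace += [(1000, "198.51.100.9"), (2000, "198.51.100.9")]     # already on the bad list
    tally = defaultdict(lambda: defaultdict(int))
    for now, addr in sorted(trace):
        tally[addr][gate.decide(addr, now)] += 1
    return {addr: dict(counts) for addr, counts in tally.items()}, sorted(gate.permanent)


if __name__ == "__main__":
    decisions, permanent = run_demo()
    for addr, counts in decisions.items():
        print(addr, counts)
    print("permanent block-list:", permanent)
```

The flooding address is allowed five requests, blocked for ten seconds, allowed five more, and then blocked permanently on its second strike, while the steady two-requests-per-second user is never touched.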
We can broadly divide what authentication mechanisms use into three categories: what you know, what you have, and what you are. When you log into webmail, Flickr, MySpace, online banking, or online access to your credit-card account, the authentication mechanism you use employs what you know. Most what-you-know mechanisms are variations on the user ID/password combination, and all of them share the weaknesses I’ve described previously. The other mechanisms can help fix some of these deficiencies, especially when used in combination with passwords. The most well-known combinations are point-of-sale credit-card purchases, where you sign the credit slip, and ATM transactions, where you enter a PIN. The former combines what you have (the credit card) and what you are (your signature). The latter combines what you have (the ATM card) and what you know (your PIN). Another what-you-have mechanism is the SecurID device, which gives you a generated code that you can get only if you have the device with you. Other what-you-are mechanisms use fingerprints, retina scans, and voice or handwriting analysis — collectively, biometric mechanisms.

The most secure authentication systems combine multiple biometric mechanisms with an identification card and password, with all authentication information transferred securely. This makes a system that’s pretty hard to break. Of course, it also makes one that can be pretty cumbersome to use. Biometrics are also subject to some serious limitations. If someone can spoof your left thumbprint, for example, you aren’t really in a position to change it. And when you’re ill, your voice-print might not be particularly useful.
Note, finally, that some people are reluctant to use systems that go beyond what you know, because carrying the what-you-have card or device is burdensome (what happens if you lose it or leave it at home when you’re traveling?), and biometric readers can be expensive. But also, you might sometimes wish to let an assistant or some other delegate act on your behalf, and it’s easy to give the delegate your password — but much harder to “lend” them your retina.

The answer to this is to understand the difference between impersonation and delegation, which goes beyond authentication and into the next two aspects, authorization and access control. The right way to handle delegation is to have the delegate authenticate with his or her own identity, and then be authorized to act on your behalf and receive access to the necessary information and resources. You should never allow another person to act on your behalf by impersonating you — there’s no accountability in that.

Authorization and Access Control

I group these two together because they both deal with what the entity you authenticated as can do once you’ve logged in. I consider them separate aspects, however, because different mechanisms usually control each. When I talk about authorization, I’m usually referring to actions that an authenticated user can take. Can you start and stop services, such as a Web server or a file transfer server? Can you shut the computer down? Can you add and remove users from a multiuser system? Can you send mail, install programs, change the system time, or set a computer’s various other operational aspects? Access control refers not to actions but to access to data. What files can you read? Can you create new files? What files can you modify or delete? We’ll collectively call what you’re authorized to do and what access you’re allowed privileges.
Many computer systems, particularly those set up for use by more than one person, have two kinds of users: administrators and normal users. The former can do anything, and can get full access to all files. The latter are restricted in what they can do. On Windows systems prior to Vista, the lone user is generally set up as an administrator. Those who try to do otherwise often run into difficulty because software (non-Windows software, that is — applications) assumes that the user’s privileges aren’t restricted. On MacOS, certain actions (such as updating the OS) and access to some files require that an administrator password be entered, essentially re-authenticating the user as an administrator. And for some things on MacOS, as on Linux, you must explicitly authenticate as the “root” user.

On the Internet, too, there are privileges. By logging into my Gmail account on my Web browser, I may send, read, and delete mail; manage my contacts; post to my blog and edit and delete blog posts; and send and receive instant messages. I can post comments to other blogs that use Blogger, and I can later delete those comments, but not other users’ comments. On my own blog, I can delete anyone’s comments, because I have that access. By using other authentication, I can access my credit cards, bank accounts, airline frequent-flier programs, and so on.

Clearly, we must have restrictions on privileges over the Internet, but why should I want to limit my privileges on my own computer? Well, anyone who’s made a mistake and deleted something accidentally, or gotten their computer infected with a virus while surfing the Web, should understand: if you don’t have privileges that you don’t need right now, you can’t accidentally use those privileges to hurt yourself (well, to hurt your computer). A rule of thumb called the least-privilege principle says that you should never be operating with more privileges than you need at the time.
Most of us go around creating, modifying, and deleting personal files constantly, so we normally want such access. But how often do we need to delete files in the Windows directory, or in the System directory on MacOS? Seldom. And so we’d like to avoid having that access unless we specifically ask for it.

And now we get back to something I said at the end of the authentication section: that authentication should be separate from authorization and access control. The right way to run a computer system is to have me authenticate as Barry, and then have privileges set up for what Barry can do and access. This provides auditability and accountability. If I want someone to be able to post to my blog and moderate comments in my absence, rather than giving him my Gmail password, allowing him to act as me in all ways (such as reading my mail, too), I should make sure he has his own blog account, and then give that account the privileges needed to manage my blog — but not my email. Internet standards, too, often have delegation built into the protocols. For example, the Salted Challenge Response Authentication Mechanism (SCRAM; RFC 5802) allows for separate authentication identity and authorization identity, which allows delegation from the latter to the former.

Confidentiality and Integrity

Like authentication and access control, confidentiality and integrity are closely related: both deal with situations in which an attacker gets in the middle of the data stream. In the first case, the attacker is just snooping; in the second, the attacker is trying to modify or replace the data. These attacks are similar but have different characteristics and consequences. Note that I’m talking, here, about the confidentiality and integrity of data flowing through the system. Once the information is stored somewhere, a largely different set of threats and defenses are in play.
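The delegation model the column argues for in the authorization discussion above (the delegate authenticates as himself and is then granted the blog privileges but not the mail ones, so the audit trail stays accountable), as an added example that is not code from the column and not a SCRAM implementation: it only borrows SCRAM's split between an authentication identity and an authorization identity. User names, passwords and privilege names are constructed for the illustration.

```python
"""Delegation without impersonation: separate authentication and authorization identities.

Added illustration, not code from the column and not a SCRAM implementation.
It applies the column's rule: a delegate logs in as himself, then is authorized
to act on the owner's behalf for named privileges only. As in SCRAM (RFC 5802),
each request carries an authentication identity (who proved their credentials)
and an authorization identity (whose privileges the request should run with),
and the audit trail records both. Users, passwords and privilege names are
constructed for the example.
"""
import hashlib
import hmac
import os


class Directory:
    def __init__(self):
        self._creds = {}    # user -> (salt, sha256(salt + password))
        self._privs = {}    # user -> privileges the user holds directly
        self._grants = {}   # (delegate, owner) -> privileges the owner delegated
        self.audit = []     # (authn_id, authz_id, privilege, decision)

    def add_user(self, user, password, privileges):
        salt = os.urandom(16)
        self._creds[user] = (salt, hashlib.sha256(salt + password.encode()).digest())
        self._privs[user] = set(privileges)

    def grant(self, owner, delegate, privileges):
        """Owner delegates a subset of its own privileges; anything else is ignored."""
        self._grants[(delegate, owner)] = set(privileges) & self._privs[owner]

    def delegated(self, delegate, owner):
        return sorted(self._grants.get((delegate, owner), set()))

    def authenticate(self, user, password):
        """Return the authentication identity, or None if the credentials fail."""
        if user not in self._creds:
            return None
        salt, stored = self._creds[user]
        offered = hashlib.sha256(salt + password.encode()).digest()
        return user if hmac.compare_digest(offered, stored) else None

    def authorize(self, authn_id, authz_id, privilege):
        """May authn_id exercise `privilege` as authz_id? Logged either way."""
        if authn_id == authz_id:
            ok = privilege in self._privs.get(authz_id, set())
        else:  # acting on someone else's behalf needs an explicit grant
            ok = privilege in self._grants.get((authn_id, authz_id), set())
        self.audit.append((authn_id, authz_id, privilege, "allow" if ok else "deny"))
        return ok


def run_demo():
    d = Directory()
    d.add_user("barry", "pw-barry", {"mail:read", "mail:send", "blog:post", "blog:moderate"})
    d.add_user("assistant", "pw-assistant", {"mail:read", "mail:send"})
    # Barry delegates blog management only; "root:all" is not his to give and is dropped.
    d.grant(owner="barry", delegate="assistant",
            privileges={"blog:post", "blog:moderate", "root:all"})

    who = d.authenticate("assistant", "pw-assistant")
    return {
        "login_ok": who == "assistant",
        "bad_password_rejected": d.authenticate("assistant", "guess") is None,
        "granted": d.delegated("assistant", "barry"),
        "post_to_barrys_blog": d.authorize(who, "barry", "blog:post"),
        "read_barrys_mail": d.authorize(who, "barry", "mail:read"),
        "read_own_mail": d.authorize(who, who, "mail:read"),
        # Every action taken on Barry's behalf is attributed to the assistant, not to Barry.
        "accountable_for_barry": [entry[0] for entry in d.audit if entry[1] == "barry"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```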
When you send a password, credit-card number, or other personal information over a computer network — and especially over an open network such as the Internet — someone might be “listening in.” We think of information being sent from one computer to another, but it doesn’t happen quite that way. Networks are segmented to a significant degree, but at some level, your data goes out to a set of computers, with a specific computer’s address attached to it, and the other computers all ignore those data packets that aren’t addressed to them. Imagine if you received your postal mail by having the whole pile for your street left at the door of the first house, with each house’s occupant looking through the envelopes and keeping only those meant for him or her, then giving the rest of the pile to the next house. What happens on the Internet is something like this. In this situation, someone could choose to keep a piece of mail meant for someone else, or could open one and read it before passing it on. The same is true with the Internet: a computer could be programmed to look at and record data intended for other systems.

The most common way to avoid this is to use data encryption, which can happen at the network layer, using IPsec (RFC 4301), on top of the transport layer, using TLS (RFC 5246) or SSL, or at the application layer, using standards such as S/MIME for email (RFC 5751). When you visit a website whose URL begins with https://, your communication with that website is encrypted using TLS or SSL. The Web browser ensures that the computer you’re talking to has security credentials that match the address in the URL, then negotiates encrypted communication. A computer program can still peek at and record the data packets — but a snooper won’t be able to decipher the data, which will thus be useless.
Similarly, if a snooper should try to replace or modify the data you’re sending — say, to change a $20 payment to $2,000 — encrypted communication would prevent the attacker from being able to modify the encrypted information in a valid way. Encrypting an entire communication, however, has been fairly expensive in the past, slowing down the communication. Encrypting the information you get from Wikipedia or the New York Times is fairly unnecessary, so to speed things up, we don’t encrypt everything on the Internet. This is, however, changing, as computing speeds have increased to the point where Web traffic encryption is no longer a performance issue.

Sometimes, though, it’s not important to protect information from prying eyes, and the likelihood of its being altered by an attacker is small — but it’s important enough that we want to know if it’s been altered. In such cases, we don’t need to prevent the alteration, but we do need to detect it. For that, we can use digital signatures. A detailed explanation of digital signatures goes beyond this column’s scope. The short version is that they provide a mechanism for ensuring that the person we think sent information is actually the person who sent it, and that it wasn’t altered along the way. Otherwise, we know something is wrong — we don’t know how to correct it, but we know to ignore the faulty data.

Of course, all discussion of encryption and digital signatures here assumes that the encryption technology and algorithms used are current and sufficiently strong, and are used properly. This is usually the case, but weak and compromised algorithms are still used on the Internet surprisingly often. As developers of Internet standards, we often update the standards to deprecate the older algorithms and replace them with stronger ones. Still, it takes time for deployed software to catch up.
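The detect-but-don't-repair integrity property described above, as an added example that is not code from the column. The column talks about digital signatures; this block uses an HMAC (a keyed hash shared by sender and receiver) as a stand-in because Python's standard library provides it, and the $20-to-$2,000 payment message and the key are constructed for the illustration.

```python
"""Detecting in-transit alteration, as the Integrity discussion describes.

Added illustration, not code from the column. An HMAC-SHA256 tag stands in for
the digital signature the column mentions (same property: the receiver cannot
repair a tampered message, but it can tell that it changed and discard it).
The payment message and the shared key are constructed for the example.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-for-real-use"   # shared by sender and receiver


def protect(fields, key=KEY):
    """Serialize `fields` canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify(wire, key=KEY):
    """Return the fields if the tag checks out, otherwise None (discard, never repair)."""
    body, sep, tag = wire.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body)


def in_transit_change(wire, old, new):
    """Model the column's attacker rewriting part of the message on the way through."""
    return wire.replace(old, new, 1)


def run_demo():
    original = protect({"from": "acct-1", "to": "acct-2", "amount": 20})
    altered = in_transit_change(original, b'"amount":20', b'"amount":2000')
    return {
        "genuine_accepted": verify(original),
        "altered_body_reached_receiver": b'"amount":2000' in altered,
        "altered_rejected": verify(altered) is None,          # change detected, data ignored
        "truncated_rejected": verify(original[:-4]) is None,  # damaged tag is also rejected
        "wrong_key_rejected": verify(original, key=b"some-other-key") is None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```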
As a user, your best defense is to make sure you’re using a current Web browser (and other software, such as mobile apps), and that you’re keeping the browser and the operating system updated regularly. Current versions of Firefox, Internet Explorer, and Chrome no longer support older, flawed versions of SSL, or they have those old versions disabled by default. So stay up to date.

Standards development organizations have shown increasing awareness of the need to think about security at every stage of development, and to consider what aspects are needed for the protocols and use cases they’re developing. The IETF, for example, has an organizational area devoted to security, and every document must have a Security Considerations section that describes what the issues are for that document. ATIS has started a focus group on cybersecurity. And, of course, the IEEE’s Standards Association includes security review for appropriate standards.

Reference
1. “The New Hampshire Phone Scam,” New York Times, 17 Sept. 2007; www.nytimes.com/2007/09/17/opinion/17mon3.html.

Barry Leiba is a standards manager at Huawei Technologies. He currently focuses on the Internet of Things, messaging and collaboration on mobile platforms, security and privacy of Internet applications, and Internet standards development and deployment. Leiba has been active in the IETF for roughly 15 years, is an author of several current and pending proposed standards, has chaired numerous working groups, served on the Internet Architecture Board from 2007 to 2009, and is currently serving as Applications Area Director. He edits this column, and can be reached at barryleiba@computer.org.

EEL 4935: Spring 2021 Homework 1 Questions

1. Define the terms Authentication, confidentiality, integrity, and availability.
2.
Describe the following terms used for attackers:
• Black hat hacker
• White hat hacker
• Gray hat hacker
3. Research and give a practical example of the first step of the kill chain.
4. An organization that purchased security products from different vendors is demonstrating which security principle? Explain.
a. obscurity
b. diversity
c. limiting
d. layering
5. Consider an automated teller machine (ATM) in which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system. In each case, indicate the degree of importance of the requirement.
6. Read the article “Aspects of Internet Security.” Compose a paper of no more than 2 pages that summarizes the key concepts that emerge from the paper.

Objectives
• Define malware and payloads
• List the types of malware
• Describe the types of social engineering psychological attacks
• Explain physical social engineering attacks

Malware
• Generic term for software that has a malicious purpose

Signature
• A malware signature is a continuous sequence of bytes (common for a certain malware sample)
• It’s contained within the malware or the infected file and not in unaffected files

Malware Classification Based on Traits
• Circulation: Primary trait of spreading rapidly (e.g., viruses, worms, Trojans)
• Infection: Primary trait of “infect/embed” into the system; some attach themselves to a legit program (virus), others function as stand-alone (Trojan)
• Concealment: Primary trait of avoiding detection by concealing its presence from scanners (e.g., rootkit)
• Payload capability: When payload capability is the primary malware focus.
Payload carries the destructive capabilities of the malware (collect data, delete data, modify security settings, launch attacks)

Malware Classification Based on Mutation
Malware mutates to attempt to evade pattern matching
• Oligomorphic malware: Changes its internal code to one of a set number of predefined mutations whenever executed
• Polymorphic malware: Changes from its original form whenever it is executed. E.g., encrypted payload; when ready, it decrypts the payload
• Metamorphic malware: Can actually rewrite its own code and thus appears different each time it is executed (adding useless loops, instructions, etc.)

Virus
• Symantec: “a small program that replicates and hides itself inside other programs”
• Keywords: replicate, spread on the same computer
• Relies on user action to spread to other computers (e.g., email)
• Two “carriers”: the program it attaches to, and a human (to transport it to other computers)
• Actions
  • Crash computers, erase files, reformat hard drive
  • Turn off computer’s security settings
  • Spread to another file on the same computer

Virus – Swiss Cheese Infection
• Instead of having a single “jump” instruction to the “plain” virus code, some viruses perform two actions
  • Encrypt the virus code to make it more difficult to detect
  • Then divide the engine that “unscrambles” (decrypts) the virus code into different pieces and inject the pieces throughout the infected program code
• When the program is launched, the different pieces are then tied together and unscramble (decrypt) the virus code

Virus – Split Infection
• Instead of inserting pieces of the decryptor throughout the program code, some viruses split the malicious code
• These parts are placed at random positions throughout the program code

Worm ~ Network Virus
• Executes arbitrary code and installs copies of itself in the memory of the computer system
• Spreads across the network
• Slows down networks
• Most often used to create a backdoor to the infected host or create DoS

Worm
• Worms are responsible for some of the most devastating attacks on the Internet
• In 2001, the Code Red worm infected 658 servers. Within 19 hours, the worm had infected over 300,000 servers

Trojan Horse
• Term originated from Greek mythology
• Greek warriors offered the people of Troy (Trojans) a giant hollow horse
• The Trojans brought the giant horse into their walled city
• After most Trojans were asleep, Greek warriors burst out of the horse

Trojan Horse
• An electronic Trojan horse appears to be legit software
• Once inside, it secretly downloads malware
  • User downloads a “free calendar program”
  • Program scans the system for credit card numbers and passwords
  • Transmits information to the attacker through the network
• Trojan vs. Virus
  • Virus infects the system without the user’s knowledge
  • Trojan is installed with the user’s knowledge but conceals a malicious payload

Trojan Horse
• Remote-access Trojan horse: Enables unauthorized remote access
• Data-sending Trojan horse: Provides the attacker with sensitive data, such as passwords
• Destructive Trojan horse: Corrupts or deletes files
• Proxy Trojan horse: Uses the victim's computer as the source device to perform illegal activities
• FTP Trojan horse: Enables unauthorized file transfer services on end devices
• Security-software disabler Trojan horse: Stops antivirus programs or firewalls from functioning

Viruses, Worms, and Trojans
• Differences (comparison table not included in this text)

Spyware
• Secretly spies on users by collecting their information
• E.g., keylogger
  • Records your keystrokes
  • Takes periodic screenshots of your computer
  • Data sent immediately or stored for later retrieval by the attacker
• Can also make screen captures or silently turn on the web camera

Other Malware
• Logic bomb: Lies dormant until some logical condition is met; the software then does a malicious act (delete
files, alter configuration, release virus)
• Ransomware: Denies access to the infected computer and demands a paid ransom
• Adware: Displays annoying pop-ups to generate revenue for its author; analyzes user interests by tracking websites visited
• Phishing: Attempts to convince people to provide sensitive information; e.g., receiving an email from the bank asking for a password
• Rootkits: Installed on a compromised system; hide the intrusion and maintain privileged access for the hacker

Other Malware
• A rootkit removes all traces of evidence that may reveal the malware, such as log entries
• One approach is to alter OS files with modified versions
  • Modified files are designed to ignore malicious evidence
  • The rootkit replaces the OS’s files with the rootkit’s own files
• Scanning software assumes the OS will willingly carry out its instructions and retrieve all files; it does not know that the computer is providing only files approved by the rootkit

Other Malware
• Logic bomb examples (not included in this text)

Backdoor
• A backdoor gives access to a computer, program, or service that circumvents any normal security protections
• Backdoors that are installed on a computer allow the attacker to return at a later time and bypass security settings

Zombies and Botnets
• Zombie ~ robot (bot); botnet ~ multiple zombies
• Bot herder controls the botnet
• Command and control (C&C or C2) are instructions from the bot herder(s) regarding which computers to attack
• Communication protocol can be HTTP

Social Engineering
• Technology is not always needed for attacks on IT
• Social engineering is a means of gathering information for an attack by relying on weaknesses of individuals

Social Engineering
• Impersonation: Masquerade as a real or fictitious character, playing out the role of that person on a victim (IT support, manager, trusted third party)

Social Engineering
• Phishing: Fraudulent attempt to obtain sensitive information; e.g., sending emails claiming to be from a legitimate source to trick the user into giving private
info: password, credit card number, etc.
• Variations of phishing attacks
  • Spear phishing: targets only specific users; emails are customized
  • Whaling: spear phishing targeting “big fish” (wealthy individuals)
  • Pharming: automatically redirects the user to the fake site
  • Vishing: instead of using email to contact the potential victim, a phone call is used (voice phishing)

Module Activities
• CSSIA Lab 09: Analyze and Differentiate Types of Malware
• Assignment Module 2

Module Activities
• Main idea of Lab 09 (network diagram: Attacker, Internet, Firewall and/or other security appliance, Victim (Windows) inside the Protected network; addresses shown: 192.168.100.5 and 192.168.100.3)

Objectives
• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attackers that are common today
• List the basic steps of an attack
• Describe the five basic principles of defense

Challenges of Securing Information
• Widespread attacks on desktops, laptops, smartphones, tablets, servers, etc.
• Information security is focused on protecting the electronic information of organizations and users

Needs for Information Security Personnel
• Chief Information Security Officer: Assessing, managing, implementing security; may be the primary author of security policies
• Security manager: Supervises technicians, admins, security staff
• Security administrator: Manages daily security operations
• Security technician: Provides technical support, configures security hardware, implements security software, troubleshoots problems

Information Security Employment
• Security is rarely offshored or outsourced
• Job outlook is exceptionally strong
• U.S.
Bureau of Labor Statistics (BLS) “Occupational Outlook Handbook” indicates the job outlook for information security analysts through the end of the decade is expected to grow by more than 25%, much faster than average (https://www.bls.gov/emp/ep_table_102.htm)
• E.g., jobs.lanl.gov

Today’s Security Attacks
• Balances manipulated on prepaid debit cards (intrusion)
• Twitter accounts exploited
• ATM malware
• Aircraft manipulation
• Computer cluster for cracking passwords
• Electronic data records stolen

Equifax Case
• Equifax was alerted in March to the software security vulnerability that led to hackers obtaining personal information of more than 140 million Americans, but took months to patch it
• The website offers customers an interactive user experience, allowing them to input data and receive responses
• Customers interact with a web application that uses a potentially vulnerable plugin
• A plug-in is a software component that adds a specific feature to a program

Difficulties in Defending
(slide content not included in this text)

Understanding Security
• Security can be defined as a process (how to achieve security) or as a goal (what it means to have security)
• Maybe both? The goal to be free from danger as well as the process to achieve that freedom
• Security is the necessary steps to protect a person or property from harm

Goal of Information Security
• Ensure that protective measures are implemented to ward off attacks and prevent system collapse when a successful attack occurs
• Information security cannot completely guarantee that a system is totally secure

Data Protection
• Data is likely to be an organization’s most valuable asset
• How can we protect it?
• Ensuring confidentiality: only authorized parties can access information
• Ensuring integrity: information is not altered
• Ensuring availability: information is accessible when needed
• Also, AAA must be employed
  • Authentication: the individual is who he/she claims to be
  • Authorization: providing permission to specific resources
  • Accounting: provides tracking of events

Security Layers
Data stored (at rest) by hardware, manipulated by software, and transmitted by communications must be protected
• Policies and procedures: Plans and policies in place to ensure people correctly use the products
• People: Those who implement and properly use security products to protect data
• Products: Security around the data (door locks, firewalls, intrusion prevention system)

Information Security Definition
• Information security is defined as “that which protects the confidentiality, integrity, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures”

Technology Assets
• An item that has value
• Provides value to the organization
• Cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources

Threats
• Information security threats: Events representing a danger to information assets
• The potential for creating a loss is real: corruption or theft of information, a delay in information being transmitted, loss of reputation, etc.
• Threat agent Person or element (e.g., malicious software) that has the power to carry out a threat 17 Information Security Terminology: Vulnerability • Vulnerability is a weakness that allows a threat agent to bypass security A software defect that allows an unauthorized user to gain control of a computer without the user’s knowledge or permission 18 Information Security Terminology: Threat Vector • An threat vector is a path or other means by which an attacker can gain access to a server, host, or network • An attacker, knowing that a flaw in a web server’s OS has not been patched, is using the threat vector (exploiting the vulnerability) to steal user passwords 19 Importance of Information Security: Preventing Theft • Preventing data theft • Often cited as primary objective of information security • Business, personal data; e.g., credit card numbers • Lost wages and productivity during an attack and cleanup: Cost of attacks 20 Importance of Information Security: Preventing Identity Theft • Using another’s personal information for financial gain • Steal person’s SSN • Create new credit card account • Charge purchases • Serious problem for Internal Revenue Service (IRS) • In one year, it delivered more than $5 billion in refund checks • A single address in Lansing, Michigan, was used to file 2137 separate tax returns ($3.3 million in refunds) • 590 refunds totaling more than $900,000 into a single bank account 21 Importance of Information Security: Avoid Legal Consequences • Businesses that fail to protect data they possess may face serious financial penalties from federal or state laws • Laws protecting electronic data privacy: • Health Insurance Portability and Accountability Act of 1996 (HIPAA) Those who wrongfully disclose individually identifiable health information can be fined up to $50,000 for each violation up to a maximum of $1.5 million per calendar year and sentenced up to 10 years in prison • Sarbanes-Oxley Act of 2002 (Sarbox) Covers the corporate 
officers, auditors, and attorneys of publicly traded companies. Stringent reporting requirements and internal controls on electronic financial reporting systems are required • Gramm-Leach-Bliley Act (GLBA) All electronic and paper data containing personally identifiable financial information must be protected. The penalty for noncompliance for a class of individuals is up to $500,000 22 Importance of Information Security: Avoid Legal Consequences • Businesses that fail to protect data they possess may face serious financial penalties from federal or state laws • Laws protecting electronic data privacy: • Payment Card Industry Data Security Standard (PCI DSS) Security standards that all companies that process, store, or transmit credit card information must follow. The maximum penalty for not complying is $100,000 per month • CA Database Security Breach Notification Act Requires businesses to inform California residents within 48 hours if a breach of personal information has or is believed to have occurred 23 Who Are the Attackers? • Hacker – skilled Older term for someone who uses advanced knowledge to attack computers • Black hat hackers – personal gain Attackers who violated computer security for personal gain or to inflict malicious damage • White hat hackers – received permission “Ethical attackers” who received permission to probe system for any weaknesses • Gray hat hackers – no permission, disclose vulnerability Attackers who would break into a computer system without permission and then publically disclose vulnerability 24 Who Are the Attackers? • Cybercriminals • Launch attacks against other users and their computers • == attackers • Highly motivated, less risk-averse, well-funded • Goal is financial gain; steal information to generate income • Can launch advanced persistent threats (APTs) APT ~ unauthorized access to a network and stays there undetected for a long period of time (or try to …) 25 Who Are the Attackers? 
• Script kiddies • Unskilled users; goal: breaking into computers (damage) • Download automated hacking software (scripts) • Attack software today has attack capabilities that are even easier for unskilled users; ~40% of attacks performed by script kiddies 26 Who Are the Attackers? • Brokers • Uncover vulnerabilities and do not report them to vendor • Sell vulnerability to other attackers, governments • Buyers pay a high price because this vulnerability is unknown 27 Who Are the Attackers? • Insiders • Employees, contractors, partners who steal from employer • Sabotage or theft of intellectual property • Employees believing that accumulated data is owned by them 28 Who Are the Attackers? • Cyberterrorists • Ideologically motivated • Perform attacks because of their beliefs • Target example: computers that control the electrical power grid of a state or region 29 Who Are the Attackers? • Hactivists • Ideologically motivated • Unlike cyberterrorists who incite panic, hactivists are generally not well defined • Attacks can involve breaking into a website and changing the contents on the site to make a political statement • Retaliatory attacks • E.g., Anonymous, Wikileaks • Who (if any) should be punished for disclosing information? 30 Who Are the Attackers? • State-sponsored attackers • Supported by governments • Attackers target foreign governments or even citizens of the government who are considered hostile or threatening • Do countries participate (to some degree) in state-sponsored hacking? 
31 Steps of an Attack • Kill chain Malware delivers a malicious “payload” that performs a harmful function 32 Defenses Against Attacks - Principles • Layering If a layer is penetrated, several more layers must still be breached • Limiting Only those who must use the data should have access to it; access should be limited to what those people need to perform • Diversity Attackers cannot use the same technique to break multiple layers • Obscurity Not revealing the network topology, computer type, OS version • Simplicity System should be simple for those on the inside to understand 33 Module 1 Activities • Homework Module 1
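The Data Protection slides above list confidentiality, integrity and availability together with AAA (authentication, authorization, accounting), and the Defenses slide names "Limiting" (grant only the access someone needs). The following is an added worked example written for this page, not code from the lecture slides or the textbook: it wires those four checks into one access path over a tiny in-memory record store. The user names, passwords, roles, record contents and audit-log fields are constructed for illustration.

```python
"""AAA (authentication, authorization, accounting) plus an integrity check
over a small in-memory record store. Added example for this page, not code
from the lecture or the homework answer; users, passwords, roles, records
and audit-log fields are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import time

# ---- Authentication: salted PBKDF2 hashes, never plaintext passwords -------
PBKDF2_ROUNDS = 100_000          # tune upward for production hardware

def make_credential(password: str) -> dict:
    """Return a salted PBKDF2-HMAC-SHA256 hash to store instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}

def authenticate(users: dict, username: str, password: str) -> bool:
    """True only if the user exists and the password matches the stored hash."""
    cred = users.get(username)
    # Hash against a dummy credential for unknown users so response time does
    # not reveal which user names are valid (a user-enumeration side channel).
    salt = cred["salt"] if cred else b"\x00" * 16
    expected = cred["hash"] if cred else b"\x00" * 32
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison: a plain == can leak the hash byte by byte.
    return cred is not None and hmac.compare_digest(candidate, expected)

# ---- Authorization ("Limiting"): deny by default, grant per role -----------
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}

def authorize(roles: dict, username: str, action: str) -> bool:
    """Allow an action only if the user's role explicitly grants it."""
    return action in ROLE_PERMISSIONS.get(roles.get(username, ""), set())

# ---- Accounting: every decision is recorded, allowed or denied -------------
AUDIT_LOG: list = []

def record(username: str, action: str, allowed: bool) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": username,
                      "action": action, "allowed": allowed})

# ---- Integrity: a keyed HMAC tag over each stored record -------------------
INTEGRITY_KEY = secrets.token_bytes(32)   # would live in a KMS/HSM in production

def seal(data: bytes) -> tuple:
    """Store the bytes together with a keyed tag so silent edits are detected."""
    return data, hmac.new(INTEGRITY_KEY, data, "sha256").digest()

def verify(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac.new(INTEGRITY_KEY, data, "sha256").digest(), tag)

def access(users, roles, username, password, action, store, key) -> str:
    """Run the full path; returns 'unauthenticated', 'forbidden', 'tampered',
    or the record contents on success."""
    if not authenticate(users, username, password):
        record(username, action, False)
        return "unauthenticated"
    if not authorize(roles, username, action):
        record(username, action, False)
        return "forbidden"
    record(username, action, True)
    data, tag = store[key]
    if not verify(data, tag):
        return "tampered"
    return data.decode()

def demo() -> dict:
    """Exercise each outcome on constructed data and return the results."""
    AUDIT_LOG.clear()
    users = {"alice": make_credential("correct horse"),
             "bob": make_credential("hunter2")}
    roles = {"alice": "admin", "bob": "analyst"}
    store = {"rec1": seal(b"salary=100000")}
    results = {
        "bad_password": access(users, roles, "alice", "wrong", "read", store, "rec1"),
        "unknown_user": access(users, roles, "mallory", "x", "read", store, "rec1"),
        "analyst_read": access(users, roles, "bob", "hunter2", "read", store, "rec1"),
        "analyst_delete": access(users, roles, "bob", "hunter2", "delete", store, "rec1"),
    }
    # Simulate an unauthorized modification of the stored bytes; the tag no
    # longer matches, so the integrity check fails even for an admin.
    data, tag = store["rec1"]
    store["rec1"] = (data.replace(b"100000", b"900000"), tag)
    results["tampered_read"] = access(users, roles, "alice", "correct horse",
                                      "read", store, "rec1")
    results["audit_entries"] = len(AUDIT_LOG)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} -> {outcome}")
```

Two details matter beyond the slide definitions: the authorization table is deny-by-default (an action absent from the role's set is refused, which is what "Limiting" means in practice), and both the password check and the HMAC check use a constant-time comparison so the comparison itself does not become a threat vector. Confidentiality is not shown here; it would be an encryption layer over the stored bytes, separate from the integrity tag.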
Explanation & Answer

Hey!

Information Security Concept HW

Student's Name
Department, University
Course Name
Professor's Name
Date

Information Security Concept HW

Question 1
Authentication refers to the process of verifying the truth or validity of something. It is an action that verifies that a person or a device really is who or what it claims to be. It is done by using usernames and passwords. Only the person or machine with the correct credentials will be given entry to the system to proceed with the relevant access. If a person or a device fails the authentication, access is denied.

Confidentiality is the process of keeping sensitive information, or any information that an unauthorized person or device should not access, away from those parties. Only those with access rights and privileges are able to access sensitive data at any time.

Integrity refers to the state where data and information are not corrupt. Integrity ensures that data modification is not allowed and that the data remains in its original condition while in transmission and while it is being stored. It prevents data corruption.

Availability means that the authorized user of a computing system has access to the data at any given time, at any place, and in the correct format. At all times, the information must be readily available to those who have the privileges of access ("Confidentiality, Integrity, and Availability - Archive of obsolete content | MDN", 2021).

Question 2
i. Black hat hacker

Black hat hackers are the criminals that attack a computing system and gain access by breaking in with the intention of causing damage. They have malicious purposes. They often release malware that destroys files, causes denial of service, or steals personal credentials such as passwords and credit card numbers. They are motivated by the financial gains from stealing financial information that can be used to withdraw money. They are also involved in cyber espionage and other related cybercrimes. They seek to modify, steal or destroy data.

ii....

