1. Intro - Control Questions Flashcards
What kind of risks are relevant for IT security?
○ the loss of confidentiality, integrity, or availability (CIA) of information that is processed, stored,
and transferred by IT systems
○ the unauthorized access, corruption, or denial of services that are provided by IT systems
○ → completely preventing such incidents is not possible in general, so the goal should be to "minimize"
the risk of getting compromised
What is the difference between safety and security?
- safety focuses on risk resulting from random failures, accidents, and natural disasters
- security focuses on risk resulting from deliberate attacks carried out by intelligent attackers (malice)
What factors determine the IT security risk?
○ threats – entities who can do you harm (a.k.a. attackers)
» skill level, motive, opportunity, resources, …
○ vulnerabilities – weaknesses that can be exploited
» ease of discovery, ease of exploitation, awareness, …
○ countermeasures – precautions you take
» technical and non-technical
What types of vulnerabilities exist in IT systems?
○ technical – design flaws and implementation errors in hardware, software, systems, and protocols
○ physical – weaknesses allowing for physical access (e.g., unlocked door)
○ operational – weaknesses in the procedures used to operate the system
○ personnel – lack of security awareness, know-how, and trustworthiness of people (employees,
operators, contractors)
Why do those vulnerabilities (in IT systems) occur in practice?
○ IT systems are designed, implemented, and operated by humans (imperfect and sometimes
irrational)
○ IT systems are increasingly complex
■ easy to overlook flaws
■ hard to test completely
○ business constraints strongly influence the selection of a trade-off among functionality, usability,
and security
■ increased security makes a system more difficult to sell (or to operate)
● users are looking for more features and better usability, but …
● security is at odds with usability and a large number of features
■ different pressures during development result in neglecting security
● minimizing time-to-market
● limits on budget and workforce
What does vulnerability management mean?
○ reported technical vulnerabilities get a globally recognized identifier
■ CVE ID – Common Vulnerabilities and Exposures (cve.mitre.org)
○ information on reported technical vulnerabilities is stored in public vulnerability databases
■ structured vulnerability information in a searchable form
■ example: US National Vulnerability Database (nvd.nist.gov)
○ public availability of vulnerability information helps keep systems free from known
vulnerabilities
■ this alone can dramatically decrease the risk one faces
■ on the other hand, there may be systems where fixing known vulnerabilities is slow or even
impossible
● introducing patches requires extensive testing or needs special authorizations
● but at least you can account for those vulnerabilities when calculating the risk
What are zero-day vulnerabilities? Why are they important?
○ vulnerabilities that are known only to potential attackers
○ represent great advantage (hence value) for attackers
○ however, they are hard to find (or expensive to buy)
■ some companies make their living out of finding and selling zero-day vulnerabilities (or
exploits) to criminals and governments
○ often used only in targeted attacks, where …
■ successfully compromising a particular target is important
■ risk of detection and exposure of the zero-day vulnerability is small (exposed zero-day
vulnerabilities induce substantial loss for attackers)
What types of countermeasures exist that reduce the risk? Give some examples for each type!
○ technical – host and network security controls
■ e.g., firewalls, anti-virus software, authentication tokens, security protocols, cryptographic
algorithms, …
○ physical – countermeasures providing physical security
■ e.g., locks, fences, security guards, tamper-resistant hardware, …
○ operational – policies and procedures related to the operation of the system and management of the
personnel
■ e.g., password changing policies, key management procedures, regular security testing, …
■ e.g., hiring and firing procedures, promotion procedures, vacation policies…
○ personnel – measures for increasing security awareness and trustworthiness of people
■ e.g., security education, increasing employee satisfaction with good salaries
What is the difference between risk minimization and risk optimization?
What kind of questions do we need to answer during risk optimization?
○ we said the goal of security is to "minimize" the risk of attacks
○ the goal is actually not risk minimization in an absolute sense (that would require removing as
much risk as possible, no matter the costs)
○ rather, we want to minimize the risk under some budget constraint → risk optimization
■ What are the plausible threats?
■ What are the known vulnerabilities?
■ What is the likelihood of those vulnerabilities being exploited by the plausible threats?
■ What is the expected loss?
■ What countermeasures can reduce the risk in a cost effective way?
What are the aspects of threat classification?
○ motivations
○ information gathering capabilities
○ level of technical expertise
○ amount of resources
What type of information is useful to collect before an attack?
○ useful information includes:
■ general system architecture, available services, used hardware and software components and
their configuration settings, network topology and technology
■ employed security mechanisms (firewall, IDS, anti-virus, …)
■ known vulnerabilities of the used system elements and security solutions
■ who are the users and what are their access rights?
What levels of technical expertise can we distinguish?
○ understanding of the operation of computer systems and networks
○ being familiar with known vulnerabilities and exploit techniques
○ ability to discover new vulnerabilities and construct exploits – …
What can financial resources be converted to?
○ financial resources can be used to
■ increase information gathering capabilities
● e.g., bribery, ransom, purchase of technical documentation, advanced social
engineering, or even use of intelligence approaches (OSINT, SIGINT)
■ deepen technical expertise
● hiring of experts
● improving own competencies and capabilities
■ obtain advanced attack tools and methods
● zero-day exploits
● advanced cryptanalysis tools
● increased computing power
What typical threat models exist?
Summarize each of those models in terms of attacker motivations, level of technical expertise,
information gathering capabilities, and available financial resources!
○ Script Kiddie
■ motivations:
● self-expression
● achieving some status
■ technical expertise: limited
● uses tools and methods developed by others
● may minimally extend existing tools, or combine them in new ways
● may improve in the long-term (education, self-study, practice)
■ information gathering capability: limited
● mainly publicly available information
● basic social engineering tricks
■ financial resources: limited
■ no strategic planning, opportunistic target selection
● chooses targets that seem to be easy to compromise
● potential success due to negligence on the system owner’s side
○ Disgruntled employee
■ motivations:
● revenge (typically after having been fired, or still as an employee)
■ can be very determined, sometimes even irrational
● well defined objectives, conscious target selection
■ information gathering capabilities: potentially advanced
● former employee or still employed → internal access to information
● may have very detailed technical knowledge about the system
● has personal connections to other employees (effective social engineering)
■ technical expertise: potentially advanced
● depends on his (former) role in the company
■ financial resources: limited
■ example:
● sabotage against the Maroochy Shire (Australia) waste water management system
○ Hacktivist group
■ loosely organized group of amateurs
■ motivations:
● spread or defense of some political or social ideology
● objectives are often related to actual events (visible response to the event)
● no long term strategy, ad hoc campaigns
■ information gathering capabilities: limited
● no resources to obtain internal information
● may try to gather information by technical means (hacking)
■ technical expertise: variable
● few leaders who have potentially strong technical background and connections to
cyber criminal circles
● lot of followers who do what they are told to do
■ financial resources: limited
■ examples: Anonymous, Syrian Electronic Army
○ Terrorist organization
■ increased use of computers, but mainly as an auxiliary tool
● searching and storing information, plans, designs
● using hacking to obtain intelligence before physical attacks
● in the future, maybe simultaneous physical and cyber attacks (no example yet)
■ motivations:
● spread or defense of political or religious ideology
● determined, sometimes irrational behavior
● well defined objectives, strategic planning and target selection
■ information gathering capabilities: limited
■ technical expertise: limited
● although, they may have links to cyber criminal organizations
■ financial resources: potentially large
■ examples: no example yet
○ Cybercrime organization
■ one of the largest threats today for ordinary users and organizations
■ motivations:
● financial profit
● well-defined objectives and large scale attack campaigns in space and time
■ information gathering capabilities: potentially advanced
● mainly using technical approaches, such as spyware, hacking into servers, phishing,
and social engineering
■ technical expertise: advanced
● can employ expert hackers
● can buy exploits, malware, and other advanced attack tools
■ financial resources: potentially large
■ examples: many …
○ State sponsored attacker
■ motivations:
● political or economic, aligned with motivations of the sponsor state
● has clear objectives (espionage or sabotage), performs strategic planning, and carries
out long-term, targeted operations
■ information gathering capabilities: advanced
● cyber espionage and surveillance tools
● traditional intelligence gathering (e.g., SIGINT)
■ technical expertise: advanced
● complex research, development, and training programs
● can employ or train expert hackers
● can buy zero-day exploits, malware, and other advanced attack tools legitimately
■ financial resources: large
■ examples: APT1 (PLA 61398), TAO
How is the cyber underground organized?
What are the actors and what kind of infrastructure do they use?
○ different actors that collaborate and trade with each other
■ specialized roles
■ mutual benefits (win-win situations, non-zero sum games)
○ products and services are sold and bought on underground markets
■ on-line interactions using various communication infrastructure
■ anonymous payment methods such as WU (Western Union), e-gold, or bitcoin
○ communication infrastructure
■ IRC (Internet Relay Chat) networks
■ social networks and public forums
■ anonymous communication systems (e.g., Tor)
○ Actors:
■ information dealers
● make profit by selling valuable information
● examples:
○ customer data (can be used for identity theft)
○ account credentials, credit card numbers
○ technical information, such as security vulnerabilities
■ resource dealers
● make profit by selling computing or human resources
● examples:
○ create, maintain, and expand botnets
○ brokering hackers
○ recruiting low level workers for attack campaigns
■ service providers
● make profit by offering different services
● examples:
○ bullet-proof hosting
■ offer locations to store attack content (exploit code, malware, and
stolen data)
■ typically offshore, based in safe havens (for attackers) such as Russia
and China
○ proxy, VPN, and re-direction services
○ running a spam or DDoS campaign
○ special malware checking services
○ social engineering and hacking-as-a-service
■ R&D people, tool makers
● make profit by creating and selling custom-ordered attack tools, such as malware,
packers, exploit code, DDoS tools, …
● before release, the product is put through a QA process to ensure that all is
functioning well and potentially evading detection
■ criminals, fraudsters, and attack launchers
● pay for information, resources, attack tools and services
● launch attacks such as financial fraud, spam, DDoS, and other crimes
■ cashiers or ”money mules”
● people who are knowingly or unknowingly used to launder money
○ anonymously move money from one country or bank account to another
○ typically through anonymous wire transfer services such as Western Union
● several mules, anonymous services and various bank accounts are used in order to
make it harder for authorities to trace funds and to place legal responsibility on the
mules themselves