Internet Security (Lecture 1) Flashcards

1
Q

What proportion of URLs are malicious?

A

One in Ten

2
Q

By what percentage have web attacks increased?

A

56%

3
Q

What is the average number of websites compromised with formjacking each month?

A

4,800

4
Q

By what percentage have supply chain attacks increased?

A

Increased by 78%

5
Q

What has been the recent trend in cryptojacking occurrence?

A

More cryptojacking events were blocked in 2018 than in 2017, but the trend is downward (a 52% drop in occurrence between Jan and Dec 2018).

6
Q

What percentage of malicious email attachments are Office files?

A

48% - up from 5% in 2017

7
Q

What is the process by which malicious email PowerShell scripts infect systems?

A

Email disguised as a notification (invoice, receipt)

The attached Office file contains the malicious script

Opening the attachment executes the script and downloads the malware

8
Q

What is the prime source of disruption for end users and organisations?

A

E-mail, in the form of:

  • Unwanted email (spam)
  • Propagation of ransomware
  • Targeted spear-phishing

9
Q

What is a Business Email Compromise (BEC) scam?

A

A scam involving (low-tech) spear-phishing emails, often pretending to be from the CEO or senior employees, who request large money transfers

10
Q

What was the malicious email rate in 2018?

A

1 in 412 emails were malicious, with most appearing to relate to a bill, an email delivery failure or a package delivery

11
Q

What were the top malicious email attachment categories in 2018?

A

Scripts (47.5%)
Executables (25.7%)
Other (25.1%)

12
Q

What are some reasons for targeted attacks? (4)

A

Subversive purposes - attacks intended to change the social order or the structure of power or authority

Geopolitical - groups affiliated with nations launch cyber attacks against nations they have a grievance with

Economic espionage (financial) - P2P sale systems in retail (credit/debit) are attacked and card details sold on the black market

Cause disruption - to protest the actions or decisions of an organisation, or to serve as a distraction while attackers plant something malicious in the network

13
Q

List best practice methods to avoid attacks (7)

A

1 - Emphasise multiple, overlapping and mutually supportive defensive systems to guard against single points of failure in any specific technology

2 - Use regularly updated firewalls, anti-virus software, intrusion detection or prevention systems (IPS) and web security gateway solutions throughout the network

3 - Receive alerts for new vulnerabilities and threats across vendor platforms and patch known vulnerabilities ASAP

4 - Implement and enforce a security policy whereby sensitive data, including customer data, is encrypted at rest and in transit

5 - Educate employees on the risks of spear-phishing emails, including exercising caution around opening attachments and emails from unfamiliar sources, and use a full protection stack to block email-borne threats

6 - Ensure strong passwords (10+ characters with a mix of letters, numbers and symbols) and discourage reusing old passwords or sharing them

7 - Delete unused credentials ASAP and limit administrative-level profiles

14
Q

What does a full protection stack look like?

A

It defends against email threats: Symantec Email Security Cloud blocks email-borne threats, Symantec Endpoint Protection blocks malware on the endpoint, and Symantec Messaging Gateway’s disarm technology protects against threats by removing malicious content from attached documents before they reach the user

15
Q

What security challenges has the cloud presented?

A

Misconfiguration issues

Vulnerabilities in hardware chips

In 2018 S3 buckets emerged as an Achilles heel for organisations, with more than 70 million records stolen due to poor configuration

16
Q

What trends have been observed in IoT attacks?

A

Worms and bots continued to account for the majority of IoT attacks

In 2018 IoT was used as an infection vector to compromise routers and connected cameras; these were the most infected devices, accounting for 75% and 15% of attacks respectively

17
Q

Describe what Mirai is

A

Mirai is a type of malware that turns networked devices running Linux into remotely controlled bots which can then be used as part of a botnet in large scale network attacks.

It is used primarily for Distributed Denial of Service (DDoS) attacks, but could also be used to compromise personal information

In 2016 Mirai took advantage of insecure IoT devices by scanning large blocks of the internet for open Telnet ports, then attempting to log in using 61 default usernames and passwords

Mirai can launch both HTTP flood and network-level attacks

There are certain IP address ranges that Mirai is hard-wired to avoid, including those owned by GE, Hewlett-Packard, and the U.S. Department of Defense

Upon infecting a device, Mirai looks for other malware on that device and wipes it out, in order to claim the gadget as its own

18
Q

Explain how a DDoS attack works

A

DDoS - Distributed Denial of Service attack

In a DDoS attack, a target server is simply bombarded with web traffic until it’s overwhelmed and knocked offline.

19
Q

List best practice methods for security of IoT devices (7)

A

1- Research capabilities and security features of IoT device before purchasing

2- Perform audit of all IoT devices on your network

3- Change all default usernames and passwords for strong passwords on all accounts and devices

4- Use strong encryption such as WPA2

5- Disable services and features that aren’t required

6- Disable Telnet login and use SSH where possible

7- Regularly check for firmware updates

20
Q

How do you protect mobile phones from threats? (5)

A

Keep software up to date

Don’t download apps from unfamiliar sites; install only from trusted sources

Pay attention to the permissions requested by apps

Make frequent back-ups

Install suitable mobile security app such as Norton Security

21
Q

Best practice for websites (5)

A

Regularly assess website for vulnerabilities

Set the secure flag for all session cookies

Secure against man-in-the-middle attacks and malware infection

Choose SSL Certificates with extended validation to verify protection and display recognised trust marks

Carefully select plugins - the more third-party software used the greater the attack surface

22
Q

What has been the most recent trend in ransomware attacks?

A

The overall number of ransomware infections fell, dropping by more than 20% year-on-year, but ransomware affecting businesses and organisations increased by 12%

23
Q

What is WannaCry?

A

WannaCry is a type of ransomware which was used in 2017 to target computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in the form of Bitcoin.

It is considered a network worm because it also includes a transport mechanism to automatically spread itself

The transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access and the DoublePulsar tool to install and execute a copy of itself

24
Q

What is formjacking?

A

Formjacking occurs when a threat actor installs malicious JavaScript code on a website to steal credit/debit card and other personal information.

Once a customer submits their information, the malicious code sends a copy to the attacker as well as to the merchant website. The information is then used to make fraudulent transactions or sold on the black market

25
Q

Why is formjacking difficult to detect?

A

It doesn’t rely on a user downloading a file, as the malicious code is contained in the website itself. This means anti-virus software doesn’t detect it

Website appears legitimate and still has the green padlock icon in search bar

26
Q

What methods are used to counter formjacking?

A

All major browsers have employed learning-based strategies to detect malicious URLs. They use a blacklisting approach, blocking users from accessing suspicious sites
(SmartScreen URL, Norton Safe Web)

Not very reliable

27
Q

What is ransomware?

A

Ransomware is a type of malware that takes control of a victim’s computer and either locks the screen to prevent it being used or encrypts the files so they cannot be accessed (depending on the type of ransomware)

Usually victims are provided with instructions to follow, which involve transferring cryptocurrency to the attacker before the files are decrypted

28
Q

What countermeasures are there against ransomware?

A

Prevention or detection

Multi-layered approach including education and organisational support from management

As signature-based detection can be ineffective, the network should be constantly monitored to identify ransomware before it can encrypt any data

29
Q

What has the recent trend in ransomware been?

A

Before 2017 most ransomware attacks targeted individuals, but there has been a shift towards targeting businesses. In 2018, 81% of all ransomware infections affected businesses

30
Q

What are phishing and spear-phishing?

A

Phishing involves sending a large number of emails to random people, claiming to be from a legitimate organisation such as HMRC, TV Licensing or another agency, in order to obtain personal information. Clicking the link may install malware on the system or take the user to a fraudulent website

Spear-phishing targets specific individuals, usually senior managers or other people with higher user privileges and access rights. The fraudulent emails are engineered from gathered intel to be appealing to the target, so they are more likely to open malicious links

31
Q

What countermeasures are there to defend against spear-phishing? (3)

A

Educate users on phishing and the dangers of opening links from what look like legitimate sources

A cloud-hosted service that uses artificial intelligence for real-time spear-phishing and cyber fraud defence

Software that scans your email traffic to block malicious attachments and URLs, including those in phishing and spear-phishing emails. It also uses advanced analysis to spot typo-squatting, link manipulation and other signs of phishing

32
Q

What is a Distributed Denial-of-Service (DDoS) attack and how does it work?

A

It targets websites and online services

It attempts to make a website or network inoperable by flooding it with more traffic than the server can handle

DDoS is accomplished through a network of remotely controlled, hacked computers or bots. These are often referred to as “zombie computers.” They form what is known as a “botnet” or network of bots. These are used to flood targeted websites, servers, and networks with more data than they can accommodate.

Botnets can be used for a variety of purposes, including sending spam and distributing malware such as ransomware

33
Q

What countermeasures are there to prevent a DDoS attack?

A

Anti-DDoS services can assist in distinguishing legitimate spikes in network traffic from a DDoS attack

Have a back-up ISP or services that disperse the volume of DDoS traffic

Firewalls and routers should be configured to reject bogus traffic, and you should keep your routers and firewalls updated with the latest security patches