Week 8 - Human Aspects Of Computer Security Flashcards

Security sometimes must be reduced to allow for end user usability. Learn about how humans are incorporated into computer security.

1
Q

What are some bad practices with password policy?

A

Making passwords overly complicated

Not encrypting passwords

2
Q

Why could making a password overly complicated hinder security?

A

A user might write down a complicated password if they cannot remember it, making it less secure as someone else could find this physical password.

3
Q

When was the first usable security and privacy conference held?

A

2005

4
Q

When did the first publications and research outlining users as not the enemy come out? And by who?

A

Late 1990s, by Adams and Sasse.

5
Q

What does SOUPS stand for?

A

Symposium on usable security and privacy.

6
Q

What are common mistakes that end users make to do with passwords?

A

Writing down passwords

Using easily guessed or common passwords

7
Q

What is a productive task?

A

A task where you are trying to achieve an objective or goal. It will have a secondary/supporting task attached.
This task could be, for example, sending an email.

8
Q

What is a secondary/supporting task?

A

A task that you must complete in order to achieve a productive primary task. Every secondary task is attached to a productive primary task.
Secondary tasks are often authentication; an example would be logging into your email.

9
Q

What is human-centred security?

A

When humans are considered as part of the security of a system. Their behaviour and motivations are factored into the security of the system, and the system is made to accommodate these needs.

10
Q

What are Yee’s 9 guidelines for developing usable security systems?

A

  1. Path of least resistance
  2. Explicit authorisation
  3. Appropriate boundaries
  4. Revocability
  5. Expected ability
  6. Trusted path
  7. Identifiability
  8. Expressiveness
  9. Clarity

11
Q

What is the path of least resistance guideline?

A

It says that the most likely path of steps to complete a task should be the most secure, meaning that extra security should be put in place there.

12
Q

What is the explicit authorisation guideline?

A

An end user must explicitly grant authorisation to another actor (e.g. another end user or a process).

13
Q

What is the appropriate boundaries guideline?

A

The interface should make it clear which distinct objects and actions are relevant only to the user, e.g. the resources available to the user under their authorisation.

14
Q

What is the revocability guideline?

A

The interface should allow the user to revoke authorisation that they have granted in the past wherever possible.

15
Q

What is the expected ability guideline?

A

The interface should not appear to provide functionality that it does not actually provide.

16
Q

What is the trusted path guideline?

A

The interface must provide an authenticated and secure communication channel between the user and trusted entities on the network.

17
Q

What is the identifiability guideline?

A

The interface should make sure that all distinct objects/resources and actions are made clearly distinct from one another and are unspoofable.

18
Q

What is the expressiveness guideline?

A

The interface needs to be capable of describing a security policy with ease and allow users to easily implement their own security policies and rules to fit their goals.

19
Q

What is the clarity guideline?

A

If an action has a potential negative impact on the security of the system, then the user should be clearly warned of the impact of this action before they attempt to take it.

20
Q

What is phishing?

A

When an attacker tries to trick a user into giving away login credentials, personal information or to download malware.

They use emails pretending to be from a legitimate source, usually containing a link that invites the user to click on it. The link normally leads to a malicious but legitimate-looking website (often a recreation of a bank website) that asks the user to 'confirm' their details. The link could also be a download link for some malware.

21
Q

What type of attack is phishing?

A

A social engineering attack.

22
Q

How do you identify a phishing attack?

A

Spelling errors
Lack of user-identifiable information (e.g. the user's name)
Wrong email address
Being asked to confirm login details over email
Non-official website URL

Advanced techniques:
Viewing the original email source code

23
Q

How do you open the original source code for an email?

A

Open an email message, click the drop-down menu and click 'Show original'.

24
Q

How do you get the From address of an email in the source code?

A

You need an SMTP server
The correct mailing software

You can use these to fill in the From address.

25
Q

What does SMTP stand for?

A

Simple Mail Transfer Protocol

26
Q

How do you verify that an email is a valid email from that domain, e.g. that the IP address that sent the email was authorised to do so on behalf of that domain?

A

By using SPF (Sender Policy Framework).

27
Q

How does SPF verify emails?

A

It compares the IP address that sent the email against the IP addresses listed for the sender's domain in that domain's SPF record.

28
Q

What is spear phishing?

A

Phishing that is directly targeted at one user, most likely using some of their personal data, such as their name.

29
Q

What is spam phishing?

A

Phishing that targets many people at once by sending mass emails, hoping that some of these people will fall for the attack.

30
Q

What is a phishing website?

A

A website (most likely linked from a phishing email) that looks like and imitates a legitimate website, but sends any entered data to the attacker. It commonly asks the user to enter their credentials for the website it is disguised as.

31
Q

List some social engineering behaviours/techniques.

A

Leveraging authority
Impersonation
Pressure and solution
Pretext

32
Q

What are the 3 personality traits that the dark triad associates with insider threats?

A

Machiavellianism
Narcissism
Psychopathy

33
Q

What does APT stand for?

A

Advanced Persistent Threat.

34
Q

What is an Advanced Persistent Threat?

A

A large, often well-funded and organised campaign of attacks against a single organisation. APTs are long-term, continuous attacks (they can last upwards of years) and require a lot of research on the target organisation before they begin.
APTs normally come from hacker/malicious organisations. Sometimes they are funded by state actors (governments).

35
Q

What is the most common attack technique/type that APTs use?

A

Social engineering against the end user.

36
Q

What are state actors?

A

Governments.

37
Q

Why are APTs dangerous?

A

APTs are hard to detect as they are very inconspicuous. APTs try to disguise their attacks as much as possible, which is why they never include visible attacks like ransomware. They use advanced techniques to mask attacks and malware traffic going into the organisation, and organisations have a very hard time identifying these as malicious.

APTs are long term, meaning that the organisation is constantly being attacked by a campaign that knows how to penetrate its security. Furthermore, if the APT is disguised well, it can be months or years before some attacks are even noticed.

38
Q

What are the stages of an APT?

A

Reconnaissance - researching the organisation and its systems, identifying members of staff for social engineering, etc.

Initial Compromise - the first attack, used to get a foothold in the organisation's systems. They use this foothold to set up outbound traffic sending data from within the organisation to the attackers.

Maintain Access - attackers ensure they continue to have access to the system, and set up software to bypass the system's security mechanisms.

Lateral Movement - expansion further into the system, by spreading to another host or getting access to another network or system. They may also locate data for exfiltration.

Data Exfiltration - sending data back through the outbound traffic to the attackers.

Cover Tracks - hiding evidence of the attack so that it goes unnoticed for as long as possible.

39
Q

How do we mitigate APT campaigns?

A

Switch focus from perimeter security to internal security (checking outbound traffic from the system for signs of APT exfiltration). DO NOT replace perimeter security with internal security; implement both.

Doubling down on security basics, like giving permissions and authorisations only to those who need them, patch management and updating security software, and proper authentication for functionality.

Monitoring the activities and behaviour of traffic let into the network to look for malicious behaviour.

Implementing measures to prevent social engineering, like security awareness training. Training employees to spot social engineering attempts such as phishing emails, etc.

40
Q

What is perimeter security?

A

Security that protects a system/network from external sources and traffic. It can be achieved by software like firewalls.

41
Q

What types of insider threats are there?

A

Turncloak
Pawn
Imposter

42
Q

What is a Turncloak insider?

A

An insider who abuses their access and misuses their privileges and permissions to perform malicious activities. They are characterised by malicious intent, and their common motivations are personal or financial gain. They often become an insider threat after they have joined the company.

43
Q

What is a Pawn insider?

A

An individual who unknowingly creates vulnerabilities and security risks. They are often tricked into aiding attackers through things like phishing, but can also mistakenly aid attackers themselves by carrying out insecure activities like sending sensitive data over email or losing a drive with sensitive information on it.

44
Q

What is an imposter insider?

A

An outsider who manages to get access to a system by claiming to be a legitimate user for the company. They could pose as an end user, a contractor, a partner or an employee. They join the organisation with the intent to commit malicious activities. They incline towards corporate espionage.

45
Q

What is the most common type of insider?

A

A Pawn

46
Q

How do we mitigate against insider threats?

A

Training employees in security

Coordinating IT and HR, e.g. making sure IT knows about layoffs in time, when to revoke access, and which employees to monitor

Monitoring and analysing employee behaviour, e.g. comparing past behaviour to current behaviour to search for abnormalities. Organisations can use UBA for this

Building a threat hunting team, i.e. one that monitors data and looks for threats as they are happening

47
Q

What does UBA stand for?

A

User Behavioral Analytics.