3. OBJECTIVE
February 2, 2016 2
Describe one of the information security threats.
Present a case of the security threat happening.
Suggest ways of remediating the security threat.
4. INFORMATION SECURITY THREATS
Any organization that has a computer system and sensitive information wants to protect that
information. The greatest threat to computer systems and their information comes from
humans, through actions that are either malicious or ignorant. When the action is malicious,
some motivation or goal is generally behind the attack.
Attackers generally have motives or goals—for example, to disrupt normal business
operations or steal information. To achieve these motives or goals, they use various methods,
tools, and techniques to exploit vulnerabilities in a computer system or security policy and
controls.
Goal + Method + Vulnerabilities = Attack
5. SOME MAJOR SECURITY THREATS
THREATS
  Employees: malicious, ignorant
  Non-employees: outside attackers
  Natural disasters: floods, earthquakes, hurricanes
  Riots and wars
MOTIVES/GOALS
  Deny services
  Steal information
  Alter information
  Damage information
  Delete information
  Make a joke
  Show off
METHODS
  Social engineering
  Viruses, Trojan horses, worms
  Packet replay
  Packet modification
  IP spoofing
  Mail bombing
  Various hacking tools
  Password cracking
SECURITY POLICIES
  Vulnerabilities
  Assets: information and data, productivity, hardware, personnel
7. MALICIOUS ATTACKS
A malicious attack is an attempt to forcefully abuse or take advantage of someone's
computer, whether through computer viruses, phishing, or other types of social engineering.
This can be done with the intent of stealing personal information (such as in social
engineering) or to reduce the functionality of a target computer.
8. MALICIOUS CODE
Malicious code is the term used to describe any code in any part of a software system or
script that is intended to cause undesired effects, security breaches or damage to a system.
Malicious code is an application security threat that cannot be efficiently controlled by
conventional antivirus software alone.
Malicious code describes a broad category of system security terms that includes attack
scripts, viruses, worms, Trojan horses, backdoors and malicious active content.
Malicious code can also cause network and mail server overload by sending email messages;
stealing data and passwords; deleting document files, email files or passwords; and even
reformatting hard drives.
10. TYPES OF MALICIOUS ATTACKS
Viruses - Attackers can develop harmful code known as viruses. Using hacking techniques, they
can break into systems and plant viruses. Viruses in general are a threat to any environment.
They come in different forms and although not always malicious, they always take up time.
Viruses can also be spread via e-mail and disks.
Trojan horses - These are malicious programs or software code hidden inside what looks like a
normal program. When a user runs the normal program, the hidden code runs as well. It can
then start deleting files and causing other damage to the computer. Trojan horses are
normally spread by e-mail attachments. The Melissa virus that caused denial-of-service attacks
throughout the world in 1999 was a type of Trojan horse.
11. TYPES OF MALICIOUS ATTACKS
Worms - These are programs that run independently and travel from computer to computer
across network connections. Worms may have portions of themselves running on many
different computers. Worms do not change other programs, although they may carry other
code that does.
Password cracking - This is a technique attackers use to surreptitiously gain system access
through another user's account. This is possible because users often select weak passwords.
The two major problems with passwords are that they are easy to guess based on knowledge
of the user (for example, a wife's maiden name) and that they are susceptible to dictionary
attacks (that is, using a dictionary as the source of guesses).
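A password-policy check that screens for the two weaknesses the slide names, guesses based on knowledge of the user and dictionary words, written here as an added Python example (not from the original slides); the word list, the user profile and the 12-character minimum are constructed assumptions.

```python
import re

# Constructed word list; a real deployment would load a large dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "football"}
# Constructed profile for one user: the kind of facts an attacker could learn about them.
USER_PROFILE = {"username": "alice", "spouse_maiden_name": "Hartley",
                "birth_year": "1984", "pet": "Biscuit"}
# Common character substitutions that dictionary attacks try automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Undo common mangling so 'H4rtley99!' and 'P@ssw0rd2016' compare as 'hartley' and 'password'."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())   # drop appended digits/symbols
    core = core.translate(LEET)                     # undo leet substitutions
    return re.sub(r"^[\W_]+", "", core)             # drop leading symbols


def weak_reasons(pw, profile, dictionary, min_len=12):
    """Return the reasons a candidate password would be easy to crack (empty list if none found)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = normalize(pw)
    if core in dictionary:
        reasons.append("dictionary word (vulnerable to dictionary attack)")
    for field, value in profile.items():
        v = value.lower()
        # Either direction: the password contains the fact, or is a fragment of it.
        if len(core) >= 4 and len(v) >= 4 and (v in core or core in v):
            reasons.append(f"derived from user information: {field}")
    if profile.get("birth_year") and profile["birth_year"] in pw:
        reasons.append("contains birth year")
    return reasons


if __name__ == "__main__":
    for candidate in ("H4rtley99!", "P@ssw0rd2016", "Biscuit1984", "correct-horse-battery"):
        print(candidate, "->", weak_reasons(candidate, USER_PROFILE, DICTIONARY) or "ok")
```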
12. TYPES OF MALICIOUS ATTACKS
Denial-of-service attacks - This attack exploits the need to have a service available. It is a
growing trend on the Internet because Web sites in general are open doors ready for abuse.
People can easily flood the Web server with communication in order to keep it busy.
Therefore, companies connected to the Internet should prepare for denial-of-service (DoS)
attacks. They are also difficult to trace and can provide cover for other types of attacks.
E-mail hacking - Electronic mail is one of the most popular features of the Internet. With access
to Internet e-mail, someone can potentially correspond with any one of millions of people
worldwide. There are a number of ways in which a hacker can illegally gain access to an email
account and the majority of them rely on user behavior.
13. TYPES OF MALICIOUS ATTACKS
Eavesdropping - E-mail headers and contents are transmitted in clear text if no encryption
is used. As a result, the contents of a message can be read or altered in transit. The header
can be modified to hide or change the sender, or to redirect the message.
Packet replay - This refers to the recording and retransmission of message packets in the
network. Packet replay is a significant threat for programs that require authentication
sequences, because an intruder could replay legitimate authentication sequence messages to
gain access to a system. Packet replay is frequently undetectable, but can be prevented by
using packet time stamping and packet sequence counting.
Packet modification - This involves one system intercepting and modifying a packet destined for
another system. Packet information may not only be modified, it could also be destroyed.
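The timestamp-and-sequence-counter defence described above for packet replay, plus a message authentication code that catches packet modification, as an added Python example (not part of the original slides); the shared key, the message format and the 30-second freshness window are assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example; a real system would provision a per-session key.
KEY = b"example-shared-key-not-for-production"
MAX_SKEW = 30  # seconds: how old (or how far ahead) a timestamp may be and still be accepted

def build_message(key, seq, payload, now):
    """Sender: attach a sequence number and timestamp, then a MAC over all three fields."""
    body = {"seq": seq, "ts": int(now), "payload": payload}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_message(key, msg, state, now):
    """Receiver: state holds the last accepted sequence number. Returns (accepted, reason)."""
    raw = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    # 1. Integrity first: a modified or forged packet never reaches the freshness checks.
    if not hmac.compare_digest(expected, msg["tag"]):
        return False, "bad MAC: packet modified or forged"
    # 2. Time stamping: a recording replayed much later fails the freshness window.
    if abs(int(now) - msg["body"]["ts"]) > MAX_SKEW:
        return False, "stale timestamp: delayed replay"
    # 3. Sequence counting: an exact replay inside the window reuses an old counter value.
    if msg["body"]["seq"] <= state["last_seq"]:
        return False, "sequence number already seen: replay"
    state["last_seq"] = msg["body"]["seq"]
    return True, "accepted"

def demo():
    """One genuine authentication message, then three attacks on it; returns the four verdicts."""
    now = 1_700_000_000  # constructed clock value
    state = {"last_seq": 0}
    login = build_message(KEY, 1, "AUTH user=alice", now)
    verdicts = [verify_message(KEY, login, state, now)[0]]          # genuine: accepted
    verdicts.append(verify_message(KEY, login, state, now + 1)[0])  # exact replay: rejected
    tampered = {"body": dict(login["body"], payload="AUTH user=mallory"), "tag": login["tag"]}
    verdicts.append(verify_message(KEY, tampered, state, now)[0])   # modified: rejected
    old = build_message(KEY, 2, "AUTH user=alice", now - 600)
    verdicts.append(verify_message(KEY, old, state, now)[0])        # recorded 10 min ago: rejected
    return verdicts

if __name__ == "__main__":
    print(demo())
```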
14. TYPES OF MALICIOUS ATTACKS
Impersonation - The sender address on Internet e-mail cannot be trusted because the sender
can create a false return address. Someone could have modified the header in transit, or the
sender could have connected directly to the Simple Mail Transfer Protocol (SMTP) port on the
target computer to enter the e-mail.
Spamming - This is the use of electronic messaging systems to send unsolicited messages (spam),
especially advertising, as well as sending messages repeatedly on the same site.
Intrusion attacks - In these attacks, a hacker uses various hacking tools to gain access to
systems. These can range from password-cracking tools to protocol hacking and manipulation
tools. Intrusion detection tools often can help to detect changes and variants that take place
within systems and networks.
15. TYPES OF MALICIOUS ATTACKS
Social engineering - This is a common form of cracking. It can be used by outsiders and by
people within an organization. Social engineering is a hacker term for tricking people into
revealing their password or some form of security information.
Network spoofing - In network spoofing, a system presents itself to the network as though it
were a different system (computer A impersonates computer B by sending B's address
instead of its own). The reason for doing this is that systems tend to operate within a group of
other trusted systems. Trust is imparted in a one-to-one fashion; computer A trusts computer
B (this does not imply that system B trusts system A). Implied with this trust is that the system
administrator of the trusted system is performing the job properly and maintaining an
appropriate level of security for the system.
17. CASES OF MALICIOUS ATTACK
UBS PaineWebber - Not all attackers steal data — some just want to do damage. The UBS
PaineWebber case is one example of an attack designed to disable the company rather than
gain information.
Roger Duronio was sentenced to 97 months for planting a "logic bomb" that took down as
many as 2,000 servers around the country in UBS PaineWebber offices. This meant that the
company was unable to make trades for up to several weeks in some offices and the company
reported a cost of $3.1 million to recover from the attacks. It's unknown how much the
company lost in business during the time its networks were disabled.
18. CASES OF MALICIOUS ATTACK
Insider from Outside - Sometimes an insider attack isn't committed inside the company at all —
but by contractors given access to the company network. Consider the case of leaked British
bank accounts from call centers in India.
According to the report, as many as 200,000 bank accounts were compromised by a call
center in Pune, India. Officials were quick to note that "offshoring" was not the issue, but the
way that the company handled security. At any rate — companies should be very careful in
allowing access to sensitive data by contractors.
19. CASES OF MALICIOUS ATTACK
Terry Childs - If you haven't been hiding from the news for the past few years, you've no doubt
heard of Terry Childs. Childs was a system administrator for the city of San Francisco.
According to reports, Childs changed network passwords to the Fiber WAN system that carried
the majority of network traffic for the San Francisco city government.
In 2008, Childs refused to provide the passwords to his supervisor saying he was "unqualified"
to have access. The incident didn't end well for Childs, who has been sentenced to four years
in state prison for the hack. It didn't do much for the city of San Francisco, either — which
claimed it cost $900,000 to try to regain control of the network over the 12 days that it was
locked out. Not to mention the black eye the city received in the press over its lax security.
20. CASES OF MALICIOUS ATTACK
The Athens Affair - Not all insider attacks are solved, but what IEEE Spectrum has dubbed "The
Athens Affair" seems likely to have been an insider attack. According to reports, more than 100
government officials, dignitaries, and employees of the U.S. embassy in Greece were caught
out by an insider attack.
How? Cell phone tapping carried out by a subversion of the Vodafone Greece telephone
network. It's unknown what, exactly, was learned by the attack — but it was clear that the
attack gave access to quite a few government officials' conversations, and possibly access to
government secrets. This was discovered in March of 2005, and was considered one of the
biggest insider attacks on a government — until Wikileaks.
21. CASES OF MALICIOUS ATTACK
Wikileaks: Bradley Manning - Some people are big fans of Wikileaks, others not so much — but
there should be little disagreement that it was a major illustration of how not to secure
sensitive documents.
Bradley Manning had access to the Department of Defense's Secret Internet Protocol Router
Network (SIPRNet), and accessed material from the network and passed it to Wikileaks. How
much material? According to Wired about 260,000 classified diplomatic cables. What's scarier?
Manning had access to the networks and managed to smuggle the data out on CD-RWs that
he brought into his post. If the physical and network security for the Department of Defense is
that weak, it should make businesses think about their security.
22. CASES OF MALICIOUS ATTACK
April 27, 2000 - Cheng Tsz-chung, 22, was put behind bars last night after changing the
password on another user's account and then demanding $500 (Hong Kong currency) to
change it back. The victim paid the money and then contacted police. Cheng has pleaded
guilty to one charge of unauthorized access of a computer and two counts of theft. The
magistrate remanded Cheng in custody and said his sentence, which will be handed down on
May 10 pending reports, must have a deterrent effect. Cheng's lawyer told Magistrate Ian
Candy that his client committed the offenses "just for fun."
24. HOW TO PREVENT MALICIOUS ATTACKS
INSTITUTE PERIODIC ENTERPRISE-WIDE RISK ASSESSMENTS
The organization must take an enterprise-wide view of information security, first determining its critical assets, then defining a risk management strategy for protecting those assets from both insiders and outsiders.
INSTITUTE PERIODIC SECURITY AWARENESS TRAINING
All employees in an organization must understand that security policies and procedures exist, that there is a good reason why they exist, that they must be enforced, and that there can be serious consequences for infractions.
ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE
Effective separation of duties requires the implementation of least privilege; that is, authorizing people only for the resources they need to do their jobs.
25. HOW TO PREVENT MALICIOUS ATTACKS
IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES
If the organization’s computer accounts can be compromised, insiders have an opportunity to circumvent both manual and automated mechanisms in place to prevent insider attacks.
LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS
Logging, periodic monitoring, and auditing provide an organization the opportunity to discover and investigate suspicious insider actions before more serious consequences ensue.
USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND PRIVILEGED USERS
Typically, logging and monitoring is performed by a combination of system administrators and privileged users. Therefore, additional vigilance must be devoted to those users.
26. HOW TO PREVENT MALICIOUS ATTACKS
ACTIVELY DEFEND AGAINST MALICIOUS CODE
System administrators or privileged users can deploy logic bombs or install other malicious code on the system or network. These types of attacks are stealthy and therefore difficult to detect ahead of time.
USE LAYERED DEFENSE AGAINST REMOTE ATTACKS
Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote access policies and procedures must be designed and implemented very carefully.
MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR
Organizations should closely monitor other suspicious or disruptive behavior by employees in the workplace. Policies and procedures should be in place for employees to report such behavior when they observe it in coworkers.
27. HOW TO PREVENT MALICIOUS ATTACKS
DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION
When an employee terminates employment, whatever the circumstances are, it is important that the organization have in place a rigorous termination procedure that disables all of the employee’s access points.
COLLECT AND SAVE DATA FOR USE IN INVESTIGATIONS
Should an insider attack, it is important that the organization have evidence in hand to identify the insider and follow up appropriately.
IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES
It is important that organizations prepare for the possibility of an attack or disruption by implementing secure backup and recovery processes that are tested periodically.
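An added Python example (not from the original slides) that applies two of the practices above, logging/monitoring/auditing of employee actions and deactivating access after termination, to an authentication log: it flags any activity by an account after its owner's termination date and marks administrator activity for the extra scrutiny the slides call for. The log lines, the HR roster and the "admin-" account naming convention are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a simplified authentication log (not from any real system).
AUTH_LOG = """\
2016-01-28T08:02:11Z login ok user=jdoe src=10.0.5.21
2016-01-29T17:45:03Z login ok user=admin-rsmith src=10.0.9.7
2016-02-01T23:12:40Z login ok user=jdoe src=203.0.113.9
2016-02-01T23:14:02Z sudo user=jdoe cmd=/bin/sh
2016-02-02T09:00:15Z login ok user=mlee src=10.0.5.30
this line is not in the expected format
"""

# Constructed HR roster: base username -> termination date (UTC), or None if still employed.
TERMINATIONS = {"jdoe": "2016-01-30", "rsmith": None, "mlee": None}
PRIVILEGED_PREFIX = "admin-"  # assumed naming convention for administrator accounts

LINE_RE = re.compile(r"^(\S+) (login ok|sudo) user=(\S+)(?: src=(\S+))?(?: cmd=(\S+))?$")

def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, user, src, cmd = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "user": user, "src": src, "cmd": cmd}

def audit(log_text, terminations):
    """Return (severity, user, timestamp, reason) findings for an analyst to review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["user"]
        base = user[len(PRIVILEGED_PREFIX):] if user.startswith(PRIVILEGED_PREFIX) else user
        term = terminations.get(base)
        if term is not None:
            term_dt = datetime.fromisoformat(term).replace(tzinfo=timezone.utc)
            if rec["ts"] >= term_dt:  # access that should have been disabled at termination
                findings.append(("HIGH", user, rec["ts"].isoformat(), "activity after termination"))
        if user.startswith(PRIVILEGED_PREFIX) or rec["event"] == "sudo":
            findings.append(("REVIEW", user, rec["ts"].isoformat(), "privileged activity"))
    return findings

if __name__ == "__main__":
    for finding in audit(AUTH_LOG, TERMINATIONS):
        print(*finding)
```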
29. CONCLUSION
Vulnerabilities left unpatched can and will be used against you.
Attackers are more sophisticated.
Defenders need to understand the attackers’ perspective.
No organization can do without antivirus and anti-spyware software, so you should keep updating your software.
Computer security professionals should understand the realm of threats and attacks that happen to information systems daily.
Top computer security is a process and is continuous. Technology alone will not solve computer security.
The human element is the most damaging threat to information systems, and one that researchers are still trying to figure out.