Track - Web Security - Unit 2

Threats and Attacks

Terminology (1)

• Vulnerability: weakness or fault that can lead to an exposure
• Threat: generic term for objects or people that pose potential danger to assets (via attacks)
• Threat agent: specific object or person that poses such a danger (by carrying out an attack)
  – DDoS attacks are a threat
  – If a hacker carries out a DDoS attack, he's a threat agent
• Risk: probability that "something bad" happens times the expected damage to the organization
  – Not the same thing as a vulnerability or an exploit; e.g., a web service running on a server may have a vulnerability, but if the server is not connected to the network the risk from remote attackers is essentially zero (only someone with local access could exploit it)
• Exposure: a successful attack
• Vector: how the attack was carried out, e.g., a malicious email attachment
Terminology (2)

• Malware: malicious code such as viruses, worms, Trojan horses, bots, backdoors, spyware, adware, etc.
• Disclosure (of a vulnerability): responsible/coordinated, full, partial, none, delayed, etc.
• Authentication: determining the identity of a person, computer, or service on a computer
• Authorization: determining whether an entity (person, program, computer) has access to an object
  – Can be implicit (having access to an email account implies access to its messages) or explicit (attributes specifying which users/groups can read/write/execute a file)
• Incident: definitions vary
  – Any attack, all attacks using vulnerability X, etc.
  – Anything resulting in service degradation other than problem management or service request fulfillment
Threats (1)

• Threat: an object, person, or other entity that represents a constant danger to an asset
• Management must be informed of the different threats facing the organization
• By examining each threat category, management can protect information effectively through policy, education, training, and technology controls
Threats (2)

• 2004 Computer Security Institute (CSI) / Federal Bureau of Investigation (FBI) survey found:
  – 79% of organizations reported cyber security breaches within the last 12 months
  – 54% of those organizations quantified their financial losses, totaling about $141 million across all respondents
• Take the survey with a grain of salt
  – Underreporting, fear of bad publicity
  – Cybercrime: easy $$ at perceived low risk to the attacker
Table 2.1: Threats to Info. Security

Threat Category                       | Examples
--------------------------------------|------------------------------------------
Acts of human error or failure        | Accidents, employee mistakes
Intellectual property compromise      | Piracy, copyright infringement
Deliberate espionage or trespass      | Unauthorized access, data collection
Deliberate information extortion      | Blackmail over information disclosure
Deliberate sabotage or vandalism      | Destruction of systems or information
Deliberate theft                      | Illegally taking equipment or information
Deliberate software attacks           | Viruses, worms, denial of service
Forces of nature                      | Fires, floods, earthquakes
Deviations in service from providers  | Power and Internet provider issues
Technological hardware failures       | Equipment failure
Technological software failures       | Bugs, code problems, unknown loopholes
Technological obsolescence            | Antiquated or outdated technologies
Acts of Human Error or Failure (1)

• Includes actions without malicious intent
• Causes include:
  – Inexperience
  – Improper training
  – Incorrect assumptions
• Employees: among the greatest threats to an organization's data
Acts of Human Error or Failure (2)

• Employee mistakes can easily lead to:
  – Revelation of classified data
  – Entry of erroneous data
  – Accidental data deletion or modification
  – Data storage in unprotected areas
  – Failure to protect information
• Many of these threats can be prevented with controls
• Then there's the insider threat…
Questions

• Who poses the biggest threat to your company?
  – "Script kiddie" software hacker?
  – Convicted burglar in the area?
  – Employee who accidentally deletes the sole copy of the project source code?
• How can we guard against these threats?
Deliberate Acts of Espionage/Trespass

• Unauthorized people access protected information
• Competitive intelligence (legal) vs. industrial espionage (illegal)
• Shoulder surfing can occur anywhere a person accesses confidential information
• Controls (e.g., login banners) let trespassers know they are encroaching on the organization's cyberspace
• Hackers use skill, guile, or fraud to bypass the controls protecting others' information
• European Network and Information Security Agency (ENISA) video
Deliberate Acts of Theft

• Illegal taking of another's physical, electronic, or intellectual property
• Physical theft can be controlled relatively easily (locks, inventories)
• Electronic theft is more complex: evidence of the crime is not obvious, because the original stays in place and only a copy leaves
Deliberate Software Attacks

• Malicious software (malware) damages, destroys, or denies service to target systems
• Includes:
  – Viruses: malware that propagates with human help (e.g., a user opening an infected file)
  – Worms: self-propagating malware that spreads over networks
  – Trojan horses: malware that claims a benign purpose
  – Logic bombs: malicious code planted in software that fires when a condition chosen by the attacker is met (a date, an event, a missing payroll record)
  – Backdoors: hidden bypass of system authentication
  – Denial-of-service (DoS) attacks: one common type is a traffic flood that takes an Internet service down
Forces of Nature

• Forces of nature: among the most dangerous threats
• Disrupt individual lives plus information storage, transfer, and use
• Organizations must implement controls to limit damage and prepare for worst-case scenarios
Deviations in Quality of Service

• Situations where products or services are not delivered as expected
• An information system depends on many support systems
• Internet service, communications, and power outages affect system availability

[Figure: U.S. states and provinces affected by the 2003 Northeast blackout (source: Wikipedia)]
Internet Service Issues

• Internet service provider (ISP) failures can undermine information availability
• A company's outsourced Web hosting provider is responsible for all of the company's Internet services plus the hardware, OS, and software, so the provider's failures become the company's outages
Attacks (1)

• An act or action that exploits a vulnerability (i.e., an identified weakness) in a controlled system
• Accomplished by a threat agent that damages or steals the organization's information
Attacks (2)

• Malicious code: launching viruses, worms, Trojan horses, and active Web scripts aiming to steal or destroy information
• Backdoor: accessing a system or network using a known or previously unknown mechanism that bypasses normal authentication
• Password crack: attempting to recover a password from its stored (hashed) form, usually offline, by hashing candidate passwords and comparing the results against the stored hash
• Brute force: trying every possible combination of characters for a password; cost grows exponentially with length
• Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses; far fewer guesses than brute force, but only finds passwords that are in the list
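The password-crack, brute-force and dictionary items above, as an added worked example (not code from the slides or the textbook). It runs a dictionary attack and a brute-force attack against constructed unsalted SHA-256 hashes, then repeats the dictionary attack against PBKDF2 hashes with constructed per-user salts to show why one precomputed table no longer works. The usernames, passwords, salts and wordlist are all made up for the demo.

```python
# Added example (not from the slides): offline password cracking against
# stored hashes, contrasting a dictionary attack with a brute-force attack,
# and showing what per-user salts and a slow hash do to the attacker's
# work. Usernames, passwords, salts and the wordlist are all constructed
# for this demo; nothing here is a real credential.
import hashlib
import itertools
import string

WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2024", "welcome1"]
ALPHABET = string.ascii_lowercase + string.digits


def sha256_hex(pw: str) -> str:
    """Fast, unsalted hash: the weak way passwords are sometimes stored."""
    return hashlib.sha256(pw.encode()).hexdigest()


def pbkdf2_hex(pw: str, salt: bytes, rounds: int = 10_000) -> str:
    """Slow, salted hash: each guess costs `rounds` HMAC iterations."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


# Constructed "password database" with unsalted SHA-256 digests.
UNSALTED_DB = {
    "alice": sha256_hex("letmein"),   # in the wordlist
    "bob": sha256_hex("zq7"),         # short and not in the wordlist
}

# Same password for two users, but different per-user salts (constructed).
SALTED_DB = {
    "alice": (b"\x01\x02\x03\x04", pbkdf2_hex("letmein", b"\x01\x02\x03\x04")),
    "carol": (b"\x09\x08\x07\x06", pbkdf2_hex("letmein", b"\x09\x08\x07\x06")),
}


def dictionary_attack(db: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted hashes: hash each word ONCE, then look
    up every user whose stored digest matches. Cost is len(wordlist) hashes
    no matter how many users there are."""
    lookup = {sha256_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in db.items() if h in lookup}


def brute_force(target_hex: str, alphabet: str = ALPHABET, max_len: int = 3):
    """Brute force: try every string over `alphabet` up to `max_len`.
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guesses += 1
            cand = "".join(combo)
            if sha256_hex(cand) == target_hex:
                return cand, guesses
    return None, guesses


def dictionary_attack_salted(db: dict, wordlist: list):
    """Against salted, slow hashes there is no shared lookup table: every
    (user, word) pair costs a full PBKDF2 run. Returns (cracked, work)."""
    cracked, work = {}, 0
    for user, (salt, digest) in db.items():
        for w in wordlist:
            work += 1
            if pbkdf2_hex(w, salt) == digest:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    print("dictionary (unsalted):", dictionary_attack(UNSALTED_DB, WORDLIST))
    print("brute force (bob):", brute_force(UNSALTED_DB["bob"]))
    print("dictionary (salted):", dictionary_attack_salted(SALTED_DB, WORDLIST))
```

The unsalted database falls to one pass over the wordlist for every user at once; bob's password is not in the list, so it takes tens of thousands of brute-force guesses even at length 3. With salts, alice and carol share a password but get different digests, so the attacker pays the slow hash separately for each user and each word.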
Attacks (3)

• Denial-of-service (DoS): attacker sends a large number of connection or information requests to a target
• The target system cannot handle them successfully along with other, legitimate service requests
• May result in a system crash or inability to perform ordinary functions
• Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against the target from many locations simultaneously (typically a botnet), which defeats blocking by source address
Attacks (4)

• Spoofing: technique used to gain unauthorized access; the intruder assumes a trusted IP address (or other identity)
• Man-in-the-middle: attacker intercepts network packets, modifies them, and inserts them back into the network while both endpoints believe they are talking directly to each other
• Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it has emerged as a vector for some attacks (phishing, malicious attachments)
Attacks (5)

• Mail bombing: also a DoS; attacker routes large quantities of e-mail to the target
• Sniffers: program or device that monitors data traveling over a network; can be used both for legitimate purposes (troubleshooting) and for stealing information from a network
• Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker
Attacks (6)

• Buffer overflow: application error where more data is sent to a buffer than it can hold; the excess overwrites adjacent memory and may let the attacker run code of their choosing
• Timing attack: infers secret information from how long an operation takes; e.g., a comparison that returns at the first mismatched byte takes slightly longer the more leading bytes of a password or token the attacker has guessed correctly, so the secret can be recovered one byte at a time
• Side-channel attacks: secretly observe computer screen contents, electromagnetic radiation, keystroke sounds, power draw, etc., rather than attacking the algorithm itself (timing is one such channel)
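The timing-attack bullet above, as an added worked example (not code from the slides). A real attack measures elapsed time over many requests; to keep the demo deterministic, the vulnerable comparison here also reports how many bytes matched before it stopped, which is exactly what the timing measurement would reveal. The secret token, the alphabet and the "oracle" call interface are constructed assumptions for this demo; the fix shown is the standard library's `hmac.compare_digest`.

```python
# Added example (not from the slides): a timing attack against an early-exit
# string comparison, and the constant-time comparison that defeats it. The
# vulnerable compare returns the matched-prefix length as a stand-in for
# "how long the server took". The token, alphabet and oracle interface are
# constructed for this demo.
import hmac
import string

SECRET_TOKEN = b"s3cr3t-api-key"                       # constructed secret
ALPHABET = (string.ascii_lowercase + string.digits + "-").encode()


def insecure_compare(guess: bytes, secret: bytes):
    """Byte-by-byte compare that returns at the first mismatch.
    Returns (equal, matched_prefix_len); the second value models the
    elapsed time an attacker would measure."""
    if len(guess) != len(secret):
        return False, 0
    matched = 0
    for g, s in zip(guess, secret):
        if g != s:
            return False, matched          # early exit leaks the prefix length
        matched += 1
    return True, matched


def constant_time_compare(guess: bytes, secret: bytes):
    """hmac.compare_digest examines every byte regardless of where the first
    mismatch is, so the work (time) does not depend on the guess. It still
    leaks the length, which is why the attacker is handed it below."""
    return hmac.compare_digest(guess, secret), len(secret)


def recover_token(oracle, length: int, alphabet: bytes = ALPHABET) -> bytes:
    """Attacker loop: at each position, keep the byte for which the oracle
    did the most work (took the longest), then move to the next position.
    Needs len(alphabet) * length queries instead of len(alphabet) ** length."""
    known = b""
    for pos in range(length):
        best_byte, best_work = None, -1
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            _, work = oracle(guess)
            if work > best_work:
                best_byte, best_work = c, work
        known += bytes([best_byte])
    return known


def insecure_oracle(guess: bytes):
    """Server endpoint using the leaky compare (constructed)."""
    return insecure_compare(guess, SECRET_TOKEN)


def constant_time_oracle(guess: bytes):
    """Same endpoint after the fix."""
    return constant_time_compare(guess, SECRET_TOKEN)


if __name__ == "__main__":
    n = len(SECRET_TOKEN)
    print("early-exit compare ->", recover_token(insecure_oracle, n))
    print("constant-time compare ->", recover_token(constant_time_oracle, n))
```

Against the early-exit compare the attacker recovers the 14-byte token with 14 × 37 queries; against the constant-time compare every guess costs the same, so the loop learns nothing and just returns the first alphabet byte repeated.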
Table 2.2: Attack Replication Vectors

Attack Vector                             | Description
------------------------------------------|------------------------------------------------------------
IP Scan and Attack                        | Malware-infected system scans for target IP addresses, then probes for vulnerable system components (e.g., Conficker).
Web Browsing                              | Malware-infected systems with webpage write privileges infect Web content (e.g., HTML files).
Viruses                                   | Malware-infected system infects other systems to which it has access via executable scripts (human activity required).
Unprotected Shares                        | Malware-infected system uses file system vulnerabilities to spread malware to all writable locations.
Mass Email                                | Malware-infected system spams all contacts found in users' address books.
Simple Network Management Protocol (SNMP) | Malware-infected systems use SNMP to guess common or weak passwords (community strings) on other network-connected systems, then spread. (Vendors have fixed many of these bugs.)
[Figure: IP spoofing attack (source: Wikipedia)]
[Figure: Denial-of-service attack]
[Figure: Man-in-the-middle attack (source: Wikipedia)]
Laws and Ethics: Introduction

• You need to understand an organization's legal and ethical responsibilities
• To minimize liabilities and reduce risks, the information security practitioner must:
  – Understand the current legal environment
  – Stay current with laws and regulations
  – Watch for emerging issues
Terminology (1)

• See also page 89 of textbook
• Cultural mores: fixed morals or customs of a group of people; they form the basis of ethics
• Ethics: rules that define socially acceptable behavior; not necessarily criminal, not enforced via authority/courts
• Laws: rules that mandate or prohibit behavior, enforced by a governing authority (courts)
  – Laws carry the sanctions of a governing authority; ethics do not
• Policy: "organizational laws"
  – Expectations that define acceptable workplace behavior
  – General and broad, not aimed at specific technologies or procedures
  – To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees
Terminology (2)

• Standards, guidelines, best practices: define what must be done to comply with policy and how to do so
• Jurisdiction: a court's right to hear a case if a wrong was committed in its territory or against its citizens
• Long-arm jurisdiction: a court's ability to "reach far" and apply its law (to another state or country)
• Case law: documentation of how the law has been applied in various cases
• Liability: legal obligation that extends beyond what criminal law requires (e.g., to make restitution); increases if you fail to take due care
• Due care: has been taken when employees know what is and isn't acceptable and what the consequences are
• Due diligence: sustained, ongoing effort to protect others (evidence that due care is actually practiced, not just documented)
Types of Law

• Civil: the body of laws governing a nation or state
• Criminal: addresses actions harmful to society; prosecuted by the state
• Tort: individual lawsuits as recourse for "wrongs"; brought by the injured party (through their attorneys) rather than prosecuted by the state
• Private: includes family, commercial, labor law
• Public: includes criminal, administrative, constitutional law
Law and Information Security

• In practice, you can be sued for almost anything; no "absolute" protection against litigation
• Information security practices can:
  – Reduce the likelihood that incidents result in lawsuits
  – Reduce the likelihood that you lose (by showing due care, due diligence)
  – Minimize damages/awards
  – Help you respond effectively to incidents
• We'll focus on criminal laws. Know Table 3-1 in the book; FERPA, HIPAA, DMCA.
Relevant Federal Laws (General)

• Computer Fraud and Abuse Act of 1986 (CFAA)
• National Information Infrastructure Protection Act of 1996
• USA PATRIOT Act of 2001 (most provisions made permanent in 2006)
  – Broadens reach of law enforcement agencies
  – Broadens "protected" information regarding open records law
  – Increased accountability, sanctions against money laundering
  – National Security Letters: administrative subpoenas issued without a court order, accompanied by nondisclosure ("gag") orders
• Telecommunications Deregulation and Competition Act of 1996
• Communications Decency Act of 1996 (CDA) (partly struck down)
• Computer Security Act of 1987: sets minimal federal government security standards
Relevant Federal Laws (Privacy)

• Federal Privacy Act of 1974: governs records held by the federal government
• Electronic Communications Privacy Act of 1986: regulates interception of electronic communications
• Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999 (GLBA): require privacy policies in the healthcare and financial industries, restrict sharing and use of customer information
• Family Educational Rights and Privacy Act (FERPA): restricts distribution of "student academic records" (including names and grades)
• Freedom of Information Act of 1966: anyone can request information from the government; some information is protected
• FACTA Red Flags Rule (enforced from 2009): requires identity theft prevention programs
Relevant Federal Laws (Copyright)

• Intellectual property (IP) protection in the U.S. and other countries
• Copyright law extends to electronic formats
• With citations, you can include brief portions of others' work as reference ("fair use")
• U.S. Copyright Office website: http://www.copyright.gov
• Digital Millennium Copyright Act of 1998 (DMCA): criminalizes circumvention of technological copyright protection measures (some exceptions)
State and Local Regulations

• Restrictions on organizational computer technology use at state and local levels
• The information security professional is responsible for understanding applicable regulations and compliance
• State of Ohio:
  – Ohio Rev. Code §1347: notify data breach victims
  – Open records, anti-spam laws
International Laws and Legal Bodies

• Council of Europe Convention on Cybercrime (Budapest Convention, 2001):
  – Creates an international task force to oversee Internet security functions and standardize technology laws across signatory countries
  – Attempts to improve the effectiveness of international investigations into breaches of technology law
• General Data Protection Regulation (GDPR): EU regulation governing the processing of personal data; requires disclosure about what data is collected and a lawful basis for processing it, such as user consent
United Nations Charter

• Makes provisions, to a degree, for information security during information warfare (IW)
• IW uses information technology to conduct organized and lawful military operations
• IW is a fairly new type of warfare, although militaries have been conducting electronic warfare operations for decades
Ethics and Information Security
Ethical Differences Across Cultures

• Cultural differences create difficulty in determining ethical behavior
• Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group
• Example: ways of using computer technology (such as copying software) that are accepted in some cultures are considered piracy in others
Ethics and Education

• Education levels ethical perceptions within a small group of people
• Employees must be trained in expected behaviors, especially regarding information security
• Proper ethical training is vital to creating an informed, well-prepared, and low-risk system user
Association of Computing Machinery (ACM)

• ACM established in 1947 as the "world's first educational and scientific computing society"
• Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property
Computer Security Institute (CSI)

• Provides training to support computer, networking, and information security professionals
• Argued for adoption of ethical behavior among information security professionals
Key U.S. Federal Agencies

• Department of Homeland Security (DHS)
• Federal Bureau of Investigation's (FBI's) National Infrastructure Protection Center (NIPC)
• National Security Agency (NSA)
• U.S. Secret Service
Policy, Standards and Practices

• Communities of interest need to consider policies as the starting point for security efforts
• Policies direct how issues should be addressed and technologies used
• Security policies are the least expensive controls to execute but the most difficult to implement
• Shaping policy is difficult

OSU Policies and Standards

• Policies
  – Responsible Use of University Computing & Network Resources
  – Archives & Retention
  – Merchant Services & Use of Credit Cards
  – Deployment, Use of Wireless Data Networks
  – Public Records
  – Data Policy
  – Personal Info Disclosure
• Standards
  – University Computer Security Standards:
    • Min. Computer Security
    • Critical Server Security
    • Web Server Security
    • DB Server Security
  – Local Administrative Privilege Standard
  – See http://ocio.osu.edu for more details
Policy Management

• Policy management is needed because the environment changes
• To remain viable, security policies must have:
  – People responsible for reviews
  – A schedule of reviews
  – A method for recommending revisions
  – Specific policy issuance and revision dates
Information Classification

• Information classification is an important aspect of policy (e.g., public, internal, classified)
• Specific company policies may themselves be classified, but general guidelines are shared among companies
• A clean desk policy stipulates that at the end of the business day, classified information is properly secured
• Questions:
  – Feasibility?
  – Benefits?
Security Education, Training, and Awareness Program

• Security education, training and awareness (SETA) implementation should follow security policy
  – Designed to reduce accidental security breaches
  – Training builds on the general knowledge employees need for their jobs (focused on security aspects)
Security Education

• Everyone in an organization needs to be trained and aware of information security; not every member needs a formal degree or certificate in information security
• When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education
• A number of universities have formal coursework in information security
Security Training

• Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
• Management of information security can develop customized in-house training or outsource the training program
Spheres of Security (Fig. 5-15)
Design of Security Architecture

• Defense in depth
– Implementation of security in layers
– Requires that organization establish sufficient security controls and safeguards
so that an intruder faces multiple layers of controls
• Security perimeter
– Point at which an organization’s security protection ends and
outside world begins
– Does not apply to internal attacks from employee threats or on-site physical
threats
Security Technology Components

• Firewall: device that selectively allows information into/out of the organization according to rules (addresses, ports, protocols, connection state)
• Demilitarized Zone (DMZ): "no-man's land" between the inside and outside networks; some companies place Web servers here so that a compromised Web server is not sitting on the internal network
• Intrusion Detection Systems (IDSs): detect unauthorized (strange) activity on the organizational network, individual machines, or both, either by matching known attack signatures or by flagging deviations from a baseline
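As an added worked example (not code from the slides) tying the IDS component to the DoS/DDoS definitions from the Attacks slides: a minimal rate-based detector over connection-log lines that flags a window with too many SYNs to one destination, and tells a single-source DoS apart from a distributed DDoS by looking at how the load is spread over source addresses. The log format, the IP addresses (documentation ranges), the window size and the thresholds are constructed assumptions for this demo, not any product's format or defaults.

```python
# Added example (not from the slides): rate-based flood detection of the
# kind an IDS runs over connection logs. The log format
# ("<ISO time> <src> -> <dst>:<port> SYN"), the addresses, the window size
# and the thresholds are constructed assumptions for this demo.
from collections import Counter, defaultdict
from datetime import datetime

WINDOW_SECONDS = 10        # bucket size for counting SYNs
FLOOD_THRESHOLD = 10       # SYNs per window per destination that is "too many"
DOS_DOMINANT_SHARE = 0.8   # one source sending >= 80% of a flood -> DoS
DDOS_MIN_SOURCES = 8       # a flood spread over >= 8 sources -> DDoS


def build_sample_log() -> list:
    """Constructed sample log: a quiet window, then a single-source flood,
    then a distributed flood against the same destination, plus one
    malformed line to show the parser tolerating it."""
    lines = []
    for i, ip in enumerate(["198.51.100.2", "198.51.100.3", "198.51.100.4"]):
        lines.append(f"2024-05-01T10:00:0{i} {ip} -> 203.0.113.10:443 SYN")
    for i in range(12):                       # one client, 12 SYNs in 10 s
        lines.append(f"2024-05-01T10:00:1{i % 10} 192.0.2.77 -> 203.0.113.10:443 SYN")
    for i in range(14):                       # 10 distinct clients, 14 SYNs in 10 s
        lines.append(f"2024-05-01T10:00:2{i % 10} 192.0.2.{100 + i % 10} -> 203.0.113.10:443 SYN")
    lines.append("garbage line that does not parse")
    return lines


def parse_line(line: str):
    """Return (window, src, dst, flag) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    ts, src, _, dst, flag = parts
    try:
        t = datetime.fromisoformat(ts)
    except ValueError:
        return None
    secs = t.hour * 3600 + t.minute * 60 + t.second
    return secs // WINDOW_SECONDS, src, dst, flag


def detect_floods(lines: list) -> list:
    """Return one (window, dst, verdict, detail) per window/destination whose
    SYN count reaches FLOOD_THRESHOLD. Verdict is "DoS" when one source
    dominates, "DDoS" when the load is spread over many sources, and
    "flood" for anything in between."""
    per_window = defaultdict(Counter)          # (window, dst) -> Counter(src)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                           # malformed: skip, don't crash
        window, src, dst, flag = parsed
        if flag == "SYN":
            per_window[(window, dst)][src] += 1

    alerts = []
    for (window, dst), sources in sorted(per_window.items()):
        total = sum(sources.values())
        if total < FLOOD_THRESHOLD:
            continue
        top_src, top_n = sources.most_common(1)[0]
        if top_n / total >= DOS_DOMINANT_SHARE:
            alerts.append((window, dst, "DoS", top_src))
        elif len(sources) >= DDOS_MIN_SOURCES:
            alerts.append((window, dst, "DDoS", f"{len(sources)} sources"))
        else:
            alerts.append((window, dst, "flood", "mixed sources"))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

On the constructed log the quiet first window produces nothing, the second window is reported as a DoS from 192.0.2.77, and the third as a DDoS from 10 sources. The DoS verdict suggests a per-source block; the DDoS verdict does not, which is why the distinction matters to the responder.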
Network Security Architecture (Fig. 5-18)
Summary

• Laws: state-enforced rules that mandate or prohibit certain behavior; drawn from ethics
• Ethics: define socially acceptable behaviors (may vary among groups)
• Policies: organizational laws
• Management needs to "set the tone" for security practices and support their deployment