Introduction and Security Trends

L02 - Background 2/6/2019

INTRODUCTION AND SECURITY TRENDS

Reading

• Textbook – Chapter 1 • US Intelligence Report www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf

Intelligence report reading should focus on the cyber related sections (e.g., Cyber)

1 L02 - Background 2/6/2019

Session Objectives

• Begin to • Understand recent trends in computer security • Understand the various types of threats that exist for computers and networks • Understand categories of threats and defenses • Learn of a few actual examples

Also start to think about the project you would like to do

The Security Problem

• Unlike fifty years ago, we live in an information society • Security is no longer only a physical issue • Computers now control most equipment and machinery • Computers are usually connected to the Internet • The value of the data on computers often exceeds the value of the equipment

Why does this make security more difficult?

2 L02 - Background 2/6/2019

Example – Computers in Automobiles

• Cars can have as many as 50 computers integrated into the system • Functions • Diagnostics • Simplification of manufacture How do we measure • Reduction in wiring the safety of auto computer systems? • Safety • Comfort and convenience

Source – howstuffworks.com

Trends SW of 20-30 years ago • Size of software was likely generated all (easy to hide malicious SW) by one SW team • Use of software components (often 3rd party components) • Transformation of mainframes to interconnected network of smaller systems • Operating systems (and even HW) not designed with security in mind • Evolution of Internet as a single network architecture connecting all devices

3 L02 - Background 2/6/2019

Some Definitions

• Malware – Malicious (or malevolent) software • Disrupts computer operations • Gathers sensitive data • Gain access to private systems • Malware includes • Computer viruses – SW that can replicate itself and spread from one computer to another and usually requires a user action • Worms – SW that can replicate itself and spread to other computers, usually without user action

Botnet

• Collection of Internet- connected computers whose security has been compromised and are partially controlled by a 3rd party

Bot (Web robot) – SW that runs Some estimate that ¼ of the automated tasks over the Internet 1B computers worldwide are part of some botnet

4 L02 - Background 2/6/2019

Why Are Computers Attacked?

• Fun? • Theft Have laws kept pace with the new developments in computer crime? • Vandalism • Warfare

Have system designers considered all threats to systems they design?

Threat Categories

• Viruses and Worms • Intruders • Insiders • Criminal Organizations • Nation states, Terrorists, and Information Warfare

5 L02 - Background 2/6/2019

Examples …

Malicious Pranks Financial Theft

• The Morris Worm • Citibank and Vladimir Levin • Kevin Mitnick • Adil Yahya Zakaria Shakour • Worcester Airport and “Jester” • Solar Sunrise • The Melissa Virus • The Love Letter Virus

Botnet extortion incidents – … Examples difficult to obtain data

Revenge Vandalism

• Omega Engineering and Timothy • The Code Red Worm Lloyd • The Slammer Worm

Physical Attack Information Warfare • Fiber Cable Cut • Ukraine electric grid Ransomware • US Electric Power Grid • Conficker (?) • WannaCry

6 L02 - Background 2/6/2019

Ukraine Electric Grid

• December 2015 • Successful attack against their electric grid (first know attack of this type) • Disruption to customers of 3 energy distribution companies • Damaged equipment and operations • Attack attributed to Russian government

Ransomware

• Grown steadily since 2012 • Represents a $1B (approximate) criminal enterprise • Files are locked on a victim’s computer until a ransom is paid

7 L02 - Background 2/6/2019

Brand Name Attacks

• Hacker groups develop tools, and then either use them or sell them. • Sometimes the group behind an attack can be identified through an analysis of their tools and processes • Examples • Energetic Bear – group of Russian hackers • Sandworm – Russian hackers involved in attack on the Ukraine • Shadow Brokers – Team that purportedly leaked NSA hacking tools • Equation Group – US team • Regin – UK group • Cozy Bear and Fancy Bear – Russian hackers

Detailed Example - Hacking

• Hacking into DoD contractor computers (used for scientific research) • Random event detection • Activity monitoring • Arrest Observations • Confession 1. Difficult to trace origins • Prosecution of attack 2. Events often outpace legal structure

8 L02 - Background 2/6/2019

Viruses and Worms

• Distinction between the writers of malware and those who release it • Viruses have no useful purpose. • The most common problem of an organization • Antivirus software and system patching can eliminate a large portion of this threat • Viruses and worms generally are non-discriminating threats • Viruses are detectable and usually not the choice for highly structured attacks.

Hacker Intruders

• Hacking - act of deliberately accessing computer systems and networks without authorization • Hackers - individuals who conduct this activity. • Unstructured threats • are conducted over short periods of time (lasting at most a few months), • do not involve a large number of individuals, • have little financial backing, and • are accomplished by insiders or outsiders who do not seek collusion with insiders

9 L02 - Background 2/6/2019

Types of Intruders

• Script kiddies - individuals who do not have the technical expertise to develop hacking code • Script writers - those people who are capable of writing scripts to exploit known vulnerabilities. • Elite hackers - highly technical individuals, who are capable of discovering new vulnerabilities

Insiders

• Insiders are more dangerous because they have the access and knowledge • Insider attackers are often disgruntled employees • Insiders can also make mistakes that cause damage

Some organizations create protection domains Some security audits include both internal and external attacks

10 L02 - Background 2/6/2019

Detailed Example – Identity Theft

• Thanksgiving 2002 – largest identity theft at the time • Former Help Desk employee stole access codes (Ford MC) • Theft of identity of 30,000+ people ($2.7B) • Sold for up to $60 per credit report • Hacker sentenced to 14 years in prison

Observations 1. Danger with consolidation of data 2. Evolving set of security best practices

Criminal Organizations

• Criminal organizations follow the money • Fraud, extortion, theft, embezzlement, and forgery occur in an electronic environment • A structured threat is characterized by • a greater amount of planning, • longer time to conduct the attack, and • more financial backing than in an unstructured attack.

11 L02 - Background 2/6/2019

Terrorists and Information Warfare

• Computer systems are now targets of unfriendly foreign powers • Information warfare - warfare conducted against the information and information processing equipment used by an adversary • Information warfare is a highly structured threat

Critical Infrastructures

• During warfare, nations have chosen targets other than the opposing army • Critical infrastructures - loss or impairment would have severe repercussions on society (e.g., water, electricity, oil/gas, banking, and communications) • Terrorists may also target Who is responsible critical infrastructures for protecting national infrastructure? How prevalent are computers in industrial and consumer devices?

12 L02 - Background 2/6/2019

Security Trends

• Level of sophistication of attacks has increased • Level of automation of attacks has increased • Data on security incidents and losses is unreliable

Avenues of Attack

• Systems are attacked when • It is specifically targeted or • It is a target of opportunity • Equipment may be targeted because of the organization it belongs to or for political reasons • A hacktivist is a hacker who uses their skills for political purposes A related term is “hacktivism”

13 L02 - Background 2/6/2019

More Definitions

• Host – computer on a network • IP Address (Internet Protocol address) - numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication • Port – numbered application on a computer • Used to connect a network request with the application code that will handle the request • Example – port 80 is typically used for Web servers to handle http requests

You will use some of these Tools tools later in the semester • Nmap – scanner used to discover hosts and services on a network • Ping – network administration tool used to test the reachability of a host on an IP network • Superscan – port scanning software used to determine open ports • Whois – used to determine a domain name from an IP address

14 L02 - Background 2/6/2019

The Steps in an Attack

Step

1. Profiling Gather information on Check the SEC EDGAR web site the target organization (www.sec.gov/edgar.shtml), whois look up, Google 2. Identify available Ping sweep with nmap or superscan systems 3. Finger Determine the OS and Nmap or superscan, banner grab printing open ports 4. Discover penetration a. Search web sites for vulnerabilities and exploits that opportunities exist for the OSs and services discovered b. Search social networking sites for personal info that might assist in an e-mail attachment attack 5. Execute opportunity Execute attack

Banner grabbing uses information from a typical service response (e.g., http) to gain more host info

Minimizing Possible Avenues of Attack

System Involves reducing the services that are running on the hardening system Limiting Makes it more difficult for an attacker to develop the attack services by limiting the services available on each computer Patching Ensures that your operating system and applications are up-to-date

Typically, an organization will hire consultants to attempt to penetrate systems

15 L02 - Background 2/6/2019

Types of Attacks

• If successful, an attack may produce one or more of the following: • Loss of confidentiality – information is disclosed to individuals not authorized to see it • Loss of integrity – information is modified by individuals not authorized to change it • Loss of availability – information or the system processing it are not available for use by authorized users when they need the information

Case Study – NY Times Attack-Background

• 4 month persistent attack from China, beginning 9/13/2012 • Coincided with investigative news article on accumulated wealth of Wen Jiabao (China PM) • Attacker looking for names of sources • Hackers obtained passwords of reporters and other employees • NY Times tracked and expelled intruders • Since 2008, part of an effort to target journalists

Unusual amount of detail in NYT news article

16 L02 - Background 2/6/2019

Case Study – NY Times Attack -Technique

• Launched by US University botnet (same botnet used in attacks against US military contractors) • Malware associated with attacks originating from China • Attack occurred during Beijing normal working hours (8:00AM- late afternoon (sometimes later)) • Origin of attack not identified (spear-phishing suspected) • Set up a “digital base camp,” then attacked the domain controller (contains hashed PWs) • Attackers installed 45 pieces of custom malware (anti-virus SW found only one)

Case Study – NY Times Attack - Defense

• AT&T monitoring NYT systems for indications of an attack (Oct, 2012) • NYT notified the FBI (voluntarily) • Attackers not expelled by Nov, 2012 • Mandiant engaged in cyber defense • NYT allowed attackers to “spin a digital web for four months” • NYT replaced compromised computers • NYT installed new defenses (new PWs, blocked compromised outside computers, removed back doors, additional security “wrappers”)

17 L02 - Background 2/6/2019

Approaches to Computer Security

• Correctness • ensuring that a system is fully up to date • Ideally provable • Isolation • Access control • Physical security • Obfuscation • Hiding important elements of a system • Use of randomization

Have You Achieved the Objectives?

18 L02 - Background 2/6/2019

Summary of Key Terms

• Critical infrastructures • Port scan • Elite hackers • Script kiddies • Hacker • Structured threat • Hacking • Unstructured threat • Hacktivist • Highly structured threat • Information warfare • Ping sweep