A primer on cyber security
Nikolaj Tatti
CSPrimer / Nikolaj Tatti May 18, 2021 0 / 11
Who are threat actors and what do they want?
Attackers come in different shapes
• bored individuals
• amateur hacker groups
• criminal groups
• hacker groups funded by nation states
What do they want from you?
• just because
• monetary: data that can be sold, computing resources
• blackmail
• espionage
• revenge
Where do vulnerabilities come from
• software and data are literally everywhere
• there is an ongoing explosion in the number of devices needing software
• the number of devices connected to the internet is in the tens of billions
• the number of such devices is still increasing
• this creates a growing need for code and for software developers, who will be under great pressure to write both functional and secure code in a limited timeframe
• developers may face unrealistic time pressure to rush code to production
Where do vulnerabilities come from
• in addition to the growing need for more code, the code base has become more complex
• every machine is connected and larger systems are now distributed
• different parts of a system may be developed by different vendors, but need to interoperate
• moreover, most current systems are based on software frameworks, which enlarge the code footprint of even small applications, and/or are extensible via plugins and add-ons
• combining the connectivity, complexity, and extensibility of the software, we get a comfortably-sized attack surface for the attacker
• vulnerabilities and their statistics can be queried from the National Vulnerability Database (NVD) and from the Common Vulnerabilities and Exposures (CVE) database
Attacking is easier than defending
• attacking will stay easier than defending as long as the attacker can attack anywhere while the defender has to defend everywhere
• with a successful security analysis, however, many of the obvious vulnerabilities (in other words, the low-hanging fruit) can be found
• this doesn't necessarily make a system totally secure, but it makes the system able to withstand attack attempts by unskilled attackers and automated attacks
• even when the software and/or the protocol it implements is in its mature phase, it may still hold surprises
• examples of holes in mature software: BEAST, Heartbleed, HEIST, KRACK
• ...but not all vulnerabilities are created equal: some require very specific circumstances to allow for an exploit
On the word hacking
• the origin of the word comes from the Tech Model Railroad Club (TMRC) at MIT
• ...and had nothing to do with cyber security
• the connotation of the word hacking is controversial
• the media typically portray it as a negative term, often referring to malicious behaviour
• ...but the word can also mean neutral or positive behaviour
• ...and can also mean something other than breaking into systems
• hacker can mean a skilled computer expert
• sometimes words like white hat and black hat are used to indicate intent
• to complicate matters, some caught cyber criminals have switched sides, and now work for security companies or have written books on the topic
Phone phreaking
• early example of hacking
• during the 50s–70s, control signals for telephones used the same channel as voice
• ...so phone switches could be controlled by producing certain frequencies
• above normal human speech, but they can be produced by whistling
• also with devices known as blue boxes (some were produced by Steve Jobs and Steve Wozniak)
• allowed people to make free calls
• phone phreaking is an example of not properly sanitizing user data
• ...as a result, users were able to change the behaviour of the underlying program
• phone phreaking is outdated, but similar oversights are still relevant
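The design flaw behind phreaking, control and data sharing one channel, as an added toy model in Python that is not part of the slides: a switch that obeys tones from any channel is compared with one that only obeys its own signalling channel. The Frame type, the "voice"/"signalling" channel names, the token format and the sample call are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One time slot as seen by the switch (constructed model)."""
    channel: str   # "voice" = caller's audio, "signalling" = the network's own control path
    payload: str   # "hello?" (speech), "TONE:2600" (supervisory tone), "DIGIT:5" (address digit)


IDLE_TONE = "TONE:2600"   # historical trunk-idle tone; the exact value is incidental here


def route(frames, obey=("signalling",)):
    """Return the number the trunk is connected to after processing frames.

    `obey` lists the channels whose tones the switch acts on. The historical
    design was effectively obey=("signalling", "voice"): tones rode on the
    voice path, so the switch could not tell who produced them.
    """
    dialed, collecting = [], False
    for f in frames:
        if f.channel not in obey:
            continue                        # pure data: cannot change switch state
        if f.payload == IDLE_TONE:
            dialed, collecting = [], True   # trunk believes the call dropped, awaits digits
        elif collecting and f.payload.startswith("DIGIT:"):
            dialed.append(f.payload.split(":", 1)[1])
        else:
            collecting = False              # speech: the call is in progress
    return "".join(dialed)


def in_band(frames):
    """Historical behaviour: any tone heard on the line is trusted as control."""
    return route(frames, obey=("signalling", "voice"))


def out_of_band(frames):
    """Hardened behaviour: control is honoured only on the signalling channel."""
    return route(frames, obey=("signalling",))


def example_call():
    """Constructed call: the network dials 5551234, then the caller's own audio
    happens to contain the idle tone followed by the digits 9999."""
    setup = [Frame("signalling", IDLE_TONE)] + [Frame("signalling", f"DIGIT:{d}") for d in "5551234"]
    talk = [Frame("voice", "hello?")]
    caller_tones = [Frame("voice", IDLE_TONE)] + [Frame("voice", f"DIGIT:{d}") for d in "9999"]
    return setup + talk + caller_tones


if __name__ == "__main__":
    call = example_call()
    print("in-band switch connects to:", in_band(call))          # 9999: caller audio changed the route
    print("out-of-band switch connects to:", out_of_band(call))  # 5551234: audio stayed data
```

The same pattern, user-supplied data being parsed as commands, is what input sanitization and separate control channels (parameterized queries, typed APIs) guard against in current systems.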
Social engineering
• typically, hackers use a combination of social engineering and technical vulnerabilities
• for example, they get into the system by having somebody open a malicious email
• this may give very limited access to the local computer
• then, using vulnerabilities, they can increase their rights and/or
• ...hack into other computers / servers
• a lot of attention is devoted to dealing with vulnerabilities
• ...but humans are always the weakest link
New technology, new vulnerabilities
Introducing new technology has typically introduced new attack opportunities
• dual-tone signalling in telecommunication systems led to phone phreaking
• the internet led to worms
• macro languages in documents led to macro viruses
• storing, querying, and modifying user content through web servers significantly increased the attack surface: passwords, banking, credit data, personal data, emails
• bitcoin provided a way to run ransomware
• smartphones have their own set of viruses
• the Internet of Things is no different: smart devices have weak security
Early vs modern
• early malware was primitive
• space constraints
• primitive tools to write code (assembly)
• modern malware can be very complex software
• ...may contain anti-detection components
• tools have also improved over time
• some hacking tools (such as Metasploit) are actually created by security companies for analysis
Human factor: making systems safer
Modern cyber security protection does not only focus on detecting malicious software but also tries to limit the human factor
• recognizing phishing emails
• recognizing malicious websites
• password constraints
• two-factor authentication
• user-friendly software updates (a significant, relatively recent improvement that is often overlooked)
• safe default options
Human factor: enforcing best practices
• normal user accounts don't have admin rights
• normal users don't have admin rights on their computers
• keeping work computer and personal emails separate
• restrictions on where data can be kept
• ...but all these things may reduce usability
• having a data management plan
• having a plan for a breach