
A primer on cyber security Nikolaj Tatti

CSPrimer / Nikolaj Tatti May 18, 2021

Who are threat actors and what do they want?

Attackers come in different shapes
• bored individuals
• amateur groups
• criminal groups
• hacker groups funded by nation states

What do they want from you?
• just because
• monetary: data that can be sold, computing resources
• blackmail
• espionage
• revenge

Where do vulnerabilities come from

• software and data are literally everywhere

• there is an ongoing explosion in the number of devices needing software

• the number of devices connected to the internet is in the tens of billions

• the number of such devices is still increasing

• this poses a growing need for code and software developers, who will have great pressure to write both functional and secure code in a limited timeframe

• developers may face unrealistic time pressure to rush code to production

Where do vulnerabilities come from

• in addition to the growing need for more code, the code base has become more complex

• every machine is connected and larger systems are now distributed

• different parts of a system may be developed by different vendors, but need to interoperate

• moreover, most current systems are based on software frameworks which enlarge the code footprint of even small applications, and/or are extensible via plugins and addons

• combining the connectivity, complexity, and extensibility of the software, we get a comfortably-sized attack surface for the attacker

• vulnerabilities and their statistics can be queried from the National Vulnerability Database (NVD) and from the Common Vulnerabilities and Exposures (CVE) database

Attacking is easier than defending

• attacking will stay easier than defending as long as the attacker can attack anywhere while the defender has to defend everywhere

• with a successful security analysis, however, many of the obvious vulnerabilities, in other words the low-hanging fruit, can be found

• this doesn't necessarily make a system totally secure, but rather lets the system withstand attack attempts by unskilled attackers and automated attacks

• even when the software and/or the protocol it implements is in its mature phase, it may still hold surprises

• examples of holes in mature software: Beast, , Heist, Krack

• ...but not all vulnerabilities are created equal; some require very specific circumstances to allow for an exploit

On the word hacking

• the origin of the word comes from the Tech Model Railroad Club (TMRC) at MIT

• ...and had nothing to do with cyber security

• the connotation of the word hacking is controversial

• the media typically portray it as a negative term, often referring to malicious behaviour

• ...but the word can also mean neutral or positive behaviour

• ...and can also mean something other than breaking into systems

• hacker can also mean a skilled computer expert

• sometimes terms like white hat and black hat are used to indicate intent

• to complicate matters, some caught cyber criminals have switched sides and now work for security companies or have written books on the topic

Phone phreaking

• an early example of hacking

• during the 1950s–70s, control signals for telephones used the same channel as voice

• ...so phone switches could be controlled by producing certain frequencies

• these were above normal human speech but could be produced by whistling

• also with devices known as blue boxes (some were produced by Steve Jobs and Steve Wozniak)

• this allowed free calls

• phone phreaking is an example of not properly sanitizing user data

• ...as a result the users were able to change the behaviour of the underlying program

• phone phreaking is outdated, but similar oversights are still relevant
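The in-band signalling flaw described above, as an added toy model (not code from the slides): the vulnerable switch parses the caller's audio for a control tone, while the hardened switch accepts control only on a separate channel. The class names, the `release` message and the tone value are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed toy model of in-band signalling, the class of flaw behind phone
# phreaking: the vulnerable switch reads control tones from the same channel as
# the caller's voice, so user data gets interpreted as a command.  Not from the slides.

SUPERVISORY_TONE = 2600  # Hz; illustrative value, the point is that it is in-band


@dataclass
class InBandSwitch:
    """Vulnerable: voice and control share one stream (unsanitised user data)."""
    billing: bool = True
    events: list = field(default_factory=list)

    def feed_voice(self, samples):
        for hz in samples:
            if hz == SUPERVISORY_TONE:
                # The switch believes the trunk went idle and stops billing,
                # although the caller is still connected.
                self.billing = False
                self.events.append("billing stopped by in-band tone")
            else:
                self.events.append(f"voice {hz}Hz")
        return self.billing


@dataclass
class OutOfBandSwitch:
    """Hardened: user audio is never parsed for commands."""
    billing: bool = True
    events: list = field(default_factory=list)

    def feed_voice(self, samples):
        # Whatever frequencies the caller produces are just audio.
        self.events.extend(f"voice {hz}Hz" for hz in samples)
        return self.billing

    def feed_control(self, message):
        # Reachable only from the signalling network, not from the voice path.
        if message == "release":
            self.billing = False
            self.events.append("billing stopped by control channel")
        return self.billing


def demo():
    # Constructed caller audio that happens to contain the supervisory tone mid-speech.
    caller_audio = [440, 880, SUPERVISORY_TONE, 440]
    return InBandSwitch().feed_voice(caller_audio), OutOfBandSwitch().feed_voice(caller_audio)
```

`demo()` returns `(False, True)`: the same audio stops billing on the in-band switch and is harmless on the out-of-band one.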

Social engineering

• attackers typically use a combination of social engineering and technical vulnerabilities

• for example, they get into the system by having somebody open a malicious email

• this may give very limited access to the local computer

• then, using vulnerabilities, they can increase their rights and/or

• ...hack into other computers / servers

• a lot of attention is devoted to dealing with vulnerabilities

• ...but humans are always the weakest link

New technology, new vulnerabilities

Introducing new technology has typically introduced new attack opportunities

• dual-tone signaling in telecommunication systems led to phone phreaking

• the internet led to worms

• macro languages in documents led to macro viruses

• storing, querying, and modifying user content through web servers significantly increased attack surface: passwords, banking, credit data, personal data, emails

• bitcoin provided way to run

• smart phones have their own set of viruses

• the Internet of Things is no different: smart devices have weak security

Early vs modern malware

• early malware was primitive

• space constraints

• primitive tools to write code (assembly)

• modern malware can be very complex software

• ...may contain anti-detection software

• tools have also improved over time

• some hacking tools (such as Metasploit) are actually created by security companies for analysis

Human factor: making systems safer

Modern cyber security protection does not only focus on detecting malicious software but also tries to limit the human factor

• recognizing phishing emails

• recognizing malicious websites

• password constraints

• two-factor authentication

• user-friendly software update (a significant, relatively recent improvement that is often overlooked)

• safe default options

Human factor: enforcing best practices

• normal user account doesn’t have admin rights

• normal users don’t have admin rights on their computers

• keeping work computer and personal emails separate

• restrictions on where data can be kept

• ...but all these things may reduce usability

• having a data management plan

• having a plan for a breach
