CSIS 340 STUDY GUIDE (NOTES) (Latest 2023/2024) Verified and Rated A+
1. Asymmetrical warfare: the two opponents are very different from each other; a few people terrorizing a large target.
   a. Technology, government, research on one side vs. small groups of individuals with limited resources on the other.
      i. Terrorism tactics: make themselves look like a bigger competitor or threat.
         1. Ex. attacking ATMs, resulting in disruptions.
2. Cyber war of 2007: Russia attacked Estonia (a Baltic country, formerly part of the Soviet Union). It cannot be proved who attacked Estonia; attribution is extremely difficult.
3. Botnet attacks: extremely common. A botnet is a collection of enslaved computers that someone can use to attack other computers.
   a. Bot herders insert software onto computers that lets them access and use those computers to attack other computers without detection by the users.
      i. A large collection of computers attacking another.
4. Zero-day attack: a vulnerability that is attacked before anyone has been alerted to fix it. (We must produce more secure software, yet all software is vulnerable because it is created by humans.)
5. Cybercrime gone retail: buying code to crack system codes over the internet.
6. Co-operation: governments or criminals. Governments do not co-operate because of different beliefs and competing reasons not to co-operate; criminals co-operate to enable a larger attack.
7. Pharming and phishing: (information in video).
8. Does the internet make old crimes more efficient, or create new crimes?
   a. The internet has only been around for 20 years, so it sounds as if brand-new crimes result from it, but the crimes originate from old tactics.
      i. Ex. extortion, data-napping.
9. Information security: offensive and defensive (mostly defensive, but there are some offensive actions).
10. Social engineering: manipulation of people so that you can do something malicious with the computer they are associated with. Bribes, coercion, gossip, hearsay.
11. Crackers vs. hackers:
    a. Hackers/hacking: people who break into computer systems for benign reasons.
       Crackers: people who break into a computer system for malevolent reasons; criminals.

What is Information Systems Security?
• Information Systems Security (ISS): the act of protecting information and the systems that store and process it (Page 3).
   o It is not just the information inside a computer you need to protect. Information needs to be protected in any form.
   o Some believe that security measures designed to protect buildings and people will protect information.
      ▪ In any process of some importance, you would use some type of life-cycle process to reduce errors and make sure all requirements are considered.
• COBIT: Control Objectives for Information and related Technology.
   o Four domains that collectively represent a conceptual information systems security life cycle (chart: Figure 1.1, Pg. 4):
      ▪ Plan and Organize
      ▪ Acquire and Implement
      ▪ Deliver and Support
      ▪ Monitor and Control

Plan and Organize (page 5)
• The COBIT Plan and Organize domain includes basic details of an organization's requirements and goals.
   o A Service Level Agreement (SLA) is a stated commitment to provide a specific service level.
   o It makes no sense to sign a contract with a supplier who cannot meet the basic business requirements.

Acquire and Implement
• The "build" is where the security control is built and the policies and supporting documents are written.
• The build is based on the requirements created in the Plan and Organize phase.
   o Build to fit the needs of the organization: which goals does it fulfill?

Deliver and Support
• In the COBIT Deliver and Support domain, the staff tunes the environment to minimize threats.
   o This could mean adjusting controls, policies, procedures, contracts, and SLAs.

Monitor and Evaluate (Control)
• Testing and monitoring of controls occur, and the results are analyzed for effectiveness.
   o Are your controls and supporting policies and procedures keeping pace with changes in technology and in your environment?
      ▪ Looks at specific business requirements and strategic direction, and determines whether the system still meets these objectives.

What is Information Assurance? (p. 6-7)
• Information Systems Security and Information Assurance are NOT the same thing.
   o ISS focuses on protecting information regardless of form or process.
   o IA focuses on protecting information during process and use.
      ▪ The five pillars of the IA model (built on the CIA triad of information security):
         • Confidentiality: generally accepted as an ISS and IA tenet
         • Integrity
         • Availability
         • Authentication
         • Nonrepudiation

No class: professor had a family emergency.

• Confidentiality: refers to information dissemination.
   o You allow only authorized individuals to see or possess the information.
      ▪ Every user typically needs access to an organization's intranet.
         • That does not mean, however, that every user needs access to all information.
   o This concept is need to know: the idea that individuals should have access only to the information required to do their jobs.
• Integrity: ensures that information has not been improperly changed.
   o The data owner must approve any change to the data, or approve the process by which the data changes.
      ▪ Encryption also ensures integrity as well as confidentiality.
   o Figures 1-2 and 1-3.
• Authentication: the ability to verify the identity of a user or device.
   o The use of a user ID and password.
      ▪ It is not just humans who need their identities verified.
      ▪ There is a lot involved in maintaining good authentication processes, such as forcing users to change their passwords periodically and enforcing rules on how complicated passwords should be.
         • One of the more critical keys to success is having credentials that are hard to forge or guess.
   o DO NOT CONFUSE WITH AUTHORIZATION.
• Availability: ensures information is available to authorized users and devices.
   o Also means preventing denial of service (DoS) attacks.
   o The owner must determine who needs access to the data and when.
      ▪ Is it critical that the data be available 24/7, or is 9-5 adequate?
      ▪ If you don't need it to be available, don't make it available; only make it available when you need it.
• Nonrepudiation: an individual cannot deny or dispute that they were part of a transaction.
   o Authentication, for example, helps establish identity.
      ▪ Ex. businesses implementing biometric scanners as an authentication control.
   o However, that is not nonrepudiation.
      ▪ You still don't know whether the message or transaction was tampered with during transmission.
         • You can encrypt the data or use digital signatures.
      ▪ Information can also be tampered with at the point of delivery.
         • If the data was protected during transmission, there most likely is a corresponding technology on the delivery side.

What is Governance?
• Governance: both a concept and the specific actions an organization takes to ensure compliance with its policies, processes, and guidelines.
   o The focus of governance is ensuring everyone is following established rules.
      ▪ What is assumed in governance is that the business objectives were well understood and baked into the rules.
         • Following the rules = achieving business goals.
• An organization puts formal processes in place and committees to act as gateways.
   o Must be properly demonstrated.
   o Governance ensures accountability, monitors activity, and records what is going on.

Why is Governance Important?
• Good governance provides assurance and confidence that rules are being followed.
   o Senior management needs to know that its business objectives are being met.
   o Regulators look at the governance structure for assurance that risks to shareholders, customers, and the public are being properly managed.

What are Information Systems Security Policies?
Policy Framework
Four different types of documents in a framework:
• Policy: a document that states how the organization is to perform and conduct business functions and transactions with a desired outcome.
• Standard: an established and proven norm or method, which can be a procedural standard or a technical standard implemented organization-wide.
   o Usually external, very broad.
   o A process or a method for implementing a solution.
      ▪ Involves technology, hardware, or software that has a proven record of performance.
• Procedure: a written statement describing the steps required to implement a process.
• Guideline: a parameter within which a policy, standard, or procedure is suggested but optional.

Where Do Information Systems Security Policies Fit Within an Organization?
• Protecting information is everyone's concern.
• Organizations rely as much on information systems as they do on human resources.

Why Are Information Systems Security Policies Important? (page 15)
• Protecting systems from the insider threat.
• Protecting information at rest and in transit.
• Controlling change to the IT infrastructure.

** Chapter 3 – U.S. Compliance Laws and Information Security Policy Requirements
Romans 11:33a

U.S. Compliance Laws
• Figure 3-1: Pressures on security policies.
   o A well-defined security policy clearly addresses these pressures.
• Government is concerned with consumer protection, promoting a stable economy, and maintaining a reliable source of tax revenue.
   o Government regulations do exist and will exist.
• Shareholders of a company are investors who expect to make money.
   o Maximizing profit and maintaining a healthy stock price is a business concern.
      ▪ Both business and government goals face risks from the limitations and vulnerabilities of technology.
• InfoSec is expensive.
• Government agencies that regulate information handling exist at the federal and state levels.
   o They sometimes have competing interests.
      ▪ Compliance can be difficult and costly when the language of the regulations conflicts.
      ▪ Data privacy.

What Are They? Study all these regulations to get the common concepts.
• As much as these regulations might differ, there are also common concepts.
• The best approach to regulatory compliance is common sense.
   o Rather than building rules into security policies for each regulation, you should build in the key control concepts.
      ▪ Concepts, not specific technologies.
         • i.e. HTTPS
• Consumer rights: deal with creating rules on how to handle a consumer's transactions and other information.
• Personal privacy: deals with how to handle personal information and what it is used for.

Federal Information Security Management Act (FISMA)
• An example of government self-regulation put into law in 2002.
   o The federal government is unique in that it can identify the standards it wants to follow and pass laws requiring the standards to be followed.
   o PII (Personally Identifiable Information): ex. Social Security number, name, address, date of birth.
   o Table 3-1.
• FISMA requires government agencies to adopt a common set of information security standards.
   o Understand the common-sense concepts of the laws. ***
   o The military goes beyond these standards.
   o Creates mandatory requirements to ensure the integrity, confidentiality, and availability of data.
      ▪ Requires agencies to send annual reviews to the Office of Management and Budget (OMB).
      ▪ The National Institute of Standards and Technology (NIST) is responsible for developing FISMA-mandated information security standards and procedures.
         • Each agency is then responsible for adopting them as part of its information security policies.
   o Congress: law
   o NIST: standard/regulation
   o DOJ, DHHS, etc.: policies, procedures
   o OMB: audit
• To be compliant with NIST publications, your policies must include the key security control requirements and required key common-sense concepts (terms on page 49):
   o Inventory: The NIST standards require an inventory of hardware, software, and information. The inventory identifies the type of information handled and how data passes to the systems, and gives special attention to national security systems.
   o Categorize by risk level: The NIST standards outline an approach to classifying risk. They outline how to map risk level to computer systems and information. The risk drives what security is to be applied.
   o Security controls: The NIST standards outline which controls should be applied and when. They outline how these controls are documented and approved. It is a risk-based approach giving the agency some flexibility to tailor controls to meet its operational needs.
   o Risk assessment: The NIST standards define and outline the process for conducting risk assessments. Risk assessments are an essential part of a risk-based security approach. The risk assessment results drive the type of security controls to be applied. (Risk management process flowchart.)
   o System security plan: The NIST standards require a formal security plan for major systems and for the system or application owner. The security plan serves as a road map. It is updated to keep current with threats and is an important part of the certification and accreditation process.
   o Certification and accreditation: This process occurs after the system is documented, the controls are tested, and the risk assessment is completed. It is required before going live with a major system. Once a system is certified and accredited, responsibility shifts to the owner to operate the system. This process is also referred to as the "security certification" process.
   o Continuous monitoring: All certified and accredited systems must be continuously monitored. Monitoring includes looking at new threats, changes to the system, and how well the controls are working. Sometimes a system has so many changes that it must be re-certified. (Accountability)

2 Corinthians 6:17a

• Health Insurance Portability and Accountability Act (HIPAA), 1996
   o The law protects a person's privacy; it recognizes that digital exchange of health records is a necessity.
      ▪ Health records: the law wants to ensure that patient privacy is maintained.
   o PHI: refers to both digital and physical paper copies of health records.
   o EPHI: refers to just the electronic form of the PHI records.
      ▪ HIPAA establishes privacy rules that outline how EPHI can be collected, processed, and disclosed.
         • Health care providers: doctors, hospitals, clinics, and others.
         • Health plans: those that pay the cost of medical care, such as insurance companies.
         • Health care clearinghouses: those that process and facilitate billing.
      ▪ To be HIPAA compliant, key control requirements must be in your security policies:
         • Administrative safeguards: the formal security policies and procedures that map to HIPAA security standards. Also refers to the governance of the security policies and their implementation.
         • Physical safeguards: the physical security of computer systems and of the physical health records.
         • Technical safeguards: the controls that use technology to protect information assets. The law also requires a risk assessment and a risk-based management approach to information security.
• Gramm-Leach-Bliley Act (GLBA), 1999
   o NOT focused on technology.
   o The reason for the law was to repeal past laws so that banks, investment companies, and other financial services companies could merge.
   o Under what is known as Section 501(b), the law outlines information security requirements for the privacy of customer information.
   o The FFIEC website introduces the 501(b) rules (terms on page 51).
• Sarbanes-Oxley (SOX) Act, 2002
   o The law was enacted in reaction to a series of accusations of corporate fraud.
      ▪ Enron and WorldCom.
   o SOX goes well beyond information security policies.
      ▪ InfoSec is a side circus, but this law has a great InfoSec impact.
   o The basic idea behind SOX 404 is to require security policies and controls that provide confidence in the accuracy of financial statements.
      ▪ Security policies must ensure the integrity of the financial data.
• Family Educational Rights and Privacy Act (FERPA), 1974
   o The law applies to educational institutions such as colleges and universities.
   o Education records are any information related to the educational process that can uniquely identify the student.
      ▪ Awareness: the school must post its FERPA security policies and provide awareness of them.
      ▪ Permission: generally, schools must have recorded permission to share the student's education records.
      ▪ Directory information: the school can make directory information (such as name, address, telephone number, and date of birth) about the student publicly available, but must provide the student with a chance to opt out of such public disclosure.
      ▪ Exclusions: the school can share information without permission for legitimate education evaluation reasons as well as for health and safety reasons.
• Children's Internet Protection Act (CIPA), 2000
   o Tells schools and libraries that receive federal funding that they must block pornographic and sexually explicit material on their computers.
      ▪ The Federal Communications Commission (FCC) establishes the rules that schools and libraries must follow. The CIPA regulation was challenged in a lawsuit.
• CIPA components that must be adopted in your security policies (required key common-sense concepts):
   o Awareness: the school or library must post its CIPA security policies and provide awareness of them.
   o Internet filters: best efforts must be made to keep the internet filters current so that only the targeted material intended by CIPA is blocked.
   o Unblocking: there must be a process to allow the filter to be unblocked or disabled for adults who request access to blocked sites (option to opt out).
• Some Important Industry Standards (page 59)
   o Payment Card Industry Data Security Standard (PCI DSS): a worldwide information security standard that describes how to protect credit card information.

Jakobsson Chapter 3: Malware in Peer-to-Peer Networks
• Among the most popular uses of P2P networks are the sharing and distribution of files.
• The popularity of these networks also makes them attractive targets.
• Centralized P2P and decentralized P2P.
• Download phase and query phase.
• Content search
• All nodes
• Hop count (page 57)
• Querier picks
• Two options for defending against malware in P2P networks:
   o The first option relies on identifying malware through antivirus tools after the content has been downloaded.
      ▪ Shortcomings:
         • An actual download of the entire file must occur before the antivirus software can scan it.
         • While antivirus software may prevent a user from running downloaded malware, it does nothing to prevent the spread of malware, via P2P networks or otherwise.
         • This approach is effective only against known malware.
         • Although simple in theory, this approach is not practical because it relies on users' diligence in keeping their antivirus software running and up to date.
   o The second option is to filter potentially malicious responses in the query phase itself.
      ▪ Prevents an actual download of malware-containing files.
      ▪ Prevents the spread of malware; it does not require user intervention.
      ▪ However, the filtering must be done only with knowledge of the information contained in query responses, namely the query string itself, the file name, the size, and the IP address of the offering peer.
• LimeWire flags the responses returned as the result of a query as malicious when:
   o the file names or metadata do not match the words contained in the query;
   o the extension of the returned file is not considered by LimeWire to match the file type asked for;
   o LimeWire believes the response contains the Mandragore worm.

3.2 Human-Propagated Crimeware (page 76)
3.2.1 The Problem
• People are naturally drawn to web sites containing fun content or something humorous, and then generally want to share that experience with their friends.
• Human propagation: referral to a location based on the recommendation of peers.
   o This method of propagation cannot be stopped and always will be a reliable method of disseminating information.
• Viral marketing: marketing techniques that use pre-existing social networks and other technologies to produce increases in brand awareness or to achieve other marketing objectives (such as product sales) through self-replicating viral processes, analogous to the spread of viruses or computer viruses.
   o Example: Superbowl A
3.2.3
• An attacker with a mirrored (but infected) copy of this popular advertisement could draw people to his or her site by using many different techniques.
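The LimeWire-style query-phase filter described in the Chapter 3 notes above, written out as an added example (not LimeWire's or the Jakobsson text's code). It uses only what a query response carries, so nothing is downloaded; the file-type table, the known-bad signature and the sample responses are constructed placeholders.

```python
"""Query-phase filtering of P2P query responses (added example).

Models the three checks the notes attribute to LimeWire, using only what a
query response carries (query string, file name, size, offering peer) so no
download is needed. The file-type table and the known-bad signature below
are constructed placeholders, not real indicators.
"""
from dataclasses import dataclass, field
import re

# Assumed mapping from the "file type asked for" to acceptable extensions.
FILE_TYPE_EXTENSIONS = {
    "audio": {"mp3", "ogg", "flac", "wav"},
    "video": {"avi", "mp4", "mkv", "mpg"},
    "document": {"pdf", "txt", "doc"},
}

# Constructed known-bad signature keyed on (size in bytes, extension).
# Stands in for LimeWire's Mandragore check; the value is a placeholder.
KNOWN_BAD = {(8192, "exe"): "Mandragore-like worm (placeholder signature)"}


@dataclass
class QueryResponse:
    file_name: str
    size: int
    peer_ip: str
    metadata: str = ""


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def _words(text):
    """Lower-case alphanumeric tokens of a file name, query or metadata."""
    return {w for w in re.split(r"[^a-z0-9]+", text.lower()) if w}


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def filter_response(query, requested_type, resp):
    """Decide whether one query response may be shown to the user.

    query          -- the search string the user typed
    requested_type -- a key of FILE_TYPE_EXTENSIONS, or None for any type
    resp           -- QueryResponse returned by the offering peer
    """
    reasons = []
    # Check 1: every query word must appear in the file name or metadata.
    offered = _words(resp.file_name) | _words(resp.metadata)
    missing = _words(query) - offered
    if missing:
        reasons.append("query words missing from name/metadata: "
                       + ", ".join(sorted(missing)))
    # Check 2: the extension must match the file type the user asked for.
    ext = _extension(resp.file_name)
    if requested_type and ext not in FILE_TYPE_EXTENSIONS[requested_type]:
        reasons.append(f"extension '{ext}' does not match type '{requested_type}'")
    # Check 3: the response matches a known-bad (size, extension) signature.
    signature = KNOWN_BAD.get((resp.size, ext))
    if signature:
        reasons.append("matches known-bad signature: " + signature)
    return Verdict(allowed=not reasons, reasons=reasons)


def filter_responses(query, requested_type, responses):
    """Split responses into (allowed, blocked); blocked carry their reasons."""
    allowed, blocked = [], []
    for resp in responses:
        verdict = filter_response(query, requested_type, resp)
        if verdict.allowed:
            allowed.append(resp)
        else:
            blocked.append((resp, verdict.reasons))
    return allowed, blocked


# Constructed responses to a query for "beatles yesterday" of type "audio".
SAMPLE_RESPONSES = [
    QueryResponse("Beatles - Yesterday.mp3", 3_900_000, "198.51.100.7"),
    QueryResponse("Yesterday Beatles.exe", 8192, "203.0.113.9"),
    QueryResponse("hot_screensaver.avi", 50_000, "192.0.2.4", metadata="free stuff"),
    QueryResponse("yesterday_live.mp3", 4_100_000, "198.51.100.8",
                  metadata="Beatles live 1965"),
]


def demo():
    """Run the filter over the constructed responses."""
    return filter_responses("beatles yesterday", "audio", SAMPLE_RESPONSES)


if __name__ == "__main__":
    shown, dropped = demo()
    for r in shown:
        print("show :", r.file_name)
    for r, why in dropped:
        print("block:", r.file_name, "->", "; ".join(why))
```

Note that the second response is blocked on two grounds at once (wrong extension and a signature hit), which is why a filter that reports every reason is more useful to an analyst than one that stops at the first.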
Techniques for drawing people to the infected mirror (3.2.3, continued):
• Cousin-domain phishing attacks
   o A domain similar to a legitimate one.
• Listed in search engines
   o Web ring or other heavily linked network (because many search engines rank sites based on the number of links to a page).
• Audio recording from NPR (National Public Radio)
   o Cyber attacks
      ▪ The bank isn't always going to reimburse you for a cyber attack.
      ▪ 1978 bill: EFTA
         • Regulation E

**Make up notes from Tuesday** (page 95-96)

Leadership, Values and Ethics
• Values: good leaders have core values. Good leaders will embrace the
• Goals
• Teamwork
• Ownership: instill a sense of ownership in each individual.
• Support: how leaders react to errors in judgement can build long-term loyalty or promote mistrust.
• Reward: good leaders reward results, not personalities.
• Part of understanding human nature in the workplace is recognizing its complexity.
• A leader can't simply issue commands and expect good results time after time.

The Importance of Executive Management Support (page 104)
• Implementing security policies starts with executive management. Without executive support, policies are just words. To have meaning they must be given the right priority and be enforced. That is when the benefits and value of security policies are realized for an organization.
   o Security policies and risk awareness as an IT issue.

Selling Information Security Policies to an Executive
• These perceptions must be overcome (you are usually starting in the negative):
   o Unclear purpose: clarity about the value the project brings. Security policies will reduce risk; it is equally important to demonstrate how the policies were derived in a way that kept the business cost and impact low.
   o Doubt: refers to the need for change. Change is perceived as a distraction that gets in the way of day-to-day business.
   o Insufficient support from leadership: the broad support for the project; you need to explain both the depth and breadth of support for the policies. Be sure to anticipate where your support will emerge or evaporate.
   o Organizational baggage: how the organization executes based on past unsuccessful efforts. Organizations that reorganize twice a year or have frequent leadership changes fall into this category.
   o Lack of organizational incentives: the inability to motivate behavior. Value is only derived from policies when they are enforced; there must be a low or zero tolerance for security policy violations.
   o Lack of candor: not having open, candid conversations. Executives need a sense that they were part of the process and not just the recipients of the result.
   o Low tolerance for bad news: how executives react to missteps. You need to prepare executives for the inevitable; gauge how they will react.
   o Unmanageable complexity: how complex and realistic the project is. The ability of the organization to support the security policies will be an important topic of conversation.

Before, During and After Policy Implementation **take notes from paragraph**
• Checklist for packaging implementation tasks and to help stay on point with security:
   o Things to do: what exact tasks are to be performed, and by whom?
   o Things to pay attention to: how does the business know if it is successful?
   o Things to report: what should be reported, and when?
   o Roles and responsibilities: who is responsible for what?
   o Things to be aware of: why is the security policy in place?
   o Things to reinforce with employees: what is the messaging to the staff?
• Executives who truly support you will continue their support when things do not go as planned.

Policy Roles, Responsibilities, and Accountability (page 109)
• A comprehensive security policy is a collection of individual policies covering different aspects of the organization's information security.
   o It is rare that an organization goes from having no security policies to implementing a complete set.
      ▪ "When you implement security policies you are implementing change. This can include implementing business perspectives and organizational values. This means sometimes you are implementing culture/model change."

Change Model (page 110) **Figure 5-6**
1. Create urgency: for change to happen there must be an urgent need. The greater the sense of urgency, the more likely that change will occur.
   a. Examples of urgency: a breach in the system, a breach in a similar system.
2. Form a powerful coalition: the authority and influence of leadership are needed to make true change happen.
3. Create a vision for change: it must be clear what you are asking of people and what value the change will bring.
4. Communicate the vision: once you have support, you need to communicate your intent widely. You need to let everyone know what is coming and keep it a priority in their minds.
5. Remove obstacles: remove the barriers while continually moving "change" forward.
   a. Examples of obstacles: tradition, mental inertia, money, resources, etc.
6. Create short-term wins: success, no matter how small, breeds more success. If you can achieve a number of short-term successes, you can silence critics and build toward long-term goals.
   a. **Manage change so that it is NOT an all-or-nothing concept.**
7. Build on the change: real change takes time and continued effort.
8. Anchor the changes in corporate culture: make the change become habit and part of the culture.

Roles and Accountability
• The organization is ultimately accountable for information security.
   o When something catastrophic occurs and lawyers and regulators engage, the organization's leaders have to explain what happened.
      ▪ Who is held liable?
      ▪ Different individuals are accountable for each of the following roles (p. 115):
         • Information Security Officer: accountable for ensuring the corresponding security controls are designed and implemented.
         • Executive: responsible for driving the security message within an organization and ensuring the security policy implementation is given appropriate priority.
         • Compliance Officer: monitors adherence to laws and regulations. The compliance officer often uses adherence to security policies as a measure of regulatory compliance.
         • Data Owner: approves access rights to information; accountable for ensuring that only the access needed to perform day-to-day operations is granted, and for ensuring there is a separation of duties to reduce the risk of errors or fraud.
         • Data Manager: establishes procedures on how data should be handled; ensures data is properly classified.
         • Data Custodian: maintenance of data; data custodians back up and recover data as needed and grant access based on approval from the data owner.
         • Data User: the end user; has an obligation to understand their security responsibilities and not to violate policies.
         • Auditor: assesses the design and effectiveness of security policies. Auditors can be internal or external to the organization; they offer formal opinions in writing; auditors do not report to the leader they are auditing; an independent second opinion.
Chapter 4: Crimeware in Small Devices (Jakobsson text)
• 4.1 Propagation Through USB Devices
   o Used in data storage and transfer (widely available).
   o Used by system administrators to load configuration information and software tools (a perfect vector, with privileges).
   o Used to launch an operating system (circumvents security software).
   o Used as carriers of viruses, spyware, and crimeware.
      ▪ They can be integrated into a watch or a pen.
         • Example: 2006
         • (Side note: BIOS excerpt from How BIOS Works by Jeff Tyson.)
   o Intentionally or unintentionally selling USB drives preloaded with crimeware.
      ▪ Intentionally dropping USB flash drives containing crimeware in places where they are sure to be found.
      ▪ 2006 example:
         • A tester prepared some USB flash drives imprinted with a Trojan that would collect passwords and logins, and scattered these drives in the parking lot.
         • Employees plugged the drives into their computers immediately.
         • The harvested data helped his colleagues compromise additional systems of the company.
      ▪ Many portable media players (PMPs) have their data saved on USB flash drives.
         • Some media players based on USB flash drives have inborn threats before they are shipped out.
      ▪ The Zune shares files wirelessly with other Zunes.
         • A Zune will be able to transmit corporate data outside the building without going through the company's networks.

4.1.1 Example: Stealing Windows Passwords
• To steal the passwords of a Windows system with a USB flash drive:
   o Usernames and passwords are kept in the Windows registry (the SAM file).
• It is possible to copy the SAM file by booting the machine with another operating system.
   o Bootable USB flash drives.
   o The SAM file can be copied to a directory on the connected USB drive.
• The SAM file can then be processed offline using a password recovery tool (not malware).
   o Retrieves the passwords of users without their awareness.
      ▪ Does not make any change to the target system.
• IoT, "Internet of Things"
   o Example: small devices in packaging to detect whether an item is leaving the store without being paid for.
      ▪ Inventory control.

4.2 Radio Frequency ID Crimeware
• Radio frequency identification (RFID) technology is on the verge of exciting times: standards are solidifying, RFID tag prices have hit an all-time low, and the mandates of the two largest proponents of RFID, the U.S. government and Wal-Mart, have motivated RFID trials on a global scale.
• A wide variety of physically distributed RFID readers.

4.2.1 Radio Frequency Identification (RFID) Applications
• Will unleash a flood of new applications.
   o Asset tracking and supply chain management.
• Policing our residential, industrial, and national borders.
• Toll payment systems.
   o E-ZPass
• From smart refrigerators to interactive children's toys to domestic assistance facilities for the elderly.
   o Subdermal RFID chips have even become hip accessories for patrons of some European nightclubs.

Why RFID Is Big Money
• $24.5 billion
• However, despite the value of RFID itself, the application domains that use RFID equipment are worth even more.
• Pharmaceuticals
• Retail economy
• With these amounts of money at stake, it is easy to see how the success of RFID in any given application depends on having a reliable and secure environment for operations.
Last week's notes are written in red ink
• Jakobsson Chapter 6: Crimeware in the Browser (continued)
• 2 Building a Transaction Generator
• Types of Transaction Generators (TG)
  o Pump and dump
  o Purchasing goods
  o Election system fraud
  o Financial theft
  o A clever TG in the user's browser can intercept report pages and erase its own transactions from the report
  o Countermeasures: CAPTCHA complicates the checkout procedure and can reduce conversion rates
• 6.3 Using JavaScript to Commit Click Fraud
  o Traditional click-fraud malware installs itself on a user's machine and simulates the clicking of advertisements
  o It is easier to accomplish than infecting a machine with malware
    ▪ All it requires is that a user visit a web site in a JavaScript-enabled browser
  o Referred to as a badvertisement; has been experimentally verified on several prominent advertisement schemes
  o This means a higher number of visits registered for a sponsored ad, leading to higher per-ad revenue for the publisher
    ▪ The fraudster can cause both click-throughs and non-click-throughs (in any desired proportion)
    ▪ Keeping end users unaware of the advertisement
      • Zero-size advert
  o Owners of sites that are used to generate revenue for a "badvertiser" might be unaware of the attack they are part of
    ▪ Mounted by a corrupt web master of theirs, or by a person who is able to impersonate the web master
• 6.3.1 Terms and Definitions
  o Phishing. Attempting to fraudulently acquire a person's credentials, usually for financial gain.
  o JavaScript. A simple programming language that is interpreted by web browsers. It enables web site designers to embed programs in web pages, making them potentially more interactive. Despite its simplicity, JavaScript is quite powerful.
  o REFERER. When a web browser visits a site, it transmits to the site the URL of the page it was linked from, if any. That is, if a user is at site B and clicks a link to site A, when the web browser visits A, it tells A that B is its REFERER. The REFERER information need not always be provided, however. Note that this word is not spelled the same way as the English word "referrer."
  o Spidering. The process of surfing the web, storing URLs, and indexing keywords, links, and text. It is commonly used by search engines in their efforts to index web pages [385].
  o . A file that may be included at the top level of a web site, specifying which pages the web master does not wish web spiders to crawl. Compliance is completely voluntary on the part of web spiders, but is considered good etiquette.
• 6.3.2 Building Blocks
  o Two components: delivery and execution
• The Delivery Component (social engineering)
  o Bringing users to the corrupt information may rely either on sites that users visit voluntarily and intentionally because of their content, or on sites that contain information of no particular value but which users are tricked into visiting.
• The Execution Component (exploit vulnerability)
  o For all situations described here, successful execution can be achieved when the fraudster can cause the spam email in question to be delivered and viewed by the targeted users (not voluntary)
  o The increasing sophistication of spammers' obfuscation techniques means that one cannot count on a spam filter as the only line of defense
    ▪ Bad code can be written in many different ways
  o The badvertisement attack does rely on clients having JavaScript enabled. This is not a real limitation, however, both because 90% of web browsers have it enabled and because the advertising services themselves count on users having JavaScript enabled. Thus the execution component of the attack relies simply on a JavaScript trick
    ▪ Just like cookies, JavaScript is enabled

October 16, 2015
• 6.3.3 The Making of a Badvertisement
  o A successful badvertisement is one that is able to silently generate automatic click-throughs on advertisement banners when users visit the site, but remains undetected by the auditing agents of the ad provider.
  o The ad provider may place restrictions on the type of content that may be shown on a page containing its ads
    ▪ Façade page
    ▪ Dual-personality page
      • Changes its personality (behavior) based on the kind of visitor it has
        o When a spider crawls through pages to check for suspicious activity, it sees only the "good" side of the dual-personality page
    ▪ Is not registered with the ad provider
• Ad-Provider Evasion
  o An auditing method commonly used by ad providers is a web spider that follows the REFERER links on clicked advertisements
    ▪ An auditing spider may choose to follow the REFERER link back to the page that served the clicked ad.
  o The goal of the fraudster must then be to detect when the page is being viewed by an auditing spider and to serve a harmless page for that instance
  o The only way to get it to expose its evil personality is to visit it through
• 6.3.6 Detecting and Preventing Abuse
  o Most of the attacks discovered and reported so far have been malware-based attacks (caught by anti-malware apps)
  o Track the IP addresses of the machines generating the clicks
    ▪ Irregularities such as a repeated number of clicks for a certain advertisement from a particular IP address
  o Active client-side approach
    ▪ Would appear as an actual user to the servers it interacts with
    ▪ The agent would act like a user as closely as possible
  o Passive client-side approach
    ▪ Observes the actions performed on the machine of the person appearing to perform the click
      • Done by running all JavaScript components in a virtual machine (appearing to be a browser)
      • Any web page that causes a call of a type that should be made only after a click occurred can be determined to be fraudulent.
    ▪ Housed in security toolbars or in antivirus software.
  o Not necessary to trap all abuse
    ▪ Even if a rather small percentage of abuse is detected, it would betray the locations that house click fraud, with a likelihood that increases with the number of users who are taken to the same fraud-inducing domain.
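The IP-tracking check described under 6.3.6 above, as an added example that is not part of these notes or the Jakobsson text: it runs over a constructed click log (format, IPs, ad ids and REFERER pages are all made up here), flags repeated clicks on one ad from one IP within a short window, and then shows which REFERER pages served the flagged clicks.

```javascript
// Added example, not from the Jakobsson text: a server-side check an ad
// provider can run over its click log, flagging repeated clicks on one ad from
// one IP inside a short window, then showing which REFERER pages served them.
// Format, IPs, ad ids and pages are constructed: <time> <ip> <ad> <REFERER|->
const SAMPLE_CLICK_LOG = [
  "2015-10-16T10:00:01Z 198.51.100.7 ad-1042 http://news.example/story",
  "2015-10-16T10:00:09Z 198.51.100.7 ad-1042 http://news.example/story",
  "2015-10-16T10:00:15Z 198.51.100.7 ad-1042 http://news.example/story",
  "2015-10-16T10:00:22Z 198.51.100.7 ad-1042 http://news.example/story",
  "2015-10-16T10:01:40Z 203.0.113.9 ad-1042 http://news.example/story",
  "2015-10-16T11:30:00Z 203.0.113.9 ad-1042 -",
  "2015-10-16T12:00:00Z 192.0.2.44 ad-2210 http://blog.example/post",
  "2015-10-16T13:00:00Z 192.0.2.44 ad-2210 http://blog.example/post",
];

function parseClickLine(line) {
  const [time, ip, adId, referer] = line.trim().split(/\s+/);
  return { time: Date.parse(time), ip, adId, referer: referer === "-" ? null : referer };
}

// Flag every (ip, adId) pair with more than maxClicks clicks inside any
// windowMs window: four clicks in twenty seconds on one ad, not one an hour.
function findRepeatedClicks(lines, { windowMs = 10 * 60 * 1000, maxClicks = 3 } = {}) {
  const timesByKey = new Map();
  for (const c of lines.map(parseClickLine)) {
    const key = `${c.ip} ${c.adId}`;
    timesByKey.set(key, [...(timesByKey.get(key) || []), c.time]);
  }
  const flagged = [];
  for (const [key, times] of timesByKey) {
    times.sort((a, b) => a - b);
    let start = 0; // sliding window over the sorted click times
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 > maxClicks) {
        const [ip, adId] = key.split(" ");
        flagged.push({ ip, adId, clicks: end - start + 1 });
        break;
      }
    }
  }
  return flagged;
}

// Share of flagged clicks per REFERER page: a page whose clicks are mostly
// flagged points at the page that served the ad, not only at the client.
function flaggedShareByReferer(lines, flagged) {
  const bad = new Set(flagged.map((f) => `${f.ip} ${f.adId}`));
  const share = {};
  for (const c of lines.map(parseClickLine)) {
    const page = c.referer || "(no REFERER)";
    share[page] = share[page] || { total: 0, flagged: 0 };
    share[page].total++;
    if (bad.has(`${c.ip} ${c.adId}`)) share[page].flagged++;
  }
  return share;
}
```

Run with `findRepeatedClicks(SAMPLE_CLICK_LOG)`; only the four clicks within 21 seconds from 198.51.100.7 are flagged, and the two clicks an hour apart from 192.0.2.44 are not.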
  o Evidence shows that if only a small percentage of users had such a client-side detection tool installed, it would make attacks almost entirely unprofitable, given reasonable assumptions on the per-domain cost associated with this type of click fraud.
• 6.3.7 Brief Economic Analysis
• 6.3.8 Implications
  o This type of click fraud is a serious attack with significant revenue potential for its perpetrators. Phishers might find attacks of this nature more profitable than identity theft.
    ▪ A criminal will do both
    ▪ More convenient to perform:
      • The perpetrator can make cash directly, rather than coming into possession of credit card numbers that must be used to buy merchandise to be converted into cash. The execution of this type of click fraud does not require significant technical knowledge (assuming the development of a page preprocessor that would insert the malicious code), so it could be performed by almost any unscrupulous web master.

Fill in notes from Monday

Wednesday, October 21, 2015
Policies and Standards Design Considerations
• Policies and standards are a collection of concrete definitions that describe acceptable and unacceptable human behavior.
  o Consequences for failing to follow approved standards
    ▪ Not a trivial undertaking; legal repercussions
• Documents that people cannot understand, or that make compliance highly difficult or impossible
  o Six key questions: who, what, where, when, why and how
  o Note: Most often, the questions related to where, when, and how are more appropriate for procedures or guidelines rather than policies or standards. Try to keep your policies and standards at the what, who and why levels of detail.
Principles for Policy and Standards Development
• Because no two organizations or risk assessment outcomes are the same, there are no universal recipes for building an IT security program.
  o Principles help you make decisions in new situations.
    **** MOST IMPORTANT ****
    ▪ Accountability Principle: personal responsibility for information systems security should be explicit.
    ▪ Awareness Principle: Owners, providers, and users of information systems, and other parties, should be informed of the existence and general context of policies, responsibilities, practices, procedures, and organization for the security of information systems.

Chapter 7: Bot Networks (Jakobsson text)
• Bot networks are an emerging threat area with a wide variety of malicious applications including spam, phishing, distributed denial of service, click fraud, data harvesting, password cracking, online reputation inflation, and adware installation, among others.
  o *BOTNETS are not so much a threat as a vehicle or vector for threat technologies
• A bot is an end-user machine containing software that allows it to be controlled by a remote administrator via a command and control (C&C) network
  o Without the actual knowledge of the human end user on the machine
  o The software running on the machine may not be inherently malicious
    ▪ Ex. allows remote technical support
    ▪ Example: the attacker may have tricked the user into installing the bot software
      • Alternatively, the attacker may have exploited a vulnerability
      • Similar malicious code is not a bot unless it can receive a command from the botmaster
  o Entirely predetermined
    ▪ Not considered a bot
  o Often lies dormant until the C&C provides instructions
• Collectively referred to as a bot network (often abbreviated as botnet)
  o The C&C server is often controlled by a human operator who tells the bots under his or her control what to do; this human operator is often referred to as a botmaster or botherder.
  o The C&C itself can also be (and often is) a machine that was compromised
    ▪ The location of a particular botnet or C&C says nothing about the location of the person controlling it
      • Ex. A botmaster in Russia could be operating a C&C server in China that instructs a network of bots in the US to carry out a denial-of-service attack on a web server in England (multiple-type attacks)
    ▪ The botmaster can even rent his or her bots to other third parties
7.1.1 Challenges of Estimating the Botnet Problem
• Before providing actual numbers related to the size of the problem (very problematic)
• A single botnet might, through its lifetime, contain tens of thousands of bots
  o Bots might leave the network as the machine gets cleaned or goes offline
  o Bots might join the network as more hosts are compromised and infected
  o Some bots might be directed by their botmaster to migrate from one botnet to another
  o Some bots can be instructed to clone themselves
  o Important to note that a given botnet might lie dormant for some time before striking
    ▪ Therefore, there may be a discrepancy between the population of observable botnets and the population of actual bot-infected machines
    ▪ If bots are migrant, the same infected machine may be counted multiple times.
• Footprint: the aggregate size of the infected population at any point during the botnet's lifetime
• Live population: the number of infected bots that can actually receive commands at a given point in time (have a live communication channel with the C&C server)
  o The footprint represents the potential scope of damage a botnet can cause, while the live population represents the scope of damage that can actually be caused at a given moment
  o Two techniques for measuring botnet size: infiltration and redirection
    ▪ Infiltration: an attempt is made to join the botnet and then count the number of active bots on the C&C channel
      • Measuring botnet sizes can be challenging
      • The botmaster may suppress the identities of the bots joining the channel, or a single bot may use multiple identities
    ▪ Redirection: the DNS record for the IRC server used by the botnet is modified and resolves instead to a local sinkhole
      • When the bot tries to connect to the sinkhole, its IP address is recorded
      • Determine whether there is overlap among seemingly different botnets
Chapter 7.2.1 Characteristics of Botnet Communications
• Unlimited number of ways for botnet communications to be conducted
  o Almost any form of network communication can be used for botnets
  o Internet Relay Chat is similar to text messaging: group chat channels and one-to-one private channels
• Botnet Topology
  o The simplest and easiest topology to program is to have a central, master C&C server
  o The botmaster connects to (or has physical access to) the server and issues commands there, which are then propagated to all bots
    ▪ Concerns
      • a central point of failure
      • a single node knows the whole botnet
      • scalability
    ▪ Figure 7.2 Botnet topologies
      • Scalability: can also be aided by employing a hierarchical communication structure; does not promote reliability in the event of a central failure; does reduce the number of bots that need to be aware of the location of the central server; is this way of doing business able to grow
      • Failure: a way to address having a single point of failure; bots carefully coordinate with one another; no central node; only the bots that reported to that server would be affected; how easy is it for the communications setup to fail; what does it take to fail
      • Setup: set up, techniques, process of creating the herd; topological way of setting up the herd
      • Latency: how long does it take to get information around the herd network, fast or slow
      • Resiliency: what does it take to make the system collapse; how hard is it to make something fail; can it continue operating
Chapter 7 Jakobsson Text Page (4/6)
• Central nodes can be avoided by having bots connect directly to one another
  o Any node in the network can issue a command
  o Considerably more difficult to engineer
Jakobsson Text, Chapter 7: Command Initiation and Response
  o Regardless of the protocol and topology used, a bot's essential requirement in terms of communication is that it receives commands from the botmaster
  o The most straightforward form of communication is pushing out a command to a bot
    ▪ Example: chat/email (herder initiated)
    ▪ May be bot-initiated, with the bot initiating the communication to check for new commands
    ▪ The push method is clearly convenient for the botmaster: the command can be executed almost immediately by all bots, which allows a last-minute command to be executed.
    ▪ Downside: the botmaster either must be aware of how to reach all of his bots or must broadcast the command to the set of all possible bots; noisy
    ▪ If the bots initiate the command check, the botmaster need not know how to reach all the bots
      • Neither can reveal this information to investigators
• A bot-initiated check can be either interactive or non-interactive
  o In an interactive check, the bot issues a query of some sort and the botmaster or C&C channel software replies with a command
    ▪ The botmaster performs a command push in response to a bot making a query
  o A non-interactive check is one in which the commands for the bots are put into place independent of any query
    ▪ Commands may be stored in a variety of ways, including web pages, files on an FTP server, or on peer-to-peer networks.
      • A case in which the storage mechanism for a non-interactive check is not affiliated with either the bot or the botmaster is the analogue of the "dead drop"
        o This approach provides a significant degree of separation between the botmaster and the bots
        o Example: scanning the comments or trackback section of a third-party blog for a message placed by the botmaster
Communication Directions
• If a bot initiates a check for commands, the communication channel used must be bidirectional.
  o When the botmaster pushes commands to the bot, the communication channel could potentially be inbound only
  o All bots require some form of inbound communication channel; otherwise they cannot receive commands
7.3.1 General Software Features of Bots
• Communication component: establishes a channel to the botmaster (required)
• Control component: receives and processes commands issued by the botmaster (required)
• Main functional component: loads and runs the bot functionality as a stand-alone module, a user-mode or kernel-mode module, or within a trusted process (what does it actually do) (required)
• Propagation component: tries to find other vulnerable hosts on a network through subnet scanning, port scanning, brute-force attacks, or even vulnerability scanning scripts (additional, to enhance)
• Self-update component: downloads updates to the bot software to either (1) entirely update the bot binary, (2) seed an update for covert communication, (3) get the latest shell code that exploits a vulnerability by which the bot can spread itself, or (4) obtain a new polymorphic engine for evading detection (additional, to enhance)
7.4.1 Botnets 2.0: Browser-Based Bots
• Traditional bots are viewed as client-server executables that run directly on top of the operating system
  o Potential mechanism: run inside a web browser (everyone has a browser, so no special bot software needs to be installed) [something like TGs]
• Several key differences between traditional botnets and browser-based botnets: Same-Origin Policy
• Same-origin policy: states that any document loaded from one origin cannot get or set properties of a document loaded from another origin
  o For two documents to be considered as having the same origin, their protocol type, host, and port number must match
• Nothing precludes a document originating in one domain from loading a document in a different domain
  o However, the first document will not be able to read the contents of the second document, nor will it be able to modify the contents of the second document
• From the browser's perspective, any script loaded into a document will take on that document's origin as its own origin, regardless of where it actually came from
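The same-origin rule just described (scheme, host and port must all match; a script runs under the origin of the document that included it), as an added example that is not part of these notes or the Jakobsson text. It uses the WHATWG URL API available in browsers and Node.js; the URLs and function names are constructed for the example.

```javascript
// Added example, not from the Jakobsson text: the same-origin test described in
// the notes, implemented with the WHATWG URL API that browsers and Node.js
// provide. Two URLs share an origin only when scheme, host and port all match.
// The URLs below are constructed for the example.

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// The URL parser drops a port that equals the scheme's default, so it is put
// back here: "https://a.example" and "https://a.example:443" are one origin.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORT[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// A document may load a cross-origin document (for example in an iframe), but a
// script in the first document may read or modify the second one's contents
// only when the origins match (assumption: the plain rule applies, with no
// relaxation such as a postMessage channel between the two documents).
function mayReadOrModify(documentUrl, loadedUrl) {
  return sameOrigin(documentUrl, loadedUrl);
}

// A script inherits the origin of the document that included it; where the
// script file itself was fetched from plays no part in the decision.
function effectiveScriptOrigin(documentUrl, scriptSrc) {
  void scriptSrc; // deliberately unused
  return originOf(documentUrl);
}
```

Note that `https://bank.example/` and `https://bank.example:443/` compare equal because the parser normalises the default port, while `http://bank.example/`, `https://www.bank.example/` and `https://bank.example:8443/` are each a different origin.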
Written for: CSIS 340 (Institution), CSIS 340 (Course)
Document information: Uploaded on April 27, 2023; 61 pages; written in 2022/2023; type: Exam (elaborations); contains: Questions & answers