ITI Exam 3 - 2

CIA Triad

Confidentiality, Integrity, Availability

- Model that forms the basis of information privacy
- Used for finding vulnerabilities and methods for creating solutions

Confidentiality

Preserve restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

Availability

Ensure timely / reliable access to and use of information

Integrity

Guard against improper information modification or destruction and ensure information non-repudiation / authenticity

Data Integrity

Property that data has not been altered without authorization
- Accounts for data in storage, during processing, and in transit

System Integrity

Quality that a system has when it performs its intended function without being altered

Privacy in Public assignment

Asking us to stalk others (listen to their conversation at a train station, gather information without being noticed, and try to find them online)
- Shows how someone using information observed in a public place is uncomfortable / can be used to find you online
- This is what big tech does

Griswold v. Connecticut

Established that there is an implied right to privacy in the U.S. Constitution
- Right to privacy exists "in the penumbras" of the Bill of Rights

Is there a right to privacy?

No.
- Not mentioned in the Constitution or Bill of Rights

Is the right to privacy implied?

Yes.
- Implied in Bill of Rights
- 4th amendment: citizens have a right to protect themselves, their homes, effects, etc. from "unreasonable searches and seizures" by the government

Umbra

Shadow effect / darkest area
- Bill of Rights context: Directly stated in the Bill of Rights

Penumbras

Not as dark, affected by shadow and light
- Bill of Rights context: Not directly stated but implied

FERPA (Family Educational Rights and Privacy Act)

Law that states students have the right to access their own education record, seek to have records amended, and control of disclosure of personally identifiable information
- Part of CIA triad: Confidentiality

Information Security

- Protects organizations from bad people
- Protects individuals from bad organizations

Hacker

Advanced computer technology enthusiast
- Often a member of a computing / programming subculture (ex: "Hacker culture")

Hacking

Manipulating something to do something it was not originally made to do
- Furniture ___: Changing a bookshelf to be a desk
- Computer _____: Changing a computer to executer commands it isn't supposed to do

Social Engineering

Any intentional act that influences a person to take an action that may or may not be in their best interests
- Ex: TV commercials (evoke emotions to get you to do something)

Types of social engineering attacks

- Pretexting
- Phishing / Whaling
- Vishing
- Scareware
- Tailgating / Piggybacking
- Urgency
- Authority

Pretexting

Form of social engineering where an attacker makes up a believable story

Authority

Form of social engineering that uses intimidation

Five phases of a typical social engineering attack

SE Pyramid (top -> down)

1. OSINT / Intel
2. Pretext Development
3. Attack Plan
4. Attack Launch
5. Reporting

Phase 1: OSINT

Open-source information / intelligence gathering
- Sources: Internet, social media, government records
- Skills needed: Research, analysis, writing
- Most time consuming
- Documentation: How will you document, save, and catalog all information you find?

Phase 2: Pretext Development

What kind of scenario can we put people in that will increase the likelihood of success when we try to attack the weakest link?
- Decide what changes / additions need to made to ensure success
- Decide what props / tools are needed

Phase 3: Attack Plan

What are the specific steps we will take to compromise the weakest link?
- Contingency plans. back up plans, etc...
- Skills needed: Creativity, great collaboration skills
- Three W's: What, when, who

Three W's

What, When, Who
- What: What's the plan? What are we trying to achieve? What does the client want?
- When: When is the best time to launch the attack?
- Who: Who needs to be available at a moment's notice for support / assistance?

Phase 4: Attack Launch

Execute the plan
- Use an outline
- Be prepared, don't be so scripted that you can't be dynamic during the attack

Phase 5: Reporting

When you are doing this for a client, they want to know how successful you were in attacking them
- Most important phase
- Skills needed: Professional writing and interpersonal skills

Social Engineering in Action: Professor's experience

- Hired as a contractor security engineer
- Sometimes tested whole system, including human part of system
- Tasked with trying to steal information about the organization's business from the new team of lawyers working there
- Reason: If we can do it, so can actual criminals

Is hacking a crime?

No.
- You can be paid to do it (as a professional)
- Crime is separate from the hacking itself

DNS (Domain Name System)

Converts domain names / host names into IP addresses
- Allows users to remember a "friendly name" instead of numbers (easier to remember www.cisco.com than 198.133.219.25)

Domain

Any text / string you enter to reach a webpage
- Ex: abc.com

IP Address

Number sequence
- If you type this into a browser, it will take you to that website

DNS resolver

"Phone book" of the full system
- When a user searches for a website name, this matches it to the IP address

Route Server

Top level of DNS hierarchy
- Found in different locations across the world
- Managed by 12 organizations

Cache Memory

A type of memory used to temporarily store frequently used data or programs (in this case websites) for quick access

TLD (Top Level Domain)

Has all information on top level domains
- Ex: .com, .net, .org

Auth Name Server (Domain Name Server)

Sends back the IP address of a particular website the user requested
- IP address is sent back to DNS resolver, which stores it in its cache
- After storing the IP address, it is then sent back to the web browser that originally requested it

SOPA (Stop Online Piracy Act) / PIPA (Protect IP Act)

Proposed bills that are aimed to combat online piracy / copyright infringement
- Raised concerns about potential censorship / threats to internet freedom

SOPA / PIPA methods to combat online piracy

- Cut off money (Force a financial service provider to not give money to people associated with a disliked site)
- Block access (DNS, when a user searches a site send them somewhere else / prevent access)

Problems with SOPA / PIPA

- Threaten free speech (if websites have users who break infringement rights, the Supreme Court can go after the website itself)
- Stifle innovation / new startups (Innovative companies will get in trouble if the idea could harm existing ones (ex: Movie industry tried to stop VCR by suing them, music industry thought MP3 players were a threat))
- Grant a lot of power to big media corporations

Censor Search

Search engines would be asked to not show any results for blacklisted web pages

DNS' role in SOPA and PIPA

Allowed websites to redirect users to other sites
- Ex: Looking up reddit, the IP address you got was a different one given to your computer

Hacktivism

Use of computer technology to achieve a political agenda through legally ambiguous means
- Goal: Bring issues to light / cause social change

Aaron Swartz

Hacktivist
- Arrested by MIT after connecting a computer to MIT network to download academic journals from JSTOR
- Found dead by suicide

Encryption

Process of encoding messages to keep them secret, so only "authorized" parties who know the cipher can read it

Algorithm

Series of steps

Plain text

Text that is not encrypted

Cipher text

Scrambled form of the message / data

Specific substitution ciphers to remember

Caesar, ROT13, Vigenere

Cipher

Process of turning plain text into cipher text

Caesar Cipher

Technique for encryption that shifts the alphabet by some number of characters

ROT13

Rotate letters by 13 (or whatever number given)

Process of encryption

- Plain text is enciphered to become cipher text
- Cipher text is deciphered through a key

Key (encryption)

Code that unlocks encryption
- Receiver needs to know the steps of the key in order to decipher plain text

Substitution cipher

Substituting letters for other ones to encrypt a message

Information System

Discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information

System

Reflect the broader applicability of information resources of any size / complexity organized for the collection, processing, use, etc. of data / information

Information

Facts, ideas, or knowledge that could be represented as various forms of data and communicated between systems

Data-Mining

Process of analyzing data to extract information not offered by raw data alone
- Allows NSA to create a more detailed understanding of a person's life

AES (Advanced Encryption Standard)

- Hardest shell (encryption)
- Available as 128, 192, or 256 bits
- Used in most email programs / web browsers
- Considered so strong that NSA has approved it for government communications
- Due to how strong it is, it was one of the reasons the Utah Data Center was more (since NSA can't break it, they want to be able to store it)
- The more messages a target sends, the more likely it is the system will recognize patterns

How trackers work

- When you visit a website, the browser makes a "request" (HTTP request)
- Since advertising code / invisible trackers are on the site, your browser might make hundreds of requests to third parties
- Data is collected (browser, time zone, browser settings, what version of a software you have installed)
- While some data is collected to help the site run correctly, most of the info gathered is to get information on you

Main methods of data collection

- Cookie tracking
- Browser fingerprinting

Cookies

Small chunks of information that websites store in your browser
- Main purpose: Remember helpful things (ex: login info)

Digital Fingerprint

List of characteristics that are unique to a single user, their browser, and their hardware setup
- Includes info such as information browser needs to access websites and location of website user is requesting
- Hosts seemingly insignificant information (screen resolution, installed fonts)
- Tracking sites combine all small pieces to form a "fingerprint" of your device

Difference between cookies and digital fingerprinting

Cookies:
- Accurate / effective while being used
- Lose all value if removed
- Track user until deleted

Fingerprinting:
- More permanent identifiers
- Things they track are harder to change and impossible to delete

Main dynamics that make trackers hard to avoid online

- Impact on usability
- Identifiable protections

Impact on usability

Enhanced privacy comes at expense of functionality
- Many pages require you to disable your ad blocker to see content, or require you to use an "official" app
- Ex: Disable javascript but could result in website losing functionality

Identifiable protections

Protections can become a part of your fingerprints
- Add ons could lead to identification

Reason for increase in social engineering

- Easiest to attack
- Cost to set up is low
- Risk of doing an attack is lower
- Potential payout is high

Brain modes

- Alpha
- Beta

Goal of a social engineer

Get you to make a decision without thinking
- Desired brain mode: Alpha

Alpha (brain mode)

Daydreaming, "relaxed, focused concentration"
- Anyone who wants to manipulate you wants you in this mode

Beta (brain mode)

Alert, observant, aware of things going on

Hacker (Original definition)

Someone who needs to know how something works
- Not satisfied with base knowledge
- Once advanced knowledge was obtained, they would see if it was possible to bypass, enhance, exploit, alter original purpose

Oxytocin

Hormone that helps us make decisions
- Linked with trust

Dopamine

Produced by brain, released in moments of pleasure, happiness, or stimulation

Four vectors of social engineering (malicious)

- SMiShing
- Vishing
- Phishing
- Impersonation
Combination attacks are most common

SMiShing

Phishing through text messages
- Includes links
- Once links are clicked, they steal credentials and / or load malware onto devices

Vishing

Voice phishing
- Easy, cheap, profitable for attacker
- Ex: AI voice, people will use it to make it sound like it's a loved one in danger

Phishing

Sending a message from what appears to be a trusted source in order to obtain personal information
- Most dangerous

Impersonation

People impersonate authority and commit crimes
- Ex: A man impersonated police and used that to deal in child pornography

What is the weakest link in cybersecurity?

Humans
- Most likely to violate security procedures (error, not knowing information, deliberate actions that compromise an organization)

Idea to improve the human factor in cybersecurity

Educate people on how to protect themselves
- Hope: People will comply with expectations and respect the information they have access to

Current goal of cybersecurity in organizations

Give humans the context they need on cybersecurity
- Stop using mentality of "weakest link in the chain"
- New focus: Reliable / resistant factor of the system (recognize individual behaviors, acknowledge it's part of an ongoing learning process)

Cybersecurity misconception

Companies will be safer if they invest in new technologies
- Incorrect because despite how good tech is, people are the weakest link

Solution to people being a risk in cybersecurity

Education needs to teach employees to understand:
- How their actions affect reality / the organization they are a part of
- Individuals need to assume responsibility for risk that they expose the organizations digital things to

Practices used by organizations to make employees more secure

- Practice 1: Training
- Practice 2: Raising awareness
- Practice 3: Appropriation

First two are most commonly used

Practice 1: Training

Meeting called to give people information on the organization's process / practices concerning data protection
- Typically done during onboarding process

Informs people of:
- How the relationship is
- How to handle information the organization has
- What is expected of them in terms of their access to information
- Consequences of failing to adhere to organization processes

Practice 2: Raising Awareness

Use of concrete actions / experiences to train people
- Allows for development of practical skills / knowledge
- Typically done in the workplace to contextualize actions in people's everyday tasks

Practice 3: Appropriation

Construct a meaning / mission for protecting information
- Make it possible to act according to ethical / responsible measures
- Goal: Connect individuals with their responsibilities for results of their choices / actions in relation to data security

Aaron Swartz' goal with JSTOR

Distribute a significant portion of their archive
- Reason: "Information is power. But like all power, there are those who want to keep it for themselves"

EIFL

Mission: Expand access to scholarly work
- Common theme: Frustration since progress with publishers / online archives was slow
- Prime annoyance: JSTOR (despite claim that they would embrace values of education, JSTOR refused to negotiate discounts)

Swartz arrest

Arrested less than 4 months after initial attack (caught breaking into computer closet)
- Indicted on four counts (wire fraud, computer fraud, recklessly damaging a protected computer)
- 9 counts added in September 2012

Aaron Swartz attack on JSTOR

Bought a laptop, logged into MIT computer network, and began liberating JSTOR
- Ensuring court case led him to commit suicide on January 11, 2013

Guerilla Open Access Manifesto

Aaron Swartz' manifesto discussing the idea of making online information open to the public
- "Information is power"

Open Access Movement

Working to change the privatization of online info
- Don't want scientists to do all the work only to have their research locked away
- Might be too late (even if this can be changed, it'll only apply to new things, not stuff that's already behind a paywall)

According to Swartz, private corporations are

- Charging academics to pay to read their colleagues works
- Scan entire libraries but only allow companies to read them
- Scientific articles are only able to be accessed by students in elite universities

Swartz' advice for the public

What we need to do:
- Take information, make copies, share them
- Take stuff that isn't copyrighted and add it to archives
- Buy secret databases and put them on the web
- Download scientific journals and upload them to the file-sharing networks

What we can do to help:
- Password share
- Download and upload things

Why large corporations are blinded by greed (Aaron Swartz opinion)

- Laws they work under require it
- Shareholders would be mad if they gave everything away for free
- Politicians support them
- Pass laws that make it illegal to share

Data "at rest"

Data that is stored somewhere (mobile device, laptop, server, external hard drive)
- Not moving from one place to another