CIA Triad
Confidentiality, Integrity, Availability
- Model that forms the basis of information privacy
- Used for finding vulnerabilities and methods for creating solutions
Confidentiality
Preserve restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Availability
Ensure timely / reliable access to and use of information
Integrity
Guard against improper information modification or destruction and ensure information non-repudiation / authenticity
Data Integrity
Property that data has not been altered without authorization
- Accounts for data in storage, during processing, and in transit
System Integrity
Quality that a system has when it performs its intended function without being altered
Privacy in Public assignment
Asking us to stalk others (listen to their conversation at a train station, gather information without being noticed, and try to find them online)
- Shows how uncomfortable it is when someone uses information observed in a public place / how that information can be used to find you online
- This is what big tech does
Griswold v. Connecticut
Established that there is an implied right to privacy in the U.S. Constitution
- Right to privacy exists "in the penumbras" of the Bill of Rights
Is there a right to privacy?
No.
- Not mentioned in the Constitution or Bill of Rights
Is the right to privacy implied?
Yes.
- Implied in Bill of Rights
- 4th amendment: citizens have a right to protect themselves, their homes, effects, etc. from "unreasonable searches and seizures" by the government
Umbra
Shadow effect / darkest area
- Bill of Rights context: Directly stated in the Bill of Rights
Penumbras
Not as dark, affected by shadow and light
- Bill of Rights context: Not directly stated but implied
FERPA (Family Educational Rights and Privacy Act)
Law that states students have the right to access their own education record, seek to have records amended, and control the disclosure of personally identifiable information
- Part of CIA triad: Confidentiality
Information Security
- Protects organizations from bad people
- Protects individuals from bad organizations
Hacker
Advanced computer technology enthusiast
- Often a member of a computing / programming subculture (ex: "Hacker culture")
Hacking
Manipulating something to do something it was not originally made to do
- Furniture ___: Changing a bookshelf to be a desk
- Computer _____: Changing a computer to execute commands it isn't supposed to
Social Engineering
Any intentional act that influences a person to take an action that may or may not be in their best interests
- Ex: TV commercials (evoke emotions to get you to do something)
Types of social engineering attacks
- Pretexting
- Phishing / Whaling
- Vishing
- Scareware
- Tailgating / Piggybacking
- Urgency
- Authority
Pretexting
Form of social engineering where an attacker makes up a believable story
Authority
Form of social engineering that uses intimidation
Five phases of a typical social engineering attack
SE Pyramid (top -> down)
1. OSINT / Intel
2. Pretext Development
3. Attack Plan
4. Attack Launch
5. Reporting
Phase 1: OSINT
Open-source information / intelligence gathering
- Sources: Internet, social media, government records
- Skills needed: Research, analysis, writing
- Most time consuming
- Documentation: How will you document, save, and catalog all information you find?
Phase 2: Pretext Development
What kind of scenario can we put people in that will increase the likelihood of success when we try to attack the weakest link?
- Decide what changes / additions need to be made to ensure success
- Decide what props / tools are needed
Phase 3: Attack Plan
What are the specific steps we will take to compromise the weakest link?
- Contingency plans, backup plans, etc.
- Skills needed: Creativity, great collaboration skills
- Three W's: What, when, who
Three W's
What, When, Who
- What: What's the plan? What are we trying to achieve? What does the client want?
- When: When is the best time to launch the attack?
- Who: Who needs to be available at a moment's notice for support / assistance?
Phase 4: Attack Launch
Execute the plan
- Use an outline
- Be prepared, but don't be so scripted that you can't be dynamic during the attack
Phase 5: Reporting
When you are doing this for a client, they want to know how successful you were in attacking them
- Most important phase
- Skills needed: Professional writing and interpersonal skills
Social Engineering in Action: Professor's experience
- Hired as a contractor security engineer
- Sometimes tested whole system, including human part of system
- Tasked with trying to steal information about the organization's business from the new team of lawyers working there
- Reason: If we can do it, so can actual criminals
Is hacking a crime?
No.
- You can be paid to do it (as a professional)
- Crime is separate from the hacking itself
DNS (Domain Name System)
Converts domain names / host names into IP addresses
- Allows users to remember a "friendly name" instead of numbers (easier to remember www.cisco.com than 198.133.219.25)
Domain
Any text / string you enter to reach a webpage
- Ex: abc.com
IP Address
Number sequence
- If you type this into a browser, it will take you to that website
DNS resolver
"Phone book" of the full system
- When a user searches for a website name, this matches it to the IP address
Root Server
Top level of DNS hierarchy
- Found in different locations across the world
- Managed by 12 organizations
Cache Memory
A type of memory used to temporarily store frequently used data or programs (in this case websites) for quick access
TLD (Top Level Domain)
Has all information on top level domains
- Ex: .com, .net, .org
Auth Name Server (Domain Name Server)
Sends back the IP address of a particular website the user requested
- IP address is sent back to DNS resolver, which stores it in its cache
- After storing the IP address, it is then sent back to the web browser that originally requested it
SOPA (Stop Online Piracy Act) / PIPA (Protect IP Act)
Proposed bills that are aimed to combat online piracy / copyright infringement
- Raised concerns about potential censorship / threats to internet freedom
SOPA / PIPA methods to combat online piracy
- Cut off money (Force a financial service provider to not give money to people associated with a disliked site)
- Block access (DNS, when a user searches a site send them somewhere else / prevent access)
Problems with SOPA / PIPA
- Threaten free speech (if websites have users who break infringement rights, the Supreme Court can go after the website itself)
- Stifle innovation / new startups (Innovative companies will get in trouble if the idea could harm existing ones (ex: Movie industry tried to stop VCR by suing them, music industry thought MP3 players were a threat))
- Grant a lot of power to big media corporations
Censor Search
Search engines would be asked to not show any results for blacklisted web pages
DNS' role in SOPA and PIPA
Allowed websites to redirect users to other sites
- Ex: When looking up reddit, the IP address given to your computer was a different one
Hacktivism
Use of computer technology to achieve a political agenda through legally ambiguous means
- Goal: Bring issues to light / cause social change
Aaron Swartz
Hacktivist
- Arrested by MIT after connecting a computer to MIT network to download academic journals from JSTOR
- Found dead by suicide
Encryption
Process of encoding messages to keep them secret, so only "authorized" parties who know the cipher can read it
Algorithm
Series of steps
Plain text
Text that is not encrypted
Cipher text
Scrambled form of the message / data
Specific substitution ciphers to remember
Caesar, ROT13, Vigenere
Cipher
Process of turning plain text into cipher text
Caesar Cipher
Technique for encryption that shifts the alphabet by some number of characters
ROT13
Rotate letters by 13 (or whatever number given)
Process of encryption
- Plain text is enciphered to become cipher text
- Cipher text is deciphered through a key
Key (encryption)
Code that unlocks encryption
- Receiver needs to know the steps of the key in order to decipher plain text
Substitution cipher
Substituting letters for other ones to encrypt a message
Information System
Discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
System
Reflects the broader applicability of information resources of any size / complexity organized for the collection, processing, use, etc. of data / information
Information
Facts, ideas, or knowledge that could be represented as various forms of data and communicated between systems
Data-Mining
Process of analyzing data to extract information not offered by raw data alone
- Allows NSA to create a more detailed understanding of a person's life
AES (Advanced Encryption Standard)
- Hardest shell (encryption)
- Available as 128, 192, or 256 bits
- Used in most email programs / web browsers
- Considered so strong that NSA has approved it for government communications
- Due to how strong it is, it was one of the reasons for the Utah Data Center (since NSA can't break it, they want to be able to store it)
- The more messages a target sends, the more likely it is the system will recognize patterns
How trackers work
- When you visit a website, the browser makes a "request" (HTTP request)
- Since advertising code / invisible trackers are on the site, your browser might make hundreds of requests to third parties
- Data is collected (browser, time zone, browser settings, what version of a software you have installed)
- While some data is collected to help the site run correctly, most of the info gathered is to get information on you
Main methods of data collection
- Cookie tracking
- Browser fingerprinting
Cookies
Small chunks of information that websites store in your browser
- Main purpose: Remember helpful things (ex: login info)
Digital Fingerprint
List of characteristics that are unique to a single user, their browser, and their hardware setup
- Includes info such as the information the browser needs to access websites and the location of the website the user is requesting
- Hosts seemingly insignificant information (screen resolution, installed fonts)
- Tracking sites combine all small pieces to form a "fingerprint" of your device
Difference between cookies and digital fingerprinting
Cookies:
- Accurate / effective while being used
- Lose all value if removed
- Track user until deleted
Fingerprinting:
- More permanent identifiers
- Things they track are harder to change and impossible to delete
Main dynamics that make trackers hard to avoid online
- Impact on usability
- Identifiable protections
Impact on usability
Enhanced privacy comes at expense of functionality
- Many pages require you to disable your ad blocker to see content, or require you to use an "official" app
- Ex: Disabling JavaScript could result in a website losing functionality
Identifiable protections
Protections can become a part of your fingerprints
- Add-ons could lead to identification
Reason for increase in social engineering
- Easiest to attack
- Cost to set up is low
- Risk of doing an attack is lower
- Potential payout is high
Brain modes
- Alpha
- Beta
Goal of a social engineer
Get you to make a decision without thinking
- Desired brain mode: Alpha
Alpha (brain mode)
Daydreaming, "relaxed, focused concentration"
- Anyone who wants to manipulate you wants you in this mode
Beta (brain mode)
Alert, observant, aware of things going on
Hacker (Original definition)
Someone who needs to know how something works
- Not satisfied with base knowledge
- Once advanced knowledge was obtained, they would see if it was possible to bypass, enhance, exploit, alter original purpose
Oxytocin
Hormone that helps us make decisions
- Linked with trust
Dopamine
Produced by brain, released in moments of pleasure, happiness, or stimulation
Four vectors of social engineering (malicious)
- SMiShing
- Vishing
- Phishing
- Impersonation
Combination attacks are most common
SMiShing
Phishing through text messages
- Includes links
- Once links are clicked, they steal credentials and / or load malware onto devices
Vishing
Voice phishing
- Easy, cheap, profitable for attacker
- Ex: AI voice, people will use it to make it sound like it's a loved one in danger
Phishing
Sending a message from what appears to be a trusted source in order to obtain personal information
- Most dangerous
Impersonation
People impersonate authority and commit crimes
- Ex: A man impersonated police and used that to deal in child pornography
What is the weakest link in cybersecurity?
Humans
- Most likely to violate security procedures (error, not knowing information, deliberate actions that compromise an organization)
Idea to improve the human factor in cybersecurity
Educate people on how to protect themselves
- Hope: People will comply with expectations and respect the information they have access to
Current goal of cybersecurity in organizations
Give humans the context they need on cybersecurity
- Stop using mentality of "weakest link in the chain"
- New focus: Reliable / resistant factor of the system (recognize individual behaviors, acknowledge it's part of an ongoing learning process)
Cybersecurity misconception
Companies will be safer if they invest in new technologies
- Incorrect because despite how good tech is, people are the weakest link
Solution to people being a risk in cybersecurity
Education needs to teach employees to understand:
- How their actions affect reality / the organization they are a part of
- Individuals need to assume responsibility for the risk they expose the organization's digital assets to
Practices used by organizations to make employees more secure
- Practice 1: Training
- Practice 2: Raising awareness
- Practice 3: Appropriation
First two are most commonly used
Practice 1: Training
Meeting called to give people information on the organization's process / practices concerning data protection
- Typically done during onboarding process
Informs people of:
- How the relationship is
- How to handle information the organization has
- What is expected of them in terms of their access to information
- Consequences of failing to adhere to organization processes
Practice 2: Raising Awareness
Use of concrete actions / experiences to train people
- Allows for development of practical skills / knowledge
- Typically done in the workplace to contextualize actions in people's everyday tasks
Practice 3: Appropriation
Construct a meaning / mission for protecting information
- Make it possible to act according to ethical / responsible measures
- Goal: Connect individuals with their responsibilities for results of their choices / actions in relation to data security
Aaron Swartz' goal with JSTOR
Distribute a significant portion of their archive
- Reason: "Information is power. But like all power, there are those who want to keep it for themselves"
EIFL
Mission: Expand access to scholarly work
- Common theme: Frustration since progress with publishers / online archives was slow
- Prime annoyance: JSTOR (despite claim that they would embrace values of education, JSTOR refused to negotiate discounts)
Swartz arrest
Arrested less than 4 months after initial attack (caught breaking into computer closet)
- Indicted on four counts (wire fraud, computer fraud, recklessly damaging a protected computer)
- 9 counts added in September 2012
Aaron Swartz attack on JSTOR
Bought a laptop, logged into MIT computer network, and began liberating JSTOR
- Ensuing court case led him to commit suicide on January 11, 2013
Guerilla Open Access Manifesto
Aaron Swartz' manifesto discussing the idea of making online information open to the public
- "Information is power"
Open Access Movement
Working to change the privatization of online info
- Don't want scientists to do all the work only to have their research locked away
- Might be too late (even if this can be changed, it'll only apply to new things, not stuff that's already behind a paywall)
According to Swartz, private corporations are
- Charging academics to pay to read their colleagues' work
- Scanning entire libraries but only allowing companies to read them
- Allowing scientific articles to be accessed only by students at elite universities
Swartz' advice for the public
What we need to do:
- Take information, make copies, share them
- Take stuff that isn't copyrighted and add it to archives
- Buy secret databases and put them on the web
- Download scientific journals and upload them to the file-sharing networks
What we can do to help:
- Password share
- Download and upload things
Why large corporations are blinded by greed (Aaron Swartz opinion)
- Laws they work under require it
- Shareholders would be mad if they gave everything away for free
- Politicians support them
- Pass laws that make it illegal to share
Data "at rest"
Data that is stored somewhere (mobile device, laptop, server, external hard drive)
- Not moving from one place to another