External network threats
Social engineering (phishing)
DoS (DDoS)
Back door
IP spoofing
SQLi
MitM
XSS
Malware
Physical network threats
Zero day vulnerabilities
Malware
Any type of malicious software designed to harm or exploit any programmable device, service or network
Spyware, ransomware, trojans
e.g., WannaCry ransomware attack
Social engineering (phishing)
Way attackers trick users into giving them personal info
Phishing - usually through fraudulent emails or text messages pretending to be from a large, trusted and known org
e.g., ANU spearphishing
Denial of service (DoS)
Aims to make a machine or network resource unavailable to its intended users by overwhelming it with a flood of Internet traffic
Distributed DoS - multiple compromised systems attacking a single target, creating a much larger volume of traffic
e.g., AWS DDoS
Back door
Any method by which authorised and unauthorised users are able to get around normal security measures and gain high level user access on a computer system, network or software application
e.g., PoisonTap
IP spoofing
The creation of IP packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system
e.g., DNS spoofing on Brazilian banks
SQL injection
Code injection technique that exploits vulnerabilities in an app's software by inserting malicious SQL code into input fields, allowing attackers to manipulate the backend database
Man in the middle (MitM)
Attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other
Cross-site scripting
Security vulnerability typically found in web apps, allowing attackers to inject malicious scripts into content from otherwise trusted websites
Physical network threat
A network’s infrastructure and components are vulnerable to anyone with physical access to them
Zero day vulnerabilities
Software security flaw that is unknown to the software vendor or developer
Since there is no fix available, it can be exploited by attackers
Ethical hacking
Practice of using hacking techniques with authorisation to identify and fix security vulnerabilities in computer systems and networks
Ethical hacking characteristics
Hack for good reasons
Improve security systems, not exploit
Identify weaknesses and how to improve them
Legal and authorised
Ethical vs unethical hacking
Use the same methods and techniques for different reasons
Hacking
Gaining unauthorised access to data in a system or computer
Penetration testing
Simulated (practice) cyberattack conducted on a computer system to find and fix any weak spots before real attackers can exploit them
Red team
Cybersecurity experts that imitate network assaults on a company to find weaknesses (attackers)
Blue team
Prevent assaults and maintain the security posture of the company (defenders)
APPs
Australian Privacy Principles
Establishes standards for processing personal info and sets obligations for agencies under the Privacy Act regarding access to and correction of personal info
Comply with the APPs by…
Up to date policy about how they deal with customer info
Show how it collects and holds this info and discloses this info to others
Show this policy on their company website
Explain why they are collecting the info
Individuals must consent to providing info to companies
APPs apply to:
Orgs with annual turnover of at least $3 million
Small business if they:
operate in healthcare
buy or sell personal data
serve as a contracted service provider to the Aus Gov
are accredited by the Consumer Data Right System
APP 1
Open and transparent management of personal info
Ensures that APP entities manage personal info in an open and transparent way, including having a clearly expressed and up to date APP privacy policy
APP 2
Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves or using a pseudonym, limited exceptions apply
APP 3
Collection of solicited personal info
Outlines when an APP entity can collect personal info that is solicited, applying higher standards to the collection of sensitive info
APP 4
Dealing with unsolicited personal info
Outlines how APP entities must deal with unsolicited personal info
APP 5
Notification of the collection of personal info
Outlines when and in what circumstances an APP entity that collects personal info must tell an individual about certain matters
APP 6
Use or disclosure of personal info
Outlines the circumstances in which an APP entity may use or disclose personal info that it holds
APP 7
Direct marketing
An org may only use or disclose personal info for direct marketing purposes if certain conditions are met
APP 8
Cross-border disclosure of personal info
Outlines the steps an APP entity must take to protect personal info before it is disclosed overseas
APP 9
Adoption, use or disclosure of gov related identifiers
Outlines the limited circumstances when an org may adopt a gov related identifier of an individual as its own identifier, or use or disclose a gov related identifier of an individual
APP 10
Quality of personal info
APP entity must take reasonable steps to ensure the personal info it collects is accurate, up to date and complete
Must also take reasonable steps to ensure the personal info it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure
APP 11
Security of personal info
APP entity must take reasonable steps to protect personal info it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure
Has obligations to destroy or de-identify personal info in certain circumstances
APP 12
Access to personal info
Outlines an APP entity’s obligations when an individual requests to be given access to personal info held about them by the entity, including a requirement to provide access unless a specific exception applies
APP 13
Correction of personal info
Outlines an APP entity’s obligations in relation to correcting the personal info it holds about individuals
Internal network threats
Lost or stolen devices
Compromised credentials
Misuse by employees
Lost or stolen devices
Can be used to access sensitive company data, infiltrate networks and compromise systems
Compromised credentials
Allow attackers to bypass security measures, impersonate legit users and move within the network
Misuse by employees
Un/intentional actions that can compromise security which can lead to loss of info and security breaches
Security solutions
Analysis of log files
Anti-malware
Firewall filtering
ACL
IPS
VPN
User training
ICT code of conduct
Physical security
Analysis of log files
Process of reviewing, interpreting and understanding logs generated by systems, networks and apps
Can identify potential security threats by looking for unusual activities
e.g., multiple failed login attempts from one IP address - brute force attack
Anti-malware
Software program that protects computer systems from all forms of malicious software
Block malware infiltration and detect ongoing intrusions
e.g., Malwarebytes
Firewall filtering
Controls traffic by inspecting packets and applying rules to determine which packets are allowed or blocked
Prevents unauthorised access, cyberattacks and malware from entering the network
e.g., allow incoming web traffic on one port but block incoming email traffic on another
Access control lists (ACL)
List of rules that specifies which users or systems are granted or denied access to a particular object or system resource
Prevent unwanted users and traffic
e.g.,
Intrusion prevention systems (IPS)
Continuously monitors a network for malicious activity and takes action to prevent it
Reports, blocks and drops activity when detected to provide additional security
Virtual private networks (VPN)
Encrypted connection over the internet
Ensures sensitive data is safely transmitted and prevents unauthorised people from eavesdropping on the traffic
User training
Educating people to understand, identify and avoid cyber threats
Prevent data breaches and attacks based on social engineering
ICT code of conduct
Establishes guidelines and expectations for responsible use of ICT resources
Mitigate unauthorised access, data breaches and malware infections
Physical security
Protection of hardware, software, networks and data from physical actions and events that could cause serious loss or damage
e.g., locks
Cryptography
Process of hiding or coding info so that only the intended person can read the msg
Encryption
Method for en/decrypting data using a secret digital key
More bits in a key - more secure, more processing power required to en/decrypt
Modern techniques generally use 128/256 bit keys
AES
Advanced encryption standard (AES)
Considered virtually unbreakable
Using supercomputer to brute force will take 1 billion years
Symmetric encryption
Both sender and receiver use the same key
Typically fast
Suitable for encrypting large volumes of data
Providing a secure method for key distribution and managing multiple keys presents a notable challenge
Asymmetric encryption
Employs 2 different keys - public and private
Addresses the key distribution problem of symmetric encryption: each party shares its own public key while keeping a private key that is never exchanged
Sending party encrypts msgs using the receiving party’s private key which can only be decrypted with that key
Public key (digital) certificates
Electronic doc used to prove the validity of a public key
Includes the key, info about it, info about the identity of its owner and digital signature of an entity that has verified its contents
Often include a hash which verifies that the signed data hasn’t been modified while in transit
Encryption purpose
Asymmetric encryption ensures that sensitive data can be securely sent across networks without threat of MitM intercepting and stealing data
Sensitive data must be secured and authenticated
Symmetric encryption methods
Caesar and Vigenère ciphers
Data encryption standard (DES)
Triple DES
AES
Asymmetric encryption methods
Diffie-Hellman key exchange
Rivest-Shamir-Adleman (RSA)
Digital signature algorithm (DSA)
Elliptic curve DSA
ECDSA
Require smaller key sizes (256 bits)
More performant (faster) compared to earlier asymmetric ciphers
Privacy Amendment (Notifiable Data Breaches) Act 2017
Amends the Privacy Act 1988 to introduce mandatory data breach notification requirements
Applies to entities covered by Privacy Act
In the case of ‘eligible data breach’, requires notification to affected individuals and the Office of the Aus Info Commissioner (OAIC)
Amendment purpose
To make orgs more accountable for protecting personal info
Help raise awareness of data breaches
Encourage orgs to take proactive measures to prevent breaches from occurring
Role of OAIC
Established to uphold info rights in Aus
Oversees compliance with the Privacy Act
Handles privacy complaints and investigates potential privacy breaches
Orgs that experience eligible data breach notify OAIC who provides guidance on how to assess and respond to breach
Eligible data breach
Breach that results in unauthorised access to or disclosure of personal info
Loss of personal info where unauthorised access or disclosure is likely
Breach likely to cause serious harm to affected individuals