Information Security: Barbarians at the Gateway

Lecture 10: Information Security: Barbarians at the Gateway (And Just about Everywhere Else)

Introduction

  • Factors that can amplify a firm’s vulnerability to a security breach:

    • Personnel Issues: Human errors or intentional wrongdoing can lead to vulnerabilities.

    • Technology Problems: Inadequate security measures in technology can create entry points for breaches.

    • Procedural Factors: Lack of established protocols can lead to unaddressed security issues.

    • Operational Issues: Daily operational practices can inadvertently compromise security.

  • Constant Vigilance:

    • Individual Skill Set: Security awareness should be part of personal skills.

    • Organizational Culture: Security must be integral to an organization’s culture.

Got a Bank Account or Credit Card? You’ve Been Hacked!

  • Equifax Breach:

    • One of the largest breaches affecting 143 million consumers.

    • Stolen data included:

      • Addresses

      • Social Security numbers

      • Tax IDs

      • Driver’s license numbers

      • Hundreds of credit card numbers

    • International impact: 400,000 in the U.K. and over 100,000 Canadians were also affected.

    • Equifax failed to patch known vulnerabilities within two months, exposing itself to unnecessary risk.

    • Their consumer inquiry site had multiple vulnerabilities.

A Look at the Target Hack

  • Malware Installation:

    • Hackers infiltrated Target’s security and payment systems.

    • Results included:

      • 40 million credit cards stolen.

      • Additional personal information of 70 million consumers exposed.

      • Significant decline in transactions and profits, leading to lawsuits and the CEO's ouster.

  • Ignored Warnings: Target’s security software from FireEye had warnings that went unheeded.

    • Target had disabled the option for automatic malware deletion, which could have prevented the theft.

Why Is This Happening? Who Is Doing it? And What’s Their Motivation?

  • Common motives for attacks include:

    • Account theft and illegal funds transfer.

    • Stealing personal or financial data.

    • Compromising computing assets for other crimes.

    • Hijacking hardware for cryptocurrency mining.

    • Extortion and intellectual property theft.

    • Espionage, cyberwarfare, and terrorism.

    • Pranksters or hacktivists, as well as revenge by disgruntled employees.

Specific Types of Cybercriminals

  • Data Harvesters: Cybercriminals infiltrate systems to collect data for illegal resale.

  • Cash-Out Fraudsters: Purchase from data harvesters to commit fraud, e.g., buying goods with stolen credit cards.

  • Botnets: Groups of infected computers remotely controlled for criminal activities.

  • Distributed Denial of Service (DDoS) attacks: Overloading systems with requests to slow or crash them.

Ransomware Attacks

  • Description: Cybercriminals infiltrate networks and encrypt data, holding it hostage until a ransom is paid in untraceable cryptocurrency.

  • Trends: Many attackers threaten to release data unless a payment is made.

Corporate Espionage

  • Actors: Could include insiders, rival companies, or foreign governments.

  • Targets: Various facilities working on sensitive projects (e.g., COVID-related information) have been breached.

    • Notable countries involved in espionage activities include China, Iran, North Korea, and Russia.

  • Example of Breaches: RSA Security and high-profile companies like GE Aerospace and Boeing.

Stuxnet: A New Era of Cyberwarfare

  • Overview: Stuxnet is one of the most significant acts of cyberwarfare, targeting Iranian facilities to sabotage uranium enrichment.

  • Potential Consequences: It raises concerns about accidental spread to non-targeted systems, endangering infrastructure and lives.

  • Implications: Stuxnet illustrated the capacity to disrupt critical infrastructure without traditional military engagement.

Hacktivism and Revenge Acts

  • Hacktivists: Use technology and hacks to promote political views or protests.

  • Malicious Pranksters: Known as griefers or trolls, who create chaos for amusement.

  • Revenge-Seeking Employees: Insiders may exploit their access for sabotage.

Government Surveillance

  • Edward Snowden's Revelations:

    • Disclosed extensive data collection methods by U.S. agencies, highlighting government overreach in surveillance.

    • XKeyscore: A system allowing comprehensive data collection on users' internet activities.

  • Legal Requirements: U.S. law requires that surveillance be warranted, though criticisms arise regarding technology firms' vulnerability to government demands.

Hacker Classifications

  • Hacker: A term that can refer to either:

    • A person who breaks into systems, or

    • A clever programmer.

  • Hack: Can denote either:

    • Entering systems illegally, or

    • Innovative solutions.

  • Types of Hackers:

    • White Hat Hackers: Identify vulnerabilities to improve security without exploitation.

    • Black Hat Hackers: Criminals exploiting vulnerabilities.

    • Red Team: Simulated attackers to find weaknesses.

    • Blue Team: Defensive professionals protecting against attacks.

Potential Information System Security Weaknesses

  • Users/Administrators:

    • Bad Apple: Rogue individuals within organizations.

    • Social Engineering: Conning employees into compromising security.

    • Weak Passwords: Easily compromised passwords increase vulnerability.

    • Carelessness: Users untrained in security best practices.

Network Vulnerabilities

  • Threats include:

    • Sniffers, compromised relays, and DNS redirects.

    • Inadequate user authentication measures and open hotspots.

Physical Threats

  • Types of threats:

    • Dumpster Diving: Searching through trash to collect sensitive information.

    • Eavesdropping: Using key loggers, microphones, or cameras to steal information.

Client Vulnerabilities

  • Operating System Flaws: Unpatched security holes.

  • Application Weaknesses: Software with vulnerabilities prone to attacks.

  • Smart Devices: Vulnerabilities in IoT kits and devices.

Server Software Vulnerabilities

  • Risks associated with:

    • Unpatched OS and poorly coded applications.

    • Exploits allowing unauthorized access across systems.

A Sampling of Methods Employed in Social Engineering

  • Impersonation: Pretending to be high-ranking officials or contacts to gain information.

  • Generative AI: Utilizing deepfake technology to mimic insiders or create credibility.

  • Baiting: Eliciting information through claims made with confidence.

User and Administrator Threats

  • Bad Apples and Rogue Employees: Individuals who may exploit company resources or secrets.

  • Social Engineering Techniques: Cons to acquire sensitive information.

    • Phishing: Technology-driven cons, typically spoofed messages sent in bulk, designed to capture data.

    • Spear Phishing: More targeted attacks focusing on specific groups.

Recognizing Phish Hooks

  • Spoofed Communications: Altered emails or packets pretending to be from trusted sources.

  • Example of a Phishing Email: Mimics an official communication to extract sensitive information.
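The hooks listed above can be checked mechanically. The following is an added example, not part of the lecture notes: it parses a raw email with Python's standard library and flags the usual tells (a look-alike sender domain, a Reply-To routed elsewhere, link text that names a different site than the real destination, a plain-HTTP link, and urgency language). Both messages, the known-domain list, and the `.test` domains are constructed for the example.

```python
"""Constructed example: flagging common phish hooks in a raw email message.

Standard-library only. Both messages below are constructed samples using the
reserved .test top-level domain, so nothing here refers to a real sender.
"""
import email
import re
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Domains the organisation actually sends from (constructed for this example).
KNOWN_DOMAINS = {"example-bank.test"}
# Cheap look-alike normalisation: digits that are often used to impersonate letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
URGENCY_WORDS = ("urgent", "immediately", "locked", "within 24 hours", "verify")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

PHISH_SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.test>
Reply-To: collect@mailbox.test
To: customer@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Your account is locked. Verify immediately:
<a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a></p>
"""

LEGIT_SAMPLE = """\
From: "Example Bank" <noreply@example-bank.test>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.example-bank.test/statements">https://www.example-bank.test/statements</a>.</p>
"""


def registered_domain(host: str) -> str:
    """Last two labels of a host name; adequate for a lesson, not for suffixes like .co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def address_domain(header_value: str) -> str:
    """Registered domain of the address inside a From/Reply-To header."""
    _, addr = parseaddr(header_value)
    return registered_domain(addr.rsplit("@", 1)[-1])


def phish_hooks(raw_message: str) -> List[str]:
    """Return the list of hooks spotted in one RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw_message)
    flags = []

    from_domain = address_domain(msg.get("From", ""))
    # Sender domain that turns into a known domain once look-alike digits are swapped.
    if from_domain not in KNOWN_DOMAINS and from_domain.translate(HOMOGLYPHS) in KNOWN_DOMAINS:
        flags.append("lookalike-sender-domain")

    # Replies silently routed to a different domain than the visible sender.
    if msg.get("Reply-To") and address_domain(msg["Reply-To"]) != from_domain:
        flags.append("reply-to-domain-mismatch")

    body = msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        # Visible link text names one site while the real destination is another.
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            flags.append("link-text-mismatch")
        if urlparse(href).scheme == "http":
            flags.append("plain-http-link")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    if sum(word in haystack for word in URGENCY_WORDS) >= 2:
        flags.append("urgency-pressure")
    return flags


if __name__ == "__main__":
    print("phish :", phish_hooks(PHISH_SAMPLE))
    print("legit :", phish_hooks(LEGIT_SAMPLE))
```

Each flag is a signal, not a verdict: a mail-filtering pipeline would score them and route high-scoring messages to quarantine or to a human, and the `registered_domain` helper would be replaced by a public-suffix-aware library before production use.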

Social Media: A Rising Security Threat

  • Zero-Day Exploits: New attacks not yet recognized by security systems.

  • Technical Openness: Social media platforms may inadvertently expose private data.

User and Administrator Threats Continued

  • AI as a Weapon: Utilizing AI for deception and hacking aids.

  • Deepfakes and Script Kiddies: Increasing threats from less skilled hackers using pre-existing scripts.

  • Need for Vigilance: Organizations must remain proactive against evolving threats.

Password Security Practices

  • Ineffective Password Systems: Many users fail to create strong, unique passwords.

  • Better Practices Include:

    • Biometrics: Identifying users through unique physical traits.

    • Two-Factor Authentication (2FA): Requiring two forms of identification.

    • Multi-Factor Authentication (MFA): Utilizing more than two identifiers for access.
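To make the second factor concrete, here is an added example (not from the lecture) of the time-based one-time password scheme behind most authenticator apps, RFC 6238 TOTP built on RFC 4226 HOTP, using only Python's standard library. The shared secret is the RFC 6238 test-vector key, not a real credential; the verifier class and its replay rule are this example's own design.

```python
"""Constructed example: time-based one-time passwords (RFC 6238) as a second factor.

Standard-library only. The shared secret below is the RFC 6238 test-vector key,
not a real credential.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test key (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP = HOTP over the number of time steps elapsed since the Unix epoch."""
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server side: accept a code within one step of clock drift, never twice."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.last_accepted_counter = -1          # counter of the last code accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for candidate in (counter - 1, counter, counter + 1):
            if candidate <= self.last_accepted_counter:
                continue                         # replayed, or older than the last use
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    print("code for the current 30-second step:", totp(TEST_SECRET, int(time.time())))
```

The verifier tolerates one step of drift in either direction and remembers the highest counter it has accepted, so a code captured by a keylogger is useless once it has been used. The per-user secret is as sensitive as a password and has to be stored with the same care.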

Improving Transaction Security with Apple Pay

  • Security Features:

    • Multi-factor authentication, single-use tokenization, and biometric identification.

Passkeys—A Ladder Out of Password Hell

  • FIDO Alliance Initiative: Development of passkey technology to eliminate traditional passwords.

  • Mechanism: Users can access secure codes stored on their devices through biometric identification.

  • Challenges: Dependence on original devices for access could pose issues.

Technology Threats (Client and Server Software, Hardware, and Networking)

  • Malware Definitions:

    • Viruses: Attach to files or programs to spread.

    • Worms: Spread autonomously through vulnerabilities.

    • Trojans: Disguised as legitimate software.

  • Malware Goals:

    • Creating botnets, engaging in fraud and espionage.

  • Types of Malware:

    • Spyware, Keyloggers, Card Skimmers, Ransomware: used for various malicious intents.

Vulnerabilities within Modern Technology

  • Smartphones as Targets: Weaknesses in mobile security systems are increasingly exploited.

  • SQL Injection Risks: Poor programming practices expose apps to data breaches.
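The "poor programming practice" behind SQL injection is building a query by pasting user input into its text. The following is an added example, not code from the lecture: a login lookup written the vulnerable way next to the parameterized fix, run against an in-memory SQLite database whose table, accounts and test input are all constructed here.

```python
"""Constructed example: SQL injection in a login check, and the parameterized fix.

Uses an in-memory SQLite database so it runs offline. The table, the accounts
and the attacker input below are all constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway user table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """The bad practice: user input is pasted straight into the SQL text.

    Whatever the user types becomes part of the query, so a quote character
    changes the query's structure instead of being treated as data.
    """
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str):
    """The fix: placeholders keep the query structure fixed; input is bound as data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


# The textbook injection string: it closes the quoted username, adds an
# always-true condition, and comments out the password check with '--'.
INJECTION = "' OR '1'='1' -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password  :", login_vulnerable(db, INJECTION, "anything"))
    print("parameterized, same input   :", login_parameterized(db, INJECTION, "anything"))
```

The parameterized version returns nothing for the same input because the database receives the string as a value to compare, never as SQL. Every database driver offers placeholders of this kind; the defensive rule is that query text is a constant and user data only ever travels through the parameter list.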

Push-Button Hacking, Made Worse by Generative AI

  • Automated Tools: Making it easier for less sophisticated hackers to engage in attacks.

  • Use of Generative AI: Assists in crafting sophisticated attacks and circumvents traditional security measures.

Network Threats

  • Source of Compromise: Networks are a primary target for hackers.

    • Physical Threats: Dumpster diving, shoulder surfing, or eavesdropping tactics.

The Encryption Prescription

  • Definition of Encryption: The process of disguising data with codes.

  • Key Management Difficulties: Challenges with managing encryption keys can lead to vulnerabilities.

Key Considerations on Encryption

  • Drawbacks of Encryption: Additional processing needs and potential compliance requirements.

  • Legislative Implications: Standards may require encryption for sensitive information.

Taking Action as a User

  • User Tips:

    • Surf smart, stay vigilant, stay updated.

    • Install comprehensive security software.

    • Secure home networks and encrypt crucial data.

    • Regularly back up systems and keep passwords updated.

Taking Action as an Organization

  • Framing Standards:

    • Utilize ISO 27000 series for effective information security management.

  • Education, Audits, and Enforcement:

    • Provide regular security training, monitor compliance, and audit procedures regularly.

Audit Process and Technologies

  • Red Teaming: Testing security by simulating adversarial attacks to identify weaknesses.

  • Risk Assessment: Understanding vulnerabilities and prioritizing security investments.

Technology’s Role in Security

  • Patching: Regular updates to close security gaps.

  • Monitoring Networks: Use of firewalls, intrusion detection systems, and honeypots to manage threats.
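Intrusion detection at its simplest is a rule run over log lines. As an added example that is not part of the lecture, the code below parses sshd-style authentication records and raises an alert when one source address exceeds a number of failed logins within a sliding time window. The log lines are constructed, the host name is invented, and the addresses come from the documentation range 203.0.113.0/24.

```python
"""Constructed example: brute-force detection over authentication log lines.

Flags a source address that produces too many failed logins inside a sliding
time window. The log lines are constructed in sshd's style; the addresses are
from the documentation range 203.0.113.0/24.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar 10 08:00:01 gateway sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51322 ssh2
Mar 10 08:00:03 gateway sshd[4121]: Failed password for root from 203.0.113.5 port 51323 ssh2
Mar 10 08:00:04 gateway sshd[4122]: Failed password for invalid user test from 203.0.113.5 port 51324 ssh2
Mar 10 08:00:06 gateway sshd[4123]: Failed password for root from 203.0.113.5 port 51325 ssh2
Mar 10 08:00:09 gateway sshd[4124]: Failed password for invalid user guest from 203.0.113.5 port 51326 ssh2
Mar 10 08:01:15 gateway sshd[4130]: Failed password for alice from 203.0.113.77 port 40001 ssh2
Mar 10 08:01:40 gateway sshd[4131]: Accepted password for alice from 203.0.113.77 port 40002 ssh2
Mar 10 08:15:00 gateway sshd[4140]: Failed password for bob from 203.0.113.9 port 40100 ssh2
Mar 10 08:20:00 gateway sshd[4141]: Failed password for bob from 203.0.113.9 port 40101 ssh2
Mar 10 08:25:00 gateway sshd[4142]: Failed password for bob from 203.0.113.9 port 40102 ssh2
Mar 10 08:30:00 gateway sshd[4143]: Failed password for bob from 203.0.113.9 port 40103 ssh2
Mar 10 08:35:00 gateway sshd[4144]: Failed password for bob from 203.0.113.9 port 40104 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_line(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Map each offending source IP to the time its failures first crossed the threshold."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue
        ts, _, _, ip = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()         # drop failures that aged out of the window
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {when:%H:%M:%S} - {5} failed logins within 60 s")
```

With the defaults, only 203.0.113.5 is reported; the five failures from 203.0.113.9 are spread five minutes apart and slip under a one-minute window. That gap is the usual tuning problem with threshold rules: widening the window catches slower attempts at the cost of more noise, which is why real deployments layer several windows and correlate with other sources such as honeypot hits.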

Securing Partnerships

  • Require Compliance: Partner firms should adhere to security standards and undergo regular audits.

Technology’s Role Continued

  • Single Sign-On Tools: Simplifying access while maintaining security.

  • Crisis Management: Implementing recovery plans and ensuring clear communication during incidents.

The Role of AI in Cybersecurity

  • Advances in AI Tools: AI can aid in monitoring networks, performing audits, and adapting to new threats.

  • Honeypots and Cyber Defense: AI can also create decoy systems to detect and end attacks.