This presentation provides an introduction to cybersecurity. This presentation is a part of the Five days Faculty Development Program on Cybersecurity organized by the Department of Information Technology, Sri Ramakrishna Institute of Technology.
Introduction to Cybersecurity
1. Introduction to Cyber Security
Adri Jovin J J, M.Tech., Ph.D., B.G.L.,
Assistant Professor (Sl. Gr.), Department of Information Technology
Sri Ramakrishna Institute of Technology
2. Attack Trends
Introduction to Cybersecurity 2
Image source: 2016s1-160a Cyber Security - IoT and CAN Bus Security, University of Adelaide
Why Cyber Security?
13-07-2020
If you know the enemy, and know yourself, you
need not fear the result of 100 battles.
If you know yourself, but not the enemy, for every
victory gained, you'll also suffer defeat.
If you know neither the enemy nor yourself, you will
succumb in every battle.
-Sun Tzu in Art of War
3. CIA Model (CIA Triad) – The base of Information Security
(Figure: CIA triad diagram; legible labels on the slide: Network Security, Availability)
5. What is Cyber Security?
• Cyber security is a broad umbrella term for protecting the confidentiality, integrity, and availability of computing devices and networks, hardware, software, and most importantly, data and information.
• Cyber security covers data and information in transit, being processed, and at rest.
• Cyber security is achieved through procedures, products, and people.
7. Asset
• Anything that needs to be protected
• Information - Banking information, medical records
• Computer Systems – Defense systems, Critical Infrastructure
• Services – Websites, life safety systems
8. Threat
• A potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm. That is, a threat is a possible
danger that might exploit a vulnerability.
• Someone wanting to do harm
• An insecure service
• A threat agent is anyone or anything that wants to do harm or harms an asset
• Hackers
• Hacktivists
9. Vulnerability
• A flaw or weakness in the design or implementation of an asset which could be utilized by a
threat or threat agent
• Incorrect configuration
• Open ports
• Poor backup strategy
• Poor coding
10. Exploit
• Any software or tools that are intentionally used to take advantage of a vulnerability on an
asset
• Metasploit
• Ophcrack
11. Risk
• Probability that a threat will take advantage of a vulnerability on an asset and cause harm
• Risk of losing data
• Risk of a personal photo collection
• Risk of banking data
12. Attack
• An assault on system security that derives from an intelligent threat; that is, an intelligent act
that is a deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
• Denial of service
• Data breach
• Physical destruction
13. Mitigation/Compensating Control
• Mitigation Control: Any tool, service or system that reduces the risk of attack
• Backup strategies
• Compensating Control: Any tool, service or system that lowers the risk of attack on an asset by intentionally getting in the way of the threat
• Firewall
14. CIA Revisited
• Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information
Source: FIPS 199
• Industries try to keep information secret
• Intellectual Property (IP)
• Financial Information
• Government Secrets
• Student Data
• Day-to-day usage: Credit Cards, Website encryption, VPNs, Bitlocker
15. CIA Revisited
• Integrity
Guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity
Source: FIPS 199
• Helps to verify data
• Credit card numbers
• IMEI numbers
• Aadhaar
• Day-to-day usage: All packets in a network, Digital Signatures, Hashes
16. CIA Revisited
• Availability
Ensuring timely and reliable access to and use of information
Source: FIPS 199
• Day-to-day usage: RAID, Server clustering, load-balancing
• Why?
• October 21, 2016 – Mass denial of service launched against DynDNS (Tens of millions of
addresses coordinated to attack the key infrastructure on the internet)
18. Identify
• Inventory
• Access Control
• Background checks
• Individual user account
• Policy and Procedure
19. Protect
• Limit employee access
• Install surge protectors and UPS
• Update OS and applications regularly
• Install and activate firewalls
• Secure wireless access points
• Setup web and email filters
• Encrypt sensitive information
• Train employees
20. Detect
• Install and update anti-virus, anti-spyware etc.
• Maintain and monitor logs
• Train your employees
21. Respond
• Develop a plan for disasters and security incidents
• Roles and responsibilities
• Whom to call
• What type of activity constitutes a security incident
22. Recover
• Maintain full backups
• Test your backups
• Cyber Insurance
23. Some better practices
• Train your employees
• Phishing
• Social Media
• Clean Machines
• Update security software, browsers, OS
• Use firewalls
• Mobile Devices
• Passwords
• Avoid public networks
• Report if lost or stolen
24. Some better practices (Contd…)
• Maintain Backups
• Automatic
• Weekly
• Store off-site or on cloud
• User account for each employee
• Strong passwords
• Admin privileges limited
• Secure your Wi-Fi
• Encrypt
• Do not broadcast network name
25. Some better practices (Contd…)
• Payment Cards
• Use trusted and validated tools
• Check https
• Limit Access
• No one has access to all
• Role based system
• Software installation must require permission
• Strong passwords
• Try changing every 3 months
• Have at least 12 characters
• Multifactor authentication
27. Heartbleed Bug
• Vulnerability in the OpenSSL cryptographic software library
• Allows stealing information that is normally protected by SSL/TLS encryption
• SSL/TLS provides communication security and privacy over the internet for most applications
• Discovered by Riku, Antti and Matti at Codenomicon and Neel Mehta of Google Security, and reported in April 2014
• Allows attackers to
  • eavesdrop on communications
  • steal data directly from the services and users
  • impersonate services and users
(Diagram labels on the slide: Release of message content; Masquerading)
28. Why Heartbleed?
Bug discovered in the Heartbeat extension of TLS
Exploitation leaked memory contents from server to client and from client to server
Left a large number of private keys and other secrets exposed to the internet
Is the protocol specification wrong?
No: the problem is with the implementation, a programming mistake
29. What’s wrong with the implementation?
Heartbeat message structure (RFC 6520):
    struct
    {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;
Incoming Heartbeat message (vulnerable code):
    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);    /* payload length taken from the message itself */
    pl = p;
Response Heartbeat message (vulnerable code):
    /* Enter response type, length and copy payload */
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, pl, payload);    /* copies 'payload' bytes, never compared with the record length */
Fixed Incoming Heartbeat message:
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;
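As an added illustration (not code from the slides or from OpenSSL), the following C program rebuilds the two behaviours above against a constructed heartbeat record: hb_respond_fixed applies the 1.0.1g bounds check before copying, and hb_overread_bytes reports how far beyond the received record the unchecked memcpy would have read. The hb_record type, the n2s/s2n helpers (written here as functions rather than OpenSSL's macros) and both sample records are assumptions made for this example; nothing here reads past a buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_MIN_PADDING   16   /* minimum padding required by RFC 6520 */

/* Hypothetical stand-in for OpenSSL's rrec: the bytes received and their real length. */
typedef struct {
    const uint8_t *data;
    size_t length;
} hb_record;

/* Re-implementations of OpenSSL's n2s/s2n macros: 16-bit network-order read/write
 * that advance the pointer. */
static uint16_t n2s(const uint8_t **p) {
    uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]);
    *p += 2;
    return v;
}
static void s2n(uint16_t v, uint8_t **p) {
    (*p)[0] = (uint8_t)(v >> 8);
    (*p)[1] = (uint8_t)(v & 0xff);
    *p += 2;
}

/* Patched handler (the 1.0.1g logic): the declared payload length must fit inside the record
 * that actually arrived, otherwise the message is silently discarded (RFC 6520 section 4).
 * Returns the number of response bytes written, or -1 when the record is discarded. */
int hb_respond_fixed(const hb_record *rec, uint8_t *out, size_t out_cap) {
    const uint8_t *p = rec->data;
    if (1 + 2 + HB_MIN_PADDING > rec->length)
        return -1;                         /* too short to be a valid heartbeat */
    uint8_t hbtype = *p++;
    uint16_t payload = n2s(&p);
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > rec->length)
        return -1;                         /* the check missing from 1.0.1f */
    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (need > out_cap)
        return -1;
    uint8_t *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, &bp);
    memcpy(bp, p, payload);                /* safe: payload bytes lie inside rec->data */
    bp += payload;
    memset(bp, 0, HB_MIN_PADDING);         /* OpenSSL uses random padding; zeros suffice here */
    return (int)need;
}

/* Reads nothing beyond the record: computes how many bytes past its end the unchecked
 * memcpy(bp, pl, payload) of 1.0.1f would have copied into the response. 0 means none. */
size_t hb_overread_bytes(const hb_record *rec) {
    if (rec->length < 3)
        return 0;
    const uint8_t *p = rec->data + 1;      /* skip the type byte */
    uint16_t payload = n2s(&p);
    size_t end = 3 + (size_t)payload;      /* type + length field + declared payload */
    return end > rec->length ? end - rec->length : 0;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t LEGIT_REQ[] = {
    TLS1_HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };      /* 1 + 2 + 5 + 16 = 24 bytes */
static const uint8_t MALFORMED_REQ[] = {
    TLS1_HB_REQUEST, 0xFF, 0xFF, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };      /* claims 65535 bytes, carries 21 */

int respond_to(const uint8_t *data, size_t len) {
    uint8_t out[256];
    hb_record rec = { data, len };
    return hb_respond_fixed(&rec, out, sizeof out);
}

size_t overread_of(const uint8_t *data, size_t len) {
    hb_record rec = { data, len };
    return hb_overread_bytes(&rec);
}

int main(void) {
    printf("legit:     response %d bytes, over-read %zu bytes\n",
           respond_to(LEGIT_REQ, sizeof LEGIT_REQ), overread_of(LEGIT_REQ, sizeof LEGIT_REQ));
    printf("malformed: response %d (discarded), over-read %zu bytes\n",
           respond_to(MALFORMED_REQ, sizeof MALFORMED_REQ),
           overread_of(MALFORMED_REQ, sizeof MALFORMED_REQ));
    return 0;
}
```

The legitimate record yields a 24-byte response. The malformed record is rejected by the fixed check, whereas the 1.0.1f code would have trusted the 65535-byte claim and copied 65,517 bytes of whatever followed the record in process memory into the reply, which is the leak the previous slide describes.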
30. What is leaked?
1. Primary key material
2. Secondary key material
3. Protected content
4. Collateral
31. Leaked primary key material and recovery
Leakage
• Encryption keys
• A leaked key allows an attacker to decrypt any past or future traffic to the protected services and to impersonate them
Recovery
• Requires vulnerability patch
• Revocation of compromised keys
• Reissuing/redistribution of new keys
32. Leaked secondary key material and recovery
Leakage
• User credentials used in vulnerable services
Recovery
• Restore trust
• Users can change their passwords and any affected encryption keys
• Session keys and session cookies should be invalidated
33. Leaked protected content and recovery
Leakage
• Actual content handled by the vulnerable service (e.g. personal/financial details)
Recovery
• Provider should inform users of the leakage
• Restore trust to the primary and secondary key material
34. Leaked collateral and recovery
Leakage
• Other details exposed to the attacker in the leaked memory content
• Technical details such as memory addresses and security measures such as canaries
Recovery
• Can be fixed using patch
35. Vulnerability of OpenSSL
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable
39. Privacy issues – The timeline
March 26, 2020
• Investigation by Motherboard revealed that Zoom App (iOS) was sending user analytics data to Facebook
March 27, 2020
• Zoom removed Facebook data collection features
March 30, 2020
• Investigation by Intercept found Zoom call data was sent back to the company without end-to-end encryption
• Two more bugs discovered:
  (i) A malicious actor can gain control over the user's microphone or webcam
  (ii) Vulnerabilities that allow Zoom to gain root access on a macOS desktop
• Zoom violated California’s new data protection law
• Zoombombing – led the FBI to issue a public warning about Zoom security vulnerabilities
40. The timeline…
April 1, 2020
• SpaceX bans Zoom
• Motherboard reported the leakage of data such as email addresses and photos to strangers through a feature which
operated as company directory
April 2, 2020
• The automated tool zWarDial was able to find 100 Zoom meeting IDs that were not protected by a password in an hour
• The New York Times reported that Zoom's data-mining feature had secret access to the LinkedIn profile data of other users
41. The timeline…
April 3, 2020
• Investigation by The Washington Post found thousands of recordings of Zoom video calls left unprotected and viewable in
open web
• Plans for Zoomraids by attackers
April 5, 2020
• Some video calls were mistakenly routed through two whitelisted servers in China
April 6, 2020
• New York’s Department of Education urged schools to switch to Microsoft Teams
• Zoom accounts found on the dark web (352 accounts)
• Third class action lawsuit filed against Zoom in California (3 issues: Facebook data-sharing, incomplete end-to-end encryption,
vulnerability which allows actors to access webcams)
42. The timeline…
April 7, 2020
• Taiwan bans Zoom from government use
April 8, 2020
• Fourth lawsuit for falsely asserting that the service was end-to-end encrypted
• Google bans Zoom
• Sales of Zoom zero-day exploits by hackers for USD 5,000 to USD 30,000, reported by Motherboard
• New update removing meeting ID from title bar for ongoing meetings to slow attackers who circulate screenshots
• AI Zoombombing
43. The timeline…
April 9, 2020
• US Senate informs members not to use Zoom
• Singapore teachers banned from using Zoom
• German Ministry of Foreign Affairs in a circular told employees to stop using Zoom due to security concerns
April 10, 2020
• Pentagon restricts Zoom usage
April 13, 2020
• Cyble discovered that over 500,000 Zoom accounts are being sold on the dark web and hacker forums
• Zoom users advised to change their passwords and to check the data breach notification site https://haveibeenpwned.com/
44. The timeline…
April 14, 2020
• Lawsuit against Facebook and Linkedin for eavesdropping on Zoom users’ personal data
• Zoom introduces new privacy option for paid users
April 15, 2020
• Two critical exploits, one for Windows and one for macOS, that could allow someone to spy on Zoom calls, offered for sale on the underground market for USD 500,000
April 16, 2020
• A security researcher discovered two new crucial privacy vulnerabilities in Zoom:
  i. found a way to access and download a company's videos previously recorded to the cloud through an unsecured link
  ii. discovered that previously recorded user videos may live on in the cloud for hours, even after being deleted by the user
• Zoom hired Luta Security to revamp its bug bounty program, allowing white-hat hackers to identify security flaws
45. Security and Privacy implications
Three basic problems
a. Bad privacy practices
b. Bad security practices
c. Bad user configurations
46. Privacy issues
• Spies on users for profit
• Collects data including user name, physical address, email address, phone number, job information, Facebook profile
information, computer or phone specs, IP address, and any other information you create or upload
• Uses data for profit against your interest
• On March 29, 2020, Zoom rewrote its privacy policy as
“We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data. ….. We do not use data we obtain from your use of
our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You
have control over your own cookie settings when visiting our marketing websites.”
47. Security issues
• Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable
the camera without permission.
• Zoom designed its service to bypass browser security settings and remotely enable a user's web camera without the
user's knowledge or consent.
• Zoom patched this vulnerability last year.
• It only provides link (not end-to-end) encryption, which means everything is unencrypted on the company's servers
• Uses AES-128 in ECB mode [Schneier's comment on this: “there is no one at the company who knows anything about cryptography”]
48. Bad User Configuration
• If the meeting is not configured appropriately, it is open to all sorts of mischief.
• A common one: Zoombombing
• Even without screen sharing, people are logging in to random Zoom meetings and disrupting them
• Meeting ID not long enough to prevent someone from randomly trying them
“Instead of making the meeting IDs longer or more complicated -- which it should have done -- it enabled meeting passwords by default. Of
course most of us don't use passwords, and there are now automatic tools for finding Zoom meetings”
-Checkpoint Research
49. Some guidelines
If usage of Zoom is unavoidable…
• Do not share the meeting ID more than you have to
• Use a password in addition to the meeting ID
• Use the waiting room if you can
• Pay attention to the permissions granted to users
• Advisory provided by the Ministry of Home Affairs, Government of India
50. References
• Bishop, M. A. (2002). The art and science of computer security.
• Vaudenay, S. (2006). A classical introduction to cryptography: Applications for communications security. Springer Science & Business Media.
• Internet Security Glossary (RFC 2828), Internet Society.
• Radack, S. M. (2004). Federal Information Processing Standard (FIPS) 199, standards for security.
• The Heartbleed Bug, https://heartbleed.com/
• What is the Heartbleed bug, how does it work and how was it fixed? https://www.csoonline.com/article/3223203/what-is-the-heartbleed-bug-how-does-it-work-and-how-was-it-fixed.html
• Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug, https://www.theregister.co.uk/2014/04/09/heartbleed_explained/
• Zoom: Two new security exploits uncovered, https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-video-chat-app/
• Security and Privacy Implications of Zoom, https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html
• More on Zoom and privacy, https://blogs.harvard.edu/doc/2020/03/28/more-zoom/
• EPIC Files Complaint with FTC about Zoom, https://epic.org/2019/07/epic-files-complaint-with-ftc-.html
• Zoom-Zoom: We Are Watching You, https://research.checkpoint.com/2020/zoom-zoom-we-are-watching-you/