Introduction to Cyber Security
Adri Jovin J J, M.Tech., Ph.D., B.G.L.,
Assistant Professor (Sl. Gr.), Department of Information Technology
Sri Ramakrishna Institute of Technology
Attack Trends
Introduction to Cybersecurity 2
Image source: 2016s1-160a Cyber Security - IoT and CAN Bus Security, University of Adelaide
Why Cyber Security?
13-07-2020
If you know the enemy, and know yourself, you
need not fear the result of 100 battles.
If you know yourself, but not the enemy, for every
victory gained, you'll also suffer defeat.
If you know neither the enemy nor yourself, you will
succumb in every battle.
-Sun Tzu in Art of War
CIA Model (CIA Triad) – The base of Information Security
(Figure labels: Network Security; Availability)
CIA magnified
• Confidentiality
• Unauthorized access
• Disclosure
• Integrity
• Unauthorized modification
• Use
• Availability
• Disruption
• Destruction
(Figure labels: Cyber Security; Privacy; Physical Security; Contingency planning & Disaster Recovery; Operational Security; Personnel Security)
What is Cyber Security?
• Cyber security is a great umbrella term referring to protecting the confidentiality, integrity, and
availability of computing devices and networks, hardware, software, and most importantly,
data and information.
• Cyber security involves times when data or information is in transit, being processed, and at
rest.
• Cyber security is achieved through procedures, products, and people.
Key Terms
• Asset
• Threat
• Vulnerability
• Exploit
• Risk
• Attack
• Mitigation/Compensation Control
Asset
• Anything that needs to be protected
• Information - Banking information, medical records
• Computer Systems – Defense systems, Critical Infrastructure
• Services – Websites, life safety systems
Threat
• A potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm. That is, a threat is a possible
danger that might exploit a vulnerability.
• Someone wanting to do harm
• An insecure service
• A threat agent is anyone or anything that wants to do harm or harms an asset
• Hackers
• Hacktivists
Vulnerability
• A flaw or weakness in the design or implementation of an asset which could be utilized by a
threat or threat agent
• Incorrect configuration
• Open ports
• Poor backup strategy
• Poor coding
Exploit
• Any software or tools that are intentionally used to take advantage of a vulnerability on an
asset
• Metasploit
• Ophcrack
Risk
• Probability that a threat will take advantage of a vulnerability on an asset and cause harm
• Risk of losing data
• Risk of a personal photo collection
• Risk of banking data
Attack
• An assault on system security that derives from an intelligent threat; that is, an intelligent act
that is a deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
• Denial of service
• Data breach
• Physical destruction
Mitigation/Compensating Control
• Mitigation Control: Any tool, service or system that reduces the risk of attack
• Backup strategies
• Compensating Control: Any tool, service or system that lowers the risk of attack on an
asset by intentionally getting in the way of the threat
• Firewall
CIA Revisited
• Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information
Source: FIPS 199
• Industries try to keep information secret
• Intellectual Property (IP)
• Financial Information
• Government Secrets
• Student Data
• Day-to-day usage: Credit Cards, Website encryption, VPNs, Bitlocker
CIA Revisited
• Integrity
Guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity
Source: FIPS 199
• Helps to verify data
• Credit card numbers
• IMEI numbers
• Aadhar
• Day-to-day usage: All packets in a network, Digital Signatures, Hashes
CIA Revisited
• Availability
Ensuring timely and reliable access to and use of information
Source: FIPS 199
• Day-to-day usage: RAID, Server clustering, load-balancing
• Why?
• October 21, 2016 – Mass denial of service launched against DynDNS (Tens of millions of
addresses coordinated to attack the key infrastructure on the internet)
NIST Cybersecurity Framework
Identify
Protect
Detect
Respond
Recover
Identify
• Inventory
• Access Control
• Background checks
• Individual user account
• Policy and Procedure
Protect
• Limit employee access
• Install surge protectors and UPS
• Update OS and applications regularly
• Install and activate firewalls
• Secure wireless access points
• Setup web and email filters
• Encrypt sensitive information
• Train employees
Detect
• Install and update anti-virus, anti-spyware etc.
• Maintain and monitor logs
• Train your employees
Respond
• Develop a plan for disasters and security incidents
• Roles and responsibilities
• Whom to call
• What type of activity constitutes a security incident
Recover
• Maintain full backups
• Test your backups
• Cyber Insurance
Some better practices
• Train your employees
• Phishing
• Social Media
• Clean Machines
• Update security software, browsers, OS
• Use firewalls
• Mobile Devices
• Passwords
• Avoid public networks
• Report if lost or stolen
Some better practices (Contd…)
• Maintain Backups
• Automatic
• Weekly
• Store off-site or on cloud
• User account for each employee
• Strong passwords
• Admin privileges limited
• Secure your Wi-fi
• Encrypt
• Do not broadcast network name
Some better practices (Contd…)
• Payment Cards
• Use trusted and validated tools
• Check https
• Limit Access
• No one has access to all
• Role based system
• Software installation must require permission
• Strong passwords
• Try changing every 3 months
• Have at least 12 characters
• Multifactor authentication
CASE STUDIES
Heartbleed Bug
• Vulnerability in OpenSSL cryptographic software library
• Allows stealing of information protected by the SSL/TLS encryption
• SSL/TLS: security and privacy over the internet for most applications
• Discovered by Riku, Antti and Matti at Codenomicon and Neel Mehta
of Google Security and reported in April 2014
• Allows attackers to
  - eavesdrop on communications (release of message content)
  - steal data directly from the services and users (release of message content)
  - impersonate services and users (masquerading)
Why heartbleed?
Bug discovered in the heartbeat extension of TLS
Exploitation leaks memory contents from server to client and from client to server
Left a large amount of private keys and other secrets exposed to the internet
Is the protocol specification wrong?
No. The problem is with the implementation: a programming mistake
What’s wrong with the implementation?
Heartbeat message structure:
    struct
    {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;
Incoming Heartbeat message:
    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);   /* payload = length claimed by the peer, not yet checked */
    pl = p;
Response Heartbeat message:
    /* Enter response type, length and copy payload */
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, pl, payload);   /* copies the claimed length, not the received length */
Fixed Incoming Heartbeat message:
    hbtype = *p++;
    n2s(p, payload);
    /* type (1) + length (2) + payload + minimum padding (16) must fit in the record */
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;
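Added example (not part of the original slides and not OpenSSL code): a self-contained C simulation of the missing length check above, with the pre-fix and post-fix handlers run over the same constructed request. The arena buffer, the fake secret and all function names are assumptions made for this demonstration, and a guard keeps the deliberate over-read inside the array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding length, RFC 6520 */
#define ARENA_SIZE  64

/* Constructed stand-in for process memory: the received record occupies the
 * first bytes, unrelated data (a fake secret) follows in the same array. */
static uint8_t arena[ARENA_SIZE];
static uint8_t reply[ARENA_SIZE + 3];

/* Lay out a heartbeat request that claims `claimed` payload bytes but carries
 * only "ping", optionally followed by padding. Returns the record length. */
static size_t build_arena(uint16_t claimed, int with_padding)
{
    static const char secret[] = "SECRET-KEY-MATERIAL";   /* constructed */
    size_t n = 0;
    memset(arena, 0, sizeof arena);
    arena[n++] = HB_REQUEST;
    arena[n++] = (uint8_t)(claimed >> 8);
    arena[n++] = (uint8_t)(claimed & 0xff);
    memcpy(arena + n, "ping", 4);
    n += 4;
    if (with_padding)
        n += HB_PADDING;                 /* zero padding is enough here */
    memcpy(arena + n, secret, sizeof secret - 1);
    return n;
}

/* Write type, length and `payload` bytes from pl (reply padding omitted). */
static size_t write_reply(uint8_t *out, const uint8_t *pl, size_t payload)
{
    *out++ = HB_RESPONSE;
    *out++ = (uint8_t)(payload >> 8);
    *out++ = (uint8_t)(payload & 0xff);
    memcpy(out, pl, payload);
    return 3 + payload;
}

/* Pre-fix logic: the copy length comes from the peer's length field alone. */
static size_t respond_vulnerable(const uint8_t *p, size_t rec_len, uint8_t *out)
{
    size_t payload;
    (void)rec_len;                       /* never consulted: that is the bug */
    if (*p++ != HB_REQUEST)
        return 0;
    payload = ((size_t)p[0] << 8) | p[1];        /* n2s(p, payload) */
    p += 2;
    if (payload > ARENA_SIZE - 3)        /* simulation guard only: keeps   */
        payload = ARENA_SIZE - 3;        /* the over-read inside the arena */
    return write_reply(out, p, payload);
}

/* Post-fix logic: discard unless type + length + payload + padding fit. */
static size_t respond_fixed(const uint8_t *p, size_t rec_len, uint8_t *out)
{
    size_t payload;
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                        /* too short to hold a header */
    if (*p++ != HB_REQUEST)
        return 0;
    payload = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                        /* claimed length exceeds record */
    return write_reply(out, p, payload);
}

/* Length of the reply produced for the constructed request (0 = discarded). */
static size_t reply_len(int fixed, uint16_t claimed, int with_padding)
{
    size_t rec_len = build_arena(claimed, with_padding);
    memset(reply, 0, sizeof reply);
    return fixed ? respond_fixed(arena, rec_len, reply)
                 : respond_vulnerable(arena, rec_len, reply);
}

/* 1 if the reply contains bytes of the fake secret, else 0. */
static int reply_leaks(int fixed, uint16_t claimed, int with_padding)
{
    static const char needle[] = "SECRET";
    size_t len = reply_len(fixed, claimed, with_padding);
    for (size_t i = 0; i + sizeof needle - 1 <= len; i++)
        if (memcmp(reply + i, needle, sizeof needle - 1) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("pre-fix,  claims 40: %zu bytes, leak=%d\n",
           reply_len(0, 40, 0), reply_leaks(0, 40, 0));
    printf("post-fix, claims 40: %zu bytes, leak=%d\n",
           reply_len(1, 40, 1), reply_leaks(1, 40, 1));
    return 0;
}
```

The same request that makes the pre-fix handler return bytes lying beyond the record is silently dropped by the post-fix handler, while a request whose length field matches its contents is still answered.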
What is leaked?
1. Primary key material
2. Secondary key material
3. Protected content
4. Collateral
Leaked primary key material and recovery
Leakage
• Encryption keys
• A leaked key allows the attacker to decrypt any past or future traffic to protected services and to impersonate the service
Recovery
• Requires vulnerability patch
• Revocation of compromised keys
• Reissuing/redistribution of new keys
Leaked secondary key material and recovery
Leakage
• User credentials used in vulnerable services
Recovery
• Restore trust
• Users can change their password and possible encryption keys
• Session keys and session cookies should be invalidated
Leaked protected content and recovery
Leakage
• Actual content handled by the vulnerable service, e.g. personal/financial details
Recovery
• Provider should inform users of the leakage
• Restore trust to the primary and secondary key material
Leaked collateral and recovery
Leakage
• Other details exposed to the attacker in the leaked memory content
• Technical details such as memory addresses and security measures such as canaries
Recovery
• Can be fixed using patch
Vulnerability of OpenSSL
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable
Vulnerable Operating Systems
• Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
• Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
• CentOS 6.5, OpenSSL 1.0.1e-15
• Fedora 18, OpenSSL 1.0.1e-4
• OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
• FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
• NetBSD 5.0.2 (OpenSSL 1.0.1e)
• OpenSUSE 12.2 (OpenSSL 1.0.1c)
Non-vulnerable Operating Systems
• Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
• SUSE Linux Enterprise Server
• FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
• FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
• FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
• FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
Zoom
• Cloud-based Video Conferencing Service
• Founded: 2011
• Founder: Eric Yuan
Privacy issues – The timeline
March 26, 2020
• Investigation by Motherboard revealed that Zoom App (iOS) was sending user analytics data to Facebook
March 27, 2020
• Zoom removed Facebook data collection features
March 30, 2020
• Investigation by Intercept found Zoom call data was sent back to the company without end-to-end encryption
• Two more bugs discovered: (i) Malicious actor can gain control over user microphone or webcam
(ii) Vulnerabilities that allow Zoom to gain root access on MacOS desktop
• Zoom violated California’s new data protection law
• Zoombombing – led FBI to issue public warning about Zoom security vulnerabilities
The timeline…
April 1, 2020
• SpaceX bans Zoom
• Motherboard reported the leakage of data such as email addresses and photos to strangers through a feature which
operated as company directory
April 2, 2020
• Automated tool, zWarDial was able to find 100 Zoom meeting IDs, which were left unprotected by password, in an
hour
• New York Times reported that the data-mining feature of Zoom had secret access to Linkedin profile data of other
users
The timeline…
April 3, 2020
• Investigation by The Washington Post found thousands of recordings of Zoom video calls left unprotected and viewable in
open web
• Plans for Zoomraids by attackers
April 5, 2020
• Some video calls were mistakenly routed through two Chinese Whitelisted servers
April 6, 2020
• New York’s Department of Education urged schools to switch to Microsoft Teams
• Zoom accounts found on the dark web (352 accounts)
• Third class action lawsuit filed against Zoom in California (3 issues: Facebook data-sharing, incomplete end-to-end encryption,
vulnerability which allows actors to access webcams)
The timeline…
April 7, 2020
• Taiwan bans Zoom from government use
April 8, 2020
• Fourth lawsuit for falsely asserting that the service was end-to-end encrypted
• Google bans Zoom
• Sales of zero-day exploits of Zoom by hackers for USD 5,000 to USD 30,000, reported by Motherboard
• New update removing meeting ID from title bar for ongoing meetings to slow attackers who circulate screenshots
• AI Zoombombing
The timeline…
April 9, 2020
• US Senate informs members not to use Zoom
• Singapore teachers banned from using Zoom
• German Ministry of Foreign Affairs in a circular told employees to stop using Zoom due to security concerns
April 10, 2020
• Pentagon restricts Zoom usage
April 13, 2020
• Cyble discovered that over 500,000 Zoom accounts are being sold on the dark web and hacker forums
• Zoom users advised to change their passwords and to check the data breach notification site https://haveibeenpwned.com/
The timeline…
April 14, 2020
• Lawsuit against Facebook and Linkedin for eavesdropping on Zoom users’ personal data
• Zoom introduces new privacy option for paid users
April 15, 2020
• Two critical exploits, one for Windows and one for MacOS, that could allow someone to spy on Zoom calls were for sale in the underground
market for USD 500000
April 16, 2020
• Security researcher discovered two new crucial privacy vulnerabilities in Zoom
i. found a way to access and download a company's videos previously recorded to the cloud through an unsecured link
ii. discovered that previously recorded user videos may live on in the cloud for hours, even after being deleted by the user
• Zoom hired Luta Security to revamp its bug bounty program, allowing white hat hackers to identify security flaws
Security and Privacy implications
Three basic problems
a. Bad privacy practices
b. Bad security practices
c. Bad user configurations
Privacy issues
• Spies on users for personal profit
• Collects data including user name, physical address, email address, phone number, job information, Facebook profile
information, computer or phone specs, IP address, and any other information you create or upload
• Uses data for profit against your interest
• On March 29, 2020, Zoom rewrote its privacy policy as
“We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data. ….. We do not use data we obtain from your use of
our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You
have control over your own cookie settings when visiting our marketing websites.”
Security issues
• Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable
the camera without permission.
• Zoom designed its service to bypass browser security settings and remotely enable a user's web camera without the
user's knowledge or consent.
• Zoom patched this vulnerability last year.
• It only provides link (not end-to-end) encryption, which means everything is unencrypted on the company's servers
• Uses AES-128 in ECB mode [Schneier's comment on this: “there is no one at the company who knows anything about
cryptography”]
Bad User Configuration
• If the meeting is not configured appropriately, it is open to all sorts of mischief.
• A common one: Zoombombing
• Even without screen sharing, people are logging in to random Zoom meetings and disrupting them
• Meeting ID not long enough to prevent someone from randomly trying them
“Instead of making the meeting IDs longer or more complicated -- which it should have done -- it enabled meeting passwords by default. Of
course most of us don't use passwords, and there are now automatic tools for finding Zoom meetings”
-Checkpoint Research
Some guidelines
If usage of Zoom is unavoidable….
• Do not share the meeting ID more than you have to
• Use a password in addition to the meeting ID
• Use the waiting room if you can
• Pay attention to the permissions granted to users
• Advisory provided by Ministry of Home Affairs, Government of India
References
• Bishop, M. A. (2002). The art and science of computer security.
• Vaudenay, S. (2006). A classical introduction to cryptography: Applications for communications security. Springer Science & Business Media.
• Internet Security Glossary (RFC 2828), Internet Society
• Radack, S. M. (2004). Federal Information Processing Standard (FIPS) 199, standards for security.
• The Heartbleed Bug. https://heartbleed.com/
• What is the Heartbleed bug, how does it work and how was it fixed? https://www.csoonline.com/article/3223203/what-is-the-heartbleed-bug-how-does-it-work-and-how-was-it-fixed.html
• Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug. https://www.theregister.co.uk/2014/04/09/heartbleed_explained/
• Zoom: Two new security exploits uncovered. https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-video-chat-app/
• Security and Privacy Implications of Zoom. https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html
• More on Zoom and privacy. https://blogs.harvard.edu/doc/2020/03/28/more-zoom/
• EPIC Files Complaint with FTC about Zoom. https://epic.org/2019/07/epic-files-complaint-with-ftc-.html
• Zoom-Zoom: We Are Watching You. https://research.checkpoint.com/2020/zoom-zoom-we-are-watching-you/
13-07-2020 Introduction to Cybersecurity 51

Mais conteúdo relacionado

Mais procurados

Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationPECB
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee TrainingPaige Rasid
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaEdureka!
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Cybercrime and Security
Cybercrime and SecurityCybercrime and Security
Cybercrime and SecurityNoushad Hasan
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Introduction to cyber security
Introduction to cyber security Introduction to cyber security
Introduction to cyber security RaviPrashant5
 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 PresentationAmy McMullin
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsKrishna Srikanth Manda
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Cyber Crisis Management - Kloudlearn
Cyber Crisis Management - KloudlearnCyber Crisis Management - Kloudlearn
Cyber Crisis Management - KloudlearnKloudLearn
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
 

Mais procurados (20)

Cyber security
Cyber securityCyber security
Cyber security
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
Cybercrime and Security
Cybercrime and SecurityCybercrime and Security
Cybercrime and Security
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Basic Security Training for End Users
Basic Security Training for End UsersBasic Security Training for End Users
Basic Security Training for End Users
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident Management
 
Introduction to cyber security
Introduction to cyber security Introduction to cyber security
Introduction to cyber security
 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 Presentation
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Cyber Crisis Management - Kloudlearn
Cyber Crisis Management - KloudlearnCyber Crisis Management - Kloudlearn
Cyber Crisis Management - Kloudlearn
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
 

Semelhante a Introduction to Cybersecurity

Security Operations Center SOC OCTUBRE 2023
Security Operations Center SOC OCTUBRE 2023Security Operations Center SOC OCTUBRE 2023
Security Operations Center SOC OCTUBRE 2023DavidOrjedaSinche1
 
ITE v5.0 - Chapter 10
ITE v5.0 - Chapter 10ITE v5.0 - Chapter 10
ITE v5.0 - Chapter 10Irsandi Hasan
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
CyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityCyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityHome
 
Cybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveCybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveAvinantaTarigan
 
MikroTik Security
MikroTik SecurityMikroTik Security
MikroTik SecurityRofiq Fauzi
 
Cybersecurity and continuous intelligence
Cybersecurity and continuous intelligenceCybersecurity and continuous intelligence
Cybersecurity and continuous intelligenceNISIInstituut
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsUlf Mattsson
 
CyberSecurity.pdf
CyberSecurity.pdfCyberSecurity.pdf
CyberSecurity.pdfSuleiman55
 
Practical risk management for the multi cloud
Practical risk management for the multi cloudPractical risk management for the multi cloud
Practical risk management for the multi cloudUlf Mattsson
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsZivaro Inc
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Brian Bissett
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Mukesh Chinta
 
Secure Sharing of Design Information with Blockchains
Secure Sharing of Design Information with BlockchainsSecure Sharing of Design Information with Blockchains
Secure Sharing of Design Information with BlockchainsSven Wohlgemuth
 
iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfKerimBozkanli
 
Cyber Security PPT.pptx
Cyber Security PPT.pptxCyber Security PPT.pptx
Cyber Security PPT.pptxAkshayKhade21
 
Security Requirements in IoT Architecture
Security	Requirements	in	IoT	Architecture Security	Requirements	in	IoT	Architecture
Security Requirements in IoT Architecture Vrince Vimal
 

Semelhante a Introduction to Cybersecurity (20)

DDS Secure Intro
DDS Secure IntroDDS Secure Intro
DDS Secure Intro
 
Security Operations Center SOC OCTUBRE 2023
Security Operations Center SOC OCTUBRE 2023Security Operations Center SOC OCTUBRE 2023
Security Operations Center SOC OCTUBRE 2023
 
ITE v5.0 - Chapter 10
ITE v5.0 - Chapter 10ITE v5.0 - Chapter 10
ITE v5.0 - Chapter 10
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
CyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurityCyberSecurity and Importance of cybersecurity
CyberSecurity and Importance of cybersecurity
 
Cybersecurity Risk from User Perspective
Cybersecurity Risk from User PerspectiveCybersecurity Risk from User Perspective
Cybersecurity Risk from User Perspective
 
MikroTik Security
Introduction to Cybersecurity

  • 1. Introduction to Cyber Security
      Adri Jovin J J, M.Tech., Ph.D., B.G.L.,
      Assistant Professor (Sl. Gr.), Department of Information Technology
      Sri Ramakrishna Institute of Technology
  • 2. Attack Trends
      [Image source: 2016s1-160a Cyber Security - IoT and CAN Bus Security, University of Adelaide]
      Why Cyber Security?
      If you know the enemy, and know yourself, you need not fear the result of 100 battles. If you know yourself, but not the enemy, for every victory gained, you'll also suffer defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
      - Sun Tzu in Art of War
      13-07-2020 Introduction to Cybersecurity 2
  • 3. CIA Model (CIA Triad) – The base of Information Security
      [Figure labels: Network Security, Availability]
  • 4. CIA magnified
      • Confidentiality
          • Unauthorized access
          • Disclosure
      • Integrity
          • Unauthorized modification
          • Use
      • Availability
          • Disruption
          • Destruction
      [Diagram labels: Cyber Security, Privacy, Physical Security, Contingency planning & Disaster Recovery, Operational Security, Personnel Security]
  • 5. What is Cyber Security?
      • Cyber security is a great umbrella term referring to protecting the confidentiality, integrity, and availability of computing devices and networks, hardware, software, and most importantly, data and information.
      • Cyber security covers data or information while it is in transit, being processed, and at rest.
      • Cyber security is achieved through procedures, products, and people.
  • 6. Key Terms
      • Asset
      • Threat
      • Vulnerability
      • Exploit
      • Risk
      • Attack
      • Mitigation/Compensating Control
  • 7. Asset
      • Anything that needs to be protected
          • Information - Banking information, medical records
          • Computer Systems – Defense systems, Critical Infrastructure
          • Services – Websites, life safety systems
  • 8. Threat
      • A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
          • Someone wanting to do harm
          • An insecure service
      • A threat agent is anyone or anything that wants to do harm or harms an asset
          • Hackers
          • Hacktivists
  • 9. Vulnerability
      • A flaw or weakness in the design or implementation of an asset which could be utilized by a threat or threat agent
          • Incorrect configuration
          • Open ports
          • Poor backup strategy
          • Poor coding
  • 10. Exploit
      • Any software or tools that are intentionally used to take advantage of a vulnerability on an asset
          • Metasploit
          • Ophcrack
  • 11. Risk
      • Probability that a threat will take advantage of a vulnerability on an asset and cause harm
          • Risk of losing data
          • Risk of a personal photo collection
          • Risk of banking data
  • 12. Attack
      • An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.
          • Denial of service
          • Data breach
          • Physical destruction
  • 13. Mitigation/Compensating Control
      • Mitigation Control: Any tool, service or system that reduces the risk of attack
          • Backup strategies
      • Compensating Control: Any tool, service or system that lowers the risk of attack on an asset by intentionally getting in the way of the threat
          • Firewall
  • 14. CIA Revisited
      • Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information (Source: FIPS 199)
      • Industries try to keep information secret
          • Intellectual Property (IP)
          • Financial Information
          • Government Secrets
          • Student Data
      • Day-to-day usage: Credit Cards, Website encryption, VPNs, BitLocker
  • 15. CIA Revisited
      • Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity (Source: FIPS 199)
      • Helps to verify data
          • Credit card numbers
          • IMEI numbers
          • Aadhaar
      • Day-to-day usage: All packets in a network, Digital Signatures, Hashes
  • 16. CIA Revisited
      • Availability: Ensuring timely and reliable access to and use of information (Source: FIPS 199)
      • Day-to-day usage: RAID, Server clustering, load-balancing
      • Why?
          • October 21, 2016 – Mass denial of service launched against DynDNS (Tens of millions of addresses coordinated to attack the key infrastructure on the internet)
  • 18. Identify
      • Inventory
      • Access Control
      • Background checks
      • Individual user account
      • Policy and Procedure
  • 19. Protect
      • Limit employee access
      • Install surge protectors and UPS
      • Update OS and applications regularly
      • Install and activate firewalls
      • Secure wireless access points
      • Set up web and email filters
      • Encrypt sensitive information
      • Train employees
  • 20. Detect
      • Install and update anti-virus, anti-spyware etc.
      • Maintain and monitor logs
      • Train your employees
  • 21. Respond
      • Develop a plan for disasters and security incidents
          • Roles and responsibilities
          • Whom to call
          • What type of activity constitutes a security incident
  • 22. Recover
      • Maintain full backups
      • Test your backups
      • Cyber Insurance
  • 23. Some better practices
      • Train your employees
          • Phishing
          • Social Media
      • Clean Machines
          • Update security software, browsers, OS
          • Use firewalls
      • Mobile Devices
          • Passwords
          • Avoid public networks
          • Report if lost or stolen
  • 24. Some better practices (Contd…)
      • Maintain Backups
          • Automatic
          • Weekly
          • Store off-site or on cloud
      • User account for each employee
          • Strong passwords
          • Admin privileges limited
      • Secure your Wi-Fi
          • Encrypt
          • Do not broadcast network name
  • 25. Some better practices (Contd…)
      • Payment Cards
          • Use trusted and validated tools
          • Check HTTPS
      • Limit Access
          • No one has access to all
          • Role based system
          • Software installation must require permission
      • Strong passwords
          • Try changing every 3 months
          • Have at least 12 characters
      • Multifactor authentication
  • 27. Heartbleed Bug
      • Vulnerability in the OpenSSL cryptographic software library
      • Allows stealing of information protected by the SSL/TLS encryption
      • SSL/TLS - security and privacy over the internet for most applications
      • Discovered by Riku, Antti and Matti at Codenomicon and Neel Mehta of Google Security and reported in April 2014
      • Allows attackers to
          • eavesdrop on communications
          • steal data directly from the services and users and
          • impersonate services and users
      [Slide annotations: Release of message content; Masquerading]
  • 28. Why heartbleed?
      • Bug discovered in the heartbeat extension of TLS
      • Exploitation leaked contents from server to client and from client to server
      • Left a large amount of private keys and other secrets exposed to the internet
      • Is the protocol specification wrong? No… the problem is with the implementation… a programming mistake
  • 29. What’s wrong with implementation???
      Heartbeat message structure:
          struct {
              HeartbeatMessageType type;
              uint16 payload_length;
              opaque payload[HeartbeatMessage.payload_length];
              opaque padding[padding_length];
          } HeartbeatMessage;
      Incoming Heartbeat message:
          /* Read type and payload length first */
          hbtype = *p++;
          n2s(p, payload);
          pl = p;
      Response Heartbeat message:
          /* Enter response type, length and copy payload */
          *bp++ = TLS1_HB_RESPONSE;
          s2n(payload, bp);
          memcpy(bp, pl, payload);
      Fixed Incoming Heartbeat message:
          hbtype = *p++;
          n2s(p, payload);
          if (1 + 2 + payload + 16 > s->s3->rrec.length)
              return 0; /* silently discard per RFC 6520 sec. 4 */
          pl = p;
  • 30. What is leaked?
      1. Primary key material
      2. Secondary key material
      3. Protected content
      4. Collateral
  • 31. Leaked primary key material and recovery
      Leakage
          • Encryption keys
          • A leaked key allows an attacker to decrypt any past or future traffic to the protected services and to impersonate the service
      Recovery
          • Requires vulnerability patch
          • Revocation of compromised keys
          • Reissuing/redistribution of new keys
  • 32. Leaked secondary key material and recovery
      Leakage
          • User credentials used in vulnerable services
      Recovery
          • Restore trust
          • Users can change their password and possible encryption keys
          • Session keys and session cookies should be invalidated
  • 33. Leaked protected content and recovery
      Leakage
          • Actual content handled by the vulnerable service (e.g. personal/financial details)
      Recovery
          • Provider should inform users of the leakage
          • Restore trust to the primary and secondary key material
  • 34. Leaked collateral and recovery
      Leakage
          • Other details exposed to the attacker in the leaked memory content
          • Technical details such as memory addresses and security measures such as canaries
      Recovery
          • Can be fixed using patch
  • 35. Vulnerability of OpenSSL
      • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
      • OpenSSL 1.0.1g is NOT vulnerable
      • OpenSSL 1.0.0 branch is NOT vulnerable
      • OpenSSL 0.9.8 branch is NOT vulnerable
  • 36. Vulnerable Operating Systems
      • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
      • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
      • CentOS 6.5, OpenSSL 1.0.1e-15
      • Fedora 18, OpenSSL 1.0.1e-4
      • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
      • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
      • NetBSD 5.0.2 (OpenSSL 1.0.1e)
      • OpenSUSE 12.2 (OpenSSL 1.0.1c)
  • 37. Non-vulnerable Operating Systems
      • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
      • SUSE Linux Enterprise Server
      • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
      • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
      • FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
      • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
  • 38. Zoom
      • Cloud-based Video Conferencing Service
      • Founded: 2011
      • Founder: Eric Yuan
  • 39. Privacy issues – The timeline
      March 26, 2020
          • Investigation by Motherboard revealed that the Zoom app (iOS) was sending user analytics data to Facebook
      March 27, 2020
          • Zoom removed Facebook data collection features
      March 30, 2020
          • Investigation by Intercept found Zoom call data was sent back to the company without end-to-end encryption
          • Two more bugs discovered: (i) Malicious actor can gain control over user microphone or webcam (ii) Vulnerabilities that allow Zoom to gain root access on macOS desktop
          • Zoom violated California’s new data protection law
          • Zoombombing – led FBI to issue public warning about Zoom security vulnerabilities
  • 40. The timeline…
      April 1, 2020
          • SpaceX bans Zoom
          • Motherboard reported the leakage of data such as email addresses and photos to strangers through a feature which operated as a company directory
      April 2, 2020
          • Automated tool, zWarDial, was able to find 100 Zoom meeting IDs, which were left unprotected by password, in an hour
          • New York Times reported that the data-mining feature of Zoom had secret access to LinkedIn profile data of other users
  • 41. The timeline…
      April 3, 2020
          • Investigation by The Washington Post found thousands of recordings of Zoom video calls left unprotected and viewable on the open web
          • Plans for Zoomraids by attackers
      April 5, 2020
          • Some video calls were mistakenly routed through two Chinese whitelisted servers
      April 6, 2020
          • New York’s Department of Education urged schools to switch to Microsoft Teams
          • Zoom accounts found on the dark web (352 accounts)
          • Third class action lawsuit filed against Zoom in California (3 issues: Facebook data-sharing, incomplete end-to-end encryption, vulnerability which allows actors to access webcams)
  • 42. The timeline…
      April 7, 2020
          • Taiwan bans Zoom from government use
      April 8, 2020
          • Fourth lawsuit for falsely asserting that the service was end-to-end encrypted
          • Google bans Zoom
          • Sales of zero-day exploits of Zoom by hackers for USD 5,000 to USD 30,000, reported by Motherboard
          • New update removing meeting ID from title bar for ongoing meetings to slow attackers who circulate screenshots
          • AI Zoombombing
  • 43. The timeline…
      April 9, 2020
          • US Senate informs members not to use Zoom
          • Singapore teachers banned from using Zoom
          • German Ministry of Foreign Affairs in a circular told employees to stop using Zoom due to security concerns
      April 10, 2020
          • Pentagon restricts Zoom usage
      April 13, 2020
          • Cyble discovered that over 500,000 Zoom accounts are being sold on the dark web and hacker forums
          • Zoom users advised to change their passwords and to check the data breach notification site https://haveibeenpwned.com/
  • 44. The timeline…
      April 14, 2020
          • Lawsuit against Facebook and LinkedIn for eavesdropping on Zoom users’ personal data
          • Zoom introduces new privacy option for paid users
      April 15, 2020
          • Two critical exploits, one for Windows and one for macOS, that could allow someone to spy on Zoom calls, for sale in underground market for USD 500000
      April 16, 2020
          • Security researcher discovered two new crucial privacy vulnerabilities in Zoom
              i. found a way to access and download a company's videos previously recorded to the cloud through an unsecured link
              ii. discovered that previously recorded user videos may live on in the cloud for hours, even after being deleted by the user
          • Zoom hired Luta Security to revamp its bug bounty program allowing white hat hackers to identify security flaws
  • 45. Security and Privacy implications Three basic problems a. Bad privacy practices b. Bad security practices c. Bad user configurations Introduction to Cybersecurity 4513-07-2020
  • 46. Privacy issues • Spies user for personal profits • Collects data including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload • Uses data for profit against your interest • On March 29, 2020, Zoom rewrote its privacy policy as “We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data. ….. We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites.” Introduction to Cybersecurity 4613-07-2020
  • 47. Security issues • Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable the camera without permission. • Zoom designed its service to bypass browser security settings and remotely enable a user's web camera without the user's knowledge or consent. • Zoom patched this vulnerability last year. • It only provides link(not end-to-end) encryption, which means everything is unencrypted on the company's servers • Uses AES-128…ECB [Schneier quotes this as “there is no one at the company who knows anything about cryptography”] Introduction to Cybersecurity 4713-07-2020
  • 48. Bad User Configuration • If the meeting is not configured appropriately, it is open to all sorts of mischief. • A common one: Zoombombing • Even without screen sharing, people are logging in to random Zoom meetings and disrupting them • Meeting IDs are not long enough to prevent someone from randomly trying them • “Instead of making the meeting IDs longer or more complicated -- which it should have done -- it enabled meeting passwords by default. Of course most of us don't use passwords, and there are now automatic tools for finding Zoom meetings” - Check Point Research
  • 49. Some guidelines If usage of Zoom is unavoidable… • Do not share the meeting ID more than you have to • Use a password in addition to the meeting ID • Use the waiting room if you can • Pay attention to the permissions granted to users • Advisory provided by the Ministry of Home Affairs, Government of India
  • 50. References • Bishop, M. A. (2002). The art and science of computer security. • Vaudenay, S. (2006). A classical introduction to cryptography: Applications for communications security. Springer Science & Business Media. • Internet Security Glossary (RFC 2828), Internet Society • Radack, S. M. (2004). Federal Information Processing Standard (FIPS) 199, standards for security. • The Heartbleed Bug. https://heartbleed.com/ • What is the Heartbleed bug, how does it work and how was it fixed? https://www.csoonline.com/article/3223203/what-is-the-heartbleed-bug-how-does-it-work-and-how-was-it-fixed.html • Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug. https://www.theregister.co.uk/2014/04/09/heartbleed_explained/
  • 51. References (continued) • Zoom: Two new security exploits uncovered. https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-video-chat-app/ • Security and Privacy Implications of Zoom. https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html • More on Zoom and privacy. https://blogs.harvard.edu/doc/2020/03/28/more-zoom/ • EPIC Files Complaint with FTC about Zoom. https://epic.org/2019/07/epic-files-complaint-with-ftc-.html • Zoom-Zoom: We Are Watching You. https://research.checkpoint.com/2020/zoom-zoom-we-are-watching-you/