ITP 101 Intro to Information Technology Information Security

Overview

• What is security?
• Why do we need security?
• The History of Information Security
• What is an attack?
  – What is malware?
  – What is phishing?
• Who is vulnerable?
• What is a hacker?
  – Why hack?
• How do I protect myself?

What is Security?

• What does security mean to you?
• “Freedom from doubt, anxiety, or fear; confidence”
  – dictionary.com’s definition of the word security
• Most security professionals agree that security involves the following:
  – Confidentiality, Integrity, Availability

What is Security?

• Since information security is such a huge area of study, it has been divided into 10 domains of focus:
  – Cryptography
  – Software development security
  – Telecommunications / Network Security
  – Operations security
  – Physical Security
  – Legal, regulations, investigations and compliance
  – Business continuity and disaster recovery planning
  – Information security governance and Risk Management
  – System architecture and design
  – Access Control

Why do we need security?

• To keep private the information that we deem important
  – Confidentiality
• To make sure what we send/receive has not been tampered with
  – Integrity
• To ensure that our services are always usable
  – Availability
• You can imagine all the other reasons why you need security.

Hacking throughout History

History of Information Security

• 70’s
  – IBM mainframes and end user security
  – Phone networks
    • Phreaking (phone hacking)
• 80’s
  – Hacking groups started to appear
    • Only wanted to learn more about the complex computer networks/setups that each organization has
  – Started to see some hacktivism start up here
  – Beginning of government laws when it comes to computer crimes

History of Information Security

• 90’s
  – Government crackdown against computer crimes
    • Still a lack of true understanding of the power of the computer
  – At the end of the 90’s government started to see computers as a potential weapon
• 2000’s
  – An increase of computer attack awareness (thanks, Internet)
  – Increase of people hacking for money; this actually started in the late 80’s

Percentage of IT Budget on Security

“If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.”

- Richard Clarke

Types of Security Technology Used

What is an attack?

• An attack usually has a clearly identified target and has a goal
  – Example targets:
    • a company, a server, a website
  – Example goals:
    • deface a web page, get system access, make server unavailable, steal documents
  – Attacks can employ malware
• Attack Examples
  – Eavesdropping
    • documents, messages, passwords, ...
  – Man-in-the-middle
    • intercept communication link
  – Tampering
    • modify system, manipulate data
  – Spoofing
    • email with wrong sender, phishing
  – Hijacking
    • hijack session (e.g. Telnet), hijack host (zombie)
  – Capture-replay
    • capture and replay of command messages
  – Denial of service
    • crash or overload server with (e.g. malformed) requests

Goal | Attacks
Confidentiality | Eavesdropping, Man-in-the-middle, Hijacking
Integrity (+Authentication) | Man-in-the-middle, Hijacking, Tampering, Spoofing, Capture-replay
Availability | Denial of service

Who is vulnerable?

• Any machine/person
  – It does not need to be connected to a network
    • e.g. Iran Nuclear Program
• Typically most modern operating systems cannot be directly attacked if fully patched
  – Attackers will aim for other things installed or not installed.

What is malware?

• Any software program developed for performing an action unknown to and unwanted by the end user (malicious software)
• First known in the 80’s as a Trojan horse
• Various types
  – Trojan horse
  – Virus
  – Worm
  – Spyware
  – Adware
  – …

Types of Malware

• Trojan Horse
  – A harmful piece of software that is disguised as legitimate software
• Virus
  – A program that spreads by inserting copies of itself into other executable code or documents (host dependent, replication)
  – Requires the user to transmit infected file to other users

Types of Malware

• Worms
  – A self-contained, self-replicating computer program
  – Similar to a computer virus, but does not need a user to transmit an infected file; does not typically destroy the computer.
  – First Internet worm in 1988
• Spyware
  – Software that collects and sends information about users or, more precisely, the results of their computer activity, without explicit notification
• Adware
  – Advertising-supported software
  – At times can be a subset of spyware

What is phishing?

• Phishing is the act of attempting to acquire information by masquerading as a trustworthy entity in an electronic communication

– Some of this information includes:

• usernames, passwords, and credit card details (and sometimes, indirectly, money)

Who gets hacked?

• Government servers
  – North Korean Social Media Hacked
    http://www.cnn.com/2013/04/04/world/asia/north-korea-hacking
• Banks, e-commerce sites
  – Bank of America Hacked by Anonymous
    http://www.ibtimes.com/bank-america-hacked-anonymous-hackers-leak-secrets-about-executives-salaries-spy-activities-1107947
• Educational institutions
  – USC Applications Database Hack
    http://news.cnet.com/Man-charged-with-hacking-USC-database/2100-7350_3-6063470.html

What is a hacker?

• Hacker is a term that has been used to mean a variety of different things in computing. The term could refer to a person in any one of several distinct communities and subcultures:
  – People committed to circumvention of computer security.
  – A community of enthusiast computer programmers and systems designers.
  – The hobbyist home computing community, focusing on hardware

World’s definition of a hacker

• The media’s definition of a hacker is the definition of a criminal hacker
  – Someone who maliciously breaks into networks and systems for personal gain
  – Crack (v) – to break into a system with malicious intent

Who are these hackers?

• Internal threats (rogue insiders)
  – Bored students
  – Disgruntled employees
• External threats
  – Bored people
  – Political action groups
  – Ex-employees
• Basically anyone

Levels of Hackers

• Script kiddies/Cyberpunks
  – Novices
  – Very little actual knowledge of what goes on behind the scenes. They simply find a cool tool on the net
• Intermediate Hackers
  – “halfway hackers”
  – Know enough to cause serious damage
  – Most want to be advanced (l33t), and will get there if they’re not caught
• Advanced Hackers
  – Criminal Experts
  – Uber/l33t hackers
  – These are the authors of the hacking tools, viruses, and malware
  – They know enough to hide their tracks
    • most of the time you won’t even know that your system has been compromised

Why hack?

• For the lulz
• Curiosity, notoriety, fame
• Profit ($$$ or other gain)
  – Hackers for Hire
  – Sell people’s personal information on the black market
• Hacktivism
• Cyberterrorists

Hacker Methodology

1. Information Gathering (passive)

2. Scanning (active)

3. Exploitation

4. Maintaining Access

5. Covering Tracks

APT (Advanced Persistent Threat)

• Usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity
  – Originally used to classify persistent attacks against government and government contractors
    • Now attacks directed at anyone with valuable information
• Advanced
  – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal
• Persistent
  – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain.
• Threat
  – APTs are a threat because they have both capability and intent.
  – APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code.
  – The operators have a specific objective and are skilled, motivated, organized and well funded.

APT Example

• Operation Aurora (2009)
  – Targets:
    • Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted.
      – According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.
  – Goal:
    • The attack was to gain access to and potentially modify source code repositories at these high tech, security and defense contractor companies.
  – Team:
    • APT based in Beijing, China with ties to the People’s Liberation Army

How Widespread is the APT?

Where is the APT?

How do I protect myself?

• Keep your software up to date

• Use protection software "anti-virus software" and keep it up to date

• Don't open unknown, unscanned or unexpected email attachments

• Use hard-to-guess passwords

• Understand what a firewall is and how to use it.

• Use the least shared privileges

• Sharing is not caring

How do I make a good password?

• Passwords should contain at least 8 characters

• Use one of each of the following:
  – Uppercase letters ( A-Z )
  – Lowercase letters ( a-z )
  – Numbers ( 0-9 )
  – Punctuation marks ( !@#$%^&*()_+=- )

• The best password is one that is totally random to anyone else except you

Password Examples

• kEp*-h&y = keep your laser handy
• yCag5wyw = you can't always get what you want
• imcmit2s,Ibl = if my car makes it through 2 semesters, I'll be lucky
• oBGcat$7t = only Bill Gates could afford this $70.00 textbook
• WtimaciK2? = What time is my computer class in KAP 267?
• If33lg8! = I feel great!
• W1ldcatzR#1 = Wildcats are #1
• d0lf1n’sfan = Dolphins Fan
• Uc1@SuX! = UCLA Sucks!

Password Rules

• Don't use your name, your pet's name, your birth date or other information that is easy to get

• Don't use 'qwerty' or any word in the dictionary

• Never write down your password

• Never tell anyone your password

• Remember – the key to security is embedded in the word security

SEC - - Y
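
The rules from the two password slides above, written as a checker. This is an added example, not part of the original slides; the word list, the `personal_info` parameter and the choice to accept any ASCII punctuation mark are assumptions made for illustration.

```python
import string

MIN_LENGTH = 8  # slide: "at least 8 characters"
# Assumption: any ASCII punctuation counts (a superset of the slide's list).
PUNCTUATION = set(string.punctuation)
# Constructed stand-in for a real dictionary / common-password list.
WORDLIST = {"qwerty", "password", "security", "dolphins", "wildcats"}


def check_password(password, personal_info=()):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = {
        "uppercase letter": string.ascii_uppercase,
        "lowercase letter": string.ascii_lowercase,
        "number": string.digits,
        "punctuation mark": PUNCTUATION,
    }
    for name, allowed in classes.items():
        if not any(ch in allowed for ch in password):
            problems.append(f"no {name}")
    lowered = password.lower()
    if lowered in WORDLIST:
        problems.append("dictionary word or keyboard pattern")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    # First four come from the examples slide; the last two are constructed.
    samples = ["kEp*-h&y", "yCag5wyw", "oBGcat$7t", "If33lg8!", "qwerty", "Tommy2013!"]
    for pw in samples:
        issues = check_password(pw, personal_info=("Tommy",))
        print(f"{pw:12} {'OK' if not issues else '; '.join(issues)}")
```

Run as a script, it reports that `kEp*-h&y` has no number and `yCag5wyw` has no punctuation mark, so candidate passwords are worth running through every rule rather than judging by eye.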

Careers

• Security Administrator
  – Implements network security policies and procedures
  – Average salary is $69,000
• Web Security Administrator
  – Develops, implements, and maintains firewall technologies that secure an organization's website
  – Average salary is $79,000
• IT Security Consultant
  – Average salary is $106,000

Security at USC

• Introductory & Intermediate Classes
  – ITP 125 – From Hackers to CEOs: Introduction to Information Security
  – ITP 325 – Ethical Hacking and Systems Defense
  – ITP 357 – Enterprise Network Design
  – ITP 375 – Digital Forensics

• Minor in Applied Computer Security

• Minor in Computer & Digital Forensics

Resources

• Computer Security Institute
  – http://gocsi.com/survey
• Messagelabs Intelligence October 2010
  – http://www.messagelabs.com/intelligence.aspx
• Ponemon Institute 2009 Annual Study: Cost of a Data Breach
  – http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/US_Ponemon_CODB_09_012209_sec.pdf
• Symantec Global Internet Security Threat Report
  – http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
• Verizon 2010 Data Breach Investigations Report
  – http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf