Unit-1 Introduction to the Management of Information Security

Que 1. Define InfoSec. What are the specialized areas and components of Information Security?

Information security (InfoSec): Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another. Many of those strategies focus on specific areas of security, but they also have many elements in common. It is the role of management to ensure that each strategy is properly planned, organized, staffed, directed, and controlled. Specialized areas of security include:

  • Physical security – The protection of physical items, objects, or areas from unauthorized access and misuse.
  • Operations security – The protection of the details of an organization’s operations and activities.
  • Communications security – The protection of all communications media, technology, and content.
  • Cyber (or computer) security – The protection of computerized information processing systems and the data they contain and process.
  • Network security – A subset of communications security and cybersecurity; the protection of voice and data networking components, connections, and content.

Components of InfoSec

Information security (InfoSec) focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability, and includes the technology that houses and transfers that information, through a variety of protection mechanisms such as policy, training and awareness programs, and technology. InfoSec includes the broad areas of InfoSec management: computer security, data security, and network security. The accompanying figure also shows that policy is the space where these components overlap.

Confidentiality

Confidentiality means limiting access to information only to those who need it, and preventing access by those who do not. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used, including:

  • Information classification
  • Secure document (and data) storage
  • Application of general security policies
  • Education of information custodians and end users
  • Cryptography (encryption)

  • Confidentiality is closely related to privacy. In an organization, confidentiality of information is especially important for personal information about employees, customers, or patients. People expect organizations to closely guard such information.
  • Whether the organization is a government agency, a commercial enterprise, or a non-profit charity, problems arise when organizations disclose confidential information. Disclosure can occur either deliberately or by mistake.
  • For example, confidential information could be mistakenly e-mailed to someone outside the organization rather than the intended person inside the organization. Or perhaps an employee discards, rather than destroys, a document containing critical information. Or maybe a hacker successfully breaks into a Web-based organization’s internal database and steals sensitive information about clients, such as names, addresses, or credit card information.

Integrity

  • The integrity or completeness of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
  • Corruption can occur while information is being entered, stored, or transmitted. Many computer viruses and worms, for example, are designed to corrupt data.
  • For this reason, the key method for detecting whether a virus or worm has caused an integrity failure in a file system is to look for changes in a file’s state, as indicated by the file’s size or, in a more advanced operating system, its hash value or checksum (a size check alone misses a modification that keeps the file the same length). File corruption is not always the result of deliberate attacks. Faulty programming or even noise in the transmission channel or medium can cause data to lose its integrity.
  • For example, a low-voltage state in a signal carrying a digital bit (a 1 or 0) can cause the receiving system to record the data incorrectly. To compensate for internal and external threats to the integrity of information, systems employ a variety of error-control techniques, including the use of redundancy bits and check bits.
  • During each transmission, algorithms, hash values, and error-correcting codes verify the integrity of the information. Data that fails this verification is retransmitted or otherwise recovered. Because information is of little or no value or use if its integrity cannot be verified, information integrity is a cornerstone of InfoSec.

Availability

  • Availability of information means that users, either people or other systems, have access to it in a usable format.
  • Availability does not imply that the information is accessible to any user; rather, it means it can be accessed when needed by authorized users.
  • To understand this concept more fully, consider the contents of a library, in particular research libraries that require identification for access to the library as a whole or to certain collections. Library patrons must present the required identification before accessing the collection. Once they are granted access, patrons expect to be able to locate and access resources in the appropriate languages and formats.

Q.2) Describe CNSS security model. What are the three dimensions?

CNSS Security Model

  • The CNSS document NSTISSI No. 4011, “National Training Standard for Information Systems Security (InfoSec) Professionals,” presents a comprehensive model of InfoSec known as the McCumber Cube, which is named after its developer, John McCumber.
  • Shown in Figure 1-2, which is an adaptation of the NSTISSI model, the McCumber Cube serves as the standard for understanding many aspects of InfoSec, and shows the three dimensions that are central to the discussion of InfoSec: information characteristics (confidentiality, integrity, availability), information location (storage, processing, transmission), and security control categories (policy, education, technology).
  • If you extend the relationship among the three dimensions that are represented by the axes in the figure, you end up with a 3 x 3 x 3 cube with 27 cells. Each cell represents an area of intersection among these three dimensions, which must be addressed to secure information.
  • When using this model to design or review any InfoSec program, you must make sure that each of the 27 cells is properly addressed by each of the three communities of interest.
  • For example, the cell representing the intersection of the technology, integrity, and storage criteria could include controls or safeguards addressing the use of technology to protect the integrity of information while in storage. Such a control might consist of a host intrusion detection and prevention system (HIDPS), which would alert the security administrators when a critical file was modified or deleted.
  • While the CNSS model covers the three dimensions of InfoSec, it omits any discussion of the detailed guidelines and policies that direct the implementation of controls, which are essential to an effective InfoSec program.

Que 3. Write a note on CIA Triad.

The three letters in “CIA triad” stand for Confidentiality, Integrity, and Availability. The CIA triad is a common model that forms the basis for the development of security systems. It is used for finding vulnerabilities and for devising methods to address them.

The confidentiality, integrity, and availability of information is crucial to the operation of a business, and the CIA triad segments these three ideas into separate focal points. This differentiation is helpful because it helps guide security teams as they pinpoint the different ways in which they can address each concern. Ideally, when all three standards have been met, the security profile of the organization is stronger and better equipped to handle threat incidents.

Confidentiality
Confidentiality means limiting access to information only to those who need it, and preventing access by those who do not. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used, including:

  • Information classification
  • Secure document (and data) storage
  • Application of general security policies
  • Education of information custodians and end users
  • Cryptography (encryption)

  • Confidentiality is closely related to privacy. In an organization, confidentiality of information is especially important for personal information about employees, customers, or patients. People expect organizations to closely guard such information.
  • Whether the organization is a government agency, a commercial enterprise, or a non-profit charity, problems arise when organizations disclose confidential information. Disclosure can occur either deliberately or by mistake.
  • For example, confidential information could be mistakenly e-mailed to someone outside the organization rather than the intended person inside the organization. Or perhaps an employee discards, rather than destroys, a document containing critical information. Or maybe a hacker successfully breaks into a Web-based organization’s internal database and steals sensitive information about clients, such as names, addresses, or credit card information.

Integrity

  • The integrity or completeness of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
  • Corruption can occur while information is being entered, stored, or transmitted. Many computer viruses and worms, for example, are designed to corrupt data.
  • For this reason, the key method for detecting whether a virus or worm has caused an integrity failure in a file system is to look for changes in a file’s state, as indicated by the file’s size or, in a more advanced operating system, its hash value or checksum (a size check alone misses a modification that keeps the file the same length). File corruption is not always the result of deliberate attacks. Faulty programming or even noise in the transmission channel or medium can cause data to lose its integrity.
  • For example, a low-voltage state in a signal carrying a digital bit (a 1 or 0) can cause the receiving system to record the data incorrectly. To compensate for internal and external threats to the integrity of information, systems employ a variety of error-control techniques, including the use of redundancy bits and check bits.
  • During each transmission, algorithms, hash values, and error-correcting codes verify the integrity of the information. Data that fails this verification is retransmitted or otherwise recovered. Because information is of little or no value or use if its integrity cannot be verified, information integrity is a cornerstone of InfoSec.
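The Integrity bullets above (here and in Question 1) describe detecting tampering by comparing a file’s size or hash against a known-good state. The following Python is an added example, not code from the notes or the textbook they summarize: it records a baseline of sizes and SHA-256 digests, re-checks it later, and reports which files are missing or changed. The files, their contents, and the “same-length tamper” scenario are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so that large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and SHA-256 digest of each file: the known-good state."""
    return {p: {"size": os.path.getsize(p), "sha256": sha256_of_file(p)} for p in paths}


def verify(baseline):
    """Compare the current files against the baseline.

    Returns {path: status} with status one of
    "ok", "missing", "size_changed", "content_changed".
    "content_changed" is the case a size-only check would miss.
    """
    results = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_of_file(path) == expected["sha256"]:
            results[path] = "ok"
        elif os.path.getsize(path) != expected["size"]:
            results[path] = "size_changed"
        else:
            results[path] = "content_changed"
    return results


def demo():
    """Constructed scenario: a config file edited to the same length, and a
    binary that is deleted. Returns (baseline, verification results)."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "app.conf")
    binary = os.path.join(d, "service.bin")
    with open(cfg, "wb") as f:
        f.write(b"admin=false\n")            # 12 bytes
    with open(binary, "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 60)   # 64 bytes, constructed stand-in for a binary

    baseline = build_baseline([cfg, binary])

    with open(cfg, "wb") as f:
        f.write(b"admin=true \n")            # still 12 bytes: a size check is blind to this
    os.remove(binary)
    return baseline, verify(baseline)


if __name__ == "__main__":
    _, results = demo()
    for path, status in results.items():
        print(f"{status:16} {path}")
```

The baseline only has value if it is kept where an attacker who can modify the files cannot also modify it (a separate host, read-only media, or a signed record); an intruder with root who can edit a file can also edit a checksum stored next to it.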

Availability

  • Availability of information means that users, either people or other systems, have access to it in a usable format.
  • Availability does not imply that the information is accessible to any user; rather, it means it can be accessed when needed by authorized users.
  • To understand this concept more fully, consider the contents of a library, in particular research libraries that require identification for access to the library as a whole or to certain collections. Library patrons must present the required identification before accessing the collection. Once they are granted access, patrons expect to be able to locate and access resources in the appropriate languages and formats.

Que 4. What are the types of espionage?

  • Espionage or trespass is a well-known and broad category of electronic and human activities that can breach the confidentiality of information. When an unauthorized person gains access to information an organization is trying to protect, the act is categorized as espionage or trespass. Attackers can use many different methods to access the information stored in an information system.
  • Some information-gathering techniques are legal; for example, using a Web browser to perform market research. These legal techniques are collectively called competitive intelligence. When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting industrial espionage.
  • Some forms of espionage are relatively low-tech. One example, called shoulder surfing, is used in public or semi-public settings when people gather information they are not authorized to have. Instances of shoulder surfing occur at computer terminals, desks, and ATMs; on a bus, airplane, or subway, where people use smartphones and tablet PCs; and in other places where employees may access confidential information. Shoulder surfing flies in the face of the unwritten etiquette among professionals who address information security in the workplace: if you can see another person entering personal or private information into a system, look away as the information is entered. Failure to do so constitutes not only a breach of etiquette, but also an affront to privacy and a threat to the security of confidential information.

Hackers

Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems without permission. Controls sometimes mark the boundaries of an organization’s virtual territory. These boundaries give notice to trespassers that they are encroaching on the organization’s cyberspace. Sound principles of authentication and authorization can help organizations protect valuable information and systems. These control methods and technologies employ multiple layers or factors to protect against unauthorized access and trespass. Hackers possess a wide range of skill levels, as with most technology users. However, most hackers are grouped into two general categories: the expert hacker and the novice hacker.

  • The expert hacker is usually a master of several programming languages, networking protocols, and operating systems, and exhibits a mastery of the technical environment of the chosen targeted system. Once an expert hacker chooses a target system, the likelihood is high that he or she will successfully enter the system. Fortunately for the many poorly protected organizations in the world, there are substantially fewer expert hackers than novice hackers.
  • Novice hackers have little or no real expertise of their own, but rely upon the expertise of expert hackers, who often become dissatisfied with attacking systems directly and turn their attention to writing software. These programs are automated exploits that allow novice hackers to act as script kiddies or packet monkeys. The good news is that if an expert hacker can post a script tool where a script kiddie or packet monkey can find it, then systems and security administrators can find it, too. The developers of protection software and hardware and the service providers who keep defensive systems up to date also stay informed about the latest in exploit scripts. As a result of preparation and continued vigilance, attacks conducted by scripts are usually predictable and can be adequately defended against.
  • Privilege escalation: Once an attacker gains access to a system, the next step is to increase his or her privileges. While most accounts associated with a system have only rudimentary “use” permissions and capabilities, the attacker needs administrative or “root” privileges. These privileges allow attackers to access information, modify the system itself to view all information in it, and hide their activities by modifying system logs. The escalation of privileges is a skill set in and of itself. However, just as novice hackers can use tools to gain access, they can use tools to escalate privileges.
  • Phreakers, who hack the public telephone network, grew in fame in the 1970s when they developed devices called blue boxes that enabled them to make free calls from pay phones. Later, red boxes were developed to simulate the tones of coins falling in a pay phone, and finally black boxes emulated the line voltage. With the advent of digital communications, these boxes became practically obsolete. Even with the loss of the colored-box technologies, however, phreakers continue to cause problems for all telephone systems.

Password attacks

Password attacks fall under the category of espionage or trespass, just as lock-picking falls under breaking and entering. Attempting to guess or reverse-calculate a password is often called cracking. There are a number of alternative approaches to password cracking:

  • Brute force: The application of computing and network resources to try every possible password combination is called a brute force password attack. If attackers can narrow the field of target accounts, they can devote more time and resources to these accounts. This is one reason to always change the default administrator password assigned by the manufacturer. Brute force password attacks are rarely successful against systems that have adopted the manufacturer’s recommended security practices. Controls that limit the number of unsuccessful access attempts within a certain time are very effective against online brute force attacks. The strength of a password is a combination of its length and complexity, which together determine its ability to withstand a brute force attack; each additional character multiplies the search space, so length contributes far more than character-class rules do. Using best-practice policies for passwords can greatly enhance their strength: use passwords of at least 10 characters with at least one uppercase and one lowercase letter, one number, and one special character, on systems that allow case-sensitive passwords.
  • Dictionary attacks: The dictionary password attack, or simply dictionary attack, is a variation of the brute force attack that narrows the field using a dictionary of common passwords and includes information related to the target user, such as names of relatives or pets, and familiar numbers such as phone numbers, addresses, and even Social Security numbers. Organizations can use similar dictionaries to disallow passwords during the reset process and thus guard against passwords that are easy to guess. In addition, rules requiring numbers and special characters in passwords make the dictionary attack less effective.
  • Rainbow tables: A far more sophisticated and potentially much faster password attack is possible if the attacker can gain access to an encrypted password file, such as the Security Account Manager (SAM) data file. While these password files contain hashed representations of user passwords rather than the actual passwords, and thus cannot be used by themselves
  • Social engineering password attacks: While social engineering is discussed in detail later, in the section called “Human Error or Failure,” it is worth mentioning here as a mechanism to gain password information. Using an approach commonly referred to as pretexting, attackers posing as an organization’s IT professionals may attempt to gain access to systems information by contacting low-level employees and offering to help with their computer issues. After all, what employee does not have issues with computers? By posing as a friendly and helpful help-desk or repair technician, the attacker asks employees for their usernames and passwords, then uses the information to gain access to organizational systems. Some will ask the user to install a back door or rootkit, allowing the attacker to directly access the system. Some will even go so far as to actually resolve the user’s issues. Social engineering password attacks are much easier than hacking servers for password files.
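The dictionary and rainbow-table bullets above describe attacks against a stolen file of password hashes. The Python below is an added example (not from the notes or the textbook) that runs a small dictionary attack with target-derived guesses against a constructed file of unsalted SHA-256 hashes, shows the precomputed digest-to-plaintext lookup that a rainbow table performs, and then shows why a per-user salt defeats that lookup. The usernames, hints, wordlist, and hashes are all constructed for the demonstration; real tools use wordlists of millions of entries.

```python
import hashlib
import itertools
import os

# Constructed wordlist; real attacks use far larger ones.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]

# Per-target hints of the kind the text mentions (pets, years, phone numbers),
# as an attacker might gather them from social media. Constructed values.
TARGET_HINTS = {
    "alice": ["Rover", "1985"],
    "bob": ["Tigger", "5551234"],
}


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def mutations(word):
    """Cheap rule-based variations (case, suffixes, leet) that cracking tools apply."""
    bases = {word, word.lower(), word.capitalize()}
    out = set(bases)
    for w in bases:
        out.add(w + "!")
        out.add(w + "1")
        out.add(w.replace("a", "@").replace("o", "0").replace("e", "3"))
    return out


def candidate_list(username):
    """Dictionary for one target: common passwords plus hint-derived guesses."""
    cands = set(COMMON_PASSWORDS)
    hints = TARGET_HINTS.get(username, [])
    for h in hints:
        cands |= mutations(h)
    for a, b in itertools.permutations(hints, 2):
        cands.add(a + b)  # pet name + year and the like
    return cands


def dictionary_attack(leaked):
    """leaked: {user: unsalted sha256 hex}. Returns {user: recovered password}."""
    found = {}
    for user, digest in leaked.items():
        for cand in candidate_list(user):
            if sha256_hex(cand) == digest:
                found[user] = cand
                break
    return found


def precomputed_table(words):
    """Stand-in for a rainbow table: digest -> plaintext, computed once and
    reused against every unsalted password file the attacker ever obtains."""
    return {sha256_hex(w): w for w in words}


def salted_hash(password, salt):
    """A unique per-user salt makes the same password hash differently for each
    user, so a table computed in advance is useless. (Real systems also use a
    deliberately slow KDF such as bcrypt, scrypt or Argon2, not plain SHA-256.)"""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def demo():
    # Constructed "leaked" file of unsalted hashes (SAM-style).
    leaked = {
        "alice": sha256_hex("Rover1985"),
        "bob": sha256_hex("Tigger!"),
        "carol": sha256_hex("xK9#vT2!pQ-wZ"),  # long random password: not cracked
    }
    cracked = dictionary_attack(leaked)

    table = precomputed_table(COMMON_PASSWORDS)
    unsalted = sha256_hex("letmein")
    salted = salted_hash("letmein", os.urandom(16))
    return {
        "cracked": cracked,
        "table_hit_unsalted": table.get(unsalted),  # instant hit
        "table_hit_salted": table.get(salted),      # None: table is useless
    }


if __name__ == "__main__":
    print(demo())
```

The two attacks differ only in when the hashing work is done: the dictionary attack hashes guesses after obtaining the file, the table does it beforehand. Salting defeats the second; a slow, memory-hard hash function is what slows down the first.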

Que5.How technical software failure can create threat to information security.

Ans:

  • Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions. Sometimes these bugs are not errors, but purposeful shortcuts left by programmers for benign or malign reasons.
  • Collectively, shortcut access routes into programs that bypass security checks are called trap doors, and they can cause serious security breaches.
  • The Open Web Application Security Project (OWASP) was founded in 2001 as a non-profit consortium dedicated to helping organizations create and operate software applications they can trust.

According to OWASP, “The Ten Most Critical Web Application Security Risks” (the 2017 release-candidate list that these notes reproduce; later editions of the Top 10 differ) are:

  • Injection
  • Broken authentication and session management
  • Cross-site scripting (XSS)
  • Broken access control
  • Security misconfiguration
  • Sensitive data exposure
  • Insufficient attack protection
  • Cross-site request forgery (CSRF)
  • Using components with known vulnerabilities
  • Underprotected APIs

Some errors made during software development are so critical that they have been characterized as “deadly sins of software security” because they render the software vulnerable to exploitation in the hostile environment of the Internet. These “deadly sins” fall into the four broad categories of Web application sins, implementation sins, cryptographic sins, and networking sins.

Web Application Sins

These sins are especially troublesome because in a very real sense, the Web is “the Internet” to many users. Whether posting to social media, making a travel reservation, completing an online purchase or managing finances, a Web application is the intermediary that implements the desired functionality.

  • SQL injection occurs when developers fail to properly validate user input before passing it on to a relational database, typically by concatenating the input into the query text. The possible effects of an adversary’s “injection” of SQL are not limited to improper access to information, but may include damaging operations such as dropping the USERS table or perhaps shutting down the database. The standard defense is to pass input to the database as bound parameters so that it is never parsed as part of the query.
  • Web server-related vulnerabilities: These sins, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Response Splitting, are actually defects in Web applications that exploit how the Web server renders Web pages to make it appear that an adversary’s malicious content is actually coming from the Web site itself.
  • Web client-related vulnerabilities (including XSS): Though similar to the previous sin, this malady is executed within the client’s Web browser and often makes use of gadgets or widgets (mini-applications such as a stock ticker or weather report). These mini-applications are often written to minimize footprint and maximize functionality without consideration for security.
  • Use of magic URLs, predictable cookies, and hidden form fields: HTTP is a stateless protocol; the server retains nothing about a client from one request to the next. This makes it difficult for software developers to track a user’s exchanges with a Web site over multiple interactions. Too often, sensitive state information is included in hidden form fields on the HTML page or simply included in a “magic” URL (for example, the authentication ID is passed as a parameter in the URL for the exchanges that will follow). If this information is stored as plain text, an attacker can harvest the information from a magic URL as it travels across the network, or use scripts on the client to modify information in hidden form fields. Depending on the structure of the application, the harvested or modified information can be used in spoofing or hijacking attacks, or to change the way the application operates.

Implementation Sins

These sins are classic programming errors that produce vulnerabilities in running software.

  • Buffer overflow: Buffers are simply storage space in a program and are normally of some fixed size. When used to accept input from an external source (e.g., a form field on a Web page), the source may supply more information than the buffer was designed to hold and thus overwrite other areas in the program. This may cause the program to abort, or the adversary may specially craft the excess data to cause the program to perform unintended actions.
  • Format string problems: Computer languages often are equipped with built-in capabilities to reformat data while they output it. The formatting instructions are usually written as a “format string.” Unfortunately, some programmers use data from untrusted sources as a format string. An attacker may embed characters that are meaningful as formatting directives (such as %x, %d, %p, etc.) into malicious input. If this input is then interpreted by the program as formatting directives, the attacker may be able to read information from, or overwrite very targeted portions of, the program’s stack with data of the attacker’s choosing.
  • Integer overflows: Although mathematical calculation theoretically can deal with numbers that contain an arbitrary number of digits, the binary representations
  • Poor usability: Users prefer doing things the easy way. When faced with an “official way” of performing a task and an “unofficial way” which is easier, they prefer the latter. The best solution to address this issue is to provide only one way: the secure way! Integrating security and usability, adding training and awareness, and ensuring solid controls all contribute to the security of information. Allowing users to choose easier solutions by default will inevitably lead to loss.
  • Not updating easily: It is a given that software will need to be changed at some point during its lifecycle, either to fix a problem, close a security vulnerability, or add new functionality. If the updating process is cryptic, users will probably not update their software, which may then be compromised due to a known and fixed vulnerability. As more computing capability is added to devices that do not look like computers, such as Internet of Things appliances, it becomes less obvious whether they need periodic updates. An equally important issue is to assure that updates come from trusted sources. After all, if Alice Adversary can convince your user to install her malicious software as an “important security update
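The format-string sin above is described in C terms (%x, %d, %p), but the same mistake, using untrusted input as the format string, exists in Python's `str.format`, where replacement fields can follow attributes and index into objects. The block below is an added example, not code from the notes or the textbook: a greeting feature that lets the user supply the template, the object walk that leaks a module-level secret, and a hardened version using `string.Template`, which can only substitute named values. `SECRET_KEY`, the `User` class, and the templates are constructed for the demonstration.

```python
import string

SECRET_KEY = "constructed-secret-abc123"  # stand-in for a real module-level secret


class User:
    def __init__(self, name):
        self.name = name


def render_vulnerable(template, user):
    """The sin: the untrusted template IS the format string. A replacement
    field may walk attributes ({user.__init__}) and index into mappings
    ([SECRET_KEY]), so the caller can reach far beyond the user's name."""
    return template.format(user=user)


def render_safe(template, user):
    """The fix: string.Template substitutes only $identifiers from the mapping
    you pass and cannot follow attributes or index into anything. The template
    is still untrusted, but it can only ask for 'name'."""
    return string.Template(template).safe_substitute(name=user.name)


if __name__ == "__main__":
    u = User("mallory")
    leak = "{user.__init__.__globals__[SECRET_KEY]}"   # attacker-chosen template
    print("vulnerable:", render_vulnerable(leak, u))    # prints the secret
    print("safe:      ", render_safe("$name" + leak, u))  # '.__init__...' stays literal
```

The leak works because a bound method exposes its function's `__globals__`, the dictionary of the module it was defined in. The C variant is more dangerous (`%n` writes to memory), but the root cause, and the fix, is the same: the format string must be a constant chosen by the developer, and untrusted input must only ever be an argument to it.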

Cryptographic Sins

Cryptography is a valuable tool for securing information, but like any tool, it must be used correctly. When cryptography is misused, it often gives the illusion of security while leaving the user in a worse condition than before.

  • Use of weak password-based systems: Failure to require sufficient password strength and to control incorrect password entry is a serious security issue. Password policy can specify the acceptable number and type of characters, the frequency of mandatory changes, and even the reusability of old passwords. Similarly, a system administrator can regulate the permitted number of incorrect password entries that are submitted and further improve the level of protection. Systems that do not validate passwords, or that store passwords in easily accessible locations, are ripe for attack.
  • Weak random numbers: Most modern cryptosystems, like many other computer systems, use random number generators. However, a decision-support system that uses random and pseudo-random numbers for Monte Carlo forecasting does not require the same degree of rigor and the same need for true randomness as a system that seeks to implement cryptographic procedures. Ordinary “random” number generators use a mathematical algorithm based on a seed value and another system component (such as the computer clock) to simulate a random number. Those who understand the workings of such a generator, and can guess its seed, can predict particular values at particular times. Keys, nonces, session identifiers, and reset tokens must therefore come from a cryptographically secure generator seeded from the operating system’s entropy source.
  • Using the wrong cryptography: Many more people use cryptography than actually understand it, and this leads to cryptographic implementations that fail to deliver their promised contribution to security. Examples of these sins include using a home-grown cryptographic algorithm rather than a professionally evaluated one such as AES, and poor implementations of key-generation methods that lead to predictable keys (as well as poor operational procedures for managing keys that may lead to key leakage or loss).
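The “weak random numbers” sin above, a generator seeded from the clock, can be shown end to end: generate a password-reset token from a time-seeded Mersenne Twister, then recover it from the attacker's side by trying every seed in a window around the estimated issue time. The Python below is an added example (not from the notes or the textbook); the issue time, token format, and search window are constructed for the demonstration, and the `secrets` version shows the correct replacement.

```python
import random
import secrets

ALPHABET = "0123456789abcdef"


def make_reset_token_weak(seed_time):
    """The sin: the generator is seeded from the clock. Whoever can estimate
    when the token was issued can replay the generator and obtain the token."""
    rng = random.Random(seed_time)   # Mersenne Twister, not a CSPRNG
    return "".join(rng.choice(ALPHABET) for _ in range(32))


def recover_weak_token(observed_token, approx_time, window=3600):
    """Attacker's side: try every seed within +/- window seconds of the
    estimated issue time. Returns the seed that reproduces the token."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if make_reset_token_weak(seed) == observed_token:
            return seed
    return None


def make_reset_token_strong():
    """The fix: the secrets module draws from the OS entropy source; there is no
    seed for an attacker to guess, and earlier outputs reveal nothing about later ones."""
    return secrets.token_hex(16)   # 32 hex characters, 128 bits of entropy


if __name__ == "__main__":
    issued_at = 1_700_000_000                      # constructed issue time (epoch seconds)
    token = make_reset_token_weak(issued_at)
    print("weak token  :", token)
    print("seed found  :", recover_weak_token(token, issued_at + 1234))
    print("strong token:", make_reset_token_strong())
```

Two hours of candidate seeds is about 7,200 trials, a fraction of a second of work; an attacker who sees the e-mail timestamp on a reset message needs far less. Even an unseeded Mersenne Twister is unsuitable for tokens, since its full state can be reconstructed from 624 consecutive outputs.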

Networking Sins

The network is the piping that enables the worldwide flow of information and makes the Internet such an interesting place. However, because it is the medium for all that information flow, it is a rich target.

  • Failure to protect network traffic: With the growing popularity of wireless networking comes a corresponding increase in the risk that wirelessly transmitted data will be intercepted. Many wireless networks are installed and operated with little or no protection for the information that is broadcast between the client and the wireless access point. This is especially true of public networks found in coffee shops, bookstores, and hotels. Without appropriate encryption, such as that afforded by WPA2 or WPA3 (the original WPA is deprecated), attackers can intercept and view your data. Link-layer encryption protects only the wireless hop, so on an untrusted network, application-layer protection such as TLS or a VPN is still required.
  • Improper use of PKI, especially SSL: Programmers use Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), to transfer sensitive data, such as credit card numbers and other personal information, between a client and server. (All versions of SSL itself are now deprecated; current systems should accept only TLS 1.2 or later.) While most programmers assume that using SSL/TLS guarantees security, they often mishandle this technology. SSL and TLS commonly use certificates for authenticating entities. Failure to validate a certificate and its chain to a trusted certificate authority, failure to check that the name in the certificate matches the host being contacted, or failure to check revocation status (via a certificate revocation list (CRL) or OCSP) can compromise the security of the traffic.
  • Trusting network name resolution: As described earlier, DNS is vulnerable to attack or “poisoning.” DNS cache poisoning involves inserting a forged record into a DNS server’s cache so that the valid IP address associated with a domain name is replaced with one the attacker chooses, usually a fake Web site designed to obtain personal information or one that accrues a benefit to the attacker, for example, redirecting shoppers away from a competitor’s Web site or to a fake “bank” site. Aside from a direct attack against a root DNS server, most attacks are made against primary and secondary DNS servers, which are local to an organization and part of the distributed DNS system. DNS relies on a process of automated updates that can be exploited. Attackers most commonly compromise segments of the DNS by attacking the name server itself and substituting their own DNS primary name server, by incorrectly updating an individual record, or by responding to a query before the legitimate DNS server can. DNSSEC, which signs DNS records so that resolvers can verify their origin, is the standard defense against forged responses.

Que 6. Difference between Dos and DDoS attack.

  • In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target. So many requests are made that the target system becomes overloaded and cannot respond to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions.
  • In a distributed denial-of-service (DDoS) attack, a coordinated stream of requests is launched against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised.
  • Each compromised machine is turned into a bot or zombie, a system that is directed remotely by the attacker (usually via a transmitted command) to participate in the attack.
  • DDoS attacks are more difficult to defend against: a per-source limit that stops a single-origin DoS does nothing when each of thousands of sources sends only a modest amount of traffic, and there are few controls that any single organization can apply on its own; mitigation generally depends on upstream providers or scrubbing services with more capacity than the attack.
  • To use a popular metaphor, DDoS is considered a weapon of mass destruction on the Internet.
  • Any system connected to the Internet and providing TCP-based network services (such as a Web server, FTP server, or mail server) is vulnerable to DoS attacks.
  • DoS attacks can also be launched against routers or other network server systems if these hosts enable other TCP services, such as echo.
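The difference between the two attacks shows up directly in connection logs: a DoS is one source far above any reasonable rate, a DDoS is many sources each below it whose sum still exceeds what the service can handle. The Python below is an added example, not from the notes or the textbook, that classifies ten-second windows of constructed log lines (format `<epoch_seconds> <src_ip> <dst_port>`, addresses from the documentation ranges) into normal, DoS, and DDoS; the thresholds are assumptions chosen for the sample.

```python
from collections import Counter, defaultdict


def make_sample_logs():
    """Constructed connection-log lines: '<epoch_seconds> <src_ip> <dst_port>'."""
    lines = []
    for i in range(60):       # seconds 100-109: 20 clients, 3 requests each (normal)
        lines.append(f"{100 + i % 10} 198.51.100.{i % 20 + 1} 443")
    for i in range(500):      # seconds 110-119: one source sends 500 requests (DoS)
        lines.append(f"{110 + i % 10} 203.0.113.7 443")
    for i in range(1250):     # seconds 120-129: 250 bots, 5 requests each (DDoS)
        lines.append(f"{120 + i % 10} 192.0.2.{i % 250 + 1} 443")
    return lines


def parse(lines):
    for line in lines:
        ts, src, _port = line.split()
        yield int(ts), src


def classify(lines, window=10, per_source_limit=100, capacity=800):
    """Verdict per time window.

    Returns {window_start: (verdict, detail)} where verdict is
      "dos"    one source alone exceeds per_source_limit (detail: that source),
      "ddos"   total exceeds the service's capacity although no single source
               exceeds the limit (detail: number of distinct sources),
      "normal" otherwise (detail: total requests).
    The thresholds are assumed values for the constructed sample.
    """
    per_window = defaultdict(Counter)
    for ts, src in parse(lines):
        per_window[ts - ts % window][src] += 1
    verdicts = {}
    for start, counts in sorted(per_window.items()):
        total = sum(counts.values())
        top_src, top_n = counts.most_common(1)[0]
        if top_n > per_source_limit:
            verdicts[start] = ("dos", top_src)
        elif total > capacity:
            verdicts[start] = ("ddos", len(counts))
        else:
            verdicts[start] = ("normal", total)
    return verdicts


if __name__ == "__main__":
    for start, (verdict, detail) in classify(make_sample_logs()).items():
        print(start, verdict, detail)
```

The DoS window is something a single organization can act on (block or rate-limit 203.0.113.7). In the DDoS window no source breaks the per-source rule, so the only local signal is the aggregate, and blocking 250 addresses one at a time is the wrong tool; that is what the “no controls that any single organization can apply” bullet means in practice.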

Que 7. Which human errors can create threat to information security?

Ans:

  • This category includes acts performed without intent or malicious purpose or in ignorance by an authorized user. When people use information systems, mistakes happen.
  • Similar errors happen when people fail to follow established policy. Inexperience, improper training, and incorrect assumptions are just a few things that can cause human error or failure.
  • Regardless of the cause, even innocuous mistakes can produce extensive damage. One of the greatest threats to an organization’s information security is its own employees, as they are the threat agents closest to the information.
  • Because employees use data and information in everyday activities to conduct the organization’s business, their mistakes represent a serious threat to the confidentiality, integrity, and availability of data, even relative to threats from outsiders.
  • Employee mistakes can easily lead to revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information.
  • Leaving classified information in unprotected areas, such as on a desktop, on a Web site, or even in the trash can, is as much a threat as a person who seeks to exploit the information, because the carelessness can create a vulnerability and thus an opportunity for an attacker.
  • However, if someone damages or destroys data on purpose, the act belongs to a different threat category. Human error or failure often can be prevented with training, ongoing awareness activities, and controls. These controls range from simple activities, such as requiring the user to type a critical command twice, to more complex procedures, such as verifying commands by a second party.
  • An example of the latter is the performance of key recovery actions in PKI (public key infrastructure) systems. Many military applications have robust, dual-approval controls built in. Some systems that have a high potential for data loss or system outages use expert systems to monitor human actions and request confirmation of critical inputs.

Some common types of human error include the following:

  • Social engineering – In the context of information security, social engineering is used by attackers to gain system access or information that may lead to system access. There are several social engineering techniques, which usually involve a perpetrator posing as a person who is higher in the organizational hierarchy than the victim.
  • Advance-fee fraud – Another social engineering attack, called the advance-fee fraud (AFF) and internationally known as the 4-1-9 fraud, is named after a section of the Nigerian penal code. The perpetrators of 4-1-9 schemes often use the names of legitimate companies, such as the Nigerian National Petroleum Company. Alternatively, they may invent other entities, such as a bank, government agency, long-lost relative, lottery, or other nongovernmental organization.
  • Phishing – Some attacks are sent by e-mail and may consist of a notice that one’s e-mail storage allotment has been exceeded. The user is asked to log in, to run a test program attached to the e-mail, or even to log into their “bank” account (spoofed by the attacker) to verify their balance. While these attacks may seem crude to experienced users, the fact is that many e-mail users have fallen for them. These tricks and similar variants are called phishing attacks. Phishing attacks use two primary techniques, often in combination with one another: URL manipulation and Web site forgery. In URL manipulation, attackers send an HTML-embedded e-mail message or a hyperlink whose HTML code opens a forged Web site. In Web forgery, the attacker copies the HTML code from a legitimate Web site and then modifies key elements. When victims type their banking ID and password, the attacker records that information and displays a message that the Web site is now offline.
  • Spear phishing – While normal phishing attacks target as many recipients as possible, spear phishing involves an attacker sending a targeted message that appears to be from an employer, a colleague, or other legitimate correspondent to a small group or even one person.
  • Pretexting – Pretexting, sometimes referred to as phone phishing, is a purely social engineering attack in which the attacker calls a potential victim on the telephone and pretends to be an authority figure in order to gain access to private or confidential information, such as health, employment, or financial records.
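The URL manipulation technique described under phishing above can be checked for mechanically on the receiving side. The following Python script is an added example, not code from the original notes: it parses an HTML e-mail body with the standard library and flags links whose href hides the true destination, either by showing one site in the visible text while opening another, by using a raw IP address instead of a host name, or by using the user@host form of a URL. Every domain and address in it is constructed.

```python
# Added example, not from the original notes; all domains/addresses constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site_of(value):
    """Last two host labels of a URL or bare domain, e.g. 'examplebank.example'."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def suspicious_links(html):
    """Return http(s) hrefs that hide their true destination: a user@host
    trick, a raw IP address, or a site other than the one the text shows."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not href.lower().startswith("http"):
            continue                                   # skip mailto:, tel:, ...
        authority = href.split("://", 1)[-1].split("/", 1)[0]
        if "@" in authority:                                   # bank@attacker
            flagged.append(href)
        elif authority.split(":")[0].replace(".", "").isdigit():  # bare IPv4
            flagged.append(href)
        elif LOOKS_LIKE_URL.match(text) and site_of(text) != site_of(href):
            flagged.append(href)                               # shown != real
    return flagged

SAMPLE = ('<p>Verify at <a href="http://examplebank.example.evil-host.example/">'
          'https://www.examplebank.example/login</a> or <a href="http://198.51.100.9/v">Verify now</a></p>')
```

Running `suspicious_links(SAMPLE)` flags both links in the constructed body; a link whose text and href agree on the same site, such as a help page under the bank's own domain, is left alone.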

Que 8. How do information extortion and sabotage create threats to information security?

Ans:
Information Extortion:

  • Information extortion, also known as cyberextortion, is common in the theft of credit card numbers.
  • In 2010, Anthony Digati allegedly threatened to conduct a spam attack on the insurance company New York Life. He reportedly sent dozens of e-mails to company executives threatening to conduct a negative image campaign by sending over 6 million e-mails to people throughout the country. He then demanded approximately $200,000 to stop the attack, and next threatened to increase the demand to more than $3 million if the company ignored him. His arrest thwarted the spam attack. In 2012, a programmer from Walachi Innovation Technologies allegedly broke into the organization’s systems and changed the access passwords and codes, locking legitimate users out of the system. He then reportedly demanded $300,000 in exchange for the new codes. A court order eventually forced him to surrender the information to the organization.
  • In Russia, a talented hacker created malware that installed inappropriate materials on an unsuspecting user’s system, along with a banner threatening to notify the authorities if a bribe was not paid. At 500 rubles (about $17), victims in Russia and other countries were more willing to pay the bribe than risk prosecution by less considerate law enforcement.
  • Recent information extortion attacks have involved specialized forms of malware known as ransomware. This attack is usually implemented with malware that is run on the victim’s system as a result of phishing or spear-phishing attacks. The result is that the user’s data is encrypted.
  • Paying the adversary a ransom in a digital currency may or may not result in the victim receiving the encryption key to recover the data. The WannaCry attacks in May 2017 triggered a global event that unfolded in just a few hours. This malware variant targeted out-of-date Windows computers, demanding ransom payments in the bitcoin cryptocurrency. WannaCry is believed to have infected over 200,000 systems. Other ransomware variants continue to plague computer users around the world; some, like Petya, were updated and made even more virulent in later versions. The most recent Petya variant, NotPetya, used a novel means of propagation in the June 2017 outbreak in Ukraine. The malware is believed to have used a tax-preparation software product update to infect victims’ machines.
  • In May 2017, the Wana Decryptor (a.k.a. WannaCry) ransomware worm attack was first detected; it infected hundreds of thousands of systems in almost 200 countries. The chief concern about this ransomware is that the U.S. National Security Agency apparently discovered the Microsoft Windows EternalBlue exploit that the ransomware used and incorporated it into its own cyberwarfare operations rather than report it to Microsoft.
  • Because some advanced ransomware campaigns had automated the ransom payment and crypto key recovery, while WannaCry instead required a manual key recovery process after payment verification, many experts speculated that the attack was focused more on damage than on money. Most of the organizations affected by WannaCry that paid the requested ransom reported no response from the attacking entity and no recovery of encrypted data.

Sabotage or Vandalism:

  • This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to destroy an asset or damage the image of an organization.
  • These acts can range from petty vandalism by employees to organized sabotage against an organization. Although they might not be financially devastating, attacks on the image of an organization are serious.
  • Vandalism to a Web site (a.k.a. Web site defacement) can erode consumer confidence, diminishing an organization’s sales, net worth, and reputation. For example, in the early hours of July 13, 2001, a group known as Fluffi Bunni left its mark on the front page of the SANS Institute, a cooperative research and education organization. This event was particularly embarrassing to SANS Institute management because the organization provides security instruction and certification. The defacement read, “Would you really trust these guys to teach you security?” At least one member of the group was subsequently arrested by British authorities.
  • In 2010, visitors to the Web site of the European Union presidency were redirected to a mock site that displayed an image of fictional character Mr. Bean instead of Spain’s socialist leader Jose Zapatero. In 2013, Web sites of the U.S. Department of State and the U.S. Embassy were defaced by an Indonesian hacker.
  • Not all Web site defacement attacks involve hacking an organization’s Web servers. Some involve attacks on the DNS servers that direct users to the site (cross-site scripting attacks) and result in users being directed to sites other than the ones they want to view.
  • In general, the only real risk to an organization from Web site defacement is the loss of public trust in the organization’s ability to protect its information assets. Defacement has become so common that most users tune it out when it occurs, similar to ignoring graffiti placed (or tagged) on buildings using spray paint.
  • Organizations can minimize their risk of Web site defacement by backing up their Web sites regularly, closely monitoring their Web sites, and minimizing the use of exploitable software such as scripts, plugins, and other application programming interfaces (APIs).

The use of the Internet and Web has moved activism to the digital age:

  • Online activism – There are innumerable reports of hackers accessing systems and damaging or destroying critical data. Hacked Web sites once made front-page news, as the perpetrators intended. The impact of these acts has lessened as the volume has increased. Today, security experts are noticing a rise in another form of online vandalism, hacktivist or cyberactivist operations, in which hackers gain access to confidential information via e-mail or social media, and then release that information to the public.
  • Cyberterrorism and cyberwarfare – A much more sinister form of hacking is cyberterrorism. The United States and other governments are developing security measures intended to protect critical computing and communications networks as well as physical and power utility infrastructures. Some of these cyberterrorist attacks are perpetrated by individuals, organizations, or governments and are aimed at disrupting government agencies, while others seem designed to create mass havoc with civilian and commercial industry targets. However, the U.S. government conducts its own cyberwarfare actions, having reportedly targeted overseas efforts to develop nuclear enrichment plants by hacking into and destroying critical equipment. In April 2015, the Pentagon announced a new strategy for cyberwarfare, identifying China, Russia, Iran, and North Korea as the countries that represent the greatest threat from cyberwarfare.
  • Positive online activism – Not all online activism is negative. Social media outlets, such as Facebook, MySpace, Twitter, and YouTube, are commonly used to perform fundraising, raise awareness of social issues, gather support for legitimate causes, and promote involvement. Modern business organizations try to leverage social media and online activism to improve their public image and increase awareness of socially responsible actions.