© Gilbert Ndjatou Page 1
Introduction to Computer/Information Security
An organization should have the following multiple layers of security in place to protect its operations:
Physical security:
To protect physical items, objects, or areas from unauthorized access and misuse.
Personnel security:
To protect the individual or group of individuals who are authorized to access the organization
and its operations.
Operations security:
To protect the details of a particular operation or series of activities.
Communication security:
To protect communication media, technology, and content.
Network security:
To protect networking components, connections, and contents.
Information security:
To protect the confidentiality, integrity, and availability of information assets, whether in storage,
processing, or transmission.
Network Security
Network security consists of the following:
Security mechanisms used to protect the TCP/IP protocols, which power communication over the
internet and many internal LANs.
Security considerations unique to networked systems.
The use of firewalls to protect an organization’s LAN from external attack.
The use of intrusion detection systems to identify cases where other protection mechanisms have
failed.
Information Security
Information security can be defined in terms of three major goals known as the “CIA triad”:
confidentiality,
integrity, and
availability.
Confidentiality:
Confidentiality is about not letting confidential information fall into the hands of an unauthorized person.
Access controls are used to protect the confidentiality of data
by preventing unauthorized personnel from entering a system and
preventing legitimate users from accessing information that they are not authorized to access.
Encryption systems (which are software implementations of mathematical algorithms) are also used to
facilitate the confidential exchange of information over insecure communication channels such as the
internet.
Integrity
Integrity is about ensuring that data may be modified only through an authorized mechanism.
It involves protecting data from the following types of unauthorized modifications:
Unauthorized users altering data:
e.g. a hacker breaking into a database and altering its records.
Authorized users making unauthorized changes:
e.g. a bank teller adding money to his personal account rather than that of the customer.
Data being altered through an inappropriate mechanism:
e.g. a power surge causing a database corruption.
Many of the mechanisms used to protect the confidentiality of data are also used to protect its integrity:
Access control mechanisms help prevent the first two types of data modification in the list above.
Encryption systems use digital signature technology to prevent the modification of data by an
unauthorized mechanism.
Availability
Availability is about the ability of authorized users to access data for legitimate purposes:
a hacker who manages to prevent authorized access to a system may often be considered as successful
as one who manages to steal or manipulate the data stored within it.
Components of an Information System
An information system consists of the following six components:
Software
Hardware
Data
People
Procedures, and
Network
Each of these components has its own security requirements.
Software
The software consists of:
The applications,
The operating system, and
The command utilities
The exploitation of errors in software programming accounts for a substantial portion of the attacks on
information.
Many facets of daily life are affected by buggy software, from smartphones that crash to flawed
automotive control computers that lead to recalls.
Hardware
The hardware is the physical component that does the following:
House and execute the software
Store and transport the data, and
Provide interfaces for the entry and removal of information from the system.
Securing the physical location of computers and the computers themselves is important because a breach
of physical security can result in a loss of information.
Applying the traditional tools of physical security such as locks and keys restricts access to and interaction
with the hardware.
Data
Data is stored, processed, and transmitted by a computer system.
It is often the most valuable asset possessed by an organization, and
it is the main target of intentional attacks.
People
People can be the weakest link in an organization’s information security program
unless policy, education and training, awareness, and technology are properly used to prevent them from
accidentally or intentionally damaging or losing information.
Social engineering can:
prey on human errors, and
be used to manipulate the actions of people to obtain access to information about a system.
Procedures
Procedures are written instructions for accomplishing a specific task.
When an unauthorized user obtains an organization’s procedure, this poses a threat to the integrity of the
information.
Educating employees about safeguarding procedures is as important as physically securing the
information system.
Networks
Networks are the IS components that have created much of the need for increased computer and
information security.
When information systems are connected to each other to form LANs, and these LANs are connected to
other networks such as the Internet, new security challenges emerge.
The implementation of alarm and intrusion systems to make system owners aware of ongoing
compromises is essential.
Threats
In the context of information security, a threat is an object, a person, or any entity that presents an
ongoing danger to an asset.
To make sound decisions about information security, the management must be informed about the various
threats to an organization’s information system.
The following fourteen general categories of threats have been identified:
Compromises to intellectual property
Software attacks
Deviations in quality of service
Espionage or trespass
Forces of nature
Human error or failure
Information extortion
Missing, inadequate, or incomplete organizational policy or planning
Missing, inadequate, or incomplete controls
Sabotage or vandalism
Theft
Technical hardware failures or errors
Technical software failures or errors
Technological obsolescence
Compromises to Intellectual Property
Intellectual property is defined as “the ownership of ideas and control over the tangible or virtual
representation of those ideas.”
Use of another person’s intellectual property may or may not involve royalty payments or permission,
but it should always include proper credit to the source.
Intellectual property can be:
Trade secrets: a secret device or technique used by a company in manufacturing its products.
Copyrights: the exclusive legal right, given to an originator or an assignee to print, publish, perform,
film, or record literary, artistic, or musical material, and to authorize others to do the same.
Trademarks: a symbol, word, or words legally registered or established by use as representing a
company or product.
synonyms: logo, brand, emblem, sign, mark, stamp, symbol, badge, crest, monogram, colophon;
Patents: a government authority or license conferring a right or title for a set period, especially the
sole right to exclude others from making, using, or selling an invention.
The most common intellectual property breach is the unlawful use or duplication of software-based
intellectual property (a.k.a. software piracy).
The unauthorized appropriation of intellectual property constitutes a threat to information security.
Deliberate Software Attacks
Deliberate software attacks occur when an individual or group designs and deploys software to attack
a system.
Most of this software is referred to as:
malicious code or
malicious software, or
malware.
These software components or programs are designed to damage, destroy, or deny service to the target
systems.
Some of the more common instances of malicious code are:
Viruses,
Worms,
Trojan horses,
Logic bombs,
Back doors,
Back Orifice, and
Rootkits.
Virus
A computer virus consists of segments of code that perform malicious actions.
The code attaches itself to an existing program and takes control of that program’s access to the target
computer.
The virus-controlled target program then carries out the virus’s plan by replicating itself into additional
targeted systems.
Computer viruses are passed from machine to machine via
physical media,
e-mail, or
other forms of computer data transmission.
When a virus infects a machine, it immediately scans the local machine for e-mail applications, or even
sends itself to every user in the e-mail address book.
One of the most common methods of virus transmission is via e-mail attachment files.
Two of the most common types of computer viruses are:
The macro virus, which is embedded in automatically executing macro code used by word processors,
spreadsheets, and database applications, and
The boot virus, which infects the key operating system code located in a computer’s boot sector.
Worms
A worm is a malicious program that replicates itself constantly, without requiring another program
environment.
Worms can continue replicating themselves until they completely fill available resources such as
memory, hard disk space, and network bandwidth.
Once a worm has infected a computer, it can redistribute itself to all e-mail addresses found on the
infected system.
A worm can also deposit copies of itself onto all web servers that the infected system can reach, so that
users who subsequently visit those web sites become infected.
Worms also take advantage of open shares found on the network in which an infected system is located,
placing working copies of the worm code onto the server so that users of those shares are likely to become
infected.
Trojan Horses
Trojan horses are software programs that hide their true nature and reveal their designed behavior only
when activated.
They are frequently disguised as helpful, interesting, or necessary pieces of software such as readme.exe
files often included with shareware or freeware packages.
Back Door or Trap Door
A virus or a worm can have a payload that installs a back door or a trap door component in a system
which allows the attacker to access the system at will with special privileges.
Examples of these kinds of payloads are Subseven and Back Orifice.
Polymorphic Threats
A polymorphic threat is a virus or a worm which actually evolves, changing its size and other external
file characteristics to elude detection by antivirus software programs.
Virus and Worm Hoaxes
Well-meaning people can disrupt the harmony and flow of an organization when they send group emails
warning of supposedly dangerous viruses that do not exist.
A number of Internet resources enable individuals to research viruses to determine if they are fact or
fiction:
The latest information on viruses, worms, hoaxes, and other security topics can be found at the
websites www.cert.org and www.hoax-slayer.com.
Back Orifice
Back Orifice (often shortened to BO) is a computer program designed for remote system
administration.
It enables a user to control a computer running the Microsoft Windows operating system from a remote
location.
It can also control multiple computers at the same time using imaging.
Back Orifice was designed with a client–server architecture.
A small and unobtrusive server program is installed on one machine, which is remotely manipulated by
a client program with a graphical user interface on another computer system.
In a reference to the Leet phenomenon, this program commonly runs on port 31337.
Although Back Orifice has legitimate purposes, such as remote administration, there are other factors
that make it suited for less benign uses.
The server can hide itself from cursory looks by users of the system.
As the server can be installed without user interaction, it can be distributed as the payload of a
Trojan horse.
For those and other reasons, the antivirus industry immediately categorized the tool as malware and
appended Back Orifice to their quarantine lists.
Rootkit
A rootkit is a collection of computer software, typically malicious, designed to enable access to a
computer or areas of its software that is not otherwise allowed (for example, to an unauthorized user).
It often masks its existence or the existence of other software.
Rootkit installation can be automated, or an attacker can install it after having obtained root or
Administrator access.
Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access.
The key is the root or administrator access:
Full control over a system means that existing software can be modified, including software that might
otherwise be used to detect or circumvent it.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to
find it.
Detection methods include using:
o an alternative and trusted operating system,
o behavioral-based methods,
o signature scanning,
o difference scanning, and
o memory dump analysis.
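Difference scanning, one of the detection methods listed above, compares a trusted baseline of file hashes with the current state of the file system. The following is an added illustration, not code from the original notes; the directory tree, file names and contents are constructed for the demo, and a real scan would be run from an alternative trusted operating system so a kernel rootkit cannot lie to it.

```python
"""Difference scanning: compare a trusted baseline of file hashes with the
current file system state to surface files a rootkit may have replaced,
dropped or deleted. Added illustration; every path and file body below is
constructed for the demo, not taken from a real system."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash.
    In practice the baseline is taken while the system is known-good and kept
    offline (read-only media), so a later compromise cannot rewrite it."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_scan(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it the way a
    user-land rootkit would (replace a system binary, drop a hidden file, delete
    a log), and run the difference scan against the stored baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)")
        (root / "var" / "log" / "auth.log").write_bytes(b"login ok\n")

        baseline = build_baseline(root)

        # Simulated tampering after the baseline was recorded.
        (root / "bin" / "ls").write_bytes(b"trojaned ls that hides files (constructed)")
        (root / "bin" / ".hidden").write_bytes(b"dropped payload (constructed)")
        (root / "var" / "log" / "auth.log").unlink()

        return diff_scan(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```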
Removal can be complicated or practically impossible, especially in cases where the rootkit resides in
the kernel:
o reinstallation of the operating system may be the only available solution to the problem.
When dealing with firmware rootkits, removal may require hardware replacement, or specialized
equipment.
Deviations in Quality of Service
An organization’s information system depends on the successful operation of many inter-dependent
support systems, including:
power grids,
telecom networks,
part suppliers,
service vendors, and even
janitorial staff and garbage haulers
Irregularities in Internet service, communication, and power supplies can drastically affect the
availability of information and systems.
Espionage or Trespass
Espionage or trespass is the act of an unauthorized individual gaining access to information that an
organization is trying to protect.
Attackers can use many different methods to access the information stored in an information system:
Legal techniques such as using the web browser to perform market research are collectively called
competitive intelligence.
Information gatherers are conducting industrial espionage when they employ techniques that are
illegal or unethical.
When foreign governments are involved, these activities are considered espionage.
One form of espionage is called shoulder surfing:
This technique is used in public or semipublic settings (such as a terminal, desk, ATM, bus,
or subway) when individuals gather information they are not authorized to have by looking over
another individual’s shoulder or viewing the information from a distance.
The classic perpetrator of espionage or trespassing is the hacker.
Hackers are individuals who use and create computer software to gain access to information illegally.
There are two skill levels among hackers:
Expert or elite hackers, and
Script kiddies
An expert hacker is usually a master of several programming languages, networking protocols, and
operating systems.
He also exhibits a mastery of the technical environment of the chosen target system.
A script kiddie is an unskilled individual who uses scripts or programs developed by others to attack
computer systems and networks and deface websites.
There are other terms for system rule breakers that may be less familiar:
A cracker is an individual who removes software protection that is designed to prevent
unauthorized duplication.
A phreaker hacks the public telephone network to make free calls or disrupt services.
Forces of Nature
Forces of nature or acts of God can present some of the most dangerous threats because they usually
occur with very little warning and are beyond the control of people.
These threats include events such as:
Fires,
Floods,
Earthquakes,
Lightning,
Hurricanes or typhoons,
Landslides or mudslides,
Tsunamis,
Electrostatic discharge (ESD), and
Dust contamination.
Human Error or Failure
This category of threats includes acts performed without malicious intent by an authorized
user.
A few things that cause human errors or failures are:
Inexperience,
Improper training, and
Incorrect assumptions.
Employee mistakes can easily lead to the following:
Revelation of classified data,
Entry of erroneous data,
Accidental deletion or modification of data,
Storage of data in unprotected areas, and
Failure to protect information.
Much human error or failure can be prevented with:
Training,
Ongoing awareness activities, but also with
Controls, ranging from simple procedures such as requiring the user to type a critical command twice
to more complex procedures such as the verification of commands by a second party.
Information Extortion
Information extortion occurs when an attacker or trusted insider steals information from a computer
system and demands compensation for its return or for an agreement not to disclose it.
Extortion is common in credit card number theft.
Missing, Inadequate, or Incomplete Organizational Policy or Planning
Missing, inadequate, or incomplete organizational policy or planning makes an organization vulnerable
to loss, damage, or disclosure of information assets.
The organization’s executive leadership is responsible for the strategic planning for the security as well
as for the IT and business functions.
Missing, Inadequate, or Incomplete Controls
This category of threats is about security safeguards and information asset protection controls that are:
Missing,
Misconfigured,
Antiquated, or
Poorly designed or managed.
It makes an organization more likely to suffer losses when other threats lead to attacks.
Routine security audits to assess the current levels of protection help to ensure the continuous
protection of an organization’s assets.
Sabotage or Vandalism
This category of threats involves
the deliberate sabotage of a computer system or business or
acts of vandalism to either destroy an asset or damage the image of an organization.
Examples of acts of sabotage and vandalism include the following:
Defacement of a company web site,
Damaging and destroying critical data
Hacktivist or cyber-activist operations:
Operations which interfere with or disrupt systems to protest the operation, policies, or actions
of an organization or a government agency.
Cyberterrorism
A cyberterrorist hacks systems to conduct terrorist activities via a network or Internet
pathways.
Cyberterrorism has thus far been largely limited to acts such as the defacement of the NATO
Web pages during the war in Kosovo.
Theft
When electronic information is stolen, the crime is not always readily apparent.
If thieves are clever and cover their tracks carefully, no one may ever know of the crime until it is far
too late.
Technical Hardware Failures or Errors
Technical hardware failures or errors occur when a manufacturer distributes equipment containing a
known or unknown flaw.
These defects can cause the system to perform outside of expected parameters, resulting in unreliable
service or lack of availability.
Some errors are terminal: they result in the unrecoverable loss of the equipment, whereas
some errors are intermittent: they only periodically manifest themselves, resulting in faults that are not
easily repeated.
Technical Software Failures or Errors
Large quantities of software are published and sold before all their bugs are detected and resolved.
Sometimes, combinations of certain software and hardware reveal new bugs.
Failures may also be due to untested failure conditions.
However, some bugs are not errors, but rather shortcuts purposely left by programmers for benign or
malign reasons.
Collectively, shortcut access routes into programs that bypass security checks are called trap doors and
can cause serious security breaches.
Some Web sites such as www.securityfocus.com are dedicated to documenting software bugs.
These web sites provide up-to-the-minute information on the latest security vulnerabilities, as well as an
archive of past bugs.
Technological Obsolescence
Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems.
Management’s strategic planning should always include an analysis of the technology currently in use.
Ideally, proper planning by the management should prevent the technology from becoming obsolete, and
when obsolescence is manifest, the management must take immediate action to rectify the situation.
Attacks
An attack is an act that takes advantage of a vulnerability to compromise a controlled system.
It is accomplished by a threat agent that damages or steals an organization’s information or physical
asset.
A vulnerability is an identified weakness in a controlled system where controls are not present or are
no longer effective.
The following sections discuss each of the major types of attacks used against controlled systems.
Malicious Code
The malicious code attack includes the execution of:
viruses,
worms,
Trojan horses, and
active web scripts
with the intent to destroy or steal information.
These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in
commonly found information system devices.
The following table lists and describes the six categories of known attack vectors.
Attack vector: Description
IP scan and attacks: The infected system scans a random or local range of IP addresses and targets any
of several vulnerabilities known to hackers or left over from previous exploits such as Code Red,
Back Orifice, or PoizonBox.
Web browsing: If the infected computer has write access to any web documents, it makes all web
content (.html, .asp, cgi, …) infectious so that users who browse to those pages become infected.
Virus: Each infected machine infects certain common executable or script files on all computers to
which it can write with the virus code that can cause infection.
Unprotected shares: Using vulnerabilities in file systems and the way many organizations configure
them, the infected machine copies the viral component to all locations it can reach.
Mass mail: By sending e-mail infections to addresses found in the address book, the infected machine
infects many users, whose mail-reading programs also automatically run the program and infect other
systems.
Simple Network Management Protocol (SNMP): By using the widely known and common passwords
that were employed in early versions of this protocol (which is used for remote management of network
and computer devices), the attacking program can gain control of the device. Most vendors have closed
these vulnerabilities with software updates.
Other forms of malware include covert software applications such as:
Bots,
Spyware, and
Adware
that are designed to work out of sight of users or via an apparently innocuous user action.
Bot
A bot (an abbreviation of robot) is an automated software program that executes certain commands
when it receives a specific input.
Bots are often the technology used to implement:
Trojan horses,
logic bombs,
back doors, and
spyware.
Spyware
Spyware is any technology that is placed on a computer to secretly gather information about a user or
an organization and report it without their knowledge.
Examples of types of spyware are listed as follows:
Web bug: a tiny graphic on a web site that is referenced within
o the Hypertext Markup Language content of a web page or
o an email
to collect information about the user viewing the HTML content.
Tracking cookie
A cookie is a small quantity of data stored by the Web browser on the local system, at the
direction of the Web server.
A tracking cookie is placed on a user’s computer to track the user’s activity on different web
sites and to create a detailed profile of the user’s behavior.
Adware: any software program intended for marketing purposes, for example programs used to
o deliver and display advertising banners or popups on the user’s screen, or
o track the user’s online usage or purchasing activity.
Each of these hidden code components can be used to collect information from or about the user.
This information could then be used in:
a social engineering or
identity theft attack.
Hoaxes
A virus hoax is a seemingly legitimate message about a virus that does not exist.
Another form of attack on computer systems is to transmit a virus hoax with a real virus attached to it.
Password Crack
A cracking attack is an attempt to reverse-calculate a password.
It is a component of many dictionary attacks, and
It is used when a copy of the Security Account Manager (SAM) data file, which contains the hash
representation of the users’ passwords, can be obtained.
Brute Force
In a brute force attack (also called a password attack) the hacker uses computing or network resources
to try every possible password combination.
If attackers can narrow the field of target accounts, they can devote more time and resources to these
accounts.
That is one reason to always change the manufacturer’s default administrator account names and
passwords.
Password attacks are rarely successful against systems that have adopted the manufacturer’s
recommended security practices.
Controls that limit the number of unsuccessful access attempts per unit of elapsed time are very
effective against brute force attacks.
Dictionary
A dictionary attack is a variation of the brute force attack which narrows the field by:
selecting a specific target account, and
using a list of commonly used passwords (a dictionary) instead of random combinations.
Organizations can use similar dictionaries to disallow passwords during the reset process and thus
guard against easy-to-guess passwords.
Rules that require numbers and/or special characters in passwords make the dictionary attack less
effective.
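Two of the controls named in the brute force and dictionary sections above, as an added illustration that is not part of the original notes: a sliding-window limit on failed logins per account, and a dictionary check applied when a password is set. The word list, account name, thresholds and the guessing loop are constructed for the demo; a real deployment loads a large banned-password list and tunes the limits to its own traffic.

```python
"""Added illustration of two password-attack controls: throttling failed
logins per account per time window, and rejecting dictionary passwords at
reset time. All names, thresholds and word lists are constructed for the demo."""
from collections import defaultdict, deque

# Constructed mini-dictionary; a real deployment loads a large list of leaked
# and commonly used passwords plus the organization's own banned terms.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

MAX_FAILURES = 5      # failed attempts tolerated per account ...
WINDOW_SECONDS = 300  # ... within this sliding window


class LoginThrottle:
    """Sliding-window count of failed attempts per account. Only failures
    count, so a user who logs in normally is never slowed down, while a
    guessing loop hits the limit after MAX_FAILURES wrong attempts."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget failures that fell out of the window

    def is_locked(self, account, now) -> bool:
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account, now) -> None:
        self._prune(account, now)
        self._failures[account].append(now)


def password_allowed(candidate: str, min_length: int = 12) -> tuple:
    """Reset-time check: reject dictionary words and their trivial variants.
    Returns (allowed, reason)."""
    if len(candidate) < min_length:
        return False, "too short"
    base = candidate.lower()
    # Strip a trailing digit/punctuation run so 'Welcome2024!!' is still caught.
    stripped = base.rstrip("0123456789!@#$%^&*.")
    if base in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return False, "dictionary word"
    if base.isdigit():
        return False, "all digits"
    return True, "ok"


def simulate_guessing(throttle, account, guesses, start=0.0, interval=1.0) -> int:
    """Constructed scenario for measuring the control: every guess is wrong and
    they arrive one per `interval` seconds. Returns how many guesses the system
    actually evaluated before the throttle locked the account."""
    checked = 0
    now = start
    for _ in guesses:
        if throttle.is_locked(account, now):
            break
        checked += 1
        throttle.record_failure(account, now)
        now += interval
    return checked


if __name__ == "__main__":
    print(password_allowed("Welcome2024!!"))   # rejected: dictionary variant
    print(password_allowed("orbit-lantern-quiet-42"))  # allowed
    fast = simulate_guessing(LoginThrottle(), "alice", range(100))
    slow = simulate_guessing(LoginThrottle(), "alice", range(100), interval=100)
    print(f"rapid guesses evaluated: {fast}, slow guesses evaluated: {slow}")
```

The slow run shows the caveat: an attacker who stays under the rate is not locked out, which is why the throttle is paired with the dictionary and length rules rather than used alone.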
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
In a DoS attack, the attacker sends a large number of connection or information requests to a target
system.
With so many connections or information requests, the target system becomes overloaded and cannot
respond to legitimate requests for service.
The system may crash or simply become unable to perform ordinary functions.
A DDoS attack is an attack in which a coordinated stream of requests is launched against a target from
many locations at the same time.
Most DDoS attacks are preceded by a preparation phase in which many systems, sometimes in the order
of thousands, are compromised.
The compromised systems are turned into zombie machines that are directed remotely, usually by a
command transmitted by the attacker, to participate in the attack.
DDoS attacks are difficult to defend against, and there are presently no controls that any single
organization can apply.
There are however some cooperative efforts to enable DDoS defenses among groups of service
providers.
Any TCP-based Internet application (such as Web server, FTP server, or mail server) is vulnerable to
DoS attacks.
DoS attacks can also be launched against routers.
Spoofing
Spoofing is a technique used to gain unauthorized access to a computer.
With spoofing, the intruder sends messages with a source IP address that has been forged (changed) to
indicate that the messages are coming from a trusted host.
Hackers use a variety of techniques to obtain trusted IP addresses, and then modify the packet headers
by inserting these forged addresses into them.
Newer routers and firewall arrangements can offer protection against IP spoofing.
Man-in-the-Middle
With the man-in-the-middle (or TCP hijacking) attack, an attacker
monitors (or sniffs) packets from the network,
modifies them, and
inserts them back into the network.
This type of attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
It allows the attacker
to eavesdrop as well as
to change,
delete,
reroute,
add,
forge, or
divert data.
A variant of TCP hijacking involves the interception of an encryption key exchange, which enables the
hacker to act as an invisible man-in-the-middle.
Mail Bombing
Mail bombing is a version of a DoS attack in which an attacker routes large quantities of email to the
target.
This can be accomplished by means of social engineering or by exploiting technical flaws in the Simple
Mail Transfer Protocol (SMTP).
By sending large emails with forged header information, attackers can take advantage of poorly
configured email systems on the Internet and trick them into sending many emails to an address chosen
by the attacker.
Sniffers
A sniffer (or packet sniffer) is a program or device that can monitor data traveling over a network.
A sniffer program shows all the data going by, including:
Passwords,
The data inside files such as word processing documents, and
Screens full of sensitive data from applications.
Unauthorized sniffers can be extremely dangerous to a network’s security because
they are virtually impossible to detect and
they can be inserted almost anywhere.
Social Engineering
Social engineering is the process of using social skills to convince people to reveal access credentials or
other valuable information to the attacker.
There are many social engineering techniques, and
They usually involve a perpetrator posing as a person higher in the organizational hierarchy than the
victim.
Phishing
Phishing is an attempt to gain personal and financial information from an individual, usually by posing
as a legitimate entity.
Phishing attacks use the following three primary techniques, often in combination with one another:
URL manipulation,
Web site forgery, and
Phone phishing.
URL Manipulation and Web Site Forgery
In a URL manipulation, an attacker sends
an HTML-embedded email message, or
a hyperlink whose HTML code opens a forged Web site.
Some phishing attackers use very sophisticated simulated Web sites in their emails, usually copied from
actual Web sites.
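A check a mail filter can apply to the URL manipulation described above, as an added illustration that is not code from the original notes: parse the HTML of a message and flag hyperlinks whose visible text names one site while the href points elsewhere, along with two related tells (userinfo before the host, and a bare IP address as host). The sample message, domain names and addresses are constructed for the demo.

```python
"""Added illustration: flag hyperlinks in an HTML e-mail whose visible text
and real destination disagree, the pattern behind URL manipulation phishing.
The sample message and every host name in it are constructed for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: .test and .example are reserved names.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please verify your account:</p>
<a href="http://203.0.113.5/verify">https://www.example-bank.test/login</a><br>
<a href="https://www.example-bank.test/help">Help center</a><br>
<a href="https://www.example-bank.test@evil.example/">www.example-bank.test</a><br>
<a href="http://user@evil.example/">Click here</a><br>
<a href="http://203.0.113.9/">Update now</a>
</body></html>"""

URL_LIKE = re.compile(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text: str) -> bool:
    """True when the visible anchor text itself reads as a URL or host name."""
    return URL_LIKE.fullmatch(text) is not None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare 'www.site.test/x' gets a scheme first so
    urlparse does not treat the whole string as a path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html: str) -> list:
    """Return (href, visible text, reason) for each link that shows a tell."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        text_host = host_of(text) if looks_like_url(text) else ""
        if text_host and text_host != href_host:
            findings.append((href, text, "visible text names a different host"))
        elif "@" in urlparse(href).netloc:
            findings.append((href, text, "userinfo before host in href"))
        elif href_host and href_host.replace(".", "").isdigit():
            findings.append((href, text, "raw IP address as host"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} href={href!r}")
```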
Phone Phishing
Phone phishing is pure social engineering.
The attacker calls a victim on the phone and pretends to be someone they are not in order to gain access
to private or confidential information such as health or employment records, or financial information.
Pharming
Pharming is the process of redirecting legitimate Web traffic (for example browser requests) to an
illegitimate site for the purpose of obtaining private information.
Pharming often uses Trojans, worms, or other virus technologies to attack the internet browser’s
address bar so that the valid URL typed by the user is modified to that of the illegitimate Web site.
Pharming may also exploit the Domain Name System (DNS) by causing it to transform the legitimate
host name into the illegitimate Web site IP address.
This form of pharming is called DNS cache poisoning.
Timing Attack
A timing attack explores the contents of a Web browser’s cache and stores a malicious cookie on the
client’s system.
This cookie can allow its designer to collect information on how to access password protected sites.
Another type of timing attack involves the interception of cryptographic elements to determine keys
and encryption algorithms.
Spam
Spam is unsolicited commercial email.
The most significant consequence of spam is the waste of computer and human resources.
However, spam has been used as a means of enhancing malicious code attacks.
Many organizations attempt to cope with the flood of spam by using email filtering technologies.
Other organizations simply tell the users of the mail system to delete unwanted messages.
Back Doors
A backdoor or back door may take the form of:
a hidden part of a program one uses,
a separate program (e.g. Back Orifice may subvert the system through a rootkit),
code in the firmware of one's hardware, or
parts of one's operating system such as Microsoft Windows.
Using known or newly discovered access mechanisms, an attacker can gain access to a system or
network resource through a back door.
Backdoors are normally installed secretly,
but in some cases they are deliberate and widely known.
These kinds of backdoors might have "legitimate" uses such as providing the manufacturer with a way
to restore user passwords.
Default passwords (or other default credentials) can function as backdoors if they are not changed by
the user.
A trap door is a backdoor (such as a debugging feature) that is left behind by system designers or
maintenance staff.
Trap doors are hard to detect because very often, the programmer who puts it in place also makes the
access exempt from the usual audit logging feature of the system.
Webserver backdoors are used for a number of malicious activities, including:
Data theft
Website defacing
Server hijacking
The launching of distributed denial of service (DDoS) attacks
Infecting website visitors (watering hole attacks), and
Advanced persistent threat (APT) assaults
Common Activities performed by Information Security Professionals
Common activities performed by Information Security (InfoSec) personnel in the course of their duties
are either
managerial or
technical in nature.
Managerial activities are those activities that involve
policy,
plans,
projects,
programs,
personnel, and
practices,
whereas technical activities are the ones that involve information security and information system
technologies.
Information System Technologies
Information systems technologies are in general organized into the following twelve major categories:
Firewall,
Remote access protection,
Access controls,
Vulnerability assessment,
Penetration testing,
Forensics and anti-forensics,
Client security,
Perimeter defense,
Server security,
Intrusion detection,
Network security, and
Cyber defense.
1. Firewall
In general, a firewall is anything (hardware, software, or a combination of both) that can filter the
transmission of packets of digital information as they attempt to pass through an interface between
networks.
Firewalls perform two basic security functions:
Packet filtering: determining whether to allow or deny the passage of packets of digital information,
based on established security rules.
Application proxy: providing network services to users while shielding individual host computers.
This is done by breaking the IP flow (that is, the traffic into and out of the network) at the proxy.
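The packet-filtering function described above, as an added example that is not part of the lecture notes: a stateless filter evaluates an ordered rule set against each packet, the first matching rule decides, and anything unmatched falls through to a default-deny policy. The LAN range, rules and packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example of a stateless packet filter (not the lecture's code).

@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (arriving from the untrusted side) or "out"
    proto: str                # "tcp", "udp" or "icmp"
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address
    dport: Optional[int] = None   # destination port, None for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"    # CIDR; 0.0.0.0/0 matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

# Constructed rule set for a trusted LAN 192.0.2.0/24: inbound traffic is allowed only to
# the public web server, outbound only DNS and HTTPS; the first rule rejects packets that
# arrive from outside but claim a LAN source address (address spoofing).
RULES = [
    Rule("deny", "in", src="192.0.2.0/24"),
    Rule("allow", "in", "tcp", dst="192.0.2.10/32", dport=443),
    Rule("allow", "out", "udp", src="192.0.2.0/24", dport=53),
    Rule("allow", "out", "tcp", src="192.0.2.0/24", dport=443),
]
DEFAULT_POLICY = "deny"   # whatever no rule covers is dropped

def filter_packet(p: Packet, rules=RULES, default=DEFAULT_POLICY) -> str:
    """Return "allow" or "deny" for one packet; the first matching rule wins."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default
```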
2. Remote access protection
Remote access in the context of this study is the management of user accounts required for the user to
access systems from outside the traditional network environment.
This includes dial-up and/or high-speed Internet-based access.
3. Access controls
Access controls encompass four processes:
identification,
authentication,
authorization, and
accountability.
They specifically address the admission of users into a trusted area of the organization.
They usually consist of a combination of policies, programs, and technologies.
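The four access-control processes as separate steps, as an added example that is not from the lecture notes: identification (the claimed identity is looked up), authentication (the password is verified against a salted PBKDF2 hash), authorization (a role-to-permission table is consulted) and accountability (every request is logged, whether allowed or denied). The user accounts, roles and permissions are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed example (not the lecture's code) of the four access-control processes.

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

# Constructed accounts and a role-based authorization table for the trusted area.
USERS = {"alice": _make_user("correct horse", "analyst"),
         "bob": _make_user("battery staple", "guest")}
PERMISSIONS = {"analyst": {"read_records", "export_records"},
               "guest": {"read_records"}}
AUDIT_LOG = []   # accountability: one record per request, never exempted

def access_request(username: str, password: str, action: str) -> bool:
    """Run identification, authentication and authorization in order; log the outcome."""
    outcome = "denied"
    try:
        # 1. Identification: the subject claims an identity; unknown identities stop here.
        user = USERS.get(username)
        if user is None:
            return False
        # 2. Authentication: the claim is proven; constant-time compare avoids timing leaks.
        if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
            return False
        # 3. Authorization: the authenticated identity must be permitted this action.
        if action not in PERMISSIONS.get(user["role"], set()):
            return False
        outcome = "allowed"
        return True
    finally:
        # 4. Accountability: recorded for every path, including failures.
        AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                          "user": username, "action": action, "outcome": outcome})
```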
4. Vulnerability assessment
The primary goal of vulnerability assessment and remediation is to identify specific, documented
vulnerabilities and remediate them in a timely fashion.
5. Penetration testing
One method of finding faults is to use the vulnerability assessment processes to find the physical and
logical vulnerabilities present in both information security and related non-security systems.
This assessment is most often accomplished with penetration testing.
Penetration testing is the simulation or execution of specific and controlled attacks by security personnel
to compromise or disrupt their own systems by exploiting documented vulnerabilities.
6. Forensics and anti-forensics
Forensics is the coherent application of methodical investigatory techniques to present evidence of crime
in a court-like setting.
Not all events involve crimes: some involve
natural events,
accidents, or
system malfunction.
Forensics allows investigators to determine what happened by examining the results of an event.
It also allows them to determine how it happened by examining
activities,
individual actions,
physical evidence, and
testimony related to the event.
Digital forensics investigators use a variety of tools to support their work, and digital forensics can be
used to
7. Client security
The tasks associated with the assessment, protection, and audit of client systems include examining
system processes and services, browser protection, system logs, passwords, and antivirus and
malware prevention.
The most important piece of protecting client systems is a program called Security Education, Training
and Awareness (SETA) that teaches the end user how to care for their own systems.
8. Perimeter defense
An organization's perimeter is the (invisible) boundary between the organization's information assets,
known as the trusted network, and the external environment, known as the untrusted network.
Most organizations refer to the gateway router connecting the organization to the Internet as their
perimeter, although it may also include dial-up connections and leased lines.
The tasks involved here include access controls and logs associated with perimeter devices, hardware and
software firewalls, intrusion detection, and network monitoring tasks.
9. Server security
Information servers are the backbones of most modern organizations.
They provide the services necessary to sustain business operations and to facilitate business
communications.
The tasks involved here expand on those of the perimeter defense, by adding to them tasks associated
with scanning systems services and functions not normally associated with clients.
There are also tasks associated with data management and backups, along with intrusion detection
systems.
10. Intrusion detection
An intrusion occurs when an attacker attempts to gain entry or disrupt the normal operation of an
information system, usually with the intent to do harm.
Intrusion detection consists of procedures and systems that identify system intrusions.
Intrusion reaction encompasses the actions an organization takes when an intrusion is detected.
Intrusion prevention consists of activities that deter an intrusion.
The actions of intrusion detection and prevention seek to limit the loss from an intrusion, return
operations to a normal state, and identify the source and method of the intrusion in order to ensure
that the same type of attack cannot occur again.
11. Network security
The tasks involved here are associated with the examination, protection, and audit of network-attached
systems.
These tasks combine those of the other technologies, but focus on network resources rather than all
resources in the organization.
Information security professionals assigned as network security administrators are responsible for
perimeter defense activities, intrusion detection systems, and network-attached servers and services.
12. Cyber defense
Cyber defense is about the comprehensive assessment and protection of all organizational information
assets through the use of all available and appropriate technologies.
It is about the range and depth of the technical responsibilities of the modern information security
professional.
Questions:
Part I
1. What are the six components of an information system?
2. Name five common instances of malicious code.
3. What are the two most common types of computer viruses?
4. Provide 4 examples of Intellectual property.
5. What are the two skill levels among hackers?
6. What are the six categories of known attack vectors?
7. Provide the description of each of the six known attack vectors.
8. Provide three examples of spyware.
9. What are the two basic security functions performed by firewalls?
10. What are the four processes that an access control encompasses?
11. What is the primary goal of vulnerability assessment and remediation?
Part II
Fill in the blank with the most appropriate answer:
1. A ____________________ is a code that attaches itself to an existing program and takes control of
that program’s access to the target computer.
2. A _________________ is a malicious program that replicates itself constantly, without requiring
another program environment.
3. A __________________ is a software program that hides its true nature and reveals its designed
behavior only when activated.
4. A _________________ is a virus or a worm which actually evolves, changing its size and other
external file characteristics to elude detection by antivirus software programs.
5. _____ ________________ is the act of gaining access to the information that an organization is
trying to protect by an unauthorized individual.
6. A _________________ is an individual who uses and creates computer software to gain access to
information illegally.
7. ___________________ occurs when an attacker or trusted insider steals information from a
computer system and demands compensation for its return or for an agreement not to disclose it.
8. An ___________________ is an identified weakness in a controlled system where controls are not
present or are no longer effective.
9. A ____________________ is an automated software program that executes certain commands when
it receives a specific input.
10. A ____________ is placed on a computer to secretly gather information about the user and report it.
11. A ___________________ is a tiny graphic on a web site that is referenced within the Hypertext
Markup Language content of a web page or email to collect information about the user viewing the
HTML content.
12. A _____________________ is placed on a user's computer to track the user's activity on different
web sites and create a detailed profile of the user’s behavior.
13. An ___________________________ is any software program intended for marketing purposes.
14. A ______________________ is a method, often secret, of bypassing normal authentication or
encryption in a computer system, a product, or an embedded device (e.g. a home router), or its
embodiment.
15. A ______________ is anything (hardware, software, or a combination of both) that can filter the
transmission of packets of digital information as they attempt to pass through an interface between
networks.
16. ____________________ is the simulation or execution of specific and controlled attacks by security
personnel to compromise or disrupt their own systems by exploiting documented vulnerabilities.
17. __________________ is the coherent application of methodical investigatory techniques to present
evidence of crime in a court-like setting.
18. _______________________ is a method, often secret, of bypassing normal authentication or
encryption in a computer system, a product, or an embedded device (e.g. a home router), or its
embodiment, e.g. as part of a cryptosystem, an algorithm, a chipset, or a "homunculus computer"
(such as that found in Intel's AMT technology).