Unit 32 Assignment 1 Task 1
Six Possible Threats to Networks
Distributed Denial of Service (DDoS) Attack
A DDoS attack is a form of cyberattack that targets a network with large numbers of data packets as a means to overload it. While under attack, networks will become effectively unusable as the high amount of traffic will make it extremely difficult for client devices to make use of the bandwidth.
Botnets (also known as “Zombie Armies”) are a common tool for carrying out DDoS attacks. A botnet is a collection of computers that have been compromised via a Trojan so that they can be scripted to carry out actions without the user of an infected device even being aware. When a botnet has numerous computers under its control, it can use the combined power of all of them to target a network, consuming its bandwidth and initiating a DDoS attack.
Source(s): My own Unit 28 Assignment 1 coursework, http://searchsecurity.techtarget.com/definition/botnet
Back Door Attacks
A back door is a way of entering a system while bypassing any existing security measures. Sometimes back doors are put in place by developers for debugging or troubleshooting, but it is possible for attackers to discover or create their own back doors into a system using some kind of exploit. Cybercriminals can use malicious software to install and access back doors from a remote location. Back door attacks are dangerous because they give the attacker a number of possible uses, including theft of information or the installation of a botnet.
A network port is a destination for network traffic. Computers have 65,535 ports, each with its own task of handling certain types of incoming traffic. Port scanners systematically scan these ports to identify weak points for a back door attack.
There are several types of port scan, the main two of which are vanilla scans, which attempt to connect to all ports, and strobe scans, which target a small number of specific ports.
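The two scan types above leave different footprints in a firewall's denied-connection log, which is how a defender notices them. The following is an added example, not part of the coursework: the log format, the addresses and the thresholds are all constructed, and a real deployment would tune the thresholds to its own traffic.

```python
"""Detecting vanilla and strobe port scans in firewall connection logs.

Added example (not from the coursework). The log line format, the IP addresses
and the thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict

# Fields we need from each constructed log line: source, destination, destination port
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")


def build_sample_log():
    """Constructed firewall log: one vanilla scanner, one strobe scanner, one normal client."""
    lines = []
    # Vanilla scan: one source sweeps ports 1-120 on a single host
    for port in range(1, 121):
        lines.append(f"action=DENY src=203.0.113.5 dst=192.0.2.10 dport={port}")
    # Strobe scan: one source probes only ports 22 and 445, but across eight hosts
    for host in range(1, 9):
        for port in (22, 445):
            lines.append(f"action=DENY src=198.51.100.7 dst=192.0.2.{host} dport={port}")
    # Legitimate client: a few HTTPS connections to one host
    lines += ["action=ALLOW src=192.0.2.50 dst=192.0.2.10 dport=443"] * 3
    return lines


def parse(lines):
    """Yield (src, dst, port) tuples; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["port"])


def classify_sources(lines, vanilla_min_ports=50, strobe_max_ports=5, strobe_min_hosts=4):
    """Return {src_ip: 'vanilla' | 'strobe'} for sources whose behaviour matches a scan pattern.

    vanilla: many distinct ports probed on one host.
    strobe:  a small fixed set of ports probed on many hosts.
    """
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {ports}
    for src, dst, port in parse(lines):
        ports_per_host[src][dst].add(port)

    verdicts = {}
    for src, hosts in ports_per_host.items():
        if any(len(ports) >= vanilla_min_ports for ports in hosts.values()):
            verdicts[src] = "vanilla"
            continue
        all_ports = set().union(*hosts.values())
        if len(all_ports) <= strobe_max_ports and len(hosts) >= strobe_min_hosts:
            verdicts[src] = "strobe"
    return verdicts


if __name__ == "__main__":
    for src, kind in classify_sources(build_sample_log()).items():
        print(f"{src}: {kind} scan")
```

The normal client touches one port on one host and is never flagged; the point of keeping the two rules separate is that a strobe scanner never trips a per-host port count, so a detector that only counts ports per host would miss it.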
Social engineering is a unique method of attack as it requires a different skillset from other, more technical attacks. The idea is that the cybercriminal tricks a user into making their own systems vulnerable. This often involves gaining information from a user, either online or in person (more likely online), and using this information either to guess a password or to answer the security questions needed to reset it. There are several methods of doing this. One has the attacker search for personal information on social media, such as name, interests, friends’ names, address history, employment history, education history and family details. Not all of this information is publicly available, so an alternative is to contact the user while posing as someone else. This can be a deceptive way of asking casual questions and picking out important details from the answers without the target realising.
Source(s): VLE/In-class resources
Vulnerabilities and exploits
Cybercriminals will search for vulnerabilities in a system to find a back door that allows easy entry into a network for an attack. A vulnerability of some kind can be found and exploited by a determined cybercriminal in any operating system, security software or hardware. The constant discovery of vulnerabilities by malicious people is the reason developers release frequent security updates. These updates patch loopholes in the code that could be exploited by those with malicious intent. Port scanning is one way of searching for network vulnerabilities.
Source(s): VLE/In-class resources
Cryptolocker
A cryptolocker is a kind of ransomware (malware that demands payment from the user to halt its effects). It encrypts the files on a computer so that they are inaccessible and demands that the user pay within a certain amount of time, after which the private key needed to decrypt the files is destroyed.
Social engineering is used to trick the user into installing the software. One scenario is that the cybercriminal contacts the user with an email pretending to be from a company. The email has a .zip file attached. The .zip contains what appears to be a .pdf file but is actually a .exe, disguised using Windows’ default setting of hiding file extensions. When opened, the software runs, generating a random key for each file it encrypts, and automatically displays a window detailing what is happening and what the attacker demands in order to halt the encryption.
Source(s): https://en.wikipedia.org/wiki/CryptoLocker, http://www.pandasecurity.com/mediacenter/malware/cryptolocker/, In-class/VLE resources
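The delivery trick in the scenario above, an executable named so that a hidden extension makes it look like a document, can be caught before a user ever opens the attachment. The following is an added example, not the coursework's own code: it builds a .zip in memory containing filler bytes (not a real program) and shows the checks a mail gateway or endpoint agent can apply to each member of the archive.

```python
"""Spotting a disguised executable inside a .zip attachment.

Added example for the cryptolocker delivery scenario above; not the coursework's
own code. The archive is constructed in memory with dummy bytes, so nothing here
is malware: it only shows the checks a mail gateway or endpoint can apply.
"""
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def displayed_name(filename):
    """How a file manager that hides known extensions shows the file ('Invoice.pdf.exe' -> 'Invoice.pdf')."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def final_extension(filename):
    """The real last extension, lower-cased ('' if there is none)."""
    return filename.lower().rpartition(".")[2] if "." in filename else ""


def is_disguised_executable(filename):
    """True for names of the form 'something.<document ext>.<executable ext>'."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in DOCUMENT_EXTS


def inspect_zip(data):
    """Return (member_name, reason) for every archive member that should be quarantined."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            head = zf.open(info).read(2)  # 'MZ' is the header marker of a Windows executable
            if is_disguised_executable(name):
                findings.append((name, f"executable disguised as a document; user would see '{displayed_name(name)}'"))
            elif final_extension(name) in EXECUTABLE_EXTS:
                findings.append((name, "executable inside attachment"))
            elif head == b"MZ":
                findings.append((name, "document name but executable (MZ) header"))
    return findings


def build_sample_zip():
    """Constructed attachment: a harmless note, a 'PDF' that is really an .exe, and a renamed executable.

    The 'executables' are filler bytes beginning with MZ, not real programs.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample, not real mail")
        zf.writestr("Invoice_2016.pdf.exe", b"MZ" + b"\x00" * 30)
        zf.writestr("statement.pdf", b"MZ" + b"\x00" * 30)  # no tell-tale extension at all
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_zip()):
        print(f"QUARANTINE {member}: {reason}")
```

The third member shows why the filename check alone is not enough: a file can be renamed to a plain .pdf, so the content check on the first bytes is the one that does not depend on how the name was chosen.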
Unit 32 Assignment 1 Task 2
Three Examples of Network Breaches in the Last Two Years
Sony Pictures (November 2014)
Prior to the theatrical release of the 2014 movie “The Interview”, a comedy mocking the regime of North Korean dictator Kim Jong-Un, Sony Pictures was targeted by a hacking group which identified itself as the “Guardians of Peace”. The attackers leaked information about the company and its 47,000 current and former employees, including Social Security numbers; medical information; emails (including racist characterisations of President Obama); salaries; film budgets; and entire unreleased movies.
On the day of the attack, Sony employees saw their workstation computers display an image threatening to leak stolen information later that evening. This suggests that a back door attack had taken place, granting the attackers access to the system so that information could be stolen and the image displayed on client machines.
US intelligence services claimed that the attack was perpetrated or sponsored by the North Korean government. These claims were based on the use of tools and techniques that North Korea’s cyberwarfare agency, “Bureau 121”, had been known to use in the past. It was also noticed that the IP addresses that communicated with the IPs coded into the attackers’ software were associated with a North Korean state-owned business located in China. On top of this convincing evidence, the government of North Korea is infamous for responding erratically to criticism. North Korea has denied all responsibility for the attack.
The attack was followed by threats of terrorism against moviegoers at the premiere of “The Interview” as well as at its nationwide theatrical release. The threats led the film’s lead actors to cancel all media appearances in the run-up to the film’s intended release. These threats were made hours after former Sony employees filed a lawsuit against the company for failing to protect their personal information on the network. Sony cancelled the theatrical release the following day.
The aforementioned lawsuit came from two former employees whose lawyer stated that Sony “failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years”, and failed to “timely protect confidential information of its current and former employees from law-breaking hackers”.
The forensic investigation of the attack is estimated to have cost Sony Pictures tens of millions of US dollars.
Source(s): http://www.nytimes.com/interactive/2015/02/05/technology/recent-cyberattacks.html, https://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack, https://www.theguardian.com/film/2014/dec/16/employees-sue-failure-guard-personal-data-leaked-hackers
Anthem (February 2015)
Anthem, the second largest health insurer in the United States, suffered a security breach that is estimated to have affected up to 80,000,000 current and former customers and employees. The breached database contained details including names; Social Security numbers; birthdays; addresses; emails; and employment information. Anthem stated that the FBI was not able to identify the exact attackers, but a security firm was able to associate a group of hackers with the attack. No medical or credit card information was stolen. The attack was reported to be one of the largest thefts of customer information ever, and is likely the largest suffered by a health care company.
Anthem’s CEO, Joseph Swedish, called it a “very sophisticated external cyberattack”. However, Anthem had decided not to encrypt its stored data, leaving it vulnerable to data theft. The Health Insurance Portability and Accountability Act does not require health insurance companies to encrypt their data; it only suggests encryption as a measure to mitigate risk. The problem with this is that Anthem could legally decide for itself how to protect its data. A spokesperson for Anthem said that data is only encrypted while being transferred into or out of the database, not while it remains stored. Another spokesperson said, “Because an administrator’s credentials were compromised, additional encryption would not have thwarted the attack.” The cybercriminals’ method could have involved brute force or social engineering to gain administrative access. Brute force is more probable, as it is unlikely that the attacker knew the administrator or had a way of obtaining his/her information.
The group believed to be responsible for the breach calls itself “Black Vine”, a group that has carried out several similar attacks in the last three years. It has a history of targeting high-profile persons in the aerospace, energy and military equipment industries. Its method involved infecting websites frequently used by its targets with dormant malware, which it then uses to steal data and information. The senior security researcher at Symantec, the security firm that identified the gang as the perpetrators of the Anthem attack, said that there is “substantial value” in the health information of Black Vine’s typical targets: “This is the kind of data that’s used in combination with something else to reach an entirely non-healthcare related goal.”
Source(s): http://www.networkworld.com/article/2880366/security0/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html, http://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html?_r=0, https://www.anthemfacts.com/, https://en.wikipedia.org/wiki/Anthem_medical_data_breach, https://www.cnet.com/news/anthems-hacked-customer-data-was-not-encrypted/, http://www.wsj.com/articles/anthem-hacked-database-included-78-8-million-people-1424807364
Securus Technologies (November 2015)
Securus Technologies is an American telecommunications company that provides communication services primarily to detained or imprisoned citizens. In 2015, a cyberattacker anonymously revealed his findings on Securus, detailing over 70 million records of phone calls made by prisoners in US jails across the country, along with personal information on 63 thousand prisoners and their families. The personal information in the database included names; the phone numbers called; the date, time and length of the calls; as well as other information. The recordings gathered began in December 2011 and ended in early 2014. The attacker provided download links to each of the millions of audio files of private phone calls. At least 14 thousand recorded calls were between lawyers and their arrested clients, making some of Securus’ recordings illegal as violations of attorney-client privilege. The director of the American Civil Liberties Union described the leak as something that “may be the most massive breach of the attorney-client privilege in modern U.S. history”.
Securus appeals to its government clients by offering a secure platform for telecommunications that allows calls to be monitored and recorded. These calls are then securely stored in a database where they can only be accessed by authorised prosecutors or government workers. Securus’ pledge states: “We will provide the most technologically advanced audio and video communications platform to allow calls with a high level of security, we understand that confidentiality of calls is critical, and we will follow all Federal, State, and Local laws in the conduct of our business.” This is a statement proven wrong by the breach of 70 million recordings.
The attacker’s justification for the leak was that he/she was concerned that Securus was violating the rights of prisoners. He/she was able to uncover the URLs that are automatically created for each call, giving each audio recording a download link. The links could easily be distributed and downloaded. If the findings were made public, the calls would likely have been downloaded by thousands of people, if not more.
Securus was also breached in July 2014 when three recordings of phone calls by a detained former NFL player were stolen by a cybercriminal. Securus did not comment on this event until the 2015 leak.
In November 2015, Securus released a statement regarding the attacks in 2014 and 2015. It claimed that there was no evidence that the database had been remotely targeted using any kind of malware, back door or brute force attack, and that the data was instead exposed by authorised users sharing the protected data they had access to. Securus still has confidence in its system, describing it as using “extensive measures to help ensure that all data is protected from both digital and physical breaches.” Despite this confidence, Securus still hired a forensic data analysis firm to learn about the cause and method of the attack.
After the leak, Securus’ reputation was tarnished due to the moral and legal controversy following the discovery that client-attorney calls had been recorded and stored, as well as the retention of simple conversations between prisoners and their families where they discussed life and family matters.
Source(s): https://theintercept.com/2015/11/11/securus-hack-prison-phone-company-exposes-thousands-of-calls-lawyers-and-clients/, https://theintercept.com/2016/02/12/not-so-securus-lawyers-speak-out-about-massive-hack-of-prisoners-phone-records/
Unit 32 Assignment 1 Task 3
How Networks Are Protected and the Methods of Doing so
Email Systems and Messages
An organisation will have an email system set up to allow for communication and the exchange of information between users. There are two notable kinds of email-related threat to networks: account breaching and spam.
An account can be breached using social engineering or brute force attacks, and can be protected simply by guarding personal information and using a complex password.
Spam is a kind of email used by cybercriminals to bait the user into giving away personal information or following a malicious link. Spam is protected against using filtering solutions: sets of rules which examine emails to determine whether or not they are spam. Networks can also have blacklists which block known senders of spam. If the email system is purely for internal members of an organisation, a whitelist will only allow authorised users to communicate through email.
Source(s): http://unit32.2plus2isfive.co.uk/2016/09/27/spaaam/ (Blog post by Owen Thomas)
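The three controls in the spam paragraph (rule sets, a blacklist and an internal-only whitelist) fit together as a short decision pipeline. The following is an added example and not the coursework's own code or any vendor's product; the domains, addresses, rule weights and messages are constructed. It shows the order in which the checks are usually applied: the whitelist and blacklist decide outright, and only mail that passes them is scored by the content rules.

```python
"""Rule-based spam filtering with a blacklist and an optional internal-only whitelist.

Added example for the email section above; not the coursework's own code or a
real product. Domains, addresses, rule weights and messages are constructed.
"""
import re

BLACKLIST = {"bulk-offers.example", "spammer.example"}  # known spam-sending domains (constructed)
INTERNAL_DOMAIN = "corp.example"                       # the organisation's own domain (constructed)
SPAM_THRESHOLD = 3                                     # score at or above which mail is quarantined

# Content rules: (name, weight, message field, regex). Weights are illustrative.
RULES = [
    ("pressuring subject", 2, "subject", r"\b(urgent|act now|final notice|suspended)\b"),
    ("asks for credentials", 3, "body", r"\b(password|login details|verify your account)\b"),
    ("contains a link", 1, "body", r"https?://"),
]


def sender_domain(address):
    """'Name <user@host>' or 'user@host' -> 'host', lower-cased ('' if unparseable)."""
    m = re.search(r"@([\w.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def score_rules(msg):
    """Apply every content rule; return (total score, names of rules that fired)."""
    score, reasons = 0, []
    for name, weight, field, pattern in RULES:
        if re.search(pattern, msg.get(field, ""), re.IGNORECASE):
            score += weight
            reasons.append(name)
    return score, reasons


def classify(msg, internal_only=False):
    """Return (verdict, reasons) where verdict is 'reject', 'quarantine' or 'deliver'.

    Whitelist (internal_only) and blacklist decisions come first; content rules
    only run on mail that passes both.
    """
    domain = sender_domain(msg["from"])
    if internal_only and domain != INTERNAL_DOMAIN:
        return "reject", ["sender not on internal whitelist"]
    if domain in BLACKLIST:
        return "reject", ["sender domain blacklisted"]
    score, reasons = score_rules(msg)
    if score >= SPAM_THRESHOLD:
        return "quarantine", reasons
    return "deliver", reasons


# Constructed sample messages.
SAMPLE_MESSAGES = {
    "bulk": {"from": "deals@bulk-offers.example", "subject": "Cheap watches",
             "body": "Visit http://bulk-offers.example/shop"},
    "phish": {"from": "IT Support <helpdesk@mail-secure.example>", "subject": "URGENT: account suspended",
              "body": "Your mailbox is full. Verify your account at http://mail-secure.example/login today."},
    "internal": {"from": "Alice <alice@corp.example>", "subject": "Meeting notes",
                 "body": "Notes attached, see you Monday."},
    "newsletter": {"from": "news@supplier.example", "subject": "October update",
                   "body": "Read more at https://supplier.example/news"},
}

if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        print(label, classify(msg))
    print("newsletter, internal-only system:", classify(SAMPLE_MESSAGES["newsletter"], internal_only=True))
```

The newsletter shows why a single rule (a link in the body) should not be enough on its own: it scores 1 and is delivered, while the phishing message accumulates the subject, credential and link rules together and is quarantined.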
Wireless Networks
Wireless networks, unlike wired networks, do not need the user to be physically connected in order to access the network; instead, the network can be accessed remotely. Once someone with malicious intent has access to a network, they can steal information or damage network performance.
The most important and basic level of security is a password. Passwords can be easily implemented and prevent anyone within network range from accessing the network without authorisation.
Site surveys are a process for planning network deployment. Software exists that network administrators can use to visualise LAN activity. By having these kinds of tools, networks are more effectively and easily managed to improve performance and security.
Source(s): http://unit32.2plus2isfive.co.uk/2016/09/27/wireless-site-surveys/ (Blog post by Jordan Bradbury)
In networks, wired or wireless, routers are protected using something called an “intrusion prevention system” (IPS). An IPS is a network-based or host-based appliance that sits between a network switch and router, monitoring all traffic that passes through.
Network-based IPSs are good because only a single one is needed to monitor network traffic, but they provide no feedback to the user for further action to be taken. Host-based IPSs allow the details of a network intrusion to be seen, but are usually expensive for an organisation because a licence will be required to run the software on multiple computers.
Wired Transmission Media
Wired transmission media are any media used to transfer data physically over a wired network. There are various kinds of cable that can be used for this. Wired data transfer cannot be intercepted over the air like wireless, so at first glance this option seems more secure. However, it is possible to place a scanner on a network cable to pick up its signals. The scanner constantly and rapidly samples the pulses of electricity that carry the binary signals and uses them to reassemble unencrypted data.
Some types of cable are designed to be secure against this kind of attack: category 6 (Cat6) cables have an internal metal coating which alters the electromagnetic field so that scanners cannot pick it up. Cat5 and many other cables, on the other hand, do not have this feature and are liable to scanning.
It is difficult to steal information using this method, because placing a scanner requires the attacker to physically reach the target network.
Source(s): http://unit32.2plus2isfive.co.uk/2016/09/27/wired-transmission-media (Blog post by myself)
Encryption
Encryption is the conversion of data into a form that cannot be used by an unauthorised device or person if access is attempted or if it is intercepted during transmission. Encryption uses complex algorithms designed so that it is very difficult to convert the data back to its original form without the key, making it almost impossible to access the data without authorisation. Encryption not only improves the confidentiality of data but, when the message decrypts correctly at its destination, also proves that the origin of the transmission is legitimate and that the data has not been hijacked and modified mid-transmission.
Digital encryption uses ‘keys’. A key is a value applied to a message using an algorithm. In public-key encryption, a public key is usable by anyone, but the private key is confidential and only accessible to its owner. Anything encrypted with a public key can only be decrypted by its corresponding private key, and vice versa. So, if you want to send a message to someone, it is encrypted with their public key, and only the recipient has the corresponding private key to decrypt it.
Source(s): http://unit32.2plus2isfive.co.uk/category/group1/, http://unit32.2plus2isfive.co.uk/paddv/week-6-protection/, http://www.webopedia.com/TERM/E/encryption.html, http://www.webopedia.com/TERM/S/symmetric_encryption.html, http://searchsecurity.techtarget.com/definition/encryption, https://www.comodo.com/resources/small-business/digital-certificates2.php, https://support.microsoft.com/en-gb/kb/246071
Precautionary Measures: Intrusion Detection Systems
An intrusion detection system (IDS) is any system that detects threats that have intruded into a network. Three examples of IDSs are “honeypots”, firewalls and virus protection software.
Honeypots are computer systems used to improve network security. They simulate a realistic system which can be targeted by cyberattackers. However, the honeypot’s isolated environment safely separates it from the rest of the network, and it can be monitored to analyse the methods, details and tools used to attack networks.
There are high-interaction and low-interaction honeypots. High-interaction honeypots simulate an entire system so that more information can be gathered, but the intruder has access to the replicated data while their activity is studied, which creates some risk to the honeypot operator through the exposure of some visible system data. Low-interaction honeypots only simulate the commonly targeted aspects of a network, making them less complicated and safer to use, but they are unable to gather as much data from an attack.
Auditing is the process of analysing a network for its usage and security. There are several third-party auditing applications available, but Microsoft Windows also comes with built-in tools for auditing. Audits can also be done manually without software, but in this section I will be looking at the effectiveness and use of automated audits.
Auditing tools carry out automated scans (audits) that determine the security and functionality of a network. On top of this, audits also review the performance and optimisation of a network. Once an audit is complete, a report summarising any findings is sent to network administrators for action to be taken.
While scanning, auditing tools view all network nodes, scan all files and services, and look out for possible threats. These can be identified if certain patterns are found, or if unauthorised items or known threats are detected.
Source(s): http://unit32.2plus2isfive.co.uk/2016/10/18/auditing-for-dummies/ (My own blog post about audits), http://searchsecurity.techtarget.com/definition/honey-pot, http://unit32.2plus2isfive.co.uk/paddv/week-5-ids/, https://www.techopedia.com/definition/29973/network-auditing
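The three ways an audit identifies a problem in the paragraph above (patterns, unauthorised items, known threats) and the report that follows can be shown in one pass over scan data. The following is an added example and not the coursework's own code or any real auditing product: the approved baseline, the scan results, the threat signatures and the patterns are all constructed, and the severities are illustrative.

```python
"""Automated network audit: compare a scan of the network's nodes against an approved
baseline and produce a findings report for administrators.

Added example for the auditing section above; not the coursework's own code or a
real auditing product. Baseline, scan results, signatures and patterns are constructed.
"""
import re

# Approved baseline: the services each known host is allowed to expose (constructed).
BASELINE = {
    "fileserver01": {"tcp/445": "smb", "tcp/3389": "rdp"},
    "web01": {"tcp/443": "https"},
}

# Known-threat signatures: process names flagged by the administrator (constructed placeholders).
KNOWN_THREATS = {
    "svch0st.exe": "process name imitating svchost.exe",
}

# Pattern rules: regexes that flag suspicious items without an exact signature (constructed).
SUSPICIOUS_PATTERNS = [
    (r"\.(pdf|docx?|xlsx?)\.(exe|scr|bat)$", "document name hiding an executable extension"),
    (r"\\(temp|tmp)\\.*\.exe$", "executable located in a temporary folder"),
]

# Constructed scan results, as an auditing agent might collect them from each node.
SCAN = [
    {"host": "fileserver01",
     "services": {"tcp/445": "smb", "tcp/3389": "rdp", "tcp/4444": "unknown"},
     "processes": ["svchost.exe", "svch0st.exe"],
     "files": [r"C:\Users\bob\AppData\Local\Temp\update.exe", r"C:\Shares\Invoice.pdf.exe"]},
    {"host": "web01",
     "services": {"tcp/443": "https", "tcp/80": "http"},
     "processes": ["nginx"], "files": []},
    {"host": "unknown-laptop",
     "services": {"tcp/22": "ssh"}, "processes": ["sshd"], "files": []},
]


def audit(scan, baseline=BASELINE, threats=KNOWN_THREATS, patterns=SUSPICIOUS_PATTERNS):
    """Return a list of (severity, host, message) findings."""
    findings = []
    for node in scan:
        host = node["host"]
        if host not in baseline:
            findings.append(("high", host, "unauthorised node not present in baseline"))
            continue
        # Unauthorised items: services listening that were never approved for this host
        for svc, name in node["services"].items():
            if svc not in baseline[host]:
                findings.append(("medium", host, f"unexpected listening service {svc} ({name})"))
        # Functionality check: approved services that have stopped
        for svc in baseline[host]:
            if svc not in node["services"]:
                findings.append(("low", host, f"approved service {svc} is not running"))
        # Known threats: exact signature matches on process names
        for proc in node["processes"]:
            if proc.lower() in threats:
                findings.append(("high", host, f"known threat {proc}: {threats[proc.lower()]}"))
        # Patterns: regex rules over file paths
        for path in node["files"]:
            for pattern, why in patterns:
                if re.search(pattern, path, re.IGNORECASE):
                    findings.append(("medium", host, f"{why}: {path}"))
    return findings


def report(findings):
    """Render findings as the summary sent to administrators, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = [f"Audit complete: {len(findings)} finding(s)"]
    for sev, host, msg in sorted(findings, key=lambda f: order[f[0]]):
        lines.append(f"[{sev.upper():6}] {host}: {msg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SCAN)))
```

The baseline is what makes the "unauthorised" category possible: without an approved list per host, the tool can only report what exists, not what should not exist, which is why the node that is absent from the baseline is reported before any of its services are examined.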