Transcript of CPSC 257: Information Security in the Real World (zoo.cs.yale.edu/classes/cs257/cs257.2016/ln02.pdf, 35 slides)

CPSC 257: Information Security in the Real World

Ewa Syta

January 21, 2016

CPSC 257 January 21, 2016 1 / 35


1 Essentials of Information Security

2 Real-world adversaries and their attacks


Essentials of Information Security


Achieving Security

In the ideal world, we would like to achieve perfect security of information.

It is impossible to protect everything against every attacker under all circumstances while maintaining usability (utility of the system).


Simplistic Approach

Goal: We want to protect the password.

(Diagram: the password is sent from Client to Server.)


Simplistic Approach

How: Use strong encryption to encrypt the password.

(Diagram: the encrypted password is sent from Client to Server.)


The Reality

So much more going on!

(Diagram: the password sent from Client to Server, plus a password recovery path and an item labelled psw1.)


Achieving Security

Security is a trade-off between what we want to achieve and what we can achieve.

• Make the system as secure as possible.
  • What does it even mean?

• Make the system as secure as possible given our constraints.
  • Value of assets
  • Risk tolerance
  • Cost
  • Usability and convenience
  • Legal obligations


Achieving Security

Security is about risk management.

• Identify specific risks to assets.

• Identify the level of risk tolerance.

• Identify appropriate protections to reduce or remove risks.

• Identify and accept responsibility for untreatable residual risks.


Cost-Benefit Analysis

In the real world, everything is about making the best possible choice: balancing costs and benefits.

• Evaluate what level of security is necessary, appropriate, or desirable.

• From the adversary's perspective
  • Cost of launching a particular attack vs. value of the attack to the adversary.

• From the company's perspective
  • Cost of damages from an attack vs. cost of defending against the attack.

• Likelihood of a particular attack.
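The risk-management and cost-benefit steps of the last three slides (identify risks to assets, set a risk tolerance, weigh the cost of defending against the cost of damages and its likelihood, accept the residual) worked through in Python. This is an added example, not from the lecture: the assets, likelihoods, losses and control costs are constructed, and the annualized-loss arithmetic is the usual likelihood-times-impact estimate.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float  # expected occurrences per year (constructed estimate)
    loss: float        # cost of damages per occurrence, in dollars
    def expected_loss(self) -> float:
        return self.likelihood * self.loss  # annualized: likelihood times damage

@dataclass
class Control:
    name: str
    annual_cost: float  # cost of defending against the attack, per year
    reduction: float    # fraction of the expected loss the control removes (0..1)

def evaluate(risk: Risk, control: Control) -> dict:
    """Compare the damage a control prevents with the cost of the control."""
    before = risk.expected_loss()
    residual = before * (1.0 - control.reduction)
    return {"before": before, "residual": residual,
            "net": (before - residual) - control.annual_cost}

def decide(risk: Risk, controls: list, tolerance: float) -> tuple:
    """Return (decision, residual expected loss) for one risk."""
    if risk.expected_loss() <= tolerance or not controls:
        return ("accept: within tolerance or untreatable", risk.expected_loss())
    best = max(controls, key=lambda c: evaluate(risk, c)["net"])
    result = evaluate(risk, best)
    if result["net"] <= 0:  # defending would cost more than the damage it prevents
        return ("accept: no cost-effective defense", result["before"])
    return (f"mitigate: {best.name}", result["residual"])

RISKS = [  # constructed sample data for an online shop, not from the lecture
    Risk("customer card data", "SQL injection in web app", 0.2, 2_000_000),
    Risk("staff accounts", "phishing", 2.0, 50_000),
    Risk("public brochure site", "defacement", 1.0, 5_000),
    Risk("internal wiki", "eavesdropping on office LAN", 0.5, 1_000),
]
CONTROLS = {
    "SQL injection in web app": [Control("parameterized queries + code review", 80_000, 0.9)],
    "phishing": [Control("security awareness training", 30_000, 0.5),
                 Control("hardware MFA tokens", 60_000, 0.9)],
    "defacement": [Control("managed WAF subscription", 12_000, 0.8)],
    "eavesdropping on office LAN": [Control("TLS everywhere", 5_000, 0.95)],
}
def plan(tolerance: float) -> dict:
    """Decide every risk; the residual losses are what management must accept."""
    return {r.threat: decide(r, CONTROLS.get(r.threat, []), tolerance) for r in RISKS}
```

With a tolerance of $1,000 per year, the card-data and phishing risks get mitigated, the defacement risk is accepted because the only defense costs more than the damage it prevents, and the eavesdropping risk is accepted as already within tolerance.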


Information as an Asset

Information is a strategic business asset.

• Transaction information.

• Client information.

• Proprietary information.


Example: Amazon

• Type of information.

• Value (cost of loss).


Security Mindset

Security is not a product, it is a process.

We need to learn to think with a “security mindset”.

• How could this system be attacked?

• Who could attack this system?

• Are they likely to attack the system?

• What is the weakest point of attack?

• How could this system be defended?

• How effective will a given countermeasure be?

• What is the trade-off between security, cost, and usability?


Security Mindset

You see an advertisement for a new product. What is your reaction?

“Wow! This is such a cool product. I can’t wait to use it!!!”

“Wow! This is a neat product, but I wonder what the potential consequences of using it are? Does it work as advertised? Is it safe? Can something go wrong while using it? Can someone else exploit it?”


Example: Nest Learning Thermostat

YouTube: How Nest Learning Thermostat Learns


Security of an Information System

We cannot protect information on its own.

You need to look at the entire system within which the information exists.

A system is only as strong as its weakest component.


Analyzing the security of IS

• Understand the system and its components.

• Identify assets.

• Identify vulnerabilities.

• Identify attacks.

• Identify adversaries.


Assets

You need to know what there is to protect.

You need to know what is worth protecting.


Vulnerabilities

Vulnerabilities are weaknesses that could be exploited to cause damage to assets.

• Bad passwords

• Buggy software

• Untrained employees

• Lack of encryption


Attacks

Attacks are ways of exploiting a vulnerability.

• Bad passwords: using password crackers.

• Buggy software: launching an SQL injection attack.

• Untrained employees: tricking them to share their credentials.

• Lack of encryption: eavesdropping on communications.


Attacks

There are several ways to classify attacks.

By damage to the assets

• Confidentiality, integrity, availability.

By the source of the attack

• Insider vs outsider, local vs remote.

By the actions

• Interception, interruption, modification, fabrication.


Real-world adversaries and their attacks


Adversaries

Adversaries are entities that may carry out attacks.

• Hackers

• Governments

• Terrorists

• Competitors

• Clients

• Employees


Adversaries

An adversary must have three things:

• Method: the skills, knowledge, tools, and resources.

• Opportunity: the time and access to accomplish the attack.

• Motive: a reason to want to perform this attack against this system.


Classification of Adversaries (Image source: TIM Review)


Actions and Motivations of Adversaries (Image source: TIM Review)

• Political: destroying, disrupting, or taking control of targets; espionage; and making political statements, protests, or retaliatory actions.

• Economic: theft of intellectual property or valuable assets (e.g., funds, credit card information); fraud; industrial espionage and sabotage; and blackmail.

• Socio-cultural: philosophical, theological, political, and even humanitarian goals, curiosity, and a desire for publicity or ego gratification.


Modern Adversaries

All types of adversaries are often referred to as hackers.

Black Hat is an annual conference that brings together a variety of people interested in information security.

• Representatives of government agencies,

• Representatives of corporations,

• Hackers.

Thycotic surveyed 127 self-identified hackers at the 2014 Black Hat event.


Motivation (Image source: Thycotic Black Hat 2014 Report)


Consequences (Image source: Thycotic Black Hat 2014 Report)


Targeted Employees (Image source: Thycotic Black Hat 2014 Report)


Old tricks still work (Image source: Thycotic Black Hat 2014 Report)

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.


They are worried too (Image source: Thycotic Black Hat 2014 Report)


Real-World Security Breaches by Motivation

By another government.

• In December 2014, Sony Pictures was hacked.

• A group called “The Guardians of Peace” took responsibility for hacking Sony over the release of “The Interview”, a movie about an assassination of Kim Jong Un, the leader of North Korea.

• FBI attributed the attack to the North Korean government.

• The incident was labeled as cyberwarfare.


Real-World Security Breaches by Motivation

By hackers whose motivation was financial.

• In January 2014, Target was hacked.

• Hackers stole credit and debit card numbers, expiration dates, the three-digit CVV security code, and even PIN data for up to 70 million customers.

By hackers whose motivation was political.

• In July 2015, Canadian government websites were taken down.

• A group called “Anonymous” claimed responsibility for a Denial of Service attack against Canadian government websites in protest of the passage of bill C-51, an anti-terror legislation that grants additional powers to Canadian intelligence agencies.


Real-World Security Breaches by Motivation

By dishonest employees.

• In January 2015, Korea Credit Bureau’s data was leaked.

• An employee of KCB has been arrested and accused of stealing 20 million customer records from three credit card firms while working for them as a temporary consultant.

By an employee.

• In March 2015, Australian Immigration Department’s data was accidentally revealed.

• An employee of the agency inadvertently sent the passport numbers, visa details and other personal identifiers of all world leaders attending the G20 Brisbane summit to the organizers of the Asian Cup football tournament.

• Barack Obama, Angela Merkel, Vladimir Putin, David Cameron and many others were affected.
