ITP 101
Intro to Information Technology
Overview
• What is security?
• Why do we need security?
• What is malware?
• What is phishing?
• What is an attack?
• Who is vulnerable?
• What is a hacker?
• Why hack?
What is security?
• Definition of security from Dictionary.com:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, anxiety, or fear; confidence.
3. Something that gives or assures safety, as:
1. A group or department of private guards: Call building security if a visitor acts suspicious.
2. Measures adopted by a government to prevent espionage, sabotage, or attack.
3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
Why do we need security?
• Protect vital information while still allowing access to those who need it
– Trade secrets, medical records, etc.
• Provide authentication and access control for resources
• Guarantee availability of resources
What is malware?
• Any software program developed for the purpose of causing harm to a computer system (malicious software)
• First appearances in the 1970s
• All operating systems are susceptible (to some extent)
• Various types
– Trojan horse
– Virus
– Worm
– Spyware
– Adware
– …
Types of Malware
• Trojan Horse
– A harmful piece of software that is disguised as legitimate software
– Typically used to steal information
– Pirated software is a good place to hide trojans
• Virus
– A program that spreads by inserting copies of itself into other executable code or documents (host dependent, replication)
– Requires the user to transmit infected file to other users
Types of Malware
• Worms
– A self-contained, self-replicating computer program
– Similar to a computer virus, but does not need a user to transmit an infected file
– First Internet worm in 1988
• Spyware
– Software that collects and sends information about users or, more precisely, the results of their computer activity, without explicit notification
– Spyware usually works and spreads like Trojan horses
• Adware
– Advertising-supported software
What is phishing?
• The act of attempting to fraudulently acquire sensitive personal information (passwords, credit card details, ...) with a legitimate-looking request for that information
• Typically an e-mail takes you to a webpage where you need to fill in details
• A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996
• Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization.
• Misspelled URLs or the use of subdomains are common tricks used by phishers
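A defender-side check for the two tricks named above (misspelled URLs and trusted names used as subdomains), added here as an example that is not part of the original slides. The trusted domains and sample links are constructed, and the last-two-labels domain split is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Assumption: constructed allow-list of the organisation's real domains.
TRUSTED = {"examplebank.com", "example-university.edu"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def classify_link(url, trusted=TRUSTED):
    """Label a link as trusted, subdomain-trick, misspelled or unknown."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    left_labels = host.split(".")[:-2]
    for t in sorted(trusted):
        # Trusted name appears only as a subdomain of someone else's domain.
        if t.split(".")[0] in left_labels:
            return "subdomain-trick"
    for t in sorted(trusted):
        # One or two characters away from a trusted domain (heuristic, needs review).
        if 0 < edit_distance(reg, t) <= 2:
            return "misspelled"
    return "unknown"

# Constructed sample links, as they might appear in an e-mail body.
SAMPLES = [
    "https://www.examplebank.com/login",
    "http://examplebank.com.account-verify.net/login",
    "http://examp1ebank.com/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify_link(link), link)
```

A "misspelled" or "subdomain-trick" label is a reason to inspect the link, not proof of phishing; short trusted domains produce more near-miss false positives.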
What is an attack?
• An attack usually has a clearly identified target (e.g., a company, a server, a website) and has a goal (e.g., deface a web page, get system access, make server unavailable, steal documents)
• Attacks can employ malware
• Typical attacks
– Eavesdropping
• documents, messages, passwords,...
– Man-in-the-middle
• intercept communication link
– Tampering
• modify system, manipulate data
– Spoofing
• email with wrong sender, phishing
– Hijacking
• hijack session (e.g. Telnet), hijack host (zombie)
– Capture – replay
• capture and replay of command messages
– Denial of service
• crash or overload server with (e.g. malformed) requests
Goal: Attacks
• Confidentiality: Eavesdropping, Man-in-the-middle, Hijacking
• Integrity (+Authentication): Man-in-the-middle, Hijacking, Tampering, Spoofing, Capture-replay
• Availability: Denial of service
Who is vulnerable?
• Financial institutions and banks
• Internet service providers
• Pharmaceutical companies
• Government and defense agencies
• Contractors to various government agencies
• Multinational corporations
• Educational Institutions
Who gets hacked?
• Everybody
– http://www.2600.com/hacked_pages/
– http://www.privacyrights.org/ar/ChronDataBreaches.htm
• Government servers
– Swordfish – Hugh Jackman’s character hacked Department of Defense
– Live Free or Die Hard – Timothy Olyphant’s character hacked NORAD
• Banks, e-commerce sites
– Ebay!!!
• Educational institutions
What is a hacker?
• Definition of hacker according to Wikipedia:
– Computer and network security expert
• One who specializes in access control mechanisms for computer and network systems
World’s definition of a hacker
• Media definition of hacker = our definition of criminal hacker
– Someone who maliciously breaks into networks and systems for personal gain
– Crack (v) – to break into a system
Who are these hackers?
• Internal threats (rogue insiders)
– Bored students
– Disgruntled employees
• External threats
– Bored people (lots of them out there worldwide!)
– Political action groups
– Crackers & hackers
– Ex-employees
Levels of Hackers
• Script kiddies/Cyberpunks
– Novices
– Very little actual knowledge of what goes on behind the scenes. They simply find a cool tool on the net
– Media stereotype (pimply faced, lives in his mom’s basement, etc)
– Sloppy, leave all sorts of digital evidence of their actions
– Most annoying and cause the most headaches
• Intermediate Hackers
– “halfway hackers”
– Know enough to cause serious damage
– Most want to be advanced (l33t), and will get there if they’re not caught
• Advanced Hackers
– Criminal Experts
– Uber/l33t hackers
– These are the authors of the hacking tools, viruses, and malware
– They know enough to hide their tracks – most of the time you
Why hack?
• Because they can!
• Curiosity, notoriety, fame
• Profit ($$$ or other gain)
– Hackers for Hire
• Korean National Police Agency busted the Internet’s largest known organized hacking mafia
• 4,400 members!!!!!
– Sell people’s personal information on the black market
Why hack?
• Underlying the psyche of the criminal hacker is a deep sense of inferiority
– Consequently, the mastery of computer technology, or the shut down of a major site, might give them a sense of power
– "Causing millions of dollars of damage is a real power trip"
• Hacktivism – hactivist.net
– “Free Kevin” messages that were put onto websites without the owner's permission
• Cyberterrorists
– Crash critical systems, bring down power grids & air traffic control towers
– US fights this through the Department of Homeland Security
Hacker Methodology
1. Gather target information
2. Identify services offered by target to the public (whether intentional or not)
3. Research the discovered services for known vulnerabilities
4. Attempt to exploit the services
5. Utilize exploited services to gain additional privileges from the target
Most notorious hacker ever was a…
• USC Student!!! :)
• “Hacking is a noble, honorable art”
APT (Advanced Persistent Threat)
• Computer attacks usually sponsored by government agencies or terrorist organizations
• Originally used to classify persistent attacks against government and government contractors
– Now attacks directed at anyone with valuable information
• Advanced
– Operators of the attack are extremely capable (l33t)
– Individual components may not be advanced, but the combination and usage are
– Will utilize any and all tools and methodologies
• Persistent
– Operators are given a specific target, and will not move on to the next target until target is compromised
– Operators are guided by external entities
– Targets are chosen not for immediate financial gain
• Threat
– Extreme coordination of attacks among many operators if necessary
– Nothing is automated
– Operators are skilled, motivated, organized, and well funded
– Have a 100% success rate of penetration
How do I protect myself?
• Use protection software "anti-virus software" and keep it up to date
• Don't open unknown, unscanned or unexpected email attachments
• Use hard-to-guess passwords
• Protect your computer from Internet intruders and use "firewalls"
• Don't share access to your computers with anyone
– If you do, create different accounts and don't let anyone else have admin privileges
How do I make a good password?
• Passwords should contain at least 8 characters
• Use one of each of the following:
– Uppercase letters ( A-Z )
– Lowercase letters ( a-z )
– Numbers ( 0-9 )
– Punctuation marks ( !@#$%^&*()_+=- )
• The license plate rule – take a phrase and try to squeeze it into 8 characters
– Take the first letter of each word
– Replace letters with digits or special characters
• The best password is one that is totally random to anyone else except you
Password Examples
• kEp*-h&y = keep your laser handy
• yCag5wyw = you can't always get what you want
• imcmit2s,Ibl = if my car makes it through 2 semesters, I'll be lucky
• oBGcat$7t = only Bill Gates could afford this $70.00 textbook
• WtimaciK2? = What time is my computer class in KAP 267?
• If33lg8! = I feel great!
• W1ldcatzR#1 = Wildcats are #1
• d0lf1n’sfan = Dolphins Fan
Password Rules
• Don't use your name, your pet's name, your birth date or other information that is easy to get
• Don't use 'qwerty' or any word in the dictionary
• Never write down your password
• Never tell anyone your password
• Remember – the key to security is embedded in the word security
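A checker for the composition rules from "How do I make a good password?" and the first two "Password Rules", added here as an example that is not part of the original slides. It assumes any ASCII punctuation counts as a punctuation mark, and the word list is a small constructed stand-in for a real dictionary.

```python
import string

# Assumption: tiny stand-in word list; a real check would load a full dictionary.
WORDS = {"qwerty", "password", "wildcats", "dolphins", "security"}

# The four character classes the slides ask for, in slide order.
CLASSES = {
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "number": string.digits,
    "punctuation mark": string.punctuation,  # superset of the marks on the slide
}

def check_password(pw, personal=()):
    """Return the list of slide rules that pw breaks (empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append("no " + name)
    lowered = pw.lower()
    if lowered in WORDS:
        problems.append("dictionary word")
    # personal: names, pet names, birth dates and similar easy-to-get strings.
    if any(item and item.lower() in lowered for item in personal):
        problems.append("contains personal information")
    return problems

# Passwords copied from the "Password Examples" slide.
SLIDE_EXAMPLES = ["kEp*-h&y", "yCag5wyw", "oBGcat$7t", "If33lg8!", "W1ldcatzR#1"]

if __name__ == "__main__":
    for pw in SLIDE_EXAMPLES:
        print(pw, "->", check_password(pw) or "ok")
```

Run against the slide's own examples, two of them miss one of the four character classes, which is the kind of gap an automated check catches and a reader skimming the list does not.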
Careers
• Security Administrator
– Implements network security policies and procedures
– Average salary is $69,000
• Web Security Administrator
– Develops, implements, and maintains firewall technologies that secure an organization's website
– Average salary is $79,000
• IT Security Consultant
Security at USC
• Introductory & Intermediate Classes
– ITP 125 – From Hackers to CEOs: Introduction to Information Security
– ITP 325 – Ethical Hacking and Systems Defense
– ITP 357 – Enterprise Network Design
– ITP 375 – Digital Forensics
• Minor in Applied Computer Security
• Minor in Computer & Digital Forensics