ECSSv3 Module 01 Information Security Fundamentals

Academic year: 2021


(1) Module I - Information Security Fundamentals

(2) News: Default Passwords Led to $55 Million in Bogus Phone Charges
By Brian Krebs | June 12, 2009; 2:13 PM ET

The U.S. Justice Department today unsealed indictments against three Filipino residents accused of hacking into thousands of private telephone networks in the United States and abroad, and then selling access to those networks at call centers in Italy that advertised cheap international calls. The indictments correspond to a series of raids and arrests announced today in Italy, where authorities apprehended five men alleged to have been operating the call centers and using the profits to help finance terrorist groups in Southeast Asia.

The U.S. government alleges that the individuals arrested in the Philippines were responsible for hacking so-called private branch exchange (PBX) systems -- computerized telephone switches and voice mail systems -- owned by more than 2,500 companies in the United States, Canada, Australia and Europe. The indictment alleges that between October 2005 and December 2008, Manila residents Mahmoud Nusier, Paul Michael Kwan and Nancy Gomez broke into PBX systems, mainly by exploiting factory-set or default passwords on the voicemail systems. The government charges that their Italian call center operators paid the hackers $100 for each hacked PBX system they found.

The indictments explain the scam like this: People wishing to make cheap, international phone calls from Italy would enter one of several local call centers set up by the alleged co-conspirators there. They would be charged a cheaper per-minute rate than what it would otherwise cost for them to make a call from their own phone, yet more than what the call center operators are paying by routing their calls through a hacked PBX that has access to cheaper dialing rates. The call center operators are still charged for the initial long distance call to the hacked PBX, but since the rates per minute are much less than if they dialed from their own country, they can pocket the difference between what their customers pay and the cost of the hacked PBX routing rate.

Source: http://voices.washingtonpost.com/
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

(3) News: Google Crash Hits Millions of Internet Users
Published: 1:54AM BST 15 May 2009

Google's Internet search engine crashed for several hours, leaving several million users unable to access the site because of a temporary fault. The technical problem brought down not only the company's hugely popular home page but also affected Gmail, its email service. Other companies who use Google to power their own websites' searches were also affected by the fault. It served as a potent reminder of society's growing dependence on the firm's technology.

People around the world reported a slowdown, and the subject became one of the day's most discussed on Twitter within the hour, with the phrase 'googlefail' as one of the most searched for terms. Problems were also reported on Google News, Google Maps and the Google Calendar, all of which operated with varying degrees of success in various locations around the world. A Google UK spokesman refused to say how badly the British operations had been affected. It is also thought to have affected AdSense, the application that places advertisements on websites around the world, acting as the sole source of revenue for many smaller sites. There has been intense speculation as to the cause of the glitch, whether it was a failure of the internet giant's servers or a hacking attempt.

Source: www.telegraph.co.uk

(4) 2009 Data Breach Investigations Report: Who is behind the data breaches?
[Chart not reproduced in the text.]
Source: Verizon's 2009 Data Breach Investigations Report, www.verizon.com

(5) 2009 Data Breach Investigations Report (cont'd): How do breaches occur?
[Bar chart comparing 2008 and 2009 by breach category: Significant Errors, Hacking, Malware, Privilege Misuse, Physical Attacks; vertical axis 0 to 80. Bar values are not recoverable from the text.]
Source: Verizon's 2009 Data Breach Investigations Report, www.verizon.com

(6) Security Threat Report 2009: SOPHOS
[Two bar charts; the percentage values cannot be reliably matched to their labels in the extracted text.]
Chart 1: The top 10 malware hosting countries. Labels: US, China, Russia, Germany, South Korea, Ukraine, Turkey, Czech Republic, Thailand, Other.
Chart 2: Top 10 email attachment-based malware for 2008. Labels: Troj/Agent, Troj/Invo, Win32/Netsky, Troj/PushDo, Mal/EncPK, Mal/Iframe, Troj/VidRar, Troj/DwmLdr, Troj/FakeVir, Troj/Doc, Other.
Source: www.sophos.com

(7) Data Breach Investigations Report: Breakdown of Hacking Attack Pathways
[Chart not reproduced in the text.]
Source: Verizon's 2008 Data Breach Investigations Report, www.verizon.com

(8) Internet Crime Report: IC3

Yearly comparison of complaints received via the IC3 website:

Year   Complaints
2000   16,838
2001   50,412
2002   75,064
2003   124,515
2004   207,449
2005   231,493
2006   207,492
2007   206,884
2008   275,284

Yearly dollar loss of referred complaints (in millions):

Year   Loss
2001   $17.80
2002   $54.00
2003   $125.60
2004   $68.14
2005   $183.12
2006   $198.44
2007   $239.09
2008   $264.59

Source: www.nw3c.org

(9) Top Internet Security Threats of 2008
Data Breaches
• In 2008, the Identity Theft Resource Center (ITRC) documented 548 breaches, exposing 30,430,988 records
Spam and Phishing
• In 2008, spam levels were at 76 percent until the McColo incident in November 2008, when spam levels dropped to 65 percent
Other threats listed: Economic Crisis, Social Networks, Advanced Web Threats, Botnets, VoIP attacks
Source: www.symantec.com

(10) Emerging Cyber Threats Report for 2009
Theft of data continues to be the motive behind the emerging threats for 2009. Five specific trends of threats in 2009 and beyond include:
• Malware
• Botnets
• Cyber warfare
• Threats to VoIP and mobile devices
• The evolving cyber crime economy

Means of attack: the Federal government reported 18,050 cybersecurity breaches in fiscal 2008. Breakdown by type:
• Unauthorized access: 18%
• Malicious code: 12%
• Scans, probes, attempted access: 7%
• Improper usage: 21%
• Under investigation / Others: 42%
Source: Department of Homeland Security

(11) The Most Prevalent Web Vulnerabilities
• Cross-site Scripting: 59%
• Others: 12%
• SQL Injection: 8%
• Content Spoofing: 6%
• Information Leakage: 6%
• Predictable Resource Location: 5%
• Insufficient Authentication: 2%
• Insufficient Authorization: 2%
Source: www.webappsec.org

(12) Module Objective
This module will familiarize you with:
• Information Security
• Why Security
• Essential Terminologies
• Present Trends in Security
• Statistics Related to Security
• Information Security Laws and Regulations

(13) Module Flow
• Information Security
• Need for Security
• Essential Terminologies
• Present Trends in Security
• Statistics Related to Security
• Information Security Laws and Regulations

(14) Information Security
Information security refers to securing data, information, and information systems from unauthorized access, unauthorized use, misuse, destruction, or alteration. It plays a vital role in protecting the interests of individuals who depend on that information. The goal of information security is to protect the confidentiality, integrity, and availability of information.

(15) Need for Security
• Direct impact of a security breach on the corporate asset base and goodwill
• Increased network environment and network-based applications
• Increasing speed of attacks
• Increasing complexity of computer infrastructure administration and management
• Evolution of technology focused on ease of use
[Chart: attack size in gigabits per second. Source: http://asert.arbornetworks.com (2008 Worldwide Infrastructure Security Report)]

(16) Cost of Computer Crime
Computer crime cost $265M in 2008, an all-time high (the FBI)
• Online fraud and other computer schemes cost the US $265 million, up from $239 million in 2007; the average individual loss was $931
• The FBI said 275,284 complaints were received in 2008 by the Internet Crime Complaint Center (IC3) and the National White Collar Crime Center (NW3C), up 33% from 206,884 in 2007

Year   Complaints   Loss
2008   275,284      $265 million
2007   206,884      $239.09 million
2006   207,492      $198.44 million
2005   231,493      $183.12 million
2004   207,449      $68.14 million
Source: www.networkworld.com

(17) The Security, Functionality, and Ease of Use Triangle
• The number of exploits is minimized when the number of weaknesses is reduced, which means greater security
• It takes more effort to conduct the same task, which means reduced functionality
• Moving the ball towards security means moving away from functionality and ease of use
[Diagram: a triangle whose vertices are Security, Functionality and Ease of Use.]

(18) Common Terminologies
Target of Evaluation:
• An IT system, product, or component that is identified as requiring security evaluation
Attack:
• An assault on system security that derives from an intelligent threat
• An attack is any action that violates security
Exploit:
• A defined way to breach the security of an IT system through a vulnerability

(19) Common Terminologies (cont'd)
Security:
• A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable
Threat:
• An action or event that might compromise security
• A threat is a potential violation of security
Vulnerability:
• The existence of a weakness, or of a design or implementation error, that can lead to an unexpected and undesirable event compromising the security of the system

(20) Common Terminologies (cont'd)
Cracker:
• Refers to a person who uses his/her hacking skills for offensive purposes
Hacking:
• Describes the rapid development of new programs or the reverse engineering of existing software to make the code better and more efficient
Ethical hacker:
• Refers to a security professional who applies his/her hacking skills for defensive purposes
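The terms defined on the preceding slides (target of evaluation, vulnerability, exploit, attack) and the two most common web vulnerability classes from the WASC figures earlier in this module (cross-site scripting and SQL injection) can be made concrete in a few lines of code. The example below is added here and is not code from the EC-Council deck or any product it cites: a hypothetical login function and greeting page are the target of evaluation, the vulnerability is untrusted input spliced into SQL text and into HTML, the exploit is the crafted payload, the act of sending it is the attack, and the fixed variants show the controls (parameterised queries and output encoding). The user table, user names, passwords and payloads are all constructed for the demonstration; passwords are kept in plaintext only so that the injection stays visible.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (hypothetical data, not from the page).
    A real system would store password hashes, never the passwords."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerability: untrusted input is spliced into the SQL text, so a quote
    character in the input becomes part of the query's syntax."""
    sql = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return con.execute(sql).fetchall()


def login_fixed(con: sqlite3.Connection, username: str, password: str) -> list:
    """Control: a parameterised query. The values travel separately from the
    SQL text, so a quote in the input is only data and cannot close the literal."""
    return con.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def greeting_vulnerable(name: str) -> str:
    """Reflected cross-site scripting: untrusted input written straight into HTML."""
    return f"<p>Welcome, {name}!</p>"


def greeting_fixed(name: str) -> str:
    """Control: output encoding turns markup characters into inert entities."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


# Exploits: inputs crafted to trigger each vulnerability (constructed payloads).
SQLI_PAYLOAD = "alice' --"   # closes the string literal and comments out the password check
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo() -> dict:
    """Attack both versions of each function and report what each returned."""
    con = make_db()
    return {
        "sqli_vulnerable": login_vulnerable(con, SQLI_PAYLOAD, "wrong"),  # admin row, no password
        "sqli_fixed": login_fixed(con, SQLI_PAYLOAD, "wrong"),            # no rows
        "xss_vulnerable": greeting_vulnerable(XSS_PAYLOAD),               # script tag intact
        "xss_fixed": greeting_fixed(XSS_PAYLOAD),                         # entities only
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The SQL payload works because SQLite treats `--` as a comment to end of line, so the vulnerable query degenerates to `WHERE username = 'alice'` and the password clause is never evaluated; the parameterised query looks for a user literally named `alice' --` and finds none. The same input that is an exploit against the vulnerable code is harmless data to the fixed code, which is the practical meaning of removing a vulnerability rather than blocking one payload.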

(21) Elements of Information Security: CIA
Confidentiality:
• The concealment of information or resources
Integrity:
• The trustworthiness of data or resources in terms of preventing improper and unauthorized changes
Availability:
• The ability to use the desired information or resource
Any hacking event will affect one or more of these essential security elements.
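The integrity element above can be checked mechanically rather than trusted. The example below is added here and is not from the original page: it seals a hypothetical account record with an HMAC-SHA256 tag and shows that editing the sealed body, or re-tagging a forged body under a guessed key, is detected on verification. The record, key and account values are constructed. Note what the control does not give: the body is still readable, so confidentiality would need encryption on top (an authenticated-encryption mode is the usual choice), and availability is not addressed by a MAC at all.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def seal(record: dict, key: bytes) -> dict:
    """Integrity control: tag a canonical serialisation of the record with
    HMAC-SHA256. Canonical (sorted keys, no whitespace) so the same record
    always yields the same bytes and therefore the same tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(sealed: dict, key: bytes) -> Optional[dict]:
    """Return the record if its tag is valid under `key`, otherwise None.
    compare_digest runs in constant time, so the tag cannot be recovered
    byte by byte from timing differences."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(sealed["body"])


def tamper_demo(key: Optional[bytes] = None) -> dict:
    """Seal a constructed record, then try two tampering attacks against it."""
    # Hypothetical key; in production it comes from a KMS or HSM, never the code.
    key = key if key is not None else secrets.token_bytes(32)
    original = {"account": "4711", "balance": 100}   # constructed sample record
    sealed = seal(original, key)

    # Attack 1: change the body and keep the old tag.
    edited = dict(sealed)
    edited["body"] = sealed["body"].replace('"balance":100', '"balance":100000')

    # Attack 2: forge a body and compute a fresh tag without knowing the key.
    forged = seal({"account": "4711", "balance": 100000}, b"attacker-guess")

    return {
        "genuine": verify(sealed, key),        # the original record
        "body_edited": verify(edited, key),    # None: tag no longer matches
        "forged_tag": verify(forged, key),     # None: tag made with the wrong key
    }


if __name__ == "__main__":
    for outcome, value in tamper_demo().items():
        print(f"{outcome}: {value}")
```

Two details carry the security weight. The tag covers a canonical encoding, so an attacker cannot slip in a semantically different record that happens to serialise to the same bytes, and the comparison is constant-time, so a network-facing verifier does not leak how many leading bytes of a guessed tag were right.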

(22) Trends in Security
• More regulatory and legislative
• Increased focus on certification and accreditation
• ISO17799 set as defining architecture
• Development of GAISP/GASSP
• Executive and board oversight of information security

(23) 20-Year Trend: Stronger Attack Tools
[Chart not reproduced in the text.]

(24) Information Security – More Than An IT Challenge For SME

The European Network and Information Security Agency recently warned that Small and Medium Enterprises are most at risk when it comes to attacks on PCs and IT systems. They are seen as an easy target since they tend to employ few dedicated IT staff, let alone any staff dedicated to protecting their critical business information. But since most businesses cannot function for more than a few hours without all or some of this information, it is vitally important that they implement and maintain effective security policies.

Approximately one third of businesses below 100 employees have had a security issue in the last year. Above this number of employees this rises to 50% or more. In many cases smaller organisations report a lower number of incidents because they are unaware that they have been impacted.

Although there is widespread awareness of the need for security in general, we find that a surprising number of organisations still believe that anti-virus software will do the job. A review of statistics from a number of agencies in countries in which COLT operates indicates that on average 95-98% of SME use antivirus software. But less than half of businesses with fewer than 50 employees use a firewall, although some may not be aware that they are using a firewall built in to their PC operating system or DSL router. For 50-250 employees, use of firewalls rises to about 70%.

Source: http://www.freshbusinessthinking.com/

(25) Statistics Related to Security
• Of all the vulnerabilities identified in 2008, 63 percent affected web applications, up from 59 percent in 2007
• In 2008, Symantec detected 55,389 phishing website hosts, an increase of 66 percent over 2007, when Symantec detected 33,428 phishing hosts
• In 2008, 78 percent of confidential information threats exported user data, and 76 percent used a keystroke-logging component to steal information such as online banking account credentials
Sources: Symantec Corporation; Sophos Security Threat Report: July 2009 update

(26) Attack on Social Network Sites for Identity Theft
• In January 2008, a Flash application, Secret Crush, with a link to an adware program was placed on Facebook
• In May 2008, Trojan-Mailfinder.Win32.Myspamce.a spread spam through comments on MySpace
• In July 2008, social networking sites such as Facebook, MySpace, and VKontakte were infected by Net-Worm.Win32.Koobface.a, which contains a link to a fake YouTube-like site
• In December 2008, links to malicious programs for mobile phones were spread on VKontakte
Source: Kaspersky Lab

(27) The Top Ten List of Malware-hosting Countries in 2009
[Chart not reproduced in the text.]
Source: http://www.sophos.com/

(28) 2010 Threat Predictions (http://www.mcafee.com/)
• Social networking sites such as Facebook will face more sophisticated threats as the number of users grows. The explosion of applications on Facebook and other services will be an ideal vector for cybercriminals, who will take advantage of friends trusting friends to click links they might otherwise treat cautiously
• HTML 5 will blur the line between desktop and online applications. This, along with the release of Google Chrome OS, will create another opportunity for malware writers to prey on users
• Email attachments have delivered malware for years, yet the increasing number of attacks targeted at corporations, journalists, and individual users often fool them into downloading Trojans and other malware

(29) 2010 Threat Predictions (cont'd) (http://www.mcafee.com/)
• Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot
• Banking Trojans will become more clever, sometimes interrupting a legitimate transaction to make an unauthorized withdrawal
• Botnets are the leading infrastructure for cybercriminals, used for actions from spamming to identity theft. Recent successes in shutting down botnets will force their controllers to switch to alternate, less vulnerable methods of command, including peer-to-peer setups

(30) Information Security Laws and Regulations
The information security laws and regulations of different countries include:
• UK Data Protection Act 1998
• Computer Misuse Act 1990
• EU Data Retention laws
• The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act of 1999 (GLBA)
• Sarbanes-Oxley Act of 2002 (SOX)
• Payment Card Industry Data Security Standard (PCI DSS)
• State Security Breach Notification Laws

(31) Computer Misuse Act
Note: the provisions quoted on this and the next slide, with fines denominated in dollars, are those of Singapore's Computer Misuse Act, not the UK Computer Misuse Act 1990 listed on the previous slide; the UK Act has no dollar-denominated penalties and places its unauthorised-access offence in section 1.
Section 3: Unauthorized access to computer material
• (1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both
• (2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both

(32) Computer Misuse Act (cont'd)
Section 4: Access with intent to commit or facilitate commission of offence
• (1) Any person who causes a computer to perform any function for the purpose of securing access to any program or data held in any computer with intent to commit an offence to which this section applies shall be guilty of an offence
• (2) This section shall apply to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years
• (3) Any person guilty of an offence under this section shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both

(33) Data Protection Act 1998
Section 55: Unlawful obtaining etc. of personal data
• (1) A person must not knowingly or recklessly, without the consent of the data controller:
  – (a) obtain or disclose personal data or the information contained in personal data, or
  – (b) procure the disclosure to another person of the information contained in personal data
• (2) Subsection (1) does not apply to a person who shows:
  – (a) that the obtaining, disclosing, or procuring:
    – (i) was necessary for the purpose of preventing or detecting crime
    – (ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court

(34) Data Protection Act 1998 (cont'd)
• (3) A person who contravenes subsection (1) is guilty of an offence
• (4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1)
• (5) A person who offers to sell personal data is guilty of an offence if:
  – (a) he has obtained the data in contravention of subsection (1), or
  – (b) he subsequently obtains the data in contravention of that subsection
• (6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data
• (7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), "personal data" includes information extracted from personal data

(35) Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements:
Financial Privacy Rule
• Governs the collection and disclosure of customers' personal financial information by financial institutions
Safeguards Rule
• Requires all financial institutions to design, implement, and maintain safeguards to protect customer information
Pretexting provisions
• Protect consumers from individuals and companies that obtain their personal financial information under false pretenses

(36) Summary
• Information security refers to securing data, information, and information systems from unauthorized access, unauthorized use, misuse, destruction, or alteration
• In 2008, 78 percent of confidential information threats exported user data, and 76 percent used a keystroke-logging component to steal information such as online banking account credentials
• Security is dependent on factors such as confidentiality, authenticity, integrity, and availability
• Hacker refers to a person who enjoys learning the details of computer systems as well as stretching his/her capabilities

