IT6011

Introduction to
Information Security
MIDTERM THEORY

Done By: Ghadeer Shehab

[email protected]
WEEK 1

What is Information Security?

Securing / safeguarding an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity.
Information security is designed to protect the confidentiality, integrity and availability of computer system data.

What needs to be secured?


• Network
• Applications
• Operating Systems
• Transmitted data

What are the types of assets?

• The elements that are to be protected (financial information, emails, procedures, patents, customer information, ...)
• The elements that are prone to attack (servers, software, networks, employees, ...)
Confidentiality
Information is disclosed only to those authorized to see or modify it; protection from unauthorized access.

Implementation

• Encrypting sensitive data and only providing the key to those who need access
• Information classification labeling (Top Secret, Restricted, ...)
• Access controls over systems (ACLs)
• Encrypting credit card transactions on eCommerce systems

Breach
• Misconfigured file shares (everyone READ)
• Capturing personal data on a hidden web site directory
• Leaving your bag on the train or bus
Integrity
Protecting the accuracy, completeness and consistency of information; protecting information from unauthorized modification.

Implementation

• Applying a checksum to data files
• Applying controls over who can modify files/data

Breach

• Unprotected data files, open to modification
• Weak database protection
Availability
Ensuring information is accessible to authorized users when they need it; this does not mean availability to all systems.

Implementation

• Systems disaster recovery solutions


• Alternative locations for data processing in event of system loss
• Having a backup policy
• Intelligent IT upgrade policy
Breach
• Natural disaster at or near data centre or office
• Systems failure with no backup
• Power outage
• System upgrades

Why is Information Security needed?


• Protect Information Assets
• Set rules for staff & 3rd party
• Meet legal requirements
• Ability to respond when a security incident occurs
• Build customer confidence
Information Security Controls
Security controls is the term given to the countermeasures used to avoid, prevent or minimize security risks or threats. Each control must address one or more of the three principles (CIA).
Examples of controls:
• Username and passwords for system accounts
• File permission settings
• Encryption

Information Security Framework


The layers of control documents are:
Policy – Statement of management commitment and direction.
Info Sec Baselines – Minimum security level standards to be met.
Standards – Specific security requirements that need to be met.
Procedures – Instructions on how to implement security/standards.
Guidelines – Recommendations on how to do something (actions and/or operations).
• The IS Policy is the most common type; it is often aligned with the international standard ISO27001.

ISO27001
The ISO2700x series of standards stems from both the Information Security and Risk Management worlds; it is necessary to merge concepts from both fields in order to properly address Information Security risks.
ISO31000
The ISO31000 international standard is for general risk management, including the principles and guidelines for managing risk.
WEEK 2

Information Security standard ISO 27000 defines the concepts of:

• External context: the most probable sources of threats
• Internal context: the supporting assets and their main vulnerabilities

There is no guarantee of complete security, yet organizations often assume that their system is completely secured. The users in the organization display these traits:

• Knowledge gaps (e.g. failing to install security updates)
• Lack of awareness (assuming that it will never occur within the company)
• Not informing the security department of any security concerns
• Failure to adopt the organizational security procedures (e.g. approach to internet security)
These traits lead to risks, threats and breaches.

Hacker online services


• Email password recovery
• Spying services
• System hacking
• Virus creation

Malware kits are available online (freeware and paid subscription); they can create viruses, phishing attacks, etc.

Lifecycle of an attack
Info gathering → Initial invasion → Asset discovery → Asset capture → Compromise
Attackers vary their approach.
Attackers get better results by combining several low-level skills than by focusing on one high-level skill.
Example of a scam:
• Preparation = asset discovery about the company's organization, using a mix of open-source research and human interaction
• Resources = a scam email sent from a "close-to-correct" domain name (example: mcdonald.com instead of mcdonalds.com)
• Action = social engineering, to convince the employee that he has to do something (transfer money!) or will lose his job

Internal context
• Bring your own device (BYOD)
• Cloud computing: makes it necessary to define exactly in which country
data is stored
• Social Networks: users are prone to leak a variety of information through
them
• Recognition in a global cause

Zero-day
A term given to attacks that were previously unknown: from day zero, when the organization becomes aware of the breach, the days are counted until it is resolved.

How to protect your company?

• A vulnerability check
• Ethical hacking
• Penetration testing

Penetration testing
It is an ethical hacking technique for finding flaws in a target system, with the focus being to breach the system.

Penetration testing and risk management


A penetration test identifies vulnerabilities in a system. Using these vulnerabilities,
a risk management matrix is applied to determine their impact factor. Senior
management makes strategic decisions on how to respond to these
vulnerabilities. Cost efficiency is also considered in this process. All these factors
collectively determine whether the vulnerabilities can be resolved.

Ethical Hacking
Ethical hacking draws on all hacking techniques and aims at a larger project, breaching more than one target system using several different techniques.
It is performed by a company or individual to help identify potential threats on a
computer or network. The ethical hacker attempts to bypass the system's security
to search for any weak points that could be exploited by malicious hackers. This
information is then used by the organization to improve the system security and
minimize any potential attacks.
Risk management

Risks and Threats

Risks are threats once they have been realized, causing harm, loss or damage to an asset.
Threats are intentional or accidental events that cause harm, loss or damage.

Risk Management Controls: users, customers, processes, technology, physical measures.
The main control types: prevention, detection, recovery.

Risk Management methods: COSO, ITIL, NIST SP 800-30, ISO 27000, OCTAVE.

Risk Assessment Concepts: identifying threats, vulnerabilities, likelihood, impact, countermeasures, and residual risk.

Benefits of Risk Management: control recommendations, cost comparison, security requirements, standards for improvement.

Factors for Mitigating Threats: size, finances, reputation, market position, data sensitivity.
WEEK 3

Attacker Objectives

To gain administrative access to a remote system and/or server.
To gain access to sensitive data or protected files.
To attack a target without having any previous knowledge about it.

Approach
A structured approach is the typical methodology; there are several phased approaches.
The timescale is non-specific, as it takes time to access and gather the correct information to avoid detection.

Example of a structured approach

Penetration Testing and Ethical Hacking


Penetration testing and ethical hacking use the same principles as criminals to
breach corporate networks and systems. The organizations use the penetration
results to correct flaws and improve overall security.
Ethical Hacking
The use of hacking techniques raises ethical questions regarding the integrity of the tester in maintaining a professional and ethical distance. It is important for professionals to uphold a code of conduct separate from that of criminals and to maintain their professionalism. Security professionals often sign a code of ethics by which they are bound.

Serve and protect the client


Testing should not be carried out without the permission of the organization.
Past customer data should not be used to promote the services of a tester.
Notify the client immediately when a high-risk issue is discovered.
Results of testing should not be presented to implicate individuals.
Client confidentiality must be maintained.

Uphold the security profession


DO:
• Be well-versed in information security
• Understand how tools work
• Test tools in an isolated laboratory before use on production systems
• Maintain experience/qualifications
DON'T:
• Rely solely on automated tools
• Test systems that are known to be highly vulnerable

Avoid conflicts of interest


Penetration tests that do not find any issues are not free.
Inform the company to engage a different tester if it is in the client's best interest.
Avoid public hacking scenarios.

Deliver accurate findings
Complete external testing first and avoid false positives and negatives.
It is better to work with the client during tests, to avoid the deployment of security measures mid-test.
Only notify key staff of any relevant testing.

Legal compliance
Contracts should include clauses for non-disclosure and limited liability.
Ensure that scope tests are accurate.
Establish fail-safe procedures before conducting the testing.
Do not use Fear, Uncertainty or Doubt to sell services.
Stay updated on current legal issues.

Other threats
They include: physical threats, natural events, internal criminal activity, and
malware.

Malware
Ethical hacking improves security, identifies vulnerabilities, and controls malware.
There are various tools that create viruses; the objective now will be to sample these tools, using automated and manual methods, to create viruses.
WEEK 4

Penetration testing process

Testing Rules

Testing rules are a set of agreed-upon rules between parties involved in testing.
They define limitations and boundaries of the testing environment.
The rules specify which systems or parts of the network can be used for
operational purposes during the test.
Agreements on the test scope and rules may require legal documentation.
Each client may prioritize either the test scope or the rules based on their specific
requirements.
Deviating from the agreed rules or test scope can lead to system downtime,
financial and reputational damage, and potential legal consequences.
Test awareness
Two types of tests can take place: announced or unannounced.
Announced tests are pre-planned and IT departments are given notice of intent
to conduct the test.
Gathering information (network and host)
For gathering information, Google is a useful tool for finding information about a company or organization. It can return information on the main domain (your target) as well as other services they provide.
Google Advanced Search and search operators can also return useful results.
You can use other methods to gather more information about an organization. There are several methods; these can include:
• Maps (e.g. Google Maps or Google Earth)
• Social Networking (e.g. Facebook, Twitter, LinkedIn)
• Physical searching (e.g. searching in trash)
• Social Engineering (e.g. faking entry to a building)
Ensure that it is legal!

Lookup (network-tools.com)
The Lookup will give you an IP address.
You can then perform a whois with various tools to find out more.

Scanning
Scanning a target environment can create an inventory of possible machines to attack. It also allows the evaluation of those systems to find vulnerabilities.
The purpose of scanning is to learn more about the target by interacting with it to find possible vulnerabilities, while minimizing the risk of being detected.
This is achieved by determining:
• Network addresses of live hosts (servers and clients), firewalls, routers, switches, etc.
• Network topology of the target environment.
• Operating system types.
• Open ports and network services.
Network Scanning
There are several techniques which are used, including:
• Network sweeping
• Network mapping
• Port scanning
• OS fingerprinting
• Version scanning
• Vulnerability scanning

Network Mapping
Network mapping is the process of identifying and listing all hosts, servers, or
clients within a network.
Nmap is a commonly used network mapping tool with various scanning
techniques.
Port scanning is one technique used in network mapping, which involves scanning
for open ports on remote hosts. It provides information about which ports on
specific machines are actively listening.
Listener processes are the services provided by machines on the network.
Network mapping helps gain an understanding of the network's structure and the
devices connected to it.

False positives
Scanning tools can give you what are known as 'false positives'.
False positives are results reported as correct, or true, that are in fact incorrect.
E.g. the scanning tool may run a scan that returns 10 listening ports. After investigation, you discover that only 9 of them are listening. Therefore, 1 port is a false positive.
When scanning, it is important to try to make it as effective and insightful as possible; with experience you will find your own method.
Whilst scanning, run a sniffer
Running a sniffer at the same time as a scan allows you to monitor network activity, e.g. displaying packet data on screen that you can monitor.
There are several tools you can use; a common tool in use is tcpdump.
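The verification step behind the false-positive example above, as an added example that is not part of these notes: it parses scanner results (constructed lines in the style of Nmap's greppable -oG output, not real scan output) and re-checks every port reported as open with a plain TCP connect, so ports that are reported but not actually listening are separated out as false positives. The check only ever touches the local machine, and the function names are my own.

```python
import re
import socket

# Constructed lines in the style of Nmap's greppable (-oG) output; this is
# not real scan output, and the host is the local machine.
SAMPLE_GREPPABLE = (
    "Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 8080/filtered/tcp//http-proxy///\t"
    "Ignored State: closed (997)\n"
)
# -oG port entries read port/state/protocol/owner/service/...
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")

def parse_greppable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG style lines."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_part = line.split("Ports:", 1)[1].split("\t", 1)[0]
        results[host] = [(int(p), state, proto, svc)
                         for p, state, proto, svc in PORT_FIELD.findall(ports_part)]
    return results

def tcp_connect_probe(host, port, timeout=1.0):
    """Confirm a reported port the certain way: complete a TCP handshake to it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def verify_open_ports(host, scan_results, probe=tcp_connect_probe):
    """Split ports the scanner reported as open into confirmed and false positives."""
    reported = [p for p, state, proto, _ in scan_results.get(host, [])
                if state == "open" and proto == "tcp"]
    confirmed = [p for p in reported if probe(host, p)]
    return confirmed, [p for p in reported if p not in confirmed]

def demo():
    """Check a constructed report that lists a real local listener and a port
    nothing listens on as both open; the second one is the false positive."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # released again, so a connect to it is refused
    line = (f"Host: 127.0.0.1 ()\tPorts: {open_port}/open/tcp//unknown///, "
            f"{closed_port}/open/tcp//unknown///\tIgnored State: closed (65533)\n")
    try:
        confirmed, false_positives = verify_open_ports("127.0.0.1", parse_greppable(line))
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "confirmed": confirmed, "false_positives": false_positives}
```

Running the same verification after each periodic scan, and diffing the confirmed list against the previous run, is the cheap way to spot the changes the Nmap summary in Week 5 says to look for.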

tcpdump
Tcpdump is a command-line-based sniffer that comes with most versions of Linux. It allows you to analyse network traffic by capturing packets. It also allows basic filtering of certain traffic.
It is freeware and can sniff various protocols (IP, TCP, UDP, ICMP).

Wireshark
Wireshark is the world's foremost and most widely-used network protocol analyser. It is a free and open-source packet analyzer.
It is used for network troubleshooting and analysis, software and communications protocol development, and education.
WEEK 5

Nmap
Port scanning is useful but only indicates that something is listening.
Network mapping complements port scanning, and the Nmap tool includes this feature in addition to:
• Host discovery
• Operating System detection
• Version detection
• Scriptable interaction with the target
Nmap adopts techniques to identify hosts and network applications and services after a port scan. It utilizes a technique called "fingerprinting".
This technique is used when Nmap cannot identify an application.
The application fingerprint can then be submitted to the Nmap database.
Over time, the database grows and becomes more capable of identifying such applications.

Summary
• Nmap is a powerful tool with both command line and GUI capability.
• It can be used for port scanning, TCP and UDP scanning, operating system and version identification, etc.
• You can also save the output of scans.
• It allows both a network and a system administrator to determine what can be seen from the outside, i.e. by a potential attacker.
• They can then do something about this.
• Scans should be run frequently to see if there are any changes, particularly after system upgrades.
• From an attacker's point of view, it can be useful as it will give more details (network mapping details and operating system versions) on the target network.
WEEK 6

Gaining access
Once you have identified possible points to attack, access is required (commonly known as 'exploitation').

An exploit is code or a technique used to take advantage of a vulnerability in a target.
Access can be gained to a target system to perform various commands such as moving or retrieving files, sniffing packets, reconfiguring, or installing software.
Exploiting a target poses risks that should be discussed and agreed upon in the testing rules.

Risks of exploitation
• service or system crashes
• compromised system stability
• integrity
• data exposure
Exploits can be categorized as server-side (attacking network services), client-side (attacking client applications), or local privilege escalation (increasing the attacker's privileges within the network).

Metasploit
It’s a free, open-source exploitation framework used for gaining access.
Metasploit uses exploits and payloads to take advantage of vulnerabilities and
execute desired actions on the target machine.
It can run on Linux, Mac OS, and Windows operating systems.
WEEK 7

Cryptography
The art of creating and implementing secret codes and ciphers. It is one possible tool for providing appropriate countermeasures.

Legitimate user
Legitimate users take advantage of cryptography to preserve the security of
information to be shared.

Encryption is the process of a legitimate user encoding information with the help of a secret (human-oriented) or key (machine-oriented). It helps protect information by preventing unauthorized parties from accessing it.
Encryption transforms the original information (plaintext) into an unintelligible chain of signal elements (ciphertext).
Encryption doesn't prevent hacking, but it prevents the hacker from reading the data that is encrypted.
The encryption algorithm and key together form an encryption scheme.
An encryption scheme is carried out by an encryption function, which is packaged in an encryption tool.

Encryption methods
• Substitution: In this method, characters in the plaintext are replaced with
different characters. E.g. Caesar cipher.
• Transposition: The transposition method involves rearranging the characters of
the plaintext to form the ciphertext.
• Polyalphabetic: Uses multiple substitution alphabets. It replaces characters in
the plaintext based on position or other factors, enhancing security.
• Running Key: In the running key encryption, characters in both the message
and the key are converted to numeric values and added together.
Decryption is the process of a legitimate user decoding previously encrypted information with the help of a secret or key.
Decryption transforms the ciphertext back to plaintext.

Cryptanalysis is the art of deriving plaintext from ciphertext without the use of a secret or key.
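The four encryption methods listed above, worked through as an added example that is not code from the notes: substitution (Caesar), polyalphabetic and running key (Vigenère; with a key at least as long as the message it is the running-key method, adding the letter values of message and key), and transposition (columns), followed by the cryptanalysis point that a Caesar ciphertext can be recovered without the key simply by listing all 25 shifts. Function names are my own.

```python
import string

A = string.ascii_uppercase

def clean(text):
    """Keep letters only, upper-cased: these classical ciphers work on A-Z."""
    return "".join(ch for ch in text.upper() if ch in A)

def caesar(text, shift, decrypt=False):
    """Substitution: every letter is replaced by the one `shift` places along."""
    k = -shift if decrypt else shift
    return "".join(A[(A.index(ch) + k) % 26] for ch in clean(text))

def vigenere(text, key, decrypt=False):
    """Polyalphabetic: the shift for position i comes from key[i % len(key)],
    so the same plaintext letter is not always replaced by the same letter.
    With a key as long as the message (used once) this is the running-key
    method: message and key letters are converted to numbers and added."""
    text, key = clean(text), clean(key)
    out = []
    for i, ch in enumerate(text):
        k = A.index(key[i % len(key)])
        if decrypt:
            k = -k
        out.append(A[(A.index(ch) + k) % 26])
    return "".join(out)

def transposition(text, width, decrypt=False):
    """Transposition: the letters are kept but their order changes.
    Encrypt: write the message row by row into `width` columns (padding the
    last row with X), then read it out column by column. Decrypt reverses it."""
    if not decrypt:
        text = clean(text)
        text += "X" * (-len(text) % width)
        rows = [text[i:i + width] for i in range(0, len(text), width)]
        return "".join(row[c] for c in range(width) for row in rows)
    nrows = len(text) // width
    cols = [text[i * nrows:(i + 1) * nrows] for i in range(width)]
    return "".join(cols[c][r] for r in range(nrows) for c in range(width))

def caesar_candidates(ciphertext):
    """Cryptanalysis without the key: a Caesar cipher has only 25 non-trivial
    shifts, so every candidate plaintext can be listed and read off."""
    return {s: caesar(ciphertext, s, decrypt=True) for s in range(1, 26)}
```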

Symmetric and Asymmetric


Symmetric:
• The same encryption key is used for encryption and decryption.
• The key needs to be shared by the two parties.
Asymmetric:
• Each party generates a pair of keys, one public and one private.
• Only public keys are exchanged.

One-way hash
Information is transformed into an unreadable form that cannot be decrypted.
Only comparisons between hashes can be performed, e.g. password checking.
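Hashing as used for both the Week 1 integrity control ("applying a checksum to data files") and the password-checking case just mentioned, as an added example that is not from the notes. It uses Python's standard hashlib and hmac modules; the file contents and the password are constructed, and the function names and the stored-record format are my own.

```python
import hashlib
import hmac
import os

# Constructed sample "file" contents; nothing here comes from a real system.
ORIGINAL = b"account,balance\nalice,100\nbob,250\n"
TAMPERED = b"account,balance\nalice,100\nbob,2500\n"

def checksum(data):
    """SHA-256 of a data file. Recorded separately (read-only) at a known-good
    moment, it lets a later check detect any change to the file's contents."""
    return hashlib.sha256(data).hexdigest()

def integrity_check(data, expected_checksum):
    """True only if the file still matches the checksum recorded earlier."""
    return hmac.compare_digest(checksum(data), expected_checksum)

def hash_password(password, salt=None, iterations=600_000):
    """One-way hash for password storage: PBKDF2-HMAC-SHA256 with a random
    per-password salt. The stored record never contains the password itself,
    and the salt means two users with the same password get different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def check_password(password, stored):
    """Password checking by comparing hashes: recompute with the stored salt and
    iteration count, then compare in constant time (no decryption happens)."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```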

Steganography:
The main disadvantage of traditional cryptography is that ciphered text is easily recognised by protocol analysis and statistical analysis.
Steganography is the technique of hiding information in another piece of information: in any place where bits are left unused, or where a header can be expanded artificially. It can also be spread over multiple files.

Watermarking is the process of hiding control information in a legitimate control channel. It is not considered cryptography because no information is contained within.
