IT E&A-Lecture 10_student_ver
Lecture 10
PROTECTING INFORMATION ASSETS
CISA: Certified Information Systems Auditor (Study Guide)
Fourth Edition
David Cannon – Chapter 7
UNDERSTANDING THE THREAT
Types of Threats and Computer Crimes
v Theft
Ø The theft of information, designs, plans, and customer lists
could be catastrophic to an organization.
Ø Have equivalent controls in place to prevent the theft of
valuable intellectual property.
v Fraud
Ø Misrepresentation to gain an advantage is the definition of
fraud.
Ø Electronic records may be subject to remote manipulation for
the purpose of deceit, suppression, or unfair profit.
Ø Fraud may occur with or without the computer.
Ø Variations of fraud include using false pretenses, also known
as pretexting, for any purpose of deceit or misrepresentation.
Ø E.g., the attacker uses phone calls to trick victims into disclosing sensitive
information or into giving the attacker remote access to the victim's computer.
A common vishing scheme (a verbal scam) involves the threat actor calling
victims while pretending to be an official from the FBR.
v Sabotage is defined as the wilful and malicious destruction of an
employer’s property, or malicious interference with normal operations.
v Blackmail
Ø Unlawful demand of money or property under threat to do
harm.
Ø Examples are to damage property, make an accusation of a
crime, or expose disgraceful defects.
Ø This is commonly referred to as extortion.
v Industrial Espionage
Ø The world is full of competitors and spies.
Ø Espionage is a crime of spying by individuals and governments
with the intent to gather, transmit, or release information to
the advantage of any foreign organization.
Ø It’s not uncommon for governments to eavesdrop on the
communications of foreign companies. The purpose is to
uncover business secrets to share with companies in their
country.
Ø Additional care must be taken to keep secrets out of the hands
of a competitor.
v Unauthorized Disclosure is the release of information without
permission. The purpose may be fraud or sabotage.
Ø E.g., unauthorized disclosure of trade secrets or product
defects may cause substantial damage that is irreversible.
Ø The unauthorized disclosure of client records would cause a
violation of privacy laws, not to mention details that would be
valuable for a competitor.
v Cyber Conduit for Remote Attacks: This is using compromised
systems of the auditee to silently leak information from the
auditee or run stealth attacks against other organizations and
business partners to further the hacker’s penetration.
v Loss of Credibility
Ø is the damage to an organization’s image, brand, or executive
management.
Ø This can severely impact revenue and the organization’s ability
to continue.
Ø Fraud, sabotage, blackmail, and unauthorized disclosure may
be used to destroy credibility.
v Loss of Proprietary Information: The mishandling of information
can result in the loss of trade secrets. Once a secret is out, there
is no way to make the information secret again.
v Legal Repercussions
Ø The breach of control or loss of an asset can create a situation
of undesirable attention.
Ø Privacy concerns have created new requirements for public
disclosure following a breach.
Ø Without a doubt, the last thing an organization needs is
increased interest from a government regulator.
Ø Stockholders and customers may have grounds for subsequent
legal action in alleging negligence or misconduct, depending
on the situation.
CHECKPOINT ?
Which of the following techniques is used to prevent the
encryption keys from being susceptible to an attack against
standing data?
a. Key wrapping
b. Key generation
c. Symmetric-key cryptosystem
d. Asymmetric-key cryptosystem
IDENTIFYING THE PERPETRATORS
v The perpetrators of crime may be casual or sophisticated.
v Motives may be financial, political, thrill seeking, or a biased
grudge against the organization.
v However, the damage impact is usually the same regardless of
the perpetrator’s background or motive.
v A common trait is that a perpetrator will have time, access, or
skills necessary to execute the offense.
Hackers
v The term hacker has a double meaning: an honorable interpretation (the
skilled computer programmer) and a dishonorable one (an undesirable criminal).
v The criminal hacker focuses on a desire to break in, take over,
and damage or discredit legitimate computer processing.
v The first goal of hacking is to exceed the authorized level
of system privileges. This is why it is necessary to monitor
systems and take swift action against any individual who
attempts to gain a higher level of access.
v Hackers may be internal or external to the organization.
v Attempts to gain unauthorized access within the organization
should be dealt with by using the highest level of severity,
including immediate termination of employment.
Crackers
v The term cracker is a variation of hacker, with the analogy equal
to a safe cracker.
v Some individuals use the term cracker in an attempt to
differentiate from the honorable computer programmer
definition of hacker.
v The criminal cracker and criminal hacker terms are used
interchangeably.
v Crackers attempt to illegally or unethically break into a system
without authorization.
Script Kiddies
v An individual who executes computer scripts and programs
written by others.
v The motive is to hack a computer by using someone else’s software.
Examples include password decryption programs and automated access utilities.
v Script kiddies are considered the most dangerous type, because they do not
know what they are doing or the extent of the damage they may cause.
PROTECTING AGAINST WHITE HAT HACKERS
v Security penetration testing should be part of the job description
of software testers or software QA testers under the IS
programming team or an internal audit team.
v Separation of duties requires the white hat (ethical hacker) to
operate under the management of an internal auditor or an
equivalent audit role.
v Forced separation of duties provides evidence that protects both
management and the technician.
v The ethical hacker must not have any operational duties or
otherwise be involved in daily IT operations.
CHECKPOINT ?
Which of the following VPN methods will transmit data
across the local network in plain text without encryption?
a. Secure Sockets Layer (SSL)
b. IPsec
c. Transport Layer Security (TLS)
d. Layer 2 Tunneling Protocol (L2TP)
UNDERSTANDING ATTACK METHODS
v Computer attacks can be implemented with a computer or
against a computer.
v There are basically two types of attacks: passive and active.
v How are these attacks characterized?
Passive Attacks
v These are characterized by techniques of observation.
v The intention is to gain additional information before launching
an active attack.
v Examples:
Ø Network Analysis
Ø Host Traffic Analysis
Ø Eavesdropping
v Network Analysis
Ø The computer traffic across a network can be analyzed to
create a map of the hosts and routers.
Ø Common tools such as IBM Tivoli, Cisco Works, HP Business
Technology Optimization (OpenView), Network Instruments
Observer, or free open source equivalents like OpenNMS and
OpsView are useful for creating live network maps.
Ø The objective is to create a complete profile of the network
infrastructure prior to launching an active attack.
Ø Computers transmit large numbers of requests that other
computers on the network will observe.
Ø Simple maps can be created with no more than the observed
traffic or responses from a series of ping commands.
Ø The concept of creating maps by using network analysis is
commonly referred to as painting or footprinting.
v Host Traffic Analysis
Ø is used to identify systems of particular interest.
Ø The communication between host computers can be
monitored by the activity level and number of service
requests. It is an easy method to identify servers on the
network.
Ø Specific details on the host computer can be determined by
using a fingerprinting tool such as the open source Nmap.
Ø The Nmap utility is active software that sends a series
of special commands, each command unique to a particular
operating system type and version.
Ø E.g., a Unix system will not respond to a NetBIOS 137 request
because NetBIOS is a nonstandard port used only by
Microsoft.
Ø However, a computer running Microsoft Windows will answer.
Ø The exact operating system of the computer can usually be
identified with only seven or eight simple service requests.
Ø Host traffic analysis will provide clues to a system even if all
other communication traffic is encrypted. This is an excellent
tool for tracking down a rogue IP address.
Ø The Nmap utility provides information as to whether the
destination address is a Unix computer, Macintosh computer,
computer running Windows, or something else such as an HP
printer.
Ø This fingerprinting technique is also popular with hackers for
the same reason.
v Eavesdropping
Ø Traditional method of spying with the intent to gather
information.
Ø Computer network analysis is a type of eavesdropping.
Ø Other methods include capturing a hidden copy of files or
copying messages as they traverse the network.
Ø Email messages and IM are notoriously vulnerable to
eavesdropping because of their insecure design.
Ø Computer login IDs, passwords, and user keystrokes can be
captured by using eavesdropping tools.
Ø Encrypted messages can be captured by eavesdropping with
the intention of breaking the encryption at a later date.
Ø Eavesdropping helped the Allies crack the secret code of radio
messages sent using the German Enigma machine in World
War II.
Active Attacks
v Passive attacks tend to be relatively invisible, whereas active
attacks are easier to detect.
v The attacker will proceed to execute an active attack after
obtaining sufficient background information.
v The active attack is designed to execute an act of theft or cause a
disruption in normal computer processing.
v Examples
Ø System or Network Penetration Testing
Ø Social Engineering
Ø Phishing
Ø Spear Phishing
Ø Dumpster Diving
v System or Network Penetration Testing
Ø Anyone is able to start automated penetration tests against
your systems and your network.
Ø Active attacks start by grabbing banners, then progress to
sending test or attack data to software programs, and finally
sending escalation commands through known vulnerabilities to
take over your devices.
Ø Banner grabbing is a technique used to gain information about
a computer system on a network and the services running on
its open ports.
Ø Live network traffic monitoring and IDPS will usually detect
pen testing attempts.
v Social Engineering
Ø Criminals can trick an individual into cooperating by using a
technique known as social engineering.
Ø The social engineer will fraudulently present themselves as
a person of authority or someone in need of assistance.
Ø The social engineer’s story will be woven with tiny bits of truth.
Ø All social engineers are opportunists who gain access by asking
for it.
Ø E.g., the social engineer may pretend to be a contractor or
employee sent to work on a problem.
Ø The social engineer will play on the victim’s natural desire to
help.
v Phishing
Ø A social engineering technique called phishing (pronounced
fishing) uses fake emails sent to unsuspecting victims that
contain a link to the criminal’s counterfeit website.
Ø A phishing criminal copies legitimate web pages into a fake
email or to a fake website.
Ø The message tells the unsuspecting victim that it is necessary
to enter personal details such as Social Security number, credit
card number, bank account information, or online user ID and
password.
Ø Phishing attacks can also be used to install spyware on
unprotected computers.
Ø Many phishing attacks can be avoided through user education.
v Spear Phishing
Ø One of the most effective attack techniques.
Ø This attack targets a specific user, or system.
Ø Spear-phishing is easier than it sounds.
Ø Target systems can be identified through traffic analysis or
remnant metadata found in exported files or simply by
browsing a web page and right-clicking View Source.
Ø Dynamic pages, including user-submitted forms written in HTML or
PHP (Hypertext Preprocessor), usually contain a POST or GET command that
carries the exact address of your server, your database name, the
program’s valid login ID, and the real password.
Ø These specific parameters must be disclosed (required) for
programming the web page to get data out of your database,
for web surfers to view content, or for users to save data
submitted through online forms.
Ø Object-oriented programming in Java is one method to help
protect against spear-phishing by using object delegation.
Ø Separation of duties between programs isolates certain
functions to another program out of the attacker’s reach.
Ø But security works only if multiple layers of strong
authentication are used between the programs.
PERSISTENT ELECTRONIC THREATS
What is the basic characteristic of these threats?
Mostly executed remotely. Hence, difficult to detect.
CHECKPOINT ?
Which of the following is not true concerning dumpster
diving?
a. It’s illegal trespassing.
b. It’s a legitimate way to collect data.
c. It’s not a concern if paper records are shredded.
d. It’s not a problem if discarded devices are purged.
v Malware
Ø This title refers to every malicious software program ever
created, whether it exploits a known vulnerability or creates
its own.
Ø There are so many different ones that it’s easier to just call the
entire group by the title of malware.
Ø The king of the malware threat is known as the Trojan horse.
v Trojan Horse
Ø A revised concept of the historical Trojan horse has been
adapted to attack computers.
Ø In a tale from the Trojan war, soldiers hid inside a bogus gift
known as the Trojan horse.
Ø The unassuming recipients accepted the horse and brought it
inside their fortress, only to be attacked by enemy soldiers
hiding within.
Ø Malicious programs frequently use the Trojan horse concept to deliver
viruses, worms, logic bombs, and rootkits through downloaded files.
v Virus
Ø The goal of a virus is to disrupt operations.
Ø Users inadvertently download a program built like a Trojan
horse containing the virus.
Ø The attacker’s goal is usually to damage your programs or data
files.
Ø File viruses may append themselves at the end-of-file (EOF) marker of
computerized files.
Ø The virus changes the start of the program so that control jumps to its
code.
Ø After its code has executed, control returns to the main program, so its
execution is not even noticed.
Ø It is also called a parasitic virus because it alters every file it infects
yet leaves the host functional.
v Worm
Ø An Internet worm operates in a similar manner to the Trojan
or virus, with one major exception: Worm programs can freely
travel between computers because they exploit unprotected
data transfer ports (software programming sockets) to access
other systems.
Ø Internet worms started by trying to access the automatic
update (file transfer) function through software ports with
poor authentication or no authentication mechanism.
Ø It is the responsibility of the IS programmer to implement
security of the ports and protocols.
Ø IT technicians for hardware and operating system support
cannot fix poor programming implementations.
Ø For IT technicians, the only choice is to disable software ports,
but that won’t happen if the programmer requires the port
left open for the user’s application program to operate.
v Logic Bomb
Ø The logic bomb is built around dormant program code that waits for a
trigger event to cause detonation.
Ø Unlike a virus or worm, logic bombs do not travel.
Ø A logic bomb remains in one location, awaiting detonation.
Ø Logic bombs are difficult to detect.
Ø Some logic bombs are intentional, and others are the
unintentional result of poor programming.
Ø Intentional logic bombs can be set to detonate after the
perpetrator is gone.
v Time Bomb
Ø Programmers can install time bombs in their programs to disable the
software on a predetermined date.
Ø A time bomb might be used to kill programs on symbolic dates such as April
Fools’ Day or the anniversary of a historic event.
Ø E.g. ??
v Trap Door
Ø Computer programmers frequently install a shortcut, also
known as a trapdoor, for use during software testing.
Ø The trapdoor is a hidden access point within the computer
software.
Ø A competent programmer will remove the majority of
trapdoors before releasing a production version of the
program.
Ø However, several vendors routinely leave a trapdoor in a
computer program to facilitate user support.
Ø Commercial encryption software began to change in 1996
with the addition of “key recovery” features. This is basically a
trap door feature to recover lost encryption keys and to allow
the government to read encrypted files, if necessary.
v RootKit
Ø One of the most threatening attacks is the secret compromise
of the operating system kernel.
Ø Attackers embed a rootkit into downloadable software.
Ø The rootkit subverts security settings by linking itself directly into the
kernel processes, system memory, address registers, and swap space.
Ø Rootkits operate in stealth to hide their presence.
Ø Hackers designed rootkits to never display their execution as
running applications.
Ø The system resource monitor does not show any activity
related to the presence of the rootkit.
Ø After the rootkit is installed, the hacker has control over the
system.
Ø The computer is completely compromised.
Ø Automatic update features use the same techniques as
malicious rootkits to allow the software vendor to bypass
your security settings.
Ø Vendors know that using the term rootkit may alarm users.
Ø Software agent is just another name for a rootkit.
v Brute Force Attacks
Ø Frequently used against user logon IDs and passwords.
Ø In one particular attack, all of the encrypted computer
passwords are compared against a list of all the words
encrypted from a language dictionary.
Ø After the match is identified, the attacker will use the
unencrypted word that created the password match.
Ø This is why it is important to use passwords that do not appear
in any language dictionary.
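The control the slide recommends, written as an added example (not from the study guide): a password-policy check that rejects any password a word-list attack would cover, including the common manglings (leet substitutions, appended years or punctuation, reversed words) that cracking dictionaries already include. The word list and the substitution table are constructed for illustration.

```python
import re
from typing import Optional, Set

# Constructed sample dictionary; a real check loads a full word list (for example
# the system's /usr/share/dict/words or a published breached-password list).
DICTIONARY: Set[str] = {
    "password", "welcome", "letmein", "dragon", "monkey", "summer",
    "admin", "login", "secret", "qwerty", "football", "shadow",
}

# Character substitutions that cracking word lists already include, so
# "P@ssw0rd" is effectively the dictionary word "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize_candidates(password: str) -> Set[str]:
    """Return the dictionary-style forms a word-list attack would cover."""
    base = password.lower()
    forms = {base, base.translate(LEET_MAP)}
    # Strip leading/trailing digits and punctuation ("Summer2024!", "!!dragon").
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    forms.update({stripped, stripped.translate(LEET_MAP)})
    # Reversed words are another standard mangling rule.
    forms.update(f[::-1] for f in list(forms))
    return {f for f in forms if f}

def dictionary_word_in(password: str, dictionary: Set[str] = DICTIONARY) -> Optional[str]:
    """Return the dictionary word a password reduces to, or None if it is clear."""
    for form in sorted(normalize_candidates(password)):
        if form in dictionary:
            return form
    return None

def check_password(password: str, min_length: int = 12) -> list:
    """Policy check: list of reasons the password is rejected (empty means accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    word = dictionary_word_in(password)
    if word is not None:
        problems.append(f"derived from dictionary word '{word}'")
    return problems

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Summer2024!", "nogard", "correct horse battery staple"]:
        print(pw, "->", check_password(pw) or "accepted")
```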
v Crash Restart
Ø An attacker loads malicious software onto a computer or
reconfigures security settings to the attacker’s advantage.
Ø Then the attacker crashes the system, allowing the computer
to automatically restart (reboot).
Ø The attacker can take control of the system after it restarts
with the new configuration.
Ø The purpose is to install a backdoor for the attacker.
Ø Recommended control is to run a system file integrity utility
like Tripwire or NSA System Integrity Management Platform
(SIMP) before each backup is created.
Ø If properly configured, this practice will detect altered files
before allowing the backup to run.
Ø There is no reason to back up files if the system programs are
corrupted.
Ø Just restore from a known good backup and try to recover or
re-create any lost user data.
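The file-integrity gate described above, as an added example rather than the study guide's own tooling or a Tripwire/SIMP configuration: a baseline of SHA-256 digests is taken for a system directory, stored outside the monitored tree, and compared before a backup is allowed to run. The directory, file contents, and the tampering scenario are all constructed in a temporary folder.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files altered, missing, or newly added since the baseline was taken."""
    current = build_baseline(root)
    return {
        "altered": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "new": sorted(f for f in current if f not in baseline),
    }

def safe_to_back_up(report: dict) -> bool:
    """Gate from the slide: do not run the backup if system programs have changed."""
    return not (report["altered"] or report["missing"] or report["new"])

def demo(work: Path = None) -> dict:
    """Constructed scenario: take a baseline of a fake system directory, then
    simulate the tampering a crash-restart attack leaves behind."""
    work = work or Path(tempfile.mkdtemp())
    bindir = work / "bin"
    bindir.mkdir(parents=True, exist_ok=True)
    (bindir / "login").write_bytes(b"original login program")
    (bindir / "sshd").write_bytes(b"original sshd program")
    # The baseline must live outside the monitored tree (offline media in practice).
    baseline_file = work / "baseline.json"
    baseline_file.write_text(json.dumps(build_baseline(bindir)))
    # Attacker swaps a system program and drops a backdoor before forcing a reboot.
    (bindir / "login").write_bytes(b"trojaned login program")
    (bindir / "backdoor").write_bytes(b"attacker binary")
    return compare_to_baseline(bindir, json.loads(baseline_file.read_text()))

if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("backup allowed:", safe_to_back_up(report))
```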
v Maintenance Accounts
Ø Most computer systems are configured with special
maintenance accounts.
Ø These maintenance accounts may be part of the default
settings or created for system support.
Ø E.g., a user account named DBA for the database administrator, or tape
for a tape backup device.
Ø Vendors publish online user manuals containing examples of
all the maintenance accounts on their system.
Ø It is advisable to disable the default maintenance accounts on
a system.
Ø The security manager may find an advantage in monitoring
access attempts against the default accounts.
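The monitoring advantage mentioned above, as an added example that is not part of the study guide: detection logic that reads sshd-style authentication lines and raises an alert for every attempt against a default maintenance account, with a successful login treated as the high-severity case. The log lines are constructed (documentation-range addresses), and the account list beyond DBA and tape is an assumption to be replaced with the vendor's published defaults.

```python
import re
from collections import Counter

# Constructed sample of sshd-style log lines (documentation-range IPs, not real hosts).
SAMPLE_LOG = """\
Mar 12 08:01:22 db01 sshd[2210]: Failed password for invalid user DBA from 203.0.113.45 port 51122 ssh2
Mar 12 08:01:25 db01 sshd[2210]: Failed password for invalid user dba from 203.0.113.45 port 51122 ssh2
Mar 12 08:02:10 db01 sshd[2231]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 12 08:03:41 db01 sshd[2250]: Failed password for tape from 203.0.113.45 port 51140 ssh2
Mar 12 08:03:50 db01 sshd[2250]: Accepted password for tape from 203.0.113.45 port 51140 ssh2
Mar 12 08:05:00 db01 sshd[2270]: Accepted password for bob from 198.51.100.9 port 40100 ssh2
"""

# Default maintenance accounts to watch. DBA and tape come from the slide; the
# rest are assumed examples of vendor defaults and should be taken from the
# vendor's manual for the real system.
DEFAULT_ACCOUNTS = {"dba", "tape", "root", "guest", "admin", "oracle"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_line(line: str):
    """Return the fields of one sshd auth line, or None if it is not a login event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def default_account_alerts(log_text: str) -> list:
    """Flag every attempt against a default maintenance account.
    Any attempt is worth a look (the accounts should be disabled); a successful
    login is the high-severity case because the control has already failed."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"].lower() not in DEFAULT_ACCOUNTS:
            continue
        severity = "HIGH" if ev["result"] == "Accepted" else "MEDIUM"
        alerts.append({
            "severity": severity,
            "time": ev["ts"], "host": ev["host"],
            "user": ev["user"], "src": ev["src"], "result": ev["result"],
        })
    return alerts

def sources_by_attempts(alerts: list) -> Counter:
    """Count attempts per source address to spot one host working the account list."""
    return Counter(a["src"] for a in alerts)

if __name__ == "__main__":
    found = default_account_alerts(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['time']} {a['host']} {a['result']} for {a['user']} from {a['src']}")
    print(sources_by_attempts(found).most_common())
```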
v Robot Networks (Botnets)
Ø By using malware programs such as a Trojan horse, hackers
can build a remote-controlled robot network (a.k.a. a bot-net)
composed of computers owned by unsuspecting users.
Ø The bot-net operates a distributed attack against other
systems or delivers email spam messages against other
systems.
Ø If the victim attacks back against the sender, the attack will
harm only the unsuspecting user because the hacker is
invisibly reflecting the attack off the compromised system.
v Programming Vulnerability
Ø A significant number of computer programs contain multiple
vulnerabilities due to poor programming practices,
homegrown implementations with ineffective mechanisms, or
inherent lack of security in the original design.
Ø This is why the industry has a push toward using Common
Criteria certification of systems.
Ø The ISO 15408 Common Criteria toolkit is recognized as the
worldwide evaluation model of program security mechanisms.
Ø Unfortunately, even a Common Criteria–certified system can
be exploited if the user’s application program is poorly
written.
v Middleware Attack
Ø Computer programming is a complex process.
Ø Frequently the programmer will pass data between programs
to create an invisible workflow for the user’s benefit.
Ø Every program between the user and their data constitutes
middleware, which are invisible programs in the middle of the
processing flow.
Ø Data passing between the programs is usually not
authenticated, meaning we do not know exactly where it
came from or if it is valid data acceptable as input.
Ø This is how SQL injection and XSS operate.
Ø The lack of true source authentication and input validation is a
major risk in middleware attacks.
Ø Even worse, most middleware programs have privileged
accounts or execute at the privileged level within the
operating system.
Ø Hackers can exploit these middleware accounts in addition to
any program vulnerabilities and thereby take control of the
critical portion of the invisible workflow, completely
undetected by the user.
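The middleware failure the slide names (unvalidated data passed straight into a query) beside its hardened form, as an added example not taken from the study guide: a small in-memory SQLite table stands in for the back-end store, the vulnerable function splices input into the query text, and the hardened one validates the input against an allow-list and binds it as a parameter. The table, rows, and the `valid_customer` rule are constructed for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the back-end data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 120.0), (2, "bob", 45.5), (3, "carol", 999.0)])
    return conn

def orders_for_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """Middleware that trusts its input and splices it into the query text.
    Deliberately left vulnerable to show the failure the slide describes."""
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()

def valid_customer(customer: str) -> bool:
    """Input validation at the trust boundary: allow-list the expected shape."""
    return 0 < len(customer) <= 32 and customer.isascii() and customer.isalnum()

def orders_for_hardened(conn: sqlite3.Connection, customer: str) -> list:
    """Validate first, then bind the value as a parameter so it is data, never SQL."""
    if not valid_customer(customer):
        raise ValueError("rejected customer identifier")
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

def hardened_rejects(conn: sqlite3.Connection, customer: str) -> bool:
    """True if the hardened path refuses the input instead of running it."""
    try:
        orders_for_hardened(conn, customer)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", orders_for_vulnerable(db, crafted))
    print("hardened rejects:", hardened_rejects(db, crafted))
    print("hardened, honest input:", orders_for_hardened(db, "bob"))
```

Parameter binding alone is what stops the injection; the allow-list is the separate input-validation layer the slide calls for, and it also catches malformed input that is not an attack.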
CHECKPOINT ?
An e-commerce website needs to be monitored to detect
possible hacker activity. What would be the best security
component to perform this function?
a. Third-generation firewall
b. Honeynet ACL router with built-in sniffer software
c. Elliptic data encryption for privileged files
d. Statistical or signature-based detection software
CHECKPOINT ?
What method provides the best level of access control to
confidential data being processed on a local server?
a. Writing a history of all transaction activity to the system
log for auditing.
b. Processing of sensitive transactions requires a separate
login and password.
c. Application software uses internal access control rules
to implement least privilege.
d. System login access is restricted to particular stations or
hours of operation.