SIT 403

Systems Security and Audit


Unit Objectives
i. Describe the security pitfalls in many important computing tasks today;
ii. Assess the controls that can check these weaknesses;
iii. Identify the existing controls that are inadequate in computing systems;
iv. Appraise the different kinds of computing applications, their weaknesses and controls;
v. Identify vulnerabilities associated with computer security.
Information Systems

• An information system is an integrated set of components for
– Collecting data
– Processing data
– Storing data
– Providing information
– Sharing information
Components of an information system
• Computer Hardware
• Computer Software
• Telecommunications
• Users
• Data
• Policies
Levels of Management and I.S
I.S ACQUISITION
• Off-the-shelf
– Any kind of software solution that has been developed for the mass market.
– It is a ready-made product that you can purchase, e.g. the Office 365 suite.

• Bespoke
– Custom-made to address a specific business need, e.g. KIEMS, IFMIS.
Considerations
• Service Level Agreements
• Technical Support
• Training
• License Types
• Legal Conformance
LESSON TWO
IS Security
• Information System security refers to protecting the system from theft, unauthorized access and modifications, and accidental or unintentional damage.

• In computerized systems, security involves protecting all the parts of the computer system, which include data, software, and hardware.
Need for Information Security

• Confidentiality – restrict access to authorized individuals
• Integrity – data has not been altered in an unauthorized manner
• Availability – information can be accessed and modified by authorized individuals in an appropriate timeframe
Security Terms
Exposure - “actual harm or possible
harm”
Vulnerability - “weakness that may
be exploited”
Attack - “human originated
perpetration”
Threat - “potential for exposure”
Control - “preventative measure”
Why is IS Security Difficult?
• Lack of specialized IT skills to manage IS security
• Dynamic threat matrix of IS threats
• Legal definitions often vague or non-existent
• Legal prosecution is difficult
• IS security is expensive due to its dynamic nature

Technical System Threats
• Hacking: an unauthorized user gaining access to a computer or a network.

• Malware: malicious software that disrupts computer operations, gathers sensitive information, or gains access to a computer system to compromise data and information.

• Data interception and theft: where data is intercepted during transmission. This is done using software such as packet sniffers, which examine data packets as they are sent around a network or across the internet.

• Distributed Denial of Service (DoS): where a computer is used to prevent a server from performing its tasks. This is done by bombarding the server over and over again with requests. Eventually the server is tied up trying to handle all the DoS requests, making it very difficult for it to respond to legitimate requests.
Non-Technical Vulnerabilities
• Physical: Theft, tampering, snooping, sabotage, vandalism, local device access, and assault can
lead to a loss of data or information.

• Environmental: Natural events such as tornadoes, power loss, fires, and floods pose hazards to
the infrastructure in which data assets are located.

• Insider Threat: Employees, contractors, or partners can commit fraud, espionage or theft of
intellectual property.

• Social Media: Employees often fall victim to scams or reveal information not intended for public
knowledge on social media.

• Dumpster Diving: Improper disposal of sensitive data could lead to improper disclosures and sensitive information just sitting in trash bins. Having internal procedures for disposing of sensitive documents is crucial in preventing this kind of non-technical vulnerability.

• Social Engineering: Attackers rely heavily on human interaction to gain access to company
networks or systems, usually tricking users into breaking normal security procedures and
revealing their account credentials.
Malware Types

• Viruses – Programs embedded (hidden) within other files. They replicate themselves and become part of other programs. Viruses often cause damage by deleting or modifying data.

• Worms – Programs similar to viruses except that they are not hidden within other files. Worms often spread through emails.

• Trojans – Programs which pretend to be legitimate but in reality are malware. They are often disguised as email attachments. Trojans cannot spread by themselves; instead they deceive a user into installing the program.

• Spyware – Programs that monitor user activities (such as websites visited, usernames and passwords used) and send the information back to a hacker.

• Ransomware – Programs that attempt to blackmail a user into making a payment to a hacker. Some types of ransomware do little but try to scare users into paying, while others go further: they encrypt documents and will not decrypt them until a ransom is paid.
RANSOMWARE ANALYSIS
Ransomware
• Most common form of malware.

• Ransomware attacks encrypt a device’s data and hold it for ransom.

• If the ransom isn’t paid by a certain deadline, the threat actor threatens to delete or release the valuable data (often opting to sell it on the dark web).
Attack Process
What to look out for

• Increase in DNS size, DNS queries and replies
• Outbound zipped traffic with file extensions such as .zip, .onion, .tor, .bit
• Consistent SYN, SYN-ACK, ACK, FIN/PSH/RST
• Incomplete User-Agents
• IP lookups by internal PCs
• High MTU outbursts
• Suspicious destination and origin of connecting IPs
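As an added example (not part of the slides), the following Python scores internal hosts against four of the indicators listed above: DNS query volume over a baseline, queries to .onion/.tor/.bit names, lookups of the machine's own public IP, and incomplete User-Agents. The log lines, the baseline value and the list of IP-lookup services are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample logs (not real traffic). DNS lines: "time host qname qtype";
# proxy lines: "time host destination user-agent".
DNS_LOG = """\
10:00:01 pc-17 intranet.example.local A
10:00:02 pc-17 updates.example.com A
10:00:03 pc-42 intranet.example.local A
10:00:04 pc-42 abcdefghijklmnop.onion A
10:00:05 pc-42 payments.bit A
10:00:06 pc-42 a1.example.com A
10:00:07 pc-42 a2.example.com A
""".splitlines()
PROXY_LOG = """\
10:00:10 pc-17 updates.example.com Mozilla/5.0 (Windows NT 10.0) Firefox/120.0
10:00:11 pc-42 api.ipify.org -
10:00:12 pc-42 203.0.113.9 Mozilla/4.0
""".splitlines()

SUSPICIOUS_TLDS = (".onion", ".tor", ".bit")
IP_LOOKUP_SERVICES = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}  # assumed list
DNS_BASELINE = 3  # assumed baseline: DNS queries per host in the window
# "Incomplete" user agent: empty, "-", or a bare Product/version with no details.
INCOMPLETE_UA = re.compile(r"^(-|\S+/[\d.]+)?$")

def score_hosts(dns_lines, proxy_lines):
    """Map each host to the list of ransomware network indicators it triggered."""
    findings = defaultdict(list)
    queries = defaultdict(int)
    for line in dns_lines:
        _, host, qname, _ = line.split()
        queries[host] += 1
        if qname.lower().endswith(SUSPICIOUS_TLDS):
            findings[host].append(f"query to suspicious TLD: {qname}")
    for host, n in queries.items():
        if n > DNS_BASELINE:
            findings[host].append(f"DNS query volume {n} exceeds baseline {DNS_BASELINE}")
    for line in proxy_lines:
        _, host, dest, ua = line.split(maxsplit=3)
        if dest in IP_LOOKUP_SERVICES:
            findings[host].append(f"external IP lookup via {dest}")
        if INCOMPLETE_UA.match(ua):
            findings[host].append(f"incomplete User-Agent: {ua!r}")
    return dict(findings)
```

On the constructed logs only pc-42 is reported, with six separate reasons; a real deployment would tune the baseline per host from recorded history rather than use a fixed number.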
Distributed Denial of Service (DDoS)
DDoS

• A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

– Examples of floods
• ICMP Flood
• SYN Flood
• HTTP Flood

• DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
What to look out for

• Unexpected amounts of traffic originating from a single IP address or IP range
• A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version
• An unexplained surge in requests to a single page or endpoint
• Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g. a spike every 10 minutes)
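As an added example (not from the slides), this Python checks one window of a web access log for the first three indicators above: a single address or /24 range sending unexpected volume, a surge to one endpoint, and a flood of clients sharing one behavioral profile (here the User-Agent). The log lines and the three thresholds are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed access log (not real traffic): "time client_ip path user_agent".
ACCESS_LOG = (
    [f"12:00:0{i} 198.51.100.7 /login Bot/1.0" for i in range(4)]
    + [f"12:00:1{i} 198.51.100.8 /login Bot/1.0" for i in range(2)]
    + [f"12:00:2{i} 198.51.100.9 /login Bot/1.0" for i in range(2)]
    + ["12:00:30 203.0.113.5 /index.html Mozilla/5.0 (X11; Linux) Firefox/120.0",
       "12:00:31 203.0.113.6 /about Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"]
)

PER_IP_LIMIT = 3     # assumed: max requests from one address per window
PER_RANGE_LIMIT = 6  # assumed: max requests from one /24 per window
SHARE_LIMIT = 0.6    # assumed: max share of the window for one endpoint or profile

def parse(lines):
    """Split each log line into (client_ip, path, user_agent)."""
    rows = []
    for line in lines:
        _, ip, path, ua = line.split(maxsplit=3)
        rows.append((ip, path, ua))
    return rows

def ddos_indicators(lines):
    """Return (indicator, value) pairs that fire on one window of the log."""
    rows = parse(lines)
    hits = []
    if not rows:
        return hits
    total = len(rows)
    # Single source address or address range sending unexpected volume.
    for ip, n in Counter(ip for ip, _, _ in rows).items():
        if n > PER_IP_LIMIT:
            hits.append(("single_ip", ip))
    ranges = Counter(str(ip_network(f"{ip}/24", strict=False)) for ip, _, _ in rows)
    for net, n in ranges.items():
        if n > PER_RANGE_LIMIT:
            hits.append(("ip_range", net))
    # Surge to one endpoint, or a flood of clients sharing one profile (same UA).
    path, n = Counter(p for _, p, _ in rows).most_common(1)[0]
    if n / total > SHARE_LIMIT:
        hits.append(("single_endpoint", path))
    ua, n = Counter(u for _, _, u in rows).most_common(1)[0]
    if n / total > SHARE_LIMIT:
        hits.append(("shared_profile", ua))
    return hits
```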
Assignment
• Download & Read the CMCA Regulations
• Identify Five technological security challenges
that will be addressed by the regulations
• Provide your recommendations
• Present in Groups
LESSON THREE
Threat Monitoring
• A process dedicated to continuously monitoring networks and/or endpoints for signs of security threats such as attempted intrusions or data exfiltration.
Benefits of Threat Monitoring
• Learn what is happening on networks, who is using them,
and whether or not they are at risk
• Understand how well network usage aligns with policy
requirements
• Meet the standards of regulatory compliance or business
partner agreements that require monitoring of sensitive
data types
• Find vulnerabilities in networks, applications, and security
architecture and understand how to fix them
• Proactively manage network, application and computing
resource performance.
Threat Monitoring Tools
• Wireshark
• Zeek
• Suricata
• Brim
• Splunk
• IOTA
Threat Monitoring Aspects
Network Baselining – process of recording network traffic and performance, saving it for future reference and/or reviewing it to see traffic patterns.
• Metrics to use
– Bandwidth usage over a specified time period
– Location of endpoints sending inbound traffic
– Applications accessed by users
– Amount of inbound/outbound traffic over a specified time period
– Creation of new accounts
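As an added example (not from the slides), this Python records a baseline from hourly samples of the metrics listed above and then compares a new hour against it, flagging any metric more than three standard deviations above its mean and any application not seen during the baseline period. The history values, the test window and the three-sigma threshold are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed history (not real measurements): one sample per hour.
HISTORY = [
    {"inbound_mb": 420, "outbound_mb": 95, "apps": {"mail", "erp", "web"}, "new_accounts": 0},
    {"inbound_mb": 450, "outbound_mb": 110, "apps": {"mail", "erp", "web"}, "new_accounts": 1},
    {"inbound_mb": 400, "outbound_mb": 90, "apps": {"mail", "erp"}, "new_accounts": 0},
    {"inbound_mb": 470, "outbound_mb": 100, "apps": {"mail", "erp", "web"}, "new_accounts": 0},
    {"inbound_mb": 430, "outbound_mb": 105, "apps": {"mail", "erp", "web"}, "new_accounts": 1},
]
# Constructed hour to review: outbound volume and account creation jump, and a
# previously unseen application appears.
REVIEW_WINDOW = {"inbound_mb": 440, "outbound_mb": 2400,
                 "apps": {"mail", "erp", "ftp"}, "new_accounts": 6}

NUMERIC = ("inbound_mb", "outbound_mb", "new_accounts")
SIGMAS = 3  # assumed: deviation threshold in standard deviations

def build_baseline(history):
    """Record (mean, stdev) per numeric metric and the set of applications seen."""
    base = {}
    for m in NUMERIC:
        values = [h[m] for h in history]
        base[m] = (mean(values), pstdev(values))
    base["apps"] = set().union(*(h["apps"] for h in history))
    return base

def compare(window, baseline):
    """Return the deviations of one new hourly window from the saved baseline."""
    alerts = []
    for m in NUMERIC:
        mu, sigma = baseline[m]
        # A metric that never varied (sigma 0) is flagged on any increase.
        limit = mu + SIGMAS * sigma
        if window[m] > limit:
            alerts.append(f"{m}: {window[m]} above baseline limit {limit:.1f}")
    unseen = window["apps"] - baseline["apps"]
    if unseen:
        alerts.append(f"unseen applications: {sorted(unseen)}")
    return alerts
```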
Network Profiling
• A feature that monitors communication to the various endpoints and applications and, from the communication status, provides reports that make unknown threats and latent risks visible.

• Examples of network profiling tools
– JA3/JA3S
– JARM

Benefits
– Identification of C2 infrastructure
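As an added example (not from the slides or the JA3 project), this Python builds JA3 (client) and JA3S (server) fingerprints from already-parsed TLS handshake fields and looks them up in a watchlist. JA3 joins the ClientHello version, cipher suites, extensions, elliptic curves and point formats as decimal values, "-" between values and "," between fields, then takes the MD5; JA3S does the same with the ServerHello version, chosen cipher and extensions. GREASE values are dropped so a client's fingerprint stays stable. The sample ClientHello and the watchlist entry are constructed, not real indicators.

```python
import hashlib

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random filler that browsers
# insert; JA3 drops them so the same client always yields the same fingerprint.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 client string: version,ciphers,extensions,curves,point_formats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])

def ja3_hash(version, ciphers, extensions, curves, point_formats):
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()

def ja3s_string(version, cipher, extensions):
    """JA3S server string: negotiated version, chosen cipher, extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])

def ja3s_hash(version, cipher, extensions):
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode()).hexdigest()

# Constructed watchlist (an assumption for illustration, not a real C2 indicator):
# the fingerprint of a client offering exactly these TLS parameters.
WATCHLIST = {
    ja3_hash(771, [4865, 4866, 49195], [0, 10, 11, 13], [29, 23, 24], [0]):
        "constructed-watchlist-entry",
}

def classify(fingerprint):
    """Return the watchlist label for a fingerprint, or None if it is unknown."""
    return WATCHLIST.get(fingerprint)

# Constructed ClientHello carrying a GREASE value in each list; after filtering
# it produces the same fingerprint as the watchlist entry above.
SAMPLE_HELLO = dict(version=771, ciphers=[0x1a1a, 4865, 4866, 49195],
                    extensions=[0x2a2a, 0, 10, 11, 13],
                    curves=[0x3a3a, 29, 23, 24], point_formats=[0])
```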
