Intro

Question 1

What can loss mean?

Answer 1

• financial loss both direct and indirect
• recovery cost
• productivity loss
• business disruption
• reputation damage

Question 2

What can we say about the complexity of the ICT scenario?

Answer 2

Complexity is an enemy of obscurity. Related to this there is the first axiom of engineering: “The more complex a system is, the more difficult its correctness verification will be, meaning its implementation, management, operation”. Based on it there is the KISS concept: Keep It Simple, Stupid

Question 3

How can we perform a risk estimation and which approaches can we have?

Answer 3

We have to take into account:
* service
* a service is implemented via an asset = set of good, data, Human Resources
* there are some event related to the asset:
* vulnerabilities: intrinsic weaknesses of that asset, including natural events
- threats: possibile deliberate action (Attack) or accidental event that can produce the loss of a security property by exploiting a vulnerability

• the consequences of these events are measured on their impact and their probability of happening
• from these measures we get to estimating the risk by listing all the possible risks prioritizing them by their impact and by the available time and budget

How to represent the risk estimation:
- risk assessment matrix
- risk heat map

Approaches:
1. address the most important risk
2. maximize the number of risks covered

Question 4

Which are the basic problems in the ICT scenario insecurity?

Answer 4

• humans: they are not aware of the possibile risks, they have a natural instinct to trust, they don’t understand complex architectures…
• attackers use social techniques: they target users via mail, phone, …, they put psychological pressure on people or they study their their habits to make them lower their level of defense
• most networks are insecure: communication in clear, via broadcast, with shared links, using third party routers
• weak user authentication, often password based + no server authentication
• software with many bugs

Question 5

What is a Zero Trust Architecture?

Answer 5

It is an architecture implemented above the concept “the enemy is everywhere”

Question 6

Incident - data breach - data disclosure

Answer 6

Incident: a security event that compromises the integrity, confidentiality, availability of an asset (security properties)

Data breach: and incident that results in the disclosure or potential exposure of data

Data disclosure: a breach for which it was confirmed that data was actually disclosed and not just exposed to an unauthorized party

Question 7

What is C.I.A. in the security field?

Answer 7

Confidentiality, integrity, availability (pyramid)

Question 8

Which are the components of a cyber threat?

Answer 8

1. Actors + Motivation
   
   • actors = pyramid: people who do it just for fun-> criminal who do it for profit -> organized crime -> terrorists -> APTs (Advanced Persistent Threats, for example governments)
   • motivation: MICE = Money, Ideology, Compromise, Ego
2. Vulnerable target
3. Vectors = Vulnerabilities + context

Question 9

Which are the standardization Bodies for cybersecurity?

Answer 9

ISO, ITU… TODO

Question 10

Which are the security principles? Just list them

Answer 10

• security in depth
• security by default
• neet-to-know
• least privilege
• security by design

Question 11

Security in depth

Answer 11

It is one of the security principles.

It refers to the practice of using multiple layers of security controls (defensive mechanisms) throughout an information system. The idea is that if one layer fails, another will stop the threat, thereby providing a comprehensive defense strategy against a wide range of threats.

Example: An organization might implement a firewall to prevent unauthorized access from the internet, use encryption to protect data in transit, deploy antivirus software to detect and remove malware, and enforce strong authentication mechanisms. Even if a hacker bypasses the firewall, the encryption and antivirus layers provide additional barriers to protect the data.

Question 12

Security by default

Answer 12

It is one of the security principles.

It means that the default configuration settings of software products and systems are set to the most secure settings possible. This principle ensures that without any additional configuration, the system will operate in a secure manner, minimizing the risk of vulnerabilities due to misconfiguration or default weak settings.

Example: When a person get a wifi modem from a company he is forced to change the password in order to use it

Question 13

Need-to-Know

Answer 13

It is one of the security principles.

The need-to-know principle restricts aims to give access to information only to parties that require it to carry out their duties. This can lead to reduce the risk of unauthorized disclosure or access.

Example: consider a company that has various departments, each handling different types of sensitive data. Under the Need-to-Know principle, employees in the finance department would have access to financial records and reports, but not to the human resources files, unless their job explicitly requires access to both.

Question 14

Least privilege

Answer 14

It is one of the security principles.

The principle of least privilege involves providing individuals or systems the minimum levels of access—or permissions—needed to perform their duties. This reduces the risk of accidental or deliberate misuse of permissions and limits the potential damage from incidents, in fact the more the permission the more the possible attacks.

Example: A system administrator may have access to all systems for maintenance purposes, but a regular employee is only given access to the network resources necessary for their job, such as email, specific databases, or certain applications, and nothing beyond that.

Question 15

Security by Design

Answer 15

It is one of the security principles.

Security by Design means that security is integrated into IT systems from the earliest stages of development, rather than being added as an afterthought. This approach entails considering security in all aspects of system design and architecture, thereby ensuring that the system is fundamentally secure from the ground up.

Example: When developing a new software application, the development team incorporates input validation checks, secure authentication mechanisms, and encryption of sensitive data right from the planning and design phases, rather than retrofitting these security measures into an existing product.

Question 16

When can we say that something is secure?

Answer 16

To say that something is secure means nothing, to say that something follows some of the security properties means a lot.

Question 17

Which cases of data protection we have to consider in applying a security property?

Answer 17

• data in transit
• data at rest: in the device storage
• data at work: in RAM to be used

Question 18

List all the security properties

Answer 18

• authentication: simple or mutual, peer or data
• authorization
• non-repudiation: formal proof, acceptable by a court of justice, that gives undeniable evidence of the data creator. It is not present when something is automatic
• privacy: of a communication, of data/action/position…
• integrity: this property leads to the detection of data modification, cancellation or filtering
• confidentiality: if data are changed this property doesn’t give the possibility to detect the changes ≠ integrity
• availability
• traceability, accountability
• serialization

Question 19

Which types of enemy actions we have?

Answer 19

• MITM: Man In The Middle
• MATE: Man At The End, inside one peer
• MITB: Main In The Browser, inside one specific component of a peer

These actions can be active or passive:
- active: read, modify, delete, create
- passive: read only

Question 20

Which are the security pillars?

Answer 20

0. planning
1. Avoidance using FW, VPN, etc.
2. Detection using IDS, monitor, etc.
3. Investigation with forensic analysis, internal audit, … -> 1

Question 21

What is a Trojan?

Answer 21

It is a program containing a dangerous payload. It is a malware vector.
The problem is that even if network channels are more protected, user terminals are less protected: they use devices such as Smartphone, smart-TV, they use IoT (Internet-of-Things) and they are often “ignorant” users

A trojan can be implemented as classic attack tools (e.g. keylogger as part of a game) or as modern ones (e.g. browser extension)

It is often used to create a
- MATE = Man-At-The-End
- MITB = Man-In-The-Browser

Question 22

What is a Zeus?

Answer 22

Zeus, also know as Zbot, is currently a major malware + botnet. it is the father of all bots.
It was discovered (born?) on 2007 and sold (?) on 2010.

It can be used:
- directly: e.g. MITB for keylogging or form grabbing
- indirectly, to load other malware (e.g. the CryptoLocker ransomware)

It is very difficult to discover and remove, couse it hides itself with stealth techniques.
For example it presents itself as driver for a keyboard.

There are about 3.6 M active copies just in the USA

TODO: slide 62

Question 23

Which malware categories do we have? List them

Answer 23

• Trojan
• virus
• worm
• rootkit
• backdoor
• Potentially Unwanted Application - PUA: it’s a sort of grayware, not directly dangerous
• Ransomware

Question 24

Virus and worm

Answer 24

They are malware.

A virus damages the target and replicates itself. It is propagated by humans (involuntarily)

A worm damages the target by replicating itself (resource saturation) by automatic propagation.

The problem with virus and worms are their replicas, not the process they start itself. For example if the virus/worm enters the network it can crash the whole system because every device connected to that network will be infected.

They require complicity (may be involuntary) from: the user (gratis, free, urgent, important, …), the sys manager (wrong configuration), the producer (automatic execution, trusted, …)

Countermeasures:
- user awareness
- correct configuration / secure sw
- install antivirus (and keep updated!)

Question 25

Backdoor

Answer 25

It is a malware category and it is an **unauthorized access point**. Programmers often hide it in case they get not paid for their work.

Question 26

Rootkit

Answer 26

It is a malware category. A rootkit is a collection of softwares, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. Rootkit installation can be automated, or an attacker can install it after having obtained root or administrator access.

Question 27

What is a Malware Food Chain?

Answer 27

TODO slide 61 "Food Chain malware" as food chain in nature is composed by a number of people who behave on the basis of taking advantage on someone else, in the case of malware is own economic benefit. This process starts with the discovery of a vulnerability in a system, then a programmer creates a malware and sells it (on vulnerability marketplace) to a number of people. Afterwards, one of the buyers of the code exploits (modify it) and sell the code on the market toolkit market to a bigger number of people. Finally, one of the second-time buyers decides to conduct an attack.

Question 28

Ransomware

Answer 28

It is a malware oriented to get a ransom. The target can be: - a desktop or a laptop (disk content made unreadable) - also a tablet and a smartphone (made unusable) These are unblocked (not always) after paying a certain amount of money. Countermeasures (and problems): - encrypted data - backup - do it and try it on another computer to control that you can read it -> this helps in avoiding the silent ransomware: it stays silent and watches every time you do a backup - it has to be done offline - it has to be stored at minimum 30 km away and not near magnetic fields that could ruin it - good to have a system that can compute the difference between the new backup and the last one

Question 29

RaaS, example

Answer 29

Ransomware-as-a-service It is a business model adopted by cybercriminal made of: - developers of ransomware that lease them out to the attackers - attackers who actually launch the ransomware - often a payment system example: TOX malware (server in the TOR anonymous network): - ask for the ransom and handles the payment (with a 20% service fee) - the "customer" has only the task to distribute it to the victims - fast growth

Question 30

What is Stuxnet?

Answer 30

It is the prototype of a new kind of attack made of worm + virus for Windows. It is a malware for cyberphysical systems. Goals: - attempt to propagate to other systems - attempt to damage the SCADA systems (of a specific manufacturer) attached to the infected nodes Attack and propagation vectors: - 1 known vulnerability with available patch - 1 known vulnerability with no patch - 2 “zero-day” vulnerabilities Timing: - 17/6/10 first detection - 24/6/10 detected the use of a first signature certificate to appear as valid MS software !() - revoked on 17/7/10 - ... but the malware starts using a second signature certificate! - 14-15-16/7/10 security bulletins by CERT and MS - patches gradually released through October ’10 - self-stopped its propagation on 24/6/2012 Geographic distribution: - 52% Iran - 17% Indonesia, 11% India, ... Distribution and propagation: - USB key as initial attack vector: likely first infection via a USB key of a maintenance technician - shared disks (network share) - disguised as a driver: with a digital signature validated by Microsoft!!! + uses two different certificates - access from the infected node to the back-end DB thanks to a shared default pwd (!!!) on every node Lessons learnt - systems protected with physical separation (air gap) but without other standard protections such as anti-virus, patch, firewall are not good - unnecessary services active are not good: MS-RPC, shared network print queues, shared network disks - validation list for software to be installed

Question 31

Mirai

Answer 31

todo pag 88-89

Question 32

Source address spoofing attack

Answer 32

Someone uses the address of another host to take its place as a client or as a server. Typically it is forged the IP address but it is equally easy to forge the level 2 address ➜ its better to call this attack as “source address spoofing” By changing just the IP the attacker is detectable Attacks: - **data forging** - **unauthorized access to system** Countermeasures: do never use address-based authentication

Question 33

Shadow/fake server attack: definition, attacks, countermeasures

Answer 33

Host that manages itself to victims as a service provider without having the right to do so Techniques: - request sniffing and response spoofing. This is difficult because to do so the shadow server must be faster than the real one or this one must be unable to respond for example due to DDoS - wrong mapping for example with routing or DNS manipulation Attacks: - issue wrong answers by providing thus a “wrong” service to victims instead of the real one - **capture victim’s data provided to the wrong service** Countermeasures: server authentication

Question 34

Packet sniffing attack

Answer 34

It is the detection of packets in transit in a network and their analysis to steal sensitive information. It’s easy to do it in broadcast networks (LANs, …) or at the switching nodes Attack: - intercept anything Countermeasures: - non broadcast networks (impossible to not use them at all) - encryption of PAYLOAD data - protection from the statistical analysis of traffic by sending a continuous stream and continuous data - protect the ports of routers and switches - take care of the printers which obtain the information in clear.

Question 35

Connection hijacking / data spoofing

Answer 35

Hijacking (or Man In The Middle) is the hijacking of a connection by a part of an individual by manipulating packets: data are inserted/modified/cancelled during their transmission. It can be a logical or physical MITM: - physical level: the attacker is placed in the communication channel between two nodes and for example it can cut the cable - logical (by receiving packets on the one hand, handling, and redirecting to the other) Attacks: - reading, insertion of false data and modification of data exchanged between two parties - Phishing - DoS - Replay - Eavesdropping - Chosen-ciphertext - Substitution Countermeasures: - confidentiality, authentication, integrity and serialization of each individual packet to guarantee that all the packets arrived and none is missing - the authentication must be performed non just when the connection is created because a MITM arrives after

Question 36

DoS

Answer 36

The functionality of a service is limited or disrupted. This is done by keeping a host busy so that it cannot provide its services ➜ when other attacks are impossible to make Discovering this type of attack is difficult because it is often not easy to identify whether it is actually an attack or a simple malfunction (not to mention the fact that the inaccessibility of the service makes it difficult to diagnose it). Attack: - block the use of a system/service examples: - mail/log saturation - ping flooding (bombing): ICMP empty packets without waiting for the response - SYN attack Countermeasures: being a predominantly brute force attack, there is no simple method to protect against it other than by increasing the agility and flexibility of the system in question, perhaps by increasing the number of servers and connections or by improving the efficiency of security software

Question 37

DDoS

Answer 37

Software for DoS are installed on **many nodes** that are called **daemon/zombie/malbot** to create a **Botnet**. These daemons are remotely controlled by a **master** that makes them work in **synchro** `effect = DoS * #daemons` A DDoS attack can be improved by: * using a reflector: to hide the attacker’s tracks, to multiply the attackers * using an amplification factor N:1: look for a reflector server with response| >> |request|, it depends on the attack protocol used (easy with UDP and ICMP) **Examples**: - command & control infrastructures - C/S or P2P communications - ecrypted or “covert” channels: e.g. UDP packet over ICMP (= the UDP packet is set as the payload of an ICMP packet so that it seems a ping when it is not) - auto-update capability

Question 38

Defacement attack

Answer 38

Website defacement is an attack on a website that changes the visual appearance of a website or a web page

Question 39

Replay attack

Answer 39

A replay attack is a type of network attack where a valid data transmission is maliciously or fraudulently **repeated or delayed**. This attack is often executed by an **attacker who intercepts data and retransmits it to deceive the receiver into believing they are receiving a legitimate message**, thereby potentially gaining unauthorized access to a system or service. example: intercepting data in a bank system that enable a payment and sending them repeatedly. Countermeasures: * authentication * nonce * timestamp

Question 40

Phishing attack

Answer 40

Phishing is an attack that **uses the social engineering** and can be **achieved using Connection Hijacking (MITM).** It aims to attract the victim via email or instant messaging convincing it to provide sensitive personal information (password to access the bank account, credit card number, etc ...). There are two variants: - **Spear phishing**: increase the credibility of the message by entering some personal information from the victim or very accurate data that give the message an apparent authenticity. - **Whaling**: aims to "bite" important people (eg CEOs), in fact the higher the hierarchical level, the lower the level of expertise especially on technology. Countermeasures: - Be careful to visit non secure sites. In case of request for personal information, account numbers, passwords, or credit card, never send this kind of information - it is good practice to forward a copy to the competent authorities and notify the bank or other interested parties, so that they can take further measures against the fake site and inform their users. - Check the icon, lock icon in all browsers, indicating that it is established a secure connection (eg SSL / TLS).

Question 41

Spoofing attack

Answer 41

It can be data spoofing or source address spoofing

Question 42

Explain what social engineering is, give an example of this attack, indicate the countermeasures that a company can take to defend itself.

Answer 42

By social engeniiring we mean a type of attack that does not hit the "IT" side of a company / organization, but the human side, exploiting the psychological and social weaknesses of people in prominent positions. A very relevant and widespread example is the phishing mail which consists in sending fake emails that push the user to click on malicious links. The best countermeasure a company can employ in this regard is to educate its employees about these risks. Countermeasures: - Organizations must, at employee / personnel level, establish a trust infrastructure (when / where / why / how sensitive data should be treated) - Organizations need to identify what information is sensitive and discuss its integrity in all forms (ie: social engineering, computer security, etc ...) - Organizations must establish security protocols for people who manage sensitive information (eg legal documentation for the dissemination of information) - Employees must be trained in security protocols relevant to their position in the institution (for example, employees must identify people who are directed to sensitive information, in situations like tailgating, in which an unauthorized person sneaks into the restricted areas following those authorized, if a person's identity can not be verified, then the employees must be trained to politely refuse access) - The infrastructure trusted organization must be periodically checked performing test without notice.

Question 43

What do the following words mean? Vulnerability, threat, security control, assets and attack? How are they related?

Answer 43

- Vulnerability: intrinsic weakness of an IT asset - Threat: An intentional or accidental event that can cause the loss of a security property by exploiting a vulnerability - **Attack: occurrence of an "intentional event" threat** - Security control: used to limit / prevent any type of threat to assets - Asset: the set of assets, data and people necessary for the provision of an IT service

Question 44

Say what the window of exposure is and where you can act to reduce it

Answer 44

The exposure window is the length of time the system is exposed to a security threat: 1. Discovery phase: an attacker exploits an unknown vulnerability: (a) an attacker discovers a new vulnerability; (b) the attacker develops an attack program, called an exploit, which exploits this vulnerability; (c) the attacker begins to carry out attacks, causing the vulnerability to become public; 2. Publishing stage: people try to limit the damage: (a) the victim of the attack informs the producer of the vulnerability; (b) the manufacturer informs all its customers of the existence of this problem; (c) customers update defense tools (eg IDS signatures), pending a patch; (d) the manufacturer releases a patch; 3. protection phase: customers apply the countermeasure: (a) the patch is made available to all customers; (b) only when everyone installs the patch can the problem be considered solved. To reduce it, periodic security checks can be carried out to detect vulnerabilities in advance, and notify the public as soon as possible in the event of an attack so as to minimize damage.

Question 45

Bruce Scheiner wrote "security is a process, not a product". Explain the meaning of this statement and provide a practical example of its implementation with technical elements.

Answer 45

Buying a single product to make security is not enough to make a system protected as the single product is not free from bugs, but it is necessary to design your own security system using multiple systems in parallel, possibly from different manufacturers in order to guarantee a major defense. The most practical example is to use a firewall from a manufacturer and an identification system from a second manufacturer (IDS), so in the event of a bug with the first product, the second takes over to stem the damage.

Question 46

Briefly explain the security property called integrity by saying which attacks it protects against both when the data it refers to is stored and when it is transmitted.

Answer 46

Integrity is a security property that ensures data is accurate, consistent, and unaltered during storage and transmission. This means that any unauthorized changes to the data can be detected. Stored data: integrity protects against * Malware: Integrity checks can help detect malware that tries to modify files or databases * Insider Threats: Even authorized users may attempt to alter data maliciously Transmitted data: integrity protects against * MITM * **replay attacks** * eavesdropping (if data eavesdropped are modfied too) * data forging

Question 47

Explain at least two ways to perform a sniffing attack

Answer 47

● Using a hub between the firewall and the switch. Hub is a device which input is reproduced in all of the other ports, with the help of this instrument a sniffer pc can be placed in one of the ports succeeding in obtaining all of the information going through the network because all the ethernet frames are sent to all the other ports ● Directly on the nodes of sorting (router-switch) by the administrator or someone who has access on it. In this point mail for instance can be read easily.