CS263 - Cyber Security

Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks.

Brief history

  • 1940s - First computer
  • 1950s - Telephone hacking
  • 1971 - Creeper for ARPANET, the first worm
  • 1972 - Reaper, which removed Creeper, the first antivirus
  • 1983 - US Department of Defence published Trusted Computer System Evaluation Criteria
  • 1987 - First commercial antiviruses
  • 1988 - Morris worm, first charge under 1986 Computer Fraud and Abuse Act
  • 1991 - First polymorphic virus
  • 1994 - SSL protocol developed
  • 1999 - Melissa macro virus
  • 2010 - Stuxnet worm
  • 2017 - Wannacry ransomware
  • 2021 - Log4Shell

Cybersecurity threats

  • Destruction of data
  • Unauthorised modification of data
  • Theft of data
  • Disclosure of data
  • Interruption of services

Examples of exploits:

  • Buffer overflow - A program attempts to put more data in a buffer than it can hold. Writing outside the bounds of a block of allocated memory can allow for the execution of malicious code.
  • Man in the middle attack - An attacker intercepts and relays messages between two parties
  • Denial of service attack - Attacker prevents authorised users from accessing a service
  • Zero day exploit - A vulnerability discovered by an attacker before the vendor is aware of it
  • Backdoor - A method of bypassing normal authentication to gain unauthorised access to a system
  • Trojan - A program with a hidden malicious purpose

Kali Linux

Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. It includes lots of tools including

  • nmap - Port scanning
  • John the Ripper - Password cracking
  • Wireshark - Packet sniffing
  • Burpsuite - Web application testing
  • Autopsy - Forensic analysis
  • GPG - Signatures and encryption
  • Steghide - Steganography (hiding data in an image)
  • Metasploit Framework - Penetration testing

Penetration testing

Penetration testing consists of 3 main stages: preparation, testing and reporting.

Preparation can include

  • Interviewing the client to assess their concerns
  • Determining the scope of testing
  • Signing a penetration testing agreement
  • Define the rules of engagement

When testing, it is important to only carry out the testing requested and consider relevant laws of all countries the testing takes place in.

Once testing has been completed, the findings can be compiled into a report. This explains to the client the vulnerabilities found, their severity and what can be done to mitigate them.

Reconnaissance

The aim of reconnaissance is to determine a list of targets to be scanned, assessed and exploited.

Open source intelligence (OSINT) is intelligence derived from publicly available sources. These sources may include websites, social media, job listings, arrest records, DNS records, archives and image metadata.

Scanning

Scanning is used to discover a system's vulnerabilities. Host discovery can be used for find hosts which are alive. Port scanning can be used to find vulnerable open ports. Tools like netstat, nmap, tcpdump, traceroute and wireshark can be used to analyse networks and read packets.

Exploitation

An exploit takes advantage of a vulnerability to perform an attack. It is important to not breach the rules of engagement when exploiting a system.

A common exploit payload is a shell. There are type types - bind and reverse shells. Bind shells open a port which listens for connections on the target whereas a reverse shell connects the target back to the attacker. A bind shell may be blocked by a firewall so reverse shells are usually more successful.

Web shells are malicious scripts installed onto a web server. They act as a backdoor and allow the attacker access to the web server. This attack can be prevented by using file integrity monitoring and suitable permission settings.

Web application testing

The OWASP testing guide describes four testing techniques

  • Manual inspections and reviews - Human reviews which test the security implications of people, policies and procedures
  • Threat modelling - Risk assessment for applications
  • Source code review - Manually checking source code for vulnerabilities
  • Penetration testing

Several tools exist for testing web application security. Examples include

  • w3af - Attack and audit framework
  • sqlmap - SQL injection detector
  • Hydra - login cracker
  • Nessus - vulnerability scanner
  • ZAP - man in the middle proxy, intercepts communications
  • Burp suite - Contains several tools for web application testing

Fuzzing is a software testing technique which random, invalid or unexpected data to find vulnerabilities.

Bug bounty programs incentivise the finding and disclosure of bugs in a program by offering a financial reward.

Web application attacks can be mitigated by performing vulnerability scanning, using a web application firewall (WAF) and secure development testing.

There are many types of web application attack, including

  • Cross site scripting (XSS)
  • Path traversal
  • Clickjacking
  • Cross site request forgery (CSRF)
  • Reflected DOM injection
  • SQL injection

A Same Origin policy only allows Javascript from the same host to run on a website. Cross site scripting can bypass this by manipulating a vulnerability in a website and returning malicious code to a user. There are three types of XSS attack

  • Reflected XSS - from the current HTTP request
  • Stored XSS - from the website's database
  • DOM-based XSS - from a vulnerability in client-side code

Program security

Some common vulnerabilities include

  • Stack overflow - memory used by a recursive function exceed stack capacity
  • Buffer overflow - Accessing memory outside of allocated buffer
  • Access after deallocation
  • Uninitialised variables
  • Time of check to time of use flaws
  • Side channel attacks - uses timing or processor utilisation to gather information

Application vulnerabilities can be found using three methods

  • Static code analysis - Checks source code for flaws without executing it
  • Reverse engineering - analyse binary/assembly
  • Fuzzing - Fuzz inputs until something happens

GRC

GRC stands for Governance, Risk management and Compliance. It is a way to align cyber security with business goals while managing risk and complying with regulations.

Governance is the set of policies that a company uses to achieve its business goals. It defines the responsibilities of key stakeholders. Risk management considers potential problems and how they can be managed and compliance ensures a business complies with any laws and regulations necessary. Cyber security can be taken into consideration for all of these principles.

Hashing

A hash function maps data of any size to a fixed size output. Hash functions are one-way, meaning they are computationally hard to reverse.

Message Authentication Codes (MAC) are keyed hash functions. It uses a key to hash data. The same key can be used by the recipient to check the hash matches and authenticate the sender.

The birthday paradox states that only 23 people are needed for the probability that two of them share a birthday to be greater than 50%. The birthday attack on a hash function exploits this probability. A good hash function should require an attacker to compute as many hashes as possible before finding a match.

Hashing can be used to ensure data integrity and to provide digital signatures.

Hashing is used to store passwords securely but common passwords will have the same hash, making them easy to crack. A salt is random data appended to a password which prevents this. In addition to this, a salted hash can then be peppered with a secret key stored separately to the passwords.

Hashing is also used for blockchain transactions.

Contingency planning

Contingency planning is how an organisation handles and unexpected event or incident. It aims to resume normal operation with minimal cost and disruption after an adverse event.

There are 4 types of contingency planning

  • Incident response - planning and preparation for detecting, reacting to and recovering from an incident
  • Disaster recovery - Recover assets after a disaster
  • Business continuity - Ensure business operations can continue after a disaster with as little downtime as possible
  • Crisis management - Overall management of emergencies

Contingency planning includes making backups and having backup servers.

Threat modelling

Threat modelling identifies, communicates and prioritises threats and proposes mitigations.

One threat model is STRIDE. Each threat and the security property it threatens are as follows

  • Spoofing - authentication
  • Tampering - integrity
  • Repudiation - non-repudiation
  • Information disclosure - confidentiality
  • Denial of service - availability
  • Elevation of privilege - authorisation

DREAD uses a formula to evaluate vulnerabilities. Risk value = (Damage + Affected users) x (Reproducibility + Exploitability + Discoverability)

Open Authentication (OAuth) allows third-party application to access a user's account from another service without giving the third-party any credentials. Third-parties are granted access tokens from the OAuth service.

Various cyber security tools

  • CashCat can be used to deliver a ransomware attack
  • foremost can be used to retrieve deleted files
  • Ettercap can be used to perform an ARP spoofing attack
  • Maltego is an information gathering tool

Various cyber security topics

Social engineering uses psychological manipulation to deceive victims into making a mistake. It relies on human error rather than vulnerabilities in software.

Physical security protects buildings and equipment.

Digital forensics is a branch of forensic science which focusses on recovery and investigation of devices used for cybercrime. Digital forensics is the process of identifying, preserving, analysing and documenting digital evidence.