Session 10 – More Cyber Security EECS
Today's Outline: Cyber risks; Identity management; Internet security; PC security; Mobile security; Payment card security
Cyber Risks: Virus; Identity theft; Hacking; Scam; Pornography; Ransomware
Virus: Can spread by email, in the form of an attachment or a web link (URL). Can also be spread when using someone's memory disk.
Virus: A common virus is one that harvests email addresses from an infected computer and uses one of those addresses as the sender to mail itself to a bunch of other addresses fetched from the infected computer. So when you receive such a message, that does not necessarily mean the sender's computer is infected.
Internet Worm: A variant of virus that does not require you to click anything. If your computer has the weakness targeted by the worm, it will be infected. The worm travels on the Internet. Once infected, your computer will be very slow and it may be used as a zombie to send the worm around the Internet.
Internet Worm: It can be used to disable web sites, as happened in September to CNN, Netflix, PayPal and Twitter. Once your computer has up-to-date anti-virus software, the worm will be removed, but it can come back until your computer receives the necessary fix (update) from Apple or Microsoft (pushed to your computer automatically).
Identity theft: Phishing; Password cracking; Virus that copies your identity information or monitors your keystrokes.
Phishing: Email purporting to be from your bank, asking you to click a link to update your account info such as your password. Banks do not send email to customers except to remind them that their statements are ready for viewing, and customers would have to sign in to view them instead of clicking a link in the email. Check the URL behind the link with a right click before trusting it.
Hacking: Every computer connected to the Internet faces this risk, even if you are not using the browser or checking email. Hacking is largely automated, and your computer, once hacked, may be used to hack other computers. Hackers can copy or change your information such as passwords, delete files or plant malicious programs.
Scam: Email enticing people to put up a small sum for a large gain, like buying material to work at home. Or email that asks for help, saying your friend is in distress. Just delete it, or call your friend or his/her family.
Child pornography: Storing, sending or actively viewing it is criminal. Exercise caution when text or graphics start to bother you. A quick way to avoid incrimination is to shut down the computer immediately.
Password: Should not be shared. Should be changed by the user. Should be changed frequently and upon compromise (suspected unauthorized disclosure).
Password: Long, at least 8 characters. Alphanumeric, including at least 1 upper case letter. Hashed (one-way scrambling) by the operating system.
Password Cracking Methods by Hackers: Dictionary attacks: try scrambling (hashing) common names and all dictionary words and compare the results against the stolen hashes. Brute force: try scrambling all possible combinations of characters; the most time consuming. Systematic deduction: try a name followed by a month, etc. The hacker community has precomputed tables of hashes, called rainbow tables, to help in cracking.
Passwords: An 8-letter password is 676 times stronger than a 6-letter password. A user-chosen 6-character alphanumeric word password can be cracked in an hour. A 6-character alphanumeric password is 7 times stronger than a 6-letter password. A completely random 8-character, case-sensitive, alphanumeric password takes a modern PC 6 months to crack.
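The ratios on the slide follow from the size of the keyspace a brute-force search has to cover: 26^8 / 26^6 = 676, and 36^6 / 26^6 is about 7. The following Python is an added example, not part of the lecture slides; it computes those ratios and goes a little further (entropy in bits, and the guess rate a claimed crack time implies). The character-set sizes (26 letters, 36 alphanumeric, 62 case-sensitive alphanumeric) are this example's assumptions about what the slide means by each term.

```python
# Added example: keyspace arithmetic behind the password-strength claims.
# Assumed character sets: letters = 26 (one case), alphanumeric = 36
# (one case + digits), case-sensitive alphanumeric = 62 (both cases + digits).
from math import log2

CHARSETS = {
    "letters": 26,
    "alphanumeric": 36,
    "case_sensitive_alphanumeric": 62,
}


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passwords of `length` characters over `charset`."""
    return CHARSETS[charset] ** length


def strength_ratio(charset_a: str, length_a: int, charset_b: str, length_b: int) -> float:
    """How many times more candidates an exhaustive search must try for A than for B."""
    return keyspace(charset_a, length_a) / keyspace(charset_b, length_b)


def entropy_bits(charset: str, length: int) -> float:
    """Bits of entropy of a uniformly random password (length * log2(charset size))."""
    return length * log2(CHARSETS[charset])


def implied_guess_rate(charset: str, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`.

    Useful for sanity-checking a claimed crack time against known hardware speeds.
    """
    return keyspace(charset, length) / seconds


if __name__ == "__main__":
    print("8 letters vs 6 letters:", strength_ratio("letters", 8, "letters", 6))
    print("6 alphanumeric vs 6 letters:", round(strength_ratio("alphanumeric", 6, "letters", 6), 2))
    print("entropy of random 8-char case-sensitive alphanumeric:",
          round(entropy_bits("case_sensitive_alphanumeric", 8), 1), "bits")
    six_months = 6 * 30 * 24 * 3600  # approximation used for the slide's "6 months"
    rate = implied_guess_rate("case_sensitive_alphanumeric", 8, six_months)
    print(f"that crack time implies about {rate:,.0f} guesses per second")
```

The last line is the useful check for a defender: if the attacker's hardware is faster than the implied guess rate, the "6 months" figure no longer holds and the minimum length or character set needs to go up.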
PIN: Change regularly. Do not use it as your PC or phone password. Use different PINs for debit and credit cards.
OS Configuration: Controlled by a system administrator. A system administrator has full control of a computer and must therefore be closely monitored by management; think of Snowden. Organizations should have a standard blueprint for each OS to ensure consistency.
System Administrator Control: Careful screening before hiring, e.g., criminal record check, psychology test. Rotation of duties among servers. Segregation of duties, e.g., an SA must not also be a DBA. Use vendor-supplied tools to generate reports on SA activities for frequent management review.
User Control: General users should not be given root access to the operating system. General users should not be given administrative privilege on their computers, so that they cannot change OS settings and cannot install programs. This helps to prevent virus spreading, copyright infringement and hacking.
Patching: A patch is a fix from an operating system vendor to cover a security hole used by hackers. A security hole is also called a vulnerability; it may be a service, a port, a combination of the two, or the way some services can be combined to achieve successful hacking.
Patching: Organizations should procure patching tools to check for updates from OS vendors, test the updates and then automatically distribute them to servers, workstations and laptops. Patching should also apply to organization-owned smart phones. Devices should be checked by the organization's network for up-to-date patches when users log in.
Access Control: Access control lists (ACLs) can be set up in an OS to restrict access by applications and by those users who have direct access to the OS. An ACL defines the subject (application), the object (data, OS services, etc.) and the type of access (read, write, delete). Most business users don't need direct access to the OS.
Browser Security: Ordinary users without local administration privilege can still change browser security and privacy settings. This means more monitoring and education are required. The web usage policy should indicate which options must not be turned on.
Modern OS Security Features: Anti-virus software, firewall and full hard drive encryption now come standard with commercial PC operating systems.
Windows Action Center: It allows the user to schedule Windows updates so that updates are downloaded and installed automatically. Organizations should disable this function for users and instead let the domain controller (server) oversee it.
Windows Action Center: Locking down users to prevent them from installing programs. Defining user access rights as guest, folder owner, administrator (full access), and specific user (requiring a logon account). Defining access control lists for folders and files.
Windows Action Center: Data Execution Prevention, a feature that blocks buffer overflow attacks from running injected code by marking certain memory pages intended for data as non-executable. This feature is turned on by default in Windows XP and later versions of Windows. Protected Media Path protects digital rights management by denying unauthorized applications access to rights-managed material. This prevents the copying of programs that can only be executed.
Active Directory: This hierarchical access authentication and authorization structure has replaced the function of the primary domain controllers and backup domain controllers in authentication and authorization. It has the following features: a central location for network administration and security; information security and single sign-on for user access to networked resources; the ability to scale up or down easily; standardized access to application data; synchronization of directory updates across servers.
Password Salting: Most operating systems add a bit string (the salt) to the raw password before hashing, so that the same password produces a different hash on each system and precomputed tables become far less useful. Unix uses a 12-bit random salt each time a password is created or changed. Windows salts passwords only for offline access, to compensate for the lack of Active Directory authentication.
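To show why the salt on this slide matters against the rainbow tables mentioned on the password-cracking slide, here is an added Python example (not from the lecture slides, and not a reproduction of any OS's password file format). It stores a password with a random per-user salt using PBKDF2-HMAC-SHA256 from the standard library, verifies a login attempt against the stored record, and contrasts that with an unsalted hash, where two users with the same password get identical hashes that one precomputed table can look up. The 16-byte salt and the iteration count are this example's own choices.

```python
# Added example: salted password storage versus an unsalted hash.
# PBKDF2-HMAC-SHA256 with a 16-byte random salt and 100,000 iterations are this
# example's choices; they are not what any particular OS uses.
import hashlib
import hmac
import os
from typing import Tuple

ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """What a rainbow table targets: the same password hashes the same everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store for a user; a fresh random salt is drawn if none given."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def table_size_multiplier(salt_bits: int) -> int:
    """How many times larger a precomputed table must be to cover every salt value.

    For the 12-bit Unix salt on the slide this is 2**12 = 4096.
    """
    return 2 ** salt_bits


if __name__ == "__main__":
    # Constructed scenario: two users who happened to choose the same password.
    shared = "Summer2016"
    print("unsalted hashes equal:", unsalted_hash(shared) == unsalted_hash(shared))
    alice = make_record(shared)
    bob = make_record(shared)
    print("salted digests equal:", alice[1] == bob[1])   # False: different salts
    print("alice logs in:", verify(shared, alice))       # True
    print("wrong password:", verify("summer2016", alice))  # False
    print("12-bit salt multiplies table size by", table_size_multiplier(12))
```

The unsalted case is the one rainbow tables were built for: an attacker who obtains the hash file needs only one lookup per hash. With a per-user salt the attacker must recompute the table for every salt value, and a slow, iterated hash such as PBKDF2 makes each of those recomputations expensive as well.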
File Permissions on Critical Files: Unix controls access to files, programs, and all other resources via file permissions. Unix permissions are controlled by three categories: Owner, Group, and World. Each category can be granted READ, WRITE, and/or EXECUTE on a Unix file or resource, e.g., -rwxr-x--x. The key to Unix file permissions is to ensure that users in the World category cannot read, write, or execute files or system resources unless absolutely necessary. A user is considered a World user of a file or system resource if the user has not been specifically defined to that file or resource. There are only two ways a user is specifically assigned to a file or resource: the user created the file, or the user belongs to a group that has been specifically assigned to the file or resource. All other users access the file using the "World" permissions. Hackers who gain access to your servers also access your files and resources via the "World" permissions, unless they compromise a superuser or an ordinary user's account.
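The Owner/Group/World rule on this slide can be checked mechanically. The Python below is an added example (not from the lecture slides): it parses an `ls -l`-style mode string such as `-rwxr-x--x` into the three permission sets, decides which set applies to a given user by the two rules the slide states (owner of the file, or member of the file's group; otherwise World), and reports what the World category is allowed, which is the thing an audit of critical files looks for. The user and group names (alice, staff, bob) are constructed.

```python
# Added example: evaluate Unix owner/group/world permissions from a mode string.
# User and group names in the usage are constructed, not taken from any system.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Perms:
    read: bool
    write: bool
    execute: bool


def parse_mode(mode: str) -> Dict[str, Perms]:
    """Parse the 10-character mode field from `ls -l`, e.g. '-rwxr-x--x'.

    Position 0 is the file type; positions 1-9 are rwx for owner, group, world.
    A lowercase 's' or 't' in the execute slot (setuid/setgid/sticky) still
    means execute is set; uppercase 'S'/'T' means it is not.
    """
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string such as -rwxr-x--x")
    bits = mode[1:]
    out = {}
    for name, chunk in zip(("owner", "group", "world"), (bits[0:3], bits[3:6], bits[6:9])):
        out[name] = Perms(chunk[0] == "r", chunk[1] == "w", chunk[2] in "xst")
    return out


def applicable_category(file_owner: str, file_group: str, user: str, user_groups: Iterable[str]) -> str:
    """The slide's rule: owner if you created it, group if you are in its group, else World."""
    if user == file_owner:
        return "owner"
    if file_group in set(user_groups):
        return "group"
    return "world"


def effective_perms(mode: str, file_owner: str, file_group: str, user: str, user_groups: Iterable[str]) -> Perms:
    return parse_mode(mode)[applicable_category(file_owner, file_group, user, user_groups)]


def world_exposure(mode: str) -> List[str]:
    """Which of read/write/execute the World category has; empty means nothing is exposed."""
    w = parse_mode(mode)["world"]
    return [name for name, on in (("read", w.read), ("write", w.write), ("execute", w.execute)) if on]


if __name__ == "__main__":
    mode = "-rwxr-x--x"  # the slide's example
    print("alice (owner):", effective_perms(mode, "alice", "staff", "alice", ["staff"]))
    print("bob in staff :", effective_perms(mode, "alice", "staff", "bob", ["staff"]))
    print("carol (world):", effective_perms(mode, "alice", "staff", "carol", ["users"]))
    print("world exposure of", mode, "->", world_exposure(mode))
    print("world exposure of -rw-rw-rw- ->", world_exposure("-rw-rw-rw-"))
```

Run over the output of `ls -l` on a directory of configuration files, `world_exposure` flags exactly the files the slide warns about: anything where World has read on a secret, or write on a file the system trusts.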
Syslog: The syslog utility allows system administrators to log various events occurring on the Unix system. If syslog is configured correctly, Unix can log many security events, such as failed logins and privileged commands, without the use of a third-party plug-in.
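What "logging security events" looks like in practice is reading those syslog lines back out. The Python below is an added example (not from the lecture slides) that parses a handful of constructed syslog-format lines, counts failed SSH logins per source address, lists commands run through sudo, and flags any source that crosses a failure threshold. The four sample lines are made up for the example and follow the classic BSD syslog layout; the hostnames, user names and addresses in them are constructed.

```python
# Added example: pulling security events out of syslog-format lines.
# SAMPLE_LOG is constructed input for this example, not real log data.
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Mar  3 10:01:12 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 srv1 sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:02:01 srv1 sshd[2210]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:02:44 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_syslog(text: str) -> List[Dict[str, str]]:
    """Split each line into its syslog fields; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logins_by_source(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count sshd 'Failed password' events per source address."""
    counts: Counter = Counter()
    for e in events:
        if e["prog"] == "sshd":
            m = FAILED_RE.search(e["msg"])
            if m:
                counts[m["src"]] += 1
    return dict(counts)


def sudo_commands(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(invoking user, target user, command) for every sudo record."""
    out = []
    for e in events:
        if e["prog"] == "sudo":
            m = SUDO_RE.match(e["msg"])
            if m:
                out.append((m["user"], m["target"], m["cmd"]))
    return out


def sources_over_threshold(events: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Source addresses with at least `threshold` failed logins; a simple review list."""
    return sorted(src for src, n in failed_logins_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_syslog(SAMPLE_LOG)
    print("parsed events:", len(evts))
    print("failed logins by source:", failed_logins_by_source(evts))
    print("sudo commands:", sudo_commands(evts))
    print("sources to review:", sources_over_threshold(evts))
```

The threshold and the two event types are deliberately simple; the point is that once syslog is configured to capture authentication and sudo records, the management reports the later slides ask for can be produced from the log itself with no extra agent on the host.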
Mainframe Operating System: z/OS has weaker built-in security than Windows and Unix because its predecessors, Multiple Virtual Storage and Virtual Memory, were developed well before the Internet and were not designed to mitigate the risk of hacking. RACF should be installed to provide commercial-grade security for z Series servers.
Resource Access Control Facility (RACF): RACF provides user authentication, resource access control, security logging and audit reporting. It is much more granular than operating system security. For example, it makes available 254 security levels (labels) that can be assigned to each resource object. A label indicates the users or objects that can access a resource and how. A resource object may be a data table (file), a program, a workstation, an ATM or another network device. The type of access may be read, write or delete.
RACF: Each user has a profile that controls that user in terms of access allowed and binds the user to security policies such as password change frequency and password length. A user may also be restricted by day of week and time of day. An administrator has full access. An "auditor" in RACF has full read access, including generating reports on access, profiles and the history log.
Penetration Testing: Self-hacking; it should be done periodically by large organizations.
Penetration Testing: Map the network, i.e., study the network to identify entry points, including IP addresses. One might argue that this does not simulate hacking because a hacker would not have this information. If the penetration tester wants to be more objective and to simulate an actual hack more closely, s/he may decide not to rely on internal documentation of the network and instead use external scanning, Internet research and social engineering.
Penetration Testing: Probe the network using automated commands such as ping to find out what ports are open on each web server. Use security scanning software to scan web servers for loopholes, e.g., an unpatched operating system. Try to hack into a system to view confidential information. There are automated tools available on the Internet and within the hacker community.
Penetration Testing: Obtain system administrator IDs and passwords of servers. Obtain firewall, IDS and IPS rules. Inject a small amount of bogus traffic to test the firewall and intrusion prevention system. There are automated tools available on the Internet and within the hacker community. Show the attempts made and the ability to cause a denial-of-service attack, defacement or changing of data. Report deficiencies to management and make recommendations for improvements.
Conclusion: PC and PC-based server security continues to be improved by their vendors. Recently made available features include full hard disk encryption, an application firewall and integrated anti-malware features including anti-virus. In security, the weakest link is people, including people's commitment to defining strong policies and complying with them. Organizations should have tight operating system images for desktops and servers across the enterprise to comply with their policies. User access rights should be limited to their job functions, and users should not be given administrator privilege on their desktops and laptops. System administrators should be controlled with a thorough reference check and criminal record check before hiring and periodically thereafter, rotation of duties among servers, limiting the servers they support, limiting their other duties, and regular management review of the system logs, using software products to turn system logs into meaningful management reports.