# EMSE6540 Chapter 1

###### tags: `Course` `EMSE6540`

---

:::success
**Key terms:**

* Computer security
  ~ Computer security is defined by a system operating in a manner in which it does what it is supposed to do and only what it is supposed to do.
* Information security
  ~ Information security is defined by the information being protected from unauthorized access or alteration and yet being available to authorized individuals when required.
* Script kiddies
  ~ Individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities in software but who have just enough understanding of computer systems to be able to download and run scripts that others have developed.
* Elite hackers
  ~ Someone who not only has the ability to write scripts that exploit vulnerabilities but is also capable of discovering new vulnerabilities.

![](https://i.imgur.com/uIpYgD3.jpg)

* Unstructured threats
  ~ An unstructured threat refers to a computer attack from novice hackers, often called script kiddies, who use software created by more advanced hackers to gain information from or access to a system, or to launch a denial-of-service attack. Unstructured threats are the most prevalent threat to a company or organization's computer system.
  ~ Attacks by an individual or even a small group of attackers fall into the unstructured threat category.
  ~ Attacks at this level generally are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.
* Structured threats
  ~ Attacks by criminal organizations usually fall into the structured threat category, which is characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and possibly corruption of, or collusion with, insiders.
* Highly structured threats
  ~ This type of threat is characterized by a much longer period of preparation (years is not uncommon), tremendous financial backing, and a large and organized group of attackers.
  > Nation-States, Terrorists, and Information Warfare fall into the highly structured threat category.
* Hacking
  ~ The act of deliberately accessing computer systems and networks without authorization.
* Hackers
  ~ Individuals who conduct hacking activity.
* Insiders
  ~ Insiders are more dangerous in many respects than outside intruders because insiders have the access and knowledge necessary to cause immediate damage to an organization.
* The Inside Threat
  ~ Since employees already have access to the organization and its assets, additional mechanisms need to be in place to detect attacks by insiders and to lessen the ability of these attacks to succeed.
* Critical infrastructures
  ~ Critical infrastructures are those whose loss would have severe repercussions on the nation.
  > Water, electricity, oil and gas refineries and distribution, banking and finance, telecommunications.
* Open Source Intelligence
  ~ Open source intelligence, sometimes called open source threat intelligence, is the term used to describe the processes used in the collection of threat intelligence information from public sources.
* Threat intelligence
  ~ Threat intelligence is the gathering of information from a variety of sources, including non-public sources, to allow an entity to properly focus its defenses against the most likely threat actors.
  > Major sources: ISAOs and ISACs.
:::

**Threats to Security**

1. One way to categorize them is to separate threats that come from outside of the organization from those that are internal.
2. Look at the various levels of sophistication of the attacks.
3. Examine the level of organization of the various threats, from unstructured threats to highly structured threats.
:::info
**Hacking organizations**

* Energetic Bear
  ~ A group of Russian hackers who used Havex malware in critical infrastructures. Also called Dragonfly.
* Sandworm
  ~ A group of Russian hackers who have brought major issues to Ukraine via numerous attacks over the past couple of years. Also known as Elektrum.
* Shadow Brokers
  ~ A team that purportedly leaked NSA hacking tools to the public domain.
* Equation Group
  ~ A team of hackers allegedly linked to the U.S. government.
* Regin
  ~ A team of hackers allegedly associated with the UK's GCHQ.
* Cozy Bear and Fancy Bear
  ~ Hacker groups allegedly tied to Russia and the hacking of the Democratic National Committee (DNC) servers. Fancy Bear, also called Sofacy, is connected to Russia's GRU, and Cozy Bear, also called CozyDuke, is associated with the FSB.
* Vault 7
  ~ A list of leaks posted to WikiLeaks claiming to represent CIA cyber-operation methods and tools.
* Lazarus Group
  ~ A group of hackers linked to North Korea and attacks including an $81 million bank robbery and the WannaCry ransomware attacks.
* Comment Crew
  ~ A group of hackers associated with China. Also known as APT1.
:::

**Attributes of Actors**

Threat actors can be divided into groups based on abilities, as shown previously in the chapter. Other ways to differentiate the threat actors are by location (internal or external), by level of sophistication, by level of resources, and by intent.

:::danger
**Targets and Attacks**

* Specific Target
  ~ In this case, the attacker has chosen the target not because of the hardware or software the organization is running but for another reason—perhaps a political reason.
* Opportunistic Target
  ~ The second type of attack, an attack against a target of opportunity, is conducted against a site that has software that is vulnerable to a specific exploit.
  > Targeted attacks are more difficult and take more time than attacks on a target of opportunity.
  > The latter simply relies on the fact that with any piece of widely distributed software, there will almost always be somebody who either has not patched the system or has not patched it properly.
:::

**Minimizing Possible Avenues of Attack**

Understanding the steps an attacker will take enables you to limit the exposure of your system and minimize those avenues an attacker might possibly exploit.

1. The first step an administrator can take to reduce possible attacks is to ensure that all patches for the operating system and applications are installed.
2. The second step an administrator can take is hardening the system, which involves limiting the services that are running on the system.

:::warning
**Approaches to Computer Security**

* Correctness
  ~ Ensuring that a system is fully up to date, with all patches installed and proper security controls in place.
  > Correctness begins with a secure development lifecycle (covered in Chapter 18), continues through patching and hardening (Chapters 14 and 21), and culminates in operations (Chapters 3, 4, 19, and 20).
* Isolation
  ~ Protecting a system from unauthorized use, by means of access control and physical security.
  > Isolation begins with infrastructure (covered in Chapters 9 and 10), continues with access control (Chapters 8, 11, and 12), and includes the use of cryptography (Chapters 5, 6, and 7).
* Obfuscation
  ~ Making it difficult for an adversary to know when they have succeeded. Whether accomplished by obscurity, randomization, or obfuscation, increasing the workload of an attacker makes it more difficult for them to succeed in their attack.
:::

**Cyberattack Kill Chain**

One of the newer methods of modeling attacks is via a cyberattack kill chain, a step-by-step process that attacks follow to target and achieve results on victim systems.
The kill chain concept is important because in many cases the detection of an adversary on your network will be earlier in the kill chain process, giving a firm an opportunity to break the attack pattern before actual damage is done.