Computer Security Principles - Assignment PDF

Title Computer Security Principles - Assignment
Course Computer Security Principles
Institution Cork Institute of Technology

Computer Security Principles - Assignment 1

Permanent TSB Group Holdings plc

Contents
- Introduction
- Section 1 - Internal Security Awareness
  - Current Malware Threats
  - Threats that might have specific interest on Permanent TSB Group Holdings plc
  - Use of Ransomware in Online Attacks
- Section 2 - Footprint of Permanent TSB Group Holdings plc
  - What is Footprinting?
  - Weaknesses in the Footprint that could possibly be exploited
  - Resolve weaknesses in the Footprint
  - Extend the security policy to Social Media and other uses of the Internet
- Section 3 - Social Engineering as a Threat
  - What is Social Engineering?
  - Good practices for physical and digital authentication
  - Recommended authentication systems
- Bibliography

“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.” - Kevin Mitnick

R00145533

2

Introduction

Permanent TSB Group Holdings plc is a public company providing financial services in the Republic of Ireland, founded in 1884. Its products are banking and asset management, offered online, via phone or in a branch. The official website of the company is http://www.permanenttsbgroup.ie. Permanent TSB is based at 56-59 St Stephen’s Green, Dublin 2, Republic of Ireland and is registered as an Irish company with registrar number 474438.[1]

Section 1 - Internal Security Awareness

Current Malware Threats

Being aware of threats is the first step in protecting against them. The following websites provide details on the latest malware threats:

- https://www.mcafee.com/threat-intelligence/malware/latest.aspx
- https://www.symantec.com/security_response/landing/threats.jsp
- https://defintel.com/blog/index.php/2017/01/7-biggest-malware-threats-of-2017.html
- https://www.infosecurity-magazine.com/malware/

Such lists are widely provided by companies working in IT security as well as by private individuals and activist groups, and are constantly updated as new threats surface.

Threats that might have specific interest on Permanent TSB Group Holdings plc

- Worms: Computer worms are malicious software that replicates itself in order to spread to other computers through a network connection. The initial infection of one system can happen in multiple ways, for example through an infected file attached to an e-mail or a malicious download from the internet. Once a system is infected, a worm can scan the network for vulnerable hosts and start to spread through the network. Worms are mostly used to install a backdoor on the target, which allows it to be controlled remotely. Networks of multiple machines infected by a worm are also referred to as botnets and can be used for multiple malicious purposes such as DoS attacks, sending spam, or consuming bandwidth of the network itself so that it becomes slower than expected. Most worms have been created only to spread across systems, not to change them; by consuming bandwidth they can still cause considerable damage through the increased network traffic. There are multiple precautions that can be taken to protect against worms. As worms use security flaws in the system, all software should be kept up-to-date and all security updates available for the operating system and applications should be installed. Anti-virus and anti-spyware applications are also advised to be used and kept up-to-date; these can also be used to remove infected files from a system. Most applications offer an auto-update function which can be used. A firewall should also be used on devices where available. Most operating systems offer a built-in firewall which can be enabled; however, there are also third-party firewalls available.[2]

- Phishing: Phishing is the attempt to obtain sensitive information, for example credit card details or login credentials.[3] Phishing can cause a high risk and immense damage to individuals and companies depending on what details or whose credentials have been stolen. Login credentials can be used to access internal systems and perform certain actions (for example transferring funds or amending internal documentation), to access internal information, customer information and procedures, or to monitor activity in the company. The more access the compromised account has, the higher the risk and damage. However, not only the amount of access a certain individual has but also the systems the individual has access to should be taken into consideration. As an example, a web developer who has access to the company's website code and is able to amend links to reroute visitors to a different website than intended can cause a chain reaction, which would allow sensitive information to be gathered from the visitors redirected to that website. There are different types of phishing. Spear phishing attacks are usually executed via an e-mail which is masked as an official e-mail from a company, social network or authority, redirecting to a website infected with malware.[4] Clone phishing is an attack in which a previously sent communication is resent to the original recipient, cloned or almost identical to the previous communication and claiming to be an updated version, in which, for example, links and/or attachments have been replaced with malicious versions. Usually the sender is masked and claims to be the original sender.[5] Whaling targets high-profile individuals, celebrities and company executives and is usually also performed via an e-mail or via a website specifically created for the attack; these are highly customised with the target's name, job title and additional information to look like they come from a trusted source or to claim to be the original website. They are usually harder to discover than normal phishing attacks.[6] A phishing attack happens on the human attack surface, as it requires a user to enter their details on a malicious web form or to reply to an e-mail with the information requested. The risk of phishing attacks can be minimised by implementing multiple IT security measures. In addition to a local spam filter on the receiving device, a server-side spam filter and pre-scan can be integrated to filter such e-mails before delivery to the recipient. An anti-virus system or website scanner which evaluates the risk of a link or attachment can also reduce the risk of opening a malicious file or website. Using multi-factor authentication would prevent the attacker from accessing information or systems even if they know the login and password, because another layer of authentication, such as a code sent by text message to a previously registered phone number, needs to be entered.
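The clone phishing pattern described above (a resent "updated" copy whose links or sender have been swapped) can be checked mechanically on the mail server. The following is an added example, not code from the assignment: it parses two constructed messages with Python's standard email module, compares the From address behind the display name and the set of link hostnames, and flags the resent copy when the display name is unchanged but the address or link targets are new. The message contents, addresses and the example-bank.test domains are all constructed for this illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Constructed sample messages: an original notice and a "resent, updated"
# copy in which the sender address and the link target have changed.
ORIGINAL_RAW = """\
From: Payroll Team <payroll@example-bank.test>
To: staff@example-bank.test
Subject: March payslip
Content-Type: text/html

<p>Your payslip is ready: <a href="https://hr.example-bank.test/payslips/march">view</a></p>
"""

RESENT_RAW = """\
From: Payroll Team <payroll@example-bank-hr.test>
To: staff@example-bank.test
Subject: RE: March payslip (updated link)
Content-Type: text/html

<p>Updated: <a href="https://example-bank-hr.test/login">view</a></p>
"""


def parse(raw: str):
    """Parse a raw RFC 5322 message with the modern EmailMessage policy."""
    return message_from_string(raw, policy=policy.default)


def sender(msg):
    """Return (display name, address) from the From header, lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip().lower(), addr.strip().lower()


def link_hosts(msg):
    """Set of hostnames referenced by href attributes in the message body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = set()
    for url in HREF_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def compare_messages(original_raw: str, resent_raw: str) -> dict:
    """Compare a previously delivered message with a later copy of it.

    A copy that keeps the display name but changes the address, or that
    introduces link hosts the original never used, is marked suspicious.
    """
    original, resent = parse(original_raw), parse(resent_raw)
    orig_name, orig_addr = sender(original)
    new_name, new_addr = sender(resent)
    orig_hosts, new_hosts = link_hosts(original), link_hosts(resent)
    findings = {
        "same_display_name": orig_name == new_name,
        "sender_address_changed": orig_addr != new_addr,
        "new_link_hosts": sorted(new_hosts - orig_hosts),
    }
    findings["suspicious"] = (
        (findings["same_display_name"] and findings["sender_address_changed"])
        or bool(findings["new_link_hosts"])
    )
    return findings


if __name__ == "__main__":
    print(compare_messages(ORIGINAL_RAW, RESENT_RAW))
```

In a real deployment the "original" would come from the recipient's mailbox or the gateway's message store; the check is a heuristic that complements, rather than replaces, spam filtering and URL scanning.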

- Viruses: Viruses are malicious software that replicates itself, when executed, on a system by inserting its own code into files and applications. Viruses also use security flaws in the system to infect it initially. Viruses are commonly used to corrupt files and operating systems, resulting in billions of dollars' worth of economic damage every year by causing system failures, slowing down computers through use of system resources, and corrupting data. Viruses replicate themselves every time an infected file is opened and then infect other files, and are distributed in different ways. The most common way nowadays is most likely as an e-mail attachment: the user opens the infected attachment and infects the system with the virus, and from there the virus starts corrupting other files on the system. The most common protection against viruses is, as for worms, to install anti-virus software on the system, keep it up to date and perform regular scans of the system. Software installed on the system, as well as the system itself, should also be kept up-to-date so that the latest security vulnerabilities are fixed. Anti-virus software can also be used to remove viruses from an infected system. Another way of removing viruses is restoring the system to a previous, non-infected state from a previously created backup. Some operating systems have a built-in function to create backups automatically.[7]

- Keystroke logging: Keystroke logging, also referred to as keylogging, is the act of recording keyboard entries on a computer. Keyloggers can be either software or a piece of hardware physically connected to a computer and keyboard. Keyloggers do not work the way other malware does, as their goal is not to corrupt files or the system, as opposed to viruses, worms, etc. The sole purpose of a keylogger is to log the keys typed on the keyboard. This can be especially harmful when typing logins, passwords or internal information, as these can be exposed to non-authorised individuals. Hardware-based keyloggers require physical access to a device to be installed, as they need to be connected to the device and keyboard itself. Countermeasures for software-based keyloggers are, for example, anti-virus programs as mentioned earlier, but there is also specific software, so-called anti-keyloggers, designed to detect keyloggers by comparing their code against a database of known keyloggers. These are usually more effective than anti-virus software, as some anti-virus software might consider some keyloggers to be legitimate software. There are many more countermeasures, for example one-time passwords, automatic form-filler applications, physical security tokens and on-screen keyboards. Their usability varies widely.[8]

- Denial-of-service attacks: The goal of a denial-of-service attack, also called a DoS attack, is to make a certain network resource unavailable by sending superfluous requests to the resource to prevent it from fulfilling legitimate service requests. Attacks can mostly be distinguished between those attempting to crash the service and those significantly slowing it down. Any service offered via a network resource can be affected, for example payment services, online shops, online banking, etc. Making these services unavailable can have a huge impact on a company that relies on them, as it will not be able to process legitimate requests, which can result in monetary loss for the company offering the service. Preventing DoS attacks usually involves multiple tools: a tool to detect a DoS attack and to classify the incoming traffic, and tools to block illegitimate incoming traffic while allowing legitimate traffic through. So-called application front-end hardware can be placed in the network before traffic reaches the server; it analyses the data packets attempting to get through to the server and classifies them as priority, regular or dangerous. Blackholing or sinkholing routes traffic to a specified IP address where it is analysed and bad packets are rejected. Simple attacks can be avoided by using a firewall and denying all incoming traffic based on certain indicators such as IP address or protocol.[9]
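The priority/regular/dangerous classification that the front-end hardware performs can be illustrated with a per-source sliding window over request logs. The following is an added example, not code from the assignment or any product: it builds a constructed access log (RFC 5737 documentation addresses, one-line-per-request format invented for the example), counts each source's requests within a 10-second window, and marks a source as dangerous once it exceeds the threshold, while an allow-listed monitoring host is always classified as priority. The classify function and its thresholds are this example's own choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access-log lines in the form '<ip> <ISO timestamp> <method> <path>'."""
    base = datetime(2017, 3, 1, 10, 0, 0)
    lines = []
    # Burst client: 30 requests within 6 seconds.
    for i in range(30):
        lines.append(f"203.0.113.5 {(base + timedelta(seconds=i // 5)).isoformat()} GET /login")
    # Ordinary client: 5 requests spread over a minute.
    for i in range(5):
        lines.append(f"203.0.113.9 {(base + timedelta(seconds=12 * i)).isoformat()} GET /")
    # Slow but persistent client: 25 requests, one every 5 seconds (never more
    # than 3 inside any 10-second window, so it must not be flagged).
    for i in range(25):
        lines.append(f"203.0.113.20 {(base + timedelta(seconds=5 * i)).isoformat()} GET /balance")
    # Monitoring host that is on the priority allow list.
    lines.append(f"198.51.100.7 {base.isoformat()} GET /health")
    return lines


def classify(lines, window_seconds=10, max_requests=20, priority=frozenset()):
    """Classify each source address as 'priority', 'regular' or 'dangerous'.

    A source becomes 'dangerous' as soon as it has more than max_requests
    requests inside any window of window_seconds; it stays dangerous for the
    rest of the log. Requests from each source are assumed to be in time order.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    verdict = {}
    for line in lines:
        ip, timestamp, _method, _path = line.split()
        seen_at = datetime.fromisoformat(timestamp)
        if ip in priority:
            verdict[ip] = "priority"
            continue
        window = recent[ip]
        window.append(seen_at)
        while (seen_at - window[0]).total_seconds() > window_seconds:
            window.popleft()       # drop requests that fell out of the window
        if len(window) > max_requests:
            verdict[ip] = "dangerous"
        else:
            verdict.setdefault(ip, "regular")
    return verdict


if __name__ == "__main__":
    for ip, label in classify(build_sample_log(), priority={"198.51.100.7"}).items():
        print(f"{ip:14} {label}")
```

Rate alone is a weak signal against a distributed attack, where each source stays under the threshold; production front-ends combine it with protocol conformance, connection state and reputation data, but the window-per-source bookkeeping is the same.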

- Backdoors: A backdoor is a method of bypassing authentication or encryption in a computer system. Backdoors can be implemented in software, can be a separate program, or can be implanted in the firmware of a device's hardware. Some backdoors are left intentionally in a piece of software to recover data and are widely known; for example, in case a user forgets their password, the manufacturer might be able to reset it and give the user access to their data. Backdoors are also used in the process of developing software to prevent data loss in case of a system failure. Some of these might not be removed with the release of the software and can then cause a security risk. Hidden backdoors do not actively damage a system; however, an attacker using a backdoor can get access to sensitive data, which can cause an immense amount of damage. This can include all data stored on a system or data currently used by a certain application with a backdoor built in. Once a system has been compromised with a backdoor, the most efficient and easiest way to remove it is to rebuild the system from a clean installation and transfer the data back over. All applications should be left out in this case and known-good clean installers should be used to reinstall them. Some backdoors, for example those in operating systems, can only be removed through a patch by the developer; to speed up the process, these should be reported. If the backdoor is linked to a certain function in the system, that function should be deactivated, if possible, and only activated again after the issue has been patched.[10]

- Trojan horse: Trojan horses are malicious software programs that mislead the user about their true intent. They are mostly spread using social engineering, for example as an e-mail attachment which claims to be a routine form. Trojan horses usually do not attempt to inject themselves into files or propagate themselves. Trojan horses can give the attacker access to files stored on the system, similar to the backdoors mentioned earlier, and can also infect other devices over the network. Trojan horses are used mostly with the same intent as a backdoor: to access files stored on a system or to attempt to take control of the system itself.[11]

- Exploits: An exploit is a piece of software, data or a sequence of commands that takes advantage of a vulnerability or bug in software to gain data access or control over a system. There are local exploits, for which prior access to the system is needed, and remote exploits that communicate with the vulnerable system via a network. As soon as they become known to the owner of the software, the vulnerabilities are mostly removed through a software update or a patch for the affected piece of software. Exploits that are only known to the people who found them are referred to as zero-day exploits, and they remain unknown to others unless someone is actively looking through the code and attempting to find the vulnerability. As in most cases, having all software updates and security updates installed is one of the best precautions to take.[12]

As described above, most of the malware threats attempt either to gain control of a system or to access data stored on it. This can have an immense impact on the company, as customer data, financial data and company documentation might be accessed, modified or deleted.

Use of Ransomware in Online Attacks

Ransomware is malicious software that, for example, blocks access to a system or encrypts files and makes them inaccessible unless a ransom is paid. Ransomware attacks can be carried out using a Trojan which masks a malicious file as a legitimate one. This can be a download from the internet, an e-mail attachment, a visit to a website with malicious code, or a security exploit in vulnerable software. These attacks happen when an infected file has been downloaded or an infected website has been opened.[13]

Section 2 - Footprint of Permanent TSB Group Holdings plc

What is Footprinting?[14]

Footprinting is considered one of the pre-attack phases, in which an individual gathers information about computer systems, network environments and the entities they belong to, using multiple tools and technologies, in order to perform an attack on these computer systems. Footprinting is a non-intrusive way of gathering information without accessing non-public information about the object, company, etc. It is usually used to find the best way to start an attack on a certain system. Information gathered during footprinting can be, but is not limited to:

- Domain name
- IP addresses
- Namespaces
- Employee information
- Phone numbers
- E-mails
- Job information
- Location

There are multiple methods to gather information about a certain system. Possible methods are:

- WHOIS: WHOIS is a service to get domain name information about a domain. This includes the owner, the registrar, dates of registration, expiry and renewal, name servers, and contact information for the owner. The following screenshot from www.whois.com provides information about Permanent TSB Group Holdings plc.

- Finding IP addresses: The ping command can be used in the command prompt on multiple operating systems (for example macOS, Windows and Linux). The command and its output will look similar to the below:

Using the domain name, ping will try to reach the host and the result will measure the time the host needed to reply, from the moment the request is sent. In this case the IP address of Permanent TSB Group Holdings plc is 107.154.112.20. The IP address is the actual address of the web server behind the domain name.

- Finding the hosting company: Using the IP address found via the ping command, a search can be run to find where the hosting company is based. Running a search through a service like ip2location.com can show the name of the hosting company, its location and further information about the company itself.

The company hosting the website http://www.permanenttsbgroup.ie is Incapsula Inc., based in Redwood, CA, United States. Their website is http://incapsula.com.

- Traceroute: Traceroute is a tool to find the path between your system and the target on the network. It shows through which servers you are being forwarded to reach the requested resource. This is the result of a traceroute to www.permanenttsbgroup.ie:
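The ping and traceroute screenshots the assignment refers to are not reproduced here. As an added example (not the author's output), the block below parses the two output formats with Python regular expressions and lists the addresses that answered along the path, which is the part of the footprint an organisation's own security team would compare against the addresses it intends to expose. The ping and traceroute text is constructed for the example and uses RFC 5737 documentation addresses and the made-up name www.example.test; the Hop record and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample outputs (not the assignment's screenshots).
PING_OUTPUT = """\
PING www.example.test (203.0.113.10): 56 data bytes
64 bytes from 203.0.113.10: icmp_seq=0 ttl=54 time=18.402 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=54 time=17.911 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=54 time=19.044 ms

--- www.example.test ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.911/18.452/19.044/0.465 ms
"""

TRACEROUTE_OUTPUT = """\
traceroute to www.example.test (203.0.113.10), 64 hops max, 52 byte packets
 1  192.0.2.1 (192.0.2.1)  1.201 ms  0.987 ms  1.044 ms
 2  198.51.100.1 (198.51.100.1)  9.532 ms  9.104 ms  9.877 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  18.204 ms  18.611 ms  17.993 ms
"""

PING_HEADER_RE = re.compile(r"^PING (\S+) \(([\d.]+)\)")
PING_REPLY_RE = re.compile(r"from ([\d.]+): icmp_seq=\d+ ttl=\d+ time=([\d.]+) ms")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOP_ADDR_RE = re.compile(r"^(\S+) \(([\d.]+)\)")
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_ping(output: str) -> dict:
    """Extract the resolved address and per-reply round-trip times from ping output."""
    result = {"host": None, "ip": None, "rtts_ms": []}
    for line in output.splitlines():
        header = PING_HEADER_RE.match(line)
        if header:
            result["host"], result["ip"] = header.group(1), header.group(2)
            continue
        reply = PING_REPLY_RE.search(line)
        if reply:
            result["rtts_ms"].append(float(reply.group(2)))
    rtts = result["rtts_ms"]
    result["avg_ms"] = round(sum(rtts) / len(rtts), 3) if rtts else None
    return result


@dataclass
class Hop:
    number: int
    name: Optional[str]        # None when the hop did not answer ("* * *")
    ip: Optional[str]
    rtts_ms: List[float] = field(default_factory=list)


def parse_traceroute(output: str) -> List[Hop]:
    """Turn each hop line of traceroute output into a Hop record."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue               # the "traceroute to ..." header and blank lines
        number, rest = int(m.group(1)), m.group(2)
        addr = HOP_ADDR_RE.match(rest)
        if addr is None:           # silent hop: all probes timed out
            hops.append(Hop(number, None, None))
            continue
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hops.append(Hop(number, addr.group(1), addr.group(2), rtts))
    return hops


def responding_addresses(hops: List[Hop]) -> List[str]:
    """Addresses that answered along the path, in hop order."""
    return [hop.ip for hop in hops if hop.ip]


if __name__ == "__main__":
    print(parse_ping(PING_OUTPUT))
    print(responding_addresses(parse_traceroute(TRACEROUTE_OUTPUT)))
```

The formats shown are the BSD/macOS style the assignment's screenshots would have come from; Windows ping prints "Reply from ... time=18ms" and tracert prints times before the address, so the regular expressions would need adjusting for those.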

- Social media profiles: From researching the company I found multiple social media profiles they have created to keep in touch with customers, provide services, offer jobs and provide information about themselves.

Facebook: https://www.facebook.com/Permanent-tsb-557742141060618/
Twitter: https://twitter.com/askpermanenttsb
Instagram: https://www.instagram.com/permanenttsb/
YouTube: https://www.youtube.com/permanenttsb
Google+: https://plus.google.com/u/0/107866003271315680985
LinkedIn: https://www.linkedin.com/company/47294/

As seen above, there is an account on most major social media platforms providing information about the company. They also provide information on currently ongoing issues with their systems, useful tips on how to use their services and information that might currently be relevant to customers. However, the company states that financial data should not be disclosed via social media.

Their Facebook profile offers a live chat service, provides the customer care phone number and a link to the official website, with some basic information about the sector the company works in.


On Twitter the company also provides customer service via direct replies to customer tweets or personal messages.

The company's Instagram profile provides pictures of their employees, sponsorships and recent events.

The YouTube channel of the company provides short video clips about their products. Videos of property viewings are also available there.

The company has a Google+ profile; however, this appears to be blank.


On LinkedIn the company provides some more information, being more specific about their specialit...

