Unit 1c


The impossible job

The primary goal of security cannot be to eliminate all threats; that job is impossible.

Management may need to be educated about this concept, because they may not realize that this is a tenet of the security
profession.

Every defender performs a risk assessment by choosing which threats to defend against, which to insure against, and
which to ignore.

Mitigation is the process of defense (reducing the likelihood or impact of the threat), transference is the process of insurance
(shifting the loss to another party), and acceptance is deciding that the risk does not require any action.
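The choice between mitigation, transference and acceptance is easier to see with numbers attached. The following is an added worked example, not code from the original slides: it uses the standard annualised loss expectancy model (single loss expectancy times annual rate of occurrence) with a constructed risk register and an assumed risk appetite; every figure is illustrative.

```python
"""Risk-treatment decision, added as a worked example (not from the original slides).

Uses the classic quantitative model: single loss expectancy (SLE) times
annualised rate of occurrence (ARO) gives the annualised loss expectancy
(ALE).  All threats, costs and the risk appetite below are constructed
figures for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Threat:
    name: str
    sle: float                      # expected loss per occurrence (currency units)
    aro: float                      # expected occurrences per year
    control_cost: Optional[float]   # yearly cost of a mitigating control, None if none exists
    premium: Optional[float]        # yearly cost to transfer the loss (insurance), None if uninsurable

    @property
    def ale(self) -> float:
        return self.sle * self.aro


def choose_treatment(threat: Threat, appetite: float) -> str:
    """Return 'accept', 'mitigate' or 'transfer'.

    - Losses within the appetite are accepted (no action).
    - Above the appetite, a control is bought when it costs less than the loss it
      prevents; otherwise insurance is bought when the premium is below the loss.
    - If neither option is cheaper than the expected loss, the residual risk is
      accepted, but that decision should be recorded and signed off by management.
    """
    if threat.ale <= appetite:
        return "accept"
    if threat.control_cost is not None and threat.control_cost < threat.ale:
        return "mitigate"
    if threat.premium is not None and threat.premium < threat.ale:
        return "transfer"
    return "accept"


def treatment_plan(threats, appetite: float) -> dict:
    """Map each threat name to its chosen treatment, most costly threats first."""
    ordered = sorted(threats, key=lambda t: t.ale, reverse=True)
    return {t.name: choose_treatment(t, appetite) for t in ordered}


# Constructed example register (illustrative numbers only).
REGISTER = [
    Threat("phishing leading to credential theft", sle=20_000, aro=3.0, control_cost=15_000, premium=None),
    Threat("data-centre flood", sle=2_000_000, aro=0.01, control_cost=500_000, premium=8_000),
    Threat("lost unencrypted USB stick", sle=500, aro=2.0, control_cost=3_000, premium=None),
]

if __name__ == "__main__":
    for name, action in treatment_plan(REGISTER, appetite=5_000).items():
        print(f"{action:9s} {name}")
```

With an appetite of 5,000 the phishing threat is mitigated (the control costs a quarter of the loss it prevents), the flood is insured (relocating the data centre costs far more than the expected loss, the premium does not), and the USB risk is accepted because it sits inside the appetite.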
The Weakest Link
For example, a potential burglar who is trying to break into a house may start with the front door. If the front door lock is
too difficult to pick, the burglar may try side doors, back doors, and other entrances. If the burglar can't get through any
of those, he may try to open a window. If they're all locked, he may try to break one. If the windows are unbreakable or
barred, he may try to find other weaknesses. If the doors, windows, roof, and basement are all impenetrable, a determined
burglar may try to cut a hole in the wall with a chainsaw. In what order will the burglar try these attacks? Usually, from
the easiest to the hardest. The weakest link will attract the greatest number of attacks, so a defender's effort is best spent
finding and strengthening that link before polishing controls that are already strong.
Strategy and Tactics
A security strategy is the definition of all the architecture and policy components that make up a complete plan for defense,
detection, and deterrence.

Security tactics are the day-to-day practices of the individuals and technologies assigned to the protection of assets.

Both are equally important, and a successful security program needs to be both strategic and tactical in nature. With a well-defined
strategic plan driving tactical operations, the security effort will have the best chance for success.
Strategic planning can proceed on weekly, monthly, quarterly, and yearly bases, and should be considered an ongoing
endeavor.
Business Processes vs. Technical Controls
● In security, there is no magic bullet. In this sense, a magic bullet means a single security device, product, or
technology that provides complete protection against all threats.

● Some security products are marketed as "security-in-a-box" solutions that provide all the security a company
needs; no single product can.

● Organizations that place technical controls on their network without accompanying business processes have not
recognized that computers are tools for accomplishing specific objectives, and that tools should be considered within a
business process in order to be effective.

● For example, purchasing a database does not solve the problem of how to
manage customer data. Customer data management is a business process that
can be facilitated by a database. Likewise, buying a firewall doesn’t
magically provide security.
The security practitioner must attempt to understand the underlying business processes and data flows in order to solve
the security challenge.

This requires time and effort, but it’s necessary for success. And the sooner the security practitioner is included in the
project planning process, the more successful the security solution will be.
Make these assumptions when considering security:

• You can never be 100 percent secure.

• You can, however, manage the risk to your assets.

• You have many tools to choose from to manage risk. Used properly, these tools can help you achieve your risk
management objectives.
Introduction
● The objective of a security program is to mitigate risks.

● Mitigating risks does not mean eliminating them; it means reducing them to an acceptable level.
Threat definition
In everyday language, a threat is a statement that you will cause harm or some other negative consequence for
someone, usually to pressure them into doing or not doing something. A bank robber who says he'll shoot the bank
teller if they don't hand over the money is making a threat; telling a bully that you'll punch them if they don't stop
bothering your little brother is a threat; a death threat involves telling someone that they will be killed.

In security, the word keeps the same core idea but drops the requirement of a spoken statement: a threat is any
potential event or actor that could cause harm to an asset, whether or not anyone announces it. A threat is distinct
from a vulnerability (the weakness it would exploit) and from the risk (the likelihood and impact of it succeeding).
● Evaluating threats is an important part of risk analysis.
● Threats can take many forms, and in order to be successful, a security strategy must be comprehensive enough to
manage the most significant threats.
● Security professionals know that many real-world threats come from inside the organization, which is why just
building a wall around your trusted interior is not good enough.
● Regardless of the breakdown for your particular organization, you need to make sure your security controls focus
on the right threats. To avoid overlooking important threat sources, you need to consider all types of threats. This
consideration should take into account the following aspects of threats:

• Threat vectors

• Threat sources and targets

• Types of attacks

• Malicious mobile code

• Advanced Persistent Threats (APTs)

• Manual attacks
Threat Vectors

● A threat vector is a term used to describe where a threat originates and the path it
takes to reach a target.
● An example of a threat vector is an e-mail message sent from outside the
organization to an inside employee, containing an irresistible subject line along
with an executable attachment that happens to be a Trojan program, which will
compromise the recipient’s computer if opened.

One source that surveys organizations about the threats they actually encounter, and publishes the results, is the
Computer Security Institute (CSI), whose annual survey identifies particular threat vectors and their frequency.

The figure referred to here (not reproduced in this extract) shows some threat vectors from CSI's 2010 survey. This
illustrates the nature of threats found in the real world.

● Insider threat vectors take many forms.


● For example, Trojan programs and viruses compromise computers on the trusted
internal network.
● Trojan programs are covertly installed pieces of software that perform functions
with the privileges of authorized users, but unknown to those users.
● Common functions of Trojans include stealing data and passwords, providing
remote access and/or monitoring to someone outside the trusted network, or
performing specific functions such as spamming.

● Viruses typically arrive in documents, executable files, and e-mail.


● A risk analysis that includes consideration of all major threat vectors helps ensure
that the security controls will be effective against the real risks to the organization.
Threat Sources and Targets

As a security practitioner, you need to understand how attacks work so that you can select the best countermeasures
for defense.
Types of Attacks

Any computer that is accessible from the Internet will be attacked. It will constantly be
probed by attackers and malicious programs intending to exploit vulnerabilities.

If you don’t keep up with patches and take appropriate countermeasures, your
computer will surely be compromised within a short amount of time.

People sometimes criticize Microsoft for making insecure products and recommend
using other, “safer” products. While Microsoft products include their fair share of
vulnerabilities, you won’t find any popular product from any manufacturer that hasn’t
been hacked.

● Attacks can take the form of automated, malicious, mobile code traveling along
networks looking for exploit opportunities, or they can take the form of manual
attempts by an attacker.
● An attacker may even use an automated program to find vulnerable hosts and then
manually attack the victims.
● The most successful attacks, in terms of numbers of compromised computers, are
always from completely automated programs.
● A single automated attack exploiting a single vulnerability can compromise tens of
thousands of computers in minutes: the SQL Slammer worm of January 2003 infected
roughly 75,000 hosts in about ten minutes.
Malicious Mobile Code

There are three generally recognized variants of malicious mobile code: viruses, worms, and Trojans. In addition,
many malware programs have components that act like two or more of these types; these are called hybrid or
blended threats.

The lifecycle of malicious mobile code looks like this:

1. Find

2. Exploit

3. Infect

4. Repeat

Automated attacks are often very good at their exploit and only die down over time, as patches close the holes and
technology passes them by. But if given the chance to spread, they will.

The Code Red worm, which attacks unpatched Microsoft Internet Information Services (IIS) servers through a buffer
overflow in the Index Server ISAPI extension, was released on July 16, 2001, and Code Red scans were still being
observed on the Internet years afterward.

There are even frequent reports of floppy disk boot sector viruses from the late 1980s
and early 1990s still spreading today even though you won’t find a floppy disk on most
computers anymore.
Computer Viruses

A virus is a self-replicating program that uses other host files or code to replicate.

A virus infection is simply another way of saying the virus made a copy of itself
(replicated) and placed its code in the host in such a way that it will always be executed
when the host is executed.

Viruses can infect program files, boot sectors, hard drive partition tables, data files,
memory, macro routines, and scripting files.
Anatomy of a Virus

The damage routine of a virus (or really of any malware program) is called the payload.

At the very least, a "harmless" virus takes up CPU cycles and storage space.

The payload routine may be mischievous in nature, generating strange sounds, unusual graphics, or pop-up text
messages.

There are even viruses that infect spreadsheets, changing numeric zeros into letter O’s,
making the cell’s numeric contents become text and, consequently, have a value of
zero.

The spreadsheet owner may think the spreadsheet is adding up the figures correctly, but
the hidden O will make column and row sums add up incorrectly.

If the virus executes, does its damage, and terminates until the next time it is executed,
it is known as a nonresident virus.

A nonresident virus may, for example, look for and infect five EXE files on the hard
disk and then terminate until the next time an infected file is executed.

If the virus stays in memory after it is executed, it is called a memory-resident virus.

Memory-resident viruses can also intercept operating system services (file reads, for example) to hide their presence
from administrators and inspection tools; viruses that do this are called stealth viruses.

If the virus overwrites the host code with its own code, effectively destroying much of
the original contents, it is called an overwriting virus.
● If the virus inserts itself into the host code, moving the original code around so the host
programming still remains and is executed after the virus code, the virus is called a
parasitic virus.
● Viruses that copy themselves to the beginning of the file are called prepending viruses ,
and viruses placing themselves at the end of a file are called appending viruses.
● Viruses appearing in the middle of a host file are labeled mid-infecting viruses.
● The modified host code doesn’t always have to be a file—it can be a disk boot sector or
partition table, in which case the virus is called a boot sector or partition table virus,
respectively.
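The prepending, appending, mid-infecting and overwriting layouts above are easiest to tell apart when you hold a known-good copy of the host. The following is an added example, not code from the original slides: an integrity check that compares a suspect file against its clean original and a byte signature for the virus body, and a boot-sector check against a recorded hash. The signature, the "files" and the sector are constructed stand-ins; the mid-infector check is deliberately simplified (it assumes the host bytes are preserved in order around the inserted body).

```python
"""Integrity check that classifies how a host file was modified, added here as a
worked example (not from the original slides).  It assumes you hold a known-good
copy (or hash) of the file and a byte signature for the virus body; both the
signature and the 'files' below are constructed stand-ins.
"""
import hashlib

SIGNATURE = b"<<VX-BODY>>"   # constructed stand-in for a real virus byte signature


def classify_infection(clean: bytes, suspect: bytes, signature: bytes = SIGNATURE) -> str:
    """Describe where the virus body sits relative to the original host code."""
    if suspect == clean:
        return "clean"
    pos = suspect.find(signature)
    if pos < 0:
        return "modified, signature not found"
    if suspect == signature + clean:
        return "prepending"
    if suspect == clean + signature:
        return "appending"
    # Mid-infector: the original code survives intact once the inserted body is removed.
    if suspect[:pos] + suspect[pos + len(signature):] == clean:
        return "mid-infecting"
    # Same length but the original bytes no longer survive: the host was overwritten.
    if len(suspect) == len(clean):
        return "overwriting"
    return "parasitic, layout not recognised"


def boot_sector_tampered(sector: bytes, known_good_sha256: str) -> bool:
    """True if a 512-byte boot sector differs from its recorded hash.

    The final two bytes of a valid PC boot sector are 0x55 0xAA; a sector that
    lacks them is malformed and reported as tampered as well.
    """
    if len(sector) != 512 or sector[-2:] != b"\x55\xAA":
        return True
    return hashlib.sha256(sector).hexdigest() != known_good_sha256


# Constructed samples: a 66-byte 'program' and four modified copies of it.
HOST = b"MZ" + b"\x90" * 30 + b"ORIGINAL-PROGRAM-CODE" + b"\x00" * 13
SAMPLES = {
    "prepend.exe": SIGNATURE + HOST,
    "append.exe": HOST + SIGNATURE,
    "mid.exe": HOST[:16] + SIGNATURE + HOST[16:],
    "overwrite.exe": SIGNATURE + HOST[len(SIGNATURE):],  # host code destroyed, length kept
    "untouched.exe": HOST,
}

# Constructed 512-byte boot sector and the hash an administrator would have recorded.
KNOWN_SECTOR = b"\xEB\x3C\x90" + b"\x00" * 507 + b"\x55\xAA"
KNOWN_SECTOR_SHA256 = hashlib.sha256(KNOWN_SECTOR).hexdigest()


def scan_samples() -> dict:
    """Classify every constructed sample against the clean host."""
    return {name: classify_infection(HOST, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} {verdict}")
    print("boot sector tampered:", boot_sector_tampered(KNOWN_SECTOR, KNOWN_SECTOR_SHA256))
```

Real scanners work from signatures and heuristics rather than a clean copy, but the comparison makes the taxonomy concrete: an overwriting virus is the one case where the original program cannot be recovered from the infected file.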
A Brief History of Viruses

The Next Evolution of Viruses


Computer Worms

● A computer worm uses its own coding to replicate, although it may rely on the
existence of other related code to do so.

● The key to a worm is that it does not directly modify other host code to replicate.

● A worm may travel the Internet trying one or more exploits to compromise a
computer, and if successful, it then writes itself to the computer and begins
replicating again.

An example of an Internet worm is Bugbear, whose Bugbear.B variant appeared in June 2003, arriving as a file
attachment in a bogus e-mail. On unpatched Outlook Express systems it can execute while the user is simply
previewing the message; in most cases, though, it requires the end user to execute the file attachment. Once launched,
it infects the PC, harvests e-mail addresses from the user's e-mail system, and sends itself out to new recipients.
E-Mail Worms

● They appear in people’s inboxes as messages and file attachments from friends,
strangers, and companies.
● They pose as pornography, cute games, official patches from Microsoft, or
unofficial applications found in the digital marketplace.
● There cannot be a computer user in the world who has not been warned multiple
times against opening unexpected e-mail attachments, but often the attachments
are simply irresistible.

● Internet e-mail worms are very popular with attackers because they can be very
hard to track.
● After the malicious authors create the worm, they can use one of the many
anonymous e-mail services to launch it. They might use an Internet cafe terminal
that they paid for with cash to release the worm, further complicating tracking.
● Most of the time, they send the infected e-mail to an unmoderated mailing list so that the worm is distributed to
thousands of unsuspecting users, each of whom is enticed to execute it.
Trojans
A Trojan Horse (Trojan) is a type of malware that disguises itself as legitimate code or
software.

Once a Trojan has been run, the attacker behind it can carry out any action the user who launched it could perform,
such as exporting files, modifying data, deleting files, or otherwise altering the contents of the device.

Trojans may be packaged in downloads for games, tools, apps or even software patches.

● Many people are infected by Trojans for months or years without realizing it.
● If the Trojan simply starts its malicious actions and doesn't pretend to be a
legitimate program, it's called a direct-action Trojan.

An example of a direct-action Trojan is JS.ExitW. It can be downloaded and activated when unsuspecting users
browse malicious web sites.
Remote Access Trojans (RATs)

● A remote access Trojan (RAT) gives the attacker remote control of the infected computer, typically over a
covert connection back to the attacker's own machine.
● RATs have even been known to record video and audio from the host computer's web camera and
microphone.
● Imagine malware that is capable of recording every conversation made near the PC. Surely confidential
business meetings have been recorded.
Zombie Trojans and DDoS Attacks

A zombie is a compromised computer that a Trojan has placed under an attacker's remote control. Zombies can be
used to conduct distributed denial-of-service (DDoS) attacks, a term which refers to the orchestrated flooding of a
target system or network with traffic from large numbers of computers at once.
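What distinguishes a DDoS flood from an ordinary outage or a single abusive client is the number of sources behind the traffic. The following is an added example, not from the original slides: it reads Common Log Format web-server lines, counts requests per fixed window, and labels a window as "ddos" when the excess rate comes from many client addresses and "dos" when it comes from one. The log lines are generated inline from documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the thresholds are illustrative; in practice they are tuned to the site's normal traffic.

```python
"""Flood detection over web-server access logs, added here as a worked example
(not from the original slides).  It counts requests per fixed time window and
distinguishes a flood from many sources (a zombie network) from a single-source
flood.  The log lines are generated below from documentation address ranges;
thresholds are illustrative and would be tuned to the site's normal traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client_ip, datetime) for a Common Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def detect_flood(lines, window_seconds=10, max_rate=50.0, distributed_from=20):
    """Return one alert per window whose request rate exceeds max_rate (requests/s).

    Each alert is (window_start_epoch, request_count, distinct_sources, kind), where
    kind is 'ddos' when the requests came from at least distributed_from client
    addresses and 'dos' otherwise.
    """
    windows = defaultdict(Counter)          # window start -> Counter of client IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # skip unparseable lines rather than crash
        ip, ts = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start][ip] += 1

    alerts = []
    for start in sorted(windows):
        sources = windows[start]
        total = sum(sources.values())
        if total / window_seconds > max_rate:
            kind = "ddos" if len(sources) >= distributed_from else "dos"
            alerts.append((start, total, len(sources), kind))
    return alerts


def generate_sample_log() -> list:
    """Constructed log: a quiet window, a 60-source flood, then a single-source flood."""
    base = datetime(2010, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 5120'

    lines = [line(f"192.0.2.{i + 1}", i) for i in range(5)]                      # normal traffic
    lines += [line(f"203.0.113.{i % 60 + 1}", 10 + i % 10) for i in range(600)]  # 60 zombies
    lines += [line("198.51.100.7", 20 + i % 10) for i in range(600)]             # one attacker
    return lines


if __name__ == "__main__":
    for start, total, sources, kind in detect_flood(generate_sample_log()):
        print(f"{kind:5s} window={start} requests={total} sources={sources}")
```

The single-source case can be handled by blocking one address; the distributed case cannot, which is why DDoS defence relies on upstream filtering and capacity rather than on per-client blocking.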
Malicious HTML
Pure HTML coding can be malicious when it breaks browser security zones or when it can access local system files.

For example, the user may believe they are visiting a legitimate web site, when in fact an attacker has hijacked their
browser session and the user is inputting confidential information into an attacker's site.

HTML often embeds scripting languages such as JavaScript and VBScript, which add functionality and complex active
content. Inside the browser these scripts are meant to be sandboxed, but the same languages also run outside the browser
with the full privileges of the user: VBScript executed through the Windows Script Host can read and write local files
and send mail, which is why many of the classic e-mail worms (ILOVEYOU, for example) were written in VBScript.
Advanced Persistent Threats (APTs)

● An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder
gains access to a network and remains undetected for an extended period of time.
● APT attacks are initiated to steal data rather than cause damage to the target organization's network.
● The goal of most APT attacks is to achieve and maintain ongoing access to the targeted network
rather than to get in and out as quickly as possible. Because a great deal of effort and resources can
go into carrying out APT attacks, hackers typically select high-value targets, such as nation-states
and large corporations, with the goal of stealing information over a long period of time.
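Because an APT's value lies in staying connected for months, the implant usually checks in with its controller on a schedule, and that regularity is one of the few signals a defender can use. The following is an added example, not from the original slides: for every (source, destination) pair in a set of outbound connection records it measures how many connections there were, how long they span, and how little the inter-arrival times vary, and reports pairs that look like a check-in schedule. The records are constructed (one workstation, documentation address ranges, a deterministic jitter); the thresholds are illustrative and would be tuned against the organisation's own proxy or firewall logs.

```python
"""Beacon detection over outbound connection records, added here as a worked
example (not from the original slides).  An implant that keeps access for weeks
usually checks in with its controller on a fixed schedule, so for every
(source, destination) pair it looks for many connections whose inter-arrival
times vary little and span a long period.  Records below are constructed
(documentation address ranges); thresholds are illustrative.
"""
import statistics
from collections import defaultdict


def find_beacons(records, min_count=20, max_cv=0.10, min_span_hours=6.0):
    """records: iterable of (epoch_seconds, src_ip, dst_ip).

    Returns a list of dicts for pairs whose timing looks like a check-in schedule:
    at least min_count connections, spread over at least min_span_hours, with a
    coefficient of variation (stdev / mean) of the intervals at most max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue                                   # too few samples to judge
        times.sort()
        span_hours = (times[-1] - times[0]) / 3600.0
        if span_hours < min_span_hours:
            continue                                   # a burst, not persistence
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(times),
                            "mean_interval_s": mean, "cv": cv, "span_hours": span_hours})
    return beacons


def generate_sample_records() -> list:
    """Constructed 24 h of outbound connections from one workstation."""
    base = 1_268_000_000   # arbitrary epoch start
    records = []
    # Implant check-in every 300 s with a small, deterministic jitter (-8..+8 s).
    for i in range(288):
        jitter = (i % 5 - 2) * 4
        records.append((base + 300 * i + jitter, "10.0.0.15", "203.0.113.50"))
    # Ordinary browsing to one site at irregular times.
    for offset in (0, 17, 900, 1200, 1210, 7000, 30000, 30005, 30100, 50000, 50001,
                   50300, 61000, 61002, 70000, 70010, 70300, 80000, 80100, 86000, 86001):
        records.append((base + offset, "10.0.0.15", "198.51.100.80"))
    # A handful of connections to a software-update host: too few to judge.
    for offset in (100, 3700, 7300, 10900, 14500):
        records.append((base + offset, "10.0.0.15", "192.0.2.10"))
    return records


if __name__ == "__main__":
    for b in find_beacons(generate_sample_records()):
        print(f"{b['src']} -> {b['dst']}: {b['count']} connections, "
              f"every {b['mean_interval_s']:.0f}s (cv {b['cv']:.3f}) over {b['span_hours']:.1f}h")
```

Legitimate software also beacons (update checks, monitoring agents), so a hit is a lead for an analyst rather than a verdict; the dwell time the slides describe is exactly what makes the span and count thresholds useful.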
Manual Attacks
