4. Types of Attacks
Let’s talk a little bit about the types of attacks. Not all attacks are computer attacks. There are numerous human attacks. It’s very, very common to get a phone call. Oh, this is the help desk, and we’re going to be changing our database server around a little bit. and I’m going to send you something. And when you click on it, please enter your username and password. What that user doesn’t realise is that the call was not from the help desk. That was somebody from the inside or outside. Basically, social engineering is a person telling them to expect something, and then they send them something by email, and you double-click it, and they put in their username and password. The user thinks that they won’t have access to the database if they don’t do this. They don’t know. Of course they don’t know. They don’t know how to manage a server. And they put in the username and password, and that thing collects them, and then that person gets them.
Or, as is common, this is so-and-so’s CIO or another high-level executive. And we want to make sure that you are conforming with our password policy. You have to make sure that your password policy is at least eight characters long and has three different types. And I need to know for a fact that you’re complying with it. So please tell me what your password is to make sure that you’re not in trouble. And then people will give it one of those things. This is where user education is just as important. The one thing we have to educate users on for social engineering is that no one is supposed to know their password except them. Nobody ever. I mean, there are online websites where you need help, and then they can look up your password and then send it to you, but no one is supposed to know. Just be able to know your password, okay? No matter who they are or how high their rank is, they’re not supposed to know your password. And we need to educate people that there are very specific protocols. So when we hire that new finance director or whatever, she goes right into a meeting, and I already know from working in the help desk that our standard is that everyone gets the same starting password and they’re supposed to change it right away, but she’s too busy and went straight to a meeting. And I already know that we have a naming convention for people’s log-ons. It’s always the first initial, last name, firstname, last initial, or whatever the case may be. I can also log in as her. So we need to educate people. Hey, when you’re ready, log on immediately. Change your password immediately. No one’s ever supposed to know it. I can reset it for you, but you need to change it immediately. So we have these procedures, and as an IS auditor, we’re looking to see if they’re following these procedures. I knew a manager for her entire tenure who never changed her password. She kept the default starting password that everyone is given at the start.
She kept it the whole time—until she left that position. And there weren’t controls in place to force her to change her password when she first logged on or to force her to change it on a regular basis. So we have attacks that aren’t just technical, like the one I’m scanning, but there are also many social engineering attacks. How many times have you gotten an email saying, “Help me! I’m stranded in another country?” And can you just help me? And I’m stuck without my passport. And it’s usually someone you know well; however, this email was sent by a virus or worm. I mean, I’ve had plenty of these come in handy for me; I got stuck; I went to a conference; I’m stranded; DA DA DA. And I’m thinking to myself, “Why are they sending the email to me?” They don’t know me well enough to ask me for that. Or you get these even more devious Nigerian scams, right? Well, I’m so and so, and they make themselves look like an important person, or I’m some relative of a deposed leader or something, and I’ve got all this money. Can you please help me get it out? Finally, they’re making it appear as if they’re laundering money through you so they can keep a cut. There was never any money. They’re basically just repeatedly emptying your bank account. Even legitimate vulnerability scanning tools have this capability for demonstrating social engineering. You get an email saying, “Win a free downloadable MP3 or a free something; just click this.” Congratulations! You’ve won something. This is no joke; you’ve won something. Just click this. And they press the button. And what they don’t realise is that when they’ve clicked it, their browser then makes a connection to a malicious site in the background. They are unaware of it, and the malicious site proceeds to collect private information or download tools to hack the machine, or whatever.
So social engineering is significant, and it can be as simple as shoulder surfing. When someone’s typing their username and password, I can just kind of be looking over there or looking over their shoulder to see what they type, or I can even be dumpster diving and going through. It’s amazing. I’ve seen people and businesses take old checks and simply throw them beneath a stairwell because they haven’t had time to shred or dispose of them, or I’ve seen boxes of sensitive financial documents sitting out by the dumpster. So there’s a social and human component to the attack, as well as a technical component in which I import scanning and then try to break into a service or guess someone’s password. Here’s another one for the human-based attacks. This was actually a social experiment by some high school kids. I’m not going to tell you what district or anything, but the kids basically did a survey, a survey of staff, teachers, administrators, and the like. Oh, what’s your spouse’s name? How many kids do you have? What are their names? Do you have any pets? And then they went and saw if they could log on as those people using birthdays, pet names, kids’ names, and spouses’ names. And it doesn’t take long to figure that out, either, because people use things they can remember. So the education needed to prevent the human-based attack is a big one. Then, for the technology-based attack, it’s a matter of you yourself doing your own vulnerability scans. And like I said, there are free ones and paid ones, or you can pay somebody to do your own vulnerability scans to see what needs to be shored up. You need this patch.
Oh, you’ve got that open port; you’ve got services running; you’ve got default accounts with no password or weak passwords; and there’s a whole bunch of things, and there are whole classes just on ethical hacking. So that’s something that you, as an IS auditor, will probably be involved in. To look for those vulnerabilities, to look for human vulnerabilities, which all boil down to a lack of proper training, ignorance, and a failure to follow procedure as it should, In addition, look at the technical aspects to see if whoever you’re auditing is doing these things as part of their due diligence and care. Now, in terms of computer crime, the United States classified it a while ago, and I’d like to share a website with you. You can actually go to the FBI website and see information about computer crimes. Cybercrime is investigated by the FBI and the Secret Service. And you can go right here, even to the FBI’s website, and you can see about cyber threats and scams—some common ones, some email scams and warnings. They’ll even show you some cybercrime fugitives here, and they’ll give you information about them.
You can also go to Sans.org and see the most common vulnerabilities at that time. So when we scroll down to Sans.org, we can see information about it. We can then get information; we can see security awareness; they have information about penetration testing. There is also, of course, all the information that you need as an IS auditor and also when you’re doing IS management as well. So there are numerous places to visit. ISC Squared is another place where you can go to get free resources to find out what the latest vulnerabilities are. So, like, right here, we can see the 20 critical security controls and the top 25 software errors. Part of an information security manager’s due diligence responsibilities include staying educated and up to date on what’s going on and knowing what the latest trends are, because these trends will change constantly and will be updated when there is an incident. And it’s not going to be a matter of if; it will be a matter of when. when there is an incident. Another question is, what is the incident response? Part of doing due diligence and due care is having a good incident response plan in place, having the ability to respond, having a method and a procedure, and that includes communications. If there’s a major incident, you don’t want people shouting down the hall. You only want certain people, and you want them to communicate in a certain way. And you certainly don’t want the receptionist telling the news media something. So there has to be a very clear protocol.
If there’s a major incident, then everybody stays quiet, and you refer to the public information officer or whoever is supposed to handle it; the CEO or whoever is going to be the person who can speak authoritatively to the news. So you need to make sure that you have the incident response capability, that you have a team that has the expertise to deal with this, and that you have procedures in place. The last thing you want to know is why you shut down the computer. Now all of the processes that we were running on it are off. They’re gone, and we can’t prove anything. Oh, well, I didn’t want it to spread. No. If there’s a major incident going on, isolate it; don’t shut it down. We’ll need to do some immediate live forensics here; unplug it from the network, sure, but don’t just turn off the power. So you need to educate people in their whole classes, just from an IT perspective, on how to deal with this. As an IS auditor, we want to know: do they have these procedures in place for what they determined was adequate for them? Have they trained their people?
If we were to just go up and ask somebody, “Hey, if there was a major virus incident, what do you do?” Or, hey, if there was a major security breach and it showed up in the newspaper, what do you do? And so we need to know that they have incident response plans in place. They have trained people, they have procedures, and everybody knows, from the receptionist to the janitor to the CEO, what their role is in this and what they’re supposed to do and not do. It’s part of knowing that they did their due diligence. As a result, we must have incident response capability. We have to know that all business functions are covered, including the critical ones, and we have to know how to contain damage without damaging evidence. So these are all parts of the incident response capability. If this is a mom-and-pop donut shop, we probably don’t care so much. We’re worried about money being stolen out of the till or financial records, and maybe some private HR records. We probably don’t mind talking to the news media about people’s medical records or anything else. So, as part of your incident response process, you must ensure that you have something in place for all of these. And again, it depends on the organization. A large organisation had better have all of this.
They’d better have the ability to detect. They’d better be able to have the ability to initiate an incident response and escalate it depending on how bad it is and who to contact and who not to talk to. They need a way to record what’s going on and record who said what, who saw it first, and when did it happen? What did you actually see? Because if you’re going in forensically, you’re going to interview people. When did you see it, and at what time? And what did you see? And is there any other material evidence that supports what you’re saying right now? Were you looking at a log? Do you have something you can show me to corroborate what you just said? So then they have to have the ability to evaluate and contain, eradicate, and control the damage, to escalate and respond to recover data and processes, and to recover business operations and maintain continuity, to close the whole incident and do the one really important thing: the post-incident review. Okay, folks, what did we learn from this?
A large organisation will insist that after every project, whether it be a normal project or an incident, we have a debrief. What did we learn? And if we didn’t learn anything, then we didn’t do a very good job. And there are some organisations that, if a midlevel manager after a project says, “I didn’t learn anything,” they might even fire the guy for not doing the job because we’re always looking for ways to improve process so that post-incident reviews can help prevent it from happening again. Now, in reality, we can make all kinds of recommendations. Will upper management act on it? It’s up to them. They may have a thing where they say it, but we don’t have the budget to do what you recommended. But as part of our due diligence, we’ve got to make sure that we make those recommendations, and if we don’t, then this will happen again. Because guess who they’re going to start blaming? They say, “Well, this happened before.” Why did it happen? Well, yeah, but there were these recommendations. They were documented, but they weren’t acted on. As an IS auditor, we want to see all of that. And so we want to see the lessons learned. And when we are looking at their incident response, we want to see that they have accounted for each of these phases of incident response. The next thing we’re going to do is have a lot of fun with cryptography.
5. Cryptography
Let’s take a look at cryptography. It seems like a mysterious process to so many people. But really, what’s going on is that we are concealing something that was out in the open before. And cryptography really has three parts to it. It has what we call “plain text” or “clear text.” Now, that doesn’t mean it’s text; it means that it is an unencrypted something—a file folder, a network, a packet—that was not encrypted. We then run that thing through a mathematical formula called an algorithm. An algorithm does something to it. So the algorithm could be as simple as shifting X number of characters to the left. That would be like a super-simple algorithm. But what is x? That’s the missing part. That’s something called the key. The key is anything that can be converted to a set of numbers. It could be a word, a phrase, or an image. If we can convert it to numbers, that’s the key. And you take that clear text, that unencrypted thing, and you run it through an algorithm, and the key tells it how much to do something. So if the algorithm is to shift the letters over x number of letters and the algorithm, or the key, is one, then we would shift all the letters over one.
So A would become B, B would become C, and C would become D. That’s a really simple example of cryptography. So we’re going to start with unprotected data. As we can see in the diagram, we ran it through encryption, and now it’s protected. This is the most assured way of protecting the confidentiality of data: to actually encrypt it. So, even if they get past the operating system—even if they log on to someone else’s computer—they hack past the operating system. Even if they get past the application, the data itself is encrypted. And that’s the whole concept behind Bit Locker when you’re encrypting whole drives or sending things that have been encrypted in email. So we have the protected data; if we ever need to get to the data, we need to decrypt. So we might encrypt a transmission; it’s encrypted here; it travels; it’s encrypted; and at the very end, it becomes decrypted so they can access the transmission and the data in a decrypted format. And when we decrypt it, it becomes unprotected. You can see the potential here as an auditor; are we encrypting? But is there anywhere from here to here that the encryption process is not working? Like, is it encrypted here but then sent in clear text, or is it transmitted in an unencrypted format but stored in clear text? So we have to look at whether it has ever been decrypted at any point. So we start out with encryption on our desktop here, and we’ve got this clear text file or document. We run it through an algorithm—a mathematical formula.
We apply a key, which is basically an integer that tells the algorithm how much to shift something, and we end up with ciphertext. I’d like to actually demo this. If you’ve never actually seen the before-and-after encryption, it’s actually quite fun. I’m going to use a well-known little tool so you can actually see the encryption process. This is a little tool that is used in the security community. It’s free, and it has some well-known hashing or encryption algorithms. It has Rhindal, which is now the basis for the advanced encryption standard AES. It has blowfish; it has ideas for fish. and we’re just going to encrypt something. I’m just going to create a text file right here on the desktop. And I’m just going to put a very simple sort of sentence in it. I’m just going to call this before, and I’m going to open it up.
And this is clear text, period. So this is my unencrypted clear text file. I’m going to save it, and I’m going to run this thing through an encryption algorithm. And I’ll pick Rhindoll, which is basically what was chosen for the advanced encryption standard AES, which is the successor to Des. And so let’s browse for the before file. Now that this tool creates encrypted copies, let’s browse for them on the desktop. Let’s go down and find it where it was before. Okay, now that I’ve got this loaded, it’s going to create an encrypted copy. This particular tool does not encrypt the original. So we’re going to call this thing after, and we’re going to put in a passphrase here, which will be turned into a secret number, which is actually an uppercase S. And let’s encrypt the file. Let me click “encrypt file” down here. Click it. File encrypted. Okay. And I can see over here that this is the encrypted copy. Let me bring it over so we can take a look at it. Here it is here.I’m going to open it up with a text editor. So let’s open it up with Notepad, which is how we originally created it. And now you can see the encrypted version. I’d like to point something out about ciphertext. Look closely. You’ll notice that none of these characters appear to be repeated. One of the things about cryptography is that a good encryption algorithm tries to take something that is unencrypted and turn it into something with no repeat patterns, which is basically why encrypted files and compression don’t work too well together. Compression looks for repeat patterns so that it can just have a shortcut to represent a whole bunch of repeat patterns. In encryption, you try to have no repeated patterns. Have you ever played those word puzzle games where you’re looking for repeat patterns and you kind of figure out what the letters are? So you look for the most common ones, like the letter E or the letter A, or you look for single words. Just one. It’s got to be A or I? Well, that’s kind of one way. We would approach trying to break code by looking for repeating patterns. Notice there are no repeat patterns here.
If we compare this cypher text to the original, let’s compare the two together here. Do you notice something else? Do you notice that the original is only this long, and yet the ciphertext, the encrypted version, is this long? You see, one thing you need to be aware of is that when you encrypt things, be they network packets, files, or whatever, you almost always make them bigger. Just the very nature of trying to have no repeat patterns is going to make it bigger. From a system administrator’s perspective, that takes more disc space. From a network administrator’s perspective, that adds more traffic when you send encrypted packets across the network. As an IS auditor, we are interested in whether they are using encryption where it is important and where it is required, despite their claim. And the next thing is, what algorithm are they using? In this case, we used Rhindoll, and also, are they protecting the keys so nobody except authorised people know the actual keys? So we now know with encryption that you start with something in clear text or unencrypted, you run it through an algorithm, and you use a key, which could be anything that is ultimately reduced to a number. And out of that comes ciphertext. The next thing we’re going to look at are three sorts of approaches to encryption: symmetric, asymmetric, and hashing.
6. Encryption
There are three approaches to encryption: symmetric, asymmetric, and hashing. With symmetric encryption, the same key is used to encrypt and decrypt. With asymmetric, you take two keys, and with hashing, you’re not really encrypting so much as using an algorithm to produce a result. Let’s start with symmetry. Now, remember in the previous part I showed a demonstration on how I encrypted something? We’re going to now decrypt that thing, and we’re going to use the same key. So we’re going to use symmetric encryption here.
So here we are. We have the same tool, and we have the before and after. We took a look, and just so you can see, we’re going to take the after file and we’re going to use the same key. And the key was the word “secret” with a capital S. We’re going to run it through the same algorithm as Rhindoll, and we’re going to see the results just so that we’re not tempted. This before I file, I’m going to get rid of I’m going to throw away trash. But let’s take a look at it just so we don’t forget. I’m opening up before you, and there it is. This is clear text. Let me now delete the file so that there’s no accident that we might open the wrong one. I deleted it, and I’m now going to decrypt the after file. We’ll take another look at that, opening it with a notepad, and there it is. That is our ciphertext, which we will decrypt.
So let me browse now, let me browse for the after text, and let me put in the same secret passphrase, and the output will be new. So here we go. Let’s decrypt the file now that it’s been decrypted. Click OK; here it is over here, and let’s open it up. Open it with a text editor, and there it is. That is our original. That’s an example of symmetric key encryption using the same key to encrypt and decrypt. Just for fun, let’s actually see what would happen if we were to run this encryption using a different passphrase. We know what we expect it to look like. We expect it to come out like this. This is clear text. What if I put in a whole different passphrase here? I’ll just put in something else, like “hello,” and let’s decrypt it and call it “New 2,” and let’s go take a look. Let’s decrypt the file. Incorrect passphrase. Click OK. It knew, didn’t it? Let’s open it up and see what happens. Nothing. So when you use symmetric encryption, you’ve got to use the same algorithm and the same key. Why not run it through a different algorithm, but this time with the correct pass raise, just for fun? So we used the wrong key and got nothing. Let’s do a whole different algorithm, but with the right key. Let’s see what happens. Let’s close this up and do file encryption instead. Let’s choose blowfish here. So blowfish, and let’s go after that. So here’s after, and I’m going to use the correct passphrase, “secret,” but the algorithm is totally different, and we’re going to call this new three, and let’s see what happens. Let’s decrypt the incorrect passphrase. Actually, it’s not an incorrect passphrase but an incorrect algorithm. Let me double-click it and try to open it up. So if you use symmetric encryption, whatever you encrypt with, you’ve got to decrypt with.
The problem with that method is that you need to tell other people, “I am using Rhine Doll, I’m using Blowfish, I’m using Idea, I’m using whatever, I’m using Des.” And you got to give them the password,the passphrase, the key ahead of time. And this is a problem. So what do you do about that? Because we’ve seen plenty of movies with behind-the-scenes battles before the Cold War or World War I or something like that. If anyone discovers the password, or the key, we’re in big trouble because everything we’ve done will be compromised. And so you’ve seen movies where the key was some passphrase or password that was inscribed on the bottom of an iron skillet that was covered with soot kind of thing. You’re at risk with symmetric encryption. The nice thing about symmetric encryption is that it’s very, very fast. The downside is that you have to somehow communicate ahead of time what the algorithm is and what the key is. So you’re giving up convenience and speed for a security flaw because what happens if the key is compromised or otherwise compromised? Well, the next thing we need to talk about is something called asymmetric encryption. and I’m going to talk about that next.
