
Topics:

1. Introduction to Cybersecurity

2. Network Theory

3. Threat Modelling Analysis and Social Engineering

4. Critical Infrastructures

5. Cyberwar and Infowar

6. Asymmetric Warfare

7. Cyberweapons: Stuxnet and others

8. Information Warfare and Psychological Ops

9. Digital battlefield

10. Military applications of Artificial Intelligence; Lethal Autonomous Weapons Systems

11. NSA leaks & CIA leaks

12. Surveillance

13. Myths and Reality of Cybercrime

14. Privacy & Data Protection

15. Cyber Arms Control & Disarmament

16. Tor and Dark Web

Raw data is abundantly available online. Open-source intelligence (OSINT) is used to analyze Big Data, but also other sources such as SNA, Social Engineering (acquiring ways of penetrating networks through users unknowingly), attack tools (phishing and spear-phishing emails containing a link that will inject malware), Sentiment Analysis (used mainly in marketing or political communication), Web Scraping (extracting data from browsers), and the "Dark Web" (web pages that are not indexed by search engines and tend to sell illegal resources). Every layer produces data that are expressed in different formats. Roughly speaking, we can group these data as more 'technical' (layers 1-7) and 'social' (layers 8-10). You can extract information from each one of these layers with different methodologies. We will limit our analysis to the social dimension. Packets are the necessary information to make sense of everything that travels the net.

Threat modeling is a semi-formal technique used to understand threats against your system (it contains a mathematical element, but that element is not preponderant). Threat and risk are often used interchangeably, but this is incorrect: by threat we indicate the actor, whereas a risk is the probability of a bad thing happening multiplied by its impact. Threat modeling might be better understood as risk modeling. It has more to do with the social layer, because there is always an actor behind a risk. It can be used to create an abstraction of the system and profiles of potential attackers (goals and methods). It is useful because it increases awareness in the organization, helps focus resources, gives a better security assessment, and may help bridge techies and generic staff. It usually involves algorithms (sets of instructions to do something).

Social Network Analysis (SNA) examines interactions and the structural constraints between nodes, and the flows of resources and information. It comprises a paradigm (graph theory, relational theories of social interaction) and a methodology (mainly descriptive statistics: measures of centrality, density, transitivity, reciprocity and brokerage). For examples see the research on social movements (Diani and McAdam, 2002), on social capital (Lin, 2001), on virtual communities (Adamic and Glance, 2005) and on Florentine politics in the 15th century (Breiger and Pattison, 1986). According to Wasserman and Faust (1994, pp. 17-21), 'a social network consists of a finite set or sets of actors and the relation or relations defined on them'.

Terminology:

- Actors: discrete individual, corporate, or collective social units.
- Social ties: linkage or relationship between actors. Dyad if the actors are two; triad if the actors are three.
- Group: collection of all actors on which ties are to be measured.
- Relation: collection of ties of a specific kind among members of a group.

Particularities of SNA according to Wasserman and Faust (1994, ch. 1):

- Actors and actions are considered to be interdependent, linked by social/relational ties through which resources (material and nonmaterial) flow.
- The network structural environment provides opportunities for and constraints on individual actions.
- Structure (sociopolitical, economic, ...) as lasting patterns of relations among actors.

Data types in Network Analysis:

- Attribute data: properties, qualities, or characteristics of agents (Scott, 1991). Measured as values of particular variables (income, education, ...).
- Relational data: properties and qualities related to the contacts, ties and connections which link one agent to another.
- Ideational data: related to meanings and motive definitions.

These data are often collected together. SNA provides a tool for the graphical representation of relations, integrating structure and agency. Analysis of the terrorist network behind 9/11: the network was sparse and the nodes were distant, which minimizes the damage to the network if a cell member is captured. Strength of weak ties: distant ties are important for finding resources or information (Granovetter, 1973). A low redundancy in ties is linked to resource payoffs. Redundancy can be effective with nonmaterial resources (social bonds and social capital). Structural holes and the relative payoffs for brokers, consultants, and gatekeepers in bridging holes between agents (Burt, 1992).
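As an added worked example (not from the notes or from any of the studies cited), the following Python computes the descriptive SNA measures listed above on a small constructed network: density, degree centrality, transitivity, betweenness as a brokerage measure for actors that bridge a structural hole, and how many components remain when a single actor is removed, which is the "sparse network survives the capture of one member" point. The tie list, node names and the two-cells-plus-one-broker shape are assumptions made for the example.

```python
"""Descriptive SNA measures on a small constructed network (added example).

Computes density, degree centrality, transitivity and betweenness (a
brokerage measure), and checks how fragmented the network becomes when a
single actor is removed. The tie list below is constructed for this example.
"""
from collections import deque
from itertools import combinations

# Constructed undirected ties: two tight cells (A-B-C and F-G-H) that are only
# connected through the broker E. Hypothetical data, not from any real study.
SAMPLE_TIES = [
    ("A", "B"), ("A", "C"), ("B", "C"),
    ("C", "E"), ("E", "F"),
    ("F", "G"), ("F", "H"), ("G", "H"),
]


def build_graph(ties):
    """Adjacency sets for an undirected graph."""
    g = {}
    for u, v in ties:
        g.setdefault(u, set()).add(v)
        g.setdefault(v, set()).add(u)
    return g


def density(g):
    """Observed ties divided by the maximum possible number of ties."""
    n = len(g)
    m = sum(len(nb) for nb in g.values()) // 2
    return m / (n * (n - 1) / 2)


def degree_centrality(g):
    """Degree normalised by the n-1 other actors."""
    n = len(g)
    return {v: len(nb) / (n - 1) for v, nb in g.items()}


def transitivity(g):
    """Share of connected triples (A-B, B-C) that are closed by an A-C tie."""
    closed = total = 0
    for v, nb in g.items():
        for a, b in combinations(nb, 2):
            total += 1
            closed += b in g[a]
    return closed / total if total else 0.0


def _bfs(g, s):
    """Geodesic distance and number of shortest paths from s to every node."""
    dist, sigma, queue = {s: 0}, {s: 1}, deque([s])
    while queue:
        u = queue.popleft()
        for w in g[u]:
            if w not in dist:
                dist[w], sigma[w] = dist[u] + 1, 0
                queue.append(w)
            if dist[w] == dist[u] + 1:
                sigma[w] += sigma[u]
    return dist, sigma


def betweenness(g):
    """Number of shortest paths between other actors that pass through v
    (fractional when several shortest paths exist)."""
    nodes = sorted(g)
    bfs = {s: _bfs(g, s) for s in nodes}
    score = {v: 0.0 for v in nodes}
    for s, t in combinations(nodes, 2):
        dist_s, sigma_s = bfs[s]
        if t not in dist_s:
            continue  # s and t lie in different components
        for v in nodes:
            if v in (s, t) or v not in dist_s:
                continue
            dist_v, sigma_v = bfs[v]
            if dist_s[v] + dist_v.get(t, float("inf")) == dist_s[t]:
                score[v] += sigma_s[v] * sigma_v[t] / sigma_s[t]
    return score


def components(g):
    """Number of connected components."""
    seen, count = set(), 0
    for start in g:
        if start in seen:
            continue
        count += 1
        stack = [start]
        while stack:
            u = stack.pop()
            if u not in seen:
                seen.add(u)
                stack.extend(g[u] - seen)
    return count


def fragmentation_on_removal(g):
    """Components remaining after each single actor is removed from the network."""
    return {
        v: components({u: nb - {v} for u, nb in g.items() if u != v})
        for v in g
    }


if __name__ == "__main__":
    graph = build_graph(SAMPLE_TIES)
    print("density", round(density(graph), 3))
    print("transitivity", round(transitivity(graph), 3))
    print("betweenness", betweenness(graph))
    print("components after removal", fragmentation_on_removal(graph))
```

On this constructed graph E has the highest betweenness although its degree is low: that is the broker sitting on a structural hole, and removing E is the only single removal that splits the network into two components.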

Threat Model vocabulary:

- Threat: actions/activities that can potentially harm computers/networks or some other assets of the organization.
- Attack: actual realization of a threat.
- Vulnerability: weakness or opening that may allow a threat to become an attack (not necessarily a defect).
- Risk: probability that the vulnerability is found and exploited.
- Risk management: all activities/actions undertaken to control or reduce the risk (preventive).
- Mitigation: actions/activities undertaken to reduce the effects/consequences of the attack (post-event).
- Threat modeling: identifying/assessing threats, understanding threats to assets, developing strategies for responding.

Not all users have privileges within the network to access or undertake actions.

Methodology:

- Think about who your attacker can be and what your assets are.
- Attack surface: what can the attacker attack?
  - Attack vectors: probable means of attack.
  - You can collect as much data as possible on how secure your system is and on the attackers (BD).

Example:

- Someone with physical access to a system/data and with unlimited time
- Provided that certain security measures are taken
- Who has access? What privileges? Assets?
- Worst possible outcome?

The CIA triad: cybersecurity as a set of rules to guarantee:

- Confidentiality: only authorized users can access specific computers/data
- Integrity: stored data can only be modified by authorized users
- Availability: data and systems should be promptly available everywhere to authorized users
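The vocabulary, methodology and CIA triad above fit together in a small risk register. The following Python is an added example, not part of the notes: a threat is an actor using an attack vector against an asset, risk is probability times impact, a preventive control (risk management) lowers the probability, and a post-event mitigation lowers the impact, with the impact of an asset taken as the worst of its three CIA properties. The assets, actors, 1-5 impact scale, probabilities and scaling factors are all constructed assumptions.

```python
"""Minimal threat-model risk register (added example, constructed data).

Follows the vocabulary in the notes: a threat is an actor using an attack
vector against an asset; risk = probability of exploitation x impact; risk
management (preventive controls) lowers the probability, mitigation
(post-event) lowers the impact. All scales and factors are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    # Impact if the property is lost, on a constructed 1 (minor) .. 5 (severe) scale
    confidentiality: int
    integrity: int
    availability: int

    @property
    def impact(self):
        # Worst-case loss over the three CIA properties
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Threat:
    actor: str                  # who the threat is (amateur, insider, nation state, ...)
    vector: str                 # probable means of attack
    asset: Asset
    probability: float          # chance the vulnerability is found and exploited, 0..1
    controls: list = field(default_factory=list)     # (name, factor) scaling probability
    mitigations: list = field(default_factory=list)  # (name, factor) scaling impact

    def inherent_risk(self):
        return self.probability * self.asset.impact

    def residual_probability(self):
        p = self.probability
        for _, factor in self.controls:
            p *= factor
        return p

    def residual_impact(self):
        i = self.asset.impact
        for _, factor in self.mitigations:
            i *= factor
        return i

    def residual_risk(self):
        return self.residual_probability() * self.residual_impact()


def ranked(threats):
    """Threats ordered from highest to lowest residual risk."""
    return sorted(threats, key=lambda t: t.residual_risk(), reverse=True)


def build_sample_register():
    """Constructed assets and threats (hypothetical values)."""
    plc = Asset("PLC driving a production line", confidentiality=2, integrity=5, availability=5)
    hr_db = Asset("HR database", confidentiality=5, integrity=3, availability=2)
    site = Asset("Public website", confidentiality=1, integrity=3, availability=4)
    return [
        Threat("insider with physical access", "USB flash drive", plc, 0.3),
        Threat("cyber-criminal", "spear-phishing e-mail with link", hr_db, 0.6),
        Threat("amateur", "DDoS from a botnet", site, 0.8),
    ]


def apply_sample_treatments(threats):
    """Attach constructed controls/mitigations and return residual risk per asset."""
    by_asset = {t.asset.name: t for t in threats}
    by_asset["PLC driving a production line"].controls.append(("USB ports locked down", 0.2))
    by_asset["HR database"].controls.append(("mail filtering and staff training", 0.5))
    by_asset["Public website"].mitigations.append(("upstream traffic scrubbing", 0.5))
    return {name: t.residual_risk() for name, t in by_asset.items()}


if __name__ == "__main__":
    register = build_sample_register()
    for t in ranked(register):
        print(f"{t.inherent_risk():4.2f}  {t.actor} -> {t.asset.name} via {t.vector}")
    print(apply_sample_treatments(register))
    for t in ranked(register):
        print(f"{t.residual_risk():4.2f}  residual: {t.actor} -> {t.asset.name}")
```

Running it shows why the distinction between the two terms matters: the USB control shrinks the PLC risk by cutting probability, while the traffic-scrubbing mitigation leaves the DDoS just as likely but halves what it costs, and the ranking changes accordingly.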

Types of attackers:

- Amateurs: opportunistic attackers
- Hackers: non-malicious
- Crackers: malicious
- Insiders
- Hacktivists
- Cyber-terrorists
- Large organizations/corporations and structured networks (private companies, organized crime, specialized organizations serving governments, i.e. cyber mercenaries)
- Nation-state cyber-warriors: more resources. The worst menaces are classified in the APT (Advanced Persistent Threat) numerical classification.

Botnet: a number of computers controlled externally to launch an attack, a DoS or DDoS, that forces a lot of traffic onto a computer that cannot process it.

The main motivation is related to cybercrime; the rest is cyber espionage and warfare.

Crypto AG:

- Swiss cryptography firm that sold its equipment to governments and militaries after WWII. Secretly controlled by the CIA and sold after 2018.
- Sold backdoored crypto equipment to benefit the US, UK and defense intelligence.
- Revealed on Feb 11, 2020, by the media.

Stuxnet is a worm designed for sabotage: its target is a specific industrial process, and in fact a particular subsystem of a SCADA industrial control system (ICS) of a specific producer, Siemens. Once injected it spreads silently through a Windows infrastructure looking for a specific PLC (programmable logic controller) in order to reprogram/alter the functionality of this PLC, while at the same time showing normal running conditions to the monitoring system. It was first reported in mid-June 2010, and it is defined as a military-grade cyber weapon whose goal is to hit and produce real-world physical targets: through the virtual cyber-war world you produce physical damage on the physical systems operating the machinery. It implies deep insider knowledge, so this is a mixture of cyber war, cyber-weapon technology and intelligence. The goal of Stuxnet was to disrupt the production mechanism of the centrifuges used in a uranium enrichment facility in Iran. Stuxnet placed itself between the two, to intercept the communications between the PLC and the industrial control system, to modify the PLC internal code and to change the operational parameters; it hides the PLC infection through rootkit functionality. Stuxnet lives and operates in two different environments: the Windows environment and the PLC environment, where the payload is parachuted, injected and executed.

A worm is a segment of code able to replicate and travel autonomously through networks without human intervention. The difference with viruses is that a virus, to activate and move around the network, needs some kind of human activity, while worms are completely autonomous and usually contain a payload to attack the specified target. An example of one of the first worms that appeared on the networks is Code Red (2001), with an incredible capability to travel networks. Worms go around by themselves, and there are many cases in which they ended up in nuclear power plants, for example. In 2003 the Slammer worm was able to enter a nuclear power plant in Ohio and disable the safety monitoring system for a few hours; in 2008 in Georgia there was an automatic shutdown of a nuclear power plant after the application of a software update to a single computer; in 2014 a South Korean nuclear power plant was hacked to access blueprints of reactors, floor maps and other internal information (this is very likely an intelligence operation).

Critical infrastructures like the production and distribution of electricity, pipelines, water, chemical and food production are controlled by software (Industrial Control Systems). SCADA stands for Supervisory Control and Data Acquisition: it controls very dispersed assets to centralise data acquisition and control over critical system operations. At the lowest level there are PLCs (Programmable Logic Controllers), low-level devices controlling real-world processes at the interface between the virtual world and the real world (e.g. sensors, actuators, pumps, ...). The general SCADA architecture has control centres with human interfaces for the operators to control the framework, communication links through many different technologies (cable, radio links, satellite links, ...) and remote sites where you can have local intelligence, sensors and remote telemetry units.

Stuxnet is specialised for ICSs, which are becoming more and more vulnerable infrastructures because of their underlying layer of ICT, cyber and digital technologies. These control systems for large infrastructures historically used to be more isolated than they are now: closed environments, less effective and flexible but probably a bit safer. Now the tendency is to start connecting SCADA systems to the general network, with convergence between control networks and corporate networks; SCADA components are being standardised, with extensive use of ICT protocols. Each one of them comes with its vulnerabilities (e.g. the monitoring framework communicating with remote devices without any encryption). Afterwards, it is difficult to take control of the device again; in some cases it had to be rebooted or power cycled, but in the case of industrial frameworks and systems you may not be able, or may not want, to power cycle something important.

Stuxnet is a cyber weapon. Probably the first Stuxnet infection was caused by a USB key, and it is very likely that the person who plugged the USB key with Stuxnet inside into the first computer of the local area network of the plant was not even aware of injecting the worm (it is not clear whether that was done on purpose). Immediately Stuxnet installs a rootkit on that machine, so that it hides its files and activities on that machine, and it tries to connect to a Command and Control (C&C) server if it finds a way out to the outside; if it doesn't, Stuxnet is completely autonomous. From that point on it infects all USB keys inserted into that machine, then it starts spreading to the enterprise network, to all the nodes, through print servers and file services. It doesn't do this very quickly: the worm is stealthier that way, and it is even more difficult to figure out what's going on. Then it establishes a peer-to-peer (P2P) network for self-update and again tries to access an external Command-and-Control server if it finds one. It is what in military terms is called a "fire and forget" launch: it does everything by itself, completely autonomously; you don't even have to tell it where the target is, the weapon goes and looks for the target. It infects any new USB flash drive inserted into any computer at that level, then it goes down in depth through databases, the network, printers and file shares. It spreads through Windows vulnerabilities but also vulnerabilities of the Siemens software, and goes down one step at a time, infecting all the machines at that level and proceeding to infect S7 project files (the project files of the industrial control system) until it gets to the very bottom, the PLCs, and starts fingerprinting them, infecting only the necessary ones by applying the payload (15,000 lines of code). So what it does is replace the communication library used by the control system with the Stuxnet library. The new library is able to control the communication of the PLC's input values from sensors and give fake pre-recorded data to the legitimate monitoring programme. The functionality of the inserted code was to vary the rotational speed of the centrifuges slowly over a month. It uses 7 different propagation mechanisms, in addition to establishing a peer-to-peer connection to C&C servers to download and execute code updates, a rootkit on the Windows infrastructure and a rootkit at the PLC level, so it not only hides itself and its activity in the files on the Windows infrastructure, but does the same at the lower level. The NSA jumps the air gap by having a transceiver planted inside the USB key, connecting over a short distance to a different station.
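The part of the story that matters most to a defender is the last step: the monitoring programme was shown pre-recorded readings while the real process drifted. The following Python is an added example, not from the notes and not related to any real Stuxnet artefact, showing two simple checks a monitoring pipeline can run on PLC telemetry: an exact-repeat detector (a genuinely noisy process practically never repeats an identical window of samples, so a repeat points at a replayed recording) and a comparison against a reading taken over an independent channel. The 16-sample "normal" loop, the drift rate, the units and the tolerance are constructed assumptions.

```python
"""Defender-side checks for pre-recorded telemetry fed to a monitoring program
(added example, constructed data).

Two complementary checks:
  1. find_replay(): a genuinely noisy process practically never repeats an
     identical window of samples, so an exact repeat indicates a replayed
     recording.
  2. divergence(): compare the values shown to the operators with a reading
     taken over an independent channel (a separate sensor or network path).
"""

# Sixteen "normal" readings of a rotational speed in constructed units; this
# is the recording that is looped back to the monitoring system.
NORMAL_LOOP = [
    1000.3, 999.8, 1000.1, 1000.6, 999.5, 1000.0, 1000.4, 999.7,
    1000.2, 999.9, 1000.5, 999.6, 1000.1, 1000.3, 999.8, 1000.0,
]


def find_replay(readings, window=8):
    """Return (first_start, second_start) of two identical non-overlapping
    windows, or None if the series never repeats exactly."""
    seen = {}
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i:i + window])
        if key in seen and seen[key] + window <= i:
            return seen[key], i
        seen.setdefault(key, i)  # keep the earliest occurrence of each window
    return None


def divergence(reported, independent, tolerance):
    """Indices where the reported value differs from the independent reference
    by more than the tolerance."""
    return [i for i, (r, x) in enumerate(zip(reported, independent))
            if abs(r - x) > tolerance]


def build_sample_streams(n=48):
    """Constructed scenario: the monitoring program is shown the looped
    recording, while the real speed (independent channel) drifts upward
    slowly, 0.1 units per sample."""
    reported = [NORMAL_LOOP[i % len(NORMAL_LOOP)] for i in range(n)]
    independent = [NORMAL_LOOP[i % len(NORMAL_LOOP)] + 0.1 * i for i in range(n)]
    return reported, independent


def analyze(reported, independent, tolerance=1.25, window=8):
    """Summarise both checks for an alerting pipeline."""
    replay = find_replay(reported, window)
    drift = divergence(reported, independent, tolerance)
    return {
        "replay_detected": replay is not None,
        "replay_offsets": replay,
        "first_divergence": drift[0] if drift else None,
        "diverging_samples": len(drift),
    }


if __name__ == "__main__":
    shown, real = build_sample_streams()
    print(analyze(shown, real))
```

The replay check needs nothing but the values the operators already see, so it works even when no second sensor exists; the divergence check is stronger but only as trustworthy as the independence of the reference channel, which is exactly what a PLC-level rootkit is designed to remove.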

- Duqu (2011): a remote access Trojan, not self-replicating, similar to Stuxnet but targeting computers rather than ICSs; more of an information-gathering worm, so it had a back door recording keystrokes and system information (cyber reconnaissance), unless it was a precursor of something. The targets were limited, and it was designed to destroy itself after 36 days.
- Flame (2012): optimised for espionage and apparently found mainly in Iran and the Middle East. Large and complex espionage capabilities: recording voice and Skype conversations, screenshots, keyboard activity, network traffic. No automatic replication/propagation; it had a self-destruct module to eliminate traces.
- Gauss (2012): a nation-state-sponsored banking Trojan to get information and monitor bank accounts and money flows. The main distribution is in the Middle East.
- Shamoon (2012): sabotage on the Saudi oil company Aramco.
- Red October (2013): an advanced cyber-espionage network targeting diplomatic and governmental agencies and scientific research organisations. It contained more than a thousand modules for advanced infections. Most of the tasks were one-time events: you get a DLL for the specific task from an attacker server, it is executed in memory and then immediately discarded. It used targeted email to specific persons, and through an attachment Red October was injected, remaining undetected for more than five years, relying on a Java exploit for infection. It goes very slowly at the beginning: it gathers information for a few days, then module deployment and compromise follow, and a resurrection module means that if you update the system or if the C&C servers are shut down, you can regain control over the previously infected machine with a simple email.

Logic bombs: you can implant things that wait for specific conditions before activating.

Possibly a cyber-attack on the electric power grid in Ukraine causing a blackout (2016), Steel mill

The contents of this page are personal reworkings by the publisher pax_ale of information learned by attending the lectures of Cybersecurity and Cybercrime and independent study of any reference books in preparation for the final exam or thesis. They are not to be understood as official material of the Università degli Studi di Bologna or of Prof. Siroli Giacomello.