Topics:
1. Introduction to Cybersecurity
2. Network Theory
3. Threat Modelling Analysis and Social Engineering
4. Critical Infrastructures
5. Cyberwar and Infowar
6. Asymmetric Warfare
7. Cyberweapons: Stuxnet and others
8. Information Warfare and Psychological Ops
9. Digital battlefield
10. Military applications of Artificial Intelligence; Lethal Autonomous Weapons Systems
11. NSA leaks & CIA leaks
12. Surveillance
13. Myths and Reality of Cybercrime
14. Privacy & Data Protection
15. Cyber Arms Control & Disarmament
16. Tor and Dark Web
Raw data is abundantly available online. Open-source intelligence (OSINT) is used to analyze Big Data, but there are also other sources: SNA, Social Engineering (acquiring ways of penetrating networks through users, unknowingly), attack tools (phishing and spear-phishing emails containing a link that will inject malware), Sentiment Analysis (used mainly in marketing or political communication), Web Scraping (extracting data from browsers) and the “Dark Web” (web pages that are not indexed by search engines and tend to sell illegal resources). Every layer produces data that are expressed in different formats.
Roughly speaking we can group these data as more ‘technical’ (layers 1-7) and ‘social’ (layers 8-10). You can extract information from each one of these layers with different methodologies; we will limit our analysis to the social dimension. Packets are the necessary information to make sense of everything that travels the net. Threat modeling is a semi-formal technique used to understand threats against your system (it contains a mathematical element, but that is not preponderant). Threat and risk are often used interchangeably, but this is incorrect: by threat we indicate the actor, whereas a risk is the probability of a bad thing happening multiplied by its impact. Threat modeling might be better understood as risk modeling. It has more to do with the social layer because there is always an actor behind a risk. It can be used to create an abstraction of the system and profiles of potential attackers (goals and methods). It is useful because it increases awareness in the organization, helps focus resources, gives a better security assessment and may help bridge techies and generic staff. It usually involves algorithms (sets of instructions to do something).
Social Network Analysis (SNA) examines interactions and the structural constraints between nodes, and the flows of resources and information. It comprises a paradigm (graph theory, relational theories of social interaction) and a methodology (mainly descriptive statistics: measures of centrality, density, transitivity, reciprocity and brokerage). For examples see the research on social movements (Diani and McAdam, 2002), on social capital (Lin, 2001), on virtual communities (Adamic and Glance, 2005) and on Florentine politics in the 15th century (Breiger and Pattison, 1986). According to Wasserman and Faust (1994, pp. 17-21), ‘a social network consists of a finite set or sets of actors and the relation or relations defined on them’.
Terminology:
- Actors: discrete individual, corporate, or collective social units.
- Social ties: linkage or relationship between actors. Dyad if the actors are two; Triad if the
actors are three.
- Group: collection of all actors on which ties are to be measured
- Relation: collection of ties of a specific kind among members of a group
Particularities of SNA according to Wasserman and Faust (1994, ch.1):
- Actors and actions are considered to be interdependent, linked by social/relational ties through
which resources (material and nonmaterial) flow
- The network structural environment provides opportunities for and constraints on individual
actions
- Structure (sociopolitical, economic…) as lasting patterns of relations among actors
Data types in Network Analysis:
- Attribute data: properties, qualities, or characteristics of agents (Scott, 1991). Measured as
values of particular variables (income, education…).
- Relational data: properties and qualities relating to the contacts, ties and connections which
link one agent to another.
- Ideational data: related to meanings and motive definitions.
These data are often collected together. SNA provides a tool for the graphical representation of relations, integrating structure and agency. Analysis of the terrorist network behind 9/11: the network was sparse and the nodes were distant, which minimizes the damage to the network if a cell member is captured. Strength of weak ties: distant ties are important for finding resources or information (Granovetter, 1973). Low redundancy in ties is linked to resource payoffs, while redundancy can be effective with nonmaterial resources (social bonds and social capital). Structural holes explain the relative payoffs for brokers, consultants and gatekeepers who bridge holes between agents (Burt, 1992).
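The descriptive measures listed above (density, degree centrality, reciprocity, transitivity, brokerage via structural holes) and the "sparse cells survive capture" observation can be computed by hand on a small graph. The following is an added example, not code from the notes or from any of the cited authors: the network is a constructed toy with two dense cells joined by a single weak tie, and the measure definitions used (normalised degree, fraction of reciprocated arcs, fraction of closed two-paths, count of unconnected neighbour pairs per ego, weak components after removing a node) are the simplest textbook forms.

```python
"""Descriptive SNA measures on a small constructed directed network, plus a check of
what happens to connectivity when one node is removed (a captured cell member)."""
from collections import deque
from itertools import combinations

# Constructed toy network (not real data): cell 1 = {a, b, c}, cell 2 = {d, e, f},
# joined only by the weak tie c -> d. Each pair is a directed arc u -> v.
EDGES = [
    ("a", "b"), ("b", "a"), ("b", "c"), ("c", "b"), ("a", "c"),
    ("c", "d"),
    ("d", "e"), ("e", "d"), ("e", "f"), ("f", "d"),
]


def build(edges):
    """Adjacency as out-neighbour sets, plus the sorted node list."""
    nodes = sorted({n for e in edges for n in e})
    out = {n: set() for n in nodes}
    for u, v in edges:
        out[u].add(v)
    return nodes, out


NODES, OUT = build(EDGES)


def density(nodes, out):
    """Arcs present divided by arcs possible, n(n-1) for a directed graph."""
    n = len(nodes)
    m = sum(len(s) for s in out.values())
    return m / (n * (n - 1))


def degree_centrality(nodes, out):
    """(in-degree + out-degree) / 2(n-1): 1.0 means tied both ways to everyone."""
    indeg = {v: 0 for v in nodes}
    for u in nodes:
        for v in out[u]:
            indeg[v] += 1
    n = len(nodes)
    return {v: (len(out[v]) + indeg[v]) / (2 * (n - 1)) for v in nodes}


def reciprocity(nodes, out):
    """Fraction of arcs u -> v for which the reverse arc v -> u also exists."""
    m = sum(len(s) for s in out.values())
    mutual = sum(1 for u in nodes for v in out[u] if u in out[v])
    return mutual / m if m else 0.0


def transitivity(nodes, out):
    """Fraction of directed two-paths u -> v -> w (u != w) closed by an arc u -> w."""
    paths = closed = 0
    for u in nodes:
        for v in out[u]:
            for w in out[v]:
                if w == u:
                    continue
                paths += 1
                if w in out[u]:
                    closed += 1
    return closed / paths if paths else 0.0


def neighbours(nodes, out):
    """Undirected neighbour sets (a tie in either direction counts)."""
    nb = {v: set() for v in nodes}
    for u in nodes:
        for v in out[u]:
            nb[u].add(v)
            nb[v].add(u)
    return nb


def structural_holes(nodes, out):
    """Per ego: number of neighbour pairs with no tie between them (holes the ego spans)."""
    nb = neighbours(nodes, out)
    return {v: sum(1 for i, j in combinations(sorted(nb[v]), 2) if j not in nb[i])
            for v in nodes}


def weak_components(nodes, out, removed=None):
    """Number of weakly connected components, optionally after deleting one node."""
    nb = neighbours(nodes, out)
    seen, count = set(), 0
    for start in nodes:
        if start == removed or start in seen:
            continue
        count += 1
        queue, seen = deque([start]), seen | {start}
        while queue:
            u = queue.popleft()
            for v in nb[u]:
                if v != removed and v not in seen:
                    seen.add(v)
                    queue.append(v)
    return count


if __name__ == "__main__":
    print("density", round(density(NODES, OUT), 3))
    print("reciprocity", round(reciprocity(NODES, OUT), 3))
    print("transitivity", round(transitivity(NODES, OUT), 3))
    print("degree centrality", degree_centrality(NODES, OUT))
    print("structural holes", structural_holes(NODES, OUT))
    for node in NODES:
        print("components after removing", node, weak_components(NODES, OUT, node))
```

On this toy graph the two nodes adjacent to the weak tie (c and d) are the only ones spanning structural holes, and removing c is the only single capture that splits the network into two components; removing any member inside a dense cell leaves the rest reachable, which is the redundancy trade-off the notes describe.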
Threat Model vocabulary:
- Threat: actions/activities that potentially can harm computers/networks or some other
organization’s assets.
- Attack: actual realization of threat.
- Vulnerability: weakness or opening that may allow a threat to become an attack (not
necessarily a defect).
- Risk: probability that the vulnerability is found and it is exploited.
- Risk management: all activities/actions undertaken to control or reduce the risk (preventive).
- Mitigation: actions/activities undertaken to reduce the effects/consequences of the attack
(post-event).
- Threat modeling: identifying/assessing threats, understanding threats-to-assets, developing
strategies for responding.
Not all users have privileges within the network to access or undertake actions.
Methodology:
- Think about who your attacker can be and what your assets are
- Attack surface: what can the attacker attack?
  o Attack vectors: probable means of attack.
  o You can collect as much data as possible on how secure your system is and on the attackers (BD).
Example:
- Someone with physical access to a system/data and with unlimited time
- Provided that certain security measures are taken
- Who has access? What privileges? Assets?
- Worst possible outcome?
CIA (Confidentiality, Integrity, Availability): cybersecurity as a set of rules to guarantee:
- Confidentiality: only authorized users can access specific computers/data
- Integrity: data stored can only be modified by authorized users
- Availability: data and systems should be promptly available everywhere to authorized users
Types of attackers:
- Amateurs: opportunistic attackers
- Hackers: non-malicious
- Crackers: malicious
- Insiders
- Hacktivists
- Cyber-terrorists
- Large organization/corporations and structured networks (private companies, organized
crime, specialized organizations serving government – cyber mercenaries)
- Nation-state cyber-warriors: more resources; the worst menaces are classified as APTs (Advanced
Persistent Threats) with a numerical classification.
Botnet: a number of computers controlled externally to launch a DoS or DDoS attack, which forces a lot of traffic into a computer that cannot process it.
The main motivation is cybercrime; the rest is cyber espionage and warfare.
Crypto AG:
- Swiss cryptography firm that sold its equipment to governments and militaries after WWII. Secretly controlled by the CIA and sold after 2018
- Sold backdoored crypto equipment to benefit the US, UK and defense intelligence
- Revealed by the media on Feb 11, 2020
Stuxnet is a worm designed for sabotage: its target is a specific industrial process, and it actually targets a particular subsystem of a large-scale industrial control system (ICS) of a specific producer, Siemens. Once injected it spreads silently through a Windows infrastructure looking for a specific PLC (programmable logic controller), to reprogram/alter the functionality of that PLC while at the same time showing normal running conditions to the monitoring system. It was first reported in mid-June 2010 and is defined as a military-grade cyber weapon whose goal is to hit real-world physical targets: through the virtual cyber-war world you produce physical damage on the physical systems operating the machinery. It implies deep insider knowledge, so it is a mixture of cyber war, cyber-weapon technology and intelligence. The goal of Stuxnet was to disrupt the production mechanism of the centrifuges used in a uranium enrichment facility in Iran. Stuxnet placed itself in between the PLC and the industrial control system to intercept their communications, modify the PLC's internal code and change the operational parameters; it hides the infection through rootkit functionality. Stuxnet lives and operates in two different environments: the Windows environment and the PLC environment, where the payload is parachuted, injected and executed.
A worm is a segment of code able to replicate and travel autonomously through networks without human intervention. The difference from viruses is that a virus needs some kind of human activity to activate and move around the network, while worms are completely autonomous and usually contain a payload to attack the specified target. An example
of one of the first worms to appear on the networks is Code Red (2001), which had an incredible capability to travel networks. Worms go around by themselves and there are many cases in which they ended up in nuclear power plants, for example: in 2003 the Slammer worm was able to enter a nuclear power plant in Ohio and disable the safety monitoring system for a few hours; in 2008 in Georgia there was an automatic shutdown of a nuclear power plant after a software update was applied to a single computer; in 2014 a South Korean nuclear power plant was hacked to access reactor blueprints, floor maps and other internal information (very likely an intelligence operation).
Critical infrastructures such as electricity production and distribution, pipelines, water, chemical and food production are controlled by software (Industrial Control Systems). SCADA stands for Supervisory Control and Data Acquisition: it controls very dispersed assets in order to centralise data acquisition and control over critical system operations. At the lowest level there are PLCs (Programmable Logic Controllers), low-level devices controlling real-world processes at the interface between the virtual world and the real world (e.g. sensors, actuators, pumps…). The general SCADA architecture has control centres with human interfaces for the operators to control the framework, communication links over many different technologies (cable, radio links, satellite links…) and remote sites where you can have local intelligence, sensors and remote telemetry units.
Stuxnet is specialised for ICSs, which are becoming more and more vulnerable infrastructures because of their underlying layer of ICT (cyber and digital technologies). These control systems for large infrastructures historically used to be more isolated than they are now: closed environments, less effective and flexible but probably a bit safer. Now the tendency is to connect SCADA systems to the general network, with convergence between control networks and corporate networks; SCADA components are being standardised, with extensive use of ICT protocols. Each one of them comes with its vulnerabilities (e.g. the monitoring framework communicating with remote devices without any encryption). Afterwards it is difficult to take back control of the device: in some cases it had to be rebooted or power cycled, but in industrial frameworks and systems you may not be able, or may not want, to power cycle something important.
Stuxnet is a cyber weapon. Probably the first Stuxnet infection was caused by a USB key, and it is very likely that the person who plugged the USB key containing Stuxnet into the first computer of the plant's local area network was not even aware of injecting the worm (it is not clear whether that was done on purpose). Immediately Stuxnet installs a rootkit on that machine so that it hides its files and activities; it tries to connect to a Command and Control (C&C) server if it finds a way out to the external network, and if it doesn't, Stuxnet is completely autonomous. From that point on it infects all USB keys inserted into that machine, then it starts spreading to all the nodes of the enterprise network through print servers and file services. It doesn't do this very quickly: the worm is stealthier that way, which makes it even more difficult to figure out what's going on. Then it establishes a peer-to-peer (P2P) network for self-update and again tries to reach an external Command-and-Control server if it finds one. It is what in military terms is called “fire and forget”: it does everything by itself, completely autonomously; you don't even have to tell it where the target is, the weapon goes and looks for the target. It infects any new USB flash drive inserted in any computer at that level, then it goes down in depth through databases, network and printer and file shares. It spreads through Windows vulnerabilities but also through vulnerabilities of the Siemens software, and goes down step by step, infecting all the machines at each level and the Step 7 project files (the project files of the industrial control system), until it gets to the very bottom, the PLCs, and starts fingerprinting them, infecting only the ones necessary and applying the payload (15,000 lines of code). What it does is replace the communication library used by the control system with the Stuxnet library. The new library is able to control the communication of the PLC's input values from the sensors and give fake pre-recorded data to the legitimate monitoring programme. The functionality of the inserted code was to vary the rotational speed of the centrifuges slowly over a month. It uses 7 different propagation mechanisms, in addition to establishing a peer-to-peer connection to C&C servers to download and execute code updates, a rootkit on the Windows infrastructure and a rootkit at the PLC level, so it not only hides itself and its activity in the files on the Windows infrastructure but does the same at the lower level. The NSA jumps the air gap by having a transceiver planted inside the USB key, connecting over a short distance to a different station.
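The payload described above fed pre-recorded “normal” values to the monitoring programme while the real centrifuge speed was being altered. The following is an added example, not code from the notes or from any published Stuxnet analysis: a defender-side consistency check on telemetry that flags a reported sensor stream which repeats exactly (real sensor readings carry noise, so an exact period over many samples is a replay signature) and flags divergence between what the HMI reports and an independent measurement path. The sample streams, the existence of a second independent sensor path and the tolerance value are all constructed assumptions.

```python
"""Defender-side sanity checks on ICS telemetry: detect an exact periodic replay in the
reported stream and divergence from an independent measurement of the same quantity."""

# Constructed data (not real plant telemetry): one 8-sample window of plausible centrifuge
# speed readings. A tampered communication library that replays recorded values would
# hand this window to the monitoring programme over and over.
RECORDED = [1050, 1052, 1049, 1051, 1050, 1053, 1048, 1050]
REPORTED = RECORDED * 5            # 40 samples as seen by the monitoring programme
# Assumed independent measurement path (e.g. a second sensor wired to a separate logger):
# same shape, but the real speed drifts upward by 10 per cycle because the controller
# parameters were altered.
MEASURED = [RECORDED[i % 8] + 10 * (i // 8) for i in range(40)]


def detect_period(samples, min_period, max_period):
    """Smallest p in [min_period, max_period] with samples[i] == samples[i+p] for every i,
    or None if the stream is not an exact replay. A flat-lined (constant) stream also
    matches at min_period, which is itself worth flagging."""
    for p in range(min_period, max_period + 1):
        if p >= len(samples):
            break
        if all(samples[i] == samples[i + p] for i in range(len(samples) - p)):
            return p
    return None


def divergent_samples(reported, measured, tol):
    """Indices where the reported value and the independent measurement differ by more than tol."""
    return [i for i, (r, m) in enumerate(zip(reported, measured)) if abs(r - m) > tol]


def assess(reported, measured, tol=15, min_period=2, max_period=20):
    """Combine both checks into a verdict a SOC or plant operator can act on."""
    period = detect_period(reported, min_period, max_period)
    diverging = divergent_samples(reported, measured, tol)
    findings = []
    if period is not None:
        findings.append(f"reported stream repeats exactly every {period} samples")
    if diverging:
        findings.append(f"{len(diverging)} samples diverge from the independent measurement "
                        f"(first at index {diverging[0]})")
    return {
        "replay_period": period,
        "divergent": diverging,
        "verdict": "suspect" if findings else "consistent",
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess(REPORTED, MEASURED)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

The point of the second check is that it does not depend on the integrity of the compromised path at all: if the monitoring programme's values and an out-of-band measurement of the same physical quantity disagree beyond sensor tolerance, either a sensor has failed or the reporting chain is lying, and both deserve an operator's attention. The tolerance of 15 and the 8-sample period are properties of the constructed data, not recommended settings.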
- Duqu (2011): a remote access Trojan, not self-replicating, similar to Stuxnet but targeting computers rather than ICSs; more an information-gathering piece of malware, with a backdoor recording keystrokes and system information (cyber reconnaissance), unless it was a precursor of something. The targets were limited, and it was designed to destroy itself after 36 days.
- Flame (2012): optimised for espionage and apparently found mainly in Iran and the Middle East. Large and complex espionage capabilities: recording voice (Skype conversations), screenshots, keyboard activity and network traffic. No automatic replication/propagation; it had a self-destruct module to eliminate traces.
- Gauss (2012): a nation-state-sponsored banking Trojan to get information and monitor bank accounts and money flows. Mainly distributed in the Middle East.
- Shamoon (2012): sabotage on the Saudi oil company Aramco.
- Red October (2013): an advanced cyber espionage network targeting diplomatic and governmental agencies and scientific research organisations. It contained more than a thousand modules for advanced infections. Most tasks are one-time events: you get DLL code for the specific task from an attacker server, it is executed in memory and then immediately discarded. It used targeted email to specific persons and, through an attachment, Red October was able to be injected; it remained undetected for more than five years, relying on a Java exploit for infection. It goes very slowly at the beginning: it gathers information for a few days, then comes module deployment and compromise, plus a resurrection module: if the system is updated or the C&C servers are shut down, you can regain control over the previously infected machine with a simple email.
Logic bombs: you can implant things that wait for specific conditions before activating.
Possibly a cyber-attack on the electric power grid in Ukraine causing a blackout (2016), Steel mill