SWE308: Information Security

Lecture 2: Threats, Vulnerabilities, and Attacks

Dr Iftekhar Salam
iftekhar.salam@xmu.edu.my

Xiamen Univesity Malaysia

Iftekhar Salam (XMUM) SWE 308 1 / 57

Slide credits

Acknowledgment:
Some of the slides are adapted and enhanced from materials prepared by Dr Leonie
Simpson

Iftekhar Salam (XMUM) SWE 308 2 / 57

Presentation outline

1 Overview

2 Threats

3 Vulnerabilities

4 Attacks

5 Summary

Iftekhar Salam (XMUM) SWE 308 3 / 57

 Overview

Introduction
Information is an important asset for individuals and organisations
Information security is about protecting information assets from damage or harm.
For particular assets, security goals may be:
Confidentiality: preventing the unauthorised disclosure of information
Integrity: detecting the unauthorised modification or destruction of information
Availability: ensuring resources are accessible when required by an authorised entity

Figure: Problems Associated with Communication Over Insecure Channel

Iftekhar Salam (XMUM) SWE 308 4 / 57

 Overview

Introduction

Threat
Set of circumstances with the potential to cause harm to an asset by compromising
security goals
Vulnerability
Characteristic of or weakness in a system that could, if acted on by a threat, result in
harm to asset
Security incident
Occurs when threats and vulnerabilities coincide
Attack: when vulnerabilities are deliberately exploited

Iftekhar Salam (XMUM) SWE 308 5 / 57

 Overview

Introduction

Threat, Vulnerabilities, Security Incident and Attack: Example

Threat: Any danger to your phone that can breach the security goals?
Vulnerability: Any weaknesses that could be used to breach the security goals for
the above example?
Security incident: Any security incident related to your phone?
Attack: Any attack that can happen to your phone?

Iftekhar Salam (XMUM) SWE 308 6 / 57

 Overview

Introduction

Threat, Vulnerabilities, Security Incident and Attack: Example

Threat: Any danger to your phone that can breach the security goals?
Somebody can stole your phone (security goal?), can access the information in your
phone (security goal?), may drop your phone (security goal?)....
Vulnerability: Any weaknesses that could be used to breach the security goals for
the above example?
Lack of physical security, No password/lock-screen, people,.....
Security incident: Any security incident related to your phone?
Dropped your phone causing damage, .....
Attack: Any attack that can happen to your phone?
A thief stealing (deliberately exploiting the vulnerability) your phone! Your friend
looked into your assignment in your phone by accessing (deliberately exploiting the
vulnerability) to the device!

Iftekhar Salam (XMUM) SWE 308 7 / 57

 Overview

Introduction

Security concepts and relationships

Iftekhar Salam (XMUM) SWE 308 8 / 57

 Overview

Introduction

Consider threats and vulnerabilities for all components and interactions:

Iftekhar Salam (XMUM) SWE 308 9 / 57

 Threats

Threats

Threat sources:
External: threat source outside of the organisation
Examples include people who are not authorized to use your information systems
organised criminal groups, commercial competitor, nation state-sponsored groups,
political activist, ......
May need access to assets in order to cause harm (Physical and/or logical access)

Internal: threat source lies within the organisation

Examples include people who are authorized to use information systems, but might
use them in unauthorized manner: employees, contractors, clients, visitors, .......
May misuse systems or exceed their authorization
May damage systems accidentally

Iftekhar Salam (XMUM) SWE 308 10 / 57

 Threats

Threats

Threat type:
Natural event
Examples: Earthquake, Fire, Flood, Storm, Tornado, Tidal Wave, Extreme
Temperature, Vermin

Human action - Accidental (no intent to cause harm)

Examples: acts of negligence, errors, omissions

Human action - Deliberate (intended to cause harm)

Examples: Espionage, fraud, sabotage, theft

Iftekhar Salam (XMUM) SWE 308 11 / 57

 Threats

Threats

Natural events:
Potential for threat to occur may depend on physical location of the information
asset
Earthquake, fire, flood, thunder strokes
Historical data may be useful indicator
Examples:
?
Most likely results in compromise of:
Which security goal? Think CIA

Iftekhar Salam (XMUM) SWE 308 12 / 57

 Threats

Threats

Tornado damage, US March 2012:

“Deadly tornadoes leave U.S. towns wrecked” 1

1
www.cbc.ca/news/world/story/2012/03/02/tornadoes-us-south.html

Iftekhar Salam (XMUM) SWE 308 13 / 57

 Threats

Threats

Example: Haitian earthquake January 2010

Amnesty International report: “Haiti: After the Earthquake Initial Mission Findings
March 2010”. 2
Report claims related to files held at the Palais de Justice of Port-au-Prince include
that:
Haitian authorities failed to:
protect sensitive files and evidence held at the Palais de Justice
restrict access to other buildings of the judiciary after the quake
Amnesty International received reports that criminal files and judicial archives had
been stolen or burnt on site

2
www.amnesty.org/download/Documents/36000/amr360042010en.pdf

Iftekhar Salam (XMUM) SWE 308 14 / 57

 Threats

Threats

Human action - accidental

No intention to cause harm, but actions do have potential for harm
Examples include: accidental damage to equipment, change management errors,
configuration errors, loss of personnel, loss of property, misdirecting messages,
operational errors (such as inadvertent deletion of files or incorrect data entry),
programming errors, etc
Consider physical and logical assets
Security goals compromised depend on the accidental action and information asset
possible to compromise all goals

Iftekhar Salam (XMUM) SWE 308 15 / 57

 Threats

Threats

Example: Human action - accidental

G20 Summit, Brisbane November 2014
Personal details of world leaders accidentally revealed by G20 organisers3 4

3
www.theguardian.com/world/2015/mar/30/
personal-details-of-world-leaders-accidentally-revealed-by-g20-organisers
4
www.documentcloud.org/documents/1697616-g20-world-leaders-data-breach.html

Iftekhar Salam (XMUM) SWE 308 16 / 57

 Threats

Threats

Example: Human action - accidental

Prince William royal photo shoot, November 2012
Prince William photos accidentally reveal RAF password 5 6

5
https://nakedsecurity.sophos.com/2012/11/21/prince-william-photos-password/
6
https://www.theguardian.com/uk/2012/nov/20/prince-william-photos-mod-passwords

Iftekhar Salam (XMUM) SWE 308 17 / 57

 Threats

Threats

Human action - deliberate

Actions intended to cause harm to information assets
Examples include:
Eavesdropping, Espionage, Extortion, Fire, Fraud, Malicious code, Sabotage, Social
engineering, Theft, Vandalism
Consider physical and logical assets
Possible to compromise all security goals
Depends on the actions taken and the asset involved
For the examples listed above, determine the security goal most likely to be
compromised

Iftekhar Salam (XMUM) SWE 308 18 / 57

 Threats

Threats

Example: Human action - deliberate - Malware

Malicious software deliberately designed to breach security of computer based
information systems
Depending on payload, malware can compromise:
Confidentiality: For example, logging keystrokes to obtain passwords
Integrity: For example, corrupting data files
Availability: For example, by deleting data or application files
Increasing dependence on information and communications technologies (ICT)
operating over internet expands potential external sources with logical access

Iftekhar Salam (XMUM) SWE 308 19 / 57

 Threats

Threats
Human action - deliberate
Common malware types:
Viruses - programs with ability to replicate
Spreads by copying itself into other files (infecting) and is activated when these files are
opened or executables run
Worms - programs with ability to self replicate
Spreads from computer to computer without human interaction
Trojan horses - programs with known desirable properties and hidden undesirable
property
User downloads the program and knowingly uses desirable features
Undesirable feature runs without user knowledge
Watch: https://www.youtube.com/watch?v=YbiR6IMf5KQ

Iftekhar Salam (XMUM) SWE 308 20 / 57

 Threats

Threats

Example: Human action - deliberate

Target US data breach: 7 8
Malware on POS system used to extract credit card info
Some estimates:
40 million credit and debit cards stolen between 27/11/2013 and 15/12/2013
1-3 million: estimated number of cards stolen from Target, sold on black market and
then used for fraud
$200 million – cost to reissue half the stolen cards

7
https://www.smh.com.au/technology/
what-a-major-data-breach-costs-target-by-the-numbers-20140506-zr5ny.html
8
https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Iftekhar Salam (XMUM) SWE 308 21 / 57

 Threats

Computer and network assets, with examples of threats

Iftekhar Salam (XMUM) SWE 308 22 / 57

 Vulnerabilities

Vulnerabilities

Characteristics of or weaknesses in a system

that, if acted on by a threat, could cause harm to information assets
Consider the components of information system:
Property
People
Procedures
Vulnerabilities exist in all of these

Iftekhar Salam (XMUM) SWE 308 23 / 57

 Vulnerabilities

Vulnerabilities

Property includes:
Physical assets: buildings and contents
Hardware: computer systems, data communications devices, data storage devices
Software: Operating system, applications
Data: System and organisational data: files, databases, passwords, ......
Consider possible vulnerabilities for each
This list is by no means exhaustive, just some of the possibilities ......

Iftekhar Salam (XMUM) SWE 308 24 / 57

 Vulnerabilities

Vulnerabilities: property - physical assets

Aspects to consider include:
Location of information assets
In a geographical area that is:
Susceptible to natural disaster
Near storage of flammable or corrosive materials
Close to targets for disruption (may be collateral damage if neighbouring building is
target) embassy, military site
Easily accessed by outsiders?

Physical security mechanisms

Fences, walls, locks, gates, partitioning of internal space

Maintenance
of assets and perimeter protection

Monitoring and logging physical access

Use of suitable equipment for monitoring access to facilities and environmental
conditions
e.g., CCTV, Intrusion Detection/Alarm system
e.g., fire detection and automatic fire suppression system, etc

Iftekhar Salam (XMUM) SWE 308 25 / 57

 Vulnerabilities

Vulnerabilities: property - ICT hardware and software

Aspects to consider include:
Reliability and robustness of:
Asset: Susceptibility to environmental conditions (dust, heat, humidity)
Supporting infrastructure: Power supply, air conditioning, etc.

Redundancy
What happens if/when equipment fails?
Is there sufficient alternative resources?
e.g., Uninterruptible Power Supply (UPS)

Source of software:
authorised, legitimate, vendor supported?
downloading and installing

Testing of software:
Flaws (bugs) in software, e.g., buffer overflows, injections, .......
Need for patching and upgrading

Configuration/misconfiguration

Unprotected communications channels (wired or wireless)

Iftekhar Salam (XMUM) SWE 308 26 / 57

 Vulnerabilities

Vulnerabilities: people
Aspects to consider include
Employees:
Recruiting staff suitable for the position
Failure to check background is common

Monitoring access of people to property and processes

Disgruntled employees, clients or contractors can be threat source

Inadequate education of staff with respect to threats - for example, are staff aware of
policies regarding:
providing information by email or over phone
downloading software,
use of mobile devices,

Are there key personnel critical to organisation?

May be unavailable due to accident or illness, or other event (transport failure, natural
disaster)
May be uncooperative
Vulnerable if no back-up for these people
Especially if procedures they perform are undocumented
Others
Are security conditions included in contracts with consultants, contractors,
outsourcing?

Iftekhar Salam (XMUM) SWE 308 27 / 57

 Vulnerabilities

Vulnerabilities: Example

Example: People - recruiting failure

New Zealand intelligence failed on fantasist scientist 9

9
https://www.bbc.com/news/world-asia-pacific-12304651

Iftekhar Salam (XMUM) SWE 308 28 / 57

 Vulnerabilities

Vulnerabilities: processes
Aspects to consider include:
Access control and privilege management
Including keys, cards, passwords
Backup of files and systems
Business continuity plans
for recovery of information assets after disaster
Communications
Policy for acceptable use of communications systems
Example: confirmation for sending/receiving messages
Does it matter what the message is?
Example: Passwords - see: www.plaintextoffenders.com
Checks and balances:
People make mistakes: are there processes to detect, correct or reduce the impact of
errors?
Example: Separation of duties
Processes associated with staff joining/leaving organisation:
Clear statement of duties
Nondisclosure/confidentiality agreements
Software management processes and auditing
Application whitelisting?

Iftekhar Salam (XMUM) SWE 308 29 / 57

 Attacks

Security incidents and attacks

Security incidents:
If the threat involves deliberate human action, then incident is referred to as an
attack
Attacker: person who deliberately attempts to exploit a vulnerability to gain
unauthorized access, or perform unauthorized actions
Even if threat is not deliberate, the damage from the security incident can still be
extensive
Providing effective security for information assets requires understanding threats and
vulnerabilities
so that appropriate security measures can be used

Iftekhar Salam (XMUM) SWE 308 30 / 57

 Attacks

Attacks

Attack Types:
Passive
Attacker's goal is to obtain information
Attacker does not alter information system resources
No interaction by the attacker other than listening or observing
Difficult to detect; usually try to prevent the attack

Active
Attacker's goal may be to obtain, modify, replicate or fabricate information
Requires some action or interaction with the information system by the attacker
Usual approach is to try to detect attackers actions, recognise them as signs of attack
and recover

Iftekhar Salam (XMUM) SWE 308 31 / 57

 Attacks

Passive attacks

Eavesdropping:
Listening to the conversations of others without their knowledge or consent
Wiretapping
Eavesdropping over telephone network
Information can be obtained from:
the content of the conversations, and
knowing who is talking to who and when (traffic analysis)

Iftekhar Salam (XMUM) SWE 308 32 / 57

 Attacks

Passive attacks

Shoulder surfing
Watching the actions of others (especially at data entry) without their knowledge
or consent
Usually connected with entry of confidential information
PIN (for financial access at ATM)
Security code or password
Can also be for greater amounts of data
Use of mobile devices in insecure surroundings is vulnerability that can be exploited for
this attack

Iftekhar Salam (XMUM) SWE 308 33 / 57

 Attacks

Passive attacks

Network monitoring and eavesdropping

A packet sniffer or network analyzer can monitor network traffic
can be used for network maintenance (finding faults and traffic problems)
But can also be used to gain knowledge of confidential information
e.g passwords corresponding to user names

Confidential information should not be sent over untrusted networks without

protection
Example: when logging on to a remote resource, passwords should not be sent “in the
clear” (unencrypted)

Iftekhar Salam (XMUM) SWE 308 34 / 57

 Attacks

Active attacks

The NIST Computer Security Incident Handling Guide defines a DoS attack as:
An action that prevents or impairs the authorized use of networks, systems, or
applications by exhausting resources such as central processing units (CPU),
memory, bandwidth, and disk space

Denial of Service (DoS) Attack

Objective is to make an information asset or resource unavailable to authorized
users
Common methods are:
To overload the resource, so it cannot respond to legitimate requests
To damage the resource, so that it can not be used
To deliberately interrupt communications between users and resource, so that it can
not be accessed

Iftekhar Salam (XMUM) SWE 308 35 / 57

 Attacks

Active attacks

The NIST Computer Security Incident Handling Guide defines a DoS attack as:
An action that prevents or impairs the authorized use of networks, systems, or
applications by exhausting resources such as central processing units (CPU),
memory, bandwidth, and disk space

Denial of Service (DoS) Attack

Objective is to make an information asset or resource unavailable to authorized
users
Common methods are:
To overload the resource, so it cannot respond to legitimate requests
To damage the resource, so that it can not be used
To deliberately interrupt communications between users and resource, so that it can
not be accessed
Can you think of any DoS attack that you can perform?

Iftekhar Salam (XMUM) SWE 308 35 / 57

 Attacks

Active attacks

Distributed Denial of Service (DDoS) Attack

Objective is same as DoS attack: Breaches availability of information asset
Method:
Use multiple sources to make resource requests
Hope to overload resource, so it cannot respond to legitimate requests
Malware (e.g.virus) may be used to compromise many machines (they become bots
=> form botnet)
all have same target, and payload is activated at same time, to make simultaneous
resource request
resource requested cannot cope with the demand

Iftekhar Salam (XMUM) SWE 308 36 / 57

 Attacks

Active attacks

Example: Denial of Service (DoS) Attack

DoS and DDoS commonly applied to websites:
Many DDoS attacks on websites
Use of malware to compromise devices and generate traffic
Mirai malware used on IoT devices to attack Krebs site 10 11
DDos attacks on banks, online betting and gaming

Can also apply to telecommunications (TDoS)

May be used to prevent verification by phone of other actions (linked to other attacks)
Mirai malware in Nov 2016 attack on Deutsche Telekom

10
https://krebsonsecurity.com/tag/mirai/
11
https://krebsonsecurity.com/tag/mirai-botnet/

Iftekhar Salam (XMUM) SWE 308 37 / 57

 Attacks

Active attacks

Masquerade/Spoofing:
One entity pretends to be another in order to deceive others

Common spoofing attacks include:

Email address spoofing
Altering the sender information on email to trick recipients into thinking the message
is from another source
Webpage spoofing
Creating a fake webpage that looks like the page for a legitimate business to trick users
into giving up credentials they use at legitimate site
into downloading materials from an alternative site

Iftekhar Salam (XMUM) SWE 308 38 / 57

 Attacks

Active attacks
Phishing:
Attempts to gain information (especially credentials to enable access to other
resources) by masquerading as a legitimate organisation (Bank, eBay, PayPal)
Example: account details, PIN number, password
Usually involves
spoofed emails and/or web pages + social engineering

Iftekhar Salam (XMUM) SWE 308 39 / 57

 Attacks

Active attacks - Spear Phishing

Socially-aware attacks
Mine social relationships from public data
Phishing email appears to arrive from someone known to the victim
Use spoofed identity of trusted organization to gain trust
Urge victims to update or validate their account
Threaten to terminate the account if the victims not reply
Use gift or bonus as a bait
Security promises
Context-aware attacks
“Your bid on eBay has won!”
“The books on your Amazon wish list are on sale!”

Watch: https://www.youtube.com/watch?v=fZc2oXfz9Qs

Iftekhar Salam (XMUM) SWE 308 40 / 57

 Attacks

Active attacks

Social Engineering:
Using social skills to convince people to reveal information or permit access to
resources
Examples:
Claim to be new employee, manager’s assistant, maintenance person, etc and ask for
assistance in accessing resource to complete an urgent task:
I’ve lost my password and I have to finish this today ......
My swipe card doesn't work/left at home......
Tailgating - follow another person closely so that when they go into secure area you
can also get in without providing appropriate credentials

Iftekhar Salam (XMUM) SWE 308 41 / 57

 Attacks

Active attacks

Identity theft:
A crime where one person uses another person’s key personal information to
fraudulently impersonate them
The imposter gains a benefit:
Obtain advantages that the victim has:
access to certain locations or services,
get loans, spend on credit or debit cards,
use drivers license, medical care, etc
Avoid penalties incurred by imposter’s actions:
failing to make loan repayments or pay credit card bills,
using victim’s ID if caught speeding or other infringement, etc

Iftekhar Salam (XMUM) SWE 308 42 / 57

 Attacks

Active attacks

Identity Theft: Example

A WOMAN plans to fight traffic charges after claiming an identity theft resulted in
her being wrongly convicted of traffic offences. 12

12
www.sunshinecoastdaily.com.au/news/woman-to-fight-maroochydore-court/1301130/

Iftekhar Salam (XMUM) SWE 308 43 / 57

 Attacks

Active attacks

Identity Theft: Example

Victim may not be aware identity theft has occurred:
May not be aware of unauthorised use until bank statement/bill/ fine is delivered
Check your bank statements to make sure all transactions are yours
Attacker may alter address for statements, bills, so victim remains unaware of
compromise
Check your records at set intervals, even if not issued frequently by supplier

Iftekhar Salam (XMUM) SWE 308 44 / 57

 Attacks

Active attacks
Identity Theft: Example - Gaining personal information using Phishing E-mail

Iftekhar Salam (XMUM) SWE 308 45 / 57

 Attacks

Active attacks

Identity Theft - Information used to steal someone's identity can be gained by:
Dumpster diving (digging through rubbish bin contents)
Hardcopy items that reveal personal information: credit card receipts, pre-approved
credit forms, paperwork from other organisations etc
Raiding letterboxes
Mail may include unique identifiers such as Tax File Number
Social engineering
Phone calls, email messages, phishing scams:
Romance scams, fake jobs, fake lottery wins,
Personal web page, social networking sites
Sites that are public, but should not be, e.g., December 2011 Telstra customer
database exposure
Info that has been stolen and made available
Cupid media (online dating) hack in 2013
Using malware to compromise a user’s PC
trojan keystroke logger
Attacking databases holding personal information

Iftekhar Salam (XMUM) SWE 308 46 / 57

 Attacks

Active attacks

Man-in-the-Middle Attack (MITM)

An attacker (Carol) positions herself between two entities who wish to
communicate, say Alice and Bob.
Carol pretends to Alice she is Bob, and pretends to Bob she is Alice (spoofing).

Iftekhar Salam (XMUM) SWE 308 47 / 57

 Attacks

Active attacks

Man-in-the-Middle Attack (MITM)

Alice and Bob think they are communicating with each other.
However, all messages between them go via Carol, so Carol can control the
conversation
Could just monitor conversation (breach confidentiality)
Can also insert or modify information (breach integrity)

Iftekhar Salam (XMUM) SWE 308 48 / 57

 Attacks

Normal information flow

Iftekhar Salam (XMUM) SWE 308 49 / 57

 Attacks

MITM: Interception

Breach of which security goal?

Iftekhar Salam (XMUM) SWE 308 50 / 57

 Attacks

MITM: Interruption

Breach of which security goal?

Iftekhar Salam (XMUM) SWE 308 51 / 57

 Attacks

MITM: Modification

Breach of which security goal?

Iftekhar Salam (XMUM) SWE 308 52 / 57

 Attacks

MITM: Fabrication

Breach of which security goal?

Iftekhar Salam (XMUM) SWE 308 53 / 57

 Attacks

Active attacks

Replay attack:
This is where a valid data transmission is recorded, and re-transmitted at a later
date
Example:
Access to a system requires use of password, but password is encrypted during
transmission
Attacker records encrypted password, and replays this information in order to gain
access
Doesn't matter that attacker doesn't know the password – they can provide the
expected credential on request.

Iftekhar Salam (XMUM) SWE 308 54 / 57

 Summary

Case study: Ransomware

Threat: ?

Vulnerability: ?

Attack: ?

Control measures: ?

Iftekhar Salam (XMUM) SWE 308 55 / 57

 Summary

End of Lecture 2! ,
Summary
For information assets and their support systems:
Many threats and many vulnerabilities
To protect information assets need to understand:
Possible threats, existing vulnerabilities, and
Likelihood of threats and vulnerabilities coinciding
Security incidents occur - result in CIA breaches:
Called attacks if deliberate human action is involved
Lots of different types, lots of different targets
Severity depends on value and criticality of asset, and degree of compromise
Need to implement controls to achieve security goals
Watch:
www.khanacademy.org/computing/computer-science/internet-intro/
internet-works-intro/v/the-internet-cybersecurity-and-crime

Next week lecture - User authentication

Remember to do your quiz this week

Check Moodle announcement for the details

QUESTIONS?
Iftekhar Salam (XMUM) SWE 308 56 / 57
 Summary

Appendix: University’s vision and mission

1 Vision: Xiamen University Malaysia aspires to become a university with a distinct

global outlook, featuring first-class teaching and research, and embracing cultural
diversity.

2 Mission: To nurture young talents with dignity and wisdom, turning them into fine
citizens of the region who will contribute to the prosperity of the people and social
progress of Malaysia, China and Southeast Asia.

Iftekhar Salam (XMUM) SWE 308 57 / 57