Week 3 – Tutorial
Lecturer: Dr Zuoxia Yu
Email: zyu@uow.edu.au
Office: 3.116
Cybersecurity Challenges
• Viruses, malware, and Trojans
• Lack of diligence and untrained employees
• Phishing and social engineering
• Targeted attack
• Crypto and ransomware
• Government-sponsored cyberattacks (data as a weapon)
Cybersecurity Challenges
• Targeted attack
  ◦ The attacker has a specific target in mind when he/she starts to create a plan of attack. During this initial phase, the attacker spends a lot of time and resources on public reconnaissance to obtain the information needed to carry out the attack.
  ◦ Another attribute of a targeted attack is longevity, i.e. the amount of time the attacker maintains persistent access to the target's network. The intent is to keep moving laterally across the network, compromising different systems until the goal is reached.
Cybersecurity Challenges
• Government-sponsored cyber attacks (data as a weapon)
  ◦ The intent is to steal information that can be used against the hacked party.
  ◦ The private sector should not ignore the signs of this kind of attack.
  ◦ Organizations are starting to invest more in threat intelligence, machine learning, and analytics to protect their assets.
Comparison of Different Malware
• Virus vs Worm vs Trojan
*https://www.aic.gov.au/publications/htcb/htcb10
Stuxnet
• Stuxnet is one of the most famous examples of a targeted and government-sponsored cyber attack.
• Stuxnet is only a 500 KB computer worm. It infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant.
• The worm was first identified by the security company VirusBlokAda in mid-June 2010. The first variant of the worm appeared in June 2009.
• Its current name is derived from a combination of keywords found in the software (".stub" and "mrxnet.sys").
• Stuxnet is known to be the first worm that attacks and destroys essential physical infrastructure.
Stuxnet
• Stuxnet attacks a target system in three phases
  ◦ First, it targeted Microsoft Windows machines and networks, repeatedly replicating itself.
    ▪ It spread through USB thumb drives, then used four zero-day vulnerabilities for propagation.
  ◦ Then, it sought out Siemens Step7 software, which is also Windows-based and is used to program the industrial control systems that operate equipment (e.g., centrifuges).
    ▪ Stuxnet infects project files belonging to Siemens' WinCC/PCS 7 control software.
    ▪ It intercepts communications between the WinCC software running under Windows and the target Siemens PLC devices.
  ◦ Finally, it compromised the programmable logic controllers (PLCs).
    ▪ The target is specific: the Siemens S7-300 system and its associated modules.
Stuxnet
• A zero-day vulnerability is a computer-software vulnerability that is
unknown to, or unaddressed by, those who should be interested in
mitigating the vulnerability (including the vendor of the target
software) and is being actively exploited in the wild.
How Stuxnet worked
Source: https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Flame
• Flame is known as a precursor to Stuxnet. It is highly linked to Stuxnet
and known to be developed by the same hacking group.
• Flame was 20 MB in total, or some 40 times as big as Stuxnet.
• Flame is a cybersurveillance tool. Its purpose was merely to spy on
people.
• Spread over USB sticks, it could infect printers shared over the same
network.
• Once Flame had compromised a machine, it could stealthily search
for keywords on top-secret PDF files, then make and transmit a
summary of the document—all without being detected.
Flame
• Flame is a very sophisticated worm.
  ◦ Data is sent off in smaller chunks: Flame didn't simply transmit the information it harvested all at once to its command-and-control server, because network managers might notice that sudden outflow.
  ◦ Flame could exchange data with any Bluetooth-enabled device: the attackers could steal information or install other malware not only within Bluetooth's standard 30-meter range but also farther out (about 2 km) using a Bluetooth rifle.
  ◦ One of the propagation techniques abused Windows 7 updates: a user would think she was simply downloading a legitimate patch from Microsoft, only to install Flame instead.
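The first bullet is the point a defender should take away: a detector that only looks for a sudden burst of outbound traffic misses exfiltration that is trickled out in small chunks, which only shows up once egress is summed per host and destination over a long window. The following is an added example, not code from the slides; the flow records, hosts, thresholds and window length are constructed for illustration.

```python
"""Burst detection versus low-and-slow exfiltration detection over egress records.

Added example for the Flame slide, not from the original material. SAMPLE_FLOWS is a
constructed list of (minute since start, source host, destination, bytes out).
"""
from collections import defaultdict

# Constructed egress records: (minute, host, destination, bytes_out)
SAMPLE_FLOWS = [
    # Host A: ordinary browsing, small and short-lived
    (0, "10.0.0.5", "203.0.113.10", 40_000),
    (3, "10.0.0.5", "203.0.113.11", 55_000),
    (120, "10.0.0.5", "203.0.113.12", 30_000),
    # Host B: one large upload in a single minute (a burst detector catches this)
    (10, "10.0.0.7", "198.51.100.20", 9_000_000),
    # Host C: ~200 KB every 15 minutes to one destination for 12 hours (a burst detector misses this)
    *[(t, "10.0.0.9", "198.51.100.30", 200_000) for t in range(0, 720, 15)],
]

BURST_THRESHOLD = 5_000_000       # bytes in one record: an obvious burst
WINDOW_MINUTES = 720              # 12-hour sliding window for cumulative totals
CUMULATIVE_THRESHOLD = 5_000_000  # bytes to one destination within the window


def detect_bursts(flows, threshold=BURST_THRESHOLD):
    """Return (host, destination) pairs with a single record at or above the threshold."""
    return sorted({(host, dest) for _, host, dest, nbytes in flows if nbytes >= threshold})


def detect_low_and_slow(flows, window=WINDOW_MINUTES,
                        threshold=CUMULATIVE_THRESHOLD, burst=BURST_THRESHOLD):
    """Return {(host, destination): (peak window bytes, chunk count)} for pairs whose
    individual records all stay below the burst threshold but whose total within any
    `window` minutes reaches `threshold`: exactly the chunked pattern described above."""
    by_pair = defaultdict(list)
    for minute, host, dest, nbytes in flows:
        by_pair[(host, dest)].append((minute, nbytes))

    findings = {}
    for pair, records in by_pair.items():
        records.sort()
        if max(nbytes for _, nbytes in records) >= burst:
            continue  # already reported by detect_bursts; not low and slow
        start, running, peak = 0, 0, 0
        for minute, nbytes in records:            # two-pointer sliding window
            running += nbytes
            while records[start][0] < minute - window:
                running -= records[start][1]
                start += 1
            peak = max(peak, running)
        if peak >= threshold:
            findings[pair] = (peak, len(records))
    return findings


if __name__ == "__main__":
    print("bursts:", detect_bursts(SAMPLE_FLOWS))
    print("low and slow:", detect_low_and_slow(SAMPLE_FLOWS))
```

Host B trips the burst rule, host C never sends more than 200 KB at a time yet moves 9.6 MB to the same destination over 48 chunks, which only the windowed total reveals.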
Flame and Stuxnet
• They are state-sponsored cyber weapons.
  ◦ Stuxnet used a certificate signed by a trusted company, Realtek, and Flame was likewise recognised as a legitimate Microsoft Windows 7 update.
  ◦ Multiple zero-day vulnerabilities were used in this malware. In particular, some of those vulnerabilities were also used by the Equation Group.
  ◦ They have specific targets, namely the centrifuges used for uranium enrichment.
Information for Quiz 1
• You can take the quiz on Moodle from 10:30 am on 18th March 2024.
• The quiz is open from 10:30 am to 11:40 am. (You can only attempt the quiz within this period.)
• Duration: 40 minutes
• The quiz will have 6-8 questions to answer. Each question will require a short explanation. The answer must be sufficient to get the full marks and be written in your own words.
• Quiz 1 is worth 10% of the final mark.
• Reference Materials: Week 1, 2, 3 lectures and tutorials
Q1)
• Explain the three entities of the CIA Triad.
  ◦ Confidentiality: Keep information secret/private from those who are not authorised.
  ◦ Integrity: Keep information in a format that retains its original purpose and meaning.
  ◦ Availability: Keep information and resources available to legitimate users.
Q2)
• Explain Multifactor Authentication (MFA) and provide an example.
  ◦ Using multiple factors for authentication. For example, the Australian electronic government service (my.gov.au) requires ID/Password + One-time password. The one-time password is delivered to a registered mobile number after the user is authenticated by ID/Password.
  ◦ Other factors that can be used for authentication are biometric information such as fingerprints, irises, face recognition and voice.
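The two-step flow in the my.gov.au example, written out as an added example (not code from the slides or from myGov): the first factor is a password check against a salted PBKDF2 hash, and only on success is a one-time code issued, which must then be presented before it expires and is consumed on first use. The user names, passwords, code lifetime and fake clock are constructed; a real deployment would hand the code to an SMS gateway rather than return it to the caller.

```python
"""Two-factor login: password (something you know) followed by a one-time code
(something you have, delivered to a registered phone).

Added example, not from the slides. All names and values are constructed.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # work factor for password hashing
OTP_LIFETIME_SECONDS = 300    # one-time code is valid for five minutes


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class MfaAuthenticator:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._users = {}         # username -> (salt, digest)
        self._pending = {}       # username -> (otp, expires_at)

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def verify_password(self, username, password):
        """First factor. Constant-time comparison of the stored and candidate digests."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def begin_login(self, username, password):
        """Check the first factor; on success issue a 6-digit one-time code.
        Returns the code (stands in for sending it to the registered mobile) or None."""
        if not self.verify_password(username, password):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (otp, self._now() + OTP_LIFETIME_SECONDS)
        return otp

    def complete_login(self, username, otp):
        """Second factor. The code is removed on the first attempt (success or not),
        so it cannot be replayed or brute-forced, and it must not have expired."""
        pending = self._pending.pop(username, None)
        if pending is None:
            return False
        expected, expires_at = pending
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(expected, otp)


if __name__ == "__main__":
    auth = MfaAuthenticator()
    auth.register("alice", "correct horse battery staple")
    code = auth.begin_login("alice", "correct horse battery staple")
    print("second factor accepted:", auth.complete_login("alice", code))
```

Knowing the password alone gets an attacker only as far as `begin_login`; the code goes to the registered device, so both factors are needed to finish.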
Q3)
• Explain the kill switch of WannaCry.
  ◦ The researcher obtained a copy of the malware, which he analyzed and discovered a reference to a specific unregistered domain. He registered this domain and inadvertently paused the spread of the worm-like attack.
  ◦ This is because WannaCry attempts to connect to the web domain. If it does connect, the malware will cease the attack, believing it is being run in an antivirus "sandbox" environment. The registration of the website triggered the malware's kill switch.
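From the defender's side, an unregistered kill-switch domain leaves a visible trace: every infected host resolves the same name and gets NXDOMAIN back, so one domain fanning out across many internal clients in the resolver log is worth a look. The following is an added example, not part of the slides; the log format, client addresses and the placeholder domain `killswitch-example.invalid` are constructed (the real WannaCry domain is not reproduced here).

```python
"""Flag domains that many internal clients query but that do not resolve (NXDOMAIN).

Added example for the WannaCry kill-switch question, not from the original slides.
SAMPLE_DNS_LOG is a constructed resolver log in a simple "key=value" line format.
"""
import re
from collections import defaultdict

LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+rcode=(?P<rcode>\S+)")

# Constructed resolver log. "killswitch-example.invalid" is a placeholder, not a real indicator.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z client=10.0.1.4 query=www.example.com rcode=NOERROR
2017-05-12T10:01:05Z client=10.0.1.4 query=killswitch-example.invalid rcode=NXDOMAIN
2017-05-12T10:01:09Z client=10.0.1.9 query=killswitch-example.invalid rcode=NXDOMAIN
2017-05-12T10:01:11Z client=10.0.1.9 query=typo-exmaple.com rcode=NXDOMAIN
2017-05-12T10:01:14Z client=10.0.1.12 query=killswitch-example.invalid rcode=NXDOMAIN
2017-05-12T10:01:20Z client=10.0.1.15 query=KillSwitch-Example.invalid. rcode=NXDOMAIN
2017-05-12T10:01:22Z client=10.0.1.15 query=update.example.net rcode=NOERROR
"""


def parse_dns_log(text):
    """Yield (client, normalised query name, rcode) for each well-formed log line.
    Names are lower-cased and the trailing dot removed so variants group together."""
    for line in text.splitlines():
        match = LOG_LINE.search(line)
        if match:
            yield (match.group("client"),
                   match.group("query").lower().rstrip("."),
                   match.group("rcode"))


def nxdomain_fanout(text, min_clients=3):
    """Return {domain: sorted distinct clients} for NXDOMAIN names queried by at least
    `min_clients` different clients. A single typo (one client) is ignored; the same
    non-existent name across many hosts points at shared software, benign or not."""
    clients_by_domain = defaultdict(set)
    for client, query, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            clients_by_domain[query].add(client)
    return {domain: sorted(clients)
            for domain, clients in clients_by_domain.items()
            if len(clients) >= min_clients}


if __name__ == "__main__":
    for domain, clients in nxdomain_fanout(SAMPLE_DNS_LOG).items():
        print(f"{domain}: {len(clients)} clients -> {', '.join(clients)}")
```

Once such a domain is registered or sinkholed, the rcode flips to NOERROR and the fan-out rule goes quiet, which is the moment the malware itself stops; the list of clients collected before that is the set of hosts to triage.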
Q4)
• Explain what Shadow IT is in regard to cybersecurity.
  ◦ Users are consuming many apps that may not be secure. The traditional network security approaches to supporting apps are not designed to protect data in Software as a Service (SaaS) apps and, worse, they don't give IT managers the visibility they need to know how employees are using SaaS apps. "You can't protect something you don't know you have."
Q5)
• Explain the two metrics that evaluate the performance of the Red Team.
  ◦ Mean Time to Compromise (MTTC): This starts counting from the minute the Red Team initiated the attack to the moment they were able to successfully compromise the target.
  ◦ Mean Time to Privilege Escalation (MTTP): This starts at the same point as the previous metric, but goes all the way to full compromise, which is the moment the Red Team has administrative privilege on the target.
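Both metrics share a start point and differ only in the end milestone, so they fall out of the same engagement records; the one edge case worth handling is an engagement that never reached a milestone, which should be reported rather than silently averaged in. The following is an added example, not from the slides; the engagement ids and timestamps are constructed.

```python
"""Mean Time to Compromise (MTTC) and Mean Time to Privilege Escalation (MTTP)
computed from Red Team engagement records.

Added example, not from the slides. ENGAGEMENTS is constructed; timestamps are
ISO 8601 and None marks a milestone the Red Team did not reach.
"""
from datetime import datetime
from statistics import mean

# Constructed engagement log: attack start, first successful compromise of the target,
# and the moment administrative privilege (full compromise) was obtained.
ENGAGEMENTS = [
    {"id": "RT-01", "start": "2024-03-04T09:00", "compromise": "2024-03-04T11:30", "admin": "2024-03-05T09:00"},
    {"id": "RT-02", "start": "2024-03-11T09:00", "compromise": "2024-03-11T10:00", "admin": "2024-03-11T16:00"},
    {"id": "RT-03", "start": "2024-03-18T09:00", "compromise": "2024-03-18T13:00", "admin": None},
]


def hours_between(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def red_team_metrics(engagements):
    """Return MTTC and MTTP in hours, plus the engagements that missed each milestone.

    Both clocks start when the attack was initiated. MTTC stops at the first successful
    compromise; MTTP stops at full compromise (administrative privilege). An engagement
    that never reached a milestone is excluded from that mean and listed by id instead,
    so an unfinished engagement cannot make the team look faster than it was.
    """
    to_compromise, to_admin = [], []
    not_compromised, not_escalated = [], []
    for e in engagements:
        if e["compromise"] is None:
            not_compromised.append(e["id"])
        else:
            to_compromise.append(hours_between(e["start"], e["compromise"]))
        if e["admin"] is None:
            not_escalated.append(e["id"])
        else:
            to_admin.append(hours_between(e["start"], e["admin"]))
    return {
        "mttc_hours": round(mean(to_compromise), 2) if to_compromise else None,
        "mttp_hours": round(mean(to_admin), 2) if to_admin else None,
        "not_compromised": not_compromised,
        "not_escalated": not_escalated,
    }


if __name__ == "__main__":
    print(red_team_metrics(ENGAGEMENTS))
```

For the constructed records MTTC averages 2.5 h, 1 h and 4 h, while MTTP averages only the two engagements that reached admin (24 h and 7 h) and names RT-03 as not escalated.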
Q6)
• Explain the cloud-computing-related aspects that are included in the IR life cycle (Preparation, Detection and Containment).
  ◦ Preparation needs to update the contact list to include the cloud provider's contact information, on-call process, and so on.
  ◦ Detection includes the cloud provider's detection solution, in order to assist you during the investigation.
  ◦ Containment revisits the cloud provider's capabilities to isolate an incident (e.g., isolating a compromised VM from the others).
Q7)
• What are the six levers of Social Engineering? Give an example of an attack that uses at least one of the levers (and specify which lever is used in the attack).
  ◦ Reciprocation, scarcity, consistency, liking, authority and validation.
  ◦ Example of an attack:
    ▪ Attackers clone a vendor known to the IT team and deliver malware-infected electronics. → Consistency is the lever used in this attack.