e-hacking ws responses

Exercise 1: Malware
pages 4-8
Malware is a term made up from which two words?
malicious software
Explain why it is incorrect to describe any type of malware as a virus.
Different types of malware each have their own characteristics, which differentiate them. Some exhibit behaviours of two or more of the different types.
Describe two characteristics unique to a computer virus.
Computer viruses are self-replicating
typically ‘attach’ themselves to another file
spread to other computers by some user interaction: clicking a link / downloading a file.
Describe two methods by which viruses can spread.
USB flash drives: if a drive is infected, then any computer it connects to is at risk
Email users are tricked into downloading attachments by clicking on a link.
The most common method of spreading viruses is on the internet
Describe two symptoms that may suggest a computer system has been compromised by malware.
The computer is displaying a lot of error messages, or unwanted pop-up windows.
The machine suddenly begins to slow down, taking a longer time to respond.
You notice that files are disappearing with no explanation.
You are suddenly unable to access a program that worked previously.
Backing storage seems active but the computer is idle: a virus running in the background.
Computer ignores commands, or does something unexpected, eg the wrong application loads.
If the machine reboots or shuts down at random, this is a sign that a virus could be at work.
In the context of computer viruses, explain what is meant by the term replication.
Viruses depend on human interaction to replicate and spread, eg clicking on a malicious link or running a program which the virus has infected.
Computer viruses often use camouflage to evade detection. Describe two camouflage techniques that a virus may employ and explain why this makes it more difficult for anti-virus software to detect it.
Insert ‘dummy’ lines into their code so they do not resemble a known virus in the anti-virus software database. Change the order of code execution, which makes them difficult to detect.
Explain how a file virus differs from a boot sector virus.
File viruses attach themselves to program (.exe) files; the virus runs when the program runs
Boot sector code on backing storage is loaded and executed at startup, so the virus gets in first
Anti-malware software makes use of various techniques to detect malware.
Describe how each of the following techniques operates:
Signature detection
bit pattern of virus code matches with database of known malware
Heuristic detection
anti-virus monitors virus behavior, tries to identify suspicious activity based on examples of previous malware
Checksum
since a virus alters program code, the checksum calculation for the file will be different
Describe how a Trojan differs from a virus
A Trojan typically does not self-replicate; it looks like legitimate software but contains malware
Exercise 2: Malware 2 (Level 5)
Trojans are often used to create a backdoor into a computer system. Explain what is meant by a backdoor and how an attacker might use it.
A Backdoor Trojan gains access to a computer system and alters the system to allow hackers and cyber criminals to gain access, eg by disabling a security feature, especially network security
Describe how a worm operates, and how it differs from a virus.
They replicate working copies of themselves but spread by exploiting a vulnerability on the target system and do not rely on human action, use network connections.
Describe two examples of spyware and describe how each might be used by criminals.
A keylogger is hardware/software that records the keystrokes a user enters. A criminal can collect sensitive data like passwords from a keylogger
Webcam hijacks allow perpetrators to secretly turn on a user's webcam/microphone on PC or mobile device and capture video/audio
What is a ‘drive-by-download’?
Visit (‘drive by’) a web page, without stopping to click or accept any software, but malware downloads in the background to the device, exploits browser security.
It is essential to ensure users have strong passwords. State three characteristics of a strong password.
long password, upper/lower case + number + special characters, use different passwords
Some users have difficulty remembering many different passwords, and can be tempted into using the same password for several accounts. Explain why this practice carries risk.
if a hacker discovers the password then all accounts are vulnerable
Criminals make use of various techniques to 'crack' passwords and gain access to users' accounts. Describe two of these techniques.
dictionary attack, brute force attempt all known passwords
social engineering: email link to fake login, get user to submit account and password
Biometric systems are being used increasingly in place of passwords. Name and describe two methods of biometric authentication.
finger-print pattern scanner eg on phone
face recognition, phones
iris scan (eye scan)
voice pattern recognition
Describe how a DDOS attack makes use of a botnet to attack a computer system or website.
bot is code on very many infected zombie machines (botnet), user is unaware, criminal remotely instructs all bots to send simultaneous requests to server which is overwhelmed
Describe how Ransomware operates.
malware encrypts or threatens to delete files unless a large sum of money paid to attackers
Exercise 3: Advanced Persistent Threat (Level 6)
Use the internet to research an example of an advanced persistent threat. You should then create a short presentation on your findings.
Some points you may wish to include:
Nature of the threat
Sykipot APT malware family leverages flaws in Adobe Reader and Acrobat, spear phishing attack that included links and malicious attachments
Target
UK and US government agencies, defense contractors and telecommunications companies
How an APT differs from a conventional cyber threat
methods that have been customized to the target and carried out (undetected) over a much longer timeframe, high degree of and coordination necessary to breach high-value targets (intellectual property, military plans) and are initiated to steal data, focus on establishing multiple points of compromise, hackers retain access even if the malicious activity is discovered and incident response is triggered
Exercise 4: Social Engineering (Level 5)
Describe three characteristics that would suggest an e-mail might be an attempt at phishing.
AMBIGUOUS GREETING Phishing e-mails tend not to address users by name
POOR SPELLING OR GRAMMAR criminals’ first language is not English
TEMPTING OFFER/SENSE OF URGENCY make an offer that seems too good to be true
UNTRUSTWORTHY LINKS: apparent hyperlink destination goes to a different malicious site
Describe the difference between phishing and spear phishing.
A spear-phishing attack is targeted at a specific individual rather than a generic mass mail-shot to thousands of users; spear-phishing text is crafted to appear genuine to one target
Explain what is meant by e-mail spoofing.
forging an e-mail header so it appears to originate from someone else
Describe what is meant by dumpster-diving and outline one method that could be employed to protect individuals and organisations from falling prey to it.
raiding the waste of companies or individuals with the aim of finding discarded documents that contain valuable information, eg a bank statement
shred confidential papers before disposal
Describe how a watering-hole attack operates.
attacker observes the websites often visited by a victim, and infects those sites with malware
Give an example of how psychological manipulation can be used by malicious individuals to gain unauthorised access to computer systems or data.
attacker creates a trusted relationship with human target and exploits it to bypass security
asking target to help in a contrived emergency or coercing target to “bend the rule”
Outline two methods an organisation could employ to make their company less susceptible to social engineering attacks.
Staff training so people are aware of the risks and techniques to cope, disciplinary action
Policies to reduce opportunities: ban use of USB flash drives, restrict access to files
Give two reasons why criminals might prefer to make use of social-engineering techniques instead of hacking computer systems.
no special technical skills are required, less time consuming, less expensive
Explain what is meant by the term ‘baiting’.
use a false promise to get attention through a victim's greed or curiosity, click a link
Describe two methods individuals can employ to prevent falling victim to a social engineering attack.
take a social engineering awareness course
develop good cyber hygiene habits
Exercise 5: Biometric Security Methods (Level 4)
Biometric authentication makes use of physical attributes (such as fingerprint/retina) to authenticate users.
Use the internet to investigate another type of biometric authentication. You should then write a brief summary of how it operates. You should consider the following points in your response:
How does it operate?
camera projects and analyses over 30,000 invisible infrared dots to create a 3-D map of a face, works in the dark, copes with glasses, makeup, hats
How secure is this method?
data (mathematical representations of your face) is encrypted and protected with a key available only to the Secure Enclave, not stored in the cloud, locks after 5 false attempts, probability of another face unlocking a phone is 1 : 1,000,000 and Touch ID at 1 : 50,000
Speed of response
Almost instant
Comparison with other authentication methods
Convenient, small size, harder to hack (iris scan and fingerprint can be spoofed)
Exercise 6: Cyber Resilience (Level 6)
Explain what is meant by cyber resilience.
how well and how quickly an organisation could recover from a successful cyber attack.
Cyber attacks are often analysed in terms of their effect on the ‘CIA’ of sensitive data. Summarise what is meant by this.
C (confidentiality): if sensitive information is compromised
I (integrity): if data has been damaged or destroyed, corrupted, made inaccurate
A (availability): if users, clients can still get access to data they need
Describe what is meant by a tabletop exercise and how it is beneficial for organisations to participate in these.
employees work through a hypothetical real-world scenario, attack simulation
the company can reflect upon the drill in order to improve their reaction strategies
Explain why it is important that software patches be installed as soon as they become available.
the update/patch removes an existing code vulnerability to latest threats
It is important for organisations to ensure they have a robust backup system in operation.
Describe what is meant by a full backup.
complete copy of all files, stored elsewhere, very time consuming, weekly/ monthly
Describe what is meant by an incremental backup.
copy of changes only, unchanged data not copied, done hourly/ daily
A company that takes thousands of online orders per day operates a backup strategy whereby they take a full backup of their data every Sunday.
Explain why this backup strategy is insufficient.
On a Saturday they have Monday to Saturday data unsaved and at risk of loss
Describe how this could be improved.
keep incremental or differential backup at least once a day, perhaps hourly
Intrusion detection is a useful part of a wider cyber security strategy. Describe how a honey-pot might be used as part of an Intrusion Detection system.
fake sensitive data on isolated and highly monitored part of organisation network
hackers are lured to this decoy site and unauthorised access is immediately detected
organisation could study hackers' methods without alerting them
Staff training is one of the most important elements of a cyber security strategy. Describe three practices an organisation should consider as part of their staff training programme.
social engineering awareness, basic cyber hygiene, data security methods, password practice, updates on scams
Two-factor authentication is a feature available on many online services. Explain how two-factor authentication protects users against cyber attacks.
something you know / have
bankcard + PIN, password + security code messaged to trusted phone / email, approved device ID + security code
Exercise 7a: Cybercrime Investigation (Level 6)
Part A: Historical example of cybercrime
Use the internet to investigate a historical example of cybercrime. For the purposes of this exercise, you should focus on cybercrime that took place prior to the year 2005.
Your research should attempt to find the following information, if applicable:
Type of cybercrime
unauthorised access to military computer systems, theft of data by teenagers
Malware used (Virus/Trojan/Worm)
spyware: programme called a "Sniffer" had been installed on one of their computer networks
Behaviour of malware; how did the malware operate?
captured passwords
Did the attack compromise data confidentiality/integrity/availability? Or a combination of the three?
confidentiality: passwords
Primary method of infection/spreading
Techniques used (DDOS attack/Insider attack, etc)
captured passwords of military personnel
Target of the crime (did the malware target a particular individual/organisation/sector? Or was it indiscriminate?)
sensitive USAF, NASA, and NATO military establishments
Motivation of criminals (financial gain? revenge?)
searching for evidence of anti-gravity propulsion systems that they saw as proof of the existence of UFOs and the secret exploitation of alien technology
Impact of attack:
Financial
Reputational
Social/political
hacked his way into a research facility in Korea, and dumped the contents of the Korean Atomic Research Institute's database on the USAF system
Effects on victims/other consequences
Final outcome: Were the perpetrators brought to justice? If so, what was the outcome?
What law(s) were broken? Has any remedial action been taken as a result of the attack, for example, changes in the law or company policies?
"Datastream Cowboy" was prosecuted in 1996 for offences under the Computer Misuse Act
When you have collated your research, you should then present your findings in the form of a written report.
Exercise 7b: Cybercrime Investigation (Level 6)
Part B: Contemporary example of cybercrime
Use the internet to investigate a recent example of cybercrime. For the purposes of this exercise, you should focus on cybercrime that took place on, or after, the year 2005.
Your research should attempt to find the following information, if applicable:
Type of cybercrime
government (USA and Israel) sponsored cyber attack on an enemy state (Iran), digital weapon
Malware used (Virus/Trojan/Worm)
worm called STUXNET
Behaviour of malware; how did the malware operate?
designed to cause physical damage to electro-mechanical equipment controlled by computers
Did the attack compromise data confidentiality/integrity/availability? Or a combination of the three?
availability of machines as they had been physically damaged through malfunction
Primary method of infection/spreading
infected USB drive, propagates across the network on Windows OS, scanning for Siemens Step7 software on computers controlling an electro mechanical machine
Techniques used (DDOS attack/Insider attack, etc)
worm infection
Target of the crime (did the malware target a particular individual/organisation/sector? Or was it indiscriminate?)
Very carefully customized and configured to affect only the kind of machines used in Iranian nuclear research, although other devices in other countries were hit by the worm
Motivation of criminals (financial gain? revenge?)
To severely disrupt nuclear research by Iran.
Impact of attack:
Financial
Reputational
Social/political
Attempted to delay Iran’s development of nuclear weapons. Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges