1

Assignment # 1

Mahbubur Rahman

Identify most recent different types of software-based and hardware attacks (recent means - 2000 afterwards). Explain the attacks and explain how those attacks could have been prevented. Information security is one of the most leading and important global issues in the world. Information security can be defined as which protects the integrity, confidentiality and availability of information on the devices that store, manipulate and transmit the information through products, people and procedures (Ciampa, 2000). In todays world, information is the driving force behind almost everything. Almost all the organizations are heavily reliant on information management. An information rich business organization can perform in a much greater extent than an organization which lacks important and timely information. As information has become so valuable, the threat for illegal acquisition of information has magnified exponentially. This upsurge in information theft can be attributed to its multifarious usage and ever rising value in attaining personal benefit. Even competing organizations sometime get involved in attacking other organizations to attain valuable and secret information about its competitors to gain unfair advantage. In order to gain unauthorized access to confidential information the target device needs to be compromised. This can be done through different mechanisms. Mostly it can be divided into two categories: Software based attack Hardware based attack

Mostly the software based attacks are much more prevalent. The software attacks also infect the hardware in some cases. Sometimes hardware such as removable drives is used as a medium in carrying out an attack on a target. Most of the times these attacks are conducted for profit purpose. Also there are some instances where these attacks are carried out for destructive purposes. Either way the attacks are harmful for the operation of those companies. There are different types of methods that can be used in order to initiate a software based attack on any target. These vary according to their characteristics and purpose. Malware are the most common form of attacks. It basically stands for malicious software. By the word malicious, its purpose can be assumed. It is used to attack a computer system without the consent or knowledge of the owner of the system. It then infects, spreads, accesses the system and performs different unauthorized actions which are harmful for the system in concern. Some of the common malwares include viruses, worms, trojans, rootkits, spyware, adware, botnets etc. Hardware based attacks can be carried out through basic input output system or through USB drives. The most prevalent is the use of removable drives in initiating an attack through USB drives. Other forms of physical form of attack can be launched by dumpster diving or tailgating.

Assignment # 1

Mahbubur Rahman

Some of the recent (post 2000) software and hardware based attacks stirred up security measures all around the world. These attacks cost the companies both financially and in terms of reputation. 1. TJ Maxx Security Breach: It was one of the most talked about security breach in the post 2000 ere. It happened in 2007; almost 94 million credit card information of TJ Maxx customers was stolen from the database. There are differing opinions on how the security breach was made. Mainly the security measures taken by the company was not in line with the prevailing methods. It lacked in the encryption of credit card information both before and after the transaction made. 2. Stuxnet: The stuxnet worm was developed to attack the nuclear development program in Iran. But it not only affected Iran, it spread to other countries as well. It replicated and spread on the network affecting millions of computers and technological devices, mostly of Siemens. 3. Monster.com: Almost 1.3 million resumes of potential job seekers were stolen from the online job posting site monster.com in august 2007. It was done through sending spam and phishing emails to employees to reveal confidential information to hack into the system. 4. Fidelity National Information Services: In July 2007 an employee of the FIS stole 3.2 million customer records including, credit card numbers, banking and personal information from the company. 5. CardSystems Solutions: Using a trojan, hackers broke into the CardSystems database and accessed almost 40 million credit card information. The trojan accessed and collected all the information and placed all the data in zip format and sent it back to the hacker through a file transfer protocol (FTP). 6. ESTsoft: Personal information of almost 35 million South Korean people was exposed due to the malware infection by hackers in the company server. It revealed the names, phone numbers, date of birth, street address etc. to the hackers. 7. US Power Plant: There is a new malicious virus that halted the operations of a nuclear power plant for three weeks. The virus infected the system through the use of a removable USB drive. This happened in Fall of 2012. 8. Love Bug: The love bug or I love you virus cost over 10 billion USD in the year 2000. It usually came in as an attachment in a file and once opened it replicated itself in the computer and made it virtually unusable. It affected jpeg and mp3 files and redirected the browser to specific websites. It also sent out passwords or other personal information to the attacker. All of the aforementioned attacks were either software based or hardware based. Most of the incidents involved the use of malicious software either through the internet or through the use of a removable drive.

Assignment # 1

Mahbubur Rahman

Malwares that affect the systems can perform various actions based on the characteristics of the program. It can, Infect the system and wipe out everything on the systems Make the system unusable Replicate into other programs or even in other computers (worms) Collect information by key strokes or any other mechanism and send it back to the attacker Advertise as performing one particular activity but actually does something else (Trojans) Hide other malicious software from the system (rootkits) Lie dormant and undetectable in the system and activates on the fulfillment of certain logic or event Enable attackers to access the system through backdoor

Prevention is better than cure. In case of TJ Maxx the security breach cost could have climbed up to 1 billion USD. If it had taken proper preventive measures, things of this nature might not have happened. Prevention against these forms attacks is a difficult process. This is because of several reasons such as The tools that are used to attack a system is easily available and understandable. Skills required to launch an attack is easy to grasp. The increased speed of attack. Faster detection of vulnerabilities in the system or protective measures. Attacks can be made from different directions or distributed attacks can be launched. Delay in fixing the vulnerabilities when discovered.

Apart from all these difficulties in defending against attacks there are several precautionary measures that can be taken to mitigate the risk of such attack. These measures may not fully protect the system from attacks, but it will give enough time to react on an attack and solve the vulnerability before the attack is fully effective. There are five fundamental principles of security in defending against software or hardware based attacks. These principles are discussed in view of the attacks mentioned earlier. 1. Layering: It basically means multiple instances of security measures applied on a layered basis. That is, if one layer of security is breached there will be other instances of security that needs to be broken in order to access the ultimate system. In case of TJ Maxx, the absence of firewall and other security measures made way for the intruders to access the information. If it had multiple layers of security it would have gotten an early warning before the actual intrusion occurred. 2. Limiting: Limiting by its meaning implies the restrictive use of anything. In terms of information systems, limiting is generally meant restricting the access to confidential information and technologies to some specific number of people. Not all should be granted access to information which is critical. Also the type of actions that can be performed on those information should also be limited based on the needs of that user. In the case of Fidelity National

Assignment # 1

Mahbubur Rahman

Information Services, it did not limit the access level to specific users, resulting in almost all employees accessing the private information of its customers. The company should have enforced a policy for gaining access to that information and should have required security clearance before getting access. 3. Diversity: Diversity is something which is close to layering. It can be related to layering through the use of different layers, not just multiple layers. Most all in one security software come in multiple layers but if the attacker knows the vulnerability of that particular software package it may break into it easily. If the different layers of security are diverse in nature and source it may be difficult for the attacker to obtain knowledge about the vulnerability of different software. This can be applied to basically all types of security breach incidents, not just the aforementioned. 4. Obscurity: Obscurity generally means note revealing the type of systems or software used to the public. In the case of Monster.com, the attacker sent phishing and spam emails which led to different sites that required the user to submit different personal and technical information. Also accessing those websites resulted in installation of malwares based on the system it used. As the attacker got to know the system that the user operated, it became easy to find the vulnerabilities of that particular system. If the attacker hadnt known the system information of Monster.com it wouldnt have accessed that information. 5. Simplicity: A system should be complex enough for the outsiders and simple enough to only the ones who have access to it so that it could be operated with ease. Basically the system should involve expertise that are developed in-house rather than outsourced, so that the expertise does not get expressed in the public. One of the employees of TJ Maxx publicly discussed the vulnerabilities of the system which made it easy for the outsiders to attack the system. Apart from these there are several hardware related issues as well. These involve, 1. Removable Disk Usage: There should be a policy for using removable disks in the company system. Most of the hardware based attackers leave removable disks in certain locations such as parking lots, cafs etc. with the intention that people will pick it up and use it on their computer which will result in spreading the malware in that disk drive. In the case of FIS this restriction may have helped in preventing the mishap. 2. Properly Discarding Confidential Documents: Sometimes the attackers look for information in the garbage as some companies do not discard information properly. All unused documents should be shredded before they are discarded. Sometimes involuntary discarding results in leaking information to outsiders, even attackers. 3. Continuously Updating the System: Old systems which have been out there for a while are more susceptive by the attackers. If the system and its software are updated frequently with necessary protection against developing threats, its more protected against attacks. Attacks against information systems have grown exponentially over the years and it will continuously grow in the advent of newer technological development. Having subsequent protective measures is imperative to be safe in this volatile technological environment.

Assignment # 1

Mahbubur Rahman

References: 1. The 15 worst data security breaches of the 21st Century, accessed January, 2013 http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the21st-century 2. 10 Massive Security Breaches accessed January, 2013 http://www.informationweek.com/security/attacks/10-massive-securitybreaches/229300675?pgno=1 3. "Love-Bug" virus damage estimated at $10 billion accessed January, 2013 https://www.wsws.org/en/articles/2000/05/bug-m10.html 4. Malicious Virus Shuttered US Power Plant accessed January, 2013 http://www.voanews.com/content/us-power-plant-computer-virus/1585452.html 5. Ciampa, Mark (2012), Security + Guide to Network Security Fundamentals