Cyber security Assignment, Assignments of Computer Security

Assignment 1 of Cyber Security law

Typology: Assignments

2019/2020

Uploaded on 11/07/2020

omkar-kadam-1
Omkar Ajit Kadam
BEIT 2 Roll No. 90
CSL
Assignment 1

1. Illustrate human-based social engineering techniques to acquire information.
Ans:
Social Engineering Techniques
Types of Social Engineering
a) Human-based Social Engineering: Gathers sensitive information through direct interaction.
b) Computer-based Social Engineering: Social engineering carried out with the help of computers.
c) Mobile-based Social Engineering: Social engineering carried out with the help of mobile applications.

Human-based Social Engineering: Impersonation
 Impersonation is the most common human-based social engineering technique; the attacker pretends to be a legitimate or authorized person.
 Attackers may impersonate a legitimate or authorized person either in person or through a communication medium such as phone or email.
 Impersonation helps attackers trick a target into revealing sensitive information.
 Posing as a legitimate end user: Give an identity and ask for the sensitive information.
 Posing as an important user: Posing as a VIP of the target company, a valuable customer, etc.
 Posing as technical support: Call as technical support staff and request IDs and passwords to retrieve data.
a) Impersonation Scenario: Over-Helpfulness of Help Desk
 Help desks are especially vulnerable to social engineering because they exist explicitly to help.
 The attacker calls a company's help desk, pretends to be someone in a position of authority or relevance, and tries to extract sensitive information from the help desk.
b) Impersonation Scenario: Third-party Authorization
 The attacker obtains the name of an authorized employee of the target organization who has access to the information he/she wants.
 The attacker then calls the part of the target organization where the information is stored and claims that the particular employee has requested that the information be provided.
c) Impersonation Scenario: Tech Support
 The attacker pretends to be technical support staff of the target organization's software vendors or contractors.
 He/she may then request a user ID and password for troubleshooting a problem in the organization.

d) Impersonation Scenario: Internal Employee/Client/Vendor
 An attacker dressed in business attire or an appropriate uniform enters the target building claiming to be a contractor, client, or service personnel.
 He/she may then look for passwords stuck on terminals, search for information or documents on desks, or eavesdrop on confidential conversations.
e) Impersonation Scenario: Repairman
 An attacker may pretend to be a telephone repairman or computer technician and enter the target organization.
 He/she may then plant a snooping device or pick up passwords during activities associated with those duties.

Human-based Social Engineering: Eavesdropping and Shoulder Surfing
 Eavesdropping:
o Eavesdropping is the unauthorized listening to conversations or reading of messages.
o It is the interception of audio, video, or written communication.
o It can be done over communication channels such as telephone lines, email, instant messaging, etc.
 Shoulder Surfing:
o Shoulder surfing uses direct observation techniques, such as looking over someone's shoulder, to get information such as passwords, PINs, account numbers, etc.
o Shoulder surfing can also be done from a longer distance with the aid of vision-enhancing devices such as binoculars to obtain sensitive information.
Human-based Social Engineering: Dumpster Diving
 Dumpster Diving: Dumpster diving is looking for treasure in someone else's trash.
Human-based Social Engineering: Reverse Social Engineering, Piggybacking, and Tailgating
 Reverse Social Engineering:
o A situation in which an attacker presents himself as an authority and the target seeks his advice, offering the information that he needs.
o A reverse social engineering attack involves sabotage, marketing, and tech support.
 Piggybacking:
o "I forgot my ID badge at home. Please help me."
o An authorized person allows (intentionally or unintentionally) an unauthorized person to pass through a secure door.
 Tailgating:
 1. Victim downloads the malicious application on his/her phone.
 2. Attacker can now access the second authentication factor sent to the victim by the bank via SMS.
Mobile-based Social Engineering: Using SMS
 Tracy received an SMS text message, ostensibly from the security department at XIM Bank.
 It claimed to be urgent and that Tracy should call the phone number in the SMS immediately. Worried, she called to check on her account.
 She called thinking it was an XIM Bank customer service number, but it was a recording asking her to provide her credit card or debit card number.
 Predictably, Tracy revealed the sensitive information because of the fraudulent texts.
Insider Attack
 Spying:
o If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be inside the organization.
 Revenge:
o It takes only one disgruntled person to take revenge and your company is compromised.
 Insider Attack:
o An inside attack is easy to launch.
o Prevention is difficult.
o The inside attacker can easily succeed.
Disgruntled Employee
 An employee may become disgruntled towards the company when he/she is disrespected, frustrated with their job, in conflict with management, not satisfied with employment benefits, issued an employment termination notice, transferred, demoted, etc.
 Disgruntled employees may pass company secrets and intellectual property to competitors for monetary benefits.
Preventing Insider Threats:
 Separation and rotation of duties
 Least privilege
 Controlled access
 Logging and auditing
 Legal policies
 Archive critical data
Common Social Engineering Targets and Defense Strategies
Social Engineering Target | Attack Techniques | Defense Strategies
Front office and help desk | Eavesdropping, shoulder surfing, impersonation, persuasion, and intimidation | Train employees/help desk to never reveal passwords or other information by phone
Perimeter security | Impersonation, fake IDs, piggybacking, etc. | Implement strict badge, token or biometric authentication, employee training, and security guards
Office | Shoulder surfing, eavesdropping, ingratiation, etc. | Employee training, best practices and checklists for using passwords; escort all guests
Phone (help desk) | Impersonation, intimidation, and persuasion on help desk calls | Employee training, enforce policies for the help desk
Mail room | Theft, damage or forging of mails | Lock and monitor mail room, employee training
Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep an updated inventory of equipment

2. Discuss safety and security measures while using the computer in a cyber cafe.
Ans:
a. Don't save your login information. Always log out of websites by clicking "log out" on the site. It is not enough to simply close the browser window or type in another address. Many programs (especially social networking websites, web-based email, and instant
3. Draw and explain how Botnets are used for gainful purposes.
Ans:
 The word 'botnet' is a combination of two words, 'robot' and 'network'. A cybercriminal acting as the botmaster uses Trojan viruses to breach the security of several computers and connect them into a network for malicious purposes. Each computer on the network acts as a 'bot' and is controlled by the scammer to transmit malware, spam or other malicious content in order to launch the attack. A botnet is also known as a Zombie Army, because the computers involved are controlled by someone other than their owner.
 Botnets originated mainly as tools in Internet Relay Chat (IRC) channels. Eventually, spammers exploited the vulnerabilities present in IRC networks and developed bots, intentionally, to perform malicious activities such as keystroke logging, password theft, etc.
Botnet Structure:
The structure of a botnet usually takes one of two forms: the client-server model or the peer-to-peer model.
1) Client-server model: In the client-server botnet structure, a basic network is established with one server acting as the botmaster. The botmaster controls the transmission of information from each client to establish command and control (C&C) over the client devices. The client-server model works with the help of special software and allows the botmaster to maintain control. This model has a few drawbacks: it can be located easily and has only one control point. In this model, if the server is destroyed, the botnet perishes.
2) Peer-to-peer: To overcome the drawback of relying on one centralized server, botnets have evolved. Newer botnets are interconnected in a peer-to-peer structure. In the P2P botnet model, each connected device works independently as both a client and a server, coordinating with the others to update and transmit information between them. The P2P botnet structure is stronger because there is no single centralized point of control.

 One of the biggest DDoS botnet attacks of the year was IoT-related and used the Mirai botnet virus. The virus targeted and controlled tens of thousands of poorly protected internet devices and turned them into bots to launch a DDoS attack. Mirai spawned many derivatives and continued to expand, making the attack more complex. It changed the threat landscape forever in terms of the techniques used.
2) Spamming and Traffic Monitoring:
 A bot can be used as a sniffer to identify the presence of sensitive data on the infected machines or zombies. It can also locate competitor botnets installed on the same machine, which can then be hijacked by the commander. Some bots may offer to open a SOCKS v4/v5 proxy (a generic proxy protocol for TCP/IP-based networks). When the SOCKS proxy is enabled on a compromised machine, it can be used for various purposes such as spamming. Bots use a packet sniffer to watch for information or data being passed by the compromised machine. The sniffer can retrieve sensitive information such as a username and password.
 Grum is a spam botnet that is hard to detect because it infects files used by Autorun registry entries. This botnet has attracted researchers because it is relatively small, with only 600,000 members, yet accounts for 40 billion spam emails per day, approximately 25% of all spam emails.
3) Keylogging:
 With the help of a keylogger, it becomes easy for a botmaster to retrieve sensitive information and steal data. Using a keylogger program, an attacker can gather only the keys typed in the sequence of interesting words like PayPal, Yahoo, etc.
 A kind of spyware identified as OSX/XSLCmd, ported from Windows to OS X, includes keylogging and screen capture capabilities.

4) Mass Identity Theft: Different kinds of bots can be combined to perform large-scale identity theft, which is one of the fastest growing crimes. [7] Spam emails are sent by bots to direct traffic towards fake websites, run by bots, that harvest personal data. Bots can be used to appear as a legitimate company and ask the user to submit personal details like bank account password, credit card details, taxation details, etc. Mass identity theft can be performed using phishing emails that trick victims into entering login credentials on websites like eBay, Amazon, or even their banks.
5) Pay-per-click abuse: Google's AdSense program allows websites to display Google advertisements and thereby earn money from them. Google pays website owners on the basis of the number of clicks their advertisements gather. Compromised machines are used to automatically click on a site, inflating the number of clicks sent to the company with the ad.

3. Loss of control over end user actions
When companies are in the dark about workers using cloud services, those employees can be doing just about anything and no one would know until it's too late. For instance, a salesperson who is about to resign from the company could download a report of all customer contacts, upload the data to a personal cloud storage service, and then access that information once she is employed by a competitor. The preceding example is actually one of the more common insider threats today.
4. Malware infections that unleash a targeted attack
Cloud services can be used as a vector of data exfiltration. Skyhigh uncovered a novel data exfiltration technique whereby attackers encoded sensitive data into video files and uploaded them to YouTube. We've also detected malware that exfiltrates sensitive data via a private Twitter account 140 characters at a time. In the case of the Dyre malware variant, cyber criminals used file sharing services to deliver the malware to targets using phishing attacks.
5. Contractual breaches with customers or business partners
Contracts among business parties often restrict how data is used and who is authorized to access it. When employees move restricted data into the cloud without authorization, the business contracts may be violated and legal action could ensue. Consider the example of a cloud service whose terms and conditions reserve the right to share all data uploaded to the service with third parties, thereby breaching a confidentiality agreement the company made with a business partner.
6. Diminished customer trust
Data breaches inevitably result in diminished trust by customers. In one of the largest breaches of payment card data ever, cyber criminals stole over 40 million customer credit and debit card numbers from Target. The breach led customers to stay away from Target stores and caused a loss of business for the company, which ultimately impacted the company's revenue. See number 9 below.
7. Data breach requiring disclosure and notification to victims
If sensitive or regulated data is put in the cloud and a breach occurs, the company may be required to disclose the breach and send notifications to potential victims. Certain regulations, such as HIPAA and HITECH in the healthcare industry and the EU Data Protection Directive, require these disclosures. Following legally mandated breach disclosures, regulators can levy fines against a company, and it is not uncommon for consumers whose data was compromised to file lawsuits.
8. Increased customer churn
If customers even suspect that their data is not fully protected by enterprise-grade security controls, they may take their business elsewhere, to a company they can trust. A growing chorus of critics is instructing consumers to avoid cloud companies that do not protect customer privacy.
9. Revenue losses
News of the Target data breach made headlines and many consumers stayed away from Target stores over the busy holiday season, leading to a 46% drop in the company's quarterly profit. The company estimated the breach ultimately cost $148 million. As a result, the CIO and CEO resigned, and many are now calling for increased oversight of cyber security programs by the board of directors.
According to the Ponemon BYOC study, a majority (64 percent) of respondents say their companies can't confirm whether their employees are using their own cloud in the workplace. Trust us: they are. In order to reduce the risks of unmanaged cloud usage, companies first need visibility into the cloud services in use by their employees. They need to understand what data is being uploaded to which cloud services and by whom. With this information, IT teams can begin to enforce corporate data security, compliance, and governance policies to protect corporate data in the cloud. The cloud is here to stay, and companies must balance the risks of cloud services with the clear benefits they bring.

5. Define cybercrime and give its global perspective.
Ans:
 Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device.
 Most, but not all, cybercrime is committed by cybercriminals or hackers who want to make money. Cybercrime is carried out by individuals or organizations.
 Some cybercriminals are organized, use advanced techniques and are highly technically skilled. Others are novice hackers.
 Rarely, cybercrime aims to damage computers for reasons other than profit. These could be political or personal.
Types of cybercrime:
Here are some specific examples of the different types of cybercrime:
 Email and internet fraud.
 Identity fraud (where personal information is stolen and used).
 Theft of financial or card payment data.
 Theft and sale of corporate data.
 Cyberextortion (demanding money to prevent a threatened attack).
 Ransomware attacks (a type of cyberextortion).
 Cryptojacking (where hackers mine cryptocurrency using resources they do not own).
 Cyberespionage (where hackers access government or company data).
Most cybercrime falls under two main categories:
 Criminal activity that targets computers.
 Criminal activity that uses computers to commit other crimes.

businesses and the international community must, therefore, proactively help users access information on how to protect themselves.
 Given the promises and challenges in the extended enterprise scenario, organizations in the international community have a special role in sharing information on good practices and in creating open and accessible enterprise information flow channels for exchanging ideas in a collaborative manner. International cooperation at the levels of government, industry, consumer, business and technical groups, allowing a global and coordinated approach to achieving global cyber security, is the key.

6. How will you classify cybercrime?
Ans:
Cybercrimes are classified based on the subject of the crime, the person or organization against whom the crime is committed, and the temporal nature of the crimes committed online. Based on the subject of the crime, cybercrimes are classified into three broad groups:

1. Crimes against individuals – These are committed against individuals or their property. Some examples are:
 Email harassment
 Cyber-stalking
 Spreading obscene material
 Unauthorized access to or control over a computer system
 Indecent exposure
 Spoofing via email
 Fraud and cheating
Further, crimes against individual property, such as computer vandalism and transmitting a virus, are included, as are trespassing online, intellectual property-related crimes and internet time theft.
2. Crimes against organizations – Some examples of cyber crimes against organizations are:
 Possessing unauthorized information
 Cyber terrorism against a government organization
 Distributing pirated software
3. Crimes against society – Some examples of crimes against society are:
 Polluting the youth through indecent exposure
 Trafficking
 Financial crimes
 Selling illegal articles
 Online gambling
 Forgery
Apart from the ones listed above, crimes like hacking, denial of service attacks, e-mail bombing, etc. are also present in cyberspace.
Provisions of Cyber Crimes in the IT Act, 2000
The sections of the IT Act, 2000 pertaining to cybercrimes are as follows:
1. Section 43 – Penalty for damage to a computer, computer system, etc.: This section applies if any person, without the permission of the owner or the person in charge of a computer, system, or network –
 Accesses such computer, network or system.
 Copies, downloads or extracts any data or information from such computer, network or system (this also includes information or data stored in a removable storage medium).
 Introduces or causes to be introduced any computer contaminant or virus into such computer, network or system.
 Damages any computer, system or data, or any other programs residing in them.
 Disrupts or causes disruption of any such computer, system or network.
 Denies or causes the denial of access to an authorized person to such computer, system or network.
 Provides any assistance to anyone to facilitate access to such a computer, system or network contrary to the provisions of the Act and its rules.
 Charges the services availed of by one person to the account of another by tampering with such computer, system or network.

6) Section 44 – Failure to furnish information, returns, etc.: This section applies to a person who
 Fails to furnish any document, return or report to the Controller or the Certifying Authority
 Fails to file returns or furnish any information as per the regulations, or fails to furnish them in time
 Does not maintain the books of account or records
Penalty – The following penalties apply:
 A monetary fine of up to one lakh and fifty thousand rupees for each such failure
 A fine of up to five thousand rupees for every day the failure continues
 A fine of up to ten thousand rupees for every day the failure continues
7) Section 45 – Residuary Penalty: This section applies to a person who contravenes any rules under the IT Act, 2000, especially those for which there are no special provisions.
Penalty – Compensation of up to twenty-five thousand rupees to the affected person.
8) Section 71 – Misrepresentation: This section applies to a person who makes any misrepresentation to, or suppresses any material fact from, the Controller or Certifying Authority in order to obtain a license or a digital signature certificate.
Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, or both in some cases.
9) Section 72 – Breach of confidentiality and privacy: This section applies to a person who has secured access to any electronic record, information, or any other material and discloses it to another person without consent.
Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, or both in some cases.
10) Section 73 – Publishing a Digital Certificate with incorrect details: This section applies to a person who publishes a digital certificate with the knowledge that –
 The Certifying Authority listed in the certificate has not issued it
 The subscriber listed in the certificate has not accepted it
 It is a revoked or suspended certificate
Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, or both in some cases.
11) Section 74 – Publication for a fraudulent purpose: This section applies to a person who knowingly creates, publishes or makes available a digital signature for fraudulent purposes.
Penalty – Imprisonment of up to two years or a fine of up to one lakh rupees, or both in some cases.
12) Section 85 – Company Offences:
(1) This section applies to a company that commits a contravention of the provisions of the Act. In such cases, every person who was in charge of and responsible for the company's conduct of business, as well as the company itself, is guilty of the contravention, and those responsible are liable for punishment. However, if a person was not aware of any such contravention, he is not liable.
(2) Notwithstanding anything contained in sub-section (1), if it is proved that the contravention took place with the consent of, or due to the negligence of, any director, manager or other officer, then such persons are also held liable.
For the purposes of this section, "company" means any body corporate and also includes a firm or other association of individuals.

7. What are modern techniques of credit card fraud?
Ans:
1) Traditional Techniques: The traditional and first type of credit card fraud is paper-based application fraud, wherein a criminal uses stolen or fake documents such as utility bills and bank statements, which can build up useful personally identifiable information (PII), to open an account in someone else's name. Application fraud can be divided into

1. ID theft: Where an individual pretends to be someone else.