Cybersecurity Incident
Cybersecurity Incident: Complete the following using the course text, professional journal articles, or other reputable resources (NO WIKIPEDIA or BLOGS).
· Find a recent cybersecurity incident. Good sources include the FBI, CERT, CISA, SANS, the Verizon Data Breach Investigations Report (DBIR), etc.
· Write an attack case study about the incident. Make sure to include all five steps listed in the text (Overview, Perpetrator, Attack Scenario, Risk Management, and References).
Paper Requirements:
· Format: Microsoft Word
· Font: Arial, 12-Point, Double-Space (or equivalent)
· Citation Style: APA or MLA (The point is to use a style that makes your document readable and gives credit to the sources you used.)
Length Requirements:
· 2–3 pages
· Coversheet
· List of References Page.
· Proofread – Edit for spelling, grammar, punctuation, etc.
· Use only course text, professional journal articles, or other reputable resources.
Chapter 2 Controlling a Computer
Chapter 2 Overview
Overview of the general strategies for controlling access
Buffer overflow: a well-known technique for subverting computer software
Introduction to attack scenarios and case studies
Mechanisms typically used to control access within a computer
Security planning: describing the protections needed and how to implement them
CPU Hardware: Motherboard
Left: © iStockphoto/Thinkstock; Middle: © Péter Gudella/Dreamstime.com; Right: Courtesy of Dr. Richard Smith.
Programs
Data resides in RAM
Numbers and other coded data
Examined and modified by programs
Stored in consecutively numbered locations
Programs are lists of instructions
Instructions reside in RAM
Each is a single arithmetic operation or comparison
Stored in consecutively numbered locations
Executing a Machine Instruction
Left: Courtesy of Dr. Richard Smith; Right: © iStockphoto/Thinkstock
Organizing RAM into “Sections”
Control sections
Contain instructions to execute
Contain unchanging data
Data sections
Contain variables that change
Contain “free form” RAM
Buffers, stacks
Control and Data Sections
Functions, Procedures, Subroutines
We break programs into pieces
A piece with a particular job = function or procedure or subroutine, all roughly the same
One function can execute another function
The program counter (PC) is loaded with the called function’s address
We save the current function’s “state”
Saving the variables and the caller’s PC
Saved in RAM, often on a “stack”
One Function Calls Another Function
We save the program counter in the “calling function”
We execute the instructions in the “called function”
At the end of the “called function” we restore the program counter
This returns the CPU to where the “calling function” left off
Processes
A program is a group of instructions
A process is a running program
Its PC is, or can be, changing
It has some RAM with instructions and data
Windows example
Run two command shells
One program, two processes
Looking at processes with the Task Manager
List Applications; List Processes
Switching Processes
The “dispatcher” procedure in the operating system (OS) switches running processes
Stops (pauses) one process and starts another
Save the PC for the stopped process
Save other CPU data from the stopped process
Locate the “saved state” for the one to start
Load up the saved CPU data for the process
Load the PC with the starting process’s PC value
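The call/return and dispatcher steps above, as an added C example that is not from the slides or the course text: a four-instruction program is run by two processes that share the same instructions but keep their own saved PC and accumulator, and a round-robin dispatcher saves one process’s CPU state and loads the next’s. The instruction set, the single accumulator register, and the starting values (0 and 10) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* The program: a short list of instructions in a read-only control section.
 * Constructed for this example; not from the original slides. */
enum op { ADD, MUL, HALT };
struct instr { enum op op; int operand; };

static const struct instr program[] = {
    { ADD, 5 }, { MUL, 3 }, { ADD, 1 }, { HALT, 0 }
};

/* The CPU state the dispatcher must save and restore: the PC (index of the
 * next instruction) and one register, the accumulator. */
struct cpu { size_t pc; int acc; };

/* One process = one running copy of the program with its own saved state. */
struct process { struct cpu saved; int halted; };

/* Executes a single instruction against the live CPU state. */
static void execute_one(struct cpu *cpu, int *halted)
{
    const struct instr *i = &program[cpu->pc++];
    switch (i->op) {
    case ADD:  cpu->acc += i->operand; break;
    case MUL:  cpu->acc *= i->operand; break;
    case HALT: *halted = 1;            break;
    }
}

/* The dispatcher: round-robin over the process table.  For each runnable
 * process it loads that process's saved PC and register into the CPU, runs
 * up to `quantum` instructions, then saves the CPU state back into the
 * process table.  Returns how many times a process was dispatched. */
int dispatch(struct process *procs, size_t n, int quantum)
{
    struct cpu cpu = { 0, 0 };
    int switches = 0;
    int runnable = 1;

    if (quantum < 1)
        quantum = 1;                              /* always make progress */

    while (runnable) {
        runnable = 0;
        for (size_t i = 0; i < n; i++) {
            if (procs[i].halted)
                continue;
            cpu = procs[i].saved;                 /* load the saved state */
            for (int q = 0; q < quantum && !procs[i].halted; q++)
                execute_one(&cpu, &procs[i].halted);
            procs[i].saved = cpu;                 /* save state for later */
            switches++;
            if (!procs[i].halted)
                runnable = 1;
        }
    }
    return switches;
}

/* "One program, two processes": both run the same instructions, but each has
 * its own PC and accumulator, so they produce different results.  Returns
 * the number of context switches and writes each process's final value. */
int demo_two_processes(int quantum, int *acc_a, int *acc_b)
{
    struct process procs[2] = {
        { { 0, 0 },  0 },    /* process A starts with acc = 0  (assumed) */
        { { 0, 10 }, 0 }     /* process B starts with acc = 10 (assumed) */
    };
    int switches = dispatch(procs, 2, quantum);
    *acc_a = procs[0].saved.acc;
    *acc_b = procs[1].saved.acc;
    return switches;
}

int main(void)
{
    int a, b;
    int switches = demo_two_processes(1, &a, &b);
    printf("A: acc=%d  B: acc=%d  context switches=%d\n", a, b, switches);
    return 0;
}
```

With a quantum of one instruction the two processes interleave instruction by instruction (eight dispatches in total); a larger quantum reduces the number of switches but leaves each process’s result unchanged, because the saved PC and accumulator belong to the process, not to the program.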
The Operating System
Dispatching and process management is only one of its many tasks.
RAM management – assigns RAM to active processes and manages free RAM
I/O management – handles external devices
File management – hard drives & mass storage
User interface management – keyboards and GUIs
Network protocols – connect to other computers
Buffer Overflow: The Morris Worm
Morris Worm – first major Internet worm
1988 – disabled about 10% of Internet computers
Used several attacks
Buffer overflow vulnerability
A program fails to check how much input it has received against the space it set aside for it
The input data overwrites RAM beyond that space, RAM it should never touch
An attacker can take over the computer if the wrong RAM (for example, a saved return address) gets modified
The “finger” Program
Retrieved information about other users
Rarely used today
Command “finger jsl@bu.edu”
Retrieved information about JSL at BU.EDU
If the request carried too many characters, like:
finger jsl@bu.eduXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and so on… the finger server (fingerd) on the receiving computer overflowed a fixed-size buffer: it read the request with gets(), which never checks the buffer’s length
What Overflows?
It Overflows the Stack
When we call another procedure, we must save the PC and the working variables the current procedure keeps in CPU registers
We save the information on a last-in, first-out block of RAM called the stack
If a storage area on the stack is overrun, the extra data may overwrite the saved PC
When the procedure returns, the CPU jumps to whatever address now sits in the saved PC, the attacker’s instructions rather than the caller’s
The Stack Overflow
The Worm Connection
Why Does the Shellcode Work?
Programs execute from a control section
The stack is in the data section
If the computer has data execution prevention (DEP), it refuses to execute instructions fetched from a data section such as the stack; only control sections are marked executable
Not all systems – or programs – can use DEP
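The stack overflow described above (the finger-style overrun that reaches the saved PC), as an added C example rather than code from the slides or the course text. It models a stack frame as a 16-byte input buffer followed by the saved return address, pairs a gets()-style unchecked copy with an fgets()-style bounded copy, and builds the attacker’s input that lands over the saved PC. The buffer size, the caller address 0x401000 and the all-0x42 attacker target are assumptions made for the example; the unchecked copy is capped at the frame size only so the demo stays well-defined C, where real gets() keeps writing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (assumed for this example): a 16-byte input
 * buffer sitting directly below the saved program counter, as on a real
 * call stack. */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uintptr_t))
#define CALLER_PC  ((uintptr_t)0x401000)   /* assumed return address */

/* Simulates a function whose input routine behaves like gets(): it copies
 * until the terminating NUL and never consults the buffer size.  Returns
 * the saved PC that the "return" would jump to. */
uintptr_t vulnerable_handler(const char *input)
{
    unsigned char frame[FRAME_SIZE];
    uintptr_t pc = CALLER_PC;

    memcpy(frame + BUF_SIZE, &pc, sizeof pc);   /* call: save the PC */

    size_t n = strlen(input);                   /* never compared to BUF_SIZE */
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;                         /* cap for the demo only */
    memcpy(frame, input, n);                    /* overruns into the saved PC */

    memcpy(&pc, frame + BUF_SIZE, sizeof pc);   /* return: restore the PC */
    return pc;
}

/* Hardened version: fgets()-style bounded read.  Sets *truncated when the
 * input did not fit; the saved PC can never be reached. */
uintptr_t hardened_handler(const char *input, int *truncated)
{
    unsigned char frame[FRAME_SIZE];
    uintptr_t pc = CALLER_PC;

    memcpy(frame + BUF_SIZE, &pc, sizeof pc);

    size_t n = strlen(input);
    *truncated = (n >= BUF_SIZE);
    if (*truncated)
        n = BUF_SIZE - 1;                        /* leave room for the NUL */
    memcpy(frame, input, n);
    frame[n] = '\0';

    memcpy(&pc, frame + BUF_SIZE, sizeof pc);
    return pc;
}

/* Builds the attacker's input: filler to reach the saved PC, then the bytes
 * of the address the attacker wants the function to return to.  out must
 * hold FRAME_SIZE + 1 bytes.  Returns 0 if the target contains a NUL byte,
 * which would stop a gets()-style copy before the saved PC is reached. */
int build_payload(char *out, uintptr_t target)
{
    unsigned char tbytes[sizeof target];
    memcpy(tbytes, &target, sizeof target);
    for (size_t i = 0; i < sizeof target; i++)
        if (tbytes[i] == 0)
            return 0;
    memset(out, 'A', BUF_SIZE);                  /* fills the buffer exactly */
    memcpy(out + BUF_SIZE, tbytes, sizeof target);
    out[FRAME_SIZE] = '\0';
    return 1;
}

/* Hypothetical address of the attacker's code: every byte 0x42, chosen so
 * the payload contains no NUL. */
static uintptr_t attacker_target(void)
{
    uintptr_t t;
    memset(&t, 0x42, sizeof t);
    return t;
}

/* 1 when the payload makes the vulnerable handler "return" to the attacker. */
int overflow_hijacks_pc(void)
{
    char payload[FRAME_SIZE + 1];
    uintptr_t target = attacker_target();
    if (!build_payload(payload, target))
        return 0;
    return vulnerable_handler(payload) == target;
}

/* 1 when the hardened handler truncates the same payload and still returns
 * to the caller. */
int hardened_keeps_pc(void)
{
    char payload[FRAME_SIZE + 1];
    int truncated = 0;
    if (!build_payload(payload, attacker_target()))
        return 0;
    return hardened_handler(payload, &truncated) == CALLER_PC && truncated;
}

int main(void)
{
    printf("normal input : return to %#lx\n",
           (unsigned long)vulnerable_handler("jsl@bu.edu"));
    printf("overflow hijacks PC : %d\n", overflow_hijacks_pc());
    printf("hardened keeps PC   : %d\n", hardened_keeps_pc());
    return 0;
}
```

A normal request such as jsl@bu.edu fits in the buffer and the saved PC survives; the overlong request overwrites it byte for byte, which is why the return lands in attacker-controlled data on the stack and why DEP matters there. Note also that an address containing a zero byte cannot be delivered through a gets()-style copy, a practical constraint on what the attacker can overwrite the saved PC with.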
The Worm Released
Released on November 2, 1988
Promptly infected 10% of Internet computers
The worm was designed to infect each computer once
The restricting code did not work
Each computer was infected hundreds of times
Infected computers became unusable
Spread nationwide between 9pm and 11pm
Fighting the Worm
Telephone lines were not affected
Analysts shared information by phone
Fortunately, many of the analysts were together at a meeting in Berkeley
As sites cleaned themselves up, they shared status and defensive data via email
Site cleanup was tricky – a “clean” computer had to be hardened against the worm or it would be infected all over again
Security Alerts and Coordination
The worm incident helped create the Computer Emergency Response Team (CERT)
First nationwide, multi-organization computer security team – tracked and reported problems
Today, publicly reported vulnerabilities are catalogued as Common Vulnerabilities and Exposures (CVE) entries
Numerous public and private security organizations, like the SANS Internet Storm Center, also track and report problems
Studying Cyber Attacks
A systematic analysis, based on attack reports
Attack scenarios
May study potential or actual attacks
Elements are all based on recorded attacks
Attack case studies
Report actual attacks
A scenario that includes threat agent data