So we want to identify threats. We'll look at some of the more common types of threats and how we prevent them. We'll start looking at that in this module, and then in Module 3 we'll look at the hardware we have to support that. So: common types of threats, identifying threats and preventing threats.

Spoofing. Now, we've talked about spoofing. We said if you hijack somebody's address, their MAC address at layer 2 or their IP address at layer 3, what you may be able to do is present yourself as that device or that subject. We can maybe even steal the HTTP session. HTTP is a really old protocol; it doesn't support session data. And so what we added were different ways to create session management, to distinguish your connection from my connection. And this session is sometimes stored in what we call a cookie. A cookie is a very tiny file that's stored as part of your browser data, as part of your temporary Internet files, and it has a unique ID referencing you. So if you go to any commerce site and it says hello Simon, that's typically because it has a cookie remembering you from the last time you logged in. Well, what happens if you can get onto somebody's machine, copy that small cookie file and then paste it into your own temporary Internet files? Potentially you can hijack their session. There are lots of different approaches to session hijacking; stealing cookies is one of them. So this idea of spoofing, impersonating somebody else, exists in the real world as well, and in the image you see the idea of an identity badge. Something I've done: printing your own ID badges, replacing that person, using that person's name but your own photograph. A really simple attack. So this is a platform that enables man-in-the-middle attacks. A man-in-the-middle is somebody in between two parties. And with this, you can compromise confidentiality: you can read the information, you can alter the information.
You can change the integrity, or you can even drop the information, you can prevent it moving forward, which is an availability attack. So this is a platform for pretty much anything attacking the CIA triad. So session hijacking and man-in-the-middle attacks are both outcomes of spoofing. It's not the spoofing itself: if you can impersonate somebody, then you can potentially perform a man-in-the-middle attack or a session hijacking attack. So spoofing enables those.

Phishing. This is technically a form of social engineering. What we're trying to do is to catch somebody, to trick somebody. We have the idea of phishing, which is where we send maybe an email trying to trick lots of people at once, versus spear phishing, which is a much more targeted attack. Phishing is very common: you see an email saying you have a parcel or you have a delivery, open this, or an invoice, please open this attachment. And they're trying to trick you into opening a malicious piece of software or a link to a malicious piece of software. A very popular attack via email right now, and one of the most popular vectors for deploying ransomware. Spear phishing: if we're going to target an attack, we need to know a little bit about the person we're targeting to make it more relevant to them. OSINT, Open Source Intelligence, is the process of gaining that information. Just think what we could find out about people really quickly. Let's just reflect on this. We could look at the company website. If we're attacking a company, we could find out who the major players are in that company, who the Chief Financial Officer is, who can approve transactions. Then we can look at who that Chief Financial Officer reports to or works with. So we could maybe spoof an email from somebody that the CFO works with, to the CFO.
We don't need to stop there. We can find their telephone number, we can go to some sites that show their professional history, where they studied, what they studied. We can start to build up information about them. We can then go to some of the social media sites, looking at where they've been on holiday, where they live. The amount of information we can find through OSINT is staggering, absolutely staggering. We even have open source facial recognition platforms. Now, if you have a photograph of somebody you can try and track back; some amazing capability. It's very powerful and you can tailor an attack to that individual. If you find out that they are away on annual leave, you can track where they are. Send a message from that person saying, I'm enjoying my holiday here in this country, can you please approve these transactions for me? That's an attack I've actually seen. In that case, it nearly worked. But there is a case [INAUDIBLE] lost around, I think it's €23 million, to one of these spear phishing attacks. A significant amount of capability, because they can be so smart, they can be so well tailored. I've seen these spear phishing attacks actually carry the signatures of the people they're impersonating. They've managed to find, on the internet somewhere in open publications, maybe in a company brochure, what that individual's signature looks like. And they attached that to a PDF or a Word document authorizing a transaction. It's pretty, pretty powerful.

The idea of password re-use. Human beings are not good at remembering passwords. And the advice in the 1970s from somebody called Bill Burr was to use very difficult to remember passwords and to change them monthly. So they have to be long and complex. If we give human beings long, complex passwords that change monthly, what are they going to do? Probably they're going to write them down, and they will be much more likely to re-use them. So password re-use can be a big problem if there's a password breach.
Or rather, when there is a password breach. If you use 20 or 30 different systems across the Internet and one of those systems is compromised, and you've reused that set of credentials across all 20 or 30 services, an attacker can replay those passwords across all the popular services. This is called password stuffing. An attacker gets your user name or email address and a password from an existing breach, and then tries that combination, maybe with your email provider, maybe with a multimedia streaming platform. What about your home webcams? There have been attacks targeting people's home webcams using passwords and user names from existing breaches. Remarkably effective, and it really shouldn't be. Modern password advice is actually that we use passphrases, things that are easier to remember. So perhaps four different words connected together, four random words with a number added on, and that we change them less often.

Fake portals. There are lots of applications out there that will create a portal, a web page that looks like a social media login page or the login page to your email. And these are really easy to create, partly because to enable them it's just running an application. So somebody sending some of these phishing emails, what they will do is try to create a fake portal with the idea of tricking the user into logging in. Hey, your account has been compromised, sending an email like that, please click here to change your password. And by logging in, you're actually logging into a fake portal, releasing, divulging your password. So the role of email and of the user here is critical. Phishing is most commonly undertaken via email; it's the most common vector for attack and it's the most successful at the moment for deploying ransomware. Known threats can be prevented. We'll look at some of the technologies a little bit later, based on recognizing characteristics of the threat. It's not 100% effective. But zero-day threats, which we looked at in the earlier chapters...
These can be difficult to protect against automatically or technically, because we haven't identified them; they've not been categorized yet. So the role of the user here becomes critical. When we talked about defense in depth back in chapter 2, we said the role of the user is important and we can make them a stronger part of our protection through training. And this is one of the big benefits we have arising from training: it can help prevent phishing attacks, it can help make phishing attacks less successful.

Now looking at DoS, Denial of Service attacks, or more likely what we see these days, DDoS, a Distributed Denial of Service attack. Denial of Service is pretty easy to undertake: it's one point of attack trying to overload the capability of one resource. So somebody sending too many web requests, for example, to a web server. But this is easy to prevent. If you're being attacked by a Denial of Service attack, you can recognize that and you can block the attacker; there's only one attacker. Distributed Denial of Service attacks are much more difficult to deal with, much more complex to block. The idea of a Distributed Denial of Service attack is that there is a network of devices, usually ones that have been compromised by the attacker, and they are orchestrating an attack using all of them. So they form an army of compromised devices, or a network of bots, a botnet. These devices can be Internet of Things devices, compromised computers, effectively devices that the attacker controls. And from their point of control, they tell all the devices, thousands, tens of thousands of devices, to attack a single target. Now, these bots across the network are usually geographically dispersed across all the main continents. And for that reason, it's not simple to block them: you can't block a single point of attack, you can't block a single geography. What we typically try to do is to outpace the attack. So we use something called Content Distribution Networks.
These are local photocopies, or local replicas, of our data. So we stage multiple copies of our content. So if we have a website, we can have a copy of that in each country globally. Now, with this Distributed Denial of Service attack, instead of having, say, ten thousand bots all attacking one web server, those ten thousand bots would be attacking the local replicas that we've got globally. So these Content Distribution Networks are very popular for this reason. Just something to be aware of, though: we all rely, most large organizations rely, on these Content Distribution Networks to help make services more available, to make them faster. But if one of those big Content Distribution Networks goes offline, then it affects lots of services. And we've seen this; there have been two big Content Distribution Network outages in the past couple of years. And each time it happens, it takes down maybe 15, 20% of web-based services; huge amounts of the Internet suddenly go dark, go offline. So it can be a challenge to manage availability. So the reasons attackers commonly undertake Distributed Denial of Service attacks: it might be to attack a competitor, or, more commonly, it is used as a method of extortion. You can actually hire people to undertake these attacks as well. This is part of structured organized crime. If you look at the Wikipedia entry for the Russian Business Network, you can hire them for a few hundred, a few thousand dollars each month to undertake an attack. Pretty nefarious. But again, organized crime is prevalent in these attacks.
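As an added example for the password stuffing passage above (not code from the lecture), here is how that attack looks from the defending service's side: one source trying many different accounts with mostly failures, as opposed to one account being brute-forced. The log format, the addresses, the `parse_log` and `find_stuffing_sources` helpers and the thresholds are all constructed for this example.

```python
# Added example (not from the lecture): flag credential-stuffing ("password
# stuffing") patterns in constructed login logs. Replayed breach credentials show
# up on the defending service as ONE source trying MANY different accounts.
from collections import defaultdict

# Constructed sample log lines: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave OK
2024-05-01T10:00:03 203.0.113.7 erin FAIL
2024-05-01T10:00:04 203.0.113.7 frank FAIL
2024-05-01T10:00:04 203.0.113.7 grace FAIL
2024-05-01T10:00:05 203.0.113.7 heidi FAIL
2024-05-01T10:00:20 198.51.100.4 simon FAIL
2024-05-01T10:00:31 198.51.100.4 simon OK
2024-05-01T10:01:00 192.0.2.9 mallory OK
"""

def parse_log(text):
    """Yield (source_ip, username, success) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the detector
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"

def find_stuffing_sources(text, min_users=5, max_success_rate=0.3):
    """Return {ip: (distinct_users, attempts, successes)} for sources whose
    attempts spread over many accounts with a low success rate. A lone OK in
    such a run is the reused credential landing. Thresholds are illustrative."""
    per_ip = defaultdict(lambda: [set(), 0, 0])
    for ip, user, ok in parse_log(text):
        stats = per_ip[ip]
        stats[0].add(user)
        stats[1] += 1
        stats[2] += int(ok)
    flagged = {}
    for ip, (users, attempts, successes) in per_ip.items():
        if len(users) >= min_users and successes / attempts <= max_success_rate:
            flagged[ip] = (len(users), attempts, successes)
    return flagged

if __name__ == "__main__":
    for ip, (users, attempts, ok) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {ok} succeeded")
```

The legitimate user `simon` who mistypes once and then succeeds is not flagged, because the signal is the spread across accounts, not a failure on its own.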
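As an added example for the DoS versus DDoS passage above (not code from the lecture), this simulation runs the same per-source request limiter over two constructed traffic samples of identical total volume. The limit, the addresses and the helpers `per_source_limiter`, `single_source_dos` and `distributed_dos` are assumptions made for the example; they show why "block the one attacker" works for the first sample and does nothing for the second.

```python
# Added example (not from the lecture): why "block the one attacker" stops a
# single-source DoS but not a DDoS. The same per-source limiter is run over two
# constructed traffic samples with the SAME total request volume.
from collections import Counter

WINDOW_LIMIT = 100  # assumed: max requests one source may send per window

def per_source_limiter(requests, limit=WINDOW_LIMIT):
    """requests: source IP per request, in one time window.
    Returns (blocked_sources, requests_served, requests_dropped)."""
    seen = Counter()
    blocked = set()
    served = dropped = 0
    for ip in requests:
        seen[ip] += 1
        if seen[ip] > limit:
            blocked.add(ip)  # this source alone crossed the threshold
            dropped += 1
        else:
            served += 1      # under the limit: indistinguishable from a real user
    return blocked, served, dropped

def single_source_dos(total):
    """Constructed DoS: one attacker address sends every request."""
    return ["203.0.113.7"] * total

def distributed_dos(total, bots):
    """Constructed DDoS: 'total' requests spread evenly over 'bots' distinct
    documentation-range addresses, each staying well under the limit."""
    sources = [f"198.51.{i // 250 % 256}.{i % 250 + 1}" for i in range(bots)]
    return sources * (total // bots)

if __name__ == "__main__":
    for label, traffic in (("DoS ", single_source_dos(10_000)),
                           ("DDoS", distributed_dos(10_000, 1_000))):
        blocked, served, dropped = per_source_limiter(traffic)
        print(f"{label}: {len(blocked)} source(s) blocked, "
              f"{served} requests reached the server, {dropped} dropped")
```

The distributed sample delivers all ten thousand requests to the server with nothing blocked, which is the point at which the lecture turns to outpacing the attack with replicated content rather than blocking sources.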