This is Week 1 of Course V in the Google IT Support Professional Certificate Program from coursera.org.
Introduction to IT Security
This course will orient the student with the fundamentals of IT security, without which the entire world would grind to a halt in a spectacularly embarrassing fashion. Even with security measures in place, attacks and breaches are commonplace.
We’ll learn common attacks, how to identify threats and what to do about them.
Already did this.
How to use Discussion Forums
Get to Know Your Classmates
Discussion: Meet and Greet
Howdy folks I’m from Massachusetts and we’re known as the rootin’est tootin’est IT students in all tarnation! Yee…how?
The CIA Triad
What do you think, they’ll make a lame joke about the real CIA? Well, he tried and failed, somehow. This CIA is a security concept regarding data and computer systems:
- Confidentiality means keeping things hidden from unauthorized users or entities. This principle is the motivation for having passwords.
- Integrity means data remains accurate and unchanged, whether by accident or by malicious attack.
- Availability means that the information we control can be accessed by those who need it.
These properties form the CIA Triad, which is a model used to guide creation of security policies. Preventing attacks is crucial in organizations and in your personal life, and the CIA Triad can help guide your efforts against attack.
Essential Security Terms
Here’s some terminology used throughout this course, which will need to be understood. I would like to point out that this is true in any field, especially a technical one such as IT.
Risk: “The possibility of suffering a loss in the event of an attack on the system.” The lock screen on your phone mitigates the risk of compromise if your phone is lost or stolen. Risk is greater without the lock screen activated.
Vulnerability: “A flaw in the system that could be exploited to compromise the system.” This could be something known or unknown to you, and it may have been created deliberately to serve another purpose or be an unintended result of another action.
0-day vulnerability: “A vulnerability that is not known to the software developer or vendor, but is known to an attacker.” This refers to the zero days that developers have had to respond to an attack or a vulnerability.
Exploit: “Software that is used to take advantage of a security bug or vulnerability.”
Threat: “The possibility of danger that could exploit a vulnerability.” Not all attackers will attack you, but any attacker with the ability to attack you is a threat.
Hacker: “Someone who attempts to break into or exploit a system.” There are two types of hacker often referred to—“black hat” and “white hat.” Black hats will exploit systems for malicious purposes, and white hats will simulate attacks in order to find vulnerabilities so that owners can address them.
Attack: “An actual attempt at causing harm to a system.”
Every system will be attacked. All you can do is learn how to harden systems to resist attacks.
Malware is software that can be used to obtain sensitive information, delete or modify files, or otherwise harm or compromise systems. Common forms of malware are viruses, worms, rootkits, trojans, adware, and spyware.
Viruses are the most well-known form of malware. (Although I don’t think they are common anymore—they have been supplanted by money-making adware and ransomware.) Computer viruses attach themselves to executable files, then, when that program runs and accesses other files, the virus can attach itself to those files and “infect” them.
Worms are similar to viruses, except that they can “live on their own” and propagate through channels such as a network. The famous I Love You worm, or Love Bug, spread through email, using a fake “love note” to spread the worm via people’s contact lists. It infected millions of Windows machines.
Adware is software that displays ads and collects data. It is everywhere and you see it all day long. (I really like uBlock Origin.) It may do a lot more, too, like make your computer run like crap or steal personal information.
Trojans are malware that are disguised as one thing but do something else. A program may say it is a gift from the Greeks, but really it is full of murderous soldiers who will kill you while you sleep and end the war. Trojans have to be executed by the user, who thinks they are opening a legitimate program.
Spyware is malware that monitors your behavior or actions like web traffic or camera usage and passes that along to an attacker. A keylogger is common spyware that records every keystroke that is made on a target system.
Ransomware is used in an attack that holds your system or your data “hostage” until you pay the ransom. (This violates the Availability principle of the CIA Triad from earlier.) Remember WannaCry? That was a massive ransomware attack.
More on malware…
Malware can also be used to steal computing power, getting the machine to do the attackers’ bidding. When a machine is compromised in this way, it is called a bot. When an attacker controls a group of machines in this way, it is called a botnet. A botnet is “designed to utilize the power of the internet-connected machines to perform some distributed function.”
A backdoor is a way of getting into a system if other ways are “not allowed.” This seems like a half-assed definition, but okay… attackers who have gained access to a system and want to keep that access will often install a backdoor.
Rootkits are tools that will be used to make admin-level modifications to a system. Rootkits are hard to detect because they appear to be part of the system. Their processes may not appear in task manager, for example.
A logic bomb is malware that is intentionally installed and set to run at a certain time or after a certain event.
Reading: Malicious Software
Here is some reading material on malware. (It is actually just an article about a logic bomb attack from 2006.)
A simple but damaging form of network attack is a DNS Cache Poisoning Attack. This attack submits a false DNS record and tricks a DNS server into directing traffic to a compromised DNS server, which then issues false addresses and sends you to compromised websites.
A Man-in-the-middle attack places an attacker between two hosts that think they are still communicating directly with each other. A common form of this attack is session hijacking or cookie hijacking, in which an attacker is able to use an authentication token after the initial user has logged off, allowing the attacker to appear to be the verified user.
A Rogue AP (access point) is an access point that has been installed on a network without the knowledge of the network administrator. This can give an attacker man-in-the-middle capabilities, often without having to break into the secure network at all, only the less secure AP.
An Evil Twin attack involves an attacker setting up an identical network to the one a target is trying to connect to, which allows them to monitor any traffic.
The presenter here makes a Harry Potter joke, which is delivered poorly and doesn’t make sense. It is one of those jokes where the premise is “Hey, do a Harry Potter joke here,” and the writer is like, “uh, okay… but I don’t know what that is…”
No, I’m not going to repeat the joke.
Reading: Network Attacks
A network attack news story.
A denial-of-service (DoS) attack prevents access to a service for legitimate users by overwhelming the network or server. Imagine a website that can only handle x number of requests. A DoS attack tries to send more than x number of requests, overwhelming the system.
The Ping of Death (POD) is a ping that has been constructed to be larger than the maximum size the Internet Protocol was designed for, creating a buffer overflow and possible system crash on the target, which can then potentially allow the execution of malicious code.
A ping flood sends a large number of ICMP echo requests, which will demand a reply from the target. If it can’t keep up with the number of requests it can be taken down.
A SYN flood is similar, using SYN packets to bombard a server which must send SYN-ACK messages. The attacker does not respond with the appropriate ACK message, so the server keeps the connection open, which uses resources. A SYN flood is also called a half-open attack.
Attackers can also use multiple machines for DoS attacks. This is called a distributed denial-of-service attack, or DDoS. These attacks often use botnets for large-scale attacks.
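The half-open connections a SYN flood leaves behind are visible on the target itself. Here is an added example (mine, not from the course or the notes above) that scans a constructed sample in the shape of `ss -tan` output, counts connections stuck in SYN-RECV per local port, and flags a port once the count crosses a threshold. The addresses, the threshold and the column layout are assumptions for the example; on a real box you would feed it the output of `ss -tan` instead.

```python
from collections import Counter

# Constructed sample in the shape of `ss -tan` output (state, queues, local, peer).
# Addresses are invented for this example.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51234
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:443         203.0.113.11:40002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.12:40003
SYN-RECV   0      0      10.0.0.5:443         203.0.113.13:40004
SYN-RECV   0      0      10.0.0.5:443         203.0.113.14:40005
SYN-RECV   0      0      10.0.0.5:443         203.0.113.15:40006
SYN-RECV   0      0      10.0.0.5:22          198.51.100.9:60123
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
"""

# A server-side socket that has sent SYN-ACK and is still waiting for the final ACK.
HALF_OPEN_STATE = "SYN-RECV"


def parse_ss(text):
    """Yield (state, local_port, peer_ip) for every connection line, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = local.rsplit(":", 1)[1]
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def half_open_summary(text):
    """Map local port -> (half-open count, number of distinct peers) for SYN-RECV sockets."""
    per_port = Counter()
    peers_per_port = {}
    for state, port, peer in parse_ss(text):
        if state == HALF_OPEN_STATE:
            per_port[port] += 1
            peers_per_port.setdefault(port, set()).add(peer)
    return {port: (n, len(peers_per_port[port])) for port, n in per_port.items()}


def detect_syn_flood(text, threshold=5):
    """Return the local ports whose half-open connection count reaches the threshold.

    The threshold is an assumed value for the example; tune it to the service's
    normal backlog. Many distinct peers on one port is the usual flood signature,
    since the source addresses are typically spoofed.
    """
    summary = half_open_summary(text)
    return sorted(port for port, (count, _peers) in summary.items() if count >= threshold)


if __name__ == "__main__":
    for port, (count, peers) in sorted(half_open_summary(SAMPLE_SS_OUTPUT).items()):
        print("port %s: %d half-open from %d distinct peers" % (port, count, peers))
    print("suspected SYN flood on ports:", detect_syn_flood(SAMPLE_SS_OUTPUT))
```

On the sample, port 443 shows six half-open sockets from six different peers and is flagged, while the single SYN-RECV on port 22 is normal noise. The usual mitigation on Linux is to enable SYN cookies (`net.ipv4.tcp_syncookies`), which lets the kernel avoid holding state for unanswered SYN-ACKs.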
Reading: DDoS Attacks
Read about a big DDoS attack against a DNS service provider.
Injection attacks are those that involve malicious code being inserted into other programs. Imagine someone putting a milkshake in your gas tank! Crazy! This is the best explanation they can come up with. Injection attacks can be mitigated with adherence to certain software development concepts and best practices.
Cross-site scripting attacks (XSS) are a type of injection attack where “malicious code targets the user of the service.” This could be a malicious script embedded in a website that tricks a user into running the script.
An SQL injection attack, by contrast, targets the entire website that sits on top of an SQL database rather than an individual user.
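The “best practices” the course mentions for preventing injection are concrete, so here is an added example of my own (not code from the course or these notes) showing both kinds of injection side by side: a login check built by pasting user input into the SQL text versus the same check with a parameterized query, and a page fragment that echoes a name raw versus one that HTML-escapes it first. The table, the users and the passwords are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table standing in for a website's database.

    Plaintext passwords are used only to keep the demo short; a real system stores
    salted password hashes and never compares plaintext in SQL.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting, so the user's input becomes part of the SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the input as data, so it can never alter the query's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def render_greeting_vulnerable(name):
    """Echoes untrusted input straight into HTML; any markup in `name` becomes part of the page."""
    return "<p>Hello, %s!</p>" % name


def render_greeting_safe(name):
    """Escapes the input so the browser renders it as text instead of interpreting it as markup."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    # The textbook payload closes the quoted string and appends an always-true condition.
    payload = "' OR '1'='1"
    print("vulnerable login with bogus password:", login_vulnerable(db, "alice", payload))  # True
    print("parameterized login with same input:", login_safe(db, "alice", payload))  # False
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The fix in both cases is the same idea: keep the boundary between code and data. A bound parameter can only ever be a value, and an escaped string can only ever be text, no matter what the user typed.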
Password attacks use software to try to guess a user’s password. A common type of attack is a brute force attack, which tries different passwords until the correct one is found. This can take a long time. Those stupid CAPTCHA things help prevent brute force password attacks.
A dictionary attack uses a set of words often used in passwords. That means it is better to use passwords that do not have common words in them.
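The defensive side of the dictionary-attack point is to refuse such passwords when they are set. Here is an added example of my own (not from the course or the notes) that checks a candidate password against a small word list, after lowercasing and undoing the usual symbol-for-letter swaps so that “P@55w0rd” is recognized as “password”. The word list, the minimum length and the substitution table are assumptions for the example; a real deployment would load a large breached-password list instead.

```python
# Constructed tiny word list standing in for a real common-password dictionary.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "football", "summer"}

# Assumed substitution table: the digits and symbols people swap in for letters.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password):
    """Lowercase and reverse common substitutions so disguised dictionary words still match."""
    return password.lower().translate(LEET_MAP)


def dictionary_hits(password, words=COMMON_WORDS, min_len=4):
    """Return the dictionary words (of at least min_len letters) that appear inside the normalized password."""
    norm = normalize(password)
    return sorted(w for w in words if len(w) >= min_len and w in norm)


def check_password(password, words=COMMON_WORDS, min_length=12):
    """Return a list of problems with the password; an empty list means it passed both checks."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    hits = dictionary_hits(password, words)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ["P@55w0rd2019", "Dragon1", "correct-horse-battery"]:
        verdict = check_password(candidate) or ["ok"]
        print("%-24s %s" % (candidate, "; ".join(verdict)))
```

Length alone is not enough: “P@55w0rd2019” is twelve characters and still fails, because once normalized it is just “password” with a year stuck on, exactly the pattern a dictionary attack with a few mangling rules tries first.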
Social engineering is a type of attack, or part of an attack, that relies on interactions with humans instead of computers. This is because humans will always be the weakest link in any security system.
Attackers will try to get a victim to reveal information or do something that serves their purposes in the attack. Phishing attacks are a very common form of social engineering attack, such as a realistic-looking fake email saying your bank account has been hacked and you need to follow a link and enter your password to secure it.
Spear phishing targets a specific person or group of people, and will contain personal information like names to gain the trust of the victim.
Spoofing is when a source appears to be something else—like when you receive an email with a misleading sender address.
Baiting is when an attacker sets something out for a victim to find, like a malware-installing USB drive in the hope that a victim will plug it into their machine.
Tailgating is when an attacker gains access to a restricted location by following someone else in.
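The phishing and spoofing points above share one mechanical tell: the link the email shows you is not the link it takes you to. As an added example (mine, not from the course or these notes), here is a small checker that parses a constructed HTML email body, collects every anchor, and reports the ones whose visible text names a different host than the real `href`. The email text and the `.test` domains are invented for the example; mail filters do the same comparison at scale.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body for this example; every domain here is invented.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been locked.</p>
<p>Please sign in at <a href="http://example-bank.login-verify.test/reset">https://www.example-bank.test/login</a>
to restore access.</p>
<p>Questions? Visit <a href="https://www.example-bank.test/help">www.example-bank.test/help</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the lowercased hostname of a URL or bare 'host/path' string, or None if there is none."""
    text = text.strip()
    if not text:
        return None
    if "://" not in text:
        text = "http://" + text  # let urlparse treat a bare domain as a URL
    host = urlparse(text).hostname
    return host.lower() if host else None


def find_mismatched_links(html_body):
    """Return (href, shown text) pairs where the text looks like a URL but names a different host than href."""
    collector = LinkCollector()
    collector.feed(html_body)
    mismatches = []
    for href, shown in collector.links:
        shown_host = host_of(shown)
        if shown_host is None or "." not in shown_host:
            continue  # plain words like "click here" give nothing to compare
        if shown_host != host_of(href):
            mismatches.append((href, shown))
    return mismatches


if __name__ == "__main__":
    for href, shown in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print("shown as %r but points to %r" % (shown, href))
```

On the sample, the help link checks out and the “sign in” link is flagged: it displays the bank’s real address while pointing at a look-alike host. Hovering over a link before clicking is the manual version of exactly this check.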
Discussion: Malicious Software and Attacks
I did a great job on all the quizzes and I’ll check back in next week.