1 of 48

This work is licensed under a Creative Commons license

Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)

You are free to:

  • Share — copy and redistribute the material in any medium or format.

Under the following terms:

  • Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
  • NonCommercial — You may not use the material for commercial purposes.
  • NoDerivatives — If you remix, transform, or build upon the material, you may not distribute the modified material.


Introduction To Cybersecurity

History & Foundations

Simone Aonzo, Ph.D.


History & Foundations – Topics

  1. History
  2. Security Goals
  3. Computer Security Policies and Attacks
  4. Vulnerability, Threat, Exploit, and Risk


[1/4] History


1950-60s: Phreaking & ARPANET

  • 1950s: The phone phreaks
    • Phreaking: culture of people who experiment with telecommunication systems, such as equipment and systems connected to public telephone networks
  • 1960s: Big Bang
    • MIT Tech Model Railroad Club – first hacking club
    • First example of ethical hacking in the industry
      • IBM welcomed a group of students to try out a newly designed computer
      • They gained access to various parts of the system
      • Defensive mindset: computers require security measures
    • Development of cybersecurity strategies
      • Smaller computers → more adoption in companies
      • From physical security to software security: the use of passwords
    • [1969] Advanced Research Projects Agency Network (ARPANET)


1970s: Computer security is born

  • Bob Thomas developed Creeper, the first computer worm
  • Ray Tomlinson (the inventor of email) developed Reaper, the first antivirus
  • Protection Analysis Project
    • Electronic Systems Division (ESD) of the U.S. Air Force + ARPA + …
    • Identifying vulnerabilities in software + network and host security
  • First scientific papers examining ways to provide security
  • [1977] Encryption is standardized
    • Data Encryption Standard (DES) by IBM + NSA
    • Replaced in 2001 👏
  • [1979] Kevin Mitnick at 16 yo hacked into The Ark
    • Computer at the Digital Equipment Corporation for developing operating systems
    • All it took was a phone call – social engineering
    • Arrested and jailed


WarGames – 1983 film

  • David Lightman is a young hacker
  • He unwittingly accesses a United States military supercomputer
  • A computer gifted with artificial intelligence
  • He unwittingly leads the supercomputer toward launching the nation's real nuclear arsenal
  • … no spoiler 🙊
  • President Ronald Reagan saw the movie and asked his security advisors
    • “Could the hacking I saw in the movie be real?”
    • Yes! 😱


1980s: Cybersecurity goes mainstream

  • High-profile cyber attacks against AT&T, National CSS, and other major institutions
  • Middle of the Cold War → threats from other governments
    • [1985] “The orange book” by U.S. Department of Defense
      • Guidelines to security for computers
  • Markus Hess 🇩🇪 hacked into networks of military and industrial computers
    • United States, Europe and East Asia
    • Sold the information to the Soviet KGB
    • Discovered by Clifford Stoll, who set up a honeypot 🍯 for Hess
      • A decoy system or “data” that appears legitimate and valuable to attackers
      • While it is actually isolated and monitored to analyze the attackers' behaviour


1980s: The beginning of the malware era

  • [1987] First commercial antivirus products – competing claims
    • VirusScan by John McAfee 🇺🇸
    • NOD antivirus by Peter Paško, Rudolf Hrubý, and Miroslav Trnka 🇨🇿
    • “Antivirus” for Atari ST by Andreas Lüning and Kai Figge 🇩🇪
  • [1987] Cascade virus: notable for using an encryption algorithm to avoid being detected
    • It had the effect of making text on the screen fall down
    • Caused a serious incident in IBM's Belgian office
    • Impetus for IBM's antivirus product development
  • [1988] Vienna virus: a self-replicating program that corrupts files
    • Earliest documented “in the wild” virus removals by Bernd Fix 🇩🇪
  • [1988] Morris worm: exploited several vulnerabilities of targeted systems
    • Experiment of a student (Morris) to determine the size of the internet
    • … it took several days for the Internet to return to normal!
  • [1988] A researcher at NASA 🚀 developed the first firewall 🔥🧱


The 1990s: The Internet age begins

  • Cyberspace was no longer the sole domain of companies and the military
    • Microsoft released multiple versions of Windows focusing on individual customers
  • [1990] The first polymorphic virus: Chameleon
    • Programmed to repeatedly mutate its appearance on each infection
  • [1995] Secure Sockets Layer (SSL) → HTTPS
    • It helped protect activities like online purchases
  • Many internet users eagerly adopted email as a new communication form
    • Predictably, so did cybercriminals
  • [1999] Melissa virus – Word document with macro
    • Emailed copies of itself to the first 50 email addresses in Microsoft Outlook
    • Spread like wildfire: $80 million in total damage
  • [2000] ILOVEYOU – VBScript “LOVE-LETTER-FOR-YOU.TXT.vbs”
    • Email message with the subject "ILOVEYOU"
    • Infected > 50M computers – The Pentagon and the CIA shut down their email systems


The 2000s: Cyber security

  • People were becoming more wary of email attachments
    • Malicious web pages with malware or remote exploits targeting the browser
    • Social Engineering (e.g., phishing)
  • Department of Homeland Security → National Cyber Security Division 🇺🇸
    • The world recognized that cybersecurity was now an issue of global significance
  • [2002] Tor (The Onion Router) network
    • Free and open-source software for enabling anonymous communication
  • [2003] Anonymous – a decentralized international hacktivist collective
    • Cyberattacks against several governments, corporations and Church of Scientology
  • [2005] Albert Gonzalez (mastermind) group
    • Theft and resale of more than 170 million credit card and ATM card numbers
    • SQL injection 💉 to deploy backdoors on several corporate systems
    • Packet sniffing (enabled by ARP spoofing) to steal data in transit


The 2000s: A new level of connectivity and payments

  • [2007] Apple iPhone - Pocket-sized internet-connected computer
    • Mobile security: vastly increases the attack surface available to attackers
  • [2007] Cyberattacks on Estonia 🇪🇪
    • Included ATMs and credit card systems 😵
    • Amid the country's disagreement with 🇷🇺 about the Bronze Soldier of Tallinn
    • No evidence linking the cyber-attacks to the Kremlin (attribution problem)
  • ⇒ [2009-12] Tallinn Manual
    • How international law applies to cyber conflicts/warfare
  • [2009] Bitcoin (BTC)
    • Implementation of a highly available, public, and decentralized ledger
      • Public ⇒ every transaction is visible to everyone (pseudonymous addresses, not anonymity)
    • BTC transactions are verified by network nodes through cryptography and recorded in a public distributed ledger called a blockchain
    • Money exchange 😈😇 without a central authority, e.g., banks


The 2010s: Conflict in cyberspace

  • [2010] Stuxnet worm targeting SCADA systems uncovered
    • Disrupted Iran’s nuclear program by interfering with centrifuges for uranium enrichment
  • [2011] Tor + BTC = Silk Road darknet market
  • [2013] Edward Snowden leaked highly classified information from NSA
    • Mass surveillance programs (e.g., PRISM)
  • [2014] Lazarus Group 🇰🇵 attack against Sony Pictures
    • “The Interview” comedy movie depicted a plot against Kim Jong-un
  • [2014] Monero (XMR) – Privacy-enhancing cryptocurrency
  • [2016] Russian 🇷🇺 influence on the US 🇺🇸 presidential election
  • [2016-18] Lazarus Group 🇰🇵 theft of cryptocurrencies from exchanges
    • Bitfinex ($60M) and Japanese Coincheck ($534M)
  • [2018] General Data Protection Regulation (GDPR)
    • Rules for the collection and processing of personal data of individuals in the EU
    • Rights for individuals to access, correct, and delete their data


The 2020s: From cyber war to land war

  • [Dec 2019] Covid-19 → Remote work
    • Millions of people connecting to company networks from their own homes
    • Sophos: “more than half of businesses were hit by ransomware attacks in 2020 alone”
    • Covid-related phishing attacks
  • [May 2021] Colonial Pipeline 🇺🇸 ransomware + data theft
    • Billing network taken offline → pipeline operations halted → gas prices spiked
    • Chaotic scenes across the East Coast as Americans rushed to fill up their cars
  • [Feb 2022] Land War 🇷🇺 → 🇺🇦
    • However, Ukraine was under attack in cyberspace even before
    • [2014] “Revolution of Dignity” → election commission hacked in an attempt to plant fake results
    • [2016] Notorious Russian hackers (known as Sandworm) targeted a Kyiv transmission substation
      • Purpose-built malware (Industroyer) that speaks grid protocols to open circuit breakers and cause a blackout in Kyiv
    • [2017] Worm-ransomware attacks (NotPetya)
      • Ukrainian organizations (banks, ministries, newspapers and electricity firms)
      • Worm ⇒ it spread worldwide (e.g., Maersk)


Future? Educated guesses🔮

  • Internet of Things (IoT)
    • The letter “S” in IoT stands for “Security” 🤣
  • Russo-Ukrainian land war is showing a limited impact of the “cyber-side”
    • Information warfare (both now and in the past) has proven to be very effective
      • Spreading of disinformation to demoralize or manipulate the public opinion
    • Heterogeneous technologies ⇒ it is hard to hack them all
  • Artificial Intelligence
    • Scales much better than humans
    • How much do we want to delegate our decisions to machines?
    • Generative AI is revolutionizing both offense and defense


Suggested (Non-Technical) Books 📖

  • [1989] “The Cuckoo's Egg” by Clifford Stoll
  • [2000] “The Code Book” by Simon Singh
  • [2011] “Ghost In The Wires” by Kevin Mitnick
  • [2018] “Social Engineering: The Science of Human Hacking” by Christopher Hadnagy
  • [2019] “Sandworm” by Andy Greenberg
  • [2019] “Cult of the Dead Cow” by Joseph Menn
  • [2021] “This Is How They Tell Me the World Ends” by Nicole Perlroth
  • [2022] “Tracers in the Dark” by Andy Greenberg
  • [2023] “Fancy Bear Goes Phishing” by Scott J. Shapiro


[2/4] Security Goals


Information Security (Cherdantseva and Hilton, 2013)

  • Multidisciplinary area of study and professional activity
  • Concerned with the development and implementation of security mechanisms of all available types (technical, organizational, human-oriented and legal)
  • To keep information in all its locations (within and outside the organization's perimeter) and, consequently, information systems, where information is created, processed, stored, transmitted and destroyed, free from threats
  • Threats to information systems may be categorized
  • A corresponding security goal may be defined for each category of threats
  • A set of security goals, identified as a result of a threat analysis, should be revised periodically to ensure its adequacy and conformance with the evolving environment


Security Goals

  1. Confidentiality
  2. Integrity
  3. Availability
  4. Authorization
  5. Authentication
  6. Accountability
  7. Non-repudiation

… Privacy 🤔


Security Goals – Confidentiality

The property of information remaining accessible only to authorized parties

  • Whether stored (at rest) or in transit (in motion)
  • A common technical means is data encryption
    • Involving keyed cryptographic algorithms
    • Access to a secret key allows information recovery from encrypted data
  • Confidentiality can also be provided by procedural means
    • E.g., by allowing offline storage media to be physically accessed only by authorized individuals


Security Goals – Integrity

The property of data, software or hardware remaining unaltered

  • Assuring the accuracy and completeness of data over its lifecycle
  • Must not be tampered with, and must be correct, authentic, and reliable
  • Cryptographic hashes detect integrity violations; if the attacker can also replace the stored hash, a keyed MAC or a digital signature is needed instead
  • Not just data or software
    • Hardware integrity
    • Integrity of people (E.g., bribery or blackmail)


Security Goals – Availability

The property of information, services and computing resources remaining accessible for authorized use

  • This requires protection from intentional deletion and disruption
  • E.g., Denial of Service (DoS) attacks aiming to overwhelm resources
  • But not only, outages and natural disasters have to be considered


Security Goals – Authorization

The property of computing resources being accessible only by authorized entities

  • Authorized entities ↔ approved by the resource owner
  • To authorize ↔ To define an access policy
    • E.g., Accountants can read employees' salaries but only the personnel manager can change them
  • Authorized access is achieved through access control mechanisms
    • The agents representing users, communicating entities, or system processes are called principals
    • A principal has associated privileges specifying the resources it is authorized to access
    • Problem: the identity of a principal must be verified ⇒ Authentication
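The salary example above as runnable code. This is an added illustration, not code from the slides: the principals (alice, bob, eve), the roles and the POLICY table are constructed. The principal's identity is assumed to have already been verified, which is exactly the dependency on authentication the last bullet points out.

```python
"""Added example: a deny-by-default access policy for the salary case.

Principals, roles and the POLICY table are constructed for illustration.
The principal's identity is assumed to be already authenticated; this code
only decides what an authenticated principal may do.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An agent acting in the system (user, service, process)."""
    name: str
    roles: frozenset  # privileges are attached to roles, not to names


# Access policy: (resource, action) -> roles permitted to perform it.
# Any (resource, action) pair not listed here is denied.
POLICY = {
    ("salaries", "read"): frozenset({"accountant", "personnel_manager"}),
    ("salaries", "write"): frozenset({"personnel_manager"}),
}


def is_authorized(principal: Principal, action: str, resource: str) -> bool:
    """True iff at least one of the principal's roles is permitted."""
    permitted = POLICY.get((resource, action), frozenset())
    return bool(principal.roles & permitted)


def decide(principal: Principal, action: str, resource: str) -> dict:
    """Access-control decision plus the fields an audit log needs
    (who, what, on which resource, outcome) so the decision is accountable."""
    allowed = is_authorized(principal, action, resource)
    return {
        "principal": principal.name,
        "action": action,
        "resource": resource,
        "decision": "ALLOW" if allowed else "DENY",
    }


# Constructed principals.
ALICE = Principal("alice", frozenset({"accountant"}))
BOB = Principal("bob", frozenset({"personnel_manager"}))
EVE = Principal("eve", frozenset())  # authenticated user holding no role at all

if __name__ == "__main__":
    requests = [
        (ALICE, "read", "salaries"),   # ALLOW: accountants may read
        (ALICE, "write", "salaries"),  # DENY: only the personnel manager writes
        (BOB, "write", "salaries"),    # ALLOW
        (EVE, "read", "salaries"),     # DENY: no role
        (ALICE, "read", "bonuses"),    # DENY: resource not covered by the policy
    ]
    for principal, action, resource in requests:
        print(decide(principal, action, resource))
```

Two design points worth noticing: the policy is a closed list, so anything it does not mention is denied rather than allowed, and every decision is returned as a record rather than just a boolean, so it can be written to an audit log (the accountability goal discussed later).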


Security Goals – Authentication

The act of proving/verifying the identity of a principal

  • Identity: set of characteristics or attributes that uniquely describe a principal
  • Authentication factors
    • Knowledge: something the principal knows (e.g., password)
    • Ownership: something the principal has (e.g., device)
    • Inherence: something the principal is or does (e.g., biometric identifiers)
  • Multi-factor authentication involves two or more authentication factors
  • Can be used to verify authenticity 👉


Authenticity

The assurance that an exchange of information is from the source it claims to be

  • Requires a proof of identity → Authentication
    • Authentication is the process of verifying that source
    • ⇒ we verify Authenticity through Authentication
  • Very often involves Integrity
  • Authentication Tag
    • “Short” information used to verify the Authenticity and Integrity of a message
  • E.g., Authenticated Encryption (AE)
    • Simultaneously assure confidentiality, Authenticity and Integrity
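An added example tying the Integrity slide and this one together: a plain SHA-256 hash versus an HMAC-SHA256 authentication tag. It is not code from the slides; the key, the message and the attacker's edit are constructed. Only the tag half of Authenticated Encryption is shown, because Python's standard library has no AEAD cipher; adding confidentiality would mean an AEAD such as AES-GCM or ChaCha20-Poly1305 from a cryptography library.

```python
"""Added example: unkeyed hash vs keyed authentication tag (HMAC-SHA256).

KEY, MESSAGE and the attacker's edit are constructed for illustration.
"""
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)                 # shared only by sender and receiver
MESSAGE = b"transfer 100 EUR to account 42"  # constructed sample message


def digest(message: bytes) -> bytes:
    """Integrity only: anyone can recompute this, so it says nothing about the origin."""
    return hashlib.sha256(message).digest()


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag: a short value only a key holder can compute
    (authenticity and integrity together)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time; a plain == would leak the position
    # of the first mismatching byte through timing.
    return hmac.compare_digest(make_tag(key, message), tag)


def tamper(message: bytes) -> bytes:
    """The attacker's edit on the wire."""
    return message.replace(b"100", b"900")


def receiver_accepts_with_hash(message: bytes, sent_digest: bytes) -> bool:
    return digest(message) == sent_digest


def demo():
    """Return (hash check fooled?, tag check fooled?, genuine message accepted?)."""
    # Case 1: message + unkeyed hash. The attacker rewrites both, and the
    # receiver's recomputation matches: the "integrity check" passes.
    forged = tamper(MESSAGE)
    hash_fooled = receiver_accepts_with_hash(forged, digest(forged))

    # Case 2: message + HMAC tag. The attacker can change the message but cannot
    # recompute the tag without KEY, so the old tag no longer verifies.
    tag = make_tag(KEY, MESSAGE)
    tag_fooled = verify_tag(KEY, tamper(MESSAGE), tag)

    genuine_ok = verify_tag(KEY, MESSAGE, tag)
    return hash_fooled, tag_fooled, genuine_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The tag is "short" in the slide's sense: 32 bytes regardless of message length. What it does not provide is non-repudiation, since both parties hold the same key and either could have produced it; that is what digital signatures add two slides further on.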


Security Goals – Accountability

The state of principals being answerable for past actions

  • Holds principals responsible for their actions
  • Involves tracing an action back to the individual or entity that took it
  • E.g., audit logs
    • Records capturing the security-relevant events and activities on a computer system


Security Goals – Non-Repudiation

The property of proving (with legal validity) occurrence/non-occurrence of an event or participation/non-participation of one or more principals in an event

  • Digital Signatures are the most common method
    • A cryptographic scheme for verifying the authenticity and integrity of data
    • Used to implement Electronic Signatures (that have legal significance!)
  • Problem: how to mitigate the risk of people repudiating their own signatures?
    • Involve a Trusted Third Party


Privacy

The right of an individual to control the collection, use, and disclosure of their personal information

  • E.g., financial, medical records, and online activity
    • Violations affect the individual (e.g., anxiety, reputational harm, discrimination)
  • Several laws and regulations protect privacy
    • General Data Protection Regulation (GDPR) in the European Union 🇪🇺
    • California Consumer Privacy Act (CCPA) in the United States 🇺🇸
  • Requires a combination of technical, organizational, and legal measures
  • In order to ensure privacy, one must first ensure security, but…
    • Security ⇏ Privacy
  • Anonymity: one’s actions or involvement are not linkable to an identity


[3/4] Computer Security Policies and Attacks


Computer Security

Computer security protects assets

  • Information, software, hardware, and communications services
  • Data manipulation allows control of many physical-world assets
  • Security is formally defined relative to a security policy
    • Specifies the design intent of a system’s rules and practices
    • What is, and is not (supposed to be) allowed


“This computer is secure”

A formal security policy precisely defines each possible system state as either

  • Authorized (secure) or Unauthorized (non-secure)
  • System actions (e.g., input/output or data transfer) cause state transitions
  • A security policy is violated if the system moves into an unauthorized state


Policy and Countermeasures

A security policy allows a determination of when a security violation has occurred

  • Does not preclude such violations
  • Controls and countermeasures are needed
    • AKA monitors and security mechanisms
    • To support and enforce security policies


Threat Agents and Attack Vectors

Secure against whom and from what types of attacks?

  • An attack is the deliberate execution of one or more steps intended to cause a security violation
  • Attacks exploit specific system characteristics called vulnerabilities
    • Design flaws, implementation flaws, and deployment or configuration issues
  • The threat agent behind a potential attack is called an adversary
    • It is an attacker once a threat is activated into an actual attack
  • A threat is any combination of circumstances and entities with the potential to harm assets
  • Attack vectors are specific methods by which attacks are carried out


House security policy – A non-technical example

Consider a simple security policy

  • No one is allowed in the house unless accompanied by a family member
  • Only family members are authorized to remove physical objects from the house

Therefore:

  • An unaccompanied stranger in the house is a security violation
  • An unlocked back door is a vulnerability
  • The threat is the existence of a stranger motivated to profit by stealing an asset and selling it
  • A stranger entering through such a door, and removing a television, is an attack
    • The stranger is the attacker
  • The attack vector is entry through the unlocked door
  • The installation of CCTV cameras is a way of monitoring
    • Connecting them with an audible alarm system is a security mechanism
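The house policy, together with the state-machine view of a security policy from the “This computer is secure” slide, as a small executable model. This is an added example, not material from the slides: the state encoding, the action set and the two door configurations are constructed. A breadth-first search over reachable states finds the shortest action sequence that leaves the authorized set; that sequence is the attack, and its first step is the attack vector.

```python
"""Added example: the house policy as a small formal model.

States, actions and initial configurations are constructed for illustration.
A policy partitions states into authorized/unauthorized, actions are
transitions, and a search answers "can the policy ever be violated?"
"""
from collections import deque

FAMILY = frozenset({"mom", "dad"})
STRANGER = "stranger"


def make_state(people=(), back_door_locked=False, tv="inside"):
    """State = (who is inside, is the back door locked, where the TV is).
    tv is one of "inside", "taken_by_family", "taken_by_stranger"."""
    return (frozenset(people), back_door_locked, tv)


def is_authorized(state) -> bool:
    """The two policy rules from the slide: both must hold in every state."""
    people, _locked, tv = state
    unaccompanied_stranger = bool(people - FAMILY) and not (people & FAMILY)
    object_removed_by_stranger = tv == "taken_by_stranger"
    return not unaccompanied_stranger and not object_removed_by_stranger


def enabled_actions(state):
    """Yield (action name, successor state) for every action possible in `state`."""
    people, locked, tv = state
    if not locked and STRANGER not in people:
        yield "stranger enters through the unlocked back door", (people | {STRANGER}, locked, tv)
    if STRANGER in people:
        yield "stranger leaves", (people - {STRANGER}, locked, tv)
        if tv == "inside":
            yield "stranger removes the television", (people, locked, "taken_by_stranger")
    if people & FAMILY:
        yield "dad leaves", (people - FAMILY, locked, tv)
        if tv == "inside":
            yield "dad takes the television to the repair shop", (people, locked, "taken_by_family")
    else:
        yield "dad comes home", (people | {"dad"}, locked, tv)


def find_violation(initial, violated=lambda s: not is_authorized(s)):
    """Shortest action sequence from `initial` to a state satisfying `violated`,
    or None when no reachable state does (the policy cannot be violated)."""
    queue = deque([(initial, [])])
    seen = {initial}
    while queue:
        state, path = queue.popleft()
        if violated(state):
            return path
        for name, successor in enabled_actions(state):
            if successor not in seen:
                seen.add(successor)
                queue.append((successor, path + [name]))
    return None


if __name__ == "__main__":
    vulnerable = make_state(back_door_locked=False)  # the slide's configuration
    hardened = make_state(back_door_locked=True)     # the vulnerability removed
    print(find_violation(vulnerable))
    print(find_violation(vulnerable, violated=lambda s: s[2] == "taken_by_stranger"))
    print(find_violation(hardened))  # None: no reachable unauthorized state
```

With the door locked the search returns None, meaning no sequence of the modelled actions reaches an unauthorized state. That guarantee is only as good as the action set: adding an action such as "dad lets a guest in" would immediately produce a new violating path (dad leaves while the guest stays), which is why the threat model, i.e. which actions an adversary can take, matters as much as the policy itself.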


[4/4] Vulnerability, Threat, Exploit, and Risk


Vulnerability, Threat, Exploit, and Risk

(Diagram: Vulnerability, Threat and Exploit drawn as overlapping sets, with Risk in their intersection)


Vulnerability

  • RFC 4949
    • "A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy"
  • MITRE's Common Weakness Enumeration (CWE) https://cwe.mitre.org/
    • Memory corruption flaws
    • Misconfiguration
    • Design and architecture flaws
    • Missing audit features
    • Weak / guessable / default passwords
  • CWE ≠ CVE (Common Vulnerabilities and Exposures) https://cve.mitre.org/
    • Lists specific flaws in a specific piece of software
    • E.g., CVE-2021-44228 (Log4Shell)


Threat

An agent or actor that can cause harm

  • Could be human
    • Bad guy on the keyboard with intent to cause harm
    • A user who accidentally clicked the wrong button
  • Could be code → Malware
  • A threat does not have to be intentional, it could be accidental
    • What if a web app scanner "clicked" on a delete button?
  • Advanced Persistent Threat (APT)
    • Advanced: stealthy threat actor, typically a nation state or state-sponsored group
    • Persistent: creates a persistent presence within the targeted perimeter


Advanced Persistent Threat (APT)

Examples of APT naming by vendor

  • Kaspersky: Crouching Yeti (Russia), Epic Turla (Russia), Darkhotel (unknown)
  • CrowdStrike: Fancy Bear (Russia), Deep Panda (China), Charming Kitten (Iran)


Where Threats Can Come From


Exploit

Code or technique that takes advantage of a vulnerability to cause unintended or unanticipated behavior

For example

  • Vulnerability: a web server that accepts uploads of any file type, including server-side scripts
  • Exploit: uploading a web shell to a web server

Classification

  • Remote: works over a network
  • Local: requires prior access to the vulnerable system


Exploit Types… and payouts 🤑


Risk

The expected loss due to harmful future events, relative to an implied set of assets and over a fixed time period

  • R = T · V · C
    • Probability that particular Threats are instantiated by attackers in a given period
      • Difficult to estimate
    • The existence of Vulnerabilities
    • The Cost or impact of a successful attack
  • May be rewritten to combine T and V into a variable Probability
    • R = P · C
  • Many times the risk number comes down to expert opinion based on the individual's or team's knowledge and experience


Be careful: expert predictions FAIL

The world is too complicated to be predicted with accuracy (e.g., market predictions)

  • “Fooled by Randomness” by risk analyst PhD Nassim Nicholas Taleb
    • We can understand randomness intellectually
    • Countless experiments have shown that we do not get it intuitively
  • “Thinking, Fast and Slow” by psychologist PhD Daniel Kahneman
    • Judgements are generally the products of non-conscious systems that operate quickly
    • Then it passes its approximations to consciousness, which slowly and deliberately adjust them
  • Overconfidence is a universal human (evolutionary) trait
    • Encourages people to take action and makes them more resilient in the face of setbacks
  • “Victims of Groupthink” by psychologist PhD Irving Janis
    • Deviating too far from consensus leaves one feeling potentially ostracized from the group, with the risk that one may be terminated – economist PhD Robert Shiller
  • Confirmation bias
    • The tendency to search for, interpret, favor, and recall information in a way that confirms or supports one's prior beliefs or values


Risk Reduction

Risk is where a threat, vulnerability, and exploit overlap

  • Risk reduction ⇒ threat/vulnerability/exploit reduction
  • Examples
    • Preventing the threat from accessing the system
      • Disable SSH password authentication
    • Removing/hiding sensitive data from the system
      • Password hashing
    • Hardening ⇒ reducing attack surface
      • Disable unnecessary services
    • Using a Web Application Firewall (WAF) to prevent an exploit from working
    • Automated patch management
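An added example for the hardening items above: a checker that parses an sshd_config fragment and reports the directives that leave password logins, root logins or unneeded services enabled. It is not code from the slides or from OpenSSH; the WEAK and HARDENED texts are constructed, and the defaults assumed for absent directives are those documented for current OpenSSH releases.

```python
"""Added example: audit an sshd_config fragment for the hardening items
listed above. WEAK and HARDENED are constructed texts, not real hosts'
files; the directive defaults are those of current OpenSSH.
"""

WEAK = """\
# constructed example of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
"""

HARDENED = """\
# constructed example after hardening
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
X11Forwarding no
"""

# directive (lower-cased) -> (acceptable values, OpenSSH default when absent)
CHECKS = {
    # "Disable SSH password authentication": both password-style methods must be
    # off, otherwise PAM keyboard-interactive still lets a user type a password.
    "passwordauthentication": ({"no"}, "yes"),
    "kbdinteractiveauthentication": ({"no"}, "yes"),
    # "Preventing the threat from accessing the system": no direct root logins.
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
    # "Disable unnecessary services": X11 forwarding is rarely needed on servers.
    "x11forwarding": ({"no"}, "no"),
}


def parse_sshd_config(text: str) -> dict:
    """Return {directive: value} for the global section of an sshd_config.

    Mirrors the sshd rules that matter for an audit: directives are
    case-insensitive, 'Key value' and 'Key=value' are both accepted, and the
    FIRST occurrence of a directive wins. Parsing stops at the first Match
    block, whose directives apply only to matching users/hosts and need
    separate evaluation.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text: str) -> dict:
    """Return {directive: message} for every failed check (empty dict = clean)."""
    settings = parse_sshd_config(text)
    findings = {}
    for key, (acceptable, default) in CHECKS.items():
        effective = settings.get(key, default).lower()
        if effective not in acceptable:
            source = "set explicitly" if key in settings else "OpenSSH default"
            findings[key] = f"{key} is {effective!r} ({source}); expected one of {sorted(acceptable)}"
    return findings


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

The WEAK fragment produces four findings, one of them for a directive that is not even present: KbdInteractiveAuthentication defaults to yes, so "PasswordAuthentication no" alone does not remove password logins. Checking effective values, defaults included, rather than only what is written in the file is the difference between a configuration diff and an actual hardening check.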


Analyze threats, vulnerabilities, and risks


Quantitative Assessment

Attempt to estimate numbers and $$$ amounts

  1. Estimate potential losses
    • Single Loss Expectancy (SLE) = Asset Value * Exposure Factor
    • Exposure Factor → Percent of damage that a realized threat would have on a specific asset
  2. Conduct a threat analysis
    • Determine the likelihood of an unwanted event
    • Annual Rate of Occurrence (ARO) → How many times is this expected to happen in one year?
  3. Determine annual loss expectancy
    • Annual Loss Expectancy (ALE) = SLE * ARO
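The three steps above carried through on a constructed asset list, as an added example (not from the slides). It also applies the same arithmetic to a countermeasure, comparing the ALE before and after the safeguard against its yearly cost; that cost/benefit step is standard risk-analysis practice, not a formula on this slide, and every figure used is invented for illustration.

```python
"""Added example: SLE/ARO/ALE from the slide on a constructed asset list,
plus the cost/benefit test for a countermeasure (standard practice, not a
formula from the slides). All monetary figures and rates are invented.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # value of the asset at risk (the C in R = T·V·C)
    exposure_factor: float  # fraction of the asset lost per incident, 0.0..1.0
    aro: float              # Annual Rate of Occurrence: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value * Exposure Factor."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * ARO (R = P · C over a one-year period)."""
        return round(self.sle() * self.aro, 2)


def rank_by_ale(scenarios):
    """Highest expected annual loss first: where the budget should go."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def countermeasure_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a safeguard = risk reduction - its yearly cost.
    Positive: worth buying; negative: the cure costs more than the disease."""
    return round(before.ale() - after.ale() - annual_cost, 2)


# Constructed scenarios (figures invented for illustration).
RANSOMWARE = Scenario("ransomware on the file server", 500_000, 0.6, 0.5)
LAPTOP = Scenario("stolen laptop with encrypted disk", 2_000, 1.0, 3.0)
BREACH = Scenario("SQL injection data breach", 1_000_000, 0.4, 0.2)
SCENARIOS = [RANSOMWARE, LAPTOP, BREACH]

# Countermeasure: tested offline backups cut the exposure factor of ransomware
# (the data is recoverable) but do nothing about how often it happens.
RANSOMWARE_WITH_BACKUPS = replace(RANSOMWARE, exposure_factor=0.1)
BACKUP_ANNUAL_COST = 20_000

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:36} SLE={s.sle():>10,.0f}  ARO={s.aro:<4} ALE={s.ale():>10,.0f}")
    print("offline backups, net value per year:",
          countermeasure_value(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST))
```

Note how the ranking changes the picture: the laptop scenario happens most often but has the smallest ALE, while the rare, high-impact breach ranks second. The ARO is the input the previous slides warn about, since it encodes the expert's estimate of threat likelihood; a sensitivity check (rerun with ARO halved and doubled) is cheap and tells you whether the decision actually depends on that guess.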


Qualitative Assessment

Qualitative assessment is scenario driven and does not attempt to assign $$$ values to components of the risk analysis

E.g., NIST 800-26 uses the CIA triad

  • Low
    • Minor inconvenience that could be tolerated for a short period of time.
  • Medium
    • Could result in damage that needs a moderate amount of money to repair.
  • High
    • Would result in loss of goodwill between the company and clients or employees
    • Could result in a legal action or fine, or cause the company to lose revenue or earnings