Week 1: Threat landscape

About the course

Your journey into the world of cyber security and protecting your digital life has been organised into eight weeks of study. The first three weeks focus on understanding the basics of cyber security. This includes an exploration of the security threat landscape, together with some of the basic techniques for protecting your computers and your online information.

You’ll then look ‘under the hood’, exploring some of the technologies that underpin the internet and cyber security. This will include gaining an understanding of how computers are connected in a network and how the data transmitted across that network is kept secure.

In the final two weeks of the course, you’ll look at what can be done if you suffer a successful cyber security attack and how to develop an action plan. As part of this, you’ll learn about both the legal and technical aspects of recovering from an attack.

This course will not only help you take steps to protect yourself online, such as how to create a strong password, but also provide an overview of cyber security from the security threat landscape to how the internet works. It will also provide a foundation for further study of this important discipline.

To test your knowledge you can try the end-of-week practice and end-of-course compulsory badge quizzes.

The Open University would really appreciate a few minutes of your time to tell us about yourself and your expectations for the course before you begin, in our optional start-of-course survey. Participation will be completely confidential and we will not pass on your details to others.

Behind the numbers

Cyber security is definitely one of those areas where you need to evaluate the validity of any information you find online before accepting it. The UK government regularly publishes surveys of cyber security breaches. In 2019, 32% of businesses identified cyber security breaches or attacks in the previous 12 months. Medium (over 50 employees) and large businesses (over 250 employees) were particularly at risk with 60% reporting attacks. The report also notes that attacks may be under reported and the true cost and impact of cyber security breaches may be undervalued. It also notes that some businesses may not be aware that they have been attacked (Department for Digital, Culture, Media and Sport, 2019).

By far the largest number of attacks reported are fraudulent emails, or fraudulent websites. Phishing attacks have resulted in the most disruptive and expensive breaches in the past 12 months. Specialist security firms also publish regular reports on the current cyber security situation. TrendMicro reports blocking 26,804,076,261 threats in the first half of 2019 (TrendMicro, 2019). Again, the largest proportion contained in emails. Sophos also reports spam emails as the biggest source of attacks and warns that ransomware is increasing and can be the most destructive (Sophos, 2019).

Statista is a business that focuses on collecting and presenting statistics on a huge variety of subjects. Some of these reports are free of charge. For example, it reports that over 446.5 million records were exposed by data breaches in the United States in 2018 (Statista, 2018).

Let’s get started by learning some of the basic terminology used when discussing cyber security.

CIA

The guiding principles behind information security are summed up in the acronym CIA (and we’re pretty sure there’s a joke in there somewhere), standing for confidentiality, integrity and availability.

We want our information to:

• be read by only the right people (confidentiality)
• only be changed by authorised people or processes (integrity)
• be available to read and use whenever we want (availability).

It is important to be able to distinguish between these three aspects of security. So let’s look at an example.

So how do the principles of CIA apply to the Equifax case? Quite obviously, confidentiality was violated: unauthorised people could read the data. However, authorised users still had full access to the data, so it remained available; and the data was not changed, so its integrity was preserved.

Information assets

Time for another definition. When talking about valuable data we use the term ‘information assets’. In the Equifax case, the information assets were the data about people and their financial records collected by Equifax.

When we consider security of online communications and services, we also need two additional concepts: ‘authentication’ and ‘non-repudiation’.

When we receive a message, we want to be confident that it really came from the person we think it came from. Similarly, before an online service allows a user to access their data, it is necessary to verify the identity of the user. This is known as authentication.

Non-repudiation is about ensuring that users cannot deny knowledge of sending a message or performing some online activity at some later point in time. For example, in an online banking system the user cannot be allowed to claim that they didn’t send a payment to a recipient after the bank has transferred the funds to the recipient’s account.

Malware

Finally, there are a number of terms associated with software that attempts to harm computers in different ways. Collectively these are known as ‘malware’ (a contraction of malicious software).

Depending on what the malware does, different terms are used to in relation to malware. For example:

• ransomware is malware that demands payment in order to refrain from doing some harmful action or to undo the effects of the harmful action
• spyware records the activities of the user, such as the passwords they type into the computer, and transmits this information to the person who wrote the malware
• botnets are created using malware that allows an attacker to control a group of computers and use them to gather personal information or launch attacks against others, such as for sending spam emails or flooding a website with so many requests for content that the server cannot cope, called a denial-of-service attack.

You’ll learn more about malware in Week 3.

Now that you understand some of the basic concepts and terminology, you’ll use this knowledge to study real examples of cyber security breaches.

Phishing

It may be surprising that many cyber security breaches do not result from technical failures. In fact, it is commonplace for attackers to exploit the goodwill and trust of people to gain access to systems, using a form of attack that is known as ‘social engineering’. Pretending to be technical support personnel or crafting emails that ask for usernames and passwords are common forms of social engineering attacks. You may have heard the term ‘phishing’ used to describe these kinds of emails. Phishing is a form of social engineering. In the video, course guide Cory explains how it happened to him.

Phishing emails can use your real details and passwords to make you think that the attacker is a real contact that you already know, or to make you think that they have more information than they actually do to panic you into clicking on a message. The criminals get your email address and password data etc. from breaches of many online databases.

In October 2019, over 30,000 aggressive phishing emails an hour were being sent out to email addresses where a password was known: https://www.bbc.co.uk/ news/ technology-50065713

In January 2019, Troy Hunt, a security professional, published details of a database being used by criminals that contained 773 million records and over 21 million unique passwords.

To check if your account has been part of a data breach that included your email address visit https://haveibeenpwned.com. To check if a password that you use has also been found in a data breach visit https://haveibeenpwned.com/ Passwords. Don’t type in a complete password to start with. Type in the first few characters and click ‘pwned?’ If it doesn’t come up, your password is safe. If it does get a match, add the next character and check again. If you have typed in the complete password and get a match it is time to change your password!

Of interest, check the password 123456789. How many times has that been seen?!

In a later week in the course you’ll study how to create secure passwords.

In the next section you’ll find out about three high profile cyber security breaches.

Attacking online identities

Adobe Systems is one of the more important companies in the digital economy. Its software is used to produce, publish and present an enormous amount of material – chances are your favourite magazines and books were laid out with Adobe software.

Over the years, Adobe had stored the names, addresses and credit card information of tens of millions of users on its servers. Then, in October 2013, Adobe admitted that data from 2.9 million accounts had been stolen. Later, that number was revised to 38 million accounts, but when the data file was found on the internet it contained no less than 153 million user accounts. Much of this data could be read and soon copies of the stolen accounts were in wide circulation. It also became clear that the people who had stolen user data had also gained access to Adobe’s development servers – program code, potentially worth billions of dollars, had also been stolen.

Adobe was forced to change the log in details of every one of its users and to greatly improve its own security. And, of course, users sued Adobe for not protecting their information.

You can check to see if your email address was included in this information that was stolen by visiting: https://haveibeenpwned.com/ and entering your email address into the email input box.

Is Adobe alone, or are other companies holding valuable data but not protecting it properly?

Fast forward to 2019

• A huge database of 49 million Instagram accounts was exposed online without any password protection (TechCrunch, 2019a).
• A database containing hundreds of millions of phone numbers linked to Facebook accounts was left exposed online (TechCrunch, 2019b).
• Personal data of the entire population of Ecuador was available online – 20.8 million records, some including bank balance (ZDNet, 2019).

Attacking industrial systems

Not many people want a uranium centrifuge, but those that do, really want a uranium centrifuge. The centrifuge was developed after the Second World War for enriching uranium so that it can be used either for generating nuclear power, or, as the heart of a nuclear weapon.

Under international treaty it is not illegal for countries to slightly enrich uranium for nuclear energy, but high levels of enrichment are forbidden to all but a handful of countries. As a consequence, centrifuge technology is tightly controlled, but still, centrifuges have gradually spread around the world. Most recently they have been developed by Iran, ostensibly for that country’s legal civil nuclear programme; but it is sometimes suspected it might possibly be for the development of an Iranian nuclear bomb.

In the summer of 2010, a new piece of malicious software for the Microsoft Windows operating system was discovered by an antivirus company in Belarus. The software was dissected and found to attack a very specific set of computer-controlled high-speed motors manufactured by Siemens. Left unchecked, the software, dubbed ‘Stuxnet’, would rapidly increase and decrease the speed of the motors causing irreparable damage to whatever was connected to them – among other things, uranium centrifuges.

The very specific nature of the systems targeted by Stuxnet make many believe that it was developed specifically to disrupt the Iranian uranium enrichment programme. By the autumn of 2010, reports were appearing that the Iranian centrifuge programme was in trouble. The Israeli paper Haaretz reported that Iran’s centrifuges had not only produced less uranium than the previous year, but that the entire programme had been forced to stop and start several times because of technical problems. Other sources reported that Iran had been forced to remove large numbers of damaged centrifuges from its enrichment plant.

In 2016, there was a serious cyber attack on the Ukrainian power grid (Ars Technica, 2019). Recent analysis has provided much more detail about how it was carried out. It would appear that the intention was to disable safety monitoring equipment in such a way that the operators would not be aware that important safety equipment had also been turned off. This could have caused catastrophic damage when operators attempted to restore power. The target was a known vulnerability in a piece of Siemens equipment known as a Siprotec protective relay. A security patch was available but may not have been installed.

In 2017, there was an incident at a Saudi oil refinery, Petro Rabigh, when malware shut down the plant. A report by Dragos, updated in 2019, suggested that the malware was probing the plant’s industrial control systems when it accidentally triggered the shutdown. In 2019, Dragos reports that the same group behind this malware was probing industrial control systems within the electrical transmission networks in the US and Europe-wide. They have named this threat XENOTIME (Dragos, 2019).

In 2019, a week after suffering a crippling ransomware infection by LockerGoga, Norwegian aluminum producer Norsk Hydro estimates that total losses from the incident had already reached $40 million. It is not clear whether Norsk Hydro was specifically targeted, or whether this was the result of a random infection, but it illustrates the risk to industrial operations from attacks on the IT infrastructure.

Attacking specific targets

In December 2013, the American retailer Target announced that hackers had stolen data belonging to 40 million customers. The attack had begun in late November and continued for several weeks before it was detected. By then it had compromised more than 110 million accounts, including unencrypted credit and debit card information as well as encrypted PIN data. By February 2014, American banks had replaced more than 17 million credit and debit cards at a cost of more than $172 million. The amount of fraud linked to the attack is unknown, as is the damage to Target’s reputation.

Target was not the first major retailer to be hit by hackers, but this attack was different from most; the weakness that allowed the attackers into the Target computers lay outside of the company. The hackers had gained access through computers belonging to one of Target’s heating, ventilation and air conditioning services (HVAC) contractors. Like many large organisations, Target allows other companies to access its internal networks, to submit bills and exchange contracts.

The hack appears to have begun when an employee of the HVAC company received an email from one of their trusted partners. In fact, the email was fake and contained malicious software. Unlike traditional spam email, this message had been targeted at a very specific audience – the HVAC company. It was what is known as ’spear phishing’.

Once the email had been opened, the hidden software went to work and retrieved the HVAC company’s Target network authorisations, allowing them to log on to their real objective. In an ideal system, the HVAC company’s authorisations should have restricted them to a network responsible solely for billing and contracts, but, like a lot of big organisations, Target used a single network for all of its data, allowing the attackers to eventually locate, and steal, customer data.

The Target attack is an example of an advanced persistent threat. Rather than attempting to attack the retailer directly, the hackers had chosen an external company which was much less likely to have the resources to detect and defend against an attack. Their spear phishing email was directly targeted at the contractor, lulling them into a false sense of security and allowing the malware to retrieve the logon credentials needed to attack Target itself.

In 2017, Target had to pay a settlement of $18,500,000 and agree to make the following changes to significantly improve its security.

• Develop and maintain a comprehensive information security program
• Maintain software and encryption programs to safeguard people’s personal information
• Separate its cardholder data from the rest of its computer network
• Rigorously control who has access to the network
• Regularly bring in an independent and well-qualified third party to conduct regular, comprehensive security assessments of its security measures.
• Hire an executive officer to run its new security program and serve as a security advisor to the CEO and the board of directors.

You don’t need to be a huge company to be specifically targeted by criminal hackers

An employee responsible for handling the company finances knew that a meeting to finalise the acquisition of another company was in progress. He received the email: ‘Hey, the deal is done. Please wire $8m to this account to finalise the acquisition ASAP. Needs to be done before the end of the day. Thanks.’ The employee thought nothing of it and sent the funds over, ticking it off his list of jobs before heading home. But alarm bells started to ring when the company that was being acquired called to ask why it had not received the money. An investigation began - $8m was most definitely sent, but where to?

The criminal hacker clearly new of the meeting in progress. Most likely by intercepting emails over several days or weeks to look for an opportunity for an attack. For the rest of the report see https://www.bbc.co.uk/ news/ technology-49857948

Even private individuals have been attacked in this way – again the most likely method of attack is by intercepting emails. Perhaps by sitting in a car outside the victims house and snooping on the data transmitted through home router wireless networks (WiFi) that have not been password protected, or perhaps by snooping the WiFi traffic of a local tradesman or estate agent, waiting for emails that show that an invoice is about to be sent. The hacker then sends an identical invoice, but with a different account to receive the payment.

Government sites

• National Cyber Security Centre

News sites

The best places to get started are the major media outlets, most of whom employ technology journalists. These sites will give you readable information intended for as wide an audience as possible. Many of them are updated several times a day, but they will only consider ‘newsworthy’ events such as a major hack or virus outbreak, and some will only cover news in a particular country – so you may need to look at a variety of sites:

• BBC News Technology
• Guardian Online Technology
• The Telegraph Internet security
• Bloomberg Cyber security

Technology sites

Many sites devoted to technology will cover aspects of security on a regular basis. Most of the sites below cover other topics, so you might need to use their search functions to find relevant information.

• Wired – Threat level
• Computer Weekly
• The Hacker News
• Info-Security magazine

Information security companies

There are a large number of companies selling security software to home users and to businesses. Almost all of them maintain regularly updated websites explaining new and emerging security threats and how they can be overcome.

Much of this information is technical and aimed at administrators responsible for large computer systems, but the introductory material is often quite easily understood. These sites can be the best to use when a new security issue is identified.

• Sophos labs
• Microsoft
• Apple

Blogs

• Krebs On Security Brian Krebs is an American journalist and investigative reporter. He is best known for his coverage of profit-seeking cybercriminals. His interest grew after a computer worm locked him out of his own computer in 2001.
• Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon’s.
• Bruce Schneier is an internationally renowned security technologist who writes a monthly newsletter, called ‘Crypt-o-gram’. He provides commentary and insights into critical security issues of the day. The content of this blog can be accessed in multiple forms, including a podcast and an email newsletter.
• Troy Hunt provides analyses of different system breaches and useful hints on how to avoid being attacked.

Questions to consider

Remember that earlier this week we classified security issues under three headings. We want our information to:

• be read by only the right people (confidentiality)
• only be changed by authorised people or processes (integrity)
• be available to read and use whenever we want (availability).