CSSLP Tutorial: Module 01,Part 05 – Adversaries and Review

Adversaries and Review

CSSLP Tutorial: Part Five is about how to identify who our adversaries are and where they are attacking from.

There are a few terms used to describe who is attacking and from which direction the attack is coming. Some of these terms are: script kiddies, hackers, elites, and state-sponsored or government-approved attackers.

CSSLP Tutorial: The first term, script kiddie, is a rather derogatory one.

In the field it means someone with little real talent who, instead of writing their own code, does a Google search and copies and pastes what they find. The resulting amalgamation is then unleashed as viruses, malware, and so on. They are not really skilled enough to have written the code themselves, and hackers tend to throw the term around as an insult at each other or at anyone who publishes inelegant code. Whether their skill set is high or low, script kiddies still represent a threat to our systems. They do not understand the full extent of the damage the code can cause, and in some cases they may be more dangerous than the other groups precisely because they do not know what is going to happen. They may or may not have malicious intent, but they do not know enough to understand the ramifications of their actions. The defensive lesson is that a published exploit removes the need for skill, so defenses cannot be sized to the attacker's talent.

CSSLP Tutorial: The second term, more commonly known among lay persons, is hacker.

Unfortunately, in recent times "hacker" has taken on a negative connotation. As used by people in the field, however, it is a neutral term. It originally meant someone who is very good at coding and has a talent for taking computers apart and putting them back together again, whether conceptually, in the programming, or physically, taking the actual tower apart to diagnose hardware problems. Hackers have a refined appreciation for the elegance and beauty of well-crafted code.

CSSLP Tutorial: There are actually several kinds of hackers, which is why the term is neutral.

There are white hat and black hat hackers, and both are really good at what they do. White hat hackers have permission from the organization and are supported by it, so that they can spot problems and strengthen the organization's security mechanisms. Black hat hackers, on the other hand, use their talent with ill intent. A third group sits somewhere in the middle: the gray hat hackers. If you have ever played a Dungeons & Dragons character with a Chaotic Good alignment, that is very close to the politics of the gray hat. They find a mechanism that is easy to exploit and tell its owner about it, intending that the owner fix the gaping hole. If the vendor does not respond to their good will, or belittles and ignores them, they may release the information on the web, at which point the vendor faces everyone who is less polite: black hats, elites, or even script kiddies looking for a little fun. Gray hats are basically good but hold personal freedom and welfare above all else, and they dislike seeing people pushed around in the name of law or authority. Note that, however good the intent, probing a system without the owner's permission is still unauthorized access, so a gray hat's legal standing is very different from a white hat's.

CSSLP Tutorial: The last group is the elite, often written "leet" or "1337".

They developed what is known as leetspeak, in which certain characters on the keyboard substitute for letters, words, or other symbols. They have a very high skill set and a strong sense of their own intelligence. They are probably the most talented in the world of coding, and the tutorial ranks them several magnitudes above even the best of the other hacker groups.

CSSLP Tutorial: Now that the groups have been defined, next come the types of attacks.

Attacks can be highly structured, structured, or unstructured; this reflects the skill set behind the attack. You can also look at whether the attack targets your organization on purpose. Sometimes you are just collateral damage: you were downwind of the actual target and got caught up in the mess. Sometimes the attack is random and simply uses whatever systems are reachable. So you have a responsibility to protect your system every single time you connect to the internet.

A recent example was a crockpot that could be switched on remotely over the internet while you were still at work. The problem was that it had no protection at all, no authentication and no encryption. An attacker could get into people's personal computer systems via the crockpot, because it was controlled from a smartphone that in turn was connected to the rest of the household's computers. Any device that connects to the internet, even one as far from your data as a kitchen appliance, must have protections, or it becomes the way into the systems you are trying to protect.
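As an added illustration of that last point (example code written for this page, not anything from the appliance or its app; the key, the message format, and the freshness window are all made up for the demo), here is the minimum an internet-connected device needs on its command path: each command is bound to a timestamp and a fresh nonce under an HMAC with a pre-shared key, and the device refuses anything that is forged, stale, replayed, or simply unauthenticated. The `naive_handle` function shows the "no protection" design beside it.

```python
import hashlib
import hmac
import json

# Constructed values for the example. The key stands in for a secret
# provisioned when the appliance is paired with the owner's phone.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
MAX_SKEW_SECONDS = 30  # a command older than this is rejected as stale
COMMANDS = ("on", "off")


def naive_handle(msg: dict) -> str:
    """What an unprotected appliance does: any reachable sender can issue commands."""
    return msg["cmd"]


def canonical(body: dict) -> bytes:
    """Deterministic encoding so phone and appliance MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, command: str, ts: int, nonce: str) -> dict:
    """Phone side: bind the command, a timestamp and a fresh nonce under an HMAC."""
    body = {"cmd": command, "ts": ts, "nonce": nonce}
    body["tag"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


class Appliance:
    """Device side: act only on commands that verify, are fresh, and are unseen."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: set[str] = set()
        self.state = "off"

    def handle(self, msg: dict, now: int) -> str:
        tag = msg.get("tag")
        body = {k: v for k, v in msg.items() if k != "tag"}
        if (not isinstance(tag, str) or set(body) != {"cmd", "ts", "nonce"}
                or not isinstance(body["ts"], int)):
            return "rejected: malformed"
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if abs(now - body["ts"]) > MAX_SKEW_SECONDS:
            return "rejected: stale"
        if body["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(body["nonce"])
        if body["cmd"] not in COMMANDS:
            return "rejected: unknown command"
        self.state = body["cmd"]
        return f"ok: {self.state}"


def demo() -> list[str]:
    """Constructed traffic: one legitimate command followed by attacks on it."""
    now = 1_700_000_000
    dev = Appliance(DEVICE_KEY)
    good = sign_command(DEVICE_KEY, "on", now, "n1")
    forged = dict(good, cmd="off")                          # edited in transit, no key
    old = sign_command(DEVICE_KEY, "off", now - 600, "n2")  # captured ten minutes ago
    unauth = {"cmd": "off"}                                 # all naive_handle() needs
    return [
        dev.handle(good, now),        # legitimate command is applied
        dev.handle(good, now + 5),    # replay of the same message
        dev.handle(forged, now),      # tag no longer matches the body
        dev.handle(old, now),         # valid tag but outside the freshness window
        dev.handle(unauth, now),      # unauthenticated message
        naive_handle(unauth),         # the unprotected design just obeys it
    ]
```

In a real product this layer would sit inside TLS, which also gives confidentiality; the HMAC-plus-nonce check is the part that makes the device refuse commands it cannot attribute to its owner, which is exactly what the crockpot lacked.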

CSSLP Tutorial: Other adversaries act at the state or government level.

Examples are the alleged cyberattacks on the DNC attributed to Russia and on Sony Pictures attributed to North Korea. Sony Pictures had made the Seth Rogen film "The Interview", which parodied the North Korean leader Kim Jong-un. In the weeks before its Christmas 2014 release, alleged state-supported hackers released stolen internal emails exposing the inner politics of the corporation, which rankled its senior players. Generally, though, it is difficult to prosecute attackers who operate from another state or government. This part of Part Five was about the various types of adversaries or attackers that can damage our systems. In addition to adversary types, there are many factors to take into consideration when deciding how much protection is necessary.

CSSLP Tutorial: In addition to understanding the attackers, consider what is at stake.

Much also depends on how valuable the data or system is, who it would be valuable to, and how they would benefit from it. Other factors to consider are the possible threats, the strengths and weaknesses of the system, and who out there would want to get into it. All of these factors feed the decision about what types of security measures, and how much defensive coding, need to be used.

To summarize this section of the first module:

There are six basic concepts you have learned: security basics, the CIA triad, IAAA for access control, three basic principles of secure code, security and access control models, and, last, the potential threats to your system. Under security basics we covered some very general security tenets. The CIA triad is confidentiality, integrity, and availability. IAAA stands for identification, authentication, authorization, and accounting (or auditing); in this context accounting and auditing are used interchangeably because they mean essentially the same thing. There are a great many basic security principles; the three described here are the most important.

In review, the three important ones were a) keep the design open so peers can review your work, b) keep security mechanisms and code simple, and c) rather than applying security as a band-aid later, build it into the architecture of the system from the start.

There was a discussion of three security models as well as three access control models. The three security models were Bell-LaPadula, Biba, and Clark-Wilson. The access control models, despite their diverse goals and means, can all be explained by how the subject stands in relation to the object (the resource). In the discretionary model the subject who owns the object decides who may access it. In the mandatory model the system decides, because the labels assigned to subjects and objects determine access. The last model, role-based access control, is similar to the first except that rights are not assigned to individual user accounts; instead permissions are attached to roles defined by job function, and users are assigned to roles. Last, we discussed adversaries and attacks on your system, with some basic terminology and a short discussion of preventive measures.
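To make the subject/object relationship concrete, here is an added example (written for this page, not code from the tutorial) that checks the same subjects and objects under Bell-LaPadula and Biba label rules, a discretionary ACL, and role-based permissions. The users, labels, and roles are constructed for the demo; Clark-Wilson is not modeled, since it concerns well-formed transactions rather than a subject/object comparison.

```python
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity (or integrity) labels; a higher label dominates a lower one."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula, a confidentiality model: simple security property
    (no read up) and *-property (no write down)."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba, an integrity model: the duals of BLP, no read down and no write up,
    so low-integrity data cannot contaminate high-integrity subjects or objects."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


class Mac:
    """Mandatory access control: the system compares labels; owners get no say."""

    def __init__(self, subject_labels: dict, object_labels: dict, model=blp_allows):
        self.subjects = subject_labels
        self.objects = object_labels
        self.model = model

    def allows(self, subject: str, obj: str, op: str) -> bool:
        return self.model(self.subjects[subject], self.objects[obj], op)


class Dac:
    """Discretionary access control: the object's owner decides, by editing an ACL."""

    def __init__(self):
        self.owner: dict[str, str] = {}
        self.acl: dict[str, dict[str, set[str]]] = {}

    def create(self, obj: str, owner: str) -> None:
        self.owner[obj] = owner
        self.acl[obj] = {owner: {"read", "write"}}

    def grant(self, granter: str, obj: str, subject: str, op: str) -> bool:
        # Only the owner may change the ACL; anyone else is refused.
        if self.owner.get(obj) != granter:
            return False
        self.acl[obj].setdefault(subject, set()).add(op)
        return True

    def allows(self, subject: str, obj: str, op: str) -> bool:
        return op in self.acl.get(obj, {}).get(subject, set())


class Rbac:
    """Role-based access control: permissions attach to roles, users to roles."""

    def __init__(self, role_perms: dict, user_roles: dict):
        self.role_perms = role_perms
        self.user_roles = user_roles

    def allows(self, user: str, obj: str, op: str) -> bool:
        return any((obj, op) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))


def demo() -> dict:
    """Constructed scenario: the same subjects and objects under each model."""
    results = {}

    mac = Mac({"alice": Level.SECRET, "bob": Level.CONFIDENTIAL},
              {"plan": Level.SECRET, "memo": Level.CONFIDENTIAL})
    results["mac_bob_reads_plan"] = mac.allows("bob", "plan", "read")        # read up
    results["mac_alice_writes_memo"] = mac.allows("alice", "memo", "write")  # write down
    results["mac_alice_reads_memo"] = mac.allows("alice", "memo", "read")    # read down

    biba = Mac(mac.subjects, mac.objects, model=biba_allows)
    results["biba_alice_reads_memo"] = biba.allows("alice", "memo", "read")  # read down

    dac = Dac()
    dac.create("plan", "alice")
    results["dac_bob_before_grant"] = dac.allows("bob", "plan", "read")
    results["dac_bob_self_grant"] = dac.grant("bob", "plan", "bob", "read")  # not the owner
    dac.grant("alice", "plan", "bob", "read")
    results["dac_bob_after_grant"] = dac.allows("bob", "plan", "read")

    rbac = Rbac({"analyst": {("plan", "read")},
                 "editor": {("plan", "read"), ("plan", "write")}},
                {"alice": {"editor"}, "bob": {"analyst"}})
    results["rbac_bob_writes_plan"] = rbac.allows("bob", "plan", "write")
    results["rbac_alice_writes_plan"] = rbac.allows("alice", "plan", "write")
    return results
```

Note how the same read by alice on the memo is allowed under Bell-LaPadula and denied under Biba: the models disagree because one protects confidentiality and the other integrity, which is why a design has to say which property it is enforcing before picking a model.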