ABOUT CYBER SECURITY
Technology touches almost every facet of today's world. From morning to night we are engaged
digitally: a smartphone at home meets most of our daily needs, from transferring funds to ordering
a refill of groceries, and everything is just a click away. A typical day at the workplace involves
desktops and laptops connecting to intranet and internet servers. Even a relaxed weekend dinner
involves the waiter taking the order on a tablet and the customer paying the bill with a credit or
debit card. All of these transactions travel over the internet, so it is important that everyone is
aware of the risks of handling digital data and of how to protect it. Cyber security is the protection
of internet-connected systems, including hardware, software and data, from cyber attacks.
Since a majority of reported cyber attacks involve web applications, it is imperative that web
application designers and developers know the common mistakes to avoid while building and
maintaining web applications.
In this course we will learn about various cyber attacks, the reasons behind them and guidelines
for avoiding them. Web application developers should be familiar with the OWASP (Open Web
Application Security Project) Top 10, the list of the most critical web application security risks.
This course will explain each of these risks and its countermeasures. We will also cover the
concept of threat modelling and tools that help in designing secure web applications.
TODAY’S DIGITAL WORLD
Online applications can now be accessed from desktops, laptops, cell phones and other devices, and
these applications are highly interconnected. The same ease of access that makes them convenient
also widens their exposure. For instance, with the same cell phone a user can update a status on a
social media website one minute and transfer funds online the next. The same phone might be used
to access the user's Aadhaar card details. To top it all, the user might register with banking, social
networking and other applications using a single email account.
A weak password on that email account is a temptation for attackers: once they control the
account they can reset the passwords of, and gain access to, the other applications linked to it.
They can also send phishing mail from the account to lure the user into disclosing confidential
information that helps them break into his or her banking application. One vulnerable email
account can thus make every other linked application vulnerable.
Vulnerability is the quality or state of being exposed to the possibility of being attacked or harmed.
In IT systems, a vulnerability may exist because of a flaw in a computer, a flaw in a network,
human error and so on. Several such attacks have been reported in the recent past.
RECENT CYBER ATTACKS
CASE 1
What was it all about?
In May 2017, the WannaCry ransomware attack targeted computers running Microsoft Windows,
encrypting their data and demanding ransom payments in the Bitcoin cryptocurrency.
How was the attack carried out?
WannaCry spread using an exploit named EternalBlue against a vulnerability in the SMBv1
file-sharing service of unpatched Windows systems. The exploit had been published by a hacker
group called The Shadow Brokers in April 2017, about a month before the attack.
Microsoft had already released security updates for this vulnerability (security bulletin MS17-010)
in March 2017 for all supported Windows versions; Windows XP and Windows Server 2003 were out
of support and received an emergency patch only after the outbreak had begun.
Organizations that had not installed Microsoft's security update, or that were still running
Windows XP or Windows Server 2003, were affected by the attack.
What was its impact?
The attack was estimated to have affected more than 200,000 computers across 150 countries,
with total damages estimated at anywhere from hundreds of millions to billions of dollars.
One of the largest organizations affected was the UK's National Health Service (NHS). Up to
70,000 devices (including computers, MRI scanners, blood-storage refrigerators and operating
theatre equipment) belonging to hospitals in England and Scotland were affected.
CASE 2
What was it all about?
In November 2017 Uber's CEO, Dara Khosrowshahi, disclosed that in late 2016 attackers had stolen
the personal data of about 57 million Uber riders and drivers. The data included names, phone
numbers and email addresses of customers, and the licence numbers of around 600,000 drivers
working for the company (Uber stated that card numbers and trip histories were not taken).
How was the attack carried out?
The attackers gained access to a private GitHub repository used by Uber engineers. GitHub is a site
that many engineers and companies use to store the source code of IT projects.
In that repository they found access credentials that developers had accidentally left in the code.
Those credentials gave them access to an Amazon Web Services storage account (a third-party
cloud server) holding Uber's data, and they downloaded the data from there.
What was its impact?
Uber faced lawsuits from users whose personal data was leaked, and later regulatory fines in
several countries for concealing the breach for about a year
Uber paid the attackers $100,000 to delete the data, a payment widely reported as a ransom
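The root cause in this case was a credential committed to source code. As an added example (not part of the original course material, and not Uber's code), the following Python script scans a set of source files for hard-coded credentials in the way a pre-commit hook or CI check would, so that the mistake is caught before the code reaches a shared repository. The rules are illustrative: the AWS access-key-ID format (the prefix AKIA followed by 16 upper-case alphanumerics) is the real one; the other patterns and the sample files are constructed for the example, and the key value used is the well-known AWS documentation placeholder, not a live credential.

```python
"""Added example: a minimal secret scanner of the kind run as a pre-commit
hook or CI step. Rules and sample repository contents are constructed for
illustration; real tools (gitleaks, trufflehog, etc.) carry far more rules."""
import re
from typing import Dict, List, Tuple

# Each rule: (name, compiled regex). The AWS access-key-ID format is real;
# the password-assignment and private-key rules are deliberately generic.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password_assignment",
     re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*['"]([^'"\s]{6,})['"]""")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Placeholder values that legitimately appear in example configs; not flagged.
PLACEHOLDERS = {"changeme", "<password>", "your_password_here", "xxxxxxxx", "example"}


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (rule_name, line_number, path) for every suspicious line in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name == "password_assignment" and m.group(2).lower() in PLACEHOLDERS:
                continue
            # Reading the value from the environment is the safe pattern; skip it.
            if "os.environ" in line or "getenv" in line:
                continue
            findings.append((name, lineno, path))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> contents, as a hook would scan the staged files."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository (fake values; the AKIA key is the AWS docs placeholder).
SAMPLE_REPO = {
    "config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'S3cretPassw0rd!'\n"              # hard-coded secret: flagged
        "CLOUD_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"  # AWS-style key ID: flagged
    ),
    "config/settings.example.py": (
        "DB_PASSWORD = 'changeme'\n"                      # placeholder: not flagged
    ),
    "app/db.py": (
        "import os\n"
        "password = os.environ['DB_PASSWORD']\n"         # read from environment: not flagged
    ),
}

if __name__ == "__main__":
    for rule, lineno, path in scan_files(SAMPLE_REPO):
        print(f"{path}:{lineno}: possible {rule}")
```

Running the script reports the two lines in config/settings.py and nothing else. The same scan wired into a pre-commit hook (over the staged files instead of SAMPLE_REPO) would have blocked the commit that caused this breach; the lesson is that secrets belong in an environment variable or a secrets manager, and that the check has to run before the push, not after.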
CASE 3
What was it all about?
In February 2016, attackers fraudulently issued instructions via the SWIFT (Society for Worldwide
Interbank Financial Telecommunication) network to transfer about US$951 million from the
account of Bangladesh Bank (the central bank of Bangladesh) at the Federal Reserve Bank of
New York.
Thirty-five payment instructions were issued; five of them, worth a total of $101 million, were
executed.
How was the attack carried out?
The attackers first compromised Bangladesh Bank's internal network. Over several weeks they
observed how SWIFT transfers were made and obtained the bank's operator credentials for payment
transfers. Using these credentials they issued about thirty-five requests to the Federal Reserve
Bank of New York to transfer funds from the Bangladesh Bank account to accounts in Sri Lanka and
the Philippines. Custom malware installed on the bank's SWIFT terminal also suppressed the printed
confirmations of the transfers, which delayed discovery.
Early reports linked the intrusion to Dridex, a banking trojan that is typically delivered through
malicious Microsoft Word macros and steals online banking credentials.
What was its impact?
Of the thirty-five transfer requests, five were executed: $20 million went to Sri Lanka and
$81 million to the Philippines. The Sri Lankan transfer was later reversed after a spelling error in
the beneficiary's name raised suspicion, but most of the $81 million was laundered through
Philippine casinos and was never recovered
At the request of Bangladesh Bank, the Federal Reserve Bank of New York blocked the remaining
thirty transactions, amounting to about $850 million
CASE 4
What was it all about?
The Indian debit card breach came to light in October 2016.
An estimated 3.2 million debit cards were compromised. Major Indian banks including SBI, HDFC,
ICICI, YES Bank and Axis Bank were among the worst hit.
How was the attack carried out?
Reportedly, the breach was not the result of a direct attack on the banks. Instead, malware had
been placed in the ATM and payment-switch infrastructure of Hitachi Payment Services, a vendor
that processes transactions from ATMs and online payment gateways on behalf of several banks,
allowing the details of cards used on those systems to be captured.
What was its impact?
Customers complained of unauthorized debits on their accounts, some of them made from abroad
The breach resulted in one of the biggest card replacement drives in India's banking history:
SBI alone announced the blocking and replacement of almost 600,000 debit cards
GENERIC CONCLUSION ABOUT ATTACKS
These examples show that cyber attacks are not limited to the IT sector. Every organization that
relies on IT to pursue its mission, whether in education, government, the military, healthcare,
retail or elsewhere, needs to protect itself from such attacks.
Cyber attacks have become so common that even a minor flaw in a system can cost a great deal,
as some of the attacks discussed above show.
Attackers look keenly for vulnerabilities in an organization or in any information system.
Carelessness on the part of employees or the organization is one of the main reasons a system
becomes vulnerable.
Financial gain is one of the main motives behind these attacks, but it is not the only one. Some
attacks are carried out simply to cause chaos within an organization, and in some cases attackers
break into systems purely for the intellectual challenge.
The number of attacks is increasing day by day. Let us see the impact of such attacks.
IMPACT OF CYBER ATTACKS
Once an organization is attacked, it is affected in multiple ways. The following are the commonly
seen impacts on a business after a cyber attack.
Organization name hits the headlines: As news of the breach makes the headlines, the
organization's reputation suffers and its market value goes down
Loss in business: Business is lost through the loss of customers, damage to reputation and brand,
disclosure of trade secrets, strategies and plans, and so on
Legal penalties: The leaked data may contain the personal data of customers who placed their trust
in the organization. Those customers may file lawsuits for breach of privacy, and regulators may
impose fines
Regular functioning crippled: A cyber attack can disrupt normal operations, for instance email
systems going down, automated payroll processing going down, network outages and so on
Defamation: Leaks of confidential emails, internal communications and the like may defame an
organization or a person
Hence it is very important to ensure the security of assets, information, people and so on. Let us
understand the basics of cyber security.
WHY CYBER SECURITY
Cyber attacks are a serious threat to the global economy as well as to our personal data.
In 2015 the computer security company Veracode reported that defending UK businesses against
cyber attacks and repairing the damage done by hackers costs businesses £34 billion per year.
There are two important things that need to be protected:
1. Information: customer data, source code, design documents, financial reports, employee
records, intellectual property, etc.
2. Information systems: computers, networks, cables, etc.
A good cyber security approach plays a vital role in minimizing and controlling damage, and in
recovering from a cyber breach and its consequences.
WHAT IS CYBER SECURITY
Cyber security is the set of techniques used to protect systems, networks and applications from
attacks, damage or unauthorized access originating from the internet.
These attacks are usually aimed at accessing, changing or destroying sensitive information,
extorting money from users, or interrupting normal business processes.
With more connected devices than people in the world, implementing effective cyber security
measures is a real challenge today.
According to Forbes, spending on IT security solutions is expected to reach around $170 billion by
the year 2020.
CATEGORIES OF ATTACK
An IT company, SSV Limited, manages a banking application for one of its leading clients, ZSC
Bank. Sensitive data such as fingerprints, account numbers, passwords, login IDs and phone
numbers of ZSC Bank's customers is stored in a database server managed by the company's
database team. The company's application team handles the user interface; input from users is
taken through HTML forms.
A malicious hacker, helped by an insider (a bank teller), attacked ZSC Bank's website and demanded
a ransom, threatening to expose the stolen data if it was not paid, which would compromise the
confidentiality of that data.
The bank also started receiving the following complaints from customers:
Unauthorized fund transactions taking place in their accounts
Non-delivery of messages for transactions and the usual bank updates
The bank immediately reported the issue to its vendor, SSV Limited.
The table below details the SSV team's analysis of the attack.
Incident: The hacker got access to the bank's database server, which resulted in a leak of
sensitive information about its customers
  A generalized view: Personal data leak
  Category of attack: Information disclosure

Incident: The hacker updated the phone numbers of a few customers
  A generalized view: Unauthorized alteration of personal data
  Category of attack: Tampering

Incident: The hacker then flooded the website with fake traffic, bringing the application and
the database server down. Neither the customers nor the application team could access the
website
  A generalized view: Website made unavailable for legitimate users
  Category of attack: Denial of service

Incident: The default password of a default user account (created during server installation)
was never changed, allowing the hacker to log in to the database as this user
  A generalized view: Attacker pretends to be an authentic user (impersonation)
  Category of attack: Spoofing

Incident: Before the phone numbers were updated, the privileges of the default user account
were not verified
  A generalized view: A user performs an action due to excess privilege
  Category of attack: Elevation of privilege

Incident: The insider (bank teller) executes some unauthorized fund transfers and later denies
making them
  A generalized view: The bank needs to verify whether the bank teller is falsely denying the
action (repudiation)
  Category of attack: Repudiation
These attacks violate basic Objectives and Services of Cyber Security.
CYBER SECURITY OBJECTIVES AND SERVICES
The table below maps each attack category from the scenario to the security objective or service
that it violated.
Incident: The hacker got access to the bank's database server, which resulted in a leak of
sensitive information about its customers
  A generalized view: Personal data leak
  Category of attack: Information disclosure
  Objective or service violated: Confidentiality

Incident: The hacker updated the phone numbers of a few customers
  A generalized view: Unauthorized alteration of personal data
  Category of attack: Tampering
  Objective or service violated: Integrity

Incident: The hacker then flooded the website with fake traffic, bringing the application and
the database server down. Neither the customers nor the application team could access the
website
  A generalized view: Website made unavailable for legitimate users
  Category of attack: Denial of service
  Objective or service violated: Availability

Incident: The default password of a default user account (created during server installation)
was never changed, allowing the hacker to log in to the database as this user
  A generalized view: Attacker pretends to be an authentic user (impersonation)
  Category of attack: Spoofing
  Objective or service violated: Authentication

Incident: Before the phone numbers were updated, the privileges of the default user account
were not verified
  A generalized view: A user performs an action due to excess privilege
  Category of attack: Elevation of privilege
  Objective or service violated: Authorization

Incident: The insider (bank teller) executes some unauthorized fund transfers and later denies
making them
  A generalized view: The bank needs to verify whether the bank teller is falsely denying the
action (repudiation)
  Category of attack: Repudiation
  Objective or service violated: Accounting
Each of these attacks violates a specific desired property of security. These properties are termed
security objectives. Security objectives are also known as security goals, or as the characteristics
of information and information systems.
The three standard pillars (security objectives) of cyber security are:
1. Confidentiality
Ensures that data remains private and is not viewed by unauthorized people through any means
2. Integrity
Ensures that data is protected from accidental or deliberate modification
3. Availability
Ensures timely and reliable access to information and its use
These three principles are together called the CIA (Confidentiality, Integrity and Availability)
triad. The same idea is sometimes expressed in terms of what must be prevented: the DAD
(Disclosure, Alteration and Denial) triad.
Three further concepts in information security support these pillars. They are known as the AAA
(Authentication, Authorization and Accounting) services.
1. Authentication
Authentication is verifying an identity: confirming that a user or system is who it claims to be
2. Authorization
Authorization is determining whether a particular (authenticated) user is allowed to access a
particular resource or perform a particular function
3. Accounting
Accounting has two components: auditing and non-repudiation
o Auditing is recording a log of the activities of a user in a system
o Non-repudiation is the ability to prove, from such records, that a user performed an action,
so that the user cannot later deny it. Reviewing the logs for violations and holding users
answerable for their actions is the accounting process
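The ZSC Bank scenario turns on three missing checks: nobody verified who was changing a phone number (authentication), nobody verified whether that account was permitted to (authorization), and the teller's actions could be denied because no trustworthy record of them existed (accounting). The following Python code is an added example written for this course material, not code from the page or from any real bank; the class, role and customer names are assumptions. It shows the phone-number update written once with no checks, as in the incident, and once enforcing all three AAA services with an audit log that records actor, target, time, outcome and before/after values, so a later denial can be checked against the record.

```python
"""Added example: the ZSC Bank phone-number update without checks (the flaw
in the scenario) and with authentication, authorization and accounting
enforced. Session, roles, customer IDs and phone numbers are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Session:
    user_id: str          # identity established at login (authentication)
    roles: frozenset      # e.g. {"customer"} or {"teller"}; empty for an unassigned account


@dataclass
class Bank:
    phones: Dict[str, str]                             # customer_id -> phone number
    audit_log: List[dict] = field(default_factory=list)

    # Vulnerable version: trusts whoever is connected to the database. This is how
    # a default DB account with an unchanged password could alter customer data.
    def update_phone_unchecked(self, customer_id: str, new_phone: str) -> None:
        self.phones[customer_id] = new_phone           # no authN, no authZ, no record

    # Hardened version: every outcome, allowed or denied, is recorded.
    def update_phone(self, session: Optional[Session], customer_id: str, new_phone: str) -> bool:
        # Authentication: no verified identity, no action.
        if session is None:
            self._audit(None, "update_phone", customer_id, "denied:unauthenticated")
            return False
        # Authorization: a customer may change only their own number; a teller may
        # change any customer's number; an account with no business role is refused.
        allowed = (
            (customer_id == session.user_id and "customer" in session.roles)
            or "teller" in session.roles
        )
        if not allowed:
            self._audit(session.user_id, "update_phone", customer_id, "denied:unauthorized")
            return False
        old = self.phones.get(customer_id)
        self.phones[customer_id] = new_phone
        # Accounting: who did what, to which record, when, with before/after values,
        # so that "I never changed it" can be checked against the log.
        self._audit(session.user_id, "update_phone", customer_id, f"ok:{old}->{new_phone}")
        return True

    def _audit(self, actor: Optional[str], action: str, target: str, outcome: str) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target, "outcome": outcome,
        })

    def actions_by(self, actor: str) -> List[dict]:
        """Review the log for one actor: the accounting step in AAA."""
        return [e for e in self.audit_log if e["actor"] == actor]


def demo() -> Bank:
    """Run the scenario's cases against the hardened function and return the bank."""
    bank = Bank(phones={"C1001": "+91-9000000001", "C1002": "+91-9000000002"})
    cust = Session("C1001", frozenset({"customer"}))
    teller = Session("T42", frozenset({"teller"}))
    default_db = Session("sa", frozenset())             # default account, no business role
    bank.update_phone(cust, "C1001", "+91-9111111111")          # own record: allowed
    bank.update_phone(cust, "C1002", "+91-9222222222")          # another customer: denied
    bank.update_phone(default_db, "C1002", "+91-9333333333")    # no role: denied
    bank.update_phone(None, "C1002", "+91-9444444444")          # unauthenticated: denied
    bank.update_phone(teller, "C1002", "+91-9555555555")        # teller: allowed and logged
    return bank


if __name__ == "__main__":
    b = demo()
    for entry in b.audit_log:
        print(entry)
    print("Actions by teller T42:", b.actions_by("T42"))
```

The audit entries for the denied attempts are as valuable as those for the successful ones: a burst of "denied:unauthorized" entries from the default account is exactly the signal that would have revealed the spoofing and privilege-escalation steps in the scenario before the tampering succeeded.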
Having learnt about the objectives and services of Cyber Security, let us get familiar with other
commonly referred Terms of Cyber Security.
OTHER TERMS OF CYBER SECURITY
Apart from the CIA Objectives and the AAA services, you must also be aware of
some frequently referred terms in Cyber Security space.
Asset
Vulnerability
Exploit
Threat
Threat Agent
Risk
Attack Vectors
Control
Asset
An asset is anything that has value to an organization or person, including computing devices,
information technology (IT) systems, IT networks, IT circuits, software (both installed instances
and physical media), virtual computing platforms (common in cloud and virtualized computing),
and related hardware (e.g. locks, cabinets, keyboards).
Information asset
Information or data that has economic value to the organization is termed an information asset.
It has the following features:
It is part of the organization's identity
It may be highly confidential (top secret)
It may include
o Information about people and procedures
o Software or hardware details
o Networking elements
E.g. confidential emails, identity information, system data, bank transactions and the newly
developed design schema of a project are a few examples of an organization's information assets.
Vulnerability
A flaw or weakness in system security procedures, design, implementation or internal controls
that could result in a security breach is termed a vulnerability.
E.g. software bugs, ineffective controls, hardware flaws, human errors
Exploit
An exploit is a piece of software or a sequence of commands that takes advantage of a
vulnerability to cause unintended or unanticipated behaviour in computer software or hardware.
E.g. a worm that spreads through an unpatched network service (as WannaCry did with
EternalBlue), a virus or other malware that abuses a software flaw, or a bot flooding a server
with requests
Threat
A threat is any potential danger associated with the exploitation of a vulnerability; it is an
undesirable event that can happen to an asset.
E.g. An organization running the Windows operating system was targeted and its data was
encrypted and held until a ransom of $300 was paid to the attackers' account to unlock it. The
threat here is the loss of access to (and possibly the permanent loss of) the data.
Threat agent
A threat agent is an individual or group that can cause a threat.
It is important to identify who might want to attack the company's assets and what they are able
to do (capabilities), what they hope to achieve against the company (intentions), and what they
have done before (past activities).
Threat agent = Capabilities + Intentions + Past activities
E.g. The threat agent in the above example is the attacker who deployed the ransomware.
Risk
Risk is a function of the likelihood of a given threat agent exploiting a particular vulnerability and
the resulting impact of that adverse event on the organization.
Risk = Likelihood * Impact
Likelihood is the probability that the threat occurs.
Impact is the magnitude of harm the threat could cause. The impact can be a business impact or
a technical impact.
Need for risk to be calculated
Risk needs to be calculated to estimate the impact (monetary, technical or reputational) that the
organization would suffer if a vulnerability were exploited by a threat agent. Moreover, some
industry standards and government regulations mandate risk assessment. By calculating the risk
for every application, an organization can prioritize which applications need more, or more
immediate, attention for security improvements.
Attack vector aka paths
Attackers can potentially find many different paths through an application to harm the business.
Each of these paths represents a risk that may or may not be serious enough to warrant attention.
Some paths are trivial to find and exploit; others are extremely difficult. Similarly, the harm
caused may range from no consequence at all to a very serious one.
Controls
A control is a mitigation that protects an asset from a risk.
E.g. Organizations would not have fallen to WannaCry if the Microsoft patch released in March
2017 had been applied to their Windows systems before the May 2017 outbreak.
In today's digital era most communication is over the internet: critical transactions such as
money transfers and online shopping (web transactions), and communication between devices such
as phones, fridges, cars, elevators and air conditioners (the Internet of Things).
Cyber security is a basic need in every such communication or transaction, because the internet
can equally be used to spread viruses and malware, and personal data and identities can be stolen
in transit. Knowledge of the CIA and AAA principles, and testing against them, is very important
while designing, coding and testing applications.
MYTHS AROUND CYBER SECURITY
There are many myths commonly associated with cyber security that are very different from the
facts.
Myth 1: “Digital and physical security are separate systems”
Reality: The world is moving towards automation and artificial intelligence. Most physical security
devices, such as biometric systems, CCTV cameras and smart watches, are connected to networks
and controlled digitally. Attackers can therefore reach physical infrastructure through digital
means and cause catastrophic damage to physical resources.
Myth 2: “Cyber security is just an IT issue”
Reality: Once data is digitized it has to be protected wherever it is, whether in the data centre or
on an employee's mobile phone, and that involves every part of the business, not just IT.
Myth 3: “Protecting yourself is good enough.”
Reality: Organizations must keep an eye on everything and everyone. Third parties, from
subcontractors and subsidiaries to vendors and accounting firms, can be a threat vector.
Myth 4: “Going back to paper minimizes risk.”
Reality: One cannot tell whether paper copies of data have been unlawfully copied or removed;
access to digital records can at least be logged and monitored.
Myth 5: “Using antivirus software is enough.”
Reality: Attackers have found many ways to evade antivirus software and hide their activity on a
system, remaining undetected in many cases for an average of six months. With the advent of
ransomware, the time from infection to damage has become almost instantaneous, leaving no
window for detection after the fact.
Myth 6: “We have a firewall. We’re in good shape.”
Reality: A firewall allows expected traffic in and blocks everything else, using access control lists
(ACLs). However, most cyber security assessments show that the greatest threats are associated
with the behaviour of authorized users of the systems already inside the firewall.
WHAT NEEDS TO BE SECURED
As we know by now, cyber security is not just about installing the latest antivirus or having a
strong firewall; it is about ensuring that every aspect of the organization is well secured.
Any IT organization comprises the following security layers.
Information security is about protecting the information that is valuable to the organization, in all
its forms: electronic, printed, handwritten, verbal and so on. It applies to every aspect of
safeguarding data, in whatever form, within the organization
o E.g. protecting intellectual property, trade secrets, email communications, employees'
medical details such as blood group, etc. from being leaked or tampered with
Network security is about ensuring the availability of networks and the confidentiality and
integrity of data flowing within them. The organization's network is a trusted zone; traffic
entering the intranet (trusted zone) from the internet (untrusted zone) must be carefully
scrutinized, and there should be mechanisms to prevent malicious traffic from entering the
network
o E.g. use of a firewall to control all inbound and outbound traffic on the network
Host security is about taking specific measures to protect the host (its operating system) from
viruses, worms, malware and remote intrusion. OS security covers the preventive controls that
safeguard computer assets against being stolen, altered or deleted
o E.g. installation of antivirus software and timely patching
Application security is about ensuring that web applications are developed following secure
design and coding guidelines. It involves preventing security bugs and flaws in any application
o E.g. building applications that block injection attacks, etc.
Human (people) security is about creating and leveraging awareness among employees so that
they are cautious about sharing sensitive information, downloading attachments from untrusted
sources, and handling the organization's resources according to policy
o E.g. protecting the organization from phishing emails sent to employees by raising
awareness, etc.
Information security covers every aspect of an organization's security, including people. Cyber
security, on the other hand, is about securing digital assets against threats originating from the
internet; hence host, network and application security come under the purview of cyber security.
One can therefore envision cyber security as a subset of information security.
The table below shows, for each layer, who or what makes up the layer, the risks involved and the
controls suggested.

Layer: People
  Who/what makes this layer: Users (employees, customers, contractors), developers,
administrators, helpdesk
  Risks: Social engineering, spear phishing, unnecessary access
  Controls: Awareness, education, training, identity governance

Layer: Application
  Who/what makes this layer: Web applications (internal and public), software components
(frameworks, libraries), databases
  Risks: OWASP Top 10, SANS Top 25 Most Dangerous Software Errors
  Controls: Threat modeling, secure coding, secure testing (vulnerability assessment)

Layer: Infrastructure (Network, Hosts, Information)
  Who/what makes this layer: Desktops, laptops, system software (operating systems), mobiles
  Risks: Theft, malware (virus, ransomware, worm, Trojan horse), intrusion, data leak, denial of
service, sabotage, man-in-the-middle attack, spoofing
  Controls: Antivirus, intrusion detection system, firewall, SIEM, endpoint security, data leak
protection (DLP), encryption, digital signatures, digital certificates
The majority of cyber attacks target an organization's web applications rather than its network.
Attacking the network directly is harder because most organizations have a firewall that exposes
very little to the internet, whereas a web application must be reachable by the public by design.
Hence it is important to understand how to build secure web applications and how to fix the
vulnerabilities present in existing ones.
Note: In this course we will focus on web application security.
Let us understand what happens when web application security is not given a thought.