Network Security Threats to the E-Learner. Steven Furnell Network Research Group University of Plymouth United Kingdom. Overview. Introduction Threats facing e-learners What e-learners need to know Addressing the problems Conclusions. Introduction.
Network Security Threats to the E-Learner. Steven Furnell, Network Research Group, University of Plymouth, United Kingdom
Overview • Introduction • Threats facing e-learners • What e-learners need to know • Addressing the problems • Conclusions
Introduction • The Internet has always had a reputation for being unsafe • Increasing range of threats and scams that specifically target the end-user community • affects both domestic and workplace contexts • Users can represent attractive targets • lack of technical knowledge, and occasional gullibility, can make them vulnerable • attackers hunt the easy prey!
Introduction • Many threats not only affect online users, but specifically target them • Represents a clear concern • for users themselves, who do not wish to become victims • for institutions, if their users should unwittingly cause or facilitate a security breach • Important to ensure that users do not undermine the attempts to protect them
yoursystem@risk • Spam • Phishing • Denial of Service • Virus • Hacking • Identity Theft • Worms • Trojan Horses • Spyware
Spam • Junk email that is, at the least, an annoyance • Can also lead to other problems: • can cause embarrassment and offence as a result of their frequently dubious subject matter • users can waste time looking at it or be tricked into scams • Can easily receive several hundred kilobytes of spam per day • costly if downloading on a slow link and/or paying by the byte
Spam • Over 66% of email traffic in the last month (MessageLabs)
Spam examples • Many messages give themselves away as being unlikely to be legitimate simply from the titles: • Don't Buy Vi-gra • you can't beat our RX • She wants a better sex? All you need's here! • Put your property on the front page • St0ck Market Standout? • Horny pills - low price • I am really happy I got this nice thing on-line! • The Ultimate pharmacy • 仛弌夛偄偺婫愡両仛
Spam examples • Others, however, could be mistaken for something legitimate . . . • FYI • You computer are INFECTED • Urgent and confidential • Dear Sir • Re [5]: • Some users may still get suspicious because of unknown sender, but others may be fooled
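The two slides above separate spam whose titles give it away from spam that could pass as legitimate. The added example below (not part of the original presentation) runs a title-only heuristic over both lists of subjects quoted on the slides; the keyword list, the fuzzy-match cutoff and the assumption of an English-language mailbox are illustrative choices.

```python
import re
import unicodedata
from difflib import get_close_matches

# Illustrative keyword list (an assumption, not taken from the slides).
SPAM_TERMS = ["viagra", "rx", "pharmacy", "pills", "sex", "horny"]
LEET = str.maketrans("013457$@", "oieastsa")  # undo digit-for-letter swaps

# Subject lines quoted on the two "Spam examples" slides.
BLATANT = [
    "Don't Buy Vi-gra", "you can't beat our RX",
    "She wants a better sex? All you need's here!",
    "Put your property on the front page", "St0ck Market Standout?",
    "Horny pills - low price",
    "I am really happy I got this nice thing on-line!",
    "The Ultimate pharmacy", "仛弌夛偄偺婫愡両仛",
]
PLAUSIBLE = ["FYI", "You computer are INFECTED", "Urgent and confidential",
             "Dear Sir", "Re [5]:"]

def normalise(word):
    """Lower-case, reverse leetspeak, drop punctuation used to split words."""
    return re.sub(r"[^a-z]", "", word.lower().translate(LEET))

def subject_signals(subject):
    """Return the title-only warning signs present in one subject line."""
    signals = set()
    for raw in subject.split():
        # A digit wedged between letters ("St0ck") is a filter-evasion tell.
        if re.search(r"[A-Za-z][0-9][A-Za-z]", raw):
            signals.add("obfuscated-word")
        # Fuzzy match catches deliberately misspelt terms ("Vi-gra").
        if get_close_matches(normalise(raw), SPAM_TERMS, n=1, cutoff=0.85):
            signals.add("spam-term")
    # Letters from a script this (assumed English-language) mailbox never sees.
    if any(unicodedata.category(ch) == "Lo" for ch in subject):
        signals.add("unexpected-script")
    return signals

def flagged(subjects):
    """Subjects that show at least one warning sign."""
    return [s for s in subjects if subject_signals(s)]

if __name__ == "__main__":
    for s in BLATANT + PLAUSIBLE:
        print(f"{', '.join(sorted(subject_signals(s))) or '-':32} {s}")
```

The heuristic flags seven of the nine blatant titles and none of the five plausible ones, so title checks alone do not cover the second slide's cases; sender and context checks are still needed.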
Bogus Qualifications • Trust in the e-learning provider is vital for both e-learners and prospective employers • Bogus qualifications can already be obtained via the Internet • may lead to suspicion and adverse publicity • undermine the credibility of legitimate e-learning courses / providers • Consider the following, received via email . . .
Phishing • Another threat typically initiated via email • Attempts to dupe users into divulging sensitive information • Current attacks have tended to target personal data relating to the user • e.g. bank account and credit card details • However, similar techniques could target information to compromise an institution • e.g. passwords and institutional details
Going phishing . . . and a bogus website • 55,643 new sites in April 2007 • 11,121 in April 2006 (Anti-Phishing Working Group)
Spyware • Parasitic software that invades users’ privacy • Can divulge details of browsing habits and other sensitive details from target system • captured information can be transmitted to a 3rd party • puts both personal and corporate data at risk of abuse • One of the most prominent threats in recent years • 6 out of 10 home PCs are infected (AOL/NCSA 2005)
Spyware • One of the most prominent threats in recent years • Market for anti-spyware products predicted to grow from $12M in 2003 to $305M by 2008 (source: IDC)
Malware • Viruses, worms and Trojan horses • Over 231,540 known strains • over 8,830 in Mar 2007 • Commonly targets end-users • bogus email attachments • infected web pages • peer-to-peer file sharing • Once run, the malware may then target the user in other ways • e.g. stealing their data or hijacking their system
Malware Evolution • Many early viruses were more of a nuisance than actually harmful • The Ambulance virus (1990)
Less reliance upon users • Early 1990s: Relied upon people to exchange disks between systems, to spread boot sector and file viruses • Mid 1990s: A move towards macro viruses, which enabled the malware to be embedded in files that users were more likely to exchange with each other • Late 1990s: The appearance of automated mass mailing functionality, removing the reliance upon users to manually send infected files • Today: Avoiding the need to dupe the user into opening an infected email attachment, by exploiting vulnerabilities that enable infection without user intervention
Chances of avoiding malware • 1 in 790 messages infected • 1 in 68 messages infected
Slammer / Sapphire Worm • Fastest spreading worm • Exploited a known vulnerability in the software (patch already released by Microsoft in July 2002) • Not destructive – its only aim was to spread • Infected systems doubled every 8.5 seconds • 90% of vulnerable systems got infected in just 10 minutes
The Spread of a Worm: Sapphire / Slammer 2003 • 25 Jan 2003 - 05:29:00 / 0 victims
The Spread of a Worm: 31 Minutes Later • 25 Jan 2003 - 06:00:00 / 74,855 victims
Slammer: The end result • Ultimately infected over 120,000 systems • Volume of Slammer traffic affected many people: • Brought down the entire telecommunications service in South Korea • Disrupted over 13,000 Bank of America cash machines • degraded performance by up to 30% in the Asia-Pacific region and by 10% in the US • Disruptive effects estimated to have cost up to $1.2bn
Hacking • Hackers may target an end-user system for various reasons: • a soft option for some mischief • a convenient file repository • a platform for attacking other systems • Users can also be targeted as sources of sensitive information • social engineering
Hacking • Hackers may enter by many means • may use one of the other threats as an entry mechanism • e.g. phishing for a password, using malware to open a backdoor • May achieve unlimited control over the compromised system • exposing the user to a full range of confidentiality, integrity and availability impacts
Examples of what hackers do: Website Defacement – December 1996 • One of 20 defacements recorded that year
Examples of what hackers do: Website Defacement – June 2003 • One of 1000s of defacements recorded that month
Impacts and ease of avoidance • The threats are not of equal magnitude • differing potential to trouble end-users • Likelihood of avoiding the impact is often different to avoiding the threat • e.g. Spam • extremely prevalent but generally easy to prevent it becoming a real problem to users • avoiding the impact will be related to security safeguards and user awareness
Impacts and ease of avoidance [Chart: impact avoidance (Easy, Med, Hard) against potential impact (- to +). Hard: Hacking, Malware. Med: Spyware, Phishing. Easy: Spam.]
Impacts and ease of avoidance • Spyware • Easier to avoid than malware • often installed from an explicit user action (e.g. installing free software of dubious origin) • Often harder to eradicate once installed • Malware • Harder to avoid – more attack vectors • Greater range of potential impacts
What e-learners need to know • Why the threats might affect them, and what the impacts could be • Possible contexts in which each threat can be encountered • Capabilities of any technological safeguards in use (i.e. the level of protection provided)
Understanding the threat • Need to appreciate how a threat could harm them • what could spyware determine from their activities? • what could malware damage or steal? • Also need to appreciate why they would be targeted • may otherwise assume that there is no reason for it to happen (e.g. little to offer compared to bigger targets) • Choice of target depends upon the attacker’s motives • a vulnerable end-user system may be much more convenient than a hardened corporate server • e.g. many botnet participants are compromised user systems
Understanding the attack vectors • Email is still the main (visible) route • BUT other avenues are also vulnerable and getting used • e.g. Instant Messaging is now a viable option for both malware infection and phishing attempts • however, without advice to the contrary, users may feel they are safe as long as they are not using email • Threats are becoming more complex in terms of the tricks they use to dupe users • heightens the need for awareness amongst the possible victims
Understanding the protection • Users are presented with a potentially confusing array of technologies • anti-virus, anti-spyware, anti-spam, personal firewall, etc. • Need to understand how they relate to the threats • In some cases, aspects are clear from the names, but not always . . .
Understanding the protection • Malware protection is provided by software conventionally referred to as anti-virus • Some users may wonder if additional software is needed for worms and Trojan horses • Others may over-estimate protection and assume that AV will handle all malicious code, such as spyware
Understanding the protection • The name of the technology does not always indicate the threats it deals with • Users’ own perception may be inaccurate • A firewall “blocks suspicious Internet traffic” • But it doesn’t block spam or phishing messages, which most users would consider suspicious
What we need to protect us . . . • Anti-Spam • Anti-Phishing • Intrusion Detection • Anti-virus • Passwords • Anti-Spyware • Personal Firewall • Auto Updates • Backup
Use security technologies • Essential to deploy and maintain appropriate protection on end-user systems • Potentially troublesome for domestic users • knowing what it is supposed to do • problems configuring and using it • Users must feel like the beneficiaries of the technologies rather than the victims • explain and train
Increase awareness • Problems relating to users’ understanding can be addressed via awareness-raising • Potential unwillingness to devote resources • e.g. impacts of phishing affect the individual rather than the institution • However, any security awareness is good • making users more threat-aware could increase their caution in other contexts • Some threats are harder to educate against • malware cannot be defeated by awareness alone . . . • . . . but a clear understanding of infection vectors can still help
Evidencing the problem • Presenting specific evidence can help to persuade and convince • Security administrators could assess users’ reactions to the threats: • would they freely reply to an email that requests sensitive information? • would they open unsolicited email attachments from an unknown source? • Preferable to find out under controlled conditions than via a genuine breach • Findings could be presented back to the users
Conclusions • E-learners can clearly find themselves on the receiving end of a number of targeted threats • New threats are likely to emerge in the future, alongside new end-user Internet services • No single solution • appropriate technologies and suitable awareness initiatives are required • combined approaches will help to prevent users from being such easy prey
Prof. Steven Furnell • sfurnell@plymouth.ac.uk • Network Research Group • www.network-research-group.org