channel. ✦ While I’m introducing myself and this talk… ✦ … scribble down words, phrases, etc. that have tripped you up when you’ve read or listened to something infosec-related. ✦ Even if you looked it up and now understand it—write it down! ✦ With luck, I’ll have anticipated at least some of these. If not… we have a starter for Q&A! ✦ THERE IS NO SUCH THING AS A WRONG OR SILLY WORD/PHRASE. This is 101-space.
preservationist, privacy researcher, and speaker. ✦ I teach a broad selection of technology- and ethics-related courses to undergraduates and graduate students. ✦ You can find out more at https://dsalo.info/teaching and https://speakerdeck.com/dsalo (contains both conference talks and class decks—conference talks have pretty slides; class decks don’t). ✦ I’m very, very, very, VERY new to infosec. ✦ I got there through the standard librarian’s interest in privacy, AND through digital preservation’s use of digital forensics techniques. ✦ (And yes, I will define “digital forensics” for you shortly!)
that isn’t broadly understood outside that community ✦ Could be a professional community (as with infosec, or for that matter librarianship), also called a “community of practice” ✦ Could be a community of choice, such as a hobby community ✦ Jargon is not bad! ✦ Can speed up communication, make it more precise ✦ … But jargon can be a barrier to those new to the community. ✦ (Sometimes, it must be said, intentionally.)
about it is how militaristic some of it is. Ugh. ✦ I won’t even be able to get through what jargon I know (as a relative n00b) today. ✦ I’ll get as far as I can in 20-25 minutes, then post my slides to my Speakerdeck. ✦ https://speakerdeck.com/dsalo ✦ And I’ll be around all day on IntroSecCon Discord (@Dorothea) and Twitter (@LibSkrat). ✦ Feel free to ask me stuff, and it’s fine to DM, too.
you learn without getting stuck. ✦ Like any field, information security has developed a set of terminology that can be… non-obvious to outsiders. ✦ I’m an infosec outsider too! I definitely get frustrated by this. ✦ It’s usually not that the concepts are all that hard (though they can be). It’s that they refer to things or repurpose words in an unfamiliar way. ✦ Did I miss something? Please ask about it! ✦ I’m on the conference Discord, and I’m @LibSkrat on Twitter. @ me!
✦ Not the same as THREAT MODELING, which roughly means infosec risk assessment ✦ You could sit around and wait for your security systems to alert you something’s weird. ✦ If there’s a brand-new threat, though, or just an unfamiliar or especially-clever one, your systems won’t necessarily warn on it. ✦ Or you could actively go looking for weird stuff! That’s THREAT HUNTING. ✦ It’s sometimes done with machine-learning tools, particularly ones that look for users acting out-of-character for them on local systems (because it’s not the user; it’s an attacker who’s broken into the user’s account).
gathering trustworthy evidence related to a security incident (such as a breach or attack) ✦ ATTRIBUTION: = “whodunit?” for a security incident ✦ Several flavors: ✦ MEDIA FORENSICS: Gathering evidence from physical storage devices (hard drives, storage cards, flash drives, tapes, diskettes…) ✦ MEMORY FORENSICS: Gathering evidence from a device’s RAM or equivalent ✦ NETWORK FORENSICS: Network-traffic and network-log analysis ✦ MOBILE FORENSICS: … exactly what it sounds like ✦ CLOUD FORENSICS: HAHAHAHAHAHAHAHA okay, yeah, this is hard
doesn’t mean spooks. ✦ It’s shorthand for an infosec model suggesting how you know something is(n’t) secure. ✦ C: Confidentiality ✦ Do only the people who should have access actually have access? ✦ Data breach? Confidentiality FAIL. ✦ I: Integrity ✦ Is the information in the system unaltered from its intended state? ✦ Defaced website? Integrity FAIL. ✦ A: Availability ✦ Can the system do what it needs to do for those who need it? ✦ System down? Availability FAIL.
(for the record, SYSTEM in infosec may refer to “a technology system,” but more often it carries the broader meaning “a whole constellation of people, technology, design, and process.”) ✦ For a system of any real complexity, or any system that includes people, you… can’t. ✦ But you can at least stress-test systems and see if they hold up! ✦ That’s what PENETRATION TESTING (PENTESTING for short) is: a prearranged attempt to break into a system, aimed at testing best-practice compliance and locating weak spots before an attacker does
Red Team are the attackers trying to break into the system (REDTEAMER is near-synonymous with “pentester”) ✦ Redteamers may be the organization’s own security employees, but commonly they’re contractors. ✦ The Blue Team are the system’s defenders trying to keep the Red Team out ✦ These are almost always the organization’s own security folks. ✦ The Purple Team (uncommon): Red and Blue teams working together to strengthen a system
much as possible about the target system (including its people!) by searching online everywhere EXCEPT inside the actual target ✦ DuckDuckGo, yes, but also LinkedIn, social media, directories… ✦ A variety of “RECON[NAISSANCE],” the process of researching a target before attempting to break in ✦ GOOGLE DORKING: Using specialized web-search syntax to hunt potential ways in. ✦ Google Hacking Database: https://www.exploit-db.com/google-hacking-database
“how much does the pentester know about the system before the pentest starts?” ✦ White: everything. Black: nothing. Gray: some things, not everything ✦ PHYSICAL PENTESTING: Evaluating the security of a physical facility: gates, doors, locks, security systems, security procedures, PEOPLE… ✦ SOCIAL ENGINEERING: Conning people into making security errors. Common in both physical and network-based pentests; sometimes off-limits.
as an attack: ✦ Step 1: RECON[NAISSANCE] and preparation ✦ Step 2: SCANNING: locating as many devices and as much software on the target’s network and systems as possible ✦ Step 3: Attack! Er, I mean, do your best to access the target system(s). ✦ Step 4: MIGRATION: hopping from one device/system/network to another ✦ Step 5: PRIVILEGE ESCALATION: gaining additional power to do things on/to a system ✦ Meanwhile: PERSISTENCE: avoiding getting kicked off the system, and OBFUSCATION: hiding your presence from defenders ✦ Step 6: Get the LOOT: the goal of the pentest
every CTF is set up like a pentest, but many are. ✦ You try to accomplish certain pentesting-like goals in a system deliberately set up to make those goals achievable (though not necessarily easy).
code/hardware behavior ✦ VULNERABILITY: a bug that is a security problem for a given piece of software or hardware ✦ Bugs can be non-security-related. So all vulnerabilities are bugs, but not all bugs are vulnerabilities. ✦ PATCH: a programmed fix for a bug ✦ SECURITY PATCH: a programmed fix for one or more vulnerabilities ✦ EXPLOIT: A security attack that leverages a particular vulnerability ✦ ZERO-DAY [EXPLOIT]: An exploit that is so new there is no patch for the vulnerability it leverages; in fact, the Good Folks may not even know the vulnerability exists. Very dangerous!
do with negotiating or agreeing on anything! ✦ COMPROMISE (verb and noun): A successful attack on someone’s/something’s security ✦ “Eve compromised Alice’s email” = “Eve attacked Alice’s email account successfully [and read Alice’s email when she shouldn’t have].” ✦ “There are thousands of compromised systems” = “We know thousands of systems have been successfully attacked.” ✦ PWN (verb): To compromise someone/something ✦ PWNING (noun): A compromise. “What a terrible pwning!” ✦ Comes from gaming; to “own” someone is to thoroughly defeat them.
Often created to let the (supposed) Good Folks in while excluding Bad Folks ✦ TSA-compliant suitcase locks, the Clipper chip, etc. ✦ There is no such thing as a vulnerability that only Good People can use. Backdoors are bad security! Oppose them!
Spearphishing: Phishing a specific person (as opposed to mass-broadcast spam phishing) ✦ Catfishing: Phishing with romance as the hook ✦ Smishing: Phishing by text message/SMS ✦ BUSINESS EMAIL COMPROMISE (BEC): Usually, spearphishing someone who controls money ✦ Fake invoices, gift card requests from “the boss,” requests for confidential employee information—several exploitation modes here ✦ 419 SCAMS: “I have lots of money but need you to give me some!”
✦ [DATA] EXFILTRATION: Theft. Attacker made a copy of data that they shouldn’t have had access to. ✦ PII: Personally Identifiable Information. Your name, ID number (SSN, driver’s license number, student ID number, passport number, etc), race/ethnicity, gender, birth date—personal info about you, basically. ✦ PII tends to be more protected, legally, than other kinds of information about you (for example, your web-browsing habits). ✦ [WEB] SHELL: The ability to interact with a pwned machine and run commands on it. ✦ REMOTE CODE EXECUTION [BUG/VULNERABILITY]: A vulnerability that lets a (remote) attacker run their own software on the pwned machine. Very bad!
in a false crime report so that law enforcement responds in force to an innocent person’s home ✦ This has gotten innocent people KILLED, okay? DO NOT. ✦ [DISTRIBUTED] DENIAL-OF-SERVICE attack (DDoS): Bringing down a networked service with excess traffic
to mess with a system and/or its security ✦ There are LOTS of kinds of malware! Some characteristics often used to classify them: ✦ What they target: “Windows malware” “Android malware” “browser malware” ✦ How they spread and/or infect targets: virus/worm/Trojan ✦ What they do (often “-ware”): ransomware/adware/spyware ✦ While you’re new, I don’t think it makes sense to memorize all the different kinds of malware. ✦ That’s a “figure it out if/when you need to” kind of thing.
that encrypts your data and asks you to pay for the decryption key ✦ More recent ransomware strains also EXFILTRATE (steal) data. ✦ SPYWARE: malware that reports out somewhere on the activities performed on the device, without the device’s user(s) knowing ✦ KEYLOGGER: Spyware that sends every keystroke typed (including on a mobile’s “keyboard”) somewhere ✦ Malware that adds ENDPOINTS (devices) to botnets ✦ BOTNET: A group of devices, often huge, that has been compromised such that an external device (“COMMAND-AND-CONTROL [SERVER], C2, C&C”) can make the compromised devices do bad things (such as send spam, or try to overwhelm a website)
mystery novel ✦ More than that, really: also the what, to whom, how, and why. ✦ Unlike mystery novels, you may never know whodunit. ✦ If the attacker is good at obfuscation, they won’t leave enough clues for you to track the attack back to them. ✦ Many techniques exist to camouflage or fake the origin of an attack coming from the Internet. ✦ The actual person typing on the keyboard to attack you may be the least of it!
of buzzwords. ✦ Originally: targeted threats from well-resourced, well-trained actors—like, “entire countries.” ✦ The kind of threat where they just never stop—if one attack doesn’t work, they try another until something does. ✦ Some organized hacking/data-exfiltration groups, like Anonymous or Wikileaks, have been considered APTs. Also terrorists, corporations. ✦ Now: broadened to “threats too tough for ordinary prevention efforts to stop.” ✦ Expert obfuscators: can hide from detection systems, logs, etc. ✦ Leverage a small breach to compromise systems further, stay in longer ✦ Definitely not doing it “for the lulz:” have specific target(s), goal(s)
under a given security system’s purview ✦ Could be a phone, tablet, laptop, desktop, server, network switch or router, Internet of Things gadget… ✦ ENDPOINT VISIBILITY: can security folks diagnose what’s going on with/inside the endpoint? ✦ “We don’t have visibility into the endpoint’s storage” = “We can’t figure out what data/information is on this device [probably because it’s encrypted].” ✦ (The word “visibility” gets used with other systems too; same idea.)
to compromise you. ✦ A function of: ✦ How many different systems / software / platforms you’re using (more systems, more problems!) ✦ How exposed to the open Internet you and your systems are ✦ How sensible your (physical, digital/online, and human) security practices are ✦ Whether your systems / software / platforms are common attack targets ✦ Whether YOU are a particularly desirable or common attack target
defense against exploits originating from outside. ✦ DEFENSE IN DEPTH: Don’t just have a firewall! ✦ When you only have a firewall, if it gets pwned (or an attack comes from inside) you’re in bad trouble. Have more defenses! Such as… ✦ INTRUSION DETECTION/PREVENTION SYSTEMS (IDS, IPS): Pretty much what they sound like. ✦ An IDS tries to notice attempted exploits, based on rules for what they might look like. When it sees one, it raises an alarm for human beings to evaluate. ✦ An IPS goes one step further: when it sees an attempted exploit, it stops it. (Which can be a problem if the IPS is incorrect!)
that a given software program / system keeps about what happens on or to it. ✦ As you can imagine, a whole lot of logs pile up, and 999 out of 1000 lines in a log are innocuous. How do you find that 1000th line? ✦ Security information and event management (SIEM) system: one-stop log-analysis shopping ✦ Aggregates logs (IDS logs, IPS logs, regular system and network logs) ✦ Looks through them for anything suspicious ✦ Reports out
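As an added example (not from the talk or its slides), here is a toy SIEM in Python that shows what the IDS and SIEM bullets above describe, and the “user acting out-of-character” idea from the threat-hunting slide: it aggregates an IDS alert log and an SSH auth log into one time-ordered event stream, then runs two correlation rules that flag a login preceded by repeated failures and a login from an IP the IDS already alerted on. All log lines, usernames, IP addresses and the failure threshold are constructed for illustration.

```python
"""Toy SIEM: aggregate two log sources, normalise them, run correlation rules."""
import re
from collections import defaultdict

# Constructed sample lines (not real logs): one IDS alert plus an SSH auth log.
IDS_LOG = [
    "2024-05-01T09:15:02 alert sig=WEB_SCANNER_UA src=203.0.113.9 dst=10.0.0.5",
]
AUTH_LOG = [
    "2024-05-01T09:16:10 sshd Failed password for bob from 203.0.113.9",
    "2024-05-01T09:16:12 sshd Failed password for bob from 203.0.113.9",
    "2024-05-01T09:16:14 sshd Failed password for bob from 203.0.113.9",
    "2024-05-01T09:16:20 sshd Accepted password for bob from 203.0.113.9",
    "2024-05-01T09:30:00 sshd Accepted password for alice from 10.0.0.22",
]
IDS_RE = re.compile(r"^(\S+) alert sig=(\S+) src=(\S+)")
AUTH_RE = re.compile(r"^(\S+) sshd (Failed|Accepted) password for (\S+) from (\S+)")

def normalise(ids_lines, auth_lines):
    """Aggregation step: parse each source into one time-ordered event stream."""
    events = []
    for line in ids_lines:
        if m := IDS_RE.match(line):
            events.append({"ts": m[1], "kind": "ids_alert", "user": None, "ip": m[3]})
    for line in auth_lines:
        if m := AUTH_RE.match(line):
            kind = "login_ok" if m[2] == "Accepted" else "login_fail"
            events.append({"ts": m[1], "kind": kind, "user": m[3], "ip": m[4]})
    return sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text

def correlate(events, fail_threshold=3):
    """Detection step: rules that look across sources and time; returns findings."""
    findings = []
    fails = defaultdict(int)   # (user, ip) -> failed logins since last success
    flagged = set()            # source IPs the IDS has already alerted on
    for e in events:
        key = (e["user"], e["ip"])
        if e["kind"] == "ids_alert":
            flagged.add(e["ip"])
        elif e["kind"] == "login_fail":
            fails[key] += 1
        elif e["kind"] == "login_ok":
            if fails[key] >= fail_threshold:
                findings.append(f"{e['ts']} {fails[key]} failures then success: {key}")
            if e["ip"] in flagged:
                findings.append(f"{e['ts']} login from IDS-flagged IP: {key}")
            fails[key] = 0
    return findings
```

Calling `correlate(normalise(IDS_LOG, AUTH_LOG))` returns two findings, both about bob’s login from 203.0.113.9; alice’s ordinary login produces none, which is the “999 innocuous lines” case.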