Security / Level 2 / Correct answers

Scenario 1

The other day on the evening news you heard the presenter talking about a new Internet threat called ‘botnets’. Although the name sounds like something out of a science-fiction book, botnets are a serious problem for many users.

How can botnets affect you?

Answer:

Someone could take control of my computer and use it as part of a botnet.

Botnets are networks of malware-infected computers that a criminal controls remotely and uses for cyber-criminal activities, such as sending spam or launching attacks on other systems. Botnets also have implications for ordinary users: by using malware, criminals can attempt to take control of your devices (computer, mobile) and use them as part of a botnet, typically without you noticing.

More on botnets in this ENISA report:

https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/botnets/botnets-10-tough-questions.

Scenario 2

Cookies are small pieces of data that web sites store in the user’s browser. Online service providers use them widely to run their services: to capture user preferences (language, layout), to keep users logged in by storing session credentials, to identify users for shopping-cart purposes, and so on. Any web site can issue cookies, which are then stored on the user’s PC. Cookies have positive functions such as remembering preferences and settings and avoiding the need to identify yourself repeatedly.

However cookies also raise some security and privacy concerns, for example…

Answer:

The collection of private information as well as the risk that someone could impersonate me.

Cookies can raise the following security and privacy concerns:

  • Collection of private information: cookies let sites and advertisers record user preferences, visited sites and usage statistics, and build profiles from them.
  • Modified information: content such as search results can be tailored to the profile a cookie identifies, without the user being aware of it.
  • Impersonation of users: a cookie that holds a session credential is as good as a password, so an attacker who steals or copies it can log on to the victim’s accounts (e.g. banking, e-mail, etc.).
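The attributes a server sets on a cookie decide how exposed it is to the last two concerns. The script below is an added example, not code from the original page: it parses Set-Cookie headers and flags a session cookie that page scripts can read (no HttpOnly), that travels over plain HTTP (no Secure) or that is attached to cross-site requests (no SameSite), and a cookie explicitly marked for cross-site use (SameSite=None), which is how third-party tracking cookies work. The sample headers and the rule that a cookie named like “session” or “token” holds a credential are constructed assumptions.

```python
"""Audit Set-Cookie headers for the attributes that limit the risks listed
above. Added example, not from the original page; the sample headers and the
credential-name heuristic are constructed assumptions."""
import re

# Constructed Set-Cookie values, as a web server might send them.
SAMPLE_HEADERS = [
    "sessionid=8f3a9c2e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth_token=abc123; Path=/",                   # session credential, no protection
    "lang=en; Path=/; Max-Age=31536000",           # preference only
    "tracker=xyz; Domain=.ads.example; SameSite=None; Secure",
]

# Names that usually hold a session or login credential (assumption for this
# example; check your own site's cookie names instead).
CREDENTIAL_NAME = re.compile(r"sess|auth|token|login|sid", re.IGNORECASE)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure have no value; store True for them.
        attrs[key.strip().lower()] = val.strip().lower() or True
    return name.strip(), value, attrs


def audit(header):
    """Return the findings for one Set-Cookie header (empty list if none)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if CREDENTIAL_NAME.search(name):
        # A stolen session credential lets an attacker impersonate the user.
        if "httponly" not in attrs:
            findings.append("no HttpOnly: readable by scripts running in the page")
        if "secure" not in attrs:
            findings.append("no Secure: also sent over plain HTTP, e.g. on open Wi-Fi")
        if "samesite" not in attrs:
            findings.append("no SameSite: attached to requests made from other sites")
    if attrs.get("samesite") == "none":
        # Explicitly allowed in cross-site contexts: this is how a tracking
        # cookie follows a user across sites that embed the same third party.
        findings.append("SameSite=None: usable for cross-site tracking")
    return findings


def audit_all(headers):
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)[0]: audit(h) for h in headers}


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

The same check can be run against a real site by pasting the Set-Cookie lines from the browser’s developer tools into SAMPLE_HEADERS; a session cookie with all three findings is the one an attacker on the same open network, or a script injected into the page, would go after.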

Scenario 3

One of your friends has recently been the victim of a social engineering attack: someone stole the username and password she uses to access her work e-mail. The name ‘social engineering’ looks quite strange to you, as it puts together engineering with social issues.

What does social engineering mean in a security context?

Answer:

It is a form of social deception focussed on information gathering, fraud, or system access.

Social engineering is indeed a complex form of social deception through which the attacker manipulates a victim with malicious intent for information gathering, fraud, or system access.

Scenario 4

You consider yourself an ‘experienced’ user of mobile technologies. You have your own smartphone with which you navigate the Internet and use several apps to get updates for local services, weather, etc., and to find additional services, e.g., locating the best restaurant in the local area. Often you receive prompts for installing new apps on your device.

To ensure your device and data remain secure and safe, when you install a new app it is good practice to…

Answer:

Scrutinize permission requests when using or installing smartphone apps.

It is important to check what permissions an app requests when installing new software on a mobile device, e.g. a request to access sensitive data such as your contacts, location or messages, and to ask whether the app’s stated purpose justifies them. You should also consider that many pre-installed apps have access to personal and sensitive data.
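On Android the permissions an app asks for are declared in its manifest, so the scrutiny described above can be done before installing. The script below is an added example, not code from the original page: it lists the requested permissions, picks out those Android classes as “dangerous” (the ones that guard personal data and trigger a runtime prompt), and reports the ones that a reviewer’s own list of what the app plausibly needs does not cover. The manifest is a constructed one for a hypothetical weather app; the DANGEROUS set is a subset of the real Android permission names.

```python
"""List the permissions an Android app's manifest requests and single out
the ones Android classes as 'dangerous' (they guard personal data and need a
runtime prompt). Added example, not from the original page; the manifest is a
constructed one for a hypothetical weather app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed AndroidManifest.xml for a hypothetical weather app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Weather"/>
</manifest>
"""

# A subset of Android permissions with protection level 'dangerous'.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def requested_permissions(manifest_xml):
    """All <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def dangerous_permissions(manifest_xml):
    """The requested permissions that need a runtime prompt, sorted."""
    return sorted(p for p in requested_permissions(manifest_xml) if p in DANGEROUS)


def unjustified(manifest_xml, justified):
    """Dangerous permissions not in the reviewer's own list of what the app's
    stated purpose needs; these are the ones to question before installing."""
    return [p for p in dangerous_permissions(manifest_xml) if p not in justified]


if __name__ == "__main__":
    # A weather app plausibly needs coarse location; contacts and the
    # microphone have nothing to do with the weather.
    needs = {"android.permission.ACCESS_COARSE_LOCATION"}
    print("requested:", requested_permissions(SAMPLE_MANIFEST))
    print("question before installing:", unjustified(SAMPLE_MANIFEST, needs))
```

The justified list is deliberately the reviewer’s input rather than something derived from the manifest: the app cannot be trusted to explain why it needs your contacts, so the question “what does a weather app need?” has to be answered from outside.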

Scenario 5

When you travel for work you often need to use open Wi-Fi networks, e.g. at train stations or coffee shops. However, you are aware that there might be dangers with such open networks.

In order to protect your communication over these public networks you always…

Answer:

Use a Virtual Private Network or VPN. 

A Virtual Private Network (VPN) extends the protection of a private network over a public network: it is like a private tunnel that ensures the security and privacy of your communication from one end to the other. On an open Wi-Fi network this stops other users of the same network from reading or altering your traffic. Bear in mind that the tunnel ends at the VPN gateway: from there to the web site you are visiting, your traffic is protected only if the site itself uses HTTPS, so a VPN complements encrypted web sites rather than replacing them.

Scenario 6

The other day you were watching the news and you heard a journalist talking about a new type of cyber-threat. Essentially, criminals seem to be able to use malicious software to restrict access to users’ computer systems or personal files. The criminals then demand a payment in order for the restriction to be removed.

What is the name of this new emerging threat?

Answer:

Ransomware.

Ransomware is a family of malicious software used by attackers to restrict access to computer systems or data. For instance, ransomware can make a user’s files inaccessible by encrypting them. The attackers then demand a “ransom” to be paid before the files are opened up again (decrypted). Regular backups kept offline, where the malware cannot reach them, are the most reliable way to recover without paying.

For more information about the prevalence and threat level of ransomware (and other threats), you can consult the ENISA Threat Landscape Report, available here: https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014

Scenario 7

Reputation is the aggregated opinion that people in general have about someone or something, based on past behaviour. Online reputation systems make it possible to use reputation online. Internet users may join these systems to gain trust in the individuals they interact with online, for example a seller on an e-commerce website. Online marketplaces are the most common application of reputation systems, for instance the Amazon 5-star rating system. Reputation systems may be the target of attacks by malicious entities seeking to exploit trust relationships.

Which of the following is a common attack to online reputation systems?

Answer:

Sybil Attack.

In a Sybil attack the attacker creates multiple identities (i.e. multiple accounts/profiles) in an online service and uses them to manipulate a reputation score. For example, the multiple accounts can all leave positive feedback for an account controlled by a fraudulent seller, whose reputation then rises undeservedly. The seller can later use this false reputation to defraud other users. Other attacks on reputation systems include ballot stuffing, extortion, bad mouthing and collusion. For more information see the ENISA report https://www.enisa.europa.eu/publications/archive/reputation-based-systems-a-security-analysis and the Wikipedia article https://en.wikipedia.org/wiki/Sybil_attack
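The attack is easiest to see with numbers. The simulation below is an added example, not code from the original page or from the ENISA report: a seller with three genuine, poor ratings creates twenty accounts that each give five stars, which lifts a plain average from under 2 to over 4.5. It then applies one common mitigation, weighting each rating by the rater’s own verified purchase history and ignoring accounts with none, and shows both that this cancels fresh Sybils and that it only raises the attacker’s cost: Sybils that each buy a few cheap items count again. All names, ratings and purchase counts are constructed.

```python
"""Simulate a Sybil attack on a simple reputation score and one mitigation.
Added example, not from the original page or the ENISA report; all ratings
and purchase histories are constructed."""

# Constructed ratings: (rater account, stars given, rater's verified purchases).
HONEST = [("alice", 2, 40), ("bob", 1, 12), ("carol", 2, 25)]

# 20 Sybil accounts the seller created just to rate itself: 5 stars each,
# no purchase history of their own.
SYBILS = [("sybil%02d" % i, 5, 0) for i in range(20)]

# The same Sybils after the seller bought 5 cheap items through each one, to
# show that the mitigation raises the attacker's cost rather than removing it.
SYBILS_WITH_HISTORY = [(name, stars, 5) for name, stars, _ in SYBILS]


def naive_score(ratings):
    """Plain average: every account counts the same, so Sybils are cheap."""
    return sum(stars for _, stars, _ in ratings) / len(ratings)


def weighted_score(ratings, min_history=5):
    """Weight each rating by the rater's verified purchase count and ignore
    raters with fewer than min_history purchases. Returns None when no rating
    is eligible."""
    eligible = [(stars, hist) for _, stars, hist in ratings if hist >= min_history]
    if not eligible:
        return None
    total_weight = sum(hist for _, hist in eligible)
    return sum(stars * hist for stars, hist in eligible) / total_weight


def compare(honest, sybils):
    """Return (naive honest-only, naive with Sybils, weighted with Sybils)."""
    return (naive_score(honest),
            naive_score(honest + sybils),
            weighted_score(honest + sybils))


if __name__ == "__main__":
    print("fresh Sybils:      naive %.2f -> %.2f, weighted %.2f" % compare(HONEST, SYBILS))
    print("Sybils w/ history: naive %.2f -> %.2f, weighted %.2f" % compare(HONEST, SYBILS_WITH_HISTORY))
```

Weighting by history is the same idea behind “verified purchase” badges: it ties each vote to something the attacker has to pay for. Real systems combine it with rate limits, graph analysis of who rates whom (collusion rings stand out) and manual review, because any single cheap signal can be bought.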

Scenario 8

In 2014 the security community discovered a serious programming error in one of the most widely used pieces of security software, the so-called OpenSSL library, which is used to create secure, encrypted communication with web sites. OpenSSL is commonly used, for example, by e-commerce and online-banking web sites to secure the communication between the user and the service’s servers.

What is the popular name that was given to this programming error?

Answer:

Heartbleed. 

The Heartbleed bug (tracked as CVE-2014-0160) was publicly disclosed on 7 April 2014 on the website http://heartbleed.com/ by the company Codenomicon. The website states: “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users”. Several popular online services were affected and users were advised to change their passwords. Note that changing a password only helps once the service has updated OpenSSL and replaced its certificate; until then the new password can be stolen in the same way. For a list of affected sites see http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

See for more information also the ENISA Flash Note: Heartbleed - A wake-up call https://www.enisa.europa.eu/publications/flash-notes/flash-note-heartbleed-a-wake-up-call
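The “programming error” behind the description quoted above was a missing bounds check. A TLS heartbeat message carries its own payload-length field, and the vulnerable code copied that many bytes into the reply without checking that the received record was actually that long, so a request claiming a 64 KB payload while sending only a few bytes got back whatever happened to follow it in the server’s memory. The model below is an added example, not code from the original page or from the OpenSSL project: it simplifies the C handler into Python, with process memory as a byte array containing the received record followed by constructed secrets. The bounds check in the fixed handler mirrors the one added in OpenSSL 1.0.1g.

```python
"""Model of the Heartbleed over-read: a heartbeat handler that trusts the
length field inside the request instead of the length of the record it
actually received. Added example that simplifies the real OpenSSL code; the
'memory' layout and the secrets in it are constructed."""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # a TLS heartbeat message carries at least 16 bytes of padding


def build_heartbeat(payload, claimed_len=None):
    """Build a heartbeat request: type (1 byte), payload length (2 bytes),
    payload, padding. An honest peer sets claimed_len to len(payload); the
    attack sets it far larger than the payload it actually sends."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + bytes(PADDING)


def process_heartbeat_vulnerable(memory, record_len):
    """Handle the record at the start of `memory`, trusting the length field
    inside it rather than record_len (the bug fixed in OpenSSL 1.0.1g)."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    # Copies payload_len bytes starting at the payload, whatever lies beyond it.
    payload = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + bytes(PADDING)


def process_heartbeat_fixed(memory, record_len):
    """Same handler with the missing checks: the record must be long enough to
    hold a length field at all, and the claimed payload plus header and padding
    must fit inside the record that was actually received."""
    if record_len < 1 + 2 + PADDING:
        return None
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # silently discard, as the patched code does
    payload = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + bytes(PADDING)


def leaked_bytes(response, record_len):
    """Bytes of the response payload that were read from beyond the record."""
    if response is None:
        return b""
    payload_len = struct.unpack("!H", response[1:3])[0]
    payload = response[3:3 + payload_len]
    return payload[max(0, record_len - 3):]


# Constructed process memory: the received record, then data belonging to
# other connections that must never leave the server, then free space.
SECRET = b"user=alice&password=hunter2 ... -----BEGIN PRIVATE KEY-----"
ATTACK_RECORD = build_heartbeat(b"hi", claimed_len=0xFFFF)
HONEST_RECORD = build_heartbeat(b"hi")
MEMORY = bytearray(ATTACK_RECORD + SECRET + bytes(0x10000))

if __name__ == "__main__":
    resp = process_heartbeat_vulnerable(MEMORY, len(ATTACK_RECORD))
    print("vulnerable handler leaked %d bytes; secret included: %s"
          % (len(leaked_bytes(resp, len(ATTACK_RECORD))), SECRET in resp))
    print("fixed handler response:", process_heartbeat_fixed(MEMORY, len(ATTACK_RECORD)))
```

Two details of the model carry over to the real bug: the attacker sends a tiny, well-formed message, so nothing crashes and nothing is logged, and the check that stops it is one comparison of a length the peer supplied against a length the server itself knows. Every length field that arrives over the network needs that comparison.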

Scenario 9

As a consequence of the proliferation of social technologies and of Internet use in general, huge collections of data have been created, possibly drawn from many different sources. Such collections are called Big Data, and can be analysed with novel techniques in order to identify trends. However, Big Data can also open the door to cyber-attacks and privacy issues, and the ENISA Threat Landscape Report presents some of them.

Which of the following options is considered by the report as an increased threat for general users due to big data?

Answer:

Identity Theft. 

Identity theft is the act of stealing and using someone else’s identifying information. The ENISA Threat Landscape 2014 Report, available at https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014, discusses a number of emerging threats related to Big Data, such as the possibility for attackers to deploy malware more effectively using information gathered through Big Data analysis. Identity theft is also named as an emerging threat: the increased amount of personal information that can be discovered within Big Data will make it easier for attackers to steal identities.

Scenario 10

You receive an e-mail from your bank telling you there is a problem with your account. The e-mail provides instructions and a link so you can log in to your account and fix the problem.

What type of attack could this be?

Answer:

Social engineering.

Social engineering (from the perspective of information security) is the psychological manipulation of individuals so that they either divulge sensitive information or perform some action that aids the perpetrator in their malicious activities. It is in essence a type of confidence trick for the purpose of information gathering, fraud, or system access. The e-mail in the scenario is a phishing message, the most common form of social engineering: it imitates the bank in order to get you to enter your credentials on a site the attacker controls.
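The tell-tale sign in such an e-mail is usually the link itself: the text shows the bank’s address, but the link goes somewhere else, often to a domain that merely begins with the bank’s name. The script below is an added example, not code from the original page: it extracts every link from a message body, compares the destination host with any address shown in the link text, and checks the destination against a list of domains the bank really uses. The message body and the bank’s domain list are constructed; the domain check keeps only the last two labels of the host name, which is a simplification (a real check should use the public suffix list).

```python
"""Check the links in an e-mail that claims to come from your bank: does each
link go where its text says, and is the destination a domain the bank really
uses? Added example, not from the original page; the message body and the
bank's domain list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body in the style of the scenario.
SAMPLE_EMAIL = """
<p>Dear customer, there is a problem with your account.</p>
<p>Please <a href="http://www.examplebank.com.login-verify.net/fix">
log in at https://www.examplebank.com</a> within 24 hours to fix it.</p>
<p>Or read <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""

# Domains the hypothetical bank really uses. Take this from your card or a
# statement, never from the e-mail itself.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Good enough here; real code should use
    the public suffix list, since e.g. 'example.co.uk' has three."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return [(href, [reasons])] for every link that fails a check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # 'www.examplebank.com.login-verify.net' starts with the bank's name
        # but belongs to login-verify.net: only the right-hand end counts.
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            reasons.append("destination %s is not a bank domain" % host)
        shown = {urlparse(tok).hostname for tok in text.split() if "://" in tok}
        shown.discard(None)
        if shown and host not in shown:
            reasons.append("text shows %s but link goes to %s"
                           % (", ".join(sorted(shown)), host))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The manual equivalent is what the scenario’s answer implies: do not follow the link at all, but type the bank’s address yourself or use its app, and treat any mismatch between where a link says it goes and where it actually goes as the attack it is.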