Framework - PowerPoint PPT Presentation

About This Presentation
Title:

Framework

Description:

Malware. Viruses. Worms. 28. Figure 1-6: Social Engineering Attacks and Defenses ... Tools for comprehensive security (firewalls, etc.) Central management ... – PowerPoint PPT presentation

Number of Views:72
Avg rating:3.0/5.0
Slides: 60
Provided by: rp999

Transcript and Presenter's Notes

Title: Framework


1
Framework
  • Chapter 1
  • Dr. Cheng-Sheng Chen
  • Revised from Panko, Corporate Computer and
    Network Security
    (http://pankosecurity.com/Edition1Classic/default.htm)

2
Chapter 1 A Framework - Learning Objectives
(1/2)
  • Corporations at Risk
  • Trends in security incidents
  • Types of attacks and defenses
  • Why security is primarily a management issue, not a
    technology issue
  • The importance of top-to-bottom commitment and
    comprehensive security

3
Chapter 1 A Framework - Learning Objectives
(2/2)
  • The core security goals confidentiality,
    integrity, and availability
  • The Plan-Protect-Respond (PPR) cycle.
  • How corporate IT security is distinguished from
    military security

4
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
  • Survey conducted by the Computer Security
    Institute (http://www.gocsi.com).
  • Based on replies from 503 U.S. Computer Security
    Professionals.
  • If fewer than 20 firms reported quantified dollar
    losses, data for the threat are not shown.

5
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
6
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
7
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
8
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
9
Figure 1-2 Other Empirical Attack Data
  • Riptech
  • Analyzed 5.5 billion firewall log entries in 300
    firms in five-month period
  • Detected 128,678 attacks, an annual rate of 1,000
    per firm
  • Only 39% of attacks, after viruses were removed,
    were directed at individual firms

10
Figure 1-2 Other Empirical Attack Data
  • SecurityFocus
  • Data from 10,000 firms in 2001
  • Attack Frequency
  • 129 million network scanning probes (13,000 per
    firm)
  • 29 million website attacks (3,000 per firm)
  • 6 million denial-of-service attacks (600 per firm)

11
Figure 1-2 Other Empirical Attack Data
  • SecurityFocus
  • Attack Targets
  • 31 million Windows-specific attacks
  • 22 million UNIX/LINUX attacks
  • 7 million Cisco IOS attacks
  • All operating systems are attacked!

12
Figure 1-2 Other Empirical Attack Data
  • Honeynet project
  • Networks set up for adversaries to attack
  • Windows 98 PC with open shares and no password
    compromised 5 times in 4 days
  • LINUX PCs took 3 days on average to compromise

13
Figure 1-3 Attack Trends
  • Growing Incident Frequency
  • Incidents reported to the Computer Emergency
    Response Team/Coordination Center
  • 1997: 2,134
  • 1998: 3,474 (75% growth from previous year)
  • 1999: 9,859 (164% growth)
  • 2000: 21,756 (121% growth)
  • 2001: 52,658 (142% growth)
  • Tomorrow?

14
Figure 1-3 Attack Trends
  • Growing Randomness in Victim Selection
  • In the past, large firms were targeted
  • Now, targeting is increasingly random
  • No more security through obscurity for small
    firms and individuals

15
Figure 1-3 Attack Trends
  • Growing Malevolence
  • Most early attacks were not malicious
  • Malicious attacks are becoming the norm

16
Figure 1-3 Attack Trends
  • Growing Attack Automation
  • Attacks are automated, rather than
    humanly-directed
  • Essentially, viruses and worms are attack robots
    that travel among computers
  • Attack many computers in minutes or hours

17
Figure 1-4 Framework for Attackers
  • Elite Hackers
  • Hacking: intentional access without authorization
    or in excess of authorization
  • Some call this cracking, not hacking, which they
    equate to any skilled computer use
  • Characterized by technical expertise and dogged
    persistence, not just a bag of tools
  • Use attack scripts to automate actions, but this
    is not the essence of what they do
  • Deviants and often part of hacker groups that
    reinforce deviant behavior

18
Figure 1-4 Framework for Attackers
  • You may hear the terms white hat (good guys)
    and black hat (bad guys)
  • Black hat hackers break in for their own purposes
  • White hat can mean multiple things
  • Strictest: hack only by invitation as part of
    vulnerability testing
  • Some who hack without permission but report
    vulnerabilities (not for pay) also call
    themselves white hat hackers

19
Figure 1-4 Framework for Attackers
  • You will also hear the term ethical hacker
  • Some hack only by invitation as part of
    vulnerability testing
  • Others hack without invitation but have a code
    of ethics
  • Do no damage or limited damage
  • Some hacker codes allow considerable
    victimization

20
Figure 1-4 Framework for Attackers
  • Hats, Ethical Codes of Conduct, and Criminality
  • Hacking without explicit authorization is
    criminal
  • Motive for hacking is not part of the law; only
    intentionally accessing without authorization or
    in excess of authorization matters

21
Figure 1-4 Framework for Attackers
  • Elite Hackers
  • Ethical hackers or white hat hackers
  • Hack only by invitation: the best definition
  • Some hackers with marginal codes of ethics use
    these terms
  • Justify if they tell victims about break-ins
  • Codes of conduct are often amoral
  • Do no harm, but delete log files, destroy
    security settings, etc.
  • Distrust of evil businesses and government
  • Deviants and hacker groups

22
Figure 1-4 Framework for Attackers
  • Virus Writers and Releasers
  • Virus writers versus virus releasers
  • Only releasing viruses is punishable

23
Figure 1-4 Framework for Attackers
  • Script Kiddies
  • Use pre-written attack scripts (kiddie scripts)
  • Viewed as lamers and script kiddies
  • Large numbers make them dangerous
  • Noise of kiddie script attacks masks more
    sophisticated attacks

24
Figure 1-4 Framework for Attackers
  • Criminals
  • Many attackers are ordinary garden-variety
    criminals
  • Credit card and identity theft
  • Stealing trade secrets (intellectual property)
  • Extortion

25
Figure 1-4 Framework for Attackers
  • Employees, Consultants, and Contractors
  • Have access and knowledge
  • Financial theft
  • Theft of trade secrets (intellectual property)
  • Sabotage
  • IT and security staff
  • Consultants

26
Figure 1-4 Framework for Attackers
  • Cyberterrorism and Cyberwar
  • New level of danger
  • Infrastructure destruction
  • IT Infrastructure
  • Use IT to damage physical infrastructure
  • Cyberterrorists versus cyberwar by national
    governments
  • Amateur information warfare is also a danger

27
Figure 1-5 Framework for Attacks
  • Attacks
  • Social Engineering: opening attachments, password
    theft, information theft
  • Physical Access Attacks: wiretapping, server
    hacking, vandalism
  • Dialog Attacks: eavesdropping, impersonation,
    message alteration
  • Penetration Attacks: malware (viruses, worms),
    denial of service, scanning (probing), break-in
28
Figure 1-6 Social Engineering Attacks and
Defenses
  • Social Engineering
  • Tricking an employee into giving out information
    or taking an action that reduces security or
    harms a system
  • Opening an e-mail attachment that may contain a
    virus
  • Asking for a password claiming to be someone with
    rights to know it
  • Asking for a file to be sent to you

29
Figure 1-6 Social Engineering Attacks and
Defenses
  • Social Engineering Defenses
  • Training
  • Enforcement through sanctions (punishment)

30
Figure 1-7 Eavesdropping on a Dialog
Dialog between Client PC (Bob) and Server (Alice): Bob
sends "Hello" and Alice replies "Hello"; the attacker
(Eve) intercepts and reads the messages.
31
Figure 1-8 Encryption for Confidentiality
Client PC (Bob) encrypts the original message "Hello"
into the encrypted message 100100110001 and sends it to
Server (Alice), who decrypts it back to "Hello"; the
attacker (Eve) intercepts the encrypted message but
cannot read it.
32
Figure 1-9 Impersonation and Authentication
The attacker (Eve) tells Server (Alice) "I'm Bob";
Alice replies "Prove it!" (authenticate yourself).
33
Figure 1-10 Message Alteration
Dialog with Server (Alice): a message sent as
"Balance 1,000,000" arrives as "Balance 1"; the
attacker (Eve) intercepts and alters messages.
34
Figure 1-11 Secure Dialog System
Secure dialog between Client PC (Bob) and Server
(Alice): the secure dialog system automatically handles
negotiation of security options, authentication,
encryption, and integrity. The attacker cannot read
messages, alter messages, or impersonate.
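As an added illustration of Figures 1-9 through 1-11 (not code from the slides or from Panko), the block below shows the authentication and integrity half of a secure dialog: Alice tags each message with an HMAC under a key she shares with Bob, so Eve's altered "Balance 1" and her "I'm Bob" impersonation are both rejected. The shared key and the `eve_alters` helper are constructed for the demo; confidentiality (Figure 1-8) would additionally need encryption, which this block does not do.

```python
import hmac
import hashlib

# Constructed shared key for the Bob/Alice dialog (assumption: both sides
# already hold it; the slides do not say how it was established).
SHARED_KEY = b"bob-alice-demo-key"


def protect(message: str, key: bytes = SHARED_KEY) -> tuple:
    """Sender side: attach an HMAC-SHA256 tag computed over the message.
    Only a key holder can produce the tag (authentication), and any
    change to the text changes the tag (integrity)."""
    tag = hmac.new(key, message.encode(), hashlib.sha256).hexdigest()
    return message, tag


def verify(message: str, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, message.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def eve_alters(message: str, tag: str) -> tuple:
    """Figure 1-10: Eve rewrites the balance but cannot forge a matching
    tag without the key, so she forwards the old one."""
    return message.replace("1,000,000", "1"), tag


def dialog_demo() -> dict:
    """Run the exchange from Figures 1-9 to 1-11 and report what Bob's
    verification step accepts and rejects."""
    msg, tag = protect("Balance 1,000,000")      # Alice -> Bob
    honest_ok = verify(msg, tag)                  # untouched message
    bad_msg, bad_tag = eve_alters(msg, tag)       # Eve in the middle
    altered_ok = verify(bad_msg, bad_tag)         # Bob's check fails
    # Figure 1-9: Eve claims "I'm Bob" but can only sign with a guessed key.
    forged_msg, forged_tag = protect("Balance 1", key=b"eve-guess")
    forged_ok = verify(forged_msg, forged_tag)
    return {"honest_accepted": honest_ok,
            "altered_accepted": altered_ok,
            "impersonation_accepted": forged_ok,
            "altered_text": bad_msg}


if __name__ == "__main__":
    print(dialog_demo())
```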
35
Figure 1-12 Network Penetration Attacks and
Firewalls
An attacker on the Internet sends an attack packet
toward the internal corporate network; the Internet
firewall drops it and records it in a log file. Client
PCs inside the network are hardened as a further line
of defense.
36
Figure 1-13 Scanning (Probing) Attacks
An attacker on the Internet sends probe packets to
172.16.99.1, 172.16.99.2, etc., on the corporate
network. Host 172.16.99.1 replies; there is no host at
172.16.99.2, so no reply comes back. Results:
172.16.99.1 is reachable, 172.16.99.2 is not reachable.
37
Figure 1-14 Single-Message Break-In Attack
1. The attacker sends a single break-in packet.
2. The server is taken over by that single message.
38
Figure 1-15 Denial-of-Service (DoS) Flooding
Attack
The attacker sends a message flood; the server is
overloaded by the flood.
39
Figure 1-16 Intrusion Detection System
1. A suspicious packet from an attacker on the Internet
enters the corporate network and is examined by the
intrusion detection system. 3. The system logs the
packet to a log file. 4. It sends an alarm to the
network administrator.
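Added example (not from the slides) tying Figure 1-13 to Figure 1-16: the defender's view of a probing sweep. The firewall log lines below are constructed, the "source touching N distinct internal hosts" alarm rule is an assumption, and the reachability map is what the probe results in Figure 1-13 would reveal to the scanner.

```python
from collections import defaultdict

# Constructed firewall log lines (not from the slides), one per probe
# packet seen by the firewall: "src -> dst reply|noreply".
LOG_LINES = [
    "203.0.113.9 -> 172.16.99.1 reply",
    "203.0.113.9 -> 172.16.99.2 noreply",
    "203.0.113.9 -> 172.16.99.3 noreply",
    "203.0.113.9 -> 172.16.99.4 reply",
    "198.51.100.4 -> 172.16.99.1 reply",   # a single ordinary connection
]

# Assumed alarm rule: one source probing this many distinct internal
# hosts is treated as a scan (Figure 1-16, step 4).
SCAN_THRESHOLD = 3


def parse_line(line):
    """Split one constructed log line into (src, dst, replied)."""
    src, _, dst, status = line.split()
    return src, dst, status == "reply"


def analyze(lines, threshold=SCAN_THRESHOLD):
    """Step 3 of Figure 1-16: record each packet; step 4: raise alarms.
    Returns (alarms, reachability): alarms lists scanning sources,
    reachability maps each probed host to whether it answered, i.e. the
    'Results' a scanner learns in Figure 1-13."""
    targets = defaultdict(set)
    reachable = {}
    for line in lines:
        src, dst, replied = parse_line(line)
        targets[src].add(dst)
        reachable[dst] = reachable.get(dst, False) or replied
    alarms = [src for src, hosts in targets.items() if len(hosts) >= threshold]
    return alarms, reachable


if __name__ == "__main__":
    print(analyze(LOG_LINES))
```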
40
Figure 1-17 Security Management
  • Security is Primarily a Management Issue, not a
    Technology Issue
  • Top-to-Bottom Commitment
  • Top-management commitment
  • Operational execution
  • Enforcement

41
Figure 1-17 Security Management
  • General Security Goals (CIA)
  • Confidentiality
  • Attackers cannot read messages if they intercept
    them
  • Integrity
  • If attackers change messages, this will be
    detected
  • Availability
  • System is able to serve users

42
Figure 1-17 Security Management
  • Comprehensive Security
  • Closing all avenues of attack
  • Asymmetrical warfare
  • Attacker only has to find one opening
  • Defense in depth
  • Attacker must get past several defenses to
    succeed
  • Security audits
  • Run attacks against your own network

43
Figure 1-18 The Plan-Protect-Respond Cycle
  • Planning
  • Security policies drive subsequent specific
    actions
  • Access control
  • Technical security architectures
  • Tools for comprehensive security (firewalls,
    etc.)
  • Central management
  • Awareness and procedure training
  • Punishment

44
Figure 1-18 The Plan-Protect-Respond Cycle
  • Protecting
  • Installing protections: firewalls, IDSs/IDPs,
    host hardening, etc.
  • Updating protections as the threat environment
    changes
  • Testing protections: security audits

45
Figure 1-18 The Plan-Protect-Respond Cycle
  • Responding
  • Planning for response (Computer Emergency
    Response Team)
  • Incident detection and determination
  • Procedures for reporting suspicious situations
  • Determination that an attack really is occurring
  • Description of the attack

46
Figure 1-18 The Plan-Protect-Respond Cycle
  • Responding
  • Recovery
  • The first priority
  • Stop the attack
  • Repair the damage
  • Punishment
  • Forensics
  • Prosecution
  • Employee Punishment
  • Fixing the vulnerability that allowed the attack

47
Figure 1-19 Threat Severity Analysis
  • Planning
  • Need for comprehensive security (no gaps)
  • Risk analysis
  • Enumerating threats
  • Threat severity = estimated cost of attack ×
    probability of attack
  • Value of protection = threat severity - cost of
    countermeasure
  • Prioritize countermeasures by value of protection
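Added worked example of the threat severity analysis above (not code from the slides or from Panko): it applies the two formulas to a small constructed threat list and ranks countermeasures by value of protection. All cost and probability figures are invented for illustration; a negative value of protection flags a countermeasure that costs more than the risk it removes.

```python
# Constructed threats: name -> (estimated cost of a successful attack in $,
# probability of attack per year). Illustrative values, not from the slides.
THREATS = {
    "virus outbreak":             (200_000, 0.90),
    "server break-in":            (500_000, 0.10),
    "DoS flood":                  (50_000, 0.50),
    "insider trade-secret theft": (2_000_000, 0.02),
}

# Constructed countermeasures: name -> (threat addressed, annual cost in $).
COUNTERMEASURES = {
    "antivirus + attachment training": ("virus outbreak", 40_000),
    "firewall + host hardening":       ("server break-in", 30_000),
    "upstream DoS filtering":          ("DoS flood", 60_000),
    "access control + audit logging":  ("insider trade-secret theft", 25_000),
}


def threat_severity(cost, probability):
    """Threat severity = estimated cost of attack x probability of attack."""
    return cost * probability


def value_of_protection(threat_name, countermeasure_cost, threats=THREATS):
    """Value of protection = threat severity - cost of countermeasure."""
    cost, prob = threats[threat_name]
    return threat_severity(cost, prob) - countermeasure_cost


def prioritize(countermeasures=COUNTERMEASURES, threats=THREATS):
    """Rank countermeasures by value of protection, highest first."""
    ranked = [(name, value_of_protection(threat, cost, threats))
              for name, (threat, cost) in countermeasures.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, value in prioritize():
        print(f"{value:>12,.0f}  {name}")
```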

48
Figure 1-19 Threat Severity Analysis
49
Examples of Security Problems
  • Herbert Pierre-Louis: Sabotage by a Disgruntled
    Employee
  • Washington Leung: Cyberframing a Female Employee
    who Spurned Him
  • Two Programmers: Denial-of-Service Attacks by IT
    Employees
  • Two Accounts: Financial Theft Through Procedure
    Exploitation
  • Cisco Systems Employee: Theft of Trade Secrets by
    an Employee for Personal Benefit

50
Examples of Security Problems (cont.)
  • Paralegal Employee: Theft of Trade Secrets to
    Sell Them
  • Patrick McKenna: Computer Sabotage and Damage of
    Reputation
  • Eric Burns: Website Hacking and Defacement
    (e.g., Web Bandit)
  • Raymond Torricelli: Hacking to Make Money from
    Stolen Computer Resources
  • Vasilly Gorshkov: Credit Card Theft by Hacker

51
Topics Covered
  • Attacks
  • CSI/FBI Survey, etc.: many types of attacks
    against many types of systems
  • Growing attack frequency
  • Growing randomness in victim selection (nobody is
    safe)
  • Growing malevolence
  • Growing attack automation

52
Topics Covered
  • Attackers
  • Elite hackers
  • Characterized by technical expertise and dogged
    persistence, not just a bag of tools
  • Virus writers and releasers
  • Script kiddies: limited but numerous
  • Criminals are growing rapidly
  • Employees, Consultants, and Contractors
  • Cyberterrorism and Cyberwar

53
Topics Covered
  • Attacks
  • Social Engineering: opening attachments, password
    theft, information theft
  • Physical Access Attacks: wiretapping, server
    hacking, vandalism
  • Dialog Attacks: eavesdropping, impersonation,
    message alteration
  • Penetration Attacks: malware (viruses, worms),
    denial of service, scanning (probing), break-in
54
Topics Covered
  • Dialog Security
  • Eavesdropping is thwarted by encryption for
    confidentiality
  • Impersonation is thwarted by cryptographic
    authentication
  • Authentication techniques also bring message
    integrity
  • Secure dialog systems provide all of these
    protections automatically

55
Topics Covered
  • Penetration Attacks and Defenses
  • Penetration Attacks
  • Scanning
  • Break-in (hacking) attacks
  • Denial-of-Service attacks
  • Defenses
  • Firewalls (actually drop attack packets)
  • Intrusion detection systems (only give warnings)
  • Intrusion Prevention System (e.g., IPS/IDP)

56
Topics Covered
  • Security Management
  • Security is Primarily a Management Issue, not a
    Technology Issue
  • Top-to-Bottom Commitment
  • Comprehensive security
  • CIA: Confidentiality, integrity, and availability
  • Risk analysis

57
Topics Covered
  • The Plan-Protect-Respond Cycle
  • Planning
  • Security policies drive subsequent specific
    actions
  • Access control
  • Technical security architectures
  • Awareness and procedure training
  • Punishment

58
Topics Covered
  • Protecting
  • Installing protections: firewalls, IDP/IPSs, host
    hardening, etc.
  • Updating protections as the threat environment
    changes
  • Testing protections: security audits

59
Topics Covered
  • Responding
  • Planning for response (Computer Emergency
    Response Team)
  • GSNcert, TWcert, etc.
  • Incident detection and determination
  • Recovery
  • Punishment
  • Fixing the vulnerability that allowed the attack