Syllabus

1
Unit 1 Class overview, general security concept,
threats and defenses

• Syllabus
• What is Security?
• CSI/FBI Computer Crime and Security Survey
• Attackers and Attacks
• Layered Security Architecture

2
What is Security?

• Like in non-Cyber real world Security is used
  to secure, protect, prevent bad things to happen
  (or try to).
• From Webster
• Function nounInflected Form(s) plural
  -tiesDate 15th century1 the quality or state
  of being secure as a freedom from danger
  SAFETY b freedom from fear or anxiety c
  freedom from the prospect of being laid off ltjob
  securitygt2 a something given, deposited, or
  pledged to make certain the fulfillment of an
  obligation b SURETY3 an evidence of debt or
  of ownership (as a stock certificate or bond)4 a
  something that secures PROTECTION b (1)
  measures taken to guard against espionage or
  sabotage, crime, attack, or escape (2) an
  organization or department whose task is security

3
What is Security?

• Security Activities Are based on 3 Types of
  Actions
• Prevent Put protection measures/system to
  protect assets and prevent unauthorized access.
• Detect Detect if an asset has been compromised,
  when, by whom and gather information on the type
  of breach committed, activities and evidence
  logs.
• Act/React Take measure to recover from attack
  and prevent same type of attacks or prevent
  attack in progress.

4
Types of security
Computer Security The application of hardware,
firmware and software security features to a
computer system in order to protect against, or
prevent, the unauthorized disclosure,
manipulation, deletion of information.

• Scope usually limited to a single computer
• Protection from the bad guys

• Examples of Problems
• Viruses and Trojans
• Key loggers
• Unauthorized tampering

5
Types of security
Information Security The protection of
information against unauthorized disclosure,
transfer, modification, or destruction, whether
accidental or intentional.

• - Scope the entire application, even across a
  network.
• - Protection from
• The bad guys
• Careless good guys
• Loophole in security policies

• Examples of Problems
• Badly designed applications
• Unsecured databases

6
Types of security
Network Security Protection of networks and
their services from unauthorized modification,
destruction, or disclosure. It provides assurance
the network performs its critical functions
correctly and there are no harmful side-effects.

• Scope network components and applications
• Protection from the bad guys

• Examples of Problems
• Viruses and worms Code Red, SoBig, Blaster
• Denial of Service (DoS) attacks
• Distributed Denial of Service (DDOS) attacks

7
CSI/FBI Computer Crime and Security Survey

• How Bad is the Threat?
• Survey conducted by the Computer Security
  Institute (http//www.gocsi.com) annually.
• 11th Annual
• Based on replies from 616 U.S. Computer Security
  Professionals in 2006.

8
(No Transcript)
9

• Websites incidents continues to plague
  organizations

10

• General trend of losses is down for the 4th
  consecutive year even though this years
  percentage drop is the smallest.
• Fewer respondents were willing to report their
  losses this year.

11
Other Key Findings of the CSI/FBI survey

• Outsourcing of computer security activities is
  quite low. 61 of respondents do not outsource
  any computer security functions.
• Use of cyber insurance remain low
• The multi-year decline in reporting intrusions to
  law enforcement has reversed (from 20 to 25).
  Negative publicity is still a concern.
• Significant number of organization conduct some
  form of economic evaluation of their security
  expenditures. Up from last year.

12
Other Key Findings of the CSI/FBI survey (contd.)

• Over 80 of the organizations conduct security
  audit.
• The impact of the Sarbanes-Oxley Act continues to
  be substantial
• Most respondents view security awareness training
  as important. However respondents from all
  sectors do not believe their organizations
  invests enough in it.

13
Other Empirical Attack Data

• SecurityFocus http//www.securityfocus.com/
• Attack Targets
• 31 million Windows-specific attacks
• 22 million UNIX/LINUX attacks
• 7 million Cisco IOS attacks
• All operating systems are attacked!

14
Attack Trends

• Growing Incident Frequency
• Incidents reported to the Computer Emergency
  Response Team/Coordination Center (CERT)
• http//www.cert.org/
• 1997 2,134
• 1998 3,474 (75 growth from the year before)
• 1999 9,859 (164 growth from the year before)
• 2000 21,756 (121 growth from the year before)
• 2001 52,658 (142 growth from the year before)
• Tomorrow? . Well CERT decided to stop counting
  as of 6/2004!!

15
Attack Trends

• Growing Randomness in Victim Selection
• In the past, large firms were targeted
• Now, targeting is increasingly random
• No more security through obscurity for small
  firms and individuals

16
Attack Trends

• Growing Malevolence
• Most early attacks were not malicious
• Malicious attacks are becoming the norm

17
Attack Trends

• Growing Attack Automation
• Attacks are automated, rather than
  humanly-directed
• Essentially, viruses and worms are attack robots
  that travel among computers
• Attack many computers in minutes or hours

18
Attack sophistication progress (source CERT)
19
Who are the Attackers???

• Elite Hackers
• White hat hackers
• This is still illegal
• Break into system but notify firm or vendor of
  vulnerability
• Black hat hackers
• Do not hack to find and report vulnerabilities
• Gray hat hackers go back and forth between the
  two ways of hacking
• Hack but with code of ethics
• Codes of conduct are often amoral
• Do no harm, but delete log files, destroy
  security settings, etc.
• Distrust of evil businesses and government
• Still illegal
• Deviant psychology and hacker groups to reinforce
  deviance

20
Who are the Attackers???

• Virus Writers and Releasers
• Virus writers versus virus releasers
• Only releasing viruses is punishable

21
Who are the Attackers???

• Script Kiddies
• Use prewritten attack scripts (kiddie scripts)
• Viewed as lamers and script kiddies
• Large numbers make dangerous
• Noise of kiddie script attacks masks more
  sophisticated attacks

22
Who are the Attackers???

• Criminals
• Many attackers are ordinary garden-variety
  criminals
• Credit card and identity theft
• Side note on threat to Credit Card . How do
  attacker capture credit card information? Via
  Sniffing traffic?
• How many of the audience have worries when
  shopping online? How many of the audience ever
  used a credit card to pay for a restaurant meal?
• Stealing trade secrets (intellectual property)
• Extortion

23
Who are the Attackers???

• Corporate Employees
• Have access and knowledge
• Financial theft
• Theft of trade secrets (intellectual property)
• Sabotage
• Consultants and contractors
• IT and security staff are biggest danger

24
Who are the Attackers???

• Cyberterrorism and Cyberwar
• New level of danger
• Infrastructure destruction
• Attacks on IT infrastructure
• Use IT to establish physical infrastructure
  (energy, banks, etc.)
• Simultaneous multi-pronged attacks
• Cyberterrorists by terrorist groups versus
  cyberwar by national governments
• Amateur information warfare

25
Very good Illustration of Attacks and Attackers

• http//grc.com/dos/grcdos.htm
• Non credit assignment Read the full article.
  Note all material in non credit assignments
  can be present in exams.

26
What are the types of attacks?
27
Framework for Attacks
Attacks
Social Engineering -- Opening Attachments Password
Theft Information Theft
Physical Access Attacks -- Wiretapping Server
Hacking Vandalism
Dialog Attacks -- Eavesdropping Impersonation Mess
age Alteration
Penetration Attacks
Malware -- Viruses Worms
Denial of Service
Scanning (Probing)
Break-in
28
Attacks and Defenses (Refer to previous diagram)

• Physical Attacks Access Control
• Access control is the body of strategies and
  practices that a company uses to prevent improper
  access
• Prioritize assets
• Specify access control technology and procedures
  for each asset
• This can be electronic use access control to
  prevent certain traffic in
• This can be physical use locks to prevent
  physical access to devices.
• If an attacker gains physical access to a device
  that device IS (or should be considered)
  compromised no EXCEPTION!!!
• Test the protection.

29
Attacks and Defenses (contd.)

• Site Access Attacks and Defenses
• Wiretaps (including wireless LANs intrusions
• Hacking servers with physical access

30
Attacks and Defenses (contd.)

• A slight variation of access attack Social
  Engineering
• Tricking an employee into giving out information
  or taking an action that reduces security or
  harms a system
• Opening an e-mail attachment that may contain a
  virus
• Asking for a password claming to be someone with
  rights to know it
• Asking for a file to be sent to you

31
Attacks and Defenses (contd.)

• Social Engineering Defenses
• Training
• Enforcement through sanctions (punishment)

32
Attacks and Defenses (contd.)

• Dialog Attacks and Defenses
• Eavesdropping
• Encryption for Confidentiality
• Imposters and Authentication
• Cryptographic Systems

33
Eavesdropping on a Dialog
Dialog
Hello
Client PC Bob
Server Alice
Hello
Attacker (Eve) intercepts and reads messages
34
Encryption for Confidentiality
Encrypted Message 100100110001
Client PC Bob
Server Alice
100100110001
Attacker (Eve) intercepts but cannot read
Original Message Hello
Decrypted Message Hello
35
Impersonation and Authentication
Im Bob
Prove it! (Authenticate Yourself)
Attacker (Eve)
Server Alice
36
Message Alteration
Dialog
Balance 1,000,000
Balance 1
Server Alice
Balance 1
Balance 1,000,000
Attacker (Eve) intercepts and alters messages
37
Secure Dialog System
Secure Dialog
Client PC Bob
Server Alice
Automatically Handles Negation of Security
Options Authentication Encryption Integrity
Attacker cannot read messages, alter messages,
or impersonate
38
Network Penetration Attacks and Firewalls
Attack Packet
Internet Firewall
Hardened Client PC
Internet
Attacker
Internal Corporate Network
Log File
39
Scanning (Probing) Attacks
Reply from172.16.99.1
Probe Packets to 172.16.99.1, 172.16.99.2, etc.
Host 172.16.99.1
Internet
Attacker
No Host 172.16.99.2
Results 172.16.99.1 is reachable 172.16.99.2 is
not reachable
No Reply
Corporate Network
40
Single-Message Break-In Attack
1. Single Break-In Packet
2. Server Taken Over By Single Message
Attacker
41
Denial-of-Service (DoS) Flooding Attack
Message Flood
Server Overloaded By Message Flood
Attacker
42
Intrusion Detection System (IDS)
1. Suspicious Packet
Intrusion Detection System (IDS)
4. Alarm
Network Administrator
2. Suspicious Packet Passed
Internet
Attacker
3. Log Suspicious Packet
Corporate Network
Log File
43
What Are the Types of Security Threats?

• Service Disruption and Interruption
• Compromise the service Availability
• Interception
• Compromise the service Confidentiality
• Modification
• Compromise the service Integrity
• Fabrication
• Compromise the service Authenticity
• Often you will see the security services
  summarized into 3 categories C.I.A
• Confidentiality
• Integrity
• Availability
• In this model, authenticity is a subset of
  integrity

44
What Are the Types of Security Threats?

• These different Threats can be subject to two
  types of possible attacks Passive and Active.
• Passive Attacks
• Attacks that do not require modification of the
  data.
• Active Attacks
• Attacks that do require modification of the data
  or the data flow.
• Which one is harder to notice? (yes I know its
  obvious)

45
Layered Security Architecture

• As we have seen in previous slides, security
  services that must be provided are numerous and
  diverse.
• Similarly to the real-world bank, our web
  servers, our networks can have many
  vulnerabilities and these vulnerabilities can be
  located in many layers of the architecture.
• We need to practice a security in-depth
  approach.
• Security consideration and services must be
  present in each and every level of components.
• Rule When analyzing the quality of your security
  infrastructure, always assume that 1 full
  security layer/functionality will entirely fail.
  
• Are you still secured? What are your areas of
  vulnerabilities?
• How long would it take for you to detect the
  failure?
• Vulnerabilities and security services involve all
  7 layers of the OSI model.
• Security also is greatly dependant on the OSIs
  Layer 8.
• The balance between the threat to a system and
  the security services deployed is very
  Asymmetric You need to defend each and every
  aspects to be successful An attacker often
  needs to mitigate one aspect to be successful.
• Lets look at an example of an e-Commerce site
  and try to discuss what can go wrong and where.

46
Layered Security Architecture
My-store.com E-Commerce Infrastructure
Internet Users
Internet
ISP DNS
Mail relay
Outside DNS
Inside DNS
Intruder,
Router
threat,,
opponent
Database Server
Firewall
l
Ethernet
Firewall
E-Comm - Web
Router
Inside Mail Server
WAN Links to Remote
Offices
47
Layered Security Architecture

• Areas that can go wrong
• Incorrect firewall configuration.
• Web and back-end server not hardened
• Known vulnerabilities
• Default account/passwords
• Lack of granularity in security
• Lack of logging and auditing
• Back-end database server servers accept any
  requests from any sources.
• Lack of intrusion detection system.
• Lack of integrity checking tools.
• Router forward packets improperly.
• Unnecessary protocols and services running.
• Improper patching and update of patches.
• Bugs and vulnerabilities in third-party
  software/applications.
• Bugs and vulnerabilities in in-house developed
  applications.
• Bugs and vulnerabilities in toolkits used to
  build in-house applications.
• Improper implementation of an application, test
  userID not cleaned out, developers userID not
  cleaned out.
• Presence of Trojans, Malware and backdoors.
• How do I know the remote offices do not represent
  a threat?

48
Layered Security Architecture

• To prevent attacks, an enterprise need to build a
  complete and comprehensive security architecture
  using tools, methods and techniques that
  individually target some threats and work in an
  integrated fashion to provide a complete
  enterprise framework for secure computing.
• One missing piece or aspect may endanger the
  whole infrastructure. Example if you do not
  have virus protection, can an intruder bypass
  your firewalls?
• The goal of this class will be to present the
  aspects that most impact network security within
  that framework.
• Example of these tools and methods are presented
  in next slides.

49
Security Architecture Components Examples

• Firewall with packet/traffic filtering
• Provides protection by preventing prohibited
  traffic to pass.
• Acts at layer 3 or 4 of OSI
• Combats many attacks Spoofing, unauthorized
  access.
• Network Intrusion Detection systems
• Monitor network activities for specific patterns
  or abnormal trends in traffic
• Act at layer 3-7 of OSI
• Allow alerting (and prevent in some case) in case
  of identification of known attacks.
• Optical Fiber Links
• Implement data transfer via optical signals.
• Layer 1 of OSI
• Protects from sniffing via electromagnetic leaks
  and interference via EMI by implementing links.
  Also reduce risks of undetected tapping of
  transmission media.

50
Security Architecture Components Examples

• Implement IPSEC on traffic
• Provides encryption of data over the wire.
• Acts at layer 3 of OSI
• Prevent eavesdropping and provide anti-replay and
  traffic authentication.
• Intermediate Mail server with virus scanning
• Intercept all mail traffic and perform virus scan
  as well as content filtering
• Layer 7 of OSI
• Preserve integrity of infrastructure by
  preventing downloads of virus. Content filtering
  also help prevent unauthorized dissemination of
  proprietary data or offensive language.
• Enforcement of prohibition of password disclosure
  via disciplinary actions.
• Publicize to all employee the strict prohibition
  to share passwords. Enforce it by warning system
  and, if repeated violation, suspension.
• Layer 8 of OSI

51
Security Architecture Components Examples

• Application development follows strict security
  models and strict, documented, security testing
  procedures
• Provides a method to limit the potential of
  security vulnerabilities in software developed
• Acts at layer 7 (and 8) of OSI
• Reduce risk of bugs and validate security models
  in an application by basing it on a well-proven
  model.
• Network/vulnerability scanner is run weekly
• Perform weekly scan on all devices
• Layer 3-7 of OSI
• Preserve integrity of infrastructure by
  identifying newly discovered vulnerabilities or
  unauthorized configuration changes. Also help
  identified unnecessary services.
• Many more aspects not included here.

52
Other References and Useful Resources

• CERT http//www.cert.org
• SANS http//www.sans.org
• CIAC - http//www.ciac.org/ciac/
• NSA Guidelines - http//www.nsa.gov/snac/