Lesson 1: Introduction and Security Trends - PowerPoint PPT Presentation

Provided by: Hur8
Slides: 36

Transcript and Presenter's Notes

1
Lesson 1-Introduction and Security Trends
2
Security
If you know the enemy and know yourself, you
need not fear the result of a hundred battles. If
you know yourself but not the enemy, for every
victory gained you will also suffer a defeat. If
you know neither the enemy nor yourself, you will
succumb in every battle.
-- Sun Tzu - The Art of War
3
Understanding Network Security
  • Network security
  • Process by which digital information assets are
    protected from unauthorized destruction,
    alteration or disclosure.
  • Provides assurance that the network performs
    critical functions correctly without harmful
    side-effects.
  • Goals - CIA
  • Protect confidentiality - guard against unauthorized disclosure.
  • Maintain integrity - guard against unauthorized alteration.
  • Assure availability - guard against data becoming unavailable.

4
Yesterday and Today
  • Fifty years ago
  • Few people had access to a computer system or a
    network
  • Companies did not conduct business over the
    Internet.
  • Today, companies rely on the Internet to operate
    and conduct business.
  • Terrorists have targeted people and physical
    structures.
  • The average citizen is more likely to be the
    target of a computer attack than to be the
    direct victim of a terrorist attack.
    Cyberterrorism is different.

5
Security Problem
  • As of the start of 2006:
  • 150,000 virus outbreaks in 2005.
  • The anti-virus market reached $3.7 billion in
    annual revenue last year, and the newer,
    faster-growing anti-spyware segment more than
    doubled from the year before to $97 million.
  • Phishing and keystroke logging have generated
    losses of $2.75 billion (8/2/05).
  • In 2005 phishing alone cost $2.65 billion.
  • One of the best-known security surveys is the
    joint survey conducted annually by the Computer
    Security Institute (CSI) and the FBI.
  • Electronic crime can take different forms
  • Crimes in which the computer is the target of the
    attack.
  • Incidents in which the computer is a means of
    perpetrating a criminal act (for example,
    committing bank fraud).

6
History
  • Crimes in which computers were targeted and
    incidents in which computers were used to commit
    crimes.
  • Morris Worm Nov. 1988 - infected 10 percent of
    the machines (approximately 6,000) connected to
    the Internet at that time. The worm caused an
    estimated $100 million in damage, though this
    number has been the subject of wide debate.
  • Citibank and Vladimir Levin June-Oct 1994 -
    they had transferred an estimated $10 million
    before getting caught. Eventually all but about
    $400,000 was recovered. Levin reportedly
    accomplished the break-ins by dialing into
    Citibank's cash management system.
  • Kevin Mitnick Feb 1995 - Mitnick admitted to
    having gained unauthorized access to a number of
    computer systems belonging to companies such as
    Motorola, Novell, Fujitsu, and Sun Microsystems.
  • Omega Engineering and Timothy Lloyd Jul 1996 -
    On July 30, 1996, a software time bomb at Omega
    Engineering deleted all design and production
    programs of the company. This severely damaged
    the small company forcing the layoff of 80
    employees.

7
History
  • Jester and the Worcester Airport Mar 1997 - In
    March 1997, airport services to the FAA control
    tower as well as emergency services at the
    Worcester Airport and the community of Rutland,
    Massachusetts, were cut off for six hours. This
    disruption occurred as a result of a series of
    commands sent by a teenage computer hacker who
    went by the name of jester. The individual
    gained unauthorized access to the loop carrier
    system operated by NYNEX.
  • Solar Sunrise Feb 1998 - During a period of
    increased tensions between the United States and
    Iraq and subsequent military preparations, a
    series of computer intrusions occurred at a
    number of military installations in the United
    States. Over 500 domain name servers were
    compromised during the attacks. It was difficult
    to track the actual origin of the attacks. This
    was because the attackers made a number of hops
    between different systems, averaging eight
    systems before reaching the target. The attackers
    eventually turned out to be two teenagers from
    California and their mentor in Israel.

8
History
  • Melissa Virus Mar 1999 - Melissa is the best
    known of the early macro type of virus, which
    attached itself to Microsoft Word 97 and Word
    2000 documents. The virus was written and
    released by David Smith. This virus infected
    about a million computers and caused an estimated
    $80 million in damages. This virus clogged
    networks with traffic and caused problems for
    e-mail servers worldwide. Whenever a file was
    opened, a macro caused it to infect the current
    host and also sent itself to the first fifty
    addresses in the individual's address book.
  • Love Letter Worm May 2000 - The worm spread via
    e-mail with the subject line ILOVEYOU. The
    number of infected machines worldwide may have
    been as high as 45 million. Similar to the
    Melissa virus, the Love Letter Worm spread via
    attachment to e-mails. In this case, instead of
    utilizing macros, the attachments were VBScript
    programs.
  • Code-Red Worm 2001 - On July 19, 2001, over
    350,000 computers connected to the Internet were
    infected by the Code-Red worm. The incident took
    only 14 hours to occur. Damages caused by the
    worm (including variations of the worm released
    on later dates) exceeded $2.5 billion. The
    vulnerability exploited by the Code-Red worm had
    been known for a month.

9
History
  • Adil Yahzy Shakour Aug 2001-May 2002 -
    Shakour accessed several computers without
    authorization, including Eglin Air Force Base
    (where he defaced the web site), Accenture (a
    Chicago-based management consulting and
    technology services company), Sandia National
    Laboratories (a Department of Energy facility),
    and Cheaptaxforms.com. At Cheaptaxforms.com, Shakour
    obtained credit card and personal information,
    which he used to purchase items worth over $7,000
    for his own use.
  • Slammer Worm 2003 - The Slammer worm was
    released on Saturday, January 25, 2003. It
    exploited a buffer-overflow vulnerability in
    computers running Microsoft's SQL Server or
    Microsoft SQL Server Desktop Engine. This
    vulnerability was not new. It had been
    discovered in July 2002. Microsoft had released
    a patch for the vulnerability even before it was
    announced. By the next day, the worm had infected
    at least 120,000 hosts and caused network outages
    and disruption of airline flights, elections, and
    ATMs. Slammer-infected hosts generated 1 TB of
    worm-related traffic every second. The worm
    doubled the number of infected hosts every 8
    seconds. It took less than ten minutes to reach
    global proportions and infect 90 percent of the
    possible hosts it could infect.
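The Slammer figures above (doubling every 8 seconds, 90 percent of the susceptible hosts in under ten minutes) follow from a simple epidemic model of a random-scanning worm. The block below is an added example, not part of the slides: it takes the slide's 8-second doubling time as the growth rate, assumes (this is an assumption, since the slide gives 120,000 as a count of infected hosts) a vulnerable population of 120,000 starting from a single infected host, ignores bandwidth saturation, and computes how long the logistic SI model needs to reach 90 percent, both in closed form and by simulation.

```python
"""Logistic (SI) model of a Slammer-style random-scanning worm.

Added example, not from the original slide deck. The growth rate comes from
the slide's 8-second doubling time; the population size, the single initial
host and the absence of bandwidth limits are modelling assumptions.
"""
import math

DOUBLING_TIME_S = 8.0        # from the slide: infected hosts doubled every 8 s
VULNERABLE_HOSTS = 120_000   # assumption: treat the slide's 120,000 figure as N
TARGET_FRACTION = 0.9        # from the slide: 90 percent of the hosts it could infect


def growth_rate(doubling_time_s: float) -> float:
    """Per-second exponential growth rate r implied by a doubling time T: 2 = e^(rT)."""
    return math.log(2) / doubling_time_s


def time_to_fraction(fraction: float, n_hosts: int, r: float,
                     initial_infected: int = 1) -> float:
    """Closed-form time (seconds) for the logistic model dI/dt = r*I*(1 - I/N)
    to grow from I0 infected hosts to fraction*N.

    The solution is I(t) = N / (1 + ((N - I0)/I0) * e^(-r t)); solving for t
    gives t = (1/r) * ln( odds_end / odds_start ) with odds = I/(N - I).
    """
    i0 = initial_infected
    odds_start = i0 / (n_hosts - i0)        # I0 / (N - I0)
    odds_end = fraction / (1 - fraction)    # I / (N - I) at the target fraction
    return math.log(odds_end / odds_start) / r


def simulate(n_hosts: int, r: float, fraction: float,
             dt: float = 0.1, initial_infected: int = 1):
    """Forward-Euler simulation of the same model.

    Returns (seconds, infected_hosts) at the first step where the infected
    count reaches fraction*N. Each infected host's scans reach a still
    susceptible host at rate r*(1 - I/N), which is what makes growth slow
    down as the vulnerable population is used up.
    """
    infected = float(initial_infected)
    t = 0.0
    target = fraction * n_hosts
    while infected < target:
        infected += dt * r * infected * (1 - infected / n_hosts)
        t += dt
    return t, int(infected)


if __name__ == "__main__":
    r = growth_rate(DOUBLING_TIME_S)
    print(f"growth rate r = {r:.4f} /s")
    print(f"closed form: 90% reached after {time_to_fraction(TARGET_FRACTION, VULNERABLE_HOSTS, r):.0f} s")
    t_sim, n_inf = simulate(VULNERABLE_HOSTS, r, TARGET_FRACTION)
    print(f"simulation:  90% ({n_inf} hosts) reached after {t_sim:.0f} s")
```

With these parameters the model reaches 90 percent in roughly 160 seconds, well inside the slide's "less than ten minutes"; the real outbreak was slower than the idealised curve because infected hosts saturated their own links and network segments failed under the scan load.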

10
Phishing
  • Phishing is a form of social engineering,
    characterized by attempts to fraudulently acquire
    sensitive information, such as passwords and
    credit card details, by masquerading as a
    trustworthy person or business in an apparently
    official electronic communication, such as an
    email or an instant message
  • In its simplest form, phishing involves sending
    out fake e-mail messages that ask recipients to
    enter personal information, such as bank account
    numbers, PINs or credit card numbers, into forms
    on Web sites that are designed to mimic bank or
    e-commerce sites.
  • Many fake sites are online for just two or three
    days, and most of the actual phishing activity
    takes place in the first 24 hours after messages
    are sent, experts say.
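The fake sites described above work because their hostnames look like the bank's or shop's real domain. As an added example (not code from the slides or from any of the products they mention), the following Python checks a URL against a constructed allowlist of legitimate domains and flags the three common look-alike tricks: the brand name used as a subdomain of an unrelated domain, digit-for-letter substitutions such as "1" for "l", and close typos measured by edit distance. The domain list, the confusable table and the thresholds are all assumptions a real deployment would replace with its own.

```python
"""Look-alike domain check for suspected phishing URLs.

Added example, not from the original slides. LEGIT_DOMAINS and CONFUSABLES
are constructed for illustration; `flag_phishing_url` is a hypothetical name.
"""
from urllib.parse import urlparse

# Constructed allowlist: the domains the organization actually operates.
LEGIT_DOMAINS = ["examplebank.com", "exampleshop.net"]

# Small constructed table of characters attackers swap in to imitate letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalize(name: str) -> str:
    """Undo common confusable substitutions and drop separators before comparing.
    'rn' -> 'm' is lossy on purpose: 'rn' is a classic imitation of 'm'."""
    return (name.lower().translate(CONFUSABLES)
            .replace("rn", "m").replace("-", "").replace(".", ""))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com/.net style names;
    multi-part suffixes such as co.uk would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def flag_phishing_url(url: str, legit_domains=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, reason); verdict is 'legit', 'suspicious' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown", "no hostname in URL"
    reg = registrable_domain(host)
    if reg in legit_domains:
        return "legit", f"registrable domain {reg} is on the allowlist"
    subdomain_labels = host.split(".")[:-2]
    for legit in legit_domains:
        brand = legit.split(".")[0]
        # 1. Brand name placed in a subdomain of some other registrable domain.
        if any(brand in label for label in subdomain_labels):
            return "suspicious", f"brand {brand!r} used as a subdomain of {reg}"
        # 2. Brand name embedded in a different registrable domain, possibly
        #    with confusable characters (examp1ebank.com, examplebank-secure.com).
        if brand in normalize(reg):
            return "suspicious", f"{reg} contains brand {brand!r} but is not {legit}"
        # 3. Close typo of the real domain (exampelbank.com).
        d = edit_distance(normalize(reg), normalize(legit))
        if d <= max_distance:
            return "suspicious", f"{reg} is within edit distance {d} of {legit}"
    return "unknown", f"{reg} matches no known brand"


if __name__ == "__main__":
    for u in ["https://www.examplebank.com/login",
              "http://examp1ebank.com/verify",
              "http://examplebank.com.login-verify.net/",
              "http://exampelbank.com/",
              "https://www.python.org/"]:
        print(u, "->", flag_phishing_url(u))
```

A verdict of "unknown" is not a clean bill of health; it only means the domain resembles none of the listed brands. In practice the allowlist is the organization's own domains and the check runs on the URLs in inbound mail before a user sees them.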

11
Malware
  • The term malware (malicious code) refers to software
    designed for a nefarious purpose; it may cause
    damage by:
  • Deleting all files.
  • Performing undesirable tasks without your knowledge
    or permission!
  • Modifying operating system and PC settings.
  • Creating a backdoor in the system to grant access
    to unauthorized individuals.
  • Although there is no official breakdown, we can
    divide malware into several broad categories:
    adware, spyware, hijackers, toolbars, phishing,
    rootkits, viruses, worms, trojan horses, data
    mining and dialers.
  • It is very common for people to use the words
    adware, spyware, and malware interchangeably.
  • Anti-virus software doesn't protect you.

12
Infectious Malware - Virus
  • A virus is a type of malicious code that
    replicates by attaching itself to an authorized
    piece of executable code.
  • File Infector
  • Boot Sector
  • Macro (Microsoft Viruses)
  • Stealth and polymorphic virus
  • The program virus attaches itself to executable
    files.
  • The virus is attached in such a way that it
    executes before the program.
  • Avoiding Viruses
  • Good PC Practices
  • Antivirus Software

13
Infectious Malware - Worms
  • A worm is a code that attempts to penetrate
    networks and computer systems and creates a copy
    of itself
  • Reproduction of a worm, unlike a virus, does not
    rely on the attachment of the virus to another
    piece of code or a file.
  • The blurring of the distinction between viruses
    and worms has come about because of the
    attachment of malicious code to e-mail.
  • The important distinction, however, is whether
    the code has to attach itself to something else
    (a virus), or if it can survive on its own (a
    worm).

14
Concealment Malware - Trojan Horses
  • A Trojan horse (Trojan) is a stand-alone program
    that must be copied or installed by the user and
    appears to do one thing but hides another
    action.
  • The challenge for the attacker is enticing the
    user to copy and run the program.
  • To prevent a Trojan from entering a system is
  • Never run software if unsure of its origin,
    security, and integrity.
  • Use antivirus programs to detect and prevent the
    installation of known Trojans.

15
Malware for profit
  • spyware, botnets, loggers, and dialers
  • Botnets are harder to trace - Botnets are
    networks of computers infected with code that
    allows hackers to control them. Once grouped
    together, a botnet is illegally used to send
    spam, propagate viruses, and carry out DDOS
    (distributed denial of service) attacks aimed at
    causing a Web site to crash.
  • Keyloggers - Keep track of all your keystrokes
    and can record credit card information,
    passwords, addresses, etc.
  • Dialers - Programs that use a computer or modem
    to dial out to a toll number or Internet site,
    typically to accrue charges. Dialers can be
    installed with or without a user's explicit
    knowledge, and may perform their dialing activity
    without a user's specific consent prior to
    dialing.

16
Malware for Profit - Spyware
  • Spyware
  • Generally gets onto a PC through freeware or
    shareware, also e-mail or instant message, or by
    someone with access to a user's computer.
  • A program that sends information from your
    computer to another location on the Internet
    without your knowledge and without your explicit
    consent. The operators then sell the use of this
    information to advertisers who can purchase the
    opportunity to make ads pop up.
  • Automatically starts each time you start your
    computer.
  • Runs in the background where you can't see it.
  • Some people believe that spyware has advantages,
    like delivering wanted advertisements to you
    while you are surfing the net, sort of like TV.
  • Data analysis of spyware data (your personal
    information) is now a big, thriving enterprise.
  • Tracks web site visits.
  • Has an auto-update feature that updates
    automatically.

17
Spyware Symptoms
  • Top 10 Symptoms of Spyware
  • Slow computer performance.
  • System instability - PC freezes up, reboots, or
    loses information.
  • New Toolbars, links, menus or buttons. 
  • New Shortcuts on your Desktop or system tray. 
  • Hijacked Homepage. 
  • Hijacked Search results. 
  • New "page cannot be displayed" landing page.
  • Abnormal increase in pop-ups. 
  • Unusual number of hyperlinks.
  • Ending up on unknown websites.

18
Active Spyware
  • Websearch Toolbar
  • Hotbar
  • CoolWeb Toolbar
  • My Search Toolbar
  • Tro.DesktopScam
  • E-Zula
  • Comet Cursor
  • Bonzai Buddy
  • Jupiter
  • Double Click
  • Alexz
  • Adware.cmdService
  • SaveNow
  • YourSiteBar

19
Statistics
  • 8 out of 10 PCs are infected with some sort of
    spyware, with an average of 24.4 spies per PC
    scanned.
  • Microsoft estimates that 50% of all PC crashes
    are due to spyware.
  • Dell reports that 20% of all technical support
    calls involve spyware.
  • The growth of spyware is exponential.
  • 50% of all free software is bundled with spyware.
  • Data mining companies pay a lot of money to the
    smaller developers to include spyware with their
    products.
  • This offer is very enticing for small companies;
    it helps them survive.

20
Spyware Data Mining/Trackware
  • Data Miner - The application is designed to collect
    information about the user and does so actively.
    This may or may not include transmission of the
    information to a remote server; the information
    collected is disclosed to the user via a privacy
    policy and/or licensing (EULA). The EULA is where
    they ask you for permission to install their
    software, and by clicking OK you have given
    them permission to do this and often more.
  • Adware - This is content that is designed to
    display advertising to the user that may not be
    expected or wanted. While some also categorize
    advertising applications that may include
    tracking features or capabilities as adware, we
    place them within more descriptive categories
    such as Trackware or Data Miner to provide more
    information to the user. Adware is generally
    innocuous, and consumers may want to remove this
    content if they no longer wish to receive the
    advertising content. They may wish to keep it,
    though, if the programs are required for the use
    of a host application.

21
Concealment Malware -Rootkits
  • Rootkits
  • A rootkit is a stealth approach that is virtually
    undetectable. A program can be loaded on your
    hard drive and running in the system, and no
    matter what you do, you can't see it. Essentially
    it modifies the way the OS itself works by
    compromising the kernel.
  • How does it get into the PC?
  • Downloadable spyware and malware, freeware, file
    sharing systems; you could have one on your
    system right now...
  • How can the PC be protected?
  • Rootkits are a hard-to-detect-and-remove
    technology, and none of the anti-spyware
    technology (Ad-Aware or Spybot Search & Destroy)
    is effective.
  • Microsoft is developing a project called
    Ghostbuster.
  • RootkitRevealer at sysinternals.com.
  • The latest issue of Phrack magazine and rootkit.com are
    full of rootkit source code.
  • Can be used for legitimate reasons.

22
Summary of Effects
  • Collection of Data from your PC without your
    consent
  • Execution of Malicious code without your
    knowledge
  • Collects data pertaining to your habitual use and
    sells it to marketing companies
  • Makes it impossible to remove their software by
    standard methods and sometimes not at all
  • Performs other undesirable tasks on your PC such
    as using your PC as a go between other PCs and
    their servers
  • Control Panel will not open up or take 5-10
    minutes to open
  • Internet Explorer can stop working or not access
    particular websites.
  • Some even keep you from accessing Microsoft.com
  • You change your Home Page and when you reboot it
    has changed back to an Adult Links Pornographic
    Site

23
Protection
  • Adaware
  • Spybot Search and Destroy
  • Hijack This
  • Activate Cox spam filters and install Spyware and
    Popup blockers
  • PC Magazine
  • Microsoft has a removal tool
  • Before adding any other spyware detection and
    removal programs, always check the Rogue
    Anti-Spyware List for programs known to be
    misleading, mistaken, or just outright
    "Foistware". You will find the list here:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm

24
Threats
  • Viruses and worms
  • Are generally not written by employees of
    organizations.
  • Are expected to be the most common problem that
    an organization will face as thousands of them
    have been created.
  • Are also generally non-discriminating threats
    that are released on the Internet and are not
    targeted at a specific organization.

25
Threats to Security
  • The act of deliberately accessing computer
    systems and networks without authorization or
    exceeding one's authority is called hacking.
  • There are a number of ways to break down the
    various threats.
  • To break down threats, users need to
  • Categorize external threats versus internal
    threats.
  • Examine the various levels of sophistication of
    the attacks from script kiddies to elite
    hackers.
  • Examine the level of organization for the various
    threats from unstructured to highly structured
    threats.

26
Levels of Sophistication
  • Intruders are very patient as it takes
    persistence and determination to gain access to a
    system.
  • Insiders
  • Are more dangerous than outside intruders.
  • Have the access and knowledge necessary to cause
    immediate damage to an organization.
  • Besides employees, insiders also include a number
    of other individuals who have physical access to
    facilities.

27
Levels of Sophistication
  • Unstructured Threats - newbies with hacking
    tools.
  • Attacks are generally conducted over short
    periods of time (3 months).
  • Small number of individuals with little
    financial backing.
  • They do not include collusion with insiders.
  • Script Kiddies - At the low end technically are
    script kiddies.
  • They don't have the technical expertise to develop
    scripts or discover new vulnerabilities in
    software.
  • They have just enough understanding of computer
    systems to be able to download and run scripts
    that others have developed.

28
Levels of Sophistication
  • Sophisticated Intruders - These individuals are
    capable of writing scripts to exploit known
    vulnerabilities.
  • They are more technically competent than script
    kiddies.
  • They account for an estimated 8 to 12% of the
    individuals conducting intrusive activity on the
    Internet.
  • Elite hackers are highly technical individuals
    and are able to:
  • Write scripts that exploit vulnerabilities.
  • Discover new vulnerabilities.
  • This group is the smallest, accounting for only 1
    to 2% of the individuals conducting intrusive
    activity.

29
Structured Threat
  • Criminal Organizations
  • Criminal activity on the Internet at its most
    basic is not different than criminal activity in
    the physical world.
  • A difference between criminal groups and the
    average hacker is the level of organization
    that criminal elements may employ in their
    attack.
  • Attacks by criminal organizations can fall into
    the structured threat category, which is
    characterized by
  • Planning.
  • Long period of time to conduct the activity.
  • More financial backing.
  • Corruption of or collusion with insiders.

30
Highly Structured Threats
  • Highly structured threats are characterized by
  • A long period of preparation (years is not
    uncommon).
  • Tremendous financial backing.
  • A large and organized group of attackers.
  • These threats subvert insiders and attempt to
    plant individuals inside before an attack.
  • In information warfare, military forces are
    certainly still a key target
  • Other likely targets can be infrastructures that
    a nation relies on for its daily existence.
  • Terrorist organizations can also accomplish
    information warfare.

31
Critical Infrastructure
  • Critical infrastructures are those
    infrastructures whose loss would have a severe
    detrimental impact on a nation. Examples
  • Water.
  • Electricity.
  • Oil and gas refineries and distribution.
  • Banking and finance.
  • Telecommunications.

32
Security Trends
  • The biggest change in security over the last 30
    years has been the change in the computing
    environment.
  • Large mainframes are replaced by pc networks
  • Access can be from the outside
  • The type of attacker has changed, non-affiliated
    intruders, including script-kiddies.
  • As the level of sophistication of attacks has
    increased, the level of knowledge necessary to
    exploit vulnerabilities has decreased.

33
Avenues of Attack
  • The two most frequent types of attacks:
  • viruses and insider abuse.
  • Two general reasons a particular computer system is
    attacked:
  • it is either specifically targeted by the
    attacker, not because of the hardware or software
    the organization is running but for some other
    reason, such as a political reason (hacktivism);
  • or it is an opportunistic target: the attack is
    conducted against a site that has hardware or
    software that is vulnerable to a specific exploit.
  • Targeted attacks are more difficult and take more
    time than attacks on a target of opportunity.

34
The Steps in an Attack
  • The steps an attacker takes are similar to the
    ones that a security consultant performing a
    penetration test would take.
  • gather as much information about the organization
    as possible.
  • determine what target systems are available and
    active.
  • ping sweep, sends an ICMP echo request to the
    target machine.
  • perform a port scan to identify the open ports,
    which indicates the services running on the
    target machine.
  • Determine the OS (refer to page 18 of The Google
    Hacking Guide for an example).
  • An attacker can search for known vulnerabilities
    and tools that exploit them, download the
    information and tools, and then use them against
    a site.
  • If the exploits do not work, other, less
    system-specific, attacks may be attempted.

35
Minimizing Avenues of Attack
  • Understanding the steps an attacker takes helps
    guard against attacks.
  • ensure that all patches for the operating system
    and the applications are installed.
  • limit the services running on a system.
  • provide as little information as possible on an
    organization and its computing resources.
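The ping sweep and port scan described on the previous slide are the attacker's first visible actions, and the defensive advice above (fewer services, less exposed information) is easier to act on when those actions are noticed. The following Python is an added example, not part of the slides: it parses constructed firewall log lines and raises an alert when one source pings at least five distinct hosts or probes at least ten distinct ports on one host within a 60-second window. The log format, the sample lines and the thresholds are assumptions made for this example; a real deployment tunes them to its own traffic.

```python
"""Detect ping sweeps and port scans in firewall logs.

Added example, not from the original slides. The key=value log format, the
SAMPLE_LOG lines and the thresholds below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SWEEP_MIN_HOSTS = 5              # assumption: >= 5 distinct hosts pinged by one source
SCAN_MIN_PORTS = 10              # assumption: >= 10 distinct ports probed on one host
WINDOW = timedelta(seconds=60)   # assumption: counted within any 60-second window

# Constructed sample: 10.0.0.5 pings six hosts, then probes eleven ports on
# 192.168.1.3; 10.0.0.7 is ordinary traffic (two pings, repeated web requests).
SAMPLE_LOG = "\n".join(
    [f"2006-03-01T10:00:0{i} proto=icmp type=8 src=10.0.0.5 dst=192.168.1.{i + 1}"
     for i in range(6)] +
    [f"2006-03-01T10:00:{10 + i:02d} proto=tcp src=10.0.0.5 dst=192.168.1.3 dport={p}"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445])] +
    ["2006-03-01T10:00:30 proto=icmp type=8 src=10.0.0.7 dst=192.168.1.3",
     "2006-03-01T10:00:31 proto=icmp type=8 src=10.0.0.7 dst=192.168.1.4",
     "2006-03-01T10:00:32 proto=tcp src=10.0.0.7 dst=192.168.1.3 dport=80",
     "2006-03-01T10:00:40 proto=tcp src=10.0.0.7 dst=192.168.1.3 dport=80",
     "2006-03-01T10:00:41 proto=tcp src=10.0.0.7 dst=192.168.1.3 dport=443"])


def parse_line(line: str) -> dict:
    """'<iso timestamp> key=value key=value ...' -> dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def windowed_distinct(events: list, min_distinct: int) -> bool:
    """events: list of (timestamp, value). True if any WINDOW-long span of the
    events holds at least min_distinct distinct values (sliding window)."""
    events.sort()
    in_window = Counter()
    start = 0
    for ts, value in events:
        in_window[value] += 1
        while ts - events[start][0] > WINDOW:      # evict events that fell out of the window
            old = events[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        if len(in_window) >= min_distinct:
            return True
    return False


def detect(records: list) -> list:
    """Return alerts as (kind, source, target) tuples; target is None for sweeps."""
    pings = defaultdict(list)    # src -> [(ts, dst)]
    probes = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    for r in records:
        if r.get("proto") == "icmp" and r.get("type") == "8":     # ICMP echo request
            pings[r["src"]].append((r["ts"], r["dst"]))
        elif r.get("proto") in ("tcp", "udp") and "dport" in r:
            probes[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
    alerts = []
    for src, events in pings.items():
        if windowed_distinct(events, SWEEP_MIN_HOSTS):
            alerts.append(("ping_sweep", src, None))
    for (src, dst), events in probes.items():
        if windowed_distinct(events, SCAN_MIN_PORTS):
            alerts.append(("port_scan", src, dst))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Counting distinct targets or ports inside a sliding window, rather than raw packet counts, is what keeps a busy but legitimate client like 10.0.0.7 from tripping the rule; the same structure extends to other reconnaissance signals such as DNS zone-transfer attempts or repeated login failures.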