CS423523 - PowerPoint PPT Presentation

1 / 38
About This Presentation
Title:

CS423523

Description:

Conficker worm spikes, infects 1.1 million PCs in 24 hours ... ' Conficker worm is back with a vengeance, infecting over one million systems in ... – PowerPoint PPT presentation

Number of Views:240
Avg rating:3.0/5.0
Slides: 39
Provided by: CarolT155
Category:

less

Transcript and Presenter's Notes

Title: CS423523


1
CSCD 434
Lecture 2 Spring 2009 Computer Security
Overview
2
Overview
  • Security Defined
  • Traditional and Modern
  • Confidentiality, Integrity, Availability
  • Other views
  • Threats to Computer Systems
  • How bad is it?
  • Vulnerabilities
  • Defined, Statistics
  • Examples

3
Traditional View Security
  • Department of Defense (NSA, Others)?
  • Dates back to the 1960's
  • Multi-user systems, mainframes
  • Shared access for users with different clearances
  • Top-secret, secret, confidential, unclassified
  • TS, S, C, U
  • Most concerned with keeping secrets, away from
    nation states level of adversaries
  • China, Russia, Eastern Europe

4
Traditional View Security
  • Military dominated computer security originally
  • Obsessed with confidentiality
  • Funded research tried to prove multiple access
    environment in which secrets could remain secret
    in presence of unclassified people
  • Concerned with detecting covert channels where
    spies or insiders would signal each other

5
Modern View of Security
  • 1. Computers are all connected and
    interdependent
  • This codependency magnifies effects of any
    failures
  • Conficker worm spikes, infects 1.1 million PCs in

    vengeance, infecting over one million systems in
    the past 24 hours ... scans networks for weakly
    protected machines and actively attempts to
    spread itself via USB thumb drives

6
Modern View of Security
  • Other Examples
  • Slammer worm, 2003, infected 75,000 computers in
    11 minutes, continued to scan 55 million
    computers / sec
  • Blaster worm, 2003, infected 138,000 in first 4
    hours, and over 1.4 million computers worldwide

7
Modern View of Security
  • 2. Computing today is very homogeneous
  • A single architecture and a handful of OS's
    dominate
  • In biology, homogeneous populations are in danger
  • A single disease or virus can wipe them out
    because they all share the same weakness
  • The disease only needs a vector to travel among
    hosts
  • Computers are the animals ... think cows
  • Internet provides the infection vector ... virus
    that sickens cows ... Mad Cow disease

8
Security Defined
  • System Secure if
  • Has these properties
  • Confidentiality
  • Integrity
  • Availability
  • C.I.A

9
Confidentiality Defined
  • Confidentiality
  • Data must only be accessed, used, copied, or
    disclosed by persons who have been authorized
  • To access, use, copy, or disclose information
  • Ensuring information is not accessed by
    unauthorized users

10
Confidentiality Example
  • Communication between two people should not be
    compromised

Threats
We have made an important discovery
Eavesdropping, packet sniffing, illegal copying
network
11
Integrity Defined
  • Integrity
  • Data must not be
  • Created
  • Changed, or
  • Deleted without authorization
  • Ensuring that information is not altered by
    unauthorized persons

12
Integrity Defined
  • Messages should be received as originally intended

Threats
Intercept messages, tamper, release again
I love you darling!!
I dont want to see you again
network
13
Availability Defined
  • Availability
  • Systems used to process information and the
    network used to deliver the information are
    functioning correctly when the information is
    needed.
  • The opposite of availability is denial of service
    (DOS)?

14
Availability Example
  • Disrupting communications completely

Threats
Overwhelm or crash servers, disrupt infrastructure
network
15
CIA
  • While a good way to measure system security
  • DOD environment
  • Not sufficient for modern computers
  • Computers these days are complex
  • Many more layers of applications and uses
  • More difficult to both define and measure security

16
Simple View Computer Security
  • You have something you want to protect
  • You have someone or something you want
  • to protect it from
  • You are willing to expend effort and
  • resources in order to protect it

17
Other Views
Best considered a process, not a state Risk
Do Assessment, manage risk, mitigate what can't
be managed Need to identify whats Good
Enough Security is a tradeoff, can't protect
everything
18
ATM Machine Example
  • ATM machine
  • User asks for cash, spits it out
  • Door opens, user takes cash, door closes
  • What happens if user doesnt take cash?

19
ATM Machine Example
  • Assumption if this happens, subsequent user
    shouldnt get cash that doesnt belong to him
  • All following transactions, machine refuses to
    open door
  • Cash could go to wrong user
  • Creates a DoS for rest of users

20
Security Protocols Difficult
  • Hard to get security protocols right
  • Designers dont anticipate everything that could
    go wrong
  • However, users or attackers find the flaw
  • Even something seemingly simple can have flaws

21
US Tax System Example
  • Tax refunds, how hard is that?
  • Algorithm for processing form
  • Verify identity of form filled out by a given
    person
  • Verify income and with-holding are correct
  • If these two steps ok amount of Withholding
    tax owed
  • then send person refund check
  • What could go wrong?

22
US Tax System Example
  • Except, no provision for not issuing duplicate
    checks
  • Person could file for multiple refund checks
    under this system
  • And, that happened for a while
  • Was eventually caught

23
Computer Security Threats
24
Threats to Computer Security
  • So, what are the threats?
  • Passive
  • Sniffing of data
  • Viewing of information physical
  • Over your shoulder, taking pictures of screens
  • Dumpster diving
  • Social Engineering
  • Active
  • Interception of data, injection of data
  • Virus, worm, trojan horse program
  • DOS or DDOS

25
Is Security that Bad?
26
Is Security that Bad?
27
Security Seems to be Bad
  • CERT identified
  • Just under 200 vulnerabilities in 1995
  • Reported 3,784 in 2003
  • Which increased to 7,236 in 2007
  • An increase of over 3600 percent in 12 years
  • CERT's counts are considered conservative and the
    actual number of vulnerabilities is likely higher!

28
Why do threats succeed?
  • Vulnerabilities !!!
  • Vulnerabilities !!!
  • Vulnerabilities !!!
  • Vulnerabilities !!!
  • Vulnerabilities !!!

Is it because hackers are so smart, or is it just
too easy?
29
Vulnerability Defined
  • What is a security vulnerability?
  • A vulnerability is an error or weakness in a
    component that allows it to be attacked
  • Typically, something that runs in an OS or other
    application
  • If exploited, each vulnerability can potentially
    compromise the system or network

30
Vulnerabilities Explained
  • Software vulnerabilities are highly specific
  • Classic vulnerability affects a single feature of
    one release of a software product installed under
    a specific operating system
  • Out of trillions of lines of code running in
    networked systems,
  • A vulnerability may exist in a single line.
  • Like a unique grain of sand in a mile-long beach
    ...
  • As the number of network components grows every
    year, so do the number of vulnerabilities

31
Vulnerability Example
  • CVE-2005-3641
  • Oracle Databases running on Windows XP with
    Simple File Sharing enabled, allows remote
    attackers to bypass authentication by supplying a
    valid username.
  • Impact
  • CVSS Severity 7.0 (High)
  • Range Remotely exploitable
  • Authentication Not required to exploit
  • Impact Type Provides unauthorized access, Allows
    partial confidentiality, integrity, and
    availability violation , Allows disruption of
    service
  • For a database of common vulnerabilities and
    exposures, visit http//icat.nist.gov/icat.cfm

32
Vulnerabilities
  • True or False?
  • Vulnerabilities that lead to system security
    breaches are a result of sloppy or ignorant
    programmers producing bad, error-prone code

33
Vulnerabilities
  • If previous statement isnt true,
  • What causes vulnerabilities?
  • Software is one cause
  • Bugs, coding errors or incomplete specifications
    that didnt account for security
  • Network protocols bad design
  • Incorrect assumptions about protocols and how
    they would be used classic example is TCP/IP
  • Human error
  • Social engineering and human ignorance
  • Physical access
  • Insecure premises allowing unauthorized access

34
Human Vulnerabilities
  • Social Engineering
  • Alive and well in spite of lots of publicity
  • Email Scams
  • Investment schemes in African economy
  • Nigerian uncle has died intestate Need to
    transfer 8M to US with your assistance. You will
    get 10 of funds, need your bank info to initiate
    the transfer
  • Phishing
  • Want to get your money!!
  • Your paypal account needs updating, please enter
    your username and password

35
Improving Security
  • Design it in from the beginning
  • Security is typically an afterthought still
  • People more concerned with performance and nice
    features than security, want to sell products
  • Microsoft ??
  • Security is often seen as something users dont
    want hinders their use of the system
  • Must create security requirements that need to be
    met along with other requirements

36
Security is Hard
  • Security hard to define
  • Without good definition, almost impossible to
    achieve
  • One way to think of security,
  • Consider system states
  • Think of security of a system as its ability to
    stay in good states
  • Be wary of anyone who says they have built a
    secure system
  • How do they know?

37
Security is Hard
  • Beware of those who sell you a secure system
  • Its not magic!!!
  • Constant vigilence, constant flux to just
    maintain status quo
  • We truly are in a war with real adversaries
  • Don't often win, either ... learn the tools that
    help

38
The End
  • Next Time
  • TCP/IP Vulnerabilities
  • Read 1. TCP/IP Article Steve Bellovin and
  • 2. BGP Article - Ola Nordstrom and Constantinos
    Dovrolis
Write a Comment
User Comments (0)
About PowerShow.com