Syllabus - PowerPoint PPT Presentation

1 / 56
About This Presentation
Title:

Syllabus

Description:

CSI/FBI Computer Crime and Security Survey. Attackers and Attacks. Layered Security Architecture ... by the Computer Security Institute (http://www.gocsi. ... – PowerPoint PPT presentation

Number of Views:549
Avg rating:3.0/5.0
Slides: 57
Provided by: ValuedGate2228
Category:
Tags: csi | syllabus

less

Transcript and Presenter's Notes

Title: Syllabus


1
Unit 1 Class overview, general security concept,
threats and defenses
  • Syllabus
  • What is Security?
  • CSI/FBI Computer Crime and Security Survey
  • Attackers and Attacks
  • Layered Security Architecture
  • In class exercise Comparing a bank and a
    cyber-bank

2
Welcome
  • Syllabus
  • Grading
  • 4 Homeworks (40) Mostly Research Oriented, 1
    design homework
  • Hw 1-10 Hw 2-5 Hw3-10 Hw4-15
  • 5 Home-Lab Exercises or term paper 20.
  • Mid Term Exam Closed book -15
  • Final Exam Closed book - 15
  • Class Participation 10

3
What is Security?
  • Like in non-Cyber real world Security is used
    to secure, protect, prevent bad things to happen
    (or try to).
  • From Webster
  • Function nounInflected Form(s) plural
    -tiesDate 15th century1 the quality or state
    of being secure as a freedom from danger
    SAFETY b freedom from fear or anxiety c
    freedom from the prospect of being laid off
    security2 a something given, deposited, or
    pledged to make certain the fulfillment of an
    obligation b SURETY3 an evidence of debt or
    of ownership (as a stock certificate or bond)4 a
    something that secures PROTECTION b (1)
    measures taken to guard against espionage or
    sabotage, crime, attack, or escape (2) an
    organization or department whose task is security

4
What is Security?
  • Security Activities Are based on 3 Types of
    Actions
  • Prevent Put protection measures/system to
    protect assets and prevent unauthorized access.
  • Detect Detect if an asset has been compromised,
    when, by whom and gather information on the type
    of breach committed, activities and evidence
    logs.
  • Act/React Take measure to recover from attack
    and prevent same type of attacks or prevent
    attack in progress.

5
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
  • How Bad is the Threat?
  • Survey conducted by the Computer Security
    Institute (http//www.gocsi.com).
  • Based on replies from 503 U.S. Computer Security
    Professionals.
  • If fewer than 20 firms reported quantified dollar
    losses, data for the threat are not shown.
  • Note All figures are from the optional text by
    Panko

6
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
7
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
8
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
9
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
10
Figure 1-2 Other Empirical Attack Data
  • Riptech
  • Analyzed 5.5 billion firewall log entries in 300
    firms in five-month period
  • Detected 128,678 attacksan annual rate of 1,000
    per firm
  • Only 39 of attacks after viruses were removed
    were directed at individual firms

11
Figure 1-2 Other Empirical Attack Data
  • Riptech
  • 23 of all firms experienced a highly aggressive
    attack in a 6-month period
  • Only one percent of all attacks, highly
    aggressive attacks, are 26 times more likely to
    do severe damage than even moderately
    sophisticated aggressive attacks

12
Figure 1-2 Other Empirical Attack Data
  • SecurityFocus
  • Attack Targets
  • 31 million Windows-specific attacks
  • 22 million UNIX/LINUX attacks
  • 7 million Cisco IOS attacks
  • All operating systems are attacked!

13
Figure 1-3 Attack Trends
  • Growing Incident Frequency
  • Incidents reported to the Computer Emergency
    Response Team/Coordination Center
  • 1997 2,134
  • 1998 3,474 (75 growth from the year before)
  • 1999 9,859 (164 growth from the year before)
  • 2000 21,756 (121 growth from the year before)
  • 2001 52,658 (142 growth from the year before)
  • Tomorrow? . Well CERT decided to stop counting
    as of 6/2004!!

14
Figure 1-3 Attack Trends
  • Growing Randomness in Victim Selection
  • In the past, large firms were targeted
  • Now, targeting is increasingly random
  • No more security through obscurity for small
    firms and individuals

15
Figure 1-3 Attack Trends
  • Growing Malevolence
  • Most early attacks were not malicious
  • Malicious attacks are becoming the norm

16
Figure 1-3 Attack Trends
  • Growing Attack Automation
  • Attacks are automated, rather than
    humanly-directed
  • Essentially, viruses and worms are attack robots
    that travel among computers
  • Attack many computers in minutes or hours

17
Who are the Attackers???
  • Elite Hackers
  • White hat hackers
  • This is still illegal
  • Break into system but notify firm or vendor of
    vulnerability
  • Black hat hackers
  • Do not hack to find and report vulnerabilities
  • Gray hat hackers go back and forth between the
    two ways of hacking
  • Hack but with code of ethics
  • Codes of conduct are often amoral
  • Do no harm, but delete log files, destroy
    security settings, etc.
  • Distrust of evil businesses and government
  • Still illegal
  • Deviant psychology and hacker groups to reinforce
    deviance

18
Who are the Attackers???
  • Virus Writers and Releasers
  • Virus writers versus virus releasers
  • Only releasing viruses is punishable

19
Who are the Attackers???
  • Script Kiddies
  • Use prewritten attack scripts (kiddie scripts)
  • Viewed as lamers and script kiddies
  • Large numbers make dangerous
  • Noise of kiddie script attacks masks more
    sophisticated attacks

20
Who are the Attackers???
  • Criminals
  • Many attackers are ordinary garden-variety
    criminals
  • Credit card and identity theft
  • Side note on threat to Credit Card . How do
    attacker capture credit card information? Via
    Sniffing traffic?
  • How many of the audience have worries when
    shopping online? How many of the audience ever
    used a credit card to pay for a restaurant meal?
  • Stealing trade secrets (intellectual property)
  • Extortion

21
Who are the Attackers???
  • Corporate Employees
  • Have access and knowledge
  • Financial theft
  • Theft of trade secrets (intellectual property)
  • Sabotage
  • Consultants and contractors
  • IT and security staff are biggest danger

22
Who are the Attackers???
  • Cyberterrorism and Cyberwar
  • New level of danger
  • Infrastructure destruction
  • Attacks on IT infrastructure
  • Use IT to establish physical infrastructure
    (energy, banks, etc.)
  • Simultaneous multi-pronged attacks
  • Cyberterrorists by terrorist groups versus
    cyberwar by national governments
  • Amateur information warfare

23
Very good Illustration of Attacks and Attackers
  • http//grc.com/dos/grcdos.htm
  • Non credit assignment Read the full article.
    Note all material in non credit assignments is
    can be present in quizz and exams.

24
Framework for Attacks
Attacks
Social Engineering -- Opening Attachments Password
Theft Information Theft
Physical Access Attacks -- Wiretapping Server
Hacking Vandalism
Dialog Attacks -- Eavesdropping Impersonation Mess
age Alteration
Penetration Attacks
Malware -- Viruses Worms
Denial of Service
Scanning (Probing)
Break-in
25
Figure 1-6 Attacks and Defenses (Study Figure)
  • Physical Attacks Access Control
  • Access control is the body of strategies and
    practices that a company uses to prevent improper
    access
  • Prioritize assets
  • Specify access control technology and procedures
    for each asset
  • This can be electronic use access control to
    prevent certain traffic in
  • This can be physical use locks to prevent
    physical access to devices.
  • JP side note If an attacker gains physical
    access to a device that device IS (or should be
    considered) compromised no EXCEPTION!!!
  • A quote from my favorite little threat Philippe
    Labruyere, 6 years old, spilling orange juice on
    my computer I win, you loose, game over (it
    was over a Pokemon card game that I played while
    my laptop was on next to us and he played a
    deadly headbutt attack on my Pikachu, spilling
    his drink) Let me know if I go way off-topic
    here
  • Test the protection but dont spill Orange Juice
    on it

26
Figure 1-6 Attacks and Defenses (Study Figure)
  • Site Access Attacks and Defenses
  • Wiretaps (including wireless LANs intrusions
  • Hacking servers with physical access

27
Figure 1-6 Attacks and Defenses (Study Figure)
  • A slight variation of access attack Social
    Engineering
  • Tricking an employee into giving out information
    or taking an action that reduces security or
    harms a system
  • Opening an e-mail attachment that may contain a
    virus
  • Asking for a password claming to be someone with
    rights to know it
  • Asking for a file to be sent to you

28
Figure 1-6 Attacks and Defenses (Study Figure)
  • Social Engineering Defenses
  • Training
  • Enforcement through sanctions (punishment)

29
Figure 1-6 Attacks and Defenses (Study Figure)
  • Dialog Attacks and Defenses
  • Eavesdropping
  • Encryption for Confidentiality
  • Imposters and Authentication
  • Cryptographic Systems

30
Figure 1-7 Eavesdropping on a Dialog
Dialog
Hello
Client PC Bob
Server Alice
Hello
Attacker (Eve) intercepts and reads messages
31
Figure 1-8 Encryption for Confidentiality
Encrypted Message 100100110001
Client PC Bob
Server Alice
100100110001
Attacker (Eve) intercepts but cannot read
Original Message Hello
Decrypted Message Hello
32
Figure 1-9 Impersonation and Authentication
Im Bob
Prove it! (Authenticate Yourself)
Attacker (Eve)
Server Alice
33
Figure 1-10 Message Alteration
Dialog
Balance 1,000,000
Balance 1
Server Alice
Balance 1
Balance 1,000,000
Attacker (Eve) intercepts and alters messages
34
Figure 1-11 Secure Dialog System
Secure Dialog
Client PC Bob
Server Alice
Automatically Handles Negation of Security
Options Authentication Encryption Integrity
Attacker cannot read messages, alter messages,
or impersonate
35
Figure 1-12 Network Penetration Attacks and
Firewalls
Attack Packet
Internet Firewall
Hardened Client PC
Internet
Attacker
Internal Corporate Network
Log File
36
Figure 1-13 Scanning (Probing) Attacks
Reply from172.16.99.1
Probe Packets to 172.16.99.1, 172.16.99.2, etc.
Host 172.16.99.1
Internet
Attacker
No Host 172.16.99.2
Results 172.16.99.1 is reachable 172.16.99.2 is
not reachable
No Reply
Corporate Network
37
Figure 1-14 Single-Message Break-In Attack
1. Single Break-In Packet
2. Server Taken Over By Single Message
Attacker
38
Figure 1-15 Denial-of-Service (DoS) Flooding
Attack
Message Flood
Server Overloaded By Message Flood
Attacker
39
Figure 1-16 Intrusion Detection System (IDS)
1. Suspicious Packet
Intrusion Detection System (IDS)
4. Alarm
Network Administrator
2. Suspicious Packet Passed
Internet
Attacker
3. Log Suspicious Packet
Corporate Network
Log File
40
What Are the Types of Security Threats?
  • Service Disruption and Interruption
  • Compromise the service Availability
  • Interception
  • Compromise the service Confidentiality
  • Modification
  • Compromise the service Integrity
  • Fabrication
  • Compromise the service Authenticity
  • Often you will see the security services
    summarized into 3 categories C.I.A
  • Confidentiality
  • Integrity
  • Availability
  • In this model, authenticity is a subset of
    integrity

41
What Are the Types of Security Threats?
  • These different Threats can be subject to two
    types of possible attacks Passive and Active.
  • Passive Attacks
  • Attacks that do not require modification of the
    data.
  • Active Attacks
  • Attacks that do require modification of the data
    or the data flow.
  • Which one is harder to notice? (yes I know it is
    a silly question it used to be a 0.05 Euro
    question but now it is downgrade to a 0.01
    question)

42
Layered Security Architecture
  • As we have seen in previous slides, security
    services that must be provided are numerous and
    diverse.
  • Similarly to the real-world bank, our web
    servers, our networks can have many
    vulnerabilities and these vulnerabilities can be
    located in many layers of the architecture.
  • We need to practice a security in-depth
    approach.
  • Security consideration and services must be
    present in each and every level of components.
  • Rule When analyzing the quality of your security
    infrastructure, always assume that 1 full
    security layer/functionality will entirely fail.
  • Are you still secured? What are your areas of
    vulnerabilities?
  • How long would it take for you to detect the
    failure?
  • Vulnerabilities and security services involve all
    7 layers of the OSI model.
  • Security also is greatly dependant on the OSIs
    Layer 8.
  • The balance between the threat to a system and
    the security services deployed is very
    Asymmetric You need to defend each and every
    aspects to be successful An attacker often
    needs to mitigate one aspect to be successful.
  • Lets look at an example of an e-Commerce site
    and try to discuss what can go wrong and where.

43
Layered Security Architecture
My-store.com E-Commerce Infrastructure
Internet Users
Internet
ISP DNS
Mail relay
Outside DNS
Inside DNS
Intruder,
Router
threat,,
opponent
Database Server
Firewall
l
Ethernet
Firewall
E-Comm - Web
Router
Inside Mail Server
WAN Links to Remote
Offices
44
Layered Security Architecture
  • Areas that can go wrong
  • Incorrect firewall configuration.
  • Web and back-end server not hardened
  • Known vulnerabilities
  • Default account/passwords
  • Lack of granularity in security
  • Lack of logging and auditing
  • Back-end database server servers accept any
    requests from any sources.
  • Lack of intrusion detection system.
  • Lack of integrity checking tools.
  • Router forward packets improperly.
  • Unnecessary protocols and services running.
  • Improper patching and update of patches.
  • Bugs and vulnerabilities in third-party
    software/applications.
  • Bugs and vulnerabilities in in-house developed
    applications.
  • Bugs and vulnerabilities in toolkits used to
    build in-house applications.
  • Improper implementation of an application, test
    userID not cleaned out, developers userID not
    cleaned out.
  • Presence of Trojans, Malware and backdoors.
  • How do I know the remote offices do not represent
    a threat?

45
Layered Security Architecture
  • To prevent attacks, an enterprise need to build a
    complete and comprehensive security architecture
    using tools, methods and techniques that
    individually target some threats and work in an
    integrated fashion to provide a complete
    enterprise framework for secure computing.
  • One missing piece or aspect may endanger the
    whole infrastructure. Example if you do not
    have virus protection, can an intruder bypass
    your firewalls?
  • The goal of this class will be to present the
    aspects that most impact network security within
    that framework.
  • Example of these tools and methods are presented
    in next slides.

46
Security Architecture Components Examples
  • Firewall with packet/traffic filtering
  • Provides protection by preventing prohibited
    traffic to pass.
  • Acts at layer 3 or 4 of OSI
  • Combats many attacks Spoofing, unauthorized
    access.
  • Network Intrusion Detection systems
  • Monitor network activities for specific patterns
    or abnormal trends in traffic
  • Act at layer 3-7 of OSI
  • Allow alerting (and prevent in some case) in case
    of identification of known attacks.
  • Optical Fiber Links
  • Implement data transfer via optical signals.
  • Layer 1 of OSI
  • Protects from sniffing via electromagnetic leaks
    and interference via EMI by implementing links.
    Also reduce risks of undetected tapping of
    transmission media.

47
Security Architecture Components Examples
  • Implement IPSEC on traffic
  • Provides encryption of data over the wire.
  • Acts at layer 3 of OSI
  • Prevent eavesdropping and provide anti-replay and
    traffic authentication.
  • Intermediate Mail server with virus scanning
  • Intercept all mail traffic and perform virus scan
    as well as content filtering
  • Layer 7 of OSI
  • Preserve integrity of infrastructure by
    preventing downloads of virus. Content filtering
    also help prevent unauthorized dissemination of
    proprietary data or offensive language.
  • Enforcement of prohibition of password disclosure
    via disciplinary actions.
  • Publicize to all employee the strict prohibition
    to share passwords. Enforce it by warning system
    and, if repeated violation, suspension.
  • Layer 8 of OSI
  • Protects from sniffing via electromagnetic leaks
    and interference via EMI by implementing links.
    Also reduce risks of undetected tapping of
    transmission media.

48
Security Architecture Components Examples
  • Application development follows strict security
    models and strict, documented, security testing
    procedures
  • Provides a method to limit the potential of
    security vulnerabilities in software developed
  • Acts at layer 7 (and 8) of OSI
  • Reduce risk of bugs and validate security models
    in an application by basing it on a well-proven
    model.
  • Network/vulnerability scanner is run weekly
  • Perform weekly scan on all devices
  • Layer 3-7 of OSI
  • Preserve integrity of infrastructure by
    identifying newly discovered vulnerabilities or
    unauthorized configuration changes. Also help
    identified unnecessary services.
  • Many more aspects not included here.

49
Other References and Useful Resources
  • CERT www.cert.org
  • SANS www.sans.org
  • CIAC - http//www.ciac.org/ciac/
  • NSA Guidelines - http//nsa2.www.conxion.com/
  • Security Portal - http//securityportal.com/

50
Examples and ComparisonBank vs Cyber-bank
  • The following slides present an illustration to
    compare a real bank to a cyber bank.
  • If time permits we will discuss it during the
    first class.
  • If time does not permit (which really would be a
    surprise if we do have time), students are
    encouraged to think about these aspects we will
    discuss them next week.

51
Examples and ComparisonBank vs Cyber-bank
  • During business hours, doors are open anybody
    can get in and open a new checking account or get
    a lock box.
  • 1. ID and SS is required to open account
    Verification on it is performed.
  • 2. Security camera captures all activities.
  • 3. After opening a lock box, you are given a safe
    key, which can only be used with the key from a
    bank staff.
  • Cyberbank The web site is available and can be
    access by all. All Internet public can access a
    page to open an account.
  • 1.
  • 2.
  • 3.

52
Examples and ComparisonBank vs Cyber-bank
  • You come in to get access to your lock box.
  • 1. You show proper credential to be allowed into
    the vault
  • 2. The vault is protected by bars and locks.
  • 3. While in the vault, you access your lock box
    with a bank staff key and yours
  • 4. Your belonging have been protected in a safe
    lock box
  • 5. All Activities are monitored and recorded
  • Cyberbank The web site is available and a
    user/customer wants to access his account
    information.
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.

53
Examples and ComparisonBank vs Cyber-bank
  • At night, no access except security guard are
    allowed
  • 1. Security guards make regular sentry
  • 2. All activities are recorded
  • 3. All doors are locked
  • Cyberbank The customer portion of the web site
    is not available (maybe for backups,
    maintenance).
  • 1.
  • 2.
  • 3.

54
Examples and ComparisonBank vs Cyber-bank
  • Someone stole your key and try to access to your
    lock box
  • 1. Before you alert the bank, someone tries to
    get to your lock box
  • a. An additional form of ID may be required
    before giving access
  • b. If access granted, activity is monitored
  • 2. You alerted the bank
  • a. The bank may deny access
  • b. The bank may fake access while police is
    alerted.
  • Cyberbank Your credentials got compromised!
  • 1.
  • a.
  • b.
  • 2.
  • a.
  • b.
  • Note an important difference This is more
    similar to someone making a duplicate of your
    key. How do you know your key was lost?

55
Examples and ComparisonBank vs Cyber-bank
  • The safe have been compromised
  • 1. Notice Someone Accessed the Safe Note what
    if copies of documents were made.
  • 2. Alert
  • 3. Investigate
  • 4. Prosecute
  • Cyberbank
  • 1.
  • 2.
  • 3.
  • 4.

56
Examples and ComparisonBank vs Cyber-bank
  • Someone tries to prevent you to access your safe
  • 1. By a group of people that line up to get
    access but are turned down because they are not
    bank customers.
  • 2. By the fact that someone sabotaged the safe
    door making opening and closing slow.
  • 3. By a group of people faking a bank robbery
    and creating a large police force to be deployed
    that slows down regular process.
  • 4. By sending a notice on the mail that the bank
    branch has moved to new address where they did
    setup a cardboard bank that looks the same as
    your regular bank.
  • Cyberbank
  • 1.
  • 2.
  • 3.
  • 4.
Write a Comment
User Comments (0)
About PowerShow.com