Syllabus

Transcript and Presenter's Notes

1
Unit 1: Class overview, general security concepts,
threats and defenses
  • Syllabus
  • What is Security?
  • CSI/FBI Computer Crime and Security Survey
  • Attackers and Attacks
  • Layered Security Architecture
  • In-class exercise: comparing a bank and a
    cyber-bank

2
Welcome
  • Syllabus
  • Grading
  • 4 Homeworks (40%): mostly research oriented, 1
    design homework
  • Hw1 10%, Hw2 5%, Hw3 10%, Hw4 15%
  • 5 Home-Lab Exercises or term paper: 20%
  • Mid Term Exam (closed book): 15%
  • Final Exam (closed book): 15%
  • Class Participation: 10%

3
What is Security?
  • As in the non-cyber, real world, security is what
    we use to secure and protect assets and to
    prevent bad things from happening (or at least
    try to).
  • From Webster:
  • security, noun; inflected form(s): plural -ties;
    date: 15th century. 1: the quality or state of
    being secure: as a: freedom from danger: SAFETY;
    b: freedom from fear or anxiety; c: freedom from
    the prospect of being laid off (job security).
    2 a: something given, deposited, or pledged to
    make certain the fulfillment of an obligation;
    b: SURETY. 3: an evidence of debt or of ownership
    (as a stock certificate or bond). 4 a: something
    that secures: PROTECTION; b (1): measures taken
    to guard against espionage or sabotage, crime,
    attack, or escape; (2): an organization or
    department whose task is security.

4
What is Security?
  • Security activities are based on 3 types of
    actions:
  • Prevent: put protection measures/systems in place
    to protect assets and prevent unauthorized access.
  • Detect: detect whether an asset has been
    compromised, when, and by whom, and gather
    information on the type of breach committed, the
    activities performed, and the evidence (logs).
  • Act/React: take measures to recover from an
    attack, to prevent the same type of attack in the
    future, or to stop an attack in progress.

5
Figure 1-1 CSI/FBI Computer Crime and Security
Survey
  • How bad is the threat?
  • Survey conducted by the Computer Security
    Institute (http://www.gocsi.com).
  • Based on replies from 503 U.S. computer security
    professionals.
  • If fewer than 20 firms reported quantified dollar
    losses, data for the threat are not shown.
  • Note: all figures are from the optional text by
    Panko.

6-9
Figure 1-1 CSI/FBI Computer Crime and Security
Survey (four chart slides; the survey charts
themselves are not reproduced in the transcript)
10
Figure 1-2 Other Empirical Attack Data
  • Riptech
  • Analyzed 5.5 billion firewall log entries from 300
    firms over a five-month period
  • Detected 128,678 attacks, an annual rate of about
    1,000 per firm
  • Only 39% of attacks (after virus traffic was
    removed) were directed at individual firms

11
Figure 1-2 Other Empirical Attack Data
  • Riptech
  • 23% of all firms experienced a highly aggressive
    attack in a 6-month period
  • Highly aggressive attacks were only one percent of
    all attacks, but they were 26 times more likely
    to do severe damage than even moderately
    sophisticated attacks

12
Figure 1-2 Other Empirical Attack Data
  • SecurityFocus
  • Attack Targets
  • 31 million Windows-specific attacks
  • 22 million UNIX/LINUX attacks
  • 7 million Cisco IOS attacks
  • All operating systems are attacked!

13
Figure 1-3 Attack Trends
  • Growing Incident Frequency
  • Incidents reported to the Computer Emergency
    Response Team/Coordination Center (CERT/CC)
  • 1997: 2,134
  • 1998: 3,734 (75% growth from the year before)
  • 1999: 9,859 (164% growth from the year before)
  • 2000: 21,756 (121% growth from the year before)
  • 2001: 52,658 (142% growth from the year before)
  • Tomorrow? Well, CERT decided to stop counting as
    of 6/2004!!

14
Figure 1-3 Attack Trends
  • Growing Randomness in Victim Selection
  • In the past, large firms were targeted
  • Now, targeting is increasingly random
  • No more security through obscurity for small
    firms and individuals

15
Figure 1-3 Attack Trends
  • Growing Malevolence
  • Most early attacks were not malicious
  • Malicious attacks are becoming the norm

16
Figure 1-3 Attack Trends
  • Growing Attack Automation
  • Attacks are automated rather than human-directed
  • Essentially, viruses and worms are attack robots
    that travel among computers
  • They attack many computers in minutes or hours

17
Who are the Attackers???
  • Elite Hackers
  • White hat hackers: break into systems but notify
    the firm or vendor of the vulnerability (this is
    still illegal)
  • Black hat hackers: do not hack to find and report
    vulnerabilities
  • Gray hat hackers: go back and forth between the
    two ways of hacking
  • Hack, but with a code of ethics
  • Codes of conduct are often amoral: "do no harm",
    but delete log files, destroy security settings,
    etc.
  • Distrust of "evil" businesses and government
  • Still illegal
  • Deviant psychology, with hacker groups reinforcing
    the deviance

18
Who are the Attackers???
  • Virus Writers and Releasers
  • Virus writers versus virus releasers
  • Only releasing viruses is punishable

19
Who are the Attackers???
  • Script Kiddies
  • Use prewritten attack scripts ("kiddie scripts")
  • Viewed as lamers by other hackers
  • Their large numbers make them dangerous
  • The noise of kiddie-script attacks masks more
    sophisticated attacks

20
Who are the Attackers???
  • Criminals
  • Many attackers are ordinary garden-variety
    criminals
  • Credit card and identity theft
  • Side note on the threat to credit cards: how do
    attackers capture credit card information? By
    sniffing traffic?
  • How many of the audience worry when shopping
    online? How many of the audience have ever used
    a credit card to pay for a restaurant meal?
  • Stealing trade secrets (intellectual property)
  • Extortion

21
Who are the Attackers???
  • Corporate Employees
  • Have access and knowledge
  • Financial theft
  • Theft of trade secrets (intellectual property)
  • Sabotage
  • Consultants and contractors
  • IT and security staff are the biggest danger

22
Who are the Attackers???
  • Cyberterrorism and Cyberwar
  • New level of danger
  • Infrastructure destruction
  • Attacks on IT infrastructure
  • Use of IT to attack physical infrastructure
    (energy, banks, etc.)
  • Simultaneous multi-pronged attacks
  • Cyberterrorism by terrorist groups versus
    cyberwar by national governments
  • Amateur information warfare

23
Very good Illustration of Attacks and Attackers
  • http://grc.com/dos/grcdos.htm
  • Non-credit assignment: read the full article.
    Note: all material in non-credit assignments can
    appear in quizzes and exams.

24
Framework for Attacks
  • Social Engineering: opening attachments, password
    theft, information theft
  • Physical Access Attacks: wiretapping, server
    hacking, vandalism
  • Dialog Attacks: eavesdropping, impersonation,
    message alteration
  • Penetration Attacks: malware (viruses, worms),
    denial of service, scanning (probing), break-in
25
Figure 1-6 Attacks and Defenses (Study Figure)
  • Physical Attacks: Access Control
  • Access control is the body of strategies and
    practices that a company uses to prevent improper
    access
  • Prioritize assets
  • Specify access control technology and procedures
    for each asset
  • This can be electronic: use access control to
    keep certain traffic out
  • This can be physical: use locks to prevent
    physical access to devices
  • JP side note: if an attacker gains physical
    access to a device, that device IS (or should be
    considered) compromised, no EXCEPTION!!!
  • A quote from my favorite little threat, Philippe
    Labruyere, 6 years old, spilling orange juice on
    my computer: "I win, you lose, game over" (it
    was over a Pokemon card game that I played while
    my laptop was on next to us; he played a deadly
    headbutt attack on my Pikachu, spilling his
    drink). Let me know if I go way off-topic here.
  • Test the protection, but don't spill orange juice
    on it

26
Figure 1-6 Attacks and Defenses (Study Figure)
  • Site Access Attacks and Defenses
  • Wiretaps (including wireless LAN intrusions)
  • Hacking servers with physical access

27
Figure 1-6 Attacks and Defenses (Study Figure)
  • A slight variation of access attack: Social
    Engineering
  • Tricking an employee into giving out information
    or taking an action that reduces security or
    harms a system
  • Opening an e-mail attachment that may contain a
    virus
  • Asking for a password, claiming to be someone
    with the right to know it
  • Asking for a file to be sent to you

28
Figure 1-6 Attacks and Defenses (Study Figure)
  • Social Engineering Defenses
  • Training
  • Enforcement through sanctions (punishment)

29
Figure 1-6 Attacks and Defenses (Study Figure)
  • Dialog Attacks and Defenses
  • Eavesdropping
  • Encryption for Confidentiality
  • Imposters and Authentication
  • Cryptographic Systems

30
Figure 1-7 Eavesdropping on a Dialog
Client PC (Bob) sends "Hello" to Server (Alice) in
the clear. Attacker (Eve) intercepts and reads the
messages.
31
Figure 1-8 Encryption for Confidentiality
Client PC (Bob) encrypts the original message
"Hello" and sends the encrypted message
100100110001 to Server (Alice), who decrypts it
back to "Hello". Attacker (Eve) intercepts
100100110001 but cannot read it.
32
Figure 1-9 Impersonation and Authentication
Attacker (Eve) to Server (Alice): "I'm Bob".
Alice: "Prove it!" (authenticate yourself).
33
Figure 1-10 Message Alteration
Messages in the dialog with Server (Alice) carry
"Balance 1,000,000"; Attacker (Eve) intercepts them
and alters the content to "Balance 1" before
passing them on.
34
Figure 1-11 Secure Dialog System
Client PC (Bob) and Server (Alice) run a secure
dialog that automatically handles the negotiation of
security options: authentication, encryption and
integrity. The attacker cannot read messages, alter
messages, or impersonate either party.
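The secure dialog of Figures 1-7 through 1-11 as an added, runnable example (not code from the slides or from Panko's text): challenge-response authentication, encryption for confidentiality, and an integrity tag, in Python with only the standard library. The pre-shared secret is constructed for the example, and the HMAC-based keystream is a stand-in for a real cipher such as AES-GCM, chosen so the example needs no extra packages. The point it makes is why Figure 1-11 lists all three services: encryption alone still lets Eve carry out the alteration of Figure 1-10.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared secret for Bob (client) and Alice (server); a real system
# would get it from a key exchange or a PKI rather than a hard-coded value.
SHARED_SECRET = b"constructed pre-shared secret for Bob and Alice"
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(shared_secret: bytes):
    """Separate keys for encryption and integrity, both derived from the secret."""
    return (hmac.new(shared_secret, b"encryption", hashlib.sha256).digest(),
            hmac.new(shared_secret, b"integrity", hashlib.sha256).digest())


# Authentication (Figure 1-9): "I'm Bob" / "Prove it!" done as challenge-response.
def challenge() -> bytes:
    """Alice sends a fresh random nonce, so a recorded answer cannot be replayed."""
    return secrets.token_bytes(NONCE_LEN)


def respond(shared_secret: bytes, nonce: bytes) -> bytes:
    """Bob proves he holds the secret by keying an HMAC over Alice's challenge."""
    return hmac.new(shared_secret, b"client-auth" + nonce, hashlib.sha256).digest()


def verify_response(shared_secret: bytes, nonce: bytes, response: bytes) -> bool:
    """Alice recomputes the answer; constant-time compare avoids a timing leak."""
    return hmac.compare_digest(respond(shared_secret, nonce), response)


# Confidentiality and integrity (Figures 1-8, 1-10, 1-11): encrypt-then-MAC.
def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in for a real
    cipher such as AES-GCM, used so the example runs without extra packages."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _split(sealed: bytes):
    return sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]


def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC nonce + ciphertext. Wire format: nonce | ciphertext | tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(shared_secret: bytes, sealed: bytes) -> bytes:
    """Verify the tag BEFORE decrypting; altered or forged messages are rejected."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ct, tag = _split(sealed)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message altered or forged")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def decrypt_without_integrity(shared_secret: bytes, sealed: bytes) -> bytes:
    """What a client that encrypts but never checks integrity would accept."""
    enc_key, _ = derive_keys(shared_secret)
    nonce, ct, _tag = _split(sealed)
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def eve_eavesdrop(sealed: bytes) -> bytes:
    """Figure 1-8: Eve captures the wire bytes but gets only ciphertext."""
    return _split(sealed)[1]


def eve_alter(sealed: bytes, guessed: bytes, wanted: bytes) -> bytes:
    """Figure 1-10 against encryption alone: a stream cipher is malleable, so if Eve
    can guess the plaintext she flips exactly the bits that turn it into what she
    wants, with no key at all. The now-stale tag is passed along unchanged."""
    nonce, ct, tag = _split(sealed)
    return nonce + _xor(ct, _xor(guessed, wanted)) + tag


def run_dialog() -> dict:
    """Run the dialog once and report what each party and Eve end up with."""
    nonce = challenge()                                          # 1. authentication
    bob_ok = verify_response(SHARED_SECRET, nonce, respond(SHARED_SECRET, nonce))
    eve_ok = verify_response(SHARED_SECRET, nonce, respond(b"eve's guess", nonce))
    message = b"Balance: 1000000"                                # 2. confidentiality
    sealed = seal(SHARED_SECRET, message)
    tampered = eve_alter(sealed, message, b"Balance: 0000001")   # 3. integrity
    try:
        open_sealed(SHARED_SECRET, tampered)
        detected = False
    except ValueError:
        detected = True
    return {
        "bob_authenticated": bob_ok,
        "eve_authenticated": eve_ok,
        "eve_saw_plaintext": message in eve_eavesdrop(sealed),
        "naive_client_got": decrypt_without_integrity(SHARED_SECRET, tampered),
        "tamper_detected": detected,
        "alice_to_bob": open_sealed(SHARED_SECRET, sealed),
    }
```

Calling `run_dialog()` shows the three services separately: Eve fails the challenge, sees only ciphertext, and her rewritten balance is accepted by the client that skips the tag check but rejected by `open_sealed`. The alteration works only because the stream cipher is malleable and Eve can guess the plaintext; that is the gap the integrity option in Figure 1-11 closes.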
35
Figure 1-12 Network Penetration Attacks and
Firewalls
Attacker on the Internet sends an attack packet
toward the internal corporate network. The Internet
firewall blocks it and records it in a log file;
client PCs behind the firewall are hardened as well
(hardened client PC).
36
Figure 1-13 Scanning (Probing) Attacks
Attacker on the Internet sends probe packets to
172.16.99.1, 172.16.99.2, etc. on the corporate
network. Host 172.16.99.1 replies; there is no host
at 172.16.99.2, so no reply comes back. Results:
172.16.99.1 is reachable, 172.16.99.2 is not
reachable.
37
Figure 1-14 Single-Message Break-In Attack
1. Attacker sends a single break-in packet.
2. Server is taken over by that single message.
38
Figure 1-15 Denial-of-Service (DoS) Flooding
Attack
Attacker sends a message flood; the server is
overloaded by the message flood.
39
Figure 1-16 Intrusion Detection System (IDS)
1. Attacker on the Internet sends a suspicious
packet. 2. The IDS passes the suspicious packet
through to the corporate network. 3. The IDS logs
the suspicious packet to a log file. 4. The IDS
raises an alarm to the network administrator.
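The probing of Figure 1-13 and the IDS flow of Figure 1-16, as an added example that is not from the slides: a small Python detector run over constructed firewall log lines (the log format, the addresses and the thresholds are assumptions made for the example). It flags a source that probes many distinct internal hosts within a short window, writes those packets to its log and raises one alarm per source, and blocks nothing, which is steps 2 through 4 of the figure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log lines, not from the original page. 203.0.113.9 sweeps
# 172.16.99.1, .2, .3 ... the way the probe packets in Figure 1-13 do; the other
# two sources are ordinary traffic. The log format is assumed for the example.
SAMPLE_LOG = """\
2004-06-01T10:00:00 src=198.51.100.7 dst=172.16.99.1 proto=tcp dport=80 action=allow
2004-06-01T10:00:01 src=203.0.113.9 dst=172.16.99.1 proto=icmp dport=0 action=allow
2004-06-01T10:00:02 src=203.0.113.9 dst=172.16.99.2 proto=icmp dport=0 action=deny
2004-06-01T10:00:02 src=192.0.2.4 dst=172.16.99.1 proto=tcp dport=443 action=allow
2004-06-01T10:00:03 src=203.0.113.9 dst=172.16.99.3 proto=icmp dport=0 action=deny
2004-06-01T10:00:04 src=203.0.113.9 dst=172.16.99.4 proto=icmp dport=0 action=deny
2004-06-01T10:00:04 src=192.0.2.4 dst=172.16.99.2 proto=tcp dport=443 action=deny
2004-06-01T10:00:05 src=203.0.113.9 dst=172.16.99.5 proto=icmp dport=0 action=deny
2004-06-01T10:00:06 src=203.0.113.9 dst=172.16.99.6 proto=icmp dport=0 action=deny
2004-06-01T10:00:30 src=198.51.100.7 dst=172.16.99.1 proto=tcp dport=80 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line: str):
    """One log line -> dict, or None for anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_host_sweeps(log_text: str, window_seconds: int = 60, threshold: int = 5):
    """Flag any source that reaches >= `threshold` distinct destination hosts within
    `window_seconds`. Returns (alarms, suspicious_log): the alarms sent to the
    administrator (step 4 of Figure 1-16) and the packets written to the log file
    (step 3). Nothing is blocked: as in the figure, the packets are passed (step 2)."""
    recent = defaultdict(deque)      # src -> (timestamp, dst) pairs inside the window
    alarmed = set()                  # one alarm per source, not one per packet
    alarms, suspicious_log = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()              # slide the window forward
        targets = {dst for _, dst in q}
        if len(targets) >= threshold:
            suspicious_log.append(line)
            if rec["src"] not in alarmed:
                alarmed.add(rec["src"])
                alarms.append({
                    "src": rec["src"],
                    "hosts_probed": len(targets),
                    "first_seen": q[0][0].isoformat(),
                    "alarm_at": rec["ts"].isoformat(),
                })
    return alarms, suspicious_log


if __name__ == "__main__":
    found, logged = detect_host_sweeps(SAMPLE_LOG)
    for alarm in found:
        print("ALARM:", alarm)
    print(len(logged), "suspicious packets written to the log file")
```

With the defaults the sweep from 203.0.113.9 trips the detector on its fifth distinct target; the two normal sources never reach the threshold. The window and threshold are the tuning knobs: too low and ordinary clients that legitimately talk to several servers raise alarms, too high and a slow scan spread over hours slips under the window, which is the trade-off a real IDS rule set has to make.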
40
What Are the Types of Security Threats?
  • Service Disruption and Interruption: compromises
    the service of Availability
  • Interception: compromises Confidentiality
  • Modification: compromises Integrity
  • Fabrication: compromises Authenticity
  • Often you will see the security services
    summarized into 3 categories, C.I.A.:
  • Confidentiality
  • Integrity
  • Availability
  • In this model, authenticity is treated as a
    subset of integrity

41
What Are the Types of Security Threats?
  • These different threats can be the subject of two
    types of attacks: passive and active.
  • Passive Attacks
  • Attacks that do not require modification of the
    data.
  • Active Attacks
  • Attacks that do require modification of the data
    or the data flow.
  • Which one is harder to notice? (Yes, I know it is
    a silly question; it used to be a 0.05 Euro
    question but now it is downgraded to a 0.01
    question.)

42
Layered Security Architecture
  • As we have seen in the previous slides, the
    security services that must be provided are
    numerous and diverse.
  • Just like a real-world bank, our web servers and
    our networks can have many vulnerabilities, and
    these vulnerabilities can be located in many
    layers of the architecture.
  • We need to practice a security-in-depth
    (defense-in-depth) approach.
  • Security considerations and services must be
    present at each and every level of components.
  • Rule: when analyzing the quality of your security
    infrastructure, always assume that one full
    security layer/function will entirely fail.
  • Are you still secure? Where are your areas of
    vulnerability?
  • How long would it take you to detect the
    failure?
  • Vulnerabilities and security services involve all
    7 layers of the OSI model.
  • Security also depends greatly on OSI "layer 8":
    the people who use and run the systems.
  • The balance between the threat to a system and
    the security services deployed is very
    asymmetric: you need to defend each and every
    aspect to be successful; an attacker often needs
    to defeat only one aspect to be successful.
  • Let's look at an example of an e-commerce site
    and discuss what can go wrong and where.

43
Layered Security Architecture
My-store.com E-Commerce Infrastructure (network
diagram; only the labels survived the transcript)
Elements shown: Internet users and an
intruder/threat/opponent on the Internet; ISP DNS;
mail relay; outside DNS; inside DNS; router;
firewall; Ethernet segment; second firewall; E-Comm
web server; database server; router; inside mail
server; WAN links to remote offices.
44
Layered Security Architecture
  • Areas that can go wrong:
  • Incorrect firewall configuration.
  • Web and back-end servers not hardened:
  • Known vulnerabilities
  • Default accounts/passwords
  • Lack of granularity in security
  • Lack of logging and auditing
  • Back-end database servers accept any request
    from any source.
  • Lack of an intrusion detection system.
  • Lack of integrity-checking tools.
  • Routers forwarding packets improperly.
  • Unnecessary protocols and services running.
  • Improper patching; patches not kept up to date.
  • Bugs and vulnerabilities in third-party
    software/applications.
  • Bugs and vulnerabilities in in-house developed
    applications.
  • Bugs and vulnerabilities in toolkits used to
    build in-house applications.
  • Improper deployment of an application: test
    user IDs not cleaned out, developers' user IDs
    not cleaned out.
  • Presence of Trojans, malware and backdoors.
  • How do I know the remote offices do not represent
    a threat?

45
Layered Security Architecture
  • To prevent attacks, an enterprise needs to build
    a complete and comprehensive security
    architecture using tools, methods and techniques
    that individually target some threats and work in
    an integrated fashion to provide a complete
    enterprise framework for secure computing.
  • One missing piece or aspect may endanger the
    whole infrastructure. Example: if you do not
    have virus protection, can an intruder bypass
    your firewalls?
  • The goal of this class will be to present the
    aspects that most impact network security within
    that framework.
  • Examples of these tools and methods are presented
    in the next slides.

46
Security Architecture Components Examples
  • Firewall with packet/traffic filtering
  • Provides protection by preventing prohibited
    traffic from passing.
  • Acts at layer 3 or 4 of OSI
  • Combats many attacks: spoofing, unauthorized
    access.
  • Network Intrusion Detection Systems
  • Monitor network activity for specific patterns
    or abnormal trends in traffic
  • Act at layers 3-7 of OSI
  • Allow alerting (and, in some cases, prevention)
    when known attacks are identified.
  • Optical Fiber Links
  • Implement data transfer via optical signals.
  • Layer 1 of OSI
  • Protect from sniffing via electromagnetic leaks
    and from interference via EMI. Also reduce the
    risk of undetected tapping of the transmission
    medium.
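The packet-filtering firewall of the first component above, as an added example (not code from the slides or from any firewall product): a first-match layer-3/4 filter in Python, used to check two of the "areas that can go wrong" from the earlier slide, an incorrect firewall configuration and a back-end database that accepts requests from any source, with a hardened ruleset beside the weak one. The addresses, interface names and the database port 5432 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "outside", "dmz" or "inside"
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None = any port

    def matches(self, p: Packet) -> bool:
        return (
            self.iface in ("any", p.iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def evaluate(rules, p: Packet, default: str = "deny") -> str:
    """First-match packet filter working at layers 3/4 only: no payload inspection."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed addresses (assumed, not from the page): shoppers on the Internet,
# the e-comm web server in a DMZ, the database on the inside network.
WEB = "192.0.2.10/32"
DB = "10.1.1.20/32"
INSIDE_NETS = ["10.0.0.0/8", "192.0.2.0/24"]

# "Incorrect firewall configuration": the database port is reachable from anywhere,
# so the back-end accepts requests from any source.
WEAK_RULES = [
    Rule("allow", dst=WEB, proto="tcp", dport=443),
    Rule("allow", dst=DB, proto="tcp", dport=5432),
]

# Hardened: anti-spoofing first (inside addresses never arrive from outside), then
# only the web tier may reach the database, and everything else to it is denied.
HARDENED_RULES = [Rule("deny", iface="outside", src=net) for net in INSIDE_NETS] + [
    Rule("allow", iface="outside", dst=WEB, proto="tcp", dport=443),
    Rule("allow", iface="dmz", src=WEB, dst=DB, proto="tcp", dport=5432),
    Rule("deny", dst=DB),        # explicit, so the drop shows up in the logs
]

SAMPLE_PACKETS = {
    "shopper_to_web":      Packet("outside", "203.0.113.5", "192.0.2.10", "tcp", 443),
    "intruder_to_db":      Packet("outside", "203.0.113.66", "10.1.1.20", "tcp", 5432),
    "web_tier_to_db":      Packet("dmz", "192.0.2.10", "10.1.1.20", "tcp", 5432),
    "spoofed_web_to_db":   Packet("outside", "192.0.2.10", "10.1.1.20", "tcp", 5432),
    "intruder_to_web_ssh": Packet("outside", "203.0.113.66", "192.0.2.10", "tcp", 22),
}


def compare_rulesets(packets=SAMPLE_PACKETS) -> dict:
    """Verdict of each ruleset for each packet: {name: (weak, hardened)}."""
    return {name: (evaluate(WEAK_RULES, p), evaluate(HARDENED_RULES, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in compare_rulesets().items():
        print(f"{name:22} weak={weak:5} hardened={hardened}")
```

The two rulesets agree on the shopper and on the web tier; they differ exactly where the slides say things go wrong. The weak ruleset lets the intruder reach the database directly and also accepts a packet from outside that carries the web server's own source address, the spoofing the component list says a filter should combat; the hardened one rejects both, because the anti-spoofing rule is evaluated first and the database rule is tied to the DMZ interface as well as the source address.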

47
Security Architecture Components Examples
  • Implement IPsec on traffic
  • Provides encryption of data over the wire.
  • Acts at layer 3 of OSI
  • Prevents eavesdropping and provides anti-replay
    and traffic authentication.
  • Intermediate mail server with virus scanning
  • Intercepts all mail traffic and performs virus
    scanning as well as content filtering
  • Layer 7 of OSI
  • Preserves the integrity of the infrastructure by
    preventing downloads of viruses. Content
    filtering also helps prevent unauthorized
    dissemination of proprietary data or offensive
    language.
  • Enforcement of the prohibition of password
    disclosure via disciplinary action.
  • Publicize to all employees the strict prohibition
    on sharing passwords. Enforce it with a warning
    system and, on repeated violation, suspension.
  • Layer 8 of OSI

48
Security Architecture Components Examples
  • Application development follows strict security
    models and strict, documented security testing
    procedures
  • Provides a method to limit the potential for
    security vulnerabilities in developed software
  • Acts at layer 7 (and 8) of OSI
  • Reduces the risk of bugs and validates the
    security model of an application by basing it on
    a well-proven model.
  • Network/vulnerability scanner run weekly
  • Perform a weekly scan of all devices
  • Layers 3-7 of OSI
  • Preserves the integrity of the infrastructure by
    identifying newly discovered vulnerabilities or
    unauthorized configuration changes. Also helps
    identify unnecessary services.
  • Many more aspects not included here.

49
Other References and Useful Resources
  • CERT - www.cert.org
  • SANS - www.sans.org
  • CIAC - http://www.ciac.org/ciac/
  • NSA Guidelines - http://nsa2.www.conxion.com/
  • Security Portal - http://securityportal.com/

50
Examples and Comparison: Bank vs Cyber-bank
  • The following slides present an illustration
    comparing a real bank to a cyber-bank.
  • If time permits we will discuss it during the
    first class.
  • If time does not permit (which really would be a
    surprise if we do have time), students are
    encouraged to think about these aspects; we will
    discuss them next week.

51
Examples and Comparison: Bank vs Cyber-bank
  • During business hours, doors are open; anybody
    can get in and open a new checking account or get
    a lock box.
  • 1. ID and SSN are required to open an account;
    verification is performed.
  • 2. Security cameras capture all activities.
  • 3. After opening a lock box, you are given a safe
    key, which can only be used together with the key
    held by bank staff.
  • Cyberbank: the web site is available and can be
    accessed by all. All of the Internet public can
    access a page to open an account.
  • 1.
  • 2.
  • 3.

52
Examples and Comparison: Bank vs Cyber-bank
  • You come in to get access to your lock box.
  • 1. You show proper credentials to be allowed into
    the vault
  • 2. The vault is protected by bars and locks.
  • 3. While in the vault, you access your lock box
    with a bank staff key and yours
  • 4. Your belongings have been protected in a safe
    lock box
  • 5. All activities are monitored and recorded
  • Cyberbank: the web site is available and a
    user/customer wants to access his account
    information.
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.

53
Examples and Comparison: Bank vs Cyber-bank
  • At night, no access is allowed except for
    security guards
  • 1. Security guards make regular rounds
  • 2. All activities are recorded
  • 3. All doors are locked
  • Cyberbank: the customer portion of the web site
    is not available (maybe for backups,
    maintenance).
  • 1.
  • 2.
  • 3.

54
Examples and Comparison: Bank vs Cyber-bank
  • Someone stole your key and tries to access your
    lock box
  • 1. Before you alert the bank, someone tries to
    get to your lock box
  • a. An additional form of ID may be required
    before giving access
  • b. If access is granted, activity is monitored
  • 2. You alerted the bank
  • a. The bank may deny access
  • b. The bank may fake access while the police are
    alerted.
  • Cyberbank: your credentials got compromised!
  • 1.
  • a.
  • b.
  • 2.
  • a.
  • b.
  • Note an important difference: this is more
    similar to someone making a duplicate of your
    key. How do you know your key was lost?

55
Examples and Comparison: Bank vs Cyber-bank
  • The safe has been compromised
  • 1. Notice that someone accessed the safe. Note:
    what if copies of documents were made?
  • 2. Alert
  • 3. Investigate
  • 4. Prosecute
  • Cyberbank
  • 1.
  • 2.
  • 3.
  • 4.

56
Examples and Comparison: Bank vs Cyber-bank
  • Someone tries to prevent you from accessing your
    safe
  • 1. By a group of people that line up to get
    access but are turned down because they are not
    bank customers.
  • 2. By sabotaging the safe door, making it slow to
    open and close.
  • 3. By a group of people faking a bank robbery,
    causing a large police force to be deployed,
    which slows down regular processing.
  • 4. By sending a notice in the mail that the bank
    branch has moved to a new address, where they
    set up a cardboard bank that looks the same as
    your regular bank.
  • Cyberbank
  • 1.
  • 2.
  • 3.
  • 4.