Syllabus

1
Unit 1 Class overview, general security concept,
threats and defenses

• Syllabus
• What is Security?
• CSI/FBI Computer Crime and Security Survey
• Attackers and Attacks
• Layered Security Architecture

2
What is Security?

• Like in non-Cyber real world Security is used
  to secure, protect, prevent bad things to happen
  (or try to).
• From Webster
• Function nounInflected Form(s) plural
  -tiesDate 15th century1 the quality or state
  of being secure as a freedom from danger
  SAFETY b freedom from fear or anxiety c
  freedom from the prospect of being laid off
  security2 a something given, deposited, or
  pledged to make certain the fulfillment of an
  obligation b SURETY3 an evidence of debt or
  of ownership (as a stock certificate or bond)4 a
  something that secures PROTECTION b (1)
  measures taken to guard against espionage or
  sabotage, crime, attack, or escape (2) an
  organization or department whose task is security

3
What is Security?

• Security Activities Are based on 3 Types of
  Actions
• Prevent Put protection measures/system to
  protect assets and prevent unauthorized access.
• Detect Detect if an asset has been compromised,
  when, by whom and gather information on the type
  of breach committed, activities and evidence
  logs.
• Act/React Take measure to recover from attack
  and prevent same type of attacks or prevent
  attack in progress.

4
CSI/FBI Computer Crime and Security Survey

• How Bad is the Threat?
• Survey conducted by the Computer Security
  Institute (http//www.gocsi.com) annually.
• Based on replies from 700 U.S. Computer Security
  Professionals in 2005.

5
(No Transcript)
6

• Websites incidents have increased dramatically

7

• General trend of losses is down except for
  unauthorized access to information, and theft
  of proprietary information

8
Other Key Findings of the CSI/FBI survey

• Outsourcing of computer security activities is
  quite low
• Use of cyber insurance remain low
• Concern of negative publicity ? decline in
  reporting intrusions to law enforcement
• Significant number of organization conduct some
  form of economic evaluation of their security
  expenditures

9
Other Key Findings of the CSI/FBI survey (contd.)

• Over 87 of the organizations conduct security
  audits, up from 82 percent in 2004s survey.
• The Sarbanes-Oxley Act has begun to have impact
  on information security in more industry sectors
  than last year.
• Most respondents view security awareness training
  as important. However respondents from all
  sectors do not believe their organizations
  invests enough in it.

10
Other Empirical Attack Data

• SecurityFocus
• Attack Targets
• 31 million Windows-specific attacks
• 22 million UNIX/LINUX attacks
• 7 million Cisco IOS attacks
• All operating systems are attacked!

11
Attack Trends

• Growing Incident Frequency
• Incidents reported to the Computer Emergency
  Response Team/Coordination Center (CERT)
• 1997 2,134
• 1998 3,474 (75 growth from the year before)
• 1999 9,859 (164 growth from the year before)
• 2000 21,756 (121 growth from the year before)
• 2001 52,658 (142 growth from the year before)
• Tomorrow? . Well CERT decided to stop counting
  as of 6/2004!!

12
Attack Trends

• Growing Randomness in Victim Selection
• In the past, large firms were targeted
• Now, targeting is increasingly random
• No more security through obscurity for small
  firms and individuals

13
Attack Trends

• Growing Malevolence
• Most early attacks were not malicious
• Malicious attacks are becoming the norm

14
Attack Trends

• Growing Attack Automation
• Attacks are automated, rather than
  humanly-directed
• Essentially, viruses and worms are attack robots
  that travel among computers
• Attack many computers in minutes or hours

15
Who are the Attackers???

• Elite Hackers
• White hat hackers
• This is still illegal
• Break into system but notify firm or vendor of
  vulnerability
• Black hat hackers
• Do not hack to find and report vulnerabilities
• Gray hat hackers go back and forth between the
  two ways of hacking
• Hack but with code of ethics
• Codes of conduct are often amoral
• Do no harm, but delete log files, destroy
  security settings, etc.
• Distrust of evil businesses and government
• Still illegal
• Deviant psychology and hacker groups to reinforce
  deviance

16
Who are the Attackers???

• Virus Writers and Releasers
• Virus writers versus virus releasers
• Only releasing viruses is punishable

17
Who are the Attackers???

• Script Kiddies
• Use prewritten attack scripts (kiddie scripts)
• Viewed as lamers and script kiddies
• Large numbers make dangerous
• Noise of kiddie script attacks masks more
  sophisticated attacks

18
Who are the Attackers???

• Criminals
• Many attackers are ordinary garden-variety
  criminals
• Credit card and identity theft
• Side note on threat to Credit Card . How do
  attacker capture credit card information? Via
  Sniffing traffic?
• How many of the audience have worries when
  shopping online? How many of the audience ever
  used a credit card to pay for a restaurant meal?
• Stealing trade secrets (intellectual property)
• Extortion

19
Who are the Attackers???

• Corporate Employees
• Have access and knowledge
• Financial theft
• Theft of trade secrets (intellectual property)
• Sabotage
• Consultants and contractors
• IT and security staff are biggest danger

20
Who are the Attackers???

• Cyberterrorism and Cyberwar
• New level of danger
• Infrastructure destruction
• Attacks on IT infrastructure
• Use IT to establish physical infrastructure
  (energy, banks, etc.)
• Simultaneous multi-pronged attacks
• Cyberterrorists by terrorist groups versus
  cyberwar by national governments
• Amateur information warfare

21
Very good Illustration of Attacks and Attackers

• http//grc.com/dos/grcdos.htm
• Non credit assignment Read the full article.
  Note all material in non credit assignments
  can be present in exams.

22
Framework for Attacks
Attacks
Social Engineering -- Opening Attachments Password
Theft Information Theft
Physical Access Attacks -- Wiretapping Server
Hacking Vandalism
Dialog Attacks -- Eavesdropping Impersonation Mess
age Alteration
Penetration Attacks
Malware -- Viruses Worms
Denial of Service
Scanning (Probing)
Break-in
23
Attacks and Defenses (Refer to previous diagram)

• Physical Attacks Access Control
• Access control is the body of strategies and
  practices that a company uses to prevent improper
  access
• Prioritize assets
• Specify access control technology and procedures
  for each asset
• This can be electronic use access control to
  prevent certain traffic in
• This can be physical use locks to prevent
  physical access to devices.
• If an attacker gains physical access to a device
  that device IS (or should be considered)
  compromised no EXCEPTION!!!
• Test the protection.

24
Attacks and Defenses (contd.)

• Site Access Attacks and Defenses
• Wiretaps (including wireless LANs intrusions
• Hacking servers with physical access

25
Attacks and Defenses (contd.)

• A slight variation of access attack Social
  Engineering
• Tricking an employee into giving out information
  or taking an action that reduces security or
  harms a system
• Opening an e-mail attachment that may contain a
  virus
• Asking for a password claming to be someone with
  rights to know it
• Asking for a file to be sent to you

26
Attacks and Defenses (contd.)

• Social Engineering Defenses
• Training
• Enforcement through sanctions (punishment)

27
Attacks and Defenses (contd.)

• Dialog Attacks and Defenses
• Eavesdropping
• Encryption for Confidentiality
• Imposters and Authentication
• Cryptographic Systems

28
Eavesdropping on a Dialog
Dialog
Hello
Client PC Bob
Server Alice
Hello
Attacker (Eve) intercepts and reads messages
29
Encryption for Confidentiality
Encrypted Message 100100110001
Client PC Bob
Server Alice
100100110001
Attacker (Eve) intercepts but cannot read
Original Message Hello
Decrypted Message Hello
30
Impersonation and Authentication
Im Bob
Prove it! (Authenticate Yourself)
Attacker (Eve)
Server Alice
31
Message Alteration
Dialog
Balance 1,000,000
Balance 1
Server Alice
Balance 1
Balance 1,000,000
Attacker (Eve) intercepts and alters messages
32
Secure Dialog System
Secure Dialog
Client PC Bob
Server Alice
Automatically Handles Negation of Security
Options Authentication Encryption Integrity
Attacker cannot read messages, alter messages,
or impersonate
33
Network Penetration Attacks and Firewalls
Attack Packet
Internet Firewall
Hardened Client PC
Internet
Attacker
Internal Corporate Network
Log File
34
Scanning (Probing) Attacks
Reply from172.16.99.1
Probe Packets to 172.16.99.1, 172.16.99.2, etc.
Host 172.16.99.1
Internet
Attacker
No Host 172.16.99.2
Results 172.16.99.1 is reachable 172.16.99.2 is
not reachable
No Reply
Corporate Network
35
Single-Message Break-In Attack
1. Single Break-In Packet
2. Server Taken Over By Single Message
Attacker
36
Denial-of-Service (DoS) Flooding Attack
Message Flood
Server Overloaded By Message Flood
Attacker
37
Intrusion Detection System (IDS)
1. Suspicious Packet
Intrusion Detection System (IDS)
4. Alarm
Network Administrator
2. Suspicious Packet Passed
Internet
Attacker
3. Log Suspicious Packet
Corporate Network
Log File
38
What Are the Types of Security Threats?

• Service Disruption and Interruption
• Compromise the service Availability
• Interception
• Compromise the service Confidentiality
• Modification
• Compromise the service Integrity
• Fabrication
• Compromise the service Authenticity
• Often you will see the security services
  summarized into 3 categories C.I.A
• Confidentiality
• Integrity
• Availability
• In this model, authenticity is a subset of
  integrity

39
What Are the Types of Security Threats?

• These different Threats can be subject to two
  types of possible attacks Passive and Active.
• Passive Attacks
• Attacks that do not require modification of the
  data.
• Active Attacks
• Attacks that do require modification of the data
  or the data flow.
• Which one is harder to notice? (yes I know its
  obvious)

40
Layered Security Architecture

• As we have seen in previous slides, security
  services that must be provided are numerous and
  diverse.
• Similarly to the real-world bank, our web
  servers, our networks can have many
  vulnerabilities and these vulnerabilities can be
  located in many layers of the architecture.
• We need to practice a security in-depth
  approach.
• Security consideration and services must be
  present in each and every level of components.
• Rule When analyzing the quality of your security
  infrastructure, always assume that 1 full
  security layer/functionality will entirely fail.
  
• Are you still secured? What are your areas of
  vulnerabilities?
• How long would it take for you to detect the
  failure?
• Vulnerabilities and security services involve all
  7 layers of the OSI model.
• Security also is greatly dependant on the OSIs
  Layer 8.
• The balance between the threat to a system and
  the security services deployed is very
  Asymmetric You need to defend each and every
  aspects to be successful An attacker often
  needs to mitigate one aspect to be successful.
• Lets look at an example of an e-Commerce site
  and try to discuss what can go wrong and where.

41
Layered Security Architecture
My-store.com E-Commerce Infrastructure
Internet Users
Internet
ISP DNS
Mail relay
Outside DNS
Inside DNS
Intruder,
Router
threat,,
opponent
Database Server
Firewall
l
Ethernet
Firewall
E-Comm - Web
Router
Inside Mail Server
WAN Links to Remote
Offices
42
Layered Security Architecture

• Areas that can go wrong
• Incorrect firewall configuration.
• Web and back-end server not hardened
• Known vulnerabilities
• Default account/passwords
• Lack of granularity in security
• Lack of logging and auditing
• Back-end database server servers accept any
  requests from any sources.
• Lack of intrusion detection system.
• Lack of integrity checking tools.
• Router forward packets improperly.
• Unnecessary protocols and services running.
• Improper patching and update of patches.
• Bugs and vulnerabilities in third-party
  software/applications.
• Bugs and vulnerabilities in in-house developed
  applications.
• Bugs and vulnerabilities in toolkits used to
  build in-house applications.
• Improper implementation of an application, test
  userID not cleaned out, developers userID not
  cleaned out.
• Presence of Trojans, Malware and backdoors.
• How do I know the remote offices do not represent
  a threat?

43
Layered Security Architecture

• To prevent attacks, an enterprise need to build a
  complete and comprehensive security architecture
  using tools, methods and techniques that
  individually target some threats and work in an
  integrated fashion to provide a complete
  enterprise framework for secure computing.
• One missing piece or aspect may endanger the
  whole infrastructure. Example if you do not
  have virus protection, can an intruder bypass
  your firewalls?
• The goal of this class will be to present the
  aspects that most impact network security within
  that framework.
• Example of these tools and methods are presented
  in Unit 2.

44
Other References and Useful Resources

• CERT www.cert.org
• SANS www.sans.org
• CIAC - http//www.ciac.org/ciac/
• NSA Guidelines - http//www.nsa.gov/snac/