Which is the Cuckoo's Egg?

1
Which is the Cuckoo's Egg?

• 45 million
• Quebec
• Drug arrest
• Hacking scam
• Poland, Brazil, Manitoba, and the United States
• Age 17 to 26
• Computer network

2
Cuckoo's Egg

• Drug arrest
• Canada police have broken up a major
  international computer-hacking network
• Target unprotected personal computers around the
  world
• Police arrested 16 people age between 17 and 26
• Online to attack and gain control of as many as
  one million computers worldwide

3

Csilla Farkas Associate Professor Dept. of
Computer Science and Engineering University of
South Carolina farkas_at_cse.sc.edu http//www.cse.s
c.edu/farkas
4
Financial Loss
Dollar Amount Losses by Type
Total Loss (2006) 53,494,290 CSI/FBI Computer
Crime and Security Survey Computer Security
Institute
5
Security Protection
6
What is Wrong with the Following Specification?

• The CEO of ReallySecure Inc. instructed the
  system administrator of the organizations
  computing resources to implement security
  mechanisms, including
• Hardware firewall
• Authentication mechanisms
• Access control
• Secure communication
• Encryption capabilities

7
Risk Management Framework (Business Context)
8
Understand the Business Context

• Who cares?
• Identify business goals, priorities and
  circumstances, e.g.,
• Increasing revenue
• Meeting service-level agreements
• Reducing development cost
• Generating high return investment
• Identify security risk to consider

9
Identify Business and Technical Risks

• Why should business care?
• Business risk
• Direct threat
• Indirect threat
• Consequences
• Financial loss
• Loss of reputation
• Violation of customer or regulatory constraints
• Liability
• Tying technical risks to the business context in
  a meaningful way

10
Synthesize and Rank the Risks

• What should be done first?
• Prioritization of identified risks based on
  business goals
• Allocating resources
• Risk metrics
• Risk likelihood
• Risk impact
• Risk severity
• Number of emerging risks

11
Define the Risk Mitigation Strategy

• How to mitigate risks?
• Available technology and resources
• Constrained by the business context what can the
  organization afford, integrate, and understand
• Need validation techniques

12
Carry Out Fixes and Validate

• Perform actions defined in the previous stage
• Measure completeness against the risk
  mitigation strategy
• Progress against risk
• Remaining risks
• Assurance of mechanisms
• Testing

13
Measuring and Reporting

• Continuous and consistent identification and
  storage of risk information over time
• Maintain risk information at all stages of risk
  management
• Establish measurements, e.g.,
• Number of risks, severity of risks, cost of
  mitigation, etc.

14
What is Being Protected, Why, and How?

• Risk assessment

15
Security Objectives
16
Security Tradeoffs
Security
Functionality
COST
Ease of Use
17
Achieving Security

• Policy
• What to protect?
• Mechanism
• How to protect?
• Assurance
• How good is the protection?

18
Policy
Organizational policy
Information systems policy
19
Security by Obscurity

• Hide inner working of the system
• Bad idea!
• Vendor independent open standard
• Widespread computer knowledge

20
Security by Legislation

• Instruct users how to behave
• Not good enough!
• Important
• Only enhance security
• Targets only some of the security problems

21
Security Mechanism

• Prevention
• Detection
• Tolerance and Recovery

22
IdentificationAuthentication
23
Authentication

• Allows an entity (a user or a system) to prove
  its identity to another entity
• Typically, the entity whose identity is verified
  reveals knowledge of some secret S to the
  verifier
• Strong authentication the entity reveals
  knowledge of S to the verifier without revealing
  S to the verifier

24
User Authentication

• What the user knows
• Password, personal information
• What the user possesses
• Physical key, ticket, passport, token, smart card
• What the user is (biometrics)
• Fingerprints, voiceprint, signature dynamics

25
Access Control
26
Access Control

• Protection objects system resources for which
  protection is desirable
• Memory, file, directory, hardware resource,
  software resources, etc.
• Subjects active entities requesting accesses to
  resources
• User, owner, program, etc.
• Access mode type of access
• Read, write, execute

27
Access Control

• Access control components
• Access control policy specifies the authorized
  accesses of a system
• Access control mechanism implements and enforces
  the policy
• Separation of components allows to
• Define access requirements independently from
  implementation
• Compare different policies
• Implement mechanisms that can enforce a wide
  range of policies

28
Closed v.s. Open Systems
Closed system
Open System
(minimum privilege)
(maximum privilege)
Access requ.
Access requ.
Allowed accesses
Disallowed accesses
Exists Rule?
Exists Rule?
yes
no
yes
no
Access denied
Access permitted
Access permitted
Access denied
29
Firewalls
30
Traffic Control Firewall
External Network
31
Firewall Objectives

• Keep intruders, malicious code and unwanted
  traffic or information out
• Keep proprietary and sensitive information in

Proprietary data
External attacks
32

• Cryptography
• - Secret-Key Encryption
• - Public-Key Encryption
• - Cryptographic Protocols

33
Insecure communications
Confidential
34
Encryption and Decryption
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
35
Conventional (Secret Key) Cryptosystem
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
Sender
Recipient
K
CE(K,M) MD(K,C)
K needs secure channel
36
Public Key Cryptosystem
Recipients public Key (Kpub)
Recipients private Key (Kpriv)
Plaintext
Ciphertext
Plaintext
Encryption
Decryption
Sender
Recipient
CE(Kpub,M) MD(Kpriv,C)
Kpub needs reliable channel
37
Cryptographic Protocols

• Messages should be transmitted to destination
• Only the recipient should see it
• Only the recipient should get it
• Proof of the senders identity
• Message shouldnt be corrupted in transit
• Message should be sent/received once only

38
Detection/Response
39
Misuse Prevention

• Prevention techniques first line of defense
• Secure local and network resources
• Techniques cryptography, identification,
  authentication, authorization, access control,
  security filters, etc.

Problem Losses occur!
40
Intrusion Management

• Intrusion Prevention protect system resources
• Intrusion Detection (second line of defense)
  discriminate intrusion attempts from normal
  system usage
• Intrusion Recovery cost effective recovery models

41
Anomaly versus Misuse
Non-intrusive use
Intrusive use
Looks like NORMAL behavior
False negative Non-anomalous but Intrusive
activities
Does NOT look Like NORMAL behavior
False positive Non-intrusive but Anomalous
activities
like
42
Malicious Code Detection

• Virus and Worm
• Programming Flaws
• Application Specific Code
• Distributed, heterogeneous platforms
• Complex applications
• Security Applications vs. Secure Applications
• Build security into the system

43
Response/Tolerance
44
Incident Response

• Federal Communications Commission Computer
  Security Incident Response Guide, 2001,
  http//csrc.nist.gov/fasp/FASPDocs/incident-respon
  se/Incident-Response-Guide.pdf
• Incident Response Team, R. Nellis,
  http//www.rochissa.org/downloads/presentations/In
  cidence20Response20Teams.ppt
• NIST special publications, http//csrc.nist.gov/pu
  blications/nistpubs/index.html

45
Intrusion Recovery

• Actions to avoid further loss from intrusion
• Terminate intrusion and protect against
  reoccurrence
• Law enforcement
• Enhance defensive security
• Reconstructive methods based on
• Time period of intrusion
• Changes made by legitimate users during the
  effected period
• Regular backups, audit trail based detection of
  effected components, semantic based recovery,
  minimal roll-back for recovery

46
What is Survivability?

• To decide whether a computer system is
  survivable, you must first decide what
  survivable means.

47
Effect Modeling and Vulnerability Detection
Seriously effected components
Weakly effected component
Cascading effects
Not effected components
48
Due Care and Liability

• Organizational liability for misuse
• US Federal Sentencing Guidelines chief executive
  officer and top management are responsible for
  fraud, theft, and antivirus violations committed
  by insiders or outsiders using the companys
  resources.
• Fines and penalties
• Base fine
• Culpability score (95-400)
• Good faith efforts written policies, procedures,
  security awareness program, disciplinary
  standards, monitoring and auditing, reporting,
  and cooperation with investigations

49
How to Respond?
50
How to Respond?
51
How to Respond?
52
Roles and Responsibilities

• User
• Vigilant for unusual behavior
• Report incidents
• Manager
• Awareness training
• Policies and procedures
• System administration
• Install safeguards
• Monitor system
• Respond to incidents, including preservation of
  evidences

53
Computer Incident Response Team

• Assist in handling security incidents
• Formal
• Informal
• Incident reporting and dissemination of incident
  information
• Computer Security Officer
• Coordinate computer security efforts
• Others law enforcement coordinator,
  investigative support, media relations, etc.

54
Incident Response Process 1.

• Preparation
• Baseline Protection
• Planning and guidance
• Roles and Responsibilities Training
• Incident response team

55
Incident Response Process 2.

• Identification and assessment
• Symptoms
• Nature of incident
• Identify perpetrator, origin and extent of attack
• Can be done during attack or after the attack
• Gather evidences
• Key stroke monitoring, honey nets, system logs,
  network traffic, etc.
• Legislations on Monitoring!
• Report on preliminary findings

56
Incident Response Process 3.

• Containment
• Reduce the chance of spread of incident
• Determine sensitive data
• Terminate suspicious connections, personnel,
  applications, etc.
• Move critical computing services
• Handle human aspects, e.g., perception
  management, panic, etc.

57
Incident Response Process 4.

• Eradication
• Determine and remove cause of incident if
  economically feasible
• Improve defenses, software, hardware, middleware,
  physical security, etc.
• Increase awareness and training
• Perform vulnerability analysis

58
Incident Response Process 5.

• Recovery
• Determine course of action
• Reestablish system functionality
• Reporting and notifications
• Documentation of incident handling and evidence
  preservation

59
Follow Up Procedures

• Incident evaluation
• Quality of incident (preparation, time to
  response, tools used, evaluation of response,
  etc.)
• Cost of incident (monetary cost, disruption, lost
  data, hardware damage, etc.)
• Preparing report
• Revise policies and procedures

60
Questions?