The need for security

1
The need for security
2
Need for security

• Business needs
• Technology needs
• Different types of threats
• Different types of attacks

3
Business needs

• Evaluate the organizations dependence on
  information system
• Protect the organizations ability to function
• Facilitate the running of necessary applications
• Protect data storage
• Safeguard technology assets

4
Business needs

• Commitment should be from both the top level
  management as well as the IT management
• Protecting information is more a management issue
  than a technology issue
• Develop InfoSec policies that will not hinder
  business functions
• Develop applications that can be integrated with
  the business functions (e.g., use of IM in
  addition to email)

5
Business needs

• Protect data in motion as well as data in rest
• Protection might involve using encryption for all
  communications. This could lead to the use of
  digital certificates and digital signatures as an
  optional authentication mechanism

6
Technology needs

• IT needs physical security for its equipments
• IT works with many different units of the
  organization with differing needs and so it must
  have input in selecting hardware needs of units
  at a general level in order to provide security
  across the network
• IT should be the principal agent in providing
  outside connectivity to any unit within the
  organization

7
Threats

• Different types of threats faced by an
  information system are
• Inadvertent acts
• Deliberate acts
• Acts of God
• Technical failures
• Management failures

8
Threats

• Inadvertent acts constitute actions that are
  unintentional
• E.g., an employee forwards the email to the wrong
  person because names are very similar in the
  distribution list
• Accidental erasure of a file
• Misplacement of information stored in a disk or
  paper

9
Threats

• Deliberate acts involve actions by disgruntled
  employees who want to disrupt the workflow
• Information leak or theft by an employee because
  they do not agree with organizational policy
• Unauthorized access by internal as well as
  external people to computer systems
• Acts of espionage for monetary gain
• Blackmail
• Vandalism
• Sabotage

10
Threats

• Acts of God include natural disasters such as
  tornado, lightning, earthquake, and flood
• Fire would be considered under this category even
  though it is not an act of God in most cases.
  The types of fires that happen due to electrical
  or other malfunctions would fall under this
  category where as vandalism would not.

11
Technical Failures

• Hardware failures
• Intel Pentium II chip had a known flaw that Intel
  tried to suppress but failed
• Intel Xeon chip also had bugs
• Software failures
• This is the most common kind today
• Microsoft added to the lexicon the word service
  pack for a while and now it is called patch as it
  has become an almost daily routine as new bugs in
  software are detected based on some form of attack

12
Management Failures

• Lack of planning for technology upgrade for
  security
• Lack of foresight for potential vulnerabilities
  in organizations information system security
• E.g., Symantec discontinued a version of its
  legacy system anti-virus software with sufficient
  advance notice. Failure to plan to upgrade
  anti-virus software could cause the organization
  great harm

13
Attacks

• An exploit is a technique to compromise a system
• A vulnerability is an identified weakness of a
  controlled system
• An attack is a deliberate act that exploits
  vulnerability
• A malicious code is one that intentionally
  destroys or steals information
• Examples of malicious code are
• Virus
• Worm
• Trojan horse
• Active web scripts (cookies)
• Nimda virus of September 2001

14
Attacks

• There are six attack vectors. Nimda virus used
  five of these six vectors for a very rapid spread
  of the virus
• Attack replication vectors
• 1. IP scan and attack
• Infected system scans random or local range of IP
  addresses and launches attacks based on known
  vulnerabilities in applications such as SQL Server

15
Attacks

• 2. Web browsing
• Any web system with write access privilege
  infects files of type .html, .asp, .cgi, etc and
  in turn infect other systems that access these
  files
• 3. Virus
• One infected machine infects certain common
  executable or script files
• Spreads by user activation without their
  knowledge
• 4. Shares
• Exploit known vulnerabilities in file systems by
  accessing all drives to which it has share access
  and copy the viral component

16
Attacks

• 5. Mass mail
• Send email attachments containing the virus to
  all addresses in the distribution list of the
  infected system
• Outlook Express has been exploited this way
• 6. SNMP
• SNMP buffer overflow vulnerability has been
  exploited by application software errors
• Hoax is another form of an attack in which a real
  virus is attached to a message that identifies a
  particular virus information as a hoax

17
Attacks

• Back door
• Exploit a software designer feature to access a
  system remotely
• Designer intentionally blocks logging of access
  information through the back door
• Difficult to locate back door access because of
  lack of audit trail
• Password crack
• Reverse engineering a password validation
  mechanism to find the password from captured data
• The Service Account Manager (SAM) file contains a
  hashed value of the password. User tries several
  hashing algorithms by taking known value and
  hashing it to compare with the hashed value in SAM

18
Attacks

• Brute force
• Commonly applied to guess passwords of accounts
  with more administrative privileges
• Narrow the field of attack to certain user IDs
  only for maximum impact
• The SANS/FBI report covers potential
  countermeasures to brute force attack in its list
  of Top 20 most critical Internet vulnerabilities
• NISTs ICAT provides a short description of each
  vulnerability, a list of the characteristics of
  each vulnerability (e.g. associated attack range
  and damage potential), a list of the vulnerable
  software names and version numbers, and links to
  vulnerability advisory and patch information

19
Attacks

• Common Vulnerabilities and Exposures (CVE) is a
  list managed by Mitre corporation for the benefit
  of the Internet community of all known
  vulnerabilities around the world on all software
  and hardware
• CAN number is a pre-CVE classification once a
  vulnerability comes to light. CAN is an
  abbreviation for Candidate to indicate that it is
  being investigated as a possible CVE

20
Attacks

• Dictionary attack is a variation of brute force
  attack. This targets accounts with higher
  administrative privileges. Unlike a brute force
  attack, it does not use an exhaustive list but a
  predefined list of words to guess passwords
• Denial of Service (DoS) attack simply sends out a
  large number of requests for service to the
  target machine to overwhelm its capacity to
  handle other legitimate requests
• Distributed DoS (DDoS) attack involves using
  remotely located computers to launch a
  simultaneous DoS attack on a target system. The
  machines that participate in the DoS attack are
  called Zombies.
• DDoS is considered a weapon of mass destruction
  on the Internet

21
Attacks

• A countermeasure for DDoS attack has been
  developed by an industry and academic consortia,
  called the Consensus Roadmap for Defeating
  Distributed Denial of Service Attacks. Partners
  include CERT, SANS, CERIAS at Purdue University,
  and Microsoft
• Code Red worm was a DDoS attack aimed at the
  www.whitehouse.gov site. Today, Akamai
  corporation filters all traffic going to
  www.whitehouse.gov site.

22
Attacks

• Spoofing technique enables the user to pretend to
  be someone that they are not
• Spoofing occurs in multiple types
• Email spoofing
• Web spoofing
• IP spoofing
• In email spoofing, the recipient sees the spoofed
  address but the mail server has the original
  address
• Easy to accomplish.

23
Attacks

• In web spoofing, the web link is modified from
  what it should be.
• Example a link for Microsoft could be
  www.mysite.com
• Easy to accomplish
• In IP spoofing, the original IP address is
  replaced by a different IP address
• The spoofer has the malicious intent of fooling
  the firewall with a trusted IP
• IP spoofing costs corporations billions of
  dollars every year

24
Attacks

• Man-in-the-middle attack involves
• sniffing packets in transit to identify the
  encryption method
• remove the original message content and
  substitute new content without senders knowledge
  
• Receiver will not know the content change because
  the received packets will have the right checksum
  or CRC value

25
Attacks

• Mail bombing involves sending large volumes of
  email to the target, as in DoS attack
• Mail bombs take advantage of SMTP flaws
• Sniffer is a program or device that monitors data
  in transit
• Sniffer converts sequence of bits into readable
  text
• Snort is one of many sites that have free sniffer
  software

26
Attacks

• Social engineering involves convincing the target
  to part with confidential information
• Involves primarily people (unsuspecting)
• Occurs over phone (most common), in person
  (rare), or via email
• Overcomes all other preventive methods such as
  firewalls
• Buffer overflow attack causes great havoc
• Mostly caused by applications such as SQL Server

27
Attacks

• Buffer overflow attacks continue to be the
  biggest problem
• Examples
• SQL injection by web address exceeding 63
  characters
• res//an URL longer than 256 characters in IE 4.0
• Execute codes such as FooF that crash Pentium
  chips via buffer overflow

28
References

• SANS Top 20 vulnerabilities list
  http//www.sans.org/top20/
• Common Vulnerabilities and Exposures (CVE) number
  http//cve.mitre.org
• NIST glossary of vulnerabilities
  http//icat.nist.gov
• CAN listing (Candidate for CVE) of 2004 on a
  possible Denial of Service attack
  http//www.cve.mitre.org/cgi-bin/cvename.cgi?name
  CAN-2004-0079

29
References

• DDoS Countermeasure http//www.sans.org/dosstep/ro
  admap.php
• Sniffer software http//www.snort.org
• Social engineering http//www.secretservice.gov/al
  ert419.shtml