INFORMATION Security

Date post: 15-Jan-2016
Upload: natalie-stokes
Page 1: INFORMATION Security. Computer Security Concepts Integrity - Assets can be modified by authorized parties only Availability - Assets be available to authorized.

INFORMATION Security

Page 2:

Computer Security Concepts

• Integrity - Assets can be modified by authorized parties only, and only in authorized ways.

• Availability - Assets are available to authorized parties when they need them.

• Confidentiality - Information in a computer system is accessible only to authorized parties. A related notion is privacy: individuals set their own requirements for what information about them is collected and to whom it may be disclosed.

Additional requirements:

• Authenticity - The system can verify the identity of a user (and that a message or transaction is genuine, not forged or replayed).

• Accountability - A security breach can be detected and traced to a responsible party; this requires records (audit logs) that tie actions to identities.

Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (i.e. hardware, software, firmware, information/data, and telecommunications).

Page 3:

Threats and Attacks

Page 4:

Threats and Assets

Page 5:

Security Threats to Assets

Page 6:

Communication Lines and Networks

Passive attacks (the attacker only eavesdrops; nothing on the wire is altered):

– Release of message contents - a telephone conversation, an electronic mail message, a transferred file, etc. is read by someone other than the intended recipient.

– Traffic analysis - encryption can mask the contents, but message size, transmission frequency, timing, and the location and identity of the communicating hosts can still be extracted.

Passive attacks are hard to detect because no data is changed; the emphasis is on prevention (encryption) rather than detection.

Page 7:

Communication Lines and Networks

Active attacks (the attacker modifies the data stream or creates a false one):

– Replay: passive capture of a data unit and its later retransmission to produce an unauthorized effect (e.g. resending a captured "transfer funds" message).

– Masquerade: one entity pretends to be a different entity (e.g. trying to log in as someone else, often by replaying a captured authentication exchange).

– Modification of messages: some portion of a legitimate message is altered, or messages are delayed or reordered.

– Denial of service: prevents or inhibits the normal use or management of communications facilities, either by disabling a service or by overloading it with messages.

Active attacks are difficult to prevent outright, so the goal is to detect them and recover from the disruption they cause.

Page 8:

Intruder Behavior Patterns

• Hackers

• Criminals

• Insider attacks

Page 9:

Malicious Software (malware)

Backdoor (Trapdoor)

• A secret entry point into a program that allows someone who knows about it to gain access without going through the normal security procedures. (Anyone watched the movie War Games?)

• Used by programmers to debug and test programs while skipping a lengthy setup/authentication process during development:
– avoids the necessary setup and authentication
– ensures there is a way to activate the program if something is wrong with the authentication procedure

• A backdoor left in shipped code is a vulnerability: anyone who learns of it bypasses authentication entirely.

Logic Bomb

• Code embedded in a legitimate program that is set to "explode" when certain conditions are met
• Typical triggers: presence or absence of certain files, a particular day of the week or date, a particular user running the application
• One of the oldest types of program threat, predating viruses and worms

Trojan Horse

• An apparently useful program that contains hidden code which, when invoked, performs some unwanted or harmful function
• Can be installed through software downloads, bundling, e-mail attachments, websites with executable content, etc.
• Trojan-type malware was reported to be on the rise, accounting for 83 percent of global malware.

Page 10:

Viruses

A virus is a program that can "infect" other programs by modifying them in such a way that the infected program can in turn infect other programs. (Any virus stories?)

Virus Stages

• Dormant phase: the virus is idle, waiting for an event such as a date or the presence of a file. Not all viruses have this stage.

• Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas on the disk; each infected program now carries a clone that will itself enter a propagation phase.

• Triggering phase: the virus is activated to perform the function it was written for (usually harmful), typically by a system event such as a date or a count of how many copies it has made.

• Execution phase: the function is performed, ranging from harmless (a message on the screen) to destructive (deleting files or data).

Macro Viruses

• A macro is an executable program embedded in a word-processing document or other type of file.
• Easily spread; platform independent; infects documents rather than executables, so it slips past controls that only watch .exe files.

E-mail Virus

• Activated when the recipient opens the e-mail attachment (e.g. the Melissa virus). A new version that came out in 1999 was activated merely by opening the e-mail itself.

• Sends itself to everyone on the mailing list of the infected user.

Page 11:

A SIMPLE VIRUS

A COMPRESSION VIRUS

Page 12:

Viruses

Classification by target

• Boot sector infector - infects the boot record and spreads when the system is booted from the disk containing the virus
• File infector - infects executable files
• Macro virus - infects files with macro code that is interpreted by an application

Classification by concealment strategy

• Encrypted virus - a portion of the virus encrypts its main body and stores the key with itself. When an infected program is executed, the virus decrypts itself and then replicates. At each replication a different random key is selected, so the encrypted body has no stable signature; only the small decryption routine stays constant, which is what scanners then target.
• Stealth - designed to hide itself from detection by antivirus software, e.g. by intercepting file-read requests so an infected file appears unchanged, or by using compression so the infected file keeps its original length.
• Polymorphic - mutates with every infection (the decryption routine itself is varied, e.g. by inserting junk instructions or swapping equivalent instructions), so detection by a fixed "signature" of the virus is impractical.
• Metamorphic - like polymorphic, but rewrites itself completely at each iteration, making detection even more difficult. May change functionality as well as appearance.

Page 13:

Malicious Software (cont.)

Worms

A worm has characteristics similar to an e-mail virus, but it does not need a host program and it is not passive: it actively seeks out more machines to infect via

• Electronic mail facility: the worm mails a copy of itself to other systems
• Remote execution: the worm executes a copy of itself on another system, through a remote execution service or a vulnerability in a network service
• Remote log-in: the worm logs on to a remote system as a user and then copies itself from one system to the other

Bots (zombie or drone)

• A program that secretly takes over another Internet-attached computer and uses it to launch attacks that are difficult to trace to the bot's creator
• Planted on hundreds or thousands of computers belonging to unsuspecting third parties and then used to overwhelm a target Web site with an onslaught of Internet traffic
• A collection of bots acting in a coordinated manner is called a botnet

Uses of bots

• DDoS (Distributed Denial of Service) attacks, spamming, sniffing traffic on a compromised machine, keylogging, spreading new malware, manipulating online polls/games/clicks for ads (every bot has a distinct IP address, so its votes or clicks look like separate users), etc.

Page 14:

BOTS

Bots (zombie or drone)

• A program that secretly takes over another Internet-attached computer and uses it to launch attacks that are difficult to trace to the bot's creator

Remote Control Facility

• A worm propagates and activates itself, whereas a bot is controlled from a central facility (command and control).
• Once a communication path is established, the control module can activate the bots on the host machines (which have been taken hostage). For greater flexibility, the control module can instruct the bots to download a file from an Internet site and execute it; this way a bot can be repurposed for different kinds of attacks.

Constructing the Attack Network

Three things are needed: (1) attack software, (2) a large number of vulnerable machines, and (3) a way of locating those machines (scanning or fingerprinting). Scanning is generally done in a nested (or recursive) manner: each newly compromised machine scans for further victims.

Scanning strategies:

• Random - check random IP addresses for the vulnerability. Fast, but generates a high volume of suspicious Internet traffic (many connection attempts to addresses that do not exist or do not run the service), which makes it easy to notice.
• Hit list - a long list of vulnerable machines is compiled a priori; each infected machine is given a partial list to infect. Generates much less traffic and is therefore harder to detect, at the cost of a slower compilation phase before the attack.
• Topological - uses information found on an infected machine (address books, known hosts, URLs) to find more hosts to scan.
• Local subnet - if a host behind a firewall is infected, it is used to infect others on the same subnet (all behind the same firewall), where the perimeter controls never see the traffic.
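The random strategy is the one that gives itself away in traffic. As an added example (not code from the slides), here is a fan-out detector over constructed flow records: it flags any source that contacts many distinct destinations on the same port within a short window, and the same data shows why a slow hit-list bot slips under the same threshold. The record layout (time, source, destination, port), the window and the threshold are assumptions for the example.

```python
"""Fan-out detector for random-scanning bots.

Added example, not code from the slides. A random-scanning bot touches many
distinct destination addresses on one port in a short time, while a hit-list
bot that works slowly through its share of a pre-compiled list does not. The
flow records below are constructed for the example; the (time, src, dst, port)
layout is an assumption, not a real NetFlow or Zeek schema.
"""
from collections import Counter, defaultdict, deque


def make_flows():
    """Constructed traffic: one random scanner, one normal host, one hit-list bot."""
    flows = []
    # 10.0.0.5 probes 40 different hosts on 445/tcp, one every half second.
    for i in range(40):
        flows.append((i * 0.5, "10.0.0.5", f"198.51.100.{i + 1}", 445))
    # 10.0.0.7 is a normal host talking to three web servers repeatedly.
    for i in range(40):
        flows.append((i * 0.5, "10.0.0.7", f"203.0.113.{(i % 3) + 1}", 443))
    # 10.0.0.9 is a hit-list bot: one new target every 30 seconds.
    for i in range(10):
        flows.append((i * 30.0, "10.0.0.9", f"192.0.2.{i + 1}", 445))
    return flows


def detect_scanners(flows, window=60.0, threshold=20):
    """Flag sources that reach >= `threshold` distinct destinations on one
    port within any `window` seconds. Returns {src: (port, max_distinct)}."""
    recent = defaultdict(deque)    # (src, port) -> deque of (t, dst) in window
    counts = defaultdict(Counter)  # (src, port) -> dst -> hits in window
    flagged = {}
    for t, src, dst, port in sorted(flows):
        key = (src, port)
        q, c = recent[key], counts[key]
        q.append((t, dst))
        c[dst] += 1
        # Expire records older than the window (sliding-window distinct count).
        while q and t - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        fanout = len(c)
        if fanout >= threshold and fanout > flagged.get(src, (port, 0))[1]:
            flagged[src] = (port, fanout)
    return flagged


if __name__ == "__main__":
    for src, (port, n) in detect_scanners(make_flows()).items():
        print(f"possible scanner {src}: {n} distinct hosts on port {port}")
```

With the defaults only 10.0.0.5 is reported; the hit-list bot never exceeds three distinct targets per minute. Widening the window to ten minutes and lowering the threshold catches it too, at the price of more false positives from busy legitimate hosts, which is the trade-off the hit-list strategy exploits.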

Page 15:

ROOTKITS

Rootkit

• Malware consisting of a set of programs designed to take fundamental control of a computer system and hide the fact that the system has been compromised.
• Typically, rootkits obscure their presence on the system through subversion or evasion of standard OS security mechanisms.
• Techniques include concealing running processes from monitoring programs, or hiding files, network connections or other system data from the OS and its tools.
• Often they are Trojans as well, fooling users into believing they are safe to run on their systems.
• Rootkits may also install a "back door" in a system by replacing the login mechanism (such as /bin/login) with an executable that records the login combination, which is later used to access the system illegally.
• With root access, an attacker has complete control of the system and can do anything, including tampering with the very tools an administrator would use to investigate.

Rootkit Installation

• Usually via a Trojan horse: a user is induced to load a Trojan horse, which then installs the rootkit.
• Another means is direct attacker activity: the attacker first gains access to the system by other means, escalates to root, and installs the rootkit by hand, a rather lengthy process.

Page 16:

Terminology of Malicious Programs

Page 17:

Terminology of Malicious Programs (cont.)

Page 18:

Authentication

Page 19:

Authentication

• The basis for most types of access control and for accountability: if identities cannot be established, neither can rights or responsibility.

Identification & verification:

• Identification: the user presents an identifier (e.g. a user name) to the security system
• Verification: the user presents or generates authentication information that corroborates the binding between the entity and the identifier

Means of authentication

• Something the individual knows - password, PIN, answers to a set of questions
• Something the individual possesses (a token) - electronic keycards, smart cards, physical keys
• Something the individual is (static biometrics) - fingerprint, retina, face
• Something the individual does (dynamic biometrics) - voice pattern, handwriting, typing rhythm, etc.

[Figure: accuracy versus cost of the authentication means; axes labelled Accuracy and Cost]

Page 20:

Password Selection

• Computer-generated passwords
– Users have difficulty remembering them and need to write them down
– History of poor acceptance

• Reactive password checking strategy
– The system periodically runs its own password cracker to find guessable passwords. It cancels any password that is guessed and notifies the user.
– Drawbacks: resource intensive, and a weak password stays in use until the cracker gets to it.

• Proactive password checker
– The system checks at the time of selection whether the password is allowable (length, mix of character classes, not a dictionary word, not derived from the user name).
– With guidance from the system, users can select memorable passwords that are difficult to guess.
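As an added example (not code from the slides), a small proactive checker of the kind described above. It applies a length rule, a character-class rule, a user-name rule, a dictionary rule that first undoes common substitutions (so "P@ssw0rd123" is still caught as "password"), and a sequence rule. The minimum length, the class count and the tiny dictionary are assumptions for the example; a real checker loads a large wordlist.

```python
"""Proactive password checker.

Added example, not code from the slides. Each rule below is one of the
checks a proactive checker applies at password-selection time. The minimum
length, the class count and the tiny dictionary are assumptions for the
example; a real checker loads a large wordlist.
"""
import re
from typing import List

MIN_LENGTH = 12
MIN_CLASSES = 3

# Constructed mini-dictionary of common passwords / words.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey",
              "qwerty", "football", "sunshine", "princess"}

# Common "leet" substitutions that crackers undo when generating guesses.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Strip trailing digits/punctuation, then undo leet substitutions,
    so 'P@ssw0rd123' is compared against the dictionary as 'password'."""
    stripped = re.sub(r"[^A-Za-z@$]+$", "", pw)
    return stripped.lower().translate(LEET)


def has_run(s: str, n: int = 4) -> bool:
    """True if `s` contains n consecutive ascending characters (abcd, 1234)."""
    s = s.lower()
    for i in range(len(s) - n + 1):
        if all(ord(s[j + 1]) - ord(s[j]) == 1 for j in range(i, i + n - 1)):
            return True
    return False


def check_password(pw: str, username: str = "") -> List[str]:
    """Return the list of reasons the password is rejected; empty means allowed."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    if username and username.lower() in pw.lower():
        reasons.append("contains the user name")
    core = normalize(pw)
    if core in DICTIONARY:
        reasons.append(f"dictionary word '{core}' with trivial substitutions")
    if re.fullmatch(r"(.)\1+", pw):
        reasons.append("single repeated character")
    if has_run(pw):
        reasons.append("contains a keyboard/alphabet sequence")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "alice2024!!", "correct-Horse7battery"):
        print(candidate, "->", check_password(candidate, username="alice") or "OK")
```

Returning every failed rule, rather than just "rejected", is what lets the system guide the user toward a password that is both memorable and hard to guess.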

Page 21:

Password Protection via Hashing

• Passwords are not stored in the clear; a one-way hash of the password, combined with a random salt, is stored instead.
• The salt is different for each user (random). Advantages are:
– Duplicates appear differently in the password file, so it is impossible to tell from the file whether two users (or the same user on different systems) chose the same password.
– Increases the difficulty of guessing passwords offline: if the salt is b bits, the number of hashes an attacker must precompute for a given dictionary grows by a factor of 2^b, and each guess has to be hashed separately for every user.

UNIX implementation (traditional crypt(3))

• Uses crypt(3), based on DES, for hashing.
• A 12-bit salt and the 56-bit key derived from the password (up to 8 characters, 7 bits each) are fed into crypt(3), which encrypts a 64-bit block of zeros to produce a 64-bit output. The result is encoded as 11 printable characters and stored with the 2-character salt in front of it.
• crypt(3) applies the (salt-modified) DES 25 times, so it was deliberately slow for its day and discouraged cracking.
• A 2003 study reports that a supercomputer could crack 50 million passwords in 80 minutes. SCARY!
• Newer crypt variants (MD5-, SHA-512- or bcrypt-based, with longer salts and tunable iteration counts) are much more secure.
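The two ideas on this slide (per-user salt) and the previous one (reactive checking) fit in one added example, which is not code from the slides. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the DES-based crypt(3); the iteration count, the 16-byte salt and the record format ("pbkdf2_sha256$iterations$salt$hash") are assumptions for the example. The reactive checker at the end shows the cost salting imposes on a cracker: every guess must be re-hashed for every user.

```python
"""Salted password hashing with a reactive checker on top.

Added example, not code from the slides. PBKDF2-HMAC-SHA256 stands in for
DES-based crypt(3); the iteration count, salt length and record format
("pbkdf2_sha256$iters$salt$hash") are assumptions for the example.
Raise ITERATIONS for production use.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # work factor; deliberately slow, as crypt(3)'s 25 DES rounds once were
SALT_BYTES = 16        # 128-bit salt: 2**128 possible values per user


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt and hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt/work factor; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def reactive_check(password_file: dict, guesses) -> dict:
    """Reactive password checker: run a guess list against every stored
    record and return {user: guessed_password}. Because every user has a
    different salt, each guess must be hashed once per user; without salts
    one hash per guess would cover the whole file."""
    guessed = {}
    for user, record in password_file.items():
        for guess in guesses:
            if verify_password(guess, record):
                guessed[user] = guess
                break
    return guessed


def demo() -> dict:
    # Constructed password file: alice and bob chose the same weak password.
    password_file = {
        "alice": hash_password("hunter2"),
        "bob": hash_password("hunter2"),
        "carol": hash_password("correct-Horse7battery"),
    }
    # Their records differ even though the passwords are identical.
    assert password_file["alice"] != password_file["bob"]
    return reactive_check(password_file, ["password", "letmein", "hunter2"])


if __name__ == "__main__":
    print(demo())   # {'alice': 'hunter2', 'bob': 'hunter2'}
```

Storing the algorithm and iteration count inside the record is what lets a site raise the work factor later and re-hash each user at their next login, which is how the "new versions are much more secure" step happens in practice.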

Page 22:

Access Control

• Discretionary access control (DAC) - based on the identity of the requestor and on access rules (authorizations) stating what requestors are allowed to do. Discretionary because an entity holding a right may pass that right on to others. Traditional; Unix file permissions are an example.

• Mandatory access control (MAC) - compares security labels (on critical system resources) with security clearances (of users). Used in the military. Unlike DAC, users cannot override or modify this policy, either accidentally or intentionally, so a careless or compromised user cannot leak labelled data by granting access to it.

• Role-based access control (RBAC) - based on the roles that users have within the system. Rules state what accesses are allowed to users in given roles. Widely used.

Discretionary access control (DAC)

Page 23:

Access Control

• A separate access control module (controller) is associated with each type of object.

• An access attempt triggers the following steps:
– Subject S0 issues a request for a particular kind of access (call it α, e.g. read or write) to object X
– A message (S0, α, X) is sent to the controller for X
– The controller checks whether α is in the access matrix entry A[S0, X]. If so, it allows the access; otherwise the access is refused and a warning is issued (and logged, for accountability).

Page 24:

Role-Based Access Control (RBAC)

• Widespread commercial use

• A user may be assigned multiple roles, and a role may be held by many users; rights are attached to roles rather than to individual users, which keeps administration tractable

• Each role has certain access rights

• A role can also be treated as an object in the access matrix, which allows role hierarchies: a senior role inherits the rights of the junior roles below it
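Both mechanisms on the last two slides, the (S0, α, X) controller check against an access matrix and RBAC with a role hierarchy, are shown in one added example below. It is not code from the slides; the class names, the subject/object/right vocabulary and the sample policy are assumptions for the example.

```python
"""Access matrix controller (DAC) and role-based access control with a role
hierarchy. Added example, not code from the slides; the class names, the
subject/object/right vocabulary and the sample policy are assumptions."""
from collections import defaultdict


class AccessMatrix:
    """A[S, X] = set of access rights subject S holds on object X."""

    def __init__(self):
        self.A = defaultdict(set)
        self.warnings = []          # accountability: refused requests are recorded

    def grant(self, subject, obj, *rights):
        self.A[(subject, obj)].update(rights)

    def controller(self, subject, right, obj):
        """The (S0, alpha, X) check: allow iff alpha is in A[S0, X]."""
        if right in self.A.get((subject, obj), set()):
            return True
        self.warnings.append(f"refused: {subject} requested {right} on {obj}")
        return False

    def delegate(self, owner, grantee, obj, *rights):
        """Discretionary: a subject holding 'own' on X may pass rights on X to others."""
        if not self.controller(owner, "own", obj):
            return False
        self.grant(grantee, obj, *rights)
        return True


class RBAC:
    """Rights attach to roles; users get roles; senior roles inherit junior roles."""

    def __init__(self):
        self.user_roles = defaultdict(set)
        self.role_perms = defaultdict(set)   # role -> {(right, obj)}
        self.juniors = defaultdict(set)      # role -> roles it inherits from

    def assign(self, user, *roles):
        self.user_roles[user].update(roles)

    def permit(self, role, right, obj):
        self.role_perms[role].add((right, obj))

    def inherit(self, senior, junior):
        self.juniors[senior].add(junior)

    def effective_roles(self, user):
        """All roles reachable from the user's roles down the hierarchy."""
        seen, stack = set(), list(self.user_roles[user])
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors[role])
        return seen

    def check(self, user, right, obj):
        return any((right, obj) in self.role_perms[r] for r in self.effective_roles(user))


def demo_dac():
    m = AccessMatrix()
    m.grant("alice", "report.txt", "own", "read", "write")
    m.delegate("alice", "bob", "report.txt", "read")     # alice chooses to share
    m.delegate("bob", "carol", "report.txt", "read")     # bob is not the owner: refused
    return (m.controller("bob", "read", "report.txt"),
            m.controller("bob", "write", "report.txt"),
            m.controller("carol", "read", "report.txt"),
            len(m.warnings))


def demo_rbac():
    r = RBAC()
    r.permit("employee", "read", "handbook")
    r.permit("engineer", "write", "repo")
    r.permit("finance", "read", "payroll")
    r.inherit("engineer", "employee")       # engineer is senior to employee
    r.assign("alice", "engineer")
    r.assign("bob", "employee")
    return (r.check("alice", "read", "handbook"),   # inherited via the hierarchy
            r.check("alice", "write", "repo"),
            r.check("alice", "read", "payroll"),
            r.check("bob", "write", "repo"))


if __name__ == "__main__":
    print(demo_dac(), demo_rbac())
```

The `delegate` method is what makes the matrix discretionary: the owner, not an administrator, decides who else may read the file. Under MAC that call would not exist, since labels and clearances, not the owner's wishes, decide access.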

Page 25:

Intrusion Detection Systems (IDS)

• Host-based IDS: monitors the characteristics of a single host and the events occurring within that host for suspicious activity

• Network-based IDS: monitors network traffic for particular segments and analyzes network, transport, and application protocols to identify suspicious activity

An IDS comprises three logical components:

• Sensors - collect data. Input types: network packets, log files, system call traces
• Analyzers - receive input from sensors (and possibly from other analyzers); responsible for deciding whether an intrusion has occurred
• User interface - lets an operator view the output and control the system; may be a manager, director, or console

Basic principles:

• Early detection is very important to confine the damage: the sooner an intrusion is detected, the less damage is done and the quicker recovery can be
• An effective IDS can serve as a deterrent (thus discouraging intrusion attempts)
• Intrusion detection enables data collection about intrusion techniques which, in turn, can be used to strengthen intrusion prevention measures

Page 26:

Intrusion Detection

• Assumption: the behavior of the intruder differs from that of the legitimate user in ways that can be quantified.

• But there is overlap. A loose interpretation of "intruder" leads to false positives (legitimate users flagged); a tight interpretation leads to false negatives (intruders missed, which is the riskier error). Choosing the threshold is a trade-off between the two.

Page 27:

Host-Based Intrusion Detection

• Can detect both external and internal intrusions (e.g. a local user escalating privilege), which a network-based IDS or a perimeter firewall cannot see.

General approaches:

• Anomaly detection - collect data on the behavior of legitimate users over a period of time, then apply statistical tests to decide whether observed behavior is not legitimate
– Threshold detection: defines thresholds, independent of user, for the frequency of occurrence of various events (e.g. failed logins per minute)
– Profile based: a profile of normal activity is developed for each user and used to detect changes in that user's behavior

• Signature detection: define a set of rules (signatures) that describe an intruder's behavior. A signature-based IDS compares observed events (packets on the network; log entries and system calls on a host) with pre-configured, pre-determined attack patterns. It catches known attacks with few false positives but cannot catch an attack it has no signature for.

• Audit records
– Native audit records: all OSs include accounting software that collects information on user activity. Advantage: no extra software; disadvantage: the records may not contain what the IDS needs, in the form it needs.
– Detection-specific audit records: generate audit records containing only the information required by the IDS. Disadvantage: two accounting packages run on the system.
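The three approaches above, run over a few constructed log lines, as an added example that is not code from the slides. Threshold detection counts failed logins per source in a sliding window, profile-based detection flags a successful login from an address outside the user's usual set, and signature detection matches web requests against fixed patterns. The sshd/syslog and Apache-style lines, the thresholds, the user profile and the signature set are all assumptions constructed for the example.

```python
"""Host-based detection over constructed log lines: threshold detection,
per-user profile detection and signature matching.

Added example, not code from the slides. The log lines are constructed in
sshd/syslog and Apache combined-log style; the thresholds, the user profile
and the signature set are assumptions for the example.
"""
import re
from collections import defaultdict, deque

AUTH_LOG = """\
Mar  1 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 5001 ssh2
Mar  1 10:00:02 host sshd[102]: Failed password for invalid user test from 203.0.113.9 port 5002 ssh2
Mar  1 10:00:03 host sshd[103]: Failed password for root from 203.0.113.9 port 5003 ssh2
Mar  1 10:00:04 host sshd[104]: Failed password for root from 203.0.113.9 port 5004 ssh2
Mar  1 10:00:05 host sshd[105]: Failed password for root from 203.0.113.9 port 5005 ssh2
Mar  1 10:00:06 host sshd[106]: Failed password for root from 203.0.113.9 port 5006 ssh2
Mar  1 10:00:30 host sshd[107]: Accepted password for alice from 10.0.0.5 port 5100 ssh2
Mar  1 10:00:45 host sshd[108]: Failed password for bob from 10.0.0.6 port 5101 ssh2
Mar  1 10:01:00 host sshd[109]: Accepted password for alice from 203.0.113.77 port 5200 ssh2
"""

WEB_LOG = """\
10.0.0.5 - - [01/Mar/2016:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [01/Mar/2016:10:02:01 +0000] "GET /view.php?page=../../etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [01/Mar/2016:10:02:02 +0000] "GET /login?user=admin' OR 1=1-- HTTP/1.1" 500 0
"""

SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"'\s*or\s+1=1", re.IGNORECASE),
    "xss": re.compile(r"<script", re.IGNORECASE),
}

# Constructed per-user profile, as it would be learned from past activity.
PROFILE = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.6"}}


def parse_auth(text):
    """Turn sshd lines into events: (seconds_of_day, result, user, src)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            h, mi, s, result, user, src = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), result, user, src))
    return events


def threshold_alerts(events, limit=5, window=60):
    """Threshold detection: sources with >= `limit` failures within `window` seconds."""
    recent = defaultdict(deque)
    alerts = set()
    for t, result, _user, src in events:
        if result != "Failed":
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            alerts.add(src)
    return alerts


def profile_alerts(events, profile):
    """Profile-based detection: successful logins from a source outside the
    user's known set. `profile` maps user -> set of usual source addresses."""
    return [(user, src) for _t, result, user, src in events
            if result == "Accepted" and src not in profile.get(user, set())]


def signature_alerts(text, signatures=SIGNATURES):
    """Signature detection: each (signature name, offending line) match."""
    hits = []
    for line in text.splitlines():
        for name, pattern in signatures.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


if __name__ == "__main__":
    ev = parse_auth(AUTH_LOG)
    print("threshold:", threshold_alerts(ev))
    print("profile:", profile_alerts(ev, PROFILE))
    print("signature:", [name for name, _ in signature_alerts(WEB_LOG)])
```

Lowering `limit` to 1 would also flag bob's single typo (a false positive); raising it to 10 would miss the brute-force source entirely (a false negative), which is the overlap problem from the previous slide in concrete form.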

Page 28:

Malware Defense

Antivirus approaches: (1) detection - determine that an infection has occurred and locate the virus; (2) identification - identify the specific virus; (3) removal - remove all traces of the virus and restore the program to its original state.

As the virus arms race has evolved, antivirus software has grown more complex. Two sophisticated approaches are Generic Decryption and the Digital Immune System.

Generic Decryption (GD)

Contains three essential parts:

• CPU emulator - instructions in an executable file are interpreted by the emulator rather than by the real processor, in a controlled environment. If the code includes a decryption routine, it is interpreted too and the virus body is exposed in the emulator's memory: the virus itself does the decryption for the antivirus program.

• Virus signature scanner - scans the target code (including the emulator's memory) looking for known virus signatures.

• Emulation control module - controls the execution of the target code. Periodically it interrupts the interpretation to scan the target code for virus signatures. The main design question is how long to emulate: too short and the virus has not decrypted yet; too long and scanning every file becomes too slow.
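Generic decryption in miniature, as an added example that is not code from the slides or from any real antivirus engine. A toy CPU emulator interprets an encrypted "virus" whose own decryptor loop exposes the body in memory, while the control module pauses every few instructions to hand memory to the signature scanner. A plain scan of the stored bytes finds nothing; the emulated run does. The instruction set, the XOR key, the signature and the sample body are all constructed for the example; real engines emulate x86 and use heuristics to decide how long to keep emulating.

```python
"""Generic decryption in miniature: a toy CPU emulator runs an encrypted
"virus" whose own decryptor loop exposes the body, while an emulation control
module periodically hands memory to a signature scanner.

Added example, not code from the slides or from any real antivirus engine.
The instruction set, the signature and the sample are all made up for the
example.
"""

SIGNATURES = [b"EVIL_SIG"]       # constructed signature of the virus body
KEY = 0x5A                       # constructed XOR key the virus carries with it

# Toy ISA: ("load", r, imm) | ("xorm", r_addr, r_key) | ("add", r, imm)
#          ("jlt", r, imm, target) | ("halt",)


def build_sample():
    """Return (program, memory): an encrypted body plus the decryptor that
    decrypts it in place at run time. Only the decryptor is ever in the clear."""
    body = b"payload..EVIL_SIG..end!!"          # 24 bytes of constructed virus body
    memory = bytearray(b ^ KEY for b in body)   # stored encrypted: no signature visible
    program = [
        ("load", 0, 0),              # r0 = address of first body byte
        ("load", 1, KEY),            # r1 = key stored inside the virus
        ("xorm", 0, 1),              # mem[r0] ^= r1
        ("add", 0, 1),               # r0 += 1
        ("jlt", 0, len(body), 2),    # loop until the whole body is decrypted
        ("halt",),
    ]
    return program, memory


def scan(memory, signatures=SIGNATURES):
    """Signature scanner: return the first known signature found in memory."""
    for sig in signatures:
        if sig in memory:
            return sig
    return None


def emulate(program, memory, scan_every=8, max_steps=10_000):
    """CPU emulator plus emulation control module. Interpret the program; every
    `scan_every` instructions (and at halt) scan memory. Returns
    (signature_or_None, instructions_executed)."""
    regs = [0, 0]
    pc = steps = 0
    while steps < max_steps:
        ins = program[pc]
        op = ins[0]
        next_pc = pc + 1
        if op == "load":
            regs[ins[1]] = ins[2]
        elif op == "xorm":
            memory[regs[ins[1]]] ^= regs[ins[2]]
        elif op == "add":
            regs[ins[1]] += ins[2]
        elif op == "jlt":
            if regs[ins[1]] < ins[2]:
                next_pc = ins[3]
        elif op == "halt":
            return scan(memory), steps + 1
        pc = next_pc
        steps += 1
        if steps % scan_every == 0:          # control module interrupts to scan
            found = scan(memory)
            if found:
                return found, steps
    return scan(memory), steps               # budget exhausted: give up


def demo():
    program, memory = build_sample()
    static = scan(bytes(memory))                      # scanning the file on disk
    dynamic, steps = emulate(program, bytearray(memory))
    return static, dynamic, steps


if __name__ == "__main__":
    print(demo())   # (None, b'EVIL_SIG', 56)
```

The `max_steps` budget is the control module's hard problem in a single number: a decryptor that idles for a few thousand instructions before doing any work defeats a budget that is set too low, while a generous budget multiplies the time spent on every clean file.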

Page 29:

Digital Immune System

• Developed by IBM (refined by Symantec) - a general-purpose emulation and virus detection system
• Motivation: the rising threat of Internet-based virus propagation
– Integrated mail systems (e.g. MS Outlook, Lotus Notes)
– Mobile-program systems (e.g. Java and ActiveX allow programs to move on their own)

1. Each PC runs a monitoring program to detect unusual behavior; a suspect program is forwarded to an administrative machine within the organization.

2. The administrative machine encrypts the sample and forwards it to the central virus analysis machine (VAM).

3. The VAM analyzes the sample in a safe environment via emulation and derives a prescription (a signature and removal instructions).

4. The prescription is sent back to the administrative machine.

5.-6. The prescription is forwarded to the infected client as well as to the other PCs on the same network.

7. All subscribers receive regular antivirus updates.

Page 30:

Behavior-Blocking Software

Page 31:

Rootkit Countermeasures

• Rootkits can be extraordinarily difficult to detect and neutralize, particularly kernel-level rootkits.

• Many of the administrative tools that could be used to detect a rootkit can be compromised by the rootkit itself.

• There are always new rootkits and modified versions of existing rootkits that display novel signatures. For these, a system needs to look for behaviors that could indicate the presence of a rootkit, such as the interception of system calls or a keylogger interacting with a keyboard driver. Such behavior detection is far from straightforward; for example, legitimate antivirus software also intercepts system calls.

• Another approach is a cross-view integrity check (e.g. the freeware RootkitRevealer from Sysinternals). It compares the results of a system scan made through the OS APIs with the view obtained by reading storage directly, without going through those APIs. Because a rootkit conceals itself by modifying the view seen through the administrative calls, RootkitRevealer catches the discrepancy. Running such a check from a trusted, offline boot medium is stronger still, since the rootkit is then not running at all.

• If a kernel-level rootkit is detected, a complete new OS install from trusted media is needed; nothing the compromised kernel reports can be trusted.
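The cross-view idea above, applied to process lists, as an added example (not RootkitRevealer's code). A process hidden by filtering directory listings of /proc still answers when its /proc/<pid>/stat entry is probed directly, so the two views disagree. The constructed views in `demo()` show the comparison; `linux_pid_views` collects real views on a Linux host (the probe ceiling is an assumption, and the same technique is what the unhide tool uses).

```python
"""Cross-view rootkit check: compare what the OS APIs report with what a
lower-level enumeration sees; anything present in the raw view but missing
from the API view has been hidden.

Added example, not RootkitRevealer's code. The process views in demo() are
constructed; linux_pid_views() is a Linux-only helper (the probe ceiling is
an assumption) that applies the same idea to /proc.
"""
import os


def cross_view_diff(api_view, raw_view):
    """Return entries visible to the raw view but concealed from the API view."""
    return sorted(set(raw_view) - set(api_view))


def linux_pid_views(max_pid=65536):
    """API view: readdir() of /proc (what ps and top rely on).
    Raw view: probe /proc/<pid>/stat for every pid up to max_pid, which
    defeats rootkits that filter /proc directory listings (but not one that
    also hooks stat(); for that, check from a trusted boot medium)."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed = {pid for pid in range(1, max_pid + 1)
              if os.path.exists(f"/proc/{pid}/stat")}
    return listed, probed


def demo():
    # Constructed views: the rootkit has filtered PID 4242 out of the listing.
    api_view = {1, 2, 3, 100, 4243}
    raw_view = {1, 2, 3, 100, 4242, 4243}
    return cross_view_diff(api_view, raw_view)


if __name__ == "__main__":
    print("hidden in constructed sample:", demo())
    if os.path.isdir("/proc"):
        listed, probed = linux_pid_views()
        print("hidden on this host:", cross_view_diff(listed, probed))
```

On a live host the two views are taken a moment apart, so a process that starts or exits in between shows up as a one-off difference; repeat the check and treat only PIDs that are hidden consistently as suspect.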

