Introduction and Overview
CPSC6128 - Network Security 3
Network Security
• Most topics in Computer Science are focused on
- achieving a desired behavior
• Computer and Network Security is focused on
- preventing undesired behavior
• So
- Need to think differently
- Paranoia is actually a good thing!
- The enemy is going to try to find an input or state in your system which allows for a circumvention of protection measures.
Think Differently
• Security Mindset
- What is the system designed to do? What is the proper operation?
  (The system is typically larger than just the computer or network. However, for the purposes of this course we will focus on these parts; the other parts are physical and human behavior.)
- What are the vulnerabilities in the system?
- How can this system be attacked?
- How can the system be defended?
- Is the cost of the defense worth it? Important concept!
CIA - You will see this in many textbooks
• Confidentiality
- keeping information secret
• Integrity
- ensuring that the information is genuine and hasn't been tampered with
• Availability
- ensuring that the system is always available
• Also add Authenticity
- determining the origin of data
- a type of Integrity
- Good way to frame the problem, but security is far more complex.
[Figure: Security Objectives, a triangle with Confidentiality, Integrity and Availability at its corners]
Simplistic View on Password Authentication
[Figure: the system drawn as a single password check]
Reality - Larger System in Play
[Figure: the same password check surrounded by the password recovery prompt ("Prompt for High School"), social networks and social engineering, which the attacker can use to get around the password]
Another Example - Attack on a Wired Magazine Writer (2012)
• The attacker's goal was to take the target's Twitter handle, @mat
• Could directly attack Twitter's authentication, but...
• The attacker found the account holder's personal home page from the Twitter page
• There he found his Gmail address
• Went to Google's account recovery page
• The recovery page showed that he had an alternate email ending in @me.com
• The attacker knew he could recover an @me.com email with just the billing address and the last four digits of the associated credit card
Cont.
• The attacker could get credit card info from a "loophole" in Amazon
- Call Amazon and tell them you are the account holder and want to add a credit card. To do this the attacker just needs the email and billing address of the account holder.
- Got the billing address since the victim had registered a domain name for his website.
- Call back Amazon and indicate you lost access to your email account. Provide name, address and the new credit card number.
- Amazon sends account info to the new email address held by the attacker.
Cont.
• The attacker then could log in and see the last four digits of the original credit card number.
• Went back to Apple and took over the @me and iCloud accounts (which are linked).
• Since @me was the recovery email for Google and Twitter, the attacker now took over those accounts as well.
• Wiped the victim's computer remotely using an iCloud "feature".
• What are the bounds of this security system?
When someone says "Their Network is Secure", what does this mean?
• Definition of Security: "Freedom from Risk or Danger" (Random House Unabridged Dictionary)
• Is it 100% protected against every conceivable threat? No
• Is it impossible to attack and compromise? No
• Most of the time it means: the network has been designed so as to maintain an acceptable level of risk.
Security is an Engineering Trade-off
• The objective is
- typically not to make the system secure against every threat.
• Instead the goal is to
- optimize the security of the system given certain constraints (cost, end user usability, information sensitivity)
Security is an Ongoing Process - not a product
• If a vendor comes to you and says that their "box" will secure your network - run!
• Security requires not only technical countermeasures and tools but processes and procedures.
• Once a tool, process or procedure is put in place, it must be continuously revisited.
• SECURITY IS PRIMARILY ABOUT RISK MANAGEMENT
Some Important Definitions
• Vulnerability
- a weakness or "hole" in software, hardware or a system which would allow an attacker to gain unauthorized access.
• Threat
- Threats typically take advantage of vulnerabilities, such as
- an attacker accessing a SQL database without proper authorization
- a user deleting data by mistake
• Attack
- an attempt to exploit a vulnerability
• Risk
- the probability of the threat taking advantage of the vulnerability
- Risk = ((Threat x Vulnerability) / Countermeasures) x Value
• Countermeasure
- a process, procedure, product or software which mitigates the risk.
Reference: ISC2
[Figure: a Threat Agent gives rise to a Threat, which exploits a Vulnerability, which leads to a Risk, which can damage an Asset and causes an Exposure, which can be mitigated by a Safeguard, which affects the behavior of the Threat Agent]
THREAT MODELING
Threat Modeling
• Understand what the attack goals are
• Understand who the attackers are: What is their motivation? How much funding? Skill level? Aversion to risk?
• Understand what attacks are likely to occur
• Understand the security assumptions of a system
• Understand where to best spend a security budget
STRIDE Model
• Threats are classified into six classes based on their effect:
- Spoofing - Using someone else's credentials to gain access to otherwise inaccessible assets.
- Tampering - Changing data to mount an attack.
- Repudiation - Occurs when a user denies performing an action, but the target of the action has no way to prove otherwise.
- Information disclosure - The disclosure of information to a user who does not have permission to see it.
- Denial of service - Reducing the ability of valid users to access resources.
- Elevation of privilege - Occurs when an unprivileged user gains privileged status.
Threat Trees
• Start with each abstract threat and then iteratively refine the description carefully and gradually
• A collection of threat trees gives you a threat forest
[Figure: a Threat node with Sub-threat children]
Example
[Figure: threat tree for Hospital Computer System Threats. The root splits into Patient Medical Information and Non-Patient Medical Information. Patient Medical Information splits into Life Threatening and Non Life Threatening, each with Disclosure, Integrity and DOS sub-threats; Non-Patient Medical Information splits into Billing and Non-Billing. Leaves are further split by Malicious Developer (MD) vs. Non-Malicious Developer (NMD).]
Using Threat Trees For Risk Calculation
• Relationship between threats can be
- Conjunctive (AND) or
- Disjunctive (OR).
• Nodes
- can be labeled with level of effort, risk, criticality etc.
• Labels
- can be propagated from leaves to root in the obvious manner.
[Figure: an OR node labeled Effort = Moderate whose children are labeled Effort = Moderate and Effort = High; the OR node takes the lower effort of its children]
Ranking Threats - Threat Matrix
Threat     Existence  Capability  History  Intentions  Targeting
Severe         X           X          X         X           X
High           X           X          X         X
Elevated       X           X          X
Guarded        X           X
Low            X
RISK ASSESSMENT
Risk Assessment
• Assessment
- measures the impact of an event, and the probability of an event (threat agent exploiting a vulnerability)
• Quantitative (objective) and Qualitative (subjective) approaches
• Quantitative approach:
- Compute expected monetary value (impact) of loss for all "events"
- Compute the probability of each type of expected loss
• Qualitative approach:
- use Low, Medium, High ratings, or
- other categorical scales
Risk Management
• Accept the risk
- Risk is low but costly to mitigate - worth accepting. Monitor.
• Transfer the risk
- Transfer to somebody else via insurance, warnings etc.
• Remove the risk
- Remove the system component or feature associated with the risk if the feature is not worth the risk.
• Mitigate the risk
- Reduce the risk with countermeasures.
• The understanding of risks
- leads to policies, specifications and requirements
- Appropriate security mechanisms are then developed and implemented
Quantitative - Security Cost Risk Assessment
• Exposure Factor (EF)
- Percentage of asset loss caused by the identified threat
• Single Loss Expectancy (SLE)
- Asset Value * Exposure Factor
• Annualized Rate of Occurrence (ARO)
- Estimated frequency with which a threat will occur within a year
• Annualized Loss Expectancy (ALE)
- Single Loss Expectancy * Annualized Rate of Occurrence
Example:
• Fire Damage to a building:
- Asset Value: value of the building - $750,000
- Single Loss Expectancy (SLE: Asset Value x Exposure Factor) - $250,000 (damage caused by the fire)
- Annualized Rate of Occurrence (ARO) - .05 (5% chance every year that there will be a fire)
- Annualized Loss Expectancy (ALE: $250,000 x .05) = $12,500
• So is a fire alarm system which costs $5000 to install and maintain yearly worth it?
• YES - Fire Alarm Cost < ALE
Network Security Example:
• Credit Card database stolen from an online retailer via SQL injection:
- Asset Value - Here the asset value is a bit nebulous, so it is sometimes better to focus on the SLE
- Single Loss Expectancy (SLE) - If the database is stolen and/or damaged, how much is it going to cost the company in PCI fines, lost business, consulting fees for security, etc.? $1M is not unreasonable for a medium sized retailer.
- Annualized Rate of Occurrence (ARO) - Can get this information from network consulting organizations or your insurance company. 5%
Network Security Example (Cont.)
- Annualized Loss Expectancy (ALE) = $1M x .05 = $50,000
• So does a web firewall which costs $24K make sense? Most likely, YES
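The fire and SQL-injection examples above, and the definitional formula Risk = ((Threat x Vulnerability) / Countermeasures) x Value from the definitions slide, carried through in code. This is an added example, not part of the lecture slides; the numbers are the slides' own, except the residual ARO values (1% and 3%) in the last two scenarios, which are assumptions introduced here to show what happens when a countermeasure only lowers the rate of occurrence rather than removing it.

```python
from typing import Dict


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor. EF is the fraction (0.0 .. 1.0) of the
    asset's value lost in one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year
    (0.05 means one loss event every 20 years on average)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def countermeasure_net_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Yearly value of a countermeasure: the ALE it removes minus what it costs.
    Positive means the countermeasure pays for itself."""
    return (ale_before - ale_after) - annual_cost


def risk_score(threat: float, vulnerability: float, countermeasures: float, value: float) -> float:
    """The lecture's definitional formula:
    Risk = ((Threat x Vulnerability) / Countermeasures) x Value.
    A relative score for ranking risks, not a dollar figure."""
    if countermeasures <= 0:
        raise ValueError("countermeasures must be positive (use 1 for 'none')")
    return (threat * vulnerability / countermeasures) * value


def assess(scenario: str, sle: float, aro: float, annual_cost: float,
           residual_aro: float = 0.0) -> Dict[str, object]:
    """Compare a countermeasure's yearly cost against the ALE it removes.
    residual_aro is the ARO left once the countermeasure is in place; the slides'
    examples implicitly assume 0 (the countermeasure stops the loss entirely)."""
    ale_before = annualized_loss_expectancy(sle, aro)
    ale_after = annualized_loss_expectancy(sle, residual_aro)
    net = countermeasure_net_value(ale_before, ale_after, annual_cost)
    return {"scenario": scenario, "ale_before": ale_before, "ale_after": ale_after,
            "net_value": net, "worth_it": net > 0}


if __name__ == "__main__":
    # Fire example from the slides: building worth $750,000, the fire destroys a third of it.
    fire_sle = single_loss_expectancy(750_000, 1 / 3)          # $250,000
    results = [
        assess("fire alarm, $5K/yr", fire_sle, 0.05, 5_000),
        # SQL injection example from the slides: SLE $1M, ARO 5%, web firewall $24K.
        assess("WAF, stops all SQLi", 1_000_000, 0.05, 24_000),
        # Residual ARO values below are assumptions, not from the slides.
        assess("WAF, cuts ARO to 1%", 1_000_000, 0.05, 24_000, residual_aro=0.01),
        assess("WAF, cuts ARO to 3%", 1_000_000, 0.05, 24_000, residual_aro=0.03),
    ]
    for r in results:
        print(f"{r['scenario']:<22} ALE ${r['ale_before']:>9,.0f} -> ${r['ale_after']:>9,.0f}"
              f"  net ${r['net_value']:>9,.0f}  worth it: {r['worth_it']}")
```

The slides compare the countermeasure's cost with the whole ALE, which is the optimistic case where the control removes the loss entirely. The last two scenarios show the comparison a practitioner actually has to make: the control is worth buying only when the ALE it removes (before minus after) exceeds its yearly cost, and a $24K firewall that merely lowers the ARO from 5% to 3% removes only $20K of expected loss.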
Quantitative: Useful or Not?
• Pros:
- Objective, independent process
- Credibility for audit, management (especially corporate management)
- Solid basis for evaluating cost/benefit of countermeasures
- Quantitative risk assessment is the basis for insurance, risk managed portfolios, etc.
• Cons:
- In most cases, it is difficult to enumerate all types of events and get meaningful data on probability and impact
- Very time consuming, costly to do right
- Many unknowns may give a false sense of control
- Not reliable for "rare" events or "unthinkable" impacts
Qualitative Approach
• Establish classes of loss values ("impact"), such as
- Low, medium, high
- Under $10K, between $10K and $1M, over $1M (used by at least one company)
- Type of loss: compromise of credit card #, compromise of SSN, compromise of highly personal data
- Minor injury, significant injuries, loss of life, large scale loss of life
- Rank ordering
Qualitative Approach (Cont.)
• Establish classes of likelihood of compromise
- Low, medium, high likelihood
• Decide on a risk management approach to
- each combination of (class of loss, likelihood of loss)
• Focus on
- medium to high loss and/or medium to high likelihood items
Qualitative Approach
• DoD classified information:
- CONFIDENTIAL - "shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security"
- SECRET - "shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security"
- TOP SECRET - "shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security"
THINK LIKE AN ATTACKER
Attack Tree
• Another way to visualize the current security posture of a system
• Helps to identify the most vulnerable areas of the system and where to apply resources.
• A method of building a database which describes the security state of the system
Attack Tree - How does it Work?
• Represents the attacks and countermeasures as part of a tree structure
• The root node is the goal of the attack. In a complex system there are probably many root nodes or goals.
• Leaf nodes are the attacks
Basic Attack Tree - Example
[Figure: a basic attack tree]
AND Nodes / OR Nodes
• "OR" nodes represent different ways of achieving the same goal
- Example: to break into a house you can pick the lock or break the window
• "AND" nodes represent different steps in achieving a single outcome
- Example: to enter a window you need to break the window AND climb through the opening.
Boolean Node Values
• Once the tree is created, Boolean values can be assigned to each node.
• Example: probable vs. improbable, possible vs. impossible
Possible vs. Impossible Node Values
[Figure: the example attack tree with each node labeled possible or impossible]
Other Possible Boolean Node Values
• Easy vs. Not Easy
• Expensive vs. Not Expensive
• Intrusive vs. Non-Intrusive
• Legal vs. Illegal
Special Equipment Needed
[Figure: the example attack tree with each node labeled by whether special equipment is needed]
Continuous Node Values
• Cost in $ to attack or defend
• Time cost to achieve goal
• Cost in resources to attack or defend
Cost of an Attack
Cheapest Attack
Attacks Less than $100K
Cheapest Attack Requiring No Special Equipment
Applying a Countermeasure - Cheapest NSE now $60K? (20K)
[Figure slides: each of the titles above shows the example attack tree annotated with the corresponding cost values]
Tree Construction
1) Identify attack goals. Each goal is a separate attack tree.
2) Identify attacks against these goals.
3) A database of attack trees can be developed and reused (plugged in).
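The AND/OR propagation described for threat trees (effort labels propagated from leaves to root) and the attack-tree slides (Boolean and continuous node values, cheapest attack, attacks under a budget, cheapest attack requiring no special equipment, and re-evaluating after a countermeasure) are the same computation, worked here in one added example. This is not code from the lecture; the tree is the slides' house example (pick the lock OR break the window AND climb through), and every cost, equipment flag and the extra leaves are constructed values chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional


@dataclass
class Node:
    """Attack-tree node. Leaves are the attacks and carry the values; AND/OR nodes combine children."""
    name: str
    kind: str = "LEAF"                  # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0                   # continuous value: attacker's cost in $
    possible: bool = True               # Boolean value: possible vs. impossible
    special_equipment: bool = False     # Boolean value: special equipment needed


def is_possible(node: Node) -> bool:
    """Boolean propagation: an AND node needs every child possible, an OR node needs any."""
    if node.kind == "LEAF":
        return node.possible
    results = [is_possible(c) for c in node.children]
    return all(results) if node.kind == "AND" else any(results)


def min_cost(node: Node) -> Optional[float]:
    """Continuous propagation (same rule as effort labels on a threat tree):
    an AND node sums its children, an OR node takes its cheapest child. None = impossible."""
    if node.kind == "LEAF":
        return node.cost if node.possible else None
    costs = [min_cost(c) for c in node.children]
    if node.kind == "AND":
        return None if any(c is None for c in costs) else sum(costs)
    feasible = [c for c in costs if c is not None]
    return min(feasible) if feasible else None


def attack_paths(node: Node) -> List[List[Node]]:
    """Every possible attack on the goal, as the list of leaf attacks it is made of."""
    if node.kind == "LEAF":
        return [[node]] if node.possible else []
    if node.kind == "OR":
        return [p for c in node.children for p in attack_paths(c)]
    paths: List[List[Node]] = [[]]       # AND: one path from each child, combined
    for c in node.children:
        paths = [p + q for p in paths for q in attack_paths(c)]
    return paths


def path_cost(path: List[Node]) -> float:
    return sum(leaf.cost for leaf in path)


def needs_special_equipment(path: List[Node]) -> bool:
    return any(leaf.special_equipment for leaf in path)


def attacks_within_budget(root: Node, budget: float) -> List[List[Node]]:
    return [p for p in attack_paths(root) if path_cost(p) <= budget]


def cheapest_attack(root: Node, *, no_special_equipment: bool = False) -> Optional[List[Node]]:
    """Cheapest attack, optionally restricted to attacks that need no special equipment."""
    paths = attack_paths(root)
    if no_special_equipment:
        paths = [p for p in paths if not needs_special_equipment(p)]
    return min(paths, key=path_cost) if paths else None


def walk(node: Node) -> Iterator[Node]:
    yield node
    for c in node.children:
        yield from walk(c)


def apply_countermeasure(root: Node, leaf_name: str, *, new_cost: Optional[float] = None,
                         impossible: bool = False) -> Node:
    """Model a defence by raising a leaf attack's cost or making it impossible, then re-evaluate."""
    for n in walk(root):
        if n.kind == "LEAF" and n.name == leaf_name:
            if new_cost is not None:
                n.cost = new_cost
            if impossible:
                n.possible = False
            return n
    raise KeyError(f"no leaf named {leaf_name!r}")


def build_sample_tree() -> Node:
    """The slides' house example; all costs and flags are constructed for illustration."""
    return Node("Gain entry to the building", "OR", [
        Node("Pick front-door lock", cost=30_000, special_equipment=True),
        Node("Enter through window", "AND", [
            Node("Break window", cost=1_000),
            Node("Climb through opening", cost=500),
        ]),
        Node("Bribe employee for a key", cost=60_000),
        Node("Tunnel in from adjacent lot", cost=150_000, special_equipment=True),
    ])


if __name__ == "__main__":
    root = build_sample_tree()
    names = lambda p: "none" if p is None else f"{[n.name for n in p]} ${path_cost(p):,.0f}"
    print("goal possible:", is_possible(root), "| cheapest $:", min_cost(root))
    print("cheapest attack:", names(cheapest_attack(root)))
    print("attacks under $100K:", len(attacks_within_budget(root, 100_000)))
    print("cheapest, no special equipment:", names(cheapest_attack(root, no_special_equipment=True)))
    apply_countermeasure(root, "Break window", impossible=True)   # e.g. bars fitted on the window
    print("after countermeasure, cheapest NSE:", names(cheapest_attack(root, no_special_equipment=True)))
```

Before the countermeasure the cheapest attack is the window ($1,500, no special equipment); once "Break window" is made impossible, the whole AND subtree drops out, the cheapest attack becomes picking the lock ($30,000, special equipment) and the cheapest attack needing no special equipment becomes the bribe ($60,000), which is the kind of shift the "Applying a Countermeasure" slide is asking about.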
Example - ACME Enterprises
ACME High Level Attack Tree
ACME - Expansion of Node
[Figure slides: the ACME Enterprises attack tree and the expansion of one of its nodes]
CURRENT STATE OF NETWORK SECURITY
Malicious Code Evolution
[Table: the stages Probe, Penetrate, Persist, Propagate and Paralyze for each worm, rebuilt below one worm at a time]
Morris (1988)
- Probe: Scan for Fingerd
- Penetrate: Buffer Overflow in Fingerd
- Persist: Execute Script to Download Code
- Propagate: Look for Addresses and Spread to New Victim
- Paralyze: Lots of Processes Slow System
Love Bug (2000)
- Probe: N/A
- Penetrate: Arrive as Email Attachment
- Persist: Create Executables and Edit Registry
- Propagate: Open Address Book and Email Copies
- Paralyze: Worm Spreads
Code Red (2001)
- Probe: Scan for IIS
- Penetrate: Buffer Overflow in IIS
- Persist: Execute Script to Download Code
- Propagate: Pick New Addresses and Spread to New Victim
- Paralyze: Lots of Threads Slow System
Slammer (2003)
- Probe: N/A
- Penetrate: Buffer Overflow in SQL and MSDE
- Persist: N/A
- Propagate: Pick New Addresses and Spread to New Victim
- Paralyze: Lots of Packets Slow Network
MyDoom (2004)
- Probe: N/A
- Penetrate: Arrive as Email Attachment
- Persist: Create Executables and Edit Registry
- Propagate: Open Address Book and Email Copies
- Paralyze: Worm Spreads
Zotob (2005)
- Probe: Scan for MS Directory Services
- Penetrate: Buffer Overflow in UPNP Service
- Persist: Create Files, Edit Registry, Download Code
- Propagate: FTP and TFTP Services, Search for Addresses and Spread to New Victim
- Paralyze: Delete Registry Keys and Files, Terminate Processes
RPC DNS (2007)
- Probe: Scan for Endpoint Mapper
- Penetrate: Buffer Overflow in RPC Service
- Persist: Execute Payload to Download Code
- Propagate: Look for Addresses and Spread to New Victim
- Paralyze: Worm/Trojan Spreads
MS08-067 (2008)
- Probe: Scan for MS Directory Services
- Penetrate: Buffer Overflow in Server Service; Mapped and Removable Drives
- Persist: Create Files, Modify Registry, Download Code, DNS Hooking, Kill Processes, Hot Patch
- Propagate: Peer-to-Peer C&C, HTTP C&C, Network Share, Web Listener
- Paralyze: Worm Spreads
Changing Motivation
[Figure: timeline 2002-2013 showing attacker motivation shifting from Notoriety to Fame, to Money/Organized Crime, to Nation States; examples placed along the timeline include SQL Slammer, Netsky, Bagle, MyDoom, Zotob, Conficker and Stuxnet]
Bots for Sale $$$
[Figure slide]
CyberWarfare/Hacktivism
• 2007 - Estonian Cyberwar: Estonian government, banking, and media websites attacked
• 2008 - Russian-Georgian Conflict: Georgian government websites defaced or shut down. Attacks sourced from US and Russia
• 2008-2009 - Kyrgyzstan ISPs hit by DDoS attack
• 2008-2009 - Whitehouse attacks: unclassified emails exfiltrated through servers in Russia and China
• 2008-2009 - JSF breach: terabytes of JSF design and electronics systems stolen
• 2008-2009 - US power grid penetrated
• 2010 - Google attack
• Future conflicts more likely to include an Internet component
• Botnet activity likely to increase during conflicts
• Cyber-commands forming to counter the threat
Need to Stay Current!
• Infragard - http://www.nym-infragard.us
• High Technology Crime Investigation Association - http://www.htcia.org/
• NY/NJ Electronic Crimes Task Force - http://www.secretservice.gov/ectf_newyork.shtml
• IEEE - Security and Privacy Magazine
Next Class
• Attack Methods Part 1