
SECU 2101 Lecture 1

Date post: 03-Mar-2015

Lecture 1: Introduction to Computer Security

Mrs Z.Codabux-Rossan

Outline

• Introduction
• Security Timeline
• Computer Security
• Security Approaches
• Goals of Computer Security
• Security Attacks
• Popular Threats and Attacks
• Types of Attackers

Is there a Security Crisis?

• Almost every month ...
  - A high-profile case of computer security failure is reported in the media. This gives the impression that security problems are prevalent.
  - Viruses and worms spread on the Internet; cyber-terrorism (e.g. sabotage, website defacement and denial of service); industrial espionage (hacking corporate networks), etc.
• ... But the high frequency of security faults and incidents reported, e.g. on BugTraq and CERT, testifies to many security problems in widely deployed systems.

[Figure not preserved. Source: CERT]

Computer Security Losses – 2006

[Figure not preserved: CSI/FBI Computer Crime and Security Survey (2006)]

Computer Security Losses – 2008

CSI/FBI Computer Crime and Security Survey (2008)

• Virus – 50%
• Insider abuse – 44%
• Laptop theft – 42%
• Unauthorized access – 29%

Computer Security Losses – 2009

• Financial fraud (19.5%, over 12% in 2008)
• Malware infection (64.3%, over 50% in 2008)
• Denials of service (29.2%, over 21% in 2008)
• Password sniffing (17.3%, over 9% in 2008)
• Web site defacement (13.5%, over 6% in 2008)
• Wireless exploits (7.6%, down from 14% in 2008)
• Instant messaging abuse (7.6%, down from 21%)

Question

Malware (malicious software) includes computer viruses, worms, Trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious and unwanted software or programs.

Define underlined key terms.

Answer

Scareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics. A tactic frequently used by criminals involves convincing users that a virus has infected their computer, then suggesting that they download (and pay for) fake antivirus software to remove it. Usually the virus is entirely fictional and the software is non-functional or malware itself.

Spyware is software that installs components on a computer for the purpose of recording Web surfing habits (primarily for marketing purposes). Spyware sends this information to its author or to other interested parties when the computer is online. Spyware often downloads with items identified as 'free downloads' and does not notify the user of its existence or ask for permission to install the components.

Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla Firefox. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance.

Crimeware is designed to perpetrate identity theft in order to access a computer user's online accounts at financial services companies and online retailers for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the thief controlling the crimeware. Crimeware also often has the intent to export confidential or sensitive information from a network for financial exploitation.

Security Technologies Used

[Figure not preserved: CSI/FBI Computer Crime and Security Survey (2008)]

Security Timeline

• Security attacks began in the 1950s, and security mechanisms have been designed for operating systems since the beginning.
• Early attackers were near the machines.
• Now the Internet allows millions of anonymous attackers to target any connected system.

Security Timeline: 1960–1970

• 1960 Memory protection hardware: partitioning, virtual memory.
• 1962 File access controls in multiple-access systems.
• 1967 One-way functions to protect passwords.
• 1968 Multics security kernel (BLP model).
• 1969–89 ARPANET Internet; TCP/IP in 1977. Infamously, ARPANET was built to withstand nuclear attack but was nearly crippled in 1988 by the Morris Internet Worm. ARPANET assumed centralised administration which no longer applies in the Internet: a dramatic example of a change in environment invalidating security.

Security Timeline: 1970–1990

• 1975 Unix-Unix copy protocol (UUCP) and mail trapdoors.
• 1976 Public-key cryptography and digital signatures.
• 1978 RSA public-key cryptosystem.
• 1978 First vulnerability study of passwords (intelligent search).
• 1978 E-cash protocols invented by David Chaum.
• 1983 Distributed domain naming system (DNS), vulnerable to spoofing.
• 1984 Viruses receive attention of researchers.
• 1985 Advanced password schemes.
• 1986 Wily hacker attack (Clifford Stoll’s “Stalking...”).
• 1988 Internet Worm: 6,000 computers (10% of Internet).
• 1988 Distributed authentication realised in Kerberos.
• 1989 Pretty Good Privacy (PGP) and Privacy Enhanced Mail (PEM).

Security Timeline: 1990–2000

• 1990 Anonymous remailers (protocols prevent tracing).
• 1993 Packet spoofing; firewalls; network sniffing.
• 1994 Netscape designs SSL v1.0 (revised 1995).
• 1996 SYN flooding. Java exploits. Web-site hacking.
• 1997 DNSSec security extension for DNS proposed.
• 1998 Script kiddies’ scanner tools. IPSec proposals.
• 1999 First DDoS attacks. DVD encryption broken.
• 2000 VBscript worm ILOVEYOU (0.5 – 8 million infections). Cult of the Dead Cow’s Back Orifice 2000 Trojan.

Security Timeline: 2000 – Date

• 2001 Code Red, Nimda worm infects Microsoft IIS.
• 2002 Palladium; chipped XBox blocked from online play.
• 2003 W32/Blaster worm. Debian and FSF are cracked.
• 2004 First mobile phone virus Cabir.
• 2005 Flaws in SHA-1. Sony’s “rootkit” with broken DRM.
• 2006 RFID cracks. Microsoft Vista released; vulnerabilities discovered.
• 2007 Data breaches: TJX Inc (94m), UK HMRC (24m). iPhone released & cracked.
• 2008 Kaminsky discovers major DNS flaws. CIA reports power utility cyber-extortion. Oyster Cards cloned and UK e-passports faked.

• 2009
  - Conficker virus
  - iPhone worm
  - DoS attacks on social networks (Twitter, Facebook)
  - Numerous data breaches
  - Hacktivism
  - TJX Hacker indicted
  - BT & Phorm
  - “Privacy” at Facebook, Google, ...
  - Cloud computing

Computer Security

• Security is about protecting assets.
• Computer Security concerns assets of computer systems: the information and services they provide.
• Just as real-world physical security systems vary in their security provision (e.g., a building may be secure against certain kinds of attack, but not all), so computer security systems provide different kinds and amounts of security.

• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Source: NIST Computer Security Handbook [NIST95]

Security Infrastructure

• Policies – define how a company approaches security, how employees should handle security, and how certain situations should be addressed.
• People – the weakest link. Most corporate security relies on the password a user chooses, which is easy to crack.
• Technology – the means to implement the policies.

Security Approaches

• Data security
  - Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled.
• Computer security
  - The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.
• Network security
  - Protecting the network and the network-accessible resources from unauthorized access, with consistent and continuous monitoring and measurement of its effectiveness.

Goals of Security

• Prevention
  - Prevent attackers from violating security policy
• Detection
  - Detect attackers’ violation of security policy
• Recovery
  - Stop attack, assess and repair damage
  - Continue to function correctly even if attack succeeds

Components of Computer Security

• Confidentiality
  - Avoidance of the unauthorized disclosure of information.
  - E.g. using cryptography
• Integrity
  - The property that information has not been altered in an unauthorized way.
  - E.g. using digital signature
• Availability
  - Ensuring timely and reliable access to and use of information.
  - Denial of service attacks are attempts to block availability.

• Authenticity
  - The property of being genuine and being able to be verified and trusted; assurance that the communicating entity is the one claimed
  - Confidence in the validity of a transmission, a message, or message originator
• Accountability
  - Ability to track or audit what an individual or entity is doing on a network/system
• Non-Repudiation
  - Neither the sender nor the receiver of a message is able to deny the transmission

Examples of Security Requirements

1. Confidentiality – student grades

2. Integrity – patient information

3. Availability – authentication service

• Confidentiality
  - Student grade information is an asset whose confidentiality is considered to be highly important by students. Grade information should only be available to students, their parents, and employees that require the information to do their job.
  - Student enrollment information may have a moderate confidentiality rating. This information is seen by more people on a daily basis, is less likely to be targeted than grade information, and results in less damage if disclosed.
  - Directory information, such as lists of students or faculty or departmental lists, may be assigned a low confidentiality rating or indeed no rating. This information is typically freely available to the public and published on a school's Web site.

• Integrity
  - Consider a hospital patient's allergy information stored in a database. The doctor should be able to trust that the information is correct and current. Now suppose that an employee (e.g., a nurse) who is authorized to view and update this information deliberately falsifies the data to cause harm to the hospital. The database needs to be restored to a trusted basis quickly, and it should be possible to trace the error back to the person responsible.
  - Patient allergy information is an example of an asset with a high requirement for integrity.
  - Inaccurate information could result in serious harm or death to a patient and expose the hospital to massive liability.
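The integrity scenario above asks for two things: restoring the record to a trusted basis and tracing a change back to the person responsible. The following Python sketch is an added example, not part of the lecture; the class, the user names and the sample values are constructed for illustration, and it assumes every update goes through an append-only, hash-chained change log.

```python
import hashlib
import json


def _digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one log entry."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class AuditedRecord:
    """Append-only change log for one field; each entry commits to the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.log = []

    def update(self, user: str, value: str) -> None:
        """Record who set which value, chained to the hash of the previous entry."""
        prev = self.log[-1]["hash"] if self.log else self.GENESIS
        entry = {"n": len(self.log), "user": user, "value": value, "prev": prev}
        entry["hash"] = _digest(entry)  # hash covers n, user, value and prev
        self.log.append(entry)

    def verify(self) -> bool:
        """True only if no logged entry was altered, removed or reordered."""
        prev = self.GENESIS
        for n, entry in enumerate(self.log):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["n"] != n or entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True

    def current(self) -> str:
        return self.log[-1]["value"]

    def who_set(self, value: str) -> list:
        """Accountability: every user who ever wrote this value."""
        return [e["user"] for e in self.log if e["value"] == value]

    def restore(self, trusted_n: int, by: str) -> None:
        """Recovery: re-assert a trusted earlier value as a new, attributed entry."""
        self.update(by, self.log[trusted_n]["value"])


def demo_audit():
    rec = AuditedRecord()
    rec.update("dr_a", "penicillin")      # constructed sample data
    rec.update("nurse_b", "none")         # falsification by an authorized user
    culprit = rec.who_set("none")         # trace the change to its author
    rec.restore(0, by="dr_a")             # return to the trusted value
    intact = rec.verify()
    rec.log[1]["user"] = "someone_else"   # later attempt to rewrite history
    return culprit, rec.current(), intact, rec.verify()


if __name__ == "__main__":
    print(demo_audit())
```

The chain only detects rewriting if the latest hash is also kept somewhere the insider cannot change, since anyone who can rewrite the whole log can recompute every hash.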

• Availability
  - The more critical a component or service, the higher is the level of availability required. Consider a system that provides authentication services for critical systems, applications, and devices.
  - An interruption of service results in the inability for customers to access computing resources and staff to access the resources they need to perform critical tasks.
  - The loss of the service translates into a large financial loss in lost employee productivity and potential customer loss.

Aspects of Security

• Security attack - Any action that compromises the security of information owned by an organization.
• Security mechanism - A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
• Security service - A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

• Threat - A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
• Attack - An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.
• Vulnerability - An inherent weakness in design, configuration, implementation or management of a network or system that renders it susceptible to a threat.

Types of Attacks

• Interception – an unauthorized party gains access to an asset
  - loss of confidentiality
• Fabrication – an intruder inserts a spurious message into a communication or adds records to a database
  - absence of proper authentication
• Modification – an unauthorized party gains access to and tampers with an asset
  - loss of message integrity
• Interruption – an asset is lost, unavailable or unusable
  - availability of resources in danger

Passive Attacks

• A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
• The goal of the opponent is to obtain information that is being transmitted.
• Two types of passive attacks are:
  - Release of message contents
  - Traffic analysis: monitoring traffic flow to determine the location and identity of communicating hosts and to observe the frequency and length of messages being exchanged
• These attacks are difficult to detect because they do not involve any alteration of the data.

Active Attacks

• Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:
  - masquerade of one entity as some other (impersonation)
  - replay of previous messages
  - modification/alteration of (part of) messages in transit to produce an unauthorized effect
  - denial of service: prevents or inhibits the normal use or management of communications facilities
• Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success.
  - On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities.
• Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.
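Since the goal stated above is to detect active attacks, the following Python sketch shows a receiver that recognises three of the four categories (masquerade, replay and modification) on a message channel. It is an added example, not part of the lecture: the message layout, the sender names and the demo key are constructed, and it assumes each legitimate sender shares a secret key with the receiver.

```python
import hashlib
import hmac
import json

# Constructed demo key: one shared secret per known sender (assumption).
KEYS = {"alice": b"constructed-demo-key-for-alice-0001"}


def seal(sender: str, seq: int, body: str, key: bytes) -> dict:
    """Sender side: bind sender, sequence number and body under one MAC."""
    payload = json.dumps({"sender": sender, "seq": seq, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver side: accept a message or name the active attack it looks like."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per sender

    def accept(self, msg: dict) -> str:
        try:
            fields = json.loads(msg["payload"])
            sender, seq = fields["sender"], int(fields["seq"])
        except (KeyError, ValueError, TypeError):
            return "rejected: malformed"
        key = self.keys.get(sender)
        if key is None:
            return "rejected: masquerade (unknown sender)"
        expected = hmac.new(key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        received = str(msg.get("tag", ""))
        # Constant-time comparison; a wrong key or any changed byte fails here.
        if not hmac.compare_digest(expected.encode(), received.encode()):
            return "rejected: modified or forged (MAC mismatch)"
        # The MAC is valid, so the only remaining question is freshness.
        if seq <= self.last_seq.get(sender, -1):
            return "rejected: replay (stale sequence number)"
        self.last_seq[sender] = seq
        return "accepted"


def demo_channel() -> list:
    rx = Receiver(KEYS)
    genuine = seal("alice", 1, "transfer 10 to bob", KEYS["alice"])
    # Modification in transit: payload changed, tag left as it was.
    tampered = dict(genuine, payload=genuine["payload"].replace("10", "9000"))
    # Masquerade as a known sender without knowing that sender's key.
    forged = seal("alice", 2, "transfer 500 to eve", b"not-the-real-key")
    follow_up = seal("alice", 2, "next message", KEYS["alice"])
    return [
        rx.accept(genuine),    # first delivery
        rx.accept(genuine),    # same message delivered again
        rx.accept(tampered),
        rx.accept(forged),
        rx.accept(follow_up),  # legitimate traffic continues afterwards
    ]


if __name__ == "__main__":
    for verdict in demo_channel():
        print(verdict)
```

The MAC and sequence number do nothing against the fourth category, denial of service, or against passive eavesdropping, which needs encryption.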

Popular Threats and Attacks

• Eavesdropping: the interception of information intended for someone else during its transmission over a communication channel.
• Computers could be protected from eavesdropping by using strong encryption techniques and secure procedures to communicate with servers like SSL.

[Figure not preserved; labels: A, B, Eavesdropper]

• Alteration/Modification: unauthorized modification of information.
• Example: the man-in-the-middle attack, where a network stream is intercepted, modified, and retransmitted.

• Denial-of-service: the interruption or degradation of a data service or information access.
• Example: email spam, to the degree that it is meant to simply fill up a mail queue and slow down an email server.
• Methods to launch DoS:
  - Buffer overflows
  - SYN attacks
  - Teardrop attacks
  - Ping of death attack
  - Smurf attack
  - Land attack

Question

Distinguish between

• Buffer overflows
• SYN attacks
• Teardrop attacks
• Ping of death attack
• Smurf attack
• Land attack

Popular Threats and Attacks

• Repudiation: the denial of a commitment or data receipt.
• This involves an attempt to back out of a contract or a protocol that requires the different parties to provide receipts acknowledging that data has been received.

• Masquerading/Spoofing: the fabrication of information that is supposed to be from someone who is not actually the author.

• Correlation and traceback: the integration of multiple data sources and information flows to determine the source of a particular data stream or piece of information.

Malicious Software

[Figure not preserved; surviving label: "Activated by a trigger"]

Backdoor or Trapdoor

• Secret entry point into a program
• Allows those who are aware of it to gain access, bypassing usual security procedures
• Has been commonly used by developers
  - to debug and test programs
• But a threat when left in production programs, where it can be exploited by attackers
• Very hard to block in the O/S
• Requires good s/w development & software update activities.

Logic Bomb

• One of the oldest types of malicious software
• Code embedded in a legitimate program
• Activated when specified conditions are met
  - e.g. presence/absence of some file
  - particular date/time
  - particular user
• When triggered, typically damages the system
  - modify/delete files/disks, halt machine, etc.

Trojan Horse

• Program with hidden side-effects
• Which is usually superficially attractive
  - e.g. game, utility, s/w upgrade etc.
• When run, performs some additional tasks
  - allows attacker to indirectly gain access they do not have directly
• Often used to propagate a virus/worm or install a backdoor
• Or simply to destroy data

Threat Trends

• Trojans currently have largest infection potential
• Often exploit browser vulnerabilities
• Typically used to download other malware in multi-stage attacks

Source: Symantec Internet Security Threat Report, April 2009

Viruses

• Piece of software that infects programs
• By modifying them to include a copy of the virus (attaches itself to the program)
  - so it executes secretly when the host program is run
• Once a virus is executing, it can perform any function, such as erasing files and programs.
• Specific to operating system and hardware
  - taking advantage of their details and weaknesses

Phases of a virus

• Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
• Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
• Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
• Execution phase: The function is performed, which may be harmless, e.g. a message on the screen, or damaging, e.g. the destruction of programs and data files.

Worms

• Replicating program that propagates over networks
  - using email, remote exec, remote login
• Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.
• Has phases like a virus:
  - dormant, propagation, triggering, execution
  - propagation phase: searches for other systems, connects to them, copies itself to them and runs
• May disguise itself as a system process
• First implemented by Xerox Palo Alto labs in the 1980s

Distributed Denial of Service Attacks (DDoS)

• Distributed Denial of Service (DDoS) attacks form a significant security threat to corporations
• Making networked systems unavailable
• By “flooding” with useless traffic so that legitimate users can no longer gain access to those resources
• Using large numbers of “zombies” (compromised hosts)
• Growing sophistication of attacks in recent years
• More difficult to trace to the real attackers
• Defense technologies struggling to cope

*flooding – sending more data/packets to a resource than it can handle

Other Techniques

• Vulnerability scanner
  - A vulnerability scanner is a tool used to quickly check computers on a network for known weaknesses.
  - Hackers also commonly use port scanners. These check to see which ports on a specified computer are "open" or available to access the computer, and sometimes will detect what program or service is listening on that port, and its version number.
• Password cracking
  - Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password.
• Packet sniffer
  - A packet sniffer is an application that captures data packets, which can be used to capture passwords and other data in transit over the network.

• Spoofing attack
  - A spoofing attack involves one program, system, or website successfully masquerading as another by falsifying data and thereby being treated as a trusted system by a user or another program.
  - The purpose of this is usually to fool programs, systems, or users into revealing confidential information, such as user names and passwords, to the attacker.
• Rootkit
  - A rootkit is designed to conceal the compromise of a computer's security, and can represent any of a set of programs which work to subvert control of an operating system from its legitimate operators. Usually, a rootkit will obscure its installation and attempt to prevent its removal through a subversion of standard system security. Rootkits may include replacements for system binaries so that it becomes impossible for the legitimate user to detect the presence of the intruder on the system by looking at process tables.

• Social engineering
  - Social engineering is the art of getting persons to reveal sensitive information about a system. This is usually done by impersonating someone or by convincing people to believe you have permissions to obtain such information.
• Key loggers
  - A key logger is a tool designed to record ('log') every keystroke on an affected machine for later retrieval. Its purpose is usually to allow the user of this tool to gain access to confidential information typed on the affected machine, such as a user's password or other private data.
  - Some key loggers use virus-, trojan-, and rootkit-like methods to remain active and hidden.
  - However, some key loggers are used in legitimate ways and sometimes to even enhance computer security. As an example, a business might have a key logger on a computer used at a Point of Sale and data collected by the key logger could be used for catching employee fraud.

Question

What is the difference between a virus, a worm and a trojan horse?

Answer

• A computer virus attaches itself to a program or file enabling it to spread from one computer to another, leaving infections as it travels. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it actually cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments in the e-mail.

• A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book.

• The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because it appears to be legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

Types of Attackers

• Hackers
• White hats
• Black hats
• Gray hats
• Blue hats
• Script kiddies
• Neophyte
• Hacktivist

• White hat
  - A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. Often, this type of 'white hat' hacker is called an ethical hacker.
• Black hat
  - A black hat hacker, sometimes called a cracker, is someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for malicious reasons such as vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.
• Grey hat
  - A grey hat hacker is a combination of a Black Hat and a White Hat Hacker. A Grey Hat Hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has been hacked, for example. Then they may offer to repair their system for a small fee.
• Blue hat
  - A blue hat hacker is someone outside computer security consulting firms who is used to bug test a system prior to its launch, looking for exploits so they can be closed.

• Script kiddie
  - A script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept.
• Neophyte
  - A neophyte, or "newbie", is someone who is new to hacking and has almost no knowledge or experience of the workings of technology and hacking.
• Hacktivist
  - A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks. In more extreme cases, hacktivism is used as a tool for cyberterrorism.

Questions

Suppose the author of an online banking software system has programmed in a secret feature so that the program emails him the account information for any account whose balance has just gone over $10,000.

What kind of attack is this and what are some of its risks?


1. Enciphering an income tax return will prevent anyone from reading it. If the owner needs to see the return, it must be deciphered. Only the possessor of the cryptographic key can enter it into a deciphering program. However, if someone else can read the key when it is entered into the program, the --------------- of the tax return has been compromised.

2. A newspaper may print information obtained from a leak at the White House but attribute it to the wrong source. The information is printed as received (preserving ----------------), but its source is incorrect (corrupting ----------------------).

3. Suppose Anne has compromised a bank's secondary system server, which supplies bank account balances. When anyone else asks that server for information, Anne can supply any information she desires. Merchants validate checks by contacting the bank's primary balance server. If a merchant gets no response, the secondary server will be asked to supply the data. Anne's colleague prevents merchants from contacting the primary balance server, so all merchant queries go to the secondary server. Anne will never have a check turned down, regardless of her actual account balance. Notice that if the bank had only one server (the primary one), this scheme would not work. The merchant would be unable to validate the check. ---------------

What security concept is being compromised in each scenario?

