Date posted: 14-Nov-2014
Category: Education
Uploaded by: reddhi-basu
SYSTEM SECURITY
Presented by
Antarleena Sikdar [530]
Reddhi Basu [559]
Anjan Karmakar [562]
The Security Problem & User Authentication
The Security Problem
Protection is strictly an internal problem. Security, on the other hand, requires not only an adequate protection system but also consideration of the external environment within which the system operates. We say that a system is secure if its resources are used and accessed as intended under all circumstances. Unfortunately, total security cannot be achieved. Nonetheless, we must have mechanisms to make security breaches a rare occurrence rather than the norm.
Security violations of the system can be categorized as intentional or accidental.
It is easier to protect against accidental misuse than against intentional misuse.
A few terms
Intruder and cracker: those attempting to breach security. Threat: the potential for a security violation, such as the discovery of a vulnerability. Attack: the attempt to break security.
Several forms of intentional and accidental security violations:
Breach of confidentiality: this type of violation involves unauthorized reading of data or theft of information. Capturing secret data from a system or a data stream, such as credit card information or identity information for identity theft, can result directly in money for the intruder.
Breach of integrity: this violation involves unauthorized modification of data. Such attacks can, for example, result in passing liability to an innocent party or in modification of the source code of an important commercial application.
Breach of availability: this violation involves unauthorized destruction of data. Web-site defacement is a common example of this type of security breach.
Theft of service: this violation involves unauthorized use of resources.
Denial of service: this violation involves preventing legitimate use of the system. These attacks are sometimes accidental.
Methods for breaching security
Attackers use several methods in their attempts to breach security.
A. The most common is masquerading, in which one participant in a communication pretends to be someone else (another host or a person). By masquerading, attackers breach authentication (the correctness of identification); they can gain access that they would not normally be allowed, or escalate their privileges (obtain privileges to which they would not normally be entitled).
B. Another common attack is to replay a captured exchange of data. A replay attack consists of the malicious or fraudulent repeat of a valid data transmission. Sometimes the replay constitutes the entire attack, for example a repeat of a request to transfer money. But frequently it is combined with message modification, again to escalate privileges. The usual defence is to make every exchange unique, with a fresh random challenge, a sequence number, or a timestamp that the receiver checks before acting.
C. Yet another kind of attack is the man-in-the-middle attack, in which the attacker sits in the data flow of a communication, masquerading as the sender to the receiver and vice versa. In a network communication, a man-in-the-middle attack may be preceded by a session hijacking, in which an active communication session is intercepted.
To protect a system, we must take security measures at four levels:
1) Physical: the site or sites containing the computer systems must be physically secured against armed or surreptitious entry by intruders.
2) Human: authorization must be done carefully to assure that only appropriate users have access to the system.
3) Operating system: the system must protect itself from accidental or purposeful security breaches.
4) Network: much computer data in modern systems travels over private leased lines, shared lines like the Internet, wireless connections, or dial-up lines. Intercepting these data could be just as harmful as breaking into a computer, and interruption of communications could constitute a remote denial-of-service attack, diminishing users' use of and trust in the system.
User Authentication
If a system cannot authenticate a user, then authenticating that a message came from the user is pointless. Thus a major security problem for operating systems is user authentication. So how do we determine whether a user's identity is authentic?
Generally, user authentication is based on one or more of three things:
1) The user's possession of something: a card or a key.
2) The user's knowledge of something: a user identifier and a password.
3) An attribute of the user: fingerprint, retina pattern, or signature.
Authentication using Passwords
The most common approach to authenticate a user's identity is the use of passwords. When the user identifies himself by user ID or account name, he is asked for a password. If the user-supplied password matches the password stored in the system, the system assumes that the account is being accessed by the owner of the account.
Different passwords may be associated with different access rights. But in practice most systems require only one password for a user to gain full rights.
Passwords [Contd]
Unfortunately, passwords can often be guessed, accidentally exposed, sniffed, or illegally transferred from an authorized user to an unauthorized one.
Password Vulnerabilities
There are two common ways to guess a password, and a third way in which a password is exposed without being guessed at all.
1. One way is for the intruder to know the user or to have information about the user. All too frequently, people use obvious information as their passwords.
2. The other way is brute force: trying enumeration of all possible combinations of valid password characters until the password is found. Short passwords are especially vulnerable to this method. Enumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with numbers and punctuation characters.
3. Passwords can also be exposed as a result of visual or electronic monitoring.
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computer. The UNIX system avoids the need to keep its password list secret by storing not the passwords themselves but the output of a one-way function applied to them (historically described as "encrypting" the password).
Each user has a password. The system contains a function that is extremely difficult (ideally impossible) to invert but easy to compute. This function is used to encode all the passwords, and only the encoded passwords are stored. When a user presents a password, it is encoded and compared against the stored encoded password. Even if the stored encoded password is seen, it cannot be decoded, so the password cannot be determined. On this reasoning the password file does not need to be kept secret. In practice that turned out to be too optimistic: anyone who can read the encoded list can guess candidate passwords offline and run each guess through the same function, so modern UNIX systems keep the encoded passwords in a shadow file readable only by root and add a random per-user salt, so that two users with the same password do not produce the same stored value.
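The one-way-function scheme just described, as an added example that is not part of the original slides: it uses PBKDF2-HMAC-SHA256 from Python's standard library as the hard-to-invert function, adds the per-user salt, and shows why a stolen record is still worth guessing against. The record format, iteration count and sample passwords are this example's own choices, not any system's real password file.

```python
"""Added example (not from the original slides): one-way password storage
with a per-user salt, and the offline guessing a leaked record invites."""
import hashlib
import hmac
import os
from typing import List, Optional

ITERATIONS = 200_000   # cost factor: every guess an attacker makes pays this too
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2$iterations$salthex$digesthex'.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table of digests is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the one-way function on the candidate and compare.

    hmac.compare_digest runs in constant time, so a wrong guess does not
    leak how many leading bytes of the digest matched.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def dictionary_attack(record: str, wordlist: List[str]) -> Optional[str]:
    """What an attacker does with a stolen record: try likely passwords.

    Nothing is 'decoded'; each guess is simply pushed through the same
    one-way function. Returns the recovered password, or None.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data: two users, one of them with a weak password.
    users = {"alice": hash_password("correct horse battery staple"),
             "bob": hash_password("password123")}
    print("alice, right password:", verify_password("correct horse battery staple", users["alice"]))
    print("alice, wrong password:", verify_password("Correct horse battery staple", users["alice"]))
    common = ["123456", "password", "password123", "qwerty"]   # constructed wordlist
    print("bob cracked as:  ", dictionary_attack(users["bob"], common))
    print("alice cracked as:", dictionary_attack(users["alice"], common))
```

The salt defeats precomputation but not guessing, which is why the iteration count matters and why the records still belong in a root-only shadow file.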
One-Time Passwords
This approach can be generalized to the use of an algorithm as a password. The algorithm might be an integer function, for example. The system selects a random integer and presents it to the user. The user applies a function and replies with the correct result. The system also applies the same function. If the two results match, access is allowed. Because the integer is fresh for each login, a captured reply is of no use to an eavesdropper the next time.
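The random-integer challenge scheme above, together with the replay attack from the Methods for breaching security section, as one added example that is not part of the original slides: an HMAC over a random challenge replaces the integer function, and the server consumes each challenge once, so a captured reply fails on replay. The class layout, the message format and the 30-second freshness window are assumptions of this example.

```python
"""Added example (not from the original slides): challenge-response as a
one-time password, with the captured-reply replay rejected."""
import hashlib
import hmac
import os
import time
from typing import Dict, Tuple


def compute_response(secret: bytes, challenge: bytes) -> str:
    """The function both sides apply: HMAC-SHA256(shared secret, challenge)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


class Server:
    """Issues a fresh random challenge per login and accepts each at most once."""

    def __init__(self, secrets: Dict[str, bytes], ttl_seconds: float = 30.0):
        self._secrets = secrets                     # user -> shared secret (assumed pre-enrolled)
        self._ttl = ttl_seconds                     # assumed freshness window
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    def issue_challenge(self, user: str) -> bytes:
        challenge = os.urandom(16)                  # the "random integer" of the slide
        self._pending[user] = (challenge, time.monotonic())
        return challenge

    def check_response(self, user: str, response: str) -> bool:
        # The challenge is consumed whether or not the reply matches, so a
        # second presentation of the same reply finds nothing to match against.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False                            # no outstanding challenge: replay or stray attempt
        challenge, issued = entry
        if time.monotonic() - issued > self._ttl:
            return False                            # stale challenge
        secret = self._secrets.get(user)
        if secret is None:
            return False                            # unknown user
        expected = compute_response(secret, challenge)
        return hmac.compare_digest(expected, response)


def login(server: Server, user: str, secret: bytes) -> Tuple[bool, str]:
    """Client side of one exchange. Returns (accepted, response sent), so the
    response can be replayed afterwards to show that it is rejected."""
    challenge = server.issue_challenge(user)
    response = compute_response(secret, challenge)
    return server.check_response(user, response), response


if __name__ == "__main__":
    srv = Server({"alice": b"alice-shared-secret"})    # constructed enrolment
    ok, captured = login(srv, "alice", b"alice-shared-secret")
    print("genuine login accepted:", ok)
    print("replay of captured reply accepted:", srv.check_response("alice", captured))
    srv.issue_challenge("alice")
    print("captured reply against a new challenge accepted:", srv.check_response("alice", captured))
```

Replaying the captured reply fails twice for two different reasons: first because the challenge it answered has already been consumed, then because a new challenge yields a different expected value.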
Biometrics
Yet another variation on the use of passwords for authentication involves the use of biometric measures. Palm or hand readers are commonly used to secure physical access. These readers match stored parameters against what is being read from hand-reader pads. The parameters can include temperature maps, finger length, finger width, and line patterns. Dedicated biometric devices have historically been too large and expensive for everyday computer authentication, although fingerprint readers built into laptops and phones have since made them routine.
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
• A Trojan horse is a code segment that misuses its environment.
• A Trojan is a type of malware that masquerades as a legitimate file or helpful program, possibly with the purpose of granting an attacker unauthorized access to a computer.
• According to a survey conducted by BitDefender from January to June 2009, Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.
Trojan Horse
• Long search paths, such as are common on UNIX systems, exacerbate the Trojan horse problem. For instance, a "." entry in a search path tells the shell to include the current directory in the search. So if user A has "." in his search path, has set his current directory to user B's directory, and enters a normal system command, a program of that name planted in user B's directory would be executed instead of the system command. The program would run in user A's domain, with user A's privileges, allowing it to do anything that user A is allowed to do, including deleting user A's files.
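An added example, not from the original slides, of the "." search-path problem: a pure-Python model of the shell's left-to-right PATH lookup, a fake ls planted in a temporary directory standing in for user B's directory, and the sanitizing step that removes "." before any lookup. Function names, the sample PATH strings and the fake program's output are constructed for this example.

```python
"""Added example (not from the original slides): how "." in PATH lets a
planted program shadow a system command, and the check that prevents it."""
import os
import stat
import subprocess
import tempfile
from typing import Dict, Optional


def resolve_command(name: str, path: str, cwd: str) -> Optional[str]:
    """Return the first executable called `name` along `path`, as a shell would.

    An entry of "." (or an empty entry, which the shell treats the same way)
    is searched relative to `cwd`; that is what lets a file in the current
    directory win over /bin when "." comes first.
    """
    for entry in path.split(os.pathsep):
        directory = cwd if entry in ("", ".") else entry
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def sanitize_path(path: str) -> str:
    """Drop "." , empty and relative entries so only absolute directories are searched."""
    keep = [e for e in path.split(os.pathsep) if e not in ("", ".") and os.path.isabs(e)]
    return os.pathsep.join(keep)


def plant_trojan(directory: str, name: str = "ls") -> str:
    """Write a fake `name` into `directory` that merely announces itself (constructed)."""
    target = os.path.join(directory, name)
    with open(target, "w") as f:
        f.write("#!/bin/sh\necho TROJAN-RAN\n")
    os.chmod(target, os.stat(target).st_mode | stat.S_IXUSR)
    return target


def run_resolved(program: str) -> str:
    """Run a program by the absolute path the lookup returned; return its stdout."""
    out = subprocess.run([program], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def demonstrate(path: str = ".:/usr/bin:/bin") -> Dict[str, object]:
    """User A, with `path`, runs `ls` from user B's directory (a temp dir here)."""
    with tempfile.TemporaryDirectory() as user_b_dir:
        trojan = plant_trojan(user_b_dir)
        unsafe_target = resolve_command("ls", path, cwd=user_b_dir)
        safe_target = resolve_command("ls", sanitize_path(path), cwd=user_b_dir)
        return {
            "trojan_won": unsafe_target == trojan,
            "trojan_output": run_resolved(unsafe_target) if unsafe_target == trojan else None,
            "safe_target": safe_target,
        }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The same lookup with "." moved to the end of PATH still resolves to the planted file whenever the typed name is not a real command (a common typo of a system command, for instance), which is why removing "." altogether is the usual advice.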
A Trojan may give an attacker remote access to a targeted computer system. Operations that could be performed by an attacker on a targeted computer system may include:
• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks)
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Crashing the computer
• Anonymizing Internet viewing
Popular Trojan Horses
NetBus, SubSeven (Sub7), Y3K Remote Administration Tool, Back Orifice, Beast, Zeus, the Blackhole exploit kit, Flashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message, and exited; the user was then presented with a genuine login prompt. This is the attack that a secure attention sequence (Ctrl+Alt+Del on Windows) is designed to defeat: only the operating system can receive it, so pressing it before logging in guarantees that the prompt on screen is the genuine one.
Trapdoor
Trapdoor
A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A trap door is a secret entry point into a program that allows someone to gain access without going through the normal methods of access authentication.
Trap doors can be included in the compiler as well. The compiler could generate standard object code plus a trap door, regardless of the source code being compiled. Ken Thompson's 1984 Turing Award lecture "Reflections on Trusting Trust" describes exactly this case: a compiler that inserts a back door whenever it compiles the login program and re-inserts its own trick whenever it compiles the compiler, so that nothing in any source file reveals it.
Trap doors pose a difficult problem since, to detect them, we have to analyze all the source code for all components of a system (and, in the compiler case, even that is not enough).
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow
Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. It can also be used by an unauthorized user for privilege escalation.
Buffer overflow attacks are especially pernicious because they can be run within a system and travel over allowed communication channels. They can even bypass the security added by firewalls.
Stack and Buffer Overflow
The attacker exploits a bug in the program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case, the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1. Overflow an input field, command-line argument, or input buffer until it writes into the stack.
2. Overwrite the current return address on the stack with the address of the exploit code loaded in step 3.
3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell).
Modern systems make steps 2 and 3 harder with stack canaries, non-executable stacks, and address-space layout randomization, but none of these removes the underlying missing bounds check.
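An added example, not from the original slides, of the check a reviewer would want for the missing bounds check that step 1 exploits: a small scanner that flags the classic unbounded C copy and read calls in source text, run over a constructed vulnerable greet() and its bounded rewrite. The list of risky calls and the replacement advice are this example's own short list, not an exhaustive audit rule.

```python
"""Added example (not from the original slides): flag C calls that write into
a caller-supplied buffer with no length argument, the bug behind step 1."""
import re
from typing import List, Tuple

# Calls that copy or read into a buffer with no length limit, and what to use instead
# (the advice is this example's own, not from the slides).
UNBOUNDED_CALLS = {
    "gets": "reads a line with no limit; use fgets(buf, sizeof buf, stdin)",
    "strcpy": "copies until NUL; use strlcpy/snprintf with the destination size",
    "strcat": "appends until NUL; use strlcat/snprintf",
    "sprintf": "formats with no limit; use snprintf",
}
_CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED_CALLS) + r")\s*\(")
# scanf with a bare %s (no field width) is the same bug in disguise.
_SCANF_RE = re.compile(r'\bscanf\s*\(\s*"[^"]*%s')

Finding = Tuple[int, str, str]   # (line number, function, advice)


def find_unbounded_copies(c_source: str) -> List[Finding]:
    """Return one finding per risky call, in source order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(c_source.splitlines(), start=1):
        code = line.split("//", 1)[0]                 # ignore trailing line comments
        for m in _CALL_RE.finditer(code):
            fn = m.group(1)
            findings.append((lineno, fn, UNBOUNDED_CALLS[fn]))
        if _SCANF_RE.search(code):
            findings.append((lineno, "scanf", "%s with no field width; use %15s for a 16-byte buffer"))
    return findings


# Constructed C snippets: the bug the slide describes, and the bounded rewrite.
VULNERABLE_C = """\
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);        // no bounds check: input > 15 bytes runs past buf into the frame
    printf("Hello, %s\\n", buf);
}
"""

HARDENED_C = """\
void greet(const char *name) {
    char buf[16];
    if (strlen(name) >= sizeof buf) return;   // reject what does not fit, NUL included
    memcpy(buf, name, strlen(name) + 1);
    printf("Hello, %s\\n", buf);
}
"""


def report(c_source: str) -> str:
    """Human-readable summary of the findings for one source text."""
    findings = find_unbounded_copies(c_source)
    if not findings:
        return "no unbounded copies found"
    return "\n".join(f"line {ln}: {fn}(): {advice}" for ln, fn, advice in findings)


if __name__ == "__main__":
    print("vulnerable version:\n" + report(VULNERABLE_C))
    print("hardened version:\n" + report(HARDENED_C))
```

A text scanner of this kind catches only the obvious pattern; it will not see a manual loop that runs past the buffer, which is why the bounded rewrite checks the length against sizeof buf rather than trusting the caller.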
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program, unlike a worm, which is structured as a complete, standalone program.
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents can contain so-called macros, which are Visual Basic programs.
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard-disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000, the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's e-mail contact list. Its main effect was to clog users' inboxes and e-mail systems, though it also overwrote image and script files on the infected machine, so it was not entirely harmless.
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms Spread
• independently of human action;
• usually by exploiting a security hole in a piece of software;
• by scanning a network for another machine that has a specific security hole, then copying themselves to the new machine through that hole.
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris worm in 1988, considered the first computer worm on the Internet, and for subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. These attacks are network based. They fall into two categories:
1. An attack that uses so many facility resources that, in essence, no work can be done.
2. An attack that disrupts the network facility of the computer.
It is generally impossible to prevent denial-of-service attacks. Frequently, it is difficult to determine whether a system slowdown is due to a surge in use or to an attack.
Implementing Security Defences
Implementing Security Defences: major techniques
• Defense in depth
• Security policy
• Vulnerability assessment
• Intrusion detection
• Virus protection
Cryptography as a security tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized under the core security principles of confidentiality, integrity, and availability.
Formal policy models:
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Assessments are typically performed according to the following steps:
• Cataloging assets and capabilities (resources) in a system
• Assigning quantifiable value (or at least rank order) and importance to those resources
• Identifying the vulnerabilities or threats to each resource
• Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
Intrusion Detection [Contd]
Intrusion detection systems use one (or both) of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and alerts the administrator or user when traffic is detected that is anomalous (not normal). Its weakness is the mirror image of the signature approach: it needs a trustworthy baseline, and anything unusual but legitimate produces a false alarm.
Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and a signature being applied in the IDS for detecting it. During this lag time, the IDS will be unable to identify the threat.
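Both detection techniques above, as one added example that is not part of the original slides: a signature matcher over decoded request lines and a per-source request-rate baseline that flags volume anomalies, run over a handful of constructed access-log lines. The log format, the two signatures and the z-score threshold are assumptions of the example, not rules from any real IDS.

```python
"""Added example (not from the original slides): signature-based and
statistical anomaly-based detection over constructed access-log lines."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Assumed log format: "<time> <source ip> "<request line>"".
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<req>[^"]*)"$')

# Two illustrative signatures (assumed, not from any real rule set).
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1)"),
}


def make_lines(src: str, n: int, path: str = "/index.html") -> List[str]:
    """Constructed log lines: one GET per second from `src`."""
    return [f'10:{i // 60:02d}:{i % 60:02d} {src} "GET {path} HTTP/1.1"' for i in range(n)]


# Training window: four well-behaved sources (constructed).
TRAINING_LOG = (make_lines("10.0.0.5", 4) + make_lines("10.0.0.6", 3)
                + make_lines("10.0.0.7", 5) + make_lines("10.0.0.8", 4))

# Live window: the same sources, a flood with no known pattern, and two
# requests that match signatures but are far too few to look like a flood.
LIVE_LOG = (make_lines("10.0.0.5", 4) + make_lines("10.0.0.6", 5)
            + make_lines("203.0.113.9", 40, path="/search?q=x")
            + ['10:01:00 198.51.100.2 "GET /../../etc/passwd HTTP/1.1"',
               '10:01:01 198.51.100.2 "GET /login?user=a%27%20OR%201=1 HTTP/1.1"'])


def parse(line: str) -> Tuple[str, str, str]:
    """Split a line into (time, source, URL-decoded request)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("ts"), m.group("src"), unquote(m.group("req"))


def signature_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Signature-based detection: (source, signature name, decoded request)."""
    alerts = []
    for line in lines:
        _, src, req = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                alerts.append((src, name, req))
    return alerts


class RateBaseline:
    """Anomaly-based detection on per-source request volume."""

    def __init__(self, z: float = 3.0):
        self.z = z              # how many spreads above the mean counts as abnormal (assumed)
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, lines: List[str]) -> None:
        """Learn the mean and spread of requests per source from a clean window."""
        counts = list(Counter(parse(l)[1] for l in lines).values())
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0

    def threshold(self) -> float:
        # Floor the spread at one request so a perfectly uniform baseline
        # still needs a real deviation before anything is flagged.
        return self.mean + self.z * max(self.stdev, 1.0)

    def anomalies(self, lines: List[str]) -> Dict[str, int]:
        """Sources whose request count in `lines` exceeds the learned threshold."""
        counts = Counter(parse(l)[1] for l in lines)
        return {src: n for src, n in counts.items() if n > self.threshold()}


if __name__ == "__main__":
    for src, name, req in signature_alerts(LIVE_LOG):
        print(f"signature  {name:15s} {src} {req}")
    baseline = RateBaseline()
    baseline.train(TRAINING_LOG)
    for src, n in baseline.anomalies(LIVE_LOG).items():
        print(f"anomaly    {n} requests from {src} (threshold {baseline.threshold():.1f})")
```

The flood from 203.0.113.9 matches no signature and is caught only by the baseline; the two requests from 198.51.100.2 are well under the volume threshold and are caught only by the signatures. Each technique's blind spot is the other's strength, which is the practical reason deployments run both.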
Virus Protection
The problem of viruses can be dealt with by using antivirus software. Such programs work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program. The best protection against viruses is the method of safe computing: purchasing unopened software from vendors and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: antivirus programs can update themselves, keeping your computer's protection up to date without you having to update it manually.
Further protection: if antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring.
Interconnects networks with differing trust.
Imposes restrictions on network services:
• only authorized traffic is allowed.
Auditing and controlling access:
• can implement alarms for abnormal behavior.
Itself immune to penetration.
Provides perimeter defence.
Firewalls Arenrsquot Perfect
Useless against attacks from the inside:
• an evildoer exists on the inside;
• malicious code is executed on an internal machine.
Organizations with greater insider threat:
• banks and the military.
Protection must exist at each layer:
• assess risks of threats at every layer.
Cannot protect against transfer of all virus-infected programs or files:
• because of the huge range of OS and file types.
Can be spoofed and tunneled.
Bibliography
Book: Operating System Concepts [Silberschatz, Galvin, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google Images
Thank You
The Security Problemamp
User Authentication
The Security Problem
Protection is strictly an internal problem But Security on the other hand requires not only an adequate protection system but also consideration of the external environment within which the system operatesWe say that a system is Secure if its resources are used and accessed as intended under all circumstances Unfortunately total security can not be achieved Nonetheless we must have mechanisms to make security breaches a rare occurrence rather than a norm
Security violations of the system can be categorized as ndashIntentionalAccidental
It is easier to protect against accidental misuse than against intentional misuse
A few terms
Intruder and Cracker Those attempting to breach the securityThreat The potential for a security violation such as the discovery of a vulnerabilityAttack The attempt to break security
Several forms of Intentional and Accidental security violationsBreach of confidentiality This type of violation involves unauthorized reading of data or theft of information Capturing secret data from a system or a data stream such as credit card information or identity information for identity theft can result directly in money for the intruder
Breach of integrity This violation involves unauthorized modification of data Such attacks can for example result in passing of liability to an innocent party or modification of the source code of an important commercial application
Several forms of Intentional and Accidental security violationsBreach of availability This violation involves unauthorized destruction of data Web-site defacement is a common example of this type of security breach
Theft of service This violation involves unauthorized use of resources
Denial of service This violation involves preventing legitimate use of the system These attacks are sometimes accidental
Methods for breaching security
Attackers use several methods in their attempts to breach securityA The most common is Masquerading in which one participant in a
communication pretends to be someone else(another host or a person)By masquerading attackers breach authentication the correctness of identification they can gain access that they would not normally be allowed or escalate their privileges- obtain privileges to which they would not normally be entitled
B Another common attack is to replay a captured exchange of data A Replay Attack consists of the malicious or fraudulent repeat of a valid data transmission Sometimes the replay comprises of the entire attack- for example in a repeat of a request to transfer money But frequently it is done along with message modification again to escalate privileges
C Yet another kind of attack is the man-in-the-middle attack in which the attacker sits in the data flow of a communication masquerading as the sender to the receiver and vice versa In a network communication a man in the middle attack may be preceded by a session hijacking in which an active communication session is intercepted
To protect a system we must take security measures at four levels1)Physical The site or sites containing the computer systems must be physically secured against armed or superstitious entry by intruders
2)Human Authorization must be done carefully to assure that only appropriate users have access to the system
3)Operating System The system must protect itself from accidental or purposeful security breaches
4)Network Much computer data in modern systems travels over private leased lines shared lines like the internet wireless connections or dial-up lines Intercepting these data could be just as harmful as breaking into a computer and interruption of communications could constitute a remote denial-of-service attack diminishing users use of and trust in the system
User Authentication
If a system can not authenticate a user then authenticating that a message came from the user is pointlessThus a major security problem for operating systems is user authenticationSo how do we determine whether a users identity is authentic
Generally user authentication is based on one or more of three things1)The users possession of something- a card or a key2)The users knowledge of something- a user identifier and a password3)An attribute of the user- fingerprint retina pattern or signature
Authentication using Passwords
The most commmon approach to authenticate a user identity is the use of Passwords When the user identifies himself by user ID or account name he is asked for a passowrdIf the user-supplied password matches the password stored in the system the system assumes that the account is being accessed by the owner of the account
Different passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Passwords [Contd]
Passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Unfortunately passwords can often be guessed accidentally exposed sniffed or illegally transferred from an authorized user to an unauthorized one
Password Vulnerabilities
There are three common ways to guess a password
1 One way is for the intruder to know the user or to have information about the user All too frequently people use obvious information as their passwords
2 The other way is to use brute force trying enumeration- or all possible combinations of valid password characters until the password is found Short passwords are especially vulnerable to this methodEnumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters
3Passwords can also be exposed as a result of visual or electronic monitoring
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computerUNIX system uses encryption to avoid the necessity of keeping its password list secret
Each user has a password The system contains a function that is extremely difficult-impossible to invert but easy to compute This function is used to encode all the passwords Only encoded passwords are stored When a user presents a password it is encoded and compared against the stored encoded password Even if the stored encoded password be seen it can not be decoded so the password cant be determined Thus the password file does not need to be kept secret
One-Time PasswordsThis approach can be generalized to the use of an algorithm as a password The algorithm might be an integer function for example The system selects a random integer and presents it to the user The user applies a function and replies with the correct result The system also applies the same function If the two results match access is allowed
BiometricsYet another variation on the use of passwords for authentication involves the use of biometric measures Palm or hand readers are commonly used to secure physical access These readers match stored parameters against what is being read from hand-reader pads The parameters can include temperature maps finger length finger width and line patterns But devices for biometric measures are currently too large and expensive to be used for normal computer authentication
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents contain so-called macros, which are Visual Basic programs.
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's e-mail contact list. It just clogged users' inboxes and e-mail systems but was relatively harmless.
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms spread:
• independently of human action
• usually by utilizing a security hole in a piece of software
• by scanning a network for another machine that has a specific security hole and copying itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. They are network based. They fall into 2 categories:
1. An attack that uses so many facility resources that, in essence, no work can be done.
2. An attack that disrupts the network facility of the computer.
It is impossible to prevent denial of service attacks. Frequently it is difficult to determine if a system slowdown is due to a surge in use or an attack.
Implementing Security Defences
Implementing Security Defences: Major Techniques
• Defense in Depth
• Security Policy
• Vulnerability Assessment
• Intrusion Detection
• Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity and Availability.
Formal policy models:
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
Intrusion Detection
Intrusion Detection [Contd]
All intrusion detection systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity, like what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature for detecting it being applied in the IDS. During this lag time your IDS will be unable to identify the threat.
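Both detection techniques run over a constructed log, as an added example that is not part of the slides: a signature matcher and a statistical anomaly detector that learns a requests-per-minute baseline. The log lines, signatures, window and threshold are assumptions; the burst in the last minute matches no signature and is caught only by the anomaly detector, which is the lag the slide warns about.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample access log (not captured from any real system). Each line is
 * "<minute> <client> <request>". Minutes 0-3 are ordinary traffic and serve as the
 * anomaly baseline; minute 4 holds one request matching a configured signature;
 * minute 5 is a burst of requests whose pattern is NOT in the signature list. */
static const char *LOG[] = {
    "0 10.0.0.5 GET /index.html",
    "0 10.0.0.7 GET /about.html",
    "1 10.0.0.5 GET /news.html",
    "1 10.0.0.9 GET /index.html",
    "1 10.0.0.7 GET /img/logo.png",
    "1 10.0.0.8 GET /contact.html",
    "2 10.0.0.5 GET /index.html",
    "2 10.0.0.6 GET /about.html",
    "2 10.0.0.9 GET /news.html",
    "3 10.0.0.7 GET /index.html",
    "3 10.0.0.5 GET /img/logo.png",
    "3 10.0.0.8 GET /news.html",
    "4 10.0.0.42 GET /download?file=../../config.txt",
    "5 10.0.0.77 GET /search?q=aaaa",
    "5 10.0.0.77 GET /search?q=aaab",
    "5 10.0.0.77 GET /search?q=aaac",
    "5 10.0.0.77 GET /search?q=aaad",
    "5 10.0.0.77 GET /search?q=aaae",
    "5 10.0.0.77 GET /search?q=aaaf",
    "5 10.0.0.77 GET /search?q=aaag",
    "5 10.0.0.77 GET /search?q=aaah",
};
#define LOG_LEN     ((int)(sizeof LOG / sizeof LOG[0]))
#define NUM_MINUTES 6

/* Signature-based detection: pre-configured patterns of known attacks. Anything
 * not on this list, however hostile, is invisible to this technique until a
 * signature for it is written and deployed (the lag the slides mention). */
static const char *SIGNATURES[] = { "../../", "<script>" };
#define NUM_SIGS ((int)(sizeof SIGNATURES / sizeof SIGNATURES[0]))

/* Returns 1 if the line contains any configured signature, 0 otherwise. */
int matches_signature(const char *line)
{
    for (int i = 0; i < NUM_SIGS; i++)
        if (strstr(line, SIGNATURES[i]) != NULL)
            return 1;
    return 0;
}

/* Number of log lines that trigger a signature alert. */
int signature_alerts(const char *const *lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += matches_signature(lines[i]);
    return hits;
}

/* Statistical anomaly detection, step 1: measure activity (requests per minute). */
void requests_per_minute(const char *const *lines, int n, int *counts, int minutes)
{
    memset(counts, 0, sizeof(int) * (size_t)minutes);
    for (int i = 0; i < n; i++) {
        int m;
        if (sscanf(lines[i], "%d", &m) == 1 && m >= 0 && m < minutes)
            counts[m]++;
    }
}

/* Step 2: learn "normal" from the first 'train' minutes (mean and variance), then
 * flag every minute whose count lies more than k standard deviations above the
 * mean. The comparison is done on squares so no sqrt() is needed. flagged[i] is
 * set to 1 for anomalous minutes; the return value is how many were flagged. */
int anomalous_minutes(const int *counts, int minutes, int train, double k, int *flagged)
{
    double mean = 0.0, var = 0.0;
    for (int i = 0; i < train; i++)
        mean += counts[i];
    mean /= train;
    for (int i = 0; i < train; i++)
        var += (counts[i] - mean) * (counts[i] - mean);
    var /= train;

    int n = 0;
    for (int i = 0; i < minutes; i++) {
        double d = counts[i] - mean;
        flagged[i] = (d > 0 && d * d > k * k * var);
        n += flagged[i];
    }
    return n;
}

int main(void)
{
    int counts[NUM_MINUTES], flagged[NUM_MINUTES];
    printf("signature alerts: %d\n", signature_alerts(LOG, LOG_LEN));
    requests_per_minute(LOG, LOG_LEN, counts, NUM_MINUTES);
    anomalous_minutes(counts, NUM_MINUTES, 4, 3.0, flagged);
    for (int m = 0; m < NUM_MINUTES; m++)
        printf("minute %d: %d requests%s\n", m, counts[m], flagged[m] ? "  <-- anomalous" : "");
    return 0;
}
```

With the constructed log, the signature matcher reports exactly one alert (minute 4) and the anomaly detector flags only minute 5, so the two techniques catch disjoint events.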
Virus Protection
The problem of viruses can be dealt with by using antivirus software. They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program. The best protection against viruses is the method of safe computing: purchasing unopened software from vendors and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer, or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to manually update it.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL?
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services
  • only authorized traffic is allowed
• Auditing and controlling access
  • can implement alarms for abnormal behavior
• Itself immune to penetration
• Provides perimeter defence
Firewalls Aren't Perfect
• Useless against attacks from the inside
  • Evildoer exists on inside
  • Malicious code is executed on an internal machine
• Organizations with greater insider threat
  • Banks and Military
• Protection must exist at each layer
  • Assess risks of threats at every layer
• Cannot protect against transfer of all virus-infected programs or files
  • because of huge range of OS & file types
• Can be spoofed and tunneled
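The two slides above list what a firewall should do (choke point, only authorized traffic, auditing) and one way it fails (spoofing). The packet filter below is an added example written for this page, not code from the slides or any firewall product: a first-match, default-deny rule set in which the first rule rejects packets that arrive from outside claiming an inside source address. The internal network, server addresses, rule names and sample traffic are constructed assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum { IF_EXTERNAL = 0, IF_INTERNAL = 1, IF_ANY = -1 };
enum { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };
enum { DENY = 0, ALLOW = 1 };
#define PORT_ANY (-1)

/* IPv4 address and prefix-mask helpers; MASK(bits) requires 1 <= bits <= 32. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MASK(bits)     (0xFFFFFFFFu << (32 - (bits)))

struct packet {
    int      ingress;   /* interface the packet arrived on */
    int      proto;
    uint32_t src, dst;
    int      dport;
};

struct rule {
    int         action;
    int         ingress;            /* IF_ANY matches either interface */
    int         proto;              /* PROTO_ANY matches every protocol */
    uint32_t    src_net, src_mask;  /* mask 0 matches any address */
    uint32_t    dst_net, dst_mask;
    int         dport;              /* PORT_ANY matches every port */
    const char *name;
};

/* Constructed policy for an assumed internal network 10.0.0.0/8 with a public web
 * server at 10.1.1.80 and a resolver at 10.1.1.53 (all example values). Rules are
 * evaluated top to bottom; the first match wins. */
static const struct rule POLICY[] = {
    /* Anti-spoofing: a packet arriving from outside must not claim an inside
     * source address. Placed first so no later rule can be fooled by it. */
    { DENY,  IF_EXTERNAL, PROTO_ANY, IP(10,0,0,0), MASK(8), 0, 0, PORT_ANY, "antispoof" },
    /* From outside, only HTTPS to the public web server is authorized. */
    { ALLOW, IF_EXTERNAL, PROTO_TCP, 0, 0, IP(10,1,1,80), MASK(32), 443, "inbound-https" },
    /* Inside hosts may browse out over HTTPS and may query only the internal resolver. */
    { ALLOW, IF_INTERNAL, PROTO_TCP, IP(10,0,0,0), MASK(8), 0, 0, 443, "outbound-https" },
    { ALLOW, IF_INTERNAL, PROTO_UDP, IP(10,0,0,0), MASK(8), IP(10,1,1,53), MASK(32), 53, "internal-dns" },
};
#define NUM_RULES ((int)(sizeof POLICY / sizeof POLICY[0]))

static int rule_matches(const struct rule *r, const struct packet *p)
{
    return (r->ingress == IF_ANY  || r->ingress == p->ingress)
        && (r->proto == PROTO_ANY || r->proto == p->proto)
        && (p->src & r->src_mask) == (r->src_net & r->src_mask)
        && (p->dst & r->dst_mask) == (r->dst_net & r->dst_mask)
        && (r->dport == PORT_ANY  || r->dport == p->dport);
}

/* The choke point: every packet passes through here. Returns ALLOW or DENY and
 * names the deciding rule in *why. Traffic no rule authorizes is denied, which is
 * what "only authorized traffic is allowed" means in practice (default deny). */
int filter(const struct packet *p, const char **why)
{
    for (int i = 0; i < NUM_RULES; i++) {
        if (rule_matches(&POLICY[i], p)) {
            *why = POLICY[i].name;
            return POLICY[i].action;
        }
    }
    *why = "default-deny";
    return DENY;
}

/* Auditing: log each decision. Returns how many packets of the batch were denied,
 * a figure a monitoring process could compare against a baseline to raise an alarm. */
int audit_batch(const struct packet *pkts, int n)
{
    int denied = 0;
    for (int i = 0; i < n; i++) {
        const char *why;
        int verdict = filter(&pkts[i], &why);
        denied += (verdict == DENY);
        printf("%s proto %d dport %d via %s\n", verdict == ALLOW ? "ALLOW" : "DENY ",
               pkts[i].proto, pkts[i].dport, why);
    }
    return denied;
}

int main(void)
{
    /* Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). */
    const struct packet sample[] = {
        { IF_EXTERNAL, PROTO_TCP, IP(203,0,113,9), IP(10,1,1,80),    443 }, /* authorized */
        { IF_EXTERNAL, PROTO_TCP, IP(203,0,113,9), IP(10,1,1,80),    22  }, /* not authorized */
        { IF_EXTERNAL, PROTO_TCP, IP(10,0,0,5),    IP(10,1,1,80),    443 }, /* spoofed inside source */
        { IF_INTERNAL, PROTO_TCP, IP(10,0,0,5),    IP(198,51,100,3), 443 }, /* authorized */
        { IF_INTERNAL, PROTO_UDP, IP(10,0,0,5),    IP(198,51,100,3), 53  }, /* DNS to a foreign resolver */
    };
    printf("%d of 5 packets denied\n", audit_batch(sample, 5));
    return 0;
}
```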
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
A few terms
Intruder and Cracker Those attempting to breach the securityThreat The potential for a security violation such as the discovery of a vulnerabilityAttack The attempt to break security
Several forms of Intentional and Accidental security violationsBreach of confidentiality This type of violation involves unauthorized reading of data or theft of information Capturing secret data from a system or a data stream such as credit card information or identity information for identity theft can result directly in money for the intruder
Breach of integrity This violation involves unauthorized modification of data Such attacks can for example result in passing of liability to an innocent party or modification of the source code of an important commercial application
Several forms of Intentional and Accidental security violationsBreach of availability This violation involves unauthorized destruction of data Web-site defacement is a common example of this type of security breach
Theft of service This violation involves unauthorized use of resources
Denial of service This violation involves preventing legitimate use of the system These attacks are sometimes accidental
Methods for breaching security
Attackers use several methods in their attempts to breach securityA The most common is Masquerading in which one participant in a
communication pretends to be someone else(another host or a person)By masquerading attackers breach authentication the correctness of identification they can gain access that they would not normally be allowed or escalate their privileges- obtain privileges to which they would not normally be entitled
B Another common attack is to replay a captured exchange of data A Replay Attack consists of the malicious or fraudulent repeat of a valid data transmission Sometimes the replay comprises of the entire attack- for example in a repeat of a request to transfer money But frequently it is done along with message modification again to escalate privileges
C Yet another kind of attack is the man-in-the-middle attack in which the attacker sits in the data flow of a communication masquerading as the sender to the receiver and vice versa In a network communication a man in the middle attack may be preceded by a session hijacking in which an active communication session is intercepted
To protect a system we must take security measures at four levels1)Physical The site or sites containing the computer systems must be physically secured against armed or superstitious entry by intruders
2)Human Authorization must be done carefully to assure that only appropriate users have access to the system
3)Operating System The system must protect itself from accidental or purposeful security breaches
4)Network Much computer data in modern systems travels over private leased lines shared lines like the internet wireless connections or dial-up lines Intercepting these data could be just as harmful as breaking into a computer and interruption of communications could constitute a remote denial-of-service attack diminishing users use of and trust in the system
User Authentication
If a system can not authenticate a user then authenticating that a message came from the user is pointlessThus a major security problem for operating systems is user authenticationSo how do we determine whether a users identity is authentic
Generally user authentication is based on one or more of three things1)The users possession of something- a card or a key2)The users knowledge of something- a user identifier and a password3)An attribute of the user- fingerprint retina pattern or signature
Authentication using Passwords
The most common approach to authenticating a user's identity is the use of passwords. When the user identifies himself by user ID or account name, he is asked for a password. If the user-supplied password matches the password stored in the system, the system assumes that the account is being accessed by the owner of the account.
Different passwords may be associated with different access rights. But in practice, most systems require only one password for a user to gain full rights.
Passwords [Contd]
Unfortunately, passwords can often be guessed, accidentally exposed, sniffed, or illegally transferred from an authorized user to an unauthorized one.
Password Vulnerabilities
There are three common ways in which a password is compromised:
1. One way is for the intruder to know the user or to have information about the user. All too frequently, people use obvious information as their passwords.
2. Another way is to use brute force: trying enumeration, or all possible combinations of valid password characters, until the password is found. Short passwords are especially vulnerable to this method. Enumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with numbers and punctuation characters.
3. Passwords can also be exposed as a result of visual or electronic monitoring.
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computer. The UNIX system uses a one-way function (loosely called encryption) to avoid the necessity of keeping its password list secret.
Each user has a password. The system contains a function that is extremely difficult (ideally impossible) to invert but easy to compute. This function is used to encode all the passwords, and only the encoded passwords are stored. When a user presents a password, it is encoded and compared against the stored encoded password. Even if the stored encoded password is seen, it cannot be decoded, so the password cannot be determined. Thus the password file does not need to be kept secret. The caveat is that the function itself is public: anyone who can read the encoded passwords can encode guesses offline and compare them, which is why the encoding is combined with a random per-user salt and modern UNIX systems keep the encoded passwords in a separately protected shadow file.
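As an added worked example (not code from the slides or the textbook): the one-way encoding described above, implemented with PBKDF2-HMAC-SHA256 and a random per-user salt, followed by the dictionary attack that an intruder who has read the encoded password file can still run offline. The user names, passwords, wordlist, record format and iteration count are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor assumed for the example; tune upward for production use.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Encode a password with a one-way function and return a storable record.

    PBKDF2-HMAC-SHA256 is easy to compute forward and infeasible to invert; the
    random per-user salt means two users with the same password get different
    records, so an attacker cannot precompute one table for everyone.
    Record format (this example's own): "<iterations>$<salt hex>$<digest hex>".
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-encode the presented password with the stored salt and compare."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed accounts: one weak password, one long passphrase.
EXAMPLE_PASSWORDS = {"alice": "Pa55word", "bob": "correct horse battery staple 42"}

# Constructed wordlist an intruder might try against a stolen password file.
WORDLIST: List[str] = ["123456", "password", "Pa55word", "letmein", "qwerty", "alice"]


def build_example_records() -> Dict[str, str]:
    """Simulate the stored password file: encoded records only, no plaintext."""
    return {user: hash_password(pw) for user, pw in EXAMPLE_PASSWORDS.items()}


def dictionary_attack(records: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline guessing: the encoding function is public, so each guess is encoded
    with the victim's salt and compared. Only passwords present in the wordlist fall;
    the salt forces the work to be redone per user rather than once for a table."""
    cracked: Dict[str, str] = {}
    for user, record in records.items():
        for guess in wordlist:
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    records = build_example_records()
    print("stored records:", records)
    print("cracked:", dictionary_attack(records, WORDLIST))
```

Running it recovers alice's password (it is in the wordlist) and nothing for bob, even though both encoded records were fully visible to the attacker; the iteration count is what makes each guess cost the attacker as much as it costs the login program.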
One-Time Passwords
This approach can be generalized to the use of an algorithm as a password. The algorithm might be an integer function, for example. The system selects a random integer and presents it to the user. The user applies a function known only to the user and the system and replies with the correct result. The system also applies the same function. If the two results match, access is allowed. Because the challenge changes on every login, a reply captured by an eavesdropper is useless afterwards.
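The following is an added example, not code from the slides or the textbook, of the challenge-response scheme just described, with HMAC-SHA256 over a shared secret standing in for the user's "function". It also shows why the replay attack listed under methods for breaching security fails against it: a captured (challenge, response) pair is rejected when resent, and the old response is useless against a fresh challenge. The shared key and the single-use bookkeeping of outstanding challenges are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Set, Tuple

# Constructed per-user secret shared between user and system. A real system keeps
# this in a protected store, never in source.
USER_KEY = b"example-shared-secret-for-alice"


class ChallengeResponseServer:
    """Issues a fresh random challenge per login attempt and accepts a login only if
    the reply equals HMAC(key, challenge). Each challenge may be answered once."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: Set[bytes] = set()   # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)      # the "random integer" of the slide
        self._outstanding.add(challenge)
        return challenge

    def expected_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # An already-consumed or never-issued challenge is a replay or a forgery.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        return hmac.compare_digest(self.expected_response(challenge), response)


def client_answer(key: bytes, challenge: bytes) -> bytes:
    """The user's side: apply the shared function to the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def legitimate_login(server: ChallengeResponseServer, key: bytes) -> Tuple[bool, Tuple[bytes, bytes]]:
    """One honest exchange; also returns the pair an eavesdropper on the wire would see."""
    challenge = server.issue_challenge()
    response = client_answer(key, challenge)
    return server.verify(challenge, response), (challenge, response)


def replay_login(server: ChallengeResponseServer, captured: Tuple[bytes, bytes]) -> bool:
    """Replay attack: the attacker resends the sniffed exchange verbatim."""
    challenge, response = captured
    return server.verify(challenge, response)


def replay_against_new_challenge(server: ChallengeResponseServer,
                                 captured: Tuple[bytes, bytes]) -> bool:
    """Attacker starts a new login and answers the fresh challenge with the old response."""
    _old_challenge, old_response = captured
    new_challenge = server.issue_challenge()
    return server.verify(new_challenge, old_response)


if __name__ == "__main__":
    server = ChallengeResponseServer(USER_KEY)
    ok, sniffed = legitimate_login(server, USER_KEY)
    print("honest login:", ok)                                   # True
    print("verbatim replay:", replay_login(server, sniffed))     # False
    print("old answer, new challenge:", replay_against_new_challenge(server, sniffed))  # False
```

Contrast this with a static password, which is the same "response" every time and therefore replayable by anyone who captured it once.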
Biometrics
Yet another variation on the use of passwords for authentication involves the use of biometric measures. Palm or hand readers are commonly used to secure physical access. These readers match stored parameters against what is being read from hand-reader pads. The parameters can include temperature maps, finger length, finger width, and line patterns. Devices for biometric measures were once too large and expensive to be used for normal computer authentication; fingerprint and face readers are now built into ordinary laptops and phones.
PROGRAM AND SYSTEM THREATS
Trojan Horse
• A Trojan horse is a code segment that misuses its environment.
• A Trojan is a type of malware that masquerades as a legitimate file or helpful program, possibly with the purpose of granting an attacker unauthorized access to a computer.
• According to a survey conducted by BitDefender from January to June 2009, Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.
Trojan Horse [Contd]
• Long search paths, such as are common on UNIX systems, exacerbate the Trojan horse problem. For instance, the "." character in a search path tells the shell to include the current directory in the search. So if user A has "." in his search path, has set his current directory to user B's directory, and enters a normal system command, the command would be executed from user B's directory instead. The program would run with user A's privileges, allowing it to do anything that user A is allowed to do, including deleting A's files.
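As an added example (not the slide's or the textbook's code), the PATH problem above modelled in Python: a small resolver that walks the search path the way a POSIX shell does, run against a constructed temporary layout in which user B has planted programs named "ls" and "sl" in his directory. The directory names, the planted scripts (harmless stand-ins that only print) and the PATH strings are all assumptions of the example.

```python
import os
import stat
import tempfile
from typing import Dict, Optional


def resolve_command(name: str, search_path: str, cwd: str) -> Optional[str]:
    """Model of how a POSIX shell finds a command: walk the PATH entries in order
    and return the first executable file called `name`. A relative entry such as
    "." is taken relative to the current working directory, which is exactly what
    lets a planted program win the search."""
    for entry in search_path.split(os.pathsep):
        directory = entry if os.path.isabs(entry) else os.path.join(cwd, entry)
        candidate = os.path.normpath(os.path.join(directory, name))
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def make_executable(path: str, body: str) -> None:
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def trojan_demo() -> Dict[str, str]:
    """Constructed layout: a system bin directory holding the real `ls`, and user B's
    directory holding a Trojan named `ls` plus one named `sl` (a common typo).
    Returns, for each PATH setting user A might have, the directory whose program
    would run when A types the command while sitting in B's directory."""
    with tempfile.TemporaryDirectory() as root:
        system_bin = os.path.join(root, "bin")
        b_home = os.path.join(root, "home_b")
        os.makedirs(system_bin)
        os.makedirs(b_home)
        make_executable(os.path.join(system_bin, "ls"), "#!/bin/sh\necho real ls\n")
        # Harmless stand-ins for the Trojan; a real one runs with A's privileges.
        make_executable(os.path.join(b_home, "ls"),
                        "#!/bin/sh\necho Trojan ls running as $(id -un)\n")
        make_executable(os.path.join(b_home, "sl"),
                        "#!/bin/sh\necho Trojan sl running as $(id -un)\n")

        found = {
            "dot_first": resolve_command("ls", "." + os.pathsep + system_bin, cwd=b_home),
            "dot_last": resolve_command("ls", system_bin + os.pathsep + ".", cwd=b_home),
            "dot_last_typo": resolve_command("sl", system_bin + os.pathsep + ".", cwd=b_home),
            "no_dot": resolve_command("ls", system_bin, cwd=b_home),
        }
        # Report only the owning directory's name so the result is stable across runs.
        return {k: os.path.basename(os.path.dirname(v)) for k, v in found.items()}


if __name__ == "__main__":
    for setting, owner in trojan_demo().items():
        print(f"{setting:14s} -> program from {owner}")
```

Putting "." last instead of first only helps for commands that really exist in the system directories; a typo such as "sl" still runs whatever B planted, which is why the usual advice is to leave "." out of PATH entirely and type "./prog" when a local program is meant.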
A Trojan may give an attacker remote access to a targeted computer system. Operations that could then be performed on the targeted system include:
• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks)
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Crashing the computer
• Anonymizing Internet viewing
Popular Trojan Horses
Netbus, SubSeven (Sub7), Y3K Remote Administration Tool, Back Orifice, Beast, Zeus, the Blackhole Exploit Kit, Flashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message, and exited; the user was then presented with a genuine login prompt. The defence is a trusted path: a secure attention key (such as Ctrl+Alt+Del on Windows) that the operating system always intercepts itself, so that no user program can sit in front of the real login prompt.
Trapdoor
A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A trap door is a secret entry point into a program that allows someone to gain access without going through the normal methods of access authentication.
Trap doors can be included in the compiler as well. The compiler could generate standard object code plus a trap door regardless of the source code being compiled (the classic description is Ken Thompson's 1984 lecture "Reflections on Trusting Trust").
Trap doors pose a difficult problem, since to detect them we have to analyze all the source code for all components of a system; a compiler trap door would survive even that.
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow
A stack or buffer overflow is the most common way for an attacker from outside the system, on a network or dial-up connection, to gain unauthorized access to the target system. It can also be used by an unprivileged local user for privilege escalation.
Buffer overflow attacks are especially pernicious because they can be run within a system and travel over allowed communication channels. They can even bypass the security added by firewalls.
Stack and Buffer Overflow [Contd]
The attacker exploits a bug in the program. The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field. In this case the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1. Overflow an input field, command-line argument, or input buffer until it writes into the stack.
2. Overwrite the current return address on the stack with the address of the exploit code loaded in step 3.
3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell).
Modern systems raise the bar with stack canaries (a value placed before the return address and checked before the function returns), non-executable stacks, and address space layout randomization, but the root cause remains the missing bounds check.
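As an added example (not the slide's or the textbook's code), steps 1 and 2 above modelled in Python with ctypes so that the write into adjacent memory is real rather than simulated: a frame with a 16-byte local buffer immediately followed by the saved return address, an unbounded copy that mimics strcpy, and the bounded copy that fixes it. The frame layout, buffer size and addresses are constructed for the example; a real exploit would also place the code of step 3 and contend with canaries, NX and ASLR.

```python
import ctypes
import struct

BUF_SIZE = 16


class StackFrame(ctypes.Structure):
    """Layout modelled on a C stack frame: a fixed-size local buffer immediately
    followed by the saved return address. Real frames also hold saved registers
    and, on hardened builds, a canary between the two."""
    _fields_ = [("buf", ctypes.c_char * BUF_SIZE),
                ("saved_return", ctypes.c_uint64)]


# Constructed placeholder for the legitimate return address.
ORIGINAL_RETURN = 0x0000555555551234


def vulnerable_copy(data: bytes) -> int:
    """strcpy-style copy with no bounds check (step 1 of the attack): every byte of
    `data` is written starting at buf, so bytes beyond BUF_SIZE land on the saved
    return address. Returns the address the function would 'return' to.
    The write is capped at the frame size only so the interpreter's own heap, which
    sits after the ctypes object, is not corrupted; a real strcpy would not stop."""
    frame = StackFrame(saved_return=ORIGINAL_RETURN)
    ctypes.memmove(ctypes.addressof(frame), data, min(len(data), ctypes.sizeof(frame)))
    return frame.saved_return


def hardened_copy(data: bytes) -> int:
    """The same copy with the bounds check the vulnerable version lacks."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame = StackFrame(saved_return=ORIGINAL_RETURN)
    ctypes.memmove(ctypes.addressof(frame), data, len(data))
    return frame.saved_return


def build_payload(target_address: int) -> bytes:
    """Step 2: filler up to the return slot, then the attacker's chosen address in
    the machine's native byte order (where the code of step 3 would be placed)."""
    return b"A" * BUF_SIZE + struct.pack("Q", target_address)


if __name__ == "__main__":
    attacker_address = 0x00007FFFDEADBEEF
    print(hex(vulnerable_copy(b"normal input")))                  # unchanged return address
    print(hex(vulnerable_copy(build_payload(attacker_address))))  # hijacked return address
    try:
        hardened_copy(build_payload(attacker_address))
    except ValueError as err:
        print("rejected:", err)
```

The point the model makes concrete is that nothing in the vulnerable copy distinguishes the buffer from what follows it in memory; the only thing standing between the input and the return address is a length check the programmer forgot.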
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents contain so-called macros, which are Visual Basic programs.
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's e-mail contact list. It clogged users' inboxes and e-mail systems but was relatively harmless.
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms Spread
• independently of human action
• usually by utilizing a security hole in a piece of software
• by scanning a network for another machine that has a specific security hole and copying themselves to the new machine using that hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. Such attacks are generally network based. They fall into two categories:
1. An attack that uses so many facility resources that, in essence, no work can be done.
2. An attack that disrupts the network facility of the computer.
It is generally impossible to prevent denial-of-service attacks. Frequently it is difficult to determine whether a system slowdown is due to a surge in legitimate use or to an attack.
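An added example (not from the slides or the textbook) of the kind of control used against the first category, resource exhaustion: a per-source token-bucket limiter applied to a constructed request log in which one address floods the service while two ordinary clients continue. Capacity, refill rate, addresses and timestamps are all assumptions of the example; a limiter like this bounds what one source can consume but, as the slide says, cannot by itself tell a flood from a legitimate surge.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


class TokenBucket:
    """Per-source rate limiter. Every source starts with `capacity` tokens, refilled
    continuously at `rate` tokens per second; a request costs one token and is
    dropped when the source's bucket is empty. Bursts up to `capacity` pass,
    a sustained flood is cut to `rate` requests per second."""

    def __init__(self, capacity: float, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens: Dict[str, float] = defaultdict(lambda: capacity)
        self.last_seen: Dict[str, float] = {}

    def allow(self, source: str, now: float) -> bool:
        elapsed = now - self.last_seen.get(source, now)
        self.tokens[source] = min(self.capacity, self.tokens[source] + elapsed * self.rate)
        self.last_seen[source] = now
        if self.tokens[source] >= 1.0:
            self.tokens[source] -= 1.0
            return True
        return False


# Constructed request log: (timestamp in seconds, source address).
# 10.0.0.9 sends 200 requests in two seconds; the other two sources are ordinary clients.
REQUEST_LOG: List[Tuple[float, str]] = (
    [(i * 0.01, "10.0.0.9") for i in range(200)]
    + [(0.3, "10.0.0.2"), (0.8, "10.0.0.2"), (1.5, "10.0.0.2"), (0.6, "10.0.0.3")]
)


def apply_limiter(log: Iterable[Tuple[float, str]], capacity: float = 20, rate: float = 5
                  ) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Replay the log through one limiter; return accepted and dropped counts per source."""
    bucket = TokenBucket(capacity, rate)
    accepted: Dict[str, int] = defaultdict(int)
    dropped: Dict[str, int] = defaultdict(int)
    for timestamp, source in sorted(log):
        if bucket.allow(source, timestamp):
            accepted[source] += 1
        else:
            dropped[source] += 1
    return dict(accepted), dict(dropped)


if __name__ == "__main__":
    ok, no = apply_limiter(REQUEST_LOG)
    for src in sorted(set(ok) | set(no)):
        print(f"{src}: accepted={ok.get(src, 0)} dropped={no.get(src, 0)}")
```

With a capacity of 20 and a refill of 5 per second the flooding source gets roughly 30 of its 200 requests through (the initial burst plus two seconds of refill) while the two normal clients are never dropped. The limiter keys on source address, so it is weak against the second category of attack and against floods that spoof or spread across many sources; that needs upstream filtering rather than a host-side bucket.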
Implementing Security Defences
Major techniques:
• Defense in depth
• Security policy
• Vulnerability assessment
• Intrusion detection
• Virus protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. Formal policy models can be categorized by the core security principles they address: confidentiality, integrity, and availability.
Formal policy models:
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
Intrusion Detection [Contd]
Intrusion detection systems use one or both of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines what normal network activity looks like (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and a signature being applied in the IDS for detecting it. During this lag time the IDS will be unable to identify the threat.
Virus Protection
The problem of viruses can be dealt with by using antivirus software. They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program. The best protection against viruses is the practice of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchange.
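An added example (not from the slides or the textbook) covering the two IDS techniques above and, in the same code, the pattern-matching idea behind the virus scanner: a signature matcher and a statistical anomaly detector run over a constructed connection log. The log, the two signatures, the baseline window and the threshold are all assumptions of the example. It shows the lag the slide describes: the single known attack string is caught only by the signature matcher, and the novel burst at the end is caught only by the anomaly detector.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed connection log, one event per line: "<second> <source ip> <dst port> <payload>".
# Seconds 0-9 are the quiet baseline; second 4 carries a known attack string; at second 12
# a source that matches no signature opens ten connections at once.
LOG = """\
0 10.0.0.5 80 GET /index.html
1 10.0.0.6 80 GET /about.html
2 10.0.0.5 443 TLS-handshake
3 10.0.0.6 80 GET /news.html
3 10.0.0.8 25 EHLO mail.example
4 10.0.0.7 80 GET /../../etc/passwd
5 10.0.0.5 80 GET /contact.html
6 10.0.0.6 443 TLS-handshake
6 10.0.0.8 25 MAIL FROM:<bob@example>
7 10.0.0.5 80 GET /index.html
8 10.0.0.6 80 GET /about.html
9 10.0.0.8 25 QUIT
10 10.0.0.5 80 GET /index.html
11 10.0.0.6 80 GET /about.html
12 10.0.0.9 80 POST /login user=a
12 10.0.0.9 80 POST /login user=b
12 10.0.0.9 80 POST /login user=c
12 10.0.0.9 80 POST /login user=d
12 10.0.0.9 80 POST /login user=e
12 10.0.0.9 80 POST /login user=f
12 10.0.0.9 80 POST /login user=g
12 10.0.0.9 80 POST /login user=h
12 10.0.0.9 80 POST /login user=i
12 10.0.0.9 80 POST /login user=j
"""

# Signatures: fixed patterns of known attacks, the same idea as a virus scanner's
# byte pattern, here applied to request payloads.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "directory-traversal": re.compile(r"\.\./\.\./"),
    "shell-in-request": re.compile(r"/bin/sh|cmd\.exe", re.IGNORECASE),
}

Event = Tuple[int, str, int, str]


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        second, src, port, payload = line.split(" ", 3)
        events.append((int(second), src, int(port), payload))
    return events


def signature_alerts(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Signature-based detection: match each payload against the known patterns.
    Anything not yet in SIGNATURES passes silently; that is the lag the slide describes."""
    return [(sec, src, name)
            for sec, src, _port, payload in events
            for name, pattern in SIGNATURES.items()
            if pattern.search(payload)]


def anomaly_alerts(events: List[Event], baseline_seconds: range, threshold: float = 3.0) -> List[int]:
    """Statistical anomaly detection: learn the per-second connection count over the
    baseline window, then flag later seconds more than `threshold` standard deviations
    above the baseline mean. Needs no signature, but cannot say what the traffic is."""
    per_second = Counter(sec for sec, *_ in events)
    baseline = [per_second.get(s, 0) for s in baseline_seconds]
    mean = statistics.mean(baseline)
    spread = statistics.pstdev(baseline) or 1.0   # avoid division by zero on a flat baseline
    return sorted(sec for sec, count in per_second.items()
                  if sec not in baseline_seconds and (count - mean) / spread > threshold)


if __name__ == "__main__":
    events = parse_log(LOG)
    print("signature alerts:", signature_alerts(events))
    print("anomalous seconds:", anomaly_alerts(events, range(10)))
```

Each technique misses what the other catches, which is why real deployments run both: signatures name the attack but only after someone has written the signature, and the statistical detector notices new behaviour but raises alerts that still have to be investigated.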
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to manually update it.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services: only authorized traffic is allowed
• Audits and controls access: can implement alarms for abnormal behavior
• Should itself be immune to penetration
• Provides perimeter defence
Firewalls Aren't Perfect
• Useless against attacks from the inside: an evildoer exists on the inside, or malicious code is executed on an internal machine
• Organizations with greater insider threat: banks and military
• Protection must exist at each layer: assess risks of threats at every layer
• Cannot protect against transfer of all virus-infected programs or files, because of the huge range of OS and file types
• Can be spoofed and tunneled
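As an added example (not from the slides or the textbook), a stateless packet filter of the kind the two slides above describe: a first-match rule set with an explicit default deny, an anti-spoofing rule that drops packets arriving on the outside interface with an internal source address, and a single published service. The address ranges, interface names, rules and sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrived on: "outside" (untrusted) or "inside" (trusted)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: Optional[str] = None  # None matches anything, for every field below as well
    src: Optional[str] = None    # CIDR network
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy for a site whose internal space is 10.0.0.0/8 and whose only
# public service is an HTTPS server at 10.0.1.10. First matching rule wins.
RULESET: List[Rule] = [
    Rule("deny", iface="outside", src="10.0.0.0/8",
         comment="anti-spoofing: an internal source address cannot arrive from outside"),
    Rule("allow", iface="outside", dst="10.0.1.10/32", proto="tcp", dport=443,
         comment="public HTTPS server"),
    Rule("allow", iface="inside", src="10.0.0.0/8", proto="tcp", dport=443,
         comment="internal clients may browse out over HTTPS"),
    Rule("deny", comment="default deny: everything not explicitly authorized"),
]


def filter_packet(p: Packet, rules: List[Rule] = RULESET) -> Tuple[str, str]:
    """First-match evaluation. The trailing catch-all means every packet gets a decision."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.5", "10.0.1.10", "tcp", 443),   # allowed: public service
        Packet("outside", "203.0.113.5", "10.0.1.10", "tcp", 22),    # denied: SSH not published
        Packet("outside", "10.0.0.4", "10.0.1.10", "tcp", 443),      # denied: spoofed internal source
        Packet("inside", "10.0.0.4", "203.0.113.5", "tcp", 443),     # allowed: outbound HTTPS
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(pkt))
```

The last sample is the "tunneled" weakness in miniature: the filter sees only headers, so anything carried inside an allowed outbound HTTPS connection, whether an insider's exfiltrated data or malware fetched by a Trojan already on an internal machine, passes with the same verdict as a legitimate web request.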
Bibliography
Book: Operating System Concepts [Silberschatz, Galvin, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google Images
Thank You
Several forms of Intentional and Accidental security violationsBreach of confidentiality This type of violation involves unauthorized reading of data or theft of information Capturing secret data from a system or a data stream such as credit card information or identity information for identity theft can result directly in money for the intruder
Breach of integrity This violation involves unauthorized modification of data Such attacks can for example result in passing of liability to an innocent party or modification of the source code of an important commercial application
Several forms of Intentional and Accidental security violationsBreach of availability This violation involves unauthorized destruction of data Web-site defacement is a common example of this type of security breach
Theft of service This violation involves unauthorized use of resources
Denial of service This violation involves preventing legitimate use of the system These attacks are sometimes accidental
Methods for breaching security
Attackers use several methods in their attempts to breach securityA The most common is Masquerading in which one participant in a
communication pretends to be someone else(another host or a person)By masquerading attackers breach authentication the correctness of identification they can gain access that they would not normally be allowed or escalate their privileges- obtain privileges to which they would not normally be entitled
B Another common attack is to replay a captured exchange of data A Replay Attack consists of the malicious or fraudulent repeat of a valid data transmission Sometimes the replay comprises of the entire attack- for example in a repeat of a request to transfer money But frequently it is done along with message modification again to escalate privileges
C Yet another kind of attack is the man-in-the-middle attack in which the attacker sits in the data flow of a communication masquerading as the sender to the receiver and vice versa In a network communication a man in the middle attack may be preceded by a session hijacking in which an active communication session is intercepted
To protect a system we must take security measures at four levels1)Physical The site or sites containing the computer systems must be physically secured against armed or superstitious entry by intruders
2)Human Authorization must be done carefully to assure that only appropriate users have access to the system
3)Operating System The system must protect itself from accidental or purposeful security breaches
4)Network Much computer data in modern systems travels over private leased lines shared lines like the internet wireless connections or dial-up lines Intercepting these data could be just as harmful as breaking into a computer and interruption of communications could constitute a remote denial-of-service attack diminishing users use of and trust in the system
User Authentication
If a system can not authenticate a user then authenticating that a message came from the user is pointlessThus a major security problem for operating systems is user authenticationSo how do we determine whether a users identity is authentic
Generally user authentication is based on one or more of three things1)The users possession of something- a card or a key2)The users knowledge of something- a user identifier and a password3)An attribute of the user- fingerprint retina pattern or signature
Authentication using Passwords
The most commmon approach to authenticate a user identity is the use of Passwords When the user identifies himself by user ID or account name he is asked for a passowrdIf the user-supplied password matches the password stored in the system the system assumes that the account is being accessed by the owner of the account
Different passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Passwords [Contd]
Passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Unfortunately passwords can often be guessed accidentally exposed sniffed or illegally transferred from an authorized user to an unauthorized one
Password Vulnerabilities
There are three common ways to guess a password
1 One way is for the intruder to know the user or to have information about the user All too frequently people use obvious information as their passwords
2 The other way is to use brute force trying enumeration- or all possible combinations of valid password characters until the password is found Short passwords are especially vulnerable to this methodEnumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters
3Passwords can also be exposed as a result of visual or electronic monitoring
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computerUNIX system uses encryption to avoid the necessity of keeping its password list secret
Each user has a password The system contains a function that is extremely difficult-impossible to invert but easy to compute This function is used to encode all the passwords Only encoded passwords are stored When a user presents a password it is encoded and compared against the stored encoded password Even if the stored encoded password be seen it can not be decoded so the password cant be determined Thus the password file does not need to be kept secret
One-Time PasswordsThis approach can be generalized to the use of an algorithm as a password The algorithm might be an integer function for example The system selects a random integer and presents it to the user The user applies a function and replies with the correct result The system also applies the same function If the two results match access is allowed
BiometricsYet another variation on the use of passwords for authentication involves the use of biometric measures Palm or hand readers are commonly used to secure physical access These readers match stored parameters against what is being read from hand-reader pads The parameters can include temperature maps finger length finger width and line patterns But devices for biometric measures are currently too large and expensive to be used for normal computer authentication
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus Protection
The problem of viruses can be dealt with by using antivirus software. Such programs work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program.
The best protection against viruses is the method of safe computing: purchasing unopened software from vendors and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to update it manually.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL?
- A choke point of control and monitoring
- Interconnects networks with differing trust
- Imposes restrictions on network services
  - only authorized traffic is allowed
- Auditing and controlling access
  - can implement alarms for abnormal behavior
- Itself immune to penetration
- Provides perimeter defence
Firewalls Aren't Perfect
- Useless against attacks from the inside
  - Evildoer exists on inside
  - Malicious code is executed on an internal machine
- Organizations with greater insider threat
  - Banks and Military
- Protection must exist at each layer
  - Assess risks of threats at every layer
- Cannot protect against transfer of all virus-infected programs or files
  - because of huge range of OS & file types
- Can be spoofed and tunneled
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
Methods for breaching security
Attackers use several methods in their attempts to breach security.
A. The most common is masquerading, in which one participant in a communication pretends to be someone else (another host or a person). By masquerading, attackers breach authentication, the correctness of identification; they can then gain access that they would not normally be allowed, or escalate their privileges, obtaining privileges to which they would not normally be entitled.
B. Another common attack is to replay a captured exchange of data. A replay attack consists of the malicious or fraudulent repeat of a valid data transmission. Sometimes the replay comprises the entire attack, for example in a repeat of a request to transfer money. But frequently it is done along with message modification, again to escalate privileges.
C. Yet another kind of attack is the man-in-the-middle attack, in which the attacker sits in the data flow of a communication, masquerading as the sender to the receiver and vice versa. In a network communication, a man-in-the-middle attack may be preceded by a session hijacking, in which an active communication session is intercepted.
To protect a system, we must take security measures at four levels:
1) Physical: The site or sites containing the computer systems must be physically secured against armed or surreptitious entry by intruders.
2) Human: Authorization must be done carefully to assure that only appropriate users have access to the system.
3) Operating System: The system must protect itself from accidental or purposeful security breaches.
4) Network: Much computer data in modern systems travels over private leased lines, shared lines like the Internet, wireless connections, or dial-up lines. Intercepting these data could be just as harmful as breaking into a computer, and interruption of communications could constitute a remote denial-of-service attack, diminishing users' use of and trust in the system.
User Authentication
If a system cannot authenticate a user, then authenticating that a message came from the user is pointless. Thus a major security problem for operating systems is user authentication. So how do we determine whether a user's identity is authentic?
Generally, user authentication is based on one or more of three things:
1) The user's possession of something (a card or a key)
2) The user's knowledge of something (a user identifier and a password)
3) An attribute of the user (fingerprint, retina pattern, or signature)
Authentication using Passwords
The most common approach to authenticate a user's identity is the use of passwords. When the user identifies himself by user ID or account name, he is asked for a password. If the user-supplied password matches the password stored in the system, the system assumes that the account is being accessed by the owner of the account.
Different passwords may be associated with different access rights. But in practice, most systems require only one password for a user to gain full rights.
Passwords [Contd]
Unfortunately, passwords can often be guessed, accidentally exposed, sniffed, or illegally transferred from an authorized user to an unauthorized one.
Password Vulnerabilities
There are three common ways to guess a password:
1. One way is for the intruder to know the user or to have information about the user. All too frequently, people use obvious information as their passwords.
2. Another way is to use brute force, trying enumeration (all possible combinations of valid password characters) until the password is found. Short passwords are especially vulnerable to this method. Enumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters.
3. Passwords can also be exposed as a result of visual or electronic monitoring.
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computer. The UNIX system uses encryption to avoid the necessity of keeping its password list secret.
Each user has a password. The system contains a function that is extremely difficult (ideally impossible) to invert but easy to compute. This function is used to encode all the passwords. Only encoded passwords are stored. When a user presents a password, it is encoded and compared against the stored encoded password. Even if the stored encoded password is seen, it cannot be decoded, so the password cannot be determined. Thus the password file does not need to be kept secret.
One-Time Passwords
This approach can be generalized to the use of an algorithm as a password. The algorithm might be an integer function, for example. The system selects a random integer and presents it to the user. The user applies a function and replies with the correct result. The system also applies the same function. If the two results match, access is allowed.
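The challenge-response exchange above, as an added example that is not from the slides. The shared function is HMAC-SHA256 of the challenge under a per-user secret (this example's choice; the slide says only "a function"), and each challenge is consumed on its first use, which is what defeats the replay attack described earlier: a response captured from the wire is useless once the system has issued a new random integer.

```python
"""Algorithm-as-password: random challenge from the system, keyed answer from the user.
The function (HMAC-SHA256) and the single-use challenge are this example's choices."""
import hashlib
import hmac
import secrets
from typing import Dict

CHALLENGE_BITS = 64


def compute_response(shared_secret: bytes, challenge: int) -> str:
    """The function both sides apply: f(challenge) = HMAC(secret, challenge)."""
    msg = challenge.to_bytes(CHALLENGE_BITS // 8, "big")
    return hmac.new(shared_secret, msg, hashlib.sha256).hexdigest()


class Authenticator:
    """System side: issues a fresh random challenge and checks the reply."""

    def __init__(self, user_secrets: Dict[str, bytes]) -> None:
        self._secrets = user_secrets
        self._pending: Dict[str, int] = {}   # at most one outstanding challenge per user

    def issue_challenge(self, user: str) -> int:
        challenge = secrets.randbelow(1 << CHALLENGE_BITS)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop(): the challenge is consumed whether or not the answer is right,
        # so the same response can never be accepted twice.
        challenge = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(compute_response(secret, challenge), response)


class Token:
    """User side: a card or program that holds the secret and answers challenges."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret

    def answer(self, challenge: int) -> str:
        return compute_response(self._secret, challenge)


def demo_replay(secret: bytes = b"constructed-shared-secret") -> Dict[str, bool]:
    """Genuine login, a replay of the captured response, and a wrong-secret attempt."""
    auth = Authenticator({"alice": secret})
    token = Token(secret)

    c1 = auth.issue_challenge("alice")
    captured = token.answer(c1)               # what a sniffer on the wire would see
    genuine = auth.verify("alice", captured)  # correct answer to a live challenge

    auth.issue_challenge("alice")             # next login: new random challenge
    replayed = auth.verify("alice", captured) # stale response, rejected

    c3 = auth.issue_challenge("alice")
    forged = auth.verify("alice", Token(b"wrong-secret").answer(c3))

    return {"genuine": genuine, "replayed": replayed, "forged": forged}


if __name__ == "__main__":
    print(demo_replay())
```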
Biometrics
Yet another variation on the use of passwords for authentication involves the use of biometric measures. Palm or hand readers are commonly used to secure physical access. These readers match stored parameters against what is being read from hand-reader pads. The parameters can include temperature maps, finger length, finger width and line patterns. But devices for biometric measures are currently too large and expensive to be used for normal computer authentication.
PROGRAM AND SYSTEM THREATS
Trojan Horse
- A Trojan horse is a code segment that misuses its environment.
- A Trojan is a type of malware that masquerades as a legitimate file or helpful program, possibly with the purpose of granting a hacker unauthorized access to a computer.
- According to a survey conducted by BitDefender from January to June 2009, Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.
Trojan Horse
- Long search paths, such as are common on UNIX systems, exacerbate the Trojan horse problem. For instance, the use of the "." character in a search path tells the shell to include the current directory in the search. So if a user A has "." in his search path, has set his current directory to user B's directory, and enters a normal system command, the command would be executed from user B's directory instead. The program would run on user B's domain, allowing the program to do anything that the user is allowed to do, including deleting files.
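A check for the search-path hazard just described, added here and not part of the slides: it flags PATH entries that make the shell search the current directory (an explicit "." or, in POSIX shells, an empty element) or a relative location, optionally flags directories other users can write to, and returns a cleaned PATH. The sample PATH value is constructed.

```python
"""Audit a PATH value for entries that let a planted program shadow a system command:
".", empty elements (POSIX shells read these as the current directory), relative
entries, and optionally world-writable directories. Sample PATH is constructed."""
import os
import stat
from typing import List, Tuple

SEP = ":"                         # UNIX PATH separator, the case the slide discusses
Finding = Tuple[int, str, str]    # (position, entry, reason)


def path_findings(path_value: str, check_fs: bool = False) -> List[Finding]:
    findings: List[Finding] = []
    for pos, entry in enumerate(path_value.split(SEP)):
        if entry == "":
            findings.append((pos, entry, "empty element: shell searches the current directory"))
        elif entry == ".":
            findings.append((pos, entry, "current directory is searched for commands"))
        elif not os.path.isabs(entry):
            findings.append((pos, entry, "relative entry depends on the working directory"))
        elif check_fs and os.path.isdir(entry):
            # Anyone who can write here can drop a program named after a common command.
            if os.stat(entry).st_mode & stat.S_IWOTH:
                findings.append((pos, entry, "world-writable directory"))
    return findings


def harden_path(path_value: str, check_fs: bool = False) -> str:
    """Drop every flagged entry, keeping the order of the remaining absolute ones."""
    bad = {pos for pos, _, _ in path_findings(path_value, check_fs)}
    kept = [e for pos, e in enumerate(path_value.split(SEP)) if pos not in bad]
    return SEP.join(kept)


# Constructed example: user A's PATH with the hazards the slide describes.
RISKY_PATH = ".:/usr/local/bin:/usr/bin::/bin:bin"

if __name__ == "__main__":
    for pos, entry, reason in path_findings(RISKY_PATH):
        print(f"entry {pos} {entry!r}: {reason}")
    print("hardened:", harden_path(RISKY_PATH))
```

Passing `check_fs=True` against the live environment (`os.environ["PATH"]`) adds the filesystem check, which the constructed sample does not exercise.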
A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include:
- Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks)
- Electronic money theft
- Data theft (e.g. retrieving passwords or credit card information)
- Installation of software, including third-party malware
- Downloading or uploading of files on the user's computer
- Modification or deletion of files
- Crashing the computer
- Anonymizing Internet viewing
Popular Trojan Horses
- Netbus
- Subseven or Sub7
- Y3K Remote Administration Tool
- Back Orifice
- Beast
- Zeus
- The Blackhole Exploit Kit
- Flashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message, and exited; the user was then provided with a genuine login prompt.
Trapdoor
A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A trap door is a secret entry point into a program that allows someone to gain access without going through the normal methods of access authentication.
Trapdoors can be included in the compiler as well. The compiler could generate standard object code as well as a trapdoor, regardless of the source code being compiled.
Trapdoors pose a difficult problem, since to detect them we have to analyze all the source code for all components of a system.
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow
Stack and Buffer Overflow
Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. It can be used by the unauthorized user for privilege escalation.
Buffer overflow attacks are especially pernicious, as they can be run within a system and travel over allowed communications channels. They can even bypass the security added by firewalls.
Stack and Buffer Overflow
The attacker exploits a bug in the program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case, the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1. Overflow an input field, command-line argument, or input buffer until it writes into the stack
2. Overwrite the current return address on the stack with the address of the exploit code loaded in the next step
3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program, unlike a worm, which is structured as a complete standalone program.
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents contain so-called macros, which are Visual Basic programs.
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's email contact list. It just clogged users' inboxes and email systems, but was relatively harmless.
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms spread:
- independently of human action
- usually by utilizing a security hole in a piece of software
- by scanning a network for another machine that has a specific security hole, then copying themselves to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. These attacks are network based. They fall into two categories:
1. An attack that uses so many facility resources that, in essence, no work can be done
2. An attack that disrupts the network facility of the computer
It is impossible to prevent denial-of-service attacks. Frequently it is difficult to determine if a system slowdown is due to a surge in use or to an attack.
Implementing Security Defences
Implementing Security Defences
MAJOR Techniques:
- Defense in Depth
- Security Policy
- Vulnerability Assessment
- Intrusion Detection
- Virus Protection
Cryptography as a Security Tool
- Broadest security tool available
- Source and destination of messages cannot be trusted without cryptography
- Means to constrain potential senders (sources) and/or receivers (destinations) of messages
- Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity and Availability.
Formal policy models:
- Confidentiality policy model
- Integrity policy model
- Hybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Methods for breaching security
Attackers use several methods in their attempts to breach securityA The most common is Masquerading in which one participant in a
communication pretends to be someone else(another host or a person)By masquerading attackers breach authentication the correctness of identification they can gain access that they would not normally be allowed or escalate their privileges- obtain privileges to which they would not normally be entitled
B Another common attack is to replay a captured exchange of data A Replay Attack consists of the malicious or fraudulent repeat of a valid data transmission Sometimes the replay comprises of the entire attack- for example in a repeat of a request to transfer money But frequently it is done along with message modification again to escalate privileges
C Yet another kind of attack is the man-in-the-middle attack in which the attacker sits in the data flow of a communication masquerading as the sender to the receiver and vice versa In a network communication a man in the middle attack may be preceded by a session hijacking in which an active communication session is intercepted
To protect a system we must take security measures at four levels1)Physical The site or sites containing the computer systems must be physically secured against armed or superstitious entry by intruders
2)Human Authorization must be done carefully to assure that only appropriate users have access to the system
3)Operating System The system must protect itself from accidental or purposeful security breaches
4)Network Much computer data in modern systems travels over private leased lines shared lines like the internet wireless connections or dial-up lines Intercepting these data could be just as harmful as breaking into a computer and interruption of communications could constitute a remote denial-of-service attack diminishing users use of and trust in the system
User Authentication
If a system can not authenticate a user then authenticating that a message came from the user is pointlessThus a major security problem for operating systems is user authenticationSo how do we determine whether a users identity is authentic
Generally user authentication is based on one or more of three things1)The users possession of something- a card or a key2)The users knowledge of something- a user identifier and a password3)An attribute of the user- fingerprint retina pattern or signature
Authentication using Passwords
The most commmon approach to authenticate a user identity is the use of Passwords When the user identifies himself by user ID or account name he is asked for a passowrdIf the user-supplied password matches the password stored in the system the system assumes that the account is being accessed by the owner of the account
Different passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Passwords [Contd]
Passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Unfortunately passwords can often be guessed accidentally exposed sniffed or illegally transferred from an authorized user to an unauthorized one
Password Vulnerabilities
There are three common ways to guess a password
1 One way is for the intruder to know the user or to have information about the user All too frequently people use obvious information as their passwords
2 The other way is to use brute force trying enumeration- or all possible combinations of valid password characters until the password is found Short passwords are especially vulnerable to this methodEnumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters
3Passwords can also be exposed as a result of visual or electronic monitoring
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computerUNIX system uses encryption to avoid the necessity of keeping its password list secret
Each user has a password The system contains a function that is extremely difficult-impossible to invert but easy to compute This function is used to encode all the passwords Only encoded passwords are stored When a user presents a password it is encoded and compared against the stored encoded password Even if the stored encoded password be seen it can not be decoded so the password cant be determined Thus the password file does not need to be kept secret
One-Time PasswordsThis approach can be generalized to the use of an algorithm as a password The algorithm might be an integer function for example The system selects a random integer and presents it to the user The user applies a function and replies with the correct result The system also applies the same function If the two results match access is allowed
BiometricsYet another variation on the use of passwords for authentication involves the use of biometric measures Palm or hand readers are commonly used to secure physical access These readers match stored parameters against what is being read from hand-reader pads The parameters can include temperature maps finger length finger width and line patterns But devices for biometric measures are currently too large and expensive to be used for normal computer authentication
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms Spread
• independently of human action
• usually by utilizing a security hole in a piece of software
• by scanning a network for another machine that has a specific security hole, then copying itself to the new machine using that security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. These attacks are network based. They fall into 2 categories:
1. An attack that uses so many facility resources that, in essence, no work can be done.
2. An attack that disrupts the network facility of the computer.
It is impossible to prevent Denial of Service attacks. Frequently it is difficult to determine if a system slowdown is due to a surge in use or an attack.
Implementing Security Defences
Implementing Security Defences: MAJOR Techniques
• Defense in Depth
• Security Policy
• Vulnerability Assessment
• Intrusion Detection
• Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity and Availability.
Formal policy models
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection [Contd]
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity, like what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and a signature being applied in the IDS for detecting the threat. During this lag time the IDS will be unable to identify the threat.
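The two detection techniques side by side, as an added example that is not part of the original presentation. Both detectors run over the same constructed connection records (the log format, the baseline traffic, the live traffic and the two signatures are all made up for this illustration). The point it adds to the slides: the signature detector catches the two connections whose payload matches a known pattern, while the anomaly detector catches the unusual port and the oversized transfer, one of which has no signature at all, which is the "lag" problem in practice.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed connection records in the form "src dst dport bytes payload".
# Nothing here is real traffic; it exists only to exercise the two detectors.
BASELINE_LOG = """\
10.0.0.5 10.0.0.10 80 1200 GET /index.html HTTP/1.1
10.0.0.6 10.0.0.10 80 980 GET /about.html HTTP/1.1
10.0.0.5 10.0.0.11 443 2100 TLS-handshake
10.0.0.7 10.0.0.10 80 1500 GET /news HTTP/1.1
10.0.0.6 10.0.0.11 443 1900 TLS-handshake
10.0.0.8 10.0.0.10 80 1100 GET /contact HTTP/1.1
"""

LIVE_LOG = """\
10.0.0.5 10.0.0.10 80 1300 GET /index.html HTTP/1.1
10.0.0.9 10.0.0.10 23 300 login root
10.0.0.6 10.0.0.10 80 95000 POST /upload HTTP/1.1
10.0.0.7 10.0.0.10 80 1000 GET /cgi-bin/x?cmd=;/bin/sh HTTP/1.1
"""

# Constructed signatures: a name and a regular expression over the payload.
SIGNATURES = {
    "shell-metachar-in-url": re.compile(r";\s*/bin/sh"),
    "telnet-root-login": re.compile(r"^login root$"),
}


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: str


def parse_log(text):
    """Turn the whitespace-separated records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes, payload = line.split(maxsplit=4)
        events.append(Event(src, dst, int(dport), int(nbytes), payload))
    return events


def signature_detect(events):
    """Signature-based: flag every event whose payload matches a known pattern.
    Returns (signature name, event) pairs in log order."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev.payload):
                hits.append((name, ev))
    return hits


def build_baseline(events):
    """Anomaly-based, learning phase: which destination ports are normal and
    how large a connection normally is (mean and sample standard deviation)."""
    sizes = [ev.nbytes for ev in events]
    return {
        "ports": {ev.dport for ev in events},
        "mean": statistics.mean(sizes),
        "stdev": statistics.stdev(sizes),
    }


def anomaly_detect(events, baseline, k=3.0):
    """Anomaly-based, detection phase: flag a port never seen during the
    baseline, or a transfer more than k standard deviations above the mean.
    Returns (reason, event) pairs; an event is reported at most once."""
    limit = baseline["mean"] + k * baseline["stdev"]
    hits = []
    for ev in events:
        if ev.dport not in baseline["ports"]:
            hits.append((f"unseen destination port {ev.dport}", ev))
        elif ev.nbytes > limit:
            hits.append((f"{ev.nbytes} bytes exceeds baseline limit {limit:.0f}", ev))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    live = parse_log(LIVE_LOG)
    for name, ev in signature_detect(live):
        print(f"SIGNATURE {name}: {ev.src} -> {ev.dst}:{ev.dport}")
    for reason, ev in anomaly_detect(live, baseline):
        print(f"ANOMALY   {reason}: {ev.src} -> {ev.dst}:{ev.dport}")
```

Running it shows the complementary coverage: the 95000-byte upload matches no signature and is found only by the baseline comparison, the `/cgi-bin` request is a normal-sized request on a normal port and is found only by its signature, and the telnet login on port 23 trips both. A real anomaly detector would keep a per-host or per-service baseline rather than one global mean; the single threshold here is the simplest version of the idea.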
Virus Protection
The problem of viruses can be dealt with by using antivirus software. They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program. The best protection against viruses is the method of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to manually update it.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services: only authorized traffic is allowed
• Auditing and controlling access: can implement alarms for abnormal behavior
• Itself immune to penetration
• Provides perimeter defence
Firewalls Aren't Perfect
• Useless against attacks from the inside
  - Evildoer exists on inside
  - Malicious code is executed on an internal machine
• Organizations with greater insider threat: Banks and Military
• Protection must exist at each layer: assess risks of threats at every layer
• Cannot protect against transfer of all virus-infected programs or files, because of the huge range of OS & file types
• Can be spoofed and tunneled
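The "only authorized traffic is allowed" and "alarms for abnormal behavior" bullets above, as an added example that is not part of the original presentation. It is a toy packet filter: a constructed rule set is evaluated first-match-wins with a default deny, every decision is recorded as an audit trail, and a source address that keeps getting denied raises an alarm. The addresses, rules and packets are all made up for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed rule set: first matching rule wins, and anything that matches
# no rule is dropped (default deny), so only explicitly authorized traffic passes.
# Fields: action, protocol, source network, destination network, destination port.
RULES = [
    ("allow", "tcp", "0.0.0.0/0",   "10.0.0.10/32", 443),   # public HTTPS
    ("allow", "tcp", "10.0.0.0/24", "10.0.0.0/24",  22),    # internal SSH only
    ("allow", "udp", "10.0.0.0/24", "10.0.0.53/32", 53),    # internal DNS only
]
DEFAULT_ACTION = "deny"


def match(rule, proto, src, dst, dport):
    """True when the packet falls inside every field of the rule."""
    action, r_proto, r_src, r_dst, r_port = rule
    return (
        r_proto == proto
        and ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
        and r_port == dport
    )


def decide(rules, proto, src, dst, dport):
    """Return the action for one packet: the first matching rule, else the default."""
    for rule in rules:
        if match(rule, proto, src, dst, dport):
            return rule[0]
    return DEFAULT_ACTION


def filter_packets(rules, packets):
    """Decide every packet and return (decision, packet) pairs: the audit trail."""
    return [(decide(rules, *pkt), pkt) for pkt in packets]


def alarms(audit, threshold=3):
    """Alarm on abnormal behaviour: every source address with at least
    `threshold` denied packets in the audit trail."""
    denied = Counter(pkt[1] for decision, pkt in audit if decision == "deny")
    return sorted(src for src, n in denied.items() if n >= threshold)


# Constructed packets: (protocol, source, destination, destination port).
PACKETS = [
    ("tcp", "203.0.113.5", "10.0.0.10", 443),  # allowed: public HTTPS
    ("tcp", "10.0.0.7",    "10.0.0.10", 22),   # allowed: internal SSH
    ("tcp", "203.0.113.5", "10.0.0.10", 22),   # denied: SSH from outside
    ("tcp", "203.0.113.5", "10.0.0.10", 23),   # denied: no rule at all
    ("tcp", "203.0.113.5", "10.0.0.10", 21),   # denied: no rule at all
    ("udp", "203.0.113.5", "10.0.0.53", 53),   # denied: DNS only for internal
]

if __name__ == "__main__":
    audit = filter_packets(RULES, PACKETS)
    for decision, (proto, src, dst, dport) in audit:
        print(f"{decision:5} {proto} {src} -> {dst}:{dport}")
    print("alarm sources:", alarms(audit))
```

The default-deny fall-through is what turns the rule list into "only authorized traffic"; a rule list that ended in an allow-all would turn it into a blocklist instead. The alarm function is deliberately simple (count of denies per source), which is enough to surface the outside host probing four different ports in the sample.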
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
To protect a system, we must take security measures at four levels:
1) Physical: The site or sites containing the computer systems must be physically secured against armed or surreptitious entry by intruders.
2) Human: Authorization must be done carefully to assure that only appropriate users have access to the system.
3) Operating System: The system must protect itself from accidental or purposeful security breaches.
4) Network: Much computer data in modern systems travels over private leased lines, shared lines like the Internet, wireless connections, or dial-up lines. Intercepting these data could be just as harmful as breaking into a computer, and interruption of communications could constitute a remote denial-of-service attack, diminishing users' use of and trust in the system.
User Authentication
If a system cannot authenticate a user, then authenticating that a message came from the user is pointless. Thus a major security problem for operating systems is user authentication. So how do we determine whether a user's identity is authentic?
Generally, user authentication is based on one or more of three things:
1) The user's possession of something: a card or a key
2) The user's knowledge of something: a user identifier and a password
3) An attribute of the user: fingerprint, retina pattern, or signature
Authentication using Passwords
The most common approach to authenticate a user identity is the use of passwords. When the user identifies himself by user ID or account name, he is asked for a password. If the user-supplied password matches the password stored in the system, the system assumes that the account is being accessed by the owner of the account.
Different passwords may be associated with different access rights. But in practice most systems require only one password for a user to gain full rights.
Passwords [Contd]
Unfortunately, passwords can often be guessed, accidentally exposed, sniffed, or illegally transferred from an authorized user to an unauthorized one.
Password Vulnerabilities
There are three common ways to guess a password:
1. One way is for the intruder to know the user or to have information about the user. All too frequently, people use obvious information as their passwords.
2. The other way is to use brute force, trying enumeration, or all possible combinations of valid password characters, until the password is found. Short passwords are especially vulnerable to this method. Enumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters.
3. Passwords can also be exposed as a result of visual or electronic monitoring.
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computer. The UNIX system uses encryption to avoid the necessity of keeping its password list secret.
Each user has a password. The system contains a function that is extremely difficult (ideally impossible) to invert but easy to compute. This function is used to encode all the passwords. Only encoded passwords are stored. When a user presents a password, it is encoded and compared against the stored encoded password. Even if the stored encoded password is seen, it cannot be decoded, so the password cannot be determined. Thus the password file does not need to be kept secret.
One-Time Passwords
This approach can be generalized to the use of an algorithm as a password. The algorithm might be an integer function, for example. The system selects a random integer and presents it to the user. The user applies a function and replies with the correct result. The system also applies the same function. If the two results match, access is allowed.
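Both mechanisms from the two slides above (the stored one-way encoding of a password, and the challenge-response one-time password), as an added example that is not part of the original presentation. The one-way function is PBKDF2-HMAC-SHA256 from the Python standard library, the "algorithm the user applies" is an HMAC keyed with a secret shared at enrollment, and the in-memory dict standing in for the password file, the per-user salt and the constant-time comparison are additions beyond what the slides describe.

```python
import hashlib
import hmac
import os
import secrets

# Constructed password store: username -> (salt, encoded password). A real
# system would persist this; the slides' point is that it need not be secret.
ITERATIONS = 200_000


def encode_password(password, salt):
    """The one-way function of the slides: easy to compute, infeasible to invert.
    The per-user salt (an addition beyond the slides) means two users with the
    same password get different stored values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(store, username, password):
    """Store only the encoded password, never the password itself."""
    salt = os.urandom(16)
    store[username] = (salt, encode_password(password, salt))


def verify_password(store, username, password):
    """Encode the presented password and compare it with the stored encoding.
    hmac.compare_digest takes the same time wherever the two values differ,
    so timing does not leak how many leading bytes matched."""
    if username not in store:
        # Do the same work for an unknown name so its cost matches a wrong password.
        encode_password(password, b"\x00" * 16)
        return False
    salt, stored = store[username]
    return hmac.compare_digest(encode_password(password, salt), stored)


# One-time password as challenge-response. The function both sides apply is an
# HMAC over the challenge, keyed with a secret shared when the token was issued,
# so the secret never crosses the wire and a captured reply answers only the
# challenge it was computed for.

def new_challenge():
    """System side: pick a random integer and present it to the user."""
    return secrets.randbelow(2**32)


def otp_response(shared_secret, challenge):
    """User side (for example a hardware token): apply the function to the challenge."""
    return hmac.new(shared_secret, challenge.to_bytes(4, "big"), "sha256").hexdigest()


def otp_verify(shared_secret, challenge, response):
    """System side: apply the same function and compare the two results."""
    expected = otp_response(shared_secret, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    store = {}
    enroll(store, "alice", "correct horse battery staple")
    print(verify_password(store, "alice", "correct horse battery staple"))  # True
    print(verify_password(store, "alice", "wrong"))                         # False

    secret = os.urandom(32)                       # shared when the token is issued
    c = new_challenge()
    r = otp_response(secret, c)                   # computed by the user's token
    print(otp_verify(secret, c, r))               # True
    print(otp_verify(secret, (c + 1) % 2**32, r)) # False: old reply, new challenge
```

The last line is the property that makes this a one-time password: replaying an observed reply fails because the system never asks the same question twice, so the sniffing problem from the password slides does not apply to the reply itself. What the shared secret protects against is guessing; what the challenge protects against is replay.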
Biometrics
Yet another variation on the use of passwords for authentication involves the use of biometric measures. Palm or hand readers are commonly used to secure physical access. These readers match stored parameters against what is being read from hand-reader pads. The parameters can include temperature maps, finger length, finger width, and line patterns. But devices for biometric measures are currently too large and expensive to be used for normal computer authentication.
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
• A Trojan horse is a code segment that misuses its environment.
• A Trojan is a type of malware that masquerades as a legitimate file or helpful program, possibly with the purpose of granting a hacker unauthorized access to a computer.
• According to a survey conducted by BitDefender from January to June 2009, Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.
Trojan Horse
• Long search paths, such as are common on UNIX systems, exacerbate the Trojan horse problem. For instance, the use of the "." character in a search path tells the shell to include the current directory in the search. So if user A has "." in his search path, has set his current directory to user B's directory, and enters a normal system command, the command would be executed from user B's directory instead. The program would run in user B's domain, allowing the program to do anything that the user is allowed to do, including deleting files.
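The search-path problem from the bullet above, as an added example that is not part of the original presentation. It models the shell's command lookup over a constructed miniature filesystem, shows a command resolving to a look-alike program in the current directory when "." comes first in PATH, and provides the audit and cleanup a defender wants. The filesystem, directory names and PATH strings are all made up for the illustration; the one fact it relies on beyond the slide is that POSIX shells treat an empty PATH entry (a leading, trailing or doubled colon) exactly like ".".

```python
# Constructed miniature filesystem: directory -> names of executables in it.
# /home/userB stands for user B's directory, which holds a program that
# carries the name of the common command "ls".
FILESYSTEM = {
    "/bin": {"ls", "cat"},
    "/usr/bin": {"vi"},
    "/home/userB": {"ls"},          # the look-alike program planted by user B
}


def is_risky(entry):
    """A PATH entry that makes the shell search the current directory ("." or
    an empty entry) or that is relative to it (no leading "/")."""
    return entry in ("", ".") or not entry.startswith("/")


def resolve_command(path, name, cwd, fs=FILESYSTEM):
    """Mimic the shell's lookup: walk PATH left to right and return the full
    location of the first `name` found, or None. "." and empty entries are
    searched as `cwd`, so the answer depends on where the user happens to be."""
    for entry in path.split(":"):
        directory = cwd if entry in ("", ".") else entry
        if name in fs.get(directory, set()):
            return f"{directory}/{name}"
    return None


def risky_path_entries(path):
    """Audit a PATH string and report the entries a user should remove."""
    return [e for e in path.split(":") if is_risky(e)]


def sanitize_path(path):
    """Drop the risky entries so every command resolves to an absolute location."""
    return ":".join(e for e in path.split(":") if not is_risky(e))


if __name__ == "__main__":
    unsafe = ".:/bin:/usr/bin"
    print(resolve_command(unsafe, "ls", cwd="/home/userB"))          # /home/userB/ls
    print(risky_path_entries(unsafe))                                # ['.']
    print(resolve_command(sanitize_path(unsafe), "ls", cwd="/home/userB"))  # /bin/ls
```

Putting "." last instead of first protects the common commands but still runs a program from the current directory whenever a name is not found in the system directories (a mistyped command, for instance), which is why the audit flags "." wherever it appears rather than only at the front.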
A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include:
• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-Service attacks)
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Crashing the computer
• Anonymizing Internet viewing
Popular Trojan Horses
Netbus, Subseven or Sub7, Y3K Remote Administration Tool, Back Orifice, Beast, Zeus, The Blackhole Exploit Kit, Flashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message, and exited; the user was then provided with a genuine login prompt.
Trapdoor
Trapdoor
A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A trap door is a secret entry point into a program that allows someone to gain access without the normal methods of access authentication.
Trapdoors can be included in the compiler as well. The compiler could generate standard object code as well as a trapdoor, regardless of the source code being compiled.
Trapdoors pose a difficult problem, since to detect them we have to analyze all the source code for all components of a system.
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow
Stack and Buffer Overflow
Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. This can be used by the unauthorised user for privilege escalation.
Buffer overflow attacks are especially pernicious, as they can be run within a system and travel over allowed communications channels. They can even bypass the security added by firewalls.
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
User Authentication
If a system can not authenticate a user then authenticating that a message came from the user is pointlessThus a major security problem for operating systems is user authenticationSo how do we determine whether a users identity is authentic
Generally user authentication is based on one or more of three things1)The users possession of something- a card or a key2)The users knowledge of something- a user identifier and a password3)An attribute of the user- fingerprint retina pattern or signature
Authentication using Passwords
The most commmon approach to authenticate a user identity is the use of Passwords When the user identifies himself by user ID or account name he is asked for a passowrdIf the user-supplied password matches the password stored in the system the system assumes that the account is being accessed by the owner of the account
Different passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Passwords [Contd]
Passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Unfortunately passwords can often be guessed accidentally exposed sniffed or illegally transferred from an authorized user to an unauthorized one
Password Vulnerabilities
There are three common ways to guess a password
1 One way is for the intruder to know the user or to have information about the user All too frequently people use obvious information as their passwords
2 The other way is to use brute force trying enumeration- or all possible combinations of valid password characters until the password is found Short passwords are especially vulnerable to this methodEnumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters
3Passwords can also be exposed as a result of visual or electronic monitoring
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computerUNIX system uses encryption to avoid the necessity of keeping its password list secret
Each user has a password The system contains a function that is extremely difficult-impossible to invert but easy to compute This function is used to encode all the passwords Only encoded passwords are stored When a user presents a password it is encoded and compared against the stored encoded password Even if the stored encoded password be seen it can not be decoded so the password cant be determined Thus the password file does not need to be kept secret
One-Time PasswordsThis approach can be generalized to the use of an algorithm as a password The algorithm might be an integer function for example The system selects a random integer and presents it to the user The user applies a function and replies with the correct result The system also applies the same function If the two results match access is allowed
BiometricsYet another variation on the use of passwords for authentication involves the use of biometric measures Palm or hand readers are commonly used to secure physical access These readers match stored parameters against what is being read from hand-reader pads The parameters can include temperature maps finger length finger width and line patterns But devices for biometric measures are currently too large and expensive to be used for normal computer authentication
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's e-mail contact list. It just clogged users' inboxes and e-mail systems, but was relatively harmless.
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms spread:
• independently of human action;
• usually by exploiting a security hole in a piece of software;
• by scanning a network for another machine that has a specific security hole and copying themselves to the new machine through that hole.
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and for subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. These attacks are network based. They fall into two categories:
1. An attack that uses so many facility resources that, in essence, no work can be done.
2. An attack that disrupts the network facility of the computer.
It is impossible to prevent Denial of Service attacks. Frequently it is difficult to determine whether a system slowdown is due to a surge in use or an attack.
Implementing Security Defences
Major techniques:
• Defense in Depth
• Security Policy
• Vulnerability Assessment
• Intrusion Detection
• Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity and Availability.
Formal policy models:
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection [Contd]
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and its signature being applied in the IDS to detect it. During this lag time your IDS will be unable to identify the threat.
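The two detection techniques run side by side over a handful of connection records, as an added example (not part of the slides); the signatures, baseline figures and sample records are all constructed for illustration. It also shows the signature lag the text mentions: the connection to port 6667 matches no signature and is caught only by the anomaly check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One observed connection summary. The samples below are constructed for
 * this example, not captured traffic. */
struct conn {
    const char *src;
    int dst_port;
    int bytes;
    const char *payload;
};

/* --- Signature-based detection: a fixed list of known-bad patterns. --- */
static const char *signatures[] = {
    "../../",      /* directory traversal probe */
    "<script>",    /* script injection probe */
};
#define NSIG (sizeof signatures / sizeof signatures[0])

/* Returns the index of the first signature found in the payload, or -1.
 * A brand-new attack has no entry here: that gap is the detection lag. */
int signature_match(const char *payload) {
    for (size_t i = 0; i < NSIG; i++)
        if (strstr(payload, signatures[i]) != NULL) return (int)i;
    return -1;
}

/* --- Statistical anomaly detection: compare against a learned baseline. --- */
struct baseline {
    const int *ports;       /* ports this site normally talks to */
    size_t nports;
    double mean_bytes;      /* typical payload size ... */
    double stddev_bytes;    /* ... and its spread */
};

/* Baseline values are constructed; a real IDS learns them from history. */
static const int normal_ports[] = {22, 80, 443};
static const struct baseline site_baseline = {normal_ports, 3, 400.0, 150.0};

bool is_anomalous(const struct conn *c, const struct baseline *b) {
    bool known_port = false;
    for (size_t i = 0; i < b->nports; i++)
        if (c->dst_port == b->ports[i]) known_port = true;
    /* z-score: how many standard deviations above the usual size */
    double z = (c->bytes - b->mean_bytes) / b->stddev_bytes;
    return !known_port || z > 3.0;
}

/* Verdict: 0 = allow, 1 = signature alert, 2 = anomaly alert */
int classify(const struct conn *c) {
    if (signature_match(c->payload) >= 0) return 1;
    if (is_anomalous(c, &site_baseline)) return 2;
    return 0;
}

/* Constructed sample connections. */
static const struct conn samples[] = {
    {"10.0.0.5",   443,  350, "GET /index.html"},           /* normal */
    {"10.0.0.7",    80,  420, "GET /../../etc/hosts"},      /* matches a signature */
    {"10.0.0.9",  6667,  380, "NICK bot42"},                /* no signature, odd port */
    {"10.0.0.11",   80, 2400, "POST /upload (2400 bytes)"}, /* no signature, huge size */
    {"10.0.0.5",    22,  300, "SSH-2.0-client"},            /* normal */
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Verdict for the i-th constructed sample, -1 if out of range. */
int classify_sample(size_t i) {
    return i < NSAMPLES ? classify(&samples[i]) : -1;
}

int main(void) {
    static const char *names[] = {"allow", "SIGNATURE", "ANOMALY"};
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-10s port %-5d %5d bytes -> %s\n", samples[i].src,
               samples[i].dst_port, samples[i].bytes, names[classify(&samples[i])]);
    return 0;
}
```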
Virus Protection
The problem of viruses can be dealt with by using antivirus software. They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program. The best protection against viruses is the method of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to update it manually.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
• only authorized traffic is allowed
Auditing and controlling access
• can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence
Firewalls Aren't Perfect
Useless against attacks from the inside
• Evildoer exists on the inside
• Malicious code is executed on an internal machine
Organizations with greater insider threat
• Banks and Military
Protection must exist at each layer
• Assess risks of threats at every layer
Cannot protect against transfer of all virus-infected programs or files
• because of the huge range of OS & file types
Can be spoofed and tunneled
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
Authentication using Passwords
The most common approach to authenticating a user's identity is the use of passwords. When the user identifies himself by user ID or account name, he is asked for a password. If the user-supplied password matches the password stored in the system, the system assumes that the account is being accessed by the owner of the account.
Different passwords may be associated with different access rights. But in practice, most systems require only one password for a user to gain full rights.
Passwords [Contd]
Unfortunately, passwords can often be guessed, accidentally exposed, sniffed, or illegally transferred from an authorized user to an unauthorized one.
Password Vulnerabilities
There are three common ways to guess a password:
1. One way is for the intruder to know the user or to have information about the user. All too frequently, people use obvious information as their passwords.
2. The other way is to use brute force, trying enumeration, or all possible combinations of valid password characters, until the password is found. Short passwords are especially vulnerable to this method. Enumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters.
3. Passwords can also be exposed as a result of visual or electronic monitoring.
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computer. The UNIX system uses encryption to avoid the necessity of keeping its password list secret.
Each user has a password. The system contains a function that is extremely difficult (ideally impossible) to invert but easy to compute. This function is used to encode all the passwords. Only encoded passwords are stored. When a user presents a password, it is encoded and compared against the stored encoded password. Even if the stored encoded password is seen, it cannot be decoded, so the password cannot be determined. Thus the password file does not need to be kept secret.
One-Time Passwords
This approach can be generalized to the use of an algorithm as a password. The algorithm might be an integer function, for example. The system selects a random integer and presents it to the user. The user applies a function and replies with the correct result. The system also applies the same function. If the two results match, access is allowed.
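The challenge-response exchange described above, as an added example in C (not from the slides) with both the system's and the user's side, including why a captured answer cannot be reused. SHARED_SECRET, the function f and the challenge generator are stand-ins I chose; f is a placeholder for a keyed cryptographic function and is not one a real system should use.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Shared secret that parameterises the user's "algorithm used as a password".
 * Constructed value for illustration. */
#define SHARED_SECRET 0x5eed1234abcd9876ULL

/* f(challenge): the function both sides apply. This is the splitmix64
 * finalizer, used here only as a placeholder for a keyed cryptographic
 * function such as an HMAC; it is NOT hard to invert. */
static uint64_t f(uint64_t challenge, uint64_t secret) {
    uint64_t z = challenge ^ secret;
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* --- system side --- */
#define MAX_OUTSTANDING 16
static uint64_t outstanding[MAX_OUTSTANDING];   /* issued, not yet answered */
static int n_outstanding = 0;
static uint64_t next_challenge = 1;              /* stand-in for a CSPRNG draw */

/* Step 1: the system selects a challenge and presents it to the user. */
uint64_t issue_challenge(void) {
    uint64_t c = next_challenge++ * 0x9e3779b97f4a7c15ULL;   /* distinct per login */
    if (n_outstanding < MAX_OUTSTANDING) outstanding[n_outstanding++] = c;
    return c;
}

/* Step 3: the system applies the same function and compares. The challenge
 * is consumed whether or not the answer is right, so a captured response
 * cannot be replayed and one challenge cannot be guessed at repeatedly. */
bool server_verify(uint64_t challenge, uint64_t response) {
    for (int i = 0; i < n_outstanding; i++) {
        if (outstanding[i] == challenge) {
            outstanding[i] = outstanding[--n_outstanding];   /* consume it */
            return f(challenge, SHARED_SECRET) == response;
        }
    }
    return false;   /* never issued, or already used */
}

/* --- user side --- */
/* Step 2: the user applies the function and replies with the result. */
uint64_t client_respond(uint64_t challenge, uint64_t user_secret) {
    return f(challenge, user_secret);
}

/* Whole exchange: issue -> respond -> verify. True if access is allowed. */
bool run_login(uint64_t user_secret) {
    uint64_t c = issue_challenge();
    uint64_t r = client_respond(c, user_secret);
    return server_verify(c, r);
}

/* A captured (challenge, response) pair sent a second time. */
bool replay_is_accepted(void) {
    uint64_t c = issue_challenge();
    uint64_t r = client_respond(c, SHARED_SECRET);
    (void)server_verify(c, r);          /* the genuine login succeeds */
    return server_verify(c, r);         /* the replay: challenge already consumed */
}

int main(void) {
    printf("honest user:   %s\n", run_login(SHARED_SECRET) ? "allowed" : "denied");
    printf("wrong secret:  %s\n", run_login(SHARED_SECRET ^ 1ULL) ? "allowed" : "denied");
    printf("replayed pair: %s\n", replay_is_accepted() ? "allowed" : "denied");
    return 0;
}
```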
Biometrics
Yet another variation on the use of passwords for authentication involves the use of biometric measures. Palm or hand readers are commonly used to secure physical access. These readers match stored parameters against what is being read from hand-reader pads. The parameters can include temperature maps, finger length, finger width and line patterns. But devices for biometric measures are currently too large and expensive to be used for normal computer authentication.
PROGRAM AND SYSTEM THREATS
Trojan Horse
• A Trojan horse is a code segment that misuses its environment.
• A Trojan is a type of malware that masquerades as a legitimate file or helpful program, possibly with the purpose of granting a hacker unauthorized access to a computer.
• According to a survey conducted by BitDefender from January to June 2009, Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.
Trojan Horse [Contd]
• Long search paths, such as are common on UNIX systems, exacerbate the Trojan horse problem. For instance, the use of the "." character in a search path tells the shell to include the current directory in the search. So if user A has "." in his search path, has set his current directory to user B's directory, and enters a normal system command, the command would be executed from user B's directory instead. The program would run in user B's domain, allowing the program to do anything that the user is allowed to do, including deleting files.
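A defensive check for the search-path problem just described, added here as an example (not from the slides): it scans a PATH string for ".", empty and other relative entries, the cases that make a command resolve from whatever directory the user happens to be in. The function names are mine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An entry is unsafe if it is ".", empty (which the shell also treats as
 * the current directory), or any other relative path, since all of these
 * make "which program runs" depend on the directory the user is sitting in. */
static bool entry_is_unsafe(const char *start, size_t len) {
    if (len == 0) return true;                      /* "" from "::" or a trailing ":" */
    if (len == 1 && start[0] == '.') return true;   /* "." */
    return start[0] != '/';                         /* "bin", "./bin", "../x" */
}

/* Counts unsafe entries in a colon-separated PATH string. Parsed by hand
 * rather than with strtok(), which silently merges adjacent ':' separators
 * and would hide the empty-entry case. */
int count_unsafe_path_entries(const char *path) {
    int unsafe = 0;
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (entry_is_unsafe(p, len)) unsafe++;
        if (!colon) break;
        p = colon + 1;
    }
    return unsafe;
}

bool path_is_safe(const char *path) {
    return count_unsafe_path_entries(path) == 0;
}

int main(void) {
    const char *path = getenv("PATH");
    if (!path) { puts("PATH is unset"); return 0; }
    int n = count_unsafe_path_entries(path);
    printf("%d unsafe entr%s in PATH=%s\n", n, n == 1 ? "y" : "ies", path);
    return n == 0 ? 0 : 1;
}
```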
A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include:
• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-Service attacks)
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Crashing the computer
• Anonymizing Internet viewing
Popular Trojan Horses
Netbus, Subseven or Sub7, Y3K Remote Administration Tool, Back Orifice, Beast, Zeus, The Blackhole Exploit Kit, Flashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message and exited; the user was then provided with a genuine login prompt.
Trapdoor
A Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A Trap Door is a secret entry point into a program that allows someone to gain access without going through the normal methods of access authentication.
Trapdoors can be included in the compiler as well. The compiler could generate standard object code as well as a trapdoor, regardless of the source code being compiled.
Trapdoors pose a difficult problem, since to detect them we have to analyze all the source code for all components of a system.
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Passwords [Contd]
Passwords may be associated with different access rights But in practice most systems require only one password for a user to gain full rights
Unfortunately passwords can often be guessed accidentally exposed sniffed or illegally transferred from an authorized user to an unauthorized one
Password Vulnerabilities
There are three common ways to guess a password
1 One way is for the intruder to know the user or to have information about the user All too frequently people use obvious information as their passwords
2 The other way is to use brute force trying enumeration- or all possible combinations of valid password characters until the password is found Short passwords are especially vulnerable to this methodEnumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters
3Passwords can also be exposed as a result of visual or electronic monitoring
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computerUNIX system uses encryption to avoid the necessity of keeping its password list secret
Each user has a password The system contains a function that is extremely difficult-impossible to invert but easy to compute This function is used to encode all the passwords Only encoded passwords are stored When a user presents a password it is encoded and compared against the stored encoded password Even if the stored encoded password be seen it can not be decoded so the password cant be determined Thus the password file does not need to be kept secret
One-Time PasswordsThis approach can be generalized to the use of an algorithm as a password The algorithm might be an integer function for example The system selects a random integer and presents it to the user The user applies a function and replies with the correct result The system also applies the same function If the two results match access is allowed
BiometricsYet another variation on the use of passwords for authentication involves the use of biometric measures Palm or hand readers are commonly used to secure physical access These readers match stored parameters against what is being read from hand-reader pads The parameters can include temperature maps finger length finger width and line patterns But devices for biometric measures are currently too large and expensive to be used for normal computer authentication
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms spread:
• independently of human action
• usually by utilizing a security hole in a piece of software
• by scanning a network for another machine that has a specific security hole and copying themselves to the new machine using that security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. These attacks are network based. They fall into two categories:
1. An attack that uses so many facility resources that, in essence, no work can be done.
2. An attack that disrupts the network facility of the computer.
It is impossible to prevent denial-of-service attacks. Frequently it is difficult to determine whether a system slowdown is due to a surge in use or to an attack.
Implementing Security Defences
Implementing Security Defences: Major Techniques
• Defense in Depth
• Security Policy
• Vulnerability Assessment
• Intrusion Detection
• Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity and Availability.
Formal policy models:
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection [Contd.]
All intrusion detection systems use one of two detection techniques:
Statistical anomaly-based IDS: A statistical anomaly-based IDS determines normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected that is anomalous (not normal).
Signature-based IDS: A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and a signature for it being applied in the IDS. During this lag time the IDS will be unable to identify the threat.
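As an added illustration of the two techniques (not part of the original slides), the following Python runs a small signature rule set and a per-source requests-per-minute baseline over a constructed access log. The log lines, the signature patterns, the threshold factor and the function names are all assumptions made up for this example.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample log, not taken from the slides: "<source-ip> <HH:MM:SS> <request>".
# Minute 10:00 is ordinary traffic; minute 10:01 adds a traversal attempt and a burst
# of requests from one source.
SAMPLE_LOG = [
    "10.0.0.2 10:00:05 GET /index.html",
    "10.0.0.2 10:00:40 GET /about.html",
    "10.0.0.3 10:00:10 GET /index.html",
    "10.0.0.3 10:00:30 GET /news.html",
    "10.0.0.3 10:00:55 GET /contact.html",
    "10.0.0.4 10:00:20 GET /index.html",
    "10.0.0.4 10:00:50 GET /faq.html",
    "10.0.0.5 10:01:03 GET /../../etc/passwd",
    "10.0.0.2 10:01:15 GET /index.html",
] + [f"10.0.0.9 10:01:{sec:02d} GET /login" for sec in range(20, 32)]

Event = Tuple[str, str, str]  # (source ip, HH:MM:SS, request line)


def parse(lines: Iterable[str]) -> List[Event]:
    """Split each log line into (ip, timestamp, request); malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) == 3:
            events.append((parts[0], parts[1], parts[2]))
    return events


# Signature-based detection: known attack patterns matched against every request.
# Anything not in this table (a brand-new technique) is invisible to this detector,
# which is the lag the slide describes.
SIGNATURES = {
    "path-traversal": re.compile(r"(^|/)\.\./"),
    "passwd-read": re.compile(r"/etc/passwd\b"),
}


def signature_alerts(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (ip, timestamp, signature name) for every request matching a known pattern."""
    alerts = []
    for ip, ts, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((ip, ts, name))
    return alerts


# Statistical anomaly-based detection: learn what a normal per-source request rate
# looks like from the first minute of the log, then flag sources far above it later.
def per_source_per_minute(events: List[Event]) -> Dict[str, Dict[str, int]]:
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ip, ts, _ in events:
        counts[ts[:5]][ip] += 1  # bucket key is "HH:MM"
    return counts


def anomaly_alerts(events: List[Event], factor: float = 3.0) -> List[Tuple[str, str, int]]:
    """Return (ip, minute, count) for sources exceeding factor x the baseline rate."""
    counts = per_source_per_minute(events)
    minutes = sorted(counts)
    if not minutes:
        return []
    baseline = statistics.median(counts[minutes[0]].values())  # typical requests/minute/source
    alerts = []
    for minute in minutes[1:]:
        for ip, n in counts[minute].items():
            if n > factor * baseline:
                alerts.append((ip, minute, n))
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("signature alerts:", signature_alerts(evts))
    print("anomaly alerts:", anomaly_alerts(evts))
```

The burst from 10.0.0.9 carries no known signature and is caught only by the rate baseline, while the traversal request is a single ordinary-rate line caught only by the signatures.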
Virus Protection
The problem of viruses can be dealt with by using antivirus software. It works by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When it finds a known pattern, it removes the instructions, disinfecting the program. The best protection against viruses is the method of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to update it manually.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL?
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services: only authorized traffic is allowed
• Auditing and controlling access: can implement alarms for abnormal behavior
• Itself immune to penetration
• Provides perimeter defence
Firewalls Aren't Perfect
• Useless against attacks from the inside: an evildoer exists on the inside, or malicious code is executed on an internal machine
• Organizations with greater insider threat: banks and military
• Protection must exist at each layer: assess risks of threats at every layer
• Cannot protect against transfer of all virus-infected programs or files, because of the huge range of OS and file types
• Can be spoofed and tunneled
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
Password Vulnerabilities
There are three common ways to guess a password:
1. One way is for the intruder to know the user or to have information about the user. All too frequently, people use obvious information as their passwords.
2. The other way is to use brute force: trying enumeration, or all possible combinations of valid password characters, until the password is found. Short passwords are especially vulnerable to this method. Enumeration is less successful where systems allow longer passwords that include both uppercase and lowercase letters along with all numbers and punctuation characters.
3. Passwords can also be exposed as a result of visual or electronic monitoring.
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computer. The UNIX system uses encryption to avoid the necessity of keeping its password list secret.
Each user has a password. The system contains a function that is extremely difficult (ideally impossible) to invert but easy to compute. This function is used to encode all the passwords. Only encoded passwords are stored. When a user presents a password, it is encoded and compared against the stored encoded password. Even if the stored encoded password is seen, it cannot be decoded, so the password cannot be determined. Thus the password file does not need to be kept secret.
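An added example of the scheme just described, not from the original slides: each password is run through a salted, deliberately slow one-way function (PBKDF2 from Python's standard library, standing in for the UNIX encoder) and only the encoded form is stored. The user names, passwords and the PasswordFile class are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# The one-way function: PBKDF2-HMAC-SHA256, salted and iterated so that it is cheap
# to compute once per login but expensive to invert by enumerating guesses.
ITERATIONS = 100_000
SALT_BYTES = 16


def encode_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored form 'iterations$salt$hash' (salt and hash as hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-encode the presented password with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class PasswordFile:
    """Holds only encoded passwords, as the password file in the slides' scheme does."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def add_user(self, user: str, password: str) -> None:
        self._entries[user] = encode_password(password)

    def stored_form(self, user: str) -> str:
        return self._entries[user]

    def login(self, user: str, password: str) -> bool:
        stored = self._entries.get(user)
        if stored is None:
            # Encode anyway so an unknown user costs the same time as a wrong password.
            encode_password(password)
            return False
        return verify_password(password, stored)


def build_sample_file() -> PasswordFile:
    # Constructed users; note that two users share the same password.
    pf = PasswordFile()
    pf.add_user("alice", "correct horse battery staple")
    pf.add_user("bob", "correct horse battery staple")
    return pf
```

Because every entry has its own salt, alice's and bob's stored forms differ even though their passwords are identical, so someone who reads the file cannot spot shared passwords or reuse one precomputed table of encodings against all users.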
One-Time Passwords
This approach can be generalized to the use of an algorithm as a password. The algorithm might be an integer function, for example. The system selects a random integer and presents it to the user. The user applies a function and replies with the correct result. The system also applies the same function. If the two results match, access is allowed.
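The challenge-response exchange described above, as an added example that is not part of the original slides: the random integer becomes a random 16-byte challenge, and the function both sides apply is an HMAC under a per-user shared secret rather than a plain integer function. The class names, user name and enrolled secret are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set


def response_for(shared_secret: bytes, challenge: bytes) -> bytes:
    """The function both sides apply: HMAC-SHA256 of the challenge under the shared secret.
    Only the challenge and this result ever cross the wire; the secret does not."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class ChallengeVerifier:
    """System side: knows each user's secret and issues a fresh challenge per login attempt."""

    def __init__(self, secrets_by_user: Dict[str, bytes]) -> None:
        self._secrets = dict(secrets_by_user)
        self._pending: Dict[str, bytes] = {}   # user -> challenge awaiting an answer
        self._spent: Set[bytes] = set()        # challenges already answered (replay defence)

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)    # the slides' "random integer"
        self._pending[user] = challenge
        return challenge

    def check_response(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if challenge is None or secret is None or challenge in self._spent:
            return False
        self._spent.add(challenge)
        return hmac.compare_digest(response_for(secret, challenge), response)


class Token:
    """User side: a token or app holding the same secret; it answers but never reveals it."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret

    def answer(self, challenge: bytes) -> bytes:
        return response_for(self._secret, challenge)


def run_login(verifier: ChallengeVerifier, user: str, token: Token) -> bool:
    """One complete exchange: challenge out, response back, verdict."""
    challenge = verifier.issue_challenge(user)
    return verifier.check_response(user, token.answer(challenge))


# Constructed enrolment for the example: one user with a random shared secret.
ALICE_SECRET = secrets.token_bytes(32)
```

A response captured by an eavesdropper is worthless afterwards: the next login gets a different challenge, and the verifier refuses an answer to a challenge it is no longer waiting on.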
Biometrics
Yet another variation on the use of passwords for authentication involves the use of biometric measures. Palm or hand readers are commonly used to secure physical access. These readers match stored parameters against what is being read from hand-reader pads. The parameters can include temperature maps, finger length, finger width and line patterns. But devices for biometric measures are currently too large and expensive to be used for normal computer authentication.
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
• A Trojan horse is a code segment that misuses its environment.
• A Trojan is a type of malware that masquerades as a legitimate file or helpful program, possibly with the purpose of granting a hacker unauthorized access to a computer.
• According to a survey conducted by BitDefender from January to June 2009, Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.
Trojan Horse
• Long search paths, such as are common on UNIX systems, exacerbate the Trojan horse problem. For instance, the use of the "." character in a search path tells the shell to include the current directory in the search. So if a user A has "." in his search path, has set his current directory to user B's directory, and enters a normal system command, the command would be executed from user B's directory instead. The program would run in user B's domain, allowing the program to do anything that the user is allowed to do, including deleting files.
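An added check for this problem (not from the original slides): audit a PATH-style string for entries that make the shell search the current directory, report whether such an entry is searched before the system directories, and produce the usual hardened path with only absolute directories. The function names and sample PATH strings are assumptions for the example.

```python
import os
import stat
from typing import List

# Both an empty entry and "." mean "look in the current working directory".
CURRENT_DIR_ENTRIES = ("", ".")


def audit_search_path(path_value: str) -> List[str]:
    """Return one finding per risky entry in a PATH-style string (os.pathsep separated)."""
    findings = []
    for pos, entry in enumerate(path_value.split(os.pathsep)):
        if entry in CURRENT_DIR_ENTRIES:
            findings.append(f"entry {pos}: {entry!r} makes the shell search the current directory")
        elif not os.path.isabs(entry):
            findings.append(f"entry {pos}: relative entry {entry!r} resolves against the current directory")
        elif os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            # A world-writable directory without the sticky bit lets anyone plant a
            # program there, which is the same exposure by another route.
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(f"entry {pos}: {entry} is world-writable")
    return findings


def current_dir_searched_first(path_value: str) -> bool:
    """True when the first entry is the current directory (or relative to it), so a
    same-named program in the directory the user has moved into shadows the real command."""
    first = path_value.split(os.pathsep)[0]
    return not os.path.isabs(first)


def hardened_path(path_value: str) -> str:
    """Keep only absolute directories; this removes the current-directory lookup entirely."""
    return os.pathsep.join(e for e in path_value.split(os.pathsep) if os.path.isabs(e))


if __name__ == "__main__":
    # Audit the live environment of the process running this script.
    for finding in audit_search_path(os.environ.get("PATH", "")):
        print(finding)
```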
A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include:
• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks)
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Crashing the computer
• Anonymizing Internet viewing
Popular Trojan Horses
• Netbus
• Subseven or Sub7
• Y3K Remote Administration Tool
• Back Orifice
• Beast
• Zeus
• The Blackhole Exploit Kit
• Flashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message and exited; the user was then provided with a genuine login prompt.
Trapdoor
Trapdoor
A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A trap door is a secret entry point into a program that allows someone to gain access without going through the normal methods of access authentication.
Trapdoors can be included in the compiler as well. The compiler could generate standard object code as well as a trapdoor, regardless of the source code being compiled.
Trapdoors pose a difficult problem, since to detect them we have to analyze all the source code for all components of a system.
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow
Stack and Buffer Overflow
Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. This can be used by the unauthorised user for privilege escalation.
Buffer overflow attacks are especially pernicious, as they can be run within a system and travel over allowed communications channels. They can even bypass the security added by firewalls.
Stack and Buffer Overflow
The attacker exploits a bug in the program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1. Overflow an input field, command-line argument, or input buffer until it writes into the stack.
2. Overwrite the current return address on the stack with the address of the exploit code loaded in the next step.
3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell).
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Encrypted Passwords
One problem with all these approaches is the difficulty of keeping the passwords secret within the computerUNIX system uses encryption to avoid the necessity of keeping its password list secret
Each user has a password The system contains a function that is extremely difficult-impossible to invert but easy to compute This function is used to encode all the passwords Only encoded passwords are stored When a user presents a password it is encoded and compared against the stored encoded password Even if the stored encoded password be seen it can not be decoded so the password cant be determined Thus the password file does not need to be kept secret
One-Time PasswordsThis approach can be generalized to the use of an algorithm as a password The algorithm might be an integer function for example The system selects a random integer and presents it to the user The user applies a function and replies with the correct result The system also applies the same function If the two results match access is allowed
BiometricsYet another variation on the use of passwords for authentication involves the use of biometric measures Palm or hand readers are commonly used to secure physical access These readers match stored parameters against what is being read from hand-reader pads The parameters can include temperature maps finger length finger width and line patterns But devices for biometric measures are currently too large and expensive to be used for normal computer authentication
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.

In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.

Intrusion Detection [Contd]
All intrusion detection systems use one of two detection techniques:

Statistical anomaly-based IDS
A statistical anomaly-based IDS determines what normal network activity looks like (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and alerts the administrator or user when traffic is detected that is anomalous (not normal).

Signature-based IDS
A signature-based IDS monitors packets on the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and a signature for it being applied in the IDS. During this lag time the IDS will be unable to identify the threat.
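The two techniques side by side, as an added illustration that is not code from the slides: the traffic records, the learned baseline and the signature set are all constructed here, and the third sample shows the signature lag the text describes (a new attack with no signature yet is caught only by the anomaly detector, while an attack that looks statistically normal is caught only by its signature).

```python
"""Two toy detectors, one per IDS technique: signature matching and
statistical anomaly detection over small constructed traffic records.
A real IDS works on live packets; these work on records carrying a
destination port, a byte count and a short text payload.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    dst_port: int
    nbytes: int
    payload: str


# Constructed "normal" traffic, used to learn what the network usually does.
BASELINE = [
    Event("10.0.0.5", 443, 1200, "GET /index.html"),
    Event("10.0.0.6", 443, 1350, "GET /about.html"),
    Event("10.0.0.7", 80, 900, "GET /"),
    Event("10.0.0.5", 53, 80, "A www.example.test"),
    Event("10.0.0.8", 443, 1100, "POST /login"),
    Event("10.0.0.6", 53, 75, "AAAA www.example.test"),
]

# Constructed signature set: patterns of attacks that are already known.
SIGNATURES = {
    "known-worm-probe": re.compile(r"worm-probe-v\d+"),
}


class SignatureIDS:
    """Compares each payload against pre-determined attack patterns."""

    def __init__(self, signatures):
        self.signatures = signatures

    def inspect(self, ev):
        return [name for name, rx in self.signatures.items() if rx.search(ev.payload)]


class AnomalyIDS:
    """Learns the normal ports and sizes, alerts on traffic that deviates."""

    def __init__(self, baseline, z=3.0):
        self.known_ports = {e.dst_port for e in baseline}
        sizes = [e.nbytes for e in baseline]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes)
        self.z = z  # how many standard deviations count as "not normal"

    def inspect(self, ev):
        reasons = []
        if ev.dst_port not in self.known_ports:
            reasons.append(f"unseen destination port {ev.dst_port}")
        if self.stdev and abs(ev.nbytes - self.mean) / self.stdev > self.z:
            reasons.append(f"size {ev.nbytes} far from baseline mean {self.mean:.0f}")
        return reasons


# Constructed test traffic: one normal request, one attack with a known
# signature, and one new attack for which no signature exists yet.
SAMPLES = {
    "normal": Event("10.0.0.9", 443, 1250, "GET /index.html"),
    "known": Event("203.0.113.4", 443, 1180, "GET /worm-probe-v2"),
    "novel": Event("203.0.113.7", 2323, 60000, "HELO something-new"),
}


def run(samples=SAMPLES):
    """Return {name: (signature alerts, anomaly alerts)} for each sample."""
    sig = SignatureIDS(SIGNATURES)
    anom = AnomalyIDS(BASELINE)
    return {name: (sig.inspect(ev), anom.inspect(ev)) for name, ev in samples.items()}


if __name__ == "__main__":
    for name, (s, a) in run().items():
        print(f"{name:7s} signature={s or '-'} anomaly={a or '-'}")
```

Neither detector alone covers all three samples, which is why deployments usually combine both.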
Virus Protection
The problem of viruses can be dealt with by using antivirus software. Such programs work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program. The best protection against viruses is the practice of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchange.

Anti-Virus Functions
Protection
Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates
Antivirus programs can update themselves, keeping your computer's protection up to date without you having to update it manually.
Further Protection
If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL?

A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
• only authorized traffic is allowed
Auditing and controlling access
• can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence

Firewalls Aren't Perfect

Useless against attacks from the inside
• Evildoer exists on the inside
• Malicious code is executed on an internal machine
Organizations with greater insider threat
• Banks and Military
Protection must exist at each layer
• Assess risks of threats at every layer
Cannot protect against transfer of all virus-infected programs or files
• because of the huge range of OS & file types
Can be spoofed and tunneled
Bibliography

Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google Images
Thank You
One-Time Passwords
This approach can be generalized to the use of an algorithm as a password. The algorithm might be an integer function, for example. The system selects a random integer and presents it to the user. The user applies a function and replies with the correct result. The system also applies the same function. If the two results match, access is allowed.
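The challenge-response exchange just described, as an added example that is not code from the slides: the slide's "function" is realised here as HMAC-SHA256 keyed with a per-user shared secret (an assumption; any function both sides can compute and an outsider cannot would serve), and the server keeps only one outstanding challenge per user so that a captured reply cannot be replayed.

```python
"""Challenge-response login: the system presents a random integer, the user
answers with f(secret, integer), the system computes the same value and
compares.  Shared function chosen here: HMAC-SHA256 (an assumption).
"""
import hashlib
import hmac
import secrets


def compute_response(key: bytes, challenge: int) -> str:
    """The shared function f(key, challenge) computed by both sides."""
    msg = challenge.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    def __init__(self, user_keys):
        self._keys = dict(user_keys)      # user -> shared secret
        self._pending = {}                # user -> challenge not yet answered

    def issue_challenge(self, user: str) -> int:
        # Random 64-bit integer presented to the user; fresh for every login.
        challenge = secrets.randbits(64)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # Pop, so the same challenge can never be accepted twice.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._keys:
            return False
        expected = compute_response(self._keys[user], challenge)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, response)


class Client:
    """Simulates the user (or the user's token) holding the shared secret."""

    def __init__(self, key: bytes):
        self._key = key

    def answer(self, challenge: int) -> str:
        return compute_response(self._key, challenge)


def demo():
    """Run three logins; returns (genuine, replay, wrong-key) outcomes."""
    alice_key = secrets.token_bytes(32)           # constructed secret
    server = ChallengeResponseServer({"alice": alice_key})

    # 1. Genuine login: fresh challenge, correct shared function.
    c = server.issue_challenge("alice")
    reply = Client(alice_key).answer(c)
    genuine = server.verify("alice", reply)

    # 2. Replay: an observer who recorded `reply` resends it at a new login.
    server.issue_challenge("alice")
    replay = server.verify("alice", reply)

    # 3. Wrong secret: right challenge, but the key is not known.
    c = server.issue_challenge("alice")
    wrong = server.verify("alice", Client(b"guess").answer(c))

    return genuine, replay, wrong


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```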
Biometrics
Yet another variation on the use of passwords for authentication involves the use of biometric measures. Palm or hand readers are commonly used to secure physical access. These readers match stored parameters against what is being read from hand-reader pads. The parameters can include temperature maps, finger length, finger width and line patterns. But devices for biometric measures are currently too large and expensive to be used for normal computer authentication.
PROGRAM AND SYSTEM THREATS

Trojan Horse

• A Trojan horse is a code segment that misuses its environment.
• A Trojan is a type of malware that masquerades as a legitimate file or helpful program, possibly with the purpose of granting a hacker unauthorized access to a computer.
• According to a survey conducted by BitDefender from January to June 2009, Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world.

Trojan Horse [Contd]
• Long search paths, such as are common on UNIX systems, exacerbate the Trojan horse problem. For instance, the use of the "." character in a search path tells the shell to include the current directory in the search. So if a user A has "." in his search path, has set his current directory to user B's directory, and enters a normal system command, the command would be executed from user B's directory instead. The program would run in user B's domain, allowing the program to do anything that the user is allowed to do, including deleting files.
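The search-path problem above, as an added illustration that is not code from the slides: a shell-style lookup is simulated over a constructed directory map so the effect of "." in PATH can be shown without touching a real machine, and a small checker flags the PATH entries that make command resolution depend on the current directory.

```python
"""Why "." in a search path is dangerous, and how to check a PATH for it.
The file system is a constructed dictionary (directory -> executables).
"""
from typing import Dict, List, Optional, Set

# Constructed layout: the real `ls` lives in /usr/bin; user B's home
# directory also contains a program called `ls`.
FAKE_FS: Dict[str, Set[str]] = {
    "/usr/bin": {"ls", "cat", "rm"},
    "/bin": {"sh"},
    "/home/B": {"ls"},
}


def resolve(command: str, path: str, cwd: str,
            fs: Dict[str, Set[str]] = FAKE_FS) -> Optional[str]:
    """Mimic a shell's lookup: the first PATH directory holding `command` wins.

    As in a POSIX shell, an empty entry (from a leading, trailing or doubled
    ':') means the current directory, exactly as "." does.
    """
    for entry in path.split(":"):
        directory = cwd if entry in ("", ".") else entry
        if command in fs.get(directory, set()):
            return f"{directory}/{command}"
    return None


def path_risks(path: str) -> List[str]:
    """One warning per PATH entry whose meaning depends on the current directory."""
    warnings = []
    for pos, entry in enumerate(path.split(":")):
        if entry == ".":
            warnings.append(f"entry {pos}: '.' searches the current directory")
        elif entry == "":
            warnings.append(f"entry {pos}: empty entry also means the current directory")
        elif not entry.startswith("/"):
            warnings.append(f"entry {pos}: relative path '{entry}' depends on cwd")
    return warnings


def demo():
    cwd = "/home/B"                 # user A has changed into B's directory
    safe = "/usr/bin:/bin"
    unsafe = ".:/usr/bin:/bin"      # "." first, the situation on the slide
    return {
        "safe_resolves": resolve("ls", safe, cwd),      # /usr/bin/ls
        "unsafe_resolves": resolve("ls", unsafe, cwd),  # /home/B/ls
        "safe_risks": path_risks(safe),
        "unsafe_risks": path_risks(unsafe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value}")
```

Putting "." last instead of first still leaves mistyped or missing commands to be resolved from the current directory, which is why the usual advice is to drop it from PATH entirely.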
A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include:
• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-Service attacks)
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Crashing the computer
• Anonymizing Internet viewing

Popular Trojan Horses
• Netbus
• Subseven or Sub7
• Y3K Remote Administration Tool
• Back Orifice
• Beast
• Zeus
• The Blackhole Exploit Kit
• Flashback Trojan
Login Emulator

An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message and exited; the user was then provided with a genuine login prompt.

Trapdoor

A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.

A trap door is a secret entry point into a program that allows someone to gain access without going through the normal methods of access authentication.

Trapdoors can be included in the compiler as well. The compiler could generate standard object code as well as a trapdoor, regardless of the source code being compiled.

Trapdoors pose a difficult problem, since to detect them we have to analyze all the source code for all components of a system.

Examples of Trapdoor

Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow

Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. This can also be used by an unauthorised user for privilege escalation.

Buffer overflow attacks are especially pernicious, as they can be run within a system and travel over allowed communications channels. They can even bypass the security added by firewalls.

Stack and Buffer Overflow [Contd]

The attacker exploits a bug in the program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1. Overflow an input field, command-line argument or input buffer until it writes into the stack.
2. Overwrite the current return address on the stack with the address of the exploit code loaded in the next step.
3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell).
Viruses

Computer Viruses

A virus is a fragment of code embedded in a legitimate program, unlike a worm, which is structured as a complete standalone program.

Spread Of Viruses

Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents contain so-called macros, which are Visual Basic programs.

Creeper Virus

The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can" was displayed. The Reaper program was created to delete Creeper.

Michelangelo Virus

On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.

Love Bug Virus

In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's email contact list. It just clogged users' inboxes and email systems, but was relatively harmless.
Worms

A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.

Worms Spread
• independently of human action
• usually by utilizing a security hole in a piece of software
• by scanning a network for another machine that has a specific security hole and copying themselves to the new machine using that hole

Morris Worm

Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.

Working of the Morris Worm

Denial of Service

Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.

It is easier than breaking into a machine. Such attacks are network based. They fall into 2 categories:
1. An attack that uses so many facility resources that, in essence, no work can be done
2. An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
PROGRAM AND SYSTEM THREATS
Trojan Horse
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Trojan Horse
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A trap door is a secret entry point into a program that allows someone to gain access without the normal methods of access authentication.
Trapdoors can be included in the compiler as well. The compiler could generate standard object code as well as a trapdoor, regardless of the source code being compiled.
Trapdoors pose a difficult problem, since to detect them we have to analyze all the source code for all components of a system.
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow
Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. This can be used by the unauthorised user for privilege escalation.
Buffer overflow attacks are especially pernicious, as they can be run within a system and travel over allowed communications channels. They can even bypass the security added by firewalls.
The attacker exploits a bug in the program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1. Overflow an input field, command line argument, or input buffer until it writes into the stack.
2. Overwrite the current return address on the stack with the address of the exploit code loaded in the next step.
3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell).
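The missing bounds check that step 1 relies on, shown as an added example (not from the slides or the textbook) beside a hardened version of the same field copy. FIELD_MAX and the sample inputs are constructed; the unsafe routine is there to be read and is never called with oversize input.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 16   /* hypothetical fixed-size input field */

/* VULNERABLE (for reading only): strcpy() keeps copying until it meets the
 * NUL in `src`, so any input of FIELD_MAX characters or more runs past
 * `field` into whatever sits above it on the stack, including the saved
 * return address. This is the absent bounds check the text describes. */
void store_field_unsafe(const char *src)
{
    char field[FIELD_MAX];
    strcpy(field, src);                 /* no length check at all */
    (void)field;
}

/* HARDENED: look for the terminator inside the destination size before
 * copying, reject oversize input instead of silently truncating it, and pass
 * the destination size as a parameter so the check cannot drift away from
 * the buffer it protects. Returns 0 on success, -1 if `src` does not fit. */
int store_field_safe(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);   /* reads at most dstsz bytes */
    if (nul == NULL)
        return -1;                                 /* no room for text plus NUL */
    memcpy(dst, src, (size_t)(nul - src) + 1);     /* exact length, NUL included */
    return 0;
}

/* The field as a caller would use it: a local buffer sized FIELD_MAX. */
int accept_field(const char *src)
{
    char field[FIELD_MAX];
    return store_field_safe(field, sizeof field, src);
}

int main(void)
{
    /* Constructed inputs: 15 characters fit; 16 or more are refused. */
    const char *ok  = "fifteen_chars!!";
    const char *bad = "this input is far longer than the field was written to hold";
    return (accept_field(ok) == 0 && accept_field(bad) == -1) ? 0 : 1;
}
```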
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program, unlike a worm, which is structured as a complete standalone program.
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents contain so-called macros, which are Visual Basic programs.
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's email contact list. It just clogged users' inboxes and email systems, but was relatively harmless.
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms spread:
• independently of human action
• usually by utilizing a security hole in a piece of software
• by scanning a network for another machine that has a specific security hole and copying itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial of service does not involve stealing of resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. These attacks are network based. They fall into two categories:
1. An attack that uses so many facility resources that, in essence, no work can be done.
2. An attack that disrupts the network facility of the computer.
It is impossible to prevent Denial of Service attacks. Frequently it is difficult to determine if a system slowdown is due to a surge in use or an attack.
Implementing Security Defences
Major Techniques
• Defense in Depth
• Security Policy
• Vulnerability Assessment
• Intrusion Detection
• Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity and Availability.
Formal policy models:
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
Intrusion Detection [Contd]
All intrusion detection systems use one of two detection techniques:
Statistical anomaly-based IDS: A statistical anomaly-based IDS determines normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS: A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature being applied in the IDS for detecting the threat. During this lag time your IDS will be unable to identify the threat.
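Both techniques run over a window of constructed connection records, as an added example that is not part of the slides: a signature match against a placeholder pattern list, and an anomaly check that learns the mean and variance of per-host connection counts from a baseline window and flags hosts more than k standard deviations above the mean. It also shows the lag case from the text: a host whose payload matches no signature yet is still caught by the anomaly rule. Hosts, counts, the signature strings and the k = 3 threshold are all assumptions.

```c
#include <stdio.h>
#include <string.h>

struct conn       { const char *src; const char *payload; };
struct host_count { const char *src; int n; };

/* Signature-based detection: does the payload contain a known pattern?
 * Returns the 1-based index of the first matching signature, 0 if none.
 * The patterns are placeholders, not real IDS signatures. */
static const char *const SIGNATURES[] = { "known-bad-pattern-A", "known-bad-pattern-B" };
int signature_match(const char *payload)
{
    for (size_t i = 0; i < sizeof SIGNATURES / sizeof SIGNATURES[0]; i++)
        if (strstr(payload, SIGNATURES[i]))
            return (int)i + 1;
    return 0;
}

/* Tally connections per source host in a window. Returns the host count. */
size_t count_by_host(const struct conn *w, size_t n, struct host_count *out, size_t cap)
{
    size_t hosts = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < hosts && strcmp(out[j].src, w[i].src) != 0)
            j++;
        if (j == hosts) {
            if (hosts == cap)
                continue;                 /* table full: drop the record */
            out[hosts].src = w[i].src;
            out[hosts].n = 0;
            hosts++;
        }
        out[j].n++;
    }
    return hosts;
}

/* Anomaly-based detection, step 1: learn mean and variance of per-host
 * connection counts from a window of traffic known to be normal. */
void learn_baseline(const struct host_count *hc, size_t h, double *mean, double *var)
{
    double sum = 0, sq = 0;
    for (size_t i = 0; i < h; i++) {
        sum += hc[i].n;
        sq  += (double)hc[i].n * hc[i].n;
    }
    *mean = h ? sum / h : 0;
    *var  = h ? sq / h - *mean * *mean : 0;
}

/* Step 2: flag every host whose count in a new window exceeds mean + k*sd.
 * The comparison is done on squares so no libm sqrt() is needed.
 * Returns the number of flagged hosts, written to `flagged`. */
size_t anomaly_hosts(const struct conn *w, size_t n, double mean, double var,
                     double k, const char **flagged, size_t cap)
{
    struct host_count hc[16];
    size_t h = count_by_host(w, n, hc, 16), found = 0;
    for (size_t i = 0; i < h && found < cap; i++) {
        double d = hc[i].n - mean;
        if (d > 0 && d * d > k * k * var)
            flagged[found++] = hc[i].src;
    }
    return found;
}

/* Constructed baseline: three hosts that normally make 4-6 connections per window. */
const struct host_count BASELINE[] = { {"10.0.0.1", 4}, {"10.0.0.2", 5}, {"10.0.0.3", 6} };
const size_t BASELINE_N = 3;

/* Constructed observation window: 10.0.0.4 sends a payload that matches a
 * signature; 10.0.0.9 makes far more connections than normal with a payload
 * the signature list has not been updated for yet. */
const struct conn WINDOW[] = {
    {"10.0.0.1", "normal"}, {"10.0.0.1", "normal"}, {"10.0.0.1", "normal"},
    {"10.0.0.2", "normal"}, {"10.0.0.2", "normal"}, {"10.0.0.2", "normal"},
    {"10.0.0.3", "normal"}, {"10.0.0.3", "normal"}, {"10.0.0.3", "normal"},
    {"10.0.0.4", "x known-bad-pattern-A x"},
    {"10.0.0.9", "novel"}, {"10.0.0.9", "novel"}, {"10.0.0.9", "novel"},
    {"10.0.0.9", "novel"}, {"10.0.0.9", "novel"}, {"10.0.0.9", "novel"},
    {"10.0.0.9", "novel"}, {"10.0.0.9", "novel"}, {"10.0.0.9", "novel"},
    {"10.0.0.9", "novel"}, {"10.0.0.9", "novel"}, {"10.0.0.9", "novel"},
};
const size_t WINDOW_N = sizeof WINDOW / sizeof WINDOW[0];

int main(void)
{
    double mean, var;
    const char *flagged[16];
    learn_baseline(BASELINE, BASELINE_N, &mean, &var);
    for (size_t i = 0; i < WINDOW_N; i++) {
        int sig = signature_match(WINDOW[i].payload);
        if (sig)
            printf("signature alert: %s matched signature %d\n", WINDOW[i].src, sig);
    }
    size_t f = anomaly_hosts(WINDOW, WINDOW_N, mean, var, 3.0, flagged, 16);
    for (size_t i = 0; i < f; i++)
        printf("anomaly alert: %s (baseline mean %.2f connections per host)\n",
               flagged[i], mean);
    return 0;
}
```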
Virus Protection
The problem of viruses can be dealt with by using antivirus software. They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program. The best protection against viruses is the method of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to manually update it.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
• only authorized traffic is allowed
Auditing and controlling access
• can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence
Firewalls Aren't Perfect
Useless against attacks from the inside
• Evildoer exists on inside
• Malicious code is executed on an internal machine
Organizations with greater insider threat
• Banks and Military
Protection must exist at each layer
• Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
• because of huge range of OS & file types
Can be spoofed and tunneled
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
Trojan Horse
bull A Trojan horse is a code segment that misuses its environment
bull A Trojan is a type of malware that masquerades as a legitimate file or helpful program possibly with the purpose of granting a hacker unauthorized access to a computer
bull According to a survey conducted by BitDefender from January to June 2009 Trojan-type malware is on the rise accounting for 83-percent of the global malware detected in the world
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Trojan Horse
bull Long search paths such as are common on UNIX systems exacerbate the Trojan horse problem For instance the use of ldquordquo character in a search path tells the shell to include the current directory in the search So if an user A has ldquordquo in his search path has set his current directory to user Brsquos directory and enters a normal system command the command would be executed from user Brsquos directory instead The program would run on user Brsquos domain allowing the program to do anything that the user is allowed to do including deleting files
A Trojan may give a hacker remote access to a targeted computer system Operations that could be performed by a hacker on a targeted computer system may include
Use of the machine as part of a botnet (eg to perform automated spamming or to distribute Denial-of-Service attacks)
Electronic Money theft Data Theft(eg retrieving passwords or credit card
information) Installation of software including third-party malware Downloading or uploading of files on the users
computer Modification deletion of files Crashing the Computer Anonymizing Internet Viewing
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection [Contd.]
All intrusion detection systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines what normal network activity looks like, such as what bandwidth is generally used, what protocols are used, and which ports and devices generally connect to each other, and alerts the administrator or user when anomalous (not normal) traffic is detected.
Signature-based IDS
A signature-based IDS monitors packets on the network and compares them with pre-configured, pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and a signature for it being applied in the IDS; during this lag time the IDS will be unable to identify the threat.
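As an added example (not from the original slides), a miniature of both techniques in C: a signature matcher over a hypothetical pattern list, and a statistical profile learned from constructed normal traffic, so that a connection carrying a pattern not yet in the signature set is still flagged by the anomaly detector. All connection records, ports and signature strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* One observed connection. Every record in this example is constructed. */
typedef struct { int dst_port; long bytes; const char *payload; } Conn;

/* Signature database: hypothetical stand-ins for real attack signatures. */
static const char *SIGNATURES[] = { "KNOWN-BAD-1", "KNOWN-BAD-2" };
#define NSIG (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Signature-based detection: 1-based index of the first signature found in
 * the payload, or 0 if none is present. A brand-new threat has no entry yet,
 * which is the lag the text describes. */
int signature_match(const Conn *c)
{
    for (size_t i = 0; i < NSIG; i++)
        if (strstr(c->payload, SIGNATURES[i]) != NULL)
            return (int)i + 1;
    return 0;
}

/* Profile of normal activity learned from clean traffic: ports in use and
 * the mean and variance of bytes per connection. */
typedef struct { int ports[16]; int nports; double mean_bytes, var_bytes; } Baseline;

static int port_known(const Baseline *b, int port)
{
    for (int i = 0; i < b->nports; i++)
        if (b->ports[i] == port)
            return 1;
    return 0;
}

/* Anomaly-based detection, training phase. Returns 0, or -1 if the traffic
 * uses more distinct ports than the profile can hold. */
int learn_baseline(const Conn *normal, int n, Baseline *b)
{
    double sum = 0.0, sumsq = 0.0;
    b->nports = 0;
    for (int i = 0; i < n; i++) {
        if (!port_known(b, normal[i].dst_port)) {
            if (b->nports == 16)
                return -1;
            b->ports[b->nports++] = normal[i].dst_port;
        }
        sum += (double)normal[i].bytes;
    }
    b->mean_bytes = sum / n;
    for (int i = 0; i < n; i++) {
        double d = (double)normal[i].bytes - b->mean_bytes;
        sumsq += d * d;
    }
    b->var_bytes = sumsq / n;
    return 0;
}

#define ANOM_PORT  1   /* destination port never seen in the baseline */
#define ANOM_BYTES 2   /* volume more than 3 standard deviations above the mean */

/* Anomaly-based detection, monitoring phase: bit flags describing how the
 * connection deviates from the baseline. Compares the squared deviation with
 * 9 * variance, so no square root (and no libm) is needed. */
int anomaly_flags(const Conn *c, const Baseline *b)
{
    int flags = 0;
    double d = (double)c->bytes - b->mean_bytes;
    if (!port_known(b, c->dst_port))
        flags |= ANOM_PORT;
    if (d > 0.0 && d * d > 9.0 * b->var_bytes)
        flags |= ANOM_BYTES;
    return flags;
}

/* Constructed clean traffic used to train the profile (mean 1040 bytes). */
static const Conn NORMAL[] = {
    { 80, 1000, "GET /index.html" }, { 443, 1200, "tls" }, { 80, 900, "GET /a" },
    { 443, 1100, "tls" }, { 80, 1000, "GET /b" },
};
#define NNORMAL ((int)(sizeof NORMAL / sizeof NORMAL[0]))

int main(void)
{
    Baseline b;
    /* Constructed test traffic: a known pattern on a normal port, a novel
     * pattern the signature set misses but the profile flags, and clean traffic. */
    const Conn tests[] = { { 80, 1000, "GET /x KNOWN-BAD-1" },
                           { 4444, 50000, "no known pattern here" },
                           { 443, 1050, "tls" } };
    learn_baseline(NORMAL, NNORMAL, &b);
    for (size_t i = 0; i < 3; i++)
        printf("conn %zu: signature=%d anomaly_flags=%d\n", i,
               signature_match(&tests[i]), anomaly_flags(&tests[i], &b));
    return 0;
}
```

The second test connection is the lag case from the text: no signature fires, and only the deviation from the learned profile (unknown port, excessive volume) produces an alert.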
Virus Protection
The problem of viruses can be dealt with by using antivirus software. It works by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When a known pattern is found, the instructions are removed, disinfecting the program. The best protection against viruses is the practice of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchanges.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer, or when something on your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to update it manually.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL?
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services
  - only authorized traffic is allowed
• Auditing and controlling access
  - can implement alarms for abnormal behavior
• Itself immune to penetration
• Provides perimeter defence
Firewalls Aren't Perfect
• Useless against attacks from the inside
  - Evildoer exists on the inside
  - Malicious code is executed on an internal machine
• Organizations with greater insider threat
  - Banks and military
• Protection must exist at each layer
  - Assess risks of threats at every layer
• Cannot protect against transfer of all virus-infected programs or files
  - because of the huge range of OS & file types
• Can be spoofed and tunneled
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
A Trojan may give a hacker remote access to a targeted computer system. Operations that could be performed by a hacker on a targeted computer system may include:
• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks)
• Electronic money theft
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Crashing the computer
• Anonymizing Internet viewing
Popular Trojan Horses
• Netbus
• SubSeven or Sub7
• Y3K Remote Administration Tool
• Back Orifice
• Beast
• Zeus
• The Blackhole Exploit Kit
• Flashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password. He tries again and is successful. What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief. The emulator stored away the password, printed out a login error message and exited; the user was then provided with a genuine login prompt.
Trapdoor
A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A trap door is a secret entry point into a program that allows someone to gain access without using the normal methods of access authentication.
Trapdoors can be included in the compiler as well: the compiler could generate standard object code as well as a trapdoor, regardless of the source code being compiled.
Trapdoors pose a difficult problem since, to detect them, we have to analyze all the source code for all components of a system.
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cent credited to their accounts. This account crediting can add up to a large sum of money, considering the number of transactions that a large bank executes.
Stack and Buffer Overflow
Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. It can also be used by an unauthorized user for privilege escalation.
Buffer overflow attacks are especially pernicious as they can be run within a system and travel over allowed communication channels. They can even bypass the security added by firewalls.
Stack and Buffer Overflow
The attacker exploits a bug in the program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1. Overflow an input field, command-line argument or input buffer until it writes into the stack
2. Overwrite the current return address on the stack with the address of the exploit code loaded in the next step
3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell)
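As an added example (not from the original slides), the bug behind step 1 in C beside its hardened form: a fixed-size input field filled by a copy with no bounds check, and the same copy with a length check that refuses oversize input. A sentinel placed directly after the field stands in for whatever the compiler put next on the stack (saved frame pointer, return address) and shows that the checked copy never reaches it. The field size and all inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16   /* size of the fixed input field (hypothetical program) */

/* The defect the text describes: a fixed-size stack buffer filled by a copy
 * with no bounds check. Any input of 16 or more bytes writes past 'field'
 * into whatever follows it on the stack. Shown only for contrast; the demo
 * calls it with a short string, never with untrusted input. */
int copy_field_unchecked(const char *input)
{
    char field[FIELD_LEN];
    strcpy(field, input);             /* no length check */
    return (int)strlen(field);
}

/* Hardened form: check the length before writing a single byte, reject
 * oversize input instead of silently truncating it, and take the destination
 * size as a parameter so the check cannot drift from the buffer declaration.
 * Returns 0 on success, -1 if the input plus its NUL does not fit. */
int copy_field_checked(char *dst, size_t dst_len, const char *input)
{
    size_t n = strlen(input);
    if (dst_len == 0 || n >= dst_len)
        return -1;                    /* would overflow: refuse the input */
    memcpy(dst, input, n + 1);        /* n bytes plus the terminating NUL */
    return 0;
}

/* Stand-in for "the next thing on the stack": a sentinel placed directly
 * after the field. An unchecked overflow would clobber it; the checked copy
 * leaves it intact and the field empty when the input is too long. */
typedef struct {
    char field[FIELD_LEN];
    unsigned sentinel;
} Frame;

#define SENTINEL 0xCAFEBABEu

/* Clears the frame, arms the sentinel and copies input with the checked
 * routine. Returns the copy's result code; f->sentinel can then be inspected. */
int fill_frame(Frame *f, const char *input)
{
    memset(f->field, 0, sizeof f->field);
    f->sentinel = SENTINEL;
    return copy_field_checked(f->field, sizeof f->field, input);
}

int main(void)
{
    Frame f;
    /* Constructed inputs: one that fits, one 40-byte field that does not. */
    const char *inputs[] = { "user01", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (int i = 0; i < 2; i++) {
        int rc = fill_frame(&f, inputs[i]);
        printf("input %d: rc=%d field=\"%s\" sentinel intact=%d\n",
               i, rc, f.field, f.sentinel == SENTINEL);
    }
    return 0;
}
```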
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program, unlike a worm, which is structured as a complete, standalone program.
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents contain so-called macros, which are Visual Basic programs.
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's email contact list. It just clogged users' inboxes and email systems, but was relatively harmless.
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms spread:
• independently of human action
• usually by utilizing a security hole in a piece of software
• by scanning a network for another machine that has a specific security hole and copying themselves to the new machine using that security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and for subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. They are network based. They fall into 2 categories:
1. An attack that uses so many facility resources that, in essence, no work can be done
2. An attack that disrupts the network facility of the computer
It is impossible to prevent denial of service attacks. Frequently it is difficult to determine whether a system slowdown is due to a surge in use or to an attack.
Implementing Security Defences
MAJOR Techniques:
• Defense in Depth
• Security Policy
• Vulnerability Assessment
• Intrusion Detection
• Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Popular Trojan Horses
NetbusSubseven or Sub7Y3K Remote Administration Tool Back OrificeBeastZeusThe Blackhole Exploit KitFlashback Trojan
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Login Emulator
An unsuspecting user logs in at a terminal and notices that he has apparently mistyped his password He tries again and is successful What has happened is that his authentication key and password have been stolen by the login emulator that was left running on the terminal by the thief The emulator stored away the password printed out a login error message and exited the user was then provided with a genuine login prompt
Trapdoor
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy models
Confidentiality policy model
Integrity policy model
Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection
Intrusion Detection [Contd]
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines what normal network activity looks like (what sort of bandwidth is generally used, what protocols are used, which ports and devices generally connect to each other) and alerts the administrator or user when traffic is detected that is anomalous (not normal).
Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and a signature for it being applied in the IDS. During this lag time the IDS will be unable to identify the threat.
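As an added illustration (not part of the slides), the two techniques are run side by side in C over a handful of constructed connection records: the signature strings and the "normal" history are made up for the example, not real IDS rules or traffic. It shows the complementary blind spots: a known pattern inside a normal-looking connection is caught only by the signature check, while a connection to a never-seen port or of abnormal size is caught only by the anomaly check.

```c
#include <stdio.h>
#include <string.h>

/* One connection summary, as a flow record or packet capture would give it.
 * Every record in this file is constructed for the example. */
typedef struct {
    int dst_port;
    int bytes;
    const char *payload;   /* leading printable bytes of the payload */
} conn_t;

/* Signature-based detection: patterns configured ahead of time. The strings
 * are placeholders invented for the example, not real IDS rules. */
static const char *const signatures[] = { "EXAMPLE-SIG-A", "EXAMPLE-SIG-B" };

int signature_match(const conn_t *c) {
    for (size_t i = 0; i < sizeof signatures / sizeof signatures[0]; i++) {
        if (strstr(c->payload, signatures[i]) != NULL) {
            return 1;
        }
    }
    return 0;   /* anything not yet in the list passes: the lag the slide warns about */
}

/* Anomaly-based detection: a profile of normal traffic learned from history,
 * here the ports usually contacted and the usual connection size. */
#define MAX_PORTS 16
typedef struct {
    int ports[MAX_PORTS];
    int nports;
    double mean_bytes;
    double var_bytes;      /* variance; compared squared, so no sqrt needed */
} baseline_t;

static int port_known(const baseline_t *b, int port) {
    for (int i = 0; i < b->nports; i++) {
        if (b->ports[i] == port) {
            return 1;
        }
    }
    return 0;
}

void learn_baseline(baseline_t *b, const conn_t *normal, int n) {
    double sum = 0.0, sumsq = 0.0;
    memset(b, 0, sizeof *b);
    for (int i = 0; i < n; i++) {
        if (!port_known(b, normal[i].dst_port) && b->nports < MAX_PORTS) {
            b->ports[b->nports++] = normal[i].dst_port;
        }
        sum += normal[i].bytes;
        sumsq += (double)normal[i].bytes * normal[i].bytes;
    }
    b->mean_bytes = sum / n;
    b->var_bytes = sumsq / n - b->mean_bytes * b->mean_bytes;
}

/* Flags a connection to a port never seen in normal traffic, or one whose
 * size is more than three standard deviations above the normal mean. */
int anomaly_match(const baseline_t *b, const conn_t *c) {
    double dev;
    if (!port_known(b, c->dst_port)) {
        return 1;
    }
    dev = c->bytes - b->mean_bytes;
    return dev > 0.0 && dev * dev > 9.0 * b->var_bytes;
}

/* Constructed "normal" history: web traffic on 443 and DNS on 53. */
static const conn_t NORMAL[] = {
    { 443, 1200, "GET /" }, { 443, 1400, "GET /" }, { 53, 120, "query" },
    { 443, 1300, "POST /" }, { 53, 110, "query" },
};

/* Classifies one record against the constructed baseline.
 * Bit 0 = signature hit, bit 1 = anomaly hit. */
int classify(int dst_port, int bytes, const char *payload) {
    baseline_t b;
    conn_t c = { dst_port, bytes, payload };
    learn_baseline(&b, NORMAL, (int)(sizeof NORMAL / sizeof NORMAL[0]));
    return signature_match(&c) | (anomaly_match(&b, &c) << 1);
}

int main(void) {
    static const char *const names[] = { "clean", "signature", "anomaly", "both" };
    printf("normal request     -> %s\n", names[classify(443, 1100, "GET /")]);
    printf("known pattern      -> %s\n", names[classify(443, 1250, "GET / EXAMPLE-SIG-A")]);
    printf("unseen port        -> %s\n", names[classify(4444, 300, "hello")]);
    printf("oversized transfer -> %s\n", names[classify(443, 90000, "GET /")]);
    return 0;
}
```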
Virus Protection
The problem of viruses can be dealt with by using antivirus software. Such programs work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program.
The best protection against viruses is safe computing: purchasing unopened software from a vendor and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer, or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to update it manually.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL?
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
• only authorized traffic is allowed
Auditing and controlling access
• can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence
Firewalls Aren't Perfect
Useless against attacks from the inside
• Evildoer exists on the inside
• Malicious code is executed on an internal machine
Organizations with greater insider threat
• Banks and Military
Protection must exist at each layer
• Assess risks of threats at every layer
Cannot protect against transfer of all virus-infected programs or files
• because of the huge range of OS & file types
Can be spoofed and tunneled
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
Trapdoor
Trapdoor
A trap door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using.
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer Overflow
Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. It can also be used by an unauthorised user for privilege escalation.
Buffer overflow attacks are especially pernicious, as they can be run within a system and travel over allowed communication channels. They can even bypass the security added by firewalls.
Stack and Buffer Overflow
The attacker exploits a bug in the program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1. Overflow an input field, command-line argument or input buffer until it writes into the stack.
2. Overwrite the current return address on the stack with the address of the exploit code loaded in the next step.
3. Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell).
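As an added illustration, not part of the slides: the missing bounds check the text describes, shown in C next to a checked version of the same input-field handling. FIELD_LEN, the function names and the sample arguments are constructed for the example; the unchecked copy is kept only for comparison and is never given over-long input here.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed input field on the stack (constructed for this example). */
#define FIELD_LEN 16

/* BEFORE (the defect the slide describes): strcpy stops only at the NUL byte
 * of value, so a value of FIELD_LEN bytes or more is written past the end of
 * 'field' into the adjacent stack contents, where saved registers and the
 * return address live. Shown for comparison; only ever called with in-range
 * input in this file. */
void copy_value_unchecked(char *field, const char *value) {
    strcpy(field, value);
}

/* AFTER: the length is compared with the buffer size before anything is
 * written. Returns 0 on success, -1 if the value does not fit (room is needed
 * for the terminating NUL). Rejecting rather than silently truncating tells
 * the caller the input was out of spec, which is also worth logging: repeated
 * over-long values on one field are a classic sign of someone probing for
 * exactly this bug. */
int copy_value_checked(char *field, size_t field_len, const char *value) {
    size_t n = strlen(value);
    if (n >= field_len) {
        return -1;
    }
    memcpy(field, value, n + 1);
    return 0;
}

/* Handles one "name=value" argument of the kind a command line or network
 * request might carry, parsing the value into a fixed stack buffer.
 * Returns the length of the accepted value, or -1 if the argument is
 * malformed or the value is too long. */
int handle_argument(const char *arg) {
    char field[FIELD_LEN];
    const char *eq = strchr(arg, '=');
    if (eq == NULL) {
        return -1;
    }
    if (copy_value_checked(field, sizeof field, eq + 1) != 0) {
        fprintf(stderr, "rejected: value for %.*s exceeds %d bytes\n",
                (int)(eq - arg), arg, FIELD_LEN - 1);
        return -1;
    }
    return (int)strlen(field);
}

int main(void) {
    char field[FIELD_LEN];
    /* In-range input behaves identically in both versions... */
    copy_value_unchecked(field, "alice");
    printf("unchecked copy: %s\n", field);
    /* ...the difference shows only on over-long input, which the checked
     * version refuses instead of writing past the buffer. */
    printf("user=alice      -> %d\n", handle_argument("user=alice"));
    printf("user=<15 bytes> -> %d\n", handle_argument("user=AAAAAAAAAAAAAAA"));
    printf("user=<16 bytes> -> %d\n", handle_argument("user=AAAAAAAAAAAAAAAA"));
    return 0;
}
```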
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents contain so-called macros, which are Visual Basic programs.
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's email contact list. It merely clogged users' inboxes and email systems, but was relatively harmless.
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Trapdoor
Trap Door is a type of security breach where the designer of a program or a system leaves a hole in the software that only he is capable of using
A Trap Door is a secret entry point into a program that allows someone to gain access without normal methods of access authentication
Trapdoors can be included in the compiler as well The compiler could generate standard object code as well as a trapdoor regardless of the source code being compiled
Trapdoors pose a difficult problem since to detect them we have to analyze all the source code for all components of a system
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Examples of Trapdoor
Programmers have been arrested for embezzling from banks by including rounding errors in their code and having the occasional half cents credited to their accounts This account crediting can add up to a large sum of money considering the number of transactions that a large bank executes
Stack and Buffer Overflow
Stack and Buffer OverflowStack or buffer overflow is the most common way for an attacker outside of the system on a network or dial-up connection to gain unauthorized access to the target system This be used by the unauthorised user for privilege escalation
Buffer overflow attacks are especially pernicious as it can be run within a system and travel over allowed communications channels They can even bypass the security added by firewalls
Stack and Buffer Overflow
The attacker exploits a bug in the program The bug can be a simple case of poor programming in which the programmer neglected to code bounds checking on an input field In this case the attacker sends more data than the program was expecting Using trial and error or by examination of the source code of the attacked program if it is available the attacker determines the vulnerability and writes a program to do the following1 Overflow an input field command line argument of input
buffer until it writes into the stack2 Overwrite the current return address on the stack with the
address of the exploit code loaded in the next step3 Write a simple setoff code for the next space in the stack
that includes the commands that the attacker wishes to execute (eg spawn a shell)
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection [Contd]
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature for detecting it being applied in the IDS. During this lag time the IDS will be unable to identify the threat.
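As an added example in C (not code from the slides), both detection techniques side by side over constructed input: the signature matcher only finds patterns already in its rule set, which is exactly the update-lag problem described above, while the anomaly detector compares a connection count against a statistical baseline of normal activity. The signature strings, the baseline counts and the sample payloads are all constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed rule set standing in for a signature-based IDS's database.
 * Real signatures are byte patterns of known attacks; these placeholders
 * are enough to show the matching logic. */
static const char *SIGNATURES[] = {
    "KNOWN-BAD-PAYLOAD-A",
    "KNOWN-BAD-PAYLOAD-B",
};
#define NUM_SIGNATURES (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Signature-based detection: return the index of the first signature found
 * in the packet payload, or -1 when nothing in the rule set matches.
 * A payload carrying a pattern that is not yet in SIGNATURES (a new threat
 * during the update lag) is passed without any alert. */
int signature_match(const char *payload)
{
    for (size_t i = 0; i < NUM_SIGNATURES; i++)
        if (strstr(payload, SIGNATURES[i]) != NULL)
            return (int)i;
    return -1;
}

/* Constructed baseline: connections per minute observed during a training
 * period of normal activity (ten samples, mean 41.4, variance 4.44). */
static const double BASELINE[] = {40, 42, 38, 45, 41, 39, 44, 40, 43, 42};
#define BASELINE_LEN (sizeof BASELINE / sizeof BASELINE[0])

/* Statistical anomaly detection: flag a measurement that lies more than k
 * standard deviations above the baseline mean. The comparison is done on
 * squared values so that no sqrt (and no libm) is needed.
 * Returns 1 for anomalous, 0 for normal. */
int is_anomalous(double observed, double k)
{
    double mean = 0.0, var = 0.0;
    for (size_t i = 0; i < BASELINE_LEN; i++)
        mean += BASELINE[i];
    mean /= (double)BASELINE_LEN;
    for (size_t i = 0; i < BASELINE_LEN; i++)
        var += (BASELINE[i] - mean) * (BASELINE[i] - mean);
    var /= (double)BASELINE_LEN;

    double delta = observed - mean;
    if (delta <= 0.0)
        return 0;                   /* only spikes above normal are flagged */
    return (delta * delta > k * k * var) ? 1 : 0;
}

/* One constructed traffic sample: a payload plus the connection count for
 * the minute it arrived in. Both detectors are consulted; an IDS logs and
 * reports the verdict rather than blocking, which is the distinction the
 * text draws between an IDS and an IDPS. */
typedef struct {
    const char *payload;
    double connections_per_minute;
} sample_t;

/* Returns a bitmask: bit 0 = signature hit, bit 1 = traffic anomaly. */
int inspect(const sample_t *s)
{
    int verdict = 0;
    if (signature_match(s->payload) >= 0)
        verdict |= 1;
    if (is_anomalous(s->connections_per_minute, 3.0))
        verdict |= 2;
    return verdict;
}

int main(void)
{
    /* Constructed samples: normal traffic, a known pattern, and a pattern
     * missing from the rule set that arrives together with a traffic spike. */
    sample_t samples[] = {
        { "GET /index.html",                 41  },
        { "POST /login KNOWN-BAD-PAYLOAD-B",  43  },
        { "POST /login NEW-UNSEEN-PAYLOAD",   400 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: verdict %d\n", i, inspect(&samples[i]));
    return 0;
}
```

The third sample shows the two techniques complementing each other: the signature matcher misses the unseen pattern, but the volume anomaly still raises an alert.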
Virus Protection
The problem of viruses can be dealt with by using antivirus software. It works by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When it finds a known pattern, it removes the instructions, disinfecting the program. The best protection against viruses is the practice of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to manually update it.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
- only authorized traffic is allowed
Auditing and controlling access
- can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence
Firewalls Aren't Perfect
Useless against attacks from the inside
- Evildoer exists on inside
- Malicious code is executed on an internal machine
Organizations with greater insider threat
- Banks and Military
Protection must exist at each layer
- Assess risks of threats at every layer
Cannot protect against transfer of all virus-infected programs or files
- because of huge range of OS & file types
Can be spoofed and tunneled
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
Stack and Buffer Overflow
Stack or buffer overflow is the most common way for an attacker outside of the system, on a network or dial-up connection, to gain unauthorized access to the target system. This can be used by the unauthorised user for privilege escalation.
Buffer overflow attacks are especially pernicious as they can be run within a system and travel over allowed communications channels. They can even bypass the security added by firewalls.
Stack and Buffer Overflow
The attacker exploits a bug in the program. The bug can be a simple case of poor programming, in which the programmer neglected to code bounds checking on an input field. In this case the attacker sends more data than the program was expecting. Using trial and error, or by examination of the source code of the attacked program if it is available, the attacker determines the vulnerability and writes a program to do the following:
1 Overflow an input field, command line argument or input buffer until it writes into the stack
2 Overwrite the current return address on the stack with the address of the exploit code loaded in the next step
3 Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute (e.g. spawn a shell)
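As an added example in C (not code from the slides), the missing bounds check the text describes beside a checked version of the same input-field copy. The buffer size FIELD_MAX and the inputs are constructed for the demonstration; the unchecked copy is shown only to mark the defect and is never given over-long input here.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* size of the fixed-length input field (constructed) */

/* The bug the text describes: the input field is copied into a fixed-size
 * stack buffer with no bounds check. Input longer than FIELD_MAX overruns
 * the buffer and, on a conventional stack layout, reaches the saved return
 * address. It behaves correctly for short input, which is why the defect
 * goes unnoticed in ordinary testing. */
int parse_field_unchecked(const char *input)
{
    char field[FIELD_MAX];
    strcpy(field, input);          /* no length check: classic stack overflow */
    return (int)strlen(field);
}

/* Hardened version: the length is measured against the buffer before any
 * copy takes place, without scanning past out_size bytes of the input, and
 * over-long input is rejected instead of being truncated silently.
 * Returns the number of bytes copied, or -1 on rejection. */
int parse_field_checked(const char *input, char *out, size_t out_size)
{
    size_t n = 0;
    while (n < out_size && input[n] != '\0')
        n++;
    if (n >= out_size)
        return -1;                 /* no room for the field plus terminator */
    memcpy(out, input, n);
    out[n] = '\0';
    return (int)n;
}

/* Helper for the demonstration: run the checked parser into a buffer of
 * the same size the unchecked version uses. */
int checked_result(const char *input)
{
    char out[FIELD_MAX];
    return parse_field_checked(input, out, sizeof out);
}

/* Constructed over-long input: a string four times the buffer size. */
int overlong_result(void)
{
    char input[4 * FIELD_MAX];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    return checked_result(input);
}

int main(void)
{
    printf("short field: %d\n", checked_result("user42"));
    printf("field exactly FIELD_MAX bytes: %d\n", checked_result("0123456789abcdef"));
    printf("over-long field: %d\n", overlong_result());
    return 0;
}
```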
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infection. Exchange of Microsoft Office documents is a common form of virus transmission these days, because these documents contain so-called macros, which are Visual Basic programs.
Creeper Virus
The Creeper virus was first detected on ARPANET. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system, where the message "I'm the creeper, catch me if you can" was displayed. The Reaper program was created to delete Creeper.
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000, the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's email contact list. It just clogged users' inboxes and email systems but was relatively harmless.
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms spread:
- independently of human action
- usually by utilizing a security hole in a piece of software
- by scanning a network for another machine that has a specific security hole and copying itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine
They are network based
They fall into 2 categories:
1 An attack that uses so many facility resources that, in essence, no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks. Frequently it is difficult to determine if a system slowdown is due to a surge in use or an attack.
Implementing Security Defences
MAJOR Techniques
- Defense in Depth
- Security Policy
- Vulnerability Assessment
- Intrusion Detection
- Virus Protection
Viruses
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6, 1992, the 517th birthday of Michelangelo, the Michelangelo virus was scheduled to erase infected hard disk files. But because of the extensive publicity surrounding the virus, most sites had detected and destroyed the virus before it was activated, so it caused little or no damage.
Love Bug Virus
In 2000 the Love Bug became very widespread. It appeared to be a love note sent by a friend of the receiver. Once invoked by opening the Visual Basic script, it propagated by sending itself to the first users in the user's email contact list. It just clogged users' inboxes and email systems but was relatively harmless.
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance. The worm spawns copies of itself, using up system resources and perhaps locking out system use by all other processes.
Worms Spread
• independently of human action
• usually by utilizing a security hole in a piece of software
• by scanning a network for another machine that has a specific security hole and copying itself to the new machine using that security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet, and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. These attacks are network based. They fall into 2 categories:
1. An attack that uses so many facility resources that, in essence, no work can be done
2. An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks. Frequently it is difficult to determine if a system slowdown is due to a surge in use or an attack.
Implementing Security Defences
Implementing Security Defences: MAJOR Techniques
• Defense in Depth
• Security Policy
• Vulnerability Assessment
• Intrusion Detection
• Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
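The "constrain potential senders" point in working form, as an added example that is not from the original slides: a shared secret key and HMAC-SHA256 from the Python standard library let a receiver accept only messages produced by a key holder. Keys and messages are constructed for the demo; the sequence number bound into each tag is an added detail so the receiver can also reject a replayed genuine message.

```python
"""Added example, not from the original slides: constraining who can be the
source of a message with a shared secret key (symmetric HMAC-SHA256).
Keys and messages are constructed for the demo."""
import hashlib
import hmac
import os


def make_key() -> bytes:
    """A fresh 256-bit shared secret; in practice distributed out of band."""
    return os.urandom(32)


def _authenticated_data(seq: int, message: bytes) -> bytes:
    # The sequence number is bound into the tag so it cannot be altered
    # independently of the message.
    return seq.to_bytes(8, "big") + message


def tag_message(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender side: produce the authentication tag with the shared key."""
    return hmac.new(key, _authenticated_data(seq, message), hashlib.sha256).digest()


class Receiver:
    """Accepts a message only if its tag was made with the shared key (so the
    set of possible senders is constrained to key holders) and its sequence
    number is newer than anything already accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, seq: int, message: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, _authenticated_data(seq, message),
                            hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak, through timing,
        # how many leading tag bytes happened to be correct.
        if not hmac.compare_digest(expected, tag):
            return False
        if seq <= self.last_seq:
            return False          # replay of an earlier genuine message
        self.last_seq = seq
        return True


def demo():
    """Walk through the cases the slide implies; returns {case: accepted?}."""
    key = make_key()
    receiver = Receiver(key)
    results = {}

    # 1. Genuine message from a key holder.
    seq, msg = 1, b"transfer 10 to alice"
    tag = tag_message(key, seq, msg)
    results["genuine"] = receiver.accept(seq, msg, tag)

    # 2. Same tag, message altered in transit.
    results["tampered"] = receiver.accept(seq + 1, b"transfer 10 to mallory", tag)

    # 3. A party without the key cannot produce a valid tag.
    forged = tag_message(make_key(), 2, msg)
    results["wrong key"] = receiver.accept(2, msg, forged)

    # 4. The genuine message captured and resent unchanged.
    results["replay"] = receiver.accept(seq, msg, tag)

    # 5. The next legitimate message still gets through.
    seq2, msg2 = 2, b"transfer 5 to bob"
    results["next genuine"] = receiver.accept(seq2, msg2, tag_message(key, seq2, msg2))
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:13s} -> {'accepted' if ok else 'rejected'}")
```

Constraining receivers (the "destinations" bullet) needs encryption rather than a tag, which this block deliberately leaves out.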
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity and Availability.
Formal policy models:
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection
Intrusion Detection [Contd.]
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS: A statistical anomaly-based IDS determines normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS: A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature being applied in the IDS for detecting the threat. During this lag time your IDS will be unable to identify the threat.
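The two techniques side by side, as an added example that is not from the original slides: a toy IDS learns a baseline (ports in use, typical request size) from constructed normal traffic, then runs both signature matching and anomaly scoring over constructed live events. The signature list, the event tuples and the z-score threshold are all assumptions for the demo.

```python
"""Added example, not from the original slides: a toy IDS combining
signature matching with statistical anomaly detection. All events and
signatures below are constructed for the demo, not captured traffic."""
import statistics
from collections import Counter

# Constructed "known attack" signatures: name -> pattern looked for in payloads.
SIGNATURES = {
    "sql-injection": "' OR 1=1",
    "path-traversal": "../../",
}

# Each event: (source host, destination port, bytes, request payload).
# Constructed baseline of normal traffic used to learn "normal" behaviour.
BASELINE = [
    ("10.0.0.5", 443, 1200, "GET /index.html"),
    ("10.0.0.5", 443, 1350, "GET /about.html"),
    ("10.0.0.7", 443, 900, "GET /index.html"),
    ("10.0.0.7", 80, 1100, "GET /news"),
    ("10.0.0.9", 443, 1500, "POST /login user=alice"),
    ("10.0.0.9", 443, 1000, "GET /home"),
]

# Constructed live events the IDS inspects.
LIVE = [
    ("10.0.0.5", 443, 1250, "GET /index.html"),                  # normal
    ("10.0.0.8", 443, 1400, "POST /login user=' OR 1=1 --"),     # known signature
    ("10.0.0.8", 22, 300, "SSH-2.0-probe"),                      # port never seen
    ("10.0.0.9", 443, 90000, "POST /upload"),                    # size outlier
    ("10.0.0.5", 443, 1200, "GET /item?id=7; DROP TABLE x"),     # new attack, no signature yet
]


class Baseline:
    """Statistics of normal activity: which ports are used and typical sizes."""

    def __init__(self, events, z_threshold=3.0):
        self.ports = Counter(port for _, port, _, _ in events)
        sizes = [size for _, _, size, _ in events]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes)
        self.z_threshold = z_threshold

    def anomalies(self, event):
        """Reasons this event deviates from the learned baseline (may be empty)."""
        _, port, size, _ = event
        reasons = []
        if port not in self.ports:
            reasons.append(f"port {port} never seen in baseline")
        z = (size - self.mean) / self.stdev if self.stdev else 0.0
        if abs(z) > self.z_threshold:
            reasons.append(f"size {size} is {z:.1f} std devs from mean")
        return reasons


def signature_matches(event):
    """Names of known attack patterns found in the event's payload."""
    payload = event[3]
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def analyse(baseline, events):
    """Run both techniques; returns a list of (source, technique, detail)."""
    alerts = []
    for ev in events:
        for name in signature_matches(ev):
            alerts.append((ev[0], "signature", name))
        for reason in baseline.anomalies(ev):
            alerts.append((ev[0], "anomaly", reason))
    return alerts


if __name__ == "__main__":
    for src, technique, detail in analyse(Baseline(BASELINE), LIVE):
        print(f"{src:10s} {technique:9s} {detail}")
```

Note that the last live event, a new attack pattern with no signature and with a normal port and size, produces no alert from either technique: this is the lag window the slide describes, and anomaly detection only closes it when the attack changes a feature the baseline actually measures.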
Virus Protection
The problem of viruses can be dealt with by using antivirus software. They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern they remove the instructions, disinfecting the program. The best protection against viruses is the method of safe computing: purchasing unopened software from vendors and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer's protection up to date without you having to manually update it.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
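The scan, disinfect and quarantine steps from the Virus Protection and Anti-Virus Functions slides, as an added example that is not from the original slides or any real antivirus product. The two "virus" signatures (a byte pattern and a whole-file SHA-256) and the sample files are constructed for the demo; a file whose only content is the pattern cannot be cleaned and is quarantined instead.

```python
"""Added example, not from the original slides: a minimal signature-based
file scanner with disinfect and quarantine steps. Sample files and the
"virus" signatures are constructed for the demo; none is real malware."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed signatures: a byte pattern "known to make up a virus" that can
# be cut out of a host program, and the SHA-256 of a whole malicious file.
PATTERN_SIGNATURES = {
    "demo-virus-A": b"CONSTRUCTED-VIRUS-MARKER-A",
}
HASH_SIGNATURES = {
    hashlib.sha256(b"CONSTRUCTED-WHOLE-FILE-MALWARE-B").hexdigest(): "demo-virus-B",
}


def scan_file(path: Path):
    """Return the signature name that matches this file, or None if clean."""
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def disinfect(path: Path, pattern: bytes) -> bool:
    """Remove the known instruction pattern in place ("disinfecting").
    Returns False when nothing legitimate would remain, i.e. the file is the
    payload itself rather than an infected host program."""
    data = path.read_bytes()
    cleaned = data.replace(pattern, b"")
    if not cleaned.strip():
        return False
    path.write_bytes(cleaned)
    return True


def quarantine(path: Path, qdir: Path) -> Path:
    """Move the file into the quarantine directory, rename it so nothing
    opens it by extension, and drop write/execute bits so it cannot run."""
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (path.name + ".quarantined")
    shutil.move(str(path), str(dest))
    dest.chmod(0o400)
    return dest


def scan_directory(root: Path, qdir: Path):
    """Scan every regular file under root. Returns {filename: action}."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if qdir in path.parents:
            continue                      # never rescan quarantined files
        hit = scan_file(path)
        if hit is None:
            report[path.name] = "clean"
        elif hit in PATTERN_SIGNATURES and disinfect(path, PATTERN_SIGNATURES[hit]):
            report[path.name] = f"disinfected ({hit})"
        else:
            quarantine(path, qdir)
            report[path.name] = f"quarantined ({hit})"
    return report


def demo():
    """Build a constructed sample tree, scan it, and return (root, report)."""
    root = Path(tempfile.mkdtemp(prefix="avdemo-"))
    (root / "hello.txt").write_bytes(b"just a normal document\n")
    (root / "host.bin").write_bytes(b"legit program code CONSTRUCTED-VIRUS-MARKER-A more code")
    (root / "dropper.bin").write_bytes(b"CONSTRUCTED-WHOLE-FILE-MALWARE-B")
    (root / "payload.bin").write_bytes(b"CONSTRUCTED-VIRUS-MARKER-A")
    report = scan_directory(root, root / "quarantine")
    return root, report


if __name__ == "__main__":
    root, report = demo()
    for name, action in report.items():
        print(f"{name:12s} {action}")
    print("quarantine dir:", root / "quarantine")
```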
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Computer Viruses
A virus is a fragment of code embedded in a legitimate program unlike a worm which is structured as a complete standalone program
Spread Of Viruses
Viruses are spread by users downloading viral programs from public bulletin boards or exchanging disks containing an infectionExchange of Microsoft Office documents are a common form of virus transmission these days because these documents contain so-called macros which are Visual Basic programs
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Creeper Virus
The Creeper virus was first detected on ARPANET Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971 Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system Creeper gained access via the ARPANET and copied itself to the remote system where the message Im the creeper catch me if you can was displayed The Reaper program was created to delete Creeper
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Michelangelo Virus
On March 6 1992 the 517th birthday of Michelangelo the Michelangelo virus was scheduled to erase infected hard disk files But because of the extensive popularity surrounding the virus most sites had detected and destroyed the virus before it was activated so it caused little or no damage
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Love Bug Virus
In 2000 the Love Bug became very widespread It appeared to be a love note sent by the friend of the receiver Once invoked by opening the Virtual Basic script it propagated by sending itself to the first users in userrsquos email contact list It just clogged userrsquos inbox and email systems but was relatively harmless
Worms
Worms
A worm is a process that uses the spawn mechanism to clobber system performance The worm spawns copies of itself using up system resources and perhaps locking out system use by all other processes
Worms Spread
independently of human action
usually by utilizing a security hole in a piece of software
by scanning a network for another machine that has a specific security hole and copies itself to the new machine using the security hole
Morris Worm
Robert Tappan Morris is an American computer scientist best known for creating the Morris Worm in 1988 considered the first computer worm on Internet - and subsequently becoming the first person convicted under Computer Fraud and Abuse Act
Working of the Morris Worm
Denial of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. Such attacks are network based. They fall into 2 categories:
1. An attack that uses so many facility resources that, in essence, no work can be done.
2. An attack that disrupts the network facility of the computer.
It is impossible to prevent Denial of Service attacks. Frequently it is difficult to determine if a system slowdown is due to a surge in use or an attack.
Implementing Security Defences: MAJOR Techniques
• Defense in Depth
• Security Policy
• Vulnerability Assessment
• Intrusion Detection
• Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
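What "constraining potential senders" means in the symmetric and the asymmetric setting, as an added example that is not from the slides: a shared-secret HMAC, where every party that can verify a tag can also produce one, beside a toy RSA signature, where only the private-key holder can sign. The primes, keys and messages are constructed; the RSA part uses deliberately tiny primes and no padding, so it illustrates the key separation only and is not usable as a real signature scheme.

```python
import hashlib
import hmac

# Added example (not from the slides): symmetric (shared secret) versus
# asymmetric (public/private key) protection of a message's source.
# The RSA part is a textbook toy with tiny constructed primes and no padding;
# it shows who can produce a valid signature, nothing more.

# --- Symmetric: one shared key, HMAC-SHA256 -----------------------------------
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # constant-time comparison so verification time does not leak the tag
    return hmac.compare_digest(mac_tag(key, msg), tag)

# --- Asymmetric: toy RSA signature over a SHA-256 digest ----------------------
P, Q = 1000003, 1000033              # constructed toy primes (far too small for real use)
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent via modular inverse (Python 3.8+)
PUBLIC_KEY = (E, N)                  # given to everyone who needs to verify
PRIVATE_KEY = (D, N)                 # kept by the one party allowed to sign

def _digest_as_int(msg: bytes) -> int:
    # Reduce the digest modulo N so it fits the toy modulus; a real scheme pads instead.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(private_key, msg: bytes) -> int:
    d, n = private_key
    return pow(_digest_as_int(msg), d, n)

def verify(public_key, msg: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest_as_int(msg)

def demo() -> dict:
    """Show what each scheme constrains: who can produce a tag or signature that verifies."""
    shared = b"constructed-shared-secret"
    msg = b"transfer 100 to account 42"
    other = b"transfer 1000000 to account 42"
    tag = mac_tag(shared, msg)
    # Symmetric: the verifier holds the same key, so it can forge a tag on any message.
    forged_by_verifier = mac_tag(shared, other)
    # Asymmetric: the verifier holds only the public key and cannot sign anything.
    sig = sign(PRIVATE_KEY, msg)
    return {
        "mac_ok": mac_verify(shared, msg, tag),
        "mac_wrong_key": mac_verify(b"other-key", msg, tag),
        "verifier_can_forge_mac": mac_verify(shared, other, forged_by_verifier),
        "sig_ok": verify(PUBLIC_KEY, msg, sig),
        "sig_tampered": verify(PUBLIC_KEY, msg + b"!", sig),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two "forge" outcomes are the point of the slide's distinction: with a symmetric key the set of possible senders is everyone who holds the secret (including every verifier), whereas with an asymmetric key pair it is exactly the holder of the private key.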
Security Policy
A computer security policy defines the goals and elements of an organization’s computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized into the core security principles of Confidentiality, Integrity and Availability.
Formal policy models:
• Confidentiality policy model
• Integrity policy model
• Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection [Contd]
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity, like what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature being applied in the IDS for detecting the threat. During this lag time your IDS will be unable to identify the threat.
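The two detection techniques side by side, as an added example that is not from the slides, run over a constructed window of Apache-style web-server log lines. The signature list, the baseline counts and the log lines are all made up for illustration. The anomaly half also serves the earlier Denial of Service point about telling a surge in use from an attack: per-source counts against a learned baseline single out one source flooding the server without any signature for it.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Added example (not from the slides): signature-based and statistical
# anomaly-based detection over constructed web-server log lines. Signatures,
# baseline numbers and log lines are made up for illustration.

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

# --- Signature-based: fixed patterns; only catches what is already on the list ---
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s*1\s*=\s*1"),
}

def signature_alerts(lines):
    """(source, signature name) for every request whose decoded path matches a signature."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        path = unquote(rec["path"])          # decode %27 etc. before matching
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((rec["src"], name))
    return alerts

# --- Statistical anomaly-based: compare each source against a learned baseline ---
# Constructed "normal" requests-per-source-per-minute counts, standing in for what
# a real IDS learns during a training period. Mean 13.5, sample stdev about 1.58.
BASELINE_REQUESTS_PER_SOURCE = [12, 15, 11, 14, 13, 16, 12, 14, 13, 15]

def anomaly_alerts(lines, baseline=BASELINE_REQUESTS_PER_SOURCE, z_threshold=3.0):
    """(source, count, z-score) for sources more than z_threshold standard deviations
    above the baseline mean in this window. No signature is needed, and a single
    source far above the baseline reads differently from many sources each behaving
    normally, which is the slide's surge-versus-attack question in numbers."""
    mean, stdev = statistics.mean(baseline), statistics.stdev(baseline)
    counts = Counter(rec["src"] for rec in filter(None, map(parse, lines)))
    flagged = []
    for src, n in counts.items():
        z = (n - mean) / stdev
        if z > z_threshold:
            flagged.append((src, n, round(z, 1)))
    return flagged

# Constructed log window: one normal client, two signature hits, one flooding source.
LOG_LINES = [
    '10.0.3.4 - - [14/Nov/2014:10:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.3.4 - - [14/Nov/2014:10:00:02] "GET /about.html HTTP/1.1" 200',
    '203.0.113.7 - - [14/Nov/2014:10:00:03] "GET /../../config.ini HTTP/1.1" 404',
    '198.51.100.9 - - [14/Nov/2014:10:00:04] "GET /login?user=a%27%20or%201%3D1 HTTP/1.1" 200',
] + [
    f'192.0.2.50 - - [14/Nov/2014:10:00:{s:02d}] "GET /index.html HTTP/1.1" 200'
    for s in range(5, 45)   # 40 requests from one source inside the same minute
]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LOG_LINES))
    print("anomaly alerts:  ", anomaly_alerts(LOG_LINES))
```

The flooding source produces no signature alert at all, because its requests are individually ordinary, and the two signature hits produce no anomaly alert, because one request each is well within the baseline; that is why the slide presents the two techniques as complementary, and why the signature list's lag matters: a request is only caught if its pattern is already in `SIGNATURES`.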
Virus Protection
The problem of viruses can be dealt with by using antivirus software. They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus. When they find a known pattern, they remove the instructions, disinfecting the program. The best protection against viruses is the method of safe computing: purchasing unopened software from the vendor and avoiding free or pirated copies from public sources or disk exchange.
Anti-Virus Functions
Protection: Antivirus software can provide real-time protection, meaning it can prevent unwanted processes from accessing your computer while you surf the Internet.
Cleanup: Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them.
Alerts: Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet.
Updates: Antivirus programs can update themselves, keeping your computer’s protection up to date without you having to manually update it.
Further Protection: If antivirus software finds an infected file that cannot be deleted, it can quarantine the file so that it cannot infect other files or programs on your computer.
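What the quarantine step in "Further Protection" actually does, as an added example that is not from the slides: the file is moved out of its original location into a quarantine directory, renamed to its hash, stripped of all permissions, and described by a metadata record so it can be inspected or restored after a false positive. The directory layout, the detection name and the "infected" sample are constructed for this demonstration; the sample is a harmless text file standing in for a real detection.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Added example (not from the slides): the quarantine an antivirus performs when
# an infected file cannot simply be deleted. Paths, the detection name and the
# sample file are constructed; the sample is plain text, not malware.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def quarantine(infected: Path, quarantine_dir: Path, detection: str) -> dict:
    """Move `infected` into `quarantine_dir`; return the metadata record written beside it."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(infected)
    dest = quarantine_dir / f"{digest}.quarantined"
    shutil.move(str(infected), str(dest))   # gone from its original path: nothing can open or run it there
    os.chmod(dest, 0o000)                   # no read/write/execute for anyone (root excepted)
    record = {
        "original_path": str(infected),
        "sha256": digest,
        "detection": detection,
        "quarantined_as": str(dest),
        "size": dest.stat().st_size,
    }
    (quarantine_dir / f"{digest}.json").write_text(json.dumps(record, indent=2))
    return record

def restore(record: dict) -> Path:
    """Undo a quarantine (e.g. after a false positive): restore permissions and move the file back."""
    dest, original = Path(record["quarantined_as"]), Path(record["original_path"])
    os.chmod(dest, 0o600)
    shutil.move(str(dest), str(original))
    return original

def demo() -> dict:
    """Quarantine and then restore a constructed sample inside a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="av-demo-"))
    sample = root / "downloads" / "invoice.exe"
    sample.parent.mkdir(parents=True)
    sample.write_bytes(b"constructed sample: pretend this matched a signature")  # harmless stand-in
    record = quarantine(sample, root / "quarantine", detection="Demo.Signature/Test")
    held = Path(record["quarantined_as"])
    result = {
        "original_gone": not sample.exists(),
        "quarantined_exists": held.exists(),
        "no_permissions": (held.stat().st_mode & 0o777) == 0,
        "record": record,
    }
    restored = restore(record)
    result["restored_hash_matches"] = sha256_of(restored) == record["sha256"]
    shutil.rmtree(root)
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the hash before the move is what makes the record trustworthy: an analyst can later confirm the quarantined bytes are the ones that were detected, and the restore path checks the same hash before handing the file back.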
Denial of Service
Denial of service does not involve stealing resources or gaining information, but rather disabling legitimate use of a system or facility.
It is easier than breaking into a machine. These attacks are network based. They fall into 2 categories:
1. An attack that uses so many facility resources that, in essence, no work can be done
2. An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks. Frequently it is difficult to determine whether a system slowdown is due to a surge in use or to an attack.
Implementing Security Defences
MAJOR Techniques
Defense in Depth
Security Policy
Vulnerability Assessment
Intrusion Detection
Virus Protection
Cryptography as a Security Tool
• Broadest security tool available
• Source and destination of messages cannot be trusted without cryptography
• Means to constrain potential senders (sources) and/or receivers (destinations) of messages
• Based on secrets (keys)
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organization's computer systems. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. A technical implementation defines whether a computer system is secure or insecure. These formal policy models can be categorized under the core security principles of Confidentiality, Integrity and Availability.
Formal policy models:
Confidentiality policy model
Integrity policy model
Hybrid policy model
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.
Intrusion Detection [Contd.]
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS: A statistical anomaly-based IDS determines what normal network activity looks like (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and alerts the administrator or user when traffic is detected which is anomalous (not normal).
Signature-based IDS: A signature-based IDS monitors packets on the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature for it being applied in the IDS. During this lag time your IDS will be unable to identify the threat.
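The two detection techniques just described, run side by side over the same traffic, as an added Python example (not code from the slides or from any real IDS product): signature matching catches a known pattern immediately, the statistical baseline catches a novel flow that has no signature yet (the lag the slide warns about) but also flags a legitimate large download, which is the usual trade-off between the two. Records, signatures, the baseline and the threshold factor k are all constructed here.

```python
import re
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set


@dataclass(frozen=True)
class Record:
    src: str        # source IP
    dport: int      # destination port
    nbytes: int     # bytes carried by the flow
    payload: bytes  # first bytes of the application payload


# Signature-based: pre-determined attack patterns (constructed for this example).
SIGNATURES = {
    "sqli_probe": re.compile(rb"' OR '?1'?='?1"),
    "dir_traversal": re.compile(rb"\.\./\.\./"),
}


def signature_detect(rec: Record) -> List[str]:
    """Names of every signature found in the payload; [] when none matches."""
    return [name for name, pat in SIGNATURES.items() if pat.search(rec.payload)]


class AnomalyDetector:
    """Statistical anomaly-based: learn what normal traffic looks like, then flag
    records that fall outside it (size beyond mean + k*stdev, or a destination
    port never seen during training)."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.size_mean = 0.0
        self.size_std = 0.0
        self.known_ports: Set[int] = set()

    def train(self, normal: List[Record]) -> None:
        sizes = [r.nbytes for r in normal]
        self.size_mean = mean(sizes)
        self.size_std = pstdev(sizes)
        self.known_ports = {r.dport for r in normal}

    def detect(self, rec: Record) -> List[str]:
        reasons = []
        if rec.dport not in self.known_ports:
            reasons.append(f"unseen port {rec.dport}")
        if rec.nbytes > self.size_mean + self.k * self.size_std:
            reasons.append("size above baseline")
        return reasons


def analyse(records: List[Record], det: AnomalyDetector) -> List[Dict[str, List[str]]]:
    """Runs both techniques over each record and returns their findings side by side."""
    return [{"signature": signature_detect(r), "anomaly": det.detect(r)} for r in records]


# Constructed baseline: ten ordinary web requests to ports 80 and 443
# (mean 580 bytes, population stdev about 43, so the k=3 cut-off is about 710).
BASELINE = [
    Record("10.0.0.%d" % (i + 1), 443 if i % 2 else 80, size, b"GET /index.html")
    for i, size in enumerate([520, 610, 580, 640, 500, 590, 560, 630, 610, 560])
]

# Constructed traffic to classify.
TRAFFIC = [
    Record("10.0.0.3", 443, 600, b"GET /index.html"),               # normal
    Record("10.0.0.4", 80, 620, b"GET /login?u=admin' OR '1'='1"),  # known pattern
    Record("10.0.0.9", 8443, 9000, b"POST /api/upload"),            # novel: no signature yet
    Record("10.0.0.2", 443, 5000, b"GET /big.iso"),                 # legitimate but unusual
]


def run_demo() -> List[Dict[str, List[str]]]:
    det = AnomalyDetector()
    det.train(BASELINE)
    return analyse(TRAFFIC, det)
```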
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Denial Of Service
Denial of service does not involve stealing of resources or gaining information but rather disabling legitimate use of a system or facilty
It is easier than breaking into a machineThey are network basedThey fall into 2 categories
1 An attack that uses so many facility resources that in essence no work can be done
2 An attack that disrupts the network facility of the computer
It is impossible to prevent Denial of Service attacks Frequently it is difficult to determine if a system slowdown is due to surge in use or an attack
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Implementing Security Defences
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Implementing Security DefencesMAJOR Techniques
Defense in DepthSecurity PolicyVulnerability AssessmentIntrusion DetectionVirus Protection
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Cryptography as a Security Tool1048708 Broadest security tool available1048708 Source and destination of messages cannot be trusted withoutcryptography1048708 Means to constrain potential senders (sources) and or receivers(destinations) of messages1048708 Based on secrets (keys)Operating
Symmetric and Asymmetric Encryption
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring Interconnects networks with differing trustImposes restrictions on network services
bull only authorized traffic is allowed Auditing and controlling access
bull can implement alarms for abnormal behaviorItself immune to penetrationProvides perimeter defence
Firewalls Arenrsquot Perfect
Useless against attacks from the insidebull Evildoer exists on insidebull Malicious code is executed on an internal machine
Organizations with greater insider threatbull Banks and Military
Protection must exist at each layerbull Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
bull because of huge range of OS amp file typesCan be spoofed and Tunneled
Bibliography
Book Operating System Concepts [Galvin Silverschatz Gagne]Websites wwwgooglecom
wwwwikipediacom Pictures Google images
Thank You
Security Policy
A computer security policy defines the goals and elements of an organizations computer systems The definition can be highly formal or informal Security policies are enforced by organizational policies or security mechanisms A technical implementation defines whether a computer system is secure or insecure These formal policy models can be categorized into the core security principles of Confidentiality Integrity and Availability
Formal policy modelsConfidentiality policy modelIntegrity policies modelHybrid policy model
Vulnerablity Assessment
A vulnerability assessment is the process of identifying quantifying and prioritizing (or ranking) the vulnerabilities in a system Examples of systems for which vulnerability assessments are performed include but are not limited to information technology systems energy supply systems water supply systems transportation systems and communication systems Assessments are typically performed according to the following steps Cataloging assets and capabilities (resources) in a system Assigning quantifiable value (or at least rank order) and importance to those resources Identifying the vulnerabilities or threats to each resource Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station
Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents logging information about them and reporting attempts
In addition organizations use IDPSes for other purposes such as identifying problems with security policies documenting existing threats and deterring individuals from violating security policies
Intrusion Detection
Intrusion Detection [Contd]All Intrusion Detection Systems use one of two detection techniques
Statistical anomaly-based IDSA statistical anomaly-based IDS determines normal network activity like what sort of bandwidth is generally used what protocols are used what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous(not normal)
Signature-based IDSSignature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat During this lag time your IDS will be unable to identify the threat
Virus ProtectionThe problem of viruses can be dealt with by using antivirus software They work by searching all the programs on a system for the specific pattern of instructions known to make up a virus When they find a known pattern they remove the instructions disinfecting the programThe best protection against virus is the method of safe computing purchasing unopened software from vendor and avoiding free or pirated copies from public sources or disk exchange
Anti-Virus FunctionsProtection
Antivirus software can provide real-time protection meaning it can prevent unwanted processes from accessing your computer while you surf the Internet Cleanup
Antivirus software allows you to scan your computer for viruses and other unwanted programs and provides you with the tools to get rid of them Alerts
Antivirus programs can alert you when something is trying to access your computer or when something in your computer is trying to access something on the Internet Updates
Antivirus programs can update themselves keeping your computers protection up to date without you having to manually update it Further Protection
If an antivirus software finds an infected file that cannot be deleted it can quarantine the file so that it cannot infect other files or programs on your computer
Some Common Anti-Viruses
What is a FIREWALL
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
• only authorized traffic is allowed
Auditing and controlling access
• can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence
Firewalls Aren't Perfect
Useless against attacks from the inside
• Evildoer exists on inside
• Malicious code is executed on an internal machine
Organizations with greater insider threat
• Banks and Military
Protection must exist at each layer
• Assess risks of threats at every layer
Cannot protect against transfer of all virus infected programs or files
• because of huge range of OS & file types
Can be spoofed and Tunneled
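An added example, not from the presentation, of the choke-point properties listed under "What is a FIREWALL" (ordered rules, only authorized traffic allowed, auditing, alarms on abnormal behavior) together with the simplest check against the spoofing limitation noted above; the Rule and Firewall classes, the rule set and the addresses are constructed for illustration.

```python
"""Toy packet filter showing the firewall properties from the slides: one choke
point, ordered rules with first-match semantics and a default deny, an audit
log of every decision, and an alarm on repeated denials. Added example; the
rules and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None matches any port
    proto: str               # "tcp", "udp" or "any"


# Constructed rule set for the outside-facing interface. Order matters: the
# first rule rejects packets that claim an internal source address while
# arriving from outside, the simplest form of the spoofing the slides mention.
CONSTRUCTED_RULES = [
    Rule("deny", "10.0.0.0/8", None, "any"),
    Rule("allow", "0.0.0.0/0", 443, "tcp"),      # public HTTPS service
    Rule("allow", "203.0.113.0/24", 22, "tcp"),  # admin SSH from a trusted range
]


class Firewall:
    def __init__(self, rules, alarm_after=5):
        self.rules = rules
        self.alarm_after = alarm_after   # denials from one source before alarming
        self.audit = []                  # (src, dst_port, proto, action) per packet
        self.denials = Counter()

    def decide(self, src, dst_port, proto):
        """First matching rule wins; with no match, deny (nothing is authorized by default)."""
        addr = ipaddress.ip_address(src)
        for r in self.rules:
            if (addr in ipaddress.ip_network(r.src)
                    and (r.dst_port is None or r.dst_port == dst_port)
                    and r.proto in ("any", proto)):
                return r.action
        return "deny"

    def filter(self, src, dst_port, proto):
        """Apply the policy, record the decision, and escalate repeated denials."""
        action = self.decide(src, dst_port, proto)
        self.audit.append((src, dst_port, proto, action))
        if action == "deny":
            self.denials[src] += 1
            if self.denials[src] == self.alarm_after:
                return "deny+alarm"   # abnormal behavior: raise an alarm
        return action


if __name__ == "__main__":
    fw = Firewall(CONSTRUCTED_RULES, alarm_after=3)
    for pkt in [("198.51.100.7", 443, "tcp"), ("10.1.2.3", 443, "tcp"), ("198.51.100.7", 22, "tcp")]:
        print(pkt, "->", fw.filter(*pkt))
```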
Bibliography
Book: Operating System Concepts [Galvin, Silberschatz, Gagne]
Websites: www.google.com, www.wikipedia.com
Pictures: Google images
Thank You
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems and communication systems. Assessments are typically performed according to the following steps:
1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value (or at least rank order) and importance to those resources
3. Identifying the vulnerabilities or threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources
Intrusion Detection
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them and reporting attempts.
In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies.