Page 1: Unit 1

TDC 377, Fundamentals of Network Security, Spring 2006

1-1

Unit 1: Class overview, general security concept, threats and defenses

Syllabus
What is Security?
CSI/FBI Computer Crime and Security Survey
Attackers and Attacks
Layered Security Architecture


What is Security?

As in the non-cyber “real” world, security means the measures taken to protect assets and to prevent bad things from happening (or at least to try).

From Webster: security, noun (plural -ties; 15th century)
1: the quality or state of being secure: a: freedom from danger: SAFETY; b: freedom from fear or anxiety; c: freedom from the prospect of being laid off <job security>
2 a: something given, deposited, or pledged to make certain the fulfillment of an obligation; b: SURETY
3: an evidence of debt or of ownership (as a stock certificate or bond)
4 a: something that secures: PROTECTION; b (1): measures taken to guard against espionage or sabotage, crime, attack, or escape; (2): an organization or department whose task is security


What is Security?

Security activities are based on three types of action:
Prevent: put protection measures/systems in place to protect assets and prevent unauthorized access.
Detect: detect whether an asset has been compromised, when and by whom, and gather information on the type of breach committed, the attacker's activities, and the evidence (logs).
Act/React: take measures to stop an attack in progress, recover from it, and prevent the same type of attack from succeeding again.


CSI/FBI Computer Crime and Security Survey
How bad is the threat?
Survey conducted annually by the Computer Security Institute (http://www.gocsi.com).
Based on replies from 700 U.S. computer security professionals in 2005.



Website incidents have increased dramatically.


• General trend of losses is down except for “unauthorized access to information”, and “theft of proprietary information”


Other Key Findings of the CSI/FBI survey
Outsourcing of computer security activities is quite low.
Use of cyber insurance remains low.
Concern about negative publicity causes a decline in the reporting of intrusions to law enforcement.
A significant number of organizations conduct some form of economic evaluation of their security expenditures.


Other Key Findings of the CSI/FBI survey (contd.)
Over 87% of the organizations conduct security audits, up from 82 percent in the 2004 survey.
The Sarbanes-Oxley Act has begun to have an impact on information security in more industry sectors than last year.
Most respondents view security awareness training as important. However, respondents from all sectors do not believe their organizations invest enough in it.


Other Empirical Attack Data
SecurityFocus attack targets:
31 million Windows-specific attacks
22 million UNIX/Linux attacks
7 million Cisco IOS attacks
All operating systems are attacked!


Attack Trends: Growing Incident Frequency
Incidents reported to the Computer Emergency Response Team/Coordination Center (CERT/CC):
1997: 2,134
1998: 3,734 (75% growth from the year before)
1999: 9,859 (164% growth from the year before)
2000: 21,756 (121% growth from the year before)
2001: 52,658 (142% growth from the year before)
Tomorrow? Well, CERT decided to stop counting as of 6/2004!!


Attack Trends

Growing Randomness in Victim Selection

In the past, large firms were targeted

Now, targeting is increasingly random

No more security through obscurity for small firms and individuals


Attack Trends

Growing Malevolence

Most early attacks were not malicious

Malicious attacks are becoming the norm


Attack Trends

Growing Attack Automation

Attacks are automated rather than human-directed.

Essentially, viruses and worms are attack robots that travel among computers.

They attack many computers in minutes or hours.


Who are the Attackers??? Elite Hackers
White hat hackers: break into a system but notify the firm or vendor of the vulnerability. This is still illegal.
Black hat hackers: do not hack to find and report vulnerabilities.
Gray hat hackers: go back and forth between the two ways of hacking.
Elite hackers hack with a code of ethics, but those codes of conduct are often amoral: “do no harm,” yet delete log files, destroy security settings, etc. Distrust of “evil” businesses and government. Still illegal.
Deviant psychology, and hacker groups that reinforce the deviance.


Who are the Attackers???

Virus Writers and Releasers
Virus writers versus virus releasers: typically only releasing a virus is punishable, not writing one.


Who are the Attackers???

Script Kiddies
Use prewritten attack scripts (“kiddie scripts”).
Viewed as lamers by skilled hackers.
Their large numbers make them dangerous.
The noise of kiddie-script attacks masks more sophisticated attacks.


Who are the Attackers???

Criminals

Many attackers are ordinary, garden-variety criminals.
Credit card and identity theft.
Side note on the threat to credit card numbers: how do attackers capture credit card information? By “sniffing” traffic?
How many of the audience worry when shopping online? How many of the audience have ever used a credit card to pay for a restaurant meal?

Stealing trade secrets (intellectual property)

Extortion


Who are the Attackers??? Corporate Employees

Have access and knowledge

Financial theft

Theft of trade secrets (intellectual property)

Sabotage

Consultants and contractors

IT and security staff are the biggest danger: they have the most access and the deepest knowledge.


Who are the Attackers???

Cyberterrorism and Cyberwar
New level of danger.
Infrastructure destruction: attacks on the IT infrastructure itself, and use of IT to attack physical infrastructure (energy, banks, etc.).
Simultaneous multi-pronged attacks.
Cyberterrorism by terrorist groups versus cyberwar by national governments.
Amateur information warfare.


A very good illustration of attacks and attackers: http://grc.com/dos/grcdos.htm

Non-credit assignment: read the full article. Note: all material in “non-credit assignments” can appear in exams.


Framework for Attacks

Attacks
  Physical access attacks: wiretapping, server hacking, vandalism
  Dialog attacks: eavesdropping, impersonation, message alteration
  Penetration attacks: scanning (probing), break-in, denial of service
  Social engineering: opening attachments, password theft, information theft
  Malware: viruses, worms


Attacks and Defenses (Refer to previous diagram)

Physical Attacks: Access Control
Access control is the body of strategies and practices that a company uses to prevent improper access:
Prioritize assets.
Specify access control technology and procedures for each asset.
This can be electronic: use access controls (e.g., firewall rules) to keep unwanted traffic out.
This can be physical: use locks to prevent physical access to devices.
If an attacker gains physical access to a device, that device IS (or should be considered) compromised: no EXCEPTION!!!
Test the protection.


Attacks and Defenses (contd.)

Site Access Attacks and Defenses
Wiretaps (including wireless LAN intrusions)
Hacking servers with physical access


Attacks and Defenses (contd.)
A slight variation of an access attack: Social Engineering
Tricking an employee into giving out information or taking an action that reduces security or harms a system:
Opening an e-mail attachment that may contain a virus
Asking for a password, claiming to be someone with a right to know it
Asking for a file to be sent to you


Attacks and Defenses (contd.)

Social Engineering Defenses

Training

Enforcement through sanctions (punishment)


Attacks and Defenses (contd.)

Dialog Attacks and Defenses
Eavesdropping: encryption for confidentiality
Impostors: authentication
Cryptographic systems


Eavesdropping on a Dialog
[Figure: Bob (client PC) and Alice (server) exchange a dialog (“Hello”); the attacker, Eve, intercepts and reads the messages.]


Encryption for Confidentiality
[Figure: Bob's original message “Hello” is encrypted to “100100110001” before it crosses the network; Eve intercepts the encrypted message but cannot read it; Alice decrypts it back to “Hello”.]


Impersonation and Authentication
[Figure: Eve tells Alice (server) “I'm Bob”; Alice replies “Prove it!” (authenticate yourself).]


Message Alteration
[Figure: Bob sends “Balance = $1”; Eve intercepts and alters the message so that Alice receives “Balance = $1,000,000”.]


Secure Dialog System
[Figure: Bob (client PC) and Alice (server) communicate over a secure dialog; the attacker cannot read messages, alter messages, or impersonate either party.]
The secure dialog system automatically handles negotiation of security options, authentication, encryption, and integrity.
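The three dialog attacks of the preceding slides (eavesdropping, message alteration, impersonation) and the defense a secure dialog bundles against each (encryption, a message authentication code, challenge-response authentication), worked through in Python. This is an added example, not code from the original slides. The cipher is a teaching toy (a SHA-256 keystream in counter mode) chosen so the block runs with only the standard library; the keys, nonces and message text are constructed for the demo. A real secure dialog system uses a vetted protocol such as TLS or SSH.

```python
"""Toy secure dialog between Bob (client) and Alice (server).

Added teaching example. The stream cipher below is SHA-256 in counter mode and
is a TOY ONLY (assumed for this demo); production systems use TLS/SSH.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12   # per-message nonce size (assumption for the toy)
TAG_LEN = 32     # HMAC-SHA256 output size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only. Eve sees bits on the wire, not 'Hello'. Output = nonce || ct."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(enc_key: bytes, wire: bytes) -> bytes:
    nonce, ct = wire[:NONCE_LEN], wire[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality + integrity: encrypt-then-MAC. Output = nonce || ct || tag."""
    wire = encrypt(enc_key, plaintext)
    return wire + hmac.new(mac_key, wire, hashlib.sha256).digest()


def unprotect(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Verify the tag BEFORE decrypting; any altered bit is rejected."""
    wire, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(mac_key, wire, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was altered in transit")
    return decrypt(enc_key, wire)


def eve_alters(wire: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bit-flipping attack on a stream cipher: XOR the ciphertext with old^new.
    Eve needs no key, only a guess of the plaintext at `offset`."""
    data = bytearray(wire)
    for i, (o, n) in enumerate(zip(old, new)):
        data[NONCE_LEN + offset + i] ^= o ^ n
    return bytes(data)


def challenge() -> bytes:
    """Alice: 'Prove it!' A fresh random nonce, so a recorded answer cannot be replayed."""
    return os.urandom(16)


def respond(auth_key: bytes, nonce: bytes) -> bytes:
    """Bob proves knowledge of the shared auth key without ever sending the key."""
    return hmac.new(auth_key, b"client-auth" + nonce, hashlib.sha256).digest()


def verify(auth_key: bytes, nonce: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond(auth_key, nonce), response)


def run_dialog() -> dict:
    """Walk through the three dialog attacks from the slides and the defense for each."""
    enc_key, mac_key, auth_key = os.urandom(32), os.urandom(32), os.urandom(32)
    results = {}
    # 1. Eavesdropping: Eve captures the wire bytes but not the plaintext.
    wire = encrypt(enc_key, b"Hello")
    results["eve_sees_plaintext"] = b"Hello" in wire
    # 2. Message alteration: Bob sends 'Balance = $1'; Eve flips bits to make it '$9'.
    balance = b"Balance = $1"
    pos = balance.index(b"1")
    altered = eve_alters(encrypt(enc_key, balance), pos, b"1", b"9")
    results["alteration_succeeds_without_mac"] = decrypt(enc_key, altered) == b"Balance = $9"
    try:
        unprotect(enc_key, mac_key, eve_alters(protect(enc_key, mac_key, balance), pos, b"1", b"9"))
        results["alteration_detected_with_mac"] = False
    except ValueError:
        results["alteration_detected_with_mac"] = True
    # 3. Impersonation: Eve says "I'm Bob" but cannot answer Alice's challenge.
    nonce = challenge()
    results["bob_accepted"] = verify(auth_key, nonce, respond(auth_key, nonce))
    results["eve_accepted"] = verify(auth_key, nonce, respond(os.urandom(32), nonce))
    return results


if __name__ == "__main__":
    for name, value in run_dialog().items():
        print(f"{name}: {value}")
```

The point the alteration step makes is the one practitioners most often get wrong: encryption alone does not give integrity. Eve turns “$1” into “$9” without knowing the key, and only the MAC check in `unprotect` catches it. The challenge-response step shows why authentication needs a fresh nonce: Eve may replay “I'm Bob”, but she cannot compute the answer to a challenge she has never seen.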


Network Penetration Attacks and Firewalls
[Figure: an attacker on the Internet sends an attack packet toward the internal corporate network; the Internet firewall drops the attack packet and records it in a log file, while legitimate packets are passed through to the hardened client PC and hardened server inside.]
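The pass/drop/log behavior of the firewall in the figure, as a small stateless packet filter in Python. This is an added example, not code from the original slides or from any real firewall product. The addresses (172.16.0.0/12 as the corporate range, in line with the 172.16.99.x hosts the later slides use; 172.16.99.10 as the web server; 172.16.99.53 as the outside DNS server), the rule set and the sample packets are all assumptions constructed for the demo.

```python
"""Stateless packet filter: first-match rules, default deny, every decision logged.

Added teaching example. Addresses and rules are assumptions for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "drop"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None = any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


INTERNAL = "172.16.0.0/12"       # assumed corporate range
WEB_SERVER = "172.16.99.10/32"   # assumed hardened web server
DNS_SERVER = "172.16.99.53/32"   # assumed outside DNS

# Rules applied to packets arriving on the Internet-facing interface, first match wins.
RULES: List[Rule] = [
    # Anti-spoofing: nothing arriving from the Internet may claim an internal source.
    Rule("drop", "any", INTERNAL, "0.0.0.0/0", None, "spoofed internal source"),
    Rule("pass", "tcp", "0.0.0.0/0", WEB_SERVER, 80, "public web"),
    Rule("pass", "tcp", "0.0.0.0/0", WEB_SERVER, 443, "public web (TLS)"),
    Rule("pass", "udp", "0.0.0.0/0", DNS_SERVER, 53, "outside DNS"),
    # No final rule: anything unmatched falls through to default deny below.
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, log line). Unmatched packets are dropped and logged."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, f"{r.action.upper()} rule={i} ({r.comment}) {p.proto} {p.src} -> {p.dst}:{p.dport}"
    return "drop", f"DROP default-deny {p.proto} {p.src} -> {p.dst}:{p.dport}"


def run_filter(packets: List[Packet], rules: List[Rule] = RULES) -> Tuple[List[Packet], List[str]]:
    """Apply the rule set to a batch; returns the passed packets and the full log."""
    passed, log = [], []
    for p in packets:
        action, line = filter_packet(p, rules)
        log.append(line)
        if action == "pass":
            passed.append(p)
    return passed, log


# Constructed sample traffic (addresses from documentation ranges).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "172.16.99.10", "tcp", 443),   # customer browsing the store: pass
    Packet("203.0.113.5", "172.16.99.10", "tcp", 23),     # telnet to the web server: default deny
    Packet("172.16.99.4", "172.16.99.10", "tcp", 80),     # spoofed internal source from outside: drop
    Packet("198.51.100.7", "172.16.99.53", "udp", 53),    # DNS query to the outside DNS: pass
]

if __name__ == "__main__":
    _, log = run_filter(SAMPLE_PACKETS)
    print("\n".join(log))
```

Two details carry the security weight: the rule order (the anti-spoofing drop comes before any pass rule, because a later pass to port 80 would otherwise let a packet with a forged internal source through) and the default-deny fallthrough, which is what turns the attacker's telnet probe into a dropped, logged packet rather than a connection.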


Scanning (Probing) Attacks
[Figure: the attacker sends probe packets to 172.16.99.1, 172.16.99.2, etc. on the corporate network. Host 172.16.99.1 replies; there is no host at 172.16.99.2, so no reply. Results: 172.16.99.1 is reachable, 172.16.99.2 is not reachable, …]


Single-Message Break-In Attack
[Figure: 1. the attacker sends a single break-in packet; 2. the server is taken over by that single message.]


Denial-of-Service (DoS) Flooding Attack
[Figure: the attacker sends a message flood; the server is overloaded by the flood.]


Intrusion Detection System (IDS)
[Figure: 1. the attacker on the Internet sends a suspicious packet; 2. the firewall passes the suspicious packet into the corporate network toward the hardened server; 3. the IDS logs the suspicious packet to a log file; 4. the IDS raises an alarm to the network administrator.]
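The log-and-alarm step of the IDS figure, applied to the scanning (probing) attack of the earlier slide: a detector that reads firewall-style log lines and raises an alarm when one source probes many hosts (a horizontal scan) or many ports on one host (a vertical scan) inside a short window. This is an added example, not code from the original slides or from any IDS product. The log line format, the 60-second window, the thresholds and the sample log lines are assumptions constructed for the demo.

```python
"""Scan detector over firewall log lines: parse, count, alarm.

Added teaching example. Log format, window and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format: "<ISO timestamp> <PASS|DROP> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(\S+) (PASS|DROP) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None for junk so a bad line cannot crash the detector."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, _sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}


def detect_scans(lines: List[str], window: timedelta = timedelta(seconds=60),
                 host_threshold: int = 5, port_threshold: int = 10) -> List[Dict]:
    """Sliding-window scan detection per source address.

    horizontal scan: >= host_threshold distinct destination hosts within `window`
    vertical scan:   >= port_threshold distinct ports on one host within `window`
    Each (source, kind) alarms once, at the moment the threshold is first crossed.
    """
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts, raised = [], set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:   # slide the window forward
                start += 1
            win = events[start:end + 1]
            hosts = {e["dst"] for e in win}
            if len(hosts) >= host_threshold and (src, "horizontal scan") not in raised:
                raised.add((src, "horizontal scan"))
                alerts.append({"src": src, "kind": "horizontal scan",
                               "count": len(hosts), "at": ev["ts"]})
            ports_by_dst: Dict[str, set] = defaultdict(set)
            for e in win:
                ports_by_dst[e["dst"]].add(e["dport"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold and (src, "vertical scan") not in raised:
                    raised.add((src, "vertical scan"))
                    alerts.append({"src": src, "kind": "vertical scan", "dst": dst,
                                   "count": len(ports), "at": ev["ts"]})
    return alerts


# Constructed sample log: one normal customer, one host sweep, one port sweep, one junk line.
SAMPLE_LOG = (
    ["2006-03-14T10:22:00 PASS tcp 198.51.100.7:51000 -> 172.16.99.10:443"]
    + [f"2006-03-14T10:22:{i:02d} DROP tcp 203.0.113.5:40123 -> 172.16.99.{i + 1}:22"
       for i in range(6)]
    + [f"2006-03-14T10:25:{i:02d} DROP tcp 203.0.113.9:44001 -> 172.16.99.10:{port}"
       for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + ["this line is not a firewall record"]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"ALARM {a['at']} {a['kind']} from {a['src']} ({a['count']} targets)")
```

Note what this detector does and does not see. It alarms on the probing pattern even though every individual probe was already dropped by the firewall, which is exactly the division of labor in the figure: the firewall decides per packet, the IDS reasons over many packets and tells the administrator. It will not, on its own, notice a slow scan spread over hours, which is why the window and thresholds are tuning parameters rather than fixed truths.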


What Are the Types of Security Threats?
Service disruption and interruption: compromises the service's availability.
Interception: compromises confidentiality.
Modification: compromises integrity.
Fabrication: compromises authenticity.
Often you will see the security services summarized into three categories, C.I.A.: Confidentiality, Integrity, Availability. In this model, authenticity is a subset of integrity.


What Are the Types of Security Threats?
These threats can be realized by two types of attack: passive and active.
Passive attacks: attacks that do not require modification of the data (e.g., eavesdropping).
Active attacks: attacks that do require modification of the data or of the data flow.
Which one is harder to notice? (Yes, I know it's obvious…)


Layered Security Architecture
As we have seen in the previous slides, the security services that must be provided are numerous and diverse. Just as with a “real-world” bank, our web servers and our networks can have many vulnerabilities, and these vulnerabilities can be located in many layers of the architecture.

We need to practice a “security in depth” approach: security considerations and services must be present at each and every level of the components.

Rule: when analyzing the quality of your security infrastructure, always assume that one full security layer/function will entirely fail. Are you still secure? Where are your areas of vulnerability? How long would it take you to detect the failure?

Vulnerabilities and security services involve all 7 layers of the OSI model. Security is also greatly dependent on the OSI's “Layer 8” (the people).

The balance between the threat to a system and the security services deployed is very asymmetric: you need to defend each and every aspect to be successful; an attacker often needs to defeat only one to succeed.

Let's look at an example of an e-commerce site and discuss what can go wrong and where.


Layered Security Architecture
[Figure: My-store.com e-commerce infrastructure. Internet users, the ISP DNS and the intruder/threat/opponent reach the site through a router and a firewall; on the Ethernet segment behind it sit the mail relay, the outside DNS and the e-commerce web server; behind a second firewall are the inside DNS, the inside mail server and the database server, plus a router with WAN links to remote offices.]


Layered Security Architecture: areas that can “go wrong”:
Incorrect firewall configuration.
Web and back-end servers not hardened: known vulnerabilities, default accounts/passwords, lack of granularity in security, lack of logging and auditing.
Back-end database servers accept any request from any source.
Lack of an intrusion detection system.
Lack of integrity-checking tools.
Router forwards packets improperly.
Unnecessary protocols and services running.
Improper patching and updating of patches.
Bugs and vulnerabilities in third-party software/applications.
Bugs and vulnerabilities in in-house developed applications.
Bugs and vulnerabilities in toolkits used to build in-house applications.
Improper implementation of an application: test user IDs not cleaned out, developer user IDs not cleaned out.
Presence of Trojans, malware and backdoors.
How do I know the remote offices do not represent a threat?

And I am sure we can add a lot more to the list…


Layered Security Architecture

To prevent attacks, an enterprise needs to build a complete and comprehensive security architecture using tools, methods and techniques that individually target some threats and work in an integrated fashion to provide a complete enterprise framework for secure computing.

One missing “piece” or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls?

The goal of this class will be to present the aspects that most impact network security within that framework.

Example of these tools and methods are presented in Unit 2.


Other References and Useful Resources

CERT – www.cert.org
SANS – www.sans.org
CIAC – http://www.ciac.org/ciac/
NSA Guidelines – http://www.nsa.gov/snac/