Posted 02-Mar-2018, uploaded by deepak-pandey
unit5_system_security.pdf (77 slides)

UNIT 5: SYSTEM SECURITY

- Intruders
- Intrusion detection systems
- Viruses and related threats; countermeasures
- Firewall design principles
- Trusted systems
- Practical implementation of cryptography and security

Slides courtesy of William Stallings, Cryptography & Network Security, Pearson Education, 4th Edition

Chapter 1: Intruders
Intrusion detection systems

Intruders

- a significant issue for networked systems is hostile or unwanted access
  - either via network or local
- can identify classes of intruders:
  - masquerader
  - misfeasor
  - clandestine user
- varying levels of competence

Intruders

- clearly a growing, publicized problem
  - from the "Wily Hacker" in 1986/87
  - to clearly escalating CERT stats
- may seem benign, but still cost resources
- may use compromised system to launch other attacks
- awareness of intruders has led to the development of CERTs

Intrusion Techniques

- aim to gain access and/or increase privileges on a system
- basic attack methodology
  - target acquisition and information gathering
  - initial access
  - privilege escalation
  - covering tracks
- key goal often is to acquire passwords
  - so then exercise access rights of owner

Password Guessing

- one of the most common attacks
- attacker knows a login (from email/web page etc.)
  - then attempts to guess password for it
  - defaults, short passwords, common word searches
  - user info (variations on names, birthday, phone, common words/interests)
  - exhaustively searching all possible passwords
- check by login or against stolen password file
- success depends on password chosen by user
  - surveys show many users choose poorly

Password Capture

- another attack involves password capture
  - watching over shoulder as password is entered
  - using a trojan horse program to collect
  - monitoring an insecure network login, e.g. telnet, FTP, web, email
  - extracting recorded info after successful login (web history/cache, last number dialed etc.)
- using valid login/password can impersonate user
- users need to be educated to use suitable precautions/countermeasures

Intrusion Detection

- inevitably will have security failures
- so need also to detect intrusions so can
  - block if detected quickly
  - act as deterrent
  - collect info to improve security
- assume intruder will behave differently to a legitimate user
  - but will have imperfect distinction between

Approaches to Intrusion Detection

- statistical anomaly detection
  - threshold
  - profile based
- rule based detection
  - anomaly
  - penetration identification

Audit Records

- fundamental tool for intrusion detection
- native audit records
  - part of all common multiuser O/S
  - already present for use
  - may not have info wanted in desired form
- detection-specific audit records
  - created specifically to collect wanted info
  - at cost of additional overhead on system

Statistical Anomaly Detection

- threshold detection
  - count occurrences of specific event over time
  - if exceed reasonable value assume intrusion
  - alone is a crude & ineffective detector
- profile based
  - characterize past behavior of users
  - detect significant deviations from this
  - profile usually multi-parameter

Audit Record Analysis

- foundation of statistical approaches
- analyze records to get metrics over time
  - counter, gauge, interval timer, resource use
- use various tests on these to determine if current behavior is acceptable
  - mean & standard deviation, multivariate, Markov process, time series, operational
- key advantage is no prior knowledge used

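The two statistical approaches of the last three slides, threshold detection on a counter metric and a profile-based mean-and-standard-deviation test, as an added example that is not part of the original slides; the per-user audit counts and the 3-sigma threshold are constructed for illustration.

```python
import statistics

# Constructed audit data (not from the slides): per-user daily counts of
# one counter metric, e.g. failed logins per day, over the last ten days.
HISTORY = {
    "alice": [1, 0, 2, 1, 0, 1, 2, 1, 0, 1],
    "bob":   [0, 0, 1, 0, 0, 0, 1, 0, 0, 0],
}


def build_profile(samples):
    """Characterise a user's past behaviour as (mean, population stddev)."""
    return statistics.mean(samples), statistics.pstdev(samples)


def z_score(value, profile):
    """How many standard deviations today's value lies from the profile mean."""
    mean, sd = profile
    if sd == 0:  # flat history: any change at all is a deviation
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def is_anomalous(value, profile, threshold=3.0):
    """Mean-and-standard-deviation test: flag significant deviations."""
    return abs(z_score(value, profile)) > threshold


def threshold_detector(samples, limit):
    """The cruder threshold test: alarm whenever a count exceeds a fixed
    limit, regardless of who the user is or what is normal for them."""
    return [count > limit for count in samples]


def analyse_day(today, history, threshold=3.0):
    """Return {user: z-score} for users whose metric today deviates
    significantly from their own profile; no prior knowledge of attacks."""
    flagged = {}
    for user, value in today.items():
        profile = build_profile(history[user])
        if is_anomalous(value, profile, threshold):
            flagged[user] = round(z_score(value, profile), 2)
    return flagged


if __name__ == "__main__":
    print(analyse_day({"alice": 15, "bob": 0}, HISTORY))
```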
Rule-Based Intrusion Detection

- observe events on system & apply rules to decide if activity is suspicious or not
- rule-based anomaly detection
  - analyze historical audit records to identify usage patterns & auto-generate rules for them
  - then observe current behavior & match against rules to see if conforms
  - like statistical anomaly detection does not require prior knowledge of security flaws

Rule-Based Intrusion Detection

- rule-based penetration identification
  - uses expert systems technology
  - with rules identifying known penetration, weakness patterns, or suspicious behavior
  - compare audit records or states against rules
  - rules usually machine & O/S specific
  - rules are generated by experts who interview & codify knowledge of security admins
  - quality depends on how well this is done

Base Rate Fallacy

- practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
  - if too few intrusions detected -> false security
  - if too many false alarms -> ignore/waste time
- this is very hard to do
- existing systems seem not to have a good record

Distributed Intrusion Detection

- traditional focus is on single systems
- but typically have networked systems
- more effective defense has these working together to detect intrusions
- issues
  - dealing with varying audit record formats
  - integrity & confidentiality of networked data
  - centralized or decentralized architecture

Distributed Intrusion Detection Architecture [figure]

Distributed Intrusion Detection Agent Implementation [figure]

Honeypots

- decoy systems to lure attackers
  - away from accessing critical systems
  - to collect information of their activities
  - to encourage attacker to stay on system so administrator can respond
- are filled with fabricated information
- instrumented to collect detailed information on attackers' activities
- single or multiple networked systems
- cf. IETF Intrusion Detection WG standards

Summary

- have considered:
  - problem of intrusion
  - intrusion detection (statistical & rule-based)
  - password management

Chapter 2: Viruses and Other Malicious Content
Virus and related threats; countermeasures

Viruses and Other Malicious Content

- computer viruses have got a lot of publicity
- one of a family of malicious software
- effects usually obvious
- have figured in news reports, fiction, movies (often exaggerated)
- getting more attention than deserve
- are a concern though

Malicious Software [figure]

Backdoor or Trapdoor

- secret entry point into a program
- allows those who know access, bypassing usual security procedures
- have been commonly used by developers
- a threat when left in production programs, allowing exploitation by attackers
- very hard to block in O/S
- requires good s/w development & update

Logic Bomb

- one of oldest types of malicious software
- code embedded in legitimate program
- activated when specified conditions met
  - e.g. presence/absence of some file
  - particular date/time
  - particular user
- when triggered typically damage system
  - modify/delete files/disks, halt machine, etc.

Trojan Horse

- program with hidden side-effects
- which is usually superficially attractive
  - e.g. game, s/w upgrade etc.
- when run performs some additional tasks
  - allows attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor
- or simply to destroy data

Zombie

- program which secretly takes over another networked computer
- then uses it to indirectly launch attacks
- often used to launch distributed denial of service (DDoS) attacks
- exploits known flaws in network systems

Viruses

- a piece of self-replicating code attached to some other code
  - cf. biological virus
- both propagates itself & carries a payload
  - carries code to make copies of itself
  - as well as code to perform some covert task

Virus Operation

- virus phases:
  - dormant: waiting on trigger event
  - propagation: replicating to programs/disks
  - triggering: by event to execute payload
  - execution: of payload
- details usually machine/OS specific
  - exploiting features/weaknesses

Virus Structure

    program V :=
      {goto main;
       1234567;
       subroutine infect-executable :=
         {loop:
          file := get-random-executable-file;
          if (first-line-of-file = 1234567)
            then goto loop
            else prepend V to file;}
       subroutine do-damage :=
         {whatever damage is to be done}
       subroutine trigger-pulled :=
         {return true if condition holds}
       main: main-program :=
         {infect-executable;
          if trigger-pulled then do-damage;
          goto next;}
       next:}

Types of Viruses

- can classify on basis of how they attack
  - parasitic virus
  - memory-resident virus
  - boot sector virus
  - stealth
  - polymorphic virus
  - metamorphic virus

Macro Virus

- macro code attached to some data file
- interpreted by program using file
  - e.g. Word/Excel macros
  - esp. using auto command & command macros
- code is now platform independent
- is a major source of new viral infections
- blur distinction between data and program files
- classic trade-off: "ease of use" vs "security"
- have improving security in Word etc.
- are no longer dominant virus threat

Email Virus

- spread using email with attachment containing a macro virus
  - cf. Melissa
- triggered when user opens attachment
  - or worse even when viewed by using scripting features in mail agent
- hence propagate very quickly
- usually targeted at Microsoft Outlook mail agent & Word/Excel documents
- need better O/S & application security

Worm Operation

- worm phases like those of viruses:
  - dormant
  - propagation
    - search for other systems to infect
    - establish connection to target remote system
    - replicate self onto remote system
  - triggering
  - execution

Morris Worm

- best known classic worm
- released by Robert Morris in 1988
- targeted Unix systems
- using several propagation techniques
  - simple password cracking of local pw file
  - exploit bug in finger daemon
  - exploit debug trapdoor in sendmail daemon
- if any attack succeeds then replicated self

Recent Worm Attacks

- new spate of attacks from mid-2001
- Code Red used MS IIS bug
  - probes random IPs for systems running IIS
  - had trigger time for denial-of-service attack
  - 2nd wave infected 360000 servers in 14 hours
- Code Red 2 installed backdoor
- Nimda multiple infection mechanisms
- SQL Slammer attacked MS SQL server
- Sobig.f attacked open proxy servers
- Mydoom mass email worm + backdoor

Worm Technology

- multiplatform
- multi-exploit
- ultrafast spreading
- polymorphic
- metamorphic
- transport vehicles
- zero-day exploit

Virus Countermeasures

- best countermeasure is prevention
- but in general not possible
- hence need to do one or more of:
  - detection of viruses in infected system
  - identification of specific infecting virus
  - removal: restoring system to clean state

Anti-Virus Software

- first generation
  - scanner uses virus signature to identify virus
  - or change in length of programs
- second generation
  - uses heuristic rules to spot viral infection
  - or uses crypto hash of program to spot changes
- third generation
  - memory-resident programs identify virus by actions
- fourth generation
  - packages with a variety of antivirus techniques
  - e.g. scanning & activity traps, access controls
- arms race continues

Advanced Anti-Virus Techniques

- generic decryption
  - use CPU simulator to check program signature & behavior before actually running it
- digital immune system (IBM)
  - general purpose emulation & virus detection
  - any virus entering org is captured, analyzed, detection/shielding created for it, removed

Digital Immune System [figure]

Behavior-Blocking Software

- integrated with host O/S
- monitors program behavior in real time
  - e.g. file access, disk format, executable mods, system settings changes, network access
- for possibly malicious actions
  - if detected can block, terminate, or seek ok
- has advantage over scanners
- but malicious code runs before detection

Distributed Denial of Service Attacks (DDoS)

- Distributed Denial of Service (DDoS) attacks form a significant security threat
- making networked systems unavailable
- by flooding with useless traffic
- using large numbers of zombies
- growing sophistication of attacks
- defense technologies struggling to cope

Distributed Denial of Service Attacks (DDoS) [figure]

Constructing the DDoS Attack Network

- must infect large number of zombies
- needs:
  1. software to implement the DDoS attack
  2. an unpatched vulnerability on many systems
  3. scanning strategy to find vulnerable systems
     - random, hit list, topological, local subnet

DDoS Countermeasures

- three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source traceback & identification (after)
- huge range of attack possibilities
- hence evolving countermeasures

Summary

- have considered:
  - various malicious programs
  - trapdoor, logic bomb, trojan horse, zombie
  - viruses
  - worms
  - countermeasures
  - distributed denial of service attacks

Chapter 3: Firewalls

Introduction

- seen evolution of information systems
- now everyone wants to be on the Internet
- and to interconnect networks
- has persistent security concerns
  - can't easily secure every system in org
- typically use a firewall
- to provide perimeter defence
- as part of comprehensive security strategy

What is a Firewall?

- a choke point of control and monitoring
- interconnects networks with differing trust
- imposes restrictions on network services
  - only authorized traffic is allowed
- auditing and controlling access
  - can implement alarms for abnormal behavior
- provide NAT & usage monitoring
- implement VPNs using IPSec
- must be immune to penetration

Firewall Limitations

- cannot protect from attacks bypassing it
  - e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)
- cannot protect against internal threats
  - e.g. disgruntled or colluding employees
- cannot protect against transfer of all virus infected programs or files
  - because of huge range of O/S & file types

Firewalls: Packet Filters

- simplest, fastest firewall component
- foundation of any firewall system
- examine each IP packet (no context) and permit or deny according to rules
- hence restrict access to services (ports)
- possible default policies
  - that not expressly permitted is prohibited
  - that not expressly prohibited is permitted

Firewalls: Packet Filters [figure]

Firewalls: Packet Filters [figure]

Attacks on Packet Filters

- IP address spoofing
  - fake source address to be trusted
  - add filters on router to block
- source routing attacks
  - attacker sets a route other than default
  - block source routed packets
- tiny fragment attacks
  - split header info over several tiny packets
  - either discard or reassemble before check

Firewalls: Stateful Packet Filters

- traditional packet filters do not examine higher layer context
  - i.e. matching return packets with outgoing flow
- stateful packet filters address this need
- they examine each IP packet in context
  - keep track of client-server sessions
  - check each packet validly belongs to one
- hence are better able to detect bogus packets out of context

Firewalls: Application Level Gateway (or Proxy)

- have application specific gateway/proxy
- has full access to protocol
  - user requests service from proxy
  - proxy validates request as legal
  - then actions request and returns result to user
- can log/audit traffic at application level
- need separate proxies for each service
  - some services naturally support proxying
  - others are more problematic

Firewalls: Application Level Gateway (or Proxy) [figure]

Firewalls: Circuit Level Gateway

- relays two TCP connections
- imposes security by limiting which such connections are allowed
- once created usually relays traffic without examining contents
- typically used when trust internal users by allowing general outbound connections
- SOCKS is commonly used

Firewalls: Circuit Level Gateway [figure]

Bastion Host

- highly secure host system
- runs circuit / application level gateways
- or provides externally accessible services
- potentially exposed to "hostile" elements
- hence is secured to withstand this
  - hardened O/S, essential services, extra auth
  - proxies small, secure, independent, non-privileged
- may support 2 or more net connections
- may be trusted to enforce policy of trusted separation between these net connections

Firewall Configurations [figure]

Firewall Configurations [figure]

Firewall Configurations [figure]

Access Control

- given system has identified a user
- determine what resources they can access
- general model is that of access matrix with
  - subject: active entity (user, process)
  - object: passive entity (file or resource)
  - access right: way object can be accessed
- can decompose by
  - columns as access control lists
  - rows as capability tickets

Access Control Matrix [figure]

Trusted Computer Systems

- information security is increasingly important
- have varying degrees of sensitivity of information
  - cf. military info classifications: confidential, secret etc.
- subjects (people or programs) have varying rights of access to objects (information)
- known as multilevel security
  - subjects have maximum & current security level
  - objects have a fixed security level classification
- want to consider ways of increasing confidence in systems to enforce these rights

Bell-LaPadula (BLP) Model

- one of the most famous security models
- implemented as mandatory policies on system
- has two key policies:
  - no read up (simple security property)
    - a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
  - no write down (*-property)
    - a subject can only append/write to an object if the current security level of the subject is dominated by (

Reference Monitor [figure]

Evaluated Computer Systems

- governments can evaluate IT systems
- against a range of standards:
  - TCSEC, IPSEC and now Common Criteria
- define a number of levels of evaluation with increasingly stringent checking
- have published lists of evaluated products
  - though aimed at government/defense use
  - can be useful in industry also

Common Criteria

- international initiative specifying security requirements & defining evaluation criteria
- incorporates earlier standards
  - e.g. CSEC, ITSEC, CTCPEC (Canadian), Federal (US)
- specifies standards for
  - evaluation criteria
  - methodology for application of criteria
  - administrative procedures for evaluation, certification and accreditation schemes

Common Criteria

- defines set of security requirements
- have a Target Of Evaluation (TOE)
- requirements fall in two categories
  - functional
  - assurance
- both organised in classes of families & components

Common Criteria Requirements

- Functional Requirements
  - security audit, crypto support, communications, user data protection, identification & authentication, security management, privacy, protection of trusted security functions, resource utilization, TOE access, trusted path
- Assurance Requirements
  - configuration management, delivery & operation, development, guidance documents, lifecycle support, tests, vulnerability assessment, assurance maintenance

Common Criteria [figure]

Common Criteria [figure]

Summary

- have considered:
  - firewalls
  - types of firewalls
  - configurations
  - access control
  - trusted systems
  - common criteria