
unit5_system_security.pdf

Date post: 02-Mar-2018
Upload: deepak-pandey

Transcript
  • 7/26/2019 unit5_system_security.pdf

    1/77

    UNIT 5 SYSTEM SECURITY

    Intruder

    Intrusion detection system

    Virus and related threats

    Countermeasures

    Firewalls design principles

    Trusted systems

    Practical implementation of cryptography and security

    Slides courtesy of William Stallings, Cryptography & Network Security, Pearson Education, 4th Edition

  • 7/26/2019 unit5_system_security.pdf

    2/77

    Chapter 1 Intruders

    Intrusion detection system

  • 7/26/2019 unit5_system_security.pdf

    3/77

    Intruders

    significant issue for networked systems is hostile or unwanted access

    either via network or local

    can identify classes of intruders: masquerader, misfeasor, clandestine user

    varying levels of competence

  • 7/26/2019 unit5_system_security.pdf

    4/77

    Intruders

    clearly a growing publicized problem

    from Wily Hacker in 1986/87

    to clearly escalating CERT stats

    may seem benign, but still cost resources

    may use compromised system to launch other attacks

    awareness of intruders has led to the development of CERTs

  • 7/26/2019 unit5_system_security.pdf

    5/77

    Intrusion Techniques

    aim to gain access and/or increase privileges on a system

    basic attack methodology: target acquisition and information gathering; initial access; privilege escalation; covering tracks

    key goal often is to acquire passwords

    so then exercise access rights of owner

  • 7/26/2019 unit5_system_security.pdf

    6/77

    Password Guessing

    one of the most common attacks

    attacker knows a login (from email/web page etc)

    then attempts to guess password for it

    defaults, short passwords, common word searches

    user info (variations on names, birthday, phone, common words/interests)

    exhaustively searching all possible passwords

    check by login or against stolen password file

    success depends on password chosen by user

    surveys show many users choose poorly

  • 7/26/2019 unit5_system_security.pdf

    7/77

    Password Capture

    another attack involves password capture

    watching over shoulder as password is entered

    using a trojan horse program to collect

    monitoring an insecure network login, eg telnet, FTP, web, email

    extracting recorded info after successful login (web history/cache, last number dialed etc)

    using valid login/password can impersonate user

    users need to be educated to use suitable precautions/countermeasures

  • 7/26/2019 unit5_system_security.pdf

    8/77

    Intrusion Detection

    inevitably will have security failures

    so need also to detect intrusions so can: block if detected quickly; act as deterrent; collect info to improve security

    assume intruder will behave differently to a legitimate user

    but will have imperfect distinction between

  • 7/26/2019 unit5_system_security.pdf

    9/77

    Approaches to Intrusion Detection

    statistical anomaly detection: threshold; profile based

    rule-based detection: anomaly; penetration identification

  • 7/26/2019 unit5_system_security.pdf

    10/77

    Audit Records

    fundamental tool for intrusion detection

    native audit records: part of all common multi-user O/S; already present for use; may not have info wanted in desired form

    detection-specific audit records: created specifically to collect wanted info; at cost of additional overhead on system

  • 7/26/2019 unit5_system_security.pdf

    11/77

    Statistical Anomaly Detection

    threshold detection: count occurrences of specific event over time; if exceed reasonable value assume intrusion; alone is a crude & ineffective detector

    profile based: characterize past behavior of users; detect significant deviations from this; profile usually multi-parameter

  • 7/26/2019 unit5_system_security.pdf

    12/77

    Audit Record Analysis

    foundation of statistical approaches

    analyze records to get metrics over time: counter, gauge, interval timer, resource use

    use various tests on these to determine if current behavior is acceptable: mean & standard deviation, multivariate, markov process, time series, operational

    key advantage is no prior knowledge used
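
The two statistical approaches above, as an added example that is not part of the original slides: threshold detection counts one event type per subject, and a profile-based test applies the mean and standard deviation check to a gauge metric. The audit record fields, user names, sample values and the limits (3 failures, 3 sigma) are assumptions made for illustration.

```python
"""Threshold and profile-based anomaly detection over constructed audit data."""
from collections import Counter
from statistics import mean, stdev

# Constructed audit records, one per event: (subject, action, outcome).
AUDIT_LOG = [
    ("alice", "login", "ok"),
    ("bob", "login", "fail"),
    ("bob", "login", "fail"),
    ("bob", "login", "fail"),
    ("bob", "login", "fail"),
    ("bob", "login", "ok"),
    ("carol", "login", "fail"),
    ("carol", "login", "ok"),
]

# Constructed history of a gauge metric (files read per session) per user.
HISTORY = {
    "alice": [20, 25, 22, 19, 24, 21, 23],
    "carol": [5, 7, 6, 5, 8, 6, 7],
}


def threshold_alerts(records, action="login", outcome="fail", limit=3):
    """Threshold detection: count one event type per subject over the
    window and flag subjects whose count exceeds a fixed limit."""
    counts = Counter(s for s, a, o in records if a == action and o == outcome)
    return sorted(s for s, n in counts.items() if n > limit)


def build_profile(samples):
    """Profile of past behaviour: mean and standard deviation of a metric."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate deviation")
    return mean(samples), stdev(samples)


def deviates(profile, observed, k=3.0):
    """Flag a value more than k standard deviations from the subject's
    own mean. A zero-variance profile flags any change at all."""
    mu, sigma = profile
    if sigma == 0:
        return observed != mu
    return abs(observed - mu) / sigma > k


def profile_alerts(history, today, k=3.0):
    """Compare today's per-user metric with each user's own profile."""
    alerts = []
    for user, observed in sorted(today.items()):
        if user not in history:
            alerts.append((user, "no profile"))  # cannot judge, so surface it
        elif deviates(build_profile(history[user]), observed, k):
            alerts.append((user, "deviation"))
    return alerts


if __name__ == "__main__":
    print(threshold_alerts(AUDIT_LOG))
    print(profile_alerts(HISTORY, {"alice": 23, "carol": 40, "dave": 3}))
```

A single global threshold on files read would have to sit above alice's normal 19 to 25, so it would also have to tolerate much of carol's jump; the per-user profile flags carol's 40 because it is judged against her own history.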

  • 7/26/2019 unit5_system_security.pdf

    13/77

    Rule-Based Intrusion Detection

    observe events on system & apply rules to decide if activity is suspicious or not

    rule-based anomaly detection

    analyze historical audit records to identify usage patterns & auto-generate rules for them

    then observe current behavior & match against rules to see if conforms

    like statistical anomaly detection does not require prior knowledge of security flaws

  • 7/26/2019 unit5_system_security.pdf

    14/77

    Rule-Based Intrusion Detection

    rule-based penetration identification

    uses expert systems technology

    with rules identifying known penetration, weakness patterns, or suspicious behavior

    compare audit records or states against rules

    rules usually machine & O/S specific

    rules are generated by experts who interview & codify knowledge of security admins

    quality depends on how well this is done

  • 7/26/2019 unit5_system_security.pdf

    15/77

    Base-Rate Fallacy

    practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms

    if too few intrusions detected -> false security

    if too many false alarms -> ignore / waste time

    this is very hard to do

    existing systems seem not to have a good record

  • 7/26/2019 unit5_system_security.pdf

    16/77

    Distributed Intrusion Detection

    traditional focus is on single systems

    but typically have networked systems

    more effective defense has these working together to detect intrusions

    issues: dealing with varying audit record formats; integrity & confidentiality of networked data; centralized or decentralized architecture

  • 7/26/2019 unit5_system_security.pdf

    17/77

    Distributed Intrusion Detection - Architecture

  • 7/26/2019 unit5_system_security.pdf

    18/77

    Distributed Intrusion Detection - Agent Implementation

  • 7/26/2019 unit5_system_security.pdf

    19/77

    Honeypots

    decoy systems to lure attackers: away from accessing critical systems; to collect information of their activities; to encourage attacker to stay on system so administrator can respond

    are filled with fabricated information

    instrumented to collect detailed information on attackers activities

    single or multiple networked systems

    cf IETF Intrusion Detection WG standards

  • 7/26/2019 unit5_system_security.pdf

    20/77

    Summary

    have considered:

    problem of intrusion

    intrusion detection (statistical & rule-based)

    password management

  • 7/26/2019 unit5_system_security.pdf

    21/77

    Chapter 2 Viruses and Other Malicious Content

    Virus and related threats

    Countermeasures

  • 7/26/2019 unit5_system_security.pdf

    22/77

    Viruses and Other Malicious Content

    computer viruses have got a lot of publicity

    one of a family of malicious software

    effects usually obvious

    have figured in news reports, fiction, movies (often exaggerated)

    getting more attention than deserve

    are a concern though

  • 7/26/2019 unit5_system_security.pdf

    23/77

    Malicious Software

  • 7/26/2019 unit5_system_security.pdf

    24/77

    Backdoor or Trapdoor

    secret entry point into a program

    allows those who know access bypassing usual security procedures

    have been commonly used by developers

    a threat when left in production programs allowing exploited by attackers

    very hard to block in O/S

    requires good s/w development & update

  • 7/26/2019 unit5_system_security.pdf

    25/77

    Logic Bomb

    one of oldest types of malicious software

    code embedded in legitimate program

    activated when specified conditions met: eg presence/absence of some file; particular date/time; particular user

    when triggered typically damage system: modify/delete files/disks, halt machine, etc

  • 7/26/2019 unit5_system_security.pdf

    26/77

    Trojan Horse

    program with hidden side-effects

    which is usually superficially attractive, eg game, s/w upgrade etc

    when run performs some additional tasks

    allows attacker to indirectly gain access they do not have directly

    often used to propagate a virus/worm or install a backdoor

    or simply to destroy data

  • 7/26/2019 unit5_system_security.pdf

    27/77

    Zombie

    program which secretly takes over another networked computer

    then uses it to indirectly launch attacks

    often used to launch distributed denial of service (DDoS) attacks

    exploits known flaws in network systems

  • 7/26/2019 unit5_system_security.pdf

    28/77

    Viruses

    a piece of self-replicating code attached to some other code

    cf biological virus

    both propagates itself & carries a payload

    carries code to make copies of itself

    as well as code to perform some covert task

  • 7/26/2019 unit5_system_security.pdf

    29/77

    Virus Operation

    virus phases:

    dormant - waiting on trigger event

    propagation - replicating to programs/disks

    triggering - by event to execute payload

    execution - of payload

    details usually machine/OS specific

    exploiting features/weaknesses

  • 7/26/2019 unit5_system_security.pdf

    30/77

    Virus Structure

    program V :=
    {goto main;
     1234567;
     subroutine infect-executable :=
       {loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567) then goto loop
        else prepend V to file;}
     subroutine do-damage :=
       {whatever damage is to be done}
     subroutine trigger-pulled :=
       {return true if condition holds}
     main: main-program :=
       {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}
     next:
    }

  • 7/26/2019 unit5_system_security.pdf

    31/77

    Types of Viruses

    can classify on basis of how they attack

    parasitic virus

    memory-resident virus

    boot sector virus

    stealth

    polymorphic virus

    metamorphic virus

  • 7/26/2019 unit5_system_security.pdf

    32/77

    Macro Virus

    macro code attached to some data file

    interpreted by program using file, eg Word/Excel macros

    esp. using auto command & command macros

    code is now platform independent

    is a major source of new viral infections

    blur distinction between data and program files

    classic trade-off: "ease of use" vs "security"

    have improving security in Word etc

    are no longer dominant virus threat

  • 7/26/2019 unit5_system_security.pdf

    33/77

    Email Virus

    spread using email with attachment containing a macro virus

    cf Melissa

    triggered when user opens attachment

    or worse even when mail viewed by using scripting features in mail agent

    hence propagate very quickly

    usually targeted at Microsoft Outlook mail agent & Word/Excel documents

    need better O/S & application security

  • 7/26/2019 unit5_system_security.pdf

    34/77

  • 7/26/2019 unit5_system_security.pdf

    35/77

    Worm Operation

    worm phases like those of viruses:

    dormant

    propagation: search for other systems to infect; establish connection to target remote system; replicate self onto remote system

    triggering

    execution

  • 7/26/2019 unit5_system_security.pdf

    36/77

    Morris Worm

    best known classic worm

    released by Robert Morris in 1988

    targeted Unix systems

    using several propagation techniques: simple password cracking of local pw file; exploit bug in finger daemon; exploit debug trapdoor in sendmail daemon

    if any attack succeeds then replicated self

  • 7/26/2019 unit5_system_security.pdf

    37/77

    Recent Worm Attacks

    new spate of attacks from mid-2001

    Code Red - used MS IIS bug: probes random IPs for systems running IIS; had trigger time for denial of service attack; 2nd wave infected 360000 servers in 14 hours

    Code Red 2 - installed backdoor

    Nimda - multiple infection mechanisms

    SQL Slammer - attacked MS SQL server

    Sobig.f - attacked open proxy servers

    Mydoom - mass email worm + backdoor

  • 7/26/2019 unit5_system_security.pdf

    38/77

    Worm Technology

    multiplatform

    multi-exploit

    ultrafast spreading

    polymorphic

    metamorphic

    transport vehicles

    zero-day exploit

  • 7/26/2019 unit5_system_security.pdf

    39/77

    Virus Countermeasures

    best countermeasure is prevention

    but in general not possible

    hence need to do one or more of:

    detection of viruses in infected system

    identification of specific infecting virus

    removal - restoring system to clean state

  • 7/26/2019 unit5_system_security.pdf

    40/77

    Anti-Virus Software

    first generation: scanner uses virus signature to identify virus; or change in length of programs

    second generation: uses heuristic rules to spot viral infection; or uses crypto hash of program to spot changes

    third generation: memory-resident programs identify virus by actions

    fourth generation: packages with a variety of antivirus techniques; eg scanning & activity traps, access controls

    arms race continues

  • 7/26/2019 unit5_system_security.pdf

    41/77

    Advanced Anti-Virus Techniques

    generic decryption: use CPU simulator to check program signature & behavior before actually running it

    digital immune system (IBM): general purpose emulation & virus detection; any virus entering org is captured, analyzed, detection/shielding created for it, removed

  • 7/26/2019 unit5_system_security.pdf

    42/77

    Digital Immune System

  • 7/26/2019 unit5_system_security.pdf

    43/77

    Behavior-Blocking Software

    integrated with host O/S

    monitors program behavior in real time, eg file access, disk format, executable mods, system settings changes, network access

    for possibly malicious actions

    if detected can block, terminate, or seek ok

    has advantage over scanners

    but malicious code runs before detection

  • 7/26/2019 unit5_system_security.pdf

    44/77

    Distributed Denial of Service Attacks (DDoS)

    Distributed Denial of Service (DDoS) attacks form a significant security threat

    making networked systems unavailable

    by flooding with useless traffic

    using large numbers of zombies

    growing sophistication of attacks

    defense technologies struggling to cope

  • 7/26/2019 unit5_system_security.pdf

    45/77

    Distributed Denial of Service Attacks (DDoS)

  • 7/26/2019 unit5_system_security.pdf

    46/77

    Constructing the DDoS Attack Network

    must infect large number of zombies

    needs:

    1. software to implement the DDoS attack

    2. an unpatched vulnerability on many systems

    3. scanning strategy to find vulnerable systems: random, hit-list, topological, local subnet

  • 7/26/2019 unit5_system_security.pdf

    47/77

    DDoS Countermeasures

    three broad lines of defense:

    1. attack prevention & preemption (before)

    2. attack detection & filtering (during)

    3. attack source traceback & ident (after)

    huge range of attack possibilities

    hence evolving countermeasures

  • 7/26/2019 unit5_system_security.pdf

    48/77

    Summary

    have considered:

    various malicious programs

    trapdoor, logic bomb, trojan horse, zombie

    viruses

    worms

    countermeasures

    distributed denial of service attacks

  • 7/26/2019 unit5_system_security.pdf

    49/77

    Chapter 3 Firewalls

  • 7/26/2019 unit5_system_security.pdf

    50/77

    Introduction

    seen evolution of information systems

    now everyone want to be on the Internet

    and to interconnect networks

    has persistent security concerns

    can't easily secure every system in org

    typically use a Firewall

    to provide perimeter defence

    as part of comprehensive security strategy

  • 7/26/2019 unit5_system_security.pdf

    51/77

    What is a Firewall?

    a choke point of control and monitoring

    interconnects networks with differing trust

    imposes restrictions on network services: only authorized traffic is allowed

    auditing and controlling access: can implement alarms for abnormal behavior

    provide NAT & usage monitoring

    implement VPNs using IPSec

    must be immune to penetration

  • 7/26/2019 unit5_system_security.pdf

    52/77

    Firewall Limitations

    cannot protect from attacks bypassing it, eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH)

    cannot protect against internal threats, eg disgruntled or colluding employees

    cannot protect against transfer of all virus infected programs or files

    because of huge range of O/S & file types

  • 7/26/2019 unit5_system_security.pdf

    53/77

    Firewalls - Packet Filters

    simplest, fastest firewall component

    foundation of any firewall system

    examine each IP packet (no context) and permit or deny according to rules

    hence restrict access to services (ports)

    possible default policies:

    that not expressly permitted is prohibited

    that not expressly prohibited is permitted

  • 7/26/2019 unit5_system_security.pdf

    54/77

    Firewalls - Packet Filters

  • 7/26/2019 unit5_system_security.pdf

    55/77

    Firewalls - Packet Filters

  • 7/26/2019 unit5_system_security.pdf

    56/77

    Attacks on Packet Filters

    IP address spoofing: fake source address to be trusted; add filters on router to block

    source routing attacks: attacker sets a route other than default; block source routed packets

    tiny fragment attacks: split header info over several tiny packets; either discard or reassemble before check


  • 7/26/2019 unit5_system_security.pdf

    57/77

    Firewalls - Stateful Packet Filters

    traditional packet filters do not examine higher layer context

    ie matching return packets with outgoing flow

    stateful packet filters address this need

    they examine each IP packet in context

    keep track of client-server sessions

    check each packet validly belongs to one

    hence are better able to detect bogus packets out of context
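
The difference between the packet filter and the stateful packet filter described above, as an added example that is not part of the original slides: both filters apply the same default-deny web rules to the same packets, but only the stateful one checks that a return packet belongs to a session a client opened. The addresses, ports, rule set and the treatment of RST as ending a session are assumptions for illustration.

```python
"""Stateless vs stateful filtering of the same constructed packets."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport flags")
INTERNAL = ip_network("10.0.0.0/24")   # assumed internal network


def outbound_web(pkt):
    """Internal client talking to an external server on port 80."""
    return (ip_address(pkt.src) in INTERNAL
            and ip_address(pkt.dst) not in INTERNAL and pkt.dport == 80)


def inbound_web_reply(pkt):
    """Looks like a reply: external port 80 to an internal client port."""
    return (ip_address(pkt.src) not in INTERNAL
            and ip_address(pkt.dst) in INTERNAL
            and pkt.sport == 80 and pkt.dport >= 1024 and "ACK" in pkt.flags)


def stateless_filter(pkt):
    """Judge each packet alone against the rules; default deny."""
    if outbound_web(pkt) or inbound_web_reply(pkt):
        return "permit"
    return "deny"   # that not expressly permitted is prohibited


class StatefulFilter:
    """Same rules, plus a session table that inbound packets must match."""

    def __init__(self):
        self.sessions = set()   # (client, client_port, server, server_port)

    def check(self, pkt):
        if outbound_web(pkt):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.sessions.add(key)        # client opens a session
            elif key not in self.sessions:
                return "deny"                 # mid-stream packet, no session
        elif inbound_web_reply(pkt):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.sessions:
                return "deny"                 # reply to nothing we sent
        else:
            return "deny"
        if "RST" in pkt.flags:
            self.sessions.discard(key)        # simplification: RST ends it
        return "permit"


# Constructed traffic (documentation address ranges).
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, {"SYN"}),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, {"SYN", "ACK"}),
    Packet("198.51.100.7", 80, "10.0.0.9", 5000, {"ACK"}),       # no session
    Packet("203.0.113.10", 80, "10.0.0.5", 40001, {"ACK"}),      # wrong port
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, {"RST", "ACK"}),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, {"ACK"}),      # after reset
]


def compare(traffic):
    """Return (stateless, stateful) verdicts for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, verdicts)
```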


  • 7/26/2019 unit5_system_security.pdf

    58/77

    Firewalls - Application Level Gateway (or Proxy)

    have application specific gateway / proxy

    has full access to protocol

    user requests service from proxy

    proxy validates request as legal

    then actions request and returns result to user

    can log / audit traffic at application level

    need separate proxies for each service

    some services naturally support proxying

    others are more problematic


  • 7/26/2019 unit5_system_security.pdf

    59/77

    Firewalls - Application Level Gateway (or Proxy)


  • 7/26/2019 unit5_system_security.pdf

    60/77

    Firewalls - Circuit Level Gateway

    relays two TCP connections

    imposes security by limiting which such connections are allowed

    once created usually relays traffic without examining contents

    typically used when trust internal users by allowing general outbound connections

    SOCKS is commonly used


  • 7/26/2019 unit5_system_security.pdf

    61/77

    Firewalls - Circuit Level Gateway

  • 7/26/2019 unit5_system_security.pdf

    62/77

    Bastion Host

    highly secure host system

    runs circuit / application level gateways

    or provides externally accessible services

    potentially exposed to "hostile" elements

    hence is secured to withstand this

    hardened O/S, essential services, extra auth

    proxies small, secure, independent, non-privileged

    may support 2 or more net connections

    may be trusted to enforce policy of trusted separation between these net connections

  • 7/26/2019 unit5_system_security.pdf

    63/77

    Firewall Configurations

  • 7/26/2019 unit5_system_security.pdf

    64/77

    Firewall Configurations

  • 7/26/2019 unit5_system_security.pdf

    65/77

    Firewall Configurations

  • 7/26/2019 unit5_system_security.pdf

    66/77

    Access Control

    given system has identified a user

    determine what resources they can access

    general model is that of access matrix with

    subject - active entity (user, process)

    object - passive entity (file or resource)

    access right - way object can be accessed

    can decompose by

    columns as access control lists

    rows as capability tickets

  • 7/26/2019 unit5_system_security.pdf

    67/77

    Access Control Matrix

  • 7/26/2019 unit5_system_security.pdf

    68/77

    Trusted Computer Systems

    information security is increasingly important

    have varying degrees of sensitivity of information

    cf military info classifications: confidential, secret etc

    subjects (people or programs) have varying rights of access to objects (information)

    known as multilevel security

    subjects have maximum & current security level

    objects have a fixed security level classification

    want to consider ways of increasing confidence in systems to enforce these rights

  • 7/26/2019 unit5_system_security.pdf

    69/77

    Bell LaPadula (BLP) Model

    one of the most famous security models

    implemented as mandatory policies on system

    has two key policies:

    no read up (simple security property)

    a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object

    no write down (*-property)

    a subject can only append/write to an object if the current security level of the subject is dominated by (
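
The two BLP checks above, together with the maximum and current subject levels from the Trusted Computer Systems slide, as an added example that is not part of the original slides. The four-level linear ordering, the object names and the analyst scenario are assumptions; categories are not modelled, and the sketch ignores objects a subject already has open when its current level changes.

```python
"""Bell-LaPadula checks in a small reference monitor (constructed data)."""
from enum import IntEnum


class Level(IntEnum):
    # Assumed linear ordering; categories/compartments are not modelled.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Subject:
    def __init__(self, name, maximum):
        self.name = name
        self.maximum = maximum
        self.current = maximum      # current level may be lowered later

    def set_current(self, level):
        """A subject may operate at any level up to its maximum."""
        if level > self.maximum:
            raise PermissionError(f"{self.name} is not cleared for {level.name}")
        self.current = level


class ReferenceMonitor:
    """Mediates every access and records each decision."""

    def __init__(self, classifications):
        self.classifications = dict(classifications)   # object -> fixed Level
        self.audit = []

    def check(self, subject, obj, op):
        label = self.classifications[obj]
        reads = op in ("read", "write")       # "write" here means read+write
        alters = op in ("append", "write")
        if not (reads or alters):
            raise ValueError(f"unknown operation {op!r}")
        allowed = True
        if reads and not subject.current >= label:     # no read up
            allowed = False
        if alters and not subject.current <= label:    # no write down
            allowed = False
        self.audit.append((subject.name, op, obj, allowed))
        return allowed


def demo():
    """Constructed scenario: one analyst, two objects."""
    rm = ReferenceMonitor({"field_report": Level.SECRET,
                           "press_note": Level.CONFIDENTIAL})
    analyst = Subject("analyst", maximum=Level.SECRET)
    results = [
        rm.check(analyst, "field_report", "read"),    # same level
        rm.check(analyst, "press_note", "read"),      # read down
        rm.check(analyst, "press_note", "append"),    # write down: refused
    ]
    analyst.set_current(Level.CONFIDENTIAL)           # drop to the lower level
    results += [
        rm.check(analyst, "press_note", "append"),    # now permitted
        rm.check(analyst, "field_report", "read"),    # read up: refused
        rm.check(analyst, "field_report", "append"),  # blind write up
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

Combined read and write access passes both checks only when the subject's current level equals the object's classification, which is why the analyst has to lower the current level before updating the lower-classified object.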

  • 7/26/2019 unit5_system_security.pdf

    70/77

    Reference Monitor

  • 7/26/2019 unit5_system_security.pdf

    71/77

    Evaluated Computer Systems

    governments can evaluate IT systems

    against a range of standards:

    TCSEC, IPSEC and now Common Criteria

    define a number of levels of evaluation with increasingly stringent checking

    have published lists of evaluated products

    though aimed at government/defense use

    can be useful in industry also

  • 7/26/2019 unit5_system_security.pdf

    72/77

    Common Criteria

    international initiative specifying security requirements & defining evaluation criteria

    incorporates earlier standards

    eg CSEC, ITSEC, CTCPEC (Canadian), Federal (US)

    specifies standards for

    evaluation criteria

    methodology for application of criteria

    administrative procedures for evaluation, certification and accreditation schemes

  • 7/26/2019 unit5_system_security.pdf

    73/77

    Common Criteria

    defines set of security requirements

    have a Target Of Evaluation (TOE)

    requirements fall in two categories: functional; assurance

    both organised in classes of families & components

  • 7/26/2019 unit5_system_security.pdf

    74/77

    Common Criteria Requirements

    Functional Requirements

    security audit, crypto support, communications, user data protection, identification & authentication, security management, privacy, protection of trusted security functions, resource utilization, TOE access, trusted path

    Assurance Requirements

    configuration management, delivery & operation, development, guidance documents, life cycle support, tests, vulnerability assessment, assurance maintenance

  • 7/26/2019 unit5_system_security.pdf

    75/77

    Common Criteria

  • 7/26/2019 unit5_system_security.pdf

    76/77

    Common Criteria

  • 7/26/2019 unit5_system_security.pdf

    77/77

    Summary

    have considered:

    firewalls

    types of firewalls

    configurations

    access control

    trusted systems

    common criteria