TDC 377, Fundamentals of Network Security , Spring 2006
1-1
Unit 1: Class overview, general security concept, threats and defenses
Syllabus
What is Security?
CSI/FBI Computer Crime and Security Survey
Attackers and Attacks
Layered Security Architecture
1-2
What is Security?
As in the non-cyber "real" world, security is what we put in place to secure and protect assets and to prevent bad things from happening (or at least to try).
From Webster, "security", noun, plural -ties, dating from the 15th century:
1. the quality or state of being secure: (a) freedom from danger, SAFETY; (b) freedom from fear or anxiety; (c) freedom from the prospect of being laid off (job security)
2. (a) something given, deposited, or pledged to make certain the fulfillment of an obligation; (b) SURETY
3. an evidence of debt or of ownership (as a stock certificate or bond)
4. (a) something that secures: PROTECTION; (b) (1) measures taken to guard against espionage or sabotage, crime, attack, or escape; (2) an organization or department whose task is security
1-3
What is Security?
Security activities are based on three types of action:
Prevent: put protection measures and systems in place to protect assets and prevent unauthorized access.
Detect: detect whether an asset has been compromised, when, and by whom, and gather information on the type of breach committed, the attacker's activities, and evidence (logs).
Act/React: take measures to recover from an attack, to stop an attack in progress, and to prevent the same type of attack from recurring.
1-4
CSI/FBI Computer Crime and Security Survey
How bad is the threat? The survey is conducted annually by the Computer Security Institute (http://www.gocsi.com).
The 2005 edition is based on replies from 700 U.S. computer security professionals.
1-5
1-6
Web site incidents have increased dramatically.
1-7
The general trend in reported losses is down, except for "unauthorized access to information" and "theft of proprietary information".
1-8
Other Key Findings of the CSI/FBI survey
Outsourcing of computer security activities is quite low.
Use of cyber insurance remains low.
Concern about negative publicity drives a decline in reporting intrusions to law enforcement.
A significant number of organizations conduct some form of economic evaluation of their security expenditures.
1-9
Other Key Findings of the CSI/FBI survey (contd.)
Over 87% of the organizations conduct security audits, up from 82% in the 2004 survey.
The Sarbanes-Oxley Act has begun to have an impact on information security in more industry sectors than last year.
Most respondents view security awareness training as important; however, respondents from all sectors do not believe their organizations invest enough in it.
1-10
Other Empirical Attack Data
SecurityFocus Attack Targets
31 million Windows-specific attacks
22 million UNIX/Linux attacks
7 million Cisco IOS attacks
All operating systems are attacked!
1-11
Attack Trends
Growing Incident Frequency
Incidents reported to the Computer Emergency Response Team/Coordination Center (CERT/CC):
1997: 2,134
1998: 3,734 (75% growth from the year before)
1999: 9,859 (164% growth from the year before)
2000: 21,756 (121% growth from the year before)
2001: 52,658 (142% growth from the year before)
Tomorrow? Well, CERT decided to stop counting as of 6/2004!!
1-12
Attack Trends
Growing Randomness in Victim Selection
In the past, large firms were targeted
Now, targeting is increasingly random
No more security through obscurity for small firms and individuals
1-13
Attack Trends
Growing Malevolence
Most early attacks were not malicious
Malicious attacks are becoming the norm
1-14
Attack Trends
Growing Attack Automation
Attacks are automated rather than human-directed
Essentially, viruses and worms are attack robots that travel among computers
Attack many computers in minutes or hours
1-15
Who are the Attackers??? Elite Hackers
White hat hackers: break into systems but notify the firm or vendor of the vulnerability. This is still illegal.
Black hat hackers: do not hack to find and report vulnerabilities.
Gray hat hackers: go back and forth between the two ways of hacking.
Hack but with a code of ethics. Codes of conduct are often amoral: "do no harm," but delete log files, destroy security settings, etc. Distrust of "evil" businesses and government. Still illegal.
Deviant psychology, and hacker groups that reinforce deviance.
1-16
Who are the Attackers???
Virus Writers and Releasers
Virus writers versus virus releasers
In general, only releasing viruses is punishable, not writing them
1-17
Who are the Attackers???
Script Kiddies
Use prewritten attack scripts (kiddie scripts)
Viewed as lamers and script kiddies
Their large numbers make them dangerous
Noise of kiddie script attacks masks more sophisticated attacks
1-18
Who are the Attackers???
Criminals
Many attackers are ordinary garden-variety criminals
Credit card and identity theft
Side note on the threat to credit card numbers. How do attackers capture credit card information? By "sniffing" traffic?
How many in the audience worry when shopping online? How many in the audience have ever used a credit card to pay for a restaurant meal?
Stealing trade secrets (intellectual property)
Extortion
1-19
Who are the Attackers??? Corporate Employees
Have access and knowledge
Financial theft
Theft of trade secrets (intellectual property)
Sabotage
Consultants and contractors
IT and security staff are the biggest danger
1-20
Who are the Attackers???
Cyberterrorism and Cyberwar
New level of danger
Infrastructure destruction: attacks on the IT infrastructure, and use of IT to attack physical infrastructure (energy, banks, etc.)
Simultaneous multi-pronged attacks
Cyberterrorism by terrorist groups versus cyberwar by national governments
Amateur information warfare
1-21
A very good illustration of attacks and attackers: http://grc.com/dos/grcdos.htm
Non-credit assignment: read the full article. Note: all material in "non-credit assignments" can appear in exams.
1-22
Framework for Attacks
Attacks
    Physical Access Attacks
        Wiretapping
        Server Hacking
        Vandalism
    Dialog Attacks
        Eavesdropping
        Impersonation
        Message Alteration
    Penetration Attacks
        Scanning (Probing)
        Break-in
        Denial of Service
        Malware: Viruses, Worms
    Social Engineering
        Opening Attachments
        Password Theft
        Information Theft
1-23
Attacks and Defenses (Refer to previous diagram)
Physical Attacks: Access Control
Access control is the body of strategies and practices that a company uses to prevent improper access.
Prioritize assets.
Specify access control technology and procedures for each asset.
This can be electronic: use access control to keep certain traffic out.
This can be physical: use locks to prevent physical access to devices.
If an attacker gains physical access to a device, that device IS (or should be considered) compromised: no EXCEPTIONS!!!
Test the protection.
1-24
Attacks and Defenses (contd.)
Site Access Attacks and Defenses
Wiretaps (including wireless LAN intrusions)
Hacking servers with physical access
1-25
Attacks and Defenses (contd.) A slight variation of the access attack: Social Engineering
Tricking an employee into giving out information or taking an action that reduces security or harms a system, for example:
Opening an e-mail attachment that may contain a virus
Asking for a password, claiming to be someone with the right to know it
Asking for a file to be sent to you
1-26
Attacks and Defenses (contd.)
Social Engineering Defenses
Training
Enforcement through sanctions (punishment)
1-27
Attacks and Defenses (contd.)
Dialog Attacks and Defenses
Eavesdropping: encryption for confidentiality
Imposters: authentication
Cryptographic systems
1-28
Eavesdropping on a Dialog
Figure: Bob (client PC) and Alice (server) exchange a dialog ("Hello"). The attacker, Eve, intercepts and reads the messages.
1-29
Encryption for Confidentiality
Figure: Bob (client PC) encrypts the original message "Hello" into the encrypted message "100100110001" and sends it to Alice (server), who decrypts it back to "Hello". Eve intercepts the message but cannot read it.
1-30
Impersonation and Authentication
Figure: the attacker, Eve, tells Alice (server) "I'm Bob". Alice replies "Prove it! (Authenticate yourself)".
1-31
Message Alteration
Figure: in the dialog between Bob (client PC) and Alice (server), the message "Balance = $1" is sent. Eve intercepts it and alters it to "Balance = $1,000,000", which is what the recipient receives.
1-32
Secure Dialog System
Figure: Bob (client PC) and Alice (server) communicate over a secure dialog that provides authentication, encryption and integrity. The attacker cannot read messages, alter messages, or impersonate either party. The system automatically handles negotiation of security options.
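To make the four dialog figures concrete, here is an added example (not from the course slides) in Python that plays Bob, Alice and Eve over a simulated channel. The "cipher" is a toy keystream derived from HMAC-SHA256 in counter mode, chosen only so that the code runs with the standard library; a real secure dialog system uses TLS, not this. The shared keys, the message text and Eve's steps are constructed for the demonstration. Note what the encryption-only receiver does with Eve's altered message: a stream cipher hides the content but does nothing to stop a one-bit change from turning "$1" into "$9", which is why the secure dialog needs integrity as well as confidentiality.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12   # per-message nonce prefixed to the ciphertext
TAG_LEN = 32     # HMAC-SHA256 integrity tag appended to the ciphertext

# Constructed shared secrets for the demo; in practice they come from a key
# exchange that the secure dialog system negotiates automatically.
ENC_KEY = hashlib.sha256(b"demo: Alice/Bob encryption key").digest()
MAC_KEY = hashlib.sha256(b"demo: Alice/Bob integrity key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks.
    Illustration only, not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality (encrypt) plus integrity (MAC over nonce and ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, enc_key, nonce)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError if the message was altered."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = (message[:NONCE_LEN],
                              message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _xor(ciphertext, enc_key, nonce)


def decrypt_without_integrity_check(enc_key: bytes, message: bytes) -> bytes:
    """What a receiver that only has 'encryption for confidentiality' does."""
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN]
    return _xor(ciphertext, enc_key, nonce)


def eve_eavesdrops(message: bytes) -> bytes:
    """Passive attack: Eve copies the bytes on the wire; a sealed message is unreadable to her."""
    return message


def eve_rewrites_balance(receiver_checks_integrity: bool):
    """Active attack: the message 'Balance = $1' is sealed and sent; Eve, knowing the
    message layout, flips the one ciphertext byte carrying the digit so it decrypts to '$9'."""
    wire = bytearray(seal(ENC_KEY, MAC_KEY, b"Balance = $1"))
    digit_pos = NONCE_LEN + len(b"Balance = $")   # offset of the digit inside the ciphertext
    wire[digit_pos] ^= ord("1") ^ ord("9")         # XOR ciphers are malleable bit for bit
    if not receiver_checks_integrity:
        return decrypt_without_integrity_check(ENC_KEY, bytes(wire))  # b"Balance = $9"
    try:
        return open_sealed(ENC_KEY, MAC_KEY, bytes(wire))
    except ValueError:
        return None                                # alteration detected, message rejected


def challenge_response(claimant_key: bytes, verifier_key: bytes) -> bool:
    """'I'm Bob' / 'Prove it!': the verifier issues a fresh random challenge and the
    claimant must return HMAC(key, challenge); only the holder of the shared key can."""
    challenge = os.urandom(16)
    response = hmac.new(claimant_key, challenge, hashlib.sha256).digest()
    expected = hmac.new(verifier_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    sealed = seal(ENC_KEY, MAC_KEY, b"Hello")
    print("on the wire:", eve_eavesdrops(sealed).hex())
    print("Alice reads:", open_sealed(ENC_KEY, MAC_KEY, sealed))
    print("encryption only:", eve_rewrites_balance(receiver_checks_integrity=False))
    print("with integrity:", eve_rewrites_balance(receiver_checks_integrity=True))
    print("Bob authenticates:", challenge_response(MAC_KEY, MAC_KEY))
    print("Eve authenticates:", challenge_response(b"not Bob's key", MAC_KEY))
```

The tag is verified before any decryption happens, and with a constant-time comparison; checking it afterwards, or with `==`, is a common implementation mistake that the secure dialog system is supposed to hide from the application.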
1-33
Network Penetration Attacks and Firewalls
Figure: an attacker on the Internet sends an attack packet toward the internal corporate network. The Internet firewall drops the attack packet and records it in a log file; legitimate packets are passed on to the hardened client PCs and hardened servers behind it.
1-34
Scanning (Probing) Attacks
Figure: an attacker on the Internet sends probe packets to 172.16.99.1, 172.16.99.2, etc. on the corporate network. Host 172.16.99.1 replies; there is no host at 172.16.99.2, so no reply comes back.
Results: 172.16.99.1 is reachable, 172.16.99.2 is not reachable, ...
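The probe-and-reply logic of the figure, as an added example (not from the slides) in Python: a TCP connect probe against a list of ports, sorting the answers into "something answered" and "nothing answered". It targets 127.0.0.1 and starts its own listener in a background thread so that it runs offline; the verdict names and the port choice are constructed for the demo. The same function works against real hosts, with one caveat the figure glosses over: an unanswered probe can mean "no host" or "a firewall silently dropped it", so the attacker only learns for sure that a host exists when it answers.

```python
import socket
import threading
from typing import Dict, Iterable, Tuple


def start_demo_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Stand-in for the reachable host in the figure: accept connections on an
    ephemeral port and close them immediately. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port(host: str = "127.0.0.1") -> int:
    """Stand-in for the address with nothing listening: bind an ephemeral port, then release it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """One probe, one of three answers:
    'open'     -> TCP handshake completed: host reachable, service listening
    'closed'   -> RST came back: host reachable, nothing listening on that port
    'filtered' -> no reply at all: no host there, or a firewall dropped the probe"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def scan(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """The attacker's result table from the figure, keyed by port instead of by address."""
    return {port: probe_port(host, port) for port in ports}


def reachable(results: Dict[int, str]) -> bool:
    """Any 'open' or 'closed' answer proves a host is there; only 'filtered' leaves doubt."""
    return any(v in ("open", "closed") for v in results.values())


if __name__ == "__main__":
    srv, live_port = start_demo_listener()
    dead_port = unused_port()
    table = scan("127.0.0.1", [live_port, dead_port])
    for port, verdict in table.items():
        print(f"127.0.0.1:{port} -> {verdict}")
    print("host reachable:", reachable(table))
    srv.close()
```

A firewall that rejects with RST tells the scanner the host exists; one that drops silently does not, which is one argument for a default-drop policy on Internet-facing filters.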
1-35
Single-Message Break-In Attack
Figure: (1) the attacker sends a single break-in packet; (2) the server is taken over by that single message.
1-36
Denial-of-Service (DoS) Flooding Attack
Figure: the attacker sends a message flood; the server is overloaded by the flood.
1-37
Intrusion Detection System (IDS)
Figure: (1) an attacker on the Internet sends a suspicious packet toward a hardened server on the corporate network; (2) the suspicious packet is passed on to the server; (3) the IDS writes the suspicious packet to a log file; (4) the IDS raises an alarm to the network administrator.
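The firewall figure and the IDS figure, as one added example (not from the slides) in Python: a first-match packet filter with an explicit default-deny rule and a drop log, followed by a payload-inspecting IDS that never drops anything but logs the suspicious packet and raises an alarm when a signature matches. The 172.16.99.0/24 network reuses the address from the scanning figure; the rule set, the two signatures, the attacker address 203.0.113.7 (a documentation address) and the sample packets are all constructed for the demo. The result shows why the two boxes are both needed: the path-traversal request is a perfectly ordinary TCP/80 packet as far as the firewall can see, so it is passed, and only the IDS notices it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "drop"
    src: str                         # CIDR
    dst: str                         # CIDR
    proto: str = "any"
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class Firewall:
    """Stateless packet filter: first matching rule wins; no match means drop (default deny)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []

    def filter(self, pkt: Packet) -> str:
        verdict = "drop"
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        if verdict == "drop":   # the figure logs dropped packets
            self.log.append(f"DROP {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return verdict


class IDS:
    """Signature-based detector on the inside: it passes everything, but logs the
    suspicious packet (step 3) and raises an alarm (step 4) when a signature hits."""

    # Constructed signatures for the demo; a real IDS ships thousands.
    SIGNATURES: Dict[str, bytes] = {
        "path traversal": b"../..",
        "cmd.exe probe": b"/cmd.exe",
    }

    def __init__(self):
        self.log: List[str] = []
        self.alarms: List[str] = []

    def inspect(self, pkt: Packet) -> List[str]:
        hits = [name for name, sig in self.SIGNATURES.items() if sig in pkt.payload]
        for name in hits:
            self.log.append(f"SUSPICIOUS {pkt.src} -> {pkt.dst}:{pkt.dport} {name}: {pkt.payload!r}")
            self.alarms.append(f"ALARM to administrator: {name} from {pkt.src}")
        return hits


WEB_SERVER = "172.16.99.1"
RULES = [
    Rule("pass", "0.0.0.0/0", WEB_SERVER + "/32", "tcp", 80),   # the public web service
    Rule("pass", "172.16.99.0/24", "0.0.0.0/0"),                # anything originating inside
    Rule("drop", "0.0.0.0/0", "0.0.0.0/0"),                     # explicit default deny
]

# Constructed sample traffic from an attacker on the Internet.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "http_to_web": Packet("203.0.113.7", WEB_SERVER, "tcp", 80, b"GET /index.html HTTP/1.0"),
    "ssh_to_web": Packet("203.0.113.7", WEB_SERVER, "tcp", 22),
    "sql_to_db": Packet("203.0.113.7", "172.16.99.20", "tcp", 1433),
    "traversal_to_web": Packet("203.0.113.7", WEB_SERVER, "tcp", 80,
                               b"GET /../../../../etc/passwd HTTP/1.0"),
}


def run_demo() -> Tuple[Dict[str, Tuple[str, List[str]]], Firewall, IDS]:
    """Push each sample packet through the firewall, then the IDS; return (verdict, IDS hits) per packet."""
    fw, ids = Firewall(RULES), IDS()
    results = {}
    for name, pkt in SAMPLE_PACKETS.items():
        verdict = fw.filter(pkt)
        hits = ids.inspect(pkt) if verdict == "pass" else []   # dropped packets never reach the IDS
        results[name] = (verdict, hits)
    return results, fw, ids


if __name__ == "__main__":
    results, fw, ids = run_demo()
    for name, (verdict, hits) in results.items():
        print(f"{name:18} {verdict:5} {hits}")
    print("\n".join(fw.log + ids.log + ids.alarms))
```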
1-38
What Are the Types of Security Threats?
Interruption (service disruption): compromises the service's availability.
Interception: compromises confidentiality.
Modification: compromises integrity.
Fabrication: compromises authenticity.
Often you will see the security services summarized into three categories, C.I.A.: Confidentiality, Integrity, Availability. In this model, authenticity is a subset of integrity.
1-39
What Are the Types of Security Threats? These different threats can be carried out through two types of attack: passive and active.
Passive attacks: attacks that do not require modification of the data (e.g. eavesdropping).
Active attacks: attacks that do require modification of the data or of the data flow.
Which one is harder to notice? (Yes, I know it's obvious...)
1-40
Layered Security Architecture
As we have seen in previous slides, the security services that must be provided are numerous and diverse. Just like a "real-world" bank, our web servers and our networks can have many vulnerabilities, and these vulnerabilities can be located in many layers of the architecture.
We need to practice a "defense in depth" approach: security considerations and services must be present at each and every level of components.
Rule: when analyzing the quality of your security infrastructure, always assume that one full security layer/functionality will entirely fail. Are you still secure? Where are your areas of vulnerability? How long would it take you to detect the failure?
Vulnerabilities and security services involve all 7 layers of the OSI model. Security also depends greatly on the OSI "Layer 8": the people who build, run and use the system.
The balance between the threat to a system and the security services deployed is very asymmetric: you need to defend each and every aspect to be successful; an attacker often needs to defeat only one aspect to be successful.
Let's look at an example of an e-commerce site and try to discuss what can go wrong and where.
1-41
Layered Security Architecture
Figure: My-store.com e-commerce infrastructure. Components shown: Internet users and the ISP DNS; the intruder/threat/opponent; the Internet; a router; a firewall; an Ethernet segment with the mail relay, the outside DNS and the E-Comm web server; a second firewall; the inside DNS, the inside mail server and the database server; a router with WAN links to remote offices.
1-42
Layered Security Architecture
Areas that can "go wrong":
Incorrect firewall configuration.
Web and back-end servers not hardened: known vulnerabilities, default accounts/passwords, lack of granularity in security, lack of logging and auditing.
Back-end database servers accept any request from any source.
Lack of an intrusion detection system.
Lack of integrity checking tools.
Routers forwarding packets improperly.
Unnecessary protocols and services running.
Improper patching and updating of patches.
Bugs and vulnerabilities in third-party software/applications.
Bugs and vulnerabilities in in-house developed applications.
Bugs and vulnerabilities in toolkits used to build in-house applications.
Improper implementation of an application: test user IDs not cleaned out, developer user IDs not cleaned out.
Presence of Trojans, malware and backdoors.
How do I know the remote offices do not represent a threat?
And I am sure we can add a lot more to the list...
1-43
Layered Security Architecture
To prevent attacks, an enterprise needs to build a complete and comprehensive security architecture using tools, methods and techniques that individually target some threats and work in an integrated fashion to provide a complete enterprise framework for secure computing.
One missing "piece" or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls?
The goal of this class is to present the aspects that most impact network security within that framework.
Examples of these tools and methods are presented in Unit 2.
1-44
Other References and Useful Resources
CERT - www.cert.org
SANS - www.sans.org
CIAC - http://www.ciac.org/ciac/
NSA Guidelines - http://www.nsa.gov/snac/
Recommended