DSC 101: Security

DSC 101: Security. Topics 1.Components of Security 2.States of Information 3.Threats 4.Attacks 5.Malware 6.Vulnerabilities



Page 1: DSC 101: Security. Topics 1.Components of Security 2.States of Information 3.Threats 4.Attacks 5.Malware 6.Vulnerabilities

DSC 101: Security


Topics

1. Components of Security
2. States of Information
3. Threats
4. Attacks
5. Malware
6. Vulnerabilities


What is Security?

Security is the prevention of certain types of intentional actions from occurring in a system.

– The actors who might attack a system are threats.

– Threats carry out attacks to compromise a system.

– Objects of attacks are assets.


Components of Security

– Confidentiality
– Integrity
– Availability


Confidentiality

Confidentiality is the avoidance of the unauthorized disclosure of information.

Examples where confidentiality is critical:
– Personal information
– Trade secrets
– Military plans


Security Controls for Confidentiality

Access Control: rules and policies that limit access to certain people and/or systems.

– File permissions (which users can access)
– Firewall settings (which IP addresses can access)

Encryption: transforming information so that it can only be read using a secret key.

– AES
– SSL
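The firewall-settings bullet above is a rule list that decides which IP addresses may reach a system. The following Python is an added example, not code from the slides: it evaluates a constructed, hypothetical rule set in order, lets the first matching rule decide, and denies anything that matches no rule (default deny), which is the property that makes an access-control list a confidentiality control rather than just a filter.

```python
# Added example (not from the DSC 101 slides): a minimal firewall-style
# access-control check. Rules are evaluated top to bottom, the first match
# wins, and traffic that matches nothing is denied (default deny).
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    comment: str = ""                # original rule text, kept for explanations


def parse_rules(lines):
    """Parse constructed rule lines of the form '<allow|deny> <CIDR> [# comment]'."""
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        action, cidr = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r} in rule {raw!r}")
        rules.append(Rule(action, ipaddress.ip_network(cidr, strict=False), raw.strip()))
    return rules


# Constructed rule set for a hypothetical internal network; order matters:
# the quarantined segment is denied before the broader internal allow.
RULES = parse_rules([
    "deny  10.0.99.0/24      # quarantined segment",
    "allow 10.0.0.0/8        # internal users",
    "allow 192.0.2.10/32     # one partner host (documentation range)",
])


def first_match(src_ip, rules=RULES):
    """Return the first rule whose network contains src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr.version == rule.network.version and addr in rule.network:
            return rule
    return None


def is_allowed(src_ip, rules=RULES):
    """True only if the first matching rule is an allow rule; default deny."""
    rule = first_match(src_ip, rules)
    return rule is not None and rule.action == "allow"


def explain(src_ip, rules=RULES):
    """Human-readable decision, useful when auditing a rule set."""
    rule = first_match(src_ip, rules)
    if rule is None:
        return f"{src_ip}: deny (no matching rule, default deny)"
    return f"{src_ip}: {rule.action} ({rule.comment})"


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.99.7", "192.0.2.10", "203.0.113.4", "::1"):
        print(explain(ip))
```

Swapping the order of the first two rules would silently re-admit the quarantined segment, which is why the `explain` output is worth checking whenever a rule list changes.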


Integrity

Integrity is the property that information has not been altered in an unauthorized way.

Examples where integrity is critical:
– Operating system files
– Software updates and downloads
– Bank account records


Security Controls for Integrity

• Backups: periodic archiving of data.

• Checksums: the computation of a function that maps the contents of a file to a numerical value.

• Data correcting codes: methods for storing data in such a way that small changes can be easily detected and automatically corrected.
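The checksum bullet above describes a function from file contents to a fixed-size value. The Python below is an added example, not code from the slides: it computes a SHA-256 checksum over a constructed record, shows that a one-bit change is detected, and then shows the caveat a practitioner needs, namely that a plain checksum only detects accidental change, because whoever can alter the file can recompute it; a keyed checksum (HMAC) under a secret key, here a constructed placeholder, closes that gap. The key name and sample record are assumptions for the example.

```python
# Added example (not from the DSC 101 slides): checksums as an integrity
# control, plus the keyed variant that resists deliberate tampering.
import hashlib
import hmac


def checksum(data: bytes) -> str:
    """SHA-256 checksum of data as a hex string (fixed size, any input length)."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    """True if data still matches the checksum recorded earlier."""
    # compare_digest avoids leaking where the comparison stopped via timing.
    return hmac.compare_digest(checksum(data), expected_hex.lower())


# A plain checksum can be recomputed by anyone who can change the file, so
# it only catches accidental corruption. Mixing in a secret key (HMAC) means
# an attacker without the key cannot produce a matching value.
KEY = b"hypothetical-secret-key"  # constructed placeholder, not a real key


def keyed_checksum(data: bytes, key: bytes = KEY) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_checksum(data: bytes, expected_hex: str, key: bytes = KEY) -> bool:
    return hmac.compare_digest(keyed_checksum(data, key), expected_hex.lower())


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Constructed 'unauthorized change': flip the lowest bit of one byte."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    original = b"balance=1000\n"            # constructed sample record
    recorded = checksum(original)           # stored separately at backup time
    print("original verifies:", verify_checksum(original, recorded))

    # Flipping bit 0 of byte 8 turns the '1' into a '0': balance=0000
    tampered = flip_one_bit(original, index=8)
    print("tampered bytes:", tampered)
    print("tampered verifies:", verify_checksum(tampered, recorded))

    # The weakness: an attacker who edits the file can also edit the checksum.
    print("attacker-recomputed checksum verifies:",
          verify_checksum(tampered, checksum(tampered)))

    # With a key the attacker lacks, the recomputed value no longer matches.
    keyed = keyed_checksum(original)
    forged = keyed_checksum(tampered, b"attacker-guess")
    print("forged keyed checksum verifies:", verify_keyed_checksum(tampered, forged))
```

In practice the recorded checksums must live somewhere the attacker cannot write, such as a separate backup or a signed manifest, otherwise the plain variant gives no protection against deliberate alteration.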


Availability

Availability is the property that information is accessible and modifiable in a timely fashion by those authorized to do so.

Examples where availability is critical:
– E-commerce site
– Authentication server for your network
– Current stock quotes


Security Controls for Availability

Physical protections: infrastructure meant to keep information available even in the event of physical challenges.

– Backup generators
– Disaster recovery site

Computational redundancies: computers and storage devices that serve as fallbacks in the case of failures.

– Backup tapes
– RAID


States of Information

1. Storage: information in memory or disk that is not currently being accessed.

2. Processing: information currently being used by the processor.

3. Transmission: information in transit between one node and another on a network.

Is your information protected in all three states?


Threats, Attacks, and Vulnerabilities

Threats are people who are able to take advantage of security vulnerabilities to attack systems.

– Criminals, hacktivists, spies, disgruntled employees.

Attacks are tools, programs, and methods used by threats to obtain assets from systems in violation of the security policy.

– Stuxnet, Dark Comet, AirCrack, John the Ripper

Vulnerabilities are weaknesses in a system that allow a threat to obtain access to information assets in violation of a system’s security policy.

Example: Microsoft Security Advisory (2719662), "Vulnerabilities in Gadgets Could Allow Remote Code Execution"


How are Digital Threats Different?

Automation
– Salami Attack from Office Space.

Action at a Distance
– Volodya Levin, from St. Petersburg, Russia, stole over $10 million from US Citibank. Arrested in London.

Technique Propagation
– Criminals share attacks rapidly and globally.


Who are the threats?

IBM X-Force 2012 Trend and Risk Report


Threat Model

A threat model describes which threats exist to a system, their capabilities, history, intentions, and likely targets.

– Are you worried about broad or targeted threats?

– Are your threats able to develop their own tools, or do they just use off-the-shelf tools?

– Do you keep enough data about historical incidents to know what your threats are?


Threat Model Examples

Example 1: Disgruntled Insider
– Targeted attack on organization
– Knows systems and information assets already
– Attacks more likely to focus on DoS than theft

Example 2: Outsider, broad attack
– Broad attack, looking for any vulnerable system.
– Looking for one particular type of asset, which your organization may or may not have.


Attacks and Exploits

An attack is an action taken by a threat to gain unauthorized access or to create unauthorized modification of assets.

– Spam
– Phishing
– Malware
– Denial of Service

An exploit is a piece of software or a scripted set of actions that carries out an attack. Threats often turn attacks into exploits to automate the compromise of systems.


Spam

Spam is the use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately.

– Mostly e-mail, but also
– Blog and web forum comment spam,
– Wiki spam,
– IM spam, etc.


Over 90% of e-mail is spam!


Phishing E-mail


Phishing Site


Denial of Service


Malware

Malware, short for malicious software, is software designed to gain access to confidential information, disrupt computer operations, and/or gain access to private computer systems. Malware can be classified by how it infects systems:

– Trojan Horses
– Viruses
– Worms

Or by what assets it targets:
– Ransomware
– Spyware and adware
– Backdoors
– Rootkits
– Botnets


How much malware is out there?


Trojan Horses


Trojan Horse Examples


Viruses

A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other files. This process is called infecting.


Worms

A worm is a type of malware that spreads itself to other computers.


Ransomware


Spyware and Adware


Backdoors


Backdoor Example: Dark Comet


Rootkits

• Execution Redirection
• File Hiding
• Process Hiding
• Network Hiding
• Backdoor

[Diagram: layered stack of User Program, Rootkit, Operating System, with the rootkit sitting between user programs and the operating system]


Botnets


Vulnerabilities

Vulnerabilities can be found in any software:
– PC: Office, Adobe Reader, web browsers
– Server: Databases, DNS, mail server software, web servers, web applications, etc.
– Mobile: Mobile phone OS, mobile applications
– Embedded: printers, routers, switches, VoIP phones, cars, medical devices, TVs, etc.
– Third party software: Web browser plugins, Ad affiliate network JavaScript include files, Mobile ad libraries


Document Format Vulnerabilities

IBM X-Force 2012 Trend and Risk Report


Web Browser Vulnerabilities

IBM X-Force 2012 Trend and Risk Report


Embedded Vulnerabilities


Patches

A patch is a piece of data or software designed to fix a security vulnerability or bug.

– Administrator may have to apply manually.
– Some vendors specify certain days to patch, such as “Patch Tuesday,” the 2nd Tuesday of the month when MS releases updates.
– Increasingly, software auto-updates itself with current patches.


Vulnerability Timeline


Vulnerability Markets


Vulnerability Databases


Key Points

1. Components: confidentiality, integrity, availability
2. States of Info: storage, communication, processing
3. Definitions: threat, attack, and vulnerability
4. Attacks: spam, phishing, DoS, and malware
5. Vulnerabilities affect all software
   – Not just PC or mobile software
   – Lifecycle: 0day, exploit, then patch and signatures


References

1. Nate Anderson, "Meet the men who spy on women through their webcams: The Remote Administration Tool is the revolver of the Internet's Wild West," Ars Technica, http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/, 2013.
2. Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004.
3. IBM, X-Force 2012 Risk and Trends Report, 2013.
4. Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5th edition, McGraw-Hill, 2005.
5. Norton, Fake Antivirus, http://www.nortonantiviruscenter.com/security-resource-center/fake-antivirus.html
6. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
7. Stuart Staniford, Vern Paxson, and Nicholas Weaver, "How to 0wn the Internet in Your Spare Time," Proceedings of the 11th USENIX Security Symposium, 2002.