Framework
Chapter 1
Panko, Corporate Computer and Network Security, Copyright 2002 Prentice-Hall
Figure 1-1: CSI/FBI Computer Crime and Security Survey
How Bad is the Threat?
Survey conducted by the Computer Security Institute (http://www.gocsi.com).
Based on replies from 503 U.S. computer security professionals.
If fewer than 20 firms reported quantified dollar losses, data for the threat are not shown.

Threat                           Percent Reporting an Incident   Average Annual Loss per Firm (x1000)
                                 1997        2002                1997        2002
Viruses                          82%         85%                 $76         $283
Laptop Theft                     58%         65%                 $38         $89
Denial of Service                24%         40%                 $77         $297
System Penetration               20%         40%                 $132        $226
Unauthorized Access by Insiders  40%         38%                 NA          NA
Theft of Intellectual Property   20%         20%                 $954        $6,571
Financial Fraud                  12%         12%                 $958        $4,632
Sabotage                         14%         8%                  $164        $541
Telecom Fraud                    27%         9%                  NA          NA
Telecom Eavesdropping            11%         6%                  NA          NA
Active Wiretap                   3%          1%                  NA          NA
Figure 1-2: Other Empirical Attack Data
Riptech
Analyzed 5.5 billion firewall log entries in 300 firms in a five-month period
Detected 128,678 attacks, an annual rate of 1,000 per firm
Only 39% of attacks (after viruses were removed) were directed at individual firms
23% of all firms experienced a highly aggressive attack in a 6-month period
Although only one percent of all attacks, highly aggressive attacks are 26 times more likely to do severe damage than even moderately sophisticated aggressive attacks
SecurityFocus (data from 10,000 firms in 2001)
Attack Frequency
129 million network scanning probes (13,000 per firm)
29 million website attacks (3,000 per firm)
6 million denial-of-service attacks (600 per firm)
Attack Targets
31 million Windows-specific attacks
22 million UNIX/LINUX attacks
7 million Cisco IOS attacks
All operating systems are attacked!
U.K. Department of Trade and Industry
Two-thirds of U.K. firms surveyed lost less than $15,000 from their worst incident
But 4% lost more than $725,000
MessageLabs
One in every 200 to 400 e-mail messages is infected
Most e-mail users are sent infected e-mail several times each year
The percentage of e-mails that are infected is rising
Honeynet Project
Fake networks set up for adversaries to attack, in order to understand how adversaries attack
Windows 98 PC with open shares and no password compromised 5 times in 4 days
LINUX PCs took 3 days on average to compromise
Figure 1-3: Attack Trends
Growing Incident Frequency
Incidents reported to the Computer Emergency Response Team/Coordination Center (CERT/CC):
1997: 2,134
1998: 3,474 (75% growth from the year before)
1999: 9,859 (164% growth from the year before)
2000: 21,756 (121% growth from the year before)
2001: 52,658 (142% growth from the year before)
Tomorrow?
Growing Randomness in Victim Selection
In the past, large firms were targeted
Now, targeting is increasingly random
No more security through obscurity for small firms and individuals
Growing Malevolence
Most early attacks were not malicious
Malicious attacks are becoming the norm
Growing Attack Automation
Attacks are automated rather than humanly directed
Essentially, viruses and worms are attack robots that travel among computers
They attack many computers in minutes or hours
Figure 1-4: Framework for Attackers
Elite Hackers
Hacking: intentional access without authorization or in excess of authorization
Cracking versus hacking
Technical expertise and dogged persistence
Use attack scripts to automate actions, but this is not the essence of what they do
White hat hackers: break into a system but notify the firm or vendor of the vulnerability (this is still illegal)
Black hat hackers: do not hack to find and report vulnerabilities
Gray hat hackers: go back and forth between the two ways of hacking
Hack but with a code of ethics
Codes of conduct are often amoral: "Do no harm," but delete log files, destroy security settings, etc.
Distrust of evil businesses and government
Still illegal
Deviant psychology and hacker groups to reinforce deviance
Virus Writers and Releasers
Virus writers versus virus releasers
Only releasing viruses is punishable
Script Kiddies
Use prewritten attack scripts (kiddie scripts)
Viewed as lamers and script kiddies
Large numbers make them dangerous
Noise of kiddie script attacks masks more sophisticated attacks
Criminals
Many attackers are ordinary garden-variety criminals
Credit card and identity theft
Stealing trade secrets (intellectual property)
Extortion
Corporate Employees
Have access and knowledge
Financial theft
Theft of trade secrets (intellectual property)
Sabotage
Consultants and contractors
IT and security staff are the biggest danger
Cyberterrorism and Cyberwar
New level of danger
Infrastructure destruction
Attacks on IT infrastructure
Use IT to establish physical infrastructure (energy, banks, etc.)
Simultaneous multi-pronged attacks
Cyberterrorism by terrorist groups versus cyberwar by national governments
Amateur information warfare
Figure 1-5: Framework for Attacks
Attacks
  Physical Access Attacks: Wiretapping, Server Hacking, Vandalism
  Dialog Attacks: Eavesdropping, Impersonation, Message Alteration
  Penetration Attacks:
    Social Engineering: Opening Attachments, Password Theft, Information Theft
    Scanning (Probing)
    Break-in
    Denial of Service
    Malware: Viruses, Worms
Figure 1-6: Attacks and Defenses (Study Figure)
Access Control
Access control is the body of strategies and practices that a company uses to prevent improper access
Prioritize assets
Specify access control technology and procedures for each asset
Test the protection
Site Access Attacks and Defenses
Wiretaps (including wireless LAN intrusions)
Hacking servers with physical access
Social Engineering
Tricking an employee into giving out information or taking an action that reduces security or harms a system
Opening an e-mail attachment that may contain a virus
Asking for a password while claiming to be someone with the right to know it
Asking for a file to be sent to you
Social Engineering Defenses
Training
Enforcement through sanctions (punishment)
Dialog Attacks and Defenses
Eavesdropping: encryption for confidentiality
Imposters: authentication
Cryptographic systems
Figure 1-7: Eavesdropping on a Dialog
Client PC (Bob) and Server (Alice) exchange a dialog ("Hello" / "Hello"); the attacker (Eve) intercepts and reads the messages.
Figure 1-8: Encryption for Confidentiality
Bob's original message "Hello" travels as the encrypted message "100100110001"; the attacker (Eve) intercepts it but cannot read it; Alice decrypts it back to "Hello".
Figure 1-9: Impersonation and Authentication
The attacker (Eve) tells the Server (Alice) "I'm Bob"; Alice replies "Prove it!" (authenticate yourself).
Figure 1-10: Message Alteration
Bob sends "Balance = $1"; the attacker (Eve) intercepts and alters the message, so Alice receives "Balance = $1,000,000".
Figure 1-11: Secure Dialog System
Client PC (Bob) and Server (Alice) communicate over a secure dialog that provides authentication, encryption, and integrity; the attacker cannot read messages, alter messages, or impersonate. The system automatically handles negotiation of security options.
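The integrity and authentication parts of the secure dialog in Figures 1-10 and 1-11 can be demonstrated with a keyed message authentication code. This is an added example, not code from the textbook: it assumes Bob and Alice already share a secret key (the example simply hard-codes a constructed one and does not cover the encryption/confidentiality part), and shows that Eve's altered balance and her forged "I'm Bob" are both rejected by Alice.

```python
import hashlib
import hmac
import secrets

# Assumption for the example: a key Bob and Alice agreed on beforehand.
# Constructed value; a real system would derive it from a key exchange.
SHARED_KEY = b"bob-alice-shared-key-example"


def protect(key: bytes, message: str) -> tuple[str, str]:
    """Sender side: attach an HMAC-SHA256 tag computed with the shared key."""
    tag = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return message, tag


def verify(key: bytes, message: str, tag: str) -> bool:
    """Receiver side: recompute the tag over what arrived and compare
    in constant time. Any change to the message, or a tag made without
    the key, fails this check."""
    expected = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def run_dialog() -> dict:
    # Bob sends the balance statement from Figure 1-10 together with its tag.
    msg, tag = protect(SHARED_KEY, "Balance = $1")

    # Case 1: the message reaches Alice unchanged -> integrity check passes.
    intact = verify(SHARED_KEY, msg, tag)

    # Case 2 (message alteration): Eve rewrites the amount in transit but has
    # to reuse Bob's tag because she cannot compute one without the key.
    altered = verify(SHARED_KEY, "Balance = $1,000,000", tag)

    # Case 3 (impersonation): Eve claims to be Bob and tags the claim with a
    # key of her own; Alice's "Prove it!" check fails.
    eves_key = secrets.token_bytes(32)
    eves_tag = hmac.new(eves_key, b"I'm Bob", hashlib.sha256).hexdigest()
    impersonation = verify(SHARED_KEY, "I'm Bob", eves_tag)

    return {"intact": intact, "altered": altered, "impersonation": impersonation}


if __name__ == "__main__":
    print(run_dialog())
```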
Figure 1-12: Network Penetration Attacks and Firewalls
An attacker on the Internet sends an attack packet toward the internal corporate network. The Internet firewall drops it and records it in its log file, while legitimate packets are passed through to the hardened client PC and hardened server.
Figure 1-13: Scanning (Probing) Attacks
The attacker sends attack packets to 172.16.99.1, 172.16.99.2, etc. on the corporate network; each live host (Host 172.16.99.1, Host 172.16.99.2) answers "I'm here."
Figure 1-14: Single-Message Break-In Attack
1. The attacker sends a single break-in packet. 2. The server is taken over by that single message.
Figure 1-15: Denial-of-Service (DoS) Flooding Attack
The attacker sends a message flood; the server is overloaded by the flood.
Figure 1-16: Intrusion Detection System (IDS)
1. A suspicious packet arrives from an attacker on the Internet. 2. The suspicious packet is passed into the corporate network toward the hardened server. 3. The IDS logs the suspicious packet to its log file. 4. The IDS raises an alarm to the network administrator.
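The scanning attack of Figure 1-13 leaves a characteristic trace in the firewall and IDS log files of Figures 1-12 and 1-16: one source touching many internal addresses in quick succession. The detection logic below is an added example, not part of the textbook; the log format and the addresses are constructed for the example, and the threshold of four distinct hosts is an assumption.

```python
from collections import defaultdict

# Constructed log lines modelled on Figure 1-13: one outside source probing
# 172.16.99.1, 172.16.99.2, ... plus an ordinary client talking to one host.
# The line format is invented for this example:
#   "<time> <action> <src_ip> -> <dst_ip>:<dst_port>"
LOG_LINES = """\
10:00:01 PASS 198.51.100.7 -> 172.16.99.1:80
10:00:02 DROP 198.51.100.7 -> 172.16.99.2:80
10:00:03 DROP 198.51.100.7 -> 172.16.99.3:80
10:00:04 DROP 198.51.100.7 -> 172.16.99.4:80
10:00:05 DROP 198.51.100.7 -> 172.16.99.5:80
10:00:06 PASS 203.0.113.9 -> 172.16.99.1:443
10:00:07 PASS 203.0.113.9 -> 172.16.99.1:443
""".splitlines()


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    time, action, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": time, "action": action, "src": src,
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


def find_scanners(lines, min_hosts: int = 4) -> dict:
    """Return {source_ip: sorted list of probed hosts} for every source that
    contacted at least min_hosts distinct internal addresses. Both passed and
    dropped packets count: a probe that was answered ("I'm here") is exactly
    the information the scanner wanted."""
    hosts_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        hosts_by_src[rec["src"]].add(rec["dst_ip"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= min_hosts}


def alarms(lines) -> list:
    """Step 4 of Figure 1-16: one alarm line per detected scanner."""
    return [f"ALARM scan from {src}: {len(hosts)} hosts probed"
            for src, hosts in find_scanners(lines).items()]


if __name__ == "__main__":
    for line in alarms(LOG_LINES):
        print(line)
```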
Figure 1-17: Security Management
Security is primarily a management issue, not a technology issue
Top-to-Bottom Commitment
Top-management commitment
Operational execution
Enforcement
Comprehensive Security
Closing all avenues of attack
Asymmetrical warfare: the attacker only has to find one opening
Defense in depth: the attacker must get past several defenses to succeed
Security audits: run attacks against your own network
General Security Goals (CIA)
Confidentiality: attackers cannot read messages if they intercept them
Integrity: if attackers change messages, this will be detected
Availability: the system is able to serve users
Figure 1-18: The Plan—Protect—Respond Cycle
Planning
Need for comprehensive security (no gaps)
Risk analysis (see Figure 1-19)
Enumerating threats
Threat severity = estimated cost of attack x probability of attack
Value of protection = threat severity - cost of countermeasure
Prioritize countermeasures by value of protection
Figure 1-19: Threat Severity Analysis

Step  Threat                     A           B          C          D
1     Cost if attack succeeds    $500,000    $10,000    $100,000   $10,000
2     Probability of occurrence  80%         20%        5%         70%
3     Threat severity            $400,000    $2,000     $5,000     $7,000
4     Countermeasure cost        $100,000    $3,000     $2,000     $20,000
5     Value of protection        $300,000    ($1,000)   $3,000     ($13,000)
6     Apply countermeasure?      Yes         No         Yes        No
7     Priority                   1           NA         2          NA
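The seven steps of Figure 1-19 reduce to two formulas from Figure 1-18 (threat severity = cost x probability; value of protection = severity minus countermeasure cost) plus a ranking. The calculator below is an added example, not the textbook's own code: it reproduces the figure's four threats A to D and generalizes the procedure to any list of threats, ranking only those whose value of protection is positive.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    cost_if_success: int     # step 1: dollar loss if the attack succeeds
    probability_pct: int     # step 2: probability of occurrence, in percent
    countermeasure_cost: int  # step 4: cost of the countermeasure

    @property
    def severity(self) -> int:
        """Step 3: threat severity = estimated cost of attack x probability."""
        return round(self.cost_if_success * self.probability_pct / 100)

    @property
    def value_of_protection(self) -> int:
        """Step 5: threat severity minus the cost of the countermeasure.
        Negative values are the figure's parenthesized losses."""
        return self.severity - self.countermeasure_cost

    @property
    def apply(self) -> bool:
        """Step 6: the countermeasure pays for itself only if value > 0."""
        return self.value_of_protection > 0


# The four threats of Figure 1-19 (values taken from the figure).
THREATS = [
    Threat("A", 500_000, 80, 100_000),
    Threat("B", 10_000, 20, 3_000),
    Threat("C", 100_000, 5, 2_000),
    Threat("D", 10_000, 70, 20_000),
]


def prioritize(threats) -> dict:
    """Step 7: rank the countermeasures worth applying, highest value first;
    threats whose countermeasure is rejected get 'NA' as in the figure."""
    worth = sorted((t for t in threats if t.apply),
                   key=lambda t: t.value_of_protection, reverse=True)
    rank = {t.name: i for i, t in enumerate(worth, start=1)}
    return {t.name: rank.get(t.name, "NA") for t in threats}


if __name__ == "__main__":
    for t in THREATS:
        print(t.name, t.severity, t.value_of_protection, t.apply)
    print(prioritize(THREATS))
```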
Figure 1-18: The Plan—Protect—Respond Cycle (continued)
Planning
Security policies drive subsequent specific actions (see Figure 1-20)
Selecting technology
Procedures to make technology effective
Testing of technology and procedures
Figure 1-20: Policy-Driven Technology, Procedures, and Testing
Policy: only allow authorized personnel to use the accounting webserver
Technology: firewall, hardened webserver
Procedures: configuration, passwords, etc.
Protection testing (test security): attempt to connect to the unauthorized webserver
Figure 1-18: The Plan—Protect—Respond Cycle (continued)
Protecting
Installing protections: firewalls, IDSs, host hardening, etc.
Updating protections as the threat environment changes
Testing protections: security audits
Responding
Planning for response (Computer Emergency Response Team)
Incident detection and determination
Procedures for reporting suspicious situations
Determination that an attack really is occurring
Description of the attack to guide subsequent actions
Containment: stop the attack
Recovery: repair the damage
Punishment: forensics, prosecution, employee punishment
Fixing the vulnerability that allowed the attack