Defining Computer Security

As applied to cybertechnology, security can be thought of in terms of measures designed to protect against:
(i) unauthorized access to computer systems;
(ii) alteration of data that resides in, and is transmitted between, computer systems;
(iii) disruption, vandalism and sabotage of computer systems and networks.
Securing systems in this sense is one way of preventing cybercrime.

Defining Computer Security (continued)

A computer is secure "if you can depend on it and its software behaves as you expect." On this definition at least two conditions must hold:
(a) you can depend on your computer (it is reliable and available);
(b) your computer system's software does what it is supposed to do.

Defining Computer Security (continued)

Kizza (1998) argues that computer security involves three elements: confidentiality, integrity and availability.
Confidentiality: protecting against unauthorized disclosure of information to third parties.
Integrity: preventing unauthorized modification of files (and, more generally, of data and systems).
Availability: preventing unauthorized withholding of information from those who need it, when they need it.
Two related properties the deck lists alongside these are reliability and safety.

Two Distinct Aspects of Computer Security

The expression "computer security" is sometimes used ambiguously. In one sense it refers to a computer system's vulnerability to attacks on its hardware and software resources by malicious programs (viruses and worms). This aspect can be called system security.

Another sense is concerned with vulnerability to unauthorized access to, and modification of, data. The data can be either:
(a) resident in one or more disk drives or databases in a computer system;
(b) transmitted between two or more computer systems.
We call this "data security."

[Figure: taxonomy of computer security. Computer security divides into system security and data security; data security covers resident data and transmitted data, with access/availability as a cross-cutting concern.]

[Figure: scene characteristics of an attack on the normal flow from information source to information destination. Threats (red): masquerade, interception, modification, interruption, escalation, covering tracks, capture, identity theft. Security controls and goals (blue): identification, authentication/authenticity, authorization, confidentiality, integrity, availability, non-repudiation, accountability.]

Security Dimensions and Security Objectives

These are the eight security dimensions defined in ITU-T X.805.

Access Control: ensure that only authorised personnel or devices are allowed access to end-user data that is transiting a network element or communications link, or is resident in an offline storage device.
Authentication: verify the identity of the person or device attempting to access end-user data that is transiting a network element or communications link, or is resident in an offline storage device. Authentication techniques may be required as part of access control.
Non-Repudiation: provide a record identifying each individual or device that accessed end-user data that is transiting a network element or communications link, or is resident in offline devices, and the action that was performed. The record is used as proof of access to end-user data.
Data Confidentiality: protect end-user data that is transiting a network element or communications link, or is resident in an offline storage device, against unauthorised access or viewing. Techniques used for access control may contribute to data confidentiality.
Communication Security: ensure that end-user data transiting a network element or communications link is not diverted or intercepted as it flows between the end points without authorised access.
Data Integrity: protect end-user data that is transiting a network element or communications link, or is resident in offline storage devices, against unauthorised modification, deletion, creation and replication.
Availability: ensure that access to end-user data resident in offline storage devices by authorised personnel and devices cannot be denied.
Privacy: ensure that network elements do not provide information about the end-user's network activities (e.g. geographic location, websites visited, content) to unauthorised personnel.

ITU-T X.800 Threat Model (simplified)

1 - Destruction (an attack on availability): destruction of information and/or network resources.
2 - Corruption (an attack on integrity): unauthorized tampering with an asset.
3 - Removal (an attack on availability): theft, removal or loss of information and/or other resources.
4 - Disclosure (an attack on confidentiality): unauthorized access to an asset.
5 - Interruption (an attack on availability): interruption of services; the network becomes unavailable or unusable.

Computer Security and Computer Crime

Computer security issues often overlap with issues analyzed under the topic of computer crime. Virtually every violation of security involving cybertechnology is also criminal in nature: security breaches fall under cyber-specific crimes. But not every instance of crime in cyberspace necessarily involves a breach or violation of security: cyber-related crimes, in which the computer is merely the instrument, need not.

Computer Security Issues as Distinct from Computer Crime

Some computer-related crimes have no direct implications for computer security.
An individual can use a personal computer to:
- make unauthorized copies of software programs;
- stalk a victim in cyberspace;
- solicit sex from minors;
- distribute child pornography;
- engage in illegal gambling activities.
None of these crimes is a direct result of insecure computer systems.

Security as Related to Privacy

Cyber-related issues involving privacy and security often overlap, but some important distinctions can be drawn. Privacy concerns often arise because online users worry about losing control over the ways personal information about them can be accessed by organizations (especially businesses and government agencies). Securing personal information stored in computer databases is an important element in helping individuals achieve and maintain their privacy. The objectives of privacy therefore seem compatible with, and even complementary to, security.

Security as Related to Privacy (continued)

Privacy and security can be thought of as two sides of a single coin, each complementing and completing the other. Many people wish to control who has information about them and how that information is accessed by others: who is accessing it, what they are doing with it, and how.

How Do Security Issues Raise Ethical Concerns?

To realize autonomy, individuals need some control over how information about them is gathered and used; computer security can help users realize this goal. Unauthorized disclosure of personal information is an ethical wrong, and personal privacy also requires that certain kinds of information stored in electronic databases be kept confidential. Secure computers are needed to ensure this.

Back Doors

Back doors are accounts or access paths left by manufacturers and vendors on devices so that they can bypass a locked-out (or inexperienced) system administrator in an emergency. Many network devices ship with one or more default usernames and passwords, and these built-in accounts give administrative privileges to anyone who finds them. Default credentials are widely published, so they should be changed or disabled before a device goes into service.
Viruses

A virus is a small malicious executable program. A virus can be broken into three functional parts:
- replication
- concealment
- bomb (payload)
The combination of these three attributes makes the program a virus.

A common infection technique adds a small piece of code to the beginning of a file (or patches the entry point to jump to code appended at the end) so that when the file is executed the virus is loaded into memory before the actual application.

Replication

A virus must include some method of replication, i.e. some way to reproduce or duplicate itself. When a virus reproduces itself in a file, the result is referred to as an "infection". Replication occurs when the virus is loaded into memory and has access to CPU cycles: a virus cannot spread merely by existing on a hard disk; an infected file must be executed for the virus to become active.

Methods of Replicating

Resident replicating virus: once loaded into memory, waits for other programs to be executed and then infects them.
Nonresident replicating virus: selects one or more executable files on disk and directly infects them without waiting for them to be loaded into memory.
Companion virus: arranges for the virus code to be loaded without modifying the existing file. It takes advantage of the operating system's default order for resolving a command typed without an extension: DOS/Windows first tries a file with the .com extension, then .exe, then .bat, so a virus named prog.com runs in place of prog.exe.

File Infection

Replication can be achieved by file infection or by boot sector replication. File infection relies on the virus's ability to attach itself to a file. In theory any type of file is vulnerable; attackers focus on files that provide some form of access to CPU cycles, either through direct execution or through a secondary application that processes the code (an interpreter or macro engine).

Some viruses have even embedded themselves in raw source-code files.
When the code is eventually compiled, the virus gains access to CPU cycles and replicates further. The most popular type of infection affects directly executable files such as those with .com, .exe, .pif or .bat extensions.

Boot Sector Replication

A boot sector virus infects the system area of the disk that is read when the disk is first accessed or booted. This area can include the master boot record (MBR), the operating system boot sector, or both.

Concealment

To facilitate replication, a virus must have one or more methods of masking its existence: if a running virus simply showed up on your Windows taskbar you would see the problem right away. Stealth techniques let a virus hide the modifications it has made to a file or boot sector (for example by intercepting reads and returning the original content).

Small Footprint

Viruses tend to be small; even a large virus can be under 2 KB. This small footprint makes it easier for the virus to conceal itself on local storage media (it can live in the slack space between two stored files) and while running in memory. To keep the virus as small as possible, most are coded in assembly language.

Polymorphic Virus

A polymorphic virus changes its signature from one infected file to the next while remaining operational. Many virus scanners detect a virus by searching for signature code; since a polymorphic virus changes its appearance between infections, it is far harder to detect. One way to produce a polymorphic virus is to encrypt the body with a different key each time and vary the decryption routine that precedes it.

Social-Engineering Viruses

Social-engineering "viruses" are hoaxes that spread the way a virus does, but through people rather than code. A good example is the Good Times virus hoax, which circulated on the Internet for many years. The e-mail announces that a dangerous virus is being circulated via e-mail and can wipe out all the files on your computer.
The message even claims that the virus's existence has been confirmed. People concerned that their friends may be attacked then forward the hoax to everyone in their address books.

Bomb

Our virus has successfully replicated itself and avoided detection. What will it do next? Most viruses are programmed to wait for a specific trigger event, which can be almost anything: the arrival of a specific date, the infection of a specific number of files, or the detection of a predetermined activity.

Worms

Traditionally a computer worm was an application that could replicate itself across a permanent or dial-up network connection. Unlike a virus, which seeds itself within the computer's hard disk or file system, a worm is a self-supporting program: it does not need to attach itself to a file. Some worms maintain only a functional copy of themselves in active memory and never write themselves to disk. Examples: the Vampire worm, the Great Internet Worm (the 1988 Morris worm), and the WANK worm.

Trojan Horse

A Trojan horse is an application that hides a nasty surprise: a process or function that performs an activity the user is unaware of. Trojans are programs that look like ordinary software but perform unintended (and sometimes malicious) actions behind the scenes when launched; a classic form replaces a network service. A Trojan does not replicate. The ILOVEYOU e-mail virus is often treated as a Trojan horse because it relied on a disguised attachment to get users to run it (it then mass-mailed itself like a worm).

How Trojan Horses Differ from Viruses

- A Trojan does not replicate or attach itself to a file.
- It is a stand-alone application whose bomb was included in the original source code.
- A Unix Trojan can replace the Telnet server process (telnetd) and quietly record all login names and passwords that authenticate to the system.
- Trojans are often immediately destructive rather than waiting for a trigger.

Denial of Service Attacks

On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
In a DoS attack the attacker sends a stream of requests to a service on the server machine in the hope of exhausting a resource such as memory or consuming all processor capacity. Examples: ping broadcast, Smurf, ping of death, teardrop.

Other attacks the deck lists under DoS: FTP bounce attacks, port scanning, ping flooding, Smurf, SYN flooding, IP fragmentation / overlapping fragment attacks, IP sequence prediction, DNS cache poisoning, SNMP attacks, sendmail attacks. (Several of these, such as port scanning, IP sequence prediction and DNS cache poisoning, are reconnaissance or spoofing techniques rather than denial of service in themselves.)

Ping broadcast: a ping (ICMP echo request) is sent to a broadcast network address where there are many hosts, with the source address forged to be the IP address of the computer to be attacked. If the router passes the broadcast ping, every host on the network replies to the victim, which is flooded with ping responses and may be unable to operate on the network for some time, or even lock up.

Ping of death: an oversized ICMP datagram (a reassembled packet larger than the 65,535-byte IP maximum) can crash IP stacks from before about 1996.

Smurf: the same amplification attack, named after the tool that automated it: a ping request is sent to a broadcast address with the source address spoofed, so that many ping replies come back to the victim and overload its ability to process them.

Teardrop Attack

This denial of service attack exploits the way IP requires a packet that is too large for the next router to be divided into fragments. Each fragment carries an offset from the beginning of the original packet, which lets the receiving system reassemble it. In the teardrop attack the attacker puts an inconsistent (overlapping) offset value in the second or later fragment.
If the receiving operating system's reassembly code does not handle this case, the system can crash.

Brute-Force Attack on Encryption

Exhaustive search of the encryption key space.

Session Hijacking

An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it (for example by launching an ICMP flood against it), then use IP spoofing to claim to be the client that was just authenticated and take over the session.

DNS Poisoning

An attack in which DNS information is falsified. The attacker sends incorrect DNS information, e.g. a wrong IP address for a name, which can cause traffic to be diverted. It can succeed under the right conditions but is not always practical as an attack form.

Sniffing

Sniffing is the interception of data packets traversing a network. On its own it is passive; it becomes an active intrusion when packet sniffing is combined with IP spoofing.

IP spoofing: an attacker fakes their source IP address so the receiver thinks a packet came from a location it did not. Certain spoofed packets could crash or lock up some older operating systems, including Windows (the classic case sets the source address equal to the victim's own). Similarly, DNS poisoning is used for server spoofing.

Attacks on Different Layers

IP attacks, ICMP attacks, routing attacks, TCP attacks, application-layer attacks.

Security Countermeasures

A security countermeasure is an action, device, procedure, technique or other measure that reduces the vulnerability of a computer system to a threat. We have come to rely increasingly on countermeasures; many security analysts believe they would not be as necessary as they currently are if better security features were built into computer systems.
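The DoS techniques above (ping broadcast/Smurf, SYN flooding, overlapping fragments) each leave a recognisable pattern in traffic, which is what a signature-based IDS matches on. The following is an added example, not code from the lecture, that runs three such checks over a constructed list of packet records; the `Packet` fields, addresses and thresholds are assumptions for the example, and a real sensor would take them from a pcap or flow export.

```python
"""Added example (not from the slides): signature-style detection of three
DoS patterns over constructed packet records."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    flags: str = ""       # TCP flags, e.g. "S", "SA", "A"
    ip_id: int = 0        # IP identification field, shared by fragments
    frag_off: int = 0     # fragment offset in bytes
    length: int = 0       # payload bytes carried by this fragment
    more_frags: bool = False

LOCAL_NET = "192.0.2."        # assumed protected network
BROADCAST = "192.0.2.255"     # its directed broadcast address

def detect_smurf(pkts: List[Packet]) -> List[str]:
    """Echo requests to the broadcast address from a non-local source: the
    amplification step of a ping-broadcast / Smurf attack (the source is
    the victim's spoofed address)."""
    return [f"smurf: echo request to {p.dst} with spoofed source {p.src}"
            for p in pkts
            if p.proto == "icmp" and p.dst == BROADCAST
            and not p.src.startswith(LOCAL_NET)]

def detect_syn_flood(pkts: List[Packet], threshold: int = 5) -> List[str]:
    """Per destination, count SYNs whose source never sent an ACK.  Many
    half-open connections to one host is the SYN-flood signature."""
    syns, acks = defaultdict(set), defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns[p.dst].add(p.src)
        elif "A" in p.flags:
            acks[p.dst].add(p.src)
    return [f"syn flood: {len(syns[d] - acks[d])} half-open connections to {d}"
            for d in syns if len(syns[d] - acks[d]) >= threshold]

def detect_overlapping_fragments(pkts: List[Packet]) -> List[str]:
    """Teardrop: a fragment whose byte range overlaps one already seen for
    the same (src, dst, ip_id) datagram."""
    seen = defaultdict(list)
    hits = []
    for p in pkts:
        if not (p.more_frags or p.frag_off):
            continue                      # not a fragment
        key = (p.src, p.dst, p.ip_id)
        lo, hi = p.frag_off, p.frag_off + p.length
        for start, end in seen[key]:
            if lo < end and hi > start:
                hits.append(f"teardrop: fragment {lo}-{hi} of id {p.ip_id} "
                            f"overlaps {start}-{end}")
                break
        seen[key].append((lo, hi))
    return hits

# Constructed sample traffic (addresses from the documentation ranges).
SAMPLE = [
    Packet("192.0.2.20", BROADCAST, "icmp"),            # local ping to broadcast: benign
    Packet("203.0.113.9", BROADCAST, "icmp"),           # spoofed victim source: Smurf
    Packet("198.51.100.5", "192.0.2.10", "tcp", "S"),   # legitimate handshake ...
    Packet("198.51.100.5", "192.0.2.10", "tcp", "A"),   # ... completed
] + [Packet(f"203.0.113.{i}", "192.0.2.10", "tcp", "S") for i in range(1, 7)] + [
    Packet("203.0.113.9", "192.0.2.10", "udp", ip_id=7, frag_off=0, length=64, more_frags=True),
    Packet("203.0.113.9", "192.0.2.10", "udp", ip_id=7, frag_off=32, length=64),
]

def run_sample(pkts: List[Packet] = SAMPLE) -> dict:
    return {"smurf": detect_smurf(pkts),
            "syn_flood": detect_syn_flood(pkts),
            "teardrop": detect_overlapping_fragments(pkts)}

if __name__ == "__main__":
    for kind, alerts in run_sample().items():
        for a in alerts:
            print(kind, "->", a)
```

The SYN-flood check deliberately counts distinct sources rather than raw SYN count, since flood tools spoof a fresh source per packet; the teardrop check fires on any overlap, which also catches the newer fragment-overlap evasions, not only the original exploit.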
Implementing Security

Security implementation is unique to each user, company and system. A complete solution contains four components:
- Prevention (access control measures, firewalls)
- Detection (IDS, virus scanners)
- Reaction (disaster mode and severity)
- Recovery (network disaster management system)

Types of Security Countermeasures

Firewalls (e.g. the Cisco PIX), anti-virus software, encryption tools, anonymity tools, IDS, VPNs, access control, honeypots.

Firewall Technology

A firewall is a system or combination of systems that enforces a boundary between two or more networks. Firewalls help secure systems not only from unauthorized access to information in databases, but also prevent unwanted and unauthorized communication into or out of a privately owned network.

Proxy and PIX Firewalls

A firewall is a "blockage" between an internal privately owned network and an external network that is not assumed to be secure.

Intrusion Detection Systems

An IDS analyzes network traffic to look for evidence of attack; it also scans access logs and analyzes the characteristics of files to see if they have been compromised. A signature-based IDS keeps thousands of attack patterns in a database and matches them against ordinary traffic to detect malicious traffic. An IDS may be hardware- or software-based, e.g. Snort.

Functions of an IDS
- monitoring and analyzing both user and system activities
- analyzing system configurations and vulnerabilities
- assessing system and file integrity
- recognizing patterns typical of attacks
- analyzing abnormal activity patterns
- tracking user policy violations

Types of IDS
- Network intrusion detection systems (NIDS), e.g. Snort (ZoneAlarm, which the deck also lists here, is a personal firewall rather than a NIDS)
- Host intrusion detection systems (HIDS)
- System integrity verifiers (SIV), e.g. Tripwire
- Log file monitors (LFM)

Honeypot: a decoy server used to trace and mislead the attacker. Honeypots are classified as production or research honeypots.

VPN

A virtual private network is a private network that uses links across private or public networks, e.g.
the Internet. Windows Server 2003 supports VPNs over PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer Two Tunneling Protocol); both are installed automatically. Lab: configure a VPN server on Windows Server 2003, make a VPN client and connect via VPN. (PPTP is now considered insecure, since its MS-CHAPv2 authentication can be broken, and should be avoided; of the two, L2TP over IPsec is the better choice.)

Preventive Measures

Access control, checksum verification, process monitoring, virus scanners.

Access Control (ACLs)

Access control will not remove or even detect an infected program. It does, however, help a system resist infection by allowing fine-grained permissions on files in a multi-user operating system on a user-by-user basis.

Attribute Manipulation

To protect files from virus infection, early DOS users set their executable files to read-only: if a file could not be modified, a virus could not infect it. Virus writers responded by adding code to reset the attributes, infect the file, and restore them. This method of protection is of little value against today's viruses. If administrator-level privileges are required to change a file's permissions, however, a virus running from a regular user account cannot change them.

Checksum Verification

A checksum or CRC is a mathematical summary of the data in a file. It cannot detect infection as such; it can only detect that the file has changed since the checksum was recorded. CRCs were designed for error detection (and, with suitable codes, error correction) against accidental corruption, not against an adversary: an attacker who modifies a file can adjust it so the CRC still matches, which is why integrity verifiers use cryptographic hashes (or MACs) instead.

Process Monitoring

Process monitoring observes system activity and intercepts anything that looks suspicious. For example, enabling BIOS antivirus protection intercepts all write attempts to the MBR. The problem is that viruses and normal programs share many attributes, which makes it difficult to tell them apart.

Virus Scanners/Detectors

The most popular way of detecting viruses is virus-scanning software, which uses a signature file to locate viruses in infected files.
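As an added example for the Checksum Verification section above (this is not code from the lecture): a CRC-32 is linear over GF(2), so after tampering with a file an attacker can append four bytes that restore the original CRC. A verifier that records CRCs therefore accepts the forged file, while one that records SHA-256 (as Tripwire-style integrity verifiers do) rejects it. The "file" contents are constructed for the example; the forging routine below is written from the definition of CRC-32 and only uses `zlib.crc32` for checking.

```python
"""Added example (not from the slides): forging a CRC-32 after tampering,
versus a cryptographic hash that cannot be fixed up."""
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib

# Standard byte-at-a-time CRC table.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top bytes of the table entries are a permutation of 0..255, so one
# register update can be inverted by looking up which entry produced the
# top byte of the new register value.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}
assert len(_REV) == 256

def _unstep_zero(y: int) -> int:
    """Inverse of one register update with a zero input byte:
    y = table[x & 0xff] ^ (x >> 8)  ->  x."""
    idx = _REV[y >> 24]
    return (((y ^ _TABLE[idx]) << 8) | idx) & 0xFFFFFFFF

def forge_crc32(data: bytes, target: int) -> bytes:
    """Return data + 4 bytes such that zlib.crc32(result) == target.

    Feeding bytes p0..p3 into the register from state S gives the same
    result as feeding four zero bytes from state S ^ le32(p0..p3), because
    each update XORs the next input byte into the low register byte.  So we
    run the four zero-byte updates backwards from the required final
    register and XOR with the register we actually have."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF      # register after `data`
    want = target ^ 0xFFFFFFFF                 # register we must end in
    for _ in range(4):
        want = _unstep_zero(want)
    patch = (state ^ want).to_bytes(4, "little")
    return data + patch

def forge_to_match(data: bytes, reference: bytes) -> bytes:
    """Make `data` carry the same CRC-32 as `reference`."""
    return forge_crc32(data, zlib.crc32(reference))

def verify(original: bytes, candidate: bytes) -> dict:
    """What a CRC-based and a hash-based integrity verifier each conclude."""
    return {
        "crc32_ok": zlib.crc32(candidate) == zlib.crc32(original),
        "sha256_ok": hashlib.sha256(candidate).digest()
                     == hashlib.sha256(original).digest(),
    }

# Constructed 'file' and the attacker's edit of it.
ORIGINAL = b"#!/bin/sh\nexec /usr/sbin/sshd -D\n"
TAMPERED = b"#!/bin/sh\nexec /tmp/evil_sshd -D\n"

def demo():
    forged = forge_to_match(TAMPERED, ORIGINAL)
    return forged, verify(ORIGINAL, forged)

if __name__ == "__main__":
    forged, result = demo()
    print("appended bytes:", forged[-4:].hex(), "->", result)
```

The four appended bytes are invisible to a shell script (they follow the final newline), so the CRC verifier's "unchanged" verdict is worthless against a deliberate modification; the same attack works on any CRC size, only the number of padding bytes changes. A keyed MAC is needed if the attacker can also read and rewrite the stored checksum database.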
A signature file is a database that lists all known viruses along with their attributes. Anti-virus software is designed to "inoculate" computer systems against viruses, worms and other malicious programs. A pure signature scanner can only detect viruses it already knows about.

Virus scanners are typically used in conjunction with firewall technology to protect individual computer systems as well as network domains in universities and in governmental and commercial organizations.

Types of Virus Scanners

On demand: must be started manually or by some scheduled process; the system may already be infected before the virus is detected.
Memory resident: runs in the background and can identify a virus before it infects the system.

Encryption Tools

Encryption converts the information in a message composed in ordinary text ("plaintext") into "ciphertext". The use of data encryption or cryptography to communicate sensitive information is not new.

Types of Encryption

In private-key (symmetric) encryption both parties use the same algorithm and the same secret key. Public-key cryptography uses two keys, one public and the other private.

Terminology
plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to ciphertext
key - information used by the cipher, known only to the sender and receiver (in symmetric encryption)
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles and methods
cryptanalysis (codebreaking) - study of methods for deciphering ciphertext without knowing the key
cryptology - the field of both cryptography and cryptanalysis

Encryption

If A wishes to communicate with B, A uses B's public key to encrypt the message. That message can then be decrypted only with B's private key, which is secret. Similarly, when B responds to A, B uses A's public key to encrypt the message.
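The following is an added example, not code from the lecture, tying together the Polymorphic Virus and Virus Scanners sections: a toy signature scanner, a "sample" whose body is XOR-encrypted under a per-infection key so that the plain signature no longer matches, and the classic scanner counter-measure ("X-raying": try every single-byte key and rescan). The virus body, signature, decryptor stub and host file are constructed byte strings standing in for real code; nothing here executes anything.

```python
"""Added example (not from the slides): signature scanning versus an
XOR-encrypted polymorphic body, and X-ray scanning as the counter-measure."""

# Constructed stand-in for the constant part of a virus body.
VIRUS_BODY = b"\xb8\x13\x37\xcd\x21VIRUS-PAYLOAD\xeb\xfe"
# A scanner signature: a distinctive slice of that body.
SIGNATURES = {"toy.virus.a": b"VIRUS-PAYLOAD\xeb\xfe"}

def infect_plain(host: bytes) -> bytes:
    """Non-polymorphic infection: the unchanged body is prepended."""
    return VIRUS_BODY + host

def infect_polymorphic(host: bytes, key: int) -> bytes:
    """Polymorphic infection: the body is XOR-encrypted under a
    per-infection key and preceded by a small decryptor stub carrying the
    key (the stub bytes are a constructed stand-in, not real code)."""
    assert 1 <= key <= 255
    encrypted = bytes(b ^ key for b in VIRUS_BODY)
    stub = b"\xb0" + bytes([key]) + b"\x30\x04"
    return stub + encrypted + host

def scan_signatures(sample: bytes) -> list:
    """Plain signature scan: names of signatures found in the sample."""
    return [name for name, sig in SIGNATURES.items() if sig in sample]

def scan_xray(sample: bytes) -> list:
    """Signature scan repeated after decoding with every single-byte XOR
    key, which recovers a body that was only XOR-encrypted."""
    found = set(scan_signatures(sample))
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in sample)
        found.update(scan_signatures(decoded))
    return sorted(found)

HOST = b"MZ" + b"\x90" * 32      # constructed clean host program

def demo() -> dict:
    plain = infect_plain(HOST)
    poly1 = infect_polymorphic(HOST, 0x5A)
    poly2 = infect_polymorphic(HOST, 0xC3)
    prefix = len(VIRUS_BODY) + 4          # stub + encrypted body
    return {
        "clean_plain": scan_signatures(HOST),
        "clean_xray": scan_xray(HOST),
        "plain_sig": scan_signatures(plain),       # found
        "poly_sig": scan_signatures(poly1),        # missed by plain scan
        "poly_xray": scan_xray(poly1),             # recovered by X-ray
        "variants_differ": poly1[:prefix] != poly2[:prefix],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two infections of the same host differ byte for byte in their first bytes, which is what defeats a fixed signature. Real polymorphic engines vary the decryptor itself and use longer keys, which is why production scanners emulate the sample in a sandbox until the body is decrypted in memory rather than relying on key brute force alone.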
Certificates and Digital Signatures

Anonymity Tools

Users want to secure the integrity and confidentiality of their electronic communications. They also wish to protect their identity while engaging in online activities. Anonymity tools such as the Anonymizer, and pseudonymity agents such as Lucent's Personalized Web Assistant, enable users to roam the Web anonymously or pseudonymously.

Anonymity Tools (continued)

An individual is anonymous in cyberspace when that person can navigate the Internet in a way that does not reveal his or her personal identity, e.g. the user cannot be identified beyond certain technical information such as an IP address, ISP, and so forth.

Tradeoffs Involving Computer Security

Can total security in cyberspace be achieved? More secure computer systems might also result in products that are more expensive; would consumers be willing to pay more for them? The costs of computer security can be measured both in monetary and non-monetary terms (such as convenience and flexibility), because more secure systems may also be less user-friendly. There is a further tension to balance: on one side we want anonymity on the Internet; on the other we want security and accountability against cybercrime.

Seeking perfect security would make a system useless, because "anything worth doing requires some risk."

Computer Security and Risk Analysis

What is the acceptable level of risk in computer systems, and how can we assess it? Risk can be understood and assessed as the net result of the impact of five elements: assets, threats, vulnerabilities, impact and safeguards.