Defining Computer Security





As applied to cybertechnology, security can
be thought of in terms of various measures
designed to protect against:
(i) unauthorized access to computer systems
(ii) alteration of data that resides in and is
transmitted between computer systems
(iii) disruption, vandalism, and sabotage of
computer systems and networks.
One way to overcome cybercrimes
Defining Computer Security
(continued)

A computer is secure


"if you can depend on it and its software behaves
as you expect."
According to this definition, at least two
conditions must be satisfied:


(a) you can depend on your computer (i.e., it is
reliable and available)
(b) your computer system's software does what it
is supposed to do.
Defining Computer Security
(continued)

Kizza (1998) argues that computer security involves
three elements:






Confidentiality;
Integrity;
Availability.
Confidentiality focuses on protecting against unauthorized disclosure of information to third parties.
Integrity can be understood as preventing
unauthorized modification of files.
Availability means preventing unauthorized
withholding of information from those who need it
when they need it.
Cont……


Reliability
Safety
Two Distinct Aspects
of Computer Security



The expression "computer security" is
sometimes used ambiguously.
In one sense, "computer security" refers to
concerns related to a computer system's
vulnerability to attacks involving system
hardware and software resources from
"malicious programs" (viruses and worms).
This aspect of computer security can be
referred to as system security.
Two Distinct Aspects
of Computer Security





Another sense of "computer security" is
concerned with vulnerability to unauthorized
access and modification of data.
The data can be either:
(a) resident in one or more disk drives or
databases in a computer system;
(b) transmitted between two or more
computer systems.
We call this “data security.”
Computer Security
[Diagram: Computer Security divides into System Security and Data Security; Data Security divides into Resident Data and Transmitted Data.]
[Figure: access/availability scenario showing the normal flow from information source to information destination. Colour code: blue = security controls, red = threats. Labels: Goal, Masquerade, Interception, Authenticity, Confidentiality, Non-Repudiation, Modification, Interruption, Escalation, Covering Tracks, Integrity, Availability, Authorization, Accountability, Capture, Identity Theft, Identification.]
Security Dimension - Security Objectives
Access Control - Ensure that only authorised personnel or devices are allowed access to end-user data that is transiting a network element or communications link or is resident in an offline storage device.
Authentication - Verify the identity of the person or device attempting to access end-user data that is transiting a network element or communications link or is resident in an offline storage device. Authentication techniques may be required as part of Access Control.
Non-Repudiation - Provide a record identifying each individual or device that accessed end-user data that is transiting a network element or communications link, or is resident in offline devices, and that the action was performed. The record is to be used as proof of access to end-user data.
Data Confidentiality - Protect end-user data that is transiting a network element or communications link, or is resident in an offline storage device, against unauthorised access or viewing. Techniques used to address access control may contribute to providing data confidentiality for end-user data.
Communication Security - Ensure that end-user data that is transiting a network element or communications link is not diverted or intercepted as it flows between the end points (without authorised access).
Data Integrity - Protect end-user data that is transiting a network element or communications link or is resident in offline storage devices against unauthorised modification, deletion, creation and replication.
Availability - Ensure that access to end-user data resident in offline storage devices by authorised personnel and devices cannot be denied.
Privacy - Ensure that network elements do not provide information pertaining to the end-user's network activities (e.g., users' geographic location, websites visited, content, etc.) to unauthorised personnel.
ITU-T X.800 Threat Model
(simplified)
1 - Destruction (an attack on availability):
– Destruction of information and/or network
resources
2 - Corruption (an attack on integrity):
– Unauthorized tampering with an asset
3 - Removal (an attack on availability):
– Theft, removal or loss of information and/or
other resources
4 - Disclosure (an attack on confidentiality):
– Unauthorized access to an asset
5 - Interruption (an attack on availability):
– Interruption of services. Network becomes
unavailable or unusable
Computer Security and
Computer Crime




Computer security issues often overlap with
issues analyzed under the topic of computer
crime.
Virtually every violation of security involving
cybertechnology is also criminal in nature.
So only cyber-specific crimes, not cyber-related
crimes, are involved in cyber security.
But not every instance of crime in cyberspace
necessarily involves a breach or violation of
security.
Computer Security Issues as
Distinct from Computer Crime


Some computer-related crimes have no direct
implications for computer security.
An individual can use a personal computer to:






Make unauthorized copies of software programs;
Stalk a victim in cyberspace;
Elicit sex with young children;
Distribute child pornography;
Engage in illegal gambling activities.
None of these kinds of crimes are a direct
result of insecure computer systems.
Security as Related to Privacy


Cyber-related issues involving privacy and security
often overlap.
Some important distinctions can be drawn.



Privacy concerns often arise because on-line users are
concerned about losing control over ways in which personal
information about them can be accessed by organizations
(especially by businesses and government agencies).
Securing personal information stored in computer databases
is an important element in helping individuals to achieve and
maintain their privacy.
The objectives of privacy would seem compatible with, and
even complementary to, security.
Security as Related to Privacy
(continued)



Privacy and security concerns can be thought
of as two sides of a single coin, where each
side complements and completes the other.
Many people wish to control who has
information about them, and how that
information is accessed by others.
Who is doing it, what is being done, and how it is being done.
How Do Security Issues Raise
Ethical Concerns?



To realize autonomy, individuals need to be
able to have some access control over how
information about them is gathered and used.
Computer security can help users realize this
goal. Disclosing private information is unethical.
Personal privacy also requires that certain
kinds of information stored in electronic
databases be kept confidential.

Secure computers are needed to ensure this.
BACK DOORS ….

Are accounts left by manufacturers and
vendors on devices that allow them to bypass
a locked-out or clueless system administrator
in case of emergency. Every network device
comes shipped with more than one default
username and password, and these built-in
accounts offer administrative privileges to
anyone who finds them.
Virus spread
A small malicious executable program.
The definition of virus is a program that
can be broken into 3 functional parts




Replication
Concealment
Bomb
The combination of these three
attributes makes the collective program
a virus
Cont….

A virus adds a small piece of code to
the beginning of the file so that when the
file is executed, the virus is loaded into
memory before the actual application.
Replication




A virus must include some method of
replication, i.e., some way to reproduce or
duplicate itself.
When a virus reproduces itself in a file, the
result is sometimes referred to as an "infection".
Replication occurs when the virus is loaded
into memory and has access to CPU cycles.
A virus cannot spread merely by existing on a hard
disk; an infected file must be executed in
order for the virus to become active.
Method of Replicating




Resident replicating virus: A resident replicating virus, once
loaded into memory, waits for other programs to be
executed and then infects them.
Nonresident replicating virus: A nonresident replicating
virus selects one or more executable files on disk and
directly infects them without waiting for them to be
processed in memory.
Companion virus: A virus which facilitates the loading of the
virus code without actually infecting the existing file.
It takes advantage of the default OS order of executing files,
e.g., Windows first tries to execute a file with a .com
extension, then an .exe extension, and finally a .bat
extension.
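A defender can check for the companion pattern described above by looking for same-named programs that shadow each other in one directory. The following is an added example, not part of the original slides; the function name, the sample listing and the assumption that the lookup order is exactly .com, .exe, .bat (as the slide states) are illustrative.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Lookup order stated on the slide: .com first, then .exe, then .bat.
SEARCH_ORDER = (".com", ".exe", ".bat")

# Constructed sample listing (not from any real host).
SAMPLE_LISTING = [
    r"C:\Tools\report.exe",
    r"C:\Tools\report.COM",   # same base name, earlier in the lookup order
    r"C:\Tools\backup.bat",
    r"C:\Tools\notes.txt",
    r"C:\Other\report.bat",   # different directory, nothing shadows it there
]

def find_shadowed(paths):
    """Group launchable files by (directory, base name) and report every group
    in which more than one extension from SEARCH_ORDER is present.

    Returns {(directory, base): (winner, [shadowed, ...])} where `winner` is the
    file the lookup order would run and `shadowed` are the files it hides.
    """
    groups = defaultdict(dict)
    for raw in paths:
        p = PureWindowsPath(raw)
        ext = p.suffix.lower()
        if ext in SEARCH_ORDER:
            # Windows file names are case-insensitive, so compare in lower case.
            groups[(str(p.parent).lower(), p.stem.lower())][ext] = str(p)

    findings = {}
    for key, by_ext in groups.items():
        if len(by_ext) > 1:
            ordered = [by_ext[e] for e in SEARCH_ORDER if e in by_ext]
            findings[key] = (ordered[0], ordered[1:])
    return findings

if __name__ == "__main__":
    for (folder, base), (winner, hidden) in find_shadowed(SAMPLE_LISTING).items():
        print(f"{folder}\\{base}: {winner} runs instead of {', '.join(hidden)}")
```

A hit is a lead to review rather than proof of infection, since some legitimate software ships a launcher script next to its executable.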
File Infection



The method of replication can be the result of
file infection or boot sector replication.
File infection relies on the virus’s ability to
attach itself to a file. In theory, any type of
file is vulnerable to attack.
Attackers tend to focus, however, on files that
provide some form of access to CPU cycles.
This access can be through direct execution
or through some secondary application
processing the code.
Contd..


Some viruses have even embedded
themselves in raw source-code files. When
the code is eventually compiled, the virus
becomes capable of accessing CPU cycles,
thus replicating even further.
The most popular type of infection affects
direct executable files like .com, .exe, .pif, or
.bat file extensions
Boot Sector Replication


Boot sector viruses infect the system area
of the disk that is read when the disk is
initially accessed or booted.
This area can include the MBR, the OS
boot sector or both.
Concealment


To facilitate replication, a virus must
have one or more methods of masking
its existence. If a running virus simply
showed up on your Windows Taskbar,
you’d see a problem right away.
Stealth allows a virus to hide the
modifications made to a file or boot
sector.
Small Footprint


Viruses tend to be small. Even a large
virus can be less than 2KB in size. This
small footprint makes it far easier for
the virus to conceal itself on the local
storage media and while it is running in
memory. It can reside in the space between
two stored files.
To ensure that a virus is as small as
possible, most viruses are coded in
assembly language.
Polymorphic Virus




A polymorphic virus can change its virus
signature from infected file to infected file while
still remaining operational.
Many virus scanners detect a virus by
searching for signature code.
Since a polymorphic virus can change its
appearance between infections, it is far more
difficult to detect.
One way to produce a polymorphic virus is to
include a variety of encryption schemes that
use different decryption routines
Social engineering viruses

Social-engineering viruses meet all the criteria of
a normal virus, except they rely on people to
spread the infection, not a computer. A good
example of a social engineering virus is the Good
Times virus hoax that has circulated on the
Internet for many years. This e-mail message
announces that a dangerous virus is being
circulated via e-mail and has the ability to wipe
out all the files on your computer. This message
even claims that the virus’s existence has been
confirmed. People concerned that their friends
may be attacked by this virus then forward the
hoax to every person in their address books
Bomb

Our virus has successfully replicated itself and
avoided detection. The question now
becomes: what will the virus do next? Most
viruses are programmed to wait for a specific
event. This event can be almost
anything, including the arrival of a specific
date, the infection of a specific number of
files, or even the detection of a predetermined
activity.
Worms




Traditionally, a computer worm was considered an
application that could replicate itself via a permanent
or a dial-up network connection.
Unlike a virus, which seeds itself within the
computer’s hard disk or file system, a worm is a self-supporting
program. It does not need to attach itself to a
file.
A typical worm maintains only a functional copy of
itself in active memory; it does not even write itself
to disk.
The Vampire Worm, The Great Internet Worm, The
Wank Worm
Trojan Horse





An application that hides a nasty surprise
Process or Function that Performs an activity that
user is unaware of
TROJANS are programs that look like ordinary
software, but actually perform unintended (and
sometimes malicious) actions behind the scenes
when launched.
Replaces network services. Does not replicate.
The e-mail virus I LOVE YOU is considered to be a
Trojan Horse.
How Trojan Horses are
Different From Viruses





Does not replicate or attach itself to a file
Is a stand alone application that had its bomb
included from the original source code
Unix Trojan can replace Telnet Server process
(Telnetd)
Quietly records all logon names and
passwords that authenticate to the system
Are immediately destructive
DoS Attack


On the Internet, a denial of service (DoS)
attack is an incident in which a user or
organization is deprived of the services of a
resource they would normally expect to have.
In a Denial of Service (DoS) attack, the
attacker sends a stream of requests to a
service on the server machine in the hope of
exhausting all resources like "memory" or
consuming all processor capacity.
E.g., ping broadcast, Smurf, Ping of death,
Teardrop attack
Other DoS Attacks are










FTP Bounce Attacks
Port Scanning Attack
Ping Flooding Attack
Smurf Attack
SYN Flooding Attack
IP Fragmentation/Overlapping Fragment Attack
IP Sequence Prediction Attack
DNS Cache Poisoning
SNMP Attack
Send Mail Attack
Ping broadcast
 - A ping request packet is sent to a broadcast
network address where there are many hosts. The
source address is shown in the packet to be the IP
address of the computer to be attacked. If the router
to the network passes the ping broadcast, all
computers on the network will respond with a ping
reply to the attacked system. The attacked system
will be flooded with ping responses which will cause
it to be unable to operate on the network for some
time, and may even cause it to lock up.
Cont…..


Ping of death - An oversized ICMP
datagram can crash IP devices that were
made before 1996.
Smurf - An attack where a ping request is
sent to a broadcast network address with the
sending address spoofed so many ping replies
will come back to the victim and overload the
ability of the victim to process the replies.
Teardrop Attack

This type of denial of service attack exploits the way
that the Internet Protocol (IP) requires a packet that is
too large for the next router to handle be divided into
fragments. The fragment packet identifies an offset to
the beginning of the first packet that enables the
entire packet to be reassembled by the receiving
system. In the teardrop attack, the attacker's IP puts
a confusing offset value in the second or later
fragment. If the receiving operating system does not
have a plan for this situation, it can cause the system
to crash.
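The "plan for this situation" is a consistency check on the fragment set before reassembly. The following is an added example, not part of the original slides; it goes beyond the teardrop case to also flag the oversized datagram described under Ping of death. The names `Fragment` and `check_fragments`, and the 20-byte header without options, are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # largest value the 16-bit IPv4 Total Length field can hold
IP_HEADER_LEN = 20       # assumption: IPv4 header without options

@dataclass(frozen=True)
class Fragment:
    offset_units: int     # Fragment Offset field, counted in 8-byte units
    payload_len: int      # bytes of data carried after the IP header
    more_fragments: bool  # MF flag: True on every fragment except the last

def check_fragments(frags):
    """Validate one datagram's fragments before reassembly.

    Returns a list of (problem, byte_offset) tuples; an empty list means the
    set is consistent. A receiver would drop the whole datagram otherwise.
    """
    problems = []
    ordered = sorted(frags, key=lambda f: f.offset_units)
    expected = 0  # byte offset where the next fragment's data should begin
    for idx, frag in enumerate(ordered):
        start = frag.offset_units * 8
        end = start + frag.payload_len
        is_last = idx == len(ordered) - 1
        # Every fragment except the last must carry a multiple of 8 bytes.
        if frag.more_fragments and frag.payload_len % 8:
            problems.append(("unaligned", start))
        # Teardrop: a later fragment claims bytes an earlier one already covered.
        if start < expected:
            problems.append(("overlap", start))
        elif start > expected:
            problems.append(("gap", expected))
        # MF must be set on all but the final fragment, and clear on the final one.
        if frag.more_fragments == is_last:
            problems.append(("bad_mf_flag", start))
        # Ping of death: reassembled size would exceed the maximum IP datagram.
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            problems.append(("oversized", start))
        expected = max(expected, end)
    return problems

# Constructed fragment sets (not captured traffic).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 40, False)]
OVERLAPPING = [Fragment(0, 40, True), Fragment(3, 8, False)]  # second starts at byte 24
OVERSIZED = [Fragment(i * 185, 1480, True) for i in range(44)] + [Fragment(8140, 1000, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("overlapping", OVERLAPPING), ("oversized", OVERSIZED)):
        print(name, check_fragments(frags))
```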
Brute force


Attack on encryption
Exhaustive encryption key search
Session hijacking


An attacker may watch a session open on a
network. Once authentication is complete,
they may attack the client computer to
disable it, and use IP spoofing to claim to be
the client who was just authenticated and
steal the session.
By launching an ICMP flood on the server and then
acting like the server.
DNS Poisoning

DNS poisoning - This is an attack where
DNS information is falsified. This attack can
succeed under the right conditions, but may
not be very practical as an attack form. The
attacker will send incorrect DNS information,
e.g., an incorrect IP address, which can cause
traffic to be diverted.
SNIFFING



Is the interception of data packets traversing
a network. An example of active intrusion is
when PACKET SNIFFING is used for IP
SPOOFING.
IP spoofing - An attacker may fake their IP
address so the receiver thinks it is sent from
a location that it is not actually from. This
may cause some operating systems such as
Windows to crash or lock up.
Similarly DNS poisoning is used for server
spoofing.
Attacks on Different Layers





IP Attacks
ICMP Attacks
Routing Attacks
TCP Attacks
Application Layer Attacks
Security Countermeasures



Security countermeasures are actions,
devices, procedures, techniques or other
measures that reduce the vulnerability of a
computer system to a threat.
We have come to rely increasingly on
countermeasures.
Many security analysts believe that
countermeasures would not be as necessary
as they currently are if better security
features were built into computer systems.
Implementing Security


Unique to each individual user/company
and system
Solution should contain three components
for completeness




Prevention (Access control measures)
Detection (Firewalls, IDS, Virus scanners)
Reaction (disaster mode and severity)
Recovery (Network disaster management sys)
Types of Security
Countermeasures








Firewalls (PIX firewall)
Anti-Virus Software
Encryption Tools
Anonymity Tools
IDS
VPNs
Access control
Honey pot
Firewall Technology


A firewall is a system or combination of
systems that enforces a boundary between
two or more networks.
Firewalls help to secure systems not only
from unauthorized access to information in
databases, but also help prevent unwanted
and unauthorized communication into or out
of a privately owned network. Proxy and PIX
firewalls.

A firewall is a "blockage" between an internal
privately owned network and an external network,
which is not assumed to be secure.
Define IDS




IDS has all been about analyzing network
traffic to look for evidence of attack.
IDS is also about scanning access logs and
analyzing the characteristics of files to see if
they have been compromised.
IDS have thousands of attack patterns saved
in their database. They match traffic against
these patterns to detect malicious traffic.
IDS may be hardware based or software
based, e.g. SNORT
Functions of IDS






Monitoring and analyzing both user and
system activities
Analyzing system configurations and
vulnerabilities
Assessing system and file integrity
Ability to recognize patterns typical of attacks
Analysis of abnormal activity patterns
Tracking user policy violations
Types of IDS





Network Intrusion Detection Systems (NIDS)
(Snort, ZoneAlarm)
Host Intrusion Detection Systems (HIDS)
System Integrity Verifier (SIV) Tripwire
Log File Monitor (LFM)
Honeypot: A fake deception server to trace
and mislead the cracker. There are production and
research honeypots.
VPN




A virtual private network is a private network
that uses links across private or public
networks, e.g., the Internet.
You must have PPTP tunneling protocol or
L2TP layer two tunneling protocol to support
VPN, both are automatically installed on WIN
2003 server.
Configure a VPN server on WIN 2003 server
Make a VPN client and connect via VPN.
Preventive Measures




Access Control
Checksum Verification
Process Monitoring
Virus Scanners
Access Control (ACL)


Access Control will not remove or even
detect the existence of an infected
program.
However, it will help your system to
resist infection by enabling
intelligent permissions on files in a
multi-user operating system
environment on a user-by-user basis.
Attribute manipulation (ACE)




To protect files from virus infection, early DOS
computer users set their executable file
permissions to read-only.
If the file could not be modified, a virus
would be unable to infect it.
Virus programmers responded by adding
code to the virus to reset the attributes to
their original values.
This method of protection is of little value
against today’s viruses.
Attribute manipulation

If administrator-level privileges are
required to change a file’s permissions,
the virus can’t change these attributes
when run from a regular user account.
Checksum Verification using FCS



A checksum or CRC is a mathematical
verification of the data within a file.
It cannot actually detect file infection;
it can only look for changes.
Error detection and error correction
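The checksum approach above, and the attribute-resetting trick from the Attribute manipulation slide, can be seen together in a small integrity baseline. This is an added example, not part of the original slides; it swaps in SHA-256 for the CRC the slide names, because a CRC catches accidental errors but can be matched deliberately. All function and file names are illustrative, and the files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each file's path (relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline

def compare(baseline, current):
    """Report what changed. This shows that a change happened, not why."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Change one byte of a file, restore its size and timestamps, and show
    that the digest comparison still reports the change."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "tool.exe")
        readme = os.path.join(root, "readme.txt")
        with open(target, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)   # constructed 64-byte stand-in file
        with open(readme, "wb") as fh:
            fh.write(b"constructed sample\n")
        before = build_baseline(root)

        st = os.stat(target)
        with open(target, "r+b") as fh:       # overwrite in place: same length
            fh.seek(10)
            fh.write(b"\xff")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # put timestamps back
        now = os.stat(target)
        same_metadata = (st.st_size, st.st_mtime_ns) == (now.st_size, now.st_mtime_ns)

        os.remove(readme)
        with open(os.path.join(root, "new.dll"), "wb") as fh:
            fh.write(b"constructed")
        return same_metadata, compare(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored where the monitored system cannot rewrite it, for example on read-only media or another host.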
Process Monitoring



Process monitoring observes system
activity and intercepts anything that
looks suspicious.
E.g., enabling BIOS antivirus will
intercept all write attempts to the MBR.
The problem is that viruses and normal
programs share a lot of similar
attributes, which makes viruses
difficult to detect.
Virus Scanners/Detectors





The most popular way of detecting viruses is
the use of virus-scanning software.
They use a signature file to locate viruses in infected
files.
A signature file is simply a database that lists
all the known viruses, along with their
attributes.
Anti-virus software is designed to "inoculate"
computer systems against viruses, worms,
and other malicious programs.
Virus scanners can only detect known viruses
Cont…..

Typically used in conjunction with firewall
technology to protect individual computer
systems as well as network domains in
universities, and governmental and
commercial organizations.
Types of Virus Scanners

On Demand



Must be initialized on demand manually or
through some automatic process
System will contract virus before it is
detected
Memory Resident


Are programs that run in the background
of a system
Can identify a virus before it infects the
system
Encryption Tools


Encryption is the technique used to convert
the information in a message composed in
ordinary text ("plain text"), into "ciphertext."
The use of data encryption or cryptography
techniques in communicating sensitive
information is not new.
Types of Encryption


In private-key encryption, both parties
use the same encryption algorithm and
the same private key.
Public-key cryptography uses two keys: one
public and the other private.
Terminology









plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - the study of principles/
methods of deciphering ciphertext without knowing key
cryptology - the field of both cryptography and cryptanalysis
Encryption




If A wishes to communicate with B, A uses
B's public key to encode the message.
That message can then only be decoded with
B's private key, which is secret.
Similarly when B responds to A, B uses A's
public key to encrypt the message.
Certificates and digital signatures
Anonymity Tools



Users want to secure the integrity and confidentiality of their electronic communications.
They also wish to protect their identity while
engaging in on-line activities.
Anonymity tools such as the Anonymizer, and
pseudonymity agents such as Lucent's
Personalized Web Assistant, enable users to
roam the Web either anonymously or
pseudonymously.
Anonymity Tools (Continued)

An individual is anonymous in cyberspace
when that person is able to navigate the
Internet in a way that his or her personal
identity is not revealed.
 e.g., the user cannot be identified beyond
certain technical information such as the
user's IP (Internet protocol) address, ISP,
and so forth.
Tradeoffs Involving Computer
Security




Can total security in cyberspace be achieved?
More secure computer systems might also result in products
that are more expensive.
Would consumers be willing to spend more money for more secure
computer systems?
The costs associated with computer security can be measured
both in monetary and non-monetary terms (such as
convenience and flexibility) because more secure systems
might also be less user-friendly.
It is an approach-avoidance conflict: on the one hand we
need anonymity on the Internet, and on the other we
want security against cybercrime.
Cont…..

Seeking perfect security would make a
system useless, because "anything
worth doing requires some risk."
Computer Security and Risk
Analysis







What is the acceptable level of risk in
computer systems? How can we assess it?
Risk can be understood and assessed in
terms of the net result of the impacts of five
elements:
Assets;
Threats;
Vulnerabilities;
Impact;
Safeguards.
Thank You