Session 10 – More Cyber Security
EECS 4482 2016

Today's Outline
Cyber risks
Identity management
Internet security
Email security
PC security
Mobile security
Payment card security

Cyber Risks
Virus
Identity theft
Hacking
Scam
Pornography
Ransomware

Virus
Can spread by email, either as an attachment or as a web link (URL) such as www.abc.com. Can also spread from someone else's USB memory stick.

Virus
A common virus harvests email addresses from an infected computer and uses one of them as the forged sender of messages to the other harvested addresses. So receiving such a message does not necessarily mean that the apparent sender's computer is infected.

Internet Worm
A variant of virus that does not require you to click anything. If your computer has the weakness (vulnerability) targeted by the worm, it is infected directly over the network. Once infected, your computer may become very slow and may be used as a zombie to spread the worm to other computers on the Internet.

Internet Worm
Computers captured this way can be used to disable web sites, as happened in October 2016 to CNN, Netflix, PayPal and Twitter when the Mirai botnet flooded the DNS provider Dyn. Up-to-date antivirus software will remove the worm, but it can come back until your computer receives the fix (update) from Apple or Microsoft, which is pushed to your computer automatically.

Identity theft
Phishing
Password cracking
Virus that copies your identity information or monitors your keystrokes (keylogger).

Phishing
Email purporting to be from your bank asking you to click a link to update your account information, such as a password. Banks do not ask for credentials by email; at most they remind customers that a statement is ready, and customers then sign in at the bank's own site rather than through a link in the email. Check where a link really goes (hover over it, or right-click and copy the address) and read the host name before the first single slash, not the text that is displayed.
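The advice above, checking where a link actually goes rather than what it displays, can be mechanised. The following is an added example and not part of the original slides: it pulls every anchor out of a constructed HTML email body and compares the host the browser would connect to against the bank's real domain. The email text, the domain bank.example and the attacker domains are placeholders, and registered_domain() is a simplification (a real filter would consult the public suffix list).

```python
"""Added example (not from the EECS 4482 slides): check where the links in a
suspicious email really point.  The mail body is constructed; bank.example and
the lookalike hosts are placeholders."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: one honest link and two typical phishing tricks, a
# display text that lies and a host name that merely *starts* with the
# bank's name.  The third link hides the real host behind 'user@'.
SAMPLE_EMAIL = """
<p>Dear customer, your statement is ready.</p>
<a href="https://www.bank.example/login">https://www.bank.example/login</a>
<a href="http://www.bank.example.account-verify.net/update">www.bank.example</a>
<a href="https://bank.example@evil.example/reset">Reset your password</a>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host: str) -> str:
    """Last two labels of a host name.  Good enough for .com/.net/.example;
    real code would use the public suffix list (assumption for the example)."""
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:])

def link_host(url: str) -> str:
    """Host the browser will actually connect to.  urlparse already drops the
    'user@' prefix, which is the trick used in the third sample link."""
    return (urlparse(url).hostname or '').lower()

def check_links(html: str, trusted_domain: str) -> List[Tuple[str, str, str]]:
    """Return (href, display_text, verdict) for every anchor in the body."""
    results = []
    for href, text in ANCHOR_RE.findall(html):
        host = link_host(href)
        text = re.sub(r'<[^>]+>', '', text).strip()
        if registered_domain(host) != trusted_domain:
            verdict = f'SUSPICIOUS: goes to {host}, not {trusted_domain}'
        elif urlparse(href).scheme != 'https':
            verdict = 'SUSPICIOUS: not https'
        else:
            verdict = 'ok'
        # Display text that looks like a URL but names a different host is
        # the classic phishing tell, whatever the href says.
        shown = re.match(r'(?:https?://)?([\w.-]+)', text)
        if shown and '.' in shown.group(1) and shown.group(1).lower() != host:
            verdict = f'SUSPICIOUS: shows {shown.group(1)} but links to {host}'
        results.append((href, text, verdict))
    return results

if __name__ == '__main__':
    for href, text, verdict in check_links(SAMPLE_EMAIL, 'bank.example'):
        print(f'{verdict:60} [{text!r} -> {href}]')
```

The first link passes, the second is caught both by the registered domain and by the lying display text, and the third is caught because urlparse() reports evil.example as the host despite the bank's name appearing at the front of the URL.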
Hacking
Every computer connected to the Internet faces this risk, even when you are not browsing or checking email. Hacking is largely automated, and a hacked computer may be used to hack other computers. Hackers can copy or change your information (such as email passwords), delete files or plant malicious programs.

Scam
Email enticing people to put up a small sum for a large gain, like buying materials to work at home. Or email asking for help because a friend is in distress. Just delete it, or phone your friend or his/her family.

Child pornography
Storing, sending or actively viewing it is criminal. Exercise caution when text or graphics start to bother you. A quick way to avoid incrimination is to shut down the computer immediately.

Password
Should not be shared.
Should be changed by the user.
Should be changed frequently and upon compromise (suspected unauthorized disclosure).

Password
Long, at least 8 characters.
Alphanumeric, including at least one upper-case letter.
Hashed (one-way scrambled) by the operating system, never stored in clear.

Password Cracking Methods Used by Hackers
Dictionary attacks: hash common names and all dictionary words and compare against the stolen hashes.
Brute force: hash all possible combinations of characters; the most time-consuming.
Systematic deduction: try a name followed by a month, a year, "123", etc.
The hacker community also keeps precomputed tables of hashes, called rainbow tables, to speed up cracking; they only work against unsalted hashes.

Passwords
An 8-letter password is 676 (26^2) times stronger than a 6-letter password.
A user-chosen 6-character password that is a dictionary word can be cracked in well under an hour.
A 6-character alphanumeric password is about 7 times ((36/26)^6) stronger than a 6-letter password.
A completely random 8-character, case-sensitive, alphanumeric password has 62^8, about 2.2 x 10^14, possibilities. The "6 months on a modern PC" figure assumes roughly ten million guesses per second; against a fast unsalted hash such as NTLM, a single 2016 graphics card tries billions of guesses per second and finishes in about a day, while a deliberately slow, salted hash (bcrypt, PBKDF2) stretches the same search to centuries.

PIN
Change regularly. Do not use the same PIN as your PC or phone password.
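The strength figures on the preceding slides are keyspace arithmetic, and the cracking methods listed there are a few lines of code each once the hashes are unsalted. The block below is an added example, not part of the slides: it reproduces the 676x and 7x ratios, shows how much the "6 months" claim depends on the assumed guess rate, and runs a dictionary attack with "systematic deduction" rules and a tiny brute force against a constructed list of unsalted SHA-256 hashes. The guess rates in RATES are rough assumptions, not measurements.

```python
"""Added example, not part of the EECS 4482 slides: the arithmetic behind the
password-strength figures, and a toy dictionary / brute-force attack against
unsalted hashes.  The hash list, word list and guess rates are constructed or
approximate; no real credentials are involved."""
import hashlib
import itertools
import string
from typing import Dict, List, Optional, Set

LOWER = string.ascii_lowercase                      # 26 symbols
ALNUM = string.ascii_lowercase + string.digits      # 36 symbols
MIXED_ALNUM = string.ascii_letters + string.digits  # 62 symbols

def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `alphabet`."""
    return len(alphabet) ** length

def crack_seconds(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a given guess rate."""
    return keyspace(alphabet, length) / guesses_per_second

def fast_hash(password: str) -> str:
    """Unsalted SHA-256, standing in for any fast unsalted hash (NTLM, raw MD5)."""
    return hashlib.sha256(password.encode()).hexdigest()

def dictionary_attack(target_hashes: Set[str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack plus 'systematic deduction' rules: each word, its
    capitalised form, and either with a common suffix appended.
    Returns {hash: password} for every target hash recovered."""
    found = {}
    for word in wordlist:
        bases = [word, word.capitalize()]
        candidates = bases + [b + s for b in bases for s in ('1', '123', '2016')]
        for cand in candidates:
            digest = fast_hash(cand)
            if digest in target_hashes:
                found[digest] = cand
    return found

def brute_force(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Exhaustive search of lengths 1..max_len; only feasible for tiny keyspaces
    (62^3 is about 240,000 hashes, 62^8 is 2.2e14)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = ''.join(tup)
            if fast_hash(cand) == target_hash:
                return cand
    return None

# Constructed data: a "leaked" list of unsalted hashes and a small word list.
WORDLIST = ['summer', 'toronto', 'password', 'hockey']
LEAKED = {fast_hash(p) for p in ('summer', 'Toronto2016', 'q7K', 'Xk9#mZq2')}

# Approximate guess rates (assumptions, not measurements): a slow CPU attack,
# a single 2016 GPU against NTLM, and bcrypt at cost 10 on the same GPU.
RATES = {'slow CPU': 1e7, 'GPU vs NTLM': 3e9, 'GPU vs bcrypt': 1.5e4}

if __name__ == '__main__':
    print('8 vs 6 lower-case letters:', keyspace(LOWER, 8) // keyspace(LOWER, 6), 'x')  # 676
    print('6 alnum vs 6 letters: %.1fx' % (keyspace(ALNUM, 6) / keyspace(LOWER, 6)))  # 7.0
    print('random 8 mixed alnum: %.2e candidates' % keyspace(MIXED_ALNUM, 8))
    for label, rate in RATES.items():
        days = crack_seconds(MIXED_ALNUM, 8, rate) / 86400
        print('  %-14s %10.1f days' % (label, days))
    print('dictionary + rules recovered:', sorted(dictionary_attack(LEAKED, WORDLIST).values()))
    print('brute force, 3 chars:', brute_force(fast_hash('q7K'), MIXED_ALNUM, 3))
```

The dictionary run recovers "summer" and "Toronto2016" immediately, the 3-character brute force recovers "q7K" in a fraction of a second, and the random "Xk9#mZq2" survives both; the RATES loop shows the 62^8 search going from about 250 days at 10^7 guesses/s to under a day at GPU speed and to centuries against bcrypt.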
PIN
Use different PINs for debit and credit cards.

OS Configuration
Controlled by a system administrator. A system administrator has full control of a computer and must therefore be closely monitored by management (think of Snowden). Organizations should have a standard blueprint (build image) for each OS to ensure consistency.

System Administrator Control
Careful screening before hiring, e.g., criminal record check, psychological test.
Rotation of duties among servers.
Segregation of duties, e.g., an SA must not also be a DBA.
Use vendor-supplied tools to generate reports on SA activities for frequent management review.

User Control
General users should not be given root access to the operating system.
General users should not be given administrative privilege on their computers, so that they cannot change OS settings or install programs. This helps prevent virus spreading, copyright infringement and hacking.

Patching
A patch is a fix from a vendor that closes a security hole used by hackers. A security hole is also called a vulnerability: a flaw in a program or service. The flaw becomes reachable through the network port the service listens on, and hackers frequently chain several such flaws to achieve a successful break-in.

Patching
Organizations should procure patching tools that check for updates from OS vendors, test the updates and then automatically distribute them to servers, workstations and laptops. Patching should also apply to organization-owned smartphones. Devices should be checked by the organization's network for up-to-date patches before being allowed to connect.

Access Control
Access control lists (ACLs) can be set up in an OS to restrict access by applications and by those users who have direct access to the OS. An ACL entry defines the subject (user or application), the object (data, OS service, etc.) and the type of access (read, write, delete).
Access Control
Most business users do not need direct access to the OS.

Browser Security
Even ordinary users without local administration privilege can change browser security and privacy settings. This means more monitoring and education are required. The web usage policy should state which options must not be turned on.

Modern OS Security Features
Anti-virus software, a firewall and full hard drive encryption now come standard with commercial PC operating systems.

Windows Action Center
Allows the user to schedule Windows updates so that they are downloaded and installed automatically. Organizations should disable user control of this function and instead let the domain controller (server) manage updates centrally.

Windows Security Features
Locking down users to prevent them from installing programs.
Defining user access rights: guest, folder owner, administrator (full access) and specific user (requiring a logon account).
Defining access control lists for folders and files.

Windows Security Features
Data Execution Prevention (DEP) marks memory pages intended for data as non-executable, so that code injected through a buffer overflow cannot run; it does not stop the overflow itself. DEP has been available since Windows XP SP2 and is on by default for Windows system programs in later versions, with other applications able to opt in. Protected Media Path protects digital-rights-managed content by denying unauthorized applications access to it while it is played, which hinders copying of protected media.

Active Directory
This hierarchical authentication and authorization structure has replaced the primary and backup domain controllers of Windows NT for authentication and authorization.
Active Directory
It has the following features:
Central location for network administration and security
Information security and single sign-on for user access to networked resources
The ability to scale up or down easily
Standardized access to application data
Synchronization of directory updates across servers

Password Salting
Most operating systems add a random bit string (the salt) to the raw password before hashing, so that identical passwords hash differently and precomputed tables are useless. Classic Unix crypt(3) used a 12-bit random salt generated each time a password was created or changed; modern Unix schemes (SHA-512 crypt, bcrypt) use much longer salts and thousands of iterations. Windows, by contrast, stores its NT password hashes unsalted; only the cached domain credentials kept for logon when no domain controller is reachable are salted (with the user name) and iterated.

File Permissions on Critical Files
Unix controls access to files, programs and all other resources via file permissions.
Unix permissions are set for three categories: Owner, Group and World (everyone else).
Each category can be granted READ, WRITE and/or EXECUTE on a file or resource.
Example: -rwxr-x--x (owner read/write/execute, group read/execute, world execute only).

Syslog
The syslog utility lets system administrators log various events occurring on a Unix system. If syslog is configured correctly, Unix can log many security events without a third-party plug-in.

Mainframe Operating System
z/OS has weaker security out of the box than Windows and Unix because its predecessors, Multiple Virtual Storage (MVS) and Virtual Machine (VM), were developed well before the Internet and were not designed to mitigate the risk of hacking. RACF should be installed to provide commercial-grade security for z Series servers.

Resource Access Control Facility (RACF)
RACF provides user authentication, resource access control, security logging and audit reporting. It is much more granular than base operating system security. For example, it makes available 254 security levels (labels) that can be assigned to each resource object. A label indicates which users or objects can access a resource and how. A resource object may be a data table (file), a program, a workstation, an ATM or another network device. The type of access may be read, write or delete.

RACF
Each user has a profile that controls the access allowed to that user and binds the user to security policies such as password change frequency and password length. A user may also be restricted by day of week and time of day. An administrator has full access. An "auditor" in RACF has full read access, including generating reports on access, profiles and the history log.

Penetration Testing
Self-hacking; should be done periodically by large organizations.

Penetration Testing
Map the network, i.e., study the network to identify entry points including IP addresses. One might argue that this does not simulate hacking because a hacker would not have this information. If the penetration tester wants to be more objective and simulate an actual attack more closely, s/he may decide not to rely on internal documentation of the network and instead use external scanning, Internet research and social engineering.

Penetration Testing
Probe the network with automated tools: ping sweeps to find live hosts, then a port scanner to find which ports are open on each server. Use security scanning software to scan servers for loopholes, e.g., an unpatched operating system. Try to hack into a system to view confidential information. Automated tools are available on the Internet and within the hacker community.
Obtain system administrator IDs and passwords of servers. Obtain firewall, IDS and IPS rules. Inject a small amount of bogus traffic to test the firewall and intrusion prevention system. Demonstrate the attempts made and the ability to cause a denial-of-service attack, defacement or changes to data. Report deficiencies to management and make recommendations for improvements.
Conclusion
PC and PC-based server security continues to be improved by vendors. Recently added features include full hard disk encryption, an application firewall and integrated anti-malware including anti-virus. In security, the weakest link is people, including people's commitment to defining strong policies and complying with them. Organizations should have tight operating system images for desktops and servers across the enterprise to comply with their policies. User access rights should be limited to job functions, and users should not be given administrator privilege on their desktops and laptops. System administrators should be controlled with thorough reference and criminal record checks before hiring and periodically thereafter, rotation of duties among servers, limiting the servers they support, limiting their other duties, and regular management review of system logs using software products that turn system logs into meaningful management reports.