C01 Introduction in Computer Security

This document discusses network and system security. It begins by defining basic computer security terms and objectives. It then discusses the security problem, describing different types of threats like viruses, worms, intruders, insiders, criminal organizations, and terrorists. It outlines the steps in a typical attack and ways to minimize avenues of attack through system hardening and patching. The document also covers security trends, types of attacks that compromise confidentiality, integrity and availability, and basic security principles.

Uploaded by

Danyel Olaru
1

Network and Systems Security

Introduction in computer security
2
Objectives
List and discuss recent trends in computer security.
Describe simple steps to take to minimize the possibility of an attack on a system.
Describe various types of threats that exist for computers and networks.
Discuss recent computer crimes that have been committed.
Define basic terms associated with computer and information security.
Identify the basic approaches to computer and information security.
Distinguish among various methods to implement access controls.
Describe methods used to verify the identity and authenticity of an individual.
Recognize some of the basic models used to implement security in operating systems.
3
The security problem
Fifty years ago, computers and data were
uncommon.
Computer hardware was a high-value item and
security was mainly a physical issue.
Now, personal computers are ubiquitous and
portable, making them much more difficult to
secure physically.
Computers are often connected to the Internet.
The value of the data on computers often exceeds
the value of the equipment.
4
The Security Problem
Electronic crime can take a number of different
forms, but the ones we will examine here fall
into two basic categories:
1. Crimes in which the computer was the
target
2. Incidents in which a computer was used
to perpetrate the act
Virus activity also existed prior to 1988, having
started in the early 1980s.
5
Sample of Security Incidents
The Morris Worm (November 1988)
Citibank and Vladimir Levin (June to October 1994)
Kevin Mitnick (February 1995)
Omega Engineering and Timothy Lloyd (July 1996)
Worcester Airport and Jester (March 1997)
Solar Sunrise (February 1998)
The Melissa Virus (March 1999)
The Love Letter Virus (May 2000)
The Code Red Worm (2001)
Adil Yahya Zakaria Shakour (August 2001 to May 2002)
The Slammer Worm (2003)
U.S. Electric Power Grid (1997 to 2009)
Conficker (2008 to 2009)
Fiber Cable Cut (2009)
6
Threats to Security
Internal vs. external
Elite hackers vs. script kiddies
Unstructured threats to highly structured
threats
7
Viruses and Worms
It is important to draw a distinction between the writers of
malware and those who release it.
Viruses have no useful purpose.
Viruses and worms are the most common problem that an
organization faces.
Antivirus software and system patching can eliminate the
largest portion of this threat.
Viruses and worms generally are non-discriminating threats.
Viruses are easily detected and generally not the tool of
choice for highly structured attacks.
8
Malware
Viruses and worms are just two types of
malware threats.
The term malware comes from malicious
software.
Malware is software that has a nefarious
purpose, designed to cause problems to an
individual (for example, identity theft) or
your system.
9
Intruders
Hacking is the act of deliberately accessing computer
systems and networks without authorization.
Hackers are individuals who conduct this activity.
Hacking is not what Hollywood would have you believe.
Unstructured threats are conducted over short periods
of time (lasting at most a few months), do not involve a
large number of individuals, have little financial backing,
and are accomplished by insiders or outsiders who do
not seek collusion with insiders.
10
Types of Intruders
Script kiddies are individuals who do not have the technical
expertise to develop scripts or discover new vulnerabilities.
They have enough understanding of computer systems to
download and run scripts that others have developed.
Script writers are those people who are capable of writing
scripts to exploit known vulnerabilities. These individuals are
much more technically competent than script kiddies and
account for an estimated 8 to 12 percent of malicious Internet
activity.
Elite hackers are highly technical individuals who not only have the
ability to write scripts that exploit vulnerabilities but are also
capable of discovering new vulnerabilities. This group is the smallest
of the lot, however, and is responsible for, at most, only 1 to 2
percent of intrusive activity.
11
12
Insiders
Insiders are more dangerous in many respects
than outside intruders because they have the
access and knowledge necessary to cause
immediate damage to an organization.
Attacks by insiders are often the result of
employees who have become disgruntled with
their organization and are looking for ways to
disrupt operations.
It is also possible that an attack by an insider
may be an accident and not intended as an attack
at all.
13
Criminal Organizations
As financial transactions over the Internet
increased, criminal organizations followed the
money.
Fraud, extortion, theft, embezzlement, and forgery
all take place in an electronic environment.
A structured threat is characterized by a greater
amount of planning, longer time to conduct the
attack, and more financial backing than in an
unstructured attack.
14
Terrorist and Information Warfare
Computer systems are important assets that
nations depend upon. As such, they are now
targets of unfriendly foreign powers.
Information warfare is the warfare conducted
against the information and information processing
equipment used by an adversary.
Information warfare is a highly structured threat.
15
Critical Infrastructures
During warfare, nations may choose targets
other than the opposing army.
Critical infrastructures are those whose
loss or impairment would have severe
repercussions on society. These include
water, electricity, oil and gas refineries,
banking, and telecommunications.
Terrorists may also target these critical
infrastructures.
16
Security Trends
The trend has been away from large mainframes to smaller
personal computers.
As the level of sophistication of attacks has increased, the level of
knowledge necessary to exploit vulnerabilities has decreased.
The percent of organizations experiencing security incidents has
declined (from 46 percent in 2007 to 43 percent in 2008).
Four types of attacks are on the rise:
Unauthorized access
Theft/loss of proprietary information
Misuse of web applications
DNS attacks
The average loss due to theft of proprietary information was $5.69
million in 2007.
The average loss due to financial fraud was $21.12 million in 2007.
17
Avenues of Attack
There are two general reasons a particular system is attacked:
It is specifically targeted.
It is a target of opportunity.
Equipment may be targeted because of the organization it
belongs to or for political reasons.
These attacks are decided before the software or equipment of
the target is known.
A hacktivist is a hacker who uses their skills for political purposes.
Targets of opportunity attacks are conducted against a site
that has software vulnerable to a specific exploit.
In these instances, the attackers are not targeting the
organization, instead they are targeting a vulnerable device that
happens to belong to the organization.
Specifically targeted attacks generally are more difficult and take
more time than attacks on targets of opportunity.
18
The Steps in an Attack
Step 1: Profiling. Gather information on the target organization.
  Tools: check the SEC EDGAR web site (www.sec.gov/edgar.shtml), whois lookup, Google.
Step 2: Determine systems available.
  Tools: ping sweep with nmap or SuperScan.
Step 3: Fingerprinting. Determine the OS and open ports.
  Tools: nmap or SuperScan, banner grab.
Step 4: Discover applicable exploits. Search web sites for vulnerabilities and exploits that exist for the OSes and services discovered.
Step 5: Execute exploit. Systematically execute exploits.
19
Minimizing Possible Avenues of Attack
System hardening: reduces the services that are running on the system.
Patching: ensures that your operating system and applications are up to date.
Limiting information: makes it more difficult for an attacker to develop the attack by limiting the information available about your organization.
20
Types of Attacks
If successful, an attack may produce one or more
of the following:
Loss of confidentiality: information is disclosed to individuals not
authorized to see it.
Loss of integrity: information is modified by individuals not
authorized to change it.
Loss of availability: information, or the system processing it, is not
available for use by authorized users when they need the information.
21
Basic Terms
Hacking
Previously used as a term for a person who had a
deep understanding of computers and networks.
He or she would see how things worked in their
separate parts (or hack them).
Media has now redefined the term as a person
who attempts to gain unauthorized access to
computer systems or networks.
Phreaking
Hacking of the systems and computers used by
phone companies
22
The CIA of Security
CIA
Confidentiality
Integrity
Availability
Additional Concepts
Authentication
Nonrepudiation
Auditability
23
The Operational Method of Computer Security
Previous model: Protection = Prevention
Operational model: Protection = Prevention + (Detection + Response)
The operational model includes operational aspects.
24
Sample Technologies in the Operational Model of Computer Security
25
Security Principles
Security approaches
Least privilege
Separation of duties
Implicit deny
Job rotation
Layered security
Defense in depth
Security through obscurity
Keep it simple
26
Security Approaches
Ignore Security Issues
Security is simply what exists on the system out
of the box.
Host Security
Each computer is locked down individually.
Maintaining an equal and high level of security
amongst all computers is difficult and usually
ends in failure.
Network Security
Controlling access to internal computers from
external entities
27
Least Privilege
Least privilege means a subject (user, application,
or process) should have only the necessary rights
and privileges to perform its task with no additional
permissions.
By limiting an object's privilege, we limit the
amount of harm that can be caused.
For example, a person should not be logged in as an administrator;
they should be logged in with a regular user account and change their
context to do administrative duties.
28
Separation of Duties
For any given task, more than one individual
needs to be involved.
Applicable to physical environments as well as
network and host security.
No single individual can abuse the system.
Potential drawback is the cost:
Time: tasks take longer.
Money: must pay two people instead of one.
29
Implicit Deny
If a particular situation is not covered by
any of the rules, then access can not be
granted.
Any individual without proper authorization
cannot be granted access.
The alternative to implicit deny is to allow
access unless a specific rule forbids it.
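The following is an added example, not part of the original slides: a small access decision function that applies the implicit deny principle from this slide together with least privilege (each subject holds only the explicit grants its task needs). The rule set, subject names and resource names are constructed for illustration.

```python
# Added example (not from the slides): first-match rule evaluation with
# implicit deny.  A request is granted only when an explicit "allow" rule
# matches it; a matching "deny" rule, or no matching rule at all, refuses it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str   # user or group name; "*" matches any subject
    obj: str       # resource name; "*" matches any object
    action: str    # "read", "write", ...; "*" matches any action
    effect: str    # "allow" or "deny"


def _matches(rule: Rule, subject: str, obj: str, action: str) -> bool:
    pairs = ((rule.subject, subject), (rule.obj, obj), (rule.action, action))
    return all(pattern in ("*", value) for pattern, value in pairs)


def decide(rules: list[Rule], subject: str, obj: str, action: str,
           implicit_deny: bool = True) -> tuple[bool, str]:
    """First matching rule wins.  implicit_deny=True is the slide's principle:
    an unmatched request is refused.  implicit_deny=False models the
    alternative the slide names: allow unless a specific rule forbids."""
    for rule in rules:
        if _matches(rule, subject, obj, action):
            return rule.effect == "allow", f"matched {rule}"
    if implicit_deny:
        return False, "no rule matched: implicit deny"
    return True, "no rule matched: default allow"


# Constructed rule set: each subject gets only the rights its job needs
# (least privilege); writes by anyone else are refused explicitly.
RULES = [
    Rule("alice", "payroll.db", "read", "allow"),
    Rule("payroll-team", "payroll.db", "write", "allow"),
    Rule("*", "payroll.db", "write", "deny"),
]


def demo() -> dict[str, bool]:
    """Decisions for a few constructed requests, keyed by description."""
    return {
        "alice reads payroll": decide(RULES, "alice", "payroll.db", "read")[0],
        "alice writes payroll": decide(RULES, "alice", "payroll.db", "write")[0],
        "alice reads hr.db (no rule)": decide(RULES, "alice", "hr.db", "read")[0],
        "same request, default allow":
            decide(RULES, "alice", "hr.db", "read", implicit_deny=False)[0],
    }


if __name__ == "__main__":
    for request, granted in demo().items():
        print(f"{request:<32} {'allow' if granted else 'deny'}")
```

The last two entries of the demo show the practical difference: under implicit deny a resource nobody wrote a rule for is unreachable, under default allow it is open to everyone.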
30
Job Rotation
The rotation of individuals through different tasks
and duties in the organization's IT department.
The individuals gain a better perspective of all the
elements of how the various parts of the IT
department can help or hinder the organization.
Prevents a single point of failure, where only one
employee knows mission critical job tasks.
31
Layered Security
Layered security implements different access controls and utilizes
various tools and devices within a security system on multiple levels.
Compromising the system would take longer and cost more than it is
worth.
The potential downside is the amount of work it takes to create and
then maintain the system.
32
Diversity of Defense
This concept complements the layered
security approach.
Diversity of defense involves making
different layers of security dissimilar.
Even if attackers know how to get through the system protecting one
layer, they may not know how to get through the next layer, which
employs a different system of security.
33
Security Through Obscurity
Security through obscurity holds that security is effective if the
environment and protection mechanisms are confusing or supposedly not
generally known.
The concept's only objective is to hide an object (not to implement a
security control to protect the object).
It is not effective.
34
Keep It Simple
The simple security rule is the practice of keeping security processes
and tools simple and elegant.
Security processes and tools should be simple to use, simple to
administer, and easy to troubleshoot.
A system should only run the services that it needs to provide and no
more.
35
Security Topics
Access control
Authentication
Social engineering
36
Access Control
Access control is a term used to define a variety of protection
schemes.
It is sometimes used to refer to all security features used to prevent
unauthorized access to a computer system or network.
It is often confused with authentication.
37
Authentication
Authentication deals with verifying the identity of a
subject while access control deals with the ability
of a subject (individual or process running on a
computer system) to interact with an object (file or
hardware device).
Three types of authentication:
Something you know (password)
Something you have (token or card)
Something you are (biometric)
38
Access Control vs. Authentication
Authentication: this proves that you (the subject) are who you say
you are.
Access control: this deals with the ability of a subject to interact
with an object.
Once an individual has been authenticated, access controls then
regulate what the individual can actually do on the system.
Digital certificates: an attachment to a message, used for
authentication. It can also be used for encryption.
39
Authentication and Access Control
Policies
Group policy
By organizing users into groups, a policy can be
made that will apply to all users in that group.
Password policy
Passwords are the most common
authentication mechanism.
A password policy should specify: character set, length, complexity,
frequency of change, and how the password is assigned.
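As an added example (not from the slides), the check below enforces the elements the slide says a password policy should specify: character set, length, complexity and frequency of change. The thresholds in POLICY are constructed illustrations, not a recommended standard.

```python
# Added example (not from the slides): checking a password and its age
# against a policy.  The numbers in POLICY are constructed for illustration.
import string
from datetime import date, timedelta

POLICY = {
    "min_length": 12,
    "allowed_chars": set(string.ascii_letters + string.digits + string.punctuation),
    "min_classes": 3,      # out of: lower, upper, digit, punctuation
    "max_age_days": 90,    # frequency of change
}


def character_classes(password: str) -> int:
    """Number of distinct character classes present (0 to 4)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)


def check_password(password: str, policy: dict = POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    outside = sorted({c for c in password if c not in policy["allowed_chars"]})
    if outside:
        problems.append(f"characters outside the allowed set: {outside}")
    if character_classes(password) < policy["min_classes"]:
        problems.append(f"fewer than {policy['min_classes']} character classes")
    return problems


def change_required(last_changed: date, today: date, policy: dict = POLICY) -> bool:
    """True once the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Tr0ub4dor&3xtra!", "abcdefghijkl", "Ab1!"):
        print(candidate, check_password(candidate) or "compliant")
    print("change required:", change_required(date(2024, 1, 1), date(2024, 4, 1)))
```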
40
Social Engineering
Social engineering is the process of convincing an individual
to provide confidential information or access to an
unauthorized individual.
Social engineering is one of the most successful methods
that attackers have used to gain access to computer
systems and networks.
The technique relies on an aspect of security that can be easily
overlooked: people.
Most people have an inherent desire to be helpful or to avoid
confrontation. Social engineers exploit this fact.
Social engineers will gather seemingly useless bits of information
that, when put together, divulge other sensitive information. This is
data aggregation.
41
Security Policies & Procedures
Policy: high-level statements created by management that lay out the
organization's positions on particular issues.
Security policy: high-level statement that outlines both what security
means to the organization and the organization's goals for security.
Procedure: general step-by-step instructions that dictate exactly how
employees are expected to act in a given situation or to accomplish a
specific task.
42
Acceptable Use Policy
The acceptable use policy outlines the behaviors that are considered
appropriate when using a company's resources.
Internet use policy
This covers the broad subject of Internet usage.
E-mail usage policy
This details whether non-work e-mail traffic is
allowed at all or severely restricted.
43
Different Security Policies
Change management policy
This ensures proper procedures are followed
when modifications to the IT infrastructure are
made.
Classification of information policy
This establishes different categories of information
and the requirements for handling each category.
Due care and due diligence
Due care is the standard of care a reasonable person is expected to
exercise in all situations.
Due diligence is the standard of care a business is expected to
exercise in preparation for a business transaction.
44
Different Security Policies
Due process policy
Due process guarantees fundamental fairness, justice and liberty in
relation to an individual's rights.
Need-to-know policy
This policy reflects both the principle of need to
know and the principle of least privilege.
Disposal and destruction policy
This policy outlines the methods for destroying
discarded sensitive information.
45
Service Level Agreements
Service level agreements are contractual agreements between entities
that describe specified levels of service and guarantee that level of
service.
A web service provider might guarantee
99.99% uptime.
Penalties for not providing the service are
included.
46
Human Resources Policies
Employee hiring and promotions
Hiring: background checks, reference checks, drug testing.
Promotions: periodic reviews, drug checks, change of privileges.
Retirement, separation, and termination of an employee
Determine the risk to information, consider limiting
access and/or revoking access
Mandatory vacation
An employee who never takes time off may be involved in nefarious
activities and may not want anyone to find out.
47
Security Models
Confidentiality models
Bell-LaPadula security model
Integrity models
Biba model
Clark-Wilson model
48
Bell-LaPadula Security Model
Two principles:
Simple security rule (no read up)
The *-property (pronounced "star property") principle (no write down)
Objective: protect confidentiality
49
Biba Model
Two principles based on integrity levels:
Low-water policy (no write up)
Ring policy (no read down)
Objective: protect integrity
50
Clark-Wilson Model
Uses transactions as a basis for rules.
Two levels of integrity:
Constrained data items (CDI): subject to integrity controls
Unconstrained data items (UDI): not subject to integrity controls
Two types of processes:
Integrity verification processes (IVPs)
Transformation processes (TPs)
51
Model Summary
Model          Objective        Policies
Bell-LaPadula  Confidentiality  No read up; no write down
Biba           Integrity        No read down; no write up
Clark-Wilson   Integrity        Two levels of integrity (UDI and CDI); IVPs monitor TPs (transformation processes)
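The following is an added example, not part of the original slides: the Bell-LaPadula and Biba policies from the model summary written as access checks over one constructed, totally ordered set of labels. The level names are assumed for illustration; the slides name no specific labels.

```python
# Added example (not from the slides): Bell-LaPadula and Biba access checks.
# Labels are constructed; in Biba a higher level means higher integrity.
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): the simple security rule forbids
    reading an object above the subject's clearance (no read up); the
    *-property forbids writing to an object below it (no write down)."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): a subject may not read objects of lower integrity
    (no read down) nor write to objects of higher integrity (no write up)."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """Both models applied to the SAME label set only ever permit access at
    equal levels, which is why real systems keep sensitivity labels and
    integrity labels separate."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def access_matrix(rule, ops=("read", "write")) -> dict:
    """Decision for every (subject level, object level, operation)."""
    return {(s.name, o.name, op): rule(s, o, op)
            for s in Level for o in Level for op in ops}


if __name__ == "__main__":
    for name, rule in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(name)
        for (s, o, op), ok in access_matrix(rule).items():
            print(f"  {s:<12} {op:<5} {o:<12} {'allow' if ok else 'deny'}")
```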
52
Summary
List and discuss recent trends in computer security
Describe simple steps to take to minimize the possibility of an
attack on a system
Describe various types of threats that exist for computers and
networks
Discuss recent computer crimes that have been committed
Define basic terms associated with computer and information
security.
Identify the basic approaches to computer and information
security.
Distinguish among various methods to implement access controls.
Describe methods used to verify the identity and authenticity of an
individual.
Recognize some of the basic models used to implement security
in operating systems.
53