C01 Introduction in Computer Security PDF

This document provides an introduction to computer and network security. It discusses recent trends in security threats, including viruses, worms, malware, hackers, and cybercrimes. The document outlines the security problem as personal computers have become more ubiquitous and connected. It describes different types of threats such as insiders, criminal organizations, terrorists, and attacks on critical infrastructure. The document also summarizes basic security principles, approaches, terms, and models as well as methods to minimize security risks and types of attacks.

Uploaded by Ovidiu Craiu

Network and Systems Security

Introduction to computer security

Objectives

- List and discuss recent trends in computer security.
- Describe simple steps to take to minimize the possibility of an attack on a system.
- Describe various types of threats that exist for computers and networks.
- Discuss recent computer crimes that have been committed.
- Define basic terms associated with computer and information security.
- Identify the basic approaches to computer and information security.
- Distinguish among various methods to implement access controls.
- Describe methods used to verify the identity and authenticity of an individual.
- Recognize some of the basic models used to implement security in operating systems.

The security problem

- Fifty years ago, computers and data were uncommon.
- Computer hardware was a high-value item and security was mainly a physical issue.
- Now, personal computers are ubiquitous and portable, making them much more difficult to secure physically.
- Computers are often connected to the Internet.
- The value of the data on computers often exceeds the value of the equipment.

The Security Problem

- Electronic crime can take a number of different forms, but the ones we will examine here fall into two basic categories:
  1. Crimes in which the computer was the target
  2. Incidents in which a computer was used to perpetrate the act
- Virus activity also existed prior to 1988, having started in the early 1980s.

Sample of Security Incidents

- The Morris Worm (November 1988)
- Citibank and Vladimir Levin (June–October 1994)
- Kevin Mitnick (February 1995)
- Omega Engineering and Timothy Lloyd (July 1996)
- Worcester Airport and Jester (March 1997)
- Solar Sunrise (February 1998)
- The Melissa Virus (March 1999)
- The Love Letter Virus (May 2000)
- The Code Red Worm (2001)
- Adil Yahya Zakaria Shakour (August 2001–May 2002)
- The Slammer Worm (2003)
- U.S. Electric Power Grid (1997–2009)
- Conficker (2008–2009)
- Fiber Cable Cut (2009)

Threats to Security

- Internal vs. external
- Elite hackers vs. script kiddies
- Unstructured threats to highly structured threats

Viruses and Worms

- It is important to draw a distinction between the writers of malware and those who release it.
- Viruses have no useful purpose.
- Viruses and worms are the most common problem that an organization faces.
- Antivirus software and system patching can eliminate the largest portion of this threat.
- Viruses and worms generally are non-discriminating threats.
- Viruses are easily detected and generally not the tool of choice for highly structured attacks.

Malware

- Viruses and worms are just two types of malware threats.
- The term malware comes from "malicious software".
- Malware is software that has a nefarious purpose, designed to cause problems for an individual (for example, identity theft) or for your system.

Intruders

- Hacking is the act of deliberately accessing computer systems and networks without authorization.
- Hackers are individuals who conduct this activity.
- Hacking is not what Hollywood would have you believe.
- Unstructured threats are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.

Types of Intruders

- Script kiddies are individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities. They have enough understanding of computer systems to download and run scripts that others have developed.
- Script writers are those people who are capable of writing scripts to exploit known vulnerabilities. These individuals are much more technically competent than script kiddies and account for an estimated 8 to 12 percent of malicious Internet activity.
- Elite hackers are those highly technical individuals who not only have the ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities. This group is the smallest of the lot, however, and is responsible for, at most, only 1 to 2 percent of intrusive activity.

Insiders

- Insiders are more dangerous in many respects than outside intruders because they have the access and knowledge necessary to cause immediate damage to an organization.
- Attacks by insiders are often the result of employees who have become disgruntled with their organization and are looking for ways to disrupt operations.
- It is also possible that an attack by an insider may be an accident and not intended as an attack at all.

Criminal Organizations

- As financial transactions over the Internet increased, criminal organizations followed the money.
- Fraud, extortion, theft, embezzlement, and forgery all take place in an electronic environment.
- A structured threat is characterized by a greater amount of planning, longer time to conduct the attack, and more financial backing than in an unstructured attack.

Terrorist and Information Warfare

- Computer systems are important assets that nations depend upon. As such, they are now targets of unfriendly foreign powers.
- Information warfare is warfare conducted against the information and information processing equipment used by an adversary.
- Information warfare is a highly structured threat.

Critical Infrastructures

- During warfare, nations may choose targets other than the opposing army.
- Critical infrastructures are those whose loss or impairment would have severe repercussions on society. These include water, electricity, oil and gas refineries, banking, and telecommunications.
- Terrorists may also target these critical infrastructures.

Security Trends

- The trend has been away from large mainframes to smaller personal computers.
- As the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased.
- The percent of organizations experiencing security incidents has declined (from 46 percent in 2007 to 43 percent in 2008).
- Four types of attacks are on the rise:
  - Unauthorized access
  - Theft/loss of proprietary information
  - Misuse of web applications
  - DNS attacks
- The average loss due to theft of proprietary information was $5.69 million in 2007.
- The average loss due to financial fraud was $21.12 million in 2007.

Avenues of Attack

- There are two general reasons a particular system is attacked:
  - It is specifically targeted.
  - It is a target of opportunity.
- Equipment may be targeted because of the organization it belongs to or for political reasons. These attacks are decided before the software or equipment of the target is known.
- A hacktivist is a hacker who uses their skills for political purposes.
- Target-of-opportunity attacks are conducted against a site that has software vulnerable to a specific exploit. In these instances, the attackers are not targeting the organization; instead they are targeting a vulnerable device that happens to belong to the organization.
- Specifically targeted attacks generally are more difficult and take more time than targets of opportunity.

The Steps in an Attack

Step | Action | Technique
1 (profiling) | Gather information on the target organization | Check the SEC EDGAR web site (www.sec.gov/edgar.shtml), whois lookup, Google
2 | Determine systems available | Ping sweep with nmap or superscan
3 (fingerprinting) | Determine the OS and open ports | nmap or superscan, banner grab
4 | Discover applicable exploits | Search web sites for vulnerabilities and exploits that exist for the OSes and services discovered
5 | Execute exploit | Systematically execute exploits

Minimizing Possible Avenues of Attack

- System hardening: involves reducing the services that are running on the system.
- Patching: ensures that your operating system and applications are up-to-date.
- Limiting information: makes it more difficult for an attacker to develop the attack by limiting the information available about your organization.

Types of Attacks

If successful, an attack may produce one or more of the following:

- Loss of confidentiality: information is disclosed to individuals not authorized to see it.
- Loss of integrity: information is modified by individuals not authorized to change it.
- Loss of availability: information or the system processing it are not available for use by authorized users when they need the information.

Basic Terms

Hacking
- Previously used as a term for a person who had a deep understanding of computers and networks. He or she would see how things worked in their separate parts (or hack them).
- Media has now redefined the term as a person who attempts to gain unauthorized access to computer systems or networks.

Phreaking
- Hacking of the systems and computers used by phone companies.

The CIA of Security

CIA
- Confidentiality
- Integrity
- Availability

Additional concepts
- Authentication
- Nonrepudiation
- Auditability

The Operational Method of Computer Security

- Protection = Prevention (previous model)
- Protection = Prevention + (Detection + Response) (includes operational aspects)

Sample Technologies in the Operational Model of Computer Security

Security Principles

- Security approaches
- Least privilege
- Separation of duties
- Implicit deny
- Job rotation
- Layered security
- Defense in depth
- Security through obscurity
- Keep it simple

Security Approaches

- Ignore security issues: security is simply what exists on the system out of the box.
- Host security: each computer is locked down individually. Maintaining an equal and high level of security amongst all computers is difficult and usually ends in failure.
- Network security: controlling access to internal computers from external entities.

Least Privilege

- Least privilege means a subject (user, application, or process) should have only the necessary rights and privileges to perform its task, with no additional permissions.
- By limiting a subject's privilege, we limit the amount of harm that can be caused.
- For example, a person should not be logged in as an administrator; they should be logged in with a regular user account and change their context to do administrative duties.

Separation of Duties

- For any given task, more than one individual needs to be involved.
- Applicable to physical environments as well as network and host security.
- No single individual can abuse the system.
- Potential drawback is the cost:
  - Time: tasks take longer.
  - Money: must pay two people instead of one.

Implicit Deny

- If a particular situation is not covered by any of the rules, then access cannot be granted.
- Any individual without proper authorization cannot be granted access.
- The alternative to implicit deny is to allow access unless a specific rule forbids it.
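The difference between the two defaults shows up only on requests that no rule covers. The following is an added example (not from the slides): a small first-match rule evaluator whose rule format and sample rule set are constructed here, run once with implicit deny and once with the "allow unless forbidden" alternative.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    """One access rule. Patterns are shell-style globs; "*" matches anything."""
    subject: str   # user or group name
    action: str    # e.g. "read", "write"
    resource: str  # path-like resource name
    effect: str    # "allow" or "deny"

    def matches(self, subject: str, action: str, resource: str) -> bool:
        return (fnmatchcase(subject, self.subject)
                and fnmatchcase(action, self.action)
                and fnmatchcase(resource, self.resource))


# Constructed sample rule set (hypothetical). Rules are evaluated top to
# bottom and the first match decides, so the payroll deny is listed first.
RULES = [
    Rule("*", "*", "/finance/payroll/*", "deny"),
    Rule("alice", "read", "/finance/*", "allow"),
    Rule("alice", "write", "/finance/reports/*", "allow"),
    Rule("bob", "read", "/public/*", "allow"),
]


def decide(subject: str, action: str, resource: str,
           rules=RULES, default: str = "deny") -> str:
    """Return "allow" or "deny" for one request.

    default="deny"  -> implicit deny: a request no rule covers is refused.
    default="allow" -> the alternative the slide describes: access is
                       granted unless a specific rule forbids it.
    """
    if default not in ("allow", "deny"):
        raise ValueError("default must be 'allow' or 'deny'")
    for rule in rules:
        if rule.matches(subject, action, resource):
            return rule.effect
    return default


def uncovered_requests(requests, rules=RULES):
    """Requests no rule matches: exactly the ones whose outcome flips
    between implicit deny and implicit allow."""
    return [req for req in requests
            if decide(*req, rules=rules, default="deny")
            != decide(*req, rules=rules, default="allow")]


if __name__ == "__main__":
    sample = [
        ("alice", "read", "/finance/budget.xlsx"),
        ("alice", "read", "/finance/payroll/2024.csv"),
        ("bob", "write", "/public/notes.txt"),      # no rule covers this
        ("carol", "read", "/finance/budget.xlsx"),  # nor this
    ]
    for req in sample:
        print(req, "implicit deny:", decide(*req),
              "implicit allow:", decide(*req, default="allow"))
    print("decided only by the default:", uncovered_requests(sample))
```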

Job Rotation

- The rotation of individuals through different tasks and duties in the organization's IT department.
- The individuals gain a better perspective of all the elements of how the various parts of the IT department can help or hinder the organization.
- Prevents a single point of failure, where only one employee knows mission critical job tasks.

Layered Security

- Layered security implements different access controls and utilizes various tools and devices within a security system on multiple levels.
- Compromising the system would take longer and cost more than it's worth.
- Potential downside is the amount of work it takes to create and then maintain the system.

Diversity of Defense

- This concept complements the layered security approach.
- Diversity of defense involves making different layers of security dissimilar.
- Even if attackers know how to get through a system that compromises one layer, they may not know how to get through the next layer that employs a different system of security.

Security Through Obscurity

- Security through obscurity states that the security is effective if the environment and protection mechanisms are confusing or supposedly not generally known.
- The concept's only objective is to hide an object (not to implement a security control to protect the object).
- It's not effective.

Keep It Simple

- The simple security rule is the practice of keeping security processes and tools simple and elegant.
- Security processes and tools should be simple to use, simple to administer, and easy to troubleshoot.
- A system should only run the services that it needs to provide and no more.

Security Topics

- Access control
- Authentication
- Social engineering

Access Control

- Access control is a term used to define a variety of protection schemes.
- This is a term sometimes used to refer to all security features used to prevent unauthorized access to a computer system or network.
- It's often confused with authentication.

Authentication

- Authentication deals with verifying the identity of a subject, while access control deals with the ability of a subject (individual or process running on a computer system) to interact with an object (file or hardware device).
- Three types of authentication:
  - Something you know (password)
  - Something you have (token or card)
  - Something you are (biometric)

Access Control vs. Authentication

- Authentication: this proves that you (the subject) are who you say you are.
- Access control: this deals with the ability of a subject to interact with an object.
- Once an individual has been authenticated, access controls then regulate what the individual can actually do on the system.
- Digital certificates: an attachment to a message, used for authentication. It can also be used for encryption.

Authentication and Access Control Policies

- Group policy: by organizing users into groups, a policy can be made that will apply to all users in that group.
- Password policy: passwords are the most common authentication mechanism. The policy should specify: character set, length, complexity, frequency of change, and how the password is assigned.
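The attributes a password policy is supposed to specify map directly onto a checker. The following is an added example (not from the slides): the policy values (minimum length, allowed character set, required character classes, maximum age) are constructed for illustration and are not any organisation's actual policy.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    """The attributes the slide says a password policy should specify.
    Values here are constructed for illustration, not an organisation's policy."""
    min_length: int = 12
    # Character set: printable ASCII without whitespace.
    allowed_chars: str = string.ascii_letters + string.digits + string.punctuation
    # Complexity: number of character classes (lower, upper, digit, symbol) required.
    required_classes: int = 3
    # Frequency of change: maximum password age in days.
    max_age_days: int = 90
    # How it is assigned: "user" (chosen by the user) or "admin" (issued centrally).
    assigned_by: str = "user"


CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of violations; an empty list means the password complies."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    disallowed = sorted({c for c in password if c not in policy.allowed_chars})
    if disallowed:
        problems.append("disallowed characters: " + repr("".join(disallowed)))
    present = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    if present < policy.required_classes:
        problems.append(f"only {present} of {policy.required_classes} required character classes")
    return problems


def change_required(last_changed: date, policy: PasswordPolicy, today: date) -> bool:
    """Frequency-of-change rule: True once the password is older than max_age_days."""
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ["Tr0ub4dor&3-horse", "Short1!", "alllowercaseletters", "has a space 1A!"]:
        print(repr(pw), check_password(pw, policy) or "OK")
    print("change required:", change_required(date(2024, 1, 1), policy, date(2024, 4, 1)))
```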

Social Engineering

- Social engineering is the process of convincing an individual to provide confidential information or access to an unauthorized individual.
- Social engineering is one of the most successful methods that attackers have used to gain access to computer systems and networks.
- The technique relies on an aspect of security that can be easily overlooked: people.
- Most people have an inherent desire to be helpful or avoid confrontation. Social engineers exploit this fact.
- Social engineers will gather seemingly useless bits of information that, when put together, divulge other sensitive information. This is data aggregation.

Security Policies & Procedures

- Policy: high-level statements created by management that lay out the organization's positions on particular issues.
- Security policy: high-level statement that outlines both what security means to the organization and the organization's goals for security.
- Procedure: general step-by-step instructions that dictate exactly how employees are expected to act in a given situation or to accomplish a specific task.

Acceptable Use Policy

- The acceptable use policy outlines the behaviors that are considered appropriate when using a company's resources.
- Internet use policy: this covers the broad subject of Internet usage.
- E-mail usage policy: this details whether non-work e-mail traffic is allowed at all or severely restricted.

Different Security Policies

- Change management policy: this ensures proper procedures are followed when modifications to the IT infrastructure are made.
- Classification of information policy: this establishes different categories of information and the requirements for handling each category.
- Due care and due diligence:
  - Due care is the standard of care a reasonable person is expected to exercise in all situations.
  - Due diligence is the standard of care a business is expected to exercise in preparation for a business transaction.

Different Security Policies

- Due process policy: due process guarantees fundamental fairness, justice and liberty in relation to an individual's rights.
- Need-to-know policy: this policy reflects both the principle of need to know and the principle of least privilege.
- Disposal and destruction policy: this policy outlines the methods for destroying discarded sensitive information.

Service Level Agreements

- Service level agreements are contractual agreements between entities that describe specified levels of service, and guarantee the level of service.
- A web service provider might guarantee 99.99% uptime.
- Penalties for not providing the service are included.

Human Resources Policies

- Employee hiring and promotions
  - Hiring: background checks, reference checks, drug testing
  - Promotions: periodic reviews, drug checks, change of privileges
- Retirement, separation, and termination of an employee: determine the risk to information, consider limiting access and/or revoking access.
- Mandatory vacation: an employee that never takes time off may be involved in nefarious activities and does not want anyone to find out.

Security Models

- Confidentiality models
  - Bell-LaPadula security model
- Integrity models
  - Biba model
  - Clark-Wilson model

Bell-LaPadula Security Model

- Two principles
  - Simple security rule (no read up)
  - The *-property (pronounced "star property") principle (no write down)
- Objective: protect confidentiality

Biba Model

- Two principles based on integrity levels
  - Low-water policy (no write up)
  - Ring policy (no read down)
- Objective: protect integrity

Clark-Wilson Model

- Uses transactions as a basis for rules
- Two levels of integrity
  - Constrained data items (CDI): subject to integrity controls
  - Unconstrained data items (UDI): not subject to integrity controls
- Two types of processes
  - Integrity verification processes (IVPs)
  - Transformation processes (TPs)

Model Summary

Model | Objective | Policies
Bell-LaPadula | Confidentiality | No read up; no write down
Biba | Integrity | No read down; no write up
Clark-Wilson | Integrity | Two levels of integrity (UDI and CDI); IVPs monitor TPs (transformation processes)
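The Bell-LaPadula and Biba rows of the summary are easiest to see as two mirror-image comparisons on an ordered set of levels. The following is an added example (not from the slides): the level names, the subjects and objects and their labels are all constructed for illustration; the four rules implemented are the ones in the table (no read up, no write down, no read down, no write up), and a request is allowed only when both models agree.

```python
# Ordered lattices, constructed for this example: a higher index is a
# higher level. Real systems use their own labels and may add categories.
CONF_LEVELS = ["unclassified", "confidential", "secret", "top_secret"]
INTEG_LEVELS = ["untrusted", "user", "system"]


def _rank(level: str, lattice: list) -> int:
    if level not in lattice:
        raise ValueError(f"unknown level: {level}")
    return lattice.index(level)


def blp_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : simple security rule, subject >= object  (no read up)
    write: *-property,            subject <= object  (no write down)"""
    s, o = _rank(subject_level, CONF_LEVELS), _rank(object_level, CONF_LEVELS)
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Biba (integrity), the dual of Bell-LaPadula.
    read : subject <= object  (no read down; the slide calls this the ring policy)
    write: subject >= object  (no write up; the slide calls this the low-water policy)"""
    s, o = _rank(subject_level, INTEG_LEVELS), _rank(object_level, INTEG_LEVELS)
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation: {op}")


# Constructed labels: (confidentiality level, integrity level).
SUBJECTS = {"analyst": ("secret", "user"), "installer": ("unclassified", "system")}
OBJECTS = {
    "war_plan.doc": ("top_secret", "user"),
    "weather.txt": ("unclassified", "user"),
    "kernel.bin": ("unclassified", "system"),
    "download.exe": ("unclassified", "untrusted"),
}


def access(subject: str, obj: str, op: str) -> dict:
    """Evaluate one request under both models; it is allowed only if both agree."""
    s_conf, s_int = SUBJECTS[subject]
    o_conf, o_int = OBJECTS[obj]
    verdict = {"blp": blp_allows(s_conf, o_conf, op),
               "biba": biba_allows(s_int, o_int, op)}
    verdict["allowed"] = verdict["blp"] and verdict["biba"]
    return verdict


if __name__ == "__main__":
    for subj, obj, op in [("analyst", "war_plan.doc", "read"),    # read up: BLP denies
                          ("analyst", "weather.txt", "write"),    # write down: BLP denies
                          ("analyst", "download.exe", "read"),    # read down: Biba denies
                          ("analyst", "kernel.bin", "write"),     # both deny
                          ("installer", "kernel.bin", "write")]:  # both allow
        print(f"{subj:9} {op:5} {obj:13} -> {access(subj, obj, op)}")
```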

Summary

- List and discuss recent trends in computer security.
- Describe simple steps to take to minimize the possibility of an attack on a system.
- Describe various types of threats that exist for computers and networks.
- Discuss recent computer crimes that have been committed.
- Define basic terms associated with computer and information security.
- Identify the basic approaches to computer and information security.
- Distinguish among various methods to implement access controls.
- Describe methods used to verify the identity and authenticity of an individual.
- Recognize some of the basic models used to implement security in operating systems.
