Isys20261 lecture 03


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Isys20261 lecture 03

  1. 1. Computer Security Management(ISYS20261)Lecture 3 – Attackers Module Leader: Dr Xiaoqi Ma School of Science and Technology
  2. 2. The story so far …• Security requirements: – Confidentiality – Integrity – Availability• Information related assets: – data – software – hardware• Need to be protect assets from harm• Threat: possible source of harm to an assetComputer Security ManagementPage 2
  3. 3. Remember definitions?• Harm – Something happens to an asset that we do not want to happen• Threat – Possible source of harm• Attack – Threatening event (instance of a threat)• Attacker – Someone or something that mounts a threat• Vulnerability – Weakness in the system (asset) that makes an attack more likely to successes• Risk – Possibility that a threat will affect the business or organisationComputer Security ManagementPage 3
  4. 4. Last week …• Six basic types of harm• A threat is a possible source of harm• A threat exploits vulnerabilities in a system• We need to satisfy our information security requirements• Need to put controls in place to defend ourselvesComputer Security ManagementPage 4
  5. 5. Defend against whom?• Malicious entity (human or computer program) that tries to compromise information security requirements (CIA)• Might attempt to: – discover secrets, – corrupt data, – spoof the identity of a message sender or receiver, – or force system downtime.• Attacker differ in – Motivation – Ability – Resources – Readiness to assume risk• We need to know what type of attacker we are facing to select effective security measuresComputer Security ManagementPage 5
  6. 6. Attack sophistication vs. attacker technical Auto Coordinatedknowledge Cross site scripting Tools “stealth” / advanced High scanning techniques packet spoofing denial of service Staged sniffers distributed attack tools Intruder sweepers www attacks Knowledge automated probes/scans GUI back doors disabling audits network mgmt. diagnostics hijacking burglaries sessionsAttack exploiting known vulnerabilitiesSophistication password cracking self-replicating code password guessing Intruders Low 1980 1985 1990 1995 2000Computer Security ManagementPage 6
  7. 7. Types of attackers (A. Sasse, based onSchneier, 2003)• Opportunist• Emotional attacker• Cold intellectual attacker• Terrorist• InsiderComputer Security ManagementPage 7
  8. 8. Opportunist• Most common type of attacker• Spots and seizes an opportunity• Convinced they will not get caught• Highly risk-averseComputer Security ManagementPage 8
  9. 9. Emotional attacker• Wants to make a statement• Accepts high level of risk• Motivation: – Revenge – Just for fun – Cries for helpComputer Security ManagementPage 9
  10. 10. Cold intellectual attacker• Professional who attacks for personal material gain• High skill level• Has resources available• Highly risk-aversive• Might use insiders to carry out attacksComputer Security ManagementPage 10
  11. 11. Terrorist• Wants to make a statement or intimidate• Wants to gain visibility• Accepts high risk• Not deterred by sophisticated countermeasures• Might see countermeasures as challengeComputer Security ManagementPage 11
  12. 12. Insider• Employees are still one of the biggest threats to corporate IT security both through malicious and accidental actions.• “Statistics show that 70 per cent of fraud is perpetrated by staff rather than by external people or events. We invest up to 90 per cent of our security resources on controls and monitoring against internal threats." (Mitsubishi UFJ Securities International, 2008)• Insider are often tricked into the attack by a third party, e.g. through social engineeringComputer Security ManagementPage 12
  13. 13. Insider (2)• Unwitting pawn for another insider or outsider• Insider intents to perpetrate or facilitate the attack, alone or in collusion with other parties, e.g. – Forced to carry out the attack, e.g. through blackmail, hostage – Groomed to carry out the attack, e.g. lonely person befriended by somebody they will now do anything for – Motivated by expected personal gainComputer Security ManagementPage 13
  14. 14. Insider attackers• Age 18-59• 42% female• Variety of positions – 31% service – 23% admin – 19% professional – 23% technical• 17% have sysadmin/root access• 15% regarded as difficult to manage• 19% perceived by others as disgruntled employees• 27% had come to attention of a supervisor and/or co-worker prior to the incident• 27% had prior arrestsComputer Security ManagementPage 14
  15. 15. Types of insider attacks• Leaking of information: – insider copies information and using it for own purpose• Data or service theft: – Removal of data or software• Tampering with data or system – Changing data or software in the system or tampering with procedures• Sabotage – Changing data or software in the system so that the system does not work properly (might not be immediately apparent)• Vandalism – Immediately visible and usually aimed to stop the system from workingComputer Security ManagementPage 15
  16. 16. Precursors of insider attacks• Deliberate markers – To make a statement• Meaningful errors – Attacker makes error whilst trying to cover their tracks by deleting logfiles• Preparatory behaviour – Collecting information, testing countermeasures, checking permissions• Correlated usage pattern – might reveal a systematic attempt to collect information• Verbal behaviour – E.g. hints to friends, threats, unhappiness with the organisation …• Personality traits – Introversion, loners …Computer Security ManagementPage 16
  17. 17. Motivation• Material gain• Revenge• Improve position within the organisation• Improve esteem in the eyes of others• Thrill-seekingComputer Security ManagementPage 17
  18. 18. Means of attacks• In 87% of the cases: insider employed simple, legitimate user commands to carry out attack• In 78% of the cases: authorised users• In 43% of the cases: attacker used their own username and password!• 26% used someone else’s account (unattended terminal with open user account or social engineering)• 70% exploited vulnerabilities in systems and/or procedures• 39% were unaware of organisation’s technical security measure!Computer Security ManagementPage 18