2. 2
Need for security
Information is a strategic resource
A significant portion of organizational budget
is spent on managing information
Organizations therefore have several security-related objectives:
• Confidentiality (secrecy) - protect the value of information
• Integrity - protect the accuracy of information
• Availability - ensure information is delivered when it is needed
3. 3
What is Security?
Security is the protection of assets. The three
main aspects are:
• Prevention
• Detection
• Reaction (response and recovery)
4. 4
Some differences between traditional
security and information security
• Information can be stolen - but you still have it
• Confidential information may be copied and
sold - but the theft might not be detected
• The criminals may be on the other side of the
world
6. 6
What is Security?
“Deals with the prevention and detection of
unauthorised actions by users of a computer
system.”
“The protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the integrity,
availability, and confidentiality of information
system resources (includes hardware, software,
firmware, information/data, and
telecommunications).”
7. 7
Security basics
• Data Confidentiality – protection of data from
unauthorized disclosure. (Secrecy)
• Data Integrity – assurance that data received is as sent
by an authorized entity. (Trustworthiness)
• Availability – resource accessible/usable when needed
• Authentication – assurance that the communicating entity is
the one claimed
– covers both peer-entity & data origin authentication
• Access Control – prevention of the unauthorized use of a
resource
8. 8
Confidentiality
Preserving authorized restrictions on information
access and disclosure
Protecting personal privacy and proprietary
information
Loss of confidentiality is the unauthorized
disclosure of information.
9. 9
Integrity
Guarding against improper information modification
or destruction
Loss of integrity is the unauthorized modification or
destruction of information.
[Diagram: A sends data to B; an attacker in the path modifies the data in transit]
10. 10
Availability
Ensuring timely and reliable access to and use of
information
Loss of availability is the disruption of access to
or use of information
Assures that systems work promptly and service
is not denied to authorized users
11. 11
Authentication
Authentication is the process of verifying that a
communicating entity is the one it claims to be.
Authenticity is the property of being genuine, valid
or trusted.
Authentication helps to establish proof of identity.
Authentication gives confidence in the validity of
a transmission, a message, or its originator.
The task of an authentication mechanism is to make
sure that only valid users are admitted.
12. 12
Authentication Methods
Something you know
Authentication based on something the user remembers. Ex.
Username and password
Something you have
Authentication based on something the user must
carry. Ex. Access card, hardware token
Something you are
Authentication based on a human's unique physical
characteristics. Ex. Biometrics (fingerprint, iris).
Combining factors from two different categories gives
multi-factor authentication.
13. 13
Access Control
Access is the ability of a subject to interact with
an object.
Access control is the ability to specify, control and limit
access to a host system or application, which prevents
unauthorized users from accessing or modifying data or
resources.
In short: prevention of the unauthorized use of a resource.
14. 14
Non Repudiation
Non-repudiation prevents either the sender or the receiver
from denying a transmitted message.
Thus, when a message is sent, the receiver can
prove that the alleged sender in fact sent the
message.
Similarly, when a message is received, the sender
can prove that the alleged receiver in fact
received the message.
This requires evidence a third party can verify, such as a
digital signature; a shared-key MAC cannot provide it, because
either holder of the key could have produced the tag.
15. 15
Authorization
Authorization is the process of verifying that a
known (already authenticated) person has the authority
to perform a certain operation.
Authorization cannot occur without
authentication.
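Added example, not part of the original slides: the three ideas from the Authentication, Access Control and Authorization slides in one small Python program. Users, roles, passwords and the permission table are constructed for the demo; the only real security mechanisms used are PBKDF2 password hashing and a constant-time comparison from the standard library. The point it makes in code is the ordering: a subject is authenticated (something you know), which yields a session, and only then is the requested (resource, action) pair authorized; with no session there is nothing to authorize, so the answer is deny.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (raise for production use)

# Constructed role -> permitted (resource, action) pairs. In a real system
# this table lives in a policy store; here it is built in memory.
ROLE_PERMISSIONS = {
    "reader": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
    "admin": {("report", "read"), ("report", "write"), ("user", "create")},
}

def make_user(username, password, role):
    """Create a user record holding a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "salt": salt, "hash": digest, "role": role}

# Constructed user store (sample users, not real credentials).
USERS = {u["username"]: u for u in (
    make_user("alice", "correct horse battery staple", "editor"),
    make_user("bob", "hunter2", "reader"),
)}

def authenticate(username, password):
    """'Something you know' check. Returns a session dict (the proof of
    identity) on success, None on failure. The comparison is constant-time
    and an unknown user costs the same hash work as a known one, so the
    response time does not reveal which usernames exist."""
    user = USERS.get(username)
    salt = user["salt"] if user else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return None
    return {"username": username, "role": user["role"]}

def authorize(session, resource, action):
    """Authorization: may this already-authenticated subject perform
    `action` on `resource`? No session means no authentication, and
    authorization cannot occur without authentication, so deny."""
    if session is None:
        return False
    return (resource, action) in ROLE_PERMISSIONS.get(session["role"], set())

def access(username, password, resource, action):
    """Access control as a whole: authenticate the subject, then authorize
    the specific operation. Returns 'allow' or 'deny'."""
    session = authenticate(username, password)
    return "allow" if authorize(session, resource, action) else "deny"
```

Note that `authorize` never looks at the password: once the session exists, the decision is purely about the subject's role and the object, which is what keeps authentication and authorization as separate, auditable steps.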
16. 16
Example of Security Impact Levels
Low
• Loss would have a limited adverse effect on Org
operations, assets or individuals
• Causes some degradation in mission capability
• Reduces the effectiveness of a function
• Minor damage to assets
• Minor functional loss
• Minor harm to individuals
17. 17
Example of Security Impact Levels
Moderate
• Loss would have a serious adverse effect on Org
operations, assets or individuals
• Causes significant degradation in mission
capability
• Significantly reduces the effectiveness of a
function
• Significant damage to assets
• Significant functional loss
• Significant harm to individuals
18. 18
Example of Security Impact Levels
High
• Loss would have a severe adverse effect on Org
operations, assets or individuals
• Causes severe degradation in mission
capability
• The organization is not able to perform one or
more of its primary functions
• Major damage to assets
• Major functional loss
• Major harm to individuals
19. 19
Challenges for Security
• Not simple: the major requirements (CIA) are
easy to state but hard to meet.
• While designing a security mechanism,
consider the potential attacks against it.
• Security mechanisms are complex.
• It is necessary to decide where to use
them (physical / logical placement).
• They often involve more than one
protocol/algorithm, and raise the problem of
managing secret information (encryption keys).
20. 20
Challenges for Security
• An ongoing battle between attacker and admin/designer
• Human tendency: little security investment
until a failure occurs
• Needs regular, constant monitoring
• It is essential to add security at design time
rather than after the design is complete;
security is often an afterthought
• Tendency to regard strong security as an
obstacle to using the system
21. 21
Model for Security
Security means protecting assets, and assets are
Hardware
Software
Data
Communication facilities and networks
Following are the possible vulnerabilities:
Data can be corrupted.
Data can be leaked.
Data can be unavailable.
22. 22
Risk and Threat Analysis
• Risk
• Risk is the potential for an incident or attack to
cause damage to the system (how likely the event
is, combined with how much harm it would do).
• An attack is carried out as a sequence of actions,
e.g. exploiting weak points (vulnerabilities).
23. 23
Risk and Threat Analysis
• Risk analysis is the review of the gathered data
and the analysis of the resulting risk
• The risk assessment team determines asset
values, system criticality, likely threats,
and the existence of vulnerabilities.
• Risk calculation (qualitative model)
Risk = Asset value X Threat likelihood X Vulnerability severity
(if any factor is zero, e.g. no vulnerability exists, the risk is zero)
24. 24
Risk and Threat Analysis
Assets
• Those items that an organization wishes
to protect.
• An asset can be any data, device or other
component that supports information-related
activities.
• Assets can be hardware, software, or
confidential information.
• Valuing the assets scopes and guides the
security risk assessment.
25. 25
Risk and Threat Analysis
Threats
• An undesired event that may result in loss,
disclosure or damage to an org asset.
• A threat is a potential for violation of security:
a circumstance, capability, action or event that
could breach security and cause harm.
• Threats can be identified by the damage they would
do to an asset, e.g.:
– Spoofing the identity of users
– Disclosure of information
– A user gaining more privileges than granted
26. 26
Risk and Threat Analysis
Vulnerability
• A vulnerability is a weakness in the information
infrastructure of the org.
• It can be exploited, accidentally or intentionally,
to damage the asset.
• Vulnerabilities can be
– Programs running with unnecessary privilege
– Accounts whose default password was not changed
– Programs with known faults (unpatched software)
– Weak access control
– Weak firewall configuration
28. 28
Viruses
• Piece of software that infects programs
– Modifying them to include a copy of the virus
– So it executes secretly when host program is run
• Specific to operating system and hardware
– Taking advantage of their details and weaknesses
• A typical virus goes through phases of:
– Dormant
– Propagation
– Triggering
– Execution
29. 29
Virus
• A virus attaches itself to program and
propagates copies of itself to other programs.
• The essential component of a virus is a set of
instructions which, when executed, spreads
itself to other, previously uninfected, programs
or files.
• It performs two functions:
I. It copies itself into previously uninfected programs
or files.
II. It executes whatever other instructions the virus
author included (the payload).
30. 30
Virus
• It may cause damage simply by replicating itself and taking up
system resources: disk space, CPU time, or network
connections.
• A virus is a program that can pass on malicious code
to other non-malicious programs by modifying them.
• The term ‘virus’ was coined because it acts like a biological virus.
• A virus can be either transient or resident.
– A transient virus has a life that depends on the life of its
host: the virus runs when its attached program executes and
terminates when its attached program ends.
– A resident virus locates itself in memory, where it can
remain active or be activated as a stand-alone program,
even after its attached program ends.
32. 32
Types of Viruses
Can classify on the basis of how they attack
• Parasitic virus
– Attaches itself to executable files and replicates
• Memory-resident virus
– Lodges in main memory and infects every
program that executes.
• Boot sector virus
– Infects a boot record and spreads when the
system is booted from the disk
33. 33
Virus types
• Stealth Virus
– A stealth virus is one which hides the modifications it has
made to a file or boot record
– It does so by intercepting the system functions used by programs to
read files or physical blocks from storage media and
returning the original, uninfected contents
– The infection therefore goes undetected by anti-virus programs
that rely on those functions
• Polymorphic Virus
– A polymorphic virus is one which produces varied but
fully operational copies of itself (e.g. by re-encoding its
body with a different key each time), in an attempt to avoid
signature detection.
34. 34
Macro Virus
• Became very common in the mid-1990s since they are
– Platform independent
– Infect documents rather than executables
– Easily spread (documents are exchanged far more than programs)
• Exploit the macro capability of office apps
– An executable program embedded in an office document
– Often a form of Basic
• More recent releases include protection (macro security settings)
• Recognized by many anti-virus programs
35. 35
Virus Structure
• Components:
– Infection mechanism - enables replication
– Trigger - event that makes the payload activate
– Payload - what it does, the malicious activity
• Virus code may be prepended, appended, or embedded in the host program
• When the infected program is invoked, it executes the
virus code first and then the original program code, so
the user notices nothing unusual
36. 36
Phases of Virus
A typical virus goes through phases of:
Dormant – the virus is idle, waiting for an activating event
Propagation – the virus copies itself into other programs or disk areas
Triggering – the virus is activated to perform its intended function
Execution – the payload runs
37. 37
Triggers of the Virus Attacks
Attacks begin upon the occurrence of a certain event:
– On a certain date / time of year
– At a certain time of day
– When a certain job is run
– After cloning itself n times
– When a certain combination of keystrokes occurs
– When the computer is restarted
The virus code must put itself into a position to either
start itself when the computer is turned on, or when a
specific program is run.
38. 38
Protection against viruses
1. Education
2. Backup and recovery procedures
3. Isolate software libraries
4. Implement software library management
procedures
5. Develop a virus alert procedure
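Added example, not part of the original slides, covering the Virus Structure, Stealth/Polymorphic and Protection slides together: it contrasts the two detection approaches a defender has against a parasitic virus. No virus code is involved; the "virus" is a constructed marker byte string that is prepended, appended, or re-encoded (the polymorphic case) onto a constructed host program. A signature scanner finds the plain copies but misses the re-encoded one, while a file-integrity baseline (hash every trusted program on a clean system, compare later) flags every modified host regardless of how the infection is disguised.

```python
import hashlib
import re

# Constructed host "program": bytes standing in for an executable.
CLEAN_PROGRAM = b"MZ\x90\x00" + b"\x00" * 32 + b"original program code"
# Constructed marker standing in for the byte sequence a scanner keys on.
MARKER = b"\xde\xad\xbe\xef\x13\x37"
PREPENDED = MARKER + CLEAN_PROGRAM     # virus code runs before the host
APPENDED = CLEAN_PROGRAM + MARKER      # virus code placed after the host

def _xor(body, key):
    return bytes(b ^ key for b in body)

# "Polymorphic" copy: same marker, XOR-encoded with a per-copy key behind a
# tiny decoder stub, so the raw marker bytes never appear on disk.
POLYMORPHIC = b"STUB" + bytes([0x5A]) + _xor(MARKER, 0x5A) + CLEAN_PROGRAM

# Signature database: name -> byte pattern (classic anti-virus approach).
SIGNATURES = {"demo-marker": re.compile(re.escape(MARKER))}

def signature_scan(data, signatures=SIGNATURES):
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern.search(data)]

def make_baseline(files):
    """Record a SHA-256 of every trusted program; run on a known-clean system."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def verify_integrity(files, baseline):
    """Return the names of programs whose hash no longer matches the baseline,
    i.e. hosts that were modified (prepended, appended or embedded) since."""
    return sorted(
        name for name, data in files.items()
        if baseline.get(name) != hashlib.sha256(data).hexdigest()
    )

def demo():
    """Two programs are baselined clean, then infected: app.exe with the plain
    prepended marker, tool.exe with the polymorphic form. The signature scan
    catches only app.exe; the integrity check catches both."""
    clean = {"app.exe": CLEAN_PROGRAM, "tool.exe": CLEAN_PROGRAM}
    baseline = make_baseline(clean)
    infected = {"app.exe": PREPENDED, "tool.exe": POLYMORPHIC}
    return {
        "signature_app": signature_scan(infected["app.exe"]),
        "signature_tool": signature_scan(infected["tool.exe"]),
        "integrity_changed": verify_integrity(infected, baseline),
    }
```

The integrity approach is what the "isolate software libraries" and "library management" items on the slide buy you: it needs a trusted baseline taken before infection, and it cannot say what changed, only that something did; the two techniques are complementary rather than alternatives.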
39. 39
Worm
• A worm is a program that can replicate itself.
• It is malicious s/w which does not require a
host program for its execution.
• A replicating program that propagates over the network
without infecting programs
(does not attach itself to a program)
• A worm need not carry a destructive payload, but
its propagation alone is harmful:
• A worm can harm a computer system by filling
main memory with its replicated copies.
40. 40
Worm
• A worm is able to send multiple copies of itself
to other computers on the network
• A worm can harm a network by consuming
network bandwidth.
• Has phases like a virus:
– Dormant, propagation, triggering, execution
– Propagation phase: searches for other systems,
connects to them, copies itself to them and runs
41. 41
Some Worm Attacks
• Code Red
– July 2001, exploiting an MS IIS bug
– probes random IP addresses, launches a DDoS attack
• Code Red II variant includes a backdoor
• SQL Slammer
– early 2003, attacks MS SQL Server
• Mydoom
– mass-mailing e-mail worm that appeared in 2004
– installed a remote access backdoor on infected systems
• Warezov family of worms
– scan for e-mail addresses, send themselves as an attachment
42. Virus vs Worm
Virus | Worm
A piece of code that attaches itself to other programs | A malicious program that spreads automatically
Modifies the code of the programs it infects | Does not modify other programs' code
Some viruses cannot replicate themselves without the host running | Replicates itself independently
Usually destructive in nature | Often carries no destructive payload, but its replication still consumes resources
Aim is to infect other programs stored on the computer system | Aim is to make the computer or network unusable
Infects files | Does not infect other files, but occupies memory by replication
May need a trigger for execution | Does not need any trigger
43. 43
Insiders
• More dangerous than outside intruders
• Most difficult to detect and prevent
• Have the access and knowledge to cause
immediate damage to an organization.
• Have knowledge of the security systems in
place and so are better able to avoid
detection.
• Employees are not the only insiders: other people
who have access, such as contractors or partners,
are insiders too.
44. 44
Insiders
For preventing insider attacks
• Enforce least privilege: allow access only to the
resources an employee needs to do their job
• Log what users access and what
commands they enter, and review the logs.
• Protect sensitive resources with strong
authentication
• Upon termination, revoke the employee's computer
and network access immediately.
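Added example, not part of the original slides: the logging item above only helps if someone reviews the logs, so here is the detection logic a practitioner would run over them. The audit-log format, the entitlement table (which path prefixes each employee needs, i.e. least privilege) and the HR termination feed are all constructed for the demo. The detector flags three insider indicators from the slide: activity on an account that should have been revoked, access outside the user's entitlement, and bulk reading of many distinct resources in a short window, which is a common sign of data being collected for exfiltration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed entitlements: path prefixes each employee needs for their job.
ENTITLEMENTS = {
    "alice": {"/finance/"},
    "bob": {"/eng/"},
    "carol": {"/eng/", "/finance/"},
}
# Constructed HR feed: accounts that should have been revoked on termination.
TERMINATED = {"dave": "2024-03-01T00:00:00Z"}

# Constructed audit log, one access per line.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z user=alice action=read resource=/finance/q1.xlsx
2024-03-04T09:00:05Z user=bob action=read resource=/eng/build.log
2024-03-04T09:00:09Z user=bob action=read resource=/finance/payroll.csv
2024-03-04T09:00:12Z user=dave action=read resource=/eng/design.doc
2024-03-04T09:01:00Z user=carol action=read resource=/finance/a.csv
2024-03-04T09:01:05Z user=carol action=read resource=/finance/b.csv
2024-03-04T09:01:10Z user=carol action=read resource=/finance/c.csv
2024-03-04T09:01:15Z user=carol action=read resource=/finance/d.csv
2024-03-04T09:01:20Z user=carol action=read resource=/finance/e.csv
this line is malformed and must be skipped rather than crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<res>\S+)$"
)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = _ts(rec["ts"])
    return rec

def detect(lines, bulk_threshold=5, window_seconds=60):
    """Scan audit lines and return (user, finding) tuples for three insider
    indicators: activity on a terminated account, access outside the user's
    entitlement, and bulk reads of many distinct resources in a short window."""
    findings = []
    recent = defaultdict(list)   # user -> [(ts, resource)] inside the window
    bulk_flagged = set()         # report the bulk-read indicator once per user
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        user, res, ts, action = rec["user"], rec["res"], rec["ts"], rec["action"]
        term = TERMINATED.get(user)
        if term and ts >= _ts(term):
            findings.append((user, f"activity after termination: {action} {res}"))
        if not any(res.startswith(p) for p in ENTITLEMENTS.get(user, ())):
            findings.append((user, f"outside entitlement: {action} {res}"))
        if action == "read":
            recent[user] = [(t, r) for t, r in recent[user]
                            if (ts - t).total_seconds() <= window_seconds]
            recent[user].append((ts, res))
            distinct = {r for _, r in recent[user]}
            if len(distinct) >= bulk_threshold and user not in bulk_flagged:
                bulk_flagged.add(user)
                findings.append((user, f"bulk read: {len(distinct)} distinct "
                                       f"resources within {window_seconds}s"))
    return findings
```

On the sample log, bob is flagged for reading payroll data outside his engineering entitlement, dave for any activity at all after his termination date, and carol for five distinct finance files in twenty seconds; alice's single in-scope read produces nothing. The thresholds are tuning knobs, and the termination feed only works if HR data reaches the security team promptly.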
45. 45
Intruders
• Hacking means the act of accessing a computer
system/network without authorization (this includes
authorized users exceeding their authorization).
• Intruders are extremely patient, since the
process of gaining access requires persistence and
dogged determination
• If the first attack fails they try from a different angle
(search for another possible vulnerability)
• If the second attack is blocked or fails, they try a
third and so on, until they find a vulnerability or
gain access
46. 46
Intruders
Levels
• At the low end are individuals who are not technically
expert enough to develop new scripts or find new vulnerabilities
• They use ready-made (downloaded) scripts for known
vulnerabilities
• At the next level are people who are capable of writing
scripts to exploit known vulnerabilities
• (this group accounts for an estimated 8 to 12% of
malicious Internet activity)
• At the top end are the so-called elite hackers
• Capable of writing scripts that exploit vulnerabilities
• Also capable of discovering new vulnerabilities
47. 47
Intruders
• Often referred to as a hacker or cracker
• Three classes of intruders:
– Masquerader: An individual who is not authorized to
use the computer and who penetrates a system’s access
controls to exploit a legitimate user’s account
– Misfeasor: A legitimate user who accesses data,
programs, or resources for which such access is not
authorized, or who is authorized for such access but
misuses his or her privileges
– Clandestine user: An individual who seizes
supervisory control of the system and uses this control
to evade auditing and access controls or to suppress
audit collection
48. 48
Intruders | Insiders
Intruders are authorized or unauthorized users who are trying to access the system or network | Insiders are authorized users who try to access parts of the system or network for which they are not authorized
Intruders are hackers or crackers | Insiders are not necessarily hackers
Intruders are illegal users | Insiders are legal users
Intruders are less dangerous | Insiders are more dangerous
Intruders have to study or gain knowledge about the security system | Insiders already have knowledge of the security system
Intruders do not have access to the system | Insiders have easy access to the system
Many security mechanisms are used to protect against intruders | Far fewer mechanisms protect against insiders (mainly least privilege, logging and monitoring)
49. 49
Criminal organizations
• Organized groups of hackers are now a threat
– Corporate / government-backed / loosely affiliated gangs
– Typically young
– Often target credit card data on e-commerce servers
• Criminal activities on the Internet are the same as
criminal activities in the physical world
– Fraud, extortion, theft, forgery
• Criminal hackers usually have specific targets
• Once penetrated, they act quickly and get out
• IDS / IPS help, but are less effective against such
targeted, well-resourced attackers
• Sensitive data needs strong protection
50. 50
Terrorists and Information Warfare
• Nations are dependent on computers and
networks
• Information warfare is conducted against information
and information-processing equipment.
• It is a highly structured threat/attack
• It requires a longer period of penetration, large
financial backing, and a large organized group
of attackers
• Military forces are a key target
51. 51
Avenues of Attack
• The two most frequent types of attacks:
– viruses and insider abuse.
• 2 general reasons a particular computer system is
attacked:
– It is specifically targeted by the attacker, not because
of the hardware or software the organization is running but
for some other reason, such as a political one
– Or it is a target of opportunity: the attack is conducted against
a site that happens to run hardware or software that is vulnerable
to a specific exploit.
• Targeted attacks are more difficult and take more
time than attacks on a target of opportunity
52. 52
The Steps in an Attack
• The steps an attacker takes are similar to the ones that a
security consultant performing a penetration test would take.
– Gather as much information about the organization as
possible (reconnaissance).
– Determine what target systems are available and active:
1. Ping sweep: send an ICMP echo request to each target address.
2. Perform a port scan to identify the open ports, which indicate
the services running on the target machine.
3. Determine OS – refer
• The attacker can then search for known vulnerabilities in those
services and tools that exploit them, download the information and
tools, and use them against the site.
• If the exploits do not work, other, less system-specific, attacks
may be attempted.
54. 54
Passive Attacks
• Eavesdropping on transmissions
• The attacker aims to obtain information in transit
– Release of possibly sensitive/confidential message
contents
– Traffic analysis, which monitors the frequency and
length of messages to get information about the communicating parties
• Does not perform any modification to the data.
• Difficult to detect, since nothing on the wire changes
• Can be prevented using encryption (which hides the contents,
though not the traffic pattern), so the emphasis is on
prevention rather than detection
56. 56
Passive Attack Types
• Release of message contents
– A confidential message should be accessible only to
authorized users; otherwise the message is released
against our wishes
• Traffic analysis
– Even when messages are encrypted, the attacker may look for
patterns in the encrypted traffic (who talks to whom, how often,
how much) for clues about the communication
57. 57
Active Attacks
• The contents of the original message are modified by the
attacker, or new messages are created
• These attacks cannot be prevented easily.
• Types of active attack
• Interruption (affects availability)
• Modification (affects integrity)
• Fabrication (affects authenticity)
58. 58
Active Attacks
• Masquerade
– pretending to be a different entity
• Replay
– capturing a message and retransmitting it later
• Modification of messages
• Denial of service
• Easy to detect
– Detection may lead to deterrence
• Hard to prevent
– Focus on detection and recovery
60. 60
Denial of Service Attack
• The attacker is attempting to deny authorized users
access to specific information or services.
• The aim of a DoS attack is to prevent access to the target
system.
• A denial-of-service (DoS) attack aims at
disrupting the authorized use of networks,
systems, or applications.
61. 61
SYN Flooding Attack
• Used to deny service to legitimate users of the
system.
• Takes advantage of the TCP three-way handshake: the
server trusts that a client who sends a SYN will finish
the handshake, and reserves state for it in the meantime.
[Diagram: TCP 3-way handshake – client sends SYN, server
replies SYN+ACK, client completes with ACK]
62. 62
SYN Flooding Attack
• The attacker sends fake connection requests (SYN packets,
usually with forged source addresses)
• Each of these requests is answered by the
target system (SYN+ACK), which then waits for the third part
of the handshake.
• Since the requests are fake, the target waits for
responses that will never come.
• The target system drops these half-open connections
only after a specific time-out period
63. 63
SYN Flooding Attack
[Diagram: the attacker sends SYN packets with a fake source IP address;
the target reserves a connection for each, sends the SYN+ACK response
to the fake address and waits for an ACK that never arrives]
64. 64
SYN Flooding Attack
• If the attacker sends requests faster than the time-
out period eliminates them, the system will quickly
be filled with half-open requests.
• The number of connections a system can support is
finite; when more requests come in than can be
processed, the system will soon be reserving all its
connections for fake requests.
• Any further requests, including legitimate ones, are simply dropped
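Added example, not part of the original slides: a deterministic simulation of the backlog behaviour the last three slides describe, plus the standard mitigation. The half-open table, its capacity and time-out, the attacker's rate and the "legitimate client" are all constructed parameters with a simulated clock, so nothing touches the network. The attacker sends SYNs from forged, distinct sources faster than the time-out drains them, the table fills, and a real client is refused until the entries expire. The second half is a simplified SYN cookie: the server keeps no per-SYN state and instead encodes a MAC of the connection tuple and a coarse time counter into its initial sequence number, so only a client that actually received the SYN+ACK can return a valid ACK.

```python
import hashlib
import hmac
import secrets

class SynBacklog:
    """Simulated half-open connection table of a server. Every SYN reserves
    a slot until the client's ACK arrives or the time-out expires; `now` is
    a simulated clock in seconds, so runs are deterministic and offline."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = {}      # (src_ip, src_port) -> time the SYN arrived
        self.dropped = 0
        self.established = 0

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return "dropped"
        self.half_open[src] = now          # reserve, send SYN+ACK, wait for ACK
        return "syn_ack_sent"

    def on_ack(self, src, now):
        self._expire(now)
        if src in self.half_open:          # third part of the handshake
            del self.half_open[src]
            self.established += 1
            return "established"
        return "no_such_connection"

def syn_flood(backlog, rate, duration, start=0.0):
    """Attacker sends `rate` SYNs per second from forged, distinct source
    addresses and never answers the SYN+ACK, so each slot waits the full
    time-out. Returns the number of SYNs sent."""
    count = int(rate * duration)
    for n in range(count):
        backlog.on_syn(("198.51.100.%d" % (n % 250), 40000 + n), start + n / rate)
    return count

def legitimate_client(backlog, src, now):
    """A real client: SYN, then the ACK one round trip (50 ms) later."""
    if backlog.on_syn(src, now) == "dropped":
        return "refused"
    return backlog.on_ack(src, now + 0.05)

# Mitigation: SYN cookies (simplified). No per-SYN state; the server's initial
# sequence number is a MAC over the connection tuple and a coarse time slot,
# and a returning ACK carrying cookie+1 proves the handshake was completed.
COOKIE_KEY = secrets.token_bytes(16)

def syn_cookie(src, now, key=COOKIE_KEY):
    slot = int(now) // 60                       # cookie valid for about a minute
    msg = f"{src[0]}:{src[1]}:{slot}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")

def verify_cookie(src, ack_number, now, key=COOKIE_KEY):
    """Accept if ack_number is cookie+1 for the current or the previous slot."""
    return any(ack_number == (syn_cookie(src, t, key) + 1) & 0xFFFFFFFF
               for t in (now, now - 60))

def demo():
    """Backlog of 128 slots, 30 s time-out; attacker sends 20 SYN/s for 10 s
    (200 SYNs, none acknowledged), faster than the time-out drains them. The
    table fills and a real client is refused; once entries expire the same
    client gets through. SYN cookies accept it without reserving anything."""
    b = SynBacklog(capacity=128, timeout=30.0)
    syn_flood(b, rate=20, duration=10)
    during = legitimate_client(b, ("203.0.113.7", 51000), now=10.0)
    peak = len(b.half_open)
    after = legitimate_client(b, ("203.0.113.7", 51001), now=45.0)
    client = ("203.0.113.7", 51002)
    cookie = syn_cookie(client, 10.0)
    return {
        "peak_half_open": peak,
        "syns_dropped": b.dropped,
        "client_during_attack": during,
        "client_after_timeout": after,
        "cookie_ok": verify_cookie(client, (cookie + 1) & 0xFFFFFFFF, 10.0),
        "forged_ack_ok": verify_cookie(client, 0x12345678, 10.0),
    }
```

The arithmetic in `demo` is the whole attack: 200 SYNs arrive in 10 s but each holds its slot for 30 s, so 128 slots are gone after 6.4 s and everything after that, attacker or not, is dropped. Real SYN cookies also have to squeeze the client's MSS into the sequence number and lose TCP options, which is why servers enable them only once the backlog is under pressure.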
65. 65
Ping of Death (POD) Attack
• In the POD attack, the attacker sends an Internet
Control Message Protocol (ICMP) ping packet larger
than the maximum legal IP packet size of 65,535 bytes
(about 64KB), delivered as fragments whose offsets and
lengths add up to more than that.
• Certain systems were not able to handle this size of
packet on reassembly, and the system would hang or crash.
66. 66
Distributed Denial of Service
Attack
• The DoS attacks above are conducted from a single system
• A DoS attack employing multiple attacking
systems is known as a distributed denial of service
(DDoS) attack
• The goal of a DDoS attack is the same: to deny
the use of or access to a specific service or system.
• The aim of DDoS is to overwhelm the target with
traffic from many different systems, which is much
harder to filter than traffic from one source.
68. 68
Distributed Denial of Service
Attack
• A network of attack agents (zombies) is created by the
attacker.
• Systems are compromised and the DDoS s/w agent is
installed on each.
• The sleeping zombies are activated when they receive the
attack command.
• When a zombie/agent receives the command from the attacker,
the agents commence sending a specific type of
traffic against the target.
69. 69
Backdoor and Trapdoors
• A secret entry point into a program
• Allows those who know of it to gain access, bypassing the
usual security procedures
• Have been commonly used by developers (e.g. for debugging)
• A threat when left in production programs,
allowing them to be exploited by attackers
• Very hard to block at the O/S level
• Requires good s/w development & update practices
70. 70
Sniffing
• A sniffer is software or hardware that is used to observe
traffic as it passes through a network; on shared
broadcast media every host sees all the traffic (on a
switched network the attacker must first redirect traffic,
e.g. by ARP spoofing or a mirror port).
• Used to view all traffic or to target a specific protocol,
service, or string of characters such as logins.
• Some network sniffers are designed not just to
observe all the traffic but also to modify it.
• Network administrators use sniffers legitimately for
monitoring traffic.
72. Spoofing
• Spoofing
– Using forged packets to make one machine appear to another
as a trusted machine (defeating address-based authentication)
– Misrepresenting the sender of a message to cause the
human recipient to behave a certain way
• Two critical issues for internetworked systems
– Trust
– Authentication
• Trust and authentication have an inverse relationship:
authentication is treated as less critical when there is more trust
• A computer can be "authenticated" by its IP address, host
name, or MAC address, none of which is hard to forge
• TCP/IP has a basic flaw that allows IP spoofing: in
trust relationships, initial authentication is based on
the source address in the packet
• Most fields in a TCP header can be changed (forged)
73. 73
Man_In_The_Middle Attack (MITM)
• A Man-in-the-Middle attack generally occurs when an
attacker is able to place themselves in the middle of two
other hosts that are communicating, in order to view
and/or modify the traffic.
[Diagram: Host 1 and Host 2 believe they communicate directly;
in fact each message is sent to the attacker, who relays it
to the destination host]
74. 74
Man_In_The_Middle Attack (MITM(
Man_In_The_Middle Attack (MITM)
• This is done by ensuring that all communication going to
or from the target host is routed through the attacker's host
(for example by ARP or DNS spoofing).
• The attacker can observe all traffic before relaying it, and
can actually modify or block traffic.
• To the target host it appears that communication is
occurring normally, since all expected replies are
received.
• A MITM attack can only be successful when the attacker
can impersonate each endpoint to the satisfaction of the
other; mutual authentication of the endpoints (and of the key
exchange) is therefore the defence.
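Added example, not part of the original slides: the MITM scenario of the two slides above played out on a Diffie-Hellman key exchange, first unauthenticated and then with the public values authenticated. The group is a deliberately tiny toy (the Mersenne prime 2^127 - 1, generator 3), the "cipher" is an XOR keystream for readability, and the pre-shared key that authenticates the exchange stands in for the signatures or certificates a real protocol would use; none of this is production cryptography. In the unauthenticated case each host ends up sharing a key with the attacker rather than with each other, and the attacker reads and rewrites the relayed message while both hosts see a normal conversation; with authentication the substituted value fails verification and the exchange aborts.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group so the numbers stay small (M127 is prime); real
# systems use 2048-bit+ MODP groups or elliptic curves.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def seal(key, data):
    """Toy XOR stream cipher keyed by an HMAC-derived keystream (demo only,
    not secure); applying it twice with the same key recovers the data."""
    block = hmac.new(key, b"keystream", hashlib.sha256).digest()
    stream = (block * (len(data) // len(block) + 1))[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

def unauthenticated_exchange_with_mitm():
    """Host1 and Host2 swap raw public values. The attacker intercepts each
    and forwards its own value instead, so each host unknowingly derives a
    key with the attacker, who can then read and rewrite relayed traffic."""
    a_priv, a_pub = keypair()          # Host1
    b_priv, b_pub = keypair()          # Host2
    m_priv, m_pub = keypair()          # attacker in the middle
    k_a = shared_key(a_priv, m_pub)    # Host1 believes this is shared with Host2
    k_b = shared_key(b_priv, m_pub)    # Host2 believes this is shared with Host1
    k_ma = shared_key(m_priv, a_pub)   # attacker's key towards Host1
    k_mb = shared_key(m_priv, b_pub)   # attacker's key towards Host2
    sent = seal(k_a, b"transfer 100 to bob")             # Host1 -> "Host2"
    seen = seal(k_ma, sent)                               # attacker reads it
    relayed = seal(k_mb, seen.replace(b"bob", b"eve"))    # modifies, re-seals
    received = seal(k_b, relayed)                         # Host2 decrypts normally
    return {"attacker_read": seen, "host2_received": received,
            "hosts_share_key": k_a == k_b}

def authenticated_exchange(psk, attacker_present):
    """Each public value is tagged with an HMAC under a pre-shared key (a
    stand-in for signatures/certificates). The attacker cannot produce a
    valid tag for its substituted value, so the exchange is aborted."""
    def tag(pub, key):
        return hmac.new(key, pub.to_bytes(16, "big"), hashlib.sha256).digest()
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    to_host2 = (a_pub, tag(a_pub, psk))
    to_host1 = (b_pub, tag(b_pub, psk))
    if attacker_present:
        _, m_pub = keypair()
        guess = secrets.token_bytes(16)          # attacker does not hold the psk
        to_host2 = (m_pub, tag(m_pub, guess))
        to_host1 = (m_pub, tag(m_pub, guess))
    for pub, t in (to_host1, to_host2):          # verify before using the value
        if not hmac.compare_digest(tag(pub, psk), t):
            return ("aborted", None)
    k_a = shared_key(a_priv, to_host1[0])
    k_b = shared_key(b_priv, to_host2[0])
    return ("ok", k_a == k_b)
```

Note that confidentiality of the channel was never the problem: the message was encrypted end to end as far as each host could tell. What was missing was proof of whom the key was agreed with, which is exactly the "impersonate each endpoint" condition on the slide.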
75. 75
Replay Attack
• A replay attack is a form of network attack in which a
valid data transmission is maliciously or fraudulently
repeated or delayed.
• The attacker captures a portion of a communication
between two parties and retransmits it after some time.
• The best way to prevent replay attacks is cryptographic
authentication (a MAC or signature) combined with a freshness
check: time stamps, sequence numbers or one-time nonces.
Encryption alone does not help, since an intercepted ciphertext
can be replayed unchanged.
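Added example, not part of the original slides: the three defences named above (authentication, time stamps, nonces) implemented together on a small message format constructed for the demo, with a shared HMAC key assumed to exist between sender and receiver. The receiver checks the MAC first, so edits are caught before anything else is trusted; then the timestamp window rejects delayed messages; then a bounded cache of recently seen nonces rejects an exact repeat inside the window. Each check closes a gap the others leave: the MAC alone cannot distinguish a replay from the original, and the timestamp alone still allows repeats within the window.

```python
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed shared key"    # assumption: both parties hold this key

def _canonical(body):
    """Deterministic byte encoding of the authenticated fields."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_message(key, payload, now=None, nonce=None):
    """Sender: attach a timestamp and a fresh random nonce, then MAC the
    whole thing so neither the payload nor the freshness fields can be
    altered without detection."""
    body = {
        "payload": payload,
        "ts": int(time.time() if now is None else now),
        "nonce": nonce or secrets.token_hex(8),
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps(body, sort_keys=True)

class Receiver:
    """Accepts each authentic message exactly once, within a time window."""

    def __init__(self, key, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.seen = {}              # nonce -> ts; pruned to the window, not unbounded

    def accept(self, wire, now):
        msg = json.loads(wire)
        mac = msg.pop("mac", None)
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if mac is None or not hmac.compare_digest(mac, expected):
            return "reject: bad mac"           # forged or modified in transit
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale"             # delayed beyond the window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "reject: replay"            # identical message seen before
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"

def demo():
    """One authentic message is accepted; the same bytes resent a few seconds
    later are rejected as a replay; an old message is rejected as stale; a
    message whose amount was edited fails the MAC."""
    rx = Receiver(KEY)
    t0 = 1_700_000_000
    wire = make_message(KEY, {"op": "transfer", "amount": 100}, now=t0)
    first = rx.accept(wire, now=t0 + 1)
    replayed = rx.accept(wire, now=t0 + 5)
    stale = rx.accept(make_message(KEY, {"op": "ping"}, now=t0), now=t0 + 120)
    edited = json.loads(wire)
    edited["payload"]["amount"] = 1000
    forged = rx.accept(json.dumps(edited), now=t0 + 2)
    return first, replayed, stale, forged
```

The window is what keeps the nonce cache small: anything older than it is already rejected as stale, so nonces older than the window can be forgotten. The cost is that the two clocks must agree to within the window, which is why protocols that cannot assume synchronized clocks use a challenge nonce issued by the receiver instead.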
76. 76
Malware
• The term malware is short for malicious software, also known as malicious code.
• Malware refers to s/w that has been designed for some
nefarious purpose.
• It may be designed to cause damage to a system, such as deleting
all files.
• It may be designed to create a backdoor in the system in
order to grant access to unauthorized users.
• Different types of malicious s/w exist, such as viruses,
worms, Trojan horses and logic bombs.
• Malicious code runs under the user's authority.
• Malicious code can therefore read, write, modify, append or even
delete data or files without the user's permission, i.e. anything
the user is allowed to do.
77. 77
Logic Bomb
• One of oldest types of malicious software
• Code embedded in legitimate program
• Activated when specified conditions met
– eg presence/absence of some file
– particular date/time
– particular user
• When triggered typically damage system
– modify/delete files/disks
78. 78
Trojan Horse
• Program with hidden side-effects
• Which is usually superficially attractive
– eg game, s/w upgrade etc
• When run performs some additional tasks
– allows attacker to indirectly gain access they do
not have directly
• Often used to propagate a virus/worm or
install a backdoor
• Or simply to destroy data
79. 79
Zombie
• Program which secretly takes over another
networked computer
• Then uses it to indirectly launch attacks
• Often used to launch distributed denial of
service (DDoS) attacks
• Exploits known flaws in network systems