
Unit 1



1. Unit 1: Class overview, general security concepts, threats and defenses
   - Syllabus
   - What is Security?
   - CSI/FBI Computer Crime and Security Survey
   - Attackers and Attacks
   - Layered Security Architecture

2. What is Security?
   - As in the non-cyber “real” world, security is about securing and protecting assets and preventing bad things from happening (or at least trying to).
   - From Webster:
     - Function: noun. Inflected form(s): plural -ties. Date: 15th century. 1: the quality or state of being secure: as a: freedom from danger: SAFETY; b: freedom from fear or anxiety; c: freedom from the prospect of being laid off <job security>. 2 a: something given, deposited, or pledged to make certain the fulfillment of an obligation; b: SURETY. 3: an evidence of debt or of ownership (as a stock certificate or bond). 4 a: something that secures: PROTECTION; b (1): measures taken to guard against espionage or sabotage, crime, attack, or escape; (2): an organization or department whose task is security.

3. What is Security?
   - Security activities are based on 3 types of actions:
     - Prevent: put protective measures/systems in place to protect assets and prevent unauthorized access.
     - Detect: detect whether an asset has been compromised, when, and by whom, and gather information on the type of breach committed, the attacker's activities, and evidence logs.
     - Act/React: take measures to recover from an attack, to prevent the same type of attack from recurring, or to stop an attack in progress.

4. CSI/FBI Computer Crime and Security Survey
   - How bad is the threat?
   - Survey conducted annually by the Computer Security Institute.
     - Based on replies from 700 U.S. computer security professionals in 2005.

6. CSI/FBI Computer Crime and Security Survey
   - Website incidents have increased dramatically.

7. CSI/FBI Computer Crime and Security Survey
   - The general trend of losses is down, except for “unauthorized access to information” and “theft of proprietary information”.

8. Other Key Findings of the CSI/FBI survey
   - Outsourcing of computer security activities is quite low.
   - Use of cyber insurance remains low.
   - Concern about negative publicity leads to a decline in reporting intrusions to law enforcement.
   - A significant number of organizations conduct some form of economic evaluation of their security expenditures.

9. Other Key Findings of the CSI/FBI survey (contd.)
   - Over 87% of the organizations conduct security audits, up from 82 percent in 2004's survey.
   - The Sarbanes-Oxley Act has begun to have an impact on information security in more industry sectors than last year.
   - Most respondents view security awareness training as important. However, respondents from all sectors do not believe their organizations invest enough in it.

10. Other Empirical Attack Data
   - SecurityFocus
     - Attack targets
       - 31 million Windows-specific attacks
       - 22 million UNIX/Linux attacks
       - 7 million Cisco IOS attacks
       - All operating systems are attacked!

11. Attack Trends
   - Growing incident frequency
     - Incidents reported to the Computer Emergency Response Team/Coordination Center (CERT):
     - 1997: 2,134
     - 1998: 3,474 (75% growth from the year before)
     - 1999: 9,859 (164% growth from the year before)
     - 2000: 21,756 (121% growth from the year before)
     - 2001: 52,658 (142% growth from the year before)
     - Tomorrow? … Well, CERT decided to stop counting as of 6/2004!!

12. Attack Trends
   - Growing randomness in victim selection
     - In the past, large firms were targeted
     - Now, targeting is increasingly random
     - No more security through obscurity for small firms and individuals

13. Attack Trends
   - Growing malevolence
     - Most early attacks were not malicious
     - Malicious attacks are becoming the norm

14. Attack Trends
   - Growing attack automation
     - Attacks are automated rather than humanly directed
     - Essentially, viruses and worms are attack robots that travel among computers
     - They attack many computers in minutes or hours

15. Who are the Attackers???
   - Elite hackers
     - White hat hackers
       - This is still illegal
       - Break into a system but notify the firm or vendor of the vulnerability
     - Black hat hackers
       - Do not hack to find and report vulnerabilities
       - Gray hat hackers go back and forth between the two ways of hacking
     - Hack but with a code of ethics
       - Codes of conduct are often amoral
       - “Do no harm,” but delete log files, destroy security settings, etc.
       - Distrust of evil businesses and government
       - Still illegal
     - Deviant psychology and hacker groups to reinforce deviance

16. Who are the Attackers???
   - Virus writers and releasers
     - Virus writers versus virus releasers
     - Only releasing viruses is punishable

17. Who are the Attackers???
   - Script kiddies
     - Use prewritten attack scripts (kiddie scripts)
     - Viewed as lamers and script kiddies
     - Large numbers make them dangerous
     - The noise of kiddie script attacks masks more sophisticated attacks

18. Who are the Attackers???
   - Criminals
     - Many attackers are ordinary garden-variety criminals
     - Credit card and identity theft
       - Side note on the threat to credit card numbers: how do attackers capture credit card information? By “sniffing” traffic?
       - How many of the audience worry when shopping online? How many of the audience have ever used a credit card to pay for a restaurant meal?
     - Stealing trade secrets (intellectual property)
     - Extortion

19. Who are the Attackers???
   - Corporate employees
     - Have access and knowledge
     - Financial theft
     - Theft of trade secrets (intellectual property)
     - Sabotage
     - Consultants and contractors
     - IT and security staff are the biggest danger

20. Who are the Attackers???
   - Cyberterrorism and cyberwar
     - New level of danger
     - Infrastructure destruction
       - Attacks on IT infrastructure
       - Use IT to attack physical infrastructure (energy, banks, etc.)
     - Simultaneous multi-pronged attacks
     - Cyberterrorism by terrorist groups versus cyberwar by national governments
     - Amateur information warfare

21. Very good illustration of attacks and attackers
   - Non-credit assignment: read the full article. Note: all material in “non-credit assignments” can appear in exams.

22. Framework for Attacks
   - Attacks
     - Physical access attacks
       - Wiretapping
       - Server hacking
       - Vandalism
     - Dialog attacks
       - Eavesdropping
       - Impersonation
       - Message alteration
     - Penetration attacks
       - Social engineering
         - Opening attachments
         - Password theft
         - Information theft
       - Scanning (probing)
       - Break-in
       - Denial of service
       - Malware
         - Viruses
         - Worms

23. Attacks and Defenses (refer to the previous diagram)
   - Physical attacks: access control
     - Access control is the body of strategies and practices that a company uses to prevent improper access.
     - Prioritize assets.
     - Specify access control technology and procedures for each asset.
     - This can be electronic: use access control to keep certain traffic out.
     - This can be physical: use locks to prevent physical access to devices.
       - If an attacker gains physical access to a device, that device IS (or should be considered) compromised: no EXCEPTION!!!
     - Test the protection.

24. Attacks and Defenses (contd.)
   - Site access attacks and defenses
     - Wiretaps (including wireless LAN intrusions)
     - Hacking servers with physical access

25. Attacks and Defenses (contd.)
   - A slight variation of the access attack: social engineering
     - Tricking an employee into giving out information or taking an action that reduces security or harms a system
     - Opening an e-mail attachment that may contain a virus
     - Asking for a password while claiming to be someone with the right to know it
     - Asking for a file to be sent to you

26. Attacks and Defenses (contd.)
   - Social engineering defenses
     - Training
     - Enforcement through sanctions (punishment)

27. Attacks and Defenses (contd.)
   - Dialog attacks and defenses
     - Eavesdropping
     - Encryption for confidentiality
     - Imposters and authentication
     - Cryptographic systems

28. Eavesdropping on a Dialog
   - Diagram: Bob (client PC) and Alice (server) exchange “Hello” messages; the attacker (Eve) intercepts the dialog and reads them.

29. Encryption for Confidentiality
   - Diagram: Bob's original message “Hello” travels as the encrypted message “100100110001”; Eve intercepts it but cannot read it; Alice decrypts it back to “Hello”.

30. Impersonation and Authentication
   - Diagram: the attacker (Eve) tells the server (Alice) “I'm Bob”; Alice answers “Prove it! (Authenticate yourself)”. Bob's client PC is the party being impersonated.

31. Message Alteration
   - Diagram: one side of the Bob/Alice dialog sends “Balance = $1”; the attacker (Eve) intercepts and alters the message in transit, so the other side receives “Balance = $1,000,000”.

32. Secure Dialog System
   - Diagram: a secure dialog between Bob's client PC and Alice's server; the attacker cannot read messages, alter messages, or impersonate a party.
   - Automatically handles negotiation of security options: authentication, encryption, integrity.
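An added example, not from the slides, of the secure dialog in slides 28 to 32 using only the Python standard library: encrypt-then-MAC leaves Eve with unreadable bits, and her attempt to rewrite the balance (slide 31) is caught by the integrity tag. The keys, the nonce/tag layout and the HMAC-SHA256 counter-mode stream cipher are assumptions for teaching, not a production construction (use a vetted AEAD such as AES-GCM in real systems).

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32
# Constructed demo keys (hypothetical); a real dialog negotiates fresh session keys.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()

def _keystream(nonce, length):
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (teaching cipher only)."""
    blocks = [hmac.new(ENC_KEY, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _xor(data, nonce):
    return bytes(d ^ k for d, k in zip(data, _keystream(nonce, len(data))))

def seal(plaintext, nonce=None):
    """Encrypt-then-MAC: nonce || ciphertext || tag (confidentiality + integrity)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = _xor(plaintext, nonce)
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(packet):
    """Check the tag in constant time before decrypting; None on any failure."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # altered, forged, or not from a key holder: reject, do not read
    return _xor(ciphertext, nonce)

def eve_bit_flips(packet, offset, old, new):
    """Eve cannot read the stream, but XOR-ing a guessed plaintext difference into the
    ciphertext would rewrite it: encryption alone gives no integrity. The tag exposes it."""
    body = bytearray(packet)
    for i, (o, n) in enumerate(zip(old, new)):
        body[NONCE_LEN + offset + i] ^= o ^ n
    return bytes(body)

def demo():
    msg = b"Balance = $1"
    packet = seal(msg)
    tampered = eve_bit_flips(packet, msg.index(b"$1"), b"$1", b"$9")
    return {
        "eve_sees_plaintext": msg in packet,               # False: confidentiality
        "alice_reads": open_sealed(packet),                # b"Balance = $1"
        "tamper_detected": open_sealed(tampered) is None,  # True: integrity
        "no_tag_channel_alice_reads": _xor(tampered[NONCE_LEN:-TAG_LEN], tampered[:NONCE_LEN]),
    }
```

The last entry of `demo()` shows what an encryption-only channel (no tag check) would have delivered to Alice: the silently rewritten balance.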
33. Network Penetration Attacks and Firewalls
   - Diagram: an attacker on the Internet sends an attack packet toward the internal corporate network; the Internet firewall drops it and records it in its log file, while legitimate packets are passed through to the hardened client PC and the hardened server.

34. Scanning (Probing) Attacks
   - Diagram: an attacker on the Internet sends probe packets to a series of addresses on the corporate network, etc.; where a host exists it replies, where no host exists there is no reply, and the results tell the attacker which addresses are reachable and which are not.

35. Single-Message Break-In Attack
   - Diagram: 1. the attacker sends a single break-in packet; 2. the server is taken over by that single message.

36. Denial-of-Service (DoS) Flooding Attack
   - Diagram: the attacker sends a message flood; the server is overloaded by the flood.

37. Intrusion Detection System (IDS)
   - Diagram: 1. a suspicious packet arrives from an attacker on the Internet; 2. the suspicious packet is passed into the corporate network toward the hardened server; 3. the IDS logs the suspicious packet to its log file; 4. the IDS raises an alarm to the network administrator.
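An added example, not from the slides, of the detection side of slides 33, 34 and 37: constructed firewall log lines (a hypothetical `ACTION src= dst= dport=` format, using RFC 5737 documentation addresses) are parsed, a source that probes many distinct internal hosts is flagged as the sweep pattern of slide 34, and each finding becomes an IDS-style alarm. The log format, the field names and the 4-host threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log (hypothetical format). 203.0.113.5 touches five
# internal hosts in turn; 198.51.100.7 talks only to the web server.
FIREWALL_LOG = """\
DROP src=203.0.113.5 dst=192.0.2.10 dport=22
DROP src=203.0.113.5 dst=192.0.2.11 dport=22
PASS src=203.0.113.5 dst=192.0.2.12 dport=80
DROP src=203.0.113.5 dst=192.0.2.13 dport=22
DROP src=203.0.113.5 dst=192.0.2.14 dport=22
PASS src=198.51.100.7 dst=192.0.2.12 dport=80
PASS src=198.51.100.7 dst=192.0.2.12 dport=443
garbage line that a log forwarder mangled
"""

LINE_RE = re.compile(
    r"^(?P<action>PASS|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """One event per well-formed line; malformed lines are skipped, never trusted."""
    events = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            event = match.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events

def find_scanners(events, threshold=4):
    """Map src -> sorted distinct dst hosts for sources that touched at least
    `threshold` distinct hosts. Dropped and passed packets both count: the
    probe pattern is the breadth of targets, not whether each one answered."""
    targets = defaultdict(set)
    for event in events:
        targets[event["src"]].add(event["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

def ids_alarms(text, threshold=4):
    """IDS steps 3-4: the suspicious activity is already in the log; raise one
    alarm per scanning source for the network administrator."""
    alarms = []
    for src, dsts in sorted(find_scanners(parse_log(text), threshold).items()):
        alarms.append(f"ALARM: {src} probed {len(dsts)} distinct hosts ({', '.join(dsts)})")
    return alarms
```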
38. What Are the Types of Security Threats?
   - Service disruption and interruption
     - Compromises the service's availability
   - Interception
     - Compromises the service's confidentiality
   - Modification
     - Compromises the service's integrity
   - Fabrication
     - Compromises the service's authenticity
   - Often you will see the security services summarized into 3 categories, C.I.A.:
     - Confidentiality
     - Integrity
     - Availability
     - In this model, authenticity is a subset of integrity

39. What Are the Types of Security Threats?
   - These different threats can be realized through two types of attacks: passive and active.
   - Passive attacks
     - Attacks that do not require modification of the data.
   - Active attacks
     - Attacks that do require modification of the data or of the data flow.
   - Which one is harder to notice? (Yes, I know it's obvious…)

40. Layered Security Architecture
   - As we have seen in the previous slides, the security services that must be provided are numerous and diverse.
   - Just like a “real-world” bank, our web servers and our networks can have many vulnerabilities, and these vulnerabilities can be located in many layers of the architecture.
   - We need to practice a “security in-depth” approach.
     - Security considerations and services must be present in each and every level of components.
     - Rule: when analyzing the quality of your security infrastructure, always assume that one full security layer/function will entirely fail.
       - Are you still secure? What are your areas of vulnerability?
       - How long would it take you to detect the failure?
     - Vulnerabilities and security services involve all 7 layers of the OSI model.
     - Security is also greatly dependent on the OSI's “Layer 8” (the people using the system).
   - The balance between the threat to a system and the security services deployed is very asymmetric: you need to defend each and every aspect to be successful, while an attacker often needs to defeat only one aspect to be successful.
   - Let's look at an example of an e-commerce site and discuss what can go wrong and where.

41. Layered Security Architecture
   - Diagram of the e-commerce infrastructure: Internet users, an ISP DNS and an intruder/threat/opponent on the Internet; a router and an Internet firewall in front of an Ethernet segment holding the mail relay, the outside DNS and the E-Comm web server; a second firewall in front of the inside DNS, the inside mail server and the database server; and a router with WAN links to remote offices.

42. Layered Security Architecture
   - Areas that can “go wrong”:
     - Incorrect firewall configuration.
     - Web and back-end servers not hardened:
       - Known vulnerabilities
       - Default accounts/passwords
       - Lack of granularity in security
       - Lack of logging and auditing
     - Back-end database servers accept any request from any source.
     - Lack of an intrusion detection system.
     - Lack of integrity checking tools.
     - Router forwards packets improperly.
     - Unnecessary protocols and services running.
     - Improper patching and patch updates.
     - Bugs and vulnerabilities in third-party software/applications.
     - Bugs and vulnerabilities in in-house developed applications.
     - Bugs and vulnerabilities in toolkits used to build in-house applications.
     - Improper implementation of an application: test user IDs not cleaned out, developer user IDs not cleaned out.
     - Presence of Trojans, malware and backdoors.
     - How do I know the remote offices do not represent a threat?
   - And I am sure we can add a lot more to the list…

43. Layered Security Architecture
   - To prevent attacks, an enterprise needs to build a complete and comprehensive security architecture using tools, methods and techniques that individually target some threats and work in an integrated fashion to provide a complete enterprise framework for secure computing.
   - One missing “piece” or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls?
   - The goal of this class will be to present the aspects that most impact network security within that framework.
   - Examples of these tools and methods are presented in Unit 2.

44. Other References and Useful Resources
   - CERT
   - SANS
   - CIAC
   - NSA Guidelines