The Need for Security

1
The Need for Security

• Principles of Information Security
• Chapter 2

2
Chapter Objectives

• Explain the business need for security.
• Describe the responsibility of an organization's
  general management and IT management for a
  successful information security program.
• Identify threats to information security and
  common attacks associated with those threats.
• Differentiate between threats to information
  systems and attacks against the information
  systems.

3
Introduction

• The primary mission of information security is to
  ensure that systems and their contents remain the
  same.

4
4 Important Functions of Information Security

• Protect the ability to function.
• Enable the safe operation of applications.
• Protect data.
• Safeguard technology assets.

5
Protecting the Functionality of the Organization

• Shared responsibility between general management
  and IT managment
• Set security policy in compliance with legal
  requirements.
• Not really a technology issue
• Address information security in terms of
• Business impact
• Cost of business interruption

6
Enabling Safe Operation

• Organization requires integrated, efficient, and
  capable applications.
• Technologically complex.
• Must protect critical applications
• Operating system platforms
• Electronic mail
• Instant messaging
• Infrastructure developed by
• outsourcing to a service provider
• develop internally
• Protection of the infrastructure must be overseen
  by management.

7
Protecting Data

• Data provides
• Record of transactions (e.g., banking)
• Ability to deliver value to customers
• Enable creation and movement of goods and
  services.
• Data in motion (online transactions)
• Data at rest (not online transaction)
• Information systems must support these
  transactions.

8
Safeguarding Technology Assets

• Must have secure infrastructure services based on
  the size and scope of the enterprise.
• Smaller businesses may require less protection.
• Email and personal encryption.
• Additional services required for larger
  businesses.
• Public Key Infrastructure (PKI) - more complex
• Needs change as network grows.

9
Threats

• Requirements to protect information
• Be familiar with
• The information to be protected
• The systems that store, transport and process it
• Know the threats you face
• An object, person, or entity that represents a
  constant danger to an asset.

10
12 General Categories of Threat

• Acts of human error or failure mistakes,
  sloppiness
• Compromises to intellectual property - piracy,
  licensing
• Deliberate acts of espionage or trespass
• shoulder surfing, hacking, script kiddies,
  cracker, phreaker
• Deliberate acts of information extortion -
  demanding a ransom
• Deliberate acts of sabotage or vandalism
• damage reputation, cyberactivist, cyberterrorism
• Deliberate acts of theft - difficult to detect
• Deliberate software attacks
• malware, virus, worm, trojan horses, back door,
  hoaxes
• Forces of nature - fire, flood, earthquake,
  lightning, storms, etc.
• Deviations in quality or service - service
  disruptions
• Technical hardware failures or errors - hardware
  defects
• Technical software failures or errors -
  accidental or intentional flaws
• Technological obsolescence - unreliable and
  untrustworthy

11
The Endless Game of Cat and Mouse Meet the Cast

• Hackers versus crackers
• White hats, black hats, all the shades of gray,
  and mysterious color changing
• Conferences?
• Web sites?
• Drills?
• http//www.safepatrolsolutions.com/papers/Crackers
  .pdf

12
Meet the Players

• Top 10
• And the others
• From http//www.pbs.org/wgbh/pages/frontline/shows
  /hackers/
• And where they congregate do NOT go there
  unless you want to risk catching something
• http//phrack.com, .

13
Attacks

• At act or action that takes advantage of a
  vulnerability to compromise a controlled system.
  Accomplished by a threat agent that damages or
  steals information or physical assets.
• Vulnerability
• an identified weakness in a controlled system,
  where controls are not present or no longer
  effective.
• Attacks exist when a specific action occurs that
  may cause a potential loss.
• Question how will the attacker identify
  weakness and/or know what to attack?

14
Well-Known Types of Attack Against Controlled
Systems

• Spoofing
• Man-in-the-Middle
• Spam
• Mail Bombing
• Sniffers
• Social Engineering
• Buffer Overflow
• Timing Attack

• Malicious Code
• Hoaxes
• Back Doors
• Password Crack
• Brute Force
• Dictionary
• Denial-of-Service (DoS)
• Distributed Denial-of-Service (DDoS)

Of course, any of these attacks can be
distributed, and/or coming from a botnet.
15
Malicious Code

• Viruses, worms, Trojan horses, active web
  scripts.
• State-of-the-art
• Polymorphic or multivector worm
• CERT, Symantec, etc. warnings
• Known attack vectors
• IP scan and attack
• web browsing
• Virus
• unprotected shares
• mass mail
• SNMP

16
Hoaxes

• Transmit a virus hoax with a real virus attached.
• More readily transmitted by trusting users!

17
Back Doors

• Use known or previously discovered access
  mechanism to gain access to a system or network
  resource.
• May be left by system designers or maintenance
  staff.
• Referred to as trap doors.
• Hard to detect --- may be exempt from usual audit
  logging procedures.

18
Password Crack

• Reverse calculate a password.
• Component of many dictionary attacks.
• Security Account Manager (SAM) file is accessible
• contains hashed representation of the user's
  password.
• a guessed password can be hashed using the same
  algorithm and compared to the stored hash version
  of the real password.

19
Brute Force Attack

• AKA, password attack
• Try every possible combination of options for a
  password.
• Easier, if passwords are easy to guess or default
  passwords.
• Avoid using easy to guess passwords --- and don't
  use default passwords.
• Rarely used, if basic security precautions have
  been implemented (e.g., complex passwords)

20
Dictionary Attack

• Use a list of commonly used passwords (i.e., a
  dictionary) instead of random combinations.
• Takes less time to crack than a brute force
  attack.
• Use electronic dictionaries to enforce use of
  (more) complex passwords.

21
Denial of Service (DoS)Distributed Denial of
Service (DDoS)

• Overload target with requests
• Many different flavors
• TCP SYN flood attack send many TCP connection
  requests.
• Send million emails or faxes and clog the server
• DDoS
• Often uses compromised machines (called zombies,
  from a botnet) to attack the target system.
• The most difficult to defend against.
• No controls that any single organization can
  apply.
• Some cooperative efforts among service providers.
• MyDoom worm attack.

22
Spoofing

• Technique of sending messages to a computer using
  a source IP address that indicates the messages
  are coming from a trusted host.
• Must find an IP address for a trusted host.
• Must modify packet headers for the attack
  messages.
• Routers and firewalls can protect against
  spoofing attacks.

23
Man-in-the-Middle Attack

• AKA, TCP hijacking attack
• Attacker "sniffs" packets from the network,
  modifies them, then inserts them back into the
  network.
• Uses IP spoofing to impersonate another entity on
  the network.
• Allows the attacker to
• eavesdrop, change, delete, reroute, add, forge,
  or divert data.
• Spoofing involves the interception of an
  encryption key exchange, which enables the
  hijacker to act as an eavesdropper (transparent
  to the network).

24
Spam

• Unsolicited commercial email.
• Has been used as a vector for malicious code
  attacks.
• Wastes computer and human resources i.e. it is a
  DOS attack
• Methods to counteract spam
• Delete offending messages
• Use filtering technologies to stem the flow

25
Mail Bombing

• Email denial-of-service attack.
• Send large emails with forged headers
• Mechanisms
• Social engineering
• SMTP flaws

26
Sniffers

• AKA, packet sniffers.
• A program or device that can monitor data
  traveling over a network.
• Use for legitimate network management functions
  or maliciously.
• Unauthorized sniffers are dangerous to security.
• Virtually impossible to detect.
• Can be inserted anywhere.

27
Social Engineering

• The process of using social skills to persuade
  people to reveal access credentials or other
  valuable information.
• Over the phone Hey, Joe, this is Andy from
  department C. Aaron (the boss) told me to ask you
  to give me the XYZ plans, the customers is
  demanding we fix the bugs by tomorrow.
• Over the phone or in person, to the secretarial
  support
• May involve impersonating someone higher in the
  organizational hierarchy (requesting
  information).
• Hey, Joe, this is Aaron (the boss). What was the
  .
• Tailgating, shoulder surfing, etc.
• May be a scam --- Nigerian banking, etc.

28
Physical (illegal) access

• War Driving driving around trying to catch a
  signal
• Wireless without encryption
• Non-wireless el.magn. radiation
• Garbage Diving looking through disposed
  documents
• Tapping any cable that is not optical. Or, at
  exposed locations (switches, control panels, etc.)

29
Buffer Overflow

• Buffer is a term for data storage, on logical
  level (often called queue in networking)
• Buffers are used for many different reasons for
  example, to temporarily store networking data
  when waiting to be processed, etc.
• Buffers are often implemented as arrays in code
• Arrays typically have fixed size
• A buffer overflow is a programming error that
  occurs when more data is sent to a buffer than it
  can handle AND the programmer did not specify
  what happens in that special case
• Attacker can take advantage of this programming
  error to cause unintended side effects.

30
Timing Attack

• Something bad happens when a certain time is
  reached
• Many different flavors. Examples
• Explores web browser's cache.
• Allows web designer to develop malicious cookie
  to be stored on user's system.
• Could allow designer to collect information on
  how to access password-protected sites.

31
Port Scanning

• http//www.pctopsecurity.com/types-of-attacks/port
  -scan-attack Port scan sees which ports are
  available, which OS you are using,
• http//www.softpanorama.org/Security/IDS/port_scan
  _detectors.shtml A view from the trenches
• http//www.cipherdyne.org/psad/ A tool to detect
  port scans

32

• Review http//www.scribd.com/doc/20138373/CCNA-Sec
  urity-Chapter-1-assessment
• Challenge go through the PCWeek Hack on p.47 and
  try to understand each step the attacker took.