Chapter 1 Introduction and Security Trends

1
Chapter 1 Introduction andSecurity Trends
2
Learning Objectives

• By the end of this sessions, students should be
  able to-
• Understand the meaning of security in computer
  systems
• Understand security problems associated with
  computer systems
• Define and explain general security concepts
• Define and differentiate various methods of
  defense to secure computer systems

3
Sub-topics

• 1.1 What Does Secure Mean?
• 1.2 The Security Problem
• 1.3 General Security Concepts
• 1.4 Methods of Defense

4
1.1What Does Secure Mean?
5

• What secure mean to you? Security?
• Example Banks in the American Wild West
• Protection? What things to protect?
• How to commit a crime?
• Protecting valuables.
• Protecting money vs protecting information.
• Things to be protected.
• Why? the end result of computer breached
• How?

6
Characteristics of computer intrusion

• Computer
• As a tool to commit a crime
• As a target of a crime
• As a repository and database for information
  hiding
• Computing system a collection of hardware,
  software, storage media, data, network and
  people.
• Often some parts are mistakenly assume not
  valuable.
• Weakest point principle of easiest penetration.
• Security specialist must consider all possible
  means of penetration.
• No attack is out of bounds.

7
1.2The Security Problem
8
Yesterday and today

• Fifty years ago
• Few people had access to a computer system or a
  network
• Securing these systems was easier.
• Companies did not conduct business over the
  Internet.
• Today, companies rely on the Internet to operate
  and conduct business.

9

• Networks are used to transfer vast amounts of
  money in the form of bank transactions or credit
  card purchases.
• When money is transferred via networks, people
  try to take advantage of the environment to
  conduct fraud or theft.
• There are various ways to attack computers and
  networks to take advantage of what has made
  shopping, banking, investment, and leisure
  pursuits a matter of dragging and clicking for
  many people.
• Identity theft is common today.

10
Security incidents

• By examining some of the crimes that have been
  committed over the last dozen or so years, we
  can
• Understand the threats and the security issues
  that surround the computer systems and networks.
• FBI statistics reported on book (2005)
• Of all the computer crimes, only 1 are detected,
  and 7 of the detected crimes are reported.
• Jail sentences, which are usually short-term,
  amount to only 3.
• A 75 increase per year has been reported in
  computer intrusions.
• Computer crime has increased to 36.

11
The Morris Worm (November 1988)

• Robert Morris, a graduate of Cornell University,
  released The Internet Worm (or the Morris Worm).
• The worm infected 10 percent of the machines
  (approximately 6,000) connected to the Internet
  at that time.
• The virus caused an estimated 100 million in
  damage, though this number has been the subject
  of wide debate.

12
Citibank and Vladamir Levin (June October 1994)

• From June 1994 through October, Vladimir Levin,
  of St. Petersburg, made a number of bank
  transfers.
• When he and his accomplices were caught, they had
  transferred an estimated 10 million.
• Eventually all but about 400,000 was recovered.
• Levin reportedly accomplished the break-ins by
  dialing into Citibanks cash management system.

13
Kevin Mitnick (February 1995)

• Kevin Mitnicks computer activities occurred over
  a number of years from the 1980s through 1990s.
  
• Mitnick admitted to having gained unauthorized
  access to a number of computer systems belonging
  to companies such as Motorola, Novell, Fujitsu,
  and Sun Microsystems.

14
Omega Engineering Timothy Lloyd (July 1996)

• On July 30, 1996, a software time bomb at Omega
  Engineering deleted all design and production
  programs of the company. This severely damaged
  the small company forcing the layoff of 80
  employees.
• The program was traced back to Timothy Lloyd who
  had left it in retaliation for his dismissal.

15
Jester and the Worcester Airport (March 1997)

• In March 1997, airport services to the FAA
  control tower as well as emergency services at
  the Worcester Airport and the community of
  Rutland, Massachusetts, were cut off for six
  hours.
• This disruption occurred as a result of a series
  of commands sent by a teenage computer hacker
  who went by the name of jester.
• The individual gained unauthorized access to the
  loop carrier system operated by NYNEX.

16
Melissa Virus (March 1999)

• Melissa is the best known of the early macro type
  of virus that attaches itself to documents, which
  contain programs with a limited macro programming
  capability.
• The virus was written and released by David
  Smith.
• This virus infected about a million computers and
  caused an estimated 80 million in damages.

17

• This virus clogged networks with the traffic and
  caused problems for e-mail servers worldwide.
• It attached itself to Microsoft Word 97 and Word
  2000 documents.
• Whenever a file was opened, a macro caused it to
  infect the current host and also sent itself to
  the first fifty addresses in the individuals
  address book.
• To avoid infection by Melissa, users should not
  open the attached file.

18
Love Letter Worm (May 2000)

• The worm spread via e-mail with the subject line
  ILOVEYOU.
• The number of infected machines worldwide may
  have been as high as 45 million.
• Similar to the Melissa virus, the Love Letter
  Worm spread via attachment to e-mails. In this
  case, instead of utilizing macros, the
  attachments were VBScript programs.

19
Code-Red Worm (2001)

• On July 19, 2001, over 350,000 computers
  connected to the Internet were infected by the
  Code-Red worm. The incident took only 14 hours to
  occur.
• Damages caused by the worm (including variations
  of the worm released on later dates) exceeded
  2.5 billion.
• The vulnerability exploited by the Code-Red worm
  had been known for a month.

20
Adil Yahya Zakaria Shakour (Aug 2001-May 2002)

• Shakour accessed several computers without
  authorization, including
• Eglin Air Force Base (where he defaced the web
  site)
• Accenture (a Chicago-based management consulting
  and technology services company)
• Sandia National Laboratories (a Department of
  Energy facility)
• Cheaptaxforms.com
• At Cheaptaxforms.com, Shakour obtained credit
  card and personal information, which he used to
  purchase items worth over 7,000 for his own use.

21
Slammer Worm (2003)

• The Slammer virus was released on Saturday,
  January 25, 2003.
• It exploited a buffer-overflow vulnerability in
  computers running Microsoft's SQL Server or
  Microsoft SQL Server Desktop Engine.
• This vulnerability was not new.
• It had been discovered in July 2002.
• Microsoft had released a patch for the
  vulnerability even before it was announced.
• By the next day, the worm had infected at least
  120,000 hosts and caused network outages and
  disruption of airline flights, elections, and
  ATMs.

22
Security trends

• The biggest change in security over the last 30
  years has been the change in the computing
  environment.
• Large mainframes are replaced by highly
  interconnected networks of much smaller systems.
• Security has switched from a closed environment
  to one in which computer can be accessed from
  almost anywhere.

23

• The type of individual who attacks a computer
  system or a network has also evolved over the
  last 30 years.
• The rise of non-affiliated intruders, including
  script-kiddies, has greatly increased the
  number of individuals who probe organizations
  looking for vulnerabilities to exploit.
• Another trend that has occurred is as the level
  of sophistication of attacks has increased, the
  level of knowledge necessary to exploit
  vulnerabilities has decreased.

24

• One of the best-known security surveys is the
  joint survey conducted annually by the Computer
  Security Institute (CSI) and the FBI.
• The two most frequent types of attacks have
  remained constant with viruses and insider abuse
  of net access being the most common.

25

• The number of organizations that have reported
  unauthorized use of their computer systems has
  been declining slowly (from 70 in 2000 to 56 in
  2003).
• The number of organizations that have reported
  attacks from Internet connections has increased
  (from 59 in 2000 to 78 in 2003).
• Organizations citing independent hackers as a
  likely source of attacks have also increased
  (from 77 in 2000 to 82 in 2003).

26

• With the exception of Denial-of-Service attacks
  and telecom frauds, all categories had recorded a
  steady increase from 2000 through 2002, but then
  took a sharp decline in 2003.
• The average loss as a result of theft of
  proprietary information hit a high of 6.57
  million in 2002 but was only 2.70 million in
  2003.
• Financial fraud plunged from 4.63 million in
  2002 to 328 thousand in 2003.
• Today's statistics?

27
1.3General Security Concepts
28
Security Goals

• Computer security addressing 3 aspects
• Confidentiality ensures that computer-related
  assets are accessed only by authorized parties.
• Integrity assets can be modified only by
  authorized parties in authorized ways.
• Availability assets are accessible to
  authorized parties at appropriate times.
• The 3 goals can be independent, can be overlap
  and mutually exclusive.

29
Relationship between the 3 goals
Secure
30
Confidentiality

• Only authorized people or systems can access
  protected data.
• Who determine which people or systems are
  authorized?
• By accessing data is it mean can access a
  single bit? Or the whole data?
• Can someone authorized disclose those data to
  other parties?
• Example?

31
Loss of Confidentiality
Secret
Interception
32
Integrity

• If we have preserved the integrity of an item, we
  may mean
• Precise
• Accurate
• Unmodified
• Modified only in acceptable ways
• Modified only by authorized people
• Modified only by authorized processes
• Consistent
• Internally consistent
• Meaningful and usable

33
Loss of Integrity
Ideal route of the message
Actual route of the message
Transfer 100
Transfer 1000
Modification
34
Availability

• Applies both to data and to services (information
  and to information processing).
• A data item, service or system is available if
• Timely response to request
• Resources are allocated fairly
• Can be used easily in the way it was intended to
  be used
• Concurrency is controlled simultaneous access,
  deadlock and exclusive access.

35
Attack on availability(denial of service)
Interruption
36
Authentication

• Some mechanism to prove that you are who you
  claim to be.
• 3 general methods to verify identity
• Something you know
• Something you have
• Something you are
• Problem? Weakness? How?

37
Absence of authentication
X
I am user
Fabrication
38
Access Control

• The ability of a subject (such as an individual
  or a process running on a computer system) to
  interact with an object (such as a file or
  hardware device).
• To prevent unauthorized access.
• It may be confused with authentication.
• Example
• Log in to e-community
• What authentication applied?
• Where access control plays it roles?

39
1.4Methods of Defense
40

• Basic concepts to deal with harm
• Prevent it block attack or close the vulnerable
• Deter it make the attack harder but not
  impossible
• Deflect it make another target more attractive
• Detect it as it happens or after the attack
• Recover - from its effects
• More than one of the above can be done at once.
• Why? Example?

41
Controls or countermeasures

• Use a combination of controls to secure valuable
  resources.
• Selection of controls value, effort of an
  intruder, cost compare with risk of loss, easy to
  use or implement.

42
Encryption

• We want to protect hardware, software and data
  valuable resources.
• Make the data useless by scrambling or encoding
  it.
• Use encryption hard for an intruder to find
  data useful.
• It address
• confidentiality data cannot be read easily if
  not knowing the encoding used
• integrity data cannot be read generally cannot
  easily be changed in a meaningful manner
• and nullify the value of interception,
  modification or fabrication.

43
Software controls

• Programs are second facet of computer security.
• Programs must be secure, developed and
  maintained
• Internal program controls part of program that
  enforce security restrictions e.g. limitations in
  a database
• Independent control programs application
  programs e.g. password checker, intrusion
  detection utilities, virus scanner, firewall and
  others
• Development controls quality standards which a
  program is designed, coded, tested and maintained
  to prevent software faults from exploitable
  vulnerabilities

44
Hardware controls

• Hardware devices
• Hardware or smart card implementations of
  encryption
• Locks or cables limiting access or deterring
  theft
• Devices to verify users identities
• Firewalls
• Intrusion detection systems
• Circuit boards that control access to storage
  media

45

• Policies and procedures
• e.g. Frequent changes of passwords
• After establishment of policies - training and
  administration
• Physical controls
• Locks on doors
• Guards at entry points
• Backup copies of important software and data
• Physical site planning that reduces risk of
  natural disasters

46
Learning Objectives

• By the end of this sessions, students should be
  able to-
• Understand the meaning of security in computer
  systems
• Understand security problems associated with
  computer systems
• Define and explain general security concepts
• Define and differentiate various methods of
  defense to secure computer systems

47

• QA
• Thank you.