Framework - PowerPoint PPT Presentation

1 / 87

About This Presentation

Title:

Framework

Description:

Videos, music, photographs. Software. Private databases. 31. Criminal Identity Theft ... Amateur information warfare. 54. Attack Techniques. Attacks ... – PowerPoint PPT presentation

Number of Views:204

Avg rating:3.0/5.0

Slides: 88

Provided by: rp95

Category:

more less

Transcript and Presenter's Notes

Title: Framework

1
Framework
2
Outline

What is security ?
Why do we need to be concerned ?
How bad is the threat ?
Attack Trends
Classes of attacks
Who are the attackers ?
Attack Techniques
Security Management

3
Security What is it?

About the protection of assets
Really a business issue
Involves
Prevention
Detection
Reaction

4
Computing Security

Deals with the prevention, detection and recovery
of unauthorized actions by users of computer
networks and systems
About maintaining
Secrecy
Accuracy
Availability

5
Why do we need to be concerned about security?

Economic loss
Intellectual Property loss
Privacy and Identity Theft
National Security

6
CSI/FBI Computer Crime and Security Survey

Survey conducted by the Computer Security
Institute
Based on replies from 503 U.S. Computer Security
Professionals.
If fewer than 20 firms reported quantified dollar
losses, data for the threat are not shown.
Does not show number of incidents per firm

7
CSI/FBI Computer Crime and Security Survey
8
CSI/FBI Computer Crime and Security Survey
9
CSI/FBI Computer Crime and Security Survey
10
CSI/FBI Computer Crime and Security Survey
11
Other Empirical Attack Data

Riptech
Analyzed 5.5 billion firewall log entries in 300
firms in five-month period (July-Dec 2001)
Detected 128,678 attacksan annual rate of 1,000
per firm
Only 39 of attacks after viruses were removed
were directed at individual firms

12
Other Empirical Attack Data

Riptech
23 of all firms experienced a highly aggressive
attack in a 6-month period
Only one percent of all attacks, highly
aggressive attacks are 26 times more likely to do
severe damage than even moderately sophisticated
aggressive attacks

13
Other Empirical Attack Data

SecurityFocus
Data from 10,000 firms in 2001
Attack Frequency
129 million network scanning probes (13,000 per
firm)
29 million website attacks (3,000 per firm)
6 million denial-of-service attacks (600 per firm)

14
Other Empirical Attack Data

SecurityFocus
Attack Targets
31 million Windows-specific attacks
22 million UNIX/LINUX attacks
7 million Cisco IOS attacks
All operating systems are attacked!

15
Other Empirical Attack Data

U.K. Department of Trade and Industry
Two-thirds of U.K. firms surveyed lost less than
15,000 from their worst incident
But 4 lost more than 725,000

16
Other Empirical Attack Data

MessageLabs
One in every 200 to 400 e-mail messages is
infected
Most e-mail users are sent infected e-mail
several times each year
The percentage of e-mails that are infected is
rising

17
Other Empirical Attack Data

Honeynet project
Fake networks set up for adversaries to attack
To understand how adversaries attack
Windows 98 PC with open shares and no password
compromised 5 times in 4 days
LINUX PCs took 3 days on average to compromise

18
Attack Trends

Growing Incident Frequency
Incidents reported to the Computer Emergency
Response Team/Coordination Center
1997 2,134
1998 3,474 (75 growth from the year before)
1999 9,859 (164 growth from the year before)
2000 21,756 (121 growth from the year before)
2001 52,658 (142 growth from the year before)
2002 82,094
2003 76,404 (Q1-Q2)

19
(No Transcript)
20
Attack Trends Victim Selection

Growing Randomness in Victim Selection
In the past, large firms were targeted
Now, targeting is increasingly random
No more security through obscurity for small
firms and individuals

21
Attack Trends - Malevolence

Growing Malevolence
Most early attacks were not malicious
Malicious attacks are becoming the norm

22
Attack Trends

Growing Attack Automation
Attacks are automated, rather than
humanly-directed
Essentially, viruses and worms are attack robots
that travel among computers
Attack many computers in minutes or hours

23
Why is this happening

Emergence of systems since WW II
Properties of systems
Complex
Systems interact with each other
Systems have emergent properties
Systems have bugs
Systems are very very difficult to secure

24
Why are attacks more challenging in cyberspace

Automation
Action at a distance
Technique Propagation

25
Classes of Attacks

Criminal
Privacy
Publicity

26
Criminal - Fraud

1 a DECEIT, TRICKERY specifically
intentional perversion of truth in order to
induce another to part with something of value or
to surrender a legal right b an act of
deceiving or misrepresenting TRICK2 a a
person who is not what he or she pretends to be
IMPOSTOR also one who defrauds CHEAT b one
that is not what it seems or is represented to be

Modern financial systems subject to
Checks
Credit cards
ATM networks
E-commerce
E-payment systems

28
Criminal - Scams

a fraudulent or deceptive act or operation
National Consumers League says 5 most common
online scams are
Sale of Internet Services
Sale of general services
Auctions
Pyramid or multilevel marketing schemes
Business opportunities

29
Criminal - Destructive

Work of
Terrorists
Employees
Hackers
Types
Malware
DOS or DDOS

30
Criminal Intellectual Property Theft

Trade secrets and company databases
Electronic versions of
Books, magazines, newspapers
Videos, music, photographs
Software
Private databases

31
Criminal Identity Theft

300,00 credit cards stolen at CD Universe
Identity theft has reached epidemic proportions
and is the top consumer fraud complaint in
America
Losses to consumers and institutions due to
identity theft totaled 745 million in 1997,
according to the U.S. Secret Service.

32
Criminal Identity Theft

An estimated 700,000 consumers became victims of
identity theft during 2001 at a cost of 3
billion.
Estimate of 900,000 for 2002.

33
Criminal Brand Theft

Virtual Identity for businesses
More important now that anyone can set up a Web
site
Via domain names
Rerouting communication via DNS attacks

34
Privacy

Not necessarily criminal
In U.S. data about individuals is not owned by
individual
Owned by data collector and can be sold without
knowledge or consent of individual
Hiring a private investigator to collect data is
legal

Two types
Targeted
Stalking (person)
Industrial espionage (company)
Spying (country)
Data harvesting
Harness power of correlation
Search of multiple databases

36
Privacy - Surveillance

Powerful directional microphones
Micro cameras and wireless microphones
Cell phone tracking
Surveillance cameras in public places
Search email, telephone conversations, images for
patterns

Buying behavior on Web sites
Credit card purchases
Travel information
GPS locators

38
Privacy - Databases

Before the 60s privacy violation was only about
surveillance
Computers with large databases evolved in the 60s
Networked computers allow data to be shared
Large credit databases
Experian
TransUnion
Equifax

Data from purchases, health information,
lifestyle information can be correlated
Web purchases and surfing habits can be captured

40
Privacy Traffic Analysis

Study of communication patterns
Who communicates with whom
When
For how long
Were replies sent
Patterns
Chain of command

41
Privacy Massive Electronic Surveillance

ECHELON automated global interception system
Intercepts 3 billion communications each day
Phone
Email
Internet downloads
Satellite transmissions

42
Publicity

How can I get my name in the newspaper by
attacking the system
Attacks are malicious or criminal
Sometimes motivated by desire to fix the system
Can be costly if public buying behavior altered

Can become criminal of others exploit the
revealed vulnerability with criminal intent
Web page defacing in vogue

44
Publicity Denial of Service

Very popular because of media coverage
Goal is to stop something from working
Communication system (cell, landline)
Computers/networks
Alarm systems
Military systems

45
Who are the Attackers ?

Elite Hackers
Hacking intentional access without authorization
or in excess of authorization
Cracking versus hacking
Technical expertise and dogged persistence
Use attack scripts to automate actions, but this
is not the essence of what they do

46
Who are the Attackers

Elite Hackers
White hat hackers
This is still illegal unless hired by owner of
system
Break into system but notify firm or vendor of
vulnerability
Black hat hackers
Do not hack to find and report vulnerabilities
Gray hat hackers go back and forth between the
two ways of hacking

47
Who are the Attackers

Elite Hackers
Hack but with code of ethics
Codes of conduct are often amoral
Do no harm, but delete log files, destroy
security settings, etc.
Distrust of evil businesses and government
Still illegal
Deviant psychology and hacker groups to reinforce
deviance

48
Who are the Attackers

Virus Writers and Releasers
Virus writers versus virus releasers
Only releasing viruses is punishable

49
Who are the Attackers

Script Kiddies
Use prewritten attack scripts (kiddie scripts)
Viewed as lamers and script kiddies
Large numbers make dangerous
Noise of kiddie script attacks masks more
sophisticated attacks

50
Who are the Attackers

Criminals
Many attackers are ordinary garden-variety
criminals
Credit card and identity theft
Stealing trade secrets (intellectual property)
Extortion

51
Who are the Attackers

Corporate Employees
Have access and knowledge
Financial theft
Theft of trade secrets (intellectual property)
Sabotage
Consultants and contractors
IT and security staff are biggest danger

52
Who are the Attackers

Cyberterrorism and Cyberwar
New level of danger
Infrastructure destruction
Attacks on IT infrastructure
Use IT to establish physical infrastructure
(energy, banks, etc.)

53
Who are the Attackers

Cyberterrorism and Cyberwar
Simultaneous multi-pronged attacks
Cyberterrorists by terrorist groups versus
cyberwar by national governments
Amateur information warfare

54
Attack Techniques
Attacks
Social Engineering -- Opening Attachments Password
Theft Information Theft
Physical Access Attacks -- Wiretapping Server
Hacking Vandalism
Dialog Attacks -- Eavesdropping Impersonation Mess
age Alteration
Penetration Attacks
Malware -- Viruses Worms
Denial of Service
Scanning (Probing)
Break-in
55
Access Control Attacks and Defenses

Access control is the body of strategies and
practices that a company uses to prevent improper
access
Prioritize assets
Specify access control technology and procedures
for each asset
Test the protection

56
Access Control Attacks and Defenses

Site Access Attacks and Defenses
Wiretaps (including wireless LANs intrusions
Driveby hacking of wireless networks
Hacking servers with physical access

57
Dialog Attacks and Defenses

Eavesdropping
Encryption for Confidentiality
Imposters and Authentication
Cryptographic Systems

58
Eavesdropping on a Dialog
Dialog
Hello
Client PC Bob
Server Alice
Hello
Attacker (Eve) intercepts and reads messages
59
Encryption for Confidentiality
Encrypted Message 100100110001
Client PC Bob
Server Alice
100100110001
Attacker (Eve) intercepts but cannot read
Original Message Hello
Decrypted Message Hello
60
Impersonation and Authentication
Im Bob
Prove it! (Authenticate Yourself)
Attacker (Eve)
Server Alice
61
Message Alteration
Dialog
Balance 1,000,000
Balance 1
Server Alice
Balance 1
Balance 1,000,000
Attacker (Eve) intercepts and alters messages
62
Secure Dialog System
Secure Dialog
Client PC Bob
Server Alice
Automatically Handles Negation of Security
Options Authentication Encryption Integrity
Attacker cannot read messages, alter messages,
or impersonate
63
Penetration Attacks and Defenses

Scanning
Break-in
Denial of services
Malware

64
Scanning (Probing) Attacks
Attack Packets to 172.16.99.1, 172.16.99.2, etc.
Im Here
Host 172.16.99.1
Internet
Attacker
Im Here
Corporate Network
65
Single-Message Break-In Attack
1. Single Break-In Packet
2. Server Taken Over By Single Message
Attacker
66
Denial-of-Service (DoS) Flooding Attack
Message Flood
Server Overloaded By Message Flood
Attacker
67
Penetration Defenses

Firewalls
Intrusion Detection Systems
Malware scanning systems
Hardening Servers

68
Network Penetration Attacks and Firewalls
Attack Packet
Internet Firewall
Hardened Client PC
Internet
Attacker
Internal Corporate Network
Log File
69
Intrusion Detection System (IDS)
1. Suspicious Packet
Intrusion Detection System (IDS)
4. Alarm
Network Administrator
2. Suspicious Packet Passed
Internet
Attacker
3. Log Suspicious Packet
Corporate Network
Log File
70
Firewalls Versus IDSs

Firewalls
Actually drop attack packets
This requires clear evidence of being attack
packets
IDSs
Log but then pass suspicious packets
Log even if evidence is weak
Products on the Market Often Blur This Distinction

71
Social Engineering Attacks and Defenses

Tricking an employee into giving out information
or taking an action that reduces security or
harms a system
Opening an e-mail attachment that may contain a
virus
Asking for a password claming to be someone with
rights to know it
Asking for a file to be sent to you

72
Social Engineering Attacks and Defenses

Training
Enforcement through sanctions (punishment)

73
Security Management

Security is a Primarily a Management Issue, not a
Technology Issue
Top-to-Bottom Commitment
Top-management commitment
Operational execution
Enforcement

74
Security Management

Comprehensive Security
Closing all avenues of attack
Asymmetrical warfare
Attacker only has to find one opening
Defense in depth
Attacker must get past several defenses to
succeed
Security audits
Run attacks against your own network

75
Security Management

General Security Goals (CIA)
Confidentiality
Attackers cannot read messages if they intercept
them
Integrity
If attackers change messages, this will be
detected
Availability
System is able to server users

76
The PlanProtectRespond Cycle
Plan
Protect
Respond
77
The PlanProtectRespond Cycle Planning

Planning
Need for comprehensive security
Risk analysis
Enumerating threats
Threat severity estimated cost of attack X
probability of attack
Value of protection threat severity cost of
countermeasure
Prioritize countermeasures by value of
prioritization

78
Threat Severity Analysis
79
The PlanProtectRespond Cycle Planning

Security policies drive subsequent specific
actions
Selecting technology
Procedures to make technology effective
The testing of technology and procedures

80
Policy-Driven Technology, Procedures, and Testing
Only allow authorized personnel to use accounting
webserver
Policy
Technology (Firewall, Hardened Webserver)
Procedures (Configuration, Passwords, Etc.)
Protection
Testing (Test Security)
Attempt to Connect to Unauthorized Webserver
81
The PlanProtectRespond Cycle Protecting

Installing protections firewalls, IDSs, host
hardening, etc.
Updating protections as the threat environment
changes
Testing protections security audits

82
The PlanProtectRespond Cycle Responding

Planning for response (Computer Emergency
Response Team)
Incident detection and determination
Procedures for reporting suspicious situations
Determination that an attack really is occurring
Description of the attack to guide subsequent
actions

83
The PlanProtectRespond Cycle Responding

Containment Recovery
Containment stop the attack
Repair the damage
Punishment
Forensics
Prosecution
Employee Punishment
Fixing the vulnerability that allowed the attack

84
Recap

Threats are considerable today
Threats will be worse tomorrow, so plan for
tomorrows threat environment
There are many threats from many attackers
Technology can reduce threats
Firewalls
IDSs
Etc.

85
Recap

However, security is primarily a management
issue without strong management and processes,
technology will do nothing
Management cooperation
Employee diligence
Procedures
Enforcement
Plan-Protect-Respond Cycle

86
The Book