Privacy - not readable

1
Objectives of Data Security (relative to
unauthorized persons)
Privacy - not readable Permanent - not
alterable (can't edit, delete) Reliable -
(changes detectable) But the data must be
accessible to persons authorized to Read,
edit, add, delete Probably over a network,
possibly over the Internet.
1
2
Attacks, Services, and Mechanisms
Security Attack Any action that compromises
the security of information. Security
Mechanism A mechanism that is designed to
detect, prevent, or recover from a security
attack. Security Service A service that
enhances the security of data processing systems
and information transfers. A security service
makes use of one or more security mechanisms.
2
3
3
3
4
4
5
Security Services
Confidentiality (privacy) Authentication (who
created or sent the data) Integrity (has not
been altered) Non-repudiation (the order is
final) Access control (prevent misuse of
resources) Availability (permanence,
non-erasure) - Denial of Service Attacks -
Virus that deletes files
5
6
Viruses, Worms, and Trojan Horses
Virus - code that copies itself into other
programs Payload - harmful things it does, after
it has had time to spread. Worm - a program that
replicates itself across the network (usually
riding on email messages or attached documents
(e.g., macro viruses). Trojan Horse -
instructions in an otherwise good program that
cause bad things to happen (sending your data or
password to an attacker over the net). Logic Bomb
- malicious code that activates on an event
(e.g., date). Trap Door (or Back Door) -
undocumented entry point written into code for
debugging that can allow unwanted users.
6
7
Virus Protection
Have a well-known virus protection program,
configured to scan disks and downloads
automatically for known viruses. Do not execute
programs (or "macro's") from unknown sources
(e.g., PS files, HyperCard files, MS Office
documents, Java, ...), if you can help it. Avoid
the most common operating systems and email
programs, if possible.
7
8
Password Gathering
Look under keyboard, telephone etc. Look in the
Rolodex under X and Z Call up pretending to
from micro-support, and ask for it. Snoop a
network and watch the plaintext passwords go
by. Tap a phone line - but this requires a very
special modem. Use a Trojan Horse program to
record key stokes.
8
9
The Stages of a Network Intrusion
1. Scan the network to locate which IP
addresses are in use, what operating system
is in use, what TCP or UDP ports are open
(being listened to by Servers). 2. Run
Exploit scripts against open ports 3. Get
access to Shell program which is suid (has
root privileges). 4. Download from Hacker Web
site special versions of systems files that will
let Cracker have free access in the future
without his cpu time or disk storage space being
noticed by auditing programs. 5. Use IRC
(Internet Relay Chat) to invite friends to the
feast.
9
10
Web Server
Browser
Application
Application
Router-Firewall can drop packets based on source
or destination, ip address and/or port
Layer
Layer
(HTTP)
(HTTP)
Port 31337
Port 80
Transport
Transport
Layer
Layer
(TCP,UDP)
(TCP,UDP)
Segment No.
Segment No.
Network
Network
Layer (IP)
Layer (IP)
IP Address 130.207.22.5
IP Address 24.88.15.22
Network
Network
Layer
Layer
Token Ring
E'net Data
Token Ring
E'net Data
Link Layer
Link Layer
Data-Link Layer
Data Link Layer
Token Ring
Ethernet
Token Ring
E'net Phys.
Phys. Layer
Phys. Layer
Layer
Phys. Layer
10
11
Policy No outside Web access. Outside
connections to Public Web Server Only.
Prevent Web-Radios from eating up the available
bandwidth. Prevent your network from being
used for a Smuft DoS attack. Prevent your network
from being tracerouted or scanned.
Firewall Setting Drop all outgoing
packets to any IP, Port 80 Drop all incoming
TCP SYN packets to any IP except 130207244.203,
port 80 Drop all incoming UDP packets - except
DNS and Router Broadcasts. Drop all ICMP
packets going to a broadcast address
(130.207.255.255 or 130.207.0.0). Drop all
incoming ICMP, UDP, or TCP echo-request packets,
drop all packets with TTL lt 5.
11
12
PGP (Pretty Good Privacy) -gt GPG
From "PGP Freeware for MacOS, User's Guide"
Version 6.5, Network Associates, Inc., www.pgp.com
12
13
Access Control
Today almost all systems are protected only by a
simple password that is typed in, or sent over a
network in the clear.Techniques for guessing
passwords 1. Try default passwords. 2. Try all
short words, 1 to 3 characters long. 3. Try all
the words in an electronic dictionary(60,000). 4.
Collect information about the users hobbies,
family names, birthday, etc. 5. Try users phone
number, social security number, street address,
etc. 6. Try all license plate numbers
(123XYZ). Prevention Enforce good password
selection (c0p31an6)
13
14
Kerberos
14