Lecture notes: HSR Internet Security 1, 01a-Introduction (security.hsr.ch/lectures/Internet_Security_1/01a-Introduction.pdf)



1 Introduction

1.1 What is “Internet Security”?

• Definition of Information / IT / Internet security

• Worldwide criminal potential in the Internet

• Security elements

1.2 Security Risks

• Security risk analysis (assets, threats, vulnerabilites)

1.3 Threats

• Hacker profiles (vandals, script kiddies, trespassers, thieves, spies)

• Attack sophistication vs. Intruder knowledge

• Vandalism

• Internet security threat situation in 2010

• Organized crime and the underground economy

• DoS and DDoS attacks

• Spying and cyber sabotage in the national interest

1.4 Vulnerabilities

• Vulnerabilites and exposures

• Common vulnerabilities and exposures databases

1.5 Security Measures

• Types of security measures (organize, protect, filter, combine,

monitor and control)

• The security life cycle


The Internet is a global system

• with local law (e.g. computer security, data protection law)

• with various techno-political environments

• with an almost unlimited number of “guests”

Key points in the Internet situation are

• increased complexity

• increased dependency (as a person, as a company, as a state)

• increased difficulty to separate (network sections, users)

References to Internet statistics

• Internet domain survey host count: 850 million (July 2011), http://www.isc.org/ds/

• Worldwide Internet users: 2,095 million (March 2011), http://www.internetworldstats.com/stats.htm


Write down all aspects of Internet security: what do ordinary people mean by the term “security”?


The threat potential (threat) and the weaknesses of the defensive measures (vulnerabilities) determine the danger (the probability of a loss event). The goal is to be able to estimate, for various situations, the size of the loss, i.e. the assets under threat, and the probability that a loss occurs. Risk is the product of “probability of a loss event” times “loss amount”. Risk can rarely be stated in Swiss francs, however; but comparing or weighing the risks of different situations against each other is usually possible.

Risk can be reduced in several ways. One can try to reduce the threat and/or the loss that occurs. As a rule, though, the main effort goes into reducing the success of an attack (or of a threat) through protective measures (security protection measures). The cost of these protective measures normally grows with the level of protection. The loss should correspondingly shrink as the level of protection rises. The resulting total cost should therefore reach a minimum at some particular level of protection.

ROSI: Return On Security Investment
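The cost model above, worked through as an added example (not part of the lecture notes): each protection level carries a yearly cost and a residual probability and loss, the expected loss is probability times loss amount, and the level at which measures plus residual risk are cheapest is the minimum the notes describe. All figures are constructed, and the ROSI formula (risk reduction minus investment, divided by investment) is an assumption taken from common usage, not something the notes state.

```python
"""Added example: comparing risk = probability x loss across protection levels
and finding the level at which total cost (measures + residual risk) is minimal.
The figures below are constructed for illustration, not taken from the lecture."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLevel:
    name: str
    annual_cost: float   # yearly cost of the protective measures (CHF)
    probability: float   # probability of a loss event per year at this level
    loss: float          # loss amount (threatened assets) if the event occurs (CHF)

    def risk(self) -> float:
        """Expected annual loss: probability of a loss event times loss amount."""
        return self.probability * self.loss

    def total_cost(self) -> float:
        """What the organisation pays per year: measures plus residual risk."""
        return self.annual_cost + self.risk()


def cheapest_level(levels: list[ProtectionLevel]) -> ProtectionLevel:
    """Protection level with the minimal total cost."""
    return min(levels, key=lambda lvl: lvl.total_cost())


def rosi(baseline: ProtectionLevel, candidate: ProtectionLevel) -> float:
    """Return On Security Investment of moving from baseline to candidate.

    Assumed formula (common usage, not stated in the notes):
    (risk reduction - additional cost) / additional cost.
    """
    risk_reduction = baseline.risk() - candidate.risk()
    investment = candidate.annual_cost - baseline.annual_cost
    if investment <= 0:
        raise ValueError("candidate must invest more than baseline")
    return (risk_reduction - investment) / investment


# Constructed sample: a web shop weighing four levels of protection.
SAMPLE_LEVELS = [
    ProtectionLevel("none",     annual_cost=0,       probability=0.50, loss=200_000),
    ProtectionLevel("basic",    annual_cost=20_000,  probability=0.20, loss=200_000),
    ProtectionLevel("standard", annual_cost=50_000,  probability=0.05, loss=150_000),
    ProtectionLevel("maximum",  annual_cost=150_000, probability=0.01, loss=100_000),
]


def report(levels: list[ProtectionLevel] = SAMPLE_LEVELS) -> list[tuple[str, float, float]]:
    """Rows of (name, expected loss, total cost), cheapest total first."""
    rows = [(lvl.name, lvl.risk(), lvl.total_cost()) for lvl in levels]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for name, risk, total in report():
        print(f"{name:9s} expected loss {risk:>10,.0f}  total cost {total:>10,.0f}")
    best = cheapest_level(SAMPLE_LEVELS)
    print("minimal total cost at level:", best.name)
    for lvl in SAMPLE_LEVELS[1:]:
        print(f"ROSI of '{lvl.name}' vs 'none': {rosi(SAMPLE_LEVELS[0], lvl):+.2f}")
```

With these constructed numbers the "maximum" level has the lowest expected loss but the highest total cost, and its ROSI is negative; "standard" is the minimum the notes talk about. In practice the probabilities are the hard part to obtain, which is why the notes say that risks are usually only compared, not priced.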


A set of “profiles” of various participants in the hacker community is derived from actual data gathered by Microsoft researchers and engineers who are working with national law enforcement agencies in the US. They are based on numerous real-life incidents where the perpetrators are either known or reasonably well-guessed. The threat situation can be structured by various levels of “motivation” (from “Curiosity” to “National Interest”) and “expertise and resources” (from the entry-level “Script-Kiddy” to the formidable “Specialist”).

• The “Vandal” is the person who, for example, hacks into a poorly-protected Web site and defaces the content. In terms of total hacking effort – in other words, the total number of participants, total hours spent and so on – Vandals constitute the largest group, or area of activity.

• “Trespassers” are more capable than Vandals and they're motivated by ego and a sense of personal fame. Their intentions are relatively benign, but they can cause significant problems. The hackers who create many of the worms and viruses that make news usually fall into this category. Because their attacks create huge amounts of traffic and sometimes Denial of Service attacks, their actions can result in serious material damage to computer users, businesses and other organizations. However, they often do not include seriously harmful “payloads” that destroy data or enable theft.

• The “Author” is the highly-capable hacker who has the tools and expertise to reverse-engineer a patch and write exploit code, or find vulnerabilities in security software, hardware, or processes. Authors are generally motivated by ego, ideology, and/or personal fame. Authors create the building blocks for criminal hackers. The tools and code they produce are usually made readily available to the less-sophisticated, meaning that the Vandals and the Script-Kiddies are able to cause a lot more trouble with less work.

• The “Thieves” are people who are in it for the money, and they include organized crime syndicates from around the world. Thieves are active and effective in hacking into corporate and enterprise systems, sometimes to steal information that has monetary value (such as credit card numbers), sometimes to divert cash into their accounts, and sometimes to extort payments to prevent their systems or data from being exposed to the public. It's impossible to calculate the losses caused by thieves because their work is often not publicly reported. Cyber-theft is the fastest-growing threat in security. The Thieves benefit from the Author's efforts.

• The “Spies,” who work on behalf of governments, are highly skilled, and have virtually unlimited resources. And the largest expenditures on protection – building strong defenses – are made, not surprisingly, by the Spies.

Source: Microsoft


Source: Tim Shimeall, CERT Centers, Software Engineering Institute, © 2002 by Carnegie Mellon University


Source: Symantec Internet Security Threat Report XVI, April 2011


New malicious code threats

One result that Symantec has drawn from the observance of increased professionalization in the underground economy is that the coordination of specialized and, in some cases, competitive groups for the production and distribution of items such as customized malicious code and phishing kits has led to a dramatic increase in the general proliferation of malicious code.

A prime example of this type of underground professional organization is the Russian Business Network (RBN). The RBN reputedly specializes in the distribution of malicious code, hosting malicious websites, and other malicious activity. The RBN has been credited with creating approximately half of the phishing incidents that occurred worldwide in 2008.

With the increasing adaptability of malicious code developers and their ability to evade detection, Symantec also expects that overt attack activities will either be abandoned or pushed further underground. This has already been seen with the use of HTTP and P2P communication channels in threats such as Downadup. Because of the distributed nature of these control channels, it is much more difficult to disable an entire network and locate the individual or group behind the attacks.

The focus of threats in 2008 continued to be aimed at exploiting end users for profit, and attackers have continued to evolve and refine their abilities for online fraud. While some criminal groups have come and gone, other large organizations persist and continue to consolidate their activities. These pseudo-corporations and their up-and-coming competitors will likely remain at the forefront of malicious activity in the coming year.

Source: Symantec Global Internet Security Threat Report XIV, April 2009

Source: Symantec Internet Security Threat Report XV, April 2010

Source: Symantec Internet Security Threat Report XVI, April 2011

Source: Slide courtesy of Prof. Dr. Marc Rennhard, ZHAW

General Principle of a DDoS Attack

The attacker planning a DDoS attack identifies and infiltrates numerous computers and networks (using vulnerabilities) and installs and hides DDoS attack tools in them. These computers are named zombies because they lie asleep until they are wakened. Since it would be difficult for a single attacker to control, say, 50,000 zombies, handlers are used, which are basically an additional hierarchy level to control a large number of zombies. One way for the attacker to get handlers is to pick some of the zombies he has compromised before.

When starting the attack, the attacker communicates with the handlers, which in turn each send commands to a troop of zombie computers, which triggers the zombies to start the actual attack on the target.

Many DDoS attacks are even more automated. The attacker writes a virus or worm and starts spreading it. The malware contains the attack code and also a fixed time at which to trigger the attack. The advantage is that the attacker does not have to actively trigger the attack, which makes it easier for him to hide his traces. On the other hand, it gives the attacker much less control over the zombies, which makes it virtually impossible to change the attack time or target once the malware has been spread.

Source: Slide courtesy of Prof. Dr. Marc Rennhard, ZHAW
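Seen from the target's side, the structure described above shows up as a flood that arrives from many distinct sources at once, in contrast to a single-source DoS. The following added example (not part of the lecture or Prof. Rennhard's slides) applies that distinction to packet-log lines with a sliding time window; the log format, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Added example: telling a distributed flood (many sources) from a single-source
flood in packet-log lines, as a defender would when a target is hit.
Log format and thresholds are assumptions; the sample lines are constructed."""
from collections import defaultdict


def parse_line(line: str) -> tuple[float, str, str]:
    """Assumed log format: '<unix-timestamp> <source-ip> <destination-ip>'."""
    ts, src, dst = line.split()
    return float(ts), src, dst


def classify_targets(lines, window_s=1.0, rate_threshold=50, source_threshold=20):
    """Return {destination: 'ddos' | 'dos' | 'normal'}.

    A destination is flooded when at least rate_threshold packets arrive within
    any window_s-second window. The flood counts as distributed (zombies under
    handler control) when those packets come from at least source_threshold
    distinct sources, otherwise as a single-source DoS.
    """
    per_target = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        per_target[dst].append((ts, src))

    verdict = {}
    for dst, events in per_target.items():
        events.sort()                 # the sliding window needs time order
        label = "normal"
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            if end - start + 1 >= rate_threshold:
                sources = {src for _, src in events[start:end + 1]}
                if len(sources) >= source_threshold:
                    label = "ddos"
                    break             # distributed flood found; nothing worse to find
                label = "dos"         # keep scanning: a later window may show more sources
        verdict[dst] = label
    return verdict


def constructed_sample() -> list[str]:
    """Constructed log lines (documentation-range addresses, not real hosts)."""
    lines = []
    # 40 zombies, 3 packets each, all within 0.8 s against 10.0.0.5
    for i in range(40):
        for k in range(3):
            lines.append(f"{100.0 + (i * 3 + k) * 0.0066:.4f} 192.0.2.{i + 1} 10.0.0.5")
    # one host sending 80 packets within 0.8 s against 10.0.0.6
    for k in range(80):
        lines.append(f"{200.0 + k * 0.01:.4f} 198.51.100.7 10.0.0.6")
    # ordinary traffic: 5 packets spread over 10 s against 10.0.0.7
    for k in range(5):
        lines.append(f"{300.0 + k * 2.0:.4f} 203.0.113.9 10.0.0.7")
    return lines


if __name__ == "__main__":
    for target, label in sorted(classify_targets(constructed_sample()).items()):
        print(f"{target:10s} {label}")
```

The thresholds are placeholders to be tuned to the link's normal rate. The distinct-source count is only a hint: spoofed source addresses inflate it, and a flood triggered by a fixed time in a worm, as in the last paragraph above, arrives without any handler traffic to correlate with, so the window count is the more robust of the two signals.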


Information on Stuxnet

http://en.wikipedia.org/wiki/Stuxnet


Examples of universal vulnerabilities include:

• remote command execution as root or user “nobody”

• world-writable password file (modification of system-critical data)

• default password (remote command execution or other access)

• denial of service problems that allow an attacker to cause a Blue Screen of Death

• denial of service by flooding a network

• gaining root access or execution of malicious code via buffer overflows

Examples of exposures include:

• running services such as finger (useful for information gathering)

• running services that are common attack points (e.g., HTTP, FTP, or SMTP)

• use of applications or services that can be successfully attacked by brute force (e.g., use of trivially broken encryption, or a small key space)


CVE: Common Vulnerabilities and Exposures

CERT: Computer Emergency Response Team

National Vulnerability Database (NIST), http://nvd.nist.gov

NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard.

CERT Coordination Center (US-CERT), www.cert.org

Established in 1988, the CERT Coordination Center is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University (CMU).

SWITCH-CERT, www.switch.ch/security/

Funded by the Swiss Confederation and those Swiss Cantons where a university is located, our constituency consists of the Swiss research network (called SWITCH), the member organizations of SWITCH, and their respective networks.

National Infrastructure Security Co-ordination Centre (NISCC), www.niscc.gov.uk

NISCC was set up in 1999 and is an inter-departmental centre drawing on contributions from across government. Defence, Central Government Policy, Trade, the Intelligence Agencies and Law Enforcement all contribute expertise and effort.


IT Security Standards

• IT-Grundschutzhandbuch

Bundesamt für Sicherheit in der Informationstechnik (BSI)

www.bsi.bund.de

• Orange Book

US Department of Defense (DoD)

www.dynamoo.com/orange/summary.htm

• BS 7799 Information Security Standard

British Standards Institution (BSI)

www.bsigroup.com

A more detailed example in the context of Internet use:

1. Defining the goals for using the Internet

2. Carrying out a risk analysis

3. Developing an Internet policy

4. Determining appropriate measures

5. Implementing the measures

6. Verifying the implemented measures

7. Maintaining the implemented measures