5MMSSI - Information Systems Security
0 - Introduction

Fabien Duchene, Karim Hossen
Laboratoire d’Informatique de Grenoble, VASCO team
Grenoble Institute of Technology - Ensimag
[email protected]
2011-2012 (2011. 9. 21.)

Outline

- Your lecturers
  - Fabien Duchene
  - Karim Hossen
- Pedagogic contract
  - After that course...
  - Ethics
  - What is expected from you?
  - Resources
- Security?
  - Why?
  - What?
  - Basic definitions

Fabien Duchene

Information Security
- 2011: PhD student, LIG, France
- 2010: Implementer, Pentester, Trainer, Sogeti-ESEC, France
- 2009: Security Engineering Intern, Microsoft, France

Teaching
- 2010-2011: 4MMSR-Network Security, Ensimag, France
- 2011: MS PKI ADCS 2008 R2, Sogeti-ESEC, France
- 2010: Forefront, Microsoft TechDays 2010, Paris, France

http://car-online.fr/en/spaces/fabien duchene/
PGP fingerprint: 8C16 9A97 BD01 19DC BA51 7361 60AC 98E9 E77D 3800

Karim Hossen

Career
- 2011: PhD student, LIG, France
- 2010: *** confidential ***
- 2009: Automatic differentiation, INRIA, TROPICS

Teaching
- 2010-2011: 4MMCAWEB - conceiving web application, Ensimag

After that course...

You will be able to (non-exhaustive list):
- find and exploit basic vulnerabilities in an application (e.g. Android, web, ...)
- quote some legal issues regarding IT security
- perform a risk analysis with methods such as EBIOS or MEHARI
- discuss and manipulate various security topics: Identity Federation, Wireless security, three-factor authentication, role-based access control, encryption, DDoS, HTML5, IPsec...
- perform forensics and reverse engineering on systems
- explain how iOS prevents applications that are not from the Apple Store from being loaded
- apprehend new IT security concepts in a large distributed corporate environment

Ethics

If you find a vulnerability in an application/system/network that is NOT yours:
- Do not exploit it (prosecution)
- Report it responsibly
- Be patient and understanding. Patching or correcting a configuration is a matter of risk management

Review the courses

Requirements:
- operating systems (4MMSEPS2 ”Système d’exploitation et programmation concurrente”)
- networks and protocols (3MMRTEL ”Introduction aux Réseaux de Communication”)
- applied probability (3MMPA1 ”Probabilités appliquées”)
- assembly software (3MMCEP ”Conception et exploitation des processeurs” / ”Logiciel de base”)

What is expected from you?

- BEFORE a lecture: (30 min / week)
  - read and understand the slides (prepare questions)
  - read some IT security news
- DURING: actively and efficiently participate
  - take notes (some content is missing in your slide version)
  - ask questions ... but also provide answers!
- AFTER: (2H/week)
  - memorize and perform oral feedback ... both the very same day we had lecture!
  - Exercises
- Practical assessments: 5/20 (1H30/week) (2 p./group) [1]
- Final examination [2]
  - Final challenge: 5/20 [3] (individual mark)
  - Written examination: 10/20

[1] Correction: the very next session by a randomly chosen student group
[2] documents: only 1 two-sided A4 page allowed
[3] knowledge from the practical assessments required

Resources

At Ensimag
- Your lecturers
- Ensiwiki:
  - 5MMSSI
  - SecurIMAG
  - A career in information security

Several tools / information sources
- Hacktualities
- “MISC” French infosec magazine
- RSS, twitter (watch out selecting feeds you trust...)
- a feed Fabien likes: http://paper.li/corelanc0d3r

Cyberwarfare [4]

- suspected Chinese attack targeting Paris G20 files [5]
- 200+ non-legitimate certificates issued by DigiNotar CAs [6] [7]
- Stuxnet targeted Iranian industrial nuclear plants [8] [9]

[4] [Wikipedia 2011a] cyberwarfare
[5] [BBC 2011] Cyber attack on France targeted Paris G20 files
[6] [F-Secure 2011] DigiNotar Hacked by Black.Spook and Iranian Hackers
[7] [community 2011] Chromium Code Reviews
[8] [Wikipedia 2011b] Stuxnet
[9] [Nicolas Falliere and (Symantec) 2011] W32.Stuxnet Dossier

Underground economy I [10]

Underground economy II

“Cybercrime is costing more than the drugs trade” [11]

- cybercrime in 2011
  - worldwide: $114 billion ; 431 million victims
  - USA: $32 billion, China: $25 billion
  - France: €1 billion (9 million victims)
- porn:
- botnet: 9,4 million USD for the Zeus botnet [12]. Such botnets usually combine spam and phishing.

[10] [Wired 2011] Crime, organized
[11] [Symantec 2011] Norton Cybercrime report 2011
[12] [CLUSIF 2011] Panorama de la Cyber-criminalité - Année 2010

Business survivability I

Threats to business reputation

Business survivability II

- Sony Pictures: Lulzsec published usernames, passwords
- Yale University had 43.000 social security numbers stolen

Figure: Average number of identities exposed per data breach

Business survivability III

Revenge
- Employees: fired ones, hating their boss

Legal
- PCI-DSS: electronic transactions [13]
- Sarbanes-Oxley act [14]: auditor independence
- California law [15]: notify individuals when Personally Identifiable Information is known or believed to have been stolen

[13] [LLC 2010] PCI-DSS v2
[14] [Sarbanes-Oxley Act] Sarbanes-Oxley Act
[15] [Senator 2002] California law - amending SB 1386

Hacktivism I [16]

Some actions (2009..2011)

- Wikileaks:
- Anonymous: [17]
  - DDoS: PayPal, MasterCard, Twitter, Tunisian government
  - Riots
  - Information release “leakflood”
- Lulzsec: CIA website DDoS, Sony passwords leakage (APT + SQLi), Nintendo, X-Factor, pron.com

Hacktivism II [18]

Is this bad?
- Militantism, protests
- Dangerous by some aspects:
  - some actions considered as cyber-criminality
  - governments fear civil disobedience

[16] [Hacktivism] Hacktivism
[17] [Anonymous (hacktivist group)] Anonymous (hacktivist group)
[18] [CLUSIF 2011] Panorama de la Cyber-criminalité - Année 2010

Security? I

Some security definitions
- “situation in which somebody feels protected from dangerousness” ... relative!
- absolute security does not exist
- “security is a journey not a destination”
- “”
- “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts” [19]

Security? II

Security is not about technologies ONLY

[(Microsoft) 2004] Notions fondamentales de sécurité

Security? III

The attacker vs defender unevenness

- 1. the defender has to protect all assets ; the attacker is free to choose the weakest one
- 2. the defender can only protect what he knows / is aware of ; the attacker can search for any vulnerable assets
- 3. the defender has to be constantly vigilant ; the attacker can attack at any time
- 4. the defender has to respect the rules (esp. law, money limits) ; the attacker can do anything

[19] [Spafford 1989] Quotable Spaf

The 10 security laws

- If a bad guy ... [20]
  - 1. can persuade you to run his program on...
  - 2. can alter the operating system on...
  - 3. has unrestricted physical access to ...
  - 4. can upload programs to
  ... your computer/website, it is not yours anymore!
- 5: Weak passwords trump strong security
- 6: A computer is only as secure as the administrator is trustworthy
- 7: Encrypted data is only as (if not less) secure as the decryption key
- 8: An out-of-date malware scanner is only marginally better than no scanner at all
- 9: Absolute anonymity isn’t practical, in real life or on the Web
- 10: Technology is not a panacea: ..people and procedures

[20] [The 10 immutable security laws] The 10 immutable security laws

security goals/objectives/properties I

- confidentiality (data): [21]
- availability (system):
- integrity (data):
- authenticity (data):
- freshness (data):
- traceability (action):
- non-repudiation (action):
- privacy (identity):

[21] [SPaCiOS 2011] Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors

threat related vocabulary

- threat: if it happens, invalidates at least one security goal
- vulnerability: property of a system that permits a threat to happen
- exploit: of a vulnerability
- attack: 1+ exploit(s)
- countermeasure: protects from threats
- hardening: implementing countermeasures in a system
- security policy:

Vulnerabilities impact classification

From the STRIDE classification [22] [23] .. in terms of impact!

- spoofing: usurpation of a legitimate user credential
- tampering: alteration (modification or destruction) of data or system
- repudiation: inability to prove that an action has been performed
- information disclosure: leak of information (data, or system configuration)
- denial of service: inability of the system to serve legitimate users
- elevation of privilege: gain of additional rights allowing the attacker to perform additional actions

[22] STRIDE = enjambée
[23] [Microsoft 2005] STRIDE threat model

Appendix - Bonus slides

0 - introduction summary

- pedagogic contract: student behavior, practical assessments
- infosec motivations: cybercrime, cyberwar, competitors, business reputation, hacktivism
- security properties: confidentiality, integrity, availability, freshness..
- basic security definitions: security policy, threat, vulnerability, exploit, attack ...

“5MMSSI - information systems security” index

- 1 - Selection of vulnerabilities and attacks
- 2 - Security management: risk, legal, ethics
- 3 - Cryptography and applications
- 4 - Security testing techniques
- 5 - Diverse security mechanisms: end-point, network, servers

References

Ari Takanen, Jared DeMott, Charlie Miller (2008). Fuzzing for Software Security Testing and Quality Assurance.
BBC (2011). Cyber attack on France targeted Paris G20 files. http://www.bbc.co.uk/news/business-12662596
CLUSIF (2011). Panorama de la Cyber-criminalité - Année 2010. http://www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Panorama-Cybercriminalite-annee-2010.pdf
community, Open source (2011). Chromium Code Reviews. http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc
Ensiwiki (2011). A career in information security. http://ensiwiki.ensimag.fr/index.php/A_career_in_Information_Security
F-Secure (2011). DigiNotar Hacked by Black.Spook and Iranian Hackers. http://www.f-secure.com/weblog/archives/00002228.html
LLC, PCI Security Standards Council (2010). PCI-DSS v2. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Microsoft (2005). STRIDE threat model. http://msdn.microsoft.com/library/ms954176.aspx
(Microsoft), Cyril Voisin (2004). Notions fondamentales de sécurité.
(Microsoft), Technet. The 10 immutable security laws. http://technet.microsoft.com/en-us/library/cc722487.aspx
Nicolas Falliere, Liam O Murchu and Eric Chien (Symantec) (2011). W32.Stuxnet Dossier. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Nikam, Rajesh (2011). Introduction to Malware & Malware Analysis. http://chmag.in/article/sep2011/introduction-malware-malware-analysis
Senator (2002). California law - amending SB 1386. http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
SPaCiOS (2011). Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors. http://www.spacios.eu
Spafford, Eugene H. (1989). Quotable Spaf. http://spaf.cerias.purdue.edu/quotes.html
Symantec (2011). Norton Cybercrime report 2011. http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_16
Wikipedia. Anonymous (hacktivist group). https://secure.wikimedia.org/wikipedia/en/wiki/Anonymous(group)
Wikipedia. Hacktivism. https://secure.wikimedia.org/wikipedia/en/wiki/Hacktivism
Wikipedia. Sarbanes-Oxley Act. https://secure.wikimedia.org/wikipedia/en/wiki/Sarbanes–Oxley_Act
Wikipedia (2011a). cyberwarfare. https://secure.wikimedia.org/wikipedia/en/wiki/Cyberwarfare
Wikipedia (2011b). Stuxnet. https://secure.wikimedia.org/wikipedia/en/wiki/Stuxnet
Wired (2011). Crime, organized. Available at http://www.wired.com/magazine/2011/01/ff_orgchart_crime/

Some Information Security jobs

- hacker [24]
- security researcher / vulnerability analysts
- penetration tester / auditors [25]
- software security testers
- IT security:
  - IT security mechanisms implementer
  - CISO (Chief Information Security Officer)

[24] [Ari Takanen 2008] Fuzzing for Software Security Testing and Quality Assurance
[25] [Ensiwiki 2011] A career in information security

Phishing

(.. of course some kind of money benefit would then be derived)

some phishing examples
- email from the XXX bank: you have to change your password
- some welfare service sent you some money (e.g. “french CAF”)
- PayPal urges you to log on to your account

Spam

How do they generate money?
- promoting fake drugs, porn websites
- phishing
- traffic broker to exploit vulnerabilities in browsers (goal: trojan installation, for instance to participate in a botnet)

Botnet

Scamming

- some rich guy from a far away country has no children and wants to give you 10 million USD but you first have to send 100 USD to him

Common misconceptions - best dummies quotes

“Our corporation is secure because...”
- firewall, IDS/IPS
- checksums thus integrity guaranteed
- no networks connected to the internet
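
Why the “checksums thus integrity guaranteed” quote is a misconception, as an added example that is not part of the original slides: an unkeyed checksum delivered with the data can be recomputed by whoever alters the data, so it only catches accidental corruption, while a keyed MAC (HMAC-SHA256 here) cannot be regenerated without the secret key. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, for illustration only.
DEMO_KEY = b"constructed-demo-key"            # shared by sender and receiver only
ORIGINAL = b"transfer to=alice amount=100"
ALTERED = b"transfer to=mallory amount=9000"


def checksum(data: bytes) -> str:
    """Unkeyed digest: anyone who holds the data can compute it."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256): computing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_accepts_checksum(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(checksum(data), digest)


def receiver_accepts_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def altering_channel(data: bytes, check_value: str):
    """Models a channel that replaces the payload on purpose.

    It has no access to DEMO_KEY, so the only check value it can
    regenerate for the new payload is the unkeyed checksum.
    """
    return ALTERED, checksum(ALTERED)


def run_demo() -> dict:
    results = {}

    # Accidental corruption: one byte changes, the check value is untouched.
    corrupted = ORIGINAL[:-1] + b"1"
    results["checksum_catches_corruption"] = not receiver_accepts_checksum(
        corrupted, checksum(ORIGINAL))

    # Deliberate alteration: payload AND checksum are replaced together.
    data, digest = altering_channel(ORIGINAL, checksum(ORIGINAL))
    results["checksum_accepts_altered"] = receiver_accepts_checksum(data, digest)

    # Same alteration against a MAC: the regenerated value is not a valid tag.
    data, forged_tag = altering_channel(ORIGINAL, mac(DEMO_KEY, ORIGINAL))
    results["mac_accepts_altered"] = receiver_accepts_mac(DEMO_KEY, data, forged_tag)

    # Reusing the genuine tag on the altered payload fails as well.
    results["mac_accepts_altered_old_tag"] = receiver_accepts_mac(
        DEMO_KEY, ALTERED, mac(DEMO_KEY, ORIGINAL))

    # The untouched message still verifies.
    results["mac_accepts_original"] = receiver_accepts_mac(
        DEMO_KEY, ORIGINAL, mac(DEMO_KEY, ORIGINAL))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The MAC only helps if the key is kept away from whoever can touch the data, which is the same point as law 7 on the “10 security laws” slide.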

MALicious softWARES (malwares) categorization I [26]

- virus: self-replicating program injecting into a “host” (script, process...)
- worm: autonomous self-replicating program
- trojan horse: apparently useful software but with hidden malicious functionalities
- spyware: gathers personal or confidential information without the user's consent and sends it to a remote server
- backdoor: permits remote code execution on the victim’s computer and opens a communication channel to which the attacker connects

MALicious softWARES (malwares) categorization II

- hacktool: tools used by attackers to get access to the system. Hacktools try to exploit vulnerabilities
- rootkit: actively hides from the OS, usually has the ability to interact at a low level (I/O such as keyboard, mouse, display..)
- rogue application: “fake” applications which pose as security solutions (e.g. faking malware detections). They usually mislead the user into paying for a pretended removal of malware.

[26] [Nikam 2011] Introduction to Malware & Malware Analysis