5MMSSI - Information Systems Security
0 - Introduction

Fabien Duchene, Karim Hossen
Laboratoire d'Informatique de Grenoble, VASCO team
Grenoble Institute of Technology - Ensimag

2011-2012

5MMSSI - Information Systems Security 0 - Introduction · 2011. 9. 21. · 5MMSSI - Information Systems Security 0 - Introduction Fabien Duchene1 Karim Hossen1 1Laboratoire d’Informatique


Outline

1 Your lecturers
  - Fabien Duchene
  - Karim Hossen

2 Pedagogic contract
  - After that course...
  - Ethics
  - What is expected from you?
  - Resources

3 Security?
  - Why?
  - What?
  - Basic definitions


Fabien Duchene

Information Security
- 2011: PhD student, LIG, France
- 2010: Implementer, Pentester, Trainer, Sogeti-ESEC, France
- 2009: Security Engineering Intern, Microsoft, France

Teaching
- 2010-2011: 4MMSR-Network Security, Ensimag, France
- 2011: MS PKI ADCS 2008 R2, Sogeti-ESEC, France
- 2010: Forefront, Microsoft TechDays 2010, Paris, France

http://car-online.fr/en/spaces/fabien duchene/
PGP fingerprint: 8C16 9A97 BD01 19DC BA51 7361 60AC 98E9 E77D 3800


Karim Hossen

Career
- 2011: PhD student, LIG, France
- 2010: *** confidential ***
- 2009: Automatic differentiation, INRIA, TROPICS

Teaching
- 2010-2011: 4MMCAWEB - conceiving web application, Ensimag


After that course...

You will be able to (non-exhaustive list):
- find and exploit basic vulnerabilities in an application (e.g. Android, web, ...)
- quote some legal issues regarding IT security
- perform a risk analysis with methods such as EBIOS or MEHARI
- discuss and manipulate various security topics: Identity Federation, Wireless security, three-factor authentication, role-based access control, encryption, DDoS, HTML5, IPsec...
- perform forensics and reverse engineering on systems
- explain how iOS prevents applications that do not come from the Apple Store from being loaded
- grasp new IT security concepts in a large distributed corporate environment


Ethics

If you find a vulnerability in an application/system/network that is NOT yours:
- Do not exploit it (prosecution)
- Report it responsibly
- Be patient and understanding. Patching or correcting a configuration is a matter of risk management


Review the courses

Requirements:
- operating systems (4MMSEPS2 "Systeme d'exploitation et programmation concurrente")
- networks and protocols (3MMRTEL "Introduction aux Reseaux de Communication")
- applied probability (3MMPA1 "Probabilites appliquees")
- assembly software (3MMCEP "Conception et exploitation des processeurs" / "Logiciel de base")


What is expected from you?

BEFORE a lecture (30 min / week):
- read and understand the slides (prepare questions)
- read some IT security news

DURING: actively and efficiently participate
- take notes (some content is missing in your slide version)
- ask questions ... but also provide answers!

AFTER (2H/week):
- memorize and perform oral feedback ... both the very same day we had lecture!
- Exercises
- Practical assessments: 5/20 (1H30/week) (2 p./group) [1]

Final examination [2]
- Final challenge: 5/20 [3] (individual mark)
- Written examination: 10/20

[1] Correction: the very next session by a randomly chosen student group
[2] documents: only 1 two-sided A4 page allowed
[3] knowledge from the practical assessments required


Resources

At Ensimag
- Your lecturers
- Ensiwiki:
  - 5MMSSI
  - SecurIMAG
  - A career in information security

Several tools / information sources
- Hacktualities
- "MISC" French infosec magazine
- RSS, Twitter (be careful to select feeds you trust...)
- a feed Fabien likes: http://paper.li/corelanc0d3r


Cyberwarfare [4]

- suspected Chinese attack for Paris G20 files [5]
- 200+ non-legitimate certificates issued by DigiNotar CAs [6] [7]
- Stuxnet targeted Iranian industrial nuclear plants [8] [9]

[4] [Wikipedia 2011a] cyberwarfare
[5] [BBC 2011] Cyber attack on France targeted Paris G20 files
[6] [F-Secure 2011] DigiNotar Hacked by Black.Spook and Iranian Hackers
[7] [community 2011] Chromium Code Reviews
[8] [Wikipedia 2011b] Stuxnet
[9] [Nicolas Falliere and (Symantec) 2011] W32.Stuxnet Dossier


Underground economy I [10]


Underground economy II

"Cybercrime is costing more than the drugs trade" [11]

cybercrime in 2011
- worldwide: $114 billion; 431 million victims
- USA: $32 billion, China: $25 billion
- France: €1 billion (9 million victims)

- porn:
- botnet: 9,4 million USD for the Zeus botnet [12]. Such botnets usually combine spam and phishing.

[10] [Wired 2011] Crime, organized
[11] [Symantec 2011] Norton Cybercrime report 2011
[12] [CLUSIF 2011] Panorama de la Cyber-criminalite - Annee 2010


Business survivability I

Threats to business reputation
- Sony Pictures: Lulzsec published usernames, passwords
- Yale University had 43.000 social security numbers stolen

Figure: Average number of identities exposed per data breach


Business survivability II

Revenge
- Employees: fired ones, hating their boss

Legal
- PCI-DSS: electronic transactions [a]
- Sarbanes-Oxley Act [b]: auditor independence
- California law [c]: notify individuals when Personally Identifiable Information is known or believed to have been stolen

[a] [LLC 2010] PCI-DSS v2
[b] [Sarbanes-Oxley Act] Sarbanes-Oxley Act
[c] [Senator 2002] California law - amending SB 1386


Hacktivism I [13]

Some actions (2009..2011)
- Wikileaks:
- Anonymous [a]:
  - DDoS: paypal, mastercard, twitter, Tunisian government
  - Riots
  - Information release "leakflood"
- Lulzsec: CIA website DDoS, Sony passwords leakage (APT + SQLi), Nintendo, X-Factor, pron.com

[a] [Anonymous (hacktivist group)] Anonymous (hacktivist group)


Hacktivism II [14]

Is this bad?
- Militantism, protests
- Dangerous in some respects:
  - some actions are considered cyber-criminality
  - governments fear civil disobedience

[13] [Hacktivism] Hacktivism
[14] [CLUSIF 2011] Panorama de la Cyber-criminalite - Annee 2010


Security? I

Some security definitions
- "situation in which somebody feels protected from danger" ... relative!
- absolute security does not exist
- "security is a journey not a destination"
- ""
- "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts" [a]

[a] [Spafford 1989] Quotable Spaf


Security? II

Security is not about technologies ONLY

[(Microsoft) 2004] Notions fondamentales de securite


Security? III

The attacker vs defender unevenness
1. The defender has to protect all assets; the attacker is free to choose the weakest one
2. The defender can only protect what he knows / is aware of; the attacker can search for any vulnerable assets
3. The defender has to be constantly vigilant; the attacker can attack at any time
4. The defender has to respect the rules (esp. law, money limits); the attacker can do anything


The 10 security laws

If a bad guy ... [15]
1. can persuade you to run his program on...
2. can alter the operating system on...
3. has unrestricted physical access to ...
4. can upload programs to

... your computer/website, it is not yours anymore!

5. Weak passwords trump strong security
6. A computer is only as secure as the administrator is trustworthy
7. Encrypted data is only as (if not less) secure as the decryption key
8. An out-of-date malware scanner is only marginally better than no scanner at all
9. Absolute anonymity isn't practical, in real life or on the Web
10. Technology is not a panacea: ..people and procedures

[15] [The 10 immutable security laws] The 10 immutable security laws


security goals/objectives/properties I

- confidentiality (data): [16]
- availability (system):
- integrity (data):
- authenticity (data):
- freshness (data):
- traceability (action):
- non-repudiation (action):
- privacy (identity):

[16] [SPaCiOS 2011] Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors


threat related vocabulary

- threat: if it happens, invalidates at least one security goal
- vulnerability: property of a system that permits a threat to happen
- exploit: of a vulnerability
- attack: 1+ exploit(s)
- countermeasure: protects from threats
- hardening: implementing countermeasures in a system
- security policy:


Vulnerabilities impact classification

From the STRIDE classification [17] [18] .. in terms of impact!
- spoofing: usurpation of a legitimate user credential
- tampering: alteration (modification or destruction) of data or system
- repudiation: inability to prove that an action has been performed
- information disclosure: leak of information (data, or system configuration)
- denial of service: inability of the system to serve legitimate users
- elevation of privilege: gain of additional rights allowing the attacker to perform additional actions

[17] STRIDE = "enjambee" (the French word for "stride")
[18] [Microsoft 2005] STRIDE threat model


0 - introduction summary

- pedagogic contract: student behavior, practical assessments
- infosec motivations: cybercrime, cyberwar, competitors, business reputation, hacktivism
- security properties: confidentiality, integrity, availability, freshness..
- basic security definitions: security policy, threat, vulnerability, exploit, attack ...


“5MMSSI - information systems security” index

1 - Selection of vulnerabilities and attacks
2 - Security management: risk, legals, ethics
3 - Cryptography and applications
4 - Security testing techniques
5 - Diverse security mechanisms: end-point, network, servers


For Further Reading

Ari Takanen, Jared DeMott, Charlie Miller (2008). Fuzzing for Software Security Testing and Quality Assurance.

BBC (2011). Cyber attack on France targeted Paris G20 files. http://www.bbc.co.uk/news/business-12662596

CLUSIF (2011). Panorama de la Cyber-criminalite - Annee 2010. http://www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Panorama-Cybercriminalite-annee-2010.pdf

community, Open source (2011). Chromium Code Reviews. http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc

Ensiwiki (2011). A career in information security. http://ensiwiki.ensimag.fr/index.php/A_career_in_Information_Security

F-Secure (2011). DigiNotar Hacked by Black.Spook and Iranian Hackers. http://www.f-secure.com/weblog/archives/00002228.html


LLC, PCI Security Standards Council (2010). PCI-DSS v2. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Microsoft (2005). STRIDE threat model. http://msdn.microsoft.com/library/ms954176.aspx

(Microsoft), Cyril Voisin (2004). Notions fondamentales de securite.

(Microsoft), Technet. The 10 immutable security laws. http://technet.microsoft.com/en-us/library/cc722487.aspx

Nicolas Falliere, Liam O Murchu and Eric Chien (Symantec) (2011). W32.Stuxnet Dossier. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Nikam, Rajesh (2011). Introduction to Malware & Malware Analysis. http://chmag.in/article/sep2011/introduction-malware-malware-analysis

Senator (2002). California law - amending SB 1386. http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html


SPaCiOS (2011). Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors. http://www.spacios.eu

Spafford, Eugene H. (1989). Quotable Spaf. http://spaf.cerias.purdue.edu/quotes.html

Symantec (2011). Norton Cybercrime report 2011. http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_16

Wikipedia. Anonymous (hacktivist group). https://secure.wikimedia.org/wikipedia/en/wiki/Anonymous(group)

Wikipedia. Hacktivism. https://secure.wikimedia.org/wikipedia/en/wiki/Hacktivism

Wikipedia. Sarbanes-Oxley Act. https://secure.wikimedia.org/wikipedia/en/wiki/Sarbanes–Oxley_Act

Wikipedia (2011a). cyberwarfare. https://secure.wikimedia.org/wikipedia/en/wiki/Cyberwarfare


Wikipedia (2011b). Stuxnet. https://secure.wikimedia.org/wikipedia/en/wiki/Stuxnet

Wired (2011). Crime, organized. Available at http://www.wired.com/magazine/2011/01/ff_orgchart_crime/


Bonus slides

Some Information Security jobs

- hacker [19]
- security researcher / vulnerability analysts
- penetration tester / auditors [20]
- software security testers
- IT security:
  - IT security mechanisms implementer
  - CISO (Chief Information Security Officer)

[19] [Ari Takanen 2008] Fuzzing for Software Security Testing and Quality Assurance
[20] [Ensiwiki 2011] A career in information security


Phishing

(.. of course some kind of money benefit would then be derived)

some phishing examples
- email from the XXX bank: you have to change your password
- some welfare service sent you some money (e.g. "French CAF")
- PayPal urges you to log on to your account


Spam

How do they generate money?
- promoting fake drugs, porn websites
- phishing
- traffic broker to exploit vulnerabilities in browser (goal: trojan installation, for instance to participate in a botnet)


Botnet


Scamming

some rich guy from a far away country has no children and wants to give you 10 million USD but you first have to send 100 USD to him


Common misconceptions - best dummies quotes

"Our corporation is secure because..."
- firewall, IDS/IPS
- checksums thus integrity guaranteed
- no networks connected to the internet
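
Why "checksums thus integrity guaranteed" is a misconception, as an added example that is not part of the original slides: an unkeyed checksum can be recomputed by whoever changes the data, while a keyed MAC cannot. The messages, the key and all function names are constructed for this illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample values for this illustration (not from the slides).
ORIGINAL = b"pay 100 EUR to account 1234"
ALTERED = b"pay 900 EUR to account 9999"
KEY = b"constructed-secret-shared-by-sender-and-receiver"


def checksum_package(message: bytes) -> dict:
    """Sender: ship the message with unkeyed checksums (CRC32, SHA-256)."""
    return {"message": message,
            "crc32": zlib.crc32(message),
            "sha256": hashlib.sha256(message).hexdigest()}


def checksum_verify(package: dict) -> bool:
    """Receiver: recompute both checksums and compare."""
    msg = package["message"]
    return (zlib.crc32(msg) == package["crc32"]
            and hashlib.sha256(msg).hexdigest() == package["sha256"])


def mac_package(message: bytes, key: bytes) -> dict:
    """Sender: ship the message with an HMAC-SHA256 tag computed with a key."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"message": message, "tag": tag}


def mac_verify(package: dict, key: bytes) -> bool:
    """Receiver: recompute the tag with the shared key, constant-time compare."""
    expected = hmac.new(key, package["message"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, package["tag"])


def bit_flip(package: dict) -> dict:
    """Accidental corruption: one bit of the message changes, nothing else."""
    damaged = bytearray(package["message"])
    damaged[0] ^= 0x01
    return dict(package, message=bytes(damaged))


def modified_in_transit(package: dict, new_message: bytes) -> dict:
    """Deliberate change by a party without the key: the message is replaced
    and every field computable without a secret is recomputed to match."""
    changed = dict(package, message=new_message)
    if "crc32" in changed:
        changed["crc32"] = zlib.crc32(new_message)
    if "sha256" in changed:
        changed["sha256"] = hashlib.sha256(new_message).hexdigest()
    return changed  # an HMAC tag, if present, stays stale: no key, no new tag


def run_demo() -> dict:
    """Return, per scheme and per event, whether the receiver detects it."""
    plain = checksum_package(ORIGINAL)
    keyed = mac_package(ORIGINAL, KEY)
    return {
        "checksum_detects_bit_flip": not checksum_verify(bit_flip(plain)),
        "checksum_detects_modification":
            not checksum_verify(modified_in_transit(plain, ALTERED)),
        "hmac_detects_bit_flip": not mac_verify(bit_flip(keyed), KEY),
        "hmac_detects_modification":
            not mac_verify(modified_in_transit(keyed, ALTERED), KEY),
    }


if __name__ == "__main__":
    for check, detected in run_demo().items():
        print(f"{check}: {detected}")
```

The checksum still catches accidental corruption; what it cannot catch is a deliberate change made consistently with the checksum, which is the case the integrity goal is about.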


MALicious softWARES (malwares) categorization I [21]

- virus: self-replicating program injecting into a "host" (script, process...)
- worm: autonomous self-replicating program
- trojan horse: apparently useful software but with hidden malicious functionalities
- spyware: gathers personal or confidential information without the user's consent and sends it to a remote server
- backdoor: permits remote code execution on the victim's computer and opens a communication channel to which the attacker connects
- hacktool: tools used by attackers to get access to the system. Hacktools try to exploit vulnerabilities


MALicious softWARES (malwares) categorization II

- rootkit: actively hides from the OS, usually has the ability to interact at a low level (I/O such as keyboard, mouse, display..)
- rogue application: "fake" applications which pose as security solutions (e.g. faking malware detections). They usually mislead the user into paying for a pretended removal of malware.

[21] [Nikam 2011] Introduction to Malware & Malware Analysis