

IMS3110 INFORMATION SYSTEMS SECURITY

Week 2

IS SECURITY – Threats, Breaches and vulnerabilities

Lecturer: Sue Foster

Weekly IS Security topics

| Week | Date (week beginning) | Lecture Topics | Assessment | Tutorials |
|---|---|---|---|---|
| 1 | 18 July | Brief overview of the unit and unit outline; Introduction to IS Security in organisations | Assignment 1&2 handed out | No tutorial this week |
| 2 | 25 July | IS Security – framework; Breaches, threats, vulnerabilities | Presentations will be conducted in tutorials | Introduction to IS security and the goals of IS Security |
| 3 | 1 August | IS Security – access controls; Andrew Dixon (librarian, SIMS contact person at the library) – talk on accessing databases and electronic journals, referencing internet sources etc. | | Breaches, threats, vulnerabilities |
| 4 | 8 August | Risk management | Presentation 1&2 (7.5%) | IS Security access controls |
| 5 | 15 August | Risk analysis | Assignment 1 due = 5% | Risk management |
| 6 | 22 August | E-commerce – Internet security | Presentation 3 | Risk analysis |
| 7 | 29 August | Internet security cont'd | Presentation 4 | E-commerce – internet security |
| 8 | 5 September | Security design (http://www.cert.org/archive/html/protect-critical-systems.html) | Presentation 5 | Security design |
| 9 | 12 September | Security policies and procedures | Presentation 6 | Security policies etc |
| 10 | 19 September | Business continuity plans (BCP) and disaster recovery | Presentation 7&8 | BCP and disaster recovery |

Assignments 1 and 2

• ASSIGNMENT 1 (5%)
  – Due date: Week 5, beginning Monday, 15 August
  – Overview of Assignment 2
  – Word count = 1000 words
• ASSIGNMENT 2 (20%)
  – Due date: Friday, 26 September, 5 pm
  – Option 1, 2 or 3 – 3000 words approx
  – Structured from Assignment 1

Lecture Objectives

• Know and understand the threat classification scheme
• Know and understand the different types of threats
• Appreciate the possible complexity and severity of breaches
• Understand IS vulnerability to threats
• Reflect on the CIA framework for all security threats, breaches and vulnerabilities

Key Terms

• Threats
• Breaches
• Vulnerabilities
• Virus
• Hackers
• Trojan horse
• CIA
• Bomb
• Malicious code
• Salami slicing
• Worms
• Trapdoors/backdoor
• Controls
• Passwords
• Denial of Service

Threats

• Threats are possible attacks on targets such as information resources, causing the system to lose confidentiality, integrity or availability (loss of CIA).
• Some threats manifest themselves in accidental occurrences and others are purposeful.
  – Eg all hackers represent a potential danger or threat to an unprotected or vulnerable information system

(Whitman & Mattord, 2003)

Security Threats

• Availability
  – Denial of Service
  – Sabotage
  – Forces of nature
• Confidentiality/Privacy
  – Sniffing
  – Eavesdropping
  – Theft
  – Espionage
• Unauthorised access and data collection
• Integrity/Authenticity
  – Data/Message Tampering
• Identity
  – Masquerading
• Intellectual Property
  – Fraud
  – Piracy
  – Copyright infringement

[Diagram: the CIA triad – Confidentiality, Integrity, Availability]

The goals of security are to provide:

[Diagram: Confidentiality, Privacy, Integrity, Availability, Authentication, Non-repudiation, and Accountability (marked with a question mark)]

Confidentiality

• Confidential data should only be accessed by authorised individuals
  – How do we ensure this?
• Data should be classified on a confidentiality rating: 1 highly classified – 5 general use
• Authorised user access should also be classified accordingly
• Ensures data integrity

Data Integrity

Whitman & Mattord (2003) define integrity as “The quality or state of being whole, complete and uncorrupted. Integrity of information is threatened when information is exposed to corruption, damage, destruction, modification or other disruption of its authentic state” (p13).

Data should be:
  – Correct – without error
  – Timely – up to date
  – Available as required

• http://gcn.com/23_20/security/26695-1.html

Government Computer News (GCN.com), 07/26/04, Vol. 23 No. 20: “Los Alamos cracks down on security” by Wilson P. Dizard III, GCN Staff

Availability

Whitman et al (2003) state, “Availability enables users who need to access information to do so without interference or obstruction and to receive it in the required format.” (p10)
  – The property of being accessible and usable (without delay) upon demand by an AUTHORISED entity
  – There should be no denial of service

Vulnerabilities

• A vulnerability is a weakness or fault in a system or protection mechanism that exposes information to attack or damage.
• Vulnerabilities can range from a flaw in a software package, to an unprotected system port or an unlocked door.
  – (Whitman & Mattord, 2003 p29)

Vulnerabilities

• A vulnerability is a weakness in existing controls which might be exploited
  – Involves a possible threat to a target DUE TO INADEQUATE CONTROLS
• Eg a hacker can illegally access a program and change the code:
  – Threat: the hacker
  – Threat type: Modification
  – Target: program
  – Possibility: “can”, due to inadequate access controls being in place

The Core Issues

[Diagram: THREATS, BREACHES and VULNERABILITIES surrounding the Information system; INFORMATION SYSTEM SECURITY = DATA SECURITY = Confidentiality, availability, integrity, Authenticity]

"Laws of Vulnerabilities" – Gerhard Eschelbeck, chief technology officer, Qualys (2003)

• Companies have made significant strides in patching against vulnerabilities that threaten the perimeter, but fixing internal flaws is still a big problem, a researcher said Wednesday as he prepared to present his findings at the Black Hat security meetings in Las Vegas.
• At last year's annual Black Hat gathering, Gerhard Eschelbeck, the chief technology officer of Qualys, laid out what he dubbed the "Laws of Vulnerabilities," a number of observations about security flaws' behavior.
• Basing his research on statistical analysis of some 1.24 million vulnerabilities scanned over an 18-month period, Eschelbeck noted then that critical vulnerabilities, such as those exploited by Slammer, Code Red, and last summer's MSBlast, have a "half-life" of 30 days. In other words, about 50 percent of the vulnerable systems were patched within the first 30 days of a vulnerability's disclosure.

2004

• His revised research -- now based on a look at over 4 million critical vulnerabilities collected from a two-and-a-half-year period -- points to a significant drop in half-life of threats to enterprises' perimeters.
• "The half-life went down from 30 days to just 21," said Eschelbeck. "That's a dramatic improvement."

Retrieved on 30 July 2004 and located at http://www.internetweek.com/allStories/showArticle.jhtml?articleID=26100503
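A worked example of what the 30-day and 21-day half-lives quoted above imply for an organisation, added here and not part of the lecture or of Eschelbeck's research: it assumes the exponential-decay model that a "half-life" describes, fits a half-life to a constructed set of scan observations, and projects how long a fleet stays exposed.

```python
import math

# Constructed scan observations: (days since disclosure, fraction of scanned
# hosts still unpatched). Made-up numbers for the example, not Qualys data;
# they roughly follow a 30-day half-life.
SCAN_OBSERVATIONS = [(7, 0.86), (14, 0.71), (30, 0.49), (60, 0.26)]


def remaining_fraction(days: float, half_life_days: float) -> float:
    """Fraction of hosts still unpatched `days` after disclosure when half of
    the remaining unpatched hosts get fixed every `half_life_days`."""
    return 0.5 ** (days / half_life_days)


def days_until_remaining(target_fraction: float, half_life_days: float) -> float:
    """Days until only `target_fraction` of hosts remain unpatched (the
    inverse of remaining_fraction)."""
    if not 0 < target_fraction <= 1:
        raise ValueError("target fraction must be in (0, 1]")
    return half_life_days * math.log2(1 / target_fraction)


def estimate_half_life(observations) -> float:
    """Fit a half-life to (day, fraction_unpatched) samples.

    Under exponential decay ln(f) = -k*t, so a least-squares line through the
    origin gives k = -sum(t*ln f) / sum(t*t) and the half-life is ln2 / k.
    """
    num = 0.0
    den = 0.0
    for day, fraction in observations:
        if not 0 < fraction <= 1:
            raise ValueError(f"bad fraction {fraction} on day {day}")
        num += day * math.log(fraction)
        den += day * day
    if den == 0 or num >= 0:
        raise ValueError("observations show no patching progress")
    return math.log(2) / (-num / den)


if __name__ == "__main__":
    print(f"fitted half-life: {estimate_half_life(SCAN_OBSERVATIONS):.1f} days")
    for half_life in (30, 21):
        print(f"half-life {half_life}d: {remaining_fraction(60, half_life):.1%} "
              f"still exposed at day 60; 90% patched after "
              f"{days_until_remaining(0.1, half_life):.0f} days")
```

With the same model, cutting the half-life from 30 to 21 days drops the exposed share at day 60 from 25% to about 14%, and brings 90% coverage forward by roughly a month.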

Hackers, Crackers and all that jazz

• Hackers
  – White hats
  – Black hats
• Script kiddies
• Crackers

Hacker Support Groups

DefCon – http://www.defcon.org/ – largest hacking convention in the world

Reference: http://rootprompt.org/article.php3?article=756

Hackers

• What are they?
• What is the difference between white hat hackers and black hat hackers?

Crackers

• Explore systems for the pure technical challenge
• Hobby
• Exploit systems without permission
  – Data disclosure
  – Accidental damage

CIA!!!

Security Breach

A breach is:
• the disclosure,
• modification or
• destruction of a system’s information resources
  – Data
  – Software
  – Hardware

Study in 2004 by Computer Security Institute/FBI (CSI/FBI)

• 90% of respondent organisations detected computer security breaches within the last 12 months
• 80% of these lost money to computer breaches, up to $456m
• Internet attacks rose from 70% (2001) to 74% (2002)

Breaches To IS

• A breach of information system security occurs when malicious code or an unauthorised user:
  – Gains unauthorised use of, or access to, a computer system
  – Copies or modifies data and/or programs in the system, or releases its information
  – Destroys hardware, software or data, or locks the computer from proper user access

4,677 Viruses In First Six Months of 2004 – by W. David Gardner, TechWeb News (InternetWeek.com, July 28, 2004, 12:00 PM EDT)

• A firm specializing in the development of anti-virus and anti-spam software stated 4,677 new viruses were written in the first six months of 2004 -- an increase of 21 percent over the same period last year.
• The major viruses were Sasser, which had a 26.1 percent share of viruses, and variations of the Netsky virus, said Sophos analyst Graham Cluley.
• "About 70 percent of infected computers were infected by one German student," said Cluley.
• The student, 17 years old when he created the viruses, is awaiting trial in Germany. The teenager has been charged with writing both viruses.

SASSER WORM – http://www.microsoft.com/security/incident/sasser.mspx

Virus Alert Severity Ratings – RED

• Published: June 18, 2004
• The Sasser worm (W32.Sasser) and its variants are circulating on the Internet.
• This worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13 in conjunction with Microsoft Security Bulletin MS04-011.

Microsoft Virus Alert Severity Ratings – RED
http://www.microsoft.com/security/incident/virus_severity_ratings.mspx

CRITICAL: A vulnerability related to Microsoft software has been found, or an update is unavailable; two or more vectors of infection are known; a new vector of infection is possible; the distribution potential is high; unique data destruction can occur; and a significant disruption of service has occurred.

Mydoom Worm

• The Mydoom worm installs a "back door" on infected computers, which virus writers can use to gain access to your PC. Variants of Mydoom are spreading to computers that have been infected with Mydoom.A.
• Microsoft urges you to take action to remove these worms and to help keep your computer safe from malicious intrusions.

The Blaster Worm

• The Blaster worm and its variants exploit a security issue related to the Remote Procedure Call (RPC) function.
• To help protect against this issue, Microsoft recommends that customers install the update released on September 10, 2003, in conjunction with Microsoft Security Bulletin MS03-039.

What is a worm?

• Worms are malicious programs that replicate themselves constantly without requiring another program.
• Worms can continue replicating until they completely fill available resources: memory, hard drive space, etc.
• Examples: CODE RED, NIMDA (ADMIN), SIRCAM and KLEZ
• Can use a variety of distribution vectors to programmatically distribute the virus – polymorphic threat

Famous Breach: Internet Worm

• Spread on the Internet, causing $100 million damage
• Clogged memory but did not modify files or data
• Cornell Commission reported on the incident
• Robert Morris was convicted in 1990 on one count under the 1986 Computer Fraud and Abuse Act (New York)
• Increased public awareness of security problems (Eisenberg et al, 1989)

Significance Of The Case

• Used as a precedent for future hacker cases
• Robert Morris was imprisoned
• Commission set up by Cornell University highlighted many controversial issues
• Liability placed with Cornell University for not having adequate controls in place

Threat Classification

Threats are grouped by activities: 12 general categories organised into five main groups:
1. Inadvertent acts
2. Deliberate acts
3. Acts of God
4. Technical failures
5. Management failures

How Does This Help

• By examining each threat category in turn, management can most effectively protect its information through policy, education and training, and technology controls.
• Each organisation should prioritise the real and present dangers based on its particular security situation, strategy and the exposure levels of its assets.

Threats To Information Security

Threat Group 1: Inadvertent Acts
  – Acts of human error or failures
  – Deviations in quality of service by service providers
  Examples: accidents, employee mistakes

Threat Group 2: Deliberate Acts
  – Deliberate acts of espionage or trespass
  – Deliberate acts of information extortion
  – Deliberate acts of sabotage or vandalism
  – Deliberate acts of theft
  – Deliberate software attacks
  Examples: unauthorised access and/or data collection; blackmail of information disclosure; destruction of systems or information; illegal confiscation of equipment or information; malicious code, viruses, worms, denial of service

Threat Group 3: Acts of God
  – Forces of nature
  Examples: fire, flood, earthquake, lightning

Threat Group 4: Technical failures
  – Technical hardware failures or errors
  – Technical software failures or errors
  – Technological obsolescence
  Examples: equipment failure; bugs, code problems, unknown loopholes; antiquated or outdated technologies

Threat Group 5: Management failures

Deliberate Or Accidental

• Deliberate threats:
  – Attacks which are carried out intentionally, eg an unhappy employee installing a “logic bomb” in code, set to execute and destroy files, etc after their departure
• Accidental:
  – Unintentional attacks, eg keying in a transaction incorrectly

Interruption

• Following a threat attack, an information resource becomes damaged or inaccessible for a while.
• Typically information normally available from a source cannot be communicated to the desired destination, eg inability to access customer information

Interception

• An outsider gains access to the system in order to view data
• Enables an outsider to acquire and use internal data for their own advantage
• Eg intercept and decode electronic emissions

Modification

• An unauthorised person (insider or outsider) changes an information resource
  – Eg Salami attack (slicing off portions of someone else’s data out of a record and accumulating it elsewhere to be used later)
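The salami attack above is hard to spot with a totals-only reconciliation, because the slices and the account that collects them cancel out. This added example (not from the lecture) audits a constructed batch of interest postings one posting at a time against the ledger's documented rounding rule; the account names, the amounts and the half-up rounding rule are all assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed batch of (account, exact interest computed, amount actually posted).
# Three customer postings were truncated instead of rounded and the sub-cent
# slices were credited to ACC-9999. Not real data.
BATCH = [
    ("ACC-1001", Decimal("12.3456"), Decimal("12.34")),  # rule says 12.35
    ("ACC-1002", Decimal("7.8912"),  Decimal("7.89")),   # correct
    ("ACC-1003", Decimal("3.2078"),  Decimal("3.20")),   # rule says 3.21
    ("ACC-1004", Decimal("45.0050"), Decimal("45.00")),  # rule says 45.01
    ("ACC-9999", Decimal("0"),       Decimal("0.03")),   # collects the slices
]
# A constructed batch that obeys the rule, for comparison.
CLEAN_BATCH = [("ACC-2001", Decimal("1.0050"), Decimal("1.01"))]


def expected_posting(exact: Decimal) -> Decimal:
    """The ledger's documented rounding rule (assumed): half-up to the cent."""
    return exact.quantize(CENT, rounding=ROUND_HALF_UP)


def audit_batch(postings):
    """Check every posting against the rounding rule.

    Returns (net_by_account, suspects, batch_balances):
      net_by_account  - posted minus expected, for accounts that differ at all
      suspects        - accounts credited more than the rule allows while other
                        accounts in the same batch were short-changed
      batch_balances  - True when the surpluses exactly absorb the shortfalls,
                        which is why a totals-only reconciliation sees nothing
    """
    net = {}
    for account, exact, posted in postings:
        diff = posted - expected_posting(exact)
        if diff != 0:
            net[account] = net.get(account, Decimal("0")) + diff
    shortfall = sum((-d for d in net.values() if d < 0), Decimal("0"))
    suspects = sorted(a for a, d in net.items() if d > 0 and shortfall > 0)
    batch_balances = sum(net.values(), Decimal("0")) == 0
    return net, suspects, batch_balances


if __name__ == "__main__":
    net, suspects, balances = audit_batch(BATCH)
    print("batch totals reconcile:", balances)   # True: the slices cancel out
    for account, diff in sorted(net.items()):
        print(f"{account}: posted {diff} relative to the rule")
    print("suspect accounts:", suspects)         # ['ACC-9999']
```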

Fabrication

• New data or transactions are entered into the system, having value to the perpetrator of the crime as a method of inserting incorrect information into the system in order to produce substantial errors
• Eg introduce a false withdrawal of funds transaction

THREAT TARGET AREAS

1. Physical security – heating, ventilation
2. Natural hazards – fire, flood
3. Hardware and software faults – power/equipment failure, malicious code
4. Media damage or destruction – lack of an effective electronic records management process
5. Electromagnetic emanations – eavesdropping
6. Telecommunications compromise – wire taps, traffic analysis
7. People – inside threats/fraud, outside threats/hackers
8. Data privacy – data matching/profiling, disclosure of email

Malicious Code

Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage:

• Viruses
• Worms
• Trojan Horses
• Bombs
• Trapdoors
• Salami slicing

Viruses

• Programs that replicate themselves, infecting programs or disks and damaging programs and/or data.
• Most companies encounter viruses.
• Virus controls include:
  – passwords
  – regular backups
  – antivirus programs

Trojan Horses

• Program fragments that hide, and perform a disguised function.
• They can:
  – capture passwords,
  – disguise the introduction of viruses and worms,
  – spoof (trick) an individual into giving away access rights, file ownership or other privileges,
  – masquerade as someone else.
• A variation called the Trojan mule destroys itself after it has quietly completed its task.

Bombs

• These are variants of the Trojan Horse. They are activated when a date, event or condition occurs, or when a period of time has elapsed after a given date, event or condition.
• Typically they destroy data, programs or both.
• However they may take other malicious actions or send nasty messages.

Trapdoors

Defined as: unauthorised, undocumented code in the source document that gives special privileges to certain users (see SDLC phases – documentation).

• They are typically created during software development to facilitate such things as monitoring program performance, testing its features and making corrections and improvements in the code.
• Unfortunately they are not always removed at the end of software development. They may then be accidentally discovered and exploited by third parties.

BACKDOORS – a virus leaves a trapdoor for a hacker to enter
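What a leftover development hook looks like next to the hardened form, so that a reviewer knows what to look for. This is an added example, not code from the lecture: the account store, the PBKDF2 parameters, the user names, the passphrases and the `perf_probe` hook name are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed account store: username -> (salt, PBKDF2-SHA256 hash, role).
# The salt is fixed only so the example is deterministic; real systems draw a
# fresh random salt per account (os.urandom). The passphrases are made up.
_ITERATIONS = 100_000
_SALT = b"constructed-example-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


ACCOUNTS = {
    "alice": (_SALT, _hash("correct horse battery", _SALT), "user"),
    "ops":   (_SALT, _hash("another made-up passphrase", _SALT), "admin"),
}


def login(username: str, password: str):
    """Hardened form: the role comes only from the documented account store,
    and no user name is special-cased anywhere on the code path. Returns the
    role, or None when the credentials do not verify."""
    record = ACCOUNTS.get(username)
    if record is None:
        return None
    salt, stored, role = record
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None
    return role


def login_with_trapdoor(username: str, password: str):
    """The 'before' form: a hook left in from performance testing. It appears
    in no design document, skips the credential check entirely and hands out
    the highest role, which is exactly the trapdoor the slide describes."""
    if username == "perf_probe":   # undocumented test hook, never removed
        return "admin"
    return login(username, password)


def grants_outside_store(check, username: str) -> bool:
    """Review aid: does `check` grant a role to a name that is not in the
    account store, even with an empty password? Any True is a finding."""
    return username not in ACCOUNTS and check(username, "") is not None
```

The hardened `login` fails closed for `perf_probe` because the only way to obtain a role is to verify against a stored hash; the review aid turns that expectation into a test that a later "improvement" cannot silently break.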

Conclusion

• We have touched on the issues threatening information security and the impacts to information systems.
• As you can see, the threats are multiplying exponentially and IT staff are finding it more and more difficult to keep up with the changes.

Revision Questions

• Briefly explain the concept of an information system security breach.
  – How can security development be improved?
• Describe three major threats to an information system and discuss the impact these threats will have on the system and on the organisation in general.

References

• Eisenberg, T. et al. (1989) “The Cornell Commission: On Morris and the Worm”, CACM, Vol 32, No 6
• Loch, K. D., Carr, H. H., & Warkentin, M. E. (1992) “Threats to Information Systems: Today’s Reality, Yesterday’s Understanding”, MIS Quarterly, Vol 16, No 2, June
• Warman, A. R. (1993) “Computer Security Within Organisations”, MacMillan Information Systems Series, Ch. 1
• Whitman, M. E., & Mattord, H. J. (2003) Principles of Information Security. Canada: Thomson Learning, Inc.

Interesting Websites

Retrieved July 2005. Located at:
• http://www.microsoft.com/australia/security/educators/default.aspx
• http://www.securitypipeline.com/news/26100463;jsessionid=TF2NU1PS24QQAQSNDBGCKHY
• Internetweek.com