
Page 1: C01 Introduction in Computer Security

Network and Systems Security

Introduction in computer security

Page 2: C01 Introduction in Computer Security

Objectives

• List and discuss recent trends in computer security

• Describe simple steps to take to minimize the possibility of an attack on a system

• Describe various types of threats that exist for computers and networks

• Discuss recent computer crimes that have been committed

• Define basic terms associated with computer and information security.

• Identify the basic approaches to computer and information security.

• Distinguish among various methods to implement access controls.

• Describe methods used to verify the identity and authenticity of an individual.

• Recognize some of the basic models used to implement security in operating systems.

Page 3: C01 Introduction in Computer Security

The Security Problem

• Fifty years ago, computers and data were uncommon.

• Computer hardware was a high-value item and security was mainly a physical issue.

• Now, personal computers are ubiquitous and portable, making them much more difficult to secure physically.

• Computers are often connected to the Internet.

• The value of the data on computers often exceeds the value of the equipment.

Page 4: C01 Introduction in Computer Security

The Security Problem

• Electronic crime can take a number of different forms, but the ones we will examine here fall into two basic categories:

1. Crimes in which the computer was the target

2. Incidents in which a computer was used to perpetrate the act

• Virus activity also existed prior to 1988, having started in the early 1980s.

Page 5: C01 Introduction in Computer Security

Sample of Security Incidents

• The Morris Worm (November 1988)

• Citibank and Vladimir Levin (June–October 1994)

• Kevin Mitnick (February 1995)

• Omega Engineering and Timothy Lloyd (July 1996)

• Worcester Airport and “Jester” (March 1997)

• Solar Sunrise (February 1998)

• The Melissa Virus (March 1999)

• The Love Letter Virus (May 2000)

• The Code Red Worm (2001)

• Adil Yahya Zakaria Shakour (August 2001–May 2002)

• The Slammer Worm (2003)

• U.S. Electric Power Grid (1997–2009)

• Conficker (2008–2009)

• Fiber Cable Cut (2009)

Page 6: C01 Introduction in Computer Security

Threats to Security

• Internal vs. external

• Elite hackers vs. script kiddies

• Unstructured threats to highly structured threats

Page 7: C01 Introduction in Computer Security

Viruses and Worms

• It is important to draw a distinction between the writers of malware and those who release it.

• Viruses have no useful purpose.

• Viruses and worms are the most common problem that an organization faces.

• Antivirus software and system patching can eliminate the largest portion of this threat.

• Viruses and worms generally are non-discriminating threats.

• Viruses are easily detected and generally not the tool of choice for highly structured attacks.

Page 8: C01 Introduction in Computer Security

Malware

• Viruses and worms are just two types of malware threats.

• The term “malware” comes from “malicious software.”

• Malware is software that has a nefarious purpose, designed to cause problems to an individual (for example, identity theft) or your system.

Page 9: C01 Introduction in Computer Security

Intruders

• Hacking is the act of deliberately accessing computer systems and networks without authorization.

• Hackers are individuals who conduct this activity.

• Hacking is not what Hollywood would have you believe.

• Unstructured threats are conducted over short periods of time (lasting at most a few months), do not involve a large number of individuals, have little financial backing, and are accomplished by insiders or outsiders who do not seek collusion with insiders.

Page 10: C01 Introduction in Computer Security

Types of Intruders

• Script kiddies are individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities. They have enough understanding of computer systems to download and run scripts that others have developed.

• Script writers are those people who are capable of writing scripts to exploit known vulnerabilities. These individuals are much more technically competent than script kiddies and account for an estimated 8 to 12 percent of malicious Internet activity.

• Elite hackers are those highly technical individuals who not only have the ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities. This group is the smallest of the lot, however, and is responsible for, at most, only 1 to 2 percent of intrusive activity.

Page 11: C01 Introduction in Computer Security

Page 12: C01 Introduction in Computer Security

Insiders

• Insiders are more dangerous in many respects than outside intruders because they have the access and knowledge necessary to cause immediate damage to an organization.

• Attacks by insiders are often the result of employees who have become disgruntled with their organization and are looking for ways to disrupt operations.

• It is also possible that an “attack” by an insider may be an accident and not intended as an attack at all.

Page 13: C01 Introduction in Computer Security

Criminal Organizations

• As financial transactions over the Internet increased, criminal organizations followed the money.

• Fraud, extortion, theft, embezzlement, and forgery all take place in an electronic environment.

• A structured threat is characterized by a greater amount of planning, longer time to conduct the attack, and more financial backing than in an unstructured attack.

Page 14: C01 Introduction in Computer Security

Terrorist and Information Warfare

• Computer systems are important assets that nations depend upon. As such, they are now targets of unfriendly foreign powers.

• Information warfare is the warfare conducted against the information and information processing equipment used by an adversary.

• Information warfare is a highly structured threat.

Page 15: C01 Introduction in Computer Security

Critical Infrastructures

• During warfare, nations may choose targets other than the opposing army.

• Critical infrastructures are those whose loss or impairment would have severe repercussions on society. These include water, electricity, oil and gas refineries, banking, and telecommunications.

• Terrorists may also target these critical infrastructures.

Page 16: C01 Introduction in Computer Security

Security Trends

• The trend has been away from large mainframes to smaller personal computers.

• As the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased.

• The percent of organizations experiencing security incidents has declined (from 46 percent in 2007 to 43 percent in 2008).

• Four types of attacks are on the rise:

− Unauthorized access

− Theft/loss of proprietary information

− Misuse of web applications

− DNS attacks

• The average loss due to theft of proprietary information was $5.69 million in 2007.

• The average loss due to financial fraud was $21.12 million in 2007.

Page 17: C01 Introduction in Computer Security

Avenues of Attack

• There are two general reasons a particular system is attacked:

− It is specifically targeted.

− It is a target of opportunity.

• Equipment may be targeted because of the organization it belongs to or for political reasons.

• These attacks are decided before the software or equipment of the target is known.

• A hacktivist is a hacker who uses their skills for political purposes.

• Targets of opportunity – attacks are conducted against a site that has software vulnerable to a specific exploit. In these instances, the attackers are not targeting the organization; instead they are targeting a vulnerable device that happens to belong to the organization.

• Targeted attacks – specifically targeted attacks generally are more difficult and take more time than targets of opportunity.

Page 18: C01 Introduction in Computer Security

The Steps in an Attack

1. Profiling – Gather information on the target organization. Tools: the SEC EDGAR web site (www.sec.gov/edgar.shtml), whois lookup, Google.

2. Determine systems available – Ping sweep with nmap or SuperScan.

3. Fingerprinting – Determine the OS and open ports. Tools: nmap or SuperScan, banner grab.

4. Discover applicable exploits – Search web sites for vulnerabilities and exploits that exist for the OSes and services discovered.

5. Execute exploit – Systematically execute exploits.
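Steps 2 and 3 above leave a footprint a defender can look for: one source address touching many hosts in a short time (a ping sweep), or one source touching many ports on a single host (fingerprinting). The detection logic below is an added example written for this page, not code from the slides or their textbook. The log line format ("epoch proto src dst dport action"), the RFC 1918 addresses and the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample firewall log, one event per line:
#   "<epoch> <proto> <src_ip> <dst_ip> <dst_port> <action>"
# 10.0.0.5 pings 12 hosts in 12 seconds (a sweep), then probes 16 ports on
# one of them (fingerprinting). 10.0.0.9 is ordinary HTTPS traffic and must
# not raise an alert.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} icmp 10.0.0.5 192.168.1.{i + 1} 0 deny" for i in range(12)]
    + [f"{1700000020 + i} tcp 10.0.0.5 192.168.1.7 {p} deny"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                              443, 445, 993, 995, 3306, 3389])]
    + [f"{1700000000 + 30 * i} tcp 10.0.0.9 192.168.1.7 443 allow" for i in range(3)]
)


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, proto, src, dst, port, action = line.split()
    return {"ts": int(ts), "proto": proto, "src": src,
            "dst": dst, "port": int(port), "action": action}


def detect_recon(log_text, window=60, host_threshold=10, port_threshold=15):
    """Return {(src, kind): count} for every source whose activity inside some
    `window`-second span reaches a threshold.  kind is "sweep" (distinct
    destination hosts) or "portscan" (distinct ports on a single host);
    count is the largest value seen in any window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; O(n^2) is fine for an example.
        for i, start in enumerate(events):
            hosts = set()
            ports_per_host = defaultdict(set)
            for event in events[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                hosts.add(event["dst"])
                if event["proto"] in ("tcp", "udp"):
                    ports_per_host[event["dst"]].add(event["port"])
            if len(hosts) >= host_threshold:
                key = (src, "sweep")
                alerts[key] = max(alerts.get(key, 0), len(hosts))
            busiest = max((len(p) for p in ports_per_host.values()), default=0)
            if busiest >= port_threshold:
                key = (src, "portscan")
                alerts[key] = max(alerts.get(key, 0), busiest)
    return alerts


if __name__ == "__main__":
    for (src, kind), count in sorted(detect_recon(SAMPLE_LOG).items()):
        print(f"{src}: {kind} ({count} in {60}s)")
```

The thresholds are the tuning knobs: a monitoring host that legitimately polls many machines will trip the sweep rule unless it is allow-listed, so in practice the rule is paired with an exception list rather than lowered until it is silent.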

Page 19: C01 Introduction in Computer Security

Minimizing Possible Avenues of Attack

• System hardening – Involves reducing the services that are running on the system

• Patching – Ensures that your operating system and applications are up to date

• Limiting information – Makes it more difficult for an attacker to develop the attack by limiting the information available about your organization

Page 20: C01 Introduction in Computer Security

Types of Attacks

• If successful, an attack may produce one or more of the following:

− Loss of confidentiality – information is disclosed to individuals not authorized to see it.

− Loss of integrity – information is modified by individuals not authorized to change it.

− Loss of availability – information or the system processing it are not available for use by authorized users when they need the information.

Page 21: C01 Introduction in Computer Security

Basic Terms

• Hacking

− Previously used as a term for a person who had a deep understanding of computers and networks. He or she would see how things worked in their separate parts (or hack them).

− Media has now redefined the term as a person who attempts to gain unauthorized access to computer systems or networks.

• Phreaking

− Hacking of the systems and computers used by phone companies

Page 22: C01 Introduction in Computer Security

The CIA of Security

• Confidentiality

• Integrity

• Availability

Additional Concepts

• Authentication

• Nonrepudiation

• Auditability

Page 23: C01 Introduction in Computer Security

The Operational Method of Computer Security

• Protection = Prevention

− Previous model

• Protection = Prevention + (Detection + Response)

− Includes operational aspects

Page 24: C01 Introduction in Computer Security

Sample Technologies in the Operational Model of Computer Security

Page 25: C01 Introduction in Computer Security

Security Principles

• Security approaches

• Least privilege

• Separation of duties

• Implicit deny

• Job rotation

• Layered security

• Defense in depth

• Security through obscurity

• Keep it simple

Page 26: C01 Introduction in Computer Security

Security Approaches

• Ignore Security Issues

− Security is simply what exists on the system “out of the box.”

• Host Security

− Each computer is “locked down” individually.

− Maintaining an equal and high level of security amongst all computers is difficult and usually ends in failure.

• Network Security

− Controlling access to internal computers from external entities

Page 27: C01 Introduction in Computer Security

Least Privilege

• Least privilege means a subject (user, application, or process) should have only the necessary rights and privileges to perform its task with no additional permissions.

• By limiting an object's privilege, we limit the amount of harm that can be caused.

• For example, a person should not be logged in as an administrator—they should be logged in with a regular user account, and change their context to do administrative duties.

Page 28: C01 Introduction in Computer Security

Separation of Duties

• For any given task, more than one individual needs to be involved.

• Applicable to physical environments as well as network and host security.

• No single individual can abuse the system.

• Potential drawback is the cost.

− Time – Tasks take longer

− Money – Must pay two people instead of one

Page 29: C01 Introduction in Computer Security

Implicit Deny

• If a particular situation is not covered by any of the rules, then access cannot be granted.

• Any individual without proper authorization cannot be granted access.

• The alternative to implicit deny is to allow access unless a specific rule forbids it.
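The three principles on the last three slides (least privilege, separation of duties, implicit deny) are easiest to see side by side in a small rule evaluator. The code below is an added example, not from the slides or their textbook: the rule format, the subject and object names and the "two approvers" check are assumptions made for the illustration. The same policy is evaluated once with implicit deny and once with the alternative the slide mentions, so the difference is visible on an unmatched request.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str   # user or role the rule applies to
    action: str    # "read", "write", "approve", ...
    obj: str       # resource name
    effect: str    # "allow" or "deny"


@dataclass
class Policy:
    rules: list
    default_allow: bool = False   # False = implicit deny (the slide's recommendation)

    def decide(self, subject, action, obj):
        """Explicit deny wins, then explicit allow; anything unmatched gets the default."""
        matched = [r for r in self.rules
                   if r.subject == subject and r.action == action and r.obj == obj]
        if any(r.effect == "deny" for r in matched):
            return False
        if any(r.effect == "allow" for r in matched):
            return True
        return self.default_allow


def least_privilege_rules(subject, needed):
    """Least privilege: grant exactly the (action, object) pairs the task needs."""
    return [Rule(subject, action, obj, "allow") for action, obj in needed]


def dual_approval(policy, approvers, obj):
    """Separation of duties: a payment needs two *distinct* authorised approvers,
    so the same person listed twice does not count."""
    distinct = {a for a in approvers if policy.decide(a, "approve", obj)}
    return len(distinct) >= 2


def build_demo_policy(default_allow=False):
    """Hypothetical policy: alice only reads payroll, bob and carol approve payments,
    and carol is explicitly forbidden from writing payroll."""
    rules = least_privilege_rules("alice", [("read", "payroll")])
    rules += least_privilege_rules("bob", [("approve", "payment")])
    rules += least_privilege_rules("carol", [("approve", "payment")])
    rules.append(Rule("carol", "write", "payroll", "deny"))
    return Policy(rules, default_allow=default_allow)


if __name__ == "__main__":
    strict, loose = build_demo_policy(), build_demo_policy(default_allow=True)
    # The request "alice writes payroll" matches no rule: implicit deny refuses it,
    # the default-allow alternative lets it through.
    print("implicit deny :", strict.decide("alice", "write", "payroll"))
    print("default allow :", loose.decide("alice", "write", "payroll"))
    print("two approvers :", dual_approval(strict, ["bob", "carol"], "payment"))
```

Note that an explicit deny still wins under the default-allow policy; what changes is only the fate of requests nobody wrote a rule for, which is exactly the gap the slide warns about.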

Page 30: C01 Introduction in Computer Security

Job Rotation

• The rotation of individuals through different tasks and duties in the organization's IT department.

• The individuals gain a better perspective of all the elements of how the various parts of the IT department can help or hinder the organization.

• Prevents a single point of failure, where only one employee knows mission-critical job tasks.

Page 31: C01 Introduction in Computer Security

Layered Security

• Layered security implements different access controls and utilizes various tools and devices within a security system on multiple levels.

• Compromising the system would take longer and cost more than it's worth.

• Potential downside is the amount of work it takes to create and then maintain the system.

Page 32: C01 Introduction in Computer Security

Diversity of Defense

• This concept complements the layered security approach.

• Diversity of defense involves making different layers of security dissimilar.

• Even if attackers know how to get through a system that compromises one layer, they may not know how to get through the next layer that employs a different system of security.

Page 33: C01 Introduction in Computer Security

Security Through Obscurity

• Security through obscurity states that the security is effective if the environment and protection mechanisms are confusing or supposedly not generally known.

• The concept’s only objective is to hide an object (not to implement a security control to protect the object).

• It’s not effective.

Page 34: C01 Introduction in Computer Security

Keep It Simple

• The simple security rule is the practice of keeping security processes and tools simple and elegant.

• Security processes and tools should be simple to use, simple to administer, and easy to troubleshoot.

• A system should only run the services that it needs to provide and no more.

Page 35: C01 Introduction in Computer Security

Security Topics

• Access control

• Authentication

• Social engineering

Page 36: C01 Introduction in Computer Security

Access Control

• Access control is a term used to define a variety of protection schemes.

• This is a term sometimes used to refer to all security features used to prevent unauthorized access to a computer system or network.

• It’s often confused with authentication.

Page 37: C01 Introduction in Computer Security

Authentication

• Authentication deals with verifying the identity of a subject, while access control deals with the ability of a subject (individual or process running on a computer system) to interact with an object (file or hardware device).

• Three types of authentication:

− Something you know (password)

− Something you have (token or card)

− Something you are (biometric)

Page 38: C01 Introduction in Computer Security

Access Control vs. Authentication

• Authentication – This proves that you (subject) are who you say you are.

• Access control – This deals with the ability of a subject to interact with an object.

• Once an individual has been authenticated, access controls then regulate what the individual can actually do on the system.

• Digital certificates – This is an attachment to a message, and is used for authentication. It can also be used for encryption.

Page 39: C01 Introduction in Computer Security

Authentication and Access Control Policies

• Group policy

− By organizing users into groups, a policy can be made that will apply to all users in that group.

• Password policy

− Passwords are the most common authentication mechanism.

− Should specify: character set, length, complexity, frequency of change, and how it is assigned.
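The five items the slide says a password policy should specify map directly onto a checker that a system can enforce at password-change time. The code below is an added example and not part of the slides or their textbook; the concrete policy values (12 characters, three character classes, 90-day maximum age, printable ASCII without spaces) and the generated-initial-password approach are assumptions chosen for the illustration, and the sample passwords are constructed.

```python
import re
import secrets
import string
from datetime import date

# Hypothetical policy values; a real organisation sets its own.
POLICY = {
    "min_length": 12,                                  # length
    "classes_required": 3,                             # complexity: lower/upper/digit/symbol
    "allowed_charset": re.compile(r"^[\x21-\x7e]+$"),  # character set: printable ASCII, no spaces
    "max_age_days": 90,                                # frequency of change
}


def character_classes(pw):
    """Count how many of the four character classes the password uses."""
    return (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))


def check_password(pw, last_changed, today, policy=POLICY):
    """Return the list of policy violations; an empty list means compliant.
    Dates are ISO strings ("YYYY-MM-DD") so the function needs no extra setup."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append("too short")
    if not policy["allowed_charset"].match(pw):
        problems.append("character outside allowed set")
    if character_classes(pw) < policy["classes_required"]:
        problems.append("not complex enough")
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if age.days > policy["max_age_days"]:
        problems.append("password expired")
    return problems


def assign_initial_password(today, length=16, policy=POLICY):
    """'How it is assigned': generate a random initial password with the
    secrets module rather than letting an administrator pick one, and keep
    drawing until the result satisfies the same policy users must meet."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, today, today, policy):
            return pw


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, changed in [("Tr0ub4dor&3x!", "2024-01-01"), ("password", "2023-01-01")]:
        print(repr(pw), check_password(pw, changed, "2024-02-01") or "OK")
    print("initial password:", assign_initial_password("2024-02-01"))
```

The generated initial password would normally be flagged "must change at first logon"; that flag lives in the account store, not in the checker, which is why it is not modelled here.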

Page 40: C01 Introduction in Computer Security

Social Engineering

• Social engineering is the process of convincing an individual to provide confidential information or access to an unauthorized individual.

• Social engineering is one of the most successful methods that attackers have used to gain access to computer systems and networks.

• The technique relies on an aspect of security that can be easily overlooked: people.

• Most people have an inherent desire to be helpful or avoid confrontation. Social engineers exploit this fact.

• Social engineers will gather seemingly useless bits of information that, when put together, divulge other sensitive information. This is “data aggregation.”

Page 41: C01 Introduction in Computer Security

Security Policies & Procedures

• Policy – High-level statements created by management that lay out the organization's positions on particular issues

• Security policy – High-level statement that outlines both what security means to the organization and the organization's goals for security

• Procedure – General step-by-step instructions that dictate exactly how employees are expected to act in a given situation or to accomplish a specific task

Page 42: C01 Introduction in Computer Security

Acceptable Use Policy

• The acceptable use policy outlines the behaviors that are considered appropriate when using a company’s resources.

• Internet use policy

− This covers the broad subject of Internet usage.

• E-mail usage policy

− This details whether non-work e-mail traffic is allowed at all or severely restricted.

Page 43: C01 Introduction in Computer Security

Different Security Policies

• Change management policy

− This ensures proper procedures are followed when modifications to the IT infrastructure are made.

• Classification of information policy

− This establishes different categories of information and the requirements for handling each category.

• Due care and due diligence

− Due care is the standard of care a reasonable person is expected to exercise in all situations.

− Due diligence is the standard of care a business is expected to exercise in preparation for a business transaction.

Page 44: C01 Introduction in Computer Security

Different Security Policies

• Due process policy

− Due process guarantees fundamental fairness, justice and liberty in relation to an individual’s rights.

• Need-to-know policy

− This policy reflects both the principle of need to know and the principle of least privilege.

• Disposal and destruction policy

− This policy outlines the methods for destroying discarded sensitive information.

Page 45: C01 Introduction in Computer Security

Service Level Agreements

• Service level agreements are contractual agreements between entities that describe specified levels of service and guarantee that level of service.

− A web service provider might guarantee 99.99% uptime.

− Penalties for not providing the service are included.

Page 46: C01 Introduction in Computer Security

Human Resources Policies

• Employee hiring and promotions

− Hiring – Background checks, reference checks, drug testing

− Promotions – Periodic reviews, drug checks, change of privileges

• Retirement, separation, and termination of an employee

− Determine the risk to information; consider limiting access and/or revoking access

• Mandatory vacation

− An employee that never takes time off may be involved in nefarious activities and does not want anyone to find out.

Page 47: C01 Introduction in Computer Security

Security Models

• Confidentiality models

− Bell-LaPadula security model

• Integrity models

− Biba model

− Clark-Wilson model

Page 48: C01 Introduction in Computer Security

Bell-LaPadula Security Model

• Two principles

− Simple security rule (“no read up”)

− The *-property (pronounced "star property") principle (“no write down”)

• Objective – Protect confidentiality

Page 49: C01 Introduction in Computer Security

Biba Model

• Two principles based on integrity levels

− Low-water policy (“no write up”)

− Ring policy (“no read down”)

• Objective – Protect integrity
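The Bell-LaPadula and Biba slides above describe mirror-image rules over an ordered set of labels, which is why they are usually taught together: Bell-LaPadula compares secrecy labels and forbids reading up and writing down; Biba compares integrity labels and forbids reading down and writing up. The reference monitor below is an added example, not code from the slides or their textbook; the label names and the idea of checking both models on every request are assumptions. It implements the four quoted rules ("no read up", "no write down", "no read down", "no write up") literally and leaves aside the dynamic variants the slide's "low-water" and "ring" names refer to.

```python
# Ordered label sets, lowest first (hypothetical names; any total order works).
SECRECY = ["unclassified", "confidential", "secret", "top secret"]
INTEGRITY = ["low", "medium", "high"]


def dominates(order, a, b):
    """True when label a is at least as high as label b in the given order."""
    return order.index(a) >= order.index(b)


def bell_lapadula(op, subject_level, object_level):
    """Confidentiality: simple security rule and *-property."""
    if op == "read":                    # no read up: subject must dominate object
        return dominates(SECRECY, subject_level, object_level)
    if op == "write":                   # no write down: object must dominate subject
        return dominates(SECRECY, object_level, subject_level)
    raise ValueError(f"unknown operation {op!r}")


def biba(op, subject_level, object_level):
    """Integrity: the inverse of Bell-LaPadula over integrity labels."""
    if op == "read":                    # no read down: object integrity must dominate subject's
        return dominates(INTEGRITY, object_level, subject_level)
    if op == "write":                   # no write up: subject integrity must dominate object's
        return dominates(INTEGRITY, subject_level, object_level)
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(subject, op, obj):
    """Mediate one access. subject and obj are dicts carrying both a 'secrecy'
    and an 'integrity' label; the access is granted only if both models allow it."""
    return (bell_lapadula(op, subject["secrecy"], obj["secrecy"])
            and biba(op, subject["integrity"], obj["integrity"]))


if __name__ == "__main__":
    # Constructed sample: a secret-cleared, high-integrity analyst process.
    analyst = {"secrecy": "secret", "integrity": "high"}
    for name, obj in [("public feed", {"secrecy": "unclassified", "integrity": "low"}),
                      ("ts report", {"secrecy": "top secret", "integrity": "high"}),
                      ("own notes", {"secrecy": "secret", "integrity": "high"})]:
        for op in ("read", "write"):
            print(f"{op:5} {name:12} -> {reference_monitor(analyst, op, obj)}")
```

The combined monitor shows why the two models are rarely enforced together unmodified: the analyst may read the public feed under Bell-LaPadula but not under Biba (low-integrity data must not flow into a high-integrity subject), so only same-level objects are reachable for both operations.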

Page 50: C01 Introduction in Computer Security

Clark-Wilson Model

• Uses transactions as a basis for rules

• Two levels of integrity

− Constrained data items (CDI)

  • Subject to integrity controls

− Unconstrained data items (UDI)

  • Not subject to integrity controls

• Two types of processes

− Integrity verification processes (IVPs)

− Transformation processes (TPs)
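Clark-Wilson differs from the two lattice models in that it constrains *how* data changes rather than *who* may see it: CDIs may only be modified by certified TPs, each user is authorised for particular TPs, and an IVP confirms the CDIs are still in a valid state. The code below is an added example written for this page, not from the slides or their textbook; the account-balance invariant, the user names and the request-string format of the UDI are assumptions made for the illustration.

```python
class ClarkWilsonSystem:
    """Toy Clark-Wilson enforcement: CDIs change only through certified TPs,
    run by users authorised for that TP, and every run is checked by the IVP
    and rolled back if the integrity constraint no longer holds."""

    def __init__(self, balances):
        self.cdis = dict(balances)                    # constrained data items
        self.expected_total = sum(balances.values())  # the integrity constraint
        self.certified_tps = {}                       # name -> (function, authorised users)
        self.audit_log = []                           # every TP attempt is recorded

    def ivp(self):
        """Integrity verification procedure: no negative balance, money conserved."""
        return (all(v >= 0 for v in self.cdis.values())
                and sum(self.cdis.values()) == self.expected_total)

    def certify_tp(self, name, fn, users):
        """Certification: only TPs registered here may touch the CDIs."""
        self.certified_tps[name] = (fn, set(users))

    def run_tp(self, user, name, *args):
        """Enforcement: user-to-TP authorisation, then IVP after the change."""
        if name not in self.certified_tps:
            raise PermissionError(f"{name} is not a certified TP")
        fn, users = self.certified_tps[name]
        if user not in users:
            raise PermissionError(f"{user} may not run {name}")
        snapshot = dict(self.cdis)
        try:
            fn(self.cdis, *args)
            ok = self.ivp()
        except (KeyError, ValueError):   # malformed input inside the TP
            ok = False
        if not ok:
            self.cdis = snapshot         # well-formed transaction or nothing
        self.audit_log.append((user, name, args, "committed" if ok else "rejected"))
        return ok


def transfer(cdis, src, dst, amount):
    """A certified TP operating directly on CDIs."""
    cdis[src] -= amount
    cdis[dst] += amount


def accept_request(cdis, udi):
    """A TP that takes an unconstrained data item (a raw request string such as
    'checking -> savings: 200') and either converts it into a well-formed
    transfer or fails before any CDI is touched."""
    src, rest = udi.split("->")
    dst, amount = rest.split(":")
    transfer(cdis, src.strip(), dst.strip(), int(amount))


def build_demo():
    """Constructed sample: two accounts, a teller and a web front end."""
    system = ClarkWilsonSystem({"checking": 1000, "savings": 500})
    system.certify_tp("transfer", transfer, users=["teller"])
    system.certify_tp("accept_request", accept_request, users=["teller", "webapp"])
    return system


if __name__ == "__main__":
    system = build_demo()
    print(system.run_tp("teller", "transfer", "checking", "savings", 200), system.cdis)
    print(system.run_tp("teller", "transfer", "checking", "savings", 5000), system.cdis)
    print(system.run_tp("webapp", "accept_request", "savings -> checking: 100"), system.cdis)
    print(system.run_tp("webapp", "accept_request", "not a request"), system.cdis)
    for entry in system.audit_log:
        print(entry)
```

The overdraft attempt and the malformed request are both rejected by the same mechanism, the IVP-plus-rollback around every TP, which is the model's answer to the "two levels of integrity" on the slide: a UDI becomes a CDI only by passing through a TP that leaves the constraint intact.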

Page 51: C01 Introduction in Computer Security

Model Summary

Model – Objective – Policies

• Bell-LaPadula – Confidentiality – No read up; no write down

• Biba – Integrity – No read down; no write up

• Clark-Wilson – Integrity – Two levels of integrity (UDI and CDI); IVPs monitor TPs (transformation processes)

Page 52: C01 Introduction in Computer Security

Summary

• List and discuss recent trends in computer security

• Describe simple steps to take to minimize the possibility of an attack on a system

• Describe various types of threats that exist for computers and networks

• Discuss recent computer crimes that have been committed

• Define basic terms associated with computer and information security.

• Identify the basic approaches to computer and information security.

• Distinguish among various methods to implement access controls.

• Describe methods used to verify the identity and authenticity of an individual.

• Recognize some of the basic models used to implement security in operating systems.

Page 53: C01 Introduction in Computer Security

References

• [princ00] Principles of Computer Security: CompTIA Security+ and Beyond, Second Edition, Wm. Arthur Conklin et al., McGraw Hill, 2010

• [spr00] The Spread of the Code-Red Worm, http://www.caida.org/research/security/code-red/coderedv2_analysis.xml

• [time00] Timeline of Computer Viruses and Worms, http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms

• [what00] The What, Why, and How of the 1988 Internet Worm (Morris Worm), http://snowplow.org/tom/worm/worm.html

• [conf00] The Inside Story of the Conficker Worm, http://www.newscientist.com/article/mg20227121.500-the-inside-story-of-the-conficker-worm.html

• [love00] "No 'sorry' from Love Bug author", http://www.theregister.co.uk/2005/05/11/love_bug_author/

• [priv00] Least privilege, http://www.infoworld.com/d/security-central/computer-security-why-have-least-privilege-398

• [priv01] Least privilege, http://www.ibm.com/developerworks/linux/library/l-sppriv.html?ca=dgr-lnxw04Privileges

• [poli00] Policies – Templates, http://www.sans.org/security-resources/policies/

• [pbs00] PBS "Cyber War", http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/

• [war00] 60 Minutes "Cyber War", http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml

• [defe00] Defense-in-depth program introduces availability, confidentiality, integrity, authentication, and nonrepudiation integrated into government, http://niatec.info/mediacontent/InTodaysWorld.wmv

• [mccu00] Introduces the McCumber model in a humorous manner, http://niatec.info/mediacontent/The%20Cube.WMV