Upload
mr100sp
View
882
Download
0
Tags:
Embed Size (px)
Citation preview
Lesson 1-Introduction and Security Trends
Background
Terrorists have targeted people and physical structures.
– The average citizens are more likely to be the target of an
attack on their computers than they are to be the direct victim
of a terrorist attack.
Background
This presentation addresses the issues surrounding why
people should be concerned about computer and network
security.
It also introduces a number of issues involved in securing
computers and networks from a variety of threats utilizing
different attacks.
Objectives
Upon completion of this lesson, the students will be able to:
– List and discuss the recent trends in computer security.
– Describe simple steps to minimize the possibility of an attack
on a system.
– Describe the various types of threats that exist for computers
and networks.
– Discuss recent computer crimes that have been committed.
Yesterday and Today
Fifty years ago:
– Few people had access to a computer system or a network
– Securing these systems was easier.
– Companies did not conduct business over the Internet.
Today, companies rely on the Internet to operate and
conduct business.
The Security Problem
Networks are used to transfer vast amounts of money in
the form of bank transactions or credit card purchases.
When money is transferred via networks, people try to take
advantage of the environment to conduct fraud or theft.
Comparisons
Comparisons indicate that:
– Average bank robbery amounts to $2,500.
– Average bank fraud amounts to $25,000.
– Average computer crime amounts to $500,000.
– Computer crime loss amounts to $5 - $10 billion annually.
The Security Problem
There are various ways to attack computers and networks
to take advantage of what has made shopping, banking,
investment, and leisure pursuits a matter of “dragging and
clicking” for many people.
– Identity theft is common today.
Security Incidents
By examining some of the crimes that have been
committed over the last dozen or so years, we can:
– Understand the threats and the security issues that surround
the computer systems and networks.
F.B.I. Statistics
Of all the computer crimes, only 1% are detected, and 7%
of the detected crimes are reported.
Jail sentences, which are usually short-term, amount to only
3%.
A 75% increase per year has been reported in computer
intrusions.
Computer crime has increased to 36%.
Security Incidents
Electronic crime can take different forms.
The two categories of electronic crimes are:
– Crimes in which the computer is the target of the attack.
– Incidents in which the computer is a means of perpetrating a
criminal act.
The Morris Worm (November 1988)
Robert Morris, a graduate of Cornell University, released
The Internet Worm (or the Morris Worm).
– The worm infected 10 percent of the machines (approximately
6,000) connected to the Internet at that time.
– The virus caused an estimated $100 million in damage, though
this number has been the subject of wide debate.
Citibank and Vladamir Levin (June – October 1994)
From June 1994 through October, Vladimir Levin, of
St. Petersburg, made a number of bank transfers.
– When he and his accomplices were caught, they had
transferred an estimated $10 million.
– Eventually all but about $400,000 was recovered.
– Levin reportedly accomplished the break-ins by dialing into
Citibank’s cash management system.
Kevin Mitnick (February 1995)
Kevin Mitnick’s computer activities occurred over a number
of years from the 1980’s through 1990’s.
– Mitnick admitted to having gained unauthorized access to a
number of computer systems belonging to companies such as
Motorola, Novell, Fujitsu, and Sun Microsystems.
Omega Engineering Timothy Lloyd (July 1996)
On July 30, 1996, a software “time bomb” at Omega
Engineering deleted all design and production programs of
the company. This severely damaged the small company
forcing the layoff of 80 employees.
The program was traced back to Timothy Lloyd who had left
it in retaliation for his dismissal.
Jester and the Worcester Airport (March 1997)
In March 1997, airport services to the FAA control tower as
well as emergency services at the Worcester Airport and
the community of Rutland, Massachusetts, were cut off for
six hours.
This disruption occurred as a result of a series of commands
sent by a teenage computer “hacker” who went by the
name of “jester.”
The individual gained unauthorized access to the “loop
carrier system” operated by NYNEX.
Solar Sunrise (February 1998)
During a period of increased tensions between the United
States and Iraq and subsequent military preparations, a
series of computer intrusions occurred at a number of
military installations in the United States.
Over 500 domain name servers were compromised during
the attacks.
Solar Sunrise (February 1998)
It was difficult to track the actual origin of the attacks. This
was because the attackers made a number of “hops”
between different systems, averaging eight systems before
reaching the target.
The attackers eventually turned out to be two teenagers
from California and their mentor in Israel.
Melissa Virus (March 1999)
Melissa is the best known of the early macro type of virus
that attaches itself to documents, which contain programs
with a limited macro programming capability.
The virus was written and released by David Smith.
This virus infected about a million computers and caused an
estimated $80 million in damages.
Melissa Virus (March 1999)
This virus clogged networks with the traffic and caused
problems for e-mail servers worldwide.
It attached itself to Microsoft Word 97 and Word 2000
documents.
Whenever a file was opened, a macro caused it to infect the
current host and also sent itself to the first fifty addresses
in the individual’s address book.
To avoid infection by Melissa, users should not open the
attached file.
Love Letter Worm (May 2000)
The worm spread via e-mail with the subject line
“ILOVEYOU.”
The number of infected machines worldwide may have
been as high as 45 million.
Similar to the Melissa virus, the Love Letter Worm spread
via attachment to e-mails. In this case, instead of utilizing
macros, the attachments were VBScript programs.
Code-Red Worm (2001)
On July 19, 2001, over 350,000 computers connected to the
Internet were infected by the Code-Red worm. The incident
took only 14 hours to occur.
Damages caused by the worm (including variations of the
worm released on later dates) exceeded $2.5 billion.
The vulnerability exploited by the Code-Red worm had been
known for a month.
Adil Yahya Zakaria Shakour (Aug 2001-May 2002)
Shakour accessed several computers without authorization,
including:
– Eglin Air Force Base (where he defaced the web site)
– Accenture (a Chicago-based management consulting and
technology services company)
– Sandia National Laboratories (a Department of Energy facility)
– Cheaptaxforms.com
At Cheaptaxforms.com, Shakour obtained credit card and
personal information, which he used to purchase items
worth over $7,000 for his own use.
Slammer Worm (2003)
The Slammer virus was released on Saturday, January 25,
2003.
It exploited a buffer-overflow vulnerability in computers
running Microsoft's SQL Server or Microsoft SQL Server
Desktop Engine.
– This vulnerability was not new.
– It had been discovered in July 2002.
– Microsoft had released a patch for the vulnerability even
before it was announced.
Slammer Worm (2003)
By the next day, the worm had infected at least 120,000
hosts and caused network outages and disruption of airline
flights, elections, and ATMs.
Slammer Worm (2003)
Slammer-infected hosts generated 1TB of worm-related
traffic every second.
– The worm doubled in the number of infected hosts every 8
seconds.
It took less than ten minutes to reach global proportions
and infect 90 percent of the possible hosts it could infect.
Threats to Security
In a highly networked world, new threats have developed.
There are a number of ways to break down the various
threats.
Breaking Down Threats
To break down threats, users need to:
– Categorize external threats versus internal threats.
– Examine the various levels of sophistication of the attacks
from “script kiddies” to “elite hackers.”
– Examine the level of organization for the various threats from
unstructured to highly structured threats.
Viruses and Worms
Employees in an organization may not follow certain
practices or procedures because of which an organization
may be exposed to viruses and worms.
However, organizations generally do not have to worry
about their employees writing or releasing viruses and
worms.
Viruses and Worms
Viruses and worms:
Are expected to be the most common problem that an
organization will face as thousands of them have been
created.
Are also generally non-discriminating threats that are
released on the Internet and are not targeted at a specific
organization.
Hacking
The act of deliberately accessing computer systems and
networks without authorization is called “hacking”.
The term may also be used to refer to the act of exceeding
one’s authority in a system.
Intruders are very patient as it takes persistence and
determination to gain access to a system.
Unstructured Threats
Attacks by individuals or even small groups of attackers fall
into the unstructured threat category.
Attacks at this level are generally conducted over short
periods of time (lasting at most a few months).
They do not involve a large number of individuals, and have
little financial backing.
They do not include collusion with insiders.
Intruders
Intruders, or those who are attempting to conduct an
intrusion, are of various types and have varying degrees of
sophistication.
Script Kiddies
At the low end technically are script kiddies.
They do not have the technical expertise to develop scripts
or discover new vulnerabilities in software.
They have just enough understanding of computer systems
to be able to download and run scripts that others have
developed.
Script Kiddies
Script kiddies are generally not as interested in attacking
specific targets.
Script kiddies look for any organization that may not have
patched a newly discovered vulnerability for which they
have located a script to exploit.
At least 85 to 90% of the individuals conducting
“unfriendly” activities on the Internet are probably
accomplished by these individuals.
Sophisticated Intruders
These individuals are capable of writing scripts to exploit
known vulnerabilities.
They are more technically competent than script kiddies.
They account for an estimated 8 to 12% of the individuals
conducting intrusive activity on the Internet.
Elite Hackers
Elite hackers are highly technical individuals and are able
to:
– Write scripts that exploit vulnerabilities.
– Discover new vulnerabilities.
This group is the smallest accounting for only 1 to 2% of the
individuals conducting intrusive activity.
Insider Threats
Insiders:
Are more dangerous than outside intruders.
Have the access and knowledge necessary to cause
immediate damage to an organization.
Insider Threats
Most security is designed to protect against outside
intruders and thus lies at the boundary between the
organization and the rest of the world.
Besides employees, insiders also include a number of other
individuals who have physical access to facilities.
Criminal Organizations
Criminal activity on the Internet at its most basic is not
different than criminal activity in the physical world.
A difference between criminal groups and the “average”
hacker is the level of organization that criminal elements
may employ in their attack.
Structured Threats
Attacks by criminal organizations can fall into the
structured threat category, which is characterized by:
– Planning.
– Long period of time to conduct the activity.
– More financial backing.
– Corruption of or collusion with insiders.
Terrorists and Information Warfare
As nations become dependent on computer systems and
networks, essential elements of the society might become a
target.
They might be attacked by organizations or nations
determined to adversely affect another nation.
Terrorists and Information Warfare
Many nations today have developed to some extent the
capability to conduct information warfare.
Information warfare is warfare conducted against
information and the information-processing equipment used
by an adversary.
Highly Structured Threats
Highly structured threats are characterized by:
– A long period of preparation (years is not uncommon).
– Tremendous financial backing.
– A large and organized group of attackers.
These threats may not only include attempts to subvert
insiders, but also include attempts to plant individuals
inside potential targets before an attack.
Highly Structured Threats
In information warfare, military forces are certainly still a
key target
Other likely targets can be the various infrastructures that a
nation relies on for its daily existence.
Critical Infrastructure
Critical infrastructures are those infrastructures whose loss
would have a severe detrimental impact on a nation.
Examples:
– Water.
– Electricity.
– Oil and gas refineries and distribution.
– Banking and finance.
– Telecommunications.
Information Warfare
Many countries have already developed a capability to
conduct information warfare.
Terrorist organizations can also accomplish information
warfare.
Terrorist organizations are highly structured threats that:
– Are willing to conduct long-term operations.
– Have tremendous financial support.
– Have a large and organized group of attackers.
Security Trends
The biggest change in security over the last 30 years has
been the change in the computing environment.
Large mainframes are replaced by highly interconnected
networks of much smaller systems.
Security has switched from a closed environment to one in
which computer can be accessed from almost anywhere.
Profile of Individuals
The type of individual who attacks a computer system or a
network has also evolved over the last 30 years.
– The rise of non-affiliated intruders, including “script-kiddies,”
has greatly increased the number of individuals who probe
organizations looking for vulnerabilities to exploit.
Important Trend
Another trend that has occurred is: as the level of
sophistication of attacks has increased, the level of
knowledge necessary to exploit vulnerabilities has
decreased.
Security Studies
One of the best-known security surveys is the joint survey
conducted annually by the Computer Security Institute (CSI)
and the FBI.
Security Studies
The number of organizations that have reported
unauthorized use of their computer systems has been
declining slowly (from 70% in 2000 to 56% in 2003).
The number of organizations that have reported attacks
from Internet connections has increased (from 59% in 2000
to 78% in 2003).
Organizations citing independent hackers as a likely source
of attacks have also increased (from 77% in 2000 to 82% in
2003).
Two Common Attacks
The two most frequent types of attacks have remained
constant with viruses and insider abuse of net access being
the most common.
A Steady Increase
With the exception of Denial-of-Service attacks and telecom
frauds, all categories had recorded a steady increase from
2000 through 2002, but then took a sharp decline in 2003.
A Decline in Loss
The average loss as a result of theft of proprietary
information hit a high of $6.57 million in 2002 but was only
$2.70 million in 2003.
Financial fraud plunged from $4.63 million in 2002 to $328
thousand in 2003.
Avenues of Attack
When a computer system is attacked, it is either specifically
targeted by the attacker, or it is an opportunistic target.
Specific Target
In the first case, the attacker chooses the target not
because of the hardware or software the organization is
running but for some other reason, such as a political
reason.
Target of Opportunity
The second type of attack, an attack against a target of
opportunity, is conducted against a site that has hardware
or software that is vulnerable to a specific exploit.
The attackers, in this case, are not targeting the
organization. Instead, they have learned of a vulnerability
and are looking for an organization with this vulnerability
that they can exploit.
Target of Opportunity
Targeted attacks are more difficult and take more time than
attacks on a target of opportunity.
– The second type of attack relies on the fact that with any piece
of widely distributed software, there will almost always be
somebody who has not patched the system.
The Steps in an Attack
The steps an attacker takes in attempting to penetrate a
targeted network are similar to the ones that a security
consultant performing a penetration test would take.
The attacker will need to gather as much information about
the organization as possible.
Perform a Ping Sweep
The first step in the technical part of an attack is often to
determine what target systems are available and active.
This is often done with a ping sweep, which sends a “ping”
(an ICMP echo request) to the target machine. If the
machine responds, it is reachable.
Perform a Port Scan
The next step is to perform a port scan. This will help
identify the ports that are open, which gives an indication
of the services running on the target machine.
Determine the Operating System
After determining the services available, the attacker needs
to determine the operating system running on the target
machine and specific application programs.
Sources of Information
There are numerous web sites that provide information on
vulnerabilities in specific application programs and
operating systems.
Sources of Information
In addition to information about specific vulnerabilities,
some sites may also provide tools that can be used to
exploit vulnerabilities.
An attacker can search for known vulnerabilities and tools
that exploit them, download the information and tools, and
then use them against a site.
Administrative Mistake
The attack may be successful if the administrator for the
targeted system has not installed the correct patch.
The attacker will move on to the next possible vulnerability
if the patch has been installed.
The General Process
There are different ways in which a system can be
attacked.
– Gathering as much information as possible about the target
(using both electronic and non-electronic means).
– Gathering information about possible exploits based on the
information about the system, and then systematically
attempting to use each exploit.
If It Does Not Work
If the exploits do not work, other, less system-specific,
attacks may be attempted.
Minimizing Avenues of Attack
Understanding the steps an attacker will take enables to
limit the exposure of the system and minimize the avenues
an attacker might possibly exploit.
Minimizing Avenues of Attack
The first step an administrator can take to minimize the
possible attacks is to ensure that all patches for the
operating system and the applications are installed.
The second step an administrator can take is to limit the
services running on a system.
Another step that can be taken to minimize the possible
avenues of attack is to provide as little information as
possible on an organization and its computing resources.
Types of Attacks
There are a number of ways that a computer system or a
network can be attacked.
Attacks can result in one of a few general consequences:
– A loss of confidentiality where information is disclosed to
unauthorized individuals.
– A loss of integrity where information is modified by
unauthorized individuals.
– A loss of availability where information or the systems
processing it are not available for authorized users.