Computer Security Concepts
The NIST Computer Security Handbook [NIST95] defines the term computer security as:
“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”
Table 18.1: Threat Consequences, and the Types of Threat Actions That Cause Each Consequence (based on RFC 2828)
Communication Lines and Networks: Passive Attacks
Attempts to learn or make use of information from the system but does not affect system resources
Are in the nature of eavesdropping on, or monitoring of, transmissions
Goal of the attacker is to obtain information that is being transmitted
Difficult to detect because they do not involve any alteration of the data
Emphasis is on prevention rather than detection
Two types:
  Release of message contents: prevent an opponent from learning the contents of a transmission
  Traffic analysis: encrypting the contents of a message so that even if an opponent captures the message, they cannot extract the information
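The distinction between the two passive-attack types, shown as an added Python example that is not part of the original slides: a one-time pad prevents release of message contents completely, yet an eavesdropper who knows the set of possible messages can still tell which one was sent from its length alone (traffic analysis); padding every frame to a fixed size removes that leak. The candidate messages and the 64-byte frame size are constructed for this illustration.

```python
import os

# Constructed sample: the eavesdropper knows the set of messages a client
# might send, but not which one was sent on this connection.
CANDIDATES = [b"BUY", b"SELL ALL", b"HOLD POSITION UNTIL FURTHER NOTICE"]
FRAME_SIZE = 64  # fixed wire length used by the padded variant (assumption)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR with a fresh random key: release of message contents is prevented."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def pad_frame(plaintext: bytes, size: int = FRAME_SIZE) -> bytes:
    """Length-prefix and zero-pad so every frame on the wire is the same size."""
    if len(plaintext) > size - 1 or size > 256:
        raise ValueError("plaintext too long for frame")
    return bytes([len(plaintext)]) + plaintext + b"\x00" * (size - 1 - len(plaintext))


def unpad_frame(frame: bytes) -> bytes:
    """Strip the length prefix and padding added by pad_frame."""
    return frame[1:1 + frame[0]]


def candidates_by_length(ciphertext: bytes, padded: bool) -> list:
    """What a passive observer can infer from ciphertext length alone."""
    if padded:
        return [c for c in CANDIDATES if len(pad_frame(c)) == len(ciphertext)]
    return [c for c in CANDIDATES if len(c) == len(ciphertext)]


def observe(message: bytes, padded: bool) -> list:
    """Encrypt and 'send' message; return the observer's surviving candidates."""
    plaintext = pad_frame(message) if padded else message
    key = os.urandom(len(plaintext))
    ciphertext = otp_encrypt(plaintext, key)
    # Round-trip check: the legitimate receiver still recovers the message.
    recovered = otp_encrypt(ciphertext, key)
    assert (unpad_frame(recovered) if padded else recovered) == message
    return candidates_by_length(ciphertext, padded)
```

Without padding each candidate has a distinct length, so the observer identifies the message exactly; with padding all three candidates remain equally plausible.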
Communication Lines and Networks: Active Attacks
Involve some modification of the data stream or the creation of a false stream
Goal is to detect them and to recover from any disruption or delays
Four categories:
  Replay
  Masquerade
  Modification of messages
  Denial of service
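Since the slide's stated goal for active attacks is detection, here is an added Python example (not from the original slides) of a receiver that detects three of the four categories: modification and masquerade through an HMAC tag computed under a shared key, and replay through a strictly increasing sequence number. Denial of service cannot be addressed by this kind of check. The shared key, the JSON message format and the scenarios are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed shared key; in practice distributed out of band (assumption).
SHARED_KEY = os.urandom(32)


def make_message(key: bytes, seq: int, body: str) -> tuple:
    """Sender side: serialise with a sequence number and append an HMAC tag."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload, tag


class Receiver:
    """Receiver side: reject modified, masqueraded or replayed messages."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.log = []  # detection events, e.g. to forward to a SIEM

    def accept(self, payload: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            # Payload altered (modification) or built without the key (masquerade).
            self.log.append("integrity_failure")
            return False
        seq = json.loads(payload)["seq"]
        if seq <= self.last_seq:
            # Valid tag but stale sequence number: a captured message re-sent.
            self.log.append("replay")
            return False
        self.last_seq = seq
        return True


def run_scenarios() -> dict:
    """Drive the receiver through the cases and report what it accepted."""
    rx = Receiver(SHARED_KEY)
    genuine = make_message(SHARED_KEY, 1, "transfer 100")
    results = {"genuine": rx.accept(*genuine)}
    results["replay"] = rx.accept(*genuine)  # the same message delivered twice
    tampered = (genuine[0].replace(b"100", b"900"), genuine[1])
    results["modification"] = rx.accept(*tampered)
    forged = make_message(os.urandom(32), 2, "transfer 100")  # wrong key
    results["masquerade"] = rx.accept(*forged)
    results["events"] = list(rx.log)
    return results
```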
Intrusion Examples
Performing a remote root compromise of an e-mail server
Defacing a Web server
Guessing and cracking passwords
Copying a database containing credit card numbers
Viewing sensitive data without authorization
Running a packet sniffer on a workstation to capture usernames and passwords
Using a permission error on an anonymous FTP server to distribute pirated software and music files
Dialing into an unsecured modem and gaining internal network access
Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
Using an unattended, logged-in workstation without permission
Intruder Behavior Patterns
Hackers
  Organized group of intruders who hack into a computer for the thrill or for status
Criminals
  Usually have specific targets or classes of targets in mind
  Frequently Eastern European or Southeast Asian groups who do business on the Web
  Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
Insider Attacks
  Difficult to detect and prevent
  Employees have access to and knowledge of the structure and content of databases
  Can be motivated by revenge or a feeling of entitlement
Malicious Software
Malware
  Malicious software that exploits system vulnerabilities
  Designed to cause damage to or use up the resources of a target computer
  Frequently concealed within or masquerades as legitimate software
Two categories:
  Those that need a host program (parasitic)
  Those that are independent
May or may not replicate
Malicious Programs
Back door (also known as a trap door)
  Secret entry point into a program that allows someone who is aware of the back door to gain access without going through the usual security access procedures
  A maintenance hook is a back door inserted by a programmer to aid in testing and debugging
Logic Bomb
  One of the oldest types of program threats
  Code embedded in some legitimate program that is set to “explode” when certain conditions are met
Malicious Programs
Trojan Horse
  A useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function
  Can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly
Viruses
  Software that can “infect” other programs by modifying them
  The modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs
A virus has three parts:
  Infection mechanism
    The means by which a virus spreads, enabling it to replicate
    Also referred to as the infection vector
  Trigger
    The event or condition that determines when the payload is activated or delivered
  Payload
    What the virus does, besides spreading
    May involve damage or may involve benign but noticeable activity
Virus Classifications by Target
Boot sector infector
  Infects a master boot record and spreads when a system is booted from the disk containing the virus
File infector
  Infects files that the operating system or shell considers to be executable
Macro virus
  Infects files with macro code that is interpreted by an application
Virus Kits
Enable a relative novice to quickly create a number of different viruses
Tend to be less sophisticated than viruses designed from scratch
The sheer number of new viruses that can be generated using a toolkit creates a problem for antivirus schemes
Macro Viruses
An executable program embedded in a word processing document or other type of file
In the mid-1990s became by far the most prevalent type of virus
Threatening because:
  A macro virus is platform independent
  Macro viruses infect documents, not executable portions of code
  Macro viruses are easily spread
  Traditional file system access controls are of limited use in preventing their spread
Worms
Programs that can replicate themselves and send copies from computer to computer across network connections
In addition to propagation, the worm usually performs some unwanted function
Actively seek out more machines to infect, and each machine that is infected serves as an automated launching pad for attacks on other machines
A network worm:
  Exhibits the same characteristics as a computer virus
  May attempt to determine if a system has previously been infected before copying itself
Bots
Also known as a zombie or drone
Program that secretly takes over another Internet-attached computer, then uses it to launch attacks that are difficult to trace to the bot’s creator
A botnet is a collection of bots capable of coordinating attacks
Uses of Bots
Distributed denial-of-service attacks
Spamming
Sniffing traffic
Keylogging
Spreading new malware
Installing advertisement add-ons and browser helper objects (BHOs)
Attacking IRC chat networks
Manipulating online polls/games
Remote Control Facility
What distinguishes a bot from a worm
A worm propagates itself and activates itself, whereas a bot is controlled from some central facility
A typical means of implementation is on an IRC server
All bots join a specific channel on this server and treat incoming messages as commands
Once a communications path is established between a control module and the bots, the control module can activate the bots
Constructing a Network Attack
Software to carry out the attack must be able to run on a large number of machines and remain concealed
The attack must be aware of a vulnerability that many system administrators have failed to notice
A strategy for locating vulnerable machines must be implemented; this is known as scanning or fingerprinting
Credential Theft, Keyloggers, and Spyware
Keylogger
  Captures keystrokes on the infected machine to allow an attacker to monitor this sensitive information
Spyware
  Subverts the compromised machine to allow monitoring of a wide range of activity on the system
  May include monitoring the history and content of browsing activity
  Redirecting certain Web page requests to fake sites controlled by the attacker
  Dynamically modifying data exchanged between the browser and certain Web sites of interest
Phishing and Identity Theft
Phishing
  Exploits social engineering to leverage a user’s trust by masquerading as communications from a trusted source
  Spam e-mail may direct a user to a fake Web site controlled by the attacker, or to complete some enclosed form and return it to an e-mail account accessible to the attacker, which is used to gather a range of private, personal information on the user
Spear-phishing
  E-mail claiming to be from a trusted source; however, the recipients are carefully researched by the attacker and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity
Summary (Chapter 18: Computer and Network Security Threats)
Computer security concepts
  Threats and attacks
  Threats and assets
Intruder behavior patterns
Intrusion techniques
Malicious software
  Back door
  Logic bomb
  Trojan horse
  Mobile code
  Multiple-threat malware
Viruses
Worms
Bots
Spam
Credential theft, keyloggers, and spyware
Phishing and identity theft
Reconnaissance and espionage
Computer security trends