Unit 1: Class overview, general security concept, threats and defenses

Presentation transcript:

Unit 1: Class overview, general security concept, threats and defenses
Agenda: Syllabus; What is Security?; CSI/FBI Computer Crime and Security Survey; Attackers and Attacks; Layered Security Architecture; In-class exercise: Comparing a bank and a cyber-bank.

What is Security?
As in the non-cyber “real” world, security is used to secure, protect, and prevent bad things from happening (or try to).
From Webster: security, noun (plural -ties), 15th century.
1: the quality or state of being secure: as a: freedom from danger: SAFETY; b: freedom from fear or anxiety; c: freedom from the prospect of being laid off <job security>
2 a: something given, deposited, or pledged to make certain the fulfillment of an obligation; b: SURETY
3: an evidence of debt or of ownership (as a stock certificate or bond)
4 a: something that secures: PROTECTION; b (1): measures taken to guard against espionage or sabotage, crime, attack, or escape; (2): an organization or department whose task is security

What is Security? Security activities are based on 3 types of actions:
- Prevent: put protection measures/systems in place to protect assets and prevent unauthorized access.
- Detect: detect whether an asset has been compromised, when, and by whom, and gather information on the type of breach committed, the activities, and evidence logs.
- Act/React: take measures to recover from an attack and prevent the same type of attack, or stop an attack in progress.

CSI/FBI Computer Crime and Security Survey: How Bad is the Threat? The survey is conducted annually by the Computer Security Institute (http://www.gocsi.com). The 2005 edition is based on replies from 700 U.S. computer security professionals.

Website incidents have increased dramatically.

The general trend of losses is down, except for “unauthorized access to information” and “theft of proprietary information”.

Other Key Findings of the CSI/FBI survey
- Outsourcing of computer security activities is quite low.
- Use of cyber insurance remains low.
- Concern about negative publicity leads to a decline in reporting intrusions to law enforcement.
- A significant number of organizations conduct some form of economic evaluation of their security expenditures.

Other Key Findings of the CSI/FBI survey (contd.)
- Over 87% of the organizations conduct security audits, up from 82 percent in 2004’s survey.
- The Sarbanes-Oxley Act has begun to have an impact on information security in more industry sectors than last year.
- Most respondents view security awareness training as important. However, respondents from all sectors do not believe their organizations invest enough in it.

Other Empirical Attack Data: SecurityFocus Attack Targets
- 31 million Windows-specific attacks
- 22 million UNIX/LINUX attacks
- 7 million Cisco IOS attacks
All operating systems are attacked!

Attack Trends: Growing Incident Frequency
Incidents reported to the Computer Emergency Response Team/Coordination Center (CERT):
- 1997: 2,134
- 1998: 3,474 (75% growth from the year before)
- 1999: 9,859 (164% growth from the year before)
- 2000: 21,756 (121% growth from the year before)
- 2001: 52,658 (142% growth from the year before)
Tomorrow? …. Well, CERT decided to stop counting as of 6/2004!!

Attack Trends: Growing Randomness in Victim Selection
- In the past, large firms were targeted.
- Now, targeting is increasingly random.
- No more security through obscurity for small firms and individuals.

Attack Trends: Growing Malevolence
- Most early attacks were not malicious.
- Malicious attacks are becoming the norm.

Attack Trends: Growing Attack Automation
- Attacks are automated, rather than human-directed.
- Essentially, viruses and worms are attack robots that travel among computers.
- They attack many computers in minutes or hours.

Who are the Attackers??? Elite Hackers
- White hat hackers: break into systems but notify the firm or vendor of the vulnerability. This is still illegal.
- Black hat hackers: do not hack to find and report vulnerabilities.
- Gray hat hackers: go back and forth between the two ways of hacking. They hack but with a code of ethics; codes of conduct are often amoral (“Do no harm,” but delete log files, destroy security settings, etc.). Distrust of evil businesses and government. Still illegal.
- Deviant psychology and hacker groups reinforce deviance.

Who are the Attackers??? Virus Writers and Releasers
- Virus writers versus virus releasers.
- Only releasing viruses is punishable.

Who are the Attackers??? Script Kiddies
- Use prewritten attack scripts (kiddie scripts).
- Viewed as lamers and script kiddies.
- Their large numbers make them dangerous.
- The noise of kiddie script attacks masks more sophisticated attacks.

Who are the Attackers??? Criminals
- Many attackers are ordinary garden-variety criminals.
- Credit card and identity theft. Side note on the threat to credit card numbers: how do attackers capture credit card information? Via “sniffing” traffic? How many of the audience have worries when shopping online? How many of the audience have ever used a credit card to pay for a restaurant meal?
- Stealing trade secrets (intellectual property).
- Extortion.

Who are the Attackers??? Corporate Employees
- Have access and knowledge.
- Financial theft.
- Theft of trade secrets (intellectual property).
- Sabotage.
- Consultants and contractors.
- IT and security staff are the biggest danger.

Who are the Attackers??? Cyberterrorism and Cyberwar
- New level of danger.
- Infrastructure destruction: attacks on IT infrastructure; use IT to establish physical infrastructure (energy, banks, etc.); simultaneous multi-pronged attacks.
- Cyberterrorism by terrorist groups versus cyberwar by national governments.
- Amateur information warfare.

Very good illustration of attacks and attackers: http://grc.com/dos/grcdos.htm. Non-credit assignment: read the full article. Note: all material in “non-credit assignments” can appear in exams.

Framework for Attacks
Attacks
  Physical Access Attacks -- Wiretapping, Server Hacking, Vandalism
  Social Engineering -- Opening Attachments, Password Theft, Information Theft
  Dialog Attacks -- Eavesdropping, Impersonation, Message Alteration
  Penetration Attacks
    Malware -- Viruses, Worms
    Denial of Service
    Scanning (Probing)
    Break-in

Attacks and Defenses (refer to previous diagram)
Physical Attacks: Access Control
- Access control is the body of strategies and practices that a company uses to prevent improper access.
- Prioritize assets.
- Specify access control technology and procedures for each asset. This can be electronic: use access control to keep certain traffic out. This can be physical: use locks to prevent physical access to devices.
- If an attacker gains physical access to a device, that device IS (or should be considered) compromised: no EXCEPTION!!!
- Test the protection. (Golden Eye)

Attacks and Defenses (contd.) Site Access Attacks and Defenses
- Wiretaps (including wireless LAN intrusions).
- Hacking servers with physical access.

Attacks and Defenses (contd.) A slight variation of the access attack: Social Engineering
Tricking an employee into giving out information or taking an action that reduces security or harms a system:
- Opening an e-mail attachment that may contain a virus.
- Asking for a password while claiming to be someone with the right to know it.
- Asking for a file to be sent to you.

Attacks and Defenses (contd.) Social Engineering Defenses
- Training.
- Enforcement through sanctions (punishment).

Attacks and Defenses (contd.) Dialog Attacks and Defenses
- Eavesdropping: encryption for confidentiality.
- Imposters: authentication.
- Cryptographic systems.

Eavesdropping on a Dialog (diagram): Client PC (Bob) sends “Hello” to Server (Alice); the attacker (Eve) intercepts and reads the messages.

Encryption for Confidentiality (diagram): Bob's original message “Hello” is sent as the encrypted message “100100110001”; the attacker (Eve) intercepts “100100110001” but cannot read it; Alice decrypts it back to “Hello”.

Impersonation and Authentication (diagram): the attacker (Eve) tells Server (Alice) “I’m Bob”; Alice replies “Prove it! (Authenticate yourself)”.

Message Alteration (diagram): Client PC (Bob) and Server (Alice) exchange account balances; the attacker (Eve) intercepts and alters the messages, so “Balance = $1,000,000” arrives as “Balance = $1” and vice versa.

Secure Dialog System (diagram): a secure dialog between Client PC (Bob) and Server (Alice) automatically handles negotiation of security options, authentication, encryption and integrity; the attacker cannot read messages, alter messages, or impersonate.
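As an added illustration (not part of the original slides), the Python below models the three dialog attacks from the preceding diagrams and the secure-dialog services that stop each one. Confidentiality uses a one-time pad (a real cipher, chosen because it needs only the standard library) and authentication/integrity use an HMAC over the ciphertext (encrypt-then-MAC); the balance message and the 12-byte truncation are constructed for the example.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to every protected message


def otp_xor(key: bytes, data: bytes) -> bytes:
    """One-time-pad encryption/decryption (XOR is its own inverse)."""
    assert len(key) >= len(data), "pad must cover the whole message"
    return bytes(d ^ k for d, k in zip(data, key))


def protect(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Secure-dialog sender: encrypt, then authenticate the ciphertext."""
    ct = otp_xor(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unprotect(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Secure-dialog receiver: plaintext, or None when the tag fails
    (message altered, truncated, or sent without the shared key)."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return otp_xor(enc_key, ct)


BALANCE = b"Balance = $1,000,000"  # constructed sample message from Alice to Bob
CUT = len(b"Balance = $1")         # the altered message on the slide is a prefix


def eavesdrop_plain() -> bytes:
    """'Eavesdropping on a Dialog': nothing protects the wire, Eve reads it."""
    return BALANCE


def eavesdrop_encrypted() -> bool:
    """'Encryption for Confidentiality': Eve sees only pad output."""
    enc_key, mac_key = secrets.token_bytes(64), secrets.token_bytes(32)
    return BALANCE not in protect(enc_key, mac_key, BALANCE)


def alteration_without_integrity() -> bytes:
    """Encryption alone is not enough: Eve cannot read the ciphertext, but by
    cutting it to 12 bytes Bob decrypts 'Balance = $1' and suspects nothing."""
    enc_key = secrets.token_bytes(64)
    return otp_xor(enc_key, otp_xor(enc_key, BALANCE)[:CUT])


def alteration_with_integrity():
    """Same cut on an authenticated packet: the tag no longer verifies."""
    enc_key, mac_key = secrets.token_bytes(64), secrets.token_bytes(32)
    wire = protect(enc_key, mac_key, BALANCE)
    return unprotect(enc_key, mac_key, wire[:CUT] + wire[-TAG_LEN:])


def impersonation():
    """'Impersonation and Authentication': Eve says 'I'm Bob' under keys of
    her own; Alice, holding the real shared keys, cannot verify the claim."""
    enc_key, mac_key = secrets.token_bytes(64), secrets.token_bytes(32)
    eves_enc, eves_mac = secrets.token_bytes(64), secrets.token_bytes(32)
    return unprotect(enc_key, mac_key, protect(eves_enc, eves_mac, b"I'm Bob"))
```

The `None` results are the receiver's signal to drop the message, which is the detection step a real secure dialog (TLS, IPsec) performs on every record.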

Network Penetration Attacks and Firewalls (diagram): an Internet attacker sends an attack packet toward the internal corporate network; the firewall drops it and records it in a log file, while a legitimate packet is passed through to the hardened server. Both the client PC and the server are hardened.

Scanning (Probing) Attacks (diagram): an Internet attacker sends probe packets to 172.16.99.1, 172.16.99.2, etc. in the corporate network. Host 172.16.99.1 replies; there is no host at 172.16.99.2, so there is no reply. Results: 172.16.99.1 is reachable, 172.16.99.2 is not reachable, …

Single-Message Break-In Attack (diagram): 1. the attacker sends a single break-in packet; 2. the server is taken over by that single message.

Denial-of-Service (DoS) Flooding Attack (diagram): the attacker sends a message flood; the server is overloaded by the message flood.

Intrusion Detection System (IDS) (diagram): 1. a suspicious packet arrives from the Internet attacker; 2. the suspicious packet is passed on to the hardened server in the corporate network; 3. the IDS logs the suspicious packet to a log file; 4. the IDS raises an alarm to the network administrator.
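As an added example (not from the slides), the Python below plays the IDS of the diagram above over a constructed firewall log: it raises an alarm for the probe sweep of the scanning slide and for the message flood of the DoS slide. The log format, the thresholds and the outside addresses (TEST-NET ranges) are assumptions; the 172.16.99.x hosts are the ones on the scanning slide.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log. Block 1: one outside source probes 172.16.99.1-6 in
# three seconds (scanning slide). Block 2: normal traffic. Block 3: 50 packets
# in two seconds from one source to one server (flooding slide).
LOG = """\
2005-03-01T10:00:01 PASS src=203.0.113.5 dst=172.16.99.1 dport=80
2005-03-01T10:00:01 DROP src=203.0.113.5 dst=172.16.99.2 dport=80
2005-03-01T10:00:02 DROP src=203.0.113.5 dst=172.16.99.3 dport=80
2005-03-01T10:00:02 DROP src=203.0.113.5 dst=172.16.99.4 dport=80
2005-03-01T10:00:03 DROP src=203.0.113.5 dst=172.16.99.5 dport=80
2005-03-01T10:00:03 DROP src=203.0.113.5 dst=172.16.99.6 dport=80
2005-03-01T10:00:10 PASS src=198.51.100.7 dst=172.16.99.1 dport=443
2005-03-01T10:00:11 PASS src=198.51.100.7 dst=172.16.99.1 dport=443
""" + "".join(f"2005-03-01T10:01:{i // 25:02d} PASS src=198.51.100.9 "
              f"dst=172.16.99.1 dport=80\n" for i in range(50))


def parse(log_text):
    """(time, action, src, dst) tuples from 'TIME ACTION k=v k=v ...' lines."""
    records = []
    for line in log_text.splitlines():
        ts, action, rest = line.split(" ", 2)
        kv = dict(field.split("=", 1) for field in rest.split())
        records.append((datetime.fromisoformat(ts), action, kv["src"], kv["dst"]))
    return records


def burst_within(times, n, window_s):
    """True if some n of the timestamps fall inside window_s seconds."""
    t = sorted(times)
    return any((t[i + n - 1] - t[i]).total_seconds() <= window_s
               for i in range(len(t) - n + 1))


def detect_sweeps(records, min_hosts=5, window_s=10):
    """Scanning slide: one source reaching for many distinct hosts quickly.
    Dropped probes count too, which is why the firewall log feeds the IDS."""
    first_seen = defaultdict(dict)  # src -> {dst: first timestamp}
    for ts, _, src, dst in records:
        first_seen[src].setdefault(dst, ts)
    return sorted(src for src, hosts in first_seen.items()
                  if burst_within(hosts.values(), min_hosts, window_s))


def detect_floods(records, min_pkts=40, window_s=5):
    """Flooding slide: one source hammering one destination."""
    times = defaultdict(list)  # (src, dst) -> timestamps
    for ts, _, src, dst in records:
        times[(src, dst)].append(ts)
    return sorted(pair for pair, ts in times.items()
                  if burst_within(ts, min_pkts, window_s))


def alarms(log_text=LOG):
    """Step 4 of the IDS diagram: what the network administrator is told."""
    recs = parse(log_text)
    return {"sweeps": detect_sweeps(recs), "floods": detect_floods(recs)}
```

Thresholds are the tuning knob: the scanning slide's attacker is caught only because the window and host count are set below the rate of the sweep, and the same knobs decide how much legitimate traffic triggers false alarms.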

What Are the Types of Security Threats?
- Service Disruption and Interruption: compromises the availability service.
- Interception: compromises the confidentiality service.
- Modification: compromises the integrity service.
- Fabrication: compromises the authenticity service.
Often you will see the security services summarized into 3 categories, C.I.A.: Confidentiality, Integrity, Availability. In this model, authenticity is a subset of integrity.

What Are the Types of Security Threats? These different threats can be subject to two types of possible attacks: passive and active.
- Passive attacks: attacks that do not require modification of the data.
- Active attacks: attacks that do require modification of the data or the data flow.
Which one is harder to notice? (yes, I know it’s obvious…)

Layered Security Architecture
As we have seen in previous slides, the security services that must be provided are numerous and diverse. Similarly to the “real-world” bank, our web servers and our networks can have many vulnerabilities, and these vulnerabilities can be located in many layers of the architecture. We need to practice a “security in-depth” approach: security considerations and services must be present in each and every level of components.
Rule: when analyzing the quality of your security infrastructure, always assume that 1 full security layer/functionality will entirely fail. Are you still secure? What are your areas of vulnerability? How long would it take you to detect the failure?
Vulnerabilities and security services involve all 7 layers of the OSI model. Security is also greatly dependent on the OSI’s “Layer 8” (the people).
The balance between the threat to a system and the security services deployed is very asymmetric: you need to defend each and every aspect to be successful; an attacker often needs to defeat only one aspect to be successful.
Let’s look at an example of an e-commerce site and try to discuss what can go wrong and where.

Layered Security Architecture: My-store.com E-Commerce Infrastructure (diagram). Components shown: Internet users; the Internet; ISP DNS; mail relay; outside DNS; outside router; outer firewall; an Ethernet segment with the e-commerce web server; inner firewall; database server; inside DNS; inside mail server; inside router; WAN links to remote offices. The labels “intruder, threat, opponent” mark where attackers may sit.

Layered Security Architecture: areas that can “go wrong”
- Incorrect firewall configuration.
- Web and back-end servers not hardened: known vulnerabilities; default accounts/passwords; lack of granularity in security; lack of logging and auditing.
- Back-end database servers accept any requests from any sources.
- Lack of an intrusion detection system.
- Lack of integrity checking tools.
- Router forwards packets improperly.
- Unnecessary protocols and services running.
- Improper patching and updating of patches.
- Bugs and vulnerabilities in third-party software/applications.
- Bugs and vulnerabilities in in-house developed applications.
- Bugs and vulnerabilities in toolkits used to build in-house applications.
- Improper implementation of an application: test user IDs not cleaned out, developer user IDs not cleaned out.
- Presence of Trojans, malware and backdoors.
- How do I know the remote offices do not represent a threat?
And I am sure we can add a lot more to the list…

Layered Security Architecture: to prevent attacks, an enterprise needs to build a complete and comprehensive security architecture using tools, methods and techniques that individually target some threats and work in an integrated fashion to provide a complete enterprise framework for secure computing. One missing “piece” or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls? The goal of this class will be to present the aspects that most impact network security within that framework. Examples of these tools and methods are presented in the next slides.

Security Architecture Components Examples
Firewall with packet/traffic filtering
- Provides protection by preventing prohibited traffic from passing.
- Acts at layer 3 or 4 of OSI.
- Combats many attacks: spoofing, unauthorized access.
Network Intrusion Detection Systems
- Monitor network activities for specific patterns or abnormal trends in traffic.
- Act at layers 3-7 of OSI.
- Allow alerting (and prevention in some cases) upon identification of known attacks.
Optical Fiber Links
- Implement data transfer via optical signals.
- Layer 1 of OSI.
- Protect from sniffing via electromagnetic leaks and from interference via EMI. Also reduce the risk of undetected tapping of the transmission media.

Security Architecture Components Examples
Implement IPSEC on traffic
- Provides encryption of data over the wire.
- Acts at layer 3 of OSI.
- Prevents eavesdropping and provides anti-replay and traffic authentication.
Intermediate mail server with virus scanning
- Intercepts all mail traffic and performs virus scanning as well as content filtering.
- Layer 7 of OSI.
- Preserves the integrity of the infrastructure by preventing downloads of viruses. Content filtering also helps prevent unauthorized dissemination of proprietary data or offensive language.
Enforcement of the prohibition of password disclosure via disciplinary actions
- Publicize to all employees the strict prohibition on sharing passwords. Enforce it by a warning system and, for repeated violations, suspension.
- Layer 8 of OSI.

Security Architecture Components Examples
Application development follows strict security models and strict, documented security testing procedures
- Provides a method to limit the potential for security vulnerabilities in developed software.
- Acts at layer 7 (and 8) of OSI.
- Reduces the risk of bugs and validates the security model of an application by basing it on a well-proven model.
Network/vulnerability scanner is run weekly
- Performs a weekly scan of all devices.
- Layers 3-7 of OSI.
- Preserves the integrity of the infrastructure by identifying newly discovered vulnerabilities or unauthorized configuration changes. Also helps identify unnecessary services.
Many more aspects are not included here.
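As an added example (not from the slides), the Python below applies the layered-security rule stated earlier, "assume that one full security layer fails; are you still secure?", to the component examples on the preceding slides. The layers and the threats each covers are taken from the slide text; the attack paths, the layer names and the threat labels are constructed for the example.

```python
# Each layer maps to the threats the slides say it combats.
LAYERS = {
    "firewall":              {"spoofing", "unauthorized access"},
    "network IDS":           {"known attack pattern"},
    "optical fiber links":   {"eavesdropping"},
    "IPsec":                 {"eavesdropping", "replay"},
    "mail virus scanning":   {"virus attachment"},
    "password policy":       {"password disclosure"},
    "secure development":    {"application bug"},
    "vulnerability scanner": {"known vulnerability", "unnecessary service"},
}

# Constructed attack paths: a path succeeds only if every step is left
# uncovered by all surviving layers (one covered step blocks the path).
ATTACK_PATHS = {
    "eavesdrop on the WAN link":      ["eavesdropping"],
    "mail a virus past the firewall": ["virus attachment"],
    "obtain a staff password":        ["password disclosure"],
    "exploit an unpatched server":    ["known vulnerability", "known attack pattern"],
    "break in from the Internet":     ["unauthorized access", "application bug"],
}


def covered_threats(layers):
    """Union of everything the surviving layers defend against."""
    return set().union(*layers.values())


def open_paths(layers, paths=ATTACK_PATHS):
    """Attack paths that no surviving layer blocks at any step."""
    covered = covered_threats(layers)
    return sorted(name for name, steps in paths.items()
                  if not any(step in covered for step in steps))


def single_points_of_failure(layers=LAYERS):
    """Threats defended by exactly one layer: the slides' asymmetry in
    practice, since the attacker needs only that one layer to fail."""
    count = {}
    for threats in layers.values():
        for threat in threats:
            count[threat] = count.get(threat, 0) + 1
    return sorted(t for t, c in count.items() if c == 1)


def single_failure_report(layers=LAYERS, paths=ATTACK_PATHS):
    """For each layer, the attack paths that open when that layer alone fails."""
    report = {}
    for name in layers:
        survivors = {k: v for k, v in layers.items() if k != name}
        report[name] = open_paths(survivors, paths)
    return report


if __name__ == "__main__":
    for layer, opened in single_failure_report().items():
        print(f"{layer:22s} fails -> open paths: {opened or 'none'}")
```

The report answers the slide's own question: losing IPsec opens nothing because the fiber links still cover eavesdropping, while losing mail virus scanning opens a path the firewall never covered.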

Other References and Useful Resources
- CERT – www.cert.org
- SANS – www.sans.org
- CIAC – http://www.ciac.org/ciac/
- NSA Guidelines – http://www.nsa.gov/snac/

Examples and Comparison: Bank vs Cyber-bank. The following slides present an illustration comparing a “real” bank to a “cyber bank”. If time permits, we will discuss it during the first class. If time does not permit (it really would be a surprise if we do have time), students are encouraged to think about these aspects: we will discuss them next week.

Examples and Comparison: Bank vs Cyber-bank
Bank – During business hours, doors are open; anybody can get in and open a new checking account or get a lock box.
1. ID and SS# are required to open an account; verification of them is performed.
2. Security cameras capture all activities.
3. After opening a lock box, you are given a safe key, which can only be used together with the key from a bank staff member.
Cyberbank – The web site is available and can be accessed by all. All of the Internet public can access a page to open an account.
1. 2. 3.

Examples and Comparison: Bank vs Cyber-bank
Bank – You come in to get access to your lock box.
1. You show proper credentials to be allowed into the vault.
2. The vault is protected by bars and locks.
3. While in the vault, you access your lock box with a bank staff key and yours.
4. Your belongings have been protected in a safe lock box.
5. All activities are monitored and recorded.
Cyberbank – The web site is available and a user/customer wants to access his account information.
1. 2. 3. 4. 5.

Examples and Comparison: Bank vs Cyber-bank
Bank – At night, no access except by security guards is allowed.
1. Security guards make regular rounds.
2. All activities are recorded.
3. All doors are locked.
Cyberbank – The customer portion of the web site is not available (maybe for backups or maintenance).
1. 2. 3.

Examples and Comparison: Bank vs Cyber-bank
Bank – Someone stole your key and tries to access your lock box.
1. Before you alert the bank, someone tries to get to your lock box: a. An additional form of ID may be required before giving access. b. If access is granted, activity is monitored.
2. You alerted the bank: a. The bank may deny access. b. The bank may fake access while the police are alerted.
Cyberbank – Your credentials got compromised!
1. a. b. 2.
Note an important difference: this is more similar to someone making a duplicate of your key. How do you know your key was lost?

Examples and Comparison: Bank vs Cyber-bank
Bank – The safe has been compromised.
1. Notice that someone accessed the safe. Note: what if “copies” of documents were made?
2. Alert.
3. Investigate.
4. Prosecute.
Cyberbank –
1. 2. 3. 4.

Examples and Comparison: Bank vs Cyber-bank
Bank – Someone tries to prevent you from accessing your safe:
1. By a group of people who line up to get access but are turned down because they are not bank customers.
2. By the fact that someone sabotaged the safe door, making opening and closing slow.
3. By a group of people “faking” a bank robbery, causing a large police force to be deployed that slows down regular business.
4. By sending a notice in the mail that the bank branch has moved to a new address, where they set up a cardboard bank that looks the same as your regular bank.
Cyberbank –
1. 2. 3. 4.