Framework Chapter 1 Panko, Corporate Computer and Network Security Copyright 2002 Prentice-Hall
2 Figure 1-1: CSI/FBI Computer Crime and Security Survey How Bad is the Threat? Survey conducted by the Computer Security Institute ( Based on replies from 503 U.S. Computer Security Professionals. If fewer than 20 firms reported quantified dollar losses, data for the threat are not shown.
3 Figure 1-1: CSI/FBI Computer Crime and Security Survey ThreatPercent Reporting an Incident 1997 Percent Reporting an Incident 2002 Average Annual Loss per Firm (x1000) 1997 Average Annual Loss per Firm (x1000) 2002 Viruses82%85%$76$283 Laptop Theft 58%65%$38$89
4 Figure 1-1: CSI/FBI Computer Crime and Security Survey ThreatPercent Reporting an Incident 1997 Percent Reporting an Incident 2002 Average Annual Loss per Firm (x1000) 1997 Average Annual Loss per Firm (x1000) 2002 Denial of Service 24%40%$77$297 System Penetration 20%40%$132$226 Unauthorized Access by Insiders 40%38%NA
5 Figure 1-1: CSI/FBI Computer Crime and Security Survey ThreatPercent Reporting an Incident 1997 Percent Reporting an Incident 2002 Average Annual Loss per Firm (x1000) 1997 Average Annual Loss per Firm (x1000) 2002 Theft of Intellectual Property 20% $954$6,571 Financial Fraud 12% $958$4,632 Sabotage14%8%$164$541
6 Figure 1-1: CSI/FBI Computer Crime and Security Survey ThreatPercent Reporting an Incident 1997 Percent Reporting an Incident 2002 Average Annual Loss per Firm (x1000) 1997 Average Annual Loss per Firm (x1000) 2002 Telecom Fraud 27%9%NA Telecom Eaves- dropping 11%6%NA Active Wiretap 3%1%NA
7 Figure 1-2: Other Empirical Attack Data Riptech Analyzed 5.5 billion firewall log entries in 300 firms in five-month period Detected 128,678 attacks—an annual rate of 1,000 per firm Only 39% of attacks after viruses were removed were directed at individual firms
8 Figure 1-2: Other Empirical Attack Data Riptech 23% of all firms experienced a highly aggressive attack in a 6-month period Only one percent of all attacks, highly aggressive attacks are 26 times more likely to do severe damage than even moderately sophisticated aggressive attacks
9 Figure 1-2: Other Empirical Attack Data SecurityFocus Data from 10,000 firms in 2001 Attack Frequency 129 million network scanning probes (13,000 per firm) 29 million website attacks (3,000 per firm) 6 million denial-of-service attacks (600 per firm)
10 Figure 1-2: Other Empirical Attack Data SecurityFocus Attack Targets 31 million Windows-specific attacks 22 million UNIX/LINUX attacks 7 million Cisco IOS attacks All operating systems are attacked!
11 Figure 1-2: Other Empirical Attack Data U.K. Department of Trade and Industry Two-thirds of U.K. firms surveyed lost less than $15,000 from their worst incident But 4% lost more than $725,000
12 Figure 1-2: Other Empirical Attack Data MessageLabs One in every 200 to 400 messages is infected Most users are sent infected several times each year The percentage of s that are infected is rising
13 Figure 1-2: Other Empirical Attack Data Honeynet project Fake networks set up for adversaries to attack To understand how adversaries attack Windows 98 PC with open shares and no password compromised 5 times in 4 days LINUX PCs took 3 days on average to compromise
14 Figure 1-3: Attack Trends Growing Incident Frequency Incidents reported to the Computer Emergency Response Team/Coordination Center 1997: 2,134 1998: 3,474 (75% growth from the year before) 1999: 9,859 (164% growth from the year before) 2000: 21,756 (121% growth from the year before) 2001: 52,658 (142% growth from the year before) Tomorrow?
15 Figure 1-3: Attack Trends Growing Randomness in Victim Selection In the past, large firms were targeted Now, targeting is increasingly random No more security through obscurity for small firms and individuals
16 Figure 1-3: Attack Trends Growing Malevolence Most early attacks were not malicious Malicious attacks are becoming the norm
17 Figure 1-3: Attack Trends Growing Attack Automation Attacks are automated, rather than humanly- directed Essentially, viruses and worms are attack robots that travel among computers Attack many computers in minutes or hours
18 Figure 1-4: Framework for Attackers Elite Hackers Hacking: intentional access without authorization or in excess of authorization Cracking versus hacking Technical expertise and dogged persistence Use attack scripts to automate actions, but this is not the essence of what they do
19 Figure 1-4: Framework for Attackers Elite Hackers White hat hackers This is still illegal Break into system but notify firm or vendor of vulnerability Black hat hackers Do not hack to find and report vulnerabilities Gray hat hackers go back and forth between the two ways of hacking
20 Figure 1-4: Framework for Attackers Elite Hackers Hack but with code of ethics Codes of conduct are often amoral “Do no harm,” but delete log files, destroy security settings, etc. Distrust of evil businesses and government Still illegal Deviant psychology and hacker groups to reinforce deviance
21 Figure 1-4: Framework for Attackers Virus Writers and Releasers Virus writers versus virus releasers Only releasing viruses is punishable
22 Figure 1-4: Framework for Attackers Script Kiddies Use prewritten attack scripts (kiddie scripts) Viewed as lamers and script kiddies Large numbers make dangerous Noise of kiddie script attacks masks more sophisticated attacks
23 Figure 1-4: Framework for Attackers Criminals Many attackers are ordinary garden-variety criminals Credit card and identity theft Stealing trade secrets (intellectual property) Extortion
24 Figure 1-4: Framework for Attackers Corporate Employees Have access and knowledge Financial theft Theft of trade secrets (intellectual property) Sabotage Consultants and contractors IT and security staff are biggest danger
25 Figure 1-4: Framework for Attackers Cyberterrorism and Cyberwar New level of danger Infrastructure destruction Attacks on IT infrastructure Use IT to establish physical infrastructure (energy, banks, etc.)
26 Figure 1-4: Framework for Attackers Cyberterrorism and Cyberwar Simultaneous multi-pronged attacks Cyberterrorists by terrorist groups versus cyberwar by national governments Amateur information warfare
27 Figure 1-5: Framework for Attacks Attacks Physical Access Attacks -- Wiretapping Server Hacking Vandalism Dialog Attacks -- Eavesdropping Impersonation Message Alteration Penetration Attacks Social Engineering -- Opening Attachments Password Theft Information Theft Scanning (Probing) Break-in Denial of Service Malware -- Viruses Worms
28 Figure 1-6: Attacks and Defenses (Study Figure) Access Control Access control is the body of strategies and practices that a company uses to prevent improper access Prioritize assets Specify access control technology and procedures for each asset Test the protection
29 Figure 1-6: Attacks and Defenses (Study Figure) Site Access Attacks and Defenses Wiretaps (including wireless LANs intrusions Hacking servers with physical access
30 Figure 1-6: Attacks and Defenses (Study Figure) Social Engineering Tricking an employee into giving out information or taking an action that reduces security or harms a system Opening an attachment that may contain a virus Asking for a password claming to be someone with rights to know it Asking for a file to be sent to you
31 Figure 1-6: Attacks and Defenses (Study Figure) Social Engineering Defenses Training Enforcement through sanctions (punishment)
32 Figure 1-6: Attacks and Defenses (Study Figure) Dialog Attacks and Defenses Eavesdropping Encryption for Confidentiality Imposters and Authentication Cryptographic Systems
33 Figure 1-7: Eavesdropping on a Dialog Client PC Bob Server Alice Dialog Attacker (Eve) intercepts and reads messages Hello
34 Figure 1-8: Encryption for Confidentiality Client PC Bob Server Alice Attacker (Eve) intercepts but cannot read “ ” Encrypted Message “ ” Original Message “Hello” Decrypted Message “Hello”
35 Figure 1-9: Impersonation and Authentication Client PC Bob Server Alice Attacker (Eve) I’m Bob Prove it! (Authenticate Yourself)
36 Figure 1-10: Message Alteration Client PC Bob Server Alice Dialog Attacker (Eve) intercepts and alters messages Balance = $1 Balance = $1 Balance = $1,000,000 Balance = $1,000,000
37 Figure 1-11: Secure Dialog System Client PC Bob Server Alice Secure Dialog Attacker cannot read messages, alter messages, or impersonate Automatically Handles Negation of Security Options Authentication Encryption Integrity
38 Figure 1-12: Network Penetration Attacks and Firewalls Attack Packet Internet Attacker Hardened Client PC Hardened Server Internal Corporate Network Passed Packet Dropped Packet Internet Firewall Log File
39 Figure 1-13: Scanning (Probing) Attacks Attack Packets to , , etc. Internet Attacker Corporate Network Host Host I’m Here
40 Figure 1-14: Single-Message Break-In Attack 1. Single Break-In Packet 2. Server Taken Over By Single Message Attacker
41 Figure 1-15: Denial-of-Service (DoS) Flooding Attack Message Flood Server Overloaded By Message Flood Attacker
42 Figure 1-16: Intrusion Detection System (IDS) 1. Suspicious Packet Internet Attacker Network Administrator Hardened Server Corporate Network 2. Suspicious Packet Passed 3. Log Suspicious Packet 4. Alarm Intrusion Detection System (IDS) Log File
43 Figure 1-17: Security Management Security is a Primarily a Management Issue, not a Technology Issue Top-to-Bottom Commitment Top-management commitment Operational execution Enforcement
44 Figure 1-17: Security Management Comprehensive Security Closing all avenues of attack Asymmetrical warfare Attacker only has to find one opening Defense in depth Attacker must get past several defenses to succeed Security audits Run attacks against your own network
45 Figure 1-17: Security Management General Security Goals (CIA) Confidentiality Attackers cannot read messages if they intercept them Integrity If attackers change messages, this will be detected Availability System is able to server users
46 Figure 1-18: The Plan—Protect— Respond Cycle Planning Need for comprehensive security (no gaps) Risk analysis (see Figure 1-19) Enumerating threats Threat severity = estimated cost of attack X probability of attack Value of protection = threat severity – cost of countermeasure Prioritize countermeasures by value of prioritization
47 Figure 1-19: Threat Severity Analysis StepThreat Cost if attack succeeds Probability of occurrence Threat severity Countermeasure cost Value of protection Apply countermeasure? Priority 6 7 A $500,000 80% $400,000 $100,000 $300,000 Yes 1 B $10,000 20% $2,000 $3,000 ($1,000) No NA C $100,000 5% $5,000 $2,000 $3,000 Yes 2 D $10,000 70% $7,000 $20,000 ($13,000) No NA
48 Figure 1-18: The Plan—Protect— Respond Cycle Planning Security policies drive subsequent specific actions (see Figure 1-20) Selecting technology Procedures to make technology effective The testing of technology and procedures
49 Figure 1-20: Policy-Driven Technology, Procedures, and Testing Policy Technology (Firewall, Hardened Webserver) Procedures (Configuration, Passwords, Etc.) ProtectionTesting (Test Security) Attempt to Connect to Unauthorized Webserver Only allow authorized personnel to use accounting webserver
50 Figure 1-18: The Plan—Protect— Respond Cycle Protecting Installing protections: firewalls, IDSs, host hardening, etc. Updating protections as the threat environment changes Testing protections: security audits
51 Figure 1-18: The Plan—Protect— Respond Cycle Responding Planning for response (Computer Emergency Response Team) Incident detection and determination Procedures for reporting suspicious situations Determination that an attack really is occurring Description of the attack to guide subsequent actions
52 Figure 1-18: The Plan—Protect— Respond Cycle Responding Containment Recovery Containment: stop the attack Repair the damage Punishment Forensics Prosecution Employee Punishment Fixing the vulnerability that allowed the attack