Published by Lilian Maxwell. Modified over 6 years ago.
Unit 1: Class overview, general security concept, threats and defenses
Syllabus
- What is Security?
- CSI/FBI Computer Crime and Security Survey
- Attackers and Attacks
- Layered Security Architecture
- In-class exercise: Comparing a bank and a cyber-bank
What is Security? As in the non-cyber "real" world, security means securing and protecting: preventing bad things from happening (or trying to).
From Webster: security, noun (plural -ties), 15th century.
1: the quality or state of being secure: a: freedom from danger: SAFETY; b: freedom from fear or anxiety; c: freedom from the prospect of being laid off <job security>
2 a: something given, deposited, or pledged to make certain the fulfillment of an obligation; b: SURETY
3: an evidence of debt or of ownership (as a stock certificate or bond)
4 a: something that secures: PROTECTION; b (1): measures taken to guard against espionage or sabotage, crime, attack, or escape; (2): an organization or department whose task is security
What is Security? Security activities are based on 3 types of actions:
- Prevent: put protection measures and systems in place to protect assets and prevent unauthorized access.
- Detect: detect whether an asset has been compromised, when and by whom, and gather information on the type of breach committed, the attacker's activities, and the evidence (logs).
- Act/React: take measures to recover from an attack, to stop an attack in progress, and to prevent the same type of attack from recurring.
CSI/FBI Computer Crime and Security Survey
How Bad is the Threat? Survey conducted annually by the Computer Security Institute. Based on replies from 700 U.S. computer security professionals.
Website incidents have increased dramatically.
General trend of losses is down except for “unauthorized access to information”, and “theft of proprietary information”
Other Key Findings of the CSI/FBI survey
- Outsourcing of computer security activities is quite low.
- Use of cyber insurance remains low.
- Concern about negative publicity causes a decline in the reporting of intrusions to law enforcement.
- A significant number of organizations conduct some form of economic evaluation of their security expenditures.
Other Key Findings of the CSI/FBI survey (contd.)
- Over 87% of the organizations conduct security audits, up from 82% in 2004's survey.
- The Sarbanes-Oxley Act has begun to have an impact on information security in more industry sectors than last year.
- Most respondents view security awareness training as important. However, respondents from all sectors do not believe their organizations invest enough in it.
Other Empirical Attack Data
SecurityFocus attack targets:
- 31 million Windows-specific attacks
- 22 million UNIX/Linux attacks
- 7 million Cisco IOS attacks
All operating systems are attacked!
Attack Trends Growing Incident Frequency
Incidents reported to the Computer Emergency Response Team/Coordination Center (CERT/CC):
- 1997: 2,134
- 1998: 3,734 (75% growth from the year before)
- 1999: 9,859 (164% growth from the year before)
- 2000: 21,756 (121% growth from the year before)
- 2001: 52,658 (142% growth from the year before)
Tomorrow? Well, CERT decided to stop counting as of 6/2004!!
Attack Trends Growing Randomness in Victim Selection
- In the past, large firms were targeted.
- Now, targeting is increasingly random.
- No more security through obscurity for small firms and individuals.
Attack Trends Growing Malevolence
- Most early attacks were not malicious.
- Malicious attacks are becoming the norm.
Attack Trends Growing Attack Automation
- Attacks are automated rather than humanly directed.
- Essentially, viruses and worms are attack robots that travel among computers.
- They attack many computers in minutes or hours.
Who are the Attackers??? Elite Hackers
- White hat hackers: break into systems but notify the firm or vendor of the vulnerability. This is still illegal.
- Black hat hackers: do not hack to find and report vulnerabilities.
- Gray hat hackers: go back and forth between the two ways of hacking.
- "Hack, but with a code of ethics": codes of conduct are often amoral. "Do no harm," but delete log files, destroy security settings, etc. Distrust of "evil" businesses and government. Still illegal.
- Deviant psychology and hacker groups reinforce the deviance.
Who are the Attackers??? Virus Writers and Releasers
Virus writers versus virus releasers: only releasing viruses is punishable; writing them is not.
Who are the Attackers??? Script Kiddies
- Use prewritten attack scripts (kiddie scripts).
- Viewed as lamers and script kiddies.
- Their large numbers make them dangerous.
- The noise of kiddie-script attacks masks more sophisticated attacks.
Who are the Attackers??? Criminals
- Many attackers are ordinary garden-variety criminals.
- Credit card and identity theft. Side note on the threat to credit card numbers: how do attackers capture credit card information? By "sniffing" traffic? How many of the audience worry when shopping online? How many of the audience have ever used a credit card to pay for a restaurant meal?
- Stealing trade secrets (intellectual property).
- Extortion.
Who are the Attackers??? Corporate Employees Have access and knowledge
- Financial theft
- Theft of trade secrets (intellectual property)
- Sabotage
- Consultants and contractors
- IT and security staff are the biggest danger
Who are the Attackers??? Cyberterrorism and Cyberwar
- New level of danger.
- Infrastructure destruction: attacks on the IT infrastructure; use of IT to attack physical infrastructure (energy, banks, etc.).
- Simultaneous multi-pronged attacks.
- Cyberterrorism by terrorist groups versus cyberwar by national governments.
- Amateur information warfare.
Very good Illustration of Attacks and Attackers
Non-credit assignment: read the full article. Note: all material in "non-credit assignments" can be present in exams.
Framework for Attacks
- Physical Access Attacks: wiretapping, server hacking, vandalism
- Social Engineering: opening attachments, password theft, information theft
- Dialog Attacks: eavesdropping, impersonation, message alteration
- Penetration Attacks: malware (viruses, worms), denial of service, scanning (probing), break-in
Attacks and Defenses (Refer to previous diagram)
Physical Attacks: Access Control
- Access control is the body of strategies and practices that a company uses to prevent improper access.
- Prioritize assets.
- Specify the access control technology and procedures for each asset.
- This can be electronic: use access control to keep certain traffic out.
- This can be physical: use locks to prevent physical access to devices.
- If an attacker gains physical access to a device, that device IS (or should be considered) compromised: no EXCEPTION!!!
- Test the protection.
Golden eye
Attacks and Defenses (contd.)
Site Access Attacks and Defenses
- Wiretaps (including wireless LAN intrusions)
- Hacking servers with physical access
Attacks and Defenses (contd.)
A slight variation of the access attack: Social Engineering. Tricking an employee into giving out information or taking an action that reduces security or harms a system:
- Opening an attachment that may contain a virus
- Asking for a password while claiming to be someone with the right to know it
- Asking for a file to be sent to you
Attacks and Defenses (contd.)
Social Engineering Defenses
- Training
- Enforcement through sanctions (punishment)
Attacks and Defenses (contd.)
Dialog Attacks and Defenses
- Eavesdropping: encryption for confidentiality
- Imposters: authentication
- Cryptographic systems
Eavesdropping on a Dialog
Diagram: Client PC (Bob) sends "Hello" to Server (Alice); the attacker (Eve) intercepts and reads the messages.
Encryption for Confidentiality
Diagram: Bob encrypts the original message "Hello" before sending it to Alice, who decrypts it back to "Hello". Eve intercepts the encrypted message but cannot read it.
Impersonation and Authentication
Diagram: the attacker (Eve) tells Server Alice "I'm Bob". Alice answers "Prove it!" (authenticate yourself).
Message Alteration Dialog. Diagram: Client PC (Bob) and Server (Alice) exchange balance messages; Eve intercepts and alters them, so one side sees "Balance = $1,000,000" while the other sees "Balance = $1".
Secure Dialog System. Diagram: Client PC (Bob) and Server (Alice) communicate over a secure dialog.
The secure dialog automatically handles negotiation of security options, authentication, encryption and integrity. The attacker cannot read messages, alter messages, or impersonate either party.
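The three dialog attacks above and the defenses the secure dialog bundles together, as an added worked example. This is not code from the original slides: Bob, Alice and Eve are the diagram's names, while the pre-shared key and the HMAC-based stream cipher are assumptions made here for illustration (standard library only). It shows why encryption alone does not stop message alteration, and why the integrity tag must be checked before anything else is done with a packet:

```python
import hashlib
import hmac
import secrets

# Assumption: Bob and Alice already share this secret (the slides do not say how keys are set up).
SHARED_KEY = b"pre-shared key known only to Bob and Alice"


def subkey(key, label):
    """Derive independent encryption, MAC and auth keys from the one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode: a teaching stream cipher, not AES-GCM."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key, plaintext, nonce=None):
    """Confidentiality alone: Eve cannot read the message, but she can still flip bits in it."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    return nonce + xor(plaintext, keystream(subkey(key, b"enc"), nonce, len(plaintext)))


def decrypt_only(key, packet):
    nonce, ct = packet[:16], packet[16:]
    return xor(ct, keystream(subkey(key, b"enc"), nonce, len(ct)))


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag gives confidentiality AND integrity."""
    body = encrypt_only(key, plaintext)
    return body + hmac.new(subkey(key, b"mac"), body, hashlib.sha256).digest()


def open_sealed(key, packet):
    """Verify the tag before touching the ciphertext; None means 'altered, discard it'."""
    if len(packet) < 16 + 32:
        return None
    body, tag = packet[:-32], packet[-32:]
    expected = hmac.new(subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(key, body)


def eve_alters(packet, known_old, wanted_new):
    """Eve guesses the message format and XORs the ciphertext so it decrypts to wanted_new."""
    assert len(known_old) == len(wanted_new)
    nonce, ct, rest = packet[:16], packet[16:16 + len(known_old)], packet[16 + len(known_old):]
    return nonce + xor(ct, xor(known_old, wanted_new)) + rest


# "I'm Bob" / "Prove it!" as an HMAC challenge-response: without the key Eve cannot answer.
def make_challenge():
    return secrets.token_bytes(16)


def prove_identity(key, identity, challenge):
    return hmac.new(subkey(key, b"auth"), identity + challenge, hashlib.sha256).digest()


def verify_identity(key, identity, challenge, proof):
    return hmac.compare_digest(proof, prove_identity(key, identity, challenge))


def run_dialog():
    """Replays the slides' three attacks and returns what Eve achieved in each setting."""
    old, new = b"Balance = $1,000,000", b"Balance = $0,000,001"
    results = {}
    pkt = encrypt_only(SHARED_KEY, old)
    results["eve_can_read"] = old in pkt                                    # eavesdropping
    results["alteration_undetected"] = decrypt_only(SHARED_KEY, eve_alters(pkt, old, new)) == new
    sealed = seal(SHARED_KEY, old)
    results["sealed_roundtrip"] = open_sealed(SHARED_KEY, sealed) == old
    results["alteration_detected"] = open_sealed(SHARED_KEY, eve_alters(sealed, old, new)) is None
    chal = make_challenge()
    results["bob_accepted"] = verify_identity(SHARED_KEY, b"bob", chal, prove_identity(SHARED_KEY, b"bob", chal))
    results["eve_accepted"] = verify_identity(SHARED_KEY, b"bob", chal, prove_identity(b"eve has no key", b"bob", chal))
    return results


if __name__ == "__main__":
    for name, outcome in run_dialog().items():
        print(f"{name}: {outcome}")
```

`alteration_undetected` comes out True: with a stream cipher and no tag, Eve rewrites the balance without ever reading it, which is the slide's point that confidentiality and integrity are separate services. `open_sealed` rejects the same tampering because the tag covers the nonce and the ciphertext. In practice use a vetted AEAD (AES-GCM or ChaCha20-Poly1305) rather than this teaching construction; the encrypt-then-MAC and challenge-response structure is what carries over.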
Network Penetration Attacks and Firewalls
Diagram: an Internet attacker sends an attack packet toward the internal corporate network. The firewall passes legitimate packets through to the hardened client PC and hardened server, drops the attack packet, and records it in a log file.
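A packet-filtering firewall as in the diagram, written here as an added example (not code from the slides): the first matching rule wins, everything that matches no rule is dropped and logged, and the first rule blocks spoofed packets that claim an internal source address while arriving from the Internet. The network ranges, host addresses and sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumptions (not from the slides): the corporate network is 10.0.0.0/8 and the public,
# hardened servers live in 203.0.113.0/24 (a documentation range used here as sample data).
INTERNAL_NET = ip_network("10.0.0.0/8")
WEB_SERVER = ip_network("203.0.113.10/32")
MAIL_RELAY = ip_network("203.0.113.25/32")


@dataclass(frozen=True)
class Packet:
    iface: str           # "outside" = arrived from the Internet, "inside" = from the corporate LAN
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    note: str            # what ends up in the log for a dropped packet
    iface: Optional[str] = None
    src: Optional[object] = None      # ip_network, or None for "any"
    dst: Optional[object] = None
    proto: Optional[str] = None
    dports: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in self.src)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))


# First match wins; anything that reaches the end of the list is dropped (default deny).
RULES = [
    Rule("deny", "anti-spoofing: internal source address arriving from the Internet",
         iface="outside", src=INTERNAL_NET),
    Rule("allow", "public web service", iface="outside", dst=WEB_SERVER, proto="tcp",
         dports=frozenset({80, 443})),
    Rule("allow", "inbound mail to the relay", iface="outside", dst=MAIL_RELAY, proto="tcp",
         dports=frozenset({25})),
    Rule("allow", "outbound web browsing", iface="inside", src=INTERNAL_NET, proto="tcp",
         dports=frozenset({80, 443})),
]
DEFAULT_RULE = Rule("deny", "default deny")


def decide(p: Packet) -> Rule:
    for rule in RULES:
        if rule.matches(p):
            return rule
    return DEFAULT_RULE


def filter_packets(packets):
    """Returns (passed packets, log lines for dropped packets), as in the firewall diagram."""
    passed, log = [], []
    for p in packets:
        rule = decide(p)
        if rule.action == "allow":
            passed.append(p)
        else:
            log.append(f"DROP iface={p.iface} {p.proto} {p.src}->{p.dst}:{p.dport} ({rule.note})")
    return passed, log


# Constructed sample traffic: a legitimate HTTPS request, a spoofed packet with an internal
# source, a telnet attempt at the web server, an outbound web request, an outbound IRC-port connection.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 443),
    Packet("outside", "10.1.2.3", "203.0.113.10", "tcp", 443),
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 23),
    Packet("inside", "10.1.2.3", "198.51.100.80", "tcp", 80),
    Packet("inside", "10.1.2.3", "198.51.100.80", "tcp", 6667),
]

if __name__ == "__main__":
    passed, log = filter_packets(SAMPLE_PACKETS)
    print(f"{len(passed)} passed, {len(log)} dropped")
    print("\n".join(log))
```

The order of the rules matters: the anti-spoofing deny sits first so that a spoofed packet never reaches the "public web service" allow, and the default deny at the end is what turns a forgotten service (telnet on the web server here) into a dropped, logged packet rather than an open door.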
Scanning (Probing) Attacks
Diagram: an Internet attacker sends probe packets to a series of addresses in the corporate network. Results: an address that replies is reachable (a host is there); an address that sends no reply is reported as not reachable (no host, or the probe was dropped).
Single-Message Break-In Attack
Diagram: 1. The attacker sends a single break-in packet. 2. The server is taken over by that single message.
Denial-of-Service (DoS) Flooding Attack
Diagram: the attacker sends a message flood; the server is overloaded by the flood.
Intrusion Detection System (IDS)
Diagram: 1. An Internet attacker sends a suspicious packet. 2. The IDS passes the suspicious packet on to the hardened server (an IDS monitors, it does not block). 3. The IDS logs the suspicious packet to a log file. 4. The IDS raises an alarm to the network administrator.
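An added example of the IDS's job in steps 1 and 3, deciding which packets are suspicious from what the sensor logged. It is not code from the slides; the log format and the log lines are constructed here. It detects two of the penetration attacks the previous slides show, a probe sweep (one source touching many targets) and a message flood (many packets to one destination within one second), and skips log lines it cannot parse instead of crashing on them:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): one line per packet seen by the firewall/IDS sensor.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # an IDS must tolerate lines it does not understand
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]})
    return events


def detect_scans(events, window=timedelta(seconds=60), min_targets=5):
    """One source touching many distinct (host, port) targets within a window: a probe sweep."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            targets = {(e["dst"], e["dport"]) for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window}
            if len(targets) >= min_targets:
                alerts.append(("scan", src, len(targets)))
                break  # one alert per scanning source
    return alerts


def detect_floods(events, max_per_second=50):
    """Many packets to one destination within a single second: a DoS flood, whoever sends them."""
    buckets = defaultdict(int)
    for e in events:
        buckets[(e["dst"], e["ts"].replace(microsecond=0))] += 1
    return [("flood", dst, n) for (dst, second), n in buckets.items() if n > max_per_second]


def analyse(lines):
    events = parse_log(lines)
    return detect_scans(events) + detect_floods(events)


def _line(ts, src, dst, dport, action):
    return f"{ts.isoformat(timespec='milliseconds')} src={src} dst={dst} dport={dport} action={action}"


def build_sample_log():
    """Constructed sample: a normal user, a sweep of 10.0.0.1-8 on port 80, and a 60-packet flood."""
    t0 = datetime(2004, 6, 1, 10, 0, 0)
    lines = [_line(t0 + timedelta(seconds=5 * i), "192.0.2.10", "10.0.0.5", 443, "pass") for i in range(3)]
    lines += [_line(t0 + timedelta(seconds=i), "198.51.100.7", f"10.0.0.{i + 1}", 80, "drop") for i in range(8)]
    lines += [_line(t0 + timedelta(seconds=30, milliseconds=10 * i), "203.0.113.99", "10.0.0.5", 80, "pass")
              for i in range(60)]
    lines.append("garbage line the sensor could not format")
    return lines


if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(*alert)
```

Note what each detector keys on: the scan detector counts distinct targets per source, so a single host hammering one port is not a scan; the flood detector counts packets per destination, so it fires even when the flood comes from many spoofed sources. Thresholds like `min_targets` and `max_per_second` are the knobs that trade false alarms against missed attacks, and the "noise" of script-kiddie traffic mentioned earlier is exactly what pushes them up.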
What Are the Types of Security Threats?
- Service disruption and interruption: compromises the service's availability.
- Interception: compromises the service's confidentiality.
- Modification: compromises the service's integrity.
- Fabrication: compromises the service's authenticity.
Often you will see the security services summarized into 3 categories, C.I.A.: Confidentiality, Integrity, Availability. In this model, authenticity is a subset of integrity.
What Are the Types of Security Threats?
These different threats can be carried out by two types of attacks: passive and active.
- Passive attacks: attacks that do not require modification of the data (eavesdropping, for instance).
- Active attacks: attacks that do require modification of the data or of the data flow.
Which one is harder to notice? (Yes, I know it's obvious...)
Layered Security Architecture
As we have seen in the previous slides, the security services that must be provided are numerous and diverse. Just like a "real-world" bank, our web servers and our networks can have many vulnerabilities, and these vulnerabilities can be located in many layers of the architecture. We need to practice a "security in depth" approach: security considerations and services must be present at each and every level of components.
Rule: when analyzing the quality of your security infrastructure, always assume that one full security layer/functionality will entirely fail. Are you still secure? What are your areas of vulnerability? How long would it take you to detect the failure?
Vulnerabilities and security services involve all 7 layers of the OSI model. Security is also greatly dependent on the OSI's "Layer 8" (the people).
The balance between the threat to a system and the security services deployed is very asymmetric: you need to defend each and every aspect to be successful, while an attacker often needs to defeat only one aspect to be successful.
Let's look at an example of an e-commerce site and discuss what can go wrong and where.
Layered Security Architecture
Diagram: My-store.com e-commerce infrastructure. Components shown: Internet users, the Internet, the ISP, an outside DNS and mail relay, routers and firewalls, an internal Ethernet segment with the e-commerce web server, database server, inside DNS and inside mail server, and WAN links to remote offices. Threat actors marked on the diagram: intruder, inside threat, opponent.
Layered Security Architecture
Areas that can "go wrong":
- Incorrect firewall configuration.
- Web and back-end servers not hardened: known vulnerabilities, default accounts/passwords, lack of granularity in security, lack of logging and auditing.
- Back-end database servers accept any request from any source.
- Lack of an intrusion detection system.
- Lack of integrity checking tools.
- Routers forwarding packets improperly.
- Unnecessary protocols and services running.
- Improper patching, or patches not kept up to date.
- Bugs and vulnerabilities in third-party software/applications.
- Bugs and vulnerabilities in in-house developed applications.
- Bugs and vulnerabilities in the toolkits used to build in-house applications.
- Improper deployment of an application: test user IDs not cleaned out, developer user IDs not cleaned out.
- Presence of Trojans, malware and backdoors.
- How do I know the remote offices do not represent a threat?
And I am sure we can add a lot more to the list...
Layered Security Architecture
To prevent attacks, an enterprise needs to build a complete and comprehensive security architecture using tools, methods and techniques that individually target some threats and work in an integrated fashion to provide a complete enterprise framework for secure computing. One missing "piece" or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls? The goal of this class will be to present the aspects that most impact network security within that framework. Examples of these tools and methods are presented in the next slides.
Security Architecture Components Examples
Firewall with packet/traffic filtering
- Provides protection by preventing prohibited traffic from passing.
- Acts at layer 3 or 4 of the OSI model.
- Combats many attacks: spoofing, unauthorized access.
Network intrusion detection systems
- Monitor network activity for specific patterns or abnormal trends in traffic.
- Act at layers 3-7 of OSI.
- Allow alerting (and, in some cases, prevention) when known attacks are identified.
Optical fiber links
- Implement data transfer via optical signals.
- Layer 1 of OSI.
- Protect from sniffing via electromagnetic leaks and from interference (EMI), since optical links emit neither. Also reduce the risk of undetected tapping of the transmission medium.
Security Architecture Components Examples
Implement IPsec on traffic
- Provides encryption of data over the wire.
- Acts at layer 3 of OSI.
- Prevents eavesdropping and provides anti-replay protection and traffic authentication.
Intermediate mail server with virus scanning
- Intercepts all mail traffic and performs virus scanning as well as content filtering.
- Layer 7 of OSI.
- Preserves the integrity of the infrastructure by preventing downloads of viruses. Content filtering also helps prevent unauthorized dissemination of proprietary data or offensive language.
Enforcement of the prohibition on password disclosure via disciplinary action
- Publicize to all employees the strict prohibition on sharing passwords. Enforce it with a warning system and, for repeated violations, suspension.
- Layer 8 of OSI.
- Reduces the risk of passwords being given away through social engineering (training plus sanctions, as in the social engineering defenses above).
Security Architecture Components Examples
Application development follows strict security models and strict, documented security testing procedures
- Provides a method to limit the potential for security vulnerabilities in the software developed.
- Acts at layer 7 (and 8) of OSI.
- Reduces the risk of bugs and validates the security model of an application by basing it on a well-proven model.
Network/vulnerability scanner run weekly
- Perform a weekly scan of all devices.
- Layers 3-7 of OSI.
- Preserves the integrity of the infrastructure by identifying newly discovered vulnerabilities or unauthorized configuration changes. Also helps identify unnecessary services.
Many more aspects are not included here.
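The weekly scan only catches "unauthorized configuration changes" and "unnecessary services" if someone compares it with the previous one and with what is supposed to be running. An added example (not code from the slides) that does that comparison: it parses two scans written in nmap's grepable output format (the lines are constructed for the example, not real scan output from the site) and reports new, vanished and unapproved services against an assumed approved-service inventory:

```python
import re

# nmap -oG host line: "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/..., ..."
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\s+Ports: (?P<ports>[^\t]*)")

# Constructed sample scans in nmap -oG style (assumption: not real output from My-store.com).
LAST_WEEK_SCAN = (
    "Host: 10.0.0.10 (web-1)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\n"
    "Host: 10.0.0.25 (mail-1)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///\n"
)
THIS_WEEK_SCAN = (
    "Host: 10.0.0.10 (web-1)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///\n"
    "Host: 10.0.0.25 (mail-1)\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)\n"
    "Host: 10.0.0.50 (db-1)\tPorts: 3306/open/tcp//mysql///\n"
    "Host: 10.0.0.77 ()\tPorts: 22/open/tcp//ssh///\n"
)

# Assumption: the approved service inventory. Any open port not listed here is an unnecessary
# service; a host not listed at all is unknown to the inventory.
APPROVED = {"web-1": {(80, "tcp"), (443, "tcp")}, "mail-1": {(25, "tcp")}, "db-1": set()}


def parse_grepable(text):
    """Returns {host_name_or_ip: {(port, proto)}} for every port the scan reports as open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m["ports"].split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
        hosts[m["name"] or m["ip"]] = open_ports
    return hosts


def compare_scans(baseline, current, approved):
    """Diff two scans, then check the newer one against the approved inventory."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, set()), current.get(host, set())
        findings += [("new_service", host, port, proto) for port, proto in sorted(after - before)]
        findings += [("service_gone", host, port, proto) for port, proto in sorted(before - after)]
        if host not in approved:
            findings.append(("unknown_host", host, None, None))
        findings += [("unapproved_service", host, port, proto)
                     for port, proto in sorted(after - approved.get(host, set()))]
    return findings


def weekly_report():
    return compare_scans(parse_grepable(LAST_WEEK_SCAN), parse_grepable(THIS_WEEK_SCAN), APPROVED)


if __name__ == "__main__":
    for finding in weekly_report():
        print(*finding)
```

In the sample, telnet appearing on the web server and MySQL appearing on the database server are flagged both as changes since last week and as services the inventory never approved (the "back-end database server accepts requests from any source" item in the list above), while the host with no name is flagged as unknown. A vanished service is reported too: something that stopped listening may be a sign that a box was rebuilt or tampered with, not only that it was cleaned up.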
Other References and Useful Resources
- CERT
- SANS
- CIAC
- NSA Guidelines
Examples and Comparison Bank vs Cyber-bank
The following slides present an illustration comparing a "real" bank to a "cyber bank". If time permits, we will discuss it during the first class. If time does not permit (which really would be a surprise if we do have time), students are encouraged to think about these aspects: we will discuss them next week.
Examples and Comparison Bank vs Cyber-bank
Bank: during business hours, the doors are open; anybody can get in and open a new checking account or get a lock box.
1. ID and SSN are required to open an account; they are verified.
2. Security cameras capture all activities.
3. After opening a lock box, you are given a safe key, which can only be used together with a key held by bank staff.
Cyberbank: the web site is available and can be accessed by all. Anyone on the Internet can reach the page to open an account.
1.
2.
3.
Examples and Comparison Bank vs Cyber-bank
Bank: you come in to get access to your lock box.
1. You show proper credentials to be allowed into the vault.
2. The vault is protected by bars and locks.
3. While in the vault, you access your lock box with a bank staff key and yours.
4. Your belongings have been protected in a safe lock box.
5. All activities are monitored and recorded.
Cyberbank: the web site is available and a user/customer wants to access his account information.
1.
2.
3.
4.
5.
Examples and Comparison Bank vs Cyber-bank
Bank: at night, no access is allowed except for the security guards.
1. Security guards make regular rounds.
2. All activities are recorded.
3. All doors are locked.
Cyberbank: the customer portion of the web site is not available (maybe for backups or maintenance).
1.
2.
3.
Examples and Comparison Bank vs Cyber-bank
Bank: someone stole your key and tries to access your lock box.
1. Before you alert the bank, someone tries to get to your lock box:
   a. An additional form of ID may be required before giving access.
   b. If access is granted, the activity is monitored.
2. You alerted the bank:
   a. The bank may deny access.
   b. The bank may fake access while the police are alerted.
Cyberbank: your credentials got compromised!
1.
   a.
   b.
2.
Note an important difference: this is more similar to someone making a duplicate of your key. How do you know your key was lost?
Examples and Comparison Bank vs Cyber-bank
Bank: the safe has been compromised.
1. Notice that someone accessed the safe. Note: what if "copies" of documents were made?
2. Alert.
3. Investigate.
4. Prosecute.
Cyberbank:
1.
2.
3.
4.
Examples and Comparison Bank vs Cyber-bank
Bank: someone tries to prevent you from accessing your safe:
1. A group of people line up to get access but are turned down because they are not bank customers.
2. Someone sabotaged the safe door, making opening and closing slow.
3. A group of people "fake" a bank robbery, causing a large police force to be deployed that slows down regular business.
4. Someone mails you a notice that the bank branch has moved to a new address, where they have set up a cardboard bank that looks the same as your regular bank.
Cyberbank:
1.
2.
3.
4.