COS 338 Day 16

Post on 20-Jan-2016


TRANSCRIPT

Page 1: COS 338 Day 16. DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar

COS 338

Day 16

Page 2:

DAY 16 Agenda

Capstone Proposals Overdue: 3 accepted, 3 in mediation

Capstone progress reports still overdue; I forgot to mark it in the calendar, so I will grant a reprieve

Second capstone progress report overdue

Lab 5 write-up not graded; will be corrected by next class

Assignment 5 due

Today we will begin discussing Security

Page 3:

Security

Chapter 9

Copyright 2004 Prentice-Hall. Panko’s Business Data Networks and Telecommunications, 5th edition

Page 4:

Trends in Computer and Network Security

Page 5:

Figure 9-1: CSI/FBI Survey

Survey conducted by the Computer Security Institute (www.gocsi.com).

Based on replies from 530 U.S. Computer Security Professionals.

If fewer than twenty firms reported quantified dollar losses, data for the threat are not shown.

Link to 2005 CSI/FBI Survey

Pages 6-10:

Figure 9-1: CSI/FBI Survey (firms that had at least one security incident in the category; they may have had several)

| Incident Category | Percent Reporting an Incident in 1997 | Percent Reporting an Incident in 2003 | Number Reporting Quantified Losses in 2003 | Average Reported Annual Loss per Firm ($1000s) in 1997 | Average Reported Annual Loss per Firm ($1000s) in 2003 |
| --- | --- | --- | --- | --- | --- |
| Viruses | 82% | 82% | 254 | $76 | $200 |
| Insider Abuse of Net Access | Not Asked | 80% | 180 | Not Asked | $136 |
| Laptop Theft | 58% | 59% | 250 | $38 | $47 |
| Unauthorized Access by Insiders | 40% | 45% | 72 | Not Asked | $31 |
| Denial of Service | 24% | 42% | 111 | $77 | $1,427 |
| System Penetration | 20% | 36% | 88 | $132 | $56 |
| Sabotage | 14% | 21% | 61 | $164 | $215 |
| Theft of Proprietary Information | 20% | 21% | 61 | $954 | $2,700 |
| Financial Fraud | 12% | 15% | 61 | $958 | $329 |
| Telecom Fraud | 27% | 10% | 34 | Not Asked | $50 |
| Telecom Eavesdropping | 11% | 6% | 0 | Not Asked | Not Asked |
| Active Wiretap | 3% | 1% | 0 | Not Asked | Not Asked |

Page 11:

Figure 9-1: CSI/FBI Survey

Conclusion: Attacks are like multiple poisons

Several of them are fatal

Defense is difficult

Page 12:

Major Attacks

Viruses and Worms

Human Hacking (Break-Ins)

Denial-of-Service Attacks

Page 13:

Figure 9-2: Viruses and Worms

Viruses

Pieces of code that attach to other programs

Virus code executes when infected programs execute

Infect other programs on the computer

Spread to other computers by e-mail attachments, webpage downloads, etc.

Page 14:

Figure 9-2: Viruses and Worms

Viruses

Many viruses spread themselves by sending fake e-mail messages with infected attachments

Antivirus programs are needed to scan arriving files

Users often fail to keep their computer antivirus programs up to date

Antivirus filtering on the e-mail server works even if users are negligent

Page 15:

How Viruses Work

Page 16:

Figure 9-2: Viruses and Worms

Worms

Complete programs

Self-propagating worms identify victim hosts, jump to them, and install themselves

Can do this because hosts have vulnerabilities

Vendors develop patches for vulnerabilities but companies often fail to apply them

Page 17:

Figure 9-2: Viruses and Worms

Worms: Worms take advantage of specific vulnerabilities

Firewalls can stop many worms by forbidding access to most ports

E-mail worms can get around antivirus filtering

Famous Worms

Morris worm – the first worm

Code Red – went after IIS servers

Melissa – e-mail worm

Slammer – SQL worm

Blaster – Windows RPC worm

MyDoom – another e-mail worm that creates a backdoor on your computer

Page 18:

Figure 9-2: Viruses and Worms

Blended Threats: Combine the spreading characteristics of viruses and worms

Payloads: Programs that can do damage to infected hosts

Erase hard disks, send users to pornography sites if they mistype a URL

Trojan horses: exploitation programs that disguise themselves as system files

Page 19:

Figure 9-3: Human Break-Ins (Hacking)

Human Break-Ins: Viruses and worms rely on one main attack method

Humans can keep trying different approaches until they succeed

Hacking: breaking into a computer

Hacking is intentionally using a computer resource without authorization or in excess of authorization

Prosecutable if the attacker does a certain amount of damage

Page 20:

Figure 9-3: Human Break-Ins (Hacking)

Scanning Phase

Send attack probes to map the network and identify possible victim hosts

Like a robber casing a neighborhood

Finds active IP addresses

Identifies type of computer at that address via open ports, etc.

Nmap program is popular (Figure 9-4)

Page 21:

Figure 9-4: Nmap Scanning Output (screenshot; callouts mark the IP range to scan, the type of scan, and the identified host and its open ports)

Page 22:

Figure 9-3: Human Break-Ins (Hacking)

The Exploit: The term “exploit” is used in two ways

The actual break-in

The exploit is the program used to make the break-in

Super user accounts (administrator and root) can do anything

If an application running with super user privileges is compromised, the attacker gains super user privileges

Page 23:

Figure 9-3: Human Break-Ins (Hacking)

After the Break-In: Become invisible by deleting log files

http://www.rootkit.com/

Create a backdoor (way to get back into the computer)

Backdoor account—account with a known password and super user privileges

Backdoor program—program to allow reentry; usually Trojanized

Do damage at leisure

Page 24:

Denial-of-Service (DoS) Attacks

Make a computer or network unavailable to users

An exploding threat

Rarely: sending a single message to bring down a computer

Usually: overload a victim with a flood of messages

Page 25:

Figure 9-5: Distributed Denial-of-Service (DDoS) Flooding Attack (diagram: the attacker at 1.34.150.37 sends attack commands to handlers, the handlers pass attack commands on to zombies, and the zombies send attack packets to the victim at 60.168.47.47)

Page 26:

Attackers

Page 27:

Figure 9-6: Types of Attackers

Traditional attackers: curious hackers

Disgruntled employees and ex-employees

Growing number of criminal attackers

Potential for far more massive attacks

Cyberterror attacks by terrorists

Cyberwar by nations

Page 28:

Security Management

Page 29:

Figure 9-7: Planning Principles

Security is a Management Issue, Not a Technical Issue

Without good management, technology cannot be effective.

Like a car: if you don’t know how to drive, you are not likely to be able to use it effectively.

Soldiers are not just given weapons; they must be trained extensively in tactics, etc.

Page 30:

Figure 9-7: Planning Principles

Plan-Protect-Respond Cycle

Three phases endlessly repeating

Planning: preparing for defense

Protecting: implementing planned protections

Responding: stopping attacks and repairing damage when protections fail

Page 31:

Figure 9-7: Planning Principles

Risk Analysis: Cost of protections should not exceed probable damage

Annual probability of damage

Damage from a successful incident (say, $50,000)

Times the annual probability of success (say, 10%)

Gives the probable annual loss ($5,000)

Page 32:

Figure 9-7: Planning Principles

Risk Analysis: Cost of protection

If a protection can reduce the annual probability of damage by a certain amount, up to this amount can be spent on the protection

Example: Protection A can reduce the annual probability of damage by 50% ($2,500)

If Protection A costs $1,000 per year, use it.

If Protection A costs $4,000 per year, don’t use it.

Page 33:

Figure 9-7: Planning Principles

Comprehensive Security

Attacker is intelligent

Attacker only has to find one weakness

Firm needs comprehensive security to close all avenues of attack

Page 34:

Figure 9-7: Planning Principles

Defense in Depth

Every protection breaks down sometimes

Attacker should have to break through several lines of defense to succeed

Providing this protection is called defense in depth

(Diagram: Defense 1, which fails, backed by Defense 2.)

Page 35:

Authentication

Pages 36-39:

Figure 9-8: Authentication and Authorization (diagram with three parties: applicant, verifier, and authentication server)

1. Credentials (password, etc.): applicant to verifier

2. OK?: verifier to authentication server

3. OK and authorizations: authentication server to verifier

4. Welcome: verifier to applicant

Page 40:

Figure 9-9: Password Authentication

Passwords: strings of characters

Typed to authenticate use of a username (account) on a computer

Benefits: ease of use for users (familiar)

Inexpensive because built into operating systems

Page 41:

Figure 9-9: Password Authentication

Often weak (easy to crack): word and name passwords are common

Can be cracked quickly with dictionary attack

Passwords should be complex: mix case, digits, and other keyboard characters ($, #, etc.)

Can only be cracked with brute force attacks (trying all possibilities)

Page 42:

Figure 9-9: Password Authentication

Passwords should be long

Six to eight characters minimum

Each added character increases the brute force search time by a factor of up to 75

http://www.umfk.maine.edu/password/password.ppt

Page 43:

Figure 9-10: Digital Certificate Authentication

Digital Certificate

User gets secret private key and non-secret public key

Digital certificates give the name of a true party and his or her public key

Page 44:

Figure 9-10: Digital Certificate Authentication

Testing a Digital Signature

Applicant performs a calculation with his or her private key

Verifier tests calculation using the public key found in the true party’s digital certificate

If the test succeeds, the applicant must be the true party

Page 45:

Figure 9-11: Testing a Digital Signature (diagram)

Digital certificate: name of true party, public key of true party

Digital signature: created with the private key of the applicant; added to each message

Authentication

Page 46:

Figure 9-10: Digital Certificate Authentication

Strong Authentication: the strongest method today

Expensive and Time-Consuming to Implement: software must be added to clients and servers, and each computer must be configured

Expensive because there are so many clients in a firm

Page 47:

Figure 9-10: Digital Certificate Authentication

Client Weaknesses: sometimes, only the server gets a digital certificate

Client uses passwords or something else

Page 48:

Figure 9-11: Testing a Digital Signature

Verifier must test the digital signature with the public key of the true party.

If the test succeeds, the applicant must have the true party’s private key.

Only the true party should know this private key; so the applicant must be the true party.
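The signature test of Figures 9-10 and 9-11 as an added Go example (not code from the slides or from Panko's text): the certificate here is a constructed struct binding a name to an Ed25519 public key, with the certificate authority's own signature omitted, and the message and party names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is a cut-down stand-in for a digital certificate: it binds the
// name of the true party to that party's public key. A real certificate also
// carries the certificate authority's signature; that is omitted here.
type Certificate struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// Enroll creates the true party's key pair and the certificate naming it.
// The private key stays with the true party; the certificate can be public.
func Enroll(name string) (Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Certificate{}, nil, err
	}
	return Certificate{Name: name, PublicKey: pub}, priv, nil
}

// Sign is the applicant's calculation with his or her private key over the
// message; the result is added to the message as its digital signature.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify is the verifier's test. It uses only the public key found in the
// true party's certificate and succeeds exactly when the signature was made
// with the matching private key over this exact message.
func Verify(cert Certificate, msg, sig []byte) bool {
	return ed25519.Verify(cert.PublicKey, msg, sig)
}

// Scenario runs the three cases a verifier must tell apart and reports
// whether each signature passed the test against the true party's certificate.
func Scenario() (truePartyOK, impostorOK, tamperedOK bool, err error) {
	cert, truePriv, err := Enroll("Merchant")
	if err != nil {
		return false, false, false, err
	}
	// An impostor holds a key pair of their own but claims to be "Merchant".
	_, impostorPriv, err := Enroll("Impostor")
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("order 1234: ship 10 units") // constructed message

	truePartyOK = Verify(cert, msg, Sign(truePriv, msg))
	impostorOK = Verify(cert, msg, Sign(impostorPriv, msg))

	// A valid signature does not carry over to a modified message.
	altered := []byte("order 1234: ship 100 units")
	tamperedOK = Verify(cert, altered, Sign(truePriv, msg))
	return truePartyOK, impostorOK, tamperedOK, nil
}

func main() {
	tp, imp, tam, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("true party: %v, impostor: %v, tampered message: %v\n", tp, imp, tam)
}
```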

Page 49:

Figure 9-12: Biometric Authentication

Biometric Authentication: based on bodily measurements

Promises to dramatically simplify authentication

Page 50:

Figure 9-12: Biometric Authentication

Fingerprint Scanning: simple and inexpensive

Substantial error rate (misidentification)

Often can be fooled fairly easily by impostors

Dominates biometrics today

Page 51:

Figure 9-12: Biometric Authentication

Iris Scanners: scan the iris (colored part of the eye)

Irises are complex, so strong authentication

Expensive

(Do NOT shine light in your eyes; scanner is a camera.)

Page 52:

Figure 9-12: Biometric Authentication

Face Recognition

Camera allows analysis of facial structure

Can be done surreptitiously—without the knowledge or consent of person being scanned

Very high error rate and easy to fool

Page 53:

Figure 9-12: Biometric Authentication

Error Rates and Deception

Error and deception rates are higher than vendors claim

Usefulness of biometrics is uncertain

Page 54:

Firewalls, IDSs, and IPSs

Page 55:

Figure 9-13: Firewall Operation (diagram: packets arriving from the Internet pass through a static packet filter firewall on the way into the corporate network; a legitimate packet is permitted (passed), an attack packet is denied (dropped), and decisions are written to a log file; the packets shown carry an IP header with a TCP header, a UDP header, or an ICMP message, plus an application message)

Page 56:

Figure 9-14: Access Control List (ACL) for a Packet Filter Firewall

1. If destination IP address = 60.47.3.9 AND TCP destination port = 80 OR 443, PASS [connection to a public webserver]

2. If ICMP Type = 0, PASS [allow incoming echo reply messages]

3. If TCP destination port is between 49153 AND 65535, PASS [allow incoming packets to ephemeral TCP port numbers]

Page 57:

Figure 9-14: Access Control List (ACL) for a Packet Filter Firewall

4. If UDP destination port is between 49153 AND 65535, PASS [allow incoming packets to ephemeral UDP port numbers]

5. DENY ALL [deny all other packets]

Page 58:

Figure 9-15: Stateful Firewall Default Operation (diagram: an internal host and an external host; internally initiated communication is allowed, while externally initiated communication is stopped, marked X)
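Figure 9-14's static ACL and Figure 9-15's stateful default, side by side, as an added Go example (not code from the slides or from Panko's text). The webserver address 60.47.3.9 and the port numbers are the slides'; rules 3 and 4 are taken to mean the port range 49153 to 65535; the sample packets and the addresses 203.0.113.5 and 60.47.3.20 are constructed.

```go
package main

import "fmt"

// Packet holds the header fields a packet filter looks at. Proto is "tcp",
// "udp" or "icmp"; ICMPType only matters for icmp. Inbound is true for a
// packet arriving from the Internet side of the firewall.
type Packet struct {
	SrcIP, DstIP     string
	Proto            string
	SrcPort, DstPort int
	ICMPType         int
	Inbound          bool
}

// Rule is one ACL entry. Rules are tried top to bottom; the first match wins.
type Rule struct {
	Name  string
	Match func(p Packet) bool
	Pass  bool
}

// ACL is Figure 9-14 as written, with rules 3 and 4 read as the port range
// 49153..65535 and the public webserver at 60.47.3.9 taken from the slide.
var ACL = []Rule{
	{"public webserver", func(p Packet) bool {
		return p.DstIP == "60.47.3.9" && p.Proto == "tcp" && (p.DstPort == 80 || p.DstPort == 443)
	}, true},
	{"echo reply", func(p Packet) bool { return p.Proto == "icmp" && p.ICMPType == 0 }, true},
	{"ephemeral tcp", func(p Packet) bool {
		return p.Proto == "tcp" && p.DstPort >= 49153 && p.DstPort <= 65535
	}, true},
	{"ephemeral udp", func(p Packet) bool {
		return p.Proto == "udp" && p.DstPort >= 49153 && p.DstPort <= 65535
	}, true},
	{"deny all", func(p Packet) bool { return true }, false},
}

// StaticFilter applies the ACL to one inbound packet and reports the decision
// and the rule that made it. Static filtering has no memory: rule 3 passes
// any TCP packet to an ephemeral port, whoever sent it.
func StaticFilter(p Packet) (pass bool, rule string) {
	for _, r := range ACL {
		if r.Match(p) {
			return r.Pass, r.Name
		}
	}
	return false, "deny all" // not reached while the ACL ends in DENY ALL
}

// Stateful is Figure 9-15's default behaviour: remember connections that an
// internal host opened and let in only packets that belong to one of them.
type Stateful struct {
	open map[string]bool
}

func NewStateful() *Stateful { return &Stateful{open: map[string]bool{}} }

// flowKey names a connection from the internal host's point of view so that
// the outbound request and the inbound reply map to the same entry.
func flowKey(inIP string, inPort int, outIP string, outPort int, proto string) string {
	return fmt.Sprintf("%s:%d->%s:%d/%s", inIP, inPort, outIP, outPort, proto)
}

// Filter records outbound packets and admits inbound ones only if they match
// a recorded connection.
func (s *Stateful) Filter(p Packet) bool {
	if !p.Inbound {
		s.open[flowKey(p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, p.Proto)] = true
		return true
	}
	return s.open[flowKey(p.DstIP, p.DstPort, p.SrcIP, p.SrcPort, p.Proto)]
}

func main() {
	// Constructed sample traffic: a browser hit on the public webserver, a
	// reply to a connection an internal host opened, and an unsolicited
	// external packet aimed at an ephemeral port.
	ext, internal := "203.0.113.5", "60.47.3.20"
	request := Packet{SrcIP: internal, DstIP: ext, Proto: "tcp", SrcPort: 50000, DstPort: 80}
	reply := Packet{SrcIP: ext, DstIP: internal, Proto: "tcp", SrcPort: 80, DstPort: 50000, Inbound: true}
	unsolicited := Packet{SrcIP: ext, DstIP: internal, Proto: "tcp", SrcPort: 4444, DstPort: 50001, Inbound: true}
	web := Packet{SrcIP: ext, DstIP: "60.47.3.9", Proto: "tcp", SrcPort: 51000, DstPort: 443, Inbound: true}

	s := NewStateful()
	s.Filter(request)
	for _, p := range []Packet{web, reply, unsolicited} {
		pass, rule := StaticFilter(p)
		fmt.Printf("%s:%d -> %s:%d  static: pass=%v (%s)  stateful default: pass=%v\n",
			p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, pass, rule, s.Filter(p))
	}
}
```

The stateful default alone also drops the packet for the public webserver; a stateful firewall carries explicit ACL rules for such servers on top of its connection table.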

Page 59:

Figure 9-16: Application Firewalls

Application Firewalls

Examine application layer messages in packets

Packet filter firewalls and stateful firewalls do not look at application messages at all

This makes them vulnerable to certain attacks

Page 60:

Figure 9-16: Application Firewalls

Application Fidelity

Requiring the application using a well-known port to be the application that is supposed to use that port

For instance, if an application uses Port 80, application firewall requires it to be HTTP, not a peer-to-peer file transfer program or something else

This is called enforcing application fidelity

Page 61:

Figure 9-16: Application Firewalls

Limited Content Filtering

Allow FTP Get commands but stop FTP Put commands

Do not allow HTTP connections to black-listed (banned) websites

E-mail application server may delete all attachments

Page 62:

Figure 9-16: Application Firewalls

Antivirus Scanning

Few application firewalls do antivirus filtering

Packets also must be passed through separate antivirus filtering programs

Page 63:

Figure 9-17: Defense in Depth with Firewalls (diagram, from the Internet inward: a screening border router with packet filter firewall software, the main firewall (a stateful inspection firewall), an application firewall for e-mail, HTTP, etc., and finally the client with host firewall software at the site)

Page 64:

Figure 9-18: Firewalls (diagram: the Internet firewall between the Internet and the internal corporate network admits an allowed legitimate packet from a legitimate host to the hardened server; a hardened client PC, an IDS, a network management console, and a log file sit on the internal network)

Page 65:

Figure 9-18: Firewall (diagram: the same network; the firewall denies an attack packet from the attacker)

Page 66:

Figure 9-18: Intrusion Detection System (IDS) (diagram: a suspicious packet from the attacker reaches the hardened server; the IDS records it in its log file and sends an alarm about the suspicious packet to the network management console)

Page 67:

Figure 9-18: Intrusion Prevention Systems (IPSs)

Firewalls stop simple attacks

IDSs can identify complex attacks involving multiple packets

But many false positives (false alarms)

Intrusion prevention systems (IPSs): like IDSs, can identify complex attacks

Unlike IDSs, also stop these attacks

Only allowed to stop clearer complex attacks
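How an IDS can see a multi-packet attack that a firewall judging one packet at a time cannot, and why that produces false positives, as an added Go example (not code from the slides or from Panko's text): a sliding-window flood detector run over constructed sensor records. The victim address 60.168.47.47 is the slides'; the sources 203.0.113.7, 192.0.2.10 and 192.0.2.20, the log format, the window and the thresholds are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is one packet record as an IDS sensor sees it: arrival time in whole
// seconds, source address and destination address.
type Event struct {
	T        int
	Src, Dst string
}

// ParseLog reads constructed sensor lines of the form "<seconds> <src> <dst>".
func ParseLog(text string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		t, err := strconv.Atoi(f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %v", line, err)
		}
		out = append(out, Event{T: t, Src: f[1], Dst: f[2]})
	}
	return out, nil
}

// Alarm reports that Src sent more than the threshold of packets to Dst inside
// one window; Count is the count in the window that fired, At its end time.
type Alarm struct {
	Src, Dst string
	Count    int
	At       int
}

// DetectFloods slides a window of `window` seconds over the events and raises
// one alarm per (src, dst) pair the first time its packet count exceeds
// `threshold`. Correlating many packets is what lets an IDS see a flood; the
// threshold is the knob that trades missed attacks against false positives.
func DetectFloods(events []Event, window, threshold int) []Alarm {
	sort.SliceStable(events, func(i, j int) bool { return events[i].T < events[j].T })
	type flow struct{ src, dst string }
	recent := map[flow][]int{} // timestamps still inside the window, per flow
	alarmed := map[flow]bool{}
	var alarms []Alarm
	for _, e := range events {
		f := flow{e.Src, e.Dst}
		q := append(recent[f], e.T)
		cut := 0
		for cut < len(q) && q[cut] <= e.T-window { // expire old timestamps
			cut++
		}
		recent[f] = q[cut:]
		if len(recent[f]) > threshold && !alarmed[f] {
			alarmed[f] = true
			alarms = append(alarms, Alarm{Src: e.Src, Dst: e.Dst, Count: len(recent[f]), At: e.T})
		}
	}
	return alarms
}

// SampleLog builds constructed traffic toward the victim 60.168.47.47: a zombie
// sending 40 packets in 4 s, a quiet client, and a busy but legitimate client.
func SampleLog() string {
	var b strings.Builder
	for i := 0; i < 40; i++ {
		fmt.Fprintf(&b, "%d 203.0.113.7 60.168.47.47\n", 100+i/10)
	}
	for i := 0; i < 3; i++ {
		fmt.Fprintf(&b, "%d 192.0.2.10 60.168.47.47\n", 100+i)
	}
	for i := 0; i < 12; i++ { // a page fetch: 12 packets in 2 s
		fmt.Fprintf(&b, "%d 192.0.2.20 60.168.47.47\n", 200+i/6)
	}
	return b.String()
}

func main() {
	events, err := ParseLog(SampleLog())
	if err != nil {
		panic(err)
	}
	// At threshold 10 the busy client is a false positive; at 20 only the
	// zombie's flood remains, at the price of missing smaller floods.
	for _, threshold := range []int{10, 20} {
		fmt.Printf("window 5 s, threshold %d:\n", threshold)
		for _, a := range DetectFloods(events, 5, threshold) {
			fmt.Printf("  alarm: %s -> %s, %d packets by t=%d\n", a.Src, a.Dst, a.Count, a.At)
		}
	}
}
```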

Page 68:

Figure 9-19: Cryptographic System (SSL/TLS)

Applicant (Customer Client) without Digital Certificate

Verifier (Merchant Webserver) with Digital Certificate

Provides Protection at Transport Layer

Protects All Application Traffic That Is SSL/TLS-Aware (Mostly HTTP)

Page 69:

Figure 9-19: Cryptographic System (SSL/TLS)

Applicant (Customer Client) without Digital Certificate

Verifier (Merchant Webserver) with Digital Certificate

1. Negotiation of Security Options (Brief)

2. Merchant Authenticates Self to Customer; Uses a Digital Certificate

Customer Authentication Is Optional and Uncommon

Page 70:

Figure 9-19: Cryptographic System (SSL/TLS)

Applicant (Customer Client) without Digital Certificate

Verifier (Merchant Webserver) with Digital Certificate

3. Client Generates Random Session Key; Client Sends It to Server Encrypted by Merchant’s Public Key

4. Ongoing Communication with Confidentiality and Merchant Digital Signatures

Page 71:

Figure 9-19: Cryptographic System (SSL/TLS)

Perspective

Initial Hand-Shaking Phases Are Very Brief (Milliseconds)

The Last Phase (Ongoing Communication) Accounts for Almost All of the Total Communication

Page 72:

Encryption for Confidentiality

Page 73:

Figure 9-20: Symmetric Key Encryption and Public Key Encryption

Symmetric Key Encryption for Confidentiality (diagram: Party A applies an encryption method and a symmetric key to the message “Hello” and sends the encrypted message to Party B across a network on which an interceptor listens)

Encryption uses a non-secret encryption method and a secret key

Page 74:

Figure 9-20: Symmetric Key Encryption and Public Key Encryption

Symmetric Key Encryption for Confidentiality (diagram continued)

Interceptor cannot read encrypted messages

Page 75:

Figure 9-20: Symmetric Key Encryption and Public Key Encryption

Symmetric Key Encryption for Confidentiality (diagram continued: Party B applies the decryption method with the same symmetric key and recovers the message “Hello”)

Receiver decrypts the message using the same encryption method and the same symmetric key

Page 76:

Figure 9-20: Symmetric Key Encryption and Public Key Encryption

Public Key Encryption for Confidentiality (diagram: Party A encrypts with Party B’s public key and Party B decrypts with Party B’s private key; in the other direction, Party B encrypts with Party A’s public key and Party A decrypts with Party A’s private key)

Note: Four keys are used to encrypt and decrypt in both directions

Page 77:

Figure 9-21: Other Aspects of Protection

Hardening Servers and Client PCs

Setting up computers to protect themselves

Server Hardening

Patch vulnerabilities

Minimize applications running on each server

Use host firewalls

Backup so that restoration is possible

Page 78:

Figure 9-21: Other Aspects of Protection

Hardening Servers and Client PCs: Client PC Hardening

As with servers, patching vulnerabilities, minimizing applications, having a firewall, and implementing backup

Also, a good antivirus program that is updated regularly

Client PC users often make errors or sabotage hardening techniques

Page 79:

Figure 9-21: Other Aspects of Protection

Vulnerability Testing

Protections are difficult to set up correctly

Vulnerability testing is attacking your system yourself or through a consultant

There must be follow-up to fix vulnerabilities that are discovered

Page 80:

Incident Response

Dealing with attacks that succeed

Page 81:

Figure 9-22: Incident Response

Response Phases: Detecting the attack

If not detected, damage will continue unabated

IDS or employee reports are common ways to detect attacks

Stopping the attack

Depends on the attack

Reconfiguring firewalls may work

Page 82:

Figure 9-22: Incident Response

Response Phase: Repairing the damage

Sometimes as simple as running a cleanup utility

Sometimes, must reformat a server disk and reinstall software

Can be very expensive if the attacker has done much damage

Page 83:

Figure 9-22: Incident Response

Response Phase: Punishing the attackers

Easier to punish employees than remote attackers

Forensic tools collect data in a manner suitable for legal proceedings

Page 84:

Figure 9-22: Incident Response

Major Attacks and CSIRTs

Major attacks cannot be handled by the on-duty staff

On-duty staff convenes the computer security incident response team (CSIRT)

CSIRT has people from security, IT, functional departments, and the legal department

Page 85:

Figure 9-22: Incident Response

Disasters

Natural and attacker-created disasters

Can stop business continuity (operation)

Data backup and recovery are crucial for disaster response

Dedicated backup facilities versus real-time backup between different sites

Page 86:

Figure 9-22: Incident Response

Disasters: Business continuity recovery is broader

Protecting employees

Maintaining or reestablishing communication

Providing exact procedures to get the most crucial operations working again in correct order

Page 87:

Topics Covered

Page 88:

Topics Covered

A Wide Variety of Attacks

Viruses and Worms

Hacking (Break-in): Scanning, Break-In, Exploitation (delete log files, create backdoors, do damage)

Denial-of-Service (DoS) Attacks

Employee misuse of the Internet

Growing in frequency (and viciousness)

Page 89:

Topics Covered

A Wide Variety of Attackers

Traditional Attackers

Wizard attackers

Employees and Ex-Employees

Criminals (Exploding)

Cyberterrorists and National Governments

Page 90:

Topics Covered

A Management Issue, not a Technical Issue

Technology does not work automatically

Planning

Risk analysis

Comprehensive security

Defense in depth

Page 91:

Topics Covered

Authentication and Authorization

Authentication servers give consistency

Passwords (weak)

Digital signatures and digital certificates: High security but difficult to implement

Biometric authentication: Could eliminate passwords; error rates and deception

Page 92:

Topics Covered

Firewalls

Drop and log packets

Packet filter firewalls and ACLs

Stateful firewalls (dominate for main firewalls today)

Application firewalls filter application content; usually do NOT provide antivirus filtering

Defense in depth with multiple firewalls

IDSs to detect complex attacks

IPSs to stop some complex attacks

Page 93:

Topics Covered

Cryptographic Systems

Negotiate security parameters

Authentication

Key exchange

Ongoing communication (dominates)

SSL/TLS: Cryptographic system used in e-commerce

Protects HTTP communication

Page 94:

Topics Covered

Encryption for Confidentiality

Symmetric key encryption: Both sides use the same symmetric key; dominates because fast and efficient

Public key encryption: Each side has a secret private key and a non-secret public key

Page 95:

Topics Covered

Hardening Servers and Client PCs

Patching vulnerabilities

Minimize applications

Host firewalls

Backup

Clients: antivirus filtering (users may sabotage)

Vulnerability Testing

Page 96:

Topics Covered

Incident Response

Detection, stopping, repair, punishment

CSIRTs for major attacks too big for the on-duty staff to handle

Disaster response and business continuity recovery