CP5603 Lecture 11 2011-09-27 Revision


Transcript of CP5603 Lecture 11 2011-09-27 Revision

  • 8/4/2019 CP5603 Lecture 11 2011-09-27 Revision

    1/70

    CP5603 E-Security

    Lecture 11 Revision

    Tuesday 27 September 2011

    2/70

    Last lecture is only revision, will be quick.

    Final exam! Check the exam timetable.

    Final Exam

    3/70

    Internet History

    1957: Russia launches Sputnik.

    U.S. Government creates the Defense Advanced Research Projects Agency (DARPA).

    1967: starts to develop a data network that can survive a nuclear war.

    A mesh of connections so that as bases get nuked, network traffic can travel around the damage.

    4/70

    Key Security Concepts

    The CIA Triad

    If it's secret, you can't get to it or change it.

    If you can get to it or change it, it's not secret.

    5/70

    Balancing Security and Access

    6/70

    5 Most Common Passwords

    [Bar chart; axis: % of all accounts]

    7/70

    Passwords Are Encrypted

    Encryption: the original password gets messed up, so nobody can read it.

    This happens when a password is saved to disk or sent over a network.

    8/70

    Sniffing Encrypted Passwords

    [Diagram labels: Internet Bank User, Internet Bank Web Site, Intruder, Encrypted Password]

    9/70

    What Is IP Spoofing?

    To spoof = to pretend to be someone else.

    IP spoofing: you pretend to be another computer, take over their IP number.

    Pretend to be 2 other computers.

    All traffic between the two computers can be routed through your computer.

    Example: firewall and the email server so you can read emails.

    10/70

    Source: www.ethereal.com

    11/70

    Dictionary-Based Password Crackers

    No way to turn an encrypted password back into the password.

    But you can encrypt any word: encrypted word = encrypted password?

    Encrypt every word in the dictionary!

    There is free software to do this.

    Then compare encrypted password to encrypted dictionary word.

    If you find a match, you are in!

    12/70

    Dictionary-Based Password Crackers

    Encrypted password: A5Ibo25Gj

    Encrypt every word in the dictionary!

    Aardman Y5iR4Bz2

    Aardvark 8Ip5TyUkl

    Abba tL519vh59

    Abcama Q0h2nv8s

    Petunia A5Ibo25Gj Yes!

    13/70

    Dictionary-Based Password Crackers

    Word lists can be from:

    A dictionary.

    List of names of people and places.

    All the words on the victim's hard drive.

    Software will also:

    Add numbers to the front and back of each word.

    Do upper / lower case.

    petunia, petunia1, 1petunia, Petunia, Petunia1, 1Petunia, etc.

    14/70

    FBI Dictionary-Based Cracker

    The FBI has a program for finding passwords:

    Uses all the words on the victim's / criminal's hard drive.

    Has a 50% success rate.

    Runs as a screensaver, so all the idle office PCs are running it.

    So don't use a password that is similar to any word in any file or email.
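The advice above can be turned into a password-acceptance check. The following is an added example, not part of the lecture: it rejects a candidate password that is a listed word, a case or leading/trailing-digit variant of one, or merely similar to one. The word list, the function names and the 0.8 similarity cutoff are assumptions made for illustration.

```python
import difflib
import re

# Constructed sample list. In practice: a dictionary, names of people and
# places, and words harvested from the user's own files (see words_from_text).
SAMPLE_WORDS = {"petunia", "aardvark", "abba"}

def words_from_text(text, min_len=4):
    """Collect lower-cased words from a document or email body."""
    return {w.lower() for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len}

def base_forms(password):
    """Undo the variations a cracker tries: case changes and digits added
    to the front or back of a word."""
    lowered = password.lower()
    stripped = re.sub(r"^\d+|\d+$", "", lowered)
    return {lowered, stripped}

def is_guessable(password, words=SAMPLE_WORDS, cutoff=0.8):
    """True if the password is a listed word, a digit/case variant of one,
    or merely similar to one (difflib ratio >= cutoff, an assumed threshold)."""
    for form in base_forms(password):
        if form in words:
            return True
        if form and difflib.get_close_matches(form, words, n=1, cutoff=cutoff):
            return True
    return False

def audit(passwords, words=SAMPLE_WORDS):
    """Return the candidate passwords that should be rejected."""
    return [p for p in passwords if is_guessable(p, words)]

if __name__ == "__main__":
    # Constructed sample text standing in for a user's file or email.
    own_words = words_from_text("Meeting with Petunia at the Townsville wharf")
    print(audit(["1Wharf", "Petun1a99", "vK7#qL2!xw"], own_words))
```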

    15/70

    Threats and Attacks

    16/70

    Threats

    Threat: an object, person, or other entity that represents a constant danger to an asset

    Management must be informed of the different threats facing the organization

    The 2006 CSI/FBI survey found:

    72 percent of organizations reported cyber security breaches within the last 12 months

    52 percent of respondents identified unauthorized computer use

    17/70

    Threats to Information Security

    18/70

    Figure 2-1 Acts of Human Error or Failure

    19/70

    New York City with no electricity

    20/70

    Attacks

    Act or action that exploits a vulnerability (i.e., a weakness) in a controlled system

    Accomplished by a threat agent that damages or steals the organization's information

    21/70

    Types of Attacks

    We can distinguish 2 types of attacks:

    Active attack: attempts to alter system resources or affect their operation

    Passive attack: attempts to learn or make use of information from the system, but does not change a system

    Can also classify attacks by their origin:

    Inside attack: Initiated by an entity inside the organization (an "insider").

    Outside attack: Initiated from outside the organization (an "outsider").

    22/70

    A Passive Attack: the USS Jimmy Carter

    23/70

    USS Jimmy Carter

    A submarine with a gap in the pressure hull.

    Lets it land on top of an undersea cable and pull the cable inside, to attach a listening device to the cable.

    http://news.zdnet.com/2100-9595_22-529826.html

    How legal is this?

    Should you go to jail for copying DVDs?

    24/70

    25/70

    Figure 2-9 - Denial-of-Service Attacks

    26/70

    27/70

    Figure 2-11 - Man-in-the-Middle

    28/70

    Laws, Ethics, Policies

    29/70

    The Differences Between Laws and Ethics

    1. Laws: rules that mandate or prohibit certain actions or behaviours.

    Enforced by violence!

    Even if you didn't know the law.

    2. Ethics: define socially acceptable behavior.

    Not really enforced.

    Except by social pressure.

    You might not be invited to the best dinners.

    30/70

    The Differences Between Policy and Law

    Another difference:

    Law: if you didn't know the law, you still go to prison.

    Policy: if you didn't know the policy, it's okay.

    31/70

    The Differences Between Policy and Law

    Do you think it's okay to go to jail for breaking a law you didn't know?

    Every week, 50 pages of new laws are created in Australia.

    32/70

    Digital Millennium Copyright Act (DMCA)

    A law from the U.S. Federal government.

    Supposed to reduce piracy and copyright infringement.

    33/70

    In the U.S., it's illegal to break technology-based protection.

    Even if you bought a legal copy, you:

    Can't copy a DVD that you bought.

    Can't possess open-source software for playing a DVD that you bought.

    Can't play your legal DVD with Linux.

    Linux distributions used in the U.S. don't come with DVD playing software.

    Is this fair?

    Digital Millennium Copyright Act

    34/70

    Risk Control Strategies

    Once the ranked vulnerability risk worksheet is complete, must choose one of four strategies to control each risk:

    1. Apply safeguards (avoidance)

    2. Transfer the risk (transference)

    3. Reduce impact (mitigation)

    4. Understand consequences and accept risk (acceptance)

    35/70

    1. Avoidance

    Attempts to prevent exploitation of the vulnerability

    Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards

    Three common methods of risk avoidance:

    1. Application of policy

    2. Training and education

    3. Applying technology

    36/70

    2. Transference

    Control approach that attempts to shift risk to other assets, processes, or organizations

    If lacking, organization should hire individuals/firms that provide security management and administration expertise

    Organization may then transfer risk associated with management of complex systems to another organization experienced in dealing with those risks

    37/70

    3. Mitigation

    Attempts to reduce impact of vulnerability exploitation through planning and preparation

    Approach includes three types of plans:

    Incident response plan (IRP)

    Disaster recovery plan (DRP)

    Business continuity plan (BCP)

    38/70

    3. Mitigation (continued)

    DRP is most common mitigation procedure

    The actions to take while incident is in progress are defined in IRP

    BCP encompasses continuation of business activities if catastrophic event occurs

    39/70

    4. Acceptance

    Doing nothing to protect a vulnerability and accepting the outcome of its exploitation

    Valid only when the particular function, service, information, or asset does not justify cost of protection; use cost-benefit?

    Risk appetite describes the degree to which organization is willing to accept risk as trade-off to the expense of applying controls

    40/70

    4. Acceptance: Dinosaurs and Meteors

    There is a tiny chance that your nuclear reactor will destroy the city. Should you turn it off?

    41/70

    Acceptance: Risk Matrix

    Frequency of Losses helps quantify probability

    Consequence         1 - Unlikely   2 - Occasional   3 - Probable   4 - Frequent
    4 - Catastrophic    C              B                A              A
    3 - Critical        D              C                B              A
    2 - Marginal        D              D                C              B
    1 - Negligible      D              D                D              C

    Columns: Increasing Frequency. Rows: Increasing Consequence.

    EFU Risk Management

    42/70

    Key Technology Components

    Firewall: device that selectively discriminates against information flowing into or out of organization

    Demilitarized Zone (DMZ): no-man's land between inside and outside networks where some organizations place Web servers

    Intrusion Detection Systems (IDSs): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS

    43/70

    Figure 5-18 Key Components

    44/70

    45/70

    137.219.16.23

    46/70

    Dual-Connection Routers

    The filtering routers have 2 connections:

    External filtering router:

    Public IP address is 137.219.16.23

    DMZ IP address is 10.10.10.2

    Internal filtering router:

    DMZ IP address is 10.10.10.3

    Local IP address is 192.168.2.1

    User PCs have addresses in 192.168.*.* with gateway 192.168.2.1 to the Internet.

    47/70

    Port numbers go up to 65536.

    1024 and above are open to any program.

    Usually for replies from servers.

    48/70

    Network-Based IDPS (NIDPS)

    Resides on a computer or appliance connected to segment of an organization's network.

    Separate from any computer used for work.

    Looks for signs of attacks

    When examining packets, the NIDPS looks for attack patterns.

    Installed at a place in the network where it watches traffic going in and out of particular segment.

    e.g., between the web server and the gateway.

    49/70

    50/70

    Access Control

    51/70

    Need 2 Or More Access Controls

    Any single access control device can be defeated:

    Fingerprint: point a gun at their head and tell them to swipe their finger.

    Password can be copied.

    Security guard can be bribed.

    With 2 access control devices, then it's much harder to defeat both of them at the same time.

    52/70

    Biometrics: Accuracy and Cost

    Accurate results cost more money.

    53/70

    54/70

    Encryption

    Plaintext: the original information.

    Ciphertext: mixed up, to make it unreadable.

    A cipher is another word for a code.

    Encryption algorithms are complicated, but you need a key to encrypt and a key to decrypt.

    [Diagram: Sender, plaintext -> Encryption -> ciphertext -> Network -> ciphertext -> Decryption -> plaintext, Receiver; labelled "Shared Secret-Key"]

    55/70

    Caesar Cipher

    A type of substitution cipher:

    Each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet.

    For example, with a shift (or key) of 3:

    A → D

    B → E

    C → F and so on.

    Plain:  ABCDEFGHIJKLMNOPQRSTUVWXYZ

    Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC

    Plaintext:  THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG

    Ciphertext: WKH TXLFN EURZQ IRA MXPSV RYHU WKH ODCB GRJ

    56/70

    Cipher Methods (continued)

    Cryptosystems typically made up of algorithms, data handling techniques, and procedures

    Substitution cipher: substitute one value for another

    Monoalphabetic substitution: uses only one alphabet

    Polyalphabetic substitution: more advanced; uses two or more alphabets

    Vigenère cipher: advanced cipher type that uses simple polyalphabetic code; made up of 26 distinct cipher alphabets

    57/70

    Vigenère cipher:

    Uses all 26 possible substitutes.

    Polyalphabetic

    A different one for each letter.
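The two substitution ciphers from the preceding slides, as an added example that is not part of the lecture. It treats the Caesar cipher as a Vigenère cipher with a one-letter key and shows the monoalphabetic/polyalphabetic difference by collecting the ciphertext letters that a single plaintext letter maps to. The key LEMON and the function names are assumptions chosen for illustration.

```python
import string

ALPHABET = string.ascii_uppercase

def vigenere(text, key, decrypt=False):
    """Shift each letter by the alphabet position of the matching key letter.
    Spaces and punctuation pass through and do not use up a key letter."""
    out, used = [], 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        shift = ALPHABET.index(key[used % len(key)].upper())
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        used += 1
    return "".join(out)

def caesar(text, shift, decrypt=False):
    """A Caesar cipher is a Vigenère cipher whose key is a single letter."""
    return vigenere(text, ALPHABET[shift % 26], decrypt)

def images(plain, cipher, letter):
    """Set of ciphertext letters that one plaintext letter was turned into."""
    return {c for p, c in zip(plain.upper(), cipher) if p == letter}

PLAIN = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG"   # sentence from the slide
KEY = "LEMON"                                           # constructed sample key

if __name__ == "__main__":
    mono = caesar(PLAIN, 3)
    poly = vigenere(PLAIN, KEY)
    print(mono, images(PLAIN, mono, "E"))   # one image: monoalphabetic
    print(poly, images(PLAIN, poly, "E"))   # several images: polyalphabetic
```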

    58/70

    Encryption

    The sender encrypts the messages using a key before sending them out to the network.

    The receiver uses the corresponding key to decrypt.

    If the keys are secret, nobody else can read messages.

    Problem: how to distribute keys?

    You need a trusted third party to send the keys.

    59/70

    Encryption/Decryption Keys

    Public-key cipher: two different keys:

    A private key for you.

    A public key for everyone else.

    Public-key encryption gets around the key problem!

    You never send the private key.

    Only send the public key.

    You can tell everyone about the public key.

    Put it on your business card.

    60/70

    Public-Key Encryption/Decryption

    Advantage

    Easy to distribute public key

    More scalable with fewer keys, 2N keys for N users

    Disadvantage

    Complex algorithm (very CPU intensive, but not really a problem for modern computers)

    Still need authentication for the public key (phone to check)

    [Diagram: Sender, plaintext -> Encryption (Receiver's Public key) -> ciphertext -> Network -> ciphertext -> Decryption (Receiver's Private key) -> plaintext, Receiver; the public key is labelled "To the public"]

    61/70

    Public-Key Confidentiality

    John sends to Sue: encrypt with Sue's public key.

    Sue uses her private key to decrypt.

    62/70

    Public-Key Authentication

    Authentication: how do you know that John really sent this message?

    1. John encrypts a message using his private key.

    i.e., John signs the message.

    2. John sends the encrypted message to Sue.

    3. Sue decrypts the received message using John's public key.

    Everyone can decrypt the message since John's public key is known: not confidential!

    Everyone knows that the message can only be sent by John, since only John knows his own

    63/70

    Authentication + Confidentiality

    To provide both authentication and confidentiality, you need to encrypt twice.

    You use your private key and someone else's public key.

    Creates a unique shared key.

    Two ways to create the shared key.

    64/70

    Hybrid Cryptography Systems

    Pure asymmetric key encryption not widely used

    Use asymmetric encryption to share a unique, once-only symmetric key: hybrid.

    Diffie-Hellman Key Exchange method: most common hybrid system; provided foundation for subsequent developments in public-key encryption
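A Diffie-Hellman exchange between John and Sue, as an added example that is not part of the lecture: each side combines its own private key with the other's public key ("two ways to create the shared key") and both arrive at the same symmetric key, which then encrypts the message. The small prime, the generator, the XOR keystream cipher and the fingerprint helper (for the "phone to check" step) are assumptions for illustration only and are not secure choices.

```python
import hashlib
import secrets

# Toy parameters (assumptions): 2**127 - 1 is a known prime, but far too
# small and unvetted for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public): private is random, public = G^private mod P."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def shared_key(my_private, their_public):
    """Combine my private key with their public key into a 32-byte key."""
    secret = pow(their_public, my_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def fingerprint(public):
    """Short digest of a public key, to read out over the phone so a
    swapped key is noticed before it is trusted."""
    return hashlib.sha256(public.to_bytes(16, "big")).hexdigest()[:16]

def xor_stream(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def demo():
    """John and Sue exchange only public keys, then share one message."""
    john_priv, john_pub = keypair()
    sue_priv, sue_pub = keypair()
    k_john = shared_key(john_priv, sue_pub)   # John: his private + Sue's public
    k_sue = shared_key(sue_priv, john_pub)    # Sue: her private + John's public
    ciphertext = xor_stream(k_john, b"meet at noon")
    return k_john == k_sue, xor_stream(k_sue, ciphertext)

if __name__ == "__main__":
    print(demo())
```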

    65/70

    Physical Security

    Seven major sources of physical loss:

    1. Extreme temperature (e.g., fires)

    2. Gases

    3. Liquids

    4. Living organisms (insects, fungus)

    5. Projectiles (e.g., bullets, falling objects)

    6. Movement

    7. Energy anomalies

    66/70

    This Happens More Often Than Crocodiles

    The most common physical security problem.

    67/70

    Fire Security and Safety

    Fires cause more property damage, personal injury, and death than any other physical threat.

    Not guns or flood or lightning or crocodiles.

    68/70

    Heating, Ventilation, and Air Conditioning

    Areas within heating, ventilation, and air conditioning (HVAC) systems that can cause damage to information systems include:

    Temperature

    Filtration (e.g., dust)

    Humidity

    Static electricity

    69/70

    Emergency Shutoff

    Important physical security feature: an off switch.

    Most computer rooms and wiring closets have an emergency power off button.

    70/70

    Exam is something like this

    15 multiple-choice questions: 15 marks

    10 short-answer questions: 35 marks

    120 minutes (plus 10 minutes for reading)

    120 minutes / 50 marks = 2.4 minutes per mark.

    Allow about 35 minutes for multiple choice and 85 minutes for the short answer.