Defining Computer Security
As applied to cybertechnology, security can be thought of in terms of various measures designed to protect against:
(i) unauthorized access to computer systems
(ii) alteration of data that resides in and is transmitted between computer systems
(iii) disruption, vandalism, and sabotage of computer systems and networks.
This is one way to overcome cybercrimes.
Defining Computer Security (continued)
A computer is secure "if you can depend on it and its software behaves as you expect."
According to this definition, at least two conditions must be satisfied: (a) you can depend on your computer (i.e., it is reliable and available); (b) your computer system's software does what it is supposed to do.
Defining Computer Security (continued)
Kizza (1998) argues that computer security involves three elements: Confidentiality, Integrity, and Availability.
Confidentiality focuses on protecting against unauthorized disclosure of information to third parties.
Integrity can be understood as preventing unauthorized modification of files.
Availability means preventing unauthorized withholding of information from those who need it when they need it.
Two Distinct Aspects of Computer Security
The expression "computer security" is sometimes used ambiguously. In one sense, "computer security" refers to concerns related to a computer system's vulnerability to attacks on system hardware and software resources from "malicious programs" (viruses and worms). This aspect of computer security can be referred to as system security.
Two Distinct Aspects of Computer Security (continued)
Another sense of "computer security" is concerned with vulnerability to unauthorized access and modification of data. The data can be either: (a) resident in one or more disk drives or databases in a computer system; (b) transmitted between two or more computer systems. We call this "data security."
[Figure: normal information flow from Information Source to Information Destination. Legend: blue = security controls, red = threats. Items shown, each threat followed by the control or goal set against it: Masquerade / Authenticity; Modification / Integrity; Interception / Confidentiality; Interruption / Availability; Non-Repudiation; Capture / Authorization; Escalation; Identity Theft / Identification; Covering Tracks / Accountability.]
Security Dimension: Security Objectives
Access Control: Ensure that only authorised personnel or devices are allowed access to end-user data that is transiting a network element or communications link or is resident in an offline storage device.
Authentication: Verify the identity of the person or device attempting to access end-user data that is transiting a network element or communications link or is resident in an offline storage device. Authentication techniques may be required as part of Access Control.
Non-Repudiation: Provide a record identifying each individual or device that accessed end-user data that is transiting a network element or communications link, or is resident in offline devices, and the action that was performed. The record is to be used as proof of access to end-user data.
Data Confidentiality: Protect end-user data that is transiting a network element or communications link, or is resident in an offline storage device, against unauthorised access or viewing. Techniques used to address access control may contribute to providing data confidentiality for end-user data.
Communication Security: Ensure that end-user data that is transiting a network element or communications link is not diverted or intercepted as it flows between the end points (without authorised access).
Data Integrity: Protect end-user data that is transiting a network element or communications link or is resident in offline storage devices against unauthorised modification, deletion, creation and replication.
Availability: Ensure that access to end-user data resident in offline storage devices by authorised personnel and devices cannot be denied.
Privacy: Ensure that network elements do not provide information pertaining to the end-user's network activities (e.g. the user's geographic location, websites visited, content, etc.) to unauthorised personnel.
ITU-T X.800 Threat Model (simplified)
1 - Destruction (an attack on availability):
– Destruction of information and/or network resources
2 - Corruption (an attack on integrity):
– Unauthorized tampering with an asset
3 - Removal (an attack on availability):
– Theft, removal or loss of information and/or other resources
4 - Disclosure (an attack on confidentiality):
– Unauthorized access to an asset
5 - Interruption (an attack on availability):
– Interruption of services; the network becomes unavailable or unusable
Computer Security and Computer Crime
Computer security issues often overlap with issues analyzed under the topic of computer crime.
Virtually every violation of security involving cybertechnology is also criminal in nature.
Hence computer security is concerned only with cyber-specific crimes, not with cyber-related crimes.
But not every instance of crime in cyberspace necessarily involves a breach or violation of security.
Computer Security Issues as Distinct from Computer Crime
Some computer-related crimes have no direct implications for computer security. An individual can use a personal computer to:
– make unauthorized copies of software programs;
– stalk a victim in cyberspace;
– elicit sex with young children;
– distribute child pornography;
– engage in illegal gambling activities.
None of these kinds of crimes is a direct result of insecure computer systems.
Security as Related to Privacy
Cyber-related issues involving privacy and security often overlap. Some important distinctions can be drawn.
Privacy concerns often arise because on-line users are concerned about losing control over the ways in which personal information about them can be accessed by organizations (especially by businesses and government agencies).
Securing personal information stored in computer databases is an important element in helping individuals to achieve and maintain their privacy.
The objectives of privacy would seem compatible with, and even complementary to, security.
Security as Related to Privacy (continued)
Privacy and security concerns can be thought of as two sides of a single coin, where each side complements and completes the other.
Many people wish to control who has information about them and how that information is accessed by others: who is accessing it, what they are doing with it, and how.
How Do Security Issues Raise Ethical Concerns?
To realize autonomy, individuals need to have some access control over how information about them is gathered and used.
Computer security can help users realize this goal. Disclosing private information is unethical.
Personal privacy also requires that certain kinds of information stored in electronic databases be kept confidential. Secure computers are needed to ensure this.
Back Doors
Back doors are accounts left by manufacturers and vendors on devices that allow them to bypass a locked-out or clueless system administrator in case of emergency. Every network device comes shipped with more than one default username and password, and these built-in accounts offer administrative privileges to anyone who finds them.
Virus Spread
A virus is a small malicious executable program. A virus can be defined as a program that can be broken into three functional parts: Replication, Concealment, and Bomb.
The combination of these three attributes makes the collective program a virus.
A virus adds a small piece of code to the beginning of the file so that when the file is executed, the virus is loaded into memory before the actual application.
Replication
A virus must include some method of replication, i.e., some way to reproduce or duplicate itself.
When a virus reproduces itself in a file, the result is sometimes referred to as an "infection".
Replication occurs when the virus is loaded into memory and has access to CPU cycles.
A virus cannot spread merely by existing on a hard disk; an infected file must be executed in order for the virus to become active.
Method of Replicating
Resident replicating virus: once loaded into memory, waits for other programs to be executed and then infects them.
Nonresident replicating virus: selects one or more executable files on disk and directly infects them without waiting for them to be processed in memory.
Companion virus: facilitates the loading of the virus code without actually infecting the existing file. It takes advantage of the OS's default order of executing files: e.g., Windows first tries to execute a file with the .com extension, then .exe, and finally .bat.
File Infection
The method of replication can be the result of file infection or boot sector replication. File infection relies on the virus's ability to attach itself to a file. In theory, any type of file is vulnerable to attack.
Attackers tend to focus, however, on files that provide some form of access to CPU cycles. This access can be through direct execution or through some secondary application processing the code.
Some viruses have even embedded themselves in raw source-code files. When the code is eventually compiled, the virus becomes capable of accessing CPU cycles, thus replicating even further.
The most popular type of infection affects directly executable files, such as those with .com, .exe, .pif, or .bat extensions.
Boot Sector Replication
Boot sector viruses infect the system area of the disk that is read when the disk is initially accessed or booted. This area can include the MBR, the OS boot sector, or both.
Concealment
To facilitate replication, a virus must have one or more methods of masking its existence. If a running virus simply showed up on your Windows Taskbar, you'd see the problem right away.
Stealth allows a virus to hide the modifications it made to a file or boot sector.
Small Footprint
Viruses tend to be small. Even a large virus can be less than 2KB in size. This small footprint makes it far easier for the virus to conceal itself on the local storage media and while it is running in memory; it can reside in the space between two stored files.
To ensure that a virus is as small as possible, most viruses are coded in assembly language.
Polymorphic Virus
A polymorphic virus can change its virus signature from one infected file to the next while still remaining operational.
Many virus scanners detect a virus by searching for signature code.
Since a polymorphic virus can change its appearance between infections, it is far more difficult to detect.
One way to produce a polymorphic virus is to include a variety of encryption schemes that use different decryption routines.
Social Engineering Viruses
Social-engineering viruses meet all the criteria of a normal virus, except that they rely on people, not a computer, to spread the infection. A good example of a social engineering virus is the Good Times virus hoax that has circulated on the Internet for many years. This e-mail message announces that a dangerous virus is being circulated via e-mail and has the ability to wipe out all the files on your computer. The message even claims that the virus's existence has been confirmed. People concerned that their friends may be attacked by this virus then forward the hoax to every person in their address books.
Bomb
Our virus has successfully replicated itself and avoided detection. The question now becomes: what will the virus do next? Most viruses are programmed to wait for a specific event. This event can be almost anything, including the arrival of a specific date, the infection of a specific number of files, or even the detection of a predetermined activity.
Worms
Traditionally, a computer worm was considered an application that could replicate itself via a permanent or a dial-up network connection.
Unlike a virus, which seeds itself within the computer's hard disk or file system, a worm is a self-supporting program: it does not need to attach itself to a file.
A typical worm maintains only a functional copy of itself in active memory; it does not even write itself to disk.
Examples: the Vampire Worm, the Great Internet Worm, the Wank Worm.
Trojan Horse
An application that hides a nasty surprise: a process or function that performs an activity the user is unaware of. Trojans are programs that look like ordinary software, but actually perform unintended (and sometimes malicious) actions behind the scenes when launched.
A Trojan may replace network services. It does not replicate.
The "I LOVE YOU" e-mail virus is considered to be a Trojan horse.
How Trojan Horses Are Different From Viruses
– Does not replicate or attach itself to a file.
– Is a stand-alone application that had its bomb included from the original source code.
– A Unix Trojan can replace the Telnet server process (telnetd) and quietly record all logon names and passwords that authenticate to the system.
– Is immediately destructive.
DoS Attack
On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a DoS attack, the attacker sends a stream of requests to a service on the server machine in the hope of exhausting all resources such as memory, or consuming all processor capacity.
E.g. ping broadcast, Smurf, Ping of death, Teardrop attack.
Other DoS attacks are: FTP bounce attacks, port scanning attacks, ping flooding attacks, Smurf attacks, SYN flooding attacks, IP fragmentation/overlapping fragment attacks, IP sequence prediction attacks, DNS cache poisoning, SNMP attacks, Sendmail attacks.
Ping broadcast - A ping request packet is sent to a broadcast network address where there are many hosts. The source address in the packet is set to the IP address of the computer to be attacked. If the router to the network passes the ping broadcast, all computers on the network will respond with a ping reply to the attacked system. The attacked system will be flooded with ping responses, which will make it unable to operate on the network for some time and may even cause it to lock up.
Ping of death - An oversized ICMP datagram can crash IP devices that were made before 1996.
Smurf - An attack where a ping request is sent to a broadcast network address with the sending address spoofed, so that many ping replies come back to the victim and overload the victim's ability to process the replies.
Teardrop Attack
This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment carries an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP stack puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
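As an added example (not part of the lecture notes), the two fragment-level checks a receiving stack can apply before reassembly: rejecting a fragment whose offset lands inside data already received (the teardrop pattern above) and a fragment that would push the datagram past 65535 bytes (the ping-of-death pattern). The Fragment record and the sample queue are constructed for illustration.

```python
"""Fragment sanity checks a receiver can apply before IP reassembly.

Added example, not from the lecture notes. Fragments are modelled as simple
records (not parsed from raw packets) and the sample queue is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

MAX_DATAGRAM = 65535  # largest legal IPv4 datagram, header included


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP Identification field shared by all fragments of one datagram
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload length in bytes
    more: bool    # More Fragments flag; False on the final fragment


def classify_fragments(frags: List[Fragment]) -> str:
    """Classify the fragments of one datagram.

    'oversized': a fragment would land past 65535 bytes (ping-of-death pattern)
    'overlap'  : a fragment's offset falls inside data already covered (teardrop pattern)
    'ok'       : offsets and lengths are consistent (gaps are allowed, since the
                 remaining fragments may simply not have arrived yet)
    """
    covered_to = 0  # end of the highest byte range seen so far
    for frag in sorted(frags, key=lambda f: f.offset):
        if frag.offset + frag.length > MAX_DATAGRAM:
            return "oversized"
        if frag.offset < covered_to:
            return "overlap"
        covered_to = max(covered_to, frag.offset + frag.length)
    return "ok"


def audit_queue(frags: List[Fragment]) -> Dict[int, str]:
    """Group a reassembly queue by Identification and classify each datagram."""
    by_id: Dict[int, List[Fragment]] = {}
    for frag in frags:
        by_id.setdefault(frag.ident, []).append(frag)
    return {ident: classify_fragments(fs) for ident, fs in by_id.items()}


# Constructed sample queue: Fragment(ident, offset, length, more-flag).
SAMPLE_QUEUE = [
    # id 1: an ordinary 3420-byte payload split for a 1500-byte MTU
    Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 460, False),
    # id 2: second fragment starts inside the first one (teardrop pattern)
    Fragment(2, 0, 36, True), Fragment(2, 24, 40, False),
    # id 3: final fragment pushes the datagram beyond 65535 bytes (ping-of-death pattern)
    Fragment(3, 0, 1480, True), Fragment(3, 65520, 100, False),
]

if __name__ == "__main__":
    for ident, verdict in audit_queue(SAMPLE_QUEUE).items():
        print(f"datagram {ident}: {verdict}")
```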
Session Hijacking
An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, and use IP spoofing to claim to be the client who was just authenticated and steal the session.
This can be done by launching an ICMP flood on the server and then acting like the server.
DNS Poisoning
DNS poisoning is an attack where DNS information is falsified. This attack can succeed under the right conditions, but may not be very practical as an attack form. The attacker sends incorrect DNS information, e.g. an incorrect IP address, which can cause traffic to be diverted.
Sniffing
Sniffing is the interception of data packets traversing a network. An example of active intrusion is when packet sniffing is used for IP spoofing.
IP spoofing - An attacker may fake their IP address so the receiver thinks a packet was sent from a location that it is not actually from. This may cause some operating systems such as Windows to crash or lock up.
Similarly, DNS poisoning is used for server spoofing.
Attacks on Different Layers
IP attacks; ICMP attacks; routing attacks; TCP attacks; application layer attacks.
Security Countermeasures
A security countermeasure is an action, device, procedure, technique or other measure that reduces the vulnerability of a computer system to a threat.
We have come to rely increasingly on countermeasures.
Many security analysts believe that countermeasures would not be as necessary as they currently are if better security features were built into computer systems.
Implementing Security
Security is unique to each individual user/company and system. A solution should contain three components for completeness:
– Prevention (access control measures)
– Detection (firewalls, IDS, virus scanners)
– Reaction (disaster mode and severity)
– Recovery (network disaster management systems)
Types of Security Countermeasures
Firewalls (PIX firewall), anti-virus software, encryption tools, anonymity tools, IDS, VPNs, access control, honeypots.
Firewall Technology
A firewall is a system or combination of systems that enforces a boundary between two or more networks.
Firewalls help to secure systems not only from unauthorized access to information in databases, but also help prevent unwanted and unauthorized communication into or out of a privately owned network.
Proxy and PIX Firewalls
A firewall is a "blockage" between an internal privately owned network and an external network, which is not assumed to be secure.
Define IDS
IDS is all about analyzing network traffic to look for evidence of attack. IDS is also about scanning access logs and analyzing the characteristics of files to see if they have been compromised.
An IDS has thousands of attack patterns saved in its database and matches them against ordinary traffic to detect malicious traffic.
IDS may be hardware based or software based, e.g. Snort.
Functions of IDS
– Monitoring and analyzing both user and system activities
– Analyzing system configurations and vulnerabilities
– Assessing system and file integrity
– Ability to recognize patterns typical of attacks
– Analysis of abnormal activity patterns
– Tracking user policy violations
Types of IDS
– Network Intrusion Detection Systems (NIDS) (Snort, ZoneAlarm)
– Host Intrusion Detection Systems (HIDS)
– System Integrity Verifier (SIV), e.g. Tripwire
– Log File Monitor (LFM)
– Honeypot: a fake deception server to trace and mislead the cracker; there are production and research honeypots.
VPN
A virtual private network is a private network that uses links across private or public networks, e.g. the Internet.
You must have the PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer Two Tunneling Protocol) to support a VPN; both are automatically installed on Windows Server 2003.
Configure a VPN server on Windows Server 2003.
Make a VPN client and connect via VPN.
Access Control (ACL)
Access control will not remove or even detect the existence of an infected program.
However, it will help your system resist infection by enabling intelligent permissions on files in a multi-user operating system environment on a user-by-user basis.
Attribute Manipulation (ACE)
To protect files from virus infection, early DOS computer users set their executable file permissions to read-only.
If the file could not be modified, a virus would be unable to infect it.
Virus programmers responded by adding code to the virus that reset the attributes to their original values.
This method of protection is of little value against today's viruses.
Attribute Manipulation (continued)
If administrator-level privileges are required to change a file's permissions, the virus cannot change these attributes when run from a regular user account.
Checksum Verification using FCS
A checksum or CRC is a mathematical verification of the data within a file.
It cannot actually detect file infection; it can only look for changes.
Used for error detection and error correction.
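Added example, not from the lecture notes: a checksum baseline and verification pass of the kind a system integrity verifier performs. Files are modelled as an in-memory path-to-bytes mapping (an assumption so the code runs offline), and SHA-256 is computed alongside the CRC the slide mentions because a CRC alone can be matched deliberately.

```python
"""Checksum verification of a file set against a clean baseline.

Added example, not from the lecture notes. Files are modelled as an in-memory
mapping of path -> bytes so it runs offline; for a real system read each path
with open(path, "rb"). SHA-256 is added alongside the CRC discussed on the slide.
"""
import hashlib
import zlib
from typing import Dict, List

Checksums = Dict[str, str]


def file_checksums(content: bytes) -> Checksums:
    """CRC-32 catches accidental corruption; SHA-256 also resists deliberate
    tampering, since producing a file with a chosen CRC-32 is easy."""
    return {
        "crc32": f"{zlib.crc32(content) & 0xFFFFFFFF:08x}",
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Checksums]:
    """Record checksums while the system is known to be clean."""
    return {path: file_checksums(data) for path, data in files.items()}


def verify(baseline: Dict[str, Checksums], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current file set with the baseline.

    A changed checksum only proves the file differs from the baseline; whether
    the change is an infection, a patch, or a legitimate edit needs a human or
    a signature scanner to decide.
    """
    report: Dict[str, List[str]] = {"changed": [], "missing": [], "new": []}
    for path, recorded in baseline.items():
        if path not in files:
            report["missing"].append(path)
        elif file_checksums(files[path]) != recorded:
            report["changed"].append(path)
    report["new"] = [path for path in files if path not in baseline]
    return {kind: sorted(paths) for kind, paths in report.items()}


# Constructed file set at baseline time (contents are placeholders, not real binaries).
CLEAN_FILES = {
    "bin/ls": b"\x7fELF-constructed-ls-binary\x00" * 4,
    "bin/cat": b"\x7fELF-constructed-cat-binary\x00" * 4,
    "etc/hosts": b"127.0.0.1 localhost\n",
}

# The same set later: bin/ls has code prepended (as a prepending file infector
# would do), etc/hosts is gone, and an unknown file has appeared.
LATER_FILES = {
    "bin/ls": b"CONSTRUCTED-PREPENDED-CODE" + CLEAN_FILES["bin/ls"],
    "bin/cat": CLEAN_FILES["bin/cat"],
    "tmp/unknown.bin": b"\x00\x01\x02",
}

BASELINE = build_baseline(CLEAN_FILES)


def sample_report() -> Dict[str, List[str]]:
    """Run the verification pass over the constructed 'later' file set."""
    return verify(BASELINE, LATER_FILES)


if __name__ == "__main__":
    for kind, paths in sample_report().items():
        print(f"{kind}: {paths}")
```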
Process Monitoring
Process monitoring observes system activity and intercepts anything that looks suspicious.
E.g., enabling BIOS antivirus intercepts all write attempts to the MBR.
The problem is that viruses and normal programs share many similar attributes, which makes viruses difficult to detect.
Virus Scanners/Detectors
The most popular way of detecting viruses is the use of virus-scanning software. It uses a signature file to locate viruses in infected files. A signature file is simply a database that lists all the known viruses, along with their attributes.
Anti-virus software is designed to "inoculate" computer systems against viruses, worms, and other malicious programs.
Virus scanners can only detect known viruses.
They are typically used in conjunction with firewall technology to protect individual computer systems as well as network domains in universities, and governmental and commercial organizations.
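Added example serving this slide and the polymorphic-virus slide above (not code from the lecture notes): a minimal signature scanner over constructed files, showing the exact-match signature hit, the single-byte variant it misses, and an entropy heuristic that flags an encrypted or packed body a signature cannot match. Signature names, patterns and file contents are all constructed.

```python
"""Signature-based virus scanning and its blind spot.

Added example, not from the lecture notes. The signature database and the
"infected" files are constructed byte strings, not real malware; the entropy
heuristic is one common way scanners raise suspicion about bodies that no
signature matches.
"""
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed signature file: a name and the byte pattern the scanner looks for.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("Constructed.A", bytes.fromhex("deadbeef4d5a900003")),
    ("Constructed.B", b"CONSTRUCTED-SAMPLE-B"),
]
ENTROPY_THRESHOLD = 7.0  # bits per byte; text is roughly 4-5, encrypted/packed data close to 8


def scan_bytes(content: bytes, signatures=SIGNATURES) -> Optional[str]:
    """Return the first signature name found in content, else None."""
    for name, pattern in signatures:
        if pattern in content:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; high values hint at an encrypted or packed body."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(content: bytes) -> str:
    """Signature match first; otherwise fall back to the entropy heuristic."""
    name = scan_bytes(content)
    if name is not None:
        return f"infected:{name}"
    if shannon_entropy(content) > ENTROPY_THRESHOLD:
        return "suspicious:high-entropy"
    return "clean"


def scan_files(files: Dict[str, bytes]) -> Dict[str, str]:
    return {path: classify(data) for path, data in files.items()}


# Constructed files. "variant.exe" differs from "tool.exe" by a single byte in
# the signature region, which is enough to defeat an exact-match signature:
# this is the false negative a polymorphic virus relies on.
SAMPLE_FILES = {
    "app/readme.txt": b"This is an ordinary text file. " * 8,
    "app/tool.exe": b"MZ" + b"\x00" * 16 + bytes.fromhex("deadbeef4d5a900003") + b"\x00" * 32,
    "app/variant.exe": b"MZ" + b"\x00" * 16 + bytes.fromhex("deadbeef4d5a900004") + b"\x00" * 32,
    "app/packed.exe": b"MZ" + bytes(range(256)) * 8,  # uniform bytes stand in for an encrypted body
}

if __name__ == "__main__":
    for path, verdict in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {verdict}")
```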
Types of Virus Scanners
On demand: must be initiated manually or through some automatic process. The system will contract the virus before it is detected.
Memory resident: programs that run in the background of a system. Can identify a virus before it infects the system.
Encryption Tools
Encryption is the technique used to convert the information in a message composed in ordinary text ("plaintext") into "ciphertext."
The use of data encryption or cryptography techniques in communicating sensitive information is not new.
Types of Encryption
In private-key encryption, both parties use the same encryption algorithm and the same private key.
Public-key cryptography uses two keys: one public and the other private.
Terminology
plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in the cipher, known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing the key
cryptology - the field of both cryptography and cryptanalysis
Encryption
If A wishes to communicate with B, A uses B's public key to encode the message.
That message can then only be decoded with B's private key, which is secret.
Similarly, when B responds to A, B uses A's public key to encrypt the message.
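The exchange above worked as an added example (not from the lecture notes) with textbook RSA: the primes, exponents and messages are constructed, and the scheme is unpadded and far too small to be secure; it shows only that a message encrypted under B's public key opens with B's private key and with nothing else.

```python
"""The A/B public-key exchange worked with textbook RSA.

Added example, not from the lecture notes. The primes are constructed and far
too small, and there is no padding, so this shows the key flow only and is
not a usable cipher.
"""
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public, private) = ((e, n), (d, n)) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: bytes, public: Key) -> List[int]:
    """One byte per block (needs n > 255). Unpadded RSA like this leaks equal blocks."""
    e, n = public
    return [pow(b, e, n) for b in message]


def decrypt(blocks: List[int], private: Key) -> bytes:
    """Recover the bytes; a wrong key typically yields values that are not bytes."""
    d, n = private
    values = [pow(c, d, n) for c in blocks]
    if any(v > 255 for v in values):
        raise ValueError("blocks do not decrypt to bytes under this key")
    return bytes(values)


def decrypts_to(blocks: List[int], private: Key, expected: bytes) -> bool:
    """True only if this private key recovers the expected plaintext."""
    try:
        return decrypt(blocks, private) == expected
    except ValueError:
        return False


# Constructed keys. B's pair uses the classic textbook primes p=61, q=53 (n=3233).
A_PUB, A_PRIV = make_keypair(101, 113)
B_PUB, B_PRIV = make_keypair(61, 53)


def exchange(a_to_b: bytes, b_to_a: bytes) -> Tuple[bytes, bytes]:
    """A encrypts with B's public key and B decrypts with B's private key;
    the reply goes the other way with A's keys."""
    c1 = encrypt(a_to_b, B_PUB)   # only B_PRIV can open this
    c2 = encrypt(b_to_a, A_PUB)   # only A_PRIV can open this
    return decrypt(c1, B_PRIV), decrypt(c2, A_PRIV)


if __name__ == "__main__":
    print(exchange(b"hello B", b"hello A"))
```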
Certificates and digital signatures
Anonymity Tools
Users want to secure the integrity and confidentiality of their electronic communications.
They also wish to protect their identity while engaging in on-line activities.
Anonymity tools such as the Anonymizer, and pseudonymity agents such as Lucent's Personalized Web Assistant, enable users to roam the Web either anonymously or pseudonymously.
Anonymity Tools (continued)
An individual is anonymous in cyberspace when that person is able to navigate the Internet in a way that his or her personal identity is not revealed, e.g., the user cannot be identified beyond certain technical information such as the user's IP (Internet Protocol) address, ISP, and so forth.
Tradeoffs Involving Computer Security
Can total security in cyberspace be achieved? More secure computer systems might also result in products that are more expensive. Would consumers be willing to spend more money for more secure computer systems?
The costs associated with computer security can be measured both in monetary and non-monetary terms (such as convenience and flexibility), because more secure systems might also be less user-friendly. This is an avoidance-approach conflict: on the one hand we want anonymity on the Internet, and on the other hand we want security against cybercrimes.
Seeking perfect security would make a system useless, because "anything worth doing requires some risk."
Computer Security and Risk Analysis
What is the acceptable level of risk in computer systems? How can we assess it?
Risk can be understood and assessed in terms of the net result of the impacts of five elements: Assets; Threats; Vulnerabilities; Impact; Safeguards.