Internet Security 1 (IntSi1)
Transcript of Internet Security 1 (IntSi1)
ITA, 19.09.2011, 1-Introduction.pptx 1
Internet Security 1 (IntSi1)
Prof. Dr. Peter Heinzmann, Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
1 Introduction
1.1 What is Internet Security?
Definition of Information Security
• Information Security (ISO/IEC 27001:2005): Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
• Information Security (Wikipedia) = IT Security: Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• IT Security: IT Security is a subset of Information Security and is concerned with the protection of computers and/or protecting information by means of computers.
• Internet Security (Wikipedia): Internet Security is a branch of Computer Security specifically related to the Internet. Its objective is to establish rules and measures to use against attacks over the Internet.
Worldwide Criminal Potential in the Internet
[Figure: 2095 Mio Internet users (March '11) vs. 850 Mio hosts (July '11); the diagram groups the connected parties into ISPs, private homes, business and administration, and commerce and shops, with an example domain xyz.ch.]
What do you expect from Internet Security?
Security Elements: The CIA Triad + Extensions
• Confidentiality: Valuable information or sensitive data must be protected from unauthorized access.
• Integrity: Data must be protected from getting accidentally or mischievously changed either in its storage location or during transmission.
• Availability: In a global business environment the server and communications infrastructure must be available on a 24/7 basis.
• Authenticity: In any electronic transaction the true identity of the communication partners (hosts/users) should be verifiable.
• Accountability (Non-Repudiation): There should be a provable association between an electronic transaction and the entity which initiated it.
Identifying the Security Elements
[Figure: annotated web transaction, each security element mapped to what the user observes]
• Availability: waiting for response
• Integrity: protects data against change
• Confidentiality: keep information secret
• Authentication: verifies the host
• SSL/TLS: makes it all possible
1.2 Security Risks
Security Risk Analysis
[Figure: the risk model relates Threats, Vulnerabilities, Assets/Values, Data and Security measures. A cost diagram plots Cost against Security level (from "unprotected" to "high level protection") with three curves: Cost of incidents, Cost of security measures and Overall cost; the Value of the system to be protected is marked as a reference.]
Risk = Value × Threat × Vulnerability
1.3 Security Threats
Vandals, Script Kiddies, Thieves and Spies
[Figure: attacker types placed on two axes, Motivation (Curiosity, Personal Ego, Personal Profit, National Interest) and Expertise and Resources; the labelled types are Script Kiddy, Vandal, Hacker / Expert, Author, Trespasser, Thief, Spy and Professional.]
Attack Sophistication vs. Intruder Knowledge
[Figure: timeline 1980 to 2000 with two curves, the Technical Knowledge of Intruders and the Attack Sophistication of the available Tools, each ranging from Low to High. Techniques plotted along the timeline (as extracted, not in chronological order): "stealth" / advanced scanning techniques, denial of service, exploiting known vulnerabilities, disabling audits, automated probes/scans, cross site scripting, password guessing, self-replicating code, password cracking, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, www attacks, burglaries, network mgmt. diagnostics, distributed attack tools, staged and auto-coordinated attacks.]
Vandalism - Web Defacing
Internet Security Threat Situation in 2010
Source: Symantec
Trojan Horse hidden in Android App
Source: Symantec
The Year 2010 in Numbers
Source: Symantec
Global Threat Situation Today
• New malicious code threats
• Top Web-based attacks
• Web browser plugin vulnerabilities
• Malicious activity by country
Source: Symantec
The Underground Economy
• Goods and services available for sale in the underground economy
[Figure annotation: January 2010, fraud of 1600$]
Source: Symantec
Denial of Service Attacks
• A Denial of Service (DoS) attack against a computer system makes the service unavailable to legitimate users.
• DoS is usually attempted by consuming CPU time, memory or network bandwidth of the target system or network.
• The original DoS attacks usually exploited bugs in a target platform, e.g. by sending malformed packets to a host (Ping of Death, Winnuke) in order to crash the system.
• Other classic DoS attacks
  • SYN flood: send TCP connection requests with spoofed source IP addresses quickly, causing the server to reach its maximum number of half-open connections (counter measures: SYN cookies)
  • Smurf attack: send ICMP ping requests to an IP broadcast address using the IP source address of the target, which then receives all ICMP ping replies.
• Today, assuming correctly configured hosts and networks, the threat from a single host to bring down a server is rather small.
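The counter measure named above for SYN floods, SYN cookies, works by not storing a half-open connection at all: the server encodes the connection parameters into its own initial sequence number, and a SYN from a spoofed source that never completes the handshake costs the server nothing. The following is an added example, not course material or kernel code; it is modelled on the classic construction (a timestamp counter in the top 8 bits, an encoded MSS index in the low 24 bits, both bound to the 4-tuple by keyed hashes). The two HMAC keys, the MSS table and the 2-tick freshness window are constructed assumptions.

```python
"""Simplified SYN cookies: stateless SYN-ACK and ACK validation (added example)."""
import hmac
import hashlib
import struct
from collections import namedtuple

SECRET_1 = b"constructed-key-1"      # a real kernel draws these at random per boot
SECRET_2 = b"constructed-key-2"
MSS_TABLE = [536, 1300, 1440, 1460]  # MSS values that the 24-bit field can encode (assumed)
MAX_COOKIE_AGE = 2                   # accept cookies from the current and two previous ticks (assumed)

Syn = namedtuple("Syn", "saddr daddr sport dport seq mss")
Ack = namedtuple("Ack", "saddr daddr sport dport seq ack")


def _h(key, saddr, daddr, sport, dport, count=None):
    """32-bit keyed hash over the 4-tuple (plus the time counter for the second hash)."""
    msg = saddr.encode() + b"|" + daddr.encode() + struct.pack("!HH", sport, dport)
    if count is not None:
        msg += struct.pack("!I", count)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss):
    """Largest table entry that does not exceed the MSS the client announced."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN = h1 + client ISN + (count << 24) + ((h2 + mss_index) mod 2^24)."""
    count &= 0xFF
    h1 = _h(SECRET_1, saddr, daddr, sport, dport)
    h2 = _h(SECRET_2, saddr, daddr, sport, dport, count)
    low24 = (h2 + mss_index(mss)) & 0xFFFFFF
    return (h1 + client_isn + (count << 24) + low24) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now_count):
    """Return the encoded MSS if the cookie is genuine and fresh, otherwise None."""
    h1 = _h(SECRET_1, saddr, daddr, sport, dport)
    diff = (cookie - h1 - client_isn) & 0xFFFFFFFF   # strips h1 and the client ISN
    count = diff >> 24                               # counter tick the cookie was minted in
    if ((now_count & 0xFF) - count) & 0xFF > MAX_COOKIE_AGE:
        return None                                  # stale, or claims a future tick
    h2 = _h(SECRET_2, saddr, daddr, sport, dport, count)
    idx = (diff - h2) & 0xFFFFFF                     # only a genuine cookie yields a small index
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


def server_syn_ack(syn, now_count):
    """Stateless reply to a SYN: the cookie is the server ISN; no half-open entry is kept."""
    cookie = make_cookie(syn.saddr, syn.daddr, syn.sport, syn.dport, syn.seq, syn.mss, now_count)
    return cookie, (syn.seq + 1) & 0xFFFFFFFF


def server_accept_ack(ack, now_count):
    """Rebuild the connection from the final ACK alone (client ISN = seq-1, cookie = ack-1)."""
    client_isn = (ack.seq - 1) & 0xFFFFFFFF
    cookie = (ack.ack - 1) & 0xFFFFFFFF
    mss = check_cookie(ack.saddr, ack.daddr, ack.sport, ack.dport, client_isn, cookie, now_count)
    if mss is None:
        return None                                  # forged or expired: still no state allocated
    return {"client_isn": client_isn, "mss": mss}


def demo():
    """Constructed handshake of one honest client; spoofed SYNs never reach the ACK step."""
    syn = Syn("192.0.2.10", "198.51.100.5", 40000, 443, 1234567, 1460)
    srv_seq, srv_ack = server_syn_ack(syn, now_count=100)
    ack = Ack(syn.saddr, syn.daddr, syn.sport, syn.dport, srv_ack, (srv_seq + 1) & 0xFFFFFFFF)
    return server_accept_ack(ack, now_count=101)


if __name__ == "__main__":
    print(demo())
```

The cost of the scheme is visible in the code: only MSS values from a short table survive, and a cookie is honoured only within a few counter ticks, which is why real stacks enable SYN cookies only once the half-open queue is full rather than for every connection.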
Denial of Service – Ping Attack with IP Spoofing
[Figure: an Attacker on the Internet sends pings to the broadcast address of the Corporate Network (behind a Firewall) with the spoofed source address of the Victim, so the replies of all answering hosts go to the Victim.]
Distributed Denial of Service Attacks (DDoS)
TargetAttack
er
Zombie
Zombie
Zombie
Zombie
Handler
Handler
Control & Command
Attack TrafficAvailable DDoS Tools:Trinoo, Tribe Flood Network, Stacheldraht
Vulnerability of amazon.com’s Internet Business
• Net sales in 2Q 2011: 9’910’000’000 $US
• Lost business due to one hour off the Internet: 4’600’000 $US
• U.S. Server Outage on June 6, 2008: 2 hour downtime due to human error
Novartis – a Global Player
Many Hops to www.novartis.com
traceroute to www.novartis.com (164.109.68.201)
 1  edugw.zhwin.ch (160.85.160.1)                                      Winterthur
 2  intfw.zhwin.ch (160.85.111.1)
 3  winfh1.zhwin.ch (160.85.105.1)
 4  swiEZ2-G2-9.switch.ch (130.59.36.157)                              Zurich
 5  swiIX1-10GE-1-1.switch.ch (130.59.36.250)
 6  zch-b1-geth3-1.telia.net (213.248.79.189)
 7  ffm-bb1-pos0-3-3.telia.net (213.248.79.185)                        Frankfurt
 8  prs-bb1-pos7-0-0.telia.net (213.248.64.110)                        Paris
 9  ldn-bb1-pos7-2-0.telia.net (213.248.64.10)                         London
10  nyk-bb1-pos0-2-0.telia.net (213.248.65.90)                         New York
11  nyk-b1-link.telia.net (213.248.82.14)
12  POS3-1.IG4.NYC4.ALTER.NET (208.192.177.29)
13  0.so-2-3-0.XL2.NYC4.ALTER.NET (152.63.19.242)
14  0.so-6-0-0.XL2.DCA6.ALTER.NET (152.63.38.74)                       Washington, D.C.
15  0.so-7-0-0.GW6.DCA6.ALTER.NET (152.63.41.225)
16  digex-gw.customer.alter.net (157.130.214.102)
17  gigabitethernet1-0.dca2c-fcor-rt2.netsrv.digex.net (164.109.3.10)
18  vlan28.dca2c-fdisc-sw1-msfc1.netsrv.digex.net (164.109.3.166)
19  164.109.92.14 (164.109.92.14)
20  164.109.68.201 (164.109.68.201)
Emerging Challenges
• Mobile Devices
  • Loss of confidential data
• Embedded Systems
  • About 8 billion microcontrollers sold in 2006
  • Usually no or only marginal security mechanisms
• Ubiquitous (pervasive) Computing
  • RFID (profiling)
• Home Automation
  • Controllable over the Internet
Stuxnet attacks Industrial Control Equipment
• Targeted at Siemens Supervisory Control and Data Acquisition systems that control and monitor specific industrial processes.
• Stuxnet includes a Programmable Logic Controller (PLC) rootkit.
• Designed by a team of 5-10 professionals and meant to sabotage the Iranian uranium enrichment facility at Natanz.
1.4 Vulnerabilities
Vulnerabilities and Exposures
• A universal vulnerability is a state in a computing system (or set of systems) which either:
  • allows an attacker to execute commands as another user
  • allows an attacker to access data that is contrary to the specified access restrictions for that data
  • allows an attacker to pose as another entity
  • allows an attacker to conduct a denial of service
• An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
  • allows an attacker to conduct information gathering activities
  • allows an attacker to hide activities
  • includes a capability that behaves as expected, but can be easily compromised
  • is a primary point of entry that an attacker may attempt to use to gain access to the system or data
  • is considered a problem according to some reasonable security policy
Source: www.cve.mitre.org/about/terminology.html
Common Vulnerabilities and Exposures Database
NIST Statistics on Vulnerabilities with High Severity
1.5 Security Measures
Security Measures
• Organize (Plan): Set up a security policy, build awareness, analyze and classify security risks, decide on and implement security measures, define responsibilities, train staff periodically.
• Protect (Do): Encrypt stored data and transmitted information, use authentication in order to ensure data integrity, install patches, use and periodically check data backup mechanisms.
• Filter (Do): Limit physical access to systems and data by using strong authentication for users and hosts. Filter traffic by using firewalls and virus scanners.
• Combine (Do): Combine multiple security measures (multilevel / in-depth security).
• Monitor and Control (Act): Detect attacks (Intrusion Detection Systems, Honey Pot), run periodic security checks (Tiger Teams), react and correct.
Security Life Cycle
[Figure: cycle of five steps]
1: Security Policy (Why?)
2: Risk Analysis
3: Define measures
4: Implement measures
5: Control measures