68-520 Intrusion Detection, Response, & Recovery Matthew A. Kwiatkowski mattk@anl.gov
Welcome • Instructor: Matt A. Kwiatkowski, MSIS • Email: mattk@anl.gov • Office Hours: • Before/After Class • Email
Syllabus • Let’s go over it!
Grading Scale • 92%+: A • 90-91%: A- • 87-89%: B+ • 83-86%: B • 80-82%: B- • 77-79%: C+ • 73-76%: C • 70-72%: C- • 65-69%: D+ • 60-64%: D • Below 60%: F • Note: This may change to your advantage
Class Introduction • What is your Networking/Security knowledge? • Where are you at in your Lewis career? • What are you most looking forward to in the class?
What is Security? • Like in the non-cyber "real" world: security is used to secure, protect, and prevent bad things from happening (or try to). • From Webster: security, noun (plural -ties), 15th century: • 1: the quality or state of being secure: a: freedom from danger: SAFETY; b: freedom from fear or anxiety; c: freedom from the prospect of being laid off <job security> • 2 a: something given, deposited, or pledged to make certain the fulfillment of an obligation; b: SURETY • 3: an evidence of debt or of ownership (as a stock certificate or bond) • 4 a: something that secures: PROTECTION; b (1): measures taken to guard against espionage or sabotage, crime, attack, or escape; (2): an organization or department whose task is security
What is Security? • Security activities are based on 3 types of actions: • Prevent: put protection measures/systems in place to protect assets and prevent unauthorized access. • Detect: detect whether an asset has been compromised, when, and by whom, and gather information on the type of breach committed, the attacker's activities, and the evidence (logs). • Act/React: take measures to recover from an attack, to stop an attack in progress, and to prevent the same type of attack from recurring.
Figure 1-1: CSI/FBI Computer Crime and Security Survey • How Bad is the Threat? • Survey conducted by the Computer Security Institute (http://www.gocsi.com). • Based on replies from 503 U.S. Computer Security Professionals. • If fewer than 20 firms reported quantified dollar losses, data for the threat are not shown.
Figure 1-2: Other Empirical Attack Data • Riptech • Analyzed 5.5 billion firewall log entries from 300 firms over a five-month period • Detected 128,678 attacks, an annual rate of about 1,000 per firm • Once virus traffic was excluded, only 39% of attacks were directed at the individual firm
Figure 1-2: Other Empirical Attack Data • Riptech • 23% of all firms experienced a highly aggressive attack in a 6-month period • Highly aggressive attacks were only one percent of all attacks, but they were 26 times more likely to do severe damage than even moderately sophisticated aggressive attacks
Figure 1-2: Other Empirical Attack Data • SecurityFocus • Attack Targets • 31 million Windows-specific attacks • 22 million UNIX/LINUX attacks • 7 million Cisco IOS attacks • All operating systems are attacked!
Figure 1-3: Attack Trends • Growing Incident Frequency • Incidents reported to the Computer Emergency Response Team/Coordination Center • 1997: 2,134 • 1998: 3,474 • 1999: 9,859 • 2000: 21,756 • 2001: 52,658 • 2002: 82,094 • 2003: 137,529
Figure 1-3: Attack Trends • Growing Randomness in Victim Selection • In the past, large firms were targeted • Now, targeting is increasingly random • No more security through obscurity for small firms and individuals • Appears that anyone on the Internet is now a target (Malware, Spyware, etc) • http://seclists.org/lists/alldas/2002/Oct/
Figure 1-3: Attack Trends • Growing Malevolence • Most early attacks were not malicious • Malicious attacks are becoming the norm • Identity Theft is a simple process to follow • How many of our family members are just not aware? • Wireless, Bluetooth, cell phones
Figure 1-3: Attack Trends • Growing Attack Automation • Attacks are automated rather than humanly directed • Essentially, viruses and worms are attack robots that travel among computers • They attack many computers in minutes or hours (mass destruction) • We have yet to see the Internet really fall to its knees.
Who are the Attackers??? • Elite Hackers • White hat hackers: break into a system but notify the firm or vendor of the vulnerability (this is still illegal) • Black hat hackers: do not hack to find and report vulnerabilities • Gray hat hackers: go back and forth between the two ways of hacking • Hack but with a code of ethics; codes of conduct are often amoral: "Do no harm," but delete log files, destroy security settings, etc. • Distrust of evil businesses and government • Still illegal • Deviant psychology and hacker groups reinforce deviance
One of the First • Kevin Mitnick • http://www.kevinmitnick.com/ • Radio Shack • Universities • Dumpster Diving • Social Engineering • How do you break into a phone switch? • http://www.2600.com/ • http://www.hackfaq.org/telephony-06.shtml • I wonder what he would say today about how hacking has taken off?
Who are the Attackers??? • Virus Writers and Releasers • Virus writers versus virus releasers • Someone finds a flaw in code and writes their own code to exploit the system. • It all starts with a human! • Only releasing viruses is punishable
Who are the Attackers??? • Script Kiddies • Use prewritten attack scripts (kiddie scripts) • Viewed as lamers and script kiddies • Large numbers make dangerous • Noise of kiddie script attacks masks more sophisticated attacks
Who are the Attackers??? • Criminals • Many attackers are ordinary garden-variety criminals • Credit card and identity theft • Side note on the threat to credit card numbers: how do attackers capture credit card information? By "sniffing" traffic? • How many of the audience worry when shopping online? How many of the audience have ever used a credit card to pay for a restaurant meal? How many have connected to Starbucks WiFi? • Stealing trade secrets (intellectual property) • Extortion
Who are the Attackers??? • Corporate Employees • Have access and knowledge • Financial theft • Theft of trade secrets (intellectual property) • Sabotage • Consultants and contractors • IT and security staff are the biggest danger
Who are the Attackers??? • Cyberterrorism and Cyberwar • New level of danger • Infrastructure destruction • Attacks on IT infrastructure • Use IT to attack physical infrastructure (energy, banks, etc.) • Simultaneous multi-pronged attacks • Cyberterrorism by terrorist groups versus cyberwar by national governments • Amateur information warfare
Framework for Attacks • Social Engineering: opening attachments, password theft, information theft • Physical Access Attacks: wiretapping, server hacking, vandalism • Dialog Attacks: eavesdropping, impersonation, message alteration • Penetration Attacks: malware (viruses, worms), denial of service, scanning (probing), break-in
Figure 1-6: Attacks and Defenses (Study Figure) • Physical Attacks: Access Control • Access control is the body of strategies and practices that a company uses to prevent improper access • Prioritize assets • Specify access control technology and procedures for each asset • This can be electronic: use access control to prevent certain traffic in • This can be physical: use locks to prevent physical access to devices. • side note: If an attacker gains physical access to a device: that device IS (or should be considered) compromised: no EXCEPTION!!!
Figure 1-6: Attacks and Defenses (Study Figure) • Site Access Attacks and Defenses • Wiretaps (including wireless LAN intrusions) • War-Driving (sitting in a parking lot outside the building) • War-Dialing (modems) • Hacking servers with physical access
Figure 1-6: Attacks and Defenses (Study Figure) • A slight variation of the access attack: Social Engineering • Tricking an employee into giving out information or taking an action that reduces security or harms a system • Opening an e-mail attachment that may contain a virus • Asking for a password while claiming to be someone with the right to know it • Asking for a file to be sent to you • Sending a CD with a nice label and an enticing title • Sending cool memory sticks as holiday presents
Figure 1-6: Attacks and Defenses (Study Figure) • Social Engineering Defenses • Training, Training and More Training • Enforcement through sanctions (punishment) • Becoming smarter from past mistakes or those of others.
Figure 1-6: Attacks and Defenses (Study Figure) • Dialog Attacks and Defenses • Eavesdropping • Encryption for Confidentiality • Imposters and Authentication • Cryptographic Systems
Figure 1-7: Eavesdropping on a Dialog • Client PC Bob sends "Hello" to server Alice • Attacker (Eve) intercepts and reads the messages
Figure 1-8: Encryption for Confidentiality • Bob encrypts the original message "Hello" into "100100110001" before sending • Attacker (Eve) intercepts "100100110001" but cannot read it • Alice decrypts it back to "Hello"
Figure 1-9: Impersonation and Authentication • Attacker (Eve) tells server Alice "I'm Bob" • Alice answers "Prove it!" and requires the claimant to authenticate itself before trusting the claim
Figure 1-10: Message Alteration • Bob and Alice exchange a message carrying "Balance = $1" • Attacker (Eve) intercepts the message and alters it so the other side receives "Balance = $1,000,000" (or the reverse)
Figure 1-11: Secure Dialog System • A secure dialog between client PC Bob and server Alice automatically handles negotiation of security options, authentication, encryption, and integrity • The attacker cannot read messages, alter messages, or impersonate either party
Figure 1-12: Network Penetration Attacks and Firewalls • An Internet attacker sends an attack packet toward the internal corporate network • The firewall drops the attack packet and records it in the log file • Legitimate packets are passed on to the hardened server and hardened client PC
Figure 1-14: Single-Message Break-In Attack • 1. The attacker sends a single break-in packet • 2. The server is taken over by that single message
Figure 1-15: Denial-of-Service (DoS) Flooding Attack • The attacker sends a message flood • The server is overloaded by the message flood
Figure 1-16: Intrusion Detection System (IDS) • 1. A suspicious packet arrives from the Internet attacker • 2. The IDS passes the suspicious packet on into the corporate network (it does not block) • 3. The IDS logs the suspicious packet to the log file • 4. The IDS raises an alarm to the network administrator
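Figures 1-12, 1-15 and 1-16 show the firewall dropping and logging, the flood overloading a server, and the IDS logging and alarming without blocking. The following is an added example, not code from the lecture, of what the IDS in Figure 1-16 does with a firewall log: it parses entries and raises two alarms, one for a source probing many ports (scanning) and one for a flow flooding one service (DoS). The log format, the IP addresses, and every log line are constructed for the example; the window sizes and thresholds are arbitrary tuning knobs.

```python
"""Toy network intrusion detection over firewall log lines.

Added example for Figures 1-12, 1-15 and 1-16; it is not code from the
lecture. The log format and all log lines below are constructed for the
example: "<epoch_seconds> <action> <src_ip> <dst_ip> <dst_port>".
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed traffic: one normal client, one host probing many ports
# (scanning), and one host flooding a single service (DoS).
_NORMAL_AND_SCAN = """\
1000 PASS 10.0.0.5 192.0.2.10 443
1001 PASS 10.0.0.5 192.0.2.10 443
1002 DROP 203.0.113.7 192.0.2.10 21
1002 DROP 203.0.113.7 192.0.2.10 22
1002 DROP 203.0.113.7 192.0.2.10 23
1003 DROP 203.0.113.7 192.0.2.10 25
1003 DROP 203.0.113.7 192.0.2.10 80
1003 PASS 203.0.113.7 192.0.2.10 443
1004 DROP 203.0.113.7 192.0.2.10 3389
1005 DROP 203.0.113.7 192.0.2.10 8080
"""
# 30 packets in two seconds to one web server, all passed by the firewall.
_FLOOD = "".join(f"{1010 + i // 15} PASS 198.51.100.9 192.0.2.10 80\n" for i in range(30))
SAMPLE_LOG = _NORMAL_AND_SCAN + _FLOOD


@dataclass(frozen=True)
class Event:
    ts: int
    action: str
    src: str
    dst: str
    dport: int


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport = line.split()
        events.append(Event(int(ts), action, src, dst, int(dport)))
    return events


def detect_scans(events, window=5, min_ports=5):
    """Flag sources that touch >= min_ports distinct ports within window seconds.

    Returns {src_ip: sorted list of probed ports}. PASS and DROP entries both
    count: the firewall only stops what it was told to stop, but the probe
    pattern is visible either way (Figure 1-16, step 2).
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = defaultdict(set)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):            # sliding time window [lo, hi]
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            ports = {e.dport for e in evs[lo:hi + 1]}
            if len(ports) >= min_ports:
                alerts[src] |= ports
    return {src: sorted(ports) for src, ports in alerts.items()}


def detect_floods(events, window=2, min_packets=20):
    """Flag (src, dst, dport) flows with >= min_packets packets in window seconds.

    Returns {flow: peak packet count seen in any window} (Figure 1-15).
    """
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e.src, e.dst, e.dport)].append(e.ts)
    alerts = {}
    for flow, times in by_flow.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= min_packets:
                alerts[flow] = max(alerts.get(flow, 0), count)
    return alerts


def run_ids(text):
    """Return the alarms (Figure 1-16, steps 3 and 4); the IDS itself blocks nothing."""
    events = parse_log(text)
    return {"scans": detect_scans(events), "floods": detect_floods(events)}


if __name__ == "__main__":
    for kind, found in run_ids(SAMPLE_LOG).items():
        for key, detail in found.items():
            print(f"ALERT {kind}: {key} -> {detail}")
```

Note that the scanner's probe of port 443 was passed by the firewall, so a defender who only reads the DROP lines would still see the scan but would miss the one packet that actually reached the server; the IDS correlates both. In a real deployment the thresholds would be tuned per network, and the "noise of kiddie script attacks" from the Script Kiddies slide is exactly what makes a threshold too low drown the administrator in alarms.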
What Are the Types of Security Threats? • Service Disruption and Interruption: compromises the service's availability • Interception: compromises the service's confidentiality • Modification: compromises the service's integrity • Fabrication: compromises the service's authenticity • Often you will see the security services summarized into 3 categories, C.I.A.: • Confidentiality • Integrity • Availability • In this model, authenticity is treated as a subset of integrity
What Are the Types of Security Threats? • These threats can be realized by two types of attacks: passive and active. • Passive Attacks • Attacks that do not modify the data (e.g. eavesdropping on a dialog) • Nothing visibly changes for the user, so layered systems (encryption, monitoring) must notice or prevent them • Active Attacks • Attacks that modify the data or the data flow (alteration, impersonation, disruption) • The effect is visible, so the user or the application must notice and verify (authentication, integrity checks)
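The dialog figures (1-7 to 1-11) and the passive/active split above can be put together in a few dozen lines. The following is an added example, not code from the lecture: Bob and Alice share a secret key and Eve does not. Confidentiality comes from a keystream built with HMAC-SHA256 in counter mode (a stand-in for a real cipher such as AES-GCM or TLS, chosen only because it needs nothing beyond the Python standard library); integrity and authentication come from an HMAC-SHA256 tag over the nonce and ciphertext (encrypt-then-MAC). The message contents, the key sizes and the helper names are all assumptions made for the example.

```python
"""Toy secure dialog for Figures 1-7 to 1-11 and the passive/active attack split.

Added example, not code from the lecture. Bob and Alice share a secret key;
Eve does not. Confidentiality uses a keystream built from HMAC-SHA256 in
counter mode (a teaching stand-in for a real cipher such as AES-GCM or TLS,
not for production use); integrity and authentication use HMAC-SHA256 over
nonce || ciphertext (encrypt-then-MAC). All messages are constructed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def derive_keys(master):
    """Split one shared secret into separate encryption and MAC keys."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter), block by block."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master, plaintext):
    """Encrypt then authenticate: returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master, packet):
    """Verify the tag first; return the plaintext, or None if the packet is not authentic."""
    enc_key, mac_key = derive_keys(master)
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def decrypt_without_mac(master, packet):
    """What a receiver that checks only confidentiality (no integrity) would accept."""
    enc_key, _ = derive_keys(master)
    nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_dialog():
    shared = secrets.token_bytes(32)          # known to Bob and Alice only
    message = b"Balance = $1"
    packet = seal(shared, message)             # Bob -> Alice (Figure 1-8)

    # Passive attack (Figure 1-7): Eve copies the wire. She sees nothing readable,
    # though the packet length still leaks how long the message is.
    eve_sees_plaintext = message in packet

    # Active attack (Figure 1-10): Eve guesses the plaintext layout and flips the
    # last digit. XOR stream ciphers are malleable, so without the tag the flip
    # lands exactly where she wants it.
    altered = bytearray(packet)
    altered[NONCE_LEN + len(message) - 1] ^= ord("1") ^ ord("9")
    altered = bytes(altered)

    # Impersonation (Figure 1-9): Eve claims "I'm Bob" but only has a guessed key.
    forged = seal(secrets.token_bytes(32), b"Balance = $1,000,000")

    return {
        "alice_reads": unseal(shared, packet),
        "eve_sees_plaintext": eve_sees_plaintext,
        "altered_without_mac": decrypt_without_mac(shared, altered),
        "altered_accepted": unseal(shared, altered) is not None,
        "impersonation_accepted": unseal(shared, forged) is not None,
    }


if __name__ == "__main__":
    for k, v in run_dialog().items():
        print(f"{k}: {v!r}")
```

The point of `decrypt_without_mac` is the one Figure 1-11 makes by listing integrity separately from encryption: encryption alone stops the passive attacker but not the active one, since Eve can change "$1" to "$9" without ever learning the key. The tag check in `unseal` is what turns both the alteration and the impersonation into rejected packets.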
Other References and Useful Resources • CERT – www.cert.org • SANS – www.sans.org • CIAC - http://www.ciac.org/ciac/ • NSA Guidelines - http://nsa2.www.conxion.com/ • Security Portal - http://securityportal.com/