Internet Security 1 (IntSi1) 1 Introduction
Prof. Dr. Peter Heinzmann, Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
Internet Security 1 (IntSi1) 1.1 What is Internet Security?
Definition of Information Security
• Information Security (ISO/IEC 27001:2005): Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
• Information Security (Wikipedia): Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• IT Security: IT Security is a subset of Information Security and is concerned with the protection of computers and/or protecting information by means of computers.
• Internet Security (Wikipedia): Internet Security is a branch of Computer Security specifically related to the Internet. Its objective is to establish rules and measures to use against attacks over the Internet.
Worldwide Criminal Potential in the Internet
[Figure: 2095 million Internet users (March 2011) vs. 850 million hosts (July 2011); the Internet connecting commerce and shops, ISPs, private homes, business and administration, and an example site xyz.ch]
What do you expect from Internet Security?
• ?
• ?
• ?
• ?
Security Elements: The CIA Triad + Extensions
• Confidentiality: Valuable information or sensitive data must be protected from unauthorized access.
• Integrity: Data must be protected from getting accidentally or mischievously changed, either in its storage location or during transmission.
• Availability: In a global business environment the server and communications infrastructure must be available on a 24/7 basis.
• Authenticity: In any electronic transaction the true identity of the communication partners (hosts/users) should be verifiable.
• Accountability (Non-Repudiation): There should be a provable association between an electronic transaction and the entity which initiated it.
Identifying the Security Elements
[Figure: an online transaction annotated with the security elements: authentication verifies the host, integrity protects data against change, confidentiality keeps information secret, availability (waiting for a response), and SSL/TLS makes it all possible]
Internet Security 1 (IntSi1) 1.2 Security Risks
Security Risk Analysis
[Figure: Risk = Value × Threat × Vulnerability; inputs: assets and values (data), threats, vulnerabilities, and the security measures applied to them]
[Figure: cost plotted against security level, from "unprotected" to "high level protection"; curves: cost of security measures (rising with the level), cost of incidents (falling with the level), overall cost (their sum, with a minimum in between); reference line: value of the system to be protected]
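The two relations on this slide, Risk = Value × Threat × Vulnerability and the overall-cost curve, worked through in code. This is an added example, not lecture material: the asset inventory, the diminishing-returns protection curve and the quadratic cost of measures are constructed assumptions chosen so that the cost curve has the U shape of the figure, and the optimum it finds is only meaningful for those inputs.

```python
"""Security risk analysis: Risk = Value * Threat * Vulnerability, and the
cost-vs-security-level trade-off. Added example, not part of the lecture;
all asset figures and cost parameters below are constructed."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # loss if the asset is compromised (currency units)
    threat: float         # expected attack attempts per year
    vulnerability: float  # probability that an attempt succeeds with no countermeasures


def risk(asset: Asset, protection: float = 0.0) -> float:
    """Expected yearly loss, i.e. the slide's Risk = Value x Threat x Vulnerability.

    `protection` in [0, 1] is the fraction of attempts the deployed measures stop,
    so the residual vulnerability is vulnerability * (1 - protection)."""
    if not 0.0 <= protection <= 1.0:
        raise ValueError("protection must lie in [0, 1]")
    return asset.value * asset.threat * asset.vulnerability * (1.0 - protection)


def protection_at(level: int, max_level: int) -> float:
    """Assumed diminishing-returns curve: level 0 stops nothing, max_level stops
    everything, and each additional level stops fewer of the remaining attacks."""
    return 1.0 - (1.0 - level / max_level) ** 2


def measure_cost(level: int, unit_cost: float) -> float:
    """Assumed cost of the measures needed for a level: grows quadratically."""
    return unit_cost * level ** 2


def incident_cost(assets: Iterable[Asset], level: int, max_level: int) -> float:
    """Cost of incidents: residual risk summed over all assets."""
    return sum(risk(a, protection_at(level, max_level)) for a in assets)


def overall_cost(assets: list, level: int, max_level: int, unit_cost: float) -> float:
    """The slide's overall cost curve: measures plus incidents."""
    return measure_cost(level, unit_cost) + incident_cost(assets, level, max_level)


def optimal_level(assets: list, max_level: int, unit_cost: float) -> int:
    """Security level with the lowest overall cost, i.e. the minimum of the
    U-shaped curve between 'unprotected' and 'high level protection'."""
    return min(range(max_level + 1),
               key=lambda lvl: overall_cost(assets, lvl, max_level, unit_cost))


# Constructed inventory for a small web business (illustrative numbers only).
ASSETS = [
    Asset("customer database", value=2_000_000, threat=12, vulnerability=0.05),
    Asset("web shop front end", value=500_000, threat=50, vulnerability=0.02),
]
MAX_LEVEL = 10        # discrete security levels, 0 = unprotected
UNIT_COST = 5_000     # cost parameter of the measures curve

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name}: unprotected risk {risk(a):,.0f} per year")
    best = optimal_level(ASSETS, MAX_LEVEL, UNIT_COST)
    for lvl in range(MAX_LEVEL + 1):
        mark = " <- optimum" if lvl == best else ""
        print(f"level {lvl:2d}: measures {measure_cost(lvl, UNIT_COST):>9,.0f}"
              f"  incidents {incident_cost(ASSETS, lvl, MAX_LEVEL):>11,.0f}"
              f"  overall {overall_cost(ASSETS, lvl, MAX_LEVEL, UNIT_COST):>11,.0f}{mark}")
```

With these inputs the unprotected risk is 1.7 million per year, spending the full 500,000 on level 10 removes it entirely, and the cheapest point is level 8 at about 388,000 overall: spending more than that on measures costs more than the incidents it prevents, which is the argument the cost curve makes.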
Internet Security 1 (IntSi1) 1.3 Security Threats
Vandals, Script Kiddies, Thieves and Spies
[Figure: attacker types plotted by motivation (curiosity, personal ego, personal profit, national interest) against expertise and resources (script kiddy, hacker / expert, professional): vandal, trespasser, author, thief, spy]
Attack Sophistication vs. Intruder Knowledge
[Figure: from 1980 to 2000 the sophistication of attacks rises from low to high while the technical knowledge required of intruders falls; techniques shown, roughly in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, network mgmt. diagnostics, distributed attack tools, burglaries, "stealth" / advanced scanning techniques, cross site scripting, staged, auto coordinated tools]
Internet Security Threat Situation in 2010 Source: Symantec
Trojan Horse hidden in Android App Source: Symantec
The Year 2010 in Numbers Source: Symantec
Global Threat Situation Today • New malicious code threats Source: Symantec
Global Threat Situation Today • Top Web-based attacks Source: Symantec
Global Threat Situation Today • Web browser plugin vulnerabilities Source: Symantec
Global Threat Situation Today • Malicious activity by country Source: Symantec
Global Threat Situation Today Source: Symantec
The Underground Economy
• Goods and services available for sale in the underground economy (Source: Symantec, January 2010)
[Figure annotation: fraud of 1600 $]
Denial of Service Attacks
• A Denial of Service (DoS) attack against a computer system makes the service unavailable to legitimate users.
• DoS is usually attempted by consuming CPU time, memory or network bandwidth of the target system or network.
• The original DoS attacks usually exploited bugs in a target platform, e.g. by sending malformed packets to a host (Ping of Death, WinNuke) in order to crash the system.
• Other classic DoS attacks:
  • SYN flood: send TCP connection requests with spoofed source IP addresses quickly, causing the server to reach its maximum number of half-open connections (countermeasure: SYN cookies).
  • Smurf attack: send ICMP ping requests to an IP broadcast address using the IP source address of the target, which then receives all ICMP ping replies.
• Today, assuming correctly configured hosts and networks, the threat from a single host to bring down a server is rather small.
Denial of Service: Ping Attack with IP Spoofing
[Figure: the attacker on the Internet sends pings to the broadcast address of the corporate network, behind its firewall, with the spoofed source address of the victim; every host on the corporate network answers the victim]
Distributed Denial of Service Attacks (DDoS)
[Figure: attacker controls handlers over a command & control channel, handlers control zombies, zombies send the attack traffic to the target]
Available DDoS tools: Trinoo, Tribe Flood Network, Stacheldraht
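The smurf pattern of the ping-attack figure above has two observable halves: an echo request from outside addressed to the directed-broadcast address of a local network (the amplifier) and a fan-in of echo replies at the spoofed victim. The detection logic below, an added example that is not part of the lecture, checks both over constructed flow records; the network 192.0.2.0/24, the record format and the threshold of five reply senders are assumptions.

```python
"""Detecting smurf amplification in flow records. Added example, not lecture
code; the corporate network, the record format and all flows are constructed."""
import ipaddress
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Corporate network that could be abused as an amplifier (constructed).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records: (src, dst, proto, icmp_type, packets).
FLOWS = [
    # attacker's echo request to the broadcast address, source spoofed to the victim
    ("203.0.113.5", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST, 1000),
    # every local host answers the victim
    *[(f"192.0.2.{i}", "203.0.113.5", "icmp", ICMP_ECHO_REPLY, 1000) for i in range(10, 16)],
    # benign traffic
    ("192.0.2.20", "192.0.2.21", "icmp", ICMP_ECHO_REQUEST, 4),
    ("192.0.2.21", "192.0.2.20", "icmp", ICMP_ECHO_REPLY, 4),
    ("192.0.2.20", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST, 1),   # local broadcast ping
    ("192.0.2.21", "198.51.100.9", "icmp", ICMP_ECHO_REPLY, 2),
    ("192.0.2.30", "198.51.100.80", "tcp", None, 57),
]


def amplifier_requests(flows, local_nets):
    """Echo requests to a local directed-broadcast address from a non-local
    source. The claimed source is the party that will receive the replies,
    i.e. the victim, so that is what gets returned."""
    victims = set()
    for src, dst, proto, icmp_type, _ in flows:
        if proto != "icmp" or icmp_type != ICMP_ECHO_REQUEST:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for net in local_nets:
            if d == net.broadcast_address and s not in net:
                victims.add(src)
    return victims


def reply_fan_in(flows, min_senders):
    """Destinations that receive echo replies from at least min_senders distinct
    hosts; a host that never pinged them is being flooded with answers."""
    senders = defaultdict(set)
    for src, dst, proto, icmp_type, _ in flows:
        if proto == "icmp" and icmp_type == ICMP_ECHO_REPLY:
            senders[dst].add(src)
    return {dst: len(s) for dst, s in senders.items() if len(s) >= min_senders}


def smurf_victims(flows, local_nets, min_senders=5):
    """Addresses seen both as spoofed source of a broadcast ping and as fan-in target."""
    return amplifier_requests(flows, local_nets) & set(reply_fan_in(flows, min_senders))


if __name__ == "__main__":
    print("broadcast pings from outside, claimed source:", amplifier_requests(FLOWS, LOCAL_NETS))
    print("reply fan-in (>= 5 senders):", reply_fan_in(FLOWS, 5))
    print("smurf victims:", smurf_victims(FLOWS, LOCAL_NETS))
```

The first half is also the thing to block: a border router that does not forward directed broadcasts (the default since RFC 2644) and hosts that ignore broadcast echo requests cannot be used as amplifiers, which is the "correctly configured hosts and networks" assumption made on the previous slide. The second half is what the victim's own network sees, so it is the check to keep even when your network is not the amplifier.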
Vulnerability of amazon.com's Internet Business
• Net sales in 2Q 2011: 9'910'000'000 $US
• Lost business due to one hour off the Internet: 4'600'000 $US
• U.S. server outage on June 6, 2008: 2 hours downtime due to human error
Many Hops to www.novartis.com
traceroute to www.novartis.com (164.109.68.201)
 1 edugw.zhwin.ch (160.85.160.1) Winterthur
 2 intfw.zhwin.ch (160.85.111.1)
 3 winfh1.zhwin.ch (160.85.105.1)
 4 swiEZ2-G2-9.switch.ch (130.59.36.157) Zurich
 5 swiIX1-10GE-1-1.switch.ch (130.59.36.250)
 6 zch-b1-geth3-1.telia.net (213.248.79.189)
 7 ffm-bb1-pos0-3-3.telia.net (213.248.79.185) Frankfurt
 8 prs-bb1-pos7-0-0.telia.net (213.248.64.110) Paris
 9 ldn-bb1-pos7-2-0.telia.net (213.248.64.10) London
10 nyk-bb1-pos0-2-0.telia.net (213.248.65.90) New York
11 nyk-b1-link.telia.net (213.248.82.14)
12 POS3-1.IG4.NYC4.ALTER.NET (208.192.177.29)
13 0.so-2-3-0.XL2.NYC4.ALTER.NET (152.63.19.242)
14 0.so-6-0-0.XL2.DCA6.ALTER.NET (152.63.38.74) Washington, D.C.
15 0.so-7-0-0.GW6.DCA6.ALTER.NET (152.63.41.225)
16 digex-gw.customer.alter.net (157.130.214.102)
17 gigabitethernet1-0.dca2c-fcor-rt2.netsrv.digex.net (164.109.3.10)
18 vlan28.dca2c-fdisc-sw1-msfc1.netsrv.digex.net (164.109.3.166)
19 164.109.92.14 (164.109.92.14)
20 164.109.68.201 (164.109.68.201)
Emerging Challenges
• Mobile Devices: loss of confidential data
• Embedded Systems: about 8 billion microcontrollers sold in 2006; usually no or only marginal security mechanisms
• Ubiquitous (pervasive) Computing: RFID (profiling)
• Home Automation: controllable over the Internet
Stuxnet attacks Industrial Control Equipment
• Targeted at Siemens Supervisory Control and Data Acquisition systems that control and monitor specific industrial processes.
• Stuxnet includes a Programmable Logic Controller (PLC) rootkit.
• Designed by a team of 5-10 professionals and meant to sabotage the Iranian uranium enrichment facility at Natanz.
Internet Security 1 (IntSi1) 1.4 Vulnerabilities
Vulnerabilities and Exposures
• A universal vulnerability is a state in a computing system (or set of systems) which either:
  • allows an attacker to execute commands as another user
  • allows an attacker to access data that is contrary to the specified access restrictions for that data
  • allows an attacker to pose as another entity
  • allows an attacker to conduct a denial of service
• An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
  • allows an attacker to conduct information gathering activities
  • allows an attacker to hide activities
  • includes a capability that behaves as expected, but can be easily compromised
  • is a primary point of entry that an attacker may attempt to use to gain access to the system or data
  • is considered a problem according to some reasonable security policy
Source: www.cve.mitre.org/about/terminology.html
Internet Security 1 (IntSi1) 1.5 Security Measures
Security Measures
• Organize (Plan): Set up a security policy, build awareness, analyze and classify security risks, decide on and implement security measures, define responsibilities, train staff periodically.
• Protect (Do): Encrypt stored data and transmitted information, use authentication in order to ensure data integrity, install patches, use and periodically check data backup mechanisms.
• Filter (Do): Limit access to systems and data by using strong authentication for users and hosts. Filter traffic by using firewalls and virus scanners.
• Combine (Do): Combine multiple security measures (multilevel / in-depth security).
• Monitor and Control (Act): Detect attacks (Intrusion Detection Systems, Honey Pots), run periodic security checks (Tiger Teams), react and correct.
Security Life Cycle
1: Security Policy (Why?)
2: Risk Analysis
3: Define measures
4: Implement measures
5: Control measures