INTRODUCTION
BCIS 4630 Fundamentals of IT Security
Dr. Andy Wu
Introduction
• What do we protect
• CIA
• Know thy enemy
• Hackers
• Script kiddies
• Hacker motivation
• The battle field
• Trend in attackers
• Tough job for good guys
Price of Security Breaches
• Loss of customer goodwill
• Bad publicity
• Interruption of production / downtime
• Loss of sales/business
• Litigation (wasting a lot of time and money)
• Competitors taking the upper hand
• Etc., etc.
• All of these mean loss of profit
Downtime Is Costly
Source: Shon Harris et al., Gray Hat Hacking
Information Is What We (They) Are After
• Information is a strategic asset to an organization.
• IT enables organizations to transform business practices and achieve competitive advantage.
• IT is only the means to deliver information.
• In this course I will use the terms “information security”, “information systems security”, “IT security”, and “computer security” interchangeably.
• But bear in mind our ultimate goal is to protect valuable information.
Confidentiality
• The protection of information within systems so that unauthorized people, programs, and processes cannot access that information.
• Sensitive information is protected against unauthorized disclosure.
• Encryption is a primary tool to ensure confidentiality.
Integrity
• The protection of information or processes from intentional or accidental unauthorized changes.
• Integrity ≠ business accuracy, logicalness, relevance, ethicalness, etc. of information
• Integrity = no unauthorized alteration
Protecting Integrity
• Need to protect the process or program used to manipulate information, e.g.,
  • Air traffic control systems
  • Social Security and welfare systems
  • Payroll systems
• Examples in database management systems
  • Entity integrity
  • Referential integrity
  • Transaction and rollback
• Cryptography (hash functions) is an important tool to verify integrity.
Availability
• The assurance that information and systems are accessible by authorized users whenever needed.
• Protected against denial-of-service (DoS) attacks and vandalism
• Protected against losses stemming from natural disasters or human errors and actions (this type probably is more common)
• Time can be of the essence for many information-related activities.
DAD Triad
• Disclosure
  • Unauthorized individuals gain access to confidential information
• Alteration
  • Data is modified through some unauthorized mechanism
• Denial
  • Authorized users cannot gain access to a system for legitimate purposes
• DAD activities may be malicious or accidental
Non-Repudiation
• Prevents the parties to a transaction from subsequently denying involvement in the transaction.
• Someone cannot deny that she did send a message, sign an electronic contract, etc.
• Public-key encryption (digital signature, to be exact) is instrumental to achieving non-repudiation.
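The Protecting Integrity slide says hash functions verify integrity, and the Non-Repudiation slide says a digital signature, not a hash, is what supports non-repudiation. The following Python is an added example (not from the course slides) that shows why: the payroll record, the keys and the tampered value are constructed, an HMAC stands in for a keyed integrity check, and the digital-signature step itself is not implemented.

```python
import hashlib
import hmac

# Constructed sample: a payroll record (cf. the slide's payroll-system example).
RECORD = b"employee=1042;amount=2500.00;period=2024-05"
TAMPERED = RECORD.replace(b"2500.00", b"9500.00")
# Hypothetical keys: one shared by payroll and the bank, one an attacker guesses.
SHARED_KEY = b"payroll-bank-shared-secret"
ATTACKER_KEY = b"guess"

def digest(data: bytes) -> str:
    """Integrity fingerprint: any change to the bytes changes the SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()

def integrity_ok(data: bytes, expected: str) -> bool:
    """Compare data with a digest stored out of the attacker's reach (e.g. a
    read-only baseline). If the digest can be rewritten along with the data,
    a plain hash proves nothing: the attacker simply recomputes it."""
    return hmac.compare_digest(digest(data), expected)

def tag(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256): without the key no one can forge a matching
    tag, so it protects integrity even when the tag travels with the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def tag_ok(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)

def demo() -> dict:
    """Run the checks and return the outcomes rather than printing them."""
    baseline = digest(RECORD)      # recorded when the record was created
    t = tag(SHARED_KEY, RECORD)    # sent along with the record
    return {
        "unchanged_hash_ok": integrity_ok(RECORD, baseline),
        "tampered_hash_fails": not integrity_ok(TAMPERED, baseline),
        # an attacker who can also replace the stored hash defeats the check
        "recomputed_hash_passes": integrity_ok(TAMPERED, digest(TAMPERED)),
        "tag_ok": tag_ok(SHARED_KEY, RECORD, t),
        "tampered_tag_fails": not tag_ok(SHARED_KEY, TAMPERED, t),
        # the attacker lacks SHARED_KEY, so a tag made with another key is rejected
        "forged_tag_rejected": not tag_ok(SHARED_KEY, TAMPERED, tag(ATTACKER_KEY, TAMPERED)),
        # both sender and receiver hold SHARED_KEY, so either could have made t:
        # an HMAC gives integrity but not non-repudiation. Proving to a third
        # party who sent the record needs a digital signature (a private key
        # only the sender holds), which is outside the standard library.
        "receiver_can_make_same_tag": tag(SHARED_KEY, RECORD) == t,
    }
```

Every entry returned by demo() is True; the last two together are the point of the slide: a keyed hash stops forgery by outsiders but cannot settle a dispute between the two key holders.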
Hacking
• The act of deliberately accessing computer systems and networks without authorization is called “hacking”.
• The term may also be used to refer to the act of exceeding one’s authority in a system.
Typical Hacker
• Young male in late 20s.
• Dress is casual: intellectual or humorous slogan T-shirts, jeans, running shoes, etc.
• “Outdoorsy”: hiking boots, khakis, chamois shirts, etc.
• Hates business attire.
• Reads Scientific American and Smithsonian.
• Attracted to ethnic, spicy, oriental, exotic foods.
• Anti-physical and avoids sports.
• Sports, if any, are almost always self-competitive and intellectual, involving concentration, stamina, and micro-motor skills.
Source: Schell et al., The Hacking of America.
Hacker Myths and Truths
• Myth: Hackers are computer addicts
• Truth: They’re more like “heavy users”
• Myth: Hackers have odd sleeping patterns
• Truth: 79% sleep sometime between 12AM and 8AM, for an average of 6.26 hours
• Myth: Hackers communicate only with their computers, not with other people
• Truth: Hackers spend considerable time during the week communicating with their colleagues.
Source: Schell et al., The Hacking of America.
Hacker Myths and Truths
• Myth: Hackers are a threat to network administrators
• Truth: Hacker convention attendees have considerable white hat skill sets.
• Divided views on hiring hackers as security professionals.
• Myth: Hackers are creative.
• Truth: This seems to be true.
Script Kiddies
• Download and run tools that others have developed.
• May not even know why and how the tools work.
• Generally not as interested in attacking specific targets.
• Look for any people or organizations that may not have patched a newly discovered vulnerability.
• At least 85 to 90% of the “unfriendly” activities on the Internet are probably carried out by these individuals.
• Do not underestimate the potential damage they can inflict despite their lower level of technical sophistication. These kids ain’t cute!
Traditional Hacker Motivations
• Feeling of addiction
• The urge of curiosity
• Boredom with the education system
• Enjoyment of the feeling of power
• Peer recognition
• Political acts
• What is missing?
Source: Taylor, Paul, Hackers: Crime in the Digital Sublime.
Hacker Motivation
• “Sutton’s Law”
• Alarming change: the serious attackers are out for specific purposes, with certain types of damage or fraud in mind.
• Some of them are becoming part of, or are hired by, the cyber-equivalent of the mafia.
Alarming Trend
Source: CERT
Change in Hacker Characteristics
• As the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased.
• The rise of non-affiliated intruders, including “script kiddies,” has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit.
What Does It Take to Be Secure
• Information security is more than a technical issue. It also involves:
  • Human
  • Organization
• It is a lot more than what the IT department can handle alone.
Taking Perspective on Security
• You have to cover all the bases, whereas an attacker only has to be really good at one thing to be successful.
• Your security is only as good as its weakest link.
• People are the weakest link in security.
Code-Red Worm (July 2001)
• On July 19, 2001, over 350,000 computers connected to the Internet were infected by the Code-Red worm. The incident took only 14 hours to occur.
• Damages caused by the worm (including variations of the worm released on later dates) exceeded $2.5 billion.
• The vulnerability exploited by the Code-Red worm had been known for a month.
Slammer Worm (January 2003)
• It exploited a buffer-overflow vulnerability in computers running Microsoft's SQL Server or Microsoft SQL Server Desktop Engine.
• This vulnerability was not new. It had been discovered in July 2002.
• Microsoft had released a patch for the vulnerability even before it was announced.
Security Is No Free Lunch
• Security can be looked at as a tradeoff between risks and benefits.
• Cost of implementing the security mechanism
• Tradeoff involves security versus costs of implementation, user convenience, business goals, etc.
Security Doesn’t Get Invited to Parties
• An important tradeoff involves user convenience.
• People are not born security-minded. They may not appreciate your help.
• Security often is an inconvenience to users.
• If your security measures inconvenience them enough, they will bypass or even undermine them.
• If users go out of their way to circumvent security, the system may be even more vulnerable.