Perspectives of Information Security Technology PITS CE54002-M


Presentation Transcript


    1. Perspectives of Information Security Technology (PITS) CE54002-M Week 2 Sept 2010 Slide 1

    2. Vulnerabilities / Threats / Attacks / Risks
       - Identify and understand the threats posed to information security
       - Identify and understand the more common attacks associated with those threats
       - Countermeasures

    3. Vulnerabilities / Threats / Attacks / Risks
       A Vulnerability is a weakness that could be exploited: in the picture, the crack in the wall. Example: the absence of antivirus software.
       - Technological vulnerabilities
       - Configuration vulnerabilities
       - Security policy vulnerabilities
       A Threat is something that could exploit that weakness: in the picture, the water on the other side of the wall crossing to where the man stands. Example: the existence of a particular virus.

    4. Risk
       A Risk exists when a threat and a corresponding vulnerability both exist: e.g. a particular virus on a system that has no antivirus software.
       An Attack is somebody (or another system) actually exploiting the vulnerability: in the picture, destroying the wall. Example: a computer sending an overwhelming number of messages to another system in order to block it.

    5. Understanding Risk

    6. Managing Risks

    7. Risk Management
       The process of assessing and quantifying risk and establishing an acceptable level of risk for the organisation.
       Risk Analysis considers:
       - Threats
       - Vulnerabilities
       - Countermeasures
       Risk can be mitigated, but cannot be eliminated.

    8. Risk Assessment
       - Risk assessment involves determining how likely each vulnerability is to be exploited, and so how much of a risk it poses to the organisation
       - Each vulnerability can be ranked on a scale (e.g. by likelihood and by impact)
       - Calculating the anticipated losses can help in determining the impact of a vulnerability

    9. Asset Identification
       Categories of assets:
       - Information Assets (people, hardware, software, systems)
       - Supporting Assets (facilities, utilities, services)
       - Critical Assets (can be either of those listed above)
       The attributes of the assets need to be compiled to determine each item's relative value:
       - How much revenue/profit does it generate?
       - What is the cost to replace it?
       - How difficult would it be to replace?
       - How quickly can it be replaced?

    10. Vulnerability Analysis
        - Defining and classifying network or system resources
        - Assigning relative levels of importance to the resources
        - Using vulnerability assessment procedures to collect intelligence about networks (internal and public-facing) and platforms (servers, desktops)
        - Identifying potential threats to each resource
        - Developing a strategy to deal with the most serious potential problems first
        - Defining and implementing ways to minimise the consequences if an attack occurs
        - Reporting on the status of vulnerabilities and remediation procedures

    11. Vulnerability Analysis
        Footprinting
        - Enables attackers to build a profile of an organisation's security posture
        - Footprinting is a useful exercise for an organisation to carry out on itself
        - Gather initial information
        - Determine the network range
        - Identify active machines
        Scanning
        - Discover open ports and access points
        - Fingerprint the operating system
        - Uncover services on ports
        - Map the network

    12. Footprinting checklist (How To)
        We can derive a checklist of what to footprint:
        - Scope: the whole organisation (e.g. BP) or a subsidiary? With more electronic interchange between companies, branches and subsidiaries there is more opportunity to choose a smaller scope.
        - The Internet-facing main "www" site: examine the information freely available about the company/organisation, and examine the HTML source for comments. This can be automated with a web spider (a program that crawls through a site) such as the shareware product Teleport Pro.
        - Look for internal resources reachable via a web browser. Outlook Web Access (OWA) is a good example: https://owa.rackspace.com/login.htm gets me to a web page asking for an email address and password. VPNs are another good example; we discuss SSL VPNs along with remote access later in the module.

    13. Scanning
        - The terms security scanner, vulnerability scanner and security vulnerability scanner all mean roughly the same thing; in the context of network security any such system may simply be called a scanner.
        - Vulnerability scanners frequently include port scanning: determining which ports are open (the host accepts the connection), which are closed (the host answers but refuses it) and which are filtered (no reply at all from the remote host, typically because a firewall drops the probe).
        - Vulnerability scanners are available both as free Internet downloads and as commercial products.
        - These tools compare the asset against a database of known vulnerabilities and produce a discovery report that exposes each vulnerability and assesses its severity.

    14. What does scanning achieve?
        - A vulnerability scanner scans a specified set of ports on a remote host and tests the service on each port for its known vulnerabilities.
        - Nessus is a remote security scanner: it is typically run on one machine to scan all the services offered by a remote machine, in order to determine whether the latter is safeguarded against known security exploits.
        - According to the information posted at http://www.nessus.org at the time: Nessus is the world's most popular vulnerability scanner and is used in over 75,000 organisations world-wide.
        - The Nessus vulnerability scanning system consists of a server and a client. The server performs the actual testing while the client provides configuration and reporting functionality.
        - I cannot show you this today but we can refer to the above website.
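The port-state classification described on slides 13 and 14, as an added example for these notes (not from the slides, and not how Nessus is implemented). A TCP connect scan tells the three states apart by what comes back: a completed handshake is open, a connection refused is closed, and silence until the timeout is filtered. The self-test starts its own listener on 127.0.0.1 so the script runs offline; the address 10.255.255.1 in the main block is only an illustration and what it returns depends on your network.

```python
"""TCP connect scan that classifies ports as open, closed or filtered.

Added example; not taken from the slides or from Nessus.  It only connects
to the addresses you pass in, and the self-test uses 127.0.0.1 only.
"""
import errno
import socket
import threading


def probe(host, port, timeout=1.0):
    """Classify one TCP port by attempting a full connection.

    open        : handshake completed, a service answered (SYN/ACK)
    closed      : host replied with RST (connection refused)
    filtered    : nothing came back before the timeout; the probe was
                  dropped, typically by a firewall
    unreachable : local routing says the host/network cannot be reached,
                  so nothing was learned about the port itself
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"           # anything else (e.g. no permission)
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe each port in turn and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def start_listener():
    """Start a throw-away TCP service on 127.0.0.1 so the self-test has an
    'open' port to find.  Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen(5)
    srv.settimeout(0.2)                 # lets the thread notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()            # accept and drop: enough for a probe
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def free_closed_port():
    """Find a port nothing listens on (a 'closed' port for the self-test)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_test():
    """Scan one open and one closed port on localhost and return the two
    states the scanner reports, in that order."""
    open_port, stop = start_listener()
    closed_port = free_closed_port()
    try:
        result = scan("127.0.0.1", [open_port, closed_port])
    finally:
        stop()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    print("localhost self-test (open, closed):", self_test())
    # A 'filtered' verdict needs a host that silently drops the probe; an
    # unrouted RFC 1918 address often behaves that way, but not everywhere.
    print("10.255.255.1:80 ->", probe("10.255.255.1", 80, timeout=2.0))
```

Note what a connect scan cannot do: it completes the handshake, so every open port it finds is logged by the service it touched, and it learns nothing about which service is listening until a banner is read. A vulnerability scanner builds the service tests on top of exactly this classification step.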

    15. Security vulnerabilities
        - Tend to involve insiders
        - Tend to involve human behaviour
        - Sometimes result from unwarranted assumptions
        - Often are due to design errors or an incomplete understanding of a system or technology

    16. Vulnerabilities in the Development Life Cycle
        - System conceptualisation: misassessment of the technology.
        - Requirements definition: erroneous, incomplete or inconsistent requirements.
        - System design: fundamental misconceptions or flaws.
        - Implementation: various errors.
        - Support systems: faulty or poor tools.
        - System analysis: false assumptions or erroneous models.
        - Testing: incomplete or erroneous testing.
        - Evolution: sloppy maintenance and upgrades.
        - Decommission: premature removal; removal of components used elsewhere.


    18. Acts of Human Error or Failure
        Includes acts performed without malicious intent:
        - Inexperience
        - Improper training
        - Incorrect assumptions
        Employees are among the greatest threats to data:
        - Revelation of classified data
        - Entry of erroneous data
        - Accidental data deletion or modification
        - Data storage in unprotected areas
        - Failure to protect information
        Many of these threats can be prevented with controls.

    19. Deliberate Acts of Espionage or Trespass
        - Access to protected information by unauthorised individuals
        - Competitive intelligence (legal) vs. industrial espionage (illegal)
        - Shoulder surfing can occur anywhere a person accesses confidential information
        - Controls let trespassers know they are encroaching on the organisation's cyberspace
        - Hackers use skill, guile or fraud to bypass the controls protecting others' information
        - Physical theft is controlled relatively easily
        - Electronic theft is a more complex problem; evidence of the crime is not readily apparent, since the original data is still in place

    20. Deviations in Quality of Service
        - Includes situations where products or services are not delivered as expected
        - An information system depends on many interdependent support systems
        - Internet service, communications and power irregularities dramatically affect the availability of information and systems
        - Internet service provider (ISP) failures can considerably undermine the availability of information
        - An outsourced Web hosting provider assumes responsibility for all Internet services as well as the hardware and the Web site operating system software

    21. The relationship between an information asset, the threats to it and their outcomes


    23. Attacks
        - An act or action that exploits a vulnerability (i.e. an identified weakness) in a controlled system
        - Accomplished by a threat agent which damages or steals the organisation's information

    24. Attacks (continued)
        - Malicious code: execution of viruses, worms, Trojan horses and active Web scripts with intent to destroy or steal information
        - Back door: gaining access to a system or network using a known or previously unknown/newly discovered access mechanism
        - Password crack: attempting to reverse or calculate a password, typically from a stolen password hash
        - Brute force: trying every possible combination of characters for the password
        - Dictionary: uses a list of commonly used passwords (the "dictionary"), often with simple variations, to guide the guesses
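The two password-cracking attacks on the slide, as an added example for these notes (not from the slides). The "stolen" records are constructed in the script from made-up accounts so it runs offline, and the storage scheme (salted SHA-256) is an assumption chosen to keep the example short, not a recommendation; a real system should use a deliberately slow function such as PBKDF2 or bcrypt, which is exactly what makes the brute-force count below hurt the attacker.

```python
"""Password cracking: dictionary attack with mangling rules, then brute force.

Added example; the victim records are constructed here and the hash scheme
(salted SHA-256) is an assumption for illustration only.
"""
import hashlib
import itertools
import string


def hash_password(password, salt):
    """Salted SHA-256 hex digest.  Fast, which is good for the attacker."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed victim records: (user, salt, hash).  The plaintexts appear only
# to build the sample; the attacker would hold just salt and hash.
STOLEN = [
    ("alice", "s1", hash_password("Summer2010!", "s1")),
    ("bob",   "s2", hash_password("letmein", "s2")),
    ("carol", "s3", hash_password("zzq", "s3")),
    ("dave",  "s4", hash_password("T7#kq9Lp2vRx", "s4")),
]

BASE_WORDS = ["password", "summer", "welcome", "letmein", "qwerty"]
SUFFIXES = ["", "1", "123", "!", "2009", "2010", "2010!", "2011"]


def mangle(word):
    """Yield the variations users commonly apply to a dictionary word."""
    for w in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield w + suffix


def dictionary_attack(salt, target, words=BASE_WORDS):
    """Return the password if a mangled dictionary word matches, else None."""
    for word in words:
        for candidate in mangle(word):
            if hash_password(candidate, salt) == target:
                return candidate
    return None


def brute_force(salt, target, charset=string.ascii_lowercase, max_len=3):
    """Try every string of length 1..max_len over charset; None if no hit."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate, salt) == target:
                return candidate
    return None


def keyspace(charset_size, length):
    """Number of candidates an exhaustive search up to `length` must cover."""
    return sum(charset_size ** n for n in range(1, length + 1))


def crack_all(records):
    """Cheap dictionary pass first, then a short brute force; {user: pw}."""
    found = {}
    for user, salt, target in records:
        pw = dictionary_attack(salt, target) or brute_force(salt, target)
        if pw is not None:
            found[user] = pw
    return found


if __name__ == "__main__":
    print("cracked:", crack_all(STOLEN))
    print("lowercase, up to 3 chars:", keyspace(26, 3), "candidates")
    print("printable ASCII, 12 chars:", keyspace(95, 12), "candidates")
```

Three of the four accounts fall: two to the dictionary with a capital letter and a year bolted on, one to a brute force that is trivial at three lowercase characters. The fourth survives only because 95^12 candidates is out of reach, and the per-candidate cost of the hash function is the defender's lever.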

    25. Attacks (continued)
        - Denial-of-service (DoS): the attacker sends a large number of connection or information requests to a target. The target system cannot handle them along with other, legitimate service requests; this may result in a system crash or an inability to perform its ordinary functions.
        - Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against the target from many locations simultaneously. Two cases reported in the press:
          http://www.zdnet.com/blog/security/coordinated-russia-vs-georgia-cyber-attack-in-progress/1670
          http://www.computerweekly.com/Articles/2009/03/13/235262/Kids-responsible-for-Estonia-attack.htm
        - Spoofing: a technique used to gain unauthorised access; the intruder forges packets so that they appear to come from a trusted IP address
        - Man-in-the-middle: the attacker sits on the path between two parties, monitors the network packets, modifies them and inserts them back into the network

    26. Attacks (continued)
        - Mail bombing: also a DoS; the attacker routes large quantities of e-mail to the target
        - Sniffers: a program or device that monitors data travelling over a network; can be used both for legitimate purposes and for stealing information from a network
        - Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker
        - Buffer overflow: an application error occurring when more data is written to a buffer than it can hold, so that adjacent memory (possibly including the program's control data) is overwritten
        - Timing attack: as used on this slide, exploring the contents of a Web browser's cache to create a malicious cookie; the term is used more generally for any attack that infers secret data from measurable differences in how long an operation takes

    27. Malware (Malicious Code)
        Malware is any software that runs on a computer system without the system owner's permission and with a purpose inimical to the owner's interests.
        Common parlance just tends to talk about computer viruses, but malware types include:
        - Worms
        - Viruses
        - Trojans
        - Rootkits
        - Keyloggers
        - Botnets

    28. Heterogeneous approach
        The opposite of a mono-OS estate. Many organisations run networks in which every machine runs one particular OS on one particular hardware platform. This makes it much easier for malware to be written against them and also eases its spread: one exploit works everywhere.

    29. Adware, Spyware and Rootkits
        - Adware is a variant of malware which usually consists of advertising pop-up windows that appear when a particular kind of activity is initiated on the computer.
        - Spyware is a more insidious variant which exists for two main reasons: to harvest personal information from a user in order to carry out identity theft, or to seize control of an individual's computer.
        - A rootkit is a collection of software and other artefacts that work together to conceal the presence of other software, processes or files.

    30. Keyloggers, Botnets
        - A keylogger is software (or hardware) that can record the keystrokes entered by a user at a computer terminal/keyboard. It might be benign, or at least sanctioned by management as a monitoring tool; it might be malicious. A possible payload of a Trojan, virus or worm.
        - A botnet is a collection of compromised computers under the control of someone other than the legitimate users of those computers. Often used for mass spamming; establishing a botnet is one of the aims of a number of viruses/worms/trojans.

    31. Botnets continued
        - Creating botnets has got easier with the widespread availability of bot construction toolkits: Agobot, Phatbot, XtremBot, etc.
        - A botnet would be constructed quietly and unobtrusively, then activated by a central command server sending out an appropriate signal.

    32. The Virus
        A small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:
        - It must execute itself. It often places its own code in the path of execution of another program.
        - It must replicate itself. For example, it may replace other executable files with a copy of the virus-infected file.
        Example (from the Wikipedia entry): Win32/Simile, aka Etap, dates from March 2002 and was written by "Mental Driller". It is an example of a metamorphic computer virus. When first executed it checks the current date; if the host file imports User32.dll then on the 17th of March, June, September or December it displays a message. It then rebuilds itself (this is the metamorphic part: the code is rewritten so that no fixed byte sequence survives from one generation to the next), then searches for new executables to infect.

    33. The Worm
        A worm is self-replicating malware that, unlike a classic virus, spreads without attaching itself to an existing program: it copies itself from machine to machine over the network, so it does not depend on a user running an infected file. E-mail is not its only carrier; instant messaging and Internet Relay Chat (IRC) are also common methods of worm spread. MyDoom was a particularly invasive mass-mailing worm in early 2004.

    34. Propagation is the problem
        Worms have proved able to infect large numbers of computers very rapidly. It turns out that the models used in (real) epidemic modelling provide good fits to computer virus and worm propagation. But even simple models have the power to scare:
        - The worm infects the first computer (1 computer infected).
        - It copies itself to two new computers (3 computers infected).
        - Each of these new copies in turn sends itself to two new computers (7 computers infected).
        - Next generation 15, then 31 computers infected.
        This very simple model does not take account of older worms still propagating.
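The slide's generation model, with the two things it leaves out put back in, as an added example for these notes (not from the slides). The naive model counts only the newest copies and never runs out of victims, so it grows without bound. The discrete SI (susceptible/infected) model keeps every infected host probing, but each probe only succeeds against the fraction of the population still susceptible, which is what gives the real-world S-shaped curve. The population size and contact rate are made-up parameters.

```python
"""Worm propagation: the slide's doubling model next to a finite-population
SI epidemic model.

Added example; parameters are illustrative, not measured from any worm.
"""


def naive_generations(generations, fanout=2):
    """Slide model: only the newest copies spread, each to `fanout` fresh
    hosts, and the pool of victims is unlimited.  Returns the cumulative
    infected count after each generation (1, 3, 7, 15, 31, ...)."""
    totals, total, new = [], 1, 1
    for _ in range(generations + 1):
        totals.append(total)
        new *= fanout
        total += new
    return totals


def si_epidemic(population, contacts_per_step, steps, initial=1):
    """Discrete SI model.  Every infected host makes `contacts_per_step`
    random contacts per step; a contact infects only if it lands on one
    of the S susceptible hosts, probability S/N.  Returns the infected
    count after each step, saturating at the population size."""
    infected = initial
    history = [infected]
    for _ in range(steps):
        susceptible = population - infected
        expected_new = infected * contacts_per_step * susceptible / population
        new = min(susceptible, round(expected_new))   # never exceed N
        infected += new
        history.append(infected)
    return history


def steps_to_fraction(population, contacts_per_step, fraction, limit=10_000):
    """First step at which at least `fraction` of the population is infected,
    or None if the epidemic stalls before reaching it."""
    for step, count in enumerate(si_epidemic(population, contacts_per_step, limit)):
        if count >= fraction * population:
            return step
    return None


if __name__ == "__main__":
    print("naive model, 10 generations:", naive_generations(10))
    print("SI model, N=1000, 2 contacts/step:", si_epidemic(1000, 2, 7))
    print("steps to infect half of 1000 hosts:", steps_to_fraction(1000, 2, 0.5))
```

Both curves look alike for the first few steps, which is why the simple model is a fair scare story; the difference is that the SI curve bends over as victims run out, and that bend is what lets the epidemic models fit measured worm data.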

    35. The Trojan
        - Software programs that hide their true nature, and reveal their designed nature only when activated.
        - "Trojan" has become a common term for something hidden within something else; in computer software terms, a virus hidden inside an apparently benign program.
        - Antivirus programs are typically configured to detect Trojans, and the term is commonly used to refer to non-replicating malicious programs.
        - Trojans are frequently disguised as helpful, interesting or necessary pieces of software, such as the readme.exe files often included with shareware or freeware packages.


    37. Spam and Phishing
        Spam
        - Unwanted e-mail
        - Similar abuses occur on other media, e.g. mobile phone messaging spam, blog spam, junk fax transmissions
        - http://voices.washingtonpost.com/securityfix/2008/11/spam_volumes_drop_by_23_after.html
        Phishing
        - Unwanted e-mail which pretends to be something else to trick you into replying and divulging personal information, e.g. a request from "your bank" to confirm your details

    38. Security through Obscurity
        - Using secrecy (of design, implementation, etc.) to provide security
        - Theoretical or actual security vulnerabilities remain; the owners or designers believe that the flaws are not known, and that attackers are unlikely to find them
        - The opposite is security by design
        - Should you disclose any vulnerability you find? See the Cisco vulnerability disclosure controversy ("TCP Vulnerabilities in Multiple IOS-Based Cisco Products"). If customers don't know about the holes, they can't put pressure on the vendors to fix them
        - Real-world projects include elements of both strategies

    39. Swire's Model
        From Peter Swire: whether it is a good idea to be open about your defences or to keep them hidden depends on the relative values of five measures:
        - E: effectiveness of the defensive feature at stopping the first attack
        - N: number of attacks
        - L: extent to which an attacker learns from previous attacks
        - C: extent of communication between attackers
        - A: extent to which defenders can alter the defensive feature before the next attack
        The value of "hiddenness" varies directly with E and A but inversely with N, L and C.

    40. Security by Obscurity is Bad
        When the values of N, L and C are large compared to A, the value of keeping things hidden is low (the value of E doesn't have much effect here). This is basically the case with cryptography as used to protect Internet communications and e-commerce. When attacking a cryptosystem an attacker:
        - has basically unlimited attacks (high N)
        - can potentially learn a lot from each attack (high L)
        - can rapidly disseminate this learning (high C)
        On the other hand, whilst your cryptosystem may have a high E, it will have a low (possibly very low) A: a deployed algorithm cannot be changed quickly. Hence security by obscurity is bad here.
        Note that a similar analysis shows why keeping your keys secret is a good idea: unlike the algorithm, a key can be replaced at once, so its A is very high.

    41. Security by Obscurity is Good
        Consider some camouflaged machine guns guarding a mountain pass. The attacker typically will have:
        - low N (how many of his troops are expendable?)
        - possibly high L
        - a value of C that is difficult to guesstimate
        The defender's tactic has high E and high A (machine guns can be readily moved). Hence security by obscurity is good here.
        Finding a good functional relationship between the various values for particular situations would be nice.....

    42. Countermeasures
        Spam countermeasures are:
        - Technical: filtering
        - Legal: enact laws banning it, and make sufficient funds available to law enforcement agencies
        - Political: negotiate with countries not having, or not enforcing, anti-spam legislation
        Antivirus software now typically covers many different kinds of malware, including worms and trojans, and is often bundled with further security functions such as a personal firewall.
        Antivirus relies heavily on virus signature files to defeat infection, but will also use other techniques such as heuristics (predicting behaviour) to catch "zero day" attacks (i.e. malware for which no definition yet exists).

    43. Countermeasures
        For an individual PC:
        - Close down all programs running on the computer
        - Disconnect the computer from the network if it is on a company network
        - Check that your antivirus software is running and up to date
        - Run a full antivirus system scan
        - Check the running processes on the PC and investigate anything suspicious
        After all that:
        - If you are no longer experiencing symptoms, reconnect to the network
        - Ensure the antivirus software is configured to continually scan and update
        - Use Windows Safe Mode for any of the above if the system is unusable

    44. Countermeasures
        Current anti-malware practice revolves around:
        - running firewalls
        - running anti-malware software
        - hygienic surfing
        Anti-malware depends on obtaining a copy of the malware:
        - the malware is analysed on a special (unconnected) machine or even a virtual machine (though there are some ways in which malware can attempt to detect whether it is running on a virtual machine or not)
        - a signature is generated for the malware
        - relevant files are scanned for the presence of the signature
        This is "after-the-event" disinfection rather than "before-the-event" immunisation.
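The signature cycle from slide 44 in miniature, as an added example for these notes (not from the slides, and not any vendor's engine): derive a signature from a captured sample, scan files for it, and see where it stops working. Two kinds of signature are compared: a whole-file hash, which a single changed byte defeats, and a distinctive byte pattern, which survives small edits but not the body re-encoding that a polymorphic or metamorphic virus (slide 32) performs on itself. The "malware", the "clean" files and the XOR re-encoding are all constructed stand-ins.

```python
"""Signature-based anti-malware: extract a signature from a captured sample,
scan for it, and show what defeats it.

Added example; the files are constructed byte strings and the XOR step is a
stand-in for a self-modifying virus rewriting its body between infections.
"""
import hashlib

# Constructed "captured sample": a fake PE header, a decoder stub, and a
# payload.  In practice this is what the isolated analysis machine yields.
CAPTURED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"\xe8\x00\x00\x00\x00\x5d\x81\xed\x06\x10\x40\x00"   # decoder stub
    + b"\x68\x63\x6d\x64\x00" + b"\x68\x2e\x65\x78\x65"      # push "cmd.exe"
    + b"payload-demo" + b"\x00" * 32
)

# Constructed clean files, used to make sure a signature is not too generic.
CLEAN_FILES = {
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"\x55\x8b\xec\x83\xec\x40" + b"hello" * 20,
    "readme.txt": b"This package is free; run readme.exe to get started.",
}


def whole_file_signature(data):
    """Signature type 1: hash of the entire file."""
    return hashlib.sha256(data).hexdigest()


def pattern_signature(sample, clean_corpus, length=16):
    """Signature type 2: the first `length`-byte window of the sample that is
    not mostly padding and occurs in no clean file.  None if nothing fits."""
    for start in range(len(sample) - length + 1):
        window = sample[start:start + length]
        if window.count(b"\x00") > length // 2:       # too generic
            continue
        if any(window in clean for clean in clean_corpus.values()):
            continue                                    # would false-positive
        return window
    return None


def scan(files, hash_sigs, pattern_sigs):
    """Return {filename: reason} for every file matching a signature."""
    hits = {}
    for name, data in files.items():
        if whole_file_signature(data) in hash_sigs:
            hits[name] = "hash match"
        elif any(sig in data for sig in pattern_sigs):
            hits[name] = "pattern match"
    return hits


def xor_recode(body, key):
    """Re-encode a body byte-wise.  A self-decoding virus prepends a stub that
    reverses this at runtime; a new key gives a new byte pattern each time."""
    return bytes(b ^ key for b in body)


def demo():
    """Build both signatures from the sample, then scan three variants of it
    plus the clean files.  Returns the scanner's verdicts."""
    hash_sigs = {whole_file_signature(CAPTURED_SAMPLE)}
    pattern_sigs = {pattern_signature(CAPTURED_SAMPLE, CLEAN_FILES)}

    exact = CAPTURED_SAMPLE
    tweaked = bytearray(CAPTURED_SAMPLE)
    tweaked[-1] ^= 0xFF                     # one padding byte changed
    tweaked = bytes(tweaked)
    header, body = CAPTURED_SAMPLE[:64], CAPTURED_SAMPLE[64:]
    recoded = header + xor_recode(body, 0x5A)   # body rewritten, header kept

    files = dict(CLEAN_FILES)
    files.update({"invoice.exe": exact, "invoice2.exe": tweaked, "invoice3.exe": recoded})
    return scan(files, hash_sigs, pattern_sigs)


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"{name}: {reason}")
```

The exact copy is caught by its hash, the one-byte variant only by the byte pattern, and the re-encoded variant by neither: until a copy of that generation is captured and analysed, no signature exists for it. That gap is the "after-the-event" limitation the slide describes and the reason slide 45 turns to behaviour-based detection.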

    45. Countermeasures
        New approaches:
        - Preda et al. 2005, "A Semantics Based Approach to Malware Detection": look for behaviour rather than static signatures
        - Sidiroglou and Keromytis 2005, "Countering Network Worms Through Automatic Patch Generation": speed up patch generation and provide vaccination against zero-day worms

    46. Summary: what steps can be taken?
        - The key to vulnerability protection is up-to-date software protection
        - As with your home PC, a business needs to treat this like an employee: it needs staff training and awareness
        - New threats are emerging all the time
