1-1/29 Copyright © 2006 M. E. Kabay. All rights reserved. 08:15-09:00

INFORMATION WARFARE

Part 1: Fundamentals

Advanced Course in Engineering
2006 Cyber Security Boot Camp

Air Force Research Laboratory Information Directorate, Rome, NY

M. E. Kabay, PhD, CISSP-ISSMP
Assoc. Prof. Information Assurance
Program Direction, MSIA & BSIA
Division of Business & Management, Norwich University
Northfield, Vermont
mailto:mkabay@norwich.edu
V: 802.479.7937

Topics

08:00-08:15 Introductions & Overview
08:15-09:00 Fundamental Concepts
09:05-10:25 INFOWAR Theory
10:35-11:55 Case Histories & Scenarios

Part 1: Fundamental Concepts

- Fundamental Elements of INFOSEC
- Sources of Damage to IT
- Risk Categories
- Taxonomy for Computer Incidents

Fundamental Elements of INFOSEC:

Protect the 6 atomic elements of information security (not just 3):

- Confidentiality (C)
- Possession or control
- Integrity (I)
- Authenticity
- Availability (A)
- Utility

C-I-A marks the three elements of the classical triad; the other three (possession, authenticity, utility) are the ones the triad leaves out.

Confidentiality

- Restricting access to data
- Protecting against unauthorized disclosure of the existence of data
  E.g., allowing an industrial spy to deduce the nature of the clientele by looking at directory names
- Protecting against unauthorized disclosure of the details of data
  E.g., allowing a 13-yr-old girl to examine HIV+ records in a Florida clinic

Possession

- Control over information
- Preventing physical contact with data
  E.g., case of a thief who recorded ATM PINs by radio (but never looked at them)
- Preventing copying or unauthorized use of intellectual property
  E.g., violations by software pirates

Integrity

- Internal consistency, validity, fitness for use
- Avoiding physical corruption
  E.g., database pointers trashed or data garbled
- Avoiding logical corruption
  E.g., inconsistencies between the order header's total sale and the sum of the costs of the details

Authenticity

- Correspondence to intended meaning
- Avoiding nonsense
  E.g., part number field actually contains a cost
- Avoiding fraud
  E.g., sender’s name on an e-mail is changed to someone else’s
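The integrity and authenticity slides above each give a concrete data failure: a header total that no longer matches its line items (logical corruption) and a part-number field that holds a cost (a field that does not mean what its name promises). The following is an added example, not code from the slides or from the author: two record-level checks that catch those two failures on a constructed order record. The order layout, the Line/Order types and the part-number format are assumptions made for the example.

```python
# Added example (not from Kabay's slides): two record-level checks that catch
# the integrity and authenticity failures described on the slides above.
#   Integrity    -> logical corruption: order header total != sum of line costs
#   Authenticity -> a field that does not mean what its name says: the
#                   part-number field holds a cost
# The order layout and the part-number format are assumptions for this example.
from dataclasses import dataclass
from decimal import Decimal
import re

# Assumed part-number format: three upper-case letters, a dash, four digits.
PART_NUMBER = re.compile(r"^[A-Z]{3}-\d{4}$")


@dataclass
class Line:
    part_number: str
    qty: int
    unit_cost: Decimal


@dataclass
class Order:
    order_id: str
    header_total: Decimal   # total as stored in the order header
    lines: list             # list of Line


def check_integrity(order: Order) -> list:
    """Logical integrity: the header total must equal the sum of the details."""
    computed = sum((ln.qty * ln.unit_cost for ln in order.lines), Decimal("0"))
    if computed != order.header_total:
        return [f"{order.order_id}: header total {order.header_total} "
                f"!= sum of line costs {computed}"]
    return []


def check_authenticity(order: Order) -> list:
    """Authenticity: each field must carry the kind of value its name promises."""
    findings = []
    for idx, ln in enumerate(order.lines):
        if not PART_NUMBER.match(ln.part_number):
            findings.append(f"{order.order_id} line {idx}: part_number field holds "
                            f"{ln.part_number!r}, which is not a part number")
        if ln.qty <= 0 or ln.unit_cost < 0:
            findings.append(f"{order.order_id} line {idx}: qty/cost out of range")
    return findings


def audit(order: Order) -> dict:
    """Run both checks; empty lists mean the record passed."""
    return {"integrity": check_integrity(order),
            "authenticity": check_authenticity(order)}


# Constructed sample records for demonstration.
GOOD_ORDER = Order("ORD-0001", Decimal("125.00"), [
    Line("ABC-0001", 2, Decimal("50.00")),
    Line("XYZ-0042", 1, Decimal("25.00")),
])
# Header total was not updated after a line was added (logical corruption), and
# on the second line a cost was keyed into the part-number field.
BAD_ORDER = Order("ORD-0002", Decimal("100.00"), [
    Line("ABC-0001", 2, Decimal("50.00")),
    Line("49.99", 1, Decimal("49.99")),
])

if __name__ == "__main__":
    for order in (GOOD_ORDER, BAD_ORDER):
        print(order.order_id, audit(order))
```

The two checks are kept separate on purpose: the integrity check compares the record against itself, while the authenticity check compares each field against what the field is supposed to represent, which is why a record can pass one and fail the other.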

Availability

- Timely access to data
- Avoid delays
  E.g., prevent system crashes & arrange for recovery plans
- Avoid inconvenience
  E.g., prevent mislabelling of files

Utility

- Usefulness for specific purposes
- Avoid conversion to a less useful form
  E.g., replacing dollar amounts by their foreign-currency equivalent
- Prevent impenetrable coding
  E.g., employee encrypts source code and "forgets" the decryption key

Rough Guesses About Sources of Damage to IT

See CSH4 (Computer Security Handbook, 4th ed.), Ch. 4, “Studies and Surveys of Computer Crime.”

Also http://www2.norwich.edu/mkabay/methodology/crime_stats_methods.htm

Risk Categories*

- Physical attempts to gain control (physical intrusion)
- Electronic attempts to gain control (malicious hacking)
- Execution of arbitrary code (viruses, trojans, ActiveX, Java, ...)
- Spoofing (lying about who you are -- users, sites, devices)
- Eavesdropping (sniffing, wiretapping of data, passwords ...)

________

* ICSA Risk Framework

Risk Categories (Cont’d)

- Lack of knowledge / awareness (admin., users, outside errors)
- Lack of trust, confidence (IT, users, disgruntled… )
- Denial of service (down time: electronic DoS, disasters, reliability)
- Exploitation of user by site (privacy, swindles….)
- Exploitation of the data subject (privacy, confidentiality, non-user)
- Lack of interoperability

Taxonomy for Computer Security Incidents

- What is a Common Descriptive Language?
- What is a Taxonomy?
- Why a Language/Taxonomy for Computer Crime?
- The Model as a Whole
- Actions
- Targets
- Events
- Vulnerability
- Tool
- Unauthorized Result
- Objectives
- Attackers

What is a Common Descriptive Language?

- Set of terms that experts agree on in a field
- Clear definitions to the extent possible
  - Precise
  - Unambiguous
  - Easy to determine in the field
- A common language does not necessarily imply a causal or structural model
- Provides means of communication among experts
- Supports analysis

What is a Taxonomy?

- Structure relating terms in the common language
- Permits classification of phenomena
- Expresses (a) model(s) of the underlying phenomena
- Supports hypothesis-building
- Supports collection and analysis of statistical information

Why a Language/Taxonomy for Computer Crime?

Field of information assurance growing
- More people
- Less common experience
- Growing variability in meaning of terms

What’s wrong with ambiguous terminology?
- Can cause confusion – talking at cross-purposes
- Can mislead investigators and others
- Wastes time in clarification time after time
- Interferes with data-gathering
- Makes comparisons and tests difficult or impossible

The Model as a Whole (see full-page printout at end)

Actions

- Probe / scan
- Flood
- Authenticate / Bypass / Spoof
- Read / Copy / Steal
- Modify / Delete

Targets

Analyze the following real cases and identify the target(s) in the events:

- A criminal inserts a Trojan Horse into a production system; it logs keystrokes
- A criminal hacker defaces a Web page
- An attacker launches millions of spurious packets addressed to a particular e-commerce server
- The Morris Worm of November 1988 takes down 9,000 computers on the Internet

Events

An event consists of an action taken against a target

Analyze the following events in these terms:

- An 8-year-old kid examines all the ports on a Web server to see if any are unprotected
- A dishonest employee makes copies on a Zip disk of secret formulas for a new product
- A saboteur cuts the cables linking a company network to the Internet

Vulnerability

Vulnerability = a weakness

Distinguish among vulnerabilities due to
- Design
- Implementation
- Configuration

See National Vulnerability Database
- Thousands of vulnerabilities
- Classified by platform and version

National Vulnerability DB
http://nvd.nist.gov/

Tool

Means of exploiting a vulnerability
- Widely available on the Internet
- Exchanged at hacker meetings
  - 2600
  - L0pht (defunct)
- Discussed and demonstrated at black-hat and gray-hat conferences
  - DEFCON – Las Vegas
  - HACTIC – Netherlands

Many exploits usable by script kiddies and other poorly-trained hackers

Unauthorized Result

Many possible results; e.g., consider the results of these attacks:

- Someone installs a Remote Access Trojan called BO2K on a target system
- An e-mail-enabled worm (e.g., KLEZ) sends a copy of a confidential document to 592 strangers
- The Stacheldraht DDoS tool completely interdicts access to an e-commerce site
- A secret program installed by an employee uses all the “excess” CPU cycles in a corporate network for prime-number calculations

Objectives

Characteristics of the human beings involved in the attack

Different objectives define different labels:
- Criminal hacking
- Industrial espionage
- Industrial sabotage
- Information warfare

Attackers

Wide range of attributes (subject of chapter 6 in CSH4):
- Skill
- Ideology
- Gain

The Model as a Whole (again)
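The taxonomy slides above argue that a shared vocabulary (attacker, tool, vulnerability, action, target, unauthorized result, objective) is what makes incident data comparable and countable. The following is an added example, not code from the slides or from the author: it records incidents in exactly those terms, refuses records whose terms fall outside the agreed vocabulary, and tabulates them along any one dimension. The action, vulnerability and objective vocabularies are taken from the slides; the classification of the exercise cases from the Events and Targets slides is my own reading, not the author's answer key, and the free-text attacker, tool, target and result labels are constructed for the example.

```python
# Added example, not part of the slides: records incidents in the terms of the
# taxonomy above (attacker, tool, vulnerability, action, target, unauthorized
# result, objective) and tabulates them. The controlled vocabularies are taken
# from the slides; the classification of the exercise cases is my own reading,
# not the author's answer key.
from collections import Counter
from typing import NamedTuple

ACTIONS = {"probe", "scan", "flood", "authenticate", "bypass", "spoof",
           "read", "copy", "steal", "modify", "delete"}
VULNERABILITY_KINDS = {"design", "implementation", "configuration"}
OBJECTIVES = {"criminal hacking", "industrial espionage",
              "industrial sabotage", "information warfare"}


class Incident(NamedTuple):
    attacker: str
    tool: str
    vulnerability: str   # design / implementation / configuration
    action: str          # one of ACTIONS
    target: str
    result: str          # unauthorized result
    objective: str       # one of OBJECTIVES


def validate(incident: Incident) -> Incident:
    """Reject a record whose terms fall outside the agreed vocabulary, so that
    the counts below compare like with like (the slides' point about
    ambiguous terminology interfering with data-gathering)."""
    problems = []
    if incident.action not in ACTIONS:
        problems.append(f"unknown action {incident.action!r}")
    if incident.vulnerability not in VULNERABILITY_KINDS:
        problems.append(f"unknown vulnerability kind {incident.vulnerability!r}")
    if incident.objective not in OBJECTIVES:
        problems.append(f"unknown objective {incident.objective!r}")
    if problems:
        raise ValueError("; ".join(problems))
    return incident


def event(incident: Incident) -> str:
    """An event is an action taken against a target (Events slide)."""
    return f"{incident.action} -> {incident.target}"


def tabulate(incidents, dimension: str) -> Counter:
    """Frequency table over one dimension of the taxonomy."""
    return Counter(getattr(i, dimension) for i in incidents)


# Constructed classification of the slides' exercise cases (my reading).
SAMPLE = [validate(i) for i in (
    Incident("script kiddie", "port scanner", "configuration", "probe",
             "web server ports", "disclosure of information", "criminal hacking"),
    Incident("insider", "removable disk", "configuration", "copy",
             "secret formulas", "disclosure of information", "industrial espionage"),
    Incident("saboteur", "cable cutter", "design", "delete",
             "network link", "denial of service", "industrial sabotage"),
    Incident("criminal hacker", "DDoS tool", "design", "flood",
             "e-commerce server", "denial of service", "industrial sabotage"),
    Incident("criminal hacker", "web exploit", "implementation", "modify",
             "web page", "corruption of information", "criminal hacking"),
)]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(event(inc))
    for dim in ("action", "result", "objective"):
        print(dim, dict(tabulate(SAMPLE, dim)))
```

The validation step is the part that matters: a record that says "hack" instead of one of the agreed actions is refused rather than silently counted, which is the difference between a taxonomy and a pile of free-text incident reports.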

Resume at 09:05:03
