Slide 1 of 49. E. Gelbstein, A. Kamal. Information Insecurity, Part I: The Problem.
Next slide: PgDn or Click. Previous slide: PgUp. To quit the presentation: Esc.

Information Insecurity
Part I: The Problem

Slide 2 of 49: Cyber-attacks are different
No need for physical contact with the victims
Easy to learn techniques and acquire tools
Small investment can cause massive economic damage
Many network operators and countries may be involved
When done subtly it leaves few or no traces
Easy for the players to hide
Inadequate cyberspace legislation

Slide 3 of 49: Today's seven major threats
1. State sanctioned information warfare
2. Information counter-intelligence
3. Cyber-terrorism
4. Cyber-organized crime
5. Information sabotage
6. Cyber-crime
7. Cyber-hooliganism

Slide 4 of 49: Cyberterror and Cyberwar
Question 1: What constitutes an act of war in cyberspace?
Question 2: What is cyber-terrorism?
Lack of definitions
Electromagnetic pulse
Attack on military networks / computers
Attack on critical civilian infrastructure (electricity, water, transport, hospitals)
Disruption of civil systems (tax, social security, banking)
Disinformation
Not IF but WHEN

Slide 5 of 49: Cybercriminals
Financial fraud
Theft of intellectual property
Money laundering
Unlicensed gambling
Pornography
Identity theft
Industrial (& other) espionage
Extortion
and many other…

Slide 6 of 49: Cyberhooligans
Spam
Synchronised DOS attack
Hijacking a computer
Disseminating virus/worm (without destructive payload)
Redirecting website traffic
Website spoofing
Website defacement
Activating intrusion detection

Slide 7 of 49: It all started with the invention of writing
Bronze Age cuneiform writing on clay tablet
Accounting document in which the pictures represent goods and the notches quantities
Mesopotamia, ± 6,000 years ago. Musée du Louvre, Paris
... and the need to keep secrets

Slide 8 of 49: Followed by more inventions
Paper
Printing
Books
Libraries
Photography
Phonograph
Photocopier
Scanner
Digital everything
Growing ease of copying (copyright issues)
... making increasing use of binary digits (bits)

Slide 9 of 49: Cyberspace: the world of bits
World Wide Web
Deep Web
Intranets
Extranets
Networks not using Internet technologies
OECD’s “OLIS”
Business to Business procurement (B2B)
Computer aided design done jointly by several companies
Satellite communications
Military communications
Railroad communications
Air traffic control
Nuclear utilities
400 million “users” and growing

Slide 10 of 49: What do we do in cyberspace?
Transaction (usually Mission Critical): E-commerce; Treasury, funds transfer; Stock Exchanges; Airline reservations; Procurement; Messaging
Analysis (some may be Mission Critical): Statistics; Data mining; Credit rating; Actuarial analysis; Business Intelligence; Situation Analysis
Process support (increasingly Mission Critical): Factory automation; Air traffic control; Utilities; Logistics and tracking; Accounting and payroll; Knowledge management
Publication (some may not be Mission Critical): Office automation; Wire services; e-publishing; Interactive databases; Publishing
Ever expanding lists of possibilities

Slide 11 of 49: The world of bits and atoms (1)
Scheduling: timetable
Scheduling: aircraft / trains, etc
Scheduling: maintenance
Scheduling: staff and crews
Calculating fuel requirements
Traffic control
Ticketing, fares and yield management
Passenger information systems
Modeling and traffic rerouting
etc.

Slide 12 of 49: The world of bits and atoms (2)
Robotic systems
Computer assisted manufacturing
Mass customization
Just in time logistics
Assembly line monitoring
Quality assurance and controls
etc.

Slide 13 of 49: The world of bits and atoms (3)
Electricity generation
Water treatment
7 days a week, 24 hours a day operations
Safety monitoring and controls
Environmental controls (for discharges)
Quality assurance and controls
Distribution management
etc.

Slide 14 of 49: And more: vital services
Emergency services
Hospitals
Education
Skills and knowledge intensive
I.T. is becoming a component in all of them

Slide 15 of 49: Crime and punishment
Codes of conduct and law recorded since the invention of writing
Humans are tool makers. Tools have always been used creatively in crime and war
Legislation develops less fast than technology and new forms of crime
Law enforcement is not a 100% answer
... particularly in cyberspace
Code of Hammurabi contains 282 proclamations (laws). Mesopotamia, ~3,300 years ago. Musée du Louvre, Paris

Slide 16 of 49: Types of cyber-attack
Computers and communications as tools: Breaking passwords; Decryption; Interception
Computers and communications as weapons: Malicious code; Disinformation; Sabotage; Smart weapons
Computers and communications as a target: Fraud; Extortion; Disruption; Espionage

Slide 17 of 49: Many forms of attack, many players
Everyone a target
Every system a challenge
No need for physical contact
Few, if any, traces left
Inadequate or non-existent legislation

Slide 18 of 49: Attack trends: malicious code
Source: CERT, Computer Emergency Response Team, April 2002, at Carnegie Mellon University, www.cert.org

Vulnerabilities reported to CERT
Year             1995  1996  1997  1998  1999  2000  2001
Vulnerabilities   171   345   311   262   417  1090  2437

Number of incidents reported to CERT
Year                1988  1989  1990  1991  1992  1993   1994
Incidents reported     6   132   252   406   773  1334   2340
Year                1995  1996  1997  1998  1999  2000   2001
Incidents reported  2402  2573  2134  3734  9859  21756  52658

Slide 19 of 49: Economic Impact (1)
Average bank holdup: $14,000
Average computer theft: $2,000,000
Source: Association of Certified Fraud Examiners (U.S.A.), 2000

Slide 20 of 49: Economic Impact (2)
CODE RED (a worm) infected 360,000 web servers in the first 14 hours
It then spread around the world in 48 hours
Source: Computer Economics Inc, 2000
The bad news: CODE RED and NIMDA had no destructive payload and are seen as “proof of concept” for future designs

Slide 21 of 49: Economic Impact (3)
Estimated cost of virus and worm infections in 2001 – 17 billion US dollars to
• clean malicious software from all equipment
• restore lost and damaged data
• help end users and clients
• test and return systems to normal operations
• loss of productivity as a result of downtime
Assumes 1 person-minute = 1 $

Slide 22 of 49: The Players – by organization
Individual users
Small businesses
Large enterprises and organizations
National government and legislation
Vendors and service providers
Higher education
Critical infrastructures
International organizations

Slide 23 of 49: Critical infrastructures
Oil refineries and distribution depots
Airlines and air traffic control
Banking and financial services
Power generation and distribution
Pipelines
Water purification and distribution
IXPs
Public transport
Emergency services
Fixed and mobile telecommunications

Slide 24 of 49: Public domain information
Some of these Exchanges are not secure facilities

Slide 25 of 49: so far, just fun
www.turnofftheinternet.com

Slide 26 of 49: Special responsibilities: CRITICAL INFRASTRUCTURES
Ensure computing is highly secure
Monitor and deal with vulnerabilities continually
Maintain effective boundaries with the Internet
Employ qualified and trained I.T. security personnel
Manage interdependencies with other critical infrastructures
Share information with other critical infrastructures
Have ready disaster recovery and crisis management plans
Seek, obtain and maintain security certification

Slide 27 of 49: Special responsibilities: NATIONAL GOVERNMENT AND LEGISLATION
Implement national security programs
Promote standards and best practices
Ensure clear definition of accountability and oversight
Conduct security audits of government agencies
Provide adequate funding for information security
Recruit, train and retain qualified I.T. security personnel
Conduct awareness programs for government employees
Make arrangements for reporting security incidents
Have warning, analysis, incident response and recovery procedures

Slide 28 of 49: Special responsibilities: INTERNATIONAL ORGANIZATIONS
Encourage international standards for information security
Develop mechanisms for international cooperation
Develop appropriate governance of cyberspace
Create effective mechanisms for sharing information

Slide 29 of 49: Special responsibilities: VENDORS AND SERVICE PROVIDERS
Balance “time to market” against product vulnerabilities
Protect the interests of customers by providing alerts, patches, fixes and upgrades, and by performing more functions for them
Liaise with User Groups and others to reduce vulnerabilities
Develop fair terms and conditions of software licences that do not absolve vendors from responsibility and liability
Collaborate in the pursuit of cyber-attackers by providing access to records, logs and data

Slide 30 of 49: Special responsibilities: LARGE ENTERPRISES AND ORGANIZATIONS
Establish clear responsibility for information security and appropriate reporting lines
The CEO, the Board and the Auditors should know about standards, best practices and self-evaluation
Establish enterprise-wide security policies including what should be disclosed to the Board, stakeholders, auditors, etc
Implement employee awareness programs
Manage insider threats (and balance risk vs. employee privacy)
Have appropriate risk management and insurance cover
Have working arrangements to report security incidents

Slide 31 of 49: Special responsibilities: HIGHER EDUCATION
Take steps to prevent attacks originating within Institutions
Protect critical information from external and internal attack
Organize for security as a shared concern with other Institutions worldwide

Slide 32 of 49: Special responsibilities: SMALL BUSINESSES AND INDIVIDUALS
Be aware of cyber-security issues and of how to deal with vulnerabilities and incidents
Be aware of the security issues of new technologies such as ADSL, wireless connectivity, etc
Require vendors to disclose risks
Need for Internet Service Providers to perform more cyber-security functions for home users?

Slide 33 of 49: The Players – by nature
GOOD GUYS: Responsible end-users; Security administrators; Security managers; Internal auditors; Security coordinators; Providers of security alerts; Ethical hackers
BAD GUYS: Malicious insiders; Script kiddies; Hackers, crackers, phreakers; Hacktivists; Spies (industrial and other); Organised crime; Cyber-terrorists
VERY SPECIAL GUYS: Vendors; Security auditors; Security consultants; Legislators
and many more

Slide 34 of 49: The Bad Guys
Knowledge
Access
Motivation
Malicious insiders
Script kiddies
Hackers, crackers, phreakers
Hacktivists
Spies (industrial and other)
Organised crime
Cyber-terrorists

Slide 35 of 49: ACCESS mechanisms
OFFICIAL: Authorized insiders; Rights of former personnel (should have been removed)
UNOFFICIAL: Disclosure by insiders; Abuse of insider knowledge; Abuse of presence as visitor; Theft of ID and password; Newly discovered vulnerabilities; Hacker club disclosures; Forced entry (password breaker)

Slide 36 of 49: Knowledge sources
Shared through hacker groups and conferences
Obtained by following public discussions on product vulnerabilities
Privileged insider knowledge
Buying commercially available hacking tools
Virus, worm and other malicious code design
What motivates the Bad Guys (1)
nuisances
Script Kiddies
Ethical HackersIndividual copyright violators
HacktivistsCyber-hooligansEmulate the “big boys”
ego-trip Deny service (sit-in)Make themselves heardCause embarrassmentMaliceGain publicity
Defy authoritySafely break the lawMinor financial gain
Show how smart they areIdentify vulnerabilities = fun
Many become security consultants

Slide 39 of 49: What motivates the Bad Guys (2)
Industrial (and other) spies
Business copyright violators
Non-ethical Hackers (crackers)
Virus and worm designers

Almost always MONEY
“Just because it’s there”
Test new ways to spread malicious code
Cause loss or corruption of data
Steal IDs and passwords
Impersonation and spoofing
Steal credit card and similar data
Sabotage, etc
Low risk of detection and punishment

Slide 40 of 49: What motivates the Bad Guys (3)
Malicious insider:
Strong personal animosity towards a person
Grudge against employer
Criminal intent: fraud, extortion, theft, corruption of data, sabotage, etc
Low risk of detection and punishment

Organized crime:
New areas of opportunity, globally
Ease of hiding in cyberspace
Ease of establishing global networks
Lack of legislation and jurisdiction
Interpol, Europol, FBI, Chambers of Commerce and many others organizing to fight it

Slide 41 of 49: What motivates the Bad Guys (4)
Cyber-terrorists: driven by ideology
Ease of establishing global networks
Ability to hide in cyberspace
Lack of legislation and jurisdiction
Richness of opportunity
Availability and low cost of resources needed
Impact of successful attacks
Visibility

Slide 42 of 49: Hiding in cyber-space (1)
Encryption: voice, fax and data communications; e-mail; stored data; in public postings
(example) XWR2T P5%WZ $E#GT
Digital compression
(example) LLVWLSHVBNRMVDFRMTHTXT
Steganography: message bits are mixed with the bits defining the image
Source: Dorothy Denning and William Baugh, Information, Communication and Society, 1999
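As an added illustration of the steganography line above (this code is not from the slides), the block below embeds a message one bit per pixel into the least-significant bits of a constructed greyscale image and recovers it, showing why an LSB-carrier looks unchanged: no pixel value moves by more than one level. The carrier, the length-prefix layout and the helper names are all assumptions made for the demo.

```python
# Added example, not from the Gelbstein/Kamal slides: least-significant-bit
# (LSB) steganography on a constructed 8-bit greyscale "image", showing how
# message bits are mixed into the bits that define the picture and why the
# carrier is indistinguishable to the eye. Pixel data is a plain list of
# ints here; a real carrier would be decoded from an image file.
import random
from typing import List


def bits_of(data: bytes) -> List[int]:
    """Big-endian list of bits for a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def embed_lsb(pixels: List[int], message: bytes) -> List[int]:
    """Copy of pixels with a length-prefixed message in the LSBs.

    One message bit replaces the lowest bit of one pixel, so no pixel
    value moves by more than 1 (out of 256 levels)."""
    payload = len(message).to_bytes(4, "big") + message  # assumed layout
    bits = bits_of(payload)
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for message")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # keep the 7 high bits, swap the LSB
    return out


def extract_lsb(pixels: List[int]) -> bytes:
    """Read the LSB plane back: 4-byte length, then that many bytes."""
    def read_int(n_bytes: int, start: int) -> int:
        value = 0
        for i in range(n_bytes * 8):
            value = (value << 1) | (pixels[start + i] & 1)
        return value
    length = read_int(4, 0)
    return bytes(read_int(1, 32 + 8 * k) for k in range(length))


def max_pixel_change(a: List[int], b: List[int]) -> int:
    """Largest per-pixel difference between two same-sized images."""
    return max(abs(x - y) for x, y in zip(a, b))


def changed_pixels(a: List[int], b: List[int]) -> int:
    """Pixels that differ at all; a pixel whose LSB already equalled the
    message bit is untouched, so roughly half of the used pixels change."""
    return sum(1 for x, y in zip(a, b) if x != y)


# Constructed carrier: a 64x64 gradient with a little seeded noise.
random.seed(7)
CARRIER = [max(0, min(255, (i % 64) * 4 + random.randint(-2, 2)))
           for i in range(64 * 64)]


def demo(message: bytes = b"demo message") -> tuple:
    """Embed, extract, and report the largest pixel change."""
    stego = embed_lsb(CARRIER, message)
    return extract_lsb(stego), max_pixel_change(CARRIER, stego)


if __name__ == "__main__":
    recovered, delta = demo()
    print(recovered, "max pixel change:", delta)
```

Detection tooling works on the other side of the same property: it looks at the statistics of the LSB plane rather than at the picture, since the eye cannot see a one-level change.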

Slide 43 of 49: Hiding in cyber-space (2)
Use of passwords
Hiding information in remote servers
Disabling audit logs in servers
Anonymity: anonymous remailers; anonymous digital cash; computer penetration and looping; cellphone cloning; cellphone pre-paid cards
Nobody knows who you are
Nobody knows where you are

Slide 44 of 49: Offences – forms of attack
CATEGORIES
Data-related: Interception; Modification; Theft
Network-related: Interference; Sabotage; Anonymity
Access-related: Hacking; Malicious code distribution
Computer-related: Aiding and abetting cyber-criminals; Fraud, embezzlement; Forgery

Slide 45 of 49: Network-related offences
Interference: Denial of service; Control of a server or network devices; Using a trusted network to access another network; “Sniffing” traffic; Hoaxes
Sabotage: Physical disconnection or damage; Corruption of Domain Name Servers; Attack on an Internet Exchange Point (IXP); Attack on a critical infrastructure
Anonymity: Stolen and cloned cellphones; Hijacking the ID and password of a legitimate network user

Slide 46 of 49: Data-related offences
Interception: Voice and fax; e-mail; Data transfers (fixed and mobile)
Modification: Defacement of a website; e-mail spoofing and impersonation; Database and document contents; Commercial transactions
Theft: Intellectual property; Personal data; User IDs and passwords; Non-public domain information

Slide 47 of 49: Access-related offences
Hacking: Unauthorized access to networks and computer systems; Use of electronic services without payment; Deleting and/or destroying data; Disclosure of security weaknesses found and how to overcome them; Invasion of privacy
Distribution of malicious code: To launch a distributed denial of service attack; To slow down / close down a network (worm); To corrupt servers and data (virus and/or worm); To gain control of a server or device (trojan horse, back door); To extort payment (logic bomb)

Slide 48 of 49: Computer-related offences
Aiding and abetting cyber-crime: Providing (knowingly or not) technical, financial and legal facilities for conducting and/or hiding cyber-crime
Fraud: Falsification of financial transactions; Misuse of credit card and personal data; Unlicensed financial services, gambling
Forgery: Messaging and documents; Digital I.D.; Copyrighted data (software, music, e-book)

Slide 49 of 49: Impact of various offences
Most pervasive: Virus, worm, trojan horse
Most expensive: Insider fraud, sabotage; Theft of proprietary information
Most publicised: Attacks on e-business (theft of credit card data, Denial of Service)
Most frequent: Developers’ mistakes; Network misconfiguration; Poor system administration