Slide 4
Information Protection: Why?
- Information is an important strategic and operational asset for any organization.
- Damage to and misuse of information affect not only a single user or application; they may have disastrous consequences for the entire organization.
- Additionally, the advent of the Internet and of networking capabilities has made access to information much easier.
Slide 5
Information Security: Requirements
- Information security rests on three requirements: availability, confidentiality and integrity.

Slide 6
Information Security: Examples
Consider a payroll database in a corporation; it must be ensured that:
- salaries of individual employees are not disclosed to arbitrary users of the database
- salaries are modified only by those individuals who are properly authorized
- paychecks are printed on time at the end of each pay period

Slide 7
Information Security: Examples
In a military environment, it is important that:
- the target of a missile is not given to an unauthorized user
- the target is not arbitrarily modified
- the missile is launched when it is fired
Slide 8
Information Security: Main Requirements
- Confidentiality: protection of information from unauthorized read operations. The term privacy is often used when the data to be protected refer to individuals.
- Integrity: protection of information from modifications; it involves several goals:
  - assuring the integrity of information with respect to the original information (relevant especially in the web environment), often referred to as authenticity
  - protecting information from unauthorized modifications
  - protecting information from incorrect modifications, referred to as semantic integrity
- Availability: ensures that access to information is not denied to authorized subjects.

Slide 9
Information Security: Additional Requirements
- Information quality: not traditionally considered part of information security, but very relevant.
- Completeness: ensuring that subjects receive all the information they are entitled to access, according to the stated security policies.
Slide 10
Classes of Threats
- Disclosure: snooping, Trojan horses
- Deception: modification, spoofing, repudiation of origin, denial of receipt
- Disruption: modification
- Usurpation: modification, spoofing, delay, denial of service

Slide 11
Goals of Security
- Prevention: prevent attackers from violating the security policy
- Detection: detect attackers' violations of the security policy
- Recovery: stop the attack, assess and repair the damage; continue to function correctly even if the attack succeeds

Slide 12
Information Security: How
Information must be protected at various levels:
- the operating system
- the network
- the data management system
Physical protection is also important.
Slide 13
Information Security: Mechanisms
- Confidentiality is enforced by the access control mechanism.
- Integrity is enforced by the access control mechanism and by semantic integrity constraints.
- Availability is enforced by the recovery mechanism and by detection techniques for DoS attacks, an example of which is query flooding.

Slide 14
Information Security: How (Additional Requirements)
- User authentication: to verify the identity of subjects wishing to access the information.
- Information authentication: to ensure information authenticity; supported by signature mechanisms.
- Encryption: to protect information when it is transmitted across systems and when it is stored on secondary storage.
- Intrusion detection: to protect against impersonation of legitimate users and also against insider threats.
Slide 15
Data vs Information
- Computer security is about controlling access to information and resources.
- Controlling access to information can sometimes be quite elusive, and it is often replaced by the more straightforward goal of controlling access to data.
- The distinction between data and information is subtle, but it is also the root of some of the more difficult problems in computer security.
- Data represents information. Information is the (subjective) interpretation of data.

Slide 16
Data vs Information
- Data: physical phenomena chosen by convention to represent certain aspects of our conceptual and real world.
- The meaning we assign to data is called information.
- Data is used to transmit and store information, and to derive new information by manipulating the data according to formal rules.

Slide 17
Data vs Information
- Protecting information means protecting not only the data that directly represent the information.
- Information must also be protected against transmission through:
  - covert channels
  - inference, which is typical of database systems: the derivation of sensitive information from non-sensitive data
Slide 19
Inference: Example
- Assume a policy states that the average grade of a single student cannot be disclosed; however, statistical summaries can be disclosed.
- Suppose an attacker knows that Ann is a female CS student.
- The attacker combines the results of the following legitimate queries:
  Q1: SELECT COUNT(*) FROM Students WHERE Sex = 'F' AND Programme = 'CS'
  Q2: SELECT AVG("Grade Ave") FROM Students WHERE Sex = 'F' AND Programme = 'CS'
- The attacker learns from Q1 that there is only one female CS student, so the value 70 returned by Q2 is precisely her average grade.
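A query-set-size control is the classic database-side countermeasure to the Q1/Q2 inference above: the statistic is refused whenever the predicate selects fewer than k records. The following is an added example, not from the slides; the Students table, the row values and the threshold MIN_QUERY_SET_SIZE are all constructed.

```python
import sqlite3

# Constructed sample table (not from the slides): Ann is the only female CS student,
# with average grade 70, so the slides' Q1/Q2 pair isolates her record.
SAMPLE_ROWS = [
    ("Ann", "F", "CS", 70),
    ("Bob", "M", "CS", 65),
    ("Carl", "M", "CS", 80),
    ("Dan", "M", "CS", 65),
    ("Eve", "F", "EE", 75),
    ("Fay", "F", "EE", 85),
    ("Gus", "M", "EE", 70),
]

# Hypothetical policy parameter: a statistic is released only if it covers at least k records.
MIN_QUERY_SET_SIZE = 3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE Students (Name TEXT, Sex TEXT, Programme TEXT, "Grade Ave" REAL)')
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_set_size(conn, sex, programme):
    """Q1 from the slides: how many records the predicate selects."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM Students WHERE Sex = ? AND Programme = ?", (sex, programme)
    ).fetchone()
    return n


def unguarded_avg(conn, sex, programme):
    """Q2 from the slides, answered unconditionally: leaks Ann's grade when n == 1."""
    (avg,) = conn.execute(
        'SELECT AVG("Grade Ave") FROM Students WHERE Sex = ? AND Programme = ?', (sex, programme)
    ).fetchone()
    return avg


def guarded_avg(conn, sex, programme):
    """Query-set-size control: refuse the statistic (return None) when the predicate
    selects fewer than MIN_QUERY_SET_SIZE records, so a summary never describes one person."""
    if query_set_size(conn, sex, programme) < MIN_QUERY_SET_SIZE:
        return None
    return unguarded_avg(conn, sex, programme)
```

Query-set-size control on its own is known to be defeatable by combinations of overlapping queries (trackers), so in practice it is combined with other controls such as limits on query overlap or noise added to the released statistics.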
Slide 20
Information Security: Complete Solution
It consists of:
- first, defining a security policy
- then, choosing some mechanism to enforce the policy
- finally, providing assurance that both the mechanism and the policy are sound
(Figure: the security life-cycle.)

Slide 21
Policies and Mechanisms
- Policy says what is, and is not, allowed; this defines security for the information.
- Mechanisms enforce policies.
- Composition of policies: if policies conflict, the discrepancies may create security vulnerabilities.

Slide 22
Assurance
- Specification: requirements analysis; statement of the desired functionality.
- Design: how the system will meet the specification.
- Implementation: programs/systems that carry out the design.
Slide 23
Management and Legal Issues
- Cost-benefit analysis: is it more cost-effective to prevent or to recover?
- Risk analysis: should we protect some information? How much should we protect this information?
- Laws and customs: are the desired security measures illegal? Will people adopt them?

Slide 24
Human Factor Issues
- Organizational problems: power and responsibility; financial benefits.
- People problems: outsiders and insiders; social engineering.

Slide 25
Key Points
- Policies define security, and mechanisms enforce security.
- Confidentiality, integrity, availability.
- Importance of assurance.
- The human factor.

Slide 26
Privacy
Slide 27
Motivations
- Privacy is an important issue today.
- Individuals feel:
  - uncomfortable: ownership of information
  - unsafe: information can be misused (e.g., identity theft)
- Enterprises need to:
  - keep their customers feeling safe
  - maintain good reputations
  - protect themselves from any legal dispute
  - obey legal regulations

Slide 28
Privacy: Definition
- Privacy is the ability of a person to control the availability of information about, and exposure of, him- or herself. It is related to being able to function in society anonymously (including pseudonymous or blind credential identification).
- Types of privacy giving rise to special concerns:
  - political privacy
  - consumer privacy
  - medical privacy
  - information technology end-user privacy, also called data privacy
  - private property
Slide 29
Data Privacy
- Data privacy problems exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise.
- Improper or non-existent disclosure control can be the root cause of privacy issues.
- The most common sources of data affected by data privacy issues are: health information, criminal justice, financial information, genetic information.

Slide 30
Data Privacy
- The challenge in data privacy is to share data while protecting personally identifiable information.
- Consider the example of health data collected from hospitals in a district; it is standard practice to share these only in aggregate form.
- The idea of sharing data in aggregate form is to ensure that only non-identifiable data are shared.
- The legal protection of the right to privacy in general, and of data privacy in particular, varies greatly around the world.

Slide 31
Technologies with Privacy Concerns
- Biometrics (DNA, fingerprints, iris) and face recognition
- Video surveillance, ubiquitous networks and sensors
- Cellular phones
- Personal robots
- DNA sequences, genomic data
Slide 32
Approaches in Privacy
- Anonymization techniques: investigated in the areas of networks (see the anonymity terminology by Andreas Pfitzmann) and databases (see the notion of k-anonymity by L. Sweeney).
- Privacy-preserving data mining.
- P3P policies: tailored to the specification of privacy practices by organizations and to the specification of user privacy preferences.
- Hippocratic databases: tailored to support privacy policies.
- Fine-grained access control techniques.
- Private information retrieval techniques.

Slide 33
Privacy vs Security
- Privacy is not just confidentiality and integrity of user data.
- Privacy includes other requirements: support for user preferences, support for obligation execution, usability, proof of compliance.

Slide 34
Access Control
- Exerting control over who can interact with a resource.
- Includes authentication, authorization and audit.
Slide 35
Access Control Models
- Discretionary Access Control: policy determined by the owner of the object (file and data ownership, access rights and permissions).
- Mandatory Access Control: allowing access based on existing rules.
- Role-Based Access Control: access policy determined by the system.

Slide 36
Network Security

Slide 37
Problem of Network Security
- The Internet allows an attacker to attack from anywhere in the world, from their home desk.
- They just need to find one vulnerability; a security analyst needs to close every vulnerability.
Slide 38
Common Security Attacks
- Finding a way into the network
- Exploiting software bugs, buffer overflows
- Denial of service
- TCP hijacking
- Packet sniffing
- Social problems
- and many more

Slide 39
Hacker Classes
- Black hat: a person with extraordinary computing skills involved in malicious or destructive activities.
- White hat: a person possessing hacker skills and using them for defensive purposes; also known as a security analyst.
- Gray hat: a person who plays the role of black hat and white hat at various times.
- Suicide hackers: a person committed to bringing down critical infrastructure without worrying about facing punishment.

Slide 40
Triangle Phenomenon
- Moving the ball toward security means moving away from functionality and ease of use.
(Figure: a triangle whose corners are Functionality, Security and Ease of Use.)
Slide 42
Reconnaissance
- Reconnaissance is the phase in which the attacker collects and gathers as much information as possible about the target of evaluation prior to launching an attack.
- Types of reconnaissance:
  - Passive reconnaissance involves acquiring information without directly interacting with the target, e.g. searching public records and news.
  - Active reconnaissance involves interacting with the target directly by any means: telephone, email, etc.

Slide 43
Tools for Reconnaissance
- DNS: nslookup, whois, ARIN
- Trace route: traceroute, VisualRoute trace
- Email: VisualRoute mail tracker, EmailTrackpro

Slide 44
Scanning
- Scanning refers to the pre-attack phase in which the hacker scans the network for specific information on the basis of the information gathered during reconnaissance.
- Scanning includes: port scanners, network mapping, vulnerability scanners.

Slide 45
Types of Scanning
- Network sweeps
- Network tracing
- Port scans
- OS fingerprinting
- Version scans
- Vulnerability scans

Slide 46
Tools for Scanning
- Nmap, Hping2, Firework, Nessus, Nikto, Nemessis
Slide 47
Gaining Access
- Gaining access refers to the penetration phase: the hacker exploits the vulnerability in the target of evaluation.
- Gaining access can be achieved by: buffer overflows, denial of service, session hijacking, password cracking.

Slide 48
Tools for Gaining Access
- Password cracking: dictionary attack, brute-force attack (John the Ripper), sniffers
- Escalating privilege: cracking NT/2000 passwords
- Executing applications: host/remote key loggers
- Buffer overflows: Metasploit

Slide 49
Tools for Gaining Access
- DoS attacks: Trinoo, TFN2K
- Social engineering: phishing URLs, email, telephone

Slide 50
Exploit Categories
- Server side
- Client side
- Local privilege escalation
Slide 51
Retaining Access
- Retaining access refers to the phase in which the hacker tries to retain ownership of the system; the hacker has already compromised the system.
- Hackers may harden the system against other hackers as well.
- Hackers can upload, download or manipulate data, applications or configurations on the owned system.

Slide 52
Retaining Access
- Trojans: Netcat, Loki
- Rootkits: Knark, Torn, etc.

Slide 53
Covering Tracks
- Covering tracks refers to the activities the hacker undertakes to hide their misdeeds.
- Reasons include the need for a prolonged stay, continued use of resources, removing evidence of hacking, or avoiding legal action.

Slide 54
Tools for Covering Tracks
- Steganography: Camouflage, MP3Stego
- Tunnelling: HTTPTunnel

Slide 55
Types of Attacks
- Operating system attacks
- Application-level attacks
- Shrink-wrap code attacks
- Misconfiguration attacks
Slide 56
Operating System Attacks
- Today's operating systems are complex in nature.
- An operating system runs many services, ports and modes of access, and requires access tweaking to lock them down.
- A default installation leaves the OS with a large number of open ports and unwanted services running.
- Apply patches, because attackers look for OS vulnerabilities and exploit them to gain access.

Slide 57
Application Level Attacks
- Software developers are under tight schedules to deliver products on time.
- Software applications have tons of functionalities and features.
- There is not sufficient time to perform complete testing before releasing products.
- Security is often an afterthought and is usually delivered as an add-on component.
- Poor or non-existent error checking in applications leads to buffer overflows.

Slide 58
Shrink Wrap Code Attack
- When you install an OS, it comes with tons of sample scripts to make the administrator's life easy.
- The problem is not fine-tuning or customizing these scripts. This leads to the default code, or shrink-wrap code, attack.

Slide 59
Misconfiguration Attack
- Systems that should be fairly secure are hacked because they were not configured correctly.
- Systems are complex, and the administrator does not have the necessary skills or resources to fix the problem; the administrator will create the simplest configuration that works.
- Remove unwanted services or software.
Slide 60
Vulnerability Research
- To identify and correct network vulnerabilities.
- To protect the network from being attacked by intruders.
- To get information that helps to prevent security problems.
- To know how to recover from network attacks.

Slide 62
Penetration Testing
- Determine how susceptible your network is to external or internal attacks, and assess the effectiveness of your safeguards.
- Attempt to exploit the weaknesses and demonstrate the effectiveness of the security measures.

Slide 63
Ground Reality
- CVE vulnerabilities: on average 7 per day.
- The Bugtraq mailing list publishes almost 100 vulnerabilities every week.
- Security is not a primary consideration while designing software.
- Implementations are buggy.
- Networks are more open and accessible than ever.
Slide 64
Ground Reality
- Mistaken assumptions and unawareness about security.
- The Internet revolution, and crackers at large.
- Intense cut-throat competition between companies.
- The future is fully connected: new technologies rely on networks and computers.

Slide 65
All About Attacks
- SQL injection
- URL crawler attacks
- Using Whois
- Performing attacks: traceroute to trace routers
- ARP poisoning
- Man in the middle (MITM)
- MAC flooding
- Cookie stealing attacks
- Hacking Gmail and Yahoo mail accounts in a LAN
- Protocol stripping attacks

Slide 66
All About Attacks
- Cross site scripting (XSS)
- Session fixation
- Cross site request forgery (CSRF)
- TCP session hijacking attack
- Google hacks
- Social engineering attack
Slide 67
What Is SQL Injection?
- SQL injection is a type of security exploit in which the attacker injects a SQL query through a web form input box, to gain access to resources or make changes to data.
- It is a technique of injecting SQL commands to exploit non-validated input vulnerabilities in a web application's database backend.
- Programmers build SQL commands by splicing user input directly into the statement text, making it easier for attackers to inject commands:
  select * from table where user=$v1 and pass=$v2
Slide 68
Exploiting Web Applications
- It exploits web applications using client-supplied SQL queries.
- It enables attackers to execute unauthorized SQL commands.
- It also takes advantage of unsafe queries in web applications that build dynamic SQL queries. For example, when a user logs onto a web page using a user name and password for validation, a SQL query is used.

Slide 69
What You Should Look For
- Look for pages that allow a user to submit data: a login page, a search page.
- Look for HTML pages that use POST or GET commands.
- Check the source code of the HTML to get information.

Slide 70
Other Techniques
- If an input page is not present, then check for pages like ASP, JSP, CGI or PHP.
- Check for URLs that take parameters:
  http://www.xyz.com/index.php?id=0
  http://www.xyz.com/index.asp?id=blah or 1=1--
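The login query of slide 67 and the "blah' or 1=1--" input of slide 70 together, as an added example that is not from the slides: the vulnerable string-spliced query beside its parameterized replacement, against a constructed in-memory SQLite users table (table name, rows and passwords are all made up, and passwords are kept in clear only to keep the example short).

```python
import sqlite3

# Constructed sample user table (not from the slides).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, user, password):
    """The slide's pattern: user input is pasted into the SQL text.
    Returns the matching user names (a non-empty list means 'logged in')."""
    sql = f"select * from users where user='{user}' and pass='{password}'"
    # With user = "blah' or 1=1--", the statement becomes
    #   select * from users where user='blah' or 1=1--' and pass='...'
    # and everything after '--' is an SQL comment: the password check disappears.
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user, password):
    """Parameterized query: the driver passes the values separately from the SQL text,
    so no input can change the statement's structure; the quote and '--' are just data."""
    sql = "select * from users where user=? and pass=?"
    return [row[0] for row in conn.execute(sql, (user, password))]


def demo():
    conn = build_db()
    payload = "blah' or 1=1--"  # the input pattern shown on slide 70
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),  # every user matches
        "safe": login_safe(conn, payload, "anything"),              # nobody matches
        "legit": login_safe(conn, "alice", "s3cret"),               # the real user still can
    }
```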
Slide 71
URL Crawlers
- Definition: a URL crawler is a computer program that browses the given URL in a methodical, automated manner.
- Utilities: gathers pages and URLs from the given web site; supports search engines; used for data mining, and so on.

Slide 72
Whois
- Whois is a query/response protocol that is widely used for querying databases in order to determine the registrant or assignee of Internet resources, such as a domain name, an IP address block or an autonomous system number.
- Reference: Wikipedia

Slide 74
Traceroute
- Traceroute is a network tool that shows the path taken by a packet to reach its destination. It works by using the TTL field of the IP protocol.
- Used for network troubleshooting.
- Used for information gathering about the network architecture.
Slide 75
ARP Poisoning
- ARP poisoning is a kind of spoofing in which a forged ARP reply is sent in response to the original ARP request.
- The target computer's cache is updated with a forged entry.
- The victim machine starts sending its packets to the attacker, thus allowing the attacker to sniff the packets.

Slide 76
ARP Poisoning
(Figure.)

Slide 77
Vulnerable and Non-Vulnerable OS
- OS vulnerable to ARP spoofing: Windows 98/2000, Windows NT, Linux, Netgear, AIX 4.3
- OS not vulnerable to ARP spoofing: Sun Solaris
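The forged-entry behaviour of slides 75 to 77 is what a LAN monitor in the style of arpwatch looks for: an IP whose MAC suddenly changes, and one MAC claiming several IPs. The following detector is an added example, not from the slides; the ARP reply records, addresses and timestamps are constructed.

```python
from collections import defaultdict

# Constructed ARP "is-at" replies seen on a LAN (not captured from any real network):
# (timestamp, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway announces itself
    (2, "192.168.1.10", "aa:aa:aa:aa:aa:10"),  # victim host
    (3, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # third host on the segment
    (4, "192.168.1.1",  "aa:aa:aa:aa:aa:20"),  # forged reply: gateway IP now maps to host .20's MAC
    (5, "192.168.1.10", "aa:aa:aa:aa:aa:20"),  # forged reply: victim IP also maps to host .20's MAC
]


def detect_arp_poisoning(replies):
    """Return a list of alert tuples from two arpwatch-style checks:
      ("flip-flop", ts, ip, previous_mac, new_mac)  an IP's MAC differs from the one first learned
      ("multi-ip", ts, mac, (ip, ...))               one MAC claims more than one IP, typical when
                                                     the gateway and the victim are both impersonated
    The first learned mapping is trusted as the baseline; the entries are reported, not changed."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("flip-flop", ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("multi-ip", ts, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


def poisoned_ips(replies):
    """Convenience view: the set of IPs whose mapping changed at least once."""
    return {alert[2] for alert in detect_arp_poisoning(replies) if alert[0] == "flip-flop"}
```

On the hosts themselves, a static ARP entry for the gateway is the usual complement to this kind of monitoring, since a static entry is not overwritten by unsolicited replies.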
Slide 78
Man In The Middle (MITM)
- Man in the middle is a type of attack in which the attacker forms independent connections with the client and the server and is transparent to each of them.

Slide 79
Man In The Middle (MITM)
Possible causes of a man-in-the-middle attack:
- ARP poisoning
- DNS poisoning
- Route mangling
- Proxy

Slide 80
Once In The Middle
- It is the easiest attack to launch, since all the packets transit through the attacker.
- All plaintext protocols are compromised (the attacker can sniff user names and passwords of many widely used protocols such as telnet, ftp, http).
- It is transparent to the victims on either side.
- The attacker can issue its own certificate to form a secure connection (HTTPS).

Slide 81
Consequences
- The attacker can add packets to an already established connection.
- The attacker can modify the sequence number and keep the connection synchronized while injecting packets.
- If the MITM attack is a proxy attack, it is even easier to inject.
- The attacker can modify the payload by recalculating the checksum.
- Filters can be created on the fly.
Slide 82
MAC Flooding Attack
- This attack targets switches.
- Flood the switch with fake MAC addresses; the CAM table fills with fake MAC addresses.
- Thus the switch bleeds the traffic out: the switch starts behaving like a hub.

Slide 83
MAC Flooding Attack
(Figure: the attacker does the MAC flooding; the switch bleeds the traffic out.)
Slide 84
What Is A Cookie?
- A short piece of text generated during web activity and stored on the user's machine for future reference.
- Instructions for reading and writing cookies are coded by website authors and executed by user browsers.
- Developed for user convenience, to allow customization of sites without the need to repeat preferences.
- Used as an identity of the user using the web server.

Slide 85
Cookie Facts
- Most cookies store just one data value.
- A cookie may not exceed 4 KB in size.
- Browsers are preprogrammed to allow a total of 300 cookies, after which automatic deletion takes place based on expiry date and usage.
- Cookies have three key attributes: name, value and expiry date.

Slide 86
Cookie Algorithm
(Flowchart.)
- Start: on page load.
- Read the cookie. Is the cookie empty?
  - YES: write a new cookie, prompting for info if necessary.
  - NO: use the cookie info to customize, log in, etc.; update the cookie.
- Continue loading the page.

Slide 87
Cookie Stealing
Cookies can be stolen:
- through sniffing of the traffic
- by using scripts that execute in the client browser, thus revealing the cookie information to the attacker
- by using the man-in-the-middle technique
Slide 88
Using Cookie Editor
- Cookie Editor is available as an add-on for Mozilla.
- It helps in viewing cookies, and in updating, deleting and modifying the present cookies.

Slide 89
Protocol Stripping Attack
- Why do hackers strip a protocol?
- Can we decrypt SSL encryption? To date no mechanism has been devised.
- Does this mean the HTTPS protocol is secure? Hackers don't think so.
- Can HTTPS be tricked? Definitely YES.
Slide 90
Positive Browsers (screenshot)

Slide 91
Negative Browsers (screenshot)

Slide 92
Gmail Login Page (screenshot)

Slide 93
Gmail Login Page (screenshot)

Slide 94
Yahoo Login Page (screenshot)

Slide 95
Yahoo Login Page (screenshot)

Slide 96
Facebook Login Page? (screenshot)

Slide 97
Facebook Login Page? (screenshot)

Slide 98
What's Going On Behind?
(Figure: Host A speaks HTTP to the attacker, who speaks HTTPS to Host B.)
Slide 99
Cross Site Scripting Attack (XSS)
- Cross-site scripting occurs when an attacker uses a web application to send malicious code, like JavaScript.
- Stored XSS: stored attacks are those where the injected code is permanently stored in the target server's database.
- Reflected XSS: reflected attacks are those where the injected code takes another route to the victim.

Slide 100
Consequences of XSS
- Disclosure of the user's session cookie allows an attacker to hijack the user's session and take over the account.
- Through XSS, end-user files are disclosed, Trojan horses are installed, the user is redirected to some other page, and the presentation of the content is modified.
- Web servers, application servers and web application environments are susceptible to cross-site scripting.
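The two server-side controls that address the cookie-revealing scripts of slide 87 and the stored XSS of slides 99 and 100 are output encoding and cookie attributes. The following is an added example, not from the slides: a stored comment rendered unescaped beside the escaped version, and a session cookie issued with HttpOnly, Secure and SameSite; the comment text and session id are constructed.

```python
import html
from http.cookies import SimpleCookie

# Constructed stored-comment input containing a script tag and an event-handler
# attribute (example data, not from the slides).
CONSTRUCTED_COMMENT = 'Nice post <script>alert(1)</script> <a href="x" onclick="alert(2)">link</a>'


def render_comment_vulnerable(comment):
    """Stored XSS: the comment is written into the page exactly as submitted, so any
    <script> element or event-handler attribute it contains runs in every reader's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Output encoding: &, <, >, double and single quotes become entities, so the browser
    displays the comment as text instead of parsing it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def contains_markup(fragment):
    """Does the rendered fragment contain any tag other than the wrapping <p>?
    (Crude structural check, sufficient for the two renderers above.)"""
    inner = fragment[len('<p class="comment">'):-len("</p>")]
    return "<" in inner or ">" in inner


def session_cookie_header(session_id):
    """Issue the session cookie with the attributes that limit the slides' theft routes:
    HttpOnly  - page scripts cannot read it, so an injected script cannot send it away;
    Secure    - never sent over plain HTTP, so sniffing and protocol stripping do not see it;
    SameSite  - not attached to cross-site requests."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")
```

HttpOnly does not stop an injected script from acting with the user's session while the page is open; it only stops the cookie value itself from leaving the browser, so output encoding remains the primary control.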
Slide 101
Session Fixation Attack
- In a session fixation attack the attacker fixes the session key even before the user logs into the server, thus eliminating the need to steal the session key and helping the attacker take over the victim's account.
- Steps of a session fixation attack:
  - session setup
  - session fixation
  - session entrance

Slide 102
Session Fixation Attack
(Figure.)

Slide 103
TCP Session Hijacking
- TCP session hijacking is a hacking technique that uses spoofed packets to take over the connection between a victim and a target machine.
- The victim's connection hangs, and the hacker is then able to communicate with the host machine as if the attacker were the victim.
- To launch TCP session hijacking, the attacker must be on the same network as the victim.

Slide 104
TCP Session Hijacking
(Figure: the segments of the connection, read in order; the final segment reuses sequence number 4220 after 4230 has already been sent.)
- SYN, ISN 4000
- SYN, ISN 5000 / ACK 4001
- ACK 5001
- SEQ 4000, DATA 128
- ACK 4129
- SEQ 4129, DATA 91
- ACK 4220
- SEQ 4220, DATA 10
- ACK 4230
- SEQ 4230, DATA 512
- SEQ 4220, DATA 145
Slide 105
Cross Site Request Forgery
- This attack forces another user's browser to do something on the attacker's behalf.
- CSRF attacks are effective in a number of situations:
  - the victim has an active session on the target site
  - the victim is authenticated via HTTP auth on the target site
- If the user is logged in as an administrator on a website, the attack can be used to escalate privilege.

Slide 106
Types of CSRF
- Classical CSRF: in the course of web browsing, the target user encounters a request from a malicious site or location that makes a request on behalf of the user to a site the user is already authenticated to. CSRF seeks to use the victim's cookie to force the victim to execute a trade without his knowledge or consent.
- Dynamic CSRF: in a dynamic CSRF scenario the attacker creates a customized, per-request forgery based on each user's session-specific information, including valid CSRF tokens and other parameters specific to the user's session.
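The server-side fixes for the session fixation attack of slide 101 and the classical CSRF of slides 105 and 106 are closely related: issue a fresh session id at login, and tie state-changing requests to a per-session token that a cross-site request cannot supply. The following minimal session store is an added example, not from the slides; the class, its method names and the fixed id "FIXED123" are hypothetical.

```python
import hmac
import secrets


class SessionStore:
    """Hypothetical minimal server-side session store (not from the slides)."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": ..., "csrf": ...}

    def new_session(self):
        """Unguessable id from the OS CSPRNG; a per-session CSRF token is created with it."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def login_insecure(self, presented_sid, user):
        """The slide's scenario: the server keeps whatever session id the client presented,
        even one it never issued. An attacker who fixed that id beforehand now shares the
        victim's authenticated session ('session entrance')."""
        self.sessions.setdefault(presented_sid, {"user": None, "csrf": secrets.token_urlsafe(32)})
        self.sessions[presented_sid]["user"] = user
        return presented_sid

    def login(self, presented_sid, user):
        """Fix: discard the pre-login id (fixed or not) and issue a fresh one bound to the user,
        so an id known before authentication is worthless after it."""
        self.sessions.pop(presented_sid, None)
        sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def check_csrf(self, sid, presented_token):
        """Synchronizer-token check for a state-changing request. A forged cross-site request
        carries the victim's cookie (so sid is valid) but cannot read the token, which lives
        in the page, not in the cookie. Constant-time comparison avoids a timing side channel."""
        session = self.sessions.get(sid)
        if session is None or presented_token is None:
            return False
        return hmac.compare_digest(session["csrf"], presented_token)

    def csrf_token(self, sid):
        """What the server embeds in its own forms for this session."""
        return self.sessions[sid]["csrf"]
```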
Slide 107
Google Hacks
- inurl:adminlogin.php
- login: * password= * filetype:xls
- intitle:"Live View / AXIS"
- intitle:"index.of.personal"
- intitle:index.of administrators.pwd
- intitle:"index of" intext:connect.inc filetype:ini
- Many more Google hacking keywords can be found in the Google Hacking Database (GHDB).

Slide 108
Social Engineering
- The victim is tricked into revealing confidential information.
- A non-technical attack, yet more dangerous and powerful than most complex technical attacks.
- Does not require technical skills.
Slide 109
Perimeter Security

Slide 110
Firewall
- Software and/or hardware designed to block unauthorized access while permitting authorized communications.
- Configured to permit, deny, encrypt or decrypt based on a set of rules and other criteria.
- Helps to block all incoming communications from unauthorized sources.

Slide 111
Firewall
(Figure.)

Slide 112
Firewall Implementation
- Rules at the router.
- Linux network-layer firewall: Linux as a firewall platform; robust kernel-based filtering; tested platform; performance; cost.
- Packet filtering: iptables.

Slide 113
IDS
- An Intrusion Detection System is a security system that detects malicious activities on computer systems and networks.

Slide 114
Types of IDS
(Figure: IDS are host based or network based; detection is signature based or anomaly based.)
Slide 115
IPS
- Network security appliances that monitor network and/or system activities for malicious activity.
- Functions: identify malicious activity; log information; attempt to stop the activity; report the activity.

Slide 116
IPS
- Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
- Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
- Host-based intrusion prevention system (HIPS): monitors a single host for suspicious activity by analyzing events occurring within that host.

Slide 117
IPS Detection Methods
- Signature-based detection
- Statistical anomaly-based detection
- Stateful protocol analysis detection
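The difference between signature-based and statistical anomaly-based detection (slides 113 to 117) is easiest to see on one log: the first matches known patterns line by line, the second looks for a source whose behaviour departs from the baseline even though no single line matches anything. The following is an added example, not from the slides; the request log, the source addresses and the two signatures are constructed.

```python
import re
from collections import Counter
from statistics import median

# Constructed request log, one "source-ip method path" per line (not from the slides).
NORMAL_LINES = [
    "10.0.0.5 GET /index.php?id=7",
    "10.0.0.5 GET /about.html",
    "10.0.0.9 GET /index.php?id=blah' or 1=1--",
    "10.0.0.7 GET /search?q=<script>alert(1)</script>",
    "10.0.0.8 GET /index.php?id=1",
    "10.0.0.8 GET /index.php?id=2",
    "10.0.0.11 GET /",
    "10.0.0.12 GET /login",
    "10.0.0.12 POST /login",
]
# One source hammering the login page: no single line matches a signature.
FLOOD_LINES = [f"10.0.0.42 POST /login?attempt={i}" for i in range(40)]
SAMPLE_LOG = NORMAL_LINES + FLOOD_LINES

# Signature-based detection: patterns for two attacks from the slides' list.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
    "xss": re.compile(r"(?i)<script\b"),
}


def source_of(line):
    return line.split(" ", 1)[0]


def signature_hits(lines):
    """Return (signature name, source ip) for every line matching a known pattern.
    Finds the two injection attempts but says nothing about the flood."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, source_of(line)))
    return hits


def anomalous_sources(lines, factor=10):
    """Statistical anomaly detection: flag any source whose request count exceeds
    `factor` times the median per-source count. The median is the baseline because,
    unlike the mean, it is not dragged upward by the outlier it is meant to expose.
    Finds the flood but says nothing about the two injection lines."""
    counts = Counter(source_of(line) for line in lines)
    baseline = median(counts.values())
    return sorted(src for src, n in counts.items() if n > factor * baseline)
```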
Slide 118
VPN
- A VPN is a connection established over an existing public or shared infrastructure, using encryption or authentication technologies, to provide remote offices or individual users with secure access to their organization's network.

Slide 119
VPN
- A means of carrying private traffic over a public network.
- Often used to connect two similar or different private networks over a public network, to form a virtual network.
- Aims to avoid an expensive system of owned or leased lines that can be used by only one organization.
- The goal of a VPN is to provide the organization with the same secure capabilities, but at a much lower cost.

Slide 122
VPN Methodology
- The basic concept behind a VPN is securing a communication channel with encryption.
- Communication can be safeguarded through encryption at many different layers of the network: application, transport, network and data link layers.
Slide 123
References
- E. Bertino, R. Sandhu, "Database Security: Concepts, Approaches, and Challenges", IEEE Transactions on Dependable and Secure Computing, 2(1), 2005.
- L. Sweeney, "k-Anonymity: a Model for Protecting Privacy", http://privacy.cs.cmu.edu/people/sweeney/cv.html#publications
- A. Pfitzmann et al., "Anonymity, Unobservability, Pseudonymity and Identity Management: A Proposal for Terminology", http://dud.inf.tu-dresden.de/Literatur_VI.shtml
- http://homes.cerias.purdue.edu
- http://www.redbooks.ibm.com/redpapers/pdfs/redp4397.pdf
- http://en.wikipedia.org