View
213
Download
0
Tags:
Embed Size (px)
Citation preview
Chapter 9
Security
The Threat Environment
3
Figure 9-1: CSI/FBI Survey
• Companies Face Many Attacks– Viruses (and other malware)
– Insider abuse of net access
– Laptop theft
– Unauthorized access by insiders
– Denial-of-service attacks
– System penetration
– Sabotage
– Theft of proprietary information
– Fraud
– Telecoms eavesdropping and active wiretaps
In Order ofDecreasing Frequency
There are manytypes of attacks
4
Figure 9-1: CSI/FBI Survey
• Very Common Successful Incidents
– Viruses and other malware
– Insider abuse of net access
– Laptop theft
• Low-Frequency / High-Damage Attacks
– Theft of proprietary information ($2.7 M per incident)
– Denial-of-service attacks ($1.4 M per incident)
5
Figure 9-2: Malware
• Malware
– A general name for evil software
• Viruses
– Pieces of code that attach to other programs
– When infected programs execute, the virus executes
– Infect other programs on the computer
– Spread to other computers by e-mail attachments, IM, peer-to-peer file transfers, etc.
– Antivirus programs are needed to scan arriving files• Also scans for other malware
6
Figure 9-2: Malware
• Worms
– Stand-alone programs that do not need to attach to other programs
– Can propagate like viruses through e-mail, etc.• But this require human gullibility, which is slow
– In addition, vulnerability-enabled worms jump to victim hosts directly
• Can do this because hosts have vulnerabilities
• Vulnerability-enabled worms can spread with amazing speed
• Vendors develop patches for vulnerabilities but companies often fail or are slow to apply them
7
Figure 9-2: Malware
• Payloads
– After propagation, viruses and worms execute their payloads (damage code)
– Payloads erase hard disks, send users to pornography sites if they mistype URLs
– Trojan horses are exploitation programs that disguise themselves as system files
8
Figure 9-2: Malware
• Attacks on Individuals
– Social engineering is tricking the victim into doing something against his or her interests
– Spam is unsolicited commercial e-mail
– Credit card number theft is performed by carders
– Identity theft is collecting enough data to impersonate the victim in large financial transactions
– Fraud involves get-rich-quick schemes, medical scams
9
Figure 9-2: Malware
• Attacks on Individuals
– Adware pops up advertisements
– Spyware collects sensitive data and sends it to an attacker
– Phishing: sophisticated social engineering attack in which an authentic-looking e-mail or website entices the user to enter his or her username, password, or other sensitive information
10
Figure 9-3: Human Break-Ins (Hacking)
• Human Break-Ins
– Viruses and worms rely on one main attack method
– Humans can keep trying different approaches until they succeed
• Hacking
– Hacking is breaking into a computer
– Hacking is intentionally using a computer resource without authorization or in excess of authorization
11
Figure 9-3: Human Break-Ins (Hacking)
• Scanning Phase
– Send attack probes to map the network and identify possible victim hosts
– Nmap programming is a popular program for scanning attacks (Figure 9-4)
12
Figure 9-4: Nmap
IP Range to Scan
Type of Scan
Identified Host and
Open Ports
13
Figure 9-3: Human Break-Ins (Hacking)
• The Term “Exploit” is Used in Different Ways
– Noun: The actual break-in
– Noun: Exploit is the program used to make the break-in
– Verb: Attackers exploit the computer
14
Figure 9-3: Human Break-Ins (Hacking)
• After the Break-In, the Hacker
– Becomes invisible by deleting log files
– Creates a backdoor (way to get back into the computer)
• Backdoor account—account with a known password and super user privileges
• Backdoor program—program to allow reentry; usually Trojanized
• Rootkit—stealthy backdoor that cannot be detected by the operating system
– Does damage at leisure
New
15
Figure 9-5: Distributed Flooding Denial-of-Service Attack
Victim60.168.47.47
Attacker1.34.150.37
Handler
Handler
Zombie
Zombie
Zombie
AttackCommand Attack Packet
Attack Packet
Attack Packet
AttackCommand
AttackCommand Attack
Command
AttackCommand
The attacker installs handler and zombie programs on victimsThe attacker sends an attack command to handlers.
Handlers send attack commands to zombies.The zombies overwhelm the victim with attack packets.
16
Figure 9-6: Bots
BotBotSoftware
Update
Command
Human Master
Bots are like zombies,but they can be updated
by the human masterto give new functionality.
17
Figure 9-7: Types of Attackers
• Traditional Attackers:
– Traditional Hackers
• Hackers break into computers
• Driven by curiosity, a feeling of power, and peer reputation
– Virus writers
• Vandals
• Amoral
18
Figure 9-7: Types of Attackers
• Traditional Attackers:
– Script kiddies use scripts written by experienced hackers and virus writers
• Have limited knowledge and abilities
• But the large numbers of script kiddies makes them very dangerous collectively
19
Figure 9-7: Types of Attackers
• Traditional Attackers:
– Disgruntled employees andex-employees
• Dangerous becausethey have knowledge ofand access to systems
• Too often ignored, they can do extensive damage
• The most dangerous employee attackers are IT and security staff members
20
Figure 9-7: Types of Attackers
• Criminal Attackers
– Most attacks are now made by criminals rather than amateurs
– Crime generates funds that criminal attackers need to increase attack sophistication
21
Figure 9-7: Types of Attackers
• On the Horizon
– Cyberterror: Attacks by terrorists
– Cyberwar: Attacks by nations
– Potential for massive attacks
22
Figure 9-8: Planning Principles
• Security Is a Management Issue, Not a Technical Issue
– Without good management, technology cannot be effective
• Comprehensive Security
– An attacker only has to find one weakness
– A firm needs comprehensive security to close all avenues of attack
– This requires centralized security planning and management
23
Figure 9-8: Planning Principles
• Defense in Depth
– Every protection breaks down sometimes
– Attacker should have to break through several lines of defense to succeed
– Providing this protection is called defense in depth
Countermeasure2
Stops the Attack
Countermeasure1
(fails)
24
Figure 9-9: Access Control
• Enumerating and Prioritizing Assets
– Firms must enumerate and prioritize the assets they have to protect
– Otherwise, security planning is impossible
• Risk Analysis
– Must balance threat risks against the cost of protection
– Don’t overpay for security
– Don’t fail to protect sensitive assets
25
Figure 9-9: Access Control
• Companies Must Then Develop an Access Control Plan for Each Asset
– The plan includes the AAA protections
– Authentication is proving the identity of the person wishing access
– Authorization is determining what the person may do if they are authenticated
– Auditing is logging data on user actions for later appraisal. May send an alarm if certain conditions are found.
26
Figure 9-10: Authentication
Verifier
Applicant
Verifier
Applicant
1.Credentials
(Password, etc.)2. OK?
3. OK andAuthorizations
4. Welcome
AuthenticationServer
The applicant is the person who wishes to prove his or her identity.The verifier is the person who wants to authenticate the applicant.
The applicant sends credentials (passwords, etc.).Usually a central authentication server judges the credentials.
This provides consistency in authentication.
27
Figure 9-11: Password Authentication
• Passwords– Strings of characters
– Typed to authenticate someone wanting to use a username (account) on a computer
• Benefits– Ease of use for users (familiar)
– Inexpensive because built in to operating systems
Figure 9-11: Password Authentication
• Problems
– Passwords that are common words or names are widespread
• Can be cracked quickly with dictionary attack
– Variations of common words (capitalizing the first character, adding a digit at the end, etc.), can be broken almost as quickly by hybrid dictionary attack that looks for these tricks
28
29
Figure 9-11: Password Authentication
• Passwords should be complex
– Mix case (A and a), digits (6), and other keyboard characters ($, #, etc.)
– Can only be cracked with brute force attacks (trying all possibilities)
• Passwords should be long
– Eight characters minimum
– Each added character increases the brute force search time by a factor of about 70
30
Figure 9-11: Password Authentication
• Other Concerns
– If people are forced to use long and complex passwords, they tend to write them down
– People should use different passwords for different sites
• Otherwise, compromising a password will give access to multiple sites.
• But many people use the same password at multiple sites
31
Figure 9-11: Password Authentication
• Critique each of the following passwords, tell what attack can break it, and tell how difficult it will be for the attack to guess the password.
– swordfish
– Processing1
– SeAtTLe
– R7%t&
– 4h*6tU9$^l
32
Figure 9-12: Digital Certificate Authentication
• Public and Private Keys
– Each party will have both a public key and a private key
– Each party makes its public key available to everybody
– Each party keeps its private key secret
• Digital Certificate
– Tamper-proof file that gives anamed party’s public key
33
Figure 9-12: Digital Certificate Authentication
Calculation Digital Certificate
Authentication
Public key ofthe person
the applicantclaims to be
Applicantdoes a calculation
with his or herPrivate key
Verifier tests the calculation with the public key of theclaimed party. If the test succeeds, the applicant mustknow the secret private key of the claimed party, which
only the claimed party should know.
34
Figure 9-12: Digital Certificate Authentication
• Appraisal
– Digital signature authentication gives extremely strong authentication
– Very expensive: must set up infrastructure for distributing public-private key pairs
– The firm must do the labor of creating, distributing, and installing private keys.
35
Figure 9-13: Biometric Authentication
• Biometric Authentication
– Authentication based on bodily measurements
– Promises to eliminate passwords
• Fingerprint Scanning
– Dominates biometrics use today
– Simple and inexpensive
– Substantial error rate (misidentification)
– Often can be fooled fairly easily by determined impostors
– Not a problem for low-risk situations like home computers
36
Figure 9-13: Biometric Authentication
• Iris Scanners
– Scan the iris (colored part of the eye)with a camera (not a laser beam)
– Irises are complex, so very strong authentication
– Expensive
• Face Recognition
– Camera allows analysis of facial structure
– Can be done surreptitiously—without the knowledge or consent of person being scanned
– Very high error rate and easy to deceive
37
Figure 9-13: Biometric Authentication
• Error Rates and Deception
– Error rates (the frequency of identification errors when there is no deception) typically are higher than vendors claim
• Vendors test under idealized conditions
– Deception (deliberately trying to fool the system) is easier than vendors claim
• Especially for fingerprint recognition
– The in-the-field accuracy of biometrics is uncertain
38
Figure 9-14: Firewall Operation
InternalCorporateNetwork
Attacker
AttackPacket
InternetFirewall
HardenedClient PC
AllowedLegitimate Packet
Hardened Server Internet
DeniedAttackPacket
Log File LegitimateHost
LegitimatePacket
Ingress Filtering
Egress Filtering
Firewalls inspect each packet.Legitimate packets are allowed through.
Provable attack packets are dropped and logged.
39
Figure 9-15: Stateful Firewall Filtering
• Stateful Firewall Filtering
– There are several types of firewall filtering
– Stateful inspection is the dominant methodology today
– Stateful firewalls often use other filtering mechanisms as secondary mechanisms
40
Figure 9-15: Stateful Firewall Filtering
• Connection Initiation Attempts– Some Packets Attempt to Open a Connection
– Example: packets with TCP segments whose SYN bits are set
– Stateful firewalls have default rules for connection-opening attempts
Site
StatefulBorderFirewall
ExternallyInitiated
Connections areRejected
By Default
Internally Initiated ConnectionsAre Allowed by default
41
Figure 9-15: Stateful Firewall Filtering
• Stateful Inspection Access Control Lists (ACLs)
– ACLs modify the default behavior for ingress or egress
– Ingress ACL rules: allow access to selected internal servers
– Egress ACL rules: prevent access to certain external servers
42
Figure 9-15: Stateful Firewall Filtering
• Packets that Do Not Attempt to Open a Connection
– Most packets do not attempt to open a connection
– Very simple behavior
• If the packet is part of an established connection, it is passed without further inspection. (However, these packets can be filtered if desired)
• If the packet is not part of an established connection, it is dropped and logged
– This simplicity makes the cost of processing most packets minimal
43
Stateful Firewalls: Recap
All Packets
Connection-OpeningAttempts
Other Packets
Default Behavior
ACL Exceptions
Part ofPreviouslyPermitted
Connection
Not Part ofPreviouslyPermitted
Connection
Drop PacketAccept Packet
44
Figure 9-15: Stateful Firewall Filtering
• Perspective
– Stateful firewalls’ simple operation leads to inexpensive stateful firewall operation
– However, stateful inspection firewall operation is highly secure
45
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 1. If packet’s source and destination sockets are in the connection table, PASS.
– If the packet is part of an previously established connection, pass it without further filtering.
• 2. If the packet’s source and destination sockets are not in the connection table and the packet is not a connection-opening attempt, DROP and LOG.
– Drop any packet that is not a connection-opening attempt and that is not part of an established connection.
46
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 3. If protocol = TCP AND destination port number = 25, PASS and add connection to connection table.
– This rule permits external access to all internal mail servers.
• 4. If IP address = 10.47.122.79 AND protocol = TCP AND destination port number = 80, PASS and add connection to connection table.
– This rule permits access to a particular webserver (10.47.122.79)
47
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 5. Deny All AND LOG
– If earlier rules do not result in a pass or deny decision, this last rule enforces the default rule of banning all externally initiated connection-opening attempts.
48
Figure 9-18: Firewalls, Intrusion Detection Systems (IDSs), and Intrusion Prevention Systems (IPSs)
• Firewalls– Drop provable attack packets
• Intrusion Detection Systems (IDSs)– Very sophisticated filtering—better than firewalls
– Identify suspicious packets
– Do not drop--suspicious packets may be legitimate
• Intrusion Prevention Systems (IPSs)– Use IDS filtering mechanisms
– Drop suspicious packets highly likely to be attacks
– Ignore other suspicious packets
49
Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
• IDS and IPS filtering
– Stream Analysis
• Analyze streams of packets to identify suspicious patterns
– Deep packet inspection
• Inspect headers and messages at the internet, transport, and application layers
50
Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
Firewalls IDSs IPSs
Processing Power Required
Modest Heavy Heavy
Maturity Fairly Mature Still immature. Too many false positives
Tuning reduces false positives but is labor-intensive
New.
Only used to stop attacks that can be identified fairly accurately.
51
Figure 9-19: Cryptographic Systems
• Cryptographic Systems
– Provide security to multi-message dialogues
• At the Beginning of Each Communication Session
– The two parties usually mutually authenticate each other
Party A Party B
Initial Authentication
A’s CredentialsTo B
B’s CredentialsTo A
52
Figure 9-19: Cryptographic Systems
• Message-by-Message Protection
– After this initial authentication, cryptographic systems provide protection to every message
– Encrypt each message for confidentiality so that eavesdroppers cannot read it
Party A Party BMessages Encrypted for Confidentiality
EavesdropperCannot Read Messages
53
Figure 9-19: Cryptographic Systems
• Message-by-Message Protection
– Adds an electronic signature to each message
• The electronic signature authenticates the sender
• It also provides message integrity: receiver can tell if a message has been changed in transit
Party A Party BElectronic Signature
54
Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality
Message“Hello”
Cipher &Key
SymmetricKey
Party A
Party B
Network
Encrypted Message
Encryption uses anon-secret cipher
(encryption method )and a secret key
55
Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality
Encrypted Message
SymmetricKey
Party A
Party B
InterceptorNetwork
Interceptor cannot readencrypted messages en route
Encrypted Message
56
Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality
Encrypted Message Message“Hello”
Cipher &Key
SymmetricKey
SameSymmetric
KeyParty A
Party B
InterceptorNetwork
Receiver decrypts the messageusing the same cipher
and the same symmetric key
57
Figure 9-20: Symmetric and Public Key Encryption
Public Key Encryption for Confidentiality
EncryptedMessage
EncryptedMessage
Party A Party B
Encrypt withParty B’s Public Key
Decrypt withParty B’s Private Key
Decrypt withParty A’s Private Key
Encrypt withParty A’s Public Key
Note:Four keys are used to encryptand decrypt in both directions
Figure 9-21: Other Aspects of Protection
• Symmetric Key Dominates Encryption for Confidentiality
– Accounts for 99% of all encryption for confidentiality
– Dominates because it is computationally simple and therefore inexpensive
• Public Key Encryption for Confidentiality is Only Used Rarely and for Very Short Messages
– Computationally, 100 to 1,000 times slower than symmetric key encryption
– However, public key encryption for authentication is more common
58
59
Figure 9-21: Other Aspects of Protection
• Hardening Servers and Client PCs
– Some attack packets inevitably reach hosts
– Hardening is setting up computers to protect themselves
– Server Hardening
• Back up so that restoration is possible
• Patch security vulnerabilities
• Use host firewalls
• …
Attacks
Host
60
Figure 9-21: Other Aspects of Protection
• Hardening Servers and Client PCs
– Client PC Hardening
• As with servers, patching vulnerabilities, having a firewall, and implementing backup
• Also, a good antivirus program that is updated regularly
• Client PC users often make errors or sabotage hardening techniques
• In corporations, group policy objects (GPOs) can be used to centrally manage security on Windows clients
61
Figure 9-21: Other Aspects of Protection
• Vulnerability Testing
– Protections are difficult to set up correctly
– Vulnerability testing is attacking your system yourself or through a consultant
– There must be follow-up to fix vulnerabilities that are discovered
62
Figure 9-22: Incident Response
• Even with the best security, successful attacks sometimes happen
1. Detect the Attack
2. Stop the Attack
3. Repair the Damage
4. Punish the Attacker
63
Figure 9-22: Incident Response
• Major Attacks and CSIRTs
– Major Incidents
– Must be handled by the computer security incident response team (CSIRT)
• Must include members of senior management, the firm’s security staff, members of the IT staff, members of functional departments, and the firm’s public relations and legal departments
64
Figure 9-22: Incident Response
• Disasters and Disaster Recovery
– Natural and humanly made disasters
– Need a disaster recovery plan ahead of time
– Need a backup site and procedures to shift work there
– Need rehearsals to iron out difficulties and develop speed