
Page 1: Computer & Network Security nittida.n@psu.ac.th. Outlines Definition of computer and network security Security Terminology Weaknesses and Vulnerabilities

Computer & Network Security

nittida.n@psu.ac.th

Outlines

• Definition of computer and network security
• Security terminology
• Weaknesses and vulnerabilities
• Identification and authentication
• Authentication mechanisms
• Computer system and network intrusions
• Internet etiquette
• Security management

Definition of computer and network security

• Definitions: security
  – Security is about the protection of assets *
• Protective measures
  – Prevention: take measures that prevent assets from being damaged
  – Detection: take measures that make it possible to detect when an asset has been damaged
  – Reaction: take measures that make it possible to recover from damage

* From: Gollmann D., Computer Security, John Wiley & Sons, 1999

• Information security: the task of guarding digital information
  – Information is typically
    • processed by a computer
    • stored on some device
    • transmitted over a network
  – Information security ensures that protective measures are properly implemented
  – A protection method

• Computer security
  – There is no absolutely "secure" system
  – Security mechanisms protect against specific classes of attacks

• Network security
  – Security of data in transit
    • over a network link
    • over a store-and-forward node
  – Security of data at the end points
    • files
    • e-mail
    • hard copies

• How network security differs from computer security
  – Attacks can come from anywhere, at any time
  – Attacks are highly automated (scripted)
  – Physical security measures are inadequate
  – Wide variety of applications, services and protocols
    • complexity
    • different constraints, assumptions and goals
  – No single "authority" or administrator

Security Terminology

• Security attack
• Security mechanism
• Security service
• Risk
• Risk analysis
• Spies
• Cyberterrorists

• Security attack: any action that compromises the security of information
• Security mechanism: a mechanism designed to detect, prevent, or recover from a security attack
• Security service: a service that enhances the security of data processing systems and information transfers; it makes use of one or more security mechanisms

• Risk: a measure of the cost of a realised vulnerability that incorporates the probability of a successful attack
• Risk analysis: provides a quantitative means of determining whether an expenditure on safeguards is warranted

• Spies: a person who
  – has been hired to break into a computer and steal information
  – does not randomly search for unsecured computers to attack
• Cyberterrorists: terrorists that attack the network and computer infrastructure to
  – deface electronic information (such as web sites)
  – deny service to legitimate computer users
  – commit unauthorised intrusions into systems and networks that result in infrastructure outages and corruption of vital data

Weaknesses, Vulnerabilities and Threats

Weaknesses and Vulnerabilities

• Vulnerability: a weakness in a system that allows an attacker to violate confidentiality, integrity or availability
• May result from
  – software bugs
  – software or system design flaws

• Examples of vulnerabilities
  – buffer overflows
  – race conditions
  – unencrypted protocols
  – bad or insufficient sanity checks
  – backdoors
  – unqualified trust
• Some of these vulnerabilities are described later

Threats

• A threat is a person, thing or event which poses some danger to an asset in terms of that asset's confidentiality, integrity or availability
• Accidental threats; deliberate threats, which may be passive or active
• Examples of threats
  – hacker/cracker
  – script kiddies
  – spies and malware
  – denial-of-service (DoS) attack
  – zombies
  – insecure/poorly designed applications

• Hacker/cracker **
  – Hacker: a person who uses his/her advanced computer skills to attack computers, but not with malicious intent; hackers use their skills to expose security flaws
  – Cracker: a person who violates system security with malicious intent; crackers destroy data, deny legitimate users services, and cause serious problems on computers and networks

** From: M. Ciampa, Security+ Guide to Network Security Fundamentals, Thomson Course Technology, 2005

• Script kiddies: want to break into computers like crackers, but are unskilled users who download software from web sites and use it to break into computers
• Spies: a person who
  – has been hired to break into a computer and steal information
  – does not randomly search for unsecured computers to attack
• Malware: a group of destructive programs such as viruses, worms, Trojan horses, logic bombs, and spyware

• Virus: a computer program that
  – can copy itself and infect a computer without the permission or knowledge of the user
  – spreads from one computer to another when its host (such as an infected file) is taken to that computer
  – always infects or corrupts files on the targeted computer
• Worm: a computer program that
  – is self-replicating code
  – resides in active memory (the program is executed)
  – propagates itself: uses a network to send copies of itself to other nodes
  – can spread itself to other computers without needing to be transferred as part of an infected file
  – always harms the network

• Trojan horse: a program that installs malicious software while under the guise of doing something else
  – differs from a virus in that a Trojan horse does not insert its code into other computer files
  – appears harmless until executed
• Logic bomb: a program that is inactive until it is triggered by a specific event, e.g. a certain date being reached
  – once triggered, the program can perform many malicious activities
  – is difficult to defend against

• Spyware: a computer program that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's awareness
  – installing additional software
  – redirecting web browser activity
  – secretly monitoring the user's behaviour
  – collecting various types of personal information

• Denial-of-service (DoS) attack: a threat that prevents legitimate traffic from being able to access the protected resource
  – A common DoS crashes a targeted service or server, normally by
    • exploiting a buffer overflow problem in a program
    • sending too many packets to a host, causing the host to crash

• Zombies: systems that
  – have been infected with software (e.g. a Trojan or back door)
  – are under the control of attackers
  – are used to launch attacks against other targets
• Insecure/poorly designed applications: one of the most difficult threats to detect

Identification and Authentication

• Authentication basics
• Passwords
• Biometrics
• Multiple methods

Authentication Basics

• Authentication: a process of verifying a user's identity
• Two reasons for authenticating a user
  – The user identity is a parameter in access control decisions (for a system)
  – The user identity is recorded when logging security-relevant events in an audit trail

• Authentication: binding of an identity to a principal (subject)
  – An identity must provide information to enable the system to confirm that identity
  – Information (one or more of)
    • what the identity knows (such as a password or secret information)
    • what the identity has (such as a badge or card)
    • what the identity is (such as fingerprints)
    • where the identity is (such as in front of a particular terminal)

• Authentication process
  – obtaining information from the identity
  – analysing the data
  – determining if it is associated with that identity
• Thus the authentication process is the process of verifying a claimed identity

• Username and password: very common and simple identities used to enter a system
  – Username: announces who a user is; this step is called identification
  – Password: proves that the user is who he/she claims to be; this step is called authentication

Authentication Mechanism

• Password
• Password aging
• One-time password

Passwords

• Passwords are based on what people know
  – The user supplies a password
  – The computer validates it
  – If the password is associated with the user, then the user's identity is authenticated

• Choosing passwords
  – Password guessing attacks are very simple and very often work!
    • because users are not aware of how to protect their passwords
  – Password choice is a critical security issue
    • choose passwords that cannot be easily guessed
• Password defences
  – Set a password on every account
  – Change default passwords
  – Password length: a minimum password length should be prescribed

• Password defences (cont.)
  – Password format
    • mix upper and lower case letters
    • include numerical and other non-alphabetical symbols
  – Avoid obvious passwords

• How to improve password security?
  – Password checker tool: checks passwords against a dictionary of weak passwords
  – Password generation: a utility in some systems that produces random passwords for users
  – Password aging: a requirement that passwords be changed after some period of time; required mechanisms
    • forcing users to change to a different password
    • providing notice of the need to change
    • a user-friendly method to change the password
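A worked example of the password checker and password generator described above, added here as illustration and not part of the original slides. The rules follow the defences the slides list (minimum length, mixed case, digits and symbols, not in a weak-password dictionary, not derived from the account name, user name or computer name); the weak-password list, the minimum length of 12 and the sample names alice and srv01 are constructed for the example.

```python
import secrets
import string

# Constructed weak-password dictionary. A real checker loads a large wordlist;
# these entries are here only so the example runs offline.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

MIN_LENGTH = 12  # assumed policy value: the slides only say a minimum must be prescribed


def check_password(password, username="", account="", hostname="", weak=WEAK_PASSWORDS):
    """Return the list of policy rules the password violates (empty list = accepted).

    Rules mirror the slides: minimum length, mixed case, digits and other
    symbols, not in the weak-password dictionary, and not derived from the
    account name, user name or computer name.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no non-alphanumeric symbol")

    lowered = password.lower()
    # Dictionary check on the bare word and on the common "word + digits/symbols" variant.
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in weak or stripped in weak:
        problems.append("found in weak-password dictionary")

    # Name check: the password may not contain any of the names, forwards or reversed.
    for label, name in (("account name", account), ("user name", username),
                        ("computer name", hostname)):
        n = name.lower()
        if len(n) >= 3 and (n in lowered or n[::-1] in lowered):
            problems.append("derived from %s" % label)
    return problems


def generate_password(length=16):
    """Random password that satisfies every rule above: one character from each
    required class is guaranteed, the rest is drawn from the full alphabet, and
    the order is shuffled with the OS CSPRNG (secrets / SystemRandom)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("Password1!", "xAlice2024!!", "Correct-Horse7-battery", generate_password()):
        verdict = check_password(pw, username="alice", hostname="srv01")
        print("%-24r %s" % (pw, "; ".join(verdict) or "OK"))
```

The checker reports every violated rule rather than stopping at the first one, which is what a user-facing "change password" prompt needs; the generator draws from `secrets` rather than `random` because a predictable generator would make the issued passwords guessable by the same attack the checker is meant to defeat.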

• How to improve password security? (cont.)
  – One-time password: a password that is valid for only one use
  – Limit login attempts: the system monitors unsuccessful login attempts and reacts by locking the user account if the login process keeps failing
  – Inform the user: after a successful login the system displays
    • the last login time
    • the number of failed login attempts
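Added example (not from the original slides) of the three mechanisms on this slide working together: a one-time password in the HOTP form of RFC 4226 (HMAC-SHA1 over an 8-byte counter, dynamically truncated to six digits), lock-out after a number of failed attempts, and reporting of the previous login time and the failures since it. The shared secret is the RFC 4226 test-vector secret; the lock-out threshold of 5, the look-ahead window of 3 and the timestamps are assumed values.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' of the MAC to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class OtpAccount:
    """Server-side state for one user: the shared secret, the next expected
    counter, failed attempts since the last success, lock flag and last login.
    max_failures and window are assumed values, not taken from the slides."""

    def __init__(self, secret, max_failures=5, window=3):
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.window = window      # look-ahead for codes the user generated but never sent
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.last_login = None

    def login(self, code, now):
        """Verify one submitted code.

        Returns (accepted, previous_login, failures_since_previous_login); the
        last two are what the slide says to show the user after a successful login.
        """
        if self.locked:
            return False, self.last_login, self.failures
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Consume this counter and every earlier one: the same code can never be replayed.
                self.counter = c + 1
                previous, failed = self.last_login, self.failures
                self.last_login, self.failures = now, 0
                return True, previous, failed
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True    # limit login attempts: lock the account
        return False, self.last_login, self.failures


if __name__ == "__main__":
    # RFC 4226 test secret (Appendix D); the first codes are 755224, 287082, 359152, 969429, ...
    secret = b"12345678901234567890"
    acct = OtpAccount(secret)
    print(acct.login("755224", "2024-01-01 09:00"))   # accepted, first login
    print(acct.login("755224", "2024-01-01 09:05"))   # replay of a used code is rejected
    print(acct.login("969429", "2024-01-01 10:00"))   # counter 3, inside the look-ahead window
```

Two details matter for "valid for only one use": the server advances past the accepted counter so a sniffed code is useless afterwards, and the comparison uses `hmac.compare_digest` so response time does not leak how many leading digits were right.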

Attacking a Password System

• Password guessing
  – Exhaustive search (brute force): try all possible combinations of valid symbols
  – Dictionary attack
  – Random selection of passwords
  – Pronounceable and other computer-generated passwords
  – User-selected passwords
    • passwords based on account names, user names, computer names, etc.
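An added example (not part of the original slides) of the first two attacks in the list, run offline against a constructed password store: a dictionary attack with simple mangling rules, including guesses derived from the account name and the computer name, and an exhaustive search that shows why a prescribed minimum length matters. The store uses salted SHA-256 so the example runs in seconds; a real system should use a deliberately slow password hash, which is a design choice the slides do not cover. The usernames, passwords, host name srv01 and word list are all constructed.

```python
import hashlib
import itertools
import os
import string

ALPHANUM = string.ascii_lowercase + string.digits   # 36 symbols


def hash_password(salt, password):
    """Salted SHA-256, hex-encoded. Fast on purpose so the attack below finishes
    quickly; a real system wants a slow, memory-hard password hash instead."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_store(users):
    """Constructed shadow-style store: username -> (random salt, hash)."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(8)
        store[name] = (salt, hash_password(salt, pw))
    return store


# Constructed mini wordlist; real crackers use lists with millions of entries.
WORDS = ["password", "letmein", "welcome", "summer", "dragon"]


def candidates(username, hostname):
    """Dictionary-attack candidates: each base word, the account name (also
    reversed) and the computer name, run through simple mangling rules
    (capitalised, upper case, leet-speak) with common suffixes appended."""
    bases = WORDS + [username, username[::-1], hostname]
    for base in bases:
        forms = (base, base.capitalize(), base.upper(),
                 base.replace("a", "@").replace("o", "0"))
        for form in forms:
            yield form
            for suffix in ("1", "123", "2024", "!", "1!"):
                yield form + suffix


def dictionary_attack(store, hostname):
    """Return {user: password} for every account whose hash matches a candidate."""
    cracked = {}
    for user, (salt, digest) in store.items():
        for guess in candidates(user, hostname):
            if hash_password(salt, guess) == digest:
                cracked[user] = guess
                break
    return cracked


def brute_force(salt, digest, alphabet, max_len):
    """Exhaustive search over every string of 1..max_len symbols from alphabet.
    Returns (password or None, number of guesses tried)."""
    tried = 0
    for n in range(1, max_len + 1):
        for symbols in itertools.product(alphabet, repeat=n):
            tried += 1
            guess = "".join(symbols)
            if hash_password(salt, guess) == digest:
                return guess, tried
    return None, tried


def search_space(alphabet_size, length):
    """Guesses needed to enumerate all passwords of exactly `length` symbols:
    the cost of exhaustive search grows exponentially with the minimum length."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed accounts on a host called srv01.
    users = {"alice": "Welcome123", "bob": "bob2024", "carol": "srv01!",
             "dave": "xq7", "eve": "Tr0ub4dor&3x!Q"}
    store = make_store(users)
    print("dictionary attack:", dictionary_attack(store, "srv01"))
    print("brute force on dave:", brute_force(*store["dave"], ALPHANUM, 3))
    print("3 alphanumerics:", search_space(len(ALPHANUM), 3),
          "12 printable ASCII:", search_space(95, 12))
```

The dictionary attack needs only a few hundred guesses per account and recovers every password built from a word, the user name or the host name; the exhaustive search finds a 3-character password within 36 + 36^2 + 36^3 guesses but has nothing to say about eve's, whose search space at 12 printable characters is 95^12. Each guess must be hashed again with every user's salt, which is what the salt buys the defender.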

Biometrics

• The automated measurement of biological or behavioural features that identify a person
• Method
  – A set of measurements of a user is taken (recorded) when the user is given an account
  – When the user accesses the system, the biometric authentication mechanism verifies the identity

• Fingerprints
• Voices
• Eyes
• Faces
• Keystrokes
  – keystroke intervals
  – keystroke pressure
  – keystroke duration
• Combinations

Computer System and Network Intrusions

Intrusion Profiles

• Exploiting passwords
• Exploiting known vulnerabilities
• Exploiting protocol flaws
• Examining source files for new security flaws
• Denial-of-service attacks
• Abusing anonymous FTP
• Installing sniffer programs
• IP source address spoofing

Typical Network Intrusions

• Locate a system to attack
  – new systems
  – network sweeps
• Gain entry to a user's account
  – no password, or an easy-to-guess password
  – sniffed password
• Exploit a system configuration weakness or software vulnerability to obtain access to a privileged account

• Once inside, an intruder may
  – remove traces from auditing records
  – install a back door for future use
  – install Trojan horse programs to capture system and account information
  – jump to other hosts on your network
  – use your system to launch attacks against other sites
  – modify, destroy, or inappropriately disclose information

Why Should You Care?

• Protect your own operational environment
• Protect your users' data
• Provide service to your users

What Should You Do?

• Stay current with security issues

Internet Etiquette (1)

Do:
• Understand and respect security policies
• Take responsibility for your own security
• Respect other Internet neighbours
• Cooperate to provide security

Internet Etiquette (2)

Avoid:
• Unauthorised access to other accounts and systems
• Cracking password files from other systems
• Sharing accounts
• Unauthorised access to unprotected files
• Reading the e-mail of other users
• Disrupting service

Security Management

• Understanding security
• Writing a security policy
• Monitoring the network
• Auditing the network
• Preparing for an attack
• Handling an attack
• Forensics
• Log analysis
• Damage control

Understanding Security: Security Objectives (CIA) **

• Confidentiality: the term used for preventing the disclosure of information to unauthorised individuals or systems
• Integrity: in information security, integrity means that data cannot be modified undetectably
• Availability: for any information system to serve its purpose, the information must be available when it is needed

** http://en.wikipedia.org/wiki/Information_security

• What are we protecting?
  – asset value
  – cost of protecting it
• Thinking like a defender: list the problems that might happen in various situations
• The organisation we are protecting: different business types need different levels of security

• The process of security (1): an endless loop
  – Learn everything about the threats
    • the Internet is full of information: how to protect a system, how to break into a system, system vulnerabilities, etc.
  – Design everything well before implementing it! Analysis must come before synthesis!

• The process of security (2)
  – Think "pathologically" about the design (or "think evil thoughts")
  – Implement it the way it is designed
  – Never let any component be altered from the design
  – Continuously recheck it to make sure that it has not changed, e.g. configuration changes in routers or computers
  – Practise running it to make sure that you understand it and can operate it correctly

• The process of security (3)
  – Make it simple for others to do what you want them to do
  – Make it hard for people to do what you do not want them to do
  – Make it easy for you to detect problems
  – Make it difficult to hide what you do not want to be hidden
  – Test everything you can test
  – Practise everything you can practise
  – Improve anything you can improve
  – Repeat this process endlessly, at all levels of detail


Writing a Security Policy

• Security policy, definition (1): information security policy **
  – Objective: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations

** ISO/IEC 17799:2005(E)

• Security policy, definition (2) [Ciampa]: "The backbone of any infrastructure is its security policy. Without a policy that clearly outlines what needs to be protected, how it should be protected, and what users can – and cannot – do in support of the policy, there is no effective security."

• Security policy: a document or set of documents that
  – clearly defines the defence mechanisms an organisation will employ to keep information secure
  – outlines how the organisation will respond to attacks
  – outlines the duties and responsibilities of its employees for information security

• Security policy, definition (3) [Northcutt]
  – A security policy establishes what you must do to protect information stored on computers
  – A well-written policy contains sufficient definition of "what" to do so that you can identify and measure, or evaluate, "how"

• Purpose of a security policy
  – Describes what is being protected and why
  – Sets priorities about what must be protected first and at what cost
  – Allows an explicit agreement to be made with various parts of the organisation regarding the value of security
  – Provides the security department with valid reasons to say "no" when that is needed
  – Provides the security department with backing for that "no"
  – Prevents the security department from acting illegally

• Security policy trade-offs suggested by Wadlow
  – A good policy today is better than a great policy next year
  – A weak policy that is well distributed is better than a strong policy no one has read
  – A simple policy that is easily understood is better than a complicated and confusing policy that no one ever bothers to read
  – A policy whose details are slightly wrong is better than a policy with no details at all
  – A living policy that is constantly updated is better than one that grows obsolete over time

• An amateur (simple) policy: State a coup
• A formal policy: follows some guidelines/standards

• Suggestion: how to get a decent policy for an organisation which currently has no security policy (from T. A. Wadlow, The Process of Network Security)
  1. Write a security policy for your organisation
     – Say nothing specific; state generalities
     – It should cover no more than 5 pages
     – It should not take more than 2 days to write
     – Don't ask for help, do it yourself
     – Don't try to make it perfect, just try to get some key issues written down
     – It doesn't have to be complete
     – It doesn't have to be crystal clear
  2. Find 3 people who are willing to become the "security committee"; their job is
     – to make rulings and amendments to the policy
     – to be judges, not enforcers
  3. Create an internal web site with
     – the policy page
     – committee contact information
     – amendments, approved and added to the web site as quickly as possible
  4. Treat the policy as if it were the absolute rule of law
     – Do not violate the policy
     – Allow no violation to occur
  5. If someone has a problem with the policy
     – Have the person propose an amendment
     – The policy committee members need to agree
     – Make an amendment
  6. Schedule a regular meeting to consolidate the policy and its amendments
     – Once a year, for example
     – Involve you and the security committee, the current security policy and the amendments
     – Make new policy statements
  7. Repeat steps 4 to 6

• Contents
  – What are we protecting? Describe in detail
    • the types of security levels expected in the organisation
    • a characterisation of the machines on the network, for example by category:

• Contents (cont.): machine categories
  – Red: contains extremely confidential information or provides a mission-critical service
  – Yellow: contains sensitive information or provides an important service
  – Green: able to access red or yellow machines but does not directly store sensitive information or perform a crucial function
  – White: unable to access red, yellow, or green systems, but not externally accessible; no sensitive information or function
  – Black: externally accessible; unable to access red, yellow, green or white systems

• Contents (cont.): methods of protection
  – Describe the levels of protection and the priorities for protection, for example:

• Organisation priorities (from highest to lowest)
  1. Health and human safety
  2. Compliance with applicable local, state, and federal laws
  3. Preservation of the interests of the organisation
  4. Preservation of the interests of partners of the organisation
  5. Free and open dissemination of non-sensitive information

• Describe general policies for access to each category of system

Category | Network access                  | Qualification                                                         | Cycle*
Red      | Red networks only               | Red-cleared employees only                                            | Monthly
Yellow   | Yellow and red networks         | Employees only                                                        | Quarterly
Green    | Yellow, red, and green networks | Employees and cleared contractors                                     | Yearly
White    | White networks only             | Employees and contractors                                             | Yearly
Black    | Black networks only             | Employees, contractors, and the public (through cleared access means) | Monthly

• Contents (cont.): responsibility
  – Describes the responsibilities and privileges accorded to each class of system user, e.g.
  – General
    • knowledge of this policy
    • all actions in accordance with this policy
    • report any known violations of this policy to security
    • report any suspected problems with this policy to security
  – Sysadmin/operations
    • all user information to be treated as confidential
    • no unauthorised access to confidential information
    • indemnified for any action consistent with the systems administrator code of conduct

• Contents (cont.): responsibility (cont.)
  – Security administrator
    • highest level of ethical conduct
    • indemnified for any action consistent with the security officer code of conduct
  – Contractor
    • access to specifically authorised machines in a specifically authorised fashion
    • request advance authorisation in writing for any action which might be interpreted as a security issue
  – Guest
    • no access to any computing facilities except with written advance notice to security

Page 70

Writing a Security Policy

Contents (cont.)
• Appropriate use
  – Describes the ways in which employees should (and should not) use the network
  General
  – Minimal personal use during normal business hours
  – No use of the network for outside business activity
  – Access to Internet resources consistent with HR policies
  Sysadmin
  – Responsible access to sensitive or personal information on the network
  – All special access justifiable for business operations

Page 71

Writing a Security Policy

Contents (cont.)
  Security personnel
  • Responsible access to sensitive information on the network
  • All special access justifiable for business operations
  • Use of security tools for legitimate business purposes only
  Contractor
  • No personal use at any time
  • Minimal use of the network, and only for specific reasons relating to specific contracts
  Guest
  • No use of the network at any time

Page 72

Writing a Security Policy

Contents (cont.)
• Consequence
  – Describes the way in which the magnitude of a policy violation is determined and the categories of consequences
  – Examples: a security review board; penalties graded by the severity of the violation: critical, serious, limited

Page 73

Writing a Formal Policy

Known as "risk-based security management"
• Risk
  – Combination of the probability of an event and its consequence
• Risk analysis
  – Systematic use of information to identify sources and to estimate the risk
• Risk evaluation
  – Process of comparing the estimated risk against given risk criteria to determine the significance of the risk

Page 74

Writing a Formal Policy

Risk (cont.)
• Risk assessment
  – Overall process of risk analysis and risk evaluation
• Risk management
  – Coordinated activities to direct and control an organisation with regard to risk

Page 75

Writing a Formal Policy

Some guidelines
• ISO/IEC 17799:2005(E)
• SANS guidelines: www.sans.org/security-resources/policies
• NIST guidelines: http://csrc.nist.gov/index.html
• etc.

Page 76

ISO/IEC 17799:2005(E) Security Policy

Should contain
• Definitions of information security, its overall objectives and scope, and the importance of security
• A statement of management intent
• A framework for setting control objectives and controls, including the structure of risk assessment and risk management

Page 77

ISO/IEC 17799:2005(E) Security Policy

• A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organisation, including
  – Compliance with legislative, regulatory, and contractual requirements
  – Security education, training, and awareness requirements
  – Business continuity management
  – Consequences of information security policy violations

Page 78

ISO/IEC 17799:2005(E) Security Policy

• A definition of general and specific responsibilities for information security management, including reporting information security incidents
• References to documentation which may support the policy, e.g. more detailed security policies and procedures for specific systems, or security rules that users should comply with

Page 79

ISO/IEC 17799:2005(E) Security Policy

Review of the information security policy
• The information security policy should be reviewed
  – at planned intervals, or
  – if significant changes occur
• to ensure its continuing suitability, adequacy, and effectiveness

Page 80

Example of Security Policy Format
1. Purpose/Overview
2. Scope
3. Policy
4. Enforcement
5. Revision history

Page 81

Example of Policies (suggested by SANS*)
• Organization policy
• Audit policy
• Computer security policy
• Desktop security policy
• Email security policy
• Internet security policy
• Mobile security policy
• Network security policy
• Physical security policy
• Server security policy
• Wireless security policy

* www.sans.org/security-resources/policies

Page 82

Monitoring Your Network
• The shape of a logging system
• What to log
• Logging mechanisms
• Time
• Sensors
• Log management

Page 83

Monitoring Your Network

Goals of a monitoring system
• Reduce the likelihood of an attack going unlogged
• Increase the likelihood that the events logged for an attack will be recognised as an attack

Page 84

The Shape of a Logging System

Problems of a logging system
• Which events should be logged?
  – If every event is logged, the log files will be very large
  – If only selected events are logged, some crucial events might not be logged
• Log files can be tampered with by attackers to delete the traces of their attack
  – Attackers can tamper with the log files if the logs are accessible to them

Page 85

The Shape of a Logging System

Logs should not be accessible to an attacker
• Mechanisms that can deny an attacker access to the logs
  – The logs are kept on a separate machine
  – The logs are encrypted
  – The logs are stored on write-once media
  – The logs are stored in multiple places

Page 86

The Shape of a Logging System

Logs should not be tampered with; tampering efforts should be easily detected
• Achieved by
  – Cryptographically signing each log entry, to detect invalid entries
  – Monitoring the log entries to look for a sudden decrease in log size, which indicates that log entries have been deleted
  – Assigning a sequence number to each log entry and verifying that the sequence is unbroken
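As an added worked example (not code from the original slides or from the books they draw on), the three detection mechanisms above in one Python script: every entry carries a sequence number and an HMAC that also covers the previous entry's tag, so modifying an entry, deleting one from the middle, and truncating the end are each caught by a different check. The key value, the helper names and the sample messages are constructed for the example; in practice the key must live only on the separate log host, otherwise an attacker who owns the logging machine can re-sign whatever they like.

```python
import hashlib
import hmac

# Hypothetical key shared between the log host and the verifier.
# Assumption: it is never present on the machines that generate entries.
KEY = b"example-log-signing-key"
CHAIN_ANCHOR = "0" * 64  # stands in for the "previous tag" of entry 1


def _tag(key, seq, prev_tag, message):
    """HMAC over (seq, previous tag, message): chains each entry to the one before it."""
    data = f"{seq}|{prev_tag}|{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_log(messages, key=KEY):
    """Turn plain messages into sequence-numbered, chained, MACed entries."""
    entries = []
    prev = CHAIN_ANCHOR
    for seq, msg in enumerate(messages, start=1):
        tag = _tag(key, seq, prev, msg)
        entries.append({"seq": seq, "msg": msg, "tag": tag})
        prev = tag
    return entries


def verify_log(entries, expected_count=None, key=KEY):
    """Walk the chain and return (ok, problems).

    - a changed message fails its own MAC (signature check)
    - a deleted entry leaves a gap in the sequence and breaks the chain
    - a truncated log only shows up as a size decrease, so the verifier must
      remember how many entries it saw last time (expected_count)
    """
    problems = []
    prev = CHAIN_ANCHOR
    expected_seq = 1
    for e in entries:
        if e["seq"] != expected_seq:
            problems.append(f"sequence gap: expected {expected_seq}, got {e['seq']}")
            expected_seq = e["seq"]
        if not hmac.compare_digest(_tag(key, e["seq"], prev, e["msg"]), e["tag"]):
            problems.append(f"invalid MAC at seq {e['seq']}")
        prev = e["tag"]
        expected_seq += 1
    if expected_count is not None and len(entries) < expected_count:
        problems.append(f"log shrank: {len(entries)} entries, previously {expected_count}")
    return (not problems, problems)
```

Note that the last check is the weak one: an attacker who removes only the newest entries leaves a perfectly valid chain, which is why the slide pairs signing with a size monitor, and why a sequence number must be tracked by the receiver and not just by the sender.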

Page 87

What to Log
• The network should log any events necessary to detect known attack patterns
• The network should log any events necessary to detect unusual patterns of access

Page 88

Logging Mechanisms

Syslog
• The most common network logging mechanism
• Runs on Unix systems
• Components
  – Syslog daemon
  – Syslog ruleset
  – Syslog-enabled programs

Page 89

Syslog

Syslog daemon
• A program that runs in the background on every machine using syslog
• Serves several purposes
  – Collects messages from syslog-enabled programs on the machine hosting it
  – Collects certain messages from the system that are not syslog-enabled (such as kernel messages about start-up and some device problems)
  – Listens on the syslog port (514/UDP) for messages sent by other machines
  – Saves all of the above messages in a file

Page 90

Syslog Ruleset
• Usually in /etc/syslog.conf
• Contains directives to the syslog daemon that determine where the various types of messages should be logged
• Choices of logging
  – Put a message into a file
  – Log a message to another machine via UDP
  – Write a message to the system console
  – Write a message to all logged-in users
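An added example, not part of the original slides: a Python parser for the syslog priority header and a simplified evaluator for syslog.conf-style selectors, showing how the ruleset decides where a message goes. The ruleset text and the messages are constructed; the selector semantics implemented ("facility.level" matches that facility at the given level or more severe, "*" is a wildcard, "facility.none" excludes a facility, and a later selector on the same line overrides an earlier one for the same facility) follow traditional BSD syslogd, while rsyslog and syslog-ng add extensions that are not modelled here.

```python
import re

# Facility codes 0-11; codes 16-23 are local0-local7. Severity codes 0-7, most severe first.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def facility_name(code):
    if code < len(FACILITIES):
        return FACILITIES[code]
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return f"facility{code}"


def parse_pri(raw):
    """Split '<PRI>rest' into (facility, severity, rest); PRI = facility * 8 + severity."""
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return facility_name(pri // 8), SEVERITIES[pri % 8], m.group(2)


def parse_ruleset(text):
    """Parse 'selector[;selector...]  action' lines in /etc/syslog.conf syntax."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        sels = []
        for sel in selector.split(";"):
            fac, _, lvl = sel.partition(".")
            sels.append((fac, lvl))
        rules.append((sels, action.strip()))
    return rules


def route(raw, rules):
    """Return the actions (destinations) the ruleset applies to one message, in file order."""
    fac, sev, _ = parse_pri(raw)
    sev_idx = SEVERITIES.index(sev)
    actions = []
    for sels, action in rules:
        matched = False
        for rfac, lvl in sels:
            if rfac not in ("*", fac):
                continue  # selector is about some other facility
            if lvl == "none":
                matched = False  # explicit exclusion of this facility
            elif lvl == "*":
                matched = True
            else:
                # lower index = more severe, so 'err' matches err, crit, alert, emerg
                matched = sev_idx <= SEVERITIES.index(lvl)
        if matched:
            actions.append(action)
    return actions


# Constructed ruleset (example only), in the syntax of /etc/syslog.conf.
RULESET = """
# what             where
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           /var/log/maillog
*.emerg                          *
*.err                            @loghost.example.com
"""
```

Two details worth noticing in the output: a kernel emergency is written to three places (file, every logged-in user via "*", and the remote host via "@"), and an authpriv message never reaches the world-readable /var/log/messages because the "none" selector on the first line excludes it even though "*.info" would otherwise match.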

Page 91

Syslog-enabled Programs
• Syslog is a standard facility in Unix, so many Unix programs have calls to syslog built into them
• This enables these programs to log various events to the local syslog daemon

Page 92

Pros (of syslog)
• Universally available
• Standard implementation
• Available from non-programmable devices
• A one-way logging mechanism: a sending host can only add messages to the log host; it cannot read or alter what is already stored there

Page 93

Cons (of syslog)
• Unauthenticated protocol: messages can be spoofed
• Unencrypted transmission: messages can be eavesdropped on by attackers
• Unreliable UDP transmission: not all syslog messages reach their intended destination

Page 94

Time

An important issue in log gathering and analysis:

  Jun 4 22:33:21 machine1.ycom.com login: user smt login ok
  Jun 4 22:34:29 machine3.ycom.com login: user smt login ok

• Time is used in the analysis process, so it should be accurate and synchronised with the other systems
• A logging system should synchronise its time with a time server (NTP server)

Page 95

Sensors
• A mechanism that can be used to aid device-based logging
• Provides a means for gathering information and integrating it into the logging system

Page 96

Sensors

Examples
• Some sensors can detect several variations on attacks
• Some sensors can detect problems with the network being monitored

Page 97

Sensors

Some sensors are built to detect conditions on the logging system itself
• Are the logs increasing monotonically?
  – If not, a log file might have been tampered with
• Is the logging system receiving all the logs that are being sent?
  – Some devices transmit a sequence number with each log entry; if a particular number is missing, something has gone wrong

Page 98

Sensors
• Has any machine stopped logging?
  – A machine that has stopped logging might indicate a network problem OR an attack
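An added example, not from the original slides: a small Python sensor for the two conditions above that the logging host can check on its own, without help from the sending devices. It reads lines in the BSD syslog format shown on the Time slide, reports hosts that have gone silent relative to the newest entry, and flags a host whose timestamps run backwards, which is what an unsynchronised or stepped clock looks like in the log (UDP reordering can produce the same symptom, and either way the analyst wants to know). The log lines, host names, the year and the silence threshold are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in BSD syslog line format (example data, not a real capture).
# machine3 goes quiet after 22:34; machine2's clock steps backwards once.
SAMPLE_LOG = """\
Jun  4 22:33:21 machine1.ycom.com login: user smt login ok
Jun  4 22:34:29 machine3.ycom.com login: user smt login ok
Jun  4 22:40:02 machine2.ycom.com sshd: accepted publickey for ops
Jun  4 22:41:10 machine1.ycom.com cron: job backup started
Jun  4 22:39:55 machine2.ycom.com sshd: session closed for ops
Jun  4 23:05:17 machine1.ycom.com cron: job backup finished
Jun  4 23:06:00 machine2.ycom.com sshd: accepted publickey for ops
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")
YEAR = 2024  # assumption: the BSD format carries no year, so one is supplied here


def parse_line(line):
    """Return (timestamp, host, message), or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the padding in 'Jun  4'
    ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def silent_hosts(lines, max_gap=timedelta(minutes=20)):
    """Hosts whose newest entry is older than max_gap relative to the newest entry overall."""
    last_seen = {}
    newest = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _ = parsed
        last_seen[host] = max(last_seen.get(host, ts), ts)
        newest = ts if newest is None else max(newest, ts)
    if newest is None:
        return []
    return sorted(h for h, t in last_seen.items() if newest - t > max_gap)


def clock_anomalies(lines):
    """(host, previous_ts, ts) for every entry stamped earlier than the host's previous entry.

    A clock stepped back or never synchronised with NTP shows up here; so does
    UDP reordering, which still merits a look before the timeline is trusted.
    """
    prev = {}
    found = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _ = parsed
        if host in prev and ts < prev[host]:
            found.append((host, prev[host], ts))
        prev[host] = ts
    return found
```

Run over the sample, silent_hosts() names machine3 and clock_anomalies() names machine2. In a real deployment the "silent" threshold should come from each host's normal logging rate (a busy server silent for two minutes is more alarming than a printer silent for a day), and the comparison clock should be the log host's own NTP-disciplined time, not the newest stamp in the file.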

Page 99

Log Management
• The process of making sure that the logging system is
  – Stable
  – Useful

Page 100

References
1. Wadlow T. A., The Process of Network Security: Designing and Managing a Safe Network, Addison-Wesley, 2000
2. Ciampa M., Security+ Guide to Network Security Fundamentals, Thomson Course Technology, 2005
3. Northcutt S., et al., Inside Network Perimeter Security, Sams Publishing, 2005
4. ISO/IEC 27001:2005(E)
5. ISO/IEC 17799

Page 101

Security Contest Topics
• Network Security Concepts
• Network Security Architecture
• Network Security Assessment & Penetration Test Methods
• Network Security Monitoring
• ISO 27001 and series
• Computer Laws

Page 102

Announcement: security contest registration and examination postponed
• Registration closing date: moved from 14 October to 31 October
• First-round selection examination: moved from 28 October to 18 November
• Final round and prize announcement: moved from 25 November to 19 December

Page 103

CS subject
• 344-422 Computer and Network Security
• Elective course, offered in semester 1 every year