
Computer Science and Engineering 1

Which is the Cuckoo's Egg?

• $45 million
• Quebec
• Drug arrest
• Hacking scam
• Poland, Brazil, Manitoba, and the United States
• Age 17 to 26
• Computer network

Cuckoo's Egg

• Drug arrest
• Canada: police have broken up a major international computer-hacking network
• Target: unprotected personal computers around the world
• Police arrested 16 people, aged between 17 and 26
• Online to attack and gain control of as many as one million computers worldwide

Csilla Farkas, Associate Professor
Dept. of Computer Science and Engineering, University of South Carolina
[email protected]
http://www.cse.sc.edu/~farkas

Financial Loss

[Chart: Dollar Amount Losses by Type]
Total Loss (2006): $53,494,290
Source: CSI/FBI Computer Crime and Security Survey, Computer Security Institute

Security Protection

[Chart: Percentage of Organizations Using ROI, NPV, or IRR Metrics]
[Chart: Percentage of IT Budget Spent on Security]
Source: CSI/FBI Computer Crime and Security Survey, Computer Security Institute

What is Wrong with the Following Specification?

• The CEO of ReallySecure Inc. instructed the system administrator of the organization's computing resources to implement security mechanisms, including
  – Hardware firewall
  – Authentication mechanisms
  – Access control
  – Secure communication
  – Encryption capabilities

Risk Management Framework (Business Context)

• Understand Business Context
• Identify Business and Technical Risks
• Synthesize and Rank Risks
• Define Risk Mitigation Strategy
• Carry Out Fixes and Validate
• Measurement and Reporting (spans all stages)

Understand the Business Context

• "Who cares?"
• Identify business goals, priorities and circumstances, e.g.,
  – Increasing revenue
  – Meeting service-level agreements
  – Reducing development cost
  – Generating high return on investment
• Identify the security risks to consider

Identify Business and Technical Risks

• "Why should business care?"
• Business risk
  – Direct threat
  – Indirect threat
• Consequences
  – Financial loss
  – Loss of reputation
  – Violation of customer or regulatory constraints
  – Liability
• Tie technical risks to the business context in a meaningful way

Synthesize and Rank the Risks

• "What should be done first?"
• Prioritize the identified risks based on business goals
• Allocate resources
• Risk metrics:
  – Risk likelihood
  – Risk impact
  – Risk severity
  – Number of emerging risks

Define the Risk Mitigation Strategy

• "How to mitigate risks?"
• Available technology and resources
• Constrained by the business context: what the organization can afford, integrate, and understand
• Needs validation techniques

Carry Out Fixes and Validate

• Perform the actions defined in the previous stage
• Measure "completeness" against the risk mitigation strategy
  – Progress against risk
  – Remaining risks
  – Assurance of mechanisms
• Testing

Measuring and Reporting

• Continuous and consistent identification and storage of risk information over time
• Maintain risk information at all stages of risk management
• Establish measurements, e.g.,
  – Number of risks, severity of risks, cost of mitigation, etc.

What is Being Protected, Why, and How?

• Risk assessment

[Diagram: RISK arises from the combination of Threats, Vulnerabilities, and Consequences]

Security Objectives

• Secrecy: prevent/detect/deter improper disclosure of information
• Integrity: prevent/detect/deter improper modification of information
• Availability: prevent/detect/deter improper denial of access to services

Security Tradeoffs

[Diagram: tradeoff among Cost, Security Functionality, and Ease of Use]

Achieving Security

• Policy: what to protect?
• Mechanism: how to protect?
• Assurance: how good is the protection?

Policy

• Organizational policy
• Information systems policy

Security by Obscurity

Hide the inner workings of the system. Bad idea!
– Vendor-independent open standards
– Widespread computer knowledge

Security by Legislation

Instruct users how to behave. Not good enough!
– Important
– Can only enhance security
– Targets only some of the security problems

Security Mechanisms

• Prevention
• Detection
• Tolerance and Recovery

Identification and Authentication

Authentication

• Allows an entity (a user or a system) to prove its identity to another entity
• Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier
• Strong authentication: the entity proves knowledge of S to the verifier without revealing S to the verifier (or to anyone snooping the channel)

User Authentication

• What the user knows
  – Password, personal information
• What the user possesses
  – Physical key, ticket, passport, token, smart card
• What the user is (biometrics)
  – Fingerprints, voiceprint, signature dynamics
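The difference between revealing S and proving knowledge of S, as an added example that is not part of the slides. A "weak" login sends the password itself, so a snooper on the channel learns it and can replay it. The "strong" variant below is a challenge-response exchange: the verifier issues a fresh random nonce and the prover answers with HMAC-SHA256 keyed by S over that nonce, so the transcript contains neither S nor anything that works a second time. The user name, the secret and the in-memory snooper list are constructed for the demonstration; a real verifier would store a password hash rather than S, which this simplified version does not do.

```python
"""Weak (send the secret) vs strong (prove knowledge of the secret) authentication."""
import hmac
import hashlib
import secrets

# Constructed sample: the verifier's copy of the shared secret S for one user.
USERS = {"alice": b"correct horse battery staple"}


def weak_login(user, secret, snooper):
    """Prover transmits S itself; whatever crosses the channel goes into `snooper`."""
    snooper.append(("weak", user, secret))          # S is now exposed to the snooper
    return hmac.compare_digest(USERS.get(user, b""), secret)


class Verifier:
    def __init__(self):
        self.pending = {}                            # user -> outstanding challenge

    def challenge(self, user):
        c = secrets.token_bytes(16)                  # fresh, unpredictable nonce per attempt
        self.pending[user] = c
        return c

    def verify(self, user, response):
        c = self.pending.pop(user, None)             # a challenge can be answered once
        if c is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user], c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def prove(secret, challenge):
    """Prover side: HMAC(S, challenge) demonstrates knowledge of S without sending S."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def strong_login(verifier, user, secret, snooper):
    c = verifier.challenge(user)
    r = prove(secret, c)
    snooper.append(("strong", user, c, r))           # all the channel exposes
    return verifier.verify(user, r)


def replay_attack(verifier, transcript):
    """Snooper replays a captured (challenge, response) pair in a new session."""
    _, user, _, old_response = transcript
    verifier.challenge(user)                         # verifier issues a NEW nonce...
    return verifier.verify(user, old_response)       # ...so the old response fails


def secret_exposed(snooper, secret):
    """Per protocol: did the secret S itself ever appear on the channel?"""
    out = {}
    for t in snooper:
        out[t[0]] = out.get(t[0], False) or (secret in t[1:])
    return out


if __name__ == "__main__":
    seen, v = [], Verifier()
    print("weak ok:", weak_login("alice", USERS["alice"], seen))
    print("strong ok:", strong_login(v, "alice", USERS["alice"], seen))
    print("replay ok:", replay_attack(v, seen[-1]))
    print("S exposed:", secret_exposed(seen, USERS["alice"]))
```

Two details matter in practice: the nonce must be unpredictable and single-use (otherwise a snooper can precompute or replay responses), and comparisons use `hmac.compare_digest` so the verifier does not leak the expected value through timing.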

Access Control

Access Control

• Protection objects: system resources for which protection is desirable
  – Memory, file, directory, hardware resource, software resources, etc.
• Subjects: active entities requesting access to resources
  – User, owner, program, etc.
• Access mode: type of access
  – Read, write, execute

Access Control

• Access control components:
  – Access control policy: specifies the authorized accesses of a system
  – Access control mechanism: implements and enforces the policy
• Separating the components allows us to:
  – Define access requirements independently from the implementation
  – Compare different policies
  – Implement mechanisms that can enforce a wide range of policies

Closed vs. Open Systems

Closed system (minimum privilege):
  Access request -> Does a rule for this access exist?
    yes -> Access permitted
    no  -> Access denied
  The rules list the allowed accesses.

Open system (maximum privilege):
  Access request -> Does a rule for this access exist?
    yes -> Access denied
    no  -> Access permitted
  The rules list the disallowed accesses.
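The policy/mechanism separation of the previous slide and the closed-vs-open decision above, as an added example that is not part of the slides. The policy is data (a rule set plus the system's default); the mechanism, `decide()`, only asks "does a rule exist?" and applies the default, so the same mechanism enforces both a closed and an open policy. The subjects, objects and rules are constructed sample data; the function `unlisted_default()` is named here for illustration and shows the security-relevant difference: what happens to a request no rule mentions, which is where a new user, a new file or a forgotten rule lands.

```python
"""One access control mechanism, two policies: closed (default deny) and open (default permit)."""
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str]   # (subject, object, access mode)


class Policy:
    def __init__(self, closed: bool, rules: Set[Rule]):
        self.closed = closed      # True: rules are permissions; False: rules are prohibitions
        self.rules = set(rules)

    def rule_exists(self, subject: str, obj: str, mode: str) -> bool:
        return (subject, obj, mode) in self.rules


def decide(policy: Policy, subject: str, obj: str, mode: str) -> bool:
    """The mechanism. It does not change when the policy does."""
    exists = policy.rule_exists(subject, obj, mode)
    # Closed system: permit iff a rule exists.  Open system: deny iff a rule exists.
    return exists if policy.closed else not exists


# Constructed policies over the same subjects and objects, with opposite defaults.
CLOSED = Policy(closed=True, rules={
    ("alice", "/etc/passwd", "read"),          # allowed accesses
    ("alice", "/home/alice/notes", "write"),
    ("backup", "/home/alice/notes", "read"),
})
OPEN = Policy(closed=False, rules={
    ("guest", "/etc/shadow", "read"),          # disallowed accesses
    ("guest", "/home/alice/notes", "write"),
})


def audit(policy: Policy, requests: List[Rule]) -> Dict[Rule, str]:
    """Decide a batch of requests, to compare two policies side by side."""
    return {r: ("permit" if decide(policy, *r) else "deny") for r in requests}


def unlisted_default(policy: Policy) -> str:
    """Outcome for a request that no rule mentions (hypothetical new user and service)."""
    return "permit" if decide(policy, "newuser", "/srv/new-service/config", "read") else "deny"


if __name__ == "__main__":
    reqs = [("alice", "/etc/passwd", "read"), ("alice", "/etc/shadow", "read"),
            ("guest", "/etc/shadow", "read"), ("guest", "/tmp/scratch", "write")]
    for name, pol in (("closed", CLOSED), ("open", OPEN)):
        print(name, audit(pol, reqs), "unlisted request ->", unlisted_default(pol))
```

The check a practitioner wants is the last line of output: under the closed policy an unanticipated request is denied, under the open policy it is permitted. That is why a closed (default-deny) system is the least-privilege choice and why an open system needs every prohibition spelled out in advance.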

Firewalls

Traffic Control – Firewall

[Diagram: External Network | Firewall | Private Network]

A firewall is a security wall between the private (protected) network and the outside world.

Firewall Objectives

• Keep intruders, malicious code and unwanted traffic or information out (external attacks)
• Keep proprietary and sensitive information in (proprietary data)

[Diagram: External Network | Firewall | Private Network]

Cryptography

- Secret-Key Encryption

- Public-Key Encryption

- Cryptographic Protocols

Insecure Communications

[Diagram: Sender -> insecure channel -> Recipient, with a Snooper on the channel; the message is confidential]

Encryption and Decryption

Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext

Conventional (Secret Key) Cryptosystem

Sender: C = E(K, M)        Recipient: M = D(K, C)

The same key K is used for encryption and decryption. K needs a secure channel: it must reach the recipient both secretly and unmodified.

Public Key Cryptosystem

Sender: C = E(Kpub, M)     Recipient: M = D(Kpriv, C)

The recipient's public key (Kpub) encrypts; the recipient's private key (Kpriv) decrypts. Kpub needs a reliable channel: it need not be secret, but the sender must be sure it really belongs to the recipient.

Cryptographic Protocols

• Messages should be transmitted to the destination
• Only the recipient should see it (confidentiality)
• Only the recipient should get it
• Proof of the sender's identity (authentication)
• Message shouldn't be corrupted in transit (integrity)
• Message should be sent/received once only (no replay)
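The protocol goals above, checked on the wire, as an added example that is not part of the slides. It uses the secret-key model of the earlier slide: sender and recipient share K_ENC and K_MAC, which are assumed to have been exchanged over a secure channel. Confidentiality comes from XOR with an HMAC-SHA256 keystream in counter mode, chosen only so the example runs on the Python standard library (a deployed system would use an authenticated cipher such as AES-GCM); authenticity and integrity come from an HMAC tag over the sequence number and ciphertext; replay is caught by a strictly increasing sequence number. Keys, messages, and the function names `seal`, `receive` and `tamper` are constructed for the demonstration.

```python
"""Confidentiality, integrity/authenticity and replay protection over one insecure channel."""
import hmac
import hashlib
import struct

K_ENC = b"\x01" * 32        # constructed keys; real ones come from a CSPRNG and a key exchange
K_MAC = b"\x02" * 32
TAG_LEN = 32                # SHA-256 output


def keystream(key, seq, n):
    """HMAC in counter mode as a PRF: keystream depends on the key and the message sequence number."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(seq, plaintext):
    """Sender: C = E(K, M); tag = MAC(K_mac, seq || C).  Wire format: seq || C || tag."""
    c = xor(plaintext, keystream(K_ENC, seq, len(plaintext)))
    hdr = struct.pack(">Q", seq)
    tag = hmac.new(K_MAC, hdr + c, hashlib.sha256).digest()
    return hdr + c + tag


class Recipient:
    def __init__(self):
        self.last_seq = -1

    def receive(self, wire):
        """Returns the plaintext, or a string naming the protocol goal that was violated."""
        if len(wire) < 8 + TAG_LEN:
            return "malformed"
        hdr, c, tag = wire[:8], wire[8:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(K_MAC, hdr + c, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # verify BEFORE decrypting
            return "integrity/authenticity failed"     # corrupted in transit or forged
        seq = struct.unpack(">Q", hdr)[0]
        if seq <= self.last_seq:
            return "replay detected"                   # received once only
        self.last_seq = seq
        return xor(c, keystream(K_ENC, seq, len(c)))


def tamper(wire, pos):
    """Snooper flips the low bit of ciphertext byte `pos` (offset from ciphertext start)."""
    b = bytearray(wire)
    b[8 + pos] ^= 0x01
    return bytes(b)


def decrypt_ignoring_tag(wire):
    """What a recipient that skipped the MAC check would accept: shows the malleability."""
    seq = struct.unpack(">Q", wire[:8])[0]
    c = wire[8:-TAG_LEN]
    return xor(c, keystream(K_ENC, seq, len(c)))


def demo():
    r = Recipient()
    m1 = seal(1, b"transfer 100 to bob")
    results = [r.receive(m1)]                  # genuine message -> plaintext
    results.append(r.receive(m1))              # snooper replays it -> rejected
    m2 = seal(2, b"transfer 100 to bob")
    results.append(r.receive(tamper(m2, 11)))  # bit flip on the last '0' -> rejected by the tag
    results.append(r.receive(m2))              # the untampered copy still goes through
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
    print(decrypt_ignoring_tag(tamper(seal(2, b"transfer 100 to bob"), 11)))
```

The last print is the caveat the slides' picture hides: encryption alone gives confidentiality but not integrity. A stream-cipher ciphertext is malleable, so flipping one bit turns "100" into "101" for a recipient that does not check the tag, which is why the tag is verified first and the message is discarded on mismatch.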

Detection/Response

Misuse Prevention

• Prevention techniques: first line of defense
• Secure local and network resources
• Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.

Problem: losses still occur!

Intrusion Management

• Intrusion Prevention: protect system resources
• Intrusion Detection (second line of defense): discriminate intrusion attempts from normal system usage
• Intrusion Recovery: cost-effective recovery models

Anomaly versus Misuse

[Diagram: 2x2 grid of observed behavior (looks like NORMAL behavior / does NOT look like NORMAL behavior) against actual use (non-intrusive use / intrusive use)]

• False negative: non-anomalous but intrusive activities (the intrusion looks like normal behavior and is missed)
• False positive: non-intrusive but anomalous activities (legitimate use that does not look like normal behavior is flagged)
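An anomaly detector and a misuse (signature) detector run over the same sample, as an added example that is not part of the slides. The anomaly side learns what "normal" looks like from a known-good baseline (which user logs in from which address, at which hours) and flags successful logins that deviate; the misuse side knows nothing about normal and matches known-bad patterns (a burst of failed logins for invalid users from one address, any interactive root login). The sshd-style log lines, the baseline, the ground-truth labels and the rules are constructed; the point is the confusion matrix at the end, where each detector shows a false negative or false positive the other does not.

```python
"""Anomaly vs misuse detection over constructed sshd log lines, scored against ground truth."""
import re
from collections import defaultdict

LINE = re.compile(r"^\w{3} \d{2} (\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: (.*)$")
ACCEPT = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
INVALID = re.compile(r"Failed password for invalid user \S+ from (\S+)")

# Constructed known-good traffic used to learn the anomaly baseline.
BASELINE = [
    "Mar 01 09:02:11 gw sshd[101]: Accepted password for alice from 10.0.0.5 port 50211 ssh2",
    "Mar 01 10:15:40 gw sshd[102]: Accepted password for alice from 10.0.0.5 port 50300 ssh2",
    "Mar 01 14:30:02 gw sshd[103]: Accepted password for alice from 10.0.0.5 port 50412 ssh2",
    "Mar 01 08:45:19 gw sshd[104]: Accepted publickey for bob from 10.0.0.7 port 41022 ssh2",
    "Mar 01 13:05:51 gw sshd[105]: Accepted publickey for bob from 10.0.0.7 port 41090 ssh2",
]
# Constructed evaluation traffic with ground truth (True = intrusive) we would not have in production.
EVAL = [
    ("Mar 02 09:10:03 gw sshd[201]: Accepted password for alice from 10.0.0.5 port 50511 ssh2", False),
    ("Mar 02 03:12:44 gw sshd[202]: Accepted password for alice from 203.0.113.9 port 60001 ssh2", True),  # stolen credential
    ("Mar 02 22:48:09 gw sshd[203]: Accepted publickey for bob from 10.0.0.7 port 41133 ssh2", False),     # bob working late
    ("Mar 02 23:01:10 gw sshd[204]: Failed password for invalid user admin from 198.51.100.4 port 33012 ssh2", True),
    ("Mar 02 23:01:12 gw sshd[205]: Failed password for invalid user test from 198.51.100.4 port 33013 ssh2", True),
    ("Mar 02 23:01:15 gw sshd[206]: Failed password for invalid user oracle from 198.51.100.4 port 33014 ssh2", True),
    ("Mar 02 23:30:00 gw sshd[207]: Accepted password for root from 10.0.0.5 port 50777 ssh2", True),
]


def parse(line):
    m = LINE.match(line)
    if m is None:
        raise ValueError("unrecognised line: " + line)
    hour, msg = int(m.group(1)), m.group(2)
    a = ACCEPT.search(msg)
    if a:
        return {"kind": "accept", "user": a.group(1), "src": a.group(2), "hour": hour}
    i = INVALID.search(msg)
    if i:
        return {"kind": "invalid", "user": None, "src": i.group(1), "hour": hour}
    return {"kind": "other", "user": None, "src": None, "hour": hour}


def build_baseline(lines):
    """Anomaly model: (user, source) pairs and login hours seen in known-good sessions."""
    pairs, hours = set(), defaultdict(set)
    for e in map(parse, lines):
        if e["kind"] == "accept":
            pairs.add((e["user"], e["src"]))
            hours[e["user"]].add(e["hour"])
    return pairs, dict(hours)


def anomaly_detect(baseline, events):
    """Flag a successful login that does NOT look like normal behavior for that user."""
    pairs, hours = baseline
    return [e["kind"] == "accept" and ((e["user"], e["src"]) not in pairs
                                       or e["hour"] not in hours.get(e["user"], set()))
            for e in events]


def misuse_detect(events, threshold=3):
    """Flag known-bad patterns regardless of any notion of normal."""
    invalid_by_src = defaultdict(int)
    for e in events:
        if e["kind"] == "invalid":
            invalid_by_src[e["src"]] += 1
    return [(e["kind"] == "invalid" and invalid_by_src[e["src"]] >= threshold)   # brute-force signature
            or (e["kind"] == "accept" and e["user"] == "root")                   # forbidden root login
            for e in events]


def confusion(flags, truth):
    c = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for flagged, intrusive in zip(flags, truth):
        c[("TP" if intrusive else "FP") if flagged else ("FN" if intrusive else "TN")] += 1
    return c


def evaluate():
    events = [parse(line) for line, _ in EVAL]
    truth = [intrusive for _, intrusive in EVAL]
    return {"anomaly": confusion(anomaly_detect(build_baseline(BASELINE), events), truth),
            "misuse": confusion(misuse_detect(events), truth)}


if __name__ == "__main__":
    for name, c in evaluate().items():
        print(name, c)
```

Read the two rows together: the anomaly detector catches the stolen credential used from a new address at 03:00 (no signature exists for that) but raises a false positive on bob's late-night session and misses the brute-force attempt entirely, because it only profiles successful sessions; the signature detector catches the brute force and the root login with no false positives but is blind to the credential theft. Neither quadrant of the slide's grid is empty for either approach, which is the argument for running both.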

Malicious Code Detection

• Virus and worm
• Programming flaws
• Application-specific code
  – Distributed, heterogeneous platforms
  – Complex applications
• Security applications vs. secure applications
  – Build security into the system

Response/Tolerance

Incident Response

• Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf
• Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20Response%20Teams.ppt
• NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html

Intrusion Recovery

• Actions to avoid further loss from the intrusion
• Terminate the intrusion and protect against recurrence
• Law enforcement
• Enhance defensive security
• Reconstructive methods based on:
  – Time period of the intrusion
  – Changes made by legitimate users during the affected period
  – Regular backups, audit-trail-based detection of affected components, semantics-based recovery, minimal roll-back for recovery
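Audit-trail-based detection of affected components and minimal roll-back, as an added example that is not part of the slides. Given the read/write log and the transaction(s) identified as the intrusion, `affected()` follows read-from dependencies forward to find every later transaction whose results were computed from the intruder's data, and `minimal_rollback()` undoes exactly those writes from their before-images, newest first, leaving the work of unaffected legitimate users intact. `restore_from_backup()` is the alternative the slide lists: it is simpler but discards every legitimate change made during the affected period. The log, its values and the function names are constructed; it also handles the one edge case that makes naive undo wrong, a clean transaction that later blindly overwrote a tainted item.

```python
"""Dependency-based intrusion recovery: find the tainted transactions, undo only those."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entry:
    tid: str          # transaction id
    op: str           # "r" (read) or "w" (write)
    item: str
    value: int        # value read, or value written
    before: int = 0   # before-image; meaningful for writes only


# Constructed audit trail in commit order. T2 is the intrusion; T3 reads what T2 wrote
# and T5 reads what T3 wrote (both depend on the intrusion); T4 is unrelated legitimate
# work; T6 blindly overwrites a tainted item without reading it, so its value is clean.
LOG = [
    Entry("T1", "w", "balance_alice", 100, before=90),
    Entry("T2", "w", "balance_alice", 1000, before=100),   # intruder inflates the balance
    Entry("T3", "r", "balance_alice", 1000),
    Entry("T3", "w", "credit_limit", 5000, before=500),    # computed from the tainted read
    Entry("T4", "w", "balance_bob", 40, before=30),
    Entry("T5", "r", "credit_limit", 5000),
    Entry("T5", "w", "loan_approved", 1, before=0),
    Entry("T6", "w", "credit_limit", 800, before=5000),    # blind write by an unaffected user
]


def affected(log: List[Entry], intruders: Set[str]) -> Set[str]:
    """The intrusion plus every transaction that (transitively) read its output."""
    tainted_tx = set(intruders)
    tainted_items = set()
    for e in log:                       # one pass suffices: the log is in commit order
        if e.tid in tainted_tx:
            if e.op == "w":
                tainted_items.add(e.item)
        elif e.op == "r" and e.item in tainted_items:
            tainted_tx.add(e.tid)       # read-from dependency: this transaction is now tainted
        elif e.op == "w":
            tainted_items.discard(e.item)   # a clean blind overwrite removes the taint
    return tainted_tx


def current_state(log: List[Entry]) -> Dict[str, int]:
    state = {}
    for e in log:
        if e.op == "w":
            state[e.item] = e.value
    return state


def minimal_rollback(log: List[Entry], intruders: Set[str]) -> Tuple[Set[str], Dict[str, int]]:
    """Undo affected writes from before-images, newest first; keep everything else."""
    bad = affected(log, intruders)
    state = current_state(log)
    overwritten_by_clean = set()        # items a later clean write has already replaced
    for e in reversed(log):
        if e.op != "w":
            continue
        if e.tid in bad:
            if e.item not in overwritten_by_clean:
                state[e.item] = e.before
        else:
            overwritten_by_clean.add(e.item)   # do not clobber this with an older before-image
    return bad, state


def restore_from_backup(log: List[Entry], intrusion_start: int) -> Dict[str, int]:
    """The alternative: state as of a backup taken just before the intrusion began."""
    return current_state(log[:intrusion_start])


if __name__ == "__main__":
    bad, state = minimal_rollback(LOG, {"T2"})
    print("affected:", sorted(bad))
    print("after minimal rollback:", state)
    print("after backup restore:  ", restore_from_backup(LOG, 1))
```

The two last lines of output show the cost difference the slide points at: minimal roll-back reverts the inflated balance, the tainted credit limit decision and the loan approval, but keeps bob's balance update (T4) and the clean credit-limit write (T6), whereas the backup restore loses both. The method depends on the audit trail recording reads as well as writes; with write-only logs the dependency closure cannot be computed and everything after the intrusion must be treated as suspect.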

What is "Survivability"?

To decide whether a computer system is "survivable", you must first decide what "survivable" means.

Effect Modeling and Vulnerability Detection

[Diagram: cascading effects of an intrusion across seriously affected, weakly affected, and not affected components]

Due Care and Liability

• Organizational liability for misuse
  – US Federal Sentencing Guidelines: the chief executive officer and top management are responsible for fraud, theft, and antivirus violations committed by insiders or outsiders using the company's resources.
  – Fines and penalties
    • Base fine
    • Culpability score (95%-400%)
  – Good-faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations

How to Respond?

[Three image slides; no text recoverable]

Roles and Responsibilities

• User:
  – Vigilant for unusual behavior
  – Report incidents
• Manager:
  – Awareness training
  – Policies and procedures
• System administration:
  – Install safeguards
  – Monitor the system
  – Respond to incidents, including preservation of evidence

Computer Incident Response Team

• Assist in handling security incidents
  – Formal
  – Informal
• Incident reporting and dissemination of incident information
• Computer Security Officer
  – Coordinates computer security efforts
• Others: law enforcement coordinator, investigative support, media relations, etc.

Incident Response Process 1: Preparation

– Baseline protection
– Planning and guidance
– Roles and responsibilities
– Training
– Incident response team

Incident Response Process 2: Identification and Assessment

– Symptoms
– Nature of the incident
  • Identify the perpetrator, origin and extent of the attack
  • Can be done during the attack or after the attack
– Gather evidence
  • Keystroke monitoring, honeynets, system logs, network traffic, etc.
  • Mind the legislation on monitoring!
– Report on preliminary findings

Incident Response Process 3: Containment

– Reduce the chance of the incident spreading
– Determine sensitive data
– Terminate suspicious connections, personnel, applications, etc.
– Move critical computing services
– Handle human aspects, e.g., perception management, panic, etc.

Incident Response Process 4: Eradication

– Determine and remove the cause of the incident if economically feasible
– Improve defenses: software, hardware, middleware, physical security, etc.
– Increase awareness and training
– Perform vulnerability analysis

Incident Response Process 5: Recovery

– Determine course of action
– Reestablish system functionality
– Reporting and notifications
– Documentation of incident handling and evidence preservation

Follow-Up Procedures

• Incident evaluation:
  – Quality of the incident response (preparation, time to respond, tools used, evaluation of the response, etc.)
  – Cost of the incident (monetary cost, disruption, lost data, hardware damage, etc.)
• Prepare the report
• Revise policies and procedures

Questions?