CPSC 257: Information Security in the Real World
Ewa Syta
January 21, 2016
CPSC 257 January 21, 2016 1 / 35
1 Essentials of Information Security
2 Real-world adversaries and their attacks
Essentials of Information Security
Achieving Security
In an ideal world, we would like to achieve perfect security of information.
It is impossible to protect everything against every attacker under all circumstances while maintaining usability (the utility of the system).
Simplistic Approach
Goal: We want to protect the password.
(Figure: a client sends its password to a server.)
Simplistic Approach
How: Use strong encryption to encrypt the password.
(Figure: the client sends the password to the server, this time encrypted in transit.)
The Reality
So much more going on!
(Figure: the same client and server, now drawn with the rest of the system around them: a password-recovery path, and the weak password “psw1” itself.)
Achieving Security
Security is a trade-off between what we want to achieve and what we can achieve.
• Make the system as secure as possible.
  • What does that even mean?
• Make the system as secure as possible given our constraints:
  • Value of assets
  • Risk tolerance
  • Cost
  • Usability and convenience
  • Legal obligations
Achieving Security
Security is about risk management.
• Identify specific risks to assets.
• Identify the level of risk tolerance.
• Identify appropriate protections to reduce or remove risks.
• Identify and accept responsibility for untreatable residual risks.
Cost-Benefit Analysis
In the real world, everything is about making the best possible choice: balancing costs and benefits.
• Evaluate what level of security is necessary, appropriate, or desirable.
• From the adversary’s perspective:
  • Cost of launching a particular attack vs. value of the attack to the adversary.
• From the company’s perspective:
  • Cost of damages from an attack vs. cost of defending against the attack.
  • Likelihood of a particular attack.
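The risk-management and cost-benefit steps above can be carried out numerically. The following is an added example, not from the lecture: it applies the standard annualized loss expectancy model (ALE = single loss expectancy × annual rate of occurrence) to a constructed risk register, picks for each risk the protection whose avoided loss exceeds its yearly cost, and flags the residual risks that still exceed a stated tolerance and therefore need someone to explicitly accept them. Every asset, value, rate, control and reduction factor is assumed for illustration.

```python
"""Quantitative risk management: which protections pay for themselves?

Added example (not from the lecture slides). Uses the standard
annualized-loss-expectancy model: ALE = SLE x ARO, where SLE is the cost
of a single loss event and ARO is how often it is expected per year.
All risks, controls, values, rates and reduction factors are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # SLE: cost of damages from one occurrence of the attack
    annual_rate: float   # ARO: expected occurrences per year (likelihood)

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly cost if left untreated."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    risk: str            # name of the Risk this control addresses
    annual_cost: float   # cost of defending against the attack, per year
    reduction: float     # fraction of the ALE the control removes (0..1)


# Constructed risk register for a small e-commerce company (assumed numbers).
RISKS = [
    Risk("phishing", single_loss=50_000, annual_rate=2.0),          # ALE 100k
    Risk("ddos", single_loss=200_000, annual_rate=0.1),             # ALE 20k
    Risk("insider_theft", single_loss=500_000, annual_rate=0.05),   # ALE 25k
]
CONTROLS = [
    Control("awareness_training", "phishing", annual_cost=20_000, reduction=0.6),
    Control("mfa", "phishing", annual_cost=30_000, reduction=0.9),
    Control("ddos_scrubbing", "ddos", annual_cost=50_000, reduction=0.9),
    Control("dlp", "insider_theft", annual_cost=40_000, reduction=0.5),
]


def net_benefit(risk: Risk, control: Control) -> float:
    """Yearly loss avoided by the control minus its yearly cost."""
    return risk.ale() * control.reduction - control.annual_cost


def evaluate(risks, controls, tolerance):
    """Choose, per risk, the control with the best positive net benefit.

    Returns (chosen, residual, needs_acceptance):
      chosen           -> {risk name: control name} for controls worth buying
      residual         -> {risk name: residual ALE after the chosen control}
      needs_acceptance -> risks whose residual ALE still exceeds `tolerance`
                          and must be explicitly accepted (or escalated)
    """
    chosen, residual, needs_acceptance = {}, {}, []
    for risk in risks:
        candidates = [c for c in controls if c.risk == risk.name]
        best = max(candidates, key=lambda c: net_benefit(risk, c), default=None)
        if best is not None and net_benefit(risk, best) > 0:
            chosen[risk.name] = best.name
            residual[risk.name] = risk.ale() - risk.ale() * best.reduction
        else:
            # Defending costs more than it saves: leave the risk untreated.
            residual[risk.name] = risk.ale()
        if residual[risk.name] > tolerance:
            needs_acceptance.append(risk.name)
    return chosen, residual, needs_acceptance


if __name__ == "__main__":
    chosen, residual, accept = evaluate(RISKS, CONTROLS, tolerance=15_000)
    for r in RISKS:
        print(f"{r.name:14s} ALE {r.ale():>9,.0f}  "
              f"control {chosen.get(r.name, '-'):18s} "
              f"residual {residual[r.name]:>9,.0f}")
    print("residual risks above tolerance, needing explicit acceptance:", accept)
```

With these numbers MFA beats awareness training for phishing (it avoids more loss per dollar), DDoS scrubbing and DLP are rejected because they cost more per year than the loss they would prevent, and the two untreated risks land above the 15,000 tolerance, which is exactly the "identify and accept responsibility for residual risks" step: the model does not make that risk disappear, it only makes the decision visible.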
Information as an Asset
Information is a strategic business asset.
• Transaction information.
• Client information.
• Proprietary information.
Example: Amazon
• Type of information.
• Value (cost of loss).
Security Mindset
Security is not a product, it is a process.
We need to learn to think with a “security mindset”.
• How could this system be attacked?
• Who could attack this system?
• Are they likely to attack the system?
• What is the weakest point of attack?
• How could this system be defended?
• How effective will a given countermeasure be?
• What is the trade-off between security, cost, and usability?
Security Mindset
You see an advertisement for a new product. What is your reaction?
“Wow! This is such a cool product. I can’t wait to use it!!!”
“Wow! This is a neat product, but I wonder what the potential consequences of using it are. Does it work as advertised? Is it safe? Can something go wrong while using it? Can someone else exploit it?”
Example: Nest Learning Thermostat
YouTube: How Nest Learning Thermostat Learns
Security of an Information System
We cannot protect information on its own.
You need to look at the entire system within which the information exists.
A system is only as strong as its weakest component.
Analyzing the security of IS
• Understand the system and its components.
• Identify assets.
• Identify vulnerabilities.
• Identify attacks.
• Identify adversaries.
Assets
You need to know what there is to protect.
You need to know what is worth protecting.
Vulnerabilities
Vulnerabilities are weaknesses that could be exploited to cause damage to assets.
• Bad passwords
• Buggy software
• Untrained employees
• Lack of encryption
Attacks
Attacks are ways of exploiting a vulnerability.
• Bad passwords: using password crackers.
• Buggy software: launching an SQL injection attack.
• Untrained employees: tricking them to share their credentials.
• Lack of encryption: eavesdropping on communications.
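To make the vulnerability/attack pairs concrete, here is an added example (not from the lecture) that runs two of them end to end in Python: a dictionary attack against a SHA-256 password hash, showing why a weak password like “psw1” falls even when the server hashes it, and a SQL injection against a login query that pastes user input into the SQL text, shown beside the parameterized query that fixes it. The word list, user table and injection payload are constructed, and SQLite stands in for whatever database a real server would use.

```python
"""Two vulnerability/attack pairs from the slide, run end to end.

Added example (not from the lecture). The word list and the user table
are constructed; SHA-256 stands in for the server's password hash and
SQLite for its database so that everything runs offline.
"""
import hashlib
import sqlite3

# ---- Bad passwords -> password cracker -------------------------------------
# Constructed "leaked" word list; a real cracker uses millions of entries.
WORDLIST = ["123456", "password", "qwerty", "psw1", "letmein", "welcome1"]


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack(stored_hash: str, wordlist=WORDLIST):
    """Dictionary attack: hash each candidate and compare with the stored hash.

    Returns the recovered password, or None if it is not in the word list.
    Hashing does not rescue a password that an attacker can simply guess.
    """
    for candidate in wordlist:
        if sha256_hex(candidate) == stored_hash:
            return candidate
    return None


# ---- Buggy software -> SQL injection ---------------------------------------
def build_db() -> sqlite3.Connection:
    """Constructed user table with one weak and one strong password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", sha256_hex("psw1")),
                      ("bob", sha256_hex("correct horse battery staple"))])
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    # BUG: user input is pasted straight into the SQL text, so a quote in
    # the name ends the string literal and the rest becomes SQL.
    query = (f"SELECT 1 FROM users WHERE name = '{name}' "
             f"AND pw_hash = '{sha256_hex(password)}'")
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, name: str, password: str) -> bool:
    # Parameterized query: the driver passes the input as data, never as SQL.
    query = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(query, (name, sha256_hex(password))).fetchone() is not None


# Classic payload: closes the name string and comments out the password check,
# turning the query into  ... WHERE name = 'alice' -- ' AND pw_hash = '...'
INJECTION = "alice' --"

if __name__ == "__main__":
    print("cracked alice's hash:", crack(sha256_hex("psw1")))
    print("cracked bob's hash:  ", crack(sha256_hex("correct horse battery staple")))
    conn = build_db()
    print("vulnerable login with injection:", login_vulnerable(conn, INJECTION, "x"))
    print("fixed login with injection:     ", login_fixed(conn, INJECTION, "x"))
```

Two things worth noticing: the fix for the injection is not input filtering but keeping code and data separate (the parameterized query), and neither fix helps alice, whose “psw1” is recovered from its hash in a handful of guesses. Both weaknesses sit in the same login path, which is the "weakest component" point of the earlier slides.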
Attacks
There are several ways to classify attacks.
By damage to the assets
• Confidentiality, integrity, availability.
By the source of the attack
• Insider vs outsider, local vs remote.
By the actions
• Interception, interruption, modification, fabrication.
Real-world adversaries and their attacks
Adversaries
Adversaries are entities that may carry out attacks.
• Hackers
• Governments
• Terrorists
• Competitors
• Clients
• Employees
Adversaries
An adversary must have three things:
• Method: the skills, knowledge, tools, and resources.
• Opportunity: the time and access to accomplish the attack.
• Motive: a reason to want to perform this attack against this system.
Classification of Adversaries (image source: TIM Review)
Actions and Motivations of Adversaries (image source: TIM Review)
• Political: destroying, disrupting, or taking control of targets; espionage; and making political statements, protests, or retaliatory actions.
• Economic: theft of intellectual property or valuable assets (e.g., funds, credit card information); fraud; industrial espionage and sabotage; and blackmail.
• Socio-cultural: philosophical, theological, political, and even humanitarian goals; curiosity; and a desire for publicity or ego gratification.
Modern Adversaries
All types of adversaries are often referred to as hackers.
Black Hat is an annual conference that brings together a variety of people interested in information security:
• Representatives of government agencies,
• Representatives of corporations,
• Hackers.
Thycotic surveyed 127 self-identified hackers at the 2014 Black Hat event.
Motivation (image source: Thycotic Black Hat 2014 Report)
Consequences (image source: Thycotic Black Hat 2014 Report)
Targeted Employees (image source: Thycotic Black Hat 2014 Report)
Old tricks still work (image source: Thycotic Black Hat 2014 Report)
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
They are worried too (image source: Thycotic Black Hat 2014 Report)
Real-World Security Breaches by Motivation
By another government.
• In November 2014, Sony Pictures was hacked.
• A group called “The Guardians of Peace” took responsibility, citing the release of “The Interview”, a comedy about an assassination of Kim Jong Un, the leader of North Korea.
• In December 2014, the FBI attributed the attack to the North Korean government.
• The incident was labeled as cyberwarfare.
Real-World Security Breaches by Motivation
By hackers whose motivation was financial.
• Between late November and mid-December 2013, Target was hacked; the breach was disclosed in December 2013 and its full scope in January 2014.
• Hackers stole payment-card data (card numbers, expiration dates, card verification values and encrypted PIN data) for about 40 million accounts, plus names, addresses, phone numbers and e-mail addresses of up to 70 million customers.
By hackers whose motivation was political.
• In June 2015, Canadian government websites were taken down.
• A group called “Anonymous” claimed responsibility for a denial-of-service attack against Canadian government websites, in protest of the passage of Bill C-51, anti-terror legislation that grants additional powers to Canadian intelligence agencies.
Real-World Security Breaches by Motivation
By dishonest employees.
• In January 2014, Korea Credit Bureau’s data was leaked.
• An employee of KCB was arrested and accused of stealing 20 million customer records from three credit card firms while working for them as a temporary consultant.
By employee error.
• In March 2015, it became public that the Australian Immigration Department had accidentally revealed personal data of world leaders.
• An employee of the agency had inadvertently e-mailed the passport numbers, visa details and other personal identifiers of all world leaders attending the G20 Brisbane summit to the organizers of the Asian Cup football tournament.
• Barack Obama, Angela Merkel, Vladimir Putin, David Cameron and many others were affected.