Page 1: INFORMATION WARFARE Part 1: Fundamentals

1-1/29 Copyright © 2006 M. E. Kabay. All rights reserved. 08:15-09:00

INFORMATION WARFARE

Part 1: Fundamentals

Advanced Course in Engineering, 2006 Cyber Security Boot Camp

Air Force Research Laboratory Information Directorate, Rome, NY

M. E. Kabay, PhD, CISSP-ISSMP, Assoc. Prof. Information Assurance

Program Direction, MSIA & BSIA Division of Business & Management, Norwich University

Northfield, Vermont mailto:[email protected] V: 802.479.7937

Page 2

Topics

08:00-08:15 Introductions & Overview
08:15-09:00 Fundamental Concepts
09:05-10:25 INFOWAR Theory
10:35-11:55 Case Histories & Scenarios

Page 3

Part 1: Fundamental Concepts

• Fundamental Elements of INFOSEC
• Sources of Damage to IT
• Risk Categories
• Taxonomy for Computer Incidents

Page 4

Fundamental Elements of INFOSEC:

Protect the 6 atomic elements of information security (not just the 3 of the classical C-I-A triad):

• Confidentiality (C)
• Possession or control
• Integrity (I)
• Authenticity
• Availability (A)
• Utility

Page 5

Confidentiality

• Restricting access to data
• Protecting against unauthorized disclosure of the existence of data
  E.g., allowing an industrial spy to deduce the nature of the clientele by looking at directory names
• Protecting against unauthorized disclosure of the details of data
  E.g., allowing a 13-yr-old girl to examine HIV+ records in a Florida clinic

Page 6

Possession

• Control over information
• Preventing physical contact with data
  E.g., the case of a thief who recorded ATM PINs by radio (but never looked at them)
• Preventing copying or unauthorized use of intellectual property
  E.g., violations by software pirates

Page 7

Integrity

• Internal consistency, validity, fitness for use
• Avoiding physical corruption
  E.g., database pointers trashed or data garbled
• Avoiding logical corruption
  E.g., inconsistencies between the order header's total sale and the sum of the costs of the detail lines

Page 8

Authenticity

• Correspondence to intended meaning
• Avoiding nonsense
  E.g., the part-number field actually contains a cost
• Avoiding fraud
  E.g., the sender's name on an e-mail is changed to someone else's
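The Integrity and Authenticity slides above draw a line that is easy to blur in practice: integrity is internal consistency of the record (the header total must equal the sum of its details), while authenticity is correspondence between the record and what it claims to be (fields carry the intended kind of value, and the named sender really produced it). The following Python script is an added example, not material from the deck; the order layout, the part-number format, the field names and the shared HMAC key are all constructed for illustration. It runs both checks on a constructed order record and shows each slide example failing its own check and not the other.

```python
import hashlib
import hmac
import json
import re
from decimal import Decimal

# Constructed for illustration; a real key would come from a key store, not source code.
KEY = b"shared-secret-for-illustration-only"
# Assumed part-number format: two letters, a hyphen, four digits.
PART_NO = re.compile(r"[A-Z]{2}-\d{4}")

# Constructed sample record: an order header with a total and two detail lines.
ORDER = {
    "sender": "clerk@example.com",
    "order_id": 1001,
    "items": [
        {"part_no": "AB-1234", "qty": 2, "unit_cost": "10.50"},
        {"part_no": "CD-0042", "qty": 1, "unit_cost": "4.25"},
    ],
    "total": "25.25",
}


def canonical(order):
    """Deterministic bytes for the record so the tag does not depend on key order."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag_for(order, key=KEY):
    """HMAC-SHA256 over the canonical record, computed by the legitimate sender."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def check_integrity(order):
    """Integrity = internal consistency: the header total must equal the sum of the details.
    Returns a list of problems; an empty list means the record is consistent."""
    line_sum = sum(
        (Decimal(item["qty"]) * Decimal(item["unit_cost"]) for item in order["items"]),
        Decimal(0),
    )
    if line_sum != Decimal(order["total"]):
        return [f"header total {order['total']} != sum of details {line_sum}"]
    return []


def check_authenticity(order, tag, key=KEY):
    """Authenticity = the record means what it claims: each field holds the intended
    kind of value, and the declared sender really produced the record."""
    problems = []
    for item in order["items"]:
        if not PART_NO.fullmatch(str(item["part_no"])):
            problems.append(f"part_no {item['part_no']!r} is not a part number (nonsense field)")
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(tag_for(order, key), tag):
        problems.append("tag mismatch: record or its sender field changed after it was tagged")
    return problems


def altered(order, **changes):
    """Deep copy of the record with the given top-level fields replaced."""
    copy = json.loads(json.dumps(order))
    copy.update(changes)
    return copy


def demonstrate():
    """Apply both checks to the clean record and to the three slide examples."""
    tag = tag_for(ORDER)
    garbled = altered(ORDER, total="30.00")              # logical corruption (Integrity slide)
    spoofed = altered(ORDER, sender="cfo@example.com")   # sender changed (Authenticity slide)
    bad_items = [dict(ORDER["items"][0], part_no="10.50")] + ORDER["items"][1:]
    nonsense = altered(ORDER, items=bad_items)           # a cost where a part number belongs
    return {
        "clean": (check_integrity(ORDER), check_authenticity(ORDER, tag)),
        "garbled": check_integrity(garbled),
        "spoofed": check_authenticity(spoofed, tag),
        "nonsense": check_authenticity(nonsense, tag),
    }


if __name__ == "__main__":
    for name, verdict in demonstrate().items():
        print(f"{name:9s} {verdict}")
```

Run it directly to see the four verdicts. The HMAC tag proves only that the record came from a holder of the shared key; it says nothing about whether the numbers inside are consistent with each other, which is exactly why the two checks are kept separate and why a tagged record can still fail integrity.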

Page 9

Availability

• Timely access to data
• Avoid delays
  E.g., prevent system crashes & arrange for recovery plans
• Avoid inconvenience
  E.g., prevent mislabelling of files

Page 10

Utility

• Usefulness for specific purposes
• Avoid conversion to a less useful form
  E.g., replacing dollar amounts by foreign-currency equivalents
• Prevent impenetrable coding
  E.g., an employee encrypts source code and "forgets" the decryption key

Page 11

Rough Guesses About Sources of Damage to IT

See CSH4 (Computer Security Handbook, 4th ed.), Ch. 4, "Studies and Surveys of Computer Crime."
Also http://www2.norwich.edu/mkabay/methodology/crime_stats_methods.htm

Page 12

Risk Categories*

Physical Attempts to gain control (physical intrusion)

Electronic Attempts to gain control (malicious hacking)

Execution of Arbitrary Code (viruses, trojans, ActiveX, Java, ...)

Spoofing (lying about who you are -- users, sites, devices)

Eavesdropping (sniffing, wiretapping of data, passwords ...)

________

* ICSA Risk Framework

Page 13

Risk Categories (Cont’d)

Lack of Knowledge / Awareness (admin., users, outside errors)

Lack of Trust, Confidence (IT, users, disgruntled… )

Denial of service (down time: electronic DoS, disasters, reliability)

Exploitation of User by Site (privacy, swindles….)

Exploitation of the data subject (privacy, confidentiality, non-user)

Lack of Interoperability

Page 14

Taxonomy for Computer Security Incidents

• What is a Common Descriptive Language?
• What is a Taxonomy?
• Why a Language/Taxonomy for Computer Crime?
• The Model as a Whole
• Actions
• Targets
• Events
• Vulnerability
• Tool
• Unauthorized Result
• Objectives
• Attackers

Page 15

What is a Common Descriptive Language?

• Set of terms that experts agree on in a field
• Clear definitions to the extent possible
  Precise
  Unambiguous
  Easy to determine in the field
• A common language does not necessarily imply a causal or structural model
• Provides a means of communication among experts
• Supports analysis

Page 16

What is a Taxonomy?

• Structure relating terms in the common language
• Permits classification of phenomena
• Expresses (a) model(s) of the underlying phenomena
• Supports hypothesis-building
• Supports collection and analysis of statistical information

Page 17

Why a Language/Taxonomy for Computer Crime?

• Field of information assurance growing
  More people
  Less common experience
  Growing variability in meaning of terms
• What's wrong with ambiguous terminology?
  Can cause confusion: talking at cross-purposes
  Can mislead investigators and others
  Wastes time in clarification, time after time
  Interferes with data-gathering
  Makes comparisons and tests difficult or impossible

Page 18

The Model as a Whole (see full-page printout at end)

Page 19

Actions

• Probe / scan
• Flood
• Authenticate / Bypass / Spoof
• Read / Copy / Steal
• Modify / Delete

Page 20

Targets

Analyze the following real cases and identify the target(s) in the events:

• A criminal inserts a Trojan Horse into a production system; it logs keystrokes
• A criminal hacker defaces a Web page
• An attacker launches millions of spurious packets addressed to a particular e-commerce server
• The Morris Worm of November 1988 takes down 9,000 computers on the Internet

Page 21

Events

An event consists of an action taken against a target

Analyze the following events in these terms:

• An 8-year-old kid examines all the ports on a Web server to see if any are unprotected
• A dishonest employee makes copies on a Zip disk of secret formulas for a new product
• A saboteur cuts the cables linking a company network to the Internet

Page 22

Vulnerability

Vulnerability = a weakness

Distinguish among vulnerabilities due to
  Design
  Implementation
  Configuration

See the National Vulnerability Database: thousands of vulnerabilities, classified by platform and version

Page 23

National Vulnerability DB: http://nvd.nist.gov/

Page 24

Tool

• Means of exploiting a vulnerability
• Widely available on the Internet
• Exchanged at hacker meetings
  2600
  L0pht (defunct)
• Discussed and demonstrated at black-hat and gray-hat conferences
  DEFCON (Las Vegas)
  HACTIC (Netherlands)
• Many exploits usable by script kiddies and other poorly-trained hackers

Page 25

Unauthorized Result

Many possible results; e.g., consider results of these attacks:

Someone installs a Remote Access Trojan called BO2K on a target system

An e-mail-enabled worm (e.g., KLEZ) sends a copy of a confidential document to 592 strangers

The Stacheldraht DDoS tool completely interdicts access to an e-commerce site

A secret program installed by an employee uses all the “excess” CPU cycles in a corporate network for prime-number calculations
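To make the Actions, Targets, Events and Unauthorized Result slides concrete, here is an added Python example (not part of the deck) that encodes the event model as data and applies it to the sample cases on those slides. The action vocabulary is the one on the Actions slide; the target names, the result labels (generalized from the four cases on the Unauthorized Result slide) and the coding of each sample case are my own choices and should be read as one analyst's answers to the slides' exercise, not as the deck's. It also shows the "ambiguous terminology" point from the earlier slide: a description that uses an undefined term ("hack") is rejected instead of being silently tabulated.

```python
from collections import Counter
from dataclasses import dataclass

# Action vocabulary exactly as listed on the Actions slide.
ACTIONS = frozenset({
    "probe", "scan", "flood", "authenticate", "bypass", "spoof",
    "read", "copy", "steal", "modify", "delete",
})
# Assumed target vocabulary (the deck does not enumerate targets).
TARGETS = frozenset({"account", "process", "data", "component", "computer", "network"})
# Assumed result labels, generalised from the four cases on the Unauthorized Result slide.
RESULTS = frozenset({
    "increased access", "disclosure of information", "corruption of information",
    "denial of service", "theft of resources",
})


def undefined_terms(text):
    """Words in an 'action target; action target' description that are in no vocabulary."""
    return [w for w in text.replace(";", " ").split() if w not in ACTIONS | TARGETS]


@dataclass(frozen=True)
class Event:
    """An event is an action taken against a target (Events slide)."""
    action: str
    target: str

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"{self.action!r} is not an action; use one of {sorted(ACTIONS)}")
        if self.target not in TARGETS:
            raise ValueError(f"{self.target!r} is not a target; use one of {sorted(TARGETS)}")


@dataclass(frozen=True)
class Incident:
    """One or more events plus the tool used and the unauthorized result."""
    name: str
    events: tuple          # Event objects in the order they occurred
    result: str            # unauthorized result of the final event
    tool: str = "unknown"

    def __post_init__(self):
        if self.result not in RESULTS:
            raise ValueError(f"{self.result!r} is not a result; use one of {sorted(RESULTS)}")


def parse_events(text):
    """'scan computer; copy data' -> (Event('scan','computer'), Event('copy','data'))."""
    if undefined_terms(text):
        raise ValueError(f"undefined terms {undefined_terms(text)}: description rejected")
    events = []
    for clause in text.split(";"):
        words = clause.split()
        if len(words) != 2:
            raise ValueError(f"expected 'action target', got {clause.strip()!r}")
        events.append(Event(*words))
    return tuple(events)


# Sample cases from the Targets, Events and Unauthorized Result slides, coded as one
# analyst's answers (constructed; other codings are defensible).
SAMPLE = (
    Incident("Trojan Horse in a production system logs keystrokes",
             parse_events("modify process; read data"), "disclosure of information", tool="Trojan Horse"),
    Incident("Criminal hacker defaces a Web page", parse_events("modify data"), "corruption of information"),
    Incident("Millions of spurious packets sent to an e-commerce server",
             parse_events("flood computer"), "denial of service"),
    Incident("Morris Worm, November 1988", parse_events("bypass process; flood computer"),
             "denial of service", tool="worm"),
    Incident("8-year-old examines all ports on a Web server", parse_events("scan computer"),
             "disclosure of information"),
    Incident("Employee copies secret formulas to a Zip disk", parse_events("copy data"),
             "disclosure of information"),
    # The action list has no term for physical destruction; 'delete network' is the closest
    # fit, which is itself a finding about the vocabulary.
    Incident("Saboteur cuts the cables linking the network to the Internet",
             parse_events("delete network"), "denial of service"),
    Incident("BO2K remote access Trojan installed", parse_events("modify process"),
             "increased access", tool="BO2K"),
    Incident("KLEZ mails a confidential document to 592 strangers", parse_events("copy data"),
             "disclosure of information", tool="KLEZ"),
    Incident("Stacheldraht interdicts access to an e-commerce site", parse_events("flood computer"),
             "denial of service", tool="Stacheldraht"),
    Incident("Employee's hidden program burns excess CPU on prime-number calculations",
             parse_events("modify process"), "theft of resources"),
)


def tabulate(incidents):
    """Counts by result and by action: the statistics a shared vocabulary makes possible."""
    by_result = Counter(i.result for i in incidents)
    by_action = Counter(e.action for i in incidents for e in i.events)
    return by_result, by_action


if __name__ == "__main__":
    by_result, by_action = tabulate(SAMPLE)
    print("by result:", dict(by_result))
    print("by action:", dict(by_action))
    print("undefined terms in 'hack server':", undefined_terms("hack server"))
```

The payoff is in `tabulate`: because every case was forced through the same small vocabulary, counting "how many incidents ended in denial of service" or "how often did an attack start with a scan" is a one-line query, which is the statistical support the Taxonomy slide promises. The cable-cutting case shows the other side: when the vocabulary has no term for what happened, the analyst has to pick a nearest fit and record that choice rather than invent a new word on the spot.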

Page 26

Objectives

• Characteristics of the human beings involved in the attack
• Different objectives define different labels:
  Criminal hacking
  Industrial espionage
  Industrial sabotage
  Information warfare

Page 27

Attackers

• Wide range of attributes
• Subject of chapter 6 in CSH4
  Skill
  Ideology
  Gain

Page 28

The Model as a Whole (again)

Page 29

Resume at 09:05:03