Slide 2
Ten to fifteen years ago
- Firewalls, IDS, anti-virus software and OS updates were rare
Now
- Virus attacks: every day
- E-mail: scanned for suspicious attachments
- Network admins: work overtime to
  - build the latest security defenses
  - keep the defenses up to date
- Computer attacks via the Internet make computer security one of the prime concerns

Slide 3: Why security is becoming increasingly difficult
- Speed of attacks
  - Wide availability of modern tools, used to scan systems
    - to find weaknesses
    - to launch attacks
  - Most tools are automated: easy to attack target systems

Slide 4: Speed of attacks (examples)
In 2003 the Slammer worm infected 75,000 computers in the first 11 minutes after it was released, and the number of infections doubled every 8.5 seconds. At its peak, Slammer was scanning 55 million computers per second looking for a computer to infect. Later that year, the Blaster worm infected 138,000 computers in its first four hours and eventually infected over 1.4 million computers.**
** From M. Ciampa, Security+ Guide to Network Security Fundamentals, 2nd edition, Thomson, 2005

Slide 5: Why security is becoming increasingly difficult
- Sophistication of attacks
  - Security attacks are becoming more complex and difficult to detect
- Faster detection of weaknesses
  - Newly discovered system vulnerabilities double annually
    - More difficult for software developers to update their products

Slide 6: Why security is becoming increasingly difficult
- Distributed attacks
  - Multiple systems can be used to attack a single computer or network (a many-against-one approach)
    - Impossible to stop an attack by identifying and blocking the source
- Difficulties in patching
  - So, users do not apply patches

Slide 7

    Attack name | Impact of attack                                                                 | Date patch first issued | Date attack began | Days between patch and attack
    Bugbear     | Infected more than 2 million computers                                           | 16/5/2001               | 30/9/2002         | 502
    Yaha        | Unleashed 7,000 attacks per day as an e-mail distributed denial-of-service worm | 16/5/2001               | 22/6/2002         | 402
    Blaster     | Infected > 1.4 million computers                                                 | 16/7/2003               | 11/8/2003         | 26

Slide 9: Vulnerabilities
- Security weaknesses that open a program to attack
- An exploit takes advantage of a vulnerability
- Vendors develop fixes
- Zero-day exploits: exploits that occur before fixes are released
- Exploits often follow the vendor release of fixes within days or even hours
- Companies must apply fixes quickly

Slide 10: Fixes
- Work-arounds
  - Manual actions to be taken
  - Labor-intensive, so expensive and error-prone
- Patches
  - Small programs that fix vulnerabilities
  - Usually easy to download and install
- Service packs (groups of fixes in Windows)
- Version upgrades

Slide 11: Problems with Patching
- Must find operating system patches
  - Windows Server does this automatically
  - Linux versions often use rpm
  - ...
- Companies get overwhelmed by the number of patches
  - They use many programs, and vendors release many patches per product
  - Especially a problem for a firm's many application programs

Slide 12: Problems with Patching
- Cost of patch installation
  - Each patch takes some time and labor cost
  - Firms usually lack the resources to apply all of them
- Prioritization
  - Prioritize patches by criticality
  - May not apply all patches if risk analysis does not justify them

Slide 13: Problems with Patching
- Risks of patch installation
  - Reduced functionality
  - Freezing machines or doing other damage, sometimes with no uninstall possible
  - Should test on a test system before deployment on servers

Slide 14: Threat
- An adversary (devil/satan) who is capable and motivated to exploit a vulnerability
  - (exploit = utilize, especially for profit)
- A person, thing or event
  - which poses some danger to an asset in terms of that asset's confidentiality, integrity or availability
- Accidental threats
- Deliberate threats: passive and active

Slide 15: Examples of threats
- Hacker/cracker
- Script kiddies
- Spies and malware
- Denial-of-service (DoS) attack
- Zombies
- Insecure/poorly designed applications
- Virus
- Worms

Slide 16: Script kiddies
- Want to break into computers like crackers, but
  - are unskilled users
  - download software from web sites and use it to break into computers

Slide 17: Spies
- A person who
  - has been hired to break into a computer and steal information
  - does not randomly search for unsecured computers to attack
Malware
- A group of destructive programs such as viruses, worms, Trojan horses, logic bombs and spyware

Slide 18: Virus: a computer program that
- can copy itself and infect a computer without the permission or knowledge of the user
- spreads from one computer to another when its host (such as an infected file) is taken to that computer
- always infects or corrupts files on a targeted computer

Slide 19: Worm: a computer program that
- is self-replicating code
  - resides in active memory (the program is executed)
  - propagates itself
- uses a network to send copies of itself to other nodes
- can spread itself to other computers without needing to be transferred as part of an infected file
- always harms the network

Slide 20: Trojan horse: a program that
- installs malicious software while under the guise of doing something else
- differs from a virus in that
  - a Trojan horse does not insert its code into other computer files
  - it appears harmless until executed

Slide 21: Logic bomb: a program that
- is inactive until it is triggered by a specific event, e.g.
  - a certain date being reached
- once triggered, can perform many malicious activities
- is difficult to defend against

Slide 22: Spyware: a computer program that
- is installed surreptitiously on a personal computer
  - to intercept or take partial control over the user's interaction with the computer, without the user's awareness, e.g. installing additional software or redirecting web browser activity
  - secretly monitors the user's behavior and collects various types of personal information

Slide 23: Mobile code (more spyware)
- Executable code on a web page
- Code is executed automatically when the web page is downloaded
- JavaScript, Microsoft ActiveX controls, etc.
- Can do damage if the computer has a vulnerability

Slide 24: Social engineering in malware
- Social engineering is attempting to trick users into doing something that goes against security policies
- Several types of malware use social engineering
  - Spam
  - Phishing
  - Spear phishing (aimed at individuals or specific groups)
  - Hoaxes

Slide 25: Denial-of-service (DoS) attack: a threat that
- prevents legitimate traffic from being able to access the protected resource
- Common DoS
  - crashes a targeted service or server
  - normally done by exploiting a program buffer overflow problem, or by sending too many packets to a host, causing the host to crash

Slide 26: Zombies: systems that
- have been infected with software (e.g. a Trojan or back door)
  - under the control of attackers
- can be used to launch an attack against other targets
Insecure/poorly designed applications
- One of the most difficult threats to detect

Slide 27: Cyberterrorists
- Terrorists that attack the network and computer infrastructure to
  - deface electronic information (such as web sites)
  - deny service to legitimate computer users
  - commit unauthorised intrusions into systems and networks that result in infrastructure outages and corruption of vital data

Slide 28
Security attack
- Any action that compromises the security of information, or the use or exploitation of a vulnerability
Security mechanism
- A mechanism that is designed to detect, prevent or recover from a security attack
Security service
- A service that enhances the security of data processing systems and information transfers
- Makes use of one or more security mechanisms

Slide 29: Risk
- A qualitative assessment describing the likelihood of an attacker/threat using an exploit to
  - successfully bypass a defender
  - attack a vulnerability
  - compromise a system
Risk analysis
- Provides a quantitative means of determining whether an expenditure on safeguards is warranted

Slide 30: Security
- In a general-use environment, the system will not be openly vulnerable to
  - attacks
  - data loss
  - privacy loss
- Security is about the protection of assets *
- Protective measures
  - Prevention
  - Detection
  - Reaction/response
* From: Gollmann D., Computer Security, John Wiley & Sons, 1999

Slide 31: Information security
- The tasks of guarding digital information
- Information is
  - typically processed by a computer
  - stored on some device
  - transmitted over a network
- Ensures that protective measures are properly implemented
- A protection method

Slide 32: Computer Security
- Computer security deals with the prevention and detection of unauthorized actions by users of a computer system *
- The goal is to protect data and resources
- Only an issue on shared systems, like a network or a time-sharing OS
- No "global" solution
* From: Gollmann D., Computer Security, John Wiley & Sons, 1999

Slide 33: Computer security
- There is no absolutely "secure" system
- Security mechanisms protect against specific classes of attacks

Slide 34: Network security
- Security of data in transit
  - over a network link
  - over a store-and-forward node
- Security of data at the end point
  - Files
  - Email
  - Hard copies

Slide 35: Network security differences from computer security
- Attacks can come from anywhere, anytime
- Highly automated (scripts)
- Physical security measures are inadequate
- Wide variety of applications, services and protocols
  - Complexity
  - Different constraints, assumptions and goals
- No single "authority"/administrator
Definition of computer and network security

Slide 36: Prevention
- Take measures that prevent assets from being damaged
- Addresses the steps to deter an attack or lessen a system compromise
- The measures, e.g.
  - Physical network architecture
  - Firewall elements
  - Antivirus systems
  - System hardening
  - User education

Slide 37: Detection
- Take measures that make it possible to detect when an asset has been damaged
- Knowing when a system is under attack
- Provides an important step toward responding to threats
- Examples of measures
  - Intrusion Detection System (IDS)
  - SNORT

Slide 38: Reaction/Response
- Take measures that make it possible to recover from damage
- Common mitigation (lessening) options
  - Intrusion Prevention System (IPS) (an IDS that removes access control)
  - Backup devices
  - Response procedure

Slide 39: Example of response procedure (POLICIES)
- Turn off the compromised systems; it may be desirable to
  - power off an individual workstation
  - shut off a server
  - (could cause a significant impact in many mission-critical environments)
- Inform law enforcement
  - Which organization?

Slide 40: Example of response procedure (POLICIES)
- Reset the system, investigate the cause
  - Some attacks: restoring the system should be sufficient
  - Complicated attacks: blindly resetting a system may not lessen the problem
    - Should analyze the attack methods
    - Resetting the environment to the state that led to the initial compromise !!
- For sensitive information
  - How much information was compromised?
  - How long was the attacker accessing the system?
  - Knowing this directly leads to damage control

Slide 41: Example of response procedure (POLICIES)
- An individual/team in charge of leading the response
  - Having one can save valuable time

Slide 43: Internal attacker motivation
- Corporate spies
- Disgruntled employees
  - Personal issues, e.g.
    - disagreement with boss or coworker
    - general frustration
    - unfair disadvantage
  - Greed
    - may see value in selling insider access to an interested external party
  - Curiosity
  - Ignorance
    - may not be aware that specific information should be confidential

Slide 44: External attacker motivation
- Political
- Status: demonstrate his/her skill
- Power: show his/her technical superiority

Slide 45: Probe and Exploit Attack Packets (figure)

Slide 46: Source IP Address Spoofing (figure)

Slide 47: Chain of Attack Computers
For probes whose replies must be received, the attacker sends probes through a chain of attack computers. The victim only knows the identity of the last compromised host (123.125.33.101), not that of the attacker.

Slide 48: Traditional External Attackers: Hackers
- Social engineering
  - Social engineering is often used in hacking
    - Call and ask for passwords and other confidential information
    - E-mail attack messages with attractive subjects
    - Piggybacking
    - Shoulder surfing
    - Pretexting
    - Etc.
  - Often successful because it focuses on human weaknesses instead of technological weaknesses

Slide 50
- Confidentiality
- Authentication
- Authorization
- Integrity
- Nonrepudiation
- Availability
(most common: CIA = confidentiality, integrity, availability)

Slide 51
Confidentiality / privacy
- Systems that provide confidentiality lessen the risks from an eavesdropper or attacker
- Example: email is transmitted in plain text, which is a problem
Authentication
- Permits one system to determine the origin of another system

Slide 52
Authorization and access control
- The level of access that is permitted
- Not everyone is equal
- Based on authentication
  - Systems, processes and users are offered different levels of access
Integrity
- Information is not modified by an unauthorized party
Nonrepudiation
- Ensures that an originator cannot deny

Slide 53: Authentication Basics
- Passwords
- Biometrics
- Multiple methods

Slide 54: Authentication
- A process of verifying a user's identity
- Two reasons for authenticating a user
  - The user identity is a parameter in access control decisions (for a system)
  - The user identity is recorded when logging security-relevant events in an audit trail

Slide 55: Authentication
- Binding of an identity to a principal (subject)
- An identity must provide information to enable the system to confirm its identity
- Information (one or more of)
  - What the identity knows (such as a password or secret information)
  - What the identity has (such as a badge or card)
  - What the identity is (such as fingerprints)
  - Where the identity is (such as in front of a particular terminal)

Slide 56: Authentication process
- Obtaining information from the identity
- Analysing the data
- Determining if it is associated with that identity
Thus the authentication process is the process of verifying a claimed identity

Slide 57: Username and Password
- Very common and simple identities
- Used to enter a system
- Username
  - Announces who a user is
  - This step is called identification
- Password
  - Proves that the user is who he or she claims to be
  - This step is called authentication

Slide 58
- Password
- Password aging
- One-time password

Slide 59: Password
- Based on what people know
- User supplies a password
- Computer validates it
- If the password is associated with the user, then the user's identity is authenticated

Slide 60: Choosing passwords
- A password guessing attack is very simple and always works !! Because users are not aware of protecting their passwords
- Password choice is a critical security issue
  - Choose passwords that cannot be easily guessed
Password defenses
- Set a password on every account
- Change default passwords
- Password length
  - A minimum password length should be prescribed

Slide 61: Password defenses
- Password format
  - Mix upper and lower case symbols
  - Include numerical and other non-alphabetical symbols
- Avoid obvious passwords

Slide 62: How to improve password security?
- Password checker tool
  - Checks passwords against some dictionary of weak passwords
- Password generation
  - A utility in some systems
  - Produces random passwords for users
- Password aging
  - A requirement that a password be changed after some period of time
  - Required mechanisms
    - Forcing users to change to a different password
    - Providing notice of the need to change
    - A user-friendly method to change the password

Slide 63: How to improve password security?
- One-time password
  - A password is valid for only one use
- Limit login attempts
  - A system monitors unsuccessful login attempts
    - Reacts by locking the user account if the login process failed
- Inform the user
  - After a successful login the system displays
    - the last login time
    - the number of failed login attempts

Slide 64: Password guessing
- Exhaustive search (brute force)
  - Try all possible combinations of valid symbols
- Dictionary attack
- Random selection of passwords
- Pronounceable and other computer-generated passwords
- User-selected passwords
  - Passwords based on
    - account names
    - user names
    - computer names, etc.
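The password checker tool from the "How to improve password security?" slides, as an added example that is not part of the deck: it applies the rules listed above (minimum length, mixed case, digits and other symbols, a weak-password dictionary, and no passwords based on account, user or computer names). The dictionary and all names are constructed for the example.

```python
import string

# Constructed list standing in for the "dictionary of weak passwords" the
# slides mention; a real checker would load a proper word list.
WEAK_DICTIONARY = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def password_findings(password, account_name="", user_name="", computer_name="",
                      min_length=8, weak_words=WEAK_DICTIONARY):
    """Return the list of slide rules the password violates ([] means it passes)."""
    findings = []
    if len(password) < min_length:
        findings.append("shorter than the minimum length of %d" % min_length)
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("does not mix upper and lower case")
    if not any(c.isdigit() for c in password):
        findings.append("contains no numerical symbol")
    if not any(c in string.punctuation for c in password):
        findings.append("contains no non-alphabetical symbol other than digits")
    lowered = password.lower()
    # "Password1!" is still a dictionary word once the decoration is stripped
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in weak_words or core in weak_words:
        findings.append("in the weak-password dictionary")
    # Slide 64: guessers try the account name, user name and computer name
    for label, name in (("account name", account_name), ("user name", user_name),
                        ("computer name", computer_name)):
        if name and len(name) >= 3 and name.lower() in lowered:
            findings.append("based on the %s" % label)
    return findings


if __name__ == "__main__":
    for candidate in ("smt2024", "Password1!", "xK7#pq2!Lw"):
        print(candidate, password_findings(candidate, account_name="smt",
                                           user_name="somsak", computer_name="machine1"))
```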

Slide 65
- The automated measurement of biological or behavioral features that identifies a person
- Method
  - A set of measurements of a user is taken (recorded) when the user is given an account
  - When a user accesses the system, the biometric authentication mechanism identifies the identity

Slide 66
- Fingerprints
- Voices
- Eyes
- Faces
- Keystrokes
  - Keystroke intervals
  - Keystroke pressure
  - Keystroke duration
  - Combinations

Slide 67: Security Awareness

Slide 68
- Exploiting passwords
- Exploiting known vulnerabilities
- Exploiting protocol flaws
- Examining source files for new security flaws
- Denial-of-service attacks
- Abusing anonymous FTP
- Installing sniffer programs
- IP source address spoofing

Slide 69
- Locate a system to attack
  - New systems
  - Network sweeps
- Gain entry to a user's account
  - No password or an easy-to-guess password
  - Sniffed password
  - Exploiting a system configuration weakness or software vulnerability to obtain access to a privileged account

Slide 70
- Once inside, an intruder may:
  - Remove traces from auditing records
  - Install a back door for future use
  - Install Trojan horse programs to capture system and account information
  - Jump to other hosts on your network
  - Use your system to launch attacks against other sites
  - Modify, destroy or inappropriately disclose information

Slide 71
- Protect your own operational environment
- Protect your users' data
- Provide service to your users

Slide 72
- Stay current with security issues

Slide 73
- Do:
  - Understand and respect security policies
  - Take responsibility for your own security
  - Respect other Internet neighbours
  - Cooperate to provide security

Slide 74
- Avoid:
  - Unauthorised access to other accounts and systems
  - Cracking password files from other systems
  - Sharing accounts
  - Unauthorised access to unprotected files
  - Reading the e-mail of other users
  - Disrupting service

Slide 76
- Understanding security
- Writing a security policy
- Monitoring the network
- Auditing the network
- Preparing for an attack
- Handling an attack
- Forensics
- Log analysis
- Damage control

Slide 77: The Shape of a Logging System
- What to log
- Logging mechanisms
- Time
- Sensor
- Log management

Slide 78: Goals of a monitoring system
- Reduce the likelihood of an attack going unlogged
- Increase the likelihood that the events logged for an attack will be recognized as an attack

Slide 79: Problems of a logging system
- What events should be logged?
  - If every event is logged, the log file will be very large
  - If only selected events are logged, some crucial events might not be logged !!
- The log file can be tampered with by attackers
  - to delete attack traces
- Attackers can tamper with the log file
  - if the logs are accessible to them

Slide 80
- Logs should not be accessible to an attacker
- Mechanisms that can deny access to logs
  - The logs are kept on a separate machine
  - The logs are encrypted
  - The logs are stored on write-only media
  - The logs are stored in multiple places

Slide 81
- Logs should not be tampered with
- Tampering efforts should be easily detected
- Achieved by
  - Cryptographically signing each log entry to detect invalid entries
  - Monitoring the log entries to look for a sudden decrease in log size
    - Indicates that log entries have been deleted
  - Assigning a sequence number to each log entry and verifying that the sequence is unbroken

Slide 82
- The network should log any events necessary to detect known attack patterns
- The network should log any events necessary to detect unusual patterns of access

Slide 83: Syslog
- The most common network logging mechanism
- Runs on Unix systems
- Components
  - Syslog daemon
  - Syslog ruleset
  - Syslog-enabled programs

Slide 84: Syslog daemon
- A program that runs in the background on all machines using syslog
- Serves several purposes
  - Collects messages from syslog-enabled programs on the machine hosting it
  - Collects certain messages from the system that are not syslog-enabled (such as kernel messages regarding start-up and some device problems)
  - Listens on the syslog port (port 514/UDP) for messages
  - Saves all of the above messages in a file

Slide 85
- Usually in /etc/syslog.conf
- Contains directives to the syslog daemon
- Determines where various types of messages should be logged
- Choices of logging
  - Put a message into a file
  - Log a message to another machine via UDP
  - Write a message to the system console
  - Write a message to all logged-in users

Slide 86
- Syslog is a standard facility in Unix
- Many Unix programs have calls to syslog built into them
- Enables these programs to log various events
  - to the local syslog daemon

Slide 87
- Universally available
- Standard implementation
- Available from non-programmable devices
- A read-only logging mechanism

Slide 88
- Unauthenticated protocol
  - Can be spoofed
- Unencrypted transmission
  - Can be eavesdropped by attackers
- Unreliable UDP transmission
  - Not all syslog messages reach their intended destination

Slide 89
- An important issue in log gathering and analysis

    Jun 4 22:33:21 machine1.ycom.com login: user smt login ok
    Jun 4 22:34:29 machine3.ycom.com login: user smt login ok

- Time is used in the analysis process
- It should be accurate and synchronised with other systems
- A logging system should synchronise its time with a time server machine (NTP server)

Slide 90
- A mechanism that can be used to aid device-based logging
- Provides a means for gathering information and integrating it into the logging system

Slide 91
- Examples
  - Some sensors can detect several variations on attacks
  - Some sensors can detect problems with the network being monitored

Slide 92
- Some sensors are built to detect conditions on the logging system
  - Are the logs increasing monotonically?
    - If not, a log file might have been tampered with
  - Is the logging system receiving all the logs that are being sent?
    - Some devices transmit a sequence number with each log entry
    - If a particular number is missing, something has gone wrong
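Slide 81's three tamper-detection mechanisms and slide 92's logging-system sensors, combined in one added example that is not part of the deck: each entry carries a sequence number and an authentication tag chained to the previous entry, and the checker reports modification, deletion, reordering and a shrinking log. It uses HMAC-SHA256 with a constructed key in place of a public-key signature so that it runs stand-alone; in practice the key would live on the separate log host.

```python
import hmac
import hashlib
import json

# Constructed key for the example only; a real deployment would keep the
# verification key off the machine being audited.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64   # "previous tag" of the very first entry


def _tag(seq, message, prev_tag, key):
    """Authentication tag over (seq, message, prev_tag), stand-in for a signature."""
    body = json.dumps({"seq": seq, "msg": message, "prev": prev_tag}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def append_entry(log, message, key=KEY):
    """Append a message as a sequenced, chained, authenticated entry (slide 81)."""
    seq = log[-1]["seq"] + 1 if log else 1
    prev_tag = log[-1]["tag"] if log else GENESIS
    log.append({"seq": seq, "msg": message, "prev": prev_tag,
                "tag": _tag(seq, message, prev_tag, key)})
    return log


def verify_log(log, last_seen_len=0, key=KEY):
    """Return a list of findings; an empty list means the log looks intact.

    Checks, in the slides' terms:
      - every tag recomputes            -> entry not modified (signing)
      - prev links to the previous tag  -> no reordering or silent removal
      - seq numbers run 1..n unbroken   -> no deletion (sequence numbers)
      - log not shorter than last seen  -> no truncation (size decrease sensor)
    """
    findings = []
    if len(log) < last_seen_len:
        findings.append("log shrank: %d entries, monitor last saw %d"
                        % (len(log), last_seen_len))
    prev_tag = GENESIS
    expected_seq = 1
    for entry in log:
        if not hmac.compare_digest(_tag(entry["seq"], entry["msg"], entry["prev"], key),
                                   entry["tag"]):
            findings.append("entry %d: tag mismatch (modified)" % entry["seq"])
        if entry["prev"] != prev_tag:
            findings.append("entry %d: chain broken (reordered or neighbour removed)"
                            % entry["seq"])
        if entry["seq"] != expected_seq:
            findings.append("sequence gap: expected %d, found %d"
                            % (expected_seq, entry["seq"]))
            expected_seq = entry["seq"]
        prev_tag = entry["tag"]
        expected_seq += 1
    return findings


if __name__ == "__main__":
    # Constructed sample messages in the style of slide 89's login records
    log = []
    for msg in ("login: user smt login ok", "su: root by smt", "sshd: failed password"):
        append_entry(log, msg)
    print("intact:", verify_log(log, last_seen_len=3))
    del log[1]                      # an attacker removing a trace (slide 70)
    print("after deletion:", verify_log(log, last_seen_len=3))
```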

Slide 93
- Has any machine stopped logging?
  - A machine that has stopped logging might indicate a network problem OR an attack

Slide 94
- A process of making sure that the logging system is
  - stable
  - useful

Slide 96: Authentication and authorization mechanism
- Account
  - Stores information about users (subjects)
  - Including the privileges granted to a user
- Identification and authentication
  - Verify a user's identity
  - Allowing the system to associate the user's privileges with any process started by the user
- Permissions on resources (objects)
  - Can be set by the system manager or the owner of the resource

Slide 97
- Super user account
  - Every operating system has a super user account
  - The owner of this account can do anything
  - Called Administrator in Windows
  - Called root in UNIX
- Hacking root
  - The goal is to take over the super user account
  - The attacker will then "own the box"
  - Generically called hacking root

Slide 98: Appropriate use of a super user account
- Log in as an ordinary user
- Switch to super user only when needed
  - In Windows, the command is RunAs
  - In UNIX, the command is su (switch user)
- Quickly revert to the ordinary account when super user privileges are no longer needed

Slide 100
- Authentication and authorisation mechanism
  - When a user requests access to any resource, the operating system has to make a decision
    - Grant or deny the access?
    - Based on
      - the user's identity
      - the user's privileges
      - the permissions of the object
- Detection mechanism
  - Unix provides an audit log (audit trail)
    - to keep track of actions performed by users
    - these records can be used to investigate security breaches

Slide 101
- Unix users (accounts) are defined by user names
- Users are authenticated by passwords
- Passwords
  - (on most Unix systems) limited to 8 characters
  - Enciphered with the crypt(3) algorithm
    - Repeats a slightly modified DES algorithm 25 times
    - Using an all-zero block as the start value
    - Using the password as the key
  - The encrypted passwords are stored in the /etc/passwd file

Slide 102
- Example of an /etc/passwd file (old versions of Unix systems)
- Security-conscious versions of Unix store the encrypted password field in another file, such as /etc/shadow or /.secure/etc/passwd
- An entry in an /etc/passwd file is as follows:

    user_name:encrypted password:userID:groupID:User full name:home directory:login shell

  With the encrypted password moved to the shadow file, the field is replaced by *:

    user_name:*:userID:groupID:User full name:home directory:login shell

Slide 103
- Changing password
  - Command passwd(1)
    - A user is asked to supply the current password, to prevent someone else changing the user's password
    - The user is then asked to enter the new password twice
    - Password characters are not displayed on the screen when the password is entered
- Logging
  - /usr/adm/lastlog logs the user's last login time

Slide 104: Users and Superuser
- A user name is represented internally (in a system or user process) by a 16-bit number, called the uid (user ID)
- Unix does not distinguish between users having the same uid
  - so several user names can be set to the same uid
- Some of the uids have special meanings, such as

    uid  name
    -2   nobody
     0   root
     1   daemon
     2   uucp
     3   bin
     9   audit

Slide 105
- In every Unix system
  - there is a user with special privileges
  - it is called the superuser and has uid = 0
  - the user name is usually root
- The root privilege is used
  - by the operating system for essential tasks, such as
    - recording the audit log
    - access to I/O devices
  - by system administrators to
    - perform certain system administration tasks
- Almost all security checks are turned off for the superuser account !!

Slide 106: The superuser
- Very powerful, can do everything, such as
  - become any other user
  - change the system clock
  - write into a read-only file (if the proper methods are used)
- This becomes a weakness of Unix systems
  - If an attacker achieves superuser status
  - he or she can take control of the entire system !!!

Slide 107: Access control
- Based on attributes of users and resources
- Standard Unix systems provide discretionary access control with a granularity of owner, group, world
- Unix treats all resources in a uniform manner
  - making no distinction between files and devices

Slide 108: Unix File Structure
- Arranges files in a tree-structured file system containing files and directories

    -rwxr--r--  1 user1 users 1212 Jan 23 11:21 myfile.txt
    drwx------  2 user1 users  512 Jan 21 16:42 mydirectory

  Fields, left to right: file type and file permissions; link counter (counting the number of links (pointers) to the file); name of the owner and group of the file; size of the file (in bytes); modified/accessed/created time; file name

- Selected fields in the inode (the file data structure of Unix systems)

    mode         Type of file and access rights
    uid          User who owns this file
    gid          Group which owns this file
    atime        Access time
    mtime        Modification time
    itime        Inode alteration time
    block count
    size         Size of file

Slide 109: Unix File Structure
- File permissions (permission bits)
  - 3 groups of bits
    - Read
    - Write
    - Execute
  - Each group is for
    - the owner of the file
    - the group (users in the same group)
    - other (all other users)
  - Example: -rw-r--r-- gives read and write access to the owner, and read access to group and other

Slide 110: Access permission granting decision making
- If the user's uid indicates that he or she is the owner of the file
  - the permission bits for the owner decide whether the user can get access
- If the user is not the owner of the file, but the gid indicates that the user's group owns the file
  - the permission bits for the group decide whether the user can get access
- If the user is neither the owner of the file nor a member of the group that owns the file
  - the permission bits for other decide whether the user can get access
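The decision rule above, together with the /etc/passwd entry format of slide 102 and the ls -l listing of slide 108, as an added example that is not part of the deck. It also covers the edge case the rule implies but the slide does not spell out: exactly one class of bits decides, so an owner with no bits is not rescued by more generous group or other bits. All entries and listing lines are constructed; only primary group membership is modelled, not /etc/group supplementary groups.

```python
# Constructed /etc/passwd entries in the slide's user:pw:uid:gid:gecos:home:shell form.
PASSWD_LINES = [
    "root:*:0:0:Super user:/root:/bin/sh",
    "user1:*:1001:100:Demo User One:/home/user1:/bin/sh",
    "user2:*:1002:100:Demo User Two:/home/user2:/bin/sh",
    "guest:*:2000:2000:Guest account:/home/guest:/bin/sh",
]
GROUP_NAMES = {0: "root", 100: "users", 2000: "guest"}   # gid -> group name (constructed)

# Constructed "ls -l" lines; the first two mirror slide 108, odd.txt is the edge case.
LS_LINES = [
    "-rwxr--r--  1 user1 users 1212 Jan 23 11:21 myfile.txt",
    "drwx------  2 user1 users  512 Jan 21 16:42 mydirectory",
    "----r--r--  1 user1 users  100 Jan 22 09:00 odd.txt",     # owner has no bits at all
]


def parse_passwd(lines):
    """Map user name -> (uid, gid) from seven-field passwd entries."""
    users = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd entry: %r" % line)
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_mode(mode_str):
    """'-rwxr--r--' -> ('-', {'owner': {'r','w','x'}, 'group': {'r'}, 'other': {'r'}})."""
    if len(mode_str) != 10:
        raise ValueError("mode string must be 10 characters: %r" % mode_str)
    classes = {}
    for name, start in (("owner", 1), ("group", 4), ("other", 7)):
        bits = mode_str[start:start + 3]
        perms = set()
        if bits[0] == "r":
            perms.add("r")
        if bits[1] == "w":
            perms.add("w")
        if bits[2] in "xst":        # s/t: setuid, setgid or sticky together with execute
            perms.add("x")
        classes[name] = perms
    return mode_str[0], classes


def parse_ls_line(line):
    """Keep the fields slide 108 annotates: type, permission bits, owner, group, name."""
    parts = line.split()
    ftype, perms = parse_mode(parts[0])
    return {"type": ftype, "perms": perms, "owner": parts[2],
            "group": parts[3], "name": parts[-1]}


def access_allowed(entry, users, group_names, user, want):
    """Slide 110's rule for want in 'r', 'w', 'x': the first matching class
    (owner, then group, then other) decides on its own."""
    uid, gid = users[user]
    if uid == 0:
        # Slide 105: almost all checks are off for the superuser. Read/write are
        # always granted; execute still needs an x bit somewhere (classic Unix).
        return want in "rw" or any("x" in p for p in entry["perms"].values())
    owner_uid, _ = users[entry["owner"]]
    if uid == owner_uid:
        deciding = "owner"
    elif group_names.get(gid) == entry["group"]:
        deciding = "group"
    else:
        deciding = "other"
    return want in entry["perms"][deciding]


if __name__ == "__main__":
    users = parse_passwd(PASSWD_LINES)
    for f in (parse_ls_line(l) for l in LS_LINES):
        for u in ("root", "user1", "user2", "guest"):
            granted = "".join(w for w in "rwx" if access_allowed(f, users, GROUP_NAMES, u, w))
            print("%-12s %-6s %s" % (f["name"], u, granted or "-"))
```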

Slide 111
- Unix provides some mechanisms which make it possible to detect
  - security violations
  - suspicious events
- Examples of these mechanisms
  - Auditing
  - Intrusion detection
  - Automatic retaliation (intrusion response)

Slide 112: Auditing
- Records security-relevant events in an audit log or audit trail files
- The audit log files must be protected
  - Set the logical protection
    - Only privileged users have write access
  - Send the audit log to another computer
    - Root on the audited machine has no superuser privilege there
    - Offers double protection
  - Send the audit log to a secure printer
    - Physical security measures are required to protect the integrity of the audit log

Slide 113: Auditing files (for some Unix versions)

    /usr/adm/lastlog   Records the last time a user has logged in; this information can be displayed with the finger command
    /var/adm/utmp      Records accounting information used by the who command
    /var/adm/wtmp      Records every time a user logs in or logs out; this information can be displayed with the last command. To prevent this file from taking over all available memory, it may be pruned automatically at regular intervals
    /var/adm/acct      Records all executed commands; this information can be displayed with the lastcomm command

