
1 Copyright © 1995-2007 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
USC CSci530 Computer Security Systems
Lecture notes Fall 2007
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

2 Announcements
Mid-term Grading Complete
–Grades posted
–Papers available on Monday.
▪See TAs in office hours for any issues with grading.
Dr. Neuman’s Office hours
–Back to Normal Friday 12:50-1:50

3 CSci530: Computer Security Systems
Lecture 9 – 26 October 2007
Malicious Code Continued and Countermeasures
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

4 Zombies/Bots/Botnets
Machines controlled remotely
–Infected by virus, worm, or trojan
–Can be contacted by master
–May make calls out so control is possible even through firewall.
–Often uses IRC for control.
–Storm Worm

5 Spyware
Infected machine collects data
–Keystroke monitoring
–Screen scraping
–History of URLs visited
–Scans disk for credit card numbers and passwords.
–Allows remote access to data.
–Sends data to third party.

6 Theory
Cannot detect a virus by determining whether a program might perform a particular activity.
–Reduction from the Halting Problem
But can apply heuristics

7 Defenses to Malicious Code
Detection
–Signature based
–Activity based
Prevention
–Prevent most instances of memory used as both data and code

8 Defenses to Malicious Code
Sandbox
–Limits access of running program
–So it doesn’t have full access, or even the user’s access.
Detection of modification
–Signed executables
–Tripwire or similar
Statistical detection
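The "detection of modification" bullet is what Tripwire does: record a cryptographic digest of every file you care about while the system is known-good, then periodically recompute and diff. The following is an added example written for these notes, not Tripwire's code and not from the lecture; the directory layout, file names and the "tampering" in demo() are constructed. It uses SHA-256 and records size and mode alongside the digest.

```python
"""Tripwire-style integrity baseline and check (added example, not from
the lecture).  take_baseline() records a digest for every regular file
under a root; check_against() reports what was added, removed or changed.
"""
import hashlib
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of the file contents, streamed so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> dict:
    """Map relative POSIX path -> (sha256, size, mode) for every regular file."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root_path).as_posix()] = (_digest(p), st.st_size, st.st_mode)
    return baseline


def check_against(baseline: dict, root: str) -> dict:
    """Diff the current tree against a stored baseline."""
    current = take_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "bin").mkdir()
        (Path(d) / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original\n")
        (Path(d) / "etc").mkdir()
        (Path(d) / "etc" / "passwd").write_text("root:x:0:0\n")
        baseline = take_baseline(d)
        # Simulated post-compromise changes: a modified binary, a new file, a deleted file.
        (Path(d) / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original\n# extra\n")
        (Path(d) / "etc" / "cron").write_text("* * * * * /tmp/x\n")
        (Path(d) / "etc" / "passwd").unlink()
        return check_against(baseline, d)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it lives: on an infected host a root kit that intercepts system calls (slide 9) can feed the checker the original file contents, so in practice the digest database is kept off the host (or signed) and the comparison is run from a clean platform, which is the point of slide 10.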

9 Root Kits
Hide traces of infection or control
–Intercept system calls
–Return false information that hides the malicious code.
–Return false information to hide the effect of the malicious code.
–Some root kits have countermeasures to attempts to detect the root kits.
–Blue pill makes itself hyper-root

10 Best Detection is from the Outside
Platform that is not infected
–Look at network packets using external device.
–Mount disks on safe machine and run detection on the safe machine.
–Trusted computing can help, but still requires outside perspective

11 Attacks on Availability
Denial of service attacks seek to block availability by overloading network, host, or service resources.
–Mounted from a single powerful node
–Utilizes consequences of protocol features to amplify attacks.
–May be originated from many compromised nodes scattered across the network (Distributed Denial of Service)

12 Difficulty Defending against DoS
Identification/detection
–How to distinguish an attack from slashdotting (i.e. flash crowds)
Even once an attack is identified, pushing back requires help from other parts of the network.
–Blocking at the end point can still leave your connection saturated.
–May inadvertently block your legitimate traffic, which is the goal of the attack to begin with.
Redundancy can help
Best approach is to design protocols so that minimal resources can be consumed until the legitimacy of a request can be established.
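The last bullet is the design principle behind TCP SYN cookies, which the slide does not name but which is the standard worked instance of it: the server answers a SYN without allocating a connection record, encoding a keyed MAC over the connection's addresses and ports into the sequence number it sends back, and only allocates state when a client proves it received that SYN-ACK. The code below is an added example for these notes, not from the lecture and not a real TCP stack; the cookie bit layout (5-bit time slot, 3-bit MSS index, 24-bit MAC), the 64-second slot, the secret key and all addresses are this example's own simplifications and constructed values.

```python
"""SYN cookies as an instance of 'spend nothing until the request proves
legitimate' (added example, not from the lecture).  The listener keeps
no per-client state after a SYN; the SYN-ACK's initial sequence number
is a keyed MAC that only a client who received it can echo back.
"""
import hashlib
import hmac

COOKIE_SECRET = b"constructed-example-secret"   # placeholder; real servers generate and rotate it
MASK32 = 0xFFFFFFFF


def _mac24(src, sport, dst, dport, tslot, mss_idx):
    """24-bit truncation of HMAC-SHA256 over the 4-tuple and cookie fields."""
    msg = f"{src}:{sport}>{dst}:{dport}|{tslot}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, now, mss_idx=2):
    """Cookie layout (32 bits): 5-bit time slot | 3-bit MSS index | 24-bit MAC."""
    tslot = (now // 64) & 0x1F                  # 64-second slots, wraps every 32 slots
    return (tslot << 27) | ((mss_idx & 0x7) << 24) | _mac24(src, sport, dst, dport, tslot, mss_idx)


def check_cookie(cookie, src, sport, dst, dport, now):
    """Return the encoded MSS index if the cookie is fresh and authentic, else None."""
    tslot = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    if ((now // 64) - tslot) % 32 > 1:          # issued more than one slot ago: reject
        return None
    if (cookie & 0xFFFFFF) != _mac24(src, sport, dst, dport, tslot, mss_idx):
        return None
    return mss_idx


class StatelessListener:
    """Server side: a SYN costs nothing; only a valid ACK allocates state."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = []

    def on_syn(self, src, sport, now):
        # The SYN-ACK's ISN is the cookie; nothing is stored for this client.
        return make_cookie(src, sport, self.ip, self.port, now)

    def on_ack(self, src, sport, ack, now):
        mss_idx = check_cookie((ack - 1) & MASK32, src, sport, self.ip, self.port, now)
        if mss_idx is None:
            return False
        self.established.append((src, sport, mss_idx))   # state allocated only now
        return True


def demo():
    """Constructed scenario: a spoofed SYN flood, then one genuine client."""
    srv = StatelessListener("192.0.2.10", 443)
    for i in range(10_000):                       # forged sources never answer
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, now=1000)
    after_flood = len(srv.established)
    isn = srv.on_syn("203.0.113.7", 50000, now=1000)
    legit = srv.on_ack("203.0.113.7", 50000, (isn + 1) & MASK32, now=1030)
    forged = srv.on_ack("203.0.113.8", 50001, 0x12345678, now=1030)   # never saw a SYN-ACK
    stale = srv.on_ack("203.0.113.7", 50000, (isn + 1) & MASK32, now=1300)  # replayed much later
    return {"after_flood": after_flood, "legit": legit, "forged": forged,
            "stale": stale, "established": len(srv.established)}


if __name__ == "__main__":
    print(demo())
```

The trade-off, as in the real mechanism, is that anything the server would normally have remembered from the SYN (here, the MSS choice) must fit inside the cookie, and a reply that is never sent costs nothing only because the server did not have to remember who it was replying to.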

13 Some Spyware Local
Might not ship data, but just uses it
–To pop up targeted ads
–Spyware writer gets revenue for referring victim to merchant.
–Might rewrite URLs to steal commissions.

14 Economics of Malicious Code
Controlled machines for sale
“Protection” for sale
Attack software for sale
Stolen data for sale
Intermediaries used to convert online balances to cash.
–These are the pawns and the ones that are most easily caught

15 CSci530: Security Systems
Lecture 9 – October 26, 2007
Countermeasures
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

16 Intrusion Everything
Intrusion Prevention
–Marketing buzzword
–Good practices fall in this category
▪We will discuss network architectures
▪We will discuss Firewalls
–Intrusion detection (next week)
▪Term used for networks
▪But applies to host as well
–Tripwire
–Virus checkers
–Intrusion response (part now, part next week)
▪Evolving area
–Anti-virus tools have a response component
–Can be tied to policy tools

17 Architecture: A first step
Understand your application
–What is to be protected
–Against which threats
–Who needs to access which apps
–From where must they access it
Do all this before you invest in the latest products that salespeople will say will solve your problems.

18 What is to be protected
Is it the service or the data?
–Data is protected by making it less available
–Services are protected by making them more available (redundancy)
–The hardest cases are when one needs both.

19 Classes of Data
Decide on multiple data classes
–Public data
–Customer data
–Corporate data
–Highly sensitive data
(not a total ordering)
These will appear in different parts of the network

20 Classes of Users
Decide on classes of users
–Based on the access needed to the different classes of data.
You will architect your system and network to enforce policies at the boundaries of these classes.
–You will place data to make the mapping as clean as possible.
You will manage the flow of data

21 Example
Where will you place your company’s public web server, so that you can be sure an attacker doesn’t hack your site and modify your front page?
Where will you place your customers’ account records so that they can view them through the web?
–How will you get updates to these servers?

22 Other Practices
Run Minimal Systems
–Don’t run services you don’t need
Patch Management
–Keep your systems up to date on the current patches
–But don’t blindly install all patches right away either.
Account management
–Strong passwords, delete accounts when employees leave, etc.
Don’t rely on passwords alone

23 How to think of a Firewalled Network
Crunchy on the outside. Soft and chewy on the inside.
–Bellovin and Merrit

24 Firewalls
Packet filters
–Stateful packet filters
▪Common configuration
Application level gateways or Proxies
–Common for corporate intranets
Host based software firewalls
–Manage connection policy
Virtual Private Networks
–Tunnels between networks
–Relationship to IPsec

25 Packet Filter
Most common form of firewall and what one normally thinks of
Rules define what packets are allowed through
–Static rules allow packets on particular ports and between particular pairs of inside and outside addresses.
–Dynamic rules track destinations based on connections originating from inside.
–Some just block inbound TCP SYN packets
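The three bullets describe three rule types that can be shown side by side in one small decision engine. This is an added example written for these notes, not code from the lecture or from any firewall product; the addresses (documentation ranges), the single static rule for a public web server and the sample traffic in demo() are all constructed. The syn_only flag selects the weaker "just block inbound SYN" policy so that the difference from a stateful filter is visible on the same traffic.

```python
"""Packet-filter decision logic (added example, not from the lecture):
static allow rules, dynamic rules learned from outbound connections, and
the older 'block inbound SYN only' policy for comparison.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = True   # True = arriving from the outside network


class PacketFilter:
    def __init__(self, static_allow, syn_only=False):
        # static_allow: {(inside_ip, port)} reachable from anywhere, e.g. a public web server
        self.static_allow = set(static_allow)
        self.syn_only = syn_only
        self.flows = set()  # dynamic rules: (inside_ip, inside_port, outside_ip, outside_port)

    @staticmethod
    def _flow(p):
        """Normalise a packet to its (inside, outside) endpoint tuple regardless of direction."""
        return (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)

    def decide(self, p):
        if not p.inbound:
            self.flows.add(self._flow(p))        # remember the connection so its replies get in
            return "allow outbound"
        if self._flow(p) in self.flows:
            return "allow established"
        if (p.dst, p.dport) in self.static_allow:
            return "allow static"
        if self.syn_only:
            # Only connection attempts are stopped; unsolicited non-SYN packets
            # (ACK probes, crafted RSTs) pass, which is why this policy is weaker.
            return "drop syn" if (p.syn and not p.ack) else "allow (not a SYN)"
        return "drop"


def demo(syn_only=False):
    """Constructed traffic: inside network is 10.0.0.0/24, web server at 10.0.0.80."""
    fw = PacketFilter(static_allow={("10.0.0.80", 80)}, syn_only=syn_only)
    traffic = [
        Packet("198.51.100.5", 40001, "10.0.0.80", 80, syn=True),                 # client to web server
        Packet("198.51.100.5", 40002, "10.0.0.5", 22, syn=True),                  # connection attempt to a workstation
        Packet("10.0.0.5", 51000, "203.0.113.9", 443, syn=True, inbound=False),   # workstation browses out
        Packet("203.0.113.9", 443, "10.0.0.5", 51000, syn=True, ack=True),        # the server's SYN-ACK reply
        Packet("198.51.100.5", 40003, "10.0.0.5", 22, ack=True),                  # unsolicited ACK-only packet
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    print("stateful:", demo())
    print("syn-only:", demo(syn_only=True))
```

Run both variants and compare the last decision: the stateful filter drops the unsolicited ACK because no outbound connection explains it, while the SYN-only filter lets it through. Real filters also expire entries in flows and track UDP and ICMP pseudo-connections, which this example omits.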

26 Network Address Translation
Many home firewalls today are NAT boxes
–Single address visible on the outside
–Private address space (net 10, 192.168) on the inside.
Hides network structure; hosts on the inside are not addressable.
–Box maps external connections established from inside back to the private address space.
Servers require persistent mapping and manual configuration.
–Many protocols, including attacks, are designed to work through NAT boxes.
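The slide's two mapping cases (dynamic entries created by inside-initiated connections, and the persistent manual entries a server needs) are the whole of a port-translating NAT table. Below is an added example for these notes, not from the lecture and not any router's code; the public address, private addresses and port numbers are constructed. It shows why an unsolicited packet from outside has nowhere to go unless an entry was created for it.

```python
"""Port-translating NAT box (added example, not from the lecture).  Outbound
packets get a mapping on first sight; inbound packets are delivered only
if they match such a mapping or a manually configured port forward.
"""


class NatBox:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.out_map = {}        # (in_ip, in_port, remote_ip, remote_port) -> public_port
        self.in_map = {}         # (public_port, remote_ip, remote_port) -> (in_ip, in_port)
        self.port_forwards = {}  # public_port -> (in_ip, in_port); manual, persistent, for servers

    def add_port_forward(self, public_port, in_ip, in_port):
        self.port_forwards[public_port] = (in_ip, in_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite an inside->outside packet; create the mapping the first time."""
        key = (src, sport, dst, dport)
        if key not in self.out_map:
            pub = self._next_port
            self._next_port += 1
            self.out_map[key] = pub
            self.in_map[(pub, dst, dport)] = (src, sport)
        return (self.public_ip, self.out_map[key], dst, dport)

    def inbound(self, src, sport, dport):
        """Rewrite an outside->public_ip packet, or None if no inside host is addressable."""
        target = self.in_map.get((dport, src, sport)) or self.port_forwards.get(dport)
        if target is None:
            return None
        return (src, sport, target[0], target[1])


def demo():
    """Constructed scenario: one browsing client, one published server, one probe."""
    nat = NatBox("203.0.113.1")
    nat.add_port_forward(443, "192.168.1.20", 443)   # the manual configuration a server needs
    results = {}
    results["out"] = nat.outbound("192.168.1.10", 51000, "198.51.100.80", 80)
    results["reply"] = nat.inbound("198.51.100.80", 80, results["out"][1])
    results["unsolicited"] = nat.inbound("198.51.100.7", 4444, 22)    # nothing maps port 22
    results["forwarded"] = nat.inbound("198.51.100.7", 4444, 443)     # persistent mapping hit
    results["second_out"] = nat.outbound("192.168.1.10", 51000, "198.51.100.80", 80)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "unsolicited" case is the only protection NAT gives by itself; the slide's last bullet is the caveat, since any protocol that starts from the inside (a bot calling out to its controller, slide 4) gets a mapping like any other connection. Real NAT also expires idle entries and rewrites addresses carried inside application payloads for protocols such as FTP, which this example leaves out.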

27 Application FW or Proxies
No direct flow of packets
–Instead, connect to proxy with application protocol.
–Proxy makes similar request to the server on the outside.
Advantage
–Can’t hide attacks by disguising them as a different protocol.
–But can still encapsulate attack.
Disadvantage
–Can’t do end to end encryption or security since packets must be interpreted by the proxy and recreated.

28 Host Based Firewalls
Each host has its own firewall.
–Closer to the data to be protected
–Avoids the chewy on the inside problem in that you still have a boundary between each machine and even the local network.
Problems
–Harder to manage
–Can be manipulated by malicious applications.

29 Virtual Private Networks
Extend perimeter of firewalled networks
–Two networks connected
–Encrypted channel between them
–Packets in one zone tunneled to the other and treated as originating within the same perimeter.
Extended network can be a single machine
–VPN client tunnels packets
–Gets address from VPN range
–Packets encrypted in transit over open network

30 IPSec
IP Security (IPsec) and the security features in IPv6 essentially move VPN support into the operating system and lower layers of the protocol stack.
Security is host to host, or host to network, or network to network as with VPNs
–Actually, VPNs are rarely used host to host, but if the network had a single host, then it is equivalent.

31 Attack Paths
Many attacks today are staged from compromised machines.
–Consider what this means for network perimeters, firewalls, and VPNs.
A host connected to your network via a VPN is an unsecured perimeter
–So, you must manage the endpoint even if it is your employee’s home machine.

32 Defense in Depth
One should apply multiple firewalls at different parts of a system.
–These should be of different types.
Consider also end to end approaches
–Data architecture
–Encryption
–Authentication
–Intrusion detection and response

33 Protecting the Inside
Firewalls are better at protecting against inbound threats.
–But they can prevent connections to restricted outside locations.
–Application proxies can do filtering for allowed outside destinations.
–Still need to protect against malicious code.
Standalone (i.e. not host based) firewalls provide stronger self protection.

34 Virus Checking
Signature based
–Looks for known indicators in files
–Real-time checking causes files to be scanned as they are brought over to the computer (web pages, email messages) or before execution.
–On server and client
Activity based
–Related to firewalls, if looking for communication
–Alert before writing to boot sector, etc.
Defenses beyond just checking
–Don’t run as root or admin

35 Current Event
IT: "Storm Worm Strikes Back at Security Pros"
Posted by ScuttleMonkey on Wednesday October 24, @10:25AM from the skynet-worm dept.
alphadogg writes "The Storm worm, which some say is the world's biggest botnet despite waning in recent months, is now fighting back against security researchers that seek to destroy it and has them running scared, conference attendees in NYC heard this week. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says an IBM architect."

