Computer & Network Security Outlines Definition of computer and network security Security Terminology Weaknesses and Vulnerabilities.

1 Computer & Network Security nittida.n@psu.ac.th

2 Outline
- Definition of computer and network security
- Security terminology
- Weaknesses and vulnerabilities
- Identification and authentication
- Authentication mechanisms
- Computer system and network intrusions
- Internet etiquette
- Security management

3 Definition of computer and network security: Definitions
- Security: security is about the protection of assets *
- Protective measures:
  - Prevention: take measures that prevent assets from being damaged
  - Detection: take measures that make it possible to detect when an asset has been damaged
  - Reaction: take measures that make it possible to recover from damage
* From: Gollmann D., Computer Security, John Wiley & Sons, 1999

4 Definition of computer and network security: Information security
- The task of guarding digital information
- Information is typically:
  - processed by a computer
  - stored on some device
  - transmitted over a network
- Information security ensures that protective measures are properly implemented; it is a protection method

5 Definition of computer and network security: Computer security
- There is no absolutely "secure" system
- Security mechanisms protect against specific classes of attacks

6 Definition of computer and network security: Network security
- Security of data in transit
  - over network links
  - over store-and-forward nodes
- Security of data at the end points
  - files
  - email
  - hardcopies

7 Definition of computer and network security: how network security differs from computer security
- Attacks can come from anywhere, at any time
- Attacks are highly automated (scripted)
- Physical security measures are inadequate
- Wide variety of applications, services and protocols
  - complexity
  - different constraints, assumptions and goals
- No single "authority"/administrator

8 Security Terminology
- Security attack
- Security mechanism
- Security service
- Risk
- Risk analysis
- Spies
- Cyberterrorists

9 Security Terminology
- Security attack: any action that compromises the security of information
- Security mechanism: a mechanism designed to detect, prevent, or recover from a security attack
- Security service: a service that enhances the security of data processing systems and information transfers; it makes use of one or more security mechanisms

10 Security Terminology
- Risk: a measure of the cost of a realised vulnerability that incorporates the probability of a successful attack
- Risk analysis: provides a quantitative means of determining whether an expenditure on safeguards is warranted

11 Security Terminology
- Spies: a person who has been hired to break into a computer and steal information; spies do not randomly search for unsecured computers to attack
- Cyberterrorists: terrorists that attack the network and computer infrastructure to
  - deface electronic information (such as web sites)
  - deny service to legitimate computer users
  - commit unauthorised intrusions into systems and networks that result in infrastructure outages and corruption of vital data

12 Weaknesses, Vulnerabilities and Threats

13 Weaknesses and Vulnerabilities: Vulnerability
- A weakness in a system that allows an attacker to violate confidentiality, integrity or availability
- May result from
  - software bugs
  - software or system design flaws

14 Weaknesses and Vulnerabilities: Vulnerability
- Examples of vulnerabilities
  - buffer overflows
  - race conditions
  - unencrypted protocols
  - bad/insufficient sanity checks
  - backdoors
  - unqualified trust
- Some of these vulnerabilities are described later

15 Threats
- A threat is a person, thing or event which poses some danger to an asset in terms of that asset's confidentiality, integrity or availability
- Accidental threats
- Deliberate threats: passive and active
- Examples of threats
  - hacker/cracker
  - script kiddies
  - spies and malware
  - denial-of-service (DoS) attack
  - zombies
  - insecure/poorly designed applications

16 Threats: Hacker/cracker **
- Hacker: a person who uses his/her advanced computer skills to attack computers, but not with malicious intent; hackers use their skills to expose security flaws.
- Cracker: a person who violates system security with malicious intent. Crackers destroy data, deny legitimate users services, and cause serious problems on computers and networks.
** From: M. Ciampa, Security+ Guide to Network Security Fundamentals, Thomson Course Technology, 2005

17 Threats
- Script kiddies: want to break into computers like crackers, but
  - are unskilled users
  - download software from web sites and use it to break into computers
- Spies: a person who
  - has been hired to break into a computer and steal information
  - does not randomly search for unsecured computers to attack
- Malware: a group of destructive programs such as viruses, worms, Trojan horses, logic bombs, and spyware

18 Threats
- Virus: a computer program that
  - can copy itself and infect a computer without the permission or knowledge of the user
  - spreads from one computer to another when its host (such as an infected file) is taken to that computer
  - always infects or corrupts files on a targeted computer
- Worm: a computer program that
  - is self-replicating code
  - resides in active memory (the program is executed)
  - propagates itself
  - uses a network to send copies of itself to other nodes
  - can spread itself to other computers without needing to be transferred as part of an infected file
  - always harms the network

19 Threats
- Trojan horse: a program that
  - installs malicious software while under the guise of doing something else
  - differs from a virus in that a Trojan horse does not insert its code into other computer files
  - appears harmless until executed
- Logic bomb: a program that
  - is inactive until it is triggered by a specific event, e.g. a certain date being reached
  - once triggered, can perform many malicious activities
  - is difficult to defend against

20 Threats
- Spyware: a computer program that
  - is installed surreptitiously on a personal computer
  - intercepts or takes partial control over the user's interaction with the computer, without the user's awareness, e.g. installing additional software or redirecting web browser activity
  - secretly monitors the user's behaviour and collects various types of personal information

21 Threats
- Denial-of-service (DoS) attack: a threat that prevents legitimate traffic from being able to access the protected resource
- A common DoS crashes a targeted service or server, normally done by
  - exploiting a program's buffer overflow problem
  - sending too many packets to a host, causing the host to crash

22 Threats
- Zombies: systems that
  - have been infected with software (e.g. a Trojan or back door)
  - are under the control of attackers
  - are used to launch attacks against other targets
- Insecure/poorly designed applications: one of the most difficult threats to detect

23 Identification and Authentication
- Authentication basics
- Passwords
- Biometrics
- Multiple methods

24 Authentication Basics
- Authentication: a process of verifying a user's identity
- Two reasons for authenticating a user
  - the user identity is a parameter in access control decisions (for a system)
  - the user identity is recorded when logging security-relevant events in an audit trail

25 Authentication Basics
- Authentication: binding of an identity to a principal (subject)
- An identity must provide information to enable the system to confirm its identity
- Information (one or more of)
  - what the identity knows (such as a password or secret information)
  - what the identity has (such as a badge or card)
  - what the identity is (such as fingerprints)
  - where the identity is (such as in front of a particular terminal)

26 Authentication Basics
- Authentication process
  - obtaining information from the identity
  - analysing the data
  - determining if it is associated with that identity
- Thus the authentication process is the process of verifying a claimed identity

27 Authentication Basics: Username and Password
- Very common and simple identities, used to enter a system
- Username: announces who a user is; this step is called identification
- Password: proves that the user is who he or she claims to be; this step is called authentication

28 Authentication Mechanisms
- Password
- Password aging
- One-time password

29 Passwords
- Based on what people know
- The user supplies a password and the computer validates it
- If the password is associated with the user, then the user's identity is authenticated

30 Passwords: Choosing passwords
- Password guessing attacks are very simple and always work!! Because users are not aware of protecting their passwords
- Password choice is a critical security issue: choose passwords that cannot be easily guessed
- Password defences
  - set a password on every account
  - change default passwords
  - password length: a minimum password length should be prescribed

31 Passwords: Password defences
- Password format
  - mix upper and lower case symbols
  - include numerical and other non-alphabetical symbols
- Avoid obvious passwords

32 Passwords: How to improve password security?
- Password checker tool: checks passwords against some dictionary of weak passwords
- Password generation: a utility in some systems that produces random passwords for users
- Password aging: a requirement that passwords be changed after some period of time; the required mechanism
  - forces users to change to a different password
  - provides notice of the need to change
  - offers a user-friendly method to change the password

33 Passwords: How to improve password security?
- One-time password: a password that is valid for only one use
- Limit login attempts: the system monitors unsuccessful login attempts and reacts by locking the user account if the login process fails
- Inform the user: after a successful login the system displays
  - the last login time
  - the number of failed login attempts

34 Attacking a Password System
- Password guessing
  - exhaustive search (brute force): try all possible combinations of valid symbols
  - dictionary attack
- Random selection of passwords
- Pronounceable and other computer-generated passwords
- User-selected passwords: passwords based on
  - account names
  - user names
  - computer names, etc.
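As an added worked example, not code from the presentation, the password defences of slides 30 to 33 and the guessing sources of slide 34 combined into one checker: length, character mix, a weak-password dictionary, rejection of passwords built from account, user or computer names, lockout after repeated failures, and the "inform the user" message. The minimum length, lockout threshold and weak-password list are assumed values.

```python
"""Password defences from the 'Passwords' slides, as an added example.

Illustrative code that is not part of the presentation. It implements the
defences listed there: a prescribed minimum length, mixed case plus digits
and other non-alphabetic symbols, a dictionary of weak passwords, rejection
of passwords based on account, user or computer names (the guesses slide 34
lists), limited login attempts with account lockout, and informing the user
of the last login and the failed attempts since then.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_LENGTH = 10          # assumed minimum length; choose your own
MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold
# Constructed stand-in for a dictionary of weak passwords.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_problems(password: str, account: str, user: str, host: str) -> List[str]:
    """Return the policy rules a proposed password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("does not mix upper and lower case")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("contains no non-alphanumeric symbol")
    lowered = password.lower()
    if lowered in WEAK_PASSWORDS:
        problems.append("appears in the weak-password dictionary")
    # Guessers try account, user and computer names, so reject anything
    # built from a word of those names (or contained in one).
    for label, name in (("account name", account), ("user name", user), ("computer name", host)):
        for word in re.split(r"[\s.@_-]+", name.lower()):
            if len(word) >= 3 and (word in lowered or lowered in word):
                problems.append(f"derived from the {label}")
                break
    return problems


@dataclass
class Account:
    """Minimal account record; the password is stored only as a salted hash."""
    name: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    last_login: Optional[str] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(name: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt))


def attempt_login(acct: Account, supplied: str, now: str) -> Tuple[bool, str]:
    """Validate a login; lock the account after MAX_FAILED_ATTEMPTS failures.

    On success the message reports the previous login time and how many
    attempts failed since then, so the user can notice someone else trying.
    """
    if acct.locked:
        return False, "account locked; contact the administrator"
    if not hmac.compare_digest(_hash(supplied, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return False, "too many failed attempts; account locked"
        return False, "login failed"
    message = (f"last login: {acct.last_login or 'never'}; "
               f"{acct.failed_attempts} failed attempt(s) since then")
    acct.failed_attempts = 0
    acct.last_login = now
    return True, message
```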

35 Biometrics
- The automated measurement of biological or behavioural features that identifies a person
- Method:
  - a set of measurements of a user is taken (recorded) when the user is given an account
  - when the user accesses the system, the biometric authentication mechanism identifies the identity

36 Biometrics
- Fingerprints
- Voices
- Eyes
- Faces
- Keystrokes
  - keystroke intervals
  - keystroke pressure
  - keystroke duration
- Combinations

37 Computer System and Network Intrusions

38 Intrusion Profiles
- Exploiting passwords
- Exploiting known vulnerabilities
- Exploiting protocol flaws
- Examining source files for new security flaws
- Denial-of-service attacks
- Abusing anonymous FTP
- Installing sniffer programs
- IP source address spoofing

39 Typical Network Intrusions
- Locate a system to attack
  - new systems
  - network sweeps
- Gain entry to a user's account
  - no password or an easy-to-guess password
  - sniffed password
- Exploit a system configuration weakness or software vulnerability to obtain access to a privileged account

40 Typical Network Intrusions
- Once inside, an intruder may:
  - remove traces from auditing records
  - install a back door for future use
  - install Trojan horse programs to capture system and account information
  - jump to other hosts on your network
  - use your system to launch attacks against other sites
  - modify, destroy, or inappropriately disclose information

41 Why Should You Care
- Protect your own operational environment
- Protect your users' data
- Provide service to your users

42 What Should You Do?
- Stay current with security issues

43 Internet Etiquette (1)
- Do:
  - understand and respect security policies
  - take responsibility for your own security
  - respect other Internet neighbours
  - cooperate to provide security

44 Internet Etiquette (2)
- Avoid:
  - unauthorised access to other accounts and systems
  - cracking password files from other systems
  - sharing accounts
  - unauthorised access to unprotected files
  - reading the e-mail of other users
  - disrupting service

45 Security Management
- Understanding security
- Writing a security policy
- Monitoring the network
- Auditing the network
- Preparing for an attack
- Handling an attack
- Forensics
- Log analysis
- Damage control

46 Understanding Security: Security Objectives (CIA) **
- Confidentiality: the term used for preventing the disclosure of information to unauthorised individuals or systems
- Integrity: in information security, integrity means that data cannot be modified undetectably
- Availability: for any information system to serve its purpose, the information must be available when it is needed
** http://en.wikipedia.org/wiki/Information_security

47 Understanding Security
- What are we protecting?
  - assess value
  - protection cost
- Thinking like a defender
  - list the problems that might happen in various situations
- The organisation we are protecting
  - business types
  - different levels of security

48 Understanding Security: The process of security (1)
- The endless loop of security; the following slides expand on this loop
- Learn everything about the threats; the Internet is full of information
  - how to protect a system
  - how to break in to a system
  - system vulnerabilities, etc.
- Design everything well before implementing!! Analysis must come before synthesis!!

49 Understanding Security: The process of security (2)
- Endless loop of security
  - think "pathologically" about the design (or "think evil thoughts")
  - implement it the way it is designed
  - never let any component be altered from the design
  - continuously recheck it to make sure that it has not changed, e.g. configuration changes in routers/computers
  - practise running it to make sure that you understand it and can operate it correctly

50 Understanding Security: The process of security (3)
- Endless loop of security
  - make it simple for others to do what you want them to do
  - make it hard for people to do what you do not want them to do
  - make it easy for you to detect problems
  - make it difficult to hide what you do not want to be hidden
  - test everything you can test
  - practise everything you can practise
  - improve anything you can improve
  - repeat this process endlessly, at all levels of detail

51 Security Management
- Understanding security
- Writing a security policy
- Monitoring the network
- Auditing the network
- Preparing for an attack
- Handling an attack
- Forensics
- Log analysis
- Damage control

52 Writing a Security Policy: Security policy definitions (1)
- Information security policy **: objective: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
** ISO/IEC 17799:2005(E)

53 Writing a Security Policy: Security policy definition (2)
- [Ciampa]: "The backbone of any infrastructure is its security policy. Without a policy that clearly outlines what needs to be protected, how it should be protected, and what users can – and cannot – do in support of the policy, there is no effective security."

54 Writing a Security Policy: Security policy
- A document or set of documents that
  - clearly defines the defence mechanisms an organisation will employ to keep information secure
  - outlines how the organisation will respond to attacks
  - outlines the duties and responsibilities of its employees for information security

55 Writing a Security Policy: Security policy definition (3)
- [Northcutt]: a security policy establishes what you must do to protect information stored on computers
- A well-written policy contains a sufficient definition of "what" to do so you can identify and measure, or evaluate, "how"

56 Writing a Security Policy: Purpose of a security policy
- Describes what is being protected and why
- Sets priorities about what must be protected first and at what cost
- Allows an explicit agreement to be made with various parts of the organisation regarding the value of security
- Provides the security department with valid reasons to say "no" when that is needed
- Provides the security department with the authority to back up the "no"
- Prevents the security department from acting illegally

57 Writing a Security Policy: Security policy trade-offs suggested by Wadlow
- A good policy today is better than a great policy next year
- A weak policy that is well distributed is better than a strong policy no one has read
- A simple policy that is easily understood is better than a complicated and confusing policy that no one ever bothers to read
- A policy whose details are slightly wrong is better than a policy with no details at all
- A living policy that is constantly updated is better than one that grows obsolete over time

58 Writing a Security Policy
- An amateur (simple) policy: state a coup
- A formal policy: follow some guidelines/standards

59 Writing a Security Policy: Suggestion
- A suggestion for getting a decent policy for an organisation which currently has no security policy (from: T. A. Wadlow, The Process of Network Security)
1. Write a security policy for your organisation
  - say nothing specific; state generalities
  - it should cover no more than 5 pages
  - it should not take more than 2 days to write
  - don't ask for help, do it yourself
  - don't try to make it perfect, just try to get some key issues written down
  - it doesn't have to be complete
  - it doesn't have to be crystal clear

60 Writing a Security Policy: Suggestion (cont.)
1. Find 3 people who are willing to become the "security committee"; their job is
  - to make rulings and amendments to the policy
  - to be judges, not enforcers
2. Create an internal web site with a policy page
  - committee contact information
  - amendments, approved and added to the web site as quickly as possible

61 Writing a Security Policy: Suggestion (cont.)
3. Treat the policy as if it were the absolute rule of law
  - do not violate the policy
  - allow no violation to occur
4. If someone has a problem with the policy
  - have the person propose an amendment
  - the policy committee members need to agree
  - make an amendment

62 Writing a Security Policy: Suggestion (cont.)
5. Schedule a regular meeting to consolidate the policy and amendments
  - once a year, for example
  - involves you and the security committee
  - takes the current security policy and the amendments and makes new policy statements
6. Repeat the processes 3-6

63 Writing a Security Policy: Contents
- What are we protecting?
  - describe in detail the types of security levels expected in an organisation
  - characterise the machines on the network (for example)

64 Writing a Security Policy: Contents (cont.)
- Red: contains extremely confidential information or provides mission-critical services
- Yellow: contains sensitive information or provides important services
- Green: able to access red or yellow machines but does not directly store sensitive information or perform crucial functions
- White: unable to access red, yellow, or green systems but not externally accessible; no sensitive information or function
- Black: externally accessible; unable to access red, yellow, green or white systems

65 Writing a Security Policy: Contents (cont.)
- Methods of protection: describe
  - levels of protection
  - priorities for protection
- For example:

66 Writing a Security Policy: Contents (cont.)
- Organisation priorities (listed from highest to lowest priority):
  1. health and human safety
  2. compliance with applicable local, state, and federal laws
  3. preservation of the interests of the organisation
  4. preservation of the interests of partners of the organisation
  5. free and open dissemination of nonsensitive information

67 Writing a Security Policy: Contents (cont.)
- Describe general policies for access to each category of system:

Category | Network                         | Access                                                            | Qualification cycle *
Red      | red networks only               | Red-cleared employees only                                        | monthly
Yellow   | yellow and red networks         | employees only                                                    | quarterly
Green    | yellow, red, and green networks | employees and cleared contractors                                 | yearly
White    | white networks only             | employees and contractors                                         | yearly
Black    | black networks only             | employees, contractors, and public (through cleared access means) | monthly

68 Writing a Security Policy: Contents (cont.)
- Responsibility: describes the responsibilities and privileges that are accorded each class of system user, e.g.
- General
  - knowledge of this policy
  - all actions in accordance with this policy
  - report any known violations of this policy to security
  - report any suspected problems with this policy to security
- Sysadmin/operations
  - all user information to be treated as confidential
  - no unauthorised access to confidential information
  - indemnified for any action consistent with the systems administrator code of conduct

69 Writing a Security Policy: Contents (cont.)
- Security administrator
  - highest level of ethical conduct
  - indemnified for any action consistent with the security officer code of conduct
- Contractor
  - access to specifically authorised machines in a specifically authorised fashion
  - request advance authorisation in writing for any action which might be interpreted as a security issue
- Guest
  - no access to any computing facilities except with written advance notice to security

70 Writing a Security Policy: Contents (cont.)
- Appropriate use: describes the ways in which employees should not use the network
- General
  - minimal personal use during normal business hours
  - no use of the network for outside business activity
  - access to Internet resources consistent with HR policies
- Sysadmin
  - responsible access to sensitive or personal information on the network
  - all special access justifiable for business operations

71 Writing a Security Policy: Contents (cont.)
- Security personnel
  - responsible access to sensitive information on the network
  - all special access justifiable for business operations
  - use of security tools for legitimate business purposes only
- Contractor
  - no personal access at any time
  - minimal use of the network and only for specific reasons relating to specific contracts
- Guest
  - no use of the network at any time

72 Writing a Security Policy: Contents (cont.)
- Consequences: describes the way in which the magnitude of a policy violation is determined and the categories of consequences. Examples:
  - security review board
  - penalties: critical, serious, limited

73 Writing a Formal Policy
- Known as "risk-based security management"
- Risk: combination of the probability of an event and its consequence
- Risk analysis: systematic use of information to identify sources and to estimate the risk
- Risk evaluation: process of comparing the estimated risk against given risk criteria to determine the significance of the risk

74 Writing a Formal Policy: Risk (cont.)
- Risk assessment: overall process of risk analysis and risk evaluation
- Risk management: coordinated activities to direct and control an organisation with regard to risk

75 Writing a Formal Policy: Some guidelines
- ISO/IEC 17799:2005(E)
- SANS guidelines: www.sans.org/security-resources/policies
- NIST guidelines: http://csrc.nist.gov/index.html
- etc.

76 ISO/IEC 17799:2005(E) Security Policy
- Should contain
  - a definition of information security, its overall objectives and scope, and the importance of security
  - a statement of management intent
  - a framework for setting control objectives and controls, including the structure of risk assessment and risk management

77 ISO/IEC 17799:2005(E) Security Policy
- A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organisation, including
  - compliance with legislative, regulatory, and contractual requirements
  - security education, training, and awareness requirements
  - business continuity management
  - consequences of information security policy violations

78 ISO/IEC 17799:2005(E) Security Policy
- A definition of general and specific responsibilities for information security management, including reporting information security incidents
- References to documentation which may support the policy, e.g. more detailed security policies and procedures for specific systems, or security rules users should comply with

79 ISO/IEC 17799:2005(E) Security Policy
- Review of the information security policy: the information security policy should be reviewed
  - at planned intervals, or
  - if significant changes occur
  to ensure its continuing suitability, adequacy, and effectiveness

80 Example of Security Policy Format
1. Purpose/overview
2. Scope
3. Policy
4. Enforcement
5. Revision history

81 Example of Policies (suggested by SANS *)
- Organisation policy
- Audit policy
- Computer security policy
- Desktop security policy
- Email security policy
- Internet security policy
- Mobile security policy
- Network security policy
- Physical security policy
- Server security policy
- Wireless security policy
* www.sans.org/security-resources/policies

82 Monitoring Your Network
- The shape of a logging system
- What to log
- Logging mechanisms
- Time
- Sensors
- Log management

83 Monitoring Your Network: Goals of a monitoring system
- Reduce the likelihood of an attack going unlogged
- Increase the likelihood that the events logged for an attack will be recognised as an attack

84 The Shape of a Logging System: Problems of a logging system
- What events should be logged?
  - if every event is logged, the log file will be very large
  - if only selected events are logged, some crucial events might not be logged!!
- The log file can be tampered with by attackers to delete attack traces
  - attackers can tamper with the log file if the logs are accessible to them

85 The Shape of a Logging System
- Logs should not be accessible to an attacker
- Mechanisms that can deny access to logs
  - the logs are kept on a separate machine
  - the logs are encrypted
  - the logs are stored on write-only media
  - the logs are stored in multiple places

86 The Shape of a Logging System
- Logs should not be tampered with; tampering efforts should be easily detected
- Achieved by
  - cryptographically signing each log entry to detect invalid entries
  - monitoring the log entries to look for a sudden decrease in log size, which indicates that log entries have been deleted
  - assigning a sequence number to each log entry and verifying that the sequence is unbroken

87 What to Log
- The network should log any events necessary to detect known attack patterns
- The network should log any events necessary to detect unusual patterns of access

88 Logging Mechanisms: Syslog
- The most common network logging mechanism
- Runs on Unix systems
- Components
  - syslog daemon
  - syslog ruleset
  - syslog-enabled programs

89 Syslog: Syslog daemon
- A program that runs in the background on all machines using syslog
- Serves several purposes
  - collects messages from syslog-enabled programs on the machine hosting it
  - collects certain messages from the system that are not syslog-enabled (such as kernel messages regarding start-up and some device problems)
  - listens on the syslog port (port 514/UDP) for messages
  - saves all of the above messages in a file

90 Syslog Ruleset
- Usually in /etc/syslog.conf
- Contains directives to the syslog daemon that determine where various types of messages should be logged
- Choices of logging
  - put a message into a file
  - log a message to another machine via UDP
  - write a message to the system console
  - write a message to all logged-in users

91 Syslog-enabled Programs
- Syslog is a standard facility in Unix
- Many Unix programs have calls to syslog built into them, enabling these programs to log various events to the local syslog daemon

92 Pros (of syslog)
- Universally available
- Standard implementation
- Available from nonprogrammable devices
- A read-only logging mechanism

93 Cons (of syslog)
- Unauthenticated protocol: can be spoofed
- Unencrypted transmission: can be eavesdropped on by attackers
- Unreliable UDP transmission: not all syslog messages reach their intended destination

94 Time
- An important issue in log gathering and analysis:
  Jun 4 22:33:21 machine1.ycom.com login: user smt login ok
  Jun 4 22:34:29 machine3.ycom.com login: user smt login ok
- Time is used in the analysis process
- It should be accurate and synchronised with other systems
- A logging system should synchronise its time with a time server machine (NTP server)

95 Sensors
- A mechanism that can be used to aid device-based logging
- Provides a means for gathering information and integrating it into the logging system

96 Sensors: Examples
- Some sensors can detect several variations on attacks
- Some sensors can detect problems with the network being monitored

97 Sensors
- Some sensors are built to detect conditions on the logging system
  - Are the logs increasing monotonically? If not, a log file might have been tampered with
  - Is the logging system receiving all the logs that are being sent? Some devices transmit a sequence number with each log entry; if a particular number is missing, something has gone wrong
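An added example, not code from the presentation, of the tamper-detection ideas on slides 86 and 97 in one place: sequence-numbered entries, an HMAC over each entry chained to the previous one (an HMAC stands in for the slide's cryptographic signature), and a size sensor for the monotonicity check. The key and the log messages are constructed.

```python
"""Tamper-evident log entries, as an added example (not from the presentation).

Puts the detection ideas of slides 86 and 97 into code: every entry carries a
sequence number, every entry carries an HMAC (standing in for the slide's
cryptographic signature) computed over the entry and the previous entry's tag,
and a size sensor flags a log that has shrunk. The key below is a constructed
placeholder; a real collector keeps it off the machines whose logs it holds.
"""
import hashlib
import hmac
from typing import List, Tuple

LOG_KEY = b"constructed-demo-key-do-not-reuse"
Entry = Tuple[int, str, str]  # (sequence number, message, authentication tag)


def _tag(key: bytes, seq: int, message: str, prev_tag: str) -> str:
    """HMAC-SHA256 over the sequence number, the message and the previous tag."""
    data = f"{seq}|{message}|{prev_tag}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log: List[Entry], key: bytes, message: str) -> None:
    """Append a message with the next sequence number and a chained tag."""
    seq = log[-1][0] + 1 if log else 1
    prev_tag = log[-1][2] if log else ""
    log.append((seq, message, _tag(key, seq, message, prev_tag)))


def verify_log(log: List[Entry], key: bytes) -> List[str]:
    """Report deleted entries (sequence gaps) and modified entries (bad tags).

    Deleting an entry from the middle shows up twice: as a gap and as a tag
    failure on the next entry, whose tag chains to the deleted one. Cutting
    entries off the end leaves a valid chain, which is why the size sensor
    below is needed as well.
    """
    problems = []
    expected_seq = 1
    prev_tag = ""
    for seq, message, tag in log:
        if seq != expected_seq:
            problems.append(f"sequence gap: expected {expected_seq}, found {seq}")
            expected_seq = seq
        if not hmac.compare_digest(tag, _tag(key, seq, message, prev_tag)):
            problems.append(f"entry {seq}: authentication tag does not verify")
        prev_tag = tag
        expected_seq += 1
    return problems


def log_size_sensor(previous_count: int, current_count: int) -> str:
    """Slide 97's monotonicity check: a log that got shorter has been cut."""
    if current_count < previous_count:
        return f"ALERT: log shrank from {previous_count} to {current_count} entries"
    return "ok"
```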

98 Sensors
- Has any machine stopped logging? A machine that has stopped logging might indicate a network problem or an attack
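An added example, not code from the presentation, for slides 94 and 98: it parses syslog lines in the format shown on slide 94 and reports senders whose stamped time disagrees with the collector's receive time (an unsynchronised clock) and hosts that have gone silent. The receive times, the year, the "current" time and the lines beyond the two from slide 94 are constructed.

```python
"""Time checks on syslog lines, as an added example (not from the presentation).

Parses BSD-style syslog lines in the format shown on slide 94 and runs two
checks a central collector can make: does each sender's clock agree with the
collector's own receive time (slide 94: time must be accurate and NTP-synced),
and has any host stopped logging (slide 98)? The receive times, the year and
the lines beyond the two from slide 94 are constructed for this example.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
YEAR = 2024  # BSD syslog timestamps carry no year; assumed for the example

# Constructed collector records: (time the collector received the line, line).
RECORDS = [
    (datetime(2024, 6, 4, 22, 33, 22), "Jun 4 22:33:21 machine1.ycom.com login: user smt login ok"),
    (datetime(2024, 6, 4, 22, 33, 40), "Jun 4 22:34:29 machine3.ycom.com login: user smt login ok"),
    (datetime(2024, 6, 4, 22, 35, 10), "Jun 4 22:35:09 machine2.ycom.com sshd: session opened for smt"),
    (datetime(2024, 6, 4, 22, 50, 2), "Jun 4 22:50:01 machine1.ycom.com cron: nightly job finished"),
]
NOW = datetime(2024, 6, 4, 22, 55, 0)  # constructed "current" collector time


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split a syslog line into (sender timestamp, host, message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    sent = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return sent, m["host"], m["msg"]


def clock_skew_report(records, max_skew: timedelta = timedelta(seconds=5)) -> Dict[str, float]:
    """Return hosts whose stamped time differs from the receive time by more than max_skew.

    The value is the worst signed skew in seconds (positive = sender's clock is
    ahead). Such hosts need NTP fixed before their logs can be correlated.
    """
    skewed: Dict[str, float] = {}
    for received, line in records:
        sent, host, _ = parse_line(line)
        skew = (sent - received).total_seconds()
        if abs(skew) > max_skew.total_seconds():
            if host not in skewed or abs(skew) > abs(skewed[host]):
                skewed[host] = skew
    return skewed


def silent_hosts(records, now: datetime, max_silence: timedelta = timedelta(minutes=20)) -> List[str]:
    """Return hosts whose last line was received more than max_silence ago (slide 98)."""
    last_seen: Dict[str, datetime] = {}
    for received, line in records:
        _, host, _ = parse_line(line)
        if host not in last_seen or received > last_seen[host]:
            last_seen[host] = received
    return sorted(host for host, seen in last_seen.items() if now - seen > max_silence)
```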

99 Log Management
- The process of making sure that the logging system is
  - stable
  - useful

100 References
1. Wadlow T. A., The Process of Network Security: Designing and Managing a Safe Network, Addison-Wesley, 2000
2. Ciampa M., Security+ Guide to Network Security Fundamentals, Thomson Course Technology, 2005
3. Northcutt S., et al., Inside Network Perimeter Security, Sams Publishing, 2005
4. ISO/IEC 27001:2005(E)
5. ISO/IEC 17799

101 Security Contest Topics
- Network security concepts
- Network security architecture
- Network security assessment & penetration test methods
- Network security monitoring
- ISO 27001 and series
- Computer laws

102 Announcement: the security contest registration and examination dates are postponed
- Registration closing date: moved from 14 October to 31 October
- First-round qualifying examination date: moved from 28 October to 18 November
- Final round and prize announcement date: moved from 25 November to 19 December

103 CS subject 344-422: Computer and Network Security, an elective course offered in semester 1 of every year

