Arun Sood ISA 562 – Information Security Theory and Practice


1 Arun Sood ISA 562 – Information Security Theory and Practice
1. Introduction + Threat. This slide deck is modified with permission from Dan Fleck.

2 Outline
- Introduction: What is “security”?
- Why is security hard?
- Security as risk management
- Aspects of security

3 What does security mean?
The term security is used in a variety of contexts. What’s the common thread?
- Personal security
- Corporate security
- Personnel security
- Energy security
- Homeland security
- Operational security
- Communications security
- Network security
- System security

4 What does security mean?
In the most general terms, security seems to mean something like “protection of assets against threats.”
- What assets?
- What kinds of threats?
- What does “protection” mean?
- Does the nature of protection vary depending on the threat?

5 Security on a Personal Level
Suppose you’re visiting an online retailer and need to enter personal information. What protections do you want? From what threats?
- Authentication (protection from phishing)
- Authorization
- Privacy of your data
- Integrity of your data
- Availability
- Non-repudiation
- What else?

6 Security on an Institutional Level
Consider the following scenarios:
- A large corporation’s computer systems are penetrated and data on thousands of customers is stolen.
- A student hacks into the university registrar’s system and changes his grade in several classes he has taken.
- An online retailer’s website is overwhelmed by malicious traffic, making it unavailable for legitimate customer purchases.
Does this suggest why it’s hard to define “security” in the context of digital systems? What are the consequences? Mitigations?

7 Why are Attacks Becoming More Prevalent?
- Increased connectivity
- Many valuable assets online
- Low threshold to access
- Sophisticated attack tools and strategies available
- Others?

8 Some Sobering Facts
There were over 1 million new unique malware samples discovered in each of the past two quarters. Unlike the worms and mass-mailers of the past, many of these were extremely targeted to particular industries, companies and even users. (10/19/2009)
Once PCs are infected they tend to stay infected. The median length of infection is 300 days. (10/19/2009)

9 Some Sobering Facts
A recent study of 32,000 websites found that nearly 97% of sites carry a severe vulnerability. –Web Application Security Consortium, Sept 2008
“NSA found that inappropriate or incorrect software security configurations (most often caused by configuration errors at the local base level) were responsible for 80 percent of Air Force vulnerabilities.” –CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008, p. 55

10 Why Should We Care?
A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States’ global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target. – William J. Lynn, U.S. Deputy Secretary of Defense, Foreign Affairs (2010)
A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that’s so great it could “challenge our country’s very existence.” –Computerworld, March 24, 2010

11 Educate Yourself
Educating yourself about computer security can:
- enhance your own protection;
- contribute to security in your workplace;
- enhance the quality and safety of interpersonal and business transactions;
- improve overall security in cyberspace.

12 Is Cyber Security Particularly Hard?
Question: Why would security be any more difficult than most technological problems? Answer 1: Most technology-related efforts are concerned with ensuring that something good happens. Security is all about ensuring that bad things never happen. In security, not only do you have to find “bugs” that make the system behave differently than expected, you have to identify any features of the system that are susceptible to misuse and abuse, even if your programs behave exactly as you expect them to.

13 What Bad Things? Answer 2: If security is all about ensuring that bad things never happen, that means we have to know what those bad things are. The hardest thing about security is convincing yourself that you’ve thought of all possible attack scenarios, before the attacker thinks of them. “A good attack is one that the engineers never thought of.” –Bruce Schneier

14 Programming Satan’s Computer
Answer 3: Unlike most technology problems, you have to defeat one or more actively malicious adversaries. Ross Anderson characterizes this as “Programming Satan’s Computer.” The environment in which your program is deployed works with malice and intelligence to defeat your every effort. The defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one!

15 Easiest Penetration
Answer 4: Information management systems are a complex, “target-rich” environment comprising: hardware, software, storage media, peripheral devices, data, people.
Principle of Easiest Penetration: an intruder will use any available means to subvert the security of a system.
“If one overlooks the basement windows while assessing the risks to one’s house, it does not matter how many alarms are put on the doors and upstairs windows.” –Melissa Danforth

16 Security Isn’t the Point
Answer 5: Security is often an afterthought. No-one builds a digital system for the purpose of being secure. They build digital systems to do something useful. Security mechanisms may be viewed as a nuisance to be subverted, bypassed, or disabled.

17 Upshot: Perfect Security Ain’t Happening
Perfect security is probably impossible in any useful system.
“The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.” –Robert H. Morris, former Chief Scientist of the National Computer Security Center (early 1980s)
“Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground.” –Prof. Fred Chang, former director of research at NSA (2009)

18 If Security Gets in the Way
Security is meant to prevent bad things from happening; one side-effect is often to prevent useful things from happening. Typically, a tradeoff is necessary between security and other important project goals: functionality, usability, efficiency, time-to-market, and simplicity.

19 Some Lessons
He who defends everything defends nothing. –old military adage
Security is difficult for several reasons. Since you can never achieve perfect security, there is always a tradeoff between security and other system goals.

20 Security as Risk Management
If perfect security is not possible, what can be done? Viega and McGraw (Building Secure Software) assert that software and system security really is “all about managing risk.” Risk is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. The assessment of risk must take into account the consequences of an exploit.

21 Risk Management Framework
Risk management is a process for an organization to identify and address the risks in its environment. One particular risk management procedure (from Viega and McGraw) consists of six steps:
1. Assess assets
2. Assess threats
3. Assess vulnerabilities
4. Assess risks
5. Prioritize countermeasure options
6. Make risk management decisions

22 Coping with Risk
Once the risk has been identified and assessed, managing the risk may involve:
- Risk acceptance: risks are tolerated by the organization, e.g. sometimes the cost of insurance is greater than the potential loss.
- Risk avoidance: not performing an activity that would incur risk, e.g. disallow remote login.
- Risk mitigation: taking actions to reduce the losses due to a risk; most technical countermeasures fall into this category.
- Risk transfer: shift the risk to someone else, e.g. most insurance contracts, home security systems.
GMU does it: https://itsecurity.gmu.edu/DRAC/about-DRAC.cfm

23 Annualized Loss Expectancy
One common tool for risk assessment is annualized loss expectancy (ALE), which is a table of possible losses, their likelihood, and potential cost for an average year. Example: consider a bank with the following ALE. Where should the bank spend scarce security dollars?

| Loss type | Amount | Incidence | ALE |
|---|---|---|---|
| SWIFT* fraud | $50,000,000 | 0.005 | $250,000 |
| ATM fraud (large) | | 0.20 | $50,000 |
| ATM fraud (small) | $20,000 | 0.50 | $10,000 |
| Teller theft | $3,240 | 200 | $648,000 |

* large-scale transfer of funds.

24 Is ALE the Right Model?
Annualized Loss Expectancy effectively computes the “expected value” of any security expenditure. Consider the following two scenarios:
1. I give you a dollar.
2. We flip a coin. Heads: I give you $1000. Tails: you give me $998.
Note that the expected values are the same in both cases ($1), but the risks seem quite different.
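The ALE arithmetic of slide 23 and the expected-value objection of slide 24, worked through in Python. This is an added example, not material from the slide deck. The bank figures are taken from the slide’s table, except that the per-incident amount for “ATM fraud (large)” is not shown on the slide and is derived here as the value consistent with the slide’s ALE of $50,000 at incidence 0.20; the countermeasure cost and effect at the bottom are constructed numbers.

```python
"""ALE table from slide 23 plus the expected-value-vs-risk point of slide 24.

Added example; the bank figures come from the slide except where noted,
and the countermeasure numbers at the bottom are constructed."""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class LossType:
    name: str
    amount: float     # loss per incident, in dollars
    incidence: float  # expected number of incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy = amount per incident x incidents per year."""
        return self.amount * self.incidence


# The slide leaves the "ATM fraud (large)" amount blank; 250,000 is derived
# from its ALE ($50,000) divided by its incidence (0.20), not read off the slide.
BANK_LOSSES = [
    LossType("SWIFT fraud", 50_000_000, 0.005),
    LossType("ATM fraud (large)", 250_000, 0.20),
    LossType("ATM fraud (small)", 20_000, 0.50),
    LossType("Teller theft", 3_240, 200),
]


def ale_table(losses):
    """Map each loss type to its ALE."""
    return {loss.name: loss.ale() for loss in losses}


def prioritize(losses):
    """Loss types ordered by ALE, highest first: where ALE alone says to spend."""
    return [loss.name for loss in sorted(losses, key=LossType.ale, reverse=True)]


def expected_value(outcomes):
    """outcomes: iterable of (probability, payoff) pairs."""
    return sum(p * x for p, x in outcomes)


def std_dev(outcomes):
    """Spread of the payoff around its mean; this is what ALE throws away."""
    mu = expected_value(outcomes)
    return sqrt(sum(p * (x - mu) ** 2 for p, x in outcomes))


# Slide 24's two scenarios: identical expected value, very different risk.
SURE_DOLLAR = [(1.0, 1.0)]
COIN_FLIP = [(0.5, 1000.0), (0.5, -998.0)]


def net_benefit(loss, incidence_reduction, annual_cost):
    """Annual saving of a countermeasure that cuts the incidence of one loss
    type by a fraction, minus what the countermeasure costs per year."""
    return loss.ale() * incidence_reduction - annual_cost


if __name__ == "__main__":
    for name, ale in ale_table(BANK_LOSSES).items():
        print(f"{name:20s} ${ale:>12,.0f}")
    print("spend first on:", prioritize(BANK_LOSSES)[0])
    print("EV sure dollar / coin flip:", expected_value(SURE_DOLLAR), expected_value(COIN_FLIP))
    print("std dev sure dollar / coin flip:", std_dev(SURE_DOLLAR), std_dev(COIN_FLIP))
    # Constructed: a dual-control rule on teller drawers that halves teller
    # theft and costs $100,000 a year in extra staff time.
    teller = BANK_LOSSES[3]
    print("net benefit of teller control:", net_benefit(teller, 0.5, 100_000))
```

Ranking by ALE puts the many small teller thefts far ahead of the rare SWIFT fraud, which is the slide’s point about where the dollars should go; the standard deviation of the coin flip (999) against the sure dollar (0) is the slide 24 point that two options with the same expected value can carry very different risk, so a budget decision should look at both numbers.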

25 Lessons
Because perfect security is impossible, realistic security is really about managing risk. Systematic techniques are available for assessing risk. Assessing risk is important, but difficult and depends on a number of factors (technical, economic, psychological, etc.).

26 Threats

27 Cyber’s Vectors
From Col (Retired) Bob Banks, GMU doctoral student:
Intelligence is traditionally bounded by three V’s: Volume, Velocity and Vector (or Variety, in this example), where data now adds a new fourth, Veracity. Data is doubling in size every two years, and by 2020 the digital universe – the data we create and copy annually – will reach 44 zettabytes, or 44 trillion gigabytes. The Verizon Data Breach Investigation Report chart talks about the speed of a compromise and the limited discovery; last year’s report identified nine patterns representing 92% of the past ten years’ 1 million or more incidents. The Symantec annual report has not only moved but changed the goal posts: it no longer lists the unique malware variants for the CVE (Common Vulnerabilities and Exposures). The insight: it’s easier to sell software that addresses a few thousand versus hundreds of millions. Have we resolved polymorphic malware? When you connect just these three dots, is it too much and too late? Finally, an IBM report graphs the attack types, scale and impacted industry. While SQL and DOS are leaders, so are the numbers of unknown methods of attack. So what is the algorithm or hash mark, or how do we detect an unknown?

28 Anatomy of a Hack
Manual approach:
- Identify target: footprint analysis (Whois, NSLookup, search engines); analyze publicly available info; set scope of attack and identify key targets.
- Enumeration: scanning machines, ports, applications; check for vulnerabilities on each target.
- Exploitation: buffer overflow, spoofing, password, DoS; attack targets using a library of tools and techniques.
- Damage: “owning”; IP theft, blackmail, graffiti, espionage; destruction.
Automated approach:
- Identify target: footprint analysis (Whois, NSLookup, search engines); automated enumeration (scanning machines, ports, applications).
- Install malicious code: deliver payload (custom Trojan, rootkit); attack targets using installed software.
- Hack other machines: take over domain controller.
- Damage: “owning”; IP theft, blackmail, graffiti, espionage; destruction.
Richard Stiennon, May 2006. 9/19/2018

29 Insider Attacks
Anderson:
- Masqueraders
- Clandestine: evade audit controls
- Legitimate
Combs:
- Internal users with accounts
- Internal users in the physical space but no accounts

30 Anatomy of an Insider Attack
Manual approach:
- Reconnaissance: understand the business process; determine who has credentials.
- Plant keystroke logger or sniffer: install a hardware or software keystroke logger; steal credentials.
- Execution: move funds, ship products, steal data, plant a time bomb.
- Escape: fly to the Cayman Islands.
CS469 Security Engineering 9/19/2018

31 Classes of Threats
- Disclosure: unauthorized access to information. Examples: snooping, wiretapping.
- Deception: acceptance of false data. Examples: modification, spoofing, repudiation of origin, denial of receipt.

32 Classes of Threats
- Disruption: interruption or prevention of correct operation. Example: modification.
- Usurpation: unauthorized control of some part of the system. Examples: modification, spoofing, delay, denial of service.

33 Cyber Risk = Threats × Vulnerabilities × Consequences

34 Attack Examples : DOS, Social Engineering
Host Vulnerability and Exploits, Common Attacks on Hosts

35 Why Care About Hosts?
Most attacks/intrusions have targeted hosts:
- Break-in, penetration
- Root privilege compromise
- Steal, delete, modify and fabricate information in the server
Why?
- Hosts are more interesting: a host has (almost) all the sensitive and useful information (medical records, payroll information, classified information).
- Hosts have all the executables: a host has potentially more vulnerabilities, and it is easier for intruders to exploit with many executables.

36 Common Attacks on Hosts
Gain unauthorized access to the host:
- User level: could impersonate that user; change, delete or forge information.
- Root level: could do everything to the host – worst possible scenario.
Denial of service provided by the host:
- Denial of use of a host completely: disable the mail server.
- Denial of use of an application: disable the online stock trading.
- Denial of use of data: make the financial records inaccessible to users.
What else?

37 DoS: Web Server Attacks
Many DoS attacks are against web servers:
- Attacker sends an enormous amount of bogus requests to the web server, e.g. a SYN-flood attack.
- Attacker sends a request consisting of thousands of ‘/’s. Some servers go belly up at this.
How to detect? How to handle this kind of DoS? Shut down the web server?

38 DoS: Mailbomb
Exploits the open-door nature of the e-mail system:
- The mail server is supposed to receive e-mails.
- Attacker sends thousands of huge junk e-mails: fill up disks, overflow the quotas, deny access to e-mail, cause legitimate e-mails to be lost.
- Usually done by some automated tools.
A mailbomb is different from spam:
- There is no particular desire to have the e-mail read, responded to, or even necessarily received.
- The goal is to jam the server and make it unusable.
How to detect this? How to handle this?
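Slides 37 and 38 both end with “How to detect?”. The following Python is an added example, not from the slides, of the simplest answer to both: threshold detectors run over server-side records. The access-log lines, the mail events, the client addresses and sender names are all constructed for illustration, and every threshold (requests per 10-second window, path length, messages and bytes per sender per 5 minutes) is an assumed starting value that a real site would tune against its own baseline traffic.

```python
"""Threshold detectors for the DoS patterns of slides 37 and 38.

Added example, not from the slides. The access-log lines and mail events
below are constructed for illustration; every threshold is an assumption
that a real site would tune against its own baseline traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Common Log Format: client ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-)$')


@dataclass(frozen=True)
class Request:
    time: datetime
    client: str
    path: str
    status: int


def parse_access_log(lines):
    """Parse CLF lines into Request records; lines that do not match are skipped."""
    requests = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        client, stamp, _method, path, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        requests.append(Request(when, client, path, int(status)))
    return requests


def peak_in_window(times, window):
    """Largest number of events from one sorted time list that fit in any window."""
    start = peak = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_floods(requests, window=timedelta(seconds=10), threshold=100):
    """Slide 37, bogus-request flood: clients whose peak request rate exceeds the threshold."""
    by_client = defaultdict(list)
    for r in requests:
        by_client[r.client].append(r.time)
    flagged = {}
    for client, times in by_client.items():
        peak = peak_in_window(sorted(times), window)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def find_pathological_paths(requests, max_len=2048, max_slash_run=16):
    """Slide 37, request made of thousands of '/': absurdly long paths or long slash runs."""
    return [r for r in requests if len(r.path) > max_len or "/" * max_slash_run in r.path]


@dataclass(frozen=True)
class MailEvent:
    time: datetime
    sender: str
    size: int  # bytes


def find_mailbombs(events, window=timedelta(minutes=5), max_msgs=50, max_bytes=50_000_000):
    """Slide 38: senders whose message count or total bytes in any window exceed the limits."""
    by_sender = defaultdict(list)
    for ev in events:
        by_sender[ev.sender].append(ev)
    flagged = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e.time)
        start = running = peak_count = peak_bytes = 0
        for end, ev in enumerate(evs):
            running += ev.size
            while ev.time - evs[start].time > window:  # slide the window forward
                running -= evs[start].size
                start += 1
            peak_count = max(peak_count, end - start + 1)
            peak_bytes = max(peak_bytes, running)
        if peak_count >= max_msgs or peak_bytes >= max_bytes:
            flagged[sender] = (peak_count, peak_bytes)
    return flagged


# Constructed sample data: one normal client, one slash-run request, one flooder,
# one normal sender and one mailbomber. None of this is real traffic.
WEB_LOG = [
    '10.0.0.5 - - [19/Sep/2018:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.5 - - [19/Sep/2018:10:00:07 +0000] "GET /about HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Sep/2018:10:00:01 +0000] "GET /' + "/" * 3000 + ' HTTP/1.1" 400 0',
] + [
    f'10.0.0.7 - - [19/Sep/2018:10:00:{i % 10:02d} +0000] "GET /search?q={i} HTTP/1.1" 200 256'
    for i in range(300)
]
T0 = datetime(2018, 9, 19, 10, 0, tzinfo=timezone.utc)
MAIL_EVENTS = (
    [MailEvent(T0 + timedelta(minutes=m), "alice@example.com", 4_000) for m in range(3)]
    + [MailEvent(T0 + timedelta(seconds=2 * i), "bomber@example.com", 2_000_000) for i in range(60)]
)


def run_detectors():
    """Run all three detectors over the constructed data and return their findings."""
    requests = parse_access_log(WEB_LOG)
    return {
        "floods": find_floods(requests),
        "pathological": [r.client for r in find_pathological_paths(requests)],
        "mailbombs": find_mailbombs(MAIL_EVENTS),
    }


if __name__ == "__main__":
    print(run_detectors())
```

The sliding window is the part worth keeping: a fixed per-minute counter can be gamed by spreading a burst across the minute boundary, whereas the window peak catches any 10-second burst. On the slide’s question “shut down the web server?”, the detectors return the offending client or sender, which is what a rate limit or a temporary block needs, so the legitimate users in the same log keep being served.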

39 DoS: Resource Hogging
Resource hogs:
- Programs that use up the resources of the machine: fill up disks, use all the memory, use all the CPU cycles.
- Could be some executable downloaded.
- Code Wars was a game: let opponents write programs that would use up all the resources, until the opponent’s code was unable to run.
Detection is not difficult, except for memory leaks. How to handle this?

40 Social Engineering/Phishing
Tricking people into giving access. Examples:
- “Hello, this is Smith, the Vice President of Marketing. I need to update my photo in the corporate directory, and I’ve forgotten my password.”
- “Hello, I’m from customer support at Citibank, and we are upgrading the security mechanism of our customer account management. Please log in to the web site to verify the status of your account.”
How to detect this automatically?

41 Council of Europe: Convention on Cyber Crime
“Convinced that the present Convention is necessary to deter action directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as the misuse of such systems, networks and data by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating their detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international co-operation;”

42 Computer Security - Triad
- Confidentiality: access control; who has the rights to access.
- Integrity: correctness and consistency; unauthorized change – deliberate or accidental – is a breach.
- Availability: constancy and timely access; denial-of-service; service level agreements.

43 Hexad
CIA are the three traditional pillars. Donn Parker (2002) proposed 3 additional attributes:
- Possession or Control: I leave my credit card at a restaurant by mistake. No breach of confidentiality, but still a concern for potential misuse.
- Authenticity: claim/assignment of authorship; signature on paper; digital signatures.
- Utility: a lost decryption key would reduce the usefulness of the data.

44 Cyber Crimes
- Burglary / data theft: download, laptop; Personal Identification Information (PII) for customers, partners, employees; intellectual property, commercial info, bid pricing. Reliable attribution is hard.
- Vandalism: defacement; mischievous alteration of the data.
- Extortion: encryption of a dataset; attach value to the key.
- Espionage

45 Value on Black Market
- Credit card details for $2 to $90: Pirated credit card details can include the cardholder's full name, mailing address, phone number, Social Security number, date of birth, the card type, card number, expiration date, security number, PIN and bank name. The more details, the more it costs. Armed with this information, thieves can make online purchases or clone fake cards for use at ATMs.
- Physical credit cards for $180, plus the cost of the details: These are counterfeit plastic credit cards that have been replicated down to the bank hologram. They are available in white plastic or color printing at additional cost. The stolen credit card details, such as the card number, PIN and security number, are not included in the price of the card. Minimum order: five cards.
- Card cloners for $200 to $1,000: These machines allow you to print or clone phony credit cards, complete with magnetic stripes and embossed numbers. Thieves obtain the information needed to clone cards through skimmers or fake ATMs that capture and copy the card data. Several cloner models are available. All can make multiple copies of the same card.
- Fake ATMs for $80 to $700: There are two basic types: devices called skimmers that fit over the card intake slot on a regular bank ATM, or a full replica of an ATM console. When people insert their credit or debit cards into the machine, it copies the card data and tells users there was an error and the transaction was aborted.
- Bank credentials for $3,500: User names and passwords for customer bank accounts, plus any other credentials, such as answers to security questions, that you may need to log in to the accounts. Thieves may obtain this information from malicious software that captures keystrokes. When bank customers access their online accounts, the programs copy the information and send it back to the cyberthieves.
- Money laundering for 10% to 40% of the amount laundered: Bank transfers and check cashing services are available to move stolen money from victims' accounts into untraceable accounts. This service can include using stolen bank credentials to hack accounts and transfer money to "money mules," who are paid to transfer the money to legitimate accounts using money transfer services.
Revenue loss in North America 2010: $2.7 B. Source: (posting date 4/28/2011). Data theft: $114 B per year; US bank robberies 2010: $43 M; global cocaine: $85 M.

46 Cost per Data Breach Incident
Large companies: loss of 1,000 to 100,000 records.
Average cost: $7.2 M in 2010; $6.8 M in 2009; $6.7 M in 2008.
Cost per activity in 2010: loss of business $4.5 M; ex-post response $1.7 M; notification $0.5 M; detection and escalation $0.5 M.
Source: Ponemon Institute Report for 2010 port.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costo fdatabreach

47 Cost per Record of Data Breach
Large companies, average cost per record: 2010: $214; 2009: $204; 2008: $202.

| Activity | Cost per record |
|---|---|
| Lost business | $134 |
| Ex-post response | $51 |
| Notification | $15 |
| Detection & escalation | $13 |

Source: Ponemon Institute Report

48 Breach Costs by Activity
(Chart.) Source: Ponemon Institute Report

49 What do You Conclude?
- Does this data impact on the development strategy?
- Does this impact architectural decisions?
- Does this influence the design approach?
- With this data would you have changed your choices?
- How does this data impact on security architecture?

50 Example: Architecture Choices Increase Security
Ex-filtration volume = Ex-filtration rate × Time
Ex-filtration rate = f(Available BW, program choices, …)
(Chart: Database Bandwidth Usage Alternatives.)

51 Cyber Defense Stages
- Prevention
- Detection
- Location
- Isolation
- Information sharing
- Breach reporting and notification
- Forensics
- Remediation
- Restoration / Recovery
(Diagram labels: Firewall, Detect.)

52 Why has cyber security become such a big problem today as compared to 20 years ago?

53 Why Now?
- Reduce cost
- Reduce redundancy: less spare capacity
- Standardize: less diversity leads to easier targets. Ultimate example: Cloud
- Increased international cyber capability
- Knowledge dissemination

54 Annual Threat Reports
Verizon, HP, Symantec, McAfee, IBM, Mandiant, Sophos. Check out Assignment 1 for pointers.

